From smooge at gmail.com Tue Jan 2 01:53:41 2007
From: smooge at gmail.com (Stephen John Smoogen)
Date: Mon, 1 Jan 2007 18:53:41 -0700
Subject: How to 'fix' webalizer problem since FC4?
Message-ID: <80d7e4090701011753j1e136aabxbc635fa9892d15d2@mail.gmail.com>

I installed a new system, and saw that I was getting a set of selinux messages every time cron runs. It looks like it is this bug:

Bug 169434 Processed: selinux prevents webalizer running from cron

The message from audit2allow is

allow webalizer_t fs_t:filesystem getattr;

audit2why shows:

type=AVC msg=audit(1167649332.157:607): avc: denied { getattr } for pid=2739 comm="webalizer" name="/" dev=dm-3 ino=2 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.
You can see the necessary allow rules by running audit2allow with this audit message as input.

type=AVC msg=audit(1167649332.273:608): avc: denied { getattr } for pid=2737 comm="webalizer" name="/" dev=dm-3 ino=2 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.
You can see the necessary allow rules by running audit2allow with this audit message as input.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From dwalsh at redhat.com Tue Jan 2 17:40:09 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Jan 2007 12:40:09 -0500
Subject: vmware beta....needs mount/unmount?
In-Reply-To: <4c4ba1530612301023s1ca6145i49cdf5d4804b8276@mail.gmail.com> References: <4c4ba1530612301023s1ca6145i49cdf5d4804b8276@mail.gmail.com> Message-ID: <459A98F9.5090301@redhat.com> Tom London wrote: > Running latest rawhide, targeted/enforcing. > > I'm testing the latest vmware beta (6?). > > Seems to want to mount on /proc/fs/vmware-block/mountPoint: > none on /proc/fs/vmware-block/mountPoint type vmware-block (rw) > > This produces the following AVC during boot: > > type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for > pid=2225 comm="mount" name="/" dev=vmware-block ino=1 > scontext=system_u:system_r:mount_t:s0 > tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem > type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21 > success=yes exit=0 a0=937cdd8 a1=937ce00 a2=937cde8 a3=c0ed0000 > items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 euid=0 suid=0 > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" > subj=system_u:system_r:mount_t:s0 key=(null) > > I believe this is the associated AVC from 'unmount' during shutdown: > > type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for > pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0 > tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem > type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22 > success=yes exit=0 a0=9f20120 a1=bffc51f0 a2=9f20148 a3=9f20121 > items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount" > exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null) > > This appears to be the script from /etc/init.d/vmware: > > # Start the file system blocking driver > vmware_start_vmblock() { > mkdir -p /tmp/VMwareDnD && chmod 777 /tmp/VMwareDnD > vmware_exec 'Loading module' vmware_load_module $vmblock > exitcode=`expr $exitcode + $?` > mount -t vmware-block none /proc/fs/vmware-block/mountPoint > } > > # Stop the file system 
blocking driver
> vmware_stop_vmblock() {
> umount /proc/fs/vmware-block/mountPoint
> vmware_unload_module $vmblock
> }
>
> Right way to fix?
>
> tom

This looks like we need a genfscon for a vmware-block type file system.

Perhaps adding these lines and then some interface to allow vmware to access the filesystem, would work?

#
# vmwarefs_t is the type for vmware file systems
# filesystems and their files.
#
type vmwarefs_t;
fs_noxattr_type(vmwarefs_t)
allow vmwarefs_t fs_t:filesystem associate;
genfscon vmware-block / gen_context(system_u:object_r:vmwarefs_t,s0)

From selinux at gmail.com Tue Jan 2 18:18:33 2007
From: selinux at gmail.com (Tom London)
Date: Tue, 2 Jan 2007 10:18:33 -0800
Subject: vmware beta....needs mount/unmount?
In-Reply-To: <459A98F9.5090301@redhat.com>
References: <4c4ba1530612301023s1ca6145i49cdf5d4804b8276@mail.gmail.com> <459A98F9.5090301@redhat.com>
Message-ID: <4c4ba1530701021018w7f15fcbvcff0e1eb9a1b74b6@mail.gmail.com>

On 1/2/07, Daniel J Walsh wrote:
> This looks like we need a genfscon for a vmware-block type file system.
>
> Perhaps adding these lines and then some interface to allow vmware to
> access the filesystem, would work?
>
> #
> # vmwarefs_t is the type for vmware file systems
> # filesystems and their files.
> #
> type vmwarefs_t;
> fs_noxattr_type(vmwarefs_t)
> allow vmwarefs_t fs_t:filesystem associate;
> genfscon vmware-block / gen_context(system_u:object_r:vmwarefs_t,s0)
>

OK thanks. I'll try to poke around using this as a start....

tom

--
Tom London

From fedora at richardfearn.co.uk Tue Jan 2 23:50:55 2007
From: fedora at richardfearn.co.uk (Richard Fearn)
Date: Tue, 02 Jan 2007 23:50:55 +0000
Subject: Process for creating Fedora selinux-policy packages
Message-ID: <459AEFDF.5040500@richardfearn.co.uk>

Hello,

Due to an SELinux bug I reported in August, I've been trying to understand the selinux-policy packages to see how they're built.
I understand the principle of taking the upstream refpolicy, modifying it and building the Fedora-specific packages. However, I'm struggling to see where the refpolicy is coming from.

For example, as I write this, the latest FC6 selinux-policy package pushed to the repositories is 2.4.6-1. According to the "sources" file in CVS, this package is built using serefpolicy-2.4.6.tgz. If I get serefpolicy-2.4.6.tgz from the lookaside repository then the VERSION file in it says 20061018. However, the contents of serefpolicy-2.4.6.tgz differ a great deal from the "official" 20061018 version of the reference policy from Tresys.

I could understand it if the Fedora selinux-policy packages were directly based on the 20061018 version of the refpolicy from Tresys, but there seems to be an intermediate stage of development that produces the serefpolicy-2.x.x.tgz files in the lookaside repository.

My question is: is there a CVS repository somewhere for a "Fedora reference policy", that is used to build all these serefpolicy files?

Thanks

Richard Fearn

From bofh1234 at hotmail.com Wed Jan 3 15:29:15 2007
From: bofh1234 at hotmail.com (Jack Null)
Date: Wed, 03 Jan 2007 09:29:15 -0600
Subject: selinux and oracle
Message-ID:

I have a RHEL4U4 server that will become an Oracle 10gR2 server in three weeks. Almost all of the documentation I have seen about installing oracle on a selinux enabled server says to turn off selinux. Only 1 document said that oracle and selinux can function together. So can oracle and selinux play nice or do I have to turn it off?

Thanks,
Adam

From ejtr at layer3.co.uk Thu Jan 4 14:08:42 2007
From: ejtr at layer3.co.uk (Ted Rule)
Date: Thu, 04 Jan 2007 14:08:42 +0000
Subject: Problems with sudo on FC6
Message-ID: <1167919722.3668.66.camel@topaz.bugfinder.co.uk>

I'm trying to build a new FC6 machine to replace my aging FC4 box.

As with the FC4 box, I'd like to retain SELinux's strict policy in enforcing mode.

Eventually, I would like to run the machine up to run-level 5 in strict enforcing as I had done with FC4. For the present, all the testing is in run-level 3 on the console itself, as GDM login currently fails with SELinux enforcing and I haven't yet enabled sshd.

The first big hurdle I'm facing is sudo. On my old FC4 machine, I was able to add a user to /etc/sudoers, enable the "user_canbe_sysadm" tunable and recompile and reload the policy. Admittedly, I had to tweak policy to allow sudo's stdout to be pipeable, but aside from that I mostly had the ability to leave the machine permanently in strict/enforcing.

The FC6 machine was installed on a fresh disk, whereafter I reset /etc/sysconfig/selinux SELINUXTYPE=strict, touched /.autorelabel and rebooted.
I've updated the machine to all the latest FC6-Updates, in particular: kernel-2.6.18-1.2869.i686.rpm selinux-policy-strict-2.4.6-13.fc6.noarch.rpm Having amended /etc/sudoers to grant a "fred" test user sudo permission, I saw AVC's indicating the inability of sudo to write into /var/run/sudo, as well as an AVC indicating that sudo wasn't allowed to execute /bin/cat, i.e.: type=USER_AUTH msg=audit(1167906300.693:29): user pid=3072 uid=0 auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: authentication acct=fred : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 res=success)' type=USER_ACCT msg=audit(1167906300.700:30): user pid=3072 uid=0 auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: accounting acct=fred : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 res=success)' type=AVC msg=audit(1167906300.700:31): avc: denied { write } for pid=3072 comm="sudo" name="fred" dev=hda7 ino=420634 scontext=user_u:user_r:user_sudo_t:s0 tcontext=user_u:object_r:pam_var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1167906300.700:31): arch=40000003 syscall=5 success=no exit=-13 a0=8c1afd0 a1=241 a2=180 a3=8c1afd0 items=0 ppid=3013 pid=3072 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 tty=tty2 comm="sudo" exe="/usr/bin/sudo" subj=user_u:user_r:user_sudo_t:s0 key=(null) type=CRED_ACQ msg=audit(1167906300.702:32): user pid=3072 uid=0 auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: setcred acct=root : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 res=success)' type=AVC msg=audit(1167906300.702:33): avc: denied { search } for pid=3072 comm="sudo" scontext=user_u:user_r:user_sudo_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=key type=SYSCALL msg=audit(1167906300.702:33): arch=40000003 syscall=288 success=no exit=-13 a0=0 a1=fffffffd a2=0 a3=0 items=0 ppid=3013 pid=3072 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="sudo" exe="/usr/bin/sudo" subj=user_u:user_r:user_sudo_t:s0 
key=(null) type=USER_START msg=audit(1167906300.703:34): user pid=3072 uid=0 auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: session open acct=root : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 res=success)' type=USER_END msg=audit(1167906300.703:35): user pid=3072 uid=0 auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: session close acct=root : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 res=success)' type=AVC msg=audit(1167906300.704:36): avc: denied { execute } for pid=3072 comm="sudo" name="cat" dev=hda2 ino=323546 scontext=user_u:user_r:user_sudo_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file type=SYSCALL msg=audit(1167906300.704:36): arch=40000003 syscall=11 success=no exit=-13 a0=806e2e0 a1=bfd618e8 a2=8c26500 a3=8c26500 items=0 ppid=3013 pid=3072 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="sudo" exe="/usr/bin/sudo" subj=user_u:user_r:user_sudo_t:s0 key=(null) Somewhat bizarrely, of course, sudo continues to run even if it fails to write into /var/run/sudo. I guess this is arguably a bug in sudo itself, albeit relatively harmless. Setting SELinux to permissive, sudo worked Ok. I also tried changing "fred" from user_u to staff_u, since FC4 defaulted to only allowing for staff_u to use sudo, as in: # semanage login -a -s staff_u fred I then rm -rf'ed /var/run/sudo/*, and restorecon'ed /home/fred to correct the home directory labelling. This also failed with SELinux enforcing, and worked in permissive, giving similar AVC's where previous references to "user_..." appeared instead as "staff_..." I had a look at the various booleans available in the policy, and none seem to be relevant to this problem. All in all, I can't see an easy way of making sudo work, but the fact that the user_sudo_t and staff_sudo_t domains exist implies that the policy contains support for running sudo from either user_r or staff_r. Can anyone assist me in getting sudo to work on FC6/strict? 
Thanks,

--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

From redmonds98 at googlemail.com Thu Jan 4 14:24:07 2007
From: redmonds98 at googlemail.com (R Edmonds)
Date: Thu, 4 Jan 2007 14:24:07 +0000
Subject: FC5, Apache, Bugzilla, SELinux issues
Message-ID: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com>

Greetings out there in Penguin-land!

I'm going through the rather painful process of installing Bugzilla on an SELinux FC5 box. I'm almost there now, I think; however, I'm trying to add a local policy to SELinux for allowing Apache to execute .cgi scripts, and have hit a brick wall.

When I try to hit the Bugzilla page from a browser on the network I get this:

tail -f /var/log/messages output:

kernel: audit(1167911234.610:20): avc: denied { execute_no_trans } for pid=28833 comm="httpd" name="index.cgi" dev=dm-0 ino=34931972 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

So, following the guide in the fedora docs here, I generated a local.te using

audit2allow -m local -l -i /var/log/messages > local.te

compiled it using

checkmodule -M -m -o local.mod local.te

packaged it using

semodule_package -o local.pp -m local.mod

then attempted to add it to the current running policy using

semodule -i local.pp

This point is where I get stuck. I'm seeing this output when I execute the command:

tail -f /var/log/messages output:

Jan 4 11:56:13 svn kernel: security: 3 users, 6 roles, 1481 types, 152 bools, 1 sens, 256 cats
Jan 4 11:56:13 svn kernel: security: 58 classes, 43474 rules
Jan 4 11:56:13 svn dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=7) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Jan 4 11:56:13 svn dbus: Can't send to audit system: USER_AVC avc: 0 AV entries and 0/512 buckets used, longest chain length 0 : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Jan 4 11:56:13 svn kernel: audit(1167911773.820:21): policy loaded auid=4294967295

After looking around, I saw on this mailing list that this might be a bug in SELinux-Policy that was fixed in version 2.3.14-3. Yum doesn't seem to know about this newer version.

Am I barking up the wrong tree?

From paul at city-fan.org Thu Jan 4 14:35:20 2007
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 04 Jan 2007 14:35:20 +0000
Subject: FC5, Apache, Bugzilla, SELinux issues
In-Reply-To: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com>
References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com>
Message-ID: <459D10A8.1060709@city-fan.org>

Hi,

R Edmonds wrote:
> Greetings out there in Penguin-land!
>
> I'm going through the rather painful process of installing Bugzilla on an
> SELinux FC5 box. I'm almost there now, I think, however I'm trying to add a
> local policy to SELinux for allowing Apache to execute .cgi scripts, and
> have hit a brick wall.

Could you please take a look at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188359#c45 where an initial SELinux policy for the bugzilla package in Fedora Extras was proposed. Please try using this, following the instructions at the URL mentioned instead of using the module you generated using audit2allow (make sure you have the latest selinux-policy-devel package installed).

It was hoped to get this included much earlier but there was no active user of bugzilla that wanted to use SELinux around at that time to do any testing. Getting this working for you could benefit lots of people in the future.

Cheers, Paul.
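The audit2allow step that R Edmonds ran above, and whose output Stephen Smoogen quoted for the webalizer denial at the top of this digest, is at its core a grouping of denied permissions by source type, target type and object class. The following Python is an added example written for this page, not code from the thread or from the SELinux tools: it parses AVC records copied from the messages above (embedded as constructed sample input) and renders the module/require/allow layout that audit2allow -m local emits, so the reader can see exactly what the tool derives from a denial. A rule generated this way grants precisely what the denial asked for; for the httpd case that means httpd_t may execute every file labelled usr_t, which is why a package-specific policy like the one Paul points to is the better fix than a blanket allow rule.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the messages in this
# thread, one per line, as audit2allow would read them from audit.log or
# from dmesg / /var/log/messages.
SAMPLE_AVCS = """\
type=AVC msg=audit(1167649332.157:607): avc: denied { getattr } for pid=2739 comm="webalizer" name="/" dev=dm-3 ino=2 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1167649332.273:608): avc: denied { getattr } for pid=2737 comm="webalizer" name="/" dev=dm-3 ino=2 scontext=system_u:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
kernel: audit(1167911234.610:20): avc: denied { execute_no_trans } for pid=28833 comm="httpd" name="index.cgi" dev=dm-0 ino=34931972 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1167906300.700:31): avc: denied { write } for pid=3072 comm="sudo" name="fred" dev=hda7 ino=420634 scontext=user_u:user_r:user_sudo_t:s0 tcontext=user_u:object_r:pam_var_run_t:s0 tclass=dir
type=AVC msg=audit(1167906300.704:36): avc: denied { execute } for pid=3072 comm="sudo" name="cat" dev=hda2 ino=323546 scontext=user_u:user_r:user_sudo_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; a TE rule only names the type.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group("perms").split())


def collect_rules(text):
    """Group denied permissions by (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_perm_set(perms):
    """One permission bare, several in braces: the TE language's set syntax."""
    plist = sorted(perms)
    return plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"


def format_rule(stype, ttype, tclass, perms):
    return f"allow {stype} {ttype}:{tclass} {format_perm_set(perms)};"


def build_module(rules, name="local", version="1.0"):
    """Render a loadable-module source (.te) in the layout audit2allow -m emits."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {format_perm_set(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                out.append(format_rule(s, t, c, perms))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # The output is what you would feed to checkmodule -M -m -o local.mod local.te.
    print(build_module(collect_rules(SAMPLE_AVCS)))
```

For the webalizer records the generated line is "allow webalizer_t fs_t:filesystem getattr;", the same rule audit2allow printed in the first message. The require block lists every type and class the rules reference, which is what lets semodule link the module against the base policy without the module defining those types itself.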
From redmonds98 at googlemail.com Thu Jan 4 14:43:37 2007 From: redmonds98 at googlemail.com (R Edmonds) Date: Thu, 4 Jan 2007 14:43:37 +0000 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <459D10A8.1060709@city-fan.org> References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com> <459D10A8.1060709@city-fan.org> Message-ID: <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> Hi Paul, Thanks for your fast reply. I'll give this a blast right now. Best regards, R. On 04/01/07, Paul Howarth wrote: > > Hi, > > R Edmonds wrote: > > Greetings out there in Penguin-land! > > > > I'm going through the rather painful process of installing Bugzilla on > an > > SELinux FC5 box. I'm almost there now, I think, however I'm trying to > add a > > local policy to SELinux for allowing Apache to execute .cgi scripts, and > > have hit a brick wall. > > Could you please take a look at > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188359#c45 where an > initial SELinux policy for the bugzilla package in Fedora Extras was > proposed. Please try using this, following the instructions at the URL > mentioned instead of using the module you generated using audit2allow > (make sure you have the latest selinux-policy-devel package installed). > > It was hoped to get this included much earlier but there was no active > user of bugzilla that wanted to use SELinux around at that time to do > any testing. Getting this working for you could benefit lots of people > in the future. > > Cheers, Paul. > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From redmonds98 at googlemail.com Thu Jan 4 15:05:26 2007 From: redmonds98 at googlemail.com (R Edmonds) Date: Thu, 4 Jan 2007 15:05:26 +0000 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com> <459D10A8.1060709@city-fan.org> <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> Message-ID: <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> I seem to have fallen at the first hurdle. Following your instructions in the thread: Enable CGI scripts: # setsebool -P httpd_enable_cgi 1 I get the following: [root at svn ~]# setsebool -P httpd_enable_sgi 1 libsemanage.dbase_llist_set: record not found in the database libsemanage.dbase_llist_set: could not set record value Could not change boolean httpd_enable_sgi Could not change policy booleans [root at svn ~]# Perhaps I've made a schoolboy error here? Some prerequisite action to make setsebool happy? Best regards, R. On 04/01/07, R Edmonds wrote: > > Hi Paul, > > Thanks for your fast reply. I'll give this a blast right now. > > Best regards, > > R. > > On 04/01/07, Paul Howarth < paul at city-fan.org> wrote: > > > > Hi, > > > > R Edmonds wrote: > > > Greetings out there in Penguin-land! > > > > > > I'm going through the rather painful process of installing Bugzilla on > > an > > > SELinux FC5 box. I'm almost there now, I think, however I'm trying to > > add a > > > local policy to SELinux for allowing Apache to execute .cgi scripts, > > and > > > have hit a brick wall. > > > > Could you please take a look at > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188359#c45 where an > > > > initial SELinux policy for the bugzilla package in Fedora Extras was > > proposed. 
Please try using this, following the instructions at the URL > > mentioned instead of using the module you generated using audit2allow > > (make sure you have the latest selinux-policy-devel package installed). > > > > It was hoped to get this included much earlier but there was no active > > user of bugzilla that wanted to use SELinux around at that time to do > > any testing. Getting this working for you could benefit lots of people > > in the future. > > > > Cheers, Paul. > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From redmonds98 at googlemail.com Thu Jan 4 15:07:52 2007 From: redmonds98 at googlemail.com (R Edmonds) Date: Thu, 4 Jan 2007 15:07:52 +0000 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com> <459D10A8.1060709@city-fan.org> <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> Message-ID: <95ca7da0701040707l5e3d8e51pbc41807698dc9811@mail.gmail.com> Argh! did you spot my deliberate mistake there! /slaps forehead. Ignore me. *hangs head* On 04/01/07, R Edmonds wrote: > > I seem to have fallen at the first hurdle. Following your instructions in > the thread: > > Enable CGI scripts: > # setsebool -P httpd_enable_cgi 1 > > > I get the following: > > [root at svn ~]# setsebool -P httpd_enable_sgi 1 > libsemanage.dbase_llist_set: record not found in the database > libsemanage.dbase_llist_set: could not set record value > Could not change boolean httpd_enable_sgi > Could not change policy booleans > [root at svn ~]# > > Perhaps I've made a schoolboy error here? Some prerequisite action to > make setsebool happy? > > Best regards, > > R. > > > On 04/01/07, R Edmonds wrote: > > > > Hi Paul, > > > > Thanks for your fast reply. I'll give this a blast right now. > > > > Best regards, > > > > R. 
> > > > On 04/01/07, Paul Howarth < paul at city-fan.org> wrote: > > > > > > Hi, > > > > > > R Edmonds wrote: > > > > Greetings out there in Penguin-land! > > > > > > > > I'm going through the rather painful process of installing Bugzilla > > > on an > > > > SELinux FC5 box. I'm almost there now, I think, however I'm trying > > > to add a > > > > local policy to SELinux for allowing Apache to execute .cgi scripts, > > > and > > > > have hit a brick wall. > > > > > > Could you please take a look at > > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188359#c45 where > > > an > > > initial SELinux policy for the bugzilla package in Fedora Extras was > > > proposed. Please try using this, following the instructions at the URL > > > mentioned instead of using the module you generated using audit2allow > > > (make sure you have the latest selinux-policy-devel package > > > installed). > > > > > > It was hoped to get this included much earlier but there was no active > > > user of bugzilla that wanted to use SELinux around at that time to do > > > any testing. Getting this working for you could benefit lots of people > > > in the future. > > > > > > Cheers, Paul. > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sds at tycho.nsa.gov Thu Jan 4 15:08:06 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 04 Jan 2007 10:08:06 -0500 Subject: Problems with sudo on FC6 In-Reply-To: <1167919722.3668.66.camel@topaz.bugfinder.co.uk> References: <1167919722.3668.66.camel@topaz.bugfinder.co.uk> Message-ID: <1167923286.18961.64.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2007-01-04 at 14:08 +0000, Ted Rule wrote: > I'm trying to build a new FC6 machine to replace my aging FC4 box. > > As with the FC4 box, I'd like to retain SELinux's strict policy in > enforcing mode. > > Eventually, I would like to run the machine up to run-level 5 in strict > enforcing as I had done with FC4. 
For the present, all the testing is in > run-level 3 on the console itself, as GDM login currently fails with > SELinux enforcing and I haven't yet enabled sshd. > > The first big hurdle I'm facing is sudo. On my old FC4 machine, I was > able to add a user to /etc/sudoers, enable the "user_canbe_sysadm" > tunable and recompile and reload the policy. Admittedly, I had to tweak > policy to allow sudo's stdout to be pipeable, but asides from that I > mostly had the ability to leave the machine permanently in > strict/enforcing. > > The FC6 machine was installed on a fresh disk, whereafter I > reset /etc/sysconfig/selinux SELINUXTYPE=strict, touched /.autorelabel > and rebooted. > > > I've updated the machine to all the latest FC6-Updates, in particular: > > kernel-2.6.18-1.2869.i686.rpm > selinux-policy-strict-2.4.6-13.fc6.noarch.rpm > > > Having amended /etc/sudoers to grant a "fred" test user sudo permission, > I saw AVC's indicating the inability of sudo to write > into /var/run/sudo, as well as an AVC indicating that sudo wasn't > allowed to execute /bin/cat, i.e.: > > type=USER_AUTH msg=audit(1167906300.693:29): user pid=3072 uid=0 > auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: authentication > acct=fred : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 > res=success)' > type=USER_ACCT msg=audit(1167906300.700:30): user pid=3072 uid=0 > auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: accounting > acct=fred : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 > res=success)' > type=AVC msg=audit(1167906300.700:31): avc: denied { write } for > pid=3072 comm="sudo" name="fred" dev=hda7 ino=420634 > scontext=user_u:user_r:user_sudo_t:s0 > tcontext=user_u:object_r:pam_var_run_t:s0 tclass=dir > type=SYSCALL msg=audit(1167906300.700:31): arch=40000003 syscall=5 > success=no exit=-13 a0=8c1afd0 a1=241 a2=180 a3=8c1afd0 items=0 > ppid=3013 pid=3072 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 > sgid=500 fsgid=0 tty=tty2 comm="sudo" 
exe="/usr/bin/sudo" > subj=user_u:user_r:user_sudo_t:s0 key=(null) > type=CRED_ACQ msg=audit(1167906300.702:32): user pid=3072 uid=0 auid=500 > subj=user_u:user_r:user_sudo_t:s0 msg='PAM: setcred acct=root : > exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 res=success)' > type=AVC msg=audit(1167906300.702:33): avc: denied { search } for > pid=3072 comm="sudo" scontext=user_u:user_r:user_sudo_t:s0 > tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=key > type=SYSCALL msg=audit(1167906300.702:33): arch=40000003 syscall=288 > success=no exit=-13 a0=0 a1=fffffffd a2=0 a3=0 items=0 ppid=3013 > pid=3072 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=tty2 comm="sudo" exe="/usr/bin/sudo" > subj=user_u:user_r:user_sudo_t:s0 key=(null) > type=USER_START msg=audit(1167906300.703:34): user pid=3072 uid=0 > auid=500 subj=user_u:user_r:user_sudo_t:s0 msg='PAM: session open > acct=root : exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 > res=success)' > type=USER_END msg=audit(1167906300.703:35): user pid=3072 uid=0 auid=500 > subj=user_u:user_r:user_sudo_t:s0 msg='PAM: session close acct=root : > exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=tty2 res=success)' > type=AVC msg=audit(1167906300.704:36): avc: denied { execute } for > pid=3072 comm="sudo" name="cat" dev=hda2 ino=323546 > scontext=user_u:user_r:user_sudo_t:s0 > tcontext=system_u:object_r:bin_t:s0 tclass=file > type=SYSCALL msg=audit(1167906300.704:36): arch=40000003 syscall=11 > success=no exit=-13 a0=806e2e0 a1=bfd618e8 a2=8c26500 a3=8c26500 items=0 > ppid=3013 pid=3072 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > sgid=0 fsgid=0 tty=tty2 comm="sudo" exe="/usr/bin/sudo" > subj=user_u:user_r:user_sudo_t:s0 key=(null) > > > Somewhat bizarrely, of course, sudo continues to run even if it fails to > write into /var/run/sudo. I guess this is arguably a bug in sudo itself, > albeit relatively harmless. > > > Setting SELinux to permissive, sudo worked Ok. 
> > > I also tried changing "fred" from user_u to staff_u, since FC4 defaulted > to only allowing for staff_u to use sudo, as in: > > # semanage login -a -s staff_u fred > > I then rm -rf'ed /var/run/sudo/*, and restorecon'ed /home/fred to > correct the home directory labelling. > > > This also failed with SELinux enforcing, and worked in permissive, > giving similar AVC's where previous references to "user_..." appeared > instead as "staff_..." > > I had a look at the various booleans available in the policy, and none > seem to be relevant to this problem. > > All in all, I can't see an easy way of making sudo work, but the fact > that the user_sudo_t and staff_sudo_t domains exist implies that the > policy contains support for running sudo from either user_r or staff_r. > > > Can anyone assist me in getting sudo to work on FC6/strict? The /var/run/sudo denials seem like a bug in policy, either in the labeling of that directory or in the allow rules. I see a ifdef TODO block in sudo.if in the refpolicy that omits rules that were in the original example policy. The larger issue though is that in FC4 and earlier, sudo was modified to transition to a security context for "root" and to execute a helper (/usr/sbin/sesh) in order to try to provide transparent operation with SELinux, such that you could have e.g. bash (user_u:user_r:user_t) -> sudo (user_u:user_r:user_sudo_t) -> sesh (root:sysadm_r:sysadm_t) -> arbitrarycommand (root:sysadm_r:). This was similar to the su selinux integration, which used pam_selinux to set up a transition to a new security context for the new user identity as well. The approach was driven by transparency/compatibility rather than security, diverged from the original SELinux model, and caused unexpected problems (as reported on this list, in bugzilla, and elsewhere). In FC5 and later, SELinux reverted to its original model for strict policy, in which a change in Linux uid via su or sudo does not change SELinux user identity (i.e. 
authorized role set and range) and one must separately newrole to perform changes in role or level, and one is strictly bounded by one's initial login context. Thus, for sudo, you have to first be in user identity (set upon login) and role (set upon login or via newrole) authorized for what you want to do, and you have to set up policy to specify how you want sudo to transition upon executing the particular commands (other than the shell, which has a default transition back to the calling domain). Not transparent, but more correct. userhelper/usermode remains an exception that still has to be addressed. -- Stephen Smalley National Security Agency From empirical.humanist at gmail.com Thu Jan 4 15:18:40 2007 From: empirical.humanist at gmail.com (Kirk Lowery) Date: Thu, 4 Jan 2007 10:18:40 -0500 Subject: Post FC6 upgrade SELinux problem Message-ID: After upgrading from FC5 to FC6, my first clue was that X-Windows wouldn't come up because it could not find the 'fixed' font. This meant the xfs server wasn't working. 
Sure enough, dmesg showed:

audit(1167922474.426:78): avc: denied { read } for pid=2399 comm="xfs" name="fonts.dir" dev=hda5 ino=3260727 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

Looking through dmesg, I discovered many other "avc: denied" messages:

audit(1167922423.998:4): avc: denied { audit_write } for pid=376 comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
audit(1167922427.986:5): avc: denied { getattr } for pid=1369 comm="pam_console_app" name="adsp1" dev=tmpfs ino=5904 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1167922462.739:7): avc: denied { search } for pid=2083 comm="auditd" name="bin" dev=hda5 ino=1042531 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
audit(1167922463.659:12): avc: denied { write } for pid=2132 comm="dbus-daemon" name=".setrans-unix" dev=hda5 ino=423906 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
audit(1167922464.088:15): avc: denied { setuid } for pid=2154 comm="mount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
audit(1167922464.089:16): avc: denied { setgid } for pid=2154 comm="mount" capability=6 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
audit(1167922464.531:23): avc: denied { search } for pid=2193 comm="automount" name="1" dev=proc ino=65538 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1167922470.796:75): avc: denied { search } for pid=2249 comm="ntpd" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1167922474.229:76): avc: denied { write } for pid=2396 comm="restorecon" name=".setrans-unix" dev=hda5 ino=423906 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
audit(1167922474.426:78): avc: denied { read } for pid=2399 comm="xfs" name="fonts.dir" dev=hda5 ino=3260727 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

....and many, many more.

Clearly, my SELinux policies were seriously broken during the upgrade. So, how to recover? If I could get X-Windows up, would the new SELinux GUI be the way to go? Do I need to reinstall an SELinux package(s)? If so, which one(s)?

Suggestions, pointers much appreciated!

TIA,

Kirk

From sds at tycho.nsa.gov Thu Jan 4 15:13:48 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 04 Jan 2007 10:13:48 -0500 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com> <459D10A8.1060709@city-fan.org> <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> Message-ID: <1167923628.18961.67.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-01-04 at 15:05 +0000, R Edmonds wrote:
> I seem to have fallen at the first hurdle. Following your instructions in the thread:
>
> Enable CGI scripts:
> # setsebool -P httpd_enable_cgi 1
>
> I get the following:
>
> [root at svn ~]# setsebool -P httpd_enable_sgi 1
> libsemanage.dbase_llist_set: record not found in the database
> libsemanage.dbase_llist_set: could not set record value
> Could not change boolean httpd_enable_sgi
> Could not change policy booleans
> [root at svn ~]#
>
> Perhaps I've made a schoolboy error here? Some prerequisite action to make setsebool happy?

You typed "sgi" rather than "cgi"?

getsebool -a will display all booleans and their settings.
--
Stephen Smalley
National Security Agency

From redmonds98 at googlemail.com Thu Jan 4 15:33:09 2007 From: redmonds98 at googlemail.com (R Edmonds) Date: Thu, 4 Jan 2007 15:33:09 +0000 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <95ca7da0701040731m44e7cc82sdd10f80702cf3bec@mail.gmail.com> References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com> <459D10A8.1060709@city-fan.org> <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> <1167923628.18961.67.camel@moss-spartans.epoch.ncsc.mil> <95ca7da0701040731m44e7cc82sdd10f80702cf3bec@mail.gmail.com> Message-ID: <95ca7da0701040733x4dc1a8e9vc42eece2badcb4df@mail.gmail.com>

Indeed I did. Oh well, at least I got 3 posts in before making an ass of myself..

OK, next hurdle. The step in Paul's instructions:

# ln -s /usr/share/selinux/devel/Makefile .

I don't have a devel directory in that path. Again, some prerequisite I'm missing? I double checked for typos this time ;)

Bear with me folks!

> You typed "sgi" rather than "cgi"?
>
> getsebool -a will display all booleans and their settings.
>
> --
> Stephen Smalley
> National Security Agency
From paul at city-fan.org Thu Jan 4 15:38:18 2007 From: paul at city-fan.org (Paul Howarth) Date: Thu, 04 Jan 2007 15:38:18 +0000 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <95ca7da0701040733x4dc1a8e9vc42eece2badcb4df@mail.gmail.com> References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com> <459D10A8.1060709@city-fan.org> <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> <1167923628.18961.67.camel@moss-spartans.epoch.ncsc.mil> <95ca7da0701040731m44e7cc82sdd10f80702cf3bec@mail.gmail.com> <95ca7da0701040733x4dc1a8e9vc42eece2badcb4df@mail.gmail.com> Message-ID: <459D1F6A.7060308@city-fan.org>

R Edmonds wrote:
> Indeed I did. Oh well, at least I got 3 posts in before making an ass of myself..
>
> OK, next hurdle. The step in Paul's instructions:
>
> # ln -s /usr/share/selinux/devel/Makefile .
>
> I don't have a devel directory in that path. Again, some prerequisite I'm missing? I double checked for typos this time ;)
>
> Bear with me folks!

# yum install selinux-policy-devel

Paul.

From selinux at gmail.com Thu Jan 4 15:38:40 2007 From: selinux at gmail.com (Tom London) Date: Thu, 4 Jan 2007 07:38:40 -0800 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <95ca7da0701040733x4dc1a8e9vc42eece2badcb4df@mail.gmail.com> References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com> <459D10A8.1060709@city-fan.org> <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> <1167923628.18961.67.camel@moss-spartans.epoch.ncsc.mil> <95ca7da0701040731m44e7cc82sdd10f80702cf3bec@mail.gmail.com> <95ca7da0701040733x4dc1a8e9vc42eece2badcb4df@mail.gmail.com> Message-ID: <4c4ba1530701040738t425462e8td0ee9300ccd74c9a@mail.gmail.com>

On 1/4/07, R Edmonds wrote:
> Indeed I did. Oh well, at least I got 3 posts in before making an ass of myself..
>
> OK, next hurdle.
> The step in Paul's instructions:
>
> # ln -s /usr/share/selinux/devel/Makefile .

Try 'yum whatprovides /usr/share/selinux/devel/Makefile':

Loading "skip-broken" plugin
Loading "installonlyn" plugin
Setting up repositories
development 100% |=========================| 1.1 kB 00:00
extras-development 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Importing additional filelist information
filelists.xml.gz 100% |=========================| 2.5 MB 00:01
################################################## 2271/2271
filelists.xml.gz 100% |=========================| 3.0 MB 00:02
################################################## 4124/4124
selinux-policy-devel.noarch 2.4.6-21.fc7 development
Matched from:
/usr/share/selinux/devel/Makefile

So, you need to do a 'yum install selinux-policy-devel'.

tom
--
Tom London

From sds at tycho.nsa.gov Thu Jan 4 15:37:59 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 04 Jan 2007 10:37:59 -0500 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <95ca7da0701040733x4dc1a8e9vc42eece2badcb4df@mail.gmail.com> References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com> <459D10A8.1060709@city-fan.org> <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> <1167923628.18961.67.camel@moss-spartans.epoch.ncsc.mil> <95ca7da0701040731m44e7cc82sdd10f80702cf3bec@mail.gmail.com> <95ca7da0701040733x4dc1a8e9vc42eece2badcb4df@mail.gmail.com> Message-ID: <1167925079.18961.69.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-01-04 at 15:33 +0000, R Edmonds wrote:
> Indeed I did. Oh well, at least I got 3 posts in before making an ass of myself..
>
> OK, next hurdle. The step in Paul's instructions:
>
> # ln -s /usr/share/selinux/devel/Makefile .
>
> I don't have a devel directory in that path. Again, some prerequisite I'm missing?
> I double checked for typos this time ;)

yum install selinux-policy-devel checkpolicy

--
Stephen Smalley
National Security Agency

From redmonds98 at googlemail.com Thu Jan 4 16:14:32 2007 From: redmonds98 at googlemail.com (R Edmonds) Date: Thu, 4 Jan 2007 16:14:32 +0000 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <1167925079.18961.69.camel@moss-spartans.epoch.ncsc.mil> References: <95ca7da0701040624ucb936eav8987a08d9f3c6135@mail.gmail.com> <459D10A8.1060709@city-fan.org> <95ca7da0701040643g127608f3o55076023c37c9635@mail.gmail.com> <95ca7da0701040705p73ef5c66n16b76b2ec3541803@mail.gmail.com> <1167923628.18961.67.camel@moss-spartans.epoch.ncsc.mil> <95ca7da0701040731m44e7cc82sdd10f80702cf3bec@mail.gmail.com> <95ca7da0701040733x4dc1a8e9vc42eece2badcb4df@mail.gmail.com> <1167925079.18961.69.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <95ca7da0701040814t51781184t55e385aba3a3ce19@mail.gmail.com>

Thanks all for all the helpful replies. After a few more typos and a few more yum installs I've gotten the .pp created and attempted to load it with semodule -i bugzilla.pp. In /var/log/messages I see a similar error to my original post:

Jan 4 15:57:11 svn kernel: security: 3 users, 6 roles, 1489 types, 153 bools, 1 sens, 256 cats
Jan 4 15:57:11 svn kernel: security: 58 classes, 43765 rules
Jan 4 15:57:11 svn dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=13) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Jan 4 15:57:11 svn kernel: audit(1167926231.944:32): policy loaded auid=4294967295
Jan 4 15:57:11 svn dbus: Can't send to audit system: USER_AVC avc: 0 AV entries and 0/512 buckets used, longest chain length 0 : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)

However, when I try to hit the bugzilla site from a browser I don't see any avc denials in /var/log/messages anymore. So I guess that's fixed that! Great job!

Of course, Bugzilla STILL doesn't work. Ho hum... I'll go join some more mailing lists...
Thanks again for all the help guys. Time to check the rest of my Bugzilla install for errors now..

On 04/01/07, Stephen Smalley wrote:
> On Thu, 2007-01-04 at 15:33 +0000, R Edmonds wrote:
> > Indeed I did. Oh well, at least I got 3 posts in before making an ass of myself..
> >
> > OK, next hurdle. The step in Paul's instructions:
> >
> > # ln -s /usr/share/selinux/devel/Makefile .
> >
> > I don't have a devel directory in that path. Again, some prerequisite I'm missing? I double checked for typos this time ;)
>
> yum install selinux-policy-devel checkpolicy
>
> --
> Stephen Smalley
> National Security Agency

From linux_4ever at yahoo.com Thu Jan 4 18:50:01 2007 From: linux_4ever at yahoo.com (Steve G) Date: Thu, 4 Jan 2007 10:50:01 -0800 (PST) Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <95ca7da0701040814t51781184t55e385aba3a3ce19@mail.gmail.com> Message-ID: <20070104185001.81810.qmail@web51506.mail.yahoo.com>

> in /var/log/messages I see a similar error to my original post:
>
> Jan 4 15:57:11 svn kernel: security: 3 users, 6 roles, 1489 types, 153 bools, 1 sens, 256 cats
> Jan 4 15:57:11 svn kernel: security: 58 classes, 43765 rules
> Jan 4 15:57:11 svn dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=13) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)

These are not errors. Part of the problem is that the libselinux audit callback API only allows a format and varargs to be passed to the logging function. This means the logger has to assume that everything it sees is an AVC so it doesn't miss one. I'd like to correct this API problem at some point during the FC7 devel cycle so that the message type is also passed to the logger. This way we can properly label the audit events so that it says USER_POLICY_LOAD instead of USER_AVC, which tends to get people excited.
I also think that dbus could do a slightly better job of determining when it should send an audit message vs simply syslogging it. The user session bus does not have the privileges necessary to write to the audit system.

-Steve

From selinux at gmail.com Thu Jan 4 20:46:15 2007 From: selinux at gmail.com (Tom London) Date: Thu, 4 Jan 2007 12:46:15 -0800 Subject: more setroubleshoot troubles ;) Message-ID: <4c4ba1530701041246y58559018sda91a27f3ea39e33@mail.gmail.com>

Running latest rawhide, targeted enforcing.

Installing latest python-libs (fixes execstack issue in _ctypes.so) and other packages, and rebooting, I get the following AVCs:

type=AVC msg=audit(1167943082.579:7): avc: denied { execute } for pid=2331 comm="sh" name="ldconfig" dev=dm-0 ino=11337788 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.579:7): arch=40000003 syscall=11 success=no exit=-13 a0=91d4dd8 a1=91d4e58 a2=91d4330 a3=0 items=0 ppid=2330 pid=2331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1167943082.646:8): avc: denied { getattr } for pid=2331 comm="sh" name="ldconfig" dev=dm-0 ino=11337788 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.646:8): arch=40000003 syscall=195 success=no exit=-13 a0=91d4dd8 a1=bfcbee10 a2=47818ff4 a3=0 items=0 ppid=2330 pid=2331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1167943082.646:8): path="/sbin/ldconfig"
type=AVC msg=audit(1167943082.647:9): avc: denied { getattr } for pid=2331 comm="sh" name="ldconfig" dev=dm-0 ino=11337788 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.647:9): arch=40000003 syscall=195 success=no exit=-13 a0=91d4dd8 a1=bfcbed30 a2=47818ff4 a3=91d4dd8 items=0 ppid=2330 pid=2331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1167943082.647:9): path="/sbin/ldconfig"
type=AVC msg=audit(1167943082.756:10): avc: denied { execute_no_trans } for pid=2340 comm="ldd" name="ld-2.5.90.so" dev=dm-0 ino=7209012 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.756:10): arch=40000003 syscall=11 success=no exit=-13 a0=8196308 a1=8196988 a2=819cd48 a3=40 items=0 ppid=2339 pid=2340 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ldd" exe="/bin/bash" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1167943082.756:10): path="/lib/ld-2.5.90.so"
type=AVC msg=audit(1167943082.758:11): avc: denied { write } for pid=2253 comm="setroubleshootd" name="tmp" dev=dm-0 ino=2686977 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1167943082.758:11): arch=40000003 syscall=5 success=no exit=-13 a0=88b4970 a1=280c2 a2=180 a3=280c2 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1167943082.759:12): avc: denied { write } for pid=2253 comm="setroubleshootd" name="tmp" dev=dm-0 ino=65540 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1167943082.759:12): arch=40000003 syscall=5 success=no exit=-13 a0=8921b50 a1=280c2 a2=180 a3=280c2 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1167943082.759:13): avc: denied { write } for pid=2253 comm="setroubleshootd" name="tmp" dev=dm-0 ino=65540 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1167943082.759:13): arch=40000003 syscall=5 success=no exit=-13 a0=8921b50 a1=280c2 a2=180 a3=280c2 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1167943082.760:14): avc: denied { unlink } for pid=2253 comm="setroubleshootd" name="Yp9cip" dev=dm-0 ino=164238 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.760:14): arch=40000003 syscall=10 success=no exit=-13 a0=88c80c0 a1=1 a2=ae50b4 a3=874f1b0 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1167943082.765:15): avc: denied { execute } for pid=2342 comm="sh" name="ldconfig" dev=dm-0 ino=11337788 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.765:15): arch=40000003 syscall=11 success=no exit=-13 a0=8bd4dd8 a1=8bd4e58 a2=8bd4330 a3=0 items=0 ppid=2341 pid=2342 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1167943082.765:16): avc: denied { getattr } for pid=2342 comm="sh" name="ldconfig" dev=dm-0 ino=11337788 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.765:16): arch=40000003 syscall=195 success=no exit=-13 a0=8bd4dd8 a1=bfa425c0 a2=47818ff4 a3=0 items=0 ppid=2341 pid=2342 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1167943082.765:16): path="/sbin/ldconfig"
type=AVC msg=audit(1167943082.766:17): avc: denied { getattr } for pid=2342 comm="sh" name="ldconfig" dev=dm-0 ino=11337788 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.766:17): arch=40000003 syscall=195 success=no exit=-13 a0=8bd4dd8 a1=bfa424e0 a2=47818ff4 a3=8bd4dd8 items=0 ppid=2341 pid=2342 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1167943082.766:17): path="/sbin/ldconfig"
type=AVC msg=audit(1167943082.782:18): avc: denied { execute_no_trans } for pid=2345 comm="ldd" name="ld-2.5.90.so" dev=dm-0 ino=7209012 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.782:18): arch=40000003 syscall=11 success=no exit=-13 a0=84f4308 a1=84f4988 a2=84fad48 a3=40 items=0 ppid=2344 pid=2345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ldd" exe="/bin/bash" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1167943082.782:18): path="/lib/ld-2.5.90.so"
type=AVC msg=audit(1167943082.784:19): avc: denied { write } for pid=2253 comm="setroubleshootd" name="tmp" dev=dm-0 ino=2686977 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1167943082.784:19): arch=40000003 syscall=5 success=no exit=-13 a0=88c9600 a1=280c2 a2=180 a3=280c2 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1167943082.785:20): avc: denied { write } for pid=2253 comm="setroubleshootd" name="tmp" dev=dm-0 ino=65540 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1167943082.785:20): arch=40000003 syscall=5 success=no exit=-13 a0=8921b50 a1=280c2 a2=180 a3=280c2 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1167943082.786:21): avc: denied { write } for pid=2253 comm="setroubleshootd" name="tmp" dev=dm-0 ino=65540 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1167943082.786:21): arch=40000003 syscall=5 success=no exit=-13 a0=8921b50 a1=280c2 a2=180 a3=280c2 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1167943082.787:22): avc: denied { unlink } for pid=2253 comm="setroubleshootd" name="PRdzmq" dev=dm-0 ino=164259 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
type=SYSCALL msg=audit(1167943082.787:22): arch=40000003 syscall=10 success=no exit=-13 a0=88d22a0 a1=1 a2=ae50b4 a3=874f1b0 items=0 ppid=1 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)

tom
--
Tom London

From redmonds98 at googlemail.com Fri Jan 5 10:09:26 2007 From: redmonds98 at googlemail.com (R Edmonds) Date: Fri, 5 Jan 2007 10:09:26 +0000 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <20070104185001.81810.qmail@web51506.mail.yahoo.com> References: <95ca7da0701040814t51781184t55e385aba3a3ce19@mail.gmail.com> <20070104185001.81810.qmail@web51506.mail.yahoo.com> Message-ID: <95ca7da0701050209x6fc665efx481ac35e27533461@mail.gmail.com>

Once again, thanks to all who helped. I have Bugzilla successfully up and running on FC5 with SELinux!

A few notes about my experiences:

My install was Bugzilla 2.22.1, which had a bug in the groups preferences page. I grabbed the patch and after applying it the whole site went back to being broken.

I reloaded the policy and reran restorecon -rv /var/lib/bugzilla /var/www/html/bugzilla/ then all was well again.

If anyone has further questions feel free to ask.

Cheers.

R.

On 04/01/07, Steve G wrote:
> > in /var/log/messages I see a similar error to my original post:
> >
> > Jan 4 15:57:11 svn kernel: security: 3 users, 6 roles, 1489 types, 153 bools, 1 sens, 256 cats
> > Jan 4 15:57:11 svn kernel: security: 58 classes, 43765 rules
> > Jan 4 15:57:11 svn dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=13) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
>
> These are not errors. Part of the problem is that the libselinux audit callback API only allows a format and varargs to be passed to the logging function. This means the logger has to assume that everything it sees is an AVC so it doesn't miss one. I'd like to correct this API problem at some point during the FC7 devel cycle so that the message type is also passed to the logger.
> This way we can properly label the audit events so that it says USER_POLICY_LOAD instead of USER_AVC, which tends to get people excited.
>
> I also think that dbus could do a slightly better job of determining when it should send an audit message vs simply syslogging it. The user session bus does not have the privileges necessary to write to the audit system.
>
> -Steve

From paul at city-fan.org Fri Jan 5 10:20:22 2007 From: paul at city-fan.org (Paul Howarth) Date: Fri, 05 Jan 2007 10:20:22 +0000 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <95ca7da0701050209x6fc665efx481ac35e27533461@mail.gmail.com> References: <95ca7da0701040814t51781184t55e385aba3a3ce19@mail.gmail.com> <20070104185001.81810.qmail@web51506.mail.yahoo.com> <95ca7da0701050209x6fc665efx481ac35e27533461@mail.gmail.com> Message-ID: <459E2666.8000100@city-fan.org>

R Edmonds wrote:
> Once again, thanks to all who helped. I have Bugzilla successfully up and running on FC5 with SELinux!
>
> A few notes about my experiences:
>
> My install was Bugzilla 2.22.1, which had a bug in the groups preferences page. I grabbed the patch and after applying it the whole site went back to being broken.
>
> I reloaded the policy and reran restorecon -rv /var/lib/bugzilla /var/www/html/bugzilla/ then all was well again.

Reloading the policy should not be necessary (including after a reboot); the restorecon should be sufficient.

Are you using the bugzilla RPM from Extras, or a locally-installed version?

Paul.
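Steve G's point above (a USER_AVC record can be a policy-load notice rather than a denial) and Kirk Lowery's dmesg listing earlier in this digest both come down to reading AVC records field by field. The following triage script is an added example, not code from this thread, from setroubleshoot or from audit2allow: it separates real AVC denials from USER_AVC notices and collapses the denials into allow rules in the form audit2allow prints (the grouping by source type, target type and class is this script's own simplification). The sample records are copied from the posts in this thread.

```python
"""Triage SELinux audit records: tell real AVC denials apart from USER_AVC
notices, and summarise the denials as type-enforcement allow rules.

Added example for this digest; it is not setroubleshoot or audit2allow code.
The sample records below are copied from the posts in this thread."""
import re
from collections import defaultdict

# Kernel AVC denial: 'avc: denied { perm perm } for key=value key="value" ...'
AVC_DENIED_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
# One key=value field; values are either quoted or run to the next space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_RECORDS = [
    # Kirk Lowery's dmesg excerpts (kernel AVC denials)
    'audit(1167922474.426:78): avc: denied { read } for pid=2399 comm="xfs" '
    'name="fonts.dir" dev=hda5 ino=3260727 scontext=system_u:system_r:xfs_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'audit(1167922423.998:4): avc: denied { audit_write } for pid=376 '
    'comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0 '
    'tcontext=system_u:system_r:hwclock_t:s0 tclass=capability',
    'audit(1167922427.986:5): avc: denied { getattr } for pid=1369 '
    'comm="pam_console_app" name="adsp1" dev=tmpfs ino=5904 '
    'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'audit(1167922464.088:15): avc: denied { setuid } for pid=2154 comm="mount" '
    'capability=7 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:system_r:mount_t:s0 tclass=capability',
    'audit(1167922464.089:16): avc: denied { setgid } for pid=2154 comm="mount" '
    'capability=6 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:system_r:mount_t:s0 tclass=capability',
    # R Edmonds' /var/log/messages lines after semodule -i: not denials at all
    "Jan 4 15:57:11 svn dbus: Can't send to audit system: USER_AVC avc: received "
    'policyload notice (seqno=13) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)',
    "Jan 4 15:57:11 svn dbus: Can't send to audit system: USER_AVC avc: 0 AV entries "
    'and 0/512 buckets used, longest chain length 0 : exe="?" (sauid=81, hostname=?, '
    'addr=?, terminal=?)',
    'Jan 4 15:57:11 svn kernel: security: 58 classes, 43765 rules',
]


def classify(record):
    """'denial' for an AVC denial (kernel or USER_AVC), 'notice' for a USER_AVC
    line that only reports a policy load or cache statistics, else 'other'."""
    if AVC_DENIED_RE.search(record):
        return 'denial'
    if 'USER_AVC' in record:
        return 'notice'
    return 'other'


def context_type(context):
    """Type component of a user:role:type[:level[:cats]] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_denial(record):
    """Structured view of one AVC denial, or None if the record is not one
    or lacks the fields an allow rule needs."""
    m = AVC_DENIED_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= set(fields):
        return None
    return {
        'perms': sorted(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def triage(records):
    """Count records per class so a reader sees how many are real denials."""
    counts = {'denial': 0, 'notice': 0, 'other': 0}
    for record in records:
        counts[classify(record)] += 1
    return counts


def suggest_rules(records):
    """Collapse denials into allow rules keyed on (source, target, class),
    writing 'self' when source and target types coincide, as audit2allow does."""
    perms_by_key = defaultdict(set)
    for record in records:
        d = parse_denial(record)
        if d is not None:
            perms_by_key[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        target = 'self' if stype == ttype else ttype
        plist = sorted(perms)
        perm_text = plist[0] if len(plist) == 1 else '{ %s }' % ' '.join(plist)
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_text))
    return rules


if __name__ == '__main__':
    print(triage(SAMPLE_RECORDS))
    for rule in suggest_rules(SAMPLE_RECORDS):
        print(rule)
```

The rules it prints are a starting point for reading, not for loading: a denial such as mount_t needing setuid/setgid is a labelling or policy bug to report, not a permission to grant blindly.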
From redmonds98 at googlemail.com Fri Jan 5 10:55:16 2007 From: redmonds98 at googlemail.com (R Edmonds) Date: Fri, 5 Jan 2007 10:55:16 +0000 Subject: FC5, Apache, Bugzilla, SELinux issues In-Reply-To: <459E2666.8000100@city-fan.org> References: <95ca7da0701040814t51781184t55e385aba3a3ce19@mail.gmail.com> <20070104185001.81810.qmail@web51506.mail.yahoo.com> <95ca7da0701050209x6fc665efx481ac35e27533461@mail.gmail.com> <459E2666.8000100@city-fan.org> Message-ID: <95ca7da0701050255n15b96a33k32f640894b2c21e9@mail.gmail.com>

I installed bugzilla via yum to get all the perl modules installed nicely (perl CPAN was being an arse) then untar'd the latest bugzilla into /var/www/html/bugzilla/ and followed the setup docs from there.

Out of curiosity, I realise this is the wrong list for this... The skin on the Redhat bugzilla is really nice looking, where can I get me one of those? :) The default install layout is ugly!

On 05/01/07, Paul Howarth wrote:
> R Edmonds wrote:
> > Once again, thanks to all who helped. I have Bugzilla successfully up and running on FC5 with SELinux!
> >
> > A few notes about my experiences:
> >
> > My install was Bugzilla 2.22.1, which had a bug in the groups preferences page. I grabbed the patch and after applying it the whole site went back to being broken.
> >
> > I reloaded the policy and reran restorecon -rv /var/lib/bugzilla /var/www/html/bugzilla/ then all was well again.
>
> Reloading the policy should not be necessary (including after a reboot); the restorecon should be sufficient.
>
> Are you using the bugzilla RPM from Extras, or a locally-installed version?
>
> Paul.
From selinux at gmail.com Fri Jan 5 15:06:43 2007 From: selinux at gmail.com (Tom London) Date: Fri, 5 Jan 2007 07:06:43 -0800 Subject: more setroubleshoot troubles ;) In-Reply-To: <4c4ba1530701041246y58559018sda91a27f3ea39e33@mail.gmail.com> References: <4c4ba1530701041246y58559018sda91a27f3ea39e33@mail.gmail.com> Message-ID: <4c4ba1530701050706m531ed1d0y86355839c5ce606c@mail.gmail.com>

/var/log/messages shows (get this in permissive mode too):

Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:00,246 [plugin.ERROR] failed to load allow_daemons_dump_core plugin
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins
    mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/allow_daemons_dump_core.py", line 21, in <module>
    from setroubleshoot.util import *
SystemError: Parent module 'plugins' not loaded
Jan 5 06:49:00 localhost vmnet-dhcpd: All rights reserved.
Jan 5 06:49:00 localhost kernel: Normal 4096 -> 229376
Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:01,134 [plugin.ERROR] failed to load catchall plugin
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins
    mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/catchall.py", line 22, in <module>
    from setroubleshoot.util import *
SystemError: Parent module 'plugins' not loaded
<<<<....>>>>>
Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:02,142 [plugin.ERROR] failed to load httpd_enable_homedirs plugin
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins
    mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/httpd_enable_homedirs.py", line 19, in <module>
    from setroubleshoot.util import *
SystemError: Parent module 'plugins' not loaded
Jan 5 06:49:03 localhost vmnet-dhcpd: For info, please visit http://www.isc.org/dhcp-contrib.html
Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,505 [plugin.ERROR] failed to load home_tmp_bad_labels plugin
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins
    mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/home_tmp_bad_labels.py", line 19, in <module>
    from setroubleshoot.util import *
SystemError: Parent module 'plugins' not loaded
Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,539 [plugin.ERROR] failed to load allow_httpd_sys_script_anon_write plugin
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins
    mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/allow_httpd_sys_script_anon_write.py", line 19, in <module>
    from setroubleshoot.util import *
SystemError: Parent module 'plugins' not loaded
Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,558 [plugin.ERROR] failed to load allow_execstack plugin
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins
    mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/allow_execstack.py", line 19, in <module>
    from setroubleshoot.util import *
SystemError: Parent module 'plugins' not loaded
Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,814 [plugin.ERROR] failed to load public_content plugin
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins
    mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir]))
  File "/usr/share/setroubleshoot/plugins/public_content.py", line 19, in <module>
    from setroubleshoot.util import *
SystemError: Parent module 'plugins' not loaded

etc.

From jdennis at redhat.com Fri Jan 5 15:45:06 2007 From: jdennis at redhat.com (John Dennis) Date: Fri, 05 Jan 2007 10:45:06 -0500 Subject: more setroubleshoot troubles ;) In-Reply-To: <4c4ba1530701050706m531ed1d0y86355839c5ce606c@mail.gmail.com> References: <4c4ba1530701041246y58559018sda91a27f3ea39e33@mail.gmail.com> <4c4ba1530701050706m531ed1d0y86355839c5ce606c@mail.gmail.com> Message-ID: <1168011907.25851.24.camel@junko.usersys.redhat.com>

Thank you for bringing these issues to our attention, I'm going to be looking into them and I very much appreciate your input. But I have a favor to ask: because your mail client wraps long lines, the information you're posting is very hard to read. It would be better to use the bugzilla system rather than posting a problem report to an email list.
The preferred procedure is to open a bugzilla and then *attach* the log information to the bug report (not paste into the comment section). This just makes it way easier for us to deal with these reports (because they are tracked, not buried in an inbox, and the logs can be read, parsed and not clutter the comment dialog). The easier it is for us to deal with problem reports the more likely they will get immediate attention.

In the cases when it still makes sense to send log information to a mailing list please either set your mail client to not wrap text or better yet include it as an attachment.

I'm replying to the list to encourage others to follow the same practice.

--
John Dennis

From selinux at gmail.com Fri Jan 5 15:53:42 2007 From: selinux at gmail.com (Tom London) Date: Fri, 5 Jan 2007 07:53:42 -0800 Subject: more setroubleshoot troubles ;) In-Reply-To: <4c4ba1530701050750k2dd65052l18f1f952112dd563@mail.gmail.com> References: <4c4ba1530701041246y58559018sda91a27f3ea39e33@mail.gmail.com> <4c4ba1530701050706m531ed1d0y86355839c5ce606c@mail.gmail.com> <1168011907.25851.24.camel@junko.usersys.redhat.com> <4c4ba1530701050750k2dd65052l18f1f952112dd563@mail.gmail.com> Message-ID: <4c4ba1530701050753g73dfa95gefe8f8a704e7a9df@mail.gmail.com>

On 1/5/07, Tom London wrote:
> Sorry... no problem. Will do.
>
> tom
> --
> Tom London

Argh....gmail didn't type the attachments properly. Let me try again.

tom
--
Tom London
Jan 5 06:48:59 localhost kernel: DMA 0 -> 4096 Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:00,246 [plugin.ERROR] failed to load allow_daemons_dump_core plugin Traceback (most recent call last): File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir])) File "/usr/share/setroubleshoot/plugins/allow_daemons_dump_core.py", line 21, in from setroubleshoot.util import * SystemError: Parent module 'plugins' not loaded Jan 5 06:49:00 localhost vmnet-dhcpd: All rights reserved. Jan 5 06:49:00 localhost kernel: Normal 4096 -> 229376 Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:01,134 [plugin.ERROR] failed to load catchall plugin Traceback (most recent call last): File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir])) File "/usr/share/setroubleshoot/plugins/catchall.py", line 22, in from setroubleshoot.util import * SystemError: Parent module 'plugins' not loaded Jan 5 06:49:01 localhost vmnet-dhcpd: Jan 5 06:49:01 localhost kernel: HighMem 229376 -> 521952 Jan 5 06:49:02 localhost kernel: early_node_map[1] active PFN ranges Jan 5 06:49:02 localhost vmnet-dhcpd: Please contribute if you find this software useful. 
Jan 5 06:49:02 localhost kernel: 0: 0 -> 521952 Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:02,142 [plugin.ERROR] failed to load httpd_enable_homedirs plugin Traceback (most recent call last): File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir])) File "/usr/share/setroubleshoot/plugins/httpd_enable_homedirs.py", line 19, in from setroubleshoot.util import * SystemError: Parent module 'plugins' not loaded Jan 5 06:49:03 localhost vmnet-dhcpd: For info, please visit http://www.isc.org/dhcp-contrib.html Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,505 [plugin.ERROR] failed to load home_tmp_bad_labels plugin Traceback (most recent call last): File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir])) File "/usr/share/setroubleshoot/plugins/home_tmp_bad_labels.py", line 19, in from setroubleshoot.util import * SystemError: Parent module 'plugins' not loaded Jan 5 06:49:03 localhost vmnet-dhcpd: Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,539 [plugin.ERROR] failed to load allow_httpd_sys_script_anon_write plugin Traceback (most recent call last): File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir])) File "/usr/share/setroubleshoot/plugins/allow_httpd_sys_script_anon_write.py", line 19, in from setroubleshoot.util import * SystemError: Parent module 'plugins' not loaded Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,558 [plugin.ERROR] failed to load allow_execstack plugin Traceback (most recent call last): File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir])) 
File "/usr/share/setroubleshoot/plugins/allow_execstack.py", line 19, in from setroubleshoot.util import * SystemError: Parent module 'plugins' not loaded Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,814 [plugin.ERROR] failed to load public_content plugin Traceback (most recent call last): File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir])) File "/usr/share/setroubleshoot/plugins/public_content.py", line 19, in from setroubleshoot.util import * SystemError: Parent module 'plugins' not loaded Jan 5 06:49:03 localhost vmnet-dhcpd: Configured subnet: 192.168.8.0 Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,820 [plugin.ERROR] failed to load httpd_bad_labels plugin Traceback (most recent call last): File "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, in load_plugins mod = imp.load_module(module_name, *imp.find_module(plugin_name, [plugin_dir])) File "/usr/share/setroubleshoot/plugins/httpd_bad_labels.py", line 19, in from setroubleshoot.util import * SystemError: Parent module 'plugins' not loaded Jan 5 06:49:03 localhost vmnet-dhcpd: Setting vmnet-dhcp IP address: 192.168.8.254 Jan 5 06:49:03 localhost vmnet-dhcpd: Recving on VNet/vmnet1/192.168.8.0 From selinux at gmail.com Fri Jan 5 15:50:40 2007 From: selinux at gmail.com (Tom London) Date: Fri, 5 Jan 2007 07:50:40 -0800 Subject: more setroubleshoot troubles ;) In-Reply-To: <1168011907.25851.24.camel@junko.usersys.redhat.com> References: <4c4ba1530701041246y58559018sda91a27f3ea39e33@mail.gmail.com> <4c4ba1530701050706m531ed1d0y86355839c5ce606c@mail.gmail.com> <1168011907.25851.24.camel@junko.usersys.redhat.com> Message-ID: <4c4ba1530701050750k2dd65052l18f1f952112dd563@mail.gmail.com> On 1/5/07, John Dennis wrote: > Thank you for bringing these issues to our attention, I'm going to be > looking into them and I very much appreciate your input. 
> But I have a favor to ask, because your mail client wraps long lines the information
> you're posting is very hard to read.
>
> It would be better to use the bugzilla system rather than posting a problem
> report to an email list. The preferred procedure is to open a bugzilla
> and then *attach* the log information to the bug report (not paste into
> the comment section). This just makes it way easier for us to deal with
> these reports (because they are tracked, not buried in an inbox, and the
> logs can be read, parsed and not clutter the comment dialog). The easier
> it is for us to deal with problem reports the more likely they will get
> immediate attention.
>
> In the cases when it still makes sense to send log information to a
> mailing list please either set your mail client to not wrap text or
> better yet include it as an attachment.
>
> I'm replying to the list to encourage others to follow the same
> practice.
>
> --
> John Dennis
>

Sorry... no problem. Will do.

tom
--
Tom London
-------------- next part --------------
A non-text attachment was scrubbed...
Name: se.log
Type: text/x-log
Size: 13347 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: se.mess
Type: application/octet-stream
Size: 5113 bytes
Desc: not available
URL:

From wart at kobold.org Fri Jan 5 22:44:11 2007
From: wart at kobold.org (Wart)
Date: Fri, 05 Jan 2007 14:44:11 -0800
Subject: policy build failure
Message-ID: <459ED4BB.7030901@kobold.org>

I just tried rebuilding the policy files for a package that I am working on (cyphesis), and started getting this syntax error in Rawhide:

% make NAME=strict -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
Compiling strict cyphesis module
tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow' on line 3871:

allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from tmp/cyphesis.tmp

This was done using the latest:
checkpolicy 1.33.1-2.fc7
selinux-policy 2.4.6-21.fc7
selinux-policy-devel 2.4.6-21.fc7
policycoreutils 1.33.6-9.fc7

Any ideas on how to work around this?

--Wart

From ejtr at layer3.co.uk Mon Jan 8 16:07:40 2007
From: ejtr at layer3.co.uk (Ted Rule)
Date: Mon, 08 Jan 2007 16:07:40 +0000
Subject: anacron under FC6/SELinux/strict
In-Reply-To: <1168268331.3569.7.camel@topaz.bugfinder.co.uk>
References: <1168209454.3534.20.camel@topaz.bugfinder.co.uk> <1168255768.3638.19.camel@topaz.bugfinder.co.uk> <1168268331.3569.7.camel@topaz.bugfinder.co.uk>
Message-ID: <1168272461.3569.37.camel@topaz.bugfinder.co.uk>

I've patched my local FC6 strict policy to accommodate the use of anacron; as the machine is generally powered off overnight, anacron gets far more usage than crond. The FC6 strict policy, selinux-policy-2.4.6-17.fc6.noarch.rpm, appeared to fail to run the overnight jobs in the correct domains.

Whilst investigating the issue, I noted the following:

crond starts up in crond_t, but seemingly transitions itself to system_crond_t via setexeccon().
anacron is also started in crond_t, but doesn't bother to call setexeccon(), and hence remains forever in crond_t.

Under targeted policy only, crond_t is a typealias for system_crond_t.

The various auto-transitions to logrotate_t, logwatch_t and so on are apparently linked to system_crond_t rather than crond_t. Hence anacron jobs never transition to system_crond_t, unless the policy is targeted, in which case anacron is already in system_crond_t by virtue of the typealias.

The fcron package in Extras appears to have sufficient functionality to replace both anacron and cron, and also knows about setexeccon(), but I didn't investigate this further.

The nsarefpolicy contains a separate transition from initrc_t to system_crond_t for anacron_exec_t, but the latest FC6 policy (selinux-policy-2.4.6-17.fc6.noarch.rpm) has both the anacron_exec_t definition and the alternative transition patched out. The latest rawhide policy contains some additional fixes for anacron covering /var/spool/anacron and /var/lock usage, but not the anacron_exec_t definition or the initrc_t -> system_crond_t transition.

Because the cron.fc already defines a label for /usr/sbin/anacron, I've manually labelled /usr/sbin/anacron to anacron_exec_t for the present. Obviously this label will be undone by any /.autorelabel I'm forced to invoke, until such time as this patch, or an equivalent fix, is released.

My current patch module, incorporating the cron fixes already in selinux-policy-2.4.6-21.fc6.noarch.rpm, is as below. The ifdef strict clause at the end avoids a double definition of the same policy on targeted, where crond_t and system_crond_t are the same thing.

I guess that in an ideal world, anacron itself would be patched to launch all its child jobs in system_crond_t, further emulating crond's behaviour, and thereby avoiding this fixup.
[root at topaz ~]# cat /root/selinux.local/localanacron.fc
# anacrond executable will have:
# label: system_u:object_r:anacron_exec_t
# MLS sensitivity: s0
# MCS categories:
# We can't easily override the /usr/sbin/anacron setting in Fedora policy, so we create
# a clone binary and label it as anacron_exec_t
/usr/sbin/anacrond -- gen_context(system_u:object_r:anacron_exec_t,s0)
/var/lock/subsys/anacron -- gen_context(system_u:object_r:system_crond_lock_t,s0)
/var/spool/anacron(/.*)? gen_context(system_u:object_r:cron_spool_t,s0)
[root at topaz ~]#
[root at topaz ~]# cat /root/selinux.local/localanacron.te
policy_module(localanacron,0.1.1)

require {
	type system_crond_t;
	type system_crond_lock_t;
	type cron_spool_t;
	type crond_var_run_t;
}

########################################
#
# Anacron local policy
#

type anacron_exec_t;
corecmd_executable_file(anacron_exec_t)

# anacron transitions directly to system_crond_t,
# rather than crond_t, because it doesn't currently
# perform a setexeccon internally
init_daemon_domain(system_crond_t,anacron_exec_t)

# Allow anacron to update spool files in /var/spool/anacron
allow system_crond_t cron_spool_t:file create_file_perms;

# This is to handle creation of files in the /var/lock directory (anacron)
allow system_crond_t system_crond_lock_t:file create_file_perms;
files_lock_filetrans(system_crond_t,system_crond_lock_t,file)

# Allow anacron to write to /var/run/anacron.pid
ifdef(`strict_policy',`
allow system_crond_t crond_var_run_t:file create_file_perms;
files_pid_filetrans(system_crond_t,crond_var_run_t,file)
')
[root at topaz ~]#

--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

From linux_4ever at yahoo.com Mon Jan 8 16:45:02 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Mon, 8 Jan 2007 08:45:02 -0800 (PST)
Subject: anacron under FC6/SELinux/strict
In-Reply-To: <1168272461.3569.37.camel@topaz.bugfinder.co.uk>
Message-ID: <20070108164502.88047.qmail@web51504.mail.yahoo.com>

>I guess that in an ideal world, anacron itself would be patched to
>launch all its child jobs in system_crond_t, further emulating crond's
>behaviour, and thereby avoiding this fixup.

Sounds like the right thing to do. Please bz it. I also wonder if atd has the same issue.

-Steve

From dwalsh at redhat.com Mon Jan 8 20:45:30 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 08 Jan 2007 15:45:30 -0500
Subject: selinux and oracle
In-Reply-To:
References:
Message-ID: <45A2AD6A.6050508@redhat.com>

Jack Null wrote:
> I have a RHEL4U4 server that will become an Oracle 10gR2 server in
> three weeks. Almost all of the documentation I have seen about
> installing oracle on a selinux enabled server says to turn off
> selinux. Only 1 document said that oracle and selinux can function
> together. So can oracle and selinux play nice or do I have to turn it
> off?

They should be able to play nice. The only place they might hit would be if there is a web interface. Oracle might also be seeking to eke out every bit of performance.
SELinux can add some load between 2-20% depending on which performance test you run.

> Thanks,
> Adam
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Mon Jan 8 20:49:08 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 08 Jan 2007 15:49:08 -0500
Subject: Process for creating Fedora selinux-policy packages
In-Reply-To: <459AEFDF.5040500@richardfearn.co.uk>
References: <459AEFDF.5040500@richardfearn.co.uk>
Message-ID: <45A2AE44.7010804@redhat.com>

Richard Fearn wrote:
> Hello,
>
> Due to an SELinux bug I reported in August, I've been trying to
> understand the selinux-policy packages to see how they're built. I
> understand the principle of taking the upstream refpolicy, modifying
> it and building the Fedora-specific packages. However, I'm struggling
> to see where the refpolicy is coming from.
>
> For example, as I write this, the latest FC6 selinux-policy package
> pushed to the repositories is 2.4.6-1. According to the "sources" file
> in CVS, this package is built using serefpolicy-2.4.6.tgz. If I get
> serefpolicy-2.4.6.tgz from the lookaside repository then the VERSION
> file in it says 20061018. However, the contents of
> serefpolicy-2.4.6.tgz differ a great deal from the "official" 20061018
> version of the reference policy from Tresys.
>
> I could understand it if the Fedora selinux-policy packages were
> directly based on the 20061018 version of the refpolicy from Tresys,
> but there seems to be an intermediate stage of development that
> produces the serefpolicy-2.x.x.tgz files in the lookaside repository.
>
> My question is: is there a CVS repository somewhere for a "Fedora
> reference policy", that is used to build all these serefpolicy files?
>
The numbering is being done by me. I am just taking CVS dumps off of Tresys policy and applying patches. When I update to the latest policy from Tresys, I build my own policy tarball off of the current cvs/svn version and apply my patch. Tresys at some later time releases a version with the date you have. So it is difficult to match up my release with what Tresys is releasing.

> Thanks
>
> Richard Fearn
>

From dwalsh at redhat.com Mon Jan 8 20:52:23 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 08 Jan 2007 15:52:23 -0500
Subject: Post FC6 upgrade SELinux problem
In-Reply-To:
References:
Message-ID: <45A2AF07.1040100@redhat.com>

Kirk Lowery wrote:
> After upgrading from FC5 to FC6, my first clue was that X-Windows
> wouldn't come up because it could not find the 'fixed' font. This
> meant the xfs server wasn't working.
> Sure enough, dmesg showed:
>
> audit(1167922474.426:78): avc: denied { read } for pid=2399 comm="xfs" name="fonts.dir" dev=hda5 ino=3260727 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> Looking through dmesg, I discovered many other "avc: denied" messages:
>
> audit(1167922423.998:4): avc: denied { audit_write } for pid=376 comm="hwclock" capability=29 scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:hwclock_t:s0 tclass=capability
>
> audit(1167922427.986:5): avc: denied { getattr } for pid=1369 comm="pam_console_app" name="adsp1" dev=tmpfs ino=5904 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> audit(1167922462.739:7): avc: denied { search } for pid=2083 comm="auditd" name="bin" dev=hda5 ino=1042531 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
>
> audit(1167922463.659:12): avc: denied { write } for pid=2132 comm="dbus-daemon" name=".setrans-unix" dev=hda5 ino=423906 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
>
> audit(1167922464.088:15): avc: denied { setuid } for pid=2154 comm="mount" capability=7 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
>
> audit(1167922464.089:16): avc: denied { setgid } for pid=2154 comm="mount" capability=6 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
>
> audit(1167922464.531:23): avc: denied { search } for pid=2193 comm="automount" name="1" dev=proc ino=65538 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
>
> audit(1167922470.796:75): avc: denied { search } for pid=2249 comm="ntpd" name="net" dev=proc ino=-268435432 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
>
> audit(1167922474.229:76): avc: denied { write } for pid=2396 comm="restorecon" name=".setrans-unix" dev=hda5 ino=423906 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
>
> audit(1167922474.426:78): avc: denied { read } for pid=2399 comm="xfs" name="fonts.dir" dev=hda5 ino=3260727 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> ....and many, many more. Clearly, my SELinux policies were seriously
> broken during the upgrade. So, how to recover? If I could get
> X-Windows up, would the new SELinux GUI be the way to go? Do I need to
> reinstall an SELinux package(s)? If so, which one(s)?
>
> Suggestions, pointers much appreciated!
>
> TIA,

Looks like you have a badly labeled system. You should be able to boot in permissive mode. (Add enforcing=0 to kernel line)

touch /.autorelabel; reboot

Then

yum -y upgrade selinux-policy

and

yum -y upgrade

> Kirk
>

From sds at tycho.nsa.gov Mon Jan 8 20:48:56 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 08 Jan 2007 15:48:56 -0500
Subject: Process for creating Fedora selinux-policy packages
In-Reply-To: <45A2AE44.7010804@redhat.com>
References: <459AEFDF.5040500@richardfearn.co.uk> <45A2AE44.7010804@redhat.com>
Message-ID: <1168289336.7993.32.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-01-08 at 15:49 -0500, Daniel J Walsh wrote:
> Richard Fearn wrote:
> > Hello,
> >
> > Due to an SELinux bug I reported in August, I've been trying to
> > understand the selinux-policy packages to see how they're built. I
> > understand the principle of taking the upstream refpolicy, modifying
> > it and building the Fedora-specific packages. However, I'm struggling
> > to see where the refpolicy is coming from.
> >
> > For example, as I write this, the latest FC6 selinux-policy package
> > pushed to the repositories is 2.4.6-1. According to the "sources" file
> > in CVS, this package is built using serefpolicy-2.4.6.tgz. If I get
> > serefpolicy-2.4.6.tgz from the lookaside repository then the VERSION
> > file in it says 20061018. However, the contents of
> > serefpolicy-2.4.6.tgz differ a great deal from the "official" 20061018
> > version of the reference policy from Tresys.
> >
> > I could understand it if the Fedora selinux-policy packages were
> > directly based on the 20061018 version of the refpolicy from Tresys,
> > but there seems to be an intermediate stage of development that
> > produces the serefpolicy-2.x.x.tgz files in the lookaside repository.
> >
> > My question is: is there a CVS repository somewhere for a "Fedora
> > reference policy", that is used to build all these serefpolicy files?
> >
> The numbering is being done by me. I am just taking CVS dumps off of
> Tresys policy and applying patches. When I update to the latest policy
> from Tresys, I build my own policy tarball off of the current cvs/svn
> version and apply my patch. Tresys at some later time releases a
> version with the date you have. So it is difficult to match up my
> release with what Tresys is releasing.

Hmmm...possibly you could save the svn revision number from their svn tree, either as a file in the tarball or as part of the package version or release number, so that one could easily find the specific svn revision it matches?
--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon Jan 8 21:00:41 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 08 Jan 2007 16:00:41 -0500
Subject: policy build failure
In-Reply-To: <459ED4BB.7030901@kobold.org>
References: <459ED4BB.7030901@kobold.org>
Message-ID: <45A2B0F9.6070709@redhat.com>

Wart wrote:
> I just tried rebuilding the policy files for a package that I am
> working on (cyphesis), and started getting this syntax error in Rawhide:
>
> % make NAME=strict -f /usr/share/selinux/devel/Makefile
> cat: /selinux/mls: No such file or directory
> Compiling strict cyphesis module
> tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow' on
> line 3871:
>
> allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> /usr/bin/checkmodule: loading policy configuration from tmp/cyphesis.tmp
>
Why don't you have /selinux/mls?
> This was done using the latest:
> checkpolicy 1.33.1-2.fc7
> selinux-policy 2.4.6-21.fc7
> selinux-policy-devel 2.4.6-21.fc7
> policycoreutils 1.33.6-9.fc7
>
> Any ideas on how to work around this?
>
> --Wart
>

From sds at tycho.nsa.gov Mon Jan 8 20:55:49 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 08 Jan 2007 15:55:49 -0500
Subject: policy build failure
In-Reply-To: <45A2B0F9.6070709@redhat.com>
References: <459ED4BB.7030901@kobold.org> <45A2B0F9.6070709@redhat.com>
Message-ID: <1168289749.7993.40.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-01-08 at 16:00 -0500, Daniel J Walsh wrote:
> Wart wrote:
> > I just tried rebuilding the policy files for a package that I am
> > working on (cyphesis), and started getting this syntax error in Rawhide:
> >
> > % make NAME=strict -f /usr/share/selinux/devel/Makefile
> > cat: /selinux/mls: No such file or directory
> > Compiling strict cyphesis module
> > tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow' on
> > line 3871:
> >
> > allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
> > /usr/bin/checkmodule: error(s) encountered while parsing configuration
> > /usr/bin/checkmodule: loading policy configuration from tmp/cyphesis.tmp
> >
> Why don't you have /selinux/mls?

SELinux disabled on the build host? Or building in a chroot that doesn't have selinuxfs mounted?

--
Stephen Smalley
National Security Agency

From bofh1234 at hotmail.com Mon Jan 8 21:14:12 2007
From: bofh1234 at hotmail.com (Adam Turk)
Date: Mon, 08 Jan 2007 16:14:12 -0500
Subject: oracle and selinux
In-Reply-To: <200701061925.08556.sgrubb@redhat.com>
Message-ID:

>From: Steve Grubb
>
>On Saturday 06 January 2007 18:43, Adam Turk wrote:
> > I guess I will try the install with selinux enabled and see what
>happens.
>
>Yes and please tell us if you get any AVCs.

I asked for the update because there was some talk back on April 13, 2004 about Russell Coker working on a selinux policy for oracle. The install is scheduled for the end of the month.
I will put selinux in enforcing mode and let the list know what happens.

Thanks,

From wart at kobold.org Mon Jan 8 21:55:50 2007
From: wart at kobold.org (Michael Thomas)
Date: Mon, 08 Jan 2007 13:55:50 -0800
Subject: policy build failure
In-Reply-To: <1168289749.7993.40.camel@moss-spartans.epoch.ncsc.mil>
References: <459ED4BB.7030901@kobold.org> <45A2B0F9.6070709@redhat.com> <1168289749.7993.40.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <45A2BDE6.4040302@kobold.org>

Stephen Smalley wrote:
> On Mon, 2007-01-08 at 16:00 -0500, Daniel J Walsh wrote:
>> Wart wrote:
>>> I just tried rebuilding the policy files for a package that I am
>>> working on (cyphesis), and started getting this syntax error in Rawhide:
>>>
>>> % make NAME=strict -f /usr/share/selinux/devel/Makefile
>>> cat: /selinux/mls: No such file or directory
>>> Compiling strict cyphesis module
>>> tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow' on
>>> line 3871:
>>>
>>> allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
>>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>>> /usr/bin/checkmodule: loading policy configuration from tmp/cyphesis.tmp
>>>
>> Why don't you have /selinux/mls?
>
> SELinux disabled on the build host? Or building in a chroot that
> doesn't have selinuxfs mounted?

The latter. I'm building in the mock chroot environment. I'm not concerned about the missing /selinux/mls error, as that doesn't seem to prevent the build from finishing. I've always seen this error when building in mock. The real problem is the new syntax error when compiling the module.
--Wart

From dwalsh at redhat.com Tue Jan 9 14:03:32 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 09 Jan 2007 09:03:32 -0500
Subject: policy build failure
In-Reply-To: <45A2BDE6.4040302@kobold.org>
References: <459ED4BB.7030901@kobold.org> <45A2B0F9.6070709@redhat.com> <1168289749.7993.40.camel@moss-spartans.epoch.ncsc.mil> <45A2BDE6.4040302@kobold.org>
Message-ID: <45A3A0B4.4020306@redhat.com>

Michael Thomas wrote:
> Stephen Smalley wrote:
>> On Mon, 2007-01-08 at 16:00 -0500, Daniel J Walsh wrote:
>>> Wart wrote:
>>>> I just tried rebuilding the policy files for a package that I am
>>>> working on (cyphesis), and started getting this syntax error in
>>>> Rawhide:
>>>>
>>>> % make NAME=strict -f /usr/share/selinux/devel/Makefile
>>>> cat: /selinux/mls: No such file or directory
>>>> Compiling strict cyphesis module
>>>> tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow'
>>>> on line 3871:
>>>>
>>>> allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
>>>> /usr/bin/checkmodule: error(s) encountered while parsing
>>>> configuration
>>>> /usr/bin/checkmodule: loading policy configuration from
>>>> tmp/cyphesis.tmp
>>>>
>>> Why don't you have /selinux/mls?
>>
>> SELinux disabled on the build host? Or building in a chroot that
>> doesn't have selinuxfs mounted?
>
> The latter. I'm building in the mock chroot environment. I'm not
> concerned about the missing /selinux/mls error, as that doesn't seem
> to prevent the build from finishing. I've always seen this error when
> building in mock. The real problem is the new syntax error when
> compiling the module.
>
> --Wart

Try

make NAME=strict -f /usr/share/selinux/strict/include/Makefile

From kmacmill at redhat.com Tue Jan 9 22:49:18 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Tue, 09 Jan 2007 17:49:18 -0500
Subject: [ANN] Madison policy generation tools
In-Reply-To: <45923758.8020803@fedoraproject.org>
References: <45896ECC.6010605@redhat.com> <45923758.8020803@fedoraproject.org>
Message-ID: <45A41BEE.9090306@redhat.com>

Rahul Sundaram wrote:
> Karl MacMillan wrote:
>> The first public release of the Madison SELinux policy generation
>> tools can be found at http://et.redhat.com/madison/. Madison is a new
>> project to create command line and GUI policy generation tools that:
>>
>> * Create more readable and secure policy by leveraging the reference
>> policy development environment.
>> * Provide administrators with guidance and information to help them
>> make good security decisions.
>>
>> This release focuses on the creation of a foundation library (in
>> python). It only includes a single tool - audit2policy - that is a
>> drop in replacement for audit2allow with better reference policy
>> interface call generation (using the undocumented -R audit2allow flag).
>>
>> Contributions are very welcome. I'm looking for help with:
>>
>> * Testing (particularly interface call generation and module
>> generation)
>> * Documentation
>> * Unit test creation
>> * Code / tool development
>>
>> See the website for more details on contributing.
>>
>> To the authors of other policy generation tools: I would like to avoid
>> duplication of effort where possible. The current release focuses on
>> areas that other tools have not explored thoroughly. Moving forward I
>> would like to discuss how we can best work together.
>>
>> Please send any feedback to the selinux development list.
>
> I don't want to subscribe to yet another list so I will send in my
> comments here. I have put in an announcement in fedoraproject.org. A few
> questions.
>
Sorry for the delay in answering.
> * I installed the FC6 version. audit2policy is the only tool in this
> package as of now. Do you plan to include it within an existing package
> or introduce a new one?

I am currently planning to submit this code to the upstream selinux project. If it is accepted then this will ultimately be included there.

> Do you plan to replace audit2allow with this?

If it is accepted upstream, yes.

> What are the specific differences between them?
>
The main user visible difference is more accurate reference policy interface generation with audit2policy. Otherwise, the bulk of the difference is in the code behind them - madison is designed to be capable of much more and will hopefully be the basis for other tools in the future.

> * What is the plan for the GUI application? Is this connected to
> system-config-selinux or semanage?
>
I have two tools in mind:

1) Local policy modifications - allow the user to make small policy tweaks without having to build modules by hand. It will also help them review the changes and suggest other ways to solve the problems (like booleans). This will hopefully be part of system-config-selinux.

2) New policy module creation - help people create new policy modules for applications, including things like cgi-scripts run by apache. This is longer term.

> * There is absolutely no documentation on the madison package and

I know - the audit2allow man page is most applicable.

> running audit2policy on its own doesn't return the prompt (that probably
> should return some basic help and we need a man page).

This is, unfortunately, inherited from audit2policy. By default it reads from standard input.

> I can help with
> writing documentation if someone can explain the details to me.
>
Thanks - right now the audit2allow man page is sufficient. As more tools are created I'll let you know so you can contribute to documentation if you are still interested.
Thanks - Karl

> Rahul
>
>

From adam.huffman at gmail.com Wed Jan 10 11:20:40 2007
From: adam.huffman at gmail.com (Adam Huffman)
Date: Wed, 10 Jan 2007 11:20:40 +0000
Subject: Problem with label on /
Message-ID: <608c44bf0701100320v2917c064vf00817441b351a13@mail.gmail.com>

Rather unwisely I followed through some advice from setroubleshootd on
a new FC6 test system without thinking through the implications.

It advised me to run:

chcon -R -t xen_image_t /

because xend was having some trouble with virtual disk files.

This had some interesting consequences, most of which I have been able
to fix via relabelling.

However, there are still errors being reported for various daemons. E.g.

SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to /
(xen_image_t).

Is there any way of fixing this?

Adam

From dwalsh at redhat.com Wed Jan 10 13:40:10 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 10 Jan 2007 08:40:10 -0500
Subject: Problem with label on /
In-Reply-To: <608c44bf0701100320v2917c064vf00817441b351a13@mail.gmail.com>
References: <608c44bf0701100320v2917c064vf00817441b351a13@mail.gmail.com>
Message-ID: <45A4ECBA.8070409@redhat.com>

Adam Huffman wrote:
> Rather unwisely I followed through some advice from setroubleshootd on
> a new FC6 test system without thinking through the implications.
>
> It advised me to run:
>
> chcon -R -t xen_image_t /
>
> because xend was having some trouble with virtual disk files.
>
> This had some interesting consequences, most of which I have been able
> to fix via relabelling.
>
> However, there are still errors being reported for various daemons. E.g.
>
> SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to /
> (xen_image_t).
>
>
> Is there any way of fixing this?
>
>

restorecon /

xen images should be in their own directory. Not in / or /root. The
default directory for xen images is under /var/lib/xen, which would
solve your problem. I will take a look at the troubleshoot plugin to
make fix it up.
> Adam
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Wed Jan 10 13:41:32 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 10 Jan 2007 08:41:32 -0500
Subject: Problem with label on /
In-Reply-To: <608c44bf0701100320v2917c064vf00817441b351a13@mail.gmail.com>
References: <608c44bf0701100320v2917c064vf00817441b351a13@mail.gmail.com>
Message-ID: <45A4ED0C.3010208@redhat.com>

Adam Huffman wrote:
> Rather unwisely I followed through some advice from setroubleshootd on
> a new FC6 test system without thinking through the implications.
>
> It advised me to run:
>
> chcon -R -t xen_image_t /

Actually I just saw the -R.

touch /.autorelabel; reboot

Is your best bet to fix the system labeling.

>
> because xend was having some trouble with virtual disk files.
>
> This had some interesting consequences, most of which I have been able
> to fix via relabelling.
>
> However, there are still errors being reported for various daemons. E.g.
>
> SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to /
> (xen_image_t).
>
>
> Is there any way of fixing this?
>
>
> Adam
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From adam.huffman at gmail.com Wed Jan 10 18:09:14 2007
From: adam.huffman at gmail.com (Adam Huffman)
Date: Wed, 10 Jan 2007 18:09:14 +0000
Subject: Problem with label on /
In-Reply-To: <45A4ED0C.3010208@redhat.com>
References: <608c44bf0701100320v2917c064vf00817441b351a13@mail.gmail.com> <45A4ED0C.3010208@redhat.com>
Message-ID: <608c44bf0701101009l5e1b4116h947d54af784253f6@mail.gmail.com>

On 10/01/07, Daniel J Walsh wrote:
> >
> > chcon -R -t xen_image_t /
> Actually I just saw the -R.
> touch /.autorelabel; reboot
>
> Is your best bet to fix the system labeling.

Actually I've already done that, twice, and the warning messages persist.
I'll give it another go, though.

From adam.huffman at gmail.com Wed Jan 10 18:10:58 2007
From: adam.huffman at gmail.com (Adam Huffman)
Date: Wed, 10 Jan 2007 18:10:58 +0000
Subject: Problem with label on /
In-Reply-To: <45A4ECBA.8070409@redhat.com>
References: <608c44bf0701100320v2917c064vf00817441b351a13@mail.gmail.com> <45A4ECBA.8070409@redhat.com>
Message-ID: <608c44bf0701101010s68ac1a4dob15fe3a4c0a4e4ee@mail.gmail.com>

On 10/01/07, Daniel J Walsh wrote:
> Adam Huffman wrote:
> > Rather unwisely I followed through some advice from setroubleshootd on
> > a new FC6 test system without thinking through the implications.
> >
> > It advised me to run:
> >
> > chcon -R -t xen_image_t /
> >
> > because xend was having some trouble with virtual disk files.
> >
> > This had some interesting consequences, most of which I have been able
> > to fix via relabelling.
> >
> > However, there are still errors being reported for various daemons. E.g.
> >
> > SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to /
> > (xen_image_t).
> >
> >
> xen images should be in their own directory. Not in / or /root. The
> default directory for xen images is under /var/lib/xen, which would
> solve your problem. I will take a look at the troubleshoot plugin to
> make fix it up.

Yes, I was only experimenting with different locations because of an
error in virt-install (it was complaining that it couldn't get access
to the virtual disks I was creating).
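The thread above is a good illustration of why `restorecon /` and `touch /.autorelabel; reboot` can leave a recursive `chcon -R -t xen_image_t /` in place: restorecon decides per file, and by default it will not touch a file whose current type is one of the policy's customizable types, which is the point of the `-F` (force) option Stephen Smalley raises further down. The following Python sketch is an added example written for this archive, not code from the thread or from policycoreutils. Its file_contexts entries, its customizable-types set (assumed to include `xen_image_t`) and the post-chcon listing are all constructed; a real run reads `/etc/selinux/<policy>/contexts/files/file_contexts` and `/etc/selinux/<policy>/contexts/customizable_types`.

```python
"""Mimic the per-file decision restorecon makes when relabeling, to show
why a relabel that is not forced (-F) leaves `chcon -R -t xen_image_t /`
in place.

Added example for this thread, not code from the thread or from
policycoreutils.  The file_contexts entries, the customizable-types set
and the post-chcon listing below are constructed.
"""
import re

# Constructed subset of a file_contexts spec: (regex, type filter, context).
# A filter of None matches any object; "-d" matches directories only.
# Entries run from general to specific and the last match wins, which is
# how the spec is ordered on a real system.
FILE_CONTEXTS = [
    ("/.*",                None, "system_u:object_r:default_t:s0"),
    ("/",                  "-d", "system_u:object_r:root_t:s0"),
    ("/etc(/.*)?",         None, "system_u:object_r:etc_t:s0"),
    ("/usr/sbin(/.*)?",    None, "system_u:object_r:sbin_t:s0"),
    ("/var/lib/xen(/.*)?", None, "system_u:object_r:xen_image_t:s0"),
]

# Constructed: types restorecon leaves alone unless run with -F.
# xen_image_t is assumed to be customizable here, which is what the -F
# suggestion later in this thread implies.
CUSTOMIZABLE_TYPES = {"xen_image_t", "httpd_sys_content_t", "public_content_t"}

# Constructed listing after `chcon -R -t xen_image_t /`: (path, is_dir, context).
# Everything now carries xen_image_t, including files no daemon expects
# to find labeled that way.
AFTER_CHCON = [
    ("/",                           True,  "system_u:object_r:xen_image_t:s0"),
    ("/etc",                        True,  "system_u:object_r:xen_image_t:s0"),
    ("/etc/passwd",                 False, "system_u:object_r:xen_image_t:s0"),
    ("/usr/sbin/cupsd",             False, "system_u:object_r:xen_image_t:s0"),
    ("/var/lib/xen/images/fc6.img", False, "system_u:object_r:xen_image_t:s0"),
]


def expected_context(path, is_dir):
    """Context the spec assigns to path, or None if nothing matches."""
    match = None
    for pattern, type_filter, context in FILE_CONTEXTS:
        if type_filter == "-d" and not is_dir:
            continue
        if re.fullmatch(pattern, path):
            match = context  # later (more specific) entries override earlier ones
    return match


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def relabel_plan(entries, force=False):
    """Return (path, current, expected) for each entry restorecon would
    reset.  Without force, an object whose *current* type is customizable
    is skipped, so a misapplied customizable type survives the relabel."""
    plan = []
    for path, is_dir, current in entries:
        expected = expected_context(path, is_dir)
        if expected is None or expected == current:
            continue
        if not force and type_of(current) in CUSTOMIZABLE_TYPES:
            continue
        plan.append((path, current, expected))
    return plan


def format_plan(plan):
    """One line per change, in the wording restorecon -v uses."""
    return ["restorecon reset %s context %s->%s" % change for change in plan]


if __name__ == "__main__":
    print("without -F:", format_plan(relabel_plan(AFTER_CHCON)) or "(nothing relabeled)")
    print("with -F:")
    for line in format_plan(relabel_plan(AFTER_CHCON, force=True)):
        print("  " + line)
```

Run as is, the unforced pass relabels nothing, which matches Adam's report of two autorelabels with the warnings still present; the forced pass resets `/`, `/etc`, `/etc/passwd` and `/usr/sbin/cupsd` and leaves the image under `/var/lib/xen` alone because the spec already assigns it `xen_image_t`.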
From sds at tycho.nsa.gov Wed Jan 10 18:36:38 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 10 Jan 2007 13:36:38 -0500
Subject: Problem with label on /
In-Reply-To: <608c44bf0701101010s68ac1a4dob15fe3a4c0a4e4ee@mail.gmail.com>
References: <608c44bf0701100320v2917c064vf00817441b351a13@mail.gmail.com> <45A4ECBA.8070409@redhat.com> <608c44bf0701101010s68ac1a4dob15fe3a4c0a4e4ee@mail.gmail.com>
Message-ID: <1168454198.7993.194.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-01-10 at 18:10 +0000, Adam Huffman wrote:
> On 10/01/07, Daniel J Walsh wrote:
> > Adam Huffman wrote:
> > > Rather unwisely I followed through some advice from setroubleshootd on
> > > a new FC6 test system without thinking through the implications.
> > >
> > > It advised me to run:
> > >
> > > chcon -R -t xen_image_t /
> > >
> > > because xend was having some trouble with virtual disk files.
> > >
> > > This had some interesting consequences, most of which I have been able
> > > to fix via relabelling.
> > >
> > > However, there are still errors being reported for various daemons. E.g.
> > >
> > > SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to /
> > > (xen_image_t).
> > >
> > >
> > xen images should be in their own directory. Not in / or /root. The
> > default directory for xen images is under /var/lib/xen, which would
> > solve your problem. I will take a look at the troubleshoot plugin to
> > make fix it up.
>
> Yes, I was only experimenting with different locations because of an
> error in virt-install (it was complaining that it couldn't get access
> to the virtual disks I was creating).

Use the force option (-F to fixfiles or restorecon) to force relabeling
of even files with customizable types?
--
Stephen Smalley
National Security Agency

From cra at WPI.EDU Wed Jan 10 20:11:06 2007
From: cra at WPI.EDU (Chuck Anderson)
Date: Wed, 10 Jan 2007 15:11:06 -0500
Subject: cricket grapher.cgi
Message-ID: <20070110201106.GB17053@angus.ind.WPI.EDU>

I'm trying to get cricket (cricket.sf.net) to work on FC6 with SELinux
targeted enforcing. I get the following AVC when trying to view the
grapher.cgi from my web browser:

type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for
pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884
scontext=user_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003
syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4
a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="grapher.cgi" exe="/usr/bin/perl"
subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)

The ino number in the AVC is /var/cricket/cricket.

The application is installed in /var/cricket (from the legacy install)
but if necessary I can move bits and pieces around to accommodate
SELinux standards. I relabeled the entire /var/cricket tree to
httpd_script_exec_t.
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t bin/
lrwxrwxrwx root root user_u:object_r:httpd_sys_script_exec_t cricket -> cricket-1.0.5/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-1.0.5/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config-attic/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-data/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-logs/
drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t public_html/

Here is my relevant Apache config:

AddHandler cgi-script .cgi

NameVirtualHost *:80

ServerAdmin root at localhost
DocumentRoot /var/cricket/public_html
ServerName server.host.name
ErrorLog /var/log/httpd/cricket/error_log
CustomLog /var/log/httpd/cricket/access_log common

AllowOverride Options FileInfo AuthConfig Limit
Order allow,deny
Allow from all

Has anyone had success running cricket with SELinux?

Thanks.

From mayerf at tresys.com Wed Jan 10 20:12:22 2007
From: mayerf at tresys.com (Frank L. Mayer)
Date: Wed, 10 Jan 2007 15:12:22 -0500
Subject: SELinux Symposium: Head of IBM Linux Development to be Keynote Speaker
Message-ID: <6FE441CD9F0C0C479F2D88F959B015887B997A@exchange.columbia.tresys.com>

All,

FYI we just announced that Dan Frye, head of Linux development at IBM
as a keynote speaker at this year's SELinux Symposium. I expect a
second keynote speaker to be announced later this month.

Hope to see you all there.
Frank

-=-=-=-=-=-=-=-=-=-=-=-

FOR IMMEDIATE RELEASE
CONTACT: info at selinux-symposium.org

Head of IBM Linux Development to be Keynote Speaker at Third Security Enhanced Linux Symposium

Baltimore, Maryland-January 10, 2007- Daniel Frye, Vice President, IBM
Open Systems Development, will be a keynote speaker for the third annual
Security Enhanced Linux (SELinux) Symposium (www.selinux-symposium.org),
scheduled for March 12-16, 2007 in Baltimore, Maryland.

Dr. Frye is the head of IBM's UNIX development team, principally
responsible for Linux and AIX development. He is additionally
responsible for overseeing IBM's Linux technical strategy, IBM's
participation in the open source Linux development community, and the
IBM Linux Technology Center (LTC). The goal of Dr. Frye's Linux
organization is to help the global open source community make Linux
better, to ensure Enterprise-level Linux support for IBM's hardware,
software, and services brands, and to help expand the reach of Linux
into new markets.

Dr. Frye will present a keynote address entitled "Open and Secure: Linux
Today and Tomorrow." In this address, Dr. Frye will discuss the impact
of SELinux on Linux, and how open software helps in the proliferation of
new security technology.

About the SELinux Symposium

The Security Enhanced Linux (SELinux) Symposium is an annual exchange of
ideas, technology, and research involving SELinux. SELinux is emerging
technology that adds flexible, strong mandatory access control security
to Linux. The third annual symposium is scheduled for March 12-16, 2007
in Baltimore, Maryland, USA. This year's symposium is sponsored by
Hewlett-Packard, IBM, Red Hat, and Tresys Technology. The event brings
together experts from business, government, and academia to share
research, development, and application experiences using SELinux. For
information on registration and sponsorship opportunities, see
www.selinux-symposium.org.
From dwalsh at redhat.com Wed Jan 10 21:45:23 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 10 Jan 2007 16:45:23 -0500
Subject: cricket grapher.cgi
In-Reply-To: <20070110201106.GB17053@angus.ind.WPI.EDU>
References: <20070110201106.GB17053@angus.ind.WPI.EDU>
Message-ID: <45A55E73.4060202@redhat.com>

Chuck Anderson wrote:
> I'm trying to get cricket (cricket.sf.net) to work on FC6 with SELinux
> targeted enforcing. I get the following AVC when trying to view the
> grapher.cgi from my web browser:
>
> type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for
> pid=5499 comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1168459205.932:49631): arch=40000003
> syscall=195 success=no exit=-13 a0=8e10010 a1=bff4190c a2=42378ff4
> a3=8e10010 items=0 ppid=5314 pid=5499 auid=10002 uid=48 gid=48 euid=48
> suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
> comm="grapher.cgi" exe="/usr/bin/perl"
> subj=user_u:system_r:httpd_sys_script_t:s0 key=(null)
>
>
> The ino number in the AVC is /var/cricket/cricket.
>
> The application is installed in /var/cricket (from the legacy install)
> but if necessary I can move bits and pieces around to accommodate
> SELinux standards. I relabeled the entire /var/cricket tree to
> httpd_script_exec_t.

httpd_sys_script_exec_t is the context for a cgi script.
You should label it httpd_sys_content_t and I think it will work better.
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t bin/
> lrwxrwxrwx root root user_u:object_r:httpd_sys_script_exec_t cricket -> cricket-1.0.5/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-1.0.5/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-config-attic/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-data/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t cricket-logs/
> drwxr-xr-x cricket cricket system_u:object_r:httpd_sys_script_exec_t public_html/
>
> Here is my relevant Apache config:
>
> AddHandler cgi-script .cgi
>
> NameVirtualHost *:80
>
>
> ServerAdmin root at localhost
> DocumentRoot /var/cricket/public_html
> ServerName server.host.name
> ErrorLog /var/log/httpd/cricket/error_log
> CustomLog /var/log/httpd/cricket/access_log common
>
>
>
> AllowOverride Options FileInfo AuthConfig Limit
> Order allow,deny
> Allow from all
>
>
> Has anyone had success running cricket with SELinux?
>
> Thanks.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From cra at WPI.EDU Wed Jan 10 21:55:29 2007
From: cra at WPI.EDU (Chuck Anderson)
Date: Wed, 10 Jan 2007 16:55:29 -0500
Subject: cricket grapher.cgi
In-Reply-To: <45A55E73.4060202@redhat.com>
References: <20070110201106.GB17053@angus.ind.WPI.EDU> <45A55E73.4060202@redhat.com>
Message-ID: <20070110215529.GD17053@angus.ind.WPI.EDU>

On Wed, Jan 10, 2007 at 04:45:23PM -0500, Daniel J Walsh wrote:
> >The application is installed in /var/cricket (from the legacy install)
> >but if necessary I can move bits and pieces around to accommodate
> >SELinux standards. I relabeled the entire /var/cricket tree to
> >httpd_script_exec_t.
>
> httpd_sys_script_exec_t is the context for a cgi script.
> You should label it httpd_sys_content_t and I think it will work better.

Thanks. This works, but I had trouble labeling the symlinks. I ended
up deleting and recreating the symlinks and they acquired the correct
context from the parent directory.

Is there an easy way to label a symlink with chcon?

From paul at city-fan.org Thu Jan 11 09:20:55 2007
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 11 Jan 2007 09:20:55 +0000
Subject: cricket grapher.cgi
In-Reply-To: <20070110215529.GD17053@angus.ind.WPI.EDU>
References: <20070110201106.GB17053@angus.ind.WPI.EDU> <45A55E73.4060202@redhat.com> <20070110215529.GD17053@angus.ind.WPI.EDU>
Message-ID: <45A60177.5080200@city-fan.org>

Chuck Anderson wrote:
> On Wed, Jan 10, 2007 at 04:45:23PM -0500, Daniel J Walsh wrote:
>>> The application is installed in /var/cricket (from the legacy install)
>>> but if necessary I can move bits and pieces around to accommodate
>>> SELinux standards. I relabeled the entire /var/cricket tree to
>>> httpd_script_exec_t.
>> httpd_sys_script_exec_t is the context for a cgi script.
>> You should label it httpd_sys_content_t and I think it will work better.
>
> Thanks. This works, but I had trouble labeling the symlinks. I ended
> up deleting and recreating the symlinks and they acquired the correct
> context from the parent directory.
>
> Is there an easy way to label a symlink with chcon?

"man chcon" and see the "-h" option.

Paul.
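The AVC record in the cricket thread above, and the `allow mount_t nfs_t:file { read };` case together with the two neverallow assertions in the later "SE Linux preventing mounting an iso on FC5 through nfs" thread, are both instances of the same mechanical step: read the `scontext`, `tcontext`, `tclass` and permission set out of an AVC record and turn them into a type-enforcement rule, which is what `audit2allow -M local` does. The Python below is an added example written for this archive; it is not audit2allow's code and was not posted in either thread. The two AVC lines are the ones Chuck Anderson and Matthew Shapiro posted, re-joined onto one line each; `DOMAIN_TYPES` is a constructed stand-in for the policy's `domain` attribute. Note that for the cricket denial the rule it produces is precisely the one Dan Walsh steered away from: the right fix there was relabelling to `httpd_sys_content_t`, so the generated rule is something to review against the labelling first, not to install.

```python
"""Turn raw AVC records into `allow` rules and the loadable-module source
that `audit2allow -M local` builds from them, and check a proposed domain
transition against the two neverallow assertions quoted in the nfs-iso
thread.

Added example; this is not audit2allow's code nor anything posted in the
threads.  The AVC records are the ones posted in this archive;
DOMAIN_TYPES is a constructed stand-in for the policy's `domain` attribute.
"""
import re

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# AVC lines as posted in this archive, re-joined onto one line each.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1168459205.932:49631): avc: denied { read } for pid=5499 '
    'comm="grapher.cgi" name="cricket" dev=dm-4 ino=5242884 '
    'scontext=user_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=user_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file',
    'avc: denied { read } for pid=1709 comm="mount" name="FC3-i386-disc1.iso" '
    'dev=0:17 no=1188825 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=file',
]

# Constructed stand-in for the `domain` attribute, i.e. the process types.
# nfs_t is deliberately absent: it is a file type, not a domain.
DOMAIN_TYPES = {"mount_t", "httpd_sys_script_t", "httpd_t", "cupsd_t"}


def type_of(context):
    """user:role:type[:range] -> type; a domain is just the type of a process."""
    return context.split(":")[2]


def parse_avcs(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = {}
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC record (SYSCALL lines, syslog noise, ...)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules


def allow_rules(rules):
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in rules.items()]


def module_source(rules, name="local", version="1.0"):
    """Render a .te file in the shape `audit2allow -M` writes before
    checkmodule/semodule_package turn it into local.pp."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in classes.items()]
    lines += ["}", ""] + allow_rules(rules)
    return "\n".join(lines) + "\n"


def check_domain_auto_trans(src, tgt, domains=DOMAIN_TYPES):
    """domain_auto_trans(src, entry, tgt) expands, among other rules, to
    `allow src tgt:process transition` and `allow tgt src:process sigchld`
    (the two rules named in the thread's assertion output).  Return the
    (rule, neverallow) pairs a non-domain tgt trips; [] means it is legal."""
    generated = [(src, tgt, "transition"), (tgt, src, "sigchld")]
    problems = []
    for s, t, perm in generated:
        rule = "allow %s %s:process { %s };" % (s, t, perm)
        if perm == "transition" and s in domains and t not in domains:
            problems.append((rule, "neverallow domain ~domain:process transition;"))
        if s not in domains and s != "unlabeled_t":
            problems.append((rule, "neverallow ~{ domain unlabeled_t } *:process *;"))
    return problems


if __name__ == "__main__":
    print(module_source(parse_avcs(SAMPLE_AVCS)))
    for rule, assertion in check_domain_auto_trans("mount_t", "nfs_t"):
        print("%s violates %s" % (rule, assertion))
```

For `domain_auto_trans(mount_t, mount_exec_t, nfs_t)` the checker reports exactly the two violations Matthew saw: the `transition` rule hits `neverallow domain ~domain:process transition` because `nfs_t` is not a domain, and the generated `allow nfs_t mount_t:process { sigchld }` hits `neverallow ~{ domain unlabeled_t } *:process *` because a non-domain may not be the subject of any process permission. That is the concrete meaning of Stephen Smalley's "nfs_t is a file type, not a process domain".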
From adam.huffman at gmail.com Thu Jan 11 13:02:53 2007
From: adam.huffman at gmail.com (Adam Huffman)
Date: Thu, 11 Jan 2007 13:02:53 +0000
Subject: Problem with label on /
In-Reply-To: <1168454198.7993.194.camel@moss-spartans.epoch.ncsc.mil>
References: <608c44bf0701100320v2917c064vf00817441b351a13@mail.gmail.com> <45A4ECBA.8070409@redhat.com> <608c44bf0701101010s68ac1a4dob15fe3a4c0a4e4ee@mail.gmail.com> <1168454198.7993.194.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <608c44bf0701110502u4a4ea49ao75d1adde3ed5f01a@mail.gmail.com>

On 10/01/07, Stephen Smalley wrote:
>
> Use the force option (-F to fixfiles or restorecon) to force relabeling
> of even files with customizable types?
>

That seems to have done the trick.

Thanks a lot,
Adam

From mshapiro at mail.ucf.edu Thu Jan 11 19:34:57 2007
From: mshapiro at mail.ucf.edu (Matthew Shapiro)
Date: Thu, 11 Jan 2007 14:34:57 -0500
Subject: SE Linux preventing mounting an iso on FC5 through nfs
Message-ID: <45A64B11020000C200000127@mail.ucf.edu>

Hey all, A SE Linux newbie here. I am trying to learn SE Linux to fix
this one issue we are having on our servers and I was hoping someone
here might be able to give me some insight into the problem and tell me
if I am following the correct line of thinking or not.

We have FC5 systems with an automount point that mounts a directory on
our main server for the cluster. Inside this mountpoint are some
directories, which contain a list of rpms. Each of these rpms is really
just a symlink to another automount point that automounts a certain
Fedora Core iso image which really contains the real rpm. This makes it
really easy to install the rpms without having to scour all four FC5 cds
manually.

The problem is that SE Linux doesn't seem to want us to mount the iso
image automatically from nfs.
When I directly use the mount command on the iso it mounts perfectly
fine, but when I try to have the automounter mount it, it fails with the
following error in /var/log/messages:

avc: denied { read } for pid=1709 comm="mount" name="FC3-i386-disc1.iso"
dev=0:17 no=1188825 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file

After reading various SE Linux HOWTO's and pieces of documentation what
it looks like to me (a SE Linux newbie) is that the mount_t domain does
not have access to read files under the nfs_t domain security context.
So after various reading I thought all I would have to do is create a
domain transition from the mount_t domain to the nfs_t domain. I created
the file /etc/selinux/strict/src/policy/domains/misc/mmae.te and added
the following line:

domain_auto_trans(mount_t, mount_exec_t, nfs_t)

Unfortunately, when I did a make load I got the following two errors

assertion on line 226661 violated by allow nfs_t mount_t:process { sigchld };
assertion on line 226508 violated by allow mount_t nfs_t:process { transition };

Line 226661 of policy.conf contains

neverallow ~{ domain unlabeled_t } *:process *;

and line 226508 of policy.conf contains

neverallow domain ~domain:process transition;

Unfortunately, with my limited knowledge in SE Linux I am unsure of what
is wrong with my statement, why it violates those two rules, what those
two rules really mean and even if I am following the correct path. I
also tried to switch mount_t and nfs_t in the domain_auto_trans function
which resulted in the same assertions.

Finally, I decided to take a stab in the dark and try a different
approach without dealing with domains. The only information I could
deduce from those previous error messages were that one of those was not
an actual domain.
After looking at various entries in the policy.conf I commented out the
domain transition and instead put in:

allow mount_t nfs_t:file { read };

thinking that this would allow processes in the mount_t security context
to read files in the nfs_t context. I then ran make load, which didn't
give any hassle, looked in the policy.conf to make sure it was listed in
there (which it was), and tried again. It still gave the original error.

After reading various threads on mailing lists (found through google) I
decided to try giving the main directory a different security context so
it wasn't in the nfs_t domain. So I edited the /etc/auto.misc entry for
the original mountpoint to include context=system_u:object_r:tmp_t,
which failed with the message:

SELinux: security_context_to_sid(system_u:object_r/tmp_t) failed for (dev 0:17, type nfs) errno=-22

which I am guessing means it doesn't have access to change security
contexts.

I am really stumped as to how to proceed from here. If anyone could give
me any advice I would really appreciate it.

Thanks
--Matthew Shapiro

From sds at tycho.nsa.gov Thu Jan 11 20:07:16 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 11 Jan 2007 15:07:16 -0500
Subject: SE Linux preventing mounting an iso on FC5 through nfs
In-Reply-To: <45A64B11020000C200000127@mail.ucf.edu>
References: <45A64B11020000C200000127@mail.ucf.edu>
Message-ID: <1168546036.7993.437.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-01-11 at 14:34 -0500, Matthew Shapiro wrote:
> Hey all, A SE Linux newbie here. I am trying to learn SE Linux to fix
> this one issue we are having on our servers and I was hoping someone
> here might be able to give me some insight into the problem and tell me
> if I am following the correct line of thinking or not.
>
> We have FC5 systems with an automount point that mounts a directory on
> our main server for the cluster. Inside this mountpoint are some
> directories, which contain a list of rpms.
> Each of these rpms is really
> just a symlink to another automount point that automounts a certain
> Fedora Core iso image which really contains the real rpm. This makes it
> really easy to install the rpms without having to scour all four FC5 cds
> manually.
>
> The problem is that SE Linux doesn't seem to want us to mount the iso
> image automatically from nfs. When I directly use the mount command on
> the iso it mounts perfectly fine, but when I try to have the automounter
> mount it, it fails with the following error in /var/log/messages:
>
> avc: denied { read } for pid=1709 comm="mount"
> name="FC3-i386-disc1.iso" dev=0:17 no=1188825
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=file

audit2allow -M local < /var/log/messages
semodule -i local.pp

> After reading various SE Linux HOWTO's and pieces of documentation

Did you look at the Fedora SELinux FAQ and wiki pages?
http://fedora.redhat.com/docs/selinux-faq-fc5/
http://fedoraproject.org/wiki/SELinux/

> what
> it looks like to me (a SE Linux newbie) is that the mount_t domain does
> not have access to read files under the nfs_t domain security context.
> So after various reading I thought all I would have to do is create a
> domain transition from the mount_t domain to the nfs_t domain. I
> created the file /etc/selinux/strict/src/policy/domains/misc/mmae.te and

Are you actually using strict policy? It isn't the default in Fedora.

> added the following line:
>
> domain_auto_trans(mount_t, mount_exec_t, nfs_t)

nfs_t is a file type, not a process domain, and you want to allow
mount_t to read nfs_t:file, not transition into it.

> Finally, I decided to take a stab in the dark and try a different
> approach without dealing with domains. The only information I could
> deduce from those previous error messages were that one of those was not
> an actual domain.
> After looking at various entries in the policy.conf I
> commented out the domain transition and instead put in:
>
> allow mount_t nfs_t:file { read };

That looks correct, and is what audit2allow would generate.

> thinking that this would allow processes in the mount_t security context
> to read files in the nfs_t context. I then ran make load, which didn't
> give any hassle, looked in the policy.conf to make sure it was listed in
> there (which it was), and tried again. It still gave the original
> error.

load_policy will always load the active policy, as defined by
/etc/selinux/config, which defaults to targeted. In which case it never
looked at your policy at all. Also, you want to use a loadable policy
module since FC5 (and later) supports them.

--
Stephen Smalley
National Security Agency

From mshapiro at mail.ucf.edu Thu Jan 11 21:04:21 2007
From: mshapiro at mail.ucf.edu (Matthew Shapiro)
Date: Thu, 11 Jan 2007 16:04:21 -0500
Subject: SE Linux preventing mounting an iso on FC5 through nfs
Message-ID: <45A66006020000C200000135@mail.ucf.edu>

>>> Stephen Smalley 01/11/07 3:07 PM >>>
>audit2allow -M local < /var/log/messages
>semodule -i local.pp

Wow that makes life simple. Thanks a lot!

>Did you look at the Fedora SELinux FAQ and wiki pages?
>http://fedora.redhat.com/docs/selinux-faq-fc5/
>http://fedoraproject.org/wiki/SELinux/

Actually I did not know about these (the HOWTO's I found was a policy
HOWTO and a general (focused on debian) SELinux introduction). These
look like great resources though.

> Are you actually using strict policy? It isn't the default in Fedora.

Ah that explains it. I actually got confused with the versions
(installed the strict src from fc3 by accident, targeted wouldn't
install) and that explains why my last attempt didn't work. I confirmed
and it is setup to use targeted. Though the loadable modules that I now
know about make doing this much easier anyways.
>nfs_t is a file type, not a process domain, and you want to allow
>mount_t to read nfs_t:file, not transition into it.

Gotcha. From the documentation I read it made it seem like the _t
denoted a domain. Guess I have some more reading to do to fully
understand everything that is going on.

Thanks for your help and quick response! It's now working, and I'm going
to do some more research to learn more about SE Linux now that I'm not
fighting with it :)

--Matthew Shapiro

From sds at tycho.nsa.gov Thu Jan 11 21:26:55 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 11 Jan 2007 16:26:55 -0500
Subject: SE Linux preventing mounting an iso on FC5 through nfs
In-Reply-To: <45A66006020000C200000135@mail.ucf.edu>
References: <45A66006020000C200000135@mail.ucf.edu>
Message-ID: <1168550815.7993.463.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-01-11 at 16:04 -0500, Matthew Shapiro wrote:
> >>> Stephen Smalley 01/11/07 3:07 PM >>>
> >audit2allow -M local < /var/log/messages
> >semodule -i local.pp
>
> Wow that makes life simple. Thanks a lot!
>
> >Did you look at the Fedora SELinux FAQ and wiki pages?
> >http://fedora.redhat.com/docs/selinux-faq-fc5/
> >http://fedoraproject.org/wiki/SELinux/
>
> Actually I did not know about these (the HOWTO's I found was a policy
> HOWTO and a general (focused on debian) SELinux introduction). This
> look like great resources though.
>
> > Are you actually using strict policy? It isn't the default in Fedora.
>
> Ah that explains it. I actually got confused with the versions
> (installed the strict src from fc3 by accident, targeted wouldn't
> install) and that explains why my last attempt didn't work. I
> confirmed and it is setup to use targeted. Though the loadable modules
> that I now know about make doing this much easier anyways.
>
> >nfs_t is a file type, not a process domain, and you want to allow
> >mount_t to read nfs_t:file, not transition into it.
>
> Gotcha.
> From the documentation I read it made it seem like the _t
> denoted a domain. Guess I have some more reading to do to fully
> understand everything that is going on.

A domain is just a kind of type, specifically a process type. SELinux
collapses the two concepts together.

--
Stephen Smalley
National Security Agency

From jdennis at redhat.com Thu Jan 11 23:27:35 2007
From: jdennis at redhat.com (John Dennis)
Date: Thu, 11 Jan 2007 18:27:35 -0500
Subject: more setroubleshoot troubles ;)
In-Reply-To: <4c4ba1530701050706m531ed1d0y86355839c5ce606c@mail.gmail.com>
References: <4c4ba1530701041246y58559018sda91a27f3ea39e33@mail.gmail.com> <4c4ba1530701050706m531ed1d0y86355839c5ce606c@mail.gmail.com>
Message-ID: <1168558055.21316.56.camel@finch.boston.redhat.com>

[Top posting by choice]

These problems (failure to load plugins) are reported in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221850

The problem was introduced with the python 2.5 upgrade from the python
2.4 version setroubleshoot had been developed and tested under. Python
2.5 changed the semantics of module loading which caused our plugin
loading code to fail. This has been fixed in setroubleshoot-1_8_14-1_fc7.

On Fri, 2007-01-05 at 07:06 -0800, Tom London wrote:
> /var/log/messages shows (get this in permissive mode too):
>
> Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:00,246
> [plugin.ERROR] failed to load allow_daemons_dump_core plugin Traceback
> (most recent call last): File
> "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406,
> in load_plugins mod = imp.load_module(module_name,
> *imp.find_module(plugin_name, [plugin_dir])) File
> "/usr/share/setroubleshoot/plugins/allow_daemons_dump_core.py", line
> 21, in from setroubleshoot.util import * SystemError:
> Parent module 'plugins' not loaded
> Jan 5 06:49:00 localhost vmnet-dhcpd: All rights reserved.
> Jan 5 06:49:00 localhost kernel: Normal 4096 -> 229376
> Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:01,134
> [plugin.ERROR] failed to load catchall plugin Traceback (most recent
> call last): File
> "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406,
> in load_plugins mod = imp.load_module(module_name,
> *imp.find_module(plugin_name, [plugin_dir])) File
> "/usr/share/setroubleshoot/plugins/catchall.py", line 22, in
> from setroubleshoot.util import * SystemError: Parent module
> 'plugins' not loaded
> <<<<....>>>>>
> Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:02,142
> [plugin.ERROR] failed to load httpd_enable_homedirs plugin Traceback
> (most recent call last): File
> "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406,
> in load_plugins mod = imp.load_module(module_name,
> *imp.find_module(plugin_name, [plugin_dir])) File
> "/usr/share/setroubleshoot/plugins/httpd_enable_homedirs.py", line 19,
> in from setroubleshoot.util import * SystemError: Parent
> module 'plugins' not loaded
> Jan 5 06:49:03 localhost vmnet-dhcpd: For info, please visit
> http://www.isc.org/dhcp-contrib.html
> Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,505
> [plugin.ERROR] failed to load home_tmp_bad_labels plugin Traceback
> (most recent call last): File
> "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406,
> in load_plugins mod = imp.load_module(module_name,
> *imp.find_module(plugin_name, [plugin_dir])) File
> "/usr/share/setroubleshoot/plugins/home_tmp_bad_labels.py", line 19,
> in from setroubleshoot.util import * SystemError: Parent
> module 'plugins' not loaded
>
> Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,539
> [plugin.ERROR] failed to load allow_httpd_sys_script_anon_write plugin
> Traceback (most recent call last): File
> "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406,
> in load_plugins mod = imp.load_module(module_name,
*imp.find_module(plugin_name, [plugin_dir])) File > "/usr/share/setroubleshoot/plugins/allow_httpd_sys_script_anon_write.py", > line 19, in from setroubleshoot.util import * > SystemError: Parent module 'plugins' not loaded > Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,558 > [plugin.ERROR] failed to load allow_execstack plugin Traceback (most > recent call last): File > "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, > in load_plugins mod = imp.load_module(module_name, > *imp.find_module(plugin_name, [plugin_dir])) File > "/usr/share/setroubleshoot/plugins/allow_execstack.py", line 19, in > from setroubleshoot.util import * SystemError: Parent > module 'plugins' not loaded > Jan 5 06:49:03 localhost setroubleshoot: 2007-01-05 06:49:03,814 > [plugin.ERROR] failed to load public_content plugin Traceback (most > recent call last): File > "/usr/lib/python2.5/site-packages/setroubleshoot/util.py", line 406, > in load_plugins mod = imp.load_module(module_name, > *imp.find_module(plugin_name, [plugin_dir])) File > "/usr/share/setroubleshoot/plugins/public_content.py", line 19, in > from setroubleshoot.util import * SystemError: Parent > module 'plugins' not loaded > > etc. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- John Dennis Learn. Network. Experience open source. Red Hat Summit San Diego | May 9-11, 2007 Learn more: http://www.redhat.com/promo/summit/2007 From jsyoung72 at gmail.com Fri Jan 12 12:07:48 2007 From: jsyoung72 at gmail.com (James Young) Date: Fri, 12 Jan 2007 06:07:48 -0600 Subject: Postgres directory context Message-ID: Does selinux check context on the whole directory hierarchy when making a decision about permission to enter a directory? That is, when I try to access /home/Data/pgsql, will it check the context on /home, then /home/Data, and then on /home/Data/pgsql? 
Or will it only check the context on /home/Data/pgsql?

I want to put a Postgres database in a /home/Data/pgsql/data directory, but the initrc script will not run it there. I can run it as the postgres user. The contexts mirror the /var/lib/pgsql/data directory: user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is system_u:object_r:var_lib_t. It does run fine with initrc in /var/lib/pgsql. When I leave the pgstartup.log in /var/lib/pgsql, I see the errors below. It doesn't matter whether the database is already initialized or not. The contexts for the /home/Data/pgsql directory are listed below as well. /home/Data is system_u:object_r:user_home_dir_t. I don't see anything in /var/log/audit/audit.log, but I think dontaudit rules may be in effect.

Does Fedora use the reference policy from Tresys exactly? If not, where can I find the source policy for Fedora? All I can find are the .if files.

Finally, are there any better references for selinux? Everything I've read seems dated.

Thanks,
Jim Young

pgstartup.log:
-------------------------
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.
postmaster cannot access the server configuration file "/home/Data/pgsql/data/postgresql.conf": Permission denied
could not change directory to "/home/Data/pgsql"
initdb: could not access directory "/home/Data/pgsql/data": Permission denied
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locale en_US.UTF-8.
The default database encoding has accordingly been set to UTF8.
postmaster cannot access the server configuration file "/home/Data/pgsql/data/postgresql.conf": Permission denied
-----------

directory contexts:
-------------------------------
ls -Zd /home/Data/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t /home/Data/pgsql

ls -Z /home/Data/pgsql
drwx------ postgres postgres system_u:object_r:var_lib_t backups
drwx------ postgres postgres system_u:object_r:postgresql_db_t data
-rw------- postgres postgres system_u:object_r:postgresql_log_t pgstartup.log

ls -Z /home/Data/pgsql/data
drwx------ postgres postgres user_u:object_r:postgresql_db_t base
drwx------ postgres postgres user_u:object_r:postgresql_db_t global
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_clog
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_hba.conf
-rw------- postgres postgres user_u:object_r:postgresql_db_t pg_ident.conf
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_log
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_multixact
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_subtrans
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_tblspc
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_twophase
-rw------- postgres postgres user_u:object_r:postgresql_db_t PG_VERSION
drwx------ postgres postgres user_u:object_r:postgresql_db_t pg_xlog
-rw------- postgres postgres user_u:object_r:postgresql_db_t postgresql.conf
-rw------- postgres postgres user_u:object_r:postgresql_db_t postmaster.opts

From paul at city-fan.org Fri Jan 12 12:39:52 2007
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 12 Jan 2007 12:39:52 +0000
Subject: Postgres directory context
In-Reply-To:
References:
Message-ID: <45A78198.1080600@city-fan.org>

James Young wrote:
> Does selinux check context on the whole directory hierarchy when making a
> decision about permission to enter a directory? That is, when I try to
> access /home/Data/pgsql, will it check the context on /home, then
> /home/Data, and then on /home/Data/pgsql? Or will it only check the context
> on /home/Data/pgsql?
>
> I want to put a Postgres database in a /home/Data/pgsql/data directory, but
> the initrc script will not run it there. I can run it as the postgres user.
> The contexts mirror the /var/lib/pgsql/data directory:
> user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is
> system_u:object_r:var_lib_t.

The whole hierarchy must be readable. Putting server data under /home always causes problems. I'd suggest bind mounting /home/Data/pgsql to /var/lib/pgsql or something similar.

You could change the context type of /home/Data to var_t but you'd probably still have issues with /home itself.

> Does Fedora use the reference policy from Tresys exactly? If not, where can
> I find the source policy for Fedora? All I can find are the .if files.

The selinux-policy SRPM.

> Finally, are there any better references for selinux? Everything I've read
> seems dated.

http://fedoraproject.org/wiki/SELinux is a decent starting point.

Paul.

From thethirddoorontheleft at verizon.net Fri Jan 12 22:45:57 2007
From: thethirddoorontheleft at verizon.net (Darwin H. Webb)
Date: Fri, 12 Jan 2007 14:45:57 -0800
Subject: selinux and oracle
In-Reply-To: <45A2AD6A.6050508@redhat.com>
References: <45A2AD6A.6050508@redhat.com>
Message-ID: <45A80FA5.8000703@verizon.net>

Daniel J Walsh wrote:
> Jack Null wrote:
>> I have a RHEL4U4 server that will become an Oracle 10gR2 server in
>> three weeks.
>> Almost all of the documentation I have seen about
>> installing oracle on a selinux enabled server says to turn off
>> selinux. Only 1 document said that oracle and selinux can function
>> together. So can oracle and selinux play nice or do I have to turn
>> it off?
> They should be able to play nice. The only place they might hit would
> be if there is a web interface.
> Oracle might also be seeking to eke out every bit of performance.
> SELinux can add some load between 2-20% depending on which performance
> test you run.
>>
>> Thanks,
>> Adam

"Oracle might also be seeking to eke out every bit of performance. SELinux can add some load between 2-20% depending on which performance test you run."

I thought SELinux's overhead was only for the transitions and file access, thereby being a small amount of this total time (est. at 7% untuned).

The web app would be using Oracle's security with a MyWebAppUsername. Yes / No?

Could you explain this overhead and where and what is doing it, please. I don't see where it would be any greater than 7% of the volume of transitions and file accesses (which would be different web files). And that would be an Apache overhead whether a DBMS was being used or not.

Thank you,

Darwin

From mantaray_1 at cox.net Fri Jan 12 23:48:48 2007
From: mantaray_1 at cox.net (Ken)
Date: Fri, 12 Jan 2007 16:48:48 -0700
Subject: Access attempts
Message-ID: <45A81E60.9020409@cox.net>

I was hoping someone could help me to understand what might be happening to trigger the access attempts I am blocking with my policy which are listed below. They only seem to appear when I am logged in to the "Blackboard" program at the university I attend. I have already taken several steps to limit what my browser can do, and I do not understand how it can trigger such attempts.

**********************
**********************
Jan 11 15:39:17 schoolhost kernel: audit(1168555157.756:587): avc: denied { rawip_send } for saddr=192.168.0.2 src=60945 daddr=129.219.10.40 dest=443 netif=eth0 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
Jan 11 15:39:17 schoolhost kernel: audit(1168555157.992:588): avc: denied { rawip_send } for saddr=192.168.0.2 src=60945 daddr=129.219.10.40 dest=443 netif=eth0 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
Jan 11 15:39:18 schoolhost kernel: audit(1168555158.212:590): avc: denied { rawip_send } for saddr=192.168.0.2 src=45910 daddr=129.219.10.30 dest=443 netif=eth0 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
Jan 11 15:39:19 schoolhost kernel: audit(1168555159.433:600): avc: denied { rawip_send } for pid=2465 comm="X" saddr=192.168.0.2 src=60945 daddr=129.219.10.40 dest=443 netif=eth0 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif
**********************
**********************

Thanks in advance,
Ken.
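Ken's four records above and the syslogd records in Harley Race's post further down differ only in their wrapper (syslog's "kernel: audit(...)" versus auditd's "type=AVC msg=audit(...)"); the fields after "avc: denied" are the same in both. What follows is an added example, not code from this list or from the setroubleshoot or audit2allow projects: a small parser that pulls the permission set, source type, target type and object class out of either form, merges records per (source type, target type, class) the way audit2allow does, and renders the resulting allow rule. The sample records are copied from the two posts, except the last one, which is constructed to show two permissions being merged on a second object class. The rule it prints describes what was denied, not what should be allowed: Ken's records name kernel_t as the source and three of the four carry no pid, so the first question is what is sending raw IP towards port 443 from that context, not which rule to add.

```python
import re
from collections import defaultdict

# Both AVC shapes seen in this thread carry the same fields after
# "avc: denied": the "kernel: audit(...)" syslog form in Ken's post and the
# audit daemon's "type=AVC msg=audit(...)" form in Harley Race's post.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CONTEXT_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)(?::(?P<mls>.*))?$")


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record
    (SYSCALL lines, kernel noise, and so on)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    src = CONTEXT_RE.match(fields.get("scontext", ""))
    tgt = CONTEXT_RE.match(fields.get("tcontext", ""))
    if not (src and tgt):
        return None
    return {
        "perms": sorted(m.group("perms").split()),
        "stype": src.group("type"),
        "ttype": tgt.group("type"),
        "tclass": fields.get("tclass"),
        "pid": fields.get("pid"),    # absent on three of Ken's four records
        "comm": fields.get("comm"),
    }


def summarize(lines):
    """Group denials by (source type, target type, class) and merge the
    permission sets, which is what audit2allow does before emitting rules."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in merged.items()}


def allow_rules(summary):
    """Render the grouped denials as TE allow rules, one per triple."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


# Sample input: the first four records are copied from posts in this thread
# (two of Ken's, one AVC and one SYSCALL record of Harley Race's); the fifth
# is constructed to show permission merging on a second object class.
SAMPLE = [
    'Jan 11 15:39:17 schoolhost kernel: audit(1168555157.756:587): avc: denied { rawip_send } for saddr=192.168.0.2 src=60945 daddr=129.219.10.40 dest=443 netif=eth0 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif',
    'Jan 11 15:39:19 schoolhost kernel: audit(1168555159.433:600): avc: denied { rawip_send } for pid=2465 comm="X" saddr=192.168.0.2 src=60945 daddr=129.219.10.40 dest=443 netif=eth0 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif',
    'type=AVC msg=audit(1168359275.971:7): avc: denied { search } for pid=1587 comm="syslogd" name="named" dev=dm-3 ino=10704673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1168359275.971:7): arch=40000003 syscall=10 success=no exit=-13 a0=bfcacf08 a1=1b6 a2=c1e120 a3=bfcab31c items=0 ppid=1586 pid=1587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd" exe="/sbin/syslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)',
    # constructed record, not from the thread
    'type=AVC msg=audit(1168359276.001:9): avc: denied { read write } for pid=1587 comm="syslogd" name="named.log" dev=dm-3 ino=10704680 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file',
]

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE)):
        print(rule)
```

Run as a script it prints three rules, one per (source, target, class) triple; the SYSCALL record is skipped because it carries no "avc: denied". Feeding such output straight into a module is what audit2allow does for you already; the value of parsing by hand is seeing the grouping and the missing pid before deciding whether a rule is the right fix at all.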
From flyingboxcutter at yahoo.com Sat Jan 13 01:48:00 2007
From: flyingboxcutter at yahoo.com (Harley Race)
Date: Fri, 12 Jan 2007 17:48:00 -0800 (PST)
Subject: Trouble with syslogd and named
Message-ID: <670227.43361.qm@web60212.mail.yahoo.com>

I am using the bind-chroot package in FC6 and am trying to get named in the chroot to log queries and named activity to /var/log/named/named.log (outside of the chroot) via a logging device in the chroot /dev/log. Selinux is preventing syslogd from creating the device and generating the following errors:

type=AVC msg=audit(1168359275.971:7): avc: denied { search } for pid=1587 comm="syslogd" name="named" dev=dm-3 ino=10704673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1168359275.971:7): arch=40000003 syscall=10 success=no exit=-13 a0=bfcacf08 a1=1b6 a2=c1e120 a3=bfcab31c items=0 ppid=1586 pid=1587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd" exe="/sbin/syslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1168359275.995:8): avc: denied { search } for pid=1587 comm="syslogd" name="named" dev=dm-3 ino=10704673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1168359275.995:8): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfca8ec0 a2=c1e120 a3=bfcab31c items=0 ppid=1586 pid=1587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd" exe="/sbin/syslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)

I suppose I could use audit2allow to allow this, but am wondering why the policy was changed from FC4 to disable this.

From ejtr at layer3.co.uk Sat Jan 13 22:35:17 2007
From: ejtr at layer3.co.uk (Ted Rule)
Date: Sat, 13 Jan 2007 22:35:17 +0000
Subject: Oddity in evolution.if in selinux-policy-devel-2.4.6-23.fc6.noarch.rpm
Message-ID: <1168727718.9651.19.camel@topaz.bugfinder.co.uk>

The recently released devel rpm, selinux-policy-devel-2.4.6-23.fc6.noarch.rpm, appears to contain an odd 'corruption' in the evolution.if file, viz:

/usr/share/selinux/devel/include/apps/evolution.if

The end of the interface file contains this set of allow statements:

allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
allow staff_evolution_alarm_t staff_t:unix_stream_socket connectto;
allow staff_evolution_alarm_t staff_tmp_t:dir { add_name getattr search setattr write };
allow staff_evolution_alarm_t staff_tmp_t:file { getattr lock read write };
allow staff_evolution_alarm_t staff_tmp_t:sock_file { create write };
allow staff_evolution_alarm_t tmp_t:dir read;
allow staff_evolution_exchange_t staff_t:fd use;
allow staff_evolution_exchange_t staff_t:fifo_file { getattr write };
allow staff_evolution_exchange_t staff_tmp_t:dir { add_name getattr search setattr write };
allow staff_evolution_exchange_t staff_tmp_t:file { getattr lock read write };
allow staff_evolution_exchange_t staff_tmp_t:sock_file { create write };
allow staff_evolution_server_t staff_t:fifo_file { getattr write };
allow staff_evolution_server_t staff_t:unix_stream_socket connectto;
allow staff_evolution_server_t staff_tmp_t:dir { add_name getattr search setattr write };
allow staff_evolution_server_t staff_tmp_t:file { getattr lock read write };
allow staff_evolution_server_t staff_tmp_t:sock_file { create write };
allow staff_evolution_server_t tmp_t:dir { getattr read search };
allow staff_evolution_t default_t:lnk_file read;

I had previously downloaded the .23 rpm from the testing area, but I only noticed this today whilst I was trying to build a module to rebuild my anacron module tweak against the .23 policy, and got this error message:

[root selinux.local]# make localanacron.pp
Compiling strict localanacron module
/usr/bin/checkmodule: loading policy configuration from tmp/localanacron.tmp
tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow' on line 3871:
allow staff_evolution_alarm_t staff_t:fifo_file { getattr write };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/localanacron.mod] Error 1
[root at topaz selinux.local]#
[root ~]#

The error message corresponds to the first rogue line in the interface file; once I'd commented out all the lines, my new module compiled Ok.

I checked for any other rogue 'allow' lines in the other interface definitions, but this appears to be the only set of oddities.

I made a cursory check elsewhere, and the 2.4.6-21.fc7 policy-devel appears to have the same corruption, whilst the previous stable fc6 rpm, 2.4.6-17.fc6, doesn't.

I've also created BZ #222548 containing these notes.

-- 
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

From temlakos at gmail.com Sun Jan 14 18:29:50 2007
From: temlakos at gmail.com (Temlakos)
Date: Sun, 14 Jan 2007 13:29:50 -0500
Subject: FlashPlayer 9 Beta refuses to process some Flash content with SELinux enforcing
Message-ID: <45AA769E.9040608@gmail.com>

Everyone:

Has anyone noticed SELinux to refuse permissions to the Flash Player plug-in (or standalone)?

And while I'm on the subject: How might I clear one particular application to do something weird, without having to grant such clearance to every such application? For example: VideoLAN Client needs permission to make its memory stack executable. How can I grant such permission to vlc alone and not across the board?
Temlakos

From tcallawa at redhat.com Sun Jan 14 21:52:12 2007
From: tcallawa at redhat.com (Tom 'spot' Callaway)
Date: Sun, 14 Jan 2007 15:52:12 -0600
Subject: sparc64 kernel won't boot with selinux enabled
Message-ID: <1168811532.31988.42.camel@localhost.localdomain>

I'm working on Aurora, which is a rebuild of Fedora Core for SPARC. Lately, I've been testing with selinux enabled on the targeted policy, but I haven't gotten very far. When I try to boot on a sparc64, I get the following (copied by hand, apologies for any typos, I tried to be accurate):

EXT3-fs: mounted filesystem with ordered data mode.
audit(1168807648.026:2): enforcing=1 old_enforcing=0 auid=4294967295
security: 3 users, 6 roles, 1584 types, 172 bools, 1 sens, 1024 cats
security: 59 classes, 49650 rules
security: class dccp_socket not defined in policy
security: permission dccp_recv in class node not defined in policy
security: permission dccp_send in class node not defined in policy
security: permission dccp_recv in class netif not defined in policy
security: permission dccp_send in class netif not defined in policy
SELinux: Completing initialization
SELinux: Setting up existing superblocks.
SELinux: initialized (dev dm-0, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1168807652.930:3): policy loaded auid=4294967295
audit(1168807653.174:4): avc: denied { execmem } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process

...And there it sits, as init is denied. :)

I found this thread (http://www.redhat.com/archives/fedora-selinux-list/2005-April/msg00037.html) while looking through google for other cases of this error message, and I looked through bugzilla 149819.

The sparc64 kernel has CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1, and I tried booting with "checkreqprot=0", but it does not change the result.

Booting with selinux=permissive works fine. I booted as selinux=permissive and ran fixfiles relabel, but again, no change seen.

Here are the relevant versions of packages which I have installed:

kernel-2.6.19-1.2906.al3.4.sparc64.rpm
libselinux-1.33.4-2.al3.sparc.rpm
libsemanage-1.9.2-1.al3.sparc.rpm
libsepol-1.15.3-1.al3.sparc.rpm
checkpolicy-1.33.1-2.al3.sparc.rpm
policycoreutils-1.33.12-2.al3.sparc.rpm
selinux-policy-2.4.6-21.al3.noarch.rpm

For obvious reasons (Aurora, like Fedora, enables selinux by default), I'd like to get this fixed. Any ideas where I should go from here?

Thanks in advance,

~spot

From jsyoung72 at gmail.com Mon Jan 15 10:09:55 2007
From: jsyoung72 at gmail.com (James Young)
Date: Mon, 15 Jan 2007 04:09:55 -0600
Subject: Postgres directory context
In-Reply-To: <45A78198.1080600@city-fan.org>
References: <45A78198.1080600@city-fan.org>
Message-ID:

Sorry it took me so long to reply back. It's been a busy weekend.

Bind mounting worked. I actually changed /home/ to /Data and bind mounted /home/ onto /Data/home and then created /Data/pgsql, changing the default context to those of /var/lib/pgsql. That didn't work, even when I changed /Data to system_u:object_r:var_t, /Data/pgsql to system_u:object_r:var_lib_t, and /Data/pgsql/data to system_u:object_r:postgresql_db_t. I thought maybe selinux only allowed transition to var_lib_t from var_t, and then to postgres_db_t from var_lib_t. Is that how it works with the directory hierarchy?

Anyway, I moved /var/lib/pgsql to /var/lib/pgsql.bk, bind mounted /Data/pgsql/ to /var/lib/pgsql and removed /etc/sysconfig/pgsql/postgresql. That worked. I just hope the developers don't see stuff like that as a security hole and fix it.

Have they changed the wiki? It seems like they have more useful info in there than what I've found in the past. Then again, most of my visits to the wiki were from Google links. Maybe I just needed to visit the home page.

Thanks for all your help.
Jim Young

On 1/12/07, Paul Howarth wrote:
>
> James Young wrote:
> > Does selinux check context on the whole directory hierarchy when making a
> > decision about permission to enter a directory? That is, when I try to
> > access /home/Data/pgsql, will it check the context on /home, then
> > /home/Data, and then on /home/Data/pgsql? Or will it only check the context
> > on /home/Data/pgsql?
> >
> > I want to put a Postgres database in a /home/Data/pgsql/data directory, but
> > the initrc script will not run it there. I can run it as the postgres user.
> > The contexts mirror the /var/lib/pgsql/data directory:
> > user_u:object_r:postgres_db_t. The context of /home/Data/pgsql is
> > system_u:object_r:var_lib_t.
>
> The whole hierarchy must be readable. Putting server data under /home
> always causes problems. I'd suggest bind mounting /home/Data/pgsql to
> /var/lib/pgsql or something similar.
>
> You could change the context type of /home/Data to var_t but you'd
> probably still have issues with /home itself.
>
> > Does Fedora use the reference policy from Tresys exactly? If not, where can
> > I find the source policy for Fedora? All I can find are the .if files.
>
> The selinux-policy SRPM.
>
> > Finally, are there any better references for selinux? Everything I've read
> > seems dated.
>
> http://fedoraproject.org/wiki/SELinux is a decent starting point.
>
> Paul.
>

From kmacmill at redhat.com Mon Jan 15 16:34:32 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 15 Jan 2007 11:34:32 -0500
Subject: FlashPlayer 9 Beta refuses to process some Flash content with SELinux enforcing
In-Reply-To: <45AA769E.9040608@gmail.com>
References: <45AA769E.9040608@gmail.com>
Message-ID: <45ABAD18.9050207@redhat.com>

Temlakos wrote:
> Everyone:
>
> Has anyone noticed SELinux to refuse permissions to the Flash Player
> plug-in (or standalone)?
>

It normally requires chcon -t textrel_shlib_t .mozilla/plugins/libflashplayer.so. Otherwise, please send any denials related to firefox / flash from /var/log/messages or /var/log/audit/audit.log.

> And while I'm on the subject: How might I clear one particular
> application to do something weird, without having to grant such
> clearance to every such application? For example: VideoLAN Client needs
> permission to make its memory stack executable. How can I grant such
> permission to vlc alone and not across the board?
>

chcon -t unconfined_execmem_exec_t /path/to/vlc

Karl

> Temlakos
>

From kmacmill at redhat.com Mon Jan 15 16:43:38 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 15 Jan 2007 11:43:38 -0500
Subject: sparc64 kernel won't boot with selinux enabled
In-Reply-To: <1168811532.31988.42.camel@localhost.localdomain>
References: <1168811532.31988.42.camel@localhost.localdomain>
Message-ID: <45ABAF3A.7030905@redhat.com>

Tom 'spot' Callaway wrote:
> I'm working on Aurora, which is a rebuild of Fedora Core for SPARC.
> Lately, I've been testing with selinux enabled on the targeted policy,
> but I haven't gotten very far. When I try to boot on a sparc64, I get
> the following (copied by hand, apologies for any typos, I tried to be
> accurate):
>
[CC'ing selinux list]
> EXT3-fs: mounted filesystem with ordered data mode.
> audit(1168807648.026:2): enforcing=1 old_enforcing=0 auid=4294967295
> security: 3 users, 6 roles, 1584 types, 172 bools, 1 sens, 1024 cats
> security: 59 classes, 49650 rules
> security: class dccp_socket not defined in policy
> security: permission dccp_recv in class node not defined in policy
> security: permission dccp_send in class node not defined in policy
> security: permission dccp_recv in class netif not defined in policy
> security: permission dccp_send in class netif not defined in policy

Seems that there is a mismatch between your policy and the kernel.

> SELinux: Completing initialization
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev dm-0, type ext3), uses xattr
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> audit(1168807652.930:3): policy loaded auid=4294967295
> audit(1168807653.174:4): avc: denied { execmem } for pid=1 comm="init"
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=process
>
> ...And there it sits, as init is denied. :)
>

Init requiring execmem is surprising to say the least - it certainly doesn't on i386. Are you seeing a lot of execmem denials in the logs? I don't really know what is going on, but there is likely a kernel or compiler / toolchain issue causing overly broad execmem requests.

As a work around you can do (after booting into permissive):

setsebool -P allow_execmem=1

The next reboot will allow this globally and you may get farther in permissive. You can also change this default in the policy packages.

Karl

From dwalsh at redhat.com Mon Jan 15 16:52:38 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 15 Jan 2007 11:52:38 -0500
Subject: selinux and oracle
In-Reply-To: <45A80FA5.8000703@verizon.net>
References: <45A2AD6A.6050508@redhat.com> <45A80FA5.8000703@verizon.net>
Message-ID: <45ABB156.8080105@redhat.com>

Darwin H. Webb wrote:
> Daniel J Walsh wrote:
>> Jack Null wrote:
>>> I have a RHEL4U4 server that will become an Oracle 10gR2 server in
>>> three weeks. Almost all of the documentation I have seen about
>>> installing oracle on a selinux enabled server says to turn off
>>> selinux. Only 1 document said that oracle and selinux can function
>>> together. So can oracle and selinux play nice or do I have to turn
>>> it off?
>> They should be able to play nice. The only place they might hit
>> would be if there is a web interface.
>> Oracle might also be seeking to eke out every bit of performance.
>> SELinux can add some load between 2-20% depending on which
>> performance test you run.
>>>
>>> Thanks,
>>> Adam
>>
> "Oracle might also be seeking to eke out every bit of performance.
> SELinux can add some load between 2-20% depending on which performance
> test you run."
>
> I thought SELinux's overhead was only for the transitions and file
> access, thereby being a small amount of this total time (est. at 7%
> untuned).

All access is being checked including things like network traffic. So if the application is doing something the kernel would require an access check on, SELinux will have some overhead. The 20% figure, I believe, comes from network throughput tests. So running a router with SELinux might not be a great idea.

>
> The web app would be using Oracle's security with a MyWebAppUsername.
> Yes / No?
>
> Could you explain this overhead and where and what is doing it, please.
> I don't see where it would be any greater than 7% of the volume of
> transitions and file accesses (which would be different web files). And
> that would be an Apache overhead whether a DBMS was being used or not.
>
> Thank you,
>
> Darwin
>

From kmacmill at redhat.com Mon Jan 15 16:51:46 2007
From: kmacmill at redhat.com (Karl MacMillan)
Date: Mon, 15 Jan 2007 11:51:46 -0500
Subject: [Fwd: Re: sparc64 kernel won't boot with selinux enabled]
Message-ID: <45ABB122.4010205@redhat.com>

[Forwarding to the correct list this time]

Tom 'spot' Callaway wrote:
> I'm working on Aurora, which is a rebuild of Fedora Core for SPARC.
> Lately, I've been testing with selinux enabled on the targeted policy,
> but I haven't gotten very far.
> When I try to boot on a sparc64, I get
> the following (copied by hand, apologies for any typos, I tried to be
> accurate):
>
[CC'ing selinux list]
> EXT3-fs: mounted filesystem with ordered data mode.
> audit(1168807648.026:2): enforcing=1 old_enforcing=0 auid=4294967295
> security: 3 users, 6 roles, 1584 types, 172 bools, 1 sens, 1024 cats
> security: 59 classes, 49650 rules
> security: class dccp_socket not defined in policy
> security: permission dccp_recv in class node not defined in policy
> security: permission dccp_send in class node not defined in policy
> security: permission dccp_recv in class netif not defined in policy
> security: permission dccp_send in class netif not defined in policy

Seems that there is a mismatch between your policy and the kernel.

> SELinux: Completing initialization
> SELinux: Setting up existing superblocks.
> SELinux: initialized (dev dm-0, type ext3), uses xattr
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
> SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
> SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
> SELinux: initialized (dev devpts, type devpts), uses transition SIDs
> SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
> SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
> SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> SELinux: initialized (dev proc, type proc), uses genfs_contexts
> SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
> SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> audit(1168807652.930:3): policy loaded auid=4294967295
> audit(1168807653.174:4): avc: denied { execmem } for pid=1 comm="init"
> scontext=system_u:system_r:kernel_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=process
>
> ...And there it sits, as init is denied. :)
>

Init requiring execmem is surprising to say the least - it certainly doesn't on i386. Are you seeing a lot of execmem denials in the logs? I don't really know what is going on, but there is likely a kernel or compiler / toolchain issue causing overly broad execmem requests.

As a work around you can do (after booting into permissive):

setsebool -P allow_execmem=1

The next reboot will allow this globally and you may get farther in permissive. You can also change this default in the policy packages.

Karl

From dwalsh at redhat.com Mon Jan 15 16:58:12 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 15 Jan 2007 11:58:12 -0500
Subject: Trouble with syslogd and named
In-Reply-To: <670227.43361.qm@web60212.mail.yahoo.com>
References: <670227.43361.qm@web60212.mail.yahoo.com>
Message-ID: <45ABB2A4.1070307@redhat.com>

Harley Race wrote:
> I am using the bind-chroot package in FC6 and am trying
> to get named in the chroot to log queries and named
> activity to /var/log/named/named.log (outside of the
> chroot) via a logging device in the chroot /dev/log.
> Selinux is preventing syslogd from creating the device
> and generating the following errors:
>
> type=AVC msg=audit(1168359275.971:7): avc: denied { search } for pid=1587 comm="syslogd" name="named" dev=dm-3 ino=10704673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
> type=SYSCALL msg=audit(1168359275.971:7): arch=40000003 syscall=10 success=no exit=-13 a0=bfcacf08 a1=1b6 a2=c1e120 a3=bfcab31c items=0 ppid=1586 pid=1587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd" exe="/sbin/syslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
> type=AVC msg=audit(1168359275.995:8): avc: denied { search } for pid=1587 comm="syslogd" name="named" dev=dm-3 ino=10704673 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
> type=SYSCALL msg=audit(1168359275.995:8): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfca8ec0 a2=c1e120 a3=bfcab31c items=0 ppid=1586 pid=1587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd" exe="/sbin/syslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
>

If you execute chcon -t var_log_t named.log does it work?

> I suppose I could use audit2allow to allow this, but
> am wondering why the policy was changed from FC4 to
> disable this.
> http://searchmarketing.yahoo.com/arp/sponsoredsearch_v2.php > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From dwalsh at redhat.com Mon Jan 15 16:58:54 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 15 Jan 2007 11:58:54 -0500 Subject: Oddity in evolution.if in selinux-policy-devel-2.4.6-23.fc6.noarch.rpm In-Reply-To: <1168727718.9651.19.camel@topaz.bugfinder.co.uk> References: <1168727718.9651.19.camel@topaz.bugfinder.co.uk> Message-ID: <45ABB2CE.7070905@redhat.com> Ted Rule wrote: > The recently released devel rpm, > selinux-policy-devel-2.4.6-23.fc6.noarch.rpm, appears to contain an odd > 'corruption' in the evolution.if file, viz: > > /usr/share/selinux/devel/include/apps/evolution.if > > The end of the interface file contains this set of allow statements: > > allow staff_evolution_alarm_t staff_t:fifo_file { getattr write }; > allow staff_evolution_alarm_t staff_t:unix_stream_socket connectto; > allow staff_evolution_alarm_t staff_tmp_t:dir { add_name getattr search > setattr write }; > allow staff_evolution_alarm_t staff_tmp_t:file { getattr lock read > write }; > allow staff_evolution_alarm_t staff_tmp_t:sock_file { create write }; > allow staff_evolution_alarm_t tmp_t:dir read; > > allow staff_evolution_exchange_t staff_t:fd use; > allow staff_evolution_exchange_t staff_t:fifo_file { getattr write }; > allow staff_evolution_exchange_t staff_tmp_t:dir { add_name getattr > search setattr write }; > allow staff_evolution_exchange_t staff_tmp_t:file { getattr lock read > write }; > allow staff_evolution_exchange_t staff_tmp_t:sock_file { create write }; > > allow staff_evolution_server_t staff_t:fifo_file { getattr write }; > allow staff_evolution_server_t staff_t:unix_stream_socket connectto; > allow staff_evolution_server_t staff_tmp_t:dir { add_name getattr search > setattr write }; > allow staff_evolution_server_t staff_tmp_t:file { getattr lock 
read > write }; > allow staff_evolution_server_t staff_tmp_t:sock_file { create write }; > allow staff_evolution_server_t tmp_t:dir { getattr read search }; > > allow staff_evolution_t default_t:lnk_file read; > > > I had previously downloaded the .23 rpm from the testing area, but I > only noticed this today whilst I was trying to build a module to rebuild > my anacron module tweak against the .23 policy, and got this error > message: > > [root selinux.local]# make localanacron.pp > Compiling strict localanacron module > /usr/bin/checkmodule: loading policy configuration from > tmp/localanacron.tmp > tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow' on > line 3871: > > allow staff_evolution_alarm_t staff_t:fifo_file { getattr write }; > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/localanacron.mod] Error 1 > [root at topaz selinux.local]# > > [root ~]# > > > The error message corresponds to the first rogue line in the interface > file; once I'd commented out all the lines, my new module compiled Ok. I > checked for any other rogue 'allow' lines in the other interface > definitions, but this appears to be the only set of oddities. > > I made a cursory check elsewhere, and the 2.4.6-21.fc7 policy-devel > appears to have the same corruption, whilst the previous stable fc6 rpm, > 2.4.6-17.fc6, doesn't. > > I've also created BZ #222548 containing these notes. > > > Yes this is a bug. Remove those excess lines from the bottom of evolution.if. 
From dwalsh at redhat.com Mon Jan 15 17:01:04 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 15 Jan 2007 12:01:04 -0500 Subject: Oddity in evolution.if in selinux-policy-devel-2.4.6-23.fc6.noarch.rpm In-Reply-To: <45ABB2CE.7070905@redhat.com> References: <1168727718.9651.19.camel@topaz.bugfinder.co.uk> <45ABB2CE.7070905@redhat.com> Message-ID: <45ABB350.2010707@redhat.com> Daniel J Walsh wrote: > Ted Rule wrote: >> The recently released devel rpm, >> selinux-policy-devel-2.4.6-23.fc6.noarch.rpm, appears to contain an odd >> 'corruption' in the evolution.if file, viz: >> >> /usr/share/selinux/devel/include/apps/evolution.if >> >> The end of the interface file contains this set of allow statements: >> allow staff_evolution_alarm_t staff_t:fifo_file { getattr write }; >> allow staff_evolution_alarm_t staff_t:unix_stream_socket connectto; >> allow staff_evolution_alarm_t staff_tmp_t:dir { add_name getattr search >> setattr write }; >> allow staff_evolution_alarm_t staff_tmp_t:file { getattr lock read >> write }; >> allow staff_evolution_alarm_t staff_tmp_t:sock_file { create write }; >> allow staff_evolution_alarm_t tmp_t:dir read; >> >> allow staff_evolution_exchange_t staff_t:fd use; >> allow staff_evolution_exchange_t staff_t:fifo_file { getattr write }; >> allow staff_evolution_exchange_t staff_tmp_t:dir { add_name getattr >> search setattr write }; >> allow staff_evolution_exchange_t staff_tmp_t:file { getattr lock read >> write }; >> allow staff_evolution_exchange_t staff_tmp_t:sock_file { create write }; >> >> allow staff_evolution_server_t staff_t:fifo_file { getattr write }; >> allow staff_evolution_server_t staff_t:unix_stream_socket connectto; >> allow staff_evolution_server_t staff_tmp_t:dir { add_name getattr search >> setattr write }; >> allow staff_evolution_server_t staff_tmp_t:file { getattr lock read >> write }; >> allow staff_evolution_server_t staff_tmp_t:sock_file { create write }; >> allow staff_evolution_server_t tmp_t:dir { getattr 
read search }; >> >> allow staff_evolution_t default_t:lnk_file read; >> >> >> I had previously downloaded the .23 rpm from the testing area, but I >> only noticed this today whilst I was trying to build a module to rebuild >> my anacron module tweak against the .23 policy, and got this error >> message: >> >> [root selinux.local]# make localanacron.pp >> Compiling strict localanacron module >> /usr/bin/checkmodule: loading policy configuration from >> tmp/localanacron.tmp >> tmp/all_interfaces.conf:7820:ERROR 'syntax error' at token 'allow' on >> line 3871: >> >> allow staff_evolution_alarm_t staff_t:fifo_file { getattr write }; >> /usr/bin/checkmodule: error(s) encountered while parsing configuration >> make: *** [tmp/localanacron.mod] Error 1 >> [root at topaz selinux.local]# >> >> [root ~]# >> >> >> The error message corresponds to the first rogue line in the interface >> file; once I'd commented out all the lines, my new module compiled Ok. I >> checked for any other rogue 'allow' lines in the other interface >> definitions, but this appears to be the only set of oddities. >> >> I made a cursory check elsewhere, and the 2.4.6-21.fc7 policy-devel >> appears to have the same corruption, whilst the previous stable fc6 rpm, >> 2.4.6-17.fc6, doesn't. >> >> I've also created BZ #222548 containing these notes. >> >> >> > Yes this is a bug. Remove those excess lines from the bottom of > evolution.if. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Fixed in selinux-policy-2.4.6-27 From flyingboxcutter at yahoo.com Mon Jan 15 17:50:01 2007 From: flyingboxcutter at yahoo.com (Harley Race) Date: Mon, 15 Jan 2007 09:50:01 -0800 (PST) Subject: Trouble with syslogd and named In-Reply-To: <45ABB2A4.1070307@redhat.com> Message-ID: <480716.97178.qm@web60216.mail.yahoo.com> --- Daniel J Walsh wrote: > If you execute chcon -t var_log_t named.log does it > work. Unfortunately, no. 
I tried that before trying to get your help. I still get the same errors (listed below): logd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir type=SYSCALL msg=audit(1168881210.223:807): arch=40000003 syscall=10 success=no exit=-13 a0=bfc96f7d a1=1b6 a2=699120 a3=bfc95e8c items=0 ppid=20859 pid=20860 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd" exe="/sbin/syslogd" subj=user_u:system_r:syslogd_t:s0 key=(null) type=AVC msg=audit(1168881210.223:808): avc: denied { search } for pid=20860 comm="syslogd" name="named" dev=dm-3 ino=10704673 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir type=SYSCALL msg=audit(1168881210.223:808): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc93a30 a2=699120 a3=bfc95e8c items=0 ppid=20859 pid=20860 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd" exe="/sbin/syslogd" subj=user_u:system_r:syslogd_t:s0 key=(null) Maybe I am missing some thing here, but shouldn't syslogd be able to create the device "/dev/log" in the chroot for named? ____________________________________________________________________________________ Yahoo! Music Unlimited Access over 1 million songs. http://music.yahoo.com/unlimited From dwalsh at redhat.com Mon Jan 15 18:01:39 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 15 Jan 2007 13:01:39 -0500 Subject: Trouble with syslogd and named In-Reply-To: <480716.97178.qm@web60216.mail.yahoo.com> References: <480716.97178.qm@web60216.mail.yahoo.com> Message-ID: <45ABC183.6070904@redhat.com> Harley Race wrote: > --- Daniel J Walsh wrote: > > >> If you execute chcon -t var_log_t named.log does it >> work. >> > > Unfortunately, no. I tried that before trying to get > your help. 
I still get the same errors (listed > below): > > logd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 > tclass=dir > type=SYSCALL msg=audit(1168881210.223:807): > arch=40000003 syscall=10 success=no exit=-13 > a0=bfc96f7d a1=1b6 a2=699120 a3=bfc95e8c items=0 > ppid=20859 pid=20860 auid=500 uid=0 gid=0 euid=0 > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) > comm="syslogd" exe="/sbin/syslogd" > subj=user_u:system_r:syslogd_t:s0 key=(null) > type=AVC msg=audit(1168881210.223:808): avc: denied > { search } for pid=20860 comm="syslogd" name="named" > dev=dm-3 ino=10704673 > scontext=user_u:system_r:syslogd_t:s0 > tcontext=system_u:object_r:named_zone_t:s0 tclass=dir > type=SYSCALL msg=audit(1168881210.223:808): > arch=40000003 syscall=102 success=no exit=-13 a0=2 > a1=bfc93a30 a2=699120 a3=bfc95e8c items=0 ppid=20859 > pid=20860 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd" > exe="/sbin/syslogd" subj=user_u:system_r:syslogd_t:s0 > key=(null) > > Maybe I am missing some thing here, but shouldn't > syslogd be able to create the device "/dev/log" in the > chroot for named? > > Well you can either add custom policy using audit2allow, or you could have syslog write to /var/log/named.log and then mount -o bind into /var/named/chroot like they do with the other stuff. If I understand correctly what you are trying to do. From thethirddoorontheleft at verizon.net Mon Jan 15 21:04:25 2007 From: thethirddoorontheleft at verizon.net (Darwin H. Webb) Date: Mon, 15 Jan 2007 13:04:25 -0800 Subject: selinux and oracle In-Reply-To: <45ABB156.8080105@redhat.com> References: <45A2AD6A.6050508@redhat.com> <45A80FA5.8000703@verizon.net> <45ABB156.8080105@redhat.com> Message-ID: <45ABEC59.9010606@verizon.net> Daniel J Walsh wrote: > Darwin H. Webb wrote: >> Daniel J Walsh wrote: >>> Jack Null wrote: >>>> I have a RHEL4U4 server that will become an Oracle 10gR2 server in >>>> three weeks. 
Almost all of the documentation I have seen about >>>> installing oracle on a selinux enabled server says to turn off >>>> selinux. Only 1 document said that oracle and selinux can function >>>> together. So can oracle and selinux play nice or do I have to turn >>>> it off? >>> They should be able to play nice. The only place they might hit >>> would be if there is a web interface. >>> Oracle might also be seeking to eek out every bit of performace. >>> SELinux can add some load between 2-20% depending on which >>> performance test you run. >>>> >>>> Thanks, >>>> Adam >>>> >>>> _________________________________________________________________ >>>> Find sales, coupons, and free shipping, all in one place! MSN >>>> Shopping Sales & Deals >>>> http://shopping.msn.com/content/shp/?ctid=198,ptnrid=176,ptnrdata=200639 >>>> >>>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> >>> >> "Oracle might also be seeking to eek out every bit of performace. >> SELinux can add some load between 2-20% depending on which >> performance test you run." >> >> I thoht SELinux's overhead was only for the transitions and file >> access thereby being a small amount of this total time (est. at 7% >> untuned.) > All access is being checked including things like network traffic. So > if the application is doing something the kernel would require an > access check on, SELinux will have some overhead. The 20% figure, I > believe, comes from Network through put tests. So running a router > with SELinux might not be a great idea. >> >> The web app would be using Oracle's security with a MyWebAppUsername. >> Yes / No? >> >> Could you explain this overhead and where and what is doing it, please. 
>> I don't see where it would be any greater than 7% of the volume of >> transitions and file accesses (which would be different web files. >> And that would be an Apache overhead whether a DBMS was being used or >> not. >> >> Thank you, >> >> Darwin >> > > > The tests at this link show about an overall 7%. http://people.redhat.com/jmorris/selinux/bench/results/summary.txt The only 2 tests that look strange are pipes and the 2 procs tbench tests. This is from 2003, do you know if anyone has run this again with the newer security checks and gncc 4.1.1? These 2 tests could have been a fluc (1,3,4 procs were not affected.) The overhead of SELinux would increase proportional to the volume, but not increase dis-proportionally except for possibly some interaction at some load point near total saturation of most resources, This usually is a sign of queues being dumped and reestablished. Darwin From flyingboxcutter at yahoo.com Tue Jan 16 03:47:36 2007 From: flyingboxcutter at yahoo.com (Harley Race) Date: Mon, 15 Jan 2007 19:47:36 -0800 (PST) Subject: Trouble with syslogd and named In-Reply-To: <45ABC183.6070904@redhat.com> Message-ID: <276394.58887.qm@web60224.mail.yahoo.com> --- Daniel J Walsh wrote: > Well you can either add custom policy using > audit2allow, or you could > have syslog write to /var/log/named.log and then > mount -o bind into > /var/named/chroot like they do with the other stuff. > > > If I understand correctly what you are trying to do. > Well in the past, what I did was create a chroot for bind using the bind-chroot rpm. Since bind was not able to able to write to /var/log/named/named.log outside of the chroot, I would create a socket "/dev/log" inside of the chroot by modifying /etc/sysconfig/syslog with the line OPTIONS_SYSLOGD="-m 0 -a /var/named/chroot/named/dev/log". That would create the socket and bind would write to /var/log/named/named.log. For some reason, now the selinux policy for named will not allow this to happen. 
What I am trying to find out is was this changed by design? If so, why? I am not trying to be a nuisance, rather I am trying to learn. Thanks. From flyingboxcutter at yahoo.com Tue Jan 16 03:57:36 2007 From: flyingboxcutter at yahoo.com (Harley Race) Date: Mon, 15 Jan 2007 19:57:36 -0800 (PST) Subject: Trouble with syslogd and named In-Reply-To: <45ABC183.6070904@redhat.com> Message-ID: <359890.48193.qm@web60212.mail.yahoo.com> Sorry, the options line for /etc/sysconfig/syslog should read: OPTIONS_SYSLOGD="-m 0 -a /var/named/chroot/dev/log" From sds at tycho.nsa.gov Tue Jan 16 12:22:46 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 16 Jan 2007 07:22:46 -0500 Subject: sparc64 kernel won't boot with selinux enabled In-Reply-To: <45ABAF3A.7030905@redhat.com> References: <1168811532.31988.42.camel@localhost.localdomain> <45ABAF3A.7030905@redhat.com> Message-ID: <1168950166.22731.22.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2007-01-15 at 11:43 -0500, Karl MacMillan wrote: > Tom 'spot' Callaway wrote: > > I'm working on Aurora, which is a rebuild of Fedora Core for SPARC. > > Lately, I've been testing with selinux enabled on the targeted policy, > > but I haven't gotten very far. When I try to boot on a sparc64, I get > > the following (copied by hand, apologies for any typos, I tried to be > > accurate): > > > > [CC'ing selinux list] > > > EXT3-fs: mounted filesystem with ordered data mode.
> > audit(1168807648.026:2): enforcing=1 old_enforcing=0 auid=4294967295 > > security: 3 users, 6 roles, 1584 types, 172 bools, 1 sens, 1024 cats > > security: 59 classes, 49650 rules > > security: class dccp_socket not defined in policy > > security: permission dccp_recv in class node not defined in policy > > security: permission dccp_send in class node not defined in policy > > security: permission dccp_recv in class netif not defined in policy > > security: permission dccp_send in class netif not defined in policy > > Seems that there is a mismatch between your policy and the kernel. > > > SELinux: Completing initialization > > SELinux: Setting up existing superblocks. > > SELinux: initialized (dev dm-0, type ext3), uses xattr > > SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs > > SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts > > SELinux: initialized (dev selinuxfs, type selinuxfs), uses > > genfs_contexts > > SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs > > SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses > > genfs_contexts > > SELinux: initialized (dev devpts, type devpts), uses transition SIDs > > SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs > > SELinux: initialized (dev inotifyfs, type inotifyfs), uses > > genfs_contexts > > SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs > > SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts > > SELinux: initialized (dev pipefs, type pipefs), uses task SIDs > > SELinux: initialized (dev sockfs, type sockfs), uses task SIDs > > SELinux: initialized (dev proc, type proc), uses genfs_contexts > > SELinux: initialized (dev bdev, type bdev), uses genfs_contexts > > SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts > > SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts > > audit(1168807652.930:3): policy loaded auid=4294967295 > > audit(1168807653.174:4): 
avc: denied { execmem } for pid=1 > > comm="init" scontext=system_u:system_r:kernel_t:s0 > > tcontext=system_u:system_r:kernel_t:s0 tclass=process > > > > ...And there it sits, as init is denied. :) > > > > Init requiring execmem is surprising to say the least - it certainly > doesn't on i386. Are you seeing a lot of execmem denials in the logs? I > don't really know what is going on, but there is likely a kernel or > compiler / toolchain issue causing overly broad execmem requests. Compiler / toolchain problem; we've seen the same thing in the past on ppc32 and ia64, e.g. see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178747 Those were ultimately resolved by toolchain changes and rebuilt userland, but the temporary fix was to disable the exec* checks in the kernel for those architectures. > > As a work around you can do (after booting into permissive): > > setsebool -P allow_execmem=1 > > The next reboot will allow this globally and you may get farther in > permissive. You can also change this default in the policy packages. -- Stephen Smalley National Security Agency From linux_4ever at yahoo.com Tue Jan 16 13:44:12 2007 From: linux_4ever at yahoo.com (Steve G) Date: Tue, 16 Jan 2007 05:44:12 -0800 (PST) Subject: Trouble with syslogd and named In-Reply-To: <359890.48193.qm@web60212.mail.yahoo.com> Message-ID: <784067.90473.qm@web51511.mail.yahoo.com> >OPTIONS_SYSLOGD="-m 0 -a /var/named/chroot/dev/log" It is possible and even desirable for syslog to be able to create a log device. Maybe syslogd needs to be patched to set the context of the log device? I think that's the only flexible solution since an admin could give any path as an argument to -a. -Steve ____________________________________________________________________________________ The fish are biting. Get more visitors on your site using Yahoo! Search Marketing. 
http://searchmarketing.yahoo.com/arp/sponsoredsearch_v2.php From dwalsh at redhat.com Tue Jan 16 20:35:16 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 16 Jan 2007 15:35:16 -0500 Subject: selinux and oracle In-Reply-To: <45ABEC59.9010606@verizon.net> References: <45A2AD6A.6050508@redhat.com> <45A80FA5.8000703@verizon.net> <45ABB156.8080105@redhat.com> <45ABEC59.9010606@verizon.net> Message-ID: <45AD3704.3050106@redhat.com> Darwin H. Webb wrote: > Daniel J Walsh wrote: >> Darwin H. Webb wrote: >>> Daniel J Walsh wrote: >>>> Jack Null wrote: >>>>> I have a RHEL4U4 server that will become an Oracle 10gR2 server in >>>>> three weeks. Almost all of the documentation I have seen about >>>>> installing oracle on a selinux enabled server says to turn off >>>>> selinux. Only 1 document said that oracle and selinux can >>>>> function together. So can oracle and selinux play nice or do I >>>>> have to turn it off? >>>> They should be able to play nice. The only place they might hit >>>> would be if there is a web interface. >>>> Oracle might also be seeking to eek out every bit of performace. >>>> SELinux can add some load between 2-20% depending on which >>>> performance test you run. >>>>> >>>>> Thanks, >>>>> Adam >>>>> >>>>> _________________________________________________________________ >>>>> Find sales, coupons, and free shipping, all in one place! MSN >>>>> Shopping Sales & Deals >>>>> http://shopping.msn.com/content/shp/?ctid=198,ptnrid=176,ptnrdata=200639 >>>>> >>>>> >>>>> -- >>>>> fedora-selinux-list mailing list >>>>> fedora-selinux-list at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> >>>> >>> "Oracle might also be seeking to eek out every bit of performace. >>> SELinux can add some load between 2-20% depending on which >>> performance test you run." 
>>> >>> I thoht SELinux's overhead was only for the transitions and file >>> access thereby being a small amount of this total time (est. at 7% >>> untuned.) >> All access is being checked including things like network traffic. >> So if the application is doing something the kernel would require an >> access check on, SELinux will have some overhead. The 20% figure, I >> believe, comes from Network through put tests. So running a router >> with SELinux might not be a great idea. >>> >>> The web app would be using Oracle's security with a >>> MyWebAppUsername. Yes / No? >>> >>> Could you explain this overhead and where and what is doing it, please. >>> I don't see where it would be any greater than 7% of the volume of >>> transitions and file accesses (which would be different web files. >>> And that would be an Apache overhead whether a DBMS was being used >>> or not. >>> >>> Thank you, >>> >>> Darwin >>> >> >> >> > The tests at this link show about an overall 7%. > > http://people.redhat.com/jmorris/selinux/bench/results/summary.txt > > The only 2 tests that look strange are pipes and the 2 procs tbench > tests. > This is from 2003, do you know if anyone has run this again with the > newer security checks and gncc 4.1.1? > > These 2 tests could have been a fluc (1,3,4 procs were not affected.) > The overhead of SELinux would increase proportional to the volume, but > not increase dis-proportionally except for possibly some interaction > at some load point near total saturation of most resources, This > usually is a sign of queues being dumped and reestablished. > > Darwin > I hope to publish some more extensive performance tests on RHEL5 by the end of the week. 
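Harley Race's syslogd_t denials on the named_zone_t directory earlier in the thread are exactly the records Dan Walsh's audit2allow suggestion consumes. The script below is an added example, not code from the thread or from the audit2allow tool itself: it parses AVC records in the format quoted in the thread (sample lines copied from those posts), merges them per source type, target type and class, and prints the policy module source that audit2allow -M would emit. The module name mysyslog is an assumption.

```python
"""Derive the allow rules audit2allow would propose from AVC records like the ones in this thread.
Added example: a minimal re-implementation of the parsing step, not the audit2allow tool itself."""
import re
from collections import defaultdict

# Records copied from Harley Race's posts in this thread (the SYSCALL line is kept to show it is skipped).
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1168359275.971:7): avc: denied { search } for pid=1587 comm="syslogd" '
    'name="named" dev=dm-3 ino=10704673 scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1168881210.223:808): arch=40000003 syscall=102 success=no exit=-13 '
    'a0=2 a1=bfc93a30 a2=699120 a3=bfc95e8c items=0 ppid=20859 pid=20860 auid=500 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd" exe="/sbin/syslogd" '
    'subj=user_u:system_r:syslogd_t:s0 key=(null)',
    'type=AVC msg=audit(1168881210.223:808): avc: denied { search } for pid=20860 comm="syslogd" '
    'name="named" dev=dm-3 ino=10704673 scontext=user_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record: str):
    """Return a dict for an AVC denial record, or None for any other audit record."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            return None
    return {"perms": set(m.group("perms").split()), **fields}


def context_type(context: str) -> str:
    """user:role:type[:range] -> type; the allow rule only cares about the type."""
    return context.split(":")[2]


def _perm_list(perms) -> str:
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_module(records, name: str = "mysyslog") -> str:
    """Merge denials per (source type, target type, class) and print them as a policy module."""
    rules = defaultdict(set)
    for record in records:
        avc = parse_avc(record)
        if avc is None:
            continue
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
        rules[key] |= avc["perms"]

    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms

    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_list(perms)};" for cls, perms in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {src} {tgt}:{cls} {_perm_list(perms)};"
              for (src, tgt, cls), perms in sorted(rules.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    # Review the output before checkmodule / semodule_package / semodule -i: the rule widens
    # syslogd_t's reach into named_zone_t, whereas the bind mount Dan Walsh mentions (as bind-chroot
    # already does for its other files) leaves the policy untouched.
    print(generate_module(SAMPLE_RECORDS))
```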
From dwalsh at redhat.com Wed Jan 17 16:43:41 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 17 Jan 2007 11:43:41 -0500 Subject: Trouble with syslogd and named In-Reply-To: <784067.90473.qm@web51511.mail.yahoo.com> References: <784067.90473.qm@web51511.mail.yahoo.com> Message-ID: <45AE523D.7000609@redhat.com> Steve G wrote: >> OPTIONS_SYSLOGD="-m 0 -a /var/named/chroot/dev/log" >> > > > It is possible and even desirable for syslog to be able to create a log device. > Maybe syslogd needs to be patched to set the context of the log device? I think > that's the only flexible solution since an admin could give any path as an > argument to -a. > > -Steve > > No if you want to change the file context, you need to use semanage. The problem here is that syslog is not allowed to search through /var/named directories. For this you need custom policy. Use something like audit2allow -M mysyslog -i /var/log/audit/audit.log to generate the policy. From steve at adsi-m4.com Wed Jan 17 17:32:19 2007 From: steve at adsi-m4.com (Steve Friedman) Date: Wed, 17 Jan 2007 12:32:19 -0500 (EST) Subject: Another syslog issue (disable_syslogd_trans interaction) Message-ID: Another problem that I just discovered with syslog is, with syslogd_disable_trans=1, /dev/log is labelled device_t and not dev_log_t (thus breaking a number of other apps). I discovered this with syslog-ng, but suspect that it will be the same with syslog. (This was BZ'ed as 222195.)
Steve Friedman From mantaray_1 at cox.net Wed Jan 17 20:32:51 2007 From: mantaray_1 at cox.net (Ken) Date: Wed, 17 Jan 2007 13:32:51 -0700 Subject: [Fwd: Re: Access attempts] Message-ID: <45AE87F3.7060009@cox.net> An HTML attachment was scrubbed... URL: From sds at tycho.nsa.gov Thu Jan 18 14:38:08 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 18 Jan 2007 09:38:08 -0500 Subject: [Fwd: Re: Access attempts] In-Reply-To: <45AE87F3.7060009@cox.net> References: <45AE87F3.7060009@cox.net> Message-ID: <1169131088.22731.258.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-01-17 at 13:32 -0700, Ken wrote: > I just realized I sent this to myself instead of to the list... > > -------- Original Message -------- > Subject: > Re: Access attempts > Date: > Fri, 12 Jan 2007 17:13:13 -0700 > From: > Ken > To: > Ken > References: > <45A81E60.9020409 at cox.net> > > > Ken wrote: > > I was hoping someone could help me to understand what might be > > happening to trigger the access attempts I am blocking with my policy > > which are listed below. They only seem to appear when I am logged in > > to the "Blackboard" program at the university I attend. I have > > already taken several steps to limit what my browser can do, and I do > > not understand how it can trigger such attempts. 
> > ********************** > > ********************** > > Jan 11 15:39:17 schoolhost kernel: audit(1168555157.756:587): avc: > > denied { rawip_send } for saddr=192.168.0.2 src=60945 > > daddr=129.219.10.40 dest=443 netif=eth0 > > scontext=system_u:system_r:kernel_t:s15:c0.c255 > > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif > > > > Jan 11 15:39:17 schoolhost kernel: audit(1168555157.992:588): avc: > > denied { rawip_send } for saddr=192.168.0.2 src=60945 > > daddr=129.219.10.40 dest=443 netif=eth0 > > scontext=system_u:system_r:kernel_t:s15:c0.c255 > > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif > > > > Jan 11 15:39:18 schoolhost kernel: audit(1168555158.212:590): avc: > > denied { rawip_send } for saddr=192.168.0.2 src=45910 > > daddr=129.219.10.30 dest=443 netif=eth0 > > scontext=system_u:system_r:kernel_t:s15:c0.c255 > > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif > > > > Jan 11 15:39:19 schoolhost kernel: audit(1168555159.433:600): avc: > > denied { rawip_send } for pid=2465 comm="X" saddr=192.168.0.2 > > src=60945 daddr=129.219.10.40 dest=443 netif=eth0 > > scontext=system_u:system_r:kernel_t:s15:c0.c255 > > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif > > ********************** > > ********************** > > > > Thanks in advance, > > Ken. > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > I just noticed that I sent the wrong part of the log. 
I accidentally > removed this from the previous post instead of the repeated messages: > > ************ > ************ > Jan 11 15:39:18 schoolhost kernel: audit(1168555158.481:593): avc: > denied { rawip_send } for pid=417 comm="kjournald" saddr=192.168.0.2 > src=45910 daddr=129.219.10.30 dest=443 netif=eth0 > scontext=system_u:system_r:kernel_t:s15:c0.c255 > tcontext=system_u:object_r:netif_eth0_t:s0-s15:c0.c255 tclass=netif > ************ > ************ > > My concern is that somehow the browser seems to be able to entice other > running processes, such as "X" and "kjournald" to attempt Internet access. No, the avc message is just misleading. The pid/comm information for network layer permission checks is unreliable because the packet send/recv isn't necessarily happening in the context of the process that initiated the send or that will handle the recv. Note in particular the use of kernel_t in the scontext; that is a kernel socket, e.g. ICMP traffic. -- Stephen Smalley National Security Agency From tjb at unh.edu Thu Jan 18 19:20:23 2007 From: tjb at unh.edu (Thomas J. Baker) Date: Thu, 18 Jan 2007 14:20:23 -0500 Subject: Selinux, Oracle, DBD::Oracle, RHEL5B2 Message-ID: <1169148023.28386.34.camel@raptor.sr.unh.edu> I'm trying to set up a a mod_perl/oracle website on an RHEL5B2 system. I installed the oracle-xe-client rpm, DBD::Oracle, etc. 
Almost got everything working except for this selinux problem (http log error): [Thu Jan 18 14:01:31 2007] [error] [client xxx] install_driver(Oracle) failed: Can't load '/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so' for module DBD::Oracle: libclntsh.so.10.1: cannot enable executable stack as shared object requires: Permission denied at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.\n at (eval 11) line 3\nCompilation failed in require at (eval 11) line 3.\nPerhaps a required shared library or dll isn't installed where expected\n at /web1/perl/Lib/Layout2/Core/Initializer.pm line 191\n\t(in cleanup) Can't call method "disconnect" on an undefined value at /web1/perl/Lib/Layout2/Core/Initializer.pm line 206.\n I've tried turning off execstack on the affected oracle shared libs but that didn't work. First I turned it off on libclntsh.so.10.1 but got the same error about libnnz10.so so I turned it off on that. Then I got [Thu Jan 18 14:06:29 2007] [error] [client xxx] install_driver(Oracle) failed: Can't load '/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so' for module DBD::Oracle: /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so: cannot restore segment prot after reloc: Permission denied at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.\n at (eval 11) line 3\nCompilation failed in require at (eval 11) line 3.\nPerhaps a required shared library or dll isn't installed where expected\n at /web1/perl/Lib/Layout2/Core/Initializer.pm line 191\n\t(in cleanup) Can't call method "disconnect" on an undefined value at /web1/perl/Lib/Layout2/Core/Initializer.pm line 206.\n Turning on allow_exec{mem,mod,heap} didn't help. I should add that turning off enforcing makes everything work. Is there any type I can label the oracle libs so this works? 
Thanks, tjb -- ======================================================================= | Thomas Baker email: tjb at unh.edu | | Systems Programmer | | Research Computing Center voice: (603) 862-4490 | | University of New Hampshire fax: (603) 862-1761 | | 332 Morse Hall | | Durham, NH 03824 USA http://wintermute.sr.unh.edu/~tjb | ======================================================================= From linux_4ever at yahoo.com Fri Jan 19 11:29:57 2007 From: linux_4ever at yahoo.com (Steve G) Date: Fri, 19 Jan 2007 03:29:57 -0800 (PST) Subject: Selinux, Oracle, DBD::Oracle, RHEL5B2 In-Reply-To: <1169148023.28386.34.camel@raptor.sr.unh.edu> Message-ID: <20070119112957.58185.qmail@web51504.mail.yahoo.com> >Almost got everything working except for this selinux problem (http log error): We need to see the avcs associated with this. -Steve ____________________________________________________________________________________ No need to miss a message. Get email on-the-go with Yahoo! Mail for Mobile. Get started. http://mobile.yahoo.com/mail From tjb at unh.edu Fri Jan 19 14:03:50 2007 From: tjb at unh.edu (Thomas J. Baker) Date: Fri, 19 Jan 2007 09:03:50 -0500 Subject: Selinux, Oracle, DBD::Oracle, RHEL5B2 In-Reply-To: <20070119112957.58185.qmail@web51504.mail.yahoo.com> References: <20070119112957.58185.qmail@web51504.mail.yahoo.com> Message-ID: <1169215430.1933.24.camel@raptor.sr.unh.edu> On Fri, 2007-01-19 at 03:29 -0800, Steve G wrote: > >Almost got everything working except for this selinux problem (http log error): > > We need to see the avcs associated with this. 
> > -Steve > I get type=AVC msg=audit(1169215302.727:10760): avc: denied { execheap } for pid=25241 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process type=SYSCALL msg=audit(1169215302.727:10760): arch=40000003 syscall=125 success=no exit=-13 a0=7653000 a1=1e7000 a2=5 a3=bfb540f0 items=0 ppid=25239 pid=25241 auid=4490 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null) that coincides with the httpd log of [Fri Jan 19 09:01:42 2007] [error] [client 132.177.241.80] install_driver(Oracle) failed: Can't load '/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so' for module DBD::Oracle: /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so: cannot restore segment prot after reloc: Permission denied at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.\n at (eval 11) line 3\nCompilation failed in require at (eval 11) line 3.\nPerhaps a required shared library or dll isn't installed where expected\n at /web1/perl/Lib/Layout2/Core/Initializer.pm line 191\n\t(in cleanup) Can't call method "disconnect" on an undefined value at /web1/perl/Lib/Layout2/Core/Initializer.pm line 206.\n I've turned on execheap and restarted the webserver but still get this same error. 
tjb

-- 
=======================================================================
| Thomas Baker                email: tjb at unh.edu                    |
| Systems Programmer                                                  |
| Research Computing Center   voice: (603) 862-4490                   |
| University of New Hampshire fax: (603) 862-1761                     |
| 332 Morse Hall                                                      |
| Durham, NH 03824 USA        http://wintermute.sr.unh.edu/~tjb       |
=======================================================================

From ejtr at layer3.co.uk Fri Jan 19 15:05:28 2007
From: ejtr at layer3.co.uk (Ted Rule)
Date: Fri, 19 Jan 2007 15:05:28 +0000
Subject: pidof -c fails under FC6/strict
Message-ID: <1169219128.3523.16.camel@topaz.bugfinder.co.uk>

There appears to be a generic problem with "pidof -c" under SELinux enforcing which has the side-effect of confusing some of the init.d scripts.

In particular, the following services - at least - fail to shut down or report status cleanly:

acpid
hidd
vsftpd
smartd
autofs
mcstrans
syslog-ng ( but not syslogd .. )

The common feature is that these daemons lack a corresponding /var/run/.pid; in the case of syslog-ng, of course, the real pid has the "wrong" name.

During shutdown, /etc/init.d/functions:killproc() searches for the pidfile, and if it fails to find one, it searches for a pid with a matching exec name via the __pids_pidof() function.

...
# Output PIDs of matching processes, found using pidof
__pids_pidof() {
    pidof -c -o $$ -o $PPID -o %PPID -x "$1" || \
        pidof -c -o $$ -o $PPID -o %PPID -x "${1##*/}"
}
...

When invoked in SELinux permissive, all is well, and the correct pid is located, but under enforcing ( selinux-policy-strict-2.4.6-27 in my case), "pidof -c" returns a null string. This in turn causes killproc to assume that the service is dead.

FWIW, FC4/strict/enforcing is Ok where pidof has a -c option, whilst RHEL4 doesn't appear to have a -c option to pidof anyway.

The latest pidof appears to use readlink() to compare the value of /proc//exe for any matching pids - older pidof's used stat().

Needless to say, logs don't show any AVC's when I try to run the rogue pidof calls.

By way of example, one can read the basic process list from sysadm_t, and then show that pidof -c -x fails where pidof -x works. Similarly, I've used run_init to emulate the behaviour of the boot scripts running pidof:

[root at topaz ~]# ps axZ | grep smartd
system_u:system_r:fsdaemon_t 2871 ?  S  0:00 /usr/sbin/smartd -q never
staff_u:sysadm_r:sysadm_t    3375 pts/0  R+  0:00 grep smartd
[root at topaz ~]#
[root at topaz ~]# pidof -x /usr/sbin/smartd
2871
[root at topaz ~]# pidof -x smartd
2871
[root at topaz ~]#
[root at topaz ~]# pidof -c -x /usr/sbin/smartd

[root at topaz ~]# pidof -c -x smartd

[root at topaz ~]# run_init pidof -c -x /usr/sbin/smartd
Authenticating root.
Password:

[root at topaz ~]#
[root at topaz ~]# run_init pidof -x /usr/sbin/smartd
Authenticating root.
Password:
2871
[root at topaz ~]#

As a variant on these tests, I've tried to directly ls and readlink the exe in question; ls fails to read the symlink and errors, whilst readlink silently returns with a null.

[root at topaz ~]# ls -ldZ /proc/2871/exe
ls: cannot read symbolic link /proc/2871/exe: Permission denied
lrwxrwxrwx root root system_u:system_r:fsdaemon_t /proc/2871/exe
[root at topaz ~]# run_init ls -ldZ /proc/2871/exe
Authenticating root.
Password:
lrwxrwxrwx root root system_u:system_r:fsdaemon_t /proc/2871/exe
[root at topaz ~]#

[root at topaz ~]# run_init ls -lZ /proc/2871/exe
Authenticating root.
Password:
ls: /proc/2871/exe: Permission denied

[root at topaz ~]# readlink /proc/2871/exec
[root at topaz ~]#

[root at topaz ~]# run_init readlink /proc/2871/exec
Authenticating root.
Password:
[root at topaz ~]#

As a workaround for the present, I've simply removed the -c option from /etc/init.d/functions:__pids_pidof()

I'm currently running:

selinux-policy-strict-2.4.6-27.fc6
kernel-2.6.18-1.2869
SysVinit-2.86-14

Should this be logged as a bug under SELinux policy or SysVinit?
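An added illustration of the failure mode Ted describes above; this is example code written for this archive, not part of the thread and not SysVinit's pidof. It emulates the pidof-style search over /proc in Python but keeps "the /proc/<pid> link could not be read" apart from "no such process", so a caller such as killproc() can tell an empty result that means "dead" from one that means "I was not allowed to look". (SysVinit's pidof man page describes -c as comparing the process's root directory rather than its exe; a denied readlink on either /proc/<pid> symlink behaves the same way.) The function names, the NO_SUCH_PID value and the tri-state return convention are this example's own assumptions.

```python
import os
import sys
from typing import Any, Dict, List, Optional, Tuple

NO_SUCH_PID = 2147483647  # assumption: above any pid_max, so /proc/<pid> never exists


def exe_of(pid: int) -> Tuple[str, Optional[str]]:
    """Read the /proc/<pid>/exe link the way a pidof-style check does, but keep
    the three outcomes apart instead of collapsing them into 'no result':
      ('ok', path)      the link resolved
      ('denied', None)  the link exists but readlink was refused (EACCES, which is
                        what Ted's ls -lZ /proc/2871/exe showed under enforcing)
      ('absent', None)  no such process, or it has no exe (kernel threads)"""
    try:
        path = os.readlink('/proc/%d/exe' % pid)
    except PermissionError:
        return ('denied', None)
    except (FileNotFoundError, ProcessLookupError):
        return ('absent', None)
    if path.endswith(' (deleted)'):
        path = path[:-len(' (deleted)')]
    return ('ok', path)


def argv0_of(pid: int) -> Optional[str]:
    """Basename of argv[0] from /proc/<pid>/cmdline; None if unreadable or empty."""
    try:
        with open('/proc/%d/cmdline' % pid, 'rb') as f:
            raw = f.read()
    except OSError:
        return None
    if not raw:
        return None
    return os.path.basename(raw.split(b'\0', 1)[0].decode('utf-8', 'replace'))


def exe_matches(pid: int, program: str) -> Optional[bool]:
    """True/False when the exe link could be read and compared, None when the
    kernel refused the readlink, so the caller can tell 'not it' from 'unknown'."""
    status, path = exe_of(pid)
    if status == 'denied':
        return None
    return status == 'ok' and path == os.path.realpath(program)


def find_pids(program: str, exclude: Tuple[int, ...] = (),
              require_link: bool = False) -> Tuple[List[int], List[int]]:
    """Emulate the init script's pidof call over /proc.  A program given as a path
    is matched on the exe link; a bare name is matched on argv[0] and, with
    require_link (the extra -c style check), the exe link must also be readable.
    Returns (matched, undecidable): pids whose link could not be read are reported
    rather than dropped, which is the silent failure that fooled killproc()."""
    matched: List[int] = []
    undecidable: List[int] = []
    for entry in os.listdir('/proc'):
        if not entry.isdigit() or int(entry) in exclude:
            continue
        pid = int(entry)
        if '/' in program:
            verdict = exe_matches(pid, program)
        elif argv0_of(pid) != program:
            continue
        else:
            status = exe_of(pid)[0] if require_link else 'ok'
            verdict = {'ok': True, 'denied': None}.get(status, False)
        if verdict is None:
            undecidable.append(pid)
        elif verdict:
            matched.append(pid)
    return sorted(matched), sorted(undecidable)


def self_check() -> Dict[str, Any]:
    """Run the search against the calling process, whose links are always readable,
    so the expected answers are known in advance."""
    me = os.getpid()
    status, path = exe_of(me)
    return {
        'status': status,
        'found_by_path': me in find_pids(path)[0],
        'found_by_name': me in find_pids(argv0_of(me), require_link=True)[0],
        'missing_pid': exe_of(NO_SUCH_PID)[0],
        'missing_match': exe_matches(NO_SUCH_PID, path),
    }


if __name__ == '__main__':
    # usage: python3 pidof_check.py /usr/sbin/smartd   (or a bare name such as smartd)
    prog = sys.argv[1] if len(sys.argv) > 1 else argv0_of(os.getpid())
    found, unknown = find_pids(prog, exclude=(os.getpid(), os.getppid()), require_link=True)
    print('matched:', found)
    if unknown:
        print('could not read exe link for:', unknown,
              '- an empty result here is not proof that the service is dead')
```

Run as the domain the init scripts use, the script would list smartd's pid under "could not read exe link" rather than printing nothing; that is the distinction the -c code path throws away when it treats a failed readlink as a non-match.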
Does this bug affect targeted policy as well? Is there some simple extra permission which could be granted to initrc_t and sysadm_t which would let them perform readlink /proc//exe, and hence pidof -c ? -- Ted Rule Director, Layer3 Systems Ltd W: http://www.layer3.co.uk/ From sds at tycho.nsa.gov Fri Jan 19 15:22:44 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 19 Jan 2007 10:22:44 -0500 Subject: pidof -c fails under FC6/strict In-Reply-To: <1169219128.3523.16.camel@topaz.bugfinder.co.uk> References: <1169219128.3523.16.camel@topaz.bugfinder.co.uk> Message-ID: <1169220164.22731.538.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2007-01-19 at 15:05 +0000, Ted Rule wrote: > There appears to be a generic problem with "pidof -c" under SELinux > enforcing which has the side-effect of confusing some of the init.d > scripts. > > In particular, the following services - at least - fail to shut down or > report status cleanly: > > acpid > hidd > vsftpd > smartd > autofs > mcstrans > syslog-ng ( but not syslogd .. ) > > The common feature is that these daemons lack a corresponding > /var/run/.pid; in the case of syslog-ng, of course, the real > pid has the "wrong" name. > > During shutdown, /etc/init.d/functions:killproc() searches for the > pidfile, and if it fails to find one, it searches for a pid with a > matching exec name via the __pids_pidof() function. > > ... > # Output PIDs of matching processes, found using pidof > __pids_pidof() { > pidof -c -o $$ -o $PPID -o %PPID -x "$1" || \ > pidof -c -o $$ -o $PPID -o %PPID -x "${1##*/}" > } > ... > > When invoked in SELinux permissive, all is well, and the correct pid is > located, but under enforcing, ( selinux-policy-strict-2.4.6-27 in my > case), "pidof -c" returns a null string. This in turn, causes killproc > to assume that the service is dead. > > FWIW, FC4/strict/enforcing is Ok where pidof has a -c option, whilst > RHEL4 doesn't appear to have a -c option to pidof anyway. 
> > The latest pidof appears to use readlink() to compare the value > of /proc//exe for any matching pids - older pidof's used stat(). > > Needless to say, logs don't show any AVC's when I try to run the rogue > pidof calls. > > By way of example, one can read the basic process list from sysadm_t, > and then show that pidof -c -x fails where pidof -x works. Similarly, > I've used run_init to emulate the behaviour of the boot scripts running > pidof: > > [root at topaz ~]# ps axZ | grep smartd > system_u:system_r:fsdaemon_t 2871 ? S > 0:00 /usr/sbin/smartd -q never > staff_u:sysadm_r:sysadm_t 3375 pts/0 R+ 0:00 grep smartd > [root at topaz ~]# > [root at topaz ~]# pidof -x /usr/sbin/smartd > 2871 > [root at topaz ~]# pidof -x smartd > 2871 > [root at topaz ~]# > [root at topaz ~]# pidof -c -x /usr/sbin/smartd > > [root at topaz ~]# pidof -c -x smartd > > [root at topaz ~]# run_init pidof -c -x /usr/sbin/smartd > Authenticating root. > Password: > > [root at topaz ~]# > [root at topaz ~]# run_init pidof -x /usr/sbin/smartd > Authenticating root. > Password: > 2871 > [root at topaz ~]# > > As a variant on these tests, I've tried to directly ls and readlink the > exe in question; ls fails to read the symlink and errors, whilst > readlink silently returns with a null. > > [root at topaz ~]# ls -ldZ /proc/2871/exe > ls: cannot read symbolic link /proc/2871/exe: Permission denied > lrwxrwxrwx root root system_u:system_r:fsdaemon_t /proc/2871/exe > [root at topaz ~]# run_init ls -ldZ /proc/2871/exe > Authenticating root. > Password: > lrwxrwxrwx root root system_u:system_r:fsdaemon_t /proc/2871/exe > [root at topaz ~]# > > [root at topaz ~]# run_init ls -lZ /proc/2871/exe > Authenticating root. > Password: > ls: /proc/2871/exe: Permission denied > > [root at topaz ~]# readlink /proc/2871/exec > [root at topaz ~]# > > [root at topaz ~]# run_init readlink /proc/2871/exec > Authenticating root. 
> Password:
> [root at topaz ~]#
>
> As a workaround for the present, I've simply removed the -c option
> from /etc/init.d/functions:__pids_pidof()
>
> I'm currently running:
>
> selinux-policy-strict-2.4.6-27.fc6
> kernel-2.6.18-1.2869
> SysVinit-2.86-14
>
> Should this be logged as a bug under SELinux policy or SysVinit?
>
> Does this bug affect targeted policy as well?
>
> Is there some simple extra permission which could be granted to initrc_t
> and sysadm_t which would let them perform readlink /proc//exe, and
> hence pidof -c ?

Changes in the kernel (separate from selinux) altered permission checking on proc such that ptrace checks are applied pervasively when accessing another task's /proc/pid entries (this was done as part of the containers work). Thus, policy has to allow ptrace permission between the respective domains to support such accesses (and these are usually covered up by dontaudit rules to suppress noise on e.g. ps -el and the like).

In the future, I'd like to see proc permission checking revised to distinguish read-only access to process state vs. full ptrace access.

-- 
Stephen Smalley
National Security Agency

From drepper at redhat.com Fri Jan 19 19:11:40 2007
From: drepper at redhat.com (Ulrich Drepper)
Date: Fri, 19 Jan 2007 11:11:40 -0800
Subject: pidof -c fails under FC6/strict
In-Reply-To: <1169220164.22731.538.camel@moss-spartans.epoch.ncsc.mil>
References: <1169219128.3523.16.camel@topaz.bugfinder.co.uk> <1169220164.22731.538.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <45B117EC.3060302@redhat.com>

Stephen Smalley wrote:
> In the future, I'd like to see proc permission checking revised to
> distinguish read-only access to process state vs. full ptrace access.

That would have to be much more detailed than just read/write vs read-only. ptrace reads can leak information (especially a no-no for MLS but also for normal operation).
For instance, you don't want to allow poking a process to get randomization values/seeds like the one used for pointer encryption.

So, you'd have to go into great detail and maybe even split the functionality of a single ptrace or /proc operation in minute parts which might or might not be allowed.

-- 
Ulrich Drepper, Red Hat, Inc., 444 Castro St, Mountain View, CA

From sds at tycho.nsa.gov Fri Jan 19 20:04:23 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 19 Jan 2007 15:04:23 -0500
Subject: pidof -c fails under FC6/strict
In-Reply-To: <45B117EC.3060302@redhat.com>
References: <1169219128.3523.16.camel@topaz.bugfinder.co.uk> <1169220164.22731.538.camel@moss-spartans.epoch.ncsc.mil> <45B117EC.3060302@redhat.com>
Message-ID: <1169237063.22731.650.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-01-19 at 11:11 -0800, Ulrich Drepper wrote:
> Stephen Smalley wrote:
> > In the future, I'd like to see proc permission checking revised to
> > distinguish read-only access to process state vs. full ptrace access.
>
> That would have to be much more detailed than just read/write vs
> read-only. ptrace reads can leak information (especially a no-no for
> MLS but also for normal operation). For instance, you don't want to
> allow poking a process to get randomization values/seeds like the one
> used for pointer encryption.
>
> So, you'd have to go into great detail and maybe even split the
> functionality of a single ptrace or /proc operation in minute parts
> which might or might not be allowed.

Understood, but the current situation leads to overly permissive policy (or excessive use of dontaudits and limited functionality) just to give some visibility into the process state.
Having to allow domain A full ptrace control over domain B just to let domain A see some of domain B's /proc/pid state is overkill. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Fri Jan 19 20:44:28 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 19 Jan 2007 15:44:28 -0500 Subject: Selinux, Oracle, DBD::Oracle, RHEL5B2 In-Reply-To: <1169215430.1933.24.camel@raptor.sr.unh.edu> References: <20070119112957.58185.qmail@web51504.mail.yahoo.com> <1169215430.1933.24.camel@raptor.sr.unh.edu> Message-ID: <45B12DAC.7000006@redhat.com> Thomas J. Baker wrote: > On Fri, 2007-01-19 at 03:29 -0800, Steve G wrote: > >>> Almost got everything working except for this selinux problem (http log error): >>> >> We need to see the avcs associated with this. >> >> -Steve >> >> > > I get > > type=AVC msg=audit(1169215302.727:10760): avc: denied { execheap } for > pid=25241 comm="httpd" scontext=user_u:system_r:httpd_t:s0 > tcontext=user_u:system_r:httpd_t:s0 tclass=process > type=SYSCALL msg=audit(1169215302.727:10760): arch=40000003 syscall=125 > success=no exit=-13 a0=7653000 a1=1e7000 a2=5 a3=bfb540f0 items=0 > ppid=25239 pid=25241 auid=4490 uid=48 gid=48 euid=48 suid=48 fsuid=48 > egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" > subj=user_u:system_r:httpd_t:s0 key=(null) > > that coincides with the httpd log of > > > [Fri Jan 19 09:01:42 2007] [error] [client 132.177.241.80] > install_driver(Oracle) failed: Can't load > '/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so' for module DBD::Oracle: /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so: cannot restore segment prot after reloc: Permission denied at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.\n at (eval 11) line 3\nCompilation failed in require at (eval 11) line 3.\nPerhaps a required shared library or dll isn't installed where expected\n at /web1/perl/Lib/Layout2/Core/Initializer.pm line 191\n\t(in 
cleanup) Can't call method "disconnect" on an undefined value at /web1/perl/Lib/Layout2/Core/Initializer.pm line 206.\n
>
> I've turned on execheap and restarted the webserver but still get this
> same error.
>
> tjb
>
chcon -t textrel_shlib_t /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so
chcon -t textrel_shlib_t /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so

From mantaray_1 at cox.net Sat Jan 20 03:08:27 2007
From: mantaray_1 at cox.net (Ken)
Date: Fri, 19 Jan 2007 20:08:27 -0700
Subject: [Fwd: Re: Access attempts]
In-Reply-To: <1169131088.22731.258.camel@moss-spartans.epoch.ncsc.mil>
References: <45AE87F3.7060009@cox.net> <1169131088.22731.258.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <45B187AB.2040003@cox.net>

An HTML attachment was scrubbed...

From cannewilson at tiscali.co.uk Sun Jan 21 12:24:21 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Sun, 21 Jan 2007 12:24:21 +0000
Subject: Worrying AVC messages
Message-ID: <200701211224.21506.cannewilson@tiscali.co.uk>

I'm seeing a lot of AVC messages, a sample of which is

type=AVC msg=audit(1162463326.809:49): avc: denied { search } for pid=4186 comm="postmap" name="nscd" dev=hdb1 ino=195773

type=AVC msg=audit(1162483288.034:31): avc: denied { write } for pid=5804 comm="ip" name="[23145]" dev=pipefs ino=23145

type=AVC msg=audit(1162483738.762:39): avc: denied { write } for pid=7191 comm="ip" name="[27659]" dev=pipefs ino=27659

type=AVC msg=audit(1169284673.188:58): avc: denied { ioctl } for pid=4212 comm="smartd" name="hda" dev=tmpfs ino=879

type=AVC msg=audit(1162495544.436:62): avc: denied { write } for pid=28024 comm="setfiles" name="[120832]" dev=pipefs ino=120832

type=AVC_PATH msg=audit(1169310171.523:150): path="/dev/bus/usb/001/004"
type=AVC msg=audit(1169310172.778:151): avc: denied { read } for pid=2996 comm="hald-addon-stor" name="hdd" dev=tmpfs ino=7431

I don't really understand what is going on.
'postmap' to me implies postfix, which seems odd.

There are many such messages about smartd. This is something I'd want to be working. Why is this blocked? Can/Should I enable it? How?

I looked at /dev/bus/usb/001/004 but I can't tell what this is. I'm guessing that it's a card-reader, but it's sheer guesswork.

I'd be glad of any hints. SELinux hasn't really caused me any problems up to now, but one of my projects, which I'll address in a later thread, may be being blocked, so I need to start to understand more.

Thanks
Anne

From wart at kobold.org Sun Jan 21 19:24:14 2007
From: wart at kobold.org (Wart)
Date: Sun, 21 Jan 2007 11:24:14 -0800
Subject: httpd and tcp_connect
Message-ID: <45B3BDDE.2080903@kobold.org>

I'm receiving the following avc denial from a game package that's under review[1]:

Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc: denied { name_connect } for pid=2661 comm="httpd" dest=19382 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

The package includes a php-based web application and a python daemon backend. The php webapp communicates with the python daemon through tcp sockets. From the avc denial it appears that this communication fails because httpd is not allowed to establish tcp connections. This seems like a valid security restriction, except in this case I do want to allow it.

How can I configure the httpd policy to allow tcp connections, but only to localhost and only on the python daemon's ports (19380-19383)?
--Wart

[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219972

From ejtr at layer3.co.uk Sun Jan 21 23:05:23 2007
From: ejtr at layer3.co.uk (Ted Rule)
Date: Sun, 21 Jan 2007 23:05:23 +0000
Subject: Cron mail problem with FC6/strict
Message-ID: <1169420723.3503.10.camel@topaz.bugfinder.co.uk>

A little while ago, I found that anacron wasn't running correctly under FC6/strict, which led me to add a temporary fixup .te for its operation. Once I had that in place, I finally received the cron.daily and logwatch Emails every day shortly after bootup.

With that in place, I recently took to leaving the machine powered overnight, which of course led to all the Cron jobs running via crond instead of anacron.

Oddly, I noticed that the logwatch Email arrived, but NOT the cron.daily summary Email. Looking further, I found this odd avc:

Jan 21 21:29:51 topaz kernel: audit(1169414991.423:988): avc: denied { entrypoint } for pid=4891 comm="crond" name="sendmail.sendmail" dev=hda6 ino=1313020 scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

i.e. the crond child process running in system_crond_t was apparently unable to run sendmail.

Just to be curious, I added this permission:

auditallow system_crond_t sendmail_exec_t:file execute

and saw this:

Jan 21 21:30:51 topaz kernel: audit(1169415051.521:993): avc: granted { execute } for pid=4909 comm="crond" name="sendmail.sendmail" dev=hda6 ino=1313020 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Jan 21 21:30:51 topaz kernel: audit(1169415051.521:994): avc: denied { entrypoint } for pid=4909 comm="crond" name="sendmail.sendmail" dev=hda6 ino=1313020

i.e. crond was apparently allowed to execute sendmail but got caught with the 'entrypoint' denial slightly later on.

As an added test, I created a per-minute Cron Job which itself invoked /bin/mail which in turn called sendmail and a few invocations of sleep (the sleeps just to make it slightly easier to read the process list changes).

Jan 21 21:31:11 topaz kernel: audit(1169415071.651:996): avc: granted { execute } for pid=4938 comm="mail" name="sendmail.sendmail" dev=hda6 ino=1313020 scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Jan 21 21:31:11 topaz kernel: audit(1169415071.651:997): avc: granted { read execute } for pid=4938 comm="sendmail" name="sendmail.sendmail" dev=hda6 ino=1313020 scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Jan 21 21:31:51 topaz kernel: audit(1169415111.704:999): avc: granted { execute } for pid=4947 comm="crond" name="sendmail.sendmail" dev=hda6 ino=1313020 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Jan 21 21:31:51 topaz kernel: audit(1169415111.704:1000): avc: denied { entrypoint } for pid=4947 comm="crond" name="sendmail.sendmail" dev=hda6 ino=1313020 scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file

i.e. the call to sendmail from system_crond_t within the Cron job by something other than the crond binary itself worked Ok, but when crond tried to invoke it, it just sulked.

If I went to permissive mode the log was filled with avc's indicating that crond's direct invocation of sendmail failed to transition to system_mail_t, even though these two interface calls appear to exist in the policy:

mta_send_mail(crond_t)
mta_send_mail(system_crond_t)

For both anacron and crond launched invocations of cron.daily/0logwatch, of course, logwatch itself invokes sendmail from logwatch_t, so the problem doesn't arise.

I'm currently using selinux-policy-strict-2.4.6-27

I also tried adding this permission:

allow system_crond_t sendmail_exec_t:file entrypoint

but this didn't really help; crond:system_crond_t stubbornly refused to transition to system_mail_t.

Since all the invocations from within Jobs running as system_crond_t and also from anacron running as system_crond_t invoked sendmail Ok, my presumption is that there's something in crond's own use of libselinux which is confusing matters and preventing Emails being created.

Looking at the policy source a little bit more, mta_send_mail() calls domain_auto_trans() which in turn calls domain_trans(). Way back in FC4 policy, I can see that domain_trans()'s definition contains an entry that suggests I actually need to add

allow system_mail_t sendmail_exec_t:file entrypoint

since the entrypoint permission appears to take the child_domain's type as its first parameter, (which itself implies that the log entry is slightly awry, just to be confusing...):

domain_trans(parent_domain, program_type, child_domain)
...
allow $3 $2:file entrypoint;

The FC6 policy source seems to have no automatic entrypoint permission within the domain_trans() definition but does have the domain_entry_file() interface. Just for fun, therefore, I tried adding this:

domain_entry_file(system_mail_t, sendmail_exec_t)

All to no avail, I'm afraid; I continue to be unable to get crond to directly execute sendmail.

Can anyone enlighten me, please?

-- 
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

From tjb at unh.edu Mon Jan 22 13:55:08 2007 From: tjb at unh.edu (Thomas J.
Baker) Date: Mon, 22 Jan 2007 08:55:08 -0500 Subject: Selinux, Oracle, DBD::Oracle, RHEL5B2 In-Reply-To: <45B12DAC.7000006@redhat.com> References: <20070119112957.58185.qmail@web51504.mail.yahoo.com> <1169215430.1933.24.camel@raptor.sr.unh.edu> <45B12DAC.7000006@redhat.com> Message-ID: <1169474108.1878.8.camel@raptor.sr.unh.edu> On Fri, 2007-01-19 at 15:44 -0500, Daniel J Walsh wrote: > Thomas J. Baker wrote: > > On Fri, 2007-01-19 at 03:29 -0800, Steve G wrote: > > > >>> Almost got everything working except for this selinux problem (http log error): > >>> > >> We need to see the avcs associated with this. > >> > >> -Steve > >> > >> > > > > I get > > > > type=AVC msg=audit(1169215302.727:10760): avc: denied { execheap } for > > pid=25241 comm="httpd" scontext=user_u:system_r:httpd_t:s0 > > tcontext=user_u:system_r:httpd_t:s0 tclass=process > > type=SYSCALL msg=audit(1169215302.727:10760): arch=40000003 syscall=125 > > success=no exit=-13 a0=7653000 a1=1e7000 a2=5 a3=bfb540f0 items=0 > > ppid=25239 pid=25241 auid=4490 uid=48 gid=48 euid=48 suid=48 fsuid=48 > > egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" > > subj=user_u:system_r:httpd_t:s0 key=(null) > > > > that coincides with the httpd log of > > > > > > [Fri Jan 19 09:01:42 2007] [error] [client 132.177.241.80] > > install_driver(Oracle) failed: Can't load > > '/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so' for module DBD::Oracle: /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so: cannot restore segment prot after reloc: Permission denied at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.\n at (eval 11) line 3\nCompilation failed in require at (eval 11) line 3.\nPerhaps a required shared library or dll isn't installed where expected\n at /web1/perl/Lib/Layout2/Core/Initializer.pm line 191\n\t(in cleanup) Can't call method "disconnect" on an undefined value at /web1/perl/Lib/Layout2/Core/Initializer.pm line 206.\n > 
> > > I've turned on execheap and restarted the webserver but still get this > > same error. > > > > tjb > > > chcon -t textrel_shlib_t > /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so > > chcon -t textrel_shlib_t /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so > I tried it and it still fails: [root at contact tjb]# ls -lZ /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so -r-xr-xr-x oracle dba system_u:object_r:textrel_shlib_t /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so -r-xr-xr-x root root user_u:object_r:textrel_shlib_t /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so [root at contact tjb]# tail /var/log/audit/audit.log type=DAEMON_ROTATE msg=audit(1169473901.462:136) auditd sending auid=4490 pid=28184 subj=user_u:system_r:initrc_t:s0, auditd pid=2224 type=AVC msg=audit(1169473909.870:13982): avc: denied { search } for pid=28197 comm="httpd" name="" dev=0:29 ino=23085536 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir type=SYSCALL msg=audit(1169473909.870:13982): arch=40000003 syscall=195 success=no exit=-13 a0=925e540 a1=bf98c3fc a2=493ff4 a3=925e540 items=0 ppid=28196 pid=28197 auid=4490 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1169473918.068:13983): avc: denied { execheap } for pid=28200 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process type=SYSCALL msg=audit(1169473918.068:13983): arch=40000003 syscall=125 success=no exit=-13 a0=24cd000 a1=1e7000 a2=5 a3=bf98bf30 items=0 ppid=28198 pid=28200 auid=4490 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 
key=(null) tjb -- ======================================================================= | Thomas Baker email: tjb at unh.edu | | Systems Programmer | | Research Computing Center voice: (603) 862-4490 | | University of New Hampshire fax: (603) 862-1761 | | 332 Morse Hall | | Durham, NH 03824 USA http://wintermute.sr.unh.edu/~tjb | ======================================================================= From sds at tycho.nsa.gov Mon Jan 22 14:49:47 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 22 Jan 2007 09:49:47 -0500 Subject: Worrying AVC messages In-Reply-To: <200701211224.21506.cannewilson@tiscali.co.uk> References: <200701211224.21506.cannewilson@tiscali.co.uk> Message-ID: <1169477387.8180.58.camel@moss-spartans.epoch.ncsc.mil> On Sun, 2007-01-21 at 12:24 +0000, Anne Wilson wrote: > I'm seeing a lot of AVC message, a sample of which is > > type=AVC msg=audit(1162463326.809:49): avc: denied { search } for pid=4186 > comm="postmap" name="nscd" dev=hdb1 ino=195773 > > type=AVC msg=audit(1162483288.034:31): avc: denied { write } for pid=5804 > comm="ip" name="[23145]" dev=pipefs ino=23145 > > type=AVC msg=audit(1162483738.762:39): avc: denied { write } for pid=7191 > comm="ip" name="[27659]" dev=pipefs ino=27659 > > type=AVC msg=audit(1169284673.188:58): avc: denied { ioctl } for pid=4212 > comm="smartd" name="hda" dev=tmpfs ino=879 > > type=AVC msg=audit(1162495544.436:62): avc: denied { write } for pid=28024 > comm="setfiles" name="[120832]" dev=pipefs ino=120832 > > type=AVC_PATH msg=audit(1169310171.523:150): path="/dev/bus/usb/001/004" > type=AVC msg=audit(1169310172.778:151): avc: denied { read } for pid=2996 > comm="hald-addon-stor" name="hdd" dev=tmpfs ino=7431 > > I don't really understand what is going on. 'postmap' to me implies postfix, > which seems odd. > > There are many such messages about smartd. This is something I'd want to be > working. Why is this blocked? Can/Should I enable it? How? 
> > I looked at /dev/bus/usb/001/004 but I can't tell what this is. I'm guessing > that it's a card-reader, but it's sheer guesswork. > > I'd be glad of any hints. SELinux hasn't really caused me any problems up to > now, but one of my projects, which I'll address in a later thread, may be > being blocked, so I need to start to understand more. You don't seem to have included the scontext, tcontext, and tclass information, which is the real basis for the permission denial. You can also get supplemental information about each avc denial by enabling system call auditing. Requires installing "audit" and adding at least one audit rule to enable collection of the full audit context. This will provide you with information like the system call number and arguments, the path that has been looked up, etc. audit2allow can be used to generate a local policy module to allow permissions as appropriate; see its man page and the Fedora SELinux FAQ. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Mon Jan 22 17:01:25 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 22 Jan 2007 12:01:25 -0500 Subject: Selinux, Oracle, DBD::Oracle, RHEL5B2 In-Reply-To: <1169474108.1878.8.camel@raptor.sr.unh.edu> References: <20070119112957.58185.qmail@web51504.mail.yahoo.com> <1169215430.1933.24.camel@raptor.sr.unh.edu> <45B12DAC.7000006@redhat.com> <1169474108.1878.8.camel@raptor.sr.unh.edu> Message-ID: <45B4EDE5.2080204@redhat.com> Thomas J. Baker wrote: > On Fri, 2007-01-19 at 15:44 -0500, Daniel J Walsh wrote: > >> Thomas J. Baker wrote: >> >>> On Fri, 2007-01-19 at 03:29 -0800, Steve G wrote: >>> >>> >>>>> Almost got everything working except for this selinux problem (http log error): >>>>> >>>>> >>>> We need to see the avcs associated with this. 
>>>> >>>> -Steve >>>> >>>> >>>> >>> I get >>> >>> type=AVC msg=audit(1169215302.727:10760): avc: denied { execheap } for >>> pid=25241 comm="httpd" scontext=user_u:system_r:httpd_t:s0 >>> tcontext=user_u:system_r:httpd_t:s0 tclass=process >>> type=SYSCALL msg=audit(1169215302.727:10760): arch=40000003 syscall=125 >>> success=no exit=-13 a0=7653000 a1=1e7000 a2=5 a3=bfb540f0 items=0 >>> ppid=25239 pid=25241 auid=4490 uid=48 gid=48 euid=48 suid=48 fsuid=48 >>> egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" >>> subj=user_u:system_r:httpd_t:s0 key=(null) >>> >>> that coincides with the httpd log of >>> >>> >>> [Fri Jan 19 09:01:42 2007] [error] [client 132.177.241.80] >>> install_driver(Oracle) failed: Can't load >>> '/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so' for module DBD::Oracle: /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so: cannot restore segment prot after reloc: Permission denied at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/DynaLoader.pm line 230.\n at (eval 11) line 3\nCompilation failed in require at (eval 11) line 3.\nPerhaps a required shared library or dll isn't installed where expected\n at /web1/perl/Lib/Layout2/Core/Initializer.pm line 191\n\t(in cleanup) Can't call method "disconnect" on an undefined value at /web1/perl/Lib/Layout2/Core/Initializer.pm line 206.\n >>> >>> I've turned on execheap and restarted the webserver but still get this >>> same error. 
>>> >>> tjb >>> >>> >> chcon -t textrel_shlib_t >> /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so >> >> chcon -t textrel_shlib_t /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so >> >> > > I tried it and it still fails: > > [root at contact tjb]# ls > -lZ /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so > -r-xr-xr-x oracle dba > system_u:object_r:textrel_shlib_t /usr/lib/oracle/xe/app/oracle/product/10.2.0/client/lib/libnnz10.so > -r-xr-xr-x root root > user_u:object_r:textrel_shlib_t /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/DBD/Oracle/Oracle.so > > > [root at contact tjb]# tail /var/log/audit/audit.log > type=DAEMON_ROTATE msg=audit(1169473901.462:136) auditd sending > auid=4490 pid=28184 subj=user_u:system_r:initrc_t:s0, auditd pid=2224 > type=AVC msg=audit(1169473909.870:13982): avc: denied { search } for > pid=28197 comm="httpd" name="" dev=0:29 ino=23085536 > scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 > tclass=dir > type=SYSCALL msg=audit(1169473909.870:13982): arch=40000003 syscall=195 > success=no exit=-13 a0=925e540 a1=bf98c3fc a2=493ff4 a3=925e540 items=0 > ppid=28196 pid=28197 auid=4490 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" > subj=user_u:system_r:httpd_t:s0 key=(null) > type=AVC msg=audit(1169473918.068:13983): avc: denied { execheap } for > pid=28200 comm="httpd" scontext=user_u:system_r:httpd_t:s0 > tcontext=user_u:system_r:httpd_t:s0 tclass=process > type=SYSCALL msg=audit(1169473918.068:13983): arch=40000003 syscall=125 > success=no exit=-13 a0=24cd000 a1=1e7000 a2=5 a3=bf98bf30 items=0 > ppid=28198 pid=28200 auid=4490 uid=48 gid=48 euid=48 suid=48 fsuid=48 > egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" > subj=user_u:system_r:httpd_t:s0 key=(null) > > > tjb > For 
this failure you will need custom policy.

grep execheap /var/log/audit/audit.log | audit2allow -M myhttp

Will create a loadable policy module to allow this.

Are you exporting files via nfs also?

From bofh1234 at hotmail.com Mon Jan 22 19:19:07 2007
From: bofh1234 at hotmail.com (Adam Turk)
Date: Mon, 22 Jan 2007 14:19:07 -0500
Subject: selinux and oracle
In-Reply-To: <45AD3704.3050106@redhat.com>
Message-ID:

Hello again,

I was able to install Oracle 10gR2 on RHEL4U4 with selinux in targeted enforcing mode. No selinux messages in /var/log/messages or dmesg. I found a couple of scripts that will start and shutdown the database and enterprise manager on boot and shutdown. I had a couple of problems with this part and I am not sure if selinux is the problem or not. Let me explain then I will post the code.

I created a file called oracle in /etc/rc.d/init.d. I ran chkconfig oracle reset. I then ran service oracle start. The database wouldn't start. oracle calls the script dbstart which needs ORACLE_HOME defined. If I add an export ORACLE_HOME=/path/to/oracle to dbstart everything works. If I remove the export then the database won't start. I was under the assumption that when I set ORACLE_HOME in oracle it would be able to be used by dbstart. This does not appear to be true. Is this a selinux problem, or did I misunderstand something? To get the database to start I added the export ORACLE_HOME to /etc/profile. Also when I do an init 6 or init 0 the oracle service doesn't shutdown i.e. no shutting down oracle ................

Thanks,

#!/bin/bash
#
# chkconfig: 35 95 1
# description: init script to start/stop oracle database 9i, TNS listener, EMS
#
# DON'T FORGET TO MODIFY /etc/oratab AND CHANGE THE LAST VARIABLE TO Y
# chmod 750 this file

export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1
export ORACLE_BIN=$ORACLE_HOME/bin
export ORACLE_SID=jrd
export LD_LIBRARY_PATH=$ORACLE_HOME/lib
export ORACLE_USER=oracle
export PATH=$PATH:$ORACLE_BIN

# "su -" starts a login shell, which discards the variables exported above,
# so they are passed again inside the command string that dbstart/dbshut run in.
ORACLE_ENV="export ORACLE_HOME=$ORACLE_HOME ORACLE_SID=$ORACLE_SID LD_LIBRARY_PATH=$LD_LIBRARY_PATH PATH=\$PATH:$ORACLE_BIN"

if [ ! -f $ORACLE_BIN/dbstart ]
then
    echo "Oracle startup: cannot start"
    exit 1
fi

# see how we are called:
case $1 in
    start)
        su - $ORACLE_USER -c "$ORACLE_ENV; $ORACLE_BIN/dbstart"
        # su - $ORACLE_USER -c "$ORACLE_ENV; $ORACLE_BIN/emctl start dbconsole"
        # rc only calls "stop" at shutdown for services holding a subsys lock
        touch /var/lock/subsys/oracle
        ;;
    stop)
        # su - $ORACLE_USER -c "$ORACLE_ENV; $ORACLE_BIN/emctl stop dbconsole"
        su - $ORACLE_USER -c "$ORACLE_ENV; $ORACLE_BIN/dbshut"
        rm -f /var/lock/subsys/oracle
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

From cannewilson at tiscali.co.uk Mon Jan 22 20:22:04 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Mon, 22 Jan 2007 20:22:04 +0000
Subject: Worrying AVC messages
In-Reply-To: <1169494830.3287.22.camel@moss-spartans.epoch.ncsc.mil>
References: <200701211224.21506.cannewilson@tiscali.co.uk> <200701221859.07395.cannewilson@tiscali.co.uk> <1169494830.3287.22.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200701222022.04363.cannewilson@tiscali.co.uk>

On Monday 22 January 2007 19:40, Stephen Smalley wrote:
> On Mon, 2007-01-22 at 18:59 +0000, Anne Wilson wrote:
> > On Monday 22 January 2007 14:49, you wrote:
> >
> > Hi, Stephen. I'm very new to all this, so bear with me if I don't give
> > you the right info first try :-)
>
> Why take discussion off-list?
>
Sorry - not intentional. A new folder in KMail, and I forgot to set up Mailing List Management.

> > > You don't seem to have included the scontext, tcontext, and tclass
> > > information, which is the real basis for the permission denial.
> > >
> > > You can also get supplemental information about each avc denial by
> > > enabling system call auditing. Requires installing "audit" and adding
> > > at least one audit rule to enable collection of the full audit context.
> > > This will provide you with information like the system call number and > > > arguments, the path that has been looked up, etc. > > > > I have audit.log and I get logwatch messages, so I think audit is working > > properly. Where do I look to see if rules have been made? They would > > probably be defaults, as I'm sure I haven't made any myself. > > /sbin/auditctl -l will list any rules. auditctl man page will show you > some examples of rules, which you can apply manually via auditctl or by > putting into /etc/audit/audit.rules and re-starting auditd. Any rule > will suffice, as the goal is just to get the audit system to start > collecting information for use when an avc message happens; it used to > always do that proactively, but that caused performance issues, so they > disabled it when there are no audit rules in place. > Fine. I'll see what I can do with this. > > Is this the kind of info you need? > > > > type=AVC msg=audit(1162463326.809:49): avc: denied { search } for > > pid=4186 comm="postmap" name="nscd" dev=hdb1 ino=195773 > > scontext=user_u:system_r:postfix_map_t:s0 > > tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir > > type=SYSCALL msg=audit(1162463326.809:49): arch=40000003 syscall=102 > > success=no exit=-2 a0=3 a1=bf915688 a2=67eff4 a3=4 items=0 ppid=4147 > > pid=4186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > > tty=pts5 comm="postmap" exe="/usr/sbin/postmap" > > subj=user_u:system_r:postfix_map_t:s0 key=(null) > > Yes, that shows the security contexts of the source (process) and the > target (in this case, a directory). audit2allow will turn those > messages into allow rules, e.g. 
> su - > audit2allow -a -M local > semodule -i local.pp > Examples are always helpful :-) > > type=AVC msg=audit(1169487905.785:178): avc: denied { read } for > > pid=2965 comm="hald-addon-stor" name="hdc" dev=tmpfs ino=7065 > > scontext=system_u:system_r:hald_t:s0 > > tcontext=system_u:object_r:device_t:s0 tclass=blk_file > > type=SYSCALL msg=audit(1169487905.785:178): arch=40000003 syscall=5 > > success=yes exit=4 a0=96e1ac6 a1=8880 a2=0 a3=8880 items=0 ppid=2940 > > pid=2965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > fsgid=0 tty=(none) comm="hald-addon-stor" > > exe="/usr/libexec/hald-addon-storage" subj=system_u:system_r:hald_t:s0 > > key=(null) > > Question on this one is why this device node has a generic type > (device_t) rather than a specific one (e.g. removable_device_t). > I suspect that this is my video capture card, a pci card for use with an analogue camcorder. I had been trying to write udev rules to track video0 and video1, so that webcam and camcorder capture could always be found. The device is listed currently under video1. Udevinfo doesn't walk the sys tree for this card, the way it does for the webcam. Perhaps that's part of the puzzle? > > type=AVC msg=audit(1169489443.261:186): avc: denied { read } for > > pid=4482 comm="smartd" name="hda" dev=tmpfs ino=879 > > scontext=system_u:system_r:fsdaemon_t:s0 > > tcontext=system_u:object_r:device_t:s0 tclass=blk_file > > type=SYSCALL msg=audit(1169489443.261:186): arch=40000003 syscall=5 > > success=yes exit=3 a0=99c60a0 a1=800 a2=c3c490 a3=c42cae items=0 ppid=1 > > pid=4482 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > fsgid=0 tty=(none) comm="smartd" exe="/usr/sbin/smartd" > > subj=system_u:system_r:fsdaemon_t:s0 key=(null) > > Likewise. > This I don't understand. I've seen messages like this for hdb as well. They are standard hdds. 
> > > audit2allow can be used to generate a local policy module to allow
> > > permissions as appropriate; see its man page and the Fedora SELinux
> > > FAQ.
>
Thanks for the help so far. I'll catch up on the reading.

Anne

From cpebenito at tresys.com Mon Jan 22 20:47:47 2007
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Mon, 22 Jan 2007 15:47:47 -0500
Subject: Cron mail problem with FC6/strict
In-Reply-To: <1169420723.3503.10.camel@topaz.bugfinder.co.uk>
References: <1169420723.3503.10.camel@topaz.bugfinder.co.uk>
Message-ID: <1169498867.15056.9.camel@sgc.columbia.tresys.com>

On Sun, 2007-01-21 at 23:05 +0000, Ted Rule wrote:
> A little while ago, I found that anacron wasn't running correctly under
> FC6/strict, which led to me add a temporary fixup .te for its operation.
> Once I had that in place, I finally received the cron.daily and logwatch
> Emails every day shortly after bootup.
>
> With that in place, I recently took to leaving the machine powered
> overnight, which of course led to all the Cron jobs running via crond
> instead of anacron.
>
> Oddly, I noticed that the logwatch Email arrived, but NOT the cron.daily
> summary Email.
>
> Looking further, I found this odd avc:
>
> Jan 21 21:29:51 topaz kernel: audit(1169414991.423:988): avc: denied
> { entrypoint } for pid=4891 comm="crond" name="sendmail.sendmail"
> dev=hda6 ino=1313020
> scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
>
> i.e. the crond child process running in system_crond_t was apparently
> unable to run sendmail.

Is this supposed to be cron emailing the output of the cron jobs or the cron job itself emailing something?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From pandalists at free.fr Tue Jan 23 17:36:08 2007
From: pandalists at free.fr (pandalists at free.fr)
Date: Tue, 23 Jan 2007 18:36:08 +0100
Subject: chcat problem
Message-ID: <1169573768.45b64788f2a80@imp.free.fr>

Hi,

I am currently trying to teach myself SELinux on a Fedora FC6 box (VMware), configured with the strict policy running in permissive mode. I followed the instructions provided on http://james-morris.livejournal.com/8228.html to play with MCS functions, but I get an error when I try to assign a category "Public" to an unprivileged user "foo" with the chcat command (as root, with sysadm role)

-----------------------------------------------
# chcat -l -- +Public foo
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
-----------------------------------------------

Other techniques to achieve the same result (e.g. trying to assign this category with semanage) lead to the same error.

-----------------------------------------------
# semanage login -l
__default__   user_u     s0
foo           user_u     s0
root          root       SystemLow-SystemHigh
system_u      system_u   SystemLow-SystemHigh

# semanage user -l
root      sysadm   s0   SystemLow-SystemHigh   system_r sysadm_r staff_r
staff_u   staff    s0   SystemLow-SystemHigh   sysadm_r staff_r
sysadm_u  sysadm   s0   SystemLow-SystemHigh   sysadm_r
system_u  user     s0   SystemLow-SystemHigh   system_r
user_u    user     s0   s0                     user_r
-----------------------------------------------

My setrans.conf file contains :
s0:c0=Public
s0:c1=Confidential
s0:c2=Secret
s0:c3=TopSecret

Any idea?
Apart from that, setting a category on a non-existing file leads to a segmentation fault :

# chcat -- +Public doesnotexist.txt
Segmentation fault

Thanks for your help,

Ben

From cannewilson at tiscali.co.uk Tue Jan 23 19:33:12 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Tue, 23 Jan 2007 19:33:12 +0000
Subject: Worrying AVC messages
In-Reply-To: <1169494830.3287.22.camel@moss-spartans.epoch.ncsc.mil>
References: <200701211224.21506.cannewilson@tiscali.co.uk> <200701221859.07395.cannewilson@tiscali.co.uk> <1169494830.3287.22.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200701231933.13136.cannewilson@tiscali.co.uk>

On Monday 22 January 2007 19:40, Stephen Smalley wrote:
> > type=AVC msg=audit(1162463326.809:49): avc: denied { search } for
> > pid=4186 comm="postmap" name="nscd" dev=hdb1 ino=195773
> > scontext=user_u:system_r:postfix_map_t:s0
> > tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1162463326.809:49): arch=40000003 syscall=102
> > success=no exit=-2 a0=3 a1=bf915688 a2=67eff4 a3=4 items=0 ppid=4147
> > pid=4186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > tty=pts5 comm="postmap" exe="/usr/sbin/postmap"
> > subj=user_u:system_r:postfix_map_t:s0 key=(null)
>
> Yes, that shows the security contexts of the source (process) and the
> target (in this case, a directory). audit2allow will turn those
> messages into allow rules, e.g.
> su -
> audit2allow -a -M local
> semodule -i local.pp
>
After reading the man pages I find that I'm no wiser as to what this is doing. I understand the first and last lines, but could you explain how you build the audit2allow line, and what it actually does?

Thanks

Anne
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From sds at tycho.nsa.gov Tue Jan 23 19:58:32 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 23 Jan 2007 14:58:32 -0500 Subject: Worrying AVC messages In-Reply-To: <200701231933.13136.cannewilson@tiscali.co.uk> References: <200701211224.21506.cannewilson@tiscali.co.uk> <200701221859.07395.cannewilson@tiscali.co.uk> <1169494830.3287.22.camel@moss-spartans.epoch.ncsc.mil> <200701231933.13136.cannewilson@tiscali.co.uk> Message-ID: <1169582312.15390.54.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2007-01-23 at 19:33 +0000, Anne Wilson wrote: > On Monday 22 January 2007 19:40, Stephen Smalley wrote: > > > type=AVC msg=audit(1162463326.809:49): avc: denied { search } for > > > pid=4186 comm="postmap" name="nscd" dev=hdb1 ino=195773 > > > scontext=user_u:system_r:postfix_map_t:s0 > > > tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir > > > type=SYSCALL msg=audit(1162463326.809:49): arch=40000003 syscall=102 > > > success=no exit=-2 a0=3 a1=bf915688 a2=67eff4 a3=4 items=0 ppid=4147 > > > pid=4186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > > > tty=pts5 comm="postmap" exe="/usr/sbin/postmap" > > > subj=user_u:system_r:postfix_map_t:s0 key=(null) > > > > Yes, that shows the security contexts of the source (process) and the > > target (in this case, a directory). audit2allow will turn those > > messages into allow rules, e.g. > > su - > > audit2allow -a -M local > > semodule -i local.pp > > > After reading the man pages I find that I'm no wiser as to what this is doing. > I understand the first and last lines, but could you explain how you build > the audit2allow line, and what it actually does? audit2allow is just a filter that reads avc messages and emits policy rules that would allow them. The -a option tells it to check both /var/log/messages and the audit logs for avc messages (using ausearch for processing the audit logs). 
The -M local option tells it to generate a loadable policy module named "local". Upon completion, you should have the following files in the current directory:
1) local.te - the policy source generated by audit2allow based on the avc messages,
2) local.mod - binary representation of the same, created by checkmodule,
3) local.pp - policy package file, containing local.mod and optionally other policy components (but not in this case), created by semodule_package.

The last file is then loadable via semodule -i.
When semodule -i completes, your policy has been updated and loaded into the kernel.

--
Stephen Smalley
National Security Agency

From linux_4ever at yahoo.com Tue Jan 23 22:08:00 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Tue, 23 Jan 2007 14:08:00 -0800 (PST)
Subject: [Fwd: Re: Access attempts]
In-Reply-To: <1169131088.22731.258.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <322520.68308.qm@web51507.mail.yahoo.com>

>No, the avc message is just misleading. The pid/comm information for
>network layer permission checks is unreliable because the packet
>send/recv isn't necessarily happening in the context of the process that
>initiated the send or that will handle the recv.

Seems like this should be fixed. Everything in the audit message needs to be accurate. I think a bug should be filed against the kernel for this.

-Steve
From cannewilson at tiscali.co.uk Wed Jan 24 10:10:16 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Wed, 24 Jan 2007 10:10:16 +0000
Subject: Worrying AVC messages
In-Reply-To: <1169582312.15390.54.camel@moss-spartans.epoch.ncsc.mil>
References: <200701211224.21506.cannewilson@tiscali.co.uk> <200701231933.13136.cannewilson@tiscali.co.uk> <1169582312.15390.54.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200701241010.16284.cannewilson@tiscali.co.uk>

On Tuesday 23 January 2007 19:58, Stephen Smalley wrote:
> audit2allow is just a filter that reads avc messages and emits policy
> rules that would allow them. The -a option tells it to check
> both /var/log/messages and the audit logs for avc messages (using
> ausearch for processing the audit logs). The -M local option tells it
> to generate a loadable policy module named "local". Upon completion,
> you should have the following files in the current directory:
> 1) local.te - the policy source generated by audit2allow based on the
> avc messages,
> 2) local.mod - binary representation of the same, created by
> checkmodule,
> 3) local.pp - policy package file, containing local.mod and optionally
> other policy components (but not in this case), created by
> semodule_package.
>
> The last file is then loadable via semodule -i.
> When semodule -i completes, your policy has been updated and loaded into
> the kernel.

All done, and those three files are in /root. Is that the correct place for them?

If I have understood you correctly, by doing that I have told it to 'approve' the making of rules to deal with all the denials found there. At the moment I don't think there is anything dangerous in the log, but I presume that there are times when you would not want everything added. What happens about those situations?

Anne
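Added example, not code from any participant in this thread: the core of what Stephen Smalley describes above, a filter that reads AVC records and emits one policy rule per source type, target type and object class, written in shell and awk so the transformation from denial to rule is visible. The rule keyword is an argument, so the same denials can also be turned into the dontaudit rules Stephen mentions later in the thread as the alternative when the access is not actually needed. The function names, the awk parsing and the sample input (denials quoted in this thread plus one constructed getattr denial) are this example's own assumptions; the real audit2allow -M additionally resolves type attributes and runs checkmodule and semodule_package to produce the .mod and .pp files, which this does not.

```shell
#!/bin/bash
# Added example for this thread, not the real audit2allow: read AVC denial
# records and print one "allow" (or "dontaudit") rule per (source type,
# target type, object class), merging the permissions seen for each.
# Function and sample names are this example's own assumptions.

avc_to_rules() {
    kw=${1:-allow}
    # Only AVC records carry the contexts; SYSCALL/DAEMON_ROTATE lines are dropped.
    grep 'avc: *denied' | awk -v kw="$kw" '
    # user:role:type[:range] -> type (the third colon-separated field)
    function ctx_type(field,   a, n) {
        sub(/^[st]context=/, "", field)
        n = split(field, a, ":")
        return (n >= 3) ? a[3] : ""
    }
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permissions are listed between the braces after "denied"
        if (match($0, /denied *[{][^}]*[}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/^denied *[{] */, "", perm)
            sub(/ *[}]$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        if (perm == "" || src == "" || tgt == "" || cls == "") next
        # a process acting on its own type is written as "self", as audit2allow does
        if (tgt == src) tgt = "self"
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in order)) order[key] = ++count
        n = split(perm, p, / +/)
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; perms[key] = perms[key] " " p[j] }
    }
    END {
        for (key in order) {
            split(key, k, SUBSEP)
            rule[order[key]] = kw " " k[1] " " k[2] ":" k[3] " {" perms[key] " };"
        }
        for (i = 1; i <= count; i++) print rule[i]
    }'
}

# Constructed sample: denials quoted in this thread, one SYSCALL record the
# filter must ignore, and one made-up getattr denial to show permission merging.
sample_avcs() {
    cat <<'EOF'
type=AVC msg=audit(1162463326.809:49): avc: denied { search } for pid=4186 comm="postmap" name="nscd" dev=hdb1 ino=195773 scontext=user_u:system_r:postfix_map_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1162463326.809:49): arch=40000003 syscall=102 success=no exit=-2 a0=3 a1=bf915688 a2=67eff4 a3=4 items=0 ppid=4147 pid=4186 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 comm="postmap" exe="/usr/sbin/postmap" subj=user_u:system_r:postfix_map_t:s0 key=(null)
type=AVC msg=audit(1169215302.727:10760): avc: denied { execheap } for pid=25241 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1169473909.870:13982): avc: denied { search } for pid=28197 comm="httpd" name="" dev=0:29 ino=23085536 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1169473909.871:13984): avc: denied { getattr } for pid=28197 comm="httpd" name="" dev=0:29 ino=23085536 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1169489443.261:186): avc: denied { read } for pid=4482 comm="smartd" name="hda" dev=tmpfs ino=879 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
EOF
}

# First what an audit2allow-style run would propose, then the dontaudit form
# for the case where the access is not needed and only the noise is unwanted.
sample_avcs | avc_to_rules allow
sample_avcs | avc_to_rules dontaudit
```

The point of looking at the emitted rules before semodule -i is that they are per type, not per process: allow httpd_t self:process { execheap }; gives every process in httpd_t an executable heap, not just the one library that needed it, which is why Stephen suggests a new domain or type when the access should be narrower.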
From sds at tycho.nsa.gov Wed Jan 24 12:49:56 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 24 Jan 2007 07:49:56 -0500
Subject: [Fwd: Re: Access attempts]
In-Reply-To: <322520.68308.qm@web51507.mail.yahoo.com>
References: <322520.68308.qm@web51507.mail.yahoo.com>
Message-ID: <1169642996.15390.76.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-01-23 at 14:08 -0800, Steve G wrote:
> >No, the avc message is just misleading. The pid/comm information for
> >network layer permission checks is unreliable because the packet
> >send/recv isn't necessarily happening in the context of the process that
> >initiated the send or that will handle the recv.
>
> Seems like this should be fixed. Everything in the audit message needs to be
> accurate. I think a bug should be filed against the kernel for this.

Ok, feel free. Requires the network permission checks (in sock_rcv_skb and ip_postroute_last) to pass some kind of flag (e.g. via a new field in the avc_audit_data struct) to the avc to indicate that it shouldn't try to log the pid/comm information for current.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Jan 24 13:13:26 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 24 Jan 2007 08:13:26 -0500
Subject: Worrying AVC messages
In-Reply-To: <200701241010.16284.cannewilson@tiscali.co.uk>
References: <200701211224.21506.cannewilson@tiscali.co.uk> <200701231933.13136.cannewilson@tiscali.co.uk> <1169582312.15390.54.camel@moss-spartans.epoch.ncsc.mil> <200701241010.16284.cannewilson@tiscali.co.uk>
Message-ID: <1169644406.15390.91.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-01-24 at 10:10 +0000, Anne Wilson wrote:
> On Tuesday 23 January 2007 19:58, Stephen Smalley wrote:
> > audit2allow is just a filter that reads avc messages and emits policy
> > rules that would allow them.
The -a option tells it to check > > both /var/log/messages and the audit logs for avc messages (using > > ausearch for processing the audit logs). The -M local option tells it > > to generate a loadable policy module named "local". Upon completion, > > you should have the following files in the current directory: > > 1) local.te - the policy source generated by audit2allow based on the > > avc messages, > > 2) local.mod - binary representation of the same, created by > > checkmodule, > > 3) local.pp - policy package file, containing local.mod and optionally > > other policy components (but not in this case), created by > > semodule_package. > > > > The last file is then loadable via semodule -i. > > When semodule -i completes, your policy has been updated and loaded into > > the kernel. > > All done, and those three files are in /root. Is that the correct place for > them? audit2allow just generates files to the current working directory. Then semodule -i local.pp takes that .pp file's contents and feeds it to libsemanage, which pushes it into the policy module store (under /etc/selinux/targeted/modules) and rebuilds the policy. > If I have understood you correctly, by doing that I have told it to 'approve' > the making of rules to deal with all the denials found there. Correct. > At the moment > I don't think there is anything dangerous in the log, but I presume that > there are times when you would not want everything added. What happens about > those situations? Some of the denials you listed suggested a problem with device node labeling, so those bear investigating. What you have done is put into place a temporary workaround to let your system operate until a correct fix is determined. Ultimately, clean fixes for the underlying issues should go into the upstream policy, which is why it is important to report such denials to this list or the upstream selinux list. 
audit2allow presently has no intelligence to it, but there is work in progress to provide a smarter tool that will help in making decisions.

There are alternatives to directly allowing the denied access, such as:
- if the access isn't truly required for operation, you can just suppress the audit messages via dontaudit rules instead of allow rules,
- you can introduce new domains and/or types for the processes and/or objects involved, so that you only end up allowing access for the specific processes and/or objects rather than everything presently in that domain/type.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Jan 24 13:22:13 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 24 Jan 2007 08:22:13 -0500
Subject: Worrying AVC messages
In-Reply-To: <1169644406.15390.91.camel@moss-spartans.epoch.ncsc.mil>
References: <200701211224.21506.cannewilson@tiscali.co.uk>
	<200701231933.13136.cannewilson@tiscali.co.uk>
	<1169582312.15390.54.camel@moss-spartans.epoch.ncsc.mil>
	<200701241010.16284.cannewilson@tiscali.co.uk>
	<1169644406.15390.91.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1169644933.15390.97.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-01-24 at 08:13 -0500, Stephen Smalley wrote:
> On Wed, 2007-01-24 at 10:10 +0000, Anne Wilson wrote:
> > On Tuesday 23 January 2007 19:58, Stephen Smalley wrote:
> > > audit2allow is just a filter that reads avc messages and emits policy
> > > rules that would allow them. The -a option tells it to check
> > > both /var/log/messages and the audit logs for avc messages (using
> > > ausearch for processing the audit logs). The -M local option tells it
> > > to generate a loadable policy module named "local". Upon completion,
> > > you should have the following files in the current directory:
> > > 1) local.te - the policy source generated by audit2allow based on the
> > > avc messages,
> > > 2) local.mod - binary representation of the same, created by
> > > checkmodule,
> > > 3) local.pp - policy package file, containing local.mod and optionally
> > > other policy components (but not in this case), created by
> > > semodule_package.
> > >
> > > The last file is then loadable via semodule -i.
> > > When semodule -i completes, your policy has been updated and loaded into
> > > the kernel.
> >
> > All done, and those three files are in /root. Is that the correct place for
> > them?
>
> audit2allow just generates files to the current working directory. Then
> semodule -i local.pp takes that .pp file's contents and feeds it to
> libsemanage, which pushes it into the policy module store
> (under /etc/selinux/targeted/modules) and rebuilds the policy.
>
> > If I have understood you correctly, by doing that I have told it to 'approve'
> > the making of rules to deal with all the denials found there.
>
> Correct.
>
> > At the moment
> > I don't think there is anything dangerous in the log, but I presume that
> > there are times when you would not want everything added. What happens about
> > those situations?
>
> Some of the denials you listed suggested a problem with device node
> labeling, so those bear investigating. What you have done is put into
> place a temporary workaround to let your system operate until a correct
> fix is determined. Ultimately, clean fixes for the underlying issues
> should go into the upstream policy, which is why it is important to
> report such denials to this list or the upstream selinux list.
>
> audit2allow presently has no intelligence to it, but there is work in
> progress to provide a smarter tool that will help in making decisions.
> There are alternatives to directly allowing the denied access, such as:
> - if the access isn't truly required for operation, you can just
> suppress the audit messages via dontaudit rules instead of allow rules,
> - you can introduce new domains and/or types for the processes and/or
> objects involved, so that you only end up allowing access for the
> specific processes and/or objects rather than everything presently in
> that domain/type.

Also, I should note that certain allow rules will be automatically rejected due to assertions present in the base policy, so if your audit2allow output happens to include such allow rules, the semodule -i local.pp command will fail with a policy assertion failure. That is one way to catch unsafe rules, by defining a set of assertions in the base policy (but the current set of assertions is by no means exhaustive). There are also hooks in libsemanage to permit other policy checkers/verifiers to be run whenever a module is inserted, and there is work on a policy management server that can apply a meta-policy over policy changes.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Wed Jan 24 13:47:09 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 24 Jan 2007 08:47:09 -0500
Subject: selinux and oracle
Message-ID: <45B7635D.6070701@redhat.com>

Adam Turk wrote:
> Hello again,
>
> I was able to install Oracle 10gR2 on RHEL4U4 with selinux in targeted
> enforcing mode. No selinux messages in /var/log/messages or dmesg. I
> found a couple of scripts that will start and shutdown the database
> and enterprise manager on boot and shutdown. I had a couple of
> problems with this part and I am not sure if selinux is the problem or
> not. Let me explain then I will post the code.
>
> I created a file called oracle in /etc/rc.d/init.d. I ran chkconfig
> oracle reset. I then ran service oracle start. The database wouldn't
> start.
> oracle calls the script dbstart which needs ORACLE_HOME
> defined. If I add a export ORACLE_HOME=/path/to/oracle to dbstart
> everything works. If I remove the export then the database won't
> start. I was under the assumption that when I set ORACLE_HOME in
> oracle it would be able to be used by dbstart. This does not appear
> to be true. Is this a selinux problem, or did I misunderstand
> something? To get the database to start I added the export
> ORACLE_HOME to /etc/profile. Also when I do a init 6 or init 0 the
> oracle service doesn't shutdown i.e. no shutting down oracle
> ................
>
I would doubt this is an SELinux problem. You can always check for avc messages in /var/log/messages. You can also temporarily turn off enforcing mode "setenforce 0", then try it. If it is still broken while SELinux is in permissive mode, it is most likely not an SELinux problem.

> Thanks,
>
>
> #!/bin/bash
> #
> # chkconfig: 35 95 1
> # description: init script to start/stop oracle database 9i, TNS listener, EMS
> #
> # DON'T FORGET TO MODIFY /etc/oratab AND CHANGE THE LAST VARIABLE TO Y
> # chmod 750 this file
> export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1
> export ORACLE_BIN=$ORACLE_HOME/bin
> export ORACLE_SID=jrd
> export LD_LIBRARY_PATH=$ORACLE_HOME/lib
> export ORACLE_USER=oracle
>
> export PATH=$PATH:$ORACLE_BIN
>
> if [ ! -f $ORACLE_BIN/dbstart ]
> then
>     echo "Oracle startup: cannot start"
>     exit
> fi
>
> # see how we are called:
> case $1 in
>     start)
>         su - $ORACLE_USER -c $ORACLE_BIN/dbstart
>         # su - $ORACLE_USER -c "$ORACLE_BIN/emctl start dbconsole"
>         ;;
>     stop)
>         # su - $ORACLE_USER -c "$ORACLE_BIN/emctl stop dbconsole"
>         su - $ORACLE_USER -c $ORACLE_BIN/dbshut
>         ;;
>     *)
>         echo "Usage: $0 {start|stop}"
>         ;;
> esac
>

From dwalsh at redhat.com Wed Jan 24 13:58:14 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 24 Jan 2007 08:58:14 -0500
Subject: httpd and tcp_connect
In-Reply-To: <45B3BDDE.2080903@kobold.org>
References: <45B3BDDE.2080903@kobold.org>
Message-ID: <45B765F6.7030403@redhat.com>

Wart wrote:
> I'm receiving the following avc denial from a game package that's
> under review[1]:
>
> Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc:
> denied { name_connect } for pid=2661 comm="httpd" dest=19382
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> The package includes a php-based web application and a python daemon
> backend. The php webapp communicates with the python daemon through
> tcp sockets.
>
> From the avc denial it appears that this communication fails because
> httpd is not allowed to establish tcp connections. This seems like a
> valid security restriction, except in this case I do want to allow it.
>
> How can I configure the httpd policy to allow tcp connections, but
> only to localhost and only on the python daemon's ports (19380-19383)?
>
> --Wart

Ok this can be fixed in multiple different ways.
One would be to allow httpd to connect to any port

setsebool -P httpd_can_network_connect=1

This would lessen your security, since httpd would now be able to connect to any port

Another would be to add the ports to http_port_t via semanage

semanage port -a -t http_port_t -p tcp 19380-19383

This would be better in that http is allowed to connect to http_port_t by default, but now it can also bind to these additional ports.

The best solution would be to make a loadable policy module, and define a new port, something like

Create a te file like the following

# cat webapp.te
policy_module(webapp, 1.0);

require {
	type httpd_t;
};

type webapp_port_t;
allow httpd_t webapp_port_t:tcp_socket name_connect;

# make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
# semodule -i webapp.pp
# semanage port -a -t webapp_port_t -p tcp 19380-19383

> [1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219972
>

From cannewilson at tiscali.co.uk Wed Jan 24 15:18:27 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Wed, 24 Jan 2007 15:18:27 +0000
Subject: Worrying AVC messages
In-Reply-To: <1169644406.15390.91.camel@moss-spartans.epoch.ncsc.mil>
References: <200701211224.21506.cannewilson@tiscali.co.uk>
	<200701241010.16284.cannewilson@tiscali.co.uk>
	<1169644406.15390.91.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200701241518.27987.cannewilson@tiscali.co.uk>

On Wednesday 24 January 2007 13:13, Stephen Smalley wrote:
>
> Some of the denials you listed suggested a problem with device node
> labeling, so those bear investigating. What you have done is put into
> place a temporary workaround to let your system operate until a correct
> fix is determined. Ultimately, clean fixes for the underlying issues
> should go into the upstream policy, which is why it is important to
> report such denials to this list or the upstream selinux list.
>
Please tell me if I can do anything to help in the way of investigation or testing. As a non-programmer this is the only way I can pay back for the help I get.

Anne

From dwalsh at redhat.com Wed Jan 24 16:52:09 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 24 Jan 2007 11:52:09 -0500
Subject: Worrying AVC messages
In-Reply-To: <200701241518.27987.cannewilson@tiscali.co.uk>
References: <200701211224.21506.cannewilson@tiscali.co.uk>
	<200701241010.16284.cannewilson@tiscali.co.uk>
	<1169644406.15390.91.camel@moss-spartans.epoch.ncsc.mil>
	<200701241518.27987.cannewilson@tiscali.co.uk>
Message-ID: <45B78EB9.5020608@redhat.com>

Anne Wilson wrote:
> On Wednesday 24 January 2007 13:13, Stephen Smalley wrote:
>
>> Some of the denials you listed suggested a problem with device node
>> labeling, so those bear investigating. What you have done is put into
>> place a temporary workaround to let your system operate until a correct
>> fix is determined. Ultimately, clean fixes for the underlying issues
>> should go into the upstream policy, which is why it is important to
>> report such denials to this list or the upstream selinux list.
>>
>>
> Please tell me if I can do anything to help in the way of investigation or
> testing. As a non-programmer this is the only way I can pay back for the
> help I get.
>
> Anne
>
>
There were two different types of avc in your email. The first concerning postfix should be fixed in the next update. Getting the /dev/video1 to come up properly is the other. Something is wrong in the way you are telling udev to create these devices; unfortunately I have no idea how to fix it.
From dwalsh at redhat.com Wed Jan 24 17:23:32 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 24 Jan 2007 12:23:32 -0500
Subject: chcat problem
In-Reply-To: <1169573768.45b64788f2a80@imp.free.fr>
References: <1169573768.45b64788f2a80@imp.free.fr>
Message-ID: <45B79614.1070908@redhat.com>

pandalists at free.fr wrote:
> Hi,
>
> I am currently trying to teach myself SELinux on a Fedora FC6 box (VMware),
> configured with the strict policy running in permissive mode.
>
> I followed the instructions provided on
> http://james-morris.livejournal.com/8228.html to play with MCS functions, but I
> get an error when I try to assign a category "Public" to an unprivileged user
> "foo" with the chcat command (as root, with sysadm role)
>
> -----------------------------------------------
> # chcat -l -- +Public foo
>
> libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
> libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
> libsemanage.dbase_llist_iterate: could not iterate over records
> -----------------------------------------------
>
>
Looks like a bug. Does

chcon -l -- +s0:c0 foo

work?

> Other techniques to achieve the same result (e.g. trying to assign this category
> with semanage) lead to the same error.
>
> -----------------------------------------------
> # semanage login -l
> __default__    user_u      s0
> foo            user_u      s0
> root           root        SystemLow-SystemHigh
> system_u       system_u    SystemLow-SystemHigh
>
> # semanage user -l
> root       sysadm   s0   SystemLow-SystemHigh   system_r sysadm_r staff_r
> staff_u    staff    s0   SystemLow-SystemHigh   sysadm_r staff_r
> sysadm_u   sysadm   s0   SystemLow-SystemHigh   sysadm_r
> system_u   user     s0   SystemLow-SystemHigh   system_r
> user_u     user     s0   s0                     user_r
> -----------------------------------------------
>
> My setrans.conf file contains :
>
> s0:c0=Public
> s0:c1=Confidential
> s0:c2=Secret
> s0:c3=TopSecret
>
> Any idea?
>
>
> Apart from that, setting a category on a non-existing file leads to a
> segmentation fault :
> # chcat -- +Public doesnotexist.txt
> Segmentation fault
>
>
libselinux python binding has a bug. Fixed in libselinux-1.33.4-3.el5, libselinux-1.34.0-3.fc7

> Thanks for your help,
>
> Ben
>

From cannewilson at tiscali.co.uk Wed Jan 24 18:50:29 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Wed, 24 Jan 2007 18:50:29 +0000
Subject: Worrying AVC messages
In-Reply-To: <45B78EB9.5020608@redhat.com>
References: <200701211224.21506.cannewilson@tiscali.co.uk>
	<200701241518.27987.cannewilson@tiscali.co.uk>
	<45B78EB9.5020608@redhat.com>
Message-ID: <200701241850.34411.cannewilson@tiscali.co.uk>

On Wednesday 24 January 2007 16:52, Daniel J Walsh wrote:
>
> There were two different types of avc in your email. The first
> concerning postfix should be fixed in the next update. Getting the
> /dev/video1 to come up properly is the other. Something is wrong in
> the way you are telling udev to create these devices, unfortunately I
> have no idea, how to fix.
>
/dev/video1 isn't a problem. There's the usual issue of which order the video*s are allocated, and I tried to create udev rules to handle this.
One works, one doesn't.

This works:

KERNEL=="video*", SYSFS{model}=="Pixart PAC207-BCA", SYMLINK+="webcam"

and /dev/webcam points to the correct /dev/video*, whichever one matches the model.

This doesn't - the /dev/DC10+ never gets created:

KERNEL=="video*", SUBSYSTEM=="video4linux", SYSFS{name}=="DC10plus_0_", SYSFS{dev}=="81:1", SYMLINK+="DC10plus", GROUP="video"

This is a pci capture card. The definitions were taken directly from udevinfo.

I've read until my eyes closed, without getting any further with this. I can live with the situation, but I'd love to have it really working. I appreciate that you are all very busy people, but as I said before, if I can help, I will.

Anne

From bofh1234 at hotmail.com Wed Jan 24 19:48:39 2007
From: bofh1234 at hotmail.com (Adam Turk)
Date: Wed, 24 Jan 2007 14:48:39 -0500
Subject: selinux and oracle
In-Reply-To: <45B7635D.6070701@redhat.com>

>From: Daniel J Walsh
>>Adam Turk wrote:
>>Hello again,
>>
>>I was able to install Oracle 10gR2 on RHEL4U4 with selinux in targeted
>>enforcing mode. No selinux messages in /var/log/messages or dmesg. I
>>found a couple of scripts that will start and shutdown the database and
>>enterprise manager on boot and shutdown. I had a couple of problems with
>>this part and I am not sure if selinux is the problem or not. Let me
>>explain then I will post the code.
>>
>>I created a file called oracle in /etc/rc.d/init.d. I ran chkconfig
>>oracle reset. I then ran service oracle start. The database wouldn't
>>start. orac
le calls the script dbstart which needs ORACLE_HOME defined.
>>If I add a export ORACLE_HOME=/path/to/oracle to dbstart everything works.
>>If I remove the export then the database won't start. I was under the
>>assumption that when I set ORACLE_HOME in oracle it would be able to be
>>used by dbstart. This does not appear to be true. Is this a selinux
>>problem, or did I misunderstand something? To get the database to start I
>>added the export ORACLE_HOME to /etc/profile. Also when I do a init 6 or
>>init 0 the oracle service doesn't shutdown i.e. no shutting down oracle
>>................
>>
>I would doubt this is an SELinux problem. You can always check for avc
>messages in /var/log/messages. You can also temporarily turn off enforcing
>mode "setenforce 0", then try it. If it is still broken while SELinux is
>in permissive mode, it is most likely not an SELinux problem.

SELinux is not causing the environment variable problem I described. I will leave the ORACLE_HOME in /etc/profile and call it done.

On a side note, shouldn't selinux messages go into a /var/log/selinux file instead of messages?

Thanks,

From dwalsh at redhat.com Wed Jan 24 21:26:52 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 24 Jan 2007 16:26:52 -0500
Subject: selinux and oracle
Message-ID: <45B7CF1C.2050002@redhat.com>

Adam Turk wrote:
>> From: Daniel J Walsh
>>> Adam Turk wrote:
>>> Hello again,
>>>
>>> I was able to install Oracle 10gR2 on RHEL4U4 with selinux in
>>> targeted enforcing mode. No selinux messages in /var/log/messages
>>> or dmesg. I found a couple of scripts that will start and shutdown
>>> the database and enterprise manager on boot and shutdown. I had a
>>> couple of problems with this part and I am not sure if selinux is
>>> the problem or not. Let me explain then I will post the code.
>>>
>>> I created a file called oracle in /etc/rc.d/init.d. I ran chkconfig
>>> oracle reset. I then ran service oracle start. The database
>>> wouldn't start. oracle calls the script dbstart which needs
>>> ORACLE_HOME defined.
>>> If I add a export ORACLE_HOME=/path/to/oracle
>>> to dbstart everything works. If I remove the export then the
>>> database won't start. I was under the assumption that when I set
>>> ORACLE_HOME in oracle it would be able to be used by dbstart. This
>>> does not appear to be true. Is this a selinux problem, or did I
>>> misunderstand something? To get the database to start I added the
>>> export ORACLE_HOME to /etc/profile. Also when I do a init 6 or init
>>> 0 the oracle service doesn't shutdown i.e. no shutting down oracle
>>> ................
>>>
>> I would doubt this is an SELinux problem. You can always check for
>> avc messages in /var/log/messages. You can also temporarily turn off
>> enforcing mode "setenforce 0", then try it. If it is still broken
>> while SELinux is in permissive mode, it is most likely not an SELinux
>> problem.
>
> SELinux is not causing the environment variable problem I described.
> I will leave the ORACLE_HOME in /etc/profile and call it done.
>
> On a side note, shouldn't selinux messages go into a /var/log/selinux
> file instead of messages?
>
In RHEL5 they go to /var/log/audit/audit.log if auditing is turned on.

> Thanks,
>

From dwalsh at redhat.com Wed Jan 24 21:28:29 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 24 Jan 2007 16:28:29 -0500
Subject: Worrying AVC messages
In-Reply-To: <200701241850.34411.cannewilson@tiscali.co.uk>
References: <200701211224.21506.cannewilson@tiscali.co.uk>
	<200701241518.27987.cannewilson@tiscali.co.uk>
	<45B78EB9.5020608@redhat.com>
	<200701241850.34411.cannewilson@tiscali.co.uk>
Message-ID: <45B7CF7D.7070200@redhat.com>

Anne Wilson wrote:
> On Wednesday 24 January 2007 16:52, Daniel J Walsh wrote:
>
>> There were two different types of avc in your email. The first
>> concerning postfix should be fixed in the next update. Getting the
>> /dev/video1 to come up properly is the other. Something is wrong in
>> the way you are telling udev to create these devices, unfortunately I
>> have no idea, how to fix.
>>
>>
> /dev/video1 isn't a problem. There's the usual issue of which order the
> video*s are allocated, and I tried to create udev rules to handle this. One
> works, one doesn't.
>
> This works:
>
> KERNEL=="video*", SYSFS{model}=="Pixart PAC207-BCA", SYMLINK+="webcam"
>
> and /dev/webcam points to the correct /dev/video*, whichever one matches the
> model.
>
> This doesn't - the /dev/DC10+ never gets created:
>
> KERNEL=="video*", SUBSYSTEM=="video4linux", SYSFS{name}=="DC10plus_0_",
> SYSFS{dev}=="81:1", SYMLINK+="DC10plus", GROUP="video"
>
> This is a pci capture card. The definitions were taken directly from
> udevinfo.
>
> I've read until my eyes closed, without getting any further with this. I can
> live with the situation, but I'd love to have it really working. I
> appreciate that you are all very busy people, but as I said before, if I can
> help, I will.
>
>
Yes, I think you would be better off asking at the fedora-list rather than here. More people would understand udev there.
> Anne
>

From cannewilson at tiscali.co.uk Wed Jan 24 21:52:31 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Wed, 24 Jan 2007 21:52:31 +0000
Subject: Worrying AVC messages
In-Reply-To: <45B7CF7D.7070200@redhat.com>
References: <200701211224.21506.cannewilson@tiscali.co.uk>
	<200701241850.34411.cannewilson@tiscali.co.uk>
	<45B7CF7D.7070200@redhat.com>
Message-ID: <200701242152.31732.cannewilson@tiscali.co.uk>

On Wednesday 24 January 2007 21:28, Daniel J Walsh wrote:
>
> Yes, I think you would be better off asking at the fedora-list rather
> than here. More people would understand udev there.
>
It seems not. But thanks to all for the help so far.

Anne

From ejtr at layer3.co.uk Wed Jan 24 22:56:25 2007
From: ejtr at layer3.co.uk (Ted Rule)
Date: Wed, 24 Jan 2007 22:56:25 +0000
Subject: Cron mail problem with FC6/strict
In-Reply-To: <1169498867.15056.9.camel@sgc.columbia.tresys.com>
References: <1169420723.3503.10.camel@topaz.bugfinder.co.uk>
	<1169498867.15056.9.camel@sgc.columbia.tresys.com>
Message-ID: <1169679385.3570.4.camel@topaz.bugfinder.co.uk>

On Mon, 2007-01-22 at 15:47 -0500, Christopher J. PeBenito wrote:
> On Sun, 2007-01-21 at 23:05 +0000, Ted Rule wrote:
> > A little while ago, I found that anacron wasn't running correctly under
> > FC6/strict, which led me to add a temporary fixup .te for its operation.
> > Once I had that in place, I finally received the cron.daily and logwatch
> > Emails every day shortly after bootup.
> >
> > With that in place, I recently took to leaving the machine powered
> > overnight, which of course led to all the Cron jobs running via crond
> > instead of anacron.
> >
> > Oddly, I noticed that the logwatch Email arrived, but NOT the cron.daily
> > summary Email.
> >
> > Looking further, I found this odd avc:
> >
> > Jan 21 21:29:51 topaz kernel: audit(1169414991.423:988): avc: denied
> > { entrypoint } for pid=4891 comm="crond" name="sendmail.sendmail"
> > dev=hda6 ino=1313020
> > scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> >
> > i.e. the crond child process running in system_crond_t was apparently
> > unable to run sendmail.
>
> Is this supposed to be cron emailing the output of the cron jobs or the
> cron job itself emailing something?

The former: my tests so far indicate that the latter seems to work Ok.

From what I can deduce in the source, I believe that crond starts in crond_t, forks a crond child, which it then setexeccon's into system_crond_t to run the Job. This, in turn, forks a sendmail process to pick up the stdout/stderr from the Job, and also forks another process - the Job itself. As a result, you end up with something like this:

101 crond_t          crond
102 system_crond_t    \ crond
103 system_crond_t       \ cron-job-script
104 system_mail_t        \ sendmail

where stdout/stderr from the cron-job-script are routed into the sendmail stdin, with email subject line and other parameters injected from pid 102.

I also believe that pid 104 is not created at all until some output is generated by pid 103 - hence silent Cron Jobs don't create the avc denials for sendmail.

sendmail directly launched by pid 103 is Ok according to my tests, but seemingly sendmail launched by pid 102 gronks.
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

From dblistsub-fedora at yahoo.it Wed Jan 24 22:48:43 2007
From: dblistsub-fedora at yahoo.it (Davide Bolcioni)
Date: Wed, 24 Jan 2007 23:48:43 +0100
Subject: tzdata-update AVC caused by pam_console ?
Message-ID: <200701242348.43255.dblistsub-fedora@yahoo.it>

Greetings,
I am investigating the following AVCs

Jan 6 18:12:25 camelot kernel: audit(1168103545.309:4): avc: denied { use } for pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 scontext=root:system_r:tzdata_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
Jan 6 18:12:25 camelot kernel: audit(1168103545.310:5): avc: denied { use } for pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 scontext=root:system_r:tzdata_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd

which occurred when updating tzdata just after upgrading from Fedora Core 5 to Fedora Core 6. During the same update I also encountered

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222179

but I did not see the above two lines mentioned (the inode 1745 matched /dev/tty1 at the time). I just tried running tzdata-update from an xterm and when logged at the console, but the above no longer happens. At present I have:

$ ls -lZ /dev/tty1
crw--w---- root tty root:object_r:tty_device_t /dev/tty1

so I wonder if the above just got fixed in the meantime or there is some interaction with pam_console using different labeling from what the policy expects - I was running in runlevel 1 at the time.

Thank you for your consideration,
Davide Bolcioni

--
There is no place like /home.

From selinux at gmail.com Thu Jan 25 00:39:27 2007
From: selinux at gmail.com (Tom London)
Date: Wed, 24 Jan 2007 16:39:27 -0800
Subject: console-kit-domain
Message-ID: <4c4ba1530701241639x24b6f1e4x4965177dc440b5de@mail.gmail.com>

Running latest rawhide, targeted/enforcing.

'console-kit-daemon' is running as initrc_t. I'm getting the following AVC:

type=USER_AVC msg=audit(1169660835.581:34): user pid=2558 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=3363 tpid=3018 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

[root at localhost ~]# ls -lZ /usr/sbin/console*
-rwxr-xr-x root root system_u:object_r:sbin_t /usr/sbin/console-kit-daemon
[root at localhost ~]#

Should /usr/sbin/console-kit-daemon be xdm_exec_t ?

tom

[Not sure how to BZ this.... ConsoleKit package is not listed in bugzilla.]

--
Tom London

From ejtr at layer3.co.uk Thu Jan 25 10:07:08 2007
From: ejtr at layer3.co.uk (Ted Rule)
Date: Thu, 25 Jan 2007 10:07:08 +0000
Subject: anacron under FC6/SELinux/strict
In-Reply-To: <1168272461.3569.37.camel@topaz.bugfinder.co.uk>
References: <1168209454.3534.20.camel@topaz.bugfinder.co.uk>
	<1168255768.3638.19.camel@topaz.bugfinder.co.uk>
	<1168268331.3569.7.camel@topaz.bugfinder.co.uk>
	<1168272461.3569.37.camel@topaz.bugfinder.co.uk>
Message-ID: <1169719629.3575.12.camel@topaz.bugfinder.co.uk>

Since my last workaround for this, I've updated to selinux-policy-strict-2.4.6-27, and I've also found another side-effect, which I had previously overlooked; the /etc/cron.daily/0anacron script needs to run anacron itself so that crond can effectively update anacron's timestamp files in /var/spool/anacron. Default policy would allow for this, but because I'd relabelled anacron itself, I needed to add:

can_exec(system_crond_t, anacron_exec_t)

Similarly, the latest default policy already contains some of the .fc fixes I needed.

Hence my revised anacron policy is now the following - together with the manual relabelling of /usr/sbin/anacron itself to anacron_exec_t.
cat /root/selinux.local/localanacron.fc
# anacrond executable will have:
# label: system_u:object_r:anacron_exec_t
# MLS sensitivity: s0
# MCS categories:

# We cant easily override the /usr/sbin/anacron setting in Fedora policy,
# so we create a clone binary and label as anacron_exec_t
/usr/sbin/anacrond	--	gen_context(system_u:object_r:anacron_exec_t,s0)

# The latest 2.4.6-23 policy already contains this:
#/var/lock/subsys/anacron	--	gen_context(system_u:object_r:cron_lock_t,s0)

# The latest 2.4.6-23 policy already contains this:
#/var/spool/anacron(/.*)?	gen_context(system_u:object_r:cron_spool_t,s0)

cat /root/selinux.local/localanacron.te
policy_module(localanacron,0.1.2)

require {
	type system_crond_t;
	type system_crond_lock_t;
	type cron_spool_t;
	type crond_var_run_t;
}

########################################
#
# Anacron local policy
#

type anacron_exec_t;
corecmd_executable_file(anacron_exec_t)

# anacron transitions directly to system_crond_t,
# rather than crond_t because it doesnt currently
# perform a setexeccon internally
init_daemon_domain(system_crond_t,anacron_exec_t)

# Additional permissions for system_crond_t / anacron under
# strict, when system_crond_t != crond_t
ifdef(`strict_policy',`
	# Allow anacron to update spool files in /var/spool/anacron
	allow system_crond_t cron_spool_t:file create_file_perms;

	# Allow anacron to write to /var/run/anacron.pid
	allow system_crond_t crond_var_run_t:file create_file_perms;
	files_pid_filetrans(system_crond_t,crond_var_run_t,file)

	# Allow anacron to handle creation of files in the
	# /var/lock directory. (anacron)
	allow system_crond_t system_crond_lock_t:file manage_file_perms;
	files_lock_filetrans(system_crond_t,system_crond_lock_t,file)

	# Allow crond to run anacron so as to update /var/spool/anacron
	# timestamp files
	can_exec(system_crond_t, anacron_exec_t)
')

FWIW, I've created BZ#224328 noting the problem and this patch.

On Mon, 2007-01-08 at 16:07 +0000, Ted Rule wrote:
> I've patched my local FC6 strict policy to accommodate the use of
> anacron; as the machine is generally powered off overnight, anacron gets
> far more usage than crond. The FC6 strict policy,
> selinux-policy-2.4.6-17.fc6.noarch.rpm, appeared to fail to run the
> overnight jobs in the correct domains.
>
> Whilst investigating the issue, I noted the following:
>
> crond starts up in crond_t, but seemingly transitions itself to
> system_crond_t via setexeccon().
>
> anacron is also started in crond_t, but doesn't bother to call
> setexeccon(), and hence remains forever in crond_t.
>
> Under targeted policy only, crond_t is a typealias for system_crond_t
>
> The various auto-transitions to logrotate_t, logwatch_t and so on, are
> apparently linked to system_crond_t rather than crond_t. Hence
> anacron jobs never transition to system_crond_t, unless the policy is
> targeted, in which case anacron is already in system_crond_t by virtue
> of the typealias.
>
> The fcron package in Extras appears to have sufficient functionality to
> replace both anacron and cron, and also knows about setexeccon(), but I
> didn't investigate this further.
>
> The nsarefpolicy contains a separate transition from initrc_t to
> system_crond_t for anacron_exec_t, but the latest FC6 policy,
> (selinux-policy-2.4.6-17.fc6.noarch.rpm), has both the anacron_exec_t
> definition and the alternative transition patched out.
>
> The latest rawhide policy contains some additional fixes for anacron
> covering /var/spool/anacron and /var/lock usage, but not the
> anacron_exec_t definition or the initrc_t -> system_crond_t transition.
>
> Because the cron.fc already defines a label for /usr/sbin/anacron, I've
> manually labelled /usr/sbin/anacron to anacron_exec_t for the present.
> Obviously this label will be undone by any /.autorelabel I'm forced to
> invoke, until such time as this patch, or an equivalent fix, is
> released.
>
> My current patch module, incorporating the cron fixes already in
> selinux-policy-2.4.6-21.fc6.noarch.rpm, is as below. The ifdef strict
> clause at the end avoids a double definition of the same policy on
> targeted where crond_t and system_crond_t are the same thing.
>
> I guess that in an ideal world, anacron itself would be patched to
> launch all its child jobs in system_crond_t, further emulating crond's
> behaviour, and thereby avoiding this fixup.
>
>
> [root at topaz ~]# cat /root/selinux.local/localanacron.fc
> # anacrond executable will have:
> # label: system_u:object_r:anacron_exec_t
> # MLS sensitivity: s0
> # MCS categories:
>
> # We cant easily override the /usr/sbin/anacron setting in Fedora policy, so we create
> # a clone binary and label as anacron_exec_t
> /usr/sbin/anacrond	--	gen_context(system_u:object_r:anacron_exec_t,s0)
>
> /var/lock/subsys/anacron	--	gen_context(system_u:object_r:system_crond_lock_t,s0)
> /var/spool/anacron(/.*)?	gen_context(system_u:object_r:cron_spool_t,s0)
> [root at topaz ~]#
>
>
> [root at topaz ~]# cat /root/selinux.local/localanacron.te
>
> policy_module(localanacron,0.1.1)
>
> require {
> 	type system_crond_t;
> 	type system_crond_lock_t;
> 	type cron_spool_t;
> 	type crond_var_run_t;
> }
>
> ########################################
> #
> # Anacron local policy
> #
>
> type anacron_exec_t;
> corecmd_executable_file(anacron_exec_t)
>
> # anacron transitions directly to system_crond_t,
> # rather than crond_t because it doesnt currently
> # perform a setexeccon internally
> init_daemon_domain(system_crond_t,anacron_exec_t)
>
> # Allow anacron to update spool files in /var/spool/anacron
> allow system_crond_t cron_spool_t:file create_file_perms;
>
> # This is to handle creation of files in /var/lock directory. (anacron)
> allow system_crond_t system_crond_lock_t:file create_file_perms;
> files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
>
> # Allow anacron to write to /var/run/anacron.pid
> ifdef(`strict_policy',`
> 	allow system_crond_t crond_var_run_t:file create_file_perms;
> 	files_pid_filetrans(system_crond_t,crond_var_run_t,file)
> ')
> [root at topaz ~]#
>

--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

From pandalists at free.fr Thu Jan 25 13:38:18 2007
From: pandalists at free.fr (pandalists at free.fr)
Date: Thu, 25 Jan 2007 14:38:18 +0100
Subject: chcat problem
In-Reply-To: <45B79614.1070908@redhat.com>
References: <1169573768.45b64788f2a80@imp.free.fr>
	<45B79614.1070908@redhat.com>
Message-ID: <1169732298.45b8b2caea688@imp.free.fr>

> > -----------------------------------------------
> > # chcat -l -- +Public foo
> >
> > libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user foo exceeds allowed range s0 for SELinux user user_u
> > libsemanage.validate_handler: seuser mapping [foo -> (user_u, s0-s0:c0)] is invalid
> > libsemanage.dbase_llist_iterate: could not iterate over records
> > -----------------------------------------------
> >
>
> Looks like a bug. Does
>
> chcon -l -- +s0:c0 foo
> work?

That doesn't work either. However, I have applied the patch you sent on the list (policycoreutils-chcat.patch). I do not have the error anymore, but it _seems_ that categories are not assigned to the users :

# chcat -l +Public foo
# chcat -L -l foo
foo: s0

Ben

From dwalsh at redhat.com Thu Jan 25 13:21:07 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 25 Jan 2007 08:21:07 -0500
Subject: tzdata-update AVC caused by pam_console ?
In-Reply-To: <200701242348.43255.dblistsub-fedora@yahoo.it>
References: <200701242348.43255.dblistsub-fedora@yahoo.it>
Message-ID: <45B8AEC3.9030905@redhat.com>

Davide Bolcioni wrote:
> Greetings,
> I am investigating the following AVCs
>
> Jan 6 18:12:25 camelot kernel: audit(1168103545.309:4): avc: denied { use } for pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 scontext=root:system_r:tzdata_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
> Jan 6 18:12:25 camelot kernel: audit(1168103545.310:5): avc: denied { use } for pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 scontext=root:system_r:tzdata_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
>
> which occurred when updating tzdata just after upgrading from Fedora Core 5 to Fedora Core 6. During the same update I also encountered
>
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=222179
>
> but I did not see the above two lines mentioned (the inode 1745 matched /dev/tty1 at the time). I just tried running tzdata-update from an xterm and when logged at the console, but the above no longer happens. At present I have:
>
> $ ls -lZ /dev/tty1
> crw--w---- root tty root:object_r:tty_device_t /dev/tty1
>
> so I wonder if the above just got fixed in the meantime or there is some interaction with pam_console using different labeling from what the policy expects - I was running in runlevel 1 at the time.
>
>
This indicates that you logged in on a terminal and somehow restarted tzdata, which tried to access the open file descriptor hooked to the terminal. I have added a locallogin_dontaudit_use_fds(tzdata_t) to the next policy update.
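What audit2allow does with a denial like the two above, shown as an added example that is not code from this thread or from policycoreutils: a small Python AVC parser that pulls the source type, target type, object class and permissions out of each record and merges records that share a (source, target, class) triple into one candidate allow or dontaudit rule. The first two sample records are the tzdata-update denials quoted above; the remaining records, the example_t domain and the resulting rules are constructed for this example.

```python
"""Turn SELinux AVC denial records into candidate policy rules.

Added example (not from the thread or from policycoreutils): the core of
what audit2allow does, so the path from a denial to a rule is visible.
"""
import re

# Matches both the syslog form ("... kernel: audit(...): avc: denied ...")
# and the auditd form ("type=AVC msg=audit(...): avc: denied ...").
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
# key=value pairs after "for"; values are either quoted or bare tokens.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_RECORDS = [
    # The two tzdata-update denials quoted in this thread (syslog form).
    'Jan 6 18:12:25 camelot kernel: audit(1168103545.309:4): avc: denied { use } for pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 scontext=root:system_r:tzdata_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd',
    'Jan 6 18:12:25 camelot kernel: audit(1168103545.310:5): avc: denied { use } for pid=2302 comm="tzdata-update" name="tty1" dev=tmpfs ino=1745 scontext=root:system_r:tzdata_t:s0-s0:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd',
    # Constructed: the SYSCALL record that accompanies an AVC; it carries no denial and must be skipped.
    'type=SYSCALL msg=audit(1169000000.100:42): arch=40000003 syscall=5 success=no exit=-13 comm="exampled" exe="/usr/sbin/exampled" subj=system_u:system_r:example_t:s0 key=(null)',
    # Constructed: two file denials for one (source, target, class) triple (auditd form).
    'type=AVC msg=audit(1169000000.100:42): avc: denied { read } for pid=4242 comm="exampled" name="example.conf" dev=dm-0 ino=77 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1169000000.101:43): avc: denied { getattr } for pid=4242 comm="exampled" path="/etc/example.conf" dev=dm-0 ino=77 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]


def parse_avc(line):
    """Return perms, source type, target type, class and comm for one AVC
    record, or None for anything that is not a denial."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:range]; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": perms, "stype": stype, "ttype": ttype,
            "tclass": tclass, "comm": fields.get("comm", "?")}


def build_rules(lines, kind="allow"):
    """Merge denials that share (source, target, class) and render one
    rule per triple. kind is "allow" or "dontaudit"."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    merged = {}  # insertion order is preserved, so output follows the log
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms = merged.setdefault(key, [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("%s %s %s:%s %s;" % (kind, stype, ttype, tclass, body))
    return rules


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_RECORDS):
        print(rule)
```

The kind argument is there because the mechanical allow rule is not always the right fix: tzdata-update has no business using an inherited terminal descriptor, so the thread's answer is a dontaudit (which is what locallogin_dontaudit_use_fds expands to), silencing the record without granting the access. Reading the rule the parser produces is the point at which to make that call.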
> Thank you for your consideration,
> Davide Bolcioni
>

From dwalsh at redhat.com Thu Jan 25 13:22:49 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 25 Jan 2007 08:22:49 -0500
Subject: console-kit-domain
In-Reply-To: <4c4ba1530701241639x24b6f1e4x4965177dc440b5de@mail.gmail.com>
References: <4c4ba1530701241639x24b6f1e4x4965177dc440b5de@mail.gmail.com>
Message-ID: <45B8AF29.4050001@redhat.com>

Tom London wrote:
> Running latest rawhide, targeted/enforcing.
>
> 'console-kit-daemon' is running as initrc_t.
>
> I'm getting the following AVC:
>
> type=USER_AVC msg=audit(1169660835.581:34): user pid=2558 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=3363 tpid=3018 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>
> [root at localhost ~]# ls -lZ /usr/sbin/console*
> -rwxr-xr-x root root system_u:object_r:sbin_t /usr/sbin/console-kit-daemon
> [root at localhost ~]#
>
> Should /usr/sbin/console-kit-daemon be xdm_exec_t ?
>
> tom
>
> [Not sure how to BZ this.... ConsoleKit package is not listed in bugzilla.]

I don't know what ConsoleKit is? Is it a replacement for xdm? Still running in RHEL5, until GA so I am a little behind on my Rawhide use.

From sds at tycho.nsa.gov Thu Jan 25 13:28:06 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 25 Jan 2007 08:28:06 -0500
Subject: console-kit-domain
In-Reply-To: <45B8AF29.4050001@redhat.com>
References: <4c4ba1530701241639x24b6f1e4x4965177dc440b5de@mail.gmail.com> <45B8AF29.4050001@redhat.com>
Message-ID: <1169731686.15390.242.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-01-25 at 08:22 -0500, Daniel J Walsh wrote:
> Tom London wrote:
> > Running latest rawhide, targeted/enforcing.
> >
> > 'console-kit-daemon' is running as initrc_t.
> >
> > I'm getting the following AVC:
> >
> > type=USER_AVC msg=audit(1169660835.581:34): user pid=2558 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=3363 tpid=3018 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> >
> > [root at localhost ~]# ls -lZ /usr/sbin/console*
> > -rwxr-xr-x root root system_u:object_r:sbin_t /usr/sbin/console-kit-daemon
> > [root at localhost ~]#
> >
> > Should /usr/sbin/console-kit-daemon be xdm_exec_t ?
> >
> > tom
> >
> > [Not sure how to BZ this.... ConsoleKit package is not listed in bugzilla.]
> I don't know what ConsoleKit is? Is it a replacement for xdm? Still running in RHEL5, until GA so I am a little behind on my Rawhide use.

Described as a "system-wide service that tracks users, sessions, and seats." Dependency of multi-seat and fast user switching support. See:
http://fedoraproject.org/wiki/Desktop/FastUserSwitching

From dsugar at tresys.com Thu Jan 25 21:21:54 2007
From: dsugar at tresys.com (Dave Sugar)
Date: Thu, 25 Jan 2007 16:21:54 -0500
Subject: ANN: SELinux Policy IDE (SLIDE)
Message-ID: <1169760114.14483.2.camel@localhost.localdomain>

Version 1.0 of the SELinux Policy IDE (SLIDE) from Tresys is now available for download from the Tresys Open Source website at http://oss.tresys.com.

SLIDE is an Eclipse plug-in that integrates with the SELinux Reference Policy to provide a development environment for building SELinux policy.

SLIDE features:

* A graphical user interface for policy development, including policy syntax highlighting, context suggestions, and integrated compilation.
* Integration with SELinux Reference Policy, including quick lookup and documentation for interfaces.
* Wizards and easy to use templates to automate common tasks from creating a new SELinux policy to adding an interface into an existing module.
* Integrated remote policy installation and audit log monitoring, to facilitate policy testing.
* Seamless integration with the power of standard Eclipse.

Version 1.0 highlights:

* Integration of online help into the SLIDE plugin.
* Display of distinct icon for disabled modules.
* Improved documentation on the open source web site.

If you would like to contribute, currently the best help would be to test and provide feedback on the SLIDE plugin and SLIDE Remote.

From wart at kobold.org Fri Jan 26 06:03:47 2007
From: wart at kobold.org (Wart)
Date: Thu, 25 Jan 2007 22:03:47 -0800
Subject: httpd and tcp_connect
In-Reply-To: <45B765F6.7030403@redhat.com>
References: <45B3BDDE.2080903@kobold.org> <45B765F6.7030403@redhat.com>
Message-ID: <45B999C3.8030202@kobold.org>

Daniel J Walsh wrote:
> The best solution would be to make a loadable policy module, and define a new port, something like
>
> Create a te file like the following
>
> #cat webapp.te
> policy_module(webapp, 1.0);
>
> require {
>         type httpd_t;
>
> };
>
> type webapp_port_t;
>
> allow httpd_t webapp_port_t:tcp_socket name_connect;
> # make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
> # semodule -i webapp.pp
> # semanage port -a -t webapp_port_t -p tcp 19380-19383

Thanks for the tip. This worked just fine. Now that I have a working policy for this server + web application, I'm trying to get it all packaged up nicely. I've got a policy that works, but to package it properly I'd have to split up rules between the webapp component and the server component, with dependencies between them. I'm sure with some more work I could do this, but it starts to become trickier to package.
It seems like it would be much easier to manage if it were all part of the upstream selinux reference policy instead. What is the best way to go about submitting new policies to be included in the reference policy?

--Mike

From galaxy4sale at gmail.com Fri Jan 26 17:18:01 2007
From: galaxy4sale at gmail.com (bx)
Date: Fri, 26 Jan 2007 12:18:01 -0500
Subject: SELinux Policy/Flask Classes from scratch
Message-ID: <4fd2719c0701260918n3b7ba69fn50270a8d116b5291@mail.gmail.com>

Hello,
Let me apologize if this is the wrong place to ask this question, but I figure that those well versed in SELinux can help me. I have been reading a ton about SELinux and Flask, and I haven't found anything that answered my question.

I am working on creating a security policy from scratch and followed the tutorial the IBM published (http://www-128.ibm.com/developerworks/linux/library/l-selinux.html). After taking a look at the bare bones policy.conf file it generated, it got me thinking- I don't need to have something as granular as SELinux allows me to be. In fact it would simplify things if I could change the granularity. How would SELinux be affected if I were to remove some of the class definitions and took anything that referred to those classes out of my policy? Would SELinux just not enforce anything on those types of objects, would SELinux completely disallow all use of those objects or would it just break SELinux?

Thank you for your time and help,
Rebecca

From wart at kobold.org Fri Jan 26 17:36:03 2007
From: wart at kobold.org (Michael Thomas)
Date: Fri, 26 Jan 2007 09:36:03 -0800
Subject: script executables
Message-ID: <45BA3C03.1080606@kobold.org>

I'm working on selinux protection for a python script daemon that is started inside of an init.d script. Inside the init.d script the python daemon is invoked as:

python myscript.py --daemon --pid=... --log=...

I'd like to have this process run under its own domain. The worst thing I could do is to relabel python with that domain, but that would just be really bad and sloppy, and not really an option.

Another option that I've gotten to work is to use a wrapper shell script to invoke the python commands. The init.d script invokes the wrapper script, which is labeled with the desired domain.

But I was wondering if there was another way to get myscript.py to run under a specific domain without using an application-specific wrapper. Something like 'sedomainexec myappd_t python myscript.py --daemon ...' Is the wrapper script my only option?

--Wart

From sds at tycho.nsa.gov Fri Jan 26 17:50:30 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 26 Jan 2007 12:50:30 -0500
Subject: SELinux Policy/Flask Classes from scratch
In-Reply-To: <4fd2719c0701260918n3b7ba69fn50270a8d116b5291@mail.gmail.com>
References: <4fd2719c0701260918n3b7ba69fn50270a8d116b5291@mail.gmail.com>
Message-ID: <1169833830.15390.308.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-01-26 at 12:18 -0500, bx wrote:
> Hello,
> Let me apologize if this is the wrong place to ask this question, but I figure that those well versed in SELinux can help me. I have been reading a ton about SELinux and Flask, and I haven't found anything that answered my question.
>
> I am working on creating a security policy from scratch

I'd suggest leveraging the reference policy instead as a baseline, then customize it as desired.
http://oss.tresys.com/projects/refpolicy

> and followed the tutorial the IBM published (http://www-128.ibm.com/developerworks/linux/library/l-selinux.html). After taking a look at the bare bones policy.conf file it generated, it got me thinking- I don't need to have something as granular as SELinux allows me to be. In fact it would simplify things if I could change the granularity.
> How would SELinux be affected if I were to remove some of the class definitions and took anything that referred to those classes out of my policy? Would SELinux just not enforce anything on those types of objects, would SELinux completely disallow all use of those objects or would it just break SELinux?

At present, removing kernel classes would lead to permission denials or breakage. See the thread starting with:
http://marc.theaimsgroup.com/?l=selinux&m=116499002502432&w=2

Note however this isn't just a matter of granularity of protection, but rather completeness of protection; if you were to disable SELinux enforcement for a given object class, then you are removing all control on those objects, enabling them to serve as a way of bypassing policy. Changing the granularity of protection would just mean folding multiple classes together, e.g. handle all of the file-related classes as one, which you can achieve in policy by use of macros rather than needing to change the kernel.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Jan 26 17:54:13 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 26 Jan 2007 12:54:13 -0500
Subject: script executables
In-Reply-To: <45BA3C03.1080606@kobold.org>
References: <45BA3C03.1080606@kobold.org>
Message-ID: <1169834053.15390.310.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
> I'm working on selinux protection for a python script daemon that is started inside of an init.d script. Inside the init.d script the python daemon is invoked as:
>
> python myscript.py --daemon --pid=... --log=...
>
> I'd like to have this process run under its own domain. The worst thing I could do is to relabel python with that domain, but that would just be really bad and sloppy, and not really an option.
>
> Another option that I've gotten to work is to use a wrapper shell script to invoke the python commands. The init.d script invokes the wrapper script, which is labeled with the desired domain.
>
> But I was wondering if there was another way to get myscript.py to run under a specific domain without using an application-specific wrapper. Something like 'sedomainexec myappd_t python myscript.py --daemon ...' Is the wrapper script my only option?

If myscript.py starts with #!//usr/bin/python -E, then you can just label the file with an appropriate _exec_t type and have it automatically transition into its own domain. SELinux supports domain transitions on scripts (unlike setuid), although naturally you should only do that when you trust the calling domain.

You can also use runcon -t to manually launch a program of any kind in a particular domain.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Jan 26 17:58:25 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 26 Jan 2007 12:58:25 -0500
Subject: script executables
In-Reply-To: <1169834053.15390.310.camel@moss-spartans.epoch.ncsc.mil>
References: <45BA3C03.1080606@kobold.org> <1169834053.15390.310.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1169834305.15390.313.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-01-26 at 12:54 -0500, Stephen Smalley wrote:
> On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
> > I'm working on selinux protection for a python script daemon that is started inside of an init.d script. Inside the init.d script the python daemon is invoked as:
> >
> > python myscript.py --daemon --pid=... --log=...
> >
> > I'd like to have this process run under its own domain. The worst thing I could do is to relabel python with that domain, but that would just be really bad and sloppy, and not really an option.
> >
> > Another option that I've gotten to work is to use a wrapper shell script to invoke the python commands. The init.d script invokes the wrapper script, which is labeled with the desired domain.
> >
> > But I was wondering if there was another way to get myscript.py to run under a specific domain without using an application-specific wrapper. Something like 'sedomainexec myappd_t python myscript.py --daemon ...' Is the wrapper script my only option?
>
> If myscript.py starts with #!//usr/bin/python -E, then you can just label the file with an appropriate _exec_t type and have it automatically transition into its own domain. SELinux supports domain transitions on scripts (unlike setuid), although naturally you should only do that when you trust the calling domain.

Of course, this only happens upon direct execution of the script, not when you just pass it as an argument to python.

>
> You can also use runcon -t to manually launch a program of any kind in a particular domain.
>
--
Stephen Smalley
National Security Agency

From wart at kobold.org Fri Jan 26 18:25:55 2007
From: wart at kobold.org (Michael Thomas)
Date: Fri, 26 Jan 2007 10:25:55 -0800
Subject: script executables
In-Reply-To: <1169834053.15390.310.camel@moss-spartans.epoch.ncsc.mil>
References: <45BA3C03.1080606@kobold.org> <1169834053.15390.310.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <45BA47B3.1010607@kobold.org>

Stephen Smalley wrote:
> On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
>> I'm working on selinux protection for a python script daemon that is started inside of an init.d script. Inside the init.d script the python daemon is invoked as:
>>
>> python myscript.py --daemon --pid=... --log=...
>>
>> I'd like to have this process run under its own domain. The worst thing I could do is to relabel python with that domain, but that would just be really bad and sloppy, and not really an option.
>>
>> Another option that I've gotten to work is to use a wrapper shell script to invoke the python commands. The init.d script invokes the wrapper script, which is labeled with the desired domain.
>>
>> But I was wondering if there was another way to get myscript.py to run under a specific domain without using an application-specific wrapper. Something like 'sedomainexec myappd_t python myscript.py --daemon ...' Is the wrapper script my only option?
>
> If myscript.py starts with #!//usr/bin/python -E, then you can just label the file with an appropriate _exec_t type and have it automatically transition into its own domain. SELinux supports domain transitions on scripts (unlike setuid), although naturally you should only do that when you trust the calling domain.
>
> You can also use runcon -t to manually launch a program of any kind in a particular domain.

runcon is exactly what I need. Thanks!

Unfortunately... It seems that runcon is greedy about parsing command line options. If I use any '--foo' arguments to my command, runcon interprets them as its own arguments and usually throws an error:

# runcon system_u:object_r:httpd_exec_t ls --all
runcon: unrecognized option `--all'
Usage: runcon CONTEXT COMMAND [args]
  or:  runcon [ -c ] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] COMMAND [args]
Run a program in a different security context.

  CONTEXT            Complete security context
  -c, --compute      compute process transition context before modifying
  -t, --type=TYPE    type (for same role as parent)
  -u, --user=USER    user identity
  -r, --role=ROLE    role
  -l, --range=RANGE  levelrange
      --help         display this help and exit
      --version      output version information and exit

I'll file this in bugzilla.
--Wart

From sds at tycho.nsa.gov Fri Jan 26 18:26:07 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 26 Jan 2007 13:26:07 -0500
Subject: script executables
In-Reply-To: <45BA47B3.1010607@kobold.org>
References: <45BA3C03.1080606@kobold.org> <1169834053.15390.310.camel@moss-spartans.epoch.ncsc.mil> <45BA47B3.1010607@kobold.org>
Message-ID: <1169835967.15390.334.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-01-26 at 10:25 -0800, Michael Thomas wrote:
> Stephen Smalley wrote:
> > On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
> >> I'm working on selinux protection for a python script daemon that is started inside of an init.d script. Inside the init.d script the python daemon is invoked as:
> >>
> >> python myscript.py --daemon --pid=... --log=...
> >>
> >> I'd like to have this process run under its own domain. The worst thing I could do is to relabel python with that domain, but that would just be really bad and sloppy, and not really an option.
> >>
> >> Another option that I've gotten to work is to use a wrapper shell script to invoke the python commands. The init.d script invokes the wrapper script, which is labeled with the desired domain.
> >>
> >> But I was wondering if there was another way to get myscript.py to run under a specific domain without using an application-specific wrapper. Something like 'sedomainexec myappd_t python myscript.py --daemon ...' Is the wrapper script my only option?
> >
> > If myscript.py starts with #!//usr/bin/python -E, then you can just label the file with an appropriate _exec_t type and have it automatically transition into its own domain. SELinux supports domain transitions on scripts (unlike setuid), although naturally you should only do that when you trust the calling domain.
> >
> > You can also use runcon -t to manually launch a program of any kind in a particular domain.
>
> runcon is exactly what I need. Thanks!
>
> Unfortunately... It seems that runcon is greedy about parsing command line options. If I use any '--foo' arguments to my command, runcon interprets them as its own arguments and usually throws an error:
>
> # runcon system_u:object_r:httpd_exec_t ls --all

That's a file context, not a process context.

And you can disable option parsing via the usual trick, "--", e.g.
	runcon -t httpd_t -- ls --all

but that will fail on the entrypoint permission check. So you are better off doing:
	chcon -t httpd_exec_t myscript.py
and letting it do an automatic transition via direct execution, e.g.
	./myscript.py

> runcon: unrecognized option `--all'
> Usage: runcon CONTEXT COMMAND [args]
>   or:  runcon [ -c ] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] COMMAND [args]
> Run a program in a different security context.
>
>   CONTEXT            Complete security context
>   -c, --compute      compute process transition context before modifying
>   -t, --type=TYPE    type (for same role as parent)
>   -u, --user=USER    user identity
>   -r, --role=ROLE    role
>   -l, --range=RANGE  levelrange
>       --help         display this help and exit
>       --version      output version information and exit
>
>
> I'll file this in bugzilla.
--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Fri Jan 26 18:27:57 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 26 Jan 2007 13:27:57 -0500
Subject: script executables
In-Reply-To: <1169835967.15390.334.camel@moss-spartans.epoch.ncsc.mil>
References: <45BA3C03.1080606@kobold.org> <1169834053.15390.310.camel@moss-spartans.epoch.ncsc.mil> <45BA47B3.1010607@kobold.org> <1169835967.15390.334.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1169836077.15390.336.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-01-26 at 13:26 -0500, Stephen Smalley wrote:
> On Fri, 2007-01-26 at 10:25 -0800, Michael Thomas wrote:
> > Stephen Smalley wrote:
> > > On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
> > >> I'm working on selinux protection for a python script daemon that is started inside of an init.d script. Inside the init.d script the python daemon is invoked as:
> > >>
> > >> python myscript.py --daemon --pid=... --log=...
> > >>
> > >> I'd like to have this process run under its own domain. The worst thing I could do is to relabel python with that domain, but that would just be really bad and sloppy, and not really an option.
> > >>
> > >> Another option that I've gotten to work is to use a wrapper shell script to invoke the python commands. The init.d script invokes the wrapper script, which is labeled with the desired domain.
> > >>
> > >> But I was wondering if there was another way to get myscript.py to run under a specific domain without using an application-specific wrapper. Something like 'sedomainexec myappd_t python myscript.py --daemon ...' Is the wrapper script my only option?
> > >
> > > If myscript.py starts with #!//usr/bin/python -E, then you can just label the file with an appropriate _exec_t type and have it automatically transition into its own domain. SELinux supports domain transitions on scripts (unlike setuid), although naturally you should only do that when you trust the calling domain.
> > >
> > > You can also use runcon -t to manually launch a program of any kind in a particular domain.
> >
> > runcon is exactly what I need. Thanks!
> >
> > Unfortunately... It seems that runcon is greedy about parsing command line options. If I use any '--foo' arguments to my command, runcon interprets them as its own arguments and usually throws an error:
> >
> > # runcon system_u:object_r:httpd_exec_t ls --all
>
> That's a file context, not a process context.
>
> And you can disable option parsing via the usual trick, "--", e.g.
> 	runcon -t httpd_t -- ls --all
>
> but that will fail on the entrypoint permission check. So you are better off doing:
> 	chcon -t httpd_exec_t myscript.py
> and letting it do an automatic transition via direct execution, e.g.
> 	./myscript.py

Although I don't think you want it running directly in httpd_t. You do have a separate domain for your application, right?

>
> > runcon: unrecognized option `--all'
> > Usage: runcon CONTEXT COMMAND [args]
> >   or:  runcon [ -c ] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] COMMAND [args]
> > Run a program in a different security context.
> >
> >   CONTEXT            Complete security context
> >   -c, --compute      compute process transition context before modifying
> >   -t, --type=TYPE    type (for same role as parent)
> >   -u, --user=USER    user identity
> >   -r, --role=ROLE    role
> >   -l, --range=RANGE  levelrange
> >       --help         display this help and exit
> >       --version      output version information and exit
> >
> >
> > I'll file this in bugzilla.
> >
--
Stephen Smalley
National Security Agency

From wart at kobold.org Fri Jan 26 18:48:25 2007
From: wart at kobold.org (Michael Thomas)
Date: Fri, 26 Jan 2007 10:48:25 -0800
Subject: script executables
In-Reply-To: <1169836077.15390.336.camel@moss-spartans.epoch.ncsc.mil>
References: <45BA3C03.1080606@kobold.org> <1169834053.15390.310.camel@moss-spartans.epoch.ncsc.mil> <45BA47B3.1010607@kobold.org> <1169835967.15390.334.camel@moss-spartans.epoch.ncsc.mil> <1169836077.15390.336.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <45BA4CF9.2020305@kobold.org>

Stephen Smalley wrote:
> On Fri, 2007-01-26 at 13:26 -0500, Stephen Smalley wrote:
>> On Fri, 2007-01-26 at 10:25 -0800, Michael Thomas wrote:
>>> Stephen Smalley wrote:
>>>> On Fri, 2007-01-26 at 09:36 -0800, Michael Thomas wrote:
>>>>> I'm working on selinux protection for a python script daemon that is started inside of an init.d script. Inside the init.d script the python daemon is invoked as:
>>>>>
>>>>> python myscript.py --daemon --pid=... --log=...
>>>>>
>>>>> I'd like to have this process run under its own domain. The worst thing I could do is to relabel python with that domain, but that would just be really bad and sloppy, and not really an option.
>>>>>
>>>>> Another option that I've gotten to work is to use a wrapper shell script to invoke the python commands. The init.d script invokes the wrapper script, which is labeled with the desired domain.
>>>>>
>>>>> But I was wondering if there was another way to get myscript.py to run under a specific domain without using an application-specific wrapper. Something like 'sedomainexec myappd_t python myscript.py --daemon ...' Is the wrapper script my only option?
>>>> If myscript.py starts with #!//usr/bin/python -E, then you can just label the file with an appropriate _exec_t type and have it automatically transition into its own domain.
>>>> SELinux supports domain transitions on scripts (unlike setuid), although naturally you should only do that when you trust the calling domain.
>>>>
>>>> You can also use runcon -t to manually launch a program of any kind in a particular domain.
>>> runcon is exactly what I need. Thanks!
>>>
>>> Unfortunately... It seems that runcon is greedy about parsing command line options. If I use any '--foo' arguments to my command, runcon interprets them as its own arguments and usually throws an error:
>>>
>>> # runcon system_u:object_r:httpd_exec_t ls --all
>> That's a file context, not a process context.

My bad. But it still showed the problem.

>> And you can disable option parsing via the usual trick, "--", e.g.
>> 	runcon -t httpd_t -- ls --all

Ah, I see that now in the man page, but not on the --help output of runcon.

>> but that will fail on the entrypoint permission check.

That explains this:

type=AVC msg=audit(1169836492.684:217): avc: denied { entrypoint } for pid=3542 comm="runcon" name="python" dev=dm-0 ino=3312390 scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

Couldn't I just add this to my policy file, or is it too dangerous?:

allow pokerd_t bin_t:file entrypoint;

>> So you are better off doing:
>> 	chcon -t httpd_exec_t myscript.py
>> and letting it do an automatic transition via direct execution, e.g.
>> 	./myscript.py

That won't work in this case, unfortunately. The full command that I'm running is:

/usr/bin/python /usr/bin/twistd --pidfile=/var/run/poker-network/poker-server.pid --python /usr/lib/python2.5/site-packages/pokernetwork/pokerserver.py --...

It's a python script framework (twistd) that is invoking the real application specified on the command line. As before, it wouldn't make sense to label the entire framework. I'm working with the app developers to see if they can work around this and invoke the script directly, but for now I have to assume that it might not be an option.

> Although I don't think you want it running directly in httpd_t.
> You do have a separate domain for your application, right?

Yes, I have a separate domain for my app. I was just using httpd_t as a test.

Thanks for the help,

--Wart

From sds at tycho.nsa.gov Fri Jan 26 19:08:57 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 26 Jan 2007 14:08:57 -0500
Subject: script executables
In-Reply-To: <45BA4CF9.2020305@kobold.org>
References: <45BA3C03.1080606@kobold.org> <1169834053.15390.310.camel@moss-spartans.epoch.ncsc.mil> <45BA47B3.1010607@kobold.org> <1169835967.15390.334.camel@moss-spartans.epoch.ncsc.mil> <1169836077.15390.336.camel@moss-spartans.epoch.ncsc.mil> <45BA4CF9.2020305@kobold.org>
Message-ID: <1169838537.15390.344.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-01-26 at 10:48 -0800, Michael Thomas wrote:
> That explains this:
>
> type=AVC msg=audit(1169836492.684:217): avc: denied { entrypoint } for pid=3542 comm="runcon" name="python" dev=dm-0 ino=3312390 scontext=user_u:system_r:pokerd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
>
> Couldn't I just add this to my policy file, or is it too dangerous?:
>
> allow pokerd_t bin_t:file entrypoint;

It doesn't make much difference in this case, since it is a script and it isn't particularly privileged (any more so than the caller). But use the refpolicy interface instead:
	domain_entry_file(pokerd_t, bin_t)

> That won't work in this case, unfortunately. The full command that I'm running is:
>
> /usr/bin/python /usr/bin/twistd --pidfile=/var/run/poker-network/poker-server.pid --python /usr/lib/python2.5/site-packages/pokernetwork/pokerserver.py --...
>
> It's a python script framework (twistd) that is invoking the real application specified on the command line. As before, it wouldn't make sense to label the entire framework.
> I'm working with the app developers to see if they can work around this and invoke the script directly, but for now I have to assume that it might not be an option.

Ok.

--
Stephen Smalley
National Security Agency

From galaxy4sale at gmail.com Fri Jan 26 20:34:27 2007
From: galaxy4sale at gmail.com (bx)
Date: Fri, 26 Jan 2007 15:34:27 -0500
Subject: SELinux Policy/Flask Classes from scratch
In-Reply-To: <1169833830.15390.308.camel@moss-spartans.epoch.ncsc.mil>
References: <4fd2719c0701260918n3b7ba69fn50270a8d116b5291@mail.gmail.com> <1169833830.15390.308.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4fd2719c0701261234u3739b44fxd6f91344e6a60bc1@mail.gmail.com>

On 1/26/07, Stephen Smalley wrote:
> I'd suggest leveraging the reference policy instead as a baseline, then customize it as desired.
> http://oss.tresys.com/projects/refpolicy
>

I took a look at the reference policy and I am not sure how it can help me. I am not trying to use SELinux to constrain programs and daemons to sandboxes, instead I would like to use it to create restricted system administrator accounts. Although in the future, I may want to end up hardening apache, etc, however at this point, that is not my focus. My approach would be similar to the targeted policy, in which there is an "unconfined" base domain in which most things roam. I understand that in theory the reference policy would be a good approach due to its modular approach, however I do not know where to start to get myself my base unconfined layer I want. I am open to suggestions.

> At present, removing kernel classes would lead to permission denials or breakage.
> See the thread starting with:
> http://marc.theaimsgroup.com/?l=selinux&m=116499002502432&w=2
> Note however this isn't just a matter of granularity of protection, but rather completeness of protection; if you were to disable SELinux enforcement for a given object class, then you are removing all control on those objects, enabling them to serve as a way of bypassing policy.
> Changing the granularity of protection would just mean folding multiple classes together, e.g. handle all of the file-related classes as one, which you can achieve in policy by use of macros rather than needing to change the kernel.

This makes absolute sense, thank you. I will use macros to create the granularity I desire.

I appreciate your help,
Rebecca

From sds at tycho.nsa.gov Fri Jan 26 20:37:28 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 26 Jan 2007 15:37:28 -0500
Subject: SELinux Policy/Flask Classes from scratch
In-Reply-To: <4fd2719c0701261234u3739b44fxd6f91344e6a60bc1@mail.gmail.com>
References: <4fd2719c0701260918n3b7ba69fn50270a8d116b5291@mail.gmail.com> <1169833830.15390.308.camel@moss-spartans.epoch.ncsc.mil> <4fd2719c0701261234u3739b44fxd6f91344e6a60bc1@mail.gmail.com>
Message-ID: <1169843848.15390.385.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-01-26 at 15:34 -0500, bx wrote:
> On 1/26/07, Stephen Smalley wrote:
> > I'd suggest leveraging the reference policy instead as a baseline, then customize it as desired.
> > http://oss.tresys.com/projects/refpolicy
>
> I took a look at the reference policy and I am not sure how it can help me. I am not trying to use SELinux to constrain programs and daemons to sandboxes, instead I would like to use it to create restricted system administrator accounts. Although in the future, I may want to end up hardening apache, etc, however at this point, that is not my focus.
> My approach would be similar to the targeted policy, in which there is an "unconfined" base domain in which most things roam. I understand that in theory the reference policy would be a good approach due to its modular approach, however I do not know where to start to get myself my base unconfined layer I want. I am open to suggestions.

All policies are built from the reference policy these days, including the Fedora -targeted policy (and the -strict policy and the -mls policy). They are just different configurations of it. -strict policy has a notion of user roles already, whereas -targeted does not (at present).

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Jan 26 22:28:06 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 26 Jan 2007 17:28:06 -0500
Subject: httpd and tcp_connect
In-Reply-To: <45B999C3.8030202@kobold.org>
References: <45B3BDDE.2080903@kobold.org> <45B765F6.7030403@redhat.com> <45B999C3.8030202@kobold.org>
Message-ID: <45BA8076.6000906@redhat.com>

Wart wrote:
> Daniel J Walsh wrote:
>> The best solution would be to make a loadable policy module, and define a new port, something like
>>
>> Create a te file like the following
>>
>> #cat webapp.te
>> policy_module(webapp, 1.0);
>>
>> require {
>> type httpd_t;
>>
>> };
>>
>> type webapp_port_t;
>>
>> allow httpd_t webapp_port_t:tcp_socket name_connect;
>> # make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
>> # semodule -i webapp.pp
>> # semanage port -a -t webapp_port_t -p tcp 19380-19383
>
> Thanks for the tip. This worked just fine. Now that I have a working policy for this server + web application, I'm trying to get it all packaged up nicely. I've got a policy that works, but to package it properly I'd have to split up rules between the webapp component and the server component, with dependencies between them. I'm sure with some more work I could do this, but it starts to become trickier to package.
> It seems like it would be much easier to manage if it were all part of the upstream selinux reference policy instead.
>
> What is the best way to go about submitting new policies to be included in the reference policy?
>
> --Mike
>

Submit it as a patch to the selinux at tycho.nsa.gov mailing list, and request that it get upstreamed.

From cannewilson at tiscali.co.uk Mon Jan 29 11:26:08 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Mon, 29 Jan 2007 11:26:08 +0000
Subject: PAM problems
Message-ID: <200701291126.13899.cannewilson@tiscali.co.uk>

From logwatch:

**Unmatched Entries**
userhelper[20994]: PAM [error: /lib/security/lib/security/pam_permit.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM [error: /lib/security/lib/security/pam_rootok.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM [error: /lib/security/lib/security/pam_stack.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM [error: /lib/security/lib/security/pam_timestamp.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM [error: /lib/security/lib/security/pam_xauth.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[20994]: PAM adding faulty module: /lib/security/lib/security/pam_permit.so: 1 Time(s)
userhelper[20994]: PAM adding faulty module: /lib/security/lib/security/pam_rootok.so: 1 Time(s)
userhelper[20994]: PAM adding faulty module: /lib/security/lib/security/pam_stack.so: 1 Time(s)
userhelper[20994]: PAM adding faulty module: /lib/security/lib/security/pam_timestamp.so: 1 Time(s)
userhelper[20994]: PAM adding faulty module: /lib/security/lib/security/pam_xauth.so: 1 Time(s)
userhelper[20994]: PAM unable to dlopen(/lib/security/lib/security/pam_permit.so): 1 Time(s)
userhelper[20994]: PAM unable to dlopen(/lib/security/lib/security/pam_rootok.so): 1 Time(s)
userhelper[20994]: PAM unable to dlopen(/lib/security/lib/security/pam_stack.so): 1 Time(s)
userhelper[20994]: PAM unable to dlopen(/lib/security/lib/security/pam_timestamp.so): 1 Time(s)
userhelper[20994]: PAM unable to dlopen(/lib/security/lib/security/pam_xauth.so): 1 Time(s)
userhelper[21001]: PAM [error: /lib/security/lib/security/pam_permit.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM [error: /lib/security/lib/security/pam_rootok.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM [error: /lib/security/lib/security/pam_stack.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM [error: /lib/security/lib/security/pam_timestamp.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM [error: /lib/security/lib/security/pam_xauth.so: cannot open shared object file: No such file or directory]: 1 Time(s)
userhelper[21001]: PAM adding faulty module: /lib/security/lib/security/pam_permit.so: 1 Time(s)
userhelper[21001]: PAM adding faulty module: /lib/security/lib/security/pam_rootok.so: 1 Time(s)
userhelper[21001]: PAM adding faulty module: /lib/security/lib/security/pam_stack.so: 1 Time(s)
userhelper[21001]: PAM adding faulty module: /lib/security/lib/security/pam_timestamp.so: 1 Time(s)
userhelper[21001]: PAM adding faulty module: /lib/security/lib/security/pam_xauth.so: 1 Time(s)
userhelper[21001]: PAM unable to dlopen(/lib/security/lib/security/pam_permit.so): 1 Time(s)
userhelper[21001]: PAM unable to dlopen(/lib/security/lib/security/pam_rootok.so): 1 Time(s)
userhelper[21001]: PAM unable to dlopen(/lib/security/lib/security/pam_stack.so): 1 Time(s)
userhelper[21001]: PAM unable to dlopen(/lib/security/lib/security/pam_timestamp.so): 1 Time(s)
userhelper[21001]: PAM unable to dlopen(/lib/security/lib/security/pam_xauth.so): 1 Time(s)

What's happening?
Anne

From tmraz at redhat.com Mon Jan 29 13:20:07 2007
From: tmraz at redhat.com (Tomas Mraz)
Date: Mon, 29 Jan 2007 14:20:07 +0100
Subject: PAM problems
In-Reply-To: <200701291126.13899.cannewilson@tiscali.co.uk>
References: <200701291126.13899.cannewilson@tiscali.co.uk>
Message-ID: <1170076807.3407.7.camel@perun.kabelta.loc>

On Mon, 2007-01-29 at 11:26 +0000, Anne Wilson wrote:
> From logwatch:
>
> **Unmatched Entries**
> userhelper[20994]: PAM [error: /lib/security/lib/security/pam_permit.so: cannot open shared object file: No such file or directory]: 1 Time(s)
....
> dlopen(/lib/security/lib/security/pam_timestamp.so): 1 Time(s)
> userhelper[21001]: PAM unable to dlopen(/lib/security/lib/security/pam_xauth.so): 1 Time(s)
>
> What's happening?

It seems like some pam configuration files on the computer in /etc/pam.d/ are messed up.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

From sds at tycho.nsa.gov Mon Jan 29 13:46:59 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 29 Jan 2007 08:46:59 -0500
Subject: PAM problems
In-Reply-To: <200701291126.13899.cannewilson@tiscali.co.uk>
References: <200701291126.13899.cannewilson@tiscali.co.uk>
Message-ID: <1170078419.8720.37.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-01-29 at 11:26 +0000, Anne Wilson wrote:
> From logwatch:
>
> **Unmatched Entries**
> userhelper[20994]: PAM [error: /lib/security/lib/security/pam_permit.so: cannot open shared object file: No such file or directory]: 1 Time(s)

Notice the duplication in the paths ("/lib/security/" twice). What is in your /etc/pam.d/* files?
(not selinux related AFAICS)

--
Stephen Smalley
National Security Agency

From cannewilson at tiscali.co.uk Mon Jan 29 14:00:15 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Mon, 29 Jan 2007 14:00:15 +0000
Subject: PAM problems
In-Reply-To: <1170078419.8720.37.camel@moss-spartans.epoch.ncsc.mil>
References: <200701291126.13899.cannewilson@tiscali.co.uk> <1170078419.8720.37.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200701291400.20518.cannewilson@tiscali.co.uk>

On Monday 29 January 2007 13:46, Stephen Smalley wrote:
> On Mon, 2007-01-29 at 11:26 +0000, Anne Wilson wrote:
> > From logwatch:
> >
> > **Unmatched Entries**
> > userhelper[20994]: PAM [error: /lib/security/lib/security/pam_permit.so: cannot open shared object file: No such file or directory]: 1 Time(s)
>
> Notice the duplication in the paths ("/lib/security/" twice). What is in your /etc/pam.d/* files?
>
Mp subdirectories. I'll check out the individual files, but the ones I've looked at look perfectly OK to me.

> (not selinux related AFAICS)
>
OK - it was all those 'security' references that fooled me :-) I'll investigate as best I can. Thanks to both of you for answering.

Anne
From sds at tycho.nsa.gov Mon Jan 29 14:04:35 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 29 Jan 2007 09:04:35 -0500
Subject: PAM problems
In-Reply-To: <200701291400.20518.cannewilson@tiscali.co.uk>
References: <200701291126.13899.cannewilson@tiscali.co.uk> <1170078419.8720.37.camel@moss-spartans.epoch.ncsc.mil> <200701291400.20518.cannewilson@tiscali.co.uk>
Message-ID: <1170079475.8720.40.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-01-29 at 14:00 +0000, Anne Wilson wrote:
> On Monday 29 January 2007 13:46, Stephen Smalley wrote:
> > On Mon, 2007-01-29 at 11:26 +0000, Anne Wilson wrote:
> > > From logwatch:
> > >
> > > **Unmatched Entries**
> > > userhelper[20994]: PAM [error: /lib/security/lib/security/pam_permit.so: cannot open shared object file: No such file or directory]: 1 Time(s)
> >
> > Notice the duplication in the paths ("/lib/security/" twice). What is in your /etc/pam.d/* files?
> >
> Mp subdirectories. I'll check out the individual files, but the ones I've looked at look perfectly OK to me.
rpm -V pam

--
Stephen Smalley
National Security Agency

From cannewilson at tiscali.co.uk Mon Jan 29 14:08:29 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Mon, 29 Jan 2007 14:08:29 +0000
Subject: PAM problems
In-Reply-To: <200701291400.20518.cannewilson@tiscali.co.uk>
References: <200701291126.13899.cannewilson@tiscali.co.uk> <1170078419.8720.37.camel@moss-spartans.epoch.ncsc.mil> <200701291400.20518.cannewilson@tiscali.co.uk>
Message-ID: <200701291408.29369.cannewilson@tiscali.co.uk>

On Monday 29 January 2007 14:00, Anne Wilson wrote:
> On Monday 29 January 2007 13:46, Stephen Smalley wrote:
> > On Mon, 2007-01-29 at 11:26 +0000, Anne Wilson wrote:
> > > From logwatch:
> > >
> > > **Unmatched Entries**
> > > userhelper[20994]: PAM [error: /lib/security/lib/security/pam_permit.so: cannot open shared object file: No such file or directory]: 1 Time(s)
> >
> > Notice the duplication in the paths ("/lib/security/" twice). What is in your /etc/pam.d/* files?
>
> Mp subdirectories. I'll check out the individual files, but the ones I've

Typo, sorry :-) 'No subdirectories'

> looked at look perfectly OK to me.
>
> > (not selinux related AFAICS)
>
> OK - it was all those 'security' references that fooled me :-) I'll investigate as best I can. Thanks to both of you for answering.
>
> Anne
From eparis at redhat.com Fri Jan 26 17:50:58 2007
From: eparis at redhat.com (Eric Paris)
Date: Fri, 26 Jan 2007 12:50:58 -0500
Subject: SELinux Policy/Flask Classes from scratch
In-Reply-To: <4fd2719c0701260918n3b7ba69fn50270a8d116b5291@mail.gmail.com>
References: <4fd2719c0701260918n3b7ba69fn50270a8d116b5291@mail.gmail.com>
Message-ID: <1169833858.4011.6.camel@localhost.localdomain>

On Fri, 2007-01-26 at 12:18 -0500, bx wrote:
> I am working on creating a security policy from scratch and followed the tutorial the IBM published (http://www-128.ibm.com/developerworks/linux/library/l-selinux.html). After taking a look at the bare bones policy.conf file it generated, it got me thinking- I don't need to have something as granular as SELinux allows me to be. In fact it would simplify things if I could change the granularity. How would SELinux be affected if I were to remove some of the class definitions and took anything that referred to those classes out of my policy? Would SELinux just not enforce anything on those types of objects, would SELinux completely disallow all use of those objects or would it just break SELinux?

Assuming you are talking about the definition of classes and permissions in policy/flask/* pretty much it would just break. The class and permission definitions from policy and the kernel are supposed to match. Recent kernel changes (2.6.18 and later I believe) have allowed policy to load which does not define all of the classes and permissions defined in the kernel, but it still enforces decisions over those classes and permissions. Since there cannot be any allow rules for those classes in the policy everything gets denied.
I still have an old half baked patch which allows the policy to decide if it wants to enforce decisions on undefined classes and permissions but I haven't had time to make it work according to all the suggestions I received when I submitted it. So for now, you pretty much just have to use them all.

-Eric

From sds at tycho.nsa.gov Mon Jan 29 14:15:46 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 29 Jan 2007 09:15:46 -0500
Subject: SELinux Policy/Flask Classes from scratch
In-Reply-To: <1169833858.4011.6.camel@localhost.localdomain>
References: <4fd2719c0701260918n3b7ba69fn50270a8d116b5291@mail.gmail.com> <1169833858.4011.6.camel@localhost.localdomain>
Message-ID: <1170080146.8720.43.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-01-26 at 12:50 -0500, Eric Paris wrote:
> On Fri, 2007-01-26 at 12:18 -0500, bx wrote:
> > I am working on creating a security policy from scratch and followed the tutorial the IBM published (http://www-128.ibm.com/developerworks/linux/library/l-selinux.html). After taking a look at the bare bones policy.conf file it generated, it got me thinking- I don't need to have something as granular as SELinux allows me to be. In fact it would simplify things if I could change the granularity. How would SELinux be affected if I were to remove some of the class definitions and took anything that referred to those classes out of my policy? Would SELinux just not enforce anything on those types of objects, would SELinux completely disallow all use of those objects or would it just break SELinux?
>
> Assuming you are talking about the definition of classes and permissions in policy/flask/* pretty much it would just break. The class and permission definitions from policy and the kernel are supposed to match.
> Recent kernel changes (2.6.18 and later I believe) have allowed policy to load which does not define all of the classes and permissions defined in the kernel, but it still enforces decisions over those classes and permissions. Since there cannot be any allow rules for those classes in the policy everything gets denied.
>
> I still have an old half baked patch which allows the policy to decide if it wants to enforce decisions on undefined classes and permissions but I haven't had time to make it work according to all the suggestions I received when I submitted it. So for now, you pretty much just have to use them all.

Yep, and all of the patches to date only allow for the case where new classes or permissions at the end of the lists are omitted (e.g. for kernels with new classes or perms not yet defined by the current policy), not for arbitrary creation of "holes" in the class or permission mappings (i.e. if you remove a class from anywhere but the end, then policy definitions will end up with subsequent classes off-by-one from the expected values by the kernel, and that should always be rejected by the kernel).
--
Stephen Smalley
National Security Agency

From cannewilson at tiscali.co.uk Mon Jan 29 14:34:33 2007
From: cannewilson at tiscali.co.uk (Anne Wilson)
Date: Mon, 29 Jan 2007 14:34:33 +0000
Subject: PAM problems
In-Reply-To: <1170079475.8720.40.camel@moss-spartans.epoch.ncsc.mil>
References: <200701291126.13899.cannewilson@tiscali.co.uk> <200701291400.20518.cannewilson@tiscali.co.uk> <1170079475.8720.40.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <200701291434.33980.cannewilson@tiscali.co.uk>

On Monday 29 January 2007 14:04, Stephen Smalley wrote:
> On Mon, 2007-01-29 at 14:00 +0000, Anne Wilson wrote:
> > On Monday 29 January 2007 13:46, Stephen Smalley wrote:
> > > On Mon, 2007-01-29 at 11:26 +0000, Anne Wilson wrote:
> > > > From logwatch:
> > > >
> > > > **Unmatched Entries**
> > > > userhelper[20994]: PAM [error: /lib/security/lib/security/pam_permit.so: cannot open shared object file: No such file or directory]: 1 Time(s)
> > >
> > > Notice the duplication in the paths ("/lib/security/" twice). What is in your /etc/pam.d/* files?
> >
> > Mp subdirectories. I'll check out the individual files, but the ones I've looked at look perfectly OK to me.
>
> rpm -V pam

....L...  c /etc/pam.d/system-auth
S.5....T  c /etc/security/console.perms.d/50-default.perms

Anne

From goeran at uddeborg.se Tue Jan 30 16:58:40 2007
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Tue, 30 Jan 2007 17:58:40 +0100
Subject: Crossover
Message-ID: <17855.31040.653674.536727@mimmi.uddeborg.se>

Crossover installs under /opt/cxoffice by default. The rules for wine-style programs do not seem to cover that hierarchy, and just trying to run things gives a lot of denied execmods.
I assume just mirroring the settings for regular wine is fine for Crossover too:

/opt/cxoffice/lib/wine/.+\.so	system_u:object_r:textrel_shlib_t:s0
/opt/cxoffice/bin/wine	system_u:object_r:wine_exec_t:s0

I changed the files (only directly with chcon) and it appears to work. At least so far, we have not used this too much yet.

Does this make sense? Do you want a bugzilla about it?

From ronald645 at gmail.com Tue Jan 30 17:55:10 2007
From: ronald645 at gmail.com (Ronald)
Date: Tue, 30 Jan 2007 18:55:10 +0100
Subject: Selinux is ignoring me
Message-ID: <45BF867E.50708@gmail.com>

My problem can be viewed here:
http://forums.fedoraforum.org/showthread.php?p=734545#post734545

No one answered on the forums. Can someone help me on the mailinglist? I'm trying to understand the system, so I can hopefully write a manual (or HOWTO) for the forums.

Can anybody help me with my problem? And some good links will be appreciated as well. The ones from google give hits that refer to non-existing files...

From paul at city-fan.org Tue Jan 30 18:27:18 2007
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 30 Jan 2007 18:27:18 +0000
Subject: Selinux is ignoring me
In-Reply-To: <45BF867E.50708@gmail.com>
References: <45BF867E.50708@gmail.com>
Message-ID: <45BF8E06.4010605@city-fan.org>

Ronald wrote:
> My problem can be viewed here:
> http://forums.fedoraforum.org/showthread.php?p=734545#post734545
>
> No one answered on the forums. Can someone help me on the mailinglist? I'm trying to understand the system, so I can hopefully write a manual (or HOWTO) for the forums.
>
> Can anybody help me with my problem? And some good links will be appreciated as well. The ones from google give hits that refer to non-existing files...

Try rebooting and adding "enforcing=0" as an additional boot parameter to boot in permissive mode. Then, do:

# setsebool -P secure_mode_policyload 0

See if that helps.

Paul.
From melaina at libero.it Wed Jan 31 05:04:59 2007 From: melaina at libero.it (melaina at libero.it) Date: Wed, 31 Jan 2007 06:04:59 +0100 Subject: Mail problems... Message-ID: Hello! I have just started playing a bit with SELinux in permissive mode on my system. I have qmail with spamassassin installed; the only AVC denied messages I get (after I relabeled the system and fixed domains on a couple of log files), is the following: Jan 30 20:23:13 drake kernel: audit(1170210193.998:8): avc: denied { read } for pid=11862 comm="sendmail" name="RsmVLSTr" dev=loop0 ino=20 scontext=user_u: system_r:system_mail_t tcontext=user_u:object_r:httpd_sys_script_rw_t tclass=fil e Jan 30 20:23:13 drake kernel: audit(1170210193.998:9): avc: denied { read wr ite } for pid=11862 comm="sendmail" name="jk-runtime-status" dev=hda5 ino=49827 49 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tclass=file Jan 30 20:23:14 drake kernel: audit(1170210194.019:10): avc: denied { ioctl } for pid=11863 comm="qmail-scanner-q" name="error_log" dev=hda5 ino=4984894 sc ontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tcla ss=file Jan 30 20:23:14 drake kernel: audit(1170210194.026:11): avc: denied { read } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 scontext= user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=file Jan 30 20:23:14 drake kernel: audit(1170210194.026:12): avc: denied { getatt r } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 sconte xt=user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=f ile Jan 30 20:23:15 drake kernel: audit(1170210195.204:13): avc: denied { append } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 s context=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tcl ass=file Jan 30 20:23:15 drake kernel: audit(1170210195.204:14): avc: denied { ioctl } for pid=11863 
comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.205:15): avc: denied { getattr } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.206:16): avc: denied { read } for pid=11863 comm="perl5.8.5" name="qmail-scanner-queue-version.txt" dev=hda5 ino=5130273 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.208:17): avc: denied { write } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=5195094 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.208:18): avc: denied { add_name } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.208:19): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.409:20): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.410:21): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.410:22): avc: denied { getattr } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.414:23): avc: denied { write } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.418:24): avc: denied { link } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.419:25): avc: denied { remove_name } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.419:26): avc: denied { unlink } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.424:27): avc: denied { read write } for pid=11864 comm="sh" name="tty" dev=tmpfs ino=1804 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:devtty_t tclass=chr_file
Jan 30 20:23:15 drake kernel: audit(1170210195.431:28): avc: denied { read } for pid=11865 comm="sh" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.434:29): avc: denied { write } for pid=11865 comm="reformime" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.434:30): avc: denied { add_name } for pid=11865 comm="reformime" name="1170210195.11865-0.drake.mydomain.com" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.739:31): avc: denied { read } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.755:32): avc: denied { read } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=4980740 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_t tclass=lnk_file
Jan 30 20:23:15 drake kernel: audit(1170210195.795:33): avc: denied { execute } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.796:34): avc: denied { execute_no_trans } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.796:35): avc: denied { read } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.798:36): avc: denied { search } for pid=11867 comm="find" name="selinux" dev=hda5 ino=557257 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.798:37): avc: denied { read } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.798:38): avc: denied { getattr } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.860:39): avc: denied { read } for pid=11871 comm="rm" name="qscan" dev=hda5 ino=5130256 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.860:40): avc: denied { remove_name } for pid=11871 comm="rm" name="1170210195.11865-0.drake.mydomain.com" dev=hda5 ino=5408222 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.861:41): avc: denied { rmdir } for pid=11871 comm="rm" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.873:42): avc: denied { sigchld } for pid=1 comm="init" scontext=user_u:system_r:system_mail_t tcontext=user_u:system_r:unconfined_t tclass=process

Any directions to fix this? Thanks!
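Before deciding whether a dump like the one above calls for relabeling or for a local policy module, it helps to collapse the records into the (source type, target type, object class) triples that audit2allow would turn into allow rules. The following is an added example, not code from the original post nor from any SELinux or qmail-scanner tooling: it parses the 2.6-era kernel AVC record format quoted in the post and groups the denials that way. The sample records are copied from the post (with the mail client's line-wrap damage repaired); the function names are my own.

```python
import re
from collections import defaultdict

# Matches the kernel AVC record format quoted in the post:
#   audit(<secs>.<ms>:<serial>): avc: denied { perm perm } for key=value ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either double-quoted (comm, name) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample records copied from the post above (wrap damage repaired), plus one
# unrelated syslog line to show that non-AVC output is skipped.
SAMPLE_LINES = [
    'Jan 30 20:23:15 drake kernel: audit(1170210195.205:15): avc: denied { getattr } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file',
    'Jan 30 20:23:15 drake kernel: audit(1170210195.208:17): avc: denied { write } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=5195094 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir',
    'Jan 30 20:23:15 drake kernel: audit(1170210195.424:27): avc: denied { read write } for pid=11864 comm="sh" name="tty" dev=tmpfs ino=1804 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:devtty_t tclass=chr_file',
    'Jan 30 20:23:15 drake kernel: audit(1170210195.795:33): avc: denied { execute } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file',
    'Jan 30 20:23:15 drake kernel: audit(1170210195.796:34): avc: denied { execute_no_trans } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file',
    'Jan 30 20:23:15 drake kernel: audit(1170210195.798:36): avc: denied { search } for pid=11867 comm="find" name="selinux" dev=hda5 ino=557257 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:selinux_config_t tclass=dir',
    'Jan 30 20:23:15 drake kernel: audit(1170210195.873:42): avc: denied { sigchld } for pid=1 comm="init" scontext=user_u:system_r:system_mail_t tcontext=user_u:system_r:unconfined_t tclass=process',
    'Jan 30 20:23:16 drake kernel: eth0: link up',  # constructed non-AVC line
]


def parse_avc(line):
    """Return {'perms': [...], <field>: <value>, ...} for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Type component (third field) of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(lines):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "scontext" not in rec or "tcontext" not in rec:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec.get("tclass", "?"))
        grouped[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def target_types(summary):
    """Distinct target types touched; a quick view of what the domain is reaching into."""
    return sorted({tgt for (_src, tgt, _cls) in summary})


def unlabeled_denials(summary):
    """Entries whose target is file_t, the type a file carries when it has no label at all.
    Those point at files needing a relabel rather than at a missing allow rule."""
    return {key: perms for key, perms in summary.items() if key[1] == "file_t"}


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for (src, tgt, cls), perms in sorted(report.items()):
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    print("target types:", target_types(report))
    print("unlabeled targets:", unlabeled_denials(report))
```

Run over the full dump, the grouped view separates the spool directory denials (var_spool_t), the unlabeled `find` binary (file_t), the SELinux config directory (selinux_config_t), the tty (devtty_t) and the sigchld to init (unconfined_t), so each group can be weighed on its own instead of feeding the whole log to audit2allow and allowing everything at once.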
