From spng.yang at gmail.com Fri Jun 1 06:40:37 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 01 Jun 2007 14:40:37 +0800
Subject: gnome-settings-daemon fails in strict policy at version 2301
Message-ID: <465FBF65.90602@gmail.com>

I checked out policy from svn at version 2301, and built it on FC7 Rawhide. After switching from targeted to strict, I cannot make my gnome-settings-daemon work well:

### the detailed context is in this thread:
http://marc.info/?l=selinux&m=118050940823692&w=2
###

I log in as a normal user through X window, but I got other errors:

"Fails to execute program: /usr/libexec/gnome-settings-daemon"

The corresponding AVCs were:

type=AVC msg=audit(1180319582.421:32): avc: denied { execute } for pid=1855 comm="dbus-daemon" name="gnome-settings-daemon" dev=sda1 ino=215756 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1180319582.421:32): avc: denied { execute_no_trans } for pid=1855 comm="dbus-daemon" name="gnome-settings-daemon" dev=sda1 ino=215756 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

I added two template calls in dbus_per_role_template() to remove these two errors:

corecmd_exec_bin($1_dbusd_t)

Additionally, there were still other errors about gnome-settings-daemon:

type=AVC msg=audit(1180319581.037:31): avc: denied { search } for pid=1844 comm="dbus-daemon" name="yangshao" dev=sda1 ino=1407785 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

I used an interface to remove this denial:

userdom_search_user_home_dirs($1,$1_dbusd_t)

(also in dbus_per_role_template())

After re-making and rebooting, I got another error:

"... /usr/libexec/gnome-settings-daemon received singal 6..."
It seemed that gnome-settings-daemon received the SIGABRT signal, and I found an AVC denied message:

type=AVC msg=audit(1180493663.406:31): avc: denied { getsched } for pid=1856 comm="gnome-settings-" scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=process

So I permitted getsched for user_dbusd_t to try to fix this "signal 6" error:

allow $1_dbusd_t self:process { getattr sigkill signal getsched };

But after adding this, gnome-settings-daemon exits with status 1 after rebooting, and some AVC denied messages came out:

type=AVC msg=audit(1180494884.832:87): avc: denied { search } for pid=2112 comm="gnome-settings-" name=".X11-unix" dev=sda1 ino=327976 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1180494884.840:88): avc: denied { create } for pid=2112 comm="gnome-settings-" scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1180494884.840:89): avc: denied { name_connect } for pid=2112 comm="gnome-settings-" dest=6000 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket

I wonder whether these errors are caused by my modification, and how to make gnome-settings-daemon work???

Thanks in advance

From tmraz at redhat.com Fri Jun 1 07:47:17 2007
From: tmraz at redhat.com (Tomas Mraz)
Date: Fri, 01 Jun 2007 09:47:17 +0200
Subject: Some enhancements for pam_namespace
Message-ID: <1180684037.28908.9.camel@perun.kabelta.loc>

I've implemented some enhancements for pam_namespace which can be used for temporary logons. These enhancements were proposed by Dan Walsh. Please review if you're interested.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

From bobk at ocf.berkeley.edu Sat Jun 2 00:22:19 2007
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 01 Jun 2007 17:22:19 -0700
Subject: Fedora 7 nvidia issues
Message-ID: <1180743739.6049.14.camel@chaucer>

Hi, folks. I'm having a few issues with nvidia on a fresh install of F7. During startup I see messages that state that nvidia can't create:

/dev/nvidia0
/dev/nvidia1
/dev/nvidia2
/dev/nvidia3
/dev/nvidiactl

kmod-nvidia-96xx-1.0.9631-12.2.6.21_1.3194.fc7
xorg-x11-drv-nvidia-96xx-1.0.9631-11.lvn7

Here are the relevant avcs while running in permissive mode:

Jun 1 12:48:17 chaucer kernel: audit(1180702076.657:2): policy loaded auid=4294967295
Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:3): avc: denied { getattr } for pid=410 comm="cp" name="nvidia0" dev=sda2 ino=1944970 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file
Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:4): avc: denied { create } for pid=410 comm="cp" name="nvidia0" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file
Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:5): avc: denied { setattr } for pid=410 comm="cp" name="nvidia0" dev=tmpfs ino=1644 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file

Thanks,

Bob

From bobk at ocf.berkeley.edu Sat Jun 2 00:27:29 2007
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Fri, 01 Jun 2007 17:27:29 -0700
Subject: Fedora 7 Alsa avc
Message-ID: <1180744049.6049.17.camel@chaucer>

I'm getting this avc on F7 but audio seems to be working fine. But I thought that I would report it anyway.
Relevant avc:

Jun 1 12:48:17 chaucer kernel: audit(1180727286.622:6): avc: denied { search } for pid=1076 comm="salsa" name="root" dev=sda2 ino=940065 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

From selinux at gmail.com Sat Jun 2 19:59:02 2007
From: selinux at gmail.com (Tom London)
Date: Sat, 2 Jun 2007 12:59:02 -0700
Subject: AVC from dhclient on boot....
Message-ID: <4c4ba1530706021259q1887cf97oda167ea751304cf@mail.gmail.com>

Seeing this for the last few days on Rawhide:

Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX/TX
Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: 10/100 speed: disabling TSO
Jun 2 12:24:36 localhost kernel: audit(1180812265.018:8): avc: denied { getattr } for pid=2101 comm="dhclient-script" name="setfiles" dev=dm-0 ino=11337869 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

Not sure where this comes from.

There is a call to 'cp -fp', could that be it?

tom
-- 
Tom London

From selinux at gmail.com Sat Jun 2 20:05:32 2007
From: selinux at gmail.com (Tom London)
Date: Sat, 2 Jun 2007 13:05:32 -0700
Subject: AVC from dhclient on boot....
In-Reply-To: <4c4ba1530706021259q1887cf97oda167ea751304cf@mail.gmail.com>
References: <4c4ba1530706021259q1887cf97oda167ea751304cf@mail.gmail.com>
Message-ID: <4c4ba1530706021305y733e96b1t267db2e30a58d8ed@mail.gmail.com>

On 6/2/07, Tom London wrote:
> Seeing this for the last few days on Rawhide:
>
> Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX/TX
> Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: 10/100 speed: disabling TSO
> Jun 2 12:24:36 localhost kernel: audit(1180812265.018:8): avc: denied { getattr } for pid=2101 comm="dhclient-script" name="setfiles" dev=dm-0 ino=11337869 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
>
> Not sure where this comes from.
>
> There is a call to 'cp -fp', could that be it?
>
BZ'd here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242259

-- 
Tom London

From unc at gmx.ch Sat Jun 2 22:12:23 2007
From: unc at gmx.ch (Nils Caspar)
Date: Sun, 03 Jun 2007 00:12:23 +0200
Subject: "Could not change policy booleans"
Message-ID: <4661EB47.2060108@gmx.ch>

Hi

I'd like to change some policy booleans. For example httpd_can_network_connect. So I tried this (as root):

> /usr/sbin/setsebool -P httpd_can_network_connect=1

But then I get "Could not change policy booleans".

This works:

> /usr/sbin/setsebool httpd_can_network_connect=1

I could put this into a boot script ;)

In /var/log/messages, I get the following entry:

> Jun 3 00:02:56 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=3) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)

Have you any ideas?
Cu Nils

From knute at frazmtn.com Sat Jun 2 23:50:52 2007
From: knute at frazmtn.com (Knute Johnson)
Date: Sat, 02 Jun 2007 16:50:52 -0700
Subject: Fedora 7 nvidia issues
In-Reply-To: <1180743739.6049.14.camel@chaucer>
References: <1180743739.6049.14.camel@chaucer>
Message-ID: <46619FEC.30626.471DB0@knute.frazmtn.com>

>Hi, folks. I'm having a few issues with nvidia on a fresh install of F7.
>During startup I see messages that state that nvidia can't create:
>
>/dev/nvidia0
>/dev/nvidia1
>/dev/nvidia2
>/dev/nvidia3
>/dev/nvidiactl
>
>kmod-nvidia-96xx-1.0.9631-12.2.6.21_1.3194.fc7
>xorg-x11-drv-nvidia-96xx-1.0.9631-11.lvn7
>
>Here are the relevant avcs while running in permissive mode:
>
>Jun 1 12:48:17 chaucer kernel: audit(1180702076.657:2): policy loaded auid=4294967295
>Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:3): avc: denied { getattr } for pid=410 comm="cp" name="nvidia0" dev=sda2 ino=1944970 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file
>Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:4): avc: denied { create } for pid=410 comm="cp" name="nvidia0" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file
>Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:5): avc: denied { setattr } for pid=410 comm="cp" name="nvidia0" dev=tmpfs ino=1644 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file
>
>Thanks,
>
>Bob

Bob:

I had the same problem when I installed kmod-nvidia. I'm not sure what caused the issues but right after I installed it I logged out and then logged in and it worked fine but gave me the same messages you got when I rebooted. I uninstalled and rebooted and still had the error messages. I thought it was a selinux issue so I relabeled the whole disk. Then I rebooted again and reinstalled kmod-nvidia then immediately rebooted again. This time it worked fine.
So I'm not sure what the fix was, the relabeling or the rebooting immediately, but give it a try.

-- 
Knute Johnson
Molon Labe...

From fedora at leemhuis.info Sun Jun 3 06:14:11 2007
From: fedora at leemhuis.info (Thorsten Leemhuis)
Date: Sun, 03 Jun 2007 08:14:11 +0200
Subject: Fedora 7 nvidia issues
In-Reply-To: <1180743739.6049.14.camel@chaucer>
References: <1180743739.6049.14.camel@chaucer>
Message-ID: <46625C33.8090803@leemhuis.info>

On 02.06.2007 02:22, Bob Kashani wrote:
> Hi, folks. I'm having a few issues with nvidia on a fresh install of F7.
> During startup I see messages that state that nvidia can't create:
>
> /dev/nvidia0
> /dev/nvidia1
> /dev/nvidia2
> /dev/nvidia3
> /dev/nvidiactl
>
> kmod-nvidia-96xx-1.0.9631-12.2.6.21_1.3194.fc7
> xorg-x11-drv-nvidia-96xx-1.0.9631-11.lvn7
>
> Here are the relevant avcs while running in permissive mode:
> [...]

I heard it should be fixed with the latest update pushed by livna.

CU
thl

From bobk at ocf.berkeley.edu Sun Jun 3 06:40:36 2007
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Sat, 02 Jun 2007 23:40:36 -0700
Subject: Fedora 7 nvidia issues
In-Reply-To: <46625C33.8090803@leemhuis.info>
References: <1180743739.6049.14.camel@chaucer> <46625C33.8090803@leemhuis.info>
Message-ID: <1180852836.3713.2.camel@chaucer>

On Sun, 2007-06-03 at 08:14 +0200, Thorsten Leemhuis wrote:
> On 02.06.2007 02:22, Bob Kashani wrote:
> > Hi, folks. I'm having a few issues with nvidia on a fresh install of F7.
> > During startup I see messages that state that nvidia can't create:
> >
> > /dev/nvidia0
> > /dev/nvidia1
> > /dev/nvidia2
> > /dev/nvidia3
> > /dev/nvidiactl
> >
> > kmod-nvidia-96xx-1.0.9631-12.2.6.21_1.3194.fc7
> > xorg-x11-drv-nvidia-96xx-1.0.9631-11.lvn7
> >
> > Here are the relevant avcs while running in permissive mode:
> > [...]
>
> I heard it should be fixed with the latest update pushed by livna.

Yes, I just ran a 'yum update' and it seems to be fixed now. :)

Many thanks, for all the replies.
Bob

From gauret at free.fr Sun Jun 3 12:33:44 2007
From: gauret at free.fr (Aurelien Bompard)
Date: Sun, 03 Jun 2007 14:33:44 +0200
Subject: Udev AVC spawning a script
Message-ID:

Hi,

I co-maintain synce (a framework to connect to PocketPC devices) in Fedora, and since Fedora 7 it does not autoconnect the device when plugged in.

Autoconnection is done by a udev rule:

# cat /etc/udev/rules.d/60-synce.rules
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="0bb4", SYSFS{idProduct}=="0a06", SYMLINK+="ipaq", RUN+="/usr/bin/synce-serial-start"

synce-serial-start is a shell script that sources a file: /usr/share/synce/synce-serial-common

On F7, I get AVC messages for getattr and read permissions from synce-serial-start to this file:

type=AVC msg=audit(1180872169.345:3815): avc: denied { getattr } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

type=AVC_PATH msg=audit(1180872169.345:3815): path="/usr/share/synce/synce-serial-common"

type=AVC msg=audit(1180872169.345:3816): avc: denied { read } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

How should I label /usr/share/synce/synce-serial-common to allow access from udev_t?

And in general, how can I view which labels are allowed (and in which way) for a given type?

Thanks !
Aurélien
-- 
http://aurelien.bompard.org ~~~~ Jabber : abompard at jabber.fr
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlbxq' | dc

From linux_4ever at yahoo.com Sun Jun 3 13:05:33 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Sun, 3 Jun 2007 06:05:33 -0700 (PDT)
Subject: "Could not change policy booleans"
In-Reply-To: <4661EB47.2060108@gmx.ch>
Message-ID: <808892.53185.qm@web51510.mail.re2.yahoo.com>

>So I tried this (as root):
>/usr/sbin/setsebool -P httpd_can_network_connect=1
>But then I get "Could not change policy booleans".

That should have worked. That should be the correct syntax. Was there an avc associated with trying to set this? Also, are you completely updated on selinux packages?

>This works:
> /usr/sbin/setsebool httpd_can_network_connect=1
>I could put this into a boot script ;)

You shouldn't have to do that. I just checked this on a fully updated fc6 machine and it works fine.

>In /var/log/messages, I get the following entry:
> Jun 3 00:02:56 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=3) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)

That should have been solved by an update to dbus in fc6 a month ago. What Fedora release are you running? Are you completely updated?

-Steve

From unc at gmx.ch Sun Jun 3 13:47:20 2007
From: unc at gmx.ch (Nils Caspar)
Date: Sun, 03 Jun 2007 15:47:20 +0200
Subject: "Could not change policy booleans"
In-Reply-To: <808892.53185.qm@web51510.mail.re2.yahoo.com>
References: <808892.53185.qm@web51510.mail.re2.yahoo.com>
Message-ID: <4662C668.9000604@gmx.ch>

> That should have been solved by an update to dbus in fc6 a month ago. What Fedora
> release are you running? Are you completely updated?

I'm running a fully updated fedora 7.

> That should have worked.
> That should be the correct syntax. Was there an avc
> associated with trying to set this?

There was no other warning. I have the same problem in another fedora 7 VM. Maybe it's a fedora 7 bug... :(

From bobk at ocf.berkeley.edu Mon Jun 4 00:08:26 2007
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Sun, 03 Jun 2007 17:08:26 -0700
Subject: Samba log files have wrong context?
Message-ID: <1180915706.3030.11.camel@chaucer>

SELinux keeps complaining that the file contexts for log files in /var/log/samba are wrong. All of the files are labeled samba_log_t but it seems to want samba_share_t, is this correct?

This is what selinux troubleshooter reports:

Summary
    SELinux is preventing samba (/usr/sbin/smbd) "append" to log.chaucer (samba_log_t).

Detailed Description
    SELinux denied samba access to log.chaucer. If you want to share this
    directory with samba it has to have a file context label of samba_share_t.
    If you did not intend to use log.chaucer as a samba repository it could
    indicate either a bug or it could signal a intrusion attempt.
Allowing Access
    You can alter the file context by executing chcon -R -t samba_share_t log.chaucer

    The following command will allow this access:
    chcon -R -t samba_share_t log.chaucer

Additional Information

Source Context                system_u:system_r:smbd_t
Target Context                system_u:object_r:samba_log_t
Target Objects                log.chaucer [ file ]
Affected RPM Packages         samba-3.0.25-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.samba_share
Host Name                     chaucer
Platform                      Linux chaucer 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   3
First Seen                    Sun 03 Jun 2007 04:50:41 PM PDT
Last Seen                     Sun 03 Jun 2007 04:50:41 PM PDT
Local ID                      ef44bd9c-87aa-4898-9c3d-bb0a3def2ade
Line Numbers

Raw Audit Messages

avc: denied { append } for comm="smbd" dev=sda2 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="log.chaucer" pid=2945 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0

From dwalsh at redhat.com Mon Jun 4 13:44:02 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 04 Jun 2007 09:44:02 -0400
Subject: AVC from dhclient on boot....
In-Reply-To: <4c4ba1530706021305y733e96b1t267db2e30a58d8ed@mail.gmail.com>
References: <4c4ba1530706021259q1887cf97oda167ea751304cf@mail.gmail.com> <4c4ba1530706021305y733e96b1t267db2e30a58d8ed@mail.gmail.com>
Message-ID: <46641722.8010102@redhat.com>

Tom London wrote:
> On 6/2/07, Tom London wrote:
>> Seeing this for the last few days on Rawhide:
>>
>> Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX/TX
>> Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: 10/100 speed: disabling TSO
>> Jun 2 12:24:36 localhost kernel: audit(1180812265.018:8): avc: denied { getattr } for pid=2101 comm="dhclient-script" name="setfiles" dev=dm-0 ino=11337869 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
>>
>> Not sure where this comes from.
>>
>> There is a call to 'cp -fp', could that be it?
>>
> BZ'd here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242259
>
setfiles/restorecon now share the same context setfiles_exec_t. dhcpc is executing restorecon in some of its scripts, I would guess. There is a major policy update for Rawhide that I have been working on that should fix these problems (merging Strict/Targeted policy). But it might break other stuff so I am trying to work out the major bugs.

From dwalsh at redhat.com Mon Jun 4 13:51:39 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 04 Jun 2007 09:51:39 -0400
Subject: Udev AVC spawning a script
In-Reply-To:
References:
Message-ID: <466418EB.3010004@redhat.com>

Aurelien Bompard wrote:
> Hi,
>
> I co-maintain synce (a framework to connect to PocketPC devices) in Fedora,
> and since Fedora 7 it does not autoconnect the device when plugged in.
>
> Autoconnection is done by a udev rule:
> # cat /etc/udev/rules.d/60-synce.rules
> ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="0bb4",
> SYSFS{idProduct}=="0a06", SYMLINK+="ipaq",
> RUN+="/usr/bin/synce-serial-start"
>
> synce-serial-start is a shell script that sources a
> file: /usr/share/synce/synce-serial-common
>
> On F7, I get AVC messages for getattr and read permissions from
> synce-serial-start to this file:
>
> type=AVC msg=audit(1180872169.345:3815): avc: denied { getattr } for
> pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2
> ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> type=AVC_PATH msg=audit(1180872169.345:3815):
> path="/usr/share/synce/synce-serial-common"
>
> type=AVC msg=audit(1180872169.345:3816): avc: denied { read } for
> pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2
> ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> How should I label /usr/share/synce/synce-serial-common to allow access from
> udev_t?
> And in general, how can I view which labels are allowed (and in which way)
> for a given type?
>
> Thanks !
>
> Aurélien
>
I will update policy to allow this priv (2.6.4-13). I don't think you should relabel the file.

Discovering what a domain can do is somewhat difficult. There are tools in setools that allow you to make queries, like: can this domain access this type? And you can probably generate a report of all the types a domain can access. Also reading the policy is not that difficult.

files_read_usr_files(udev_t)

Adds the privs.

From dwalsh at redhat.com Mon Jun 4 18:39:04 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 04 Jun 2007 14:39:04 -0400
Subject: Samba log files have wrong context?
In-Reply-To: <1180915706.3030.11.camel@chaucer>
References: <1180915706.3030.11.camel@chaucer>
Message-ID: <46645C48.7000107@redhat.com>

Bob Kashani wrote:
> SELinux keeps complaining that the file contexts for log files
> in /var/log/samba are wrong. All of the files are labeled samba_log_t
> but it seems to want samba_share_t, is this correct?
>
> This is what selinux troubleshooter reports:
>
> Summary
>     SELinux is preventing samba (/usr/sbin/smbd) "append" to log.chaucer (samba_log_t).
>
> Detailed Description
>     SELinux denied samba access to log.chaucer. If you want to share this
>     directory with samba it has to have a file context label of samba_share_t.
>     If you did not intend to use log.chaucer as a samba repository it could
>     indicate either a bug or it could signal a intrusion attempt.
>
> Allowing Access
>     You can alter the file context by executing chcon -R -t samba_share_t log.chaucer
>
>     The following command will allow this access:
>     chcon -R -t samba_share_t log.chaucer
>
> Additional Information
>
> Source Context                system_u:system_r:smbd_t
> Target Context                system_u:object_r:samba_log_t
> Target Objects                log.chaucer [ file ]
> Affected RPM Packages         samba-3.0.25-2.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-8.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.samba_share
> Host Name                     chaucer
> Platform                      Linux chaucer 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
> Alert Count                   3
> First Seen                    Sun 03 Jun 2007 04:50:41 PM PDT
> Last Seen                     Sun 03 Jun 2007 04:50:41 PM PDT
> Local ID                      ef44bd9c-87aa-4898-9c3d-bb0a3def2ade
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { append } for comm="smbd" dev=sda2 egid=0 euid=0
> exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> name="log.chaucer" pid=2945 scontext=system_u:system_r:smbd_t:s0 sgid=0
> subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file
> tcontext=system_u:object_r:samba_log_t:s0
> tty=(none) uid=0
>
No this is broken policy. It will be fixed in selinux-policy-2.6.4-13.fc7

You can use

grep samba_log_t /var/log/audit/audit.log | audit2allow -M mysamba
semodule -i mysamba.pp

To allow this on your machine.

From olivares14031 at yahoo.com Mon Jun 4 18:30:43 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 4 Jun 2007 11:30:43 -0700 (PDT)
Subject: mknod denials, avcs from dmesg please help
Message-ID: <662902.59324.qm@web52601.mail.re2.yahoo.com>

Dear Selinux experts,

I have successfully loaded Fedora 7 on a machine that refused to boot it with a kernel panic. I am on track with it but selinux is getting in my way. I have done

[root at localhost ~]# restorecon -v /
[root at localhost ~]# touch /.autorelabel; reboot

three times and still these avcs refuse to go away.

Summary
    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied. These
    files/directories have the default label on them. This can indicate a labeling
    problem, especially if the files being referred to are not top level
    directories. Any files/directories under standard system directories, /usr,
    /var. /dev, /tmp, ..., should not be labeled with the default label. The
    default label is for files/directories which do not have a label on a parent
    directory. So if you create a new directory in / you might legitimately get
    this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to
    relabel the file/directory with chcon.
    In some cases it is just easier to relabel the system, to relabel execute:
    "touch /.autorelabel; reboot"

Additional Information

Source Context                system_u:system_r:consolekit_t
Target Context                system_u:object_r:default_t
Target Objects                root [ dir ]
Affected RPM Packages         ConsoleKit-x11-0.2.1-2.fc7 [application]filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.default
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sun 03 Jun 2007 11:10:16 PM CDT
Last Seen                     Sun 03 Jun 2007 11:10:16 PM CDT
Local ID                      2ea0300c-de6c-4cb1-a4a7-edbca6d8fcf1
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="ck-get-x11-serv" dev=dm-0 egid=0 euid=0 exe="/usr/libexec/ck-get-x11-server-pid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=2512 scontext=system_u:system_r:consolekit_t:s0 sgid=0 subj=system_u:system_r:consolekit_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0

Summary
    SELinux is preventing /bin/mknod (insmod_t) "write" to / (device_t).

Detailed Description
    SELinux denied access requested by /bin/mknod. It is not expected that this
    access is required by /bin/mknod and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for /,

    restorecon -v /

    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Additional Information

Source Context                system_u:system_r:insmod_t
Target Context                system_u:object_r:device_t
Target Objects                / [ dir ]
Affected RPM Packages         coreutils-6.9-2.fc7 [application]filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Sun 03 Jun 2007 11:52:01 PM CDT
Last Seen                     Sun 03 Jun 2007 11:52:01 PM CDT
Local ID                      2f4ccd0d-5eab-4194-9ce2-9b424aed8163
Line Numbers

Raw Audit Messages

avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2893 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

Here they are again from dmesg.
audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir

and

SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1180944512.785:5): enforcing=0 old_enforcing=1 auid=4294967295
audit(1180944712.754:6): avc: denied { getattr } for pid=996 comm="setfiles" name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1180944712.754:7): avc: denied { getattr } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:8): avc: denied { read } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:9): avc: denied { search } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:10): avc: denied { getattr } for pid=996 comm="setfiles" name="smp_affinity" dev=proc ino=-268435372 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file
audit(1180944712.754:11): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
audit(1180944712.754:12): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
audit(1180944712.754:13): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
audit(1180944712.754:14): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
audit(1180944712.754:15): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1180944712.754:16): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
audit(1180944712.754:17): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1180944712.754:18): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file
audit(1180944712.754:19): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=dir
audit(1180944712.754:20): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
audit(1180944712.754:21): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file
audit(1180944712.754:22): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=file
audit(1180944712.754:23): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=dir
audit(1180944712.754:24): avc: denied { getattr } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:25): avc: denied { read } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:26): avc: denied { search } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:27): avc: denied { getattr } for pid=996 comm="setfiles" name="packet" dev=proc ino=-268435293 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
audit(1180944712.754:28): avc: denied { getattr } for pid=996 comm="setfiles" name="kcore" dev=proc ino=-268435434 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1180944712.754:29): avc: denied { getattr } for pid=996 comm="setfiles" name="kmsg" dev=proc ino=-268435447 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
audit(1180944712.754:30): avc: denied { getattr } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:31): avc: denied { read } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:32): avc: denied { search } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:33): avc: denied { getattr } for pid=996 comm="setfiles" name="10" dev=proc ino=7925 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
audit(1180944712.754:34): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=7905 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
audit(1180944712.754:35): avc: denied { getattr } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:36): avc: denied { read } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:37): avc: denied { search } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:38): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=7962 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
audit(1180944712.754:39): avc: denied { getattr } for pid=996 comm="setfiles" name="cwd" dev=proc ino=7970 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file
audit(1180944716.754:40): avc: denied { getattr } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:41): avc: denied { read } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:42): avc: denied { search } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:43): avc: denied { getattr } for pid=996 comm="setfiles" name="0" dev=proc ino=9478 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file
audit(1180944716.754:44): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=9458 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file
audit(1180944716.754:45): avc: denied { getattr } for pid=996 comm="setfiles" name="360" dev=proc
ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir audit(1180944716.754:46): avc: denied { read } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir audit(1180944716.754:47): avc: denied { search } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir audit(1180944716.754:48): avc: denied { getattr } for pid=996 comm="setfiles" name="0" dev=proc ino=9597 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lnk_file audit(1180944716.754:49): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=9577 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file audit(1180944820.238:50): avc: denied { create } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket audit(1180944820.238:51): avc: denied { write } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket audit(1180944820.238:52): avc: denied { nlmsg_relay } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket audit(1180944820.238:53): avc: denied { audit_write } for pid=995 comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability audit(1180944820.238:54): avc: denied { read } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket audit(1180944820.238:55): enforcing=1 old_enforcing=0 auid=4294967295 Suggestions/advice as to how to fix 
this are greatly appreciated. [olivares at localhost ~]$ uname -a Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon i386 GNU/Linux [olivares at localhost ~]$ cat /etc/fedora-release Fedora release 7 (Moonshine) [olivares at localhost ~]$ Regards, Antonio ____________________________________________________________________________________ We won't tell. Get more on shows you hate to love (and love to hate): Yahoo! TV's Guilty Pleasures list. http://tv.yahoo.com/collections/265 From dwalsh at redhat.com Mon Jun 4 18:55:57 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 04 Jun 2007 14:55:57 -0400 Subject: mknod denials, avcs from dmesg please help In-Reply-To: <662902.59324.qm@web52601.mail.re2.yahoo.com> References: <662902.59324.qm@web52601.mail.re2.yahoo.com> Message-ID: <4664603D.2090904@redhat.com> Ok the avc audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root. What node is insmod trying to create in /dev? Do you have any idea what is going on here? 
This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7

Also

From olivares14031 at yahoo.com Mon Jun 4 20:33:41 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 4 Jun 2007 13:33:41 -0700 (PDT)
Subject: mknod denials, avcs from dmesg please help
Message-ID: <890918.96454.qm@web52610.mail.re2.yahoo.com>

----- Original Message ----
From: Daniel J Walsh
To: Antonio Olivares
Cc: fedora-selinux-list at redhat.com
Sent: Monday, June 4, 2007 1:55:57 PM
Subject: Re: mknod denials, avcs from dmesg please help

Ok the avc

audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir

Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root.

What node is insmod trying to create in /dev? Do you have any idea what is going on here?

This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7

Also

Thank you for responding. Indeed it is the mknod entry that is causing trouble. I use a SmartLink modem and thus I have added to /etc/modprobe.conf

alias char-major-243 slusb
alias char-major-242 slamr
install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)

so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 every time I start up the computer. This is for automation. As a result of this denied avc, automation of loading the slamr module fails.
This is the only one now causing trouble

audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir

How should I tackle this one, without disabling selinux, or setting it to permissive?

Thanks,

Antonio

From dwalsh at redhat.com Mon Jun 4 20:52:18 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 04 Jun 2007 16:52:18 -0400
Subject: mknod denials, avcs from dmesg please help
In-Reply-To: <890918.96454.qm@web52610.mail.re2.yahoo.com>
References: <890918.96454.qm@web52610.mail.re2.yahoo.com>
Message-ID: <46647B82.3040804@redhat.com>

Antonio Olivares wrote:
> ----- Original Message ----
> From: Daniel J Walsh
> To: Antonio Olivares
> Cc: fedora-selinux-list at redhat.com
> Sent: Monday, June 4, 2007 1:55:57 PM
> Subject: Re: mknod denials, avcs from dmesg please help
>
> Ok the avc
>
> audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root.
>
> What node is insmod trying to create in /dev? Do you have any idea what is going on here?
>
> This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7
>
> Also
>
>
> Thank you for responding. Indeed it is the mknod entry that is causing trouble.
> I use a SmartLink modem and thus I have added to /etc/modprobe.conf
>
> alias char-major-243 slusb
> alias char-major-242 slamr
> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
>
> so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 every time I start up the computer. This is for automation. As a result of this denied avc, automation of loading the slamr module fails.
>
> This is the only one now causing trouble
>
> audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> How should I tackle this one, without disabling selinux, or setting it to permissive?
>
> Thanks,
>
> Antonio
>
>
# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
# semodule -i myinsmod.pp

will customize your policy to allow mknod to work.
From olivares14031 at yahoo.com Mon Jun 4 22:27:07 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 4 Jun 2007 15:27:07 -0700 (PDT)
Subject: mknod denials, avcs from dmesg please help
Message-ID: <415536.28276.qm@web52604.mail.re2.yahoo.com>

----- Original Message ----
From: Daniel J Walsh
To: Antonio Olivares
Cc: fedora-selinux-list at redhat.com
Sent: Monday, June 4, 2007 3:52:18 PM
Subject: Re: mknod denials, avcs from dmesg please help

Antonio Olivares wrote:
> ----- Original Message ----
> From: Daniel J Walsh
> To: Antonio Olivares
> Cc: fedora-selinux-list at redhat.com
> Sent: Monday, June 4, 2007 1:55:57 PM
> Subject: Re: mknod denials, avcs from dmesg please help
>
> Ok the avc
>
> audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root.
>
> What node is insmod trying to create in /dev? Do you have any idea what is going on here?
>
> This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7
>
> Also
>
>
> Thank you for responding. Indeed it is the mknod entry that is causing trouble. I use a SmartLink modem and thus I have added to /etc/modprobe.conf
>
> alias char-major-243 slusb
> alias char-major-242 slamr
> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
>
> so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 every time I start up the computer. This is for automation. As a result of this denied avc, automation of loading the slamr module fails.
>
> This is the only one now causing trouble
>
> audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> How should I tackle this one, without disabling selinux, or setting it to permissive?
>
> Thanks,
>
> Antonio
>
>
# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
# semodule -i myinsmod.pp

will customize your policy to allow mknod to work.

Thanks for the help, but

[root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory
[root at localhost ~]# semodule -i myinsmod.pp
semodule: Could not read file 'myinsmod.pp':
[root at localhost ~]#

Which packages should I have to install in order for this to work?

Regards,

Antonio

From olivares14031 at yahoo.com Tue Jun 5 00:49:47 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 4 Jun 2007 17:49:47 -0700 (PDT)
Subject: mknod issue, checkpolicy was missing, now loaded.
Message-ID: <324395.89437.qm@web52606.mail.re2.yahoo.com>

Daniel,

checkpolicy was the one that was missing. Sorry for not figuring it out. And thanks for helping me out with selinux.
[olivares at localhost ~]$ rpm -qa checkpolicy
[olivares at localhost ~]$ rpm -qa selinux*
selinux-policy-targeted-2.6.4-8.fc7
selinux-policy-2.6.4-8.fc7

[root at localhost ~]# yum install checkpolicy
Loading "installonlyn" plugin
Setting up Install Process
Parsing package install arguments
fedora                    100% |=========================| 2.1 kB    00:00
primary.sqlite.bz2        100% |=========================| 3.8 MB    15:16
updates                   100% |=========================| 1.9 kB    00:00
primary.sqlite.bz2        100% |=========================|  95 kB    00:20
Resolving Dependencies
--> Running transaction check
---> Package checkpolicy.i386 0:2.0.2-1.fc7 set to be updated

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 checkpolicy             i386       2.0.2-1.fc7      fedora            256 k

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 256 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): checkpolicy-2.0.2- 100% |=========================| 256 kB    00:50
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
Importing GPG key 0x4F2A6FD2 "Fedora Project " from /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
Is this ok [y/N]: y
Importing GPG key 0xDB42A60E "Red Hat, Inc " from /etc/pki/rpm-gpg/RPM-GPG-KEY
Is this ok [y/N]: y
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: checkpolicy                  ######################### [1/1]

Installed: checkpolicy.i386 0:2.0.2-1.fc7
Complete!
[root at localhost ~]#
[root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myinsmod.pp

[root at localhost ~]# semodule -i myinsmod.pp

Regards,

Antonio

From nwaero at northwest-aero.com Tue Jun 5 01:18:25 2007
From: nwaero at northwest-aero.com (John Lindgren)
Date: Mon, 04 Jun 2007 18:18:25 -0700
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
Message-ID: <4664B9E1.10107@northwest-aero.com>

Hi,
New to this list, not totally new to selinux.

Running F7 with everything current (06/04/2007), policy is selinux-policy-targeted-2.6.4-8.fc7.

cat /var/log/audit/audit.log:
type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability

type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket

cat /var/log/audit/audit.log | audit2allow -M local:

cat local.te:
module local 1.0;

require {
	type dovecot_auth_t;
	class capability audit_write;
	class netlink_audit_socket { write nlmsg_relay create read };
}

#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read };

semodule -i local.pp:
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:capability { audit_write };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

Should I add something magical (what, I'm not sure) to the .te to allow this anyway? Or is there something missing from the distribution targeted policy? Or edit the base policy and recompile the whole thing? Or...

Anyone else having this problem?

John

From matt at gillens.us Tue Jun 5 01:25:51 2007
From: matt at gillens.us (Matthew Gillen)
Date: Mon, 04 Jun 2007 21:25:51 -0400
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4664B9E1.10107@northwest-aero.com>
References: <4664B9E1.10107@northwest-aero.com>
Message-ID: <4664BB9F.8000903@gillens.us>

John Lindgren wrote:
> Hi,
> New to this list, not totally new to selinux.
>
> Running F7 with everything current (06/04/2007), policy is
> selinux-policy-targeted-2.6.4-8.fc7.
>
> cat /var/log/audit/audit.log:
> type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write }
> for pid=13774 comm="dovecot-auth" capability=29
> scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
>
> type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for
> pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>
>
> cat /var/log/audit/audit.log | audit2allow -M local:
>
>
> cat local.te:
> module local 1.0;
>
> require {
> 	type dovecot_auth_t;
> 	class capability audit_write;
> 	class netlink_audit_socket { write nlmsg_relay create read };
> }
>
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t self:capability audit_write;
> allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
> create read };
>
>
> semodule -i local.pp:
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> dovecot_auth_t dovecot_auth_t:capability { audit_write };
> libsepol.check_assertions: 2 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> Should I add something magical (what, I'm not sure) to the .te to allow
> this anyway? Or is there something missing from the distribution
> targeted policy? Or edit the base policy and recompile the whole thing?
> Or...
>
> Anyone else having this problem?

Yep, I am. Got tired of tinkering last night and just put it in permissive mode for the time being.

I'm getting a slightly different .te file, but ultimately the same 2 assertion violations.
Matt

From nwaero at northwest-aero.com Tue Jun 5 03:08:01 2007
From: nwaero at northwest-aero.com (John Lindgren)
Date: Mon, 04 Jun 2007 20:08:01 -0700
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4664BB9F.8000903@gillens.us>
References: <4664B9E1.10107@northwest-aero.com> <4664BB9F.8000903@gillens.us>
Message-ID: <4664D391.6020705@northwest-aero.com>

Hi Matthew,

Do you have this as well?

fixfiles check;
matchpathcon_filespec_add: conflicting specifications for /var/lib/dovecot/ssl-parameters.dat and /var/run/dovecot/login/ssl-parameters.dat, using system_u:object_r:dovecot_var_run_t:s0.

Don't know if there is a connection yet... not an expert.

John

Matthew Gillen wrote:
> John Lindgren wrote:
>
>>Hi,
>>New to this list, not totally new to selinux.
>>
>>Running F7 with everything current (06/04/2007), policy is
>>selinux-policy-targeted-2.6.4-8.fc7.
>>
>>cat /var/log/audit/audit.log:
>>type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write }
>>for pid=13774 comm="dovecot-auth" capability=29
>>scontext=root:system_r:dovecot_auth_t:s0
>>tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
>>
>>type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for
>>pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
>>tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>>
>>
>>cat /var/log/audit/audit.log | audit2allow -M local:
>>
>>
>>cat local.te:
>>module local 1.0;
>>
>>require {
>>	type dovecot_auth_t;
>>	class capability audit_write;
>>	class netlink_audit_socket { write nlmsg_relay create read };
>>}
>>
>>#============= dovecot_auth_t ==============
>>allow dovecot_auth_t self:capability audit_write;
>>allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
>>create read };
>>
>>
>>semodule -i local.pp:
>>libsepol.check_assertion_helper: assertion on line 0 violated by allow
>>dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
>>libsepol.check_assertion_helper: assertion on line 0 violated by allow
>>dovecot_auth_t dovecot_auth_t:capability { audit_write };
>>libsepol.check_assertions: 2 assertion violations occured
>>libsemanage.semanage_expand_sandbox: Expand module failed
>>semodule: Failed!
>>
>>Should I add something magical (what, I'm not sure) to the .te to allow
>>this anyway? Or is there something missing from the distribution
>>targeted policy? Or edit the base policy and recompile the whole thing?
>>Or...
>>
>>Anyone else having this problem?
>
>
> Yep, I am. Got tired of tinkering last night and just put it in permissive
> mode for the time being.
>
> I'm getting a slightly different .te file, but ultimately the same 2 assertion
> violations.
>
> Matt
>

From tmraz at redhat.com Tue Jun 5 07:38:08 2007
From: tmraz at redhat.com (Tomas Mraz)
Date: Tue, 05 Jun 2007 09:38:08 +0200
Subject: [redhat-lspp] Some enhancements for pam_namespace
In-Reply-To: <20070604171037.GB2040@w-m-p.com>
References: <1180684037.28908.9.camel@perun.kabelta.loc> <20070604171037.GB2040@w-m-p.com>
Message-ID: <1181029088.2506.11.camel@perun.kabelta.loc>

On Mon, 2007-06-04 at 12:10 -0500, Klaus Weidner wrote:
> On Fri, Jun 01, 2007 at 09:47:17AM +0200, Tomas Mraz wrote:
> > I've implemented some enhancements for pam_namespace which can be used
> > for temporary logons. These enhancements were proposed by Dan Walsh.
> > Please review if you're interested.
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226
> > https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825
>
> I like the functionality, but I'm starting to think that pam_namespace
> may get too complex if too many special cases get added. Rather than
> implementing a complex ad-hoc language for the namespace conf file, would
> it make sense to provide the option of calling an external script, giving
> it username and context etc. as arguments, and using its output as a list
> of namespace configurations?
>
> That way, you could keep policy decisions in the script.

That would help just with the ~xguest part of the enhancements, but this change is really simple and doesn't affect much of the code. However, the temp dir part must be handled in the module directly. The only change could be, instead of calling 'rm -rf' directly, to call something like a namespace.remove script. But as the only logical thing is to remove the temporary directory anyway, I don't think it is worth the hassle.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

From shin216 at xf7.so-net.ne.jp Tue Jun 5 09:35:52 2007
From: shin216 at xf7.so-net.ne.jp (Shintaro Fujiwara)
Date: Tue, 05 Jun 2007 18:35:52 +0900
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4664BB9F.8000903@gillens.us>
References: <4664B9E1.10107@northwest-aero.com> <4664BB9F.8000903@gillens.us>
Message-ID: <1181036152.2452.1.camel@mama.intrajp-yokosuka.co.jp>

On 2007-06-04 at 21:25 -0400, Matthew Gillen wrote:
> John Lindgren wrote:
> > Hi,
> > New to this list, not totally new to selinux.
> >
> > Running F7 with everything current (06/04/2007), policy is
> > selinux-policy-targeted-2.6.4-8.fc7.
> >
> > cat /var/log/audit/audit.log:
> > type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write }
> > for pid=13774 comm="dovecot-auth" capability=29
> > scontext=root:system_r:dovecot_auth_t:s0
> > tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
> >
> > type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for
> > pid=13520 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> > tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> >
> >
> > cat /var/log/audit/audit.log | audit2allow -M local:
> >
> >
> > cat local.te:
> > module local 1.0;
> >
> > require {
> > 	type dovecot_auth_t;
> > 	class capability audit_write;
> > 	class netlink_audit_socket { write nlmsg_relay create read };
> > }
> >
> > #============= dovecot_auth_t ==============
> > allow dovecot_auth_t self:capability audit_write;
> > allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
> > create read };
> >
> >
> > semodule -i local.pp:
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow
> > dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow
> > dovecot_auth_t dovecot_auth_t:capability { audit_write };
> > libsepol.check_assertions: 2 assertion violations occured
> > libsemanage.semanage_expand_sandbox: Expand module failed
> > semodule: Failed!
> >
> > Should I add something magical (what, I'm not sure) to the .te to allow
> > this anyway? Or is there something missing from the distribution
> > targeted policy? Or edit the base policy and recompile the whole thing?
> > Or...
> >
> > Anyone else having this problem?
>
> Yep, I am. Got tired of tinkering last night and just put it in permissive
> mode for the time being.
>
> I'm getting a slightly different .te file, but ultimately the same 2 assertion
> violations.
>
> Matt
>

Same here ... I yum installed every selinux-related package.
I made localaudit.pp typing

#audit2allow -i /var/log/audit/audit.log -m localaudit > localaudit.te

at /usr/share/selinux/devel

#semodule -i localaudit.pp

violation reported by libsepol.check_assertions

local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
local_login_t local_login_t:capability { audit_write };
local_login_t local_login_t:capability { audit_control };

So, I commented those lines out in localaudit.te, including the require brace.
This time I succeeded installing localaudit.pp.

I restarted my machine setting Enforcing/strict.
During the startup process, I could see Keymap had failed.
I can't login from console.
I typed like a US key not jp106, still I can't.

From olivares14031 at yahoo.com Tue Jun 5 11:11:21 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 5 Jun 2007 04:11:21 -0700 (PDT)
Subject: mknod still not working after suggested fix
Message-ID: <352502.93943.qm@web52605.mail.re2.yahoo.com>

selinux is still not allowing mknod to do its job. I have to manually create the device node every boot

[root at localhost ~]# mknod -m 600 /dev/slamr0 c 242 0
[1]+  Done                    gedit /boot/grub/grub.conf
[root at localhost ~]# modprobe ungrab-winmodem
[root at localhost ~]# modprobe slamr
[root at localhost ~]# slmodemd -c USA /dev/slamr0 &
[1] 2709
[root at localhost ~]# SmartLink Soft Modem: version 2.9.11 Jun  4 2007 00:14:21
symbolic link `/dev/ttySL0' -> `/dev/pts/1' created.
modem `slamr0' created. TTY is `/dev/pts/1'
Use `/dev/ttySL0' as modem device, Ctrl+C for termination.
audit(1181023411.825:4): avc: denied { mknod } for pid=673 comm="mknod" capability=27 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability

[root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myinsmod.pp

[root at localhost ~]# semodule -i myinsmod.pp

What should I try now?

Regards,

Antonio

From sds at tycho.nsa.gov Tue Jun 5 12:38:36 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 05 Jun 2007 08:38:36 -0400
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4664B9E1.10107@northwest-aero.com>
References: <4664B9E1.10107@northwest-aero.com>
Message-ID: <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
> Hi,
> New to this list, not totally new to selinux.
>
> Running F7 with everything current (06/04/2007), policy is
> selinux-policy-targeted-2.6.4-8.fc7.
>
> cat /var/log/audit/audit.log:
> type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write }
> for pid=13774 comm="dovecot-auth" capability=29
> scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
>
> type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for
> pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:sys tem_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>
>
> cat /var/log/audit/audit.log | audit2allow -M local:
>
>
> cat local.te:
> module local 1.0;
>
> require {
>         type dovecot_auth_t;
>         class capability audit_write;
>         class netlink_audit_socket { write nlmsg_relay create read };
> }
>
> #============= dovecot_auth_t ==============
> allow dovecot_auth_t self:capability audit_write;
> allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
> create read };
>
>
> semodule -i local.pp:
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> dovecot_auth_t dovecot_auth_t:capability { audit_write };
> libsepol.check_assertions: 2 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> Should I add something magical (what, I'm not sure) to the .te to allow
> this anyway? Or is there something missing from the distribution
> targeted policy? Or edit the base policy and recompile the whole thing?
> Or...
>
> Anyone else having this problem?

The policy contains certain assertions (neverallow rules) to prevent
accidental adding of allow rules that are highly security sensitive or
that indicate a mistake in labeling.

To override such assertions, you have to add an appropriate type
attribute to the type to enable it to pass the neverallow rule. This is
usually done by using the right refpolicy interface.
In this case, that appears to be:
logging_send_audit_msg(dovecot_auth_t)

So replace those two allow rules with the above interface call.

Karl, any reason audit2allow didn't find that interface automatically?

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Tue Jun 5 13:19:55 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 05 Jun 2007 09:19:55 -0400
Subject: mknod denials, avcs from dmesg please help
In-Reply-To: <415536.28276.qm@web52604.mail.re2.yahoo.com>
References: <415536.28276.qm@web52604.mail.re2.yahoo.com>
Message-ID: <466562FB.3030602@redhat.com>

Antonio Olivares wrote:
> ----- Original Message ----
> From: Daniel J Walsh
> To: Antonio Olivares
> Cc: fedora-selinux-list at redhat.com
> Sent: Monday, June 4, 2007 3:52:18 PM
> Subject: Re: mknod denials, avcs from dmesg please help
>
> Antonio Olivares wrote:
>
>> ----- Original Message ----
>> From: Daniel J Walsh
>> To: Antonio Olivares
>> Cc: fedora-selinux-list at redhat.com
>> Sent: Monday, June 4, 2007 1:55:57 PM
>> Subject: Re: mknod denials, avcs from dmesg please help
>>
>> Ok the avc
>>
>> audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>>
>> Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root.
>>
>> What node is insmod trying to create in /dev? Do you have any idea what is going on here?
>>
>> This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7
>>
>> Also
>>
>>
>> Thank you for responding. Indeed it is the mknod entry that is causing trouble.
>> I use smartlink modem and thus I have added to /etc/modprobe.conf
>>
>> alias char-major-243 slusb
>> alias char-major-242 slamr
>> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
>>
>> so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 every time I start up the computer. This is for automation. As a result of this denied avc, automation of loading the slamr module fails.
>>
>> This is the only one now causing trouble
>>
>> audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>>
>> How should I tackle this one, without disabling selinux, or setting it to permissive?
>>
>> Thanks,
>>
>> Antonio
>>
>>
>>
>>
> # grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> # semodule -i myinsmod.pp
>
> will customize your policy to allow mknod to work.
>
>>
>> ____________________________________________________________________________________
>> Be a PS3 game guru.
>> Get your game face on with the latest PS3 news and previews at Yahoo! Games.
>> http://videogames.yahoo.com/platform?platform=120121
>>
>>
>
> Thanks for the help, but
>
> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> compilation failed:
> sh: /usr/bin/checkmodule: No such file or directory
> [root at localhost ~]# semodule -i myinsmod.pp
> semodule: Could not read file 'myinsmod.pp':
> [root at localhost ~]#
>
> which packages should I have to install in order for this to work?
>
> Regards,
>
> Antonio
>
>
yum install checkpolicy
>
>
>
> ____________________________________________________________________________________
> The fish are biting.
> Get more visitors on your site using Yahoo! Search Marketing.
> http://searchmarketing.yahoo.com/arp/sponsoredsearch_v2.php
>

From dwalsh at redhat.com Tue Jun 5 13:22:32 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 05 Jun 2007 09:22:32 -0400
Subject: mknod still not working after suggested fix
In-Reply-To: <352502.93943.qm@web52605.mail.re2.yahoo.com>
References: <352502.93943.qm@web52605.mail.re2.yahoo.com>
Message-ID: <46656398.8060807@redhat.com>

Antonio Olivares wrote:
> selinux is still not allowing mknod to do its job.
>
> I have to manually create the device node every boot
>
> [root at localhost ~]# mknod -m 600 /dev/slamr0 c 242 0
> [1]+ Done gedit /boot/grub/grub.conf
> [root at localhost ~]# modprobe ungrab-winmodem
> [root at localhost ~]# modprobe slamr
> [root at localhost ~]# slmodemd -c USA /dev/slamr0 &
> [1] 2709
> [root at localhost ~]# SmartLink Soft Modem: version 2.9.11 Jun 4 2007 00:14:21
> symbolic link `/dev/ttySL0' -> `/dev/pts/1' created.
> modem `slamr0' created. TTY is `/dev/pts/1'
> Use `/dev/ttySL0' as modem device, Ctrl+C for termination.
>
>
>
> audit(1181023411.825:4): avc: denied { mknod } for pid=673 comm="mknod" capability=27 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability
>
>
> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i myinsmod.pp
>
> [root at localhost ~]# semodule -i myinsmod.pp
>
> What should I try now?
>
> Regards,
>
> Antonio
>
>
Are you seeing other avc messages? Please attach the myinsmod.te and your audit.log
>
>
> ____________________________________________________________________________________
> Get the Yahoo! toolbar and be alerted to new email wherever you're surfing.
> http://new.toolbar.yahoo.com/toolbar/features/mail/index.php
>

From mike.clarkson at baesystems.com Tue Jun 5 17:31:29 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Tue, 5 Jun 2007 10:31:29 -0700
Subject: where is list_dir_perms defined?
Message-ID:

I run across things like list_dir_perms and r_file_perms in allow rules in my SELinux policy, but I have no idea where these are defined. Can someone point me to the location where these are defined?

Thanks

From mantaray_1 at cox.net Tue Jun 5 18:59:12 2007
From: mantaray_1 at cox.net (Ken)
Date: Tue, 05 Jun 2007 11:59:12 -0700
Subject: SELinux Permission Documentation
In-Reply-To: <465E1B37.30102@cox.net>
References: <465E1B37.30102@cox.net>
Message-ID: <4665B280.6030405@cox.net>

Ken wrote:
> What can be sent and received as rawip to and from kernel_t, and what
> are the limitations of what can be done with the data? I am interested
> in understanding the security implications of this (and other) SELinux
> permissions. Is there anyone who can direct me to reference materials
> that explain the security implications of allowing various SELinux
> permissions?
>

Update: It appears that allowing rawip did not fix the problem, but that it was only a coincidence that the site worked for me after making the change; so understanding this permission is now less important to me.

I am assuming that since no one answered any of my emails regarding permission documentation that there is none. With this in mind, I have a suggestion for those who have a good understanding of SELinux: Please create documentation that will allow an individual to research and understand the security implications of various permissions without the need for taking the time to gain an extensive knowledge of the LSM and SELinux.
This would be very helpful to me (and I am sure to many other people as well) since I only want to learn what I need to in order to secure my system, and having a source of information would eliminate the need to know enough to extract the information myself.

- Ken -

From phil at noggle.biz Tue Jun 5 20:09:39 2007
From: phil at noggle.biz (Philip Tricca)
Date: Tue, 05 Jun 2007 16:09:39 -0400
Subject: where is list_dir_perms defined?
Message-ID: <4665C303.4090507@noggle.biz>

Clarkson, Mike R (US SSA) wrote:
> I run across things like list_dir_perms and r_file_perms in allow
> rules in my SELinux policy, but I have no idea where these are
> defined. Can someone point me to the location where these are defined?

list_dir_perms: this is a common object permission set required for a domain to list the contents of a directory. r_file_perms is the same thing but for reading a file.

For details like this you should really take a look at the reference policy sources. These things are in the directory:

serefpolicy-version/policy/support/

grep -iIr 'define(`list_dir_perms' *

Good luck,
- Philip

From nwaero at northwest-aero.com Tue Jun 5 20:25:54 2007
From: nwaero at northwest-aero.com (John Lindgren)
Date: Tue, 05 Jun 2007 13:25:54 -0700
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4665C6D2.4040908@northwest-aero.com>

Hello Stephen,

# rpm -qa | grep policy
selinux-policy-devel-2.6.4-8.fc7
checkpolicy-2.0.2-1.fc7
selinux-policy-targeted-2.6.4-8.fc7
selinux-policy-2.6.4-8.fc7
policycoreutils-2.0.16-2.fc7

# cat local.te

module local 1.0;

require {
        type dovecot_auth_t;
        class capability audit_write;
        class netlink_audit_socket { write nlmsg_relay create read };
}

#============= dovecot_auth_t ==============
logging_send_audit_msg(dovecot_auth_t);

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
local.te:11:ERROR 'permission ioctl is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getattr is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setattr is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission append is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission bind is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission connect is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission getopt is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission setopt is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission shutdown is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
local.te:11:ERROR 'permission nlmsg_read is not defined for class netlink_audit_socket' at token ';' on line 80631:
allow dovecot_auth_t self:netlink_audit_socket { { create { ioctl read getattr write setattr append bind connect getopt setopt shutdown } } nlmsg_read nlmsg_relay };
#line 11
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/local.mod] Error 1

But besides that, is the problem dovecot_auth failing or is it pam failing?
With dovecot in debug mode, and selinux enabled so that pop logins through pam will fail, here are some logs of a failed login:

# cat /var/log/maillog | grep dovecot
Jun 5 12:48:07 post dovecot: auth(default): client in: CONT 1 AGpvaG5ueQBxd2VdW3A=
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): lookup service=dovecot
Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4): pam_authenticate() failed: System error
Jun 5 12:48:09 post dovecot: auth(default): client out: FAIL 1 user=johnny

# cat /var/log/secure
Jun 5 12:48:07 post dovecot-auth: PAM audit_open() failed: Permission denied

# cat /var/log/audit/audit.log
type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003 syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=USER_AUTH msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003 syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4 a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003 syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=root:system_r:dovecot_auth_t:s0 key=(null)
type=USER_ACCT msg=audit(1181073390.217:27914): user pid=9030 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'

Here's a successful one with selinux in permissive:

# cat /var/log/audit/audit.log
type=USER_AUTH msg=audit(1181074280.291:28027): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1181074280.291:28028): user pid=11306 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot res=success)'

What next?

John

Stephen Smalley wrote:
> On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
>
>>Hi,
>>New to this list, not totally new to selinux.
>>
>>Running F7 with everything current (06/04/2007), policy is
>>selinux-policy-targeted-2.6.4-8.fc7.
>>
>>cat /var/log/audit/audit.log:
>>type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write }
>>for pid=13774 comm="dovecot-auth" capability=29
>>scontext=root:system_r:dovecot_auth_t:s0
>>tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
>>
>>type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for
>>pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
>>tcontext=root:sys tem_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>>
>>
>>cat /var/log/audit/audit.log | audit2allow -M local:
>>
>>
>>cat local.te:
>>module local 1.0;
>>
>>require {
>>        type dovecot_auth_t;
>>        class capability audit_write;
>>        class netlink_audit_socket { write nlmsg_relay create read };
>>}
>>
>>#============= dovecot_auth_t ==============
>>allow dovecot_auth_t self:capability audit_write;
>>allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
>>create read };
>>
>>
>>semodule -i local.pp:
>>libsepol.check_assertion_helper: assertion on line 0 violated by allow
>>dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
>>libsepol.check_assertion_helper: assertion on line 0 violated by allow
>>dovecot_auth_t dovecot_auth_t:capability { audit_write };
>>libsepol.check_assertions: 2 assertion violations occured
>>libsemanage.semanage_expand_sandbox: Expand module failed
>>semodule: Failed!
>>
>>Should I add something magical (what, I'm not sure) to the .te to allow
>>this anyway? Or is there something missing from the distribution
>>targeted policy? Or edit the base policy and recompile the whole thing?
>>Or...
>>
>>Anyone else having this problem?
>
>
> The policy contains certain assertions (neverallow rules) to prevent
> accidental adding of allow rules that are highly security sensitive or
> that indicate a mistake in labeling.
>
> To override such assertions, you have to add an appropriate type
> attribute to the type to enable it to pass the neverallow rule. This is
> usually done by using the right refpolicy interface. In this case, that
> appears to be:
> logging_send_audit_msg(dovecot_auth_t)
>
> So replace those two allow rules with the above interface call.
>
> Karl, any reason audit2allow didn't find that interface automatically?
>

From dwalsh at redhat.com Tue Jun 5 21:15:00 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 05 Jun 2007 17:15:00 -0400
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4665C6D2.4040908@northwest-aero.com>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil> <4665C6D2.4040908@northwest-aero.com>
Message-ID: <4665D254.5050902@redhat.com>

John Lindgren wrote:
> Hello Stephen,
>
> # rpm -qa | grep policy
> selinux-policy-devel-2.6.4-8.fc7
> checkpolicy-2.0.2-1.fc7
> selinux-policy-targeted-2.6.4-8.fc7
> selinux-policy-2.6.4-8.fc7
> policycoreutils-2.0.16-2.fc7
>
> # cat local.te
>
> module local 1.0;
>
> require {
>         type dovecot_auth_t;
>         class capability audit_write;
>         class netlink_audit_socket { write nlmsg_relay create read };
> }
>
> #============= dovecot_auth_t ==============
> logging_send_audit_msg(dovecot_auth_t);
>
>
> # make -f /usr/share/selinux/devel/Makefile
> Compiling targeted local module
> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
> local.te:11:ERROR 'permission ioctl is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission getattr is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission setattr is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission append is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission bind is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission connect is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission getopt is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission setopt is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission shutdown is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> local.te:11:ERROR 'permission nlmsg_read is not defined for class
> netlink_audit_socket' at token ';' on line 80631:
> allow dovecot_auth_t self:netlink_audit_socket { { create {
> ioctl read getattr write setattr append bind connect getopt setopt
> shutdown } } nlmsg_read nlmsg_relay };
> #line 11
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/local.mod] Error 1
>
>
> But besides that, is the problem dovecot_auth failing or is it pam
> failing? With dovecot in debug mode, and selinux enabled so that pop
> logins through pam will fail, here are some logs of a failed login:
>
> # cat /var/log/maillog | grep dovecot
> Jun 5 12:48:07 post dovecot: auth(default): client in: CONT 1
> AGpvaG5ueQBxd2VdW3A=
> Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4):
> lookup service=dovecot
> Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4):
> pam_authenticate() failed: System error
> Jun 5 12:48:09 post dovecot: auth(default): client out: FAIL 1
> user=johnny
>
>
> # cat /var/log/secure
> Jun 5 12:48:07 post dovecot-auth: PAM audit_open() failed: Permission
> denied
>
>
> # cat /var/log/audit/audit.log
> type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for
> pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003
> syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0
> items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth"
> exe="/usr/libexec/dovecot/dovecot-auth"
> subj=root:system_r:dovecot_auth_t:s0 key=(null)
> type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for
> pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay
> } for pid=9030 comm="dovecot-auth"
> scontext=root:system_r:dovecot_auth_t:s0 tcontext=root
> :system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket type=USER_AUTH
> msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj=
> root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne :
> exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17,
> addr=71.113.46.17, terminal=dovecot res=success)'
> type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003
> syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4
> a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth"
> exe="/usr/libexec/dovecot/dovecot-auth"
> subj=root:system_r:dovecot_auth_t:s0 key=(null)
> type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for
> pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003
> syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e
> items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth"
> exe="/usr/libexec/dovecot/dovecot-auth"
> subj=root:system_r:dovecot_auth_t:s0 key=(null)
> type=USER_ACCT msg=audit(1181073390.217:27914): user pid=9030 uid=0
> auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting
> acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth"
> (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
>
> Here's a successful one with selinux in permissive:
>
> # cat /var/log/audit/audit.log
> type=USER_AUTH msg=audit(1181074280.291:28027): user pid=11306 uid=0
> auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication
> acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth"
> (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot
> res=success)'
> type=USER_ACCT msg=audit(1181074280.291:28028): user pid=11306 uid=0
> auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting
> acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth"
> (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot
> res=success)'
>
> What next?
>
> John
>
> Stephen Smalley wrote:
>> On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
>>
>>> Hi,
>>> New to this list, not totally new to selinux.
>>>
>>> Running F7 with everything current (06/04/2007), policy is
>>> selinux-policy-targeted-2.6.4-8.fc7.
>>>
>>> cat /var/log/audit/audit.log:
>>> type=AVC msg=audit(1181003986.020:18662): avc: denied {
>>> audit_write } for pid=13774 comm="dovecot-auth" capability=29
>>> scontext=root:system_r:dovecot_auth_t:s0
>>> tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
>>>
>>> type=AVC msg=audit(1181003859.499:18627): avc: denied { create }
>>> for pid=1352 0 comm="dovecot-auth"
>>> scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:sys
>>> tem_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>>>
>>>
>>> cat /var/log/audit/audit.log | audit2allow -M local:
>>>
>>>
>>> cat local.te:
>>> module local 1.0;
>>>
>>> require {
>>>         type dovecot_auth_t;
>>>         class capability audit_write;
>>>         class netlink_audit_socket { write nlmsg_relay create read };
>>> }
>>>
>>> #============= dovecot_auth_t ==============
>>> allow dovecot_auth_t self:capability audit_write;
>>> allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
>>> create read };
>>>
>>>
>>> semodule -i local.pp:
>>> libsepol.check_assertion_helper: assertion on line 0 violated by
>>> allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket {
>>> nlmsg_relay };
>>> libsepol.check_assertion_helper: assertion on line 0 violated by
>>> allow dovecot_auth_t dovecot_auth_t:capability { audit_write };
>>> libsepol.check_assertions: 2 assertion violations occured
>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>> semodule: Failed!
>>>
>>> Should I add something magical (what, I'm not sure) to the .te to
>>> allow this anyway? Or is there something missing from the
>>> distribution targeted policy? Or edit the base policy and recompile
>>> the whole thing? Or...
>>>
>>> Anyone else having this problem?
>>
>>
>> The policy contains certain assertions (neverallow rules) to prevent
>> accidental adding of allow rules that are highly security sensitive or
>> that indicate a mistake in labeling.
>>
>> To override such assertions, you have to add an appropriate type
>> attribute to the type to enable it to pass the neverallow rule. This is
>> usually done by using the right refpolicy interface. In this case, that
>> appears to be:
>> logging_send_audit_msg(dovecot_auth_t)
>>
>> So replace those two allow rules with the above interface call.
>>
>> Karl, any reason audit2allow didn't find that interface automatically?
>>
Please try selinux-policy-2.6.4-13.fc7 currently in testing and moving to updates.

From nwaero at northwest-aero.com Tue Jun 5 21:30:41 2007
From: nwaero at northwest-aero.com (John Lindgren)
Date: Tue, 05 Jun 2007 14:30:41 -0700
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4665D254.5050902@redhat.com>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil> <4665C6D2.4040908@northwest-aero.com> <4665D254.5050902@redhat.com>
Message-ID: <4665D601.4000804@northwest-aero.com>

I defined the other permissions in local.te so that it would compile and then installed local.pp. Switching to setenforce 1, dovecot logins with pam now WORK!... as far as I can tell. ;)

Will upgrade to the new policy later tonight. Should I then remove the local.pp I just compiled and see what messages I get?
John

Daniel J Walsh wrote:
> John Lindgren wrote:
>
>> Hello Stephen,
>>
>> # rpm -qa | grep policy
>> selinux-policy-devel-2.6.4-8.fc7
>> checkpolicy-2.0.2-1.fc7
>> selinux-policy-targeted-2.6.4-8.fc7
>> selinux-policy-2.6.4-8.fc7
>> policycoreutils-2.0.16-2.fc7
>>
>> # cat local.te
>>
>> module local 1.0;
>>
>> require {
>> type dovecot_auth_t;
>> class capability audit_write;
>> class netlink_audit_socket { write nlmsg_relay create read };
>> }
>>
>> #============= dovecot_auth_t ==============
>> logging_send_audit_msg(dovecot_auth_t);
>>
>>
>> # make -f /usr/share/selinux/devel/Makefile
>> Compiling targeted local module
>> /usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
>> local.te:11:ERROR 'permission ioctl is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> local.te:11:ERROR 'permission getattr is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> local.te:11:ERROR 'permission setattr is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> local.te:11:ERROR 'permission append is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> local.te:11:ERROR 'permission bind is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> local.te:11:ERROR 'permission connect is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> local.te:11:ERROR 'permission getopt is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> local.te:11:ERROR 'permission setopt is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> local.te:11:ERROR 'permission shutdown is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> local.te:11:ERROR 'permission nlmsg_read is not defined for class
>> netlink_audit_socket' at token ';' on line 80631:
>> allow dovecot_auth_t self:netlink_audit_socket { { create {
>> ioctl read getattr write setattr append bind connect getopt setopt
>> shutdown } } nlmsg_read nlmsg_relay };
>> #line 11
>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>> make: *** [tmp/local.mod] Error 1
>>
>>
>> But besides that, is the problem dovecot_auth failing or is it pam
>> failing?
>> With dovecot in debug mode, and selinux enabled so that pop
>> logins through pam will fail, here are some logs of a failed login:
>>
>> # cat /var/log/maillog | grep dovecot
>> Jun 5 12:48:07 post dovecot: auth(default): client in: CONT 1
>> AGpvaG5ueQBxd2VdW3A=
>> Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4):
>> lookup service=dovecot
>> Jun 5 12:48:07 post dovecot: auth(default): pam(johnny,66.52.219.4):
>> pam_authenticate() failed: System error
>> Jun 5 12:48:09 post dovecot: auth(default): client out: FAIL 1
>> user=johnny
>>
>>
>> # cat /var/log/secure
>> Jun 5 12:48:07 post dovecot-auth: PAM audit_open() failed: Permission
>> denied
>>
>>
>> # cat /var/log/audit/audit.log
>> type=AVC msg=audit(1181073390.217:27910): avc: denied { create } for
>> pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
>> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>> type=SYSCALL msg=audit(1181073390.217:27910): arch=40000003
>> syscall=102 success=yes exit=14 a0=1 a1=bfd2b540 a2=220ff4 a3=0
>> items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth"
>> exe="/usr/libexec/dovecot/dovecot-auth"
>> subj=root:system_r:dovecot_auth_t:s0 key=(null)
>> type=AVC msg=audit(1181073390.217:27911): avc: denied { write } for
>> pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
>> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>> type=AVC msg=audit(1181073390.217:27911): avc: denied { nlmsg_relay
>> } for pid=9030 comm="dovecot-auth"
>> scontext=root:system_r:dovecot_auth_t:s0 tcontext=root
>> :system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket type=USER_AUTH
>> msg=audit(1181073390.217:27912): user pid=9030 uid=0 auid=0 subj=
>> root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=wayne :
>> exe="/usr/libexec/dovecot/dovecot-auth" (hostname=71.113.46.17,
>> addr=71.113.46.17, terminal=dovecot res=success)'
>> type=SYSCALL msg=audit(1181073390.217:27911): arch=40000003
>> syscall=102 success=yes exit=164 a0=b a1=bfd207c0 a2=220ff4
>> a3=bfd27200 items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth"
>> exe="/usr/libexec/dovecot/dovecot-auth"
>> subj=root:system_r:dovecot_auth_t:s0 key=(null)
>> type=AVC msg=audit(1181073390.217:27913): avc: denied { read } for
>> pid=9030 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
>> tcontext=root:system_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>> type=SYSCALL msg=audit(1181073390.217:27913): arch=40000003
>> syscall=102 success=yes exit=36 a0=c a1=bfd20770 a2=220ff4 a3=e
>> items=0 ppid=4348 pid=9030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) comm="dovecot-auth"
>> exe="/usr/libexec/dovecot/dovecot-auth"
>> subj=root:system_r:dovecot_auth_t:s0 key=(null)
>> type=USER_ACCT msg=audit(1181073390.217:27914): user pid=9030 uid=0
>> auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting
>> acct=wayne : exe="/usr/libexec/dovecot/dovecot-auth"
>> (hostname=71.113.46.17, addr=71.113.46.17, terminal=dovecot res=success)'
>>
>> Here's a successful one with selinux in permissive:
>>
>> # cat /var/log/audit/audit.log
>> type=USER_AUTH msg=audit(1181074280.291:28027): user pid=11306 uid=0
>> auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication
>> acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth"
>> (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot
>> res=success)'
>> type=USER_ACCT msg=audit(1181074280.291:28028): user pid=11306 uid=0
>> auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting
>> acct=tgates : exe="/usr/libexec/dovecot/dovecot-auth"
>> (hostname=67.170.64.125, addr=67.170.64.125, terminal=dovecot
>> res=success)'
>>
>> What next?
>>
>> John
>>
>> Stephen Smalley wrote:
>>
>>> On Mon, 2007-06-04 at 18:18 -0700, John Lindgren wrote:
>>>
>>>> Hi,
>>>> New to this list, not totally new to selinux.
>>>>
>>>> Running F7 with everything current (06/04/2007), policy is
>>>> selinux-policy-targeted-2.6.4-8.fc7.
>>>>
>>>> cat /var/log/audit/audit.log:
>>>> type=AVC msg=audit(1181003986.020:18662): avc: denied {
>>>> audit_write } for pid=13774 comm="dovecot-auth" capability=29
>>>> scontext=root:system_r:dovecot_auth_t:s0
>>>> tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
>>>>
>>>> type=AVC msg=audit(1181003859.499:18627): avc: denied { create }
>>>> for pid=1352 0 comm="dovecot-auth"
>>>> scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:sys
>>>> tem_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
>>>>
>>>>
>>>> cat /var/log/audit/audit.log | audit2allow -M local:
>>>>
>>>>
>>>> cat local.te:
>>>> module local 1.0;
>>>>
>>>> require {
>>>> type dovecot_auth_t;
>>>> class capability audit_write;
>>>> class netlink_audit_socket { write nlmsg_relay create read };
>>>> }
>>>>
>>>> #============= dovecot_auth_t ==============
>>>> allow dovecot_auth_t self:capability audit_write;
>>>> allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
>>>> create read };
>>>>
>>>>
>>>> semodule -i local.pp:
>>>> libsepol.check_assertion_helper: assertion on line 0 violated by
>>>> allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket {
>>>> nlmsg_relay };
>>>> libsepol.check_assertion_helper: assertion on line 0 violated by
>>>> allow dovecot_auth_t dovecot_auth_t:capability { audit_write };
>>>> libsepol.check_assertions: 2 assertion violations occured
>>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>>> semodule: Failed!
>>>>
>>>> Should I add something magical (what, I'm not sure) to the .te to
>>>> allow this anyway? Or is there something missing from the
>>>> distribution targeted policy? Or edit the base policy and recompile
>>>> the whole thing? Or...
>>>>
>>>> Anyone else having this problem?
>>>
>>>
>>>
>>> The policy contains certain assertions (neverallow rules) to prevent
>>> accidental adding of allow rules that are highly security sensitive or
>>> that indicate a mistake in labeling.
>>>
>>> To override such assertions, you have to add an appropriate type
>>> attribute to the type to enable it to pass the neverallow rule. This is
>>> usually done by using the right refpolicy interface. In this case, that
>>> appears to be:
>>> logging_send_audit_msg(dovecot_auth_t)
>>>
>>> So replace those two allow rules with the above interface call.
>>>
>>> Karl, any reason audit2allow didn't find that interface automatically?
>>>
> Please try selinux-policy-2.6.4-13.fc7 currently in testing and moving
> to updates.
>

From bobk at ocf.berkeley.edu Tue Jun 5 21:33:10 2007
From: bobk at ocf.berkeley.edu (Bob Kashani)
Date: Tue, 05 Jun 2007 14:33:10 -0700
Subject: rhgb avcs
Message-ID: <1181079191.3193.2.camel@chaucer>

I'm getting these avcs for rhgb (rhgb works fine though).

Jun 5 13:04:38 chaucer kernel: audit(1181073867.313:9): avc: denied { search } for pid=1186 comm="rhgb" name="root" dev=sda2 ino=940065 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir

From dwalsh at redhat.com Tue Jun 5 21:41:56 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 05 Jun 2007 17:41:56 -0400
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4665D601.4000804@northwest-aero.com>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil> <4665C6D2.4040908@northwest-aero.com> <4665D254.5050902@redhat.com> <4665D601.4000804@northwest-aero.com>
Message-ID: <4665D8A4.9030801@redhat.com>

John Lindgren wrote:
> I defined the other permissions in local.te so that it would compile
> and then installed local.pp. Switching to setenforce 1 dovecot logins
> with pam now WORK!... as far as I can tell.
;)
>
> Will upgrade to the new policy later tonight.
>
> Should I then remove the local.pp I just compiled and see what
> messages I get?
>
> John

yes

From nwaero at northwest-aero.com Tue Jun 5 21:51:58 2007
From: nwaero at northwest-aero.com (John Lindgren)
Date: Tue, 05 Jun 2007 14:51:58 -0700
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4665D8A4.9030801@redhat.com>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil> <4665C6D2.4040908@northwest-aero.com> <4665D254.5050902@redhat.com> <4665D601.4000804@northwest-aero.com> <4665D8A4.9030801@redhat.com>
Message-ID: <4665DAFE.1010701@northwest-aero.com>

Thank you for your help!

John

Daniel J Walsh wrote:
> John Lindgren wrote:
>
>> I defined the other permissions in local.te so that it would compile
>> and then installed local.pp. Switching to setenforce 1 dovecot logins
>> with pam now WORK!... as far as I can tell. ;)
>>
>> Will upgrade to the new policy later tonight.
>>
>> Should I then remove the local.pp I just compiled and see what
>> messages I get?
>>
>> John
>
> yes
>

From nnm.one at gmail.com Tue Jun 5 22:48:30 2007
From: nnm.one at gmail.com (Paul S)
Date: Wed, 6 Jun 2007 00:48:30 +0200
Subject: selinux-policy-strict bug
Message-ID: <9e8747560706051548o5eb541chcf9ae209afa06c7b@mail.gmail.com>

selinux-policy-strict seems to fail with allowing remote access to the
sshd on Fedora7 (2.6.21-1.3194.fc7). I've installed Fedora7 with all
the package collections disabled for a minimal system in the
installer, installed the necessary tools for selinux and the strict
policy and enabled it. Installed sshd, touched /.autorelabel and
rebooted (twice). When enabling enforcing mode and trying to ssh from
the LAN, I get avc messages because of denied access ("permission
denied" after entering the password on the client). I tried to make a
module for allowing it but I get assertions when installing the
modules.
#######################################################

[root at area51 sshd]# cat MYsshd.te
module MYsshd 1.0;

require {
type staff_t;
type user_home_dir_t;
type sshd_t;
class file { write ioctl };
class capability { audit_control audit_write };
class netlink_audit_socket { create nlmsg_relay write read };
}

#============= sshd_t ==============
allow sshd_t self:capability { audit_control audit_write };
allow sshd_t self:netlink_audit_socket { create nlmsg_relay read write };

#============= staff_t =============
allow staff_t user_home_dir_t:file { write ioctl };

-------------------------------------------------------

[root at area51 sshd]# semodule -i MYsshd.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control };
libsepol.check_assertions: 3 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
#######################################################

cat /var/log/messages | audit2allow -M MYautogen
semodule -i MYautogen.pp

-------------------------------------------------------

libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t security_t:security { load_policy };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t staff_xserver_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t staff_xserver_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow setfiles_t setfiles_t:capability { audit_write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow local_login_t local_login_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t sshd_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t staff_t:capability { audit_control };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t staff_t:capability { sys_module };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t shadow_t:file { write create };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_t
shadow_t:file { write create };
libsepol.check_assertion_helper: assertion on line 0 violated by allow staff_xserver_t shadow_t:file { read };
libsepol.check_assertions: 16 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!

From nwaero at northwest-aero.com Tue Jun 5 22:51:25 2007
From: nwaero at northwest-aero.com (John Lindgren)
Date: Tue, 05 Jun 2007 15:51:25 -0700
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4665DAFE.1010701@northwest-aero.com>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil> <4665C6D2.4040908@northwest-aero.com> <4665D254.5050902@redhat.com> <4665D601.4000804@northwest-aero.com> <4665D8A4.9030801@redhat.com> <4665DAFE.1010701@northwest-aero.com>
Message-ID: <4665E8ED.9030708@northwest-aero.com>

Just to close this thread out:

I upgraded to:
# rpm -qa|grep selinux-policy
selinux-policy-targeted-2.6.4-13.fc7
selinux-policy-2.6.4-13.fc7
selinux-policy-devel-2.6.4-13.fc7

removed the local.pp I made earlier:
# semodule -r local

forced a reload of the policy:
# semodule -R

rotated the audit log:
# logrotate -f /etc/logrotate.d/audit

Then I went and exercised the mail system, sendmail, mailman, MailScanner,
spamassassin, clamav, f-prot, squirrelmail, apache... I remember when it
was simpler.
took a look at the fresh audit.log
# audit2allow -a

And there were all the usual suspects:

#============= clamscan_t ==============
allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
allow clamscan_t clamd_var_lib_t:file { write create unlink };
allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
allow clamscan_t tmpfs_t:dir { read search getattr };
allow clamscan_t tmpfs_t:file { read getattr };
allow clamscan_t var_spool_t:file { read write };
#============= httpd_t ==============
allow httpd_t pop_port_t:tcp_socket name_connect;
#============= procmail_t ==============
allow procmail_t var_spool_t:file read;
#============= system_mail_t ==============
allow system_mail_t httpd_t:file read;

But notice, NO DOVECOT!

made a module:
# cat /var/log/audit/audit.log | audit2allow -M localMAIL

installed it:
# semodule -i localMAIL.pp

put selinux back into enforce:
# setenforce 1

and re-rotated the log:
# logrotate -f /etc/logrotate.d/audit

Then sat back and waited for the phone to ring... {quiet}

Confirmed with:
# audit2allow -a

And got nothing. Everything working great now. New policy package fixed
dovecot problem, Thanks Again.

John

John Lindgren wrote:
> Thank You for your help!
>
> John
>
> Daniel J Walsh wrote:
>
>> John Lindgren wrote:
>>
>>> I defined the other permissions in local.te so that it would compile
>>> and then installed local.pp. Switching to setenforce 1 dovecot logins
>>> with pam now WORK!... as far as I can tell. ;)
>>>
>>> Will upgrade to the new policy later tonight.
>>>
>>> Should I then remove the local.pp I just compiled and see what
>>> messages I get?
>>>
>>> John
>>
>>
>> yes
>>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From mjs at CLEMSON.EDU Tue Jun 5 23:20:08 2007
From: mjs at CLEMSON.EDU (Matthew Saltzman)
Date: Tue, 05 Jun 2007 19:20:08 -0400
Subject: Alsa and /etc/ in F7
Message-ID: <1181085608.3284.6.camel@vincent52.localdomain>

Every time I suspend my laptop, I get the following from the
troubleshooter:

SELinux is preventing /sbin/alsactl (alsa_t) "write" to etc (etc_t).

The suggestion to restorecon /etc doesn't seem very sensible, and
doesn't change anything anyway (so the suggestion is that it's a policy
bug).

From the Additional Information:

Source Context: system_u:system_r:alsa_t
Target Context: system_u:object_r:etc_t
Target Objects: etc [ dir ]
Affected RPM Packages: alsa-utils-1.0.14-0.5.rc2.fc7 [application]
filesystem-2.4.6-1.fc7 [target]
Policy RPM: selinux-policy-2.6.4-8.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.mislabeled_file

From sds at tycho.nsa.gov Wed Jun 6 12:36:01 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 06 Jun 2007 08:36:01 -0400
Subject: SELinux Permission Documentation
In-Reply-To: <4665B280.6030405@cox.net>
References: <465E1B37.30102@cox.net> <4665B280.6030405@cox.net>
Message-ID: <1181133361.3699.22.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-06-05 at 11:59 -0700, Ken wrote:
> Ken wrote:
> > What can be sent and received as rawip to and from kernel_t, and what
> > are the limitations of what can be done with the data? I am interested
> > in understanding the security implications of this (and other) SELinux
> > permissions. Is there anyone who can direct me to reference materials
> > that explain the security implications of allowing various SELinux
> > permissions?
> >
>
> Update:
> It appears that allowing rawip did not fix the problem, but that it was
> only a coincidence that the site worked for me after making the change;
> so understanding this permission is now less important to me.
>
>
> I am assuming that since no one answered any of my emails regarding
> permission documentation that there is none. With this in mind, I
> have a suggestion for those who have a good understanding of SELinux:
> Please create documentation that will allow an individual to research
> and understand the security implications of various permissions without
> the need for taking the time to gain an extensive knowledge of the LSM
> and SELinux. This would be very helpful to me (and I am sure to many
> other people as well) since I only want to learn what I need to in order
> to secure my system, and having a source of information would eliminate
> the need to know enough to extract the information myself.

Hi,

There are some resources available, but not quite in the form that I
think you wanted.

1) Reference policy documentation of its modules and interfaces
locally viewable by running /usr/share/selinux/devel/policyhelp, or at:
http://oss.tresys.com/docs/refpolicy/api/

I think that this is really more suited to what you want, except that it
is done on the higher level abstractions/interfaces of refpolicy instead
of the individual permissions (and it needs more detail).

2) Overview of Classes and Permissions
http://www.tresys.com/selinux/obj_perms_help.html

These describe the meaning of the classes and permissions, but only in
general terms, not for specific domains/types.

3) SELinux Policy Writing Class Slides
http://www.tresys.com/selinux/selinux-course-outline
(click on the slide titles to download them)

This helps with understanding the policy constructs in general, but
won't give much detail about individual classes/perms except for the
specific cases covered.
4) SELinux by Example book
http://www.phptr.com/bookstore/product.asp?isbn=0131963694&rl=1

This has an appendix much like the overview in (2), but like (3), I
think most of this book is more oriented toward the policy concepts and
constructs than the individual classes/perms.

5) Original SELinux tech report
http://www.nsa.gov/selinux/papers/slinux-abs.cfm

This was the original description of the classes and permissions and
their rationales, although there have naturally been changes over time.

6) LSM-based SELinux tech report
http://www.nsa.gov/selinux/papers/module-abs.cfm

This described how the implementation changed for LSM and mapped the LSM
hooks to SELinux permission checks, so while it can be useful in
understanding the checks, it is too tied to the implementation to really
meet your request.

I think we'd all agree that better end user documentation is needed.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Jun 6 12:44:28 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 06 Jun 2007 08:44:28 -0400
Subject: Alsa and /etc/ in F7
In-Reply-To: <1181085608.3284.6.camel@vincent52.localdomain>
References: <1181085608.3284.6.camel@vincent52.localdomain>
Message-ID: <1181133868.3699.28.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-06-05 at 19:20 -0400, Matthew Saltzman wrote:
> Every time I suspend my laptop, I get the following from the
> troubleshooter:
>
> SELinux is preventing /sbin/alsactl (alsa_t) "write" to etc (etc_t).

Specific avc message from /var/log/audit/audit.log or /var/log/messages?
We need to know the precise file/directory being modified there.

>
> The suggestion to restorecon /etc doesn't seem very sensible, and
> doesn't change anything anyway (so the suggestion is that it's a policy
> bug).
>
> From the Additional Information:
>
> Source Context: system_u:system_r:alsa_t
> Target Context: system_u:object_r:etc_t
> Target Objects: etc [ dir ]
> Affected RPM Packages: alsa-utils-1.0.14-0.5.rc2.fc7
> [application]filesystem-2.4.6-1.fc7 [target]
> Policy RPM: selinux-policy-2.6.4-8.fc7
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Enforcing
> Plugin Name: plugins.mislabeled_file
>

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed Jun 6 12:53:11 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 06 Jun 2007 08:53:11 -0400
Subject: selinux-policy-strict bug
In-Reply-To: <9e8747560706051548o5eb541chcf9ae209afa06c7b@mail.gmail.com>
References: <9e8747560706051548o5eb541chcf9ae209afa06c7b@mail.gmail.com>
Message-ID: <1181134391.3699.36.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-06-06 at 00:48 +0200, Paul S wrote:
> selinux-policy-strict seems to fail with allowing remote access to the
> sshd on Fedora7 (2.6.21-1.3194.fc7). I've installed Fedora7 with all
> the package collections disabled for a minimal system in the
> installer, installed the necessary tools for selinux and the strict
> policy and enabled it. Installed sshd, touched /.autorelabel and
> rebooted (twice). When enabling the enforced mode, and try to ssh from
> the LAN, I get avc messages because of denied access ("permission
> denied" after entering the password on the client). I tried to make a
> module for allowing it but I get assertions when installing the
> modules.

Already reported, try updating to latest policy.

Or add:
require {
attribute can_set_loginuid;
attribute can_send_audit_msg;
}
typeattribute sshd_t can_set_loginuid, can_send_audit_msg;

to your .te file.
>
> #######################################################
>
> [root at area51 sshd]# cat MYsshd.te
> module MYsshd 1.0;
>
> require {
> type staff_t;
> type user_home_dir_t;
> type sshd_t;
> class file { write ioctl };
> class capability { audit_control audit_write };
> class netlink_audit_socket { create nlmsg_relay write read };
> }
>
> #============= sshd_t ==============
> allow sshd_t self:capability { audit_control audit_write };
> allow sshd_t self:netlink_audit_socket { create nlmsg_relay read
> write };
>
> #============= staff_t =============
> allow staff_t user_home_dir_t:file { write ioctl };
>
> -------------------------------------------------------
>
> [root at area51 sshd]# semodule -i MYsshd.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_control };
> libsepol.check_assertions: 3 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>
> #######################################################
>
> cat /var/log/messages | audit2allow -M MYautogen
> semodule -i MYautogen.pp
>
> -------------------------------------------------------
>
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t security_t:security { load_policy };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t staff_xserver_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> local_login_t local_login_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> setfiles_t setfiles_t:netlink_audit_socket { nlmsg_relay };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t staff_xserver_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> local_login_t local_login_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> setfiles_t setfiles_t:capability { audit_write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> local_login_t local_login_t:capability { audit_control };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> sshd_t sshd_t:capability { audit_control };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t staff_t:capability { audit_control };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t staff_t:capability { sys_module };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t shadow_t:file { write create };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_t shadow_t:file { write create };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> staff_xserver_t shadow_t:file { read };
> libsepol.check_assertions: 16 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
>

--
Stephen Smalley
National Security Agency

From nichol425 at gmail.com Wed Jun 6 23:50:08 2007
From: nichol425 at gmail.com (nichol425)
Date: Wed, 6 Jun 2007 16:50:08 -0700
Subject: Firewall problem
Message-ID: <93922c8b0706061650o46ea1388sf4947ac0fb455106@mail.gmail.com>

Hi folks;

I am having problems adding ports on my newly installed Fedora7. I am
using the GUI tool system/administration/Firewall and SELinux, then input
my admin password as requested. I click otherports and find that the
"add+" button is grayed out. If I add the port, the system will not take
it. On my Fedora 6 the "add +" button is green.

The other issue is I cannot add a time server either. The same "add+"
button is grayed out.

Did I miss something? Can anyone advise how to fix it?

Thanks
Jim

From piotreek23 at gmail.com Thu Jun 7 06:18:11 2007
From: piotreek23 at gmail.com (piotreek)
Date: Thu, 7 Jun 2007 08:18:11 +0200
Subject: AVC Denied Dhcp and Iptables.
Message-ID: <112c19290706062318i6e39f009mba1bebe366097d2f@mail.gmail.com>

Hi guys, I found some strange messages in my logs. It seems that selinux
is blocking dhcp and iptables. I found a similar post on the group about
DHCP but my messages are different. I am using FC7; the latest policy
update didn't resolve the problem.

P.S. I am using Firestarter as my firewall.
Have a look:

Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc: denied { execute } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:6): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc: denied { execute } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:8): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:9): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:10): avc: denied { execute } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:11): avc: denied { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:12): avc: denied { getattr } for pid=1778 comm="sh"
name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.975:13): audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0

Greetings
Peter

From matt at gillens.us Thu Jun 7 17:22:05 2007
From: matt at gillens.us (Matthew Gillen)
Date: Thu, 07 Jun 2007 13:22:05 -0400
Subject: openvpn on fedora 7
Message-ID: <46683EBD.707@gillens.us>

I had to add the following module before openvpn would work. The first issue was that openvpn didn't have permission to write a .pid file to /var/run/openvpn. The other problem seemed to be that a TCP socket could not be created (the name_connect part).

The dac_override is something that I don't get. Why would openvpn need that? Unix permissions problems?

Here's the additional policy:
-----------------------------
require {
        type openvpn_t;
        type openvpn_port_t;
        type openvpn_var_run_t;
        class capability dac_override;
        class tcp_socket name_connect;
        class dir { write search add_name };
}

#============= openvpn_t ==============
allow openvpn_t openvpn_port_t:tcp_socket name_connect;
allow openvpn_t openvpn_var_run_t:dir { write search add_name };
allow openvpn_t self:capability dac_override;
-----------------------------

Thanks,
Matt

From wart at kobold.org Thu Jun 7 17:50:34 2007
From: wart at kobold.org (Michael Thomas)
Date: Thu, 07 Jun 2007 10:50:34 -0700
Subject: udev file access
Message-ID: <4668456A.3080604@kobold.org>

I installed a custom udev rule in /etc/udev/rules.d/ that invokes a shell script to back up my USB thumb drive whenever it's plugged in. The script makes use of 'mkdir', 'find', and 'dd' to create the backup. The backups are created in a /images/backups directory, which has the default label 'user_u:object_r:file_t'.
When udev launches the script, I get avcs because udev isn't allowed to write to file_t (not surprising):

avc: denied { read } for comm="find" dev=sda3 egid=0 euid=0 exe="/usr/bin/find" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=4539 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0

How should this backup directory get labeled so that udev can write to it? Or should I create a custom file context for backup files and then give udev_t permission to write to the backup file context?

--Mike

From pierre.juhen at wanadoo.fr Thu Jun 7 20:25:52 2007
From: pierre.juhen at wanadoo.fr (Pierre JUHEN)
Date: Thu, 07 Jun 2007 22:25:52 +0200
Subject: Bug in selinux-policy-strict.noarch 0:2.6.4-13.fc7
Message-ID: <466869D0.60004@pierre.juhen>

I was not able to install selinux-policy-strict.noarch 0:2.6.4-13.fc7 :

Here is the trace.

Thanks,

_______________________________________________________

yum install selinux-policy-strict
Loading "installonlyn" plugin
Setting up Install Process
Parsing package install arguments
livna                     100% |=========================| 1.1 kB    00:00
fedora                    100% |=========================| 2.1 kB    00:00
updates                   100% |=========================| 1.9 kB    00:00
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-strict.noarch 0:2.6.4-13.fc7 set to be updated

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 selinux-policy-strict   noarch     2.6.4-13.fc7     updates           1.6 M

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 1.6 M
Is this ok [y/N]: y
Downloading Packages:
(1/1): selinux-policy-str 100%
|=========================| 1.6 MB    00:26
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: selinux-policy-strict        ######################### [1/1]
libsepol.context_from_record: type unconfined_execmem_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:unconfined_execmem_exec_t:s0 to sid
/etc/selinux/strict/contexts/files/file_contexts: line 597 has invalid context system_u:object_r:unconfined_execmem_exec_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!

Installed: selinux-policy-strict.noarch 0:2.6.4-13.fc7
Complete!

From tony.molloy at ul.ie Fri Jun 8 07:31:42 2007
From: tony.molloy at ul.ie (Tony Molloy)
Date: Fri, 8 Jun 2007 08:31:42 +0100
Subject: openvpn on fedora 7
In-Reply-To: <46683EBD.707@gillens.us>
References: <46683EBD.707@gillens.us>
Message-ID: <200706080831.42219.tony.molloy@ul.ie>

On Thursday 07 June 2007 18:22, Matthew Gillen wrote:
> I had to add the following module before openvpn would work. The first
> issue was that openvpn didn't have permission to write a .pid file to
> /var/run/openvpn. The other problem seemed to be that a TCP socket could
> not be created (the name_connect part).
>
> The dac_override is something that I don't get. Why would openvpn need
> that? Unix permissions problems?
>
> Here's the additional policy:
> -----------------------------
> require {
>         type openvpn_t;
>         type openvpn_port_t;
>         type openvpn_var_run_t;
>         class capability dac_override;
>         class tcp_socket name_connect;
>         class dir { write search add_name };
> }
>
> #============= openvpn_t ==============
> allow openvpn_t openvpn_port_t:tcp_socket name_connect;
> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
> allow openvpn_t self:capability dac_override;
> -----------------------------
>
> Thanks,
> Matt
>
> --

Matt,

Thanks very much for the policy. But as an SELinux noob, how does one actually use it?

Regards,

Tony

From matt at gillens.us Fri Jun 8 13:14:38 2007
From: matt at gillens.us (Matthew Gillen)
Date: Fri, 08 Jun 2007 09:14:38 -0400
Subject: openvpn on fedora 7
In-Reply-To: <200706080831.42219.tony.molloy@ul.ie>
References: <46683EBD.707@gillens.us> <200706080831.42219.tony.molloy@ul.ie>
Message-ID: <4669563E.1000708@gillens.us>

Tony Molloy wrote:
> On Thursday 07 June 2007 18:22, Matthew Gillen wrote:
>> I had to add the following module before openvpn would work. The first
>> issue was that openvpn didn't have permission to write a .pid file to
>> /var/run/openvpn. The other problem seemed to be that a TCP socket could
>> not be created (the name_connect part).
>>
>> The dac_override is something that I don't get. Why would openvpn need
>> that? Unix permissions problems?
>>
>> Here's the additional policy:
>> -----------------------------
module openvpn 1.0;
>> require {
>>         type openvpn_t;
>>         type openvpn_port_t;
>>         type openvpn_var_run_t;
>>         class capability dac_override;
>>         class tcp_socket name_connect;
>>         class dir { write search add_name };
>> }
>>
>> #============= openvpn_t ==============
>> allow openvpn_t openvpn_port_t:tcp_socket name_connect;
>> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
>> allow openvpn_t self:capability dac_override;
>> -----------------------------
>>
>> Thanks,
>> Matt
>>
>> --
>
> Matt,
>
> Thanks very much for the policy. But as an SELinux noob, how does one actually
> use it?

Put the text above into a file named openvpn.te (note I added a line to the original before the 'require' section, I'm not sure if it's needed). Then execute the following commands:

checkmodule -M -m -o openvpn.mod openvpn.te
semodule_package -o openvpn.pp -m openvpn.mod   # build .pp file
semodule -i openvpn.pp                          # insert the module into the current policy

You'll need the 'checkpolicy' and 'policycoreutils' rpms installed at the very least.

That should be all there is to it.

Matt

From phil at noggle.biz Fri Jun 8 15:43:54 2007
From: phil at noggle.biz (Philip Tricca)
Date: Fri, 08 Jun 2007 11:43:54 -0400
Subject: openvpn on fedora 7
In-Reply-To: <46683EBD.707@gillens.us>
References: <46683EBD.707@gillens.us>
Message-ID: <4669793A.2060401@noggle.biz>

Matthew Gillen wrote:
> I had to add the following module before openvpn would work. The first issue
> was that openvpn didn't have permission to write a .pid file to
> /var/run/openvpn. The other problem seemed to be that a TCP socket could not
> be created (the name_connect part).
>
> The dac_override is something that I don't get. Why would openvpn need that?
> Unix permissions problems?

I believe "dac_override" means that a process running as root is trying to violate the DAC policy.
Consider a file owned by user Alice with rw permissions for the owner, all else denied (600). Historically the root user is identified by the kernel and all DAC checks are bypassed. SELinux prevents processes running with root's uid from doing such things. This is a good example of SELinux attempting to turn root into just another regular user.

I've run into these things when my daemon, which is typically run as a lesser privileged user, is run as root. dac_override avcs were generated for reading all of the config files and writing to the log files (the ones that were already created).

> Here's the additional policy:
> -----------------------------
> require {
>         type openvpn_t;
>         type openvpn_port_t;
>         type openvpn_var_run_t;
>         class capability dac_override;
>         class tcp_socket name_connect;
>         class dir { write search add_name };
> }
>
> #============= openvpn_t ==============
> allow openvpn_t openvpn_port_t:tcp_socket name_connect;
> allow openvpn_t openvpn_var_run_t:dir { write search add_name };
> allow openvpn_t self:capability dac_override;
> -----------------------------

If I'm wrong here I trust some of the more knowledgeable folks will chime in and correct me :-)

Cheers,
- Philip

From ryvore at gmail.com Fri Jun 8 16:05:16 2007
From: ryvore at gmail.com (David-Alexandre Davidson)
Date: Fri, 08 Jun 2007 12:05:16 -0400
Subject: Bug in selinux-policy-strict.noarch 0:2.6.4-13.fc7
In-Reply-To: <466869D0.60004@pierre.juhen>
References: <466869D0.60004@pierre.juhen>
Message-ID: <46697E3C.1060807@gmail.com>

I have the exact same problem. I didn't notice at first because it was installed within a script and yum reported a success. But when I rebooted in a permissive state I had a bunch of audit messages, and /etc/selinux/strict/modules/active/modules is empty. semodule --list returns an empty list also.

> I was not able to install selinux-policy-strict.noarch 0:2.6.4-13.fc7 :
>
> Here is the trace.
>
> Thanks,
>
>
> _______________________________________________________
>
> yum install selinux-policy-strict
> Loading "installonlyn" plugin
> Setting up Install Process
> Parsing package install arguments
> livna                     100% |=========================| 1.1 kB
> 00:00
> fedora                    100% |=========================| 2.1 kB
> 00:00
> updates                   100% |=========================| 1.9 kB
> 00:00
> Resolving Dependencies
> --> Running transaction check
> ---> Package selinux-policy-strict.noarch 0:2.6.4-13.fc7 set to be
> updated
>
> Dependencies Resolved
>
> =============================================================================
>
>  Package                 Arch       Version          Repository
> Size
> =============================================================================
>
> Installing:
>  selinux-policy-strict   noarch     2.6.4-13.fc7     updates
> 1.6 M
>
> Transaction Summary
> =============================================================================
>
> Install      1 Package(s)
> Update       0 Package(s)
> Remove       0 Package(s)
>
> Total download size: 1.6 M
> Is this ok [y/N]: y
> Downloading Packages:
> (1/1): selinux-policy-str 100% |=========================| 1.6 MB
> 00:26
> Running Transaction Test
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
>   Installing: selinux-policy-strict        ######################### [1/1]
> libsepol.context_from_record: type unconfined_execmem_exec_t is not
> defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert
> system_u:object_r:unconfined_execmem_exec_t:s0 to sid
> /etc/selinux/strict/contexts/files/file_contexts: line 597 has
> invalid context system_u:object_r:unconfined_execmem_exec_t:s0
> libsemanage.semanage_install_active: setfiles returned error code 1.
> semodule: Failed!
>
> Installed: selinux-policy-strict.noarch 0:2.6.4-13.fc7
> Complete!
>
> --
>

From matt at gillens.us Fri Jun 8 17:17:25 2007
From: matt at gillens.us (Matthew Gillen)
Date: Fri, 08 Jun 2007 13:17:25 -0400
Subject: openvpn on fedora 7
In-Reply-To: <4669793A.2060401@noggle.biz>
References: <46683EBD.707@gillens.us> <4669793A.2060401@noggle.biz>
Message-ID: <46698F25.6000005@gillens.us>

Philip Tricca wrote:
> Matthew Gillen wrote:
>> I had to add the following module before openvpn would work. The
>> first issue
>> was that openvpn didn't have permission to write a .pid file to
>> /var/run/openvpn. The other problem seemed to be that a TCP socket
>> could not
>> be created (the name_connect part).
>>
>> The dac_override is something that I don't get. Why would openvpn
>> need that?
>> Unix permissions problems?
>
> I believe "dac_override" means that a process running as root is trying
> to violate the DAC policy. Consider a file owned by user Alice with rw
> permissions for the owner, all else denied (600). Historically the root
> user is identified by the kernel and all DAC checks are bypassed.
> SELinux prevents processes running with root's uid from doing such
> things. This is a good example of SELinux attempting to turn root into
> just another regular user.

That's pretty cool.

> I've run into these things when my daemon, which is typically run as a
> lesser privileged user, is run as root. dac_override avcs were
> generated for reading all of the config files and writing to the log
> files (the ones that were already created).

Ok, so probably the unix permissions on /var/run/openvpn are messed up, where it's owned by the openvpn user but it writes the pid file while running as root before it drops privs. So if I fixed the unix perms I could probably purge the dac_override part.

Thanks for the explanation.
Matt

From mantaray_1 at cox.net Sat Jun 9 00:34:49 2007
From: mantaray_1 at cox.net (Ken)
Date: Fri, 08 Jun 2007 17:34:49 -0700
Subject: SELinux Permission Documentation
In-Reply-To: <1181133361.3699.22.camel@moss-spartans.epoch.ncsc.mil>
References: <465E1B37.30102@cox.net> <4665B280.6030405@cox.net> <1181133361.3699.22.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4669F5A9.4080107@cox.net>

Stephen Smalley wrote:
> On Tue, 2007-06-05 at 11:59 -0700, Ken wrote:
>> Ken wrote:
>>> What can be sent and received as rawip to and from kernel_t, and what
>>> are the limitations of what can be done with the data? I am interested
>>> in understanding the security implications of this (and other) SELinux
>>> permissions. Is there anyone who can direct me to reference materials
>>> that explain the security implications of allowing various SELinux
>>> permissions?
>>>
>> Update:
>> It appears that allowing rawip did not fix the problem, but that it was
>> only a coincidence that the site worked for me after making the change;
>> so understanding this permission is now less important to me.
>>
>>
>> I am assuming that since no one answered any of my emails regarding
>> permission documentation that there is none. With this in mind, I
>> have a suggestion for those who have a good understanding of SELinux:
>> Please create documentation that will allow an individual to research
>> and understand the security implications of various permissions without
>> the need for taking the time to gain an extensive knowledge of the LSM
>> and SELinux. This would be very helpful to me (and I am sure to many
>> other people as well) since I only want to learn what I need to in order
>> to secure my system, and having a source of information would eliminate
>> the need to know enough to extract the information myself.
>
> Hi,
>
> There are some resources available, but not quite in the form that I
> think you wanted.
>
> 1) Reference policy documentation of its modules and interfaces
> locally viewable by running /usr/share/selinux/devel/policyhelp, or at:
> http://oss.tresys.com/docs/refpolicy/api/
> I think that this is really more suited to what you want, except that it
> is done on the higher level abstractions/interfaces of refpolicy instead
> of the individual permissions (and it needs more detail).
>
> 2) Overview of Classes and Permissions
> http://www.tresys.com/selinux/obj_perms_help.html
> These describe the meaning of the classes and permissions, but only in
> general terms, not for specific domains/types.
>
> 3) SELinux Policy Writing Class Slides
> http://www.tresys.com/selinux/selinux-course-outline
> (click on the slide titles to download them)
> This helps with understanding the policy constructs in general, but
> won't give much detail about individual classes/perms except for the
> specific cases covered.
>
> 4) SELinux by Example book
> http://www.phptr.com/bookstore/product.asp?isbn=0131963694&rl=1
> This has an appendix much like the overview in (2), but like (3), I
> think most of this book is more oriented toward the policy concepts and
> constructs than the individual classes/perms.
>
> 5) Original SELinux tech report
> http://www.nsa.gov/selinux/papers/slinux-abs.cfm
> This was the original description of the classes and permissions and
> their rationales, although there have naturally been changes over time.
>
> 6) LSM-based SELinux tech report
> http://www.nsa.gov/selinux/papers/module-abs.cfm
> This described how the implementation changed for LSM and mapped the LSM hooks
> to SELinux permission checks, so while it can be useful in understanding
> the checks, it is too tied to the implementation to really meet your
> request.
>
> I think we'd all agree that better end user documentation is needed.
>

It will probably be a while before I can investigate all the material you have listed, but I wanted to thank you before the post became too old.
I have already reviewed some of the material, and at present I agree that it would be very helpful to have more detailed documentation of the basic SELinux permissions.

- Ken -

From ndsharma3101 at gmail.com Sat Jun 9 11:23:46 2007
From: ndsharma3101 at gmail.com (Nitish Dutt)
Date: Sat, 9 Jun 2007 16:53:46 +0530
Subject: checkpolicy
Message-ID: <22daaea00706090423w39c4a414w384988f03a9b26a3@mail.gmail.com>

Hi everybody, actually I am a newbie to this open source world and just working on SELinux as my project. I had started studying the source code of the checkpolicy component of SELinux but I'm not getting where to start and what the function of each file in the checkpolicy package is. Could anybody please help me out with that?

From foxdoismil at yahoo.com Sat Jun 9 17:53:51 2007
From: foxdoismil at yahoo.com (Fox 2000)
Date: Sat, 9 Jun 2007 10:53:51 -0700 (PDT)
Subject: Swat (samba configurator) working with SELinux
Message-ID: <283580.12033.qm@web32803.mail.mud.yahoo.com>

Hello,

I have a problem with the Swat Samba configurator module and SELinux:

SELinux=permissive => Swat works.
SELinux=enforcing => can't login to swat.

I've already searched the internet for support, but it looks like SELinux is something people still do not understand well. I include myself in this situation.

All the answers I get is turn SELinux off. I believe there must be a better idea than that!

Thanks for your time reading/answering this.

All the Best,
Fochi
From ftaylor at redhat.com Sun Jun 10 02:26:18 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Sat, 09 Jun 2007 20:26:18 -0600
Subject: Swat (samba configurator) working with SELinux
In-Reply-To: <283580.12033.qm@web32803.mail.mud.yahoo.com>
References: <283580.12033.qm@web32803.mail.mud.yahoo.com>
Message-ID: <1181442378.1301.6.camel@papa.taylor.com>

On Sat, 2007-06-09 at 10:53 -0700, Fox 2000 wrote:
> Hello,
>
> I have a problem with Swat Samba configurator module
> and SElinux:
>
> SELinux=permissive => Swat works.
> SELinux= enforcing => can't login to swat.
>
> I've already searched the internet for support, but it
> looks like SELinux is something people still do not
> understand well. I include myself in this situation.
>
> All the answers I get is turn SELinux off. I believe
> there must be a better idea than that!
>
> Thanks for your time reading/answering this.

Which version are you running?

Forrest

From piotreek23 at gmail.com Sun Jun 10 17:56:36 2007
From: piotreek23 at gmail.com (piotreek23 at gmail.com)
Date: Sun, 10 Jun 2007 19:56:36 +0200
Subject: Turboprint and FC7
Message-ID: <466C3B54.1000104@gmail.com>

Hi guys, I'm using turboprint drivers for my IP 1000 Canon. When I try to print from Open Office I get this below:

sealert -l 26616fa9-ba9f-44fb-9cf2-d1940f15217f

Summary
    SELinux is preventing /lib/ld-2.6.so (cupsd_t) "execmem" to (cupsd_t).

Detailed Description
    SELinux denied access requested by /lib/ld-2.6.so. It is not expected that this access is required by /lib/ld-2.6.so and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
    Source Context            system_u:system_r:cupsd_t:SystemLow-SystemHigh
    Target Context            system_u:system_r:cupsd_t:SystemLow-SystemHigh
    Target Objects            None [ process ]
    Affected RPM Packages     glibc-2.6-3 [application]
    Policy RPM                selinux-policy-2.6.4-13.fc7
    Selinux Enabled           True
    Policy Type               targeted
    MLS Enabled               True
    Enforcing Mode            Permissive
    Plugin Name               plugins.catchall
    Host Name                 c79-70.icpnet.pl
    Platform                  Linux *.icpnet.pl 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
    Alert Count               1
    First Seen                Sun Jun 10 19:48:42 2007
    Last Seen                 Sun Jun 10 19:48:42 2007
    Local ID                  26616fa9-ba9f-44fb-9cf2-d1940f15217f
    Line Numbers

Raw Audit Messages
    avc: denied { execmem } for comm="ld-linux.so.2" egid=7 euid=4 exe="/lib/ld-2.6.so" exit=0 fsgid=7 fsuid=4 gid=7 items=0 pid=3240 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=process tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tty=(none) uid=4

On FC 6 turboprint was working fine.

From selinux at gmail.com Sun Jun 10 20:45:25 2007
From: selinux at gmail.com (Tom London)
Date: Sun, 10 Jun 2007 13:45:25 -0700
Subject: audio-entropd needs some help....
Message-ID: <4c4ba1530706101345udbda791gc185f3fd79927cbd@mail.gmail.com>

Running latest Rawhide, targeted.

Running in enforcing mode, audio-entropyd fails to start.
Flipping to permissive mode and restarting, I get these:

type=AVC msg=audit(1181506748.052:78): avc: denied { read write } for pid=8712 comm="audio-entropyd" name="random" dev=tmpfs ino=3167 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1181506748.052:78): arch=40000003 syscall=5 success=yes exit=4 a0=804a2b3 a1=2 a2=0 a3=bfbbdef0 items=0 ppid=1 pid=8712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="audio-entropyd" exe="/usr/sbin/audio-entropyd" subj=system_u:system_r:entropyd_t:s0 key=(null)
type=AVC msg=audit(1181506748.052:79): avc: denied { dac_override } for pid=8712 comm="audio-entropyd" capability=1 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:system_r:entropyd_t:s0 tclass=capability
type=SYSCALL msg=audit(1181506748.052:79): arch=40000003 syscall=5 success=yes exit=5 a0=804a268 a1=0 a2=45ef7fc0 a3=804a268 items=0 ppid=1 pid=8712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="audio-entropyd" exe="/usr/sbin/audio-entropyd" subj=system_u:system_r:entropyd_t:s0 key=(null)

Looks like it wants read/write access to /dev/random plus dac_override.
tom
--
Tom London

From jprats at cesca.es Sun Jun 10 22:58:02 2007
From: jprats at cesca.es (Jordi Prats)
Date: Mon, 11 Jun 2007 00:58:02 +0200
Subject: SELinux & Xen
Message-ID: <466C81FA.2020702@cesca.es>

Hi all,

I've read this brief documentation on the Fedora and RHEL5 documentation pages:

http://fedoraproject.org/wiki/Docs/Fedora7VirtQuickStart#head-42db86c47fbb6d5abc7c6e5d931028d74d1b4102
https://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Virtualization-en-US/ch-virt-selinux-considerations.html

My understanding is that this will grant access to the device to the xen daemon (xend):

# semanage fcontext -a -t xen_image_t -f -b /dev/sda2
# restorecon /dev/sda2

But is there any way that you can be sure that a given domain can't access data on another Xen guest (a different device) using SELinux?

So, Xen guest A could only access /dev/sda, and Xen guest B could only access /dev/sdb, but they both are using the same xend daemon.

Thank you very much!

Jordi

--
......................................................................
        __
       / /          Jordi Prats Català
  C E / S / C A     Departament de Sistemes
     /_/            Centre de Supercomputació de Catalunya

  Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
  T. 93 205 6464 · F. 93 205 6979 · jprats at cesca.es
......................................................................
  pgp:0x5D0D1321
......................................................................

From jmorris at namei.org Mon Jun 11 04:32:59 2007
From: jmorris at namei.org (James Morris)
Date: Mon, 11 Jun 2007 00:32:59 -0400 (EDT)
Subject: SELinux & Xen
In-Reply-To: <466C81FA.2020702@cesca.es>
References: <466C81FA.2020702@cesca.es>
Message-ID:

On Mon, 11 Jun 2007, Jordi Prats wrote:

> But is there any way that you can be sure that a given domain can't access
> data on another Xen guest (a different device) using SELinux?
>
> So, Xen guest A could only access /dev/sda, and Xen guest B could
> only access /dev/sdb, but they both are using the same xend daemon.

There's some experimental work on providing SELinux style controls over Xen, see http://lists.xensource.com/archives/html/xense-devel/

--
James Morris

From dwalsh at redhat.com Mon Jun 11 17:36:07 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 Jun 2007 13:36:07 -0400
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4665E8ED.9030708@northwest-aero.com>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil> <4665C6D2.4040908@northwest-aero.com> <4665D254.5050902@redhat.com> <4665D601.4000804@northwest-aero.com> <4665D8A4.9030801@redhat.com> <4665DAFE.1010701@northwest-aero.com> <4665E8ED.9030708@northwest-aero.com>
Message-ID: <466D8807.2000905@redhat.com>

John Lindgren wrote:
> Just to close this thread out:
>
> I upgraded to:
> # rpm -qa|grep selinux-policy
> selinux-policy-targeted-2.6.4-13.fc7
> selinux-policy-2.6.4-13.fc7
> selinux-policy-devel-2.6.4-13.fc7
>
> removed the local.pp I made earlier:
> # semodule -r local
>
> forced a reload of the policy:
> # semodule -R
>
> rotated the audit log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then I went and exercised the mail system, sendmail, mailman,
> MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I
> remember when it was simpler.
>
> took a look at the fresh audit.log
> # audit2allow -a
>
> And there were all the usual suspects:
> #============= clamscan_t ==============
> allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
> allow clamscan_t clamd_var_lib_t:file { write create unlink };

clamscan writes files in /var/lib/clamav?
>
> allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };

This should probably be dontaudited, especially the create/write parts.

> allow clamscan_t initrc_tmp_t:file { write getattr read lock create
> unlink };
> allow clamscan_t tmpfs_t:dir { read search getattr };
> allow clamscan_t tmpfs_t:file { read getattr };

What are these for?

> allow clamscan_t var_spool_t:file { read write };
>

This looks like something is mislabeled? What file is labeled var_spool_t that clamscan is trying to write?

> #============= httpd_t ==============
> allow httpd_t pop_port_t:tcp_socket name_connect;
>

setsebool -P httpd_can_sendmail=1 should fix this

> #============= procmail_t ==============
> allow procmail_t var_spool_t:file read;
>

Same mislabeled file from above?

> #============= system_mail_t ==============
> allow system_mail_t httpd_t:file read;

Why would system mail be looking at httpd process data?

>
> But notice, NO DOVECOT!
>
>
> made a module:
> # cat /var/log/audit/audit.log | audit2allow -M localMAIL
>
> installed it:
> # semodule -i localMAIL.pp
>
> put selinux back into enforce:
> # setenforce 1
>
> and re-rotated the log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then sat back and waited for the phone to ring... {quiet}
>
> Confirmed with:
> # audit2allow -a
>
> And got nothing. Everything working great now.
>
> New policy package fixed dovecot problem, Thanks Again.
>
> John
>
> John Lindgren wrote:
>> Thank You for your help!
>>
>> John
>>
>> Daniel J Walsh wrote:
>>
>>> John Lindgren wrote:
>>>
>>>> I defined the other permissions in local.te so that it would
>>>> compile and then installed local.pp. Switching to setenforce 1
>>>> dovecot logins with pam now WORK!... as far as I can tell. ;)
>>>>
>>>> Will upgrade to the new policy later tonight.
>>>>
>>>> Should I then remove the local.pp I just compiled and see what
>>>> messages I get?
>>>>
>>>> John
>>>
>>>
>>> yes
>>>
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>

From dwalsh at redhat.com  Mon Jun 11 17:38:05 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 Jun 2007 13:38:05 -0400
Subject: Alsa and /etc/ in F7
In-Reply-To: <1181133868.3699.28.camel@moss-spartans.epoch.ncsc.mil>
References: <1181085608.3284.6.camel@vincent52.localdomain> <1181133868.3699.28.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <466D887D.9010102@redhat.com>

Stephen Smalley wrote:
> On Tue, 2007-06-05 at 19:20 -0400, Matthew Saltzman wrote:
>
>> Every time I suspend my laptop, I get the following from the
>> troubleshooter:
>>
>> SELinux is preventing /sbin/alsactl (alsa_t) "write" to etc (etc_t).
>>
>
> Specific avc message from /var/log/audit/audit.log or /var/log/messages?
>
> We need to know the precise file/directory being modified there.
>
> Probably /etc/asound.state
This is mislabeled. And I believe it should be fixed in the latest policy (2.6.4-13)
>> The suggestion to restorecon /etc doesn't seem very sensible, and
>> doesn't change anything anyway (so the suggestion is that it's a policy
>> bug).
>>
>> From the Additional Information:
>>
>> Source Context: system_u:system_r:alsa_t
>> Target Context: system_u:object_r:etc_t
>> Target Objects: etc [ dir ]
>> Affected RPM Packages: alsa-utils-1.0.14-0.5.rc2.fc7
>> [application]filesystem-2.4.6-1.fc7 [target]
>> Policy RPM: selinux-policy-2.6.4-8.fc7
>> Selinux Enabled: True
>> Policy Type: targeted
>> MLS Enabled: True
>> Enforcing Mode: Enforcing
>> Plugin Name: plugins.mislabeled_file
>>

From dwalsh at redhat.com  Mon Jun 11 17:39:01 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 Jun 2007 13:39:01 -0400
Subject: Firewall problem
In-Reply-To: <93922c8b0706061650o46ea1388sf4947ac0fb455106@mail.gmail.com>
References: <93922c8b0706061650o46ea1388sf4947ac0fb455106@mail.gmail.com>
Message-ID: <466D88B5.7020003@redhat.com>

nichol425 wrote:
> Hi folks;
>
> I am having problems adding ports on my newly installed Fedora7.
> I am using the GUI tools system/administration/Firewall and SElinux, then
> input my admin password as requested. I click otherports and find out
> the "add+" button is grayed out.
> If I add the port the system will not take it.
>
> On my Fedora 6 the "add +" button is green.
> The other issue is I can not add a time server as well. The same "add+"
> button is grayed out.
>
> Did I miss something?? Can anyone advise how to fix it.
>
> Thanks
> Jim
>
You are asking on the wrong list. You should ask on the Fedora list.

From dwalsh at redhat.com  Mon Jun 11 17:41:33 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 Jun 2007 13:41:33 -0400
Subject: AVC Denied Dhcp and Iptables.
In-Reply-To: <112c19290706062318i6e39f009mba1bebe366097d2f@mail.gmail.com>
References: <112c19290706062318i6e39f009mba1bebe366097d2f@mail.gmail.com>
Message-ID: <466D894D.20508@redhat.com>

piotreek wrote:
> Hi guys, I found some strange messages in my logs. It seems that
> selinux is blocking dhcp and iptables.
> I found a similar post on the group about DHCP but my messages are
> different. I am using FC7; the latest policy update didn't resolve the problem.
> P.S. I am using Firestarter as my firewall.
I believe you will need to write custom policy to make this work. You
can simply add these rules using audit2allow.

# grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc

# semodule -i mydhcpc.pp

Having dhcpc allowed to turn on/off firewall rules is of debatable
security risk.
> Have a look
>
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc: denied
> { execute } for pid=1775 comm="sh" name="iptables" dev=sdb1
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc: denied
> { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:6): avc: denied
> { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc: denied
> { execute } for pid=1776 comm="sh" name="iptables" dev=sdb1
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:8): avc: denied
> { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:9): avc: denied
> { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:10): avc: denied
> { execute } for pid=1778 comm="sh" name="iptables" dev=sdb1
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:11): avc: denied
> { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:12): avc: denied
> { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun 7 08:08:54 c79-70 kernel: audit(1181196527.975:13):
> audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
> Greetings Peter
>

From dwalsh at redhat.com  Mon Jun 11 17:48:33 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 Jun 2007 13:48:33 -0400
Subject: Bug in selinux-policy-strict.noarch 0:2.6.4-13.fc7
In-Reply-To: <46697E3C.1060807@gmail.com>
References: <466869D0.60004@pierre.juhen> <46697E3C.1060807@gmail.com>
Message-ID: <466D8AF1.4000508@redhat.com>

David-Alexandre Davidson wrote:
> I have the exact same problem.
>
> I didn't notice at first because it was installed within a script and
> yum reported a success.
> But when I rebooted in a permissive state I had a bunch of audit messages,
> and
> /etc/selinux/strict/modules/active/modules is empty.
> semodule --list returns an empty list also.
>
>
>
>> I was not able to install selinux-policy-strict.noarch 0:2.6.4-13.fc7 :
>>
>> Here is the trace.
>>
>> Thanks,
>>
>>
>> _______________________________________________________
>>
>> yum install selinux-policy-strict
>> Loading "installonlyn" plugin
>> Setting up Install Process
>> Parsing package install arguments
>> livna                     100% |=========================| 1.1 kB    00:00
>> fedora                    100% |=========================| 2.1 kB    00:00
>> updates                   100% |=========================| 1.9 kB    00:00
>> Resolving Dependencies
>> --> Running transaction check
>> ---> Package selinux-policy-strict.noarch 0:2.6.4-13.fc7 set to be
>> updated
>>
>> Dependencies Resolved
>>
>> =============================================================================
>>  Package                 Arch       Version          Repository        Size
>> =============================================================================
>> Installing:
>>  selinux-policy-strict   noarch     2.6.4-13.fc7     updates           1.6 M
>>
>> Transaction Summary
>> =============================================================================
>> Install      1 Package(s)
>> Update       0 Package(s)
>> Remove       0 Package(s)
>>
>> Total download size: 1.6 M
>> Is this ok [y/N]: y
>> Downloading Packages:
>> (1/1): selinux-policy-str 100% |=========================| 1.6 MB    00:26
>> Running Transaction Test
>> Finished Transaction Test
>> Transaction Test Succeeded
>> Running Transaction
>>   Installing: selinux-policy-strict        ######################### [1/1]
>> libsepol.context_from_record: type unconfined_execmem_exec_t is not
>> defined
>> libsepol.context_from_record: could not create context structure
>> libsepol.context_from_string: could not create context structure
>> libsepol.sepol_context_to_sid: could not convert
>> system_u:object_r:unconfined_execmem_exec_t:s0 to sid
>> /etc/selinux/strict/contexts/files/file_contexts: line 597 has
>> invalid context system_u:object_r:unconfined_execmem_exec_t:s0
>> libsemanage.semanage_install_active: setfiles returned error code 1.
>> semodule: Failed!
>>
>> Installed: selinux-policy-strict.noarch 0:2.6.4-13.fc7
>> Complete!
>>
>>
>
This will be fixed in 2.6.4-14

From dwalsh at redhat.com  Mon Jun 11 17:49:40 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 Jun 2007 13:49:40 -0400
Subject: checkpolicy
In-Reply-To: <22daaea00706090423w39c4a414w384988f03a9b26a3@mail.gmail.com>
References: <22daaea00706090423w39c4a414w384988f03a9b26a3@mail.gmail.com>
Message-ID: <466D8B34.9080506@redhat.com>

Nitish Dutt wrote:
> Hi everybody
> Actually I am a newbie to this open source world and just working on
> SElinux as my project. I had started studying the source code of the
> checkpolicy component of SELinux but I'm not getting where to
> start and what the function of each file in the checkpolicy
> package is. Could anybody please help me out with that.........
>
Questions like this should be asked on the selinux development list
selinux at tycho.nsa.gov

From dwalsh at redhat.com  Mon Jun 11 17:50:25 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 Jun 2007 13:50:25 -0400
Subject: Swat (samba configurator) working with SELinux
In-Reply-To: <1181442378.1301.6.camel@papa.taylor.com>
References: <283580.12033.qm@web32803.mail.mud.yahoo.com> <1181442378.1301.6.camel@papa.taylor.com>
Message-ID: <466D8B61.6080700@redhat.com>

Forrest Taylor wrote:
> On Sat, 2007-06-09 at 10:53 -0700, Fox 2000 wrote:
>
>> Hello,
>>
>> I have a problem with Swat Samba configurator module
>> and SElinux:
>>
>> SELinux=permissive => Swat works.
>> SELinux= enforcing => can't login to swat.
>>
>> I've already searched the internet for support, but it
>> looks like SELinux is something people still do not
>> understand well. I include myself in this situation.
>>
>> All the answers I get are "turn SELinux off". I believe
>> there must be a better idea than that!
>>
>> Thanks for your time reading/answering this.
>>
>
> Which version are you running?
>
> Forrest
>
We need the avc message from /var/log/audit/audit.log or /var/log/messages

From piotreek23 at gmail.com  Mon Jun 11 18:03:27 2007
From: piotreek23 at gmail.com (piotreek)
Date: Mon, 11 Jun 2007 20:03:27 +0200
Subject: AVC Denied Dhcp and Iptables.
In-Reply-To: <112c19290706111101k25c106dp8620a59d6f823c95@mail.gmail.com>
References: <112c19290706062318i6e39f009mba1bebe366097d2f@mail.gmail.com> <466D894D.20508@redhat.com> <112c19290706111101k25c106dp8620a59d6f823c95@mail.gmail.com>
Message-ID: <112c19290706111103t6a79eb8esfe036a88cca53d13@mail.gmail.com>

2007/6/11, piotreek :
>
> 2007/6/11, Daniel J Walsh :
> >
> > piotreek wrote:
> > > Hi guys, I found some strange messages in my logs. It seems that
> > > selinux is blocking dhcp and iptables.
> > > I found a similar post on the group about DHCP but my messages are
> > > different. I am using FC7; the latest policy update didn't resolve the
> > problem.
> > > P.S. I am using Firestarter as my firewall.
> > I believe you will need to write custom policy to make this work. You
> > can simply add these rules using audit2allow.
> >
> > # grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
> >
> > # semodule -i mydhcpc.pp
> >
> > Having dhcpc allowed to turn on/off firewall rules is of debatable
> > security risk.
>
> THX, but I found what was causing the problem. Firestarter was causing these
> messages. After uninstalling it I have written my own iptables script, and the
> strange messages disappeared.
>
>

From dwalsh at redhat.com  Mon Jun 11 18:13:52 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 Jun 2007 14:13:52 -0400
Subject: openvpn on fedora 7
In-Reply-To: <46698F25.6000005@gillens.us>
References: <46683EBD.707@gillens.us> <4669793A.2060401@noggle.biz> <46698F25.6000005@gillens.us>
Message-ID: <466D90E0.2090604@redhat.com>

Matthew Gillen wrote:
> Philip Tricca wrote:
>
>> Matthew Gillen wrote:
>>
>>> I had to add the following module before openvpn would work. The
>>> first issue
>>> was that openvpn didn't have permission to write a .pid file to
>>> /var/run/openvpn. The other problem seemed to be that a TCP socket
>>> could not
>>> be created (the name_connect part).
>>>
>>> The dac_override is something that I don't get. Why would openvpn
>>> need that?
>>> Unix permissions problems?
>>>
>> I believe "dac_override" means that a process running as root is trying
>> to violate the DAC policy. Consider a file owned by user Alice with rw
>> permissions for the owner, all else denied (600). Historically the root
>> user is identified by the kernel and all DAC checks are bypassed.
>> SELinux prevents processes running with root's uid from doing such
>> things. This is a good example of SELinux attempting to turn root into
>> just another regular user.
>>
>
> That's pretty cool.
>
>
>> I've run into these things when my daemon, which is typically run as a
>> lesser privileged user, is run as root. dac_override avcs were
>> generated for reading all of the config files and writing to the log
>> files (the ones that were already created).
>>
>
> Ok, so probably the unix permissions on /var/run/openvpn are messed up, where
> it's owned by the openvpn user but it writes the pid file while running as
> root before it drops privs. So if I fixed the unix perms I could probably
> purge the dac_override part.
>
> Thanks for the explanation.
>
> Matt
>
I have added these rules to selinux-policy-2.6.4-14

From dwalsh at redhat.com  Mon Jun 11 18:16:23 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 11 Jun 2007 14:16:23 -0400
Subject: udev file access
In-Reply-To: <4668456A.3080604@kobold.org>
References: <4668456A.3080604@kobold.org>
Message-ID: <466D9177.90102@redhat.com>

Michael Thomas wrote:
> I installed a custom udev rule in /etc/udev/rules.d/ that invokes a
> shell script to backup my usb thumb drive whenever it's plugged in. The
> script makes use of 'mkdir', 'find', and 'dd' to create the backup.
> The
> backups are created in a /images/backups directory, that has the default
> label 'user_u:object_r:file_t'.
>
> When udev launches the script, I get avcs because udev isn't allowed to
> write to file_t (not surprising):
>
> avc: denied { read } for comm="find" dev=sda3 egid=0 euid=0
> exe="/usr/bin/find" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
> pid=4539 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
> tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0
>
> How should this backup directory get labeled so that udev can write to
> it? Or should I create a custom file context for backup files and then
> give udev_t permission to write to the backup file context?
>
> --Mike
>
You could mount your usb device as udev_var_run_t and udev would be
allowed to write to it. Or you can write custom policy.

From selinux at gmail.com  Mon Jun 11 19:07:43 2007
From: selinux at gmail.com (Tom London)
Date: Mon, 11 Jun 2007 12:07:43 -0700
Subject: audio-entropd needs some help....
In-Reply-To: <4c4ba1530706101345udbda791gc185f3fd79927cbd@mail.gmail.com>
References: <4c4ba1530706101345udbda791gc185f3fd79927cbd@mail.gmail.com>
Message-ID: <4c4ba1530706111207i4ebc30c4u883188efba0417cf@mail.gmail.com>

On 6/10/07, Tom London wrote:
> Running latest Rawhide, targeted.
>
> Running in enforcing mode, audio-entropyd fails to start.
>
> Flipping to permissive mode and restarting, I get these:
>
> type=AVC msg=audit(1181506748.052:78): avc: denied { read write }
> for pid=8712 comm="audio-entropyd" name="random" dev=tmpfs ino=3167
> scontext=system_u:system_r:entropyd_t:s0
> tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
> type=SYSCALL msg=audit(1181506748.052:78): arch=40000003 syscall=5
> success=yes exit=4 a0=804a2b3 a1=2 a2=0 a3=bfbbdef0 items=0 ppid=1
> pid=8712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="audio-entropyd"
> exe="/usr/sbin/audio-entropyd" subj=system_u:system_r:entropyd_t:s0
> key=(null)
> type=AVC msg=audit(1181506748.052:79): avc: denied { dac_override }
> for pid=8712 comm="audio-entropyd" capability=1
> scontext=system_u:system_r:entropyd_t:s0
> tcontext=system_u:system_r:entropyd_t:s0 tclass=capability
> type=SYSCALL msg=audit(1181506748.052:79): arch=40000003 syscall=5
> success=yes exit=5 a0=804a268 a1=0 a2=45ef7fc0 a3=804a268 items=0
> ppid=1 pid=8712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="audio-entropyd"
> exe="/usr/sbin/audio-entropyd" subj=system_u:system_r:entropyd_t:s0
> key=(null)
>
> Looks like it wants read/write access to /dev/random plus dac_override.
>
Seemed to have missed this one:

type=AVC msg=audit(1181576467.185:18): avc: denied { ioctl } for pid=3214 comm="audio-entropyd" name="random" dev=tmpfs ino=3258 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1181576467.185:18): arch=40000003 syscall=54 success=no exit=-13 a0=4 a1=80045200 a2=bfd346dc a3=bfd30630 items=0 ppid=1 pid=3214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="audio-entropyd" exe="/usr/sbin/audio-entropyd" subj=system_u:system_r:entropyd_t:s0 key=(null)
type=AVC_PATH msg=audit(1181576467.185:18): path="/dev/random"

tom
-- 
Tom London

From tcallawa at redhat.com  Mon Jun 11 21:16:31 2007
From: tcallawa at redhat.com (Tom "spot" Callaway)
Date: Mon, 11 Jun 2007 16:16:31 -0500
Subject: audio-entropd needs some help....
In-Reply-To: <4c4ba1530706111207i4ebc30c4u883188efba0417cf@mail.gmail.com>
References: <4c4ba1530706101345udbda791gc185f3fd79927cbd@mail.gmail.com> <4c4ba1530706111207i4ebc30c4u883188efba0417cf@mail.gmail.com>
Message-ID: <1181596591.4596.1.camel@localhost.localdomain>

On Mon, 2007-06-11 at 12:07 -0700, Tom London wrote:
> On 6/10/07, Tom London wrote:
> > Running latest Rawhide, targeted.
> >
> > Running in enforcing mode, audio-entropyd fails to start.
> >
> > Flipping to permissive mode and restarting, I get these:

(audit messages snipped)

I tried to make a module for audio-entropyd to fix this, but it doesn't
seem to do the job. Can anyone advise me on what I'm doing wrong?
Here are my three files:

http://people.redhat.com/tcallawa/selinux/

Thanks in advance,

~spot

From paul at city-fan.org  Tue Jun 12 09:31:31 2007
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 12 Jun 2007 10:31:31 +0100
Subject: "Could not change policy booleans"
In-Reply-To: <4662C668.9000604@gmx.ch>
References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch>
Message-ID: <466E67F3.8070406@city-fan.org>

Nils Caspar wrote:
>> That should have been solved by an update to dbus in fc6 a month ago.
> What Fedora
>> release are you running? Are you completely updated?
> I'm running a fully updated Fedora 7.
>
>> That should have worked. That should be the correct syntax. Was there
> an avc
>> associated with trying to set this?
> There was no other warning.
>
> I have the same problem in another Fedora 7 VM. Maybe it's a Fedora 7
> bug... :(

I've just hit the same problem on a fresh Fedora 7 install, with all
released updates.

Paul.

From sds at tycho.nsa.gov  Tue Jun 12 11:32:45 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 12 Jun 2007 07:32:45 -0400
Subject: audio-entropd needs some help....
In-Reply-To: <1181596591.4596.1.camel@localhost.localdomain>
References: <4c4ba1530706101345udbda791gc185f3fd79927cbd@mail.gmail.com> <4c4ba1530706111207i4ebc30c4u883188efba0417cf@mail.gmail.com> <1181596591.4596.1.camel@localhost.localdomain>
Message-ID: <1181647965.17547.5.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-06-11 at 16:16 -0500, Tom "spot" Callaway wrote:
> On Mon, 2007-06-11 at 12:07 -0700, Tom London wrote:
> > On 6/10/07, Tom London wrote:
> > > Running latest Rawhide, targeted.
> > >
> > > Running in enforcing mode, audio-entropyd fails to start.
> > >
> > > Flipping to permissive mode and restarting, I get these:
>
> (audit messages snipped)
>
> I tried to make a module for audio-entropyd to fix this, but it doesn't
> seem to do the job. Can anyone advise me on what I'm doing wrong?
>
> Here are my three files:
>
> http://people.redhat.com/tcallawa/selinux/
>
> Thanks in advance,

Can you clarify what you mean by "doesn't seem to do the job"? You
still get avc denials? Which ones?

Some avc denials may be caused by components other than the TE rules,
audit2why tries to diagnose them (but is pretty klunky at present).

-- 
Stephen Smalley
National Security Agency

From number.cruncher at ntlworld.com  Tue Jun 12 14:36:12 2007
From: number.cruncher at ntlworld.com (Number Cruncher)
Date: Tue, 12 Jun 2007 15:36:12 +0100
Subject: apcupsd problems on FC7
Message-ID: <466EAF5C.9080209@ntlworld.com>

I have an APC UPS supporting one of our web servers and would like to
keep SELinux enabled, but apcupsd is unable to run its support script
/etc/apcupsd/apccontrol when a power-out event occurs. This script is
needed to gracefully inform users and power off the machine cleanly.

Jun 12 12:51:40 web kernel: audit(1181649100.560:15): avc: denied { execute } for pid=4129 comm="apcupsd" name="apccontrol" dev=dm-0 ino=1870532 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jun 12 12:51:40 web kernel: audit(1181649100.560:16): avc: denied { execute } for pid=4130 comm="apcupsd" name="apccontrol" dev=dm-0 ino=1870532 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

I've tried writing a local policy, but just seem to propagate the problem:

module local 1.0;

require {
	type bin_t;
	type apcupsd_t;
	type net_conf_t;
	type etc_t;
	type shell_exec_t;
	type hostname_exec_t;
	type proc_t;
	class file { read execute getattr execute_no_trans };
	class dir search;
	class lnk_file read;
}

#============= apcupsd_t ==============
allow apcupsd_t etc_t:file execute;
allow apcupsd_t etc_t:file execute_no_trans;
allow apcupsd_t net_conf_t:file read;
allow apcupsd_t bin_t:dir search;
allow apcupsd_t bin_t:lnk_file read;
allow apcupsd_t shell_exec_t:file execute;
allow apcupsd_t shell_exec_t:file read;
allow apcupsd_t bin_t:file { read getattr execute execute_no_trans };
allow apcupsd_t hostname_exec_t:file { read execute getattr };
allow apcupsd_t proc_t:file { read getattr };

type=AVC msg=audit(1181656523.928:210): avc: denied { read write } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:210): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8002 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1181656523.928:211): avc: denied { read } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:211): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8000 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1181656523.928:212): avc: denied { read write } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:212): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8002 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1181656523.928:213): avc: denied { read } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:213): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8000 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null)
type=USER_AVC msg=audit(1181656637.910:214): user pid=1869 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'

System:
kernel-2.6.21-1.3226.fc7
selinux-policy-2.6.4-13.fc7

Any help appreciated,
Simon

From tcallawa at redhat.com  Tue Jun 12 15:39:21 2007
From: tcallawa at redhat.com (Tom "spot" Callaway)
Date: Tue, 12 Jun 2007 10:39:21 -0500
Subject: audio-entropd needs some help....
In-Reply-To: <1181647965.17547.5.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba1530706101345udbda791gc185f3fd79927cbd@mail.gmail.com> <4c4ba1530706111207i4ebc30c4u883188efba0417cf@mail.gmail.com> <1181596591.4596.1.camel@localhost.localdomain> <1181647965.17547.5.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1181662761.3557.3.camel@localhost.localdomain>

On Tue, 2007-06-12 at 07:32 -0400, Stephen Smalley wrote:
> On Mon, 2007-06-11 at 16:16 -0500, Tom "spot" Callaway wrote:
> > On Mon, 2007-06-11 at 12:07 -0700, Tom London wrote:
> > > On 6/10/07, Tom London wrote:
> > > > Running latest Rawhide, targeted.
> > > >
> > > > Running in enforcing mode, audio-entropyd fails to start.
> > > >
> > > > Flipping to permissive mode and restarting, I get these:
> >
> > (audit messages snipped)
> >
> > I tried to make a module for audio-entropyd to fix this, but it doesn't
> > seem to do the job. Can anyone advise me on what I'm doing wrong?
> >
> > Here are my three files:
> >
> > http://people.redhat.com/tcallawa/selinux/
> >
> > Thanks in advance,
>
> Can you clarify what you mean by "doesn't seem to do the job"? You
> still get avc denials? Which ones?
I'm still getting similar avc denials:

Raw Audit Messages :avc: denied { read, write } for comm="audio-entropyd" dev=tmpfs egid=0 euid=0 exe="/usr/sbin/audio-entropyd" exit=4 fsgid=0 fsuid=0 gid=0 items=0 name="random" pid=3939 scontext=user_u:system_r:entropyd_t:s0 sgid=0 subj=user_u:system_r:entropyd_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:random_device_t:s0 tty=(none) uid=0

Raw Audit Messages :avc: denied { dac_override } for comm="audio-entropyd" egid=0 euid=0 exe="/usr/sbin/audio-entropyd" exit=5 fsgid=0 fsuid=0 gid=0 items=0 pid=3939 scontext=user_u:system_r:entropyd_t:s0 sgid=0 subj=user_u:system_r:entropyd_t:s0 suid=0 tclass=capability tcontext=user_u:system_r:entropyd_t:s0 tty=(none) uid=0

~spot

From dwalsh at redhat.com  Tue Jun 12 17:00:46 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 12 Jun 2007 13:00:46 -0400
Subject: "Could not change policy booleans"
In-Reply-To: <466E67F3.8070406@city-fan.org>
References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org>
Message-ID: <466ED13E.3060100@redhat.com>

Paul Howarth wrote:
> Nils Caspar wrote:
>>> That should have been solved by an update to dbus in fc6 a month ago.
>> What Fedora
>>> release are you running? Are you completely updated?
>> I'm running a fully updated Fedora 7.
>>
>>> That should have worked. That should be the correct syntax. Was there
>> an avc
>>> associated with trying to set this?
>> There was no other warning.
>>
>> I have the same problem in another Fedora 7 VM. Maybe it's a Fedora 7
>> bug... :(
>
> I've just hit the same problem on a fresh Fedora 7 install, with all
> released updates.
>
> Paul.
>
Does this fix the problem?
restorecon -R -v /etc/selinux/targeted

From dwalsh at redhat.com  Tue Jun 12 17:07:27 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 12 Jun 2007 13:07:27 -0400
Subject: audio-entropd needs some help....
In-Reply-To: <1181662761.3557.3.camel@localhost.localdomain>
References: <4c4ba1530706101345udbda791gc185f3fd79927cbd@mail.gmail.com> <4c4ba1530706111207i4ebc30c4u883188efba0417cf@mail.gmail.com> <1181596591.4596.1.camel@localhost.localdomain> <1181647965.17547.5.camel@moss-spartans.epoch.ncsc.mil> <1181662761.3557.3.camel@localhost.localdomain>
Message-ID: <466ED2CF.4010809@redhat.com>

Tom "spot" Callaway wrote:
> On Tue, 2007-06-12 at 07:32 -0400, Stephen Smalley wrote:
>
>> On Mon, 2007-06-11 at 16:16 -0500, Tom "spot" Callaway wrote:
>>
>>> On Mon, 2007-06-11 at 12:07 -0700, Tom London wrote:
>>>
>>>> On 6/10/07, Tom London wrote:
>>>>
>>>>> Running latest Rawhide, targeted.
>>>>>
>>>>> Running in enforcing mode, audio-entropyd fails to start.
>>>>>
>>>>> Flipping to permissive mode and restarting, I get these:
>>>>>
>>> (audit messages snipped)
>>>
>>> I tried to make a module for audio-entropyd to fix this, but it doesn't
>>> seem to do the job. Can anyone advise me on what I'm doing wrong?
>>>
>>> Here are my three files:
>>>
>>> http://people.redhat.com/tcallawa/selinux/
>>>
>>> Thanks in advance,
>>>
>> Can you clarify what you mean by "doesn't seem to do the job"? You
>> still get avc denials? Which ones?
>>
>
> I'm still getting similar avc denials:
>
> Raw Audit Messages :avc: denied { read, write } for
> comm="audio-entropyd" dev=tmpfs egid=0 euid=0
> exe="/usr/sbin/audio-entropyd" exit=4 fsgid=0 fsuid=0 gid=0 items=0
> name="random" pid=3939 scontext=user_u:system_r:entropyd_t:s0 sgid=0
> subj=user_u:system_r:entropyd_t:s0 suid=0 tclass=chr_file
> tcontext=system_u:object_r:random_device_t:s0 tty=(none) uid=0
>
> Raw Audit Messages :avc: denied { dac_override } for
> comm="audio-entropyd" egid=0 euid=0 exe="/usr/sbin/audio-entropyd"
> exit=5 fsgid=0 fsuid=0 gid=0 items=0 pid=3939
> scontext=user_u:system_r:entropyd_t:s0 sgid=0
> subj=user_u:system_r:entropyd_t:s0 suid=0 tclass=capability
> tcontext=user_u:system_r:entropyd_t:s0 tty=(none) uid=0
>
> ~spot
>
>
Are you sure you installed your pp file?

semodule -l

Will list the installed modules.

From olivares14031 at yahoo.com  Tue Jun 12 20:52:34 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 12 Jun 2007 13:52:34 -0700 (PDT)
Subject: mknod problem still present denied avc's
Message-ID: <247577.65677.qm@web52606.mail.re2.yahoo.com>

dmesg returns

audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir

After I did this again

[olivares at localhost ~]$ su -
Password:
[root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myinsmod.pp

[root at localhost ~]# semodule -i myinsmod.pp
[root at localhost ~]#

Selinux troubleshooter returned this:

avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766
scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0 Policy RPM: selinux-policy-2.6.4-8.fc7 Affected RPM Packages: coreutils-6.9-2.fc7 [application]Policy RPM: selinux-policy-2.6.4-12.fc7 How can I effectively fix this? This is my /etc/modprobe.conf [root at localhost Download]# cat /etc/modprobe.conf alias eth0 8139too alias scsi_hostadapter sata_via alias scsi_hostadapter1 pata_via alias snd-card-0 snd-via82xx options snd-card-0 index=0 options snd-via82xx index=0 install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0) [root at localhost Download]# Thanks, Antonio ____________________________________________________________________________________ Yahoo! oneSearch: Finally, mobile search that gives answers, not web links. http://mobile.yahoo.com/mobileweb/onesearch?refer=1ONXIC From ftaylor at redhat.com Tue Jun 12 21:42:33 2007 From: ftaylor at redhat.com (Forrest Taylor) Date: Tue, 12 Jun 2007 15:42:33 -0600 Subject: Hierarchy for sensitivity levels Message-ID: <1181684553.5153.18.camel@localhost.localdomain> I am teaching class this week and I had an interesting question from a student. We were discussing sensitivities and categories, and a student wondered about the hierarchical nature of sensitivities and categories. 
Assuming that s0 is unclassified, s1 is classified, s2 is secret and s3 is top secret, and s0 From amessina at messinet.com Tue Jun 12 22:21:57 2007 From: amessina at messinet.com (Anthony Messina) Date: Tue, 12 Jun 2007 17:21:57 -0500 Subject: apcupsd problems on FC7 In-Reply-To: <466EAF5C.9080209@ntlworld.com> References: <466EAF5C.9080209@ntlworld.com> Message-ID: <200706121722.01136.amessina@messinet.com> On Tuesday 12 June 2007 09:36:12 Number Cruncher wrote: > I have an APC UPS supporting one of our web servers and would like to > keep SELinux enabled, but the apcupsd is unable to run its support > script /etc/apcupsd/apccontrol when a power out even occurs. This script > is needed to gracefully inform users and power off the machine cleanly. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=237744 -- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: From paul at city-fan.org Wed Jun 13 09:00:04 2007 From: paul at city-fan.org (Paul Howarth) Date: Wed, 13 Jun 2007 10:00:04 +0100 Subject: "Could not change policy booleans" In-Reply-To: <466ED13E.3060100@redhat.com> References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org> <466ED13E.3060100@redhat.com> Message-ID: <466FB214.6040505@city-fan.org> Daniel J Walsh wrote: > Paul Howarth wrote: >> Nils Caspar wrote: >>>> That should have been solved by an update to dbus in fc6 a month ago. >>> What Fedora >>>> release are you running? Are you completely updated? >>> I'm running a full updated fedora 7. >>> >>>> That should have worked. That should be the correct syntax. Was there >>> an avc >>>> associated with trying to set this? >>> There was no other warning. >>> >>> I have the same problem in an other fedora 7 VM. 
Maybe it's a fedora 7 >>> bug... :( >> >> I've just hit the same problem on a fresh Fedora 7 install, with all >> released updates. >> >> Paul. >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Does this fix the problem? > > restorecon -R -v /etc/selinux/targeted No; there are no AVC denials in the audit log (at least not relating to this...) so I don't think it's an SELinux permissions issue. Updating to the latest selinux package updates from updates-testing hasn't helped either. Paul. From sds at tycho.nsa.gov Wed Jun 13 12:49:23 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 13 Jun 2007 08:49:23 -0400 Subject: "Could not change policy booleans" In-Reply-To: <466FB214.6040505@city-fan.org> References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org> <466ED13E.3060100@redhat.com> <466FB214.6040505@city-fan.org> Message-ID: <1181738963.17547.323.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-06-13 at 10:00 +0100, Paul Howarth wrote: > Daniel J Walsh wrote: > > Paul Howarth wrote: > >> Nils Caspar wrote: > >>>> That should have been solved by an update to dbus in fc6 a month ago. > >>> What Fedora > >>>> release are you running? Are you completely updated? > >>> I'm running a full updated fedora 7. > >>> > >>>> That should have worked. That should be the correct syntax. Was there > >>> an avc > >>>> associated with trying to set this? > >>> There was no other warning. > >>> > >>> I have the same problem in an other fedora 7 VM. Maybe it's a fedora 7 > >>> bug... :( > >> > >> I've just hit the same problem on a fresh Fedora 7 install, with all > >> released updates. > >> > >> Paul. > >> > >> -- > >> fedora-selinux-list mailing list > >> fedora-selinux-list at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > Does this fix the problem? 
> > > > restorecon -R -v /etc/selinux/targeted > > No; there are no AVC denials in the audit log (at least not relating to > this...) so I don't think it's an SELinux permissions issue. > > Updating to the latest selinux package updates from updates-testing > hasn't helped either. Bug in setsebool (it is actually succeeding, but falling through to the error path and thus incorrectly saying that it failed, as a result of a "build fix"). Fixed in policycoreutils 2.0.21. -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Wed Jun 13 13:10:49 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 13 Jun 2007 09:10:49 -0400 Subject: Hierarchy for sensitivity levels In-Reply-To: <1181684553.5153.18.camel@localhost.localdomain> References: <1181684553.5153.18.camel@localhost.localdomain> Message-ID: <1181740249.17547.337.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2007-06-12 at 15:42 -0600, Forrest Taylor wrote: > I am teaching class this week and I had an interesting question from a > student. We were discussing sensitivities and categories, and a student > wondered about the hierarchical nature of sensitivities and categories. > Assuming that s0 is unclassified, s1 is classified, s2 is secret and s3 > is top secret, and s0 you also have access to s2, s1, s0. Is there a way to throw categories > in here so that users who have access to s3 do not necessarily have > access to all of s2 and lower? The dominance function is based on both the sensitivities and the category sets. A dominates B iff A's sensitivity >= B's sensitivity and A's category set is a superset of B's category set. The possible relationships are dominates, dominated by, equivalent, or incomparable. Under BLP/MLS, A can only read from B if A dominates B, and A can only write to B if A is dominated by B. Many MLS systems further limit A to only allow writing to B if A is equivalent to B, even though that isn't strictly required for BLP. 
To violate those properties (no read up, no write down), A has to be in a TE domain that is marked with one of the type attributes used as exceptions in the MLS constraints. -- Stephen Smalley National Security Agency From paul at city-fan.org Wed Jun 13 13:35:52 2007 From: paul at city-fan.org (Paul Howarth) Date: Wed, 13 Jun 2007 14:35:52 +0100 Subject: "Could not change policy booleans" In-Reply-To: <1181738963.17547.323.camel@moss-spartans.epoch.ncsc.mil> References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org> <466ED13E.3060100@redhat.com> <466FB214.6040505@city-fan.org> <1181738963.17547.323.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <466FF2B8.9020003@city-fan.org> Stephen Smalley wrote: > On Wed, 2007-06-13 at 10:00 +0100, Paul Howarth wrote: >> Daniel J Walsh wrote: >>> Paul Howarth wrote: >>>> Nils Caspar wrote: >>>>>> That should have been solved by an update to dbus in fc6 a month ago. >>>>> What Fedora >>>>>> release are you running? Are you completely updated? >>>>> I'm running a full updated fedora 7. >>>>> >>>>>> That should have worked. That should be the correct syntax. Was there >>>>> an avc >>>>>> associated with trying to set this? >>>>> There was no other warning. >>>>> >>>>> I have the same problem in an other fedora 7 VM. Maybe it's a fedora 7 >>>>> bug... :( >>>> I've just hit the same problem on a fresh Fedora 7 install, with all >>>> released updates. >>>> >>>> Paul. >>>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> Does this fix the problem? >>> >>> restorecon -R -v /etc/selinux/targeted >> No; there are no AVC denials in the audit log (at least not relating to >> this...) so I don't think it's an SELinux permissions issue. >> >> Updating to the latest selinux package updates from updates-testing >> hasn't helped either. 
> > Bug in setsebool (it is actually succeeding, but falling through to the > error path and thus incorrectly saying that it failed, as a result of a > "build fix"). Fixed in policycoreutils 2.0.21. Ah, saves me having to put something in an initscript :-) FC7 has policycoreutils-2.0.16-5.fc7 (from updates-testing), which seems a long way behind 2.0.21. Is a fix likely any time soon? Paul. From sds at tycho.nsa.gov Wed Jun 13 13:42:08 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 13 Jun 2007 09:42:08 -0400 Subject: "Could not change policy booleans" In-Reply-To: <466FF2B8.9020003@city-fan.org> References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org> <466ED13E.3060100@redhat.com> <466FB214.6040505@city-fan.org> <1181738963.17547.323.camel@moss-spartans.epoch.ncsc.mil> <466FF2B8.9020003@city-fan.org> Message-ID: <1181742128.17547.341.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-06-13 at 14:35 +0100, Paul Howarth wrote: > Stephen Smalley wrote: > > On Wed, 2007-06-13 at 10:00 +0100, Paul Howarth wrote: > >> Daniel J Walsh wrote: > >>> Paul Howarth wrote: > >>>> Nils Caspar wrote: > >>>>>> That should have been solved by an update to dbus in fc6 a month ago. > >>>>> What Fedora > >>>>>> release are you running? Are you completely updated? > >>>>> I'm running a full updated fedora 7. > >>>>> > >>>>>> That should have worked. That should be the correct syntax. Was there > >>>>> an avc > >>>>>> associated with trying to set this? > >>>>> There was no other warning. > >>>>> > >>>>> I have the same problem in an other fedora 7 VM. Maybe it's a fedora 7 > >>>>> bug... :( > >>>> I've just hit the same problem on a fresh Fedora 7 install, with all > >>>> released updates. > >>>> > >>>> Paul. > >>>> > >>>> -- > >>>> fedora-selinux-list mailing list > >>>> fedora-selinux-list at redhat.com > >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>> Does this fix the problem? 
> >>> > >>> restorecon -R -v /etc/selinux/targeted > >> No; there are no AVC denials in the audit log (at least not relating to > >> this...) so I don't think it's an SELinux permissions issue. > >> > >> Updating to the latest selinux package updates from updates-testing > >> hasn't helped either. > > > > Bug in setsebool (it is actually succeeding, but falling through to the > > error path and thus incorrectly saying that it failed, as a result of a > > "build fix"). Fixed in policycoreutils 2.0.21. > > Ah, saves me having to put something in an initscript :-) > > FC7 has policycoreutils-2.0.16-5.fc7 (from updates-testing), which seems > a long way behind 2.0.21. Is a fix likely any time soon? I sent Dan the patch separately as well, in case he wants to just apply it without updating otherwise. -- Stephen Smalley National Security Agency From tmz at pobox.com Wed Jun 13 14:15:14 2007 From: tmz at pobox.com (Todd Zullinger) Date: Wed, 13 Jun 2007 10:15:14 -0400 Subject: "Could not change policy booleans" In-Reply-To: <1181742128.17547.341.camel@moss-spartans.epoch.ncsc.mil> References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org> <466ED13E.3060100@redhat.com> <466FB214.6040505@city-fan.org> <1181738963.17547.323.camel@moss-spartans.epoch.ncsc.mil> <466FF2B8.9020003@city-fan.org> <1181742128.17547.341.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <20070613141514.GH27612@psilocybe.teonanacatl.org> Stephen Smalley wrote: > I sent Dan the patch separately as well, in case he wants to just > apply it without updating otherwise. It looks to be applied to the F-7 branch for 2.0.16-6: https://www.redhat.com/archives/fedora-extras-commits/2007-June/msg02348.html -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ...this would be the best of all possible worlds, if there were no religion in it. 
-- John Adams, Letter to Thomas Jefferson, 1816 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 542 bytes Desc: not available URL: From rdieter at math.unl.edu Wed Jun 13 17:50:45 2007 From: rdieter at math.unl.edu (Rex Dieter) Date: Wed, 13 Jun 2007 12:50:45 -0500 Subject: kdebase: selinux preventing appending to /var/log/kdm.log ? Message-ID: See also: http://bugzilla.redhat.com/243505 Raw Audit Messages avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500 euid=0 exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0 name="kdm.log" path="/var/log/kdm.log" pid=3804 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0 Any advice on how best to address this? -- Rex From dwalsh at redhat.com Thu Jun 14 14:02:35 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 14 Jun 2007 10:02:35 -0400 Subject: mknod problem still present denied avc's In-Reply-To: <247577.65677.qm@web52606.mail.re2.yahoo.com> References: <247577.65677.qm@web52606.mail.re2.yahoo.com> Message-ID: <46714A7B.3000108@redhat.com> Antonio Olivares wrote: > dmesg returns > > audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir > > After I did this again > > [olivares at localhost ~]$ su - > Password: > [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod > ******************** IMPORTANT *********************** > To make this policy package active, execute: > > semodule -i myinsmod.pp > > [root at localhost ~]# semodule -i myinsmod.pp > [root at localhost ~]# > > Selinux troubleshooter returned this: > > avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 
exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0
>
Yes, you allowed add_name to the directory; now it is complaining about the write. It is best to put the machine in permissive mode, run the app to completion, then generate the policy and retest in enforcing mode.

setenforce 0
run test
grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
semodule -i myinsmod.pp
setenforce 1
run test

> Policy RPM: selinux-policy-2.6.4-8.fc7
>
> Affected RPM Packages: coreutils-6.9-2.fc7 [application]Policy RPM: selinux-policy-2.6.4-12.fc7
>
> How can I effectively fix this?
>
> This is my /etc/modprobe.conf
>
> [root at localhost Download]# cat /etc/modprobe.conf
> alias eth0 8139too
> alias scsi_hostadapter sata_via
> alias scsi_hostadapter1 pata_via
> alias snd-card-0 snd-via82xx
> options snd-card-0 index=0
> options snd-via82xx index=0
> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
> [root at localhost Download]#
>
> Thanks,
>
> Antonio
>
> ____________________________________________________________________________________
> Yahoo! oneSearch: Finally, mobile search
> that gives answers, not web links.
> http://mobile.yahoo.com/mobileweb/onesearch?refer=1ONXIC
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Thu Jun 14 14:05:42 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 14 Jun 2007 10:05:42 -0400
Subject: kdebase: selinux preventing appending to /var/log/kdm.log ?
In-Reply-To: References: Message-ID: <46714B36.6080103@redhat.com>

Rex Dieter wrote:
> See also:
> http://bugzilla.redhat.com/243505
>
> Raw Audit Messages
>
> avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500 euid=0
> exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0
> name="kdm.log" path="/var/log/kdm.log" pid=3804
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500
> subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0
>

Well, you have a few choices.

1. Ignore it for now, since I doubt it causes any problem.

2. Write custom policy for it.

# grep pam_console_t /var/log/audit/audit.log | audit2allow -M mypamconsole
# semodule -i mypamconsole.pp

3. Wait for the next policy update, which will write a rule to dontaudit this.

> Any advice on how best to address this?
>
> -- Rex
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Thu Jun 14 14:14:03 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 14 Jun 2007 10:14:03 -0400
Subject: kdebase: selinux preventing appending to /var/log/kdm.log ?
In-Reply-To: <46714C62.3010502@math.unl.edu> References: <46714B36.6080103@redhat.com> <46714C62.3010502@math.unl.edu> Message-ID: <46714D2B.1070705@redhat.com> Rex Dieter wrote: > Daniel J Walsh wrote: >> Rex Dieter wrote: >>> See also: >>> http://bugzilla.redhat.com/243505 >>> >>> Raw Audit Messages >>> >>> avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500 >>> euid=0 >>> exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0 >>> name="kdm.log" path="/var/log/kdm.log" pid=3804 >>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500 >>> subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file >>> tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0 >>> >>> >> Well you have a few of choices. >> >> 1. Ignore it for now, since I doubt it causes any problem. >> >> 2. Write custom policy for it. >> >> # grep pam_console_t /var/log/audit/audit.log | audit2allow -M >> mypamconsole >> # semodule -i mypamconsole.pp >> >> 3. Wait for the next policy update which will write a rule to >> dontaudit this. > > Would it be-better/help if kdm.log was in /var/log/kdm/ dir instead of > /var/log/ directly? > > -- Rex Ordinarily yes, but in this case it does not matter. The problem is a redirection of stdout to the log file and pam_console_t does not have permission to write there. So it generates an avc when it starts pam_console. pam_console runs anyways and completes. 
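Dan's advice in the mknod thread (run in permissive mode so that every denial is logged in one pass, then collapse the log into a module with audit2allow) and the audit2allow invocation he gives for the pam_console_t denial above both rest on the same step: grouping AVC records by source type, target type and object class and merging the permissions. The following Python is an added example, not code from this list archive or from the policycoreutils sources. It parses the AVC records quoted in these messages (plus one constructed non-AVC audit line, which it skips), merges permissions per (source type, target type, class), and renders the TE source of a loadable module, writing `self` where the subject and target types match, as audit2allow does. It is a teaching aid, not a replacement for audit2allow: the reason the enforcing-mode loop in the mknod thread kept producing new denials is that the process stops at the first one, so the first module only contained add_name and the next run exposed write. Read every generated rule before loading it; a capability such as dac_override, or write on device_t, is the kind of line that deserves a policy fix rather than a blanket allow.

```python
"""Collapse AVC denials into allow rules the way audit2allow does (added example)."""
import re
from collections import defaultdict

# AVC records copied from the messages in this thread; the last entry is a
# constructed non-AVC audit line, included only to show that it is skipped.
SAMPLE_AVCS = [
    'audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" '
    'name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=dir',
    'avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 '
    'scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 '
    'suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0',
    'avc: denied { dac_override } for comm="audio-entropyd" egid=0 euid=0 '
    'exe="/usr/sbin/audio-entropyd" exit=5 pid=3939 '
    'scontext=user_u:system_r:entropyd_t:s0 tclass=capability '
    'tcontext=user_u:system_r:entropyd_t:s0',
    'avc: denied { append } for comm="pam_console_app" dev=sda6 name="kdm.log" '
    'path="/var/log/kdm.log" pid=3804 '
    'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tclass=file '
    'tcontext=system_u:object_r:xserver_log_t:s0',
    'type=SYSCALL msg=audit(1181681041.681:4): arch=40000003 syscall=39',  # constructed, not an AVC
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # "{ read, write }" and "{ read write }" both occur in the wild
    perms = frozenset(p.strip(",") for p in m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        stype = fields["scontext"].split(":")[2]  # user:role:type[:range]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def collect_rules(lines):
    """Merge every denial for the same (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules, version="1.0"):
    """Emit loadable-module TE source with the require block a .te file needs."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype  # audit2allow writes 'self' here too
        out.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("myinsmod", collect_rules(SAMPLE_AVCS)))
```

Run against the records above it prints one `allow insmod_t device_t:dir { add_name write };` line, which is exactly the rule the two enforcing-mode runs in the mknod thread produced one permission at a time. The generated .te still has to go through checkmodule and semodule_package before semodule -i will accept it.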
From dwalsh at redhat.com Thu Jun 14 14:15:12 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 14 Jun 2007 10:15:12 -0400 Subject: "Could not change policy booleans" In-Reply-To: <1181742128.17547.341.camel@moss-spartans.epoch.ncsc.mil> References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org> <466ED13E.3060100@redhat.com> <466FB214.6040505@city-fan.org> <1181738963.17547.323.camel@moss-spartans.epoch.ncsc.mil> <466FF2B8.9020003@city-fan.org> <1181742128.17547.341.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <46714D70.80605@redhat.com> Stephen Smalley wrote: > On Wed, 2007-06-13 at 14:35 +0100, Paul Howarth wrote: > >> Stephen Smalley wrote: >> >>> On Wed, 2007-06-13 at 10:00 +0100, Paul Howarth wrote: >>> >>>> Daniel J Walsh wrote: >>>> >>>>> Paul Howarth wrote: >>>>> >>>>>> Nils Caspar wrote: >>>>>> >>>>>>>> That should have been solved by an update to dbus in fc6 a month ago. >>>>>>>> >>>>>>> What Fedora >>>>>>> >>>>>>>> release are you running? Are you completely updated? >>>>>>>> >>>>>>> I'm running a full updated fedora 7. >>>>>>> >>>>>>> >>>>>>>> That should have worked. That should be the correct syntax. Was there >>>>>>>> >>>>>>> an avc >>>>>>> >>>>>>>> associated with trying to set this? >>>>>>>> >>>>>>> There was no other warning. >>>>>>> >>>>>>> I have the same problem in an other fedora 7 VM. Maybe it's a fedora 7 >>>>>>> bug... :( >>>>>>> >>>>>> I've just hit the same problem on a fresh Fedora 7 install, with all >>>>>> released updates. >>>>>> >>>>>> Paul. >>>>>> >>>>>> -- >>>>>> fedora-selinux-list mailing list >>>>>> fedora-selinux-list at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>>>> >>>>> Does this fix the problem? >>>>> >>>>> restorecon -R -v /etc/selinux/targeted >>>>> >>>> No; there are no AVC denials in the audit log (at least not relating to >>>> this...) so I don't think it's an SELinux permissions issue. 
>>>> >>>> Updating to the latest selinux package updates from updates-testing >>>> hasn't helped either. >>>> >>> Bug in setsebool (it is actually succeeding, but falling through to the >>> error path and thus incorrectly saying that it failed, as a result of a >>> "build fix"). Fixed in policycoreutils 2.0.21. >>> >> Ah, saves me having to put something in an initscript :-) >> >> FC7 has policycoreutils-2.0.16-5.fc7 (from updates-testing), which seems >> a long way behind 2.0.21. Is a fix likely any time soon? >> > > I sent Dan the patch separately as well, in case he wants to just apply > it without updating otherwise. > Fixed in policycoreutils -2.0.16-6.fc7 From paul at city-fan.org Thu Jun 14 14:45:28 2007 From: paul at city-fan.org (Paul Howarth) Date: Thu, 14 Jun 2007 15:45:28 +0100 Subject: "Could not change policy booleans" In-Reply-To: <46714D70.80605@redhat.com> References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org> <466ED13E.3060100@redhat.com> <466FB214.6040505@city-fan.org> <1181738963.17547.323.camel@moss-spartans.epoch.ncsc.mil> <466FF2B8.9020003@city-fan.org> <1181742128.17547.341.camel@moss-spartans.epoch.ncsc.mil> <46714D70.80605@redhat.com> Message-ID: <46715488.2050706@city-fan.org> Daniel J Walsh wrote: > Stephen Smalley wrote: >> On Wed, 2007-06-13 at 14:35 +0100, Paul Howarth wrote: >> >>> Stephen Smalley wrote: >>> >>>> On Wed, 2007-06-13 at 10:00 +0100, Paul Howarth wrote: >>>> >>>>> Daniel J Walsh wrote: >>>>> >>>>>> Paul Howarth wrote: >>>>>> >>>>>>> Nils Caspar wrote: >>>>>>> >>>>>>>>> That should have been solved by an update to dbus in fc6 a >>>>>>>>> month ago. >>>>>>>>> >>>>>>>> What Fedora >>>>>>>> >>>>>>>>> release are you running? Are you completely updated? >>>>>>>>> >>>>>>>> I'm running a full updated fedora 7. >>>>>>>> >>>>>>>> >>>>>>>>> That should have worked. That should be the correct syntax. 
Was >>>>>>>>> there >>>>>>>>> >>>>>>>> an avc >>>>>>>> >>>>>>>>> associated with trying to set this? >>>>>>>>> >>>>>>>> There was no other warning. >>>>>>>> >>>>>>>> I have the same problem in an other fedora 7 VM. Maybe it's a >>>>>>>> fedora 7 >>>>>>>> bug... :( >>>>>>>> >>>>>>> I've just hit the same problem on a fresh Fedora 7 install, with >>>>>>> all released updates. >>>>>>> >>>>>>> Paul. >>>>>>> >>>>>>> -- >>>>>>> fedora-selinux-list mailing list >>>>>>> fedora-selinux-list at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>>>>> >>>>>> Does this fix the problem? >>>>>> >>>>>> restorecon -R -v /etc/selinux/targeted >>>>>> >>>>> No; there are no AVC denials in the audit log (at least not >>>>> relating to this...) so I don't think it's an SELinux permissions >>>>> issue. >>>>> >>>>> Updating to the latest selinux package updates from updates-testing >>>>> hasn't helped either. >>>>> >>>> Bug in setsebool (it is actually succeeding, but falling through to the >>>> error path and thus incorrectly saying that it failed, as a result of a >>>> "build fix"). Fixed in policycoreutils 2.0.21. >>>> >>> Ah, saves me having to put something in an initscript :-) >>> >>> FC7 has policycoreutils-2.0.16-5.fc7 (from updates-testing), which >>> seems a long way behind 2.0.21. Is a fix likely any time soon? >>> >> >> I sent Dan the patch separately as well, in case he wants to just apply >> it without updating otherwise. >> > Fixed in policycoreutils > -2.0.16-6.fc7 Thanks. On an unrelated issue, where does the version number in the selinux-policy package come from? Upstream seems to do date-based releases rather than version number-based. I ask because I need to update my policy module for mod_fcgid and I'll need different versions for F7 (using patterns) and older releases (using create_file_perms etc.). Paul. 
From dwalsh at redhat.com Thu Jun 14 15:58:02 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 14 Jun 2007 11:58:02 -0400 Subject: "Could not change policy booleans" In-Reply-To: <46715488.2050706@city-fan.org> References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org> <466ED13E.3060100@redhat.com> <466FB214.6040505@city-fan.org> <1181738963.17547.323.camel@moss-spartans.epoch.ncsc.mil> <466FF2B8.9020003@city-fan.org> <1181742128.17547.341.camel@moss-spartans.epoch.ncsc.mil> <46714D70.80605@redhat.com> <46715488.2050706@city-fan.org> Message-ID: <4671658A.7080702@redhat.com> Paul Howarth wrote: > Daniel J Walsh wrote: >> Stephen Smalley wrote: >>> On Wed, 2007-06-13 at 14:35 +0100, Paul Howarth wrote: >>> >>>> Stephen Smalley wrote: >>>> >>>>> On Wed, 2007-06-13 at 10:00 +0100, Paul Howarth wrote: >>>>> >>>>>> Daniel J Walsh wrote: >>>>>> >>>>>>> Paul Howarth wrote: >>>>>>> >>>>>>>> Nils Caspar wrote: >>>>>>>> >>>>>>>>>> That should have been solved by an update to dbus in fc6 a >>>>>>>>>> month ago. >>>>>>>>>> >>>>>>>>> What Fedora >>>>>>>>> >>>>>>>>>> release are you running? Are you completely updated? >>>>>>>>>> >>>>>>>>> I'm running a full updated fedora 7. >>>>>>>>> >>>>>>>>> >>>>>>>>>> That should have worked. That should be the correct syntax. >>>>>>>>>> Was there >>>>>>>>>> >>>>>>>>> an avc >>>>>>>>> >>>>>>>>>> associated with trying to set this? >>>>>>>>>> >>>>>>>>> There was no other warning. >>>>>>>>> >>>>>>>>> I have the same problem in an other fedora 7 VM. Maybe it's a >>>>>>>>> fedora 7 >>>>>>>>> bug... :( >>>>>>>>> >>>>>>>> I've just hit the same problem on a fresh Fedora 7 install, >>>>>>>> with all released updates. >>>>>>>> >>>>>>>> Paul. >>>>>>>> >>>>>>>> -- >>>>>>>> fedora-selinux-list mailing list >>>>>>>> fedora-selinux-list at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>>>>>> >>>>>>> Does this fix the problem? 
>>>>>>> >>>>>>> restorecon -R -v /etc/selinux/targeted >>>>>>> >>>>>> No; there are no AVC denials in the audit log (at least not >>>>>> relating to this...) so I don't think it's an SELinux permissions >>>>>> issue. >>>>>> >>>>>> Updating to the latest selinux package updates from >>>>>> updates-testing hasn't helped either. >>>>>> >>>>> Bug in setsebool (it is actually succeeding, but falling through >>>>> to the >>>>> error path and thus incorrectly saying that it failed, as a result >>>>> of a >>>>> "build fix"). Fixed in policycoreutils 2.0.21. >>>>> >>>> Ah, saves me having to put something in an initscript :-) >>>> >>>> FC7 has policycoreutils-2.0.16-5.fc7 (from updates-testing), which >>>> seems a long way behind 2.0.21. Is a fix likely any time soon? >>>> >>> >>> I sent Dan the patch separately as well, in case he wants to just apply >>> it without updating otherwise. >>> >> Fixed in policycoreutils >> -2.0.16-6.fc7
>
> Thanks.
>
> On an unrelated issue, where does the version number in the
> selinux-policy package come from? Upstream seems to do date-based
> releases rather than version number-based. I ask because I need to
> update my policy module for mod_fcgid and I'll need different versions
> for F7 (using patterns) and older releases (using create_file_perms
> etc.).
>
> Paul.

It comes from me.

selinux-policy-2.3.4

Every time I release my own modifications I increment the last digit; every time I merge with upstream I update the middle number and reset the last digit to 1. Every time there is a major change to policy example-reference I increment the first digit. If you do a

rpm -qi selinux-policy

it will show you the revision this policy is based off of.

BTW, I am working on merging strict and targeted policy in Rawhide, which will increment the major number. selinux-policy-3.0.1 will be released soon.
From paul at city-fan.org Thu Jun 14 16:15:06 2007 From: paul at city-fan.org (Paul Howarth) Date: Thu, 14 Jun 2007 17:15:06 +0100 Subject: "Could not change policy booleans" In-Reply-To: <4671658A.7080702@redhat.com> References: <808892.53185.qm@web51510.mail.re2.yahoo.com> <4662C668.9000604@gmx.ch> <466E67F3.8070406@city-fan.org> <466ED13E.3060100@redhat.com> <466FB214.6040505@city-fan.org> <1181738963.17547.323.camel@moss-spartans.epoch.ncsc.mil> <466FF2B8.9020003@city-fan.org> <1181742128.17547.341.camel@moss-spartans.epoch.ncsc.mil> <46714D70.80605@redhat.com> <46715488.2050706@city-fan.org> <4671658A.7080702@redhat.com> Message-ID: <4671698A.6080601@city-fan.org> Daniel J Walsh wrote: > Paul Howarth wrote: >> On an unrelated issue, where does the version number in the >> selinux-policy package come from? Upstream seems to do date-based >> releases rather than version number-based. I ask because I need to >> update my policy module for mod_fcgid and I'll need different versions >> for F7 (using patterns) and older releases (using create_file_perms >> etc.). >> >> Paul. > It comes from me. > > selinux-policy-2.3.4 > > Everytime I release My own modifications I increment the last digit, > everytime I merge with upstream I update the middle number, and reset > the last digit to 1. Everytime there is a major change to policy > example-reference I increment the first. digit. If you do a > > rpm -qi selinux-policy > It will show you the revision this policy is based off of. That works on F7 but not on FC6 or earlier, where the latest update doesn't include the svn revision in %description. I'll check through cvs and figure out which selinux-policy package version the things I need came in at. > BTW, I am working on merging strict and targeted policy in Rawhide > which will increment the major number. selinux-policy-3.0.1 will be > released soon. More fun to look forward to! Paul. 
From mjs at CLEMSON.EDU Thu Jun 14 16:15:43 2007 From: mjs at CLEMSON.EDU (Matthew Saltzman) Date: Thu, 14 Jun 2007 12:15:43 -0400 Subject: SELinux is preventing ifup-eth (udev_t) "getattr" to /etc/dhclient-eth1.conf (dhcp_etc_t). Message-ID: <1181837743.6329.21.camel@vincent52.localdomain> I occasionally have to remove and re-insert my ipw2200 driver module. Every time I do, the following is generated: SELinux denied access requested by ifup-eth. It is not expected that this access is required by ifup-eth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Source Context: system_u:system_r:udev_t:SystemLow-SystemHigh Target Context: system_u:object_r:dhcp_etc_t Target Objects: /etc/dhclient-eth1.conf [ file ] Affected RPM Packages: Policy RPM: selinux-policy-2.6.4-13.fc7 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: plugins.catchall_file Host Name: xxxxxxxxxxxxxxxxxx Platform: Linux xxxxxxxxxxxxxxx 2.6.20-1.2952.fc6 #1 SMP Wed May 16 18:59:18 EDT 2007 i686 i686 Alert Count: 23 First Seen: Sun 10 Jun 2007 03:15:44 AM EDT Last Seen: Wed 13 Jun 2007 09:30:46 PM EDT Local ID: 244d5474-af72-4c98-8d63-2e3a43c9457a Line Numbers: Raw Audit Messages : avc: denied { getattr } for comm="ifup-eth" dev=dm-0 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth1.conf" path="/etc/dhclient-eth1.conf" pid=11020 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:dhcp_etc_t:s0 tty=(none) uid=0 Thanks. 
From ftaylor at redhat.com Thu Jun 14 16:42:47 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Thu, 14 Jun 2007 10:42:47 -0600
Subject: Hierarchy for sensitivity levels
In-Reply-To: <1181740249.17547.337.camel@moss-spartans.epoch.ncsc.mil>
References: <1181684553.5153.18.camel@localhost.localdomain> <1181740249.17547.337.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1181839367.5170.1.camel@localhost.localdomain>

On Wed, 2007-06-13 at 09:10 -0400, Stephen Smalley wrote:
> On Tue, 2007-06-12 at 15:42 -0600, Forrest Taylor wrote:
> > I am teaching class this week and I had an interesting question from a
> > student. We were discussing sensitivities and categories, and a student
> > wondered about the hierarchical nature of sensitivities and categories.
> > Assuming that s0 is unclassified, s1 is classified, s2 is secret and s3
> > is top secret, and s0
> > you also have access to s2, s1, s0. Is there a way to throw categories
> > in here so that users who have access to s3 do not necessarily have
> > access to all of s2 and lower?
>
> The dominance function is based on both the sensitivities and the
> category sets. A dominates B iff A's sensitivity >= B's sensitivity and
> A's category set is a superset of B's category set. The possible
> relationships are dominates, dominated by, equivalent, or incomparable.
>
> Under BLP/MLS, A can only read from B if A dominates B, and A can only
> write to B if A is dominated by B. Many MLS systems further limit A to
> only allow writing to B if A is equivalent to B, even though that isn't
> strictly required for BLP. To violate those properties (no read up, no
> write down), A has to be in a TE domain that is marked with one of the
> type attributes used as exceptions in the MLS constraints.

Excellent. I had only seen sensitivities in hierarchy, so it is good to
know that categories can also be included.

Thanks,
Forrest
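The dominance relation Stephen Smalley describes above, as an added Python example that is not part of the thread: levels are parsed from the MLS syntax that appears in the AVC records on this list (`s0`, `s2:c0,c3`, `s0:c0.c1023`, and the `low-high` range form), compared with the sensitivity-and-category-set rule, and checked against the BLP no-read-up / no-write-down properties, including the stricter equal-level write variant he mentions. The parser for the `cA.cB` range notation is this example's own code, not libselinux's.

```python
"""Added example (not from the thread): SELinux MLS level comparison.

A level is a sensitivity plus a set of categories.  A dominates B iff
A's sensitivity >= B's sensitivity AND A's category set is a superset of
B's.  Bell-LaPadula then allows A to read B only if A dominates B, and to
write B only if B dominates A (many systems require equality for writes).
"""
import re
from dataclasses import dataclass

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset


def parse_level(text):
    """Parse 's0', 's2:c0,c3' or 's0:c0.c1023' (cA.cB = contiguous range).

    The range syntax mirrors what the AVC records in this thread show;
    parsing it here is this example's own code, not libselinux's.
    """
    m = _LEVEL_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an MLS level: {text!r}")
    cats = set()
    for item in (m.group(2) or "").split(","):
        if not item:
            continue
        if "." in item:
            lo, hi = item.split(".", 1)
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return Level(int(m.group(1)), frozenset(cats))


def parse_range(text):
    """'s0-s0:c0.c1023' -> (low, high); a bare level is its own low and high."""
    parts = text.split("-", 1)
    low = parse_level(parts[0])
    high = parse_level(parts[1]) if len(parts) == 2 else low
    return low, high


def dominates(a, b):
    """A dominates B: higher-or-equal sensitivity and a superset of categories."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories


def relation(a, b):
    """One of: 'equivalent', 'dominates', 'dominated by', 'incomparable'."""
    ab, ba = dominates(a, b), dominates(b, a)
    if ab and ba:
        return "equivalent"
    if ab:
        return "dominates"
    if ba:
        return "dominated by"
    return "incomparable"


def may_read(subject, obj):
    """No read up: the subject must dominate the object."""
    return dominates(subject, obj)


def may_write(subject, obj, strict=False):
    """No write down: the object must dominate the subject.

    strict=True models the common tightening where writes are allowed
    only between equivalent levels.
    """
    if strict:
        return relation(subject, obj) == "equivalent"
    return dominates(obj, subject)


def classroom_example():
    """The student's question: a top-secret (s3) user need not see all of s2.

    Give the s3 user only category c0 and label the s2 object with c1:
    the levels are incomparable, so the read is refused despite s3 > s2.
    """
    user = parse_level("s3:c0")
    secret_doc = parse_level("s2:c1")
    return relation(user, secret_doc), may_read(user, secret_doc)


if __name__ == "__main__":
    print(classroom_example())  # ('incomparable', False)
```

The `classroom_example` function answers the student's question directly: giving the s3 user only category `c0` and labelling the s2 object with `c1` makes the two levels incomparable, so the higher sensitivity alone no longer grants read access.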
From phil.m.edwards at gmail.com Thu Jun 14 22:41:25 2007
From: phil.m.edwards at gmail.com (Phil Edwards)
Date: Thu, 14 Jun 2007 18:41:25 -0400
Subject: new (updated) FC7 system getting auditing errors
Message-ID: <82c42b950706141541y39f2ef46w4fecefb4c772d945@mail.gmail.com>

Hi. I've just installed FC7, updated its packages, but made few other
changes so far; no changes at all to selinux (I wouldn't know how, and
there is no full-time sysadmin).

The messages log is filling up with stuff like this:

dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="/bin/dbus-daemon" (sauid=539, hostname=?, addr=?, terminal=?)
nscd: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)

dbus and nscd are the noisiest culprits.

Googling for what look like the key phrases gets me tons of hits from
2005, but nothing recent and nothing pertaining to FC7 (but having never
used an FC release before, I could be wrong).

Could somebody please tell me how to turn this noise off?
From olivares14031 at yahoo.com Fri Jun 15 02:24:12 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 14 Jun 2007 19:24:12 -0700 (PDT)
Subject: mknod problem still present denied avc's
Message-ID: <48623.62341.qm@web52608.mail.re2.yahoo.com>

----- Original Message ----
From: Daniel J Walsh
To: Antonio Olivares
Cc: fedora-selinux-list at redhat.com
Sent: Thursday, June 14, 2007 9:02:35 AM
Subject: Re: mknod problem still present denied avc's

Antonio Olivares wrote:
> dmesg returns
>
> audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> After I did this again
>
> [olivares at localhost ~]$ su -
> Password:
> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i myinsmod.pp
>
> [root at localhost ~]# semodule -i myinsmod.pp
> [root at localhost ~]#
>
> Selinux troubleshooter returned this:
>
> avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0
>

Yes, you allowed add_name to the directory; now it is complaining about the
write. It is best to put the machine in permissive mode, run the app to
completion, then generate the policy and retest in enforcing mode.

setenforce 0
run test
grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
semodule -i myinsmod.pp
setenforce 1
run test

> Policy RPM: selinux-policy-2.6.4-8.fc7
>
> Affected RPM Packages: coreutils-6.9-2.fc7 [application]
> Policy RPM: selinux-policy-2.6.4-12.fc7
>
> How can I effectively fix this?
>
> This is my /etc/modprobe.conf
>
> [root at localhost Download]# cat /etc/modprobe.conf
> alias eth0 8139too
> alias scsi_hostadapter sata_via
> alias scsi_hostadapter1 pata_via
> alias snd-card-0 snd-via82xx
> options snd-card-0 index=0
> options snd-via82xx index=0
> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
> [root at localhost Download]#
>
> Thanks,
>
> Antonio
>

Did as you instructed. Set SELinux to permissive mode, recreated
/dev/slamr0 using mknod, and upon rebooting with SELinux enabled it works!!

[root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myinsmod.pp

[root at localhost ~]# semodule -i myinsmod.pp
[root at localhost ~]# setenforce 1

but the message still appears

audit(1181873499.608:3): avc: denied { create } for pid=751 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

I have checked with the troubleshooter and it recommends me to do
restorecon -v /dev/slamr0

[root at localhost ~]# restorecon -v /dev/slamr0
[root at localhost ~]# ls /dev/slamr0 -l
crw-rw---- 1 root root 242, 0 2007-06-14 21:11 /dev/slamr0
[root at localhost ~]#

Here is the summary from setroubleshoot browser.

Summary
SELinux is preventing sh (insmod_t) "getattr" access to device /dev/slamr0.
Detailed Description
SELinux has denied the sh (insmod_t) "getattr" access to device /dev/slamr0.
/dev/slamr0 is mislabeled, this device has the default label of the /dev
directory, which should not happen. All Character and/or Block Devices
should have a label. You can attempt to change the label of the file using
restorecon -v /dev/slamr0. If this device remains labeled device_t, then
this is a bug in SELinux policy. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
package. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for /dev/slamr0, you can use
chcon -t SIMILAR_TYPE /dev/slamr0. If this fixes the problem, you can make
this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/slamr0.
If the restorecon changes the context, this indicates that the application
that created the device created it without using SELinux APIs. If you can
figure out which application created the device, please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.
Allowing Access
Attempt restorecon -v /dev/slamr0 or chcon -t SIMILAR_TYPE /dev/slamr0

Additional Information

Source Context          system_u:system_r:insmod_t
Target Context          system_u:object_r:device_t
Target Objects          /dev/slamr0 [ chr_file ]
Affected RPM Packages
Policy RPM              selinux-policy-2.6.4-12.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.device
Host Name               localhost.localdomain
Platform                Linux localhost.localdomain 2.6.21-1.3226.fc7 #1 SMP Sat Jun 9 22:23:35 EDT 2007 i686 athlon
Alert Count             1
First Seen              Thu 14 Jun 2007 06:26:18 PM CDT
Last Seen               Thu 14 Jun 2007 06:26:18 PM CDT
Local ID                04c18a63-7a70-462e-8937-018923ab95bf
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="slamr0" path="/dev/slamr0" pid=2265 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

Thanks for helping,

Antonio

From dwalsh at redhat.com Fri Jun 15 11:00:22 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 15 Jun 2007 07:00:22 -0400
Subject: new (updated) FC7 system getting auditing errors
In-Reply-To: <82c42b950706141541y39f2ef46w4fecefb4c772d945@mail.gmail.com>
References: <82c42b950706141541y39f2ef46w4fecefb4c772d945@mail.gmail.com>
Message-ID: <46727146.4090902@redhat.com>

Phil Edwards wrote:
> Hi. I've just installed FC7, updated its packages, but made few other
> changes so far; no changes at all to selinux (I wouldn't know how, and
> there is no full-time sysadmin).
>
> The messages log is filling up with stuff like this:
>
> dbus: Can't send to audit system: USER_AVC avc: received policyload
> notice (seqno=2) : exe="/bin/dbus-daemon" (sauid=539, hostname=?,
> addr=?, terminal=?)
> nscd: Can't send to audit system: USER_AVC avc: received policyload
> notice (seqno=2) : exe="?" (sauid=28, hostname=?, addr=?, terminal=?)
>
> dbus and nscd are the noisiest culprits.
>
> Googling for what look like the key phrases gets me tons of hits from
> 2005, but nothing recent and nothing pertaining to FC7 (but having
> never used an FC release before, I could be wrong).
>
> Could somebody please tell me how to turn this noise off?

These are not SELinux errors so to speak, they are auditing errors. When
you update policy, probably during a yum update, any application that is
running as a SELinux policy enforcer gets a message from the kernel
telling it that the policy has been updated. These apps then attempt to
send a message to the audit system stating that they have reloaded the
policy. These errors are generated because the applications are running
as a normal user and are not allowed to send to the audit.log. So the
audit subsystem sends a message to /var/log/messages.

So other than filling your /var/log/messages file, these errors can be
ignored.

The dbus error has been fixed in FC6 and seems to have resurfaced. I
have not seen the nscd error. Both should be reported as bugzillas to
nscd and dbus.
From dwalsh at redhat.com Fri Jun 15 11:03:32 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 15 Jun 2007 07:03:32 -0400
Subject: mknod problem still present denied avc's
In-Reply-To: <48623.62341.qm@web52608.mail.re2.yahoo.com>
References: <48623.62341.qm@web52608.mail.re2.yahoo.com>
Message-ID: <46727204.1000305@redhat.com>

Antonio Olivares wrote:
> ----- Original Message ----
> From: Daniel J Walsh
> To: Antonio Olivares
> Cc: fedora-selinux-list at redhat.com
> Sent: Thursday, June 14, 2007 9:02:35 AM
> Subject: Re: mknod problem still present denied avc's
>
> Antonio Olivares wrote:
>
>> dmesg returns
>>
>> audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>>
>> After I did this again
>>
>> [olivares at localhost ~]$ su -
>> Password:
>> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
>> ******************** IMPORTANT ***********************
>> To make this policy package active, execute:
>>
>> semodule -i myinsmod.pp
>>
>> [root at localhost ~]# semodule -i myinsmod.pp
>> [root at localhost ~]#
>>
>> Selinux troubleshooter returned this:
>>
>> avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0
>>
> Yes, you allowed add_name to the directory; now it is complaining about the
> write. It is best to put the machine in permissive mode, run the app to
> completion, then generate the policy and
> retest in enforcing mode.
>
> setenforce 0
> run test
> grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> semodule -i myinsmod.pp
> setenforce 1
> run test
>
>> Policy RPM: selinux-policy-2.6.4-8.fc7
>>
>> Affected RPM Packages: coreutils-6.9-2.fc7 [application]
>> Policy RPM: selinux-policy-2.6.4-12.fc7
>>
>> How can I effectively fix this?
>>
>> This is my /etc/modprobe.conf
>>
>> [root at localhost Download]# cat /etc/modprobe.conf
>> alias eth0 8139too
>> alias scsi_hostadapter sata_via
>> alias scsi_hostadapter1 pata_via
>> alias snd-card-0 snd-via82xx
>> options snd-card-0 index=0
>> options snd-via82xx index=0
>> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
>> [root at localhost Download]#
>>
>> Thanks,
>>
>> Antonio
>>
>
> Did as you instructed. Set SELinux to permissive mode, recreated
> /dev/slamr0 using mknod, and upon rebooting with SELinux enabled it works!!
>
> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i myinsmod.pp
>
> [root at localhost ~]# semodule -i myinsmod.pp
> [root at localhost ~]# setenforce 1
>
> but the message still appears
>
> audit(1181873499.608:3): avc: denied { create } for pid=751 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>
> I have checked with the troubleshooter and it recommends me to do
> restorecon -v /dev/slamr0
>
> [root at localhost ~]# restorecon -v /dev/slamr0
> [root at localhost ~]# ls /dev/slamr0 -l
> crw-rw---- 1 root root 242, 0 2007-06-14 21:11 /dev/slamr0
> [root at localhost ~]#
>
> Here is the summary from setroubleshoot browser.
>
> Summary
> SELinux is preventing sh (insmod_t) "getattr" access to device /dev/slamr0.
>
> Detailed Description
> SELinux has denied the sh (insmod_t) "getattr" access to device /dev/slamr0.
> /dev/slamr0 is mislabeled, this device has the default label of the /dev
> directory, which should not happen. All Character and/or Block Devices
> should have a label. You can attempt to change the label of the file using
> restorecon -v /dev/slamr0. If this device remains labeled device_t, then
> this is a bug in SELinux policy. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
> package. If you look at the other similar devices labels, ls -lZ
> /dev/SIMILAR, and find a type that would work for /dev/slamr0, you can use
> chcon -t SIMILAR_TYPE /dev/slamr0, If this fixes the problem, you can make
> this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/slamr0
> If the restorecon changes the context, this indicates that the application
> that created the device, created it without using SELinux APIs.
> If you can
> figure out which application created the device, please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.
>
> Allowing Access
> Attempt restorecon -v /dev/slamr0 or chcon -t SIMILAR_TYPE /dev/slamr0
>
> Additional Information
>
> Source Context          system_u:system_r:insmod_t
> Target Context          system_u:object_r:device_t
> Target Objects          /dev/slamr0 [ chr_file ]
> Affected RPM Packages
> Policy RPM              selinux-policy-2.6.4-12.fc7
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Permissive
> Plugin Name             plugins.device
> Host Name               localhost.localdomain
> Platform                Linux localhost.localdomain 2.6.21-1.3226.fc7 #1
> SMP Sat Jun 9 22:23:35 EDT 2007 i686 athlon
> Alert Count             1
> First Seen              Thu 14 Jun 2007 06:26:18 PM CDT
> Last Seen               Thu 14 Jun 2007 06:26:18 PM CDT
> Local ID                04c18a63-7a70-462e-8937-018923ab95bf
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm="sh" dev=tmpfs egid=0 euid=0 exe="/bin/bash"
> exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="slamr0" path="/dev/slamr0" pid=2265
> scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
> suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
>
> Thanks for helping,
>
> Antonio
>

Please attach the te file that you have generated. Also please update to
selinux-policy-2.6.4-14.fc7 to see if the fix in there solves your problem.

From mc-al34luc at sbcglobal.net Fri Jun 15 14:51:31 2007
From: mc-al34luc at sbcglobal.net (Mike Carney)
Date: Fri, 15 Jun 2007 07:51:31 -0700
Subject: Vanilla F7 install + Xen: selinux problems on guest creation.
Message-ID:

Greetings,

Just installed F7 from DVD, and installed Xen/Xen kernel.
Then ran yum to pick up the latest updates. When attempting to create a
F7 guest using virt-install, I see the following errors in the audit.log,
and the creation fails:

type=AVC msg=audit(1181917818.119:37): avc: denied { write } for pid=3032 comm="block" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5 success=no exit=-13 a0=9aba538 a1=8441 a2=1b6 a3=8441 items=0 ppid=3029 pid=3032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="block" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917818.139:38): avc: denied { write } for pid=3041 comm="vif-bridge" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.139:38): arch=40000003 syscall=5 success=no exit=-13 a0=9947ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3035 pid=3041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.741:55): avc: denied { write } for pid=3269 comm="vif-bridge" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.741:55): arch=40000003 syscall=5 success=no exit=-13 a0=84f7ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3266 pid=3269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.853:56): avc: denied { write } for pid=3290 comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.853:56): arch=40000003 syscall=5 success=no exit=-13 a0=850db58 a1=8441 a2=1b6 a3=8441 items=0 ppid=3275 pid=3290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.893:57): avc: denied { write } for pid=3289 comm="block" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.893:57): arch=40000003 syscall=5 success=no exit=-13 a0=9b4d548 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268 pid=3289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="block" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.941:58): avc: denied { write } for pid=3300 comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.941:58): arch=40000003 syscall=5 success=no exit=-13 a0=930fb68 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268 pid=3300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

audit2allow recommends the following policy rule:

audit2allow < audit.log

#============= udev_t ==============
allow udev_t xend_var_log_t:dir write;

Has this fix already been made, or do I need to load this change into
the policy db myself?

Thanks!
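What audit2allow is doing with records like the ones Matthew Saltzman, Antonio Olivares and Mike Carney posted above, as an added Python example that is neither part of the thread nor audit2allow's own code: it parses `avc: denied` records in the three layouts seen here (raw `type=AVC` lines, dmesg-style `audit(...)` lines, and the field-sorted setroubleshoot form), merges the permissions per (source type, target type, object class) into one allow rule, and separately flags the case setroubleshoot warned about, a device node still carrying the generic `device_t` label, where relabelling rather than a new rule is the fix. The sample records are copied from the messages above with some fields trimmed; `SYSCALL` and `USER_AVC` records are skipped.

```python
"""Added example (not from the thread): turn AVC denial records into
audit2allow-style allow rules, and spot mislabelled device nodes.

Three record layouts are handled, all seen in this thread:
  * raw audit.log:   type=AVC msg=audit(...): avc: denied { write } for pid=...
  * dmesg:           audit(...): avc: denied { add_name } for pid=...
  * setroubleshoot:  avc: denied { getattr } for comm="sh" ... (fields sorted)
"""
import re
from collections import defaultdict

# Constructed sample input: records copied from the messages above, with
# some fields trimmed for brevity.  The last line is a SYSCALL record.
SAMPLE_AVCS = [
    'avc: denied { getattr } for comm="ifup-eth" dev=dm-0 egid=0 euid=0 '
    'exe="/bin/bash" exit=-13 name="dhclient-eth1.conf" '
    'path="/etc/dhclient-eth1.conf" pid=11020 '
    'scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file '
    'tcontext=system_u:object_r:dhcp_etc_t:s0 tty=(none) uid=0',
    'audit(1181681041.681:4): avc: denied { add_name } for pid=739 '
    'comm="mknod" name="slamr0" '
    'scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=dir',
    'avc: denied { write } for comm="mknod" dev=tmpfs exe="/bin/mknod" '
    'exit=-13 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 '
    'tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0',
    'avc: denied { getattr } for comm="sh" dev=tmpfs exe="/bin/bash" exit=0 '
    'name="slamr0" path="/dev/slamr0" pid=2265 '
    'scontext=system_u:system_r:insmod_t:s0 tclass=chr_file '
    'tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0',
    'type=AVC msg=audit(1181917818.119:37): avc: denied { write } for '
    'pid=3032 comm="block" name="xen" dev=sda7 ino=29298 '
    'scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5 '
    'success=no exit=-13 comm="block" exe="/bin/bash"',
]

_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for anything else
    (SYSCALL records, USER_AVC policyload notices, granted events ...)."""
    m = _DENIED_RE.search(line)
    if m is None:
        return None
    # Field order differs between layouts, so read key=value pairs by name.
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line[m.end():])}
    try:
        return {
            "perms": m.group(1).split(),
            "source_type": context_type(fields["scontext"]),
            "target_type": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm"),
            "name": fields.get("name"),
        }
    except KeyError:
        return None  # truncated record: ignore rather than guess


def allow_rules(lines):
    """Collapse denials into one allow rule per (source, target, class),
    which is the shape audit2allow prints."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        perms[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


DEFAULT_DEV_TYPE = "device_t"          # generic label of the /dev directory
DEVICE_CLASSES = {"chr_file", "blk_file"}


def relabel_candidates(lines):
    """Device nodes still labelled with the generic /dev type.  These are
    labelling problems (restorecon / semanage fcontext), not missing rules,
    so they should not be turned into allow rules."""
    found = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["tclass"] in DEVICE_CLASSES and rec["target_type"] == DEFAULT_DEV_TYPE:
            found.append((rec["comm"], rec["name"]))
    return found


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    print("relabel instead of allow:", relabel_candidates(SAMPLE_AVCS))
```

Run on the sample, `allow_rules` reproduces Mike Carney's `allow udev_t xend_var_log_t:dir write;` and merges Antonio's two directory denials into `allow insmod_t device_t:dir { add_name write };`, while `relabel_candidates` singles out the `/dev/slamr0` getattr denial as the one that setroubleshoot correctly attributes to a mislabelled node.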
From paul at city-fan.org Sun Jun 17 14:27:25 2007
From: paul at city-fan.org (Paul Howarth)
Date: Sun, 17 Jun 2007 15:27:25 +0100
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <4665E8ED.9030708@northwest-aero.com>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil> <4665C6D2.4040908@northwest-aero.com> <4665D254.5050902@redhat.com> <4665D601.4000804@northwest-aero.com> <4665D8A4.9030801@redhat.com> <4665DAFE.1010701@northwest-aero.com> <4665E8ED.9030708@northwest-aero.com>
Message-ID: <1182090455.5622.2.camel@metropolis.intra.city-fan.org>

On Tue, 2007-06-05 at 15:51 -0700, John Lindgren wrote:
> Just to close this thread out:
>
> I upgraded to:
> # rpm -qa|grep selinux-policy
> selinux-policy-targeted-2.6.4-13.fc7
> selinux-policy-2.6.4-13.fc7
> selinux-policy-devel-2.6.4-13.fc7
>
> removed the local.pp I made earlier:
> # semodule -r local
>
> forced a reload of the policy:
> # semodule -R
>
> rotated the audit log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then I went and exercised the mail system, sendmail, mailman,
> MailScanner, spamassassin, clamav, f-prot, squirrelmail, apache... I
> remember when it was simpler.
>
> took a look at the fresh audit.log
> # audit2allow -a
>
> And there were all the usual suspects:
> #============= clamscan_t ==============
> allow clamscan_t clamd_var_lib_t:dir { write remove_name add_name };
> allow clamscan_t clamd_var_lib_t:file { write create unlink };
> allow clamscan_t initrc_tmp_t:dir { search setattr read create write getattr rmdir remove_name add_name };
> allow clamscan_t initrc_tmp_t:file { write getattr read lock create unlink };
> allow clamscan_t tmpfs_t:dir { read search getattr };
> allow clamscan_t tmpfs_t:file { read getattr };
> allow clamscan_t var_spool_t:file { read write };
>
> #============= httpd_t ==============
> allow httpd_t pop_port_t:tcp_socket name_connect;
>
> #============= procmail_t ==============
> allow procmail_t var_spool_t:file read;
>
> #============= system_mail_t ==============
> allow system_mail_t httpd_t:file read;
>
> But notice, NO DOVECOT!
>
> made a module:
> # cat /var/log/audit/audit.log | audit2allow -M localMAIL
>
> installed it:
> # semodule -i localMAIL.pp
>
> put selinux back into enforce:
> # setenforce 1
>
> and re-rotated the log:
> # logrotate -f /etc/logrotate.d/audit
>
> Then sat back and waited for the phone to ring... {quiet}
>
> Confirmed with:
> # audit2allow -a
>
> And got nothing. Everything working great now.
>
> New policy package fixed dovecot problem. Thanks again.

I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7).
I needed to add the following:

# Allow dovecot to check passwords
allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };

before dovecot-auth could run /sbin/unix-update and authenticate IMAP
clients.

Paul.
From chaos-selinux at glassonion.org Mon Jun 18 18:30:48 2007
From: chaos-selinux at glassonion.org (Chaos Golubitsky)
Date: Mon, 18 Jun 2007 14:30:48 -0400
Subject: useradd failure under ldap with tls
Message-ID: <20070618183048.GG25589@glassonion.org>

When i manage user data via LDAP (using pam_ldap), useradd/usermod/etc
fail when run from scripts. In particular, e.g.

# yum install httpd

fails because the "useradd apache" command hangs.

Audit2allow suggests:

allow useradd_t urandom_device_t:chr_file { getattr read };

If i modify my LDAP configuration so that connections are not encrypted
using TLS, the useradd succeeds.

I think that, when LDAP is in use, anyone who needs to query the passwd
or group map [1] should be able to read /dev/urandom so they can initiate
TLS LDAP connections. But i don't know enough about the layout of the
SELinux policy to speculate on whether the problem is that:
(a) The PAM/LDAP client policy is ignorant of TLS
(b) The useradd/etc policy is ignorant of LDAP
(c) Something else

Any suggestions would be appreciated. I have "solved" this for my own
purposes the hackish way (i.e. by doing what audit2allow recommends, as
a standalone module), but i'd like to be able to recommend a real patch.

Thanks.

Chaos

[1] The useradd/usermod/etc commands need to query passwd maps in order
to fail with an error if a central user conflicts with the user being
created.

From dwalsh at redhat.com Mon Jun 18 19:39:28 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 18 Jun 2007 15:39:28 -0400
Subject: useradd failure under ldap with tls
In-Reply-To: <20070618183048.GG25589@glassonion.org>
References: <20070618183048.GG25589@glassonion.org>
Message-ID: <4676DF70.5050104@redhat.com>

Chaos Golubitsky wrote:
> When i manage user data via LDAP (using pam_ldap), useradd/usermod/etc
> fail when run from scripts. In particular, e.g.
>
> # yum install httpd
>
> fails because the "useradd apache" command hangs.
>
> Audit2allow suggests:
>
> allow useradd_t urandom_device_t:chr_file { getattr read };
>
> If i modify my LDAP configuration so that connections are not encrypted
> using TLS, the useradd succeeds.
>
> I think that, when LDAP is in use, anyone who needs to query the passwd
> or group map [1] should be able to read /dev/urandom so they can initiate
> TLS LDAP connections. But i don't know enough about the layout of the
> SELinux policy to speculate on whether the problem is that:
> (a) The PAM/LDAP client policy is ignorant of TLS
> (b) The useradd/etc policy is ignorant of LDAP
> (c) Something else
>
> Any suggestions would be appreciated. I have "solved" this for my own
> purposes the hackish way (i.e. by doing what audit2allow recommends, as
> a standalone module), but i'd like to be able to recommend a real patch.
>
> Thanks.
>
> Chaos
>
> [1] The useradd/usermod/etc commands need to query passwd maps in order
> to fail with an error if a central user conflicts with the user being
> created.

Which OS are you using? I will make the change.

From kwade at redhat.com Mon Jun 18 23:34:08 2007
From: kwade at redhat.com (Karsten Wade)
Date: Mon, 18 Jun 2007 16:34:08 -0700
Subject: documentation plans
Message-ID: <1182209648.21966.282.camel@erato.phig.org>

Since the release of Fedora 7, we have been watching the statistics for
our new content location, http://docs.fedoraproject.org.

In a recent thread on f-docs-l[1], Google referrer statistics[2] show
that SELinux questions are a sizeable percentage (over 10%) of incoming
search terms. Unfortunately.

Why?
Because:

* The content they are hitting most is the FC3 SELinux FAQ
* The top search keyphrase is "disable selinux", with "selinux disable"
  as number four (all of which take you to the FC3 FAQ)
* Users cannot find anything useful that we'd want them to have

The proposal[3] of the Fedora Docs team is this:

1. We gather all content that we have[4] that is not Fedora-specific and
   push that up to grow and be maintained on selinuxproject.org
2. A Fedora Docs writer, Paulo Santos, will help watch that content on
   selinuxproject.org. This becomes a new location for us to collaborate
   on distro-neutral community docs.
3. Paulo works up Fedora-specific content, from what exists in Fedora and
   added to by all of you, and that becomes new "SELinux for Fedora"
   content that Fedora Docs plans to maintain. Your help is much needed.
4. In all the locations where you find SELinux content in
   .*fedoraproject.org, we repopulate or redirect to a single Fedora
   SELinux content page. From that page we link to the upstream canonical
   docs on selinuxproject.org and provide the Fedora variant on that
   content.

Barring someone stepping up and putting a partial or full-time resource
on this writing, a job I no longer do at Red Hat, this is going to be the
best way to generate and maintain SELinux open content. By using open
collaboration tools (Wiki, Plone), it will be *much* easier for someone
such as Dan Walsh to do a brain dump and have it be polished, formalized,
and published.

Thoughts?

- Karsten

[1] http://www.redhat.com/archives/fedora-docs-list/2007-June/msg00084.html
[2] Use your browser's keyword search to find SELinux/selinux stuff:
    http://fedoraproject.org/awstats/docs/awstats.docs.fedoraproject.org.html
[3] http://www.redhat.com/archives/fedora-docs-list/2007-June/msg00077.html
[4] This page has a short list of locations we are going to pull content from:
    http://fedoraproject.org/wiki/Docs/Drafts/SELinux

--
Karsten Wade, 108 Editor       ^     Fedora Documentation Project
Sr. Developer Relations Mgr.   |     fedoraproject.org/wiki/DocsProject
quaid.108.redhat.com           |     gpg key: AD0E0C41

From jdennis at redhat.com Tue Jun 19 02:05:26 2007
From: jdennis at redhat.com (John Dennis)
Date: Mon, 18 Jun 2007 22:05:26 -0400
Subject: documentation plans
In-Reply-To: <1182209648.21966.282.camel@erato.phig.org>
References: <1182209648.21966.282.camel@erato.phig.org>
Message-ID: <1182218726.29737.16.camel@junko.usersys.redhat.com>

On Mon, 2007-06-18 at 16:34 -0700, Karsten Wade wrote:
> Thoughts?

Sounds like a reasonable plan, and I think you've identified one of the
problems with SELinux: there is quite a bit of doc available, but it's
scattered. It really needs to be coalesced into one location, and this
sounds like a good way to accomplish that goal.

I take it that selinuxproject.org is new. Who is hosting this? Fedora
project?

--
John Dennis

From jdennis at redhat.com Tue Jun 19 02:33:51 2007
From: jdennis at redhat.com (John Dennis)
Date: Mon, 18 Jun 2007 22:33:51 -0400
Subject: documentation plans
In-Reply-To: <7a41c4bc0706181912k4c026d29u9d21f21f68eb7225@mail.gmail.com>
References: <1182209648.21966.282.camel@erato.phig.org> <1182218726.29737.16.camel@junko.usersys.redhat.com> <7a41c4bc0706181912k4c026d29u9d21f21f68eb7225@mail.gmail.com>
Message-ID: <1182220431.29737.26.camel@junko.usersys.redhat.com>

On 6/19/07, John Dennis wrote:
> I take it that selinuxproject.org is new. Who is hosting
> this?
>
On Tue, 2007-06-19 at 04:12 +0200, Paulo Santos wrote:
> I'm not aware of selinuxproject.org under Fedora Project
> infrastructure.

Silly me, this is James Morris's domain; I just didn't recognize it with
the different content.
-- 
John Dennis

From cfzeitler at yahoo.com Tue Jun 19 03:08:24 2007
From: cfzeitler at yahoo.com (charles f. zeitler)
Date: Mon, 18 Jun 2007 20:08:24 -0700 (PDT)
Subject: problem trying to transition to sysadm_r
Message-ID: <369637.11061.qm@web82513.mail.mud.yahoo.com>

when i enter:
    newrole -r sysadm_r
at the cli, i get:
    Couldn't get default type.

can someone give me a hint/tip/clue?

thanx

charles zeitler

: Do What Thou Wilt :
: Shall Be :
: The Whole of The Law :

From spng.yang at gmail.com Tue Jun 19 10:20:32 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Tue, 19 Jun 2007 18:20:32 +0800
Subject: problem trying to transition to sysadm_r
In-Reply-To: <369637.11061.qm@web82513.mail.mud.yahoo.com>
References: <369637.11061.qm@web82513.mail.mud.yahoo.com>
Message-ID: <4677ADF0.6030103@gmail.com>

charles f. zeitler wrote:
> when i enter:
>     newrole -r sysadm_r
> at the cli, i get:
>     Couldn't get default type.
>
> can someone give me a hint/tip/clue?

what's your selinux policy type? the default type is in /etc/selinux/TYPE/contexts/default_type

additionally, what is the context of your login user? user_u, staff?

> thanx
>
> charles zeitler
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From sds at tycho.nsa.gov Tue Jun 19 11:48:02 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 19 Jun 2007 07:48:02 -0400
Subject: problem trying to transition to sysadm_r
In-Reply-To: <369637.11061.qm@web82513.mail.mud.yahoo.com>
References: <369637.11061.qm@web82513.mail.mud.yahoo.com>
Message-ID: <1182253682.15064.9.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-06-18 at 20:08 -0700, charles f. zeitler wrote:
> when i enter:
>     newrole -r sysadm_r
> at the cli, i get:
>     Couldn't get default type.
>
> can someone give me a hint/tip/clue?
Fedora by default uses "targeted" policy rather than "strict" policy, and therefore has no notion of user roles and domains (only specific programs are confined, not users under "targeted" policy). See the Fedora SELinux FAQ.

If you want strict policy, you have to install selinux-policy-strict and switch your /etc/selinux/config SELINUXTYPE definition to it, then reboot and relabel (typically in permissive mode the first time to allow that initial boot to succeed).

-- 
Stephen Smalley
National Security Agency

From chaos-selinux at glassonion.org Tue Jun 19 11:58:45 2007
From: chaos-selinux at glassonion.org (Chaos Golubitsky)
Date: Tue, 19 Jun 2007 07:58:45 -0400
Subject: useradd failure under ldap with tls
In-Reply-To: <4676DF70.5050104@redhat.com>
References: <20070618183048.GG25589@glassonion.org> <4676DF70.5050104@redhat.com>
Message-ID: <20070619115845.GA10595@glassonion.org>

On Mon, 18 Jun, 2007 at 15:39:28 -0400, Daniel J Walsh wrote:
> Which OS are you using? I will make the change.

I first noticed this behavior on Fedora Core 5, but I have also seen it on FC6 and RHEL5. I haven't tested Fedora 7.

Thanks.

Chaos

From jmorris at namei.org Tue Jun 19 12:37:08 2007
From: jmorris at namei.org (James Morris)
Date: Tue, 19 Jun 2007 08:37:08 -0400 (EDT)
Subject: documentation plans
In-Reply-To: <1182220431.29737.26.camel@junko.usersys.redhat.com>
References: <1182209648.21966.282.camel@erato.phig.org> <1182218726.29737.16.camel@junko.usersys.redhat.com> <7a41c4bc0706181912k4c026d29u9d21f21f68eb7225@mail.gmail.com> <1182220431.29737.26.camel@junko.usersys.redhat.com>
Message-ID:

On Mon, 18 Jun 2007, John Dennis wrote:
> On 6/19/07, John Dennis wrote:
> > I take it that selinuxproject.org is new. Who is hosting
> > this?
> >
> On Tue, 2007-06-19 at 04:12 +0200, Paulo Santos wrote:
> > I'm not aware of selinuxproject.org under Fedora Project
> > infrastructure.
>
> Silly me, this is James Morris's domain, I just didn't recognize it with
> the different content.
The wiki is being hosted by RH currently.

-- 
James Morris

From dwalsh at redhat.com Tue Jun 19 13:58:36 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 19 Jun 2007 09:58:36 -0400
Subject: useradd failure under ldap with tls
In-Reply-To: <20070619115845.GA10595@glassonion.org>
References: <20070618183048.GG25589@glassonion.org> <4676DF70.5050104@redhat.com> <20070619115845.GA10595@glassonion.org>
Message-ID: <4677E10C.5020508@redhat.com>

Chaos Golubitsky wrote:
> On Mon, 18 Jun, 2007 at 15:39:28 -0400, Daniel J Walsh wrote:
>> Which OS are you using? I will make the change.
>
> I first noticed this behavior on Fedora Core 5, but I have also seen it
> on FC6 and RHEL5. I haven't tested Fedora 7.
>
> Thanks.
>
> Chaos

F7 selinux-policy-2.6.4-17 has this fix.
F8 selinux-policy-3.0.1 will have the fix.
RHEL5/FC6 selinux-policy-2.4.6-76 will have the fix.

From cfzeitler at yahoo.com Tue Jun 19 16:41:00 2007
From: cfzeitler at yahoo.com (charles f. zeitler)
Date: Tue, 19 Jun 2007 09:41:00 -0700 (PDT)
Subject: problem trying to transition to sysadm_r
In-Reply-To: <1182253682.15064.9.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <732503.46698.qm@web82507.mail.mud.yahoo.com>

--- Stephen Smalley wrote:
> On Mon, 2007-06-18 at 20:08 -0700, charles f. zeitler wrote:
> > when i enter:
> >     newrole -r sysadm_r
> > at the cli, i get:
> >     Couldn't get default type.
> >
> > can someone give me a hint/tip/clue?
>
> Fedora by default uses "targeted" policy rather than "strict" policy,
> and therefore has no notion of user roles and domains (only specific
> programs are confined, not users under "targeted" policy). See the
> Fedora SELinux FAQ.
>
> If you want strict policy, you have to install selinux-policy-strict and
> switch your /etc/selinux/config SELINUXTYPE definition to it, then
> reboot and relabel (typically in permissive mode the first time to allow
> that initial boot to succeed).
>
> --
> Stephen Smalley
> National Security Agency

thank you. new thread, then.

charles zeitler

: Do What Thou Wilt :
: Shall Be :
: The Whole of The Law :

From cfzeitler at yahoo.com Tue Jun 19 16:48:21 2007
From: cfzeitler at yahoo.com (charles f. zeitler)
Date: Tue, 19 Jun 2007 09:48:21 -0700 (PDT)
Subject: inability to import keys/ set firewall properties
Message-ID: <904747.60185.qm@web82512.mail.mud.yahoo.com>

when trying to import keys, rpm is unable to get a lock.

using system-config-securitylevel, attempted changes do not "stick": opened ports don't show up in the "other ports" window, and if the firewall is disabled, it is re-enabled.

is selinux keeping me from doing sysadmin things?

charles zeitler

: Do What Thou Wilt :
: Shall Be :
: The Whole of The Law :

From wwoods at redhat.com Tue Jun 19 16:48:41 2007
From: wwoods at redhat.com (Will Woods)
Date: Tue, 19 Jun 2007 12:48:41 -0400
Subject: crond_t avc messages with selinux-policy-targeted-2.6.4-17.fc7
Message-ID: <1182271721.2998.4.camel@metroid.rdu.redhat.com>

This is happening once per minute - every time cron runs. urgh. Using vixie-cron-4.1-82.fc7.

avc: denied { audit_control } for comm="crond" egid=0 euid=0 exe="/usr/sbin/crond" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=4230 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 suid=0 tclass=capability tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=0

-w
From mantaray_1 at cox.net Tue Jun 19 19:21:31 2007
From: mantaray_1 at cox.net (Ken)
Date: Tue, 19 Jun 2007 12:21:31 -0700
Subject: documentation plans
In-Reply-To: <1182209648.21966.282.camel@erato.phig.org>
References: <1182209648.21966.282.camel@erato.phig.org>
Message-ID: <46782CBB.6080302@cox.net>

Karsten Wade wrote:
> Since the release of Fedora 7, we have been watching the statistics for our new content location, http://docs.fedoraproject.org. In a recent thread on f-docs-l[1], Google referrer statistics[2] show that SELinux questions are a sizeable percentage (over 10%) of incoming search terms.
>
> Unfortunately. Why? Because:
>
> * The content they are hitting most is the FC3 SELinux FAQ
> * The top search keyphrase is "disable selinux", with "selinux disable" as number four (all of which take you to the FC3 FAQ)
> * Users cannot find anything useful that we'd want them to have
>
> The proposal[3] of the Fedora Docs team is this:
>
> 1. We gather all content that we have[4] that is not Fedora-specific and push that up to grow and be maintained on selinuxproject.org
>
> 2. A Fedora Docs writer, Paulo Santos, will help watch that content on selinuxproject.org. This becomes a new location for us to collaborate on distro-neutral community docs.
>
> 3. Paulo works up Fedora-specific content, from what exists in Fedora and added to by all of you, and that becomes new "SELinux for Fedora" content that Fedora Docs plans to maintain. Your help is much needed.
>
> 4. In all the locations where you find SELinux content in .*fedoraproject.org, we repopulate or redirect to a single Fedora SELinux content page. From that page we link to the upstream canonical docs on selinuxproject.org and provide the Fedora variant on that content.
>
> Barring someone stepping up and putting a partial or full-time resource on this writing, a job I no longer do at Red Hat, this is going to be the best way to generate and maintain SELinux open content. By using open collaboration tools (Wiki, Plone), it will be *much* easier for someone such as Dan Walsh to do a brain dump and have it be polished, formalized, and published.
>
> Thoughts?
>
> - Karsten
>
> [1] http://www.redhat.com/archives/fedora-docs-list/2007-June/msg00084.html
>
> [2] Use your browser's keyword search to find SELinux/selinux stuff: http://fedoraproject.org/awstats/docs/awstats.docs.fedoraproject.org.html
>
> [3] http://www.redhat.com/archives/fedora-docs-list/2007-June/msg00077.html
>
> [4] This page has a short list of locations we are going to pull content from: http://fedoraproject.org/wiki/Docs/Drafts/SELinux

I just wanted to let you know that I believe this is an excellent idea; and also share my observation that permission-specific documentation (at the basic or "atomic" level) seems to have been a low priority so far, and I believe it would be very helpful to many people to have this type of documentation available.

-Ken-

From dwalsh at redhat.com Tue Jun 19 20:19:14 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 19 Jun 2007 16:19:14 -0400
Subject: crond_t avc messages with selinux-policy-targeted-2.6.4-17.fc7
In-Reply-To: <1182271721.2998.4.camel@metroid.rdu.redhat.com>
References: <1182271721.2998.4.camel@metroid.rdu.redhat.com>
Message-ID: <46783A42.6000400@redhat.com>

Will Woods wrote:
> This is happening once per minute - every time cron runs. urgh. Using
> vixie-cron-4.1-82.fc7.
>
> avc: denied { audit_control } for comm="crond" egid=0 euid=0 exe="/usr/sbin/crond" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=4230 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 suid=0 tclass=capability tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=0
>
> -w

selinux-policy-2.6.4-20.fc7 should fix all your problems with cron.

From dwalsh at redhat.com Wed Jun 20 10:47:46 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 20 Jun 2007 06:47:46 -0400
Subject: Vanilla F7 install + Xen: selinux problems on guest creation.
In-Reply-To:
References:
Message-ID: <467905D2.5060908@redhat.com>

Mike Carney wrote:
> Greetings,
>
> Just installed F7 from DVD, and installed Xen/Xen kernel. Then ran yum to
> pick up the latest updates.
> When attempting to create a F7 guest using virt-install, I see the following errors in the audit.log, and the creation fails:
>
> type=AVC msg=audit(1181917818.119:37): avc: denied { write } for pid=3032 comm="block" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5 success=no exit=-13 a0=9aba538 a1=8441 a2=1b6 a3=8441 items=0 ppid=3029 pid=3032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="block" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917818.139:38): avc: denied { write } for pid=3041 comm="vif-bridge" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917818.139:38): arch=40000003 syscall=5 success=no exit=-13 a0=9947ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3035 pid=3041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917918.741:55): avc: denied { write } for pid=3269 comm="vif-bridge" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917918.741:55): arch=40000003 syscall=5 success=no exit=-13 a0=84f7ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3266 pid=3269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917918.853:56): avc: denied { write } for pid=3290 comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917918.853:56): arch=40000003 syscall=5 success=no exit=-13 a0=850db58 a1=8441 a2=1b6 a3=8441 items=0 ppid=3275 pid=3290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917918.893:57): avc: denied { write } for pid=3289 comm="block" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917918.893:57): arch=40000003 syscall=5 success=no exit=-13 a0=9b4d548 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268 pid=3289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="block" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917918.941:58): avc: denied { write } for pid=3300 comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917918.941:58): arch=40000003 syscall=5 success=no exit=-13 a0=930fb68 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268 pid=3300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
>
> audit2allow recommends the following policy rule:
> audit2allow < audit.log
>
> #============= udev_t ==============
> allow udev_t xend_var_log_t:dir write;
>
> Has this fix already been made, or do I need to load this change into the
> policy db myself?
>
> Thanks!
>
Try selinux-policy-2.6.4-20 in fedora-testing.

From dwalsh at redhat.com Wed Jun 20 11:08:40 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 20 Jun 2007 07:08:40 -0400
Subject: RPM with seperate selinux package
In-Reply-To:
References:
Message-ID: <46790AB8.2000100@redhat.com>

Jan-Frode Myklebust wrote:
> I've been building syslog-ng RPMs, with the needed selinux module as a separate sub-package following the instructions at:
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>
> but there's a problem with the logic of having the selinux package "Requires: main package", as then the main package will get installed and started before there is a working policy installed.
>
> So, is there any way of re-ordering this, without having the main package depend on the selinux package? i.e. I want to allow someone to install only the syslog-ng-2.0.4-12.i386.rpm if they don't want the selinux module, but I want the selinux module to be installed first if both are installed in the same operation.
>
> My current srpm --> http://tanso.net/yum/packages/syslog-ng-2.0.4-12.src.rpm
>
I think it would be better to just ship the policy pp file in your rpm. But looking through your policy, most of it is already in the base policy.
allow syslogd_t device_t:sock_file { getattr unlink };
> This looks like a bug, it should not happen.

allow syslogd_t rsh_port_t:tcp_socket name_bind;
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t self:tcp_socket { create listen bind setopt };
> In FC7

allow syslogd_t syslogd_var_lib_t:dir { search write add_name };
allow syslogd_t syslogd_var_lib_t:file { create write getattr read };
> This should be added to FC7

> -jf

From bruno at wolff.to Thu Jun 21 21:18:43 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Thu, 21 Jun 2007 16:18:43 -0500
Subject: Is there a way to set default MCS labels for file creation?
Message-ID: <20070621211843.GA3333@wolff.to>

Is there a way to set a default set of labels for newly created files based on file paths or role?

From bruno at wolff.to Thu Jun 21 21:55:13 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Thu, 21 Jun 2007 16:55:13 -0500
Subject: Is there a way to set default MCS labels for file creation?
In-Reply-To: <20070621211843.GA3333@wolff.to>
References: <20070621211843.GA3333@wolff.to>
Message-ID: <20070621215513.GA10127@wolff.to>

On Thu, Jun 21, 2007 at 16:18:43 -0500, Bruno Wolff III wrote:
> Is there a way to set a default set of labels for newly created files
> based on file paths or role?

The context of this question is from the point of the user who wants their files categorized automatically in most cases, based on either the directory the files are placed in or what role they are running as. I think the semanage command can be used by system administrators to set defaults based on path names on behalf of users, but it would be nice if the users had a bit more control so they didn't have to bug the admins to set their defaults.
From fdsubs at t-online.hu Fri Jun 22 05:03:45 2007
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Fri, 22 Jun 2007 07:03:45 +0200
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <1182090455.5622.2.camel@metropolis.intra.city-fan.org>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil> <4665C6D2.4040908@northwest-aero.com> <4665D254.5050902@redhat.com> <4665D601.4000804@northwest-aero.com> <4665D8A4.9030801@redhat.com> <4665DAFE.1010701@northwest-aero.com> <4665E8ED.9030708@northwest-aero.com> <1182090455.5622.2.camel@metropolis.intra.city-fan.org>
Message-ID: <41F09763-BA73-4E4C-8CCE-737A4B046C4E@t-online.hu>

On Jun 17, 2007, at 16:27, Paul Howarth wrote:
> I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7)
> I needed to add the following:
> # Allow dovecot to check passwords
> allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
>
> before dovecot-auth could run /sbin/unix-update and authenticate IMAP
> clients.

I've got pretty much the same problem -- dovecot failing to authenticate IMAP clients through PAM if selinux enforcing is enabled. However, even what Paul posted doesn't solve it for me.
dovecot-1.0.1-12.fc7
selinux-policy-targeted-2.6.4-14.fc7

dovecot is left to use the default settings,
passdb:
  driver: pam
userdb:
  driver: passwd

audit messages I'm getting are like:
avc: denied { execute } for pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file

other log messages on the failure:
unix_chkpwd[4911]: could not get username from shadow (username))
dovecot-auth: pam_unix(dovecot:account): unix_update returned error 9
dovecot: auth(default): pam(username,addr): lookup service=dovecot
dovecot: auth(default): pam(username,addr): pam_acct_mgmt() failed: Authentication service cannot retrieve authentication info

Through a couple of iterations of audit2allow and making a new module, I came up with this (pretty much the same Paul posted):

require {
        type dovecot_auth_t;
        type updpwd_exec_t;
        class file { read execute execute_no_trans };
}
allow dovecot_auth_t updpwd_exec_t:file { read execute execute_no_trans };

Which did succeed in eliminating all audit denial messages, yet it still keeps on failing and authentication still doesn't work.

As soon as I do
setenforce 0
everything starts functioning fine.

Any ideas how I could make it work without disabling selinux?
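As an added example, not code from this list or from audit2allow itself, here is a small Python stand-in for the audit2allow step described in this message and in the Xen and turboprint threads: it parses raw AVC records (the sample input is constructed from denials quoted on this page), collapses them into one allow rule per source type, target type and object class, counts how many denials each rule would silence, and renders the result in the require/allow module form shown above.

```python
import re
from collections import OrderedDict

# Constructed sample input: AVC records copied from denials quoted in these
# threads (udev/xen, dovecot-auth, cupsd), plus a SYSCALL record to be skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1181917818.119:37): avc: denied { write } for pid=3032 comm="block" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5 success=no exit=-13 a0=9aba538 a1=8441 a2=1b6 a3=8441 items=0 ppid=3029 pid=3032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="block" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917818.139:38): avc: denied { write } for pid=3041 comm="vif-bridge" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
avc: denied { execute } for pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
avc: denied { execmem } for comm="ld-linux.so.2" egid=7 euid=4 exe="/lib/ld-2.6.so" exit=0 fsgid=7 fsuid=4 gid=7 items=0 pid=3240 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=process tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tty=(none) uid=4
"""

# Shape of a record: avc: denied { perm perm } for key=value key="quoted" ...
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        return {
            'verdict': m.group('verdict'),
            'perms': m.group('perms').split(),
            'comm': fields.get('comm', '?'),
            'stype': context_type(fields['scontext']),
            'ttype': context_type(fields['tcontext']),
            'tclass': fields['tclass'],
        }
    except KeyError as missing:
        raise ValueError('AVC record lacks %s: %r' % (missing, line))


def summarize(lines):
    """Collapse denials into {(source type, target type, class): perms/count/comms}."""
    rules = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        entry = rules.setdefault(key, {'perms': set(), 'count': 0, 'comms': set()})
        entry['perms'].update(rec['perms'])
        entry['count'] += 1
        entry['comms'].add(rec['comm'])
    return rules


def fmt_perms(perms):
    """Policy-language spelling of a permission set: bare name or { a b c }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def needs_review(tclass, perms):
    """True for rules a policy maintainer would question rather than just load."""
    return tclass == 'capability' or bool(set(perms) & {'execmem', 'execstack', 'execheap'})


def render_module(rules, name):
    """Render the summary as a .te module in the require/allow form used above."""
    classes = {}
    for (_, _, tclass), entry in rules.items():
        classes.setdefault(tclass, set()).update(entry['perms'])
    out = ['module %s 1.0;' % name, '', 'require {']
    for t in sorted({t for s, tt, _ in rules for t in (s, tt)}):
        out.append('\ttype %s;' % t)
    for tclass in sorted(classes):
        out.append('\tclass %s %s;' % (tclass, fmt_perms(classes[tclass])))
    out += ['}', '']
    for (stype, ttype, tclass), entry in sorted(rules.items()):
        out.append('# %d denial(s) from %s' % (entry['count'], ', '.join(sorted(entry['comms']))))
        if needs_review(tclass, entry['perms']):
            out.append('# REVIEW: grants %s on %s; look for an application or policy bug first'
                       % (fmt_perms(entry['perms']), tclass))
        target = 'self' if stype == ttype else ttype
        out.append('allow %s %s:%s %s;' % (stype, target, tclass, fmt_perms(entry['perms'])))
    return '\n'.join(out)


if __name__ == '__main__':
    print(render_module(summarize(SAMPLE_LOG.splitlines()), 'mylocal'))
```

The per-rule count and the REVIEW marker are the point: a rule that silences many identical denials, or grants execmem or a capability, is the one to check against a pending policy update or an application bug before loading it, which is how the replies on this page resolve the dovecot and turboprint cases.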
From paul at city-fan.org Fri Jun 22 07:46:16 2007
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 22 Jun 2007 08:46:16 +0100
Subject: dovecot_auth_t wants capability audit_write and netlink_audit_socket create
In-Reply-To: <41F09763-BA73-4E4C-8CCE-737A4B046C4E@t-online.hu>
References: <4664B9E1.10107@northwest-aero.com> <1181047116.25769.6.camel@moss-spartans.epoch.ncsc.mil> <4665C6D2.4040908@northwest-aero.com> <4665D254.5050902@redhat.com> <4665D601.4000804@northwest-aero.com> <4665D8A4.9030801@redhat.com> <4665DAFE.1010701@northwest-aero.com> <4665E8ED.9030708@northwest-aero.com> <1182090455.5622.2.camel@metropolis.intra.city-fan.org> <41F09763-BA73-4E4C-8CCE-737A4B046C4E@t-online.hu>
Message-ID: <467B7E48.7050707@city-fan.org>

Daniel Fazekas wrote:
> On Jun 17, 2007, at 16:27, Paul Howarth wrote:
>
>> I've still got a problem with dovecot-auth (selinux-policy-2.6.4-14.fc7)
>> I needed to add the following:
>> # Allow dovecot to check passwords
>> allow dovecot_auth_t updpwd_exec_t:file { execute execute_no_trans };
>>
>> before dovecot-auth could run /sbin/unix-update and authenticate IMAP
>> clients.
>
> I've got pretty much the same problem -- dovecot failing to authenticate
> IMAP clients through PAM if selinux enforcing is enabled.
> However, even what Paul posted doesn't solve it for me.
>
> dovecot-1.0.1-12.fc7
> selinux-policy-targeted-2.6.4-14.fc7
>
> dovecot is left to use the default settings,
> passdb:
>   driver: pam
> userdb:
>   driver: passwd
>
> audit messages I'm getting are like:
> avc: denied { execute } for pid=4978 comm="dovecot-auth" name="unix_update" dev=dm-0 ino=96698486 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
>
> other log messages on the failure:
> unix_chkpwd[4911]: could not get username from shadow (username))
> dovecot-auth: pam_unix(dovecot:account): unix_update returned error 9
> dovecot: auth(default): pam(username,addr): lookup service=dovecot
> dovecot: auth(default): pam(username,addr): pam_acct_mgmt() failed: Authentication service cannot retrieve authentication info
>
> Through a couple of iterations of audit2allow and making a new module, I came up with this (pretty much the same Paul posted):
> require {
>         type dovecot_auth_t;
>         type updpwd_exec_t;
>         class file { read execute execute_no_trans };
> }
> allow dovecot_auth_t updpwd_exec_t:file { read execute execute_no_trans };
>
> Which did succeed in eliminating all audit denial messages, yet it still keeps on failing and authentication still doesn't work.
>
> As soon as I do
> setenforce 0
> everything starts functioning fine.
>
> Any ideas how I could make it work without disabling selinux?

The problem was caused by the recent PAM update:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244534

Try updating selinux-policy from updates-testing:

# yum --enablerepo=updates-testing update selinux-policy\*

Paul.

From dwalsh at redhat.com Fri Jun 22 15:49:38 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 22 Jun 2007 11:49:38 -0400
Subject: Turboprint and FC7
In-Reply-To: <466C3B54.1000104@gmail.com>
References: <466C3B54.1000104@gmail.com>
Message-ID: <467BEF92.4050007@redhat.com>

piotreek23 at gmail.com wrote:
> Hi guys, I'm using turboprint drivers for my IP 1000 Canon.
> When I try to print from Open Office I get this below:
>
> sealert -l 26616fa9-ba9f-44fb-9cf2-d1940f15217f
> Summary
>     SELinux is preventing /lib/ld-2.6.so (cupsd_t) "execmem" to (cupsd_t).
>
> Detailed Description
>     SELinux denied access requested by /lib/ld-2.6.so. It is not expected that this access is required by /lib/ld-2.6.so and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access
>     You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:cupsd_t:SystemLow-SystemHigh
> Target Context                system_u:system_r:cupsd_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Affected RPM Packages         glibc-2.6-3 [application]
> Policy RPM                    selinux-policy-2.6.4-13.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall
> Host Name                     c79-70.icpnet.pl
> Platform                      Linux *.icpnet.pl 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
> Alert Count                   1
> First Seen                    Sun Jun 10 19:48:42 2007
> Last Seen                     Sun Jun 10 19:48:42 2007
> Local ID                      26616fa9-ba9f-44fb-9cf2-d1940f15217f
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execmem } for comm="ld-linux.so.2" egid=7 euid=4 exe="/lib/ld-2.6.so" exit=0 fsgid=7 fsuid=4 gid=7 items=0 pid=3240 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=process tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tty=(none) uid=4
>
> On FC6 turboprint was working fine.

Sorry about missing this, my junk mail filters ate it.

This looks like a badly written application that would require execmem. You can allow this by executing

# grep execmem /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp

You should report this as a bug to turboprint.

This link explains the violation: SELinux Memory Protection Tests

From bruno at wolff.to Fri Jun 22 22:01:09 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Fri, 22 Jun 2007 17:01:09 -0500
Subject: Is there a way to set default MCS labels for file creation?
In-Reply-To: <20070621211843.GA3333@wolff.to>
References: <20070621211843.GA3333@wolff.to>
Message-ID: <20070622220109.GA17641@wolff.to>

On Thu, Jun 21, 2007 at 16:18:43 -0500, Bruno Wolff III wrote:
> Is there a way to set a default set of labels for newly created files
> based on file paths or role?

I found information stating the default type comes from the type of the directory in which the file is created, but my testing indicates that the categories do not default to that of the directory the file is created in. They seem to come from your current context.

I tried dropping categories using newrole with the -l option, but it wouldn't let me do that.

"Error: you are not allowed to change levels on a non secure terminal"

From jmorris at namei.org Sat Jun 23 15:15:11 2007
From: jmorris at namei.org (James Morris)
Date: Sat, 23 Jun 2007 11:15:11 -0400 (EDT)
Subject: Is there a way to set default MCS labels for file creation?
In-Reply-To: <20070622220109.GA17641@wolff.to>
References: <20070621211843.GA3333@wolff.to> <20070622220109.GA17641@wolff.to>
Message-ID:

On Fri, 22 Jun 2007, Bruno Wolff III wrote:
> On Thu, Jun 21, 2007 at 16:18:43 -0500,
> Bruno Wolff III wrote:
> > Is there a way to set a default set of labels for newly created files
> > based on file paths or role?
>
> I found information stating the default type comes from the type of the
> directory in which the file is created,

Not for MCS labels, though. MCS labels can't currently be applied to directories, although they potentially could, and then files created under the directories could receive MCS labels based upon the parent directory and the creating process. The idea was to keep it as absolutely simple as possible and for users to explicitly label each object with MCS labels (so there are no inheritance semantics, for example).

This whole area is under review, and there's been some discussion of using TE for user labeling (cc'd Karl and Stephen).

- James

-- 
James Morris

From bruno at wolff.to Sat Jun 23 17:19:13 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Sat, 23 Jun 2007 12:19:13 -0500
Subject: Is there a way to set default MCS labels for file creation?
In-Reply-To:
References: <20070621211843.GA3333@wolff.to> <20070622220109.GA17641@wolff.to>
Message-ID: <20070623171913.GA11613@wolff.to>

On Sat, Jun 23, 2007 at 11:15:11 -0400, James Morris wrote:
>
> Not for MCS labels, though. MCS labels can't currently be applied to
> directories, although they potentially could, and then files created under
> the directories could receive MCS labels based upon the parent directory
> and the creating process. The idea was to keep it as absolutely simple as
> possible and for users to explicitly label each object with MCS labels (so
> there are no inheritance semantics, for example).

Thanks for the explanation.
From paul at city-fan.org Tue Jun 26 10:38:34 2007
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 26 Jun 2007 11:38:34 +0100
Subject: ftpd and PAM
Message-ID: <4680ECAA.5090809@city-fan.org>

The PAM config files for vsftpd and proftpd look like this:

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

So it makes sense for ftpd_t to be able to set the login uid and create a session keyring:

logging_set_loginuid(ftpd_t)
allow ftpd_t self:key { write search link };

Curiously, I've done this locally but still get this AVC when logging in on proftpd, with an open dovecot IMAP session on the same server:

type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key

Paul.
From paul at city-fan.org Tue Jun 26 11:14:31 2007
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 26 Jun 2007 12:14:31 +0100
Subject: ftpd and PAM
In-Reply-To: <4680ECAA.5090809@city-fan.org>
References: <4680ECAA.5090809@city-fan.org>
Message-ID: <4680F517.8020506@city-fan.org>

Paul Howarth wrote:
> The PAM config files for vsftpd and proftpd look like this:
>
> #%PAM-1.0
> session    optional     pam_keyinit.so    force revoke
> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth       required     pam_shells.so
> auth       include      system-auth
> account    include      system-auth
> session    include      system-auth
> session    required     pam_loginuid.so
>
> So it makes sense for ftpd_t to be able to set the login uid and create
> a session keyring:
>
> logging_set_loginuid(ftpd_t)
> allow ftpd_t self:key { write search link };
>
> Curiously, I've done this locally but still get this AVC when logging in
> on proftpd, with an open dovecot IMAP session on the same server:
>
> type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key

FWIW, I'm also getting in /var/log/secure:

Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() failed: Operation not permitted
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error
Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): System error
Jun 26 12:09:42 goalkeeper proftpd[25559]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.

I don't see any AVCs to go with these, and adding:

logging_send_audit_msg(ftpd_t)

doesn't seem to help.

Paul.
From dwalsh at redhat.com Tue Jun 26 11:27:19 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 26 Jun 2007 07:27:19 -0400 Subject: ftpd and PAM In-Reply-To: <4680F517.8020506@city-fan.org> References: <4680ECAA.5090809@city-fan.org> <4680F517.8020506@city-fan.org> Message-ID: <4680F817.7040108@redhat.com> Paul Howarth wrote: > Paul Howarth wrote: >> The PAM config files for vsftpd and prpftpd look like this: >> >> #%PAM-1.0 >> session optional pam_keyinit.so force revoke >> auth required pam_listfile.so item=user sense=deny >> file=/etc/vsftpd/ftpusers onerr=succeed >> auth required pam_shells.so >> auth include system-auth >> account include system-auth >> session include system-auth >> session required pam_loginuid.so >> >> So it makes sense for ftpd_t to be able to set the login uid and >> create a session keyring: >> >> logging_set_loginuid(ftpd_t) >> allow ftpd_t self:key { write search link }; >> >> >> Curiously, I've done this locally but still get this AVC when logging >> in on proftpd, with an open dovecot IMAP session on the same server: >> >> type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for >> pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 >> tcontext=root:system_r:dovecot_t:s0 tclass=key > > FWIW, I'm also getting in /var/log/secure: > > Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() > failed: Operation not permitted > Jun 26 12:09:42 goalkeeper proftpd[25559]: > goalkeeper.intra.city-fan.org > (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error > Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session > closed for user paul > Jun 26 12:09:42 goalkeeper proftpd[25559]: > goalkeeper.intra.city-fan.org > (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): > System error > Jun 26 12:09:42 goalkeeper proftpd[25559]: > goalkeeper.intra.city-fan.org > (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed. 
> > I don't see any AVCs to go with these, and adding: > > logging_send_audit_msg(ftpd_t) > > doesn't seem to help. > > Paul. > This could be caused by proftp not running as root and not having the auth_write capability. So a DAC error could be causing this problem. type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key I have no idea what this even means. :^) One of these days I need to investigate the kernel keyring. > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From paul at city-fan.org Tue Jun 26 11:55:32 2007 From: paul at city-fan.org (Paul Howarth) Date: Tue, 26 Jun 2007 12:55:32 +0100 Subject: ftpd and PAM In-Reply-To: <4680F817.7040108@redhat.com> References: <4680ECAA.5090809@city-fan.org> <4680F517.8020506@city-fan.org> <4680F817.7040108@redhat.com> Message-ID: <4680FEB4.10308@city-fan.org> Daniel J Walsh wrote: > Paul Howarth wrote: >> Paul Howarth wrote: >>> The PAM config files for vsftpd and prpftpd look like this: >>> >>> #%PAM-1.0 >>> session optional pam_keyinit.so force revoke >>> auth required pam_listfile.so item=user sense=deny >>> file=/etc/vsftpd/ftpusers onerr=succeed >>> auth required pam_shells.so >>> auth include system-auth >>> account include system-auth >>> session include system-auth >>> session required pam_loginuid.so >>> >>> So it makes sense for ftpd_t to be able to set the login uid and >>> create a session keyring: >>> >>> logging_set_loginuid(ftpd_t) >>> allow ftpd_t self:key { write search link }; >>> >>> >>> Curiously, I've done this locally but still get this AVC when logging >>> in on proftpd, with an open dovecot IMAP session on the same server: >>> >>> type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for >>> pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 >>> 
tcontext=root:system_r:dovecot_t:s0 tclass=key >> >> FWIW, I'm also getting in /var/log/secure: >> >> Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() >> failed: Operation not permitted >> Jun 26 12:09:42 goalkeeper proftpd[25559]: >> goalkeeper.intra.city-fan.org >> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error >> Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): session >> closed for user paul >> Jun 26 12:09:42 goalkeeper proftpd[25559]: >> goalkeeper.intra.city-fan.org >> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): >> System error >> Jun 26 12:09:42 goalkeeper proftpd[25559]: >> goalkeeper.intra.city-fan.org >> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed. >> >> I don't see any AVCs to go with these, and adding: >> >> logging_send_audit_msg(ftpd_t) >> >> doesn't seem to help. >> >> Paul. >> > This could be caused by proftp not running as root and not having the > auth_write capability. So a DAC error could be causing this problem. Proftpd runs as nobody out of the box; what would I need to change to fix this? Which object's DAC permissions are the problem? > type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for > pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 > tcontext=root:system_r:dovecot_t:s0 tclass=key > > I have no idea what this even means. :^) One of these days I need to > investigate the kernel keyring. It doesn't seem to cause any problem, but I would like to know what it is if you ever figure it out. Cheers, Paul. 
From dwalsh at redhat.com Tue Jun 26 12:20:24 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 26 Jun 2007 08:20:24 -0400 Subject: ftpd and PAM In-Reply-To: <4680FEB4.10308@city-fan.org> References: <4680ECAA.5090809@city-fan.org> <4680F517.8020506@city-fan.org> <4680F817.7040108@redhat.com> <4680FEB4.10308@city-fan.org> Message-ID: <46810488.2010409@redhat.com> Paul Howarth wrote: > Daniel J Walsh wrote: >> Paul Howarth wrote: >>> Paul Howarth wrote: >>>> The PAM config files for vsftpd and prpftpd look like this: >>>> >>>> #%PAM-1.0 >>>> session optional pam_keyinit.so force revoke >>>> auth required pam_listfile.so item=user sense=deny >>>> file=/etc/vsftpd/ftpusers onerr=succeed >>>> auth required pam_shells.so >>>> auth include system-auth >>>> account include system-auth >>>> session include system-auth >>>> session required pam_loginuid.so >>>> >>>> So it makes sense for ftpd_t to be able to set the login uid and >>>> create a session keyring: >>>> >>>> logging_set_loginuid(ftpd_t) >>>> allow ftpd_t self:key { write search link }; >>>> >>>> >>>> Curiously, I've done this locally but still get this AVC when >>>> logging in on proftpd, with an open dovecot IMAP session on the >>>> same server: >>>> >>>> type=AVC msg=audit(1182853960.377:103383): avc: denied { link } >>>> for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 >>>> tcontext=root:system_r:dovecot_t:s0 tclass=key >>> >>> FWIW, I'm also getting in /var/log/secure: >>> >>> Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() >>> failed: Operation not permitted >>> Jun 26 12:09:42 goalkeeper proftpd[25559]: >>> goalkeeper.intra.city-fan.org >>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error >>> Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): >>> session closed for user paul >>> Jun 26 12:09:42 goalkeeper proftpd[25559]: >>> goalkeeper.intra.city-fan.org >>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session): >>> System 
error >>> Jun 26 12:09:42 goalkeeper proftpd[25559]: >>> goalkeeper.intra.city-fan.org >>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed. >>> >>> I don't see any AVCs to go with these, and adding: >>> >>> logging_send_audit_msg(ftpd_t) >>> >>> doesn't seem to help. >>> >>> Paul. >>> >> This could be caused by proftp not running as root and not having the >> auth_write capability. So a DAC error could be causing this problem. > > Proftpd runs as nobody out of the box; what would I need to change to > fix this? Which object's DAC permissions are the problem? proftpd would need to start as root and then setuid to "nobody" When it does setuid it would need to keep AUDIT_WRITE capability. > >> type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for >> pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 >> tcontext=root:system_r:dovecot_t:s0 tclass=key >> >> I have no idea what this even means. :^) One of these days I need to >> investigate the kernel keyring. > > It doesn't seem to cause any problem, but I would like to know what it > is if you ever figure it out. > > Cheers, Paul. 
> From paul at city-fan.org Tue Jun 26 14:36:58 2007 From: paul at city-fan.org (Paul Howarth) Date: Tue, 26 Jun 2007 15:36:58 +0100 Subject: ftpd and PAM In-Reply-To: <46810488.2010409@redhat.com> References: <4680ECAA.5090809@city-fan.org> <4680F517.8020506@city-fan.org> <4680F817.7040108@redhat.com> <4680FEB4.10308@city-fan.org> <46810488.2010409@redhat.com> Message-ID: <4681248A.2050706@city-fan.org> Daniel J Walsh wrote: > Paul Howarth wrote: >> Daniel J Walsh wrote: >>> Paul Howarth wrote: >>>> Paul Howarth wrote: >>>>> The PAM config files for vsftpd and prpftpd look like this: >>>>> >>>>> #%PAM-1.0 >>>>> session optional pam_keyinit.so force revoke >>>>> auth required pam_listfile.so item=user sense=deny >>>>> file=/etc/vsftpd/ftpusers onerr=succeed >>>>> auth required pam_shells.so >>>>> auth include system-auth >>>>> account include system-auth >>>>> session include system-auth >>>>> session required pam_loginuid.so >>>>> >>>>> So it makes sense for ftpd_t to be able to set the login uid and >>>>> create a session keyring: >>>>> >>>>> logging_set_loginuid(ftpd_t) >>>>> allow ftpd_t self:key { write search link }; >>>>> >>>>> >>>>> Curiously, I've done this locally but still get this AVC when >>>>> logging in on proftpd, with an open dovecot IMAP session on the >>>>> same server: >>>>> >>>>> type=AVC msg=audit(1182853960.377:103383): avc: denied { link } >>>>> for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 >>>>> tcontext=root:system_r:dovecot_t:s0 tclass=key >>>> >>>> FWIW, I'm also getting in /var/log/secure: >>>> >>>> Jun 26 12:09:42 goalkeeper proftpd: PAM audit_log_user_message() >>>> failed: Operation not permitted >>>> Jun 26 12:09:42 goalkeeper proftpd[25559]: >>>> goalkeeper.intra.city-fan.org >>>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(setcred): System error >>>> Jun 26 12:09:42 goalkeeper proftpd: pam_unix(proftpd:session): >>>> session closed for user paul >>>> Jun 26 12:09:42 goalkeeper proftpd[25559]: >>>> 
goalkeeper.intra.city-fan.org
>>>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - PAM(close_session):
>>>> System error
>>>> Jun 26 12:09:42 goalkeeper proftpd[25559]:
>>>> goalkeeper.intra.city-fan.org
>>>> (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.
>>>>
>>>> I don't see any AVCs to go with these, and adding:
>>>>
>>>> logging_send_audit_msg(ftpd_t)
>>>>
>>>> doesn't seem to help.
>>>>
>>>> Paul.
>>>>
>>> This could be caused by proftp not running as root and not having the
>>> auth_write capability. So a DAC error could be causing this problem.
>>
>> Proftpd runs as nobody out of the box; what would I need to change to
>> fix this? Which object's DAC permissions are the problem?
> proftpd would need to start as root and then setuid to "nobody" When it
> does setuid it would need to keep AUDIT_WRITE capability.

OK thanks. It does most of this already. There's a proftpd module mod_cap that gets built by default and allows the specification of capabilities to retain, but unfortunately CAP_AUDIT_WRITE isn't one of the capabilities it manipulates. However, a quick patch fixed that and now it seems OK:

Jun 26 14:33:44 goalkeeper proftpd: pam_unix(proftpd:session): session opened for user paul by (uid=0)
Jun 26 14:33:44 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - USER paul: Login successful.
Jun 26 14:33:48 goalkeeper proftpd: pam_unix(proftpd:session): session closed for user paul
Jun 26 14:33:48 goalkeeper proftpd[30169]: goalkeeper.intra.city-fan.org (::ffff:192.168.2.20[::ffff:192.168.2.20]) - FTP session closed.

Paul.

From pravinth_g at yahoo.co.uk Tue Jun 26 18:40:21 2007
From: pravinth_g at yahoo.co.uk (Pravinth Ganesan)
Date: Tue, 26 Jun 2007 14:40:21 -0400
Subject: Pravinth has Tagged you! :)
Message-ID: <200706261840.l5QIeLbj014007@mx2.redhat.com>
From bruno at wolff.to Tue Jun 26 22:17:01 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Tue, 26 Jun 2007 17:17:01 -0500
Subject: Is there a simple way to allow execmem for a single binary?
Message-ID: <20070626221701.GA16919@wolff.to>

I have a proprietary app (iHEAT) that is getting execmem denials. I would prefer to allow just this one app to be able to do that rather than disabling the check for everything. I am using the targeted policy in Fedora 7. I saw there was a context type unconfined_execmem, but that doesn't seem to permit execution.

Is there some context I can use or perhaps I need to relabel a library and not the executable?

From mothra at parsnip.evansville.edu Wed Jun 27 04:25:08 2007
From: mothra at parsnip.evansville.edu (mothra)
Date: Tue, 26 Jun 2007 23:25:08 -0500 (CDT)
Subject: Spamassassin + Procmail + Lockfile + SELinux = broken
Message-ID: <46062.75.16.230.125.1182918308.squirrel@parsnip.evansville.edu>

I'm rather green, and have had some trouble deciphering a lot of the SELinux stuff. Any help would be great. I'm using procmail to filter mail through spamassassin (SA), but SELinux appears to be interfering. I say this because if I turn off enforcing, mail gets through properly tagged by SA. With SELinux on, messages are not tagged by SA. The log looks like this:

Jun 26 23:07:51 parsnip kernel: audit(1182917271.036:1779): enforcing=1 old_enforcing=0 auid=4294967295
Jun 26 23:07:51 parsnip dbus: avc: received setenforce notice (enforcing=1)
Jun 26 23:08:04 parsnip kernel: audit(1182917284.795:1780): avc: denied { search } for pid=28116 comm="spamassassin" name="tmp" dev=sda3 ino=26738689 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

My (rather ignorant) read is that procmail_t and tmp_t are not matching (procmail does try to write a lockfile). And what I have gleaned is that I either need some sort of rule that somehow matches these two, or I need to change some tags (on my /tmp directory?)
to allow this to proceed. Am I anywhere near the ballpark? I tried audit2why to decipher this, but it complained that it didn't understand policies outside of the range 15-20. Audit2allow returns allow procmail_t tmp_t:di search; But I'm not sure what to do with it... Thanks in advance for any help! - Lowell From paul at city-fan.org Wed Jun 27 07:48:22 2007 From: paul at city-fan.org (Paul Howarth) Date: Wed, 27 Jun 2007 08:48:22 +0100 Subject: Spamassassin + Procmail + Lockfile + SELinux = broken In-Reply-To: <46062.75.16.230.125.1182918308.squirrel@parsnip.evansville.edu> References: <46062.75.16.230.125.1182918308.squirrel@parsnip.evansville.edu> Message-ID: <1182930502.25883.2.camel@metropolis.intra.city-fan.org> On Tue, 2007-06-26 at 23:25 -0500, mothra wrote: > I'm rather green, and have had some trouble deciphering a lot of the > SELinux stuff. Any help would be great. I'm using procmail to filter > mail through spamassassin (SA), but SELinux appears to be interfering. I > say this because if I turn off enforcing, mail gets through properly > tagged by SA. With SELinux on, messages are not tagged by SA. The log > looks like this: > > Jun 26 23:07:51 parsnip kernel: audit(1182917271.036:1779): enforcing=1 > old_enforcing=0 auid=4294967295 > Jun 26 23:07:51 parsnip dbus: avc: received setenforce notice (enforcing=1) > Jun 26 23:08:04 parsnip kernel: audit(1182917284.795:1780): avc: denied > { search } for pid=28116 comm="spamassassin" name="tmp" dev=sda3 > ino=26738689 scontext=user_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:tmp_t:s0 tclass=dir > > My (rather ignorant) read is that procmail_t and tmp_t are not matching > (procmail does try to write a lockfile). And what I have gleaned is that > I either need some sort of rule that somehow matches these two, or I need > to change some tags (on my /tmp directory?) to allow this to proceed. > > Am I anywhere near the ballpark? 
I tried audit2why to decipher this, but > it complained that it didn't understand policies outside of the range > 15-20. Audit2allow returns > > allow procmail_t tmp_t:di search; > > But I'm not sure what to do with it... > > Thanks in advance for any help! What is your procmail recipe for spamassassin? I've had more success using "/usr/bin/spamc" rather than "/usr/bin/spamassassin" in the past. Paul. From dwalsh at redhat.com Wed Jun 27 11:26:53 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 27 Jun 2007 07:26:53 -0400 Subject: Is there a simple way to allow execmem for a single binary? In-Reply-To: <20070626221701.GA16919@wolff.to> References: <20070626221701.GA16919@wolff.to> Message-ID: <4682497D.7010305@redhat.com> Bruno Wolff III wrote: > I have a propietary app (iHEAT) that is getting execmem denials. I would > prefer to allow just this one app to be able to do that rather than disabling > the check for everything. I am using the targeted policy in Fedora 7. > I saw there was a context type unconfined_execmem, but that doesn't seem > to permit execution. > > Is there some context I can use or perhaps I need to relabel a library and > not the executable? > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > You could always fix your app. :^) chcon -t unconfined_execmem_exec_t YOURBADAPP From dwalsh at redhat.com Wed Jun 27 11:35:07 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 27 Jun 2007 07:35:07 -0400 Subject: Spamassassin + Procmail + Lockfile + SELinux = broken In-Reply-To: <46062.75.16.230.125.1182918308.squirrel@parsnip.evansville.edu> References: <46062.75.16.230.125.1182918308.squirrel@parsnip.evansville.edu> Message-ID: <46824B6B.8010401@redhat.com> mothra wrote: > I'm rather green, and have had some trouble deciphering a lot of the > SELinux stuff. Any help would be great. 
I'm using procmail to filter
> mail through spamassassin (SA), but SELinux appears to be interfering. I
> say this because if I turn off enforcing, mail gets through properly
> tagged by SA. With SELinux on, messages are not tagged by SA. The log
> looks like this:
>
> Jun 26 23:07:51 parsnip kernel: audit(1182917271.036:1779): enforcing=1
> old_enforcing=0 auid=4294967295
> Jun 26 23:07:51 parsnip dbus: avc: received setenforce notice (enforcing=1)
> Jun 26 23:08:04 parsnip kernel: audit(1182917284.795:1780): avc: denied
> { search } for pid=28116 comm="spamassassin" name="tmp" dev=sda3
> ino=26738689 scontext=user_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
>
> My (rather ignorant) read is that procmail_t and tmp_t are not matching
> (procmail does try to write a lockfile). And what I have gleaned is that
> I either need some sort of rule that somehow matches these two, or I need
> to change some tags (on my /tmp directory?) to allow this to proceed.
>
> Am I anywhere near the ballpark? I tried audit2why to decipher this, but
> it complained that it didn't understand policies outside of the range
> 15-20. Audit2allow returns
>
> allow procmail_t tmp_t:di search;
>
> But I'm not sure what to do with it...
>
> Thanks in advance for any help!
>
> - Lowell
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
What OS/version are you running? audit2why saying that it does not understand policy > 20 sounds like you have a partially upgraded system?
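The denials in the two threads above (Paul's ftpd_t key denial and Lowell's procmail_t search denial) reduce to the same question: which allow rule does this line imply, and should it be allowed at all? The following is an added example, not code from these posts or from the audit2allow tool; it reimplements audit2allow's core step (parse the AVC, group by source type, target type and class, emit one rule per group) and renders the module source in the form `audit2allow -M` writes, so the rule can be read and questioned before anything is installed. SAMPLE_LOG holds the lines quoted in the threads; the module name `local_avc` is a placeholder.

```python
"""Turn SELinux AVC denials into the allow rules they imply.

Added example for the ftpd/PAM and procmail/spamassassin threads; not code
from the list posts or from audit2allow itself.  It reimplements audit2allow's
core step (parse the denial, group by source type / target type / class, emit
one allow rule per group) and renders the module source in the form
'audit2allow -M' writes.  SAMPLE_LOG holds the lines quoted in the threads;
the module name "local_avc" is a placeholder.
"""
import re
from collections import defaultdict

# Lines quoted in the threads: two denials (kernel-audit form and type=AVC
# form) and two audit lines that are not denials and must be skipped.
SAMPLE_LOG = [
    'Jun 26 23:07:51 parsnip kernel: audit(1182917271.036:1779): enforcing=1 '
    'old_enforcing=0 auid=4294967295',
    'Jun 26 23:07:51 parsnip dbus: avc: received setenforce notice (enforcing=1)',
    'Jun 26 23:08:04 parsnip kernel: audit(1182917284.795:1780): avc: denied '
    '{ search } for pid=28116 comm="spamassassin" name="tmp" dev=sda3 '
    'ino=26738689 scontext=user_u:system_r:procmail_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for '
    'pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 '
    'tcontext=root:system_r:dovecot_t:s0 tclass=key',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for a denial, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
    }


def _perm_set(perms):
    """Render a permission set the way policy syntax expects it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def allow_rules(lines):
    """One allow rule per (source, target, class), permissions merged."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype   # audit2allow writes self
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, _perm_set(perms)))
    return rules


def policy_module(name, lines):
    """Module source (.te) as 'audit2allow -M name' writes it."""
    types, classes = set(), defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            types.update((d["stype"], d["ttype"]))
            classes[d["tclass"]].update(d["perms"])
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, _perm_set(p)) for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(policy_module("local_avc", SAMPLE_LOG))
```

To build and load the result on a real system: `checkmodule -M -m -o local_avc.mod local_avc.te`, then `semodule_package -o local_avc.pp -m local_avc.mod`, then `semodule -i local_avc.pp` (`audit2allow -M local_avc < avc.log` does all three). The threads themselves are the caveat: the proftpd failure turned out to be a missing CAP_AUDIT_WRITE after setuid rather than a missing rule, and the procmail denial went away by switching to spamc. Before loading a generated rule, check whether an existing interface (logging_set_loginuid, logging_send_audit_msg) or a boolean already covers the access, and whether the denied access is one the daemon should have at all.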
From mothra at parsnip.evansville.edu Wed Jun 27 15:31:52 2007 From: mothra at parsnip.evansville.edu (mothra) Date: Wed, 27 Jun 2007 10:31:52 -0500 Subject: Spamassassin + Procmail + Lockfile + SELinux = broken In-Reply-To: <46824B6B.8010401@redhat.com> References: <46062.75.16.230.125.1182918308.squirrel@parsnip.evansville.edu> <46824B6B.8010401@redhat.com> Message-ID: <20070627153152.GA2663@parsnip.evansville.edu> Thanks Paul and Daniel: My procmail invocation is: :0fw * < 256000 | /usr/bin/spamassassin And I see that I'm missing the lock (:) on this one, so I think my comment about procmail writing a lockfile was in error. I looked into spamc as an alternative - seems to work without a problem. Thanks for the tip Paul. The OS is Fedora Core 5, which I've been (somewhat blindly) updating with yum (no extra configuration on yum - just running it out of the box). Yum never complained, so I did not suspect that the system was partially upgraded. To be explicit, I've not yet tried to upgrade to FC6 or FC7. For the record, current status is [root at parsnip ~]# rpm -qa | grep policy selinux-policy-2.3.7-2.fc5 selinux-policy-targeted-2.3.7-2.fc5 policycoreutils-1.30.10-2.fc5 I guess the urgency on this is pretty low now that I've got the filter up and running (via spamc). But I'm still curious as to what I would have to have done if spamc didn't exist. I'm concerned about how many more SELinux bullets I can dodge... :) >I'm rather green, and have had some trouble deciphering a lot of the >SELinux stuff. Any help would be great. I'm using procmail to filter >mail through spamassassin (SA), but SELinux appears to be interfering. I >say this because if I turn off enforcing, mail gets through properly >tagged by SA. With SELinux on, messages are not tagged by SA. 
The log >looks like this: > >Jun 26 23:07:51 parsnip kernel: audit(1182917271.036:1779): enforcing=1 >old_enforcing=0 auid=4294967295 >Jun 26 23:07:51 parsnip dbus: avc: received setenforce notice >(enforcing=1) >Jun 26 23:08:04 parsnip kernel: audit(1182917284.795:1780): avc: denied >{ search } for pid=28116 comm="spamassassin" name="tmp" dev=sda3 >ino=26738689 scontext=user_u:system_r:procmail_t:s0 >tcontext=system_u:object_r:tmp_t:s0 tclass=dir > >My (rather ignorant) read is that procmail_t and tmp_t are not matching >(procmail does try to write a lockfile). And what I have gleaned is that >I either need some sort of rule that somehow matches these two, or I need >to change some tags (on my /tmp directory?) to allow this to proceed. > >Am I anywhere near the ballpark? I tried audit2why to decipher this, but >it complained that it didn't understand policies outside of the range >15-20. Audit2allow returns > > allow procmail_t tmp_t:di search; > >But I'm not sure what to do with it... > >Thanks in advance for any help! > >- Lowell From bruno at wolff.to Wed Jun 27 15:32:24 2007 From: bruno at wolff.to (Bruno Wolff III) Date: Wed, 27 Jun 2007 10:32:24 -0500 Subject: Targeted/MCS feedback on F7 Message-ID: <20070627153224.GB15118@wolff.to> I played around a bit with using MCS under the targeted policy and wanted to provide some feedback. Adding labels for context levels doesn't seem to work quite right. For example: [root at cerberus ~]# id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:sysadm_r:unconfined_t [root at cerberus ~]# semanage translation -a -T test1 s0:c1 /etc/init.d/functions: line 19: /sbin/consoletype: Permission denied /etc/profile.d/lang.sh: line 49: /sbin/consoletype: Permission denied basename: write error: Permission denied basename: write error: Permission denied env: /etc/init.d/mcstrans: Permission denied I have to restart the mcstrans service to get the label names to show up. 
Having the context type for new files include all of the labels is a pain. While this is probably more safe from a forgetting to label a file perspective, it ends up labelling a lot of files you aren't going to be aware of. For example when I tried ending my experiment and took away access to categories, I found that some of my gnome profile files had been labelled with categories and I could no longer access them. I think some system updates I did during the experiment also resulted in files being labelled with categories as some of the gnome default files were inaccessible to me. While trying to fix this I found that chcat doesn't seem to do recursive labelling. While I could use find and xargs, a -r option would be nice. However, instead of trying find and xargs I tried fixfiles instead. The good and bad news is that fixfiles solved my immediate problem and the files were relabelled without categories. However, that suggests that if people are using MCS labelling and do a relabel of their system for some reason, all of the category labels are going to be lost. I think if I were going to use such a system, I would want to have a command to set the default category labels to apply (and another to check what they are set to). And I would want to make sure things like config files didn't get labelled. Working at the shell level this wouldn't be a problem, but if you are doing things from the desktop this would be harder to do. Maybe there could be a new context for a user's config files and those wouldn't get labelled the same as other files do by default. From bruno at wolff.to Wed Jun 27 15:12:19 2007 From: bruno at wolff.to (Bruno Wolff III) Date: Wed, 27 Jun 2007 10:12:19 -0500 Subject: Is there a simple way to allow execmem for a single binary? 
In-Reply-To: <4682497D.7010305@redhat.com> References: <20070626221701.GA16919@wolff.to> <4682497D.7010305@redhat.com> Message-ID: <20070627151219.GA15118@wolff.to> On Wed, Jun 27, 2007 at 07:26:53 -0400, Daniel J Walsh wrote: > Bruno Wolff III wrote: > >I have a propietary app (iHEAT) that is getting execmem denials. I would > >prefer to allow just this one app to be able to do that rather than > >disabling > >the check for everything. I am using the targeted policy in Fedora 7. > >I saw there was a context type unconfined_execmem, but that doesn't seem > >to permit execution. > > > >Is there some context I can use or perhaps I need to relabel a library and > >not the executable? > > > >-- > >fedora-selinux-list mailing list > >fedora-selinux-list at redhat.com > >https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > You could always fix your app. :^) Unfortunately I can't. I am just happy there is a Linux client so I don't still have to keep a windows machine in my office. > chcon -t unconfined_execmem_exec_t YOURBADAPP Thanks! From tony.molloy at ul.ie Thu Jun 28 08:55:15 2007 From: tony.molloy at ul.ie (Tony Molloy) Date: Thu, 28 Jun 2007 09:55:15 +0100 Subject: Relabeling question Message-ID: <200706280955.15853.tony.molloy@ul.ie> Hi, This is on CentOS but it's a SELinux question. I have a filesystem which I need to make available under ftp ( vsftpd ) httpd ( apache ) and NFS. It contains our local mirrors. What should the permissions and the SELInux context be on the filesystem and how can I relabel it so that it can be available under all three. 
The current permissions/SELinux context are

drwxr-xr-x root root system_u:object_r:default_t mirrors

and I want something like

drwxr-xr-x root root root:object_r:public_content_t TEST

Thanks,

Tony

From amessina at messinet.com Thu Jun 28 11:23:29 2007
From: amessina at messinet.com (Anthony Messina)
Date: Thu, 28 Jun 2007 06:23:29 -0500
Subject: Relabeling question
In-Reply-To: <200706280955.15853.tony.molloy@ul.ie>
References: <200706280955.15853.tony.molloy@ul.ie>
Message-ID: <200706280623.33695.amessina@messinet.com>

On Thursday 28 June 2007 03:55:15 am Tony Molloy wrote:
> Hi,
>
> This is on CentOS but it's a SELinux question.
>
> I have a filesystem which I need to make available under ftp ( vsftpd )
> httpd ( apache ) and NFS. It contains our local mirrors.
>
> What should the permissions and the SELInux context be on the filesystem
> and how can I relabel it so that it can be available under all three.
>
> The current permissions/SELinux context are
>
> drwxr-xr-x root root system_u:object_r:default_t mirrors
>
> and I want something like
>
> drwxr-xr-x root root root:object_r:public_content_t TEST

you do want the public_content_t (or perhaps the public_content_rw_t if it's not read only).

you may also need to check booleans to allow the different daemons to write to the public_content_t areas:

allow_ftpd_anon_write --> off
allow_httpd_anon_write --> off
allow_httpd_apcupsd_cgi_script_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
allow_nfsd_anon_write --> on
allow_rsync_anon_write --> off
allow_smbd_anon_write --> on

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
From shazyboy.linux at gmail.com Thu Jun 28 11:43:50 2007
From: shazyboy.linux at gmail.com (shazyboy khan)
Date: Thu, 28 Jun 2007 16:43:50 +0500
Subject: SeLinux and Fc 6
Message-ID: <7e531af80706280443q22e2350egd5fc3343a2b9d649@mail.gmail.com>

Hi

I use fedora core 6. I need to work on ipsec netlabels but cannot understand some tutorials because things change very frequently.

How I understand selinux? Loadable Policy Modules? Ipsec? Any simple and complete tutorial? Where is policy in text format? How I compile? Any good gui tools? Do I need lspp kernel? What mode is suitable for mentioned work: strict or targeted? Whats the difference? Permissive I guess on the other side is suitable for experimentation. Any other suggestions?

tankoo
shazyboy.

From sundaram at fedoraproject.org Fri Jun 29 01:07:21 2007
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Fri, 29 Jun 2007 06:37:21 +0530
Subject: Proactive SELinux fixes from automatic collection of logs
Message-ID: <46845B49.2080906@fedoraproject.org>

Hi

There are many instances where SELinux policy causes AVC denials while running programs. Some of these are policy issues, some actual bugs in the program or security issues and others where the denial is rather harmless and can be ignored for all practical purposes. It is sometimes tedious to go and file a bug report methodologically on all these denials in hope that we uncover and fix real policy issues.

What would be better is for users to run in some opt-in program that automatically sends either the audit or messages log or both to a central server and the SELinux developers proactively fix policy issues without the overhead of users filing bug reports. I would gladly run a program and I would guess that many users would find this a much better and easier way to report issues. We could even tie this to a GUI and first boot in the installer. Kind of a smolt (http://smolt.fedoraproject.org/stats) for SELinux if you will.

Comments?
Rahul From tony.molloy at ul.ie Fri Jun 29 08:41:37 2007 From: tony.molloy at ul.ie (Tony Molloy) Date: Fri, 29 Jun 2007 09:41:37 +0100 Subject: Relabeling question In-Reply-To: <200706280623.33695.amessina@messinet.com> References: <200706280955.15853.tony.molloy@ul.ie> <200706280623.33695.amessina@messinet.com> Message-ID: <200706290941.37992.tony.molloy@ul.ie> On Thursday 28 June 2007 12:23, Anthony Messina wrote: > On Thursday 28 June 2007 03:55:15 am Tony Molloy wrote: > > Hi, > > > > This is on CentOS but it's a SELinux question. > > > > I have a filesystem which I need to make available under ftp ( vsftpd ) > > httpd ( apache ) and NFS. It contains our local mirrors. > > > > What should the permissions and the SELInux context be on the filesystem > > and how can I relabel it so that it can be available under all three. > > > > The current permissions/SELinux context are > > > > drwxr-xr-x root root system_u:object_r:default_t mirrors > > > > and I want something like > > > > drwxr-xr-x root root root:object_r:public_content_t TEST > > you do want the public_content_t (or perhaps the public_content_rw_t if > it's not read only). > This is a read only mirror site so public_content_t should be enough. How do I do that. > you may also need to check booleans to allow the different daemons to write > to the pubilc_content_t areas: > > allow_ftpd_anon_write --> off > allow_httpd_anon_write --> off > allow_httpd_apcupsd_cgi_script_anon_write --> off > allow_httpd_bugzilla_script_anon_write --> off > allow_httpd_squid_script_anon_write --> off > allow_httpd_sys_script_anon_write --> off > allow_nfsd_anon_write --> on > allow_rsync_anon_write --> off > allow_smbd_anon_write --> on I looked at the booleans with system-config-selinux and set those I thought I needed. 
Thanks,

Tony

From amessina at messinet.com Fri Jun 29 12:39:02 2007
From: amessina at messinet.com (Anthony Messina)
Date: Fri, 29 Jun 2007 07:39:02 -0500
Subject: Relabeling question
In-Reply-To: <200706290941.37992.tony.molloy@ul.ie>
References: <200706280955.15853.tony.molloy@ul.ie> <200706280623.33695.amessina@messinet.com> <200706290941.37992.tony.molloy@ul.ie>
Message-ID: <200706290739.06196.amessina@messinet.com>

On Friday 29 June 2007 03:41:37 am Tony Molloy wrote:
> On Thursday 28 June 2007 12:23, Anthony Messina wrote:
> > On Thursday 28 June 2007 03:55:15 am Tony Molloy wrote:
> > > I have a filesystem which I need to make available under ftp ( vsftpd )
> > > httpd ( apache ) and NFS. It contains our local mirrors.
> > >
> > > What should the permissions and the SELinux context be on the
> > > filesystem and how can I relabel it so that it can be available under
> > > all three.
> > >
> > > The current permissions/SELinux context are
> > >
> > > drwxr-xr-x root root system_u:object_r:default_t mirrors
> > >
> > > and I want something like
> > >
> > > drwxr-xr-x root root root:object_r:public_content_t TEST
> >
> > you do want the public_content_t (or perhaps the public_content_rw_t if
> > it's not read only).
>
> This is a read only mirror site so public_content_t should be enough.
> How do I do that.

to change the context of files, you can use the chcon utility. man chcon.
it should be something like:

"chcon -R -t public_content_t TEST"

which will recursively relabel the TEST directory and everything under it with the
right context.

you should also create a file
as /etc/selinux/targeted/contexts/files/file_contexts.local
which contains a line like

/TEST(/.*)? system_u:object_r:public_content_rw_t:s0

that way, that directory will have a "default" context

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: 

From tony.molloy at ul.ie Fri Jun 29 14:13:58 2007
From: tony.molloy at ul.ie (Tony Molloy)
Date: Fri, 29 Jun 2007 15:13:58 +0100
Subject: Relabeling question
In-Reply-To: <200706290739.06196.amessina@messinet.com>
References: <200706280955.15853.tony.molloy@ul.ie> <200706290941.37992.tony.molloy@ul.ie> <200706290739.06196.amessina@messinet.com>
Message-ID: <200706291513.58380.tony.molloy@ul.ie>

On Friday 29 June 2007 13:39, Anthony Messina wrote:
> On Friday 29 June 2007 03:41:37 am Tony Molloy wrote:
> > On Thursday 28 June 2007 12:23, Anthony Messina wrote:
> > > On Thursday 28 June 2007 03:55:15 am Tony Molloy wrote:
> > > > I have a filesystem which I need to make available under ftp ( vsftpd
> > > > ) httpd ( apache ) and NFS. It contains our local mirrors.
> > > >
> > > > What should the permissions and the SELinux context be on the
> > > > filesystem and how can I relabel it so that it can be available under
> > > > all three.
> > > >
> > > > The current permissions/SELinux context are
> > > >
> > > > drwxr-xr-x root root system_u:object_r:default_t mirrors
> > > >
> > > > and I want something like
> > > >
> > > > drwxr-xr-x root root root:object_r:public_content_t TEST
> > >
> > > you do want the public_content_t (or perhaps the public_content_rw_t if
> > > it's not read only).
> >
> > This is a read only mirror site so public_content_t should be enough.
> > How do I do that.
>
> to change the context of files, you can use the chcon utility. man chcon.
> it should be something like:
>
> "chcon -R -t public_content_t TEST"
>
> which will recursively relabel the TEST directory and everything under it with the
> right context.
>
> you should also create a file
> as /etc/selinux/targeted/contexts/files/file_contexts.local
> which contains a line like
>
> /TEST(/.*)? system_u:object_r:public_content_rw_t:s0
>
> that way, that directory will have a "default" context

Thanks, I'll give that a try. I'm doing an install on that server at the moment.

Tony

From jdennis at redhat.com Fri Jun 29 14:17:17 2007
From: jdennis at redhat.com (John Dennis)
Date: Fri, 29 Jun 2007 10:17:17 -0400
Subject: Proactive SELinux fixes from automatic collection of logs
In-Reply-To: <46845B49.2080906@fedoraproject.org>
References: <46845B49.2080906@fedoraproject.org>
Message-ID: <1183126637.801.41.camel@junko.usersys.redhat.com>

On Fri, 2007-06-29 at 06:37 +0530, Rahul Sundaram wrote:
> Hi
>
> There are many instances where SELinux policy causes AVC denials while
> running programs. Some of these are policy issues, some actual bugs in
> the program or security issues and others where the denial is rather
> harmless and can be ignored for all practical purposes.
>
> It is sometimes tedious to go and file a bug report methodologically on
> all these denials in hope that we uncover and fix real policy issues.
> What would be better is for users to run in some opt-in program that
> automatically sends either the audit or messages log or both to central
> server and the SELinux developers proactively fix policy issues without
> the overhead of users filing bug reports.
>
> I would gladly run a program and I would guess that many users would
> find this a much better and easier way to report issues. We could even
> tie this to a GUI and first boot in the installer. Kind of a smolt
> (http://smolt.fedoraproject.org/stats) for SELinux if you will. Comments?

We already have something much like you're suggesting. A while ago it was recognized that diagnosing and addressing SELinux AVC denials was a significant problem. We designed and built a tool to help with that, it's called setroubleshoot. It has a daemon that runs with root privileges and a user space desktop GUI component that will alert you to any AVC denial and analyze it.
You get a notification on your desktop and a GUI tool which allows you to browse your AVC denials in a user friendly interpretation. See: https://hosted.fedoraproject.org/projects/setroubleshoot

During the design phase of the tool we considered automatic bug reporting and the design of the tool would support automatic bug reporting. However, we elected to not implement automatic bug reporting for the following reasons:

1) Not all AVC denials are bugs. In fact many are due to correct operations the sysadmin must explicitly enable via a policy boolean. One of the primary jobs of setroubleshoot is to automatically detect these cases and tell the user how to configure the policy.

2) The information contained in an AVC denial is security sensitive. It would be a huge security hole to automatically transmit any of this information in the form of a bug report or other notification channel.

3) Automatic collection of user generated reports was an extra development effort which also requires a central service. Implementing the feature and resources to then manage this central service was deemed out of scope, especially taking into consideration points 1 and 2 above.

The conclusion is that when users see an AVC and have it automatically interpreted (very easy with setroubleshoot) it is then up to them to decide if it's really a bug (could just be policy configuration) and if it is a bug if they want to export information which might be security sensitive. If they elect to report then they can simply copy the report out of the setroubleshoot GUI and paste it into a bugzilla.

Should there be a button which says "submit as bug report" in the GUI? Sure, that might be a very handy feature but at the moment bugzilla requires an authenticated account to generate a new bug report. We also don't want to flood bugzilla with duplicates via automated submission.

When setroubleshoot was designed it took the duplicate report issue into account and it can recognize the same issue occurring on multiple systems so that only one report would be generated. But that requires submitting a setroubleshoot report to an intermediary central server which then interacts with bugzilla.

-- 
John Dennis

From jdennis at redhat.com Fri Jun 29 15:58:14 2007
From: jdennis at redhat.com (John Dennis)
Date: Fri, 29 Jun 2007 11:58:14 -0400
Subject: Proactive SELinux fixes from automatic collection of logs
In-Reply-To: <7a41c4bc0706290833r4a853b6cp851cb57c2e68e265@mail.gmail.com>
References: <46845B49.2080906@fedoraproject.org> <1183126637.801.41.camel@junko.usersys.redhat.com> <7a41c4bc0706290833r4a853b6cp851cb57c2e68e265@mail.gmail.com>
Message-ID: <1183132694.801.57.camel@junko.usersys.redhat.com>

On Fri, 2007-06-29 at 17:33 +0200, Paulo Santos wrote:
> John and Daniel,
>
> In which case would the application[1] that Daniel wants the
> Infrastructure Team to host then be used?
>
> [1] http://fedoraproject.org/wiki/Infrastructure/RFR/SELinux
>
> From what you say, the setroubleshoot tool is already a pretty
> complete application.

Let me explain Dan's request so you can see it in context. One of the features of setroubleshoot is its ability to scan a log file and analyze AVC denials. You can already do this in the GUI. But for folks who don't have setroubleshoot installed the idea was folks could go to a web page and upload the log file and have the CGI script perform the analysis and display the results. The request you cite was for CGI support for this. I believe the CGI is already written, it just needs "a place to live".

BTW, log file analysis is a compromise because the analysis parts of the tool cannot interrogate the system for information not in the log; this may result in a less thorough analysis.

BTW, I realized after sending my earlier reply it contained a number of typos and I didn't proofread it, my apologies if it made it hard to read.

-- 
John Dennis

From bruno at wolff.to Fri Jun 29 20:44:41 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Fri, 29 Jun 2007 15:44:41 -0500
Subject: Relabeling question
In-Reply-To: <200706290739.06196.amessina@messinet.com>
References: <200706280955.15853.tony.molloy@ul.ie> <200706280623.33695.amessina@messinet.com> <200706290941.37992.tony.molloy@ul.ie> <200706290739.06196.amessina@messinet.com>
Message-ID: <20070629204441.GA11478@wolff.to>

On Fri, Jun 29, 2007 at 07:39:02 -0500, Anthony Messina wrote:
>
> you should also create a file
> as /etc/selinux/targeted/contexts/files/file_contexts.local
> which contains a line like

The new way is to do this using semanage. If you edit those files the changes don't take effect immediately.

From bruno at wolff.to Fri Jun 29 15:25:16 2007
From: bruno at wolff.to (Bruno Wolff III)
Date: Fri, 29 Jun 2007 10:25:16 -0500
Subject: Proactive SELinux fixes from automatic collection of logs
In-Reply-To: <46845B49.2080906@fedoraproject.org>
References: <46845B49.2080906@fedoraproject.org>
Message-ID: <20070629152516.GB4430@wolff.to>

On Fri, Jun 29, 2007 at 06:37:21 +0530, Rahul Sundaram wrote:
>
> I would gladly run a program and I would guess that many users would
> find this a much better and easier way to report issues. We could even
> tie this to a GUI and first boot in the installer. Kind of a smolt
> (http://smolt.fedoraproject.org/stats) for SELinux if you will. Comments?

Make sure you have a way to detect people doing odd things so you don't waste your time tracking down nonproblems. For example when playing with MCS labels recently I managed to install some package updates with additional labels that prevented me from using them later. So you need to think about what kind of customization information you need to include along with the avc messages.
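An added worked example for the relabeling thread above (Anthony's chcon plus file_contexts.local suggestion, and Bruno's note that semanage is the current way). It is not code from the thread or from libselinux; it is a small Python model of how restorecon and setfiles pick a label out of file_contexts, written to show two things the thread leaves implicit: chcon alone is not persistent (the next restorecon or full relabel reverts the tree unless a file_contexts entry says otherwise), and whatever type that entry names is what gets applied, so it must agree with the type you gave chcon. Anthony's mail pairs chcon -t public_content_t with a local line naming public_content_rw_t; for a read-only mirror the entry should say public_content_t. The spec list below is a constructed excerpt, not a real file_contexts, and Python's re stands in for the POSIX regexes libselinux compiles, which is close enough for specs of this shape.

```python
import re

# Constructed excerpt standing in for /etc/selinux/targeted/contexts/files/file_contexts.
# A real file has thousands of entries; these few are enough to show the matching rule.
FILE_CONTEXTS = """\
/.*                     system_u:object_r:default_t:s0
/usr(/.*)?              system_u:object_r:usr_t:s0
/var/ftp(/.*)?          system_u:object_r:public_content_t:s0
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/tmp/.*                 <<none>>
"""

# What `semanage fcontext -a -t public_content_t "/TEST(/.*)?"` records in
# file_contexts.local (constructed; same type as the chcon so the two agree).
FILE_CONTEXTS_LOCAL = """\
/TEST(/.*)?             system_u:object_r:public_content_t:s0
"""


def parse_file_contexts(text):
    """Parse 'regex [filetype] context' lines into (compiled_regex, filetype, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, ftype, context = fields  # ftype such as -d or -- narrows the match
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        # libselinux anchors every regex at both ends before compiling it.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def load_specs():
    """Same load order as libselinux: file_contexts first, then file_contexts.local."""
    return parse_file_contexts(FILE_CONTEXTS) + parse_file_contexts(FILE_CONTEXTS_LOCAL)


def lookup(specs, path, ftype=None):
    """Return the context restorecon would apply to `path`, or None for <<none>> / no match.

    The list is walked from the end, so the last matching entry wins; because
    file_contexts.local is appended last, it overrides the distribution entries.
    """
    for regex, spec_ftype, context in reversed(specs):
        if spec_ftype is not None and ftype is not None and spec_ftype != ftype:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


def restorecon_plan(specs, on_disk):
    """Emulate `restorecon -Rvn`: list (path, old, new) for every label that would change."""
    changes = []
    for path, old in sorted(on_disk.items()):
        new = lookup(specs, path)
        if new is not None and new != old:
            changes.append((path, old, new))
    return changes


if __name__ == "__main__":
    # Labels as they look right after `chcon -R -t public_content_t /TEST` (constructed).
    after_chcon = {
        "/TEST": "system_u:object_r:public_content_t:s0",
        "/TEST/README": "system_u:object_r:public_content_t:s0",
    }
    # Without the local entry a relabel reverts the tree to default_t ...
    for change in restorecon_plan(parse_file_contexts(FILE_CONTEXTS), after_chcon):
        print("without file_contexts.local: %s %s -> %s" % change)
    # ... with it, restorecon has nothing to do.
    print("with file_contexts.local:", restorecon_plan(load_specs(), after_chcon))
```

On the real system the sequence Bruno is pointing at is `semanage fcontext -a -t public_content_t "/TEST(/.*)?"` followed by `restorecon -Rv /TEST`; `matchpathcon /TEST` then shows what the specs resolve to and `ls -dZ /TEST` what is actually on disk, and the two should agree. Newer libselinux additionally sorts the spec list so that more specific regexes sit later, which gives the same answer as the plain last-match walk above for entries of this kind.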
From olivares14031 at yahoo.com Tue Jun 5 22:23:47 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 05 Jun 2007 22:23:47 -0000
Subject: mknod still not working after suggested fix
Message-ID: <141664.85492.qm@web52610.mail.re2.yahoo.com>

----- Original Message ----
From: Daniel J Walsh
To: Antonio Olivares
Cc: fedora-selinux-list at redhat.com
Sent: Tuesday, June 5, 2007 8:22:32 AM
Subject: Re: mknod still not working after suggested fix

Antonio Olivares wrote:
> selinux is still not allowing mknod to do its job.
>
> I have to manually create the device node every boot
>
> [root at localhost ~]# mknod -m 600 /dev/slamr0 c 242 0
> [1]+ Done gedit /boot/grub/grub.conf
> [root at localhost ~]# modprobe ungrab-winmodem
> [root at localhost ~]# modprobe slamr
> [root at localhost ~]# slmodemd -c USA /dev/slamr0 &
> [1] 2709
> [root at localhost ~]# SmartLink Soft Modem: version 2.9.11 Jun 4 2007 00:14:21
> symbolic link `/dev/ttySL0' -> `/dev/pts/1' created.
> modem `slamr0' created. TTY is `/dev/pts/1'
> Use `/dev/ttySL0' as modem device, Ctrl+C for termination.
>
>
> audit(1181023411.825:4): avc: denied { mknod } for pid=673 comm="mknod" capability=27 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability
>
>
> [root at localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i myinsmod.pp
>
> [root at localhost ~]# semodule -i myinsmod.pp
>
> What should I try now?
>
> Regards,
>
> Antonio
>
>
Are you seeing other avc messages? Please attach the myinsmod.te and your audit.log
>
>
> ____________________________________________________________________________________
> Get the Yahoo! toolbar and be alerted to new email wherever you're surfing.
> http://new.toolbar.yahoo.com/toolbar/features/mail/index.php
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

[root at localhost ~]# cat myinsmod.te

module myinsmod 1.0;

require {
	type insmod_t;
	type device_t;
	class dir write;
}

#============= insmod_t ==============
allow insmod_t device_t:dir write;
[root at localhost ~]#

Attachment was neglected by yahoo mail, sent it to text file and attached as auditlog.txt

[root at localhost audit]# cat audit.log | more
type=DAEMON_START msg=audit(1180930151.012:6690) auditd start, ver=1.5.3, format=raw, auid=4294967295 pid=1558 res=success, auditd pid=1558
type=CONFIG_CHANGE msg=audit(1180930150.723:15): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1180930150.723:16): audit_enabled=1 old=0 by auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1180930150.723:17): audit_backlog_limit=320 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1180930150.723:18): audit_backlog_limit=320 old=64 by auid=4294967295 res=1
type=USER_AUTH msg=audit(1180930198.716:19): user pid=2385 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct=? : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
type=USER_LOGIN msg=audit(1180930199.216:20): user pid=2385 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='acct=olivares: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=failed)'
type=USER_AUTH msg=audit(1180930208.714:21): user pid=2385 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_ACCT msg=audit(1180930208.714:22): user pid=2385 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=LOGIN msg=audit(1180930209.214:23): login pid=2385 uid=0 old auid=429496729
....

Thank you very much for your patience and your kindness with this issue.

Antonio

____________________________________________________________________________________
We won't tell. Get more on shows you hate to love (and love to hate): Yahoo! TV's Guilty Pleasures list.
http://tv.yahoo.com/collections/265
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: auditlog.txt
URL: 
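An added example for the mknod thread above; it is not code from the thread, from audit2allow or from Dan's reply. It is a minimal Python re-implementation of what `grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod` does, parsing `avc: denied` records into allow rules and a require block, so the .te that comes out can be compared with the one Antonio posted. The log lines are constructed in the shape of the ones quoted in the thread: the capability record is the one Antonio pasted, the dir write record is the kind his myinsmod.te must have been generated from, and the dbus record is there only to show what the grep filter drops. The real audit2allow reads records through libaudit and handles much more (booleans, type transitions, dontaudit, policy reference interfaces); this covers only plain AVC denials.

```python
import re
from collections import defaultdict

# Constructed audit records in the shape of the ones quoted in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181023411.825:4): avc:  denied  { mknod } for  pid=673 comm="mknod" capability=27 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1181023411.830:5): avc:  denied  { write } for  pid=673 comm="mknod" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
type=SYSCALL msg=audit(1181023411.830:5): arch=40000003 syscall=14 success=no exit=-13 comm="mknod" exe="/bin/mknod" subj=system_u:system_r:insmod_t:s0-s0:c0.c1023
type=AVC msg=audit(1181023412.001:6): avc:  denied  { search } for  pid=1844 comm="dbus-daemon" name="olivares" scontext=user_u:user_r:user_dbusd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
"""

# Matches both the audit.log form (type=AVC msg=audit(...): avc: denied ...)
# and the older syslog form (audit(...): avc: denied ...) seen in the thread.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type, the only part an allow rule needs."""
    return ctx.split(":")[2]


def parse_avcs(lines, match=None):
    """Pull denials out of audit records; `match` emulates `grep <match>` on the input."""
    denials = []
    for line in lines:
        if match is not None and match not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records and anything that is not a denial
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def build_rules(denials):
    """Merge denials into {(source_type, target_type_or_self, class): set(perms)}."""
    rules = defaultdict(set)
    for d in denials:
        # A process being denied against its own context (capabilities, signals,
        # getsched) becomes a `self` rule, exactly as audit2allow writes it.
        target = "self" if d["target"] == d["source"] else d["target"]
        rules[(d["source"], target, d["tclass"])] |= d["perms"]
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def render_te(module, rules):
    """Emit a loadable-module source in the layout audit2allow -M produces."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.add(src)
        if tgt != "self":
            types.add(tgt)
        classes[cls] |= perms
    out = ["module %s 1.0;" % module, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (cls, fmt_perms(classes[cls])) for cls in sorted(classes)]
    out.append("}")
    for src in sorted({key[0] for key in rules}):
        out += ["", "#============= %s ==============" % src]
        for (s, tgt, cls) in sorted(rules):
            if s == src:
                out.append("allow %s %s:%s %s;" % (s, tgt, cls, fmt_perms(rules[(s, tgt, cls)])))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = parse_avcs(SAMPLE_AUDIT_LOG.splitlines(), match="insmod")
    print(render_te("myinsmod", build_rules(denials)))
```

Run against these records the output carries both `allow insmod_t device_t:dir write;` and `allow insmod_t self:capability mknod;`. The myinsmod.te Antonio posted contains only the first rule, so the capability denial he quoted is still not covered by that module; feeding the capability record in is what produces the second rule. Each rule generated this way grants the permission to the whole insmod_t domain, not just to the modprobe hook that ran mknod, so read the list before `semodule -i`, and treat anything that looks like a bug in policy or in the program (rather than a missing permission) as something to report instead of allow, which is the point John Dennis makes in the setroubleshoot thread.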