From selinux at gmail.com Thu Mar 1 02:15:48 2007 From: selinux at gmail.com (Tom London) Date: Wed, 28 Feb 2007 18:15:48 -0800 Subject: AVCs with rawhide policy.... Message-ID: <4c4ba1530702281815s5c3c3899pfca6b5cde3343aff@mail.gmail.com> Running latest rawhide, targeted/enforcing. Get these on boot in /var/log/messages: Feb 28 18:03:58 localhost kernel: audit(1172714587.604:4): avc: denied { getattr } for pid=436 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem and Feb 28 18:03:58 localhost kernel: loop: loaded (max 8 devices) Feb 28 18:03:58 localhost kernel: audit(1172714600.629:6): avc: denied { getattr } for pid=1719 comm="fsck" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem Feb 28 18:03:58 localhost kernel: audit(1172714600.923:7): avc: denied { getattr } for pid=1724 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem Feb 28 18:03:58 localhost kernel: EXT3 FS on dm-0, internal journal Feb 28 18:03:58 localhost kernel: audit(1172714601.074:8): avc: denied { getattr } for pid=1728 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem Feb 28 18:03:58 localhost kernel: audit(1172714601.078:9): avc: denied { getattr } for pid=1729 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem Feb 28 18:03:58 localhost kernel: audit(1172714601.082:10): avc: denied { getattr } for pid=1730 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem Feb 28 18:03:58 localhost kernel: audit(1172714601.086:11): avc: denied { getattr } for pid=1731 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem Feb 28 18:03:58 localhost kernel: audit(1172714601.089:12): avc: denied { getattr } for pid=1732 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem and Feb 28 18:03:58 localhost kernel: audit(1172714602.004:14): avc: denied { getattr } for pid=1787 comm="swapon" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem and Feb 28 18:03:58 localhost kernel: audit(1172714603.821:16): avc: denied { getattr } for pid=1904 comm="iptables-restor" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem and Feb 28 18:03:58 localhost kernel: audit(1172714605.500:17): avc: denied { getattr } for pid=2092 comm="ifconfig" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem I attach audit.log. tom -- Tom London -------------- next part -------------- type=DAEMON_START msg=audit(1172714606.978:8177) auditd start, ver=1.4.2, format=raw, auid=4294967295 pid=2225 res=success, auditd pid=2225 type=CONFIG_CHANGE msg=audit(1172714607.077:19): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1 type=CONFIG_CHANGE msg=audit(1172714607.077:20): audit_enabled=1 old=0 by auid=4294967295 res=1 type=CONFIG_CHANGE msg=audit(1172714607.520:21): audit_backlog_limit=256 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1 type=CONFIG_CHANGE msg=audit(1172714607.521:22): audit_backlog_limit=256 old=64 by auid=4294967295 res=1 type=AVC msg=audit(1172714609.640:23): avc: denied { getattr } for pid=2287 comm="mcstransd" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1172714609.640:23): arch=40000003 syscall=268 success=no exit=-13 a0=d99d8a a1=54 a2=bfc30d40 a3=bfc30d40 items=0 ppid=2286 pid=2287 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" subj=system_u:system_r:setrans_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1172714611.889:24): avc: denied { getattr } for pid=2329 comm="setroubleshootd" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1172714611.889:24): arch=40000003 syscall=268 success=no exit=-13 a0=2d0d8a a1=54 a2=bfb4af30 a3=bfb4af30 items=0 ppid=1 pid=2329 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null) type=AVC msg=audit(1172714616.631:25): avc: denied { getattr } for pid=2460 comm="ifconfig" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1172714616.631:25): arch=40000003 syscall=268 success=no exit=-13 a0=e86d8a a1=54 a2=bff8f420 a3=bff8f420 items=0 ppid=2435 pid=2460 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null) type=AVC msg=audit(1172714617.216:26): avc: denied { getattr } for pid=2500 comm="ifconfig" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1172714617.216:26): arch=40000003 syscall=268 success=no exit=-13 a0=6a3d8a a1=54 a2=bfacef50 a3=bfacef50 items=0 ppid=2482 pid=2500 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null) type=AVC msg=audit(1172714619.200:27): avc: denied { getattr } for pid=2573 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1172714619.200:27): arch=40000003 syscall=268 success=no exit=-13 a0=328d8a a1=54 a2=bffb94a0 a3=bffb94a0 items=0 ppid=2552 pid=2573 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) type=AVC msg=audit(1172714620.853:28): avc: denied { getattr } for pid=2600 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1172714620.853:28): arch=40000003 syscall=268 success=no exit=-13 a0=144d8a a1=54 a2=bf8de580 a3=bf8de580 items=0 ppid=2597 pid=2600 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) type=AVC msg=audit(1172714620.859:29): avc: denied { getattr } for pid=2601 comm="umount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1172714620.859:29): arch=40000003 syscall=268 success=no exit=-13 a0=b74d8a a1=54 a2=bf972d90 a3=bf972d90 items=0 ppid=2597 pid=2601 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null) type=AVC msg=audit(1172714621.574:30): avc: denied { getattr } for pid=2603 comm="mount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1172714621.574:30): arch=40000003 syscall=268 success=no exit=-13 a0=123d8a a1=54 a2=bfdeb280 a3=bfdeb280 items=0 ppid=2597 pid=2603 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) type=AVC msg=audit(1172714621.581:31): avc: denied { getattr } for pid=2604 comm="umount" name="/" dev=selinuxfs ino=540 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1172714621.581:31): arch=40000003 syscall=268 success=no exit=-13 a0=e6dd8a a1=54 a2=bfc70220 a3=bfc70220 items=0 ppid=2597 pid=2604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null) type=LABEL_LEVEL_CHANGE msg=audit(1172714631.834:32): user pid=2677 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)' type=LABEL_LEVEL_CHANGE msg=audit(1172714632.094:33): user pid=2677 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=hp_LaserJet_1300 uri=hal:///org/freedesktop/Hal/devices/usb_device_3f0_1017_00CNCB954325_if0_printer_noserial banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)' type=LABEL_LEVEL_CHANGE msg=audit(1172714632.232:34): user pid=2677 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Innopath uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)' type=LABEL_LEVEL_CHANGE msg=audit(1172714632.233:35): user pid=2677 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Local uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)' type=USER_ERR msg=audit(1172714649.286:36): user pid=3248 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)' type=USER_AUTH msg=audit(1172714663.308:37): user pid=3322 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)' type=USER_ACCT msg=audit(1172714663.309:38): user pid=3322 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)' type=CRED_ACQ msg=audit(1172714663.310:39): user pid=3322 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)' type=LOGIN msg=audit(1172714663.315:40): login pid=3322 uid=0 old auid=4294967295 new auid=500 type=USER_START msg=audit(1172714663.845:41): user pid=3322 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)' type=USER_LOGIN msg=audit(1172714663.847:42): user pid=3322 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=:0 res=success)' type=USER_AUTH msg=audit(1172714750.042:43): user pid=3898 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' type=USER_ACCT msg=audit(1172714750.042:44): user pid=3898 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: accounting acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' type=USER_START msg=audit(1172714750.343:45): user pid=3898 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' type=CRED_ACQ msg=audit(1172714750.343:46): user pid=3898 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' type=USER_AUTH msg=audit(1172714885.904:47): user pid=4049 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)' type=USER_ACCT msg=audit(1172714885.905:48): user pid=4049 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: accounting acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)' type=USER_START msg=audit(1172714885.968:49): user pid=4049 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)' type=CRED_ACQ msg=audit(1172714885.969:50): user pid=4049 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)' From sds at tycho.nsa.gov Thu Mar 1 12:04:17 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 01 Mar 2007 07:04:17 -0500 Subject: AVCs with rawhide policy.... In-Reply-To: <4c4ba1530702281815s5c3c3899pfca6b5cde3343aff@mail.gmail.com> References: <4c4ba1530702281815s5c3c3899pfca6b5cde3343aff@mail.gmail.com> Message-ID: <1172750657.19041.529.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-02-28 at 18:15 -0800, Tom London wrote: > Running latest rawhide, targeted/enforcing. > > Get these on boot in /var/log/messages: > > Feb 28 18:03:58 localhost kernel: audit(1172714587.604:4): avc: > denied { getattr } for pid=436 comm="mount" name="/" dev=selinuxfs > ino=540 scontext=system_u:system_r:mount_t:s0 > tcontext=system_u:object_r:security_t:s0 tclass=filesystem Change to libselinux by Steve Grubb. The corresponding change to policy was already committed upstream, so Dan just needs to pull it in (allowing this permission in the selinux_get_fs_mount interface/macro). -- Stephen Smalley National Security Agency From dwalsh at redhat.com Thu Mar 1 14:10:29 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 01 Mar 2007 09:10:29 -0500 Subject: Confining TeX In-Reply-To: <20070227162743.GB24300@fi.muni.cz> References: <20070227162743.GB24300@fi.muni.cz> Message-ID: <45E6DED5.9000506@redhat.com> Jan Kasprzak wrote: > Hello, > > I am implementing a remote TeX server for our users, > and I would like to confine it using SELinux (FC6, targeted policy). > I need help or suggestions on possible approaches. What I want to do > is the following: > > - I have a TeX installation in a separate directory > - I want local users to be able to run TeX commands without restrictions > - I want to have a daemon, running under a separate user, which will handle > remote requests for TeX compilation. Under this user/daemon > the TeX commands should be confined, so that they can only > read TeX data files (the texmf/ tree), execute the TeX sub-commands > (i.e. files under /bin/ directory) - including the rights > to the system libraries, locales, etc. as necessary. And the confined > processes should write only to the texmf-var tree (autogenerated > bitmap fonts, etc.) and to the temporary directory, reserved for > TeX outputs (logs, DVI files, dvips outputs, etc.). > > My current solution is to create the tex_t domain, > and tex_exec_t, tex_data_t, and tex_tmp_t file types, and make the > daemon run "runcon -t tex_t -- tex myfile.tex" instead of plain > "tex myfile.tex". > > > Maybe there are better approaches than this: > > - maybe the "runcon" is not necessary, and TeX executables can be made to > enter the tex_t domain automatically, when started by the UNIX user > under which the daemon runs. > > - or maybe I should use SELinux users or roles instead of domains (?) > > - or maybe the daemon should run under its own special domain? > > The "runcon" approach allows local users to compile also > untrusted TeX sources - i.e. they can be able to run TeX either under their > own context, or via "runcon" in the confined mode. > > I have not seen your policy but a couple of comments: First you said you have a daemon, which means almost never need to use runcon. runcon is really a test program. You write rules to transition from initrc_t to your confined domain and then put an init script in /etc/init.d and it will transition. (With proper labeleing.) If you want to have a program that users will run in the confined environment you could create a context on a small program or script (confinedtext) labeled confinedtex_exec_t, and then write transition rules from like the following domain_auto_trans(unconfined_t, confinedtex_exec_t, tex_t) Then label the script confinedtex_exec_t. Now the users could either run with tex directly or run confinedtex > Any suggestions? > > -Yenya > > From selinux at lucullo.it Thu Mar 1 15:30:05 2007 From: selinux at lucullo.it (selinux at lucullo.it) Date: Thu, 01 Mar 2007 16:30:05 +0100 Subject: radiusd and selinux Message-ID: <45e6f17d.2f2.196f.593718836@webmailh4.aruba.it> hi... i don't understand very well this log: Mar 1 16:07:29 francesca kernel: audit(1172761649.659:16): avc: denied { read } for pid=2843 comm="radiusd" name="unexpected.tdb" dev=hda3 ino=9886366 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:samba_var_t:s0 tclass=file Mar 1 16:07:29 francesca kernel: audit(1172761649.703:17): avc: denied { create } for pid=2843 comm="radiusd" scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=netlink_route_socket thank you in advance for the help. vittorio From dwalsh at redhat.com Thu Mar 1 18:23:43 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 01 Mar 2007 13:23:43 -0500 Subject: radiusd and selinux In-Reply-To: <45e6f17d.2f2.196f.593718836@webmailh4.aruba.it> References: <45e6f17d.2f2.196f.593718836@webmailh4.aruba.it> Message-ID: <45E71A2F.5000205@redhat.com> selinux at lucullo.it wrote: > hi... > > i don't understand very well this log: > > Mar 1 16:07:29 francesca kernel: audit(1172761649.659:16): > avc: denied { read } for pid=2843 comm="radiusd" > name="unexpected.tdb" dev=hda3 ino=9886366 > scontext=system_u:system_r:radiusd_t:s0 > tcontext=system_u:object_r:samba_var_t:s0 tclass=file > Mar 1 16:07:29 francesca kernel: audit(1172761649.703:17): > avc: denied { create } for pid=2843 comm="radiusd" > scontext=system_u:system_r:radiusd_t:s0 > tcontext=system_u:system_r:radiusd_t:s0 > tclass=netlink_route_socket > It shows two things. One is radius trying to read a file under a directory labeled samba_var_t. (unexecpected.tdb). Does radius usually read the either /var/lib/samba or /var/spool/samba or /var/cache/samba? The second one is definitely a bug in policy. You can create a policy module to allow these two accesses by executing grep radius /var/log/audit/audit.log | audit2allow -M myradius And loading the policy module. > > thank you in advance for the help. > > vittorio > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From selinux at gmail.com Fri Mar 2 23:59:47 2007 From: selinux at gmail.com (Tom London) Date: Fri, 2 Mar 2007 15:59:47 -0800 Subject: ConsoleKit AVC Message-ID: <4c4ba1530703021559r6913b8f5y45480b02c421fa11@mail.gmail.com> One more AVC from ConsoleKit: type=AVC msg=audit(1172877528.598:13): avc: denied { write } for pid=2896 comm="console-kit-dae" name="run" dev=dm-0 ino=65576 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1172877528.598:13): arch=40000003 syscall=5 success=no exit=-13 a0=805280c a1=2c1 a2=1a4 a3=bfffb6b0 items=0 ppid=2895 pid=2896 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0 key=(null) tom -- Tom London From selinux at gmail.com Mon Mar 5 04:42:05 2007 From: selinux at gmail.com (Tom London) Date: Sun, 4 Mar 2007 20:42:05 -0800 Subject: AVC from gnome 'eject' Message-ID: <4c4ba1530703042042l481249dfq81cbcf3a97bfadaf@mail.gmail.com> Running latest Rawhide, targeted/enforcing. Trying to unmount/eject CD by right-clicking on its icon and selecting 'eject' does the unmount, but fails to eject (produces an error popup). Found this in /var/log/audit/audit.log: type=AVC msg=audit(1173069472.190:85): avc: denied { setexec } for pid=10486 comm="userhelper" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process type=SYSCALL msg=audit(1173069472.190:85): arch=40000003 syscall=4 success=no exit=-13 a0=4 a1=8cefa48 a2=1c a3=43469be9 items=0 ppid=10485 pid=10486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="userhelper" exe="/usr/sbin/userhelper" subj=system_u:system_r:hald_t:s0 key=(null) tom -- Tom London From selinux at gmail.com Mon Mar 5 14:43:12 2007 From: selinux at gmail.com (Tom London) Date: Mon, 5 Mar 2007 06:43:12 -0800 Subject: AVC from gnome 'eject' In-Reply-To: <4c4ba1530703042042l481249dfq81cbcf3a97bfadaf@mail.gmail.com> References: <4c4ba1530703042042l481249dfq81cbcf3a97bfadaf@mail.gmail.com> Message-ID: <4c4ba1530703050643x171c469en283578445d13b613@mail.gmail.com> On 3/4/07, Tom London wrote: > Running latest Rawhide, targeted/enforcing. > > Trying to unmount/eject CD by right-clicking on its icon and selecting > 'eject' does the unmount, but fails to eject (produces an error > popup). > > Found this in /var/log/audit/audit.log: > > type=AVC msg=audit(1173069472.190:85): avc: denied { setexec } for > pid=10486 comm="userhelper" scontext=system_u:system_r:hald_t:s0 > tcontext=system_u:system_r:hald_t:s0 tclass=process > type=SYSCALL msg=audit(1173069472.190:85): arch=40000003 syscall=4 > success=no exit=-13 a0=4 a1=8cefa48 a2=1c a3=43469be9 items=0 > ppid=10485 pid=10486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=(none) comm="userhelper" > exe="/usr/sbin/userhelper" subj=system_u:system_r:hald_t:s0 key=(null) > Running this with enforcing=0 (and with today's hal update), I get: type=AVC msg=audit(1173105610.525:31): avc: denied { write } for pid=4022 comm="userhelper" name="eject" dev=dm-0 ino=11075786 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1173105610.525:31): arch=40000003 syscall=5 success=yes exit=3 a0=8140240 a1=2 a2=bfc60de4 a3=0 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="userhelper" exe="/usr/sbin/userhelper" subj=system_u:system_r:hald_t:s0 key=(null) type=USER_AUTH msg=audit(1173105610.525:32): user pid=4022 uid=0 auid=4294967295 subj=system_u:system_r:hald_t:s0 msg='PAM: authentication acct=root : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? res=success)' type=USER_ACCT msg=audit(1173105610.525:33): user pid=4022 uid=0 auid=4294967295 subj=system_u:system_r:hald_t:s0 msg='PAM: accounting acct=root : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? res=success)' type=AVC msg=audit(1173105610.525:34): avc: denied { setexec } for pid=4022 comm="userhelper" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process type=SYSCALL msg=audit(1173105610.525:34): arch=40000003 syscall=4 success=yes exit=34 a0=4 a1=81402a8 a2=22 a3=43469be9 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="userhelper" exe="/usr/sbin/userhelper" subj=system_u:system_r:hald_t:s0 key=(null) type=AVC msg=audit(1173105610.525:35): avc: denied { transition } for pid=4022 comm="userhelper" name="eject" dev=dm-0 ino=5481827 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process type=AVC msg=audit(1173105610.525:35): avc: denied { siginh } for pid=4022 comm="eject" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process type=AVC msg=audit(1173105610.525:35): avc: denied { rlimitinh } for pid=4022 comm="eject" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process type=AVC msg=audit(1173105610.525:35): avc: denied { noatsecure } for pid=4022 comm="eject" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1173105610.525:35): arch=40000003 syscall=11 success=yes exit=0 a0=8141180 a1=bfc61090 a2=81411d0 a3=2 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="eject" exe="/usr/sbin/eject" subj=system_u:system_r:unconfined_t:s0 key=(null) type=AVC_PATH msg=audit(1173105610.525:35): path="/usr/sbin/eject" -- Tom London From vikigoyal at gmail.com Sat Mar 10 13:28:39 2007 From: vikigoyal at gmail.com (Vikram Goyal) Date: Sat, 10 Mar 2007 18:58:39 +0530 Subject: dovecot wants to access squid cache dir Message-ID: <20070310132839.GA14221@fc6host.fc6domain> hello, I am using FC6. Running selinux in targeted mode. selinux-policy-targeted-2.4.6-41 dovecot-1.0-1.1.rc15.fc6 Using dovecot I get the following audit messages. ---------------------------------------------------------------- type=USER_AUTH msg=audit(1173532461.741:31): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)' type=USER_ACCT msg=audit(1173532461.753:32): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)' type=AVC msg=audit(1173532461.781:33): avc: denied { getattr } for pid=14124 comm="dovecot" name="/" dev=sda6 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir type=SYSCALL msg=audit(1173532461.781:33): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a942 a1=bfff2068 a2=a5bff4 a3=8f6a94d items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null) type=AVC_PATH msg=audit(1173532461.781:33): path="/usr/sbin" type=AVC msg=audit(1173532461.785:34): avc: denied { getattr } for pid=14124 comm="dovecot" name="/" dev=sda11 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir type=SYSCALL msg=audit(1173532461.785:34): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a943 a1=bfff2068 a2=a5bff4 a3=8f6a955 items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null) type=AVC_PATH msg=audit(1173532461.785:34): path="/var/spool/squid" ---------------------------------------------------------------- The advice audit2allow gives me: root at fc6host ~]# audit2allow allow dovecot_t sbin_t:dir getattr; allow dovecot_t squid_cache_t:dir getattr; I have allowed it for now but I'm not sure. please advice. Thanks! -- vikram... |||||||| |||||||| ^^'''''^^||root||^^^'''''''^^ // \\ )) //(( \\// \\ // /\\ || \\ || / )) (( \\ -- DISCLAIMER: Use of this advanced computing technology does not imply an endorsement of Western industrial civilization. -- . - ~|~ = Registered Linux User #285795 From ftaylor at redhat.com Sat Mar 10 16:55:49 2007 From: ftaylor at redhat.com (Forrest Taylor) Date: Sat, 10 Mar 2007 09:55:49 -0700 Subject: Making a python/shell script run in httpd_t (or some other domain) Message-ID: <1173545749.32426.17.camel@papa.taylor.com> I am trying to make a python script run in the httpd_t domain on RHEL5 RC4. I have assigned the script the httpd_exec_t type. I searched the archives, and I saw an earlier post that stated that I should use the -E option to python: #!/usr/bin/python -E I see the same entry in python scripts like setroubleshootd. However, when I try to run my script (or setroubleshootd, for that matter) directly, it runs in unconfined_t. I have the same problem with shell executables. Any tips? run_init will run as expected, but it does also ask for the root password. I know that I could change the pam.d/ entry, but I don't want to do that at this point. I created an init script that simply calls the executable. This works as expected, as long as the script starts with the interpreter (e.g., #!/bin/bash). If I leave out that line, it does not transition. Any idea why? Thanks, Forrest -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From dac at tresys.com Mon Mar 12 11:54:11 2007 From: dac at tresys.com (David Caplan) Date: Mon, 12 Mar 2007 07:54:11 -0400 Subject: Making a python/shell script run in httpd_t (or some other domain) In-Reply-To: <1173545749.32426.17.camel@papa.taylor.com> Message-ID: <6FE441CD9F0C0C479F2D88F959B015889A3531@exchange.columbia.tresys.com> > -----Original Message----- > From: fedora-selinux-list-bounces at redhat.com > [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of > Forrest Taylor > Sent: Saturday, March 10, 2007 11:56 AM > To: fedora-selinux-list at redhat.com > Subject: Making a python/shell script run in httpd_t (or some > other domain) > > I am trying to make a python script run in the httpd_t domain > on RHEL5 RC4. I have assigned the script the httpd_exec_t > type. I searched the archives, and I saw an earlier post > that stated that I should use the -E option to python: > > #!/usr/bin/python -E > > I see the same entry in python scripts like setroubleshootd. > However, when I try to run my script (or setroubleshootd, for > that matter) directly, it runs in unconfined_t. I have the > same problem with shell executables. Any tips? > You need to make sure you have all the rules required for your source domain to transition to your target domain. The unconfined_t domain generally does not transition; it is designed to run most things in its domain which has a wide range of permissions (hence the name "unconfined"). You need these three rules to permit a transition: allow source_domain target_domain:process transition; allow source_domain entrypoint_type:file {read getattr execute}; allow target_domain entrypoint_type:file entrypoint; If you want the transition to be automatic, you also need a type_transition rule: type_transition source_domain entrypoint_type:process target_domain; You can use apol's domain transition analysis to test your policy to make sure you have all the necessary rules. There is also a good explanation of domain transitions in the Help menu. (Or Chapter 5 of _Selinux by Example_ :)) You also probably don't want to run your script in httpd_t, but in a more restricted domain. > run_init will run as expected, but it does also ask for the > root password. I know that I could change the pam.d/ entry, > but I don't want to do that at this point. > > I created an init script that simply calls the executable. > This works as expected, as long as the script starts with the > interpreter (e.g., #!/bin/bash). If I leave out that line, > it does not transition. Any idea why? > > Thanks, > > Forrest > From sds at tycho.nsa.gov Mon Mar 12 12:53:27 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 12 Mar 2007 08:53:27 -0400 Subject: Making a python/shell script run in httpd_t (or some other domain) In-Reply-To: <1173545749.32426.17.camel@papa.taylor.com> References: <1173545749.32426.17.camel@papa.taylor.com> Message-ID: <1173704007.2738.24.camel@moss-spartans.epoch.ncsc.mil> On Sat, 2007-03-10 at 09:55 -0700, Forrest Taylor wrote: > I am trying to make a python script run in the httpd_t domain on RHEL5 > RC4. I have assigned the script the httpd_exec_t type. I searched the > archives, and I saw an earlier post that stated that I should use the -E > option to python: > > #!/usr/bin/python -E > > I see the same entry in python scripts like setroubleshootd. However, > when I try to run my script (or setroubleshootd, for that matter) > directly, it runs in unconfined_t. I have the same problem with shell > executables. Any tips? unconfined_t transitions to initrc_t upon running an init script, and then initrc_t transitions to the appropriate domain (e.g. httpd_t) upon executing the program. That has been the case for Fedora Core 4 and later, I believe. There is no direct transition from unconfined_t to httpd_t. Providing such direct transitions, as in Fedora Core 3, caused a number of problems in cases where you didn't actually want to run a program in the same domain when directly run by the user vs. when run by an init script. You can of course always force the transition via runcon -t, if allowed by policy. > run_init will run as expected, but it does also ask for the root > password. I know that I could change the pam.d/ entry, but I don't want > to do that at this point. runcon should work for you as long as you start unconfined and the program has the right type. > I created an init script that simply calls the executable. This works > as expected, as long as the script starts with the interpreter (e.g., > #!/bin/bash). If I leave out that line, it does not transition. Any > idea why? If you trace the execution, you'll see there is a difference in what happens for those two situations. With the #!/bin/bash header, the kernel can directly launch the interpreter upon exec of the script, and thus we can perform a domain transition based on the script there (although you should only ever do that when the calling domain is more trusted than the called domain, since script execution has an inherent race condition and scripts are so susceptible to caller influence). Without the header, the kernel will reject the script upon direct exec, and the shell falls back to exec'ing the intepreter with the script as an argument, at which point the kernel doesn't see it at all as relevant to the exec call (thus no domain transition). -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Mon Mar 12 13:48:04 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 12 Mar 2007 09:48:04 -0400 Subject: Making a python/shell script run in httpd_t (or some other domain) In-Reply-To: <1173704007.2738.24.camel@moss-spartans.epoch.ncsc.mil> References: <1173545749.32426.17.camel@papa.taylor.com> <1173704007.2738.24.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1173707284.2738.59.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2007-03-12 at 08:53 -0400, Stephen Smalley wrote: > On Sat, 2007-03-10 at 09:55 -0700, Forrest Taylor wrote: > > I am trying to make a python script run in the httpd_t domain on RHEL5 > > RC4. I have assigned the script the httpd_exec_t type. I searched the > > archives, and I saw an earlier post that stated that I should use the -E > > option to python: > > > > #!/usr/bin/python -E > > > > I see the same entry in python scripts like setroubleshootd. However, > > when I try to run my script (or setroubleshootd, for that matter) > > directly, it runs in unconfined_t. I have the same problem with shell > > executables. Any tips? > > unconfined_t transitions to initrc_t upon running an init script, and > then initrc_t transitions to the appropriate domain (e.g. httpd_t) upon > executing the program. That has been the case for Fedora Core 4 and > later, I believe. There is no direct transition from unconfined_t to > httpd_t. Providing such direct transitions, as in Fedora Core 3, caused > a number of problems in cases where you didn't actually want to run a > program in the same domain when directly run by the user vs. when run by > an init script. You can of course always force the transition via > runcon -t, if allowed by policy. > > > run_init will run as expected, but it does also ask for the root > > password. I know that I could change the pam.d/ entry, but I don't want > > to do that at this point. > > runcon should work for you as long as you start unconfined and the > program has the right type. > > > I created an init script that simply calls the executable. This works > > as expected, as long as the script starts with the interpreter (e.g., > > #!/bin/bash). If I leave out that line, it does not transition. Any > > idea why? > > If you trace the execution, you'll see there is a difference in what > happens for those two situations. With the #!/bin/bash header, the > kernel can directly launch the interpreter upon exec of the script, and > thus we can perform a domain transition based on the script there > (although you should only ever do that when the calling domain is more > trusted than the called domain, since script execution has an inherent > race condition and scripts are so susceptible to caller influence). > Without the header, the kernel will reject the script upon direct exec, > and the shell falls back to exec'ing the intepreter with the script as > an argument, at which point the kernel doesn't see it at all as relevant > to the exec call (thus no domain transition). Of course, someone could instrument the shell to call security_compute_create(3) and setexeccon(3) in the latter case to emulate the domain transition, similar to runcon -c. The shell would need to gracefully fall back if denied permission though, as it often won't be able to do that when run in a confined domain. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Mon Mar 12 15:03:06 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 12 Mar 2007 11:03:06 -0400 Subject: dovecot wants to access squid cache dir In-Reply-To: <20070310132839.GA14221@fc6host.fc6domain> References: <20070310132839.GA14221@fc6host.fc6domain> Message-ID: <45F56BAA.9050007@redhat.com> Vikram Goyal wrote: > hello, > > I am using FC6. Running selinux in targeted mode. > > selinux-policy-targeted-2.4.6-41 > dovecot-1.0-1.1.rc15.fc6 > > Using dovecot I get the following audit messages. > ---------------------------------------------------------------- > type=USER_AUTH msg=audit(1173532461.741:31): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)' > type=USER_ACCT msg=audit(1173532461.753:32): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)' > type=AVC msg=audit(1173532461.781:33): avc: denied { getattr } for pid=14124 comm="dovecot" name="/" dev=sda6 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir > type=SYSCALL msg=audit(1173532461.781:33): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a942 a1=bfff2068 a2=a5bff4 a3=8f6a94d items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null) > type=AVC_PATH msg=audit(1173532461.781:33): path="/usr/sbin" > type=AVC msg=audit(1173532461.785:34): avc: denied { getattr } for pid=14124 comm="dovecot" name="/" dev=sda11 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir > type=SYSCALL msg=audit(1173532461.785:34): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a943 a1=bfff2068 a2=a5bff4 a3=8f6a955 items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null) > type=AVC_PATH msg=audit(1173532461.785:34): path="/var/spool/squid" > ---------------------------------------------------------------- > > The advice audit2allow gives me: > > root at fc6host ~]# audit2allow > allow dovecot_t sbin_t:dir getattr; > I will add to next policy > allow dovecot_t squid_cache_t:dir getattr; > Probably should be dontaudited looks like dovecot is just listing /var/spool > I have allowed it for now but I'm not sure. > > please advice. > > Thanks! > From selinux at gmail.com Tue Mar 13 14:23:47 2007 From: selinux at gmail.com (Tom London) Date: Tue, 13 Mar 2007 07:23:47 -0700 Subject: sysfs AVC from today's Rawhide... Message-ID: <4c4ba1530703130723l1f01a53apc00f9f3d37145164@mail.gmail.com> targeted/enforcing. Seems to occur during gnome login.... type=AVC msg=audit(1173794972.786:18): avc: denied { write } for pid=3358 comm="modprobe" name="config" dev=sysfs ino=8517 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file type=SYSCALL msg=audit(1173794972.786:18): arch=40000003 syscall=11 success=yes exit=0 a0=bfabe678 a1=bfabd638 a2=bfabf020 a3=400 items=0 ppid=3335 pid=3358 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 comm="modprobe" exe="/sbin/modprobe" subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null) type=AVC_PATH msg=audit(1173794972.786:18): path="/sys/devices/pci0000:00/0000:00:02.0/config" -- Tom London From selinux at gmail.com Tue Mar 13 14:28:05 2007 From: selinux at gmail.com (Tom London) Date: Tue, 13 Mar 2007 07:28:05 -0700 Subject: sysfs AVC from today's Rawhide... In-Reply-To: <4c4ba1530703130723l1f01a53apc00f9f3d37145164@mail.gmail.com> References: <4c4ba1530703130723l1f01a53apc00f9f3d37145164@mail.gmail.com> Message-ID: <4c4ba1530703130728r50de3609u81c2291581964aa3@mail.gmail.com> On 3/13/07, Tom London wrote: > targeted/enforcing. Seems to occur during gnome login.... > > type=AVC msg=audit(1173794972.786:18): avc: denied { write } for > pid=3358 comm="modprobe" name="config" dev=sysfs ino=8517 > scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:sysfs_t:s0 tclass=file > type=SYSCALL msg=audit(1173794972.786:18): arch=40000003 syscall=11 > success=yes exit=0 a0=bfabe678 a1=bfabd638 a2=bfabf020 a3=400 items=0 > ppid=3335 pid=3358 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=tty7 comm="modprobe" exe="/sbin/modprobe" > subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null) > type=AVC_PATH msg=audit(1173794972.786:18): > path="/sys/devices/pci0000:00/0000:00:02.0/config" > > Sorry for filing this here, not sure which component this would go against....: Here are some more from /var/log/messages: Mar 13 07:09:11 localhost kernel: audit(1173794898.399:2): enforcing=1 old_enforcing=0 auid=4294967295 Mar 13 07:09:11 localhost kernel: audit(1173794898.899:3): policy loaded auid=4294967295 Mar 13 07:09:11 localhost kernel: audit(1173794903.294:4): avc: denied { getattr } for pid=477 comm="start_udev" name="pts" dev=tmpfs ino=1054 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir Mar 13 07:09:11 localhost kernel: sd 0:0:0:0: Attached scsi generic sg0 type 0 <<<<>>>> Mar 13 07:09:11 localhost kernel: usbcore: registered new interface driver hci_usb Mar 13 07:09:11 localhost kernel: ipw3945: Detected Intel PRO/Wireless 3945ABG Network Connection Mar 13 07:09:11 localhost kernel: audit(1173794909.293:5): avc: denied { setattr } for pid=1522 comm="chown" name="cmd" dev=sysfs ino=7725 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file Mar 13 07:09:11 localhost kernel: audit(1173794909.293:6): avc: denied { setattr } for pid=1523 comm="chmod" name="cmd" dev=sysfs ino=7725 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file Mar 13 07:09:11 localhost kernel: audit(1173794909.293:7): avc: denied { read } for pid=1524 comm="ipw3945d" name="ipw3945d.pid" dev=dm-0 ino=66333 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file Mar 13 07:09:11 localhost kernel: floppy0: no floppy controllers found -- Tom London From dwalsh at redhat.com Tue Mar 13 19:08:09 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 13 Mar 2007 15:08:09 -0400 Subject: permitting execmod for a application In-Reply-To: References: Message-ID: <45F6F699.1080005@redhat.com> Till Maas wrote: > Hello, > > I am trying to package virtualbox for fedora and do not know enough to > create the needed files for it. At the moment it contains executables > in /opt/VirtualBox (this will change) that need execmod permissions. > > Can someone please give a example that create the context, labels the files > and permits execmod? > > execmod should only be required for a shared library. You can get selinux to allow this by executing chcon -t texrel_shlib_t PATHTOLIB If possible could you build the library to not require this type. > Regards, > Till > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From gajownik at gmail.com Thu Mar 15 19:07:29 2007 From: gajownik at gmail.com (Dawid Gajownik) Date: Thu, 15 Mar 2007 20:07:29 +0100 Subject: mount.cifs and credentials file Message-ID: <45F99971.6090007@gmail.com> Hi! What's the proper security context of credentials file used by mount.cifs? samba_selinux did not help me and cifs_t is not what I am looking for: audit(1173946014.366:6): avc: denied { read } for pid=2237 comm="mount.cifs" name=".smbcredential-polsl" dev=sda1 ino=2195809 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:cifs_t:s0 tclass=file I've got this line in my fstab: //dionizos/usr /srv/dionizos cifs credentials=/root/.smbcredential-polsl,uid=gajownik,gid=users,file_mode=0666,dir_mode=0777 0 0 Regards, Dawid -- ^_* From paul at city-fan.org Fri Mar 16 09:01:50 2007 From: paul at city-fan.org (Paul Howarth) Date: Fri, 16 Mar 2007 09:01:50 +0000 Subject: mount.cifs and credentials file In-Reply-To: <45F99971.6090007@gmail.com> References: <45F99971.6090007@gmail.com> Message-ID: <45FA5CFE.8050708@city-fan.org> Dawid Gajownik wrote: > Hi! > What's the proper security context of credentials file used by > mount.cifs? samba_selinux did not help me and cifs_t is not what I am > looking for: > > audit(1173946014.366:6): avc: denied { read } for pid=2237 > comm="mount.cifs" name=".smbcredential-polsl" dev=sda1 ino=2195809 > scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:cifs_t:s0 > tclass=file > > I've got this line in my fstab: > > //dionizos/usr /srv/dionizos cifs > credentials=/root/.smbcredential-polsl,uid=gajownik,gid=users,file_mode=0666,dir_mode=0777 > 0 0 You're probably having problems with trying to read /root before you even get to the credentials file. What I use is this: //METROPOLIS/Public\040Data /mnt/samba/public.data cifs uid=paul,gid=paul,credentials=/etc/samba/smbcredentials.paul,dir_mode=0755,file_mode=0644 0 0 $ ls -lZ /etc/samba -rw-r--r-- root root system_u:object_r:samba_etc_t lmhosts -rw------- root root user_u:object_r:samba_secrets_t passdb.tdb -rw------- root root user_u:object_r:samba_secrets_t secrets.tdb -rw-r--r-- root root system_u:object_r:samba_etc_t smb.conf -rw------- root root user_u:object_r:samba_etc_t smbcredentials.paul -rw-r--r-- root root system_u:object_r:samba_etc_t smbusers Paul. From gajownik at gmail.com Fri Mar 16 12:44:00 2007 From: gajownik at gmail.com (Dawid Gajownik) Date: Fri, 16 Mar 2007 13:44:00 +0100 Subject: mount.cifs and credentials file In-Reply-To: <45FA5CFE.8050708@city-fan.org> References: <45F99971.6090007@gmail.com> <45FA5CFE.8050708@city-fan.org> Message-ID: <9aa7c6490703160544yc19088cr1644fd6950f6d1d4@mail.gmail.com> On 3/16/07, Paul Howarth wrote: > You're probably having problems with trying to read /root before you > even get to the credentials file. What I use is this: May I ask you what version of selinux-policy-targeted do you have in your system? I changed configuration and still have AVC messages: audit(1174047007.131:6): avc: denied { read } for pid=2242 comm="mount.cifs" name="smbcredential-polsl" dev=sda1 ino=131578 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:samba_etc_t:s0 tclass=file [gajownik at cyklop ~]$ ls -lZ /etc/samba/ -rw-r--r-- root root system_u:object_r:samba_etc_t lmhosts -rw-r--r-- root root system_u:object_r:samba_etc_t smb.conf -rw------- root root user_u:object_r:samba_etc_t smbcredential-polsl [gajownik at cyklop ~]$ fstab: //dionizos/usr /srv/dionizos cifs credentials=/etc/samba/smbcredential-polsl,uid=gajownik,gid=users,file_mode=0666,dir _mode=0777 0 0 selinux-policy-targeted-2.4.6-42.fc6 From paul at city-fan.org Fri Mar 16 13:18:42 2007 From: paul at city-fan.org (Paul Howarth) Date: Fri, 16 Mar 2007 13:18:42 +0000 Subject: mount.cifs and credentials file In-Reply-To: <9aa7c6490703160544yc19088cr1644fd6950f6d1d4@mail.gmail.com> References: <45F99971.6090007@gmail.com> <45FA5CFE.8050708@city-fan.org> <9aa7c6490703160544yc19088cr1644fd6950f6d1d4@mail.gmail.com> Message-ID: <45FA9932.5080706@city-fan.org> Dawid Gajownik wrote: > On 3/16/07, Paul Howarth wrote: >> You're probably having problems with trying to read /root before you >> even get to the credentials file. What I use is this: > > May I ask you what version of selinux-policy-targeted do you have in > your system? I changed configuration and still have AVC messages: > > audit(1174047007.131:6): avc: denied { read } for pid=2242 > comm="mount.cifs" name="smbcredential-polsl" dev=sda1 ino=131578 > scontext=system_u:system_r:mount_t:s0 > tcontext=user_u:object_r:samba_etc_t:s0 tclass=file > > [gajownik at cyklop ~]$ ls -lZ /etc/samba/ > -rw-r--r-- root root system_u:object_r:samba_etc_t lmhosts > -rw-r--r-- root root system_u:object_r:samba_etc_t smb.conf > -rw------- root root user_u:object_r:samba_etc_t smbcredential-polsl > [gajownik at cyklop ~]$ > > fstab: > //dionizos/usr /srv/dionizos cifs > credentials=/etc/samba/smbcredential-polsl,uid=gajownik,gid=users,file_mode=0666,dir > > _mode=0777 0 0 > > selinux-policy-targeted-2.4.6-42.fc6 Curious: # rpm -q selinux-policy selinux-policy-2.4.6-42.fc6 I haven't changed my setup for this for a long time though, and it's been working fine. Looking at the policy sources, I think it may be working for me because I have the allow_mount_anyfile boolean set (I have some ISO images loopback mounted, and needed the boolean set to do that). Paul. From wwoods at redhat.com Fri Mar 16 16:20:01 2007 From: wwoods at redhat.com (Will Woods) Date: Fri, 16 Mar 2007 12:20:01 -0400 Subject: selinux policy change yields unbootable initrd Message-ID: <1174062001.3140.1.camel@metroid.rdu.redhat.com> (See my other mail on the subject here: http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html ) Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is denying ldconfig permission to create symlinks in /tmp. mkinitrd uses ldconfig to set up the symlinks in the initrd it creates (in a temp dir under /tmp), so then nash won't load (missing ld-linux.so.2), so your system won't boot. Here's the relevant info, triggered when installing a new kernel (which runs mkinitrd): avc: denied { create } for comm="ldconfig" egid=0 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0 Hope this helps, -w -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From gajownik at gmail.com Fri Mar 16 17:06:51 2007 From: gajownik at gmail.com (Dawid Gajownik) Date: Fri, 16 Mar 2007 18:06:51 +0100 Subject: mount.cifs and credentials file In-Reply-To: <45FA9932.5080706@city-fan.org> References: <45F99971.6090007@gmail.com> <45FA5CFE.8050708@city-fan.org> <9aa7c6490703160544yc19088cr1644fd6950f6d1d4@mail.gmail.com> <45FA9932.5080706@city-fan.org> Message-ID: <45FACEAB.6010700@gmail.com> Dnia 03/16/2007 02:18 PM, U?ytkownik Paul Howarth napisa?: > Looking at the policy sources, I think it may be working for me because > I have the allow_mount_anyfile boolean set You're right, changing this boolean to 'on' allowed to mount this network share on system boot. Is there any other way to resolve this problem? I would like not to relax to much SELinux policy. Anyway, thanks for you help :) -- ^_* From Euman at surry.net Fri Mar 16 18:06:44 2007 From: Euman at surry.net (Euman) Date: Fri, 16 Mar 2007 14:06:44 -0400 Subject: selinux policy change yields unbootable initrd In-Reply-To: <1174062001.3140.1.camel@metroid.rdu.redhat.com> References: <1174062001.3140.1.camel@metroid.rdu.redhat.com> Message-ID: <1174068404.3094.11.camel@localhost.localdomain> On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote: > Here's the relevant info, triggered when installing a new kernel (which > runs mkinitrd): > > avc: denied { create } for comm="ldconfig" egid=0 euid=0 > exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 > name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 > sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file > tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0 > > Hope this helps, > > -w Hello to all, Ive been following this issue on several other list and here is what seems to be the problem as far as some FedoraProject see's the issue.. Look at -> http://fedoraproject.org/wiki/F7Test2/ReleaseNotes -> [Problems with mkinitrd] they mention the rpm ordering issue and updating anaconda via an .img pkg This is my first mail to the list, glad to be here. Kind Regards, Euman From wwoods at redhat.com Fri Mar 16 18:26:36 2007 From: wwoods at redhat.com (Will Woods) Date: Fri, 16 Mar 2007 18:26:36 +0000 Subject: selinux policy change yields unbootable initrd In-Reply-To: <1174068404.3094.11.camel@localhost.localdomain> References: <1174062001.3140.1.camel@metroid.rdu.redhat.com> <1174068404.3094.11.camel@localhost.localdomain> Message-ID: <1174069596.3140.17.camel@metroid.rdu.redhat.com> On Fri, 2007-03-16 at 14:06 -0400, Euman wrote: > Ive been following this issue on several other list and here is what > seems to be the problem as far as some FedoraProject see's the issue.. > > Look at -> > http://fedoraproject.org/wiki/F7Test2/ReleaseNotes > > -> > [Problems with mkinitrd] > > they mention the rpm ordering issue and updating anaconda via an > .img pkg That's a different bug. That bug is a problem with the installer trying to install the mkinitrd package - it would sometimes get stuck in an infinite loop on 64-bit machines. My problem is that the SELinux policy is denying mkinitrd some permissions it needs to be able to create a working initrd. Or, rather, it *was* - it seems to work with selinux-policy-2.5.8-5.fc7. The changelog mentions prelink, not ldconfig, so I'm not sure what actually changed and whether the problem is really fixed or if I'm just not seeing it now. How could I get a diff between the two policies? Thanks, -w -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From wwoods at redhat.com Fri Mar 16 18:28:48 2007 From: wwoods at redhat.com (Will Woods) Date: Fri, 16 Mar 2007 18:28:48 +0000 Subject: selinux policy change yields unbootable initrd In-Reply-To: <1174069596.3140.17.camel@metroid.rdu.redhat.com> References: <1174062001.3140.1.camel@metroid.rdu.redhat.com> <1174068404.3094.11.camel@localhost.localdomain> <1174069596.3140.17.camel@metroid.rdu.redhat.com> Message-ID: <1174069728.3140.19.camel@metroid.rdu.redhat.com> On Fri, 2007-03-16 at 18:26 +0000, Will Woods wrote: > My problem is that the SELinux policy is denying mkinitrd some > permissions it needs to be able to create a working initrd. > > Or, rather, it *was* - it seems to work with selinux-policy-2.5.8-5.fc7. > The changelog mentions prelink, not ldconfig, so I'm not sure what > actually changed and whether the problem is really fixed or if I'm just > not seeing it now. Whoops, strike that - I didn't get an setroubleshoot popup, but the initrd is still broken. -w -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From paul at city-fan.org Mon Mar 19 11:57:36 2007 From: paul at city-fan.org (Paul Howarth) Date: Mon, 19 Mar 2007 11:57:36 +0000 Subject: logwatch AVCs Message-ID: <45FE7AB0.90308@city-fan.org> FC6, on a system using LDAP auth: type=AVC msg=audit(1174305023.309:160): avc: denied { create } for pid=5320 comm="perl" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=netlink_route_socket type=SYSCALL msg=audit(1174305023.309:160): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfafaf20 a2=4933dff4 a3=bfafb19d items=0 ppid=5318 pid=5320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1174305023.311:161): avc: denied { create } for pid=5320 comm="perl" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=unix_dgram_socket type=SYSCALL msg=audit(1174305023.311:161): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfafb2a4 a2=4933dff4 a3=14 items=0 ppid=5318 pid=5320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) I added rules: # Allow logwatch to send syslog messages and read the routing table allow logwatch_t self:netlink_route_socket { r_netlink_socket_perms }; logging_send_syslog_msg(logwatch_t) The syslog messages being sent were along the lines of: Mar 19 11:52:33 xy01m005 perl: nss_ldap: failed to bind to LDAP server ldap://10.1.0.65: Can't contact LDAP server Mar 19 11:52:33 xy01m005 perl: nss_ldap: could not search LDAP server - Server is unavailable Mar 19 11:52:34 xy01m005 perl: nss_ldap: failed to bind to LDAP server ldap://10.1.0.65: Can't contact LDAP server Mar 19 11:52:34 xy01m005 perl: nss_ldap: failed to bind to LDAP server ldap://10.1.0.65: Can't contact LDAP server Mar 19 11:52:34 xy01m005 perl: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)... So these were valid messages that I needed to see... Paul. From sds at tycho.nsa.gov Mon Mar 19 13:09:25 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 19 Mar 2007 09:09:25 -0400 Subject: selinux policy change yields unbootable initrd In-Reply-To: <1174062001.3140.1.camel@metroid.rdu.redhat.com> References: <1174062001.3140.1.camel@metroid.rdu.redhat.com> Message-ID: <1174309765.22565.21.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote: > (See my other mail on the subject here: > http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html ) > > Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is > denying ldconfig permission to create symlinks in /tmp. mkinitrd uses > ldconfig to set up the symlinks in the initrd it creates (in a temp dir > under /tmp), so then nash won't load (missing ld-linux.so.2), so your > system won't boot. > > Here's the relevant info, triggered when installing a new kernel (which > runs mkinitrd): > > avc: denied { create } for comm="ldconfig" egid=0 euid=0 > exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 > name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 > sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file > tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0 We shouldn't allow ldconfig to create files with rpm_script_tmp_t (private temporary file type for rpm scriptlets), so something is wrong here. How is the parent directory created? -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Mon Mar 19 13:22:18 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 19 Mar 2007 09:22:18 -0400 Subject: selinux policy change yields unbootable initrd In-Reply-To: <1174069596.3140.17.camel@metroid.rdu.redhat.com> References: <1174062001.3140.1.camel@metroid.rdu.redhat.com> <1174068404.3094.11.camel@localhost.localdomain> <1174069596.3140.17.camel@metroid.rdu.redhat.com> Message-ID: <1174310538.22565.32.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2007-03-16 at 18:26 +0000, Will Woods wrote: > On Fri, 2007-03-16 at 14:06 -0400, Euman wrote: > > > Ive been following this issue on several other list and here is what > > seems to be the problem as far as some FedoraProject see's the issue.. > > > > Look at -> > > http://fedoraproject.org/wiki/F7Test2/ReleaseNotes > > > > -> > > [Problems with mkinitrd] > > > > they mention the rpm ordering issue and updating anaconda via an > > .img pkg > > That's a different bug. > > That bug is a problem with the installer trying to install the mkinitrd > package - it would sometimes get stuck in an infinite loop on 64-bit > machines. > > My problem is that the SELinux policy is denying mkinitrd some > permissions it needs to be able to create a working initrd. > > Or, rather, it *was* - it seems to work with selinux-policy-2.5.8-5.fc7. > The changelog mentions prelink, not ldconfig, so I'm not sure what > actually changed and whether the problem is really fixed or if I'm just > not seeing it now. > > How could I get a diff between the two policies? If you want a comparison of the actual kernel binary policies, you can use sediff from setools to display a semantic diff of them. -- Stephen Smalley National Security Agency From wwoods at redhat.com Mon Mar 19 20:21:21 2007 From: wwoods at redhat.com (Will Woods) Date: Mon, 19 Mar 2007 16:21:21 -0400 Subject: selinux policy change yields unbootable initrd In-Reply-To: <1174309765.22565.21.camel@moss-spartans.epoch.ncsc.mil> References: <1174062001.3140.1.camel@metroid.rdu.redhat.com> <1174309765.22565.21.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1174335681.3140.43.camel@metroid.rdu.redhat.com> On Mon, 2007-03-19 at 09:09 -0400, Stephen Smalley wrote: > On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote: > > Here's the relevant info, triggered when installing a new kernel > (which > > runs mkinitrd): > > > > avc: denied { create } for comm="ldconfig" egid=0 euid=0 > > exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 > > name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 > > sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file > > tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0 > > We shouldn't allow ldconfig to create files with rpm_script_tmp_t > (private temporary file type for rpm scriptlets), so something is > wrong here. How is the parent directory created? It's created by 'mktemp -d' in mkinitrd: MNTIMAGE=`mktemp -d ${TMPDIR}/initrd.XXXXXX` [create directory layout in $MNTIMAGE] mkdir -p $MNTIMAGE/lib/firmware [copy binaries and libraries into $MNTIMAGE] /sbin/ldconfig -r "$MNTIMAGE" This is running as part of the kernel RPM's %post script, so it makes some sense that the target would have a context of rpm_script_tmp_t. As you can see, mkinitrd *does* require that ldconfig be able to create symlinks with rpm_script_tmp_t (or some other tmp_t). Otherwise we end up with non-bootable initrds, which is what we're seeing in rawhide right now. -w -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From wwoods at redhat.com Mon Mar 19 21:48:46 2007 From: wwoods at redhat.com (Will Woods) Date: Mon, 19 Mar 2007 17:48:46 -0400 Subject: selinux policy change yields unbootable initrd In-Reply-To: <1174335681.3140.43.camel@metroid.rdu.redhat.com> References: <1174062001.3140.1.camel@metroid.rdu.redhat.com> <1174309765.22565.21.camel@moss-spartans.epoch.ncsc.mil> <1174335681.3140.43.camel@metroid.rdu.redhat.com> Message-ID: <1174340926.3140.47.camel@metroid.rdu.redhat.com> On Mon, 2007-03-19 at 16:21 -0400, Will Woods wrote: > As you can see, mkinitrd *does* require that ldconfig be able to create > symlinks with rpm_script_tmp_t (or some other tmp_t). Otherwise we end > up with non-bootable initrds, which is what we're seeing in rawhide > right now. dwalsh built a new selinux-policy package (2.5.8-8.fc7) which fixes this problem for me. The new package should be public in rawhide tomorrow, so we'll find out for sure if it's fixed then. Thanks for all your help, folks! -w -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From Euman at surry.net Wed Mar 21 01:53:00 2007 From: Euman at surry.net (Euman) Date: Tue, 20 Mar 2007 21:53:00 -0400 Subject: wondering ?? Message-ID: <1174441980.2833.3.camel@localhost.localdomain> Wondering when someone will fix the init issue for kernels past 1981.fc7 I cant figure it out, obviously. Would like to boot 2999.fc7 so its been a boog for awhile. -- Registered Linux User #380358 From mattdm at mattdm.org Wed Mar 21 02:11:17 2007 From: mattdm at mattdm.org (Matthew Miller) Date: Tue, 20 Mar 2007 22:11:17 -0400 Subject: wondering ?? In-Reply-To: <1174441980.2833.3.camel@localhost.localdomain> References: <1174441980.2833.3.camel@localhost.localdomain> Message-ID: <20070321021117.GA24829@jadzia.bu.edu> On Tue, Mar 20, 2007 at 09:53:00PM -0400, Euman wrote: > Wondering when someone will fix the init issue for kernels past 1981.fc7 > I cant figure it out, obviously. Would like to boot 2999.fc7 so its been > a boog for awhile. You mean , or just the thing where sometimes mkinitrd is blocked by selinux because the policy is out of sync? -- Matthew Miller mattdm at mattdm.org Boston University Linux ------> From dwalsh at redhat.com Wed Mar 21 03:30:35 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 20 Mar 2007 23:30:35 -0400 Subject: permitting execmod for a application In-Reply-To: References: <45F6F699.1080005@redhat.com> Message-ID: <4600A6DB.2080308@redhat.com> Till Maas wrote: > Daniel J Walsh wrote: > > >> execmod should only be required for a shared library. You can get >> selinux to allow this by executing >> >> chcon -t texrel_shlib_t PATHTOLIB >> > > Thanks, this works. > > >> If possible could you build the library to not require this type. >> > > Is there a guide how to do this? I.e. what normally leads to this problem > and to solve it without having to read a lot of selinux? I know, I should > read more about it, but I absolutely do not have so much time for this > right now :-( > > Regards, > Till > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > http://people.redhat.com/~drepper/selinux-mem.html explains the memory checks. I would advise you to install setroubleshoot which should help you with other selinux errors. From paul at city-fan.org Wed Mar 21 11:22:05 2007 From: paul at city-fan.org (Paul Howarth) Date: Wed, 21 Mar 2007 11:22:05 +0000 Subject: mount.cifs and credentials file In-Reply-To: <45FACEAB.6010700@gmail.com> References: <45F99971.6090007@gmail.com> <45FA5CFE.8050708@city-fan.org> <9aa7c6490703160544yc19088cr1644fd6950f6d1d4@mail.gmail.com> <45FA9932.5080706@city-fan.org> <45FACEAB.6010700@gmail.com> Message-ID: <4601155D.4030808@city-fan.org> Dawid Gajownik wrote: > Dnia 03/16/2007 02:18 PM, U?ytkownik Paul Howarth napisa?: >> Looking at the policy sources, I think it may be working for me >> because I have the allow_mount_anyfile boolean set > > You're right, changing this boolean to 'on' allowed to mount this > network share on system boot. Is there any other way to resolve this > problem? I would like not to relax to much SELinux policy. Alternative approach. Put the credentials file directly under /etc (or some new, private directory within /etc) and run "restorecon" on it, which should label it etc_t. Since /etc/fstab is etc_t and mount must be able to read *that*, it should be able to read the credentials file too. Paul. From gajownik at gmail.com Wed Mar 21 11:43:44 2007 From: gajownik at gmail.com (Dawid Gajownik) Date: Wed, 21 Mar 2007 12:43:44 +0100 Subject: mount.cifs and credentials file In-Reply-To: <4601155D.4030808@city-fan.org> References: <45F99971.6090007@gmail.com> <45FA5CFE.8050708@city-fan.org> <9aa7c6490703160544yc19088cr1644fd6950f6d1d4@mail.gmail.com> <45FA9932.5080706@city-fan.org> <45FACEAB.6010700@gmail.com> <4601155D.4030808@city-fan.org> Message-ID: <9aa7c6490703210443j7ff70727i8565c00f13434c08@mail.gmail.com> On 3/21/07, Paul Howarth wrote: > Alternative approach. Put the credentials file directly under /etc (or > some new, private directory within /etc) and run "restorecon" on it, > which should label it etc_t. Since /etc/fstab is etc_t and mount must be > able to read *that*, it should be able to read the credentials file too. Great! It works. Thanks! IMHO samba_selinux manpage should provide information about security context of credentials file(s). May someone fix it, please? Regards, Dawid From spng.yang at gmail.com Thu Mar 22 08:01:17 2007 From: spng.yang at gmail.com (Nerazzurri.YANG) Date: Thu, 22 Mar 2007 16:01:17 +0800 Subject: target policy 2.5.9-2 in fc7 prevent mono Message-ID: <460237CD.3010602@gmail.com> hi all, in fc7 rawhide, with target policy 2.5.9-2, will prevent mono from doing something. avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=55866 item=0 items=1 mode=0100644 name="make-it-fail" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3185/make-it-fail" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500 avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=55852 item=0 items=1 mode=0100600 name="mem" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3185/mem" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500 avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=55864 item=0 items=1 mode=0100644 name="oom_adj" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3185/oom_adj" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500 avc: denied { write } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=55865 item=0 items=1 mode=0100644 name="loginuid" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3185/loginuid" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500 avc: denied { setattr } for comm="beagled" cwd="/home/yangshao" dev=00:03 egid=500 euid=500 exe="/usr/bin/mono" exit=-13 fsgid=500 fsuid=500 gid=500 inode=160224 item=0 items=1 mode=0100644 name="oom_adj" obj=user_u:system_r:unconfined_t:s0 ogid=500 ouid=500 path="/proc/3117/oom_adj" pid=3091 rdev=00:00 scontext=user_u:system_r:mono_t:s0 sgid=500 subj=user_u:system_r:mono_t:s0 suid=500 tclass=file tcontext=user_u:system_r:unconfined_t:s0 tty=(none) uid=500 ...... as i know, this problem happens from target policy 2.5.8-8. i wrote a loadable module, after installing, such problems had not happened again until now. there is only a ".te" file in this module: " module mymono 1.0; require { type unconfined_t; type mono_t; class file { write setattr }; } #============= mono_t ============== allow mono_t unconfined_t:file { write setattr }; " can anyone can guide me if the '.te' file has something wrong. i know, in reference policy, we should use interface, but i am a newbie for selinux policy, i don't know how to begin writing policy using interface? From selinux at lucullo.it Tue Mar 27 14:26:53 2007 From: selinux at lucullo.it (selinux at lucullo.it) Date: Tue, 27 Mar 2007 15:26:53 +0100 Subject: Fwd: winbindd fc6 and selinux Message-ID: <460929ad.5b.5c52.855454767@webmailh3.aruba.it> Hi, can someone tell me if this is a security policy error? this is a piece of /var/log/messages kernel: audit(1175003984.841:87): avc: denied { unlink } for pid=2967 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=system_u:system_r:winbind_t:s0 tcontext=s ystem_u:object_r:samba_var_t:s0 tclass=sock_file Mar 27 15:59:44 francesca winbindd[2967]: [2007/03/27 15:59:44, 0] lib/util_sock.c:create_pipe_sock(1308) Mar 27 15:59:44 francesca winbindd[2967]: bind failed on pipe socket /var/cache/samba/winbindd_privileged/pipe: Address already in use how can i fix it? thank you in advance From selinux at lucullo.it Tue Mar 27 14:28:03 2007 From: selinux at lucullo.it (selinux at lucullo.it) Date: Tue, 27 Mar 2007 15:28:03 +0100 Subject: fc6 and samba Message-ID: <460929f3.274.5fc6.1741639592@webmailh3.aruba.it> hi, my samba installation on fc6 has some problems due to selinux. this is the issue: -------------------------------------------------------- Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): avc: denied { unlink } for pid=3414 comm="winbindd" name="pipe" dev=hda3 ino=9886377 scontext=root:system_r:winbind_t:s0 tcontext=syste m_u:object_r:samba_var_t:s0 tclass=sock_file Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27 16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308) Mar 27 16:14:11 francesca winbindd[3414]: bind failed on pipe socket /var/cache/samba/winbindd_privileged/pipe: Address already in use Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242) Mar 27 16:14:24 francesca smbd[3420]: get_md4pw: Workstation FRANCESCA$: no account in domain Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461) Mar 27 16:14:24 francesca smbd[3420]: _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29, 0] passdb/pdb_interface.c:pdb_default_create_user(368) Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): avc: denied { search } for pid=3422 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:o bject_r:bin_t:s0 tclass=dir Mar 27 16:14:29 francesca smbd[3421]: _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82 Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242) Mar 27 16:14:34 francesca smbd[3424]: get_md4pw: Workstation FRANCESCA$: no account in domain Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461) Mar 27 16:14:34 francesca smbd[3424]: _net_auth2: failed to get machine password for account FRANCESCA$: NT_STATUS_ACCESS_DENIED Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90): avc: denied { search } for pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:o bject_r:bin_t:s0 tclass=dir Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38, 0] passdb/pdb_interface.c:pdb_default_create_user(368) Mar 27 16:14:38 francesca smbd[3425]: _samr_create_user: Running the command `/usrbin/smbldap-useradd -w "francesca$"' gave 82 -------------------------------- and this is the samba commands: [root at francesca ~]# ls -Zla /usr/bin/smb* -rwxr-xr-x 1 system_u:object_r:bin_t root root 2112904 Feb 7 23:54 /usr/bin/smbcacls -rwxr-xr-x 1 system_u:object_r:bin_t root root 1184704 Feb 7 23:54 /usr/bin/smbclient -rwxr-xr-x 1 system_u:object_r:bin_t root root 748868 Feb 7 23:54 /usr/bin/smbcontrol -rwxr-xr-x 1 system_u:object_r:bin_t root root 2002924 Feb 7 23:54 /usr/bin/smbcquotas -rwxr-xr-x 1 system_u:object_r:bin_t root root 10240 Nov 21 17:21 /usr/bin/smbencrypt -rwxr-xr-x 1 system_u:object_r:bin_t root root 2080808 Feb 7 23:54 /usr/bin/smbget -rwxr-xr-x 1 system_u:object_r:bin_t root root 2006952 Feb 7 23:54 /usr/bin/smbpasswd -rwxr-xr-x 1 system_u:object_r:bin_t root root 2295 Feb 7 23:53 /usr/bin/smbprint -rwxr-xr-x 1 system_u:object_r:bin_t root root 913140 Feb 7 23:54 /usr/bin/smbspool -rwxr-xr-x 1 system_u:object_r:bin_t root root 728000 Feb 7 23:54 /usr/bin/smbstatus -rwxr-xr-x 1 system_u:object_r:bin_t root root 4896 Feb 7 23:53 /usr/bin/smbtar -rwxr-xr-x 1 system_u:object_r:bin_t root root 1093408 Feb 7 23:54 /usr/bin/smbtree how can i fix this problem? thank you in advance. vittorio From dwalsh at redhat.com Tue Mar 27 15:22:54 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Mar 2007 11:22:54 -0400 Subject: fc6 and samba In-Reply-To: <460929f3.274.5fc6.1741639592@webmailh3.aruba.it> References: <460929f3.274.5fc6.1741639592@webmailh3.aruba.it> Message-ID: <460936CE.8030403@redhat.com> selinux at lucullo.it wrote: > hi, > > my samba installation on fc6 has some problems due to > selinux. > > this is the issue: > > > > -------------------------------------------------------- > > Mar 27 16:14:11 francesca kernel: audit(1175004851.436:88): > avc: denied { unlink } for pid=3414 comm="winbindd" > name="pipe" dev=hda3 ino=9886377 > scontext=root:system_r:winbind_t:s0 tcontext=syste > m_u:object_r:samba_var_t:s0 tclass=sock_file > Mar 27 16:14:11 francesca winbindd[3414]: [2007/03/27 > 16:14:11, 0] lib/util_sock.c:create_pipe_sock(1308) > Mar 27 16:14:11 francesca winbindd[3414]: bind failed on > pipe socket /var/cache/samba/winbindd_privileged/pipe: > Address already in use > Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, > 0] rpc_server/srv_netlog_nt.c:get_md4pw(242) > Mar 27 16:14:24 francesca smbd[3420]: get_md4pw: > Workstation FRANCESCA$: no account in domain > Mar 27 16:14:24 francesca smbd[3420]: [2007/03/27 16:14:24, > 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461) > Mar 27 16:14:24 francesca smbd[3420]: _net_auth2: failed > to get machine password for account FRANCESCA$: > NT_STATUS_ACCESS_DENIED > Mar 27 16:14:29 francesca smbd[3421]: [2007/03/27 16:14:29, > 0] passdb/pdb_interface.c:pdb_default_create_user(368) > Mar 27 16:14:29 francesca kernel: audit(1175004869.820:89): > avc: denied { search } for pid=3422 comm="smbd" > name="bin" dev=hda2 ino=928929 > scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:o > bject_r:bin_t:s0 tclass=dir > Mar 27 16:14:29 francesca smbd[3421]: _samr_create_user: > Running the command `/usrbin/smbldap-useradd -w > "francesca$"' gave 82 > Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, > 0] rpc_server/srv_netlog_nt.c:get_md4pw(242) > Mar 27 16:14:34 francesca smbd[3424]: get_md4pw: > Workstation FRANCESCA$: no account in domain > Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 16:14:34, > 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461) > Mar 27 16:14:34 francesca smbd[3424]: _net_auth2: failed > to get machine password for account FRANCESCA$: > NT_STATUS_ACCESS_DENIED > Mar 27 16:14:38 francesca kernel: audit(1175004878.895:90): > avc: denied { search } for pid=3426 comm="smbd" > name="bin" dev=hda2 ino=928929 > scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:o > bject_r:bin_t:s0 tclass=dir > Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 16:14:38, > 0] passdb/pdb_interface.c:pdb_default_create_user(368) > Mar 27 16:14:38 francesca smbd[3425]: _samr_create_user: > Running the command `/usrbin/smbldap-useradd -w > "francesca$"' gave 82 > -------------------------------- > > > and this is the samba commands: > > [root at francesca ~]# ls -Zla /usr/bin/smb* > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 2112904 Feb 7 23:54 /usr/bin/smbcacls > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 1184704 Feb 7 23:54 /usr/bin/smbclient > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 748868 Feb 7 23:54 /usr/bin/smbcontrol > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 2002924 Feb 7 23:54 /usr/bin/smbcquotas > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 10240 Nov 21 17:21 /usr/bin/smbencrypt > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 2080808 Feb 7 23:54 /usr/bin/smbget > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 2006952 Feb 7 23:54 /usr/bin/smbpasswd > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 2295 Feb 7 23:53 /usr/bin/smbprint > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 913140 Feb 7 23:54 /usr/bin/smbspool > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 728000 Feb 7 23:54 /usr/bin/smbstatus > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 4896 Feb 7 23:53 /usr/bin/smbtar > -rwxr-xr-x 1 system_u:object_r:bin_t root root > 1093408 Feb 7 23:54 /usr/bin/smbtree > > how can i fix this problem? > > thank you in advance. > > vittorio > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Easiest thing to do is to create a loadable policy module and install it. You can do this with the following commands. audit2allow -i /var/log/audit/audit.log -M mysamba semodule -i mysamba.pp This will add the following two rules to policy allow smbd_t bin_t:dir search; # WHICH I HAVE ALREADY ADDED TO THE NEXT FC6 UPDATE. #============= winbind_t ============== allow winbind_t samba_var_t:sock_file unlink; # THIS IS CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN THE NEXT UPDATE. selinux-policy-2.4.6-48 From dwalsh at redhat.com Tue Mar 27 15:24:09 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Mar 2007 11:24:09 -0400 Subject: Fwd: winbindd fc6 and selinux In-Reply-To: <460929ad.5b.5c52.855454767@webmailh3.aruba.it> References: <460929ad.5b.5c52.855454767@webmailh3.aruba.it> Message-ID: <46093719.9080108@redhat.com> selinux at lucullo.it wrote: > Hi, > > can someone tell me if this is a security policy error? > > this is a piece of /var/log/messages > > kernel: audit(1175003984.841:87): avc: denied { unlink } > for pid=2967 comm="winbindd" name="pipe" dev=hda3 > ino=9886377 scontext=system_u:system_r:winbind_t:s0 > tcontext=s > ystem_u:object_r:samba_var_t:s0 tclass=sock_file > Mar 27 15:59:44 francesca winbindd[2967]: [2007/03/27 > 15:59:44, 0] lib/util_sock.c:create_pipe_sock(1308) > Mar 27 15:59:44 francesca winbindd[2967]: bind failed on > pipe socket /var/cache/samba/winbindd_privileged/pipe: > Address already in use > > how can i fix it? > > thank you in advance > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > This looks like a labeling problem /var/cache/samba/winbindd_privileged/pipe restorecon -R -v /var/cache/samba From selinux at lucullo.it Tue Mar 27 16:51:34 2007 From: selinux at lucullo.it (selinux at lucullo.it) Date: Tue, 27 Mar 2007 17:51:34 +0100 Subject: fc6 and samba Message-ID: <46094b96.2ea.165f.1307156977@webmailh5.aruba.it> thank you.. i will try right now... ...but i have a question about the ls -Z command: can i change the security context of these files /usr/bin/smb* that changing the policy rules instead? thank you again ----- Original Message ----- Da : Daniel J Walsh A : "selinux at lucullo.it" Cc: fedora-selinux-list at redhat.com Oggetto : Re: fc6 and samba Data : Tue, 27 Mar 2007 11:22:54 -0400 > selinux at lucullo.it wrote: > > hi, > > > > my samba installation on fc6 has some problems due to > > selinux. > > > > this is the issue: > > > > > > > > -------------------------------------------------------- > > > > Mar 27 16:14:11 francesca kernel: > > audit(1175004851.436:88): avc: denied { unlink } for > > pid=3414 comm="winbindd" name="pipe" dev=hda3 > > ino=9886377 scontext=root:system_r:winbind_t:s0 > > tcontext=syste m_u:object_r:samba_var_t:s0 > > tclass=sock_file Mar 27 16:14:11 francesca > > winbindd[3414]: [2007/03/27 16:14:11, 0] > > lib/util_sock.c:create_pipe_sock(1308) Mar 27 16:14:11 > > francesca winbindd[3414]: bind failed on pipe socket > > /var/cache/samba/winbindd_privileged/pipe: Address > > already in use Mar 27 16:14:24 francesca smbd[3420]: > > [2007/03/27 16:14:24, 0] > > rpc_server/srv_netlog_nt.c:get_md4pw(242) Mar 27 > > 16:14:24 francesca smbd[3420]: get_md4pw: Workstation > > FRANCESCA$: no account in domain Mar 27 16:14:24 > > francesca smbd[3420]: [2007/03/27 16:14:24, 0] > > rpc_server/srv_netlog_nt.c:_net_auth_2(461) Mar 27 > > 16:14:24 francesca smbd[3420]: _net_auth2: failed to > > get machine password for account FRANCESCA$: > > NT_STATUS_ACCESS_DENIED Mar 27 16:14:29 francesca > > smbd[3421]: [2007/03/27 16:14:29, 0] > > passdb/pdb_interface.c:pdb_default_create_user(368) Mar > > 27 16:14:29 francesca kernel: audit(1175004869.820:89): > > avc: denied { search } for pid=3422 comm="smbd" > > name="bin" dev=hda2 ino=928929 > > scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:o > > bject_r:bin_t:s0 tclass=dir Mar 27 16:14:29 francesca > > smbd[3421]: _samr_create_user: Running the command > > `/usrbin/smbldap-useradd -w "francesca$"' gave 82 > > Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 > > 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242) > > Mar 27 16:14:34 francesca smbd[3424]: get_md4pw: > > Workstation FRANCESCA$: no account in domain > > Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 > > 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461) > > Mar 27 16:14:34 francesca smbd[3424]: _net_auth2: > > failed to get machine password for account FRANCESCA$: > > NT_STATUS_ACCESS_DENIED > > Mar 27 16:14:38 francesca kernel: > > audit(1175004878.895:90): avc: denied { search } for > > pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 > > scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:o > > bject_r:bin_t:s0 tclass=dir > > Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 > > 16:14:38, 0] > > passdb/pdb_interface.c:pdb_default_create_user(368) Mar > > 27 16:14:38 francesca smbd[3425]: _samr_create_user: > > Running the command `/usrbin/smbldap-useradd -w > > "francesca$"' gave 82 -------------------------------- > > > > > > and this is the samba commands: > > > > [root at francesca ~]# ls -Zla /usr/bin/smb* > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 2112904 Feb 7 23:54 /usr/bin/smbcacls > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 1184704 Feb 7 23:54 /usr/bin/smbclient > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 748868 Feb 7 23:54 /usr/bin/smbcontrol > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 2002924 Feb 7 23:54 /usr/bin/smbcquotas > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 10240 Nov 21 17:21 /usr/bin/smbencrypt > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 2080808 Feb 7 23:54 /usr/bin/smbget > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 2006952 Feb 7 23:54 /usr/bin/smbpasswd > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 2295 Feb 7 23:53 /usr/bin/smbprint > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 913140 Feb 7 23:54 /usr/bin/smbspool > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 728000 Feb 7 23:54 /usr/bin/smbstatus > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 4896 Feb 7 23:53 /usr/bin/smbtar > > -rwxr-xr-x 1 system_u:object_r:bin_t root root > > 1093408 Feb 7 23:54 /usr/bin/smbtree > > > > how can i fix this problem? > > > > thank you in advance. > > > > vittorio > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > Easiest thing to do is to create a loadable policy module > and install it. You can do this with the following > commands. > > audit2allow -i /var/log/audit/audit.log -M mysamba > semodule -i mysamba.pp > > This will add the following two rules to policy > > allow smbd_t bin_t:dir search; # WHICH I HAVE ALREADY > ADDED TO THE NEXT FC6 UPDATE. > > #============= winbind_t ============== > allow winbind_t samba_var_t:sock_file unlink; # THIS IS > CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN > THE NEXT UPDATE. > > selinux-policy-2.4.6-48 > > > > > > From justin.conover at gmail.com Tue Mar 27 17:49:40 2007 From: justin.conover at gmail.com (Justin Conover) Date: Tue, 27 Mar 2007 12:49:40 -0500 Subject: selinux problem building dbus Message-ID: On rawhide I was building garnome and dbus was failing with the following: make[5]: Entering directory `/home/justin/downloads/garnome-2.18.0/freedesktop/dbus/work/main.d/dbus- 1.0.2/bus' if cc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -DDAEMON_NAME=\"dbus-daemon\" -DDBUS_COMPILATION -DDBUS_SYSTEM_CONFIG_FILE=\""/home/justin/garnome/etc/dbus-1/system.conf"\" -DDBUS_SESSION_CONFIG_FILE=\""/home/justin/garnome/etc/dbus-1/session.conf"\" -I/home/justin/garnome/include -I/home/justin/garnome/include -L/home/justin/garnome/lib -O2 -pipe -Wall -Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wcast-align -Wsign-compare -Wdeclaration-after-statement -fno-common -fPIC -MT selinux.o -MD -MP -MF ".deps/selinux.Tpo" -c -o selinux.o selinux.c; \ then mv -f ".deps/selinux.Tpo" ".deps/selinux.Po"; else rm -f ".deps/selinux.Tpo"; exit 1; fi In file included from selinux.c:37: /usr/include/selinux/avc.h:307: error: expected ')' before 'event' /usr/include/selinux/avc.h:311: error: expected ';', ',' or ')' before 'uint32_t' selinux.c: In function 'bus_selinux_full_init': selinux.c:309: warning: implicit declaration of function 'avc_add_callback' selinux.c:309: warning: nested extern declaration of 'avc_add_callback' make[5]: *** [selinux.o] Error 1 make[5]: Leaving directory `/home/justin/downloads/garnome- 2.18.0 /freedesktop/dbus/work/main.d/dbus-1.0.2/bus' make[4]: *** [all-recursive] Error 1 make[4]: Leaving directory `/home/justin/downloads/garnome-2.18.0 /freedesktop/dbus/work/main.d/dbus-1.0.2' make[3]: *** [all] Error 2 make[3]: Leaving directory `/home/justin/downloads/garnome-2.18.0 /freedesktop/dbus/work/main.d/dbus-1.0.2' make[2]: *** [build-work/main.d/dbus-1.0.2/Makefile] Error 2 make[2]: Leaving directory `/home/justin/downloads/garnome- 2.18.0 /freedesktop/dbus' make[1]: *** [../../freedesktop/dbus/cookies/main.d/install] Error 2 make[1]: Leaving directory `/home/justin/downloads/garnome-2.18.0 /platform/gnome-vfs' make: *** [../../platform/gnome-vfs/cookies/main.d/install] Error 2 Joseph helped me track it down to this: # diff -u /usr/include/selinux/avc.h /usr/include/selinux/avc.h.orig --- /usr/include/selinux/avc.h 2007-03-27 12:42:21.000000000 -0500 +++ /usr/include/selinux/avc.h.orig 2007-03-27 12:41:21.000000000 -0500 @@ -304,11 +304,11 @@ * -%1 if insufficient memory exists to add the callback. */ int avc_add_callback(int (*callback) - (u_int32_t event, security_id_t ssid, + (uint32_t event, security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t perms, access_vector_t * out_retained), - u_int32_t events, security_id_t ssid, + uint32_t events, security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t perms); Was this a change on purpose or should I open a bug against libselinux-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From sds at tycho.nsa.gov Tue Mar 27 17:55:45 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 27 Mar 2007 13:55:45 -0400 Subject: selinux problem building dbus In-Reply-To: References: Message-ID: <1175018145.3864.397.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2007-03-27 at 12:49 -0500, Justin Conover wrote: > On rawhide I was building garnome and dbus was failing with the > following: > > make[5]: Entering directory `/home/justin/downloads > /garnome-2.18.0/freedesktop/dbus/work/main.d/dbus- 1.0.2/bus' > if cc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -DDAEMON_NAME=\"dbus-daemon\" > -DDBUS_COMPILATION -DDBUS_SYSTEM_CONFIG_FILE= > \""/home/justin/garnome/etc/dbus-1/system.conf"\" > -DDBUS_SESSION_CONFIG_FILE= > \""/home/justin/garnome/etc/dbus-1/session.conf"\" > -I/home/justin/garnome/include -I/home/justin/garnome/include > -L/home/justin/garnome/lib -O2 -pipe -Wall -Wchar-subscripts > -Wmissing-declarations -Wmissing-prototypes -Wnested-externs > -Wpointer-arith -Wcast-align -Wsign-compare > -Wdeclaration-after-statement -fno-common -fPIC -MT selinux.o -MD -MP > -MF ".deps/selinux.Tpo" -c -o selinux.o selinux.c; \ > then mv -f ".deps/selinux.Tpo" ".deps/selinux.Po"; else rm -f > ".deps/selinux.Tpo"; exit 1; fi > In file included from selinux.c:37: > /usr/include/selinux/avc.h:307: error: expected ')' before 'event' > /usr/include/selinux/avc.h:311: error: expected ';', ',' or ')' before > 'uint32_t' > selinux.c: In function 'bus_selinux_full_init': > selinux.c:309: warning: implicit declaration of function > 'avc_add_callback' > selinux.c:309: warning: nested extern declaration of > 'avc_add_callback' > make[5]: *** [selinux.o] Error 1 > make[5]: Leaving directory `/home/justin/downloads/garnome- > 2.18.0/freedesktop/dbus/work/main.d/dbus-1.0.2/bus' > make[4]: *** [all-recursive] Error 1 > make[4]: Leaving directory > `/home/justin/downloads/garnome-2.18.0/freedesktop/dbus/work/main.d/dbus-1.0.2' > make[3]: *** [all] Error 2 > make[3]: Leaving directory > `/home/justin/downloads/garnome-2.18.0/freedesktop/dbus/work/main.d/dbus-1.0.2' > make[2]: *** [build-work/main.d/dbus-1.0.2/Makefile] Error 2 > make[2]: Leaving directory `/home/justin/downloads/garnome- > 2.18.0/freedesktop/dbus' > make[1]: *** [../../freedesktop/dbus/cookies/main.d/install] Error 2 > make[1]: Leaving directory > `/home/justin/downloads/garnome-2.18.0/platform/gnome-vfs' > make: *** [../../platform/gnome-vfs/cookies/main.d/install] Error 2 > > Joseph helped me track it down to this: > > # diff -u /usr/include/selinux/avc.h /usr/include/selinux/avc.h.orig > --- /usr/include/selinux/avc.h 2007-03-27 12:42:21.000000000 -0500 > +++ /usr/include/selinux/avc.h.orig 2007-03-27 12:41: 21.000000000 > -0500 > @@ -304,11 +304,11 @@ > * -%1 if insufficient memory exists to add the callback. > */ > int avc_add_callback(int (*callback) > - (u_int32_t event, security_id_t ssid, > + (uint32_t event, security_id_t ssid, > security_id_t tsid, security_class_t > tclass, > access_vector_t perms, > access_vector_t * out_retained), > - u_int32_t events, security_id_t ssid, > + uint32_t events, security_id_t ssid, > security_id_t tsid, security_class_t > tclass, > access_vector_t perms); > > Was this a change on purpose or should I open a bug against > libselinux-devel Should already be fixed in the latest one (adds a #include to avc.h). The types were all converted over to the stdint forms. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Wed Mar 28 18:54:20 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 28 Mar 2007 14:54:20 -0400 Subject: fc6 and samba In-Reply-To: <46094b96.2ea.165f.1307156977@webmailh5.aruba.it> References: <46094b96.2ea.165f.1307156977@webmailh5.aruba.it> Message-ID: <460AB9DC.5090107@redhat.com> selinux at lucullo.it wrote: > thank you.. i will try right now... > > ...but i have a question about the ls -Z command: > > can i change the security context of these files > > /usr/bin/smb* > > > Yes but that will not necessarily fix your problem. If you chcon -t bin_t, they will no longer transition and SELinux will not effect them. But this could cause other applications that use winbind or samba some problems. > that changing the policy rules instead? > > thank you again > > > ----- Original Message ----- > Da : Daniel J Walsh > A : "selinux at lucullo.it" > Cc: fedora-selinux-list at redhat.com > Oggetto : Re: fc6 and samba > Data : Tue, 27 Mar 2007 11:22:54 -0400 > > >> selinux at lucullo.it wrote: >> >>> hi, >>> >>> my samba installation on fc6 has some problems due to >>> selinux. >>> >>> this is the issue: >>> >>> >>> >>> -------------------------------------------------------- >>> >>> Mar 27 16:14:11 francesca kernel: >>> audit(1175004851.436:88): avc: denied { unlink } for >>> pid=3414 comm="winbindd" name="pipe" dev=hda3 >>> ino=9886377 scontext=root:system_r:winbind_t:s0 >>> tcontext=syste m_u:object_r:samba_var_t:s0 >>> tclass=sock_file Mar 27 16:14:11 francesca >>> winbindd[3414]: [2007/03/27 16:14:11, 0] >>> lib/util_sock.c:create_pipe_sock(1308) Mar 27 16:14:11 >>> francesca winbindd[3414]: bind failed on pipe socket >>> /var/cache/samba/winbindd_privileged/pipe: Address >>> already in use Mar 27 16:14:24 francesca smbd[3420]: >>> [2007/03/27 16:14:24, 0] >>> rpc_server/srv_netlog_nt.c:get_md4pw(242) Mar 27 >>> 16:14:24 francesca smbd[3420]: get_md4pw: Workstation >>> FRANCESCA$: no account in domain Mar 27 16:14:24 >>> francesca smbd[3420]: [2007/03/27 16:14:24, 0] >>> rpc_server/srv_netlog_nt.c:_net_auth_2(461) Mar 27 >>> 16:14:24 francesca smbd[3420]: _net_auth2: failed to >>> get machine password for account FRANCESCA$: >>> NT_STATUS_ACCESS_DENIED Mar 27 16:14:29 francesca >>> smbd[3421]: [2007/03/27 16:14:29, 0] >>> passdb/pdb_interface.c:pdb_default_create_user(368) Mar >>> 27 16:14:29 francesca kernel: audit(1175004869.820:89): >>> avc: denied { search } for pid=3422 comm="smbd" >>> name="bin" dev=hda2 ino=928929 >>> scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:o >>> bject_r:bin_t:s0 tclass=dir Mar 27 16:14:29 francesca >>> smbd[3421]: _samr_create_user: Running the command >>> `/usrbin/smbldap-useradd -w "francesca$"' gave 82 >>> Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 >>> 16:14:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242) >>> Mar 27 16:14:34 francesca smbd[3424]: get_md4pw: >>> Workstation FRANCESCA$: no account in domain >>> Mar 27 16:14:34 francesca smbd[3424]: [2007/03/27 >>> 16:14:34, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461) >>> Mar 27 16:14:34 francesca smbd[3424]: _net_auth2: >>> failed to get machine password for account FRANCESCA$: >>> NT_STATUS_ACCESS_DENIED >>> Mar 27 16:14:38 francesca kernel: >>> audit(1175004878.895:90): avc: denied { search } for >>> pid=3426 comm="smbd" name="bin" dev=hda2 ino=928929 >>> scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:o >>> bject_r:bin_t:s0 tclass=dir >>> Mar 27 16:14:38 francesca smbd[3425]: [2007/03/27 >>> 16:14:38, 0] >>> passdb/pdb_interface.c:pdb_default_create_user(368) Mar >>> 27 16:14:38 francesca smbd[3425]: _samr_create_user: >>> Running the command `/usrbin/smbldap-useradd -w >>> "francesca$"' gave 82 -------------------------------- >>> >>> >>> and this is the samba commands: >>> >>> [root at francesca ~]# ls -Zla /usr/bin/smb* >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 2112904 Feb 7 23:54 /usr/bin/smbcacls >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 1184704 Feb 7 23:54 /usr/bin/smbclient >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 748868 Feb 7 23:54 /usr/bin/smbcontrol >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 2002924 Feb 7 23:54 /usr/bin/smbcquotas >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 10240 Nov 21 17:21 /usr/bin/smbencrypt >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 2080808 Feb 7 23:54 /usr/bin/smbget >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 2006952 Feb 7 23:54 /usr/bin/smbpasswd >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 2295 Feb 7 23:53 /usr/bin/smbprint >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 913140 Feb 7 23:54 /usr/bin/smbspool >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 728000 Feb 7 23:54 /usr/bin/smbstatus >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 4896 Feb 7 23:53 /usr/bin/smbtar >>> -rwxr-xr-x 1 system_u:object_r:bin_t root root >>> 1093408 Feb 7 23:54 /usr/bin/smbtree >>> >>> how can i fix this problem? >>> >>> thank you in advance. >>> >>> vittorio >>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> >>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>> >>> >> Easiest thing to do is to create a loadable policy module >> and install it. You can do this with the following >> commands. >> >> audit2allow -i /var/log/audit/audit.log -M mysamba >> semodule -i mysamba.pp >> >> This will add the following two rules to policy >> >> allow smbd_t bin_t:dir search; # WHICH I HAVE ALREADY >> ADDED TO THE NEXT FC6 UPDATE. >> >> #============= winbind_t ============== >> allow winbind_t samba_var_t:sock_file unlink; # THIS IS >> CAUSED BY A LABELING PROBLEM, WHICH WILL ALSO BE FIXED IN >> THE NEXT UPDATE. >> >> selinux-policy-2.4.6-48 >> >> >> >> >> >> >> > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From spng.yang at gmail.com Thu Mar 29 11:43:57 2007 From: spng.yang at gmail.com (Ken YANG) Date: Thu, 29 Mar 2007 19:43:57 +0800 Subject: "HASHTAB_OVERFLOW" undeclared In-Reply-To: <1175166411.3864.504.camel@moss-spartans.epoch.ncsc.mil> References: <460B2925.1080403@gmail.com> <1175166411.3864.504.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <460BA67D.40807@gmail.com> Stephen Smalley wrote: > On Thu, 2007-03-29 at 10:49 +0800, Ken YANG wrote: >> i want to use findcon to find a type "tmpfs_t". >> but in FC, there is setools* package contaning findcon. >> i find that secmds(findcon) is in setools-console subpackage >> why fc has not this subpackage? > > That's a question for Dan Walsh (cc'd above) or fedora-selinux-list. ok, i have cc to fedora-selinux-list > >> i down a setools-3.1-1.src.rpm from tresys site, and encounter >> a build error: >> >> policy_extend.c: In function 'qpol_policy_build_attrs_from_map': >> policy_extend.c:170: error: 'HASHTAB_OVERFLOW' undeclared (first use in >> this function) >> policy_extend.c:170: error: (Each undeclared identifier is reported only >> once >> policy_extend.c:170: error: for each function it appears in.) >> policy_extend.c: In function 'qpol_policy_fill_attr_holes': >> policy_extend.c:246: error: 'HASHTAB_OVERFLOW' undeclared (first use in >> this function) >> make[4]: *** [policy_extend.o] Error 1 >> make[4]: Leaving directory >> `/workbench/rpmbuild/BUILD/setools-3.1/libqpol/src' >> >> >> i have not find "HASHTAB_OVERFLOW" in selinux trunk, especially in >> libsepol. where is this symbol defined? > > Those error codes were replaced by standard ones > (include/sepol/errcodes.h) in the trunk version of libsepol, so you > would need to build setools against the stable branch version of > libsepol until they update setools. thank you. i play some tricks on the setools :-) in the spec file of setools-3.1-3.fc7, i find "findcon" and other cmds had been removed: rm -f ${RPM_BUILD_ROOT}/usr/bin/findcon rm -f ${RPM_BUILD_ROOT}/usr/bin/replcon rm -f ${RPM_BUILD_ROOT}/usr/bin/searchcon rm -f ${RPM_BUILD_ROOT}/usr/bin/indexcon rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/searchcon.1 rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/indexcon.1 rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/replcon.1 rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/findcon.1 rm -rf ${RPM_BUILD_ROOT}%{_includedir}/libsefs/sqlite so i comment "findcon relative" items, and add corresponding items in "files" list. it seems that this kind of "findcon" works. this is a temporary method, i just want to use findcon to search certain context > >> by the way, i want checkout setools and try again, but tresys "open >> source project" site can not access, maybe is temporary :-) > > Appears to be up now. > From sds at tycho.nsa.gov Thu Mar 29 11:55:56 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 29 Mar 2007 07:55:56 -0400 Subject: "HASHTAB_OVERFLOW" undeclared In-Reply-To: <460BA67D.40807@gmail.com> References: <460B2925.1080403@gmail.com> <1175166411.3864.504.camel@moss-spartans.epoch.ncsc.mil> <460BA67D.40807@gmail.com> Message-ID: <1175169356.3864.523.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2007-03-29 at 19:43 +0800, Ken YANG wrote: > Stephen Smalley wrote: > > On Thu, 2007-03-29 at 10:49 +0800, Ken YANG wrote: > >> i want to use findcon to find a type "tmpfs_t". > >> but in FC, there is setools* package contaning findcon. > >> i find that secmds(findcon) is in setools-console subpackage > >> why fc has not this subpackage? > > > > That's a question for Dan Walsh (cc'd above) or fedora-selinux-list. > > ok, i have cc to fedora-selinux-list > > > > >> i down a setools-3.1-1.src.rpm from tresys site, and encounter > >> a build error: > >> > >> policy_extend.c: In function 'qpol_policy_build_attrs_from_map': > >> policy_extend.c:170: error: 'HASHTAB_OVERFLOW' undeclared (first use in > >> this function) > >> policy_extend.c:170: error: (Each undeclared identifier is reported only > >> once > >> policy_extend.c:170: error: for each function it appears in.) > >> policy_extend.c: In function 'qpol_policy_fill_attr_holes': > >> policy_extend.c:246: error: 'HASHTAB_OVERFLOW' undeclared (first use in > >> this function) > >> make[4]: *** [policy_extend.o] Error 1 > >> make[4]: Leaving directory > >> `/workbench/rpmbuild/BUILD/setools-3.1/libqpol/src' > >> > >> > >> i have not find "HASHTAB_OVERFLOW" in selinux trunk, especially in > >> libsepol. where is this symbol defined? > > > > Those error codes were replaced by standard ones > > (include/sepol/errcodes.h) in the trunk version of libsepol, so you > > would need to build setools against the stable branch version of > > libsepol until they update setools. > > thank you. > > i play some tricks on the setools :-) > > in the spec file of setools-3.1-3.fc7, i find "findcon" and other cmds > had been removed: > > rm -f ${RPM_BUILD_ROOT}/usr/bin/findcon > rm -f ${RPM_BUILD_ROOT}/usr/bin/replcon > rm -f ${RPM_BUILD_ROOT}/usr/bin/searchcon > rm -f ${RPM_BUILD_ROOT}/usr/bin/indexcon > rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/searchcon.1 > rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/indexcon.1 > rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/replcon.1 > rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/findcon.1 > rm -rf ${RPM_BUILD_ROOT}%{_includedir}/libsefs/sqlite > > > so i comment "findcon relative" items, and add corresponding items > in "files" list. > > it seems that this kind of "findcon" works. > > this is a temporary method, i just want to use findcon to search > certain context How does it differ from find . -context ...? -- Stephen Smalley National Security Agency From spng.yang at gmail.com Fri Mar 30 02:28:45 2007 From: spng.yang at gmail.com (Ken YANG) Date: Fri, 30 Mar 2007 10:28:45 +0800 Subject: "HASHTAB_OVERFLOW" undeclared In-Reply-To: <1175169356.3864.523.camel@moss-spartans.epoch.ncsc.mil> References: <460B2925.1080403@gmail.com> <1175166411.3864.504.camel@moss-spartans.epoch.ncsc.mil> <460BA67D.40807@gmail.com> <1175169356.3864.523.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <460C75DD.1030204@gmail.com> Stephen Smalley wrote: > On Thu, 2007-03-29 at 19:43 +0800, Ken YANG wrote: >> Stephen Smalley wrote: >>> On Thu, 2007-03-29 at 10:49 +0800, Ken YANG wrote: >>>> i want to use findcon to find a type "tmpfs_t". >>>> but in FC, there is setools* package contaning findcon. >>>> i find that secmds(findcon) is in setools-console subpackage >>>> why fc has not this subpackage? >>> That's a question for Dan Walsh (cc'd above) or fedora-selinux-list. >> ok, i have cc to fedora-selinux-list >> >>>> i down a setools-3.1-1.src.rpm from tresys site, and encounter >>>> a build error: >>>> >>>> policy_extend.c: In function 'qpol_policy_build_attrs_from_map': >>>> policy_extend.c:170: error: 'HASHTAB_OVERFLOW' undeclared (first use in >>>> this function) >>>> policy_extend.c:170: error: (Each undeclared identifier is reported only >>>> once >>>> policy_extend.c:170: error: for each function it appears in.) >>>> policy_extend.c: In function 'qpol_policy_fill_attr_holes': >>>> policy_extend.c:246: error: 'HASHTAB_OVERFLOW' undeclared (first use in >>>> this function) >>>> make[4]: *** [policy_extend.o] Error 1 >>>> make[4]: Leaving directory >>>> `/workbench/rpmbuild/BUILD/setools-3.1/libqpol/src' >>>> >>>> >>>> i have not find "HASHTAB_OVERFLOW" in selinux trunk, especially in >>>> libsepol. where is this symbol defined? >>> Those error codes were replaced by standard ones >>> (include/sepol/errcodes.h) in the trunk version of libsepol, so you >>> would need to build setools against the stable branch version of >>> libsepol until they update setools. >> thank you. >> >> i play some tricks on the setools :-) >> >> in the spec file of setools-3.1-3.fc7, i find "findcon" and other cmds >> had been removed: >> >> rm -f ${RPM_BUILD_ROOT}/usr/bin/findcon >> rm -f ${RPM_BUILD_ROOT}/usr/bin/replcon >> rm -f ${RPM_BUILD_ROOT}/usr/bin/searchcon >> rm -f ${RPM_BUILD_ROOT}/usr/bin/indexcon >> rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/searchcon.1 >> rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/indexcon.1 >> rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/replcon.1 >> rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/findcon.1 >> rm -rf ${RPM_BUILD_ROOT}%{_includedir}/libsefs/sqlite >> >> >> so i comment "findcon relative" items, and add corresponding items >> in "files" list. >> >> it seems that this kind of "findcon" works. >> >> this is a temporary method, i just want to use findcon to search >> certain context > > How does it differ from find . -context ...? actually, i forgot it also can be done by "find" :-)) for my purpose, find certaindir -context "tmpfs_t" is same with findcon. but maybe these commands, such as indexcon, will be useful for diagnosing problem in another machine, as said by Christopher j. PeBenito in selinux list > From dwalsh at redhat.com Fri Mar 30 14:57:20 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 30 Mar 2007 10:57:20 -0400 Subject: "HASHTAB_OVERFLOW" undeclared In-Reply-To: <460C75DD.1030204@gmail.com> References: <460B2925.1080403@gmail.com> <1175166411.3864.504.camel@moss-spartans.epoch.ncsc.mil> <460BA67D.40807@gmail.com> <1175169356.3864.523.camel@moss-spartans.epoch.ncsc.mil> <460C75DD.1030204@gmail.com> Message-ID: <460D2550.3010000@redhat.com> Ken YANG wrote: > Stephen Smalley wrote: >> On Thu, 2007-03-29 at 19:43 +0800, Ken YANG wrote: >>> Stephen Smalley wrote: >>>> On Thu, 2007-03-29 at 10:49 +0800, Ken YANG wrote: >>>>> i want to use findcon to find a type "tmpfs_t". >>>>> but in FC, there is setools* package contaning findcon. >>>>> i find that secmds(findcon) is in setools-console subpackage >>>>> why fc has not this subpackage? >>>> That's a question for Dan Walsh (cc'd above) or fedora-selinux-list. >>> ok, i have cc to fedora-selinux-list >>> >>>>> i down a setools-3.1-1.src.rpm from tresys site, and encounter >>>>> a build error: >>>>> >>>>> policy_extend.c: In function 'qpol_policy_build_attrs_from_map': >>>>> policy_extend.c:170: error: 'HASHTAB_OVERFLOW' undeclared (first >>>>> use in this function) >>>>> policy_extend.c:170: error: (Each undeclared identifier is >>>>> reported only once >>>>> policy_extend.c:170: error: for each function it appears in.) >>>>> policy_extend.c: In function 'qpol_policy_fill_attr_holes': >>>>> policy_extend.c:246: error: 'HASHTAB_OVERFLOW' undeclared (first >>>>> use in this function) >>>>> make[4]: *** [policy_extend.o] Error 1 >>>>> make[4]: Leaving directory >>>>> `/workbench/rpmbuild/BUILD/setools-3.1/libqpol/src' >>>>> >>>>> >>>>> i have not find "HASHTAB_OVERFLOW" in selinux trunk, especially in >>>>> libsepol. where is this symbol defined? >>>> Those error codes were replaced by standard ones >>>> (include/sepol/errcodes.h) in the trunk version of libsepol, so you >>>> would need to build setools against the stable branch version of >>>> libsepol until they update setools. >>> thank you. >>> >>> i play some tricks on the setools :-) >>> >>> in the spec file of setools-3.1-3.fc7, i find "findcon" and other cmds >>> had been removed: >>> >>> rm -f ${RPM_BUILD_ROOT}/usr/bin/findcon >>> rm -f ${RPM_BUILD_ROOT}/usr/bin/replcon >>> rm -f ${RPM_BUILD_ROOT}/usr/bin/searchcon >>> rm -f ${RPM_BUILD_ROOT}/usr/bin/indexcon >>> rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/searchcon.1 >>> rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/indexcon.1 >>> rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/replcon.1 >>> rm -f ${RPM_BUILD_ROOT}/usr/share/man/man1/findcon.1 >>> rm -rf ${RPM_BUILD_ROOT}%{_includedir}/libsefs/sqlite >>> >>> >>> so i comment "findcon relative" items, and add corresponding items >>> in "files" list. >>> >>> it seems that this kind of "findcon" works. >>> >>> this is a temporary method, i just want to use findcon to search >>> certain context >> >> How does it differ from find . -context ...? > > actually, i forgot it also can be done by "find" :-)) > for my purpose, > > find certaindir -context "tmpfs_t" > > is same with findcon. > > but maybe these commands, such as indexcon, will be useful > for diagnosing problem in another machine, as said by > Christopher j. PeBenito in selinux list > >> > > setools-3_1-4_fc7 will have those tools. From knute at frazmtn.com Fri Mar 30 23:34:23 2007 From: knute at frazmtn.com (Knute Johnson) Date: Fri, 30 Mar 2007 16:34:23 -0700 Subject: Ooops! I've hosed up selinux, help! Message-ID: <460D3C0F.26510.13611E@knute.frazmtn.com> I was playing around with the security settings on my FC6 box and reset a couple of selinux options. Which ones you ask? Darned if I can remember. Anyway, it prevents X from starting correctly so I can't go in and run the security program and fix it. If I disable selinux, X starts just fine but the options for selinux are not available in the security program. Even if you start it with selinux off and the set it on, the options don't show up. Is there a way to reset all options to default without running X? Thanks very much, -- Knute Johnson Molon Labe... From knute at frazmtn.com Sat Mar 31 17:37:14 2007 From: knute at frazmtn.com (Knute Johnson) Date: Sat, 31 Mar 2007 10:37:14 -0700 Subject: Ooops! I've hosed up selinux, help! In-Reply-To: <460D3C0F.26510.13611E@knute.frazmtn.com> References: <460D3C0F.26510.13611E@knute.frazmtn.com> Message-ID: <460E39DA.30003.627439@knute.frazmtn.com> >I was playing around with the security settings on my FC6 box and >reset a couple of selinux options. Which ones you ask? Darned if I >can remember. Anyway, it prevents X from starting correctly so I >can't go in and run the security program and fix it. If I disable >selinux, X starts just fine but the options for selinux are not >available in the security program. Even if you start it with selinux >off and the set it on, the options don't show up. Is there a way to >reset all options to default without running X? > >Thanks very much, > >-- >Knute Johnson >Molon Labe... I've unhosed it. I started the computer and let X fail to start without trying any of the fixit options. Then I set enforcing off and started X. Then I could see the options in the security settting program and figured out which ones I had been messing with and put them back. It works fine now. Thanks, -- Knute Johnson Molon Labe...