From mike.clarkson at baesystems.com Tue May 1 00:37:28 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Mon, 30 Apr 2007 17:37:28 -0700
Subject: mount point labels
Message-ID:

I'm attempting to create the labeled mount point with the following command:

mount -t nfs -o context=system_u:object_r:import_file_t:s0 nas:/vol/home /home/SimulatedImport/output/home

The mount point is created without any errors, but the label that I specify in the mount command is not used. Instead of system_u:object_r:import_file_t, the context of the /home/SimulatedImport/output/home is system_u:object_r:nfs_t:s0.

ls -dZ /home/SimulatedImport/output/home
drwxr-xr-x root root system_u:object_r:nfs_t:s0 /home/m252/SimulatedImport/output/home

I'm running RHEL5 with a policy built as mls off of the targeted policy.

Does anyone know why the context label is not taking?

Thanks

From sds at tycho.nsa.gov Tue May 1 14:17:54 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 01 May 2007 10:17:54 -0400
Subject: trouble using runcon
In-Reply-To:
References:
Message-ID: <1178029074.26421.52.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-04-30 at 13:12 -0700, Clarkson, Mike R (US SSA) wrote:
> Whenever I use runcon in my script, I get the error
> "root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context",
> regardless of the user, role, type, and mls level that I specify with
> the runcon command. In fact, even when I specify the context that I'm
> already running in with the runcon statement, I get the above error.
> So for instance, if I run the script WITHOUT the runcon command, it
> runs fine with the following security context (verified with a ps -efZ
> command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the
> script with a runcon statement that specifies the exact same user,
> role, type, and mls level I get the error shown above.

(please disable html mail in your client when posting to public mail lists)

Are you running in permissive mode? In permissive mode, SELinux will allow policy-defined domain transitions to happen even if the context is not fully valid but will still reject those contexts if explicitly specified by an application (e.g. by runcon).

Make sure that you have authorized the context in your policy, e.g.
- is root authorized for system_r and for s0-s15:c0.c255 via a user declaration?
- is system_r authorized for datalabeler_t via a role declaration?

> I am using an selinux policy that I built as an mls policy off the
> targeted policy.

I don't understand - why aren't you using the real MLS policy? And if you want to use MLS, why aren't you following the work on redhat-lspp list and using those packages?

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Tue May 1 14:30:14 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 01 May 2007 10:30:14 -0400
Subject: mount point labels
In-Reply-To:
References:
Message-ID: <1178029814.26421.57.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-04-30 at 17:37 -0700, Clarkson, Mike R (US SSA) wrote:
> I'm attempting to create the labeled mount point with the following
> command:
>
> mount -t nfs -o context=system_u:object_r:import_file_t:s0
> nas:/vol/home /home/SimulatedImport/output/home
>
> The mount point is created without any errors, but the label that I
> specify in the mount command is not used. Instead of
> system_u:object_r:import_file_t, the context of
> the /home/SimulatedImport/output/home is system_u:object_r:nfs_t:s0.
>
> ls -dZ /home/SimulatedImport/output/home
>
> drwxr-xr-x root root
> system_u:object_r:nfs_t:s0 /home/m252/SimulatedImport/output/home
>
> I'm running RHEL5 with a policy built as mls off of the targeted
> policy.
>
> Does anyone know why the context label is not taking?

Do you already have the same filesystem mounted elsewhere? What versions of kernel and nfs-utils do you have?

-- 
Stephen Smalley
National Security Agency

From mike.clarkson at baesystems.com Tue May 1 16:20:00 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Tue, 1 May 2007 09:20:00 -0700
Subject: mount point labels
References: <1178029814.26421.57.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

The kernel version is 2.6.18-8.1.1.el5, and the version of nfs-utils is 1:1.0.9-16.el5.

I do already have the same file system automounted elsewhere. Is that causing the problem?

By the way, can mount point labels be applied to automounted file systems? If so, how would I do that? Would I put the label into the automount file (auto.*) in the /etc directory?

-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] Sent: Tuesday, May 01, 2007 7:30 AM To: Clarkson, Mike R (US SSA) Cc: fedora-selinux-list at redhat.com; Daniel J Walsh; Eric Paris Subject: Re: mount point labels On Mon, 2007-04-30 at 17:37 -0700, Clarkson, Mike R (US SSA) wrote: > I'm attempting to create the labeled mount point with the following > command: > > mount -t nfs -o context=system_u:object_r:import_file_t:s0 > nas:/vol/home /home/SimulatedImport/output/home > > > > The mount point is created without any errors, but the label that I > specify in the mount command is not used. Instead of > system_u:object_r:import_file_t, the context of > the /home/SimulatedImport/output/home is system_u:object_r:nfs_t:s0. > > ls -dZ /home/SimulatedImport/output/home > > drwxr-xr-x root root > system_u:object_r:nfs_t:s0 /home/m252/SimulatedImport/output/home > > > > I'm running RHEL5 with a policy built as mls off of the targeted > policy. > > > > Does anyone know why the context label is not taking? Do you already have the same filesystem mounted elsewhere? What versions of kernel and nfs-utils do you have? -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Tue May 1 16:42:49 2007 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 01 May 2007 12:42:49 -0400 Subject: mount point labels In-Reply-To: References: <1178029814.26421.57.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1178037769.26421.80.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2007-05-01 at 09:20 -0700, Clarkson, Mike R (US SSA) wrote: > The kernel version is 2.6.18-8.1.1.el5, and the version of nfs-utils is > 1:1.0.9-16.el5. > > I do already have the same file system automounted elsewhere. Is that > causing the problem? Yes, the context= mount must be applied on the first mount of the filesystem or it has no effect. > By the way, can mount point labels be applied to automounted file > systems? If so, how would I do that? Would I put the label into the > automount file (auto.*) in the /etc directory? You can specify mount options in your automounter maps (like auto.master), so you should be able to specify a context= option there too. I haven't specifically tried it though. -- Stephen Smalley National Security Agency From ftaylor at redhat.com Tue May 1 20:34:53 2007 
From: ftaylor at redhat.com (Forrest Taylor)
Date: Tue, 01 May 2007 14:34:53 -0600
Subject: mount point labels
In-Reply-To: <1178037769.26421.80.camel@moss-spartans.epoch.ncsc.mil>
References: <1178029814.26421.57.camel@moss-spartans.epoch.ncsc.mil> <1178037769.26421.80.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1178051693.4809.10.camel@localhost.localdomain>

On Tue, 2007-05-01 at 12:42 -0400, Stephen Smalley wrote:
> > By the way, can mount point labels be applied to automounted file
> > systems? If so, how would I do that? Would I put the label into the
> > automount file (auto.*) in the /etc directory?
>
> You can specify mount options in your automounter maps (like
> auto.master), so you should be able to specify a context= option there
> too. I haven't specifically tried it though.

I cannot get this to work in RHEL5. It complains if I have it in auto.master (syntax error), so I tried to place an entry in auto.misc (for /misc). It will mount, but not with the context that I specified. The logs mention that it is using genfs_contexts.

Looking at the mounts, I see that the options for the autofs mount point include: context=""

So, the options are not getting passed to the mount command, or are being overridden by automount. Any other ideas?

Forrest

From sds at tycho.nsa.gov Wed May 2 11:29:44 2007
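Both failures in this thread leave the context= option silently ineffective: Stephen points out that the option only counts on the first mount of a filesystem, and Forrest found the automounter handing the kernel an empty context="". The following pre-flight check, an added example that is not part of the thread, reads a /proc/mounts-style table and warns about either condition before a context= mount is attempted. The table below is constructed (the export and mount points come from the thread; the option values and the /net automount path are invented), and matching an existing mount by its spec is a heuristic for "same filesystem already mounted".

```python
"""Pre-flight check for context= mounts: warns when the export is already mounted
elsewhere (context= only counts on the first mount) or when the option is empty
(context="", as the autofs mount in the thread showed).  Added example, not from
the thread; the /proc/mounts lines below are constructed."""

SAMPLE_MOUNTS = """\
nas:/vol/home /net/nas/vol/home nfs rw,vers=3,addr=192.0.2.10 0 0
/dev/hda4 /home ext3 rw,data=ordered 0 0
/etc/auto.misc /misc autofs rw,fd=5,pgrp=2112,timeout=300,minproto=5,maxproto=5,indirect,context="" 0 0
"""


def split_options(opt_string):
    """Split on commas outside double quotes: an MLS context such as
    context="system_u:object_r:t:s0:c0,c5" carries commas of its own."""
    items, current, in_quotes = [], [], False
    for ch in opt_string:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            items.append("".join(current))
            current = []
            continue
        current.append(ch)
    items.append("".join(current))
    return [item for item in items if item]


def parse_options(opt_string):
    """'rw,context="x"' -> {'rw': True, 'context': 'x'}; quotes are stripped from values."""
    opts = {}
    for item in split_options(opt_string):
        key, sep, value = item.partition("=")
        opts[key] = value.strip('"') if sep else True
    return opts


def parse_mounts(text):
    """Parse /proc/mounts-style lines into dicts (spec, mountpoint, fstype, opts)."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        spec, mountpoint, fstype, opts = fields[:4]
        mounts.append({"spec": spec, "mountpoint": mountpoint, "fstype": fstype,
                       "opts": parse_options(opts)})
    return mounts


def empty_context_mounts(mounts):
    """Mount points whose options carry context="" (the autofs symptom in the thread)."""
    return [m["mountpoint"] for m in mounts if m["opts"].get("context") == ""]


def check_context_mount(mounts, spec, options):
    """Warnings for a proposed `mount -o <options> <spec> <dir>`; an empty list means
    the context= option has a chance of taking effect.  Matching on spec is a heuristic:
    the kernel reuses the superblock of a filesystem that is already mounted, and the
    spec is the closest thing to that identity visible in /proc/mounts."""
    warnings = []
    ctx = parse_options(options).get("context")
    if ctx is None:
        return warnings
    if ctx == "":
        warnings.append("context= is empty; the filesystem will get the policy default "
                        "(genfs_contexts) instead of a fixed label")
    for m in mounts:
        if m["spec"] == spec:
            existing = m["opts"].get("context")
            shown = existing if existing is not None else "policy default"
            warnings.append(f"{spec} is already mounted at {m['mountpoint']} (label: {shown}); "
                            "context= on a second mount of the same filesystem has no effect, "
                            "so unmount it first or put the option on that first mount")
    return warnings


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    print('mounts with context="":', empty_context_mounts(table))
    for w in check_context_mount(table, "nas:/vol/home",
                                 "context=system_u:object_r:import_file_t:s0"):
        print("warning:", w)
```

On a real host, feed `parse_mounts` the contents of /proc/mounts and run `empty_context_mounts` over it to spot automounter entries that lost their option, and `check_context_mount` before each manual context= mount to catch the already-mounted case that bit the original poster.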
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 02 May 2007 07:29:44 -0400 Subject: mount point labels In-Reply-To: <1178051693.4809.10.camel@localhost.localdomain> References: <1178029814.26421.57.camel@moss-spartans.epoch.ncsc.mil> <1178037769.26421.80.camel@moss-spartans.epoch.ncsc.mil> <1178051693.4809.10.camel@localhost.localdomain> Message-ID: <1178105384.3443.11.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2007-05-01 at 14:34 -0600, Forrest Taylor wrote: > On Tue, 2007-05-01 at 12:42 -0400, Stephen Smalley wrote: > > > By the way, can mount point labels be applied to automounted file > > > systems? If so, how would I do that? Would I put the label into the > > > automount file (auto.*) in the /etc directory? > > > > You can specify mount options in your automounter maps (like > > auto.master), so you should be able to specify a context= option there > > too. I haven't specifically tried it though. > > I cannot get this to work in RHEL5. It complains if I have it in > auto.master (syntax error), so I tried to place an entry in auto.misc > (for /misc). It will mount, but not with the context that I specified. > The logs mention that it is using genfs_contexts. > > Looking at the mounts, I see that the options for the autofs mount point > include: context="" > > So, the options are not getting passed to the mount command, or are > being overridden by automount. Any other ideas? File a bug against autofs? -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Wed May 2 11:35:37 2007 
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 02 May 2007 07:35:37 -0400
Subject: trouble using runcon
In-Reply-To: <1178029074.26421.52.camel@moss-spartans.epoch.ncsc.mil>
References: <1178029074.26421.52.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1178105737.3443.15.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-05-01 at 10:17 -0400, Stephen Smalley wrote:
> On Mon, 2007-04-30 at 13:12 -0700, Clarkson, Mike R (US SSA) wrote:
> > Whenever I use runcon in my script, I get the error
> > "root:system_r:datalabeler_t:s0-s15:c0.c255 is not a valid context",
> > regardless of the user, role, type, and mls level that I specify with
> > the runcon command. In fact, even when I specify the context that I'm
> > already running in with the runcon statement, I get the above error.
> > So for instance, if I run the script WITHOUT the runcon command, it
> > runs fine with the following security context (verified with a ps -efZ
> > command): root:system_r:datalabeler_t:s0-s15:c0.c255. But if I run the
> > script with a runcon statement that specifies the exact same user,
> > role, type, and mls level I get the error shown above.
>
> (please disable html mail in your client when posting to public mail
> lists)
>
> Are you running in permissive mode? In permissive mode, SELinux will
> allow policy-defined domain transitions to happen even if the context is
> not fully valid but will still reject those contexts if explicitly
> specified by an application (e.g. by runcon).
>
> Make sure that you have authorized the context in your policy, e.g.
> - is root authorized for system_r and for s0-s15:c0.c255 via a user
> declaration?
> - is system_r authorized for datalabeler_t via a role declaration?
To summarize the solution for the list (discussion went off-list), the problem in this case was lack of permission for the datalabeler_t domain to validate contexts (selinux_validate_context() refpolicy interface), resulting in runcon always failing to validate the context and reporting an invalid context. Likely should file a bug against coreutils for runcon to add strerror(errno) to the error message when security_check_context() fails so that we would see it as a Permission denied. -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Wed May 2 11:49:07 2007 
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 02 May 2007 07:49:07 -0400
Subject: trouble using runcon
In-Reply-To:
References: <1178029074.26421.52.camel@moss-spartans.epoch.ncsc.mil> <1178045614.3443.7.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1178106547.3443.28.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-05-01 at 15:38 -0700, Clarkson, Mike R (US SSA) wrote:
> Stephen,
>
> You were right. Adding selinux_validate_context(datalabeler_t) got me
> past the problem and I started getting some useful avc denial messages
> in the audit log. I can now successfully run my script using runcon as
> follows:
> "runcon -u root -r system_r -t datalabeler_t -l s0-s15:c0.c255
> java mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
>
> However, if I try to specify a different mls level in the runcon
> statement it doesn't work. It looks like it fails to kick off the java
> process, or at least I can't see the java process running using ps.
>
> The command I'm trying to use is this:
> "runcon -u root -r system_r -t datalabeler_t -l s1 java
> mls.SimulatedImport.SimulatedDataLabeler $argv[*]"
>
> I'm not getting meaningful avc messages in the audit log. Audit2allow is
> telling me I need to add allow statements to my policy that I already
> have. I think that I'm probably violating some MLS constraint (I find
> that audit2allow does not give me useful messages when the problem is
> that an MLS constraint is being violated).
>
> Do either of you have any ideas on what constraint I might be violating?
> I already have "mls_process_set_level(datalabeler_t)" in my policy, and
> "semanage user -l" and "semanage login -l" both show that root has the
> mls range of s0-s15:c0.c255.

(re-added fedora-selinux-list to cc line)

audit2allow -a -l should only process avc messages since your last policy reload.

Is that runcon command running in the datalabeler_t domain already or in a different domain (the caller domain)?
If the former, why are you specifying -r system_r -t datalabeler_t at all to runcon (vs. just the components that are changing)? If the latter, then the caller domain needs mls_process_set_level().

Also, you'd have to deal with other MLS-related issues, e.g. if you want that java process to be able to write to your tty (at s0), you'd need to give it mls_fd_use_all_levels() to inherit stdin/stdout/stderr and mls_file_write_down() to write to the tty. But ideally you'd be using newrole -l s1 instead and let it relabel the tty for you properly.

You may want to take further follow-ups to redhat-lspp list for MLS-specific issues.

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed May 2 12:19:19 2007
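The runcon thread turns on what makes a context string "valid": Stephen's two checks (is the user authorized for the role and the MLS range via a user declaration, is the role authorized for the type via a role declaration) plus MLS range containment. The model below is an added example, not libselinux or kernel code, that performs those checks against a small constructed policy and returns the reason for a rejection, which is the information the thread wishes runcon's "is not a valid context" message carried. It models only the policy authorizations; the permission that turned out to be missing in this thread (selinux_validate_context() for the caller's domain) is outside it.

```python
"""Simplified model of the checks behind "is not a valid context": user -> roles and
MLS range, role -> types, and range containment.  Added example with a constructed
policy; it is not SELinux's own validation code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    @classmethod
    def parse(cls, text):
        """'s15:c0.c255' -> sensitivity 15, categories 0..255; 's0' -> no categories."""
        sens_part, _, cat_part = text.partition(":")
        if not sens_part.startswith("s"):
            raise ValueError(f"bad level {text!r}")
        cats = set()
        for item in filter(None, cat_part.split(",")):
            lo, _, hi = item.partition(".")          # 'c0.c255' is a run, 'c3' a single category
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            cats.update(range(lo_n, hi_n + 1))
        return cls(int(sens_part[1:]), frozenset(cats))

    def dominates(self, other):
        return self.sens >= other.sens and self.cats >= other.cats


def parse_range(text):
    """'s0-s15:c0.c255' -> (low, high); a single level serves as both."""
    low, _, high = text.partition("-")
    low_l = Level.parse(low)
    return low_l, (Level.parse(high) if high else low_l)


# Constructed policy: what the 'user' and 'role' declarations from the thread would say
POLICY = {
    "users": {
        "root": {"roles": {"system_r", "sysadm_r"}, "range": "s0-s15:c0.c255"},
        "user_u": {"roles": {"user_r"}, "range": "s0"},
    },
    "roles": {
        "system_r": {"datalabeler_t", "init_t"},
        "sysadm_r": {"sysadm_t"},
        "user_r": {"user_t"},
    },
}


def check_context(ctx, policy=POLICY):
    """Return (True, 'ok') or (False, reason) for a 'user:role:type[:range]' string."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return False, "context must have at least user:role:type"
    user, role, type_ = parts[:3]
    range_text = parts[3] if len(parts) == 4 else "s0"
    udecl = policy["users"].get(user)
    if udecl is None:
        return False, f"user {user} is not declared"
    if role not in udecl["roles"]:
        return False, f"user {user} is not authorized for role {role}"
    if type_ not in policy["roles"].get(role, set()):
        return False, f"role {role} is not authorized for type {type_}"
    try:
        low, high = parse_range(range_text)
    except ValueError as exc:
        return False, str(exc)
    if not high.dominates(low):
        return False, f"high level of {range_text} does not dominate its low level"
    ulow, uhigh = parse_range(udecl["range"])
    if not (low.dominates(ulow) and uhigh.dominates(high)):
        return False, f"range {range_text} is outside {user}'s range {udecl['range']}"
    return True, "ok"


if __name__ == "__main__":
    for ctx in ("root:system_r:datalabeler_t:s0-s15:c0.c255",
                "root:system_r:datalabeler_t:s1",
                "root:system_r:datalabeler_t:s0-s16:c0.c255",
                "root:user_r:user_t"):
        print(ctx, "->", check_context(ctx))
```

The second sample context (level s1 only, inside root's s0-s15:c0.c255 range) passes this check, which agrees with the thread: Mike's later failure with -l s1 was not a context-validity problem but an MLS constraint on the transition, which a validity model like this one cannot see.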
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 02 May 2007 08:19:19 -0400 Subject: mount point labels In-Reply-To: <1178105384.3443.11.camel@moss-spartans.epoch.ncsc.mil> References: <1178029814.26421.57.camel@moss-spartans.epoch.ncsc.mil> <1178037769.26421.80.camel@moss-spartans.epoch.ncsc.mil> <1178051693.4809.10.camel@localhost.localdomain> <1178105384.3443.11.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1178108359.3443.42.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-05-02 at 07:29 -0400, Stephen Smalley wrote: > On Tue, 2007-05-01 at 14:34 -0600, Forrest Taylor wrote: > > On Tue, 2007-05-01 at 12:42 -0400, Stephen Smalley wrote: > > > > By the way, can mount point labels be applied to automounted file > > > > systems? If so, how would I do that? Would I put the label into the > > > > automount file (auto.*) in the /etc directory? > > > > > > You can specify mount options in your automounter maps (like > > > auto.master), so you should be able to specify a context= option there > > > too. I haven't specifically tried it though. > > > > I cannot get this to work in RHEL5. It complains if I have it in > > auto.master (syntax error), so I tried to place an entry in auto.misc > > (for /misc). It will mount, but not with the context that I specified. > > The logs mention that it is using genfs_contexts. > > > > Looking at the mounts, I see that the options for the autofs mount point > > include: context="" > > > > So, the options are not getting passed to the mount command, or are > > being overridden by automount. Any other ideas? > > File a bug against autofs? The man page for auto.master says that any remaining command line arguments without leading dashes after the map name are taken as options (-o) to mount. So it seems like a bug if it doesn't pass through the context= option properly. -- Stephen Smalley National Security Agency From dj-oko at o2.pl Wed May 2 20:28:58 2007 
From: dj-oko at o2.pl (Kamil)
Date: Wed, 02 May 2007 22:28:58 +0200
Subject: Memory protection and system-config-securitylevel
Message-ID: <1178137738.7325.23.camel@chello087207029077.chello.pl>

Hello everybody
Forgive me if this subject has already been mentioned here, but I simply couldn't find an answer anywhere.

A few days ago I started system-config-securitylevel. I found something interesting in "Modify SELinux policies". A memory protection - there are four options in there. Two of them are enabled, with a description that if having this enabled is required by some program, it should be reported to bugzilla. I didn't do it, because of very strange effects after turning it off.

Disabling
"Allow all executable files to map memory areas as executable and readable, which is dangerous and such program should be reported to bugzilla"
and
"Allow all executable files to mark stack as executable. That shouldn't ever be required"
options (translation from Polish) made the system act very strangely. The first thing I observed was that the Kobo game stopped working. GMPC stopped playing. Also stuff outside of Fedora like Java and NVidia drivers failed. So I would have had to "report to bugzilla" too many applications for it to make any sense. Such a bug report would be only annoying, but according to system-config-securitylevel...

What is it with these two options? To make everything work properly they should be enabled, but their description that they should be disabled is confusing.

Thank you and forgive me any mess I've made by this post

-- 
Regards - Kamil J. Dudek

From dwalsh at redhat.com Fri May 4 15:30:57 2007
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 04 May 2007 11:30:57 -0400 Subject: Memory protection and system-config-securitylevel In-Reply-To: <1178137738.7325.23.camel@chello087207029077.chello.pl> References: <1178137738.7325.23.camel@chello087207029077.chello.pl> Message-ID: <463B51B1.2030109@redhat.com> Kamil wrote: > Hello everybody > Forgive me, if this subject has already been mentioned here, but I > simply couldn't find answer anywhere. > > Few days ago I started system-config-securitylevel. I found something > interesting in "Modify SELinux policies". A memory protection - there > are four options in there. Two of them are enabled, with a description > that if having this enabled is required by some program, it should be > reported to bugzilla. I didn't do it, because of very strange effects > after turning it off. > > Disabling > "Allow all executable files to map memory areas as executable and > readable, which is dangerous and such program should be reported to > bugzilla" > and > "Allow all executable files to mark stack as executable.That shouldn't > ever be required" > option(translation from polish) made system act very strange. First > thing I've observed was that Kobo game stopped working. GMPC stopped > playing. Also stuff outside of Fedora like Java and NVidia drivers > failed. So I should have "reported to bugzilla" to many application to > make it have any sense. Such bug report would be only annoying but > according to system-config-securitylevel... > > Java Applications can be labeled java_exec_t (chcon -t java_exec_t PATHTOAPP) Please tell me the path of these apps, so I can set them to default. Which will allow them to have this priv. NVidia should be told to fix their drivers. (Or open source them, their choice :^)) These memory checks are described here SELinux Memory Protection Tests The goal is to move towards, eliminating Writable/Executable memory to help protect systems. 
For now if you can run with these checked off, you are more secure. We realize that lots of apps are either broken or not labeled correctly. So we need to get the app vendors to fix their apps and to fix the labeling when it is wrong in SELinux. > What is it with these two options? To make everything work properly they > should be enabled, but their description that they should be disabled is > confusing. > > Thank you and forgive me any mess I've done by this post > > From mcepl at redhat.com Fri May 4 20:57:42 2007 From: mcepl at redhat.com (Matej Cepl) Date: Fri, 04 May 2007 22:57:42 +0200 Subject: dump/restore (or "star") and SELinux problems References: <20060426211433.GH27244@satyr.sylvan.com> <463B9203.8040802@utsouthwestern.edu> Message-ID: ["Followup-To:" header set to gmane.linux.redhat.fedora.selinux.] On 2007-05-04, 20:05 GMT, Peter Smith wrote: > Kayvan, did you ever look at using resize2fs? I successfully > used this recently on a Redhat AS 5 system (with SELinux.) > I even used the rescue-cd mode of the AS 5 disk. While > I understand that dump and/or star were giving you trouble, and > you wanted to migrate the FS to LVM, I think you could have > gotten the intended results by using resize2fs. It worked pretty well for me until today -- you should be very careful to make partition (with LVM or whatever) slightly bigger than the filesystem on it. Just to be scrooge I made LVM logical volume of the same number of 4k blocks as filesystem, and ... there is still yum upgrade running on my system, recovering it to at least slightly similar configuration as it was this morning ;-) (it was root partition I was resizing). Oh well, Matej From dj-oko at o2.pl Sat May 5 19:38:24 2007 
From: dj-oko at o2.pl (Kamil J. Dudek)
Date: Sat, 05 May 2007 21:38:24 +0200
Subject: Memory protection and system-config-securitylevel
In-Reply-To: <463B51B1.2030109@redhat.com>
References: <1178137738.7325.23.camel@chello087207029077.chello.pl> <463B51B1.2030109@redhat.com>
Message-ID: <1178393904.2839.11.camel@chello087207029077.chello.pl>

On 04-05-2007, Fri at 11:30 -0400, Daniel J Walsh wrote:
> Kamil wrote:
> > Hello everybody
> > Forgive me, if this subject has already been mentioned here, but I
> > simply couldn't find answer anywhere.
> >
> > Few days ago I started system-config-securitylevel. I found something
> > interesting in "Modify SELinux policies". A memory protection - there
> > are four options in there. Two of them are enabled, with a description
> > that if having this enabled is required by some program, it should be
> > reported to bugzilla. I didn't do it, because of very strange effects
> > after turning it off.
> >
> > Disabling
> > "Allow all executable files to map memory areas as executable and
> > readable, which is dangerous and such program should be reported to
> > bugzilla"
> > and
> > "Allow all executable files to mark stack as executable.That shouldn't
> > ever be required"
> > option(translation from polish) made system act very strange. First
> > thing I've observed was that Kobo game stopped working. GMPC stopped
> > playing. Also stuff outside of Fedora like Java and NVidia drivers
> > failed. So I should have "reported to bugzilla" to many application to
> > make it have any sense. Such bug report would be only annoying but
> > according to system-config-securitylevel...
> >
> Java Applications can be labeled java_exec_t (chcon -t java_exec_t
> PATHTOAPP) Please tell me the path of these apps, so I can set them to
> default. Which will allow them to have this priv. NVidia should be
> told to fix their drivers.
> (Or open source them, their choice :^))
>
> These memory checks are described here
> SELinux Memory Protection Tests
>
> The goal is to move towards, eliminating Writable/Executable memory to
> help protect systems.
> For now if you can run with these checked off, you are more secure. We
> realize that lots of apps are either broken or not labeled correctly.
> So we need to get the app vendors to fix their apps and to fix the
> labeling when it is wrong in SELinux.

I have enabled only "Allow all executable files to mark stack as executable. That shouldn't ever be required". And everything except the external NVidia drivers seems to work fine. The nv driver doesn't make any surprises. But when I disable even that, programs like Kobo Deluxe and glxgears return a "Permission denied" error. Should I report these programs to Bugzilla or ignore that hint?

> > What is it with these two options? To make everything work properly they
> > should be enabled, but their description that they should be disabled is
> > confusing.
> >
> > Thank you and forgive me any mess I've done by this post

-- 
---
Regards - Kamil
xmpp:wielkipiec at gmail com

From phil at noggle.biz Mon May 7 19:03:20 2007
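The second boolean in this thread ("Allow all executable files to mark stack as executable") is tripped when a program, or one of the shared libraries it loads, asks the loader for an executable stack; that request is recorded in the ELF PT_GNU_STACK program header, which is what `execstack -q` reports. Before deciding whether a failing program is the vendor's bug (Dan's point) or a labeling problem, it helps to know which files on the system actually carry the flag. The checker below is an added example, not code from the thread or from system-config-securitylevel: it parses the program headers of an ELF image and, so that it can run offline, builds a header-only ELF64 image in memory instead of reading real binaries. It says nothing about the first boolean (writable plus executable anonymous memory, the execmem case that JITs such as Java hit), which is a runtime behaviour not visible in ELF headers.

```python
"""Report whether an ELF file asks the loader for an executable stack (PT_GNU_STACK
with PF_X), which is what the execstack boolean in the thread governs.  Added
example, not from the thread; the ELF64 image built by make_elf64 is constructed
for the demonstration and is not loadable."""
import struct

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(elf):
    """Return p_flags of the PT_GNU_STACK header, or None if there is none.
    Handles ELF32 and ELF64 in either byte order."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:                                   # ELF64 header layout
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
        phdr_fmt, flags_index = end + "IIQQQQQQ", 1     # p_type, p_flags, offset, ...
    elif ei_class == 1:                                 # ELF32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
        phdr_fmt, flags_index = end + "IIIIIIII", 6     # p_type, offset, ..., p_flags, align
    else:
        raise ValueError("unknown EI_CLASS")
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, elf, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_index]
    return None


def stack_verdict(elf):
    """'executable', 'non-executable', or 'unspecified' (no PT_GNU_STACK header, so the
    kernel applies its per-architecture default, which on x86 has been an executable stack)."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return "unspecified"
    return "executable" if flags & PF_X else "non-executable"


def make_elf64(stack_flags=None):
    """Constructed header-only little-endian ELF64 image with one PT_LOAD and, when
    stack_flags is given, a PT_GNU_STACK header carrying those flags."""
    PT_LOAD = 1
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LSB, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0x401000,   # ET_EXEC, EM_X86_64, version, entry
                                 64, 0, 0,             # e_phoff, e_shoff, e_flags
                                 64, 56, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
                                 64, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


def scan_files(paths):
    """Map each path to its verdict, for surveying real binaries and libraries."""
    verdicts = {}
    for path in paths:
        with open(path, "rb") as fh:
            verdicts[path] = stack_verdict(fh.read())
    return verdicts


if __name__ == "__main__":
    for label, flags in (("RW stack", PF_R | PF_W),
                         ("RWX stack", PF_R | PF_W | PF_X),
                         ("no PT_GNU_STACK", None)):
        print(label, "->", stack_verdict(make_elf64(flags)))
```

Run `scan_files` over the executable and the libraries it links (the loader marks the whole process stack executable if any one of them asks), and a result of "executable" or "unspecified" on a file explains an execstack denial for that program when the boolean is off.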
From: phil at noggle.biz (Philip Tricca) Date: Mon, 07 May 2007 15:03:20 -0400 Subject: problems switching between roles (newrole) Message-ID: <463F77F8.4040004@noggle.biz> Hello List, Question about managing roles: I'm trying to setup my user to have access to both the unprivileged user_r role and the administrative role sysadm_r. My system is FC6 using the latest policy from yum: SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 21 Policy from config file: strict I've created new SELinux user: semanage user -a -R sysadm_r -R user_r -P user MyUser_u I've associated a Linux user with my SELinux user: semanage login -a -s MyUser_u MyUser When I login with my new user I see ... [MyUser at test ~]$ id -Z MyUser_u:user_r:user_t [MyUser at test ~]$ newrole -r sysadm_r -t sysadm_t Authenticating MyUser. Password: failed to exec shell : Permission denied [MyUser at test ~]$ The initial role is user_r which I like. But when MyUser attempts to change to the new role (sysadm_r through use of newrole)... they cannot. type=AVC msg=audit(1178544785.335:2418): avc: denied { transition } for pid=13798 comm="newrole" name="bash" dev=hda3 ino=162298 scontex=MyUser_u:user_r:newrole_t:s0 tcontext=MyUser_u:sysadm_r:sysadm_t:s0 tclass=process The contexts in the avc denied message seem right: MyUser is running the newrole command and has successfully transitioned into the newrole_t domain. The problem seems to be that newrole cannot kick off a shell in the target context (MyUser_u:sysadm_r:sysadm_t). A similar problem seems to arise when associating Linux users with user_r, staff_r and sysadm_r. The user will login with the default staff_r, will be able to newrole up to the sysadm_r role, but cannot change their role to user_r through similar means (newrole -r user_r -t user_t). 
I'd assume it's a fairly standard practice to make an SELinux user with the user_r and sysadm_r roles, much like using an unprivileged Linux user and only performing admin tasks using root. I'm guessing I missed a step somewhere along the line ... would someone mind pointing out where I went wrong or what I might try to resolve this? Cheers, - Philip From cpebenito at tresys.com Mon May 7 19:33:16 2007 
From: cpebenito at tresys.com (Christopher J. PeBenito) Date: Mon, 07 May 2007 19:33:16 +0000 Subject: problems switching between roles (newrole) In-Reply-To: <463F77F8.4040004@noggle.biz> References: <463F77F8.4040004@noggle.biz> Message-ID: <1178566396.25271.17.camel@sgc> On Mon, 2007-05-07 at 15:03 -0400, Philip Tricca wrote: > Hello List, > > Question about managing roles: I'm trying to setup my user to have > access to both the unprivileged user_r role and the administrative role > sysadm_r. My system is FC6 using the latest policy from yum: [...] > I've created new SELinux user: > semanage user -a -R sysadm_r -R user_r -P user MyUser_u > > I've associated a Linux user with my SELinux user: > semanage login -a -s MyUser_u MyUser > > When I login with my new user I see ... > > > [MyUser at test ~]$ id -Z > MyUser_u:user_r:user_t > [MyUser at test ~]$ newrole -r sysadm_r -t sysadm_t > Authenticating MyUser. > Password: > failed to exec shell > : Permission denied > [MyUser at test ~]$ > > > The initial role is user_r which I like. But when MyUser attempts to > change to the new role (sysadm_r through use of newrole)... they cannot. > > > type=AVC msg=audit(1178544785.335:2418): avc: denied { transition } > for pid=13798 comm="newrole" name="bash" dev=hda3 ino=162298 > scontex=MyUser_u:user_r:newrole_t:s0 > tcontext=MyUser_u:sysadm_r:sysadm_t:s0 tclass=process > [...] > A similar problem seems to arise when associating Linux users with > user_r, staff_r and sysadm_r. The user will login with the default > staff_r, will be able to newrole up to the sysadm_r role, but cannot > change their role to user_r through similar means (newrole -r user_r -t > user_t). Allowed role changes are defined in the policy, and the stock policy does not allow a change of staff_r <-> user_r or user_r -> sysadm_r. > I'd assume it's a fairly standard practice to make an SELinux user with > the user_r and sysadm_r roles No, user_r is for generic unprivileged users. 
If you want an unprivileged user that can change to the sysadm_r, you should be using staff_r instead of user_r. User_r and staff_r basically have the same rules except staff_r can change to sysadm_r, where user_r can't. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 From phil at noggle.biz Mon May 7 20:04:11 2007 
From: phil at noggle.biz (Philip Tricca) Date: Mon, 07 May 2007 16:04:11 -0400 Subject: problems switching between roles (newrole) In-Reply-To: <1178566396.25271.17.camel@sgc> References: <463F77F8.4040004@noggle.biz> <1178566396.25271.17.camel@sgc> Message-ID: <463F863B.1090700@noggle.biz> Christopher J. PeBenito wrote: > On Mon, 2007-05-07 at 15:03 -0400, Philip Tricca wrote: >> Hello List, >> >> Question about managing roles: I'm trying to setup my user to have >> access to both the unprivileged user_r role and the administrative role >> sysadm_r. My system is FC6 using the latest policy from yum: > [...] >> I've created new SELinux user: >> semanage user -a -R sysadm_r -R user_r -P user MyUser_u >> >> I've associated a Linux user with my SELinux user: >> semanage login -a -s MyUser_u MyUser >> >> When I login with my new user I see ... >> >> >> [MyUser at test ~]$ id -Z >> MyUser_u:user_r:user_t >> [MyUser at test ~]$ newrole -r sysadm_r -t sysadm_t >> Authenticating MyUser. >> Password: >> failed to exec shell >> : Permission denied >> [MyUser at test ~]$ >> >> >> The initial role is user_r which I like. But when MyUser attempts to >> change to the new role (sysadm_r through use of newrole)... they cannot. >> >> >> type=AVC msg=audit(1178544785.335:2418): avc: denied { transition } >> for pid=13798 comm="newrole" name="bash" dev=hda3 ino=162298 >> scontex=MyUser_u:user_r:newrole_t:s0 >> tcontext=MyUser_u:sysadm_r:sysadm_t:s0 tclass=process >> > [...] >> A similar problem seems to arise when associating Linux users with >> user_r, staff_r and sysadm_r. The user will login with the default >> staff_r, will be able to newrole up to the sysadm_r role, but cannot >> change their role to user_r through similar means (newrole -r user_r -t >> user_t). > > Allowed role changes are defined in the policy, and the stock policy > does not allow a change of staff_r <-> user_r or user_r -> sysadm_r. 
> >> I'd assume it's a fairly standard practice to make an SELinux user with >> the user_r and sysadm_r roles > > No, user_r is for generic unprivileged users. If you want an > unprivileged user that can change to the sysadm_r, you should be using > staff_r instead of user_r. User_r and staff_r basically have the same > rules except staff_r can change to sysadm_r, where user_r can't. Excellent! I haven't ventured deep into the policy src yet, but a quick grep on staff_r shows everything you describe quite clearly in the policy/modules/system/userdomain files After putting my user in staff_r & sysadm_r and relabeling my home dir everything works as expected. Thanks, - Philip From jmeile at hotmail.com Wed May 9 12:31:40 2007 
From: jmeile at hotmail.com (Josef Meile) Date: Wed, 09 May 2007 14:31:40 +0200 Subject: Allowing a apache to access a user folder by using semanage Message-ID: <4641BF2C.1050009@hotmail.com>

Hi,

I'm trying to allow apache to read a user folder as follows:

% semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"

However I still get:

May 9 13:42:38 my_host kernel: audit(1178710958.544:17691): avc: denied { search } for pid=4103 comm="httpd" name="data" dev=hda4 ino=2121605 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir

This is what semanage reports:

% semanage fcontext -l | grep zope
/home/zopeuser/data(/.*)? all files system_u:object_r:httpd_t:s0

I know you can do that with audit2allow by generating modules from the error messages. Indeed I caught four errors, generated four modules, then finally I combined them into this:

---> zopefull.te
module zopefull 1.0;

require {
	type httpd_t;
	type user_home_t;
	class file read;
	class file getattr;
	class lnk_file read;
	class dir search;
}

#============= httpd_t ==============
allow httpd_t user_home_t:file read;
allow httpd_t user_home_t:file getattr;
allow httpd_t user_home_t:lnk_file read;
allow httpd_t user_home_t:dir search;
<--- zopefull.te

Which indeed worked; however, I think it is a complicated and long way, and it does much more than what I want; in fact this gives access to all user folders to httpd and not just to the desired one. Is it possible to do this with semanage?

By the way, I'm using Fedora Core 6 without X and kernel 2.6.20-1.2948.

Best regards
Josef Meile

From janfrode at tanso.net Wed May 9 14:04:33 2007
From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Wed, 9 May 2007 16:04:33 +0200 Subject: Allowing a apache to access a user folder by using semanage References: <4641BF2C.1050009@hotmail.com> Message-ID: On 2007-05-09, Josef Meile wrote: > I'm trying to allow apache to read a user folder as follows: > > % semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?" semanage doesn't update the labels of existing files. So you'll need to run "restorecon -R /home/zopeuser/data" before this will work. -jf From hongwei at wustl.edu Wed May 9 18:47:25 2007 From: hongwei at wustl.edu (Hongwei Li) Date: Wed, 9 May 2007 13:47:25 -0500 (CDT) Subject: audit2allow broken? Message-ID: <3089.128.252.11.95.1178736445.squirrel@morpheus.wustl.edu> Hi, I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, selinux-policy-2.4.6-62.fc6 and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6. The system works and I was trying to add some settings to the selinux policy by running audit2allow. It was okay before noon: # audit2allow -M local < /var/log/audit/audit.log # semodule -i local.pp The new modules were added and it works. However, later, I can't do it again, but always get error: # audit2allow -M local < /var/log/audit/audit.log compilation failed: (unknown source)::ERROR 'syntax error' at token '' on line 6: /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from local.te and the file local.te has only one line: module local 1.0; not like before. Can somebody tell what is wrong? "on line 6" of what file? I reboot the system, still the same. Thanks a lot! Hongwei Li From sds at tycho.nsa.gov Wed May 9 18:53:57 2007 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 09 May 2007 14:53:57 -0400 Subject: audit2allow broken? In-Reply-To: <3089.128.252.11.95.1178736445.squirrel@morpheus.wustl.edu> References: <3089.128.252.11.95.1178736445.squirrel@morpheus.wustl.edu> Message-ID: <1178736837.3504.19.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote: > Hi, > > I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, selinux-policy-2.4.6-62.fc6 > and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6. > The system works and I was trying to add some settings to the selinux policy > by running audit2allow. It was okay before noon: > > # audit2allow -M local < /var/log/audit/audit.log > # semodule -i local.pp > > The new modules were added and it works. However, later, I can't do it again, > but always get error: > > # audit2allow -M local < /var/log/audit/audit.log > compilation failed: > (unknown source)::ERROR 'syntax error' at token '' on line 6: > > /usr/bin/checkmodule: error(s) encountered while parsing configuration > /usr/bin/checkmodule: loading policy configuration from local.te > > and the file local.te has only one line: > > module local 1.0; > > not like before. Can somebody tell what is wrong? "on line 6" of what file? > I reboot the system, still the same. What version of policycoreutils? The implication is that there were no avc denials in /var/log/audit/audit.log, and thus the generated module was empty. Possibly your audit logs were automatically rotated? You should really be using the -a option btw, e.g. audit2allow -a -M local That will pull all messages from audit, including older audit logs I believe. -- Stephen Smalley National Security Agency From hongwei at wustl.edu Wed May 9 19:29:28 2007 
From: hongwei at wustl.edu (Hongwei Li) Date: Wed, 9 May 2007 14:29:28 -0500 (CDT) Subject: audit2allow broken? In-Reply-To: <1178736837.3504.19.camel@moss-spartans.epoch.ncsc.mil> References: <3089.128.252.11.95.1178736445.squirrel@morpheus.wustl.edu> <1178736837.3504.19.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <3679.128.252.11.95.1178738968.squirrel@morpheus.wustl.edu> > On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote: >> Hi, >> >> I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, >> selinux-policy-2.4.6-62.fc6 >> and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6. >> The system works and I was trying to add some settings to the selinux policy >> by running audit2allow. It was okay before noon: >> >> # audit2allow -M local < /var/log/audit/audit.log >> # semodule -i local.pp >> >> The new modules were added and it works. However, later, I can't do it >> again, >> but always get error: >> >> # audit2allow -M local < /var/log/audit/audit.log >> compilation failed: >> (unknown source)::ERROR 'syntax error' at token '' on line 6: >> >> /usr/bin/checkmodule: error(s) encountered while parsing configuration >> /usr/bin/checkmodule: loading policy configuration from local.te >> >> and the file local.te has only one line: >> >> module local 1.0; >> >> not like before. Can somebody tell what is wrong? "on line 6" of what file? >> I reboot the system, still the same. > > What version of policycoreutils? > > The implication is that there were no avc denials > in /var/log/audit/audit.log, and thus the generated module was empty. > Possibly your audit logs were automatically rotated? > > You should really be using the -a option btw, e.g. > audit2allow -a -M local > That will pull all messages from audit, including older audit logs I > believe. > > -- > Stephen Smalley > National Security Agency > Yes, you are right -- there was no avc denials in the audit.log. 
Now, I set enforced and try a squirrelmail plugin change_passwd, it creates some avc denials, and then it works:

# audit2allow -a -M local
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

However, it fails when I run:

# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed

Actually, this has been an old problem since fc5 linux (not in fc4 or earlier) -- once set enforced, password cannot be changed from squirrelmail (web site), modules with "shadow..." cannot be added. Is there any way to change it? The reason is simple: my squirrelmail users need to change their password from within squirrelmail (web site) and I want to set selinux enforced.

BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy.

I appreciate all the help!

Hongwei Li

From ericm24x7 at gmail.com Wed May 9 19:38:16 2007
From: ericm24x7 at gmail.com (eric magaoay) Date: Wed, 09 May 2007 15:38:16 -0400 Subject: allowing tftpd to make pxe functional Message-ID: <46422328.9080609@gmail.com>

I'm currently testing the latest rawhide build (F7), and I need help in allowing tftpd traffic (for PXE functionality). My previous work around solution was:

setsebool -P tftpd_disable_trans=1

But this is no longer allowed under rawhide (F7). I tried running system-config-selinux to search for any entry on tftp or tftpd, but found none. Any other suggestion/workaround without disabling selinux?

Here is the output from Selinux troubleshooter:

Summary
SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to / (rsync_data_t).

Detailed Description
SELinux denied access requested by /usr/sbin/in.tftpd. It is not expected that this access is required by /usr/sbin/in.tftpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /, restorecon -v / If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context         user_u:system_r:tftpd_t
Target Context         system_u:object_r:rsync_data_t
Target Objects         / [ dir ]
Affected RPM Packages  tftp-server-0.42-4 [application]
                       filesystem-2.4.6-1.fc7 [target]
Policy RPM             selinux-policy-2.6.1-1.fc7
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.catchall_file
Host Name              fiji3
Platform               Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26 10:17:55 EDT 2007 x86_64 x86_64
Alert Count            20
First Seen             Wed 09 May 2007 02:18:14 PM EDT
Last Seen              Wed 09 May 2007 02:42:14 PM EDT
Local ID               736e2428-de9a-469b-8b77-92bce3a8eacd
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0 exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0 subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0

From peter.smith at utsouthwestern.edu Wed May 9 19:59:49 2007
From: peter.smith at utsouthwestern.edu (Peter Smith) Date: Wed, 09 May 2007 14:59:49 -0500 Subject: New packages and custom Selinux policies Message-ID: <46422835.3090707@utsouthwestern.edu>

I wrote an in-house RPM that is getting installed without error. However, on SELinux Enforcing machines using the targeted policy, it doesn't allow executing my app. I have the following questions about this.

*) What's the recommended method for supporting non-core apps to be installed *and* be supported under SELinux policies? I figured I'd create a 2nd RPM that provides a compiled SELinux policy to be added at runtime to the system policy.

a) If it is recommended to make 2 separate RPMs for an application--one for the app and one for the policy--how do you ensure the policy is always loaded with the system? I've opted to create an init script to handle this.

b) Should the policy get compiled during the SRPM-RPM build process or should it be compiled out-of-band and then just packaged into the RPM. In other words, with custom policies, is the expectation that you'd need to rebuild them whenever updating SELinux in any way?

It appears that there's no provision to support 3rd-party non-core applications as far as SELinux policies are concerned.

Thanks,
Peter

From sds at tycho.nsa.gov Wed May 9 20:11:34 2007
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 09 May 2007 16:11:34 -0400 Subject: audit2allow broken? In-Reply-To: <3679.128.252.11.95.1178738968.squirrel@morpheus.wustl.edu> References: <3089.128.252.11.95.1178736445.squirrel@morpheus.wustl.edu> <1178736837.3504.19.camel@moss-spartans.epoch.ncsc.mil> <3679.128.252.11.95.1178738968.squirrel@morpheus.wustl.edu> Message-ID: <1178741494.3504.42.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-05-09 at 14:29 -0500, Hongwei Li wrote: > > On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote: > >> Hi, > >> > >> I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, > >> selinux-policy-2.4.6-62.fc6 > >> and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6. > >> The system works and I was trying to add some settings to the selinux policy > >> by running audit2allow. It was okay before noon: > >> > >> # audit2allow -M local < /var/log/audit/audit.log > >> # semodule -i local.pp > >> > >> The new modules were added and it works. However, later, I can't do it > >> again, > >> but always get error: > >> > >> # audit2allow -M local < /var/log/audit/audit.log > >> compilation failed: > >> (unknown source)::ERROR 'syntax error' at token '' on line 6: > >> > >> /usr/bin/checkmodule: error(s) encountered while parsing configuration > >> /usr/bin/checkmodule: loading policy configuration from local.te > >> > >> and the file local.te has only one line: > >> > >> module local 1.0; > >> > >> not like before. Can somebody tell what is wrong? "on line 6" of what file? > >> I reboot the system, still the same. > > > > What version of policycoreutils? > > > > The implication is that there were no avc denials > > in /var/log/audit/audit.log, and thus the generated module was empty. > > Possibly your audit logs were automatically rotated? > > > > You should really be using the -a option btw, e.g. > > audit2allow -a -M local > > That will pull all messages from audit, including older audit logs I > > believe. 
> > > > -- > > Stephen Smalley > > National Security Agency > > > > Yes, you are right -- there was no avc denials in the audit.log. Now, I set > enforced and try a squirrelmail plugin change_passwd, it creates some avc > denials, and then it works: > > # audit2allow -a -M local > ******************** IMPORTANT *********************** > To make this policy package active, execute: > > semodule -i local.pp > > However, it fails when I run: > # semodule -i local.pp > libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t > shadow_t:file { read }; > libsepol.check_assertions: 1 assertion violations occured > libsemanage.semanage_expand_sandbox: Expand module failed > > Actually, this has been an old problem since fc5 linux (not in fc4 or earlier) > -- once set enforced, password cannot be changed from squirrelmail (web site), > modules with "shadow..." cannot be added. Is there anyway to change it? The > reason is simple: my squirrelmail users need to change their password from > within squirrelmail (web site) and I want to set selinux enforced. > > BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy.

Ideally you wouldn't be running that plugin directly in httpd_t.

The assertions aka neverallow rules can be overridden, but they are there as a warning to you that you are trying to allow something that is unsafe, in this case allowing your httpd processes to directly access your shadow file. It would be better if that plugin ran in a separate process in its own domain.

To allow it anyway, you can use the refpolicy interface to allow such access, which will also add the type to the right attribute to satisfy the assertion/neverallow rule. In this case, that would mean adding:

auth_rw_shadow(httpd_t)

to your local.te file and then running:

# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Wed May 9 20:13:04 2007
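The two failure modes in this thread (an empty local.te because the input held no AVC records, and a module semodule rejects because a generated rule trips a neverallow assertion) can both be caught before anything is compiled. The script below is an added example written for this archive page; it is not the real audit2allow and not code from any poster. It parses "avc: denied" records without assuming a fixed field order (so both the syslog lines and the setroubleshoot "Raw Audit Messages" layout seen in this thread parse), aggregates them into allow rules, prints a .te in the layout audit2allow -M produces, reports "No AVC messages found" instead of writing an empty module, and refuses to emit a rule that a neverallow forbids, naming the interface to call instead. The NEVERALLOW table is a hand-written sample containing only the httpd_t/shadow_t case and the auth_rw_shadow(httpd_t) interface from the reply above; the real assertion set lives in the loaded policy and is checked by libsepol at semodule time. The sample log lines are constructed (the first is the httpd denial from this thread, the second is made up).

```python
"""Minimal audit2allow-style module generator (added example, not audit2allow).

Parses "avc: denied" records, aggregates them into allow rules and renders a
policy module source (.te).  Unlike a plain pipeline it:
  * raises NoAvcMessages instead of writing a module with no rules, and
  * raises AssertionViolation for rules a neverallow assertion forbids,
    naming the refpolicy interface to use instead.
NEVERALLOW is a hand-written sample, not the policy's real assertion list.
"""
import re
from collections import defaultdict

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")

# (source type, target type, class, permission) -> interface to call instead.
# Sample entries only; they mirror the assertion reported in this thread.
NEVERALLOW = {
    ("httpd_t", "shadow_t", "file", "read"): "auth_rw_shadow(httpd_t)",
    ("httpd_t", "shadow_t", "file", "write"): "auth_rw_shadow(httpd_t)",
}


class NoAvcMessages(Exception):
    """Raised instead of emitting a module that contains no rules."""


class AssertionViolation(Exception):
    """Raised for a rule that semodule would reject with a neverallow."""


def context_type(ctx):
    """user:role:type[:mls] -> type (the third field)."""
    return ctx.split(":")[2]


def parse_denials(lines):
    """Yield (source_type, target_type, tclass, perm) per denied permission.

    Field order is not assumed: scontext/tcontext/tclass are located
    individually, so syslog and setroubleshoot layouts both parse.
    """
    for line in lines:
        m = PERMS_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
            continue
        src = context_type(fields["scontext"])
        tgt = context_type(fields["tcontext"])
        for perm in m.group(1).split():
            yield src, tgt, fields["tclass"], perm


def build_rules(lines):
    """Aggregate denials into {(src, tgt, tclass): set(perms)}."""
    rules = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(lines):
        rules[(src, tgt, tclass)].add(perm)
    if not rules:
        raise NoAvcMessages("No AVC messages found")
    return dict(rules)


def check_assertions(rules):
    """Fail early on rules the sample neverallow table forbids."""
    for (src, tgt, tclass), perms in rules.items():
        for perm in sorted(perms):
            iface = NEVERALLOW.get((src, tgt, tclass, perm))
            if iface:
                raise AssertionViolation(
                    f"allow {src} {tgt}:{tclass} {perm}; violates a neverallow; "
                    f"call {iface} in local.te instead of adding the raw rule"
                )


def render_module(name, rules, version="1.0"):
    """Return .te source in the layout audit2allow -M produces."""
    check_assertions(rules)
    types = sorted({s for (s, _t, _c) in rules} | {t for (_s, t, _c) in rules})
    classes = defaultdict(set)
    for (_s, _t, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src in sorted({s for (s, _t, _c) in rules}):
        out.append(f"#============= {src} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == src:
                out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


# Constructed sample input: the httpd denial quoted in this thread plus a
# second, made-up denial for a file under the same directory.
SAMPLE_LOG = [
    'type=AVC msg=audit(1178710958.544:17691): avc: denied { search } for pid=4103 '
    'comm="httpd" name="data" dev=hda4 ino=2121605 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1178710959.100:17692): avc: denied { read getattr } for pid=4103 '
    'comm="httpd" name="index.html" dev=hda4 ino=2121700 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file',
]

if __name__ == "__main__":
    print(render_module("local", build_rules(SAMPLE_LOG)))
```

Run it with no arguments to see the module generated from the sample lines; to use it on a real box, feed it the lines of /var/log/audit/audit.log (or, as the reply above recommends for audit2allow, all rotated logs) and hand the output to checkmodule/semodule_package, or simply treat an AssertionViolation as the cue to add the named interface to local.te and build with the devel Makefile. Aggregating permissions per (source, target, class) is what keeps the output to one allow line per object rather than the four near-duplicate lines in zopefull.te earlier in the thread.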
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 09 May 2007 16:13:04 -0400 Subject: allowing tftpd to make pxe functional In-Reply-To: <46422328.9080609@gmail.com> References: <46422328.9080609@gmail.com> Message-ID: <1178741584.3504.44.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote: > I'm currently testing the latest rawhide build (F7), and I need help in > allowing tftpd traffic (for PXE functionality). > My previous work around solution was: > setsebool -P tftpd_disable_trans=1 > But this is no longer allow under rawhide (F7). I tried running > system-config-selinux to search for any entry on tftp or tftpd, but > found none. Any other suggestion/workaround without disabling selinux? You can use audit2allow to create a policy module to allow the access and add it, e.g. audit2allow -a -M local semodule -i local.pp > > Here is the output from Selinux troubleshooter: > > Summary > SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to / > (rsync_data_t). > > Detailed Description > SELinux denied access requested by /usr/sbin/in.tftpd. It is not > expected > that this access is required by /usr/sbin/in.tftpd and this access may > signal an intrusion attempt. It is also possible that the specific > version > or configuration of the application is causing it to require additional > access. > > Allowing Access > Sometimes labeling problems can cause SELinux denials. You could try to > restore the default system file context for /, restorecon -v / If > this does > not work, there is currently no automatic way to allow this access. > Instead, > you can generate a local policy module to allow this access - see > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can > disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi > against this package. 
> > Additional Information > > Source Context user_u:system_r:tftpd_t > Target Context system_u:object_r:rsync_data_t > Target Objects / [ dir ] > Affected RPM Packages tftp-server-0.42-4 > [application]filesystem-2.4.6-1.fc7 [target] > Policy RPM selinux-policy-2.6.1-1.fc7 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name plugins.catchall_file > Host Name fiji3 > Platform Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu > Apr 26 > 10:17:55 EDT 2007 x86_64 x86_64 > Alert Count 20 > First Seen Wed 09 May 2007 02:18:14 PM EDT > Last Seen Wed 09 May 2007 02:42:14 PM EDT > Local ID 736e2428-de9a-469b-8b77-92bce3a8eacd > Line Numbers > > Raw Audit Messages > > avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0 > exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" > pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0 > subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir > tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0 > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency From jmeile at hotmail.com Wed May 9 20:09:27 2007 
From: jmeile at hotmail.com (Josef Meile) Date: Wed, 09 May 2007 22:09:27 +0200 Subject: Allowing a apache to access a user folder by using semanage In-Reply-To: References: <4641BF2C.1050009@hotmail.com> Message-ID: <46422A77.7030907@hotmail.com>

Hi Jan

>> I'm trying to allow apache to read a user folder as follows:
>>
>> % semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
>
> semanage doesn't update the labels of existing files. So you'll
> need to run "restorecon -R /home/zopeuser/data" before this
> will work.

I did what you suggested; however lots of messages like this appeared:

restorecon set context /home/zopeuser/data/certs/demoCA/certs->system_u:object_r:httpd_t:s0 failed:'Permission denied'

Then I tried:

fixfiles restore

But again I got lots of errors like this:

/sbin/setfiles: unable to relabel /home/zopeuser/data/certs/demoCA to system_u:object_r:httpd_t:s0
/home/zopeuser/data/certs/demoCA/crl: Permission denied

Even this doesn't work:

% touch /.autorelabel
% reboot

But this is what I got in the message log after rebooting:

May 9 22:16:39 my_host kernel: audit(1178741787.823:58): avc: denied { relabelto } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.823:59): avc: denied { associate } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:object_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
May 9 22:16:39 my_host kernel: audit(1178741787.834:60): avc: denied { read } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.834:61): avc: denied { search } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir

Till here I don't know what to do. Unfortunately most documentation I found talks about using the "Security Level and Firewall" menu entry from Gnome, but I don't have X nor do I want to install it.

Thanks for the reply anyway.

From phil at noggle.biz Wed May 9 19:28:14 2007
From: phil at noggle.biz (Philip Tricca) Date: Wed, 09 May 2007 15:28:14 -0400 Subject: MySQL 4.1 & SELinux on FC6 In-Reply-To: <462E22B8.7030900@noggle.biz> References: <462E22B8.7030900@noggle.biz> Message-ID: <464220CE.4020308@noggle.biz> phil wrote: > I'm performing a bit of an experiment setting up some software on FC6 > and confining it in an SELinux domain. In taking a survey of potential > obstacles, I've run into something that I'm hoping y'all can provide > some guidance on. The application I'm setting up was initially deployed > on RHEL4 (SELinux disabled) and thus depends on MySQL (version 4.1). In > developing policy I'd really like to use the most up to date modular > policy from FC6 (anticipating our transition to RHEL5), but the MySQL > packaged in FC6 is 5.0. > > From my perspective, my options are: > (1) try using MySQL 5.0 and hope the application doesn't break (cross > your fingers) > (2) install MySQL 4.1 (from source / older package) and try to use the > FC6 policy for MySQL 5.0 and hope that works. > > I'm not really sure which is the best choice (though option 1 does seem > like higher risk) so I thought I'd ask for some advice. Has anyone used > the FC6 MySQL policy with older versions of MySQL? Am I nuts for even > trying this? > > There's another team working to bring this software up to date for > deployment on RHEL5 but naturally our efforts are in parallel so I can't > benefit from their work just yet (nor can I, or do I want to monkey > around in their Java code). I could always develop my policy on the > older RHEL4 platform and use our standard build but when integration > begins that would put me way behind the ball as (from what I understand) > the policy in RHEL5 is vastly improved / different, which is why I'm > trying to use FC6 in my initial tests. I just realized I screwed up the subject line in my original post. apache 4.1 should have read MySQL 4.1. My bad. 
Just for posterity I figure I'd respond to my own email in the case that someone has to perform a similar task. I was successful in getting an old MySQL 4.1 rpm from the MySQL website up and running using the policy module that ships with FC6. It was a surprisingly good exercise in MySQL configuration (which I had hoped to avoid) and policy module writing / manipulation.

I'm not sure if MySQL 5.X still uses the my_print_defaults helper program to parse the my.cnf file, but a domain for this was missing from the existing policy module. I wrote one (just enough to run and read /etc/my.cnf) and I've got a running MySQL 4.1 using strict policy.

It's interesting to see how the way an application is configured can affect the policy. The 4.1 RPM from MySQL-AB ships with all logs, run files and db files in the same directory ... not very conducive to getting the file contexts right. Either way, all's well that ends well.

Cheers,
- Philip

From sds at tycho.nsa.gov Wed May 9 20:19:13 2007
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 09 May 2007 16:19:13 -0400 Subject: Allowing a apache to access a user folder by using semanage In-Reply-To: <46422A77.7030907@hotmail.com> References: <4641BF2C.1050009@hotmail.com> <46422A77.7030907@hotmail.com> Message-ID: <1178741953.3504.50.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-05-09 at 22:09 +0200, Josef Meile wrote: > Hi Jan > > >> I'm trying to allow apache to read a user folder as follows: > >> > >> % semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?" > > > > semanage doesn't update the labels of existing files. So you'll > > need to run "restorecon -R /home/zopeuser/data" before this > > will work. > I did what you suggested; however lots of messages like this appeared: > > restorecon set context > /home/zopeuser/data/certs/demoCA/certs->system_u:object_r:httpd_t:s0 > failed:'Permission denied' > > Then I tried: > fixfiles restore > > But again I got lots of errors like this: > > /sbin/setfiles: unable to relabel /home/zopeuser/data/certs/demoCA to > system_u:object_r:httpd_t:s0 > /home/zopeuser/data/certs/demoCA/crl: Permission denied > > Even this doesn't works: > % touch /.autorelabel > % reboot > > But this is I got in the message log after rebooting: > > May 9 22:16:39 my_host kernel: audit(1178741787.823:58): avc: denied > { relabelto } for pid=1368 comm="setfiles" name="data" dev=hda4 > ino=2121605 scontext=system_u:system_r:setfiles_t:s0 > tcontext=system_u:object_r:httpd_t:s0 tclass=dir > May 9 22:16:39 my_host kernel: audit(1178741787.823:59): avc: denied > { associate } for pid=1368 comm="setfiles" name="data" dev=hda4 > ino=2121605 scontext=system_u:object_r:httpd_t:s0 > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem > May 9 22:16:39 my_host kernel: audit(1178741787.834:60): avc: denied > { read } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 > scontext=system_u:system_r:setfiles_t:s0 > tcontext=system_u:object_r:httpd_t:s0 tclass=dir > May 9 
22:16:39 my_host kernel: audit(1178741787.834:61): avc: denied > { search } for pid=1368 comm="setfiles" name="data" dev=hda4 > ino=2121605 scontext=system_u:system_r:setfiles_t:s0 > tcontext=system_u:object_r:httpd_t:s0 tclass=dir httpd_t is a domain for a process, not a type for a file. You shouldn't be trying to label a file with it. -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Wed May 9 20:21:04 2007 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 09 May 2007 16:21:04 -0400 Subject: audit2allow broken? In-Reply-To: <1178741249.2951.26.camel@localhost.localdomain> References: <3089.128.252.11.95.1178736445.squirrel@morpheus.wustl.edu> <1178736837.3504.19.camel@moss-spartans.epoch.ncsc.mil> <1178741249.2951.26.camel@localhost.localdomain> Message-ID: <1178742064.3504.52.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-05-09 at 16:07 -0400, Karl MacMillan wrote: > On Wed, 2007-05-09 at 14:53 -0400, Stephen Smalley wrote: > > On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote: > > > Hi, > > > > > > I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, selinux-policy-2.4.6-62.fc6 > > > and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6. > > > The system works and I was trying to add some settings to the selinux policy > > > by running audit2allow. It was okay before noon: > > > > > > # audit2allow -M local < /var/log/audit/audit.log > > > # semodule -i local.pp > > > > > > The new modules were added and it works. However, later, I can't do it again, > > > but always get error: > > > > > > # audit2allow -M local < /var/log/audit/audit.log > > > compilation failed: > > > (unknown source)::ERROR 'syntax error' at token '' on line 6: > > > > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration > > > /usr/bin/checkmodule: loading policy configuration from local.te > > > > > > and the file local.te has only one line: > > > > > > module local 1.0; > > > > > > not like before. Can somebody tell what is wrong? "on line 6" of what file? > > > I reboot the system, still the same. > > > > What version of policycoreutils? > > > > The implication is that there were no avc denials > > in /var/log/audit/audit.log, and thus the generated module was empty. > > How did the old audit2allow handle this? Presumably a message saying > that there are no messages would be preferable. 
./audit2allow -M local < /dev/null
Generating type enforcment file: local.te
./audit2allow: No AVC messages found.

-- 
Stephen Smalley
National Security Agency

From jmeile at hotmail.com Wed May 9 20:50:46 2007
From: jmeile at hotmail.com (Josef Meile) Date: Wed, 09 May 2007 22:50:46 +0200 Subject: Allowing a apache to access a user folder by using semanage In-Reply-To: <1178741953.3504.50.camel@moss-spartans.epoch.ncsc.mil> References: <4641BF2C.1050009@hotmail.com> <46422A77.7030907@hotmail.com> <1178741953.3504.50.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <46423426.1030209@hotmail.com>

Hi Stephen

> httpd_t is a domain for a process, not a type for a file. You shouldn't
> be trying to label a file with it.

Ok, then is httpd_sys_content_t the right one? I solved it as follows:

semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
chcon -R -t httpd_sys_content_t /home/zopeuser/data

It works now, but is it the correct way?

Regards
Josef

From hongwei at wustl.edu Wed May 9 21:05:07 2007
From: hongwei at wustl.edu (Hongwei Li) Date: Wed, 9 May 2007 16:05:07 -0500 (CDT) Subject: audit2allow broken? In-Reply-To: <1178741494.3504.42.camel@moss-spartans.epoch.ncsc.mil> References: <3089.128.252.11.95.1178736445.squirrel@morpheus.wustl.edu> <1178736837.3504.19.camel@moss-spartans.epoch.ncsc.mil> <3679.128.252.11.95.1178738968.squirrel@morpheus.wustl.edu> <1178741494.3504.42.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1116.128.252.11.95.1178744707.squirrel@morpheus.wustl.edu> > On Wed, 2007-05-09 at 14:29 -0500, Hongwei Li wrote: >> > On Wed, 2007-05-09 at 13:47 -0500, Hongwei Li wrote: >> >> Hi, >> >> >> >> I have a fc6 linux box: kernel-2.6.20-1.2944.fc6, >> >> selinux-policy-2.4.6-62.fc6 >> >> and selinux-policy-targeted-2.4.6-62.fc6, audit-1.4.2-5.fc6. ... >> > >> > The implication is that there were no avc denials >> > in /var/log/audit/audit.log, and thus the generated module was empty. >> > Possibly your audit logs were automatically rotated? >> > >> > You should really be using the -a option btw, e.g. >> > audit2allow -a -M local >> > That will pull all messages from audit, including older audit logs I >> > believe. >> > >> > -- >> > Stephen Smalley >> > National Security Agency >> > >> ... >> >> However, it fails when I run: >> # semodule -i local.pp >> libsepol.check_assertion_helper: assertion on line 0 violated by allow >> httpd_t >> shadow_t:file { read }; >> libsepol.check_assertions: 1 assertion violations occured >> libsemanage.semanage_expand_sandbox: Expand module failed >> >> Actually, this has been an old problem since fc5 linux (not in fc4 or >> earlier) >> -- once set enforced, password cannot be changed from squirrelmail (web >> site), >> modules with "shadow..." cannot be added. Is there anyway to change it? The >> reason is simple: my squirrelmail users need to change their password from >> within squirrelmail (web site) and I want to set selinux enforced. >> >> BTW, I have policycoreutils-1.34.1-7.fc6 and targeted policy. 
> > Ideally you wouldn't be running that plugin directly in httpd_t. > > The assertions aka neverallow rules can be overridden, but they are > there as a warning to you that you are trying to allow something that is > unsafe, in this case allowing your httpd processes to directly access > your shadow file. It would be better if that plugin ran in a separate > process in its own domain. > > To allow it anyway, you can create use the refpolicy interface to allow > such access, which will also add the type to the right attribute to > satisfy the assertion/neverallow rule. In this case, that would mean > adding: > auth_rw_shadow(httpd_t) > to your local.te file and then running: > # make -f /usr/share/selinux/devel/Makefile > # semodule -i local.pp > > -- > Stephen Smalley > National Security Agency

Thank you for help! However, I got an error when doing it.

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted localb module
/usr/bin/checkmodule: loading policy configuration from tmp/localb.tmp
localb.te:6:ERROR 'syntax error' at token '' on line 78455:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/localb.mod] Error 1

My local.te is:

module local 1.0;

require {
	type portmap_t;
	type home_root_t;
	type system_mail_t;
	type nfsd_t;
	type crond_t;
	type httpd_t;
	type restorecon_t;
	type shadow_t;
	class dir { search getattr };
	class file read;
	class fifo_file read;
}

auth_rw_shadow(httpd_t);

#============= httpd_t ==============
allow httpd_t shadow_t:file read;

#============= nfsd_t ==============
allow nfsd_t crond_t:fifo_file read;

#============= portmap_t ==============
allow portmap_t crond_t:fifo_file read;

#============= restorecon_t ==============
allow restorecon_t crond_t:fifo_file read;

#============= system_mail_t ==============
allow system_mail_t home_root_t:dir { search getattr };
allow system_mail_t httpd_t:file read;

What is the "syntax error"? Did I add the line auth_rw_shadow(httpd_t); incorrectly?
I have selinux-policy-devel.noarch 0:2.4.6-62.fc6 installed. Thanks! Hongwei From mykleb at no.ibm.com Wed May 9 21:15:07 2007 From: mykleb at no.ibm.com (Jan-Frode Myklebust) Date: Wed, 9 May 2007 23:15:07 +0200 Subject: Allowing a apache to access a user folder by using semanage References: <4641BF2C.1050009@hotmail.com> <46422A77.7030907@hotmail.com> <1178741953.3504.50.camel@moss-spartans.epoch.ncsc.mil> <46423426.1030209@hotmail.com> Message-ID: On 2007-05-09, Josef Meile wrote: > Ok, then is httpd_sys_content_t the right one? I solved it as follows: > > semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?" > chcon -R -t httpd_sys_content_t /home/zopeuser/data > The semanage command should have set httpd_sys_content_t, not httpd_t. semanage fcontext -a -t httpd_sys_content_t "/home/zopeuser/data(/.*)?" restorecon -R /home/zopeuser/data ... I guess the restorecon will fail on a few symlinks again, but get the rest right. I'd prefer restorecon over "chcon -t" just to make sure the labeling rules are right, and won't get wrong if you ever do a full "touch /.autorelabel". -jf From jmeile at hotmail.com Wed May 9 21:16:42 2007 
From: jmeile at hotmail.com (Josef Meile) Date: Wed, 09 May 2007 23:16:42 +0200 Subject: Allowing a apache to access a user folder by using semanage In-Reply-To: <46423426.1030209@hotmail.com> References: <4641BF2C.1050009@hotmail.com> <46422A77.7030907@hotmail.com> <1178741953.3504.50.camel@moss-spartans.epoch.ncsc.mil> <46423426.1030209@hotmail.com> Message-ID: <46423A3A.9040002@hotmail.com> > Ok, then is httpd_sys_content_t the right one? I solved it as follows: > > semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?" > chcon -R -t httpd_sys_content_t /home/zopeuser/data > > It works now, but is it the correct way? A small correction there. It should be semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?" chcon -R -t httpd_sys_content_t /home/zopeuser If you don't give access to the user's root directory, then apache will still fail. From janfrode at tanso.net Wed May 9 21:18:03 2007 From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Wed, 9 May 2007 23:18:03 +0200 Subject: New packages and custom Selinux policies References: <46422835.3090707@utsouthwestern.edu> Message-ID: Check: http://fedoraproject.org/wiki/PackagingDrafts/SELinux http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules -jf From jmeile at hotmail.com Wed May 9 21:22:21 2007 
From: jmeile at hotmail.com (Josef Meile) Date: Wed, 09 May 2007 23:22:21 +0200 Subject: Allowing a apache to access a user folder by using semanage In-Reply-To: References: <4641BF2C.1050009@hotmail.com> <46422A77.7030907@hotmail.com> <1178741953.3504.50.camel@moss-spartans.epoch.ncsc.mil> <46423426.1030209@hotmail.com> Message-ID: <46423B8D.5040805@hotmail.com> > The semanage command should have set httpd_sys_content_t, not httpd_t. > > semanage fcontext -a -t httpd_sys_content_t "/home/zopeuser/data(/.*)?" > restorecon -R /home/zopeuser/data > > ... I guess the restorecon will fail on a few symlinks again, but get > the rest right. I'd prefer restorecon over "chcon -t" just to make sure > the labeling rules are right, and won't get wrong if you ever do a full > "touch /.autorelabel". Yup, that works too. Thanks Josef From peter.smith at utsouthwestern.edu Wed May 9 21:27:25 2007 From: peter.smith at utsouthwestern.edu (Peter Smith) Date: Wed, 09 May 2007 16:27:25 -0500 Subject: New packages and custom Selinux policies In-Reply-To: References: <46422835.3090707@utsouthwestern.edu> Message-ID: <46423CBD.60804@utsouthwestern.edu> Jan-Frode Myklebust wrote: > Check: > > http://fedoraproject.org/wiki/PackagingDrafts/SELinux > http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules > > > -jf > > Perfect. Thank you. P From paul at city-fan.org Thu May 10 08:55:12 2007 
From: paul at city-fan.org (Paul Howarth) Date: Thu, 10 May 2007 09:55:12 +0100 Subject: New packages and custom Selinux policies In-Reply-To: <46422835.3090707@utsouthwestern.edu> References: <46422835.3090707@utsouthwestern.edu> Message-ID: <4642DDF0.5050109@city-fan.org> Peter Smith wrote: > I wrote an in-house RPM that is getting installed without error. > However, on SELinux Enforcing machines using the targeted policy, it > doesn't allow executing my app. I have the following questions about this. > > *) What's the recommended method for supporting non-core apps to be > installed *and* be supported under SELinux policies? I figured I'd > create a 2nd RPM that provides a compiled SELinux policy to be added at > runtime to the system policy. > a) If it is recommended to make 2 separate RPMs for an application--one > for the app and one for the policy--how do you ensure the policy is > always loaded with the system? I've opted to create an init script to > handle this. > b) Should the policy get compiled during the SRPM-RPM build process or > should it be compiled out-of-band and then just packaged into the RPM? > In other words, with custom policies, is the expectation that you'd need > to rebuild them whenever updating SELinux in any way? Start here: http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules > It appears that there's no provision to support 3rd-party non-core > applications as far as SELinux policies are concerned. Not so. The standard Fedora policy contains contexts for binary nvidia driver modules and Adobe Reader for instance, which certainly aren't core. Paul. From sds at tycho.nsa.gov Thu May 10 12:15:23 2007 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 10 May 2007 08:15:23 -0400 Subject: audit2allow broken? In-Reply-To: <1116.128.252.11.95.1178744707.squirrel@morpheus.wustl.edu> References: <3089.128.252.11.95.1178736445.squirrel@morpheus.wustl.edu> <1178736837.3504.19.camel@moss-spartans.epoch.ncsc.mil> <3679.128.252.11.95.1178738968.squirrel@morpheus.wustl.edu> <1178741494.3504.42.camel@moss-spartans.epoch.ncsc.mil> <1116.128.252.11.95.1178744707.squirrel@morpheus.wustl.edu> Message-ID: <1178799323.3504.55.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-05-09 at 16:05 -0500, Hongwei Li wrote: > Thank you for help! However, I got error when doing it. > # make -f /usr/share/selinux/devel/Makefile > Compiling targeted localb module > /usr/bin/checkmodule: loading policy configuration from tmp/localb.tmp > localb.te:6:ERROR 'syntax error' at token '' on line 78455: > > > /usr/bin/checkmodule: error(s) encountered while parsing configuration > make: *** [tmp/localb.mod] Error 1 The above error is on something called "localb.te", not "local.te". Do you have multiple .te files in your working directory? If so, move them elsewhere or move local.te into its own subdirectory, cd there, and try again. 
> > > My local.te is: > > module local 1.0; > > require { > type portmap_t; > type home_root_t; > type system_mail_t; > type nfsd_t; > type crond_t; > type httpd_t; > type restorecon_t; > type shadow_t; > class dir { search getattr }; > class file read; > class fifo_file read; > } > > auth_rw_shadow(httpd_t); > > #============= httpd_t ============== > allow httpd_t shadow_t:file read; > > #============= nfsd_t ============== > allow nfsd_t crond_t:fifo_file read; > > #============= portmap_t ============== > allow portmap_t crond_t:fifo_file read; > > #============= restorecon_t ============== > allow restorecon_t crond_t:fifo_file read; > > #============= system_mail_t ============== > allow system_mail_t home_root_t:dir { search getattr }; > allow system_mail_t httpd_t:file read; > > > What "syntax error" is? Did I add the line > auth_rw_shadow(httpd_t); > incorrectly? > > I have selinux-policy-devel.noarch 0:2.4.6-62.fc6 installed. > > Thanks! > > Hongwei > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Thu May 10 12:18:25 2007 
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 10 May 2007 08:18:25 -0400 Subject: Allowing a apache to access a user folder by using semanage In-Reply-To: <46423A3A.9040002@hotmail.com> References: <4641BF2C.1050009@hotmail.com> <46422A77.7030907@hotmail.com> <1178741953.3504.50.camel@moss-spartans.epoch.ncsc.mil> <46423426.1030209@hotmail.com> <46423A3A.9040002@hotmail.com> Message-ID: <1178799505.3504.59.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-05-09 at 23:16 +0200, Josef Meile wrote: > > Ok, then is httpd_sys_content_t the right one? I solve it as follows: > > > > semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?" > > chcon -R -t httpd_sys_content_t /home/zopeuser/data > > > > It works now, but is it the correct way? > > A small correction there. It should be > semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?" > chcon -R -t httpd_sys_content_t /home/zopeuser > > If you don't give access to the user's root directory, then apache will > still fail. The semanage command should also use httpd_sys_content_t, and you should run restorecon -R /home/zopeuser/data after the semanage command rather than using chcon. semanage adds the entry to the system's file_contexts.local mapping, and restorecon then consults the system's file contexts files to determine the right context to apply. Do you really want to allow apache to fully access the user's home directory? If you just want to allow search access so that it can traverse the user home directory to reach the data subdirectory, there should be a boolean (httpd_enable_homedirs) that you can enable. -- Stephen Smalley National Security Agency From jmeile at hotmail.com Thu May 10 13:30:12 2007 
From: jmeile at hotmail.com (Josef Meile) Date: Thu, 10 May 2007 15:30:12 +0200 Subject: Allowing a apache to access a user folder by using semanage In-Reply-To: <1178799505.3504.59.camel@moss-spartans.epoch.ncsc.mil> References: <4641BF2C.1050009@hotmail.com> <46422A77.7030907@hotmail.com> <1178741953.3504.50.camel@moss-spartans.epoch.ncsc.mil> <46423426.1030209@hotmail.com> <46423A3A.9040002@hotmail.com> <1178799505.3504.59.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <46431E64.6000003@hotmail.com> Hi Stephen >>> Ok, then is httpd_sys_content_t the right one? I solved it as follows: >>> >>> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?" >>> chcon -R -t httpd_sys_content_t /home/zopeuser/data >>> >>> It works now, but is it the correct way? >> A small correction there. It should be >> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?" >> chcon -R -t httpd_sys_content_t /home/zopeuser >> >> If you don't give access to the user's root directory, then apache will >> still fail. > > The semanage command should also use httpd_sys_content_t, and you should > run restorecon -R /home/zopeuser/data after the semanage command rather > than using chcon. semanage adds the entry to the system's > file_contexts.local mapping, and restorecon then consults the system's > file contexts files to determine the right context to apply. Yes, you are right. That's what Jan-Frode Myklebust pointed me to in a previous post and that's what I finally did. It is working now. > Do you really want to allow apache to fully access the user's home > directory? No, I don't. Finally I gave apache access to the /home/zopeuser folder and full access to /home/zopeuser/data as follows: #Apache will be able to access the folder but not the files inside it semanage fcontext -a -f -d -t httpd_sys_content_t "/home/zopeuser" #Apache will be able to access all this folder, its files and subfolders semanage fcontext -a -t httpd_sys_content_t "/home/zopeuser/data(/.*)?" 
#apply changes restorecon -R /home/zopeuser > If you just want to allow search access so that it can > traverse the user home directory to reach the data subdirectory, there > should be a boolean (httpd_enable_homedirs) that you can enable. I'm aware of that boolean and it seems to be the simplest solution; however, I have other user folders which I don't want apache to access, so I opted for the semanage alternative. Thanks and have a nice day Josef From hongwei at wustl.edu Thu May 10 14:11:36 2007 From: hongwei at wustl.edu (Hongwei Li) Date: Thu, 10 May 2007 09:11:36 -0500 (CDT) Subject: audit2allow broken? In-Reply-To: <1178799323.3504.55.camel@moss-spartans.epoch.ncsc.mil> References: <3089.128.252.11.95.1178736445.squirrel@morpheus.wustl.edu> <1178736837.3504.19.camel@moss-spartans.epoch.ncsc.mil> <3679.128.252.11.95.1178738968.squirrel@morpheus.wustl.edu> <1178741494.3504.42.camel@moss-spartans.epoch.ncsc.mil> <1116.128.252.11.95.1178744707.squirrel@morpheus.wustl.edu> <1178799323.3504.55.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4131.128.252.11.95.1178806296.squirrel@morpheus.wustl.edu> > On Wed, 2007-05-09 at 16:05 -0500, Hongwei Li wrote: >> Thank you for the help! However, I got an error when doing it. >> # make -f /usr/share/selinux/devel/Makefile >> Compiling targeted localb module >> /usr/bin/checkmodule: loading policy configuration from tmp/localb.tmp >> localb.te:6:ERROR 'syntax error' at token '' on line 78455: >> >> >> /usr/bin/checkmodule: error(s) encountered while parsing configuration >> make: *** [tmp/localb.mod] Error 1 > > The above error is on something called "localb.te", not "local.te". > Do you have multiple .te files in your working directory? If so, move > them elsewhere or move local.te into its own subdirectory, cd there, and > try again. > Yes, I did have localb.te for testing. I removed it, reran the command and now it is working. Thank you very, very much! Hongwei From tibbs at math.uh.edu Thu May 10 14:45:34 2007 
From: tibbs at math.uh.edu (Jason L Tibbitts III) Date: 10 May 2007 09:45:34 -0500 Subject: New packages and custom Selinux policies In-Reply-To: <4642DDF0.5050109@city-fan.org> References: <46422835.3090707@utsouthwestern.edu> <4642DDF0.5050109@city-fan.org> Message-ID: >>>>> "PH" == Paul Howarth writes: PH> Start here: PH> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules Is there a good reason for this not getting onto the FPC agenda so that it can get finalized and written into the guidelines? - J< From kokseng at ieee.org Fri May 11 10:39:06 2007 From: kokseng at ieee.org (Lee Kok Seng) Date: Fri, 11 May 2007 18:39:06 +0800 Subject: [PATCH] genhomedircon Message-ID: I believe the logic in testing the file_contexts fc regular expression against candidate home directories listed in /etc/passwd for non-system users may have a problem. For example, I have postgresql installed under /opt/pgsql, database at /pgsql/pgdb and have a username pgsql, setting the home directory to /pgsql/home. Currently, FC5 selinux policy has several fc rules like this: /var/lib/pgsql/data/* Due to the way python's re.search is called, instead of using all possible fc rules in file_context to try to match the candidate home directory, it does it the other way round. This results in erroneously flagging a rule conflict. Have I confused myself? If not, the following patch will fix the problem, which it did for me. Note that if you do not place home directories away from /home, you may never experience this problem, and hence have no need for this patch. /ks ------------------------------------------------------------------------ ------------------------------------ --- /usr/sbin/genhomedircon.orig 2006-06-07 23:10:33.000000000 +0800 +++ /usr/sbin/genhomedircon 2007-05-09 15:14:23.000000000 +0800 
@@ -295,8 +295,8 @@ regex = re.sub("\(\/\.\*\)\?", "", regex) regex = regex + "/*$" - if re.search(home, regex, 0): - return 1 + if re.search(regex, home, 0): + return 1 except: continue return 0 From sds at tycho.nsa.gov Fri May 11 11:53:11 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 11 May 2007 07:53:11 -0400 Subject: [PATCH] genhomedircon In-Reply-To: References: Message-ID: <1178884391.3504.142.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2007-05-11 at 18:39 +0800, Lee Kok Seng wrote: > I believe the logic in testing the file_contexts fc regular > expression against > candidate home directory listed in /etc/passwd for non-system user may > have a problem. > > For example, > > I have postgresql installed under /opt/pgsql, database at /pgsql/pgdb > and have a username pgsql, setting the home directory to /pgsql/home. > > Currently, FC5 selinux policy has serveral fc rules like this: > > /var/lib/pgsql/data/* > > Due to the way python's re.search is called, instead of using all > possible > fc rules in file_context to try match the candidate home directory, > it does > it the other way. Resulting in erroneously flagging rule conflict. > > Have I confused myself? If not, the following patch will fix the > problem, > which it did for me. > > Note that if you do not place home directories away from /home, you may > never experience this problem, and hence has no need for this patch. > > /ks > ------------------------------------------------------------------------ > ------------------------------------ > > --- /usr/sbin/genhomedircon.orig 2006-06-07 23:10:33.000000000 > +0800 > +++ /usr/sbin/genhomedircon 2007-05-09 15:14:23.000000000 +0800 
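Review bot: the swap is the right fix, since re.search takes the pattern first and the string second, so the old `if re.search(home, regex, 0):` compiled the candidate home directory as a regex and looked for it inside the normalized file_contexts entry, which is exactly the false conflict described above for /pgsql against /var/lib/pgsql/data. Two points on the surrounding lines of the same hunk: `regex = regex + "/*$"` anchors only the end of the pattern, so even after the patch a candidate such as /srv/root still matches a /root entry, and prefixing the pattern with `^` would close that; and the bare `except: continue` below the changed lines will now also swallow `re.error` from any file_contexts entry that is not a valid Python regex, so catching `re.error` explicitly and warning about the entry would stop a malformed spec from silently passing as "no conflict".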
> @@ -295,8 +295,8 @@ > > regex = re.sub("\(\/\.\*\)\?", "", regex) > regex = regex + "/*$" > - if re.search(home, regex, 0): > - return 1 > + if re.search(regex, home, 0): > + return 1 > except: > continue > return 0 > Thanks, already received this from Dan Walsh on the upstream selinux list. Applied in policycoreutils 2.0.17 (trunk) and 1.34.10 (stable). -- Stephen Smalley National Security Agency From snoussisouhail at yahoo.fr Fri May 11 16:17:47 2007 From: snoussisouhail at yahoo.fr (Souhail Snoussi) Date: Fri, 11 May 2007 18:17:47 +0200 (CEST) Subject: Fedora core 5 Message-ID: <63895.82611.qm@web27003.mail.ukl.yahoo.com> With great respect I am writing to you, and I hope you can help me. Thank you. I installed Fedora Core 5 on my laptop (Toshiba version A 100-483) and ran into a problem with the Wifi card: it does not detect any networks, nor even the Wireless device. I also have an ADSL modem that I used before under Windows, and now I do not know how to install it under Linux, since I only have the Windows installation CD. Thank you for your attention; I await your help. From wolfy at nobugconsulting.ro Mon May 14 00:12:42 2007 
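The genhomedircon thread above turns on the argument order of Python's re.search, which takes the pattern first and the string second. The following is an added example, not code from the list posts or from policycoreutils: it reimplements the small normalization step visible in the hunk and runs both argument orders over constructed file_contexts specs, assuming (as the /pgsql/home case in the patch mail suggests) that the candidate being tested is a home root directory such as /pgsql. It also goes one step beyond the patch itself: the normalized spec is anchored only at the end, so a candidate such as /srv/root still matches a /root spec unless the start is anchored too, and a spec that is not a valid Python regex would be swallowed by the script's bare except, so the example catches re.error and reports such specs separately.

```python
import re

# Constructed file_contexts path specs for the demonstration (not from any real policy).
SPECS = [
    r"/var/lib/pgsql/data(/.*)?",
    r"/home/[^/]*/\.ssh(/.*)?",
    r"/root(/.*)?",
]


def normalize_spec(spec, anchor_start=False):
    """Reproduce genhomedircon's normalization of a file_contexts spec:
    drop the optional '(/.*)?' tail and anchor the pattern at the end.
    anchor_start=True also anchors the start, which the script does not do."""
    regex = re.sub(r"\(\/\.\*\)\?", "", spec)
    regex = regex + "/*$"
    return "^" + regex if anchor_start else regex


def spec_matches(spec, candidate, patched=True, anchor_start=False):
    """Test one spec against a candidate home root.
    patched=False uses the pre-patch order re.search(candidate, regex), which
    treats the candidate path as the pattern and the spec as the searched text."""
    regex = normalize_spec(spec, anchor_start)
    if patched:
        return re.search(regex, candidate) is not None
    return re.search(candidate, regex) is not None


def conflicting_specs(candidate, specs, patched=True, anchor_start=False):
    """Return (specs matching the candidate, specs that are not valid regexes).
    Invalid specs are reported rather than silently skipped, which is what the
    script's bare 'except: continue' would do."""
    hits, errors = [], []
    for spec in specs:
        try:
            if spec_matches(spec, candidate, patched, anchor_start):
                hits.append(spec)
        except re.error as exc:
            errors.append((spec, str(exc)))
    return hits, errors


if __name__ == "__main__":
    for home_root in ("/pgsql", "/home", "/root", "/srv/root"):
        before, _ = conflicting_specs(home_root, SPECS, patched=False)
        after, _ = conflicting_specs(home_root, SPECS, patched=True)
        strict, _ = conflicting_specs(home_root, SPECS, anchor_start=True)
        print(f"{home_root:10s} pre-patch={before} patched={after} anchored={strict}")
    # A spec that is not a valid regex: pre-patch it is never compiled, so the
    # defect goes unnoticed; patched, it raises re.error and is reported.
    print(conflicting_specs("/opt", ["/opt/(unbalanced"], patched=False))
    print(conflicting_specs("/opt", ["/opt/(unbalanced"], patched=True))
```

Run as-is, the pre-patch order reports /var/lib/pgsql/data as conflicting with /pgsql and the .ssh spec as conflicting with /home, while the patched order reports neither; the /srv/root line shows why anchoring the start as well is worth considering.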
From: wolfy at nobugconsulting.ro (Manuel Wolfshant) Date: Mon, 14 May 2007 03:12:42 +0300 Subject: Fedora core 5 In-Reply-To: <63895.82611.qm@web27003.mail.ukl.yahoo.com> References: <63895.82611.qm@web27003.mail.ukl.yahoo.com> Message-ID: <4647A97A.30806@nobugconsulting.ro> On 05/11/2007 07:17 PM, Souhail Snoussi wrote: > With great respect I am writing to you, and I hope you can help me. > Thank you. > I installed Fedora Core 5 on my laptop (Toshiba version A 100-483) and > ran into a problem with the Wifi card: it does not detect any networks, > nor even the Wireless device. > I also have an ADSL modem that I used before under Windows, and now I > do not know how to install it under Linux, since I only have the > Windows installation CD. > Thank you for your attention; I await your help. Your message must be written in English and sent to fedora at redhat.com. The fedora-selinux list is dedicated to problems related to SELinux under Fedora, not to general Fedora problems. Do not forget to attach, if possible, more information about the tests you have done and the software versions (especially kernel and drivers). Your message should be written in English and sent to fedora at redhat.com. fedora-selinux only deals with SELinux problems in Fedora. Please also supply - if possible - more information about the tests you have performed and the software version (especially drivers and kernel) From dwalsh at redhat.com Mon May 14 20:15:21 2007 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 14 May 2007 16:15:21 -0400 Subject: allowing tftpd to make pxe functional In-Reply-To: <1178741584.3504.44.camel@moss-spartans.epoch.ncsc.mil> References: <46422328.9080609@gmail.com> <1178741584.3504.44.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <4648C359.3050502@redhat.com> Stephen Smalley wrote: > On Wed, 2007-05-09 at 15:38 -0400, eric magaoay wrote: > >> I'm currently testing the latest rawhide build (F7), and I need help in >> allowing tftpd traffic (for PXE functionality). >> My previous workaround solution was: >> setsebool -P tftpd_disable_trans=1 >> But this is no longer allowed under rawhide (F7). I tried running >> system-config-selinux to search for any entry on tftp or tftpd, but >> found none. Any other suggestion/workaround without disabling selinux? >> > > You can use audit2allow to create a policy module to allow the access > and add it, e.g. > audit2allow -a -M local > semodule -i local.pp > > We should always advise something like audit2allow -a -M mytftp semodule -i mytftp.pp Since if you do this twice your first change will be removed. >> Here is the output from Selinux troubleshooter: >> >> Summary >> SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to / >> (rsync_data_t). >> >> Detailed Description >> SELinux denied access requested by /usr/sbin/in.tftpd. It is not >> expected >> that this access is required by /usr/sbin/in.tftpd and this access may >> signal an intrusion attempt. It is also possible that the specific >> version >> or configuration of the application is causing it to require additional >> access. >> >> Allowing Access >> Sometimes labeling problems can cause SELinux denials. You could try to >> restore the default system file context for /, restorecon -v / If >> this does >> not work, there is currently no automatic way to allow this access. 
>> Instead, >> you can generate a local policy module to allow this access - see >> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can >> disable >> SELinux protection altogether. Disabling SELinux protection is not >> recommended. Please file a >> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi >> against this package. >> >> Additional Information >> >> Source Context user_u:system_r:tftpd_t >> Target Context system_u:object_r:rsync_data_t >> Target Objects / [ dir ] >> Affected RPM Packages tftp-server-0.42-4 >> [application]filesystem-2.4.6-1.fc7 [target] >> Policy RPM selinux-policy-2.6.1-1.fc7 >> Selinux Enabled True >> Policy Type targeted >> MLS Enabled True >> Enforcing Mode Enforcing >> Plugin Name plugins.catchall_file >> Host Name fiji3 >> Platform Linux fiji3 2.6.21-1.3116.fc7 #1 SMP Thu >> Apr 26 >> 10:17:55 EDT 2007 x86_64 x86_64 >> Alert Count 20 >> First Seen Wed 09 May 2007 02:18:14 PM EDT >> Last Seen Wed 09 May 2007 02:42:14 PM EDT >> Local ID 736e2428-de9a-469b-8b77-92bce3a8eacd >> Line Numbers >> >> Raw Audit Messages >> >> avc: denied { search } for comm="in.tftpd" dev=sda6 egid=0 euid=0 >> exe="/usr/sbin/in.tftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" >> pid=3697 scontext=user_u:system_r:tftpd_t:s0 sgid=0 >> subj=user_u:system_r:tftpd_t:s0 suid=0 tclass=dir >> tcontext=system_u:object_r:rsync_data_t:s0 tty=(none) uid=0 >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> From kokseng at ieee.org Tue May 15 04:13:50 2007 
From: kokseng at ieee.org (Lee Kok Seng) Date: Tue, 15 May 2007 12:13:50 +0800 Subject: [SCRIPT] avctree Message-ID: <59D8113C-6023-44CD-AB29-2A2945C1BDE5@ieee.org> Hello, While diagnosing avc messages, I found the log messages too spread out to form a mental picture, since the lack of some rules often results in several domains barking. This reminds me of unforgiving Ada compilers spilling out loads of messages. I did not want to use audit2allow too quickly until I understood what the machine is not happy with. So, I needed a message format that let me do that. Here is a simple perl script to parse log files for avc denial messages, index and sort them, and print them in a tree (single depth) view, which I hastily put together last night. I hope it will help others as it did for me. Please feel free to modify it for your own use. You can index the messages by any key, for example scontext, tcontext, action, name, etc. You can also specify the log files to parse. By default, the script trims the _u, _r and _t from the context strings, which are good for rule readability in source files but clutter a diagnostic print-out. However, if this bothers you, disable trimming with the --trim=no option. To get help and the conditions of usage, run avctree --help. It is best to pipe the output to less so that you can navigate. 
A typical partial print-out is as follows (this one indexed by tcontext):

# --------------------------------------------------------------------------------[tcontext]
|
+-[root-object-default ]
| +<- system-system-initrc_su su(1753) : dir : search : home : dm-0 : 49182
|
+-[root-object-selinux_config]
| +<- root-system-semanage semodule(3584) : dir : rename : active : sdb1 : 49833
|
+-[root-object-user_home ]
| +<- root-system-semanage semodule(10359) : lnk_file : read : targeted : sdb1 : 98758
| +<- root-system-semanage semodule(11006) : lnk_file : read : policy : sdb1 : 98764
| +<- root-system-semanage semodule(3584) : lnk_file : read : targeted : sdb1 : 98758
|
+-[system-object-default ]
| +<- system-system-initrc_su su(1753) : dir : search : / : dm-0 : 2
| +<- system-system-hald hald(1958) : dir : getattr : / : dm-0 : 2
|

No PP module for this script yet. This script uses basic Perl features, so as long as you have the base Perl package installed, it should work. Happy to hear any comments or suggestions for improving this.

/ks

#------------------------------------------- cut here -----------------------------------------
#!/usr/bin/perl -w
use strict;
use Getopt::Long;

# Name of this script, used in the help text and notices
my $thisScript = ($0 =~ /([^\/]+)$/)[0];

## usage
# Print the help text and exit.
# (The opening lines of the help text, up to the default of the --log option,
#  did not survive the list archive; the rest is as posted.)
sub usage {
    print <<USAGETXT;
                         /var/log/messages, /var/log/kernel
    --tags             : Show time and audit tags
    --key=key,...      : List messages indexed-sorted by specified key
                         no argument or all => all keys
                         Not specified => scontext,tcontext,action,comm,name
    --trim=yes|no|1|0  : Trim context string. Default: yes
    --help
--------------------------------------------------------------------------------------------
Examples:
a. $thisScript --key=scontext
   Print avc messages indexed-sorted by source context.
b. $thisScript --key=tcontext
   Print avc messages indexed-sorted by target context.
c. $thisScript --key=comm
   Print avc messages indexed-sorted by command executed.
d. $thisScript --key=name
   Print avc messages indexed-sorted by target object's name.
e. $thisScript --key=all or $thisScript --key
   Print avc messages indexed-sorted by all keys.
f. $thisScript
   Print avc messages indexed-sorted by scontext, tcontext, comm, name (default)
g. $thisScript --trim=no
   Print avc messages without trimming context string.
h. $thisScript --log=/var/log/messages,/var/log/messages.1,/var/log/messages.2
   Print avc messages from log files listed (delimited by comma).
i. $thisScript --tags
   Print avc messages, including in each message the log time tag and audit tag.
USAGETXT
    exit -1;
}

# Command-line options
my $logARG;    # Log files to parse
my $tagsARG;   # Show time and audit tags
my $catARG;    # Categories (keys) to print
my $helpARG;   # Help
my $trimARG;   # Trim context string for readability

usage() unless GetOptions(
    'log:s'  => \$logARG,
    'tags!'  => \$tagsARG,
    'key:s'  => \$catARG,
    'trim:s' => \$trimARG,
    'help!'  => \$helpARG
);
usage() if (defined($helpARG));

## ----------------------------------------------------------------------------------------------
## Option: skip tags
my $skiptags = defined($tagsARG) ? 0 : 1;

## Option: log files. Only log files that exist are kept; --log=all selects the default set.
my @logRAW = defined($logARG) ? split(/,|\n|\r/, $logARG) : ();
my @logOPT = grep { -f $_ } @logRAW;
@logOPT = grep { -f $_ } ('/var/log/messages', '/var/log/kernel', '/var/log/debug')
    if (defined($logARG) && ((!scalar @logOPT) || grep /^all$/, @logRAW));
@logOPT = ('/var/log/kernel')   if (!scalar @logOPT && -f '/var/log/kernel');
@logOPT = ('/var/log/messages') if (!scalar @logOPT);

## Option: keys to index by
my @catOPT = defined($catARG) ? split(/,|\n|\r/, $catARG) : ();
my @catDEF = ('scontext', 'tcontext', 'comm', 'name');

## Option: trim. --trim=no, --trim=0 or a bare --trim disables trimming; anything else keeps it.
my $trimOPT = defined($trimARG) ? ($trimARG =~ /^(no|0|)$/i ? 0 : 1) : 1;

## ----------------------------------------------------------------------------------------------
## Regular expression for parsing avc 'denied' messages in syslog format, i.e. lines of the shape
##   <Mon dd hh:mm:ss> <host> kernel: audit(<secs.msecs:serial>): avc:  denied  { <perm> } for  <key=value ...>
my $avcRE = qr/^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})[\s\w]+:\s*audit\(([\d.:]+)\)\s*:\s*avc\s*:\s*denied\s+\{\s+(\w+)\s+}\s+for\s+(.*)/;

## Holds the indexed avc message records
my %avc;

## ----------------------------------------------------------------------------------------------
## contextFMT context
# Format a context string for readability: drop the _u, _r and _t suffixes
sub contextFMT {
    my $ctxt = shift;
    my ($u, $r, $t, $l) = split /:/, $ctxt;
    $u =~ s/(.*)_./$1/;
    $r =~ s/(.*)_./$1/;
    $t =~ s/(.*)_./$1/;
    return $u . '-' . $r . '-' . $t;
}

## ----------------------------------------------------------------------------------------------
## readLOG avc-hash log-file-name
# Read the specified log file and index every avc 'denied' record in it
sub readLOG {
    my $avc     = shift;
    my $logfile = shift;
    my $logsn   = ($logfile =~ /([^\/]+)$/)[0];
    my $tmax = defined($avc->{'_tcontext_max_'}) ? $avc->{'_tcontext_max_'} : 0;
    my $smax = defined($avc->{'_scontext_max_'}) ? $avc->{'_scontext_max_'} : 0;

    open LOGF, '<', $logfile or die "Cannot open input file: $logfile";
    while (<LOGF>) {
        s/\r|\n//g;
        next if (!$_);
        next if (!/\s+avc:\s+/);
        my ($timetag, $audit, $action, $detail) = ($_ =~ /$avcRE/);
        next if (!defined($action) || !defined($detail) || !defined($timetag) || !defined($audit));

        # okay, we have an avc 'denied' message
        my %this;    # this hash keeps the message's key=value pairs
        my @fields = split /\s|\r|\n/, $detail;
        foreach (@fields) {
            next if (!$_);
            my ($key, $val) = split /=/;
            next if (!$key || !$val);
            $val =~ s/[\"\']*([^\"\']*)[\"\']*/$1/;
            $this{"$key"} = $val;
        }
        next if (!defined($this{'scontext'}) || !defined($this{'tcontext'}));
        $this{'action'}  = $action;
        $this{'timetag'} = $timetag;
        $this{'audit'}   = $audit;
        $this{'file'}    = $logsn;
        if ($trimOPT) {
            $this{'scontext'} = contextFMT($this{'scontext'});
            $this{'tcontext'} = contextFMT($this{'tcontext'});
        }
        $smax = length($this{'scontext'}) if ($smax < length($this{'scontext'}));
        $tmax = length($this{'tcontext'}) if ($tmax < length($this{'tcontext'}));

        # Okay, let's index the record under each of its keys
        foreach (keys %this) {
            next if (/audit|timetag|file/);
            $avc->{$_} = {} if (!defined($avc->{$_}));
            $avc->{$_}->{$this{$_}} = [] if (!defined($avc->{$_}->{$this{$_}}));
            push @{$avc->{$_}->{$this{$_}}}, \%this;
        }
    }
    close LOGF;
    $avc->{'_scontext_max_'} = $smax;
    $avc->{'_tcontext_max_'} = $tmax;
}

## ----------------------------------------------------------------------------------------------
## keyTREE avc-hash key [show-file]
# Show the records indexed by the selected key in a (single-depth) tree view
sub keyTREE {
    my $avc      = shift;
    my $kcat     = shift;
    my $showfile = shift;
    return if ($kcat =~ /_scontext_max_|_tcontext_max_/);    # bookkeeping entries, not keys
    my $hcat   = $avc->{$kcat};
    my $lvl    = 1;
    my $isSctx = ($kcat =~ /scontext/);
    my $isTctx = ($kcat =~ /tcontext/);
    my $smax   = $isSctx ? 0 : $avc->{'_scontext_max_'};
    my $tmax   = $isTctx ? 0 : $avc->{'_tcontext_max_'};

    print "\n# ", '-' x 80, "[", $kcat, "]\n";
    foreach my $kmsg (sort keys %$hcat) {
        printf "|\n+-[%-*s]\n", $smax, $hcat->{$kmsg}[0]->{$kcat};
        $lvl++;
        my $buf;
        my $i;
        my $cnt = scalar @{$hcat->{$kmsg}};
        foreach my $hmsg (@{$hcat->{$kmsg}}) {
            $buf .= sprintf "%s %-*s %s %-*s %s%s(%s) : %s : %s %s%s%s\n",
                $isTctx ? '+<-' : '+->',
                $smax, $isSctx ? '' : $hmsg->{'scontext'},
                ($isTctx || $isSctx) ? '' : '-+->',
                $tmax, $isTctx ? '' : $hmsg->{'tcontext'},
                defined($showfile) ? $hmsg->{'file'} . '> ' : '',
                $hmsg->{'comm'}, $hmsg->{'pid'}, $hmsg->{'tclass'}, $hmsg->{'action'},
                defined($hmsg->{'name'}) ? ': ' . $hmsg->{'name'} : '',
                defined($hmsg->{'key'})  ? ' : ' . $hmsg->{'key'}  : '',
                defined($hmsg->{'dev'})
                    ? ' : ' . $hmsg->{'dev'} . (defined($hmsg->{'ino'}) ? ' : ' . $hmsg->{'ino'} : '')
                    : '';
            $i = $lvl;
            $buf = '| ' . $buf while (--$i);
            print $buf;
            $buf = "";
            # the record's remaining key=value pairs go on a continuation line
            foreach my $k (sort keys %$hmsg) {
                next if ($k =~ /file|scontext|tcontext|comm|pid|tclass|action|name|dev|ino|key|$kcat/);
                next if ($skiptags && $k =~ /timetag|audit/);
                $buf .= sprintf "%s=%s ", $k, $hmsg->{$k};
            }
            if ($buf) {
                $buf = sprintf "%*s%s\n", ($cnt == 1) ? $smax + $tmax + 10 + 2 : $smax + $tmax + 10, "", $buf;
                $i = (--$cnt) ? $lvl : $lvl - 1;
                $buf = '| ' . $buf while ($i--);
                print $buf;
                $buf = "";
            }
        }
        $lvl--;
    }
    $lvl--;
}

## ----------------------------------------------------------------------------------------------
# Parse log files
readLOG(\%avc, $_) foreach (@logOPT);

# Decide which keys to print
@catOPT = (sort keys %avc) if (defined($catARG) && ((!scalar @catOPT) || grep /all/, @catOPT));
@catOPT = @catDEF if (!defined($catARG));

print "\n> Copyright (C) 2007, LEE, \"Kok Seng\" (kokseng at ieee dot org)";
print "\n> Notice: get help and condition of usage information regarding this script: $thisScript --help\n";
keyTREE(\%avc, $_, scalar @logOPT > 1 ? 1 : undef) foreach (@catOPT);

## ----------------------------------------------------------------------------------------------
# vim :ts=4:sw=4:
1;

From cra at WPI.EDU Tue May 15 06:32:06 2007 
From: cra at WPI.EDU (Chuck Anderson)
Date: Tue, 15 May 2007 02:32:06 -0400
Subject: allowing tftpd to make pxe functional
In-Reply-To: <46422328.9080609@gmail.com>
References: <46422328.9080609@gmail.com>
Message-ID: <20070515063206.GB4900@angus.ind.WPI.EDU>

On Wed, May 09, 2007 at 03:38:16PM -0400, eric magaoay wrote:
> Summary
> SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to / (rsync_data_t).
> Source Context user_u:system_r:tftpd_t
> Target Context system_u:object_r:rsync_data_t
> Target Objects / [ dir ]

I believe your / is labelled incorrectly. Mine is:

system_u:object_r:root_t

From mike.clarkson at baesystems.com Tue May 15 15:54:20 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Tue, 15 May 2007 08:54:20 -0700
Subject: runcon vs newrole
Message-ID: 

What are the differences between and advantages/disadvantages of the following two commands:

runcon -l s1
newrole -l s1 --c

From mike.clarkson at baesystems.com Tue May 15 16:07:52 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Tue, 15 May 2007 09:07:52 -0700
Subject: runcon cmd preventing default domain transition
Message-ID: 

I have my policy set up to do a domain transition from the datalabeler_t domain to the import_t domain when the datalabeler_t domain executes the SimulatedImport (type import_exec_t) executable. This works fine until I execute the SimulatedImport executable using a runcon command: "runcon -l s1 SimulatedImport"

The intent is to start the import_t domain at the s1 level, but the runcon command prevents the default domain transition from occurring. I found I had to use the following to force the domain transition while also setting the level of the process: "runcon -t import_t -l s1 SimulatedImport"

Can anyone tell me why I have to explicitly set the type to get the domain transition to occur? The policy is set up to do the domain transition by default when the ImportExecutable is executed in the datalabeler_t domain, and this works fine when I don't use the runcon command, but then the import_t domain is not running at the level that I want.

Thanks,
Mike

From dwalsh at redhat.com Tue May 15 18:24:13 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 15 May 2007 14:24:13 -0400
Subject: runcon vs newrole
In-Reply-To: 
References: 
Message-ID: <4649FACD.6060908@redhat.com>

Clarkson, Mike R (US SSA) wrote:
> What are the differences between and advantages/disadvantages of the
> following two commands:
>
> runcon -l s1
> newrole -l s1 --c
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
Off the top of my head

newrole will change the terminal to the level you want to output. So if the app read/writes to the terminal it will work.

runcon will not so terminal apps will fail. Writing SystemHigh to a SystemLow terminal should not work.

From dwalsh at redhat.com Tue May 15 18:28:04 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 15 May 2007 14:28:04 -0400
Subject: runcon cmd preventing default domain transition
In-Reply-To: 
References: 
Message-ID: <4649FBB4.4030407@redhat.com>

Clarkson, Mike R (US SSA) wrote:
> I have my policy set up to do a domain transition from the datalabeler_t
> domain to the import_t domain when the datalabeler_t domain executes the
> SimulatedImport (type import_exec_t) executable. This works fine until I
> execute the SimulatedImport executable using a runcon command: "runcon
> -l s1 SimulatedImport"
>
> The intent is to start the import_t domain at the s1 level, but the
> runcon command prevents the default domain transition from occurring. I
> found I had to use the following to force the domain transition while
> also setting the level of the process: "runcon -t import_t -l s1
> SimulatedImport"
>
> Can anyone tell me why I have to explicitly set the type to get the
> domain transition to occur? The policy is set up to do the domain
> transition by default when the ImportExecutable is executed in the
> datalabeler_t domain, and this works fine when I don't use the runcon
> command, but then the import_t domain is not running at the level that I
> want.
>
> Thanks,
> Mike
>
runcon is doing a setexeccon which will override the transition. So the code does a getprevcon to get the context of the process running runcon. It then changes the component of the security context you selected and does a setexeccon.

So if I am running sysadm_u:sysadm_r:sysadm_t:s0 and I run

runcon -l s1 SimulatedImport

It will attempt a setexeccon("sysadm_u:sysadm_r:sysadm_t:s1") and then exec the app. No transition will happen.

From dwalsh at redhat.com Tue May 15 18:32:25 2007
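As an added example, not part of Dan's reply and not the code of coreutils runcon or libselinux, here is the context manipulation he describes, in C: parse the caller's context (what getprevcon returns), replace only the components named on the command line, and produce the string that would be handed to setexeccon() before the exec. Because the exec context is set explicitly, the kernel uses it instead of the policy's type_transition rule, which is why -l on its own keeps the caller's type and only -t changes it. The example assumes the standard context layout user:role:type[:range], splitting at the first three colons only, since an MLS range such as s0-s15:c0.c255 itself contains colons; it makes no libselinux call, so it compiles and runs without SELinux, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not runcon's code): build the context runcon would pass to
 * setexeccon() from the caller's context and the -u/-r/-t/-l overrides. */

#define CTX_MAX 256

/* "user:role:type[:range]"; the range may contain ':' (s0-s15:c0.c255), so
 * only the first three ':' separate components and the rest is the range. */
struct secctx {
    char user[CTX_MAX], role[CTX_MAX], type[CTX_MAX];
    char range[CTX_MAX];            /* "" when the context carries no range */
};

static int set_field(char *dst, const char *src, size_t len)
{
    if (len == 0 || len >= CTX_MAX)
        return -1;                  /* empty or oversized component: malformed */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* 0 on success, -1 on a malformed context (fewer than three components, an
 * empty component, or a trailing ':' with no range after it). */
int parse_context(const char *s, struct secctx *c)
{
    char *fields[3] = { c->user, c->role, c->type };
    const char *p = s;
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (set_field(fields[i], p, len) != 0)
            return -1;
        if (colon == NULL) {
            if (i < 2)
                return -1;          /* fewer than three components */
            c->range[0] = '\0';     /* non-MLS context: no range */
            return 0;
        }
        p = colon + 1;
    }
    return set_field(c->range, p, strlen(p));   /* everything after the 3rd ':' */
}

int format_context(const struct secctx *c, char *out, size_t outlen)
{
    int n = c->range[0] != '\0'
        ? snprintf(out, outlen, "%s:%s:%s:%s", c->user, c->role, c->type, c->range)
        : snprintf(out, outlen, "%s:%s:%s", c->user, c->role, c->type);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* current: the caller's context. user/role/type/range: the -u/-r/-t/-l
 * values, NULL meaning "keep the caller's". out receives the string runcon
 * would pass to setexeccon(). Returns 0, or -1 on malformed input. */
int runcon_build_context(const char *current, const char *user, const char *role,
                         const char *type, const char *range,
                         char *out, size_t outlen)
{
    struct secctx c;
    if (parse_context(current, &c) != 0)
        return -1;
    if (user  && set_field(c.user,  user,  strlen(user))  != 0) return -1;
    if (role  && set_field(c.role,  role,  strlen(role))  != 0) return -1;
    if (type  && set_field(c.type,  type,  strlen(type))  != 0) return -1;
    if (range && set_field(c.range, range, strlen(range)) != 0) return -1;
    return format_context(&c, out, outlen);
}

int main(void)
{
    char out[CTX_MAX * 4];
    /* Dan's example: -l alone keeps sysadm_t, so no transition to import_t */
    if (runcon_build_context("sysadm_u:sysadm_r:sysadm_t:s0",
                             NULL, NULL, NULL, "s1", out, sizeof out) == 0)
        printf("runcon -l s1             -> setexeccon(\"%s\")\n", out);
    /* Mike's workaround: name the target type as well as the level */
    if (runcon_build_context("sysadm_u:sysadm_r:sysadm_t:s0",
                             NULL, NULL, "import_t", "s1", out, sizeof out) == 0)
        printf("runcon -t import_t -l s1 -> setexeccon(\"%s\")\n", out);
    return 0;
}
```

In a real program the resulting string is what goes to setexeccon(); the policy must still allow the caller's domain to transition directly to that context, which is the privilege requirement Stephen Smalley contrasts with newrole later in the thread.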
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 15 May 2007 14:32:25 -0400
Subject: runcon cmd preventing default domain transition
In-Reply-To: 
References: 
Message-ID: <4649FCB9.6000608@redhat.com>

Clarkson, Mike R (US SSA) wrote:
> I have my policy set up to do a domain transition from the datalabeler_t
> domain to the import_t domain when the datalabeler_t domain executes the
> SimulatedImport (type import_exec_t) executable. This works fine until I
> execute the SimulatedImport executable using a runcon command: "runcon
> -l s1 SimulatedImport"
>
> The intent is to start the import_t domain at the s1 level, but the
> runcon command prevents the default domain transition from occurring. I
> found I had to use the following to force the domain transition while
> also setting the level of the process: "runcon -t import_t -l s1
> SimulatedImport"
>
> Can anyone tell me why I have to explicitly set the type to get the
> domain transition to occur? The policy is set up to do the domain
> transition by default when the ImportExecutable is executed in the
> datalabeler_t domain, and this works fine when I don't use the runcon
> command, but then the import_t domain is not running at the level that I
> want.
>
> Thanks,
> Mike
>
You might get what you want to happen by executing

runcon -l s1 sh -- -c SimulatedImport

From mike.clarkson at baesystems.com Tue May 15 20:51:06 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Tue, 15 May 2007 13:51:06 -0700
Subject: link error when using getcon
Message-ID: 

Can anyone help me out with this link error?

% g++ -L/usr/lib64 -lselinux -o SimulatedImport SimulatedImport.cc
/tmp/cc2AWYzw.o(.text+0x1ab): In function `main':
: undefined reference to `getcon(char**)'
collect2: ld returned 1 exit status

I thought that all I needed to link in was libselinux.a, located at /usr/lib64/libselinux.a

I have the following lines in SimulatedImport.cc:
security_context_t *context = 0;
int gcrtn = getcon(context);

Thanks,
Mike

From dwalsh at redhat.com Wed May 16 01:20:22 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 15 May 2007 21:20:22 -0400
Subject: link error when using getcon
In-Reply-To: 
References: 
Message-ID: <464A5C56.1030202@redhat.com>

Clarkson, Mike R (US SSA) wrote:
> Can anyone help me out with this link error?
>
> % g++ -L/usr/lib64 -lselinux -o SimulatedImport SimulatedImport.cc
> /tmp/cc2AWYzw.o(.text+0x1ab): In function `main':
> : undefined reference to `getcon(char**)'
> collect2: ld returned 1 exit status
>
> I thought that all I needed to link in was libselinux.a, located at
> /usr/lib64/libselinux.a
>
> I have the following lines in SimulatedImport.cc:
> security_context_t *context = 0;
> int gcrtn = getcon(context);
>
> Thanks,
> Mike
>
Do you need?

extern "C" {
/// Get declaration for f(int i, char c, float x)/
#include
}

From mike.clarkson at baesystems.com Wed May 16 16:43:42 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Wed, 16 May 2007 09:43:42 -0700
Subject: link error when using getcon
References: <464A5C56.1030202@redhat.com>
Message-ID: 

That worked. I forgot that libselinux was compiled as C and not C++.

Thank you!

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Tuesday, May 15, 2007 6:20 PM
> To: Clarkson, Mike R (US SSA)
> Cc: fedora-selinux-list at redhat.com
> Subject: Re: link error when using getcon
>
> Clarkson, Mike R (US SSA) wrote:
> > Can anyone help me out with this link error?
> >
> > % g++ -L/usr/lib64 -lselinux -o SimulatedImport SimulatedImport.cc
> > /tmp/cc2AWYzw.o(.text+0x1ab): In function `main':
> > : undefined reference to `getcon(char**)'
> > collect2: ld returned 1 exit status
> >
> > I thought that all I needed to link in was libselinux.a, located at
> > /usr/lib64/libselinux.a
> >
> > I have the following lines in SimulatedImport.cc:
> > security_context_t *context = 0;
> > int gcrtn = getcon(context);
> >
> > Thanks,
> > Mike
> >
> Do you need?
>
> extern "C" {
> /// Get declaration for f(int i, char c, float x)/
> #include
> }

From kokseng at ieee.org Thu May 17 06:29:58 2007
From: kokseng at ieee.org (Lee Kok Seng)
Date: Thu, 17 May 2007 14:29:58 +0800
Subject: [SCRIPT] avctree 1.0.4
Message-ID: 

Hello,

Here is version 1.0.4 of the script previously posted.

a. Added regular expression (perl) to select messages to display
   e.g. avctree --re="context=~/java/" will show any avc message that has 'java' in scontext *or* tcontext.
   e.g. avctree --re="*=~/initrc/" will show any avc messages that has 'su' anywhere.

b. Added message selection based on age of message
   e.g. avctree --age 3h will show avc messages not older than 3 hours from when you run the script.

c. Added 'unique' format of print
   e.g. avctree --uniq will show avc messages that are unique once, i.e. scontext, tcontext, comm, name, dev, ino, key all match up (except time tag, audit tag, pid ... so, use with this in mind)

Try this: avctree --uniq --age 1d

/ks

p/s: This post may have duplicates resulting in problems in posting this update. Sorry if so. This will also be 'it' for the time being, having got this script to give me the productivity I need to work with selinux.

------------------------------------------------------ cut ---------------------------------------------
#!/usr/bin/perl -w
# [The header between the shebang and the usage text, including the version
#  history, did not survive the list archive. The declarations below are
#  taken from the context lines of the follow-up patch in this thread.]
my $version = '1.0.4+';
use strict;
use warnings;
use Getopt::Long;
my ($thisScript) = ($0 =~ /.*?\/*(\w+)$/);

sub usage {
    print <<USAGETXT;
[the opening lines of this usage text, up to the --log option, are missing from the archived post]
                          /var/log/messages, /var/log/kernel
  --tags                : Show time and audit tags
  --key=key,...         : List messages indexed-sorted by specified key
                          no argument or all => all keys
                          Not specified      => scontext,tcontext,action,comm,name
  --trim=yes|no|1|0     : Trim context string. Default: yes
  --re="expr"           : Filter using supplied regular expression
                          special:
                          a. To match either scontext or tcontext, specify
                             --re="context=~/^(dhcp|su)/"
                             which will match scontext or tcontext if either starts with dhcp or su.
                          b. To match any key's value, specify
                             --re="*=~/dhcp|su/"
                             which will print all messages that has dhcp or su in any key's value
  --age[=time-spec]     : Show messages that are not older than specified age.
                          time spec := numeric[unit]
                          numeric   := integer or float    default: 10
                          unit      := s | m | h | d | w   default: m
  --uniq                : Show in unique format.
  --help
--------------------------------------------------------------------------------------------
Examples:
  a. $thisScript --key=scontext
     Print avc messages indexed-sorted by source context.
  b. $thisScript --key=tcontext
     Print avc messages indexed-sorted by target context.
  c. $thisScript --key=comm
     Print avc messages indexed-sorted by command executed.
  d. $thisScript --key=name
     Print avc messages indexed-sorted by target object's name.
  e. $thisScript --key=all or $thisScript --key
     Print avc messages indexed-sorted by all keys.
  f. $thisScript
     Print avc messages indexed-sorted by scontext, tcontext, comm, name (default)
  g. $thisScript --trim=no
     Print avc messages without trimming context string.
  h. $thisScript --log=/var/log/messages,/var/log/messages.1,/var/log/messages.2
     Print avc messages from log files listed (delimited by comma).
  i. $thisScript --tags
     Print avc messages, including in each message the log time tag and audit tag.
  j. $thisScript --re="name=~/dhcp/ && comm=~/dhcp/"
     Print avc messages which has dhcp in name or comm
USAGETXT
    exit -1;
}
#
my $logARG;   # Log files to parse
my $tagsARG;  # Show time and audit tags
my $catARG;   # Categories to print
my $helpARG;  # Help
my $trimARG;  # Trim context string for readability
my $ageARG;   # Age specification
my $reARG;    # Regular Expression
my $uniqARG;  # Unique format

usage(), exit unless GetOptions(
    'log:s'  => \$logARG,
    'tags!'  => \$tagsARG,
    'key:s'  => \$catARG,
    'trim:s' => \$trimARG,
    're:s'   => \$reARG,
    'age:s'  => \$ageARG,
    'uniq!'  => \$uniqARG,
    'help!'  => \$helpARG
);
usage() if (defined($helpARG));
## ----------------------------------------------------------------------------------------------
## Option: skip tags
my $skiptags = defined($tagsARG) ? 0 : 1;
## Option: log files
my @logOPT = grep -e $_, split /,|\n|\r/, $logARG if (defined($logARG));
@logOPT = ('/var/log/messages','/var/log/kernel','/var/log/debug','/var//log/audit')
    if (defined($logARG) && ((!scalar @logOPT) || grep /all/, @logOPT));
@logOPT = ('/var/log/audit')    if (!scalar @logOPT && -e '/var/log/audit');
@logOPT = ('/var/log/kernel')   if (!scalar @logOPT && -e '/var/log/kernel');
@logOPT = ('/var/log/messages') if (!scalar @logOPT);
## Option: Category
my @catOPT = split /,|\n|\r/, $catARG if (defined($catARG));
my @catDEF = ('scontext','tcontext','comm','name');
## Option: Trim
# "no", "0" or an empty value turn trimming off; anything else (e.g. "yes") keeps the default.
my $trimOPT = defined($trimARG) ? ($trimARG =~ /^(?:no|0)?$/i ? 0 : 1) : 1;
## Option: regular expression
my @reOPT = split /,|\n|\r/, $reARG if (defined($reARG));
## Option: age
my @ageOPT = split /,|\n|\r/, $ageARG if (defined($ageARG));
@ageOPT = ('10m') if (defined($ageARG) && !scalar @ageOPT);
my ($age, $tu) = ($ageOPT[0] =~ /\s*([\d\.]+)\s*([smhdw]).*/);
undef $ageARG if (!defined($age));
$age *= defined($tu) ? ($tu eq 'm' ? 60 : ($tu eq 'h' ? 3600 : ($tu eq 'd' ? 86400 : ($tu eq 'w' ? 604800 : 1)))) : 1 if (defined($ageARG));
## ----------------------------------------------------------------------------------------------
#
## Regular expression for parsing avc's 'denied' messages
## (the day of month is one or two digits in syslog time stamps, e.g. "May  9")
my $avcRE = qr/^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})[\s\w]+:\s*audit\(([\d.:]+)\)\s*:\s*avc\s*:\s*denied\s+\{\s+([\w\s]+)\s+}\s+for\s+(.*)/;
## Holds indexed avc message records
my %avc;
my $epoch = time();
## ----------------------------------------------------------------------------------------------
## contextFMT
# Format context string for readability
sub contextFMT {
    my $ctxt = shift;
    my ($u,$r,$t,$l) = split /:/, $ctxt;
    $u =~ s/(.*)_./$1/;
    $r =~ s/(.*)_./$1/;
    $t =~ s/(.*)_./$1/;
    return $u . '-' . $r . '-' . $t;
}
## ----------------------------------------------------------------------------------------------
## prepRE reference-avc reference-re-list
# Prepare regular expression from user supplied string
sub prepRE {
    my $avc   = shift;
    my $reOPT = shift;
    my @re    = @$reOPT;
    if (grep /\*\s*=~/, @re) {
        my @restr;
        push @restr, /\s*\*\s*=~\s*\/([^\/]+)\/\s*/g foreach (@re);
        my $str = "{my \$ret=0; (\$ret |= (";
        s/(.*)/\$this{\$_}=~\/$_\// foreach (@restr);
        $str .= join ' || ', @restr;
        $str .= ")) foreach (keys \%this); \$ret;}";
        #print "\nprepRE=$str";
        return $str;
    } else {
        # tbd : improve on regex / ... / parsing
        s/\s*context\s*(=~\s*\/[^\/]+\/)\s*/\(scontext$1||tcontext$1\)/g foreach (@re);
        s/\s*(\w+)\s*=~/\$this\{\'$1\'\} =~/g foreach (@re);
        my $str = '(' . join(' ) || ( ', @re) . ')';
        $str =~ s/\|\|\s*\(\s*\)//g;
        return $str;
    }
}
## ----------------------------------------------------------------------------------------------
## readLOG log-file-name
# Reads the specified log file
sub readLOG {
    my $avc     = shift;
    my $logfile = shift;
    my $reopt   = shift;
    my $logsn   = ($logfile =~ /.*\/(.*)$/)[0];
    my $tmax    = defined($avc->{'_tcontext_max_'}) ? $avc->{'_tcontext_max_'} : 0;
    my $smax    = defined($avc->{'_scontext_max_'}) ? $avc->{'_scontext_max_'} : 0;
    my $rex     = undef;
    open LOGF, '<' . $logfile || die "Cannot open input file: $logfile";
    while (<LOGF>) {
        s/\r|\n//g;
        next if (!$_);
        next if (!/\s+avc:\s+/);
        my ($timetag, $audit, $action, $detail) = ($_ =~ /$avcRE/);
        next if (!defined($action) || !defined($detail) || !defined($timetag) || !defined($audit));
        # okay, we have an avc 'denied' message
        my %this;                          # this hash will keep the message's key=value
        my @fields = split /\s|\r|\n/, $detail;
        foreach (@fields) {
            next if (!$_);
            my ($key,$val) = split /=/;
            next if (!$key||!$val);
            $val =~ s/[\"\']*([^\"\']*)[\"\']*/$1/;
            $this{"$key"} = $val;
        }
        # check age of message
        if (defined($ageARG) && defined($audit)) {
            my ($tm) = ($audit =~ /([\d+\.]+).*/);
            next if (defined($tm) && $epoch - $tm > $age);
        }
        # Filter, if specified
        $rex = prepRE($avc, $reopt) if (!defined($rex) && defined($reopt));
        next if (defined($rex) && ! eval $rex);
        $this{'action'}  = $action;
        $this{'timetag'} = $timetag;
        $this{'audit'}   = $audit;
        $this{'file'}    = $logsn;
        if ($trimOPT) {
            $this{'scontext'} = contextFMT($this{'scontext'});
            $this{'tcontext'} = contextFMT($this{'tcontext'});
        }
        $smax = length($this{'scontext'}) if ($smax < length($this{'scontext'}));
        $tmax = length($this{'tcontext'}) if ($tmax < length($this{'tcontext'}));
        # Check if this message is unique
        my $uniq = 1;
        if (defined($uniqARG) && defined($avc{'scontext'}) && defined($avc{'scontext'}->{$this{'scontext'}})) {
            foreach (@{$avc{'scontext'}->{$this{'scontext'}}}) {
                if ($_->{'tcontext'} eq $this{'tcontext'} &&
                    ($_->{'comm'} eq $this{'comm'}) &&
                    ($_->{'name'} eq $this{'name'}) &&
                    ($_->{'tclass'} eq $this{'tclass'}) &&
                    ($_->{'action'} eq $this{'action'}) &&
                    (!defined($_->{'dev'}) || $_->{'dev'} eq $this{'dev'}) &&
                    (!defined($_->{'ino'}) || $_->{'ino'} eq $this{'ino'}) &&
                    (!defined($_->{'key'}) || $_->{'key'} eq $this{'key'})
                ) {
                    $_->{'_same_'} = [()] if (!defined($_->{'_same_'}));
                    push @{$_->{'_same_'}}, \%this;
                    $uniq = 0;
                    last;
                }
            }
        }
        next if (!$uniq);
        # Okay, let's index the records with various keys
        foreach (keys %this) {
            next if (/audit|timetag|file|_same_/);
            $avc->{$_} = {} if (!defined($avc->{$_}));
            $avc->{$_}->{$this{$_}} = [()] if (!defined($avc->{$_}->{$this{$_}}));
            push @{$avc->{$_}->{$this{$_}}}, \%this;
        }
    }
    close LOGF;
    $avc->{'_scontext_max_'} = $smax;
    $avc->{'_tcontext_max_'} = $tmax;
}
## ----------------------------------------------------------------------------------------------
## keyTREE key
# Show selected key in a tree view
sub keyTREE {
    my $avc      = shift;
    my $kcat     = shift;
    my $showfile = shift;
    my $hcat     = $avc->{$kcat};
    my $lvl      = 1;
    my $isSctx   = ($kcat =~ /scontext/);
    my $isTctx   = ($kcat =~ /tcontext/);
    my $smax     = $isSctx ? 0 : $avc->{'_scontext_max_'};
    my $tmax     = $isTctx ? 0 : $avc->{'_tcontext_max_'};
    return if ($kcat =~ /_scontext_max_|_tcontext_max_/);   # bookkeeping entries, not keys
    print "\n# ";
    print "-" x 80;
    print "[", $kcat, "]\n";
    foreach my $kmsg (sort keys %$hcat) {
        printf "|\n+-[%-*s]\n", $smax, $hcat->{$kmsg}[0]->{$kcat};
        $lvl++;
        my $buf;
        my $i;
        my $cnt = scalar @{$hcat->{$kmsg}};
        foreach my $hmsg (@{$hcat->{$kmsg}}) {
            $buf .= sprintf "%s %-*s %s %-*s %s%s(%s) : %s : %s %s%s%s\n",
                $isTctx ? '+<-' : '+->',
                $smax, $isSctx ? '' : $hmsg->{'scontext'},
                ($isTctx || $isSctx) ? '' : '-+->',
                $tmax, $isTctx ? '' : $hmsg->{'tcontext'},
                defined($showfile) ? $hmsg->{'file'} . '> ' : '',
                $hmsg->{'comm'}, $hmsg->{'pid'}, $hmsg->{'tclass'}, $hmsg->{'action'},
                defined($hmsg->{'name'}) ? ': ' . $hmsg->{'name'} : '',
                defined($hmsg->{'key'})  ? ' : ' . $hmsg->{'key'} : '',
                defined($hmsg->{'dev'})  ? ' : ' . $hmsg->{'dev'} . (defined($hmsg->{'ino'}) ? ' : ' . $hmsg->{'ino'} : '') : '';
            $i = $lvl;
            $buf = '| ' . $buf while (--$i);
            print $buf;
            $buf = "";
            foreach my $kmsg (sort keys %$hmsg) {
                next if ($kmsg =~ /file|scontext|tcontext|comm|pid|tclass|action|name|dev|ino|key|_same_|$kcat/);
                next if ($skiptags && $kmsg =~ /timetag|audit/);
                $buf .= sprintf "%s=%s ", $kmsg, $hmsg->{$kmsg};
            }
            $buf .= sprintf "+-[%u] similar message%s", scalar @{$hmsg->{'_same_'}}, scalar @{$hmsg->{'_same_'}} > 1 ? 's' : ''
                if (defined($uniqARG) && defined($hmsg->{'_same_'}));
            if ($buf) {
                $buf = sprintf "%*s%s\n", ($cnt == 1) ? $smax + $tmax + 10 + 2 : $smax + $tmax + 10, "", $buf;
                $i = (--$cnt) ? $lvl : $lvl - 1;
                $buf = '| ' . $buf while ($i--);
                print $buf;
                $buf = "";
            }
        }
        $lvl--;
    }
    $lvl--;
}
## ----------------------------------------------------------------------------------------------
# Parse log files
my @logLIST = @logOPT;
readLOG(\%avc, $_, scalar @reOPT ? \@reOPT : undef) foreach (@logLIST);
# Decide which category to print
@catOPT = (sort keys %avc) if (defined($catARG) && (! scalar @catOPT) || grep /all/, @catOPT);
@catOPT = @catDEF if (!defined($catARG));
print "\n> $thisScript version $version, Copyright (C) 2007, LEE, \"Kok Seng\" (kokseng at ieee dot org)";
print "\n> Notice: get help and condition of usage information regarding this script: $thisScript --help";
print "\n> File(s) parsed: ", join ', ', @logOPT, " Key(s) : ", join ', ', @catOPT;
print "\n> Regular expression = ", join ' or ', @reOPT if (scalar @reOPT);
print "\n> Age not more than ", $ageARG, " (", $age, " seconds)" if (defined($ageARG));
print "\n> Unique mode is ON" if (defined($uniqARG));
print "\n";
keyTREE(\%avc, $_, scalar @logOPT > 1 ? 1 : undef) foreach (@catOPT);
## ----------------------------------------------------------------------------------------------
# vim :ts=4:sw=4:
1;

From mike.clarkson at baesystems.com Thu May 17 23:06:20 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Thu, 17 May 2007 16:06:20 -0700
Subject: setrans.conf
References: <464A5C56.1030202@redhat.com>
Message-ID: 

I read that the setrans.conf file maps human readable names to the sensitivities and categories in SELinux, and that this file is created using semanage. After manning semanage I don't see how to create the mapping. Can anyone help me out.

Thanks

From sundaram at fedoraproject.org Thu May 17 23:35:25 2007
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Fri, 18 May 2007 05:05:25 +0530
Subject: [SCRIPT] avctree 1.0.4
In-Reply-To: 
References: 
Message-ID: <464CE6BD.7060702@fedoraproject.org>

Lee Kok Seng wrote:
> Hello,
>
> Here is version 1.0.4 of the script previously posted.
> a. Added regular expression (perl) to select messages to display
> e.g avctree --re="context=~/java/" will show any avc message that has 'java' in
> scontext *or* tcontext.
> e.g avctree --re="*=~/initrc/" will show any avc messages that has 'su' anywhere.
>
> b. Added message selection based on age of message
> e.g avctree --age 3h will show avc messages not older than 3 hours from when you run the script.
>
> c. Added 'unique' format of print
> e.g avctree --uniq will show avc messages that are unique once, i.e. scontext, tcontext, comm,
> name, dev, ino, key all match up (except time tag, audit tag, pid ... so, use with this in mind)
>
> Try this: avctree --uniq --age 1d
>
> /ks

How about submitting and maintaining this as a package in Fedora?

http://fedoraproject.org/wiki/PackageMaintainers/Join

Rahul

From kokseng at ieee.org Fri May 18 09:09:55 2007
From: kokseng at ieee.org (Lee Kok Seng)
Date: Fri, 18 May 2007 17:09:55 +0800
Subject: [SCRIPT] avctree 1.0.4
In-Reply-To: <464CE6BD.7060702@fedoraproject.org>
References: <464CE6BD.7060702@fedoraproject.org>
Message-ID: 

On 18 May 2007, at 7:35 AM, Rahul Sundaram wrote:
> Lee Kok Seng wrote:
>> Hello,
>> Here is version 1.0.4 of the script previously posted.
>> a. Added regular expression (perl) to select messages to display
>> e.g avctree --re="context=~/java/" will show any avc message that has 'java' in
>> scontext *or* tcontext.
>> e.g avctree --re="*=~/initrc/" will show any avc messages that has 'su' anywhere.
>> b. Added message selection based on age of message
>> e.g avctree --age 3h will show avc messages not older than 3 hours from when you run the script.
>> c. Added 'unique' format of print
>> e.g avctree --uniq will show avc messages that are unique once, i.e. scontext, tcontext, comm,
>> name, dev, ino, key all match up (except time tag, audit tag, pid ... so, use with this in mind)
>> Try this: avctree --uniq --age 1d
>> /ks
>
> How about submitting and maintaining this as a package in Fedora?
>
> http://fedoraproject.org/wiki/PackageMaintainers/Join
>
> Rahul
>
No issue with me, but this is a simple script, does it warrant being a package?

Let me understand more what kind of work it takes to go down that path.

From wolfy at nobugconsulting.ro Fri May 18 09:57:12 2007
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Fri, 18 May 2007 12:57:12 +0300
Subject: [SCRIPT] avctree 1.0.4
In-Reply-To: 
References: 
Message-ID: <464D7878.6050003@nobugconsulting.ro>

Lee Kok Seng wrote:
> Hello,
>
> Here is version 1.0.4 of the script previously posted.
>
Hi

Under centos 4.5 (perl-5.8.5-36.RHEL4.i386) and Fedora 6 (perl-5.8.8-10) I get:

Use of uninitialized value in pattern match (m//) at ./avctree.pl line 133.

> pl version 1.0.4+, Copyright (C) 2007, LEE, "Kok Seng" (kokseng at ieee dot org)

Could you please fix this ?

manuel

From wolfy at nobugconsulting.ro Fri May 18 10:02:23 2007
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Fri, 18 May 2007 13:02:23 +0300
Subject: [SCRIPT] avctree 1.0.4
In-Reply-To: 
References: 
Message-ID: <464D79AF.4000006@nobugconsulting.ro>

Lee Kok Seng wrote:
> Hello,
>
> Here is version 1.0.4 of the script previously posted.

And this is on another centos (4.4) :

[root at imap ~]# ./avctree.pl --log=all
Use of uninitialized value in pattern match (m//) at ./avctree.pl line 133.
readline() on closed filehandle LOGF at ./avctree.pl line 197.
readline() on closed filehandle LOGF at ./avctree.pl line 197.

From jdennis at redhat.com Fri May 18 15:57:14 2007
From: jdennis at redhat.com (John Dennis)
Date: Fri, 18 May 2007 11:57:14 -0400
Subject: [SCRIPT] avctree 1.0.4
In-Reply-To: 
References: <464CE6BD.7060702@fedoraproject.org>
Message-ID: <1179503835.13650.13.camel@junko.usersys.redhat.com>

On Fri, 2007-05-18 at 17:09 +0800, Lee Kok Seng wrote:
> On 18 May 2007, at 7:35 AM, Rahul Sundaram wrote:
>
> > Lee Kok Seng wrote:
> >> Hello,
> >> Here is version 1.0.4 of the script previously posted.
> >> a. Added regular expression (perl) to select messages to display
> >
> > How about submitting and maintaining this as a package in Fedora?
> >
> > http://fedoraproject.org/wiki/PackageMaintainers/Join
> No issue with me, but this is a simple script, does it warrant being
> a package?
> Let me understand more what kind of work it takes to going down that
> path.

FYI the audit package now includes a parsing library (auparse). It is written in C and includes a python binding. It is also capable of performing searches. The thinking is auparse will be utilized by several pieces of audit technology and will serve as the base technology for audit parsing. Note, at the moment it is just a library of routines, but I imagine shortly the package will also include a front end utility.

Utilizing the audit parsing support in the audit RPM is probably preferable to introducing new RPMs.

--
John Dennis

From kokseng at ieee.org Sat May 19 00:03:24 2007
From: kokseng at ieee.org (Lee Kok Seng) Date: Sat, 19 May 2007 08:03:24 +0800 Subject: [SCRIPT] avctree 1.0.4 In-Reply-To: <464D7878.6050003@nobugconsulting.ro> References: <464D7878.6050003@nobugconsulting.ro> Message-ID: <2005F702-2468-448F-BB37-37AFC0CAAE0F@ieee.org> On 18 May 2007, at 5:57 PM, Manuel Wolfshant wrote: > Lee Kok Seng wrote: >> Hello, >> >> Here is version 1.0.4 of the script previously posted. >> > Hi > > Under centos 4.5 (perl-5.8.5-36.RHEL4.i386) and Fedora 6 > (perl-5.8.8-10) I get: > > Use of uninitialized value in pattern match (m//) at ./avctree.pl > line 133. > > > pl version 1.0.4+, Copyright (C) 2007, LEE, "Kok Seng" (kokseng > at ieee dot org) > > > Could you please fix this ? > > manuel > Lee Kok Seng wrote: > Hello, > > Here is version 1.0.4 of the script previously posted. > And this is on another centos (4.4) : [root at imap ~]# ./avctree.pl --log=all Use of uninitialized value in pattern match (m//) at ./avctree.pl line 133. readline() on closed filehandle LOGF at ./avctree.pl line 197. readline() on closed filehandle LOGF at ./avctree.pl line 197. Hello, Thanks for the report. Here is the fix. /ks -------------------------------------------------------------- [cut]---------------------------------------------------------- Index: avctree =================================================================== --- avctree (revision 21) +++ avctree (working copy) @@ -27,7 +27,7 @@ # 1.0.2 --re option allow context to mean scontext or tcontext, all to mean any key # 1.0.3 added --age option to select based on age of message # 1.0.4 added --uniq option to show messages that are unique -my $version='1.0.4+'; +my $version='1.0.4++'; use strict; use warnings; my ($thisScript) = ($0 =~ /.*?\/*(\w+)$/); 
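Review bot: the version bump to '1.0.4++' in the hunk at @@ -27,7 +27,7 @@ carries no changelog entry, although the comment block directly above it records one line per release (1.0.2, 1.0.3, 1.0.4); add a matching line, e.g. "# 1.0.4++ fixed uninitialized --age match and reading of a missing log file", or move to 1.0.5, so the string a user sees in the banner can be tied to what changed.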
@@ -115,7 +115,7 @@ my $skiptags = defined($tagsARG)?0:1; ## Option: log files my @logOPT = grep -e $_, split /,|\n|\r/, $logARG if (defined ($logARG)); - at logOPT = ('/var/log/messages','/var/log/kernel','/var/log/debug','/ var//log/audit') + at logOPT = ('/var/log/audit','/var/log/kernel','/var/log/messages','/ var/log/debug') if (defined($logARG) && ((!scalar @logOPT) || grep /all/, @logOPT)); @logOPT = ('/var/log/audit') if (!scalar @logOPT && -e '/var/log/ audit'); @logOPT = ('/var/log/kernel') if (!scalar @logOPT && -e '/var/log/ kernel'); @@ -130,7 +130,7 @@ ## Option: age my @ageOPT = split /,|\n|\r/, $ageARG if (defined($ageARG)); @ageOPT = ('10m') if (defined($ageARG) && !scalar @ageOPT); -my ($age, $tu) = ($ageOPT[0] =~ /\s*([\d\.]+)\s*([smhdw]).*/); +my ($age, $tu) = ($ageOPT[0] =~ /\s*([\d\.]+)\s*([smhdw]).*/) if @ageOPT; undef $ageARG if (!defined($age)); $age *= defined($tu)?($tu eq 'm'?60:($tu eq 'h'?3600:($tu eq 'd'? 86400:($tu eq 'w'?604800:1)))):1 if (defined($ageARG)); ## ------------------------------------------------------------------------ ---------------------- @@ -191,7 +191,8 @@ my $tmax = defined($avc->{'_tcontext_max_'})?$avc-> {'_tcontext_max_'}:0; my $smax = defined($avc->{'_scontext_max_'})?$avc-> {'_scontext_max_'}:0; my $rex = undef; - + + return if ( ! -e $logfile ); open LOGF, '<' . $logfile || die "Cannot open input file: $logfile"; while () { 
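Review bot: in the hunk at @@ -130,7 +130,7 @@, `my ($age, $tu) = ($ageOPT[0] =~ ...) if @ageOPT;` declares lexicals under a statement modifier, which perlsyn documents as undefined behaviour (the "my $x if COND" form), so this trades a warning for an unspecified result; declare first and assign conditionally instead:
my ($age, $tu);
($age, $tu) = ($ageOPT[0] =~ /\s*([\d\.]+)\s*([smhdw]).*/) if @ageOPT;
In the hunk at @@ -191,7 +191,8 @@, `return if ( ! -e $logfile );` stops the readline-on-closed-filehandle warning for a missing file but leaves the cause in the context line below it: in `open LOGF, '<' . $logfile || die ...` the `||` binds to the string `$logfile`, so the open is never checked and any failure (unreadable file, a directory, a name that exists but cannot be opened) still falls through to readline. Use `open LOGF, '<' . $logfile or die ...`, and prefer `-r` to `-e` for the early return so an unreadable log is reported rather than silently skipped.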
@@ -235,16 +236,19 @@ # Check if this message is unique my $uniq = 1; + #print "\n $this{scontext} $this{tcontext} $this{comm} $this {action} $this{tclass}"; if (defined($uniqARG)&&defined($avc{'scontext'})&&defined($avc {'scontext'}->{$this{'scontext'}})) { foreach (@{$avc{'scontext'}->{$this{'scontext'}}}) { + #print "\n $_->{scontext} $_->{tcontext} $_->{comm} $_-> {action} $_->{tclass}"; + if ($_->{'tcontext'} eq $this{'tcontext'} && ($_->{'comm'} eq $this{'comm'})&& - ($_->{'name'} eq $this{'name'}) && ($_->{'tclass'} eq $this{'tclass'}) && ($_->{'action'} eq $this{'action'}) && - (!defined($_->{'dev'}) || $_->{'dev'} eq $this{'dev'}) && - (!defined($_->{'ino'}) || $_->{'ino'} eq $this{'ino'}) && - (!defined($_->{'key'}) || $_->{'key'} eq $this{'key'}) + (!defined($_->{'name'}) || (defined($this{'name'}) && $_-> {'name'} eq $this{'name'})) && + (!defined($_->{'dev'}) || (defined($this{'dev'}) && $_->{'dev'} eq $this{'dev'})) && + (!defined($_->{'ino'}) || (defined($this{'ino'}) && $_->{'ino'} eq $this{'ino'})) && + (!defined($_->{'key'}) || (defined($this{'key'}) && $_->{'key'} eq $this{'key'})) ) { $_->{'_same_'} = [()] if (!defined($_->{'_same_'})); push @{$_->{'_same_'}}, \%this; 
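Review bot: the new conditions in the hunk at @@ -235,16 +236,19 @@ are asymmetric: `(!defined($_->{'name'}) || (defined($this{'name'}) && $_->{'name'} eq $this{'name'}))` treats a stored record that has no name as matching any later record, including one that does carry a name, so denials that differ only in the presence of name, dev, ino or key get folded into one "similar message" bucket. Compare presence on both sides, and since the reporter runs perl 5.8 (no `//` operator), spell it out, e.g. `(defined($_->{'name'}) ? $_->{'name'} : '') eq (defined($this{'name'}) ? $this{'name'} : '')` for each of the four fields. The two commented-out `#print` lines added in this hunk are debugging leftovers and should not be committed.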
@@ -336,10 +340,11 @@ readLOG(\%avc, $_, scalar @reOPT?\@reOPT:undef) foreach (@logLIST); # Decide which category to print @catOPT = (sort keys %avc) if (defined($catARG) && (! scalar @catOPT) || grep /all/, at catOPT ) ; - at catOPT = @catDEF if (!defined($catARG)); + at catOPT = grep !/^\s*$/, @catDEF if (!defined($catARG)); print "\n> $thisScript version $version, Copyright (C) 2007, LEE, \"Kok Seng\" (kokseng at ieee dot org)"; print "\n> Notice: get help and condition of usage inforamtion regarding this script: $thisScript --help"; -print "\n> File(s) parsed: ", join ', ', @logOPT, " Key(s) : ", join ', ', @catOPT; +print "\n> File(s) parsed: ", join ', ', @logOPT; +print "\n> Key(s) : " . join(', ', @catOPT); print "\n> Regular expression = ", join ' or ', @reOPT if (scalar @reOPT); print "\n> Age not more than ", $ageARG, " (", $age, " seconds)" if (defined($ageARG)); print "\n> Unique mode is ON" if (defined($uniqARG)); From kwizart at gmail.com Sat May 19 14:53:49 2007 From: kwizart at gmail.com (KH KH) Date: Sat, 19 May 2007 16:53:49 +0200 Subject: Need to handle xorg-x11-drv-nvidia with selinux-policy! Message-ID: Hello >From here http://www.nvnews.net/vbulletin/showthread.php?t=72490 There is a need to handle xorg-x11-drv-nvidia package with Selinux: This was previously documented to be done manually on documentation that uses livna package... The nvidia installer detect it but livna package uses a different scheme so it has be be handled somewhere else... This can be done into the xorg-x11-drv-nvidia package or into selinux-policy (the second is the prefered choice if possible). Because it deal with versioned libs i wonder if i can be possible to handle it easily with the selinux-policy package ? Thx for any advices (i will submit a bug for selinux-policy if it is possible) Nicolas (kwizart) From dwalsh at redhat.com Mon May 21 14:22:34 2007 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 21 May 2007 10:22:34 -0400
Subject: Need to handle xorg-x11-drv-nvidia with selinux-policy!
Message-ID: <4651AB2A.3050904@redhat.com>

KH KH wrote:
> Hello
>
> From here http://www.nvnews.net/vbulletin/showthread.php?t=72490
> There is a need to handle the xorg-x11-drv-nvidia package with SELinux:
> this was previously documented to be done manually in documentation
> that uses the livna package...
> The nvidia installer detects it, but the livna package uses a different
> scheme, so it has to be handled somewhere else...
>
> This can be done in the xorg-x11-drv-nvidia package or in
> selinux-policy (the second is the preferred choice if possible).
>
> Because it deals with versioned libs, I wonder if it can be possible to
> handle it easily with the selinux-policy package?
>
> Thx for any advice (I will submit a bug for selinux-policy if it is
> possible)
>
> Nicolas (kwizart)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The u1 update has these fixes (preview available on
http://people.redhat.com/dwalsh/SELinux/RHEL5).

Of course if nvidia would just fix the way they build their libraries,
this would probably not be a problem.

From sds at tycho.nsa.gov Mon May 21 19:02:10 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 21 May 2007 15:02:10 -0400
Subject: runcon vs newrole
In-Reply-To: <4649FACD.6060908@redhat.com>
References: <4649FACD.6060908@redhat.com>
Message-ID: <1179774130.3036.4.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-05-15 at 14:24 -0400, Daniel J Walsh wrote:
> Clarkson, Mike R (US SSA) wrote:
> > What are the differences between and advantages/disadvantages of the
> > following two commands:
> >
> > runcon -l s1
> > newrole -l s1 --c
> >
> Off the top of my head:
>
> newrole will change the terminal to the level you want to output. So if
> the app reads/writes to the terminal it will work.
>
> runcon will not, so terminal apps will fail. Writing SystemHigh to a
> SystemLow terminal should not work.

Further, newrole runs in its own domain and allows for transitions from
less privileged contexts to more privileged contexts, while runcon runs
in the caller's domain and requires the caller to already be
sufficiently privileged to directly make the transition.

--
Stephen Smalley
National Security Agency

From kwizart at gmail.com Tue May 22 10:16:25 2007
From: kwizart at gmail.com (KH KH)
Date: Tue, 22 May 2007 12:16:25 +0200
Subject: Need to handle xorg-x11-drv-nvidia with selinux-policy!
In-Reply-To: <4651AB2A.3050904@redhat.com>
References: <4651AB2A.3050904@redhat.com>

2007/5/21, Daniel J Walsh :
> KH KH wrote:
> > Hello
> >
> > From here http://www.nvnews.net/vbulletin/showthread.php?t=72490
> > There is a need to handle the xorg-x11-drv-nvidia package with SELinux:
> > this was previously documented to be done manually in documentation
> > that uses the livna package...
> > The nvidia installer detects it, but the livna package uses a different
> > scheme, so it has to be handled somewhere else...
> >
> > This can be done in the xorg-x11-drv-nvidia package or in
> > selinux-policy (the second is the preferred choice if possible).
> >
> > Because it deals with versioned libs, I wonder if it can be possible to
> > handle it easily with the selinux-policy package?
> >
> > Thx for any advice (I will submit a bug for selinux-policy if it is
> > possible)
> >
> > Nicolas (kwizart)
>
> The u1 update has these fixes (preview available on
> http://people.redhat.com/dwalsh/SELinux/RHEL5).

Well, I didn't manage to check (which one may I check?)

> Of course if nvidia would just fix the way they build their libraries,
> this would probably not be a problem.
>
Should we request it from nVidia? Is it related to CFLAGS and
$RPM_OPT_FLAGS?

Well, I forgot to say that the livna packaging scheme uses a different
path for these libraries (to prevent replacement issues)...
And I also don't know currently if the new lib (libnvidia-wfb.so.%{version},
provided with version > 97xx) is concerned by the need to change the
SELinux context...
If I take care of the SELinux context inside xorg-x11-drv-nvidia I will
have in the %post section (where nvidialibdir is %{_libdir}/nvidia):

%{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{_libdir}/xorg/modules/drivers/nvidia_drv.so &>/dev/null
%{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} &>/dev/null
%{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{nvidialibdir}/libGLcore.so.%{version} &>/dev/null
%{_sbindir}/semanage fcontext -a -t textrel_shlib_t %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null
if sestatus | egrep -q 'SELinux status.*enabled'
then
  restorecon %{_libdir}/xorg/modules/drivers/nvidia_drv.so \
    %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version} \
    %{nvidialibdir}/libGLcore.so.%{version} \
    %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null || :
fi || :

Thx for your advice!

Nicolas (kwizart)

From dwalsh at redhat.com Tue May 22 13:33:14 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 22 May 2007 09:33:14 -0400
Subject: Need to handle xorg-x11-drv-nvidia with selinux-policy!
References: <4651AB2A.3050904@redhat.com>
Message-ID: <4652F11A.5000307@redhat.com>

KH KH wrote:
> 2007/5/21, Daniel J Walsh :
>> KH KH wrote:
>> > Hello
>> >
>> > From here http://www.nvnews.net/vbulletin/showthread.php?t=72490
>> > There is a need to handle the xorg-x11-drv-nvidia package with SELinux:
>> > this was previously documented to be done manually in documentation
>> > that uses the livna package...
>> > The nvidia installer detects it, but the livna package uses a different
>> > scheme, so it has to be handled somewhere else...
>> >
>> > This can be done in the xorg-x11-drv-nvidia package or in
>> > selinux-policy (the second is the preferred choice if possible).
>> >
>> > Because it deals with versioned libs, I wonder if it can be possible to
>> > handle it easily with the selinux-policy package?
>> >
>> > Thx for any advice (I will submit a bug for selinux-policy if it is
>> > possible)
>> >
>> > Nicolas (kwizart)
>>
>> The u1 update has these fixes (preview available on
>> http://people.redhat.com/dwalsh/SELinux/RHEL5).
>
> Well, I didn't manage to check (which one may I check?)

I am not sure what you are asking? You can check the policy in
http://people.redhat.com/dwalsh/SELinux/RHEL5

>
>> Of course if nvidia would just fix the way they build their libraries,
>> this would probably not be a problem.
>>
> Should we request it from nVidia? Is it related to CFLAGS and
> $RPM_OPT_FLAGS?
>
Yes. It has to do with using -fpic or -fPIC in the CFLAGS.

> Well, I forgot to say that the livna packaging scheme uses a different
> path for these libraries (to prevent replacement issues)...
> And I also don't know currently if the new lib (libnvidia-wfb.so.%{version},
> provided with version > 97xx) is concerned by the need to change the
> SELinux context...
>
> If I take care of the SELinux context inside xorg-x11-drv-nvidia I will
> have in the %post section (where nvidialibdir is %{_libdir}/nvidia):
>
You can check the default context of the path with matchpathcon.

def_con=`matchpathcon -n %{_libdir}/xorg/modules/drivers/nvidia_drv.so`
if [ "$def_con" != "system_u:object_r:textrel_shlib_t" ]; then
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t
> %{_libdir}/xorg/modules/drivers/nvidia_drv.so &>/dev/null
fi
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t
> %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version}
> &>/dev/null
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t
> %{nvidialibdir}/libGLcore.so.%{version} &>/dev/null
> %{_sbindir}/semanage fcontext -a -t textrel_shlib_t
> %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null
> if sestatus | egrep -q 'SELinux status.*enabled'
> then
> restorecon %{_libdir}/xorg/modules/drivers/nvidia_drv.so
> %{_libdir}/xorg/modules/extensions/nvidia/libglx.so.%{version}
> %{nvidialibdir}/libGLcore.so.%{version}
> %{nvidialibdir}/libnvidia-tls.so.1 &>/dev/null || :
> fi || :
>
> Thx for your advice!
>
> Nicolas (kwizart)

From mike.clarkson at baesystems.com Tue May 22 20:26:35 2007
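The matchpathcon check Dan Walsh suggests, applied to all four libraries from kwizart's %post, as an added example (my own shell, not code from the thread or from the xorg-x11-drv-nvidia package). It compares only the type field because on the RHEL5 targeted (MCS) policy `matchpathcon -n` prints a trailing level (`...:textrel_shlib_t:s0`), which a whole-string comparison against `system_u:object_r:textrel_shlib_t` never matches; the expanded library directories and the version are assumed values standing in for the RPM macros.

```shell
#!/bin/sh
# Added example, not from the thread: register file contexts for the nvidia
# libraries only where the installed policy does not already label them as
# textrel_shlib_t. The directory and version values are assumptions that
# stand in for the RPM macros used in kwizart's %post.
NVIDIA_VERSION=${NVIDIA_VERSION:-PLACEHOLDER_VERSION}   # %{version}
NVIDIA_LIBDIR=${NVIDIA_LIBDIR:-/usr/lib64/nvidia}       # %{nvidialibdir}
XORG_MODDIR=${XORG_MODDIR:-/usr/lib64/xorg/modules}     # %{_libdir}/xorg/modules
WANTED_TYPE=textrel_shlib_t

# Type field of a security context: the third colon-separated field. An
# MLS/MCS level (":s0" or ":s0-s0:c0.c1023") may follow it, so neither a
# whole-string compare nor "the last field" is safe.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Return 0 when the policy's default context for path $1 has type $2.
# $3 optionally supplies the context (lets the logic run without
# libselinux); otherwise it comes from matchpathcon, and a missing or
# failing matchpathcon counts as "not labelled".
has_default_type() {
  ctx=${3-}
  [ -n "$ctx" ] || ctx=$(matchpathcon -n "$1" 2>/dev/null) || return 1
  [ "$(ctx_type "$ctx")" = "$2" ]
}

# Add an fcontext rule for $1 only when needed, so a later selinux-policy
# update that already knows the path does not get a duplicate local rule.
label_if_needed() {
  has_default_type "$1" "$WANTED_TYPE" && return 0
  semanage fcontext -a -t "$WANTED_TYPE" "$1" >/dev/null 2>&1 || :
}

# Usage from %post (as root, with libselinux-utils installed): run with --apply.
if [ "${1-}" = --apply ]; then
  for f in "$XORG_MODDIR/drivers/nvidia_drv.so" \
           "$XORG_MODDIR/extensions/nvidia/libglx.so.$NVIDIA_VERSION" \
           "$NVIDIA_LIBDIR/libGLcore.so.$NVIDIA_VERSION" \
           "$NVIDIA_LIBDIR/libnvidia-tls.so.1"; do
    label_if_needed "$f"
    # Apply the (possibly new) label to the installed file.
    if selinuxenabled 2>/dev/null && [ -e "$f" ]; then
      restorecon "$f" >/dev/null 2>&1 || :
    fi
  done
fi
```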
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Tue, 22 May 2007 13:26:35 -0700
Subject: runcon vs newrole
References: <4649FACD.6060908@redhat.com> <1179774130.3036.4.camel@moss-spartans.epoch.ncsc.mil>

Thanks for the response.

Based on your comments, am I correct in thinking that it is better to
provide trusted SELinux-aware domains access to runcon rather than
newrole, since runcon will restrict those domains to do only what the
SELinux policy allows?

> -----Original Message-----
> From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
> Sent: Monday, May 21, 2007 12:02 PM
> To: Daniel J Walsh
> Cc: Clarkson, Mike R (US SSA); fedora-selinux-list at redhat.com
> Subject: Re: runcon vs newrole
>
> On Tue, 2007-05-15 at 14:24 -0400, Daniel J Walsh wrote:
> > Clarkson, Mike R (US SSA) wrote:
> > > What are the differences between and advantages/disadvantages of the
> > > following two commands:
> > >
> > > runcon -l s1
> > > newrole -l s1 --c
> > >
> > Off the top of my head:
> >
> > newrole will change the terminal to the level you want to output. So if
> > the app reads/writes to the terminal it will work.
> >
> > runcon will not, so terminal apps will fail. Writing SystemHigh to a
> > SystemLow terminal should not work.
>
> Further, newrole runs in its own domain and allows for transitions from
> less privileged contexts to more privileged contexts, while runcon runs
> in the caller's domain and requires the caller to already be
> sufficiently privileged to directly make the transition.
>
> --
> Stephen Smalley
> National Security Agency

From kumardineshwar at gmail.com Wed May 23 04:43:00 2007
From: kumardineshwar at gmail.com (Dineshwar Kumar)
Date: Wed, 23 May 2007 10:13:00 +0530
Subject: fedora-selinux-list Digest, Vol 39, Issue 21
In-Reply-To: <20070522160013.0C98E73685@hormel.redhat.com>
References: <20070522160013.0C98E73685@hormel.redhat.com>

Hi,

I am new to the SELinux policy; can anyone tell me what this is? I am
using snmp to read the NFS-mounted dir "content_directory". Then I got
this entry in my log:

05.22.2007 04:46:53 EDT 172.25.33.140 kernel: audit(1179391601.031:1144058): avc: denied { search } for pid=19687 comm="snmpd" name="content_directory" dev=0:15 ino=14609954 scontext=system_u:system_r:snmpd_t tcontext=root:object_r:nfs_t tclass=dir

On the parent dir the SELinux policy is this:

[root at INP-AS-11 /]# ls -Z /usr/local/PServer41SP2/server/nodes/momentum/archives/public_html/
drwxrwxrwx supportp supportp user_u:object_r:usr_t admin
drwxrwxrwx supportp supportp user_u:object_r:usr_t cliks
drwxrwxrwx root     root                           cliksdmrroot
-rw-rw-r-- supportp supportp user_u:object_r:usr_t cliks.tgz
drwxrwxrwx supportp supportp user_u:object_r:usr_t css
-rwxrwxrwx supportp supportp user_u:object_r:usr_t index.jsp
drwxrwxrwx supportp supportp user_u:object_r:usr_t pramati_admin_help
drwxrwxrwx supportp supportp user_u:object_r:usr_t WEB-INF

[root at INP-AS-11 /]# ls -Z /usr/local/PServer41SP2/server/nodes/momentum/archives/public_html/cliksdmrroot/
drwxrwxrwx nfsnobod nfsnobod content_directory
drwxrwxrwx nfsnobod nfsnobod dfxmldirectory
drwxrwxrwx nfsnobod nfsnobod dmrnormal
drwxrwxrwx nfsnobod nfsnobod exportarea
drwxrwxrwx nfsnobod nfsnobod kmexportarea
drwxrwxrwx nfsnobod nfsnobod kmnwpath
drwxrwxrwx nfsnobod nfsnobod kmtemprepository
drwxrwxrwx nfsnobod nfsnobod kmxmlrepository
drwxrwxrwx nfsnobod nfsnobod lmsdirectory
-rwxrwxrwx nfsnobod nfsnobod log4j.properties
drwxrwxrwx nfsnobod nfsnobod tedirectory
drwxrwxrwx nfsnobod nfsnobod umdirectory
drwxrwxrwx nfsnobod nfsnobod WEB-INF
drwxrwxrwx nfsnobod nfsnobod wsdirectory

With Thanks,
Dinesh

From dwalsh at redhat.com Wed May 23 13:24:34 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 23 May 2007 09:24:34 -0400
Subject: fedora-selinux-list Digest, Vol 39, Issue 21
References: <20070522160013.0C98E73685@hormel.redhat.com>
Message-ID: <46544092.9090908@redhat.com>

Dineshwar Kumar wrote:
> Hi,
>
> I am new to the SELinux policy; can anyone tell me what this is? I am
> using snmp to read the NFS-mounted dir "content_directory". Then I got
> this entry in my log:
>
> 05.22.2007 04:46:53 EDT 172.25.33.140
> kernel: audit(1179391601.031:1144058): avc:
> denied { search } for pid=19687 comm="snmpd"
> name="content_directory" dev=0:15 ino=14609954
> scontext=system_u:system_r:snmpd_t tcontext=root:object_r:nfs_t
> tclass=dir
>
This means that SELinux policy will not allow the snmpd daemon to
search/read NFS file systems. If you want to allow this permission you
can add it using:

audit2allow -M mysnmpd -i /var/log/audit/audit.log

> On the parent dir the SELinux policy is this:
>
> [root at INP-AS-11 /]# ls -Z
> /usr/local/PServer41SP2/server/nodes/momentum/archives/public_html/
> drwxrwxrwx supportp supportp user_u:object_r:usr_t admin
> drwxrwxrwx supportp supportp user_u:object_r:usr_t cliks
> drwxrwxrwx root     root                           cliksdmrroot
> -rw-rw-r-- supportp supportp user_u:object_r:usr_t cliks.tgz
> drwxrwxrwx supportp supportp user_u:object_r:usr_t css
> -rwxrwxrwx supportp supportp user_u:object_r:usr_t index.jsp
> drwxrwxrwx supportp supportp user_u:object_r:usr_t pramati_admin_help
> drwxrwxrwx supportp supportp user_u:object_r:usr_t WEB-INF
>
> [root at INP-AS-11 /]# ls -Z
> /usr/local/PServer41SP2/server/nodes/momentum/archives/public_html/cliksdmrroot/
> drwxrwxrwx nfsnobod nfsnobod content_directory
> drwxrwxrwx nfsnobod nfsnobod dfxmldirectory
> drwxrwxrwx nfsnobod nfsnobod dmrnormal
> drwxrwxrwx nfsnobod nfsnobod exportarea
> drwxrwxrwx nfsnobod nfsnobod kmexportarea
> drwxrwxrwx nfsnobod nfsnobod kmnwpath
> drwxrwxrwx nfsnobod nfsnobod kmtemprepository
> drwxrwxrwx nfsnobod nfsnobod kmxmlrepository
> drwxrwxrwx nfsnobod nfsnobod lmsdirectory
> -rwxrwxrwx nfsnobod nfsnobod log4j.properties
> drwxrwxrwx nfsnobod nfsnobod tedirectory
> drwxrwxrwx nfsnobod nfsnobod umdirectory
> drwxrwxrwx nfsnobod nfsnobod WEB-INF
> drwxrwxrwx nfsnobod nfsnobod wsdirectory
>
> With Thanks,
> Dinesh

From beres.laszlo at sys-admin.hu Wed May 23 15:59:44 2007
From: beres.laszlo at sys-admin.hu (BERES Laszlo)
Date: Wed, 23 May 2007 17:59:44 +0200
Subject: RHEL5 LVM snapshot problem
Message-ID: <465464F0.4010502@sys-admin.hu>

Hello there,

look what I found on my fresh RHEL5 Server installation:

[root at station5 ~]# lvcreate -L 16M -s -n data-backup /dev/volgroup/data
/sbin/modprobe: execlp failed: Permission denied
/sbin/modprobe failed: 13
snapshot: Required device-mapper target(s) not detected in your kernel
lvcreate: Create a logical volume

avc: denied { execute } for comm="lvcreate" dev=hda2 egid=0 euid=0 exe="/usr/sbin/lvm" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="modprobe" pid=2845 scontext=root:system_r:lvm_t:s0-s0:c0.c1023 sgid=0 subj=root:system_r:lvm_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:insmod_exec_t:s0 tty=pts0 uid=0

--
BÉRES László
RHCE, RHCX
senior IT engineer, trainer

From dwalsh at redhat.com Wed May 23 17:26:54 2007
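What the `audit2allow -M` step Dan Walsh suggests boils down to, as an added example (my own shell, not audit2allow's code and not anything posted in the thread): it parses the AVC records quoted by Dinesh and László above, drops repeats, merges permissions per source/target/class, and prints the allow rules a local module would need. The second and third sample records are constructed to show the merging; the contexts with an MLS range are why the type is taken as the third field rather than the last.

```shell
#!/bin/sh
# Added example, not from the thread and not audit2allow's code: derive the
# allow rules a local policy module would need from raw "avc: denied" records.

# Sample input. Records 1 and 4 are the snmpd and lvm denials quoted in this
# thread; records 2 and 3 are constructed (a repeat of the snmpd denial from
# another pid, and a second permission on the same directory).
SAMPLE_AVCS='kernel: audit(1179391601.031:1144058): avc: denied { search } for pid=19687 comm="snmpd" name="content_directory" dev=0:15 ino=14609954 scontext=system_u:system_r:snmpd_t tcontext=root:object_r:nfs_t tclass=dir
kernel: audit(1179391700.000:1144100): avc: denied { search } for pid=19700 comm="snmpd" name="content_directory" dev=0:15 ino=14609954 scontext=system_u:system_r:snmpd_t tcontext=root:object_r:nfs_t tclass=dir
kernel: audit(1179391700.010:1144101): avc: denied { getattr } for pid=19700 comm="snmpd" name="content_directory" dev=0:15 ino=14609954 scontext=system_u:system_r:snmpd_t tcontext=root:object_r:nfs_t tclass=dir
avc: denied { execute } for comm="lvcreate" dev=hda2 egid=0 euid=0 exe="/usr/sbin/lvm" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="modprobe" pid=2845 scontext=root:system_r:lvm_t:s0-s0:c0.c1023 sgid=0 subj=root:system_r:lvm_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:insmod_exec_t:s0 tty=pts0 uid=0'

# Type field of a context: the third colon-separated field. The lvm record
# shows why the last field is wrong: its MLS range s0-s0:c0.c1023 has a colon.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Value of the "key=value" field named $2 in record $1, or empty if absent.
# Fields are found by name because their order differs between kernels
# (compare tclass/tcontext in the snmpd and lvm records).
avc_field() {
  case $1 in
    *" $2="*) v=${1#*" $2="}; printf '%s\n' "${v%% *}" ;;
    *) printf '\n' ;;
  esac
}

# Emit one "source_type target_type class permission" line per permission
# in every denial on stdin; lines that are not AVC denials are skipped.
avc_tuples() {
  while IFS= read -r rec; do
    case $rec in *"avc: denied { "*) ;; *) continue ;; esac
    perms=${rec#*"denied { "}; perms=${perms%%" }"*}
    st=$(ctx_type "$(avc_field "$rec" scontext)")
    tt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    for perm in $perms; do
      printf '%s %s %s %s\n' "$st" "$tt" "$cls" "$perm"
    done
  done
}

# Collapse the tuples into allow rules: duplicates (the repeated snmpd
# search) disappear in sort -u, and permissions for the same
# source/target/class are merged into one braced set.
avc_to_allow() {
  avc_tuples | sort -u | awk '
    { key = $1 " " $2 ":" $3; perms[key] = perms[key] " " $4 }
    END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }' | sort
}

# Rules for the sample above. For real input, feed the audit log instead:
#   grep 'avc: denied' /var/log/audit/audit.log | avc_to_allow
suggest_rules() { printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow; }
```

Read the output as a list of what the policy would have to grant, not as something to install blindly: an `allow lvm_t insmod_exec_t:file { execute };` is worth a bug report (as Dan says below), while a rule granting snmpd_t access to nfs_t is a deliberate local decision.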
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 23 May 2007 13:26:54 -0400
Subject: RHEL5 LVM snapshot problem
In-Reply-To: <465464F0.4010502@sys-admin.hu>
References: <465464F0.4010502@sys-admin.hu>
Message-ID: <4654795E.6020406@redhat.com>

BERES Laszlo wrote:
> Hello there,
>
> look what I found on my fresh RHEL5 Server installation:
>
> [root at station5 ~]# lvcreate -L 16M -s -n data-backup /dev/volgroup/data
> /sbin/modprobe: execlp failed: Permission denied
> /sbin/modprobe failed: 13
> snapshot: Required device-mapper target(s) not detected in your kernel
> lvcreate: Create a logical volume
>
> avc: denied { execute } for comm="lvcreate" dev=hda2 egid=0 euid=0
> exe="/usr/sbin/lvm" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> name="modprobe" pid=2845 scontext=root:system_r:lvm_t:s0-s0:c0.c1023
> sgid=0 subj=root:system_r:lvm_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:insmod_exec_t:s0 tty=pts0 uid=0
>
Please open a bugzilla.

From mantaray_1 at cox.net Wed May 23 22:11:41 2007
From: mantaray_1 at cox.net (Ken)
Date: Wed, 23 May 2007 15:11:41 -0700
Subject: kernel_t and rawip
Message-ID: <4654BC1D.9010104@cox.net>

I became interested in SELinux primarily to increase the level of
security I have when I am connected to the Internet, and until recently
I have not allowed kernel_t to send or receive rawip over the Internet.
I have recently allowed this because I was having difficulty making an
online payment without this enabled. Since enabling this, I have
wondered what the security implications of allowing kernel_t to send and
receive rawip on the Internet are; and I was hoping someone could direct
me to a good source for technical information about the security
implications of allowing various permissions.

From mike.clarkson at baesystems.com Thu May 24 00:29:38 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Wed, 23 May 2007 17:29:38 -0700
Subject: redefining the number of sensitivities and reconfiguring users and login
References: <4654BC1D.9010104@cox.net>

I'm trying to reduce the number of sensitivities from 16 to 5 (s0 - s4).

Looks like I can redefine the number of sensitivities in the build.conf
file and Makefile file and then use "make load" to make the change take
effect. Is that correct?

I assume that I'll need to use fixfiles to relabel any files that have
contexts with sensitivity levels greater than s4. Is that correct?

Before reducing the number of sensitivities, I wanted to reconfigure the
users and login using semanage. I've defined SystemHigh to be
s4:c0.c255 in the setrans.conf file. This is what "semanage user -l"
returns:

# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range               SELinux Roles

m2_u            user       SystemLow  SystemLow-s15:c0.c255   system_r user_r
root            user       SystemLow  SystemLow-s15:c0.c255   system_r sysadm_r user_r
system_u        user       SystemLow  SystemLow-s15:c0.c255   system_r
user_u          user       SystemLow  SystemLow-s15:c0.c255   system_r user_r

I can change both the m2_u and user_u users to have a range of
SystemLow-SystemHigh, but only in permissive mode. If in enforcing mode,
I get the following error:

# semanage user -m -r SystemLow-SystemHigh user_u
libsepol.mls_from_string: invalid MLS context SystemLow-SystemHigh
libsepol.mls_from_string: could not construct mls context structure
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not modify SELinux user user_u

Even in permissive mode I can not change the root or system_u users.
In permissive mode I get the following error message:

# semanage user -m -r SystemLow-SystemHigh system_u
libsepol.context_read_and_validate: invalid security context
libsepol.policydb_from_image: policy image is invalid
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semanage: Could not modify SELinux user system_u

"policy image is invalid" sounds particularly bad.

I'm running as Linux user root and SELinux user root. Here is the output
of id:

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),101(pkcs11) context=root:system_r:unconfined_t:SystemLow-s15:c0.c255

Can anyone help with what I need to do?

Thanks

From cpebenito at tresys.com Thu May 24 14:54:49 2007
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Thu, 24 May 2007 14:54:49 +0000
Subject: kernel_t and rawip
In-Reply-To: <4654BC1D.9010104@cox.net>
References: <4654BC1D.9010104@cox.net>
Message-ID: <1180018489.10995.70.camel@sgc.columbia.tresys.com>

On Wed, 2007-05-23 at 15:11 -0700, Ken wrote:
> I became interested in SELinux primarily to increase the level of
> security I have when I am connected to the Internet, and until recently
> I have not allowed kernel_t to send or receive rawip over the Internet.
> I have recently allowed this because I was having difficulty making an
> online payment without this enabled. Since enabling this, I have
> wondered what the security implications of allowing kernel_t to send and
> receive rawip on the Internet are;

It's normal behavior; the kernel needs the permission so it can handle
ICMP traffic, e.g. ping replies, destination unreachable, etc.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From ericm24x7 at gmail.com Thu May 24 15:43:22 2007
From: ericm24x7 at gmail.com (eric)
Date: Thu, 24 May 2007 11:43:22 -0400
Subject: allowing tftpd to make pxe functional
In-Reply-To: <20070515063206.GB4900@angus.ind.WPI.EDU>
References: <46422328.9080609@gmail.com> <20070515063206.GB4900@angus.ind.WPI.EDU>
Message-ID: <4655B29A.2090400@gmail.com>

Chuck Anderson wrote:
> On Wed, May 09, 2007 at 03:38:16PM -0400, eric magaoay wrote:
>
>> Summary
>> SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to /
>> (rsync_data_t).
>> Source Context user_u:system_r:tftpd_t
>> Target Context system_u:object_r:rsync_data_t
>> Target Objects / [ dir ]
>>
>
> I believe your / is labelled incorrectly. Mine is:
>
> system_u:object_r:root_t

I have 2 questions:

1. Is there a justification for using root_t instead of tftpd_t?

2. Does "search" to "/" mean searching the absolute root directory, or
the root directory of tftp defined in xinetd, which is "/a" in my case?

From cpebenito at tresys.com Thu May 24 18:17:21 2007
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Thu, 24 May 2007 18:17:21 +0000
Subject: allowing tftpd to make pxe functional
In-Reply-To: <4655B29A.2090400@gmail.com>
References: <46422328.9080609@gmail.com> <20070515063206.GB4900@angus.ind.WPI.EDU> <4655B29A.2090400@gmail.com>
Message-ID: <1180030641.10995.79.camel@sgc.columbia.tresys.com>

On Thu, 2007-05-24 at 11:43 -0400, eric wrote:
> Chuck Anderson wrote:
> > On Wed, May 09, 2007 at 03:38:16PM -0400, eric magaoay wrote:
> >
> >> Summary
> >> SELinux is preventing /usr/sbin/in.tftpd (tftpd_t) "search" to /
> >> (rsync_data_t).
> >> Source Context user_u:system_r:tftpd_t
> >> Target Context system_u:object_r:rsync_data_t
> >> Target Objects / [ dir ]
> >>
> >
> > I believe your / is labelled incorrectly. Mine is:
> >
> > system_u:object_r:root_t
> I have 2 questions:
> 1. Is there a justification for using root_t instead of tftpd_t?

root_t specifically exists to label the / directory of the system, not
the root of the directory you are exporting over tftp. It's not specific
to the tftp policy. If you change the type of / to something other than
root_t, then many things can go wrong, since all domains should be able
to at least search /.

> 2. Does "search" to "/" mean searching the absolute root directory, or
> the root directory of tftp defined in xinetd, which is "/a" in my case?

It means the real root directory.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

From mantaray_1 at cox.net Fri May 25 18:53:56 2007
From: mantaray_1 at cox.net (Ken)
Date: Fri, 25 May 2007 11:53:56 -0700
Subject: kernel_t and rawip
Message-ID: <465730C4.9040701@cox.net>

I inadvertently sent this to cpebenito at tresys.com rather than to the
list. Here it is for the list:

Christopher J. PeBenito wrote:
> On Wed, 2007-05-23 at 15:11 -0700, Ken wrote:
>> I became interested in SELinux primarily to increase the level of
>> security I have when I am connected to the Internet, and until recently
>> I have not allowed kernel_t to send or receive rawip over the Internet.
>> I have recently allowed this because I was having difficulty making an
>> online payment without this enabled. Since enabling this, I have
>> wondered what the security implications of allowing kernel_t to send and
>> receive rawip on the Internet are;
>
> It's normal behavior; the kernel needs the permission so it can handle
> ICMP traffic, e.g. ping replies, destination unreachable, etc.
>
I am aware of ICMP traffic, but even the best programs and protocols can
be unexpectedly vulnerable to exploitation; and from a logical
perspective, I have (completely and unconditionally) opened my system to
allow a particular type of communication with outside connections -- at
least with respect to SELinux.

My interest is in learning what the logical limits are with respect to
what can be sent and received as rawip to and from kernel_t, and what
the limitations of what can be done with the data are. I was hoping
there is a document compiled somewhere that provides this (and similar)
information.

- Ken -

From phil at noggle.biz Fri May 25 20:16:38 2007
From: phil at noggle.biz (Philip Tricca)
Date: Fri, 25 May 2007 16:16:38 -0400
Subject: avc denial using runuser from initrc_exec_t
Message-ID: <46574426.50808@noggle.biz>

I'm trying to fix up an init script to play nice with SELinux (strict
policy 2.6.6-69.fc6). Digging through mailing list archives I found
recommendations to replace the use of su with /sbin/runuser for the
change from root to a lesser privileged user. My problem comes when
calling /sbin/runuser. I get 2 avcs:

type=AVC msg=audit(blah): avc: denied { search } for pid=XXXX comm="runuser" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:local_login_ts0-s0:c0.c1023 tclass=key

type=AVC msg=audit(blah): avc: denied { create } for pid=XXXX comm="runuser" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket

Every daemon on my system seems to set its own uid (has allow X_t
self:capability { ... setuid setgid ... }), so I've been unable to find
an example of an init script (initrc_exec_t) that uses runuser. From
what I've gathered this would require adding some permissions to the
initrc_t domain, so either I'm doing something wrong (the likely case)
or, if runuser is intended to be used from init scripts (it is used in
/etc/init.d/functions), then initrc_t should have these privileges...
any thoughts?

TIA,
- Philip

From janfrode at tanso.net Fri May 25 21:22:40 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 25 May 2007 23:22:40 +0200
Subject: defining syslogd_var_lib_t conditionally ?

syslog-ng has a /var/lib/syslog-ng, but there's no syslogd_var_lib_t in
the RHEL5 policy. So I create the module below. But what happens if
RHEL comes out with an updated policy that includes syslogd_var_lib_t?
Should I maybe wrap the definition in a check for whether it already
exists?

------------------------------------------------------------------------------
module syslog_ng 1.0.3;

# The following two lines are what I'm asking about:
type syslogd_var_lib_t;
files_type(syslogd_var_lib_t)

require {
        class sock_file { getattr unlink };
        class tcp_socket { create bind setopt name_bind node_bind listen };
        class dir { search write add_name };
        class file { create write getattr read };
        type device_t;
        type syslogd_t;
        type rsh_port_t;
        type inaddr_any_node_t;
        type var_lib_t;
        type syslogd_var_lib_t;
};

allow syslogd_t device_t:sock_file { getattr unlink };
allow syslogd_t rsh_port_t:tcp_socket name_bind;
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t self:tcp_socket { create listen bind setopt };
allow syslogd_t syslogd_var_lib_t:dir { search write add_name };
allow syslogd_t syslogd_var_lib_t:file { create write getattr read };
allow syslogd_t var_lib_t:dir search;
------------------------------------------------------------------------------

-jf

From janfrode at tanso.net Fri May 25 20:50:23 2007
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Fri, 25 May 2007 22:50:23 +0200
Subject: RPM with separate selinux package

I've been building syslog-ng RPMs, with the needed selinux module as a
separate sub-package following the instructions at:

http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

but there's a problem with the logic of having the selinux package
"Requires: main package", as then the main package will get installed
and started before there is a working policy installed.

So, is there any way of re-ordering this, without having the main
package depend on the selinux package? i.e. I want to allow someone to
install only the syslog-ng-2.0.4-12.i386.rpm if they don't want the
selinux module, but I want the selinux module to be installed first if
both are installed in the same operation.

My current srpm --> http://tanso.net/yum/packages/syslog-ng-2.0.4-12.src.rpm

-jf

From anders at trudheim.co.uk Mon May 28 20:03:37 2007
From: anders at trudheim.co.uk (Anders Karlsson)
Date: Mon, 28 May 2007 21:03:37 +0100
Subject: Odd SELinux denials
Message-ID: <200705282103.37723.anders@trudheim.co.uk>

Hi there,

I updated my system on the 26th, and after an involuntary restart this
evening, if I have SELinux enabled, xend will not start. The errors in
the logs are the following.

audit(1180381236.512:338): avc: denied { execute } for pid=7781 comm="python" name="bash" dev=dm-0 ino=1376288 scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
audit(1180381236.664:339): avc: denied { execute } for pid=7793 comm="python" name="bash" dev=dm-0 ino=1376288 scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
audit(1180381237.276:340): avc: denied { execute } for pid=7797 comm="python" name="bash" dev=dm-0 ino=1376288 scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

I have run a "restorecon -R /" to attempt to correct this, but it makes
no difference.

The installed SELinux packages are:

libselinux.x86_64                1.33.4-2.fc6    installed
libselinux.i386                  1.33.4-2.fc6    installed
libselinux-python.x86_64         1.33.4-2.fc6    installed
selinux-policy.noarch            2.4.6-69.fc6    installed
selinux-policy-targeted.noarch   2.4.6-69.fc6    installed

I have re-installed these, just in case, and rerun restorecon. Enabling
SELinux still gives the same errors.

I am no expert on SELinux (and I failed the RHS333 exam :-/ ) and I am a
bit stumped on this one. Does anyone have an idea what is wrong and what
I can try to resolve this?

Thanks!

/Anders

From dwalsh at redhat.com Tue May 29 16:58:18 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 29 May 2007 12:58:18 -0400
Subject: avc denial using runuser from initrc_exec_t
In-Reply-To: <46574426.50808@noggle.biz>
References: <46574426.50808@noggle.biz>
Message-ID: <465C5BAA.8040500@redhat.com>

Philip Tricca wrote:
> I'm trying to fix up an init script to play nice with SELinux (strict
> policy 2.6.6-69.fc6). Digging through mailing list archives I found
> recommendations to replace the use of su with /sbin/runuser for the
> change from root to a lesser privileged user. My problem comes when
> calling /sbin/runuser. I get 2 avcs:
>
> type=AVC msg=audit(blah): avc: denied { search } for pid=XXXX
> comm="runuser" scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:local_login_ts0-s0:c0.c1023 tclass=key
>
> type=AVC msg=audit(blah): avc: denied { create } for pid=XXXX
> comm="runuser" scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket
>
> Every daemon on my system seems to set its own uid (has allow X_t
> self:capability { ... setuid setgid ... }), so I've been unable to find
> an example of an init script (initrc_exec_t) that uses runuser. From
> what I've gathered this would require adding some permissions to the
> initrc_t domain, so either I'm doing something wrong (the likely case)
> or, if runuser is intended to be used from init scripts (it is used in
> /etc/init.d/functions), then initrc_t should have these privileges...
> any thoughts?
>
> TIA,
> - Philip
>
What was the original reason for attempting any of this? What avc's are
you seeing in your applications? If you are running your own daemons,
they should just work and not need you to change anything. (In targeted
policy at least.)

From dwalsh at redhat.com Tue May 29 17:03:01 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 29 May 2007 13:03:01 -0400
Subject: Odd SELinux denials
In-Reply-To: <200705282103.37723.anders@trudheim.co.uk>
References: <200705282103.37723.anders@trudheim.co.uk>
Message-ID: <465C5CC5.7050807@redhat.com>

Anders Karlsson wrote:
> Hi there,
>
> I updated my system on the 26th, and after an involuntary restart this
> evening, if I have SELinux enabled, xend will not start. The errors in the
> logs are the following.
>
> audit(1180381236.512:338): avc: denied { execute } for pid=7781
> comm="python" name="bash" dev=dm-0 ino=1376288
> scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:shell_exec_t:s0
> tclass=file
> audit(1180381236.664:339): avc: denied { execute } for pid=7793
> comm="python" name="bash" dev=dm-0 ino=1376288
> scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:shell_exec_t:s0
> tclass=file
> audit(1180381237.276:340): avc: denied { execute } for pid=7797
> comm="python" name="bash" dev=dm-0 ino=1376288
> scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:shell_exec_t:s0
> tclass=file
>
> I have run a "restorecon -R /" to attempt to correct this, but it makes no
> difference.
>
> The installed SELinux packages are:
> libselinux.x86_64 1.33.4-2.fc6 installed
> libselinux.i386 1.33.4-2.fc6 installed
> libselinux-python.x86_64 1.33.4-2.fc6 installed
> selinux-policy.noarch 2.4.6-69.fc6 installed
> selinux-policy-targeted.noarch 2.4.6-69.fc6 installed
>
> I have re-installed these, just in case, and rerun restorecon. Enabling
> SELinux still gives the same errors.
>
> I am no expert on SELinux (and I failed the RHS333 exam :-/ ) and I am a bit
> stumped on this one. Does anyone have an idea what is wrong and what I can
> try to resolve this?
>
>
I will update policy to allow this in 2.4.6-74.fc6. For now, to make it work, create a local policy customization:

# grep xend /var/log/audit/audit.log | audit2allow -M myxen
# semodule -i myxen.pp

> Thanks!
>
> /Anders
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From sds at tycho.nsa.gov Tue May 29 17:38:36 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 29 May 2007 13:38:36 -0400
Subject: runcon vs newrole
In-Reply-To:
References: <4649FACD.6060908@redhat.com> <1179774130.3036.4.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1180460316.3340.97.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-05-22 at 13:26 -0700, Clarkson, Mike R (US SSA) wrote:
> Thanks for the response.
>
> Based on your comments, am I correct in thinking that it is better to
> provide trusted selinux aware domains access to runcon rather than
> newrole, since runcon will restrict those domains to do only what the
> selinux policy allows?

That doesn't sound right. runcon itself doesn't restrict anything; it is just a utility that runs in the domain of the caller and has no more (or less) permissions than its caller. Even the ability to execute the runcon code is uninteresting. The operating system is what controls the ability to transition.

Use runcon only when the caller is already trusted (and trustworthy) to directly effect the transition and when the caller will take whatever actions are necessary to properly set up the environment for the new context.

Use newrole when you want some enforced separation between the caller and the new context and you want the newrole program to handle setting up the environment for the new context (e.g. polyinstantiated directories).

-- 
Stephen Smalley
National Security Agency

From phil at noggle.biz Tue May 29 19:56:15 2007
From: phil at noggle.biz (Philip Tricca)
Date: Tue, 29 May 2007 15:56:15 -0400
Subject: avc denial using runuser from initrc_exec_t
In-Reply-To: <465C5BAA.8040500@redhat.com>
References: <46574426.50808@noggle.biz> <465C5BAA.8040500@redhat.com>
Message-ID: <465C855F.1060905@noggle.biz>

Daniel J Walsh wrote:
> Philip Tricca wrote:
>> I'm trying to fix up an init script to play nice with SELinux (strict
>> policy 2.6.6-69.fc6). Digging through mailing list archives I found
>> recommendations to replace the use of su with /sbin/runuser for the
>> change from root to a lesser privileged user. My problem comes when
>> calling /sbin/runuser. I get 2 avcs:
>>
>> type=AVC msg=audit(blah): avc: denied { search } for pid=XXXX
>> comm="runuser" scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:system_r:local_login_ts0-s0:c0.c1023 tclass=key
>>
>> type=AVC msg=audit(blah): avc: denied { create } for pid=XXXX
>> comm="runuser" scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket
>>
>> Every daemon on my system seems to set its own uid (has allow X_t
>> self:capability { ... setuid setgid ...}) so I've been unable to find
>> an example of an init script (initrc_exec_t) that uses runuser. From
>> what I've gathered this would require adding some permissions to the
>> initrc_t domain, so either I'm doing something wrong (the likely case)
>> or if runuser is intended to be used from init scripts (it is used in
>> /etc/init.d/functions) then initrc_t should have these privileges ...
>> any thoughts?
>>
>> TIA,
>> - Philip
>>
> What was the original reason for attempting any of this?

I'm attempting to run a daemon of my own creation (a java web-app running in a tomcat container) in a strict policy domain of my own creation as well.

> What avc's are you seeing in your applications?

My script initially used "su" to give up root permissions for my web-app (run as a less privileged user).
Running the "su" command in my script gives an avc:

type=AVC msg=audit(blah): avc: denied { search } for pid=2616 comm="su" scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=key

The script was still able to run my web-app as the lesser privileged user (avc did not prevent "su" from doing its job). Hoping to eliminate this AVC without using an ignore rule or pushing changes into the initrc_su_t domain I started searching through mailing list archives and ran across recommendations to use the "runuser" program in place of "su".
ref: https://www.redhat.com/archives/fedora-selinux-list/2004-October/msg00007.html

This however resulted in the two AVCs listed in my original message, and a script unable to switch to the lesser privileged user. I thought this to be strange since runuser is used as part of the FC6 LSB functions in /etc/init.d/functions (specifically the daemon () function). I guess no one is using that function and the current strict policy?

> If you are running your own daemons, they should just work and not
> need you to change anything.

Correct, my script as written used "su" and that worked, though it did result in the one AVC noted above. Attempting to use "runuser" in place of "su" in starting my daemon (which transitions into its own domain) is where I ran into this problem.

I figured I'd query the list to see if anyone had thoughts as to which should be used in an init script for starting a daemon (this seems to be "su" since it works with the existing init/initrc policy and "runuser" doesn't).

> In targeted policy at least.)

I haven't tried this in targeted policy so I can't say whether or not that would work. I'm using strict policy version 2.6.6-69.fc6 as noted in my initial message.

Thanks for the quick response!
- Philip

From anders at trudheim.co.uk Tue May 29 20:02:16 2007
From: anders at trudheim.co.uk (Anders Karlsson)
Date: Tue, 29 May 2007 21:02:16 +0100
Subject: Odd SELinux denials
In-Reply-To: <465C5CC5.7050807@redhat.com>
References: <200705282103.37723.anders@trudheim.co.uk> <465C5CC5.7050807@redhat.com>
Message-ID: <200705292102.16511.anders@trudheim.co.uk>

On Tuesday 29 May 2007 18:03:01 Daniel J Walsh wrote:
> [selinux, xend, python and bash - execute denial]
>
> I will update policy to allow this
>
> 2.4.6-74.fc6

That is smashing news.

> , For now to make it work you by creating a local policy customization.
>
> # grep xend /var/log/audit/audit.log | audit2allow -M myxen
> # semodule -i myxen.pp

Once the two VM's are not in use by others (i.e. later tonight) I will do this.
What is the procedure for removing this once the 2.4.6-74.fc6 policy is released?

# semodule -r myxen.pp
# rm ... ?

Thanks!

/Anders

From mcepl at redhat.com Tue May 29 21:25:06 2007
From: mcepl at redhat.com (Matej Cepl)
Date: Tue, 29 May 2007 23:25:06 +0200
Subject: setroubleshootd AVC denials???
Message-ID:

Hi,

I am afraid, my notebook got to some unrecognized state -- even setroubleshootd gets AVC denials and sealert cannot get connection! I tried relabelling but not much has changed. Yes, it is the same notebook as in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215722#c15 and I have put my audit.log on http://www.ceplovi.cz/matej/tmp/audit.log.bz2

Is there any hope in getting my notebook back into being 100% free of AVC denials?

Thanks for any reply,

Matej

From jdennis at redhat.com Tue May 29 21:47:00 2007
From: jdennis at redhat.com (John Dennis)
Date: Tue, 29 May 2007 17:47:00 -0400
Subject: setroubleshootd AVC denials???
In-Reply-To:
References:
Message-ID: <1180475220.10041.34.camel@finch.boston.redhat.com>

On Tue, 2007-05-29 at 23:25 +0200, Matej Cepl wrote:
> Hi,
>
> I am afraid, my notebook got to some unrecognized state -- even
> setroubleshootd gets AVC denials and sealert cannot get
> connection! I tried relabelling but not much has changed. Yes, it
> is the same notebook as in
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=215722#c15

updated bz with instructions on how to check if setroubleshootd is running which is the most plausible explanation for why sealert cannot connect.

> and I have put my audit.log on
> http://www.ceplovi.cz/matej/tmp/audit.log.bz2

Hmm... I get: 403 Permission denied

Please add data like this as attachments to the bugzilla, that's the only way we can track it.

-- 
John Dennis

From mcepl at redhat.com Tue May 29 22:11:05 2007
From: mcepl at redhat.com (Matej Cepl)
Date: Wed, 30 May 2007 00:11:05 +0200
Subject: setroubleshootd AVC denials???
References: <1180475220.10041.34.camel@finch.boston.redhat.com>
Message-ID:

On 2007-05-29, 21:47 GMT, John Dennis wrote:
> updated bz with instructions on how to check if setroubleshootd
> is running which is the most plausible explanation for why
> sealert cannot connect.

Nonsense, of course it is and it was running. sealert has been now for the last five minutes trying to get connection to setroubleshootd (or wherever, showing ``Server load'' message all the time).

>> and I have put my audit.log on
>> http://www.ceplovi.cz/matej/tmp/audit.log.bz2
>
> Hmm... I get: 403 Permission denied

That should be fixed and it has been attached to the bug 215722 as well (although, we should really make from it a new bug; this one used to be around selinux problems with postfix -- which are not fixed anyway).

Matej

From dwalsh at redhat.com Wed May 30 03:26:29 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 29 May 2007 23:26:29 -0400
Subject: Odd SELinux denials
In-Reply-To: <200705292102.16511.anders@trudheim.co.uk>
References: <200705282103.37723.anders@trudheim.co.uk> <465C5CC5.7050807@redhat.com> <200705292102.16511.anders@trudheim.co.uk>
Message-ID: <465CEEE5.4070603@redhat.com>

Anders Karlsson wrote:
> On Tuesday 29 May 2007 18:03:01 Daniel J Walsh wrote:
>
>> [selinux, xend, python and bash - execute denial]
>>
>> I will update policy to allow this
>>
>> 2.4.6-74.fc6
>>
>
> That is smashing news.
>
>
>> , For now to make it work you by creating a local policy customization.
>>
>> # grep xend /var/log/audit/audit.log | audit2allow -M myxen
>> # semodule -i myxen.pp
>>
>
> Once the two VM's are not in use by others (i.e. later tonight) I will do
> this.
> What is the procedure for removing this once the 2.4.6-74.fc6 policy is
> released?
>
> # semodule -r myxen.pp
> # rm ... ?
>
> Thanks!
>
> /Anders
>
semodule -r myxen

From ejtr at layer3.co.uk Wed May 30 08:48:37 2007
From: ejtr at layer3.co.uk (Ted Rule)
Date: Wed, 30 May 2007 09:48:37 +0100
Subject: chkpwd_exec_t / crond issue in policy-2.4.6-69
Message-ID: <1180514917.3732.21.camel@topaz.bugfinder.co.uk>

I recently upgraded policy from selinux-policy-strict-2.4.6-57.fc6 to selinux-policy-strict-2.4.6-69.fc6.

As a consequence of which I started to see the following errors in /var/log/cron every 10 minutes:

...
May 30 07:40:01 topaz crond[3717]: Authentication service cannot retrieve authentication info
May 30 07:40:01 topaz crond[3717]: CRON (root) ERROR: failed to open PAM security session: Success
May 30 07:40:01 topaz crond[3717]: CRON (root) ERROR: cannot set security context
May 30 07:50:01 topaz crond[3727]: Authentication service cannot retrieve authentication info
May 30 07:50:01 topaz crond[3727]: CRON (root) ERROR: failed to open PAM security session: Success
May 30 07:50:01 topaz crond[3727]: CRON (root) ERROR: cannot set security context
...

Meanwhile, SELinux/syslog errors shows:

May 30 02:40:01 topaz kernel: audit(1180489201.806:13): avc: denied { execute } for pid=3860 comm="crond" name="unix_chkpwd" dev=hda2 ino=453913 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
May 30 02:40:01 topaz crond[3860]: pam_unix(crond:account): helper binary execve failed: Permission denied
May 30 02:40:01 topaz crond[3859]: Authentication service cannot retrieve authentication info

The cron Job which appeared to error was for sysstat, as in:

[root at topaz ~]# cat /etc/cron.d/sysstat
# run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib/sa/sa1 1 1
# generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib/sa/sa2 -A
[root at topaz ~]#

Looking at the policy changes for cron in policy 69, I see that the auth_domtrans_chk_passwd(crond_t) transition has been removed, ( see diff below ).
By adding this entry back into the selinux policy for crond_t, I was apparently able to restore correct operation of cron:

auth_domtrans_chk_passwd(crond_t)

Is that the correct fix, or does the problem really lie in recoding crond itself to use unix_update instead of unix_chkpwd ??

===================================================================
... [root at topaz BUILD]# diff -uNr serefpolicy-2.4.6-57/policy/modules/services/cron.te serefpolicy-2.4.6-69/policy/modules/services/cron.te --- serefpolicy-2.4.6-57/policy/modules/services/cron.te 2007-04-27 08:47:01.000000000 +0100 +++ serefpolicy-2.4.6-69/policy/modules/services/cron.te 2007-05-30 08:57:20.000000000 +0100 @@ -73,7 +73,9 @@ # Cron Local policy # -allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control }; +allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; +logging_set_loginuid(crond_t) +logging_send_audit_msg(crond_t) dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; @@ -117,7 +119,7 @@ term_dontaudit_use_console(crond_t) # need auth_chkpwd to check for locked accounts. -auth_domtrans_chk_passwd(crond_t) +auth_domtrans_upd_passwd(crond_t) corecmd_exec_shell(crond_t) corecmd_list_sbin(crond_t) [root at topaz BUILD]# ... ... [root at topaz BUILD]# diff -uNr serefpolicy-2.4.6-57/policy/modules/system/authlogin.fc serefpolicy-2.4.6-69/policy/modules/system/authlogin.fc --- serefpolicy-2.4.6-57/policy/modules/system/authlogin.fc 2006-11-29 17:04:51.000000000 +0000 +++ serefpolicy-2.4.6-69/policy/modules/system/authlogin.fc 2007-05-30 08:57:20.000000000 +0100
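Review bot: in the first cron.te hunk (@@ -73,7 +73,9 @@), audit_control is dropped from the crond_t self:capability set and replaced by the two added interface calls logging_set_loginuid(crond_t) and logging_send_audit_msg(crond_t); confirm that those interfaces together grant the audit_control capability the removed word used to grant directly, because crond sets the login uid for every job it spawns and, if neither interface covers it, the swap silently takes that permission away from crond_t rather than moving it behind an interface.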
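Review bot: in the second cron.te hunk (@@ -117,7 +119,7 @@), swapping auth_domtrans_chk_passwd(crond_t) for auth_domtrans_upd_passwd(crond_t) removes crond's transition to unix_chkpwd while the comment kept above the line, "# need auth_chkpwd to check for locked accounts.", still describes the old behaviour; the AVC earlier in this mail (crond_t denied execute on chkpwd_exec_t, followed by pam_unix's "helper binary execve failed") shows that the pam_unix installed on this system still execs unix_chkpwd for the crond account check, so this hunk only works together with a pam that uses unix_update instead. Update the comment to say which helper is expected, and until the matching pam update ships keep auth_domtrans_chk_passwd(crond_t) next to the new line rather than replacing it, which is the breakage Ted reports.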
@@ -14,6 +14,7 @@ /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') [root at topaz BUILD]# ...

-- 
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/

From tmraz at redhat.com Wed May 30 09:19:24 2007
From: tmraz at redhat.com (Tomas Mraz)
Date: Wed, 30 May 2007 11:19:24 +0200
Subject: chkpwd_exec_t / crond issue in policy-2.4.6-69
In-Reply-To: <1180514917.3732.21.camel@topaz.bugfinder.co.uk>
References: <1180514917.3732.21.camel@topaz.bugfinder.co.uk>
Message-ID: <1180516764.15584.2.camel@perun.kabelta.loc>

On Wed, 2007-05-30 at 09:48 +0100, Ted Rule wrote:
> Looking at the policy changes for cron in policy 69, I see that the
> auth_domtrans_chk_passwd(crond_t) transition has been removed, ( see
> diff below ).
>
>
> By adding this entry back into the selinux policy for crond_t, I was
> apparently able to restore correct operation of cron:
>
> auth_domtrans_chk_passwd(crond_t)
>
>
> Is that the correct fix, or does the problem really lie in recoding
> crond itself to use unix_update instead of unix_chkpwd ??

Actually I just need to release update of pam in FC-6.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

From tony.molloy at ul.ie Wed May 30 10:36:26 2007
From: tony.molloy at ul.ie (Tony Molloy)
Date: Wed, 30 May 2007 11:36:26 +0100
Subject: AVC messages
Message-ID: <200705301136.26213.tony.molloy@ul.ie>

Hi,

I've got httpd running on CentOS-5 with all the latest update.

I'm getting the following AVC denied messages from SElinux. Now I don't want to disable SElinux for the httpd daemon as this server will be available on the internet.

1.

[root at alpha ~]# sealert -l 8c3ce37b-fbf3-459b-87d9-e4c4727276eb

Summary
SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to (httpd_t).

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for , restorecon -v .

Raw Audit Messages
avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2241 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=capability tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0

2.

[root at alpha ~]# sealert -l 87d837ba-bae0-4cbc-8a93-344e6dc67295

Summary
SELinux is preventing the /bin/netstat from using potentially mislabeled files net (proc_net_t).

Detailed Description
SELinux has denied the /bin/netstat access to potentially mislabeled files net. This means that SELinux will not allow http to use these files. Many third party apps install html files in directories that SELinux policy can not predict. These directories have to be labeled with a file context which httpd can accesss.

Allowing Access
If you want to change the file context of net so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t.net. You can look at the httpd_selinux man page for additional information.
Raw Audit Messages
avc: denied { read } for comm="netstat" dev=proc egid=0 euid=0 exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=2255 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0

3.

[root at alpha ~]# sealert -l b6d8bb36-32f7-4b10-9c09-331c6298fede

Summary
SELinux is preventing /bin/netstat (httpd_t) "create" access to (httpd_t).

Raw Audit Messages
avc: denied { create } for comm="netstat" egid=0 euid=0 exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2255 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=socket tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0

The test server seems to be working OK, so are these messages I can safely ignore. Alternatively how can I get rid of them without disabling SElinux for the httpd server.

Regards,

Tony

-- 
Tony Molloy.
System Manager.
Dept. of Comp. Sci.
University of Limerick

From ftaylor at redhat.com Wed May 30 13:25:33 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Wed, 30 May 2007 07:25:33 -0600
Subject: AVC messages
In-Reply-To: <200705301136.26213.tony.molloy@ul.ie>
References: <200705301136.26213.tony.molloy@ul.ie>
Message-ID: <1180531533.31613.29.camel@papa.taylor.com>

On Wed, 2007-05-30 at 11:36 +0100, Tony Molloy wrote:
> Hi,
>
> I've got httpd running on CentOS-5 with all the latest update.
>
> I'm getting the following AVC denied messages from SElinux. Now I
> don't want to disable SElinux for the httpd daemon as this server will
> be available on the internet.
>
> 1.
>
> [root at alpha ~]# sealert -l 8c3ce37b-fbf3-459b-87d9-e4c4727276eb
>
> Summary
> SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to
> (httpd_t).
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try
> to restore the default system file context for ,
> restorecon -v .
>
> Raw Audit Messages
> avc: denied { sys_nice } for comm="httpd" egid=0 euid=0
> exe="/usr/sbin/httpd"
> exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2241
> scontext=system_u:system_r:httpd_t:s0 sgid=0
> subj=system_u:system_r:httpd_t:s0
> suid=0 tclass=capability tcontext=system_u:system_r:httpd_t:s0 tty=
> (none) uid=0

Are you trying to set the nice level here?

> 2.
>
> [root at alpha ~]# sealert -l 87d837ba-bae0-4cbc-8a93-344e6dc67295
>
> Summary
> SELinux is preventing the /bin/netstat from using potentially
> mislabeled files net (proc_net_t).
>
> Detailed Description
> SELinux has denied the /bin/netstat access to potentially mislabeled
> files net. This means that SELinux will not allow http to use these
> files. Many third party apps install html files in directories that
> SELinux policy can not predict. These directories have to be labeled
> with a file context which httpd can accesss.
>
> Allowing Access
> If you want to change the file context of net so that the httpd daemon
> can access it, you need to execute it using
> chcon -t httpd_sys_content_t.net.
> You can look at the httpd_selinux man page for additional information.
>
> Raw Audit Messages
> avc: denied { read } for comm="netstat" dev=proc egid=0 euid=0
> exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net"
> pid=2255 scontext=system_u:system_r:httpd_t:s0 sgid=0
> subj=system_u:system_r:httpd_t:s0
> suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none)
> uid=0

Is netstat mislabeled, or is the web server trying to get to /proc/net? What does `ls -Z /bin/netstat` show?

> 3.
>
> [root at alpha ~]# sealert -l b6d8bb36-32f7-4b10-9c09-331c6298fede
>
> Summary
> SELinux is preventing /bin/netstat (httpd_t) "create" access to
> (httpd_t).
>
> Raw Audit Messages
> avc: denied { create } for comm="netstat" egid=0 euid=0
> exe="/bin/netstat"
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2255
> scontext=system_u:system_r:httpd_t:s0 sgid=0
> subj=system_u:system_r:httpd_t:s0
> suid=0 tclass=socket tcontext=system_u:system_r:httpd_t:s0 tty=(none)
> uid=0
>
> The test server seems to be working OK, so are these messages I can
> safely ignore. Alternatively how can I get rid of them without
> disabling SElinux for the httpd server.

I am curious about these netstat errors. Are you running something on your web server that is running netstat? It is fairly easy to setup some rules to ignore these errors, but you should investigate them first.

Forrest

From dwalsh at redhat.com Wed May 30 17:01:58 2007
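The procedure Dan Walsh gave earlier in this thread for the xend denials (grep the audit log for the domain, feed it to audit2allow -M, load the module with semodule -i) and Forrest's advice here to investigate the httpd denials before allowing them, as an added example that is not part of the list discussion and not the audit2allow tool itself: a small Python script that parses AVC records, merges them into audit2allow-style allow rules per source domain, and flags the denials that deserve a look first (a program running in a domain it does not belong to, like netstat inside httpd_t; capability denials; denials on generic file types, which usually mean the object is mislabeled rather than the domain under-privileged). The sample log is constructed from the denials quoted in this thread; the list of generic file types and the map of which program is expected in which domain are assumptions of the example.

```python
"""Draft audit2allow-style rules from AVC denials and flag the ones to look
at before allowing them.  Added example for this thread, not Fedora tooling."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the denials quoted in this thread
# (xend execing bash; httpd's sys_nice denial; netstat run inside httpd_t).
# The SYSCALL record is there to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1180381236.512:338): avc: denied { execute } for pid=7781 comm="python" name="bash" dev=dm-0 ino=1376288 scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1180381236.664:339): avc: denied { execute } for pid=7793 comm="python" name="bash" dev=dm-0 ino=1376288 scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1180531533.100:340): avc: denied { sys_nice } for pid=2241 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1180531533.200:341): avc: denied { read } for pid=2255 comm="netstat" name="net" dev=proc scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1180531533.300:342): avc: denied { create } for pid=2255 comm="netstat" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=socket
type=SYSCALL msg=audit(1180531533.300:342): arch=40000003 syscall=102 success=no exit=-13 comm="netstat"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (assumption of this example): a denial whose target carries one of
# these catch-all types usually means the object is mislabeled, so the answer
# is restorecon or a file context rule, not an allow rule for the domain.
GENERIC_FILE_TYPES = {"usr_t", "var_t", "tmp_t", "etc_t", "default_t", "unlabeled_t", "file_t"}


def context_type(ctx):
    """user:role:type[:mls] -> type"""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "sdomain": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def generate_rules(records, domain):
    """Merge the denials for one source domain into allow rules, the way
    `grep domain audit.log | audit2allow` does (same target type and class
    collapse into one rule; a target equal to the domain becomes `self`)."""
    perms = defaultdict(set)
    for r in records:
        if r["sdomain"] != domain:
            continue
        ttype = "self" if r["ttype"] == domain else r["ttype"]
        perms[(ttype, r["tclass"])].update(r["perms"])
    return [
        f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(p))} }};"
        for (ttype, tclass), p in sorted(perms.items())
    ]


def triage(record, expected_comm):
    """Reasons to investigate a denial before writing a rule for it.
    expected_comm maps a domain to the programs that legitimately run in it
    (assumed map, e.g. {"httpd_t": {"httpd"}}); unknown domains are not flagged."""
    notes = []
    if record["comm"] not in expected_comm.get(record["sdomain"], {record["comm"]}):
        notes.append(f"{record['comm']} executed inside {record['sdomain']}: "
                     "a script or child process spawned it; find out what")
    if record["tclass"] == "capability":
        notes.append(f"capability {' '.join(record['perms'])}: confirm the program "
                     "really needs it before granting it to the whole domain")
    if record["tclass"] in ("file", "dir") and record["ttype"] in GENERIC_FILE_TYPES:
        notes.append(f"target type {record['ttype']} is generic: check the label "
                     "(ls -Z, restorecon) instead of allowing access to that type")
    return notes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    expected = {"httpd_t": {"httpd"}, "xend_t": {"python"}}
    for domain in ("xend_t", "httpd_t"):
        print(f"# local module draft for {domain}")
        print("\n".join(generate_rules(recs, domain)))
    for r in recs:
        for note in triage(r, expected):
            print(f"INVESTIGATE {r['sdomain']} {r['tclass']} {r['perms']}: {note}")
```

Run against the sample, the xend denials collapse into the single rule Dan's audit2allow module would contain, while two of the three httpd denials are reported for investigation before any rule is written: netstat running inside httpd_t is exactly the question Forrest raises. The same parser handles the file-type check on denials like the LVM agent writing to usr_t later in this digest.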
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 30 May 2007 13:01:58 -0400
Subject: avc denial using runuser from initrc_exec_t
In-Reply-To: <465C855F.1060905@noggle.biz>
References: <46574426.50808@noggle.biz> <465C5BAA.8040500@redhat.com> <465C855F.1060905@noggle.biz>
Message-ID: <465DAE06.3040109@redhat.com>

Philip Tricca wrote:
> Daniel J Walsh wrote:
>> Philip Tricca wrote:
>>> I'm trying to fix up an init script to play nice with SELinux (strict
>>> policy 2.6.6-69.fc6). Digging through mailing list archives I found
>>> recommendations to replace the use of su with /sbin/runuser for the
>>> change from root to a lesser privileged user. My problem comes when
>>> calling /sbin/runuser. I get 2 avcs:
>>>
>>> type=AVC msg=audit(blah): avc: denied { search } for pid=XXXX
>>> comm="runuser" scontext=system_u:system_r:initrc_t:s0
>>> tcontext=system_u:system_r:local_login_ts0-s0:c0.c1023 tclass=key
>>>
>>> type=AVC msg=audit(blah): avc: denied { create } for pid=XXXX
>>> comm="runuser" scontext=system_u:system_r:initrc_t:s0
>>> tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_audit_socket
>>>
>>> Every daemon on my system seems to set its own uid (has allow X_t
>>> self:capability { ... setuid setgid ...}) so I've been unable to
>>> find an example of an init script (initrc_exec_t) that uses
>>> runuser. From what I've gathered this would require adding some
>>> permissions to the initrc_t domain, so either I'm doing something
>>> wrong (the likely case) or if runuser is intended to be used from
>>> init scripts (it is used in /etc/init.d/functions) then initrc_t
>>> should have these privileges ... any thoughts?
>>>
>>> TIA,
>>> - Philip
>>>
>> What was the original reason for attempting any of this?
>
> I'm attempting to run a daemon of my own creation (a java web-app
> running in a tomcat container) in a strict policy domain of my own
> creation as well.
>
>> What avc's are you seeing in your applications?
>
> My script initially used "su" to give up root permissions for my
> web-app (run as a less privileged user). Running the "su" command in
> my script gives an avc:
>
>
> type=AVC msg=audit(blah): avc: denied { search } for pid=2616
> comm="su" scontext=system_u:system_r:initrc_su_t:s0
> tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=key
>
>
Ok this is caused because local_login has created a key ring that future authentication domains will look at (I believe). This would not happen on boot up since init would have started the domain directly.

> The script was still able to run my web-app as the lesser privileged
> user (avc did not prevent "su" from doing its job). Hoping to
> eliminate this AVC without using an ignore rule or pushing changes
> into the initrc_su_t domain I started searching through mailing list
> archives and ran across recommendations to use the "runuser" program
> in place of "su".
> ref:
> https://www.redhat.com/archives/fedora-selinux-list/2004-October/msg00007.html
>
>
> This however resulted in the two AVCs listed in my original message,
> and a script unable to switch to the lesser privileged user. I
> thought this to be strange since runuser is used as part of the FC6
> LSB functions in /etc/init.d/functions (specifically the daemon ()
> function). I guess no one is using that function and the current
> strict policy?
>
>> If you are running your own daemons, they should just work and not
>> need you to change anything.
>
> Correct, my script as written used "su" and that worked, though it
> did result in the one AVC noted above. Attempting to use "runuser" in
> place of "su" in starting my daemon (which transitions into its own
> domain) is where I ran into this problem.
>
> I figured I'd query the list to see if anyone had thoughts as to which
> should be used in an init script for starting a daemon (this seems to
> be "su" since it works with the existing init/initrc policy and
> "runuser" doesn't).
>
>> In targeted policy at least.)
>
> I haven't tried this in targeted policy so I can't say whether or not
> that would work. I'm using strict policy version 2.6.6-69.fc6 as
> noted in my initial message.
>
The problem is that runuser does not have a policy defined for it and in strict policy initrc_t does not have setuid capability. So it cannot run runuser. I think the real fix would be to add a policy for runuser or add setuid for initrc_t.

> Thanks for the quick response!
> - Philip

From dwalsh at redhat.com Wed May 30 17:10:20 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 30 May 2007 13:10:20 -0400
Subject: setroubleshootd AVC denials???
In-Reply-To:
References: <1180475220.10041.34.camel@finch.boston.redhat.com>
Message-ID: <465DAFFC.6050906@redhat.com>

Matej Cepl wrote:
> On 2007-05-29, 21:47 GMT, John Dennis wrote:
>
>> updated bz with instructions on how to check if setroubleshootd
>> is running which is the most plausible explanation for why
>> sealert cannot connect.
>>
>
> Nonsense, of course it is and it was running. sealert has been
> now for the last five minutes trying to get connection to
> setroubleshootd (or wherever, showing ``Server load'' message all
> the time).
>
>
>>> and I have put my audit.log on
>>> http://www.ceplovi.cz/matej/tmp/audit.log.bz2
>>>
>> Hmm... I get: 403 Permission denied
>>
>
> That should be fixed and it has been attached to the bug 215722
> as well (although, we should really make from it a new bug; this
> one used to be around selinux problems with postfix -- which are
> not fixed anyway).
>
> Matej
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
What platform are you seeing these on. execmem execstack should not be required for setroubleshoot.

Looks like avahi is trying to communicate with dbus running as unconfined_execmem_t?

You seem to be running a script from hal called hibernate?

From mcepl at redhat.com Wed May 30 20:32:21 2007
From: mcepl at redhat.com (Matej Cepl)
Date: Wed, 30 May 2007 22:32:21 +0200
Subject: setroubleshootd AVC denials???
References: <1180475220.10041.34.camel@finch.boston.redhat.com> <465DAFFC.6050906@redhat.com>
Message-ID:

On 2007-05-30, 17:10 GMT, Daniel J Walsh wrote:
> What platform are you seeing these on.

i386, actually Dell Inspiron 2200 (a cheap notebook)

> execmem execstack should not be required for setroubleshoot.

What can I say?

> Looks like avahi is trying to communicate with dbus running as
> unconfined_execmem_t?

Again, there shouldn't be anything special about avahi.

> You seem to be running a script from hal called hibernate?

Actually, this might be the only modification of the system -- I use a modified kernel from http://mhensler.de/swsusp/ (the only difference from stock kernels should be suspend2 patch -- http://www.suspend2.net/ ) and it has some modified utilities as well, among which is a shell script hibernate (switching off services, removing modules, and in other ways making computer palatable for suspending process) and modified pm-utils, which are probably running hibernate instead of whatever-is-a-standard suspend process in out-of-stock Fedora. If pm-utils are using hal to run hibernate, I have no idea.

Am I the only one running suspend2 with SELinux on? Does it make any sense?

Matej

From selinux at gmail.com Thu May 31 00:36:51 2007
From: selinux at gmail.com (Tom London)
Date: Wed, 30 May 2007 17:36:51 -0700
Subject: Error spew from today's rawhide....
Message-ID: <4c4ba1530705301736r119dc4b8u26fa083346863780@mail.gmail.com>

Got this with today's rawhide:

Updating : selinux-policy-targeted ##################### [ 51/150]
usage: /sbin/setfiles [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...
usage: /sbin/setfiles -c policyfile spec_file
usage: /sbin/setfiles -s [-dnqvW] [-o filename ] spec_file
libsemanage.semanage_install_active: setfiles returned error code 1.
libsepol.sepol_genbools_array: boolean httpd_can_sendmail no longer in policy
usage: /sbin/setfiles [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...
usage: /sbin/setfiles -c policyfile spec_file
usage: /sbin/setfiles -s [-dnqvW] [-o filename ] spec_file
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
Updating : logwatch ##################### [ 52/150]

This was updating to 2.6.5-2.fc8

tom

-- 
Tom London

From mantaray_1 at cox.net Thu May 31 00:47:51 2007
From: mantaray_1 at cox.net (Ken)
Date: Wed, 30 May 2007 17:47:51 -0700
Subject: SELinux Permission Documentation
Message-ID: <465E1B37.30102@cox.net>

What can be sent and received as rawip to and from kernel_t, and what are the limitations of what can be done with the data?

I am interested in understanding the security implications of this (and other) SELinux permissions. Is there anyone who can direct me to reference materials that explain the security implications of allowing various SELinux permissions?

From ian-list at securitypimp.com Thu May 31 16:26:49 2007
From: ian-list at securitypimp.com (Ian Lists)
Date: Thu, 31 May 2007 16:26:49 +0000 (UTC)
Subject: VGScan and LVScan writing to tmp files
Message-ID: <32398266.281180628809376.JavaMail.root@postal.insourcedsecurity.com>

I am running into an issue on several RHEL5 servers when installing a Veritas ECC agent. It appears that the agent is trying to use LVM commands to write to a temp file and SELinux is preventing it. Does anyone have any ideas on how to resolve this issue?

Thanks,
Ian

type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) : path=/usr/ecc/exec/MLR520/Out_file_1.tmp
type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) : path=/usr/ecc/exec/MLR520/Err_file_2.tmp
type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) : path=/usr/ecc/exec/MLR520/Out_file_1.tmp
type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) : path=/usr/ecc/exec/MLR520/Err_file_2.tmp
type=SYSCALL msg=audit(05/31/2007 15:28:24.750:1074) : arch=i386 syscall=execve success=yes exit=0 a0=8191df0 a1=8191e48 a2=8191ea0 a3=8191e48 items=0 ppid=18497 pid=18518 auid=imarks uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=vgscan exe=/sbin/lvm.static subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc: denied { write } for pid=18518 comm=vgscan name=Err_file_2.tmp dev=dm-4 ino=382125 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc: denied { write } for pid=18518 comm=vgscan name=Out_file_1.tmp dev=dm-4 ino=382124 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc: denied { write } for pid=18518 comm=vgscan name=Err_file_2.tmp dev=dm-4 ino=382125 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc: denied { write } for pid=18518 comm=vgscan name=Out_file_1.tmp dev=dm-4 ino=382124 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(05/31/2007 15:32:17.305:1121) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8440c70 a1=8042 a2=1ff a3=8042 items=0 ppid=18962 pid=18997 auid=imarks uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=lvm exe=/usr/sbin/lvm subj=user_u:system_r:lvm_t:s0 key=(null)
type=AVC msg=audit(05/31/2007 15:32:17.305:1121) : avc: denied { write } for pid=18997 comm=lvm name=.cache dev=dm-0 ino=7003 scontext=user_u:system_r:lvm_t:s0 tcontext=root:object_r:lvm_etc_t:s0 tclass=file

From ian-list at securitypimp.com Thu May 31 17:15:30 2007
From: ian-list at securitypimp.com (Ian Lists)
Date: Thu, 31 May 2007 17:15:30 +0000 (UTC)
Subject: VGScan and LVScan writing to tmp files
In-Reply-To: <32398266.281180628809376.JavaMail.root@postal.insourcedsecurity.com>
Message-ID: <20607963.371180631730227.JavaMail.root@postal.insourcedsecurity.com>

Correction, it's EMC ECC Agent, not Veritas.

----- Original Message -----
From: "Ian Lists"
To: fedora-selinux-list at redhat.com
Sent: Thursday, May 31, 2007 12:26:49 PM (GMT-0500) America/New_York
Subject: VGScan and LVScan writing to tmp files

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Thu May 31 18:26:44 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 31 May 2007 14:26:44 -0400
Subject: VGScan and LVScan writing to tmp files
In-Reply-To: <32398266.281180628809376.JavaMail.root@postal.insourcedsecurity.com>
References: <32398266.281180628809376.JavaMail.root@postal.insourcedsecurity.com>
Message-ID: <465F1364.9050005@redhat.com>

Ian Lists wrote:
> I am running into an issue on several RHEL5 servers when installing a Veritas ECC agent. It appears that the agent is trying to use LVM commands to write to a temp file and SELinux is preventing it. Does anyone have any ideas on how to resolve this issue?
>
> Thanks,
> Ian
>
> type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) : path=/usr/ecc/exec/MLR520/Out_file_1.tmp
> type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) : path=/usr/ecc/exec/MLR520/Err_file_2.tmp
> type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) : path=/usr/ecc/exec/MLR520/Out_file_1.tmp
> type=AVC_PATH msg=audit(05/31/2007 15:28:24.750:1074) : path=/usr/ecc/exec/MLR520/Err_file_2.tmp
> type=SYSCALL msg=audit(05/31/2007 15:28:24.750:1074) : arch=i386 syscall=execve success=yes exit=0 a0=8191df0 a1=8191e48 a2=8191ea0 a3=8191e48 items=0 ppid=18497 pid=18518 auid=imarks uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=vgscan exe=/sbin/lvm.static subj=user_u:system_r:lvm_t:s0 key=(null)
> type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc: denied { write } for pid=18518 comm=vgscan name=Err_file_2.tmp dev=dm-4 ino=382125 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc: denied { write } for pid=18518 comm=vgscan name=Out_file_1.tmp dev=dm-4 ino=382124 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc: denied { write } for pid=18518 comm=vgscan name=Err_file_2.tmp dev=dm-4 ino=382125 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(05/31/2007 15:28:24.750:1074) : avc: denied { write } for pid=18518 comm=vgscan name=Out_file_1.tmp dev=dm-4 ino=382124 scontext=user_u:system_r:lvm_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
>
> type=SYSCALL msg=audit(05/31/2007 15:32:17.305:1121) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8440c70 a1=8042 a2=1ff a3=8042 items=0 ppid=18962 pid=18997 auid=imarks uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 comm=lvm exe=/usr/sbin/lvm subj=user_u:system_r:lvm_t:s0 key=(null)
> type=AVC msg=audit(05/31/2007 15:32:17.305:1121) : avc: denied { write } for pid=18997 comm=lvm name=.cache dev=dm-0 ino=7003 scontext=user_u:system_r:lvm_t:s0 tcontext=root:object_r:lvm_etc_t:s0 tclass=file
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

The following commands should make it work.

# restorecon -R -v /etc/lvm
# semanage fcontext -a -t lvm_tmp_t '/usr/ecc/exec/MLR520(/.*)?'
# restorecon -R -v /usr/ecc/exec

From ian-list at securitypimp.com Thu May 31 19:42:44 2007
From: ian-list at securitypimp.com (Ian Lists)
Date: Thu, 31 May 2007 19:42:44 +0000 (UTC)
Subject: VGScan and LVScan writing to tmp files
In-Reply-To: <465F1364.9050005@redhat.com>
Message-ID: <31977486.401180640564803.JavaMail.root@postal.insourcedsecurity.com>

Thank you, that worked great!

----- Original Message -----
From: "Daniel J Walsh"
To: "Ian Lists"
Cc: fedora-selinux-list at redhat.com
Sent: Thursday, May 31, 2007 2:26:44 PM (GMT-0500) America/New_York
Subject: Re: VGScan and LVScan writing to tmp files