From fedora01 at grifent.com Thu Nov 1 14:58:19 2007
From: fedora01 at grifent.com (John Griffiths)
Date: Thu, 01 Nov 2007 10:58:19 -0400
Subject: SMTP-AUTH
Message-ID: <4729E98B.101@grifent.com>

I am trying to use dovecot with postfix to provide smtp-auth. The instructions provided by postfix at http://www.postfix.org/SASL_README.html work perfectly in Fedora Core 6. Using the exact same procedure in Fedora 7 results in some conflicts between dovecot_auth_t and postfix_private_t.

Since using Dovecot for SASL smtp-auth is the preferred way according to Postfix, I suspect there must be something I am missing or maybe there is an oversight in the policies.

Using sealert -l on the denial for dovecot results in:

Summary
SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t) "write" to auth (postfix_private_t).

Detailed Description
SELinux denied access requested by /usr/libexec/dovecot/dovecot-auth. It is not expected that this access is required by /usr/libexec/dovecot/dovecot-auth and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for auth,
restorecon -v auth
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information

Source Context                system_u:system_r:dovecot_auth_t
Target Context                root:object_r:postfix_private_t
Target Objects                auth [ sock_file ]
Affected RPM Packages         dovecot-1.0.5-15.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-48.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     gei.internal.grifent.com
Platform                      Linux gei.internal.grifent.com 2.6.23.1-10.fc7 #1 SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
Alert Count                   2
First Seen                    Wed Oct 31 03:39:55 2007
Last Seen                     Wed Oct 31 11:55:12 2007
Local ID                      8b0a6068-b654-4151-b82e-c149d3b9d57b
Line Numbers

Raw Audit Messages

avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0 exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0 subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0

Dovecot writes a socket to /var/spool/postfix/private/auth with permissions of 660. This is done when dovecot starts and on FC6, the file is transitioned to be owned by postfix with a group of postfix. The transition of owner/group does not happen on Fedora 7.

The auth socket is necessary to do smtp-auth.

Did I miss something in the configuration on Fedora 7?

Regards,
John

From dwalsh at redhat.com Thu Nov 1 17:57:01 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 01 Nov 2007 13:57:01 -0400
Subject: unconfined_execmem_t transitions to unconfined_t
In-Reply-To: <4c4ba1530710300721qef071ek5e7a2bcd7e1c48f5@mail.gmail.com>
References: <4c4ba1530710300721qef071ek5e7a2bcd7e1c48f5@mail.gmail.com>
Message-ID: <472A136D.2040709@redhat.com>

Tom London wrote:
> Running latest rawhide, targeted/enforcing.
>
> Are there any issues allowing transition from 'unconfined_execmem_t'
> to 'unconfined_t'?
>
> /usr/bin/valgrind is 'unconfined_execmem_exec_t', so running
> 'valgrind system-config-users' or
> 'PYTHONPATH=/usr/share/system-config-users valgrind /usr/bin/python
> /usr/share/system-config-users/system-config-users.py'
>
> produces:
>
> Summary
> SELinux is preventing userhelper (unconfined_execmem_t) "transition" to
> /usr/share/system-config-users/system-config-users (unconfined_t).
>
> Detailed Description
> SELinux denied access requested by userhelper. It is not expected that this
> access is required by userhelper and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of
> the application is causing it to require additional access.
>
> Allowing Access
> You can generate a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:unconfined_execmem_t
> Target Context                system_u:system_r:unconfined_t
> Target Objects                /usr/share/system-config-users/system-config-users
>                               [ process ]
> Affected RPM Packages         system-config-users-1.2.72-1.fc8 [target]
> Policy RPM                    selinux-policy-3.0.8-40.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.23.1-41.fc8 #1 SMP
>                               Mon Oct 29 18:29:15 EDT 2007 i686 i686
> Alert Count                   2
> First Seen                    Tue 30 Oct 2007 07:08:40 AM PDT
> Last Seen                     Tue 30 Oct 2007 07:09:35 AM PDT
> Local ID                      c1b26ecd-2d55-4e55-85bd-46f718634fce
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { transition } for comm=userhelper dev=dm-0 path=/usr/share/system-config-users/system-config-users pid=5742
> scontext=system_u:system_r:unconfined_execmem_t:s0 tclass=process
> tcontext=system_u:system_r:unconfined_t:s0
>
>

No this should be allowed.

selinux-policy-3.0.8-45.fc8.src.rpm

From dwalsh at redhat.com Thu Nov 1 18:10:44 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 01 Nov 2007 14:10:44 -0400
Subject: Another problem with "avc: denied" messages
In-Reply-To: <4725D4CF.3020203@smallworld.cx>
References: <4725D4CF.3020203@smallworld.cx>
Message-ID: <472A16A4.8070303@redhat.com>

Ian Leonard wrote:
> Hi,
>
> I have a web app that will create xml files. It has been running for a
> while now but has suddenly started giving errors as per below (I guess a
> maintenance update did it).
>
> audit(1193660948.194:421): avc: denied { write } for pid=3358
> comm="eco_upload.cgi" name="2007-10.xml" dev=dm-0 ino=58753075
> scontext=system_u:system_r:httpd_t:s0
> tcontext=user_u:object_r:var_lib_t:s0 tclass=file
>
> My minimal selinux knowledge has allowed me to fix the problem with the
> file, but a new file is created once a month. I am guessing that next
> month I will have the same problem.
>
> I guess I need to do something to the cgi script to allow it to create
> the files.
>
>
> Any advice appreciated.
>

What directory does this file get created in? If this directory was labeled httpd_sys_content_rw_t it would work.

For example if the directory was /var/lib/eco then

chcon -R -t httpd_sys_content_rw_t /var/lib/eco/

From rauch at totalnetsolutions.net Fri Nov 2 18:58:18 2007
From: rauch at totalnetsolutions.net (Robert C. Auch)
Date: Fri, 2 Nov 2007 13:58:18 -0500
Subject: selinux-policy-targeted-2.6.4-49.fc7 blocking httpd from sendmail.postfix
Message-ID: <097CDDB70866A24CB3D48CC2713EA0230EE311@tns01.totalnetsolutions.net>

I just installed a Fedora Core 7 box, ran yum update yesterday, and installed php5 and apache 2.2.6. SELinux is in Enforcing mode, and is blocking PHP's mail() function from sending:

Nov 2 11:05:41 webserver setroubleshoot: SELinux is preventing the sh from using potentially mislabeled files sendmail.postfix (sendmail_exec_t). For complete SELinux messages.
run sealert -l c9001c48-5d48-4b7c-9fd7-8400544daa8f

sealert says:

Source Context                user_u:system_r:httpd_t
Target Context                system_u:object_r:sendmail_exec_t
Target Objects                /usr/sbin/sendmail.postfix [ file ]
Affected RPM Packages         postfix-2.4.3-2.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-48.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_bad_labels

If I follow sealert's suggestion and "chcon -t httpd_sys_content_t /usr/sbin/sendmail.postfix", then I get the following (expected to me) errors in /var/log/messages on "service postfix restart":

Nov 2 13:38:25 $(server) setroubleshoot: SELinux is preventing postfix-script (postfix_master_t) "getattr" to /usr/sbin/sendmail.postfix (httpd_sys_content_t). For complete SELinux messages. run sealert -l b8bea1cd-10eb-40bc-8d5b-2031b5bceabe

According to this post: https://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033.html, this problem has been seen before and was fixed in selinux-policy-targeted-1.19.8-1. Has that fix been lost, or am I seeing something new?

Thanks,
Robert Auch

From paul at city-fan.org Sat Nov 3 15:56:32 2007
From: paul at city-fan.org (Paul Howarth)
Date: Sat, 3 Nov 2007 15:56:32 +0000
Subject: selinux-policy-targeted-2.6.4-49.fc7 blocking httpd from sendmail.postfix
In-Reply-To: <097CDDB70866A24CB3D48CC2713EA0230EE311@tns01.totalnetsolutions.net>
References: <097CDDB70866A24CB3D48CC2713EA0230EE311@tns01.totalnetsolutions.net>
Message-ID: <20071103155632.55de9b2f@metropolis.intra.city-fan.org>

On Fri, 2 Nov 2007 13:58:18 -0500
"Robert C. Auch" wrote:

> I just installed a Fedora Core 7 box, ran yum update yesterday, and
> installed php5 and apache 2.2.6.
> SELinux is in Enforcing mode, and
> is blocking PHP's mail() function from sending:
>
> Nov 2 11:05:41 webserver setroubleshoot: SELinux is preventing
> the sh from using potentially mislabeled files sendmail.postfix
> (sendmail_exec_t). For complete SELinux messages. run sealert -l
> c9001c48-5d48-4b7c-9fd7-8400544daa8f
>
> sealert says:
> Source Context                user_u:system_r:httpd_t
> Target Context                system_u:object_r:sendmail_exec_t
> Target Objects                /usr/sbin/sendmail.postfix [ file ]
> Affected RPM Packages         postfix-2.4.3-2.fc7 [target]
> Policy RPM                    selinux-policy-2.6.4-48.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.httpd_bad_labels
>
> If I follow sealert's suggestion and "chcon -t
> httpd_sys_content_t /usr/sbin/sendmail.postfix", then I get the
> following (expected to me) errors in /var/log/messages on "service
> postfix restart": Nov 2 13:38:25 $(server) setroubleshoot:
> SELinux is preventing postfix-script (postfix_master_t) "getattr"
> to /usr/sbin/sendmail.postfix (httpd_sys_content_t). For
> complete SELinux messages. run sealert -l
> b8bea1cd-10eb-40bc-8d5b-2031b5bceabe
>
> According to this post:
> https://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033.html,
> this problem has been seen before and was fixed in
> selinux-policy-targeted-1.19.8-1. Has that fix been lost, or am I
> seeing something new?

The context change is definitely the wrong thing to do here; you'll need to change it back to system_u:object_r:sendmail_exec_t.

Make sure you have the httpd_can_sendmail and httpd_builtin_scripting booleans set:

# setsebool -P httpd_can_sendmail 1
# setsebool -P httpd_builtin_scripting 1

Paul.
From anebi at iguanait.com Mon Nov 5 14:20:30 2007
From: anebi at iguanait.com (Ali Nebi)
Date: Mon, 05 Nov 2007 16:20:30 +0200
Subject: How to solve these audit messages
In-Reply-To: <20071103160012.C6FA373003@hormel.redhat.com>
References: <20071103160012.C6FA373003@hormel.redhat.com>
Message-ID: <1194272430.18410.19.camel@hugo.iguanait.com>

Hi,

I want to ask about 2 strange audit messages. The messages are these:

Nov 5 14:14:24 asgard kernel: audit(1194268464.097:309): avc: denied { search } for pid=22933 comm="sh" name="src" dev=dm-0 ino=5244065 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0 tclass=dir
Nov 5 14:14:24 asgard kernel: audit(1194268464.124:310): avc: denied { getattr } for pid=22933 comm="sh" name="SPECS" dev=dm-0 ino=5865755 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0 tclass=dir

I don't know the reason for sh to try to do something in /usr/src and /usr/src/redhat/SPEC.

We have not set up any script that has a task to do something in these directories. Is it possible that this is some hack attack?

Also I see that the scontext is this: scontext=root:system_r:httpd_t:s0. Is it possible to find out where the file is that tries to use "sh"?

Also the audits:

Nov 5 12:03:07 casamerica kernel: audit(1194260587.185:40): avc: denied { read write } for pid=26690 comm="listinfo" name="" dev=sockfs ino=1414447 scontext=system_u:system_r:mailman_cgi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket

I have some similar messages related with mailman. What is the best that I can do to solve these messages?

Thanks in advance!

From rauch at totalnetsolutions.net Mon Nov 5 17:25:30 2007
From: rauch at totalnetsolutions.net (Robert C. Auch)
Date: Mon, 5 Nov 2007 11:25:30 -0600
Subject: selinux-policy-targeted-2.6.4-49.fc7 blocking httpd from sendmail.postfix
References: <097CDDB70866A24CB3D48CC2713EA0230EE311@tns01.totalnetsolutions.net> <20071103155632.55de9b2f@metropolis.intra.city-fan.org>
Message-ID: <097CDDB70866A24CB3D48CC2713EA0230EE313@tns01.totalnetsolutions.net>

That's it, thanks!

-----Original Message-----
From: Paul Howarth [mailto:paul at city-fan.org]
Sent: Sat 11/3/2007 10:56 AM
To: Robert C. Auch
Cc: fedora-selinux-list at redhat.com
Subject: Re: selinux-policy-targeted-2.6.4-49.fc7 blocking httpd from sendmail.postfix

On Fri, 2 Nov 2007 13:58:18 -0500
"Robert C. Auch" wrote:

> I just installed a Fedora Core 7 box, ran yum update yesterday, and
> installed php5 and apache 2.2.6. SELinux is in Enforcing mode, and
> is blocking PHP's mail() function from sending:
>
> Nov 2 11:05:41 webserver setroubleshoot: SELinux is preventing
> the sh from using potentially mislabeled files sendmail.postfix
> (sendmail_exec_t). For complete SELinux messages. run sealert -l
> c9001c48-5d48-4b7c-9fd7-8400544daa8f
>
> sealert says:
> Source Context                user_u:system_r:httpd_t
> Target Context                system_u:object_r:sendmail_exec_t
> Target Objects                /usr/sbin/sendmail.postfix [ file ]
> Affected RPM Packages         postfix-2.4.3-2.fc7 [target]
> Policy RPM                    selinux-policy-2.6.4-48.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.httpd_bad_labels
>
> If I follow sealert's suggestion and "chcon -t
> httpd_sys_content_t /usr/sbin/sendmail.postfix", then I get the
> following (expected to me) errors in /var/log/messages on "service
> postfix restart": Nov 2 13:38:25 $(server) setroubleshoot:
> SELinux is preventing postfix-script (postfix_master_t) "getattr"
> to /usr/sbin/sendmail.postfix (httpd_sys_content_t). For
> complete SELinux messages.
> run sealert -l
> b8bea1cd-10eb-40bc-8d5b-2031b5bceabe
>
> According to this post:
> https://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033.html,
> this problem has been seen before and was fixed in
> selinux-policy-targeted-1.19.8-1. Has that fix been lost, or am I
> seeing something new?

The context change is definitely the wrong thing to do here; you'll need to change it back to system_u:object_r:sendmail_exec_t.

Make sure you have the httpd_can_sendmail and httpd_builtin_scripting booleans set:

# setsebool -P httpd_can_sendmail 1
# setsebool -P httpd_builtin_scripting 1

Paul.

From dwalsh at redhat.com Tue Nov 6 15:22:26 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 06 Nov 2007 10:22:26 -0500
Subject: How to solve these audit messages
In-Reply-To: <1194272430.18410.19.camel@hugo.iguanait.com>
References: <20071103160012.C6FA373003@hormel.redhat.com> <1194272430.18410.19.camel@hugo.iguanait.com>
Message-ID: <473086B2.4000401@redhat.com>

Ali Nebi wrote:
> Hi,
>
> I want to ask about 2 strange audit messages. The messages are these:
>
> Nov 5 14:14:24 asgard kernel: audit(1194268464.097:309): avc: denied
> { search } for pid=22933 comm="sh" name="src" dev=dm-0 ino=5244065
> scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0
> tclass=dir
> Nov 5 14:14:24 asgard kernel: audit(1194268464.124:310): avc: denied
> { getattr } for pid=22933 comm="sh" name="SPECS" dev=dm-0 ino=5865755
> scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:src_t:s0
> tclass=dir
>
> I don't know the reason for sh to try to do something in /usr/src
> and /usr/src/redhat/SPEC.
>
> We have not set up any script that has a task to do something in these
> directories. Is it possible that this is some hack attack?
> Also I see that
> the scontext is this: scontext=root:system_r:httpd_t:s0. Is it possible to
> find out where the file is that tries to use "sh"?
>
> Also the audits:
>
> Nov 5 12:03:07 casamerica kernel: audit(1194260587.185:40): avc:
> denied { read write } for pid=26690 comm="listinfo" name="" dev=sockfs
> ino=1414447 scontext=system_u:system_r:mailman_cgi_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
>
> I have some similar messages related with mailman. What is the best
> that I can do to solve these messages?
>
> Thanks in advance!
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I guess that you are running some mod_(php, perl)? script that is trying to look at /usr/src/redhat/SPEC. This is all the info we get from the kernel. I don't know if this is a problem or not.

The other avc is a leaked file descriptor in httpd and could be dontaudited in mailman_cgi_t. It can safely be ignored.

From gene.heskett at verizon.net Wed Nov 7 14:43:50 2007
From: gene.heskett at verizon.net (Gene Heskett)
Date: Wed, 07 Nov 2007 09:43:50 -0500
Subject: selinux autorelabel and amanda
Message-ID: <200711070943.50077.gene.heskett@verizon.net>

Greetings;

I got bit pretty hard last night after installing 2.6.24-rc2, and it took about an hour to relabel the whole system.

That was ok, and the logs are quieter now, but when it came time to run amanda, the relabel had apparently changed the ctime of everything on the system, so amanda tried to do all incrementals at level 0, and failed of course because the vtape was only 1/4 the size of the system.
That flushed, and a couple more runs and it will be back to normal, but it seems to me that there should be an option to preserve ctimes when relabeling.

Is that even possible?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The San Diego Freeway. Official Parking Lot of the 1984 Olympics!

From sds at tycho.nsa.gov Wed Nov 7 15:25:55 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 07 Nov 2007 10:25:55 -0500
Subject: selinux autorelabel and amanda
In-Reply-To: <200711070943.50077.gene.heskett@verizon.net>
References: <200711070943.50077.gene.heskett@verizon.net>
Message-ID: <1194449155.3956.41.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-11-07 at 09:43 -0500, Gene Heskett wrote:
> Greetings;
>
> I got bit pretty hard last night after installing 2.6.24-rc2, and it took
> about an hour to relabel the whole system.
>
> That was ok, and the logs are quieter now, but when it came time to run
> amanda, the relabel had apparently changed the ctime of everything on the
> system, so amanda tried to do all incrementals at level 0, and failed of
> course because the vtape was only 1/4 the size of the system.
>
> That flushed, and a couple more runs and it will be back to normal, but it
> seems to me that there should be an option to preserve ctimes when
> relabeling.
>
> Is that even possible?

Not if it actually set the label (extended attribute of the inode) - that always updates the ctime. The question though is why did a relabel occur in the first place, and why were all the labels set? Normally, restorecon / setfiles only sets a file label if it does not match the file contexts configuration, although if run with -F, it will unconditionally set it.

ls -lc /path/to/somefile
restorecon -v /path/to/somefile
ls -lc /path/to/somefile

should show no change in ctime if the file was already correctly labeled.
However,

restorecon -Fv ./foo

would force setting of the label, and thus update the ctime.

--
Stephen Smalley
National Security Agency

From selinux at lucullo.it Wed Nov 7 23:07:53 2007
From: selinux at lucullo.it (selinux at lucullo.it)
Date: Thu, 08 Nov 2007 00:07:53 +0100
Subject: audit fc6 and java
Message-ID: <47324549.308.4a5b.386412219@webmailh3.aruba.it>

Hi guys.

I have an issue with samba. Can someone help me?

I need to build a rule for this audit:

kernel: audit(1194422951.635:3): avc: denied { execmod } for pid=3418 comm="java" name="libj9thr23.so" dev=hda2 ino=32148 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

Is it possible?

Thank you.

From dwalsh at redhat.com Thu Nov 8 03:52:35 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 07 Nov 2007 22:52:35 -0500
Subject: audit fc6 and java
In-Reply-To: <47324549.308.4a5b.386412219@webmailh3.aruba.it>
References: <47324549.308.4a5b.386412219@webmailh3.aruba.it>
Message-ID: <47328803.7070409@redhat.com>

selinux at lucullo.it wrote:
> Hi guys.
>
> I have an issue with samba. Can someone help me?
>
> I need to build a rule for this audit:
>
> kernel: audit(1194422951.635:3): avc: denied { execmod }
> for pid=3418 comm="java" name="libj9thr23.so" dev=hda2
> ino=32148 scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> Is it possible?
>
> Thank you.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

# semanage fcontext -a -t textrel_shlib_t PATHTO/libj9thr23.so
# restorecon PATHTO/libj9thr23.so

From paul at city-fan.org Fri Nov 9 10:55:43 2007
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 09 Nov 2007 10:55:43 +0000
Subject: Mail from cron in Fedora 8
Message-ID: <47343CAF.8050100@city-fan.org>

I have a cron job as follows:

# crontab -l -u softlib
45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates subset mirror report" phowarth

The script runs reposync to pull in a subset of the updates repo, and I have the output piped into Mail.

This has been trouble free up until I upgraded to F8, with selinux-policy-3.0.8-44.fc8.

With SELinux in enforcing mode, the email I receive simply says "/usr/sbin/sendmail: Permission denied".

I tried creating a local policy module as usual and ended up with this:

policy_module(localmisc, 0.0.7)

require {
        type system_mail_t;
        class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)

In permissive mode, this works, but in enforcing mode I just get the usual "Permission denied" message.
There are no more avcs in the audit logs, but there is this:

type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)

I thought there might be something dontaudited so I tried using enableaudit.pp but the F8 policy doesn't include this. What's the method for finding troublesome dontaudits that need to be allows in F8?

Paul.

From sds at tycho.nsa.gov Fri Nov 9 13:37:13 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 09 Nov 2007 08:37:13 -0500
Subject: Mail from cron in Fedora 8
In-Reply-To: <47343CAF.8050100@city-fan.org>
References: <47343CAF.8050100@city-fan.org>
Message-ID: <1194615433.624.9.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2007-11-09 at 10:55 +0000, Paul Howarth wrote:
> I have a cron job as follows:
>
> # crontab -l -u softlib
> 45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates
> subset mirror report" phowarth
>
> The script runs reposync to pull in a subset of the updates repo, and I
> have the output piped into Mail.
>
> This has been trouble free up until I upgraded to F8, with
> selinux-policy-3.0.8-44.fc8.
>
> With SELinux in enforcing mode, the email I receive simply says
> "/usr/sbin/sendmail: Permission denied".
>
> I tried creating a local policy module as usual and ended up with this:
>
> policy_module(localmisc, 0.0.7)
>
> require {
>         type system_mail_t;
>         class netlink_route_socket { bind create getattr nlmsg_read
> read write };
> }
>
> #============= system_mail_t ==============
> allow system_mail_t self:netlink_route_socket { bind create getattr
> nlmsg_read read write };
> unconfined_read_tmp_files(system_mail_t)
>
>
> In permissive mode, this works, but in enforcing mode I just get the
> usual "Permission denied" message. There are no more avcs in the audit
> logs, but there is this:
>
> type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid:
> invalid context unconfined_u:unconfined_r:system_mail_t:s0 for
> scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0
> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11
> success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338 a3=9cf82b8 items=0
> ppid=1537 pid=1550 auid=4294967295 uid=1502 gid=1502 euid=1502 suid=1502
> fsuid=1502 egid=1502 sgid=1502 fsgid=1502 tty=(none) comm="Mail"
> exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0
> key=(null)

That indicates a missing role types rule, e.g.
role unconfined_r types system_mail_t;

Karl, old audit2allow dealt with those errors - new one needs to do likewise.

> I thought there might be something dontaudited so I tried using
> enableaudit.pp but the F8 policy doesn't include this. What's the method
> for finding troublesome dontaudits that need to be allows in F8?

semodule -DB will rebuild and reload policy w/o any dontaudit rules.
semodule -B will then rebuild and reload policy with them.

This is an improvement over enableaudit.pp because it covers all modules, not just base.

Fedora SELinux FAQ is way overdue for an update...
--
Stephen Smalley
National Security Agency

From paul at city-fan.org Fri Nov 9 21:33:45 2007
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 9 Nov 2007 21:33:45 +0000
Subject: Mail from cron in Fedora 8
In-Reply-To: <1194615433.624.9.camel@moss-spartans.epoch.ncsc.mil>
References: <47343CAF.8050100@city-fan.org> <1194615433.624.9.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20071109213345.3c37ff27@metropolis.intra.city-fan.org>

On Fri, 09 Nov 2007 08:37:13 -0500
Stephen Smalley wrote:

> On Fri, 2007-11-09 at 10:55 +0000, Paul Howarth wrote:
> > I have a cron job as follows:
> >
> > # crontab -l -u softlib
> > 45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates
> > subset mirror report" phowarth
> >
> > The script runs reposync to pull in a subset of the updates repo,
> > and I have the output piped into Mail.
> >
> > This has been trouble free up until I upgraded to F8, with
> > selinux-policy-3.0.8-44.fc8.
> >
> > With SELinux in enforcing mode, the email I receive simply says
> > "/usr/sbin/sendmail: Permission denied".
> >
> > I tried creating a local policy module as usual and ended up with
> > this:
> >
> > policy_module(localmisc, 0.0.7)
> >
> > require {
> >         type system_mail_t;
> >         class netlink_route_socket { bind create getattr
> > nlmsg_read read write };
> > }
> >
> > #============= system_mail_t ==============
> > allow system_mail_t self:netlink_route_socket { bind create getattr
> > nlmsg_read read write };
> > unconfined_read_tmp_files(system_mail_t)
> >
> >
> > In permissive mode, this works, but in enforcing mode I just get
> > the usual "Permission denied" message.
> > There are no more avcs in
> > the audit logs, but there is this:
> >
> > type=SELINUX_ERR msg=audit(1194605105.159:168):
> > security_compute_sid: invalid context
> > unconfined_u:unconfined_r:system_mail_t:s0 for
> > scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0
> > tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
> > type=SYSCALL msg=audit(1194605105.159:168): arch=40000003
> > syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338
> > a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502
> > gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502
> > fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail"
> > subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
>
> That indicates a missing role types rule, e.g.
> role unconfined_r types system_mail_t;
>
> Karl, old audit2allow dealt with those errors - new one needs to do
> likewise.

Thanks very much; the resulting policy module fixes the problem:

policy_module(localmisc, 0.0.8)

require {
        type system_mail_t;
        class netlink_route_socket { bind create getattr nlmsg_read read write };
}

#============= system_mail_t ==============
role unconfined_r types system_mail_t;
allow system_mail_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
unconfined_read_tmp_files(system_mail_t)

Is there any good reason why this shouldn't be in the default policy? I'd have thought sending mail from cron jobs was a fairly common thing to do?

> > I thought there might be something dontaudited so I tried using
> > enableaudit.pp but the F8 policy doesn't include this. What's the
> > method for finding troublesome dontaudits that need to be allows in
> > F8?
>
> semodule -DB will rebuild and reload policy w/o any dontaudit rules.
> semodule -B will then rebuild and reload policy with them.
>
> This is an improvement over enableaudit.pp because it covers all
> modules, not just base.

Thanks; noted for future reference.

Cheers, Paul.
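Stephen's point that the SELINUX_ERR record by itself pins down the missing role rule (and that audit2allow used to emit it) can be checked by hand. The following is an added shell example, not code from the thread or from any Fedora tool: it parses audit records of the two kinds Paul posted and prints the role and allow statements they imply; the sample input is constructed, with the AVC records (including the user_tmp_t one) invented to stand in for what permissive mode would have logged.

```shell
#!/bin/sh
# Added example (not from the thread): derive policy statements from audit
# records. Sample input is constructed: the first two records mirror the
# SELINUX_ERR/SYSCALL pair quoted above, the AVC records are invented.
SAMPLE_AUDIT='type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194605105.159:168): arch=40000003 syscall=11 success=no exit=-13 comm="Mail" exe="/bin/mail" subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
type=AVC msg=audit(1194605106.001:169): avc: denied { bind create } for pid=1550 comm="sendmail" scontext=unconfined_u:unconfined_r:system_mail_t:s0 tcontext=unconfined_u:unconfined_r:system_mail_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1194605106.002:170): avc: denied { read } for pid=1550 comm="sendmail" name="out" scontext=unconfined_u:unconfined_r:system_mail_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# security_compute_sid complains when a domain transition computes a context
# whose role is not authorised for the new type. The context it prints is
# user:role:type:level, so the fix is "role <role> types <type>;".
# Reads audit records on stdin, prints one role rule per distinct context.
role_rules_from_audit() {
    awk '
        /security_compute_sid: invalid context/ {
            ctx = ""
            for (i = 1; i <= NF; i++) { if ($i == "context") { ctx = $(i + 1); break } }
            if (split(ctx, f, ":") >= 3) {
                rule = "role " f[2] " types " f[3] ";"
                if (!(rule in seen)) { seen[rule] = 1; print rule }
            }
        }'
}

# An AVC denial names the source type, target type, object class and the
# permissions in braces. Emit the matching allow rule, collapsing a target
# equal to the source to "self" as Paul's module does.
avc_allow_rules_from_audit() {
    awk '
        /avc: +denied/ {
            perms = ""; src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {
                    for (j = i + 1; j <= NF && $j != "}"; j++) {
                        perms = perms (perms == "" ? "" : " ") $j
                    }
                } else if (index($i, "scontext=") == 1) {
                    split(substr($i, 10), f, ":"); src = f[3]
                } else if (index($i, "tcontext=") == 1) {
                    split(substr($i, 10), f, ":"); tgt = f[3]
                } else if (index($i, "tclass=") == 1) {
                    cls = substr($i, 8)
                }
            }
            if (src != "" && tgt != "" && cls != "" && perms != "") {
                rule = "allow " src " " (tgt == src ? "self" : tgt) ":" cls " { " perms " };"
                if (!(rule in seen)) { seen[rule] = 1; print rule }
            }
        }'
}

# Run both passes over the same input (stdin is read once into a variable).
audit_to_rules() {
    records=$(cat)
    printf '%s\n' "$records" | role_rules_from_audit
    printf '%s\n' "$records" | avc_allow_rules_from_audit
}

# Stand-alone run: prints the role rule followed by the two allow rules.
printf '%s\n' "$SAMPLE_AUDIT" | audit_to_rules
```

The emitted allow rules are raw; as in Paul's module, a read of tmp files is better expressed through the policy interface (unconfined_read_tmp_files) than as a bare allow.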
From cent.urio at gmx.net Sat Nov 10 20:21:26 2007
From: cent.urio at gmx.net (Markus Rudel)
Date: Sat, 10 Nov 2007 21:21:26 +0100
Subject: Fedora Core 7 Policy examples to trim root users rights
Message-ID:

Hello everybody,

I'm currently looking into SELinux on Fedora Core 7. Right now, I've read "SELinux by Example" as well as several other documents on the net. But no document covers Fedora 7. Is there documentation especially made for Fedora 7?

My main goals in using SELinux are:

Trim root user rights: root and normal users shouldn't be able to access other user files. There should be one separate user besides root, who can control and grant access to SELinux rights. The examples from "SELinux by Example" (page 309 to 311) don't work for me. The newrole command to switch to user admin doesn't work.

Limiting access to insmod, lsmod etc. to avoid loading further kernel modules (I know, the same effect could be accomplished by using a static kernel, but I'm interested in limiting access to kernel modules while using a modular kernel).

Limiting access to /dev/kmem to avoid reading memory.

Maybe someone can help me with some example policies. I'm not so much interested in restraining processes; right now, my only concern and idea is to limit access to files and folders. This is because almost everything under Linux works with files. So the idea is to control access on just a few files. This would be very helpful for me.

Right now, I'm smacking my head on the table. After installing and trying strict, refpolicy and mls policy, I'm stuck.
Thanks for your help
Markus

From olivares14031 at yahoo.com  Sun Nov 11 16:40:37 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sun, 11 Nov 2007 08:40:37 -0800 (PST)
Subject: gdm has problems with selinux or vice versa
Message-ID: <806354.53265.qm@web52608.mail.re2.yahoo.com>

Dear all,

after updating and getting the INIT: error that I had posted before, I can
login by pressing enter and get X, however, when starting up I am greeted by
setroubleshooter with some messages

[olivares at localhost ~]$ cat /etc/fedora-release
Fedora release 8.90 (Rawhide)
[olivares at localhost ~]$ date
Sun Nov 11 10:40:25 CST 2007
[olivares at localhost ~]$

I try to apply the fix suggested, but it does not seem to be working :(

Summary
    SELinux is preventing gdm (xdm_t) "execute" to  (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not expected that this access
    is required by gdm and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for , restorecon -v
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_exec_t
Target Objects                None [ file ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686 athlon
Alert Count                   162
First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
Last Seen                     Sun 11 Nov 2007 10:36:27 AM CST
Local ID                      f3168196-46ac-4951-ab61-b3b218534bb2
Line Numbers

Raw Audit Messages

avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=8443
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0


Summary
    SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not expected that this access
    is required by gdm and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for /bin/rpm, restorecon -v /bin/rpm
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_exec_t
Target Objects                /bin/rpm [ file ]
Affected RPM Packages         rpm-4.4.2.2-7.fc9 [target]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686 athlon
Alert Count                   180
First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
Last Seen                     Sun 11 Nov 2007 10:36:27 AM CST
Local ID                      e1676a84-c6d0-45b8-97d7-c7cae2d755c1
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=8443
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0

Thanks,

Antonio

From spng.yang at gmail.com  Mon Nov 12 09:04:22 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Mon, 12 Nov 2007 17:04:22 +0800
Subject: Fedora Core 7 Policy examples to trim root users rights
In-Reply-To:
References:
Message-ID: <47381716.8080609@gmail.com>

Markus Rudel wrote:
> Hello everybody,
>
> I'm currently looking into SELinux on Fedora Core 7. Right now, I've
> read "SELinux by Example" as well as several other documents on the net.
> But no document covers Fedora 7.
>
> Is there documentation especially made for Fedora 7?

Fedora wiki has some docs for SELinux in Fedora (not for 7), which has some
useful information

>
> My main goals in using SELinux are:
>
> Trim root user rights:
> root and normal users shouldn't be able to access other user files.
> There should be one separate user besides root, who can control and
> grant access to SELinux rights. The examples from "SELinux by Example"
> (page 309 to 311) don't work for me. The newrole command to switch to
> user admin doesn't work.
>
> Limiting access to insmod, lsmod etc. to avoid loading further kernel
> modules (I know, the same effect could be accomplished by using a static
> kernel, but I'm interested in limiting access to kernel modules while
> using a modular kernel).
>
> Limiting access to /dev/kmem to avoid reading memory

In the F8 development cycle, Dan has finished the merge of strict and
targeted policy. In the current F8 selinux policy, there are some special
users, like xguest, which are confined only to do certain things, including
web browsing (by firefox)... I think that these related policies are a good
example for your goal

>
> Maybe someone can help me with some example policies. I'm not so much
> interested in restraining processes; right now, my only concern and idea
> is to limit access to files and folders. This is because almost
> everything under Linux works with files. So the idea is to control
> access on just a few files. This would be very helpful for me.
>
> Right now, I'm smacking my head on the table. After installing and
> trying strict, refpolicy and mls policy, I'm stuck.
>
> Thanks for your help
> Markus
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com  Mon Nov 12 19:23:58 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 12 Nov 2007 14:23:58 -0500
Subject: gdm has problems with selinux or vice versa
In-Reply-To: <806354.53265.qm@web52608.mail.re2.yahoo.com>
References: <806354.53265.qm@web52608.mail.re2.yahoo.com>
Message-ID: <4738A84E.4060500@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear all,
>
> after updating and getting the INIT: error that I had posted before, I can
> login by pressing enter and get X, however, when starting up I am greeted
> by setroubleshooter with some messages
>
> [olivares at localhost ~]$ cat /etc/fedora-release
> Fedora release 8.90 (Rawhide)
> [olivares at localhost ~]$ date
> Sun Nov 11 10:40:25 CST 2007
> [olivares at localhost ~]$
>
> I try to apply the fix suggested, but it does not seem to be working :(
>
> Summary
>     SELinux is preventing gdm (xdm_t) "execute" to  (rpm_exec_t).
>
> Detailed Description
>     SELinux denied access requested by gdm. It is not expected that this access
>     is required by gdm and this access may signal an intrusion attempt. It is
>     also possible that the specific version or configuration of the application
>     is causing it to require additional access.
>
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials. You could try to
>     restore the default system file context for , restorecon -v
>     If this does not work, there is currently no automatic way to
>     allow this access. Instead, you can generate a local policy module to allow
>     this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:rpm_exec_t
> Target Objects                None [ file ]
> Affected RPM Packages
> Policy RPM                    selinux-policy-3.0.8-44.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     localhost
> Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
>                               13:55:12 EDT 2007 i686 athlon
> Alert Count                   162
> First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
> Last Seen                     Sun 11 Nov 2007 10:36:27 AM CST
> Local ID                      f3168196-46ac-4951-ab61-b3b218534bb2
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=8443
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
> tcontext=system_u:object_r:rpm_exec_t:s0
>
>
> Summary
>     SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm (rpm_exec_t).
>
> Detailed Description
>     SELinux denied access requested by gdm. It is not expected that this access
>     is required by gdm and this access may signal an intrusion attempt. It is
>     also possible that the specific version or configuration of the application
>     is causing it to require additional access.
>
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials. You could try to
>     restore the default system file context for /bin/rpm, restorecon -v /bin/rpm
>     If this does not work, there is currently no automatic way to allow this
>     access. Instead, you can generate a local policy module to allow this
>     access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
>     can disable SELinux protection altogether. Disabling SELinux protection is
>     not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:rpm_exec_t
> Target Objects                /bin/rpm [ file ]
> Affected RPM Packages         rpm-4.4.2.2-7.fc9 [target]
> Policy RPM                    selinux-policy-3.0.8-44.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     localhost
> Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
>                               13:55:12 EDT 2007 i686 athlon
> Alert Count                   180
> First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
> Last Seen                     Sun 11 Nov 2007 10:36:27 AM CST
> Local ID                      e1676a84-c6d0-45b8-97d7-c7cae2d755c1
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=8443
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0
>
>
> Thanks,
>
> Antonio
>

This looks like you are not logging in with the correct context. IE You
are staying in the xdm_t context.

id -Z

Will show you what context you are logging in as. You should be
unconfined_t.

If this is true, I would guess you have a badly labeled system and you
probably need to relabel

touch /.autorelabel; reboot

will fix the labeling.
From olivares14031 at yahoo.com  Mon Nov 12 23:39:22 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 12 Nov 2007 15:39:22 -0800 (PST)
Subject: gdm has problems with selinux or vice versa
In-Reply-To: <4738A84E.4060500@redhat.com>
Message-ID: <163307.85217.qm@web52606.mail.re2.yahoo.com>

--- Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Antonio Olivares wrote:
> > Dear all,
> >
> > after updating and getting the INIT: error that I had posted before,
> > I can login by pressing enter and get X, however, when starting up I
> > am greeted by setroubleshooter with some messages
> >
> > [olivares at localhost ~]$ cat /etc/fedora-release
> > Fedora release 8.90 (Rawhide)
> > [olivares at localhost ~]$ date
> > Sun Nov 11 10:40:25 CST 2007
> > [olivares at localhost ~]$
> >
> > I try to apply the fix suggested, but it does not seem to be working :(
> >
> > Summary
> >     SELinux is preventing gdm (xdm_t) "execute" to  (rpm_exec_t).
> >
> > Detailed Description
> >     SELinux denied access requested by gdm. It is not expected that this
> >     access is required by gdm and this access may signal an intrusion
> >     attempt. It is also possible that the specific version or
> >     configuration of the application is causing it to require additional
> >     access.
> >
> > Allowing Access
> >     Sometimes labeling problems can cause SELinux denials. You could try
> >     to restore the default system file context for , restorecon -v
> >     If this does not work, there is currently no automatic way to
> >     allow this access.
> >     Instead, you can generate a local policy module to allow this
> >     access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> >     Or you can disable SELinux protection altogether. Disabling SELinux
> >     protection is not recommended. Please file a
> >     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> >
> > Additional Information
> >
> > Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
> > Target Context                system_u:object_r:rpm_exec_t
> > Target Objects                None [ file ]
> > Affected RPM Packages
> > Policy RPM                    selinux-policy-3.0.8-44.fc8
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   plugins.catchall_file
> > Host Name                     localhost
> > Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
> >                               13:55:12 EDT 2007 i686 athlon
> > Alert Count                   162
> > First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
> > Last Seen                     Sun 11 Nov 2007 10:36:27 AM CST
> > Local ID                      f3168196-46ac-4951-ab61-b3b218534bb2
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=8443
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
> > tcontext=system_u:object_r:rpm_exec_t:s0
> >
> >
> > Summary
> >     SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm (rpm_exec_t).
> >
> > Detailed Description
> >     SELinux denied access requested by gdm. It is not expected that this
> >     access is required by gdm and this access may signal an intrusion
> >     attempt. It is also possible that the specific version or
> >     configuration of the application is causing it to require additional
> >     access.
> >
> > Allowing Access
> >     Sometimes labeling problems can cause SELinux denials. You could try
> >     to restore the default system file context for /bin/rpm, restorecon -v
> >     /bin/rpm If this does not work, there is currently no automatic way to
> >     allow this access.
> >     Instead, you can generate a local policy module to allow this
> >     access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> >     Or you can disable SELinux protection altogether. Disabling SELinux
> >     protection is not recommended. Please file a
> >     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> >
> > Additional Information
> >
> > Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
> > Target Context                system_u:object_r:rpm_exec_t
> > Target Objects                /bin/rpm [ file ]
> > Affected RPM Packages         rpm-4.4.2.2-7.fc9 [target]
> > Policy RPM                    selinux-policy-3.0.8-44.fc8
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   plugins.catchall_file
> > Host Name                     localhost
> > Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
> >                               13:55:12 EDT 2007 i686 athlon
> > Alert Count                   180
> > First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
> > Last Seen                     Sun 11 Nov 2007 10:36:27 AM CST
> > Local ID                      e1676a84-c6d0-45b8-97d7-c7cae2d755c1
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash
> > exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=8443
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
> > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
> > tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0
> >
> >
> > Thanks,
> >
> > Antonio
> >
>
> This looks like you are not logging in with the correct context. IE You
> are staying in the xdm_t context.
>
> id -Z
>
> Will show you what context you are logging in as. You should be
> unconfined_t.
>
> If this is true, I would guess you have a badly labeled system and you
> probably need to relabel
>
> touch /.autorelabel; reboot
>
> will fix the labeling.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
=== message truncated ===

[olivares at localhost ~]$ su -
Password:
[root at localhost ~]# id -Z
system_u:system_r:unconfined_t
[root at localhost ~]#

will do

# touch /.autorelabel; reboot

and report back if successful/failure.

Regards,

Antonio

From olivares14031 at yahoo.com  Tue Nov 13 00:12:39 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 12 Nov 2007 16:12:39 -0800 (PST)
Subject: gdm has problems with selinux or vice versa
In-Reply-To: <163307.85217.qm@web52606.mail.re2.yahoo.com>
Message-ID: <21540.20556.qm@web52612.mail.re2.yahoo.com>

--- Antonio Olivares wrote:

>
> --- Daniel J Walsh wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Antonio Olivares wrote:
> > > Dear all,
> > >
> > > after updating and getting the INIT: error that I had posted before,
> > > I can login by pressing enter and get X, however, when starting up I
> > > am greeted by setroubleshooter with some messages
> > >
> > > [olivares at localhost ~]$ cat /etc/fedora-release
> > > Fedora release 8.90 (Rawhide)
> > > [olivares at localhost ~]$ date
> > > Sun Nov 11 10:40:25 CST 2007
> > > [olivares at localhost ~]$
> > >
> > > I try to apply the fix suggested, but it does not seem to be working :(
=== message truncated ===

./touch autorelabel did not fix anything :(

Still see these

Summary
    SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm.
    It is not expected that this access
    is required by gdm and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for /bin/rpm, restorecon -v /bin/rpm
    If this does not work, there is currently no automatic way to allow this
    access. Instead, you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_exec_t
Target Objects                /bin/rpm [ file ]
Affected RPM Packages         rpm-4.4.2.2-7.fc9 [target]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686 athlon
Alert Count                   4401
First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
Last Seen                    Mon 12 Nov 2007 06:09:42 PM CST
Local ID                      e1676a84-c6d0-45b8-97d7-c7cae2d755c1
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=4958
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0

Thanks,

Antonio
From dwalsh at redhat.com  Tue Nov 13 21:43:56 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 13 Nov 2007 16:43:56 -0500
Subject: SMTP-AUTH
In-Reply-To: <4729E98B.101@grifent.com>
References: <4729E98B.101@grifent.com>
Message-ID: <473A1A9C.2010301@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Griffiths wrote:
> I am trying to use dovecot with postfix to provide smtp-auth. The
> instructions provided by postfix http://www.postfix.org/SASL_README.html
> works perfectly in Fedora Core 6.
>
> Using the exact same procedure in Fedora 7 results in some conflicts
> between dovecot_auth_t and postfix_private_t. Since using Dovecot for
> SASL smtp-auth is the preferred way according to Postfix, I suspect
> there must be something I am missing or maybe there is an oversight in
> the policies.
>
> Using sealert -l on the denial for dovecot results in:
>
> Summary
>     SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t)
>     "write" to auth (postfix_private_t).
>
> Detailed Description
>     SELinux denied access requested by /usr/libexec/dovecot/dovecot-auth. It is
>     not expected that this access is required by /usr/libexec/dovecot/dovecot-
>     auth and this access may signal an intrusion attempt. It is also possible
>     that the specific version or configuration of the application is causing it
>     to require additional access.
>
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials. You could try to
>     restore the default system file context for auth, restorecon -v auth If this
>     does not work, there is currently no automatic way to allow this access.
>     Instead, you can generate a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended.
>     Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>     against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:dovecot_auth_t
> Target Context                root:object_r:postfix_private_t
> Target Objects                auth [ sock_file ]
> Affected RPM Packages         dovecot-1.0.5-15.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-48.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     gei.internal.grifent.com
> Platform                      Linux gei.internal.grifent.com 2.6.23.1-10.fc7 #1
>                               SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
> Alert Count                   2
> First Seen                    Wed Oct 31 03:39:55 2007
> Last Seen                     Wed Oct 31 11:55:12 2007
> Local ID                      8b0a6068-b654-4151-b82e-c149d3b9d57b
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0
> exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0
> subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file
> tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0
>
> Dovecot writes a socket to /var/spool/postfix/private/auth with
> permissions of 660. This is done when dovecot starts and on FC6, the
> file is transitioned to be owned by postfix with a group of postfix. The
> transition of owner/group does not happen on Fedora 7.
>
> The auth socket is necessary to do smtp-auth.
>
> Did I miss something in the configuration on Fedora 7?
>
> Regards,
> John
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Should be fixed in selinux-policy-2.6.4-57.fc7

From Per.t.Sjoholm at flysta.net  Wed Nov 14 08:27:22 2007
From: Per.t.Sjoholm at flysta.net (Per Sjoholm)
Date: Wed, 14 Nov 2007 09:27:22 +0100
Subject: home_dir default_t
Message-ID: <473AB16A.2020407@flysta.net>

I have some problem with alerts of default_t and relabel does not solve
the problem
Running FC7
I have my machine local home under /home_l; /home is used for nfs/autofs

#> genhomedircon
#> touch /.autorelabel ; reboot
/home_l/*/* gets labeled with default_t

restorecon -v -R /home_l
labels with user_home_t

Why is there a difference between autorelabel and restorecon?
Why does autorelabel set /home and /home_l to default_t?

--
Per Sjöholm
Spanga, Stockholm, Sweden

From sdl.web at gmail.com  Tue Nov 13 21:43:45 2007
From: sdl.web at gmail.com (Leo)
Date: Tue, 13 Nov 2007 21:43:45 +0000
Subject: SELinux is preventing /usr/sbin/dictd (dictd_t) "write" to (var_run_t)
Message-ID:

Hi there,

I am not able to start `dictd' in F8. Any ideas?

Best,

--
.: Leo :. [ sdl.web AT gmail.com ] .: [ GPG Key: 9283AA3F ] :.
Use the best OS -- http://www.fedoraproject.org/

From gene.heskett at verizon.net  Wed Nov 14 10:29:52 2007
From: gene.heskett at verizon.net (Gene Heskett)
Date: Wed, 14 Nov 2007 05:29:52 -0500
Subject: audit2allow failure
Message-ID: <200711140529.52226.gene.heskett@verizon.net>

Greetings;

Running selinux in permissive mode, the /var/log/audit/audit.log was filling
up with squawks re cron jobs. Seeing an example on how to run audit2allow, I
thought I'd try it to see if that would shut the muttering up.
[root at coyote ~]# audit2allow -M local -i /var/log/audit/audit.log
compilation failed:
(unknown source)::ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from local.te

I can't see anything different about line 6 of the log, but here is a head of
that file:

type=USER_ACCT msg=audit(1193734801.287:27922): user pid=11880 uid=0
auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1193734801.288:27923): user pid=11880 uid=0
auid=4294967295 msg='PAM: setcred acct=root : exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'
type=USER_START msg=audit(1193734801.288:27924): user pid=11880 uid=0
auid=4294967295 msg='PAM: session open acct=root : exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1193734801.312:27925): user pid=11880 uid=0
auid=4294967295 msg='PAM: setcred acct=root : exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1193734801.312:27926): user pid=11880 uid=0
auid=4294967295 msg='PAM: session close acct=root : exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'
type=USER_ACCT msg=audit(1193734861.316:27927): user pid=11969 uid=0
auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1193734861.316:27928): user pid=11969 uid=0
auid=4294967295 msg='PAM: setcred acct=root : exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'

contents of local.te:
------
module local 1.0;



EOF
------

The example command line shown above is, I assume, correct, is it not?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Operative (to Mal): "You can not make me angry."
Inara: "Please - spend an hour with him!"
--"Serenity"

From shintaro.fujiwara at gmail.com  Wed Nov 14 13:14:36 2007
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 14 Nov 2007 22:14:36 +0900
Subject: segatex_suite-2.3-forF7 released!!
Message-ID:

Wrapped semodule.
Now you can audit2allow and make module, install, update, remove.
Not only your own but existing ones.
All you have to do is just push buttons.

--
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page http://intrajp.no-ip.com/
Blog http://intrajp.no-ip.com/nucleus/
CMS http://intrajp.no-ip.com/xoops/
Wiki http://intrajp.no-ip.com/pukiwiki/

From dwalsh at redhat.com  Wed Nov 14 16:18:05 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 14 Nov 2007 11:18:05 -0500
Subject: home_dir default_t
In-Reply-To: <473AB16A.2020407@flysta.net>
References: <473AB16A.2020407@flysta.net>
Message-ID: <473B1FBD.9020908@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Per Sjoholm wrote:
> I have some problem with alerts of default_t and relabel does not solve
> the problem
> Running FC7
> I have my machine local home under /home_l; /home is used for nfs/autofs
>
> #> genhomedircon
> #> touch /.autorelabel ; reboot
> /home_l/*/* gets labeled with default_t
>
> restorecon -v -R /home_l
> labels with user_home_t
>
> Why is there a difference between autorelabel and restorecon?
> Why does autorelabel set /home and /home_l to default_t?
>

Does the system know that /home_l is a homedir? IE Do you have a password
record that tells it this? Or did you use

semanage fcontext -a -t user_home_t '/home_l(/.*)?'
From dwalsh at redhat.com  Wed Nov 14 16:42:36 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 14 Nov 2007 11:42:36 -0500
Subject: SELinux is preventing /usr/sbin/dictd (dictd_t) "write" to (var_run_t)
In-Reply-To:
References:
Message-ID: <473B257C.3050407@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leo wrote:
> Hi there,
>
> I am not able to start `dictd' in F8. Any ideas?
>
> Best,

Yes it is not able to write its pid file. I don't have a dict for it, so
hard for me to test. If you run in permissive mode what avcs does it
generate? I will allow it to write pidfile in selinux-policy-3.0.8-54.

From dwalsh at redhat.com  Wed Nov 14 16:44:09 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 14 Nov 2007 11:44:09 -0500
Subject: audit2allow failure
In-Reply-To: <200711140529.52226.gene.heskett@verizon.net>
References: <200711140529.52226.gene.heskett@verizon.net>
Message-ID: <473B25D9.30400@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gene Heskett wrote:
> Greetings;
>
> Running selinux in permissive mode, the /var/log/audit/audit.log was filling
> up with squawks re cron jobs. Seeing an example on how to run audit2allow, I
> thought I'd try it to see if that would shut the muttering up.
>
> [root at coyote ~]# audit2allow -M local -i /var/log/audit/audit.log
> compilation failed:
> (unknown source)::ERROR 'syntax error' at token '' on line 6:
>
>
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> /usr/bin/checkmodule:  loading policy configuration from local.te
>
> I can't see anything different about line 6 of the log, but here is a head of
> that file:
>
> type=USER_ACCT msg=audit(1193734801.287:27922): user pid=11880 uid=0
> auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1193734801.288:27923): user pid=11880 uid=0
> auid=4294967295 msg='PAM: setcred acct=root : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_START msg=audit(1193734801.288:27924): user pid=11880 uid=0
> auid=4294967295 msg='PAM: session open acct=root : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_DISP msg=audit(1193734801.312:27925): user pid=11880 uid=0
> auid=4294967295 msg='PAM: setcred acct=root : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_END msg=audit(1193734801.312:27926): user pid=11880 uid=0
> auid=4294967295 msg='PAM: session close acct=root : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_ACCT msg=audit(1193734861.316:27927): user pid=11969 uid=0
> auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1193734861.316:27928): user pid=11969 uid=0
> auid=4294967295 msg='PAM: setcred acct=root : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
>
>
> contents of local.te:
> ------
> module local 1.0;
>
>
>
> EOF
> ------
>
> The example command line shown above is, I assume, correct, is it not?

Those are not avc messages.
They are standard audit messages generated by the audit system.  So since
audit2allow did not find any avc messages, it is failing.

From dwalsh at redhat.com Wed Nov 14 17:10:13 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 14 Nov 2007 12:10:13 -0500
Subject: Mail from cron in Fedora 8
In-Reply-To: <20071109213345.3c37ff27@metropolis.intra.city-fan.org>
References: <47343CAF.8050100@city-fan.org> <1194615433.624.9.camel@moss-spartans.epoch.ncsc.mil> <20071109213345.3c37ff27@metropolis.intra.city-fan.org>
Message-ID: <473B2BF5.4020000@redhat.com>

Paul Howarth wrote:
> On Fri, 09 Nov 2007 08:37:13 -0500
> Stephen Smalley wrote:
>
>> On Fri, 2007-11-09 at 10:55 +0000, Paul Howarth wrote:
>>> I have a cron job as follows:
>>>
>>> # crontab -l -u softlib
>>> 45 4 * * * /softlib/scripts/updates-sync | Mail -s "Fedora updates
>>> subset mirror report" phowarth
>>>
>>> The script runs reposync to pull in a subset of the updates repo,
>>> and I have the output piped into Mail.
>>>
>>> This has been trouble free up until I upgraded to F8, with
>>> selinux-policy-3.0.8-44.fc8.
>>>
>>> With SELinux in enforcing mode, the email I receive simply says
>>> "/usr/sbin/sendmail: Permission denied".
>>>
>>> I tried creating a local policy module as usual and ended up with
>>> this:
>>>
>>> policy_module(localmisc, 0.0.7)
>>>
>>> require {
>>>         type system_mail_t;
>>>         class netlink_route_socket { bind create getattr
>>> nlmsg_read read write };
>>> }
>>>
>>> #============= system_mail_t ==============
>>> allow system_mail_t self:netlink_route_socket { bind create getattr
>>> nlmsg_read read write };
>>> unconfined_read_tmp_files(system_mail_t)
>>>
>>>
>>> In permissive mode, this works, but in enforcing mode I just get
>>> the usual "Permission denied" message. There are no more avcs in
>>> the audit logs, but there is this:
>>>
>>> type=SELINUX_ERR msg=audit(1194605105.159:168):
>>> security_compute_sid: invalid context
>>> unconfined_u:unconfined_r:system_mail_t:s0 for
>>> scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0
>>> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
>>> type=SYSCALL msg=audit(1194605105.159:168): arch=40000003
>>> syscall=11 success=no exit=-13 a0=805848b a1=9cf82b8 a2=bfcbf338
>>> a3=9cf82b8 items=0 ppid=1537 pid=1550 auid=4294967295 uid=1502
>>> gid=1502 euid=1502 suid=1502 fsuid=1502 egid=1502 sgid=1502
>>> fsgid=1502 tty=(none) comm="Mail" exe="/bin/mail"
>>> subj=unconfined_u:unconfined_r:unconfined_crond_t:s0 key=(null)
>> That indicates a missing role types rule, e.g.
>> role unconfined_r types system_mail_t;
>>
>> Karl, old audit2allow dealt with those errors - new one needs to do
>> likewise.
>
> Thanks very much; the resulting policy module fixes the problem:
>
> policy_module(localmisc, 0.0.8)
>
> require {
>         type system_mail_t;
>         class netlink_route_socket { bind create getattr nlmsg_read
> read write };
> }
>
> #============= system_mail_t ==============
> role unconfined_r types system_mail_t;
> allow system_mail_t self:netlink_route_socket { bind create getattr
> nlmsg_read read write };
> unconfined_read_tmp_files(system_mail_t)
>
>
> Is there any good reason why this shouldn't be in the default policy?
> I'd have thought sending mail from cron jobs was a fairly common thing
> to do?
>
>
>>> I thought there might be something dontaudited so I tried using
>>> enableaudit.pp but the F8 policy doesn't include this. What's the
>>> method for finding troublesome dontaudits that need to be allows in
>>> F8?
>> semodule -DB will rebuild and reload policy w/o any dontaudit rules.
>> semodule -B will then rebuild and reload policy with them.
>>
>> This is an improvement over enableaudit.pp because it covers all
>> modules, not just base.
>
> Thanks; noted for future reference.
>
> Cheers, Paul.

I think selinux-policy-3.0.8-54 should have all of these rules in it.  If not, 53.

From knute at frazmtn.com Thu Nov 15 03:32:23 2007
From: knute at frazmtn.com (Knute Johnson)
Date: Wed, 14 Nov 2007 19:32:23 -0800
Subject: Problem getting samba share running
Message-ID: <473B4D47.14897.296692@knute.frazmtn.com>

No matter what I try, I keep getting a selinux error when I create a share in my home directory.
I've enabled home directories and set read/write in the booleans, I've set the directory to rw for all users, and I've tried several different contexts, samba_share_t, public_content_rw_t and at least one other with the same results.  Here is the message I get:

avc: denied { read } for comm=nmbd dev=inotifyfs path=inotify pid=3296 scontext=system_u:system_r:nmbd_t:s0 tclass=dir tcontext=system_u:object_r:inotifyfs_t:s0

I've looked at the tutorials and they all apparently lack some vital information that 'everybody knows' except me :-).

Any help would be appreciated.

Thanks,

-- 
Knute Johnson
Molon Labe...

From sds at tycho.nsa.gov Thu Nov 15 14:03:22 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 15 Nov 2007 09:03:22 -0500
Subject: Problem getting samba share running
In-Reply-To: <473B4D47.14897.296692@knute.frazmtn.com>
References: <473B4D47.14897.296692@knute.frazmtn.com>
Message-ID: <1195135402.18480.15.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-11-14 at 19:32 -0800, Knute Johnson wrote:
> No matter what I try, I keep getting a selinux error when I create a
> share in my home directory.  I've enabled home directories and set
> read/write in the booleans, I've set the directory to rw for all
> users, and I've tried several different contexts, samba_share_t,
> public_content_rw_t and at least one other with the same results.
> Here is the message I get:
>
> avc: denied { read } for comm=nmbd dev=inotifyfs path=inotify
> pid=3296 scontext=system_u:system_r:nmbd_t:s0 tclass=dir
> tcontext=system_u:object_r:inotifyfs_t:s0
>
> I've looked at the tutorials and they all apparently lack some vital
> information that 'everybody knows' except me :-).
>
> Any help would be appreciated.

inotifyfs is a pseudo filesystem for the kernel's inotify API
(monitoring file system events).  You can allow it via a local policy
module using audit2allow until it gets added to the default policy.
-- 
Stephen Smalley
National Security Agency

From knute at frazmtn.com Thu Nov 15 18:49:22 2007
From: knute at frazmtn.com (Knute Johnson)
Date: Thu, 15 Nov 2007 10:49:22 -0800
Subject: [unclassified] Re: Problem getting samba share running
In-Reply-To: <1195135402.18480.15.camel@moss-spartans.epoch.ncsc.mil>
References: <473B4D47.14897.296692@knute.frazmtn.com>, <1195135402.18480.15.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <473C2432.27627.47B08@knute.frazmtn.com>

>On Wed, 2007-11-14 at 19:32 -0800, Knute Johnson wrote:
>> No matter what I try, I keep getting a selinux error when I create a
>> share in my home directory.  I've enabled home directories and set
>> read/write in the booleans, I've set the directory to rw for all
>> users, and I've tried several different contexts, samba_share_t,
>> public_content_rw_t and at least one other with the same results.
>> Here is the message I get:
>>
>> avc: denied { read } for comm=nmbd dev=inotifyfs path=inotify
>> pid=3296 scontext=system_u:system_r:nmbd_t:s0 tclass=dir
>> tcontext=system_u:object_r:inotifyfs_t:s0
>>
>> I've looked at the tutorials and they all apparently lack some vital
>> information that 'everybody knows' except me :-).
>>
>> Any help would be appreciated.
>
>inotifyfs is a pseudo filesystem for the kernel's inotify API
>(monitoring file system events).  You can allow it via a local policy
>module using audit2allow until it gets added to the default policy.
>
>-- 
>Stephen Smalley
>National Security Agency

Stephen:

Thanks for your response.  I need a little more help.  I managed to
create the local.te file but I can't make/reload/ or load it.  The
help files I found searching about say I need package
selinux-policy-targeted-sources.  There doesn't seem to be one of those
packages for F8.  Where do I go from here?

Thanks,

-- 
Knute Johnson
Molon Labe...
From sds at tycho.nsa.gov Thu Nov 15 18:55:16 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 15 Nov 2007 13:55:16 -0500
Subject: [unclassified] Re: Problem getting samba share running
In-Reply-To: <473C2432.27627.47B08@knute.frazmtn.com>
References: <473B4D47.14897.296692@knute.frazmtn.com>, <1195135402.18480.15.camel@moss-spartans.epoch.ncsc.mil> <473C2432.27627.47B08@knute.frazmtn.com>
Message-ID: <1195152916.18480.75.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-11-15 at 10:49 -0800, Knute Johnson wrote:
> >On Wed, 2007-11-14 at 19:32 -0800, Knute Johnson wrote:
> >> No matter what I try, I keep getting a selinux error when I create a
> >> share in my home directory.  I've enabled home directories and set
> >> read/write in the booleans, I've set the directory to rw for all
> >> users, and I've tried several different contexts, samba_share_t,
> >> public_content_rw_t and at least one other with the same results.
> >> Here is the message I get:
> >>
> >> avc: denied { read } for comm=nmbd dev=inotifyfs path=inotify
> >> pid=3296 scontext=system_u:system_r:nmbd_t:s0 tclass=dir
> >> tcontext=system_u:object_r:inotifyfs_t:s0
> >>
> >> I've looked at the tutorials and they all apparently lack some vital
> >> information that 'everybody knows' except me :-).
> >>
> >> Any help would be appreciated.
> >
> >inotifyfs is a pseudo filesystem for the kernel's inotify API
> >(monitoring file system events).  You can allow it via a local policy
> >module using audit2allow until it gets added to the default policy.
> >
> >-- 
> >Stephen Smalley
> >National Security Agency
>
> Stephen:
>
> Thanks for your response.  I need a little more help.  I managed to
> create the local.te file but I can't make/reload/ or load it.  The
> help files I found searching about say I need package
> selinux-policy-targeted-sources.  There doesn't seem to be one of those
> packages for F8.  Where do I go from here?
The -sources package was only for Fedora <= 4 and RHEL4; Fedora >= 5 and
RHEL5 have loadable policy modules - no need to install or build the
full policy sources anymore.

You can compile that local.te file manually with checkmodule, package it
with semodule_package, and install it with semodule, but the easier way
to do things is:
# audit2allow -M local < /var/log/audit/audit.log (or /var/log/messages
or wherever that avc message appears)
# semodule -i local.pp

-- 
Stephen Smalley
National Security Agency

From knute at frazmtn.com Thu Nov 15 23:39:18 2007
From: knute at frazmtn.com (Knute Johnson)
Date: Thu, 15 Nov 2007 15:39:18 -0800
Subject: [unclassified] Re: Problem getting samba share running
In-Reply-To: <1195152916.18480.75.camel@moss-spartans.epoch.ncsc.mil>
References: <473B4D47.14897.296692@knute.frazmtn.com>, <473C2432.27627.47B08@knute.frazmtn.com>, <1195152916.18480.75.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <473C6826.19079.80AD6@knute.frazmtn.com>

>On Thu, 2007-11-15 at 10:49 -0800, Knute Johnson wrote:
>> >On Wed, 2007-11-14 at 19:32 -0800, Knute Johnson wrote:
>> >> No matter what I try, I keep getting a selinux error when I create a
>> >> share in my home directory.  I've enabled home directories and set
>> >> read/write in the booleans, I've set the directory to rw for all
>> >> users, and I've tried several different contexts, samba_share_t,
>> >> public_content_rw_t and at least one other with the same results.
>> >> Here is the message I get:
>> >>
>> >> avc: denied { read } for comm=nmbd dev=inotifyfs path=inotify
>> >> pid=3296 scontext=system_u:system_r:nmbd_t:s0 tclass=dir
>> >> tcontext=system_u:object_r:inotifyfs_t:s0
>> >>
>> >> I've looked at the tutorials and they all apparently lack some vital
>> >> information that 'everybody knows' except me :-).
>> >>
>> >> Any help would be appreciated.
>> >
>> >inotifyfs is a pseudo filesystem for the kernel's inotify API
>> >(monitoring file system events).
>> >You can allow it via a local policy
>> >module using audit2allow until it gets added to the default policy.
>> >
>> >-- 
>> >Stephen Smalley
>> >National Security Agency
>>
>> Stephen:
>>
>> Thanks for your response.  I need a little more help.  I managed to
>> create the local.te file but I can't make/reload/ or load it.  The
>> help files I found searching about say I need package
>> selinux-policy-targeted-sources.  There doesn't seem to be one of those
>> packages for F8.  Where do I go from here?
>
>The -sources package was only for Fedora <= 4 and RHEL4; Fedora >= 5 and
>RHEL5 have loadable policy modules - no need to install or build the
>full policy sources anymore.
>
>You can compile that local.te file manually with checkmodule, package it
>with semodule_package, and install it with semodule, but the easier way
>to do things is:
># audit2allow -M local < /var/log/audit/audit.log (or /var/log/messages
>or wherever that avc message appears)
># semodule -i local.pp

Thanks very much Stephen.  That worked great to get rid of that wrinkle.

-- 
Knute Johnson
Molon Labe...

From olivares14031 at yahoo.com Fri Nov 16 02:01:13 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 15 Nov 2007 18:01:13 -0800 (PST)
Subject: problems with /dev/slamr0, mknod/insmod
Message-ID: <232293.46273.qm@web52603.mail.re2.yahoo.com>

Dear all,

On a fedora 8 machine with a clean install (deleted Fedora 6 and started fresh), I get a warning about insmod as I did with Fedora 7. On Fedora 7 the problem went away, but on Fedora 8 setroubleshoot will warn me more than it did before, so I kindly ask for guidance as to how to generate policy to allow /dev/slamr0 to run without problems with selinux.
avc: denied { setattr } for comm=chgrp dev=tmpfs egid=0 euid=0 exe=/bin/chgrp exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=slamr0 pid=1890 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

I'll attach the selinux-alert that I got and ask for guidance to resolve this issue.

TIA,

Antonio

From amarkelov at pluscom.ru Sun Nov 11 19:42:27 2007
From: amarkelov at pluscom.ru (Markelov Andrey)
Date: Sun, 11 Nov 2007 22:42:27 +0300
Subject: Fedora 8: SELinux doesn't allow to manually start sshd?
Message-ID:

Hello!

My system:
Fedora 8, selinux-policy-3.0.8-44 in targeted mode.

I log in to the system as ordinary user and then do su -.
When I try to start sshd daemon in Fedora 8 by typing "service sshd start"
I receive "Permission denied" message and this entry in audit.log:

type=SELINUX_ERR msg=audit(1194792116.506:236): security_compute_sid: invalid context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194792116.506:236): arch=40000003 syscall=11 success=yes exit=0 a0=8f58ab0 a1=8f58658 a2=8f451c0 a3=0 items=0 ppid=11059 pid=11068 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

When I try to start sshd my id -Z is:
unconfined_u:system_r:unconfined_t

I have some questions:
1) How can I explain that SELINUX_ERR message and "subj=..." in SYSCALL message?
2) Is it normal situation?
In RHEL5 the "su -; service sshd start" commands work fine.
3) How can I enable "service sshd start" in that situation?

____
Andrey Markelov
Plus Communications
Phone: +7(495)777-0-111 ext.533

From tmraz at redhat.com Fri Nov 16 08:27:32 2007
From: tmraz at redhat.com (Tomas Mraz)
Date: Fri, 16 Nov 2007 09:27:32 +0100
Subject: Fedora 8: SELinux doesn't allow to manually start sshd?
In-Reply-To:
References:
Message-ID: <1195201652.5377.3.camel@vespa.kabelta.loc>

On Sun, 2007-11-11 at 22:42 +0300, Markelov Andrey wrote:
> Hello!
>
> My system:
> Fedora 8, selinux-policy-3.0.8-44 in targeted mode.
>
> I log in to the system as ordinary user and then do su -.
> When I try to start sshd daemon in Fedora 8 by typing "service sshd start"
> I receive "Permission denied" message and this entry in audit.log:
>
> type=SELINUX_ERR msg=audit(1194792116.506:236): security_compute_sid: invalid context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1194792116.506:236): arch=40000003 syscall=11 success=yes exit=0 a0=8f58ab0 a1=8f58658 a2=8f451c0 a3=0 items=0 ppid=11059 pid=11068 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
>
> When I try to start sshd my id -Z is:
> unconfined_u:system_r:unconfined_t
>
> I have some questions:
> 1) How can I explain that SELINUX_ERR message and "subj=..." in SYSCALL message?
> 2) Is it normal situation? In RHEL5 the "su -; service sshd start" commands work fine.
> 3) How can I enable "service sshd start" in that situation?

You just need to upgrade to selinux-policy-3.0.8-53.fc8.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

From spng.yang at gmail.com Fri Nov 16 09:24:26 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Fri, 16 Nov 2007 17:24:26 +0800
Subject: Fedora 8: SELinux doesn't allow to manually start sshd?
In-Reply-To:
References:
Message-ID: <473D61CA.90102@gmail.com>

Markelov Andrey wrote:
> Hello!
>
> My system:
> Fedora 8, selinux-policy-3.0.8-44 in targeted mode.
>
> I log in to the system as ordinary user and then do su -.
> When I try to start sshd daemon in Fedora 8 by typing "service sshd start"
> I receive "Permission denied" message and this entry in audit.log:
>
> type=SELINUX_ERR msg=audit(1194792116.506:236): security_compute_sid: invalid context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1194792116.506:236): arch=40000003 syscall=11 success=yes exit=0 a0=8f58ab0 a1=8f58658 a2=8f451c0 a3=0 items=0 ppid=11059 pid=11068 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
>
> When I try to start sshd my id -Z is:
> unconfined_u:system_r:unconfined_t
>
> I have some questions:
> 1) How can I explain that SELINUX_ERR message and "subj=..." in SYSCALL message?

The above messages are not SELinux error messages; they are audit log entries.

> 2) Is it normal situation? In RHEL5 the "su -; service sshd start" commands work fine.

It is abnormal; I can start sshd with the -42 selinux-policy.

> 3) How can I enable "service sshd start" in that situation?

As I said above, what avc (selinux err) did you get?
Did you run setroubleshoot?
> ____
> Andrey Markelov
> Plus Communications
> Phone: +7(495)777-0-111 ext.533
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From Per.t.Sjoholm at flysta.net Fri Nov 16 10:11:25 2007
From: Per.t.Sjoholm at flysta.net (Per Sjoholm)
Date: Fri, 16 Nov 2007 11:11:25 +0100
Subject: home_dir default_t
In-Reply-To: <473B1FBD.9020908@redhat.com>
References: <473AB16A.2020407@flysta.net> <473B1FBD.9020908@redhat.com>
Message-ID: <473D6CCD.5000401@flysta.net>

Daniel J Walsh wrote:
> Per Sjoholm wrote:
>
>> I have some problem with alerts of default_t and relabel does not solve
>> the problem
>> Running FC7
>> I have my machine local home under /home_l  /home is used for nfs/autofs
>>
>> #> genhomedircon
>> #> touch /.autorelabel ; reboot
>> /home_l/*/* gets labeled with default_t
>>
>> restorecon -v -R /home_l
>> labels with user_home_t
>>
>> Why is there a difference between autorelabel and restorecon
>> Why does autorelabel set /home and /home_l to default_t
>>
>>
> Does the system know that /home_l is a homedir?  IE Do you have a
> password record that tells it this?  Or did you use
> semanage fcontext -a -t user_home_t '/home_l(/.*)?'
There are records with /home_l in /etc/passwd
No records with /home

$ grep home /etc/passwd
user1:x:1000:1000::/home_l/user1:/bin/bash
user2:x:1001:1001::/home_l/user2:/bin/bash

$ ls -Zd /home_l /home
drwxr-xr-x  root root system_u:object_r:default_t      /home
drwxr-xr-x  root root system_u:object_r:home_root_t    /home_l

$ ls -Z /home_l /home
/home:

/home_l:
drwx------  user1 user1 user_u:object_r:user_home_dir_t user1
drwx------  user2 user2 user_u:object_r:user_home_dir_t user2

/Per

From amarkelov at pluscom.ru Fri Nov 16 11:05:46 2007
From: amarkelov at pluscom.ru (Andrey Markelov)
Date: Fri, 16 Nov 2007 14:05:46 +0300
Subject: Fedora 8: SELinux doesn't allow to manually start sshd?
In-Reply-To: <473D61CA.90102@gmail.com>
References: <473D61CA.90102@gmail.com>
Message-ID: <20071116140546.17df5429.amarkelov@pluscom.ru>

On Fri, 16 Nov 2007 17:24:26 +0800
Ken YANG wrote:

> Markelov Andrey wrote:
> > Hello!
> >
> > My system:
> > Fedora 8, selinux-policy-3.0.8-44 in targeted mode.
> >
> > I log in to the system as ordinary user and then do su -.
> > When I try to start sshd daemon in Fedora 8 by typing "service sshd start"
> > I receive "Permission denied" message and this entry in audit.log:
> >
> > type=SELINUX_ERR msg=audit(1194792116.506:236): security_compute_sid: invalid context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
> > type=SYSCALL msg=audit(1194792116.506:236): arch=40000003 syscall=11 success=yes exit=0 a0=8f58ab0 a1=8f58658 a2=8f451c0 a3=0 items=0 ppid=11059 pid=11068 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
> >
> > When I try to start sshd my id -Z is:
> > unconfined_u:system_r:unconfined_t
> >
> > I have some questions:
> > 1) How can I explain that SELINUX_ERR message and "subj=..." in SYSCALL message?
>
> The above messages are not SELinux error messages; they are audit log entries.
>
> > 2) Is it normal situation? In RHEL5 the "su -; service sshd start" commands work fine.
>
> It is abnormal; I can start sshd with the -42 selinux-policy.
>
> > 3) How can I enable "service sshd start" in that situation?
>
> As I said above, what avc (selinux err) did you get?
> Did you run setroubleshoot?

That was my problem. No AVC messages. Only two audit messages.
But now with selinux-policy-3.0.8-47.fc8 I don't have this problem.

-- 
Andrey Markelov, Plus Communications
Phone: +7(495)777-0-111 ext.533

From selinux at gmail.com Fri Nov 16 15:27:02 2007
From: selinux at gmail.com (Tom London)
Date: Fri, 16 Nov 2007 07:27:02 -0800
Subject: setroubleshoot, xdm AVCs
Message-ID: <4c4ba1530711160727x8e99000g9efcb0aea3968668@mail.gmail.com>

Just noticed the following.
I'm running 'mostly Rawhide' (except for f8 gdm, mesa-*--7.1-0.4.fc9 and selinux-policy-3.0.8-56.fc8).

Got them booting in permissive mode:

[root at localhost ~]# audit2allow -i log

#============= setroubleshootd_t ==============
allow setroubleshootd_t self:capability sys_nice;
allow setroubleshootd_t self:process setsched;
allow setroubleshootd_t sysctl_net_t:dir search;
allow setroubleshootd_t tmp_t:dir read;

#============= xdm_xserver_t ==============
allow xdm_xserver_t hwdata_t:dir search;
allow xdm_xserver_t hwdata_t:file { read getattr };
[root at localhost ~]#

I attach the complete /var/log/audit/audit.log.

tom
-- 
Tom London

From wwoods at redhat.com Fri Nov 16 17:50:47 2007
From: wwoods at redhat.com (Will Woods)
Date: Fri, 16 Nov 2007 12:50:47 -0500
Subject: Fedora 8: SELinux doesn't allow to manually start sshd?
In-Reply-To:
References:
Message-ID: <1195235447.5812.2.camel@metroid.rdu.redhat.com>

On Sun, 2007-11-11 at 22:42 +0300, Markelov Andrey wrote:
> Hello!
>
> My system:
> Fedora 8, selinux-policy-3.0.8-44 in targeted mode.
>
> I log in to the system as ordinary user and then do su -.
> When I try to start sshd daemon in Fedora 8 by typing "service sshd start"
> I receive "Permission denied" message and this entry in audit.log:

I'm pretty sure this is on the Common Bugs page already:
http://fedoraproject.org/wiki/Bugs/F8Common#sshd-selinux

-w
From sdl.web at gmail.com Fri Nov 16 18:29:12 2007
From: sdl.web at gmail.com (Leo)
Date: Fri, 16 Nov 2007 18:29:12 +0000
Subject: SELinux is preventing /usr/sbin/dictd (dictd_t) "write" to (var_run_t)
References: <473B257C.3050407@redhat.com>
Message-ID:

On 2007-11-14 16:42 +0000, Daniel J Walsh wrote:
> Leo wrote:
>> Hi there,
>>
>> I am not able to start `dictd' in F8. Any ideas?
>>
>> Best,
> Yes it is not able to write its pid file.
>
> I don't have a dict for it, so hard for me to test.  If you run in
> permissive mode what avcs does it generate.

"
Yum install dictd
service dictd start
"

This is enough to test.

>
> I will allow it to write pidfile in selinux-policy-3.0.8-54.

Thanks. Look forward to it.

-- 
.:  Leo  :.  [ sdl.web AT gmail.com ]  .:  [ GPG Key: 9283AA3F ]  :.

Use the best OS -- http://www.fedoraproject.org/

From gene.heskett at verizon.net Sat Nov 17 09:31:17 2007
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sat, 17 Nov 2007 04:31:17 -0500
Subject: auditd fails to start on FC6 system, newer kernels effect?
Message-ID: <200711170431.17700.gene.heskett@verizon.net>

Greetings;

FC6 system, up to date, kernel 2.6.24-rc3, but this has existed since I re-enabled selinux in permissive mode just to see what complained.
The manpage says to use the -f option for foreground troubleshooting, so here goes:

[root at coyote linux-2.6.24-rc3]# man auditd
[root at coyote linux-2.6.24-rc3]# which auditd
/sbin/auditd
[root at coyote linux-2.6.24-rc3]# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
priority_boost_parser called with: 3
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 4
dispatch_parser called with: /sbin/audispd
qos_parser called with: lossy
max_log_size_parser called with: 5
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
Started dispatcher: /sbin/audispd pid: 7828
type=DAEMON_START msg=audit(1195291550.719:1106) auditd start, ver=1.4.2, format=raw, auid=4294967295 pid=7824 res=success, auditd pid=7824
config_manager init complete
Error setting audit daemon pid (Connection refused)
type=DAEMON_ABORT msg=audit(1195291550.720:1107) auditd error halt, auid=4294967295 pid=7824 res=failed, auditd pid=7824
Unable to set audit pid, exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
[root at coyote linux-2.6.24-rc3]#

Connection refused sounds as if something else isn't running that should be, but no direct clue, so what else needs to run too, before auditd?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
meeting, n.:
	An assembly of people coming together to decide what person or
	department not represented in the room must solve a problem.
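Stephen Smalley's "audit2allow -M local" recipe, Gene Heskett's empty local.te, and the SELINUX_ERR record in the cron-mail thread all come down to what audit2allow finds in the log; the Python script below is an added example (not from the list, nor from the audit2allow tool) that re-implements that small part of its job over a constructed sample built from the records quoted above. It assumes only the Python standard library, prints rules in the layout of Tom London's "audit2allow -i log" output, and treats the role rule it derives from a SELINUX_ERR record as a candidate to check rather than a fix.

```python
"""Toy audit2allow for the records quoted in this archive: AVC denials
become allow rules, SELINUX_ERR "invalid context" records become a
candidate role rule, and anything else (PAM records, SYSCALL lines)
yields nothing, which is why Gene's audit2allow run produced an empty
module that checkmodule then rejected."""
import re
from collections import defaultdict

# Constructed sample, one record per line, assembled from the messages
# above (the mailer had wrapped them): Gene Heskett's PAM record, Knute
# Johnson's nmbd denial, Antonio Olivares' insmod denial and Paul
# Howarth's SELINUX_ERR record.
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1193734801.287:27922): user pid=11880 uid=0 auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
avc: denied { read } for comm=nmbd dev=inotifyfs path=inotify pid=3296 scontext=system_u:system_r:nmbd_t:s0 tclass=dir tcontext=system_u:object_r:inotifyfs_t:s0
avc: denied { setattr } for comm=chgrp dev=tmpfs exe=/bin/chgrp exit=-13 name=slamr0 pid=1890 scontext=system_u:system_r:insmod_t:s0 subj=system_u:system_r:insmod_t:s0 tclass=chr_file tcontext=system_u:object_r:device_t:s0
type=SELINUX_ERR msg=audit(1194605105.159:168): security_compute_sid: invalid context unconfined_u:unconfined_r:system_mail_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_crond_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=process
"""

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
PERMS_RE = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")
INVALID_CTX_RE = re.compile(r"invalid context (\S+) for ")


def fields(record):
    """key=value pairs of one record, quotes stripped.  Parsing by key
    rather than by position matters: setroubleshoot prints keys sorted
    (scontext ... tclass ... tcontext) while the kernel's own order is
    scontext, tcontext, tclass."""
    return {k: v.strip("'\"") for k, v in FIELD_RE.findall(record)}


def ctx_part(ctx, idx):
    """user:role:type[:range] -> component idx (an MLS range such as
    s0-s0:c0.c1023 adds more colons, so only the first three count)."""
    parts = ctx.split(":")
    return parts[idx] if len(parts) > idx else None


def parse_audit(text):
    """Return ({(source_type, target_type, tclass): {perms}},
    {(role, type)}) for the AVC and SELINUX_ERR records in text."""
    allows = defaultdict(set)
    roles = set()
    for record in text.splitlines():
        f = fields(record)
        perms = PERMS_RE.search(record)
        if "avc:" in record and perms and all(k in f for k in ("scontext", "tcontext", "tclass")):
            key = (ctx_part(f["scontext"], 2), ctx_part(f["tcontext"], 2), f["tclass"])
            allows[key].update(perms.group(1).split())
        elif "SELINUX_ERR" in record and INVALID_CTX_RE.search(record):
            # Not an AVC, so the audit2allow of this era skipped it; Stephen
            # Smalley's reading in the cron-mail thread is a missing
            # "role R types T;" for the role and type of the invalid context.
            bad = INVALID_CTX_RE.search(record).group(1)
            roles.add((ctx_part(bad, 1), ctx_part(bad, 2)))
    return allows, roles


def fmt(perms):
    """One permission bare, several sorted inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(module, text):
    """Render a .te in audit2allow's layout, or None when the log holds no
    usable record (the bare "module local 1.0;" of Gene's thread)."""
    allows, roles = parse_audit(text)
    if not allows and not roles:
        return None
    types = {t for key in allows for t in key[:2]} | {t for _, t in roles}
    classes = defaultdict(set)
    for (_, _, cls), perms in allows.items():
        classes[cls].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\trole {r};" for r in sorted({r for r, _ in roles})]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out.append("}")
    by_source = defaultdict(list)
    for role, t in sorted(roles):
        by_source[t].append(f"role {role} types {t};")
    for (s, t, cls), perms in sorted(allows.items()):
        by_source[s].append(f"allow {s} {t}:{cls} {fmt(perms)};")
    for s, rules in sorted(by_source.items()):
        out += ["", f"#============= {s} ==============", *rules]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te("local", SAMPLE_LOG) or "no AVC or SELINUX_ERR records found")
```

Feed it only the PAM line and it returns None, which is the situation behind the checkmodule syntax error in Gene's thread: nothing to allow, so no module.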
From kwhiskerz at yahoo.ca Sat Nov 17 19:07:30 2007
From: kwhiskerz at yahoo.ca (kwhiskerz)
Date: Sat, 17 Nov 2007 12:07:30 -0700
Subject: selinux blocks lircmd
Message-ID: <200711171207.30153.kwhiskerz@yahoo.ca>

SELinux is blocking the lircmd remote-controlled mouse from starting. I have lirc properly set up and am able to use it to control amarok, kaffeine &c when I start irkick, so I know that the remote is not defective and that the system is reading the signals sent. I use the lircm mouse to control programs remotely. I have the mouse defined in xorg.conf and it used to work perfectly in f7 (when I had, in frustration, disabled selinux). In f8, I insist on finally using selinux in the default enforcing mode. The problem with lircmd has been persisting since about f3 or f4 and since then, I have had to disable selinux to get it to work. After all of this time, there must be a way for linux software to co-exist with selinux?

Xorg.0.log excerpt:

(**) Option "Protocol" "IMPS/2"
(**) LircMouse: Device: "/dev/lircm"
(**) LircMouse: Protocol: "IMPS/2"
(**) Option "SendCoreEvents"
(**) LircMouse: always reports core events
(**) Option "Device" "/dev/lircm"
(EE) xf86OpenSerial: Cannot open device /dev/lircm
	Permission denied.
(EE) LircMouse: cannot open input device
(EE) PreInit failed for input device "LircMouse"
(II) UnloadModule: "mouse"

From the SELinux troubleshooter:

SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "read write" to (device_t).
Raw Audit Messages:

avc: denied { read write } for comm=X dev=tmpfs egid=0 euid=0 exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lircm pid=2076 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=fifo_file tcontext=system_u:object_r:device_t:s0 tty=tty7 uid=0

From kwhiskerz at yahoo.ca Sun Nov 18 09:34:43 2007
From: kwhiskerz at yahoo.ca (kwhiskerz)
Date: Sun, 18 Nov 2007 02:34:43 -0700
Subject: selinux blocks lircmd
Message-ID: <200711180234.43975.kwhiskerz@yahoo.ca>

I had hoped that selinux would finally work. When I installed f8 and saw that it was set to enforcing and all but the lircmd mouse worked, I was encouraged. Perhaps it will finally work after all, once that problem is solved.

Then came a policy update this afternoon and I rebooted and when I looked, I saw that the system had been put into permissive mode. Now everything works just great.

I was really hoping that everything would finally work great in enforcing, but I guess there must be a reason for permissive.

So, what is the difference between enforcing and permissive (since permissive is not disabled)? Does it block some things, but not everything?

From amessina at messinet.com Sun Nov 18 12:53:13 2007
From: amessina at messinet.com (Anthony Messina)
Date: Sun, 18 Nov 2007 06:53:13 -0600
Subject: selinux blocks lircmd
In-Reply-To: <200711180234.43975.kwhiskerz@yahoo.ca>
References: <200711180234.43975.kwhiskerz@yahoo.ca>
Message-ID: <200711180653.17255.amessina@messinet.com>

On Sunday 18 November 2007 03:34:43 am kwhiskerz wrote:
> So, what is the difference between enforcing and permissive (since
> permissive is not disabled)? Does it block some things, but not everything?

Generally, permissive mode logs what would be blocked in enforcing mode, but doesn't actually block it. That way, you can see what would happen if you turned enforcing on.
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From ynakam at hitachisoft.jp Mon Nov 19 04:47:01 2007
From: ynakam at hitachisoft.jp (Yuichi Nakamura)
Date: Mon, 19 Nov 2007 13:47:01 +0900
Subject: ANN: SELinux Policy Editor 2.2.0
Message-ID: <20071119133250.BBC3.YNAKAM@hitachisoft.jp>

Hi.

We've released SELinux Policy Editor (SEEdit) 2.2.0. SEEdit is a tool to write policy easily.

Changes from 2.1.0:

1) Policy development for embedded device support.
   You can develop policy for embedded devices by SEEdit.

2) Improved SPDL compiler.
   seedit-converter (the program that converts SPDL to SELinux policy) does not use local file information; the labeling rule has been changed. By that, you can cross-develop policy for embedded devices. For non-embedded people, the speed to convert SPDL to SELinux policy has become faster.

3) Support Fedora 8.

For detail, please look at http://seedit.sourceforge.net/

Regards,
--
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
Japan SELinux Users Group (JSELUG): http://www.selinux.gr.jp/
SELinux Policy Editor: http://seedit.sourceforge.net/

From olivares14031 at yahoo.com Mon Nov 19 13:35:11 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 19 Nov 2007 05:35:11 -0800 (PST)
Subject: SELinux is preventing X (xdm_xserver_t) "search" to (hwdata_t).
Message-ID: <223526.52252.qm@web52605.mail.re2.yahoo.com>

After applying rawhide updates and starting up to new kernel 2.6.24-0.38.rc2.git6.fc9, setroubleshoot kicked in and gave the following alert:

Summary
    SELinux is preventing X (xdm_xserver_t) "search" to (hwdata_t).

Detailed Description
    SELinux denied access requested by X.
    It is not expected that this access is required by X and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for , restorecon -v
    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:xdm_xserver_t
Target Context                system_u:object_r:hwdata_t
Target Objects                None [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.38.rc2.git6.fc9 #1 SMP Fri Nov 16 17:20:39 EST 2007 i686 athlon
Alert Count                   1
First Seen                    Mon 19 Nov 2007 07:25:42 AM CST
Last Seen                     Mon 19 Nov 2007 07:25:42 AM CST
Local ID                      a1fc1316-a17e-43d6-8163-a6899b0cc65c
Line Numbers

Raw Audit Messages

avc: denied { search } for comm=X dev=dm-0 name=hwdata pid=2802 scontext=system_u:system_r:xdm_xserver_t:s0 tclass=dir tcontext=system_u:object_r:hwdata_t:s0

Regards,

Antonio

From olivares14031 at yahoo.com Mon Nov 19 13:37:18 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 19 Nov 2007 05:37:18 -0800 (PST)
Subject: SELinux is preventing the ck-get-x11-serv from using potentially mislabeled files ().
Message-ID: <742014.45299.qm@web52612.mail.re2.yahoo.com>

Just as I sent out the other mail about the selinux denying X I have gotten this one, what should I do? Advice/comments/suggestions are welcome.

Regards,

Antonio

Summary
    SELinux is preventing the ck-get-x11-serv from using potentially mislabeled files ().

Detailed Description
    SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s) (). This means that SELinux will not allow ck-get-x11-serv to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access
    If you want ck-get-x11-serv to access this files, you need to relabel them using restorecon -v . You might want to relabel the entire directory using restorecon -R -v .

Additional Information

Source Context                system_u:system_r:consolekit_t
Target Context                system_u:object_r:user_home_t
Target Objects                None [ file ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.38.rc2.git6.fc9 #1 SMP Fri Nov 16 17:20:39 EST 2007 i686 athlon
Alert Count                   5
First Seen                    Sun 11 Nov 2007 09:40:02 AM CST
Last Seen                     Mon 19 Nov 2007 07:25:44 AM CST
Local ID                      fa84efec-ad7f-46d6-a356-d16d9235b774
Line Numbers

Raw Audit Messages

avc: denied { read } for comm=ck-get-x11-serv dev=dm-0 name=.Xauthority pid=2874 scontext=system_u:system_r:consolekit_t:s0 tclass=file tcontext=system_u:object_r:user_home_t:s0
From sds at tycho.nsa.gov Mon Nov 19 18:23:25 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 19 Nov 2007 13:23:25 -0500
Subject: auditd fails to start on FC6 system, newer kernels effect?
In-Reply-To: <200711170431.17700.gene.heskett@verizon.net>
References: <200711170431.17700.gene.heskett@verizon.net>
Message-ID: <1195496605.7546.115.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2007-11-17 at 04:31 -0500, Gene Heskett wrote:
> Greetings;
>
> FC6 system, uptodate, kernel 2.6.24-rc3, but this has existed since I
> re-enabled selinux in permissive mode just to see what complained.
>
> The manpage says to use the -f option for foreground troubleshooting, so here
> goes:
>
> [root@coyote linux-2.6.24-rc3]# man auditd
> [root@coyote linux-2.6.24-rc3]# which auditd
> /sbin/auditd
> [root@coyote linux-2.6.24-rc3]# auditd -f
> Config file /etc/audit/auditd.conf opened for parsing
> log_file_parser called with: /var/log/audit/audit.log
> log_format_parser called with: RAW
> priority_boost_parser called with: 3
> flush_parser called with: INCREMENTAL
> freq_parser called with: 20
> num_logs_parser called with: 4
> dispatch_parser called with: /sbin/audispd
> qos_parser called with: lossy
> max_log_size_parser called with: 5
> max_log_size_action_parser called with: ROTATE
> space_left_parser called with: 75
> space_action_parser called with: SYSLOG
> action_mail_acct_parser called with: root
> admin_space_left_parser called with: 50
> admin_space_left_action_parser called with: SUSPEND
> disk_full_action_parser called with: SUSPEND
> disk_error_action_parser called with: SUSPEND
> Started dispatcher: /sbin/audispd pid: 7828
> type=DAEMON_START msg=audit(1195291550.719:1106) auditd start, ver=1.4.2,
> format=raw, auid=4294967295 pid=7824 res=success, auditd pid=7824
> config_manager init complete
> Error setting audit daemon pid (Connection refused)
> type=DAEMON_ABORT msg=audit(1195291550.720:1107) auditd error halt,
> auid=4294967295 pid=7824 res=failed, auditd pid=7824
> Unable to set audit pid, exiting
> The audit daemon is exiting.
> Error setting audit daemon pid (Connection refused)
> [root@coyote linux-2.6.24-rc3]#
>
> Connection refused sounds as if something else isn't running that should be,
> but no direct clue, so what else needs to run too, before auditd?

More of a question for linux-audit (cc'd).

Offhand, I'd guess that the ECONNREFUSED is coming from the netlink code, but I don't know why. Running it under strace might be illuminating.

--
Stephen Smalley
National Security Agency

From jouni at viikarit.com Mon Nov 19 18:41:29 2007
From: jouni at viikarit.com (Jouni Viikari)
Date: Mon, 19 Nov 2007 20:41:29 +0200
Subject: Cron after upgrade (FC6 -> FC8)
Message-ID: <1195497689.24270.13.camel@pappa.viikarit.com>

Is it possible to run crontab job as a root any more on FC8? I get this in /var/log/cron and job is not run:

... crond[2511]: (root) Unauthorized SELinux context (cron/root)

Thanks,

Jouni

# ls -lZ /var/spool/cron/
-rw------- root root system_u:object_r:unconfined_cron_spool_t root

# rpm -qa | grep selinux-policy-targeted
selinux-policy-targeted-3.0.8-53.fc8

I just tried my luck (just guessing):

# chcon -t sysadm_crond_t /var/spool/cron/root
chcon: failed to change context of /var/spool/cron/root to system_u:object_r:sysadm_crond_t: Permission denied

From dwalsh at redhat.com Mon Nov 19 20:05:47 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 19 Nov 2007 15:05:47 -0500
Subject: selinux blocks lircmd
In-Reply-To: <200711171207.30153.kwhiskerz@yahoo.ca>
References: <200711171207.30153.kwhiskerz@yahoo.ca>
Message-ID: <4741EC9B.7060301@redhat.com>

kwhiskerz wrote:
> SELinux is blocking the lircmd remote-controlled mouse from starting.
>
> I have lirc properly set up and am able to use it to control amarok, kaffeine
> &c when I start irkick, so I know that the remote is not defective and that
> the system is reading the signals sent.
>
> I use the lircm mouse to control programs remotely. I have the mouse defined
> in xorg.conf and it used to work perfectly in f7 (when I had, in frustration,
> disabled selinux).
>
> In f8, I insist on finally using selinux in the default enforcing mode. The
> problem with lircmd has been persisting since about f3 or f4 and since then,
> I have had to disable selinux to get it to work. After all of this time,
> there must be a way for linux software to co-exist with selinux?
>
> Xorg.0.log excerpt:
>
> (**) Option "Protocol" "IMPS/2"
> (**) LircMouse: Device: "/dev/lircm"
> (**) LircMouse: Protocol: "IMPS/2"
> (**) Option "SendCoreEvents"
> (**) LircMouse: always reports core events
> (**) Option "Device" "/dev/lircm"
> (EE) xf86OpenSerial: Cannot open device /dev/lircm
> 	Permission denied.
> (EE) LircMouse: cannot open input device
> (EE) PreInit failed for input device "LircMouse"
> (II) UnloadModule: "mouse"
>
> From the SELinux troubleshooter:
>
> SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "read write" to
> (device_t).
>
> Raw Audit Messages:
>
> avc: denied { read write } for comm=X dev=tmpfs egid=0 euid=0
> exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lircm pid=2076
> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=fifo_file
> tcontext=system_u:object_r:device_t:s0 tty=tty7 uid=0

We do not have a mapping for the device. If you

chcon -t mouse_device_t /dev/lircm

It should work.

Did you ever report this as a bugzilla?
From dwalsh at redhat.com Mon Nov 19 20:08:17 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 19 Nov 2007 15:08:17 -0500
Subject: selinux blocks lircmd
In-Reply-To: <4741EC9B.7060301@redhat.com>
References: <200711171207.30153.kwhiskerz@yahoo.ca> <4741EC9B.7060301@redhat.com>
Message-ID: <4741ED31.6040804@redhat.com>

Daniel J Walsh wrote:
> kwhiskerz wrote:
>> SELinux is blocking the lircmd remote-controlled mouse from starting.
>>
>> I have lirc properly set up and am able to use it to control amarok, kaffeine
>> &c when I start irkick, so I know that the remote is not defective and that
>> the system is reading the signals sent.
>>
>> I use the lircm mouse to control programs remotely. I have the mouse defined
>> in xorg.conf and it used to work perfectly in f7 (when I had, in frustration,
>> disabled selinux).
>>
>> In f8, I insist on finally using selinux in the default enforcing mode. The
>> problem with lircmd has been persisting since about f3 or f4 and since then,
>> I have had to disable selinux to get it to work. After all of this time,
>> there must be a way for linux software to co-exist with selinux?
>>
>> Xorg.0.log excerpt:
>>
>> (**) Option "Protocol" "IMPS/2"
>> (**) LircMouse: Device: "/dev/lircm"
>> (**) LircMouse: Protocol: "IMPS/2"
>> (**) Option "SendCoreEvents"
>> (**) LircMouse: always reports core events
>> (**) Option "Device" "/dev/lircm"
>> (EE) xf86OpenSerial: Cannot open device /dev/lircm
>> 	Permission denied.
>> (EE) LircMouse: cannot open input device
>> (EE) PreInit failed for input device "LircMouse"
>> (II) UnloadModule: "mouse"
>>
>> From the SELinux troubleshooter:
>>
>> SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "read write" to
>> (device_t).
>>
>> Raw Audit Messages:
>>
>> avc: denied { read write } for comm=X dev=tmpfs egid=0 euid=0
>> exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lircm pid=2076
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=fifo_file
>> tcontext=system_u:object_r:device_t:s0 tty=tty7 uid=0
>
> We do not have a mapping for the device. If you
>
> chcon -t mouse_device_t /dev/lircm
>
> It should work.
>
> Did you ever report this as a bugzilla?

Fixed in selinux-policy-3.0.8-58.fc8

From dwalsh at redhat.com Mon Nov 19 20:10:54 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 19 Nov 2007 15:10:54 -0500
Subject: SELinux is preventing X (xdm_xserver_t) "search" to (hwdata_t).
In-Reply-To: <223526.52252.qm@web52605.mail.re2.yahoo.com>
References: <223526.52252.qm@web52605.mail.re2.yahoo.com>
Message-ID: <4741EDCE.5000303@redhat.com>

Antonio Olivares wrote:
> After applying rawhide updates and starting up to new kernel 2.6.24-0.38.rc2.git6.fc9, setroubleshoot kicked in and gave the following alert:
>
> Summary
>     SELinux is preventing X (xdm_xserver_t) "search" to (hwdata_t).
>
> Detailed Description
>     SELinux denied access requested by X. It is not expected that this access is
>     required by X and this access may signal an intrusion attempt. It is also
>     possible that the specific version or configuration of the application is
>     causing it to require additional access.
>
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials. You could try to
>     restore the default system file context for , restorecon -v
>     If this does not work, there is currently no automatic way to
>     allow this access. Instead, you can generate a local policy module to allow
>     this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:xdm_xserver_t
> Target Context                system_u:object_r:hwdata_t
> Target Objects                None [ dir ]
> Affected RPM Packages
> Policy RPM                    selinux-policy-3.0.8-44.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     localhost
> Platform                      Linux localhost 2.6.24-0.38.rc2.git6.fc9 #1 SMP
>                               Fri Nov 16 17:20:39 EST 2007 i686 athlon
> Alert Count                   1
> First Seen                    Mon 19 Nov 2007 07:25:42 AM CST
> Last Seen                     Mon 19 Nov 2007 07:25:42 AM CST
> Local ID                      a1fc1316-a17e-43d6-8163-a6899b0cc65c
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm=X dev=dm-0 name=hwdata pid=2802
> scontext=system_u:system_r:xdm_xserver_t:s0 tclass=dir
> tcontext=system_u:object_r:hwdata_t:s0
>
> Regards,
>
> Antonio
Fixed in selinux-policy-3.1.2-1.fc9

From dwalsh at redhat.com Mon Nov 19 20:22:49 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 19 Nov 2007 15:22:49 -0500
Subject: SELinux is preventing the ck-get-x11-serv from using potentially mislabeled files ().
In-Reply-To: <742014.45299.qm@web52612.mail.re2.yahoo.com>
References: <742014.45299.qm@web52612.mail.re2.yahoo.com>
Message-ID: <4741F099.3050107@redhat.com>

Antonio Olivares wrote:
> Just as I sent out the other mail about the selinux denying X I have gotten this one, what should I do? Advice/comments/suggestions are welcome.
>
> Regards,
>
> Antonio
>
> Summary
>     SELinux is preventing the ck-get-x11-serv from using potentially mislabeled
>     files ().
>
> Detailed Description
>     SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s)
>     (). This means that SELinux will not allow ck-get-x11-serv to use
>     these files. It is common for users to edit files in their home directory
>     or tmp directories and then move (mv) them to system directories. The
>     problem is that the files end up with the wrong file context which confined
>     applications are not allowed to access.
>
> Allowing Access
>     If you want ck-get-x11-serv to access this files, you need to relabel them
>     using restorecon -v . You might want to relabel the entire
>     directory using restorecon -R -v .
>
> Additional Information
>
> Source Context                system_u:system_r:consolekit_t
> Target Context                system_u:object_r:user_home_t
> Target Objects                None [ file ]
> Affected RPM Packages
> Policy RPM                    selinux-policy-3.0.8-44.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.home_tmp_bad_labels
> Host Name                     localhost
> Platform                      Linux localhost 2.6.24-0.38.rc2.git6.fc9 #1 SMP
>                               Fri Nov 16 17:20:39 EST 2007 i686 athlon
> Alert Count                   5
> First Seen                    Sun 11 Nov 2007 09:40:02 AM CST
> Last Seen                     Mon 19 Nov 2007 07:25:44 AM CST
> Local ID                      fa84efec-ad7f-46d6-a356-d16d9235b774
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { read } for comm=ck-get-x11-serv dev=dm-0 name=.Xauthority pid=2874
> scontext=system_u:system_r:consolekit_t:s0 tclass=file
> tcontext=system_u:object_r:user_home_t:s0

This is strange, we worked to change startx to prevent this situation. I will update policy to dontaudit this.
From dwalsh at redhat.com Mon Nov 19 20:23:28 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 19 Nov 2007 15:23:28 -0500
Subject: Cron after upgrade (FC6 -> FC8)
In-Reply-To: <1195497689.24270.13.camel@pappa.viikarit.com>
References: <1195497689.24270.13.camel@pappa.viikarit.com>
Message-ID: <4741F0C0.8050009@redhat.com>

Jouni Viikari wrote:
> Is it possible to run crontab job as a root any more on FC8? I get this
> in /var/log/cron and job is not run:
>
> ... crond[2511]: (root) Unauthorized SELinux context (cron/root)
>
>
> Thanks,
>
> Jouni
>
>
> # ls -lZ /var/spool/cron/
> -rw------- root root system_u:object_r:unconfined_cron_spool_t root
>
> # rpm -qa | grep selinux-policy-targeted
> selinux-policy-targeted-3.0.8-53.fc8
>
> I just tried my luck (just guessing):
>
> # chcon -t sysadm_crond_t /var/spool/cron/root
> chcon: failed to change context of /var/spool/cron/root to
> system_u:object_r:sysadm_crond_t: Permission denied

Fixed in selinux-policy-3.0.8-56

From dwalsh at redhat.com Mon Nov 19 20:28:18 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 19 Nov 2007 15:28:18 -0500
Subject: home_dir default_t
In-Reply-To: <473D6CCD.5000401@flysta.net>
References: <473AB16A.2020407@flysta.net> <473B1FBD.9020908@redhat.com> <473D6CCD.5000401@flysta.net>
Message-ID:
<4741F1E2.6050702@redhat.com>

Per Sjoholm wrote:
> Daniel J Walsh wrote:
>> Per Sjoholm wrote:
>>>> I have some problem with alerts of default_t and relabel does not solve
>>>> the problem
>>>> Running FC7
>>>> I have my machine local home under /home_l. /home is used for nfs/autofs
>>>>
>>>> #> genhomedircon
>>>> #> touch /.autorelabel ; reboot
>>>> /home_l/*/* gets labeled with default_t
>>>>
>>>> restorecon -v -R /home_l
>>>> labels with user_home_t
>>>>
>>>> Why is there a difference between autorelabel and restorecon?
>>>> Why does autorelabel set /home and /home_l to default_t?
>>>>
>> Does the system know that /home_l is a homedir? IE Do you have a
>> password record that tells it this? Or did you use
> There are records with /home_l in /etc/passwd
> No records with /home
> $ grep home /etc/passwd
> user1:x:1000:1000::/home_l/user1:/bin/bash
> user2:x:1001:1001::/home_l/user2:/bin/bash
> $ ls -Zd /home_l /home
> drwxr-xr-x root root system_u:object_r:default_t /home
> drwxr-xr-x root root system_u:object_r:home_root_t /home_l
> $ ls -Z /home_l /home
> /home:
> /home_l:
> drwx------ user1 user1 user_u:object_r:user_home_dir_t user1
> drwx------ user2 user2 user_u:object_r:user_home_dir_t user2
> /Per

Ok. Then I would just add the rule

semanage fcontext -a -t home_root_t /home_l

From dwalsh at redhat.com Mon Nov 19 20:29:37 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 19 Nov 2007 15:29:37 -0500
Subject: SELinux is preventing /usr/sbin/dictd (dictd_t) "write" to (var_run_t)
In-Reply-To:
References: <473B257C.3050407@redhat.com>
Message-ID: <4741F231.20002@redhat.com>

Leo wrote:
> On 2007-11-14 16:42 +0000, Daniel
> J Walsh wrote:
>> Leo wrote:
>>> Hi there,
>>>
>>> I am not able to start `dictd' in F8. Any ideas?
>>>
>>> Best,
>> Yes it is not able to write its pid file.
>>
>> I don't have a dict for it, so hard for me to test. If you run in
>> permissive mode what avcs does it generate.
>
> "
> Yum install dictd
>
> service dictd start

Not for me. :^(

service dictd start
Starting dictd: no dictionaries installed                  [FAILED]

> "
> This is enough to test.
>
>> I will allow it to write pidfile in selinux-policy-3.0.8-54.
>
> Thanks. Look forward to it.
>

56 was released over the weekend.

From dwalsh at redhat.com Mon Nov 19 20:32:53 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 19 Nov 2007 15:32:53 -0500
Subject: problems with /dev/slamr0, mknod/insmod
In-Reply-To: <232293.46273.qm@web52603.mail.re2.yahoo.com>
References: <232293.46273.qm@web52603.mail.re2.yahoo.com>
Message-ID: <4741F2F5.7070905@redhat.com>

Antonio Olivares wrote:
> Dear all,
>
> On a fedora 8 machine with clean install, deleted Fedora 6 and started fresh, I get a warning about insmod as I did with Fedora 7, on Fedora 7 the problem went away, but on Fedora 8, setroubleshoot will warn me more than it did before so I kindly ask for guidance as to how to generate policy to allow the /dev/slamr0 to run without problems with selinux.
>
> avc: denied { setattr } for comm=chgrp dev=tmpfs egid=0 euid=0 exe=/bin/chgrp
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=slamr0 pid=1890
> scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
> suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
>
>
> I'll attach the selinux-alert that I got and ask for guidance to resolve this issue.
>
> TIA,
>
> Antonio

The problem is this is non labeled. Adding

/dev/slamr[0-9]+ -c system_u:object_r:tty_device_t:s0

to selinux-policy-3.0.8-56

From linux_4ever at yahoo.com Mon Nov 19 20:34:42 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Mon, 19 Nov 2007 12:34:42 -0800 (PST)
Subject: auditd fails to start on FC6 system, newer kernels effect?
Message-ID: <491554.40079.qm@web51502.mail.re2.yahoo.com>

> FC6 system, uptodate, kernel 2.6.24-rc3,

Where did this kernel come from & does it have the same config options that Fedora uses?

> but this has existed since I re-enabled
> selinux in permissive mode just to see what complained.

What happens when you boot a normal Fedora kernel?

> Connection refused sounds as if something else isn't running
> that should be, but no direct clue, so what else needs to
> run too, before auditd?
I have a feeling something is not right with the kernel if selinux is in permissive and it's failing to connect.

-Steve

From olivares14031 at yahoo.com Mon Nov 19 20:52:31 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 19 Nov 2007 12:52:31 -0800 (PST)
Subject: SELinux is preventing X (xdm_xserver_t) "search" to (hwdata_t).
In-Reply-To: <4741EDCE.5000303@redhat.com>
Message-ID: <269330.94641.qm@web52608.mail.re2.yahoo.com>

--- Daniel J Walsh wrote:

> Antonio Olivares wrote:
>> After applying rawhide updates and starting up to new kernel
>> 2.6.24-0.38.rc2.git6.fc9, setroubleshoot kicked in and gave the
>> following alert:
>>
>> Summary
>>     SELinux is preventing X (xdm_xserver_t) "search" to (hwdata_t).
>>
>> Detailed Description
>>     SELinux denied access requested by X. It is not expected that this
>>     access is required by X and this access may signal an intrusion
>>     attempt. It is also possible that the specific version or
>>     configuration of the application is causing it to require
>>     additional access.
>>
>> Allowing Access
>>     Sometimes labeling problems can cause SELinux denials. You could
>>     try to restore the default system file context for , restorecon -v
>>     If this does not work, there is currently no automatic way to
>>     allow this access. Instead, you can generate a local policy module
>>     to allow this access - see
>>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>>     Or you can disable SELinux protection altogether. Disabling SELinux
>>     protection is not recommended. Please file a
>>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>>
>> Additional Information
>>
>> Source Context                system_u:system_r:xdm_xserver_t
>> Target Context                system_u:object_r:hwdata_t
>> Target Objects                None [ dir ]
>> Affected RPM Packages
>> Policy RPM                    selinux-policy-3.0.8-44.fc8
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   plugins.catchall_file
>> Host Name                     localhost
>> Platform                      Linux localhost 2.6.24-0.38.rc2.git6.fc9 #1 SMP
>>                               Fri Nov 16 17:20:39 EST 2007 i686 athlon
>> Alert Count                   1
>> First Seen                    Mon 19 Nov 2007 07:25:42 AM CST
>> Last Seen                     Mon 19 Nov 2007 07:25:42 AM CST
>> Local ID                      a1fc1316-a17e-43d6-8163-a6899b0cc65c
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> avc: denied { search } for comm=X dev=dm-0 name=hwdata pid=2802
>> scontext=system_u:system_r:xdm_xserver_t:s0 tclass=dir
>> tcontext=system_u:object_r:hwdata_t:s0
>>
>> Regards,
>>
>> Antonio
>
> Fixed in selinux-policy-3.1.2-1.fc9

Thanks! :)

Regards,

Antonio
From kwhiskerz at yahoo.ca  Tue Nov 20 03:42:29 2007
From: kwhiskerz at yahoo.ca (kwhiskerz)
Date: Mon, 19 Nov 2007 20:42:29 -0700
Subject: policy confusion
Message-ID: <200711192042.29500.kwhiskerz@yahoo.ca>

I want to give selinux a try.

I have it set to enforcing. I noticed that there are 2 policy types: targeted and seedit. It is currently set to seedit, although I changed nothing. Which should I use?

From spng.yang at gmail.com  Tue Nov 20 06:16:52 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Tue, 20 Nov 2007 14:16:52 +0800
Subject: policy confusion
In-Reply-To: <200711192042.29500.kwhiskerz@yahoo.ca>
References: <200711192042.29500.kwhiskerz@yahoo.ca>
Message-ID: <47427BD4.8060807@gmail.com>

kwhiskerz wrote:
> I want to give selinux a try.
>
> I have it set to enforcing. I noticed that there are 2 policy types: targeted and seedit. It is currently set to seedit, although I changed nothing. Which should I use?

seedit is from: http://seedit.sourceforge.net/

targeted is from upstream. If you use Fedora, the "targeted" policy is the default. It depends on you which one to use.

From adam.huffman at gmail.com  Tue Nov 20 12:33:02 2007
From: adam.huffman at gmail.com (Adam Huffman)
Date: Tue, 20 Nov 2007 12:33:02 +0000
Subject: Problems with sendmail after upgrade to F8
Message-ID: <608c44bf0711200433r27bea4f1j9f1b966393a84484@mail.gmail.com>

After yum upgrading from F7 to F8, I'm seeing alerts whenever fetchmail brings in new mail, even after a complete relabelling of the system:

Summary
SELinux is preventing sendmail (sendmail_t) "search" to (unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for , restorecon -v If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                None [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     saintloup.smith.man.ac.uk
Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
Alert Count                   18
First Seen                    Tue Nov 20 12:15:53 2007
Last Seen                     Tue Nov 20 12:30:59 2007
Local ID                      3c789a3b-b8f8-4b21-a34a-bc198b90be73
Line Numbers

Raw Audit Messages

avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0

Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "getattr" to /home/adam (unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /home/adam, restorecon -v /home/adam If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:sendmail_t
Target Context                unconfined_u:object_r:unconfined_home_dir_t
Target Objects                /home/adam [ dir ]
Affected RPM Packages         sendmail-8.14.1-4.2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     saintloup.smith.man.ac.uk
Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
Alert Count                   66
First Seen                    Tue Nov 20 12:15:53 2007
Last Seen                     Tue Nov 20 12:30:59 2007
Local ID                      a9ca1470-2510-4d05-baa4-48f8aa3b4474
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0 path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 sgid=500 subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tty=(none) uid=0

I've not seen anything about sendmail in recent selinux-policy builds - is something else wrong here?
From jk at lutty.net  Tue Nov 20 13:31:06 2007
From: jk at lutty.net (Laurent Jacquot)
Date: Tue, 20 Nov 2007 14:31:06 +0100
Subject: files contexts override via policy module
Message-ID: <1195565466.10117.0.camel@jack.lutty.net>

Hello,
I am sure this is a FAQ or a feature, but I want to know how to work around:

I have cxoffice installed in my F8 home dir and I want some lib labeled as textrel_shlib_t, but I cannot override the default user_home_t home label via a policy module.

NOTE1 it works if the directory is not under /home
NOTE2 there is nothing in the logs if it fails
NOTE3 It has been so since the introduction of modular policy in selinux

This is what I have tried so far in F8.

[root at jack sel]#cat local.fc
#cxoffice
#/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0

/home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0

[root at jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
[root at jack sel]#semodule -i local.pp
[root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root at jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so

(If I use the system-config-selinux UI, I can see the new entry in the tab context among all the regexp)

Using semanage, it works:
[root at jack sel]#semodule -r local
[root at jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root at jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
[root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
-rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so

and the custom rule appears in system-config-selinux UI at the end of the policy.

So how do I have my module install my contexts the same way as semanage? Should I bugzilla it?

BTW, how does system-config-selinux browse the file context policy? Is it possible to see also the rules and type definition?

TIA
jk

From dwalsh at redhat.com  Tue Nov 20 13:32:41 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 20 Nov 2007 08:32:41 -0500
Subject: Problems with sendmail after upgrade to F8
In-Reply-To: <608c44bf0711200433r27bea4f1j9f1b966393a84484@mail.gmail.com>
References: <608c44bf0711200433r27bea4f1j9f1b966393a84484@mail.gmail.com>
Message-ID: <4742E1F9.4070506@redhat.com>

Adam Huffman wrote:
> After yum upgrading from F7 to F8, I'm seeing alerts whenever fetchmail brings in new mail, even after a complete relabelling of the system:
>
> Summary
> SELinux is preventing sendmail (sendmail_t) "search" to (unconfined_home_dir_t).
>
> Detailed Description
> SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for , restorecon -v If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:sendmail_t
> Target Context                unconfined_u:object_r:unconfined_home_dir_t
> Target Objects                None [ dir ]
> Affected RPM Packages
> Policy RPM                    selinux-policy-3.0.8-56.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     saintloup.smith.man.ac.uk
> Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count                   18
> First Seen                    Tue Nov 20 12:15:53 2007
> Last Seen                     Tue Nov 20 12:30:59 2007
> Local ID                      3c789a3b-b8f8-4b21-a34a-bc198b90be73
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
>
> Summary
> SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "getattr" to /home/adam (unconfined_home_dir_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /home/adam, restorecon -v /home/adam If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:sendmail_t
> Target Context                unconfined_u:object_r:unconfined_home_dir_t
> Target Objects                /home/adam [ dir ]
> Affected RPM Packages         sendmail-8.14.1-4.2.fc8 [application]
> Policy RPM                    selinux-policy-3.0.8-56.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     saintloup.smith.man.ac.uk
> Platform                      Linux saintloup.smith.man.ac.uk 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
> Alert Count                   66
> First Seen                    Tue Nov 20 12:15:53 2007
> Last Seen                     Tue Nov 20 12:30:59 2007
> Local ID                      a9ca1470-2510-4d05-baa4-48f8aa3b4474
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0 path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 sgid=500 subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tty=(none) uid=0
>
> I've not seen anything about sendmail in recent selinux-policy builds - is something else wrong here?

Does everything seem to be working correctly? I.e. are you getting your mail?

This looks like sendmail is being executed from your home dir and it is doing a getattr on it (on current working directory), which is generating the AVC.

If it is not causing a problem, you should use audit2allow to generate a dontaudit rule.
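Dan's advice is to feed the denials to audit2allow and take a dontaudit rule rather than an allow. The following added example (not audit2allow's own code) parses the two raw audit messages quoted above and renders the equivalent small policy module source; a dontaudit rule only silences the message and grants sendmail_t nothing.

```python
"""Added example (not audit2allow's code): turn raw AVC messages like
Adam's into a .te policy module that dontaudits (or, on request, allows)
exactly the denied permissions, grouped per source type / target type /
object class."""
import re
from collections import defaultdict

# Constructed copy of the two "Raw Audit Messages" from the sealert reports above.
SAMPLE_AVCS = """\
avc: denied { search } for comm=sendmail dev=dm-1 name=adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0
avc: denied { getattr } for comm=sendmail dev=dm-1 egid=500 euid=500 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=500 fsuid=500 gid=500 items=0 path=/home/adam pid=5161 scontext=system_u:system_r:sendmail_t:s0 sgid=500 subj=system_u:system_r:sendmail_t:s0 suid=500 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tty=(none) uid=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    try:
        # A security context is user:role:type[:range]; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def build_module(avc_text, name="local", version="1.0", dontaudit=True):
    """Aggregate denials per (source, target, class) and render module source."""
    rules = defaultdict(set)
    for line in avc_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    if not rules:
        raise ValueError("no AVC denials found in input")
    # The require block must declare every type and every class/permission used.
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    keyword = "dontaudit" if dontaudit else "allow"
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"{keyword} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_module(SAMPLE_AVCS))
```

The resulting local.te is compiled with checkmodule -M -m, then packaged and installed with semodule_package and semodule -i as in Laurent's session above.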
From dwalsh at redhat.com  Tue Nov 20 13:39:57 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 20 Nov 2007 08:39:57 -0500
Subject: files contexts override via policy module
In-Reply-To: <1195565466.10117.0.camel@jack.lutty.net>
References: <1195565466.10117.0.camel@jack.lutty.net>
Message-ID: <4742E3AD.9050600@redhat.com>

Laurent Jacquot wrote:
> Hello,
> I am sure this is a FAQ or a feature, but I want to know how to work around:
>
> I have cxoffice installed in my F8 home dir and I want some lib labeled as textrel_shlib_t, but I cannot override the default user_home_t home label via a policy module.
>
> NOTE1 it works if the directory is not under /home
> NOTE2 there is nothing in the logs if it fails
> NOTE3 It has been so since the introduction of modular policy in selinux
>
> This is what I have tried so far in F8.
>
> [root at jack sel]#cat local.fc
> #cxoffice
> #/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>
> /home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0
>
> [root at jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
> [root at jack sel]#semodule -i local.pp
> [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root at jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>
> (If I use the system-config-selinux UI, I can see the new entry in the tab context among all the regexp)
>
> Using semanage, it works:
> [root at jack sel]#semodule -r local
> [root at jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root at jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> -rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>
> and the custom rule appears in system-config-selinux UI at the end of the policy.
>
> So how do I have my module install my contexts the same way as semanage? Should I bugzilla it?
>
> BTW, how does system-config-selinux browse the file context policy? Is it possible to see also the rules and type definition?
>
> TIA
> jk

This looks like a bug in libsemanage or in the file context labeling algorithm.

I believe matchpathcon is reading in file_contexts, file_contexts.homedirs, file_contexts.local and taking the last entry.

So using semodule to add a pp file updates the file_contexts file, in which case the homedirs is overriding. semanage fcontext updates the file_contexts.local.

If you tried

HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0

It should update the file_contexts.homedirs file.

From jk at lutty.net  Tue Nov 20 14:15:39 2007
From: jk at lutty.net (Laurent Jacquot)
Date: Tue, 20 Nov 2007 15:15:39 +0100
Subject: files contexts override via policy module
In-Reply-To: <4742E3AD.9050600@redhat.com>
References: <1195565466.10117.0.camel@jack.lutty.net> <4742E3AD.9050600@redhat.com>
Message-ID: <1195568139.10117.4.camel@jack.lutty.net>

On Tuesday 20 November 2007 at 08:39 -0500, Daniel J Walsh wrote:
> Laurent Jacquot wrote:
> > Hello,
> > I am sure this is a FAQ or a feature, but I want to know how to work around:
> >
> > I have cxoffice installed in my F8 home dir and I want some lib labeled as textrel_shlib_t, but I cannot override the default user_home_t home label via a policy module.
> >
> > NOTE1 it works if the directory is not under /home
> > NOTE2 there is nothing in the logs if it fails
> > NOTE3 It has been so since the introduction of modular policy in selinux
> >
> > This is what I have tried so far in F8.
> >
> > [root at jack sel]#cat local.fc
> > #cxoffice
> > #/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
> >
> > /home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0
> >
> > [root at jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
> > [root at jack sel]#semodule -i local.pp
> > [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root at jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> >
> > (If I use the system-config-selinux UI, I can see the new entry in the tab context among all the regexp)
> >
> > Using semanage, it works:
> > [root at jack sel]#semodule -r local
> > [root at jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root at jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
> > -rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
> >
> > and the custom rule appears in system-config-selinux UI at the end of the policy.
> >
> > So how do I have my module install my contexts the same way as semanage? Should I bugzilla it?
> >
> > BTW, how does system-config-selinux browse the file context policy? Is it possible to see also the rules and type definition?
> >
> > TIA
> > jk
>
> This looks like a bug in libsemanage or in the file context labeling algorithm.
>
> I believe matchpathcon is reading in file_contexts, file_contexts.homedirs, file_contexts.local and taking the last entry.
>
> So using semodule to add a pp file updates the file_contexts file, in which case the homedirs is overriding. semanage fcontext updates the file_contexts.local.
>
> If you tried
>
> HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>
> It should update the file_contexts.homedirs file.

I confirm this works. Thanks!
Should I bugzilla it or is it the way it should be?

jk

From dwalsh at redhat.com  Tue Nov 20 14:56:28 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 20 Nov 2007 09:56:28 -0500
Subject: files contexts override via policy module
In-Reply-To: <1195568139.10117.4.camel@jack.lutty.net>
References: <1195565466.10117.0.camel@jack.lutty.net> <4742E3AD.9050600@redhat.com> <1195568139.10117.4.camel@jack.lutty.net>
Message-ID: <4742F59C.1050405@redhat.com>

Laurent Jacquot wrote:
> On Tuesday 20 November 2007 at 08:39 -0500, Daniel J Walsh wrote:
>> Laurent Jacquot wrote:
>>> Hello,
>>> I am sure this is a FAQ or a feature, but I want to know how to work around:
>>>
>>> I have cxoffice installed in my F8 home dir and I want some lib labeled as textrel_shlib_t, but I cannot override the default user_home_t home label via a policy module.
>>>
>>> NOTE1 it works if the directory is not under /home
>>> NOTE2 there is nothing in the logs if it fails
>>> NOTE3 It has been so since the introduction of modular policy in selinux
>>>
>>> This is what I have tried so far in F8.
>>>
>>> [root at jack sel]#cat local.fc
>>> #cxoffice
>>> #/home/alex/.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>>>
>>> /home/alex/cxoffice/lib/wine/kernel32.dll.so -- system_u:object_r:textrel_shlib_t:s0
>>>
>>> [root at jack sel]#semodule_package -o local.pp -m local.mod -f local.fc
>>> [root at jack sel]#semodule -i local.pp
>>> [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root at jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>>
>>> (If I use the system-config-selinux UI, I can see the new entry in the tab context among all the regexp)
>>>
>>> Using semanage, it works:
>>> [root at jack sel]#semodule -r local
>>> [root at jack sel]#semanage fcontext -a -t textrel_shlib_t /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x alex alex system_u:object_r:user_home_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root at jack sel]#restorecon /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> [root at jack sel]#ls -Z /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>> -rwxr-xr-x alex alex system_u:object_r:textrel_shlib_t:s0 /home/alex/cxoffice/lib/wine/kernel32.dll.so
>>>
>>> and the custom rule appears in system-config-selinux UI at the end of the policy.
>>>
>>> So how do I have my module install my contexts the same way as semanage? Should I bugzilla it?
>>>
>>> BTW, how does system-config-selinux browse the file context policy? Is it possible to see also the rules and type definition?
>>>
>>> TIA
>>> jk
>> This looks like a bug in libsemanage or in the file context labeling algorithm.
>>
>> I believe matchpathcon is reading in file_contexts, file_contexts.homedirs, file_contexts.local and taking the last entry.
>>
>> So using semodule to add a pp file updates the file_contexts file, in which case the homedirs is overriding. semanage fcontext updates the file_contexts.local.
>>
>> If you tried
>>
>> HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
>>
>> It should update the file_contexts.homedirs file.
>>
> I confirm this works. Thanks!
> Should I bugzilla it or is it the way it should be?
>
> jk

You can bugzilla it, but it probably should be brought up for discussion on the list.

From ftaylor at redhat.com  Tue Nov 20 20:50:10 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Tue, 20 Nov 2007 13:50:10 -0700
Subject: restorecond not expanding ~
Message-ID: <1195591810.26492.17.camel@papa.taylor.com>

I am using RHEL5.1 selinux-policy-targeted-2.4.6-104.el5. restorecond is not properly expanding the ~ or other wildcards in /etc/selinux/restorecond.conf. By default, restorecond.conf includes:

~/public_html

However, if I create that directory as a normal user, it gets the standard context (user_home_t). If I explicitly put the full path (e.g., /home/student/public_html), it works as expected.

Does (or will) restorecond support wildcards/regex?
Thanks,
Forrest

From drepper at redhat.com  Tue Nov 20 20:58:56 2007
From: drepper at redhat.com (Ulrich Drepper)
Date: Tue, 20 Nov 2007 12:58:56 -0800
Subject: restorecond not expanding ~
In-Reply-To: <1195591810.26492.17.camel@papa.taylor.com>
References: <1195591810.26492.17.camel@papa.taylor.com>
Message-ID: <47434A90.5040200@redhat.com>

Forrest Taylor wrote:
> I am using RHEL5.1 selinux-policy-targeted-2.4.6-104.el5. restorecond is not properly expanding the ~ or other wildcards in /etc/selinux/restorecond.conf. By default, restorecond.conf includes:
> ~/public_html

And how would you want to expand ~ ? This is a context-sensitive value. restorecond runs as root so ~/foo is /root/foo? You cannot expect the program to pull down the list of all accounts and expand ~/foo for all user accounts.

There might be a case for supporting * but I think the files which have to be handled through restorecond should remain small, so this isn't really that important.

--
Ulrich Drepper - Red Hat, Inc. - 444 Castro St - Mountain View, CA

From sds at tycho.nsa.gov  Tue Nov 20 21:10:41 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 20 Nov 2007 16:10:41 -0500
Subject: restorecond not expanding ~
In-Reply-To: <1195591810.26492.17.camel@papa.taylor.com>
References: <1195591810.26492.17.camel@papa.taylor.com>
Message-ID: <1195593041.20910.97.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2007-11-20 at 13:50 -0700, Forrest Taylor wrote:
> I am using RHEL5.1 selinux-policy-targeted-2.4.6-104.el5. restorecond is not properly expanding the ~ or other wildcards in /etc/selinux/restorecond.conf. By default, restorecond.conf includes:
> ~/public_html
>
> However, if I create that directory as a normal user, it gets the standard context (user_home_t). If I explicitly put the full path (e.g., /home/student/public_html), it works as expected.
>
> Does (or will) restorecond support wildcards/regex?

Wildcards/regex, no. Tilde should be expanded to user home directories for users presently logged in to the system (based on utmp).

Try running it with -d -v.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com  Tue Nov 20 21:55:41 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 20 Nov 2007 16:55:41 -0500
Subject: restorecond not expanding ~
In-Reply-To: <1195593041.20910.97.camel@moss-spartans.epoch.ncsc.mil>
References: <1195591810.26492.17.camel@papa.taylor.com> <1195593041.20910.97.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <474357DD.7050309@redhat.com>

Stephen Smalley wrote:
> On Tue, 2007-11-20 at 13:50 -0700, Forrest Taylor wrote:
>> I am using RHEL5.1 selinux-policy-targeted-2.4.6-104.el5. restorecond is not properly expanding the ~ or other wildcards in /etc/selinux/restorecond.conf. By default, restorecond.conf includes:
>> ~/public_html
>>
>> However, if I create that directory as a normal user, it gets the standard context (user_home_t). If I explicitly put the full path (e.g., /home/student/public_html), it works as expected.
>>
>> Does (or will) restorecond support wildcards/regex?
>
> Wildcards/regex, no. Tilde should be expanded to user home directories for users presently logged in to the system (based on utmp).
>
> Try running it with -d -v.
>
I haven't checked for a while. But yes, it is supposed to check ~/FILE. It does this by watching the utmp file for users logging in and then adds the homedir to its list of directories to watch.
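The "files contexts override via policy module" thread above turns on the layering of the file-context database: file_contexts, then file_contexts.homedirs, then file_contexts.local, last match wins. The following is an added toy model of that lookup (not libselinux or libsemanage code) with constructed spec lines modelled on Laurent's session; it assumes the policy build places the more specific HOME_DIR spec after the generic HOME_DIR/.* entry and leaves out the real implementation's sorting and caching.

```python
"""Added example: toy model of the file-context lookup order Dan Walsh
describes. Specs from file_contexts, file_contexts.homedirs and
file_contexts.local are concatenated in that order and the last matching
spec wins. Not libselinux code; sorting by specificity is omitted."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Spec:
    regex: str
    ftype: Optional[str]   # "--", "-d", ... or None for any file type
    context: str
    source: str            # which file_contexts* file the spec came from


def parse_fc(text: str, source: str) -> List[Spec]:
    """Parse file_contexts(5) lines of the form: <regex> [<type>] <context>."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError(f"malformed spec in {source}: {line!r}")
        specs.append(Spec(regex, ftype, context, source))
    return specs


def expand_homedirs(template: str, homedirs: List[str]) -> str:
    """Model of genhomedircon: each HOME_DIR line is emitted once per home directory."""
    out = []
    for line in template.splitlines():
        if "HOME_DIR" in line:
            out.extend(line.replace("HOME_DIR", home) for home in homedirs)
        else:
            out.append(line)
    return "\n".join(out)


def lookup(path: str, specs: List[Spec], ftype: str = "--") -> Optional[Spec]:
    """Last matching spec across the concatenated files wins."""
    winner = None
    for spec in specs:
        if spec.ftype not in (None, ftype):
            continue
        if re.fullmatch(spec.regex, path):
            winner = spec
    return winner


# Constructed sample data modelled on Laurent's session (not real policy files).
FILE_CONTEXTS_BASE = r"""
/.*                 system_u:object_r:default_t:s0
/home           -d  system_u:object_r:home_root_t:s0
"""
# Laurent's local.fc entry; semodule -i merges it into file_contexts.
MODULE_FC = r"""
/home/alex/cxoffice/lib/wine/kernel32\.dll\.so -- system_u:object_r:textrel_shlib_t:s0
"""
# HOME_DIR templates that are expanded into file_contexts.homedirs.
HOMEDIRS_TEMPLATE = r"""
HOME_DIR        -d  system_u:object_r:user_home_dir_t:s0
HOME_DIR/.*         system_u:object_r:user_home_t:s0
"""
# Dan's suggested spec; assumed to be ordered after the generic HOME_DIR/.* entry.
MODULE_HOMEDIR_FC = r"""
HOME_DIR/\.cxoffice/dotwine/drive_c(/.*)?/.*\.exe -- system_u:object_r:textrel_shlib_t:s0
"""
# What semanage fcontext -a -t textrel_shlib_t <path> records in file_contexts.local.
SEMANAGE_LOCAL = r"""
/home/alex/cxoffice/lib/wine/kernel32.dll.so system_u:object_r:textrel_shlib_t:s0
"""
LIB = "/home/alex/cxoffice/lib/wine/kernel32.dll.so"
EXE = "/home/alex/.cxoffice/dotwine/drive_c/windows/notepad.exe"   # constructed path


def laurent_scenarios() -> dict:
    """Return {scenario: (winning type, source file)} for the three attempts."""
    homes = ["/home/alex"]
    base = parse_fc(FILE_CONTEXTS_BASE + MODULE_FC, "file_contexts")
    homedirs = parse_fc(expand_homedirs(HOMEDIRS_TEMPLATE, homes), "file_contexts.homedirs")
    local = parse_fc(SEMANAGE_LOCAL, "file_contexts.local")
    homedirs2 = parse_fc(expand_homedirs(HOMEDIRS_TEMPLATE + MODULE_HOMEDIR_FC, homes),
                         "file_contexts.homedirs")

    def result(spec):
        return spec.context.split(":")[2], spec.source

    return {
        "module_fc": result(lookup(LIB, base + homedirs)),            # loses to homedirs
        "semanage": result(lookup(LIB, base + homedirs + local)),     # .local is read last
        "home_dir_fc": result(lookup(EXE, base + homedirs2)),         # lands in homedirs itself
        "homedir": result(lookup("/home/alex", base + homedirs, ftype="-d")),
    }


if __name__ == "__main__":
    for name, (ctx, src) in laurent_scenarios().items():
        print(f"{name:12s} -> {ctx:18s} (from {src})")
```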
From jouni at viikarit.com  Wed Nov 21 10:53:33 2007
From: jouni at viikarit.com (Jouni Viikari)
Date: Wed, 21 Nov 2007 12:53:33 +0200 (EET)
Subject: Cron after upgrade (FC6 -> FC8)
In-Reply-To: <4741F0C0.8050009@redhat.com>
References: <1195497689.24270.13.camel@pappa.viikarit.com> <4741F0C0.8050009@redhat.com>
Message-ID:

On Mon, 19 Nov 2007, Daniel J Walsh wrote:
> Jouni Viikari wrote:
>> Is it possible to run crontab job as a root any more on FC8? I get this in /var/log/cron and job is not run:
>>
>> ... crond[2511]: (root) Unauthorized SELinux context (cron/root)
>>
>> Thanks,
>>
>> Jouni
>>
>> # ls -lZ /var/spool/cron/
>> -rw------- root root system_u:object_r:unconfined_cron_spool_t root
>>
>> # rpm -qa | grep selinux-policy-targeted
>> selinux-policy-targeted-3.0.8-53.fc8
>>
>> I just tried my luck (just guessing):
>>
>> # chcon -t sysadm_crond_t /var/spool/cron/root
>> chcon: failed to change context of /var/spool/cron/root to system_u:object_r:sysadm_crond_t: Permission denied
> Fixed in selinux-policy-3.0.8-56

Did not solve it:

crond[2511]: (root) Unauthorized SELinux context(cron/root).

# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.0.8-56.fc8
selinux-policy-3.0.8-56.fc8

BTW, I wonder how to fix this message which is continuously popping up in the right way? Which version is correct:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/awstats(/.*)? (system_u:object_r:httpd_sys_script_rw_t:s0 and system_u:object_r:awstats_var_lib_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/share/awstats/wwwroot/cgi-bin(/.*)? (system_u:object_r:httpd_sys_script_exec_t:s0 and system_u:object_r:httpd_awstats_script_exec_t:s0).

Just noticed that it looks like also my SquirrelMail is broken:

avc: denied { search } for comm=sendmail dev=dm-0 egid=51 euid=48 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0 name=mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48

avc: denied { getattr } for comm=sendmail dev=dm-0 egid=51 euid=48 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0 path=/etc/mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48

avc: denied { create } for comm=sendmail egid=51 euid=48 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0 pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48

From dwalsh at redhat.com  Wed Nov 21 15:53:59 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 21 Nov 2007 10:53:59 -0500
Subject: Cron after upgrade (FC6 -> FC8)
In-Reply-To:
References: <1195497689.24270.13.camel@pappa.viikarit.com> <4741F0C0.8050009@redhat.com>
Message-ID: <47445497.3030200@redhat.com>

Jouni Viikari wrote:
> On Mon, 19 Nov 2007, Daniel J Walsh wrote:
>> Jouni Viikari wrote:
>>> Is it possible to run crontab job as a root any more on FC8? I get this in /var/log/cron and job is not run:
>>>
>>> ... crond[2511]: (root) Unauthorized SELinux context (cron/root)
>>>
>>> Thanks,
>>>
>>> Jouni
>>>
>>> # ls -lZ /var/spool/cron/
>>> -rw------- root root system_u:object_r:unconfined_cron_spool_t root
>>>
>>> # rpm -qa | grep selinux-policy-targeted
>>> selinux-policy-targeted-3.0.8-53.fc8
>>>
>>> I just tried my luck (just guessing):
>>>
>>> # chcon -t sysadm_crond_t /var/spool/cron/root
>>> chcon: failed to change context of /var/spool/cron/root to system_u:object_r:sysadm_crond_t: Permission denied
>> Fixed in selinux-policy-3.0.8-56
>
> Did not solve it:
>
> crond[2511]: (root) Unauthorized SELinux context(cron/root).
>
> # rpm -qa | grep selinux-policy
> selinux-policy-targeted-3.0.8-56.fc8
> selinux-policy-3.0.8-56.fc8
>
> BTW, I wonder how to fix this message which is continuously popping up in the right way? Which version is correct:
>
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/awstats(/.*)? (system_u:object_r:httpd_sys_script_rw_t:s0 and system_u:object_r:awstats_var_lib_t:s0).
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/share/awstats/wwwroot/cgi-bin(/.*)? (system_u:object_r:httpd_sys_script_exec_t:s0 and system_u:object_r:httpd_awstats_script_exec_t:s0).

These look like you did some local customization of these directories. I would remove your local mods.

semanage fcontext -d '/usr/share/awstats/wwwroot/cgi-bin(/.*)?'
semanage fcontext -d '/var/lib/awstats(/.*)?'

I would almost always go with the more specific. :^)

> Just noticed that it looks like also my SquirrelMail is broken:
>
> avc: denied { search } for comm=sendmail dev=dm-0 egid=51 euid=48 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0 name=mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
>
> avc: denied { getattr } for comm=sendmail dev=dm-0 egid=51 euid=48 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0 path=/etc/mail pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=dir tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48
>
> avc: denied { create } for comm=sendmail egid=51 euid=48 exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=48 gid=48 items=0 pid=4066 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48
>

setsebool -P http_can_sendmail 1

From lists at ebourne.me.uk  Thu Nov 22 00:02:24 2007
From: lists at ebourne.me.uk (Martin Ebourne)
Date: Thu, 22 Nov 2007 00:02:24 +0000
Subject: pam_ssh
Message-ID: <1195689744.17483.4.camel@avenin.ebourne.me.uk>

Hi,

Since I upgraded to Fedora 8 selinux has started blocking pam_ssh (sets up ssh-agent when you log in) from working. I've made a policy module which I plan to propose for the rpm (see below) but I wanted to check here first to make sure it's all sane.
All the permissions I've granted were asked for at some point on the gdm
login; it took several iterations to get it working. I've copied them for
console and ssh since I also have it configured for those.

Any feedback welcome.

Cheers,

Martin.

# VERSION is left as a placeholder here; a loadable module needs a numeric
# version (e.g. 1.0) in this position.
policy_module(pam_ssh,VERSION)

require {
	type local_login_t;
	type local_login_tmp_t;
	type ssh_agent_exec_t;
	type sshd_t;
	type xdm_t;
	type user_home_ssh_t;
	type var_run_t;
	class dir { write add_name };
	# 'create' added to the file class: the var_run_t:file rules below use it,
	# and a module may only use permissions it has required.
	class file { create read getattr execute execute_no_trans };
	class sock_file create;
}

# console login (local_login_t)
allow local_login_t ssh_agent_exec_t:file { read execute execute_no_trans };
allow local_login_t user_home_ssh_t:file { read getattr };
allow local_login_t var_run_t:dir { write add_name };
allow local_login_t var_run_t:file { create read getattr };
allow local_login_t local_login_tmp_t:sock_file create;

# ssh login (sshd_t)
allow sshd_t ssh_agent_exec_t:file { read execute execute_no_trans };
allow sshd_t user_home_ssh_t:file { read getattr };
allow sshd_t var_run_t:dir { write add_name };
allow sshd_t var_run_t:file { create read getattr };
allow sshd_t local_login_tmp_t:sock_file create;

# gdm login (xdm_t)
allow xdm_t ssh_agent_exec_t:file { read execute execute_no_trans };
allow xdm_t user_home_ssh_t:file { read getattr };
allow xdm_t var_run_t:dir { write add_name };
allow xdm_t var_run_t:file { create read getattr };
allow xdm_t local_login_tmp_t:sock_file create;

From phaceton at gmail.com Thu Nov 22 06:42:49 2007
From: phaceton at gmail.com (Peter Harmsen)
Date: Thu, 22 Nov 2007 07:42:49 +0100
Subject: adding ssh capability to xguest user role
Message-ID: <3655f5d90711212242x43a083a1y34fcc4e408e6b732@mail.gmail.com>

Hello,

Great addition, the guest and xguest user roles. Now I have changed, with the
SELinux management tool under user mappings, the user role for a specific
user account from user_u to xguest_u. Works like a charm and I'm pretty
pleased. If only I could give that user ssh access given the above scenario.
--
I have made this letter longer than usual, because I lack the time to make it short.

From paul at city-fan.org Thu Nov 22 10:21:10 2007
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 22 Nov 2007 10:21:10 +0000
Subject: AVCs whilst installing latest F8 update batch
Message-ID: <47455816.9000405@city-fan.org>

Got a bunch of AVCs whilst installing these updates today:

Nov 22 07:50:15 Updated: bind-libs - 32:9.5.0-18.a7.fc8.x86_64
Nov 22 07:50:17 Updated: pilot-link - 2:0.12.2-7.fc8.x86_64
Nov 22 07:50:20 Updated: bind - 32:9.5.0-18.a7.fc8.x86_64
Nov 22 07:50:22 Updated: smolt - 1.0-1.fc8.noarch
Nov 22 07:50:25 Updated: system-config-firewall-tui - 1.0.11-1.fc8.noarch
Nov 22 07:50:25 Updated: bind-utils - 32:9.5.0-18.a7.fc8.x86_64
Nov 22 07:50:29 Updated: system-config-firewall - 1.0.11-1.fc8.noarch
Nov 22 07:50:29 Updated: smolt-firstboot - 1.0-1.fc8.noarch
Nov 22 07:50:35 Updated: bind-chroot - 32:9.5.0-18.a7.fc8.x86_64
Nov 22 07:50:37 Updated: setroubleshoot-plugins - 1.10.4-1.fc8.noarch
Nov 22 07:50:38 Updated: libao - 0.8.8-2.fc8.x86_64
Nov 22 07:50:40 Updated: pilot-link - 2:0.12.2-7.fc8.i386

Piping the AVCs into audit2allow -R yielded:

require {
	type named_conf_t;
	type setfiles_t;
	type proc_t;
	class lnk_file relabelfrom;
	class dir relabelfrom;
	class file relabelfrom;
	class filesystem associate;
}

#============= named_conf_t ==============
allow named_conf_t proc_t:filesystem associate;

#============= setfiles_t ==============
allow setfiles_t self:dir relabelfrom;
allow setfiles_t self:file relabelfrom;
allow setfiles_t self:lnk_file relabelfrom;
kernel_getattr_core_if(setfiles_t)
kernel_getattr_message_if(setfiles_t)
kernel_read_device_sysctls(setfiles_t)
kernel_read_kernel_sysctls(setfiles_t)
kernel_read_net_sysctls(setfiles_t)
kernel_read_software_raid_state(setfiles_t)
kernel_read_vm_sysctls(setfiles_t)

As far as I can see, the updates installed OK. I can post the raw audit
messages if it's useful.

Paul.
From orcanbahri at yahoo.com Thu Nov 22 18:03:23 2007
From: orcanbahri at yahoo.com (scorpion_9)
Date: Thu, 22 Nov 2007 10:03:23 -0800 (PST)
Subject: selinux blocks lircmd
In-Reply-To: <4741EC9B.7060301@redhat.com>
References: <200711171207.30153.kwhiskerz@yahoo.ca> <4741EC9B.7060301@redhat.com>
Message-ID: <13871620.post@talk.nabble.com>

Daniel J Walsh wrote:
>
> kwhiskerz wrote:
>> SELinux is blocking the lircmd remote-controlled mouse from starting.
>>
>> I have lirc properly set up and am able to use it to control amarok,
>> kaffeine &c when I start irkick, so I know that the remote is not
>> defective and that the system is reading the signals sent.
>>
>> I use the lircm mouse to control programs remotely. I have the mouse
>> defined in xorg.conf and it used to work perfectly in f7 (when I had,
>> in frustration, disabled selinux).
>>
>> In f8, I insist on finally using selinux in the default enforcing mode.
>> The problem with lircmd has been persisting since about f3 or f4 and
>> since then, I have had to disable selinux to get it to work. After all
>> of this time, there must be a way for linux software to co-exist with
>> selinux?
>>
>> Xorg.0.log excerpt:
>>
>> (**) Option "Protocol" "IMPS/2"
>> (**) LircMouse: Device: "/dev/lircm"
>> (**) LircMouse: Protocol: "IMPS/2"
>> (**) Option "SendCoreEvents"
>> (**) LircMouse: always reports core events
>> (**) Option "Device" "/dev/lircm"
>> (EE) xf86OpenSerial: Cannot open device /dev/lircm
>> Permission denied.
>> (EE) LircMouse: cannot open input device
>> (EE) PreInit failed for input device "LircMouse"
>> (II) UnloadModule: "mouse"
>>
>> From the SELinux troubleshooter:
>>
>> SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "read write" to
>> (device_t).
>>
>> Raw Audit Messages:
>>
>> avc: denied { read write } for comm=X dev=tmpfs egid=0 euid=0
>> exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lircm
>> pid=2076
>> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
>> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0
>> tclass=fifo_file
>> tcontext=system_u:object_r:device_t:s0 tty=tty7 uid=0
>>
> We do not have a mapping for the device. If you
>
> chcon -t mouse_device_t /dev/lircm
>
> It should work.
>
> Did you ever report this as a bugzilla?
>

Hi,

I have the same problem and I tried what you said. It gives me:

[root at desitter ~]# chcon -t mouse_device_t /dev/lircm
chcon: failed to change context of /dev/lircm to
system_u:object_r:mouse_device_t:s0: Permission denied

I also tried the selinux-policy-3.0.8-58.fc8 rpm. Same error. I can't get
the /dev/lircm work with X.

--
View this message in context: http://www.nabble.com/selinux-blocks-lircmd-tf4827770.html#a13871620
Sent from the Fedora SELinux List mailing list archive at Nabble.com.

From mjc at avtechpulse.com Fri Nov 23 13:50:10 2007
From: mjc at avtechpulse.com (Dr. Michael J. Chudobiak)
Date: Fri, 23 Nov 2007 08:50:10 -0500
Subject: gdm + selinux problem
Message-ID: <4746DA92.2000204@avtechpulse.com>

Hi all,

After an F7 -> F8 upgrade, I can't start the xorg server in enforcing mode.
Logs say things like:

type=AVC msg=audit(1195824979.681:23): avc: denied { getattr } for pid=2585 comm="gdm-binary" path="/tmp/.X11-unix" dev=dm-0 ino=8871462 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1195824979.681:23): arch=40000003 syscall=196 success=yes exit=0 a0=8090daf a1=bfb4d320 a2=c2bff4 a3=3 items=0 ppid=1 pid=2585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="gdm-binary" exe="/usr/sbin/gdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

audit2allow says:

#============= cupsd_t ==============
allow cupsd_t nscd_t:nscd shmemserv;
#============= iptables_t ==============
allow iptables_t nscd_t:nscd shmemserv;
#============= nfsd_t ==============
allow nfsd_t nscd_t:nscd { shmemserv getserv };
#============= ntpd_t ==============
allow ntpd_t nscd_t:nscd shmemserv;
#============= sendmail_t ==============
allow sendmail_t fail2ban_log_t:file append;
allow sendmail_t initrc_t:unix_stream_socket { read write };
allow sendmail_t nscd_t:nscd shmemserv;
#============= system_mail_t ==============
allow system_mail_t nscd_t:nscd shmemserv;
#============= xdm_t ==============
allow xdm_t initrc_tmp_t:dir { getattr setattr };
#============= xdm_xserver_t ==============
allow xdm_xserver_t initrc_tmp_t:dir { write getattr search add_name };
allow xdm_xserver_t initrc_tmp_t:sock_file create;

Now... how would this have happened? Should I just run the above commands
to fix everything, or is there a deeper bug / issue?

Help appreciated!

- Mike

From knute at frazmtn.com Sun Nov 25 08:45:22 2007
From: knute at frazmtn.com (Knute Johnson)
Date: Sun, 25 Nov 2007 00:45:22 -0800
Subject: Weird selinux problem with sendmail
Message-ID: <4748C5A2.23978.20AB858@knute.frazmtn.com>

I loaded F8 onto my old mail server computer and started to reassemble it.
But I'm getting a strange message from sendmail and a selinux avc to go
with it. I do not have a .forward file and I have an almost identical
system running that doesn't have one either and doesn't give any errors. I
don't know if this is a sendmail problem or a selinux problem. The mail
comes and goes OK. Any ideas?

Thanks,

knute...

Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward /home/knute/.forward.www: Permission denied
Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward /home/knute/.forward: Permission denied

Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0 ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir

--
Knute Johnson
Molon Labe...

From shintaro.fujiwara at gmail.com Mon Nov 26 09:39:07 2007
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Mon, 26 Nov 2007 18:39:07 +0900
Subject: [ANN]segatex-4.00 released !
Message-ID:

Updated style and feel.
Works on Fedora 7,8.
Wrapped audit2allow and semodule.
Generates needed files in /root/segatex.
Can generate refpolicy-style module (now in test).
Can edit policies.
Can set permissive/enforcing.
sestatus always updated.
Refpolicy analyzing.
All you have to do is just push buttons.
Please read README.
Contributors are listed in a file.
Will be updated periodically.
--
Shintaro Fujiwara
segatex project (SELinux policy tool)
http://sourceforge.net/projects/segatex/
Home page http://intrajp.no-ip.com/
Blog http://intrajp.no-ip.com/nucleus/
CMS http://intrajp.no-ip.com/xoops/
Wiki http://intrajp.no-ip.com/pukiwiki/

From adam.huffman at gmail.com Mon Nov 26 13:34:58 2007
From: adam.huffman at gmail.com (Adam Huffman)
Date: Mon, 26 Nov 2007 13:34:58 +0000
Subject: Weird selinux problem with sendmail
In-Reply-To: <4748C5A2.23978.20AB858@knute.frazmtn.com>
References: <4748C5A2.23978.20AB858@knute.frazmtn.com>
Message-ID: <608c44bf0711260534y5d0a83abp378296975281ea92@mail.gmail.com>

On Nov 25, 2007 8:45 AM, Knute Johnson wrote:
> I loaded F8 onto my old mail server computer and started to
> reassemble it. But I'm getting a strange message from sendmail and a
> selinux avc to go with it. I do not have a .forward file and I have
> an almost identical system running that doesn't have one either and
> doesn't give any errors. I don't know if this is a sendmail problem
> or a selinux problem. The mail comes and goes OK. Any ideas?
>
> Thanks,
>
> knute...
>
> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> /home/knute/.forward.www: Permission denied
> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> /home/knute/.forward: Permission denied
>
> Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
> { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
> ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir

I don't have any ideas for solving it but I'm seeing very similar
messages, on a box upgraded from F7 to F8.

Adam

From mike.clarkson at baesystems.com Mon Nov 26 17:46:29 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Mon, 26 Nov 2007 09:46:29 -0800
Subject: mls file level
Message-ID:

When a process creates a file, by default the file has the same mls level
as the process. Is there a policy rule that can change the default
behavior? I'm looking for something similar to the range_transition rule
except that I want it to work for file level.

Thanks

From paul at city-fan.org Mon Nov 26 17:49:51 2007
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 26 Nov 2007 17:49:51 +0000
Subject: Weird selinux problem with sendmail
In-Reply-To: <4748C5A2.23978.20AB858@knute.frazmtn.com>
References: <4748C5A2.23978.20AB858@knute.frazmtn.com>
Message-ID: <474B073F.8000309@city-fan.org>

Knute Johnson wrote:
> I loaded F8 onto my old mail server computer and started to
> reassemble it. But I'm getting a strange message from sendmail and a
> selinux avc to go with it. I do not have a .forward file and I have
> an almost identical system running that doesn't have one either and
> doesn't give any errors. I don't know if this is a sendmail problem
> or a selinux problem. The mail comes and goes OK. Any ideas?
>
> Thanks,
>
> knute...
>
> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> /home/knute/.forward.www: Permission denied
> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> /home/knute/.forward: Permission denied
>
> Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
> { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
> ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir

This looks to be sendmail checking to see if you have a .forward file
and getting an SELinux denial when it does so. Since you don't have one,
the failure doesn't have an impact.

I don't know where the unconfined_home_dir_t comes from though. I'm
running F8 with targeted policy and the home directories are
user_home_dir_t rather than unconfined_home_dir_t.

What's the output of:

# sestatus

and:

# ls -lZ /home/knute

and:

# restorecon -Fv /home/knute

Paul.
From sds at tycho.nsa.gov Mon Nov 26 17:59:38 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 26 Nov 2007 12:59:38 -0500
Subject: mls file level
In-Reply-To:
References:
Message-ID: <1196099978.26679.8.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-11-26 at 09:46 -0800, Clarkson, Mike R (US SSA) wrote:
> When a process creates a file, by default the file has the same mls
> level as the process. Is there a policy rule that can change the default
> behavior? I'm looking for something similar to the range_transition rule
> except that I want it to work for file level.

If your checkpolicy and kernel support policy version 21, then you can
define range_transition statements with class specifiers, ala:

range_transition ;

--
Stephen Smalley
National Security Agency

From paulmcav at queda.net Mon Nov 26 19:10:14 2007
From: paulmcav at queda.net (Paul McAvoy)
Date: Mon, 26 Nov 2007 11:10:14 -0800
Subject: Question regarding: selinux / perl-cgi / iptables
Message-ID: <3d765ec40711261110k2a1ddcbcuf16acf6477c5fa6b@mail.gmail.com>

Hi,

I was wondering if anyone has information or can direct me to more details
on the following:

I have been using a perl cgi script on a personal web-server of mine to
control access to SSH. Essentially, it is a knock-knock system. I would go
to a specific URL with the cgi, enter some information, and the perl script
would add my ip address to the allowed list for SSH in the fire-wall.

I have been working on learning the details with SELinux, and trying to
come up with some rules to allow the script to work correctly. There
appears to be some kind of conflict either related to the script itself, or
being run through httpd and getting access to the IPTables command tools.

The CGI script (written in perl) is SUID root. Httpd runs the script. The
script will run the iptables command line tools to examine the table (to
see if the ip address is already allowed), and also to add a new ip address
to the allowed list.

My current method of trying to create the appropriate policy is to continue
testing the cgi-script, watching the audit log, and running audit2allow on
the selected audit messages.

My current policy is:

...
require {
	type modules_conf_t;
	type modules_dep_t;
	type sysctl_modprobe_t;
	type boot_t;
	type httpd_sys_script_t;
	type modules_object_t;
	class capability net_raw;
	class dir { getattr search };
	class file { read getattr };
	class rawip_socket { getopt create };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t boot_t:dir getattr;
allow httpd_sys_script_t modules_conf_t:file { read getattr };
allow httpd_sys_script_t modules_dep_t:file read;
allow httpd_sys_script_t modules_object_t:dir search;
allow httpd_sys_script_t self:capability net_raw;
allow httpd_sys_script_t self:rawip_socket { getopt create };
...

So, my question boils down to this: (I'm running Fedora Core 7)

Do I just continue running the audit2allow repeatedly to create a policy to
do what I want? Is there a better way to solve this problem? I am concerned
that just creating a policy to allow my script to run will create other
more substantial holes.

I am also open to creating a tool to update my iptables some other way.
Maybe perl-cgi is not the best method?

Thanks in advance for any information!

- Paul

--
Paul McAvoy
http://www.queda.net

From kwhiskerz at yahoo.ca Mon Nov 26 18:29:29 2007
From: kwhiskerz at yahoo.ca (kwhiskerz)
Date: Mon, 26 Nov 2007 11:29:29 -0700
Subject: selinux blocks lircmd
Message-ID: <200711261129.29938.kwhiskerz@yahoo.ca>

Dan might be working on it. At least he seemed to be before the
Thanksgiving week started (we only get one day).

The only way I have been able to get it working was to use selinux in
permissive... but that defeats the purpose, since it's only displaying
errors but not doing its job.

Hopefully this will be solved once and for all. The problem has existed
since selinux was first incorporated and resolution is long overdue.
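Added here as an example, not code from any message in this thread: a small Python triage pass over the kind of AVC records and audit2allow output Paul is iterating on. It parses raw denials (in either field order seen on this list) and `allow` lines, and flags grants a reviewer would want to justify before loading the module. The sample records are copied from messages in this thread; the risk table and the network-facing domain list are this example's own judgement, not Fedora policy.

```python
"""Triage audit2allow-style grants before loading them as a policy module.
Added example (not from any message in this thread)."""
import re
from collections import defaultdict

# Permissions whose grant deserves review before the module is loaded.
# This table is the example's own judgement, not Fedora policy.
RISKY = {
    "capability": {"net_raw", "net_admin", "sys_admin", "sys_module",
                   "dac_override", "setuid", "setgid", "sys_ptrace"},
    "rawip_socket": {"create"}, "packet_socket": {"create"},
    "file": {"execute_no_trans", "relabelfrom", "relabelto", "entrypoint"},
    "dir": {"relabelfrom", "relabelto"},
    "process": {"execmem", "execstack", "execheap", "ptrace"},
}

# Domains driven by unauthenticated network input: any new grant to them
# is worth a look, not only the "risky" ones.  Also the example's choice.
NETWORK_FACING = {"httpd_t", "httpd_sys_script_t"}

RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<set>[^}]*)\}|(?P<one>\w+))\s*;"
)

def type_of(context):
    """Extract the type from user:role:type[:range]; 'self' stays 'self'."""
    parts = context.strip('"').split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Return (perms, source_type, target_type, tclass) for a denial, or None.
    Field order differs between raw audit.log records and setroubleshoot's
    rendering, so key=value pairs are collected by name, not position."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*)\}", line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return (set(m.group(1).split()), type_of(fields["scontext"]),
            type_of(fields["tcontext"]), fields["tclass"])

def parse_rule(line):
    """Return (src, tgt, cls, perms) for one 'allow' statement, or None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    perms = set((m.group("set") or m.group("one")).split())
    return m.group("src"), m.group("tgt"), m.group("cls"), perms

def avc_to_rule(avc):
    """The rule audit2allow would emit for a denial ('self' when the target
    type equals the source type, as audit2allow prints it)."""
    perms, src, tgt, cls = avc
    return src, ("self" if tgt == src else tgt), cls, perms

def triage(rules):
    """Group rules by source domain; each entry carries its review reasons."""
    report = defaultdict(list)
    for src, tgt, cls, perms in rules:
        reasons = []
        risky = perms & RISKY.get(cls, set())
        if risky:
            reasons.append("risky permission(s): " + ", ".join(sorted(risky)))
        if src in NETWORK_FACING:
            reasons.append("source domain is reachable from the network")
        report[src].append((tgt, cls, frozenset(perms), reasons))
    return dict(report)

def triage_text(avc_lines, rule_text):
    """Triage a mix of raw AVC records and audit2allow output."""
    rules = [avc_to_rule(a) for a in map(parse_avc, avc_lines) if a]
    rules += [r for r in map(parse_rule, rule_text.splitlines()) if r]
    return triage(rules)

def flagged_domains(report):
    """Source domains with at least one grant that needs review."""
    return sorted(src for src, entries in report.items()
                  if any(reasons for _, _, _, reasons in entries))

# Sample input: records and audit2allow lines quoted in this thread.
SAMPLE_AVCS = [
    "avc: denied { search } for comm=sendmail dev=dm-0 euid=48 "
    "exe=/usr/sbin/sendmail.sendmail exit=-13 name=mail pid=4066 "
    "scontext=system_u:system_r:httpd_sys_script_t:s0 tclass=dir "
    "tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48",
    'audit(1195980055.494:277): avc: denied { getattr } for pid=7949 '
    'comm="sendmail" path="/home/knute" dev=dm-0 ino=262146 '
    'scontext=unconfined_u:system_r:sendmail_t:s0 '
    'tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir',
]
SAMPLE_RULES = """
allow httpd_sys_script_t boot_t:dir getattr;
allow httpd_sys_script_t modules_conf_t:file { read getattr };
allow httpd_sys_script_t self:capability net_raw;
allow httpd_sys_script_t self:rawip_socket { getopt create };
allow setfiles_t self:dir relabelfrom;
allow xdm_t ssh_agent_exec_t:file { read execute execute_no_trans };
"""

if __name__ == "__main__":
    for src, entries in sorted(triage_text(SAMPLE_AVCS, SAMPLE_RULES).items()):
        for tgt, cls, perms, reasons in entries:
            mark = "REVIEW" if reasons else "ok    "
            print(f"{mark} allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};",
                  *("\n       " + r for r in reasons))
```

Grants that come back marked REVIEW (here the net_raw capability and raw socket for httpd_sys_script_t, the relabel on setfiles_t, and the execute_no_trans on xdm_t) are the ones to justify or redesign around rather than load as-is.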
From knute at frazmtn.com Mon Nov 26 22:48:54 2007
From: knute at frazmtn.com (Knute Johnson)
Date: Mon, 26 Nov 2007 14:48:54 -0800
Subject: Weird selinux problem with sendmail
In-Reply-To: <608c44bf0711260534y5d0a83abp378296975281ea92@mail.gmail.com>
References: <4748C5A2.23978.20AB858@knute.frazmtn.com>, <608c44bf0711260534y5d0a83abp378296975281ea92@mail.gmail.com>
Message-ID: <474ADCD6.11922.F265B@knute.frazmtn.com>

> On Nov 25, 2007 8:45 AM, Knute Johnson wrote:
>> I loaded F8 onto my old mail server computer and started to
>> reassemble it. But I'm getting a strange message from sendmail and a
>> selinux avc to go with it. I do not have a .forward file and I have
>> an almost identical system running that doesn't have one either and
>> doesn't give any errors. I don't know if this is a sendmail problem
>> or a selinux problem. The mail comes and goes OK. Any ideas?
>>
>> Thanks,
>>
>> knute...
>>
>> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
>> /home/knute/.forward.www: Permission denied
>> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
>> /home/knute/.forward: Permission denied
>>
>> Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
>> { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
>> ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
>> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
>
> I don't have any ideas for solving it but I'm seeing very similar
> messages, on a box upgraded from F7 to F8.
>
> Adam

Well then by now it has probably resolved itself if you have done an
upgrade. Mine took about an hour after the upgrade to stop the messages.

--
Knute Johnson
Molon Labe...

From knute at frazmtn.com Mon Nov 26 22:48:54 2007
From: knute at frazmtn.com (Knute Johnson)
Date: Mon, 26 Nov 2007 14:48:54 -0800
Subject: Weird selinux problem with sendmail
In-Reply-To: <474B073F.8000309@city-fan.org>
References: <4748C5A2.23978.20AB858@knute.frazmtn.com>, <474B073F.8000309@city-fan.org>
Message-ID: <474ADCD6.27200.F262C@knute.frazmtn.com>

> Knute Johnson wrote:
>> I loaded F8 onto my old mail server computer and started to
>> reassemble it. But I'm getting a strange message from sendmail and a
>> selinux avc to go with it. I do not have a .forward file and I have
>> an almost identical system running that doesn't have one either and
>> doesn't give any errors. I don't know if this is a sendmail problem
>> or a selinux problem. The mail comes and goes OK. Any ideas?
>>
>> Thanks,
>>
>> knute...
>>
>> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
>> /home/knute/.forward.www: Permission denied
>> Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
>> /home/knute/.forward: Permission denied
>>
>> Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
>> { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
>> ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
>> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
>
> This looks to be sendmail checking to see if you have a .forward file
> and getting an SELinux denial when it does so. Since you don't have one,
> the failure doesn't have an impact.
>
> I don't know where the unconfined_home_dir_t comes from though. I'm
> running F8 with targeted policy and the home directories are
> user_home_dir_t rather than unconfined_home_dir_t.
>
> What's the output of:
>
> # sestatus
>
> and:
>
> # ls -lZ /home/knute
>
> and:
>
> # restorecon -Fv /home/knute
>
> Paul.

The problem resolved itself about an hour after I did a yum update.

--
Knute Johnson
Molon Labe...
From mstuff at read.org.nz Mon Nov 26 22:27:53 2007
From: mstuff at read.org.nz (Morgan Read)
Date: Tue, 27 Nov 2007 11:27:53 +1300
Subject: Weird selinux problem with sendmail
In-Reply-To: <608c44bf0711260534y5d0a83abp378296975281ea92@mail.gmail.com>
References: <4748C5A2.23978.20AB858@knute.frazmtn.com> <608c44bf0711260534y5d0a83abp378296975281ea92@mail.gmail.com>
Message-ID: <1196116060.3066.4.camel@morgansmachine.lan>

On Mon, 2007-11-26 at 13:34 +0000, Adam Huffman wrote:
> On Nov 25, 2007 8:45 AM, Knute Johnson wrote:
> > I loaded F8 onto my old mail server computer and started to
> > reassemble it. But I'm getting a strange message from sendmail and a
> > selinux avc to go with it. I do not have a .forward file and I have
> > an almost identical system running that doesn't have one either and
> > doesn't give any errors. I don't know if this is a sendmail problem
> > or a selinux problem. The mail comes and goes OK. Any ideas?
> >
> > Thanks,
> >
> > knute...
> >
> > Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> > /home/knute/.forward.www: Permission denied
> > Nov 25 00:32:39 www sendmail[7802]: lAP8Wche007801: forward
> > /home/knute/.forward: Permission denied
> >
> > Nov 25 00:40:55 www kernel: audit(1195980055.494:277): avc: denied
> > { getattr } for pid=7949 comm="sendmail" path="/home/knute" dev=dm-0
> > ino=262146 scontext=unconfined_u:system_r:sendmail_t:s0
> > tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir

(I'd like to jump in here - I was about to file a bug against sendmail, but
thought I'd check the lists first!)

I have a similar looking problem after moving to f8 and setting up my
/etc/aliases so that user "morgan" is the person that should get root's
mail (as I have done previously). Similar ref to unconfined_home_dir_t - but
I know little about this stuff. I'm not getting my mail.

I've copied at bottom three example selinux_alerts, the most recent from
each of three streams of alerts I seem to be accumulating in the
"setroubleshoot browser".

Hope this helps, and I'm interested in any answers.

Regards,
M.

selinux_alert_22-11-07-1.45

Summary
SELinux is preventing sendmail (sendmail_t) "getattr" to /home/morgan (unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /home/morgan, restorecon -v /home/morgan If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         system_u:system_r:sendmail_t
Target Context         unconfined_u:object_r:unconfined_home_dir_t
Target Objects         /home/morgan [ dir ]
Affected RPM Packages
Policy RPM             selinux-policy-3.0.8-56.fc8
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.catchall_file
Host Name              morgansmachine.lan
Platform               Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count            2
First Seen             Wed 21 Nov 2007 09:50:53 AM NZDT
Last Seen              Thu 22 Nov 2007 01:45:01 PM NZDT
Local ID               33456cfd-f6bf-4857-8690-f681680cd24c
Line Numbers

Raw Audit Messages
avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=14769 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0

selinux_alert_27-11-07-9.45

Summary
SELinux is preventing sendmail (sendmail_t) "search" to (unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for , restorecon -v If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         system_u:system_r:sendmail_t
Target Context         unconfined_u:object_r:unconfined_home_dir_t
Target Objects         None [ dir ]
Affected RPM Packages
Policy RPM             selinux-policy-3.0.8-56.fc8
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.catchall_file
Host Name              morgansmachine.lan
Platform               Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count            5
First Seen             Wed 21 Nov 2007 09:50:53 AM NZDT
Last Seen              Tue 27 Nov 2007 09:45:51 AM NZDT
Local ID               b60f5a23-575f-4489-89c7-ab71e8be786d
Line Numbers

Raw Audit Messages
avc: denied { search } for comm=sendmail dev=dm-1 name=morgan pid=5918 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0

selinux_alert_27-11-07-10.10

Summary
SELinux is preventing sendmail (sendmail_t) "getattr" to /home/morgan (unconfined_home_dir_t).

Detailed Description
SELinux denied access requested by sendmail. /home/morgan may be mislabeled. /home/morgan default SELinux type is user_home_dir_t, while its current type is unconfined_home_dir_t. Changing this file back to the default type may fix your problem. File contexts can get assigned to a file in the following ways:
  • Files created in a directory recieve the file context of the parent directory by default.
  • Users can change the file context on a file using tools like chcon, or restorecon.
  • The kernel can decide via policy that an application running as context A Creating a file in a directory labeled B will create files labeled C.
This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. Of course this could also indicate a bug in SELinux, in that the file should not be labeled with this type. If you believe this is a bug, please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Allowing Access You can restore the default system context to this file by executing the restorecon command. restorecon /home/morgan, if this file is a directory, you can recursively restore using restorecon -R /home/morgan. The following command will allow this access: restorecon /home/morgan Additional Information Source Context system_u:system_r:sendmail_t Target Context unconfined_u:object_r:unconfined_home_dir_t Target Objects /home/morgan [ dir ] Affected RPM Packages Policy RPM selinux-policy-3.0.8-56.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.restorecon Host Name morgansmachine.lan Platform Linux morgansmachine.lan 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686 Alert Count 9 First Seen Fri 23 Nov 2007 07:04:40 PM NZDT Last Seen Tue 27 Nov 2007 10:10:04 AM NZDT Local ID 96c556ec-4c09-4641-90d0-8c4be7082c66 Line Numbers Raw Audit Messages avc: denied { getattr } for comm=sendmail dev=dm-1 path=/home/morgan pid=7760 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 -- Getting errors: "There are problems with the signature" (or similar)? Update your system by installing certificates from CAcert Inc, see here: http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b Or, if Internet Explorer is your default browser, simply click this link: http://www.cacert.org/index.php?id=17 Morgan Read NEW ZEALAND fedora: Freedom Forever! 
http://fedoraproject.org/wiki/Overview "By choosing not to ship any proprietary or binary drivers, Fedora does differ from other distributions. ..." Quote: Max Spevik http://interviews.slashdot.org/article.pl?sid=06/08/17/177220 RMS on fedora: http://fedoraproject.org/wiki/FreeSoftwareAnalysis/FSF From olivares14031 at yahoo.com Tue Nov 27 01:21:34 2007 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Mon, 26 Nov 2007 17:21:34 -0800 (PST) Subject: SELinux is preventing gdm (xdm_t) "execute" to (rpm_exec_t). et ALL Message-ID: <863792.85130.qm@web52610.mail.re2.yahoo.com> Dear all, I have been applying the updates and still setroubleshoot pops up and gives the messages: Summary SELinux is preventing gdm (xdm_t) "execute" to (rpm_exec_t). Detailed Description SELinux denied access requested by gdm. It is not expected that this access is required by gdm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for , restorecon -v If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. 
Additional Information Source Context system_u:system_r:xdm_t:SystemLow-SystemHigh Target Context system_u:object_r:rpm_exec_t Target Objects None [ file ] Affected RPM Packages Policy RPM selinux-policy-3.0.8-44.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name localhost Platform Linux localhost 2.6.24-0.42.rc3.git1.fc9 #1 SMP Sat Nov 24 05:51:18 EST 2007 i686 athlon Alert Count 9010 First Seen Sun 11 Nov 2007 09:11:06 AM CST Last Seen Mon 26 Nov 2007 07:17:44 PM CST Local ID f3168196-46ac-4951-ab61-b3b218534bb2 Line Numbers Raw Audit Messages avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=22631 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:rpm_exec_t:s0 Summary SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm (rpm_exec_t). Detailed Description SELinux denied access requested by gdm. It is not expected that this access is required by gdm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /bin/rpm, restorecon -v /bin/rpm If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. 
Additional Information Source Context system_u:system_r:xdm_t:SystemLow-SystemHigh Target Context system_u:object_r:rpm_exec_t Target Objects /bin/rpm [ file ] Affected RPM Packages rpm-4.4.2.2-11.fc9 [target] Policy RPM selinux-policy-3.0.8-44.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name localhost Platform Linux localhost 2.6.24-0.42.rc3.git1.fc9 #1 SMP Sat Nov 24 05:51:18 EST 2007 i686 athlon Alert Count 4515 First Seen Sun 11 Nov 2007 09:11:06 AM CST Last Seen Mon 26 Nov 2007 10:38:27 AM CST Local ID e1676a84-c6d0-45b8-97d7-c7cae2d755c1 Line Numbers Raw Audit Messages avc: denied { getattr } for comm=gdm dev=dm-0 path=/bin/rpm pid=3871 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:rpm_exec_t:s0 I have done what it recommends for me to do, however, the warnings continue. [root at localhost ~]# restorecon -v /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/sbcl. [root at localhost ~]# restorecon -v /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/sbcl. [root at localhost ~]# restorecon -v /bin/rpm /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/sbcl. [root at localhost ~]# restorecon -v /bin/rpm /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/bin/sbcl. [root at localhost ~]# [root at localhost ~]# yum list updates Loading "skip-broken" plugin Loading "refresh-updatesd" plugin development 100% |=========================| 2.1 kB 00:00 texlive 100% |=========================| 951 B 00:00 [root at localhost ~]# does not list any for selinux, selinux-policy's etc. What should I do? Regards, Antonio 
From mike.clarkson at baesystems.com Tue Nov 27 16:36:39 2007 From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA)) Date: Tue, 27 Nov 2007 08:36:39 -0800 Subject: policy compile error Message-ID: I just downloaded the policy source from redhat (serefpolicy-2.4.6) and attempted to build a strict-mls loadable module policy and got the following compile error: Compiling mls base module /usr/bin/checkmodule -M base.conf -o tmp/base.mod /usr/bin/checkmodule: loading policy configuration from base.conf policy/modules/kernel/domain.te:174:ERROR 'unknown type ipsec_spd_t' at token ';' on line 10298: allow domain ipsec_spd_t:association polmatch; #line 174 /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/base.mod] Error 1 Here is the offending portion of domain.te: ifdef(`enable_mls',` tunable_policy(`allow_netlabel',` kernel_raw_recvfrom_unlabeled(domain) kernel_tcp_recvfrom_unlabeled(domain) kernel_udp_recvfrom_unlabeled(domain) ') tunable_policy(`allow_ipsec_label',` ipsec_labeled(domain) ') ') Since domain is a base module and ipsec is a loadable module, doesn't the call to the ipsec_labeled interface need to be wrapped in an optional_policy statement? Since nesting conditional statements isn't supported, I had to comment out the tunable_policy statement to get this to compile: #tunable_policy(`allow_ipsec_label',` optional_policy(` ipsec_labeled(domain) ') #') What's the right fix for this? From mike.clarkson at baesystems.com Wed Nov 28 01:33:50 2007 From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA)) Date: Tue, 27 Nov 2007 17:33:50 -0800 Subject: unconfined_domtrans_to strict equivalent Message-ID: I'm in the process of converting from a targeted-mls to a strict-mls policy. In the targeted policy, when users log in they enter into the unconfined_t domain. 
Therefore several of my domains, which are started up from the unconfined_t domain, use the unconfined_domtrans_to interface to allow automatic domain transitions from the unconfined domain to my domains. After converting, these domains will be started from one of the user domains defined in the strict policy (either staff_t or sysadm_t). I've searched through the userdomain.if file but haven't found an equivalent interface to unconfined_domtrans_to. Can someone point me in the right direction? Thanks From rgsalisbury at exemail.com.au Wed Nov 28 03:12:38 2007 From: rgsalisbury at exemail.com.au (Roger Salisbury) Date: Wed, 28 Nov 2007 14:12:38 +1100 Subject: selinux out smarted itself. "Multiple different specifications" One FILE But two types labeled ------------- (system_u:object_r:home_root_t:s0 and system_u:object_r:boot_t:s0). Message-ID: <020001c8316c$88498e10$8b00a8c0@rogersxp> ----------- a challenge for selinux------------ Hi fellow selinux users ... How can you fix labeling when the selinux tools don't allow you to? Selinux commands complain & refuse to work. Traditional selinux commands don't work, i.e. chcon, restorecon, fixfiles, setfiles etc. I need an *expert* here, .......... PROBLEM is: my /boot directory has :boot_t: and :home_root_t: .......... together labeled --- see below, and I can't fix it. Do we have to edit the "inode" directly?? Having two types on one file I believe should *never* happen, but it has. It should be one (":boot_t:") or the other (":home_root_t:") but never *both*! I think I know how it happened, but that's not the issue right now: how do you fix it?? The security of selinux normally is designed to prevent ad hoc changes, so this is why it is difficult... but with the root password there would be a solution somehow. Thx Roger Salisbury Below is the setfiles display: /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /boot/lost\+found/.*. 
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /boot (system_u:object_r:home_root_t:s0 and system_u:object_r:boot_t:s0). /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /boot/\.journal. /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /boot/lost\+found. setfiles: labeling files under /boot setfiles: labeling files under /boot matchpathcon_filespec_eval: hash table stats: 28 elements, 28/65536 buckets used, longest chain length 1 setfiles: Done. From rgsalisbury at exemail.com.au Wed Nov 28 03:14:44 2007 From: rgsalisbury at exemail.com.au (Roger Salisbury) Date: Wed, 28 Nov 2007 14:14:44 +1100 Subject: Question --- can this list be viewed online via a web browser?? (fedora-selinux-list-request@redhat.com) Message-ID: <020d01c8316c$d2f85c20$8b00a8c0@rogersxp> Just new to the list : fedora-selinux-list at redhat.com Question --- can this list be viewed online via a web browser?? If so it is not obvious during signup. Thx Roger 
From spng.yang at gmail.com Wed Nov 28 05:18:38 2007 From: spng.yang at gmail.com (Ken YANG) Date: Wed, 28 Nov 2007 13:18:38 +0800 Subject: [Bug] about the bug with semanage Message-ID: <474CFA2E.5090709@gmail.com> hi selinuxers: Several days ago, I remember someone reported a bug about semanage in a non-English locale: -(:11:30:$)-> locale LANG=zh_CN.UTF-8 LC_CTYPE="zh_CN.UTF-8" LC_NUMERIC="zh_CN.UTF-8" LC_TIME="zh_CN.UTF-8" LC_COLLATE="zh_CN.UTF-8" LC_MONETARY="zh_CN.UTF-8" LC_MESSAGES="zh_CN.UTF-8" LC_PAPER="zh_CN.UTF-8" LC_NAME="zh_CN.UTF-8" LC_ADDRESS="zh_CN.UTF-8" LC_TELEPHONE="zh_CN.UTF-8" LC_MEASUREMENT="zh_CN.UTF-8" LC_IDENTIFICATION="zh_CN.UTF-8" LC_ALL= -(yangshao at NZzi:pts/4)--------------------(~)-(3/133)- -(:13:17:$)-> sudo semanage login -l /usr/sbin/semanage: ascii -(:11:02:$)-> LANG=C sudo semanage login -l Login Name SELinux User MLS/MCS Range __default__ system_u s0 root root -s0:c0.c255 system_u system_u SystemLow-SystemHigh I notice this bug is fixed in F9 rawhide, but F8 is not. From selinux at gmail.com Wed Nov 28 15:11:24 2007 From: selinux at gmail.com (Tom London) Date: Wed, 28 Nov 2007 07:11:24 -0800 Subject: yum update failure for selinux-policy-targeted-3.1.2-1.fc9.noarch.rpm Message-ID: <4c4ba1530711280711g7ca9d62dmbd13ff3549ad23bf@mail.gmail.com> Doing a 'yum update' of today's Rawhide, I get a freeze at updating selinux-policy-targeted. 
Killing this (after about 30 minutes), and running 'rpm -Uvh --force selinux-policy-targeted-3.1.2-1.fc9.noarch.rpm'), I get scads of messages like the following: libsepol.check_assertion_helper: assertion on line 0 violated by allow unconfined_crond_t user_chkpwd_t:process { fork sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate }; libsepol.check_assertion_helper: assertion on line 0 violated by allow unconfined_crond_t calamaris_t:process { fork sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate }; libsepol.check_assertion_helper: assertion on line 0 violated by allow unconfined_crond_t mailman_queue_t:process { fork sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh setcurrent setkeycreate setsockcreate }; libsepol.check_assertion_helper: assertion on line 0 violated by allow rpm_script_t unconfined_crond_t:process { sigchld }; libsepol.check_assertions: 426 assertion violations occured libsemanage.semanage_expand_sandbox: Expand module failed semodule: Failed! [root at localhost packages]# tom -- Tom London From selinux at gmail.com Wed Nov 28 18:50:15 2007 From: selinux at gmail.com (Tom London) Date: Wed, 28 Nov 2007 10:50:15 -0800 Subject: yum update failure for selinux-policy-targeted-3.1.2-1.fc9.noarch.rpm In-Reply-To: <4c4ba1530711280711g7ca9d62dmbd13ff3549ad23bf@mail.gmail.com> References: <4c4ba1530711280711g7ca9d62dmbd13ff3549ad23bf@mail.gmail.com> Message-ID: <4c4ba1530711281050j33e3a750tae5ceb35a8f37225@mail.gmail.com> Looks like selinux-policy-targeted-3.1.2-2.fc9.noarch.rpm fixes this. Thanks! 
tom [root at localhost Downloads]# rpm -Uvh selinux*3.1.2-2* Preparing... ########################################### [100%] 1:selinux-policy ########################################### [ 33%] 2:selinux-policy-devel ########################################### [ 67%] 3:selinux-policy-targeted########################################### [100%] libsepol.sepol_genbools_array: boolean allow_java_execstack no longer in policy libsepol.sepol_genbools_array: boolean allow_mounton_anydir no longer in policy libsepol.sepol_genbools_array: boolean allow_tftp_anon_write no longer in policy libsepol.sepol_genbools_array: boolean allow_unconfined_exec_content no longer in policy libsepol.sepol_genbools_array: boolean allow_unlabeled_packets no longer in policy libsepol.sepol_genbools_array: boolean mail_read_content no longer in policy [root at localhost Downloads]# -- Tom London From aleksander.adamowski.fedora at altkom.pl Wed Nov 28 20:16:19 2007 From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski) Date: Wed, 28 Nov 2007 21:16:19 +0100 Subject: RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context" Message-ID: <474DCC93.8000401@altkom.pl> Hi! I'm using selinux-policy-strict-2.4.6-30.el5. I've added a job to apache's crontab (crontab -e -u apache). Now I can see those errors in /var/log/cron: crond[27249]: (apache) Unauthorized SELinux context, but SELinux in permissive mode, continuing (cron/apache) crond[29358]: (apache) NULL security context for user, but SELinux in permissive mode, continuing () Google search found a suggestion that FC6 cron policy is broken, resulting in similar symptoms (but for root instead of apache user), but what about RHEL5? I've also added a simple apache cronjob that simply writes output from "id -Z" to a file in /tmp and it has written the following context data: root:system_r:crond_t:SystemLow-SystemHigh Why is the user root? Shouldn't it be user_u or system_u or something like that? 
-- Best Regards, Aleksander Adamowski GG#: 274614 ICQ UIN: 19780575 http://olo.org.pl From sds at tycho.nsa.gov Wed Nov 28 20:37:14 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 28 Nov 2007 15:37:14 -0500 Subject: RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context" In-Reply-To: <474DCC93.8000401@altkom.pl> References: <474DCC93.8000401@altkom.pl> Message-ID: <1196282234.13820.74.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2007-11-28 at 21:16 +0100, Aleksander Adamowski wrote: > Hi! > > I'm using selinux-policy-strict-2.4.6-30.el5. > > I've added a job to apache's crontab (crontab -e -u apache). > > Now I can see those errors in /var/log/cron: > > crond[27249]: (apache) Unauthorized SELinux context, but SELinux in > permissive mode, continuing (cron/apache) > crond[29358]: (apache) NULL security context for user, but SELinux in > permissive mode, continuing () > > > Google search found a suggestion that FC6 cron policy is broken, > resulting in similar symptoms (but for root instead of apache user), but > what about RHEL5? > > I've also added a simple apache cronjob that simply writes output from > "id -Z" to a file in /tmp and it has written the following context data: > > root:system_r:crond_t:SystemLow-SystemHigh > > Why is the user root? Shouldn't it be user_u or system_u or something > like that? Sounds like it just stayed in crond's context since it failed the check and the system was permissive. Naturally, in enforcing mode, it would have not executed the job at all. crond computes a context for the user's cron job in the usual manner, then applies an entrypoint permission check between that context and the file context on the crontab file (which gets picked up from a combination of its creator and the parent directory). If that check fails, then crond refuses to execute the crontab commands in that process context. 
The check is intended to prevent injection of commands from one context into another via crontab, unless authorized by policy of course. I'd have expected it to try to run the cron job in user_u:user_r: user_crond_t:s0 since apache wouldn't have a specific entry in seusers. So it would have wanted the crontab file to have user_cron_spool_t on it, which would have happened if a user_t process created it. If instead an admin created it and it got sysadm_cron_spool_t or staff_cron_spool_t, that might explain it. So you could relabel it or allow that permission. First though check the current label on the crontab file. -- Stephen Smalley National Security Agency From paul at city-fan.org Thu Nov 29 00:10:36 2007 From: paul at city-fan.org (Paul Howarth) Date: Thu, 29 Nov 2007 00:10:36 +0000 Subject: Question --- can this list be viewed online via a web browser?? (fedora-selinux-list-request@redhat.com) In-Reply-To: <020d01c8316c$d2f85c20$8b00a8c0@rogersxp> References: <020d01c8316c$d2f85c20$8b00a8c0@rogersxp> Message-ID: <20071129001036.710aefe9@metropolis.intra.city-fan.org> On Wed, 28 Nov 2007 14:14:44 +1100 "Roger Salisbury" wrote: Just new to the list : > fedora-selinux-list at redhat.com > Question --- can this list be viewed online via a web browser?? It's archived in several places: http://www.redhat.com/archives/fedora-selinux-list/ http://www.opensubscriber.com/messages/fedora-selinux-list at redhat.com/topic.html http://marc.info/?l=fedora-selinux-list&r=1&w=2 http://blog.gmane.org/gmane.linux.redhat.fedora.selinux Cheers, Paul. 
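The "Multiple same specifications" noise in Antonio's restorecon output, the "Multiple different specifications for /boot" warning in Roger's setfiles output, and the mislabeled /home/morgan in Morgan's sealert output all come from the same mechanism: setfiles, restorecon and matchpathcon walk file_contexts, and the last entry whose anchored regex (and optional file-type flag) matches the path decides the label. The block below is an added example, written for this page and not taken from the list, from libselinux or from the policy package; it models that matching in Python against a constructed file_contexts excerpt and a constructed set of current labels, reproduces the two warnings, and lists what restorecon (comparing types only, as it does without -F) would relabel. The real libselinux also keeps per-stem spec tables and appends file_contexts.homedirs and file_contexts.local; those details are omitted here and the sample entries are assumptions, not the shipped policy.

```python
import re
from collections import namedtuple

Spec = namedtuple("Spec", "regex mode context")

# Constructed file_contexts excerpt, NOT a real policy file. Each line is
#   regex  [-mode]  context          (-d directory, -- regular file, -s socket ...)
# Entries are in file order. Like setfiles/matchpathcon, the LAST matching
# entry wins, so the catch-all "/.*" comes first. The duplicated lines and
# the trailing /boot line are deliberate, to trigger the warnings.
SAMPLE_FILE_CONTEXTS = r"""
/.*                        system_u:object_r:default_t:s0
/boot                -d    system_u:object_r:boot_t:s0
/boot/.*                   system_u:object_r:boot_t:s0
/boot/lost\+found/.*       <<none>>
/boot/lost\+found/.*       <<none>>
/home                -d    system_u:object_r:home_root_t:s0
/home/[^/]*          -d    unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]*/.+             unconfined_u:object_r:user_home_t:s0
/usr/bin/sbcl        --    system_u:object_r:bin_t:s0
/usr/bin/sbcl        --    system_u:object_r:bin_t:s0
/boot                -d    system_u:object_r:home_root_t:s0
"""

MODE_FLAGS = {"-d": "d", "--": "f", "-s": "s", "-l": "l", "-b": "b", "-c": "c", "-p": "p"}


def parse_file_contexts(text):
    """Parse spec lines into Spec tuples, keeping file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            mode = MODE_FLAGS[flag]
        else:
            regex, context = fields
            mode = None                      # no flag: matches any file type
        specs.append(Spec(regex, mode, context))
    return specs


def duplicate_warnings(specs):
    """Reproduce the 'Multiple same/different specifications' checks that
    setfiles and restorecon print when two entries share regex and mode."""
    warnings = []
    for i, a in enumerate(specs):
        for b in specs[i + 1:]:
            if a.regex == b.regex and a.mode == b.mode:
                if a.context == b.context:
                    warnings.append("Multiple same specifications for %s." % a.regex)
                else:
                    warnings.append("Multiple different specifications for %s (%s and %s)."
                                    % (a.regex, a.context, b.context))
    return warnings


def resolve(specs, path, ftype="f"):
    """Context the last matching spec assigns to path; None when nothing
    matches or the winning spec is <<none>> (leave the file alone)."""
    for spec in reversed(specs):
        if spec.mode is not None and spec.mode != ftype:
            continue
        if re.fullmatch(spec.regex, path):       # specs are anchored at both ends
            return None if spec.context == "<<none>>" else spec.context
    return None


def type_of(context):
    return context.split(":")[2]


def find_mislabels(specs, observed):
    """observed: {(path, ftype): current_context}. Compare types only, as
    restorecon does without -F, and return what it would relabel."""
    out = []
    for (path, ftype), current in observed.items():
        want = resolve(specs, path, ftype)
        if want is not None and type_of(want) != type_of(current):
            out.append((path, type_of(current), type_of(want)))
    return out


# Constructed current labels modelled on the thread (not real ls -Z output).
OBSERVED = {
    ("/home/morgan", "d"): "unconfined_u:object_r:unconfined_home_dir_t:s0",
    ("/home/morgan/.bashrc", "f"): "unconfined_u:object_r:user_home_t:s0",
    ("/boot/vmlinuz", "f"): "system_u:object_r:boot_t:s0",
}

if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for w in duplicate_warnings(specs):
        print("file_contexts:", w)
    for path, cur, want in find_mislabels(specs, OBSERVED):
        print("would relabel %s from %s to %s" % (path, cur, want))
```

Two things worth noticing when running it: a "Multiple same specifications" pair is harmless, because both entries yield the same answer, whereas for "Multiple different specifications" the later entry silently wins (here /boot resolves to home_root_t, which is the ambiguity Roger is asking about); and a path under a directory the policy has no entry for, such as a home root outside /home, falls through to the catch-all and gets default_t, which no amount of restorecon fixes until a matching spec exists.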
From aleksander.adamowski.fedora at altkom.pl Thu Nov 29 00:10:58 2007 From: aleksander.adamowski.fedora at altkom.pl (Aleksander Adamowski) Date: Thu, 29 Nov 2007 01:10:58 +0100 Subject: RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context" In-Reply-To: <1196282234.13820.74.camel@moss-spartans.epoch.ncsc.mil> References: <474DCC93.8000401@altkom.pl> <1196282234.13820.74.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <474E0392.6020805@altkom.pl> Stephen Smalley writes: > On Wed, 2007-11-28 at 21:16 +0100, Aleksander Adamowski wrote: > >> crond[27249]: (apache) Unauthorized SELinux context, but SELinux in >> permissive mode, continuing (cron/apache) >> crond[29358]: (apache) NULL security context for user, but SELinux in >> permissive mode, continuing () >> > > Sounds like it just stayed in crond's context since it failed the check > and the system was permissive. Naturally, in enforcing mode, it would > have not executed the job at all. > > crond computes a context for the user's cron job in the usual manner, > then applies an entrypoint permission check between that context and the > file context on the crontab file (which gets picked up from a > combination of its creator and the parent directory). If that check > fails, then crond refuses to execute the crontab commands in that > process context. The check is intended to prevent injection of commands > from one context into another via crontab, unless authorized by policy > of course. > That's reasonable. > I'd have expected it to try to run the cron job in user_u:user_r: > user_crond_t:s0 since apache wouldn't have a specific entry in seusers. > So it would have wanted the crontab file to have user_cron_spool_t on > it, which would have happened if a user_t process created it. If > instead an admin created it and it got sysadm_cron_spool_t or > staff_cron_spool_t, that might explain it. So you could relabel it or > allow that permission. 
First though check the current label on the > crontab file. > Yes, you're right. That was precisely the cause. I've used "crontab -e -u apache" as root. The files in /var/spool/cron got sysadm_cron_spool_t type (the full context was root:object_r:sysadm_cron_spool_t). After running "fixfiles relabel /var/spool/cron/", the apache crontab got system_u:object_r:user_cron_spool_t. Now cron runs fine and doesn't log anything suspicious. IMHO crontab should be modified to relabel crontab files that are edited using the "-u" option, but this is a question to Dan - should I file a new bug to bugzilla.redhat.com on this? -- Best Regards, Aleksander Adamowski GG#: 274614 ICQ UIN: 19780575 http://olo.org.pl From spng.yang at gmail.com Thu Nov 29 06:42:03 2007 From: spng.yang at gmail.com (Ken YANG) Date: Thu, 29 Nov 2007 14:42:03 +0800 Subject: [Bug] some problems about setroubleshoot Message-ID: <474E5F3B.7080704@gmail.com> hi all: in my F8 (updated) with setroubleshoot: setroubleshoot-1.10.7-1.fc8.noarch my setroubleshoot often closes the connection: connection lost on /var/run/setroubleshoot/setroubleshoot_server I found an error message in the setroubleshoot log: 2007-11-29 10:02:41,561 [email.WARNING] ???????????? /var/lib/setroubleshoot/email_alert_recipients, No such file or directory in English is: 2007-11-29 10:02:41,561 [email.WARNING] can not open file: /var/lib/setroubleshoot/email_alert_recipients, No such file or directory and after I restart setroubleshoot $ sudo service setroubleshoot restart ???? setroubleshootd?? [OK] ???? setroubleshootd?? [OK] I got: /var/lib/setroubleshoot/audit_listener_database.xml:570: parser error : Input is not proper UTF-8, indicate encoding ! Bytes: 0xDF 0x20 0xE8 0xAE ?????????? ? ???????????????????????? restorecon -v Hi, After an install of F8 I have a problem with pre-existing user directories. I did a full install of F8 with SELinux in enforcing mode and kept my existing user directories in /users. 
At the end of the install I did a "fixfiles relabel". Now when I try to login to my account I'm told that my home directory does not exist. It does. The problem appears to be SELinux because when I disable it everything works. Some info: ls -alZ /home/testacc ( account created during the install ) drwx------ testacc testacc system_u:object_r:user_home_dir_t . drwxr-xr-x root root system_u:object_r:home_root_t .. -rw-r--r-- testacc testacc system_u:object_r:user_home_t .bash_logout .... ls -alZ /users/molloyt ( my home directory ) drwx------ molloyt csstaff system_u:object_r:default_t . drwxr-xr-x root root system_u:object_r:default_t .. -rw-r--r-- molloyt csstaff user_u:object_r:default_t 3rd-monday .... The SELinux permissions on the home directory, the owning directory and the contents of the home directory are wrong. So two questions: 1. how can I reset the permissions? 2. was the problem caused by the "fixfiles relabel" which I did at the end of the install? If I had unmounted the /users partition before I did that, would I have been OK? Thanks, Tony From jdennis at redhat.com Thu Nov 29 15:09:27 2007 From: jdennis at redhat.com (John Dennis) Date: Thu, 29 Nov 2007 10:09:27 -0500 Subject: [Bug] some problems about setroubleshoot In-Reply-To: <474E5F3B.7080704@gmail.com> References: <474E5F3B.7080704@gmail.com> Message-ID: <474ED627.3000108@redhat.com> Ken YANG wrote: > > hi all: > > in my F8(update) with setroubleshoot: > > setroubleshoot-1.10.7-1.fc8.noarch > > my setroubleshoot often close connect: > > connection lost on /var/run/setroubleshoot/setroubleshoot_server > > i found a error message in setroubleshoot log: > > 2007-11-29 10:02:41,561 [email.WARNING] ???????????? 
> /var/lib/setroubleshoot/email_alert_recipients, No such file or directory > > in english is: > > 2007-11-29 10:02:41,561 [email.WARNING] can not open file: > /var/lib/setroubleshoot/email_alert_recipients, No such file or directory > > > and after i restart setroubleshoot > > $ sudo service setroubleshoot restart > ???? setroubleshootd?? [OK] > ???? setroubleshootd?? [OK] > > > i got: > > /var/lib/setroubleshoot/audit_listener_database.xml:570: parser error : > Input is not proper UTF-8, indicate encoding ! > Bytes: 0xDF 0x20 0xE8 0xAE > ?????????? ? ???????????????????????? restorecon -v > in english is: > > /var/lib/setroubleshoot/audit_listener_database.xml:570: parser error : > Input is not proper UTF-8, indicate encoding ! > Bytes: 0xDF 0x20 0xE8 0xAE > If you want to access this file??you should use restorecon -v < unknown > > above english error messages is translated by me, not setroubleshoot > original error messages. > > because i doubt that the error is caused by chinese locale, so i keep > the "chinese error message" from setroubleshoot. My system runs in > LANG=zh_CN.UTF-8 > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Please file a bug report at http://bugzilla.redhat.com under the setroubleshoot component. The message about email_alert_recipients is a non-issue. It appears as though a bad Chinese translation has been entered into the alert database. This occurs because the setroubleshoot-plugins (separate package) have translations for each alert. When the alert fires the translation from your locale is copied into your alert database. It looks like the .po file has bad UTF-8. When you file the bug report please attach the /var/lib/setroubleshoot/audit_listener_database.xml file and specify the rpm versions of setroubleshoot, setroubleshoot-server, and setroubleshoot-plugins and the locale your system is set to. 
Thank you -- John Dennis From speichertechniken at yahoo.de Fri Nov 30 00:52:29 2007 From: speichertechniken at yahoo.de (Harald Beugler-Bell) Date: Fri, 30 Nov 2007 00:52:29 +0000 (GMT) Subject: AW: RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context" Message-ID: <783545.32918.qm@web27710.mail.ukl.yahoo.com> I got a similar problem when trying to run cron as root. It looks like selinux is unable to get the correct user context of the crond process crond[5587]: (*system*) NULL security context for user () crond[5587]: CRON (root) ERROR: failed to change SELinux context crond[5587]: CRON (root) ERROR: cannot set security context The file context of the cron file is set according to the default context: $ ls -lZ /etc/cron.d/testing-cron -rw-r--r-- root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d/testing-cron $ ps -efZ | grep crond staff_u:system_r:crond_t:s0 root 14922 1 0 00:19 ? 00:00:00 /usr/sbin/crond start $ /usr/sbin/semanage login -l | egrep "root|system" root root s0-s0:c0.c1023 system_u system_u s0-s0:c0.c1023 bash-3.1# cat /etc/redhat-release Red Hat Enterprise Linux Server release 5 (Tikanga) vixie-cron-4.1-66.1.el5 libselinux-1.33.4-2.el5 libselinux-python-1.33.4-2.el5 selinux-policy-strict-2.4.6-79.el5 selinux-policy-2.4.6-79.el5 any help is welcome. thanks Hari ----- Original Message ---- From: Aleksander Adamowski To: fedora-selinux-list at redhat.com Sent: Wednesday, 28 November 2007, 16:10:58 Subject: Re: RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context" Stephen Smalley writes: > On Wed, 2007-11-28 at 21:16 +0100, Aleksander Adamowski wrote: > >> crond[27249]: (apache) Unauthorized SELinux context, but SELinux in >> permissive mode, continuing (cron/apache) >> crond[29358]: (apache) NULL security context for user, but SELinux in >> permissive mode, continuing () >> > > Sounds like it just stayed in crond's context since it failed the check > and the system was permissive. 
Naturally, in enforcing mode, it would > have not executed the job at all. > > crond computes a context for the user's cron job in the usual manner, > then applies an entrypoint permission check between that context and the > file context on the crontab file (which gets picked up from a > combination of its creator and the parent directory). If that check > fails, then crond refuses to execute the crontab commands in that > process context. The check is intended to prevent injection of commands > from one context into another via crontab, unless authorized by policy > of course. > That's reasonable. > I'd have expected it to try to run the cron job in user_u:user_r: > user_crond_t:s0 since apache wouldn't have a specific entry in seusers. > So it would have wanted the crontab file to have user_cron_spool_t on > it, which would have happened if a user_t process created it. If > instead an admin created it and it got sysadm_cron_spool_t or > staff_cron_spool_t, that might explain it. So you could relabel it or > allow that permission. First though check the current label on the > crontab file. > Yes, you're right. That was precisely the cause. I've used "crontab -e -u apache" as root. The files in /var/spool/cron got sysadm_cron_spool_t type (the full context was root:object_r:sysadm_cron_spool_t). After running "fixfiles relabel /var/spool/cron/", the apache crontab got system_u:object_r:user_cron_spool_t. Now cron runs fine and doesn't log anything suspicious. IMHO crontab should be modified to relabel crontab files that are edited using the "-u" option, but this is a question to Dan - should I file a new bug to bugzilla.redhat.com on this? 
-- Best Regards, Aleksander Adamowski GG#: 274614 ICQ UIN: 19780575 http://olo.org.pl
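The cron thread above turns on one check: crond computes the job's context from the Linux user's seusers mapping (apache has no entry, so it gets __default__, i.e. user_u and user_crond_t) and then requires the crontab file to carry the entrypoint type for that domain (user_cron_spool_t); a crontab written by root with "crontab -e -u apache" inherits the admin's sysadm_cron_spool_t and fails the check. The script below is an added example, not code from the list or from vixie-cron, that reproduces that comparison against a constructed seusers map and a constructed ls -Z listing of /var/spool/cron, so it runs without SELinux present. The mapping from SELinux user to spool type is an assumption based on the strict-policy 2.4.6 names quoted in the thread (user_u, staff_u, root, system_u); it covers per-user crontabs only, not the /etc/cron.d case in Harald's message, which the thread leaves unresolved.

```shell
#!/bin/sh
# Added example, not code from the thread: model the entrypoint check crond
# applies between the job's computed context and the crontab file's label.

# Crontab spool type crond expects for a given SELinux user, i.e. the
# entrypoint type of that user's cron domain. Assumption: strict-policy 2.4.6
# naming as used in the thread (user_u -> user_crond_t / user_cron_spool_t).
expected_spool_type() {
    case "$1" in
        user_u)    echo user_cron_spool_t ;;
        staff_u)   echo staff_cron_spool_t ;;
        root)      echo sysadm_cron_spool_t ;;
        system_u)  echo system_cron_spool_t ;;
        *)         echo unknown ;;
    esac
}

# Constructed seusers map (login:seuser), modelled on the "semanage login -l"
# output quoted earlier. Logins without an entry fall back to __default__,
# which is why "apache" is treated as user_u.
SEUSERS='root:root
system_u:system_u
__default__:user_u'

seuser_for() {
    found=$(printf '%s\n' "$SEUSERS" | awk -F: -v u="$1" '$1 == u { print $2 }')
    if [ -n "$found" ]; then
        echo "$found"
    else
        printf '%s\n' "$SEUSERS" | awk -F: '$1 == "__default__" { print $2 }'
    fi
}

# crontab_label_check LOGIN OBSERVED_TYPE
# Prints "OK ..." when crond would accept the crontab as an entrypoint for
# the user's cron domain, or "MISMATCH ..." plus the fix, which is the
# "Unauthorized SELinux context" situation from the thread.
crontab_label_check() {
    login=$1
    observed=$2
    want=$(expected_spool_type "$(seuser_for "$login")")
    if [ "$observed" = "$want" ]; then
        echo "OK $login: $observed"
    else
        echo "MISMATCH $login: has $observed, crond wants $want; fix: restorecon -v /var/spool/cron/$login"
    fi
}

# Constructed "ls -Z /var/spool/cron" listing (not real output). The apache
# crontab was written by root via "crontab -e -u apache", so it inherited
# the admin's sysadm_cron_spool_t.
SAMPLE_LS_Z='-rw------- root   root   root:object_r:sysadm_cron_spool_t apache
-rw------- root   root   root:object_r:sysadm_cron_spool_t root
-rw------- morgan morgan user_u:object_r:user_cron_spool_t  morgan'

# Run the check over every line of the listing; the type is the third
# colon-separated field of the context (user:role:type[:range]).
check_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | while read -r perms owner group ctx name; do
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        crontab_label_check "$name" "$type"
    done
}

check_sample
```

On a real host, replace SAMPLE_LS_Z with the output of ls -Z /var/spool/cron and SEUSERS with semanage login -l; the MISMATCH line for apache is exactly the case Aleksander fixed with fixfiles relabel /var/spool/cron/, and the root line passes because root's own crontab is expected to be sysadm_cron_spool_t.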