From dwalsh at redhat.com  Tue Oct  2 03:58:43 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 01 Oct 2007 23:58:43 -0400
Subject: logrotate and /var/log/rpmpkgs ....
In-Reply-To: <4c4ba1530709301029u3488ee93ha822e588a0de0c31@mail.gmail.com>
References: <4c4ba1530709301029u3488ee93ha822e588a0de0c31@mail.gmail.com>
Message-ID: <4701C1F3.7080002@redhat.com>

Tom London wrote:
> Running latest Rawhide, targeted/enforcing.
>
> When cron runs logrotate, I get AVC on access to /var/log/rpmpkgs:
>
> type=AVC msg=audit(1191172944.569:41): avc: denied { getattr } for
> pid=6581 comm="logrotate" path="/var/log/rpmpkgs" dev=dm-0 ino=99163
> scontext=system_u:system_r:logrotate_t:s0
> tcontext=system_u:object_r:root_t:s0 tclass=file
> type=SYSCALL msg=audit(1191172944.569:41): arch=40000003 syscall=195
> success=no exit=-13 a0=8931228 a1=bfa7b320 a2=5b67ff4 a3=0 items=0
> ppid=6579 pid=6581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="logrotate"
> exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0
> key=(null)
>
> Should there be a directory in /var/log for these logs (with the
> appropriate label)?
>
> tom

How is a file in /var/log being labeled rpmpkgs?  Looks like this file
is created in / and then mv'd to /var/log?
From dwalsh at redhat.com  Tue Oct  2 04:03:50 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Oct 2007 00:03:50 -0400
Subject: tmpreaper and /var/cache/man
In-Reply-To: <4c4ba1530709281047r61f4c571w8af7bb0f83cbec6f@mail.gmail.com>
References: <4c4ba1530709281047r61f4c571w8af7bb0f83cbec6f@mail.gmail.com>
Message-ID: <4701C326.3090700@redhat.com>

Tom London wrote:
> Running latest Rawhide, targeted/enforcing.
>
> tmpreaper is complaining about /var/cache/man:
>
> /etc/cron.daily/tmpwatch:
>
> error: opendir error on current directory /var/cache/man/cat1: Permission denied
> error: cleanup failed in /var/cache/man/cat1: Permission denied
> error: opendir error on current directory /var/cache/man/cat2: Permission denied
> error: cleanup failed in /var/cache/man/cat2: Permission denied
> error: opendir error on current directory /var/cache/man/cat3: Permission denied
> error: cleanup failed in /var/cache/man/cat3: Permission denied
> error: opendir error on current directory /var/cache/man/cat4: Permission denied
> error: cleanup failed in /var/cache/man/cat4: Permission denied
> <<<<>>>>
>
> and
>
> type=AVC msg=audit(1191001312.606:91): avc: denied { read } for
> pid=12019 comm="tmpwatch" name="cat9" dev=dm-0 ino=65624
> scontext=system_u:system_r:tmpreaper_t:s0
> tcontext=system_u:object_r:man_t:s0 tclass=dir
> type=SYSCALL msg=audit(1191001312.606:91): arch=40000003 syscall=5
> success=no exit=-13 a0=804ac12 a1=98800 a2=fd00 a3=0 items=0
> ppid=11987 pid=12019 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="tmpwatch"
> exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0
> key=(null)
> type=AVC
> msg=audit(1191001312.608:92): avc: denied { read } for
> pid=12020 comm="tmpwatch" name="catn" dev=dm-0 ino=65625
> scontext=system_u:system_r:tmpreaper_t:s0
> tcontext=system_u:object_r:man_t:s0 tclass=dir
> type=SYSCALL msg=audit(1191001312.608:92): arch=40000003 syscall=5
> success=no exit=-13 a0=804ac12 a1=98800 a2=fd00 a3=0 items=0
> ppid=11987 pid=12020 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="tmpwatch"
> exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0
> key=(null)
>
> or
>
> #============= tmpreaper_t ==============
> allow tmpreaper_t man_t:dir read;
>
> [Guessing it wants more than just 'read'.....]
>
> tom

Should be fixed in latest rawhide policy.

From paul at city-fan.org  Tue Oct  2 09:41:33 2007
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 02 Oct 2007 10:41:33 +0100
Subject: logrotate and /var/log/rpmpkgs ....
In-Reply-To: <4701C1F3.7080002@redhat.com>
References: <4c4ba1530709301029u3488ee93ha822e588a0de0c31@mail.gmail.com> <4701C1F3.7080002@redhat.com>
Message-ID: <4702124D.1010200@city-fan.org>

Daniel J Walsh wrote:
> Tom London wrote:
>> Running latest Rawhide, targeted/enforcing.
>>
>> When cron runs logrotate, I get AVC on access to /var/log/rpmpkgs:
>>
>> type=AVC msg=audit(1191172944.569:41): avc: denied { getattr } for
>> pid=6581 comm="logrotate" path="/var/log/rpmpkgs" dev=dm-0 ino=99163
>> scontext=system_u:system_r:logrotate_t:s0
>> tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=SYSCALL msg=audit(1191172944.569:41): arch=40000003 syscall=195
>> success=no exit=-13 a0=8931228 a1=bfa7b320 a2=5b67ff4 a3=0 items=0
>> ppid=6579 pid=6581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) comm="logrotate"
>> exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0
>> key=(null)
>>
>> Should there be a directory in /var/log for these logs (with the
>> appropriate label)?
>>
>> tom
> How is a file in /var/log being labeled rpmpkgs?  Looks like this file
> is created in / and then mv'd to /var/log?

Don't think so; it should be created by /etc/cron.daily/rpm, which on F7
is:

/bin/rpm -qa --qf '%{name}-%{version}-%{release}.%{arch}.rpm\n' 2>&1 \
    | /bin/sort > /var/log/rpmpkgs

Paul.
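The two threads above (logrotate vs. a root_t file in /var/log, tmpwatch vs. man_t directories) and the httpd/my.cnf report further down this page are denials of two different kinds: one where the policy is missing a rule, and one where the object is simply carrying the wrong label, as Dan suspects for /var/log/rpmpkgs. The following POSIX sh script is an added example, not code from the list or from Fedora; it parses AVC records copied from this page (shortened to the fields it needs) into `source target:class permission` tuples, merges them into candidate `allow` rules the way audit2allow would, and flags a rule as a labelling problem when the target type is one of a small, assumed set of generic types (root_t, unlabeled_t, default_t, file_t) that a file under a properly labelled directory should never carry. The sample lines, the function names and that heuristic list are all mine.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials into "candidate policy rule" versus
# "object is mislabelled". Not the fedora-selinux-list's or Fedora's code.

# Constructed sample input: AVC records quoted on this page, trimmed. Note the two
# field orders seen on the page (tclass before or after tcontext) and the SYSCALL
# record, which the parser must skip.
SAMPLE_AVCS='type=AVC msg=audit(1191172944.569:41): avc: denied { getattr } for pid=6581 comm="logrotate" path="/var/log/rpmpkgs" dev=dm-0 ino=99163 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1191001312.606:91): avc: denied { read } for pid=12019 comm="tmpwatch" name="cat9" dev=dm-0 ino=65624 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1191001312.608:92): avc: denied { read } for pid=12020 comm="tmpwatch" name="catn" dev=dm-0 ino=65625 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 exe="/usr/sbin/httpd" name="my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:mysqld_etc_t:s0 uid=48
avc: denied { getattr } for comm="httpd" dev=sda2 egid=48 euid=48 exe="/usr/sbin/httpd" name="my.cnf" path="/etc/my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:mysqld_etc_t:s0 uid=48
type=SYSCALL msg=audit(1191172944.569:41): arch=40000003 syscall=195 success=no exit=-13 comm="logrotate"'

# field NAME LINE: value of the NAME=value token on LINE, empty if absent.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of a user:role:type[:range] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_tuples: stdin -> one "source_type target_type class permission" line per
# denied permission. Records without "avc: denied {" (SYSCALL, PATH, ...) are skipped.
avc_tuples() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:"*"denied {"*) ;;
            *) continue ;;
        esac
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p')
        src=$(ctx_type "$(field scontext "$line")")
        tgt=$(ctx_type "$(field tcontext "$line")")
        cls=$(field tclass "$line")
        for p in $perms; do
            printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$p"
        done
    done
}

# emit_rule "SRC TGT:CLASS" "PERMS": print one triage line. Assumed heuristic: a
# target type from the generic set means the object is mislabelled (the rpmpkgs
# case), so the fix is relabelling, not a new allow rule.
emit_rule() {
    [ -n "$1" ] || return 0
    case "$1" in
        *" root_t:"*|*" unlabeled_t:"*|*" default_t:"*|*" file_t:"*)
            printf 'LABEL  %s { %s }  # generic target type: relabel the object, do not add policy\n' "$1" "$2" ;;
        *)
            printf 'POLICY allow %s { %s };\n' "$1" "$2" ;;
    esac
}

# avc_triage: stdin -> one line per (source, target, class) with permissions merged.
# Duplicate denials (the two tmpwatch records) collapse via sort -u. POLICY lines are
# candidates to review against what the domain should legitimately do, not rules to load blindly.
avc_triage() {
    avc_tuples | LC_ALL=C sort -u | {
        key=""; perms=""
        while read -r src tgt cls perm; do
            k="$src $tgt:$cls"
            if [ "$k" = "$key" ]; then
                perms="$perms $perm"
            else
                emit_rule "$key" "$perms"
                key="$k"; perms="$perm"
            fi
        done
        emit_rule "$key" "$perms"
    }
}

# Demo on the constructed sample; on a real host feed it the audit log instead:
#   grep 'avc: *denied' /var/log/audit/audit.log | avc_triage
printf '%s\n' "$SAMPLE_AVCS" | avc_triage
```

On the sample this prints a POLICY line for httpd_t on mysqld_etc_t:file with `{ getattr read }` merged from two records, a POLICY line for tmpreaper_t on man_t:dir, and a LABEL line for logrotate_t on root_t:file; the last is exactly the case where `restorecon` on the file (or creating it in the right directory in the first place) is the correct fix and an allow rule would only paper over the mislabelling.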
From amessina at messinet.com  Tue Oct  2 09:46:24 2007
From: amessina at messinet.com (Anthony Messina)
Date: Tue, 2 Oct 2007 04:46:24 -0500
Subject: SELinux denies httpd access to /etc/my.cnf
Message-ID: <200710020446.27418.amessina@messinet.com>

I get the following in my logs, in permissive mode:

avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48
exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
subj=root:system_r:httpd_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48

avc: denied { getattr } for comm="httpd" dev=sda2 egid=48 euid=48
exe="/usr/sbin/httpd" exit=0 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
path="/etc/my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
subj=root:system_r:httpd_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48

Should httpd be accessing this file?  If so, how would I set up that
configuration?  It seems that if this type of access is necessary, a boolean
would be in place.

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From ian at smallworld.cx  Tue Oct  2 10:12:38 2007
From: ian at smallworld.cx (Ian Leonard)
Date: Tue, 02 Oct 2007 11:12:38 +0100
Subject: How to fix avc denied errors
Message-ID: <47021996.9020309@smallworld.cx>

Hi,

I am new to SELinux so I may have got this wrong but....

I am using a custom FC6 distribution that I built and installed using
Kickstart.
After installation I have two errors in the log file:

audit(1191322730.172:5): avc: denied { mounton } for pid=1606
comm="mount" name="log" dev=hda1 ino=1035266
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=dir

Oct 2 11:59: kernel: audit(1191322771.771:34): avc: denied { getattr
} for pid=1424 comm="rhgb" name=".X0-lock" dev=hda1 ino=485340
scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=file

To take the second one, it seems that the .X0-lock needs to be allowed
to run from the rhgb_t context. To fix this I have edited
/etc/selinux/targeted/src/contexts/files/file_contexts (I am running in
targeted mode). I added the rhgb_t context to the /tmp.*.

Now it seems I have to run 'make load'. However there is no sign of a
makefile anywhere (and this is true of my standard FC6 distro).

Where am I going wrong? TIA.

-- 
Ian Leonard

Please ignore spelling and punctuation - I did.

From torbjorn.lindahl at gmail.com  Tue Oct  2 10:32:42 2007
From: torbjorn.lindahl at gmail.com (Torbjørn Lindahl)
Date: Tue, 2 Oct 2007 12:32:42 +0200
Subject: Limiting network activities to certain destination hosts only
Message-ID: <3533f9010710020332t4607831mf996da91e5aebc56@mail.gmail.com>

Hello list.

Is it possible to limit a network connection to certain destination hosts
only? I.e. suppose I want an update service to only be allowed to contact
a certain web host, given by either a hostname or an IP address?

-- 
mvh
Torbjørn Lindahl

From dwalsh at redhat.com  Tue Oct  2 11:54:33 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Oct 2007 07:54:33 -0400
Subject: logrotate and /var/log/rpmpkgs ....
In-Reply-To: <4702124D.1010200@city-fan.org>
References: <4c4ba1530709301029u3488ee93ha822e588a0de0c31@mail.gmail.com> <4701C1F3.7080002@redhat.com> <4702124D.1010200@city-fan.org>
Message-ID: <47023179.5030600@redhat.com>

Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Tom London wrote:
>>> Running latest Rawhide, targeted/enforcing.
>>>
>>> When cron runs logrotate, I get AVC on access to /var/log/rpmpkgs:
>>>
>>> type=AVC msg=audit(1191172944.569:41): avc: denied { getattr } for
>>> pid=6581 comm="logrotate" path="/var/log/rpmpkgs" dev=dm-0 ino=99163
>>> scontext=system_u:system_r:logrotate_t:s0
>>> tcontext=system_u:object_r:root_t:s0 tclass=file
>>> type=SYSCALL msg=audit(1191172944.569:41): arch=40000003 syscall=195
>>> success=no exit=-13 a0=8931228 a1=bfa7b320 a2=5b67ff4 a3=0 items=0
>>> ppid=6579 pid=6581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>> egid=0 sgid=0 fsgid=0 tty=(none) comm="logrotate"
>>> exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0
>>> key=(null)
>>>
>>> Should there be a directory in /var/log for these logs (with the
>>> appropriate label)?
>>>
>>> tom
>> How is a file in /var/log being labeled rpmpkgs?  Looks like this file
>> is created in / and then mv'd to /var/log?
>
> Don't think so; it should be created by /etc/cron.daily/rpm, which on F7
> is:
>
> /bin/rpm -qa --qf '%{name}-%{version}-%{release}.%{arch}.rpm\n' 2>&1 \
>     | /bin/sort > /var/log/rpmpkgs
>
> Paul.

But not in F8

#!/bin/sh
tmpfile=`/bin/mktemp rpmpkgs.XXXXXXXXX` || exit 1
/bin/rpm -qa --qf '%{name}-%{version}-%{release}.%{arch}.rpm\n' 2>&1 \
    | /bin/sort > "$tmpfile"
[ -s "$tmpfile" ] || exit 1
/bin/mv "$tmpfile" /var/log/rpmpkgs
/bin/chmod 0644 /var/log/rpmpkgs

This should be.
#!/bin/sh
tmpfile=`/bin/mktemp /var/log/rpmpkgs.XXXXXXXXX` || exit 1
/bin/rpm -qa --qf '%{name}-%{version}-%{release}.%{arch}.rpm\n' 2>&1 \
    | /bin/sort > "$tmpfile"
[ -s "$tmpfile" ] || exit 1
/bin/mv "$tmpfile" /var/log/rpmpkgs
/bin/chmod 0644 /var/log/rpmpkgs

And the SELinux context would be right.

From dwalsh at redhat.com  Tue Oct  2 11:59:00 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Oct 2007 07:59:00 -0400
Subject: logrotate and /var/log/rpmpkgs ....
In-Reply-To: <4702124D.1010200@city-fan.org>
References: <4c4ba1530709301029u3488ee93ha822e588a0de0c31@mail.gmail.com> <4701C1F3.7080002@redhat.com> <4702124D.1010200@city-fan.org>
Message-ID: <47023284.2030201@redhat.com>

Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Tom London wrote:
>>> Running latest Rawhide, targeted/enforcing.
>>>
>>> When cron runs logrotate, I get AVC on access to /var/log/rpmpkgs:
>>>
>>> type=AVC msg=audit(1191172944.569:41): avc: denied { getattr } for
>>> pid=6581 comm="logrotate" path="/var/log/rpmpkgs" dev=dm-0 ino=99163
>>> scontext=system_u:system_r:logrotate_t:s0
>>> tcontext=system_u:object_r:root_t:s0 tclass=file
>>> type=SYSCALL msg=audit(1191172944.569:41): arch=40000003 syscall=195
>>> success=no exit=-13 a0=8931228 a1=bfa7b320 a2=5b67ff4 a3=0 items=0
>>> ppid=6579 pid=6581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>> egid=0 sgid=0 fsgid=0 tty=(none) comm="logrotate"
>>> exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0
>>> key=(null)
>>>
>>> Should there be a directory in /var/log for these logs (with the
>>> appropriate label)?
>>>
>>> tom
>> How is a file in /var/log being labeled rpmpkgs?
>> Looks like this file
>> is created in / and then mv'd to /var/log?
>
> Don't think so; it should be created by /etc/cron.daily/rpm, which on F7
> is:
>
> /bin/rpm -qa --qf '%{name}-%{version}-%{release}.%{arch}.rpm\n' 2>&1 \
>     | /bin/sort > /var/log/rpmpkgs
>
> Paul.

https://bugzilla.redhat.com/show_bug.cgi?id=315271

From dwalsh at redhat.com  Tue Oct  2 12:06:38 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Oct 2007 08:06:38 -0400
Subject: SELinux denies httpd access to /etc/my.cnf
In-Reply-To: <200710020446.27418.amessina@messinet.com>
References: <200710020446.27418.amessina@messinet.com>
Message-ID: <4702344E.3000005@redhat.com>

Anthony Messina wrote:
> I get the following in my logs, in permissive mode:
>
> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48
> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
> subj=root:system_r:httpd_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
>
> avc: denied { getattr } for comm="httpd" dev=sda2 egid=48 euid=48
> exe="/usr/sbin/httpd" exit=0 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
> path="/etc/my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
> subj=root:system_r:httpd_t:s0 suid=48 tclass=file
> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
>
> Should httpd be accessing this file?  If so, how would I set up that
> configuration?  It seems that if this type of access is necessary, a boolean
> would be in place.
Yes it should have the ability to read it.  The only reason there is a
type on this file is for database admins to be able to manage it.

So will update policy to allow http to read the file.

From dwalsh at redhat.com  Tue Oct  2 12:10:13 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Oct 2007 08:10:13 -0400
Subject: How to fix avc denied errors
In-Reply-To: <47021996.9020309@smallworld.cx>
References: <47021996.9020309@smallworld.cx>
Message-ID: <47023525.1010803@redhat.com>

Ian Leonard wrote:
> Hi,
>
> I am new to SELinux so I may have got this wrong but....
>
>
> I am using a custom FC6 distribution that I built and installed using
> Kickstart. After installation I have two errors in the log file:
>
>
> audit(1191322730.172:5): avc: denied { mounton } for pid=1606
> comm="mount" name="log" dev=hda1 ino=1035266
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=dir

You can allow this by setting the boolean.

setsebool -P allow_mounton_anydir 1

>
> Oct 2 11:59: kernel: audit(1191322771.771:34): avc: denied { getattr
> } for pid=1424 comm="rhgb" name=".X0-lock" dev=hda1 ino=485340
> scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:tmp_t:s0
> tclass=file
>
>
>
> To take the second one, it seems that the .X0-lock needs to be allowed
> to run from the rhgb_t context. To fix this I have edited
> /etc/selinux/targeted/src/contexts/files/file_contexts (I am running in
> targeted mode).
> I added the rhgb_t context to the /tmp.*.
>

This is the wrong thing to do.  You can add custom rules to policy by
executing

# grep rhgb_t /var/log/audit/audit.log | audit2allow -M myrhgb
# semodule -i myrhgb.pp

> Now it seems I have to run 'make load'. However there is no sign of a
> makefile anywhere (and this is true of my standard FC6 distro).
>
> Where am I going wrong? TIA.
>

What version of policy are you running?

From dwalsh at redhat.com  Tue Oct  2 13:05:13 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Oct 2007 09:05:13 -0400
Subject: dhclient-script avc error f7
In-Reply-To: <20070930090621.GA5632@stanford.edu>
References: <20070930090621.GA5632@stanford.edu>
Message-ID: <47024209.9010905@redhat.com>

Tim Fenn wrote:
> I recently upgraded a machine from FC6 to F7, and I used to use a
> /etc/dhclient-exit-hooks script to call some iptables functions after
> bringing up my external interface.  This used to work on FC6 as long
> as I setsebool -P dhcpc_disable_trans 1, but the policy in F7 no
> longer contains such a boolean, so dhclient-script is prevented from
> getattr/executing iptables.  Is there a simple fix to this, or do I
> need to write a policy and compile it?  If the latter, any pointers on
> what the policy file should contain?
>
> Thanks for any help,
> tim

You have inspired me to blog.
http://danwalsh.livejournal.com/13116.html

From shintaro.fujiwara at gmail.com  Tue Oct  2 17:03:15 2007
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 3 Oct 2007 02:03:15 +0900
Subject: Intel Network card does not work on SELinux?
Message-ID:

Hi, I'm having trouble on SELinux, I think.

I bought an old note-pc, NEC Lavie M LM500/3.
Manufactured in 2002.
It has an network controller named "82551QM Fast Ethernet Controller".
By that machine,
I cannot connect network on targeted enforcing mode.
eth0 rises up OK, but ping not reachable.
On disabled, yes.
So, I thought it's a SELinux problem.
No denied messages, so I have no clues.
Not yet done enableaudit everything.
I tried to install Intel driver but failed,
echoed messages something like,
no such file config.h...

Any suggestion?
Thanks in advance!

From fenn at stanford.edu  Tue Oct  2 18:07:09 2007
From: fenn at stanford.edu (Tim Fenn)
Date: Tue, 2 Oct 2007 11:07:09 -0700
Subject: dhclient-script avc error f7
In-Reply-To: <47024209.9010905@redhat.com>
References: <20070930090621.GA5632@stanford.edu> <47024209.9010905@redhat.com>
Message-ID: <20071002110709.38140dc9@atbws1.stanford.edu>

On Tue, 02 Oct 2007 09:05:13 -0400
Daniel J Walsh wrote:

> Tim Fenn wrote:
> > I recently upgraded a machine from FC6 to F7, and I used to use a
> > /etc/dhclient-exit-hooks script to call some iptables functions
> > after bringing up my external interface.  This used to work on FC6
> > as long as I setsebool -P dhcpc_disable_trans 1, but the policy in
> > F7 no longer contains such a boolean, so dhclient-script is
> > prevented from getattr/executing iptables.
> > Is there a simple fix
> > to this, or do I need to write a policy and compile it?  If the
> > latter, any pointers on what the policy file should contain?
> >
>
> You have inspired me to blog.
>
> http://danwalsh.livejournal.com/13116.html

Great horney toads, what have I done? ;)

Thanks for the feedback Dan, it's always appreciated (and thanks for
pointing out the error in my previous ways).  I recently dove into
policy writing, but will rewrite my policy based on the domain transfer
suggestion and report back once I have something working.

Regards,
-Tim

From eparis at redhat.com  Tue Oct  2 18:25:46 2007
From: eparis at redhat.com (Eric Paris)
Date: Tue, 02 Oct 2007 14:25:46 -0400
Subject: Intel Network card does not work on SELinux?
In-Reply-To:
References:
Message-ID: <1191349546.9506.8.camel@localhost.localdomain>

On Wed, 2007-10-03 at 02:03 +0900, Shintaro Fujiwara wrote:
> Hi, I'm having trouble on SELinux, I think.
>
> I bought an old note-pc, NEC Lavie M LM500/3.
> Manufactured in 2002.
> It has an network controller named "82551QM Fast Ethernet Controller".
> By that machine,
> I cannot connect network on targeted enforcing mode.
> eth0 rises up OK, but ping not reachable.
> On disabled, yes.
> So, I thought it's a SELinux problem.
> No denied messages, so I have no clues.
> Not yet done enableaudit everything.
> I tried to install Intel driver but failed,
> echoed messages something like,
> no such file config.h...

My only thought is are you looking in the right place?  Denials may be
in /var/log/messages or in /var/log/audit/audit.log depending on whether
the audit subsystem is on.  What version of Fedora are you running?

/me bets on some mislabeled files from when you ran with selinux off,
but if you can find those denials that would help.

-Eric

From shintaro.fujiwara at gmail.com  Tue Oct  2 19:04:11 2007
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 3 Oct 2007 04:04:11 +0900
Subject: Intel Network card does not work on SELinux?
In-Reply-To: <1191349546.9506.8.camel@localhost.localdomain>
References: <1191349546.9506.8.camel@localhost.localdomain>
Message-ID:

Thanks! Eric,
but my version is F7 so I read both files.
But no denied messages.
It's strange and I don't understand why it
works on Default permissive, setenforce 1,
and
not works on Default enforcing, setenforce 0...

And strange enough, maybe once in ten times it works
even in Default enforcing...
Also, sometimes does not work on Default permissive
at all.

I think some other reason...
or
I should relabel again.

If it does not work, I manage Default permissive
and setenforce 1 for a while.

Thanks!

2007/10/3, Eric Paris :
> On Wed, 2007-10-03 at 02:03 +0900, Shintaro Fujiwara wrote:
> > Hi, I'm having trouble on SELinux, I think.
> >
> > I bought an old note-pc, NEC Lavie M LM500/3.
> > Manufactured in 2002.
> > It has an network controller named "82551QM Fast Ethernet Controller".
> > By that machine,
> > I cannot connect network on targeted enforcing mode.
> > eth0 rises up OK, but ping not reachable.
> > On disabled, yes.
> > So, I thought it's a SELinux problem.
> > No denied messages, so I have no clues.
> > Not yet done enableaudit everything.
> > I tried to install Intel driver but failed,
> > echoed messages something like,
> > no such file config.h...
>
> My only thought is are you looking in the right place?  Denials may be
> in /var/log/messages or in /var/log/audit/audit.log depending on whether
> the audit subsystem is on.  What version of Fedora are you running?
>
> /me bets on some mislabeled files from when you ran with selinux off,
> but if you can find those denials that would help.
>
> -Eric
>
>

From shintaro.fujiwara at gmail.com  Tue Oct  2 20:21:25 2007
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 3 Oct 2007 05:21:25 +0900
Subject: Can't enjoy SEPostgresql
Message-ID:

Hi, I want to be entertained by SEPostgresql.

I succeeded installing my note-pc SEPostgresql.
But I can't find any sepostgresql module by
semodule -l or can't initialize db.
There is nothing /etc/init.d/sepostgresql
What's wrong?

During the installing process of SEPostgresql,
I got errors on dependencies, so I install with
option --oldpackage, because
I already updated to 2.6.4-43.

And I got error on semodule, too after installed
SEPostgresql.
What's wrong and what should I do?

From selinux at gmail.com  Tue Oct  2 21:25:20 2007
From: selinux at gmail.com (Tom London)
Date: Tue, 2 Oct 2007 14:25:20 -0700
Subject: AVCs on suspend/resume
Message-ID: <4c4ba1530710021425h18f65294j3ed0eeb0de7eedbe@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

I accidentally did a suspend/resume on my Thinkpad.  I got the following
AVCs.  Sorry, can't tell from this if this happened during suspend or
resume.

I'm guessing the first AVC (from alsactl) is from
/usr/lib/pm-utils/sleep.d/65alsa.  There is this code there:

#!/bin/bash

. /usr/lib/pm-utils/functions

case "$1" in
    hibernate|suspend)
        alsactl store 0 >/dev/null 2>&1
        ;;
    thaw|resume)
        alsactl restore 0 >/dev/null 2>&1
        ;;
    *)
        ;;
esac

Could there be a leaked file descriptor?

/var/log/pm-suspend.log contains:

===== Tue Oct 2 10:45:35 PDT 2007: running hook: /usr/lib/pm-utils/sleep.d/60sysfont =====
/usr/lib/pm-utils/sleep.d/60sysfont: line 7: /dev/tty0: Permission denied

60sysfont has:

case "$1" in
    resume|thaw)
        setsysfont

References:
Message-ID: <4702EB83.9020605@ak.jp.nec.com>

Shintaro Fujiwara wrote:
> Hi, I want to be entertained by SEPostgresql.
>
> I succeeded installing my note-pc SEPostgresql.
>
> But I can't find any sepostgresql module by
> semodule -l or can't initialize db.
> There is nothing /etc/init.d/sepostgresql
> What's wrong?

You don't succeed to install SE-PostgreSQL :)

> During the installing process of SEPostgresql,
> I got errors on dependencies, so I install with
> option --oldpackage, because
> I already updated to 2.6.4-43.
You HAVE TO install the selinux-policy package with
object classes/permission related to SE-PostgreSQL.
Unfortunately, we have not released the package based on
the latest selinux-policy.
Please apply selinux-policy-2.6.4-42.sepgsql instead.

In Fedora 7 system, the default base security policy does not
contain any object classes/permissions definition related to
database management system, so we have to replace it by
the .sepgsql version.

> And I got error on semodule, too after installed
> SEPostgresql.
> What's wrong and what should I do?

What kind of errors are happening?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei

From shintaro.fujiwara at gmail.com  Wed Oct  3 01:39:51 2007
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 3 Oct 2007 10:39:51 +0900
Subject: Can't enjoy SEPostgresql
In-Reply-To: <4702EB83.9020605@ak.jp.nec.com>
References: <4702EB83.9020605@ak.jp.nec.com>
Message-ID:

Thanks! Kaigai-san.

2007/10/3, KaiGai Kohei :
> Shintaro Fujiwara wrote:
> > Hi, I want to be entertained by SEPostgresql.
> >
> > I succeeded installing my note-pc SEPostgresql.
> >
> > But I can't find any sepostgresql module by
> > semodule -l or can't initialize db.
> > There is nothing /etc/init.d/sepostgresql
> > What's wrong?
>
> You don't succeed to install SE-PostgreSQL :)

Indeed :(

> > During the installing process of SEPostgresql,
> > I got errors on dependencies, so I install with
> > option --oldpackage, because
> > I already updated to 2.6.4-43.
>
> You HAVE TO install the selinux-policy package with
> object classes/permission related to SE-PostgreSQL.

OK, now I understand why.

> Unfortunately, we have not released the package based on
> the latest selinux-policy.
> Please apply selinux-policy-2.6.4-42.sepgsql instead.

All right. I can pick up 2.6.4-42's and try again tonight JST.
> In Fedora 7 system, the default base security policy does not
> contain any object classes/permissions definition related to
> database management system, so we have to replace it by
> the .sepgsql version.

Got it, buddy.
I understand sepgsql needs new classes/permissions stuff.

> > And I got error on semodule, too after installed
> > SEPostgresql.
> > What's wrong and what should I do?
>
> What kind of errors are happening?

I don't have it anymore, but link package failed or
something like that.

Anyway, I will try again and give you report on it, thanks.

> Thanks,
> -- 
> OSS Platform Development Division, NEC
> KaiGai Kohei
>

From shintaro.fujiwara at gmail.com  Wed Oct  3 09:30:10 2007
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 3 Oct 2007 18:30:10 +0900
Subject: Can't enjoy SEPostgresql
In-Reply-To:
References: <4702EB83.9020605@ak.jp.nec.com>
Message-ID:

Error message was, like this.

module exim's global requirement were not met.
exim_exec_t

So I semodule -r ed exim and reinstalled.
No error this time.

2007/10/3, Shintaro Fujiwara :
> Thanks! Kaigai-san.
>
> 2007/10/3, KaiGai Kohei :
> > Shintaro Fujiwara wrote:
> > > Hi, I want to be entertained by SEPostgresql.
> > >
> > > I succeeded installing my note-pc SEPostgresql.
> > >
> > > But I can't find any sepostgresql module by
> > > semodule -l or can't initialize db.
> > > There is nothing /etc/init.d/sepostgresql
> > > What's wrong?
> >
> > You don't succeed to install SE-PostgreSQL :)
>
> Indeed :(
>
> > > During the installing process of SEPostgresql,
> > > I got errors on dependencies, so I install with
> > > option --oldpackage, because
> > > I already updated to 2.6.4-43.
> >
> > You HAVE TO install the selinux-policy package with
> > object classes/permission related to SE-PostgreSQL.
>
> OK, now I understand why.
>
> > Unfortunately, we have not released the package based on
> > the latest selinux-policy.
> > Please apply selinux-policy-2.6.4-42.sepgsql instead.
>
> All right. I can pick up 2.6.4-42's and try again tonight JST.
>
> > In Fedora 7 system, the default base security policy does not
> > contain any object classes/permissions definition related to
> > database management system, so we have to replace it by
> > the .sepgsql version.
>
> Got it, buddy.
> I understand sepgsql needs new classes/permissions stuff.
>
> > > And I got error on semodule, too after installed
> > > SEPostgresql.
> > > What's wrong and what should I do?
> >
> > What kind of errors are happening?
>
> I don't have it anymore, but link package failed or
> something like that.
>
> Anyway, I will try again and give you report on it, thanks.
>
> > Thanks,
> > -- 
> > OSS Platform Development Division, NEC
> > KaiGai Kohei
> >
>

From wolfy at nobugconsulting.ro  Wed Oct  3 13:59:15 2007
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Wed, 03 Oct 2007 16:59:15 +0300
Subject: SELinux denies httpd access to /etc/my.cnf
In-Reply-To: <4702344E.3000005@redhat.com>
References: <200710020446.27418.amessina@messinet.com> <4702344E.3000005@redhat.com>
Message-ID: <4703A033.2010800@nobugconsulting.ro>

Daniel J Walsh wrote:
> Anthony Messina wrote:
>
>> I get the following in my logs, in permissive mode:
>>
>> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48
>> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
>> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file
>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
>>
>> avc: denied { getattr } for comm="httpd" dev=sda2 egid=48 euid=48
>> exe="/usr/sbin/httpd" exit=0 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
>> path="/etc/my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file
>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
>>
>> Should httpd be accessing this file?
>> If so, how would I set up that
>> configuration? It seems that if this type of access is necessary, a boolean
>> would be in place.
>>
>
> Yes it should have the ability to read it. The only reason there is a
> type on this file is for database admins to be able to manage it.
>
> So will update policy to allow http to read the file.
>

Humm.. /me puzzled
Could someone please explain why would the web server (aka httpd)
need read access to the configuration of the MySQL server ? I've seen
quite a few servers in place and never felt the need to crossmix those
two server daemons with their config files. I've also thought that
httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf and httpd + DB
implies httpd talking to mysqld.

From shintaro.fujiwara at gmail.com Wed Oct 3 15:54:07 2007
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Thu, 4 Oct 2007 00:54:07 +0900
Subject: Can't enjoy SEPostgresql(Solved ! Now I'm enjoying.)
Message-ID:

Could install SE-PostgreSQL on my note-pc.
I heard from F8 it would be much easier to install.
Thanks, Kohei !
Cheers!

2007/10/3, Shintaro Fujiwara :
> Error message was, like this.
>
> module exim's global requirement were not met.
> exim_exec_t
>
> So I semodule -r'ed exim and reinstalled.
> No error this time.
>
>
> 2007/10/3, Shintaro Fujiwara :
> > Thanks! Kaigai-san.
> >
> > 2007/10/3, KaiGai Kohei :
> > > Shintaro Fujiwara wrote:
> > > > Hi, I want to be entertained by SEPostgresql.
> > > >
> > > > I succeeded installing my note-pc SEPostgresql.
> > > >
> > > > But I can't find any sepostgresql module by
> > > > semodule -l or can't initialize db.
> > > > There is nothing /etc/init.d/sepostgresql
> > > > What's wrong.
> > >
> > > You don't succeed to install SE-PostgreSQL :)
> >
> > Indeed :(
> >
> > > > During the installing process of SEPostgresql,
> > > > I got errors on dependencies, so I install with
> > > > option --oldpackage, because
> > > > I already updated to 2.6.4-43.
> > >
> > > You HAVE TO install the selinux-policy package with
> > > with object classes/permission related to SE-PostgreSQL.
> >
> > OK, now I understand why.
> >
> > > Unfortunately, we have not released the package based on
> > > the latest selinux-policy.
> > > Please apply selinux-policy-2.6.4-42.sepgsql instead.
> >
> > All right. I can pick up 2.6.4-42's and try again tonight JST.
> >
> > > In Fedora 7 system, the default base security policy does not
> > > contain any object classes/permissions definition related to
> > > database management system, so we have to replace it by
> > > the .sepgsql version.
> >
> > Got it, buddy.
> > I understand sepgsql needs new classes/permissions stuff.
> >
> > > > And I got error on semodule, too after installed
> > > > SEPostgresql.
> > > > What's wrong and what should I do?
> > >
> > > What kind of errors are happening?
> >
> > I don't have it anymore, but link package failed or
> > something like that.
> >
> > Anyway, I will try again and give you report on it, thanks.
> >
> > > Thanks,
> > > --
> > > OSS Platform Development Division, NEC
> > > KaiGai Kohei
> > >
> >
>

From dwalsh at redhat.com Wed Oct 3 20:48:19 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 03 Oct 2007 16:48:19 -0400
Subject: Intel Network card does not work on SELinux?
In-Reply-To:
References: <1191349546.9506.8.camel@localhost.localdomain>
Message-ID: <47040013.7060306@redhat.com>

Shintaro Fujiwara wrote:
> Thanks! Eric,
> but my version is F7 so I read both files.
> But no denied messages.
> It's strange and I don't understand why it
> works on Default permissive, setenforce 1,
> and
> does not work on Default enforcing, setenforce 0...
>
> And strange enough, maybe once in ten times it works
> even in Default enforcing...
> Also, sometimes does not work on Default permissive
> at all.
>
> I think some other reason...
> or
> I should relabel again.
>
> If it does not work,
> I manage Default permissive and setenforce 1
> for a while.

Sounds like something is being dontaudited.

So this works with setenforce 0/Permissive mode
and does not work with setenforce 1/Enforcing mode.

>
> Thanks!
>
>
> 2007/10/3, Eric Paris :
>> On Wed, 2007-10-03 at 02:03 +0900, Shintaro Fujiwara wrote:
>>> Hi, I'm having trouble on SELinux, I think.
>>>
>>> I bought an old note-pc, NEC Lavie M LM500/3.
>>> Manufactured in 2002.
>>> It has a network controller named "82551QM Fast Ethernet Controller".
>>> By that machine,
>>> I cannot connect network on targeted enforcing mode.
>>> eth0 rises up OK, but ping not reachable.
>>> On disabled, yes.
>>> So, I thought it's a SELinux problem.
>>> No denied messages, so I have no clues.
>>> Not yet done enableaudit everything.
>>> I tried to install Intel driver but failed,
>>> echoed messages something like,
>>> no such file config.h...
>> My only thought is are you looking in the right place? denials may be
>> in /var/log/messages or in /var/log/audit/audit.log depending if the
>> audit subsystem is on. What version of Fedora are you running?
>>
>> /me bets on some mislabeled files from when you ran with selinux off,
>> but if you can find those denials that would help.
>>
>> -Eric
>>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From fenn at stanford.edu Wed Oct 3 21:56:53 2007
From: fenn at stanford.edu (Tim Fenn)
Date: Wed, 3 Oct 2007 14:56:53 -0700
Subject: dhclient-script avc error f7
In-Reply-To: <20071002110709.38140dc9@atbws1.stanford.edu>
References: <20070930090621.GA5632@stanford.edu> <47024209.9010905@redhat.com> <20071002110709.38140dc9@atbws1.stanford.edu>
Message-ID: <20071003145653.51dcf315@atbws1.stanford.edu>

On Tue, 2 Oct 2007 11:07:09 -0700
Tim Fenn wrote:

>
> I recently dove into policy writing, but will rewrite my policy based
> on the domain transfer suggestion and report back once I have
> something working.
>

Here is the policy I cooked up:

policy_module(mydhcp,1.0.0)

########################################
#
# Declarations
#
require {
        type dhcpc_t;
        type insmod_t;
        type iptables_t;
        class rawip_socket { read write };
}

iptables_domtrans(dhcpc_t)

#============= insmod_t ==============
allow insmod_t iptables_t:rawip_socket { read write };

Not sure if it would be best to transfer iptables_t to modutils here?

-Tim

--
---------------------------------------------------------
Tim Fenn
fenn at stanford.edu
Stanford University, School of Medicine
James H. Clark Center
318 Campus Drive, Room E300
Stanford, CA 94305-5432
Phone: (650) 736-1714
FAX: (650) 736-1961
---------------------------------------------------------

From shintaro.fujiwara at gmail.com Wed Oct 3 21:57:03 2007
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Thu, 4 Oct 2007 06:57:03 +0900
Subject: Intel Network card does not work on SELinux?
In-Reply-To: <47040013.7060306@redhat.com>
References: <1191349546.9506.8.camel@localhost.localdomain> <47040013.7060306@redhat.com>
Message-ID:

2007/10/4, Daniel J Walsh :
> Shintaro Fujiwara wrote:
> > Thanks! Eric,
> > but my version is F7 so I read both files.
> > But no denied messages.
> > It's strange and I don't understand why it
> > works on Default permissive, setenforce 1,
> > and
> > does not work on Default enforcing, setenforce 0...
> >
> > And strange enough, maybe once in ten times it works
> > even in Default enforcing...
> > Also, sometimes does not work on Default permissive
> > at all.
> >
> > I think some other reason...
> > or
> > I should relabel again.
> >
> > If it does not work,
> > I manage Default permissive and setenforce 1
> > for a while.
> Sounds like something is being dontaudited.
>
> So this works with setenforce 0/Permissive mode
> and does not work with setenforce 1/Enforcing mode.
>

I don't find an answer yet and enableaudit not yet but,
I found a weird thing that it's different when I login as non root user
and su - between when I login as root.
And once I fail using network I have to relabel every time.
I just want to make a SE-PostgreSQL machine for Kaigai for the conference
and there is no time to analyze but I will scrutinize it on Sunday after
the conference maybe just doing enableaudit thing.
I will give report on it and want to fix this problem forever :-)

> >
> > Thanks!
> >
> >
> > 2007/10/3, Eric Paris :
> >> On Wed, 2007-10-03 at 02:03 +0900, Shintaro Fujiwara wrote:
> >>> Hi, I'm having trouble on SELinux, I think.
> >>>
> >>> I bought an old note-pc, NEC Lavie M LM500/3.
> >>> Manufactured in 2002.
> >>> It has a network controller named "82551QM Fast Ethernet Controller".
> >>> By that machine,
> >>> I cannot connect network on targeted enforcing mode.
> >>> eth0 rises up OK, but ping not reachable.
> >>> On disabled, yes.
> >>> So, I thought it's a SELinux problem.
> >>> No denied messages, so I have no clues.
> >>> Not yet done enableaudit everything.
> >>> I tried to install Intel driver but failed,
> >>> echoed messages something like,
> >>> no such file config.h...
> >> My only thought is are you looking in the right place? denials may be
> >> in /var/log/messages or in /var/log/audit/audit.log depending if the
> >> audit subsystem is on. What version of Fedora are you running?
> >>
> >> /me bets on some mislabeled files from when you ran with selinux off,
> >> but if you can find those denials that would help.
> >>
> >> -Eric
> >>
> >
>

From olivares14031 at yahoo.com Wed Oct 3 23:23:42 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 3 Oct 2007 16:23:42 -0700 (PDT)
Subject: SELinux is preventing /sbin/ip (ifconfig_t) "write" to pipe (unconfined_t).
Message-ID: <543210.99462.qm@web52602.mail.re2.yahoo.com>

Summary
SELinux is preventing /sbin/ip (ifconfig_t) "write" to pipe (unconfined_t).

Detailed Description
SELinux denied access requested by /sbin/ip. It is not expected that this access is required by /sbin/ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:ifconfig_t
Target Context                system_u:system_r:unconfined_t
Target Objects                pipe [ fifo_file ]
Affected RPM Packages         iproute-2.6.22-2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-14.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23-0.214.rc8.git2.fc8 #1 SMP Fri Sep 28 17:38:00 EDT 2007 i686 i686
Alert Count                   14
First Seen                    Wed 26 Sep 2007 06:34:54 PM CDT
Last Seen                     Wed 03 Oct 2007 06:18:53 PM CDT
Local ID                      d0527712-8653-4588-9f61-e20604d839bf
Line Numbers

Raw Audit Messages

avc: denied { write } for comm=ip dev=pipefs egid=0 euid=0 exe=/sbin/ip exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[12268] pid=3166 scontext=system_u:system_r:ifconfig_t:s0 sgid=0 subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0

Summary
SELinux is preventing /sbin/consoletype (consoletype_t) "write" to pipe (unconfined_t).

Detailed Description
SELinux denied access requested by /sbin/consoletype. It is not expected that this access is required by /sbin/consoletype and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information

Source Context                system_u:system_r:consoletype_t
Target Context                system_u:system_r:unconfined_t
Target Objects                pipe [ fifo_file ]
Affected RPM Packages         initscripts-8.56-1 [application]
Policy RPM                    selinux-policy-3.0.8-14.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23-0.214.rc8.git2.fc8 #1 SMP Fri Sep 28 17:38:00 EDT 2007 i686 i686
Alert Count                   18
First Seen                    Wed 26 Sep 2007 06:34:54 PM CDT
Last Seen                     Wed 03 Oct 2007 06:18:53 PM CDT
Local ID                      a29d7946-1930-4194-8c71-7edfbf95f972
Line Numbers

Raw Audit Messages

avc: denied { write } for comm=consoletype dev=pipefs egid=0 euid=0 exe=/sbin/consoletype exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[12164] pid=3131 scontext=system_u:system_r:consoletype_t:s0 sgid=0 subj=system_u:system_r:consoletype_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0

From mpk2 at enter.net Wed Oct 3 23:58:12 2007
From: mpk2 at enter.net (Michael Klinosky)
Date: Wed, 03 Oct 2007 19:58:12 -0400
Subject: ftpd is denied access to a dir
Message-ID: <47042C94.8070406@enter.net>

I have Fedora 7, using gnome. I installed pure-ftpd (version 1.0.21-12)
on my personal computer (for my own use), along with the selinux
augment.

When I run the server as a xinetd service, and attempt a unix-style log
in (with gftp, on my LAN), I get this from gftp:

Connected to 10.0.0.50:21
220 (text)
220 (text)
USER mpk
331 user mpk OK. Password required.
PASS xxxx
530 user authentication failed
Disconnected from 10.0.0.50.
On 10.0.0.50, this is in the SElinux troubleshooter:

>> ALERT 1

Summary
SELinux is preventing the ftp daemon from writing files outside the home directory (pure-ftpd).

Detailed Description
SELinux has denied the ftp daemon write access to directories outside the home directory (pure-ftpd). Someone has logged in via your ftp daemon and is trying to create or write a file. If you only setup ftp to allow anonymous ftp, this could signal an intrusion attempt.

Allowing Access
If you do not want SELinux preventing ftp from writing files anywhere on the system you need to turn on the allow_ftpd_full_access boolean: "setsebool -P allow_ftpd_full_access=1"

The following command will allow this access:
setsebool -P allow_ftpd_full_access=1

Additional Information

Source Context                user_u:system_r:ftpd_t
Target Context                user_u:object_r:var_run_t
Target Objects                pure-ftpd [ dir ]
Affected RPM Packages         pure-ftpd-1.0.21-12.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_ftpd_full_access
Host Name                     d500.localdomain
Platform                      Linux d500.localdomain 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   6
First Seen                    Sat 25 Aug 2007 09:54:58 AM EDT
Last Seen                     Sat 25 Aug 2007 10:30:03 AM EDT
Local ID                      a8f17786-d787-4b38-86a2-ce3309391690
Line Numbers

Raw Audit Messages

avc: denied { create } for comm="pure-ftpd" egid=0 euid=0 exe="/usr/sbin/pure-ftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="pure-ftpd" pid=28641 scontext=user_u:system_r:ftpd_t:s0 sgid=0 subj=user_u:system_r:ftpd_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_run_t:s0 tty=(none) uid=0

** I issued that command, and it apparently worked (no complaint displayed).

>> ALERT 2

Summary
SELinux is preventing /usr/sbin/pure-ftpd (ftpd_t) "search" to net (proc_net_t).

Detailed Description
SELinux denied access requested by /usr/sbin/pure-ftpd.
It is not expected that this access is required by /usr/sbin/pure-ftpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for net,

restorecon -v net

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                user_u:system_r:ftpd_t
Target Context                system_u:object_r:proc_net_t
Target Objects                net [ dir ]
Affected RPM Packages         pure-ftpd-1.0.21-12.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     d500.localdomain
Platform                      Linux d500.localdomain 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count                   12
First Seen                    Thu 30 Aug 2007 09:26:07 PM EDT
Last Seen                     Thu 06 Sep 2007 09:30:33 PM EDT
Local ID                      8958c16e-27eb-4d3f-ad5c-787c1a960769
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="pure-ftpd" dev=proc egid=0 euid=0 exe="/usr/sbin/pure-ftpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=19097 scontext=user_u:system_r:ftpd_t:s0 sgid=0 subj=user_u:system_r:ftpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0

** I tried to allow access; I saw that there is a directory 'net' in proc:

[root at d500 proc]# restorecon -v net
lstat(net) failed: Permission denied

Now what? Did I do this wrong, or do I need to create a 'local policy module'?
Btw - if I run pure-ftpd as a standalone, I can login fine (but I don't
want to run it that way).

From kaigai at ak.jp.nec.com Thu Oct 4 11:18:15 2007
From: kaigai at ak.jp.nec.com (KaiGai Kohei)
Date: Thu, 04 Oct 2007 20:18:15 +0900
Subject: userspace checking in passwd command
Message-ID: <4704CBF7.40908@ak.jp.nec.com>

Dan,

Now, I'm tracking the userspace extensions in passwd command
to port them into busybox.

check_selinux_access() is defined as an extension of passwd,
and it enables to confirm passwd:{passwd} permission when
root (uid==0) executes this command.
However, there is a condition to bypass this checking.
I cannot make sure the meaning of the condition.

See the following implementation of the function.
---------------------------
 48 int
 49 check_selinux_access(const char *change_user, int change_uid, unsigned int access)
 50 {
 51     int status = -1;
 52     security_context_t user_context;
 53     const char *user;
 54
 55     if (security_getenforce() == 0) {
 56         status = 0;
 57     } else {
 58         if (getprevcon(&user_context) == 0) {
 59             context_t c;
 60             c = context_new(user_context);
 61             user = context_user_get(c);
 62             if (change_uid != 0 && strcmp(change_user, user) == 0) {
 63                 status = 0;
 64             } else {
 65                 struct av_decision avd;
 66                 int retval;
 67                 retval = security_compute_av(user_context,
 68                                              user_context,
 69                                              SECCLASS_PASSWD,
 70                                              access,
 71                                              &avd);
 72                 if ((retval == 0) &&
 73                     ((access & avd.allowed) == access)) {
 74                     status = 0;
 75                 }
 76             }
 77             context_free(c);
 78             freecon(user_context);
 79         }
 80     }
 81     return status;
 82 }
---------------------------
In line 62, it compares the target uid and username, then checking
passwd:{passwd} is skipped when UID is non-privileged user and username
matched with user field in its security context.

Could you tell me the reason why such a checking is applied.
If it is not necessary, I think we can use checkPasswdAccess() instead.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei

From dwalsh at redhat.com Thu Oct 4 14:47:44 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 04 Oct 2007 10:47:44 -0400
Subject: Intel Network card does not work on SELinux?
In-Reply-To:
References: <1191349546.9506.8.camel@localhost.localdomain> <47040013.7060306@redhat.com>
Message-ID: <4704FD10.8050001@redhat.com>

Shintaro Fujiwara wrote:
> 2007/10/4, Daniel J Walsh :
> Shintaro Fujiwara wrote:
>>>> Thanks! Eric,
>>>> but my version is F7 so I read both files.
>>>> But no denied messages.
>>>> It's strange and I don't understand why it
>>>> works on Default permissive, setenforce 1,
>>>> and
>>>> does not work on Default enforcing, setenforce 0...
>>>>
>>>> And strange enough, maybe once in ten times it works
>>>> even in Default enforcing...
>>>> Also, sometimes does not work on Default permissive
>>>> at all.
>>>>
>>>> I think some other reason...
>>>> or
>>>> I should relabel again.
>>>>
>>>> If it does not work,
>>>> I manage Default permissive and setenforce 1
>>>> for a while.
> Sounds like something is being dontaudited.
>
> So this works with setenforce 0/Permissive mode
> and does not work with setenforce 1/Enforcing mode.
>
>
>> I don't find an answer yet and enableaudit not yet but,
>> I found a weird thing that it's different when I login as non root user
>> and su - between when I login as root.
>> And once I fail using network I have to relabel every time.
>> I just want to make a SE-PostgreSQL machine for Kaigai for the conference
>> and there is no time to analyze but I will scrutinize it on Sunday after
>> the conference maybe just doing enableaudit thing.
>> I will give report on it and want to fix this problem forever :-)
>

Sounds like just /etc/resolv.conf is getting wrong context. You can just
run restorecon -R -v /etc and it will probably fix your problem without
a full relabel.

>>>> Thanks!
>>>>
>>>>
>>>> 2007/10/3, Eric Paris :
>>>>> On Wed, 2007-10-03 at 02:03 +0900, Shintaro Fujiwara wrote:
>>>>>> Hi, I'm having trouble on SELinux, I think.
>>>>>>
>>>>>> I bought an old note-pc, NEC Lavie M LM500/3.
>>>>>> Manufactured in 2002.
>>>>>> It has a network controller named "82551QM Fast Ethernet Controller".
>>>>>> By that machine,
>>>>>> I cannot connect network on targeted enforcing mode.
>>>>>> eth0 rises up OK, but ping not reachable.
>>>>>> On disabled, yes.
>>>>>> So, I thought it's a SELinux problem.
>>>>>> No denied messages, so I have no clues.
>>>>>> Not yet done enableaudit everything.
>>>>>> I tried to install Intel driver but failed,
>>>>>> echoed messages something like,
>>>>>> no such file config.h...
>>>>> My only thought is are you looking in the right place? denials may be
>>>>> in /var/log/messages or in /var/log/audit/audit.log depending if the
>>>>> audit subsystem is on. What version of Fedora are you running?
>>>>>
>>>>> /me bets on some mislabeled files from when you ran with selinux off,
>>>>> but if you can find those denials that would help.
>>>>>
>>>>> -Eric
>>>>>
>>>>
>>

From gunchev at gmail.com Thu Oct 4 19:51:59 2007
From: gunchev at gmail.com (Doncho N. Gunchev)
Date: Thu, 4 Oct 2007 22:51:59 +0300
Subject: SELinux denies httpd access to /etc/my.cnf
In-Reply-To: <4703A033.2010800@nobugconsulting.ro>
References: <200710020446.27418.amessina@messinet.com> <4702344E.3000005@redhat.com> <4703A033.2010800@nobugconsulting.ro>
Message-ID: <200710042251.59732.gunchev@gmail.com>

On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote:
> Daniel J Walsh wrote:
> > Anthony Messina wrote:
> >
> >> I get the following in my logs, in permissive mode:
> >>
> >> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48
> >> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
> >> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
> >> subj=root:system_r:httpd_t:s0 suid=48 tclass=file
> >> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
...
> > Yes it should have the ability to read it. The only reason there is a
> > type on this file is for database admins to be able to manage it.
> >
> > So will update policy to allow http to read the file.
> >
> >
> Humm.. /me puzzled
> Could someone please explain why would the web server (aka httpd)
> need read access to the configuration of the MySQL server ? I've seen
> quite a few servers in place and never felt the need to crossmix those
> two server daemons with their config files. I've also thought that
> httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf and httpd + DB
> implies httpd talking to mysqld .

Because that's the file mysql clients read their settings too :-(
ex:
[client]
user=mysql_owner
socket=/path/to/datadir/mysql/mysql.sock
...
http://dev.mysql.com/doc/refman/5.0/en/option-files.html

--
Regards,
Doncho N. Gunchev, GPG key ID: 0EF40B9E, Key server: pgp.mit.edu

From wolfy at nobugconsulting.ro Thu Oct 4 23:22:18 2007
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Fri, 05 Oct 2007 02:22:18 +0300
Subject: SELinux denies httpd access to /etc/my.cnf
In-Reply-To: <200710042251.59732.gunchev@gmail.com>
References: <200710020446.27418.amessina@messinet.com> <4702344E.3000005@redhat.com> <4703A033.2010800@nobugconsulting.ro> <200710042251.59732.gunchev@gmail.com>
Message-ID: <470575AA.30709@nobugconsulting.ro>

On 10/04/2007 10:51 PM, Doncho N. Gunchev wrote:
> On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote:
>
>> Daniel J Walsh wrote:
>>
>>> Anthony Messina wrote:
>>>
>>>
>>>> I get the following in my logs, in permissive mode:
>>>>
>>>> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48
>>>> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf"
>>>> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48
>>>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file
>>>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48
>>>>
> ...
>
>>> Yes it should have the ability to read it. The only reason there is a
>>> type on this file is for database admins to be able to manage it.
>>>
>>> So will update policy to allow http to read the file.
>>>
>>>
>>>
>> Humm.. /me puzzled
>> Could someone please explain why would the web server (aka httpd)
>> need read access to the configuration of the MySQL server ? I've seen
>> quite a few servers in place and never felt the need to crossmix those
>> two server daemons with their config files. I've also thought that
>> httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf and httpd + DB
>> implies httpd talking to mysqld .
>>
>
> Because that's the file mysql clients read their settings too :-(
> ex:
> [client]
> user=mysql_owner
> socket=/path/to/datadir/mysql/mysql.sock
> ...
> http://dev.mysql.com/doc/refman/5.0/en/option-files.html
>
>

Right, but we were talking about the httpd daemon, not about mysql
clients (aka "Most MySQL programs can read startup options from option
files ", quoting from the page of which you have given the URL ). Or
maybe httpd is a mysql client, too, and it just happens that I have
never met such a setup ? We are not talking about executing mysql
command line tools from web pages, are we ?

Manuel

From drepper at redhat.com Fri Oct 5 16:52:23 2007
From: drepper at redhat.com (Ulrich Drepper)
Date: Fri, 05 Oct 2007 09:52:23 -0700
Subject: AVCs on suspend/resume
In-Reply-To: <4c4ba1530710021425h18f65294j3ed0eeb0de7eedbe@mail.gmail.com>
References: <4c4ba1530710021425h18f65294j3ed0eeb0de7eedbe@mail.gmail.com>
Message-ID: <47066BC7.6080500@redhat.com>

Tom London wrote:
> I'm guessing the first AVC (from alsactl) is from
> /usr/lib/pm-utils/sleep.d/65alsa. There is this code there:

https://bugzilla.redhat.com/show_bug.cgi?id=305311

--
Ulrich Drepper - Red Hat, Inc. - 444 Castro St - Mountain View, CA

From dwalsh at redhat.com Fri Oct 5 19:32:23 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 05 Oct 2007 15:32:23 -0400
Subject: userspace checking in passwd command
In-Reply-To: <4704CBF7.40908@ak.jp.nec.com>
References: <4704CBF7.40908@ak.jp.nec.com>
Message-ID: <47069147.1060501@redhat.com>

KaiGai Kohei wrote:
> Dan,
>
> Now, I'm tracking the userspace extensions in passwd command
> to port them into busybox.
>
> check_selinux_access() is defined as an extension of passwd,
> and it enables to confirm passwd:{passwd} permission when
> root (uid==0) executes this command.
> However, there is a condition to bypass this checking.
> I cannot make sure the meaning of the condition.
>
> See the following implementation of the function.
> ---------------------------
>  48 int
>  49 check_selinux_access(const char *change_user, int change_uid, unsigned int access)
>  50 {
>  51     int status = -1;
>  52     security_context_t user_context;
>  53     const char *user;
>  54
>  55     if (security_getenforce() == 0) {
>  56         status = 0;
>  57     } else {
>  58         if (getprevcon(&user_context) == 0) {
>  59             context_t c;
>  60             c = context_new(user_context);
>  61             user = context_user_get(c);
>  62             if (change_uid != 0 && strcmp(change_user, user) == 0) {
>  63                 status = 0;
>  64             } else {
>  65                 struct av_decision avd;
>  66                 int retval;
>  67                 retval = security_compute_av(user_context,
>  68                                              user_context,
>  69                                              SECCLASS_PASSWD,
>  70                                              access,
>  71                                              &avd);
>  72                 if ((retval == 0) &&
>  73                     ((access & avd.allowed) == access)) {
>  74                     status = 0;
>  75                 }
>  76             }
>  77             context_free(c);
>  78             freecon(user_context);
>  79         }
>  80     }
>  81     return status;
>  82 }
> ---------------------------
> In line 62, it compares the target uid and username, then checking
> passwd:{passwd} is skipped when UID is non-privileged user and username
> matched with user field in its security context.
>
> Could you tell me the reason why such a checking is applied.
> If it is not necessary, I think we can use checkPasswdAccess() instead.
>
> Thanks,

This allows the user to change his own password. The idea is to prevent
someone running as UID 0 from changing someone else's password unless
they have the passwd:passwd priv.
From dwalsh at redhat.com Fri Oct 5 19:35:16 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 05 Oct 2007 15:35:16 -0400
Subject: dhclient-script avc error f7
In-Reply-To: <20071003145653.51dcf315@atbws1.stanford.edu>
References: <20070930090621.GA5632@stanford.edu> <47024209.9010905@redhat.com> <20071002110709.38140dc9@atbws1.stanford.edu> <20071003145653.51dcf315@atbws1.stanford.edu>
Message-ID: <470691F4.1000509@redhat.com>

Tim Fenn wrote:
> On Tue, 2 Oct 2007 11:07:09 -0700 Tim Fenn wrote:
>
>> I recently dove into policy writing, but will rewrite my policy based
>> on the domain transfer suggestion and report back once I have
>> something working.
>>
>
> Here is the policy I cooked up:
>
>
> policy_module(mydhcp,1.0.0)
>
> ########################################
> #
> # Declarations
> #
> require {
>         type dhcpc_t;
>         type insmod_t;
>         type iptables_t;
>         class rawip_socket { read write };
> }
>
> iptables_domtrans(dhcpc_t)
>
> #============= insmod_t ==============
> allow insmod_t iptables_t:rawip_socket { read write };
>
>
> Not sure if it would be best to transfer iptables_t to modutils here?
>
> -Tim
>

This looks like iptables is leaking a file descriptor, and the kernel is
checking if insmod_t has access to it. It does not, so the kernel closes
it and replaces it with /dev/null. So this is not going to affect your
code, but should be reported as a bug in iptables.

fcntl(fd, F_SETFD, FD_CLOEXEC) should be called on open file descriptors
before fork/exec.
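The close-on-exec point in the reply above, shown as an added example (not code from the list, from iptables or from the selinux-policy project): a pipe's write end is handed to a freshly exec'd /bin/sh once without FD_CLOEXEC and once with it, and the parent observes whether the descriptor survived the exec. A descriptor that survives is exactly what the kernel then checks against the new domain, which is how an insmod_t denial on an iptables_t rawip_socket can appear even though insmod itself never opened a socket. The names is_cloexec, set_cloexec and write_end_survives_exec are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added example: demonstrates the FD_CLOEXEC advice from the reply above.
   Not code from iptables or dhclient. */

/* Report whether fd carries FD_CLOEXEC: 1 yes, 0 no, -1 if fd is invalid. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark fd close-on-exec without clobbering other descriptor flags.
   Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Create a pipe, optionally mark its write end close-on-exec, then fork and
   exec /bin/sh told to write into that descriptor number. The parent reads
   the pipe: data arriving means the descriptor leaked across exec.
   Returns 1 (leaked), 0 (closed by exec), -1 on setup failure. */
int write_end_survives_exec(int mark_cloexec)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    if (mark_cloexec && set_cloexec(p[1]) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: silence the shell's stderr first so a "Bad file descriptor"
           complaint from the failed redirection does not clutter the output. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "exec 2>/dev/null; echo leaked >&%d", p[1]);
        close(p[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    close(p[1]);                 /* parent keeps only the read end */
    char buf[16];
    ssize_t n = read(p[0], buf, sizeof buf);
    close(p[0]);
    int status;
    waitpid(pid, &status, 0);
    return n > 0 ? 1 : 0;
}

int main(void)
{
    printf("plain pipe write end leaks across exec: %d\n", write_end_survives_exec(0));
    printf("FD_CLOEXEC pipe write end leaks:        %d\n", write_end_survives_exec(1));
    return 0;
}
```

The reply's fcntl(fd, F_SETFD, FD_CLOEXEC) form sets the descriptor flag word outright; the example reads F_GETFD first and ORs in the bit, which is the habit that survives if more descriptor flags ever appear. In threaded programs there is still a window between open() and fcntl() in which another thread may fork and exec; opening with O_CLOEXEC (Linux 2.6.23 and later) closes that window.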
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHBpH0rlYvE4MpobMRAtwMAKDTSbyTUSeXvaMWafn8lxDQ9JpRLgCgzSNU KV2dnNk+NphbkQRFeZiWehg= =OY/M -----END PGP SIGNATURE----- From selinux at gmail.com Sat Oct 6 17:09:52 2007 From: selinux at gmail.com (Tom London) Date: Sat, 6 Oct 2007 10:09:52 -0700 Subject: AVCs on update of selinux-policy-targeted-3.0.8-18.fc8 Message-ID: <4c4ba1530710061009pb16a57fi43295569541daccc@mail.gmail.com> During today's rawhide update I got the following AVCs during the update of selinux-policy-targeted-3.0.8-18.fc8: type=AVC msg=audit(1191690239.759:30): avc: denied { write } for pid=5397 comm="setsebool" path="pipe:[16633]" dev=pipefs ino=16633 scontext=system_u:system_r:setsebool_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=fifo_file type=AVC msg=audit(1191690239.759:30): avc: denied { write } for pid=5397 comm="setsebool" path="pipe:[16633]" dev=pipefs ino=16633 scontext=system_u:system_r:setsebool_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=fifo_file type=SYSCALL msg=audit(1191690239.759:30): arch=40000003 syscall=11 success=yes exit=0 a0=93b1dc8 a1=93b1058 a2=93b0bc8 a3=0 items=0 ppid=5396 pid=5397 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="setsebool" exe="/usr/sbin/setsebool" subj=system_u:system_r:setsebool_t:s0 key=(null) No error messages from yum..... tom -- Tom London From gunchev at gmail.com Mon Oct 8 15:07:50 2007 From: gunchev at gmail.com (Doncho N. Gunchev) Date: Mon, 8 Oct 2007 18:07:50 +0300 Subject: SELinux denies httpd access to /etc/my.cnf In-Reply-To: <470575AA.30709@nobugconsulting.ro> References: <200710020446.27418.amessina@messinet.com> <200710042251.59732.gunchev@gmail.com> <470575AA.30709@nobugconsulting.ro> Message-ID: <200710081807.51474.gunchev@gmail.com> On Friday 2007-10-05 02:22:18 Manuel Wolfshant wrote: > On 10/04/2007 10:51 PM, Doncho N. 
Gunchev wrote: > > On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote: > > > >> Daniel J Walsh wrote: > >> > >>> -----BEGIN PGP SIGNED MESSAGE----- > >>> Hash: SHA1 > >>> > >>> Anthony Messina wrote: > >>> > >>> > >>>> I get the following in my logs, in permissive mode: > >>>> > >>>> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 > >>>> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 name="my.cnf" > >>>> pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 > >>>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file > >>>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48 > >>>> > > ... > > > >>> Yes it should have the ability to read it. The only reason there is a > >>> type on this file is for database admins to be able to manage it. > >>> > >>> So will update policy to allow http to read the file. > >>> > >>> > >>> > >> Humm.. /me puzzled > >> Could someone please explain why would the web server (aka httpd) > >> need read access to the configuration of the MySQL server ? I've seen > >> quite a few servers in place and never felt the need to crossmix those > >> two servers daemons with their config files. I've also thought that > >> httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf and httpd + DB > >> implies httpd talking to mysqld . > >> > > > > Because that's the file mysql clients read their settings too :-( > > ex: > > [client] > > user=mysql_owner > > socket=/path/to/datadir/mysql/mysql.sock > > ... > > http://dev.mysql.com/doc/refman/5.0/en/option-files.html > > > > > Right, but we were talking about the httpd daemon, not about mysql > clients (aka "Most MySQL programs can read startup options from option > files ", quoting from the page of which you have given the URL ). Or > maybe httpd is a mysql client, too, and it just happens that I have > never met such a setup ? We are not talking about executing mysql > command line tools from web pages, are we ? > No, I was not talking about apache executing mysql. 
I though libmysqlclient.so.15 reads /etc/my.cnf (strings libmysqlclient.so.15), but it seems it is configurable (from php.net comments). I tested with # inotifywait /etc/my.cnf on FC7/FC8t3, but restarting apache or running php scripts that access the DB shows no access. I'm almost sure I used this a year ago to change the default encoding, but now it does not work this way any more. In short, sorry, httpd here does not access /etc/my.cnf. Maybe some other module like mod_auth_mysql is responsible, but I have not tested it. Anthony, what modules do you use and do you have any script that executes mysql (the client) directly? What distribution, php, apache and mysql versions...? -- Regards, Doncho N. Gunchev, GPG key ID: 0EF40B9E, Key server: pgp.mit.edu From amessina at messinet.com Mon Oct 8 16:56:27 2007 From: amessina at messinet.com (Anthony Messina) Date: Mon, 8 Oct 2007 11:56:27 -0500 Subject: SELinux denies httpd access to /etc/my.cnf In-Reply-To: <200710081807.51474.gunchev@gmail.com> References: <200710020446.27418.amessina@messinet.com> <470575AA.30709@nobugconsulting.ro> <200710081807.51474.gunchev@gmail.com> Message-ID: <200710081156.30562.amessina@messinet.com> On Monday 08 October 2007 10:07:50 am Doncho N. Gunchev wrote: > On Friday 2007-10-05 02:22:18 Manuel Wolfshant wrote: > > On 10/04/2007 10:51 PM, Doncho N. Gunchev wrote: > > > On Wednesday 2007-10-03 16:59:15 Manuel Wolfshant wrote: > > >> Daniel J Walsh wrote: > > >>> -----BEGIN PGP SIGNED MESSAGE----- > > >>> Hash: SHA1 > > >>> > > >>> Anthony Messina wrote: > > >>>> I get the following in my logs, in permissive mode: > > >>>> > > >>>> avc: denied { read } for comm="httpd" dev=sda2 egid=48 euid=48 > > >>>> exe="/usr/sbin/httpd" exit=32 fsgid=48 fsuid=48 gid=48 items=0 > > >>>> name="my.cnf" pid=27369 scontext=root:system_r:httpd_t:s0 sgid=48 > > >>>> subj=root:system_r:httpd_t:s0 suid=48 tclass=file > > >>>> tcontext=system_u:object_r:mysqld_etc_t:s0 tty=(none) uid=48 > > > > > > ... 
> > > > > >>> Yes it should have the ability to read it. The only reason there is > > >>> a type on this file is for database admins to be able to manage it. > > >>> > > >>> So will update policy to allow http to read the file. > > >> > > >> Humm.. /me puzzled > > >> Could someone please explain why would the web server (aka httpd) > > >> need read access to the configuration of the MySQL server ? I've seen > > >> quite a few servers in place and never felt the need to crossmix those > > >> two servers daemons with their config files. I've also thought that > > >> httpd reads/uses /etc/httpd/*, mysqld uses /etc/my.cnf and httpd + DB > > >> implies httpd talking to mysqld . > > > > > > Because that's the file mysql clients read their settings too :-( > > > ex: > > > [client] > > > user=mysql_owner > > > socket=/path/to/datadir/mysql/mysql.sock > > > ... > > > http://dev.mysql.com/doc/refman/5.0/en/option-files.html > > > > Right, but we were talking about the httpd daemon, not about mysql > > clients (aka "Most MySQL programs can read startup options from option > > files ", quoting from the page of which you have given the URL ). Or > > maybe httpd is a mysql client, too, and it just happens that I have > > never met such a setup ? We are not talking about executing mysql > > command line tools from web pages, are we ? > > No, I was not talking about apache executing mysql. > > I though libmysqlclient.so.15 reads /etc/my.cnf (strings > libmysqlclient.so.15), but it seems it is configurable (from php.net > comments). I tested with # inotifywait /etc/my.cnf > on FC7/FC8t3, but restarting apache or running php scripts that > access the DB shows no access. I'm almost sure I used this a year > ago to change the default encoding, but now it does not work this > way any more. > > In short, sorry, httpd here does not access /etc/my.cnf. > > Maybe some other module like mod_auth_mysql is responsible, but I > have not tested it. 
Anthony, what modules do you use and do you > have any script that executes mysql (the client) directly? What > distribution, php, apache and mysql versions...? fedora 7 httpd-2.2.6-1.fc7 php-5.2.4-1.fc7 mysql-server-5.0.45-1.fc7 Loaded Modules: mod_python.c, mod_ssl.c, mod_php5.c, mod_perl.c, mod_cgi.c, mod_suexec.c, mod_rewrite.c, mod_alias.c, mod_userdir.c, mod_speling.c, mod_actions.c, mod_dir.c, mod_negotiation.c, mod_vhost_alias.c, mod_dav_fs.c, mod_info.c, mod_autoindex.c, mod_status.c, mod_dav.c, mod_mime.c, mod_setenvif.c, mod_usertrack.c, mod_headers.c, mod_deflate.c, mod_expires.c, mod_mime_magic.c, mod_ext_filter.c, mod_env.c, mod_logio.c, mod_log_config.c, mod_include.c, mod_authnz_ldap.c, util_ldap.c, mod_authz_default.c, mod_authz_dbm.c, mod_authz_groupfile.c, mod_authz_owner.c, mod_authz_user.c, mod_authz_host.c, mod_authn_default.c, mod_authn_dbm.c, mod_authn_anon.c, mod_authn_alias.c, mod_authn_file.c, mod_auth_digest.c, mod_auth_basic.c, mod_so.c, http_core.c, prefork.c, core.c Server Settings Server Version: Apache/2.2.6 (Unix) DAV/2 PHP/5.2.4 mod_ssl/2.2.6 OpenSSL/0.9.8b mod_python/3.3.1 Python/2.5 mod_perl/2.0.3 Perl/v5.8.8 -- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part. URL: From ruedarod at cse.psu.edu Tue Oct 9 01:20:14 2007 From: ruedarod at cse.psu.edu (Sandra Rueda) Date: Mon, 8 Oct 2007 21:20:14 -0400 Subject: SELinux Policy Server Message-ID: Hello, I am interested in the SELinux Policy Server Project that is lead by Tresys. I looked for information about it and I downloaded the version of the SELinux Policy Server that is available at sourceforge.net. 
I have some questions regarding the process to build the server: - The guide indicates that the kernel requires some modifications. However, by reading the readme files inside the package it looks like such modifications were required for those kernels that did not include SELinux by default. Thus fedora core 5 and higher do not really require such modifications. For recent kernel with SElinux support I only need to apply the changes to the selinux policy directory. Is this right? - It looks like the commands included in the package do not work with policies higher than 18. The command checkpolicy complains when I try to compile my reference policy because of the optional policies. Should I look for older versions of the reference policy? - Also, the checkpolicy created with the package does not support the option -M. Does it mean that the current version of the Policy Server does not support the MLS extension? I know this is a project in development but in any case I would like to know. If anyone have answers or comments regarding my questions I would really appreciate any help. Thanks, Sandra -------------- next part -------------- An HTML attachment was scrubbed... URL: From sds at tycho.nsa.gov Tue Oct 9 13:59:28 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 09 Oct 2007 09:59:28 -0400 Subject: SELinux Policy Server In-Reply-To: References: Message-ID: <1191938368.24970.75.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2007-10-08 at 21:20 -0400, Sandra Rueda wrote: > Hello, > > > I am interested in the SELinux Policy Server Project that is lead by > Tresys. I looked for information about it and I downloaded the version > of the SELinux Policy Server that is available at sourceforge.net. Questions about upstream selinux (i.e. not Fedora-specific) belong on the selinux at tycho.nsa.gov mailing list. 
Policy server has moved to http://oss.tresys.com/projects/policy-server

--
Stephen Smalley
National Security Agency

From kas at fi.muni.cz Tue Oct 9 16:24:21 2007
From: kas at fi.muni.cz (Jan Kasprzak)
Date: Tue, 9 Oct 2007 18:24:21 +0200
Subject: Confining TeX
In-Reply-To: <20070227162743.GB24300@fi.muni.cz>
References: <20070227162743.GB24300@fi.muni.cz>
Message-ID: <20071009162421.GC3722@fi.muni.cz>

A few months ago I wrote to this list about confining TeX. So far I have created the policy module, which works for me. But I would like to get some review of this module, as I am still not sure, for example, when to use the explicit "allow" directive and when some macros instead (like libs_use_ld_so() etc. - is there a list of such macros?).

Now I want to confine Xvfb - has anybody tried this?

Anyway, my tex.te is the following:

------------------------------------------------------------
policy_module(tex, 1.0)

require {
        type bin_t;
        type default_t;
        type initrc_t;
};

# Executable files from the TeX installation
type tex_exec_t;
files_type(tex_exec_t);

# TeX data files
type tex_data_t;
files_type(tex_data_t);

# Temporary files and TeX output
type tex_tmp_t;
files_type(tex_tmp_t);

# Domain under which the TeX daemon runs
type tex_t;
domain_type(tex_t);
role system_r types tex_t;

libs_use_shared_libs(tex_t);
libs_use_ld_so(tex_t);
miscfiles_read_localization(tex_t);
fs_search_all(tex_t);
kernel_dontaudit_read_system_state(tex_t); # dvipng reads /proc/meminfo

allow tex_t tex_exec_t:lnk_file { getattr read };
allow tex_t tex_exec_t:dir ra_dir_perms;
allow tex_t default_t:dir ra_dir_perms;
allow tex_t default_t:file getattr;
allow tex_t tex_tmp_t:file manage_file_perms;
allow tex_t tex_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };
allow tex_t tex_data_t:file ra_file_perms;
allow tex_t tex_data_t:dir ra_dir_perms;
allow unconfined_t tex_data_t:file manage_file_perms;
allow tex_t bin_t:dir search;
allow tex_t initrc_t:fd use;
allow tex_t initrc_t:process sigchld;

domain_trans(unconfined_t, tex_exec_t, tex_t);
domain_trans(initrc_t, tex_exec_t, tex_t);
domain_entry_file(tex_t, tex_exec_t);

term_dontaudit_use_all_user_ttys(tex_t);
files_dontaudit_search_home(tex_t);
------------------------------------------------------------

Thanks,

-Yenya

--
| Jan "Yenya" Kasprzak                                                     |
| GPG: ID 1024/D3498839      Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/    Journal: http://www.fi.muni.cz/~kas/blog/ |
> So at least in some cases, I think we should "default to stupid,        <
> but give users rope". --Linus Torvalds                                   <

From selinux at gmail.com Tue Oct 9 16:30:04 2007
From: selinux at gmail.com (Tom London)
Date: Tue, 9 Oct 2007 09:30:04 -0700
Subject: udev/sound/alsa: needs to read /var/lib/alsa/asound.state (alsa_var_lib_t)
In-Reply-To: <20070925150318.GA3409@nostromo.devel.redhat.com>
References: <4c4ba1530709250714r5b50e533ra06d472f53026f38@mail.gmail.com> <20070925150318.GA3409@nostromo.devel.redhat.com>
Message-ID: <4c4ba1530710090930t1a2cf898r34b574bbd1ae2229@mail.gmail.com>

On 9/25/07, Bill Nottingham wrote:
> Tom London (selinux at gmail.com) said:
> > Running latest rawhide, targeted enforcing.
> >
> > Booting up, udev (90-alsa.rules) runs /sbin/salsa to read
> > /var/lib/alsa/asound.state.
>
> Don't fix this in policy, that's just broken in alsa.
>
> You can't save mixer settings there, as /var may not be mounted when
> this runs.
*Sigh* > > Bill > More 'sigh': Booting in permissive mode now produces: Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: denied { read } for pid=1553 comm="alsactl" name="asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file Oct 9 07:08:33 localhost kernel: audit(1191938899.844:4): avc: denied { getattr } for pid=1553 comm="alsactl" path="/etc/alsa/asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file Not 100% sure why this now is reported against alsactl (instead of salsa); and shouldn't alsactl be running in 'alsa_t'? I did make one change to 90-alsa.rules: I changed 'RUN+="/sbin/salsa"' to RUN+="/sbin/salsa -l" on both ControlC* and pcm* lines. Not sure if that 'broke something'. tom -- Tom London From kaigai at ak.jp.nec.com Wed Oct 10 04:48:49 2007 From: kaigai at ak.jp.nec.com (KaiGai Kohei) Date: Wed, 10 Oct 2007 13:48:49 +0900 Subject: BUG? in mkswap (Re: The current status of sebusybox project) In-Reply-To: <470C532E.5020108@ak.jp.nec.com> References: <470C532E.5020108@ak.jp.nec.com> Message-ID: <470C59B1.1050306@ak.jp.nec.com> Karel, Can I consider that you are the most appropriate person to report about the following matter? The changelog in util-linux-ng.spec says: | * Wed Mar 8 2006 Karel Zak 2.13-0.17 | - fix #181782 - mkswap selinux relabeling (fix util-linux-2.13-mkswap-selinux.patch) > * /sbin/mkswap (should be ported later.) > - It enables to relabel the target file as "swapfile_t", when we use > a regular file as a swap. 
In util-linux-ng-2.13-1.fc8.src.rpm, this feature is implemented as follows:

at util-linux-ng-2.13/disk-utils/mkswap.c
-------------------------------------------------------
  75 #define SELINUX_SWAPFILE_TYPE "swapfile_t"
       :
       :
 735 #ifdef HAVE_LIBSELINUX
 736         if (S_ISREG(statbuf.st_mode) && is_selinux_enabled()) {
 737                 security_context_t context_string;
 738                 security_context_t oldcontext;
 739                 context_t newcontext;
 740
 741                 if ((fgetfilecon(DEV, &oldcontext) < 0) &&
 742                     (errno != ENODATA)) {
 743                         fprintf(stderr, _("%s: %s: unable to obtain selinux file label: %s\n"),
 744                                 program_name, device_name,
 745                                 strerror(errno));
 746                         exit(1);
 747                 }
 748                 if (!(newcontext = context_new(oldcontext)))
 749                         die(_("unable to create new selinux context"));
 750                 if (context_type_set(newcontext, SELINUX_SWAPFILE_TYPE))
 751                         die(_("couldn't compute selinux context"));
 752
 753                 context_string = context_str(newcontext);
 754
 755                 if (strcmp(context_string, oldcontext)!=0) {
 756                         if (fsetfilecon(DEV, context_string)) {
 757                                 fprintf(stderr, _("%s: unable to relabel %s to %s: %s\n"),
 758                                         program_name, device_name,
 759                                         context_string,
 760                                         strerror(errno));
 761                                 exit(1);
 762                         }
 763                 }
 764                 context_free(newcontext);
 765                 freecon(oldcontext);
 766         }
 767 #endif
-------------------------------------------------------

Pay attention around line 741. If fgetfilecon() fails and returns -ENODATA, context_new() will be called with an uninitialized oldcontext next. Then it causes a segmentation fault.

If you don't want to exit immediately, I think this logic can be changed as follows:

-------------------------------------------------------
        if (fgetfilecon(DEV, &oldcontext) < 0) {
                if (errno != ENODATA) {
                        fprintf(stderr, _("%s: %s: unable to obtain selinux file label: %s\n"),
                                program_name, device_name,
                                strerror(errno));
                        exit(1);
                }
                /* no label stored on the file: fall back to the file_contexts default */
                if (matchpathcon(device_name, statbuf.st_mode, &oldcontext))
                        die(_("unable to create new selinux context"));
        }
        if (!(newcontext = context_new(oldcontext)))
                die(_("unable to create new selinux context"));
-------------------------------------------------------

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei

From selinux at gmail.com Wed Oct 10 14:48:59 2007
From: selinux at gmail.com (Tom London)
Date: Wed, 10 Oct 2007 07:48:59 -0700
Subject: udev/sound/alsa: needs to read /var/lib/alsa/asound.state (alsa_var_lib_t)
In-Reply-To: <4c4ba1530710090930t1a2cf898r34b574bbd1ae2229@mail.gmail.com>
References: <4c4ba1530709250714r5b50e533ra06d472f53026f38@mail.gmail.com> <20070925150318.GA3409@nostromo.devel.redhat.com> <4c4ba1530710090930t1a2cf898r34b574bbd1ae2229@mail.gmail.com>
Message-ID: <4c4ba1530710100748y70acc7d5lf1a3fbcd9db4f677@mail.gmail.com>

On 10/9/07, Tom London wrote:
> On 9/25/07, Bill Nottingham wrote:
> > Tom London (selinux at gmail.com) said:
> > > Running latest rawhide, targeted enforcing.
> > >
> > > Booting up, udev (90-alsa.rules) runs /sbin/salsa to read
> > > /var/lib/alsa/asound.state.
> >
> > Don't fix this in policy, that's just broken in alsa.
> >
> > You can't save mixer settings there, as /var may not be mounted when
> > this runs.
> > *Sigh*
> >
> > Bill
> >
>
> More 'sigh':
>
> Booting in permissive mode now produces:
>
> Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc:
> denied { read } for pid=1553 comm="alsactl" name="asound.state"
> dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
> Oct 9 07:08:33 localhost kernel: audit(1191938899.844:4): avc:
> denied { getattr } for pid=1553 comm="alsactl"
> path="/etc/alsa/asound.state" dev=dm-0 ino=11076536
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
>
> Not 100% sure why this now is reported against alsactl (instead of
> salsa); and shouldn't alsactl be running in 'alsa_t'?
>
> I did make one change to 90-alsa.rules: I changed 'RUN+="/sbin/salsa"'
> to RUN+="/sbin/salsa -l" on both ControlC* and pcm* lines. Not sure if
> that 'broke something'.
>

I've managed to 'make sound come up on boot' by doing the following:

1. Change the 90-alsa.rules entry to:

SUBSYSTEM=="sound", KERNEL=="controlC*" RUN+="/sbin/salsa -l %n"
SUBSYSTEM=="sound", KERNEL=="pcm*" RUN+="/sbin/salsa"

[Not sure if the changes to the first line or if the second line are really needed.....]

2. Added the following 'local' policy:

module fixsalsa 1.0;

require {
        type udev_t;
        type alsa_etc_rw_t;
        class file { read getattr };
}

#============= udev_t ==============
allow udev_t alsa_etc_rw_t:file { read getattr };

System now boots without AVCs in either /var/log/messages or /var/log/audit/audit.log, and sound is properly saved on shutdown and restored on boot.

I am a bit confused, since /sbin/salsa is alsa_exec_t, so shouldn't udev_t transition to alsa_t?
tom -- Tom London From olivares14031 at yahoo.com Mon Oct 8 22:40:44 2007 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Mon, 8 Oct 2007 15:40:44 -0700 (PDT) Subject: SELinux is preventing /usr/bin/vlc from changing the access protection of Message-ID: <20071008224044.14647.qmail@web52608.mail.re2.yahoo.com> memory on the heap To: fedora-test-list at redhat.com Cc: fedora-selinux-list at redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Message-ID: <47195.13984.qm at web52608.mail.re2.yahoo.com> Dear all, I have finished installing vlc from livna-devel repo, and upon starting it, Selinux setroubleshooter greets me with the following: What is a heap? What should I do? Thanks in Advance, Antonio Summary SELinux is preventing /usr/bin/vlc from changing the access protection of memory on the heap. Detailed Description The /usr/bin/vlc application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. If /usr/bin/vlc does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Allowing Access If you want /usr/bin/vlc to continue, you must turn on the allow_execheap boolean. Note: This boolean will affect all applications on the system. 
The following command will allow this access: setsebool -P allow_execheap=1 Additional Information Source Context system_u:system_r:unconfined_t Target Context system_u:system_r:unconfined_t Target Objects None [ process ] Affected RPM Packages vlc-0.8.6c-5.lvn8 [application] Policy RPM selinux-policy-3.0.8-18.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.allow_execheap Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.23-0.222.rc9.git4.fc8 #1 SMP Sat Oct 6 13:53:58 EDT 2007 i686 i686 Alert Count 2 First Seen Mon 08 Oct 2007 05:36:54 PM CDT Last Seen Mon 08 Oct 2007 05:36:55 PM CDT Local ID a7f4dbf5-ffcd-472d-b654-8d68c350adad Line Numbers Raw Audit Messages avc: denied { execheap } for comm=wxvlc egid=500 euid=500 exe=/usr/bin/vlc exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=13225 scontext=system_u:system_r:unconfined_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500 ____________________________________________________________________________________ Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online. 
http://smallbusiness.yahoo.com/webhosting From dwalsh at redhat.com Wed Oct 10 19:39:31 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 10 Oct 2007 15:39:31 -0400 Subject: SELinux is preventing /usr/bin/vlc from changing the access protection of In-Reply-To: <20071008224044.14647.qmail@web52608.mail.re2.yahoo.com> References: <20071008224044.14647.qmail@web52608.mail.re2.yahoo.com> Message-ID: <470D2A73.2040603@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antonio Olivares wrote: > memory on the heap > To: fedora-test-list at redhat.com > Cc: fedora-selinux-list at redhat.com > MIME-Version: 1.0 > Content-Type: text/plain; charset=iso-8859-1 > Content-Transfer-Encoding: 8bit > Message-ID: <47195.13984.qm at web52608.mail.re2.yahoo.com> > > Dear all, > > I have finished installing vlc from livna-devel repo, > and upon starting it, Selinux setroubleshooter greets > me with the following: > > What is a heap? What should I do? > > Thanks in Advance, > > Antonio > > Summary > SELinux is preventing /usr/bin/vlc from changing > the access protection of > memory on the heap. > > Detailed Description > The /usr/bin/vlc application attempted to change > the access protection of > memory on the heap (e.g., allocated using malloc). > This is a potential > security problem. Applications should not be > doing this. Applications are > sometimes coded incorrectly and request this > permission. The > http://people.redhat.com/drepper/selinux-mem.html > web page explains how to > remove this requirement. If /usr/bin/vlc does not > work and you need it to > work, you can configure SELinux temporarily to > allow this access until the > application is fixed. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi > against this package. > > Allowing Access > If you want /usr/bin/vlc to continue, you must > turn on the allow_execheap > boolean. Note: This boolean will affect all > applications on the system. 
> > The following command will allow this access: > setsebool -P allow_execheap=1 > > Additional Information > > Source Context > system_u:system_r:unconfined_t > Target Context > system_u:system_r:unconfined_t > Target Objects None [ process ] > Affected RPM Packages vlc-0.8.6c-5.lvn8 > [application] > Policy RPM > selinux-policy-3.0.8-18.fc8 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name plugins.allow_execheap > Host Name localhost.localdomain > Platform Linux > localhost.localdomain > > 2.6.23-0.222.rc9.git4.fc8 #1 SMP Sat Oct 6 > 13:53:58 EDT 2007 i686 > i686 > Alert Count 2 > First Seen Mon 08 Oct 2007 05:36:54 > PM CDT > Last Seen Mon 08 Oct 2007 05:36:55 > PM CDT > Local ID > a7f4dbf5-ffcd-472d-b654-8d68c350adad > Line Numbers > > Raw Audit Messages > > avc: denied { execheap } for comm=wxvlc egid=500 > euid=500 exe=/usr/bin/vlc > exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=13225 > scontext=system_u:system_r:unconfined_t:s0 sgid=500 > subj=system_u:system_r:unconfined_t:s0 suid=500 > tclass=process > tcontext=system_u:system_r:unconfined_t:s0 tty=(none) > uid=500 > > > > > > ____________________________________________________________________________________ > Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online. > http://smallbusiness.yahoo.com/webhosting > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Did you read what the troubleshoot told you? It explains pretty much your options. You can turn off execheap protection, or you can not run the program. You should report this as a bug to the maintainers of vlc. Follow the links provided by the troubleshooter to find out more about execheap. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHDSpzrlYvE4MpobMRAnwdAKDnMI6TS4J5uaPPduS2ej/Ei7kC0gCfTiMU aTOzgTNoH2vgLVT3OYwGa+Q= =EsTw -----END PGP SIGNATURE----- From kwizart at gmail.com Wed Oct 10 21:50:52 2007 From: kwizart at gmail.com (KH KH) Date: Wed, 10 Oct 2007 23:50:52 +0200 Subject: Fwd: SELinux is preventing /usr/bin/vlc from changing the access protection of In-Reply-To: References: <20071008224044.14647.qmail@web52608.mail.re2.yahoo.com> <470D2A73.2040603@redhat.com> Message-ID: ---------- Forwarded message ---------- From: KH KH Date: 10 oct. 2007 23:49 Subject: Re: SELinux is preventing /usr/bin/vlc from changing the access protection of To: Daniel J Walsh 2007/10/10, Daniel J Walsh : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Antonio Olivares wrote: > Did you read what the troubleshoot told you? It explains pretty much > your options. You can turn off execheap protection, or you can not run > the program. You should report this as a bug to the maintainers of vlc. I'm the maintainer of vlc...(from the mentionned repository). Well for now, I don't know if this can be fixed without tweaking the code... I would avoid doing this...unless the only way to solve it... (read from execheap http://people.redhat.com/drepper/selinux-mem.html) Others builds was working fine with previous Fedora version (only F-8 seems affected)... Nicolas (kwizart) > Follow the links provided by the troubleshooter to find out more about > execheap. 
> -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iD8DBQFHDSpzrlYvE4MpobMRAnwdAKDnMI6TS4J5uaPPduS2ej/Ei7kC0gCfTiMU > aTOzgTNoH2vgLVT3OYwGa+Q= > =EsTw > -----END PGP SIGNATURE----- > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From selinux at gmail.com Thu Oct 11 17:00:54 2007 From: selinux at gmail.com (Tom London) Date: Thu, 11 Oct 2007 10:00:54 -0700 Subject: How to test if SELinux is 'running' Message-ID: <4c4ba1530710111000yef9ea4el63a8e7babd971e24@mail.gmail.com> What is the 'approved' method for determining if SELinux is 'running', that is, active, and in either enforcing or permissive mode? If my feeble memory serves me, there used to be a 'isSELinux' or some such, but I can't seem to find this anymore. I'd like to modify some scripts to work both with and without SELinux active, e.g., vmware. It is currently testing against the contents of /selinux/enforce, but that does not seem right.... Thanks, tom -- Tom London From selinux at gmail.com Thu Oct 11 17:13:06 2007 From: selinux at gmail.com (Tom London) Date: Thu, 11 Oct 2007 10:13:06 -0700 Subject: How to test if SELinux is 'running' In-Reply-To: <4c4ba1530710111000yef9ea4el63a8e7babd971e24@mail.gmail.com> References: <4c4ba1530710111000yef9ea4el63a8e7babd971e24@mail.gmail.com> Message-ID: <4c4ba1530710111013t73891d53na02257aff3eb9054@mail.gmail.com> On 10/11/07, Tom London wrote: > What is the 'approved' method for determining if SELinux is 'running', > that is, active, and in either enforcing or permissive mode? > > If my feeble memory serves me, there used to be a 'isSELinux' or some > such, but I can't seem to find this anymore. > > I'd like to modify some scripts to work both with and without SELinux > active, e.g., vmware. 
It is currently testing against the contents of > /selinux/enforce, but that does not seem right.... > > Thanks, > tom > -- Sorry, found it, 'selinuxenabled'. That still the 'approved way'? tom -- Tom London From jdennis at redhat.com Thu Oct 11 17:13:17 2007 From: jdennis at redhat.com (John Dennis) Date: Thu, 11 Oct 2007 13:13:17 -0400 Subject: How to test if SELinux is 'running' In-Reply-To: <4c4ba1530710111000yef9ea4el63a8e7babd971e24@mail.gmail.com> References: <4c4ba1530710111000yef9ea4el63a8e7babd971e24@mail.gmail.com> Message-ID: <470E59AD.9090307@redhat.com> Tom London wrote: > What is the 'approved' method for determining if SELinux is 'running', > that is, active, and in either enforcing or permissive mode? > > If my feeble memory serves me, there used to be a 'isSELinux' or some > such, but I can't seem to find this anymore. > > I'd like to modify some scripts to work both with and without SELinux > active, e.g., vmware. It is currently testing against the contents of > /selinux/enforce, but that does not seem right.... > > Thanks, > tom selinuxenabled and getenforce should do the trick -- John Dennis From sds at tycho.nsa.gov Thu Oct 11 17:07:29 2007 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 11 Oct 2007 13:07:29 -0400 Subject: How to test if SELinux is 'running' In-Reply-To: <4c4ba1530710111000yef9ea4el63a8e7babd971e24@mail.gmail.com> References: <4c4ba1530710111000yef9ea4el63a8e7babd971e24@mail.gmail.com> Message-ID: <1192122449.608.6.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2007-10-11 at 10:00 -0700, Tom London wrote: > What is the 'approved' method for determining if SELinux is 'running', > that is, active, and in either enforcing or permissive mode? > > If my feeble memory serves me, there used to be a 'isSELinux' or some > such, but I can't seem to find this anymore. > > I'd like to modify some scripts to work both with and without SELinux > active, e.g., vmware. 
> It is currently testing against the contents of
> /selinux/enforce, but that does not seem right....

What kind of scripts? Python scripts can use the python bindings to
libselinux to directly invoke is_selinux_enabled(),
security_getenforce(), and/or selinux_getenforcemode().

Shell scripts can execute selinuxenabled (as a boolean condition,
exiting with 0 for true and 1 for false, just like /bin/true
and /bin/false, for use in conditional statements - no output),
getenforce (displaying the Enforcing/Permissive/Disabled status as
output), or sestatus (displaying more information).

--
Stephen Smalley
National Security Agency

From selinux at gmail.com  Thu Oct 11 17:51:29 2007
From: selinux at gmail.com (Tom London)
Date: Thu, 11 Oct 2007 10:51:29 -0700
Subject: How to test if SELinux is 'running'
In-Reply-To: <1192122449.608.6.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba1530710111000yef9ea4el63a8e7babd971e24@mail.gmail.com>
 <1192122449.608.6.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4c4ba1530710111051u5c46d28an1468fff94ef0e034@mail.gmail.com>

On 10/11/07, Stephen Smalley wrote:
> On Thu, 2007-10-11 at 10:00 -0700, Tom London wrote:
> > What is the 'approved' method for determining if SELinux is 'running',
> > that is, active, and in either enforcing or permissive mode?
> >
> > If my feeble memory serves me, there used to be a 'isSELinux' or some
> > such, but I can't seem to find this anymore.
> >
> > I'd like to modify some scripts to work both with and without SELinux
> > active, e.g., vmware. It is currently testing against the contents of
> > /selinux/enforce, but that does not seem right....
>
> What kind of scripts? Python scripts can use the python bindings to
> libselinux to directly invoke is_selinux_enabled(),
> security_getenforce(), and/or selinux_getenforcemode().
>
> Shell scripts can execute selinuxenabled (as a boolean condition,
> exiting with 0 for true and 1 for false, just like /bin/true
> and /bin/false, for use in conditional statements - no output),
> getenforce (displaying the Enforcing/Permissive/Disabled status as
> output), or sestatus (displaying more information).
>

vmware, in particular, runs a shell script.

Here was the 'before' test:

  if [ "`cat /selinux/enforce 2> /dev/null`" = "1" ]; then

This had the (erroneous?) behavior of only executing the 'then' clause
if SELinux is active and in enforcing mode. So permissive mode borks
this.

Here is how I changed it:

  if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then

Seems to work (I booted w/ enforcing=0).....

Any chance that selinuxenabled would get installed someplace else?

tom
--
Tom London

From doug at dupreeinc.com  Thu Oct 11 20:16:53 2007
From: doug at dupreeinc.com (Doug Thistlethwaite)
Date: Thu, 11 Oct 2007 13:16:53 -0700
Subject: SELinux problem after sendmail.mc modification.
Message-ID: <470E84B5.6010503@dupreeinc.com>

Hello,

I hope somebody has seen this before. I am not sure if it is a bug or my
not completely understanding how SELinux works.

My mail server was working fine secured by SELinux running in enforcing
mode. Our company lost connection to the Internet for a couple days so I
edited sendmail.mc to skip the domain check for the duration. I edited
the file, ran MAKE and restarted the sendmail process. I also disabled
spamd because all of the email would be internal.

Well SELinux didn't like what I did and started to produce lots of AVC
messages and provided solutions to most of them. I followed the
suggestion in the "Allowing Access" section of the setroubleshoot
browser and most of the messages went away. After about a dozen of these
messages, I decided to just have the system "relabel on next reboot"
using the SELinux management tool.
When that didn't fix the problem, I just disabled SELinux until the
Internet connection was fixed.

So the connection was fixed, I fixed the sendmail.mc file to be exactly
the same as before the problem. I used MAKE on the file and relabeled
the SELinux during a reboot and reset SELinux to enforcement mode.

Spamd will not start in enforcement mode. I get the following
setroubleshoot message:

Summary
SELinux is preventing spamd (spamd_t) "search" to mail
(httpd_sys_content_t).

Detailed Description
SELinux denied access requested by spamd. It is not expected that this
access is required by spamd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for mail, restorecon -v mail If
this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ Or you can disable SELinux protection altogether.
Disabling SELinux protection is not recommended. Please file a bug
report against this package.

Additional Information
Source Context: system_u:system_r:spamd_t
Target Context: system_u:object_r:httpd_sys_content_t
Target Objects: mail [ dir ]
Affected RPM Packages:
Policy RPM: selinux-policy-2.6.4-46.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file

When I ran the suggested fix "restorecon -v mail" I get the following
error message:

lstat(mail) failed: No such file or directory

I was under the impression that if I relabeled the system everything
would be reset, but obviously I am incorrect...

I have also received other AVC messages all relating to sendmail files.
I was not sure if these would help so I did not include them in this
message (This question is already pretty long!).

Any idea how I can get spamd to run in enforcing mode -and- get SELinux
to be happy again?

Thanks,

Doug

From cra at WPI.EDU  Thu Oct 11 22:01:25 2007
From: cra at WPI.EDU (Chuck Anderson)
Date: Thu, 11 Oct 2007 18:01:25 -0400
Subject: xinetd rsync --daemon problems
Message-ID: <20071011220125.GV4751@angus.ind.WPI.EDU>

I'm using Fedora Core 6, and trying to start a rsync daemon via xinetd.
The default configuration is:

# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#	allows crc checksumming etc.
service rsync
{
	disable         = no
	socket_type     = stream
	wait            = no
	user            = root
	server          = /usr/bin/rsync
	server_args     = --daemon
	log_on_failure  += USERID
}

With this rsyncd.conf:

motd file = /etc/rsyncd.motd
pid file = /var/run/rsyncd.pid
port = 873
uid = rsyncd
gid = mirror
use chroot = yes
max connections = 10
log file = /var/log/rsyncd.log
read only = yes
hosts allow = 127.0.0.1, ::1, etc....
#hosts deny = 0.0.0.0/0, ::
ignore nonreadable = yes
transfer logging = yes
timeout = 600
dont compress = *

[fedora-linux-core]
path = /srv/ftp/pub/fedora/linux/core
comment = Fedora Linux Core

[fedora-linux-core-updates]
path = /srv/ftp/pub/fedora/linux/core/updates
comment = Fedora Linux Core Updates

[fedora-linux-extras]
path = /srv/ftp/pub/fedora/linux/extras
comment = Fedora Linux Extras

[fedora-linux-core-test]
path = /srv/ftp/pub/fedora/linux/core/test
comment = Fedora Linux Core Test

[fedora-linux-releases]
path = /srv/ftp/pub/fedora/linux/releases
comment = Fedora Linux Releases

[fedora-linux-development]
path = /srv/ftp/pub/fedora/linux/development
comment = Fedora Linux Development

[fedora-enchilada]
path = /srv/ftp/pub/fedora
comment = Fedora - The whole enchilada

[fedora-linux-updates]
path = /srv/ftp/pub/fedora/linux/updates
comment = Fedora Linux Updates

[fedora-web]
path = /srv/ftp/pub/fedora/web
comment = Web content for Fedora Linux mirrors

I get these AVCs when running from xinetd and making a client connection
that I don't get if I start the daemon directly via "rsync --daemon" as
root:

type=AVC msg=audit(1192132336.713:3464): avc: denied { lock } for pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435 scontext=user_u:system_r:rsync_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1192132336.713:3464): arch=40000003 syscall=221 success=no exit=-13 a0=4 a1=d a2=bff80730 a3=bff80730 items=0 ppid=8167 pid=8488 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null)
type=AVC_PATH msg=audit(1192132336.713:3464): path="/var/run/rsyncd.lock"
type=AVC msg=audit(1192132400.044:3465): avc: denied { bind } for pid=8499 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1192132400.044:3465): arch=40000003 syscall=102 success=no exit=-13
a0=2 a1=bf8f4674 a2=4df50ff4 a3=3 items=0 ppid=8167 pid=8499 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null)

I tried creating and loading a policy module:

# grep "rsync" /var/log/audit/audit.log | audit2allow -M rsyncd
# semodule -i rsyncd.pp

Here is rsyncd.te:

module rsyncd 1.0;

require {
	type var_run_t;
	type rsync_t;
	class netlink_route_socket create;
	class file { read write };
}

#============= rsync_t ==============
allow rsync_t self:netlink_route_socket create;
allow rsync_t var_run_t:file { read write };

But I still get these AVCs:

type=AVC msg=audit(1192139751.238:3586): avc: denied { bind } for pid=9311 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1192139751.238:3586): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfbb6144 a2=4df50ff4 a3=3 items=0 ppid=8732 pid=9311 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null)

Additionally, when using xinetd I don't ever get any log messages in
/var/log/rsyncd.log like I do when I run "rsync --daemon" directly:

2007/10/11 17:08:01 [8613] rsyncd version 2.6.9 starting, listening on port 873
2007/10/11 17:08:13 [8616] connect from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 17:08:13 [8616] rsync on fedora-enchilada/linux/ from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 21:08:13 [8616] building file list
2007/10/11 21:08:13 [8616] sent 1629 bytes received 106 bytes total size 19

From dwalsh at redhat.com  Thu Oct 11 22:19:55 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 11 Oct 2007 18:19:55 -0400
Subject: How to test if SELinux is 'running'
In-Reply-To: <4c4ba1530710111051u5c46d28an1468fff94ef0e034@mail.gmail.com>
References:
 <4c4ba1530710111000yef9ea4el63a8e7babd971e24@mail.gmail.com>
 <1192122449.608.6.camel@moss-spartans.epoch.ncsc.mil>
 <4c4ba1530710111051u5c46d28an1468fff94ef0e034@mail.gmail.com>
Message-ID: <470EA18B.6020000@redhat.com>

Tom London wrote:
> On 10/11/07, Stephen Smalley wrote:
>> On Thu, 2007-10-11 at 10:00 -0700, Tom London wrote:
>>> What is the 'approved' method for determining if SELinux is 'running',
>>> that is, active, and in either enforcing or permissive mode?
>>>
>>> If my feeble memory serves me, there used to be a 'isSELinux' or some
>>> such, but I can't seem to find this anymore.
>>>
>>> I'd like to modify some scripts to work both with and without SELinux
>>> active, e.g., vmware. It is currently testing against the contents of
>>> /selinux/enforce, but that does not seem right....
>> What kind of scripts? Python scripts can use the python bindings to
>> libselinux to directly invoke is_selinux_enabled(),
>> security_getenforce(), and/or selinux_getenforcemode().
>>
>> Shell scripts can execute selinuxenabled (as a boolean condition,
>> exiting with 0 for true and 1 for false, just like /bin/true
>> and /bin/false, for use in conditional statements - no output),
>> getenforce (displaying the Enforcing/Permissive/Disabled status as
>> output), or sestatus (displaying more information).
>>
> vmware, in particular, runs a shell script.
>
> Here was the 'before' test:
> if [ "`cat /selinux/enforce 2> /dev/null`" = "1" ]; then
>
> This had the (erroneous?) behavior of only executing the 'then' clause
> if SELinux is active and in enforcing mode. So permissive mode borks
> this.
>
> Here is how I changed it:
> if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then
>
> Seems to work (I booted w/ enforcing=0).....
>
> Any chance that selinuxenabled would get installed someplace else?
>
> tom

Not likely.
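The checks recommended in this thread, collected into one added shell example that is not code from any of the posters. It prefers selinuxenabled and getenforce where they exist and only falls back to reading the kernel's enforce node, and it keeps "active" (enforcing or permissive) separate from "enforcing", which is the distinction the original /selinux/enforce test missed: a script that skips its labelling steps whenever enforce is not "1" leaves mislabelled files behind in permissive mode, and those surface as denials the moment enforcing is switched back on. The /sys/fs/selinux path is an assumption beyond the thread (it is the selinuxfs mount point on current kernels; /selinux is the one in use here).

```shell
#!/bin/sh
# Added example (not from the thread): decide whether SELinux is active and
# in which mode, using libselinux's tools when present and the enforce node
# of selinuxfs only as a fallback. POSIX sh, no bashisms.

# Map the contents of the enforce node ("0" or "1") to a mode name.
# Anything else (empty, unreadable) is treated as SELinux not being active.
enforce_value_to_mode() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo disabled ;;
    esac
}

# Normalise getenforce's Enforcing/Permissive/Disabled output to lower case
# so callers can compare a single word.
getenforce_output_to_mode() {
    case "$1" in
        Enforcing|enforcing)   echo enforcing ;;
        Permissive|permissive) echo permissive ;;
        *)                     echo disabled ;;
    esac
}

# Print enforcing, permissive or disabled. Always exits 0 so it is safe
# inside $(...) under "set -e"; the printed word carries the answer.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce_output_to_mode "$(getenforce 2>/dev/null)"
        return 0
    fi
    # Fallback when libselinux tools are not installed: read selinuxfs.
    # /sys/fs/selinux is the modern mount point (assumption); /selinux is
    # the 2007-era one the thread's vmware script was reading.
    for node in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$node" ]; then
            enforce_value_to_mode "$(cat "$node" 2>/dev/null)"
            return 0
        fi
    done
    echo disabled
}

# True (exit 0) when SELinux is enforcing OR permissive. This is the test
# the original `= "1"` check got wrong: it treated permissive like disabled.
selinux_active() {
    if command -v selinuxenabled >/dev/null 2>&1; then
        selinuxenabled
        return $?
    fi
    [ "$(selinux_mode)" != disabled ]
}

# True (exit 0) only when denials are actually blocked, not just logged.
selinux_enforcing() {
    [ "$(selinux_mode)" = enforcing ]
}

# Stand-alone use: report the mode and the decision a script would branch on.
printf 'SELinux mode: %s\n' "$(selinux_mode)"
if selinux_active; then
    echo "SELinux active: label-sensitive steps (restorecon etc.) are needed"
else
    echo "SELinux disabled: label-sensitive steps can be skipped"
fi
```

selinux_active is the one to branch on for "do I need to care about labels"; selinux_enforcing is only for deciding whether a denial will break the operation or merely show up in the audit log, which is why a script that does relabelling work must not use it as the gate.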
From paul at city-fan.org  Fri Oct 12 00:17:22 2007
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 12 Oct 2007 01:17:22 +0100
Subject: SELinux problem after sendmail.mc modification.
In-Reply-To: <470E84B5.6010503@dupreeinc.com>
References: <470E84B5.6010503@dupreeinc.com>
Message-ID: <20071012011722.14be30fe@metropolis.intra.city-fan.org>

On Thu, 11 Oct 2007 13:16:53 -0700
Doug Thistlethwaite wrote:

> Hello,
>
> I hope somebody has seen this before. I am not sure if it is a bug or
> my not completely understanding how SELinux works.
>
> My mail server was working fine secured by SELinux running in
> enforcing mode. Our company lost connection to the Internet for a
> couple days so I edited sendmail.mc to skip the domain check for the
> duration. I edited the file, ran MAKE and restarted the sendmail
> process. I also disabled spamd because all of the email would be
> internal.
>
> Well SELinux didn't like what I did and started to produce lots of
> AVC messages and provided solutions to most of them. I followed the
> suggestion in the "Allowing Access" section of the setroubleshoot
> browser and most of the messages went away. After about a dozen of
> these messages, I decided to just have the system "relabel on next
> reboot" using the SELinux management tool. When that didn't fix the
> problem, I just disabled SELinux until the Internet connection was
> fixed.
>
> So the connection was fixed, I fixed the sendmail.mc file to be
> exactly the same as before the problem. I used MAKE on the file and
> relabeled the SELinux during a reboot and reset SELinux to
> enforcement mode.
>
> Spamd will not start in enforcement mode.
> I get the following
> setroubleshoot message:
>
> Summary
> SELinux is preventing spamd (spamd_t) "search" to mail
> (httpd_sys_content_t).

Somehow you seem to have some important mail-related dir (and maybe
more) labelled as httpd_sys_content_t. Maybe /etc/mail?

> I was under the impression that if I relabeled the system everything
> would be reset, but obviously I am incorrect...
>
> I have also received other AVC messages all relating to sendmail
> files. I was not sure if these would help so I did not include them
> in this message (This question is already pretty long!).
>
> Any idea how I can get spamd to run in enforcing mode -and- get
> SELinux to be happy again?

httpd_sys_content_t is a customizable type and hence not subject to
being relabelled normally. Try:

# restorecon -FRv /etc/mail /var/spool/mail

Paul.

From dwalsh at redhat.com  Fri Oct 12 13:40:25 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 12 Oct 2007 09:40:25 -0400
Subject: BUG? in mkswap (Re: The current status of sebusybox project)
In-Reply-To: <470C59B1.1050306@ak.jp.nec.com>
References: <470C532E.5020108@ak.jp.nec.com> <470C59B1.1050306@ak.jp.nec.com>
Message-ID: <470F7949.3090108@redhat.com>

KaiGai Kohei wrote:
> Karel,
>
> Can I consider that you are the most appropriate person to report
> about the following matter?
>
> The changelog in util-linux-ng.spec says:
> | * Wed Mar 8 2006 Karel Zak 2.13-0.17
> | - fix #181782 - mkswap selinux relabeling (fix util-linux-2.13-mkswap-selinux.patch)
>
>> * /sbin/mkswap (should be ported later.)
>>   - It enables to relabel the target file as "swapfile_t", when we use
>>     a regular file as a swap.
>
> In util-linux-ng-2.13-1.fc8.src.rpm, this feature is implemented
> as follows:
>
> at util-linux-ng-2.13/disk-utils/mkswap.c
> -------------------------------------------------------
>  75 #define SELINUX_SWAPFILE_TYPE "swapfile_t"
>   :   :
> 735 #ifdef HAVE_LIBSELINUX
> 736     if (S_ISREG(statbuf.st_mode) && is_selinux_enabled()) {
> 737         security_context_t context_string;
> 738         security_context_t oldcontext;
> 739         context_t newcontext;
> 740
> 741         if ((fgetfilecon(DEV, &oldcontext) < 0) &&
> 742             (errno != ENODATA)) {
> 743             fprintf(stderr, _("%s: %s: unable to obtain selinux file label: %s\n"),
> 744                 program_name, device_name,
> 745                 strerror(errno));
> 746             exit(1);
> 747         }
> 748         if (!(newcontext = context_new(oldcontext)))
> 749             die(_("unable to create new selinux context"));
> 750         if (context_type_set(newcontext, SELINUX_SWAPFILE_TYPE))
> 751             die(_("couldn't compute selinux context"));
> 752
> 753         context_string = context_str(newcontext);
> 754
> 755         if (strcmp(context_string, oldcontext)!=0) {
> 756             if (fsetfilecon(DEV, context_string)) {
> 757                 fprintf(stderr, _("%s: unable to relabel %s to %s: %s\n"),
> 758                     program_name, device_name,
> 759                     context_string,
> 760                     strerror(errno));
> 761                 exit(1);
> 762             }
> 763         }
> 764         context_free(newcontext);
> 765         freecon(oldcontext);
> 766     }
> 767 #endif
> -------------------------------------------------------
>
> Pay attention around line 741.
> If fgetfilecon() fails and returns -ENODATA, context_new() will be
> called with uninitialized oldcontext in the next. Then, it cause
> a segmentation fault.
>
> If you don't want to exit immediately, I think this logic can be
> changed as follows:
> -------------------------------------------------------
>     if (fgetfilecon(DEV, &oldcontext) < 0) {
>         if (errno != ENODATA) {
>             fprintf(stderr, _("%s: %s: unable to obtain selinux file label: %s\n"),
>                 program_name, device_name,
>                 strerror(errno));
>             exit(1);
>         }
>         /* no label stored on the file: fall back to the policy default */
>         if (matchpathcon(device_name, statbuf.st_mode, &oldcontext))
>             die(_("unable to create new selinux context"));
>     }
>     if (!(newcontext = context_new(oldcontext)))
>         die(_("unable to create new selinux context"));
> -------------------------------------------------------
>
> Thanks,

Please open a bugzilla. Too easy to lose in email.

From kaigai at kaigai.gr.jp  Fri Oct 12 15:57:54 2007
From: kaigai at kaigai.gr.jp (KaiGai Kohei)
Date: Sat, 13 Oct 2007 00:57:54 +0900
Subject: [busybox:01238] Re: BUG?
 in mkswap (Re: The current status of sebusybox project)
In-Reply-To: <470F7949.3090108@redhat.com>
References: <470C532E.5020108@ak.jp.nec.com> <470C59B1.1050306@ak.jp.nec.com>
 <470F7949.3090108@redhat.com>
Message-ID: <470F9982.1060105@kaigai.gr.jp>

- snip -
>> If you don't want to exit immediately, I think this logic can be
>> changed as follows:
>> -------------------------------------------------------
>>     if (fgetfilecon(DEV, &oldcontext) < 0) {
>>         if (errno != ENODATA) {
>>             fprintf(stderr, _("%s: %s: unable to obtain selinux file label: %s\n"),
>>                 program_name, device_name,
>>                 strerror(errno));
>>             exit(1);
>>         }
>>         if (matchpathcon(device_name, statbuf.st_mode, &oldcontext))
>>             die(_("unable to create new selinux context"));
>>     }
>>     if (!(newcontext = context_new(oldcontext)))
>>         die(_("unable to create new selinux context"));
>> -------------------------------------------------------
>>
>> Thanks,
> Please open a bugzilla. Too easy to lose in email.

OK, I opened a report at bugzilla.
https://bugzilla.redhat.com/show_bug.cgi?id=329641
--
KaiGai Kohei

From doug at dupreeinc.com  Fri Oct 12 20:40:25 2007
From: doug at dupreeinc.com (Doug Thistlethwaite)
Date: Fri, 12 Oct 2007 13:40:25 -0700
Subject: SELinux problem after sendmail.mc modification.
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B01588011004F8@exchange.columbia.tresys.com>
References: <6FE441CD9F0C0C479F2D88F959B01588011004F8@exchange.columbia.tresys.com>
Message-ID: <470FDBB9.2040906@dupreeinc.com>

David,

Thanks for the quick reply. I answered your questions in-line below:

David Caplan wrote:
> Doug,
>
>
> ...
>> My mail server was working fine secured by SELinux running in
>> enforcing mode. Our company lost connection to the Internet for a
>> couple days so I edited sendmail.mc to skip the domain check for the
>> duration. I edited the file, ran MAKE and restarted the sendmail
>> process. I also disabled spamd because all of the email would be
>> internal.
>>
>>
>
> Did you do all of the above as root/unconfined_t?
> The most likely
> problem (at least at that point) was a labeling problem. As you are
> running targeted policy it should not have caused a problem.
>
>
I assume that I did. I was logged in as root and did not even know until
now that something called unconfirmed_t existed. Initially, I entered
the commands suggested by setroubleshoot.

>
>> Well SELinux didn't like what I did and started to produce lots of AVC
>> messages and provided solutions to most of them. I followed the
>> suggestion in the "Allowing Access" section of the setroubleshoot
>> browser and most of the messages went away.
>>
>
> Does that mean you added a local policy module?
>
I don't think so. I entered commands like the following: (Copied from my
command buffer)

chcon -t httpd_sys_content_t /etc/mail/local-host-names
chcon -t httpd_sys_content_t /etc/mail/trusted-users
chcon -t httpd_sys_content_t submit.cf
chcon -t httpd_sys_content_t clientmqueue
chcon -t httpd_sys_content_t anon_inode:[eventpoll]

The last one wouldn't work and this is when I decided to just disable
SELinux until my internet connection was restored.

>
>> After about a dozen of these
>> messages, I decided to just have the system "relabel on next reboot"
>> using the SELinux management tool. When that didn't fix the problem, I
>> just disabled SELinux until the Internet connection was fixed.
>>
>> So the connection was fixed, I fixed the sendmail.mc file to be
>> exactly the same as before the problem. I used MAKE on the file and
>> relabeled the SELinux during a reboot and reset SELinux to enforcement
>> mode. Spamd will not start in enforcement mode. I get the following
>> setroubleshoot message:
>>
>>
>
> The indication below (in the "Additional Information" section) says that
> you are in Permissive, not Enforcing. Of course, things should work in
> Permissive mode.
>
>
Yes, I switch to Permissive mode so my users were not buried in spam.
The same messages were there in Enforcing mode.
>> Summary
>> SELinux is preventing spamd (spamd_t) "search" to mail
>> (httpd_sys_content_t).
>>
>>
>
> It doesn't seem like spamd should need access to httpd* files. If you
> are in Permissive mode that may not be what your problem is. What is the
> file related to this message (i.e., the path of the target directory
> that is labeled with httpd_sys_content_t)?
>
I have no idea. The information in my first message is everything that
was displayed in setroubleshoot window. Other messages in the
setroubleshoot window show file names, but this one doesn't. How would I
find this out?

>
>> Detailed Description
>> SELinux denied access requested by spamd. It is not expected that this
>> access is required by spamd and this access may signal an intrusion
>> attempt. It is also possible that the specific version or
>> configuration of the application is causing it to require additional
>> access.
>>
>> Allowing Access
>> Sometimes labeling problems can cause SELinux denials. You could try
>> to restore the default system file context for mail, restorecon -v
>> mail If this does not work, there is currently no automatic way to
>> allow this access. Instead, you can generate a local policy module to
>> allow this access - see FAQ Or you can disable SELinux protection
>> altogether. Disabling SELinux protection is not recommended. Please
>> file a bug report against this package.
>>
>> Additional Information
>> Source Context: system_u:system_r:spamd_t
>> Target Context: system_u:object_r:httpd_sys_content_t
>> Target Objects: mail [ dir ]
>> Affected RPM Packages:
>> Policy RPM: selinux-policy-2.6.4-46.fc7
>> Selinux Enabled: True
>> Policy Type: targeted
>> MLS Enabled: True
>> Enforcing Mode: Permissive
>> Plugin Name: plugins.catchall_file
>>
>>
>> When I ran the suggested fix "restorecon -v mail" I get the following
>> error message:
>> lstat(mail) failed: No such file or directory
>>
>>
>
> I think you want to run this in the directory above the mail directory
> (e.g., this is typically /etc). Everything in /etc/mail should be
> labeled with etc_mail_t. You should also run it with -R. For example:
>
> # restorecon -v mail
> lstat(mail) failed: No such file or directory
> # cd /etc
> # restorecon -v mail
> # chcon -t file_t mail/sendmail.mc
> # restorecon -v mail
> # ls -Z mail/sendmail.mc
> -rw-r--r-- root root system_u:object_r:file_t mail/sendmail.mc
> # restorecon -Rv mail
> restorecon reset /etc/mail/sendmail.mc context system_u:object_r:file_t:s0->system_u:object_r:etc_mail_t:s0
> #
>
>
I ran the suggested commands and restarted sendmail, spamassassin and I
did the same restorecon command for any file listed in the error
messages. After this I sent an email through a web interface. I got the
following errors in setroubleshoot:

#1

Summary
SELinux is preventing spamd (spamd_t) "search" to mail
(httpd_sys_content_t).

Detailed Description
SELinux denied access requested by spamd. It is not expected that this
access is required by spamd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for mail, restorecon -v mail If
this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context          root:system_r:spamd_t
Target Context          system_u:object_r:httpd_sys_content_t
Target Objects          mail [ dir ]
Affected RPM Packages
Policy RPM              selinux-policy-2.6.4-46.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.catchall_file
Host Name               mail.dupreeinc.com
Platform                Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count             1
First Seen              Thu 11 Oct 2007 03:32:24 PM PDT
Last Seen               Thu 11 Oct 2007 03:32:24 PM PDT
Local ID                d478c85c-d36f-4fa3-9371-2ab3f4bb05f5
Line Numbers

Raw Audit Messages
avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0 exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="mail" pid=31883 scontext=root:system_r:spamd_t:s0 sgid=0 subj=root:system_r:spamd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1 uid=0

#2

Summary
SELinux is preventing the /usr/sbin/sendmail.sendmail from using
potentially mislabeled files submit.cf (etc_mail_t).

Detailed Description
SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
mislabeled files submit.cf. This means that SELinux will not allow http
to use these files. Many third party apps install html files in
directories that SELinux policy can not predict. These directories have
to be labeled with a file context which httpd can accesss.

Allowing Access
If you want to change the file context of submit.cf so that the httpd
daemon can access it, you need to execute it using chcon -t
httpd_sys_content_t submit.cf. You can look at the httpd_selinux man
page for additional information.
Additional Information
Source Context          system_u:system_r:httpd_sys_script_t
Target Context          system_u:object_r:etc_mail_t
Target Objects          submit.cf [ file ]
Affected RPM Packages   sendmail-8.14.1-4.2.fc7 [application]
Policy RPM              selinux-policy-2.6.4-46.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.httpd_bad_labels
Host Name               mail.dupreeinc.com
Platform                Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count             1
First Seen              Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen               Thu 11 Oct 2007 03:33:03 PM PDT
Local ID                e67e0ecc-909e-44ba-8a80-106228c8e348
Line Numbers

Raw Audit Messages
avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48 items=0 name="submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48

#3

Summary
SELinux is preventing the /usr/sbin/sendmail.sendmail from using
potentially mislabeled files /etc/mail/submit.cf (etc_mail_t).

Detailed Description
SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially
mislabeled files /etc/mail/submit.cf. This means that SELinux will not
allow http to use these files. Many third party apps install html files
in directories that SELinux policy can not predict. These directories
have to be labeled with a file context which httpd can accesss.

Allowing Access
If you want to change the file context of /etc/mail/submit.cf so that
the httpd daemon can access it, you need to execute it using chcon -t
httpd_sys_content_t /etc/mail/submit.cf. You can look at the
httpd_selinux man page for additional information.
Additional Information
Source Context          system_u:system_r:httpd_sys_script_t
Target Context          system_u:object_r:etc_mail_t
Target Objects          /etc/mail/submit.cf [ file ]
Affected RPM Packages   sendmail-8.14.1-4.2.fc7 [application] sendmail-8.14.1-4.2.fc7 [target]
Policy RPM              selinux-policy-2.6.4-46.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.httpd_bad_labels
Host Name               mail.dupreeinc.com
Platform                Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count             1
First Seen              Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen               Thu 11 Oct 2007 03:33:03 PM PDT
Local ID                10bd0547-6b5c-4b86-96e6-6bb16af2a64d
Line Numbers

Raw Audit Messages
avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="submit.cf" path="/etc/mail/submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48

#4

Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
"create" to (httpd_sys_script_t).

Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
not expected that this access is required by /usr/sbin/sendmail.sendmail
and this access may signal an intrusion attempt. It is also possible
that the specific version or configuration of the application is causing
it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context          system_u:system_r:httpd_sys_script_t
Target Context          system_u:system_r:httpd_sys_script_t
Target Objects          None [ unix_dgram_socket ]
Affected RPM Packages   sendmail-8.14.1-4.2.fc7 [application]
Policy RPM              selinux-policy-2.6.4-46.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.catchall
Host Name               mail.dupreeinc.com
Platform                Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count             1
First Seen              Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen               Thu 11 Oct 2007 03:33:03 PM PDT
Local ID                ef574580-2190-4edc-8e54-b92181831531
Line Numbers

Raw Audit Messages
avc: denied { create } for comm="sendmail" egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48 items=0 pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48

#5

Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t)
"sendto" to /dev/log (syslogd_t).

Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is
not expected that this access is required by /usr/sbin/sendmail.sendmail
and this access may signal an intrusion attempt. It is also possible
that the specific version or configuration of the application is causing
it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information Source Context system_u:system_r:httpd_sys_script_t Target Context system_u:system_r:syslogd_t Target Objects /dev/log [ unix_dgram_socket ] Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application] Policy RPM selinux-policy-2.6.4-46.fc7 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name plugins.catchall Host Name mail.dupreeinc.com Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64 Alert Count 1 First Seen Thu 11 Oct 2007 03:33:03 PM PDT Last Seen Thu 11 Oct 2007 03:33:03 PM PDT Local ID 831be357-c006-4d42-8ab7-1634e2035ef4 Line Numbers Raw Audit Messages avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="log" path="/dev/log" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48 #6 Summary SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t) "write" to (httpd_sys_script_t). Detailed Description SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. 
Additional Information Source Context system_u:system_r:httpd_sys_script_t Target Context system_u:system_r:httpd_sys_script_t Target Objects None [ unix_dgram_socket ] Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application] Policy RPM selinux-policy-2.6.4-46.fc7 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name plugins.catchall Host Name mail.dupreeinc.com Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64 Alert Count 1 First Seen Thu 11 Oct 2007 03:33:03 PM PDT Last Seen Thu 11 Oct 2007 03:33:03 PM PDT Local ID a793410a-36e5-4685-b82a-c7a0ddee7c44 Line Numbers Raw Audit Messages avc: denied { write } for comm="sendmail" egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=141 fsgid=51 fsuid=48 gid=48 items=0 pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48 #7 Summary SELinux is preventing the /usr/sbin/sendmail.sendmail from using potentially mislabeled files anon_inode:[eventpoll] (anon_inodefs_t). Detailed Description SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially mislabeled files anon_inode:[eventpoll]. This means that SELinux will not allow http to use these files. Many third party apps install html files in directories that SELinux policy can not predict. These directories have to be labeled with a file context which httpd can accesss. Allowing Access If you want to change the file context of anon_inode:[eventpoll] so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t anon_inode:[eventpoll]. You can look at the httpd_selinux man page for additional information. 
Additional Information
Source Context: system_u:system_r:httpd_sys_script_t
Target Context: system_u:object_r:anon_inodefs_t
Target Objects: anon_inode:[eventpoll] [ file ]
Affected RPM Packages: sendmail-8.14.1-4.2.fc7 [application]
Policy RPM: selinux-policy-2.6.4-46.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.httpd_bad_labels
Host Name: mail.dupreeinc.com
Platform: Linux mail.dupreeinc.com 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64
Alert Count: 1
First Seen: Thu 11 Oct 2007 03:33:03 PM PDT
Last Seen: Thu 11 Oct 2007 03:33:03 PM PDT
Local ID: 5c2f5b86-899e-44d6-ba25-906180a5731d
Line Numbers:
Raw Audit Messages:
avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="[eventpoll]" path="anon_inode:[eventpoll]" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48

From doug at dupreeinc.com Fri Oct 12 20:54:25 2007 From: doug at dupreeinc.com (Doug Thistlethwaite) Date: Fri, 12 Oct 2007 13:54:25 -0700 Subject: SELinux problem after sendmail.mc modification. In-Reply-To: <20071012011722.14be30fe@metropolis.intra.city-fan.org> References: <470E84B5.6010503@dupreeinc.com> <20071012011722.14be30fe@metropolis.intra.city-fan.org> Message-ID: <470FDF01.2040406@dupreeinc.com> Paul, Thank you for the suggestion. I tried the command you recommended and spamd no longer has an error when the sendmail and spamassassin services are started. However, I am still having problems with my webmail client sending messages. I have the setroubleshoot messages included in the message I replied to David on this list. I wonder what I did to cause these problems.
If you have suggestions on the other error messages, I would greatly appreciate hearing them. Thank you for the help! Doug Paul Howarth wrote: > On Thu, 11 Oct 2007 13:16:53 -0700 > Doug Thistlethwaite wrote: > > >> Hello, >> >> I hope somebody has seen this before. I am not sure if it is a bug or >> my not completely understanding how SELinux works. >> >> My mail server was working fine secured by SELinux running in >> enforcing mode. Our company lost connection to the Internet for a >> couple days so I edited sendmail.mc to skip the domain check for the >> duration. I edited the file, ran MAKE and restarted the sendmail >> process. I also disabled spamd because all of the email would be >> internal. >> >> Well SELinux didn't like what I did and started to produce lots of >> AVC messages and provided solutions to most of them. I followed the >> suggestion in the "Allowing Access" section of the setroubleshoot >> browser and most of the messages went away. After about a dozen of >> these messages, I decided to just have the system "relabel on next >> reboot" using the SELinux management tool. When that didn't fix the >> problem, I just disabled SELinux until the Internet connection was >> fixed. >> >> So the connection was fixed, I fixed the sendmail.mc file to be >> exactly the same as before the problem. I used MAKE on the file and >> relabeled the SELinux during a reboot and reset SELinux to >> enforcement mode. >> >> Spamd will not start in enforcement mode. I get the following >> setroubleshoot message: >> >> Summary >> SELinux is preventing spamd (spamd_t) "search" to mail >> (httpd_sys_content_t). >> > > Somehow you seem to have some important mail-related dir (and maybe > more) labelled as httpd_sys_content_t. Maybe /etc/mail? > > >> I was under the impression that if I relabeled the system everything >> would be reset, but obviously I am incorrect... >> >> I have also received other AVC messages all relating to sendmail >> files.
I was not sure if these would help so I did not include them >> in this message (This question is already pretty long!). >> >> Any idea how I can get spamd to run in enforcing mode -and- get >> SELinux to be happy again? >> > > httpd_sys_content_t is a customizable type and hence not subject to > being relabelled normally. > > Try: > # restorecon -FRv /etc/mail /var/spool/mail > > Paul. >
From dwalsh at redhat.com Mon Oct 15 19:30:01 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 15 Oct 2007 15:30:01 -0400 Subject: udev/sound/alsa: needs to read /var/lib/alsa/asound.state (alsa_var_lib_t) In-Reply-To: <4c4ba1530710100748y70acc7d5lf1a3fbcd9db4f677@mail.gmail.com> References: <4c4ba1530709250714r5b50e533ra06d472f53026f38@mail.gmail.com> <20070925150318.GA3409@nostromo.devel.redhat.com> <4c4ba1530710090930t1a2cf898r34b574bbd1ae2229@mail.gmail.com> <4c4ba1530710100748y70acc7d5lf1a3fbcd9db4f677@mail.gmail.com> Message-ID: <4713BFB9.3000508@redhat.com> Tom London wrote: > On 10/9/07, Tom London wrote: >> On 9/25/07, Bill Nottingham wrote: >>> Tom London (selinux at gmail.com) said: >>>> Running latest rawhide, targeted enforcing. >>>> >>>> Booting up, udev (90-alsa.rules) runs /sbin/salsa to read >>>> /var/lib/alsa/asound.state. >>> Don't fix this in policy, that's just broken in alsa. >>> >>> You can't save mixer settings there, as /var may not be mounted when >>> this runs.
*Sigh* >>> >>> Bill >>> >> More 'sigh': >> >> Booting in permissive mode now produces: >> >> Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: >> denied { read } for pid=1553 comm="alsactl" name="asound.state" >> dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file >> Oct 9 07:08:33 localhost kernel: audit(1191938899.844:4): avc: >> denied { getattr } for pid=1553 comm="alsactl" >> path="/etc/alsa/asound.state" dev=dm-0 ino=11076536 >> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file >> >> Not 100% sure why this now is reported against alsactl (instead of >> salsa); and shouldn't alsactl be running in 'alsa_t'? >> >> I did make one change to 90-alsa.rules: I changed 'RUN+="/sbin/salsa"' >> to RUN+="/sbin/salsa -l" on both ControlC* and pcm* lines. Not sure if >> that 'broke something'. >> > > I've managed to 'make sound come up on boot' by doing the following: > > 1. Change the 90-alsa.rules entry to: > SUBSYSTEM=="sound", KERNEL=="controlC*" RUN+="/sbin/salsa -l %n" > SUBSYSTEM=="sound", KERNEL=="pcm*" RUN+="/sbin/salsa" > > [Not sure if the changes to the first line or if the second line are > really needed.....] > > 2. Added the following 'local' policy: > > module fixsalsa 1.0; > > require { > type udev_t; > type alsa_etc_rw_t; > class file { read getattr }; > } > > #============= udev_t ============== > allow udev_t alsa_etc_rw_t:file { read getattr }; > > System now boots without AVCs in either /var/log/messages or > /var/log/audit/audit.log, and sound is properly saved on shutdown and > restored on boot. > > I am a bit confused, since /sbin/salsa is alsa_exec_t, so shouldn't > udev_t transition to alsa_t? > > tom It should now. 
policy 3.0.8-22 at least
From dwalsh at redhat.com Mon Oct 15 19:34:02 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 15 Oct 2007 15:34:02 -0400 Subject: SELinux problem after sendmail.mc modification. In-Reply-To: <470FDBB9.2040906@dupreeinc.com> References: <6FE441CD9F0C0C479F2D88F959B01588011004F8@exchange.columbia.tresys.com> <470FDBB9.2040906@dupreeinc.com> Message-ID: <4713C0AA.9030409@redhat.com> Doug Thistlethwaite wrote: > David, Thanks for the quick reply. I answered your questions in-line > below: > > David Caplan wrote: >> Doug, >> >> ... >>> My mail server was working fine secured by SELinux running in >>> enforcing mode. Our company lost connection to the Internet for a >>> couple days so I edited sendmail.mc to skip the domain check for the >>> duration. I edited the file, ran MAKE and restarted the sendmail >>> process. I also disabled spamd because all of the email would be >>> internal. >>> >>> >> >> Did you do all of the above as root/unconfined_t? The most likely >> problem (at least at that point) was a labeling problem. As you are >> running targeted policy it should not have caused a problem. >> >> > I assume that I did. I was logged in as root and did not even know > until now that something called unconfined_t existed. Initially, I > entered the commands suggested by setroubleshoot. >> >>> Well SELinux didn't like what I did and started to produce lots of AVC >>> messages and provided solutions to most of them. I followed the >>> suggestion in the "Allowing Access" section of the setroubleshoot >>> browser and most of the messages went away. >> >> Does that mean you added a local policy module? >> > > I don't think so.
I entered commands like the following: (Copied from > my command buffer) > > chcon -t httpd_sys_content_t /etc/mail/local-host-names > chcon -t httpd_sys_content_t /etc/mail/trusted-users > chcon -t httpd_sys_content_t submit.cf > chcon -t httpd_sys_content_t clientmqueue > chcon -t httpd_sys_content_t anon_inode:[eventpoll] > > The last one wouldn't work and this is when I decided to just disable > SELinux until my internet connection was restored. > > >> >>> After about a dozen of these >>> messages, I decided to just have the system "relabel on next reboot" >>> using the SELinux management tool. When that didn't fix the problem, I >>> just disabled SELinux until the Internet connection was fixed. >>> >>> So the connection was fixed, I fixed the sendmail.mc file to be >>> exactly the same as before the problem. I used MAKE on the file and >>> relabeled >>> the SELinux during a reboot and reset SELinux to enforcement mode. >>> Spamd will not start in enforcement mode. I get the following >>> setroubleshoot message: >>> >>> >> >> The indication below (in the "Additional Information" section) says that >> you are in Permissive, not Enforcing. Of course, things should work in >> Permissive mode. >> >> > Yes, I switched to Permissive mode so my users were not buried in spam. > The same messages were there in Enforcing mode. >>> Summary >>> SELinux is preventing spamd (spamd_t) "search" to mail >>> (httpd_sys_content_t). >>> >>> >> >> It doesn't seem like spamd should need access to httpd* files. If you >> are in Permissive mode that may not be what your problem is. What is the >> file related to this message (i.e., the path of the target directory >> that is labeled with httpd_sys_content_t)? >> > I have no idea. The information in my first message is everything that > was displayed in the setroubleshoot window. Other messages in the > setroubleshoot window show file names, but this one doesn't. How would > I find this out?
>> >>> Detailed Description >>> SELinux denied access requested by spamd. It is not expected that this >>> access is required by spamd and this access may signal an intrusion >>> attempt. It is also possible that the specific version or >>> configuration of the application is causing it to require additional >>> access. >>> >>> Allowing Access >>> Sometimes labeling problems can cause SELinux denials. You could try >>> to restore the default system file context for mail, restorecon -v >>> mail If >>> this does not work, there is currently no automatic way to allow >>> this >>> access. Instead, you can generate a local policy module to allow this >>> access - see FAQ Or you can disable SELinux protection altogether. >>> Disabling SELinux protection is not recommended. Please file a bug >>> report against this package. >>> >>> Additional Information >>> Source Context: system_u:system_r:spamd_t >>> Target Context: system_u:object_r:httpd_sys_content_t >>> Target Objects: mail [ dir ] >>> Affected RPM Packages: >>> Policy RPM: selinux-policy-2.6.4-46.fc7 >>> Selinux Enabled: True >>> Policy Type: targeted >>> MLS Enabled: True >>> Enforcing Mode: Permissive >>> Plugin Name: plugins.catchall_file >>> >>> >>> When I ran the suggested fix "restorecon -v mail" I get the following >>> error message: >>> lstat(mail) failed: No such file or directory >>> >>> >> >> I think you want to run this in the directory above the mail directory >> (e.g., this is typically /etc). Everything in /etc/mail should be >> labeled with etc_mail_t. You should also run it with -R.
For example: >> # restorecon -v mail >> lstat(mail) failed: No such file or directory >> # cd /etc >> # restorecon -v mail >> # chcon -t file_t mail/sendmail.mc >> # restorecon -v mail >> # ls -Z mail/sendmail.mc >> -rw-r--r-- root root system_u:object_r:file_t mail/sendmail.mc >> # restorecon -Rv mail >> restorecon reset /etc/mail/sendmail.mc context >> system_u:object_r:file_t:s0->system_u:object_r:etc_mail_t:s0 >> # >> >> > I ran the suggested commands and restarted sendmail, spamassassin and I > did the same restorecon command for any file listed in the error > messages. After this I sent an email through a web interface. I got > the following errors in setroubleshoot: > > #1 > > Summary > SELinux is preventing spamd (spamd_t) "search" to > mail(httpd_sys_content_t). > > Detailed Description > SELinux denied access requested by spamd. It is not expected that > this access is required by spamd and this access may signal an intrusion > attempt. > It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access > Sometimes labeling problems can cause SELinux denials. You could try > to restore the default system file context for mail, restorecon -v mail > If this > does not work, there is currently no automatic way to allow this access. > Instead, you can generate a local policy module to allow this access > - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you > can disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi > against this package. 
> > Additional Information > Source Context root:system_r:spamd_t > Target Context system_u:object_r:httpd_sys_content_t > Target Objects mail [ dir ] > Affected RPM Packages Policy RPM > selinux-policy-2.6.4-46.fc7 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name plugins.catchall_file > Host Name mail.dupreeinc.com > Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 > #1 SMP > Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64 > Alert Count 1 > First Seen Thu 11 Oct 2007 03:32:24 PM PDT > Last Seen Thu 11 Oct 2007 03:32:24 PM PDT > Local ID d478c85c-d36f-4fa3-9371-2ab3f4bb05f5 > Line Numbers > Raw Audit Messages > avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0 > exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="mail" > pid=31883 > scontext=root:system_r:spamd_t:s0 sgid=0 subj=root:system_r:spamd_t:s0 > suid=0 > tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1 > uid=0 > > #2 > > Summary > SELinux is preventing the /usr/sbin/sendmail.sendmail from using > potentially mislabeled files submit.cf (etc_mail_t). > > Detailed Description > SELinux has denied the /usr/sbin/sendmail.sendmail access to > potentially mislabeled files submit.cf. This means that SELinux will > not allow http to > use these files. Many third party apps install html files in > directories that SELinux policy can not predict. These directories have > to be labeled > with a file context which httpd can accesss. > > Allowing Access > If you want to change the file context of submit.cf so that the httpd > daemon can access it, you need to execute it using chcon -t > httpd_sys_content_t > submit.cf. You can look at the httpd_selinux man page for additional > information. 
> > Additional Information > Source Context system_u:system_r:httpd_sys_script_t > Target Context system_u:object_r:etc_mail_t > Target Objects submit.cf [ file ] > Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application] > Policy RPM selinux-policy-2.6.4-46.fc7 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name plugins.httpd_bad_labels > Host Name mail.dupreeinc.com > Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 > #1 SMP > Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64 > Alert Count 1 > First Seen Thu 11 Oct 2007 03:33:03 PM PDT > Last Seen Thu 11 Oct 2007 03:33:03 PM PDT > Local ID e67e0ecc-909e-44ba-8a80-106228c8e348 > Line Numbers > Raw Audit Messages > avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48 > exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48 > items=0 > name="submit.cf" pid=31906 > scontext=system_u:system_r:httpd_sys_script_t:s0 > sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file > tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48 > > > #3 > Summary > SELinux is preventing the /usr/sbin/sendmail.sendmail from using > potentially mislabeled files /etc/mail/submit.cf (etc_mail_t). > > Detailed Description > SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially > mislabeled files /etc/mail/submit.cf. This means that SELinux will not > allow http to use these files. Many third party apps install html > files in > directories that SELinux policy can not predict. These directories > have to > be labeled with a file context which httpd can accesss. > > Allowing Access > If you want to change the file context of /etc/mail/submit.cf so that > the > httpd daemon can access it, you need to execute it using chcon -t > httpd_sys_content_t /etc/mail/submit.cf. You can look at the > httpd_selinux > man page for additional information. 
> > Additional Information > Source Context system_u:system_r:httpd_sys_script_t > Target Context system_u:object_r:etc_mail_t > Target Objects /etc/mail/submit.cf [ file ] > Affected RPM Packages sendmail-8.14.1-4.2.fc7 > [application]sendmail-8.14.1-4.2.fc7 > [target] > Policy RPM selinux-policy-2.6.4-46.fc7 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name plugins.httpd_bad_labels > Host Name mail.dupreeinc.com > Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 > #1 SMP > Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64 > Alert Count 1 > First Seen Thu 11 Oct 2007 03:33:03 PM PDT > Last Seen Thu 11 Oct 2007 03:33:03 PM PDT > Local ID 10bd0547-6b5c-4b86-96e6-6bb16af2a64d > Line Numbers > Raw Audit Messages > avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48 > exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 > items=0 > name="submit.cf" path="/etc/mail/submit.cf" pid=31906 > scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 > subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file > tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48 > > > #4 > Summary > SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t) > "create" to (httpd_sys_script_t). > > Detailed Description > SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is > not > expected that this access is required by /usr/sbin/sendmail.sendmail and > this access may signal an intrusion attempt. It is also possible that > the > specific version or configuration of the application is causing it to > require additional access. > > Allowing Access > You can generate a local policy module to allow this access - see > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can > disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. 
> > Additional Information > Source Context system_u:system_r:httpd_sys_script_t > Target Context system_u:system_r:httpd_sys_script_t > Target Objects None [ unix_dgram_socket ] > Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application] > Policy RPM selinux-policy-2.6.4-46.fc7 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name plugins.catchall > Host Name mail.dupreeinc.com > Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 > #1 SMP > Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64 > Alert Count 1 > First Seen Thu 11 Oct 2007 03:33:03 PM PDT > Last Seen Thu 11 Oct 2007 03:33:03 PM PDT > Local ID ef574580-2190-4edc-8e54-b92181831531 > Line Numbers > Raw Audit Messages > avc: denied { create } for comm="sendmail" egid=51 euid=48 > exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48 > items=0 > pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 > subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 > tclass=unix_dgram_socket > tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48 > > #5 > > Summary > SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t) > "sendto" to /dev/log (syslogd_t). > > Detailed Description > SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is > not > expected that this access is required by /usr/sbin/sendmail.sendmail and > this access may signal an intrusion attempt. It is also possible that > the > specific version or configuration of the application is causing it to > require additional access. > > Allowing Access > You can generate a local policy module to allow this access - see > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can > disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi > against this package. 
> > Additional Information > Source Context system_u:system_r:httpd_sys_script_t > Target Context system_u:system_r:syslogd_t > Target Objects /dev/log [ unix_dgram_socket ] > Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application] > Policy RPM selinux-policy-2.6.4-46.fc7 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name plugins.catchall > Host Name mail.dupreeinc.com > Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 > #1 SMP > Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64 > Alert Count 1 > First Seen Thu 11 Oct 2007 03:33:03 PM PDT > Last Seen Thu 11 Oct 2007 03:33:03 PM PDT > Local ID 831be357-c006-4d42-8ab7-1634e2035ef4 > Line Numbers > Raw Audit Messages > avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48 > exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 > items=0 > name="log" path="/dev/log" pid=31906 > scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 > subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 > tclass=unix_dgram_socket > tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48 > > > #6 > > Summary > SELinux is preventing /usr/sbin/sendmail.sendmail (httpd_sys_script_t) > "write" to (httpd_sys_script_t). > > Detailed Description > SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is > not > expected that this access is required by /usr/sbin/sendmail.sendmail and > this access may signal an intrusion attempt. It is also possible that > the > specific version or configuration of the application is causing it to > require additional access. > > Allowing Access > You can generate a local policy module to allow this access - see > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can > disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. Please file a > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi > against this package. 
> > Additional Information > Source Context system_u:system_r:httpd_sys_script_t > Target Context system_u:system_r:httpd_sys_script_t > Target Objects None [ unix_dgram_socket ] > Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application] > Policy RPM selinux-policy-2.6.4-46.fc7 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name plugins.catchall > Host Name mail.dupreeinc.com > Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 > #1 SMP > Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64 > Alert Count 1 > First Seen Thu 11 Oct 2007 03:33:03 PM PDT > Last Seen Thu 11 Oct 2007 03:33:03 PM PDT > Local ID a793410a-36e5-4685-b82a-c7a0ddee7c44 > Line Numbers > Raw Audit Messages > avc: denied { write } for comm="sendmail" egid=51 euid=48 > exe="/usr/sbin/sendmail.sendmail" exit=141 fsgid=51 fsuid=48 gid=48 > items=0 > pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 > subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 > tclass=unix_dgram_socket > tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48 > > #7 > > Summary > SELinux is preventing the /usr/sbin/sendmail.sendmail from using > potentially > mislabeled files anon_inode:[eventpoll] (anon_inodefs_t). > > Detailed Description > SELinux has denied the /usr/sbin/sendmail.sendmail access to potentially > mislabeled files anon_inode:[eventpoll]. This means that SELinux > will not > allow http to use these files. Many third party apps install html > files in > directories that SELinux policy can not predict. These directories > have to > be labeled with a file context which httpd can accesss. > > Allowing Access > If you want to change the file context of anon_inode:[eventpoll] so > that the > httpd daemon can access it, you need to execute it using chcon -t > httpd_sys_content_t anon_inode:[eventpoll]. You can look at the > httpd_selinux man page for additional information. 
> > Additional Information > Source Context system_u:system_r:httpd_sys_script_t > Target Context system_u:object_r:anon_inodefs_t > Target Objects anon_inode:[eventpoll] [ file ] > Affected RPM Packages sendmail-8.14.1-4.2.fc7 [application] > Policy RPM selinux-policy-2.6.4-46.fc7 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name plugins.httpd_bad_labels > Host Name mail.dupreeinc.com > Platform Linux mail.dupreeinc.com 2.6.22.9-91.fc7 > #1 SMP > Thu Sep 27 20:47:39 EDT 2007 x86_64 x86_64 > Alert Count 1 > First Seen Thu 11 Oct 2007 03:33:03 PM PDT > Last Seen Thu 11 Oct 2007 03:33:03 PM PDT > Local ID 5c2f5b86-899e-44d6-ba25-906180a5731d > Line Numbers > Raw Audit Messages > avc: denied { read, write } for comm="sendmail" dev=anon_inodefs egid=51 > euid=48 > exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 > items=0 > name="[eventpoll]" path="anon_inode:[eventpoll]" pid=31906 > scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 > subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file > tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=48 > > > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Set the boolean httpd_can_sendmail on setsebool -P httpd_can_sendmail 1 This will allow httpd_sys_script_t to transition to sendmail_t and you should be able to send mail. 
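The boolean above works because, as Dan says, the denials were never a labeling problem: sendmail was executing inside httpd_sys_script_t instead of transitioning to sendmail_t, so every chcon on the files it touched only made the labels worse. The script below is an added example, not code from this list, from Fedora or from setroubleshoot. It parses raw AVC records in the three forms that appear in these threads (audit.log, dmesg and the setroubleshoot "Raw Audit Messages" line), groups them by source domain, target type and object class the way audit2allow does, prints the allow rule each group would turn into, and flags the two patterns the thread turns on: a target labeled with a customizable type such as httpd_sys_content_t, which a relabel or plain restorecon leaves alone (hence Paul's restorecon -F), and a daemon binary running in a domain other than its own, which points at a missing transition and a boolean rather than at the files. The sample input is the raw audit messages quoted in this thread with their line wrapping undone, plus one kernel-format line from the udev/alsa thread; EXPECTED_DOMAIN is an assumed mapping built only from the domains named in the thread, and CUSTOMIZABLE_TYPES lists only the type Paul names (the authoritative list is /etc/selinux/targeted/contexts/customizable_types).

```python
"""Triage raw SELinux AVC denials. Added example: not code from this list, Fedora or setroubleshoot.

Groups 'avc: denied' records by (source domain, target type, class), prints the allow rule
audit2allow would emit for each group, and flags two patterns this thread turns on:
  * target is a customizable type: a relabel or plain restorecon leaves it alone (-F does not);
  * a daemon runs outside its own domain: a missing transition, so look for a boolean.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Only the customizable type named in the thread; the authoritative list is
# /etc/selinux/targeted/contexts/customizable_types.
CUSTOMIZABLE_TYPES = {"httpd_sys_content_t"}
# Assumed for this example: the domain each binary is expected to run in.
EXPECTED_DOMAIN = {"sendmail": "sendmail_t", "spamd": "spamd_t"}


def context_type(ctx):
    """user:role:type[:range] -> type (the MLS range may itself contain ':')."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC record in audit.log, dmesg or setroubleshoot form; None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = sorted(m.group("perms").replace(",", " ").split())
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec


def allow_rule(stype, ttype, tclass, perms):
    """The rule audit2allow would generate for one group of denials."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def triage(lines):
    """Return (groups keyed by (stype, ttype, tclass), list of findings)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "objects": set()})
    findings = []
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        obj = rec.get("path") or rec.get("name")
        if obj:
            g["objects"].add(obj)
        if rec["ttype"] in CUSTOMIZABLE_TYPES:
            f = ("customizable_target", rec["ttype"], obj)
            if f not in findings:
                findings.append(f)
        expected = EXPECTED_DOMAIN.get(rec.get("comm"))
        if expected and expected != rec["stype"]:
            f = ("missing_transition", rec["comm"], rec["stype"], expected)
            if f not in findings:
                findings.append(f)
    return groups, findings


def report(lines):
    """One audit2allow-style rule per group, then the findings, as text."""
    groups, findings = triage(lines)
    out = [f"{g['count']:2d}x {allow_rule(*key, g['perms'])}  # {', '.join(sorted(g['objects'])) or '-'}"
           for key, g in sorted(groups.items())]
    for f in findings:
        if f[0] == "customizable_target":
            out.append(f"NOTE: {f[2]} is {f[1]}, a customizable type: a relabel skips it, use restorecon -F")
        else:
            out.append(f"NOTE: {f[1]} runs as {f[2]}, not {f[3]}: missing domain transition, "
                       "fix with a boolean (setsebool -P), not chcon")
    return "\n".join(out)


# Constructed sample: the raw audit messages quoted in this thread with their line
# wrapping undone, plus one dmesg-format line from the udev/alsa thread.
SAMPLE_AVCS = [
    'avc: denied { search } for comm="spamd" dev=dm-0 egid=0 euid=0 exe="/usr/bin/perl" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="mail" pid=31883 scontext=root:system_r:spamd_t:s0 sgid=0 subj=root:system_r:spamd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=pts1 uid=0',
    'avc: denied { read } for comm="sendmail" dev=dm-0 egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=3 fsgid=51 fsuid=48 gid=48 items=0 name="submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48',
    'avc: denied { getattr } for comm="sendmail" dev=dm-0 egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="submit.cf" path="/etc/mail/submit.cf" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=file tcontext=system_u:object_r:etc_mail_t:s0 tty=(none) uid=48',
    'avc: denied { sendto } for comm="sendmail" dev=tmpfs egid=51 euid=48 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=48 gid=48 items=0 name="log" path="/dev/log" pid=31906 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=51 subj=system_u:system_r:httpd_sys_script_t:s0 suid=48 tclass=unix_dgram_socket tcontext=system_u:system_r:syslogd_t:s0 tty=(none) uid=48',
    'Oct 9 07:08:33 localhost kernel: audit(1191938899.844:3): avc: denied { read } for pid=1553 comm="alsactl" name="asound.state" dev=dm-0 ino=11076536 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file',
]

if __name__ == "__main__":
    print(report(SAMPLE_AVCS))
```

Run it as-is to see the four rule lines and two NOTE lines for the sample; point it at your own input with `triage(open("/var/log/audit/audit.log"))`. The rule text is what you would get from audit2allow, and the point of printing it next to the findings is that for the sendmail group the correct action is the boolean, not that rule: loading an allow rule for httpd_sys_script_t against etc_mail_t would leave the web scripts running sendmail unconfined by the sendmail policy, which is exactly what the transition to sendmail_t exists to prevent.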
From mike.clarkson at baesystems.com Tue Oct 16 17:10:27 2007 From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA)) Date: Tue, 16 Oct 2007 10:10:27 -0700 Subject: policycoreutils version References: <1192535730.8702.4.camel@moss-spartans.epoch.ncsc.mil> Message-ID: Is "policycoreutils 2.0.19 or later" available as a Red Hat rpm or do I need to download this from another source? It's much easier for me to get approval to download directly from Red Hat than from other sources but it looks like 1.33.12 is the current version from Red Hat. > -----Original Message----- > From: Stephen Smalley [mailto:sds at tycho.nsa.gov] > Sent: Tuesday, October 16, 2007 4:56 AM > To: Clarkson, Mike R (US SSA) > Cc: selinux at tycho.nsa.gov; Joshua Brindle > Subject: Re: newrole authentication > > On Mon, 2007-10-15 at 16:12 -0700, Clarkson, Mike R (US SSA) wrote: > > Will someone point me to information or send me an example on how to set > > up newrole so that it does not ask for a password, so that it can be > > used like this within software "newrole -l s1 -- -c "? > > You need policycoreutils 2.0.19 or later, or you need to back port that > change to whatever newrole you have. > > See: > http://marc.info/?t=117769973100008&r=1&w=2 > http://marc.info/?l=selinux&m=117865153827263&w=2 > > Then you can set up a /etc/selinux/newrole_pam.conf file with e.g.: > /path/to/cmd newrole-noauth > and you can set up a /etc/pam.d/newrole-noauth file with pam_permit.so > as the auth module.
>
> --
> Stephen Smalley
> National Security Agency

From anebi at iguanait.com Thu Oct 18 07:58:35 2007
From: anebi at iguanait.com (Ali Nebi)
Date: Thu, 18 Oct 2007 10:58:35 +0300
Subject: Question About Amavisd audit messages
In-Reply-To: <20071016160013.C94EB732F3@hormel.redhat.com>
References: <20071016160013.C94EB732F3@hormel.redhat.com>
Message-ID: <1192694315.14128.2.camel@hugo.iguanait.com>

Hi,

I want to ask about some audit messages related to amavisd.

I get this kind of messages:

Oct 16 16:35:21 hermod kernel: audit(1192545321.959:4): avc: denied { name_bind } for pid=15305 comm="amavisd" src=3551 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:apcupsd_port_t:s0 tclass=udp_socket
Oct 17 06:41:11 hermod kernel: audit(1192596071.584:5): avc: denied { name_bind } for pid=1135 comm="amavisd" src=5353 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
Oct 17 14:45:13 hermod kernel: audit(1192625113.850:6): avc: denied { name_bind } for pid=8183 comm="amavisd" src=7004 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_ka_port_t:s0 tclass=udp_socket
Oct 17 22:33:30 hermod kernel: audit(1192653210.933:7): avc: denied { name_bind } for pid=20082 comm="amavisd" src=7004 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_ka_port_t:s0 tclass=udp_socket
Oct 17 23:00:40 hermod kernel: audit(1192654840.481:8): avc: denied { name_bind } for pid=21759 comm="amavisd" src=7007 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_bos_port_t:s0 tclass=udp_socket
Oct 18 08:59:38 hermod kernel: audit(1192690778.529:9): avc: denied { name_bind } for pid=25286 comm="amavisd" src=5353 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
Oct 18 09:32:09 hermod kernel: audit(1192692729.031:10): avc: denied { name_bind } for pid=28781 comm="amavisd" src=1194 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=udp_socket

These are a part of them. I allowed some of these, but there are many of these with different UDP ports. What can I do to solve this problem, because amavisd tries every time with a different port and I can't allow all of them?

Thanks in advance!

From gene.heskett at verizon.net Thu Oct 18 12:19:34 2007
From: gene.heskett at verizon.net (Gene Heskett)
Date: Thu, 18 Oct 2007 08:19:34 -0400
Subject: SELinux revisited
In-Reply-To: <200710180414.29745.gene.heskett@verizon.net>
References: <200710180325.21026.gene.heskett@verizon.net> <471710AA.3050103@warmcat.com> <200710180414.29745.gene.heskett@verizon.net>
Message-ID: <200710180819.34950.gene.heskett@verizon.net>

On Thursday 18 October 2007, Gene Heskett wrote:
>On Thursday 18 October 2007, Andy Green wrote:
>>Somebody in the thread at some point said:
>>> Greetings;
>>>
>>> Running 2.6.23 here, on an AMD XP-2800, gig of ram, lots of drive.
>>>
>>> I thought maybe I should give selinux another chance here. So I removed
>>> the selinux=0 in my grub.conf, and edited its .conf file in
>>> /etc/sysconfig to set it for permissive.
>>>
>>> On the reboot, the relabel wasn't done, so I looked around and reset a
>>> fresh /.autorelabel file and rebooted again. It was already present
>>> however.
>>>
>>> This time it did a very short autorelabel, maybe 2 screens full and was
>>> done in just a couple of seconds, at which point it went into yet another
>>> reboot cycle making me think it was stuck in a loop or something.
>>
>>Sounds like you are going about it in a good way FWIW.
>>
>>> But the next reboot then had auditd advise me there was an error in line
>>> 16 of /etc/audit/auditd.rules.
>>
>>That file looks like this here, in full:
>>
>># This file contains the auditctl rules that are loaded
>># whenever the audit daemon is started via the initscripts.
>># The rules are simply the parameters that would be passed
>># to auditctl.
>>
>># First rule - delete all
>>-D
>>
>># Increase the buffers to survive stress events.
>># Make this bigger for busy systems
>>-b 320
>>
>># Feel free to add below this line. See auditctl man page
>>
>>
>>Here's the state of the selinux packages here for reference
>>
>># rpm -qa | grep selinux
>>libselinux-2.0.14-9.fc7
>>libselinux-python-2.0.14-9.fc7
>>selinux-policy-targeted-2.6.4-48.fc7
>>selinux-policy-2.6.4-48.fc7
>># rpm -qa | grep audit
>>audit-libs-python-1.5.6-2.fc7
>>audit-libs-1.5.6-2.fc7
>>audit-1.5.6-2.fc7
>
>All fc6 here, but up to date.
>
>># chkconfig --list | grep audit
>>auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
>>
>>I would nuke the entries at the end of your /etc/audit/auditd.rules and
>>retry.
>
>I'll give that a shot tomorrow, it's getting sleepy out around here, 4am &
> I've already lost any chance at beauty sleep, which wouldn't help at my age
> anyway. :)
>
>>-Andy
>
>Thanks Andy.
>
Ok, up again, nuked a pint of coffee but it's too hot yet.

I commented that line 16 in audit.rules, and it moved the error to line 17, so I commented that one too.

Step & repeat until there is only one active line in the file, line 15.
--------------
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

-a exit,always -S chroot
#-a exit,always -S chdir -F obj_type=dhclient_t
#-a exit,always -S chdir -F obj_type=sendmail_t
#-a exit,always -S chdir -F obj_type=mcstransd_t
#-a exit,always -S chdir -F obj_type=sshd_t
#-a exit,always -S chdir -F obj_type=ntpd_t
#-a exit,always -S chdir -F obj_type=samba_t
#-a exit,always -S chdir -F obj_type=named_t
#-a exit,always -S chdir -F obj_type=klogd_t
#-a exit,always -S chdir -F obj_type=crond_t
#-a exit,always -S chdir -F obj_type=httpd_t
#-a exit,always -S chdir -F obj_type=auditd_t
#-a exit,always -S chdir -F obj_type=portmap_t
#-a exit,always -S chdir -F obj_type=syslogd_t
-----------
Now it seems to me that those rules were there for a reason, and to have to comment all but the first one out to get rid of the error:
---------
[root at coyote audit]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
Error sending add rule data request (Unknown error 524)
There was an error in line 27 of /etc/audit/audit.rules
[root at coyote audit]# vim audit.rules
[root at coyote audit]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
----------
isn't the real problem, so what do the experts here think?

SELinux is running in permissive mode, and seems to be logging res=success for everything so far, so it may be possible to set it to targeted. I figured if I tried it on a known, fully working system, that would be a hell of a lot more accurate test than trying to make it work on a fresh install, which forced me to disable it months ago.

Would it have logged res=denied for anything if set to permissive?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
A Vulcan can no sooner be disloyal than he can exist without breathing.
-- Kirk, "The Menagerie", stardate 3012.4

From sds at tycho.nsa.gov Thu Oct 18 13:54:24 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 18 Oct 2007 09:54:24 -0400
Subject: SELinux revisited
In-Reply-To: <200710180819.34950.gene.heskett@verizon.net>
References: <200710180325.21026.gene.heskett@verizon.net> <471710AA.3050103@warmcat.com> <200710180414.29745.gene.heskett@verizon.net> <200710180819.34950.gene.heskett@verizon.net>
Message-ID: <1192715664.32671.32.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-10-18 at 08:19 -0400, Gene Heskett wrote:
> On Thursday 18 October 2007, Gene Heskett wrote:
> >On Thursday 18 October 2007, Andy Green wrote:
> >>Somebody in the thread at some point said:
> >>> Greetings;
> >>>
> >>> Running 2.6.23 here, on an AMD XP-2800, gig of ram, lots of drive.
> >>>
> >>> I thought maybe I should give selinux another chance here. So I removed
> >>> the selinux=0 in my grub.conf, and edited its .conf file in
> >>> /etc/sysconfig to set it for permissive.
> >>>
> >>> On the reboot, the relabel wasn't done, so I looked around and reset a
> >>> fresh /.autorelabel file and rebooted again. It was already present
> >>> however.
> >>>
> >>> This time it did a very short autorelabel, maybe 2 screens full and was
> >>> done in just a couple of seconds, at which point it went into yet another
> >>> reboot cycle making me think it was stuck in a loop or something.
> >>
> >>Sounds like you are going about it in a good way FWIW.
> >>
> >>> But the next reboot then had auditd advise me there was an error in line
> >>> 16 of /etc/audit/auditd.rules.
> >>
> >>That file looks like this here, in full:
> >>
> >># This file contains the auditctl rules that are loaded
> >># whenever the audit daemon is started via the initscripts.
> >># The rules are simply the parameters that would be passed
> >># to auditctl.
> >>
> >># First rule - delete all
> >>-D
> >>
> >># Increase the buffers to survive stress events.
> >># Make this bigger for busy systems
> >>-b 320
> >>
> >># Feel free to add below this line. See auditctl man page
> >>
> >>
> >>Here's the state of the selinux packages here for reference
> >>
> >># rpm -qa | grep selinux
> >>libselinux-2.0.14-9.fc7
> >>libselinux-python-2.0.14-9.fc7
> >>selinux-policy-targeted-2.6.4-48.fc7
> >>selinux-policy-2.6.4-48.fc7
> >># rpm -qa | grep audit
> >>audit-libs-python-1.5.6-2.fc7
> >>audit-libs-1.5.6-2.fc7
> >>audit-1.5.6-2.fc7
> >
> >All fc6 here, but up to date.
> >
> >># chkconfig --list | grep audit
> >>auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
> >>
> >>I would nuke the entries at the end of your /etc/audit/auditd.rules and
> >>retry.
> >
> >I'll give that a shot tomorrow, it's getting sleepy out around here, 4am &
> > I've already lost any chance at beauty sleep, which wouldn't help at my age
> > anyway. :)
> >
> >>-Andy
> >
> >Thanks Andy.
> >
> Ok, up again, nuked a pint of coffee but it's too hot yet.
>
> I commented that line 16 in audit.rules, and it moved the error to line 17, so
> I commented that one too.
>
> Step & repeat until there is only one active line in the file, line 15.
> --------------
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
>
> # First rule - delete all
> -D
>
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
>
> # Feel free to add below this line. See auditctl man page
>
> -a exit,always -S chroot
> #-a exit,always -S chdir -F obj_type=dhclient_t
> #-a exit,always -S chdir -F obj_type=sendmail_t
> #-a exit,always -S chdir -F obj_type=mcstransd_t
> #-a exit,always -S chdir -F obj_type=sshd_t
> #-a exit,always -S chdir -F obj_type=ntpd_t
> #-a exit,always -S chdir -F obj_type=samba_t
> #-a exit,always -S chdir -F obj_type=named_t
> #-a exit,always -S chdir -F obj_type=klogd_t
> #-a exit,always -S chdir -F obj_type=crond_t
> #-a exit,always -S chdir -F obj_type=httpd_t
> #-a exit,always -S chdir -F obj_type=auditd_t
> #-a exit,always -S chdir -F obj_type=portmap_t
> #-a exit,always -S chdir -F obj_type=syslogd_t
> -----------
> Now it seems to me that those rules were there for a reason, and to have to
> comment all but the first one out to get rid of the error:
> ---------
> [root at coyote audit]# service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Error sending add rule data request (Unknown error 524)
> There was an error in line 27 of /etc/audit/audit.rules
> [root at coyote audit]# vim audit.rules
> [root at coyote audit]# service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> ----------
> isn't the real problem, so what do the experts here think?

Normally the default audit.rules doesn't contain any filters. Perhaps the audit maintainer accidentally shipped an audit.rules with some test filters? Those particular filters might not work on older kernels.

> SELinux is running in permissive mode, and seems to be logging res=success for
> everything so far, so it may be possible to set it to targeted. I figured if
> I tried it on a known, fully working system, that would be a hell of a lot
> more accurate test than trying to make it work on a fresh install, which
> forced me to disable it months ago.
>
> Would it have logged res=denied for anything if set to permissive?

No, because permissive doesn't return an error from the system call.
So you are still looking for avc messages, e.g. /sbin/ausearch -i -m avc, as indications that something would have been denied by SELinux. setroubleshoot should report them too if you have that installed.

--
Stephen Smalley
National Security Agency

From selinux at gmail.com Thu Oct 18 14:37:29 2007
From: selinux at gmail.com (Tom London)
Date: Thu, 18 Oct 2007 07:37:29 -0700
Subject: setroubleshoot question: database.xml ?
Message-ID: <4c4ba1530710180737w2716f798vae690afca9c6c86b@mail.gmail.com>

I noticed that the initscript for setroubleshoot has a 'cleardb' entry that refers to /var/lib/setroubleshoot/database.xml:

cleardb(){
    running=0
    [ -e /var/lock/subsys/$prog ] && running=1
    [ $running == 1 ] && stop
    echo $"Clearing database"
    rm -f /var/lib/setroubleshoot/database.xml
    [ $running == 1 ] && start
    return 0
}

But I don't seem to have that file:

[tbl at localhost init.d]$ ls -l /var/lib/setroubleshoot
total 256
-rw------- 1 root root 251139 2007-10-11 09:42 audit_listener_database.xml
[tbl at localhost init.d]$

/usr/lib/python2.5/site-packages/setroubleshoot/config.py refers to audit_listener:

    'database' : {
        'database_dir' : {
            'value' : '/var/lib/setroubleshoot',
            'description' : '',
        },
        'filename' : {
            'value' : 'audit_listener',
            'description' : '',

Is there a mismatch here? My over reading?

tom
--
Tom London

From sds at tycho.nsa.gov Thu Oct 18 14:33:35 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 18 Oct 2007 10:33:35 -0400
Subject: setroubleshoot question: database.xml ?
In-Reply-To: <4c4ba1530710180737w2716f798vae690afca9c6c86b@mail.gmail.com>
References: <4c4ba1530710180737w2716f798vae690afca9c6c86b@mail.gmail.com>
Message-ID: <1192718015.32671.35.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-10-18 at 07:37 -0700, Tom London wrote:
> I noticed that the initscript for setroubleshoot has a 'cleardb' entry
> that refers to /var/lib/setroubleshoot/database.xml:
>
> cleardb(){
>     running=0
>     [ -e /var/lock/subsys/$prog ] && running=1
>     [ $running == 1 ] && stop
>     echo $"Clearing database"
>     rm -f /var/lib/setroubleshoot/database.xml
>     [ $running == 1 ] && start
>     return 0
> }
>
> But I don't seem to have that file:
>
> [tbl at localhost init.d]$ ls -l /var/lib/setroubleshoot
> total 256
> -rw------- 1 root root 251139 2007-10-11 09:42 audit_listener_database.xml
> [tbl at localhost init.d]$
>
> /usr/lib/python2.5/site-packages/setroubleshoot/config.py refers to
> audit_listener:
>
>     'database' : {
>         'database_dir' : {
>             'value' : '/var/lib/setroubleshoot',
>             'description' : '',
>         },
>         'filename' : {
>             'value' : 'audit_listener',
>             'description' : '',
>
> Is there a mismatch here? My over reading?

looks like a bug to me - bugzilla it.

--
Stephen Smalley
National Security Agency

From selinux at gmail.com Thu Oct 18 14:53:50 2007
From: selinux at gmail.com (Tom London)
Date: Thu, 18 Oct 2007 07:53:50 -0700
Subject: setroubleshoot question: database.xml ?
In-Reply-To: <1192718015.32671.35.camel@moss-spartans.epoch.ncsc.mil>
References: <4c4ba1530710180737w2716f798vae690afca9c6c86b@mail.gmail.com> <1192718015.32671.35.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <4c4ba1530710180753y68403a2an17747918554365b2@mail.gmail.com>

On 10/18/07, Stephen Smalley wrote:
> On Thu, 2007-10-18 at 07:37 -0700, Tom London wrote:
> > I noticed that the initscript for setroubleshoot has a 'cleardb' entry
> > that refers to /var/lib/setroubleshoot/database.xml:
> >
> > cleardb(){
> >     running=0
> >     [ -e /var/lock/subsys/$prog ] && running=1
> >     [ $running == 1 ] && stop
> >     echo $"Clearing database"
> >     rm -f /var/lib/setroubleshoot/database.xml
> >     [ $running == 1 ] && start
> >     return 0
> > }
> >
> > But I don't seem to have that file:
> >
> > [tbl at localhost init.d]$ ls -l /var/lib/setroubleshoot
> > total 256
> > -rw------- 1 root root 251139 2007-10-11 09:42 audit_listener_database.xml
> > [tbl at localhost init.d]$
> >
> > /usr/lib/python2.5/site-packages/setroubleshoot/config.py refers to
> > audit_listener:
> >
> >     'database' : {
> >         'database_dir' : {
> >             'value' : '/var/lib/setroubleshoot',
> >             'description' : '',
> >         },
> >         'filename' : {
> >             'value' : 'audit_listener',
> >             'description' : '',
> >
> > Is there a mismatch here? My over reading?
>
> looks like a bug to me - bugzilla it.
>
> --
> Stephen Smalley
> National Security Agency
>
>
Done: https://bugzilla.redhat.com/show_bug.cgi?id=338071

--
Tom London

From mjs at CLEMSON.EDU Thu Oct 18 17:23:24 2007
From: mjs at CLEMSON.EDU (Matthew Saltzman)
Date: Thu, 18 Oct 2007 13:23:24 -0400
Subject: SELinux revisited
In-Reply-To: <200710180819.34950.gene.heskett@verizon.net>
References: <200710180325.21026.gene.heskett@verizon.net> <471710AA.3050103@warmcat.com> <200710180414.29745.gene.heskett@verizon.net> <200710180819.34950.gene.heskett@verizon.net>
Message-ID: <1192728204.9767.6.camel@vincent52.localdomain>

On Thu, 2007-10-18 at 08:19 -0400, Gene Heskett wrote:
> On Thursday 18 October 2007, Gene Heskett wrote:
> >On Thursday 18 October 2007, Andy Green wrote:
> >>Somebody in the thread at some point said:
> >>> Greetings;
> >>>
> >>> Running 2.6.23 here, on an AMD XP-2800, gig of ram, lots of drive.
> >>>
> >>> I thought maybe I should give selinux another chance here. So I removed
> >>> the selinux=0 in my grub.conf, and edited its .conf file in
> >>> /etc/sysconfig to set it for permissive.
> >>>
> >>> On the reboot, the relabel wasn't done, so I looked around and reset a
> >>> fresh /.autorelabel file and rebooted again. It was already present
> >>> however.
> >>>
> >>> This time it did a very short autorelabel, maybe 2 screens full and was
> >>> done in just a couple of seconds, at which point it went into yet another
> >>> reboot cycle making me think it was stuck in a loop or something.
> >>
> >>Sounds like you are going about it in a good way FWIW.
> >>
> >>> But the next reboot then had auditd advise me there was an error in line
> >>> 16 of /etc/audit/auditd.rules.
> >>
> >>That file looks like this here, in full:
> >>
> >># This file contains the auditctl rules that are loaded
> >># whenever the audit daemon is started via the initscripts.
> >># The rules are simply the parameters that would be passed
> >># to auditctl.
> >>
> >># First rule - delete all
> >>-D
> >>
> >># Increase the buffers to survive stress events.
> >># Make this bigger for busy systems
> >>-b 320
> >>
> >># Feel free to add below this line. See auditctl man page
> >>
> >>
> >>Here's the state of the selinux packages here for reference
> >>
> >># rpm -qa | grep selinux
> >>libselinux-2.0.14-9.fc7
> >>libselinux-python-2.0.14-9.fc7
> >>selinux-policy-targeted-2.6.4-48.fc7
> >>selinux-policy-2.6.4-48.fc7
> >># rpm -qa | grep audit
> >>audit-libs-python-1.5.6-2.fc7
> >>audit-libs-1.5.6-2.fc7
> >>audit-1.5.6-2.fc7
> >
> >All fc6 here, but up to date.
> >
> >># chkconfig --list | grep audit
> >>auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
> >>
> >>I would nuke the entries at the end of your /etc/audit/auditd.rules and
> >>retry.
> >
> >I'll give that a shot tomorrow, it's getting sleepy out around here, 4am &
> > I've already lost any chance at beauty sleep, which wouldn't help at my age
> > anyway. :)
> >
> >>-Andy
> >
> >Thanks Andy.
> >
> Ok, up again, nuked a pint of coffee but it's too hot yet.
>
> I commented that line 16 in audit.rules, and it moved the error to line 17, so
> I commented that one too.
>
> Step & repeat until there is only one active line in the file, line 15.
> --------------
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
>
> # First rule - delete all
> -D
>
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
>
> # Feel free to add below this line. See auditctl man page
>
> -a exit,always -S chroot
> #-a exit,always -S chdir -F obj_type=dhclient_t
> #-a exit,always -S chdir -F obj_type=sendmail_t
> #-a exit,always -S chdir -F obj_type=mcstransd_t
> #-a exit,always -S chdir -F obj_type=sshd_t
> #-a exit,always -S chdir -F obj_type=ntpd_t
> #-a exit,always -S chdir -F obj_type=samba_t
> #-a exit,always -S chdir -F obj_type=named_t
> #-a exit,always -S chdir -F obj_type=klogd_t
> #-a exit,always -S chdir -F obj_type=crond_t
> #-a exit,always -S chdir -F obj_type=httpd_t
> #-a exit,always -S chdir -F obj_type=auditd_t
> #-a exit,always -S chdir -F obj_type=portmap_t
> #-a exit,always -S chdir -F obj_type=syslogd_t
> -----------
> Now it seems to me that those rules were there for a reason, and to have to
> comment all but the first one out to get rid of the error:
> ---------
> [root at coyote audit]# service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Error sending add rule data request (Unknown error 524)
> There was an error in line 27 of /etc/audit/audit.rules
> [root at coyote audit]# vim audit.rules
> [root at coyote audit]# service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> ----------
> isn't the real problem, so what do the experts here think?

I don't know the rule syntax, but just looking at the source, it appears to me that the rule on line 15 is malformed (at least compared to the others). If that rule is not complete in itself, the error would appear when it tries to use the following line to complete it. What happens if you comment line 15?

>
> SELinux is running in permissive mode, and seems to be logging res=success for
> everything so far, so it may be possible to set it to targeted. I figured if
> I tried it on a known, fully working system, that would be a hell of a lot
> more accurate test than trying to make it work on a fresh install, which
> forced me to disable it months ago.
>
> Would it have logged res=denied for anything if set to permissive?
>
--
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

From dwalsh at redhat.com Fri Oct 19 18:39:11 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 19 Oct 2007 14:39:11 -0400
Subject: Question About Amavisd audit messages
In-Reply-To: <1192694315.14128.2.camel@hugo.iguanait.com>
References: <20071016160013.C94EB732F3@hormel.redhat.com> <1192694315.14128.2.camel@hugo.iguanait.com>
Message-ID: <4718F9CF.4070201@redhat.com>

Ali Nebi wrote:
> Hi,
>
> I want to ask about some audit messages related to amavisd.
>
> I get this kind of messages:
>
> Oct 16 16:35:21 hermod kernel: audit(1192545321.959:4): avc: denied { name_bind } for pid=15305 comm="amavisd" src=3551 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:apcupsd_port_t:s0 tclass=udp_socket
> Oct 17 06:41:11 hermod kernel: audit(1192596071.584:5): avc: denied { name_bind } for pid=1135 comm="amavisd" src=5353 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> Oct 17 14:45:13 hermod kernel: audit(1192625113.850:6): avc: denied { name_bind } for pid=8183 comm="amavisd" src=7004 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_ka_port_t:s0 tclass=udp_socket
> Oct 17 22:33:30 hermod kernel: audit(1192653210.933:7): avc: denied { name_bind } for pid=20082 comm="amavisd" src=7004 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_ka_port_t:s0 tclass=udp_socket
> Oct 17 23:00:40 hermod kernel: audit(1192654840.481:8): avc: denied { name_bind } for pid=21759 comm="amavisd" src=7007 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_bos_port_t:s0 tclass=udp_socket
> Oct 18 08:59:38 hermod kernel: audit(1192690778.529:9): avc: denied { name_bind } for pid=25286 comm="amavisd" src=5353 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> Oct 18 09:32:09 hermod kernel: audit(1192692729.031:10): avc: denied { name_bind } for pid=28781 comm="amavisd" src=1194 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=udp_socket
>
> These are a part of them. I allowed some of these, but there are many of
> these with different UDP ports. What can I do to solve this problem,
> because amavisd tries every time with a different port and I can't allow
> all of them?
>
> Thanks in advance!
>

amavis_t is binding to random ports > 1024; occasionally it is hitting a named port and getting a denial. At that point it goes off and gets another port. When it gets a port that is not defined, it succeeds. The policy needs a dontaudit rule to remove these avcs. So the combination in policy is necessary.

corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)

This basically says amavis_t can bind to any udp port labeled port_t, and if it attempts to bind to a port that is labeled anything other than port_t, dontaudit.

This will be fixed in selinux-policy-3.0.8.28

From cra at WPI.EDU Fri Oct 19 18:42:33 2007
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 19 Oct 2007 14:42:33 -0400
Subject: allowing in.tftpd to read/write files?
Message-ID: <20071019184233.GQ4751@angus.ind.WPI.EDU>

How do I allow tftpd to write files? I changed the context to "system_u:object_r:public_content_rw_t:s0" but that doesn't work.
Also I'm using /var/tftp instead of /tftpboot, and there doesn't seem to be any file_contexts set up for /var/tftp. I manually set the context to match that of /tftpboot:

drwxr-xr-x  root root system_u:object_r:tftpdir_t      /tftpboot//
drwxrwsr-x  tftp tftp system_u:object_r:tftpdir_t      /var/tftp/

-rw-rw-rw-  cra  tftp system_u:object_r:public_content_rw_t /var/tftp/testfile

type=AVC msg=audit(1192818715.964:10131): avc: denied { write } for pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 ino=84549655 scontext=user_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5 success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0 ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd" exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)

Thanks.

From cra at WPI.EDU Fri Oct 19 18:57:23 2007
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 19 Oct 2007 14:57:23 -0400
Subject: allowing in.tftpd to read/write files?
In-Reply-To: <20071019184233.GQ4751@angus.ind.WPI.EDU>
References: <20071019184233.GQ4751@angus.ind.WPI.EDU>
Message-ID: <20071019185723.GR4751@angus.ind.WPI.EDU>

On Fri, Oct 19, 2007 at 02:42:33PM -0400, Chuck Anderson wrote:
> How do I allow tftpd to write files?

I ended up creating the following local policy. Should this type of thing be put into the standard policy package?
#cat /root/tftp.te
module tftp 1.0;

require {
        type public_content_t;
        type tftpd_t;
        type public_content_rw_t;
        class dir search;
        class file { read write getattr };
}

#============= tftpd_t ==============
allow tftpd_t public_content_rw_t:file { write read getattr };
allow tftpd_t public_content_t:dir search;
allow tftpd_t public_content_t:file { read getattr };

From dwalsh at redhat.com Fri Oct 19 18:59:58 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 19 Oct 2007 14:59:58 -0400
Subject: allowing in.tftpd to read/write files?
In-Reply-To: <20071019184233.GQ4751@angus.ind.WPI.EDU>
References: <20071019184233.GQ4751@angus.ind.WPI.EDU>
Message-ID: <4718FEAE.6070802@redhat.com>

Chuck Anderson wrote:
> How do I allow tftpd to write files? I changed the context to
> "system_u:object_r:public_content_rw_t:s0" but that doesn't work.
> Also I'm using /var/tftp instead of /tftpboot, and there doesn't seem
> to be any file_contexts set up for /var/tftp. I manually set the
> context to match that of /tftpboot:
>
> drwxr-xr-x  root root system_u:object_r:tftpdir_t      /tftpboot//
> drwxrwsr-x  tftp tftp system_u:object_r:tftpdir_t      /var/tftp/
>
> -rw-rw-rw-  cra  tftp system_u:object_r:public_content_rw_t /var/tftp/testfile
>
> type=AVC msg=audit(1192818715.964:10131): avc: denied { write } for
> pid=15860 comm="in.tftpd" name="testfile" dev=dm-4
> ino=84549655 scontext=user_u:system_r:tftpd_t:s0
> tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
> type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5
> success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0
> ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99
> egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd"
> exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)
>
> Thanks.
>
I did not even know you could upload with tftp.

Is this common? I would think this is dangerous and insecure, but with SELinux you could make it a little more secure.

tftp can only read public_content policy

So we have three options.

1 Use audit2allow to generate policy to allow tftp to write to the files/directory you want.

2. convince me or upstream that tftp should be able to write to public_content_rw_t.

BTW, I was at WPI this past Tuesday at the Robot Symposium. It was quite good.

From cra at WPI.EDU Fri Oct 19 20:58:57 2007
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 19 Oct 2007 16:58:57 -0400
Subject: allowing in.tftpd to read/write files?
In-Reply-To: <4718FEAE.6070802@redhat.com>
References: <20071019184233.GQ4751@angus.ind.WPI.EDU> <4718FEAE.6070802@redhat.com>
Message-ID: <20071019205857.GS4751@angus.ind.WPI.EDU>

On Fri, Oct 19, 2007 at 02:59:58PM -0400, Daniel J Walsh wrote:
> Is this common? I would think this is dangerous and insecure, but with
> SELinux you could make it a little more secure.

Well, I suppose it is somewhat less common than reading, but there are many embedded-type devices that can only get/put files via TFTP.

> tftp can only read public_content policy

Strange that I had to add policy to allow it to read. Here is the sequence of events:

1. When I installed this server and set up TFTP, I changed /etc/xinetd.d/tftp to use the /var/tftp directory instead of /tftpboot:

# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol. The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -c -s /var/tftp
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}

2. All files in /var/tftp had the default labeling (this is Fedora Core 6 BTW). According to older audit logs, this was: user_u:object_r:var_t:s0

3. Reading worked fine with var_t files!?!

4. I tried to upload a file via TFTP, and it failed.

5. I saw the audit messages and tried relabelling everything as public_content:

chcon system_u:object_r:tftpdir_t /var/tftp
chcon -R system_u:object_r:public_content_t /var/tftp/*
chcon system_u:object_r:public_content_rw_t /var/tftp/select-files-to-be-writeable

6. I noticed that reading failed. So var_t files could be read, but public_content_t files could not. Strange.

7. I created local policy to allow tftp to read public_content_t and read/write public_content_rw_t.

> 1 Use audit2allow to generate policy to allow tftp to write to the
> files/directory you want.

Done. See my other message.

> 2. convince me or upstream that tftp should be able to write to
> public_content_rw_t.

I think this would be a good idea. Perhaps at the same time we should make sure /var/tftp is in file_contexts, and make sure public_content_t works for reading as well (perhaps this was already fixed in Fedora 7 or newer policy).

> BTW, I was at WPI this past Tuesday at the Robot Symposium. It was
> quite good.

Darn. It would have been nice to meet you in person. Glad you liked it.

From Per.t.Sjoholm at flysta.net Fri Oct 19 21:27:28 2007
From: Per.t.Sjoholm at flysta.net (Per Sjoholm)
Date: Fri, 19 Oct 2007 23:27:28 +0200
Subject: allowing in.tftpd to read/write files?
In-Reply-To: <4718FEAE.6070802@redhat.com>
References: <20071019184233.GQ4751@angus.ind.WPI.EDU> <4718FEAE.6070802@redhat.com>
Message-ID: <47192140.6000906@flysta.net>

tftp is used both for booting network devices like switches, routers, ADSL modems etc.... And also to let them save a configuration file or a log file. Often there are no alternatives for these devices.

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chuck Anderson wrote:
>
>> How do I allow tftpd to write files? I changed the context to
>> "system_u:object_r:public_content_rw_t:s0" but that doesn't work.
>> Also I'm using /var/tftp instead of /tftpboot, and there doesn't seem
>> to be any file_contexts set up for /var/tftp. I manually set the
>> context to match that of /tftpboot:
>>
>> drwxr-xr-x root root system_u:object_r:tftpdir_t /tftpboot//
>> drwxrwsr-x tftp tftp system_u:object_r:tftpdir_t /var/tftp/
>>
>> -rw-rw-rw- cra tftp system_u:object_r:public_content_rw_t /var/tftp/testfile
>>
>> type=AVC msg=audit(1192818715.964:10131): avc: denied { write } for
>> pid=15860 comm="in.tftpd" name="testfile" dev=dm-4
>> ino=84549655 scontext=user_u:system_r:tftpd_t:s0
>> tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
>> type=SYSCALL msg=audit(1192818715.964:10131): arch=40000003 syscall=5
>> success=no exit=-13 a0=805fa02 a1=8041 a2=1b6 a3=8041 items=0
>> ppid=15781 pid=15860 auid=10002 uid=99 gid=99 euid=99 suid=99 fsuid=99
>> egid=99 sgid=99 fsgid=99 tty=(none) comm="in.tftpd"
>> exe="/usr/sbin/in.tftpd" subj=user_u:system_r:tftpd_t:s0 key=(null)
>>
>> Thanks.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> I did not even know you could upload with tftp.
>
> Is this common? I would think this is dangerous and insecure, but with
> SELinux you could make it a little more secure.
>
> tftp can only read public_content policy
>
> So we have three options.
>
> 1 Use audit2allow to generate policy to allow tftp to write to the
> files/directory you want.
>
> 2. convince me or upstream that tftp should be able to write to
> public_content_rw_t.
>
> BTW, I was at WPI this past Tuesday at the Robot Symposium. It was
> quite good.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFHGP6urlYvE4MpobMRAgHjAKDb45z3W1JULWg/8VmkXr2BReRWAwCg126n
> 4NPy8tcl5A5ztiCOJIKAP5E=
> =8i2h
> -----END PGP SIGNATURE-----
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From wolfy at nobugconsulting.ro Sat Oct 20 14:48:48 2007
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Sat, 20 Oct 2007 17:48:48 +0300
Subject: allowing in.tftpd to read/write files?
In-Reply-To: <47192140.6000906@flysta.net>
References: <20071019184233.GQ4751@angus.ind.WPI.EDU> <4718FEAE.6070802@redhat.com> <47192140.6000906@flysta.net>
Message-ID: <471A1550.5030903@nobugconsulting.ro>

On 10/20/2007 12:27 AM, Per Sjoholm wrote:
> tftp is used both for booting network devices like switches, routers,
> ADSL modem etc....
> And also to let them save a configuration file or a log file.

I use tftp almost weekly to backup the config of my Cisco and HP switches (i.e. transfer them from the devices to a storage server).

From linux_4ever at yahoo.com Sun Oct 21 13:12:26 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Sun, 21 Oct 2007 06:12:26 -0700 (PDT)
Subject: SELinux revisited
Message-ID: <575405.62452.qm@web51511.mail.re2.yahoo.com>

Hi,

>>> But the next reboot then had auditd advise me there was an error in line
>>> 16 of /etc/audit/auditd.rules.

Which audit package are you using? FWIW, audit and selinux are different subsystems. If you have audit problems, it would be more helpful to change the subject line so that it catches my attention. I do not read every SE Linux email.
:)

>-a exit,always -S chroot
>#-a exit,always -S chdir -F obj_type=dhclient_t
>-----------
>Now it seems to me that those rules were there for a reason, and to have to
>comment all but the first one out to get rid of the error:

These are not default audit rules. You or someone with access to your machine would have put these there. Did they work when you originally installed them and they quit working recently?

>Starting auditd: [ OK ]
>Error sending add rule data request (Unknown error 524)
>There was an error in line 27 of /etc/audit/audit.rules

To know what is happening, I'd need to know your audit package version and kernel version. And then I'd need to see the actual rule and an strace of loading just that one rule from the command line.

>isn't the real problem, so what do the experts here think?

The audit system complements SE Linux in that it records the results of Access Vector Calculations (AVCs) whenever the rules say to. But SE Linux will work without the audit system.

>SELinux is running in permissive mode, and seems to be logging res=success for
>everything so far,

SE Linux does not record "res=" fields. That is the audit system doing its normal stuff. To see if you have denials, I'd run the summary report: "aureport --start today" to see if you have anything in the avc row. If so, you can look deeper with "aureport --start today --avc -i"

You would look for denied in the second to last column of each row. An example:

1. 10/15/2007 20:14:07 vpnc-script user_u:system_r:vpnc_t:s0 stat file getattr system_u:object_r:var_run_t:s0 denied 180

>Would it have logged res=denied for anything if set to permissive?

You need to look for "denied" in avc records.

-Steve

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo!
Mail has the best spam protection around
http://mail.yahoo.com

From linux_4ever at yahoo.com Sun Oct 21 13:19:58 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Sun, 21 Oct 2007 06:19:58 -0700 (PDT)
Subject: SELinux revisited
Message-ID: <419109.28932.qm@web51509.mail.re2.yahoo.com>

>> # This file contains the auditctl rules that are loaded
>> # whenever the audit daemon is started via the initscripts.
>> # The rules are simply the parameters that would be passed
>> # to auditctl.
>>
>> # First rule - delete all
>> -D
>>
>> # Increase the buffers to survive stress events.
>> # Make this bigger for busy systems
>> -b 320
>>
>> # Feel free to add below this line. See auditctl man page
>>
>> -a exit,always -S chroot
>> #-a exit,always -S chdir -F obj_type=dhclient_t
>
>I don't know the rule syntax, but just looking at the source, it appears
>to me that the rule on line 15 is malformed (at least compared to the
>others).

All of those rules look fine for audit package > 1.3 and kernel probably > 2.6.21. But those rules are not default and would have taken some research to come up with since I know of no public examples of auditing by selinux context.

-Steve

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From Per.t.Sjoholm at flysta.net Sun Oct 21 14:31:07 2007
From: Per.t.Sjoholm at flysta.net (Per Sjoholm)
Date: Sun, 21 Oct 2007 16:31:07 +0200
Subject: Run webapp/MoinMoin as a SELinux domain
Message-ID: <471B62AB.9080507@flysta.net>

I would like to lock down different web apps run by httpd (apache). As it is today, the only way to let MoinMoin send email is to allow all to use sendmail. I use a db and that means that every application is allowed to ...

Is it possible to have httpd confined and only open needed net resources for certain apps? To use some form of m4 macro.
/var/www/moin/xyx/cgi-bin/moin.cgi -> httpd-xyz_t
/var/www/moin/xxx/cgi-bin/moin.cgi -> httpd-xxx_t

--
Per Sjöholm
Spanga, Stockholm, Sweden

From gene.heskett at verizon.net Sun Oct 21 15:18:26 2007
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sun, 21 Oct 2007 11:18:26 -0400
Subject: SELinux revisited
In-Reply-To: <419109.28932.qm@web51509.mail.re2.yahoo.com>
References: <419109.28932.qm@web51509.mail.re2.yahoo.com>
Message-ID: <200710211118.26779.gene.heskett@verizon.net>

On Sunday 21 October 2007, Steve G wrote:
[...]
>>> # Feel free to add below this line. See auditctl man page
>>>
>>> -a exit,always -S chroot
>>> #-a exit,always -S chdir -F obj_type=dhclient_t
>>
>>I don't know the rule syntax, but just looking at the source, it
>> appears
>>to me that the rule on line 15 is malformed (at least compared to the
>>others).
>
>All of those rules look fine for audit package > 1.3 and kernel probably
> > 2.6.21. But those rules are not default and would have taken some research
> to come up with since I know of no public examples of auditing by selinux
> context.

So what should line 15 look like today?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Mix a little foolishness with your serious plans; it's lovely to be silly at the right moment.
-- Horace

From linux_4ever at yahoo.com Sun Oct 21 18:01:08 2007
From: linux_4ever at yahoo.com (Steve G)
Date: Sun, 21 Oct 2007 11:01:08 -0700 (PDT)
Subject: SELinux revisited
Message-ID: <456541.59075.qm@web51504.mail.re2.yahoo.com>

> >All of those rules look fine for audit package > 1.3 and
> > kernel probably > 2.6.21. But those rules are not default
> > and would have taken some research to come up with
> > since I know of no public examples of auditing by selinux
> > context.
>
> So what should line 15 look like today?

There is no line 15.
The default audit rules are simply 14 lines ending with "feel free to add rules below this". And that is where all your problems are. The audit by obj_type would have a very esoteric use and would encode knowledge of a specific selinux policy, so it's not something I'd ever ship by default - even in sample rules.

-Steve

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From kaigai at ak.jp.nec.com Mon Oct 22 08:53:39 2007
From: kaigai at ak.jp.nec.com (KaiGai Kohei)
Date: Mon, 22 Oct 2007 17:53:39 +0900
Subject: [busybox:01282] Re: BUG? in mkswap (Re: The current status of sebusybox project)
In-Reply-To: <20071022083620.GT6325@petra.dvoda.cz>
References: <470C532E.5020108@ak.jp.nec.com> <470C59B1.1050306@ak.jp.nec.com> <20071022083620.GT6325@petra.dvoda.cz>
Message-ID: <471C6513.9070008@ak.jp.nec.com>

Karel Zak wrote:
> On Wed, Oct 10, 2007 at 01:48:49PM +0900, KaiGai Kohei wrote:
>> Can I consider that you are the most appropriate person to report
>> about the following matter?
>
> Yes.
>
>> Pay attention around line 741.
>> If fgetfilecon() fails and returns -ENODATA, context_new() will be
>> called with uninitialized oldcontext in the next. Then, it causes
>> a segmentation fault.
>
> Thanks for your patch. Applied to upstream repository. (I've added
> "Signed-off-by: KaiGai Kohei ", I hope you
> agree.)

I agree with the additional "Signed-off-by:" line, of course.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei

From gene.heskett at verizon.net Mon Oct 22 13:35:32 2007
From: gene.heskett at verizon.net (Gene Heskett)
Date: Mon, 22 Oct 2007 09:35:32 -0400
Subject: spamassassin as user is denied
Message-ID: <200710220935.32071.gene.heskett@verizon.net>

Greetings;

How do I fix the subject? It runs as root ok, but not as a common user.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo.
Please use in that order."
-Ed Howdershelt (Author)
The 11 is for people with the pride of a 10 and the pocketbook of an 8.
-- R.B. Greenberg [referring to PDPs?]

From sds at tycho.nsa.gov Mon Oct 22 13:49:48 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 22 Oct 2007 09:49:48 -0400
Subject: spamassassin as user is denied
In-Reply-To: <200710220935.32071.gene.heskett@verizon.net>
References: <200710220935.32071.gene.heskett@verizon.net>
Message-ID: <1193060988.24622.16.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2007-10-22 at 09:35 -0400, Gene Heskett wrote:
> Greetings;
>
> How do I fix the subject? It runs as root ok, but not as a common user.

avc messages?

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon Oct 22 19:37:58 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 22 Oct 2007 15:37:58 -0400
Subject: Run webapp/MoinMoin as a SELinux domain
In-Reply-To: <471B62AB.9080507@flysta.net>
References: <471B62AB.9080507@flysta.net>
Message-ID: <471CFC16.6060105@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Per Sjoholm wrote:
> I would like to lock down different web apps run by httpd (apache).
> As it is today, the only way to let MoinMoin send email is to allow all to
> use sendmail.
> I use a db and that means that every application is allowed to ...
>
> Is it possible to have httpd confined and only open needed net resources
> for certain
> apps?
> To use some form of m4 macro.
> /var/www/moin/xyx/cgi-bin/moin.cgi -> httpd-xyz_t
> /var/www/moin/xxx/cgi-bin/moin.cgi -> httpd-xxx_t
>
Well, you could write your own policy for the cgi, yes. system-config-selinux/polgengui makes this fairly easy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHHPwWrlYvE4MpobMRAgLkAJ9hiTquSjtv5TdcPQerP6Mmsk1kLACgkt1M
NrUlW/XKy3wWO+ZPZ9VhEHA=
=UdbV
-----END PGP SIGNATURE-----

From piotreek23 at gmail.com Fri Oct 26 18:49:37 2007
From: piotreek23 at gmail.com (piotreek)
Date: Fri, 26 Oct 2007 20:49:37 +0200
Subject: Postfix Problems FC 7
Message-ID: <112c19290710261149n50689719med1eb2820d437b67@mail.gmail.com>

Hi

From a certain time I have a problem running up postfix. When I type /etc/init.d/postfix start from the console, everything seems to be ok. But the status command reports that postfix is down. I searched it up and found strange AVC denied read messages. I tried to relabel the whole filesystem but without luck. When I stop SELinux everything is working.
Can somebody help me?
This is the message I get in audit.log

----SNIP---------------
type=AVC msg=audit(1193424403.481:1513): avc: denied { read } for pid=18309 comm="master" name="services" dev=sdb1 ino=3891850 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1193424403.481:1513): arch=40000003 syscall=5 success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b6c8 items=0 ppid=1 pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="master" exe="/usr/libexec/postfix/master" subj=user_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1193424403.488:1514): avc: denied { read } for pid=18309 comm="master" name="services" dev=sdb1 ino=3891850 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1193424403.488:1514): arch=40000003 syscall=5 success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b6c8 items=0 ppid=1 pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="master" exe="/usr/libexec/postfix/master" subj=user_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1193424403.489:1515): avc: denied { read } for pid=18309 comm="master" name="services" dev=sdb1 ino=3891850 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1193424403.489:1515): arch=40000003 syscall=5 success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b6c8 items=0 ppid=1 pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="master" exe="/usr/libexec/postfix/master" subj=user_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1193424403.490:1516): avc: denied { read } for pid=18309 comm="master" name="services" dev=sdb1 ino=3891850 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1193424403.490:1516): arch=40000003 syscall=5 success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b6c8 items=0 ppid=1 pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="master" exe="/usr/libexec/postfix/master" subj=user_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1193424403.491:1517): avc: denied { read } for pid=18309 comm="master" name="services" dev=sdb1 ino=3891850 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1193424403.491:1517): arch=40000003 syscall=5 success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b730 items=0 ppid=1 pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="master" exe="/usr/libexec/postfix/master" subj=user_u:system_r:postfix_master_t:s0 key=(null)
---------------Snip------------------------
From piotreek23 at gmail.com Sat Oct 27 19:37:00 2007
From: piotreek23 at gmail.com (piotreek)
Date: Sat, 27 Oct 2007 21:37:00 +0200
Subject: Postfix Problems FC 7
In-Reply-To: <112c19290710261149n50689719med1eb2820d437b67@mail.gmail.com>
References: <112c19290710261149n50689719med1eb2820d437b67@mail.gmail.com>
Message-ID: <112c19290710271237i37fbae20q54874f5d6cd58e01@mail.gmail.com>

Hi. I found the resolution. I forced a check of the file system using e2fsck and then relabeled the SELinux context for the files again. Something got repaired and postfix seems to be running ok now. :)

2007/10/26, piotreek :
>
> Hi
> From a certain time I have a problem running up postfix. When I type
> /etc/init.d/postfix start from the console, everything seems to be ok. But the status
> command reports that postfix is down. I searched it up and found strange AVC
> denied read messages.
> I tried to relabel the whole filesystem but without luck. When I stop SELinux
> everything is working.
> Can somebody help me?
> This is the message I get in audit.log
> ----SNIP---------------
> type=AVC msg=audit(1193424403.481:1513): avc: denied { read } for
> pid=18309 comm="master" name="services" dev=sdb1 ino=3891850
> scontext=user_u:system_r:postfix_master_t:s0
> tcontext=user_u:object_r:tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1193424403.481:1513): arch=40000003 syscall=5
> success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b6c8 items=0 ppid=1
> pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) comm="master" exe="/usr/libexec/postfix/master"
> subj=user_u:system_r:postfix_master_t:s0 key=(null)
> type=AVC msg=audit(1193424403.488:1514): avc: denied { read } for
> pid=18309 comm="master" name="services" dev=sdb1 ino=3891850
> scontext=user_u:system_r:postfix_master_t:s0
> tcontext=user_u:object_r:tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1193424403.488:1514): arch=40000003 syscall=5
> success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b6c8 items=0 ppid=1
> pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) comm="master" exe="/usr/libexec/postfix/master"
> subj=user_u:system_r:postfix_master_t:s0 key=(null)
> type=AVC msg=audit(1193424403.489:1515): avc: denied { read } for
> pid=18309 comm="master" name="services" dev=sdb1 ino=3891850
> scontext=user_u:system_r:postfix_master_t:s0
> tcontext=user_u:object_r:tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1193424403.489:1515): arch=40000003 syscall=5
> success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b6c8 items=0 ppid=1
> pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) comm="master" exe="/usr/libexec/postfix/master"
> subj=user_u:system_r:postfix_master_t:s0 key=(null)
> type=AVC msg=audit(1193424403.490:1516): avc: denied { read } for
> pid=18309 comm="master" name="services" dev=sdb1 ino=3891850
> scontext=user_u:system_r:postfix_master_t:s0
> tcontext=user_u:object_r:tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1193424403.490:1516): arch=40000003 syscall=5
> success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b6c8 items=0 ppid=1
> pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) comm="master" exe="/usr/libexec/postfix/master"
> subj=user_u:system_r:postfix_master_t:s0 key=(null)
> type=AVC msg=audit(1193424403.491:1517): avc: denied { read } for
> pid=18309 comm="master" name="services" dev=sdb1 ino=3891850
> scontext=user_u:system_r:postfix_master_t:s0
> tcontext=user_u:object_r:tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1193424403.491:1517): arch=40000003 syscall=5
> success=no exit=-13 a0=735321 a1=0 a2=1b6 a3=8034b730 items=0 ppid=1
> pid=18309 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) comm="master" exe="/usr/libexec/postfix/master"
> subj=user_u:system_r:postfix_master_t:s0 key=(null)
> ---------------Snip------------------------
>
From alirezacm at yahoo.com Mon Oct 29 05:29:03 2007
From: alirezacm at yahoo.com (AliReza AliReza)
Date: Sun, 28 Oct 2007 22:29:03 -0700 (PDT)
Subject: problem in linux fc7 with openwebmail
Message-ID: <21602.32210.qm@web59307.mail.re1.yahoo.com>

I installed openwebmail and a mail server; sending and receiving mail works with no problem, but when I try to send mail with an attached file and click send, this error appears: "500 internal server error". The mail is still sent to the destination. Please help me, what can I do?

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From ian at smallworld.cx Mon Oct 29 12:40:47 2007
From: ian at smallworld.cx (Ian Leonard)
Date: Mon, 29 Oct 2007 12:40:47 +0000
Subject: Another problem with "avc: denied" messages
Message-ID: <4725D4CF.3020203@smallworld.cx>

Hi,

I have a web app that will create xml files. It has been running for a while now but has suddenly started giving errors as per below (I guess a maintenance update did it).

audit(1193660948.194:421): avc: denied { write } for pid=3358 comm="eco_upload.cgi" name="2007-10.xml" dev=dm-0 ino=58753075 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file

My minimal selinux knowledge has allowed me to fix the problem with the file, but a new file is created once a month. I am guessing that next month I will have the same problem.

I guess I need to do something to the cgi script to allow it to create the files.

Any advice appreciated.

--
Ian Leonard

Please ignore spelling and punctuation - I did.
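Most of the denials posted in this archive come down to the same two questions, which the replies answer by hand: is the target mislabeled (Dan Walsh's /var/log/rpmpkgs carrying root_t, the postfix master reading a "services" file labeled tmp_t, Ian Leonard's CGI writing a var_lib_t file), or does the domain genuinely lack a rule (in.tftpd writing public_content_rw_t, awstats.pl opening a UDP socket, mailman CGIs talking to httpd over a unix socket)? The Python below is an added example, not code from any post on this list: it parses raw AVC records in the audit.log, dmesg and syslog forms seen above, applies that split, and renders the allow rules for the policy cases as a module body in the shape audit2allow -M writes. The GENERIC_FILE_TYPES set and the file-only mislabel heuristic are assumptions of this example, not part of any SELinux tool; the sample records are copies of ones posted in these threads, plus one abridged SYSCALL line to show non-AVC records being skipped.

```python
"""AVC triage: mislabeled target, or missing policy?

Added example for this archive, not code from any post in it. It parses raw
AVC denial records (audit.log, dmesg or syslog form), decides whether each
one looks like a mislabeled file (fix the label) or a real policy gap (write
an allow rule), and renders the policy cases as a .te module body in the
shape audit2allow -M would write. GENERIC_FILE_TYPES and the file-only
mislabel heuristic are assumptions of this example.
"""
import re
from collections import defaultdict

# Assumption: a *file* carrying one of these default types usually got there
# by mv/cp or by a missing file_contexts entry; restorecon fixes it, while an
# allow rule would only hide it.
GENERIC_FILE_TYPES = {"root_t", "var_t", "var_lib_t", "var_log_t", "tmp_t",
                      "usr_t", "etc_t", "default_t", "unlabeled_t"}

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")


def _field(line, key):
    """key=value (quoted or bare) from an audit record, "" if absent."""
    m = re.search(r'\b%s=("[^"]*"|\S+)' % key, line)
    return m.group(1).strip('"') if m else ""


def _type_of(context):
    """user:role:type[:range] -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """One AVC denial as a dict, or None for any other kind of record."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    sctx, tctx, tclass = (_field(line, k) for k in ("scontext", "tcontext", "tclass"))
    if not (sctx and tctx and tclass):
        return None
    return {"perms": m.group(1).split(), "comm": _field(line, "comm"),
            "name": _field(line, "name"), "stype": _type_of(sctx),
            "ttype": _type_of(tctx), "tclass": tclass}


def parse_log(text):
    """All AVC denials in a block of log text, in order; other records skipped."""
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r]


def triage(rec):
    """'mislabel' for a file target with a generic type, else 'policy'.
    Directories stay 'policy': /var/log really is var_log_t."""
    if rec["tclass"] == "file" and rec["ttype"] in GENERIC_FILE_TYPES:
        return "mislabel"
    return "policy"


def make_module(records, name="local"):
    """Allow rules for the 'policy' denials, as a .te module body.
    Mislabel cases are left out on purpose: relabel those instead."""
    rules = defaultdict(set)
    for r in records:
        if triage(r) == "policy":
            rules[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    types = sorted({t for key in rules for t in key[:2]})
    per_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        per_class[cls].update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["    type %s;" % t for t in types]
    out += ["    class %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(per_class.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        target = "self" if s == t else t  # audit2allow also writes "self" here
        out.append("allow %s %s:%s { %s };" % (s, target, cls, " ".join(sorted(perms))))
    return "\n".join(out)


# Records copied from posts in this archive; the SYSCALL line is abridged.
SAMPLE_LOG = """\
type=AVC msg=audit(1193424403.481:1513): avc:  denied  { read } for  pid=18309 comm="master" name="services" dev=sdb1 ino=3891850 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1193424403.481:1513): arch=40000003 syscall=5 success=no exit=-13 comm="master" exe="/usr/libexec/postfix/master" subj=user_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1192818715.964:10131): avc:  denied  { write } for  pid=15860 comm="in.tftpd" name="testfile" dev=dm-4 ino=84549655 scontext=user_u:system_r:tftpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
audit(1193660948.194:421): avc:  denied  { write } for  pid=3358 comm="eco_upload.cgi" name="2007-10.xml" dev=dm-0 ino=58753075 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
Oct 21 20:56:58 casamerica kernel: audit(1192993018.053:2785): avc:  denied  { create } for  pid=3721 comm="awstats.pl" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
Oct 21 20:56:58 casamerica kernel: audit(1192993018.053:2786): avc:  denied  { connect } for  pid=3721 comm="awstats.pl" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
Oct 21 13:16:08 casamerica kernel: audit(1192965368.811:2780): avc:  denied  { read write } for  pid=32746 comm="listinfo" name="" dev=sockfs ino=14911345 scontext=user_u:system_r:mailman_cgi_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print("%-9s %-15s %s -> %s:%s %s" % (triage(r), r["comm"], r["stype"],
                                             r["ttype"], r["tclass"], " ".join(r["perms"])))
    print()
    print(make_module(recs, "mylocal"))
```

On a real host the input would be `ausearch -m avc` output rather than the embedded sample. Check every record the script calls "mislabel" with `matchpathcon` and `restorecon -v` before anything else, and for a directory that new files keep landing in (Ian Leonard's monthly xml file) add a persistent rule with `semanage fcontext` so a relabel does not undo the fix. Only then compile the policy cases, with `checkmodule -M -m` and `semodule_package` or by handing the same denials to `audit2allow -M`, and read each allow rule as a deliberate widening of the domain rather than noise to make disappear: "allow tftpd_t public_content_rw_t:file { write };" is exactly the decision Dan Walsh asks to be argued for above.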
From anebi at iguanait.com Tue Oct 30 11:32:12 2007
From: anebi at iguanait.com (Ali Nebi)
Date: Tue, 30 Oct 2007 13:32:12 +0200
Subject: Avc messages about awstats.pl and some mailman commands
Message-ID: <1193743932.3571.12.camel@hugo.iguanait.com>

Hi,

on one of the servers where fedora 6 is installed, I get some avc messages, and I don't know why they appear or what the right way to fix them is - don't audit, or allow them.

The messages from the logs are related to awstats. It is installed on the server and used for statistics for some web sites. Also some messages are related to mailman.

What can I do to fix this kind of messages?

The messages are these:

Oct 21 13:16:08 casamerica kernel: audit(1192965368.811:2780): avc: denied { read write } for pid=32746 comm="listinfo" name="" dev=sockfs ino=14911345 scontext=user_u:system_r:mailman_cgi_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
Oct 21 17:30:59 casamerica kernel: audit(1192980659.987:2781): avc: denied { read write } for pid=2111 comm="listinfo" name="" dev=sockfs ino=15003495 scontext=user_u:system_r:mailman_cgi_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
Oct 21 18:48:55 casamerica kernel: audit(1192985335.997:2782): avc: denied { read write } for pid=2742 comm="admin" name="" dev=sockfs ino=15037931 scontext=user_u:system_r:mailman_cgi_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
Oct 21 20:29:59 casamerica kernel: audit(1192991399.010:2783): avc: denied { read write } for pid=3539 comm="listinfo" name="" dev=sockfs ino=15143224 scontext=user_u:system_r:mailman_cgi_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
Oct 21 20:33:13 casamerica kernel: audit(1192991593.143:2784): avc: denied { read write } for pid=3598 comm="confirm" name="" dev=sockfs ino=15159312 scontext=user_u:system_r:mailman_cgi_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
Oct 21 20:56:58 casamerica kernel: audit(1192993018.053:2785): avc: denied { create } for pid=3721 comm="awstats.pl" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
Oct 21 20:56:58 casamerica kernel: audit(1192993018.053:2786): avc: denied { connect } for pid=3721 comm="awstats.pl" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
Oct 21 20:56:58 casamerica kernel: audit(1192993018.054:2787): avc: denied { write } for pid=3721 comm="awstats.pl" laddr=87.106.8.16 lport=52760 faddr=87.106.8.251 fport=53 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
Oct 21 20:56:58 casamerica kernel: audit(1192993018.054:2788): avc: denied { udp_send } for pid=3721 comm="awstats.pl" saddr=87.106.8.16 src=52760 daddr=87.106.8.251 dest=53 netif=eth0 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
Oct 21 20:56:58 casamerica kernel: audit(1192993018.054:2789): avc: denied { udp_send } for pid=3721 comm="awstats.pl" saddr=87.106.8.16 src=52760 daddr=87.106.8.251 dest=53 netif=eth0 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
Oct 21 20:56:58 casamerica kernel: audit(1192993018.054:2790): avc: denied { send_msg } for pid=3721 comm="awstats.pl" saddr=87.106.8.16 src=52760 daddr=87.106.8.251 dest=53 netif=eth0 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
Oct 28 17:29:00 hermod kernel: audit(1193588940.609:7): avc: denied { search } for pid=996 comm="python" name="log" dev=dm-0 ino=57212956 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Oct 28 17:45:38 hermod kernel: audit(1193589938.861:8): avc: denied { search } for pid=1774 comm="python" name="log" dev=dm-0 ino=57212956 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

The last messages are for python trying to access /var/log, but I get these messages.

What is the best decision to solve these audits? I'm trying to understand selinux principles and to move the server to enforcing mode.

Thanks in advance!

From stefan at seekline.net Tue Oct 30 12:24:02 2007
From: stefan at seekline.net (Stefan Schulze Frielinghaus)
Date: Tue, 30 Oct 2007 12:24:02 +0000
Subject: Avc messages about awstats.pl and some mailman commands
In-Reply-To: <1193743932.3571.12.camel@hugo.iguanait.com>
References: <1193743932.3571.12.camel@hugo.iguanait.com>
Message-ID: <1193747042.3060.2.camel@vogon>

On Tue, 2007-10-30 at 13:32 +0200, Ali Nebi wrote:
[...]
> Oct 21 20:56:58 casamerica kernel: audit(1192993018.053:2785): avc:
> denied { create } for pid=3721 comm="awstats.pl"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
[...]
> What is the best decision to solve these audits? I'm trying to
> understand selinux principles and to move the server to enforcing
> mode.

You need a policy for Awstats. The latest refpolicy release (http://oss.tresys.com/files/refpolicy/refpolicy-20070928.tar.bz2) includes awstats. I guess Fedora 6 doesn't include the latest policy for awstats.

cheers,
Stefan

From anebi at iguanait.com Tue Oct 30 12:31:27 2007
From: anebi at iguanait.com (Ali Nebi)
Date: Tue, 30 Oct 2007 14:31:27 +0200
Subject: Avc messages about awstats.pl and some mailman commands
In-Reply-To: <1193747042.3060.2.camel@vogon>
References: <1193743932.3571.12.camel@hugo.iguanait.com> <1193747042.3060.2.camel@vogon>
Message-ID: <1193747487.3571.15.camel@hugo.iguanait.com>

On Tue, 2007-10-30 at 12:24 +0000, Stefan Schulze Frielinghaus wrote:
> On Tue, 2007-10-30 at 13:32 +0200, Ali Nebi wrote:
> [...]
> > Oct 21 20:56:58 casamerica kernel: audit(1192993018.053:2785): avc:
> > denied { create } for pid=3721 comm="awstats.pl"
> > scontext=user_u:system_r:httpd_sys_script_t:s0
> > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
> [...]
> > What is the best decision to solve these audits? I'm trying to
> > understand selinux principles and to move the server to enforcing
> > mode.
>
> You need a policy for Awstats. The latest refpolicy release
> (http://oss.tresys.com/files/refpolicy/refpolicy-20070928.tar.bz2)
> includes awstats. I guess Fedora 6 doesn't include the latest policy for
> awstats.
>
> cheers,
> Stefan
>

Perfect, thanks. I will install it. Yes, I checked for awstats, but I think it doesn't include the latest policy until now.
Thanks again

From stefan at seekline.net Tue Oct 30 12:42:50 2007
From: stefan at seekline.net (Stefan Schulze Frielinghaus)
Date: Tue, 30 Oct 2007 12:42:50 +0000
Subject: Avc messages about awstats.pl and some mailman commands
In-Reply-To: <1193747487.3571.15.camel@hugo.iguanait.com>
References: <1193743932.3571.12.camel@hugo.iguanait.com> <1193747042.3060.2.camel@vogon> <1193747487.3571.15.camel@hugo.iguanait.com>
Message-ID: <1193748170.3060.8.camel@vogon>

On Tue, 2007-10-30 at 14:31 +0200, Ali Nebi wrote:
> On Tue, 2007-10-30 at 12:24 +0000, Stefan Schulze Frielinghaus wrote:
> > On Tue, 2007-10-30 at 13:32 +0200, Ali Nebi wrote:
> > [...]
> > > Oct 21 20:56:58 casamerica kernel: audit(1192993018.053:2785): avc:
> > > denied { create } for pid=3721 comm="awstats.pl"
> > > scontext=user_u:system_r:httpd_sys_script_t:s0
> > > tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=udp_socket
> > [...]
> > > What is the best decision to solve these audits? I'm trying to
> > > understand selinux principles and to move the server to enforcing
> > > mode.
> >
> > You need a policy for Awstats. The latest refpolicy release
> > (http://oss.tresys.com/files/refpolicy/refpolicy-20070928.tar.bz2)
> > includes awstats. I guess Fedora 6 doesn't include the latest policy for
> > awstats.
> >
> > cheers,
> > Stefan
> >
>
> Perfect, thanks. I will install it. Yes, I checked for awstats, but I think it doesn't include the latest policy until now.
> Thanks again

Just wanted to mention: You don't need to install the whole refpolicy. This would mean you substitute the selinux policy of fedora core 6 (which I wouldn't suggest). Just get the awstats.te, awstats.fc, awstats.if files, copy them to e.g. /root/selinux and install the selinux-policy-devel rpm package. Build the awstats module and install only this one.

cheers,
Stefan

From selinux at gmail.com Tue Oct 30 14:21:21 2007
From: selinux at gmail.com (Tom London)
Date: Tue, 30 Oct 2007 07:21:21 -0700
Subject: unconfined_execmem_t transitions to unconfined_t
Message-ID: <4c4ba1530710300721qef071ek5e7a2bcd7e1c48f5@mail.gmail.com>

Running latest rawhide, targeted/enforcing.

Are there any issues allowing transition from 'unconfined_execmem_t' to 'unconfined_t'?

/usr/bin/valgrind is 'unconfined_execmem_exec_t', so running 'valgrind system-config-users' or 'PYTHONPATH=/usr/share/system-config-users valgrind /usr/bin/python /usr/share/system-config-users/system-config-users.py' produces:

Summary
    SELinux is preventing userhelper (unconfined_execmem_t) "transition" to
    /usr/share/system-config-users/system-config-users (unconfined_t).

Detailed Description
    SELinux denied access requested by userhelper. It is not expected that
    this access is required by userhelper and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional
    access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
    disable SELinux protection altogether.
    Disabling SELinux protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:unconfined_execmem_t
Target Context                system_u:system_r:unconfined_t
Target Objects                /usr/share/system-config-users/system-config-users [ process ]
Affected RPM Packages         system-config-users-1.2.72-1.fc8 [target]
Policy RPM                    selinux-policy-3.0.8-40.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.1-41.fc8 #1 SMP Mon Oct 29 18:29:15 EDT 2007 i686 i686
Alert Count                   2
First Seen                    Tue 30 Oct 2007 07:08:40 AM PDT
Last Seen                     Tue 30 Oct 2007 07:09:35 AM PDT
Local ID                      c1b26ecd-2d55-4e55-85bd-46f718634fce
Line Numbers

Raw Audit Messages

avc: denied { transition } for comm=userhelper dev=dm-0 path=/usr/share/system-config-users/system-config-users pid=5742 scontext=system_u:system_r:unconfined_execmem_t:s0 tclass=process tcontext=system_u:system_r:unconfined_t:s0

--
Tom London