From lanny at ieee.org Sat Sep 1 10:32:02 2007
From: lanny at ieee.org (Lanny Marcus)
Date: Sat, 01 Sep 2007 05:32:02 -0500
Subject: Webmin bug, with SELinux in Permissive Mode
Message-ID: <1188642722.3306.11.camel@dell2400.homelan>

I found a bug in Webmin. The author of Webmin is also a SELinux newbie. (This is the first time I have enabled SELinux.) He would like me to post and try to find help from experienced SELinux users. He wrote:

> Unfortunately I am a newbie when it comes to selinux too :-(
> What I am looking for is a way to selinux that any process can write
> to a file. I suspect that the chcon command can do this, but am not
> sure how..

Prior to the above, he wrote:

> Ok, thanks ... I see the problem. Webmin opens the log file
> /var/webmin/miniserv.error and connects STDERR to it, then runs other
> commands like iptables, which inherits the STDERR file descriptor.
> This is generally a good thing, as any error output from the iptables
> command will go to that log file.
>
> But with selinux enabled, this fails as iptables doesn't have the
> security context needed to write to that file. Is there a chcon option
> or other command that can allow a file to be written by any process?
> If so, I should update Webmin to run that on the error log file.

This bug is at the below URL:

If someone can explain, in simple terms, what needs to be done, that will be greatly appreciated!

TIA, Lanny

From dwalsh at redhat.com Sat Sep 1 10:57:45 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 01 Sep 2007 06:57:45 -0400
Subject: Webmin bug, with SELinux in Permissive Mode
In-Reply-To: <1188642722.3306.11.camel@dell2400.homelan>
References: <1188642722.3306.11.camel@dell2400.homelan>
Message-ID: <46D945A9.1030109@redhat.com>

Lanny Marcus wrote:
> I found a bug in Webmin. The author of Webmin is also a SELinux
> newbie. (this is the first time I have enabled SELinux)
> He would like me to post and try to find help, from
> experienced SELinux users. He wrote:
>
>> Unfortunately I am a newbie when it comes to selinux too :-(
>> What I am looking for is a way to selinux that any process can write
>> to a file. I suspect that the chcon command can do this, but am not
>> sure how..
>
> Prior to the above, he wrote:
>> Ok, thanks ... I see the problem. Webmin opens the log file
>> /var/webmin/miniserv.error and connects STDERR to it, then runs other
>> commands like iptables, which inherits the STDERR file descriptor.
>> This is generally a good thing, as any error output from the iptables
>> command will go to that log file.
>>
>> But with selinux enabled, this fails as iptables doesn't have the
>> security context needed to write to that file. Is there a chcon option
>> or other command that can allow a file to be written by any process?
>> If so, I should update Webmin to run that on the error log file.
>
> This bug is at the below URL:
>
>
> If someone can explain, in simple terms, what needs to be done, that
> will be greatly appreciated! TIA, Lanny
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This explanation and description of the problem are fine. We probably need a custom policy for webmin to allow iptables to write to scripts running as webmin, since catching stderr is important. There is no file context that can be set to allow this.
As I recall from the original bug report, iptables was also trying to communicate with another open file descriptor. This one I believe should be closed on exec.

From jdennis at redhat.com Sun Sep 2 16:54:47 2007
From: jdennis at redhat.com (John Dennis)
Date: Sun, 02 Sep 2007 12:54:47 -0400
Subject: setroubleshootd using excessive memory
In-Reply-To:
References:
Message-ID: <1188752087.4216.3.camel@junko.usersys.redhat.com>

On Fri, 2007-08-31 at 23:28 +0000, Martin Ebourne wrote:
> Just noticed a problem with my laptop fully using swap and a major
> culprit seems to be setroubleshootd. From top it appeared to be using
> excessive vsize:

Would you do me a favor to help diagnose this and check two things for me?

1) Do a wc on /var/lib/setroubleshoot/audit_listener_database.xml (you'll need to be root).

2) Open the sealert browser and see if you've got any alerts with very high counts, or an excessive number of alerts.

Thanks!

-- 
John Dennis

From lists at ebourne.me.uk Sun Sep 2 21:24:17 2007
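Added example, not Webmin's code or anything posted to the list: the descriptor-inheritance half of the Webmin problem Lanny and Dan Walsh discuss above, reproduced in Python with a probe child standing in for iptables. The child's stderr is deliberately attached to a stand-in for /var/webmin/miniserv.error, while a second descriptor the parent holds is either leaked or marked close-on-exec, as Dan says the other descriptor should be; the paths, the probe and the "secret" file are constructed for the demonstration, and the SELinux permission check itself is not modelled.

```python
"""Which descriptors does a child command inherit when the parent routes
its stderr into a log file?  A Python probe stands in for iptables."""
import os
import subprocess
import sys
import tempfile

# Probe child (constructed): try to read the descriptor number it is given,
# report whether the data is the parent's, then write one line to stderr.
CHILD_PROBE = (
    "import os, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    data = os.pread(fd, 6, 0)\n"
    "    print('inherited' if data == b'secret' else 'other')\n"
    "except OSError:\n"
    "    print('closed')\n"
    "sys.stderr.write('child error output\\n')\n"
)


def run_child(log_path, secret_path, leak_extra_fd):
    """Run the probe with its stderr attached to log_path (as Webmin does
    with miniserv.error) and return what the child saw on the extra fd."""
    log_fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    # A second descriptor the parent keeps for itself: the stand-in for the
    # descriptor Dan says should be closed on exec.
    extra_fd = os.open(secret_path, os.O_RDONLY)
    # Python 3.4+ opens descriptors close-on-exec; the leaky variant clears
    # that flag, which is what a plain open()/fork()/exec() sequence gives.
    os.set_inheritable(extra_fd, leak_extra_fd)
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_PROBE, str(extra_fd)],
            stderr=log_fd,        # deliberate: child's stderr -> log file
            stdout=subprocess.PIPE,
            close_fds=False,      # rely on the CLOEXEC flags, like fork/exec
            text=True,
            check=True,
        )
    finally:
        os.close(extra_fd)
        os.close(log_fd)
    return proc.stdout.strip()


def demo():
    """Compare a leaky parent with a close-on-exec parent.  Returns
    (what the leaky child saw, what the tight child saw, log got stderr)."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "miniserv.error")   # constructed stand-in path
        secret = os.path.join(tmp, "secret")        # constructed stand-in data
        with open(secret, "wb") as f:
            f.write(b"secret")
        leaky = run_child(log, secret, leak_extra_fd=True)
        tight = run_child(log, secret, leak_extra_fd=False)
        with open(log) as f:
            logged = "child error output" in f.read()
    return leaky, tight, logged


if __name__ == "__main__":
    print(demo())   # ('inherited', 'closed', True)
```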
From: lists at ebourne.me.uk (Martin Ebourne)
Date: Sun, 02 Sep 2007 22:24:17 +0100
Subject: setroubleshootd using excessive memory
In-Reply-To: <1188752087.4216.3.camel@junko.usersys.redhat.com>
References: <1188752087.4216.3.camel@junko.usersys.redhat.com>
Message-ID: <1188768257.1683.4.camel@avenin.ebourne.me.uk>

On Sun, 2007-09-02 at 12:54 -0400, John Dennis wrote:
> On Fri, 2007-08-31 at 23:28 +0000, Martin Ebourne wrote:
> > Just noticed a problem with my laptop fully using swap and a major
> > culprit seems to be setroubleshootd. From top it appeared to be using
> > excessive vsize:
>
> Would you do me a favor to help diagnose this and check two things for
> me?

Sure

> 1) Do a wc on /var/lib/setroubleshoot/audit_listener_database.xml
> (you'll need to be root).

  2622   8075 124241 /var/lib/setroubleshoot/audit_listener_database.xml

This file is world readable on mine - should it not be?

-rw-r--r-- 1 root root 122K 2007-09-02 22:21 /var/lib/setroubleshoot/audit_listener_database.xml

> 2) Open the sealert browser and see if you've got any alerts with very
> high counts, or an excessive number of alerts.

32 different alerts.
The highest scorers are:

230 of avc: denied { search } for comm="modprobe" dev=dm-0 egid=0 euid=0 exe="/sbin/modprobe" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=32248 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=root:object_r:user_home_dir_t:s0 tty=pts2 uid=0

40 of avc: denied { search } for comm="sm-notify" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/sm-notify" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=32223 scontext=user_u:system_r:rpcd_t:s0 sgid=0 subj=user_u:system_r:rpcd_t:s0 suid=0 tclass=dir tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=0

27 of avc: denied { read, write } for comm="pickup" dev=anon_inodefs egid=0 euid=0 exe="/usr/libexec/postfix/pickup" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[eventpoll]" path="anon_inode:[eventpoll]" pid=19768 scontext=system_u:system_r:postfix_pickup_t:s0 sgid=0 subj=system_u:system_r:postfix_pickup_t:s0 suid=0 tclass=file tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0

The rest are single digits.

Cheers,

Martin.

From fedora01 at grifent.com Sun Sep 2 22:05:45 2007
From: fedora01 at grifent.com (John Griffiths)
Date: Sun, 02 Sep 2007 18:05:45 -0400
Subject: gallery2 policy
In-Reply-To: <46D882B4.3000606@redhat.com>
References: <20070831160012.9EA8D737BA@hormel.redhat.com> <46D84400.4090008@grifent.com> <46D84D9E.7000406@grifent.com> <46D84F66.1030008@grifent.com> <46D882B4.3000606@redhat.com>
Message-ID: <46DB33B9.4020400@grifent.com>

Daniel J Walsh wrote:
> What OS and what version of policy are you running? You might want to
> yum update selinux-policy
>

kernel-2.6.22.2-42.fc6
selinux-policy-2.4.6-80.fc6

I believe these are current for FC6.

I did a forced switch of my syslog and httpd. Then I put selinux into permissive mode. Then, I wiped out my gallery2 and reinstalled. I am doing a multisite gallery2 installation just as a point of reference. I installed every module from the full download. After that I added a few pictures; deleted some. Added pictures from a samba share on the server. Added pictures from a web page. Added a new album and deleted it, added and deleted watermark png graphic files, and generated watermarked pictures and thumbnails. Then I changed the email address of the administrator and enabled email notification of user registrations. I tried to exercise gallery2; I know I did not exercise every branch of code, but I think I did much of what many will do.
Then did a

cat /var/log/messages | audit2allow -m gallery2 > ~jrg3/downloads/gallery2/selinux/gallery.te.new

This is the new policy source (I have not implemented it.):

module gallery2 1.0;

require {
	type mail_spool_t;
	type unlabeled_t;
	type acct_data_t;
	type httpd_sys_script_t;
	type boot_t;
	type httpd_t;
	type default_t;
	type home_root_t;
	type var_yp_t;
	type httpd_tmp_t;
	type named_zone_t;
	type samba_share_t;
	type var_t;
	type lost_found_t;
	type xserver_log_t;
	class lnk_file read;
	class file { read write getattr };
	class dir { read getattr };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_tmp_t:file { read getattr };
allow httpd_sys_script_t unlabeled_t:file { read write };
allow httpd_sys_script_t var_t:file { read getattr };

#============= httpd_t ==============
allow httpd_t acct_data_t:dir getattr;
allow httpd_t boot_t:dir getattr;
allow httpd_t default_t:file getattr;
allow httpd_t default_t:lnk_file read;
allow httpd_t home_root_t:dir read;
allow httpd_t lost_found_t:dir getattr;
allow httpd_t mail_spool_t:dir getattr;
allow httpd_t mail_spool_t:lnk_file read;
allow httpd_t named_zone_t:dir getattr;
allow httpd_t samba_share_t:dir getattr;
allow httpd_t var_t:dir read;
allow httpd_t var_yp_t:dir getattr;
allow httpd_t xserver_log_t:dir getattr;

That's a comprehensive list of rules.

The installation does a lookup of directories as you enter partial paths. It looks for host names. The samba share is in /home/. The shared gallery2 code base is in /var/www. The data store is in /var/www/g2data/, and the gallery2 multisite is in http:////pictures/.

The context on the shared code base is system_u:object_r:httpd_sys_content_t. There are Perl, JavaScript, Java applets, and shell scripts in the gallery2 modules. They are also labeled system_u:object_r:httpd_sys_content_t. I suspect they should be system_u:object_r:httpd_sys_script_exec_t.
I searched in the selinux wiki but did not find any guidelines for labeling scripts and executables in the html contexts. I would think those files should be treated like cgi but am not clear on that. Would that change things? Is there any guidance on which files should have the context httpd_sys_script_exec_t?

I kept copies of the messages log file, the httpd access and error logs, so all that information is available.

Thanks for the help.

Regards,
John Griffiths

From spng.yang at gmail.com Mon Sep 3 06:34:52 2007
From: spng.yang at gmail.com (Ken YANG)
Date: Mon, 03 Sep 2007 14:34:52 +0800
Subject: lost+found labeling
In-Reply-To:
References:
Message-ID: <46DBAB0C.9030802@gmail.com>

Stephanos Manos wrote:
> Hi
>
> I'm in the process of building a whole server and I was wondering what is
> the correct way of labeling the lost+found directory of various file
> systems that will be mounted under the /srv. I have labeled /srv as
> public_content_rw_t with
> semanage fcontext -a -t public_content_rw_t '/srv(/.*)?'
> but that results in lost+found being labeled as public_content_rw_t so I
> also run
> semanage fcontext -a -f -d -t lost_found_t '/srv/(.*/)lost\+found'
>
> my question is:
> in /etc/selinux/targeted/contexts/files/file_contexts I see two lines
> for /lost+found
> a. /lost\+found/.* <<none>>
> b. /lost\+found -d system_u:object_r:lost_found_t:s0
>
> the second is created with the above mentioned command
> how do I create the first, or don't I need it?

The first one is about the content in lost+found, and the second is about the directory lost+found; I think you also found the "-d" item.

The label rules you create through "semanage fcontext" are in:

/etc/selinux/targeted/contexts/files/file_contexts.local

>
> Regards
>
> Stephanos Manos

From andy at warmcat.com Wed Sep 5 10:21:23 2007
From: andy at warmcat.com (Andy Green)
Date: Wed, 05 Sep 2007 11:21:23 +0100
Subject: gitweb
Message-ID: <46DE8323.6000009@warmcat.com>

Hi folks -

I have migrated a dedicated server from "FC4" (a very strange FC4 with lilo, xfs-formatted partitions, no selinux, and a Debian kernel) provided by 1&1 to F7 with only one outstanding minor selinux problem. (The adventures of converting it are documented at http://warmcat.com/_wp/?p=35 if anyone is interested.)

gitweb no longer works properly with selinux in targeted/enforcing mode.

Sep 5 13:23:37 warmcat kernel: audit(1188995017.593:84): avc: denied { read } for pid=3649 comm="gitweb.cgi" name="cgi-bin" dev=md7 ino=5079272 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir

dev=md7 is /var; it seems the inode in question is /var/www/cgi-bin

# ll -Zd /var/www/cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t /var/www/cgi-bin

# ll -Z /var/www/cgi-bin
-rw-r--r-- root apache system_u:object_r:httpd_sys_content_t git-favicon.png
-rw-r--r-- root apache system_u:object_r:httpd_sys_content_t git-logo.png
drwxr-xr-x root apache system_u:object_r:httpd_sys_script_exec_t gitweb
-rwxr-xr-x root apache system_u:object_r:httpd_sys_script_exec_t gitweb.cgi
-rw-r--r-- root apache system_u:object_r:httpd_sys_content_t gitweb.css
-rwxr-xr-x root apache system_u:object_r:httpd_sys_script_exec_t gitweb_defaults.pl
-rwxr-xr-x root apache system_u:object_r:httpd_sys_script_exec_t gitweb.perl
-rw-r--r-- root apache system_u:object_r:httpd_sys_script_exec_t projects.list

Does anyone have any advice about the right way to resolve this?

-Andy

From mike.clarkson at baesystems.com Wed Sep 5 20:06:29 2007
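Added example, not code from any of the posters or from audit2allow itself: a small audit2allow-style pass over AVC records quoted in this thread (Martin's sealert alert list, Andy's gitweb denial above, and the Postfix denial Stanisław reports further down), counting identical denials the way sealert does and emitting the grouped allow-rule skeleton that John's gallery.te.new shows. The sample records are the thread's own lines, except that the gitweb line is repeated once with a constructed pid and timestamp to give a count above one; the field parsing assumes the kernel's key=value AVC format seen in those lines.

```python
"""Parse AVC denials, count repeats, and emit an audit2allow-style .te skeleton."""
import re
from collections import Counter, defaultdict

# Sample records quoted in this thread (second gitweb line is a constructed repeat).
SAMPLE_LINES = [
    'avc: denied { search } for comm="modprobe" dev=dm-0 egid=0 euid=0 exe="/sbin/modprobe" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=32248 '
    'scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 '
    'tclass=dir tcontext=root:object_r:user_home_dir_t:s0 tty=pts2 uid=0',
    'avc: denied { search } for comm="sm-notify" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/sm-notify" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=32223 '
    'scontext=user_u:system_r:rpcd_t:s0 sgid=0 subj=user_u:system_r:rpcd_t:s0 suid=0 '
    'tclass=dir tcontext=root:object_r:user_home_dir_t:s0 tty=(none) uid=0',
    'avc: denied { read, write } for comm="pickup" dev=anon_inodefs egid=0 euid=0 '
    'exe="/usr/libexec/postfix/pickup" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="[eventpoll]" '
    'path="anon_inode:[eventpoll]" pid=19768 scontext=system_u:system_r:postfix_pickup_t:s0 '
    'sgid=0 subj=system_u:system_r:postfix_pickup_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0',
    'Sep 5 13:23:37 warmcat kernel: audit(1188995017.593:84): avc: denied { read } for pid=3649 '
    'comm="gitweb.cgi" name="cgi-bin" dev=md7 ino=5079272 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir',
    'Sep 5 13:23:38 warmcat kernel: audit(1188995018.101:85): avc: denied { read } for pid=3650 '
    'comm="gitweb.cgi" name="cgi-bin" dev=md7 ino=5079272 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=dir',
    'audit(1189079035.093:14): avc: denied { append } for pid=2573 comm="local" name="stf" '
    'dev=sda1 ino=5881977 scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=root:object_r:mail_spool_t:s0 tclass=file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def parse_avc(line):
    """Return the security-relevant fields of one AVC denial, or None if the
    line is not a denial or lacks scontext/tcontext/tclass (e.g. truncated)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(sorted(p for p in re.split(r"[,\s]+", m.group("perms")) if p))
    fields = dict(FIELD_RE.findall(line[m.end():]))
    try:
        return {
            "perms": perms,
            "stype": fields["scontext"].split(":")[2],   # user:role:TYPE:level
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "").strip('"'),
        }
    except (KeyError, IndexError):
        return None


def summarize(lines):
    """Count identical denials (source type, target type, class, permissions);
    these are the per-alert counts sealert shows."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts


def fmt(perms):
    """Policy syntax: one permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_allow_rules(lines, module="local"):
    """Emit a .te skeleton in the layout audit2allow -m produces: a require
    block, then allow rules grouped by source type, permissions merged per
    (target type, class).  Like audit2allow, this only transcribes what was
    denied; each rule still needs a human to decide whether to grant it."""
    merged = defaultdict(set)                 # (stype, ttype, tclass) -> perms
    for stype, ttype, tclass, perms in summarize(lines):
        merged[(stype, ttype, tclass)].update(perms)
    types = sorted({t for key in merged for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        classes[tclass].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({key[0] for key in merged}):
        out.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(merged.items()):
            if s == stype:
                out.append(f"allow {stype} {ttype}:{tclass} {fmt(perms)};")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES).most_common():
        print(n, "of", key)
    print(to_allow_rules(SAMPLE_LINES, module="thread_example"))
```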
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Wed, 5 Sep 2007 13:06:29 -0700
Subject: polyinstantiation of the /tmp dir
Message-ID:

I'm trying to set up polyinstantiation of the /tmp directory using RHEL5. The /etc/security/namespace.conf file shows the following line as needing to be uncommented out:

/tmp /tmp-inst/ level root,adm

The /usr/share/doc/pam-0.99.6.2/txts/README.pam_namespace file describes the format of the /etc/security/namespace.conf file, and the allowable values. For the entry it lists the following valid values: "user", "context", "both". It doesn't list "level" as a valid value. However, "level" is the only value that I can get to work. With "user", "context", or "both", I get the following error when I attempt to use newrole to change the level of my shell:

"pam_open_session failed with Cannot make/remove an entry for the specified session"

Any ideas as to why? And what other values are valid other than "level"?

Thanks

From andy at warmcat.com Thu Sep 6 08:59:47 2007
From: andy at warmcat.com (Andy Green)
Date: Thu, 06 Sep 2007 09:59:47 +0100
Subject: gitweb
In-Reply-To: <46DE8323.6000009@warmcat.com>
References: <46DE8323.6000009@warmcat.com>
Message-ID: <46DFC183.8030100@warmcat.com>

Somebody in the thread at some point said:
> gitweb no longer works properly with selinux in targeted/enforcing mode.

I got it working and wrote it up here:

http://warmcat.com/_wp/?p=36

-Andy

From tmraz at redhat.com Thu Sep 6 13:50:11 2007
From: tmraz at redhat.com (Tomas Mraz)
Date: Thu, 06 Sep 2007 15:50:11 +0200
Subject: polyinstantiation of the /tmp dir
In-Reply-To:
References:
Message-ID: <1189086611.18167.55.camel@vespa.kabelta.loc>

On Wed, 2007-09-05 at 13:06 -0700, Clarkson, Mike R (US SSA) wrote:
> I'm trying to set up polyinstantiation of the /tmp directory using
> RHEL5. The /etc/security/namespace.conf file shows the following line as
> needing to be uncommented out:
> /tmp /tmp-inst/ level root,adm
>
> The /usr/share/doc/pam-0.99.6.2/txts/README.pam_namespace file describes
> the format of the /etc/security/namespace.conf file, and the allowable
> values. For the entry it lists the following valid values:
> "user", "context", "both". It doesn't list "level" as a valid value.
> However, "level" is the only value that I can get to work. With "user",
> "context", or "both", I get the following error when I attempt to use
> newrole to change the level of my shell:
> "pam_open_session failed with Cannot make/remove an entry for
> the specified session"
>
> Any ideas as to why?

There can be various reasons. Use the 'debug' option of pam_namespace to get some debug messages in /var/log/secure which may give some more insight on this.

> And what other values are valid other than "level"

The documentation is a little bit outdated. The valid values are "user", "context" and "level".

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

From icon at fedoraproject.org Thu Sep 6 16:43:12 2007
From: icon at fedoraproject.org (Konstantin Ryabitsev)
Date: Thu, 6 Sep 2007 12:43:12 -0400
Subject: Labelling a new port
Message-ID:

Hello, all:

I'm trying to write a policy for memcached, but I'm not sure how I'd declare a new memcached_port_t (11211/tcp). Any pointers?

TIA!

Cheers,
-- 
Konstantin Ryabitsev
Montréal, Québec

From mike.clarkson at baesystems.com Thu Sep 6 17:33:12 2007
From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA))
Date: Thu, 6 Sep 2007 10:33:12 -0700
Subject: polyinstantiation of the /tmp dir
References: <1189086611.18167.55.camel@vespa.kabelta.loc>
Message-ID:

> -----Original Message-----
> From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-
> bounces at redhat.com] On Behalf Of Tomas Mraz
> Sent: Thursday, September 06, 2007 6:50 AM
> To: fedora-selinux-list at redhat.com
> Subject: Re: polyinstantiation of the /tmp dir
>
> On Wed, 2007-09-05 at 13:06 -0700, Clarkson, Mike R (US SSA) wrote:
> > I'm trying to set up polyinstantiation of the /tmp directory using
> > RHEL5. The /etc/security/namespace.conf file shows the following line as
> > needing to be uncommented out:
> > /tmp /tmp-inst/ level root,adm
> >
> > The /usr/share/doc/pam-0.99.6.2/txts/README.pam_namespace file describes
> > the format of the /etc/security/namespace.conf file, and the allowable
> > values. For the entry it lists the following valid values:
> > "user", "context", "both". It doesn't list "level" as a valid value.
> > However, "level" is the only value that I can get to work. With "user",
> > "context", or "both", I get the following error when I attempt to use
> > newrole to change the level of my shell:
> > "pam_open_session failed with Cannot make/remove an entry for
> > the specified session"
> >
> > Any ideas as to why?
> There can be various reasons. Use the 'debug' option of pam_namespace to
> get some debug messages in /var/log/secure which may give some more
> insight on this.
>
> > And what other values are valid other than "level"
> The documentation is a little bit outdated. The valid values are "user",
> "context" and "level".
>

Could you explain the difference between "level" and "context"? Here is what I'm seeing:

If I have "/tmp /tmp-inst/ level root,adm" in the namespace.conf file, when I use the command "newrole -l s4:c10,c20", I get the following entry under the /tmp-inst directory: system_u:object_r:tmp_t:s4:c10,c20-s4:c0.c255_mr_clarkson. This entry contains both my name as well as the full security context of the shell that I've newroled to (the destination shell).
If I have "/tmp /tmp-inst/ context root,adm" in the namespace.conf file, when I use the command "newrole -l s4:c10,c20", I get the following entry under the /tmp-inst directory: system_u:object_r:tmp_t:s0-s15:c0.c255_mr_clarkson. This entry contains both my name as well as the full security context of the shell that I've newroled from (the origination shell).

Is this the expected behavior?

Thanks

> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb

From stefan at sf-net.com Thu Sep 6 18:18:21 2007
From: stefan at sf-net.com (Stefan Schulze Frielinghaus)
Date: Thu, 6 Sep 2007 20:18:21 +0200
Subject: Labelling a new port
In-Reply-To:
References:
Message-ID: <7312DE97-0B10-4674-AD51-0EBD7875A4FA@sf-net.com>

You can add ports via semanage, e.g. "semanage port -a -t memcached_port_t -p tcp 11211"

see semanage(8) for more details

PS: you need to declare the type in your policy before executing the command. look at modules/kernel/corenetwork.te for some examples

On 06.09.2007, at 18:43, Konstantin Ryabitsev wrote:
> Hello, all:
>
> I'm trying to write a policy for memcached, but I'm not sure how I'd
> declare a new memcached_port_t (11211/tcp). Any pointers?
>
> TIA!
>
> Cheers,
> --
> Konstantin Ryabitsev
> Montréal, Québec

From sds at tycho.nsa.gov Thu Sep 6 18:39:20 2007
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 06 Sep 2007 14:39:20 -0400
Subject: polyinstantiation of the /tmp dir
In-Reply-To:
References: <1189086611.18167.55.camel@vespa.kabelta.loc>
Message-ID: <1189103960.3617.175.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2007-09-06 at 10:33 -0700, Clarkson, Mike R (US SSA) wrote:
>
> > -----Original Message-----
> > From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-
> > bounces at redhat.com] On Behalf Of Tomas Mraz
> > Sent: Thursday, September 06, 2007 6:50 AM
> > To: fedora-selinux-list at redhat.com
> > Subject: Re: polyinstantiation of the /tmp dir
> >
> > On Wed, 2007-09-05 at 13:06 -0700, Clarkson, Mike R (US SSA) wrote:
> > > I'm trying to set up polyinstantiation of the /tmp directory using
> > > RHEL5. The /etc/security/namespace.conf file shows the following line as
> > > needing to be uncommented out:
> > > /tmp /tmp-inst/ level root,adm
> > >
> > > The /usr/share/doc/pam-0.99.6.2/txts/README.pam_namespace file describes
> > > the format of the /etc/security/namespace.conf file, and the allowable
> > > values. For the entry it lists the following valid values:
> > > "user", "context", "both". It doesn't list "level" as a valid value.
> > > However, "level" is the only value that I can get to work. With "user",
> > > "context", or "both", I get the following error when I attempt to use
> > > newrole to change the level of my shell:
> > > "pam_open_session failed with Cannot make/remove an entry for
> > > the specified session"
> > >
> > > Any ideas as to why?
> > There can be various reasons. Use the 'debug' option of pam_namespace to
> > get some debug messages in /var/log/secure which may give some more
> > insight on this.
> >
> > > And what other values are valid other than "level"
> > The documentation is a little bit outdated. The valid values are "user",
> > "context" and "level".
> >
>
> Could you explain the difference between "level" and "context"? Here is
> what I'm seeing:
>
> If I have "/tmp /tmp-inst/ level root,adm" in the namespace.conf file,
> when I use the command "newrole -l s4:c10,c20", I get the following
> entry under the /tmp-inst directory:
> system_u:object_r:tmp_t:s4:c10,c20-s4:c0.c255_mr_clarkson.
> This entry contains both my name as well as the full security context
> of the shell that I've newroled to (the destination shell).
>
> If I have "/tmp /tmp-inst/ context root,adm" in the namespace.conf file,
> when I use the command "newrole -l s4:c10,c20", I get the following
> entry under the /tmp-inst directory:
> system_u:object_r:tmp_t:s0-s15:c0.c255_mr_clarkson. This entry contains
> both my name as well as the full security context of the shell that I've
> newroled from (the origination shell).
>
> Is this the expected behavior?

At present, you shouldn't really use the context option at all. It may eventually get used for role-based polyinstantiation, but that isn't clear right now.

-- 
Stephen Smalley
National Security Agency

From ftaylor at redhat.com Thu Sep 6 18:51:04 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Thu, 06 Sep 2007 12:51:04 -0600
Subject: Labelling a new port
In-Reply-To:
References:
Message-ID: <1189104664.5175.18.camel@localhost.localdomain>

On Thu, 2007-09-06 at 12:43 -0400, Konstantin Ryabitsev wrote:
> Hello, all:
>
> I'm trying to write a policy for memcached, but I'm not sure how I'd
> declare a new memcached_port_t (11211/tcp). Any pointers?

First, you need to build a module and load it into the policy:

Create a file in /root called memcached that contains the following:

module memcached 1.0.0;

require {
	attribute port_type;
};

type memcache_port_t, port_type;

Build it and load it:

cd /root
make -f /usr/share/selinux/devel/Makefile
(if that file doesn't exist, install the selinux-policy-devel package)
semodule -i memcached.pp

Second, use semanage to associate the port with the new port name:

semanage port -a -t memcache_port_t -p tcp 11211

Forrest

From stefmanos at gmail.com Thu Sep 6 21:09:49 2007
From: stefmanos at gmail.com (Stephanos Manos)
Date: Fri, 07 Sep 2007 00:09:49 +0300
Subject: lost+found labeling
In-Reply-To: <46DBAB0C.9030802@gmail.com>
References: <46DBAB0C.9030802@gmail.com>
Message-ID:

Ken YANG wrote:
> Stephanos Manos wrote:
>> Hi
>>
>> I'm in the process of building a whole server and I was wondering what is
>> the correct way of labeling the lost+found directory of various file
>> systems that will be mounted under the /srv. I have labeled /srv as
>> public_content_rw_t with
>> semanage fcontext -a -t public_content_rw_t '/srv(/.*)?'
>> but that results in lost+found being labeled as public_content_rw_t so I
>> also run
>> semanage fcontext -a -f -d -t lost_found_t '/srv/(.*/)lost\+found'
>>
>> my question is:
>> in /etc/selinux/targeted/contexts/files/file_contexts I see two lines
>> for /lost+found
>> a. /lost\+found/.* <<none>>
>> b. /lost\+found -d system_u:object_r:lost_found_t:s0
>>
>> the second is created with the above mentioned command
>> how do I create the first, or don't I need it?
>
> the first one is about the content in lost+found, and the second is
> about the directory lost+found, i think you also find the "-d" item.
>
> the label rules you create through "semanage fcontext" are in:
>
> /etc/selinux/targeted/contexts/files/file_contexts.local
>

Yes, I know that. When I issue the above mentioned semanage fcontext command I see the following line created in /etc/selinux/targeted/contexts/files/file_contexts.local

/srv/(.*/)lost\+found -d system_u:object_r:lost_found_t:s0

but how do I create a line that is

/srv/(.*/)lost\+found/.* <<none>>

in the file_contexts.local, or don't I need it?

Stephanos

>
>> Regards
>>
>> Stephanos Manos

From wart at kobold.org Thu Sep 6 21:18:57 2007
From: wart at kobold.org (Michael Thomas)
Date: Thu, 06 Sep 2007 14:18:57 -0700
Subject: Labelling a new port
In-Reply-To: <7312DE97-0B10-4674-AD51-0EBD7875A4FA@sf-net.com>
References: <7312DE97-0B10-4674-AD51-0EBD7875A4FA@sf-net.com>
Message-ID: <46E06EC1.4050505@kobold.org>

Stefan Schulze Frielinghaus wrote:
> You can add ports via semanage e.g. "semanage port -a -t memcached_port_t
> -p tcp 11211"
>
> see semanage(8) for more details
>
> PS: you need to declare the type in your policy before executing the
> command. look at modules/kernel/corenetwork.te for some examples
>
> On 06.09.2007, at 18:43, Konstantin Ryabitsev wrote:
>
>> Hello, all:
>>
>> I'm trying to write a policy for memcached, but I'm not sure how I'd
>> declare a new memcached_port_t (11211/tcp). Any pointers?

If you want to manage the port for a daemon that is started/stopped via an init script, then the best place to put the 'semanage port -a ...' command is in the init script itself. This will ensure that the port definition is set and removed when the daemon starts/stops. Putting it in the spec file and running at package install time is not enough because I don't believe that the semanage'd ports persist after a reboot.

start() {
	...
	if selinuxenabled ; then
		/usr/sbin/semanage port -a -t memcached_port_t -p tcp 11211 &>/dev/null || :
	fi
	...
}

stop() {
	...
	if selinuxenabled ; then
		/usr/sbin/semanage port -d -t memcached_port_t -p tcp 11211 &>/dev/null || :
	fi
	...
}

--Wart

From ftaylor at redhat.com Thu Sep 6 21:51:31 2007
From: ftaylor at redhat.com (Forrest Taylor)
Date: Thu, 06 Sep 2007 15:51:31 -0600
Subject: Labelling a new port
In-Reply-To: <46E06EC1.4050505@kobold.org>
References: <7312DE97-0B10-4674-AD51-0EBD7875A4FA@sf-net.com> <46E06EC1.4050505@kobold.org>
Message-ID: <1189115491.5175.24.camel@localhost.localdomain>

On Thu, 2007-09-06 at 14:18 -0700, Michael Thomas wrote:
> If you want to manage the port for a daemon that is started/stopped via
> an init script, then the best place to put the 'semanage port -a ...'
> command is in the init script itself. This will ensure that the port
> definition is set and removed when the daemon starts/stops. Putting it
> in the spec file and running at package install time is not enough
> because I don't believe that the semanage'd ports persist after a reboot.

Actually, the port does persist across a reboot, because semanage rebuilds the binary policy (that's the reason that it takes so long to run).

Forrest

From sf181257 at students.mimuw.edu.pl Fri Sep 7 07:59:44 2007
From: sf181257 at students.mimuw.edu.pl ("Stanisław T. Findeisen")
Date: Fri, 07 Sep 2007 09:59:44 +0200
Subject: Postfix (FC7)
Message-ID: <46E104F0.4080201@students.mimuw.edu.pl>

Hello

Hopefully you Fedora/SELinux developers already know that Postfix does not work correctly by default in Fedora Core 7?

audit(1189079035.093:14): avc: denied { append } for pid=2573 comm="local" name="stf" dev=sda1 ino=5881977 scontext=system_u:system_r:postfix_local_t:s0 tcontext=root:object_r:mail_spool_t:s0 tclass=file

This used to happen to me when I tried (as an ordinary user) to send email to myself. The file that Postfix was trying to append to was my own mail file (/var/spool/mail/stf). I had to add this rule:

allow postfix_local_t mail_spool_t:file append;

What's more, it turned out that checkmodule (policy language compiler) is not present, so I had to install one from Fedora Core 6.

-- 
"The heart of the wise is in the house of mourning, and the heart of fools in the house of mirth." (Koh 7:4)

From sf181257 at students.mimuw.edu.pl Fri Sep 7 08:04:46 2007
From: sf181257 at students.mimuw.edu.pl ("Stanisław T. Findeisen")
Date: Fri, 07 Sep 2007 10:04:46 +0200
Subject: order of rules?
Message-ID: <46E1061E.5000207@students.mimuw.edu.pl>

Please tell me if the following is correct about resource access in SELinux:

(1) everything is denied by default
(2) administrator can add "allow" rules
(3) SO, there is nothing about "rule chains", like in iptables. There is just rule SET. In other words, order of rules is not significant.

True or false?

Thanks.

-- 
"The heart of the wise is in the house of mourning, and the heart of fools in the house of mirth." (Koh 7:4)

From eparis at redhat.com Fri Sep 7 12:40:20 2007
From: eparis at redhat.com (Eric Paris)
Date: Fri, 07 Sep 2007 08:40:20 -0400
Subject: order of rules?
In-Reply-To: <46E1061E.5000207@students.mimuw.edu.pl>
References: <46E1061E.5000207@students.mimuw.edu.pl>
Message-ID: <1189168820.3418.80.camel@localhost.localdomain>

On Fri, 2007-09-07 at 10:04 +0200, "Stanisław T. Findeisen" wrote:
> Please tell me if the following is correct about resource access in SELinux:
>
> (1) everything is denied by default
> (2) administrator can add "allow" rules
> (3) SO, there is nothing about "rule chains", like in iptables. There is
> just rule SET. In other words, order of rules is not significant.

I'm going to have to go with, True.

-Eric

From eparis at redhat.com Fri Sep 7 12:42:34 2007
From: eparis at redhat.com (Eric Paris)
Date: Fri, 07 Sep 2007 08:42:34 -0400
Subject: Postfix (FC7)
In-Reply-To: <46E104F0.4080201@students.mimuw.edu.pl>
References: <46E104F0.4080201@students.mimuw.edu.pl>
Message-ID: <1189168954.3418.83.camel@localhost.localdomain>

On Fri, 2007-09-07 at 09:59 +0200, "Stanisław T. Findeisen" wrote:

[I'll let dan comment on the postfix policy]

> What's more, it turned out that checkmodule (policy language compiler)
> is not present, so I had to install one from Fedora Core 6.

[paris at localhost ~]$ cat /etc/fedora-release
Fedora release 7 (Moonshine)
[paris at localhost ~]$ rpm -qf `which checkmodule`
checkpolicy-2.0.3-1.fc7
[paris at localhost ~]$ rpm -ql checkpolicy
/usr/bin/checkmodule
/usr/bin/checkpolicy
/usr/share/man/man8/checkmodule.8.gz
/usr/share/man/man8/checkpolicy.8.gz
[paris at localhost ~]$

Seems to be there for me.....

-Eric

From sf181257 at students.mimuw.edu.pl Fri Sep 7 13:32:39 2007
From: sf181257 at students.mimuw.edu.pl ("Stanisław T. Findeisen") Date: Fri, 07 Sep 2007 15:32:39 +0200 Subject: Postfix (FC7) In-Reply-To: <1189168954.3418.83.camel@localhost.localdomain> References: <46E104F0.4080201@students.mimuw.edu.pl> <1189168954.3418.83.camel@localhost.localdomain> Message-ID: <46E152F7.20505@students.mimuw.edu.pl> Which Fedora version do you use? Mine is 64 bit. Eric Paris wrote: > On Fri, 2007-09-07 at 09:59 +0200, "Stanisław T. Findeisen" wrote: > > [I'll let dan comment on the postfix policy] > >> What's more, it turned out that checkmodule (policy language compiler) >> is not present, so I had to install one from Fedora Core 6. > > [paris at localhost ~]$ cat /etc/fedora-release > Fedora release 7 (Moonshine) > [paris at localhost ~]$ rpm -qf `which checkmodule` > checkpolicy-2.0.3-1.fc7 > [paris at localhost ~]$ rpm -ql checkpolicy > /usr/bin/checkmodule > /usr/bin/checkpolicy > /usr/share/man/man8/checkmodule.8.gz > /usr/share/man/man8/checkpolicy.8.gz > [paris at localhost ~]$ > > Seems to be there for me..... > > -Eric > > -- "The heart of the wise is in the house of mourning, but the heart of fools is in the house of mirth." (Koh 7:4) From eparis at redhat.com Fri Sep 7 13:47:33 2007
From: eparis at redhat.com (Eric Paris) Date: Fri, 07 Sep 2007 09:47:33 -0400 Subject: Postfix (FC7) In-Reply-To: <46E152F7.20505@students.mimuw.edu.pl> References: <46E104F0.4080201@students.mimuw.edu.pl> <1189168954.3418.83.camel@localhost.localdomain> <46E152F7.20505@students.mimuw.edu.pl> Message-ID: <1189172853.3418.87.camel@localhost.localdomain> On Fri, 2007-09-07 at 15:32 +0200, "Stanisław T. Findeisen" wrote: > Which Fedora version do you use? Mine is 64 bit. Huh, looks like you are right.... Anyway you could get the F7 version right out of the build system rather than from F6. http://koji.fedoraproject.org/koji/buildinfo?buildID=7991 /me goes poking to find out where the x86_64 version is. -Eric > > Eric Paris wrote: > > On Fri, 2007-09-07 at 09:59 +0200, "Stanisław T. Findeisen" wrote: > > > > [I'll let dan comment on the postfix policy] > > > >> What's more, it turned out that checkmodule (policy language compiler) > >> is not present, so I had to install one from Fedora Core 6. > > > > [paris at localhost ~]$ cat /etc/fedora-release > > Fedora release 7 (Moonshine) > > [paris at localhost ~]$ rpm -qf `which checkmodule` > > checkpolicy-2.0.3-1.fc7 > > [paris at localhost ~]$ rpm -ql checkpolicy > > /usr/bin/checkmodule > > /usr/bin/checkpolicy > > /usr/share/man/man8/checkmodule.8.gz > > /usr/share/man/man8/checkpolicy.8.gz > > [paris at localhost ~]$ > > > > Seems to be there for me..... > > > > -Eric > > > > > From eparis at redhat.com Fri Sep 7 14:12:13 2007
From: eparis at redhat.com (Eric Paris) Date: Fri, 07 Sep 2007 10:12:13 -0400 Subject: Postfix (FC7) In-Reply-To: <1189172853.3418.87.camel@localhost.localdomain> References: <46E104F0.4080201@students.mimuw.edu.pl> <1189168954.3418.83.camel@localhost.localdomain> <46E152F7.20505@students.mimuw.edu.pl> <1189172853.3418.87.camel@localhost.localdomain> Message-ID: <1189174333.3418.92.camel@localhost.localdomain> On Fri, 2007-09-07 at 09:47 -0400, Eric Paris wrote: > On Fri, 2007-09-07 at 15:32 +0200, "Stanisław T. Findeisen" wrote: > > Which Fedora version do you use? Mine is 64 bit. > > Huh, looks like you are right.... Anyway you could get the F7 version > right out of the build system rather than from F6. > > http://koji.fedoraproject.org/koji/buildinfo?buildID=7991 > > /me goes poking to find out where the x86_64 version is. > > -Eric It's in the fedora-updates repo. Not sure why it isn't in the fedora repo, but anyway if you have the fedora-updates repo enabled you should be able to grab it with yum. If not you can grab it from a mirror. http://www.gtlib.gatech.edu/pub/fedora.redhat/linux/updates/7/x86_64/checkpolicy-2.0.3-1.fc7.x86_64.rpm -Eric > > > > > > Eric Paris wrote: > > > On Fri, 2007-09-07 at 09:59 +0200, "Stanisław T. Findeisen" wrote: > > > > > > [I'll let dan comment on the postfix policy] > > > > > >> What's more, it turned out that checkmodule (policy language compiler) > > >> is not present, so I had to install one from Fedora Core 6. > > > > > > [paris at localhost ~]$ cat /etc/fedora-release > > > Fedora release 7 (Moonshine) > > > [paris at localhost ~]$ rpm -qf `which checkmodule` > > > checkpolicy-2.0.3-1.fc7 > > > [paris at localhost ~]$ rpm -ql checkpolicy > > > /usr/bin/checkmodule > > > /usr/bin/checkpolicy > > > /usr/share/man/man8/checkmodule.8.gz > > > /usr/share/man/man8/checkpolicy.8.gz > > > [paris at localhost ~]$ > > > > > > Seems to be there for me.....
> > > > > > -Eric > > > > > > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From sf181257 at students.mimuw.edu.pl Fri Sep 7 14:23:01 2007 
From: sf181257 at students.mimuw.edu.pl ("Stanisław T. Findeisen") Date: Fri, 07 Sep 2007 16:23:01 +0200 Subject: Postfix (FC7) In-Reply-To: <1189174333.3418.92.camel@localhost.localdomain> References: <46E104F0.4080201@students.mimuw.edu.pl> <1189168954.3418.83.camel@localhost.localdomain> <46E152F7.20505@students.mimuw.edu.pl> <1189172853.3418.87.camel@localhost.localdomain> <1189174333.3418.92.camel@localhost.localdomain> Message-ID: <46E15EC5.8020403@students.mimuw.edu.pl> Thank you. Eric Paris wrote: > On Fri, 2007-09-07 at 09:47 -0400, Eric Paris wrote: >> On Fri, 2007-09-07 at 15:32 +0200, "Stanisław T. Findeisen" wrote: >>> Which Fedora version do you use? Mine is 64 bit. >> Huh, looks like you are right.... Anyway you could get the F7 version >> right out of the build system rather than from F6. >> >> http://koji.fedoraproject.org/koji/buildinfo?buildID=7991 >> >> /me goes poking to find out where the x86_64 version is. >> >> -Eric > > It's in the fedora-updates repo. Not sure why it isn't in the fedora > repo, but anyway if you have the fedora-updates repo enabled you should > be able to grab it with yum. If not you can grab it from a mirror. > > http://www.gtlib.gatech.edu/pub/fedora.redhat/linux/updates/7/x86_64/checkpolicy-2.0.3-1.fc7.x86_64.rpm > > -Eric > >> >>> Eric Paris wrote: >>>> On Fri, 2007-09-07 at 09:59 +0200, "Stanisław T. Findeisen" wrote: >>>> >>>> [I'll let dan comment on the postfix policy] >>>> >>>>> What's more, it turned out that checkmodule (policy language compiler) >>>>> is not present, so I had to install one from Fedora Core 6.
>>>> [paris at localhost ~]$ cat /etc/fedora-release >>>> Fedora release 7 (Moonshine) >>>> [paris at localhost ~]$ rpm -qf `which checkmodule` >>>> checkpolicy-2.0.3-1.fc7 >>>> [paris at localhost ~]$ rpm -ql checkpolicy >>>> /usr/bin/checkmodule >>>> /usr/bin/checkpolicy >>>> /usr/share/man/man8/checkmodule.8.gz >>>> /usr/share/man/man8/checkpolicy.8.gz >>>> [paris at localhost ~]$ >>>> >>>> Seems to be there for me..... >>>> >>>> -Eric >>>> >>>> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > -- "The heart of the wise is in the house of mourning, but the heart of fools is in the house of mirth." (Koh 7:4) From stefan at sf-net.com Fri Sep 7 16:30:29 2007
From: stefan at sf-net.com (Stefan Schulze Frielinghaus) Date: Fri, 7 Sep 2007 18:30:29 +0200 Subject: Labelling a new port In-Reply-To: <46E06EC1.4050505@kobold.org> References: <7312DE97-0B10-4674-AD51-0EBD7875A4FA@sf-net.com> <46E06EC1.4050505@kobold.org> Message-ID: <5C09E8E7-0EC3-4A8F-A969-600C0691D72B@sf-net.com> On 06.09.2007, at 23:18, Michael Thomas wrote: > Stefan Schulze Frielinghaus wrote: >> You can add ports via semanage e.g. "semanage port -a -t >> memcached_port_t >> -p tcp 11211" >> >> see semanage(8) for more details >> >> PS: you need to declare the type in your policy before executing the >> command. look at modules/kernel/corenetwork.te for some examples >> >> On 06.09.2007, at 18:43, Konstantin Ryabitsev wrote: >> >>> Hello, all: >>> >>> I'm trying to write a policy for memcached, but I'm not sure how I'd >>> declare a new memcached_port_t (11211/tcp). Any pointers? > > If you want to manage the port for a daemon that is started/stopped > via > an init script, then the best place to put the 'semanage port -a ...' > command is in the init script itself. This will ensure that the port > definition is set and removed when the daemon starts/stops. > Putting it > in the spec file and running at package install time is not enough > because I don't believe that the semanage'd ports persist after a > reboot. > > start() { > ... > if selinuxenabled ; then > /usr/sbin/semanage port -a -t memcached_port_t -p tcp 11211 > &>/dev/null || : > fi > ... > } > > stop() { > ... > if selinuxenabled ; then > /usr/sbin/semanage port -d -t memcached_port_t -p tcp 11211 > &>/dev/null || : > fi > ... > } What additional security benefit should this bring if you add and remove the port type via an init script? On the contrary I think this harms rather than hardens the system. Because if you remove the port type by running the init script with the stop option every application with network access can now send data over this port (with no further allow statements).
But if you would have left the port type no application with additional allow statements on port xyz could send data over this port. In the end you could trust that data sooner. From piotreek23 at gmail.com Fri Sep 7 17:16:26 2007 From: piotreek23 at gmail.com (piotreek23 at gmail.com) Date: Fri, 07 Sep 2007 19:16:26 +0200 Subject: Postfix (FC7) In-Reply-To: <46E104F0.4080201@students.mimuw.edu.pl> References: <46E104F0.4080201@students.mimuw.edu.pl> Message-ID: <46E1876A.3090103@gmail.com> Stanisław T. Findeisen wrote: > Hello > > Hopefully you Fedora/SELinux developers already know that Postfix does > not work correctly by default in Fedora Core 7? > > audit(1189079035.093:14): avc: denied { append } for > pid=2573 comm="local" name="stf" dev=sda1 ino=5881977 > scontext=system_u:system_r:postfix_local_t:s0 > tcontext=root:object_r:mail_spool_t:s0 tclass=file > > This used to happen to me when I tried (as an ordinary user) to send > email to myself. The file that Postfix was trying to append to was my > own mail file (/var/spool/mail/stf). > > I had to add this rule: > > allow postfix_local_t mail_spool_t:file append; > > What's more, it turned out that checkmodule (policy language compiler) > is not present, so I had to install one from Fedora Core 6. > Yep, i can confirm it. It is broken since the last postfix update i think. From icon at fedoraproject.org Sat Sep 8 00:00:05 2007
From: icon at fedoraproject.org (Konstantin Ryabitsev) Date: Fri, 7 Sep 2007 20:00:05 -0400 Subject: My first policy (memcached) Message-ID: Hello, all: I'm finally done with my very first selinux policy, and I would much appreciate if some of you could look over it to see if it's sane. Found here: http://icon.fedorapeople.org/f/memcached/memcached.te http://icon.fedorapeople.org/f/memcached/memcached.fc Nothing in the .if file. For reference, there's a .spec and daemon init files in the same directory Any comments or improvement suggestions would be gratefully welcomed! Cheers, -- Konstantin Ryabitsev Montréal, Québec From spng.yang at gmail.com Sat Sep 8 08:55:10 2007
From: spng.yang at gmail.com (Ken YANG) Date: Sat, 08 Sep 2007 16:55:10 +0800 Subject: lost+found labeling In-Reply-To: References: <46DBAB0C.9030802@gmail.com> Message-ID: <46E2636E.8030508@gmail.com> Stephanos Manos wrote: > Ken YANG wrote: >> Stephanos Manos wrote: >>> Hi >>> >>> I'm in the process of building a whole server and i was wondering what is >>> the correct way of labeling the lost+found directory of various file >>> systems that will be mounted under the /srv. I have labeled /srv as >>> public_content_rw_t with >>> semanage fcontext -a -t public_content_rw_t '/srv(/.*)?' >>> but that results to lost+found being labeled as public_content_rw_t so i >>> also run >>> semanage fcontext -a -f -d -t lost_found_t '/srv/(.*/)lost\+found' >>> >>> my question is: >>> in /etc/selinux/targeted/contexts/files/file_contexts i see two lines >>> for /lost+found >>> a. /lost\+found/.* <<none>> >>> b. /lost\+found -d system_u:object_r:lost_found_t:s0 >>> >>> the second is created with the above mentioned command >>> how do i create the first, or don't i need it? >> the first one is about the content in lost+found, and the second is >> about the directory lost+found, i think you also find the "-d" item. >> >> the label rules you create through "semanage fcontext" are in: >> >> /etc/selinux/targeted/contexts/files/file_contexts.local >> > Yes i know that. when i issue the above mentioned semanage fcontext > command i see the following line created in > /etc/selinux/targeted/contexts/files/file_contexts.local > > /srv/(.*/)lost\+found -d system_u:object_r:lost_found_t:s0 > > but how do i create a line that is > /srv/(.*/)lost\+found/.* <<none>> > > in the file_contexts.local > > or don't i need it? the need of this line depends on your purpose. This line means the context of files you created in the dir are labeled according to the creating process and containing directory, if there are no policy rules about it.
i think you should keep this line in your file context file > > Stephanos > >>> Regards >>> >>> Stephanos Manos >>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From stefmanos at gmail.com Sat Sep 8 10:36:08 2007 
From: stefmanos at gmail.com (Stephanos Manos) Date: Sat, 08 Sep 2007 13:36:08 +0300 Subject: lost+found labeling In-Reply-To: <46E2636E.8030508@gmail.com> References: <46DBAB0C.9030802@gmail.com> <46E2636E.8030508@gmail.com> Message-ID: Ken YANG wrote: > Stephanos Manos wrote: >> Ken YANG wrote: >>> Stephanos Manos wrote: >>>> Hi >>>> >>>> I'm in the process of building a whole server and i was wondering what is >>>> the correct way of labeling the lost+found directory of various file >>>> systems that will be mounted under the /srv. I have labeled /srv as >>>> public_content_rw_t with >>>> semanage fcontext -a -t public_content_rw_t '/srv(/.*)?' >>>> but that results to lost+found being labeled as public_content_rw_t so i >>>> also run >>>> semanage fcontext -a -f -d -t lost_found_t '/srv/(.*/)lost\+found' >>>> >>>> my question is: >>>> in /etc/selinux/targeted/contexts/files/file_contexts i see two lines >>>> for /lost+found >>>> a. /lost\+found/.* <<none>> >>>> b. /lost\+found -d system_u:object_r:lost_found_t:s0 >>>> >>>> the second is created with the above mentioned command >>>> how do i create the first, or don't i need it? >>> the first one is about the content in lost+found, and the second is >>> about the directory lost+found, i think you also find the "-d" item. >>> >>> the label rules you create through "semanage fcontext" are in: >>> >>> /etc/selinux/targeted/contexts/files/file_contexts.local >>> >> Yes i know that. when i issue the above mentioned semanage fcontext >> command i see the following line created in >> /etc/selinux/targeted/contexts/files/file_contexts.local >> >> /srv/(.*/)lost\+found -d system_u:object_r:lost_found_t:s0 >> >> but how do i create a line that is >> /srv/(.*/)lost\+found/.* <<none>> >> >> in the file_contexts.local >> >> or don't i need it? > > the need of this line depends on your purpose.
This line means > the context of files you created in the dir are labeled according to > the creating process and containing directory, if there are no policy rules > about it. > > i think you should keep this line in your file context file The question is: which is the correct command that creates the line, since direct editing of the file is not recommended? Stephanos > >> Stephanos >> >>>> Regards >>>> >>>> Stephanos Manos >>>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> > From spng.yang at gmail.com Sat Sep 8 12:02:10 2007
From: spng.yang at gmail.com (Ken YANG) Date: Sat, 08 Sep 2007 20:02:10 +0800 Subject: lost+found labeling In-Reply-To: References: <46DBAB0C.9030802@gmail.com> <46E2636E.8030508@gmail.com> Message-ID: <46E28F42.8070506@gmail.com> Stephanos Manos wrote: > Ken YANG wrote: >> Stephanos Manos wrote: >>> Ken YANG wrote: >>>> Stephanos Manos wrote: >>>>> Hi >>>>> >>>>> I'm in the process of building a whole server and i was wondering what is >>>>> the correct way of labeling the lost+found directory of various file >>>>> systems that will be mounted under the /srv. I have labeled /srv as >>>>> public_content_rw_t with >>>>> semanage fcontext -a -t public_content_rw_t '/srv(/.*)?' >>>>> but that results to lost+found being labeled as public_content_rw_t so i >>>>> also run >>>>> semanage fcontext -a -f -d -t lost_found_t '/srv/(.*/)lost\+found' >>>>> >>>>> my question is: >>>>> in /etc/selinux/targeted/contexts/files/file_contexts i see two lines >>>>> for /lost+found >>>>> a. /lost\+found/.* <<none>> >>>>> b. /lost\+found -d system_u:object_r:lost_found_t:s0 >>>>> >>>>> the second is created with the above mentioned command >>>>> how do i create the first, or don't i need it? >>>> the first one is about the content in lost+found, and the second is >>>> about the directory lost+found, i think you also find the "-d" item. >>>> >>>> the label rules you create through "semanage fcontext" are in: >>>> >>>> /etc/selinux/targeted/contexts/files/file_contexts.local >>>> >>> Yes i know that. when i issue the above mentioned semanage fcontext >>> command i see the following line created in >>> /etc/selinux/targeted/contexts/files/file_contexts.local >>> >>> /srv/(.*/)lost\+found -d system_u:object_r:lost_found_t:s0 >>> >>> but how do i create a line that is >>> /srv/(.*/)lost\+found/.* <<none>> >>> >>> in the file_contexts.local >>> >>> or don't i need it? >> the need of this line depends on your purpose.
This line means >> the context of files you created in the dir are labeled according to >> the creating process and containing directory, if there are no policy rules >> about it. >> >> i think you should keep this line in your file context file > > The question is: > which is the correct command that creates the line, since direct editing > of the file is not recommended? there is no need to write such a line in file_contexts.local; if there is no rule for the file, its context will inherit from the creating process and containing dir, unless the file system is a pseudo-filesystem > > Stephanos > >>> Stephanos >>> >>>>> Regards >>>>> >>>>> Stephanos Manos >>>>> >>>>> -- >>>>> fedora-selinux-list mailing list >>>>> fedora-selinux-list at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From bruno at wolff.to Sat Sep 8 19:43:04 2007
From: bruno at wolff.to (Bruno Wolff III) Date: Sat, 8 Sep 2007 14:43:04 -0500 Subject: order of rules? In-Reply-To: <1189168820.3418.80.camel@localhost.localdomain> References: <46E1061E.5000207@students.mimuw.edu.pl> <1189168820.3418.80.camel@localhost.localdomain> Message-ID: <20070908194304.GA28466@wolff.to> On Fri, Sep 07, 2007 at 08:40:20 -0400, Eric Paris wrote: > On Fri, 2007-09-07 at 10:04 +0200, "Stanisław T. Findeisen" wrote: > > Please tell me if the following is correct about resource access in SELinux: > > > > (1) everything is denied by default > > (2) administrator can add "allow" rules > > (3) SO, there is nothing about "rule chains", like in iptables. There is > > just rule SET. In other words, order of rules is not significant. > > I'm going to have to go with, True. There is ordering in the file_contexts file used for relabelling. From selinux at gmail.com Mon Sep 10 00:54:48 2007
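Bruno's one-line caveat and the lost+found thread above are the same point seen from two sides: allow rules are an unordered set, but file_contexts is a list, and which entry wins for a path depends on where it sits in that list. The following is an added example (not code from the thread or from libselinux) that models the matching with constructed entries modelled on the lines quoted in the lost+found thread, plus a local entry for /usr/local/bin/mplayer. Its assumptions: an entry is "regex [-flag] context"; the regex must match the whole path (file_contexts uses POSIX extended regexes, approximated here with Python's re); a flag such as -d or -- restricts the entry to that object kind; <<none>> tells restorecon and setfiles to leave the label alone; when several entries match, the last one wins; and file_contexts.local is consulted after the stock file, which is what lets semanage fcontext -a override a distribution entry.

```python
"""file_contexts matching in miniature: why order matters for relabelling.

Added example, not code from the thread or from libselinux.  Assumptions:
a spec line is `regex [-flag] context`; the regex must match the whole
path (file_contexts uses POSIX extended regexes, approximated here with
Python's re); a flag such as -d (directory) or -- (regular file) restricts
the entry to that object kind; `<<none>>` tells restorecon/setfiles to
leave the file's label alone; and when several entries match, the LAST
one wins.  file_contexts.local is consulted after the stock file_contexts,
which is what lets `semanage fcontext -a` override a distribution entry.
"""
import re

FLAG_TO_KIND = {"-d": "dir", "--": "file", "-s": "sock", "-l": "link",
                "-c": "char", "-b": "block", "-p": "pipe"}

# Constructed stock entries, modelled on the lines quoted in the thread.
STOCK_FILE_CONTEXTS = r"""
/.*                         system_u:object_r:default_t:s0
/usr/local/bin(/.*)?        system_u:object_r:bin_t:s0
/lost\+found/.*             <<none>>
/lost\+found           -d   system_u:object_r:lost_found_t:s0
/srv(/.*)?                  system_u:object_r:var_t:s0
"""

# What file_contexts.local holds after the two semanage commands from the
# thread, plus a local entry for a binary in /usr/local/bin (constructed).
LOCAL_FILE_CONTEXTS = r"""
/srv(/.*)?                  system_u:object_r:public_content_rw_t:s0
/srv/(.*/)lost\+found  -d   system_u:object_r:lost_found_t:s0
/usr/local/bin/mplayer      system_u:object_r:unconfined_execmem_exec_t:s0
"""

# The extra entry Stephanos asked about: keep restorecon away from files
# that fsck drops into /srv/*/lost+found (constructed).
KEEP_LOST_FOUND_CONTENT = r"""
/srv/(.*/)lost\+found/.*    <<none>>
"""


def parse_specs(text):
    """Parse spec lines into (compiled regex, kind or None, context), in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, context = parts
            kind = FLAG_TO_KIND[flag]
        elif len(parts) == 2:
            regex, context = parts
            kind = None
        else:
            raise ValueError("bad file_contexts line: %r" % raw)
        specs.append((re.compile(regex), kind, context))
    return specs


def lookup(specs, path, kind):
    """Context restorecon would apply to `path` of object kind `kind`.

    Every matching entry is visited and the last one kept, so later entries
    (and file_contexts.local, which comes after the stock file) win.
    Returns None if nothing matches.
    """
    winner = None
    for rx, spec_kind, context in specs:
        if spec_kind is not None and spec_kind != kind:
            continue
        if rx.fullmatch(path):
            winner = context
    return winner


def relabel_plan(specs, objects):
    """Map each path to the context it would get, or 'unchanged' for <<none>>."""
    plan = {}
    for path, kind in objects:
        ctx = lookup(specs, path, kind)
        plan[path] = "unchanged" if ctx == "<<none>>" else ctx
    return plan


if __name__ == "__main__":
    specs = parse_specs(STOCK_FILE_CONTEXTS + LOCAL_FILE_CONTEXTS)
    objects = [("/srv/data", "dir"), ("/srv/data/lost+found", "dir"),
               ("/srv/data/lost+found/#1234", "file"), ("/lost+found/#7", "file"),
               ("/usr/local/bin/mplayer", "file")]
    for path, ctx in relabel_plan(specs, objects).items():
        print("%-30s %s" % (path, ctx))
    # With the extra <<none>> entry the recovered file is left alone.
    print(relabel_plan(specs + parse_specs(KEEP_LOST_FOUND_CONTENT), objects[2:3]))
```

Three things fall out of running it. Swapping the order of the two /srv entries changes the label of /srv/data/lost+found, which is Bruno's point and the reason semanage writes to a separate file that is read last. Files that fsck recovers into /srv/data/lost+found get public_content_rw_t on the next restorecon unless a <<none>> entry for them exists; but, as Ken says, that only matters at relabel time, since at creation the kernel labels a new file from the creating process and its parent directory, not from file_contexts. And the regex as quoted, /srv/(.*/)lost\+found, needs at least one directory between /srv and lost+found, so a filesystem mounted on /srv itself would leave /srv/lost+found as public_content_rw_t; /srv(/.*)?/lost\+found covers both cases. The same mechanism is why a bare chcon, as used for mplayer and maxima later on this page, does not survive a relabel unless a matching semanage fcontext entry exists.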
From: selinux at gmail.com (Tom London) Date: Sun, 9 Sep 2007 17:54:48 -0700 Subject: setroubleshootd: write access to "system_bus_socket" ....? Message-ID: <4c4ba1530709091754k7d80a60n614e5b7a624f4574@mail.gmail.com> Running latest rawhide, targeted/enforcing. Just started noticing this: type=AVC msg=audit(1189383749.641:16): avc: denied { write } for pid=3307 comm="setroubleshootd" name="system_bus_socket" dev=dm-0 ino=65933 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file type=SYSCALL msg=audit(1189383749.641:16): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf980f90 a2=8c5474 a3=0 items=0 ppid=1 pid=3307 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null) [tbl at localhost ~]$ ls -lZ /var/run/dbus/system* srwxrwxrwx root root system_u:object_r:system_dbusd_var_run_t /var/run/dbus/system_bus_socket [tbl at localhost ~]$ tom -- Tom London From cppbala at yahoo.com Mon Sep 10 11:07:28 2007 From: cppbala at yahoo.com (bala) Date: Mon, 10 Sep 2007 04:07:28 -0700 (PDT) Subject: anybody running backup and virus scanner solution on SELinux Message-ID: <232396.25621.qm@web35104.mail.mud.yahoo.com> Hi All, We would like to know, anybody using commercial [OR] open source based backup and virus scanner products on SELinux environment. pls share and suggest some products that run and are tested on SELinux environment. thanks in advance, -bala- ____________________________________________________________________________________ Sick sense of humor? Visit Yahoo! TV's Comedy with an Edge to see what's on, when. http://tv.yahoo.com/collections/222 From wart at kobold.org Mon Sep 10 18:01:02 2007
From: wart at kobold.org (Michael Thomas) Date: Mon, 10 Sep 2007 11:01:02 -0700 Subject: Labelling a new port In-Reply-To: <5C09E8E7-0EC3-4A8F-A969-600C0691D72B@sf-net.com> References: <7312DE97-0B10-4674-AD51-0EBD7875A4FA@sf-net.com> <46E06EC1.4050505@kobold.org> <5C09E8E7-0EC3-4A8F-A969-600C0691D72B@sf-net.com> Message-ID: <46E5865E.80900@kobold.org> Stefan Schulze Frielinghaus wrote: > > On 06.09.2007, at 23:18, Michael Thomas wrote: > >> Stefan Schulze Frielinghaus wrote: >>> You can add ports via semanage e.g. "semanage port -a -t memcached_port_t >>> -p tcp 11211" >>> >>> see semanage(8) for more details >>> >>> PS: you need to declare the type in your policy before executing the >>> command. look at modules/kernel/corenetwork.te for some examples >>> >>> On 06.09.2007, at 18:43, Konstantin Ryabitsev wrote: >>> >>>> Hello, all: >>>> >>>> I'm trying to write a policy for memcached, but I'm not sure how I'd >>>> declare a new memcached_port_t (11211/tcp). Any pointers? >> >> If you want to manage the port for a daemon that is started/stopped via >> an init script, then the best place to put the 'semanage port -a ...' >> command is in the init script itself. This will ensure that the port >> definition is set and removed when the daemon starts/stops. Putting it >> in the spec file and running at package install time is not enough >> because I don't believe that the semanage'd ports persist after a reboot. >> >> start() { >> ... >> if selinuxenabled ; then >> /usr/sbin/semanage port -a -t memcached_port_t -p tcp 11211 >> &>/dev/null || : >> fi >> ... >> } >> >> stop() { >> ... >> if selinuxenabled ; then >> /usr/sbin/semanage port -d -t memcached_port_t -p tcp 11211 >> &>/dev/null || : >> fi >> ... >> } > > What additional security benefit should this bring if you add and remove > the port type via an init script? On the contrary I think this harms > rather than hardens the system.
Because if you remove the port type by > running the init script with the stop option every application with > network access can now send data over this port (with no further allow > statements). But if you would have left the port type no application with > additional allow statements on port xyz could send data over this port. > In the end you could trust that data sooner. You make a good argument: removing the port may not be necessary. But you should still add the port in the init script. If selinux is disabled when the package is installed then the port won't get added, because 'semanage port -a' will fail. If the admin later enables selinux then the port won't have the proper label and the service will fail when using the port. --Wart From ftaylor at redhat.com Tue Sep 11 22:08:26 2007 From: ftaylor at redhat.com (Forrest Taylor) Date: Tue, 11 Sep 2007 16:08:26 -0600 Subject: My first policy (memcached) In-Reply-To: References: Message-ID: <1189548506.5198.34.camel@localhost.localdomain> On Fri, 2007-09-07 at 20:00 -0400, Konstantin Ryabitsev wrote: > Hello, all: > > I'm finally done with my very first selinux policy, and I would much > appreciate if some of you could look over it to see if it's sane. > Found here: > > http://icon.fedorapeople.org/f/memcached/memcached.te > http://icon.fedorapeople.org/f/memcached/memcached.fc > > Nothing in the .if file. For reference, there's a .spec and daemon > init files in the same directory > > Any comments or improvement suggestions would be gratefully welcomed! Looks nice. I don't have a clue what memcached is supposed to do to verify the security aspect, but the .te and .fc files look good. Forrest From olivares14031 at yahoo.com Wed Sep 12 13:13:59 2007
From: olivares14031 at yahoo.com (Antonio Olivares) Date: Wed, 12 Sep 2007 06:13:59 -0700 (PDT) Subject: denied avc for wine Message-ID: <201200.48551.qm@web52601.mail.re2.yahoo.com> Finally, the denied avc for wine appeared. Wine started working yesterday and it is running now and here is the avc denial for it. Summary SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write" to (wine_t). Detailed Description SELinux denied access requested by /usr/bin/Xorg. It is not expected that this access is required by /usr/bin/Xorg and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. 
Additional Information Source Context system_u:system_r:xdm_xserver_t:SystemLow- SystemHigh Target Context system_u:system_r:wine_t Target Objects None [ shm ] Affected RPM Packages xorg-x11-server-Xorg-1.3.0.0-23.fc8 [application] Policy RPM selinux-policy-3.0.7-10.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall Host Name localhost Platform Linux localhost 2.6.23-0.174.rc6.fc8 #1 SMP Tue Sep 11 19:06:17 EDT 2007 i686 athlon Alert Count 2 First Seen Wed 12 Sep 2007 08:10:49 AM CDT Last Seen Wed 12 Sep 2007 08:10:49 AM CDT Local ID 8b5115b9-d7d8-40de-8f2b-5ffb7e7ecfb7 Line Numbers Raw Audit Messages avc: denied { unix_read, unix_write } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2440 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm tcontext=system_u:system_r:wine_t:s0 tty=tty7 uid=0 Please advise on how to deal with this. I was quiet and using another computer but now since wine started working I came back to it and I saw this. Thanks, Antonio ____________________________________________________________________________________ Yahoo! oneSearch: Finally, mobile search that gives answers, not web links. http://mobile.yahoo.com/mobileweb/onesearch?refer=1ONXIC From dwalsh at redhat.com Wed Sep 12 14:18:17 2007
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 12 Sep 2007 10:18:17 -0400 Subject: My first policy (memcached) In-Reply-To: References: Message-ID: <46E7F529.7050104@redhat.com> Konstantin Ryabitsev wrote: > Hello, all: > > I'm finally done with my very first selinux policy, and I would much > appreciate if some of you could look over it to see if it's sane. > Found here: > > http://icon.fedorapeople.org/f/memcached/memcached.te > http://icon.fedorapeople.org/f/memcached/memcached.fc > > Nothing in the .if file. For reference, there's a .spec and daemon > init files in the same directory > > Any comments or improvement suggestions would be gratefully welcomed! > > Cheers, Looks good, I think you will need some interfaces though. rpm -qi memcached ... Description : memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. Do web applications communicate with this daemon over the network port? Please submit to upstream for approval, then let's get it into Fedora. From icon at fedoraproject.org Wed Sep 12 14:22:42 2007
From: icon at fedoraproject.org (Konstantin Ryabitsev) Date: Wed, 12 Sep 2007 10:22:42 -0400 Subject: My first policy (memcached) In-Reply-To: <46E7F529.7050104@redhat.com> References: <46E7F529.7050104@redhat.com> Message-ID: On 9/12/07, Daniel J Walsh wrote: > Do web applications communicate with this daemon over the network port? Yes, normally via tcp. I don't think they actually use unix sockets. What kind of interface(s) would be useful for that? > Please submit to upstream for approval, Then lets get it into fedora. By upstream, do you mean the packager, or the very upstream? -- Konstantin Ryabitsev Montréal, Québec From olivares14031 at yahoo.com Wed Sep 12 15:37:12 2007
From: olivares14031 at yahoo.com (Antonio Olivares) Date: Wed, 12 Sep 2007 08:37:12 -0700 (PDT) Subject: maxima fails to load because of selinux, other things happening Message-ID: <129801.49492.qm@web52610.mail.re2.yahoo.com> Dear all, I am having difficulties with maxima because of selinux. Other denied avcs have been corrected by following the troubleshooter's advice. avc: denied { create } for comm="newaliases" egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=-13 fsgid=51 fsuid=0 gid=0 items=0 name="aliases.db" pid=7643 scontext=system_u:system_r:sendmail_t:s0 sgid=51 subj=system_u:system_r:sendmail_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_aliases_t:s0 tty=(none) uid=0 restorecon -v aliases.db [olivares at localhost ~]$ su - Password: [root at localhost ~]# restorecon -v aliases.db restorecon: stat error on aliases.db: No such file or directory [root at localhost ~]# avc: denied { execmem } for comm="mplayer" egid=500 euid=500 exe="/usr/local/bin/mplayer" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=3151 scontext=system_u:system_r:unconfined_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500 [root at localhost ~]# chcon -t unconfined_execmem_exec_t /usr/local/bin/mplayer [root at localhost ~]# semanage fcontext -a -t unconfined_execmem_exec_t /usr/local/bin/mplayer [root at localhost ~]# [olivares at localhost ~]$ maxima & [1] 3834 [olivares at localhost ~]$ xmaxima & [2] 3859 [1] Segmentation fault maxima [olivares at localhost ~]$ su - Password: [root at localhost ~]# chcon -t unconfined_execmem_exec_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root at localhost ~]# semanage fcontext -a -t unconfined_execmem_exec_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root at localhost ~]# chcon -t unconfined_execmem_exec_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root at localhost ~]# [root at localhost ~]# chcon -t textrel_shlib_t
/usr/lib/maxima/5.13.0/binary-gcl/maxima [root at localhost ~]# semanage fcontext -a -t textrel_shlib_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root at localhost ~]# Did not work so I filed a bug report: https://bugzilla.redhat.com/show_bug.cgi?id=287761 Regards, Antonio ____________________________________________________________________________________ Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online. http://smallbusiness.yahoo.com/webhosting From selinux at gmail.com Wed Sep 12 16:18:18 2007 
From: selinux at gmail.com (Tom London)
Date: Wed, 12 Sep 2007 09:18:18 -0700
Subject: cups/snmpd_var_lib_t
Message-ID: <4c4ba1530709120918oe0682ffjb1877b98d3ba648b@mail.gmail.com>

Got this when printing:

Summary
    SELinux is preventing /usr/lib/cups/backend/hp (cupsd_t) "getattr" to /usr/share/snmp/mibs/.index (snmpd_var_lib_t).

Detailed Description
    SELinux denied access requested by /usr/lib/cups/backend/hp. It is not expected that this access is required by /usr/lib/cups/backend/hp and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/share/snmp/mibs/.index,

    restorecon -v /usr/share/snmp/mibs/.index

    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context                system_u:object_r:snmpd_var_lib_t
Target Objects                /usr/share/snmp/mibs/.index [ file ]
Affected RPM Packages         hplip-2.7.7-4.fc8 [application]
Policy RPM                    selinux-policy-3.0.7-10.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23-0.174.rc6.fc8 #1 SMP Tue Sep 11 19:06:17 EDT 2007 i686 i686
Alert Count                   4
First Seen                    Wed 12 Sep 2007 09:09:26 AM PDT
Last Seen                     Wed 12 Sep 2007 09:11:38 AM PDT
Local ID                      147ebf61-d964-48b7-b572-befcad9e1411
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=hp dev=dm-0 egid=7 euid=4 exe=/usr/lib/cups/backend/hp exit=-13 fsgid=7 fsuid=4 gid=7 items=0 path=/usr/share/snmp/mibs/.index pid=6246 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file tcontext=system_u:object_r:snmpd_var_lib_t:s0 tty=(none) uid=4

-- 
Tom London

From filter at stevenstromer.com Wed Sep 12 19:44:53 2007
From: filter at stevenstromer.com (Steven Stromer)
Date: Wed, 12 Sep 2007 15:44:53 -0400
Subject: Error: setroubleshootd dead but subsys locked
Message-ID: <46E841B5.7070102@stevenstromer.com>

Had a strange, and as yet unexplained, 'event' (I wasn't in front of the machine when things went weird) that took place while a system was left running a large rsync over ssh. On returning, a majority of the directories under /var vanished, and a number of services refused to start after a reboot, including auditd, nfsd, system message bus, hpiod, hpssd, mysql, syslogd, httpd, sm-client, and setroubleshootd.

In the cases of most of these services, there seemed to be problems either with orphaned /var/run/*.pid files, or with orphaned /var/lock/subsys/* lock files. Also, many services were reporting 'subsys locked'. Deleting orphaned files, followed by relabeling the filesystem selinux permissions did the trick, with relabeling being the key to getting things going again. Debugging was made more challenging by the fact that I had no logs to refer to.

Now, almost all seems well, but I can't get setroubleshootd to start unless I select 'setroubleshootd_disable_trans'. Without this checked, setroubleshootd seems to start, but then fails:

[root@file1 subsys]# rm setroubleshootd
rm: remove regular empty file `setroubleshootd'? y
[root@file1 subsys]# service setroubleshoot status
setroubleshootd is stopped
[root@file1 subsys]# service setroubleshoot start
Starting setroubleshootd:                                  [  OK  ]
[root@file1 subsys]# service setroubleshoot status
setroubleshootd dead but subsys locked

Attempting to run setroubleshoot generates the error:

'attempt to open server connection failed: (2, 'No such file or directory')

Since someone might ask about permissions:

[root@file1 subsys]# ls -laRZ /var/log | grep setroubleshoot
drwxr-xr-x  root root system_u:object_r:setroubleshoot_var_log_t setroubleshoot
/var/log/setroubleshoot:
drwxr-xr-x  root root system_u:object_r:setroubleshoot_var_log_t .
-rw-r--r--  root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log
-rw-r--r--  root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.1
-rw-r--r--  root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.2

Can anyone explain why setroubleshootd_disable_trans should need to be selected? Also, since this entire event seems to have close ties to selinux, would anyone have an idea what might have happened to this system?

Thanks for any ideas; it's been a long day...

Steven Stromer

From selinux at gmail.com Wed Sep 12 20:00:44 2007
From: selinux at gmail.com (Tom London)
Date: Wed, 12 Sep 2007 13:00:44 -0700
Subject: funny AVC from virt-manager
Message-ID: <4c4ba1530709121300v182dc84bh7f912d7690944540@mail.gmail.com>

Running latest rawhide.

If I try to 'run/open' a kvm virtual machine using virt-manager, I get the following AVC:

type=AVC msg=audit(1189626420.012:34): avc: denied { execmem } for pid=8603 comm="/usr/share/virt" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1189626420.012:34): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1000000 a2=7 a3=121 items=0 ppid=8602 pid=8603 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="/usr/share/virt" exe="/usr/bin/python" subj=system_u:system_r:unconfined_t:s0 key=(null)

Notice the reference to '/usr/share/virt'. This doesn't exist (but /usr/share/virt-manager does exist).

Ignoring the evident problem with virt-manager, any idea why the 'audit trail' would appear to be messed up?

tom
-- 
Tom London

From jdennis at redhat.com Wed Sep 12 20:20:50 2007
From: jdennis at redhat.com (John Dennis)
Date: Wed, 12 Sep 2007 16:20:50 -0400
Subject: Error: setroubleshootd dead but subsys locked
In-Reply-To: <46E841B5.7070102@stevenstromer.com>
References: <46E841B5.7070102@stevenstromer.com>
Message-ID: <1189628450.9569.6.camel@finch.boston.redhat.com>

On Wed, 2007-09-12 at 15:44 -0400, Steven Stromer wrote:
> Had a strange, and as yet unexplained, 'event' (I wasn't in front of the
> machine when things went weird) that took place while a system was left
> running a large rsync over ssh. On returning, a majority of the
> directories under /var vanished, and a number of services refused to
> start after a reboot, including auditd, nfsd, system message bus, hpiod,
> hpssd, mysql, syslogd, httpd, sm-client, and setroubleshootd.
>
> In the cases of most of these services, there seemed to be problems
> either with orphaned /var/run/*.pid files, or with orphaned
> /var/lock/subsys/* lock files. Also, many services were reporting
> 'subsys locked'. Deleting orphaned files, followed by relabeling the
> filesystem selinux permissions did the trick, with relabeling being the
> key to getting things going again. Debugging was made more challenging
> by the fact that I had no logs to refer to.
>
> Now, almost all seems well, but I can't get setroubleshootd to start
> unless I select 'setroubleshootd_disable_trans'. Without this checked,
> setroubleshootd seems to start, but then fails:
>
> [root@file1 subsys]# rm setroubleshootd
> rm: remove regular empty file `setroubleshootd'? y
> [root@file1 subsys]# service setroubleshoot status
> setroubleshootd is stopped
> [root@file1 subsys]# service setroubleshoot start
> Starting setroubleshootd:                                  [  OK  ]
> [root@file1 subsys]# service setroubleshoot status
> setroubleshootd dead but subsys locked
>
> Attempting to run setroubleshoot generates the error:
>
> 'attempt to open server connection failed: (2, 'No such file or directory')
>
> Since someone might ask about permissions:
>
> [root@file1 subsys]# ls -laRZ /var/log | grep setroubleshoot
> drwxr-xr-x  root root system_u:object_r:setroubleshoot_var_log_t setroubleshoot
> /var/log/setroubleshoot:
> drwxr-xr-x  root root system_u:object_r:setroubleshoot_var_log_t .
> -rw-r--r--  root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log
> -rw-r--r--  root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.1
> -rw-r--r--  root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.2
>
> Can anyone explain why setroubleshootd_disable_trans should need to be
> selected? Also, since this entire event seems to have close ties to
> selinux, would anyone have an idea what might have happened to this system?
>
> Thanks for any ideas; it's been a long day...
>
> Steven Stromer

You didn't say what OS version you're running :-) This looks a lot like known problems in rawhide (fedora development). If you are running rawhide then do you have the latest selinux-policy rpm installed? The latest audit?

If setroubleshoot still does not start please look for errors in /var/log/setroubleshoot/setroubleshootd.log

BTW, setroubleshoot failing to start will not harm your system in any manner nor is it likely to have been the cause of any of your previous problems.

-- 
John Dennis

From wart at kobold.org Wed Sep 12 21:09:44 2007
From: wart at kobold.org (Michael Thomas)
Date: Wed, 12 Sep 2007 14:09:44 -0700
Subject: Nagios Web Interface and SELinux
In-Reply-To: <46D5F51E.20206@kobold.org>
References: <8719b8230612031148x69f8ba99q2d75173b5468733e@mail.gmail.com> <457451D6.9050209@redhat.com> <46D5F51E.20206@kobold.org>
Message-ID: <46E85598.5020403@kobold.org>

I've been seeing two other avc denials running nagios on RHEL5. As far as I can tell, they don't appear to be causing any problems in the application itself, and can probably be dontaudit'd:

type=AVC msg=audit(1189631147.313:467272): avc: denied { read write } for pid=14940 comm="status.cgi" name="[13034671]" dev=sockfs ino=13034671 scontext=user_u:system_r:nagios_cgi_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1189631147.514:467273): avc: denied { read } for pid=14972 comm="ping" name="nagios.cmd" dev=dm-0 ino=52887564 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:var_spool_t:s0 tclass=fifo_file

--Wart

From filter at stevenstromer.com Wed Sep 12 22:57:48 2007
From: filter at stevenstromer.com (Steven Stromer)
Date: Wed, 12 Sep 2007 18:57:48 -0400
Subject: Error: setroubleshootd dead but subsys locked
In-Reply-To: <1189628450.9569.6.camel@finch.boston.redhat.com>
References: <46E841B5.7070102@stevenstromer.com> <1189628450.9569.6.camel@finch.boston.redhat.com>
Message-ID: <19E1D5BB-DBB8-43AE-85F5-802BD64C0BCB@stevenstromer.com>

>> Had a strange, and as yet unexplained, 'event' (I wasn't in front of the
>> machine when things went weird) that took place while a system was left
>> running a large rsync over ssh. On returning, a majority of the
>> directories under /var vanished, and a number of services refused to
>> start after a reboot, including auditd, nfsd, system message bus, hpiod,
>> hpssd, mysql, syslogd, httpd, sm-client, and setroubleshootd.
>>
>> In the cases of most of these services, there seemed to be problems
>> either with orphaned /var/run/*.pid files, or with orphaned
>> /var/lock/subsys/* lock files. Also, many services were reporting
>> 'subsys locked'. Deleting orphaned files, followed by relabeling the
>> filesystem selinux permissions did the trick, with relabeling being the
>> key to getting things going again. Debugging was made more challenging
>> by the fact that I had no logs to refer to.
>>
>> Now, almost all seems well, but I can't get setroubleshootd to start
>> unless I select 'setroubleshootd_disable_trans'. Without this checked,
>> setroubleshootd seems to start, but then fails:
>>
>> [root@file1 subsys]# rm setroubleshootd
>> rm: remove regular empty file `setroubleshootd'? y
>> [root@file1 subsys]# service setroubleshoot status
>> setroubleshootd is stopped
>> [root@file1 subsys]# service setroubleshoot start
>> Starting setroubleshootd:                                  [  OK  ]
>> [root@file1 subsys]# service setroubleshoot status
>> setroubleshootd dead but subsys locked
>>
>> Attempting to run setroubleshoot generates the error:
>>
>> 'attempt to open server connection failed: (2, 'No such file or directory')
>>
>> Since someone might ask about permissions:
>>
>> [root@file1 subsys]# ls -laRZ /var/log | grep setroubleshoot
>> drwxr-xr-x  root root system_u:object_r:setroubleshoot_var_log_t setroubleshoot
>> /var/log/setroubleshoot:
>> drwxr-xr-x  root root system_u:object_r:setroubleshoot_var_log_t .
>> -rw-r--r--  root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log
>> -rw-r--r--  root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.1
>> -rw-r--r--  root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.2
>>
>> Can anyone explain why setroubleshootd_disable_trans should need to be
>> selected? Also, since this entire event seems to have close ties to
>> selinux, would anyone have an idea what might have happened to this system?
>>
>> Thanks for any ideas; it's been a long day...
>>
>> Steven Stromer
>
> You didn't say what OS version you're running :-) This looks a lot like
> known problems in rawhide (fedora development). If you are running
> rawhide then do you have the latest selinux-policy rpm install? The
> latest audit?

Thanks for the reply. I am running FC6, 2.6.22.4-45.fc6. I'm on the standard FC6 path, not development, though I'd be really interested to see any documentation regarding the 'known problems in rawhide'. Unless the system faulted and restarted, activating package updates that had not yet witnessed a reboot, I can't see how any updates were applied.

As far as policy and audit packages, I have:

selinux-policy.noarch           2.4.6-80.fc6    installed
selinux-policy-targeted.noarch  2.4.6-80.fc6    installed
audit.i386                      1.4.2-5.fc6     installed
audit-libs.i386                 1.4.2-5.fc6     installed
audit-libs-python.i386          1.4.2-5.fc6     installed

> If setroubleshoot still does not start please look for errors
> in /var/log/setroubleshoot/setroubleshootd.log

At present setroubleshootd logs are entirely empty. /var/logs was wiped during the 'event' and my backups of these files were also empty.

> BTW, setroubleshoot failing to start will not harm your system in any
> manner nor would it likely to have been the cause of any of your
> previous problems.

This I know. It is the last little consequence of a much larger issue. I am honestly more concerned with why so many directories and files disappeared from /var (despite the fact that I have no disk errors) and why selinux permissions had to be changed to get things that were working previously to be able to work again.

Any further leads would be VERY much appreciated!

> --
> John Dennis

From olivares14031 at yahoo.com Wed Sep 12 23:32:09 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 12 Sep 2007 16:32:09 -0700 (PDT)
Subject: selinux denies wine and xorg
Message-ID: <115791.58597.qm@web52612.mail.re2.yahoo.com>

https://bugzilla.redhat.com/show_bug.cgi?id=288671

Just following the advice given here:

Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Summary
    SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write" to (wine_t).

Detailed Description
    SELinux denied access requested by /usr/bin/Xorg. It is not expected that this access is required by /usr/bin/Xorg and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                system_u:system_r:xdm_xserver_t:SystemLow-SystemHigh
Target Context                system_u:system_r:wine_t
Target Objects                None [ shm ]
Affected RPM Packages         xorg-x11-server-Xorg-1.3.0.0-23.fc8 [application]
Policy RPM                    selinux-policy-3.0.7-10.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost
Platform                      Linux localhost 2.6.23-0.174.rc6.fc8 #1 SMP Tue Sep 11 19:06:17 EDT 2007 i686 athlon
Alert Count                   4
First Seen                    Wed 12 Sep 2007 08:10:49 AM CDT
Last Seen                     Wed 12 Sep 2007 06:23:24 PM CDT
Local ID                      8b5115b9-d7d8-40de-8f2b-5ffb7e7ecfb7
Line Numbers

Raw Audit Messages

avc: denied { unix_read, unix_write } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2447 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm tcontext=system_u:system_r:wine_t:s0 tty=tty7 uid=0

From ltamas at gytk.sote.hu Thu Sep 13 11:27:08 2007
From: ltamas at gytk.sote.hu (Ludman Tamás)
Date: Thu, 13 Sep 2007 13:27:08 +0200
Subject: Squirrelmail_disk_quota_plugin
Message-ID: <46E91E8C.5020109@gytk.sote.hu>

Hi all,

Sorry for my bad English, I hope you understand my problem.

I would like to use Squirrelmail's plugin quota_check, but SELinux doesn't allow this...

"...disk quota plugin: Uses the *nix quota binary as wwwquota to get information about and show the disk quota usage of the user logged in. It incorporates Flash movies to display more attractive and interactive information. ..."

I tried these:

[root@modules]# cat /var/log/audit/audit.log | audit2allow -m local > local
[root@modules]# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local.mod
[root@modules]# semodule_package -o local.pp -m local.mod
[root@modules]# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t s
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed

and I tried with another, but the result is the same as above:

# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp

______________________________________________
in my audit.log:
....
type=AVC msg=audit(1189681628.573:13563): avc: denied { read } for pid=31798 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681628.573:13564): avc: denied { write } for pid=31798 comm="sudo" name="log" dev=tmpfs ino=11165 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1189681697.332:13578): avc: denied { read } for pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.332:13579): avc: denied { getattr } for pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.334:13580): avc: denied { write } for pid=31845 comm="sudo" name="log" dev=tmpfs ino=11165 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1189681697.334:13580): avc: denied { sendto } for pid=31845 comm="sudo" name="log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1189681704.450:13587): avc: denied { read } for pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681704.450:13588): avc: denied { getattr } for pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681776.487:13607): avc: denied { search } for pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1189681776.489:13608): avc: denied { getattr } for pid=31945 comm="wwwquota" name="md6" dev=tmpfs ino=7380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1189681776.490:13609): avc: denied { quotaget } for pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1189681826.629:13630): avc: denied { search } for pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1189681826.631:13631): avc: denied { getattr } for pid=31975 comm="wwwquota" name="md6" dev=tmpfs ino=7380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1189681826.632:13632): avc: denied { quotaget } for pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
.....
______________________________________________
in my /etc/sudoers:
...
apache ALL=NOPASSWD: /usr/bin/wwwquota -v [A-z]*
...
______________________________________________
in my /etc/selinux/config:
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
______________________________________________
My system is: Fedora Core 6, kernel 2.6.22.2-42.fc6

libselinux.i386                 1.33.4-2.fc6
libselinux-devel.i386           1.33.4-2.fc6
selinux-policy.noarch           2.4.6-80.fc6
selinux-policy-devel.noarch     2.4.6-80.fc6
selinux-policy-mls.noarch       2.4.6-80.fc6
selinux-policy-strict.noarch    2.4.6-80.fc6
selinux-policy-targeted.noarch  2.4.6-80.fc6

What can I do?

Thanks a lot, everybody.

LT

From torbjorn.lindahl at gmail.com Thu Sep 13 13:16:46 2007
From: torbjorn.lindahl at gmail.com (Torbjørn Lindahl)
Date: Thu, 13 Sep 2007 15:16:46 +0200
Subject: more fine grained access in /etc
Message-ID: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com>

Hello,

I am writing an application that I want to limit using selinux. audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts - which doesn't seem too unreasonable, however both these have type etc_t, and allowing myapp_t to read etc_t would also give it access to for example /etc/passwd, which I do not want.

Do I have to invent a new type for these two files to be able to keep my application from the other etc_t files in /etc?

-- 
Regards,
Torbjørn Lindahl

From tmz at pobox.com Thu Sep 13 16:21:32 2007
From: tmz at pobox.com (Todd Zullinger)
Date: Thu, 13 Sep 2007 12:21:32 -0400
Subject: Error: setroubleshootd dead but subsys locked
In-Reply-To: <1189628450.9569.6.camel@finch.boston.redhat.com>
References: <46E841B5.7070102@stevenstromer.com> <1189628450.9569.6.camel@finch.boston.redhat.com>
Message-ID: <20070913162132.GC19611@psilocybe.teonanacatl.org>

John,

John Dennis wrote:
> You didn't say what OS version you're running :-) This looks a lot
> like known problems in rawhide (fedora development). If you are
> running rawhide then do you have the latest selinux-policy rpm
> install? The latest audit?

I've seen a very similar problem as Steven on F-7 with setroubleshoot 1.10.1-1.fc7 from updates-testing. I noted it in bodhi a few days ago (I'm not sure if bodhi copies you on comments made there or not).

https://admin.fedoraproject.org/updates/testing/F7/setroubleshoot-1.10.1-1.fc7

> If setroubleshoot still does not start please look for errors
> in /var/log/setroubleshoot/setroubleshootd.log

The error I get is:

[rpc.ERROR] exception DBusException: org.freedesktop.DBus.Error.AccessDenied: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied

I don't know if that's the same thing Steven is seeing or not. For now, I've reverted to setroubleshoot-1.9.4-2.fc7.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is OK to let your mind go blank, but please turn off the sound.

From olivares14031 at yahoo.com Thu Sep 13 22:42:01 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 13 Sep 2007 15:42:01 -0700 (PDT)
Subject: hald denied avcs for Fedora Core 6
Message-ID: <607733.20058.qm@web52607.mail.re2.yahoo.com>

Dear all,

I am getting the following denied avcs for hald upon startup/shutdown. The selinux policy is up to date, how can I fix this? There is no troubleshooter like in fedora 7 which suggests a fix.

audit(1189722647.486:4): avc: denied { use } for pid=3098 comm="hald" name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
audit(1189722647.487:5): avc: denied { use } for pid=3098 comm="hald" name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
audit(1189722647.488:6): avc: denied { use } for pid=3098 comm="hald" name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd

[olivares@localhost ~]$ rpm -qa selinux*
selinux-policy-2.4.6-80.fc6
selinux-policy-targeted-2.4.6-80.fc6
[olivares@localhost ~]$

Thanks,

Antonio

From filter at stevenstromer.com Wed Sep 12 14:20:18 2007
From: filter at stevenstromer.com (Steven Stromer)
Date: Wed, 12 Sep 2007 10:20:18 -0400
Subject: Error: setroubleshootd dead but subsys locked (Repost)
Message-ID:

From filter at stevenstromer.com Tue Sep 11 23:55:30 2007
From: filter at stevenstromer.com (Steven Stromer)
Date: Tue, 11 Sep 2007 19:55:30 -0400
Subject: Error: setroubleshootd dead but subsys locked
Message-ID:

From goeran at uddeborg.se Sun Sep 16 20:42:13 2007
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sun, 16 Sep 2007 22:42:13 +0200
Subject: Write denied, but no write attempted!?!
Message-ID: <18157.38181.477566.553015@mimmi.uddeborg.se>

I'm using xdm rather than gdm. SELinux prevents /sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log (var_log_t). It happens once every time someone logs in or out. See the attached mail from SETroubleshoot for an example.

To understand what is going on, I tried to strace the processes. But pam_console_apply doesn't attempt to write anything at all! See the attached (compressed) strace from pid 4480, the process mentioned in the SETroubleshoot mail.

Xdm has stderr pointing to /var/log/xdm.log, so it's not unlikely that the open fd is inherited by pam_console_apply. But if the inheritance itself was disallowed, wouldn't it be a "use" that would be denied by SELinux rather than a "write"?

What am I missing?

(The system is not up-to-date. It is possible this message would go away with an upgrade. I'm not looking for a way to get rid of the message here, I'm trying to understand what is going on.)
From: SELinux_Troubleshoot at freddi.uddeborg.se Subject: [SELinux AVC Alert] SELinux is preventing /sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log (var_log_t). Date: Sun, 16 Sep 2007 20:11:10 -0000 Size: 10996 URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: #xdm.4480.bz2 Type: application/octet-stream Size: 10447 bytes Desc: Strace of pam_cansole_apply URL: From sds at tycho.nsa.gov Mon Sep 17 13:16:58 2007 
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 17 Sep 2007 09:16:58 -0400
Subject: Write denied, but no write attempted!?!
In-Reply-To: <18157.38181.477566.553015@mimmi.uddeborg.se>
References: <18157.38181.477566.553015@mimmi.uddeborg.se>
Message-ID: <1190035018.4034.19.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2007-09-16 at 22:42 +0200, Göran Uddeborg wrote:
> I'm using xdm rather than gdm. SELinux prevents
> /sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log
> (var_log_t). It happens once every time someone logs in or out. See
> the attached mail from SETroubleshoot for an example.
>
> To understand what is going on, I tried to strace the processes. But
> pam_console_apply doesn't attempt to write anything at all! See the
> attached (compressed) strace from pid 4480, the process mentioned in
> the SETroubleshoot mail.
>
> Xdm has stderr pointing to /var/log/xdm.log, so it's not unlikely that
> the open fd is inherited by pam_console_apply. But if the inheritance
> itself was disallowed, wouldn't it be a "use" that would be denied by
> SELinux rather than a "write"?
>
> What am I missing?
>
> (The system is not up-to-date. It is possible this message would go
> away with an upgrade. I'm not looking for a way to get rid of the
> message here, I'm trying to understand what is going on.)

SELinux rechecks access to open files upon execve if the security context of the process is changing, and when descriptors are passed across local IPC. That revalidation includes both the fd use check (can the process use an open file description created by another security context, potentially communicating/interfering with that context by means of the open file's seek pointer and flags) and the file read/write checks (can the process access the file in a manner consistent with the open file description).

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon Sep 17 20:56:58 2007
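A small added demonstration of the inheritance Stephen describes, written for this archive and not taken from the thread or from xdm, webmin or any other project named in it. The child below never names or opens the log file, yet at exec it already holds a writable descriptor to it, which is exactly what the "write" recheck on the new domain looks at; a second function shows the write landing in the parent's log, and a third shows the launcher-side mitigation of giving the child its own stderr. Script and file names are constructed.

```python
import os
import subprocess
import sys
import tempfile

# Added example (not from the list thread): a child process holds a writable
# descriptor to a log file it never opened, because the parent pointed its own
# stderr there before exec. This is the situation behind xdm -> pam_console_apply
# and webmin -> iptables: the child makes no write() call, but at execve the new
# domain is checked for "write" on the file that fd 2 refers to.


def child_stderr_identity(log_path):
    """Spawn a child with stderr redirected to log_path and have it report the
    (st_dev, st_ino) of its fd 2. Returns True when that descriptor refers to
    log_path, i.e. the child inherited an open file description it never
    opened itself. The child performs no write at all."""
    child = "import os; st = os.fstat(2); print(st.st_dev, st.st_ino)"
    with open(log_path, "a") as log:
        out = subprocess.run(
            [sys.executable, "-c", child],
            stderr=log, stdout=subprocess.PIPE, check=True, text=True,
        ).stdout
    dev, ino = (int(x) for x in out.split())
    st = os.stat(log_path)
    return (dev, ino) == (st.st_dev, st.st_ino)


def child_writes_via_inherited_stderr(log_path, message):
    """Same setup, but the child writes to fd 2. Nothing in the child names
    log_path; the bytes land there purely through inheritance."""
    child = "import sys; sys.stderr.write(sys.argv[1]); sys.stderr.flush()"
    with open(log_path, "a") as log:
        subprocess.run([sys.executable, "-c", child, message],
                       stderr=log, check=True)
    with open(log_path) as log:
        return log.read()


def child_with_private_stderr(log_path, message):
    """Launcher-side mitigation: give the child its own stderr target instead
    of handing over the parent's log descriptor. Returns the parent's log
    contents, which the child could not have touched."""
    child = "import sys; sys.stderr.write(sys.argv[1])"
    open(log_path, "a").close()  # make sure the log exists for the read below
    subprocess.run([sys.executable, "-c", child, message],
                   stderr=subprocess.DEVNULL, check=True)
    with open(log_path) as log:
        return log.read()


def demo_log_path():
    """Constructed stand-in for /var/log/xdm.log: a fresh file in a temp dir."""
    return os.path.join(tempfile.mkdtemp(), "xdm.log")


def demo():
    """Run the three cases on one constructed log and return their results."""
    path = demo_log_path()
    inherited = child_stderr_identity(path)
    contents = child_writes_via_inherited_stderr(path, "child error output\n")
    untouched = child_with_private_stderr(path, "never reaches the log\n")
    return inherited, contents, untouched


if __name__ == "__main__":
    print(demo())
```

The first function is the one to keep in mind when reading an AVC like Göran's: strace of the child shows no write() because none happens, but the descriptor is there and the policy is asked whether the child's domain may write the file it points at.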
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 17 Sep 2007 16:56:58 -0400 Subject: hald denied avcs for Fedora Core 6 In-Reply-To: <607733.20058.qm@web52607.mail.re2.yahoo.com> References: <607733.20058.qm@web52607.mail.re2.yahoo.com> Message-ID: <46EEEA1A.2070206@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antonio Olivares wrote: > Dear all, > > I am getting the following denied avcs for hald upon startup/shutdown. The selinux policy is up to date, how can I fix this? There is no troubleshooter like in fedora 7 which suggests a fix. > > audit(1189722647.486:4): avc: denied { use } for pid=3098 comm="hald" name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd > audit(1189722647.487:5): avc: denied { use } for pid=3098 comm="hald" name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd > audit(1189722647.488:6): avc: denied { use } for pid=3098 comm="hald" name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd > > [olivares at localhost ~]$ rpm -qa selinux* > selinux-policy-2.4.6-80.fc6 > selinux-policy-targeted-2.4.6-80.fc6 > [olivares at localhost ~]$ > > > Thanks, > > Antonio > > > > > > ____________________________________________________________________________________ > Tonight's top picks. What will you watch tonight? Preview the hottest shows on Yahoo! TV. 
> http://tv.yahoo.com/
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-seli

grep hald /var/log/audit/audit.log | audit2allow -M myhald
semodule -i myhald.pp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG7uoarlYvE4MpobMRAqAvAKC7QJepCnpzmaI0TomdHCDxTQaaowCfSGf1
t5WTaOnECgeTrx+Gq+oivoU=
=Tt3r
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Mon Sep 17 21:04:06 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Sep 2007 17:04:06 -0400
Subject: Squirrelmail_disk_quota_plugin
In-Reply-To: <46E91E8C.5020109@gytk.sote.hu>
References: <46E91E8C.5020109@gytk.sote.hu>
Message-ID: <46EEEBC6.4070400@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ludman Tamás wrote:
> Hi all,
> sorry for my bad English, I hope you understand my problem.
> I would like to use Squirrelmail's plugin: quota_check, but SELinux
> doesn't allow this...
> "...disk quota plugin: Uses the *nix quota binary as wwwquota to get
> information about and show the disk quota usage of the user logged in.
> It incorporates Flash movies to display more attractive and interactive
> information. ..."
>
> I tried these:
> [root at modules]# cat /var/log/audit/audit.log | audit2allow -m local > local
> [root at modules]# checkmodule -M -m -o local.mod local.te
> checkmodule: loading policy configuration from local.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 6) to local.mod
> [root at modules]# semodule_package -o local.pp -m local.mod
> [root at modules]# semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t s
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
>
> and I tried with another, but the result is the same as above:
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i local.pp
>
> ______________________________________________
> in my audit.log:
> ....
> > type=AVC msg=audit(1189681628.573:13563): avc: denied { read } for > pid=31798 comm="sudo" name="shadow" dev=md8 ino=1949004 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:shadow_t:s0 tclass=file > type=AVC msg=audit(1189681628.573:13564): avc: denied { write } for > pid=31798 comm="sudo" name="log" dev=tmpfs ino=11165 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:device_t:s0 tclass=sock_file > type=AVC msg=audit(1189681697.332:13578): avc: denied { read } for > pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:shadow_t:s0 tclass=file > type=AVC msg=audit(1189681697.332:13579): avc: denied { getattr } for > pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:shadow_t:s0 tclass=file > type=AVC msg=audit(1189681697.334:13580): avc: denied { write } for > pid=31845 comm="sudo" name="log" dev=tmpfs ino=11165 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:device_t:s0 tclass=sock_file > type=AVC msg=audit(1189681697.334:13580): avc: denied { sendto } for > pid=31845 comm="sudo" name="log" scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket > type=AVC msg=audit(1189681704.450:13587): avc: denied { read } for > pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:shadow_t:s0 tclass=file > type=AVC msg=audit(1189681704.450:13588): avc: denied { getattr } for > pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:shadow_t:s0 tclass=file > type=AVC msg=audit(1189681776.487:13607): avc: denied { search } for > pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir > type=AVC msg=audit(1189681776.489:13608): 
avc: denied { getattr } for > pid=31945 comm="wwwquota" name="md6" dev=tmpfs ino=7380 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file > type=AVC msg=audit(1189681776.490:13609): avc: denied { quotaget } > for pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem > type=AVC msg=audit(1189681826.629:13630): avc: denied { search } for > pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir > type=AVC msg=audit(1189681826.631:13631): avc: denied { getattr } for > pid=31975 comm="wwwquota" name="md6" dev=tmpfs ino=7380 > scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file > type=AVC msg=audit(1189681826.632:13632): avc: denied { quotaget } > for pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:fs_t:s0 tclass=filesystem > > ..... > ______________________________________________ > > in my /etc/sudoers: > ... > apache ALL=NOPASSWD: /usr/bin/wwwquota -v [A-z]* > ... > ______________________________________________ > in my /etc/selinux/config: > > SELINUX=enforcing > SELINUXTYPE=targeted > SETLOCALDEFS=0 > ______________________________________________ > > My system is: > Fedora Core 6, kernel 2.6.22.2-42.fc6 > libselinux.i386 1.33.4-2.fc6 > libselinux-devel.i386 1.33.4-2.fc6 > selinux-policy.noarch 2.4.6-80.fc6 > selinux-policy-devel.noarch 2.4.6-80.fc6 > selinux-policy-mls.noarch 2.4.6-80.fc6 > selinux-policy-strict.noarch 2.4.6-80.fc6 > selinux-policy-targeted.noarch 2.4.6-80.fc6 > > What can I do? > > Thanx a lot, everybody. > > LT > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list The policy compiler is blocking you from reading shadow_t. 
Read this week's blog http://danwalsh.livejournal.com/12333.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG7uvGrlYvE4MpobMRAs6LAJ9P1fvq6pYQYuBt364WvXWfHFMMswCg0DsN
RekIfR2lfunBjjDSAfyLoOo=
=TlPz
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Mon Sep 17 21:06:55 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Sep 2007 17:06:55 -0400
Subject: more fine grained access in /etc
In-Reply-To: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com>
References: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com>
Message-ID: <46EEEC6F.3050200@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Torbjørn Lindahl wrote:
> Hello, I am writing an application that I want to limit using selinux.
>
> audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
> which doesn't seem too unreasonable, however both these have types etc_t,
> and allowing myapp_t to read etc_t would also give it access to for example
> /etc/passwd, which I do not want.
>
> Do I have to invent a new type for these two files to be able to keep my
> application from the other etc_t files in /etc ?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Yes you can, but the more different file_contexts that you have in /etc,
the harder they will be to maintain.

Reading /etc/passwd is not as dangerous as being able to read
/etc/shadow. So consider if this is really necessary.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG7uxvrlYvE4MpobMRAk+5AJ9UZPJZq++LfpMZMRyF62bvWCOTqQCgsdly
+DO1I81MDsGkD0L3p3RiV/4=
=WV5q
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Mon Sep 17 21:14:57 2007
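An added example for the hald and squirrelmail threads above; it is not code from the list, from audit2allow or from the reference policy. It parses AVC records of both shapes posted in those threads (the bare "audit(...)" form and the "type=AVC msg=audit(...)" form), folds them into the allow rules audit2allow would emit, and then runs them against a constructed stand-in for the kind of policy assertion that made semodule reject Tamás's module: the exempt domain list is illustrative only, not the reference policy's real neverallow. The point a practitioner wants from the output is that the httpd_t -> shadow_t rule is unloadable however it is generated, so the fix is to stop the access (here, sudo reading shadow from the web server's domain), not to allow it.

```python
import re
from collections import defaultdict

# Added example: parse AVC denials like the ones posted in the hald and
# squirrelmail threads, fold them into audit2allow-style allow rules, and
# flag rules that a policy assertion (neverallow) would reject.

# Sample records copied from the two threads above (constructed subset).
SAMPLE_AVCS = [
    'audit(1189722647.486:4): avc: denied { use } for pid=3098 comm="hald" '
    'name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=fd',
    'type=AVC msg=audit(1189681628.573:13563): avc: denied { read } for '
    'pid=31798 comm="sudo" name="shadow" dev=md8 ino=1949004 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1189681697.332:13579): avc: denied { getattr } for '
    'pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1189681628.573:13564): avc: denied { write } for '
    'pid=31798 comm="sudo" name="log" dev=tmpfs ino=11165 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1189681697.334:13580): avc: denied { sendto } for '
    'pid=31845 comm="sudo" name="log" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket',
    'type=AVC msg=audit(1189681776.487:13607): avc: denied { search } for '
    'pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir',
    'type=AVC msg=audit(1189681776.489:13608): avc: denied { getattr } for '
    'pid=31945 comm="wwwquota" name="md6" dev=tmpfs ino=7380 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1189681776.490:13609): avc: denied { quotaget } for '
    'pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return perms, comm, source type, target type and class for one AVC
    denial, or None if the line is not a denial or lacks the context fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        return {
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'stype': fields['scontext'].split(':')[2],   # user:role:TYPE:level
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
        }
    except (KeyError, IndexError):
        return None


def summarize(lines):
    """Fold denials into {(source type, target type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return dict(rules)


def allow_rules(lines):
    """Render the summary as allow rules in the form audit2allow emits."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, ' '.join(sorted(perms)))
        for (s, t, c), perms in sorted(summarize(lines).items())
    ]


# Constructed stand-in for the assertion that made semodule reject the module:
# reading shadow_t is reserved for a few password-handling domains. The exempt
# set is illustrative, not the reference policy's real neverallow.
ASSERTIONS = [
    ('read', 'shadow_t', 'file', frozenset({'passwd_t', 'chkpwd_t', 'useradd_t'})),
]


def assertion_violations(rules):
    """Return (source, target, class, perm) tuples an assertion forbids. Such a
    rule cannot be loaded however it is generated; the access has to stop."""
    hits = []
    for (s, t, c), perms in sorted(rules.items()):
        for perm, tt, tc, exempt in ASSERTIONS:
            if t == tt and c == tc and perm in perms and s not in exempt:
                hits.append((s, t, c, perm))
    return hits


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    print("assertion violations:", assertion_violations(summarize(SAMPLE_AVCS)))
```

Run on the sample above it yields seven rules; the one for hald_t on init_t:fd is the harmless kind audit2allow is good for, while the httpd_t/shadow_t rule is reported as a violation and would fail at semodule time in the same way Tamás's local.pp did.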
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Sep 2007 17:14:57 -0400
Subject: My first policy (memcached)
In-Reply-To:
References: <46E7F529.7050104@redhat.com>
Message-ID: <46EEEE51.9070103@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konstantin Ryabitsev wrote:
> On 9/12/07, Daniel J Walsh wrote:
>> Do web applications communicate with this daemon over the network port?
>
> Yes, normally via tcp. I don't think they actually use unix sockets.
> What kind of interface(s) would be useful for that?
>

You need to define a port type memcached_port_t:

type memcached_port_t;
port_type(memcached_port_t)

allow memcached_t memcached_port_t:tcp_socket name_bind;

Interfaces would be something like

interface(`memcached_port_connect', `
	gen_require(`
		type memcached_port_t;
	')
	allow $1 memcached_port_t:tcp_socket name_connect;
')

Finally you need to execute

semanage port -a -t memcached_port_t -p tcp 11211

>> Please submit to upstream for approval, Then lets get it into fedora.
>
> By upstream, do you mean the packager, or the very upstream?
>

Either. If the packager wants to ship it with his product all the better.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG7u5RrlYvE4MpobMRArK1AKDjZ0NSoyeK6WrY9iF4Ora0iwztUACgp4zp
pVSCOBwM5Kp0FBoEQ7uH+4Y=
=SxRq
-----END PGP SIGNATURE-----

From torbjorn.lindahl at gmail.com Tue Sep 18 11:03:13 2007
From: torbjorn.lindahl at gmail.com (Torbjørn Lindahl)
Date: Tue, 18 Sep 2007 13:03:13 +0200
Subject: more fine grained access in /etc
In-Reply-To: <46EEEC6F.3050200@redhat.com>
References: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com> <46EEEC6F.3050200@redhat.com>
Message-ID: <3533f9010709180403r3f1c1c34o495653778f8bfc98@mail.gmail.com>

Good point. I probably can live with that.

Still I am not sure if I would like it to have full access to all files labelled etc_t. It would be nice to be able to single out only a few of them. Perhaps I should look at something other than the targeted policy.

On 9/17/07, Daniel J Walsh wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Torbjørn Lindahl wrote:
> > Hello, I am writing an application that I want to limit using selinux.
> >
> > audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
> > which doesn't seem too unreasonable, however both these have types etc_t,
> > and allowing myapp_t to read etc_t would also give it access to for example
> > /etc/passwd, which I do not want.
> >
> > Do I have to invent a new type for these two files to be able to keep my
> > application from the other etc_t files in /etc ?
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> Yes you can, but the more different file_contexts that you have in /etc,
> the harder they will be to maintain.
>
> Reading /etc/passwd is not as dangerous as being able to read
> /etc/shadow. So consider if this is really necessary.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFG7uxvrlYvE4MpobMRAk+5AJ9UZPJZq++LfpMZMRyF62bvWCOTqQCgsdly
> +DO1I81MDsGkD0L3p3RiV/4=
> =WV5q
> -----END PGP SIGNATURE-----
>

-- 
mvh Torbjørn Lindahl

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dwalsh at redhat.com Tue Sep 18 16:36:27 2007
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 18 Sep 2007 12:36:27 -0400 Subject: Error: setroubleshootd dead but subsys locked In-Reply-To: <19E1D5BB-DBB8-43AE-85F5-802BD64C0BCB@stevenstromer.com> References: <46E841B5.7070102@stevenstromer.com> <1189628450.9569.6.camel@finch.boston.redhat.com> <19E1D5BB-DBB8-43AE-85F5-802BD64C0BCB@stevenstromer.com> Message-ID: <46EFFE8B.1060109@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steven Stromer wrote: >>> Had a strange, and as yet unexplained, 'event' (I wasn't in front of the >>> machine when things went weird) that took place while a system was left >>> running a large rsync over ssh. On returning, a majority of the >>> directories under /var vanished, and a number of services refused to >>> start after a reboot, including auditd, nfsd, system message bus, hpiod, >>> hpssd, mysql, syslogd, httpd, sm-client, and setroubleshootd. >>> >>> In the cases of most of these services, there seemed to be problems >>> either with orphaned /var/run/*.pid files, or with orphaned >>> /var/lock/subsys/* lock files. Also, many services were reporting >>> 'subsys locked'. Deleting orphaned files, followed by relabeling the >>> filesystem selinux permissions did the trick, with relabeling being the >>> key to getting things going again. Debugging was made more challenging >>> by the fact that I had no logs to refer to. >>> >>> Now, almost all seems well, but I can't get setroubleshootd to start >>> unless I select 'setroubleshootd_disable_trans'. Without this checked, >>> setroubleshootd seems to start, but then fails: >>> >>> [root at file1 subsys]# rm setroubleshootd >>> rm: remove regular empty file `setroubleshootd'? 
y >>> [root at file1 subsys]# service setroubleshoot status >>> setroubleshootd is stopped >>> [root at file1 subsys]# service setroubleshoot start >>> Starting setroubleshootd: [ OK ] >>> [root at file1 subsys]# service setroubleshoot status >>> setroubleshootd dead but subsys locked >>> >>> >>> Attempting to run setroubleshoot generates the error: >>> >>> 'attempt to open server connection failed: (2, 'No such file or >>> directory') >>> >>> >>> Since someone might ask about permissions: >>> >>> [root at file1 subsys]# ls -laRZ /var/log | grep setroubleshoot >>> drwxr-xr-x root root system_u:object_r:setroubleshoot_var_log_t >>> setroubleshoot >>> /var/log/setroubleshoot: >>> drwxr-xr-x root root system_u:object_r:setroubleshoot_var_log_t . >>> -rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t >>> setroubleshootd.log >>> -rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t >>> setroubleshootd.log.1 >>> -rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t >>> setroubleshootd.log.2 >>> >>> >>> Can anyone explain why setroubleshootd_disable_trans should need to be >>> selected? Also, since this entire event seems to have close ties to >>> selinux, would anyone have an idea what might have happened to this >>> system? >>> >>> >>> Thanks for any ideas; it's been a long day... >>> >>> Steven Stromer >> >> You didn't say what OS version you're running :-) This looks a lot like >> known problems in rawhide (fedora development). If you are running >> rawhide then do you have the latest selinux-policy rpm install? The >> latest audit? >> > > Thanks for the reply. I am running FC6, 2.6.22.4-45.fc6. I'm on the > standard FC6 path, not development, though I'd be really interested to > see any documentation regarding the 'known problems in rawhide'. Unless > the system faulted and restarted, activating package updates that had > not yet witnessed a reboot, I can't see how any updates were applied. 
As > far as policy and audit packages, I have: > > selinux-policy.noarch 2.4.6-80.fc6 installed > selinux-policy-targeted.noarch 2.4.6-80.fc6 installed > audit.i386 1.4.2-5.fc6 installed > audit-libs.i386 1.4.2-5.fc6 installed > audit-libs-python.i386 1.4.2-5.fc6 installed > >> If setroubleshoot still does not start please look for errors >> in /var/log/setroubleshoot/setroubleshootd.log > > At present setroubleshootd logs are entirely empty. /var/logs was wiped > during the 'event' and my backups of these files were also empty. > >> >> BTW, setroubleshoot failing to start will not harm your system in any >> manner nor would it likely to have been the cause of any of your >> previous problems. > > This I know. it is the last little consequence of a much larger issue. I > am honestly more concerned with why so many directories and files > disappeared from /var (despite the fact that I have no disk errors) and > why selinux permissions had to be changed to get things that were > working previously to be able to work again. Any further leads would be > VERY much appreciated! > >> -- >> John Dennis > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list This sounds a lot like a labeling problem. Since you recreated all the directories under /var, you might not have labeled them correctly. You can relabel them by executing restorecon -R -v /var or you can relabel the entire system by executing touch /.autorelabel; reboot -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFG7/6LrlYvE4MpobMRAlkfAJ9/kOFoCJrHIQY8q01wecpunX2IOACdFbmc 65rle/j9PUryAIIHVe0Lgxs= =ChHO -----END PGP SIGNATURE----- From dwalsh at redhat.com Tue Sep 18 16:46:05 2007 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 18 Sep 2007 12:46:05 -0400 Subject: funny AVC from virt-manager In-Reply-To: <4c4ba1530709121300v182dc84bh7f912d7690944540@mail.gmail.com> References: <4c4ba1530709121300v182dc84bh7f912d7690944540@mail.gmail.com> Message-ID: <46F000CD.7010607@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tom London wrote: > Running latest rawhide. > > If I try to 'run/open' a kvm virtual machine using virt-manager, I get > the following AVC: > > type=AVC msg=audit(1189626420.012:34): avc: denied { execmem } for > pid=8603 comm="/usr/share/virt" > scontext=system_u:system_r:unconfined_t:s0 > tcontext=system_u:system_r:unconfined_t:s0 tclass=process > type=SYSCALL msg=audit(1189626420.012:34): arch=40000003 syscall=192 > success=no exit=-13 a0=0 a1=1000000 a2=7 a3=121 items=0 ppid=8602 > pid=8603 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 > sgid=500 fsgid=500 tty=(none) comm="/usr/share/virt" > exe="/usr/bin/python" subj=system_u:system_r:unconfined_t:s0 > key=(null) > > Notice the reference to '/usr/share/virt'. This doesn't exist (but > /usr/share/virt-manager does exist). > > Ignoring the evident problem with virt-manager, any idea why the > 'audit trail' would appear to be messed up? > > tom I wonder if virt-manager is changing it's argv[0] to /usr/share/virt or if this is a bug in the kernel. Now why it wants execmem is also curious. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFG8ADMrlYvE4MpobMRAlK7AJ9fbi9nVW5JOLn+JCjo6VbI+C1iJgCeOsWX JSdV5wpOs0dnYqiIfKBk+ZU= =1XDg -----END PGP SIGNATURE----- From dwalsh at redhat.com Tue Sep 18 16:47:02 2007 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 18 Sep 2007 12:47:02 -0400 Subject: selinux denies wine and xorg In-Reply-To: <1189777539.7686.1.camel@localhost.localdomain> References: <115791.58597.qm@web52612.mail.re2.yahoo.com> <1189777539.7686.1.camel@localhost.localdomain> Message-ID: <46F00106.9010702@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adam Jackson wrote: > On Wed, 2007-09-12 at 16:32 -0700, Antonio Olivares wrote: >> https://bugzilla.redhat.com/show_bug.cgi?id=288671 >> >> Just following the advice given here: >> Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi >> >> against this package. >> >> Summary >> SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write" >> to (wine_t). >> >> Detailed Description >> SELinux denied access requested by /usr/bin/Xorg. It is not expected that >> this access is required by /usr/bin/Xorg and this access may signal an >> intrusion attempt. It is also possible that the specific version or >> configuration of the application is causing it to require additional access. >> >> Allowing Access >> You can generate a local policy module to allow this access - see >> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable >> SELinux protection altogether. Disabling SELinux protection is not >> recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi >> against this package. >> >> Additional Information >> >> Source Context system_u:system_r:xdm_xserver_t:SystemLow- >> SystemHigh >> Target Context system_u:system_r:wine_t >> Target Objects None [ shm ] > > That's... quite odd. Whatever shm objects X wants to talk to should be > fine, but it's not clear what kind of object it is from this report. 
> > - ajax > Fixed in selinux-policy-3.0.8-1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFG8AEGrlYvE4MpobMRAkidAJ4huVxe/B0n5N4JOkDPP5i0S7KN8wCfVOLl bRs/0rnjIRVkG6Fv/QE/hjA= =CQ93 -----END PGP SIGNATURE----- From dwalsh at redhat.com Tue Sep 18 16:48:27 2007 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Sep 2007 12:48:27 -0400
Subject: more fine grained access in /etc
In-Reply-To: <3533f9010709180403r3f1c1c34o495653778f8bfc98@mail.gmail.com>
References: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com> <46EEEC6F.3050200@redhat.com> <3533f9010709180403r3f1c1c34o495653778f8bfc98@mail.gmail.com>
Message-ID: <46F0015B.7050006@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Torbjørn Lindahl wrote:
> Good point.
> I probably can live with that.
>
> Still I am not sure if I would like it to have full access to all files
> labelled etc_t. It would be nice to be able to single out only a few of
> them. Perhaps I should look at something other than the targeted policy.
>
> On 9/17/07, Daniel J Walsh wrote:
>> Torbjørn Lindahl wrote:
>>> Hello, I am writing an application that I want to limit using selinux.
>>>
>>> audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
>>> which doesn't seem too unreasonable, however both these have types etc_t,
>>> and allowing myapp_t to read etc_t would also give it access to for example
>>> /etc/passwd, which I do not want.
>>>
>>> Do I have to invent a new type for these two files to be able to keep my
>>> application from the other etc_t files in /etc ?
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>> Yes you can, but the more different file_contexts that you have in /etc,
>> the harder they will be to maintain.
>>
>> Reading /etc/passwd is not as dangerous as being able to read
>> /etc/shadow. So consider if this is really necessary.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

All of the current policies including mls allow reading of etc_t for most domains, and /etc/passwd is labeled etc_t.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG8AFbrlYvE4MpobMRAtxMAKCXrwFqgATmTBQoNip52wmaHXFowQCgj0Ld
Jz2zh2M8ID/nkU4Rgod4UVw=
=8+JV
-----END PGP SIGNATURE-----

From olivares14031 at yahoo.com Tue Sep 18 23:15:17 2007
From: olivares14031 at yahoo.com (Antonio Olivares) Date: Tue, 18 Sep 2007 16:15:17 -0700 (PDT) Subject: hald denied avcs for Fedora Core 6 In-Reply-To: <46EEEA1A.2070206@redhat.com> Message-ID: <504933.99930.qm@web52601.mail.re2.yahoo.com> --- Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Antonio Olivares wrote: > > Dear all, > > > > I am getting the following denied avcs for hald > upon startup/shutdown. The selinux policy is up to > date, how can I fix this? There is no > troubleshooter like in fedora 7 which suggests a > fix. > > > > audit(1189722647.486:4): avc: denied { use } for > pid=3098 comm="hald" name="console" dev=tmpfs > ino=1083 scontext=system_u:system_r:hald_t:s0 > tcontext=system_u:system_r:init_t:s0 tclass=fd > > audit(1189722647.487:5): avc: denied { use } for > pid=3098 comm="hald" name="console" dev=tmpfs > ino=1083 scontext=system_u:system_r:hald_t:s0 > tcontext=system_u:system_r:init_t:s0 tclass=fd > > audit(1189722647.488:6): avc: denied { use } for > pid=3098 comm="hald" name="console" dev=tmpfs > ino=1083 scontext=system_u:system_r:hald_t:s0 > tcontext=system_u:system_r:init_t:s0 tclass=fd > > > > [olivares at localhost ~]$ rpm -qa selinux* > > selinux-policy-2.4.6-80.fc6 > > selinux-policy-targeted-2.4.6-80.fc6 > > [olivares at localhost ~]$ > > > > > > Thanks, > > > > Antonio > > > > > > > > > > > > > ____________________________________________________________________________________ > > Tonight's top picks. What will you watch tonight? > Preview the hottest shows on Yahoo! TV. 
> > http://tv.yahoo.com/ > > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-seli > grep hald /var/log/audit/audit.log | audit2allow -M > myhald > semodule -i myhald.pp > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > Comment: Using GnuPG with Fedora - > http://enigmail.mozdev.org > > iD8DBQFG7uoarlYvE4MpobMRAqAvAKC7QJepCnpzmaI0TomdHCDxTQaaowCfSGf1 > t5WTaOnECgeTrx+Gq+oivoU= > =Tt3r > -----END PGP SIGNATURE----- > Thanks Daniel for responding, however applying your commands fails with the following messages: [root at localhost ~]# grep hald /var/log/audit/audit.log | audit2allow -M myhald grep: /var/log/audit/audit.log: No such file or directory compilation failed: sh: /usr/bin/checkmodule: No such file or directory [root at localhost ~]# semodule -i myhald.pp semodule: Could not read file 'myhald.pp': [root at localhost ~]# Thanks, Antonio ____________________________________________________________________________________ Moody friends. Drama queens. Your life? Nope! - their life, your story. Play Sims Stories at Yahoo! Games. http://sims.yahoo.com/ From spng.yang at gmail.com Wed Sep 19 04:43:37 2007 
From: spng.yang at gmail.com (Ken YANG) Date: Wed, 19 Sep 2007 12:43:37 +0800 Subject: hald denied avcs for Fedora Core 6 In-Reply-To: <504933.99930.qm@web52601.mail.re2.yahoo.com> References: <504933.99930.qm@web52601.mail.re2.yahoo.com> Message-ID: <46F0A8F9.9000800@gmail.com> Antonio Olivares wrote: > --- Daniel J Walsh wrote: > > Antonio Olivares wrote: >>>> Dear all, >>>> >>>> I am getting the following denied avcs for hald > upon startup/shutdown. The selinux policy is up to > date, how can I fix this? There is no > troubleshooter like in fedora 7 which suggests a > fix. >>>> audit(1189722647.486:4): avc: denied { use } for > pid=3098 comm="hald" name="console" dev=tmpfs > ino=1083 scontext=system_u:system_r:hald_t:s0 > tcontext=system_u:system_r:init_t:s0 tclass=fd >>>> audit(1189722647.487:5): avc: denied { use } for > pid=3098 comm="hald" name="console" dev=tmpfs > ino=1083 scontext=system_u:system_r:hald_t:s0 > tcontext=system_u:system_r:init_t:s0 tclass=fd >>>> audit(1189722647.488:6): avc: denied { use } for > pid=3098 comm="hald" name="console" dev=tmpfs > ino=1083 scontext=system_u:system_r:hald_t:s0 > tcontext=system_u:system_r:init_t:s0 tclass=fd >>>> [olivares at localhost ~]$ rpm -qa selinux* >>>> selinux-policy-2.4.6-80.fc6 >>>> selinux-policy-targeted-2.4.6-80.fc6 >>>> [olivares at localhost ~]$ >>>> >>>> >>>> Thanks, >>>> >>>> Antonio >>>> >>>> >>>> >>>> >>>> >>>> >> ____________________________________________________________________________________ >>>> Tonight's top picks. What will you watch tonight? > Preview the hottest shows on Yahoo! TV. 
>>>> http://tv.yahoo.com/ >>>> >>>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list at redhat.com >>>> > https://www.redhat.com/mailman/listinfo/fedora-seli > grep hald /var/log/audit/audit.log | audit2allow -M > myhald > semodule -i myhald.pp >> > Thanks Daniel for responding, however applying your > commands fails with the following messages: > [root at localhost ~]# grep hald /var/log/audit/audit.log > | audit2allow -M myhald > grep: /var/log/audit/audit.log: No such file or > directory > compilation failed: > sh: /usr/bin/checkmodule: No such file or directory do you have checkpolicy package installed? the "checkmodule" command is in checkpolicy package > [root at localhost ~]# semodule -i myhald.pp > semodule: Could not read file 'myhald.pp': > [root at localhost ~]# > Thanks, > Antonio > ____________________________________________________________________________________ > Moody friends. Drama queens. Your life? Nope! - their life, your story. Play Sims Stories at Yahoo! Games. > http://sims.yahoo.com/ > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From torbjorn.lindahl at gmail.com Wed Sep 19 09:09:14 2007 
From: torbjorn.lindahl at gmail.com (Torbjørn Lindahl)
Date: Wed, 19 Sep 2007 11:09:14 +0200
Subject: more fine grained access in /etc
In-Reply-To: <46F0015B.7050006@redhat.com>
References: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com> <46EEEC6F.3050200@redhat.com> <3533f9010709180403r3f1c1c34o495653778f8bfc98@mail.gmail.com> <46F0015B.7050006@redhat.com>
Message-ID: <3533f9010709190209g31b7dce1q28052d47f0954cb3@mail.gmail.com>

I see. In that case I am not going to push this topic much further. Thanks
for your assistance!

But wouldn't it be nice to have an allow mechanism in SELinux in which I
could grant access based on its existing access. What I want to achieve is
to be able to add a rule like "If process can read etc_t, then it can also
read etc_foo_t".

That would allow me to change the context of individual files, and grant
access to them by processes which already have etc_t, and I wouldn't have
to redefine almost the entire selinux context tree just to target a few
individual files in /etc for my app.

T.

On 9/18/07, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Torbjørn Lindahl wrote:
>> Good point.
>> I probably can live with that.
>>
>> Still I am not sure if I would like it to have full access to all files
>> labelled etc_t. It would be nice to be able to single out only a few of
>> them. Perhaps I should look at something other than the targeted policy.
>>
>> On 9/17/07, Daniel J Walsh wrote:
>>> Torbjørn Lindahl wrote:
>>>> Hello, I am writing an application that I want to limit using selinux.
>>>>
>>>> audit.log shows that it wants access to /etc/nsswitch.conf and
>>>> /etc/hosts - which doesn't seem too unreasonable, however both these
>>>> have type etc_t, and allowing myapp_t to read etc_t would also give it
>>>> access to for example /etc/passwd, which i do not want.
>>>>
>>>> Do I have to invent a new type for these two files to be able to keep
>>>> my application from the other etc_t files in /etc ?
>>>
>>> Yes you can, but the more different file_context that you have in /etc,
>>> the harder they will be to maintain.
>>>
>>> Reading /etc/passwd is not as dangerous as being able to read
>>> /etc/shadow. So consider if this is really necessary.
>
> All of the current policies including mls allow reading of etc_t for
> most domains, and /etc/passwd is labeled etc_t.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFG8AFbrlYvE4MpobMRAtxMAKCXrwFqgATmTBQoNip52wmaHXFowQCgj0Ld
> Jz2zh2M8ID/nkU4Rgod4UVw=
> =8+JV
> -----END PGP SIGNATURE-----

--
Best regards
Torbjørn Lindahl

From: ltamas at gytk.sote.hu (Ludman Tamás)
Date: Wed, 19 Sep 2007 13:43:34 +0200
Subject: Squirrelmail_disk_quota_plugin
In-Reply-To: <46E91E8C.5020109@gytk.sote.hu>
References: <46E91E8C.5020109@gytk.sote.hu>
Message-ID: <46F10B66.8000108@gytk.sote.hu>

I found a (copy+paste) error in my first mail. This is the correct one:

...
[root at modules]# cat /var/log/audit/audit.log | audit2allow -m local > local.te
...

Ludman Tamás wrote:
> I tried these:
> [root at modules]# cat /var/log/audit/audit.log | audit2allow -m local > local
> [root at modules]# checkmodule -M -m -o local.mod local.te
> checkmodule: loading policy configuration from local.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 6) to local.mod
> [root at modules]# semodule_package -o local.pp -m local.mod
> [root at modules]# semodule -i local.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t s
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed

--
Ludman Tamás
IT engineer
Semmelweis Egyetem, Gyógyszerésztudományi Kar
Semmelweis University Faculty Of Pharmacy
H-1092 Budapest, Hungary
Hőgyes Endre utca 7-9.
Tel.: (+36 1) 476-3600, ext. 3033

From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 19 Sep 2007 05:47:21 -0700 (PDT)
Subject: hald denied avcs for Fedora Core 6
In-Reply-To: <46F0A8F9.9000800@gmail.com>
Message-ID: <730509.32451.qm@web52601.mail.re2.yahoo.com>

--- Ken YANG wrote:
> Antonio Olivares wrote:
>> --- Daniel J Walsh wrote:
>>> grep hald /var/log/audit/audit.log | audit2allow -M myhald
>>> semodule -i myhald.pp
>>
>> Thanks Daniel for responding, however applying your commands fails with
>> the following messages:
>>
>> [root at localhost ~]# grep hald /var/log/audit/audit.log | audit2allow -M myhald
>> grep: /var/log/audit/audit.log: No such file or directory
>> compilation failed:
>> sh: /usr/bin/checkmodule: No such file or directory
>
> Do you have the checkpolicy package installed? The "checkmodule" command is
> in the checkpolicy package.
>
>> [root at localhost ~]# semodule -i myhald.pp
>> semodule: Could not read file 'myhald.pp':
>> [root at localhost ~]#

You have hit the nail in the coffin. checkpolicy is not installed.

[olivares at localhost ~]$ rpm -qa check-policy
[olivares at localhost ~]$ rpm -qa checkpolicy

I'll yum install it and then report back. I am thinking of moving this fc6
machine to f8t2, should I wait till this bug is resolved/proceed with the
updates?

Regards,

Antonio

From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 19 Sep 2007 08:59:26 -0400
Subject: more fine grained access in /etc
In-Reply-To: <3533f9010709190209g31b7dce1q28052d47f0954cb3@mail.gmail.com>
References: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com> <46EEEC6F.3050200@redhat.com> <3533f9010709180403r3f1c1c34o495653778f8bfc98@mail.gmail.com> <46F0015B.7050006@redhat.com> <3533f9010709190209g31b7dce1q28052d47f0954cb3@mail.gmail.com>
Message-ID: <1190206766.25863.2.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2007-09-19 at 11:09 +0200, Torbjørn Lindahl wrote:
> I see. In that case I am not going to push this topic much further.
> Thanks for your assistance!
>
> But wouldn't it be nice to have an allow mechanism in SELinux in which
> I could grant access based on its existing access. What I want to
> achieve is to be able to add a rule like "If process can read etc_t,
> then it can also read etc_foo_t"
>
> That would allow me to change context of individual files, and grant
> access to them by process who already have etc_t, and I wouldn't have
> to redefine almost the entire selinux context tree just to target a
> few individual files in /etc for my app.

A notion of type inheritance has been discussed previously on the selinux
list (the upstream list for general selinux discussion, as opposed to this
list, which is Fedora-specific), and has come up again recently. The devil
of course is in the details...

--
Stephen Smalley
National Security Agency

From: selinux at gmail.com (Tom London)
Date: Wed, 19 Sep 2007 07:42:58 -0700
Subject: unconfined_execmem_t and dbus,avahi
Message-ID: <4c4ba1530709190742q1974a175r498df810bea2a0b8@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

I run rhythmbox in 'unconfined_execmem_t' to allow it to load an MP3 library
(allows me to play stuff from my iPod).

I get the following AVCs (the first from /var/log/messages). (I'm guessing
the second is from rhythmbox too).

Sep 19 07:17:25 localhost dbus: avc: denied { acquire_svc } for service=org.gnome.Rhythmbox spid=5080 scontext=system_u:system_r:unconfined_execmem_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=dbus

type=USER_AVC msg=audit(1190211461.162:23): user pid=3090 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server member=GetAPIVersion dest=org.freedesktop.Avahi spid=5080 tpid=4092 scontext=system_u:system_r:unconfined_execmem_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

Issues to allow such?

tom
--
Tom London

From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 20 Sep 2007 17:28:06 -0700 (PDT)
Subject: selinux errors on rawhide despite update
Message-ID: <918476.31163.qm@web52610.mail.re2.yahoo.com>

I have updated this machine running rawhide and I still see many of these.
Did they not get fixed with the new selinux-policy?

Summary
    SELinux is preventing python (cupsd_config_t) "read" to 003 (usb_device_t).

Detailed Description
    SELinux denied access requested by python. It is not expected that this
    access is required by python and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for 003, restorecon -v 003 If this
    does not work, there is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                system_u:system_r:cupsd_config_t
Target Context                system_u:object_r:usb_device_t
Target Objects                003 [ chr_file ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.0.8-3.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.23-0.189.rc6.git8.fc8 #1 SMP Wed Sep 19 20:34:10 EDT 2007 i686 athlon
Alert Count                   6
First Seen                    Mon 17 Sep 2007 07:07:18 PM CDT
Last Seen                     Thu 20 Sep 2007 07:16:40 PM CDT
Local ID                      cbf278e4-fbdc-4926-9daf-0eca08b62ddd
Line Numbers

Raw Audit Messages

avc: denied { read } for comm=python dev=tmpfs egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=003 pid=2326 scontext=system_u:system_r:cupsd_config_t:s0 sgid=0 subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0

avc: denied { read } for comm=python dev=tmpfs egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=001 pid=2326 scontext=system_u:system_r:cupsd_config_t:s0 sgid=0 subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0

Might not the new policy have been updated?

Thanks,

Antonio

From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Fri, 21 Sep 2007 06:12:21 -0700 (PDT)
Subject: SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write" to (wine_t).
Message-ID: <945756.41162.qm@web52612.mail.re2.yahoo.com>

Are any of the testers still seeing this after the updates?

Summary
    SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write"
    to (wine_t).

Detailed Description
    SELinux denied access requested by /usr/bin/Xorg. It is not expected that
    this access is required by /usr/bin/Xorg and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context                system_u:system_r:wine_t:s0
Target Objects                None [ shm ]
Affected RPM Packages         xorg-x11-server-Xorg-1.3.0.0-24.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-2.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23-0.187.rc6.git7.fc8 #1 SMP Tue Sep 18 18:05:52 EDT 2007 i686 i686
Alert Count                   122
First Seen                    Fri 21 Sep 2007 08:05:30 AM CDT
Last Seen                     Fri 21 Sep 2007 08:06:41 AM CDT
Local ID                      0ccdd94f-6b5d-4d1c-a03c-90f450f7d265
Line Numbers

Raw Audit Messages

avc: denied { unix_read, unix_write } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2484 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm tcontext=system_u:system_r:wine_t:s0 tty=tty7 uid=0

Regards,

Antonio

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 21 Sep 2007 09:20:16 -0400
Subject: SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write" to (wine_t).
In-Reply-To: <945756.41162.qm@web52612.mail.re2.yahoo.com>
References: <945756.41162.qm@web52612.mail.re2.yahoo.com>
Message-ID: <46F3C510.9040803@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Are any of the testers still seeing this after the updates?
>
> Summary
> SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write"
> to (wine_t).
>
> Policy RPM                    selinux-policy-3.0.8-2.fc8
>
> Raw Audit Messages
>
> avc: denied { unix_read, unix_write } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2484
> scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
> subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm
> tcontext=system_u:system_r:wine_t:s0 tty=tty7 uid=0

Should be fixed in today's rawhide.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG88UPrlYvE4MpobMRAkMlAJ4qplZJukXhywqt+ogt2Rw6FAZJ4gCfZXSq
4Ueq2ba7hGetrPYRLLCe8K4=
=lwu7
-----END PGP SIGNATURE-----

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 21 Sep 2007 09:20:32 -0400
Subject: selinux errors on rawhide despite update
In-Reply-To: <918476.31163.qm@web52610.mail.re2.yahoo.com>
References: <918476.31163.qm@web52610.mail.re2.yahoo.com>
Message-ID: <46F3C520.4090007@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> I have updated this machine running rawhide and I still see many of these.
> Did they not get fixed with the new selinux-policy?
>
> Summary
> SELinux is preventing python (cupsd_config_t) "read" to 003 (usb_device_t).
>
> Policy RPM                    selinux-policy-3.0.8-3.fc8
>
> Raw Audit Messages
>
> avc: denied { read } for comm=python dev=tmpfs egid=0 euid=0 exe=/usr/bin/python
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=003 pid=2326
> scontext=system_u:system_r:cupsd_config_t:s0 sgid=0
> subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file
> tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0
>
> Might not the new policy have been updated?

Will be fixed in tomorrow's rawhide.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG88UgrlYvE4MpobMRAmUTAJsF2tf0kKZna09xYuEXj1LwNWTTRwCgx5ef
ZdBGerLMIigBNyVDOEIOjig=
=v9j3
-----END PGP SIGNATURE-----

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 21 Sep 2007 09:24:05 -0400
Subject: more fine grained access in /etc
In-Reply-To: <3533f9010709190209g31b7dce1q28052d47f0954cb3@mail.gmail.com>
References: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com> <46EEEC6F.3050200@redhat.com> <3533f9010709180403r3f1c1c34o495653778f8bfc98@mail.gmail.com> <46F0015B.7050006@redhat.com> <3533f9010709190209g31b7dce1q28052d47f0954cb3@mail.gmail.com>
Message-ID: <46F3C5F5.60509@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Torbjørn Lindahl wrote:
> I see. In that case I am not going to push this topic much further. Thanks
> for your assistance!
>
> But wouldn't it be nice to have an allow mechanism in SELinux in which I
> could grant access based on its existing access. What I want to achieve is
> to be able to add a rule like "If process can read etc_t, then it can also
> read etc_foo_t"
>
> That would allow me to change context of individual files, and grant access
> to them by process who already have etc_t, and I wouldn't have to redefine
> almost the entire selinux context tree just to target a few individual files
> in /etc for my app.
>
> T.

We could do something like this with attributes. If you created an attribute
of etc_filetype, then gave etc_t this attribute, and changed the interfaces
that say files_read_etc_files() to use the attribute instead of the file.
Now when you create new file types, you could define them as etc_filetype.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG88X1rlYvE4MpobMRAh/8AJ9uoVJrZiiC+tTtTxvbbShtBA0cgACgu/uq
cE+Qw2lNiysCa+OBX1+prVk=
=MjEE
-----END PGP SIGNATURE-----

From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 21 Sep 2007 10:28:36 -0500
Subject: more fine grained access in /etc
In-Reply-To: <46F3C5F5.60509@redhat.com>
References: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com> <46EEEC6F.3050200@redhat.com> <3533f9010709180403r3f1c1c34o495653778f8bfc98@mail.gmail.com> <46F0015B.7050006@redhat.com> <3533f9010709190209g31b7dce1q28052d47f0954cb3@mail.gmail.com> <46F3C5F5.60509@redhat.com>
Message-ID:

>>>>> "DJW" == Daniel J Walsh writes:

DJW> We could do something like this with attributes.

I wonder if this would help my situation with denyhosts. The problem with
denyhosts is that it needs to write to /etc/hosts.deny, which means that
from the standpoint of selinux it needs to write to etc_t, which means it
gets to write to /etc/passwd as well. I've not bothered to even attempt to
write a policy for denyhosts given that it would be mostly pointless if it
would still get to trash /etc.

 - J<

From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 21 Sep 2007 13:06:54 -0400
Subject: more fine grained access in /etc
In-Reply-To:
References: <3533f9010709130616u7f1e26ccub02ea4c1167a9f44@mail.gmail.com> <46EEEC6F.3050200@redhat.com> <3533f9010709180403r3f1c1c34o495653778f8bfc98@mail.gmail.com> <46F0015B.7050006@redhat.com> <3533f9010709190209g31b7dce1q28052d47f0954cb3@mail.gmail.com> <46F3C5F5.60509@redhat.com>
Message-ID: <46F3FA2E.6010901@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason L Tibbitts III wrote:
>>>>>> "DJW" == Daniel J Walsh writes:
>
> DJW> We could do something like this with attributes.
>
> I wonder if this would help my situation with denyhosts. The problem
> with denyhosts is that it needs to write to /etc/hosts.deny, which
> means that from the standpoint of selinux it needs to write to etc_t,
> which means it gets to write to /etc/passwd as well. I've not
> bothered to even attempt to write a policy for denyhosts given that it
> would be mostly pointless if it would still get to trash /etc.
>
> - J<

You would change the context of /etc/hosts.deny to denyhost_etc_rw_t and then
write a rule saying

allow denyhost_t denyhost_etc_rw_t:file manage_file_perms;
files_etc_filetrans(denyhost_t, denyhost_etc_rw_t, file)

This would allow denyhost_t to only write to files labeled
denyhost_etc_rw_t, and be able to create files in /etc/ labeled
denyhost_etc_rw_t. It will not allow you to write to files labeled etc_t,
so you cannot overwrite /etc/passwd.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG8/ourlYvE4MpobMRAuk0AJkB+G9WeyRgEd2uPpZgFHTFkmZZtACgk0YY
OS5p0HAdXGfY/uLWB8Fi3PQ=
=hlPZ
-----END PGP SIGNATURE-----

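Daniel's attribute idea (the etc_filetype sketch a few messages up) and the denyhosts rules just above, as one added example that is not the list's or the reference policy's own code: a script that writes the module sources for the private-type layout (a denyhosts_etc_rw_t type with a file transition under /etc), shows the attribute variant as it would look in the base policy, and checks the property Jason asked about, that the generated module never grants write access on etc_t. Module, type, interface and path names are hypothetical; the refpolicy interfaces used (init_daemon_domain, files_config_file, files_read_etc_files, files_etc_filetrans, the *_pattern macros) are real.

```shell
#!/bin/sh
# Added example, not the list's or the reference policy's own code. Names
# such as denyhosts_local, denyhosts_t, denyhosts_etc_rw_t, etc_filetype and
# /usr/bin/denyhosts.py are hypothetical.

# denyhosts_te: module source for the private-type layout from the thread.
denyhosts_te() {
cat <<'EOF'
policy_module(denyhosts_local, 1.0)

# Declarations (hypothetical names)
type denyhosts_t;
type denyhosts_exec_t;
init_daemon_domain(denyhosts_t, denyhosts_exec_t)

# A private type for the single /etc file the daemon may rewrite.
type denyhosts_etc_rw_t;
files_config_file(denyhosts_etc_rw_t)

# Read /etc like every other domain; etc_t stays read-only for this domain.
files_read_etc_files(denyhosts_t)
# Write, create and delete only files carrying the private type.
allow denyhosts_t denyhosts_etc_rw_t:file manage_file_perms;
# Files this domain creates directly in /etc get the private type, so a
# write-temp-then-rename rewrite of hosts.deny keeps the narrow label.
files_etc_filetrans(denyhosts_t, denyhosts_etc_rw_t, file)
EOF
}

# denyhosts_fc: file contexts; only hosts.deny leaves etc_t.
denyhosts_fc() {
cat <<'EOF'
/etc/hosts\.deny        --      gen_context(system_u:object_r:denyhosts_etc_rw_t,s0)
# Assumed daemon path; adjust to where the package installs it.
/usr/bin/denyhosts\.py  --      gen_context(system_u:object_r:denyhosts_exec_t,s0)
EOF
}

# etc_filetype_sketch: the attribute approach, as base-policy statements.
# etc_t gets an attribute and the read interface keys on it, so later types
# (etc_foo_t, denyhosts_etc_rw_t) become readable by declaring the attribute
# instead of touching every caller of files_read_etc_files().
etc_filetype_sketch() {
cat <<'EOF'
attribute etc_filetype;
typeattribute etc_t etc_filetype;
typeattribute denyhosts_etc_rw_t etc_filetype;

interface(`files_read_etc_filetype',`
	gen_require(`
		attribute etc_filetype;
	')
	read_files_pattern($1, etc_filetype, etc_filetype)
	read_lnk_files_pattern($1, etc_filetype, etc_filetype)
')
EOF
}

# writes_etc_t: read policy source on stdin; print every allow rule that
# grants a write-class permission on etc_t and return 0, or return 1 if none.
writes_etc_t() {
    awk '/^allow / && / etc_t:/ && /write|append|create|unlink|rename|setattr|manage_|rw_/ {
             found = 1; print "writes etc_t: " $0 }
         END { exit !found }'
}

# Usage on a real box (needs selinux-policy-devel):
#   denyhosts_te > denyhosts_local.te; denyhosts_fc > denyhosts_local.fc
#   make -f /usr/share/selinux/devel/Makefile && semodule -i denyhosts_local.pp
#   restorecon -v /etc/hosts.deny
if denyhosts_te | writes_etc_t; then
    echo "module would let denyhosts_t modify etc_t files" >&2
else
    echo "ok: denyhosts_t cannot modify etc_t files such as /etc/passwd"
fi
```

The check is deliberately textual: it catches a rule that mentions etc_t directly, not a permission reached through an interface, so on a real module the authoritative answer comes from sesearch against the loaded policy (for example `sesearch --allow -s denyhosts_t -t etc_t -c file`).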
From: selinux at gmail.com (Tom London)
Date: Fri, 21 Sep 2007 14:27:33 -0700
Subject: udev_t and alsa_var_lib_t....
Message-ID: <4c4ba1530709211427y65499c10nca46214bb37f63a0@mail.gmail.com>

Running latest Rawhide.

Get these in /var/log/messages before auditd starts:

Sep 21 14:03:47 localhost kernel: audit(1190408616.016:4): avc: denied { search } for pid=1835 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir
Sep 21 14:03:47 localhost kernel: audit(1190408616.016:5): avc: denied { search } for pid=1834 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir
Sep 21 14:03:47 localhost kernel: audit(1190408616.016:6): avc: denied { search } for pid=1837 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir
Sep 21 14:03:47 localhost kernel: audit(1190408616.016:7): avc: denied { search } for pid=1836 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir

Believe this is from /etc/udev/rules/90-alsa.rules:

SUBSYSTEM=="sound", KERNEL=="controlC*", RUN+="/sbin/salsa"
SUBSYSTEM=="sound", KERNEL=="pcm*", RUN+="/sbin/salsa"

Appears to be trying to read /var/lib/alsa/asound.state and restoring audio
state to previously set values.

tom
--
Tom London

From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Fri, 21 Sep 2007 17:11:19 -0700 (PDT)
Subject: many selinux alerts hard to keep up, this one unix_read unix_write to (wine_t). occurs most
Message-ID: <91652.76348.qm@web52604.mail.re2.yahoo.com>

SELinux is preventing python (cupsd_config_t) "read" to 002 (usb_device_t).
SELinux is preventing python (cupsd_config_t) "read write" to 002 (usb_device_t).
SELinux is preventing python (cupsd_config_t) "read" to 004 (usb_device_t).
SELinux is preventing python (cupsd_config_t) "read" to 001 (usb_device_t).
+ ...,
+ This one does not want to go away ->
SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write" to (wine_t).

http://www.geocities.com/olivares14031/selinux-20070921.txt

Not complaining, only making them aware so that these ills can be cured.

Antonio

From: selinux at gmail.com (Tom London)
Date: Sat, 22 Sep 2007 11:58:47 -0700
Subject: New NetworkManager, wireless, ....
Message-ID: <4c4ba1530709221158x75575095v66056649a148b77@mail.gmail.com>

Running latest Rawhide, targeted.

In enforcing mode, NetworkManager (i.e., nm-applet) doesn't 'see' my wireless stuff. Rebooting in permissive, NetworkManager now 'sees' the wireless networks.

In enforcing mode, I get this:

#============= system_dbusd_t ==============
allow system_dbusd_t lib_t:file execute_no_trans;

In permissive mode, I get the following AVCs:

#============= NetworkManager_t ==============
allow NetworkManager_t system_dbusd_t:netlink_selinux_socket { read write };
allow NetworkManager_t var_log_t:dir { write search add_name };
allow NetworkManager_t var_log_t:file { create getattr };

#============= system_dbusd_t ==============
allow system_dbusd_t lib_t:file execute_no_trans;

I attach both audit logs.

tom
-- 
Tom London

From olivares14031 at yahoo.com Mon Sep 24 12:00:48 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 24 Sep 2007 05:00:48 -0700 (PDT)
Subject: SELinux is preventing /sbin/setfiles (setfiles_t) "write" to pipe:[37965] (rpm_t)
Message-ID: <37559.45020.qm@web52607.mail.re2.yahoo.com>

Summary
SELinux is preventing /sbin/setfiles (setfiles_t) "write" to pipe:[37965] (rpm_t).

Detailed Description
SELinux denied access requested by /sbin/setfiles. It is not expected that this access is required by /sbin/setfiles and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         system_u:system_r:setfiles_t
Target Context         system_u:system_r:rpm_t
Target Objects         pipe:[37965] [ fifo_file ]
Affected RPM Packages  policycoreutils-2.0.25-14.fc8 [application]
Policy RPM             selinux-policy-3.0.8-3.fc8
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.catchall
Host Name              localhost
Platform               Linux localhost 2.6.23-0.189.rc6.git8.fc8 #1 SMP Wed Sep 19 20:34:10 EDT 2007 i686 athlon
Alert Count            2
First Seen             Mon 24 Sep 2007 06:33:12 AM CDT
Last Seen              Mon 24 Sep 2007 06:33:13 AM CDT
Local ID               1bf48637-4571-49ee-b8e4-2d2952c9168a
Line Numbers

Raw Audit Messages
avc: denied { write } for comm=restorecon dev=pipefs egid=0 euid=0 exe=/sbin/setfiles exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[37965] pid=3179 scontext=system_u:system_r:setfiles_t:s0 sgid=0 subj=system_u:system_r:setfiles_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:rpm_t:s0 tty=(none) uid=0
From tibbs at math.uh.edu Mon Sep 24 17:42:01 2007
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 24 Sep 2007 12:42:01 -0500
Subject: Allowing httpd to connect to specific sockets
Message-ID:

So I have this AVC:

avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

which comes from a PHP script trying to open a socket. This is no big deal. I believe that setting httpd_can_network_connect should fix it. However, I was wondering if it's possible to restrict the destination port to 9680, or restrict the destination host at all?

- J<

From dwalsh at redhat.com Mon Sep 24 21:55:39 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 24 Sep 2007 17:55:39 -0400
Subject: Allowing httpd to connect to specific sockets
In-Reply-To:
References:
Message-ID: <46F8325B.5020006@redhat.com>

Jason L Tibbitts III wrote:
> So I have this AVC:
>
> avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> which comes from a PHP script trying to open a socket. This is no big
> deal. I believe that setting httpd_can_network_connect should fix it.
> However, I was wondering if it's possible to restrict the destination
> port to 9680, or restrict the destination host at all?
>
> - J<

Hope you don't mind but I answered in my blog.

http://danwalsh.livejournal.com/12928.html

From tibbs at math.uh.edu Mon Sep 24 22:35:30 2007
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 24 Sep 2007 17:35:30 -0500
Subject: Allowing httpd to connect to specific sockets
In-Reply-To: <46F8325B.5020006@redhat.com>
References: <46F8325B.5020006@redhat.com>
Message-ID:

>>>>> "DJW" == Daniel J Walsh writes:

DJW> Hope you don't mind but I answered in my blog.

No problem at all; thanks. And given that I've only tweaked things using semanage, my question now is whether there's anything I need to do to make sure that the policy modification via semodule is persistent.

- J<

From dwalsh at redhat.com Tue Sep 25 12:35:54 2007
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 25 Sep 2007 08:35:54 -0400
Subject: Allowing httpd to connect to specific sockets
In-Reply-To:
References: <46F8325B.5020006@redhat.com>
Message-ID: <46F900AA.2070907@redhat.com>

Jason L Tibbitts III wrote:
>>>>>> "DJW" == Daniel J Walsh writes:
>
> DJW> Hope you don't mind but I answered in my blog.
>
> No problem at all; thanks. And given that I've only tweaked things
> using semanage, my question now is whether there's anything I need to
> do to make sure that the policy modification via semodule is
> persistent.
>
> - J<

Nope, semodule/semanage are always persistent. The only thing that is ever not persistent is setsebool without the -P qualifier.

From olivares14031 at yahoo.com Tue Sep 25 14:02:03 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 25 Sep 2007 07:02:03 -0700 (PDT)
Subject: SELinux is preventing /usr/lib/cups/backend/hp (hplip_t) "read write" to socket:[41030] (cupsd_t).
Message-ID: <541524.37528.qm@web52610.mail.re2.yahoo.com>

Thanks for fixing the other issues :) Now this one started as of today :(

Summary
SELinux is preventing /usr/lib/cups/backend/hp (hplip_t) "read write" to socket:[41030] (cupsd_t).

Detailed Description
SELinux denied access requested by /usr/lib/cups/backend/hp. It is not expected that this access is required by /usr/lib/cups/backend/hp and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         system_u:system_r:hplip_t:SystemLow-SystemHigh
Target Context         system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Objects         socket:[41030] [ unix_stream_socket ]
Affected RPM Packages  hplip-2.7.7-4.fc8 [application]
Policy RPM             selinux-policy-3.0.8-11.fc8
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.catchall
Host Name              localhost
Platform               Linux localhost 2.6.23-0.202.rc8.fc8 #1 SMP Mon Sep 24 22:09:05 EDT 2007 i686 athlon
Alert Count            1
First Seen             Tue 25 Sep 2007 08:54:39 AM CDT
Last Seen              Tue 25 Sep 2007 08:54:39 AM CDT
Local ID               7cbc1a88-cda1-4ff4-b13b-218173d9ae7f
Line Numbers

Raw Audit Messages
avc: denied { read, write } for comm=hp dev=sockfs egid=7 euid=4 exe=/usr/lib/cups/backend/hp exit=0 fsgid=7 fsuid=4 gid=7 items=0 path=socket:[41030] pid=3214 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 suid=4 tclass=unix_stream_socket tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tty=(none) uid=4

Thanks,

Antonio

From selinux at gmail.com Tue Sep 25 14:14:19 2007
From: selinux at gmail.com (Tom London)
Date: Tue, 25 Sep 2007 07:14:19 -0700
Subject: udev/sound/alsa: needs to read /var/lib/alsa/asound.state (alsa_var_lib_t)
Message-ID: <4c4ba1530709250714r5b50e533ra06d472f53026f38@mail.gmail.com>

Running latest rawhide, targeted enforcing.

Booting up, udev (90-alsa.rules) runs /sbin/salsa to read /var/lib/alsa/asound.state.

Get these in /var/log/messages:

Sep 25 06:48:13 localhost kernel: audit(1190728078.763:6): avc: denied { read } for pid=1789 comm="salsa" name="asound.state" dev=dm-0 ino=688429 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=file
Sep 25 06:55:25 localhost kernel: audit(1190728512.708:5): avc: denied { getattr } for pid=1793 comm="salsa" path="/var/lib/alsa/asound.state" dev=dm-0 ino=688429 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=file

tom

[Sorry if I incompletely reported this before, since policy now allows the directory to be read. There was a change in alsa-utils that mistakenly moved 'salsa' to /bin/salsa, so I stopped getting AVCs. alsa-utils is fixed now.]
-- 
Tom London

From twaugh at redhat.com Tue Sep 25 14:37:57 2007
From: twaugh at redhat.com (Tim Waugh)
Date: Tue, 25 Sep 2007 15:37:57 +0100
Subject: SELinux is preventing /usr/lib/cups/backend/hp (hplip_t) "read write" to socket:[41030] (cupsd_t).
In-Reply-To: <541524.37528.qm@web52610.mail.re2.yahoo.com>
References: <541524.37528.qm@web52610.mail.re2.yahoo.com>
Message-ID: <1190731077.6748.20.camel@cyberelk.elk>

On Tue, 2007-09-25 at 07:02 -0700, Antonio Olivares wrote:
> Summary
> SELinux is preventing /usr/lib/cups/backend/hp (hplip_t) "read write" to
> socket:[41030] (cupsd_t).

I sent Dan Walsh the fix for this earlier today, and I'm looking at the last remaining SELinux audit messages from HPLIP now.

Tim.

From notting at redhat.com Tue Sep 25 15:03:19 2007
From: notting at redhat.com (Bill Nottingham)
Date: Tue, 25 Sep 2007 11:03:19 -0400
Subject: udev/sound/alsa: needs to read /var/lib/alsa/asound.state (alsa_var_lib_t)
In-Reply-To: <4c4ba1530709250714r5b50e533ra06d472f53026f38@mail.gmail.com>
References: <4c4ba1530709250714r5b50e533ra06d472f53026f38@mail.gmail.com>
Message-ID: <20070925150318.GA3409@nostromo.devel.redhat.com>

Tom London (selinux at gmail.com) said:
> Running latest rawhide, targeted enforcing.
>
> Booting up, udev (90-alsa.rulles) runs /sbin/salsa to read
> /var/lib/alsa/asound.state.

Don't fix this in policy, that's just broken in alsa. You can't save mixer settings there, as /var may not be mounted when this runs.

*Sigh*

Bill

From hhoffman at ip-solutions.net Tue Sep 25 18:59:38 2007
From: hhoffman at ip-solutions.net (Harry Hoffman)
Date: Tue, 25 Sep 2007 14:59:38 -0400
Subject: postfix ldap selinux (centos5)
Message-ID: <46F95A9A.2080503@ip-solutions.net>

My apologies if this is the wrong list and there is a rhel/centos specific selinux list...

Trying to run postfix-2.2.3 on centos5. I'm using LDAP for maps and authentication.

Everytime I run postqueue -p (to show the mail queue) the command times out.

The following messages are logged in /var/log/maillog:

Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Sep 25 14:50:07 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server

The following AVCs show up in /var/log/audit/audit.log:

type=AVC msg=audit(1190746203.204:2162): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1190746203.204:2162): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746203.204:2163): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190746203.204:2163): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d6a0 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746203.204:2164): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1190746203.204:2164): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746203.204:2165): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190746203.204:2165): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=9755b90 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746207.205:2166): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1190746207.205:2166): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746207.205:2167): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190746207.205:2167): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d660 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)

From dwalsh at redhat.com Tue Sep 25 19:07:45 2007
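Added example (not from this thread): a small Python script that parses AVC denial records in the shapes seen in this thread (kernel `audit(...)` lines from /var/log/messages, `type=AVC` records from audit.log, and the raw messages setroubleshoot prints) and collapses them into the audit2allow-style allow rules Tom pasted earlier, then flags rules whose target is a catch-all type such as port_t, where a blanket allow would grant far more than the one denial asked for. The sample records are constructed from the denials posted in this thread, with unneeded fields trimmed.

```python
"""Collapse SELinux AVC denials into audit2allow-style allow rules.

Record shapes handled (all seen in this thread):
  * /var/log/messages:   "... kernel: audit(...): avc:  denied  { search } for  pid=..."
  * audit.log:           "type=AVC msg=audit(...): avc:  denied  { name_connect } for  pid=..."
  * setroubleshoot raw:  "avc: denied { read, write } for comm=hp ..."
Other record types (type=SYSCALL, ...) are ignored.
"""
import re
from collections import defaultdict

# Constructed sample input, patterned on the denials posted in this thread.
SAMPLE_LOG = """\
Sep 21 14:03:47 localhost kernel: audit(1190408616.016:4): avc:  denied  { search } for  pid=1835 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1190746203.204:2162): avc:  denied  { create } for  pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1190746203.204:2162): arch=40000003 syscall=102 success=no exit=-13 pid=9842 comm="showq" exe="/usr/libexec/postfix/showq"
type=AVC msg=audit(1190746203.204:2163): avc:  denied  { name_connect } for  pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
avc: denied { read, write } for comm=hp dev=sockfs exe=/usr/lib/cups/backend/hp path=socket:[41030] pid=3214 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=unix_stream_socket tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
avc:  denied  { name_connect } for  pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that are catch-alls rather than one specific resource; an allow
# rule against them grants access to everything carrying that label.
GENERIC_TARGETS = {"port_t", "unlabeled_t", "file_t", "default_t"}


def parse_avc(line):
    """Return {'perms', 'scontext', 'tcontext', 'tclass', 'fields'} or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # Permissions are space separated in the kernel form, comma separated in setroubleshoot's.
    perms = [p for p in re.split(r"[\s,]+", m.group("perms").strip()) if p]
    return {"perms": perms, "scontext": fields["scontext"],
            "tcontext": fields["tcontext"], "tclass": fields["tclass"], "fields": fields}


def type_of(context):
    """user:role:type[:range] -> type, the component policy rules are written against."""
    return context.split(":")[2]


def aggregate(lines):
    """Collapse denials into {(source_type, target_type, object_class): set(permissions)}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            rules[key].update(rec["perms"])
    return dict(rules)


def render_rules(rules):
    """Render the rules grouped by source domain, in the layout audit2allow uses."""
    out = []
    for stype in sorted({k[0] for k in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s != stype:
                continue
            p = sorted(perms)
            perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            out.append(f"allow {s} {t}:{cls} {perm_str};")
        out.append("")
    return "\n".join(out)


def broad_rules(rules):
    """Keys of rules whose target is a generic type. These deserve a narrower fix
    (labelling the resource, e.g. the port, or an existing boolean) rather than a blanket allow."""
    return sorted(k for k in rules if k[1] in GENERIC_TARGETS)


if __name__ == "__main__":
    rules = aggregate(SAMPLE_LOG.splitlines())
    print(render_rules(rules))
    for s, t, cls in broad_rules(rules):
        print(f"# review: {s} -> {t} ({cls}) targets a catch-all type; label the resource instead")
```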
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 25 Sep 2007 15:07:45 -0400
Subject: postfix ldap selinux (centos5)
In-Reply-To: <46F95A9A.2080503@ip-solutions.net>
References: <46F95A9A.2080503@ip-solutions.net>
Message-ID: <46F95C81.9050501@redhat.com>

Harry Hoffman wrote:
> My apologies if this is the wrong list and there is a rhel/centos
> specific selinux list...
>
> Trying to run postfix-2.2.3 on centos5. I'm using LDAP for maps and
> authentication.
>
> Everytime I run postqueue -p (to show the mail queue) the command times
> out.
>
> The following messages are logged in /var/log/maillog:
> Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
> Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
> Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
> Sep 25 14:50:07 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
>
> The following AVCs show up in /var/log/audit/audit.log:
>
> type=AVC msg=audit(1190746203.204:2162): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1190746203.204:2162): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746203.204:2163): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1190746203.204:2163): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d6a0 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746203.204:2164): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1190746203.204:2164): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746203.204:2165): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1190746203.204:2165): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=9755b90 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746207.205:2166): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1190746207.205:2166): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746207.205:2167): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1190746207.205:2167): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d660 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)

Please try the u1 policy, preview available on http://people.redhat.com/dwalsh/SELinux/RHEL5

From amarkelov at pluscom.ru Wed Sep 26 08:43:13 2007
From: amarkelov at pluscom.ru (Andrey Markelov)
Date: Wed, 26 Sep 2007 12:43:13 +0400
Subject: selinux-policy man pages translation (Russian)
Message-ID: <20070926124313.6338783f.amarkelov@pluscom.ru>

Hi all.

I have opened bug #306521: another man page translation to Russian, after policycoreutils (bug #250741). I translated all man pages from selinux-policy (refpolicy) into Russian. I hope it will be useful for security specialists in my country and will take part in SELinux popularisation.

-- 
Andrey Markelov, Plus Communications
Phone: +7(495)777-0-111 ext.533

From olivares14031 at yahoo.com Wed Sep 26 23:42:20 2007
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 26 Sep 2007 16:42:20 -0700 (PDT)
Subject: new avcs from setroubleshoot browser
Message-ID: <453217.12501.qm@web52606.mail.re2.yahoo.com>

Dear all,

New avcs have appeared:

Summary
SELinux is preventing /sbin/ip (ifconfig_t) "write" to pipe (unconfined_t).

Detailed Description
SELinux denied access requested by /sbin/ip. It is not expected that this access is required by /sbin/ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         system_u:system_r:ifconfig_t
Target Context         system_u:system_r:unconfined_t
Target Objects         pipe [ fifo_file ]
Affected RPM Packages  iproute-2.6.22-2.fc8 [application]
Policy RPM             selinux-policy-3.0.8-13.fc8
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.catchall
Host Name              localhost.localdomain
Platform               Linux localhost.localdomain 2.6.23-0.202.rc8.fc8 #1 SMP Mon Sep 24 22:09:05 EDT 2007 i686 i686
Alert Count            3
First Seen             Wed 26 Sep 2007 06:34:54 PM CDT
Last Seen              Wed 26 Sep 2007 06:34:54 PM CDT
Local ID               d0527712-8653-4588-9f61-e20604d839bf
Line Numbers

Raw Audit Messages
avc: denied { write } for comm=ip dev=pipefs egid=0 euid=0 exe=/sbin/ip exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[11604] pid=3103 scontext=system_u:system_r:ifconfig_t:s0 sgid=0 subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0

Summary
SELinux is preventing consoletype (consoletype_t) "read" to pipe (unconfined_t).

Detailed Description
SELinux denied access requested by consoletype. It is not expected that this access is required by consoletype and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context         system_u:system_r:consoletype_t
Target Context         system_u:system_r:unconfined_t
Target Objects         pipe [ fifo_file ]
Affected RPM Packages
Policy RPM             selinux-policy-3.0.8-13.fc8
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.catchall
Host Name              localhost.localdomain
Platform               Linux localhost.localdomain 2.6.23-0.202.rc8.fc8 #1 SMP Mon Sep 24 22:09:05 EDT 2007 i686 i686
Alert Count            2
First Seen             Wed 26 Sep 2007 06:34:54 PM CDT
Last Seen              Wed 26 Sep 2007 06:34:54 PM CDT
Local ID               8b0eaa38-b9e4-4472-9cd0-ddd5b686793e
Line Numbers

Raw Audit Messages
avc: denied { read } for comm=consoletype dev=pipefs path=pipe:[11541] pid=3036 scontext=system_u:system_r:consoletype_t:s0 tclass=fifo_file tcontext=system_u:system_r:unconfined_t:s0

How do I deal with these? I am seeing this only on one of the machines; the other two are fine. Crossing my fingers.

Thanks,

Antonio

From rob.myers at gtri.gatech.edu Thu Sep 27 14:33:32 2007
From: rob.myers at gtri.gatech.edu (rob myers) Date: Thu, 27 Sep 2007 10:33:32 -0400 Subject: .if installation Message-ID: <1190903612.7280.11.camel@rxm-581b.stl.gtri.gatech.edu> hello it seems like selinux policy module rpms should install their interfaces into /usr/share/selinux/devel/include, but this is missing from http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules. are there negative consequences of doing so? see the suggested changes below. rob. --- PackagingDrafts-SELinux-PolicyModules.txt.orig 2007-09-27 10:03:39.000000000 -0400 +++ PackagingDrafts-SELinux-PolicyModules.txt 2007-09-27 10:12:38.000000000 -0400 @@ -321,7 +321,7 @@ BuildRequires: checkpolicy, selinux-pol Requires: selinux-policy >= %{selinux_policyver} %endif Requires: %{name} = %{version}-%{release} -Requires(post): /usr/sbin/semodule, /sbin/restorecon +Requires(post): /usr/sbin/semodule, /sbin/restorecon, /usr/bin/sepolgen-ifgen Requires(postun): /usr/sbin/semodule, /sbin/restorecon %description selinux @@ -360,6 +360,11 @@ do done cd - +# Install SELinux interfaces +install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} +install -p -m 644 SELinux/%{modulename}.if \ + %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if + # Hardlink identical policy module packages together /usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux @@ -375,6 +380,8 @@ do done # Fix up non-standard directory context /sbin/restorecon %{_localstatedir}/cache/myapp || : +# Regenerate interfaces information for polgen +/usr/bin/sepolgen-ifgen || : %postun selinux # Clean up after package removal @@ -398,6 +405,7 @@ fi %defattr(-,root,root,0755) %doc SELinux/* %{_datadir}/selinux/*/%{modulename}.pp +%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if %changelog * Mon Jul 31 2006 John Doe 0.01-1 
@@ -425,7 +433,8 @@ BuildRequires: checkpolicy, selinux-pol %if "%{selinux_policyver}" != "" Requires: selinux-policy >= %{selinux_policyver} %endif -Requires(post): /usr/sbin/semodule, /sbin/fixfiles, myapp +Requires(post): /usr/sbin/semodule, /sbin/fixfiles, /usr/bin/sepolgen-ifgen +Requires(post): myapp Requires(postun): /usr/sbin/semodule %prep @@ -461,6 +470,11 @@ do done cd - +# Install SELinux interfaces +install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} +install -p -m 644 SELinux/%{modulename}.if \ + %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if + # Hardlink identical policy module packages together /usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux @@ -476,6 +490,8 @@ do done # Fix up non-standard directory context /sbin/fixfiles -R myapp restore || : +# Regenerate interfaces information for polgen +/usr/bin/sepolgen-ifgen || : %postun # Clean up after package removal @@ -492,6 +508,7 @@ fi %doc ChangeLog AUTHOR COPYING SELinux/* %{_bindir}/myapp %{_datadir}/selinux/*/%{modulename}.pp +%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if %changelog * Mon Jul 31 2006 John Doe 0.01-1 From cra at WPI.EDU Thu Sep 27 15:05:33 2007 
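Review bot: in the %files hunk at @@ -398,6 +405,7 @@ the new entry `%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if` lists the file but nothing owns the directory `%{_datadir}/selinux/devel/include/%{moduletype}` that the install hunk creates, so the subpackage leaves an unowned directory unless another package already provides it; add a `%dir` entry for it or a Requires on the package that ships the devel/include tree. Note also that the `%doc SELinux/*` line two lines above already packages SELinux/%{modulename}.if under the doc directory, so after this patch the interface file is installed twice.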
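Review bot: the %post hunk at @@ -375,6 +380,8 @@ runs `/usr/bin/sepolgen-ifgen || :` after installing the .if, but the `%postun selinux` section visible as trailing context is left untouched, so after the package is removed the interface cache generated by sepolgen-ifgen still describes a .if that no longer exists; add the same guarded call to %postun, and then the `Requires(postun): /usr/sbin/semodule, /sbin/restorecon` line that the first hunk leaves unchanged needs /usr/bin/sepolgen-ifgen as well.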
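Review bot: the second spec in this patch repeats the same pattern, so the same two issues apply there: the %files hunk at @@ -492,6 +508,7 @@ adds the .if without owning `%{_datadir}/selinux/devel/include/%{moduletype}` while `%doc ChangeLog AUTHOR COPYING SELinux/*` already ships the file as documentation, and the %post hunk at @@ -476,6 +490,8 @@ regenerates the interface cache on install but the `%postun` that follows does not regenerate it on removal.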
From: cra at WPI.EDU (Chuck Anderson)
Date: Thu, 27 Sep 2007 11:05:33 -0400
Subject: loopback mounting public_content_t (iso images)
Message-ID: <20070927150533.GG3789@angus.ind.WPI.EDU>

When I reboot my mirror server, I always get these avc's and it fails to automatically mount my iso's:

Sep 27 10:30:33 sinclair kernel: audit(1190903394.348:4): avc: denied { read } for pid=4163 comm="mount" name="enigma-i386-disc1.iso" dev=dm-6 ino=191775508 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file

Here is the corresponding entry from /etc/fstab:

/srv/ftp/pub/linux/distributions/redhat/linux/7.2/en/iso/i386/enigma-i386-disc1.iso /srv/ftp/pub/mnt/enigma-i386-disc1 iso9660 ro,context=system_u:object_r:public_content_t,loop=/dev/loop10,nosuid,nodev 0 0

I tried something like this in /etc/rc.d/rc.local:

    # make loop devices 0-199 and redo mount
    /usr/local/sbin/mkloops
    mount -a

Where "mkloops" does this:

    #!/bin/bash
    #set -x
    # Create the block device nodes /dev/loop0 .. /dev/loop199 (major 7)
    # if they do not exist yet, and make them root:disk.
    for i in 0 1; do
      for j in 0 1 2 3 4 5 6 7 8 9; do
        for k in 0 1 2 3 4 5 6 7 8 9; do
          # Strip leading zeros from the three digits; "000" becomes "0".
          n=$(echo "${i}${j}${k}" | sed -e 's/^0\+//g')
          [ -z "$n" ] && n=0
          [ ! -e "/dev/loop${n}" ] && mknod -m 0640 "/dev/loop${n}" b 7 "${n}"
          chown root:disk "/dev/loop${n}"
        done
      done
    done

Any suggestions on how to allow a file to be loop mounted and also shared via FTP/HTTP/RSYNC?

Thanks.

From cra at WPI.EDU Thu Sep 27 15:10:39 2007
From: cra at WPI.EDU (Chuck Anderson)
Date: Thu, 27 Sep 2007 11:10:39 -0400
Subject: loopback mounting public_content_t (iso images)
In-Reply-To: <20070927150533.GG3789@angus.ind.WPI.EDU>
References: <20070927150533.GG3789@angus.ind.WPI.EDU>
Message-ID: <20070927151039.GH3789@angus.ind.WPI.EDU>

On Thu, Sep 27, 2007 at 11:05:33AM -0400, Chuck Anderson wrote:
> Any suggestions on how to allow a file to be loop mounted and also
> shared via FTP/HTTP/RSYNC?

I forgot to mention, that after bootup, I can log in as root and do this to fix it:

    mount -a

From paul at city-fan.org Thu Sep 27 15:14:07 2007
From: paul at city-fan.org (Paul Howarth) Date: Thu, 27 Sep 2007 16:14:07 +0100 Subject: loopback mounting public_content_t (iso images) In-Reply-To: <20070927151039.GH3789@angus.ind.WPI.EDU> References: <20070927150533.GG3789@angus.ind.WPI.EDU> <20070927151039.GH3789@angus.ind.WPI.EDU> Message-ID: <46FBC8BF.1040309@city-fan.org> Chuck Anderson wrote: > On Thu, Sep 27, 2007 at 11:05:33AM -0400, Chuck Anderson wrote: >> Any suggestions on how to allow a file to be loop mounted and also >> shared via FTP/HTTP/RSYNC? > > I forgot to mention, that after bootup, I can log in as root and do > this to fix it: > > mount -a Try this: setsebool -P allow_mount_anyfile 1 To try this out without rebooting, unmount your loop files and try remounting them using: # service netfs start Try doing this before and after setting the boolean to see what difference it makes. Paul. From dwalsh at redhat.com Fri Sep 28 13:42:09 2007 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 28 Sep 2007 09:42:09 -0400 Subject: .if installation In-Reply-To: <1190903612.7280.11.camel@rxm-581b.stl.gtri.gatech.edu> References: <1190903612.7280.11.camel@rxm-581b.stl.gtri.gatech.edu> Message-ID: <46FD04B1.8080404@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 rob myers wrote: > hello > > it seems like selinux policy module rpms should install their interfaces > into /usr/share/selinux/devel/include, but this is missing from > http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules. > > are there negative consequences of doing so? > > see the suggested changes below. > > rob. > > --- PackagingDrafts-SELinux-PolicyModules.txt.orig 2007-09-27 10:03:39.000000000 -0400 > +++ PackagingDrafts-SELinux-PolicyModules.txt 2007-09-27 10:12:38.000000000 -0400 
> @@ -321,7 +321,7 @@ BuildRequires: checkpolicy, selinux-pol > Requires: selinux-policy >= %{selinux_policyver} > %endif > Requires: %{name} = %{version}-%{release} > -Requires(post): /usr/sbin/semodule, /sbin/restorecon > +Requires(post): /usr/sbin/semodule, /sbin/restorecon, /usr/bin/sepolgen-ifgen > Requires(postun): /usr/sbin/semodule, /sbin/restorecon > > %description selinux > @@ -360,6 +360,11 @@ do > done > cd - > > +# Install SELinux interfaces > +install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} > +install -p -m 644 SELinux/%{modulename}.if \ > + %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if > + > # Hardlink identical policy module packages together > /usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux > > @@ -375,6 +380,8 @@ do > done > # Fix up non-standard directory context > /sbin/restorecon %{_localstatedir}/cache/myapp || : > +# Regenerate interfaces information for polgen > +/usr/bin/sepolgen-ifgen || : > > %postun selinux > # Clean up after package removal > @@ -398,6 +405,7 @@ fi > %defattr(-,root,root,0755) > %doc SELinux/* > %{_datadir}/selinux/*/%{modulename}.pp > +%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if > > %changelog > * Mon Jul 31 2006 John Doe 0.01-1 > @@ -425,7 +433,8 @@ BuildRequires: checkpolicy, selinux-pol > %if "%{selinux_policyver}" != "" > Requires: selinux-policy >= %{selinux_policyver} > %endif > -Requires(post): /usr/sbin/semodule, /sbin/fixfiles, myapp > +Requires(post): /usr/sbin/semodule, /sbin/fixfiles, /usr/bin/sepolgen-ifgen > +Requires(post): myapp > Requires(postun): /usr/sbin/semodule > > %prep 
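Review bot: in the `@@ -321,7 +321,7 @@` hunk, `Requires(post): /usr/sbin/semodule, /sbin/restorecon, /usr/bin/sepolgen-ifgen` turns the package that ships sepolgen-ifgen into a hard install-time dependency of the policy subpackage on every host, including production systems that will never run audit2allow; consider guarding the scriptlet call with `[ -x /usr/bin/sepolgen-ifgen ] && /usr/bin/sepolgen-ifgen || :` instead of adding the path to Requires(post), and either way say in the draft why the dependency is there. The same point applies to the `@@ -425,7 +433,8 @@` hunk for the second spec.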
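Review bot: in the `@@ -360,6 +360,11 @@` hunk the `.if` is installed under `%{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}`, but the only runtime policy requirement visible is `Requires: selinux-policy >= %{selinux_policyver}` and the `@@ -398,6 +405,7 @@` `%files` hunk lists just the `.if`, so the `devel/include/%{moduletype}` directory is neither required from another package nor owned by this one; add a Requires on the package that owns the devel include tree or list the directory in `%files`, and state in the draft which is intended.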
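Review bot: the `@@ -375,6 +380,8 @@` hunk regenerates the interface cache in `%post` (`/usr/bin/sepolgen-ifgen || :`), but the `%postun selinux` section shown in the same hunk's context is untouched, so after removal the cache still advertises the removed module's interfaces until something else runs sepolgen-ifgen; add the same call to `%postun` with a matching `Requires(postun)`. The `|| :` is right for a scriptlet, but note that this full regeneration now runs on every install or upgrade of every module package.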
> @@ -461,6 +470,11 @@ do > done > cd - > > +# Install SELinux interfaces > +install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} > +install -p -m 644 SELinux/%{modulename}.if \ > + %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if > + > # Hardlink identical policy module packages together > /usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux > > @@ -476,6 +490,8 @@ do > done > # Fix up non-standard directory context > /sbin/fixfiles -R myapp restore || : > +# Regenerate interfaces information for polgen > +/usr/bin/sepolgen-ifgen || : > > %postun > # Clean up after package removal > @@ -492,6 +508,7 @@ fi > %doc ChangeLog AUTHOR COPYING SELinux/* > %{_bindir}/myapp > %{_datadir}/selinux/*/%{modulename}.pp > +%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if > > %changelog > * Mon Jul 31 2006 John Doe 0.01-1 > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list I think they should be installed there. You will need to run sepolgen-ifgen if you want audit2allow to find them. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFG/QSxrlYvE4MpobMRAqcPAJ9bZsc0PIJZ06UrAQedpi+rKedDYgCeLr1J Ab2M9pov6aSu+MddlycEFTU= =NrP5 -----END PGP SIGNATURE----- From cra at WPI.EDU Fri Sep 28 14:31:14 2007 
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 28 Sep 2007 10:31:14 -0400
Subject: loopback mounting public_content_t (iso images)
In-Reply-To: <46FBC8BF.1040309@city-fan.org>
References: <20070927150533.GG3789@angus.ind.WPI.EDU> <20070927151039.GH3789@angus.ind.WPI.EDU> <46FBC8BF.1040309@city-fan.org>
Message-ID: <20070928143114.GK3789@angus.ind.WPI.EDU>

On Thu, Sep 27, 2007 at 04:14:07PM +0100, Paul Howarth wrote:
> setsebool -P allow_mount_anyfile 1
>
> To try this out without rebooting, unmount your loop files and try
> remounting them using:
>
> # service netfs start
>
> Try doing this before and after setting the boolean to see what
> difference it makes.

That works, thanks!

From ian-list at securitypimp.com Fri Sep 28 14:48:15 2007
From: ian-list at securitypimp.com (Ian Lists)
Date: Fri, 28 Sep 2007 14:48:15 +0000 (UTC)
Subject: Allowing httpd to connect to specific sockets
In-Reply-To: <46F8325B.5020006@redhat.com>
Message-ID: <28655593.1431190990895881.JavaMail.root@postal.insourcedsecurity.com>

This howto is exactly what I have been looking for. I am trying to allow
apache to connect to a listening stunnel process at localhost:9002. I
think I have created mystunnel.te correctly, but I keep getting errors
when I try to run the make against it.

Here are the steps I have taken so far.

# cat > mystunnel.te << _EOF
policy_module(mystunnel,1.0.0)

gen_require(\`
	type httpd_t;
')

type stunnel_port_t;
corenet_port(stunnel_port_t)

allow httpd_t stunnel_port_t:tcp_socket name_connect;
_EOF

# make -f/usr/share/selinux/devel/Makefile
Compiling targeted mystunnel module
/usr/bin/checkmodule: loading policy configuration from tmp/mystunnel.tmp
mystunnel.te:8:ERROR 'syntax error' at token 'corenet_port' on line 77035:
type stunnel_port_t;
corenet_port(stunnel_port_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/mystunnel.mod] Error 1

Thanks,

Ian

----- Original Message -----
From: "Daniel J Walsh" To: "Jason L Tibbitts III" Cc: fedora-selinux-list at redhat.com Sent: Monday, September 24, 2007 5:55:39 PM (GMT-0500) America/New_York Subject: Re: Allowing httpd to connect to specific sockets -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jason L Tibbitts III wrote: > So I have this AVC: > > avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket > > which comes from a PHP script trying to open a socket. This is no big > deal. I believe that setting httpd_can_network_connect should fix it. > However, I was wondering if it's possible to restrict the destination > port to 9680, or restrict the destination host at all? > > - J< > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Hope you don't mind but I answered in my blog. http://danwalsh.livejournal.com/12928.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFG+DJbrlYvE4MpobMRAiH4AJ4u6HrNAnDB1Yp5gjWdMOlx6KwHwQCguAcA h5GSxWz/Qp2XcGIdwJIDZrA= =waZt -----END PGP SIGNATURE----- -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list From dwalsh at redhat.com Fri Sep 28 15:22:10 2007 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 28 Sep 2007 11:22:10 -0400
Subject: Allowing httpd to connect to specific sockets
In-Reply-To: <28655593.1431190990895881.JavaMail.root@postal.insourcedsecurity.com>
References: <28655593.1431190990895881.JavaMail.root@postal.insourcedsecurity.com>
Message-ID: <46FD1C22.2090005@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ian Lists wrote:
> This howto is exactly what I have been looking for. I am trying to allow
> apache to connect to a listening stunnel process at localhost:9002. I
> think I have created mystunnel.te correctly, but I keep getting errors
> when I try to run the make against it.
>
> Here are the steps I have taken so far.
>
>
> # cat > mystunnel.te << _EOF
> policy_module(mystunnel,1.0.0)
>
> gen_require(\`
> 	type httpd_t;
> ')
>
> type stunnel_port_t;
> corenet_port(stunnel_port_t)
>
> allow httpd_t stunnel_port_t:tcp_socket name_connect;
> _EOF
>
> # make -f/usr/share/selinux/devel/Makefile
> Compiling targeted mystunnel module
> /usr/bin/checkmodule: loading policy configuration from tmp/mystunnel.tmp
> mystunnel.te:8:ERROR 'syntax error' at token 'corenet_port' on line 77035:
> type stunnel_port_t;
> corenet_port(stunnel_port_t)
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/mystunnel.mod] Error 1
>
>

What version of the policy are you using?

You can just remove this corenet_port call for now, I believe everything
will still work.

grep -r corenet_port /usr/share/selinux/devel/include

> Thanks,
>
> Ian
>
>
> ----- Original Message -----
> From: "Daniel J Walsh" > To: "Jason L Tibbitts III" > Cc: fedora-selinux-list at redhat.com > Sent: Monday, September 24, 2007 5:55:39 PM (GMT-0500) America/New_York > Subject: Re: Allowing httpd to connect to specific sockets > > Jason L Tibbitts III wrote: >> So I have this AVC: > >> avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket > >> which comes from a PHP script trying to open a socket. This is no big >> deal. I believe that setting httpd_can_network_connect should fix it. >> However, I was wondering if it's possible to restrict the destination >> port to 9680, or restrict the destination host at all? > >> - J< > >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Hope you don't mind but I answered in my blog. > > > http://danwalsh.livejournal.com/12928.html > > > - -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list - -- fedora-selinux-list mailing list fedora-selinux-list at redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFG/RwirlYvE4MpobMRAoBsAKDVU2o4BEK2KxsMCUO1cdqic+8o8QCgyD6W tSmG7IqjiFxsKcCudw0pXk4= =VNRS -----END PGP SIGNATURE----- From selinux at gmail.com Fri Sep 28 17:47:25 2007 
From: selinux at gmail.com (Tom London)
Date: Fri, 28 Sep 2007 10:47:25 -0700
Subject: tmpreaper and /var/cache/man
Message-ID: <4c4ba1530709281047r61f4c571w8af7bb0f83cbec6f@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

tmpreaper is complaining about /var/cache/man:

/etc/cron.daily/tmpwatch:

error: opendir error on current directory /var/cache/man/cat1: Permission denied
error: cleanup failed in /var/cache/man/cat1: Permission denied
error: opendir error on current directory /var/cache/man/cat2: Permission denied
error: cleanup failed in /var/cache/man/cat2: Permission denied
error: opendir error on current directory /var/cache/man/cat3: Permission denied
error: cleanup failed in /var/cache/man/cat3: Permission denied
error: opendir error on current directory /var/cache/man/cat4: Permission denied
error: cleanup failed in /var/cache/man/cat4: Permission denied
<<<<>>>>

and

type=AVC msg=audit(1191001312.606:91): avc: denied { read } for pid=12019 comm="tmpwatch" name="cat9" dev=dm-0 ino=65624 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=SYSCALL msg=audit(1191001312.606:91): arch=40000003 syscall=5 success=no exit=-13 a0=804ac12 a1=98800 a2=fd00 a3=0 items=0 ppid=11987 pid=12019 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)
type=AVC msg=audit(1191001312.608:92): avc: denied { read } for pid=12020 comm="tmpwatch" name="catn" dev=dm-0 ino=65625 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=SYSCALL msg=audit(1191001312.608:92): arch=40000003 syscall=5 success=no exit=-13 a0=804ac12 a1=98800 a2=fd00 a3=0 items=0 ppid=11987 pid=12020 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)

or

#============= tmpreaper_t ==============
allow tmpreaper_t man_t:dir read;

[Guessing it wants more than just 'read'.....]

tom
-- 
Tom London

From fenn at stanford.edu Sun Sep 30 09:06:22 2007
From: fenn at stanford.edu (Tim Fenn)
Date: Sun, 30 Sep 2007 05:06:22 -0400
Subject: dhclient-script avc error f7
Message-ID: <20070930090621.GA5632@stanford.edu>

I recently upgraded a machine from FC6 to F7, and I used to use a
/etc/dhclient-exit-hooks script to call some iptables functions after
bringing up my external interface. This used to work on FC6 as long as I
setsebool -P dhcpc_disable_trans 1, but the policy in F7 no longer
contains such a boolean, so dhclient-script is prevented from
getattr/executing iptables. Is there a simple fix to this, or do I need
to write a policy and compile it? If the latter, any pointers on what
the policy file should contain?

Thanks for any help,
tim

From selinux at gmail.com Sun Sep 30 17:29:04 2007
From: selinux at gmail.com (Tom London)
Date: Sun, 30 Sep 2007 10:29:04 -0700
Subject: logrotate and /var/log/rpmpkgs ....
Message-ID: <4c4ba1530709301029u3488ee93ha822e588a0de0c31@mail.gmail.com>

Running latest Rawhide, targeted/enforcing.

When cron runs logrotate, I get AVC on access to /var/log/rpmpkgs:

type=AVC msg=audit(1191172944.569:41): avc: denied { getattr } for pid=6581 comm="logrotate" path="/var/log/rpmpkgs" dev=dm-0 ino=99163 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
type=SYSCALL msg=audit(1191172944.569:41): arch=40000003 syscall=195 success=no exit=-13 a0=8931228 a1=bfa7b320 a2=5b67ff4 a3=0 items=0 ppid=6579 pid=6581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0 key=(null)

Should there be a directory in /var/log for these logs (with the
appropriate label)?

tom
-- 
Tom London
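As an added example (not code from this thread, from audit2allow or from any of the posters), the script below parses AVC lines like the ones quoted in the messages above, merges the denied permissions per source type, target type and object class the way audit2allow does, and marks rules whose target type is a generic label, where, as the tmpreaper and logrotate messages suggest, a relabel or a boolean is usually the right fix rather than a local allow rule. The sample lines are copied from this thread; the GENERIC_TARGETS set is my own heuristic, not anything SELinux defines.

```python
import re
from collections import defaultdict
# Constructed sample input: the AVC denials quoted in this thread (mount, httpd,
# tmpwatch, logrotate), one per line; the SYSCALL records are left out.
SAMPLE_AVCS = """\
audit(1190903394.348:4): avc: denied { read } for pid=4163 comm="mount" name="enigma-i386-disc1.iso" dev=dm-6 ino=191775508 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
avc: denied { name_connect } for pid=9045 comm="httpd" dest=9680 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1191001312.606:91): avc: denied { read } for pid=12019 comm="tmpwatch" name="cat9" dev=dm-0 ino=65624 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1191001312.608:92): avc: denied { read } for pid=12020 comm="tmpwatch" name="catn" dev=dm-0 ino=65625 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1191172944.569:41): avc: denied { getattr } for pid=6581 comm="logrotate" path="/var/log/rpmpkgs" dev=dm-0 ino=99163 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
"""
# Permission set plus the three fields audit2allow keys on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
# Constructed heuristic (not an SELinux-defined set): target types where an allow rule
# is usually the wrong fix. root_t on /var/log/rpmpkgs means a mislabelled file, and
# port_t covers every unreserved port, so allowing it is far wider than one port.
GENERIC_TARGETS = {'root_t', 'port_t', 'default_t', 'unlabeled_t'}

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scontext').split(':')[2]   # user:role:type[:level]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def collect_rules(text):
    """Merge denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def format_rules(rules):
    """Render merged denials as allow rules; generic targets get a review marker."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        note = '  # generic target: relabel or boolean first' if ttype in GENERIC_TARGETS else ''
        out.append('allow %s %s:%s %s;%s' % (stype, ttype, tclass, perm_str, note))
    return out
```

The merged rules only reflect denials that were actually logged; in enforcing mode the first denial aborts the operation, so, as the tmpreaper message guesses, granting 'read' will usually surface further permissions on the next run.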