From jmorris at namei.org Tue Apr 1 23:41:01 2008
From: jmorris at namei.org (James Morris)
Date: Wed, 2 Apr 2008 10:41:01 +1100 (EST)
Subject: ANN: SELinux Developer Summit 2008, Ottawa
Message-ID:

----------------------------------------------------------------------------
SELinux Developer Summit 2008, Ottawa
----------------------------------------------------------------------------

This is to announce the 2008 SELinux Developer Summit, which is to be held in Ottawa on the 22nd of July, as an OLS mini-summit.

The SELinux Developer Summit will be a one day summit intended to provide a forum for focused technical discussion regarding current and future development plans for SELinux and related Flask/TE projects.

The intended audience will consist of current SELinux developers, system/security administrators, distribution organizers/packagers, and power users.

The format will be a mix of presentations and moderated discussion, including a panel where attendees will be invited to submit questions and feedback.

** This will be an open event, although, to attend, you will be required to be registered for the 2008 Linux Symposium. **

A Call for Participation (CFP) will be issued on 7th April, 2008. If you wish to submit a presentation or panel topic, please do so then.

To contact the organizing team, send email to: selinux-summit-team AT namei.org

Also refer to the resources below for more information.
[1] SELinux Developer Summit: http://selinuxproject.org/page/Developer_Summit_2008
[2] OLS mini-summits: http://www.linuxsymposium.org/2008/minisummits.php

----------------------------------------------------------------------------

--
James Morris

From lordmorgul at gmail.com Wed Apr 2 07:14:55 2008
From: lordmorgul at gmail.com (Andrew Farris)
Date: Wed, 2 Apr 2008 00:14:55 -0700
Subject: preventing console-kit-dae (consolekit_t) "read" to (polkit_var_lib_t) on restart
Message-ID: <8b14d9940804020014v36a1f2b9l4187702fdb89093e@mail.gmail.com>

This occurs on Rawhide when trying to 'Restart' from Gnome System menu. My user does have policykit authorization to restart the system (others logged in or not) and to shutdown the system, but neither work. At the moment I have to logout, then switch to VT1 and reboot. GDM cannot restart either.

SELinux is preventing console-kit-dae (consolekit_t) "read" to ./org.freedesktop.hal.device-access.sound.override (polkit_var_lib_t).

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:polkit_var_lib_t:s0
Target Objects                ./org.freedesktop.hal.device-access.sound.override [ file ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port
Host                          cirithungol
Source RPM Packages           ConsoleKit-0.2.10-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-26.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.25-0.172.rc7.git4.fc9.i686 #1 SMP Fri Mar 28 21:46:59 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 02 Apr 2008 12:00:41 AM PDT
Last Seen                     Wed 02 Apr 2008 12:00:41 AM PDT
Local ID                      bade6013-09c9-4ca8-afba-3632172a3fc9
Line Numbers

Raw Audit Messages

host=cirithungol type=AVC msg=audit(1207119641.661:3387): avc: denied { read } for pid=2192 comm="console-kit-dae" name="org.freedesktop.hal.device-access.sound.override" dev=dm-0 ino=727047
scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:polkit_var_lib_t:s0 tclass=file

host=cirithungol type=SYSCALL msg=audit(1207119641.661:3387): arch=40000003 syscall=5 success=no exit=-13 a0=98d1918 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=2192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

--
Andrew Farris
www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture.
- Daniel Geer

From lordmorgul at gmail.com Wed Apr 2 07:27:38 2008
From: lordmorgul at gmail.com (Andrew Farris)
Date: Wed, 2 Apr 2008 00:27:38 -0700
Subject: samba ro filesystems bool not effective
Message-ID: <8b14d9940804020027j6d5b20f1hf725204d57aa8704@mail.gmail.com>

This denial is preventing access to a filesystem I have shared via samba. Whenever a system connects to the samba share the denial occurs several times, and the share is empty when viewed from the client. My home dir can be shared fine through samba but not /media/archive (see below).

Filesystem is mounted by:
LABEL=archive /media/archive vfat auto,rw,async,users,group,nosuid,noexec,shortname=lower,fmask=0013,dmask=0002,gid=555 0 0

> ls -alFshnZ
drwxrwxr-x 0 555 system_u:object_r:dosfs_t:s0 archive/

I have already setsebool -P samba_export_all_ro=1 and verified it is set in system-config-selinux. It seems not to have any effect here.

I set (true): samba_export_all_ro, samba_export_all_rw, samba_export_fusefs
I set (false): samba_enable_home_dirs, use_samba_home_dirs, samba_run_unconfined

With those settings... my home dir is shared and accessible via samba, but the ro share is not. What is going on here?

SELinux is preventing the samba daemon from serving r/o local files to remote clients.
Detailed Description:

SELinux has preventing the samba daemon (smbd) from reading files on the local system. If you have not exported these file systems, this could signals an intrusion.

Allowing Access:

If you want to export file systems using samba you need to turn on the samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".

Fix Command:

setsebool -P samba_export_all_ro=1

Additional Information:

Source Context                unconfined_u:system_r:smbd_t:s0
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                / [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port
Host                          cirithungol
Source RPM Packages           samba-3.2.0-1.pre2.8.fc9
Target RPM Packages           filesystem-2.4.12-1.fc9
Policy RPM                    selinux-policy-3.3.1-26.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_export_all_ro
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.25-0.172.rc7.git4.fc9.i686 #1 SMP Fri Mar 28 21:46:59 EDT 2008 i686 i686
Alert Count                   40
First Seen                    Mon 31 Mar 2008 11:18:08 PM PDT
Last Seen                     Tue 01 Apr 2008 02:30:29 PM PDT
Local ID                      431fbfb7-e677-45d9-98b9-0a23ea0ab572
Line Numbers

Raw Audit Messages

host=cirithungol type=AVC msg=audit(1207085429.4:3307): avc: denied { read } for pid=10886 comm="smbd" name="/" dev=sdc3 ino=1 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir

host=cirithungol type=SYSCALL msg=audit(1207085429.4:3307): arch=40000003 syscall=5 success=no exit=-13 a0=b9157d60 a1=98800 a2=2f a3=b9157d10 items=0 ppid=6064 pid=10886 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)

--
Andrew Farris
www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture.
- Daniel Geer

From phosmane at ntis.gov Wed Apr 2 17:22:05 2008
From: phosmane at ntis.gov (pselinux)
Date: Wed, 2 Apr 2008 10:22:05 -0700 (PDT)
Subject: php with oci8
Message-ID: <16447650.post@talk.nabble.com>

Hi,

I am compiling php 5.2.5 with OCI8 on centOS 5. I have installed the following from oracle

oracle-instantclient-basic-10.2.0.3-1
oracle-instantclient-sqlplus-10.2.0.3-1
oracle-instantclient-devel-10.2.0.3-1

These were the compile options used while configuring php

'./configure' '--prefix=/usr/local/php-5.2.5' '--cache-file=../config.cache'
'--with-libdir=lib' '--with-config-file-path=/usr/local/php-5.2.5/etc'
'--with-config-file-scan-dir=/usr/local/php-5.2.5/etc/php.d'
'--disable-debug' '--with-pic' '--disable-rpath' '--with-pear' '--with-bz2'
'--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr'
'--with-png-dir=/usr' '--enable-gd-native-ttf' '--with-gettext' '--with-gmp'
'--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pspell'
'--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif'
'--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem'
'--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx' '--with-kerberos'
'--enable-ucd-snmp-hack' '--with-snmp=shared,/usr'
'--with-unixODBC=shared,/usr' '--enable-shmop' '--enable-calendar'
'--with-mime-magic=/etc/httpd/conf/magic' '--without-sqlite'
'--with-libxml-dir=/usr' '--enable-dom=shared' '--with-pgsql=shared'
'--disable-dba' '--disable-xmlreader' '--disable-xmlwriter' '--without-gdbm'
'--with-gd=shared' '--with-imap=shared' '--with-imap-ssl'
'--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/bin/mysql_config'
'--enable-mbstring=shared' '--enable-mbregex' '--with-libmbfl'
'--with-pdo-mysql=shared,/usr/bin/mysql_config' '--enable-pdo=shared'
'--with-pdo-odbc=shared,unixODBC,/usr' '--with-xmlrpc=shared'
'--with-ncurses=shared' '--with-ldap=shared' '--with-pdo-pgsql=shared,/usr'
'--without-pdo-sqlite' '--with-db4=/usr' '--enable-force-cgi-redirect'
'--enable-pcntl' '--with-xsl=shared,/usr' '--enable-xmlreader=shared'
'--enable-xmlwriter=shared' '--enable-fastcgi' '--enable-cgi'
'--with-apxs2=/usr/sbin/apxs'
'--with-oci8=shared,instantclient,/usr/lib/oracle/10.2.0.3/client/lib'
'--enable-sigchild'

Compile and install was successful. Apache was not working and these are the sealert messages, I am putting here only summary, raw audit message and suggestions, which I followed in the same order below to make Apache work

1. Summary

SELinux is preventing /usr/local/php-5.2.5/bin/php from loading /usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so which requires text relocation.

Raw Audit Messages

avc: denied { execmod } for comm="php" dev=dm-0 egid=0 euid=0 exe="/usr/local/php-5.2.5/bin/php" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" pid=27356 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=0

chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.3/client/lib/*.so

2. SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to (httpd_t).

Raw Audit Messages

avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27907 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0

setsebool -P httpd_disable_trans=1

3. Summary

SELinux is preventing /usr/sbin/httpd from changing the access protection of memory on the heap.
Raw Audit Messages

avc: denied { execheap } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3913 scontext=root:system_r:initrc_t:s0 sgid=0 subj=root:system_r:initrc_t:s0 suid=0 tclass=process tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0

setsebool -P allow_execheap=1

Has anybody compiled PHP 5 with Oracle client on Redhat or Centos 5 without any selinux issues? Is this a known issue, or are my procedures wrong? I have tried compiling a couple of weeks back with Red Hat ent5 php source rpms and got the same selinux errors. Any possible help to put back allow_execheap=0 httpd_disable_trans=0.

Thanks.

--
View this message in context: http://www.nabble.com/php-with-oci8-tp16447650p16447650.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.

From sundaram at fedoraproject.org Thu Apr 3 03:49:36 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Thu, 03 Apr 2008 09:19:36 +0530
Subject: enabling selinux
Message-ID: <47F453D0.6050201@fedoraproject.org>

Hi,

I did a yum upgrade from Fedora 8 to Rawhide and disabled SELinux during the upgrade just to avoid issues. Now that I finished upgrading, I tried setting it to on and in enforcing mode. Relabeling proceeded as expected though seemed slower than usual. After bootup, I noticed that it says it is in permissive mode. Lots of things have changed including the init system and I am not sure what to check. Can someone help me out?

# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

----

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          error (Success)
Policy version:                 22
Policy from config file:        targeted

# rpm -qa | grep -i selinux
libselinux-2.0.61-1.fc9.i386
selinux-policy-targeted-3.3.1-26.fc9.noarch

Rahul

From lordmorgul at gmail.com Thu Apr 3 04:09:05 2008
From: lordmorgul at gmail.com (Andrew Farris)
Date: Wed, 02 Apr 2008 21:09:05 -0700
Subject: enabling selinux
In-Reply-To: <47F45723.5040702@gmail.com>
References: <47F453D0.6050201@fedoraproject.org> <47F45723.5040702@gmail.com>
Message-ID: <47F45861.9060502@gmail.com>

Andrew Farris wrote:
> Rahul Sundaram wrote:
>> # rpm -qa | grep -i selinux
>>
>> libselinux-2.0.61-1.fc9.i386
>> selinux-policy-targeted-3.3.1-26.fc9.noarch
>
> You're missing the main policy rpm:
> yum install selinux-policy

Sry, first reply went off-list. You need the policy as well as sub-policy, so you'd want selinux-policy and selinux-policy-targeted or selinux-policy and selinux-policy-mls for instance.

--
Andrew Farris
www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture.
- Daniel Geer

From sundaram at fedoraproject.org Thu Apr 3 05:20:51 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Thu, 03 Apr 2008 10:50:51 +0530
Subject: enabling selinux
In-Reply-To: <47F45861.9060502@gmail.com>
References: <47F453D0.6050201@fedoraproject.org> <47F45723.5040702@gmail.com> <47F45861.9060502@gmail.com>
Message-ID: <47F46933.7070702@fedoraproject.org>

Andrew Farris wrote:
> Andrew Farris wrote:
>> Rahul Sundaram wrote:
>>> # rpm -qa | grep -i selinux
>>>
>>> libselinux-2.0.61-1.fc9.i386
>>> selinux-policy-targeted-3.3.1-26.fc9.noarch
>>
>> You're missing the main policy rpm:
>> yum install selinux-policy
>
> Sry, first reply went off-list. You need the policy as well as
> sub-policy, so you'd want selinux-policy and selinux-policy-targeted or
> selinux-policy and selinux-policy-mls for instance.

That doesn't make any difference. I have

# rpm -qa | grep -i selinux
libselinux-2.0.61-1.fc9.i386
selinux-policy-targeted-3.3.1-26.fc9.noarch
selinux-policy-3.3.1-26.fc9.noarch
libselinux-python-2.0.61-1.fc9.i386

sestatus still shows permissive.

Rahul

From sundaram at fedoraproject.org Thu Apr 3 05:37:13 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Thu, 03 Apr 2008 11:07:13 +0530
Subject: enabling selinux
In-Reply-To: <4D25F22093241741BC1D0EEBC2DBB1DA011FAC1199@EX-SEA5-D.ant.amazon.com>
References: <47F453D0.6050201@fedoraproject.org> <4D25F22093241741BC1D0EEBC2DBB1DA011FAC1199@EX-SEA5-D.ant.amazon.com>
Message-ID: <47F46D09.2010607@fedoraproject.org>

Nesser, Phil wrote:
> - From your email below:
>
> > # cat /etc/selinux/config
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #       enforcing - SELinux security policy is enforced.
> #       permissive - SELinux prints warnings instead of enforcing.
> #       disabled - SELinux is fully disabled.
> SELINUX=enabled
> ^^^^^^^^^^^^^^^
>
> Change to: SELINUX=enforcing
>
> SELINUX=enabled gets you permissive mode.

Duh. Thanks.

Rahul

From jmorris at namei.org Fri Apr 4 10:16:06 2008
From: jmorris at namei.org (James Morris)
Date: Fri, 4 Apr 2008 21:16:06 +1100 (EST)
Subject: ANN: 2008 SELinux Developer Summit CFP
Message-ID:

---------------------------------------------------------------------------
2008 SELinux Developer Summit Call For Participation (CFP)
---------------------------------------------------------------------------

The call for participation for the 2008 SELinux Developer Summit is now open. The summit will be held July 22nd in Ottawa.

See the original announcement[1] for the summit and the summit wiki page[2] for background about the summit and summaries of prior summits.

Note that all attendees of the mini-summit must be registered as attendees of the Linux Symposium [3].

The focus of this year's summit will be usability and infrastructure. Usability topics of interest include (but are not limited to) policy development, administration, and desktop integration. Infrastructure topics of interest include (but are not limited to) embedded systems, label translation, userspace object managers, network filesystems, and labeled networking.

Other topics relating to SELinux technology, flexible mandatory access control, and its application to real-world problems are also of interest for this symposium. Such topics might include:

* Updates on the various Linux distributions using SELinux
* Flexible MAC in other operating systems
* Case studies and application experience with flexible MAC
* User and customer concerns and needs

Forms of participation include:

* Technical presentations (20-30 minutes each, papers are optional)
* Discussions (submitter acts as facilitator)
* Panels (submitter acts as moderator)
* Lightning talks (work-in-progress reports)

No marketing pitches will be accepted.
Proposals may be sent to the organizing team at: selinux-summit-team AT namei.org

In your proposal, please identify the form of participation, the amount of time you expect to need, and a title and abstract describing the topic you wish to cover.

If you wish to attend the summit without presenting, please also send a notification of your intent to attend to the organizing team at the above alias.

** Whether presenting or just attending, you must register for the Linux Symposium[3] in order to attend the SELinux Developer Summit. **

This CFP will end on April 18. Participants will be notified by April 25, and the schedule will be published on April 02.

[1] SELinux Summit announcement, http://marc.info/?l=selinux&m=120716549912011&w=2
[2] SELinux Summit wiki page, http://selinuxproject.org/page/Developer_Summit_2008
[3] Linux Symposium, http://www.linuxsymposium.org/2008/

----------------------------------------------------------------------------

--
James Morris

From dwalsh at redhat.com Sat Apr 5 11:26:20 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 05 Apr 2008 07:26:20 -0400
Subject: php with oci8
In-Reply-To: <16447650.post@talk.nabble.com>
References: <16447650.post@talk.nabble.com>
Message-ID: <47F761DC.8000901@redhat.com>

pselinux wrote:
> Hi,
> I am compiling php 5.2.5 with OCI8 on centOS 5.
> I have installed the
> following from oracle
>
> oracle-instantclient-basic-10.2.0.3-1
> oracle-instantclient-sqlplus-10.2.0.3-1
> oracle-instantclient-devel-10.2.0.3-1
>
> These were the compile used while configure php
>
> './configure' '--prefix=/usr/local/php-5.2.5' '--cache-file=../config.cache'
> '--with-libdir=lib' '--with-config-file-path=/usr/local/php-5.2.5/etc'
> '--with-config-file-scan-dir=/usr/local/php-5.2.5/etc/php.d'
> '--disable-debug' '--with-pic' '--disable-rpath' '--with-pear' '--with-bz2'
> '--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr'
> '--with-png-dir=/usr' '--enable-gd-native-ttf' '--with-gettext' '--with-gmp'
> '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pspell'
> '--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif'
> '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem'
> '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx' '--with-kerberos'
> '--enable-ucd-snmp-hack' '--with-snmp=shared,/usr'
> '--with-unixODBC=shared,/usr' '--enable-shmop' '--enable-calendar'
> '--with-mime-magic=/etc/httpd/conf/magic' '--without-sqlite'
> '--with-libxml-dir=/usr' '--enable-dom=shared' '--with-pgsql=shared'
> '--disable-dba' '--disable-xmlreader' '--disable-xmlwriter' '--without-gdbm'
> '--with-gd=shared' '--with-imap=shared' '--with-imap-ssl'
> '--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/bin/mysql_config'
> '--enable-mbstring=shared' '--enable-mbregex' '--with-libmbfl'
> '--with-pdo-mysql=shared,/usr/bin/mysql_config' '--enable-pdo=shared'
> '--with-pdo-odbc=shared,unixODBC,/usr' '--with-xmlrpc=shared'
> '--with-ncurses=shared' '--with-ldap=shared' '--with-pdo-pgsql=shared,/usr'
> '--without-pdo-sqlite' '--with-db4=/usr' '--enable-force-cgi-redirect'
> '--enable-pcntl' '--with-xsl=shared,/usr' '--enable-xmlreader=shared'
> '--enable-xmlwriter=shared' '--enable-fastcgi' '--enable-cgi'
> '--with-apxs2=/usr/sbin/apxs'
> '--with-oci8=shared,instantclient,/usr/lib/oracle/10.2.0.3/client/lib'
> '--enable-sigchild'
>
> Compile and install was successful. Apache was not working and these are the
> sealert messages, i am putting here only summary, raw audit message and
> suggestions, which i followed in the same order below to make Apache work
>
>
> 1. Summary
> SELinux is preventing /usr/local/php-5.2.5/bin/php from loading
> /usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so which requires text
> relocation.
>
> Raw Audit Messages
>
> avc: denied { execmod } for comm="php" dev=dm-0 egid=0 euid=0
> exe="/usr/local/php-5.2.5/bin/php" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" pid=27356
> scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
> subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=0
>
> chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.3/client/lib/*.so
>
>
> 2. SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to
> (httpd_t).
> Raw Audit Messages
>
> avc: denied { execstack } for comm="httpd" egid=0 euid=0
> exe="/usr/sbin/httpd"
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27907
> scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
> suid=0
> tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
>
> setsebool -P httpd_disable_trans=1
>
> 3. Summary
> SELinux is preventing /usr/sbin/httpd from changing the access
> protection of
> memory on the heap.
> Raw Audit Messages
>
> avc: denied { execheap } for comm="httpd" egid=0 euid=0
> exe="/usr/sbin/httpd"
> exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3913
> scontext=root:system_r:initrc_t:s0
> sgid=0 subj=root:system_r:initrc_t:s0 suid=0 tclass=process
> tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0
>
> setsebool -P allow_execheap=1
>
>
>
> Has anybody compiled PHP 5 with Oracle client on Redhat or Centos 5 with out
> any selinux issues?
> Is this a known issue or are my procedures wrong? I have tried compiling a
> couple of weeks back with Red Hat ent5 php source rpms and got the same
> selinux errors. Any possible help to put back allow_execheap=0
> httpd_disable_trans=0.
>
> Thanks.

Seems the oracle php application is doing some bad things with memory. It is
basically attempting to make it both writeable and executable at the same time.
This can cause potential problems as described in
http://people.redhat.com/~drepper/selinux-mem.html and
http://danwalsh.livejournal.com/16975.html

You should probably report this as a bug to oracle, and you can customize your
policy to allow this access using audit2allow

# grep http /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This should allow you to run these oracle apps with SELinux in enforcing mode.

From phosmane at ntis.gov Sat Apr 5 14:49:36 2008
From: phosmane at ntis.gov (Pad Hosmane)
Date: Sat, 5 Apr 2008 10:49:36 -0400
Subject: php with oci8
In-Reply-To: <47F761DC.8000901@redhat.com>
References: <16447650.post@talk.nabble.com> <47F761DC.8000901@redhat.com>
Message-ID: <8647E63ABA86C941B70F1058189C22E5065BB226@ntis_exchange.ntis2.gov>

> > Has anybody compiled PHP 5 with Oracle client on Redhat or Centos 5 without
> > any selinux issues? Is this a known issue or are my procedures wrong? I
> > have tried compiling a couple of weeks back with Red Hat ent5 php source
> > rpms and got the same selinux errors. Any possible help to put back
> > allow_execheap=0 httpd_disable_trans=0.
> >
> > Thanks.
>
> Seems the oracle php application is doing some bad things with memory. It is
> basically attempting to make it both writeable and executable at the same time.
> This can cause potential problems as described in
> http://people.redhat.com/~drepper/selinux-mem.html and
> http://danwalsh.livejournal.com/16975.html
>
> You should probably report this as a bug to oracle, and you can customize
> your policy to allow this access using audit2allow
>
> # grep http /var/log/audit/audit.log | audit2allow -M myhttp
> # semodule -i myhttp.pp
>
> This should allow you to run these oracle apps with SELinux in enforcing mode.

Hi Dan,

Thank you for the reply. I found this on the Oracle website:

----------------------------------------------------------------------------
5.2 Error While Loading Shared Library When SELinux is Enforcing on Oracle
Enterprise Linux 5.0 and Red Hat Enterprise Linux 5.0

SQL*Plus and Oracle Call Interface (OCI) program calls fail with SELinux in
the Enforcing mode on Oracle Enterprise Linux 5.0 and Red Hat Enterprise
Linux 5.0. Refer to the OracleMetaLink note 454196.1 for more details about
the issue.

Workaround: Shift SELinux to Permissive mode on the system.

This issue is tracked with Oracle bugs 6140224 and 6342166.
----------------------------------------------------------------------------

The above comment can be found at:
http://download.oracle.com/docs/cd/B28359_01/relnotes.111/b32001/toc.htm#CJAFABGC

I don't have Oracle MetaLink access to get more details.
Thanks,
PH

From valent.turkovic at gmail.com Sun Apr 6 08:37:24 2008
From: valent.turkovic at gmail.com (Valent Turkovic)
Date: Sun, 6 Apr 2008 10:37:24 +0200
Subject: gconf alert
In-Reply-To: <47F7D134.8030404@redhat.com>
References: <64b14b300803210436s4042e579n9519c9d211a87dba@mail.gmail.com> <64b14b300803250234l6393f54bs9b0ae63322bfe52c@mail.gmail.com> <64b14b300803250251p698a8cc6wb679ddebcc320133@mail.gmail.com> <64b14b300803270308g1dd84d2av247ed1f3ba31e651@mail.gmail.com> <64b14b300803270339m79ba848x44b6d949c598651e@mail.gmail.com> <47EBDB28.5070302@redhat.com> <64b14b300803280447w18c862bcnac23b26617c86056@mail.gmail.com> <47EE7494.3040609@redhat.com> <64b14b300804010138t6afbc61am68e3a0a35360e734@mail.gmail.com> <47F7D134.8030404@redhat.com>
Message-ID: <64b14b300804060137u4354117j4e006ece9ff13b81@mail.gmail.com>

On Sat, Apr 5, 2008 at 9:21 PM, Daniel J Walsh wrote:
> Valent Turkovic wrote:
> > On Sat, Mar 29, 2008 at 6:55 PM, Daniel J Walsh wrote:
> >> Valent Turkovic wrote:
> >>> On Thu, Mar 27, 2008 at 6:36 PM, John Dennis wrote:
> >>>> Valent Turkovic wrote:
> >>>>> I'm creating live cds under rawhide and I have selinux in permissive
> >>>>> mode, could that be reason I'm seeing these hundreds of alerts?
> >>>>
> >>>> https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00130.html
> >>>>
> >>>> --
> >>>> John Dennis
> >>>
> >>> Ok, I'm an idiot :) I got so much going on at once (work, moving to
> >>> a new apartment, etc...) that I totally forgot I got this replied
> >>> already.
> >>>
> >>> But I want to keep in permissive and not enforcing mode so is just
> >>> "load_policy" enough?
> >>>
> >>> Cheers,
> >>> Valent.
> >>
> >> load_policy and you might need to kill any processes that are running as
> >> unlabeled_t. Potentially you could have files that are mislabeled.
> >
> > I made several load_policy and relabels with reboot and I still see
> > these errors!
> > Do you have any idea why?
> >
> > Cheers,
> > Valent
>
> Do you have two policy files in /etc/selinux/targeted/policy?

# ls -al /etc/selinux/targeted/policy
total 4056
drwxr-xr-x 2 root root    4096 2008-04-03 23:05 .
drwxr-xr-x 5 root root    4096 2008-04-03 23:05 ..
-rw-r--r-- 1 root root 4128435 2008-04-03 23:05 policy.21

as you can see I have only one file in the policy directory

> If you do, remove the lower version and then execute load_policy,
> Relabel the file in question and you should not have a problem. If the
> file is in /tmp you can remove it or set its label to tmp_t.

I'm going now to move all files from /tmp to another folder and then if the
reboot succeeds I'll delete those files and see if I still see selinux alerts.

So you haven't seen this kind of error? Nobody has reported anything similar?

Valent.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

From valent.turkovic at gmail.com Sun Apr 6 09:01:16 2008
From: valent.turkovic at gmail.com (Valent Turkovic)
Date: Sun, 6 Apr 2008 11:01:16 +0200
Subject: gconf alert
In-Reply-To: <64b14b300804060137u4354117j4e006ece9ff13b81@mail.gmail.com>
References: <64b14b300803210436s4042e579n9519c9d211a87dba@mail.gmail.com> <64b14b300803250251p698a8cc6wb679ddebcc320133@mail.gmail.com> <64b14b300803270308g1dd84d2av247ed1f3ba31e651@mail.gmail.com> <64b14b300803270339m79ba848x44b6d949c598651e@mail.gmail.com> <47EBDB28.5070302@redhat.com> <64b14b300803280447w18c862bcnac23b26617c86056@mail.gmail.com> <47EE7494.3040609@redhat.com> <64b14b300804010138t6afbc61am68e3a0a35360e734@mail.gmail.com> <47F7D134.8030404@redhat.com> <64b14b300804060137u4354117j4e006ece9ff13b81@mail.gmail.com>
Message-ID: <64b14b300804060201i236990afo25e6790e2f8ac65b@mail.gmail.com>

On Sun, Apr 6, 2008 at 10:37 AM, Valent Turkovic wrote:
> On Sat, Apr 5, 2008 at 9:21 PM, Daniel J Walsh wrote:
> > Valent Turkovic wrote:
> > > On Sat, Mar 29, 2008 at 6:55 PM, Daniel J Walsh wrote:
> > >> Valent Turkovic wrote:
> > >>> On Thu, Mar 27, 2008 at 6:36 PM, John Dennis wrote:
> > >>>> Valent Turkovic wrote:
> > >>>>> I'm creating live cds under rawhide and I have selinux in permissive
> > >>>>> mode, could that be reason I'm seeing these hundreds of alerts?
> > >>>>
> > >>>> https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00130.html
> > >>>>
> > >>>> --
> > >>>> John Dennis
> > >>>
> > >>> Ok, I'm an idiot :) I got so much going on at once (work, moving to
> > >>> a new apartment, etc...) that I totally forgot I got this replied
> > >>> already.
> > >>>
> > >>> But I want to keep in permissive and not enforcing mode so is just
> > >>> "load_policy" enough?
> > >>>
> > >>> Cheers,
> > >>> Valent.
> > >>
> > >> load_policy and you might need to kill any processes that are running as
> > >> unlabeled_t. Potentially you could have files that are mislabeled.
> > >
> > > I made several load_policy and relabels with reboot and I still see
> > > these errors!
> > > Do you have any idea why?
> > >
> > > Cheers,
> > > Valent
> >
> > Do you have two policy files in /etc/selinux/targeted/policy?
>
> # ls -al /etc/selinux/targeted/policy
> total 4056
> drwxr-xr-x 2 root root    4096 2008-04-03 23:05 .
> drwxr-xr-x 5 root root    4096 2008-04-03 23:05 ..
> -rw-r--r-- 1 root root 4128435 2008-04-03 23:05 policy.21
>
> as you can see I have only one file in the policy directory
>
> > If you do, remove the lower version and then execute load_policy,
> > Relabel the file in question and you should not have a problem. If the
> > file is in /tmp you can remove it or set its label to tmp_t.
>
> I'm going now to move all files from /tmp to another folder and then
> if the reboot succeeds I'll delete those files and see if I still see
> selinux alerts.
>
> So you haven't seen this kind of error? Nobody has reported anything similar?
>
> Valent.
>
> --
> http://kernelreloaded.blog385.com/
> linux, blog, anime, spirituality, windsurf, wireless
> registered as user #367004 with the Linux Counter, http://counter.li.org.
> ICQ: 2125241, Skype: valent.turkovic

Even after deleting all files in the /tmp folder I still see these two alerts
(in attachment). I investigated the alert about the saved_state.tmp file and
with the locate command I found this:

/home/valentt/.gconfd/saved_state

does that give you any more clues why I'm seeing these alerts?

I'm now in Fedora 8, not in Rawhide, but in Rawhide I see the same alerts.

Is it possible that livecd-creator does some things and breaks selinux in some
way that you still aren't aware of?

Valent.
--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: selinux_alert1.txt
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: selinux_alert2.txt
URL:

From pedro.lamarao at mndfck.org Sun Apr 6 23:11:35 2008
From: pedro.lamarao at mndfck.org (Pedro Lamarão)
Date: Sun, 06 Apr 2008 20:11:35 -0300
Subject: Fedora 8: NetworkManager, OpenVPN and SELinux
Message-ID:

Hello all.

I'm experimenting with a VPN connection set up through the NetworkManager panel
applet. I have all certificate and key files stored in my home directory.
Trying to start this VPN connection triggers an AVC DENIED.

host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 ino=2408465 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66): arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6 a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null)

It seems to me that this denial makes complete sense, since OpenVPN should not
be reading users' files. On the other hand, this NetworkManager configuration
functionality should allow users to use their own files -- that is, it seems
users are not required to be root and place files in /etc/openvpn. Also, most
users won't be knowledgeable enough to know how to change the file label --
and this would be error prone, if there was ever a full relabel of the
filesystem.
I'll be using all files in /etc/openvpn while this is not sorted out to
exercise NetworkManager.

--
P.

From cra at WPI.EDU Tue Apr 8 16:27:12 2008
From: cra at WPI.EDU (Chuck Anderson)
Date: Tue, 8 Apr 2008 12:27:12 -0400
Subject: can't print to cups-pdf
Message-ID: <20080408162712.GC17578@angus.ind.WPI.EDU>

Trying to print to Cups-PDF from firefox generates this AVC:

Summary:

SELinux is preventing cups-pdf (cups_pdf_t) "write" to ./cups (cupsd_log_t).

Detailed Description:

SELinux denied access requested by cups-pdf. It is not expected that this
access is required by cups-pdf and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./cups,

restorecon -v './cups'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this access -
see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cupsd_log_t:s0
Target Objects                ./cups [ dir ]
Source                        cups-pdf
Source Path                   /usr/lib/cups/backend/cups-pdf
Port
Host                          foo
Source RPM Packages           cups-pdf-2.4.7-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-29.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     foo
Platform                      Linux foo 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Tue 08 Apr 2008 12:24:18 PM EDT
Last Seen                     Tue 08 Apr 2008 12:24:18 PM EDT
Local ID                      4eded59e-c154-4e5b-b62c-d9dbf0a482cd
Line Numbers

Raw Audit Messages

host=foo type=AVC msg=audit(1207671858.666:72): avc: denied { write } for pid=6315 comm="cups-pdf" name="cups" dev=dm-1 ino=565527 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_log_t:s0 tclass=dir
host=foo type=SYSCALL msg=audit(1207671858.666:72): arch=40000003 syscall=5 success=no exit=-13 a0=bfb9f674 a1=441 a2=1b6 a3=440 items=0 ppid=2232 pid=6315 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)

From choeger at cs.tu-berlin.de Wed Apr 9 22:57:17 2008
From: choeger at cs.tu-berlin.de (Christoph Höger)
Date: Thu, 10 Apr 2008 00:57:17 +0200
Subject: Confining Firefox
Message-ID: <47FD49CD.3090705@cs.tu-berlin.de>

Hi,

I've just read Daniel's livejournal entry about confining firefox.

One thing that hit me, when I dug a little deeper into SELinux last semester,
was that firefox can actually read ~/.ssh

I don't know _any_ reason why it should. And I assume this is one kind of
access that SELinux should prevent.
Away from talking about explicit deny rules, I would suggest that in fedora 9
you (the active SELinux developers) deny it using something like a
"unconfined_for_all_applications_but_firefox_and_fellows_t" to cut off those
security relevant directories. Otherwise the next *-plugin exploit could crack
even whole enterprise networks by reading admins' ssh keys.

regards

christoph

ps: What is the current state of getting a real "High-Level-Language(TM)" for
SELinux configuration?

From olivares14031 at yahoo.com Thu Apr 10 00:10:19 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 9 Apr 2008 17:10:19 -0700 (PDT)
Subject: flood of selinux avcs, settroubleshoot all over the place(sorry for all the avcs)
Message-ID: <456478.73196.qm@web52609.mail.re2.yahoo.com>

Dear all,

Here are all the selinux errors that I have encountered. I apologize for
putting them all in at the same time, but I am just overwhelmed at the amount.
I guess the setroubleshoot daemon got happy and started sending all the avcs
encountered.

Thank you in advance for any advice given.

Regards,

Antonio

Summary:

SELinux is preventing gvfsd-trash (staff_t) "dac_override" to (staff_t).

Detailed Description:

SELinux denied access requested by gvfsd-trash. It is not expected that this
access is required by gvfsd-trash and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Objects                None [ capability ]
Source                        pulseaudio
Source Path                   /usr/bin/pulseaudio
Port
Host                          localhost.localdomain
Source RPM Packages           gvfs-0.2.3-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-29.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   39
First Seen                    Wed 09 Apr 2008 07:03:20 PM CDT
Last Seen                     Wed 09 Apr 2008 07:03:45 PM CDT
Local ID                      d2fbeab2-c5e1-4968-a58a-3897ade13c01
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1207785825.117:127): avc: denied { dac_override } for pid=5405 comm="gvfsd-trash" capability=1 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=capability
host=localhost.localdomain type=AVC msg=audit(1207785825.117:127): avc: denied { dac_read_search } for pid=5405 comm="gvfsd-trash" capability=2 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=capability
host=localhost.localdomain type=SYSCALL msg=audit(1207785825.117:127): arch=40000003 syscall=196 success=no exit=-13 a0=86652e8 a1=b741b1e0 a2=d14ff4 a3=0 items=0 ppid=5404 pid=5405 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="gvfsd-trash" exe="/usr/libexec/gvfsd-trash" subj=root:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing escd (staff_t) "read write" to
./636F6F6C6B6579706B313173452D47617465203020302D30 (auth_cache_t).

Detailed Description:

SELinux denied access requested by escd.
It is not expected that this access is required by escd and this access may
signal an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for
./636F6F6C6B6579706B313173452D47617465203020302D30,

restorecon -v './636F6F6C6B6579706B313173452D47617465203020302D30'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this access -
see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Context                system_u:object_r:auth_cache_t
Target Objects                ./636F6F6C6B6579706B313173452D47617465203020302D30 [ file ]
Source                        escd
Source Path                   /usr/lib/esc-1.0.1/escd
Port
Host                          localhost.localdomain
Source RPM Packages           esc-1.0.1-9.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-29.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 09 Apr 2008 07:03:22 PM CDT
Last Seen                     Wed 09 Apr 2008 07:03:22 PM CDT
Local ID                      6cd2e4ee-4e7e-4112-adcc-b3705916d481
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1207785802.447:91): avc: denied { read write } for pid=5282 comm="escd" name=636F6F6C6B6579706B313173452D47617465203020302D30 dev=dm-0 ino=2485540 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auth_cache_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1207785802.447:91): arch=40000003 syscall=5 success=no exit=-13 a0=8a45540 a1=20002 a2=180 a3=0 items=0 ppid=1 pid=5282 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="escd" exe="/usr/lib/esc-1.0.1/escd" subj=root:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing pulseaudio (staff_t) "ipc_lock" to (staff_t).

Detailed Description:

SELinux denied access requested by pulseaudio. It is not expected that this
access is required by pulseaudio and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:

Source Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Objects                None [ capability ]
Source                        gnome-keyring-d
Source Path                   /usr/bin/gnome-keyring-daemon
Port
Host                          localhost.localdomain
Source RPM Packages           pulseaudio-0.9.10-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-29.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   15
First Seen                    Wed 09 Apr 2008 07:03:06 PM CDT
Last Seen                     Wed 09 Apr 2008 07:03:21 PM CDT
Local ID                      638ce06f-cd52-41b7-8f87-c3296b7b9c4e
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1207785801.262:89): avc: denied { ipc_lock } for pid=5217 comm="pulseaudio" capability=14 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=capability
host=localhost.localdomain type=SYSCALL msg=audit(1207785801.262:89): arch=40000003 syscall=150 success=yes exit=0 a0=b6804000 a1=3c84 a2=195cb4 a3=3c84 items=0 ppid=5214 pid=5217 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=root:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing gvfs-fuse-daemo (staff_t) "sys_admin" to (staff_t).

Detailed Description:

SELinux denied access requested by gvfs-fuse-daemo. It is not expected that
this access is required by gvfs-fuse-daemo and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Objects                None [ capability ]
Source                        gvfs-fuse-daemo
Source Path                   /usr/libexec/gvfs-fuse-daemon
Port
Host                          localhost.localdomain
Source RPM Packages           gvfs-fuse-0.2.3-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-29.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 09 Apr 2008 07:03:21 PM CDT
Last Seen                     Wed 09 Apr 2008 07:03:21 PM CDT
Local ID                      f714cec5-eca8-4de6-a60b-d07f6e690250
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1207785801.751:90): avc: denied { sys_admin } for pid=5256 comm="gvfs-fuse-daemo" capability=21 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=capability
host=localhost.localdomain type=SYSCALL msg=audit(1207785801.751:90): arch=40000003 syscall=21 success=no exit=-1 a0=90654d0 a1=9064940 a2=9065510 a3=6 items=0 ppid=1 pid=5256 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="gvfs-fuse-daemo" exe="/usr/libexec/gvfs-fuse-daemon" subj=root:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing firefox (staff_t) "setuid" to (staff_t).

Detailed Description:

SELinux denied access requested by firefox. It is not expected that this
access is required by firefox and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Objects                None [ capability ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b5/firefox
Port
Host                          localhost.localdomain
Source RPM Packages           firefox-3.0-0.53.beta5.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-29.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   14
First Seen                    Wed 09 Apr 2008 07:04:12 PM CDT
Last Seen                     Wed 09 Apr 2008 07:04:12 PM CDT
Local ID                      728a632a-191d-449d-b1a1-aa9cff7a16f1
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1207785852.141:144): avc: denied { setuid } for pid=5422 comm="firefox" capability=7 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=capability
host=localhost.localdomain type=SYSCALL msg=audit(1207785852.141:144): arch=40000003 syscall=208 success=yes exit=0 a0=ffffffff a1=0 a2=ffffffff a3=bfee4c1c items=0 ppid=5408 pid=5422 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="firefox" exe="/usr/lib/firefox-3.0b5/firefox" subj=root:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing firefox (staff_t) "write" to ./firefox-3.0b5 (lib_t).

Detailed Description:

SELinux denied access requested by firefox. It is not expected that this
access is required by firefox and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./firefox-3.0b5,

restorecon -v './firefox-3.0b5'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this access -
see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Context                system_u:object_r:lib_t
Target Objects                ./firefox-3.0b5 [ dir ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.0b5/firefox
Port
Host                          localhost.localdomain
Source RPM Packages           firefox-3.0-0.53.beta5.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-29.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 09 Apr 2008 07:03:48 PM CDT
Last Seen                     Wed 09 Apr 2008 07:03:52 PM CDT
Local ID                      ba8ecec3-9fce-4945-92ed-d9640d5a0ea7
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1207785832.379:129): avc: denied { write } for pid=5422 comm="firefox" name="firefox-3.0b5" dev=dm-0 ino=4287001 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1207785832.379:129): arch=40000003 syscall=5 success=no exit=-13 a0=85ec4f0 a1=82c1 a2=1a4 a3=82c1 items=0 ppid=5408 pid=5422 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="firefox" exe="/usr/lib/firefox-3.0b5/firefox" subj=root:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing pulseaudio (staff_t) "sys_resource" to (staff_t).

Detailed Description:

SELinux denied access requested by pulseaudio. It is not expected that this
access is required by pulseaudio and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Context                root:staff_r:staff_t:SystemLow-SystemHigh
Target Objects                None [ capability ]
Source                        pulseaudio
Source Path                   /usr/bin/pulseaudio
Port
Host                          localhost.localdomain
Source RPM Packages           pulseaudio-0.9.10-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-29.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Wed 09 Apr 2008 07:03:20 PM CDT
Last Seen                     Wed 09 Apr 2008 07:03:20 PM CDT
Local ID                      40e0b7ff-cb5f-42de-8f1d-8302ea0c173f
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1207785800.594:72): avc: denied { sys_resource } for pid=5217 comm="pulseaudio" capability=24 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=capability
host=localhost.localdomain type=SYSCALL msg=audit(1207785800.594:72): arch=40000003 syscall=75 success=no exit=-1 a0=e a1=bfa8cd1c a2=d14ff4 a3=e items=0 ppid=5214 pid=5217 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="pulseaudio" exe="/usr/bin/pulseaudio" subj=root:staff_r:staff_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing bash (staff_t) "write" to ./ccache (var_t). Detailed Description: SELinux denied access requested by bash. It is not expected that this access is required by bash and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./ccache, restorecon -v './ccache' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context root:staff_r:staff_t:SystemLow-SystemHigh Target Context system_u:object_r:var_t Target Objects ./ccache [ dir ] Source bash Source Path /bin/bash Port Host localhost.localdomain Source RPM Packages bash-3.2-22.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-29.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686 Alert Count 1 First Seen Wed 09 Apr 2008 07:03:18 PM CDT Last Seen Wed 09 Apr 2008 07:03:18 PM CDT Local ID 8b8507ac-7e45-4ce0-b52f-b25b6c69c03f Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207785798.523:69): avc: denied { write } for pid=5092 comm="bash" name="ccache" dev=dm-0 ino=2485510 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir host=localhost.localdomain type=SYSCALL msg=audit(1207785798.523:69): arch=40000003 syscall=33 success=no exit=-13 a0=9eaad78 a1=2 a2=d14ff4 a3=0 items=0 ppid=4990 pid=5092 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="bash" exe="/bin/bash" subj=root:staff_r:staff_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing gnome-session (staff_t) "write" to ./fontconfig (fonts_t). Detailed Description: SELinux denied access requested by gnome-session. It is not expected that this access is required by gnome-session and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./fontconfig, restorecon -v './fontconfig' If this does not work, there is currently no automatic way to allow this access. 
Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context root:staff_r:staff_t:SystemLow-SystemHigh Target Context system_u:object_r:fonts_t Target Objects ./fontconfig [ dir ] Source gnome-session Source Path /usr/bin/gnome-session Port Host localhost.localdomain Source RPM Packages gnome-session-2.22.1-1.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-29.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686 Alert Count 1 First Seen Wed 09 Apr 2008 07:03:18 PM CDT Last Seen Wed 09 Apr 2008 07:03:18 PM CDT Local ID fddf24c2-0902-4a50-8909-4bd30c0839b6 Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207785798.732:70): avc: denied { write } for pid=5092 comm="gnome-session" name="fontconfig" dev=dm-0 ino=2387443 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir host=localhost.localdomain type=SYSCALL msg=audit(1207785798.732:70): arch=40000003 syscall=33 success=no exit=-13 a0=8536358 a1=2 a2=a85694 a3=852daa8 items=0 ppid=4990 pid=5092 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="gnome-session" exe="/usr/bin/gnome-session" subj=root:staff_r:staff_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing escd (user_t) "write" to ./coolkey (auth_cache_t). Detailed Description: SELinux denied access requested by escd. It is not expected that this access is required by escd and this access may signal an intrusion attempt. 
It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./coolkey, restorecon -v './coolkey' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context user_u:user_r:user_t Target Context system_u:object_r:auth_cache_t Target Objects ./coolkey [ dir ] Source escd Source Path /usr/lib/esc-1.0.1/escd Port Host localhost.localdomain Source RPM Packages esc-1.0.1-9.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-29.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686 Alert Count 4 First Seen Wed 09 Apr 2008 06:34:01 PM CDT Last Seen Wed 09 Apr 2008 07:02:51 PM CDT Local ID 08e479ee-11d3-4d0c-892c-e8ce4f8beb7b Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207785771.193:60): avc: denied { write } for pid=4321 comm="escd" name="coolkey" dev=dm-0 ino=2485506 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:auth_cache_t:s0 tclass=dir host=localhost.localdomain type=SYSCALL msg=audit(1207785771.193:60): arch=40000003 syscall=5 success=no exit=-13 a0=88b4ba0 a1=4c2 a2=180 a3=88b3508 items=0 ppid=1 pid=4321 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=3 comm="escd" 
exe="/usr/lib/esc-1.0.1/escd" subj=user_u:user_r:user_t:s0 key=(null) Summary: SELinux is preventing userhelper (user_t) "read write" to ./eject (userhelper_conf_t). Detailed Description: SELinux denied access requested by userhelper. It is not expected that this access is required by userhelper and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./eject, restorecon -v './eject' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context user_u:user_r:user_t Target Context system_u:object_r:userhelper_conf_t Target Objects ./eject [ file ] Source userhelper Source Path /usr/sbin/userhelper Port Host localhost.localdomain Source RPM Packages usermode-1.96-1 Target RPM Packages Policy RPM selinux-policy-3.3.1-29.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686 Alert Count 3 First Seen Wed 09 Apr 2008 06:34:03 PM CDT Last Seen Wed 09 Apr 2008 06:54:10 PM CDT Local ID 971298b0-6bc0-4ee0-a08e-efb07076dd3d Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207785250.626:49): avc: denied { read write } for pid=4559 comm="userhelper" name="eject" dev=dm-0 ino=4055485 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:userhelper_conf_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1207785250.626:49): arch=40000003 syscall=5 success=no exit=-13 a0=82e3508 a1=2 a2=b809cee0 a3=82e3530 items=0 ppid=4558 pid=4559 auid=502 uid=502 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=3 comm="userhelper" exe="/usr/sbin/userhelper" subj=user_u:user_r:user_t:s0 key=(null) Summary: SELinux is preventing userhelper (user_t) "read" to ./eject (userhelper_conf_t). Detailed Description: SELinux denied access requested by userhelper. It is not expected that this access is required by userhelper and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. 
You could try to restore the default system file context for ./eject, restorecon -v './eject' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context user_u:user_r:user_t Target Context system_u:object_r:userhelper_conf_t Target Objects ./eject [ file ] Source userhelper Source Path /usr/sbin/userhelper Port Host localhost.localdomain Source RPM Packages usermode-1.96-1 Target RPM Packages Policy RPM selinux-policy-3.3.1-29.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686 Alert Count 3 First Seen Wed 09 Apr 2008 06:34:03 PM CDT Last Seen Wed 09 Apr 2008 06:54:10 PM CDT Local ID fe10c9ad-5af2-4402-b68e-8d6951329af6 Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207785250.628:50): avc: denied { read } for pid=4559 comm="userhelper" name="eject" dev=dm-0 ino=4055485 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:userhelper_conf_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1207785250.628:50): arch=40000003 syscall=5 success=no exit=-13 a0=82e3508 a1=0 a2=b809cee0 a3=82e3530 items=0 ppid=4558 pid=4559 auid=502 uid=502 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=3 comm="userhelper" exe="/usr/sbin/userhelper" subj=user_u:user_r:user_t:s0 key=(null) Summary: SELinux is preventing escd (user_t) "read write" to ./636F6F6C6B6579706B313173452D47617465203020302D353031 (auth_cache_t). 
Detailed Description: SELinux denied access requested by escd. It is not expected that this access is required by escd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./636F6F6C6B6579706B313173452D47617465203020302D353031, restorecon -v './636F6F6C6B6579706B313173452D47617465203020302D353031' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context user_u:user_r:user_t Target Context system_u:object_r:auth_cache_t Target Objects ./636F6F6C6B6579706B313173452D47617465203020302D35 3031 [ file ] Source escd Source Path /usr/lib/esc-1.0.1/escd Port Host localhost.localdomain Source RPM Packages esc-1.0.1-9.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-29.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686 Alert Count 2 First Seen Wed 09 Apr 2008 06:49:21 PM CDT Last Seen Wed 09 Apr 2008 06:51:48 PM CDT Local ID 655d0a34-ec8a-4327-ae0c-a21175fccec7 Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207785108.494:39): avc: denied { read write } for pid=3737 comm="escd" name=636F6F6C6B6579706B313173452D47617465203020302D353031 dev=dm-0 ino=2485541 scontext=user_u:user_r:user_t:s0 
tcontext=system_u:object_r:auth_cache_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1207785108.494:39): arch=40000003 syscall=5 success=no exit=-13 a0=880aba0 a1=20002 a2=180 a3=0 items=0 ppid=1 pid=3737 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=2 comm="escd" exe="/usr/lib/esc-1.0.1/escd" subj=user_u:user_r:user_t:s0 key=(null) Summary: SELinux is preventing wine-preloader (user_t) "mmap_zero" to (user_t). Detailed Description: SELinux denied access requested by wine-preloader. It is not expected that this access is required by wine-preloader and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context user_u:user_r:user_t Target Context user_u:user_r:user_t Target Objects None [ memprotect ] Source wine-preloader Source Path /usr/bin/wine-preloader Port Host localhost.localdomain Source RPM Packages wine-core-0.9.58-1.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-29.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686 Alert Count 1 First Seen Wed 09 Apr 2008 06:50:02 PM CDT Last Seen Wed 09 Apr 2008 06:50:02 PM CDT Local ID 6f6e94e5-fbf2-43ea-b941-dba1d1da982b Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207785002.401:35): avc: denied { mmap_zero } for pid=3847 comm="wine-preloader" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=memprotect host=localhost.localdomain type=SYSCALL msg=audit(1207785002.401:35): arch=40000003 syscall=90 success=no exit=-13 a0=bfed76dc a1=bfed76dc a2=60000000 a3=bfed76dc items=0 ppid=1 pid=3847 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=2 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=user_u:user_r:user_t:s0 key=(null) Summary: SELinux prevented X from using the terminal tty0. Detailed Description: SELinux prevented X from using the terminal tty0. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean. 
Allowing Access: Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1." Fix Command: setsebool -P allow_daemons_use_tty=1 Additional Information: Source Context user_u:user_r:user_t Target Context system_u:object_r:tty_device_t Target Objects tty0 [ chr_file ] Source X Source Path /usr/bin/Xorg Port Host localhost.localdomain Source RPM Packages xorg-x11-server-Xorg-1.4.99.901-17.20080401.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-28.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_daemons_use_tty Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.201.rc8.git4.fc9.i686 #1 SMP Sun Apr 6 21:55:27 EDT 2008 i686 i686 Alert Count 8 First Seen Fri 04 Apr 2008 06:52:01 PM CDT Last Seen Mon 07 Apr 2008 08:13:50 PM CDT Local ID 4c3eddb6-6a5d-420f-a3de-1649183f872c Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207617230.297:90): avc: denied { setattr } for pid=5319 comm="X" name="tty0" dev=tmpfs ino=255 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file host=localhost.localdomain type=SYSCALL msg=audit(1207617230.297:90): arch=40000003 syscall=212 success=no exit=-13 a0=81bc13b a1=0 a2=0 a3=bfbd70b4 items=0 ppid=5318 pid=5319 auid=502 uid=502 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=tty1 ses=8 comm="X" exe="/usr/bin/Xorg" subj=user_u:user_r:user_t:s0 key=(null) Summary: SELinux is preventing gdb (xdm_t) "write" to ./rpm (rpm_var_lib_t). Detailed Description: SELinux denied access requested by gdb. It is not expected that this access is required by gdb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. 
You could try to restore the default system file context for ./rpm, restorecon -v './rpm' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:xdm_t:SystemLow-SystemHigh Target Context system_u:object_r:rpm_var_lib_t Target Objects ./rpm [ dir ] Source gdb Source Path /usr/bin/gdb Port Host localhost.localdomain Source RPM Packages gdb-6.8-1.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-26.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.195.rc8.git1.fc9.i686 #1 SMP Thu Apr 3 09:42:34 EDT 2008 i686 i686 Alert Count 196 First Seen Fri 04 Apr 2008 06:48:42 PM CDT Last Seen Fri 04 Apr 2008 07:56:14 PM CDT Local ID bf5f7ea8-f1a0-46bb-ade6-45dc659e7c1f Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207356974.98:206): avc: denied { write } for pid=2534 comm="gdb" name="rpm" dev=dm-0 ino=2387395 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir host=localhost.localdomain type=SYSCALL msg=audit(1207356974.98:206): arch=40000003 syscall=33 success=no exit=-13 a0=a3ddfb8 a1=2 a2=3547a4 a3=a3dde80 items=0 ppid=2533 pid=2534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdb" exe="/usr/bin/gdb" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing gdb (xdm_t) "getattr" to /var/lib/rpm/Packages (rpm_var_lib_t). 
Detailed Description: SELinux denied access requested by gdb. It is not expected that this access is required by gdb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/rpm/Packages, restorecon -v '/var/lib/rpm/Packages' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:xdm_t:SystemLow-SystemHigh Target Context system_u:object_r:rpm_var_lib_t Target Objects /var/lib/rpm/Packages [ file ] Source gdb Source Path /usr/bin/gdb Port Host localhost.localdomain Source RPM Packages gdb-6.8-1.fc9 Target RPM Packages rpm-4.4.2.3-1.fc9 Policy RPM selinux-policy-3.3.1-26.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25-0.195.rc8.git1.fc9.i686 #1 SMP Thu Apr 3 09:42:34 EDT 2008 i686 i686 Alert Count 196 First Seen Fri 04 Apr 2008 06:48:42 PM CDT Last Seen Fri 04 Apr 2008 07:56:14 PM CDT Local ID adc70120-316b-494e-a25a-1a9f014c0282 Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1207356974.99:207): avc: denied { getattr } for pid=2534 comm="gdb" path="/var/lib/rpm/Packages" dev=dm-0 ino=2387402 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file host=localhost.localdomain 
type=SYSCALL msg=audit(1207356974.99:207): arch=40000003 syscall=195 success=no exit=-13 a0=a3ddf98 a1=bf9e3e9c a2=d14ff4 a3=64 items=0 ppid=2533 pid=2534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdb" exe="/usr/bin/gdb" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From choeger at cs.tu-berlin.de Thu Apr 10 08:56:16 2008 From: choeger at cs.tu-berlin.de (Christoph =?ISO-8859-1?Q?H=F6ger?=) Date: Thu, 10 Apr 2008 10:56:16 +0200 Subject: Fedora 8: NetworkManager, OpenVPN and SELinux In-Reply-To: References: Message-ID: <1207817776.2898.1.camel@choeger5> Am Sonntag, den 06.04.2008, 20:11 -0300 schrieb Pedro Lamar?o: > Hello all. > > I'm experimenting with a VPN connection set up through the > NetworkManager panel applet. > > I have all certificate and key files stored in my home directory. > > Trying to start this VPN connection triggers an AVC DENIED. > > host=localhost.localdomain type=AVC msg=audit(1207523029.36:66): avc: > denied { read } for pid=6400 comm="openvpn" name="pedro.crt" dev=dm-2 > ino=2408465 scontext=system_u:system_r:openvpn_t:s0 > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file > > host=localhost.localdomain type=SYSCALL msg=audit(1207523029.36:66): > arch=40000003 syscall=5 success=no exit=-13 a0=bfa7ef0b a1=8000 a2=1b6 > a3=8d23660 items=0 ppid=6396 pid=6400 auid=500 uid=0 gid=0 euid=0 suid=0 > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="openvpn" > exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null) > > It seems to me that this denial makes complete sense, since OpenVPN > should not be reading users' files. 
> > On the other hand, this NetworkManager configuration functionality > should allow users to use their own files -- that is, it seems users are > not required to be root and place files in /etc/openvpn. > > Also, most users won't be knowledgeable enough to know how to change > file label -- and this would be error prone, if there was ever a full > relabel in the filesystem. > > I'll be using all files in /etc/openvpn while this is not sorted out to > exercise NetworkManager. > > -- > P. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Hi, there is a special SELinux Boolean for that: openvpn_enable_homedirs You can set this via setsebool or use the SELinux Manager. regards Christoph From dtimms at iinet.net.au Thu Apr 10 12:48:40 2008 From: dtimms at iinet.net.au (David Timms) Date: Thu, 10 Apr 2008 22:48:40 +1000 Subject: mrtg selinux denials in default configuration Message-ID: <47FE0CA8.5010705@iinet.net.au> I'm getting selinux denials with a default install of mrtg. I found a bug opened/ and closed notabug: https://bugzilla.redhat.com/show_bug.cgi?id=439953 However, that relates to a custom user config that calls a script, and the response was that matching policy needs to be built. In my case mrtg is running completely default {which may well be fully useless - I haven't learnt enough about it yet}. Should there be selinux denials on a default install of a package ? DaveT. From dtimms at iinet.net.au Thu Apr 10 13:14:54 2008 From: dtimms at iinet.net.au (David Timms) Date: Thu, 10 Apr 2008 23:14:54 +1000 Subject: mrtg selinux denials in default configuration In-Reply-To: <47FE0CA8.5010705@iinet.net.au> References: <47FE0CA8.5010705@iinet.net.au> Message-ID: <47FE12CE.6030903@iinet.net.au> David Timms wrote: > Should there be selinux denials on a default install of a package ? audit item attached. DT. 
-------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: selin.mrtg.txt URL: From jk at lutty.net Thu Apr 10 17:58:32 2008 From: jk at lutty.net (Laurent Jacquot) Date: Thu, 10 Apr 2008 19:58:32 +0200 Subject: loadkey avc denied Message-ID: <1207850312.5587.49.camel@jack.lutty.net> Hello, Every time I reboot, I have those 9 AVCs in /var/log/messages: Apr 3 19:18:35 jack kernel: audit(1207243095.907:4): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability Apr 3 19:18:35 jack kernel: audit(1207243095.907:5): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability Apr 3 19:18:35 jack kernel: audit(1207243095.907:6): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability Apr 3 19:18:35 jack kernel: audit(1207243095.907:7): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability Apr 3 19:18:35 jack kernel: audit(1207243095.907:8): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability Apr 3 19:18:35 jack kernel: audit(1207243095.907:9): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability Apr 3 19:18:35 jack kernel: audit(1207243095.907:10): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability Apr 3 19:18:35 jack kernel: 
audit(1207243095.907:11): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability Apr 3 19:18:35 jack kernel: audit(1207243095.907:12): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability They are generated before audit runs. What are they trying to tell me? Should I relabel something or bug it? TIA Laurent From jk at lutty.net Thu Apr 10 18:11:35 2008 From: jk at lutty.net (Laurent Jacquot) Date: Thu, 10 Apr 2008 20:11:35 +0200 Subject: setsebool ok & smb denied Message-ID: <1207851095.5587.56.camel@jack.lutty.net> Hello, on my F8 up2date, SMB is denied read access to user_iceauth_home_t context even if I have: [root at jack ~]# getsebool -a |grep samba samba_domain_controller --> off samba_enable_home_dirs --> on samba_export_all_ro --> off samba_export_all_rw --> off samba_run_unconfined --> on samba_share_nfs --> off use_samba_home_dirs --> on Should I bugzilla it? and also dontaudit, allow or deny? R?sum?: SELinux is preventing the samba daemon from reading users' home directories. Description d?taill?e: SELinux has denied the samba daemon access to users' home directories. Someone is attempting to access your home directories via your samba daemon. If you only setup samba to share non-home directories, this probably signals a intrusion attempt. For more information on SELinux integration with samba, look at the samba_selinux man page. 
(man samba_selinux) Autoriser l'acc?s: Si vous souhaitez que samba partage des r?pertoires personnels vous devez activer le bool?en samba_enable_home_dirs : "setsebool -P samba_enable_home_dirs=1" La commande suivante autorisera cet acc?s : setsebool -P samba_enable_home_dirs=1 Informations compl?mentaires: Contexte source system_u:system_r:smbd_t:s0 Contexte cible system_u:object_r:user_iceauth_home_t:s0 Objets du contexte /home/alex/.ICEauthority [ file ] Source smbd Source Path /usr/sbin/smbd Port Host jack.lutty.net Source RPM Packages samba-3.0.28a-0.fc8 Target RPM Packages Politique RPM selinux-policy-3.0.8-95.fc8 Selinux activ? True Type de politique targeted MLS activ? True Mode strict Enforcing Nom du plugin samba_enable_home_dirs Nom de l'h?te jack.lutty.net Plateforme Linux jack.lutty.net 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686 Compteur d'alertes 28 First Seen ven 04 avr 2008 23:16:29 CEST Last Seen mer 09 avr 2008 16:34:17 CEST Local ID d2ee22f9-866b-4305-94c8-a029aee20c19 Num?ros des lignes Messages d'audit bruts host=jack.lutty.net type=AVC msg=audit(1207751657.63:1353): avc: denied { getattr } for pid=32716 comm="smbd" path="/home/alex/.ICEauthority" dev=dm-11 ino=850503 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file host=jack.lutty.net type=SYSCALL msg=audit(1207751657.63:1353): arch=40000003 syscall=195 success=no exit=-13 a0=bfc33194 a1=bfc32914 a2=4c5ff4 a3=bfc32914 items=0 ppid=3346 pid=32716 auid=4294967295 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) jk From dwalsh at redhat.com Thu Apr 10 19:52:31 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 10 Apr 2008 15:52:31 -0400 Subject: Confining Firefox In-Reply-To: <47FD49CD.3090705@cs.tu-berlin.de> References: <47FD49CD.3090705@cs.tu-berlin.de> Message-ID: <47FE6FFF.5040406@redhat.com> -----BEGIN PGP 
Christoph H?ger wrote:
> Hi,
>
> I've just read Daniels livejournal entry about confining firefox.
> One thing that hit me, when I dug a little deeper into SELinux last
> semester, was that firefox can actually read ~/.ssh
> I don't know _any_ reason why it should.
> And I assume this is one kind of access, that SELinux should prevent.
> Away from talking about explicit deny rules, I would suggest, that in
> fedora 9 you (the active SELinux developers) deny it using something
> like a "unconfined_for_all_applications_but_firefox_and_fellows_t" to
> cut off those security relevant directories.
> Otherwise the next *-plugin exploit could crack even whole enterprise
> networks by reading admins ssh keys.

If you run your plugins in confined mode

# setsebool -P allow_unconfined_nsplugin_transition=1
# yum install nspluginwrapper
# restorecon -R -v ~/

None of the plugins will be allowed to read directories like .ssh or .gpg in your home directory.

firefox is really difficult to confine, but with nsplugin you can confine the plugins fairly well.

> regards
>
> christoph
>
> ps: What is the current state of getting a real
> "High-Level-Language(TM)" for SELinux configuration?
--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Thu Apr 10 19:57:48 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 10 Apr 2008 15:57:48 -0400
Subject: mrtg selinux denials in default configuration
In-Reply-To: <47FE12CE.6030903@iinet.net.au>
References: <47FE0CA8.5010705@iinet.net.au> <47FE12CE.6030903@iinet.net.au>
Message-ID: <47FE713C.2090102@redhat.com>

David Timms wrote:
> David Timms wrote:
>> Should there be selinux denials on a default install of a package ?
> audit item attached.
>
> DT.

Your /root directory is labeled incorrectly.

restorecon -R -v /root

Should fix. That is what setroubleshoot suggested, did you try it.
Default installs should not be generating AVC's

From dwalsh at redhat.com Thu Apr 10 20:00:13 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 10 Apr 2008 16:00:13 -0400
Subject: loadkey avc denied
In-Reply-To: <1207850312.5587.49.camel@jack.lutty.net>
References: <1207850312.5587.49.camel@jack.lutty.net>
Message-ID: <47FE71CD.4000504@redhat.com>

Laurent Jacquot wrote:
> Hello,
> Every time I reboot, I have those 9 AVCs in /var/log/messages:
>
> Apr 3 19:18:35 jack kernel: audit(1207243095.907:4): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability
> Apr 3 19:18:35 jack kernel: audit(1207243095.907:5): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability
> Apr 3 19:18:35 jack kernel: audit(1207243095.907:6): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability
> Apr 3 19:18:35 jack kernel: audit(1207243095.907:7): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability
> Apr 3 19:18:35 jack kernel: audit(1207243095.907:8): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability
> Apr 3 19:18:35 jack kernel: audit(1207243095.907:9): avc: denied { sys_admin } for
pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability
> Apr 3 19:18:35 jack kernel: audit(1207243095.907:10): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability
> Apr 3 19:18:35 jack kernel: audit(1207243095.907:11): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability
> Apr 3 19:18:35 jack kernel: audit(1207243095.907:12): avc: denied { sys_admin } for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability
>
> They are generated before audit runs.
> What are they trying to tell me? Should I relabel something or bug it?
>
> TIA
> Laurent

This is saying loadkeys is requesting a sys_admin capability. I have no idea why, and have never seen it before.
You can add this rule by executing

# dmesg | audit2allow -M myloadkeys
# semodule -i myloadkeys.pp

From dwalsh at redhat.com Thu Apr 10 20:01:20 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 10 Apr 2008 16:01:20 -0400
Subject: setsebool ok & smb denied
In-Reply-To: <1207851095.5587.56.camel@jack.lutty.net>
References: <1207851095.5587.56.camel@jack.lutty.net>
Message-ID: <47FE7210.9040307@redhat.com>

Laurent Jacquot wrote:
> Hello,
> on my F8 up2date, SMB is denied read access to user_iceauth_home_t
> context even if I have:
>
> [root at jack ~]# getsebool -a |grep samba
> samba_domain_controller --> off
> samba_enable_home_dirs --> on
> samba_export_all_ro --> off
> samba_export_all_rw --> off
> samba_run_unconfined --> on
> samba_share_nfs --> off
> use_samba_home_dirs --> on
>
> Should I bugzilla it? and also dontaudit, allow or deny?
>
> Résumé:
>
> SELinux is preventing the samba daemon from reading users' home
> directories.
>
> Description détaillée:
>
> SELinux has denied the samba daemon access to users' home directories.
> Someone is attempting to access your home directories via your samba
> daemon. If you only setup samba to share non-home directories, this
> probably signals a intrusion attempt. For more information on SELinux
> integration with samba, look at the samba_selinux man page.
> (man samba_selinux)
>
> Autoriser l'accès:
>
> Si vous souhaitez que samba partage des répertoires personnels vous
> devez activer le booléen samba_enable_home_dirs : "setsebool -P
> samba_enable_home_dirs=1"
>
> La commande suivante autorisera cet accès :
>
> setsebool -P samba_enable_home_dirs=1
>
> Informations complémentaires:
>
> Contexte source               system_u:system_r:smbd_t:s0
> Contexte cible                system_u:object_r:user_iceauth_home_t:s0
> Objets du contexte            /home/alex/.ICEauthority [ file ]
> Source                        smbd
> Source Path                   /usr/sbin/smbd
> Port
> Host                          jack.lutty.net
> Source RPM Packages           samba-3.0.28a-0.fc8
> Target RPM Packages
> Politique RPM                 selinux-policy-3.0.8-95.fc8
> Selinux activé                True
> Type de politique             targeted
> MLS activé                    True
> Mode strict                   Enforcing
> Nom du plugin                 samba_enable_home_dirs
> Nom de l'hôte                 jack.lutty.net
> Plateforme                    Linux jack.lutty.net 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686
> Compteur d'alertes            28
> First Seen                    ven 04 avr 2008 23:16:29 CEST
> Last Seen                     mer 09 avr 2008 16:34:17 CEST
> Local ID                      d2ee22f9-866b-4305-94c8-a029aee20c19
> Numéros des lignes
>
> Messages d'audit bruts
>
> host=jack.lutty.net type=AVC msg=audit(1207751657.63:1353): avc: denied
> { getattr } for pid=32716 comm="smbd" path="/home/alex/.ICEauthority"
> dev=dm-11 ino=850503 scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:user_iceauth_home_t:s0 tclass=file
>
> host=jack.lutty.net type=SYSCALL msg=audit(1207751657.63:1353):
> arch=40000003 syscall=195 success=no exit=-13 a0=bfc33194 a1=bfc32914
> a2=4c5ff4 a3=bfc32914 items=0 ppid=3346 pid=32716 auid=4294967295
> uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500
> tty=(none) comm="smbd" exe="/usr/sbin/smbd"
> subj=system_u:system_r:smbd_t:s0 key=(null)
>
> jk

bugzilla.
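The `dmesg | audit2allow -M myloadkeys` step in the loadkeys reply above produces an allow rule that is worth reading before `semodule -i` loads it, and the same parsing applies to the smbd getattr denial in this thread. The following is an added example, not code from the list or from audit2allow itself: it parses raw `avc: denied` records, counts them, and collapses them into the type-enforcement rules a module built from them would grant. The sample log is constructed from the denials quoted in this thread.

```python
"""Turn raw 'avc: denied' records into the TE allow rules a local module would
grant, so the output of audit2allow can be reviewed before it is loaded.
Added example; not part of the list thread or of audit2allow."""
import re
from collections import Counter, defaultdict

# Constructed sample log, built from denials quoted in this thread: two of the
# nine identical loadkeys lines, the smbd getattr denial together with its
# SYSCALL record (which carries no AVC fields), and the plugin-config execstack denial.
SAMPLE_LOG = [
    'Apr 3 19:18:35 jack kernel: audit(1207243095.907:11): avc: denied { sys_admin } '
    'for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 '
    'tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability',
    'Apr 3 19:18:35 jack kernel: audit(1207243095.907:12): avc: denied { sys_admin } '
    'for pid=1707 comm="loadkeys" capability=21 scontext=system_u:system_r:loadkeys_t:s0 '
    'tcontext=system_u:system_r:loadkeys_t:s0 tclass=capability',
    'host=jack.lutty.net type=AVC msg=audit(1207751657.63:1353): avc: denied { getattr } '
    'for pid=32716 comm="smbd" path="/home/alex/.ICEauthority" dev=dm-11 ino=850503 '
    'scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:user_iceauth_home_t:s0 '
    'tclass=file',
    'host=jack.lutty.net type=SYSCALL msg=audit(1207751657.63:1353): arch=40000003 '
    'syscall=195 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd" '
    'subj=system_u:system_r:smbd_t:s0 key=(null)',
    'host=dustpuppy.wpi.edu type=AVC msg=audit(1207926134.511:4168): avc: denied { execstack } '
    'for pid=30324 comm="plugin-config" '
    'scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tclass=process',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component of user:role:type[:level[:categories]]."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'not a security context: {context!r}')
    return parts[2]


def parse_avc(line):
    """Parse one 'avc: denied' record; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        return {
            'perms': frozenset(m.group('perms').split()),
            'comm': fields.get('comm'),
            'stype': type_of(fields['scontext']),
            'ttype': type_of(fields['tcontext']),
            'tclass': fields['tclass'],
        }
    except KeyError:
        return None  # truncated record: nothing to build a rule from


def denial_counts(lines):
    """Count denials per (source type, target type or 'self', class, permission)."""
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = 'self' if d['stype'] == d['ttype'] else d['ttype']
        for perm in d['perms']:
            counts[(d['stype'], target, d['tclass'], perm)] += 1
    return counts


def allow_rules(lines):
    """Collapse the denials into TE allow rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for stype, target, tclass, perm in denial_counts(lines):
        grouped[(stype, target, tclass)].add(perm)
    rules = []
    for (stype, target, tclass), perms in sorted(grouped.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {body};')
    return rules


def report(lines):
    """Review summary: what each rule grants, with the points worth checking first."""
    out = []
    for (stype, target, tclass, perm), n in sorted(denial_counts(lines).items()):
        note = ''
        if tclass == 'capability':
            note = '  # grants a process capability: confirm the program needs it'
        elif target != 'self' and tclass in ('file', 'dir'):
            note = '  # check the target label first (restorecon) before allowing'
        out.append(f'{n:4d}  {stype} -> {target}:{tclass} {perm}{note}')
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
    print()
    print('\n'.join(allow_rules(SAMPLE_LOG)))
```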
From dwalsh at redhat.com Thu Apr 10 20:08:17 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 10 Apr 2008 16:08:17 -0400
Subject: gconf alert
In-Reply-To: <64b14b300804060201i236990afo25e6790e2f8ac65b@mail.gmail.com>
References: <64b14b300803210436s4042e579n9519c9d211a87dba@mail.gmail.com> <64b14b300803250251p698a8cc6wb679ddebcc320133@mail.gmail.com> <64b14b300803270308g1dd84d2av247ed1f3ba31e651@mail.gmail.com> <64b14b300803270339m79ba848x44b6d949c598651e@mail.gmail.com> <47EBDB28.5070302@redhat.com> <64b14b300803280447w18c862bcnac23b26617c86056@mail.gmail.com> <47EE7494.3040609@redhat.com> <64b14b300804010138t6afbc61am68e3a0a35360e734@mail.gmail.com> <47F7D134.8030404@redhat.com> <64b14b300804060137u4354117j4e006ece9ff13b81@mail.gmail.com> <64b14b300804060201i236990afo25e6790e2f8ac65b@mail.gmail.com>
Message-ID: <47FE73B1.7020605@redhat.com>

Valent Turkovic wrote:
> On Sun, Apr 6, 2008 at 10:37 AM, Valent Turkovic wrote:
>> On Sat, Apr 5, 2008 at 9:21 PM, Daniel J Walsh wrote:
>> > Valent Turkovic wrote:
>> > > On Sat, Mar 29, 2008 at 6:55 PM, Daniel J Walsh wrote:
>> > >> Valent Turkovic wrote:
>> > >>> On Thu, Mar 27, 2008 at 6:36 PM, John Dennis wrote:
>> > >> >> Valent Turkovic wrote:
>> > >> >> > I'm creating live cds under rawhide and I have selinux in permissive
>> > >> >> > mode, could that be reason I'm seeing these hundreds of alerts?
>> > >> >> https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00130.html
>> > >> >>
>> > >> >> --
>> > >> >> John Dennis
>> > >> >
>> > >> > Ok, I'm an idiot :) I got so much going on at once (work, moving to
>> > >> > new apartment, etc...) that I totally forgot I got this replied
>> > >> > already.
>> > >> >
>> > >> > But I want to keep in permissive and not enforcing mode so is just
>> > >> > "load_policy" enough ?
>> > >> >
>> > >> > Cheers,
>> > >> > Valent.
>> > >> >
>> > >> load_policy and you might need to kill any processes that are running as
>> > >> unlabeled_t. Potentially you could have files that are mislabeled.
>> > >
>> > > I made several load_policy and relabels with reboot and I still see
>> > > these errors!
>> > > Do you have any idea why?
>> > >
>> > > Cheers,
>> > > Valent
>> > >
>> > Do you have two policy files in /etc/selinux/targeted/policy?
>>
>> # ls -al /etc/selinux/targeted/policy
>> total 4056
>> drwxr-xr-x 2 root root    4096 2008-04-03 23:05 .
>> drwxr-xr-x 5 root root    4096 2008-04-03 23:05 ..
>> -rw-r--r-- 1 root root 4128435 2008-04-03 23:05 policy.21
>>
>> as you can see I have only one file in policy directory
>>
>> > If you do, remove the lower version and then execute load_policy,
>> > Relabel the file in question and you should not have a problem. If the
>> > file is in /tmp you can remove it or set its label to tmp_t.
>>
>> I'm going now to move all files from /tmp to another folder and then
>> if reboot succeeds I'll delete those files and see if I still see
>> selinux alerts.
>>
>> So you haven't seen this kind of error? Nobody has reported anything similar?
>>
>> Valent.
>>
>> --
>> http://kernelreloaded.blog385.com/
>> linux, blog, anime, spirituality, windsurf, wireless
>> registered as user #367004 with the Linux Counter, http://counter.li.org.
>> ICQ: 2125241, Skype: valent.turkovic
>
> Even after deleting all files in /tmp folder I still see these two
> alerts (in attachment).
>
> I investigated alert about saved_state.tmp file and with locate file
> command I found this:
> /home/valentt/.gconfd/saved_state
>
> does that give you any more clues why I'm seeing these alerts? I'm now
> in Fedora 8 not in Rawhide but in Rawhide I see same alerts.
>
> Is it possible that livecd-creator does some things and breaks selinux
> in some way that you still aren't aware of?
>
> Valent.

You should run restorecon on your homedir.

restorecon -R -v ~/

The loading of a different policy will invalidate file context on disk that the new policy does not understand. But reloading the original policy should change the context back to something that is understood.

From dtimms at iinet.net.au Thu Apr 10 22:12:26 2008
From: dtimms at iinet.net.au (David Timms)
Date: Fri, 11 Apr 2008 08:12:26 +1000
Subject: mrtg selinux denials in default configuration
In-Reply-To: <47FE713C.2090102@redhat.com>
References: <47FE0CA8.5010705@iinet.net.au> <47FE12CE.6030903@iinet.net.au> <47FE713C.2090102@redhat.com>
Message-ID: <47FE90CA.1020302@iinet.net.au>

Daniel J Walsh wrote:
> David Timms wrote:
>> David Timms wrote:
>>> Should there be selinux denials on a default install of a package ?
>> audit item attached.

> Your /root directory is labeled incorrectly.
I did a touch /.autorelabel and reboot yesterday morning, and made the setroubleshooter work. These have occurred since then. There is some old .xauth files from last year in the folder, but none seem to have incorrect context.

> restorecon -R -v /root
Tried restorecon -R -v -n /root
- there were no replies.
restorecon -R -v /root
- there was also no replies.
My understanding is that any files that needed their secontext restored would have been echoed.

> Should fix. That is what setroubleshoot suggested, did you try it.
No.
Is {restorecon -v './root'} the same as the above ?
It does not echo any response either.

> Default installs should not be generating AVC's
Does that include an upgrade F8-F9beta ?

In any case I'm doing a full relabel again, after I send this message, and I'll see if that solves it...

From cannewilson at googlemail.com Fri Apr 11 09:02:54 2008
From: cannewilson at googlemail.com (Anne Wilson)
Date: Fri, 11 Apr 2008 10:02:54 +0100
Subject: Confining Firefox
In-Reply-To: <47FE6FFF.5040406@redhat.com>
References: <47FD49CD.3090705@cs.tu-berlin.de> <47FE6FFF.5040406@redhat.com>
Message-ID: <200804111002.54632.cannewilson@googlemail.com>

On Thursday 10 April 2008 08:52:31 pm Daniel J Walsh wrote:
> If you run your plugins in confined mode
>
> # setsebool -P allow_unconfined_nsplugin_transition=1
> # yum install nspluginwrapper
> # restorecon -R -v ~/
>
> None of the plugins will be allowed to read directories like .ssh or
> .gpg in your home directory.
>
> firefox is really difficult to confine, but with nsplugin you can
> confine the plugins fairly well.

Could you please clarify for me - Does the restorecon need to be run every time anything is installed to the ~/?

(How many places do I have to check to make everything use the GB keyboard layout? In some places it does use it, in others it doesn't. It's driving me mad!)
Anne

From cannewilson at googlemail.com Fri Apr 11 09:21:22 2008
From: cannewilson at googlemail.com (Anne Wilson)
Date: Fri, 11 Apr 2008 10:21:22 +0100
Subject: Confining Firefox
In-Reply-To: <200804111002.54632.cannewilson@googlemail.com>
References: <47FD49CD.3090705@cs.tu-berlin.de> <47FE6FFF.5040406@redhat.com> <200804111002.54632.cannewilson@googlemail.com>
Message-ID: <200804111021.22639.cannewilson@googlemail.com>

On Friday 11 April 2008 10:02:54 am Anne Wilson wrote:
> (How many places do I have to check to make everything use the GB keyboard
> layout? In some places it does use it, in others it doesn't. It's driving
> me mad!)

Don't answer that. I'll start a new thread

Anne

From sds at tycho.nsa.gov Fri Apr 11 13:33:19 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 11 Apr 2008 09:33:19 -0400
Subject: Confining Firefox
In-Reply-To: <200804111002.54632.cannewilson@googlemail.com>
References: <47FD49CD.3090705@cs.tu-berlin.de> <47FE6FFF.5040406@redhat.com> <200804111002.54632.cannewilson@googlemail.com>
Message-ID: <1207920799.21223.854.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2008-04-11 at 10:02 +0100, Anne Wilson wrote:
> On Thursday 10 April 2008 08:52:31 pm Daniel J Walsh wrote:
> > If you run your plugins in confined mode
> >
> > # setsebool -P allow_unconfined_nsplugin_transition=1
> > # yum install nspluginwrapper
> > # restorecon -R -v ~/
> >
> > None of the plugins will be allowed to read directories like .ssh or
> > .gpg in your home directory.
> >
> > firefox is really difficult to confine, but with nsplugin you can
> > confine the plugins fairly well.
>
> Could you please clarify for me - Does the restorecon need to be run every
> time anything is installed to the ~/?

Only if the default inheritance or type transition rule doesn't yield the desired type for the file. That can happen if you e.g.
move aside a directory and re-create it and it needs its own distinct type from the parent directory in order to differentiate it in policy.

You can also avoid the need to manually run restorecon by configuring restorecond to watch for the specific directories and/or files in question (via /etc/selinux/restorecond.conf), in which case the daemon will automatically label those files upon creation.

--
Stephen Smalley
National Security Agency

From cra at WPI.EDU Fri Apr 11 15:15:09 2008
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 11 Apr 2008 11:15:09 -0400
Subject: AVC everytime I launch a tab in firefox from gnome-terminal
Message-ID: <20080411151509.GD21548@angus.ind.WPI.EDU>

Every time I launch a tab from a URL in gnome-terminal, I get this AVC:

Hmm why is this program set-uid root?

>ls -l /usr/lib/nspluginwrapper/plugin-config
-rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*

Summary:

SELinux is preventing plugin-config (nsplugin_config_t) "execstack" to (nsplugin_config_t).

Detailed Description:

SELinux denied access requested by plugin-config. It is not expected that this access is required by plugin-config and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        plugin-config
Source Path                   /usr/lib/nspluginwrapper/plugin-config
Port
Host                          dustpuppy.wpi.edu
Source RPM Packages           nspluginwrapper-0.9.91.5-26.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-31.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dustpuppy.wpi.edu
Platform                      Linux dustpuppy.wpi.edu 2.6.25-0.204.rc8.git4.fc9.i686 #1 SMP Mon Apr 7 11:33:46 EDT 2008 i686 i686
Alert Count                   14
First Seen                    Tue 08 Apr 2008 03:07:02 PM EDT
Last Seen                     Fri 11 Apr 2008 11:02:14 AM EDT
Local ID                      3be91387-8d68-4700-868a-cc02880ae589
Line Numbers

Raw Audit Messages

host=dustpuppy.wpi.edu type=AVC msg=audit(1207926134.511:4168): avc: denied { execstack } for pid=30324 comm="plugin-config" scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 tclass=process

host=dustpuppy.wpi.edu type=SYSCALL msg=audit(1207926134.511:4168): arch=40000003 syscall=125 success=no exit=-13 a0=bff95000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=30322 pid=30324 auid=10002 uid=10002 gid=10002 euid=0 suid=0 fsuid=0 egid=10002 sgid=10002 fsgid=10002 tty=(none) ses=1 comm="plugin-config" exe="/usr/lib/nspluginwrapper/plugin-config" subj=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023 key=(null)

From cra at WPI.EDU Fri Apr 11 15:25:08 2008
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 11 Apr 2008 11:25:08 -0400
Subject: AVC everytime I launch a tab in firefox from gnome-terminal
In-Reply-To: <20080411151509.GD21548@angus.ind.WPI.EDU>
References: <20080411151509.GD21548@angus.ind.WPI.EDU>
Message-ID: <20080411152508.GE21548@angus.ind.WPI.EDU>

On Fri, Apr 11, 2008 at 11:15:09AM -0400, Chuck Anderson wrote:
> Every time I launch a tab from a
URL in gnome-terminal, I get this
> AVC:
>
> Hmm why is this program set-uid root?
>
> >ls -l /usr/lib/nspluginwrapper/plugin-config
> -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
>
> host=dustpuppy.wpi.edu type=AVC msg=audit(1207926134.511:4168): avc:
> denied { execstack } for pid=30324 comm="plugin-config"
> scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
> tclass=process

I opened a bug on nspluginwrapper to get some questions answered:

https://bugzilla.redhat.com/show_bug.cgi?id=442065

From joe at nall.com Mon Apr 14 02:44:36 2008
From: joe at nall.com (Joe Nall)
Date: Sun, 13 Apr 2008 21:44:36 -0500
Subject: Rawhide MLS policy.22 and policy.23
Message-ID: <5DAB5527-0F66-44C8-8DA5-9D50DC3B63EB@nall.com>

I have an MLS policy.22 and policy.23 on current rawhide. The system boots and runs policy.22. sedispol doesn't like policy.23. What controls which policy is in use? Is 22 the correct policy to be running today?

joe

From sds at tycho.nsa.gov Mon Apr 14 12:31:41 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 14 Apr 2008 08:31:41 -0400
Subject: Rawhide MLS policy.22 and policy.23
In-Reply-To: <5DAB5527-0F66-44C8-8DA5-9D50DC3B63EB@nall.com>
References: <5DAB5527-0F66-44C8-8DA5-9D50DC3B63EB@nall.com>
Message-ID: <1208176301.18883.18.camel@moss-spartans.epoch.ncsc.mil>

On Sun, 2008-04-13 at 21:44 -0500, Joe Nall wrote:
> I have an MLS policy.22 and policy.23 on current rawhide. The system
> boots and runs policy.22. sedispol doesn't like policy.23. What
> controls which policy is in use? Is 22 the correct policy to be
> running today?

Known problem.
The way it is supposed to work (and used to work prior to moving initial policy load into the initrd for upstart) is that libsemanage would always generate the latest policy version supported by libsepol, and libselinux would always try to load the latest policy version supported by libsepol, and libselinux could use libsepol to downgrade that policy to one understood by the kernel as needed.

The problem now in Fedora 9 / rawhide is that initial policy load happens from nash on the initrd, and uses the libsepol pulled into the initrd when it was built (i.e. when the kernel was installed). Thus, you can end up with an older libsepol on the initrd than exists on the real root, and have a system where nash can NOT load the latest policy generated by libsemanage.

To fix, either a) rebuild your initrd so that you have the latest libsepol in it (this should happen automatically on next kernel install), or b) force the libsepol on the real root to generate policy.22 instead by putting policy-version = 22 in /etc/selinux/semanage.conf and then run semodule -B to rebuild.

setools should have been rebuilt recently to pick up the new libsepol (it uses the static lib and has to be rebuilt for newer ones).

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Apr 14 18:18:03 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 14 Apr 2008 14:18:03 -0400
Subject: Rawhide MLS policy.22 and policy.23
In-Reply-To: <1208176301.18883.18.camel@moss-spartans.epoch.ncsc.mil>
References: <5DAB5527-0F66-44C8-8DA5-9D50DC3B63EB@nall.com> <1208176301.18883.18.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1208197083.18883.119.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2008-04-14 at 08:31 -0400, Stephen Smalley wrote:
> On Sun, 2008-04-13 at 21:44 -0500, Joe Nall wrote:
> > I have an MLS policy.22 and policy.23 on current rawhide. The system
> > boots and runs policy.22. sedispol doesn't like policy.23. What
> > controls which policy is in use?
> > Is 22 the correct policy to be
> > running today?
>
> Known problem. The way it is supposed to work (and used to work prior
> to moving initial policy load into the initrd for upstart) is that
> libsemanage would always generate the latest policy version supported by
> libsepol, and libselinux would always try to load the latest policy
> version supported by libsepol, and libselinux could use libsepol to
> downgrade that policy to one understood by the kernel as needed.
>
> The problem now in Fedora 9 / rawhide is that initial policy load
> happens from nash on the initrd, and uses the libsepol pulled into the
> initrd when it was built (i.e. when the kernel was installed). Thus,
> you can end up with an older libsepol on the initrd than exists on the
> real root, and have a system where nash can NOT load the latest policy
> generated by libsemanage.
>
> To fix, either a) rebuild your initrd so that you have the latest
> libsepol in it (this should happen automatically on next kernel
> install), or b) force the libsepol on the real root to generate
> policy.22 instead by putting policy-version = 22
> in /etc/selinux/semanage.conf and then run semodule -B to rebuild.
>
> setools should have been rebuilt recently to pick up the new libsepol
> (it uses the static lib and has to be rebuilt for newer ones).

Oops, sedispol comes from checkpolicy, not setools. And it doesn't look like checkpolicy has been rebuilt for the newer libsepol (checkpolicy -V only reports version 22). Dan?
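Stephen's explanation of how policy.22 and policy.23 end up side by side, as an added example that is not part of his messages: a small POSIX sh diagnostic that emulates the "highest policy.N the loader's libsepol supports" selection, checks whether the version libsemanage will write is loadable by a loader capped at an older version (the initrd case), and applies workaround b) by pinning policy-version in semanage.conf. The policy directory, the version limits and the semanage.conf path are parameters constructed for the demo, not read from a live system.

```shell
#!/bin/sh
# Added example, not from the list thread. Emulates the policy.N selection that
# libselinux performs and the libsemanage/initrd version mismatch described above.

# pick_loadable_policy DIR MAX [MIN]: print the highest N with MIN <= N <= MAX
# for which DIR/policy.N exists, i.e. the file a loader whose libsepol supports
# at most version MAX would pick. Returns 1 if no loadable policy exists.
pick_loadable_policy() {
    dir=$1; max=$2; min=${3:-15}
    v=$max
    while [ "$v" -ge "$min" ]; do
        if [ -f "$dir/policy.$v" ]; then
            echo "$v"
            return 0
        fi
        v=$((v - 1))
    done
    return 1
}

# generated_policy_version CONF ROOT_MAX: the version libsemanage will write,
# i.e. the policy-version pin from semanage.conf if present, otherwise the
# maximum supported by the libsepol on the real root.
generated_policy_version() {
    conf=$1; root_max=$2
    v=$(sed -n 's/^[[:space:]]*policy-version[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" 2>/dev/null | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo "$root_max"; fi
}

# check_initrd_can_load CONF ROOT_MAX LOADER_MAX: report whether a loader capped
# at LOADER_MAX (the libsepol built into the initrd) can read what libsemanage
# generates. Returns 0 when it can, 1 on a mismatch.
check_initrd_can_load() {
    conf=$1; root_max=$2; loader_max=$3
    gen=$(generated_policy_version "$conf" "$root_max")
    if [ "$gen" -gt "$loader_max" ]; then
        echo "MISMATCH: libsemanage writes policy.$gen but the initial loader only reads up to policy.$loader_max"
        return 1
    fi
    echo "OK: policy.$gen is loadable by the initial loader"
    return 0
}

# set_policy_version CONF VER: pin the generated version (workaround b above),
# replacing an existing policy-version line or appending one.
set_policy_version() {
    conf=$1; ver=$2
    if grep -q '^[[:space:]]*policy-version[[:space:]]*=' "$conf" 2>/dev/null; then
        tmp=$(mktemp)
        sed "s/^[[:space:]]*policy-version[[:space:]]*=.*/policy-version = $ver/" "$conf" > "$tmp"
        cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        printf 'policy-version = %s\n' "$ver" >> "$conf"
    fi
}

# Demo on a constructed directory mirroring Joe's report: policy.22 and
# policy.23 present, real root libsepol at 23, initrd libsepol still at 22.
demo() {
    d=$(mktemp -d)
    : > "$d/policy.22"; : > "$d/policy.23"
    printf 'module-store = direct\n' > "$d/semanage.conf"
    echo "initrd loader (max 22) picks: policy.$(pick_loadable_policy "$d" 22)"
    echo "root libselinux (max 23) picks: policy.$(pick_loadable_policy "$d" 23)"
    check_initrd_can_load "$d/semanage.conf" 23 22 || true
    set_policy_version "$d/semanage.conf" 22
    check_initrd_can_load "$d/semanage.conf" 23 22 || true
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

Run with `sh script.sh demo` to see the mismatch before the pin and the OK verdict after it; after pinning on a real system, `semodule -B` rebuilds the policy as Stephen describes.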
--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon Apr 14 19:37:14 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 14 Apr 2008 15:37:14 -0400
Subject: AVC everytime I launch a tab in firefox from gnome-terminal
In-Reply-To: <20080411152508.GE21548@angus.ind.WPI.EDU>
References: <20080411151509.GD21548@angus.ind.WPI.EDU> <20080411152508.GE21548@angus.ind.WPI.EDU>
Message-ID: <4803B26A.9060505@redhat.com>

Chuck Anderson wrote:
> On Fri, Apr 11, 2008 at 11:15:09AM -0400, Chuck Anderson wrote:
>> Every time I launch a tab from a URL in gnome-terminal, I get this
>> AVC:
>>
>> Hmm why is this program set-uid root?
>>
>>> ls -l /usr/lib/nspluginwrapper/plugin-config
>> -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
>>
>> host=dustpuppy.wpi.edu type=AVC msg=audit(1207926134.511:4168): avc:
>> denied { execstack } for pid=30324 comm="plugin-config"
>> scontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:nsplugin_config_t:s0-s0:c0.c1023
>> tclass=process
>
> I opened a bug on nspluginwrapper to get some questions answered:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=442065

This is probably caused by some evil/badly written plugin

If you turn on the allow_nsplugin_execmem boolean, the app should work.
setsebool -P allow_nsplugin_execmem=1

From dwalsh at redhat.com Mon Apr 14 19:39:44 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 14 Apr 2008 15:39:44 -0400
Subject: mrtg selinux denials in default configuration
In-Reply-To: <47FE90CA.1020302@iinet.net.au>
References: <47FE0CA8.5010705@iinet.net.au> <47FE12CE.6030903@iinet.net.au> <47FE713C.2090102@redhat.com> <47FE90CA.1020302@iinet.net.au>
Message-ID: <4803B300.9010701@redhat.com>

David Timms wrote:
> Daniel J Walsh wrote:
>> David Timms wrote:
>>> David Timms wrote:
>>>> Should there be selinux denials on a default install of a package ?
>>> audit item attached.
>
>> Your /root directory is labeled incorrectly.
> I did a touch /.autorelabel and reboot yesterday morning, and made the
> setroubleshooter work. These have occurred since then. There is some old
> .xauth files from last year in the folder, but none seem to have
> incorrect context.
>
>> restorecon -R -v /root
> Tried restorecon -R -v -n /root
> - there were no replies.
>
> restorecon -R -v /root
> - there was also no replies.
> My understanding is that any files that needed their secontext restored
> would have been echoed.
>
>> Should fix. That is what setroubleshoot suggested, did you try it.
> No.
> Is {restorecon -v './root'} the same as the above ?
> It does not echo any response either.
>
>> Default installs should not be generating AVC's
> Does that include an upgrade F8-F9beta ?
>
> In any case I'm doing a full relabel again, after I send this message,
> and I'll see if that solves it...

No the upgrade from F8-F9 Beta will create avc's. :^(

I am working on fixing these.

From dwalsh at redhat.com Mon Apr 14 19:40:10 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 14 Apr 2008 15:40:10 -0400
Subject: mrtg selinux denials in default configuration
In-Reply-To: <47FE90CA.1020302@iinet.net.au>
References: <47FE0CA8.5010705@iinet.net.au> <47FE12CE.6030903@iinet.net.au> <47FE713C.2090102@redhat.com> <47FE90CA.1020302@iinet.net.au>
Message-ID: <4803B31A.2020207@redhat.com>

David Timms wrote:
> Daniel J Walsh wrote:
>> David Timms wrote:
>>> David Timms wrote:
>>>> Should there be selinux denials on a default install of a package ?
>>> audit item attached.
>
>> Your /root directory is labeled incorrectly.
> I did a touch /.autorelabel and reboot yesterday morning, and made the
> setroubleshooter work. These have occurred since then. There is some old
> .xauth files from last year in the folder, but none seem to have
> incorrect context.
>
>> restorecon -R -v /root
> Tried restorecon -R -v -n /root
> - there were no replies.
>
> restorecon -R -v /root
> - there was also no replies.
> My understanding is that any files that needed their secontext restored
> would have been echoed.
>
>> Should fix. That is what setroubleshoot suggested, did you try it.
> No.
> Is {restorecon -v './root'} the same as the above ?
> It does not echo any response either.
>
>> Default installs should not be generating AVC's
> Does that include an upgrade F8-F9beta ?
> In any case I'm doing a full relabel again, after I send this message, and I'll see if that solves it...

# semanage user -l
# semanage login -l

From voegi at magnet.ch Mon Apr 14 20:49:19 2008
From: voegi at magnet.ch (voegi)
Date: Mon, 14 Apr 2008 13:49:19 -0700 (PDT)
Subject: SELinux prevents Samba from sharing NTFS mounts.
Message-ID: <16677407.post@talk.nabble.com>

Petteri Kautonen wrote:
>
> Daniel J Walsh wrote:
> It mounts the partition but the context according to 'ls --lcontext' still is system_u:object_r:fusefs_t.
>
I have the same problem. How did you solve this? Thank you!

From petteri.kautonen at pp.inet.fi Tue Apr 15 09:06:25 2008
From: petteri.kautonen at pp.inet.fi (Petteri Kautonen)
Date: Tue, 15 Apr 2008 12:06:25 +0300
Subject: SELinux prevents Samba from sharing NTFS mounts.
In-Reply-To: <2506295.43121208176494020.JavaMail.nabble@isper.nabble.com>
References: <2506295.43121208176494020.JavaMail.nabble@isper.nabble.com>
Message-ID: <48047011.8010208@pp.inet.fi>

An HTML attachment was scrubbed...

From lz at csltd.com.ua Tue Apr 15 12:00:47 2008
From: lz at csltd.com.ua (Leonid Zeitlin)
Date: Tue, 15 Apr 2008 15:00:47 +0300
Subject: Samba access to /var/www/html and webalizer
Message-ID:

Hi all, I want to export my /var/www/html directory via Samba.
Man samba_selinux suggests: "If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t." Ok, I did just that and relabeled /var/www/html as public_content_rw_t. I found that Samba still cannot access /var/www/html, because /var/www was still labelled httpd_sys_content_t. Ok, I relabeled /var/www as well. Now I see that webalizer can't work. It can't enter its directory /var/www/usage, because /var/www is labelled public_content_t and webalizer can't search this directory. Short of setting samba_export_all_rw, is there a way to get both Samba and Webalizer to work? Perhaps webalizer should be allowed to read/search public_content_t and public_content_rw_t?

Thanks, Leonid

From dtimms at iinet.net.au Tue Apr 15 12:51:19 2008
From: dtimms at iinet.net.au (David Timms)
Date: Tue, 15 Apr 2008 22:51:19 +1000
Subject: mrtg selinux denials in default configuration
In-Reply-To: <4803B31A.2020207@redhat.com>
References: <47FE0CA8.5010705@iinet.net.au> <47FE12CE.6030903@iinet.net.au> <47FE713C.2090102@redhat.com> <47FE90CA.1020302@iinet.net.au> <4803B31A.2020207@redhat.com>
Message-ID: <4804A4C7.1030505@iinet.net.au>

Daniel J Walsh wrote:
> # semanage user -l
> # semanage login -l
#assume DJW_REQUESTING_RESULT:

# semanage user -l
                Labeling    MLS/       MLS/
SELinux User    Prefix      MCS Lvl    MCS Range               SELinux Roles

root            user        s0         SystemLow-SystemHigh    system_r staff_r unconfined_r sysadm_r
staff_u         user        s0         SystemLow-SystemHigh    system_r staff_r sysadm_r
sysadm_u        user        s0         SystemLow-SystemHigh    sysadm_r
system_u        user        s0         SystemLow-SystemHigh    system_r
unconfined_u    unconfined  s0         SystemLow-SystemHigh    system_r unconfined_r
user_u          user        s0         s0                      user_r

# semanage login -l
Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    SystemLow-SystemHigh
root            unconfined_u    SystemLow-SystemHigh
system_u        system_u        SystemLow-SystemHigh

As an aside, I erased mrtg yesterday - no more mrtg denials.
Reinstalled mrtg just now, mrtg denials every five minutes. It is also possible that when originally installed under F8, I attempted to configure it, but I can't find any evidence of that in /etc ...etc. My other machine doesn't popup the denials with a default install, so I expect there must be something invalid, or selinux not configured to match service requirements.
===
Actually running the same -l on another f9beta notebook:
# semanage user -l {has the ones above plus:}
                Labeling    MLS/       MLS/
SELinux User    Prefix      MCS Level  MCS Range    SELinux Roles

guest_u         guest       s0         s0           guest_r
xguest_u        xguest      s0         s0           xguest_r

# semanage login -l {same 3 items, except the selinux user for root is different}.
Login Name      SELinux User    MLS/MCS Range

root            root            SystemLow-SystemHigh

Given autorelabel doesn't seem to solve it, is it worth {possible} to rpm -e the targeted policy, then reinstall it - or am I barking up the wrong tree?
=====
DaveT.

From dwalsh at redhat.com Tue Apr 15 13:57:26 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 15 Apr 2008 09:57:26 -0400
Subject: mrtg selinux denials in default configuration
In-Reply-To: <4804A4C7.1030505@iinet.net.au>
References: <47FE0CA8.5010705@iinet.net.au> <47FE12CE.6030903@iinet.net.au> <47FE713C.2090102@redhat.com> <47FE90CA.1020302@iinet.net.au> <4803B31A.2020207@redhat.com> <4804A4C7.1030505@iinet.net.au>
Message-ID: <4804B446.5010808@redhat.com>

David Timms wrote:
> Daniel J Walsh wrote:
>> # semanage user -l
>> # semanage login -l
> #assume DJW_REQUESTING_RESULT:
>
> # semanage user -l
>                 Labeling    MLS/       MLS/
> SELinux User    Prefix      MCS Lvl    MCS Range               SELinux Roles
>
> root            user        s0         SystemLow-SystemHigh    system_r staff_r unconfined_r sysadm_r
> staff_u         user        s0         SystemLow-SystemHigh    system_r staff_r sysadm_r
> sysadm_u        user        s0         SystemLow-SystemHigh    sysadm_r
> system_u        user        s0         SystemLow-SystemHigh    system_r
> unconfined_u    unconfined  s0         SystemLow-SystemHigh    system_r unconfined_r
> user_u          user        s0         s0                      user_r
>
> # semanage login -l
> Login Name      SELinux User    MLS/MCS Range
>
> __default__     unconfined_u    SystemLow-SystemHigh
> root            unconfined_u    SystemLow-SystemHigh
> system_u        system_u        SystemLow-SystemHigh
>
> As an aside, I erased mrtg yesterday - no more mrtg denials.
> Reinstalled mrtg just now, mrtg denials every five minutes. It is also possible that when originally installed under F8, I attempted to configure it, but I can't find any evidence of that in /etc ...etc. My other machine doesn't popup the denials with a default install, so I expect there must be something invalid, or selinux not configured to match service requirements.
> ===
> Actually running the same -l on another f9beta notebook:
> # semanage user -l {has the ones above plus:}
>
>                 Labeling    MLS/       MLS/
> SELinux User    Prefix      MCS Level  MCS Range    SELinux Roles
>
> guest_u         guest       s0         s0           guest_r
> xguest_u        xguest      s0         s0           xguest_r
>
> # semanage login -l {same 3 items, except the selinux user for root is different}.
> Login Name      SELinux User    MLS/MCS Range
>
> root            root            SystemLow-SystemHigh
>
> Given autorelabel doesn't seem to solve it, is it worth {possible} to rpm -e the targeted policy, then reinstall it - or am I barking up the wrong tree?
> =====
>
> DaveT.

Ok I looked at the bugzilla, looks like mrtg is execing top which is reading all process /proc information. Does it need to be able to read all this, or can I dontaudit it.
From maximilianbianco at gmail.com Tue Apr 15 14:39:12 2008
From: maximilianbianco at gmail.com (max bianco)
Date: Tue, 15 Apr 2008 10:39:12 -0400
Subject: Fail2ban and SELinux
Message-ID:

I recently installed fail2ban on my F8 box. I don't allow remote access to my box but it had been mentioned recently so I decided to test it out. I installed it a few days ago but didn't do anything with it till last night. I had forgotten about it but I was perusing log files and saw 21 AVC's related to it. I pulled up my services gui and sure enough it wasn't running. I tried to start it and got denied (it wouldn't start from a terminal at all, complaining that the service is unrecognized). No problem, I expected as much when I saw the AVC's in my log files, but I always try things more than once so I tried to start it a second time, and this time, and every time after, it started without generating a denial. Is this because I manually started the service? That doesn't make sense because then it would have worked the first time as well but it didn't. I see that there is a policy module for fail2ban but if the module is in place then shouldn't it have run without issues? Why 21 AVC's and then it's working? I am learning my way around SELinux but I don't feel comfortable enough to troubleshoot this problem correctly, so where do I start?

Max

From dwalsh at redhat.com Tue Apr 15 20:11:53 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 15 Apr 2008 16:11:53 -0400
Subject: Fail2ban and SELinux
In-Reply-To:
References:
Message-ID: <48050C09.7050204@redhat.com>

max bianco wrote:
> I recently installed fail2ban on my F8 box.
> I don't allow remote access to my box but it had been mentioned recently so I decided to test it out. I installed it a few days ago but didn't do anything with it till last night. I had forgotten about it but I was perusing log files and saw 21 AVC's related to it. I pulled up my services gui and sure enough it wasn't running. I tried to start it and got denied (it wouldn't start from a terminal at all, complaining that the service is unrecognized). No problem, I expected as much when I saw the AVC's in my log files, but I always try things more than once so I tried to start it a second time, and this time, and every time after, it started without generating a denial. Is this because I manually started the service? That doesn't make sense because then it would have worked the first time as well but it didn't. I see that there is a policy module for fail2ban but if the module is in place then shouldn't it have run without issues? Why 21 AVC's and then it's working? I am learning my way around SELinux but I don't feel comfortable enough to troubleshoot this problem correctly, so where do I start?
>
> Max

Was there a policy upgrade during this time? Problem might have been fixed.
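Max asks where to start with a pile of AVCs, and every thread on this page starts the same way: pull the AVC records out of /var/log/audit/audit.log, group them by source type, target type, object class and permission, and pair each AVC with its SYSCALL record (the two share the serial in msg=audit(timestamp:serial)) to see whether the access actually went through. The grouping is what audit2allow does before it proposes allow rules; the pairing is how you tell a denial logged in permissive mode, which the kernel let through, from one that will block the program once enforcing is back on. The script below is an added example written for this page, not code from the list or from any Fedora tool. Its sample log is constructed: the first AVC/SYSCALL pair is the X-on-/dev/tty7 record Antonio posts further down this page, the rest are invented to give the grouping something to merge, and the webalizer/public_content_t denial is a made-up echo of Leonid's /var/www question, not an observed AVC.

```python
"""Group raw SELinux AVC records audit2allow-style and flag permissive-mode hits.

Added example for this page; not part of the mailing-list thread or of any
Fedora/SELinux tool. Works on /var/log/audit/audit.log lines as well as on the
'host=... type=AVC ...' form setroubleshoot pastes, because matching is by search.
"""
import re
from collections import defaultdict

# Constructed sample log. Records 37 (AVC + SYSCALL) are the X-on-/dev/tty7
# pair from Antonio's report on this page; 38 and 39 are invented here.
SAMPLE_LOG = """\
type=AVC msg=audit(1208389868.367:37): avc:  denied  { ioctl } for  pid=2431 comm="X" path="/dev/tty7" dev=tmpfs ino=237 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1208389868.367:37): arch=40000003 syscall=54 success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1208389870.112:38): avc:  denied  { read write } for  pid=2431 comm="X" path="/dev/tty7" dev=tmpfs ino=237 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1208389870.112:38): arch=40000003 syscall=5 success=no exit=-13 a0=0 a1=2 a2=0 a3=0 items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(1208389999.500:39): avc:  denied  { search } for  pid=3001 comm="webalizer" name="www" dev=dm-0 ino=12 scontext=system_u:system_r:webalizer_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm, path, exe) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """'pid=2431 comm="X" path="/dev/tty7"' -> {'pid': '2431', 'comm': 'X', ...}"""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def context_type(ctx):
    """user_u:user_r:user_t:s0 -> user_t, the component allow rules are written against."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_audit(text):
    """Return (avcs, syscalls): AVC records as dicts, SYSCALL fields keyed by serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            f = parse_fields(m.group("fields"))
            avcs.append({
                "serial": int(m.group("serial")),
                "verdict": m.group("verdict"),
                "perms": set(m.group("perms").split()),
                "comm": f.get("comm", "?"),
                "object": f.get("path") or f.get("name") or "?",
                "stype": context_type(f["scontext"]),
                "ttype": context_type(f["tcontext"]),
                "tclass": f["tclass"],
            })
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[int(m.group("serial"))] = parse_fields(m.group("fields"))
    return avcs, syscalls


def summarize(avcs):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for a in avcs:
        if a["verdict"] != "denied":
            continue
        g = groups[(a["stype"], a["ttype"], a["tclass"])]
        g["perms"] |= a["perms"]
        g["count"] += 1
        g["comms"].add(a["comm"])
    return dict(groups)


def allow_rules(summary):
    """Render each group as the allow rule audit2allow would propose. Read them,
    do not load them blindly: the same denial can mean a mislabeled file
    (restorecon), a boolean to flip, a dontaudit candidate, or a real policy bug."""
    rules = []
    for (stype, ttype, tclass), g in sorted(summary.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


def permissive_serials(avcs, syscalls):
    """Serials whose AVC says denied but whose syscall returned success=yes: the
    kernel was permissive, the access went through, and it will be blocked
    once enforcing mode is restored."""
    return sorted(a["serial"] for a in avcs
                  if a["verdict"] == "denied"
                  and syscalls.get(a["serial"], {}).get("success") == "yes")


if __name__ == "__main__":
    avcs, syscalls = parse_audit(SAMPLE_LOG)
    for rule in allow_rules(summarize(avcs)):
        print(rule)
    print("permissive-mode hits:", permissive_serials(avcs, syscalls))
```

Run against a real audit.log (sudo python3 avcgroup.py < /var/log/audit/audit.log, after swapping SAMPLE_LOG for sys.stdin.read()), the group count is the first thing to look at: Max's 21 AVCs typically collapse into two or three (source, target, class) groups, and a group whose target type is the label of one misplaced file is a restorecon job, not a policy change.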
From kwade at redhat.com Wed Apr 16 20:57:10 2008
From: kwade at redhat.com (Karsten 'quaid' Wade)
Date: Wed, 16 Apr 2008 13:57:10 -0700
Subject: Fedora buildsys and SELinux
Message-ID: <1208379430.5019.286.camel@calliope.phig.org>

As announced on fedora-devel-list[1], we'd like to come to a resolution (consensus, actions) on the challenges we have with SELinux in the Fedora build system.

I expect the following:

* All the parties are here now needed to figure this out
* Someone better than me is going to reply with specifics about what is not working in the buildsys
* We all agree it's pretty important to get this figured out in a good way

One example of a project blocking on this work is the Fedora spin server. We would have to put a non-SELinux secured server in the loop somewhere for the actual spin building, and any way we do that is going to be hacky and whacky.

The main problem I see outside of the technical issues is a marketing one. Fedora's infrastructure is a set of open tools that anyone can download and make work themselves. We know that people do that. Fedora Infrastructure is a feature producer; just as Fedora Docs supplies a full-course documentation toolchain, so does Infrastructure supply a full-course FLOSS project toolset.[2] We do *not* want to be explaining that a new feature doesn't work with SELinux. At the very minimum, we have been consistent about the value of SELinux in Fedora, and to ship something as a Fedora feature that cannot run under SELinux ... well, that would be bad. This is why other Fedora folks are asking the Fedora SELinux team to take this off the backburner.
Thanks - Karsten

[1] https://www.redhat.com/archives/fedora-devel-list/2008-April/msg01064.html
[2] Yep, that's right; Fedora Infrastructure is a feature of Fedora. For example, the new grid project 'Fedora Sleepwalker' is looking to get integrated into firstboot or some kind of JoinBuddy. When that happens, adding your install to the Fedora Sleepwalker grid is going to be touted as a major feature for that release.

--
Karsten Wade, Sr. Developer Community Mgr.
Dev Fu : http://developer.redhatmagazine.com
Fedora : http://quaid.fedorapeople.org
gpg key : AD0E0C41

From jmorris at namei.org Wed Apr 16 23:45:14 2008
From: jmorris at namei.org (James Morris)
Date: Thu, 17 Apr 2008 09:45:14 +1000 (EST)
Subject: Fedora buildsys and SELinux
In-Reply-To: <1208379430.5019.286.camel@calliope.phig.org>
References: <1208379430.5019.286.camel@calliope.phig.org>
Message-ID:

On Wed, 16 Apr 2008, Karsten 'quaid' Wade wrote:
> As announced on fedora-devel-list[1], we'd like to come to a resolution (consensus, actions) on the challenges we have with SELinux in the Fedora build system.
>
> I expect the following:
>
> * All the parties are here now needed to figure this out
> * Someone better than me is going to reply with specifics about what is not working in the buildsys
> * We all agree it's pretty important to get this figured out in a good way

Can you please explain specifically what the problem is?
--
James Morris

From dtimms at iinet.net.au Wed Apr 16 23:49:42 2008
From: dtimms at iinet.net.au (David Timms)
Date: Thu, 17 Apr 2008 09:49:42 +1000
Subject: mrtg selinux denials in default configuration
In-Reply-To: <4804B446.5010808@redhat.com>
References: <47FE0CA8.5010705@iinet.net.au> <47FE12CE.6030903@iinet.net.au> <47FE713C.2090102@redhat.com> <47FE90CA.1020302@iinet.net.au> <4803B31A.2020207@redhat.com> <4804A4C7.1030505@iinet.net.au> <4804B446.5010808@redhat.com>
Message-ID: <48069096.9040207@iinet.net.au>

Daniel J Walsh wrote:
>...
> Ok I looked at the bugzilla, looks like mrtg is execing top which is reading all process /proc information. Does it need to be able to read all this, or can I dontaudit it.

Dan, I really don't know the answer to that - I haven't got around to understanding / configuring mrtg at all. I got the impression from that bug that the poster had a specific configuration that was causing that - and that he would have to create allow rules for it to work, whereas I don't seem to have any configuration for mrtg {except what is provided in the rpm - a crond */5 min run using its default config /etc/mrtg/mrtg.cfg}.

I can confirm that commenting the /etc/cron.d/mrtg command stops the denials, but I don't understand why my other F9Beta++ machine doesn't generate the same denials.

As an aside: is there a way to perform an rpm -V to verify the package's vs. on-disk contexts? I could do this for mrtg and all its requirements.

DaveT.

From olivares14031 at yahoo.com Wed Apr 16 23:54:17 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 16 Apr 2008 16:54:17 -0700 (PDT)
Subject: selinux denies X, but can get in via permissive mode
Message-ID: <515539.55310.qm@web52606.mail.re2.yahoo.com>

Dear all,

*** fedora 7 ==> Fedora rawhide machine. booting with enforcing=0 parameter. Could not su - before, but with enforcing=0 can now. The following warning comes up.
How can I fix to boot normally,

Thanks,

Antonio

Summary:
SELinux prevented X from using the terminal /dev/tty7.

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux prevented X from using the terminal /dev/tty7. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access:
Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1."

Fix Command:
setsebool -P allow_daemons_use_tty=1

Additional Information:
Source Context        user_u:user_r:user_t
Target Context        system_u:object_r:tty_device_t
Target Objects        /dev/tty7 [ chr_file ]
Source                X
Source Path           /usr/bin/Xorg
Port
Host                  localhost.localdomain
Source RPM Packages   xorg-x11-server-Xorg-1.4.99.901-21.20080407.fc9
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-33.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           allow_daemons_use_tty
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 2.6.25-0.218.rc8.git7.fc9.i686 #1 SMP Wed Apr 9 20:35:56 EDT 2008 i686 i686
Alert Count           1
First Seen            Wed 16 Apr 2008 06:51:08 PM CDT
Last Seen             Wed 16 Apr 2008 06:51:08 PM CDT
Local ID              08f38222-ea43-4584-b095-04504b198679
Line Numbers

Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1208389868.367:37): avc: denied { ioctl } for pid=2431 comm="X" path="/dev/tty7" dev=tmpfs ino=237 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
host=localhost.localdomain type=SYSCALL msg=audit(1208389868.367:37): arch=40000003 syscall=54 success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" subj=user_u:user_r:user_t:s0 key=(null)

From jreiser at BitWagon.com Thu Apr 17 00:14:00 2008
From: jreiser at BitWagon.com (John Reiser)
Date: Wed, 16 Apr 2008 17:14:00 -0700
Subject: Fedora buildsys and SELinux
In-Reply-To:
References: <1208379430.5019.286.camel@calliope.phig.org>
Message-ID: <48069648.1060203@BitWagon.com>

>> the challenges we have with SELinux in the Fedora build system.
> Can you please explain specifically what the problem is?

One of the problems is that the result of a pungi compose that is performed with SELinux enforcing, does not install SELinux enabled by default, because [a chain of events] the DVD/CD does not contain the policy file, partly because under enforcing you cannot create a virtualized /dev/null that has the right context.
http://bugzilla.redhat.com/show_bug.cgi?id=343861
http://bugzilla.redhat.com/show_bug.cgi?id=343851
The workaround is "setenforce 0" during the pungi compose.

In general, it looks to me like SELinux itself cannot be virtualized. [I really didn't expect it, but nevertheless I cannot find it.] This means that any time you want to "fake it", then you must turn off enforcing, or create a full virtualized OS instance that has enforcing off.
--

From notting at redhat.com Thu Apr 17 00:22:56 2008
From: notting at redhat.com (Bill Nottingham)
Date: Wed, 16 Apr 2008 20:22:56 -0400
Subject: Fedora buildsys and SELinux
In-Reply-To:
References: <1208379430.5019.286.camel@calliope.phig.org>
Message-ID: <20080417002256.GA30919@nostromo.devel.redhat.com>

James Morris (jmorris at namei.org) said:
> > * All the parties are here now needed to figure this out
> > * Someone better than me is going to reply with specifics about what is not working in the buildsys
> > * We all agree it's pretty important to get this figured out in a good way
>
> Can you please explain specifically what the problem is?

You cannot create files in a chroot of a context not known by the host policy. This means that if your host is running RHEL 5, you are unable to compose any trees/images/livecds with SELinux enabled for later releases.

Bill

From jmorris at namei.org Thu Apr 17 00:43:17 2008
From: jmorris at namei.org (James Morris)
Date: Thu, 17 Apr 2008 10:43:17 +1000 (EST)
Subject: Fedora buildsys and SELinux
In-Reply-To: <20080417002256.GA30919@nostromo.devel.redhat.com>
References: <1208379430.5019.286.camel@calliope.phig.org> <20080417002256.GA30919@nostromo.devel.redhat.com>
Message-ID:

On Wed, 16 Apr 2008, Bill Nottingham wrote:
> James Morris (jmorris at namei.org) said:
> > > * All the parties are here now needed to figure this out
> > > * Someone better than me is going to reply with specifics about what is not working in the buildsys
> > > * We all agree it's pretty important to get this figured out in a good way
> >
> > Can you please explain specifically what the problem is?
>
> You cannot create files in a chroot of a context not known by the host policy. This means that if your host is running RHEL 5, you are unable to compose any trees/images/livecds with SELinux enabled for later releases.

Ok, that's what I suspected.
One of the possible plans for this is to allow a process to run in a separate policy namespace, and probably also utilize namespace support in general.

This is non-trivial and needs more analysis.

- James

--
James Morris

From kwade at redhat.com Thu Apr 17 02:24:37 2008
From: kwade at redhat.com (Karsten 'quaid' Wade)
Date: Wed, 16 Apr 2008 19:24:37 -0700
Subject: Fedora buildsys and SELinux
In-Reply-To:
References: <1208379430.5019.286.camel@calliope.phig.org> <20080417002256.GA30919@nostromo.devel.redhat.com>
Message-ID: <1208399077.5019.323.camel@calliope.phig.org>

On Thu, 2008-04-17 at 10:43 +1000, James Morris wrote:
> On Wed, 16 Apr 2008, Bill Nottingham wrote:
>
> > James Morris (jmorris at namei.org) said:
> > > > * All the parties are here now needed to figure this out
> > > > * Someone better than me is going to reply with specifics about what is not working in the buildsys
> > > > * We all agree it's pretty important to get this figured out in a good way
> > >
> > > Can you please explain specifically what the problem is?
> >
> > You cannot create files in a chroot of a context not known by the host policy. This means that if your host is running RHEL 5, you are unable to compose any trees/images/livecds with SELinux enabled for later releases.
>
> Ok, that's what I suspected.
>
> One of the possible plans for this is to allow a process to run in a separate policy namespace, and probably also utilize namespace support in general.
>
> This is non-trivial and needs more analysis.

Thanks. When we get to the point of needing to justify resource allocation on the Red Hat side, I'm here to present the "Fedora leadership request", if needed. Otherwise, not sure if this is going to be important enough to the intersecting sets of Fedoran and SELinux hacker who are not part of the @redhat.com set.

- Karsten

--
Karsten Wade, Sr. Developer Community Mgr.
Dev Fu : http://developer.redhatmagazine.com
Fedora : http://quaid.fedorapeople.org
gpg key : AD0E0C41

From notting at redhat.com Thu Apr 17 03:23:47 2008
From: notting at redhat.com (Bill Nottingham)
Date: Wed, 16 Apr 2008 23:23:47 -0400
Subject: Fedora buildsys and SELinux
In-Reply-To:
References: <1208379430.5019.286.camel@calliope.phig.org> <20080417002256.GA30919@nostromo.devel.redhat.com>
Message-ID: <20080417032347.GA7021@nostromo.devel.redhat.com>

James Morris (jmorris at namei.org) said:
> > You cannot create files in a chroot of a context not known by the host policy. This means that if your host is running RHEL 5, you are unable to compose any trees/images/livecds with SELinux enabled for later releases.
>
> Ok, that's what I suspected.
>
> One of the possible plans for this is to allow a process to run in a separate policy namespace, and probably also utilize namespace support in general.
>
> This is non-trivial and needs more analysis.

Incidentally, this is also one of the blockers for policy-in-packages, rather than a monolithic one.

Bill

From dwalsh at redhat.com Thu Apr 17 12:31:43 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 17 Apr 2008 08:31:43 -0400
Subject: mrtg selinux denials in default configuration
In-Reply-To: <48069096.9040207@iinet.net.au>
References: <47FE0CA8.5010705@iinet.net.au> <47FE12CE.6030903@iinet.net.au> <47FE713C.2090102@redhat.com> <47FE90CA.1020302@iinet.net.au> <4803B31A.2020207@redhat.com> <4804A4C7.1030505@iinet.net.au> <4804B446.5010808@redhat.com> <48069096.9040207@iinet.net.au>
Message-ID: <4807432F.7060200@redhat.com>

David Timms wrote:
> Daniel J Walsh wrote:
>> ...
>> Ok I looked at the bugzilla, looks like mrtg is execing top which is reading all process /proc information. Does it need to be able to read all this, or can I dontaudit it.
>
> Dan, I really don't know the answer to that - I haven't got around to understanding / configuring mrtg at all. I got the impression from that bug that the poster had a specific configuration that was causing that - and that he would have to create allow rules for it to work, whereas I don't seem to have any configuration for mrtg {except what is provided in the rpm - a crond */5 min run using its default config /etc/mrtg/mrtg.cfg}.
>
> I can confirm that commenting the /etc/cron.d/mrtg command stops the denials, but I don't understand why my other F9Beta++ machine doesn't generate the same denials.
>
> As an aside: is there a way to perform an rpm -V to verify the package's vs. on-disk contexts? I could do this for mrtg and all its requirements.
>
> DaveT.

Not really but you can do a fixfiles -R mrtg restore to read the rpm database and fix the labels on disk.
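David's question (an rpm -V for security contexts) and Dan's answer (fixfiles -R mrtg restore) amount to the same check: take the files a package owns and ask the file-context policy what label each of them should carry. restorecon -n -v does the comparison without changing anything and prints one line per file whose label differs, so empty output means the package's files are labeled as policy expects; David's silent restorecon -R -v -n /root earlier in this thread was that result. The script below is an added example written for this page, not a tool from policycoreutils or from the thread. It assumes rpm and restorecon are on PATH (so the live check only runs on a Fedora or RHEL host, as root for reliable results) and it assumes restorecon's verbose line format is "restorecon reset <path> context <current>-><expected>". The sample output is constructed to show what a hand-relabeled /var/www, as in Leonid's Samba thread above, looks like against the stock policy; it is not output captured from any machine in the thread.

```python
"""rpm -V for SELinux contexts: dry-run restorecon over a package's files.

Added example for this page, not part of the thread or of policycoreutils.
Assumptions: rpm and restorecon exist on the host, and restorecon -v prints
'restorecon reset <path> context <current>-><expected>' for each file it
would relabel. Only the live check needs those tools; the parser is pure.
"""
import re
import subprocess

# Constructed sample of `restorecon -n -v` output (not captured from the
# thread): /var/www was hand-relabeled public_content_t, policy wants
# httpd_sys_content_t, as in Leonid's Samba/webalizer situation.
SAMPLE_OUTPUT = """\
restorecon reset /var/www context system_u:object_r:public_content_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/usage context system_u:object_r:public_content_t:s0->system_u:object_r:httpd_sys_content_t:s0
"""

RESET_RE = re.compile(
    r"^restorecon reset (?P<path>.+?) context (?P<cur>\S+?)->(?P<exp>\S+)$"
)


def parse_restorecon(output):
    """Return [(path, current_context, expected_context)] for every reported file."""
    mismatches = []
    for line in output.splitlines():
        m = RESET_RE.match(line)
        if m:
            mismatches.append((m.group("path"), m.group("cur"), m.group("exp")))
    return mismatches


def type_of(ctx):
    """system_u:object_r:public_content_t:s0 -> public_content_t"""
    return ctx.split(":")[2]


def summarize_mismatches(mismatches):
    """Collapse to (current type -> expected type) pairs with counts. One pair
    with a handful of files is usually a stray chcon; many pairs across a
    package usually means the package was installed or upgraded unlabeled and
    wants fixfiles -R <pkg> restore (or a full relabel)."""
    counts = {}
    for _, cur, exp in mismatches:
        key = (type_of(cur), type_of(exp))
        counts[key] = counts.get(key, 0) + 1
    return counts


def package_files(pkg):
    """Paths owned by an installed rpm (assumes rpm on the host)."""
    out = subprocess.run(["rpm", "-ql", pkg], check=True,
                         capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if p and not p.startswith("(contains no files)")]


def verify_package_labels(pkg):
    """Dry-run restorecon over the package's files; nothing is changed (-n).
    Returns the mismatches; an empty list means the labels match policy."""
    paths = package_files(pkg)
    if not paths:
        return []
    out = subprocess.run(["restorecon", "-n", "-v"] + paths,
                         capture_output=True, text=True).stdout
    return parse_restorecon(out)


if __name__ == "__main__":
    import sys
    pkg = sys.argv[1] if len(sys.argv) > 1 else "mrtg"
    found = verify_package_labels(pkg)
    for path, cur, exp in found:
        print(f"{path}: {cur} (policy expects {exp})")
    for (cur_t, exp_t), n in summarize_mismatches(found).items():
        print(f"{n} file(s) labeled {cur_t} should be {exp_t}")
    print("ok" if not found else f"{len(found)} mismatch(es)")
```

Two caveats a practitioner would want. If the mismatch is intentional, as Leonid's public_content_rw_t on /var/www/html is, record it with semanage fcontext -a -t <type> "<path>(/.*)?" so that restorecon, fixfiles and the next /.autorelabel agree with you instead of reverting it. And a clean run does not rule out a labeling cause for a denial: the AVC may be against a file the package creates at run time or a path outside the package, which is why the thread keeps coming back to the raw AVC's tcontext rather than to the package list.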
From sds at tycho.nsa.gov Thu Apr 17 13:12:59 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 17 Apr 2008 09:12:59 -0400
Subject: Fedora buildsys and SELinux
In-Reply-To: <20080417032347.GA7021@nostromo.devel.redhat.com>
References: <1208379430.5019.286.camel@calliope.phig.org> <20080417002256.GA30919@nostromo.devel.redhat.com> <20080417032347.GA7021@nostromo.devel.redhat.com>
Message-ID: <1208437979.18883.358.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2008-04-16 at 23:23 -0400, Bill Nottingham wrote:
> James Morris (jmorris at namei.org) said:
> > > You cannot create files in a chroot of a context not known by the host policy. This means that if your host is running RHEL 5, you are unable to compose any trees/images/livecds with SELinux enabled for later releases.
> >
> > Ok, that's what I suspected.
> >
> > One of the possible plans for this is to allow a process to run in a separate policy namespace, and probably also utilize namespace support in general.
> >
> > This is non-trivial and needs more analysis.
>
> Incidentally, this is also one of the blockers for policy-in-packages, rather than a monolithic one.

I assume you mean setting down unknown file labels rather than per-namespace or per-chroot policy support. I think they are related but different. The former is required if you always plan to install the files _before_ loading the policy. The latter is required primarily for getting any scriptlets to run in the right security contexts so that any files they create are labeled appropriately within the chroot.
Also, I wanted to emphasize that chroot is different than unsharing the filesystem namespace, and per-chroot policy is not the same thing as per-namespace policy. I'd expect though that it would actually be a per-process policy mechanism, with most processes sharing the same policy but programs like rpm being able to unshare policy from their parent and then load a private policy to be applied only to their descendants.

--
Stephen Smalley
National Security Agency

From serue at us.ibm.com Thu Apr 17 17:55:30 2008
From: serue at us.ibm.com (Serge E. Hallyn)
Date: Thu, 17 Apr 2008 12:55:30 -0500
Subject: selinux mini-summit sub-policy topic
Message-ID: <20080417175530.GA21302@sergelap.austin.ibm.com>

Hi,

It appears many of us have a related policy issue.

The Fedora folks want to be able to create distro images under a chroot or namespace with selinux enforcing, but with the distro images having different policy from the host. I don't know whether they want to be able to run tests under that image, or only be able to write down potentially unknown labels so as to be able to lay the image down on disk.

The fmac (opensolaris) folks may want to be able to load different policies in different zones.

The linux containers folks (and I) want basically the same thing as zones folks, that is, to support container administrators loading their own policy. My plan had been to pull together what I can to propose a LISA paper, so I was hoping to really get geared up this week after finishing other papers. (This is free time stuff, and has been on the back burner for a year now.) In the containers case, I am starting to use the type namespace (container1.subtype1) to confine a container policy, where subtype1 in container1 is known to the host as container1.subtype1. This leaves MLS and MCS unsupported ATM.

Dan Walsh is working policy for xen/qemu images, however that is not really related as the vm has its own OS. I'm mentioning it here in case I'm wrong.
Are there other projects needing similar support?

There used to be a problem with rpms being able to create files with not-yet-defined types, which may be more similar to the fedora problem above, and I have no idea whether/how that ended up being resolved.

Is it worth proposing a joint topic for discussion at the selinux mini-summit? It could take several formats, from a meeting amongst ourselves followed by a panel discussion, to a set of lightning talks, to a 30 minute joint presentation where we present what we talk about in emails before OLS.

thanks,
-serge

From olivares14031 at yahoo.com Fri Apr 18 01:56:14 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 17 Apr 2008 18:56:14 -0700 (PDT)
Subject: selinux denies X, but can get in via permissive mode
In-Reply-To: <480742D3.90006@redhat.com>
Message-ID: <68811.8658.qm@web52611.mail.re2.yahoo.com>

--- Daniel J Walsh wrote:
> Antonio Olivares wrote:
> > --- Dennis Jacobfeuerborn wrote:
> >
> >> Antonio Olivares wrote:
> >>> No, I tried
> >>> # touch ./autorelabel
> >> That should be "touch /.autorelabel"
> >>
> >> Regards,
> >> Dennis
> >
> > I did it the right way as you write it correctly. But still get a bunch of errors. I have to still boot with enforcing=0 because the selinux denials are too much to handle. The setroubleshooter utility fires like the fastest guns in the west. It will need to wait for a bigger fix than the ones in the avcs message to fix.
> >
> > Regards,
> >
> > Antonio
>
> I would try the following commands, they should have executed during the
> upgrade.
>
> # semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
> # semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 __default__
> # semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 root
>

Dan,

Thank you very much. The above commands cured the illness, along with the su - errors as well.

[olivares at localhost ~]$ su -
Password:
[root at localhost ~]#

Regards,

Antonio
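As an added check (example code written for this archive, not from the thread or from the semanage tool), the script below parses the listings printed by semanage login -l and semanage user -l and prints whichever of Dan's three commands is still needed to reach the state they establish; the column layout it expects and the sample listings it falls back on are assumptions, constructed to show a stale __default__ mapping.

```python
"""Check for the SELinux user/login mappings that the three semanage
commands in the thread establish, and report whichever command is still
needed.  Added example, not code from the thread.  Listings are parsed in
the column layout that 'semanage login -l' and 'semanage user -l' printed
on Fedora 8/9 (an assumption); the sample listings below are constructed."""
import subprocess

WANT_RANGE = "s0-s0:c0.c1023"
WANT_ROLES = {"unconfined_r", "system_r"}
WANT_LOGINS = ("__default__", "root")


def _data_rows(listing):
    """Yield whitespace-split rows; the column headers end at the first
    blank line and the data rows follow it."""
    lines = listing.splitlines()
    start = next((i + 1 for i, l in enumerate(lines) if not l.strip()), 0)
    for line in lines[start:]:
        if line.strip():
            yield line.split()


def parse_logins(listing):
    """Map login name -> (SELinux user, MLS/MCS range)."""
    return {r[0]: (r[1], r[2]) for r in _data_rows(listing) if len(r) >= 3}


def parse_users(listing):
    """Map SELinux user -> {prefix, level, range, roles}."""
    users = {}
    for r in _data_rows(listing):
        if len(r) >= 4:
            users[r[0]] = {"prefix": r[1], "level": r[2],
                           "range": r[3], "roles": set(r[4:])}
    return users


def missing_fixes(login_listing, user_listing):
    """Return the semanage commands still needed: the thread's commands,
    with -a when the entry is absent and -m when it exists but differs."""
    fixes = []
    user = parse_users(user_listing).get("unconfined_u")
    if user is None:
        flag = "-a"
    elif user["range"] != WANT_RANGE or not WANT_ROLES <= user["roles"]:
        flag = "-m"
    else:
        flag = None
    if flag:
        fixes.append('semanage user %s -S targeted -P user -R '
                     '"unconfined_r system_r" -r %s unconfined_u'
                     % (flag, WANT_RANGE))
    logins = parse_logins(login_listing)
    for login in WANT_LOGINS:
        current = logins.get(login)
        if current == ("unconfined_u", WANT_RANGE):
            continue
        flag = "-a" if current is None else "-m"
        fixes.append('semanage login %s -S targeted -P user -s '
                     '"unconfined_u" -r %s %s' % (flag, WANT_RANGE, login))
    return fixes


# Constructed listings: unconfined_u exists and root is mapped to it, but
# __default__ still points at user_u, so one of the thread's login
# commands is still needed.
SAMPLE_LOGINS = """\
Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
"""

SAMPLE_USERS = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range            SELinux Roles

root            user       s0         s0-s0:c0.c1023       system_r sysadm_r staff_r unconfined_r
system_u        user       s0         s0-s0:c0.c1023       system_r
unconfined_u    user       s0         s0-s0:c0.c1023       system_r unconfined_r
user_u          user       s0         s0                   user_r
"""


def live_listing(*args):
    """Output of a real semanage query (needs root on an SELinux host), or
    None when semanage is unavailable or fails."""
    try:
        proc = subprocess.run(["semanage", *args], check=True,
                              capture_output=True, text=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return proc.stdout


if __name__ == "__main__":
    logins = live_listing("login", "-l") or SAMPLE_LOGINS
    users = live_listing("user", "-l") or SAMPLE_USERS
    for cmd in missing_fixes(logins, users) or ["mappings already match"]:
        print(cmd)
```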
From maximilianbianco at gmail.com Fri Apr 18 02:02:04 2008
From: maximilianbianco at gmail.com (max bianco)
Date: Thu, 17 Apr 2008 22:02:04 -0400
Subject: Fail2ban and SELinux
In-Reply-To:
References: <48050C09.7050204@redhat.com> <48057032.4040608@gmail.com> <4805F31B.1070305@redhat.com> <48076C03.5050407@redhat.com>
Message-ID:

On Thu, Apr 17, 2008 at 1:37 PM, max bianco wrote:
>
> On Thu, Apr 17, 2008 at 1:22 PM, max bianco wrote:
> >
> > On Thu, Apr 17, 2008 at 11:25 AM, Daniel J Walsh wrote:
> > >
> > > max bianco wrote:
> > > > On Wed, Apr 16, 2008 at 8:37 AM, Daniel J Walsh wrote:
> > > >>
> > > >> max wrote:
> > > >> > Daniel J Walsh wrote:
> > > >> >>
> > > >> >> max bianco wrote:
> > > >> >>> I recently installed fail2ban on my F8 box. I don't allow remote
> > > >> >>> access to my box but it had been mentioned recently so I decided to
> > > >> >>> test it out. I installed it a few days ago but didn't do anything with
> > > >> >>> it till last night. I had forgotten about it but I was perusing log
> > > >> >>> files and saw 21 AVC's related to it. I pulled up my services gui
> > > >> >>> and sure enough it wasn't running. I tried to start it and got
> > > >> >>> denied (it wouldn't start from a terminal at all, complaining that the
> > > >> >>> service is unrecognized). No problem, I expected as much when I saw
> > > >> >>> the AVC's in my log files but I always try things more than once so I
> > > >> >>> tried to start it a second time and this time and every time after it
> > > >> >>> started without generating a denial. Is this because I manually
> > > >> >>> started the service?
> > > >> >>> That doesn't make sense because then it would
> > > >> >>> have worked the first time as well but it didn't. I see that there is
> > > >> >>> a policy module for fail2ban but if the module is in place then
> > > >> >>> shouldn't it have run without issues? Why 21 AVC's and then it's
> > > >> >>> working? I am learning my way around SELinux but I don't feel
> > > >> >>> comfortable enough to troubleshoot this problem correctly, so where do
> > > >> >>> I start?
> > > >> >>>
> > > >> >>> Max
> > > >> >>>
> > > >> >>> --
> > > >> >>> fedora-selinux-list mailing list
> > > >> >>> fedora-selinux-list at redhat.com
> > > >> >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > >> >> Was there a policy upgrade during this time? Problem might have been
> > > >> >> fixed.
> > > >> >>
> > > >> > The time between my first manual attempt to start fail2ban, which
> > > >> > generated an SELinux Denial, and the second, which started the service,
> > > >> > was about 30 seconds. I checked the logs again today; this is a portion
> > > >> > of the output from yesterday and today:
> > > >> >
> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0
> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit event#012host=localhost.localdomain type=AVC msg=audit(1208229871.594:256): avc: denied { write } for pid=2530 comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir#012#012host=localhost.localdomain type=SYSCALL msg=audit(1208229871.594:256): arch=c000003e syscall=21 success=no exit=-13 a0=eaf2f0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" > > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null) > > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] > > > >> >> setroubleshoot generated AVC, exiting to avoid recursion, > > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC > > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0 > > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit > > > >> >> event#012host=localhost.localdomain type=AVC > > > >> >> msg=audit(1208229871.595:257): avc: denied { write } for pid=2530 > > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382 > > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0 > > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0 > > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL > > > >> >> msg=audit(1208229871.595:257): arch=c000003e syscall=21 success=no > > > >> >> exit=-13 a0=d684a0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530 > > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" > > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null) > > > >> >> Apr 15 17:26:32 localhost setroubleshoot: SELinux is preventing > > > >> >> fail2ban-server (fail2ban_t) "getattr" to / (security_t). For complete > > > >> >> SELinux messages. run sealert -l fe77e9af-a0e1-442b-a176-08f2db381144 > > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing > > > >> >> fail2ban-server (fail2ban_t) "read" to ./config (selinux_config_t). > > > >> >> For complete SELinux messages. run sealert -l > > > >> >> 99f22448-5c31-4a6f-8f55-02f7404fba5d > > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing > > > >> >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete > > > >> >> SELinux messages. 
run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951 > > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing > > > >> >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete > > > >> >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951 > > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] > > > >> >> setroubleshoot generated AVC, exiting to avoid recursion, > > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC > > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0 > > > >> >> Apr 15 17:26:37 localhost setroubleshoot: SELinux is preventing > > > >> >> iptables (iptables_t) "read write" to socket (fail2ban_t). For > > > >> >> complete SELinux messages. run sealert -l > > > >> >> 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2 > > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] audit > > > >> >> event#012host=localhost.localdomain type=AVC > > > >> >> msg=audit(1208294790.920:161): avc: denied { write } for pid=2506 > > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382 > > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0 > > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0 > > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL > > > >> >> msg=audit(1208294790.920:161): arch=c000003e syscall=21 success=no > > > >> >> exit=-13 a0=dbf500 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2506 > > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" > > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null) > > > >> > > > > >> > At this point Fail2ban reports it is running .That is only a small > > > >> > portion of what is generated but maybe it can give you an idea. > > > >> > Subsequently SETroubleshoot crashes, specifically it says: connection > > > >> > lost /var/run/setroubleshoot/setroubleshoot_server. 
The other thing is > > > >> > that I stopped the fail2ban service and rebooted but SETroubleshoot is > > > >> > still crashing, it will generate an AVC when I try to run it then all > > > >> > the output is lost before I can read the AVC. As i have been flipping > > > >> > back and forth typing this, checking logs, restarting > > > >> > SETroubleshoot(about six or seven times now), SETroubleshoot is now up > > > >> > and running like nothing happened. Now that SETroubleshoot is running I > > > >> > expected to find additional AVC's from today but the last one is from > > > >> > yesterday concerning fail2ban. The Alert Count should show 22 not 21 > > > >> > like it does (if we count the one I got the first time i tried to start > > > >> > fail2ban manually) > > > >> > > > > >> > This is the AVC i was getting from Fail2ban before all this ....stuff > > > >> > went haywire on me. > > > >> > > > > >> > > > > >> > Summary: > > > >> > > > > >> > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to > > > >> > > > > >> > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > >> > > > > >> > (rpm_t). > > > >> > > > > >> > Detailed Description: > > > >> > > > > >> > SELinux denied access requested by fail2ban-server. It is not expected > > > >> > that this > > > >> > access is required by fail2ban-server and this access may signal an > > > >> > intrusion > > > >> > attempt. It is also possible that the specific version or configuration > > > >> > of the > > > >> > application is causing it to require additional access. > > > >> > > > > >> > Allowing Access: > > > >> > > > > >> > You can generate a local policy module to allow this access - see FAQ > > > >> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can > > > >> > disable > > > >> > SELinux protection altogether. 
Disabling SELinux protection is not > > > >> > recommended. > > > >> > Please file a bug report > > > >> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > > > >> > against this package. > > > >> > > > > >> > Additional Information: > > > >> > > > > >> > Source Context system_u:system_r:fail2ban_t:s0 > > > >> > Target Context system_u:system_r:rpm_t:s0 > > > >> > Target Objects 002F746D702F66616D2D726F6F742D00000000000000000000 > > > >> > > > > >> > 00000000000000000000000000000000000000000000000000 > > > >> > > > > >> > 00000000000000000000000000000000000000000000000000 > > > >> > > > > >> > 00000000000000000000000000000000000000000000000000 > > > >> > 0000000000000000 [ unix_stream_socket ] > > > >> > Source fail2ban-server > > > >> > Source Path /usr/bin/python > > > >> > Port > > > >> > Host localhost.localdomain > > > >> > Source RPM Packages python-2.5.1-15.fc8 > > > >> > Target RPM Packages > > > >> > Policy RPM selinux-policy-3.0.8-95.fc8 > > > >> > Selinux Enabled True > > > >> > Policy Type targeted > > > >> > MLS Enabled True > > > >> > Enforcing Mode Enforcing > > > >> > Plugin Name catchall > > > >> > Host Name localhost.localdomain > > > >> > Platform Linux localhost.localdomain > > > >> > 2.6.24.4-64.fc8 #1 SMP > > > >> > Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64 > > > >> > Alert Count 21 > > > >> > First Seen Mon 14 Apr 2008 10:38:42 PM EDT > > > >> > Last Seen Mon 14 Apr 2008 10:38:43 PM EDT > > > >> > Local ID 13bee4e4-ca74-488b-a4df-15f5bf78987f > > > >> > Line Numbers > > > >> > > > > >> > Raw Audit Messages > > > >> > > > > >> > host=localhost.localdomain type=AVC msg=audit(1208227123.34:107): avc: > > > >> > denied { connectto } for pid=6314 comm="fail2ban-server" > > > >> > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > >> > 
> > > >> > scontext=system_u:system_r:fail2ban_t:s0
> > > >> > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > >> >
> > > >> > host=localhost.localdomain type=SYSCALL msg=audit(1208227123.34:107):
> > > >> > arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fffe5116700 a2=6e
> > > >> > a3=0 items=0 ppid=1 pid=6314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > >> > egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server"
> > > >> > exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > >> >
> > > >> >
> > > >> > Now that I have SETroubleshoot running I tried the sealert command
> > > >> > suggested in the log files:
> > > >> >
> > > >> > [root at localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
> > > >> > failed to connect to server: Connection refused
> > > >> > [root at localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
> > > >> > query_alerts error (1003): id (6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2) not
> > > >> > found
> > > >> >
> > > >> > Ran it twice, second time it worked.
> > > >> > I hope I'm not confusing anyone, I'll repost the order of events if
> > > >> > need be. I hesitate to file a bug when it could just be me making rookie
> > > >> > mistakes. I will try to reproduce again tomorrow on this box and my
> > > >> > other F8 to see what I can see but if you have any advice it would be
> > > >> > gratefully received.
> > > >> >
> > > >> >
> > > >> > Max
> > > >> >
> > > >> Please send me your /var/log/audit/audit.log
> > > >>
> > > > Looks like several drafts of my mail hit the list, sorry about that
> > > > but I had to revise once setroubleshoot started working. Strange, I'll
> > > > have to look into it later or maybe it's just gmail or thunderbird (time
> > > > to fire up wireshark!!). Anyway I'll send the audit.log from that box
> > > > once I get back to it. Different F8 box (i686), installed fail2ban,
> > > > started service and generated AVC (almost identical) but SETroubleshoot
> > > > doesn't crash like it does on the x86_64 box at least not so far. All
> > > > of the following is from the i686 box, a portion of audit.log follows
> > > > this AVC:
> > > >
> > > >
> > > > Summary:
> > > >
> > > > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
> > > > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> > > > (rpm_t).
> > > >
> > > > Detailed Description:
> > > >
> > > > SELinux denied access requested by fail2ban-server. It is not expected that this
> > > > access is required by fail2ban-server and this access may signal an intrusion
> > > > attempt. It is also possible that the specific version or configuration of the
> > > > application is causing it to require additional access.
> > > > > > > > Allowing Access: > > > > > > > > You can generate a local policy module to allow this access - see FAQ > > > > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > > > > SELinux protection altogether. Disabling SELinux protection is not recommended. > > > > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > > > > against this package. > > > > > > > > Additional Information: > > > > > > > > Source Context system_u:system_r:fail2ban_t > > > > Target Context system_u:system_r:rpm_t > > > > Target Objects 002F746D702F66616D2D726F6F742D00000000000000000000 > > > > 00000000000000000000000000000000000000000000000000 > > > > 00000000000000000000000000000000000000000000000000 > > > > 00000000000000000000000000000000000000000000000000 > > > > 0000000000000000 [ unix_stream_socket ] > > > > Source fail2ban-server > > > > Source Path /usr/bin/python > > > > Port > > > > Host localhost.localdomain > > > > Source RPM Packages python-2.5.1-15.fc8 > > > > Target RPM Packages > > > > Policy RPM selinux-policy-3.0.8-95.fc8 > > > > Selinux Enabled True > > > > Policy Type targeted > > > > MLS Enabled True > > > > Enforcing Mode Enforcing > > > > Plugin Name catchall > > > > Host Name localhost.localdomain > > > > Platform Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP > > > > Sat Mar 29 09:54:46 EDT 2008 i686 athlon > > > > Alert Count 26 > > > > First Seen Wed 16 Apr 2008 08:39:06 AM EDT > > > > Last Seen Wed 16 Apr 2008 08:39:08 AM EDT > > > > Local ID ede0cda2-138a-4222-936b-289297d95cee > > > > Line Numbers > > > > > > > > Raw Audit Messages > > > > > > > > host=localhost.localdomain type=AVC msg=audit(1208349548.205:47): avc: > > > > denied { connectto } for pid=3045 comm="fail2ban-server" > > > > 
path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > > > > > host=localhost.localdomain type=SYSCALL msg=audit(1208349548.205:47): > > > > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 > > > > a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 > > > > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) > > > > comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > > > > > > > > > > > > > > > > > > > > > > > > > I am posting a portion of the audit.log relating to fail2ban as the > > > > entire log is quite large. If you want the whole thing unedited then I > > > > will attach it. I think this should be more than enough, i didn't > > > > parse it , just a simple copy and paste. I don't know what you may or > > > > may not find relevant here so it goes from a couple of entries before > > > > fail2ban is mentioned and a few after the last mention of fail2ban. > > > > Most of the entries look identical and end in key=(null) maybe i could > > > > just dismiss it but i take all the AVC's seriously until I know > > > > better: > > > > > > > > > > > > type=USER_START msg=audit(1208349505.423:21): user pid=2891 uid=500 > > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper" > > > > (hostname=?, addr=?, terminal=? 
res=success)' > > > > type=AVC msg=audit(1208349546.967:22): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349546.967:22): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349546.976:23): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349546.976:23): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349547.028:24): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > 
path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349547.028:24): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349547.080:25): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349547.080:25): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349547.132:26): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > 
> > type=SYSCALL msg=audit(1208349547.132:26): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349547.184:27): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349547.184:27): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349547.236:28): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349547.236:28): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 
key=(null) > > > > type=AVC msg=audit(1208349547.288:29): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349547.288:29): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349547.341:30): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349547.341:30): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349547.393:31): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > 
path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349547.393:31): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349547.445:32): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349547.445:32): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349547.497:33): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > 
> > > > type=SYSCALL msg=audit(1208349548.205:47): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=USER_AUTH msg=audit(1208350171.618:48): user pid=3098 uid=500 auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? res=success)'
> > > > type=USER_ACCT msg=audit(1208350171.620:49): user pid=3098 uid=500 auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? res=success)'
> > > > type=USER_START msg=audit(1208350171.650:50): user pid=3098 uid=500 auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? res=success)'
> > > > type=USER_AUTH msg=audit(1208350461.693:51): user pid=3142 uid=500 auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
> > > > type=USER_ACCT msg=audit(1208350461.697:52): user pid=3142 uid=500 auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
> > > > type=USER_START msg=audit(1208350461.711:53): user pid=3142 uid=500 auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/1 res=success)'
> > > >
> > > > Thanks for the help,
> > >
> > > This is either a leaked file descriptor or gam_server running as rpm_t.
> > >
> > > ps -eZ | grep rpm_t
> > >
> > > fail2ban should not be trying to communicate with a service running rpm_t. If you find gam_server running as rpm_t kill it and fail2ban should work.
> >
> > [root at localhost ~]# ps -eZ | grep rpm_t
> > system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
> > system_u:system_r:rpm_t 2587 ? 00:00:00 gam_server
> >
> > I'll kill the gam_server as you suggest. I will try the same on the x86_64 box to see if it's the same problem. If it's not then I will post the audit.log from it that I promised yesterday. Either way I'll post back once I get in front of the other F8 box.
> >
> > Thanks again,
> >
> > Max
>
> I'm not in front of the other box yet but I killed the other instance of gam_server and reran the command.
>
> [root at localhost ~]# ps -eZ | grep rpm_t
> system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
> system_u:system_r:rpm_t 4074 ? 00:00:00 gam_server
>
> It came back right away so I killed it again and rechecked several times and now it appears to have finally died.
> [root at localhost ~]# kill 4074
>
> [root at localhost ~]# ps -eZ | grep rpm_t
> system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>
> Max

Gmail is buggy for some reason. I'll try and keep this coherent.

On the i686 box, after I found and killed gam_server (I had to do it twice for it to stay dead) I then got a couple more AVCs (posting AVCs, observations follow):

Summary:

SELinux is preventing iptables (iptables_t) "read write" to socket (fail2ban_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context system_u:system_r:iptables_t
Target Context system_u:system_r:fail2ban_t
Target Objects socket [ unix_stream_socket ]
Source iptables
Source Path /sbin/iptables
Port
Host localhost.localdomain
Source RPM Packages iptables-1.3.8-6.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-95.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 athlon
Alert Count 12
First Seen Thu 17 Apr 2008 01:47:41 PM EDT
Last Seen Thu 17 Apr 2008 02:19:47 PM EDT
Local ID b0d85376-fbd1-48a7-8dff-65a0ff3c4148
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc: denied { read write } for pid=4622 comm="iptables" path="socket:[35210]" dev=sockfs ino=35210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc: denied { read write } for pid=4622 comm="iptables" path="socket:[35227]" dev=sockfs ino=35227 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc: denied { read write } for pid=4622 comm="iptables" path="socket:[35683]" dev=sockfs ino=35683 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1208456387.335:77): arch=40000003 syscall=11 success=yes exit=0 a0=9a5af50 a1=9a5a998 a2=9a5afa8 a3=40 items=0 ppid=4571 pid=4622 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)

Ok. That one is about iptables.
As soon as I started fail2ban, the log showed 3 AVCs as above. Stop Fail2ban and three more were generated. Did it twice to see if it was consistent. Started fail2ban twice, each time I started it generated 3 AVCs as above, same when I stopped it, generated 3 AVCs per instance. So 12 total.

When I stopped Fail2ban, within a couple of minutes (can't be more exact, didn't have a stop watch) saw a new AVC (only after it stops, observations follow the AVC):

Summary:

SELinux is preventing gam_server (fail2ban_t) "getattr" to / (fs_t).

Detailed Description:

SELinux denied access requested by gam_server. It is not expected that this access is required by gam_server and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context system_u:system_r:fail2ban_t
Target Context system_u:object_r:fs_t
Target Objects / [ filesystem ]
Source gam_server
Source Path
Port
Host localhost.localdomain
Source RPM Packages
Target RPM Packages filesystem-2.4.11-1.fc8
Policy RPM selinux-policy-3.0.8-95.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 athlon
Alert Count 2
First Seen Thu 17 Apr 2008 01:52:02 PM EDT
Last Seen Thu 17 Apr 2008 02:20:17 PM EDT
Local ID 9ce8514d-7677-4bb5-a59d-f70c8e8c755f
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208456417.400:78): avc: denied { getattr } for pid=4573 comm="gam_server" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

Ok. After I stop Fail2ban I get one instance of this AVC related to gam_server. I started and stopped Fail2ban twice so two AVCs related to gam_server, once after each time I stop fail2ban. No I don't think anyone is stupid, just being clear for my sake and yours.

Also ran:

ps -eZ | grep rpm_t

gam_server still dead. That was on the i686 box. BTW had to kill gam_server twice on the x86_64 box for it to stay dead, same as on i686.

The x86_64 box is the same for the iptables AVC. Same ratio, 3 AVCs generated when starting fail2ban and 3 AVCs when stopping fail2ban. The difference is that the AVC generated after you stop fail2ban is related to sendmail (observations follow the AVC):

Summary:

SELinux is preventing sendmail (system_mail_t) "read write" to socket (fail2ban_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context system_u:system_r:system_mail_t:s0
Target Context system_u:system_r:fail2ban_t:s0
Target Objects socket [ unix_stream_socket ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port
Host localhost.localdomain
Source RPM Packages sendmail-8.14.2-1.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-95.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
Alert Count 2
First Seen Thu 17 Apr 2008 08:28:37 PM EDT
Last Seen Thu 17 Apr 2008 08:30:34 PM EDT
Local ID 10c3cca0-4bc2-4fcf-845a-0b0cc2793482
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc: denied { read write } for pid=3345 comm="sendmail" path="socket:[22805]" dev=sockfs ino=22805 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc: denied { read write } for pid=3345 comm="sendmail" path="socket:[22823]" dev=sockfs ino=22823 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc: denied { read write } for pid=3345 comm="sendmail" path="socket:[23071]" dev=sockfs ino=23071 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1208478634.133:31): arch=c000003e syscall=59 success=yes exit=0 a0=8c9860 a1=8c98a0 a2=8c96f0 a3=37e81529f0 items=0 ppid=3343 pid=3345 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)

Checked processes on x86_64, no sendmail was or is running. Service isn't usually running and isn't now. Looks like a policy bug or both boxes have been tampered with, you tell me; Sulphur is here so they will get nuked soon enough.

The sendmail bug may explain the strange behavior I have seen out of Thunderbird and Gmail, but the sendmail AVC is only generated on the x86_64 box, which incidentally is where I saw weird behavior out of Thunderbird, but that may be a separate issue. I don't think there is enough evidence yet to make that conclusion despite my feeling that it is related; I'll just have to keep my eyes peeled.

I would file a bug report but I'd like to understand this first so I might suggest, even if I can't code, a fix, but if you have to explain it ... the bug would end up being read by someone that subscribes to this list so ..... let me know, I will file it if you ask me to. If logs, etc. are needed I will supply them but if it's a genuine bug it should be easily reproducible in under 30 minutes.

I checked for processes running as fs_t and system_mail_t before, during, and after starting/stopping fail2ban on the x86_64 box, I don't see anything.

I feel like I am forgetting something, anyway let me know about the bug report or if you want more logs etc...
Thanks,
Max

From ekuns at kilroy.chi.il.us Sun Apr 20 16:30:14 2008
From: ekuns at kilroy.chi.il.us (Edward Kuns)
Date: Sun, 20 Apr 2008 11:30:14 -0500
Subject: AVCs from restarting httpd but only when in permissive mode
Message-ID: <1208709014.30908.86.camel@kilroy.chi.il.us>

I had to reboot earlier this week because X crashed in a way that took out my keyboard, requiring a reboot to get the keyboard to work again. And when I temporarily set to permissive some time ago to do some testing, then set back to enforcing, somehow my "default" mode got left in permissive. That's now fixed and I'm back in enforcing mode. Anyway, after the reboot I came up in permissive mode, which is how I discovered this.

If I restart httpd while in permissive mode, I get two AVCs. If I restart httpd while in enforcing mode, I get none. Is this normal or expected? Since I only get these AVCs while in permissive mode, there's no error in httpd logs to look for. (And when I look anyway, all I see is normal "starting up" sorts of messages.)
type=AVC msg=audit(1208684921.858:22475): avc: denied { read write } for pid=2956 comm="httpd" name="context" dev=selinuxfs ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1208684921.858:22475): arch=40000003 syscall=5 success=yes exit=14 a0=bfc89488 a1=8002 a2=0 a3=8002 items=0 ppid=1 pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1208684921.858:22476): avc: denied { check_context } for pid=2956 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1208684921.858:22476): arch=40000003 syscall=4 success=yes exit=33 a0=e a1=b931e310 a2=21 a3=b931e310 items=0 ppid=1 pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Eddie

--
Eddie Kuns | Home: ekuns at kilroy.chi.il.us
--------------/ URL: http://kilroy.chi.il.us/
"Ah, savory cheese puffs, made inedible by time and fate." -- The Tick

From hal_bg at yahoo.com Sun Apr 20 21:46:43 2008
From: hal_bg at yahoo.com (Hal)
Date: Sun, 20 Apr 2008 14:46:43 -0700 (PDT)
Subject: SELinux, NFS and xguest
Message-ID: <396970.21702.qm@web32203.mail.mud.yahoo.com>

Hi all,

I have a simple question: Is there any way to use NFS home dirs for xguest users? Will NFS4 work with selinux for normal and xguest user homes? If yes, where can I read more?

Regards,
Hal
From hal_bg at yahoo.com Sun Apr 20 21:54:38 2008
From: hal_bg at yahoo.com (Hal)
Date: Sun, 20 Apr 2008 14:54:38 -0700 (PDT)
Subject: SELinux and GFS
In-Reply-To: <396970.21702.qm@web32203.mail.mud.yahoo.com>
Message-ID: <423837.67610.qm@web32201.mail.mud.yahoo.com>

Hi again, another simple question: Is selinux supported in GFS and vice versa? I know GFS2 is supposed to work with selinux, but GFS2 is far from being stable. What about the stable GFS?

regards,
Hal

From adam.huffman at gmail.com Mon Apr 21 14:30:02 2008
From: adam.huffman at gmail.com (Adam Huffman)
Date: Mon, 21 Apr 2008 15:30:02 +0100
Subject: Denials when installing from updates-testing
Message-ID: <608c44bf0804210730w54596abdpf098333f16c64d17@mail.gmail.com>

This morning I used yum to install the latest packages from the updates-testing repository for F8. Some SELinux denials meant that problems were reported with a lot of these updates, e.g.

Updating : libxml2 ##################### [ 1/145]
error: %post(libxml2-2.6.32-1.fc8.x86_64) scriptlet failed, exit status 255
Updating : gtk2 ##################### [ 2/145]
error: %post(gtk2-2.12.8-2.fc8.x86_64) scriptlet failed, exit status 255
Updating : libxslt ##################### [ 3/145]
error: %post(libxslt-1.1.23-1.fc8.x86_64) scriptlet failed, exit status 255
Updating : evolution-data-server ##################### [ 4/145]
error: %post(evolution-data-server-1.12.3-5.fc8.x86_64) scriptlet failed, exit status 255

and here are excerpts of the sealert messages:

Summary:

SELinux is preventing yum (mono_t) "transition" to /sbin/ldconfig (rpm_script_t).
Source Context unconfined_u:system_r:mono_t:SystemLow-SystemHigh
Target Context unconfined_u:system_r:rpm_script_t:SystemLow-SystemHigh
Target Objects /sbin/ldconfig [ process ]
Source yum
Source Path /usr/bin/python
Port
Source RPM Packages python-2.5.1-15.fc8
Target RPM Packages glibc-2.7-2
Policy RPM selinux-policy-3.0.8-95.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall

Raw Audit Messages

type=AVC msg=audit(1208774766.511:30956): avc: denied { transition } for pid=4487 comm="yum" path="/sbin/ldconfig" dev=dm-0 ino=852080 scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1208774766.511:30956): arch=c000003e syscall=59 success=no exit=-13 a0=1637234f a1=7fff43a32a40 a2=947ac50 a3=3d4fc13bb2 items=0 ppid=4089 pid=4487 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 key=(null)

and

Summary:

SELinux is preventing yum (mono_t) "transition" to /bin/bash (rpm_script_t).
Additional Information:

Source Context unconfined_u:system_r:mono_t:SystemLow-SystemHigh
Target Context unconfined_u:system_r:rpm_script_t:SystemLow-SystemHigh
Target Objects /bin/bash [ process ]
Source yum
Source Path /usr/bin/python
Port
Source RPM Packages python-2.5.1-15.fc8
Target RPM Packages bash-3.2-20.fc8
Policy RPM selinux-policy-3.0.8-95.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Alert Count 69
First Seen Mon 07 Apr 2008 13:02:19 BST
Last Seen Mon 21 Apr 2008 11:46:06 BST
Local ID e148a133-5374-43a6-953b-45076d5c667b
Line Numbers

Raw Audit Messages

type=AVC msg=audit(1208774766.470:30955): avc: denied { transition } for pid=4486 comm="yum" path="/bin/bash" dev=dm-0 ino=65580 scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1208774766.470:30955): arch=c000003e syscall=59 success=no exit=-13 a0=1658931a a1=7fff43a32a40 a2=947ac50 a3=3d4fc13bb2 items=0 ppid=4089 pid=4486 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 key=(null)

Does this look like a local problem and relabelling is needed?

Adam

From dwalsh at redhat.com Mon Apr 21 19:32:43 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 21 Apr 2008 15:32:43 -0400
Subject: Denials when installing from updates-testing
In-Reply-To: <608c44bf0804210730w54596abdpf098333f16c64d17@mail.gmail.com>
References: <608c44bf0804210730w54596abdpf098333f16c64d17@mail.gmail.com>
Message-ID: <480CEBDB.6040502@redhat.com>

Adam Huffman wrote:
> This morning I used yum to install the latest packages from the updates-testing repository for F8. Some SELinux denials meant that problems were reported with a lot of these updates e.g.
> Does this look like a local problem and relabelling is needed?

Well why would yum be running as mono_t? So this looks like something is definitely wrong with your machine. Probably labeling.
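As an added example, covering both the fail2ban thread above and the yum/mono_t denials here (this is not code from the list posts, fail2ban or the SELinux project): a small Python triage script that parses raw AVC records, decodes the hex-encoded socket path auditd emitted for the fail2ban denial, groups denials the way Max counted them by hand, and applies the "why would yum be running as mono_t?" check. SAMPLE_AUDIT is constructed from records quoted in the thread (trimmed), and EXPECTED_DOMAIN is an assumption made for illustration, not policy data.

```python
# Added example (not code from the list posts, fail2ban or the SELinux project):
# triage raw AVC records the way the thread does by hand.  SAMPLE_AUDIT is
# constructed from records quoted above (hex path shortened to its non-zero
# prefix, SYSCALL fields trimmed); EXPECTED_DOMAIN is an assumption for
# illustration, not policy data.
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1208349547.549:34): avc:  denied  { connectto } for  pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D0000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208349547.549:34): arch=40000003 syscall=102 success=no exit=-13 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1208349547.601:35): avc:  denied  { connectto } for  pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D0000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1208456387.335:77): avc:  denied  { read write } for  pid=4622 comm="iptables" path="socket:[35210]" dev=sockfs ino=35210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1208456387.335:77): avc:  denied  { read write } for  pid=4622 comm="iptables" path="socket:[35227]" dev=sockfs ino=35227 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1208456387.335:77): avc:  denied  { read write } for  pid=4622 comm="iptables" path="socket:[35683]" dev=sockfs ino=35683 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1208774766.511:30956): avc:  denied  { transition } for  pid=4487 comm="yum" path="/sbin/ldconfig" dev=dm-0 ino=852080 scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# auditd "escapes" these fields: quoted when printable, hex-encoded otherwise.
ESCAPED_FIELDS = {'comm', 'exe', 'path', 'name'}
# Assumption for illustration: the domain each program should run in on a box
# like the one in the thread.  Build the real table from a healthy host (ps -eZ).
EXPECTED_DOMAIN = {
    'yum': {'rpm_t', 'unconfined_t'},
    'fail2ban-server': {'fail2ban_t'},
    'iptables': {'iptables_t'},
    'gam_server': {'unconfined_t'},
}

def decode_field(raw):
    """Undo auditd's escaping.  The fail2ban denial carries path=002F746D70...,
    a hex-encoded sockaddr_un whose leading NUL marks an abstract unix socket;
    it is rendered with the '@' prefix that ss(8) uses for those."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        data = bytes.fromhex(raw).rstrip(b'\0')          # drop sockaddr padding
        if data.startswith(b'\0'):
            return '@' + data[1:].decode('latin-1')
        return data.decode('latin-1')
    return raw

def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Parse one AVC record; returns None for SYSCALL, USER_AUTH, ... records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group('rest')):
        fields[key] = decode_field(value) if key in ESCAPED_FIELDS else value
    return {
        'serial': int(m.group('serial')),
        'perms': tuple(m.group('perms').split()),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm', '?'),
        'path': fields.get('path') or fields.get('name'),
        'stype': context_type(fields.get('scontext', '?:?:?')),
        'ttype': context_type(fields.get('tcontext', '?:?:?')),
        'tclass': fields.get('tclass', '?'),
    }

def summarize(lines):
    """One row per (source type, target type, class, permissions) with the
    count, pids and paths: the '3 AVCs per start, 12 total' bookkeeping."""
    groups = defaultdict(lambda: {'count': 0, 'pids': set(), 'paths': set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))]
        g['count'] += 1
        g['pids'].add(rec['pid'])
        if rec['path']:
            g['paths'].add(rec['path'])
    return dict(groups)

def flag_mislabeled(lines, expected=EXPECTED_DOMAIN):
    """The 'why would yum be running as mono_t?' check: denials whose source
    domain is not one the program is expected to run in."""
    found = set()
    for rec in filter(None, map(parse_avc, lines)):
        if rec['comm'] in expected and rec['stype'] not in expected[rec['comm']]:
            found.add((rec['comm'], rec['pid'], rec['stype']))
    return sorted(found)

if __name__ == '__main__':
    lines = SAMPLE_AUDIT.splitlines()
    for (stype, ttype, tclass, perms), g in sorted(summarize(lines).items()):
        print(f"{g['count']:3d}x {stype} -> {ttype} {tclass} {{ {perms} }} "
              f"pids={sorted(g['pids'])} paths={sorted(g['paths'])}")
    for comm, pid, stype in flag_mislabeled(lines):
        print(f"suspicious: {comm} (pid {pid}) is running as {stype}")
```

The decoded path of the fail2ban denial is the abstract socket @/tmp/fam-root-, which is what points at gam_server (the FAM/gamin server) rather than at fail2ban itself.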
From dwalsh at redhat.com Mon Apr 21 19:35:28 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 21 Apr 2008 15:35:28 -0400
Subject: AVCs from restarting httpd but only when in permissive mode
In-Reply-To: <1208709014.30908.86.camel@kilroy.chi.il.us>
References: <1208709014.30908.86.camel@kilroy.chi.il.us>
Message-ID: <480CEC80.8090704@redhat.com>

Edward Kuns wrote:
> I had to reboot earlier this week because X crashed in a way that took out my keyboard, requiring a reboot to get the keyboard to work again. And when I temporarily set to permissive some time ago to do some testing, then set back to enforcing, somehow my "default" mode got left in permissive. That's now fixed and I'm back in enforcing mode. Anyway, after the reboot I came up in permissive mode, which is how I discovered this.
>
> If I restart httpd while in permissive mode, I get two AVCs. If I restart httpd while in enforcing mode, I get none. Is this normal or expected? Since I only get these AVCs while in permissive mode, there's no error in httpd logs to look for. (And when I look anyway, all I see is normal "starting up" sorts of messages.)
>
> type=AVC msg=audit(1208684921.858:22475): avc: denied { read write }
> for pid=2956 comm="httpd" name="context" dev=selinuxfs ino=5
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=SYSCALL msg=audit(1208684921.858:22475): arch=40000003 syscall=5
> success=yes exit=14 a0=bfc89488 a1=8002 a2=0 a3=8002 items=0 ppid=1
> pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1208684921.858:22476): avc: denied
> { check_context } for pid=2956 comm="httpd"
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=security
> type=SYSCALL msg=audit(1208684921.858:22476): arch=40000003 syscall=4
> success=yes exit=33 a0=e a1=b931e310 a2=21 a3=b931e310 items=0 ppid=1
> pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> Eddie
>

Yes, a previous dontaudit would have stopped the library that http is loading from executing the "check_context" code, so enforcing would get no AVCs while permissive reports them.

From dwalsh at redhat.com Mon Apr 21 19:40:16 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 21 Apr 2008 15:40:16 -0400
Subject: SELinux, NFS and xguest
In-Reply-To: <396970.21702.qm@web32203.mail.mud.yahoo.com>
References: <396970.21702.qm@web32203.mail.mud.yahoo.com>
Message-ID: <480CEDA0.802@redhat.com>

Hal wrote:
> Hi all,
> I have a simple question:
> Is there any way to use NFS home dirs for xguest users?
> Will NFS4 work with selinux for normal and xguest user homes?
> If yes, where can I read more?
>
> Regards,
> Hal

Yes. I am working on the policy for confined users using nfs now. NFS and NFS4 currently do not support labeling, although this is being worked on. The system treats all files/directories as being labeled nfs_t, or you can override with a mount option.

From dwalsh at redhat.com Mon Apr 21 19:40:39 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 21 Apr 2008 15:40:39 -0400
Subject: SELinux and GFS
In-Reply-To: <423837.67610.qm@web32201.mail.mud.yahoo.com>
References: <423837.67610.qm@web32201.mail.mud.yahoo.com>
Message-ID: <480CEDB7.2080705@redhat.com>

Hal wrote:
> Hi again,
> another simple question:
> Is selinux supported in GFS and vice versa?
> I know GFS2 is supposed to work with selinux,
> but GFS2 is far from being stable.
> What about the stable GFS?

They should both work.

>
> regards,
> Hal

From dwalsh at redhat.com Mon Apr 21 19:48:51 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 21 Apr 2008 15:48:51 -0400
Subject: Fail2ban and SELinux
In-Reply-To:
References: <48050C09.7050204@redhat.com> <48057032.4040608@gmail.com> <4805F31B.1070305@redhat.com> <48076C03.5050407@redhat.com>
Message-ID: <480CEFA3.30906@redhat.com>

max bianco wrote:
> On Thu, Apr 17, 2008 at 1:37 PM, max bianco wrote:
>> On Thu, Apr 17, 2008 at 1:22 PM, max bianco wrote:
>> >
>> > On Thu, Apr 17, 2008 at 11:25 AM, Daniel J Walsh wrote:
>> > >
>> > > max bianco wrote:
>> > > > On Wed, Apr 16, 2008 at 8:37 AM, Daniel J Walsh wrote:
>> > > >>
>> > > >> max wrote:
>> > > >> > Daniel J Walsh wrote:
>> > > >> >>
>> > > >> >> max bianco wrote:
>> > > >> >>> I recently installed fail2ban on my F8 box. I don't allow remote
>> > > >> >>> access to my box but it had been mentioned recently so I decided to
>> > > >> >>> test it out. I installed it a few days ago but didn't do anything with
>> > > >> >>> it till last night. I had forgotten about it but I was perusing log
>> > > >> >>> files and saw 21 AVC's related to it. I pulled up my services GUI
>> > > >> >>> and sure enough it wasn't running.
>> > > >> >>> I tried to start it and got
>> > > >> >>> denied (it wouldn't start from a terminal at all, complaining that the
>> > > >> >>> service is unrecognized). No problem, I expected as much when I saw
>> > > >> >>> the AVC's in my log files but I always try things more than once so I
>> > > >> >>> tried to start it a second time and this time and every time after it
>> > > >> >>> started without generating a denial. Is this because I manually
>> > > >> >>> started the service? That doesn't make sense because then it would
>> > > >> >>> have worked the first time as well but it didn't. I see that there is
>> > > >> >>> a policy module for fail2ban but if the module is in place then
>> > > >> >>> shouldn't it have run without issues? Why 21 AVC's and then it's
>> > > >> >>> working? I am learning my way around SELinux but I don't feel
>> > > >> >>> comfortable enough to troubleshoot this problem correctly, so where do
>> > > >> >>> I start?
>> > > >> >>>
>> > > >> >>> Max
>> > > >> >>>
>> > > >> >> Was there a policy upgrade during this time? Problem might have been
>> > > >> >> fixed.
>> > > >> >>
>> > > >> > The time between my first manual attempt to start fail2ban, which
>> > > >> > generated an SELinux Denial, and the second, which started the service,
>> > > >> > was about 30 seconds.
I checked the logs again today this is a portion >> > > >> > of the output from yesterday and today : >> > > >> > >> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] >> > > >> >> setroubleshoot generated AVC, exiting to avoid recursion, >> > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC >> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0 >> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit >> > > >> >> event#012host=localhost.localdomain type=AVC >> > > >> >> msg=audit(1208229871.594:256): avc: denied { write } for pid=2530 >> > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382 >> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0 >> > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0 >> > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL >> > > >> >> msg=audit(1208229871.594:256): arch=c000003e syscall=21 success=no >> > > >> >> exit=-13 a0=eaf2f0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530 >> > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 >> > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" >> > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null) >> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] >> > > >> >> setroubleshoot generated AVC, exiting to avoid recursion, >> > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC >> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0 >> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit >> > > >> >> event#012host=localhost.localdomain type=AVC >> > > >> >> msg=audit(1208229871.595:257): avc: denied { write } for pid=2530 >> > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382 >> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0 >> > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0 >> > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL >> > > >> >> 
msg=audit(1208229871.595:257): arch=c000003e syscall=21 success=no >> > > >> >> exit=-13 a0=d684a0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530 >> > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 >> > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" >> > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null) >> > > >> >> Apr 15 17:26:32 localhost setroubleshoot: SELinux is preventing >> > > >> >> fail2ban-server (fail2ban_t) "getattr" to / (security_t). For complete >> > > >> >> SELinux messages. run sealert -l fe77e9af-a0e1-442b-a176-08f2db381144 >> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing >> > > >> >> fail2ban-server (fail2ban_t) "read" to ./config (selinux_config_t). >> > > >> >> For complete SELinux messages. run sealert -l >> > > >> >> 99f22448-5c31-4a6f-8f55-02f7404fba5d >> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing >> > > >> >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete >> > > >> >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951 >> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing >> > > >> >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete >> > > >> >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951 >> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] >> > > >> >> setroubleshoot generated AVC, exiting to avoid recursion, >> > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC >> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0 >> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: SELinux is preventing >> > > >> >> iptables (iptables_t) "read write" to socket (fail2ban_t). For >> > > >> >> complete SELinux messages. 
>> > > >> >> run sealert -l
>> > > >> >> 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] audit
>> > > >> >> event#012host=localhost.localdomain type=AVC
>> > > >> >> msg=audit(1208294790.920:161): avc: denied { write } for pid=2506
>> > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>> > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>> > > >> >> msg=audit(1208294790.920:161): arch=c000003e syscall=21 success=no
>> > > >> >> exit=-13 a0=dbf500 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2506
>> > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>> > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>> > > >> >
>> > > >> > At this point Fail2ban reports it is running. That is only a small
>> > > >> > portion of what is generated but maybe it can give you an idea.
>> > > >> > Subsequently SETroubleshoot crashes, specifically it says: connection
>> > > >> > lost /var/run/setroubleshoot/setroubleshoot_server. The other thing is
>> > > >> > that I stopped the fail2ban service and rebooted but SETroubleshoot is
>> > > >> > still crashing, it will generate an AVC when I try to run it then all
>> > > >> > the output is lost before I can read the AVC. As I have been flipping
>> > > >> > back and forth typing this, checking logs, restarting
>> > > >> > SETroubleshoot (about six or seven times now), SETroubleshoot is now up
>> > > >> > and running like nothing happened. Now that SETroubleshoot is running I
>> > > >> > expected to find additional AVC's from today but the last one is from
>> > > >> > yesterday concerning fail2ban.
>> > > >> > The Alert Count should show 22 not 21
>> > > >> > like it does (if we count the one I got the first time I tried to start
>> > > >> > fail2ban manually)
>> > > >> >
>> > > >> > This is the AVC I was getting from Fail2ban before all this ... stuff
>> > > >> > went haywire on me.
>> > > >> >
>> > > >> >
>> > > >> > Summary:
>> > > >> >
>> > > >> > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>> > > >> >
>> > > >> > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > >> >
>> > > >> > (rpm_t).
>> > > >> >
>> > > >> > Detailed Description:
>> > > >> >
>> > > >> > SELinux denied access requested by fail2ban-server. It is not expected
>> > > >> > that this
>> > > >> > access is required by fail2ban-server and this access may signal an
>> > > >> > intrusion
>> > > >> > attempt. It is also possible that the specific version or configuration
>> > > >> > of the
>> > > >> > application is causing it to require additional access.
>> > > >> >
>> > > >> > Allowing Access:
>> > > >> >
>> > > >> > You can generate a local policy module to allow this access - see FAQ
>> > > >> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>> > > >> > disable
>> > > >> > SELinux protection altogether. Disabling SELinux protection is not
>> > > >> > recommended.
>> > > >> > Please file a bug report
>> > > >> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> > > >> > against this package.
>> > > >> > >> > > >> > Additional Information: >> > > >> > >> > > >> > Source Context system_u:system_r:fail2ban_t:s0 >> > > >> > Target Context system_u:system_r:rpm_t:s0 >> > > >> > Target Objects 002F746D702F66616D2D726F6F742D00000000000000000000 >> > > >> > >> > > >> > 00000000000000000000000000000000000000000000000000 >> > > >> > >> > > >> > 00000000000000000000000000000000000000000000000000 >> > > >> > >> > > >> > 00000000000000000000000000000000000000000000000000 >> > > >> > 0000000000000000 [ unix_stream_socket ] >> > > >> > Source fail2ban-server >> > > >> > Source Path /usr/bin/python >> > > >> > Port >> > > >> > Host localhost.localdomain >> > > >> > Source RPM Packages python-2.5.1-15.fc8 >> > > >> > Target RPM Packages >> > > >> > Policy RPM selinux-policy-3.0.8-95.fc8 >> > > >> > Selinux Enabled True >> > > >> > Policy Type targeted >> > > >> > MLS Enabled True >> > > >> > Enforcing Mode Enforcing >> > > >> > Plugin Name catchall >> > > >> > Host Name localhost.localdomain >> > > >> > Platform Linux localhost.localdomain >> > > >> > 2.6.24.4-64.fc8 #1 SMP >> > > >> > Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64 >> > > >> > Alert Count 21 >> > > >> > First Seen Mon 14 Apr 2008 10:38:42 PM EDT >> > > >> > Last Seen Mon 14 Apr 2008 10:38:43 PM EDT >> > > >> > Local ID 13bee4e4-ca74-488b-a4df-15f5bf78987f >> > > >> > Line Numbers >> > > >> > >> > > >> > Raw Audit Messages >> > > >> > >> > > >> > host=localhost.localdomain type=AVC msg=audit(1208227123.34:107): avc: >> > > >> > denied { connectto } for pid=6314 comm="fail2ban-server" >> > > >> > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > >> > scontext=system_u:system_r:fail2ban_t:s0 >> > > >> > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > >> > >> > > >> > host=localhost.localdomain type=SYSCALL 
>> > > >> > msg=audit(1208227123.34:107):
>> > > >> > arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fffe5116700 a2=6e
>> > > >> > a3=0 items=0 ppid=1 pid=6314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> > > >> > egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server"
>> > > >> > exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > >> >
>> > > >> >
>> > > >> > Now that I have SETroubleshoot running I tried the sealert command
>> > > >> > suggested in the log files:
>> > > >> >
>> > > >> > [root at localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>> > > >> > failed to connect to server: Connection refused
>> > > >> > [root at localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>> > > >> > query_alerts error (1003): id (6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2) not
>> > > >> > found
>> > > >> >
>> > > >> > Ran it twice, second time it worked.
>> > > >> > I hope I'm not confusing anyone, I'll repost the order of events if
>> > > >> > need be. I hesitate to file a bug when it could just be me making rookie
>> > > >> > mistakes. I will try to reproduce again tomorrow on this box and my
>> > > >> > other F8 to see what I can see but if you have any advice it would be
>> > > >> > gratefully received.
>> > > >> >
>> > > >> >
>> > > >> > Max
>> > > >> >
>> > > >> Please send me your /var/log/audit/audit.log
>> > > >>
>> > > > Looks like several drafts of my mail hit the list, sorry about that
>> > > > but I had to revise once setroubleshoot started working. Strange, I'll
>> > > > have to look into it later or maybe it's just gmail or thunderbird (time
>> > > > to fire up wireshark!!).
>> > > > Anyway I'll send the audit.log from that box
>> > > > once I get back to it. Different F8 box (i686), installed fail2ban,
>> > > > started service and generated AVC (almost identical) but SETroubleshoot
>> > > > doesn't crash like it does on the x86_64 box at least not so far. All
>> > > > of the following is from the i686 box, a portion of audit.log follows
>> > > > this AVC:
>> > > >
>> > > >
>> > > > Summary:
>> > > >
>> > > > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>> > > > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > (rpm_t).
>> > > >
>> > > > Detailed Description:
>> > > >
>> > > > SELinux denied access requested by fail2ban-server. It is not expected that this
>> > > > access is required by fail2ban-server and this access may signal an intrusion
>> > > > attempt. It is also possible that the specific version or configuration of the
>> > > > application is causing it to require additional access.
>> > > >
>> > > > Allowing Access:
>> > > >
>> > > > You can generate a local policy module to allow this access - see FAQ
>> > > > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> > > > SELinux protection altogether. Disabling SELinux protection is not recommended.
>> > > > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> > > > against this package.
>> > > > >> > > > Additional Information: >> > > > >> > > > Source Context system_u:system_r:fail2ban_t >> > > > Target Context system_u:system_r:rpm_t >> > > > Target Objects 002F746D702F66616D2D726F6F742D00000000000000000000 >> > > > 00000000000000000000000000000000000000000000000000 >> > > > 00000000000000000000000000000000000000000000000000 >> > > > 00000000000000000000000000000000000000000000000000 >> > > > 0000000000000000 [ unix_stream_socket ] >> > > > Source fail2ban-server >> > > > Source Path /usr/bin/python >> > > > Port >> > > > Host localhost.localdomain >> > > > Source RPM Packages python-2.5.1-15.fc8 >> > > > Target RPM Packages >> > > > Policy RPM selinux-policy-3.0.8-95.fc8 >> > > > Selinux Enabled True >> > > > Policy Type targeted >> > > > MLS Enabled True >> > > > Enforcing Mode Enforcing >> > > > Plugin Name catchall >> > > > Host Name localhost.localdomain >> > > > Platform Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP >> > > > Sat Mar 29 09:54:46 EDT 2008 i686 athlon >> > > > Alert Count 26 >> > > > First Seen Wed 16 Apr 2008 08:39:06 AM EDT >> > > > Last Seen Wed 16 Apr 2008 08:39:08 AM EDT >> > > > Local ID ede0cda2-138a-4222-936b-289297d95cee >> > > > Line Numbers >> > > > >> > > > Raw Audit Messages >> > > > >> > > > host=localhost.localdomain type=AVC msg=audit(1208349548.205:47): avc: >> > > > denied { connectto } for pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > >> > > > host=localhost.localdomain type=SYSCALL msg=audit(1208349548.205:47): >> > > > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 >> > > > a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 >> > 
> > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>> > > > comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > I am posting a portion of the audit.log relating to fail2ban as the
>> > > > entire log is quite large. If you want the whole thing unedited then I
>> > > > will attach it. I think this should be more than enough, I didn't
>> > > > parse it, just a simple copy and paste. I don't know what you may or
>> > > > may not find relevant here so it goes from a couple of entries before
>> > > > fail2ban is mentioned and a few after the last mention of fail2ban.
>> > > > Most of the entries look identical and end in key=(null) maybe I could
>> > > > just dismiss it but I take all the AVC's seriously until I know
>> > > > better:
>> > > >
>> > > >
>> > > > type=USER_START msg=audit(1208349505.423:21): user pid=2891 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper"
>> > > > (hostname=?, addr=?, terminal=?
res=success)' >> > > > type=AVC msg=audit(1208349546.967:22): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349546.967:22): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349546.976:23): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349546.976:23): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349547.028:24): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > 
path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349547.028:24): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349547.080:25): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349547.080:25): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349547.132:26): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 
tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349547.132:26): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349547.184:27): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349547.184:27): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349547.236:28): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349547.236:28): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" 
>> > > > Thanks for the help,
>> > > >
>> > > This is either a leaked file descriptor or gam_server running as rpm_t.
>> > >
>> > > ps -eZ | grep rpm_t
>> > >
>> > > fail2ban should not be trying to communicate with a service running
>> > > rpm_t. If you find gam_server running as rpm_t, kill it and fail2ban
>> > > should work.
>> > >
>> > [root@localhost ~]# ps -eZ | grep rpm_t
>> > system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>> > system_u:system_r:rpm_t 2587 ? 00:00:00 gam_server
>> >
>> > I'll kill the gam_server as you suggest. I will try the same on the x86_64 box
>> > to see if it's the same problem. If it's not then I will post the
>> > audit.log from it that I promised yesterday. Either way I'll post back
>> > once I get in front of the other f8 box.
>> >
>> > Thanks again,
>> >
>> > Max
>> >
>> I'm not in front of the other box yet but I killed the other instance
>> of gam_server and reran the command.
>>
>> [root@localhost ~]# ps -eZ | grep rpm_t
>> system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>> system_u:system_r:rpm_t 4074 ? 00:00:00 gam_server
>>
>> It came back right away so I killed it again and rechecked several
>> times and now it appears to have finally died.
>> [root@localhost ~]# kill 4074
>>
>> [root@localhost ~]# ps -eZ | grep rpm_t
>> system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>>
>> Max
>>
> Gmail is buggy for some reason. I'll try and keep this coherent. On
> the i686 box, after I found and killed gam_server (I had to do it
> twice for it to stay dead) I then got a couple more AVCs (posting
> AVCs and observations follow):
>
> SELinux is preventing iptables (iptables_t) "read write" to socket (fail2ban_t).
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this access
> is required by iptables and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:iptables_t
> Target Context                system_u:system_r:fail2ban_t
> Target Objects                socket [ unix_stream_socket ]
> Source                        iptables
> Source Path                   /sbin/iptables
> Port
> Host                          localhost.localdomain
> Source RPM Packages           iptables-1.3.8-6.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-95.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>                               Sat Mar 29 09:54:46 EDT 2008 i686 athlon
> Alert Count                   12
> First Seen                    Thu 17 Apr 2008 01:47:41 PM EDT
> Last Seen                     Thu 17 Apr 2008 02:19:47 PM EDT
> Local ID                      b0d85376-fbd1-48a7-8dff-65a0ff3c4148
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
> denied { read write } for pid=4622 comm="iptables"
> path="socket:[35210]" dev=sockfs ino=35210
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
> denied { read write } for pid=4622 comm="iptables"
> path="socket:[35227]" dev=sockfs ino=35227
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
> denied { read write } for pid=4622 comm="iptables"
> path="socket:[35683]" dev=sockfs ino=35683
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=SYSCALL msg=audit(1208456387.335:77):
> arch=40000003 syscall=11 success=yes exit=0 a0=9a5af50 a1=9a5a998
> a2=9a5afa8 a3=40 items=0 ppid=4571 pid=4622 auid=500 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="iptables"
> exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)

These are leaked file descriptors from fail2ban and should be reported to them.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Should be called on all open file descriptors.

>
>
> Ok. That one is about iptables. As soon as I started fail2ban, the log
> showed 3 AVCs as above. Stop fail2ban and three more generated. Did
> it twice to see if it was consistent. Started fail2ban twice, each
> time I started it generated 3 AVCs as above, same when I stopped it,
> generated 3 AVCs per instance. So 12 total. When I stopped fail2ban,
> within a couple of minutes (can't be more exact, didn't have a stop
> watch) saw a new AVC (only after it stops, observations follow AVC):
>
> Summary:
>
> SELinux is preventing gam_server (fail2ban_t) "getattr" to / (fs_t).
>
> Detailed Description:
>
> SELinux denied access requested by gam_server. It is not expected that this
> access is required by gam_server and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:fail2ban_t
> Target Context                system_u:object_r:fs_t
> Target Objects                / [ filesystem ]
> Source                        gam_server
> Source Path
> Port
> Host                          localhost.localdomain
> Source RPM Packages
> Target RPM Packages           filesystem-2.4.11-1.fc8
> Policy RPM                    selinux-policy-3.0.8-95.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>                               Sat Mar 29 09:54:46 EDT 2008 i686 athlon
> Alert Count                   2
> First Seen                    Thu 17 Apr 2008 01:52:02 PM EDT
> Last Seen                     Thu 17 Apr 2008 02:20:17 PM EDT
> Local ID                      9ce8514d-7677-4bb5-a59d-f70c8e8c755f
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1208456417.400:78): avc:
> denied { getattr } for pid=4573 comm="gam_server" name="/" dev=dm-0
> ino=2 scontext=system_u:system_r:fail2ban_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
>
> Ok. After I stop fail2ban I get one instance of this AVC related to
> gam_server. I started and stopped fail2ban twice so two AVCs related
> to gam_server, once after each time I stop fail2ban. No, I don't think
> anyone is stupid, just being clear for my sake and yours. Also ran:
> ps -eZ | grep rpm_t
> gam_server still dead. That was on the i686 box. BTW
> had to kill gam_server twice on the x86_64 box for it to stay dead, same
> as on i686. The x86_64 box is the same for the iptables AVC. Same
> ratio, 3 AVCs generated when starting fail2ban and 3 AVCs when
> stopping fail2ban. The difference is that the AVC generated after you
> stop fail2ban is related to sendmail (observations follow AVC):
>
> Summary:
>
> SELinux is preventing sendmail (system_mail_t) "read write" to socket
> (fail2ban_t).
>
> Detailed Description:
>
> SELinux denied access requested by sendmail. It is not expected that this access
> is required by sendmail and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:system_mail_t:s0
> Target Context                system_u:system_r:fail2ban_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        sendmail
> Source Path                   /usr/sbin/sendmail.sendmail
> Port
> Host                          localhost.localdomain
> Source RPM Packages           sendmail-8.14.2-1.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-95.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>                               Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Thu 17 Apr 2008 08:28:37 PM EDT
> Last Seen                     Thu 17 Apr 2008 08:30:34 PM EDT
> Local ID                      10c3cca0-4bc2-4fcf-845a-0b0cc2793482
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
> denied { read write } for pid=3345 comm="sendmail"
> path="socket:[22805]" dev=sockfs ino=22805
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
> denied { read write } for pid=3345 comm="sendmail"
> path="socket:[22823]" dev=sockfs ino=22823
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
> denied { read write } for pid=3345 comm="sendmail"
> path="socket:[23071]" dev=sockfs ino=23071
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=SYSCALL msg=audit(1208478634.133:31):
> arch=c000003e syscall=59 success=yes exit=0 a0=8c9860 a1=8c98a0
> a2=8c96f0 a3=37e81529f0 items=0 ppid=3343 pid=3345 auid=500 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> subj=system_u:system_r:system_mail_t:s0 key=(null)

Leaked file descriptor

>
> Checked processes on x86_64, no sendmail was or is running. Service
> isn't usually running and isn't now.
> Looks like a policy bug or both boxes have been tampered with, you
> tell me, Sulphur is here so they will get nuked soon enough. The
> sendmail bug may explain the strange behavior I have seen out of
> Thunderbird and Gmail but the sendmail AVC is only generated on the x86_64
> box, which incidentally is where I saw weird behavior out of
> Thunderbird, but that may be a separate issue. I don't think there is
> enough evidence yet to make that conclusion despite my feeling that it
> is related, I'll just have to keep my eyes peeled. I would file a bug
> report but I'd like to understand this first so I might suggest, even
> if I can't code, a fix, but if you have to explain it ...the bug would
> end up being read by someone that subscribes to this list so.....let
> me know, I will file it if you ask me to. If logs, etc. are needed I
> will supply them, but if it's a genuine bug it should be easily
> reproducible in under 30 minutes. I checked for processes running as
> fs_t and system_mail_t before, during, and after starting/stopping
> fail2ban on the x86_64 box, I don't see anything. I feel like I am
> forgetting something, anyway let me know about the bug report or if
> you want more logs etc...
>
> Thanks,
>
> Max

The problems reported are in fail2ban except for the gam_server problem.

I will add fixes in the next update for Fedora 8 selinux-policy-3.0.8-101

From eparis at redhat.com Mon Apr 21 20:08:49 2008
From: eparis at redhat.com (Eric Paris)
Date: Mon, 21 Apr 2008 16:08:49 -0400
Subject: SELinux, NFS and xguest
In-Reply-To: <480CEDA0.802@redhat.com>
References: <396970.21702.qm@web32203.mail.mud.yahoo.com> <480CEDA0.802@redhat.com>
Message-ID: <1208808529.2985.75.camel@localhost.localdomain>

On Mon, 2008-04-21 at 15:40 -0400, Daniel J Walsh wrote:
> Hal wrote:
> > Hi all,
> > I have a simple question:
> > Is there any way to use NFS home dirs for xguest users?
> > Will NFS4 work with selinux for normal and xguest user homes?
> > If yes, where can I read more?
> >
> > Regards,
> > Hal
> >
> Yes. I am working on the policy for confined users using nfs now.
> NFS and NFS4 currently do not support labeling, although this is being
> worked on. The system treats all files/directory as being labeled
> nfs_t, or you can override with a mount option.

At the moment only NFSv3 can be overridden with mount options.
NFSv4 support will appear in 2.6.26.....
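Dan Walsh's FD_CLOEXEC advice in the fail2ban thread above, as an added example that is not from any message in this thread and not fail2ban's own code: it creates a unix stream socketpair (the kind of descriptor that leaked into iptables and sendmail), checks whether it would survive an exec, and then marks every descriptor above stderr close-on-exec by walking /proc/self/fd, with a brute-force fallback when /proc is not mounted. The function names are this example's own assumptions.

```c
/* Added example, not fail2ban's or the Fedora policy's code: the fix Dan
 * Walsh describes above.  A daemon that forks and execs a helper (fail2ban
 * running iptables or sendmail) hands the helper every descriptor that is
 * not marked FD_CLOEXEC.  Under SELinux the leaked socket shows up exactly
 * as the AVCs in the thread: the helper's domain (iptables_t, system_mail_t)
 * is denied { read write } on a fail2ban_t unix_stream_socket.
 * The function names here are this example's own. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if fd would be inherited across exec (FD_CLOEXEC clear),
 * 0 if it is close-on-exec, -1 if fd is not open. */
int fd_leaks_across_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Set FD_CLOEXEC on one descriptor, keeping its other flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Mark every open descriptor >= keep_below close-on-exec (keep_below = 3
 * leaves stdin/stdout/stderr inheritable).  Walks /proc/self/fd when it is
 * available and otherwise brute-forces the descriptor table.  Returns the
 * number of descriptors that were changed. */
int set_cloexec_all(int keep_below)
{
    int changed = 0;
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL) {
        long max = sysconf(_SC_OPEN_MAX);
        if (max < 0)
            max = 1024;
        for (long fd = keep_below; fd < max; fd++)
            if (fd_leaks_across_exec((int)fd) == 1 && set_cloexec((int)fd) == 0)
                changed++;
        return changed;
    }
    int dir_fd = dirfd(dir);
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        char *end;
        long fd = strtol(ent->d_name, &end, 10);
        if (ent->d_name[0] == '\0' || *end != '\0')
            continue;                   /* skips "." and ".." */
        if (fd < keep_below || fd == dir_fd)
            continue;                   /* leave the DIR's own descriptor alone */
        if (fd_leaks_across_exec((int)fd) == 1 && set_cloexec((int)fd) == 0)
            changed++;
    }
    closedir(dir);
    return changed;
}

/* Reproduce the leak on a constructed socketpair and then close the hole.
 * Returns 0 when the socket was inheritable before and not after. */
int demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    int before = fd_leaks_across_exec(sv[0]);   /* 1: would leak into iptables */
    int changed = set_cloexec_all(3);           /* at least both socket ends */
    int after = fd_leaks_across_exec(sv[0]);    /* 0: stays with the daemon */
    printf("socket fd %d: inheritable before=%d, descriptors fixed=%d, "
           "inheritable after=%d\n", sv[0], before, changed, after);
    close(sv[0]);
    close(sv[1]);
    return (before == 1 && after == 0 && changed >= 2) ? 0 : -1;
}

int main(void)
{
    return demo() == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

On a modern kernel the same effect is had per descriptor with SOCK_CLOEXEC / O_CLOEXEC at creation time, which closes the race between open and fcntl in a threaded daemon.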
-Eric From dwalsh at redhat.com Tue Apr 22 14:02:36 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 22 Apr 2008 10:02:36 -0400 Subject: Fedora buildsys and SELinux In-Reply-To: <20080417002256.GA30919@nostromo.devel.redhat.com> References: <1208379430.5019.286.camel@calliope.phig.org> <20080417002256.GA30919@nostromo.devel.redhat.com> Message-ID: <480DEFFC.3070305@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bill Nottingham wrote: > James Morris (jmorris at namei.org) said: >>> * All the parties are here now needed to figure this out >>> * Someone better than me is going to reply with specifics about what is >>> not working in the buildsys >>> * We all agree it's pretty important to get this figured out in a good >>> way >> Can you please explain specifically what the problem is? > > You cannot create files in a chroot of a context not known by the > host policy. This means that if your host is running RHEL 5, you are > unable to compose any trees/images/livecds with SELinux enabled for > later releases. > > Bill > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Just catching up on this email chain. The far more insidious problem is the act of loading policy in the chroot effects the kernel of the host. So processes that are running in the host become invalidated when the client loads a policy. This happens even in the case where you are building a chroot environment on the SAME os. Since the spec file is running semanage commands to modify and add unconfined_t users, the unconfined processes of the parent and potential labels become unknown to the kernel for a period of time, which ends up labeling the files and processes as unlabeled_t. 
When this happens files labeled unlabeled_t can not be accesses by confined process and if a process becomes unlabeled_t it will not be allowed any access on the box, which can cause the process to crash or go into in infinite loop. If I build a livedvd, I end setenforce 0 livedvd ... load_policy setenforce 1 And sometimes I still need to fixfiles restore -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkgN7/wACgkQrlYvE4MpobNzEgCgysNQd6+WuH9GrSSTJy2YZuwd cNwAn2ioJTeBG416OT+CITaKwoAjWsC9 =/F7+ -----END PGP SIGNATURE----- From tmraz at redhat.com Tue Apr 22 14:58:33 2008 From: tmraz at redhat.com (Tomas Mraz) Date: Tue, 22 Apr 2008 16:58:33 +0200 Subject: Fedora buildsys and SELinux In-Reply-To: <480DEFFC.3070305@redhat.com> References: <1208379430.5019.286.camel@calliope.phig.org> <20080417002256.GA30919@nostromo.devel.redhat.com> <480DEFFC.3070305@redhat.com> Message-ID: <1208876313.6157.40.camel@vespa.frost.loc> > Bill Nottingham wrote: > > James Morris (jmorris at namei.org) said: > >>> * All the parties are here now needed to figure this out > >>> * Someone better than me is going to reply with specifics about what is > >>> not working in the buildsys > >>> * We all agree it's pretty important to get this figured out in a good > >>> way > >> Can you please explain specifically what the problem is? > > > > You cannot create files in a chroot of a context not known by the > > host policy. This means that if your host is running RHEL 5, you are > > unable to compose any trees/images/livecds with SELinux enabled for > > later releases. > > > > Bill > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Just catching up on this email chain. > > The far more insidious problem is the act of loading policy in the > chroot effects the kernel of the host. 
So processes that are running in > the host become invalidated when the client loads a policy. This > happens even in the case where you are building a chroot environment on > the SAME os. Since the spec file is running semanage commands to modify > and add unconfined_t users, the unconfined processes of the parent and > potential labels become unknown to the kernel for a period of time, > which ends up labeling the files and processes as unlabeled_t. When > this happens files labeled unlabeled_t can not be accesses by confined > process and if a process becomes unlabeled_t it will not be allowed any > access on the box, which can cause the process to crash or go into in > infinite loop. If I build a livedvd, I end > > setenforce 0 > livedvd ... > load_policy > setenforce 1 > And sometimes I still need to > fixfiles restore Could it be solved by kernel preventing loading the policy when the process which tries that is in the chroot? It seems to me that it doesn't make any sense to allow that. Then with enabling creating files with a context unknown to the policy the machine could run in enforcing mode although the process which does the compose would of course have to be unconfined. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. 
Turkish proverb

From eparis at redhat.com  Tue Apr 22 15:11:38 2008
From: eparis at redhat.com (Eric Paris)
Date: Tue, 22 Apr 2008 11:11:38 -0400
Subject: Fedora buildsys and SELinux
In-Reply-To: <1208876313.6157.40.camel@vespa.frost.loc>
References: <1208379430.5019.286.camel@calliope.phig.org>
	<20080417002256.GA30919@nostromo.devel.redhat.com>
	<480DEFFC.3070305@redhat.com>
	<1208876313.6157.40.camel@vespa.frost.loc>
Message-ID: <1208877098.2985.99.camel@localhost.localdomain>

On Tue, 2008-04-22 at 16:58 +0200, Tomas Mraz wrote:
> > Bill Nottingham wrote:
> > > James Morris (jmorris at namei.org) said:
> > >>> * All the parties are here now needed to figure this out
> > >>> * Someone better than me is going to reply with specifics about what is
> > >>> not working in the buildsys
> > >>> * We all agree it's pretty important to get this figured out in a good
> > >>> way
> > >> Can you please explain specifically what the problem is?
> > >
> > > You cannot create files in a chroot of a context not known by the
> > > host policy. This means that if your host is running RHEL 5, you are
> > > unable to compose any trees/images/livecds with SELinux enabled for
> > > later releases.
> > >
> > > Bill
> > Just catching up on this email chain.
> >
> > The far more insidious problem is the act of loading policy in the
> > chroot affects the kernel of the host. So processes that are running in
> > the host become invalidated when the client loads a policy. This
> > happens even in the case where you are building a chroot environment on
> > the SAME os. Since the spec file is running semanage commands to modify
> > and add unconfined_t users, the unconfined processes of the parent and
> > potential labels become unknown to the kernel for a period of time,
> > which ends up labeling the files and processes as unlabeled_t.
> > When
> > this happens files labeled unlabeled_t cannot be accessed by confined
> > processes and if a process becomes unlabeled_t it will not be allowed any
> > access on the box, which can cause the process to crash or go into an
> > infinite loop. If I build a livedvd, I end
> >
> > setenforce 0
> > livedvd ...
> > load_policy
> > setenforce 1
> > And sometimes I still need to
> > fixfiles restore
>
> Could it be solved by the kernel preventing loading the policy when the
> process which tries that is in the chroot? It seems to me that it
> doesn't make any sense to allow that. Then with enabling creating files
> with a context unknown to the policy the machine could run in enforcing
> mode although the process which does the compose would of course have to
> be unconfined.

How about changes to selinuxfs?

mount selinuxfs /chroot/selinux -t selinuxfs -o ro

If we are mounted with ro we make everything inside ro so the process
inside the chroot using the chroot version of selinuxfs couldn't screw
the system.

Still doesn't allow laying down invalid types on disk, is that a problem
today? Although I didn't like the rpm demands for illegal types this
seems like a case where we might want to take that patch...
-Eric

From sds at tycho.nsa.gov  Tue Apr 22 15:55:11 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 22 Apr 2008 11:55:11 -0400
Subject: Fedora buildsys and SELinux
In-Reply-To: <1208437979.18883.358.camel@moss-spartans.epoch.ncsc.mil>
References: <1208379430.5019.286.camel@calliope.phig.org>
	<20080417002256.GA30919@nostromo.devel.redhat.com>
	<20080417032347.GA7021@nostromo.devel.redhat.com>
	<1208437979.18883.358.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1208879711.15796.143.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2008-04-17 at 09:12 -0400, Stephen Smalley wrote:
> On Wed, 2008-04-16 at 23:23 -0400, Bill Nottingham wrote:
> > James Morris (jmorris at namei.org) said:
> > > > You cannot create files in a chroot of a context not known by the
> > > > host policy. This means that if your host is running RHEL 5, you are
> > > > unable to compose any trees/images/livecds with SELinux enabled for
> > > > later releases.
> > >
> > > Ok, that's what I suspected.
> > >
> > > One of the possible plans for this is to allow a process to run in a
> > > separate policy namespace, and probably also utilize namespace support in
> > > general.
> > >
> > > This is non-trivial and needs more analysis.
> >
> > Incidentally, this is also one of the blockers for policy-in-packages,
> > rather than a monolithic one.
>
> I assume you mean setting down unknown file labels rather than
> per-namespace or per-chroot policy support. I think they are related
> but different. The former is required if you always plan to install the
> files _before_ loading the policy. The latter is required primarily for
> getting any scriptlets to run in the right security contexts so that any
> files they create are labeled appropriately within the chroot.
BTW, for reference, a patch to support setting down unknown file labels
was posted here a couple of years ago:
http://marc.info/?l=selinux&m=114771094617968&w=2

But unfortunately we weren't able to sort the remaining issues discussed
in that thread.

> Also, I wanted to emphasize that chroot is different than unsharing the
> filesystem namespace, and per-chroot policy is not the same thing as
> per-namespace policy. I'd expect though that it would actually be a
> per-process policy mechanism, with most processes sharing the same
> policy but programs like rpm being able to unshare policy from their
> parent and then load a private policy to be applied only to their
> descendants.
>

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov  Tue Apr 22 15:59:13 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 22 Apr 2008 11:59:13 -0400
Subject: Fedora buildsys and SELinux
In-Reply-To: <1208876313.6157.40.camel@vespa.frost.loc>
References: <1208379430.5019.286.camel@calliope.phig.org>
	<20080417002256.GA30919@nostromo.devel.redhat.com>
	<480DEFFC.3070305@redhat.com>
	<1208876313.6157.40.camel@vespa.frost.loc>
Message-ID: <1208879953.15796.148.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2008-04-22 at 16:58 +0200, Tomas Mraz wrote:
> > Bill Nottingham wrote:
> > > James Morris (jmorris at namei.org) said:
> > >>> * All the parties are here now needed to figure this out
> > >>> * Someone better than me is going to reply with specifics about what is
> > >>> not working in the buildsys
> > >>> * We all agree it's pretty important to get this figured out in a good
> > >>> way
> > >> Can you please explain specifically what the problem is?
> > >
> > > You cannot create files in a chroot of a context not known by the
> > > host policy. This means that if your host is running RHEL 5, you are
> > > unable to compose any trees/images/livecds with SELinux enabled for
> > > later releases.
> > >
> > > Bill
> > Just catching up on this email chain.
> >
> > The far more insidious problem is the act of loading policy in the
> > chroot affects the kernel of the host. So processes that are running in
> > the host become invalidated when the client loads a policy. This
> > happens even in the case where you are building a chroot environment on
> > the SAME os. Since the spec file is running semanage commands to modify
> > and add unconfined_t users, the unconfined processes of the parent and
> > potential labels become unknown to the kernel for a period of time,
> > which ends up labeling the files and processes as unlabeled_t. When
> > this happens files labeled unlabeled_t cannot be accessed by confined
> > processes and if a process becomes unlabeled_t it will not be allowed any
> > access on the box, which can cause the process to crash or go into an
> > infinite loop. If I build a livedvd, I end
> >
> > setenforce 0
> > livedvd ...
> > load_policy
> > setenforce 1
> > And sometimes I still need to
> > fixfiles restore
>
> Could it be solved by the kernel preventing loading the policy when the
> process which tries that is in the chroot? It seems to me that it
> doesn't make any sense to allow that. Then with enabling creating files
> with a context unknown to the policy the machine could run in enforcing
> mode although the process which does the compose would of course have to
> be unconfined.

Why mount selinuxfs within the chroot at all? Policy load isn't
possible without selinuxfs.

I had thought though that they wanted/needed to load the policy with
scope limited to children of rpm so that package scriptlets will run in
the correct domain and files created by them will be labeled as expected
for the image being built rather than based on the host policy.
Which is rather complicated - it requires a per-process policy pointer
and some way to deal with files that may be visible both to scriptlets
within the chroot and to rpm and other processes outside of it.

-- 
Stephen Smalley
National Security Agency

From hal_bg at yahoo.com  Tue Apr 22 16:10:21 2008
From: hal_bg at yahoo.com (Hal)
Date: Tue, 22 Apr 2008 09:10:21 -0700 (PDT)
Subject: SELinux, NFS and xguest
In-Reply-To: <1208808529.2985.75.camel@localhost.localdomain>
Message-ID: <969834.69915.qm@web32203.mail.mud.yahoo.com>

What are the mount options you were talking about?
I could not find a way to override the nfs_t label.

--- Eric Paris wrote:
> On Mon, 2008-04-21 at 15:40 -0400, Daniel J Walsh wrote:
> > Hal wrote:
> > > Hi all,
> > > I have a simple question:
> > > Is there any way to use NFS home dirs for xguest users?
> > > Will NFS4 work with selinux for normal and xguest user homes?
> > > If yes, where can I read more?
> > >
> > > Regards,
> > > Hal
> > Yes. I am working on the policy for confined users using nfs now.
> > NFS and NFS4 currently do not support labeling, although this is being
> > worked on. The system treats all files/directory as being labeled
> > nfs_t, or you can override with a mount option.
>
> At the moment only NFSv3 can be overridden with mount options. NFSv4
> support will appear in 2.6.26.....
>
> -Eric
From sds at tycho.nsa.gov  Tue Apr 22 16:38:44 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 22 Apr 2008 12:38:44 -0400
Subject: Fedora buildsys and SELinux
In-Reply-To: <1208879711.15796.143.camel@moss-spartans.epoch.ncsc.mil>
References: <1208379430.5019.286.camel@calliope.phig.org>
	<20080417002256.GA30919@nostromo.devel.redhat.com>
	<20080417032347.GA7021@nostromo.devel.redhat.com>
	<1208437979.18883.358.camel@moss-spartans.epoch.ncsc.mil>
	<1208879711.15796.143.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1208882324.15796.151.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2008-04-22 at 11:55 -0400, Stephen Smalley wrote:
> On Thu, 2008-04-17 at 09:12 -0400, Stephen Smalley wrote:
> > On Wed, 2008-04-16 at 23:23 -0400, Bill Nottingham wrote:
> > > James Morris (jmorris at namei.org) said:
> > > > > You cannot create files in a chroot of a context not known by the
> > > > > host policy. This means that if your host is running RHEL 5, you are
> > > > > unable to compose any trees/images/livecds with SELinux enabled for
> > > > > later releases.
> > > >
> > > > Ok, that's what I suspected.
> > > >
> > > > One of the possible plans for this is to allow a process to run in a
> > > > separate policy namespace, and probably also utilize namespace support in
> > > > general.
> > > >
> > > > This is non-trivial and needs more analysis.
> > >
> > > Incidentally, this is also one of the blockers for policy-in-packages,
> > > rather than a monolithic one.
> >
> > I assume you mean setting down unknown file labels rather than
> > per-namespace or per-chroot policy support. I think they are related
> > but different. The former is required if you always plan to install the
> > files _before_ loading the policy. The latter is required primarily for
> > getting any scriptlets to run in the right security contexts so that any
> > files they create are labeled appropriately within the chroot.
>
> BTW, for reference, a patch to support setting down unknown file labels
> was posted here a couple of years ago:
> http://marc.info/?l=selinux&m=114771094617968&w=2

And the last version of that patch was:
http://marc.info/?l=selinux&m=114840466518263&w=2

Not that it applies cleanly anymore, of course.

> But unfortunately we weren't able to sort the remaining issues discussed
> in that thread.
>
> > Also, I wanted to emphasize that chroot is different than unsharing the
> > filesystem namespace, and per-chroot policy is not the same thing as
> > per-namespace policy. I'd expect though that it would actually be a
> > per-process policy mechanism, with most processes sharing the same
> > policy but programs like rpm being able to unshare policy from their
> > parent and then load a private policy to be applied only to their
> > descendants.
> >

-- 
Stephen Smalley
National Security Agency

From eparis at redhat.com  Tue Apr 22 18:14:30 2008
From: eparis at redhat.com (Eric Paris)
Date: Tue, 22 Apr 2008 14:14:30 -0400
Subject: SELinux, NFS and xguest
In-Reply-To: <969834.69915.qm@web32203.mail.mud.yahoo.com>
References: <969834.69915.qm@web32203.mail.mud.yahoo.com>
Message-ID: <1208888070.2985.104.camel@localhost.localdomain>

On Tue, 2008-04-22 at 09:10 -0700, Hal wrote:
> What are the mount options you were talking about?
> I could not find a way to override the nfs_t label.

For NFSv3 you should be able to use

context=system_u:object_r:httpd_sys_content_t:s0

(or whatever label you want); see mount(8).

Very recent kernels (2.6.25 devel timeframe) and nfs-utils allow usage of
context=, rootcontext= and fscontext=.

If you are trying to mount the same server in multiple places with
multiple labels you may need to look at the nosharecache option....

Someday we will have real labeling support on NFS.
Someday

-Eric

> --- Eric Paris wrote:
> > On Mon, 2008-04-21 at 15:40 -0400, Daniel J Walsh wrote:
> > > Hal wrote:
> > > > Hi all,
> > > > I have a simple question:
> > > > Is there any way to use NFS home dirs for xguest users?
> > > > Will NFS4 work with selinux for normal and xguest user homes?
> > > > If yes, where can I read more?
> > > >
> > > > Regards,
> > > > Hal
> > > Yes. I am working on the policy for confined users using nfs now.
> > > NFS and NFS4 currently do not support labeling, although this is being
> > > worked on. The system treats all files/directory as being labeled
> > > nfs_t, or you can override with a mount option.
> >
> > At the moment only NFSv3 can be overridden with mount options. NFSv4
> > support will appear in 2.6.26.....
> >
> > -Eric

From cra at WPI.EDU  Tue Apr 22 18:21:03 2008
From: cra at WPI.EDU (Chuck Anderson)
Date: Tue, 22 Apr 2008 14:21:03 -0400
Subject: port numbers for sctp support?
Message-ID: <20080422182103.GJ7449@angus.ind.WPI.EDU>

Is sctp support planned?
#semanage port -a -t ssh_sctp_port_t -p sctp 22
/usr/sbin/semanage: Protocol udp or tcp is required

From dwalsh at redhat.com  Tue Apr 22 19:20:16 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 22 Apr 2008 15:20:16 -0400
Subject: Fedora buildsys and SELinux
In-Reply-To: <1208879953.15796.148.camel@moss-spartans.epoch.ncsc.mil>
References: <1208379430.5019.286.camel@calliope.phig.org>
	<20080417002256.GA30919@nostromo.devel.redhat.com>
	<480DEFFC.3070305@redhat.com>
	<1208876313.6157.40.camel@vespa.frost.loc>
	<1208879953.15796.148.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <480E3A70.6090901@redhat.com>

Stephen Smalley wrote:
> On Tue, 2008-04-22 at 16:58 +0200, Tomas Mraz wrote:
>>> Bill Nottingham wrote:
>>>> James Morris (jmorris at namei.org) said:
>>>>>> * All the parties are here now needed to figure this out
>>>>>> * Someone better than me is going to reply with specifics about what is
>>>>>> not working in the buildsys
>>>>>> * We all agree it's pretty important to get this figured out in a good
>>>>>> way
>>>>> Can you please explain specifically what the problem is?
>>>> You cannot create files in a chroot of a context not known by the
>>>> host policy. This means that if your host is running RHEL 5, you are
>>>> unable to compose any trees/images/livecds with SELinux enabled for
>>>> later releases.
>>>>
>>>> Bill
>>> Just catching up on this email chain.
>>>
>>> The far more insidious problem is the act of loading policy in the
>>> chroot affects the kernel of the host. So processes that are running in
>>> the host become invalidated when the client loads a policy. This
>>> happens even in the case where you are building a chroot environment on
>>> the SAME os.
>>> Since the spec file is running semanage commands to modify
>>> and add unconfined_t users, the unconfined processes of the parent and
>>> potential labels become unknown to the kernel for a period of time,
>>> which ends up labeling the files and processes as unlabeled_t. When
>>> this happens files labeled unlabeled_t cannot be accessed by confined
>>> processes and if a process becomes unlabeled_t it will not be allowed any
>>> access on the box, which can cause the process to crash or go into an
>>> infinite loop. If I build a livedvd, I end
>>>
>>> setenforce 0
>>> livedvd ...
>>> load_policy
>>> setenforce 1
>>> And sometimes I still need to
>>> fixfiles restore
>> Could it be solved by the kernel preventing loading the policy when the
>> process which tries that is in the chroot? It seems to me that it
>> doesn't make any sense to allow that. Then with enabling creating files
>> with a context unknown to the policy the machine could run in enforcing
>> mode although the process which does the compose would of course have to
>> be unconfined.
>
> Why mount selinuxfs within the chroot at all? Policy load isn't
> possible without selinuxfs.
>
> I had thought though that they wanted/needed to load the policy with
> scope limited to children of rpm so that package scriptlets will run in
> the correct domain and files created by them will be labeled as expected
> for the image being built rather than based on the host policy. Which
> is rather complicated - it requires a per-process policy pointer and
> some way to deal with files that may be visible both to scriptlets
> within the chroot and to rpm and other processes outside of it.
>
Well currently livecd tools do a relabel at the end. So we still have
the problem of the labels being correct when the dvd is complete.
From dwalsh at redhat.com  Tue Apr 22 19:21:35 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 22 Apr 2008 15:21:35 -0400
Subject: port numbers for sctp support?
In-Reply-To: <20080422182103.GJ7449@angus.ind.WPI.EDU>
References: <20080422182103.GJ7449@angus.ind.WPI.EDU>
Message-ID: <480E3ABF.2020109@redhat.com>

Chuck Anderson wrote:
> Is sctp support planned?
>
> #semanage port -a -t ssh_sctp_port_t -p sctp 22
> /usr/sbin/semanage: Protocol udp or tcp is required
>
TCP Port 22 is labeled ssh_port_t.

From cra at WPI.EDU  Tue Apr 22 19:25:52 2008
From: cra at WPI.EDU (Chuck Anderson)
Date: Tue, 22 Apr 2008 15:25:52 -0400
Subject: port numbers for sctp support?
In-Reply-To: <480E3ABF.2020109@redhat.com>
References: <20080422182103.GJ7449@angus.ind.WPI.EDU>
	<480E3ABF.2020109@redhat.com>
Message-ID: <20080422192552.GM7449@angus.ind.WPI.EDU>

On Tue, Apr 22, 2008 at 03:21:35PM -0400, Daniel J Walsh wrote:
> TCP Port 22 is labeled ssh_port_t.

For TCP, yes. I need SCTP, a different IP protocol.

From dwalsh at redhat.com  Tue Apr 22 19:42:07 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 22 Apr 2008 15:42:07 -0400
Subject: port numbers for sctp support?
In-Reply-To: <20080422192552.GM7449@angus.ind.WPI.EDU>
References: <20080422182103.GJ7449@angus.ind.WPI.EDU>
	<480E3ABF.2020109@redhat.com>
	<20080422192552.GM7449@angus.ind.WPI.EDU>
Message-ID: <480E3F8F.3070502@redhat.com>

Chuck Anderson wrote:
> On Tue, Apr 22, 2008 at 03:21:35PM -0400, Daniel J Walsh wrote:
>> TCP Port 22 is labeled ssh_port_t.
>
> For TCP, yes. I need SCTP, a different IP protocol.
>
I have no idea if this is handled for SCTP. Are you seeing AVC messages?

You might want to bring this up for discussion on the Developer list.

From sds at tycho.nsa.gov  Tue Apr 22 20:02:52 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 22 Apr 2008 16:02:52 -0400
Subject: port numbers for sctp support?
In-Reply-To: <480E3F8F.3070502@redhat.com>
References: <20080422182103.GJ7449@angus.ind.WPI.EDU>
	<480E3ABF.2020109@redhat.com>
	<20080422192552.GM7449@angus.ind.WPI.EDU>
	<480E3F8F.3070502@redhat.com>
Message-ID: <1208894572.15796.185.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2008-04-22 at 15:42 -0400, Daniel J Walsh wrote:
> Chuck Anderson wrote:
> > On Tue, Apr 22, 2008 at 03:21:35PM -0400, Daniel J Walsh wrote:
> >> TCP Port 22 is labeled ssh_port_t.
> >
> > For TCP, yes. I need SCTP, a different IP protocol.
> >
> I have no idea if this is handled for SCTP. Are you seeing AVC messages?
Should show up as name_bind checks on port_t:rawip_socket, as per:
http://marc.info/?l=fedora-selinux-list&m=112806295900352&w=2

Policy toolchain doesn't presently allow specification of port contexts
for anything other than udp or tcp, although I think the kernel side
would support it just fine. So we'd need to update libsepol/libsemanage
first, then adjust seobject.py to recognize "sctp". Along with
checkpolicy.

-- 
Stephen Smalley
National Security Agency

From freeslkr.wl6x at mailnull.com  Wed Apr 23 04:59:18 2008
From: freeslkr.wl6x at mailnull.com (freeslkr)
Date: Wed, 23 Apr 2008 04:59:18 +0000 (UTC)
Subject: postfix with maildir delivery
Message-ID: 

Hello,

I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
every time postfix delivers mail to the maildir directories. It looks
like postfix doesn't have permission to create files. For example,

from /var/log/messages:

SELinux is preventing local (postfix_local_t) "link" to
./1208923427.P3686.myhost (mail_spool_t)

from /var/log/audit/audit.log:

type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
ino=819271 scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:mail_spool_t:s0 tclass=file

type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
comm="local" exe="/usr/libexec/postfix/local"
subj=system_u:system_r:postfix_local_t:s0 key=(null)

Is my interpretation correct? If so, is it likely that this could be
corrected in a future policy version?
Thank you for your help

From maximilianbianco at gmail.com  Wed Apr 23 15:56:47 2008
From: maximilianbianco at gmail.com (max bianco)
Date: Wed, 23 Apr 2008 11:56:47 -0400
Subject: Fedora buildsys and SELinux
In-Reply-To: <480E3A70.6090901@redhat.com>
References: <1208379430.5019.286.camel@calliope.phig.org>
	<20080417002256.GA30919@nostromo.devel.redhat.com>
	<480DEFFC.3070305@redhat.com>
	<1208876313.6157.40.camel@vespa.frost.loc>
	<1208879953.15796.148.camel@moss-spartans.epoch.ncsc.mil>
	<480E3A70.6090901@redhat.com>
Message-ID: 

On Tue, Apr 22, 2008 at 3:20 PM, Daniel J Walsh wrote:
>
> Stephen Smalley wrote:
> > On Tue, 2008-04-22 at 16:58 +0200, Tomas Mraz wrote:
> >>> Bill Nottingham wrote:
> >>>> James Morris (jmorris at namei.org) said:
> >>>>>> * All the parties are here now needed to figure this out
> >>>>>> * Someone better than me is going to reply with specifics about what is
> >>>>>> not working in the buildsys
> >>>>>> * We all agree it's pretty important to get this figured out in a good
> >>>>>> way
> >>>>> Can you please explain specifically what the problem is?
> >>>> You cannot create files in a chroot of a context not known by the
> >>>> host policy. This means that if your host is running RHEL 5, you are
> >>>> unable to compose any trees/images/livecds with SELinux enabled for
> >>>> later releases.
> >>>>
> >>>> Bill
> >>> Just catching up on this email chain.
> >>>
> >>> The far more insidious problem is the act of loading policy in the
> >>> chroot affects the kernel of the host. So processes that are running in
> >>> the host become invalidated when the client loads a policy. This
> >>> happens even in the case where you are building a chroot environment on
> >>> the SAME os.
> >>> Since the spec file is running semanage commands to modify
> >>> and add unconfined_t users, the unconfined processes of the parent and
> >>> potential labels become unknown to the kernel for a period of time,
> >>> which ends up labeling the files and processes as unlabeled_t. When
> >>> this happens files labeled unlabeled_t cannot be accessed by confined
> >>> processes and if a process becomes unlabeled_t it will not be allowed any
> >>> access on the box, which can cause the process to crash or go into an
> >>> infinite loop. If I build a livedvd, I end
> >>>
> >>> setenforce 0
> >>> livedvd ...
> >>> load_policy
> >>> setenforce 1
> >>> And sometimes I still need to
> >>> fixfiles restore
> >> Could it be solved by the kernel preventing loading the policy when the
> >> process which tries that is in the chroot? It seems to me that it
> >> doesn't make any sense to allow that. Then with enabling creating files
> >> with a context unknown to the policy the machine could run in enforcing
> >> mode although the process which does the compose would of course have to
> >> be unconfined.
> >
> > Why mount selinuxfs within the chroot at all? Policy load isn't
> > possible without selinuxfs.
> >
> > I had thought though that they wanted/needed to load the policy with
> > scope limited to children of rpm so that package scriptlets will run in
> > the correct domain and files created by them will be labeled as expected
> > for the image being built rather than based on the host policy. Which
> > is rather complicated - it requires a per-process policy pointer and
> > some way to deal with files that may be visible both to scriptlets
> > within the chroot and to rpm and other processes outside of it.
> >
> Well currently livecd tools do a relabel at the end. So we still have
> the problem of the labels being correct when the dvd is complete.
>
I am trying to keep up with this conversation and I don't expect anyone
to stop and explain all this but....
Can the image be built on a remote host? Or a virtualized one (I caught
but do not completely understand the comment about being unable to
virtualize SELinux)? Would this not rather neatly avoid the chroot
problem (assuming I am understanding the problem correctly)? Which if I
understand it right is that you cannot load policy in the chroot because
the policy applies itself or is getting applied to the running kernel
even though it is not intended for that kernel but the one in the image,
which is of course not running. Perhaps these things have been
considered already but are not feasible? Mind you I have no idea how to
implement this, I am just beating my little gnat wings off the west
coast of Africa hoping I can cause the typhoon in South America.

I haven't been able to find much in the way of documentation on the
Fedora build system. If anyone has a pointer to good docs, assuming they
exist, I would appreciate the link; what little I have found seems
incomplete or unfinished.

Max

From cannewilson at googlemail.com  Wed Apr 23 17:33:10 2008
From: cannewilson at googlemail.com (Anne Wilson)
Date: Wed, 23 Apr 2008 18:33:10 +0100
Subject: postfix with maildir delivery
In-Reply-To: 
References: 
Message-ID: <200804231833.11076.cannewilson@googlemail.com>

On Wednesday 23 April 2008 05:59, freeslkr wrote:
> Hello,
>
> I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
> every time postfix delivers mail to the maildir directories. It looks
> like postfix doesn't have permission to create files.
> For example,
>
> from /var/log/messages:
>
> SELinux is preventing local (postfix_local_t) "link" to
> ./1208923427.P3686.myhost (mail_spool_t)
>
> from /var/log/audit/audit.log:
>
> type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
> pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
> ino=819271 scontext=system_u:system_r:postfix_local_t:s0
> tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
> syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
> a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
> euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
> comm="local" exe="/usr/libexec/postfix/local"
> subj=system_u:system_r:postfix_local_t:s0 key=(null)
>
> Is my interpretation correct? If so, is it likely that this could be
> corrected in a future policy version?
>
Try 'sealert -b' and find the message relating to this. It will give
you a command to run, to tell selinux that you need this.

Anne

From freeslkr.wl6x at mailnull.com  Thu Apr 24 05:17:44 2008
From: freeslkr.wl6x at mailnull.com (freeslkr)
Date: Thu, 24 Apr 2008 05:17:44 +0000 (UTC)
Subject: postfix with maildir delivery
References: <200804231833.11076.cannewilson@googlemail.com>
Message-ID: 

Anne Wilson googlemail.com> writes:

> On Wednesday 23 April 2008 05:59, freeslkr wrote:
> > Hello,
> >
> > I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
> > every time postfix delivers mail to the maildir directories. It looks
> > like postfix doesn't have permission to create files.
For example, > > > > from /var/log/messages: > > > > SELinux is preventing local (postfix_local_t) "link" to > > ./1208923427.P3686.myhost (mail_spool_t) > > > > from /var/log/audit/audit.log: > > > > type=AVC msg=audit(1208923427.350:95): avc: denied { link } for > > pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 > > ino=819271 scontext=system_u:system_r:postfix_local_t:s0 > > tcontext=system_u:object_r:mail_spool_t:s0 tclass=file > > > > type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e > > syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0 > > a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0 > > euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none) > > comm="local" exe="/usr/libexec/postfix/local" > > subj=system_u:system_r:postfix_local_t:s0 key=(null) > > > > Is my interpretation correct. If so, is it likely that this could be > > corrected in a future policy version? > > > Try 'sealert -b' and find the message relating to this. It will give you a > command to run, to tell selinux that you need this. > > Anne This yields: Summary SELinux is preventing local (postfix_local_t) "link" to ./1208923427.P3686.myhost (mail_spool_t). Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by local. It is not expected that this access is required by local and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./1208923427.P3686.myhost, restorecon -v './1208923427.P3686.myhost' If this does not work, there is currently no automatic way to allow this access. 
Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional Information Source Context: system_u:system_r:postfix_local_t:s0 Target Context: system_u:object_r:mail_spool_t:s0 Target Objects: ./1208923427.P3686.myhost [ file ] Source: local Source Path: /usr/libexec/postfix/local Port: Host: myhost Source RPM Packages: postfix-2.4.5-2.fc8 Target RPM Packages: Policy RPM: selinux-policy-3.0.8-95.fc8 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: catchall_file Host Name: myhost Platform: Linux myhost 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64 Alert Count: 1 First Seen: Tue 22 Apr 2008 10:03:47 PM MDT Last Seen: Tue 22 Apr 2008 10:03:47 PM MDT Local ID: fb3bbd5f-23c2-40f2-a656-f02a0ce7fab7 Line Numbers: Furthermore, `grep postfix audit.log | audit2allow` gives #============= postfix_local_t ============== allow postfix_local_t mail_spool_t:file link; From cannewilson at googlemail.com Thu Apr 24 07:59:34 2008 From: cannewilson at googlemail.com (Anne Wilson) Date: Thu, 24 Apr 2008 08:59:34 +0100 Subject: postfix with maildir delivery In-Reply-To: References: <200804231833.11076.cannewilson@googlemail.com> Message-ID: <200804240859.35172.cannewilson@googlemail.com> On Thursday 24 April 2008 06:17:44 freeslkr wrote: > Sometimes labeling problems can cause SELinux denials. You could try > to restore the default system file context for ./1208923427.P3686.myhost, > restorecon -v './1208923427.P3686.myhost' That looks as though it is a message address? If so, I'd try "restorecon -v 'yourMailDirectory'". Usually it's enough to just copy the restorecon and paste it into a root terminal. Maybe someone with more selinux skill will tell you a better solution than mine, but I think it would be OK. 
Anne From sds at tycho.nsa.gov Thu Apr 24 16:58:55 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 24 Apr 2008 12:58:55 -0400 Subject: Fedora buildsys and SELinux In-Reply-To: <1208882324.15796.151.camel@moss-spartans.epoch.ncsc.mil> References: <1208379430.5019.286.camel@calliope.phig.org> <20080417002256.GA30919@nostromo.devel.redhat.com> <20080417032347.GA7021@nostromo.devel.redhat.com> <1208437979.18883.358.camel@moss-spartans.epoch.ncsc.mil> <1208879711.15796.143.camel@moss-spartans.epoch.ncsc.mil> <1208882324.15796.151.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1209056335.15796.475.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2008-04-22 at 12:38 -0400, Stephen Smalley wrote: > On Tue, 2008-04-22 at 11:55 -0400, Stephen Smalley wrote: > > On Thu, 2008-04-17 at 09:12 -0400, Stephen Smalley wrote: > > > On Wed, 2008-04-16 at 23:23 -0400, Bill Nottingham wrote: > > > > James Morris (jmorris at namei.org) said: > > > > > > You cannot create files in a chroot of a context not known by the > > > > > > host policy. This means that if your host is running RHEL 5, you are > > > > > > unable to compose any trees/images/livecds with SELinux enabled for > > > > > > later releases. > > > > > > > > > > Ok, that's what I suspected. > > > > > > > > > > One of the possible plans for this is to allow a process to run in a > > > > > separate policy namespace, and probably also utilize namespace support in > > > > > general. > > > > > > > > > > This is non-trivial and needs more analysis. > > > > > > > > Incidentally, this is also one of the blockers for policy-in-packages, > > > > rather than a monolithic one. > > > > > > I assume you mean setting down unknown file labels rather than > > > per-namespace or per-chroot policy support. 
I think they are related > > > but different. The former is required if you always plan to install the > > > files _before_ loading the policy. The latter is required primarily for > > > getting any scriptlets to run in the right security contexts so that any > > > files they create are labeled appropriately within the chroot. > > > > BTW, for reference, a patch to support setting down unknown file labels > > was posted here a couple of years ago: > > http://marc.info/?l=selinux&m=114771094617968&w=2 > > And the last version of that patch was: > http://marc.info/?l=selinux&m=114840466518263&w=2 > Not that it applies cleanly anymore, of course. Note for anyone trying to revive that patch: please be sure to introduce a new security class for that permission instead of adding it to the security class as I did in that patch, so that we can be certain that this new ability won't be allowed to unconfined domains by default. We do not want unconfined_t user shells to be able to set arbitrary label values without any warning that the value wasn't valid; we want to limit this to specific programs like rpm that will be aware of the implications and (hopefully) do some validity checking of their own afterward. -- Stephen Smalley National Security Agency From jczucco at ucs.br Sat Apr 26 18:52:22 2008 From: jczucco at ucs.br (Jeronimo Zucco) Date: Sat, 26 Apr 2008 15:52:22 -0300 Subject: Portuguese documentation available Message-ID: <1209235942.481379e635d01@webmail.ucs.br> I wrote some documentation about selinux in portuguese. 
If you want to read it, please access: http://jczucco.googlepages.com/selinux.html -- Jeronimo Zucco LPIC-1 Linux Professional Institute Certified http://jczucco.blogspot.com --------------------------------------- This message was sent by UCS Mail From freeslkr.wl6x at mailnull.com Sun Apr 27 04:19:21 2008 From: freeslkr.wl6x at mailnull.com (freeslkr) Date: Sun, 27 Apr 2008 04:19:21 +0000 (UTC) Subject: postfix with maildir delivery References: Message-ID: freeslkr mailnull.com> writes: > Hello, > > I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs > every time postfix delivers mail to the maildir directories. It looks > like postfix doesn't have permission to create files. For example, > > from /var/log/messages: > > SELinux is preventing local (postfix_local_t) "link" to > ./1208923427.P3686.myhost (mail_spool_t) > > from /var/log/audit/audit.log: > > type=AVC msg=audit(1208923427.350:95): avc: denied { link } for > pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 > ino=819271 scontext=system_u:system_r:postfix_local_t:s0 > tcontext=system_u:object_r:mail_spool_t:s0 tclass=file > > type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e > syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0 > a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0 > euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none) > comm="local" exe="/usr/libexec/postfix/local" > subj=system_u:system_r:postfix_local_t:s0 key=(null) > > Is my interpretation correct. If so, is it likely that this could be > corrected in a future policy version? > > Thank you for your help I'll first note that reverting to mbox files in /var/spool/mail works just fine. Blundering along here ... file:///usr/share/doc/selinux-policy-3.0.8/html/services_postfix.html says allow_postfix_local_write_mail_spool Default value: false Description: Allow postfix_local domain full write access to mail_spool directories This sounds like what I need. 
But, it seems that it's already set.

$ getsebool allow_postfix_local_write_mail_spool
allow_postfix_local_write_mail_spool --> on
$ cd /var/spool
$ ls -Zd mail
drwxrwxr-x root mail system_u:object_r:mail_spool_t:s0 mail
$ ls -Zd mail/*
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX
$ ls -Zd mail/*/*
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/cur
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/new
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/tmp
$ ls -Z mail/*/*/new
-rw------- XXXX XXXX system_u:object_r:mail_spool_t:s0 1209227463.Vfd03Ic8046M24695.myhost

To me, it _looks_ like postfix should be able to create new files in /var/spool/mail/*/*, but this is being denied. In the selinux-policy source rpm, there are three files that seem to be related to postfix: postfix.{fc,if,te}. Obviously, I don't understand how all of this works, but there are no direct references to mail_spool_t or /var/spool/mail or /var/mail in these files. /var/spool/postfix has type postfix_spool_t, so naively I try

$ chcon --recursive --type postfix_spool_t /var/spool/mail

but that causes numerous AVC denied messages. Using audit2allow:

$ grep -e postfix -e mail /var/log/audit/audit.log | audit2allow
#============= postfix_local_t ==============
allow postfix_local_t mail_spool_t:file link;

Now, if I can just figure out what to do with this .... Thanks to anyone that shares some insight here.
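The thread above pipes audit.log through audit2allow and gets back a single allow rule without explaining what the tool does with the records. As an added example, not code from the thread, from Fedora or from the SELinux project, the following Python parses the AVC and SYSCALL records in the same way: it joins the two records of one event by their audit(ts:serial) key, extracts source type, target type, object class and permissions, groups them, and renders the same `allow` line plus the module header and `require` block that `audit2allow -M` would wrap around it. The first two records are the ones freeslkr posted; the third and fourth are constructed to show a second permission on a different class and what an enforcing-mode denial looks like (success=no exit=-13). The module name `postfixlocal` and the helper names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample log. Records 1-2 are the ones posted in the thread; 3-4 are
# made up here to show a dir denial and an enforcing-mode failure (success=no).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1208923427.350:95): avc: denied { link } for pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0 a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1208923500.100:96): avc: denied { write } for pid=3690 comm="local" name="tmp" dev=dm-3 ino=819200 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1208923500.100:96): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=2371 pid=3690 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """key=value pairs; quoted values are unquoted, (null)/(none) are kept as-is."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit(text):
    """Return the AVC records, each joined to the SYSCALL record of the same event."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = parse_fields(m.group("fields"))
            rec["event"] = f"{m.group('ts')}:{m.group('serial')}"
            rec["result"] = m.group("result")
            rec["perms"] = m.group("perms").split()
            avcs.append(rec)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[f"{m.group('ts')}:{m.group('serial')}"] = parse_fields(m.group("fields"))
    for rec in avcs:
        rec["syscall"] = syscalls.get(rec["event"], {})
    return avcs


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def was_blocked(rec):
    """True only if the syscall really failed. A denied AVC paired with
    success=yes, as in the thread, is the signature of permissive mode."""
    return rec["syscall"].get("success") == "no"


def derive_rules(avcs):
    """Group denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for rec in avcs:
        if rec["result"] == "denied":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            rules[key].update(rec["perms"])
    return dict(rules)


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def emit_te(rules):
    """allow rules in policy source syntax, grouped by source type."""
    out = []
    for src in sorted({k[0] for k in rules}):
        out.append(f"#============= {src} ==============")
        for (s, t, cls), perms in sorted(rules.items(), key=lambda kv: kv[0]):
            if s == src:
                out.append(f"allow {s} {t}:{cls} {_perm_list(perms)};")
    return "\n".join(out)


def emit_module(name, rules, version="1.0"):
    """Complete loadable-module .te source: header, require block, allow rules."""
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in rules for t in k[:2]})]
    out += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", "", emit_te(rules)]
    return "\n".join(out)


if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT_LOG)
    for r in records:
        mode = "blocked" if was_blocked(r) else "permissive, logged only"
        print(f"{r['event']} {r['comm']} {r['tclass']}:{r['perms']} -> {mode}")
    print(emit_module("postfixlocal", derive_rules(records)))
```

The printed .te is the same shape `audit2allow -M postfixlocal` writes to postfixlocal.te before compiling it (checkmodule -M -m, semodule_package, then `semodule -i postfixlocal.pp`). Two things the thread's raw records show and the tool output hides: the SYSCALL record's `success=yes` confirms the denial was only logged because the box is permissive, and the grouping step is why a single `grep | audit2allow` can silently roll several unrelated denials into one rule, so read the require block before loading anything.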