From fedora02 at grifent.com Mon Dec 1 20:48:16 2008
From: fedora02 at grifent.com (John Griffiths)
Date: Mon, 01 Dec 2008 15:48:16 -0500
Subject: browser_confine_xguest
Message-ID: <49344D90.8060307@grifent.com>

An HTML attachment was scrubbed...

From konrad.azzopardi at gmail.com Mon Dec 1 22:47:04 2008
From: konrad.azzopardi at gmail.com (Konrad Azzopardi)
Date: Mon, 1 Dec 2008 23:47:04 +0100
Subject: Problem with restorecon

Hi people,

I have the following policy version installed:

selinux-policy-3.3.1-107.fc9.noarch
selinux-policy-devel-3.3.1-107.fc9.noarch
selinux-policy-targeted-3.3.1-107.fc9.noarch

I created an SELinux policy and generated the following file contexts:

[root at MALTA konsu]# semanage fcontext -l | grep yule
/etc/init.d/yule                regular file    system_u:object_r:yule_script_exec_t:s0
/var/run/yule.pid               regular file    system_u:object_r:yule_var_run_t:s0
/var/log/yule(/.*)?             regular file    system_u:object_r:yule_log_t:s0
/var/lib/yule(/.*)?             regular file    system_u:object_r:yule_var_lib_t:s0
/etc/yulerc                     regular file    system_u:object_r:yule_config_t:s0
/usr/local/sbin/yule            regular file    system_u:object_r:yule_exec_t:s0

All the files seem to become labelled normally as expected except /etc/init.d/yule:

[root at MALTA konsu]# restorecon -R -v /etc/init.d/yule
[root at MALTA konsu]# ls -lrtZ /etc/init.d/yule
-rwx------ root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/yule

I cannot get rid of initrc_exec_t. Although my script is still confined correctly, I would like to label this file normally. Is there a reason why restorecon fails?

many thanks
konrad

fedora-selinux-list

From konrad.azzopardi at gmail.com Mon Dec 1 22:48:49 2008
From: konrad.azzopardi at gmail.com (Konrad Azzopardi)
Date: Mon, 1 Dec 2008 23:48:49 +0100
Subject: interface file

Hi there,

A simple question: if I want to create some interface like corenet_tcp_connect_yule_port(), would it be OK to put it in the interface file, because I saw a lot of similar macros deprecated inside the interface files? If it is not the right place, would corenetwork.if.in be the right place? What is the best way to go about it?

tnx a lot

From bruno at wolff.to Mon Dec 1 23:03:03 2008
From: bruno at wolff.to (Bruno Wolff III)
Date: Mon, 1 Dec 2008 17:03:03 -0600
Subject: Problem with restorecon
Message-ID: <20081201230303.GB30102@wolff.to>

On Mon, Dec 01, 2008 at 23:47:04 +0100, Konrad Azzopardi wrote:
>
> I cannot get rid of initrc_exec_t. Although my script is still
> confined correctly, I would like to label this file normally, is there
> a reason why restorecon fails ?

My guess would be that the last matching rule for /etc/init.d/yule is not the one you have shown.

As far as I can tell the management of rules for restorecon is not complete, as there isn't any easy way to order the rules. For add-on rules you can delete existing ones and re-add them to put them at the end of the list. That is a pain.

I don't think a list of REs matching complete paths that is order dependent is the best way to solve this problem. I think it would be better to have something that matched the tree structure of the file system.

From prauser at aegislawgroup.com Mon Dec 1 22:32:09 2008
From: prauser at aegislawgroup.com (Paul C. Rauser)
Date: Mon, 01 Dec 2008 17:32:09 -0500 (EST)
Subject: nspluginwrapper and .PDF files
In-Reply-To: <88257294.34741228170430006.JavaMail.root@waste2.aegislawgroup.com>
Message-ID: <1004742961.34811228170729642.JavaMail.root@waste2.aegislawgroup.com>

Over the past several days, I have begun to experiment with enabling the allow_unconfined_nsplugin_transition boolean in a F10 test environment.

One of the most consistent demands from my test users/potential security threats is the ability to open .PDF files. Using mozplugger to do this launches evince, which throws AVCs all over and is probably undesirable anyway for the reasons listed in Dan Walsh's Nov 4 blog post on http://danwalsh.livejournal.com/

On the other hand, removing mozplugger and using the Adobe Acrobat 8.1.3 Firefox plugin throws lots of AVCs of its own -- and even more when doing things like printing -- and thus may not be the way to go.

If allow_unconfined_nsplugin_transition is to be useful in user land, it seems that the boolean should allow .PDF opening/saving/printing out of the box using either evince or Adobe's reader. I am happy to bugzilla the AVCs for one or the other and help with testing -- any preference in the community for which one?

Paul C. Rauser
Ægis law group LLP
901 F Street, N.W.
Suite 500
Washington, D.C. 20004
T: 202 737 3375
F: 202 737 3330
E: prauser at aegislawgroup.com

NOTICE: This communication from Aegis Law Group LLP may contain information that is legally privileged, confidential, or exempt from disclosure. If you are not the intended recipient, please note that any disclosure, copying, distribution, or use of the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by return e-mail and delete all copies.
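Paul offers to collect the AVCs for a bug report, and several other messages in this archive paste raw audit records. The parser below is an added example, not code from any poster, from setroubleshoot or from audit2allow: it groups AVC records by source type, target type and object class, pairs each AVC with its SYSCALL record by audit serial number so that a denial which really failed (success=no, exit=-13, enforcing mode) can be told from one that was only logged (success=yes, permissive mode), and drafts audit2allow-style rules for review. The sample records are the iptables and npviewer.bin records posted later on this page, with the host= prefix dropped; the function and variable names are my own.

```python
import re

# Audit records copied from this page (iptables on CentOS 5 in permissive mode,
# npviewer.bin on Fedora 10 in enforcing mode), each followed by its SYSCALL record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1227684250.838:20268): avc: denied { read write } for pid=22829 comm="iptables" path="socket:[18015]" dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket
type=SYSCALL msg=audit(1227684250.838:20268): arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610 a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1228222629.565:217): avc: denied { read } for pid=4625 comm="npviewer.bin" name="pulse-shm-4180703699" dev=tmpfs ino=36988 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1228222629.565:217): arch=40000003 syscall=5 success=no exit=-13 a0=bfda08d0 a1=a0000 a2=0 a3=bfda08d0 items=0 ppid=4427 pid=4625 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=13 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
"""

# The kernel writes "avc:  denied  {" with double spaces; mail clients often collapse them.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?success=(?P<success>yes|no) exit=(?P<exit>-?\d+)'
)


def type_of(context):
    """Return the type field (third colon-separated component) of a security context."""
    return context.split(":")[2]


def parse_audit(text):
    """Group AVC denials by (source type, target type, class).

    Each entry records the union of denied permissions, the commands involved
    and, when the SYSCALL record with the same serial is present, whether the
    syscall actually failed (True = enforced) or succeeded (False = permissive).
    """
    syscalls = {}
    avcs = []
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m["serial"]] = m["success"] == "yes"
            continue
        m = AVC_RE.search(line)
        if m:
            avcs.append(m)
    summary = {}
    for m in avcs:  # resolve after the loop: SYSCALL records follow their AVC
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "comms": set(), "enforced": None})
        entry["perms"].update(m["perms"].split())
        entry["comms"].add(m["comm"])
        succeeded = syscalls.get(m["serial"])
        if succeeded is not None:
            entry["enforced"] = not succeeded
    return summary


def draft_allow_rules(summary):
    """Render one audit2allow-style allow rule per triple, tagged with the mode seen.

    A rule is a starting point for review only: a leaked descriptor (as Dan
    describes for the iptables case) or a mislabelled file (the npviewer case)
    is better fixed by a dontaudit rule or by restorecon than by allowing it.
    """
    lines = []
    for (src, tgt, cls), e in sorted(summary.items()):
        perms = " ".join(sorted(e["perms"]))
        mode = "enforced (syscall failed)" if e["enforced"] else "permissive (syscall succeeded)"
        lines.append(f"# {', '.join(sorted(e['comms']))}: {mode}")
        lines.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(draft_allow_rules(parse_audit(SAMPLE_AUDIT)))
```

Run it as-is, or feed it `ausearch -m AVC,SYSCALL` output instead of the embedded sample; the serial-number pairing is what distinguishes a permissive-mode log entry from a real failure, which is the first thing to check before filing or allowing anything.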
From 304702903 at qq.com Tue Dec 2 09:21:24 2008
From: 304702903 at qq.com (wk)
Date: Tue, 2 Dec 2008 17:21:24 +0800
Subject: How can i call a function which is usually used by root?

I want to write a C program, and a common user (not in the root group) will run this program. In this program I call fread(/dev/sdc...) and fwrite(/dev/sdc), but this call returns "permission no allow". If I use the root user, it will be OK. How do I change the authority to root's?

I know the root's password.

From tony.molloy at ul.ie Tue Dec 2 09:39:16 2008
From: tony.molloy at ul.ie (Tony Molloy)
Date: Tue, 2 Dec 2008 09:39:16 +0000
Subject: iptables denials on Centos
Message-ID: <200812020939.16564.tony.molloy@ul.ie>

Hi,

I'm running several fully updated CentOS 5.2 servers and am trying to get all the SELinux denials sorted out.

Here are two of the ones that I've got left. I can generate local policy to allow these, but is that the best way? The full sealert messages have been cut.

1. SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t). For complete SELinux messages, run sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597

[root at garryowen ~]# sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597

Summary:

SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this
...

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
...

Additional Information:

Source Context                system_u:system_r:iptables_t
Target Context                system_u:system_r:initrc_t
Target Objects                socket [ packet_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port
Host                          garryowen.xx.xx.xx
Source RPM Packages           iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     garryowen.xx.xx.xx
Platform                      Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5

Raw Audit Messages

host=garryowen.xx.xx.xx type=AVC msg=audit(1227684250.838:20268): avc: denied { read write } for pid=22829 comm="iptables" path="socket:[18015]" dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket

host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1227684250.838:20268): arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610 a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)

2. SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t). For complete SELinux messages, run sealert -l 879c2152-44ee-4594-96c6-96716fda722b

[root at garryowen ~]# sealert -l 879c2152-44ee-4594-96c6-96716fda722b

Summary:

SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this
...

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
...

Additional Information:

Source Context                root:system_r:iptables_t
Target Context                system_u:system_r:crond_t:SystemLow-SystemHigh
Target Objects                pipe [ fifo_file ]
Source                        iptables
Source Path                   /sbin/iptables
Port
Host                          garryowen.xx.xx.xx
Source RPM Packages           iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     garryowen.xx.xx.xx
Platform                      Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5

Raw Audit Messages

host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied { read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs ino=1462004 scontext=root:system_r:iptables_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied { write } for pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs ino=1462005 scontext=root:system_r:iptables_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1228007101.709:31231): arch=40000003 syscall=11 success=yes exit=0 a0=9985ab8 a1=9985698 a2=996d5d0 a3=0 items=0 ppid=14416 pid=14428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5147 comm="iptables" exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)

Thanks,

Tony

From sundaram at fedoraproject.org Tue Dec 2 10:44:48 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Tue, 02 Dec 2008 16:14:48 +0530
Subject: installing xine from source yields lots of selinux denials
In-Reply-To: <365293.22617.qm@web52612.mail.re2.yahoo.com>
References: <365293.22617.qm@web52612.mail.re2.yahoo.com>
Message-ID: <493511A0.40703@fedoraproject.org>

Antonio Olivares wrote:
> Dear all,
>
> Trying to install xine-lib from source *to put in the missing pieces* gives selinux denials with chcon

It would be much simpler to install xine-lib-extras from rpmfusion.

Rahul

From olivares14031 at yahoo.com Tue Dec 2 12:50:34 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 2 Dec 2008 04:50:34 -0800 (PST)
Subject: installing xine from source yields lots of selinux denials
In-Reply-To: <493511A0.40703@fedoraproject.org>
Message-ID: <444526.81201.qm@web52611.mail.re2.yahoo.com>

--- On Tue, 12/2/08, Rahul Sundaram wrote:

> From: Rahul Sundaram
> Subject: Re: installing xine from source yields lots of selinux denials
> To: olivares14031 at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Tuesday, December 2, 2008, 2:44 AM
> Antonio Olivares wrote:
> > Dear all,
> >
> > Trying to install xine-lib from source *to put in the
> missing pieces* gives selinux denials with chcon
>
> It would be much simpler to install xine-lib-extras from
> rpmfusion.
>
> Rahul

Done!!! I got it from rpmfusion.

Regards,

Antonio

From olivares14031 at yahoo.com Tue Dec 2 12:59:16 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 2 Dec 2008 04:59:16 -0800 (PST)
Subject: SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699
Message-ID: <445171.68759.qm@web52607.mail.re2.yahoo.com>

Dear fellow selinux experts,

Net avc for npviewer :(

Summary:

SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699 (tmpfs_t).

Detailed Description:

SELinux denied access requested by npviewer.bin. It is not expected that this access is required by npviewer.bin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./pulse-shm-4180703699,

restorecon -v './pulse-shm-4180703699'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:tmpfs_t:s0
Target Objects                ./pulse-shm-4180703699 [ file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port
Host                          riohigh
Source RPM Packages           nspluginwrapper-1.1.4-1.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Tue 02 Dec 2008 06:57:09 AM CST
Last Seen                     Tue 02 Dec 2008 06:57:09 AM CST
Local ID                      c049e765-9d3b-4384-927a-19797fb78d8d
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1228222629.565:217): avc: denied { read } for pid=4625 comm="npviewer.bin" name="pulse-shm-4180703699" dev=tmpfs ino=36988 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file

node=riohigh type=SYSCALL msg=audit(1228222629.565:217): arch=40000003 syscall=5 success=no exit=-13 a0=bfda08d0 a1=a0000 a2=0 a3=bfda08d0 items=0 ppid=4427 pid=4625 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=13 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

I try the fix and I get:

[olivares at riohigh ~]$ su -
Password:
[root at riohigh ~]# restorecon -v './pulse-shm-4180703699'
restorecon: stat error on ./pulse-shm-4180703699: No such file or directory
[root at riohigh ~]#

Thanks,

Antonio

From serue at us.ibm.com Tue Dec 2 15:31:54 2008
From: serue at us.ibm.com (Serge E. Hallyn)
Date: Tue, 2 Dec 2008 09:31:54 -0600
Subject: How can i call a function which is usually used by root?
Message-ID: <20081202153153.GB9225@us.ibm.com>

Quoting wk (304702903 at qq.com):
> I want write a c program.And a common user(not in root group) will run this program.
> In this program,I call fread(/dev/sdc...) and fwrite(/dev/sdc),but this call will return "permission no allow".If I use the root user,will be ok.
> How to change to the authority to root's?
>
> I know the root's password.

Offhand I suspect what you need is CAP_SYS_RAWIO (maybe CAP_SYS_ADMIN). But I don't know how your program is designed, so am not sure how to best give your program that privilege:

1. Make the program setuid root, have it immediately switch to nonroot and keep root in your saved uid so you can move it back to euid when you need to write /dev/sdc. (man setresuid)

2. Put CAP_SYS_RAWIO in fP (or fI if you can put it in the calling user's pI), then have your program put the capability into pE just when it needs to write to /dev/sdc. (man 7 capabilities)

3. Write a separate minimal partially privileged helper program which answers requests by your main program. Then you could use selinux to enforce an assured pipeline to prevent anyone else using the helper. (google privilege separation)

-serge

From bob at lorez.org Tue Dec 2 17:05:38 2008
From: bob at lorez.org (Bob Richmond)
Date: Tue, 02 Dec 2008 09:05:38 -0800
Subject: spamc / spamd communication problem
Message-ID: <49356AE2.9000809@lorez.org>

I'm trying to make spamd listen on a unix domain socket, and let spamc connect to it. The question is, I can't figure out the intended destination for the spamd socket file (as specified via --socketpath passed to spamd and -U to spamc).

I see that spamc_t has permission to connect to a socket with a type of spamd_tmp_t, but there doesn't appear to be an fc rule for where a new socket file would inherit that type. It makes sense to me that the socket file should exist in /var/run/spamassassin/spamd.sock to be consistent, but /var/run/spamassassin has a type of spamd_var_run_t, where spamc has no permission to connect to a sock_file under.

Any help? I'm running F10, policy version selinux-policy-targeted-3.5.13-18.fc10.

Thanks!

From dwalsh at redhat.com Tue Dec 2 20:25:38 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Dec 2008 15:25:38 -0500
Subject: preventing unconfined users exec in home and tmp
In-Reply-To: <492CA51F.1000002@redhat.com>
References: <492CA254.30808@redhat.com> <492CA51F.1000002@redhat.com>
Message-ID: <493599C2.2060308@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Murray McAllister wrote:
> Murray McAllister wrote:
>> Hi,
>>
>> I have turned "allow_unconfined_exec_content" off, but unconfined
>> users (unconfined_u) can still execute files in their home directories
>> and /tmp/.
>>
>> I tried adding a user with "useradd -Z unconfined_u". This user can
>> still execute. I could not find any dontaudit rules.
>>
>> Am I missing something?
> I am running Fedora release 10 (Cambridge):
>
> selinux-policy-targeted-3.5.13-18.fc10.noarch
> selinux-policy-3.5.13-18.fc10.noarch
> selinux-policy-doc-3.5.13-18.fc10.noarch
> libselinux-utils-2.0.73-1.fc10.i386
> libselinux-python-2.0.73-1.fc10.i386
> libselinux-2.0.73-1.fc10.i386
> policycoreutils-2.0.57-11.fc10.i386
>
> Cheers.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Yes, this boolean really should not exist. It is caused by calling an interface that allows PARAM to execute user_home_t, but unconfined_t can already execute any file on the system, so the boolean has no effect.
The boolean only works for confined users.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1mcIACgkQrlYvE4MpobNI9gCglCtb/KiWAJGUW5Batvngsf3e
dQQAnRsPCndAvOw7o3ADhFL89qZq3fDI
=rUbd
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Tue Dec 2 20:28:16 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Dec 2008 15:28:16 -0500
Subject: Setroubleshootd on FC8 has a major memory leak
In-Reply-To: <492FAAB2.4090205@o2.pl>
References: <492FAAB2.4090205@o2.pl>
Message-ID: <49359A60.4050605@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

spo wrote:
> Hello,
>
> after 9 days of running it used over 2G (virt, rss ~1G).
>
> Greetings,
> Edek

Try this.

# service setroubleshoot stop
# >/var/lib/setroubleshoot/audit_listener_database.xml
# service setroubleshoot start

I think your problem is the xml database has grown too large. Newer versions of setroubleshoot only allow 50 AVCs.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1mmAACgkQrlYvE4MpobOXPQCg0SN2R317vRM0hYOD5eb7RbCV
HGcAoJnDjUJgWY3xy7q6Pz3IASUiHNXD
=bfgP
-----END PGP SIGNATURE-----

From konrad.azzopardi at gmail.com Tue Dec 2 20:20:41 2008
From: konrad.azzopardi at gmail.com (Konrad Azzopardi)
Date: Tue, 2 Dec 2008 21:20:41 +0100
Subject: Problem with restorecon
In-Reply-To: <20081201230303.GB30102@wolff.to>
References: <20081201230303.GB30102@wolff.to>

Believe it or not, a reboot fixed it, and this is not windows :)

On Tue, Dec 2, 2008 at 12:03 AM, Bruno Wolff III wrote:
> On Mon, Dec 01, 2008 at 23:47:04 +0100,
> Konrad Azzopardi wrote:
>>
>> I cannot get rid of initrc_exec_t. Although my script is still
>> confined correctly, I would like to label this file normally, is there
>> a reason why restorecon fails ?
>
> My guess would be that the last matching rule for /etc/init.d/yule is not
> the one you have shown.
> As far as I can tell the management of rules for restorecon is not complete
> as there isn't any easy way to order the rules.
> For add on rules you can delete existing ones and re-add them to put them
> at the end of the list. That is a pain.
>
> I don't think a list of re's matching complete paths that is order dependent
> is the best way to solve this problem. I think it would be better to have
> something that matched the tree structure of the file system.
>

From dwalsh at redhat.com Tue Dec 2 20:49:19 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Dec 2008 15:49:19 -0500
Subject: Problem with restorecon
Message-ID: <49359F4F.2090907@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konrad Azzopardi wrote:
> Hi people,
>
> i have the following policy version installed
> selinux-policy-3.3.1-107.fc9.noarch
> selinux-policy-devel-3.3.1-107.fc9.noarch
> selinux-policy-targeted-3.3.1-107.fc9.noarch
>
> I create an Selinux policy and generated the following filecontexts
>
> [root at MALTA konsu]# semanage fcontext -l | grep yule
> /etc/init.d/yule                regular file    system_u:object_r:yule_script_exec_t:s0
> /var/run/yule.pid               regular file    system_u:object_r:yule_var_run_t:s0
> /var/log/yule(/.*)?             regular file    system_u:object_r:yule_log_t:s0
> /var/lib/yule(/.*)?             regular file    system_u:object_r:yule_var_lib_t:s0
> /etc/yulerc                     regular file    system_u:object_r:yule_config_t:s0
> /usr/local/sbin/yule            regular file    system_u:object_r:yule_exec_t:s0
>
> Allt he files seems to become labelled normally as expected except
> /etc/init.d/yule
>
> [root at MALTA konsu]# restorecon -R -v /etc/init.d/yule
> [root at MALTA konsu]# ls -lrtZ /etc/init.d/yule
> -rwx------ root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/yule
>
> I cannot get rid of initrc_exec_t. Although my script is still
> confined correctly, I would like to label this file normally, is there
> a reason why restorecon fails ?
>
> many thanks
> konrad

Make sure you escape the "."s. The regular expression matching does not always work as expected.

/etc/init\.d/yule    regular file    system_u:object_r:yule_script_exec_t:s0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1n08ACgkQrlYvE4MpobM2wwCePyFIGH8o2ZstmxdYFJ5eXE2r
vFIAoKv7XAslgUGEs0Rc27TnLMFPBzs0
=Q+CX
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Tue Dec 2 20:50:24 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Dec 2008 15:50:24 -0500
Subject: interface file
Message-ID: <49359F90.1060402@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konrad Azzopardi wrote:
> hi there,
>
> A simple question - if i want to create some interface like
> corenet_tcp_connect_yule_port(), would it be ok to put it in the
> interface file cause i saw a lot of similar macros depracated inside
> the interface files ?. If it is not the right place, would the
> corenetwork.if.in be the right place ? what is the best way to go
> about it ?
tnx a lot > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Usually these rules go into the upstream package. So I would submit your package for upstream acceptance, but you can put any interface into the if file. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkk1n5AACgkQrlYvE4MpobOMaQCfVHHCuCt+ebQNO8kJSdOEkUJ1 bPEAn2L6q6vSSHe9kYnoi047ptqWYxL+ =Fh1Z -----END PGP SIGNATURE----- From dwalsh at redhat.com Tue Dec 2 20:52:28 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 02 Dec 2008 15:52:28 -0500 Subject: nspluginwrapper and .PDF files In-Reply-To: <1004742961.34811228170729642.JavaMail.root@waste2.aegislawgroup.com> References: <1004742961.34811228170729642.JavaMail.root@waste2.aegislawgroup.com> Message-ID: <4935A00C.5090302@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul C. Rauser wrote: > Over the past several days, I have begin to experiment with enabling the allow_unconfined_nsplugin_transition boolean in a F10 test environment. > > One of the most consistent demands from my test users/potential security threats is the ability to open .PDF files. Using mozplugger to do this launches evince, which throws AVCs all over and is probably undesirable anyway for the reasons listed in Dan Walsh's Nov 4 blog post on http://danwalsh.livejournal.com/ > > On the other hand, removing mozplugger and using the Adobe Acrobat 8.1.3 Firefox plugin throws lots of AVCs of its own -- and even more when doing things like printing -- and thus may not be the way to go. > > If allow_unconfined_nsplugin_transition is to be useful in user land, it seems that the boolean should allow .PDF opening/saving/printing out of the box using either evince or Adobe's reader. 
I am happy to bugzilla the AVCs for one or the other and help with testing -- any preference in the community for which one? > > > > Paul C. Rauser > ?gis law group LLP > 901 F Street, N.W. > Suite 500 > > Washington, D.C. 20004 > T: 202 737 3375 > F: 202 737 3330 > E: prauser at aegislawgroup.com > > NOTICE: This communication from Aegis Law Group LLP may contain information that is legally privileged, confidential, or exempt from disclosure. If you are not the intended recipient, please note that any disclosure, copying, distribution, or use of the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by return e-mail and delete all copies. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Make sure your home directory is properly labeled and install the latest selinux policy. selinux-policy-3.5.13-26 # yum upgrade selinux-policy\* --enablerepo=updates-testing # restorecon -R -v /home -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkk1oAwACgkQrlYvE4MpobOw3QCfbqFd/HMm3xMIRSoluXuAhexM 6v0AniFlrcR/+fOy1SkbvBoLjh8H4G94 =eCmI -----END PGP SIGNATURE----- From dwalsh at redhat.com Tue Dec 2 20:56:05 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 02 Dec 2008 15:56:05 -0500 Subject: iptables denials on Centos In-Reply-To: <200812020939.16564.tony.molloy@ul.ie> References: <200812020939.16564.tony.molloy@ul.ie> Message-ID: <4935A0E5.3060701@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tony Molloy wrote: > Hi, > > I'm running several fully updated CentOS 5.2 servers and am trying to get all > the SELinux denials sorted out. > > Here are two of the ones that I've got left. I can generate local policy to > allow these but is that the best way. 
The full sealert messages have been > cut. > > > 1. SELinux is preventing iptables (iptables_t) "read write" to socket > (initrc_t). For complete SELinux messages. run sealert -l > 80760bb0-da8f-4fe8-855a-1cfc5789a597 > This is most likely a leaked file descriptor from the tool that is launching iptables, you can safely add this > [root at garryowen ~]# sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597 > > Summary: > > SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t). > > Detailed Description: > > SELinux denied access requested by iptables. It is not expected that this > ... > > Allowing Access: > You can generate a local policy module to allow this access - see FAQ > ... > > Additional Information: > > Source Context system_u:system_r:iptables_t > Target Context system_u:system_r:initrc_t > Target Objects socket [ packet_socket ] > Source iptables > Source Path /sbin/iptables > Port > Host garryowen.xx.xx.xx > Source RPM Packages iptables-1.3.5-4.el5 > Target RPM Packages > Policy RPM selinux-policy-2.4.6-137.1.el5 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name catchall > Host Name garryowen.xx.xx.xx > Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5 > > Raw Audit Messages > > host=garryowen.xx.xx.xx type=AVC msg=audit(1227684250.838:20268): avc: denied > { read write } for pid=22829 comm="iptables" path="socket:[18015]" > dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0 > tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket > > host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1227684250.838:20268): > arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610 > a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" > exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null) > > > 2. 
SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t). For > complete SELinux messages. run sealert -l > 879c2152-44ee-4594-96c6-96716fda722b > > [root at garryowen ~]# sealert -l 879c2152-44ee-4594-96c6-96716fda722b > > Summary: > > SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t). > > Detailed Description: > > SELinux denied access requested by iptables. It is not expected that this > ... > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > ... > > Additional Information: > > Source Context root:system_r:iptables_t > Target Context system_u:system_r:crond_t:SystemLow-SystemHigh > Target Objects pipe [ fifo_file ] > Source iptables > Source Path /sbin/iptables > Port > Host garryowen.xx.xx.xx > Source RPM Packages iptables-1.3.5-4.el5 > Target RPM Packages > Policy RPM selinux-policy-2.4.6-137.1.el5 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name catchall > Host Name garryowen.xx.xx.xx > Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5 > > Raw Audit Messages > > host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied > { read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs > ino=1462004 scontext=root:system_r:iptables_t:s0 > tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file > > host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied > { write } for pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs > ino=1462005 scontext=root:system_r:iptables_t:s0 > tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file > > host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1228007101.709:31231): > arch=40000003 syscall=11 success=yes exit=0 a0=9985ab8 a1=9985698 a2=996d5d0 > a3=0 items=0 ppid=14416 pid=14428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=(none) ses=5147 comm="iptables" > exe="/sbin/iptables" 
subj=root:system_r:iptables_t:s0 key=(null) > > > Thanks, > > Tony > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list This is also a leaked file descriptor which can be added. You should grab the latest preview selinux-policy selinux-policy-2.4.6-197.el5 for RHEL5.3 and try it out, it has lots of fixes. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkk1oOUACgkQrlYvE4MpobM5+ACglHd6Oiag5uR7maY9CpDSNJMd UCEAnRtRSwjGNA5cEkNK3sLavhSrWrZa =zWKP -----END PGP SIGNATURE----- From dwalsh at redhat.com Tue Dec 2 21:17:13 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 02 Dec 2008 16:17:13 -0500 Subject: SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699 In-Reply-To: <445171.68759.qm@web52607.mail.re2.yahoo.com> References: <445171.68759.qm@web52607.mail.re2.yahoo.com> Message-ID: <4935A5D9.3090004@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antonio Olivares wrote: > Dear fellow selinux experts, > > Net avc for npviewer :( > > > Summary: > > SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699 > (tmpfs_t). > > Detailed Description: > > SELinux denied access requested by npviewer.bin. It is not expected that this > access is required by npviewer.bin and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > Sometimes labeling problems can cause SELinux denials. You could try to restore > the default system file context for ./pulse-shm-4180703699, > > restorecon -v './pulse-shm-4180703699' > > If this does not work, there is currently no automatic way to allow this access. 
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
> Target Context                unconfined_u:object_r:tmpfs_t:s0
> Target Objects                ./pulse-shm-4180703699 [ file ]
> Source                        npviewer.bin
> Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
> Port
> Host                          riohigh
> Source RPM Packages           nspluginwrapper-1.1.4-1.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.27.5-117.fc10.i686 #1 SMP Tue
>                               Nov 18 12:19:59 EST 2008 i686 athlon
> Alert Count                   1
> First Seen                    Tue 02 Dec 2008 06:57:09 AM CST
> Last Seen                     Tue 02 Dec 2008 06:57:09 AM CST
> Local ID                      c049e765-9d3b-4384-927a-19797fb78d8d
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1228222629.565:217): avc: denied { read } for pid=4625 comm="npviewer.bin" name="pulse-shm-4180703699" dev=tmpfs ino=36988 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
>
> node=riohigh type=SYSCALL msg=audit(1228222629.565:217): arch=40000003 syscall=5 success=no exit=-13 a0=bfda08d0 a1=a0000 a2=0 a3=bfda08d0 items=0 ppid=4427 pid=4625 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=13 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
>
>
> I try the fix and I get:
>
> [olivares at riohigh ~]$ su -
> Password:
> [root at riohigh ~]# restorecon -v './pulse-shm-4180703699'
>
> restorecon: stat error on ./pulse-shm-4180703699: No such file or directory
> [root at riohigh ~]#
>
> Thanks,
>
> Antonio

This one has me baffled, on how you created this file. This file should be labeled user_tmpfs_t, in which case nsplugin would have been allowed to use it, but for some reason it got created with the incorrect context.

Could you try to upgrade to the latest policy and see if this still happens?

I tried an experiment as the unconfined user

# mount -t tmpfs_t /dev/shm /mnt
# ls -ldZ /mnt/redhat/
drwxrwxrwt root root staff_u:object_r:tmpfs_t:s0 /mnt/redhat/
# touch /mnt/redhat/test
# ls -lZ /mnt/redhat/test
-rw-r--r-- root root staff_u:object_r:user_tmpfs_t:s0 /mnt/redhat/test

Which is what pulseaudio should have done.

Could you check what context pulseaudio is running with

# ps -eZ | grep pulse

From dwalsh at redhat.com Tue Dec 2 21:21:41 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Dec 2008 16:21:41 -0500
Subject: selinux denying a cups printer
In-Reply-To: <200811281206.31640.gene.heskett@verizon.net>
References: <200811281206.31640.gene.heskett@verizon.net>
Message-ID: <4935A6E5.4010901@redhat.com>

Gene Heskett wrote:
> Greetings;
>
> Uptodate F8, targeted setting
>
> host=coyote.coyote.den type=AVC msg=audit(1227891049.940:679): avc: denied {
> execute } for pid=6486 comm="cupsd" name="lp3" dev=sda3 ino=104400725
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
>
> host=coyote.coyote.den
> type=SYSCALL msg=audit(1227891049.940:679):
> arch=40000003 syscall=33 success=no exit=-13 a0=bff13656 a1=1 a2=b7f17ff4
> a3=b7f18a3c items=0 ppid=6485 pid=6486 auid=0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd"
> exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> key=(null)
>
> The troubleshooter's recommended fix is a restorecon -v './lp3'
>
> The only ./lp3 I could find was in /etc/cups.d/interfaces/lp3, and while it
> did change the context of the file, it does not fix the problem. This
> particular driver ppd is the lpr and cupswrapper of the HL2140 driver kit
> from Brother, and apparently is installed in a /usr/local/Brother subdir by
> their rpms.
>
> All this did work flawlessly before I had a drive failure, and it worked after
> an Fu8 install, but failed sometime in the nearly 2 weeks uptime, as did all
> my other printer profiles, which I have now deleted and rebuilt, and work
> except for this one.
>
> I am going to try touching /.autorelabel and reboot again to see if that helps.
> However, nothing happened the last time I tried that 2 weeks ago...

grep interfaces /etc/selinux/targeted/contexts/files/file_contexts
/etc/cups/interfaces(/.*)?	system_u:object_r:cupsd_interface_t:s0

chcon -t cupsd_interface_t /etc/cups.d/interfaces/lp3

Should fix it.
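The replies in this thread sort AVC denials three different ways: the iptables/crond pipe is a leaked file descriptor, the cups lp3 file is mislabeled (compare the live label against the file_contexts rule, then restorecon or chcon), and anything else needs a policy change. The script below is an added example, not code from the thread or from the SELinux tools, that applies those same checks to audit lines copied from the messages above; the two non-cups entries in FILE_CONTEXTS, the KNOWN_PATHS map, the category names and the classification rules are assumptions made for the example.

```python
"""Triage SELinux AVC denials the way the replies in this thread do:
inherited (leaked) fd, mislabeled file, or a genuine policy gap."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed mini file_contexts table.  The cups entry is the one quoted from
# /etc/selinux/targeted/contexts/files/file_contexts in the thread; the other
# two are assumed so the "last matching entry wins" lookup has less specific
# rules to override.
FILE_CONTEXTS = [
    (r"/etc(/.*)?", "system_u:object_r:etc_t:s0"),
    (r"/etc/cups(/.*)?", "system_u:object_r:cupsd_etc_t:s0"),
    (r"/etc/cups/interfaces(/.*)?", "system_u:object_r:cupsd_interface_t:s0"),
]

# Constructed: where the admin located a file the AVC names only by basename
# (Gene's lp3), standing in for what you would find by hand.
KNOWN_PATHS = {"lp3": "/etc/cups/interfaces/lp3"}

# Audit lines copied from the messages above, plus one SYSCALL record to show
# that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1228007101.709:31231): avc: denied { read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs ino=1462004 scontext=root:system_r:iptables_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1227891049.940:679): avc: denied { execute } for pid=6486 comm="cupsd" name="lp3" dev=sda3 ino=104400725 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1228007101.709:31231): arch=40000003 syscall=11 success=yes exit=0 comm="iptables" exe="/sbin/iptables"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AVC record plus a sorted perm list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {key: quoted or bare for key, quoted, bare in TOKEN_RE.findall(m.group(2))}
    fields["perms"] = " ".join(sorted(m.group(1).split()))
    return fields


def split_context(ctx: str) -> Tuple[str, str, str]:
    """user:role:type[:range] -> (user, role, type); the MLS range is dropped."""
    user, role, typ = ctx.split(":", 3)[:3]
    return user, role, typ


def expected_type(path: str) -> Optional[str]:
    """Type the file_contexts rules assign to a full path (last matching entry wins)."""
    context = None
    for pattern, ctx in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            context = ctx
    return split_context(context)[2] if context else None


def triage(fields: Dict[str, str], path: str) -> Tuple[str, str]:
    """Classify one parsed AVC record; path is the full path when it is known."""
    stype = split_context(fields["scontext"])[2]
    trole, ttype = split_context(fields["tcontext"])[1:]
    tclass = fields.get("tclass", "")

    # A pipe labelled with a *process* domain (role is not object_r) was created
    # by another process and inherited across exec: the leaked fd Dan describes.
    if tclass == "fifo_file" and (trole != "object_r" or path.startswith("pipe:[")):
        return ("inherited_fd",
                f"{stype} inherited a pipe from {ttype}; needs a policy fix "
                f"(or close-on-exec in the parent), not a relabel")

    # With a full path we can compare the live label against file_contexts.
    if path.startswith("/"):
        want = expected_type(path)
        if want and want != ttype:
            return ("mislabeled",
                    f"restorecon -v {path}  (expected {want}, found {ttype})")

    return ("policy_gap",
            f"{stype} needs {{ {fields['perms']} }} on {ttype}:{tclass}; "
            f"check with audit2allow -w, then report it or build a reviewed module")


def triage_log(text: str, known_paths: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Triage every AVC record in an audit log; returns (comm, category, advice)."""
    results = []
    for line in text.splitlines():
        fields = parse_avc(line)
        if fields is None:  # SYSCALL and other record types are skipped
            continue
        path = fields.get("path") or known_paths.get(fields.get("name", ""), "")
        category, advice = triage(fields, path)
        results.append((fields.get("comm", "?"), category, advice))
    return results


if __name__ == "__main__":
    for comm, category, advice in triage_log(SAMPLE_AUDIT_LOG, KNOWN_PATHS):
        print(f"{comm:<16} {category:<13} {advice}")
```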
From dwalsh at redhat.com Tue Dec 2 21:32:36 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Dec 2008 16:32:36 -0500
Subject: spamc / spamd communication problem
In-Reply-To: <49356AE2.9000809@lorez.org>
References: <49356AE2.9000809@lorez.org>
Message-ID: <4935A974.1070404@redhat.com>

Bob Richmond wrote:
> I'm trying to make spamd listen on a unix domain socket, and let spamc
> connect to it. The question is, I can't figure out the intended
> destination for the spamd socket file (as specified via --socketpath
> passed to spamd and -U to spamc). I see that spamc_t has permission to
> connect to a socket with a type of spamd_tmp_t, but there doesn't appear
> to be an fc rule for where a new socket file would inherit that type.
>
> It makes sense to me that the socket file should exist in
> /var/run/spamassassin/spamd.sock to be consistent, but
> /var/run/spamassassin has a type of spamd_var_run_t, where spamc has no
> permission to connect to a sock_file under. Any help?
>
> I'm running F10, policy version selinux-policy-targeted-3.5.13-18.fc10.
>
> Thanks!

Currently it is only allowed to connect to a sock file in /tmp, although it should be allowed to use /var/run/spamassassin.
I will update policy.

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-29.fc10

From niftyfedora at niftyegg.com Wed Dec 3 00:20:33 2008
From: niftyfedora at niftyegg.com (Nifty Fedora Mitch)
Date: Tue, 2 Dec 2008 16:20:33 -0800
Subject: How can i call a function which is usually used by root?
In-Reply-To:
References:
Message-ID: <20081203002033.GA4382@compegg.wr.niftyegg.com>

On Tue, Dec 02, 2008 at 05:21:24PM +0800, wk wrote:
>
> I want to write a C program, and a common user (not in the root group) will run
> this program.
> In this program, I call fread(/dev/sdc...) and fwrite(/dev/sdc), but this
> call will return "permission no allow". If I use the root user, it will be
> ok.
> How to change the authority to root's?
> I know the root's password.

Your best bet is "sudo" or better look at the pairs of tools like:

/usr/bin/system-config-bind
/usr/sbin/system-config-bind

They take advantage of "consolehelper" and the common case that /usr/sbin is not in the search path of common users but /usr/bin is.

Note well, from the man page:

    consolehelper requires that a PAM configuration for every managed program
    exist. So to make /sbin/foo or /usr/sbin/foo managed, you need to create a
    link from /usr/bin/foo to /usr/bin/consolehelper and create the file
    /etc/pam.d/foo, normally using the pam_console(8) PAM module.

--
T o m   M i t c h e l l
Found me a new hat, now what?
From olivares14031 at yahoo.com Thu Dec 4 00:54:06 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 3 Dec 2008 16:54:06 -0800 (PST)
Subject: selinux is denying iptables still :(
Message-ID: <668326.83189.qm@web52609.mail.re2.yahoo.com>

Dear fellow selinux experts,

selinux is still denying iptables :(

type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

It also interferes with the booting of the newer kernel, with many messages denying stuff with Permission denied.

I'm just reporting this. I have this machine running rawhide and it was also to serve as a mini-dhcp server to get internet to the machines in the classroom. I got help from fedora-list to get the correct file and all, but selinux is denying this, and I have to keep trying to get it right, and for other people it just works.

Thanks,

Antonio

From dwalsh at redhat.com Thu Dec 4 13:53:48 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 04 Dec 2008 08:53:48 -0500
Subject: selinux is denying iptables still :(
In-Reply-To: <668326.83189.qm@web52609.mail.re2.yahoo.com>
References: <668326.83189.qm@web52609.mail.re2.yahoo.com>
Message-ID: <4937E0EC.7070209@redhat.com>

Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> selinux is still denying iptables :(
>
> type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>
> It also interferes with the booting of the newer kernel, with many messages denying stuff with Permission denied.
>
> I'm just reporting this. I have this machine running rawhide and it was also to serve as a mini-dhcp server to get internet to the machines in the classroom. I got help from fedora-list to get the correct file and all, but selinux is denying this, and I have to keep trying to get it right, and for other people it just works.
>
> Thanks,
>
> Antonio

What policy are you seeing this with?

In F10 policy selinux-policy-3.5.13-26.fc10.noarch

I get

# audit2allow -w -i /tmp/t
type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> >
> > It also interferes with the booting of the newer kernel, with many
> > messages denying stuff with Permission denied.
> >
> > I'm just reporting this. I have this machine running rawhide and it was
> > also to serve as a mini-dhcp server to get internet to the machines in the
> > classroom. I got help from fedora-list to get the correct file and all,
> > but selinux is denying this, and I have to keep trying to get it right,
> > and for other people it just works.
> >
> > Thanks,
> >
> > Antonio
>
> What policy are you seeing this with?

[olivares at localhost ~]$ rpm -qa selinux-policy*
selinux-policy-3.6.1-1.fc11.noarch
selinux-policy-targeted-3.5.13-26.fc10.noarch
selinux-policy-targeted-3.6.1-1.fc11.noarch

> In F10 policy selinux-policy-3.5.13-26.fc10.noarch
>
> I get
>
> # audit2allow -w -i /tmp/t
> type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351
> comm="ip6tables-resto" path="/0" dev=devpts ino=2
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> 	Was caused by:
> 		Unknown - would be allowed by active policy
> 		Possible mismatch between this policy and the one under which the
> 		audit message was generated.
>
> 		Possible mismatch between current in-memory boolean settings vs.
> 		permanent ones.
From dwalsh at redhat.com Thu Dec 4 14:00:17 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 04 Dec 2008 09:00:17 -0500
Subject: selinux is denying iptables still :(
In-Reply-To: <592669.14319.qm@web52607.mail.re2.yahoo.com>
References: <592669.14319.qm@web52607.mail.re2.yahoo.com>
Message-ID: <4937E271.6060001@redhat.com>

Antonio Olivares wrote:
> --- On Thu, 12/4/08, Daniel J Walsh wrote:
>
>> From: Daniel J Walsh
>> Subject: Re: selinux is denying iptables still :(
>> To: olivares14031 at yahoo.com
>> Cc: fedora-selinux-list at redhat.com
>> Date: Thursday, December 4, 2008, 5:53 AM
>> Antonio Olivares wrote:
>>>> Dear fellow selinux experts,
>>>>
>>>> selinux is still denying iptables :(
>>>>
>>>> type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>>>> It also interferes with the booting of the newer kernel, with many messages denying stuff with Permission denied.
>>>> I'm just reporting this. I have this machine running rawhide and it was also to serve as a mini-dhcp server to get internet to the machines in the classroom. I got help from fedora-list to get the correct file and all, but selinux is denying this, and I have to keep trying to get it right, and for other people it just works.
>>>> Thanks,
>>>>
>>>> Antonio
>> What policy are you seeing this with?
>
> [olivares at localhost ~]$ rpm -qa selinux-policy*
> selinux-policy-3.6.1-1.fc11.noarch
> selinux-policy-targeted-3.5.13-26.fc10.noarch
> selinux-policy-targeted-3.6.1-1.fc11.noarch
>
>> In F10 policy selinux-policy-3.5.13-26.fc10.noarch
>>
>> I get
>>
>> # audit2allow -w -i /tmp/t
>> type=1400 audit(1228351277.178:4): avc: denied { write } for pid=1351 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>> 	Was caused by:
>> 		Unknown - would be allowed by active policy
>> 		Possible mismatch between this policy and the one under which the audit message was generated.
>>
>> 		Possible mismatch between current in-memory boolean settings vs. permanent ones.
>

Ok, fixed in selinux-policy-3.6.1-5.f11

From dwalsh at redhat.com Thu Dec 4 19:34:36 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 04 Dec 2008 14:34:36 -0500
Subject: browser_confine_xguest
In-Reply-To: <49344D90.8060307@grifent.com>
References: <49344D90.8060307@grifent.com>
Message-ID: <493830CC.7040907@redhat.com>

John Griffiths wrote:
> The name/usage of browser_confine_xguest is a bit confusing and
> system-config-selinux does not give any enlightenment.
>
> It may not even matter since I do not have xguest installed, but for academic
> purposes, does browser_confine_xguest confine the xguest to only browsing the
> localhost if it is on or off? Dan Walsh's journal seems to indicate that this
> should be on to allow browsing of the Internet by xguest, which would seem to be
> the opposite of confine.

Well in this case confine is probably a bad name.
Really this boolean defines whether or not xguest will transition to xguest_mozilla_t when running firefox.

"Confinement" is in the eye of the beholder. xguest_mozilla_t can not do as much on the local system as xguest_t, so it is more confined on the local system, but has more access to the network.

So I guess the boolean should be called transition. browser_transition_xguest probably would have been a better name, and boy do I wish we had a means of aliasing boolean names, since we picked so many bad ones over the years.

>
> This indicates whether the xguest account will transition to
> xguest_mozilla_t or not. If you turn this boolean on, xguest will be able
> to browse the web using firefox/mozilla. If you turn it off the account
> will only be allowed to run mozilla/firefox locally. You will not have any
> access to the net. -- http://danwalsh.livejournal.com/13376.html
>
> Am I just reading this wrong?
>
> Regards,
> John

From olivares14031 at yahoo.com Fri Dec 5 00:41:34 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 4 Dec 2008 16:41:34 -0800 (PST)
Subject: boot in permissive mode to boot 2.6.28-0.106.rc6.git4.fc11.i686
Message-ID: <478912.83755.qm@web52602.mail.re2.yahoo.com>

Dear fellow selinux experts,

Thanks to Tom London for the tip to boot the new kernel using enforcing=0. I see some denied avc's at startup:

SELinux: initialized (dev sda3, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Adding 1574328k swap on /dev/sda5.  Priority:-1 extents:1 across:1574328k
Adding 1540088k swap on /dev/mapper/VolGroup00-LogVol01.  Priority:-2 extents:1 across:1540088k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
type=1400 audit(1228436635.068:4): avc: denied { sys_tty_config } for pid=1536 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
ip6_tables: (C) 2000-2006 Netfilter Core Team
type=1400 audit(1228436636.405:5): avc: denied { write } for pid=1562 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
eth0: no IPv6 routers present
eth1: setting full-duplex.
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
Bluetooth: Core ver 2.13
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
Bluetooth: L2CAP ver 2.11
Bluetooth: L2CAP socket layer initialized
Bluetooth: BNEP (Ethernet Emulation) ver 1.3
Bluetooth: BNEP filters: protocol multicast
Bridge firewalling registered
Bluetooth: SCO (Voice Link) ver 0.6
Bluetooth: SCO socket layer initialized
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
eth1: no IPv6 routers present
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed
[the "SELinux: WARNING: inside open_file_mask_to_av with unknown mode:" line (modes c1ff, c1b6 and c1ed) repeats many more times in the original post; the repeats are omitted here]
SELinux: WARNING: inside
open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b0 SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: 
inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff fuse init (API version 7.10) SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: initialized (dev fuse, type fuse), uses genfs_contexts SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed SELinux: WARNING: inside open_file_mask_to_av with unknown 
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
[...]
type=1400 audit(1228436728.479:6): avc: denied { read open } for pid=3011 comm="kded4" name="Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=1400 audit(1228436728.500:7): avc: denied { lock } for pid=3011 comm="kded4" path="/home/olivares/.config/Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:a1ff
[...]
type=1400 audit(1228436734.312:8): avc: denied { search open } for pid=3018 comm="polkit-read-aut" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
type=1400 audit(1228436734.312:9): avc: denied { write } for pid=3018 comm="polkit-read-aut" name="system_bus_socket" dev=dm-0 ino=3276857 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=1400 audit(1228436734.312:10): avc: denied { connectto } for pid=3018 comm="polkit-read-aut" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
[...]
SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c180
type=1400 audit(1228436738.188:11): avc: denied { write } for pid=3009 comm="klauncher" name="gkrellm.desktop" dev=dm-0 ino=6161169 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
[...]
type=1400 audit(1228436768.597:12): avc: denied { read open } for pid=3092 comm="gkrellm" name="eth0" dev=dm-0 ino=6062973 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=1400 audit(1228436769.217:13): avc: denied { write } for pid=3092 comm="gkrellm" name="eth0" dev=dm-0 ino=6062973 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=1400 audit(1228436770.787:14): avc: denied { lock } for pid=3100 comm="python" path="/home/olivares/.config/Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
[...]
type=1400 audit(1228436860.935:15): avc: denied { write } for pid=3092 comm="gkrellm" name=".gkrellm2" dev=dm-0 ino=6062959 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=1400 audit(1228436860.935:16): avc: denied { add_name } for pid=3092 comm="gkrellm" name="user-config.new" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=1400 audit(1228436860.954:17): avc: denied { remove_name } for pid=3092 comm="gkrellm" name="user-config.new" dev=dm-0 ino=15368195 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
[...]
type=1400 audit(1228437353.337:18): avc: denied { read open } for pid=3525 comm="bash" name=".bash_history" dev=dm-0 ino=1507343 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1228437402.855:19): avc: denied { read open } for pid=3488 comm="konsole" name="Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
[...]

[root at localhost ~]# tail -f /var/log/messages
Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff
[...]
Dec 4 18:35:53 localhost kernel: type=1400 audit(1228437353.337:18): avc: denied { read open } for pid=3525 comm="bash" name=".bash_history" dev=dm-0 ino=1507343 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file

Hope this helps in some way if the policies have not been loaded. Thanks also to Mr.
Dan Walsh in the troubles with iptables and selinux:

[olivares at localhost ~]$ dmesg | grep 'iptables'
type=1400 audit(1228436636.405:5): avc: denied { write } for pid=1562 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

I hope this also gets fixed to get the dhcp server going :)

Regards,
Antonio

From dwalsh at redhat.com Fri Dec 5 14:18:56 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 05 Dec 2008 09:18:56 -0500
Subject: boot in permissive mode to boot 2.6.28-0.106.rc6.git4.fc11.i686
In-Reply-To: <478912.83755.qm@web52602.mail.re2.yahoo.com>
References: <478912.83755.qm@web52602.mail.re2.yahoo.com>
Message-ID: <49393850.3040601@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> Thanks to Tom London for the tip to boot the new kernel, using enforcing=0, I see some denied avc's at startup
>
> SELinux: initialized (dev sda3, type ext3), uses xattr
> SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
> Adding 1574328k swap on /dev/sda5. Priority:-1 extents:1 across:1574328k
> Adding 1540088k swap on /dev/mapper/VolGroup00-LogVol01. Priority:-2 extents:1 across:1540088k
> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> type=1400 audit(1228436635.068:4): avc: denied { sys_tty_config } for pid=1536 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
> NET: Registered protocol family 10
> lo: Disabled Privacy Extensions
> ip6_tables: (C) 2000-2006 Netfilter Core Team
> type=1400 audit(1228436636.405:5): avc: denied { write } for pid=1562 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> eth0: no IPv6 routers present
> eth1: setting full-duplex.
open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside 
open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside 
open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b0 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside 
open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > fuse init (API version 7.10) > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: initialized (dev fuse, type fuse), uses genfs_contexts > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > type=1400 audit(1228436728.479:6): avc: denied { read open } for pid=3011 comm="kded4" name="Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file > type=1400 audit(1228436728.500:7): avc: denied { lock } for pid=3011 comm="kded4" path="/home/olivares/.config/Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:a1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:a1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown 
mode:c1ff > type=1400 audit(1228436734.312:8): avc: denied { search open } for pid=3018 comm="polkit-read-aut" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > type=1400 audit(1228436734.312:9): avc: denied { write } for pid=3018 comm="polkit-read-aut" name="system_bus_socket" dev=dm-0 ino=3276857 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file > type=1400 audit(1228436734.312:10): avc: denied { connectto } for pid=3018 comm="polkit-read-aut" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c180 > type=1400 audit(1228436738.188:11): avc: denied { write } for pid=3009 comm="klauncher" name="gkrellm.desktop" dev=dm-0 ino=6161169 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with 
unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > type=1400 audit(1228436768.597:12): avc: denied { read open } for pid=3092 comm="gkrellm" name="eth0" dev=dm-0 ino=6062973 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file > type=1400 audit(1228436769.217:13): avc: denied { write } for pid=3092 comm="gkrellm" name="eth0" dev=dm-0 ino=6062973 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file > type=1400 audit(1228436770.787:14): avc: denied { lock } for pid=3100 comm="python" path="/home/olivares/.config/Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside 
open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside 
open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:a1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:a1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside 
open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > type=1400 audit(1228436860.935:15): avc: denied { write } for pid=3092 comm="gkrellm" name=".gkrellm2" dev=dm-0 ino=6062959 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir > type=1400 audit(1228436860.935:16): avc: denied { add_name } for pid=3092 comm="gkrellm" name="user-config.new" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir > type=1400 audit(1228436860.954:17): avc: denied { remove_name } for pid=3092 comm="gkrellm" name="user-config.new" dev=dm-0 ino=15368195 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=dir > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ed > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1fd > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside 
open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1b6 > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > type=1400 audit(1228437353.337:18): avc: denied { read open } for pid=3525 comm="bash" name=".bash_history" dev=dm-0 ino=1507343 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file > type=1400 audit(1228437402.855:19): avc: denied { read open } for pid=3488 comm="konsole" name="Trolltech.conf" dev=dm-0 ino=6064321 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > > > [root at localhost ~]# tail -f /var/log/messages > Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_av with unknown mode:c1ff > Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_avwith unknown mode:c1ff > Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_avwith unknown mode:c1ff > Dec 4 18:35:48 localhost kernel: SELinux: WARNING: inside open_file_mask_to_avwith unknown mode:c1ff > Dec 4 18:35:52 localhost kernel: SELinux: WARNING: inside open_file_mask_to_avwith unknown mode:c1b6 > Dec 4 18:35:53 localhost kernel: SELinux: WARNING: inside 
open_file_mask_to_avwith unknown mode:c1ff > Dec 4 18:35:53 localhost kernel: SELinux: WARNING: inside open_file_mask_to_avwith unknown mode:c1ff > Dec 4 18:35:53 localhost kernel: SELinux: WARNING: inside open_file_mask_to_avwith unknown mode:c1ff > Dec 4 18:35:53 localhost kernel: type=1400 audit(1228437353.337:18): avc: denied { read open } for pid=3525 comm="bash" name=".bash_history" dev=dm-0 ino=1507343 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file > > Hope this helps in some way if the policies have not been loaded. Thanks also to Mr. Dan Walsh in the troubles with iptables and selinux: > > [olivares at localhost ~]$ dmesg | grep 'iptables' > type=1400 audit(1228436636.405:5): avc: denied { write } for pid=1562 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file > > > I hope this also gets fixed to get the dhcp server going :) > > Regards, > > Antonio > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list All of these except consoletype should be in selinux-policy-3.6.1-6.fc11.noarch -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkk5OFAACgkQrlYvE4MpobNyjACg5oZkUUqCQqx1pE8Fenmehzsx 984AoNbViejgmggazD5pKxvjaE83amzX =whei -----END PGP SIGNATURE----- From eparis at redhat.com Fri Dec 5 14:28:04 2008 From: eparis at redhat.com (Eric Paris) Date: Fri, 05 Dec 2008 09:28:04 -0500 Subject: boot in permissive mode to boot 2.6.28-0.106.rc6.git4.fc11.i686 In-Reply-To: <49393850.3040601@redhat.com> References: <478912.83755.qm@web52602.mail.re2.yahoo.com> <49393850.3040601@redhat.com> Message-ID: <1228487284.3441.2.camel@localhost.localdomain> On Fri, 2008-12-05 at 09:18 -0500, Daniel J Walsh wrote: > > > SELinux: WARNING: inside 
open_file_mask_to_av with unknown mode:c1b6

Also to everyone who might be seeing these, they shouldn't hurt anything except performance. I didn't realize this was going to get turned on so soon so I never fixed it/shut these up.... They are an inconvenience, but shouldn't be a problem.

-Eric

From pemboa at gmail.com Sat Dec 6 05:13:13 2008
From: pemboa at gmail.com (Arthur Pemberton)
Date: Fri, 5 Dec 2008 23:13:13 -0600
Subject: Centos 5 + RPMForge : SELinux block OpenVPN form using
Message-ID: <16de708d0812052113o45adfbe3p31caf1bfc17c684d@mail.gmail.com>

Audit message is:

host=moriarty type=AVC msg=audit(1228539599.507:62): avc: denied { execstack } for pid=4737 comm="openvpn" scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn_t:s0 tclass=process

host=moriarty type=SYSCALL msg=audit(1228539599.507:62): arch=40000003 syscall=125 success=no exit=-13 a0=bfd77000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=4727 pid=4737 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)

setroubleshoot had no suggestion. This only happens when the init script is used. Direct invocation of openvpn as root does not cause this.

This google search suggests that this is a fairly popular problem with no published solution (that I've seen):
http://www.google.com/search?q=liblzo2.so.2%3A+cannot+enable+executable+stack+as+shared+object+requires%3A+Permission+denied%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )

From pemboa at gmail.com Sat Dec 6 08:23:14 2008
From: pemboa at gmail.com (Arthur Pemberton)
Date: Sat, 6 Dec 2008 02:23:14 -0600
Subject: Sharing config file between daemons
Message-ID: <16de708d0812060023j5801eda4q4848e8d1ac75438c@mail.gmail.com>

What is the best way to share a config file (user passwords) between httpd and squid? They use different contexts.
When I tried to point squid to httpd's config, it got blocked.

--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )

From paul at city-fan.org Sat Dec 6 09:05:31 2008
From: paul at city-fan.org (Paul Howarth)
Date: Sat, 6 Dec 2008 09:05:31 +0000
Subject: Centos 5 + RPMForge : SELinux block OpenVPN form using
In-Reply-To: <16de708d0812052113o45adfbe3p31caf1bfc17c684d@mail.gmail.com>
References: <16de708d0812052113o45adfbe3p31caf1bfc17c684d@mail.gmail.com>
Message-ID: <20081206090531.29db9bfa@metropolis.intra.city-fan.org>

On Fri, 5 Dec 2008 23:13:13 -0600 "Arthur Pemberton" wrote:
> Audit message is:
>
> host=moriarty type=AVC msg=audit(1228539599.507:62): avc: denied { execstack } for pid=4737 comm="openvpn" scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn_t:s0 tclass=process
>
> host=moriarty type=SYSCALL msg=audit(1228539599.507:62): arch=40000003 syscall=125 success=no exit=-13 a0=bfd77000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=4727 pid=4737 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
>
> setroubleshoot had no suggestion. This only happens when the init script is used. Direct invocation of openvpn as root does not cause this.
>
> this google search suggests that this is a fairly popular problem with no published solution (that I've seen):
> http://www.google.com/search?q=liblzo2.so.2%3A+cannot+enable+executable+stack+as+shared+object+requires%3A+Permission+denied%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
>

Does the same problem happen if you use the lzo and openvpn from EPEL?

Paul.

From Valdis.Kletnieks at vt.edu Sat Dec 6 09:44:26 2008
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
Date: Sat, 06 Dec 2008 04:44:26 -0500
Subject: selinux-policy-3.6.1-6.src.rpm - a WTF in policy-20081111.patch?
Message-ID: <52187.1228556666@turing-police.cc.vt.edu>

Seen in policy-20081111.patch:

grep -n wm policy* | grep ' :x_draw'
policy-20081111.patch:3763:+allow wm_t :x_drawable { get_property setattr show receive manage send read getattr list_child set_property };

Am I senile, or is something missing before that ":"? (Don't ask how I found it, 'tis a long and sordid tale.. I may be posting about the original issue separately).

From wolfy at nobugconsulting.ro Sat Dec 6 11:17:02 2008
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Sat, 06 Dec 2008 13:17:02 +0200
Subject: Centos 5 + RPMForge : SELinux block OpenVPN form using
In-Reply-To: <20081206090531.29db9bfa@metropolis.intra.city-fan.org>
References: <16de708d0812052113o45adfbe3p31caf1bfc17c684d@mail.gmail.com> <20081206090531.29db9bfa@metropolis.intra.city-fan.org>
Message-ID: <493A5F2E.2090203@nobugconsulting.ro>

On 12/06/2008 11:05 AM, Paul Howarth wrote:
> On Fri, 5 Dec 2008 23:13:13 -0600
> "Arthur Pemberton" wrote:
>
>
>> Audit message is:
>>
>> host=moriarty type=AVC msg=audit(1228539599.507:62): avc: denied { execstack } for pid=4737 comm="openvpn" scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn_t:s0 tclass=process
>>
>> host=moriarty type=SYSCALL msg=audit(1228539599.507:62): arch=40000003 syscall=125 success=no exit=-13 a0=bfd77000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=4727 pid=4737 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
>>
>> setroubleshoot had no suggestion. This only happens when the init script is used. Direct invocation of openvpn as root does not cause this.
>>
>> this google search suggests that this is a fairly popular problem with no published solution (that I've seen):
>> http://www.google.com/search?q=liblzo2.so.2%3A+cannot+enable+executable+stack+as+shared+object+requires%3A+Permission+denied%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
>>
>>
>
> Does the same problem happen if you use the lzo and openvpn from EPEL?
>
openvpn from EPEL (+ the stack of libs needed and taken from EPEL, too) worked for me fine ever since it has been included over there. I am using openvpn-2.1-0.29.rc15.el5.x86_64 in this very moment.
The version from rpmforge did indeed exhibit the same error as Paul has seen (reason for the switch to EPEL, to be honest)

From wolfy at nobugconsulting.ro Sat Dec 6 11:17:42 2008
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Sat, 06 Dec 2008 13:17:42 +0200
Subject: Centos 5 + RPMForge : SELinux block OpenVPN form using
In-Reply-To: <493A5F2E.2090203@nobugconsulting.ro>
References: <16de708d0812052113o45adfbe3p31caf1bfc17c684d@mail.gmail.com> <20081206090531.29db9bfa@metropolis.intra.city-fan.org> <493A5F2E.2090203@nobugconsulting.ro>
Message-ID: <493A5F56.2060500@nobugconsulting.ro>

On 12/06/2008 01:17 PM, Manuel Wolfshant wrote:
> On 12/06/2008 11:05 AM, Paul Howarth wrote:
>> On Fri, 5 Dec 2008 23:13:13 -0600
>> "Arthur Pemberton" wrote:
>>
>>
>>> Audit message is:
>>>
>>> host=moriarty type=AVC msg=audit(1228539599.507:62): avc: denied { execstack } for pid=4737 comm="openvpn" scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn_t:s0 tclass=process
>>>
>>> host=moriarty type=SYSCALL msg=audit(1228539599.507:62): arch=40000003 syscall=125 success=no exit=-13 a0=bfd77000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=4727 pid=4737 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
>>>
setroubleshoot had no suggestion. This only happens when the init >>> script is used. Direct infovation of openvpn as root does not cause >>> this. >>> >>> this google search suggests that this is a fairly popular problem with >>> no published solution (that I've seen): >>> http://www.google.com/search?q=liblzo2.so.2%3A+cannot+enable+executable+stack+as+shared+object+requires%3A+Permission+denied%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a >>> >>> >>> >> >> Does the same problem happen if you use the lzo and openvpn from EPEL? >> > openvpn from EPEL (+ the stack off libs needed and taken from EPEL, > too ) worked for me fine ever since it has been included over there. I > am using openvpn-2.1-0.29.rc15.el5.x86_64 in this very moment. > The version from rpmforge did indeed exhibit the same error as Paul > has seen (reason for the switch to EPEL, to be honest) sorry, I meant "Arthur has seen" From dwalsh at redhat.com Sat Dec 6 11:37:26 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 06 Dec 2008 06:37:26 -0500 Subject: Centos 5 + RPMForge : SELinux block OpenVPN form using In-Reply-To: <493A5F56.2060500@nobugconsulting.ro> References: <16de708d0812052113o45adfbe3p31caf1bfc17c684d@mail.gmail.com> <20081206090531.29db9bfa@metropolis.intra.city-fan.org> <493A5F2E.2090203@nobugconsulting.ro> <493A5F56.2060500@nobugconsulting.ro> Message-ID: <493A63F6.2000204@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Manuel Wolfshant wrote: > On 12/06/2008 01:17 PM, Manuel Wolfshant wrote: >> On 12/06/2008 11:05 AM, Paul Howarth wrote: >>> On Fri, 5 Dec 2008 23:13:13 -0600 >>> "Arthur Pemberton" wrote: >>> >>> >>>> Audit message is: >>>> >>>> host=moriarty type=AVC msg=audit(1228539599.507:62): avc: denied { >>>> execstack } for pid=4737 comm="openvpn" >>>> scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn >>>> _t:s0 tclass=process >>>> >>>> host=moriarty type=SYSCALL msg=audit(1228539599.507:62): arch=40000003 
>>>> syscall=125 success=no exit=-13 a0=bfd77000 a1=1000 a2=1000007
>>>> a3=fffff000 items=0 ppid=4727 pid=4737 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
>>>> ses=6 comm="openvpn" exe="/usr/sbin/openvpn"
>>>> subj=user_u:system_r:openvpn_t:s0 key=(null)
>>>>
>>>> setroubleshoot had no suggestion. This only happens when the init
>>>> script is used. Direct invocation of openvpn as root does not cause
>>>> this.
>>>>
>>>> this google search suggests that this is a fairly popular problem with
>>>> no published solution (that I've seen):
>>>> http://www.google.com/search?q=liblzo2.so.2%3A+cannot+enable+executable+stack+as+shared+object+requires%3A+Permission+denied%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
>>>
>>> Does the same problem happen if you use the lzo and openvpn from EPEL?
>>>
>> openvpn from EPEL (+ the stack of libs needed and taken from EPEL,
>> too ) worked for me fine ever since it has been included over there. I
>> am using openvpn-2.1-0.29.rc15.el5.x86_64 in this very moment.
>> The version from rpmforge did indeed exhibit the same error as Paul
>> has seen (reason for the switch to EPEL, to be honest)
> sorry, I meant "Arthur has seen"
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Always better to use the EPEL versions, but you can also try to use execstack -c to clear the execstack flag. Usually execstack means an app was built correctly and does not really need execstack.
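Added example, not from this thread or from the openvpn, lzo or EPEL packages discussed: a small script that does what Dan suggests in a checkable way. It walks the shared objects a binary loads, reports every one whose PT_GNU_STACK program header asks for an executable stack (the condition that produces the "denied { execstack }" AVC for openvpn_t above), and with -c clears the flag using execstack -c. It assumes readelf (binutils), ldd and the execstack tool from the prelink package are installed; the function names are this example's own, and the readelf sample lines at the bottom are constructed for the offline self-check, not output captured from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread or from the openvpn/lzo packages):
# find which shared objects loaded by a binary carry the executable-stack
# flag in their PT_GNU_STACK program header.  A single such library makes
# ld.so mprotect() the whole stack executable at load time, which is the
# "denied { execstack }" AVC shown above.  Assumes binutils (readelf), ldd,
# and the execstack tool from the prelink package.

# Print the PT_GNU_STACK flags found in `readelf -lW` output on stdin
# ("RWE" = executable stack requested, "RW" = not), or "none" when the
# object has no GNU_STACK header at all (old toolchains; the loader then
# falls back to an executable stack on x86).
gnu_stack_flags() {
    awk '$1 == "GNU_STACK" { print $7; found = 1 }
         END { if (!found) print "none" }'
}

# Exit status 0 when the ELF object at $1 asks for an executable stack.
needs_execstack() {
    [ "$(readelf -lW "$1" 2>/dev/null | gnu_stack_flags)" = "RWE" ]
}

# Paths of every shared object the binary at $1 resolves, one per line.
# (ldd may run the object's loader; use it only on binaries you trust.)
shared_objects_of() {
    ldd "$1" 2>/dev/null | awk '/=> \// { print $3 } /^\t\// { print $1 }'
}

# Report every library of $1 that needs an executable stack; with "-c" as $2
# also clear the flag in place (as root).  Clearing is only safe when the
# code never actually runs from the stack, e.g. a library mislinked with an
# assembly object lacking a .note.GNU-stack section; a rebuilt package is
# the better fix, and the next package update reintroduces the flag.
check_binary() {
    bin=$1; fix=$2
    for lib in $(shared_objects_of "$bin"); do
        if needs_execstack "$lib"; then
            echo "executable stack required by: $lib"
            [ "$fix" = "-c" ] && execstack -c "$lib"
        fi
    done
}

# Constructed sample `readelf -lW` program-header lines used for the offline
# self-check; they are not output captured from the thread's system.
SAMPLE_RWE='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x01b5c4 0x01b5c4 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'
SAMPLE_RW='  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'
SAMPLE_NONE='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x01b5c4 0x01b5c4 R E 0x1000'

# Usage: sh execstack-check.sh /usr/sbin/openvpn [-c]
if [ $# -gt 0 ]; then
    check_binary "$@"
fi
```

Run it against /usr/sbin/openvpn first without -c; if the only offender is the liblzo2.so.2 named in the Google query above, that library (not openvpn itself) is what needs rebuilding or clearing.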
From dwalsh at redhat.com Sat Dec 6 11:38:46 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 06 Dec 2008 06:38:46 -0500
Subject: selinux-policy-3.6.1-6.src.rpm - a WTF in policy-20081111.patch?
In-Reply-To: <52187.1228556666@turing-police.cc.vt.edu>
References: <52187.1228556666@turing-police.cc.vt.edu>
Message-ID: <493A6446.1050309@redhat.com>

Valdis.Kletnieks at vt.edu wrote:
> Seen in policy-20081111.patch:
>
> grep -n wm policy* | grep ' :x_draw'
> policy-20081111.patch:3763:+allow wm_t :x_drawable { get_property setattr show receive manage send read getattr list_child set_property };
>
> Am I senile, or is something missing before that ":"?
>
> (Don't ask how I found it, 'tis a long and sordid tale.. I may be posting
> about the original issue separately).

Yes this patch is wrong, although wm is not an included policy module so it would not get compiled in.
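Added example, not from this thread or from selinux-policy: a text lint for policy source, or for the "+" lines of a policy patch, that flags access-vector rules whose target type is missing, as in the wm_t line quoted above. checkmodule would reject such a rule, but only for modules that are actually built; as Dan notes, a module that is not compiled in never gets that check. The script reads a .te file or a patch on stdin and treats a braced set as a single operand; the function name is this example's own, and the sample lines at the bottom are constructed (the first one is the rule from the thread).

```shell
#!/bin/sh
# Added example (not from the thread or from selinux-policy): a text lint for
# policy source, or the '+' lines of a policy patch, that flags access-vector
# rules missing their target type, e.g.
#     allow wm_t :x_drawable { get_property ... };
# checkmodule rejects such a rule, but only in modules that are actually
# built; a rule in a module that is not compiled in (wm here) goes unnoticed.

# Read policy or patch text on stdin.  For each allow/auditallow/dontaudit/
# neverallow rule with fewer than two operands before the ':' (a braced set
# counts as one operand), print "<lineno>: <rule>".  Exit 1 if any were found.
# Lines starting with '-' (removed in a patch) and comments are skipped.
lint_av_rules() {
    awk '
        {
            line = $0
            sub(/^\+/, "", line)                   # drop the patch "+" marker
            if (line !~ /^[ \t]*(allow|auditallow|dontaudit|neverallow)[ \t]/) next
            head = line
            sub(/:.*/, "", head)                   # keep text before the class
            sub(/^[ \t]*(allow|auditallow|dontaudit|neverallow)[ \t]+/, "", head)
            gsub(/\{[^}]*\}/, "SET", head)         # "{ a_t b_t }" is one operand
            n = split(head, ops, "[ \t]+")
            count = 0
            for (i = 1; i <= n; i++) if (ops[i] != "") count++
            if (count < 2) {
                printf("%d: %s\n", NR, line)
                bad = 1
            }
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample mixing patch-style lines: the first is the rule quoted
# in the thread, the others are well-formed (or removed) rules.
SAMPLE_PATCH='+allow wm_t :x_drawable { get_property setattr show };
+allow wm_t xserver_t:x_drawable { get_property setattr show };
 allow ping_t self:rawip_socket create;
+dontaudit httpd_t { var_t var_run_t }:dir search;
-allow old_t :file read;'

# Usage: sh lint-av-rules.sh policy-20081111.patch
if [ $# -gt 0 ]; then
    lint_av_rules < "$1"
fi
```

On the sample above only line 1 is reported; the set-valued target on line 4 and the removed line 5 pass. Run it over a whole patch before building so that a typo in a module you do not ship still gets caught.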
From craigwhite at azapple.com Sat Dec 6 16:38:10 2008
From: craigwhite at azapple.com (Craig White)
Date: Sat, 06 Dec 2008 09:38:10 -0700
Subject: upgrade to F10 - local memcached policy tosses error
Message-ID: <1228581490.629.6.camel@lin-workstation.azapple.com>

doing upgrade to F10 reports this error when installing package...

Updating : selinux-policy-targeted 182/397
libsepol.context_from_record: type memcached_port_t is not defined
libsepol.context_from_record: could not create context structure (Invalid argument).
libsepol.port_from_record: could not create port structure for range 11211:11211 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 11211 - 11211 (tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
semodule: Failed!

grep finds the argument here...

# grep -r 11211 /etc/selinux/
/etc/selinux/targeted/modules/active/ports.local:portcon tcp 11211 system_u:object_r:memcached_port_t:s0

Is this something I need to worry about/fix? (I do use memcached in a RAILS development application)

Craig

From bruno at wolff.to Sat Dec 6 17:14:53 2008
From: bruno at wolff.to (Bruno Wolff III)
Date: Sat, 6 Dec 2008 11:14:53 -0600
Subject: Sharing config file between daemons
In-Reply-To: <16de708d0812060023j5801eda4q4848e8d1ac75438c@mail.gmail.com>
References: <16de708d0812060023j5801eda4q4848e8d1ac75438c@mail.gmail.com>
Message-ID: <20081206171453.GA841@wolff.to>

On Sat, Dec 06, 2008 at 02:23:14 -0600, Arthur Pemberton wrote:
> What is the best way to share a config file (user passwords) between
> httpd and squid?
> They use different contexts. When I tried to point
> squid to httpd's config, it got blocked.

Dan has a blog entry about sharing files between two domains at:
http://danwalsh.livejournal.com/24147.html

From dant at cdkkt.com Sat Dec 6 18:33:16 2008
From: dant at cdkkt.com (Daniel B. Thurman)
Date: Sat, 06 Dec 2008 10:33:16 -0800
Subject: It's that spamass-milter thing again...
Message-ID: <493AC56C.9050302@cdkkt.com>

I posted a long investigation of the interaction between sendmail, spamassassin, and spamass-milter in Fedora User's group. You can go there to get the full details of that investigation, if you'd like:

Author: Daniel B. Thurman
Subject: F8 (and FX?): Sendmail, Spamassassin, and Spamass-Milter issues.

As it seems, it appears that spamass-milter is the crux of the problem:

1) Starting spamass-milter from services (/etc/init.d) fails to create a socket
2) Starting spamass-milter does not properly set its socket's security context.

These problems appear for both F8 and F9.

But in any case, starting spamass-milter manually:

# spamass-milter -p '/var/run/spamass-milter/spamass-milter.sock' -f

But unfortunately the security context is wrong, which is:

srwxr-xr-x root root unconfined_u:object_r:var_run_r:s0 spamass-milter.sock

Even so, setroubleshoot says to do the following:

restorecon -v '/var/run/spamass-milter/spamass-milter.sock'

Changes the security context to:

srwxr-xr-x root root system_u:object_r:spamd_var_run_t:s0 spamass-milter.sock

Which I believe is still incorrect, because it is assigned to spamd_var_run_t, in my opinion, is still not allowing sendmail rights to access this filter.

Whatever the actual problem is, I am still getting errors in the message/maillog log files saying that spamass-milter fails to run the filter.

For testing, I tried to manually set the socket to: sendmail_var_t or sendmail_t, but chcon denies permissions to do so. I am unable to test to see what the security context actually should be.
Please note, that I did not have any more problems with spamass-milter for awhile, until the latest releases of F8 has broken it. I also note that F9 broke as well. Can someone please help? Thanks! Dan Thurman From dwm at enoyolf.org Sun Dec 7 00:48:07 2008 From: dwm at enoyolf.org (Doug Maxey) Date: Sat, 06 Dec 2008 18:48:07 -0600 Subject: It's that spamass-milter thing again... In-Reply-To: <493AC56C.9050302@cdkkt.com> References: <493AC56C.9050302@cdkkt.com> Message-ID: <10114.1228610887@jerryjeff.riw.enoyolf.org> On Sat, 06 Dec 2008 10:33:16 PST, "Daniel B. Thurman" wrote: [snip] > > Can someone please help? > I don't have any input on what works, just wanted to chime in to say there is at least one other site that is having the very same issues. Paul Howarth had some example code for enabling some other milters to play with sendmail, but AFAICT it never went any where. ++doug From icon at fedoraproject.org Sun Dec 7 01:54:54 2008 From: icon at fedoraproject.org (Konstantin Ryabitsev) Date: Sat, 6 Dec 2008 20:54:54 -0500 Subject: upgrade to F10 - local memcached policy tosses error In-Reply-To: <1228581490.629.6.camel@lin-workstation.azapple.com> References: <1228581490.629.6.camel@lin-workstation.azapple.com> Message-ID: On Sat, Dec 6, 2008 at 11:38 AM, Craig White wrote: > doing upgrade to F10 reports this error when installing package... > > Updating : selinux-policy-targeted > 182/397 > libsepol.context_from_record: type memcached_port_t is not defined > libsepol.context_from_record: could not create context structure > (Invalid argument). > libsepol.port_from_record: could not create port structure for range > 11211:11211 (tcp) (Invalid argument). > libsepol.sepol_port_modify: could not load port range 11211 - 11211 > (tcp) (Invalid argument). > libsemanage.dbase_policydb_modify: could not modify record value > (Invalid argument). > libsemanage.semanage_base_merge_components: could not merge local > modifications into policy (Invalid argument). 
> semodule: Failed!
>
> grep finds the argument here...
> # grep -r 11211 /etc/selinux/
> /etc/selinux/targeted/modules/active/ports.local:portcon tcp 11211 system_u:object_r:memcached_port_t:s0
>
> Is this something I need to worry about/fix? (I do use memcached in a
> RAILS development application)

I'm guessing you installed memcached-selinux package before the upgrade?

Cheers,
--
Konstantin Ryabitsev
Montréal, Québec

From craigwhite at azapple.com Sun Dec 7 02:26:51 2008
From: craigwhite at azapple.com (Craig White)
Date: Sat, 06 Dec 2008 19:26:51 -0700
Subject: upgrade to F10 - local memcached policy tosses error
In-Reply-To:
References: <1228581490.629.6.camel@lin-workstation.azapple.com>
Message-ID: <1228616811.2699.22.camel@lin-workstation.azapple.com>

On Sat, 2008-12-06 at 20:54 -0500, Konstantin Ryabitsev wrote:
> On Sat, Dec 6, 2008 at 11:38 AM, Craig White wrote:
> > doing upgrade to F10 reports this error when installing package...
> >
> > Updating : selinux-policy-targeted 182/397
> > libsepol.context_from_record: type memcached_port_t is not defined
> > libsepol.context_from_record: could not create context structure (Invalid argument).
> > libsepol.port_from_record: could not create port structure for range 11211:11211 (tcp) (Invalid argument).
> > libsepol.sepol_port_modify: could not load port range 11211 - 11211 (tcp) (Invalid argument).
> > libsemanage.dbase_policydb_modify: could not modify record value (Invalid argument).
> > libsemanage.semanage_base_merge_components: could not merge local modifications into policy (Invalid argument).
> > semodule: Failed!
> >
> > grep finds the argument here...
> > # grep -r 11211 /etc/selinux/
> > /etc/selinux/targeted/modules/active/ports.local:portcon tcp 11211 system_u:object_r:memcached_port_t:s0
> >
> > Is this something I need to worry about/fix?
> > (I do use memcached in a
> > RAILS development application)
>
> I'm guessing you installed memcached-selinux package before the upgrade?
----
I ran 'preupgrade' and then a 'yum update' which seemed to pick up some missed stuff.

If the returned order of grep is to be believed, then no...

# grep selinux upgrade.log*
upgrade.log:Upgrading libselinux-2.0.73-1.fc10.i386
upgrade.log:Upgrading libselinux-utils-2.0.73-1.fc10.i386
upgrade.log:Upgrading libselinux-devel-2.0.73-1.fc10.i386
upgrade.log:Upgrading libselinux-python-2.0.73-1.fc10.i386
upgrade.log:Upgrading selinux-policy-3.5.13-18.fc10.noarch
upgrade.log:Upgrading selinux-policy-targeted-3.5.13-18.fc10.noarch
upgrade.log:Upgrading memcached-selinux-1.2.5-2.fc10.i386

Craig

From paul at city-fan.org Sun Dec 7 13:08:08 2008
From: paul at city-fan.org (Paul Howarth)
Date: Sun, 7 Dec 2008 13:08:08 +0000
Subject: It's that spamass-milter thing again...
In-Reply-To: <10114.1228610887@jerryjeff.riw.enoyolf.org>
References: <493AC56C.9050302@cdkkt.com> <10114.1228610887@jerryjeff.riw.enoyolf.org>
Message-ID: <20081207130808.5a5e3490@metropolis.intra.city-fan.org>

On Sat, 06 Dec 2008 18:48:07 -0600
Doug Maxey wrote:

> On Sat, 06 Dec 2008 10:33:16 PST, "Daniel B. Thurman" wrote:
> [snip]
> >
> > Can someone please help?
> >
>
> I don't have any input on what works, just wanted to chime in to say
> there is at least one other site that is having the very same issues.
>
> Paul Howarth had some example code for enabling some other milters to
> play with sendmail, but AFAICT it never went anywhere.

The code has very recently been merged in upstream selinux reference policy. I'm hoping that Dan will include it in updates to selinux-policy soon, though he's reluctant to update F8 policy for a non-security issue so close to F8 EOL.
You might want to chime in on one or more of the following bugzilla tickets:

https://bugzilla.redhat.com/show_bug.cgi?id=446975
(spamass-milter pid file denials)

https://bugzilla.redhat.com/show_bug.cgi?id=452248
(RFE: make the milter more postfix-friendly)

https://bugzilla.redhat.com/show_bug.cgi?id=455820
(AVC errors when launching spamc (spamass-milter for sendmail))

Paul.

From dwm at enoyolf.org Sun Dec 7 17:09:35 2008
From: dwm at enoyolf.org (Doug Maxey)
Date: Sun, 07 Dec 2008 11:09:35 -0600
Subject: It's that spamass-milter thing again...
In-Reply-To: <20081207130808.5a5e3490@metropolis.intra.city-fan.org>
References: <493AC56C.9050302@cdkkt.com> <10114.1228610887@jerryjeff.riw.enoyolf.org> <20081207130808.5a5e3490@metropolis.intra.city-fan.org>
Message-ID: <321.1228669775@jerryjeff.riw.enoyolf.org>

On Sun, 07 Dec 2008 13:08:08 GMT, Paul Howarth wrote:
> On Sat, 06 Dec 2008 18:48:07 -0600
> Doug Maxey wrote:
[snip]
>
> The code has very recently been merged in upstream selinux reference
> policy. I'm hoping that Dan will include it in updates to
> selinux-policy soon,

That would be wonderful.

> though he's reluctant to update F8 policy for a
> non-security issue so close to F8 EOL.
>
> You might want to chime in on one or more of the following bugzilla
> tickets:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=446975
> (spamass-milter pid file denials)
>
> https://bugzilla.redhat.com/show_bug.cgi?id=452248
> (RFE: make the milter more postfix-friendly)
>
> https://bugzilla.redhat.com/show_bug.cgi?id=455820
> (AVC errors when launching spamc (spamass-milter for sendmail))

Thanks, will look into those when $DAYJOB is not taking up 200% of my time. :)

++doug

From goeran at uddeborg.se Sun Dec 7 21:10:30 2008
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sun, 7 Dec 2008 22:10:30 +0100
Subject: What is wrong when spamc is not allowed to connect to spamd?
Message-ID: <18748.15302.206863.621563@gargle.gargle.HOWL> I'm gradually upgrading to Fedora 10 using yum, so I suspect this problem might be that some package is not yet upgraded. But I can't understand what it could be. I'm running spamassassin using the lines DROPPRIVS=yes INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc in /etc/procmailrc. After upgrading to Fedora 10 policy and spamassassin I get these AVC:s time->Sun Dec 7 20:01:46 2008 type=SYSCALL msg=audit(1228676506.702:50): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=1358850 a2=10 a3=8 items=0 ppid=3558 pid=3559 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1228676506.702:50): avc: denied { name_connect } for pid=3559 comm="spamc" dest=783 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket I.e., spamc isn't allowed to connect to spamd's TCP socket. Looking in the spamassassin.te source I see that spamc_t is allowed to connect to spamd_t:unix_stream_socket but I can't see anything that would allow it to connect to a tcp_socket of any type. Looking at the spamassassin code, I spamd would create and spamc use a unix-domain socket if given explicit path to it, but in the default configuration I can't see anything that would add those flags. I've enabled spamassassin_can_network as a temporary workaround, but that shouldn't be necessary just to use spamc, should it? What am I missing here? From adam at physco.com Sun Dec 7 21:52:57 2008 From: adam at physco.com (Adam D. Ligas) Date: Sun, 07 Dec 2008 16:52:57 -0500 Subject: SELinux error with icecast package Message-ID: <1228686777.2869.16.camel@Q> Hey folks, I've got a bunch of SELinux errors on my newly installed F10 server. I'm a decently knowledgeable Linux user, but SELinux is pretty much over my head at this point. 
Rather then spam the IRC channel, I thought I would send a series of messages with the various errors to this list. If this is not the appropriate place to do this, please let me know and accept my apology in advance. This error occurred when installing icecast from the standard Fedora repo. According to the GUI troubleshoot tool, it tried it more then once. --- Begin SELinux Alert 1 --- Summary: SELinux is preventing nscd (nscd_t) "read" unconfined_notrans_t. Detailed Description: SELinux denied access requested by nscd. It is not expected that this access is required by nscd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context unconfined_u:system_r:nscd_t:s0 Target Context unconfined_u:system_r:unconfined_notrans_t:s0 Target Objects pipe [ fifo_file ] Source nscd Source Path /usr/sbin/nscd Port Host boris Source RPM Packages nscd-2.9-2 Target RPM Packages Policy RPM selinux-policy-3.5.13-26.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name boris Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon Alert Count 4 First Seen Sat 06 Dec 2008 04:16:14 PM EST Last Seen Sat 06 Dec 2008 04:16:14 PM EST Local ID cd43cbcd-4bae-4524-b52f-f8ab36f00764 Line Numbers Raw Audit Messages node=boris type=AVC msg=audit(1228598174.876:203): avc: denied { read } for pid=5357 comm="nscd" path="pipe:[35289]" dev=pipefs ino=35289 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=fifo_file node=boris type=SYSCALL msg=audit(1228598174.876:203): arch=40000003 syscall=11 success=yes exit=0 a0=8056c6b a1=bfb25c24 a2=bfb25c38 a3=0 items=0 ppid=5352 pid=5357 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null) --- End SELinux Alert --- When I removed the package with yum, it threw this error a bunch more times and added an additional one: --- Begin SELinux Alert 2 --- Summary: SELinux prevented semanage from using the terminal 0. Detailed Description: SELinux prevented semanage from using the terminal 0. In most cases daemons do not need to interact with the terminal, usually these avc messages can be ignored. All of the confined daemons should have dontaudit rules around using the terminal. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy. If you would like to allow all daemons to interact with the terminal, you can turn on the allow_daemons_use_tty boolean. 
Allowing Access: Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1." Fix Command: setsebool -P allow_daemons_use_tty=1 Additional Information: Source Context unconfined_u:system_r:semanage_t:s0 Target Context unconfined_u:object_r:devpts_t:s0 Target Objects 0 [ chr_file ] Source semanage Source Path /usr/bin/python Port Host boris Source RPM Packages python-2.5.2-1.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-26.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_daemons_use_tty Host Name boris Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon Alert Count 1 First Seen Sun 07 Dec 2008 04:34:19 PM EST Last Seen Sun 07 Dec 2008 04:34:19 PM EST Local ID 5ff62f2f-d05d-46b3-9624-b1308e1a06f6 Line Numbers Raw Audit Messages node=boris type=AVC msg=audit(1228685659.553:6520): avc: denied { read write } for pid=32355 comm="semanage" name="0" dev=devpts ino=2 scontext=unconfined_u:system_r:semanage_t:s0 tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file node=boris type=SYSCALL msg=audit(1228685659.553:6520): arch=40000003 syscall=11 success=yes exit=0 a0=8050a82 a1=bf871adc a2=0 a3=0 items=0 ppid=32354 pid=32355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:system_r:semanage_t:s0 key=(null) -- End SELinux Alert --- The second one includes some instructions to repair the error, but it seems to be an "all or nothing" sort of command, and it seems even weirder to run it after I've uninstalled the package that appears to be using it. Thoughts? - Adam From adam at physco.com Sun Dec 7 22:00:55 2008 From: adam at physco.com (Adam D. 
Ligas) Date: Sun, 07 Dec 2008 17:00:55 -0500 Subject: SELinux Error Configuring Samba Message-ID: <1228687255.2869.22.camel@Q> Hey folks, I'm trying to setup Samba on this F10 server. To do so, I am trying to run a program out of the "System" menu. Menu path: System -> Administration -> Samba The program does not run. Instead, SELinux comes up with the following error. --- Begin SELinux Alert --- Summary: SELinux is preventing polkitd (polkit_t) "search" to ./32587 (unconfined_notrans_t). Detailed Description: SELinux denied access requested by polkitd. It is not expected that this access is required by polkitd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./32587, restorecon -v './32587' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context system_u:system_r:polkit_t:s0-s0:c0.c1023 Target Context unconfined_u:system_r:unconfined_notrans_t:s0 Target Objects ./32587 [ dir ] Source polkitd Source Path /usr/libexec/polkitd Port Host boris Source RPM Packages PolicyKit-0.9-3.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-26.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name boris Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon Alert Count 1 First Seen Sun 07 Dec 2008 04:53:54 PM EST Last Seen Sun 07 Dec 2008 04:53:54 PM EST Local ID 7f00770b-bdcb-4561-8b3f-14960c89329d Line Numbers Raw Audit Messages node=boris type=AVC msg=audit(1228686834.70:6634): avc: denied { search } for pid=32595 comm="polkitd" name="32587" dev=proc ino=817686 scontext=system_u:system_r:polkit_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=dir node=boris type=SYSCALL msg=audit(1228686834.70:6634): arch=40000003 syscall=5 success=no exit=-13 a0=9b55dd8 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=32595 auid=4294967295 uid=87 gid=87 euid=87 suid=87 fsuid=87 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkitd" subj=system_u:system_r:polkit_t:s0-s0:c0.c1023 key=(null) --- End SELinux Alert --- The resolution instructions do not work as listed above. Basically, I don't think restorecon can find the directory - I think its made when you try to run the program. Each time you run it, you get a separate SELinux error with a different numbered directory at the end of the command. Thoughts? - Adam From adam at physco.com Sun Dec 7 22:14:25 2008 From: adam at physco.com (Adam D. 
Ligas) Date: Sun, 07 Dec 2008 17:14:25 -0500 Subject: SELinux Error with bonobo-activation-server Message-ID: <1228688065.2869.31.camel@Q> Hey folks, I installed the VNC server package from the Fedora repo on my F10 server, and then edited my .vnc/xstartup file to allow a normal desktop environment. Now, each time the server boots, Nautilus bombs out with the following error: "Nautilus cannot be used now, due to an unexpected error from Bonobo when attempting to locate the factory. Killing bonobo-activation-server and restarting Nautilus may help fix the problem". In conjunction with this dialog box, I get the following SELinux error. --- Begin SELinux Error --- Summary: SELinux is preventing ck-get-x11-serv (consolekit_t) "connectto" unconfined_notrans_t. Detailed Description: SELinux denied access requested by ck-get-x11-serv. It is not expected that this access is required by ck-get-x11-serv and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 Target Context system_u:system_r:unconfined_notrans_t:s0 Target Objects 002F746D702F2E5831312D756E69782F5831 [ unix_stream_socket ] Source ck-get-x11-serv Source Path /usr/libexec/ck-get-x11-server-pid Port Host boris Source RPM Packages ConsoleKit-x11-0.3.0-2.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-26.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name boris Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon Alert Count 2 First Seen Sat 06 Dec 2008 04:40:19 PM EST Last Seen Sun 07 Dec 2008 05:04:49 PM EST Local ID a654e04f-23ae-4f1e-8c47-9583cd2b5c27 Line Numbers Raw Audit Messages node=boris type=AVC msg=audit(1228687489.309:9): avc: denied { connectto } for pid=2291 comm="ck-get-x11-serv" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_notrans_t:s0 tclass=unix_stream_socket node=boris type=SYSCALL msg=audit(1228687489.309:9): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc677c0 a2=61a160 a3=11 items=0 ppid=2290 pid=2291 auid=4294967295 uid=500 gid=504 euid=500 suid=500 fsuid=500 egid=504 sgid=504 fsgid=504 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) --- End SELinux Error --- The workaround for now is to SSH to the server, kill -9 the bonobo process, and then restart the vncserver service. But I would like to remove all of those steps if at all possible. Thoughts? 
- Adam

From gp at dipohl.com Mon Dec 8 11:40:57 2008
From: gp at dipohl.com (Gabriele Pohl)
Date: Mon, 08 Dec 2008 12:40:57 +0100
Subject: reject of org.freedesktop.PackageKit.Transaction
Message-ID: <1228736457.3046.19.camel@calex.dipohl.com>

Hi,

I got the following error message from PackageKit today:

"A security policy in place prevents this sender from sending this message to this recipient, see message bus configuration file (rejected message had interface "org.freedesktop.PackageKit.Transaction" member "Cancel" error name "(unset)" destination "org.freedesktop.PackageKit")"

What shall I do to solve it?
Which configuration file is meant?

/etc/dbus-1/:
-rw-r--r-- 1 root root 2524 5. Dez 21:14 session.conf
drwxr-xr-x 2 root root 4096 5. Dez 21:14 session.d
-rw-r--r-- 1 root root 3368 5. Dez 21:14 system.conf
drwxr-xr-x 2 root root 4096 5. Dez 21:14 system.d

ls -lR /etc/dbus-1/system.d/org.freedesktop.*
-rw-r--r-- 1 root root 396 6. Sep 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKitAptBackend.conf
-rw-r--r-- 1 root root 610 6. Sep 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
-rw-r--r-- 1 root root 573 6. Sep 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKitTestBackend.conf
-rw-r--r-- 1 root root 396 6. Sep 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKitYumBackend.conf
-rw-r--r-- 1 root root 365 30. Jun 18:02 /etc/dbus-1/system.d/org.freedesktop.PolicyKit.conf

rpm -qa | grep policy
seedit-policy-2.2.0-2.fc9.i386
selinux-policy-3.3.1-111.fc9.noarch
checkpolicy-2.0.16-3.fc9.i386
policycoreutils-gui-2.0.52-8.fc9.i386
selinux-policy-targeted-3.3.1-111.fc9.noarch
policycoreutils-2.0.52-8.fc9.i386
selinux-policy-devel-3.3.1-111.fc9.noarch

rpm -q dbus
dbus-1.2.6-1.fc9.i386

-Gabriele

From olivares14031 at yahoo.com Tue Dec 9 00:44:15 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 8 Dec 2008 16:44:15 -0800 (PST)
Subject: denied avc's on rawhide
Message-ID: <177228.383.qm@web52603.mail.re2.yahoo.com>

Dear fellow testers and selinux experts,

After updating to the latest updates, I get several selinux denials, but setroubleshoot does not display them. I get to see them when the system starts and that is it :(

[olivares at localhost ~]$ rpm -qa selinux*
[olivares at localhost ~]$ rpm -qa selinux
[olivares at localhost ~]$ rpm -qa selinux-policy*
selinux-policy-3.6.1-6.fc11.noarch
selinux-policy-targeted-3.6.1-6.fc11.noarch
[olivares at localhost ~]$ dmesg | grep 'avc'
type=1400 audit(1228782900.945:4): avc: denied { sys_tty_config } for pid=709 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782901.610:5): avc: denied { sys_tty_config } for pid=716 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782924.617:6): avc: denied { sys_tty_config } for pid=1471 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782926.009:7): avc: denied { write } for pid=1497 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1228782928.136:8): avc: denied { sys_tty_config } for pid=1672 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782964.027:9): avc: denied { sys_tty_config } for pid=1688 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
type=1400 audit(1228782991.682:10): avc: denied { search } for pid=2415 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=1400 audit(1228782992.039:11): avc: denied { search } for pid=2445 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=1400 audit(1228782993.853:12): avc: denied { search } for pid=2482 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=1400 audit(1228782995.570:13): avc: denied { search } for pid=2574 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=1400 audit(1228783019.890:14): avc: denied { search } for pid=2845 comm="polkit-read-aut" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
[olivares at localhost ~]$

Regards,

Antonio

From dsikora at redhat.com Tue Dec 9 14:15:32 2008
From: dsikora at redhat.com (Doug Sikora)
Date: Tue, 9 Dec 2008 09:15:32 -0500 (EST)
Subject: using selinux to allow only certain hosts or networks
Message-ID: <1321429836.152671228832132169.JavaMail.root@zmail03.collab.prod.int.phx2.redhat.com>

The rules below came from audit2allow:

allow test_t inaddr_any_node_t:tcp_socket node_bind;
allow test_t inaddr_any_node_t:udp_socket node_bind;

Instead of
allowing "any_node" I would like to limit this to specific hosts and/or networks. Does anyone know the syntax for this?

Thanks,
Doug

From dwalsh at redhat.com Tue Dec 9 19:59:53 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 09 Dec 2008 14:59:53 -0500
Subject: What is wrong when spamc is not allowed to connect to spamd?
In-Reply-To: <18748.15302.206863.621563@gargle.gargle.HOWL>
References: <18748.15302.206863.621563@gargle.gargle.HOWL>
Message-ID: <493ECE39.7070400@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Göran Uddeborg wrote:
> I'm gradually upgrading to Fedora 10 using yum, so I suspect this
> problem might be that some package is not yet upgraded. But I can't
> understand what it could be.
>
> I'm running spamassassin using the lines
>
> DROPPRIVS=yes
> INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
>
> in /etc/procmailrc. After upgrading to Fedora 10 policy and
> spamassassin I get these AVCs
>
> time->Sun Dec 7 20:01:46 2008
> type=SYSCALL msg=audit(1228676506.702:50): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=1358850 a2=10 a3=8 items=0 ppid=3558 pid=3559 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
> type=AVC msg=audit(1228676506.702:50): avc: denied { name_connect } for pid=3559 comm="spamc" dest=783 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
>
> I.e., spamc isn't allowed to connect to spamd's TCP socket.
>
> Looking in the spamassassin.te source I see that spamc_t is allowed to
> connect to spamd_t:unix_stream_socket but I can't see anything that
> would allow it to connect to a tcp_socket of any type.
>
> Looking at the spamassassin code, I spamd would create and spamc use a
> unix-domain socket if given explicit path to it, but in the default
> configuration I can't see anything that would add those flags.
>
> I've enabled spamassassin_can_network as a temporary workaround, but
> that shouldn't be necessary just to use spamc, should it?
>
> What am I missing here?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Seems reasonable. Fixed in selinux-policy-3.5.13-34.fc10

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk+zjkACgkQrlYvE4MpobO3+ACeLA3B+oLt5y2OvvFiEVOirnt8
OWQAnjGzyq+0cXUUiyUHoIPXNbqAM0td
=AmvN
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Tue Dec 9 20:00:18 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 09 Dec 2008 15:00:18 -0500
Subject: reject of org.freedesktop.PackageKit.Transaction
In-Reply-To: <1228736457.3046.19.camel@calex.dipohl.com>
References: <1228736457.3046.19.camel@calex.dipohl.com>
Message-ID: <493ECE52.4060200@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gabriele Pohl wrote:
> Hi,
>
> I got the following Error Message from
> the PackageKit today:
>
> "A security policy in place prevents this sender from sending this
> message to this recipient, see message bus configuration file (rejected
> message had interface "org.freedesktop.PackageKit.Transaction" member
> "Cancel" error name "(unset)" destination "org.freedesktop.PackageKit")"
>
> What shall I do to solve it?
> Which configuration file is meant?
>
> /etc/dbus-1/:
> -rw-r--r-- 1 root root 2524 5. Dez 21:14 session.conf
> drwxr-xr-x 2 root root 4096 5. Dez 21:14 session.d
> -rw-r--r-- 1 root root 3368 5. Dez 21:14 system.conf
> drwxr-xr-x 2 root root 4096 5. Dez 21:14 system.d
>
> ls -lR /etc/dbus-1/system.d/org.freedesktop.*
> -rw-r--r-- 1 root root 396 6. Sep
> 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKitAptBackend.conf
> -rw-r--r-- 1 root root 610 6. Sep
> 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
> -rw-r--r-- 1 root root 573 6. Sep
> 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKitTestBackend.conf
> -rw-r--r-- 1 root root 396 6. Sep
> 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKitYumBackend.conf
> -rw-r--r-- 1 root root 365 30. Jun
> 18:02 /etc/dbus-1/system.d/org.freedesktop.PolicyKit.conf
>
> rpm -qa | grep policy
> seedit-policy-2.2.0-2.fc9.i386
> selinux-policy-3.3.1-111.fc9.noarch
> checkpolicy-2.0.16-3.fc9.i386
> policycoreutils-gui-2.0.52-8.fc9.i386
> selinux-policy-targeted-3.3.1-111.fc9.noarch
> policycoreutils-2.0.52-8.fc9.i386
> selinux-policy-devel-3.3.1-111.fc9.noarch
>
> rpm -q dbus
> dbus-1.2.6-1.fc9.i386
>
> -Gabriele
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Not an SELinux issue

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk+zlIACgkQrlYvE4MpobNhdgCfcYBVDAiamhFRvbyhvL11/VBN
taIAnR+dqU1u4PAfxK1ndGq7NMExJnNk
=xMXI
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Tue Dec 9 20:42:26 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 09 Dec 2008 15:42:26 -0500
Subject: denied avc's on rawhide
In-Reply-To: <177228.383.qm@web52603.mail.re2.yahoo.com>
References: <177228.383.qm@web52603.mail.re2.yahoo.com>
Message-ID: <493ED832.5070307@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear fellow testers and selinux experts,
>
> After updating to the latest updates, I get several selinux denials, but setroubleshoot does not display them.
> I get to see them when the system starts and that is it :(
>
> [olivares at localhost ~]$ rpm -qa selinux*
> [olivares at localhost ~]$ rpm -qa selinux
> [olivares at localhost ~]$ rpm -qa selinux-policy*
> selinux-policy-3.6.1-6.fc11.noarch
> selinux-policy-targeted-3.6.1-6.fc11.noarch
> [olivares at localhost ~]$ dmesg | grep 'avc'
> type=1400 audit(1228782900.945:4): avc: denied { sys_tty_config } for pid=709 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
> type=1400 audit(1228782901.610:5): avc: denied { sys_tty_config } for pid=716 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
> type=1400 audit(1228782924.617:6): avc: denied { sys_tty_config } for pid=1471 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
> type=1400 audit(1228782926.009:7): avc: denied { write } for pid=1497 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1228782928.136:8): avc: denied { sys_tty_config } for pid=1672 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
> type=1400 audit(1228782964.027:9): avc: denied { sys_tty_config } for pid=1688 comm="consoletype" capability=26 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:consoletype_t:s0 tclass=capability
> type=1400 audit(1228782991.682:10): avc: denied { search } for pid=2415 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
> type=1400 audit(1228782992.039:11): avc: denied { search } for pid=2445 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
> type=1400 audit(1228782993.853:12): avc: denied { search } for pid=2482 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
> type=1400 audit(1228782995.570:13): avc: denied { search } for pid=2574 comm="python" name=".local" dev=dm-0 ino=1507729 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
> type=1400 audit(1228783019.890:14): avc: denied { search } for pid=2845 comm="polkit-read-aut" name="dbus" dev=dm-0 ino=3276848 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
> [olivares at localhost ~]$
>
>
> Regards,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

If you update to selinux-policy-3.6.1-8.fc11.noarch
These should be fixed.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk+2DIACgkQrlYvE4MpobN1TwCdF5LmqDAhnTEkvYVDYeahBzAW
ddsAoLmrjp/0XyRA/5kiNLPqDxJ0xega
=euz2
-----END PGP SIGNATURE-----

From olivares14031 at yahoo.com Wed Dec 10 00:43:44 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 9 Dec 2008 16:43:44 -0800 (PST)
Subject: denied avc's on rawhide
In-Reply-To: <493ED832.5070307@redhat.com>
Message-ID: <95580.59017.qm@web52607.mail.re2.yahoo.com>

> If you update to selinux-policy-3.6.1-8.fc11.noarch
> These should be fixed.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora -
> http://enigmail.mozdev.org
>
> iEYEARECAAYFAkk+2DIACgkQrlYvE4MpobN1TwCdF5LmqDAhnTEkvYVDYeahBzAW
> ddsAoLmrjp/0XyRA/5kiNLPqDxJ0xega
> =euz2
> -----END PGP SIGNATURE-----

Yes, they are :), thank you very much.
Now selinux is denying the setroubleshoot daemon from kicking in :(, selinux denying itself in some ways. I got new avcs:

[olivares at riohigh ~]$ dmesg | grep 'avc'
type=1400 audit(1228868792.540:4): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.546:5): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.569:6): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.574:7): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.582:8): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.600:9): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.617:10): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.647:11): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.653:12): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868792.665:13): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.247:59): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.259:60): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.269:61): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.277:62): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.283:63): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.296:64): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.304:65): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.309:66): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.322:67): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868798.354:68): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=1400 audit(1228868811.296:89): avc: denied { read } for pid=2492 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=23265 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868811.414:90): avc: denied { read } for pid=2492 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=23265 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868818.290:91): avc: denied { read } for pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868818.597:92): avc: denied { read } for pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868932.171:93): avc: denied { read } for pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868932.997:94): avc: denied { read write } for pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868932.997:95): avc: denied { read append } for pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868978.329:96): avc: denied { read } for pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868978.569:97): avc: denied { read } for pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868986.153:98): avc: denied { read } for pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868986.899:99): avc: denied { read write } for pid=3315 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868986.899:100): avc: denied { read append } for pid=3315 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868986.901:101): avc: denied { read } for pid=3315 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=1400 audit(1228868986.906:102): avc: denied { unlink } for pid=3315 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
[olivares at riohigh ~]$ rpm -qa selinux-policy
selinux-policy-3.6.1-8.fc11.noarch

Thanks,

Antonio

From dwalsh at redhat.com Wed Dec 10 16:33:19 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 10 Dec 2008 11:33:19 -0500
Subject: denied avc's on rawhide
In-Reply-To: <95580.59017.qm@web52607.mail.re2.yahoo.com>
References: <95580.59017.qm@web52607.mail.re2.yahoo.com>
Message-ID: <493FEF4F.5070505@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
>> If you update to selinux-policy-3.6.1-8.fc11.noarch
>> These should be fixed.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Fedora -
>> http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkk+2DIACgkQrlYvE4MpobN1TwCdF5LmqDAhnTEkvYVDYeahBzAW
>> ddsAoLmrjp/0XyRA/5kiNLPqDxJ0xega
>> =euz2
>> -----END PGP SIGNATURE-----
>
> Yes, they are :), thank you very much. Now selinux is denying the setroubleshoot daemon from kicking in :(, selinux denying itself in some ways. I got new avcs:
>
> [olivares at riohigh ~]$ dmesg | grep 'avc'
> type=1400 audit(1228868792.540:4): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.546:5): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.569:6): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.574:7): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.582:8): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.600:9): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.617:10): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.647:11): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.653:12): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868792.665:13): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.247:59): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.259:60): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.269:61): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.277:62): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.283:63): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.296:64): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.304:65): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.309:66): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.322:67): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868798.354:68): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=1400 audit(1228868811.296:89): avc: denied { read } for pid=2492 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=23265 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868811.414:90): avc: denied { read } for pid=2492 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=23265 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868818.290:91): avc: denied { read } for pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868818.597:92): avc: denied { read } for pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868932.171:93): avc: denied { read } for pid=2502 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868932.997:94): avc: denied { read write } for pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868932.997:95): avc: denied { read append } for pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868978.329:96): avc: denied { read } for pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868978.569:97): avc: denied { read } for pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.153:98): avc: denied { read } for pid=3281 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.899:99): avc: denied { read write } for pid=3315 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.899:100): avc: denied { read append } for pid=3315 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.901:101): avc: denied { read } for pid=3315 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> type=1400 audit(1228868986.906:102): avc: denied { unlink } for pid=3315 comm="gdm-session-wor" name=".dmrc" dev=sda5 ino=18585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
> [olivares at riohigh ~]$ rpm -qa selinux-policy
> selinux-policy-3.6.1-8.fc11.noarch
>
>
> Thanks,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

restorecon -R -v ~/

Also did you edit some files in the /usr/share/setroubleshoot/plugins directory?
pychecker /usr/share/setroubleshoot/plugins/*.py

Should fix

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk/708ACgkQrlYvE4MpobPPJACeKiH91oxxXywvIiHKvad0qSnM
U0kAoNpMW3+vCD8lInhtdvAwtgn+nuk5
=/cQM
-----END PGP SIGNATURE-----

From olivares14031 at yahoo.com Wed Dec 10 18:17:20 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 10 Dec 2008 10:17:20 -0800 (PST)
Subject: denied avc's on rawhide
In-Reply-To: <493FEF4F.5070505@redhat.com>
Message-ID: <806301.39310.qm@web52606.mail.re2.yahoo.com>

--- On Wed, 12/10/08, Daniel J Walsh wrote:
> From: Daniel J Walsh
> Subject: Re: denied avc's on rawhide
> To: olivares14031 at yahoo.com
> Cc: fedora-test-list at redhat.com, fedora-selinux-list at redhat.com
> Date: Wednesday, December 10, 2008, 8:33 AM
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Antonio Olivares wrote:
> >> If you update to
> selinux-policy-3.6.1-8.fc11.noarch
> >> These should be fixed.
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.9 (GNU/Linux)
> >> Comment: Using GnuPG with Fedora -
> >> http://enigmail.mozdev.org
> >>
> >>
> iEYEARECAAYFAkk+2DIACgkQrlYvE4MpobN1TwCdF5LmqDAhnTEkvYVDYeahBzAW
> >> ddsAoLmrjp/0XyRA/5kiNLPqDxJ0xega
> >> =euz2
> >> -----END PGP SIGNATURE-----
> >
> > Yes, they are :), thank you very much. Now selinux is
> denying the setroubleshoot daemon from kicking in :(,
> selinux denying itself in some ways. I got new avcs:
> >
> > [olivares at riohigh ~]$ dmesg | grep 'avc'
> > type=1400 audit(1228868792.540:4): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> > type=1400 audit(1228868792.546:5): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> > type=1400 audit(1228868792.569:6): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> > type=1400 audit(1228868792.574:7): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> > type=1400 audit(1228868792.582:8): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> > type=1400 audit(1228868792.600:9): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
>
> > type=1400 audit(1228868792.617:10): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868792.647:11): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868792.653:12): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868792.665:13): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868798.247:59): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868798.259:60): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868798.269:61): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868798.277:62): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868798.283:63): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868798.296:64): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5 ino=142832
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> > type=1400 audit(1228868798.304:65): avc: denied {
> write } for pid=2038 comm="setroubleshootd"
> name="plugins" dev=sda5
ino=142832 > scontext=system_u:system_r:setroubleshootd_t:s0 > tcontext=system_u:object_r:usr_t:s0 tclass=dir > > type=1400 audit(1228868798.309:66): avc: denied { > write } for pid=2038 comm="setroubleshootd" > name="plugins" dev=sda5 ino=142832 > scontext=system_u:system_r:setroubleshootd_t:s0 > tcontext=system_u:object_r:usr_t:s0 tclass=dir > > type=1400 audit(1228868798.322:67): avc: denied { > write } for pid=2038 comm="setroubleshootd" > name="plugins" dev=sda5 ino=142832 > scontext=system_u:system_r:setroubleshootd_t:s0 > tcontext=system_u:object_r:usr_t:s0 tclass=dir > > type=1400 audit(1228868798.354:68): avc: denied { > write } for pid=2038 comm="setroubleshootd" > name="plugins" dev=sda5 ino=142832 > scontext=system_u:system_r:setroubleshootd_t:s0 > tcontext=system_u:object_r:usr_t:s0 tclass=dir > > type=1400 audit(1228868811.296:89): avc: denied { > read } for pid=2492 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=23265 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > > type=1400 audit(1228868811.414:90): avc: denied { > read } for pid=2492 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=23265 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > > type=1400 audit(1228868818.290:91): avc: denied { > read } for pid=2502 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=18585 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > > type=1400 audit(1228868818.597:92): avc: denied { > read } for pid=2502 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=18585 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > > type=1400 audit(1228868932.171:93): avc: denied { > read } for pid=2502 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=18585 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > 
tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > > type=1400 audit(1228868932.997:94): avc: denied { > read write } for pid=2537 comm="gdm-session-wor" > name=".xsession-errors" dev=sda5 ino=298 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > > > type=1400 audit(1228868932.997:95): avc: denied { > read append } for pid=2537 comm="gdm-session-wor" > name=".xsession-errors" dev=sda5 ino=298 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > > > type=1400 audit(1228868978.329:96): avc: denied { > read } for pid=3281 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=18585 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > > type=1400 audit(1228868978.569:97): avc: denied { > read } for pid=3281 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=18585 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > > type=1400 audit(1228868986.153:98): avc: denied { > read } for pid=3281 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=18585 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > type=1400 audit(1228868986.899:99): avc: denied { > read write } for pid=3315 comm="gdm-session-wor" > name=".xsession-errors" dev=sda5 ino=298 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > type=1400 audit(1228868986.899:100): avc: denied { > read append } for pid=3315 comm="gdm-session-wor" > name=".xsession-errors" dev=sda5 ino=298 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > type=1400 audit(1228868986.901:101): avc: denied { > read } for pid=3315 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=18585 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > 
tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > type=1400 audit(1228868986.906:102): avc: denied { > unlink } for pid=3315 comm="gdm-session-wor" > name=".dmrc" dev=sda5 ino=18585 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:xauth_home_t:s0 tclass=file > > [olivares at riohigh ~]$ rpm -qa selinux-policy > > selinux-policy-3.6.1-8.fc11.noarch > > > > > > Thanks, > > > > Antonio > > > > > > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > restorecon -R -v ~/ > I'll try that. Thanks :) > Also did you edit some files in > /usr/share/setroubleshoot/plugins directory? No, I have not messed with anything manually. > > pychecker /usr/share/setroubleshoot/plugins/*.py > > Should fix > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Fedora - > http://enigmail.mozdev.org > > iEYEARECAAYFAkk/708ACgkQrlYvE4MpobPPJACeKiH91oxxXywvIiHKvad0qSnM > U0kAoNpMW3+vCD8lInhtdvAwtgn+nuk5 > =/cQM > -----END PGP SIGNATURE----- Will report back. Thank you for advising. Regards, Antonio From olivares14031 at yahoo.com Thu Dec 11 01:06:17 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Wed, 10 Dec 2008 17:06:17 -0800 (PST) Subject: iptables denied by selinux Message-ID: <978559.74701.qm@web52603.mail.re2.yahoo.com> Dear all, I have still yet to make the dhcpd server work because of selinux. I have been patient, but I am getting frustrated :( [olivares at localhost ~]$ dmesg | grep avc type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file [olivares at localhost ~]$ I have already ran touch /.autorelabel; reboot and all of the other denials have been cleared but this one. 
I am not yet taking selinux off or getting that desparate, because when I booted in enforcing=0 mode for other troubles, the dhcpd server still did not work, but the iptables message was still there :( Please advice me, I do not want to throw the towel yet! Regards, Antonio From paul at city-fan.org Thu Dec 11 09:38:09 2008 From: paul at city-fan.org (Paul Howarth) Date: Thu, 11 Dec 2008 09:38:09 +0000 Subject: iptables denied by selinux In-Reply-To: <978559.74701.qm@web52603.mail.re2.yahoo.com> References: <978559.74701.qm@web52603.mail.re2.yahoo.com> Message-ID: <4940DF81.6010608@city-fan.org> Antonio Olivares wrote: > Dear all, > > I have still yet to make the dhcpd server work because of selinux. I have been patient, but I am getting frustrated :( > > [olivares at localhost ~]$ dmesg | grep avc > type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file > [olivares at localhost ~]$ > > > I have already ran touch /.autorelabel; reboot > and all of the other denials have been cleared but this one. I am not yet taking selinux off or getting that desparate, because when I booted in enforcing=0 mode for other troubles, the dhcpd server still did not work, but the iptables message was still there :( > > Please advice me, I do not want to throw the towel yet! Why do you think the DHCP server problem is SELinux related? The AVC here appears to be from starting the ip6tables service, and you say that the DCHP server still doesn't work in permissive mode... What, if any, messages do you see in /var/log/messages from dhcpd? Paul. 
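Paul's reading of that AVC (the denied domain is iptables_t, the process is ip6tables-restore, dhcpd is not involved) is exactly what a small triage script makes obvious. The following is an added example, not code from this thread or from Fedora: it parses denial records in the dmesg form and the auditd form seen on this list, plus the type=1401 invalid-context form, and groups them by process and source/target type; the function names are my own and the sample records are copied from messages in this thread.

```python
"""Triage SELinux AVC records the way one reads them by hand.

Added example for this thread; not code from the mailing list or from
Fedora.  The sample records below are copied from messages in the thread.
"""
import re
from collections import Counter

# key=value pairs in the tail of a record; values may be quoted or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# dmesg form:  type=1400 audit(...): avc: denied { read write } for ...
# auditd form: type=AVC msg=audit(...): avc: denied { name_connect } for ...
PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')
# type=1401 security_compute_sid: invalid context <ctx> for scontext=...
INVALID_RE = re.compile(r'security_compute_sid:\s+invalid context\s+(\S+)\s+for\s+')


def parse_avc(line):
    """Return a dict for one denial or invalid-context record, else None."""
    m = PERM_RE.search(line)
    inv = INVALID_RE.search(line)
    if m:
        rec = {"kind": "denied", "perms": tuple(m.group(1).split())}
        tail = line[m.end():]
    elif inv:
        # the kernel refused to build the new context; in this thread the
        # cause is a role that is not authorised for the transition target type
        rec = {"kind": "invalid_context", "invalid": inv.group(1)}
        tail = line[inv.end():]
    else:
        return None
    for key, val in KV_RE.findall(tail):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Type component of user:role:type[:range]; '?' if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else "?"


def triage(lines):
    """Count records by (kind, comm, source type, target type, class, detail).

    A retrying daemon logs the same denial over and over (setroubleshootd
    above produced twenty identical ones); one key with a count is what a
    reader wants, and the source type is what decides which domain is at fault.
    """
    summary = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        detail = (" ".join(rec["perms"]) if rec["kind"] == "denied"
                  else type_of(rec["invalid"]))
        key = (rec["kind"], rec.get("comm"), type_of(rec.get("scontext", "")),
               type_of(rec.get("tcontext", "")), rec.get("tclass"), detail)
        summary[key] += 1
    return summary


def denied_types(lines):
    """Source types that were actually denied something."""
    return {key[2] for key in triage(lines) if key[0] == "denied"}


# Constructed input: records quoted in this thread plus one dhcpd line that
# is not an AVC at all (dhcpd_t never appears, which is Paul's point).
SAMPLE = [
    'type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file',
    'type=1400 audit(1228868792.540:4): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir',
    'type=1400 audit(1228868792.546:5): avc: denied { write } for pid=2038 comm="setroubleshootd" name="plugins" dev=sda5 ino=142832 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir',
    'type=1400 audit(1228868932.997:94): avc: denied { read write } for pid=2537 comm="gdm-session-wor" name=".xsession-errors" dev=sda5 ino=298 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file',
    'type=AVC msg=audit(1228473129.823:148293): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
    'type=1401 audit(1229001124.306:10): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process',
    'Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1',
]


if __name__ == "__main__":
    for key, count in sorted(triage(SAMPLE).items(), key=lambda kv: -kv[1]):
        kind, comm, src, tgt, cls, detail = key
        print(f"{count:3d} {kind:15s} {comm or '-':16s} {src} -> {tgt} [{cls}] {detail}")
    print("denied source types:", ", ".join(sorted(denied_types(SAMPLE))))
```

Feed it `dmesg | grep avc` or `ausearch -m avc` output line by line; the summary shows which confined domain was refused what, which is the first question to answer before blaming SELinux for an unrelated service.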
From olivares14031 at yahoo.com Thu Dec 11 13:08:32 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 11 Dec 2008 05:08:32 -0800 (PST)
Subject: iptables denied by selinux
In-Reply-To: <4940DF81.6010608@city-fan.org>
Message-ID: <366881.76824.qm@web52611.mail.re2.yahoo.com>

--- On Thu, 12/11/08, Paul Howarth wrote:

> From: Paul Howarth
> Subject: Re: iptables denied by selinux
> To: olivares14031 at yahoo.com, "Fedora SELinux support list"
> Date: Thursday, December 11, 2008, 1:38 AM
> Antonio Olivares wrote:
> > Dear all,
> >
> > I have still yet to make the dhcpd server work because of selinux. I have been patient, but I am getting frustrated :(
> >
> > [olivares at localhost ~]$ dmesg | grep avc
> > type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> > [olivares at localhost ~]$
> >
> > I have already run touch /.autorelabel; reboot and all of the other denials have been cleared but this one. I am not yet taking selinux off or getting that desperate, because when I booted in enforcing=0 mode for other troubles, the dhcpd server still did not work, but the iptables message was still there :(
> >
> > Please advise me, I do not want to throw in the towel yet!
>
> Why do you think the DHCP server problem is SELinux related? The AVC here appears to be from starting the ip6tables service, and you say that the DHCP server still doesn't work in permissive mode...
>
> What, if any, messages do you see in /var/log/messages from dhcpd?
>
> Paul.

Well I overlooked the 6 in ip6tables-resto and blamed it on selinux. Mr. Walsh added it to the policy to fix the other selinux error, but the machines on the DHCP server get IPs, DNS and all and cannot surf so I easily blamed it on selinux. Sorry for that. What else could be interfering here?

Here's output of tail -f /var/log/messages:

Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file.
Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:53 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:53 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:57 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:57 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:09 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:09 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:13 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:13 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:21 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:21 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:25 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:25 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1

Sorry but I overlooked the 6 in the selinux denied avc. Does it make a difference with the server?

Thanks,

Antonio

From olivares14031 at yahoo.com Thu Dec 11 13:15:17 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 11 Dec 2008 05:15:17 -0800 (PST)
Subject: new avc's on rawhide
Message-ID: <161037.48412.qm@web52610.mail.re2.yahoo.com>

Dear all,

Selinux is denying some unknown things which I have no idea here:

type=1401 audit(1229001124.306:10): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
type=1401 audit(1229001126.375:11): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
type=1401 audit(1229001143.573:12): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
type=1401 audit(1228999637.368:5): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
type=1401 audit(1228999646.221:6): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
npviewer.bin[9213] general protection ip:1132f8c sp:bf86f140 error:0 in libflashplayer.so[dc7000+951000]

Thanks,

Antonio

From mailinglists at lonecoder.net Thu Dec 11 13:27:08 2008
From: mailinglists at lonecoder.net (Tarek W.)
Date: Thu, 11 Dec 2008 13:27:08 +0000
Subject: iptables denied by selinux
In-Reply-To: <9103ca1c0812110525n1af706d7qa3b48dc26ae5efac@mail.gmail.com>
References: <4940DF81.6010608@city-fan.org> <366881.76824.qm@web52611.mail.re2.yahoo.com> <9103ca1c0812110525n1af706d7qa3b48dc26ae5efac@mail.gmail.com>
Message-ID: <9103ca1c0812110527n59f4e055s76833be6a7420a34@mail.gmail.com>

iptables isn't low enough in the networking stack to block dhcpd. Only ebtables can look that low and I don't think it's standard in Fedora.

T

On Thu, Dec 11, 2008 at 1:25 PM, Tarek W. wrote:
> iptables isn't low enough in the networking stack to block dhcpd. Only ebtables can look that low and I don't think it's standard in Fedora.
>
> T
>
> On Thu, Dec 11, 2008 at 1:08 PM, Antonio Olivares wrote:
>> --- On Thu, 12/11/08, Paul Howarth wrote:
>>
>> > From: Paul Howarth
>> > Subject: Re: iptables denied by selinux
>> > To: olivares14031 at yahoo.com, "Fedora SELinux support list" <fedora-selinux-list at redhat.com>
>> > Date: Thursday, December 11, 2008, 1:38 AM
>> > Antonio Olivares wrote:
>> > > Dear all,
>> > >
>> > > I have still yet to make the dhcpd server work because of selinux. I have been patient, but I am getting frustrated :(
>> > >
>> > > [olivares at localhost ~]$ dmesg | grep avc
>> > > type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>> > > [olivares at localhost ~]$
>> > >
>> > > I have already run touch /.autorelabel; reboot and all of the other denials have been cleared but this one. I am not yet taking selinux off or getting that desperate, because when I booted in enforcing=0 mode for other troubles, the dhcpd server still did not work, but the iptables message was still there :(
>> > >
>> > > Please advise me, I do not want to throw in the towel yet!
>> >
>> > Why do you think the DHCP server problem is SELinux related? The AVC here appears to be from starting the ip6tables service, and you say that the DHCP server still doesn't work in permissive mode...
>> >
>> > What, if any, messages do you see in /var/log/messages from dhcpd?
>> >
>> > Paul.
>>
>> Well I overlooked the 6 in ip6tables-resto and blamed it on selinux. Mr. Walsh added it to the policy to fix the other selinux error, but the machines on the DHCP server get IPs, DNS and all and cannot surf so I easily blamed it on selinux. Sorry for that. What else could be interfering here?
>>
>> Here's output of tail -f /var/log/messages:
>>
>> Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
>> Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
>> Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file.
>> Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
>> Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
>> Dec 11 07:02:34 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:02:34 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:02:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:02:37 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:02:53 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:02:53 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:02:57 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:02:57 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:04:09 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:04:09 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:04:13 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:04:13 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:04:21 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:04:21 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
>> Dec 11 07:04:25 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
>> Dec 11 07:04:25 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
>>
>> Sorry but I overlooked the 6 in the selinux denied avc. Does it make a difference with the server?
>>
>> Thanks,
>>
>> Antonio

From dwalsh at redhat.com Thu Dec 11 14:36:56 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 11 Dec 2008 09:36:56 -0500
Subject: new avc's on rawhide
In-Reply-To: <161037.48412.qm@web52610.mail.re2.yahoo.com>
References: <161037.48412.qm@web52610.mail.re2.yahoo.com>
Message-ID: <49412588.5030802@redhat.com>

Antonio Olivares wrote:
> Dear all,
>
> Selinux is denying some unknown things which I have no idea here:
>
> type=1401 audit(1229001124.306:10): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
> type=1401 audit(1229001126.375:11): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
> type=1401 audit(1229001143.573:12): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
> type=1401 audit(1228999637.368:5): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
> type=1401 audit(1228999646.221:6): security_compute_sid: invalid context unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=process
> npviewer.bin[9213] general protection ip:1132f8c sp:bf86f140 error:0 in libflashplayer.so[dc7000+951000]
>
> Thanks,
>
> Antonio

Fixed in selinux-policy-3.6.1-10.fc11

If you want to fix it for now, you need to add the rule

gen_require(`
	type unconfined_java_t;
	role unconfined_r;
')

role unconfined_r types unconfined_java_t;

From bruno at wolff.to Thu Dec 11 16:33:07 2008
From: bruno at wolff.to (Bruno Wolff III)
Date: Thu, 11 Dec 2008 10:33:07 -0600
Subject: iptables denied by selinux
In-Reply-To: <9103ca1c0812110527n59f4e055s76833be6a7420a34@mail.gmail.com>
References: <4940DF81.6010608@city-fan.org> <366881.76824.qm@web52611.mail.re2.yahoo.com> <9103ca1c0812110525n1af706d7qa3b48dc26ae5efac@mail.gmail.com> <9103ca1c0812110527n59f4e055s76833be6a7420a34@mail.gmail.com>
Message-ID: <20081211163307.GA5429@wolff.to>

On Thu, Dec 11, 2008 at 13:27:08 +0000, "Tarek W." wrote:
> iptables isn't low enough in the networking stack to block dhcpd.
> Only ebtables can look that low and I don't think it's standard in Fedora.

Fedora has ebtables in its repository. So it's standard in that sense.

From mailinglists at lonecoder.net Thu Dec 11 16:49:05 2008
From: mailinglists at lonecoder.net (Tarek W.)
Date: Thu, 11 Dec 2008 16:49:05 +0000
Subject: iptables denied by selinux
In-Reply-To: <20081211163307.GA5429@wolff.to>
References: <4940DF81.6010608@city-fan.org> <366881.76824.qm@web52611.mail.re2.yahoo.com> <9103ca1c0812110525n1af706d7qa3b48dc26ae5efac@mail.gmail.com> <9103ca1c0812110527n59f4e055s76833be6a7420a34@mail.gmail.com> <20081211163307.GA5429@wolff.to>
Message-ID: <9103ca1c0812110849u33f57321ja811600beb5cc91d@mail.gmail.com>

Ah, OK. Sorry, my info is a bit dated on that front. Does Fedora still ship ebtables compiled into the kernel but no userspace binaries?

T

On Thu, Dec 11, 2008 at 4:33 PM, Bruno Wolff III wrote:
> On Thu, Dec 11, 2008 at 13:27:08 +0000, "Tarek W." wrote:
> > iptables isn't low enough in the networking stack to block dhcpd. Only ebtables can look that low and I don't think it's standard in Fedora.
>
> Fedora has ebtables in its repository. So it's standard in that sense.

From bruno at wolff.to Thu Dec 11 16:52:51 2008
From: bruno at wolff.to (Bruno Wolff III)
Date: Thu, 11 Dec 2008 10:52:51 -0600
Subject: iptables denied by selinux
In-Reply-To: <9103ca1c0812110849u33f57321ja811600beb5cc91d@mail.gmail.com>
References: <4940DF81.6010608@city-fan.org> <366881.76824.qm@web52611.mail.re2.yahoo.com> <9103ca1c0812110525n1af706d7qa3b48dc26ae5efac@mail.gmail.com> <9103ca1c0812110527n59f4e055s76833be6a7420a34@mail.gmail.com> <20081211163307.GA5429@wolff.to> <9103ca1c0812110849u33f57321ja811600beb5cc91d@mail.gmail.com>
Message-ID: <20081211165251.GB7231@wolff.to>

On Thu, Dec 11, 2008 at 16:49:05 +0000, "Tarek W." wrote:
> Ah, OK. Sorry, my info is a bit dated on that front. Does Fedora still ship ebtables compiled into the kernel but no userspace binaries?

ebtables is there, see the following rpm output:

[root at cerberus bruno]# rpm -ql ebtables
/etc/ethertypes
/etc/rc.d/init.d/ebtables
/etc/sysconfig/ebtables-config
/etc/sysconfig/ebtables.broute
/etc/sysconfig/ebtables.filter
/etc/sysconfig/ebtables.nat
/sbin/ebtables
/sbin/ebtables-restore
/sbin/ebtables-save
/usr/lib64/ebtables
/usr/lib64/ebtables/libebt_802_3.so
/usr/lib64/ebtables/libebt_among.so
/usr/lib64/ebtables/libebt_arp.so
/usr/lib64/ebtables/libebt_arpreply.so
/usr/lib64/ebtables/libebt_ip.so
/usr/lib64/ebtables/libebt_limit.so
/usr/lib64/ebtables/libebt_log.so
/usr/lib64/ebtables/libebt_mark.so
/usr/lib64/ebtables/libebt_mark_m.so
/usr/lib64/ebtables/libebt_nat.so
/usr/lib64/ebtables/libebt_pkttype.so
/usr/lib64/ebtables/libebt_redirect.so
/usr/lib64/ebtables/libebt_standard.so
/usr/lib64/ebtables/libebt_stp.so
/usr/lib64/ebtables/libebt_ulog.so
/usr/lib64/ebtables/libebt_vlan.so
/usr/lib64/ebtables/libebtable_broute.so
/usr/lib64/ebtables/libebtable_filter.so
/usr/lib64/ebtables/libebtable_nat.so
/usr/lib64/ebtables/libebtc.so
/usr/share/doc/ebtables-2.0.8
/usr/share/doc/ebtables-2.0.8/COPYING
/usr/share/doc/ebtables-2.0.8/ChangeLog
/usr/share/doc/ebtables-2.0.8/THANKS
/usr/share/man/man8/ebtables.8.gz

From ekuns at kilroy.chi.il.us Thu Dec 11 17:23:22 2008
From: ekuns at kilroy.chi.il.us (Edward Kuns)
Date: Thu, 11 Dec 2008 11:23:22 -0600
Subject: I believe that selinux saved me from a certain attack
Message-ID: <1229016202.3979.60.camel@kilroy.chi.il.us>

Almost a week ago, some AVCs brought to my attention by setroubleshoot made me look into system logs. There were three complaints of:

SELinux is preventing the sh from using potentially mislabeled files (./x).
Source Context: system_u:system_r:httpd_t:s0
Target Context: system_u:object_r:httpd_tmp_t:s0
Target Objects: ./x [ file ]
First Seen: Fri 05 Dec 2008 04:32:12 AM CST
Last Seen: Fri 05 Dec 2008 04:32:12 AM CST

and twenty complaints of:

SELinux is preventing the http daemon from connecting to the itself or the relay ports
Source Context: system_u:system_r:httpd_t:s0
Target Context: system_u:object_r:http_cache_port_t:s0
Target Objects: None [ tcp_socket ]
Source: wget
Source Path: /usr/bin/wget
Port: 8080
First Seen: Fri 05 Dec 2008 04:32:09 AM CST
Last Seen: Fri 05 Dec 2008 04:34:34 AM CST

This led me to look in my http access logs, where I found:

74.247.251.227 - - [05/Dec/2008:04:32:11 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1348 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:08 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1426 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Looking in the http error log, I see prodigious complaints at the same time, but also for my later wordtrans use (so I had something to compare against). It looks like wordtrans-web tries to create a .kde directory, among other things. The only significant difference between the error logs of my access and the attack is that during the attack I see one instance of

sh: /var/tmp/x: Permission denied
sh: line 0: exec: /var/tmp/x: cannot execute: Permission denied

among the rest of the errors generated by wordtrans. (I didn't see a /var/tmp/x, but I didn't look until somewhat later.) I did my own wordtrans access and there was not just the POST but a bunch of GETs before that to load the web page.

This difference made it clear that wordtrans was the attack vector so I googled for "http attack wordtrans" and found that the version of wordtrans I have installed is successfully attackable:

http://www.juniper.net/security/auto/vulnerabilities/vuln30027.html

If not for selinux, this attack certainly would have been successful and unnoticed. While selinux stopped this attack, I still did an "rpm -e wordtrans-web" as it was only installed as a cool toy, not anything I need.

The full AVCs are listed below, from the attack, in case this is of interest. I thought I would share this in case it was useful or interesting. Thank you for your work on improved security!

Eddie

type=AVC msg=audit(1228473129.823:148293): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473129.823:148293): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473130.824:148294): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473130.824:148294): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473132.155:148295): avc: denied { execute } for pid=31642 comm="sh" name="x" dev=dm-2 ino=32828 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1228473132.155:148295): arch=40000003 syscall=11 success=no exit=-13 a0=853a2a0 a1=853a280 a2=8538b10 a3=853a280 items=0 ppid=31641 pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473132.155:148296): avc: denied { execute } for pid=31642 comm="sh" name="x" dev=dm-2 ino=32828 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1228473132.155:148296): arch=40000003 syscall=33 success=no exit=-13 a0=853a2a0 a1=1 a2=11 a3=853a2a0 items=0 ppid=31641 pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473132.155:148297): avc: denied { execute } for pid=31642 comm="sh" name="x" dev=dm-2 ino=32828 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1228473132.155:148297): arch=40000003 syscall=33 success=no exit=-13 a0=853a2a0 a1=1 a2=11 a3=853a2a0 items=0 ppid=31641 pid=31642 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473132.824:148298): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473132.824:148298): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473135.824:148299): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473135.824:148299): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473139.824:148300): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473139.824:148300): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473144.825:148301): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473144.825:148301): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473150.825:148302): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473150.825:148302): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473157.825:148303): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473157.825:148303): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473165.825:148304): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473165.825:148304): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473174.825:148305): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1228473174.825:148305): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228473184.825:148306): avc: denied { name_connect } for pid=31619
comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473184.825:148306): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473194.825:148307): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473194.825:148307): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473204.826:148308): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473204.826:148308): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473214.826:148309): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473214.826:148309): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473221.544:148310): avc: denied { read write } for pid=31674 comm="mailman" path="socket:[69554624]" dev=sockfs ino=69554624 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1228473221.544:148310): arch=40000003 syscall=11 success=yes exit=0 a0=8715e78 a1=8715f48 a2=87154f8 a3=40 items=0 ppid=31673 pid=31674 auid=4294967295 uid=8 gid=12 euid=8 suid=8 fsuid=8 egid=41 sgid=41 fsgid=41 tty=(none) ses=4294967295 comm="mailman" exe="/usr/lib/mailman/mail/mailman" subj=system_u:system_r:mailman_mail_t:s0 key=(null) type=AVC msg=audit(1228473224.826:148311): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473224.826:148311): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473234.826:148312): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473234.826:148312): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473244.826:148313): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473244.826:148313): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473254.826:148314): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473254.826:148314): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473264.826:148315): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473264.826:148315): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1228473274.826:148316): avc: denied { name_connect } for pid=31619 comm="wget" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1228473274.826:148316): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf93be20 a2=bf93bed0 a3=8081fa0 items=0 ppid=31618 pid=31619 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" subj=system_u:system_r:httpd_t:s0 key=(null) From mike.clarkson at baesystems.com Thu Dec 11 17:57:55 2008 From: mike.clarkson at baesystems.com (Clarkson, Mike R (US SSA)) Date: Thu, 11 Dec 2008 09:57:55 -0800 Subject: using selinux to allow only certain hosts or networks Message-ID: <7b4e7t$as2as@dmzms99902.na.baesystems.com> I've never done it but I think you can accomplish what you want by setting up netfilter rules using iptables to label the incoming packets from the specific hosts/networks that you wish to allow. Since ip addresses can be spoofed, it won't be very secure unless you use ipsec. Josh Brindle wrote a good article on secure networking with SELinux: http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinu x/ > -----Original Message----- > From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list- > bounces at redhat.com] On Behalf Of Doug Sikora > Sent: Tuesday, December 09, 2008 6:16 AM > To: fedora-selinux-list at redhat.com > Subject: using selinux to allow only certain hosts or networks > > The below rules came from audit2allow, > > allow test_t inaddr_any_node_t:tcp_socket node_bind; > allow test_t inaddr_any_node_t:udp_socket node_bind; > > Instead of allowing "any_node" I would like to limit this to specific > hosts and or networks. > > Does anyone know the syntax for this? > > Thanks > Doug > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From mailinglists at lonecoder.net Thu Dec 11 18:21:34 2008 From: mailinglists at lonecoder.net (Tarek W.) 
Date: Thu, 11 Dec 2008 18:21:34 +0000
Subject: iptables denied by selinux
In-Reply-To: <20081211165251.GB7231@wolff.to>
References: <4940DF81.6010608@city-fan.org> <366881.76824.qm@web52611.mail.re2.yahoo.com> <9103ca1c0812110525n1af706d7qa3b48dc26ae5efac@mail.gmail.com> <9103ca1c0812110527n59f4e055s76833be6a7420a34@mail.gmail.com> <20081211163307.GA5429@wolff.to> <9103ca1c0812110849u33f57321ja811600beb5cc91d@mail.gmail.com> <20081211165251.GB7231@wolff.to>
Message-ID: <9103ca1c0812111021s35b46d19t728e8d9518ab9ca5@mail.gmail.com>

Very nice. Thanks for that. I don't have access to a Linux atm, thanks again.

T

On Thu, Dec 11, 2008 at 4:52 PM, Bruno Wolff III wrote:
> On Thu, Dec 11, 2008 at 16:49:05 +0000,
>   "Tarek W." wrote:
> > Ah, OK. Sorry, my info is a bit dated on that front. Does Fedora still ship
> > ebtables compiled into the kernel but no userspace binaries?
>
> ebtables is there, see the following rpm output:
>
> [root at cerberus bruno]# rpm -ql ebtables
> /etc/ethertypes
> /etc/rc.d/init.d/ebtables
> /etc/sysconfig/ebtables-config
> /etc/sysconfig/ebtables.broute
> /etc/sysconfig/ebtables.filter
> /etc/sysconfig/ebtables.nat
> /sbin/ebtables
> /sbin/ebtables-restore
> /sbin/ebtables-save
> /usr/lib64/ebtables
> /usr/lib64/ebtables/libebt_802_3.so
> /usr/lib64/ebtables/libebt_among.so
> /usr/lib64/ebtables/libebt_arp.so
> /usr/lib64/ebtables/libebt_arpreply.so
> /usr/lib64/ebtables/libebt_ip.so
> /usr/lib64/ebtables/libebt_limit.so
> /usr/lib64/ebtables/libebt_log.so
> /usr/lib64/ebtables/libebt_mark.so
> /usr/lib64/ebtables/libebt_mark_m.so
> /usr/lib64/ebtables/libebt_nat.so
> /usr/lib64/ebtables/libebt_pkttype.so
> /usr/lib64/ebtables/libebt_redirect.so
> /usr/lib64/ebtables/libebt_standard.so
> /usr/lib64/ebtables/libebt_stp.so
> /usr/lib64/ebtables/libebt_ulog.so
> /usr/lib64/ebtables/libebt_vlan.so
> /usr/lib64/ebtables/libebtable_broute.so
> /usr/lib64/ebtables/libebtable_filter.so
> /usr/lib64/ebtables/libebtable_nat.so
> /usr/lib64/ebtables/libebtc.so
> /usr/share/doc/ebtables-2.0.8
> /usr/share/doc/ebtables-2.0.8/COPYING
> /usr/share/doc/ebtables-2.0.8/ChangeLog
> /usr/share/doc/ebtables-2.0.8/THANKS
> /usr/share/man/man8/ebtables.8.gz

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dsikora at redhat.com Thu Dec 11 19:27:44 2008
From: dsikora at redhat.com (Doug Sikora)
Date: Thu, 11 Dec 2008 14:27:44 -0500 (EST)
Subject: I believe that selinux saved me from a certain attack
In-Reply-To: <1229016202.3979.60.camel@kilroy.chi.il.us>
Message-ID: <1646832514.836491229023664966.JavaMail.root@zmail03.collab.prod.int.phx2.redhat.com>

Thanks for sharing this, it is helpful!

Doug

----- Original Message -----
From: "Edward Kuns"
To: fedora-selinux-list at redhat.com
Sent: Thursday, December 11, 2008 12:23:22 PM GMT -05:00 US/Canada Eastern
Subject: I believe that selinux saved me from a certain attack

Almost a week ago, some AVCs brought to my attention by setroubleshoot made me look into system logs. There were three complaints of:

SELinux is preventing the sh from using potentially mislabeled files (./x).
Source Context: system_u:system_r:httpd_t:s0
Target Context: system_u:object_r:httpd_tmp_t:s0
Target Objects: ./x [ file ]
First Seen: Fri 05 Dec 2008 04:32:12 AM CST
Last Seen: Fri 05 Dec 2008 04:32:12 AM CST

and twenty complaints of:

SELinux is preventing the http daemon from connecting to the itself or the relay ports
Source Context: system_u:system_r:httpd_t:s0
Target Context: system_u:object_r:http_cache_port_t:s0
Target Objects: None [ tcp_socket ]
Source: wget
Source Path: /usr/bin/wget
Port: 8080
First Seen: Fri 05 Dec 2008 04:32:09 AM CST
Last Seen: Fri 05 Dec 2008 04:34:34 AM CST

This led me to look in my http access logs, where I found:

74.247.251.227 - - [05/Dec/2008:04:32:11 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1348 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1338 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:12 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
74.247.251.227 - - [05/Dec/2008:04:32:08 -0600] "POST /wordtrans/wordtrans.php HTTP/1.1" 200 1426 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Looking in the http error log, I see prodigious complaints at the same time, but also for my later wordtrans use (so I had something to compare against). It looks like wordtrans-web tries to create a .kde directory, among other things. The only significant difference between the error logs of my access and the attack is that during the attack I see one instance of

sh: /var/tmp/x: Permission denied
sh: line 0: exec: /var/tmp/x: cannot execute: Permission denied

among the rest of the errors generated by wordtrans. (I didn't see a /var/tmp/x, but I didn't look until somewhat later.) I did my own wordtrans access and there was not just the POST but a bunch of GETs before that to load the web page.
This difference made it clear that wordtrans was the attack vector, so I googled for "http attack wordtrans" and found that the version of wordtrans I have installed is successfully attackable:

http://www.juniper.net/security/auto/vulnerabilities/vuln30027.html

If not for selinux, this attack certainly would have been successful and unnoticed. While selinux stopped this attack, I still did an "rpm -e wordtrans-web" as it was only installed as a cool toy, not anything I need.

The full AVCs are listed below, from the attack, in case this is of interest. I thought I would share this in case it was useful or interesting. Thank you for your work on improved security!

Eddie

[...]

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From sds at tycho.nsa.gov Thu Dec 11 19:32:48 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 11 Dec 2008 14:32:48 -0500
Subject: using selinux to allow only certain hosts or networks
In-Reply-To: <1321429836.152671228832132169.JavaMail.root@zmail03.collab.prod.int.phx2.redhat.com>
References: <1321429836.152671228832132169.JavaMail.root@zmail03.collab.prod.int.phx2.redhat.com>
Message-ID: <1229023968.29351.6.camel@localhost.localdomain>

On Tue, 2008-12-09 at 09:15 -0500, Doug Sikora wrote:
> The below rules came from audit2allow,
>
> allow test_t inaddr_any_node_t:tcp_socket node_bind;
> allow test_t inaddr_any_node_t:udp_socket node_bind;
>
> Instead of allowing "any_node" I would like to limit this to specific hosts and or networks.
>
> Does anyone know the syntax for this?

Note that the check above is only dealing with binding to an address, not sending/receiving packets. Is binding what you want to limit to specific addresses? If so, you need to define types for the addresses (via local policy module) and map the addresses to those types (via semanage node).

--
Stephen Smalley
National Security Agency

From dsikora at redhat.com Thu Dec 11 19:44:20 2008
From: dsikora at redhat.com (Doug Sikora)
Date: Thu, 11 Dec 2008 14:44:20 -0500 (EST)
Subject: using selinux to allow only certain hosts or networks
In-Reply-To: <1229023968.29351.6.camel@localhost.localdomain>
Message-ID: <1896322799.841751229024660617.JavaMail.root@zmail03.collab.prod.int.phx2.redhat.com>

Thanks Stephen,

Is there another option for sending/receiving packets? In this situation, I would like both.

I did get this information from Forrest (Thanks again Forrest) concerning the base policy.
Once I reviewed the source code it wasn't too bad to figure out. It makes a good reference. I am adding it to this thread. #########BEGIN To limit this, you have to recompile the base policy package and define a new node name. For instance, the inaddr_any_node_t is defined: type inaddr_any_node_t alias node_inaddr_any_t, node_type; nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t Similarly, you could do the same thing for a new type: type blue_node_t, node_type; nodecon 10.0.5.1 255.255.255.255 system_u:object_r:blue_node_t The problem in implementing this, is that you have to have the exact IP address that will be used in the field. Also, changing the base policy means you have to redo this change every time there is a new policy provided by Red Hat (as an update). ########END Doug ----- Original Message ----- From: "Stephen Smalley" To: "Doug Sikora" Cc: fedora-selinux-list at redhat.com Sent: Thursday, December 11, 2008 2:32:48 PM GMT -05:00 US/Canada Eastern Subject: Re: using selinux to allow only certain hosts or networks On Tue, 2008-12-09 at 09:15 -0500, Doug Sikora wrote: > The below rules came from audit2allow, > > allow test_t inaddr_any_node_t:tcp_socket node_bind; > allow test_t inaddr_any_node_t:udp_socket node_bind; > > Instead of allowing "any_node" I would like to limit this to specific hosts and or networks. > > Does anyone know the syntax for this? Note that the check above is only dealing with binding to an address, not sending/receiving packets. Is binding what you want to limit to specific addresses? If so, you need to define types for the addresses (via local policy module) and map the addresses to those types (via semanage node). 
-- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Thu Dec 11 19:53:50 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 11 Dec 2008 14:53:50 -0500 Subject: using selinux to allow only certain hosts or networks In-Reply-To: <1896322799.841751229024660617.JavaMail.root@zmail03.collab.prod.int.phx2.redhat.com> References: <1896322799.841751229024660617.JavaMail.root@zmail03.collab.prod.int.phx2.redhat.com> Message-ID: <1229025230.29351.10.camel@localhost.localdomain> On Thu, 2008-12-11 at 14:44 -0500, Doug Sikora wrote: > thanks Stephen, > > Is there another option for sending/receiving packets ? Sending/receiving of packets is controlled by other permission checks. There are the secmark-based checks (label packets via iptables, use the :packet send/recv permissions to control), and there are the labeled networking checks (configure netlabel or labeled ipsec and apply their checks). > In this situation , I would like both. > > I did get this information from Forrest (Thanks again Forrest) concerning the base policy. Once I reviewed the source code it wasn't too bad to figure out. It makes a good reference. I am adding it to this thread. If your version of semanage supports the node contexts, then you shouldn't have to rebuild your base policy. > #########BEGIN > > To limit this, you have to recompile the base policy package and define > a new node name. > > For instance, the inaddr_any_node_t is defined: > > type inaddr_any_node_t alias node_inaddr_any_t, node_type; > nodecon 0.0.0.0 255.255.255.255 system_u:object_r:inaddr_any_node_t > > > Similarly, you could do the same thing for a new type: > > type blue_node_t, node_type; > nodecon 10.0.5.1 255.255.255.255 system_u:object_r:blue_node_t > > The problem in implementing this, is that you have to have the exact IP > address that will be used in the field. 
Also, changing the base policy > means you have to redo this change every time there is a new policy > provided by Red Hat (as an update). > > ########END > > > > Doug > > ----- Original Message ----- > From: "Stephen Smalley" > To: "Doug Sikora" > Cc: fedora-selinux-list at redhat.com > Sent: Thursday, December 11, 2008 2:32:48 PM GMT -05:00 US/Canada Eastern > Subject: Re: using selinux to allow only certain hosts or networks > > On Tue, 2008-12-09 at 09:15 -0500, Doug Sikora wrote: > > The below rules came from audit2allow, > > > > allow test_t inaddr_any_node_t:tcp_socket node_bind; > > allow test_t inaddr_any_node_t:udp_socket node_bind; > > > > Instead of allowing "any_node" I would like to limit this to specific hosts and or networks. > > > > Does anyone know the syntax for this? > > Note that the check above is only dealing with binding to an address, > not sending/receiving packets. Is binding what you want to limit to > specific addresses? > > If so, you need to define types for the addresses (via local policy > module) and map the addresses to those types (via semanage node). > -- Stephen Smalley National Security Agency From alex.slesarev at gmail.com Fri Dec 12 06:34:51 2008 From: alex.slesarev at gmail.com (Alexander Slesarev) Date: Fri, 12 Dec 2008 16:34:51 +1000 Subject: suexec with fcgid-script in userdir site Message-ID: <4942060B.704@gmail.com> Hello! I have a site in my userdir working via fcgid-script. But this script is not working - SELinux prevents it. SELinux is preventing suexec (httpd_suexec_t) "getattr" to /home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi (httpd_unconfined_script_exec_t). 
AVC raw messages:

host=elc6002.eellc.ru type=AVC msg=audit(1227234886.189:172): avc: denied { getattr } for pid=9514 comm="suexec" path="/home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi" dev=dm-2 ino=361072 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=unconfined_u:object_r:httpd_unconfined_script_exec_t:s0 tclass=file
host=elc6002.eellc.ru type=SYSCALL msg=audit(1227234886.189:172): arch=40000003 syscall=196 success=no exit=-13 a0=bff4efe1 a1=bff4c8a4 a2=2acff4 a3=bff4efe1 items=0 ppid=9328 pid=9514 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec" exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)

What can I do? I tried different scenarios but nothing helps.

By the way - there is httpd_suexec_disable_trans boolean? I can't set it up.

I'm using Fedora 10 with all latest updates. Thanks in advance.

--
Best regards,
Alexander Slesarev.


From paul at city-fan.org Fri Dec 12 07:38:49 2008
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 12 Dec 2008 07:38:49 +0000
Subject: suexec with fcgid-script in userdir site
In-Reply-To: <4942060B.704@gmail.com>
References: <4942060B.704@gmail.com>
Message-ID: <20081212073849.3dbf6dc2@metropolis.intra.city-fan.org>

On Fri, 12 Dec 2008 16:34:51 +1000
Alexander Slesarev wrote:

> Hello!
>
> I have a site in my userdir working via fcgid-script. But this script
> is not working - SELinux prevents it.
>
> SELinux is preventing suexec (httpd_suexec_t) "getattr" to
> /home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi
> (httpd_unconfined_script_exec_t).
>
> AVC raw messages:
>
> host=elc6002.eellc.ru type=AVC msg=audit(1227234886.189:172): avc:
> denied { getattr } for pid=9514 comm="suexec"
> path="/home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi"
> dev=dm-2 ino=361072 scontext=unconfined_u:system_r:httpd_suexec_t:s0
> tcontext=unconfined_u:object_r:httpd_unconfined_script_exec_t:s0
> tclass=file host=elc6002.eellc.ru type=SYSCALL
> msg=audit(1227234886.189:172): arch=40000003 syscall=196 success=no
> exit=-13 a0=bff4efe1 a1=bff4c8a4 a2=2acff4 a3=bff4efe1 items=0
> ppid=9328 pid=9514 auid=500 uid=500 gid=500 euid=500 suid=500
> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec"
> exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0
> key=(null)
>
> What can I do? I tried different scenarios but nothing helps.
>
> By the way - there is httpd_suexec_disable_trans boolean? I can't set
> it up.
>
> I'm using Fedora 10 with all latest updates. Thanks in advance.

There have been no disable_trans booleans for a long time as they can result in labelling problems when used. However, in Fedora 10 you can make httpd_suexec_t a permissive domain without putting the whole system in permissive mode:

semanage permissive -a httpd_suexec_t

Paul.


From nico at altiva.fr Fri Dec 12 09:53:15 2008
From: nico at altiva.fr (NM)
Date: Fri, 12 Dec 2008 09:53:15 +0000 (UTC)
Subject: Is SELinux blocking all forward-only mail agents? (esmtp/ssmtp)
Message-ID:

I didn't want to have a full-fledged MTA on my machines; I tried both esmtp and ssmtp, and both seem unable to work without tripping on SELinux. It looks like they always inherit the context of the calling program, which doesn't have the rights to, say, connect outside on port 25.

Is there a way?

Summary:

SELinux is preventing sendmail (logwatch_t) "name_connect" smtp_port_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:smtp_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        sendmail
Source Path                   /usr/sbin/ssmtp
Port                          25
Host                          lin1195
Source RPM Packages           ssmtp-2.61-11.7.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     lin1195
Platform                      Linux lin1195 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 12 Dec 2008 04:02:05 AM CET
Last Seen                     Fri 12 Dec 2008 04:02:05 AM CET
Local ID                      631702fa-42b7-444d-b62e-fe50df41bf9f
Line Numbers

Raw Audit Messages

node=lin1195 type=AVC msg=audit(1229050925.485:1082): avc: denied { name_connect } for pid=22689 comm="sendmail" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
node=lin1195 type=SYSCALL msg=audit(1229050925.485:1082): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=ad2d90 a2=10 a3=3b4856da70 items=0 ppid=22433 pid=22689 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=122 comm="sendmail" exe="/usr/sbin/ssmtp" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)


From paul at city-fan.org Fri Dec 12 10:18:52 2008
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 12 Dec 2008 10:18:52 +0000
Subject: Is SELinux blocking all forward-only mail agents? (esmtp/ssmtp)
In-Reply-To:
References:
Message-ID: <49423A8C.5050400@city-fan.org>

NM wrote:
> I didn't want to have a full-fledged MTA on my machines; I tried both
> esmtp and ssmtp, and both seem unable to work without tripping on
> SELinux. It looks like they always inherit the context of the calling
> program, which doesn't have the rights to, say, connect outside on port
> 25.
>
> Is there a way?

Long term, policy for this type of forwarder would need to be written.

Short term, you could try re-using the sendmail policy:

e.g.
# chcon -t sendmail_exec_t /path/to/ssmtp

See if that helps.

Paul.


From nico at altiva.fr Fri Dec 12 10:23:15 2008
From: nico at altiva.fr (NM)
Date: Fri, 12 Dec 2008 10:23:15 +0000 (UTC)
Subject: Is SELinux blocking all forward-only mail agents? (esmtp/ssmtp)
References: <49423A8C.5050400@city-fan.org>
Message-ID:

On Fri, 12 Dec 2008 10:18:52 +0000, Paul Howarth wrote:
> Long term, policy for this type of forwarder would need to be written.
>
> Short term, you could try re-using the sendmail policy:
>
> e.g.
> # chcon -t sendmail_exec_t /path/to/ssmtp
>
> See if that helps.

Thanks, will try.


From btodger at yahoo.com Sat Dec 13 14:45:39 2008
From: btodger at yahoo.com (Bert Todger)
Date: Sat, 13 Dec 2008 06:45:39 -0800 (PST)
Subject: AVC for rpcbind
Message-ID: <334324.84222.qm@web52107.mail.re2.yahoo.com>

Hello all,

Following a yum update to my two F9 machines I now find that the NFS services I have enabled to share files between the machines fail. On closer inspection it seems that rpcbind is now denied on both machines. I have absolutely no idea what rpcbind does, but I do know putting them into permissive mode allows rpcbind and then the NFS services start normally.

What should I do?

Thanks in advance

BT

Summary:

SELinux is preventing rpcbind (rpcbind_t) "setgid" rpcbind_t.
Detailed Description:

SELinux denied access requested by rpcbind. It is not expected that this access is required by rpcbind and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information:

Source Context:               unconfined_u:system_r:rpcbind_t:s0
Target Context:               unconfined_u:system_r:rpcbind_t:s0
Target Objects:               None [ capability ]
Source:                       rpcbind
Source Path:                  /sbin/rpcbind
Port:
Host:                         mydomain.com
Source RPM Packages:          rpcbind-0.1.7-1.fc9
Target RPM Packages:
Policy RPM:                   selinux-policy-3.3.1-111.fc9
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  catchall
Host Name:                    mydomain.com
Platform:                     Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count:                  1
First Seen:                   Fri Dec 12 19:51:54 2008
Last Seen:                    Fri Dec 12 19:51:54 2008
Local ID:                     88e9ae88-4654-4ee6-99a1-34a6dafdcff5
Line Numbers:

Raw Audit Messages :

node=mydomain.com type=AVC msg=audit(1229111514.633:6512): avc: denied { setgid } for pid=20774 comm="rpcbind" capability=6 scontext=unconfined_u:system_r:rpcbind_t:s0 tcontext=unconfined_u:system_r:rpcbind_t:s0 tclass=capability
node=mydomain.com type=SYSCALL msg=audit(1229111514.633:6512): arch=40000003 syscall=214 success=no exit=-1 a0=20 a1=2db9bc a2=2105b0 a3=bf9daeb0 items=0 ppid=20773 pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpcbind" exe="/sbin/rpcbind" subj=unconfined_u:system_r:rpcbind_t:s0 key=(null)


From tibbs at math.uh.edu Sat Dec 13 17:04:31 2008
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 13 Dec 2008 11:04:31 -0600
Subject: AVC for rpcbind
In-Reply-To: <334324.84222.qm@web52107.mail.re2.yahoo.com>
References: <334324.84222.qm@web52107.mail.re2.yahoo.com>
Message-ID:

>>>>> "BT" == Bert Todger writes:

BT> I have absolutely no idea what rpcbind does, but I do know putting
BT> them into permissive mode allows rpcbind and then the NFS services
BT> start normally.

I just updated to the selinux-policy-* packages from updates-testing. Unfortunately the rpcbind update was pushed out before the selinux policy update even though this problem was known.

 - J<


From pemboa at gmail.com Sun Dec 14 07:21:46 2008
From: pemboa at gmail.com (Arthur Pemberton)
Date: Sun, 14 Dec 2008 01:21:46 -0600
Subject: What is the proper way to use an alternate public_html path?
Message-ID: <16de708d0812132321j9b836f8radbb4ef97d6f2303@mail.gmail.com>

I would like to use ~/Public instead of ~/public_html.

What is the proper way to do this such that restorecon respects the change?

--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )


From btodger at yahoo.com Sun Dec 14 11:41:29 2008
From: btodger at yahoo.com (Bert Todger)
Date: Sun, 14 Dec 2008 03:41:29 -0800 (PST)
Subject: AVC for rpcbind
In-Reply-To:
Message-ID: <51840.37406.qm@web52101.mail.re2.yahoo.com>

Ooops - sorry. I forgot to check my mailing preferences and the last reply went direct to Jason. Back on list...

--- On Sat, 12/13/08, Jason L Tibbitts III wrote:

> From: Jason L Tibbitts III
> Subject: Re: AVC for rpcbind
> To: btodger at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Saturday, December 13, 2008, 11:04 AM
>
> >>>>> "BT" == Bert Todger writes:
>
> BT> I have absolutely no idea what rpcbind does, but I do know putting
> BT> them into permissive mode allows rpcbind and then the NFS services
> BT> start normally.
>
> I just updated to the selinux-policy-* packages from updates-testing.
> Unfortunately the rpcbind update was pushed out before the selinux
> policy update even though this problem was known.
>
> - J<

OK - Thanks for that. But what exactly does it mean for me? Should I create a policy? Should I just wait for a fix? (if so what is the likely timescale?) or should I just leave it in Permissive mode for the time-being?

Thanks for your help...

BT


From paul at city-fan.org Sun Dec 14 16:09:12 2008
From: paul at city-fan.org (Paul Howarth)
Date: Sun, 14 Dec 2008 16:09:12 +0000
Subject: What is the proper way to use an alternate public_html path?
In-Reply-To: <16de708d0812132321j9b836f8radbb4ef97d6f2303@mail.gmail.com>
References: <16de708d0812132321j9b836f8radbb4ef97d6f2303@mail.gmail.com>
Message-ID: <20081214160912.7b714d8c@metropolis.intra.city-fan.org>

On Sun, 14 Dec 2008 01:21:46 -0600
"Arthur Pemberton" wrote:

> I would like to use ~/Public instead of ~/public_html.
>
> What is the proper way to do this such that restorecon respects the
> change?

I do it by creating a local policy module (localmisc) and put this (I use ~/WWW for this purpose) in localmisc.fc:

HOME_DIR/WWW(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)

Paul.


From mcepl at redhat.com Mon Dec 15 09:40:58 2008
From: mcepl at redhat.com (Matej Cepl)
Date: Mon, 15 Dec 2008 10:40:58 +0100
Subject: What is the proper way to use an alternate public_html path?
References: <16de708d0812132321j9b836f8radbb4ef97d6f2303@mail.gmail.com> <20081214160912.7b714d8c@metropolis.intra.city-fan.org>
Message-ID:

On 2008-12-14, 16:09 GMT, Paul Howarth wrote:
>> I would like to use ~/Public instead of ~/public_html.
>>
>> What is the proper way to do this such that restorecon respects the
>> change?
>
> I do it by creating a local policy module (localmisc) and put this (I
> use ~/WWW for this purpose) in localmisc.fc:
>
> HOME_DIR/WWW(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)

I think you could be all right just with semanage

semanage fcontext -a \
    -t httpd_user_content_t \
    '/home/.*/Public(/.*)?'

should be enough. Of course, you have to fiddle with the regexp to suit your configuration.

Matěj


From paul at city-fan.org Mon Dec 15 10:06:40 2008
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 15 Dec 2008 10:06:40 +0000
Subject: What is the proper way to use an alternate public_html path?
In-Reply-To:
References: <16de708d0812132321j9b836f8radbb4ef97d6f2303@mail.gmail.com> <20081214160912.7b714d8c@metropolis.intra.city-fan.org>
Message-ID: <49462C30.5080702@city-fan.org>

Matej Cepl wrote:
> On 2008-12-14, 16:09 GMT, Paul Howarth wrote:
>>> I would like to use ~/Public instead of ~/public_html.
>>>
>>> What is the proper way to do this such that restorecon respects the
>>> change?
>> I do it by creating a local policy module (localmisc) and put this (I
>> use ~/WWW for this purpose) in localmisc.fc:
>>
>> HOME_DIR/WWW(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
>
> I think you could be all right just with semanage
>
> semanage fcontext -a \
>     -t httpd_user_content_t \
>     '/home/.*/Public(/.*)?'
>
> should be enough. Of course, you have to fiddle with the regexp
> to suit your configuration.

I used to use semanage for this but I find that using a local policy module (I invariably need the odd rule or two to allow for local configuration strangeness) makes it easier to see what policy customizations I've made and to change them if necessary - manageability is better this way I think.

Using HOME_DIR should also cater for those people that have home directories somewhere other than straight under /home.

Paul.


From mcepl at redhat.com Mon Dec 15 10:53:51 2008
From: mcepl at redhat.com (Matej Cepl)
Date: Mon, 15 Dec 2008 11:53:51 +0100
Subject: What is the proper way to use an alternate public_html path?
References: <16de708d0812132321j9b836f8radbb4ef97d6f2303@mail.gmail.com> <20081214160912.7b714d8c@metropolis.intra.city-fan.org> <49462C30.5080702@city-fan.org>
Message-ID:

On 2008-12-15, 10:06 GMT, Paul Howarth wrote:
> I used to use semanage for this but I find that using a local
> policy module (I invariably need the odd rule or two to allow
> for local configuration strangeness) makes it easier to see
> what policy customizations I've made and to change them if
> necessary - manageability is better this way I think.

Yeah, not fighting against local modules, just think that it is easier to use semanage and semanage fcontext -l -C goes a long way in making it painless.

> HOME_DIR should also cater for those people that have home
> directories somewhere other than straight under /home.

Sure, I was just too lazy to find out whether HOME_DIR works with semanage, plus when the change is strictly local, then the administrator of the system should be able to know where his homedirs are.

Matěj


From sundaram at fedoraproject.org Mon Dec 15 12:44:30 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Mon, 15 Dec 2008 18:14:30 +0530
Subject: chcon and semanage
Message-ID: <4946512E.3040105@fedoraproject.org>

Hi,

sealert suggests these changes if I try to run some software in a stock Fedora 10 box with no updates:

----

/usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libpostproc.so.51.2.0'
/usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libswscale.so.0.6.1'

---

I assume these changes are not going to be persistent. What is the semanage equivalent and why doesn't sealert suggest that instead?
Rahul


From dwalsh at redhat.com Mon Dec 15 14:09:19 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 15 Dec 2008 09:09:19 -0500
Subject: chcon and semanage
In-Reply-To: <4946512E.3040105@fedoraproject.org>
References: <4946512E.3040105@fedoraproject.org>
Message-ID: <4946650F.5010204@redhat.com>

Rahul Sundaram wrote:
> Hi,
>
> sealert suggests these changes if I try to run some software in a stock
> Fedora 10 box with no updates:
>
> ----
>
> /usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libpostproc.so.51.2.0'
> /usr/bin/chcon -t textrel_shlib_t '/usr/lib/sse2/libswscale.so.0.6.1'
>
> ---
>
> I assume these changes are not going to be persistent. What is the
> semanage equivalent and why doesn't sealert suggest that instead?
>
> Rahul

# semanage fcontext -a -t textrel_shlib_t '/usr/lib/sse2/libpostproc.so.51.2.0'
# restorecon /usr/lib/sse2/libpostproc.so.51.2.0

It probably should, although this fix is in the updated selinux-policy.


From dwalsh at redhat.com Mon Dec 15 14:11:08 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 15 Dec 2008 09:11:08 -0500
Subject: suexec with fcgid-script in userdir site
In-Reply-To: <20081212073849.3dbf6dc2@metropolis.intra.city-fan.org>
References: <4942060B.704@gmail.com> <20081212073849.3dbf6dc2@metropolis.intra.city-fan.org>
Message-ID: <4946657C.9060303@redhat.com>

Paul Howarth wrote:
> On Fri, 12 Dec 2008 16:34:51 +1000
> Alexander Slesarev wrote:
>
>> Hello!
>>
>> I have a site in my userdir working via fcgid-script. But this script
>> is not working - SELinux prevents it.
>>
>> SELinux is preventing suexec (httpd_suexec_t) "getattr" to
>> /home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi
>> (httpd_unconfined_script_exec_t).
>>
>> AVC raw messages:
>>
>> host=elc6002.eellc.ru type=AVC msg=audit(1227234886.189:172): avc:
>> denied { getattr } for pid=9514 comm="suexec"
>> path="/home/nuald/public_html/codedgers/trunk/src/codedgers/site.fcgi"
>> dev=dm-2 ino=361072 scontext=unconfined_u:system_r:httpd_suexec_t:s0
>> tcontext=unconfined_u:object_r:httpd_unconfined_script_exec_t:s0
>> tclass=file host=elc6002.eellc.ru type=SYSCALL
>> msg=audit(1227234886.189:172): arch=40000003 syscall=196 success=no
>> exit=-13 a0=bff4efe1 a1=bff4c8a4 a2=2acff4 a3=bff4efe1 items=0
>> ppid=9328 pid=9514 auid=500 uid=500 gid=500 euid=500 suid=500
>> fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec"
>> exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0
>> key=(null)
>>
>> What can I do? I tried different scenarios but nothing helps.
>>
>> By the way - there is httpd_suexec_disable_trans boolean? I can't set
>> it up.
>>
>> I'm using Fedora 10 with all latest updates. Thanks in advance.
>
> There have been no disable_trans booleans for a long time as they can
> result in labelling problems when used. However, in Fedora 10 you can
> make httpd_suexec_t a permissive domain without putting the whole
> system in permissive mode:
>
> semanage permissive -a httpd_suexec_t
>
> Paul.

Or simply add the permission to the system

# grep site.fcgi /var/log/audit/audit.log | audit2allow -M mycgi
# semodule -i mycgi.pp


From dwalsh at redhat.com Mon Dec 15 14:22:55 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 15 Dec 2008 09:22:55 -0500
Subject: Is SELinux blocking all forward-only mail agents? (esmtp/ssmtp)
In-Reply-To:
References: <49423A8C.5050400@city-fan.org>
Message-ID: <4946683F.7030405@redhat.com>

NM wrote:
> On Fri, 12 Dec 2008 10:18:52 +0000, Paul Howarth wrote:
>
>> Long term, policy for this type of forwarder would need to be written.
>>
>> Short term, you could try re-using the sendmail policy:
>>
>> e.g.
>> # chcon -t sendmail_exec_t /path/to/ssmtp
>>
>> See if that helps.
>
> Thanks, will try.

I will add labeling for

/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)

To the policy packages.


From wolfy at nobugconsulting.ro Wed Dec 17 02:43:22 2008
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Wed, 17 Dec 2008 04:43:22 +0200
Subject: Is SELinux blocking all forward-only mail agents? (esmtp/ssmtp)
In-Reply-To: <4946683F.7030405@redhat.com>
References: <49423A8C.5050400@city-fan.org> <4946683F.7030405@redhat.com>
Message-ID: <4948674A.5050006@nobugconsulting.ro>

On 12/15/2008 04:22 PM, Daniel J Walsh wrote:
> NM wrote:
>
>> On Fri, 12 Dec 2008 10:18:52 +0000, Paul Howarth wrote:
>>
>>> Long term, policy for this type of forwarder would need to be written.
>>>
>>> Short term, you could try re-using the sendmail policy:
>>>
>>> e.g.
>>> # chcon -t sendmail_exec_t /path/to/ssmtp
>>>
>>> See if that helps.
>>
>> Thanks, will try.
>
> I will add labeling for
>
> /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
> /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>
> To the policy packages.

Thanks, Dan!
Now, asking as maintainer of these packages in EPEL: any chance of propagating these policy changes to RHEL 4/5 ?


From dwalsh at redhat.com Wed Dec 17 16:04:40 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 17 Dec 2008 11:04:40 -0500
Subject: Is SELinux blocking all forward-only mail agents? (esmtp/ssmtp)
In-Reply-To: <4948674A.5050006@nobugconsulting.ro>
References: <49423A8C.5050400@city-fan.org> <4946683F.7030405@redhat.com> <4948674A.5050006@nobugconsulting.ro>
Message-ID: <49492318.4070306@redhat.com>

Manuel Wolfshant wrote:
> On 12/15/2008 04:22 PM, Daniel J Walsh wrote:
>> NM wrote:
>>
>>> On Fri, 12 Dec 2008 10:18:52 +0000, Paul Howarth wrote:
>>>
>>>> Long term, policy for this type of forwarder would need to be written.
>>>>
>>>> Short term, you could try re-using the sendmail policy:
>>>>
>>>> e.g.
>>>> # chcon -t sendmail_exec_t /path/to/ssmtp
>>>>
>>>> See if that helps.
>>>
>>> Thanks, will try.
>>
>> I will add labeling for
>>
>> /usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>> /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
>>
>> To the policy packages.
>
> Thanks, Dan!
> Now, asking as maintainer of these packages in EPEL: any chance of
> propagating these policy changes to RHEL 4/5 ?

5.3 policy, currently in preview at selinux-policy-2.4.6-201.el5, will have the fixed labeling.


From vince.rafale at gmail.com Thu Dec 18 14:48:43 2008
From: vince.rafale at gmail.com (Vince Le Port)
Date: Thu, 18 Dec 2008 15:48:43 +0100
Subject: Error compiling the fedora selinux policy
Message-ID: <494A62CB.8070200@gmail.com>

Hi list,

I have got a problem while compiling the fedora selinux policy sources. Here is the way I do it :

#rpm -ivh selinux-policy-3.5.13-30.fc10.src.rpm
#cd rpmbuild/SPECS/
#rpmbuild -bp selinux-policy.spec
#cd ../BUILD/
#make install-src

I modified the build.conf in that way

TYPE = mcs
NAME = refpolicy
DISTRO = redhat
DIRECT_INITRC = n
MONOLITHIC = n
MLS_SENS = 16
MLS_CATS = 256
MCS_CATS = 1024
QUIET = n

#make conf
#make policy

and unhappily, I got the following error ..

/usr/bin/checkmodule: loading policy configuration from base.conf
policy/modules/kernel/domain.te":97:ERROR 'unknown type userdomain' at token ';' on line 9242:
dontaudit domain userdomain:key search;

If I comment out this line, I get other errors, so it seems unending ..

How can I fix that ?
Is it normal that I have errors when compiling a fedora RPM ?
Regards, Vince From dwalsh at redhat.com Thu Dec 18 19:31:33 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 18 Dec 2008 14:31:33 -0500 Subject: Error compiling the fedora selinux policy In-Reply-To: <494A62CB.8070200@gmail.com> References: <494A62CB.8070200@gmail.com> Message-ID: <494AA515.6000800@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vince Le Port wrote: > Hi list, > > I have got a problem while compiling the fedora selinux policy sources. > Here is the way I do it : > > #rpm -ivh selinux-policy-3.5.13-30.fc10.src.rpm > #cd rpmbuild/SPECS/ > #rpmbuild -bp selinux-policy.spec > #cd ../BUILD/ > #make install-src > > I modified the build.conf in that way > > TYPE = mcs > NAME = refpolicy > DISTRO = redhat > DIRECT_INITRC = n > MONOLITHIC = n > MLS_SENS = 16 > MLS_CATS = 256 > MCS_CATS = 1024 > QUIET = n > > #make conf > #make policy > > and unhappily, I got the following error .. > > /usr/bin/checkmodule: loading policy configuration from base.conf > policy/modules/kernel/domain.te":97:ERROR 'unknown type userdomain' at > token ';' on line 9242: > dontaudit domain userdomain:key search; > > If I comment out this line, I got others errors, so it seems unending .. > > How can I fix that ? > Is it normal that I have errors when compiling a fedora RPM ? > > Regards, > > Vince > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list You need to read the spec file and see how it is building the source. What exactly are you trying to do? If you are trying to make small changes to the policy you do not need to use the src rpm? 
From loganjerry at gmail.com Thu Dec 18 22:40:10 2008
From: loganjerry at gmail.com (Jerry James)
Date: Thu, 18 Dec 2008 15:40:10 -0700
Subject: GCL
Message-ID: <870180fe0812181440v1be0faan99e899cc960a6670@mail.gmail.com>

I have been told that the Fedora builders run with SELinux disabled. In that case, is it necessary to continue with bz #472780? Can I just include the policy I attached to that bug in the GCL source RPM and stop worrying about build-time permissions? Do I need somebody's permission (no pun intended) to do that?

Thanks,
--
Jerry James
http://loganjerry.googlepages.com/

From sakaia at jp.fujitsu.com Mon Dec 22 07:09:24 2008
From: sakaia at jp.fujitsu.com (Atsushi SAKAI)
Date: Mon, 22 Dec 2008 16:09:24 +0900
Subject: Question about SELinux Policy compilation
Message-ID: <20081222070932.1B1561805B@m021.s.css.fujitsu.com>

Hi,

I have a basic question about SELinux Policy compilation on Fedora10. I do as follows:

# rpm -i selinux-policy-3.5.13-18.fc10.src.rpm
# cd /root/rpmbuild/SPEC
# rpmbuild -bp selinux-policy.spec
# cd /root/rpmbuild/BUILD/serefpolicy-3.5.13
# make conf
# make policy

Then I met the following errors. Is there any good pointer to solve this problem?

Compiling refpolicy policy.23
/usr/bin/checkpolicy policy.conf -o policy.23
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/services/hal.te":11:ERROR 'syntax error' at token 'typeattribute' on line 929917
#line 11
typeattribute hald_t daemon;
checkpolicy: error(s) encounterd while parsing configuration
make: *** [policy.23] Error1

Thanks
Atsushi SAKAI

From dant at cdkkt.com Mon Dec 22 22:08:34 2008
From: dant at cdkkt.com (Daniel B. Thurman)
Date: Mon, 22 Dec 2008 14:08:34 -0800
Subject: F9: Problems with Spamassassin
Message-ID: <49500FE2.7000903@cdkkt.com>

I am getting bombed by Spamassassin, for which SELinux is complaining:

Dec 22 14:03:01 gold setroubleshoot: SELinux is preventing the spamassassin (spamassassin_t) from binding to port 31120. For complete SELinux messages. run sealert -l d55ced24-a79c-4712-9ed3-854874f886e3

Please note, this is message one of *many* reports for which the port numbers are running up and down the port numbers in the thousands... and failing...

Did I mis-configure Spamassassin or is this an SELinux issue?

=========================================================
# sealert -l d55ced24-a79c-4712-9ed3-854874f886e3:

Summary:

SELinux is preventing the spamassassin (spamassassin_t) from binding to port 32733.

Detailed Description:

SELinux has denied the spamassassin from binding to a network port 32733 which does not have an SELinux type associated with it. If spamassassin is supposed to be allowed to listen on this port, you can use the semanage command to add this port to a port type that spamassassin_t can bind to. semanage port -l will list all port types. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package. If spamassassin is not supposed to bind to this port, this could signal a intrusion attempt. If this system is running as an NIS Client, turning on the allow_ypbind boolean, may fix the problem. setsebool -P allow_ypbind=1.

Allowing Access:

If you want to allow spamassassin to bind to this port semanage port -a -t PORT_TYPE -p PROTOCOL 32733 Where PORT_TYPE is a type that spamassassin_t can bind and PROTOCOL is udp or tcp.
Additional Information:

Source Context                system_u:system_r:spamassassin_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ udp_socket ]
Source                        spamassassin
Source Path                   /usr/bin/perl
Port                          32733
Host                          gold.cdkkt.com
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.27.7-53.fc9.i686 #1 SMP Thu Nov 27 02:29:03 EST 2008 i686 i686
Alert Count                   3378
First Seen                    Mon Dec 22 14:00:08 2008
Last Seen                     Mon Dec 22 14:00:20 2008
Local ID                      d55ced24-a79c-4712-9ed3-854874f886e3
Line Numbers

Raw Audit Messages

node=gold.cdkkt.com type=AVC msg=audit(1229983220.80:14243): avc: denied { name_bind } for pid=6493 comm="spamassassin" src=32733 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
=========================================================

Thanks!
Dan

From dwalsh at redhat.com Tue Dec 23 16:45:52 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 23 Dec 2008 11:45:52 -0500
Subject: F9: Problems with Spamassassin
In-Reply-To: <49500FE2.7000903@cdkkt.com>
References: <49500FE2.7000903@cdkkt.com>
Message-ID: <495115C0.9050204@redhat.com>

Daniel B. Thurman wrote:
>
> I am getting bombed by Spamassassin, for which SELinux is complaining:
>
> Dec 22 14:03:01 gold setroubleshoot: SELinux is preventing the
> spamassassin (spamassassin_t) from binding to port 31120. For complete
> SELinux messages. run sealert -l d55ced24-a79c-4712-9ed3-854874f886e3
>
> Please note, this is message one of *many* reports for which the port
> numbers are running up and down the port numbers in the thousands... and failing...
>
> Did I mis-configure Spamassassin or is this an SELinux issue?
>
> =========================================================
> # sealert -l d55ced24-a79c-4712-9ed3-854874f886e3:
>
> Summary:
>
> SELinux is preventing the spamassassin (spamassassin_t) from binding to
> port 32733.
>
> Detailed Description:
>
> SELinux has denied the spamassassin from binding to a network port 32733
> which does not have an SELinux type associated with it. If spamassassin is
> supposed to be allowed to listen on this port, you can use the semanage
> command to add this port to a port type that spamassassin_t can bind to.
> semanage port -l will list all port types. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
> selinux-policy package. If spamassassin is not supposed to bind to this
> port, this could signal a intrusion attempt. If this system is running as
> an NIS Client, turning on the allow_ypbind boolean, may fix the problem.
> setsebool -P allow_ypbind=1.
>
> Allowing Access:
>
> If you want to allow spamassassin to bind to this port semanage port -a -t
> PORT_TYPE -p PROTOCOL 32733 Where PORT_TYPE is a type that
> spamassassin_t can bind and PROTOCOL is udp or tcp.
>
> Additional Information:
>
> Source Context                system_u:system_r:spamassassin_t:s0
> Target Context                system_u:object_r:port_t:s0
> Target Objects                None [ udp_socket ]
> Source                        spamassassin
> Source Path                   /usr/bin/perl
> Port                          32733
> Host                          gold.cdkkt.com
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-111.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   bind_ports
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.27.7-53.fc9.i686
>                               #1 SMP Thu Nov 27 02:29:03 EST 2008 i686 i686
> Alert Count                   3378
> First Seen                    Mon Dec 22 14:00:08 2008
> Last Seen                     Mon Dec 22 14:00:20 2008
> Local ID                      d55ced24-a79c-4712-9ed3-854874f886e3
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1229983220.80:14243): avc:
> denied { name_bind } for pid=6493 comm="spamassassin" src=32733
> scontext=system_u:system_r:spamassassin_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
> =========================================================
>
> Thanks!
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Does turning on the boolean spamassassin_can_network solve your problem?

setsebool -P spamassassin_can_network 1

From pemboa at gmail.com Sun Dec 28 04:35:33 2008
From: pemboa at gmail.com (Arthur Pemberton)
Date: Sat, 27 Dec 2008 22:35:33 -0600
Subject: Are there any plans for generic contexts?
Message-ID: <16de708d0812272035l263cdb5ao7de76cb99b7f2354@mail.gmail.com>

Are there any plans for generic contexts? If not, consider this a suggestion.
It would be useful if there were more generic contexts, for example 'shared_content_t', to which all targeted daemons that share files (such as httpd, smbd, vsftpd) would have access. I am aware that I can probably write my own policy to allow this, but it seems like a fairly common use case.

Just tonight I wanted to make some web code I was working on available via a samba share so I could work a bit more fluidly from my laptop. But the files are already labeled for sharing under httpd.

On another machine, I give access to samba to one dir, and would also like to have access from httpd. For certain situations, even vsftpd.

--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )

From frankly3d at fedoraproject.org Sun Dec 28 12:26:56 2008
From: frankly3d at fedoraproject.org (Frank Murphy)
Date: Sun, 28 Dec 2008 12:26:56 +0000
Subject: avc Dead-Letter? Fedora 10
Message-ID: <49577090.1010603@fedoraproject.org>

This is the first Fedora on which I've come across a file called dead-letter. I don't use sendmail; exim is installed, if relevant.

Summary:

SELinux is preventing the sendmail from using potentially mislabeled files (./dead.letter).

Detailed Description:

SELinux has denied sendmail access to potentially mislabeled file(s) (./dead.letter). This means that SELinux will not allow sendmail to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want sendmail to access this files, you need to relabel them using restorecon -v './dead.letter'. You might want to relabel the entire directory using restorecon -R -v './dead.letter'.
Additional Information:

Source Context                system_u:system_r:logwatch_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                ./dead.letter [ dir ]
Source                        sendmail
Source Path                   /usr/sbin/ssmtp
Port
Host                          frank01.frankly3d.local
Source RPM Packages           ssmtp-2.61-11.7.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     frank01.frankly3d.local
Platform                      Linux frank01.frankly3d.local 2.6.27.9-159.fc10.i686 #1 SMP Tue Dec 16 15:12:04 EST 2008 i686 i686
Alert Count                   1
First Seen                    Sun 28 Dec 2008 12:18:46 GMT
Last Seen                     Sun 28 Dec 2008 12:18:46 GMT
Local ID                      6feff0bd-d81b-472e-8c9b-a4538c69479f
Line Numbers

Raw Audit Messages

node=frank01.frankly3d.local type=AVC msg=audit(1230466726.28:154): avc: denied { add_name } for pid=4443 comm="sendmail" name="dead.letter" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=frank01.frankly3d.local type=SYSCALL msg=audit(1230466726.28:154): arch=40000003 syscall=5 success=no exit=-13 a0=97312d0 a1=441 a2=1b6 a3=440 items=0 ppid=4311 pid=4443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/ssmtp" subj=system_u:system_r:logwatch_t:s0 key=(null)

====================================================
Dead-Letter contents
====================================================
/etc/cron.daily/0logwatch:
sendmail: Cannot open mail:25

/etc/cron.daily/rkhunter:
send-mail: Cannot open mail:25
send-mail: Cannot open mail:25

/bin/sh: opt/f-prot/fpscan: No such file or directory

From paul at city-fan.org Sun Dec 28 13:20:14 2008
From: paul at city-fan.org (Paul Howarth)
Date: Sun, 28 Dec 2008 13:20:14 +0000
Subject: Are there any plans for generic contexts?
In-Reply-To: <16de708d0812272035l263cdb5ao7de76cb99b7f2354@mail.gmail.com>
References: <16de708d0812272035l263cdb5ao7de76cb99b7f2354@mail.gmail.com>
Message-ID: <20081228132014.681aabe3@metropolis.intra.city-fan.org>

On Sat, 27 Dec 2008 22:35:33 -0600
"Arthur Pemberton" wrote:

> Are there any plans for generic contexts? If not, consider this a
> suggestion.
>
> It would be useful if there were more generic contexts, for example
> 'shared_content_t', to which all targeted daemons that share files (such
> as httpd, smbd, vsftpd) would have access. I am
> aware that I can probably write my own policy to allow this, but it
> seems like a fairly common use case.
>
> Just tonight I wanted to make some web code I was working on available
> via a samba share so I could work a bit more fluidly from my laptop.
> But the files are already labeled for sharing under httpd.
>
> On another machine, I give access to samba to one dir, and would also
> like to have access from httpd. For certain situations, even vsftpd.

public_content_t and public_content_rw_t have been available for a long time to support this between ftp, http, samba, nfs, tftp, and rsync daemons.

public_content_t is read-only to all daemons.

public_content_rw_t is read-only to all daemons but writable by any daemon that has the appropriate boolean set:

allow_ftpd_anon_write
allow_httpd_anon_write
allow_httpd_sys_script_anon
allow_nfsd_anon_write
allow_rsync_anon_write
allow_smbd_anon_write
tftp_anon_write

Setting these booleans allows the associated daemon to write to public_content_rw_t.

Paul.
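The two "Raw Audit Messages" quoted earlier in this archive (the spamassassin name_bind flood on port_t and the logwatch_t denial on ./dead.letter) are easier to sort through with a small triage parser. This is an added example, not code from the list or from setroubleshoot: the remediation hints are taken from the replies above, the second spamassassin record (port 31120) is constructed from the report's text, and the grouping logic is an assumption of mine.

```python
import re
from collections import defaultdict

# Fields of a raw AVC record as printed under "Raw Audit Messages" in sealert output.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):\d+\): avc:\s+denied\s+\{ (?P<perm>[^}]+) \}'
    r' for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: name="(?P<name>[^"]+)")?(?: src=(?P<src>\d+))?'
    r' scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the AVC fields as a dict, or None for non-AVC records (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["stype"] = d["scontext"].split(":")[2]  # source domain, e.g. spamassassin_t
    d["ttype"] = d["tcontext"].split(":")[2]  # target type, e.g. port_t
    return d

def triage(avcs):
    """Group denials by (domain, perm, target type, class) and attach a remediation hint."""
    groups = defaultdict(lambda: {"count": 0, "ports": set()})
    for a in avcs:
        g = groups[(a["stype"], a["perm"], a["ttype"], a["tclass"])]
        g["count"] += 1
        if a["src"]:
            g["ports"].add(int(a["src"]))
    report = []
    for (stype, perm, ttype, tclass), g in groups.items():
        if perm == "name_bind" and ttype == "port_t":
            # Generic port_t: the port has no specific type. Many distinct ports from one
            # domain means labelling them one by one never converges; use the domain boolean.
            hint = ("random-port flood: set the domain's network boolean (spamassassin_can_network)"
                    if len(g["ports"]) > 1 else
                    "single unlabeled port: semanage port -a -t PORT_TYPE -p PROTO PORT")
        elif tclass in ("dir", "file") and ttype.endswith("home_t"):
            hint = "mislabeled file under a home directory: restorecon -R -v PATH"
        else:
            hint = "no rule on this page: file a bug against selinux-policy"
        report.append({"domain": stype, "perm": perm, "target": ttype, "class": tclass,
                       "count": g["count"], "ports": sorted(g["ports"]), "hint": hint})
    return report

# Constructed sample: the two raw audit messages quoted above, a constructed spamassassin
# record for port 31120 (the other port named in the report), and a SYSCALL line to skip.
SAMPLE_LOG = """\
node=gold.cdkkt.com type=AVC msg=audit(1229983220.80:14243): avc: denied { name_bind } for pid=6493 comm="spamassassin" src=32733 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=gold.cdkkt.com type=AVC msg=audit(1229983220.81:14244): avc: denied { name_bind } for pid=6493 comm="spamassassin" src=31120 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=gold.cdkkt.com type=SYSCALL msg=audit(1229983220.81:14244): arch=40000003 syscall=102 success=no exit=-13
node=frank01.frankly3d.local type=AVC msg=audit(1230466726.28:154): avc: denied { add_name } for pid=4443 comm="sendmail" name="dead.letter" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
"""

def triage_log(text):
    return triage([a for a in map(parse_avc, text.splitlines()) if a])
```

Run `triage_log(SAMPLE_LOG)` on an excerpt of /var/log/audit/audit.log to get one row per (domain, permission, target type, class) with the distinct ports seen, which separates a single mislabeled port from the kind of flood the Spamassassin thread describes.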