From dant at cdkkt.com Mon Jun 2 17:25:04 2008 
From: dant at cdkkt.com (Daniel B. Thurman)
Date: Mon, 02 Jun 2008 10:25:04 -0700
Subject: Issues setting up a 2nd Private DNS server
Message-ID: <48442CF0.7070308@cdkkt.com>

I am trying to set up a 2nd private DNS server in my private network,
behind the firewall (with DNS access enabled), and I am able to resolve
all of my local systems. However, I have some problems. One involves
SELinux and the other involves forwarding, as shown below:

1) SELinux errors are reported only when starting/stopping/restarting named.

++++++++++++++++++++++++++++++++++++++++++++++
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        named-checkconf
Source Path                   /usr/sbin/named-checkconf
Port
Host                          gold.cdkkt.com
Source RPM Packages           bind-9.5.0-26.b3.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-101.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Mon 02 Jun 2008 10:00:25 AM PDT
Last Seen                     Mon 02 Jun 2008 10:01:43 AM PDT
Local ID                      7faef252-f1ea-4e36-8f51-167799fcb429
Line Numbers

Raw Audit Messages

host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc: denied { read write } for pid=7037 comm="named" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket

host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122): arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38 a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
++++++++++++++++++++++++++++++++++++++++++++++
Source Context                system_u:system_r:ndc_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        rndc
Source Path                   /usr/sbin/rndc
Port
Host                          gold.cdkkt.com
Source RPM Packages           bind-9.5.0-26.b3.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-101.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Mon 02 Jun 2008 10:00:23 AM PDT
Last Seen                     Mon 02 Jun 2008 10:01:43 AM PDT
Local ID                      cc0e5f4b-aa41-4543-9569-df7d65f83f1c
Line Numbers

Raw Audit Messages

host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc: denied { read write } for pid=7064 comm="rndc" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket

host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123): arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078 a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
++++++++++++++++++++++++++++++++++++++++++++++
Source Context                system_u:system_r:mount_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        umount
Source Path                   /bin/umount
Port
Host                          gold.cdkkt.com
Source RPM Packages           util-linux-ng-2.13.1-2.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-101.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
Alert Count                   4
First Seen                    Mon 02 Jun 2008 10:00:25 AM PDT
Last Seen                     Mon 02 Jun 2008 10:01:43 AM PDT
Local ID                      439fbb1b-17d2-40b4-9242-744d5d69e303
Line Numbers

Raw Audit Messages

host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc: denied { read write } for pid=7034 comm="mount" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket

host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120): arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8 a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
++++++++++++++++++++++++++++++++++++++++++++++

2) Forwarders do not work:
++++++++++++++++++++++++++++++++++++++++++++++
** server can't find msn.com: NXDOMAIN
++++++++++++++++++++++++++++++++++++++++++++++

Please advise,
Dan

From dwalsh at redhat.com Mon Jun 2 18:27:39 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 02 Jun 2008 14:27:39 -0400
Subject: Issues setting up a 2nd Private DNS server
In-Reply-To: <48442CF0.7070308@cdkkt.com>
References: <48442CF0.7070308@cdkkt.com>
Message-ID: <48443B9B.20102@redhat.com>

Daniel B. Thurman wrote:
>
> I am trying to set up a 2nd private DNS server in my private
> network, behind the firewall (with DNS access enabled), and
> I am able to resolve all of my local systems. However, I have
> some problems. One involves SELinux and the other involves
> forwarding, as shown below:
>
> 1) SELinux errors are reported only when starting/stopping/restarting
> named.
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context                system_u:system_r:named_t:s0
> Target Context                system_u:system_r:unconfined_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        named-checkconf
> Source Path                   /usr/sbin/named-checkconf
> Port
> Host                          gold.cdkkt.com
> Source RPM Packages           bind-9.5.0-26.b3.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-101.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
> Alert Count                   4
> First Seen                    Mon 02 Jun 2008 10:00:25 AM PDT
> Last Seen                     Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID                      7faef252-f1ea-4e36-8f51-167799fcb429
> Line Numbers
>
> Raw Audit Messages
>
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc: denied { read write } for pid=7037 comm="named" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122): arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38 a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context                system_u:system_r:ndc_t:s0
> Target Context                system_u:system_r:unconfined_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        rndc
> Source Path                   /usr/sbin/rndc
> Port
> Host                          gold.cdkkt.com
> Source RPM Packages           bind-9.5.0-26.b3.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-101.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
> Alert Count                   4
> First Seen                    Mon 02 Jun 2008 10:00:23 AM PDT
> Last Seen                     Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID                      cc0e5f4b-aa41-4543-9569-df7d65f83f1c
> Line Numbers
>
> Raw Audit Messages
>
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc: denied { read write } for pid=7064 comm="rndc" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123): arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078 a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context                system_u:system_r:mount_t:s0
> Target Context                system_u:system_r:unconfined_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        umount
> Source Path                   /bin/umount
> Port
> Host                          gold.cdkkt.com
> Source RPM Packages           util-linux-ng-2.13.1-2.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-101.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
> Alert Count                   4
> First Seen                    Mon 02 Jun 2008 10:00:25 AM PDT
> Last Seen                     Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID                      439fbb1b-17d2-40b4-9242-744d5d69e303
> Line Numbers
>
> Raw Audit Messages
>
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc: denied { read write } for pid=7034 comm="mount" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120): arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8 a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
>
> 2) Forwarders do not work:
> ++++++++++++++++++++++++++++++++++++++++++++++
> ** server can't find msn.com: NXDOMAIN
> ++++++++++++++++++++++++++++++++++++++++++++++
>
>
> Please advise,
> Dan
>
This looks like either a leaked file descriptor, which can be
ignored/dontaudited.

Or it could be a redirection of the terminal to a unix_stream_socket.

From dant at cdkkt.com Mon Jun 2 20:21:05 2008
From: dant at cdkkt.com (Daniel B. Thurman)
Date: Mon, 02 Jun 2008 13:21:05 -0700
Subject: Issues setting up a 2nd Private DNS server
In-Reply-To: <48443B9B.20102@redhat.com>
References: <48442CF0.7070308@cdkkt.com> <48443B9B.20102@redhat.com>
Message-ID: <48445631.3010902@cdkkt.com>

Daniel J Walsh wrote:
>
> Daniel B. Thurman wrote:
> >
> > I am trying to set up a 2nd private DNS server in my private
> > network, behind the firewall (with DNS access enabled), and
> > I am able to resolve all of my local systems. However, I have
> > some problems. One involves SELinux and the other involves
> > forwarding, as shown below:
> >
> > 1) SELinux errors are reported only when starting/stopping/restarting
> > named.
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > [snipped!]
> > host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc: denied { read write } for pid=7037 comm="named" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
> >
> > host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122): arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38 a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > [snipped!]
> > host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc: denied { read write } for pid=7064 comm="rndc" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
> >
> > host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123): arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078 a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > [snipped!]
> > host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc: denied { read write } for pid=7034 comm="mount" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
> >
> > host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120): arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8 a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
> > ++++++++++++++++++++++++++++++++++++++++++++++
> >
> > 2) Forwarders do not work:
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > ** server can't find msn.com: NXDOMAIN
> > ++++++++++++++++++++++++++++++++++++++++++++++
> >
> > Please advise,
> > Dan
> >
> This looks like either a leaked file descriptor, which can be
> ignored/dontaudited
>
> Or it could be a redirection of the terminal to a unix_stream_socket.
>
Huh? I am not sure what you are saying, nor am I sure what to do in
fixing these selinux avc errors.
As for DNS forwarding, selinux does not seem to have anything to do with
preventing forwarding, AFAIK. I tested by setting 'setenforce 0', then
using nslookup on 'msn.com.' - it still fails. I wonder how to debug
named to see why forwarding fails... can anyone help?

Thanks-
Dan

From cachch at gmail.com Tue Jun 3 05:52:53 2008
From: cachch at gmail.com (Carlos Chavez)
Date: Mon, 2 Jun 2008 23:52:53 -0600
Subject: selinux and httpd don't start on boot - message error EAI9
Message-ID:

Hello everyone.

The HTTP server doesn't start on boot; it sends the following message,
sort of. It was difficult to copy because it showed only in the start-up
process, and there are no log messages in any log file.

Message: Address Family for Hostname not supported: (EAI 9) alloc_listener failed to setup sockaddr for 127.0.0.1.
That is the message, sort of.

This happens when I set up the option Listen 127.0.0.1:80. When I start
the httpd server manually it starts successfully, but not on boot.

It says too that there is a syntax error in the line where the Listen
sentence is, but if I run the syntax check, httpd says the syntax is OK.

I'm using Fedora 9 with the latest updates.
selinux 3.3.1-55
httpd 2.2.8-3
kernel 2.6.25.3-18

--
Cheers.
Carlos Chávez

From paul at city-fan.org Tue Jun 3 08:13:46 2008
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 03 Jun 2008 09:13:46 +0100
Subject: selinux and httpd don't start on boot - message error EAI9
In-Reply-To:
References:
Message-ID: <4844FD3A.2040604@city-fan.org>

Carlos Chavez wrote:
> Hello everyone.
>
> The HTTP server doesn't start on boot; it sends the following message,
> sort of. It was difficult to copy because it showed only in the start-up
> process, and there are no log messages in any log file.
>
> Message: Address Family for Hostname not supported: (EAI 9) alloc_listener
> failed to setup sockaddr for 127.0.0.1.
> That is the message, sort of.
>
> This happens when I set up the option Listen 127.0.0.1:80. When I start
> the httpd server manually it starts successfully, but not on boot.
>
> It says too that there is a syntax error in the line where the Listen
> sentence is, but if I run the syntax check, httpd says the syntax is OK.
>
> I'm using Fedora 9 with the latest updates.
> selinux 3.3.1-55
> httpd 2.2.8-3
> kernel 2.6.25.3-18

My wild guess at the cause of this would be that NetworkManager hasn't
started the network at the time the httpd initscript runs. Are there any
indications in the logs (such as avc denials) that this is an selinux
issue?

Paul.

From paul at city-fan.org Tue Jun 3 09:14:06 2008
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 03 Jun 2008 10:14:06 +0100
Subject: AVCs from cron.daily (F9)
Message-ID: <48450B5E.5040101@city-fan.org>

On my work box, which is an up-to-date F9 install, I get a set of AVCs
from cron.daily every day, which I don't get on my home boxes. I suspect
it's because we use LDAP auth at work. It boils down to this when passed
through audit2allow -R:

require {
    type logwatch_t;
    type locate_t;
    type tmpreaper_t;
    type logrotate_t;
}

#============= locate_t ==============
cron_rw_tcp_sockets(locate_t)

#============= logrotate_t ==============
cron_rw_tcp_sockets(logrotate_t)

#============= logwatch_t ==============
cron_rw_tcp_sockets(logwatch_t)

#============= tmpreaper_t ==============
cron_rw_tcp_sockets(tmpreaper_t)

Sample AVC:

time->Tue Jun  3 05:05:05 2008
type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e syscall=59 success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8 items=0 ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1212465905.734:5714): avc: denied { read write } for pid=12134 comm="tmpwatch" path="socket:[24785059]" dev=sockfs ino=24785059 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket

Paul.
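Dan Walsh's answer in the DNS thread above draws the line that matters for all of these reports: a denial on a descriptor the process merely inherited (a "leaked fd", normally silenced with dontaudit) versus a denial that actually stops an operation. Paul's cron.daily AVCs are the same pattern (tmpwatch is refused a tcp_socket it inherited from crond_t while execve succeeds), and the sendmail connectto denial further down in the milter thread is the opposite case (success=no, the milter really is unreachable). The script below is an added example and not code from either thread: it pairs each AVC record with the SYSCALL record that shares its audit serial and applies that distinction mechanically, then renders a local .te. The embedded records are quoted from this page (SYSCALL lines abridged); the arch-to-execve table, the verdict names and the rule rendering are this example's own assumptions. Note that audit2allow -R, as Paul used it, maps the same denials to refpolicy interfaces such as cron_rw_tcp_sockets(); what it cannot tell you is which of those should be dontaudit rather than allow, which is the point here.

```python
"""Triage SELinux AVC records: leaked descriptor at exec (dontaudit) vs. hard denial."""
import re
from collections import defaultdict

# execve number per audit "arch" value: 40000003 is i386, c000003e is x86_64.
# Assumption of this example: only these two architectures occur in the input.
EXECVE = {"40000003": 11, "c000003e": 59}
HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")


def parse_record(line):
    """One raw audit line -> (record type, serial, dict of key=value fields), or None."""
    m = HEADER.search(line)
    if not m:
        return None
    rtype, _stamp, serial = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if rtype == "AVC":
        p = PERMS.search(line)
        fields["perms"] = p.group(1).split() if p else []
    return rtype, int(serial), fields


def group_by_serial(lines):
    """The AVC and SYSCALL records of one event share a serial; pair them up."""
    groups = defaultdict(lambda: {"AVC": [], "SYSCALL": []})
    for line in lines:
        parsed = parse_record(line)
        if parsed and parsed[0] in ("AVC", "SYSCALL"):
            rtype, serial, fields = parsed
            groups[serial][rtype].append(fields)
    return dict(groups)


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def classify(group):
    """Yield (verdict, rule) per AVC of one event.
    leaked-fd: the denial fired inside a successful execve, i.e. the new domain was
               refused a descriptor it inherited and the kernel swapped it for /dev/null;
               nothing failed, so the right rule is dontaudit.
    hard:      the syscall itself failed (success=no); the operation is really blocked."""
    sc = group["SYSCALL"][0] if group["SYSCALL"] else {}
    exec_ok = (sc.get("success") == "yes"
               and EXECVE.get(sc.get("arch")) == int(sc.get("syscall", "-1")))
    for avc in group["AVC"]:
        src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
        rule = f"{src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"
        if exec_ok:
            yield "leaked-fd", "dontaudit " + rule
        elif sc.get("success") == "no":
            yield "hard", "allow " + rule
        else:
            yield "review", "# unclear: " + rule


def triage(lines):
    """[(serial, verdict, rule)] for every AVC in the log, in serial order."""
    groups = group_by_serial(lines)
    return [(s, v, r) for s in sorted(groups) for v, r in classify(groups[s])]


def build_module(name, lines):
    """Render a loadable .te (build: checkmodule -M -m, semodule_package, semodule -i)."""
    results = triage(lines)
    types, classes = set(), defaultdict(set)
    for _s, _v, rule in results:
        m = re.match(r"(?:dontaudit|allow) (\w+) (\w+):(\w+) \{ ([^}]*) \};", rule)
        if m:
            types.update(m.group(1, 2))
            classes[m.group(3)].update(m.group(4).split())
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for serial, verdict, rule in results:
        out.append(f"# audit serial {serial}: {verdict}")
        if verdict == "hard":
            out.append("# REVIEW: a blanket allow is the blunt fix; a proper domain for the peer is usually the real one")
        out.append(rule)
    return "\n".join(out) + "\n"


# Records quoted from this page (SYSCALL lines abridged): named/rndc/mount from the
# Thurman thread, tmpwatch from the cron.daily thread, sendmail from the milter thread.
SAMPLE = [
    'type=AVC msg=audit(1212426103.808:4122): avc: denied { read write } for pid=7037 comm="named" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1212426103.808:4122): arch=40000003 syscall=11 success=yes exit=0 ppid=7036 pid=7037 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)',
    'type=AVC msg=audit(1212426103.905:4123): avc: denied { read write } for pid=7064 comm="rndc" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1212426103.905:4123): arch=40000003 syscall=11 success=yes exit=0 ppid=7055 pid=7064 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)',
    'type=AVC msg=audit(1212426103.790:4120): avc: denied { read write } for pid=7034 comm="mount" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1212426103.790:4120): arch=40000003 syscall=11 success=yes exit=0 ppid=7014 pid=7034 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)',
    'type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e syscall=59 success=yes exit=0 ppid=12101 pid=12134 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1212465905.734:5714): avc: denied { read write } for pid=12134 comm="tmpwatch" path="socket:[24785059]" dev=sockfs ino=24785059 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket',
    'type=AVC msg=audit(1200408212.783:142453): avc: denied { connectto } for pid=7805 comm="sendmail" path="/var/spool/milter-regex/sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1200408212.783:142453): arch=40000003 syscall=102 success=no exit=-13 ppid=7764 pid=7805 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)',
]

if __name__ == "__main__":
    print(build_module("local_leaks", SAMPLE))
```

Run against the five events on this page it emits four dontaudit rules (named_t, ndc_t and mount_t on the unconfined_t unix_stream_socket they inherited from the shell that ran the initscript, and tmpreaper_t on the crond_t tcp_socket, which is the LDAP connection crond had open) and one flagged allow for sendmail_t to initrc_t. The flag is deliberate: as the milter thread concludes, the honest fix for that one is a domain for the milter so its listening socket stops being initrc_t, not a rule letting the MTA talk to every initrc_t socket. The same input order sensitivity applies as with ausearch: the SYSCALL record may precede or follow its AVC, which is why pairing is by serial rather than by adjacency.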
From kayvan at sylvan.com Tue Jun 3 10:25:17 2008
From: kayvan at sylvan.com (Kayvan A. Sylvan)
Date: Tue, 3 Jun 2008 03:25:17 -0700
Subject: Weird SELinux problem after upgrade to F9
In-Reply-To: <4844FD3A.2040604@city-fan.org>
References: <4844FD3A.2040604@city-fan.org>
Message-ID: <20080603102517.GA9212@satyr.sylvan.com>

Hi everyone,

Over the last few days, I have managed to upgrade myself from FC4 (yes,
really!) all the way to Fedora 9. My system is an X86_64 dual-core Intel
box with 8GB of memory and it seems to run so much faster with a smaller
memory footprint under F9. Thanks to all the Fedora developers!

My problem is that after the upgrades I was getting all sorts of SELinux
errors (from practically every application), so I figured that I would go
ahead and relabel the filesystems. After the relabel, I was still getting
dozens of errors per second, so I changed SELinux to Permissive mode (via
/etc/selinux/config), rebooted, and the system is now working.

However, I would like to get SELinux to work in Enforcing mode.

I have the following SELinux related packages installed:

# yum list all selinux*
Installed Packages
selinux-doc.noarch                    1.26-1.1       installed
selinux-policy.noarch                 3.3.1-55.fc9   installed
selinux-policy-targeted.noarch        3.3.1-55.fc9   installed
Available Packages
selinux-policy-devel.noarch           3.3.1-55.fc9   updates
selinux-policy-mls.noarch             3.3.1-55.fc9   updates

These are the types of errors I was seeing:

Jun  3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc: denied { getattr } for pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:42:12 satyr kernel: type=1400 audit(1212486109.316:13): avc: denied { getattr } for pid=1503 comm="dmsetup" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:42:12 satyr kernel: type=1400 audit(1212486109.934:14): avc: denied { getattr } for pid=1513 comm="fsck" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:42:12 satyr kernel: type=1400 audit(1212486110.804:15): avc: denied { getattr } for pid=1519 comm="mount" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:42:12 satyr kernel: type=1400 audit(1212486112.460:16): avc: denied { getattr } for pid=1564 comm="swapon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:42:13 satyr kernel: type=1400 audit(1212486124.825:21): avc: denied { getattr } for pid=1907 comm="restorecond" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:42:13 satyr kernel: type=1400 audit(1212486125.516:22): avc: denied { getattr } for pid=2015 comm="iptables" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:42:13 satyr kernel: type=1400 audit(1212486127.411:23): avc: denied { getattr } for pid=2888 comm="mcstransd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:43:58 satyr dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
Jun  3 02:43:59 satyr dbus: avc: denied { acquire_svc } for service=org.kde.klauncher spid=4608 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus

Any help in getting this working would be very appreciated!

Thanks.

---Kayvan

--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

From paul at city-fan.org Tue Jun 3 10:44:12 2008
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 03 Jun 2008 11:44:12 +0100
Subject: Sendmail milters in Fedora 8
In-Reply-To: <478E0CE0.7040004@redhat.com>
References: <477BC440.9000809@city-fan.org> <478B829C.1090606@city-fan.org> <478B9511.20006@redhat.com> <478B97A6.9050002@city-fan.org> <478B9AC3.9040500@redhat.com> <478B9C12.9000909@city-fan.org> <478BB879.2050604@redhat.com> <478CC7A4.6030008@city-fan.org> <478D0F2E.3050401@redhat.com> <20080116001617.6af19309@metropolis.intra.city-fan.org> <478DE918.1080907@redhat.com> <478DEEB0.3090008@city-fan.org> <478E0CE0.7040004@redhat.com>
Message-ID: <4845207C.5080100@city-fan.org>

Daniel J Walsh wrote:
> Paul Howarth wrote:
>> Daniel J Walsh wrote:
>>> Paul Howarth wrote:
>>>> On Tue, 15 Jan 2008 14:53:18 -0500
>>>> Daniel J Walsh wrote:
>>>>
>>>>> Paul Howarth wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> Paul Howarth wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>> Hi Dan,
>>>>>>>>>>
>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>>>>> Since upgrading my mail server from Fedora 7 to Fedora 8,
>>>>>>>>>>>>> I've come across some problems with the sockets used for
>>>>>>>>>>>>> communication between sendmail and two of the "milter"
>>>>>>>>>>>>> plugins I'm using with it, namely milter-regex and
>>>>>>>>>>>>> spamass-milter. It's very likely that other milters will
>>>>>>>>>>>>> have similar issues.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The sockets used are created when the milter starts, as
>>>>>>>>>>>>> follows:
>>>>>>>>>>>>>
>>>>>>>>>>>>> milter-regex:
>>>>>>>>>>>>> /var/spool/milter-regex/sock (var_spool_t, inherited from
>>>>>>>>>>>>> parent directory)
>>>>>>>>>>>>>
>>>>>>>>>>>>> spamass-milter:
>>>>>>>>>>>>> /var/run/spamass-milter/spamass-milter.sock
>>>>>>>>>>>>> (spamd_var_run_t, in policy)
>>>>>>>>>>>>>
>>>>>>>>>>>>> These are pretty well the upstream locations, though I'm
>>>>>>>>>>>>> open to moving the milter-regex socket from /var/spool
>>>>>>>>>>>>> to /var/run or elsewhere for consistency.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Since moving to Fedora 8, I've had to add the following to
>>>>>>>>>>>>> local policy to get these milters working:
>>>>>>>>>>>>>
>>>>>>>>>>>>> allow sendmail_t spamd_var_run_t:dir { search getattr };
>>>>>>>>>>>>> allow sendmail_t spamd_var_run_t:sock_file { getattr write };
>>>>>>>>>>>>> allow sendmail_t var_spool_t:sock_file { getattr write };
>>>>>>>>>>>>> allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
>>>>>>>>>>>>>
>>>>>>>>>>>>> The last of these is the strangest, and relates to Bug
>>>>>>>>>>>>> #425958 (https://bugzilla.redhat.com/show_bug.cgi?id=425958).
>>>>>>>>>>>>> Whilst the socket file itself has the context listed above,
>>>>>>>>>>>>> the unix domain socket that sendmail connects to is still
>>>>>>>>>>>>> initrc_t, as can be seen from the output of "netstat -lpZ":
>>>>>>>>>>>>>
>>>>>>>>>>>>> ...
>>>>>>>>>>>>> unix  2  [ ACC ]  STREAM  LISTENING  14142  5853/spamass-milter  system_u:system_r:initrc_t:s0  /var/run/spamass-milter/spamass-milter.sock
>>>>>>>>>>>>> unix  2  [ ACC ]  STREAM  LISTENING  13794  5779/milter-regex    system_u:system_r:initrc_t:s0  /var/spool/milter-regex/sock
>>>>>>>>>>>>> ...
>>>>>>>>>>>>>
>>>>>>>>>>>>> So, my questions are:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. Why are the sockets still initrc_t?
>>>>>>>>>>>>> 2. Is this a kernel issue or a userspace issue that should be
>>>>>>>>>>>>>    fixed in the milters?
>>>>>>>>>>>>> 3. Should there be a standard place for milter sockets to
>>>>>>>>>>>>>    live, and if so, where?
>>>>>>>>>>>>> 4. How come this worked OK in Fedora 7 and previous releases?
>>>>>>>>>>>> Looking at the source code for these applications, I see that
>>>>>>>>>>>> both of them use the smfi_setconn() function in the sendmail
>>>>>>>>>>>> milter library to set up the sockets. It's therefore likely
>>>>>>>>>>>> that this problem is common to all milter applications that
>>>>>>>>>>>> use unix domain sockets.
>>>>>>>>>>>>
>>>>>>>>>>>> I'm now of the opinion that moving the directory locations
>>>>>>>>>>>> for these sockets is a bad idea - it would need corresponding
>>>>>>>>>>>> changes in people's sendmail configuration files, which would
>>>>>>>>>>>> lead to problems for people doing package updates, or
>>>>>>>>>>>> installing from upstream sources. Setting different context
>>>>>>>>>>>> types for the directories (e.g. make /var/spool/milter-regex
>>>>>>>>>>>> spamd_var_run_t) would seem a better option, along with
>>>>>>>>>>>> policy tweaks to allow sendmail to do the permissions checks
>>>>>>>>>>>> and write to the sockets.
>>>>>>>>>>>>
>>>>>>>>>>>> I'm still confused about the initrc_t sockets though.
>>>>>>>>>>>>
>>>>>>>>>>>> Paul.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> fedora-selinux-list mailing list
>>>>>>>>>>>> fedora-selinux-list at redhat.com
>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>>>>>> Ok I will add this to the next update.
>>>>>>>>>> What exactly is "this"? The 4 "allow" rules mentioned above,
>>>>>>>>>> the context type change for /var/spool/milter-regex mentioned
>>>>>>>>>> later, both?
>>>>>>>>>>
>>>>>>>>>> Cheers, Paul.
>>>>>>>>>>
>>>>>>>>> Context change for /var/spool/milter-regex to spamd_var_run_t.
>>>>>>>>> sendmail can already use sockets in this directory.
>>>>>>>> So that includes the:
>>>>>>>>
>>>>>>>> allow sendmail_t initrc_t:unix_stream_socket { read write connectto }
>>>>>>>>
>>>>>>>> ?
>>>>>>>>
>>>>>>>> Cheers, Paul.
>>>>>>>>
>>>>>>> Nope. I don't know what is running as initrc_t and I would bet
>>>>>>> this is a leaked file descriptor. Or at least a redirection of
>>>>>>> stdin/stdout.
>>>>>> I don't think it's a leaked file descriptor - that would be
>>>>>> dontaudit-able, right? By not allowing communications with the
>>>>>> initrc_t:unix_stream_socket, the milter fails to work:
>>>>>>
>>>>>> ==> /var/log/audit/audit.log <==
>>>>>> type=AVC msg=audit(1200408212.783:142453): avc: denied { connectto } for pid=7805 comm="sendmail" path="/var/spool/milter-regex/sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
>>>>>> type=SYSCALL msg=audit(1200408212.783:142453): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd9f600 a2=b7f79bd4 a3=0 items=0 ppid=7764 pid=7805 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
>>>>>>
>>>>>> ==> /var/log/maillog <==
>>>>>> Jan 15 14:43:32 goalkeeper sendmail[7805]: NOQUEUE: connect from ard120.neoplus.adsl.tpnet.pl [83.26.189.120]
>>>>>> Jan 15 14:43:32 goalkeeper sendmail[7805]: AUTH: available mech=CRAM-MD5 DIGEST-MD5, allowed mech=CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
>>>>>> Jan 15 14:43:32 goalkeeper sendmail[7805]: m0FEhW21007805: Milter (milter-regex): error connecting to filter: Permission denied
>>>>>> Jan 15 14:43:32 goalkeeper sendmail[7805]: m0FEhW21007805: Milter (milter-regex): to error state
>>>>>> Jan 15 14:43:32 goalkeeper sendmail[7805]: m0FEhW21007805: Milter: initialization failed, temp failing commands
>>>>>> Jan 15 14:43:32 goalkeeper sendmail[7805]: m0FEhW21007805: SMTP MAIL command () from ard120.neoplus.adsl.tpnet.pl [83.26.189.120] tempfailed (due to previous checks)
>>>>>>
>>>>>>
>>>>>> The initrc_t type shows up in netstat but not in ls:
>>>>>> # netstat -aZp | grep initrc
>>>>>> tcp   0  0 goalkeeper.intra.:bacula-fd  *:*  LISTEN  5864/bacula-fd  system_u:system_r:initrc_t:s0
>>>>>> udp   0  0 rbldns.intra.cit:domain      *:*          5885/rbldnsd    system_u:system_r:initrc_t:s0
>>>>>> unix  2  [ ACC ]  STREAM  LISTENING  14142    5853/spamass-milter  system_u:system_r:initrc_t:s0  /var/run/spamass-milter/spamass-milter.sock
>>>>>> unix  2  [ ACC ]  STREAM  LISTENING  13794    5779/milter-regex    system_u:system_r:initrc_t:s0  /var/spool/milter-regex/sock
>>>>>> unix  2  [ ]      DGRAM              2150436  5779/milter-regex    system_u:system_r:initrc_t:s0
>>>>>> unix  2  [ ]      DGRAM              14141    5853/spamass-milter  system_u:system_r:initrc_t:s0
>>>>>> # ls -lZ /var/run/spamass-milter/spamass-milter.sock /var/spool/milter-regex/sock
>>>>>> srwxr-xr-x sa-milt sa-milt system_u:object_r:spamd_var_run_t:s0 /var/run/spamass-milter/spamass-milter.sock
>>>>>> srw------- mregex  mregex  system_u:object_r:spamd_var_run_t:s0 /var/spool/milter-regex/sock
>>>>>>
>>>>>>
>>>>>> Paul.
>>>>>>
>>>>>>
>>>>> Ok then I guess we need to label
>>>>>
>>>>> chcon -t spamd_exec_t /usr/sbin/spamass-milter
>>>>>
>>>>> And then build policy off of that.
>>>> Whilst that might result in a solution for spamass-milter, it's not
>>>> going to help milter-regex or potentially any other milter (they're
>>>> all likely to use the same libmilter [sendmail] API for setting up
>>>> the sockets).
>>>>
>>>> There seems to be something odd about sockets in general; the netstat
>>>> output quoted above shows a couple of network-listening sockets with
>>>> type initrc_t too, from a further two non-milter programs, namely
>>>> bacula and rbldnsd. I also see the same issue with nasd and
>>>> rpc.quotad, though I can also see a bunch of listening sockets with
>>>> system_u:system_r:unconfined_t on my desktop.
>>>>
>>>> Why might some of these apps transition to unconfined_t and others not?
>>>>
>>>> And why does "ls" show a different type than "netstat"?
>>>>
>>>> Paul.
>>> ls is showing file context and netstat is showing processes.
>>>
>>> Processes running as unconfined_t were started by unconfined_t without
>>> going through an initrc_exec_t type. So either you started these
>>> processes directly or the label of their start-up script is wrong.
>>>
>>> ls -lZ /etc/init.d/*
>>>
>>> restorecon -R -v /etc/init.d
>>>
>>> Should fix.
>> I suspect that the stuff running in unconfined_t gets started as part of
>> a Gnome session rather than via an initscript.
>>
>>> So we need to allow sendmail to read sockets set up by initrc_t?
>> Is it true to say (I think it is) that any process started via an
>> initscript that doesn't transition to another domain (e.g. stuff that
>> nobody has written policy for yet) will be in initrc_t?
>>
>> If so, the following is currently needed.
>>
>>> Adding
>>> init_stream_connect_script(mailserver_delivery)
>>> init_rw_script_stream_sockets(mailserver_delivery)
>>>
>>>
>>> Will allow all programs that deliver mail to read/write/connectto
>>> initrc_t unix_stream_sockets.
>> This looks right for now, though I'm tempted to hack together policy for
>> my two milters at least. What I was thinking of was creating a
>> milter_template along the lines of the apache_content_template that
>> could be used as a starting point for milter applications (all of which
>> will communicate with sendmail [and postfix too for that matter] in the
>> same way), and then add on anything necessary for each individual milter
>> (some of which would require nothing else, some would require database
>> connectivity etc.).
>>
>> Paul.
>>
> Sounds good.
I've finally got round to a first pass at this, largely because of Bug
#447247, where it's clear that new policy for spamass-milter is needed.
The policy I've written supports both of the milters that I maintain in
Fedora, namely milter-regex and spamass-milter. Comments appreciated.

# more milters.{if,fc,te}
::::::::::::::
milters.if
::::::::::::::
## Milter mail filters

########################################
##
## Create a set of derived types for various
## mail filter applications using the milter interface.
##
##
##
## The name to be used for deriving type names.
##
##
#
template(`milter_template',`
	# Type that the milter application runs as
	type milter_$1_t;
	domain_type(milter_$1_t)
	role system_r types milter_$1_t;

	# Type for the executable file
	type milter_$1_exec_t;
	init_daemon_domain(milter_$1_t, milter_$1_exec_t)

	# This type is for pidfiles etc.
	type milter_$1_var_run_t;
	files_type(milter_$1_var_run_t);

	# This type is for spool/cache data etc.
	type milter_$1_cache_t;
	files_type(milter_$1_cache_t);

	# This type is for spool/cache data etc.
	type milter_$1_spool_t;
	files_type(milter_$1_spool_t);

	# This type is for state data etc.
	type milter_$1_var_lib_t;
	files_type(milter_$1_var_lib_t);

	# Generic rules from policygentool
	files_read_etc_files(milter_$1_t)
	libs_use_ld_so(milter_$1_t)
	libs_use_shared_libs(milter_$1_t)
	miscfiles_read_localization(milter_$1_t)
	sysnet_dns_name_resolve(milter_$1_t)
	init_use_fds(milter_$1_t)
	init_use_script_ptys(milter_$1_t)
	domain_use_interactive_fds(milter_$1_t)

	# Allow communication with MTA over a TCP socket
	# hack since this port has no interfaces since it does not have net_contexts
	gen_require(`
		type milter_port_t;
	')
	allow milter_$1_t milter_port_t:tcp_socket name_bind;
	corenet_tcp_bind_generic_node(milter_$1_t)
	allow milter_$1_t self:tcp_socket { listen accept };

	# Things that most milters will need to do
	allow milter_$1_t self:fifo_file rw_fifo_file_perms;
	logging_send_syslog_msg(milter_$1_t)
')

########################################
##
## MTA communication with spamass-milter socket
##
##
##
## Domain allowed access.
##
##
#
interface(`milter_spamass_stream_connect',`
	gen_require(`
		type milter_spamass_var_run_t, milter_spamass_t;
	')

	stream_connect_pattern($1,milter_spamass_var_run_t,milter_spamass_var_run_t,milter_spamass_t)
')

########################################
##
## Allow read/write unix stream sockets from spamass-milter
##
##
##
## Domain allowed access.
##
##
#
interface(`milter_spamass_rw_stream_sockets',`
	gen_require(`
		type milter_spamass_t;
	')

	allow $1 milter_spamass_t:unix_stream_socket { read write };
')

########################################
##
## MTA communication with milter-regex socket
##
##
##
## Domain allowed access.
##
##
#
interface(`milter_regex_stream_connect',`
	gen_require(`
		type milter_regex_spool_t, milter_regex_t;
	')

	stream_connect_pattern($1,milter_regex_spool_t,milter_regex_spool_t,milter_regex_t)
')
::::::::::::::
milters.fc
::::::::::::::
#================= contexts for milter-regex =================
/usr/sbin/milter-regex		--	gen_context(system_u:object_r:milter_regex_exec_t,s0)
/var/spool/milter-regex(/.*)?		gen_context(system_u:object_r:milter_regex_spool_t,s0)

#================= contexts for spamass-milter =================
/usr/sbin/spamass-milter		--	gen_context(system_u:object_r:milter_spamass_exec_t,s0)
/var/run/spamass-milter\.pid		--	gen_context(system_u:object_r:milter_spamass_var_run_t,s0)
/var/run/spamass-milter(/.*)?		gen_context(system_u:object_r:milter_spamass_var_run_t,s0)
::::::::::::::
milters.te
::::::::::::::
policy_module(milters,0.0.7)

require {
	attribute port_type;
}

type milter_port_t, port_type;

#============= milter-regex policy ==============
milter_template(regex)

# Config is in /etc/mail/milter-regex.conf
mta_read_config(milter_regex_t)

# The milter creates a socket in /var/spool/milter-regex/
# for communication with sendmail
files_search_spool(milter_regex_t)
manage_sock_files_pattern(milter_regex_t,milter_regex_spool_t,milter_regex_spool_t)

# It removes any existing socket (not owned by root) whilst running as root
# and then calls setgid() and setuid() to drop privileges
allow milter_regex_t self:capability { setuid setgid dac_override };

#============= spamass-milter policy ==============
milter_template(spamass)

# The milter creates a socket in /var/run/spamass-milter/
# for communication with sendmail
manage_files_pattern(milter_spamass_t,milter_spamass_var_run_t,milter_spamass_var_run_t)
manage_sock_files_pattern(milter_spamass_t,milter_spamass_var_run_t,milter_spamass_var_run_t)

# The main job of the milter is to pipe spam through spamc and act on the result
spamassassin_domtrans_spamc(milter_spamass_t)

# When used with -b or -B options, the milter invokes sendmail to send mail
# to a spamtrap address, using popen()
corecmd_exec_shell(milter_spamass_t)
corecmd_read_bin_symlinks(milter_spamass_t)
corecmd_search_bin(milter_spamass_t)
kernel_read_system_state(milter_spamass_t)
mta_send_mail(milter_spamass_t)

#============= extra stuff that will need adding to other modules =============
require {
	class file append;
	type sendmail_t;
	type spamc_t;
	type system_mail_t;
	type user_home_t;
}

#============= sendmail_t ==============
milter_spamass_stream_connect(sendmail_t)
milter_regex_stream_connect(sendmail_t)

#============= system_mail_t ==============
milter_spamass_rw_stream_sockets(system_mail_t)

#============= spamc_t ==============
# Leaky file descriptor when delivering local mail when passing through spamc?
#
# procmail log
userdom_dontaudit_append_unpriv_home_content_files(spamc_t)
#
# message body for locally-originated mail
mta_dontaudit_rw_queue(spamc_t)

Paul.

From cachch at gmail.com Tue Jun 3 11:46:19 2008
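The earlier ls -lZ output in this thread showed both milter sockets carrying spamd_var_run_t, and the milters.fc above is what is meant to change that. As an added example (not part of Paul's mail or of the Fedora policy packages), the Python below resolves paths against those five .fc specs the way setfiles/matchpathcon approximately do: specs are ordered by specificity as refpolicy's fc_sort orders them (longer literal stem, then an explicit file-type qualifier, then a longer regex), and the last matching spec whose qualifier agrees with the file type wins, so a "--" entry never labels a socket. The CURRENT_LABELS dict is constructed from the quoted ls -lZ output; the specs themselves are the posted .fc verbatim. This lets you check the intended labels before building and loading the module.

```python
"""Resolve paths against the milters.fc specs posted above.

Added example, not part of the original mail or of the Fedora policy
packages. It approximates how setfiles/matchpathcon choose a context:
specs are ordered by specificity (as refpolicy's fc_sort does: longer
literal stem, then an explicit file-type qualifier, then longer regex)
and the last matching spec whose type qualifier agrees with the file
type wins.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five specs from milters.fc, copied from the posted policy.
MILTERS_FC = r"""
/usr/sbin/milter-regex        --  gen_context(system_u:object_r:milter_regex_exec_t,s0)
/var/spool/milter-regex(/.*)?     gen_context(system_u:object_r:milter_regex_spool_t,s0)
/usr/sbin/spamass-milter      --  gen_context(system_u:object_r:milter_spamass_exec_t,s0)
/var/run/spamass-milter\.pid  --  gen_context(system_u:object_r:milter_spamass_var_run_t,s0)
/var/run/spamass-milter(/.*)?     gen_context(system_u:object_r:milter_spamass_var_run_t,s0)
"""

# Constructed from the 'ls -lZ' output quoted earlier in the thread: both
# milter sockets currently carry spamd_var_run_t.
CURRENT_LABELS = {
    "/var/run/spamass-milter/spamass-milter.sock": "system_u:object_r:spamd_var_run_t:s0",
    "/var/spool/milter-regex/sock": "system_u:object_r:spamd_var_run_t:s0",
}

# file_contexts type qualifier -> one-letter file type ('-' regular, 'd' dir, 's' socket, ...)
QUALIFIERS = {"--": "-", "-d": "d", "-s": "s", "-p": "p", "-l": "l", "-b": "b", "-c": "c"}
_META = re.compile(r"[.^$?*+|\[\](){}\\]")
_GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),([^)]+)\)")


@dataclass
class Spec:
    regex: str
    ftype: Optional[str]      # None: the spec applies to any file type
    context: str
    pattern: "re.Pattern[str]"

    def stem_len(self) -> int:
        """Length of the literal prefix before the first regex metacharacter."""
        m = _META.search(self.regex)
        return len(self.regex) if m is None else m.start()


def parse_fc(text: str) -> List[Spec]:
    specs: List[Spec] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, qual, ctx = fields
            ftype: Optional[str] = QUALIFIERS[qual]
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        m = _GEN_CONTEXT.fullmatch(ctx)
        if m:  # gen_context(user:role:type,level) -> user:role:type:level
            ctx = f"{m.group(1)}:{m.group(2)}"
        specs.append(Spec(regex, ftype, ctx, re.compile(regex)))
    # Least specific first, so that a reverse scan finds the most specific match.
    specs.sort(key=lambda s: (s.stem_len(), s.ftype is not None, len(s.regex)))
    return specs


def lookup_context(specs: List[Spec], path: str, ftype: str = "-") -> Optional[str]:
    """Context for `path` when it is a file of type `ftype`; None if these specs do not label it."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue  # e.g. a '--' spec never applies to a socket
        if spec.pattern.fullmatch(path):
            return spec.context
    return None


def relabel_plan(specs: List[Spec], current: Dict[str, str], ftype: str = "s") -> Dict[str, Tuple[str, str]]:
    """Paths whose label would change under the new specs, mapped to (current, expected)."""
    plan: Dict[str, Tuple[str, str]] = {}
    for path, now in current.items():
        want = lookup_context(specs, path, ftype)
        if want is not None and want != now:
            plan[path] = (now, want)
    return plan


if __name__ == "__main__":
    fc = parse_fc(MILTERS_FC)
    for path, (now, want) in relabel_plan(fc, CURRENT_LABELS).items():
        print(f"{path}\n    now: {now}\n    fc:  {want}")
```

Run stand-alone it prints the two sockets with their present spamd_var_run_t label and the milter_spamass_var_run_t / milter_regex_spool_t labels the new specs would give them after restorecon; the real resolver also honours compiled regex flags and path stems that this sketch does not model.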
From: cachch at gmail.com (Carlos Chavez)
Date: Tue, 3 Jun 2008 05:46:19 -0600
Subject: selinux and httpd don't start on boot - message error EAI9
In-Reply-To: <4844FD3A.2040604@city-fan.org>
References: <4844FD3A.2040604@city-fan.org>
Message-ID:

Hi Paul.

No, there are no AVC denial messages or other SELinux-related error
messages in the logs. The error messages that I posted are shown only
during the start-up process; no other messages are sent to any log file.

What I did in order to associate the error with SELinux was to stop
SELinux; when I stop SELinux and restart the PC, httpd starts with no
problems at boot time.

I'm not sure about NetworkManager; in the logs it seems to load correctly
at boot time and set the network parameters as soon as the process
starts, with no delay.

I have configured ntpd to synchronize the date/time and this works fine;
this needs the network device to be set up, so I think NetworkManager
works too.

Cheers.
Carlos Chávez.

2008/6/3 Paul Howarth :
> Carlos Chavez wrote:
>
>> Hello everyone.
>>
>> The HTTP server doesn't start on boot; it sends the following message,
>> sort of. It was difficult to copy because it is shown only during the
>> start-up process and there are no log messages in any log file.
>>
>> Message: Address Family for Hostname not supported: (EAI 9) alloc_listener
>> failed to setup sockaddr for 127.0.0.1.
>> That is the message, sort of.
>>
>> This happens when I set the option Listen 127.0.0.1:80; when I start
>> httpd manually the server starts successfully, but not on boot.
>>
>> It also says that there is a syntax error in the line containing the
>> Listen directive, but if I run the syntax check httpd says the syntax
>> is OK.
>>
>> I'm using Fedora 9 with the latest updates.
>> selinux 3.3.1-55
>> httpd 2.2.8-3
>> kernel 2.6.25.3-18
>>
>
> My wild guess at the cause of this would be that NetworkManager hasn't
> started the network at the time the httpd initscript runs.
>
> Are there any indications in the logs (such as avc denials) that this is an
> selinux issue?
>
> Paul.
>

--
Carlos Chávez
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From eparis at redhat.com Tue Jun 3 12:09:49 2008
From: eparis at redhat.com (Eric Paris)
Date: Tue, 03 Jun 2008 08:09:49 -0400
Subject: selinux and httpd don't start on boot - message error EAI9
In-Reply-To:
References: <4844FD3A.2040604@city-fan.org>
Message-ID: <1212494989.3362.4.camel@localhost.localdomain>

On Tue, 2008-06-03 at 05:46 -0600, Carlos Chavez wrote:
> Hi Paul.
>
> No, there is no avc denials error messages or other selinux related
> error messages in the logs.
> The error messages that i post is showed only in the start up process
> but no other messages is send to any log file.
>
> What i did in order to associated the error to selinux was stoped
> selinux, when i stop selinux and restart the PC the httpd start with
> no problems at boot time.
>
> I'm not sure about the NetworkManager in the logs it seems that load
> correctly at boot time and set the network parameter as soon as the
> process start, no delay for that.
>
> I have configure the ntpd to synchronize the date/time and this works
> fine, this need the network device setup, so i think the
> NetworkManager works too.

Are you sure you are looking in the right place for those selinux denial
messages? look for 'denied' in /var/log/messages and look at the output
of ausearch -m AVC

-Eric

From kayvan at sylvan.com Tue Jun 3 23:48:02 2008
From: kayvan at sylvan.com (Kayvan A. Sylvan) Date: Tue, 3 Jun 2008 16:48:02 -0700 Subject: Weird SELinux problem after upgrade to F9 In-Reply-To: <20080603102517.GA9212@satyr.sylvan.com> References: <4844FD3A.2040604@city-fan.org> <20080603102517.GA9212@satyr.sylvan.com> Message-ID: <20080603234802.GA23034@satyr.sylvan.com> Does anyone have any suggestions here? I would really love to get SELinux working correctly on my F9 upgraded box. What can I do to debug this? On Tue, Jun 03, 2008 at 03:25:17AM -0700, Kayvan A. Sylvan wrote: > Hi everyone, > > Over the last few days, I have managed to upgrade myself from FC4 (yes, > really!) all the way to Fedora 9. > > My system is an X86_64 dual-core Intel box with 8GB of memory and it seems to > run so much faster with a smaller memory footprint under F9. Thanks to > all the Fedora developers! > > My problem is that after the upgrades I was getting all sorts of SELinux > errors (from practically every application), so I figured that I would > go ahead and relabel the filesystems. After the relabel, I was still > getting dozens of errors per second, so I changed SELinux to Permissive > mode (via /etc/selinux/config), rebooted and the system is now working. > > However, I would like to get SELinux to work in Enforcing mode. 
> > I have the following SELinux related packages installed: > > # yum list all selinux* > Installed Packages > > selinux-doc.noarch 1.26-1.1 installed > selinux-policy.noarch 3.3.1-55.fc9 installed > selinux-policy-targeted.noarch 3.3.1-55.fc9 installed > > Available Packages > selinux-policy-devel.noarch 3.3.1-55.fc9 updates > selinux-policy-mls.noarch 3.3.1-55.fc9 updates > > These are the types of errors I was seeing: > > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc: denied { getattr } for pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.316:13): avc: denied { getattr } for pid=1503 comm="dmsetup" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.934:14): avc: denied { getattr } for pid=1513 comm="fsck" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486110.804:15): avc: denied { getattr } for pid=1519 comm="mount" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486112.460:16): avc: denied { getattr } for pid=1564 comm="swapon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486124.825:21): avc: denied { getattr } for pid=1907 comm="restorecond" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486125.516:22): avc: denied { getattr } 
for pid=2015 comm="iptables" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486127.411:23): avc: denied { getattr } for pid=2888 comm="mcstransd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:43:58 satyr dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus > Jun 3 02:43:59 satyr dbus: avc: denied { acquire_svc } for service=org.kde.klauncher spid=4608 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus > > > Any help in getting this working would be very appreciated! > > Thanks. > > ---Kayvan > -- > Kayvan A. Sylvan | Proud husband of | Father to my kids: > Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89) > http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92) > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Kayvan A. Sylvan | Proud husband of | Father to my kids: Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89) http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From cachch at gmail.com Wed Jun 4 06:29:49 2008 
From: cachch at gmail.com (Carlos Chavez)
Date: Wed, 4 Jun 2008 00:29:49 -0600
Subject: selinux and httpd don't start on boot - message error EAI9
In-Reply-To: <1212494989.3362.4.camel@localhost.localdomain>
References: <4844FD3A.2040604@city-fan.org> <1212494989.3362.4.camel@localhost.localdomain>
Message-ID:

Hi Eric.
I think so.

cat /var/log/messages | grep denied
cat /var/log/messages | grep avc

Neither command shows any output, and

ausearch -m AVC

shows this:

----
time->Tue Jun 3 23:39:03 2008
type=SYSCALL msg=audit(1212557943.344:16): arch=40000003 syscall=11 success=yes exit=0 a0=9872498 a1=9870c50 a2=9870af0 a3=0 items=0 ppid=2878 pid=2879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1212557943.344:16): avc: denied { read write } for pid=2879 comm="NetworkManager" path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.data" dev=dm-0 ino=8356254 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1212557943.344:16): avc: denied { read write } for pid=2879 comm="NetworkManager" path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.index" dev=dm-0 ino=8356253 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

Those messages were from when I restarted NetworkManager as root in a shell.

Cheers.
Carlos Chávez.

2008/6/3 Eric Paris :
> On Tue, 2008-06-03 at 05:46 -0600, Carlos Chavez wrote:
> > Hi Paul.
> >
> > No, there is no avc denials error messages or other selinux related
> > error messages in the logs.
> > The error messages that i post is showed only in the start up process
> > but no other messages is send to any log file.
> >
> > What i did in order to associated the error to selinux was stoped
> > selinux, when i stop selinux and restart the PC the httpd start with
> > no problems at boot time.
> >
> > I'm not sure about the NetworkManager in the logs it seems that load
> > correctly at boot time and set the network parameter as soon as the
> > process start, no delay for that.
> >
> > I have configure the ntpd to synchronize the date/time and this works
> > fine, this need the network device setup, so i think the
> > NetworkManager works too.
>
> Are you sure you are looking in the right place for those selinux denial
> messages? look for 'denied' in /var/log/messages and look at the output
> of ausearch -m AVC
>
> -Eric
>
>

--
Carlos Chávez
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From paul at city-fan.org Wed Jun 4 08:39:25 2008
From: paul at city-fan.org (Paul Howarth) Date: Wed, 04 Jun 2008 09:39:25 +0100 Subject: selinux and httpd don't start on boot - message error EAI9 In-Reply-To: References: <4844FD3A.2040604@city-fan.org> <1212494989.3362.4.camel@localhost.localdomain> Message-ID: <484654BD.80808@city-fan.org> Carlos Chavez wrote: > Hi Eric. > I think so. > > cat /var/log/messages | grep denied > cat /var/log/messages | grep avc > > any command show no output and > > ausearch -m AVC > > show this: > > ---- > time->Tue Jun 3 23:39:03 2008 > type=SYSCALL msg=audit(1212557943.344:16): arch=40000003 syscall=11 > success=yes exit=0 a0=9872498 a1=9870c50 a2=9870af0 a3=0 items=0 > ppid=2878 pid=2879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > sgid=0 fsgid=0 tty=pts2 ses=1 comm="NetworkManager" > exe="/usr/sbin/NetworkManager" > subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null) > type=AVC msg=audit(1212557943.344:16): avc: denied { read write } > for pid=2879 comm="NetworkManager" > path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.data" dev=dm-0 > ino=8356254 scontext=unconfined_u:system_r:NetworkManager_t:s0 > tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file > type=AVC msg=audit(1212557943.344:16): avc: denied { read write } > for pid=2879 comm="NetworkManager" > path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.index" dev=dm-0 > ino=8356253 scontext=unconfined_u:system_r:NetworkManager_t:s0 > tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file > > that messages was when a restart the NetworkManager as root on a shell. You need to be looking in /var/log/audit/audit.log rather than /var/log/messages if you're running auditd. Paul. From eparis at redhat.com Wed Jun 4 13:25:37 2008 
From: eparis at redhat.com (Eric Paris)
Date: Wed, 04 Jun 2008 09:25:37 -0400
Subject: selinux and httpd don't start on boot - message error EAI9
In-Reply-To:
References: <4844FD3A.2040604@city-fan.org> <1212494989.3362.4.camel@localhost.localdomain>
Message-ID: <1212585937.2863.3.camel@localhost.localdomain>

On Wed, 2008-06-04 at 00:29 -0600, Carlos Chavez wrote:
> Hi Eric.
> I think so.
>
> cat /var/log/messages | grep denied
> cat /var/log/messages | grep avc
>
> any command show no output and
>
> ausearch -m AVC
>
> show this:
> ----
> time->Tue Jun 3 23:39:03 2008
>
> type=SYSCALL msg=audit(1212557943.344:16): arch=40000003 syscall=11 success=yes exit=0 a0=9872498 a1=9870c50 a2=9870af0 a3=0 items=0 ppid=2878 pid=2879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>
> type=AVC msg=audit(1212557943.344:16): avc: denied { read write } for pid=2879 comm="NetworkManager" path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.data" dev=dm-0 ino=8356254 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
> type=AVC msg=audit(1212557943.344:16): avc: denied { read write } for pid=2879 comm="NetworkManager" path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.index" dev=dm-0 ino=8356253 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
> that messages was when a restart the NetworkManager as root on a
> shell.
>
> Cheers.
> Carlos Chávez.

Huh... If your system is new enough to support it, can you try

semodule -DB

and then reboot; after it comes up and fails, give us the output of
ausearch -m AVC again...

-Eric

From mjc at avtechpulse.com Wed Jun 4 13:39:18 2008
From: mjc at avtechpulse.com (Dr. Michael J. Chudobiak)
Date: Wed, 04 Jun 2008 09:39:18 -0400
Subject: strange messages while installing selinux-policy-targeted
Message-ID: <48469B06.8080406@avtechpulse.com>

I can't seem to make selinux run on one of my systems. Can anyone make
sense of these odd installation messages:

Running Transaction
  Installing     : selinux-policy-targeted                 [1/1]

libsemanage.dbase_llist_query: could not query record value (No such file or directory).
/usr/sbin/semanage: range not supported on Non MLS machines
/usr/sbin/semanage: range not supported on Non MLS machines
/usr/sbin/semanage: range not supported on Non MLS machines
libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined for user guest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user guest_u
libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was defined for user xguest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add SELinux user xguest_u

Installed: selinux-policy-targeted.noarch 0:3.3.1-55.fc9
Complete!

- Mike

From dwalsh at redhat.com Wed Jun 4 19:05:55 2008
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 04 Jun 2008 15:05:55 -0400 Subject: AVCs from cron.daily (F9) In-Reply-To: <48450B5E.5040101@city-fan.org> References: <48450B5E.5040101@city-fan.org> Message-ID: <4846E793.4020209@redhat.com> Paul Howarth wrote: > On my work box, which is an up-to-date F9 install, I get a set of AVCs > from cron.daily every day, which I don't get on my home boxes. I suspect > it's because we use LDAP auth at work. It boils down to this when passed > through audit2allow -R: > > require { > type logwatch_t; > type locate_t; > type tmpreaper_t; > type logrotate_t; > } > > #============= locate_t ============== > cron_rw_tcp_sockets(locate_t) > > #============= logrotate_t ============== > cron_rw_tcp_sockets(logrotate_t) > > #============= logwatch_t ============== > cron_rw_tcp_sockets(logwatch_t) > > #============= tmpreaper_t ============== > cron_rw_tcp_sockets(tmpreaper_t) > > > Sample AVC: > time->Tue Jun 3 05:05:05 2008 > type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e syscall=59 > success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8 items=0 > ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch" > exe="/usr/sbin/tmpwatch" > subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null) > type=AVC msg=audit(1212465905.734:5714): avc: denied { read write } > for pid=12134 comm="tmpwatch" path="socket:[24785059]" dev=sockfs > ino=24785059 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 > tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket > > Paul. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Leaked file descriptor in nssldap? From dwalsh at redhat.com Wed Jun 4 19:13:08 2008 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 04 Jun 2008 15:13:08 -0400 Subject: Weird SELinux problem after upgrade to F9 In-Reply-To: <20080603102517.GA9212@satyr.sylvan.com> References: <4844FD3A.2040604@city-fan.org> <20080603102517.GA9212@satyr.sylvan.com> Message-ID: <4846E944.30302@redhat.com> Kayvan A. Sylvan wrote: > Hi everyone, > > Over the last few days, I have managed to upgrade myself from FC4 (yes, > really!) all the way to Fedora 9. > > My system is an X86_64 dual-core Intel box with 8GB of memory and it seems to > run so much faster with a smaller memory footprint under F9. Thanks to > all the Fedora developers! > > My problem is that after the upgrades I was getting all sorts of SELinux > errors (from practically every application), so I figured that I would > go ahead and relabel the filesystems. After the relabel, I was still > getting dozens of errors per second, so I changed SELinux to Permissive > mode (via /etc/selinux/config), rebooted and the system is now working. > > However, I would like to get SELinux to work in Enforcing mode. 
> > I have the following SELinux related packages installed: > > # yum list all selinux* > Installed Packages > > selinux-doc.noarch 1.26-1.1 installed > selinux-policy.noarch 3.3.1-55.fc9 installed > selinux-policy-targeted.noarch 3.3.1-55.fc9 installed > > Available Packages > selinux-policy-devel.noarch 3.3.1-55.fc9 updates > selinux-policy-mls.noarch 3.3.1-55.fc9 updates > > These are the types of errors I was seeing: > > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc: denied { getattr } for pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.316:13): avc: denied { getattr } for pid=1503 comm="dmsetup" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486109.934:14): avc: denied { getattr } for pid=1513 comm="fsck" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486110.804:15): avc: denied { getattr } for pid=1519 comm="mount" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:12 satyr kernel: type=1400 audit(1212486112.460:16): avc: denied { getattr } for pid=1564 comm="swapon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486124.825:21): avc: denied { getattr } for pid=1907 comm="restorecond" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486125.516:22): avc: denied { getattr } 
for pid=2015 comm="iptables" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:42:13 satyr kernel: type=1400 audit(1212486127.411:23): avc: denied { getattr } for pid=2888 comm="mcstransd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setrans_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem > Jun 3 02:43:58 satyr dbus: avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus > Jun 3 02:43:59 satyr dbus: avc: denied { acquire_svc } for service=org.kde.klauncher spid=4608 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus > > > Any help in getting this working would be very appreciated! > > Thanks. > > ---Kayvan You might need to check your user database semanage user -l semanage login -l From dwalsh at redhat.com Wed Jun 4 19:16:31 2008 
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 04 Jun 2008 15:16:31 -0400
Subject: strange messages while installing selinux-policy-targeted
In-Reply-To: <48469B06.8080406@avtechpulse.com>
References: <48469B06.8080406@avtechpulse.com>
Message-ID: <4846EA0F.70405@redhat.com>

Dr. Michael J. Chudobiak wrote:
> I can't seem to make selinux run on one of my systems. Can anyone make
> sense of these odd installation messages:
>
>
> Running Transaction
>   Installing     : selinux-policy-targeted                 [1/1]
>
> libsemanage.dbase_llist_query: could not query record value (No such
> file or directory).
> /usr/sbin/semanage: range not supported on Non MLS machines
> /usr/sbin/semanage: range not supported on Non MLS machines
> /usr/sbin/semanage: range not supported on Non MLS machines
> libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was
> defined for user guest_u
> libsepol.sepol_user_modify: could not load (null) into policy
> libsemanage.dbase_policydb_modify: could not modify record value
> libsemanage.semanage_base_merge_components: could not merge local
> modifications into policy
> /usr/sbin/semanage: Could not add SELinux user guest_u
> libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was
> defined for user xguest_u
> libsepol.sepol_user_modify: could not load (null) into policy
> libsemanage.dbase_policydb_modify: could not modify record value
> libsemanage.semanage_base_merge_components: could not merge local
> modifications into policy
> /usr/sbin/semanage: Could not add SELinux user xguest_u
>
> Installed: selinux-policy-targeted.noarch 0:3.3.1-55.fc9
> Complete!
>
>
> - Mike
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Are you installing on a disabled machine?

From paul at city-fan.org Wed Jun 4 19:19:50 2008
From: paul at city-fan.org (Paul Howarth) Date: Wed, 4 Jun 2008 20:19:50 +0100 Subject: AVCs from cron.daily (F9) In-Reply-To: <4846E793.4020209@redhat.com> References: <48450B5E.5040101@city-fan.org> <4846E793.4020209@redhat.com> Message-ID: <20080604201950.2ea03a55@metropolis.intra.city-fan.org> On Wed, 04 Jun 2008 15:05:55 -0400 Daniel J Walsh wrote: > Paul Howarth wrote: > > On my work box, which is an up-to-date F9 install, I get a set of > > AVCs from cron.daily every day, which I don't get on my home boxes. > > I suspect it's because we use LDAP auth at work. It boils down to > > this when passed through audit2allow -R: > > > > require { > > type logwatch_t; > > type locate_t; > > type tmpreaper_t; > > type logrotate_t; > > } > > > > #============= locate_t ============== > > cron_rw_tcp_sockets(locate_t) > > > > #============= logrotate_t ============== > > cron_rw_tcp_sockets(logrotate_t) > > > > #============= logwatch_t ============== > > cron_rw_tcp_sockets(logwatch_t) > > > > #============= tmpreaper_t ============== > > cron_rw_tcp_sockets(tmpreaper_t) > > > > > > Sample AVC: > > time->Tue Jun 3 05:05:05 2008 > > type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e > > syscall=59 success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8 > > items=0 ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0 > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch" > > exe="/usr/sbin/tmpwatch" > > subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null) > > type=AVC msg=audit(1212465905.734:5714): avc: denied { read > > write } for pid=12134 comm="tmpwatch" path="socket:[24785059]" > > dev=sockfs ino=24785059 > > scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 > > tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 > > tclass=tcp_socket > > > > Paul. 
> > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Leaked file descriptor in nssldap? I expect so. The denials don't seem to cause any problems but it would be nice if they were dontaudited. Paul. From dwalsh at redhat.com Wed Jun 4 19:53:51 2008 
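The cron_rw_tcp_sockets() rules Paul quoted are what audit2allow -R produced from the tmpwatch AVC, and his and Dan's point is that an allow rule is the wrong answer for that record: the TCP socket belongs to crond_t and reached tmpwatch only because nss_ldap left it open across exec. As an added example (not from either mail, and not audit2allow's own code), the Python below parses the three AVC record shapes quoted in this thread (audit.log type=AVC, syslog kernel: type=1400 audit(...), and the userspace dbus: avc: records from Kayvan's mail), merges permissions per source type, target type and class into allow rules as audit2allow does before any interface lookup, and keeps inherited-descriptor denials (a socket:[...] path whose target context is another process domain rather than an object_r file type) out of the rule set, since those want a dontaudit or a fix in the leaking library. The sample log is constructed from lines quoted in the thread; the list of descriptor-carrying object classes is my assumption.

```python
"""Turn the AVC records quoted in this thread into audit2allow-style rules.

Added example; not part of the original mails and not audit2allow's code.
Parses 'type=AVC', 'kernel: type=1400 audit(...)' and userspace 'dbus: avc:'
records, merges permissions per (source type, target type, class), and keeps
denials on inherited descriptors (the leaked-fd pattern) out of the rules.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: AVC lines as quoted in this thread.
SAMPLE_LOG = r'''
type=AVC msg=audit(1212465905.734:5714): avc:  denied  { read write } for  pid=12134 comm="tmpwatch" path="socket:[24785059]" dev=sockfs ino=24785059 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket
Jun  3 02:42:12 satyr kernel: type=1400 audit(1212486109.144:12): avc:  denied  { getattr } for  pid=1495 comm="restorecon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:42:12 satyr kernel: type=1400 audit(1212486109.934:14): avc:  denied  { getattr } for  pid=1513 comm="fsck" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:42:12 satyr kernel: type=1400 audit(1212486112.460:16): avc:  denied  { getattr } for  pid=1564 comm="swapon" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
Jun  3 02:43:58 satyr dbus: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4598 scontext=user_u:system_r:update_modules_t:s0 tcontext=user_u:system_r:update_modules_t:s0 tclass=dbus
'''

_AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Object classes that reach a process as an open descriptor (assumed list, not from the thread).
_FD_CLASSES = {"tcp_socket", "udp_socket", "unix_stream_socket", "unix_dgram_socket",
               "rawip_socket", "netlink_socket", "fifo_file"}

RuleKey = Tuple[str, str, str]   # (source type, target type, object class)


@dataclass
class Avc:
    perms: Tuple[str, ...]
    fields: Dict[str, str]       # comm, path, scontext, tcontext, tclass, ... as logged


def type_of(context: str) -> str:
    """user:role:type[:range] -> type (the MCS range may itself contain ':')."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Avc]:
    """One AVC record from any of the three log formats, or None for other lines."""
    m = _AVC.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group("rest"))}
    return Avc(tuple(m.group("perms").split()), fields)


def is_inherited_fd(rec: Avc) -> bool:
    """Denial on a descriptor the process did not open itself (leaked across exec)."""
    f = rec.fields
    target_role = f["tcontext"].split(":")[1]
    return (f["tclass"] in _FD_CLASSES
            and target_role != "object_r"            # target is a process domain, not a file type
            and f.get("path", "").startswith(("socket:[", "pipe:[")))


def summarize(text: str) -> Tuple[Dict[RuleKey, Set[str]], List[Tuple[str, str, str, str]]]:
    """Merged allow candidates, plus (comm, stype, ttype, tclass) for leaked-descriptor denials."""
    rules: Dict[RuleKey, Set[str]] = defaultdict(set)
    leaks: List[Tuple[str, str, str, str]] = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec.fields["scontext"]), type_of(rec.fields["tcontext"]), rec.fields["tclass"])
        if is_inherited_fd(rec):
            leaks.append((rec.fields.get("comm", "?"),) + key)
        else:
            rules[key].update(rec.perms)
    return rules, leaks


def format_rules(rules: Dict[RuleKey, Set[str]]) -> List[str]:
    """Render merged candidates in the allow-rule syntax audit2allow prints."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        body = " ".join(sorted(perms))
        out.append(f"allow {s} {t}:{c} {{ {body} }};" if len(perms) > 1 else f"allow {s} {t}:{c} {body};")
    return out


if __name__ == "__main__":
    rules, leaks = summarize(SAMPLE_LOG)
    print("\n".join(format_rules(rules)))
    for comm, s, t, c in leaks:
        print(f"# {comm}: {s} inherited a {c} from {t}; dontaudit or fix the leak, do not allow")
```

Against the sample this yields three allow candidates (setfiles_t and fsadm_t on security_t:filesystem getattr, update_modules_t on its own dbus send_msg) and one flagged leak for tmpwatch; the flagged case is exactly the one where audit2allow -R would otherwise hand you cron_rw_tcp_sockets().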
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 04 Jun 2008 15:53:51 -0400
Subject: AVCs from cron.daily (F9)
In-Reply-To: <20080604201950.2ea03a55@metropolis.intra.city-fan.org>
References: <48450B5E.5040101@city-fan.org> <4846E793.4020209@redhat.com> <20080604201950.2ea03a55@metropolis.intra.city-fan.org>
Message-ID: <4846F2CF.7070208@redhat.com>

Paul Howarth wrote:
> On Wed, 04 Jun 2008 15:05:55 -0400
> Daniel J Walsh wrote:
>
>> Paul Howarth wrote:
>>> On my work box, which is an up-to-date F9 install, I get a set of
>>> AVCs from cron.daily every day, which I don't get on my home boxes.
>>> I suspect it's because we use LDAP auth at work. It boils down to
>>> this when passed through audit2allow -R:
>>>
>>> require {
>>> type logwatch_t;
>>> type locate_t;
>>> type tmpreaper_t;
>>> type logrotate_t;
>>> }
>>>
>>> #============= locate_t ==============
>>> cron_rw_tcp_sockets(locate_t)
>>>
>>> #============= logrotate_t ==============
>>> cron_rw_tcp_sockets(logrotate_t)
>>>
>>> #============= logwatch_t ==============
>>> cron_rw_tcp_sockets(logwatch_t)
>>>
>>> #============= tmpreaper_t ==============
>>> cron_rw_tcp_sockets(tmpreaper_t)
>>>
>>>
>>> Sample AVC:
>>> time->Tue Jun 3 05:05:05 2008
>>> type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e
>>> syscall=59 success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8
>>> items=0 ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0
>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch"
>>> exe="/usr/sbin/tmpwatch"
>>> subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
>>> type=AVC msg=audit(1212465905.734:5714): avc: denied { read
>>> write } for pid=12134 comm="tmpwatch" path="socket:[24785059]"
>>> dev=sockfs ino=24785059
>>> scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
>>> tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023
>>> tclass=tcp_socket
>>>
>>> Paul.
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Leaked file descriptor in nssldap?
>
> I expect so. The denials don't seem to cause any problems but it would
> be nice if they were dontaudited.
>
> Paul.

It would be nicer if the nssldap would be fixed... I am working it.

From kayvan at sylvan.com Wed Jun 4 22:05:22 2008
From: kayvan at sylvan.com (Kayvan A. Sylvan)
Date: Wed, 4 Jun 2008 15:05:22 -0700
Subject: Weird SELinux problem after upgrade to F9
In-Reply-To: <4846E944.30302@redhat.com>
References: <4844FD3A.2040604@city-fan.org> <20080603102517.GA9212@satyr.sylvan.com> <4846E944.30302@redhat.com>
Message-ID: <20080604220522.GA29221@satyr.sylvan.com>

On Wed, Jun 04, 2008 at 03:13:08PM -0400, Daniel J Walsh wrote:
> You might need to check your user database
>
> semanage user -l
> semanage login -l

I do not know anything about how this is supposed to look. Here is what
the commands report:

[root at satyr ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles

root            user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh   system_r
user_u          user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r

[root at satyr ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      -s0:c0.c255
system_u                  system_u                  SystemLow-SystemHigh

From eparis at redhat.com Thu Jun 5 21:35:15 2008
From: eparis at redhat.com (Eric Paris)
Date: Thu, 05 Jun 2008 17:35:15 -0400
Subject: [RFC] -v2 livecd running and selinux enforcing
Message-ID: <1212701715.2863.60.camel@localhost.localdomain>

Still ongoing selinux policy and toolchain work in this area is needed
and I should do more testing on a host machine with selinux disabled but
this is the livecd patch I've got working as of today. I think that I
want to make my print >> sys.stderr message actually be fatal. The
reason for this is because setting selinux --disabled in the kickstart
and not having /usr/sbin/lokkit results in an enabled livecd which
doesn't work... No reason to just print a message and not stop the
work if we know for sure the results are useless...

This patch also has the f.close() fix that I sent yesterday, so it might
not apply if you already applied that one...

-Eric

diff -Naupr imgcreate.orig/creator.py imgcreate/creator.py --- imgcreate.orig/creator.py 2008-05-06 12:16:08.000000000 -0400 +++ imgcreate/creator.py 2008-06-05 17:10:36.561313078 -0400 @@ -23,6 +23,7 @@ import sys import tempfile import shutil +import selinux import yum import rpm
@@ -402,6 +403,52 @@ class ImageCreator(object): fstab.write(self._get_fstab()) fstab.close() + def __create_selinuxfs(self): + # if selinux exists on the host we need to lie to the chroot + if os.path.exists("/selinux/enforce"): + selinux_dir = self._instroot + "/selinux" + + # enforce=0 tells the chroot selinux is not enforcing + # policyvers=999 tell the chroot to make the highest version of policy it can + files = (('/enforce', '0'), + ('/policyvers', '999')) + for (file, value) in files: + fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT) + os.write(fd, value) + os.close(fd) + + # we steal mls from the host system for now, might be best to always set it to 1???? + files = ("/mls",) + for file in files: + shutil.copyfile("/selinux" + file, selinux_dir + file) + + # make /load -> /dev/null so chroot policy loads don't hurt anything + os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3)) + + # selinux is on in the kickstart, so clean up as best we can to start + if kickstart.selinux_enabled(self.ks): + # label the fs like it is a root before the bind mounting + arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot] + subprocess.call(arglist, close_fds = True) + # these dumb things don't get magically fixed, so make the user generic + for f in ("/proc", "/sys", "/selinux"): + arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f] + subprocess.call(arglist, close_fds = True) + + def __destroy_selinuxfs(self): + # if the system was running selinux clean up our lies + if os.path.exists("/selinux/enforce"): + files = ('/enforce', + '/policyvers', + '/mls', + '/load') + for file in files: + try: + os.unlink(self._instroot + "/selinux" + file) + except OSError: + pass + + def mount(self, base_on = None, cachedir = None): """Setup the target filesystem in preparation for an install. 
@@ -427,7 +474,7 @@ class ImageCreator(object): self._mount_instroot(base_on) - for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"): + for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc", "/selinux"): makedirs(self._instroot + d) cachesrc = cachedir or (self.__builddir + "/yum-cache") @@ -439,10 +486,6 @@ class ImageCreator(object): (cachesrc, "/var/cache/yum")]: self.__bindmounts.append(BindChrootMount(f, self._instroot, dest)) - # /selinux should only be mounted if selinux is enabled (enforcing or permissive) - if kickstart.selinux_enabled(self.ks): - self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None)) - # Create minimum /dev origumask = os.umask(0000) devices = [('null', 1, 3, 0666), @@ -460,6 +503,8 @@ class ImageCreator(object): os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr") os.umask(origumask) + self.__create_selinuxfs() + self._do_bindmounts() os.symlink("../proc/mounts", self._instroot + "/etc/mtab") @@ -479,6 +524,8 @@ class ImageCreator(object): except OSError: pass + self.__destroy_selinuxfs() + self._undo_bindmounts() self._unmount_instroot() @@ -543,7 +590,17 @@ class ImageCreator(object): for pkg in kickstart.get_excluded(self.ks, self._get_excluded_packages()): ayum.deselectPackage(pkg) - + + # if the system is running selinux and the kickstart wants it disabled + # we need /usr/sbin/lokkit + def __can_handle_selinux(self, ayum): + has_req = 1 + file = "/usr/sbin/lokkit" + if not kickstart.selinux_enabled(self.ks) and os.path.exists("/selinux/enforce"): + has_req = ayum.installHasFile(file) + if not has_req: + print >> sys.stderr, "Dude, you need a package which provides %s for your selinux setup to work" %(file) + def install(self, repo_urls = {}): """Install packages into the install root. 
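Review bot: in the __can_handle_selinux hunk a missing /usr/sbin/lokkit only prints to stderr (has_req goes to 0 but nothing acts on it), so a kickstart with selinux --disabled still produces an enabled image, which the covering mail says is useless; raise CreatorError(...) instead of print >> sys.stderr so install() aborts and unmount() tears the chroot down. With that, the has_req flag can go: `if not kickstart.selinux_enabled(self.ks) and os.path.exists("/selinux/enforce") and not ayum.installHasFile(file): raise CreatorError(...)`.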
@@ -579,6 +636,9 @@ class ImageCreator(object): self.__select_packages(ayum) self.__select_groups(ayum) self.__deselect_packages(ayum) + + self.__can_handle_selinux(ayum) + ayum.runInstall() except yum.Errors.RepoError, e: raise CreatorError("Unable to download from repo : %s" % (e,)) diff -Naupr imgcreate.orig/kickstart.py imgcreate/kickstart.py --- imgcreate.orig/kickstart.py 2008-05-06 12:16:08.000000000 -0400 +++ imgcreate/kickstart.py 2008-06-04 14:56:35.033603440 -0400 @@ -369,14 +369,15 @@ class SelinuxConfig(KickstartConfig): path = self.path(fn) f = file(path, "w+") os.chmod(path, 0644) + f.close() if ksselinux.selinux == ksconstants.SELINUX_DISABLED: return - if not os.path.exists(self.path("/sbin/restorecon")): + if os.path.exists(self.path("/sbin/restorecon")): + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"]) + else: return - self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"]) - def apply(self, ksselinux): if os.path.exists(self.path("/usr/sbin/lokkit")): args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"] diff -Naupr imgcreate.orig/yuminst.py imgcreate/yuminst.py --- imgcreate.orig/yuminst.py 2008-05-06 12:16:08.000000000 -0400 +++ imgcreate/yuminst.py 2008-06-05 17:00:00.574631892 -0400 @@ -79,7 +79,7 @@ class LiveCDYum(yum.YumBase): def selectPackage(self, pkg): """Select a given package. Can be specified with name.arch or name*""" return self.install(pattern = pkg) - + def deselectPackage(self, pkg): """Deselect package. Can be specified as name.arch or name*""" sp = pkg.rsplit(".", 2) 
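Review bot: in the kickstart.py hunk the new `else: return` is dead code, since the method ends right after the if/else; `if os.path.exists(self.path("/sbin/restorecon")): self.call([...])` on its own is equivalent and keeps the original early-return shape. The call also now passes -F and four -e excludes to the image's own /sbin/restorecon, so an older restorecon in the image may reject the arguments; if self.call does not already raise on a non-zero exit, check it here rather than let a failed relabel go unnoticed.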
@@ -138,6 +138,20 @@ class LiveCDYum(yum.YumBase): repo.setCallback(TextProgress()) self.repos.add(repo) return repo + + def installHasFile(self, file): + has_file = 0 + provides_pkg = self.whatProvides(file, None, None) + dlpkgs = map(lambda x: x.po, filter(lambda txmbr: txmbr.ts_state in ("i", "u"), self.tsInfo.getMembers())) + for p in dlpkgs: + for q in provides_pkg: + if (p == q): + has_file = 1 + if has_file: + return True + else: + return False + def runInstall(self): os.environ["HOME"] = "/"

From kayvan at sylvan.com Thu Jun 5 23:10:12 2008
From: kayvan at sylvan.com (Kayvan A. Sylvan)
Date: Thu, 5 Jun 2008 16:10:12 -0700
Subject: SOLVED: Weird SELinux problem after upgrade to F9
In-Reply-To: <1212701715.2863.60.camel@localhost.localdomain>
References: <1212701715.2863.60.camel@localhost.localdomain>
Message-ID: <20080605231012.GA8570@satyr.sylvan.com>

> On Wed, Jun 04, 2008 at 03:13:08PM -0400, Daniel J Walsh wrote:
>> You might need to check your user database
>>
>> semanage user -l
>> semanage login -l

Thank you for this hint. I tracked the issue to a manifestation of the
following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=443852

The fix was to do as one of the comments in the bug report suggested.
First, I downloaded both the F7 and F9 selinux-policy* packages. Then, I
did as follows:

1) mv /etc/selinux /etc/selinux.old
2) rpm --oldpackage -Uvh selinux-policy*fc7*
3) boot into the F9 rescue mode
4) chroot /mnt/sysimage
5) rpm -Uvh selinux-policy*fc9*
   (this last step took a long time, but the upgrade fixed the user_u
   issues while operating in a sane SELinux environment)
6) Reboot

Thanks a lot for the pointer!

Best regards,

---Kayvan

From katzj at redhat.com Fri Jun 6 02:08:39 2008
From: katzj at redhat.com (Jeremy Katz)
Date: Thu, 05 Jun 2008 22:08:39 -0400
Subject: [RFC] -v2 livecd running and selinux enforcing
In-Reply-To: <1212701715.2863.60.camel@localhost.localdomain>
References: <1212701715.2863.60.camel@localhost.localdomain>
Message-ID: <1212718119.12346.4.camel@aglarond.local>

This looks good. Just a couple of (minor) tweaks/questions

* Doesn't want to apply cleanly to current tip of git. Should be
  straight-forward to fix, if you don't have the time, I can
* Any chance of splitting it into two chunks (one for the main bit, a
  second for the "selinux --enforcing request, but no lokkit in the
  package list)? Again, I can if not

On Thu, 2008-06-05 at 17:35 -0400, Eric Paris wrote:
> Still ongoing selinux policy and toolchain work in this area is needed
> and I should do more testing on a host machine with selinux disabled but
> this is the livecd patch I've got working as of today. I think that I
> want to make my print >> sys.stderr message actually be fatal. The
> reason for this is because setting selinux --disabled in the kickstart
> and not having /usr/sbin/lokkit results in an enabled livecd which
> doesn't work... No reason to just print a message and not stop the
> work if we know for sure the results are useless...

Sure, and it's early enough to be reasonable. Just switch the print to
raise CreatorError and things will get torn down correctly too

> This patch also has the f.close() fix that I sent yesterday, so it might
> not apply if you already applied that one...

Yeah, I pushed it right after you sent it

In any case, I can fix those little things up tomorrow if you want to
move on to something else and just get this committed, pushed and the
relevant bug closed. And then we can hopefully get some more testing
than just the two of us

Jeremy

From eparis at redhat.com Fri Jun 6 20:11:53 2008
From: eparis at redhat.com (eparis at redhat.com)
Date: Fri, 6 Jun 2008 16:11:53 -0400
Subject: [PATCH 1/2] LiveCD - Add fake /selinux so livecd can run in enforcing
Message-ID: <1212783114-3654-1-git-send-email-eparis@redhat.com>

From: Eric Paris

This patch adds a /selinux directory to a newly created livecd compose which
will allow the tools inside the chroot to interoperate with the live system
successfully.

Signed-off-by: Eric Paris

--- imgcreate/creator.py | 55 ++++++++++++++++++++++++++++++++++++++++++++--- imgcreate/kickstart.py | 2 +- 2 files changed, 52 insertions(+), 5 deletions(-) diff --git a/imgcreate/creator.py b/imgcreate/creator.py index 5d010a1..f65f7d4 100644 --- a/imgcreate/creator.py +++ b/imgcreate/creator.py @@ -24,6 +24,7 @@ import tempfile import shutil import logging +import selinux import yum import rpm
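Review bot: the import hunk adds only selinux, but __create_selinuxfs later in this patch references stat.S_IFCHR and subprocess.call; the visible import block (tempfile, shutil, logging, yum, rpm) shows neither stat nor subprocess, so confirm creator.py already imports both or add them in this hunk.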
@@ -421,6 +422,52 @@ class ImageCreator(object): os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr") os.umask(origumask) + def __create_selinuxfs(self): + # if selinux exists on the host we need to lie to the chroot + if os.path.exists("/selinux/enforce"): + selinux_dir = self._instroot + "/selinux" + + # enforce=0 tells the chroot selinux is not enforcing + # policyvers=999 tell the chroot to make the highest version of policy it can + files = (('/enforce', '0'), + ('/policyvers', '999')) + for (file, value) in files: + fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT) + os.write(fd, value) + os.close(fd) + + # we steal mls from the host system for now, might be best to always set it to 1???? + files = ("/mls",) + for file in files: + shutil.copyfile("/selinux" + file, selinux_dir + file) + + # make /load -> /dev/null so chroot policy loads don't hurt anything + os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3)) + + # selinux is on in the kickstart, so clean up as best we can to start + if kickstart.selinux_enabled(self.ks): + # label the fs like it is a root before the bind mounting + arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot] + subprocess.call(arglist, close_fds = True) + # these dumb things don't get magically fixed, so make the user generic + for f in ("/proc", "/sys", "/selinux"): + arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f] + subprocess.call(arglist, close_fds = True) + + def __destroy_selinuxfs(self): + # if the system was running selinux clean up our lies + if os.path.exists("/selinux/enforce"): + files = ('/enforce', + '/policyvers', + '/mls', + '/load') + for file in files: + try: + os.unlink(self._instroot + "/selinux" + file) + except OSError: + pass + + def mount(self, base_on = None, cachedir = None): """Setup the target filesystem in preparation for an install. 
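Review bot: in __create_selinuxfs, os.open(..., os.O_WRONLY | os.O_TRUNC | os.O_CREAT) passes no mode, so the fake /enforce and /policyvers files are created 0777 minus the current umask; pass an explicit 0644, since nothing in the chroot needs to write them. The loop variable `file` shadows the builtin that kickstart.py relies on as file(path, "w+"). And because __destroy_selinuxfs swallows every OSError, a stale /load device node left by an aborted run makes the next os.mknod fail with EEXIST; unlink any leftover entries before creating them, and log rather than ignore failures in the destroy path.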
@@ -446,7 +493,7 @@ class ImageCreator(object): self._mount_instroot(base_on) - for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"): + for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc", "/selinux"): makedirs(self._instroot + d) cachesrc = cachedir or (self.__builddir + "/yum-cache") @@ -458,9 +505,7 @@ class ImageCreator(object): (cachesrc, "/var/cache/yum")]: self.__bindmounts.append(BindChrootMount(f, self._instroot, dest)) - # /selinux should only be mounted if selinux is enabled (enforcing or permissive) - if kickstart.selinux_enabled(self.ks): - self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None)) + self.__create_selinuxfs() self._do_bindmounts() @@ -483,6 +528,8 @@ class ImageCreator(object): except OSError: pass + self.__destroy_selinuxfs() + self._undo_bindmounts() self._unmount_instroot() diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py index c83e795..180cea2 100644 --- a/imgcreate/kickstart.py +++ b/imgcreate/kickstart.py @@ -389,7 +389,7 @@ class SelinuxConfig(KickstartConfig): if not os.path.exists(self.path("/sbin/restorecon")): return - self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"]) + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"]) def apply(self, ksselinux): if os.path.exists(self.path("/usr/sbin/lokkit")): -- 1.5.5.3 From eparis at redhat.com Fri Jun 6 20:11:54 2008 From: eparis at redhat.com (eparis at redhat.com) Date: Fri, 6 Jun 2008 16:11:54 -0400 Subject: [PATCH 2/2] LiveCD - add test for /sbin/lokkit if it is needed for selinux config In-Reply-To: <1212783114-3654-1-git-send-email-eparis@redhat.com> References: <1212783114-3654-1-git-send-email-eparis@redhat.com> Message-ID: <1212783114-3654-2-git-send-email-eparis@redhat.com> 
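Review bot: the mount hunk's new pseudo-directories ("/sys", "/proc", "/selinux") are the same paths that __create_selinuxfs relabels with chcon and that the kickstart.py hunk excludes from restorecon with -e (plus /dev); keep them in one shared tuple so the three lists cannot drift apart. Also, __create_selinuxfs() now runs unconditionally where the removed bind mount was gated on kickstart.selinux_enabled(self.ks); that looks intended, since the fake /selinux is what lets policy tools in the chroot behave, but a one-line comment at the call site saying so would save the next reader the question.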
From: Eric Paris

This patch adds a new function ayum.installHasFile() which tells if the install
image is going to contain a given file. We then use this new function to make
sure lokkit is going to be present so that we will be able to disable selinux
inside the image if the kickstart was configured that way. If we cannot
accommodate the kickstart setting we error the build.

Signed-off-by: Eric Paris

--- imgcreate/creator.py | 12 +++++++++++- imgcreate/yuminst.py | 10 ++++++++++ 2 files changed, 21 insertions(+), 1 deletions(-) diff --git a/imgcreate/creator.py b/imgcreate/creator.py index f65f7d4..c9ed60c 100644 --- a/imgcreate/creator.py +++ b/imgcreate/creator.py @@ -594,7 +594,14 @@ class ImageCreator(object): for pkg in kickstart.get_excluded(self.ks, self._get_excluded_packages()): ayum.deselectPackage(pkg) - + + # if the system is running selinux and the kickstart wants it disabled + # we need /usr/sbin/lokkit + def __can_handle_selinux(self, ayum): + file = "/usr/sbin/lokkit" + if not kickstart.selinux_enabled(self.ks) and os.path.exists("/selinux/enforce") and not ayum.installHasFile(file): + raise CreatorError("Unable to disable SELinux because the installed package set did not include the file %s" % (file)) + def install(self, repo_urls = {}): """Install packages into the install root. @@ -630,6 +637,9 @@ class ImageCreator(object): self.__select_packages(ayum) self.__select_groups(ayum) self.__deselect_packages(ayum) + + self.__can_handle_selinux(ayum) + ayum.runInstall() except yum.Errors.RepoError, e: raise CreatorError("Unable to download from repo : %s" % (e,)) diff --git a/imgcreate/yuminst.py b/imgcreate/yuminst.py index aebb822..dd5b189 100644 --- a/imgcreate/yuminst.py +++ b/imgcreate/yuminst.py
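Review bot: __can_handle_selinux gates the lokkit check on os.path.exists("/selinux/enforce"), i.e. on whether the build host runs SELinux, but the failure it guards against is inside the image: SelinuxConfig.apply (visible in the earlier kickstart.py hunk) only runs /usr/sbin/lokkit if it exists in the image, so a selinux --disabled kickstart without lokkit leaves the image's config untouched whatever the host is doing. Is the host test needed, or should the build fail on a non-SELinux host too? Calling it before ayum.runInstall() is the right place: failing before the download is the cheap point to fail.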
@@ -139,6 +139,16 @@ class LiveCDYum(yum.YumBase): repo.setCallback(TextProgress()) self.repos.add(repo) return repo + + def installHasFile(self, file): + provides_pkg = self.whatProvides(file, None, None) + dlpkgs = map(lambda x: x.po, filter(lambda txmbr: txmbr.ts_state in ("i", "u"), self.tsInfo.getMembers())) + for p in dlpkgs: + for q in provides_pkg: + if (p == q): + return True + return False + def runInstall(self): os.environ["HOME"] = "/" -- 1.5.5.3 From sds at tycho.nsa.gov Mon Jun 9 14:12:57 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 09 Jun 2008 10:12:57 -0400 Subject: [PATCH 1/2] LiveCD - Add fake /selinux so livecd can run in enforcing In-Reply-To: <1212783114-3654-1-git-send-email-eparis@redhat.com> References: <1212783114-3654-1-git-send-email-eparis@redhat.com> Message-ID: <1213020777.9375.35.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2008-06-06 at 16:11 -0400, eparis at redhat.com wrote: > From: Eric Paris > > This patch adds a /selinux directory to a newly created livecd compose which > will allow the tools inside the chroot to interoperate with the live system > successfully. > > Signed-off-by: Eric Paris > --- > imgcreate/creator.py | 55 ++++++++++++++++++++++++++++++++++++++++++++--- > imgcreate/kickstart.py | 2 +- > 2 files changed, 52 insertions(+), 5 deletions(-) > > diff --git a/imgcreate/creator.py b/imgcreate/creator.py > index 5d010a1..f65f7d4 100644 > --- a/imgcreate/creator.py > +++ b/imgcreate/creator.py > @@ -24,6 +24,7 @@ import tempfile > import shutil > import logging > > +import selinux > import yum > import rpm 
> > @@ -421,6 +422,52 @@ class ImageCreator(object): > os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr") > os.umask(origumask) > > + def __create_selinuxfs(self): > + # if selinux exists on the host we need to lie to the chroot > + if os.path.exists("/selinux/enforce"): > + selinux_dir = self._instroot + "/selinux" > + > + # enforce=0 tells the chroot selinux is not enforcing > + # policyvers=999 tell the chroot to make the highest version of policy it can > + files = (('/enforce', '0'), > + ('/policyvers', '999')) > + for (file, value) in files: > + fd = os.open(selinux_dir + file, os.O_WRONLY | os.O_TRUNC | os.O_CREAT) > + os.write(fd, value) > + os.close(fd) > + > + # we steal mls from the host system for now, might be best to always set it to 1???? This might be a problem for building RHEL 4 images, since MLS wasn't enabled there. I'm not certain though - I believe that there were compatibility fixes put into RHEL 4 kernel updates to allow them to mount filesystems modified under RHEL 5, so a modern RHEL 4 kernel would ignore any MLS component in the context. But the policy Makefile could be confused by /selinux/mls==1 there. 
> + files = ("/mls",) > + for file in files: > + shutil.copyfile("/selinux" + file, selinux_dir + file) > + > + # make /load -> /dev/null so chroot policy loads don't hurt anything > + os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3)) > + > + # selinux is on in the kickstart, so clean up as best we can to start > + if kickstart.selinux_enabled(self.ks): > + # label the fs like it is a root before the bind mounting > + arglist = ["/sbin/setfiles", "-F", "-r", self._instroot, selinux.selinux_file_context_path(), self._instroot] > + subprocess.call(arglist, close_fds = True) > + # these dumb things don't get magically fixed, so make the user generic > + for f in ("/proc", "/sys", "/selinux"): > + arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f] > + subprocess.call(arglist, close_fds = True) > + > + def __destroy_selinuxfs(self): > + # if the system was running selinux clean up our lies > + if os.path.exists("/selinux/enforce"): > + files = ('/enforce', > + '/policyvers', > + '/mls', > + '/load') > + for file in files: > + try: > + os.unlink(self._instroot + "/selinux" + file) > + except OSError: > + pass > + > + > def mount(self, base_on = None, cachedir = None): > """Setup the target filesystem in preparation for an install. > > @@ -446,7 +493,7 @@ class ImageCreator(object): > > self._mount_instroot(base_on) > > - for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"): > + for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc", "/selinux"): > makedirs(self._instroot + d) > > cachesrc = cachedir or (self.__builddir + "/yum-cache") 
> @@ -458,9 +505,7 @@ class ImageCreator(object): > (cachesrc, "/var/cache/yum")]: > self.__bindmounts.append(BindChrootMount(f, self._instroot, dest)) > > - # /selinux should only be mounted if selinux is enabled (enforcing or permissive) > - if kickstart.selinux_enabled(self.ks): > - self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None)) > + self.__create_selinuxfs() > > self._do_bindmounts() > > @@ -483,6 +528,8 @@ class ImageCreator(object): > except OSError: > pass > > + self.__destroy_selinuxfs() > + > self._undo_bindmounts() > > self._unmount_instroot() > diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py > index c83e795..180cea2 100644 > --- a/imgcreate/kickstart.py > +++ b/imgcreate/kickstart.py > @@ -389,7 +389,7 @@ class SelinuxConfig(KickstartConfig): > if not os.path.exists(self.path("/sbin/restorecon")): > return > > - self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"]) > + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"]) I assume that this is running the restorecon program from the chroot rather than the host restorecon program. Any issues there with the (potentially older) restorecon in the image not providing the same set of options or behavior? > def apply(self, ksselinux): > if os.path.exists(self.path("/usr/sbin/lokkit")): -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Mon Jun 9 14:14:23 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 09 Jun 2008 10:14:23 -0400 Subject: [PATCH 2/2] LiveCD - add test for /sbin/lokkit if it is needed for selinux config In-Reply-To: <1212783114-3654-2-git-send-email-eparis@redhat.com> References: <1212783114-3654-1-git-send-email-eparis@redhat.com> <1212783114-3654-2-git-send-email-eparis@redhat.com> Message-ID: <1213020863.9375.38.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2008-06-06 at 16:11 -0400, eparis at redhat.com wrote: 
> From: Eric Paris > > This patch adds a new function ayum.installHasFile() which tells if the install > image is going to contain a given file. We then use this new function to make > sure lokkit is going to be present so that we will be able to disable selinux > inside the image if the kickstart was configured that way. If we cannot > accomidate the kickstart setting we error the build. Do you really need lokkit or can you just manually rewrite /etc/selinux/config (i.e. just sed -e "s/SELINUX=enforcing/SELINUX=disabled/")? > > Signed-off-by: Eric Paris > --- > imgcreate/creator.py | 12 +++++++++++- > imgcreate/yuminst.py | 10 ++++++++++ > 2 files changed, 21 insertions(+), 1 deletions(-) > > diff --git a/imgcreate/creator.py b/imgcreate/creator.py > index f65f7d4..c9ed60c 100644 > --- a/imgcreate/creator.py > +++ b/imgcreate/creator.py > @@ -594,7 +594,14 @@ class ImageCreator(object): > for pkg in kickstart.get_excluded(self.ks, > self._get_excluded_packages()): > ayum.deselectPackage(pkg) > - > + > + # if the system is running selinux and the kickstart wants it disabled > + # we need /usr/sbin/lokkit > + def __can_handle_selinux(self, ayum): > + file = "/usr/sbin/lokkit" > + if not kickstart.selinux_enabled(self.ks) and os.path.exists("/selinux/enforce") and not ayum.installHasFile(file): > + raise CreatorError("Unable to disable SELinux because the installed package set did not include the file %s" % (file)) > + > def install(self, repo_urls = {}): > """Install packages into the install root. > > @@ -630,6 +637,9 @@ class ImageCreator(object): > self.__select_packages(ayum) > self.__select_groups(ayum) > self.__deselect_packages(ayum) > + > + self.__can_handle_selinux(ayum) > + > ayum.runInstall() > except yum.Errors.RepoError, e: > raise CreatorError("Unable to download from repo : %s" % (e,)) > diff --git a/imgcreate/yuminst.py b/imgcreate/yuminst.py > index aebb822..dd5b189 100644 > --- a/imgcreate/yuminst.py > +++ b/imgcreate/yuminst.py 
> @@ -139,6 +139,16 @@ class LiveCDYum(yum.YumBase): > repo.setCallback(TextProgress()) > self.repos.add(repo) > return repo > + > + def installHasFile(self, file): > + provides_pkg = self.whatProvides(file, None, None) > + dlpkgs = map(lambda x: x.po, filter(lambda txmbr: txmbr.ts_state in ("i", "u"), self.tsInfo.getMembers())) > + for p in dlpkgs: > + for q in provides_pkg: > + if (p == q): > + return True > + return False > + > > def runInstall(self): > os.environ["HOME"] = "/" -- Stephen Smalley National Security Agency From katzj at redhat.com Mon Jun 9 14:50:35 2008 
From: katzj at redhat.com (Jeremy Katz)
Date: Mon, 09 Jun 2008 10:50:35 -0400
Subject: [PATCH 1/2] LiveCD - Add fake /selinux so livecd can run in enforcing
In-Reply-To: <1213020777.9375.35.camel@moss-spartans.epoch.ncsc.mil>
References: <1212783114-3654-1-git-send-email-eparis@redhat.com> <1213020777.9375.35.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1213023035.27449.10.camel@aglarond.local>

On Mon, 2008-06-09 at 10:12 -0400, Stephen Smalley wrote:
> > + # we steal mls from the host system for now, might be best to always set it to 1????
>
> This might be a problem for building RHEL 4 images, since MLS wasn't
> enabled there. I'm not certain though - I believe that there were
> compatibility fixes put into RHEL 4 kernel updates to allow them to
> mount filesystems modified under RHEL 5, so a modern RHEL 4 kernel would
> ignore any MLS component in the context. But the policy Makefile could
> be confused by /selinux/mls==1 there.

Building a RHEL4 live image is all but certain to involve a number of
additional and probably larger challenges. Just getting RHEL5 ones to
build takes some contortions at this point.

> > - self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"])
> > + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"])
>
> I assume that this is running the restorecon program from the chroot
> rather than the host restorecon program. Any issues there with the
> (potentially older) restorecon in the image not providing the same set
> of options or behavior?

Yes, and this is definitely a possible concern. At the same time, if
people aren't building really old images that don't support all the
options, we should take advantage of what we can. So it's a bit of a
"use what we think we need, if someone wants to build something old
where that's not available, adapt"

Jeremy

From jam at zoidtechnologies.com Mon Jun 9 21:30:55 2008
From: jam at zoidtechnologies.com (Jeff MacDonald)
Date: Mon, 9 Jun 2008 17:30:55 -0400
Subject: [ccosta@gmail.com: Re: [PHP] Problems connecting (from php to pg)]
Message-ID: <20080609213055.GE10566@zoidtechnologies.com>

Greetings,

I felt this would be of interest to the selinux list, so I am forwarding
it along.

Regards,
jam

----- Forwarded message from Carlos Costa -----

Date: Mon, 9 Jun 2008 22:50:15 +0200
From: Carlos Costa
To: Daniel Alejandro
Cc: pgsql-php at postgresql.org
Subject: Re: [PHP] Problems connecting (from php to pg)

Thank you, Daniel and all. My problem was not related to pg, but to
selinux. I disabled selinux, and all runs fine now.

On Mon, Jun 9, 2008 at 10:17 PM, Daniel Alejandro wrote:
> 2008/6/7 Carlos Costa :
>> Hello all,
>>
>> I've the "standard connection error":
>>
>> Unable to connect to PostgreSQL server: could not connect to server:
>> Permission denied.
>> Is the server running on host "localhost" and accepting TCP/IP
>> connections on port 5432?
>>
>> The system is, yes, running and -I think- accepting TCP/IP connections
>> (I've tested this with netstat, I can connect to it with psql -h
>> localhost, and so).
>>
>> In the server where I am testing this I have FC7 installed, so the php
>> and the pgsql-php packages are:
>>
>> PHP Version 5.2.6
>> PostgreSQL(libpq) Version 8.2.7
>>
>> I think that there is a problem in the pgsql-php module. I've created
>> a ssh tunnel, and trying the connection to the same database from
>> other server (with PHP Version 5.2.5-3 and pgsql that supports
>> postgresql 8.3.0).
>>
>> The postgresql version in the server is the 8.3.0.
>>
>> What can we do? I am doing these tests with a simple php code (just a
>> pg_connect()).
>>
>> Thanks in advance,
>> Carlos.
>>
>> --
>> Sent via pgsql-php mailing list (pgsql-php at postgresql.org)
>> To make changes to your subscription:
>> http://www.postgresql.org/mailpref/pgsql-php
>>
> Did you check your pg_hba.conf file ???
>
> Bye :)
> --
> Daniel Carrero Canales
>

--
Sent via pgsql-php mailing list (pgsql-php at postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-php

----- End forwarded message -----

From paul at city-fan.org Mon Jun 9 22:09:52 2008
From: paul at city-fan.org (Paul Howarth) Date: Mon, 9 Jun 2008 23:09:52 +0100 Subject: [ccosta@gmail.com: Re: [PHP] Problems connecting (from php to pg)] In-Reply-To: <20080609213055.GE10566@zoidtechnologies.com> References: <20080609213055.GE10566@zoidtechnologies.com> Message-ID: <20080609230952.437e4141@metropolis.intra.city-fan.org> On Mon, 9 Jun 2008 17:30:55 -0400 Jeff MacDonald wrote: > Greetings, > > I felt this would be of interest to the selinux list, so I am > forwarding it along. > > Regards, > jam > > ----- Forwarded message from Carlos Costa ----- > > Date: Mon, 9 Jun 2008 22:50:15 +0200 > From: Carlos Costa > To: Daniel Alejandro > Cc: pgsql-php at postgresql.org > Subject: Re: [PHP] Problems connecting (from php to pg) > > Thank you, Daniel and all. My problem was not related to pg, but to > selinux. I disabled selinux, and all runs fine now. > > On Mon, Jun 9, 2008 at 10:17 PM, Daniel Alejandro > wrote: > > 2008/6/7 Carlos Costa : > >> Hello all, > >> > >> I've the "standard connection error": > >> > >> Unable to connect to PostgreSQL server: could not connect to > >> server: Permission denied. > >> Is the server running on host "localhost" and accepting TCP/IP > >> connections on port 5432? > >> > >> The system is, yes, running and -I think- accepting TCP/IP > >> connections (I've tested this with netstat, I can connect to it > >> with psql -h localhost, and so). I suspect that: # setsebool httpd_can_network_connect_db=1 might have been enough to fix this. Sigh. Paul. From cachch at gmail.com Tue Jun 10 04:03:10 2008 
From: cachch at gmail.com (Carlos Chavez) Date: Mon, 9 Jun 2008 22:03:10 -0600 Subject: selinux and httpd don't start on boot - message error EAI9 In-Reply-To: <1212585937.2863.3.camel@localhost.localdomain> References: <4844FD3A.2040604@city-fan.org> <1212494989.3362.4.camel@localhost.localdomain> <1212585937.2863.3.camel@localhost.localdomain> Message-ID: Unfortunately the list has a limit so i can not post the full list of messages, the following is just part of the messages related to the httpd: type=AVC msg=audit(1213067949.988:317): avc: denied { search } for pid=2004 comm="httpd" name="selinux" dev=dm-0 ino=5235563 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir type=SYSCALL msg=audit(1213067949.988:317): arch=40000003 syscall=5 success=no exit=-13 a0=196e92 a1=8000 a2=1b6 a3=0 items=0 ppid=2003 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1213067949.991:318): avc: denied { search } for pid=2004 comm="httpd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=SYSCALL msg=audit(1213067949.991:318): arch=40000003 syscall=195 success=no exit=-13 a0=bfc9b81c a1=bfc9b7bc a2=555ff4 a3=bfc9b81c items=0 ppid=2003 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1213067949.991:319): avc: denied { search } for pid=2004 comm="httpd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=SYSCALL msg=audit(1213067949.991:319): arch=40000003 syscall=5 success=no exit=-13 a0=bfc9b7f4 a1=8000 a2=0 a3=8000 items=0 ppid=2003 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1213069227.345:1828): bool=httpd_can_network_connect val=1 old_val=0 auid=500 ses=1
type=MAC_CONFIG_CHANGE msg=audit(1213069266.437:1833): bool=httpd_can_network_connect_db val=1 old_val=0 auid=500 ses=1

Cheers.
Carlos Chávez.

2008/6/4 Eric Paris :
> On Wed, 2008-06-04 at 00:29 -0600, Carlos Chavez wrote:
> > Hi Eric.
> > I think so.
> >
> > cat /var/log/messages | grep denied
> > cat /var/log/messages | grep avc
> >
> > Neither command shows any output, and
> >
> > ausearch -m AVC
> >
> > shows this:
> > ----
> > time->Tue Jun 3 23:39:03 2008
> >
> > type=SYSCALL msg=audit(1212557943.344:16): arch=40000003 syscall=11 success=yes exit=0 a0=9872498 a1=9870c50 a2=9870af0 a3=0 items=0 ppid=2878 pid=2879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
> >
> > type=AVC msg=audit(1212557943.344:16): avc: denied { read write } for pid=2879 comm="NetworkManager" path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.data" dev=dm-0 ino=8356254 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> >
> > type=AVC msg=audit(1212557943.344:16): avc: denied { read write } for pid=2879 comm="NetworkManager" path="/var/tmp/kdecache-cchavez/kpc/kde-icon-cache.index" dev=dm-0 ino=8356253 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> >
> > Those messages were from when I restarted NetworkManager as root in a
> > shell.
> >
> > Cheers.
> > Carlos Chávez.
>
> Huh... If your system is new enough to support it, can you try
>
> semodule -DB
> and then reboot
> after it comes up and fails give us the output of ausearch -m AVC
> again...
>
> -Eric
>

--
Carlos Chávez
From prakashkhallalli at gmail.com Tue Jun 10 11:44:24 2008
From: prakashkhallalli at gmail.com (prakash hallalli)
Date: Tue, 10 Jun 2008 17:14:24 +0530
Subject: [MLS Policy]:- MLS policy problem when manually restarting the servers.
Message-ID: <994219730806100444h3be95463u7b55213fed797045@mail.gmail.com>

Hi All

I have configured SELinux on CentOS 5.1. I have configured RBAC using the MLS (Multilevel Security) Policy. Now I am trying to restart the system services and they are not restarting; it is throwing some error messages. I have a question here: with the MLS policy enabled, will I be able to restart the system services? If yes, then what do I do, and if no, what is the reason?

Steps to reproduce:

1) MLS Policy configuration.

1. Install selinux-policy-mls
2. Set SELINUXTYPE=MLS in /etc/selinux/config file
3. touch ./autorelabel; on root's home directory, and reboot the machine.
4. While machine is rebooting, change the GRUB parameter. enforcing=0

2) Now the system is in permissive mode and SELinux status is as follows.

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
policy from config file: mls

3) Restart the system services and they restart successfully.

[root at turtle11 ~]# service nfs restart
Shutting down NFS mountd: [FAILED]
Shutting down NFS daemon: [FAILED]
Shutting down NFS quotas: [FAILED]
Shutting down NFS services: [FAILED]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]

4) Now I am setting enforcing mode using the setenforce command.

root at turtle11 ~]#setenforce 1
root at turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls

5) a) Now the system is in enforcing mode and I am trying to restart the system service. The restart will result in an error message.

root at turtle11 ~]#service nfs restart
/sbin/consoletype: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
/sbin/consoletype: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
nfs: unrecognized service

b) When I try to log in it shows the following error.

turtle login: smbldap3
/bin/login:error while loading shared libraries: libcrypt.so.1:failed to map segment from shared object: Permission denied
/sbin/mingetty: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Permission denied

c) When using the su command.

root at turtle11 ~]# su smbldap3
su: error while loading shared libraries: libpam.so.0: failed to map segment from shared object: Permission denied

I am not sure what is going on. I referred to many websites and PDFs but couldn't get the proper solution.

Please help me.

Thanks
Prakash.
From sds at tycho.nsa.gov Tue Jun 10 12:07:22 2008
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 10 Jun 2008 08:07:22 -0400 Subject: [MLS Policy]:- MLS policy problem when manully restart the servers . In-Reply-To: <994219730806100444h3be95463u7b55213fed797045@mail.gmail.com> References: <994219730806100444h3be95463u7b55213fed797045@mail.gmail.com> Message-ID: <1213099642.30576.76.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2008-06-10 at 17:14 +0530, prakash hallalli wrote: > Hi All > > I have configured SELinux on ContOS 5.1. I have configured the RBAC > using MLS (Multilevel Security) Policy. > Now i am trying to restart the system services and they are not > restarting and it is throwing some error message. > I have a question here, with mls policy enabled will i be able to > restart the system service? If yes then what to do and If no what is > the reason? > > Steps to reproduce: > > 1) MLS Policy configuration. > > 1. Install selinux-policy-mls > 2. Set SELINUXTYPE=MLS in /etc/selinux/config file > 3. touch ./autorelabel; on root's home directory, and reboot the > machine. > 4. While machine is rebooting, change the GRUB parameter. > enforcing=0 > > 2) Now system is in permissive mode and SELinux status is as follows. > > # sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: enforcing > Policy version: 21 > policy from config file: mls > > 3) Restart the system services and they restart successfully. > > [root at turtle11 ~]# service nfs restart > Shutting down NFS mountd: [FAILED] > Shutting down NFS daemon: [FAILED] > Shutting down NFS quotas: [FAILED] > Shutting down NFS services: [FAILED] > Starting NFS services: [ > OK ] > Starting NFS quotas: [ > OK ] > Starting NFS daemon: [ > OK ] > Starting NFS mountd: [ > OK ] > > 4) Now i am setting enforcing mode using setenforce command. 
> > root at turtle11 ~]#setenforce 1 > root at turtle11 ~]# sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: enforcing > Mode from config file: enforcing > Policy version: 21 > Policy from config file: mls > > 5) a) Now system is in enforcing mode and i am trying to restart the > system service. The restart will result in error message. > > root at turtle11 ~]#service nfs restart > /sbin/consoletype: error while loading shared libraries: libc.so.6: > cannot open shared object file: No such file or directory > /sbin/consoletype: error while loading shared libraries: libc.so.6: > cannot open shared object file: No such file or directory This suggests that libc.so.6 has the wrong label. In older versions of the policy, this was a difference between targeted and strict/mls policies. Boot in single-user mode and run fixfiles -F relabel. > nfs: unrecognized service > > b) When I trying to login it will show the following error. > > turtle login: smbldap3 > /bin/login:error while loading shared libraries: libcrypt.so.1:failed > to map segment from shared object: Permission denied > /sbin/mingetty: error while loading shared libraries: libc.so.6: > failed to map segment from shared object: Permission denied > > c) When using su command. > > root at turtle11 ~]# su smbldap3 > su: error while loading shared libraries: libpam.so.0: failed to map > segment from shared object: Permission denied > > I am not sure what is going on. I referred to many websites and PDFs > but couldn't get the proper solution. > > please help me. > > Thanks > Prakash. > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency From cra at WPI.EDU Tue Jun 10 12:42:09 2008 
From: cra at WPI.EDU (Chuck Anderson)
Date: Tue, 10 Jun 2008 08:42:09 -0400
Subject: [MLS Policy]:- MLS policy problem when manually restarting the servers.
In-Reply-To: <994219730806100444h3be95463u7b55213fed797045@mail.gmail.com>
References: <994219730806100444h3be95463u7b55213fed797045@mail.gmail.com>
Message-ID: <20080610124209.GB20510@angus.ind.WPI.EDU>

On Tue, Jun 10, 2008 at 05:14:24PM +0530, prakash hallalli wrote:
> Steps to reproduce:
>
> 1) MLS Policy configuration.
>
> 1. Install selinux-policy-mls
> 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> 3. touch ./autorelabel; on root's home directory, and reboot the machine.

This should be:

touch /.autorelabel

i.e., the file should be made in the / directory, not root's home directory /root. Did you see the machine do the relabel after you rebooted?
From dant at cdkkt.com Tue Jun 10 15:00:25 2008
From: dant at cdkkt.com (Dan Thurman)
Date: Tue, 10 Jun 2008 08:00:25 -0700
Subject: Problems with DNS logging
Message-ID: <200806100800.25553.dant@cdkkt.com>

I discovered that my logging somewhat failed:

1) I tried to use the link provided to submit a bugzilla and apparently it brought up bluefish, which asks for my account name and password. I tried to save this file but in doing so it failed to back up the file, so I clicked "continue" and it froze up. What am I doing wrong?

2) The specific selinux error is as follows:

=============================================
Summary:

SELinux is preventing named (named_t) "write" to ./named (named_conf_t).

Detailed Description:

SELinux denied access requested by named. It is not expected that this access is required by named and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./named, restorecon -v './named' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                ./named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port
Host                          gold.cdkkt.com
Source RPM Packages           bind-9.5.0-27.rc1.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-109.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.25.4-10.fc8 #1 SMP Thu May 22 23:34:09 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Tue 10 Jun 2008 07:38:58 AM PDT
Last Seen                     Tue 10 Jun 2008 07:52:54 AM PDT
Local ID                      616a532f-b429-435d-bf97-e1d8427cc638
Line Numbers

Raw Audit Messages

host=gold.cdkkt.com type=AVC msg=audit(1213109574.740:334): avc: denied { write } for pid=10160 comm="named" name="named" dev=sdb5 ino=2622969 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir

host=gold.cdkkt.com type=SYSCALL msg=audit(1213109574.740:334): arch=40000003 syscall=38 success=no exit=-13 a0=b543b4e8 a1=b7ea5ad2 a2=470214 a3=b7ea5ad2 items=0 ppid=10158 pid=10160 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

Thanks!
Dan
From prakashkhallalli at gmail.com Tue Jun 10 15:35:37 2008
From: prakashkhallalli at gmail.com (prakash hallalli)
Date: Tue, 10 Jun 2008 21:05:37 +0530
Subject: Fwd: [MLS Policy]:- MLS policy problem when manually restarting the servers.
In-Reply-To: <994219730806100822w657f571p7f4a61a0433e6313@mail.gmail.com>
References: <994219730806100444h3be95463u7b55213fed797045@mail.gmail.com> <1213099642.30576.76.camel@moss-spartans.epoch.ncsc.mil> <994219730806100822w657f571p7f4a61a0433e6313@mail.gmail.com>
Message-ID: <994219730806100835m1b53d475ie39d800adcd8bcc6@mail.gmail.com>

Hi

I have followed the steps you gave to change the libc.so.6 file label. Now the user is able to log in to the system; it is not showing any error message at login time. But I am still not able to restart system services. Now the error message it shows is "unrecognized service". I have received the following error messages.

[root at turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls

[root at turtle11 ~]# service nfs restart
Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: [ OK ]
Shutting down NFS quotas: [ OK ]
Shutting down NFS services: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]

[root at turtle11 ~]# setenforce 1
[root at turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls

[root at turtle11 ~]# service nfs restart
nfs: unrecognized service
[root at turtle11 ~]# service ldap restart
ldap: unrecognized service
[root at turtle11 ~]# service samba restart
samba: unrecognized service
[root at turtle11 ~]# service named restart
named: unrecognized service
[root at turtle11 ~]#

Please help me; what should I do?
Thanks, prakash On Tue, Jun 10, 2008 at 5:37 PM, Stephen Smalley wrote: > > On Tue, 2008-06-10 at 17:14 +0530, prakash hallalli wrote: > > Hi All > > > > I have configured SELinux on ContOS 5.1. I have configured the RBAC > > using MLS (Multilevel Security) Policy. > > Now i am trying to restart the system services and they are not > > restarting and it is throwing some error message. > > I have a question here, with mls policy enabled will i be able to > > restart the system service? If yes then what to do and If no what is > > the reason? > > > > Steps to reproduce: > > > > 1) MLS Policy configuration. > > > > 1. Install selinux-policy-mls > > 2. Set SELINUXTYPE=MLS in /etc/selinux/config file > > 3. touch ./autorelabel; on root's home directory, and reboot the > > machine. > > 4. While machine is rebooting, change the GRUB parameter. > > enforcing=0 > > > > 2) Now system is in permissive mode and SELinux status is as follows. > > > > # sestatus > > SELinux status: enabled > > SELinuxfs mount: /selinux > > Current mode: permissive > > Mode from config file: enforcing > > Policy version: 21 > > policy from config file: mls > > > > 3) Restart the system services and they restart successfully. > > > > [root at turtle11 ~]# service nfs restart > > Shutting down NFS mountd: [FAILED] > > Shutting down NFS daemon: [FAILED] > > Shutting down NFS quotas: [FAILED] > > Shutting down NFS services: [FAILED] > > Starting NFS services: [ > > OK ] > > Starting NFS quotas: [ > > OK ] > > Starting NFS daemon: [ > > OK ] > > Starting NFS mountd: [ > > OK ] > > > > 4) Now i am setting enforcing mode using setenforce command. > > > > root at turtle11 ~]#setenforce 1 > > root at turtle11 ~]# sestatus > > SELinux status: enabled > > SELinuxfs mount: /selinux > > Current mode: enforcing > > Mode from config file: enforcing > > Policy version: 21 > > Policy from config file: mls > > > > 5) a) Now system is in enforcing mode and i am trying to restart the > > system service. 
> > The restart will result in error message.
> >
> > root at turtle11 ~]#service nfs restart
> > /sbin/consoletype: error while loading shared libraries: libc.so.6:
> > cannot open shared object file: No such file or directory
> > /sbin/consoletype: error while loading shared libraries: libc.so.6:
> > cannot open shared object file: No such file or directory
>
> This suggests that libc.so.6 has the wrong label. In older versions of
> the policy, this was a difference between targeted and strict/mls
> policies. Boot in single-user mode and run fixfiles -F relabel.
>
> > nfs: unrecognized service
> >
> > b) When I trying to login it will show the following error.
> >
> > turtle login: smbldap3
> > /bin/login:error while loading shared libraries: libcrypt.so.1:failed
> > to map segment from shared object: Permission denied
> > /sbin/mingetty: error while loading shared libraries: libc.so.6:
> > failed to map segment from shared object: Permission denied
> >
> > c) When using su command.
> >
> > root at turtle11 ~]# su smbldap3
> > su: error while loading shared libraries: libpam.so.0: failed to map
> > segment from shared object: Permission denied
> >
> > I am not sure what is going on. I referred to many websites and PDFs
> > but couldn't get the proper solution.
> >
> > please help me.
> >
> > Thanks
> > Prakash.
> >
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> --
> Stephen Smalley
> National Security Agency
>
From dant at cdkkt.com Tue Jun 10 15:52:48 2008
From: dant at cdkkt.com (Dan Thurman)
Date: Tue, 10 Jun 2008 08:52:48 -0700
Subject: Problems with DNS logging [SOLVED]
In-Reply-To: <200806100800.25553.dant@cdkkt.com>
References: <200806100800.25553.dant@cdkkt.com>
Message-ID: <200806100852.49034.dant@cdkkt.com>

On Tuesday 10 June 2008 08:00:25 am Daniel B. Thurman wrote:
> I discovered that my logging somewhat failed:
> 1) I tried to use the link provided to submit a bugzilla and
>    apparently it brought up bluefish and within asks for my
>    account name and password, and I tried to save this file
>    but in doing so it failed to backup the file, so I clicked "continue"
>    and it froze up. What am I doing wrong?
> 2) The specific selinux error is as follows:
> [snipped!]

I solved (2) above. Apparently restorecon incorrectly set the named directory to the wrong context (named_conf_t) so I had to manually set it to named_log_t.

As for (1) above, I would still like to know how to get the bugzilla part working, but it is not a high priority for me at this time.

Thanks-
Dan
From prakashkhallalli at gmail.com Wed Jun 11 15:02:24 2008
From: prakashkhallalli at gmail.com (prakash hallalli)
Date: Wed, 11 Jun 2008 20:32:24 +0530
Subject: [MLS Policy]:- MLS policy enforcing mode problem when manually restarting the system services.
Message-ID: <994219730806110802r7c0f711el2f40593ca37c002f@mail.gmail.com>

HI ALL

I have configured SELinux on CentOS 5.1. I have configured RBAC using the MLS (Multilevel Security) Policy in enforcing mode. I am trying to restart the system services and they are not restarting; it is throwing some error messages.

Steps to reproduce:

1 ) MLS Policy configuration.

1. Install selinux-policy-mls
2. Set SELINUXTYPE=MLS in /etc/selinux/config file
3. touch ./autorelabel; on root's home directory, and reboot the machine.
4. While machine is rebooting, change the GRUB parameter. enforcing=0

2) Now the system is in permissive mode and SELinux status is as follows.

[root at turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls

3) Restart the system services and they restart successfully.

[root at turtle11 ~]# service nfs restart
Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: [ OK ]
Shutting down NFS quotas: [ OK ]
Shutting down NFS services: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]

3) Now I am setting enforcing mode using the setenforce command.

root at turtle11 ~]#setenforce 1
root at turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls

4) a) Now the system is in enforcing mode and I am trying to restart the system service. The restart will result in an error message.

[root at turtle11 ~]# service nfs restart
nfs: unrecognized service

[root at turtle11 ~]# run_init /etc/init.d/nfs restart
Authenticating root.
Password: XXXXXX
run_init: incorrect password for root
authentication failed.
[root at turtle11 ~]#

[root at turtle11 ~]# run_init /etc/init.d/ldap restart
Authenticating root.
Password: XXXXXX
run_init: incorrect password for root
authentication failed.

5) I am using sysadm_r

[root at turtle11 ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root at turtle11 ~]#

6) These are the /sbin/ausearch log messages I am getting.

[root at turtle11 ~]#/sbin/ausearch -i -m AVC -sv no
type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64 syscall=recvfrom success=no exit=-13(Permission denied) a0=5 a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied { read } for pid=3103 comm=dhcpd lport=1 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket

Please help me. What is going on?

Thanks
Prakash.
From sds at tycho.nsa.gov Wed Jun 11 15:08:41 2008
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 11 Jun 2008 11:08:41 -0400 Subject: [MLS Policy]:- MLS policy enforcing mode problem when manully restart the system services. In-Reply-To: <994219730806110802r7c0f711el2f40593ca37c002f@mail.gmail.com> References: <994219730806110802r7c0f711el2f40593ca37c002f@mail.gmail.com> Message-ID: <1213196921.17842.52.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2008-06-11 at 20:32 +0530, prakash hallalli wrote: > HI ALL > I have configured SELinux on ContOS 5.1. I have configured the RBAC > using MLS (Multilevel Security) Policy using enforcing mode. I am > trying to restart the system services and they are not restarting and > it is throwing some error message. > > Steps to reproduce: > > 1 ) MLS Policy configuration. > > 1. Install selinux-policy-mls > 2. Set SELINUXTYPE=MLS in /etc/selinux/config file > 3. touch ./autorelabel; on root's home directory, and reboot the > machine. As others noted, this should have been touch /.autorelabel, not touch ./autorelabel on root's home directory. But I don't think that is relevant any more - you already manually relabeled. > 4. While machine is rebooting, change the GRUB parameter. > enforcing=0 > > 2) Now system is in permissive mode and SELinux status is as follows. > > [root at turtle11 ~]# sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: enforcing > Policy version: 21 > Policy from config file: mls > > 3) Restart the system services and they restart successfully. > > [root at turtle11 ~]# service nfs restart > Shutting down NFS mountd: [ OK ] > Shutting down NFS daemon: [ OK ] > Shutting down NFS quotas: [ OK ] > Shutting down NFS services: [ OK ] > Starting NFS services: [ > OK ] > Starting NFS quotas: [ > OK ] > Starting NFS daemon: [ OK ] > Starting NFS mountd: [ OK ] > > 3) Now i am setting enforcing mode using setenforce command. 
> > root at turtle11 ~]#setenforce 1 > root at turtle11 ~]# sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: enforcing > Mode from config file: enforcing > Policy version: 21 > Policy from config file: mls > > 4) a) Now system is in enforcing mode and i am trying to restart the > system service. The restart will result in error message. > > [root at turtle11 ~]# service nfs restart > nfs: unrecognized service > > [root at turtle11 ~]# run_init /etc/init.d/nfs restart > Authenticating root. > Password: XXXXXX > run_init: incorrect password for root > authentication failed. > [root at turtle11 ~]# > > [root at turtle11 ~]# run_init /etc/init.d/ldap restart > Authenticating root. > Password: XXXXXX > run_init: incorrect password for root > authentication failed. This implies that the existing policy isn't allowing these domains to do what they need to perform the authentication. Elsewhere you said you are using ldap, so they may need additional permissions for the network lookup. > 5) I am using sysadm_r > > [root at turtle11 ~]# id > uid=0(root) gid=0(root) > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) > context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh > [root at turtle11 ~]# > > 6) This is i am getting /sbin/ausearch log messages. 
> > [root at turtle11 ~]#/sbin/ausearch -i -m AVC -sv no > type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64 > syscall=recvfrom success=no exit=-13(Permission denied) a0=5 > a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root > gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root > tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd > subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) > type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied > { read } for pid=3103 comm=dhcpd lport=1 > scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 > tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket On this one, as I said, dhcpd shouldn't be running in sysadm_t. How did you start it? -- Stephen Smalley National Security Agency From maximilianbianco at gmail.com Wed Jun 11 19:53:38 2008 
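Several messages in this thread (the httpd boolean discussion, the named_conf_t directory denial, and the dhcpd denial that Stephen flags as running in sysadm_t) hinge on reading the scontext/tcontext/tclass fields of AVC records. As an added example, not code from anyone on this list, here is a small Python parser that handles both the raw audit.log form and the `ausearch -i` interpreted form and summarises denials by source type, target type, class and permissions; the sample records are copied from messages in this thread, and the `not_system_role` check is my own heuristic, not something the list members stated.

```python
"""Parse SELinux AVC denial records and summarise them by source type,
target type, object class and permission set."""
import re
from collections import Counter

# Sample records copied from messages in this thread (named, httpd and dhcpd
# denials) plus one non-AVC record; the list itself is constructed here.
SAMPLE_LINES = [
    'type=AVC msg=audit(1213109574.740:334): avc: denied { write } for '
    'pid=10160 comm="named" name="named" dev=sdb5 ino=2622969 '
    'scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:named_conf_t:s0 tclass=dir',
    'type=AVC msg=audit(1213067949.988:317): avc: denied { search } for '
    'pid=2004 comm="httpd" name="selinux" dev=dm-0 ino=5235563 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir',
    'type=AVC msg=audit(1212426103.808:4122): avc: denied { read write } for '
    'pid=7037 comm="named" path="socket:[874313]" dev=sockfs ino=874313 '
    'scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket',
    # ausearch -i output: interpreted timestamp and unquoted values
    'type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied '
    '{ read } for pid=3103 comm=dhcpd lport=1 '
    'scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 '
    'tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket',
    'type=SYSCALL msg=audit(1213109574.740:334): arch=40000003 syscall=38 '
    'success=no exit=-13',
]

# Matches "type=AVC msg=audit(<id>): avc: denied { perms } for <key=value ...>"
# in both the raw "): avc:" and the ausearch -i ") : avc:" spellings.
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\(([^)]*)\)\s*:\s*avc:\s+denied\s+'
    r'\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; values are double-quoted (comm="named") or bare (comm=dhcpd).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_field(ctx, index):
    """Return one colon-separated element of a security context such as
    system_u:system_r:named_t:s0 (1 = role, 2 = type), or None."""
    if not ctx:
        return None
    parts = ctx.split(':')
    return parts[index] if len(parts) > index else None


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other
    record type (SYSCALL, MAC_CONFIG_CHANGE, ...)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    event_id, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        'event': event_id,
        'perms': perms.split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        # file objects carry path= or name=; sockets usually carry neither
        'target': fields.get('path') or fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'stype': context_field(fields.get('scontext'), 2),
        'ttype': context_field(fields.get('tcontext'), 2),
        'tclass': fields.get('tclass'),
    }


def not_system_role(denial):
    """Heuristic (my assumption, not from the thread): a process whose source
    context carries a login role such as sysadm_r instead of system_r was
    probably started from an interactive shell rather than via init/run_init."""
    return context_field(denial['scontext'], 1) != 'system_r'


def summarize(lines):
    """Count AVC denials by (source type, target type, class, perms)."""
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        counts[(d['stype'], d['ttype'], d['tclass'], ' '.join(d['perms']))] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LINES).items():
        print(n, *key)
    for line in SAMPLE_LINES:
        d = parse_avc(line)
        if d and not_system_role(d):
            print('started outside init?', d['comm'], d['scontext'])
```

Feeding it `ausearch -m AVC` output (raw or with `-i`) gives one line per distinct source/target/class/permission combination, which is the grouping you need before deciding between a relabel, a boolean, or a local policy module.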
From: maximilianbianco at gmail.com (max) Date: Wed, 11 Jun 2008 15:53:38 -0400 Subject: SELinux References/Books Message-ID: <48502D42.4030905@gmail.com> I would prefer to get a desktop reference rather than having to refer to online documents or the hardcopies of individual papers I have printed off, many of which are also dated. In any case I feel like I have learned enough that I can open a book on the subject of SELinux and not get completely lost. It looks like I have basically two options : SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open Source Software Development Series) by Frank Mayer, Karl MacMillan, and David Caplan (Paperback - Aug 6, 2006) SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty (Paperback - Oct 11, 2004) - Illustrated The first is more recent so I am leaning that way but I have seen opinions that suggest even it is way out of date. I don't mind spending money on a good book, reading is one of my favorite past times, but I don't want anything so dated that it won't serve as a decent reference for the near future (next year or so). I understand nothing is going to be up to the minute. Should I purchase one? or are they too out of date to even serve as good references? This is definitely something I am interested in learning about or I wouldn't bother to ask. Suggestions and advice from all corners of reality welcome. Max -- An unwillingness to embarrass oneself makes learning more difficult From sds at tycho.nsa.gov Wed Jun 11 20:49:10 2008 
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 11 Jun 2008 16:49:10 -0400
Subject: SELinux References/Books
In-Reply-To: <48502D42.4030905@gmail.com>
References: <48502D42.4030905@gmail.com>
Message-ID: <1213217350.17842.140.camel@moss-spartans.epoch.ncsc.mil>

On Wed, 2008-06-11 at 15:53 -0400, max wrote:
> I would prefer to get a desktop reference rather than having to refer
> to online documents or the hardcopies of individual papers I have
> printed off, many of which are also dated. In any case I feel like I
> have learned enough that I can open a book on the subject of SELinux and
> not get completely lost. It looks like I have basically two options :
>
> SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open
> Source Software Development Series) by Frank Mayer, Karl MacMillan, and
> David Caplan (Paperback - Aug 6, 2006)
>
> SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty
> (Paperback - Oct 11, 2004) - Illustrated
>
> The first is more recent so I am leaning that way but I have seen
> opinions that suggest even it is way out of date. I don't mind spending
> money on a good book, reading is one of my favorite past times, but I
> don't want anything so dated that it won't serve as a decent reference
> for the near future (next year or so). I understand nothing is going to
> be up to the minute. Should I purchase one? or are they too out of date
> to even serve as good references? This is definitely something I am
> interested in learning about or I wouldn't bother to ask. Suggestions
> and advice from all corners of reality welcome.

What kind of information are you looking for?

The first, more recent, book includes discussion of reference policy and policy modules and thus is relatively consistent with what you find in modern SELinux, although newer developments like system-config-selinux, setroubleshoot, etc naturally don't appear in it. It was written during the development of Fedora Core 5, which marked the transition of SELinux from the old way (example policy, monolithic policy) to the new way (reference policy, modular policy, semanage).

--
Stephen Smalley
National Security Agency

From prakashkhallalli at gmail.com Thu Jun 12 12:14:29 2008
From: prakashkhallalli at gmail.com (prakash hallalli)
Date: Thu, 12 Jun 2008 17:44:29 +0530
Subject: [MLS Policy]:- MLS policy enforcing mode problem when manually restart the system services.
In-Reply-To: <1213196921.17842.52.camel@moss-spartans.epoch.ncsc.mil>
References: <994219730806110802r7c0f711el2f40593ca37c002f@mail.gmail.com> <1213196921.17842.52.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <994219730806120514t68c2c1f9td2d1b076ce95ef51@mail.gmail.com>

Hi All,

I have to configure the Role-based access control (RBAC) for smbldap user. How should I set the roles for users, and which policy should I use?

Now I am using MLS Policy to configure the RBAC. I am not sure this is the correct way to configure the RBAC on CentOS 5.1.

Please help me find where I am going wrong.

Thanks,
Prakash

On Wed, Jun 11, 2008 at 8:38 PM, Stephen Smalley wrote:
>
> On Wed, 2008-06-11 at 20:32 +0530, prakash hallalli wrote:
> > HI ALL
> > I have configured SELinux on ContOS 5.1. I have configured the RBAC
> > using MLS (Multilevel Security) Policy using enforcing mode. I am
> > trying to restart the system services and they are not restarting and
> > it is throwing some error message.
> >
> > Steps to reproduce:
> >
> > 1 ) MLS Policy configuration.
> >
> > 1. Install selinux-policy-mls
> > 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> > 3. touch ./autorelabel; on root's home directory, and reboot the
> > machine.
>
> As others noted, this should have been touch /.autorelabel, not
> touch ./autorelabel on root's home directory. But I don't think that is
> relevant any more - you already manually relabeled.
>
> > 4. While machine is rebooting, change the GRUB parameter.
> > enforcing=0
> >
> > 2) Now system is in permissive mode and SELinux status is as follows.
> >
> > [root at turtle11 ~]# sestatus
> > SELinux status:                 enabled
> > SELinuxfs mount:                /selinux
> > Current mode:                   permissive
> > Mode from config file:          enforcing
> > Policy version:                 21
> > Policy from config file:        mls
> >
> > 3) Restart the system services and they restart successfully.
> >
> > [root at turtle11 ~]# service nfs restart
> > Shutting down NFS mountd:                                  [  OK  ]
> > Shutting down NFS daemon:                                  [  OK  ]
> > Shutting down NFS quotas:                                  [  OK  ]
> > Shutting down NFS services:                                [  OK  ]
> > Starting NFS services:                                     [  OK  ]
> > Starting NFS quotas:                                       [  OK  ]
> > Starting NFS daemon:                                       [  OK  ]
> > Starting NFS mountd:                                       [  OK  ]
> >
> > 3) Now i am setting enforcing mode using setenforce command.
> >
> > root at turtle11 ~]#setenforce 1
> > root at turtle11 ~]# sestatus
> > SELinux status:                 enabled
> > SELinuxfs mount:                /selinux
> > Current mode:                   enforcing
> > Mode from config file:          enforcing
> > Policy version:                 21
> > Policy from config file:        mls
> >
> > 4) a) Now system is in enforcing mode and i am trying to restart the
> > system service. The restart will result in error message.
> >
> > [root at turtle11 ~]# service nfs restart
> > nfs: unrecognized service
> >
> > [root at turtle11 ~]# run_init /etc/init.d/nfs restart
> > Authenticating root.
> > Password: XXXXXX
> > run_init: incorrect password for root
> > authentication failed.
> > [root at turtle11 ~]#
> >
> > [root at turtle11 ~]# run_init /etc/init.d/ldap restart
> > Authenticating root.
> > Password: XXXXXX
> > run_init: incorrect password for root
> > authentication failed.
>
> This implies that the existing policy isn't allowing these domains to do
> what they need to perform the authentication. Elsewhere you said you
> are using ldap, so they may need additional permissions for the network
> lookup.
>
> > 5) I am using sysadm_r
> >
> > [root at turtle11 ~]# id
> > uid=0(root) gid=0(root)
> > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> > context=root:sysadm_r:sysadm_t:SystemLow-SystemHigh
> > [root at turtle11 ~]#
> >
> > 6) This is what i am getting in the /sbin/ausearch log messages.
> >
> > [root at turtle11 ~]#/sbin/ausearch -i -m AVC -sv no
> > type=SYSCALL msg=audit(06/11/2008 20:01:29.285:130367) : arch=x86_64
> > syscall=recvfrom success=no exit=-13(Permission denied) a0=5
> > a1=7fff60825b40 a2=5dc a3=0 items=0 ppid=1 pid=3103 auid=root uid=root
> > gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> > tty=(none) comm=dhcpd exe=/usr/sbin/dhcpd
> > subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
> > type=AVC msg=audit(06/11/2008 20:01:29.285:130367) : avc: denied
> > { read } for pid=3103 comm=dhcpd lport=1
> > scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
> > tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=rawip_socket
>
> On this one, as I said, dhcpd shouldn't be running in sysadm_t.
> How did you start it?
>
> --
> Stephen Smalley
> National Security Agency
>
>

From dwalsh at redhat.com Thu Jun 12 13:49:09 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 12 Jun 2008 09:49:09 -0400
Subject: Problems with DNS logging [SOLVED]
In-Reply-To: <200806100852.49034.dant@cdkkt.com>
References: <200806100800.25553.dant@cdkkt.com> <200806100852.49034.dant@cdkkt.com>
Message-ID: <48512955.8040302@redhat.com>

Dan Thurman wrote:
> On Tuesday 10 June 2008 08:00:25 am Daniel B. Thurman wrote:
>> I discovered that my logging somewhat failed:
>> 1) I tried to use the link provided to submit a bugzilla and
>> apparently it brought up bluefish and within asks for my
>> account name and password, and I tried to save this file
>> but in doing so it failed to backup the file, so I clicked "continue"
>> and it froze up. What am I doing wrong?
>> 2) The specific selinux error is as follows:
>> [snipped!]
>
> I solved (2) above. Apparently restorecon incorrectly
> set the named directory to the wrong context (named_conf_t)
> so I had to manually set it to named_log_t.
>
> As for (1) above, I would still like to know how to get
> the bugzilla part working, but it is not a high priority
> for me at this time.
>
> Thanks-
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

What directory is named trying to write to?

If you are trying to have named update zone files, do you have the named_write_master_zones boolean turned on?

setsebool -P named_write_master_zones=1

From dwalsh at redhat.com Thu Jun 12 13:53:00 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 12 Jun 2008 09:53:00 -0400
Subject: Weird SELinux problem after upgrade to F9
In-Reply-To: <20080604220522.GA29221@satyr.sylvan.com>
References: <4844FD3A.2040604@city-fan.org> <20080603102517.GA9212@satyr.sylvan.com> <4846E944.30302@redhat.com> <20080604220522.GA29221@satyr.sylvan.com>
Message-ID: <48512A3C.20307@redhat.com>

Kayvan A. Sylvan wrote:
> On Wed, Jun 04, 2008 at 03:13:08PM -0400, Daniel J Walsh wrote:
>> You might need to check your user database
>>
>> semanage user -l
>> semanage login -l
>
> I do not know anything about how this is supposed to look. Here is
> what the commands report:
>
> [root at satyr ~]# semanage user -l
>
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range              SELinux Roles
>
> root            user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r
> system_u        user       s0         SystemLow-SystemHigh   system_r
> user_u          user       s0         SystemLow-SystemHigh   system_r sysadm_r user_r
>
> [root at satyr ~]# semanage login -l
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               user_u                    s0
> root                      root                      -s0:c0.c255
> system_u                  system_u                  SystemLow-SystemHigh
>

This is an upgrade problem. For some reason the selinux policy trigger did not fire, so the default login on your machine is not setup for unconfined users.

If you execute the following three commands it should fix your system:

# semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__
# semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root

From maximilianbianco at gmail.com Thu Jun 12 15:03:35 2008
From: maximilianbianco at gmail.com (max)
Date: Thu, 12 Jun 2008 11:03:35 -0400
Subject: [Fwd: [Fedora8] SElinux bug]
Message-ID: <48513AC7.5060201@gmail.com>

Found on fedora list.

-------- Original Message --------
Subject: [Fedora8] SElinux bug
Date: Thu, 12 Jun 2008 15:58:58 +0100
From: hicham
Reply-To: For users of Fedora
To: For users of Fedora

Hello
I had this morning a "freeze", where I could not shutdown X server or the laptop properly. Looking at /var/log/messages, I found what I suspect is a selinux bug:

Jun 12 12:19:00 laptop kernel: SELinux: out of range capability -555425744
Jun 12 12:19:00 laptop kernel: ------------[ cut here ]------------
Jun 12 12:19:00 laptop kernel: kernel BUG at security/selinux/hooks.c:1332!
Jun 12 12:19:00 laptop kernel: invalid opcode: 0000 [#1] SMP
Jun 12 12:19:00 laptop kernel: Modules linked in: iptable_nat xt_limit xt_tcpudp iptable_mangle ipt_LOG ipt_MASQUERADE nf_nat xt_DSCP ipt_REJECT nf_conntrack_irc nf_conntrack_ftp nf_conntrack_ipv4 xt_state nf_conntrack iptable_filter ip_tables x_tables pppoatm pppoe pppox ppp_synctty ppp_async ppp_generic slhc appletalk ipx p8023 ipv6 cpufreq_ondemand acpi_cpufreq vfat fat dm_mirror dm_multipath dm_mod parport_pc smsc_ircc2 parport irda crc_ccitt pcspkr floppy serio_raw snd_intel8x0 snd_seq_dummy snd_seq_oss video snd_seq_midi_event snd_seq output snd_seq_device snd_intel8x0m fglrx(P)(U) snd_ac97_codec snd_pcm_oss ac97_bus tg3 snd_mixer_oss snd_pcm wmi snd_timer battery snd ac soundcore snd_page_alloc button iTCO_wdt i2c_i801 i2c_core iTCO_vendor_support joydev speedtch usbatm sr_mod cdrom atm sg pata_acpi ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded: microcode]
Jun 12 12:19:00 laptop kernel:
Jun 12 12:19:00 laptop kernel: Pid: 2036, comm: X Tainted: P (2.6.25.4-10.fc8 #1)
Jun 12 12:19:00 laptop kernel: EIP: 0060:[] EFLAGS: 00213246 CPU: 0
Jun 12 12:19:00 laptop kernel: EIP is at task_has_capability+0x46/0x79
Jun 12 12:19:00 laptop kernel: EAX: 00000030 EBX: dee4e030 ECX: c07195e4 EDX: 00000000
Jun 12 12:19:00 laptop kernel: ESI: df191740 EDI: df18deb0 EBP: df18debc ESP: df18de6c
Jun 12 12:19:00 laptop kernel: DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Jun 12 12:19:00 laptop kernel: Process X (pid: 2036, ti=df18d000 task=df160000 task.ti=df18d000)
Jun 12 12:19:00 laptop kernel: Stack: c06d7792 dee4e030 df160000 00000003 df160000 dee4e030 00000000 00000000
Jun 12 12:19:00 laptop kernel:        00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Jun 12 12:19:00 laptop kernel:        00000000 dee4e030 df160000 df148000 df18decc c04cd2c2 df160000 e0d000c0
Jun 12 12:19:00 laptop kernel: Call Trace:
Jun 12 12:19:00 laptop kernel: [] ? selinux_capable+0x1f/0x23
Jun 12 12:19:00 laptop kernel: [] ? security_capable+0xc/0xe
Jun 12 12:19:00 laptop kernel: [] ? __capable+0xb/0x1f
Jun 12 12:19:00 laptop kernel: [] ? firegl_cmmqs_CWDDE32+0x0/0x110 [fglrx]
Jun 12 12:19:00 laptop kernel: [] ? capable+0x10/0x12
Jun 12 12:19:00 laptop kernel: [] ? firegl_ioctl+0xe7/0x220 [fglrx]
Jun 12 12:19:00 laptop kernel: [] ? ktime_get_ts+0x45/0x49
Jun 12 12:19:00 laptop kernel: [] ? ktime_get+0x13/0x2f
Jun 12 12:19:00 laptop kernel: [] ? ip_firegl_ioctl+0xe/0x10 [fglrx]
Jun 12 12:19:00 laptop kernel: [] ? vfs_ioctl+0x4e/0x67
Jun 12 12:19:00 laptop kernel: [] ? do_vfs_ioctl+0x262/0x279
Jun 12 12:19:00 laptop kernel: [] ? selinux_file_ioctl+0xa8/0xab
Jun 12 12:19:00 laptop kernel: [] ? sys_ioctl+0x40/0x5c
Jun 12 12:19:00 laptop kernel: [] ? syscall_call+0x7/0xb
Jun 12 12:19:00 laptop kernel: =======================
Jun 12 12:19:00 laptop kernel: Code: 05 00 00 89 d0 f3 ab 8b 4d b8 89 d8 b2 04 c1 f8 05 c6 45 bc 03 89 5d c4 89 4d c0 74 19 48 74 11 53 68 92 77 6d c0 e8 fd 9e f5 ff <0f> 0b 58 5a eb fe ba 45 00 00 00 8b 46 08 83 e3 1f 0f b7 f2 8d
Jun 12 12:19:00 laptop kernel: EIP: [] task_has_capability+0x46/0x79 SS:ESP 0068:df18de6c
Jun 12 12:19:00 laptop kernel: ---[ end trace fd35f97fc34637fa ]---
Jun 12 12:19:00 laptop kernel: [fglrx:firegl_release] *ERROR* device busy: 1 0
Jun 12 12:19:00 laptop kernel: [fglrx] release failed with code -EBUSY

--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

--
An unwillingness to embarrass oneself makes learning more difficult

From sds at tycho.nsa.gov Thu Jun 12 16:32:16 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 12 Jun 2008 12:32:16 -0400
Subject: [Fwd: [Fedora8] SElinux bug]
In-Reply-To: <48513AC7.5060201@gmail.com>
References: <48513AC7.5060201@gmail.com>
Message-ID: <1213288336.17842.187.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2008-06-12 at 11:03 -0400, max wrote:
> Found on fedora list.
>
> -------- Original Message --------
> Subject: [Fedora8] SElinux bug
> Date: Thu, 12 Jun 2008 15:58:58 +0100
> From: hicham
> Reply-To: For users of Fedora
> To: For users of Fedora
>
> Hello
> I had this morning a "freeze", where I could not shutdown X server or
> the laptop properly, looking at /var/log/messages:
> I found what I suspect a selinux bug :
>
> Jun 12 12:19:00 laptop kernel: SELinux: out of range capability -555425744

That's not a bug in SELinux, but rather in the caller - passing an illegal value to capable().

> Jun 12 12:19:00 laptop kernel: ------------[ cut here ]------------
> Jun 12 12:19:00 laptop kernel: kernel BUG at security/selinux/hooks.c:1332!
> Jun 12 12:19:00 laptop kernel: invalid opcode: 0000 [#1] SMP
> Jun 12 12:19:00 laptop kernel: Modules linked in: iptable_nat xt_limit
> xt_tcpudp iptable_mangle ipt_LOG ipt_MASQUERADE nf_nat xt_DSCP
> ipt_REJECT nf_conntrack_irc nf_conntrack_ftp nf_conntrack_ipv4 xt_state
> nf_conntrack iptable_filter ip_tables x_tables pppoatm pppoe pppox
> ppp_synctty
> ppp_async ppp_generic slhc appletalk ipx p8023 ipv6 cpufreq_ondemand
> acpi_cpufreq vfat fat dm_mirror dm_multipath dm_mod parport_pc
> smsc_ircc2 parport irda crc_ccitt pcspkr floppy serio_raw snd_intel8x0
> snd_seq_dummy snd_seq_oss video snd_seq_midi_event snd_seq output
> snd_seq_device
> snd_intel8x0m fglrx(P)(U) snd_ac97_codec snd_pcm_oss ac97_bus tg3

fglrx being the guilty culprit.

> snd_mixer_oss snd_pcm wmi snd_timer battery snd ac soundcore
> snd_page_alloc
> button iTCO_wdt i2c_i801 i2c_core iTCO_vendor_support joydev speedtch
> usbatm sr_mod cdrom atm sg pata_acpi ata_generic ata_piix libata
> sd_mod
> scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded:
> microcode]
> Jun 12 12:19:00 laptop kernel:
> Jun 12 12:19:00 laptop kernel: Pid: 2036, comm: X Tainted: P
> (2.6.25.4-10.fc8 #1)
> Jun 12 12:19:00 laptop kernel: EIP: 0060:[] EFLAGS: 00213246
> CPU: 0
> Jun 12 12:19:00 laptop kernel: EIP is at task_has_capability+0x46/0x79
> Jun 12 12:19:00 laptop kernel: EAX: 00000030 EBX: dee4e030 ECX:
> c07195e4 EDX: 00000000
> Jun 12 12:19:00 laptop kernel: ESI: df191740 EDI: df18deb0 EBP:
> df18debc ESP: df18de6c
> Jun 12 12:19:00 laptop kernel: DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Jun 12 12:19:00 laptop kernel: Process X (pid: 2036, ti=df18d000
> task=df160000 task.ti=df18d000)
> Jun 12 12:19:00 laptop kernel: Stack: c06d7792 dee4e030 df160000
> 00000003 df160000 dee4e030 00000000 00000000
> Jun 12 12:19:00 laptop kernel:        00000000 00000000 00000000
> 00000000 00000000 00000000 00000000 00000000
> Jun 12 12:19:00 laptop kernel:        00000000 dee4e030 df160000
> df148000 df18decc c04cd2c2 df160000 e0d000c0
> Jun 12 12:19:00 laptop kernel: Call Trace:
> Jun 12 12:19:00 laptop kernel: [] ? selinux_capable+0x1f/0x23
> Jun 12 12:19:00 laptop kernel: [] ? security_capable+0xc/0xe
> Jun 12 12:19:00 laptop kernel: [] ? __capable+0xb/0x1f
> Jun 12 12:19:00 laptop kernel: [] ?
> firegl_cmmqs_CWDDE32+0x0/0x110 [fglrx]
> Jun 12 12:19:00 laptop kernel: [] ? capable+0x10/0x12
> Jun 12 12:19:00 laptop kernel: [] ? firegl_ioctl+0xe7/0x220
> [fglrx]
> Jun 12 12:19:00 laptop kernel: [] ? ktime_get_ts+0x45/0x49
> Jun 12 12:19:00 laptop kernel: [] ? ktime_get+0x13/0x2f
> Jun 12 12:19:00 laptop kernel: [] ? ip_firegl_ioctl+0xe/0x10
> [fglrx]
> Jun 12 12:19:00 laptop kernel: [] ? vfs_ioctl+0x4e/0x67
> Jun 12 12:19:00 laptop kernel: [] ? do_vfs_ioctl+0x262/0x279
> Jun 12 12:19:00 laptop kernel: [] ? selinux_file_ioctl+0xa8/0xab
> Jun 12 12:19:00 laptop kernel: [] ? sys_ioctl+0x40/0x5c
> Jun 12 12:19:00 laptop kernel: [] ? syscall_call+0x7/0xb
> Jun 12 12:19:00 laptop kernel: =======================
> Jun 12 12:19:00 laptop kernel: Code: 05 00 00 89 d0 f3 ab 8b 4d b8 89
> d8 b2 04 c1 f8 05 c6 45 bc 03 89 5d c4 89 4d c0 74 19 48 74 11 53 68
> 92 77 6d c0 e8 fd 9e f5 ff <0f> 0b 58 5a eb fe ba 45 00 00 00 8b 46 08
> 83 e3 1f 0f b7 f2 8d
> Jun 12 12:19:00 laptop kernel: EIP: []
> task_has_capability+0x46/0x79 SS:ESP 0068:df18de6c
> Jun 12 12:19:00 laptop kernel: ---[ end trace fd35f97fc34637fa ]---
> Jun 12 12:19:00 laptop kernel: [fglrx:firegl_release] *ERROR* device
> busy: 1 0
> Jun 12 12:19:00 laptop kernel: [fglrx] release failed with code -EBUSY
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Jun 12 17:01:44 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 12 Jun 2008 13:01:44 -0400
Subject: [MLS Policy]:- MLS policy enforcing mode problem when manually restart the system services.
In-Reply-To: <994219730806120514t68c2c1f9td2d1b076ce95ef51@mail.gmail.com>
References: <994219730806110802r7c0f711el2f40593ca37c002f@mail.gmail.com> <1213196921.17842.52.camel@moss-spartans.epoch.ncsc.mil> <994219730806120514t68c2c1f9td2d1b076ce95ef51@mail.gmail.com>
Message-ID: <1213290104.17842.206.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2008-06-12 at 17:44 +0530, prakash hallalli wrote:
> HI All
> I have to configure the Role-based access control (RBAC) for smbldap
> user.
> How should i set the roles for users and which policy i should use?
>
> Now i am using MLS Policy for configure the RBAC.
> I am not sure this the correct way for configure the RBAC on CentOS
> 5.1.
>
> Please help me what i am going wrong.

If you only want support for user roles, then you don't need -mls policy. You can use -strict policy (prior to F8), or in F8 or later you can just map users to roles via semanage while using the default targeted policy.

--
Stephen Smalley
National Security Agency

From maximilianbianco at gmail.com Thu Jun 12 18:00:40 2008
From: maximilianbianco at gmail.com (max bianco)
Date: Thu, 12 Jun 2008 14:00:40 -0400
Subject: SELinux References/Books
In-Reply-To: <1213273867.17842.179.camel@moss-spartans.epoch.ncsc.mil>
References: <48502D42.4030905@gmail.com> <1213217350.17842.140.camel@moss-spartans.epoch.ncsc.mil> <4850518E.8030508@gmail.com> <1213273867.17842.179.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

On Thu, Jun 12, 2008 at 8:31 AM, Stephen Smalley wrote:
>
> On Wed, 2008-06-11 at 18:28 -0400, max wrote:
>> Stephen Smalley wrote:
>> > On Wed, 2008-06-11 at 15:53 -0400, max wrote:
>> >> I would prefer to get a desktop reference rather than having to refer
>> >> to online documents or the hardcopies of individual papers I have
>> >> printed off, many of which are also dated. In any case I feel like I
>> >> have learned enough that I can open a book on the subject of SELinux and
>> >> not get completely lost. It looks like I have basically two options :
>> >>
>> >> SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open
>> >> Source Software Development Series) by Frank Mayer, Karl MacMillan, and
>> >> David Caplan (Paperback - Aug 6, 2006)
>> >>
>> >> SELinux: NSA's Open Source Security Enhanced Linux by Bill McCarty
>> >> (Paperback - Oct 11, 2004) - Illustrated
>> >>
>> >> The first is more recent so I am leaning that way but I have seen
>> >> opinions that suggest even it is way out of date. I don't mind spending
>> >> money on a good book, reading is one of my favorite past times, but I
>> >> don't want anything so dated that it won't serve as a decent reference
>> >> for the near future (next year or so). I understand nothing is going to
>> >> be up to the minute. Should I purchase one? or are they too out of date
>> >> to even serve as good references? This is definitely something I am
>> >> interested in learning about or I wouldn't bother to ask. Suggestions
>> >> and advice from all corners of reality welcome.
>> >
>> > What kind of information are you looking for?
>> >
>> > The first, more recent, book includes discussion of reference policy and
>> > policy modules and thus is relatively consistent with what you find in
>> > modern SELinux, although newer developments like system-config-selinux,
>> > setroubleshoot, etc naturally don't appear in it. It was written during
>> > the development of Fedora Core 5, which marked the transition of SELinux
>> > from the old way (example policy, monolithic policy) to the new way
>> > (reference policy, modular policy, semanage).
>> >
>>
>> Well I'd like to learn it all but I think a practical approach would
>> mean learning to write policy first, since that is a skill I could put
>> to use now. I don't expect it will be easy but that's ok, I have some
>> time right now and I'd like to learn the policy language. If the first
>> book covers this then I will get it. Is there a better reference for
>> aspiring policy writers? I don't care about the gui tools so much, not
>> that they aren't useful but I prefer to do most things myself and not
>> automate it since this brings me less understanding.
>
> Yes, the first book covers the policy language and provides an
> introduction to writing a policy module, although specific interfaces
> and patterns are always evolving in the reference policy.
> oss.tresys.com/projects/refpolicy is a good resource for detailed
> refpolicy documentation, and the interface documentation is also locally
> installed on your system under /usr/share/doc/selinux-policy-x.y.z/html.
>
> I don't know of a better reference at present, although it seems like we
> are overdue for an updated edition of it, which could be significantly
> simplified by dropping all discussion of Fedora Core 3 and 4 conventions
> and focusing more specifically on how things are done now, although it
> no doubt would retain some of the older information for RHEL 4 users.
>
> --
> Stephen Smalley
> National Security Agency
>
>

Yes, a more up to date reference would be nice, but SELinux by Example will do for starters. I went ahead and had the local bookstore order it in so I could flip through it before I buy it, but it seems inevitable that I will make this purchase no matter what.

One thing that I notice a lot of people trying to do with computers in general is memorize things. A bad idea I think; people want quick answers, but without an understanding of the underlying system it just creates more confusion and ultimately leads to bigger blunders. Ego of course also gets in the way; nobody wants to look stupid, so often questions go unasked. I am working on abandoning that notion as it seems to be one of the biggest barriers to learning, though a modicum of judgment is still required, but I don't know if that can be taught; you just have to learn it over time. Getting to know the system is of course going to require some real focus, but I think in the long run it makes for a better understanding, even if it means it takes twice (or more) as long to get to my goal.

One of the real barriers to understanding and acceptance is good consistent documentation that people can turn to. Advancement shouldn't get frozen for the sake of publishing a book, but if the basics are solid and unlikely to change too much then I think it's time for an up to date reference. If you want a newcomer's perspective I personally would be happy to provide it, but also don't forget the mailing lists. I am sure I am not the only one trying to learn this and looking for a good guide. Posting bits to the various selinux related lists for feedback from the experienced and inexperienced users would certainly help as far as coverage and readability are concerned.

Another thing I can think of, though I don't know how feasible it is, is the notion of a moderated thread. I like my mailing lists unmoderated, but say for instance you want to post a how-to or work on one. The thread would be restricted to one or more persons posting to it until they are finished working out whatever it is and then opened for comments. There may be many factors here that I am unaware of or that simply aren't occurring to me right now. I can't be the first person to have such an idea, and it will of course be pointed out that live journals work much the same, but here my point is the scope of the audience that you are reaching on a mailing list vs. an individual blog, of which there are hundreds of thousands if not millions. Also it would help by adding more transparency to the process. I am no expert on mailing lists or email servers, but I thought it might be worth floating the idea anyway.

The other thing I noticed, while at the bookstore, is that various/most of the Linux magazines on the shelf right now have articles on security in them, and one, I forget which, has a piece on SELinux. It seems it's a hot topic everywhere I look. C-SPAN aired a rerun, from yesterday I think, of a hearing on computer spyware. I think Congressmen Nelson (Florida) and Pryor(?) were running the show. One of them may be a senator, but anyway there is apparently some legislation on the horizon. They had a couple of reps from various places there, including a guy from Symantec. I didn't watch the whole thing, but in what I saw nobody mentioned the real problem. As far as I am concerned the "real" problem is having the widespread use of an operating system that makes things like drive-by downloads so easy in the first place, where most of the security rests with a program (anti-virus) that relies almost exclusively on updates, but that is another debate and probably not one worth having anyway. Unfortunately it will probably take a major virus outbreak, on a scale we have yet to see, or a massive, widespread, and very public breach of security to wake people up. I will go ahead and shut down here; my real point is that it seems people are starting to pay a lot more attention :^).

Thanks for the feedback.

Max
--
I am altering the deal. Pray I do not alter it any further. --Darth Vader

From maximilianbianco at gmail.com Thu Jun 12 19:18:42 2008
From: maximilianbianco at gmail.com (max bianco)
Date: Thu, 12 Jun 2008 15:18:42 -0400
Subject: [Fwd: [Fedora8] SElinux bug]
In-Reply-To: <1213288336.17842.187.camel@moss-spartans.epoch.ncsc.mil>
References: <48513AC7.5060201@gmail.com> <1213288336.17842.187.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

On Thu, Jun 12, 2008 at 12:32 PM, Stephen Smalley wrote:
>
> On Thu, 2008-06-12 at 11:03 -0400, max wrote:
>> Found on fedora list.
>>
>> -------- Original Message --------
>> Subject: [Fedora8] SElinux bug
>> Date: Thu, 12 Jun 2008 15:58:58 +0100
>> From: hicham
>> Reply-To: For users of Fedora
>> To: For users of Fedora
>>
>> Hello
>> I had this morning a "freeze", where I could not shutdown X server or
>> the laptop properly, looking at /var/log/messages:
>> I found what I suspect a selinux bug :
>>
>> Jun 12 12:19:00 laptop kernel: SELinux: out of range capability -555425744
>
> That's not a bug in SELinux, but rather in the caller - passing an
> illegal value to capable().
>
>> Jun 12 12:19:00 laptop kernel: ------------[ cut here ]------------
>> Jun 12 12:19:00 laptop kernel: kernel BUG at security/selinux/hooks.c:1332!
>> Jun 12 12:19:00 laptop kernel: invalid opcode: 0000 [#1] SMP
>> Jun 12 12:19:00 laptop kernel: Modules linked in: iptable_nat xt_limit
>> xt_tcpudp iptable_mangle ipt_LOG ipt_MASQUERADE nf_nat xt_DSCP
>> ipt_REJECT nf_conntrack_irc nf_conntrack_ftp nf_conntrack_ipv4 xt_state
>> nf_conntrack iptable_filter ip_tables x_tables pppoatm pppoe pppox
>> ppp_synctty
>> ppp_async ppp_generic slhc appletalk ipx p8023 ipv6 cpufreq_ondemand
>> acpi_cpufreq vfat fat dm_mirror dm_multipath dm_mod parport_pc
>> smsc_ircc2 parport irda crc_ccitt pcspkr floppy serio_raw snd_intel8x0
>> snd_seq_dummy snd_seq_oss video snd_seq_midi_event snd_seq output
>> snd_seq_device
>> snd_intel8x0m fglrx(P)(U) snd_ac97_codec snd_pcm_oss ac97_bus tg3
>
> fglrx being the guilty culprit.
>

So did fglrx freeze the machine or did SELinux? If the latter, is this sort of behavior configurable in some way? What I mean is, can SELinux be configured to respond in particular ways in the event of some unknown or unexpected event? Say I want it to segfault in a situation like this, or kill X and drop to runlevel three, prohibit remote access entirely or maybe all but one particular node, and send an email alert to the administrator. I am not suggesting this behavior for the average desktop, but in certain environments a segfault might be preferable to a potential compromise. Though I am sure false alarms would cause quite a few grumbles, not to mention soiled pants.

--
I am altering the deal. Pray I do not alter it any further. --Darth Vader

From jmorris at namei.org Thu Jun 12 23:13:22 2008
From: jmorris at namei.org (James Morris)
Date: Fri, 13 Jun 2008 09:13:22 +1000 (EST)
Subject: [Fwd: [Fedora8] SElinux bug]
In-Reply-To:
References: <48513AC7.5060201@gmail.com> <1213288336.17842.187.camel@moss-spartans.epoch.ncsc.mil>
Message-ID:

On Thu, 12 Jun 2008, max bianco wrote:

> >> snd_intel8x0m fglrx(P)(U) snd_ac97_codec snd_pcm_oss ac97_bus tg3
> >
> > fglrx being the guilty culprit.
> >
>
> So did fglrx freeze the machine or did SELinux?

The binary fglrx driver has a bug in it, which we can't fix, because we don't have the source. It's a general problem with binary drivers.

- James
--
James Morris

From cra at WPI.EDU Fri Jun 13 00:34:42 2008
From: cra at WPI.EDU (Chuck Anderson)
Date: Thu, 12 Jun 2008 20:34:42 -0400
Subject: F9: su and sudo don't work as user
Message-ID: <20080613003442.GB6406@angus.ind.WPI.EDU>

Ok, I thought this was a known issue but I can't seem to find it mentioned anywhere. I have an F9 system that "su" and "sudo" don't work on. I noticed that my context was user_u rather than unconfined_u:

Login on the console as cra:

[cra at system 20:25:34 /home/cra]>id
uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0
[cra at system 20:25:36 /home/cra]>su
/bin/su: Permission denied.
[cra at system 20:25:37 /home/cra]>sudo
sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted

So I tried to go in as root and fix the context like this:

Login on the console as root:

[root at system ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 22
Policy from config file:        targeted

[root at system ~]# setenforce 0
[root at system ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0
root                      root                      s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

[root at system ~]# semanage login -m -s unconfined_u root
libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not modify login mapping for root

[root at system ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 22
Policy from config file:        targeted

[root at system ~]# setenforce 1
[root at system ~]# exit

But it didn't work, as you can see. I'm running these versions:

kernel-2.6.25.4-30.fc9.x86_64
selinux-policy-targeted-3.3.1-64.fc9.noarch

Can someone please help? Thanks.

From sds at tycho.nsa.gov Fri Jun 13 12:26:30 2008
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 13 Jun 2008 08:26:30 -0400 Subject: F9: su and sudo don't work as user In-Reply-To: <20080613003442.GB6406@angus.ind.WPI.EDU> References: <20080613003442.GB6406@angus.ind.WPI.EDU> Message-ID: <1213359990.17842.326.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2008-06-12 at 20:34 -0400, Chuck Anderson wrote: > Ok, I thought this was a known issue but I can't seem to find it > mentioned anywhere. I have a F9 system that "su" and "sudo" don't > work on. I noticed that my context was user_u rather than > unconfined_u: They shouldn't work from user_u, as that user identity/role isn't supposed to be able to use them (unprivileged user). > > Login on the console as cra: > > [cra at system 20:25:34 /home/cra]>id > uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0 > [cra at system 20:25:36 /home/cra]>su > /bin/su: Permission denied. > [cra at system 20:25:37 /home/cra]>sudo > sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted > > So I tried to go in as root and fix the context like this: > > Login on the console as root: > > [root at system ~]# sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: enforcing > Mode from config file: enforcing > Policy version: 22 > Policy from config file: targeted > > [root at system ~]# setenforce 0 > [root at system ~]# semanage login -l > > Login Name SELinux User MLS/MCS Range > > __default__ unconfined_u s0 > root root s0-s0:c0.c1023 > system_u system_u s0-s0:c0.c1023 semanage user -l shows what? > > [root at system ~]# semanage login -m -s unconfined_u root > libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory). > libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory). > libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory). 
> /usr/sbin/semanage: Could not modify login mapping for root > > [root at system ~]# sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: enforcing > Policy version: 22 > Policy from config file: targeted > > [root at system ~]# setenforce 1 > [root at system ~]# exit > > But it didn't work as you can see. I'm running these versions: > > kernel-2.6.25.4-30.fc9.x86_64 > selinux-policy-targeted-3.3.1-64.fc9.noarch > > Can someone please help? > > Thanks. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency From cra at WPI.EDU Fri Jun 13 14:09:52 2008 
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 13 Jun 2008 10:09:52 -0400
Subject: F9: su and sudo don't work as user
In-Reply-To: <1213359990.17842.326.camel@moss-spartans.epoch.ncsc.mil>
References: <20080613003442.GB6406@angus.ind.WPI.EDU> <1213359990.17842.326.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20080613140952.GP20510@angus.ind.WPI.EDU>

On Fri, Jun 13, 2008 at 08:26:30AM -0400, Stephen Smalley wrote:
> They shouldn't work from user_u, as that user identity/role isn't
> supposed to be able to use them (unprivileged user).

Right, I was trying to fix that, and apparently failed.

> > [root at system ~]# semanage login -l
> >
> > Login Name                SELinux User              MLS/MCS Range
> >
> > __default__               unconfined_u              s0
> > root                      root                      s0-s0:c0.c1023
> > system_u                  system_u                  s0-s0:c0.c1023
>
> semanage user -l shows what?

I didn't know there was a "user" in addition to "login":

# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles

root            unconfined s0         s0-s0:c0.c1023  system_r staff_r unconfined_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c1023  system_r staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023  sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
user_u          user       s0         s0              user_r

Now it seems obvious--I'm missing the unconfined_u user.

Comparing this to a working F9 system:

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles

guest_u         guest      s0         s0              guest_r
root            user       s0         s0-s0:c0.c1023  system_r staff_r unconfined_r sysadm_r
staff_u         user       s0         s0-s0:c0.c1023  system_r staff_r sysadm_r
sysadm_u        user       s0         s0-s0:c0.c1023  sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
unconfined_u    unconfined s0         s0-s0:c0.c1023  system_r unconfined_r
user_u          user       s0         s0              user_r
xguest_u        xguest     s0         s0              xguest_r

How do I fix this?

Thanks.

From sds at tycho.nsa.gov Fri Jun 13 14:21:39 2008
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 13 Jun 2008 10:21:39 -0400 Subject: F9: su and sudo don't work as user In-Reply-To: <20080613140952.GP20510@angus.ind.WPI.EDU> References: <20080613003442.GB6406@angus.ind.WPI.EDU> <1213359990.17842.326.camel@moss-spartans.epoch.ncsc.mil> <20080613140952.GP20510@angus.ind.WPI.EDU> Message-ID: <1213366899.17842.340.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2008-06-13 at 10:09 -0400, Chuck Anderson wrote: > On Fri, Jun 13, 2008 at 08:26:30AM -0400, Stephen Smalley wrote: > > They shouldn't work from user_u, as that user identity/role isn't > > supposed to be able to use them (unprivileged user). > > Right, I was trying to fix that, and apparently failed. > > > > [root at system ~]# semanage login -l > > > > > > Login Name SELinux User MLS/MCS Range > > > > > > __default__ unconfined_u s0 > > > root root s0-s0:c0.c1023 > > > system_u system_u s0-s0:c0.c1023 > > > > semanage user -l shows what? > > I didn't know there was a "user" in addition to "login": > > # semanage user -l > > Labeling MLS/ MLS/ > SELinux User Prefix MCS Level MCS Range SELinux Roles > > root unconfined s0 s0-s0:c0.c1023 system_r staff_r unconfined_r sysadm_r > staff_u staff s0 s0-s0:c0.c1023 system_r staff_r sysadm_r > sysadm_u sysadm s0 s0-s0:c0.c1023 sysadm_r > system_u user s0 s0-s0:c0.c1023 system_r > user_u user s0 s0 user_r > > Now it seems obvious--I'm missing the unconfined_u user. > > Comparing this to a working F9 system: > > Labeling MLS/ MLS/ > SELinux User Prefix MCS Level MCS Range SELinux Roles > > guest_u guest s0 s0 guest_r > root user s0 s0-s0:c0.c1023 system_r staff_r unconfined_r sysadm_r > staff_u user s0 s0-s0:c0.c1023 system_r staff_r sysadm_r > sysadm_u user s0 s0-s0:c0.c1023 sysadm_r > system_u user s0 s0-s0:c0.c1023 system_r > unconfined_u unconfined s0 s0-s0:c0.c1023 system_r unconfined_r > user_u user s0 s0 user_r > xguest_u xguest s0 s0 xguest_r > > How do I fix this? 
Looks like the same problem reported by Kayvan (Weird SELinux problem after upgrade to F9).

semanage user -a -P user -R "unconfined_r system_r" -rs0-s0:c0.c1023 unconfined_u

semanage user acts on SELinux users, i.e. users defined in the kernel policy, which these days are used as "authorized role sets" rather than individual users. semanage login acts on Linux users, who are then mapped to SELinux users in policy.

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Jun 13 19:55:45 2008
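Stephen's distinction between semanage user and semanage login is exactly what the libsemanage error in Chuck's transcript enforces: a login mapping is validated against the SELinux user table before it is stored, and a mapping to an SELinux user the policy does not define is rejected. The following is an added example, not code from the thread or from the semanage tool. It parses the two semanage user -l tables and the semanage login -l table as quoted in this thread (copied into the script as constructed sample strings), reports the same mismatch that libsemanage rejected, and also checks a full context's user, role and MLS/MCS range against the same table. Only the s0-style level syntax is handled; SystemLow/SystemHigh aliases are not translated.

```python
"""Cross-check the SELinux user and login tables printed by semanage.

Added example, not code from the thread.  Parses the output of
``semanage user -l`` and ``semanage login -l`` and reports login mappings
that name an undefined SELinux user or whose MLS/MCS range lies outside
that user's range; a full context can be checked against the same table.
Only the s<N>[:c<N>[.c<M>]] level syntax is handled (no SystemLow aliases).
"""
from dataclasses import dataclass

# Constructed samples, copied from the tables quoted in Chuck Anderson's messages.
BROKEN_USERS = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles

root            unconfined s0         s0-s0:c0.c1023  system_r staff_r unconfined_r sysadm_r
staff_u         staff      s0         s0-s0:c0.c1023  system_r staff_r sysadm_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023  sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
user_u          user       s0         s0              user_r
"""
WORKING_USERS = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles

guest_u         guest      s0         s0              guest_r
root            user       s0         s0-s0:c0.c1023  system_r staff_r unconfined_r sysadm_r
staff_u         user       s0         s0-s0:c0.c1023  system_r staff_r sysadm_r
sysadm_u        user       s0         s0-s0:c0.c1023  sysadm_r
system_u        user       s0         s0-s0:c0.c1023  system_r
unconfined_u    unconfined s0         s0-s0:c0.c1023  system_r unconfined_r
user_u          user       s0         s0              user_r
xguest_u        xguest     s0         s0              xguest_r
"""
LOGINS = """\
Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    s0
root            root            s0-s0:c0.c1023
system_u        system_u        s0-s0:c0.c1023
"""


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dominates(self, other):
        """MLS dominance: higher-or-equal sensitivity and a superset of categories."""
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text):
    """'s0:c0.c1023' -> Level(0, {0..1023}); 's0' -> Level(0, {})."""
    sens, _, cat_part = text.partition(":")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        lo, _, hi = item.partition(".")
        cats.update(range(int(lo[1:]), int(hi[1:] if hi else lo[1:]) + 1))
    return Level(int(sens[1:]), frozenset(cats))


def parse_range(text):
    """'s0-s0:c0.c1023' -> (low, high); a bare level is its own low and high."""
    low, _, high = text.partition("-")
    return parse_level(low), parse_level(high or low)


def parse_user_list(text):
    """semanage user -l -> {seuser: {"prefix", "range": (low, high), "roles": set}}."""
    users = {}
    for line in text.splitlines():
        f = line.split()
        if f and f[0] not in ("Labeling", "SELinux"):   # skip the two header lines
            users[f[0]] = {"prefix": f[1], "range": parse_range(f[3]), "roles": set(f[4:])}
    return users


def parse_login_list(text):
    """semanage login -l -> [(login, seuser, (low, high))]."""
    return [(f[0], f[1], parse_range(f[2]))
            for f in map(str.split, text.splitlines()) if f and f[0] != "Login"]


def range_within(inner, outer):
    return inner[0].dominates(outer[0]) and outer[1].dominates(inner[1])


def check_logins(users, logins):
    """The checks libsemanage applies when a login mapping is added or modified."""
    problems = []
    for login, seuser, rng in logins:
        if seuser not in users:
            problems.append(f"{login}: selinux user {seuser} does not exist")
        elif not range_within(rng, users[seuser]["range"]):
            problems.append(f"{login}: range is outside the range of {seuser}")
    return problems


def context_allowed(context, users):
    """True if user:role[:type[:range]] is consistent with the SELinux user table."""
    parts = context.split(":", 3)
    user, role = parts[0], parts[1]
    if user not in users or role not in users[user]["roles"]:
        return False
    return len(parts) < 4 or range_within(parse_range(parts[3]), users[user]["range"])


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_USERS), ("working", WORKING_USERS)):
        print(name, check_logins(parse_user_list(table), parse_login_list(LOGINS)) or "ok")
```

Run against the broken host's table the script reports the __default__ mapping to the missing unconfined_u user; against the working host's table it reports nothing. On a live system the same functions can be fed the output of the two semanage commands directly.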
From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 13 Jun 2008 15:55:45 -0400 Subject: Fwd: [MLS Policy]:- MLS policy problem when manully restart the servers . In-Reply-To: <994219730806100835m1b53d475ie39d800adcd8bcc6@mail.gmail.com> References: <994219730806100444h3be95463u7b55213fed797045@mail.gmail.com> <1213099642.30576.76.camel@moss-spartans.epoch.ncsc.mil> <994219730806100822w657f571p7f4a61a0433e6313@mail.gmail.com> <994219730806100835m1b53d475ie39d800adcd8bcc6@mail.gmail.com> Message-ID: <4852D0C1.6020008@redhat.com> prakash hallalli wrote: > Hi > I have followed the same steps what you are given the information to change > the libc.so.6 file label. Now user will be able to login to the system it > not showing any error message while login time. But still i am not able do > system restart services. Now it showing error message is unrecognized > service. > > I have received the following error messages. > > [root at turtle11 ~]# sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: permissive > Mode from config file: enforcing > Policy version: 21 > Policy from config file: mls > > [root at turtle11 ~]# service nfs restart > Shutting down NFS mountd: [ OK ] > Shutting down NFS daemon: [ OK ] > Shutting down NFS quotas: [ OK ] > Shutting down NFS services: [ OK ] > Starting NFS services: [ OK ] > Starting NFS quotas: [ OK ] > Starting NFS daemon: [ OK ] > Starting NFS mountd: [ OK ] > > [root at turtle11 ~]# setenforce 1 > [root at turtle11 ~]# sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: enforcing > Mode from config file: enforcing > Policy version: 21 > Policy from config file: mls > > [root at turtle11 ~]# service nfs restart > nfs: unrecognized service > > [root at turtle11 ~]# service ldap restart > ldap: unrecognized service > > [root at turtle11 ~]# service samba restart > samba: unrecognized service > > [root at turtle11 ~]# service named restart > named: unrecognized service > [root at 
turtle11 ~]# > > Please help me, what should i do. > > Thanks, > prakash > > > > > > > On Tue, Jun 10, 2008 at 5:37 PM, Stephen Smalley wrote: > >> On Tue, 2008-06-10 at 17:14 +0530, prakash hallalli wrote: >>> Hi All >>> >>> I have configured SELinux on ContOS 5.1. I have configured the RBAC >>> using MLS (Multilevel Security) Policy. >>> Now i am trying to restart the system services and they are not >>> restarting and it is throwing some error message. >>> I have a question here, with mls policy enabled will i be able to >>> restart the system service? If yes then what to do and If no what is >>> the reason? >>> >>> Steps to reproduce: >>> >>> 1) MLS Policy configuration. >>> >>> 1. Install selinux-policy-mls >>> 2. Set SELINUXTYPE=MLS in /etc/selinux/config file >>> 3. touch ./autorelabel; on root's home directory, and reboot the >>> machine. >>> 4. While machine is rebooting, change the GRUB parameter. >>> enforcing=0 >>> >>> 2) Now system is in permissive mode and SELinux status is as follows. >>> >>> # sestatus >>> SELinux status: enabled >>> SELinuxfs mount: /selinux >>> Current mode: permissive >>> Mode from config file: enforcing >>> Policy version: 21 >>> policy from config file: mls >>> >>> 3) Restart the system services and they restart successfully. >>> >>> [root at turtle11 ~]# service nfs restart >>> Shutting down NFS mountd: [FAILED] >>> Shutting down NFS daemon: [FAILED] >>> Shutting down NFS quotas: [FAILED] >>> Shutting down NFS services: [FAILED] >>> Starting NFS services: [ >>> OK ] >>> Starting NFS quotas: [ >>> OK ] >>> Starting NFS daemon: [ >>> OK ] >>> Starting NFS mountd: [ >>> OK ] >>> >>> 4) Now i am setting enforcing mode using setenforce command. 
>>> >>> root at turtle11 ~]#setenforce 1 >>> root at turtle11 ~]# sestatus >>> SELinux status: enabled >>> SELinuxfs mount: /selinux >>> Current mode: enforcing >>> Mode from config file: enforcing >>> Policy version: 21 >>> Policy from config file: mls >>> >>> 5) a) Now system is in enforcing mode and i am trying to restart the >>> system service. The restart will result in error message. >>> >>> root at turtle11 ~]#service nfs restart >>> /sbin/consoletype: error while loading shared libraries: libc.so.6: >>> cannot open shared object file: No such file or directory >>> /sbin/consoletype: error while loading shared libraries: libc.so.6: >>> cannot open shared object file: No such file or directory >> This suggests that libc.so.6 has the wrong label. In older versions of >> the policy, this was a difference between targeted and strict/mls >> policies. Boot in single-user mode and run fixfiles -F relabel. >> >>> nfs: unrecognized service >>> >>> b) When I trying to login it will show the following error. >>> >>> turtle login: smbldap3 >>> /bin/login:error while loading shared libraries: libcrypt.so.1:failed >>> to map segment from shared object: Permission denied >>> /sbin/mingetty: error while loading shared libraries: libc.so.6: >>> failed to map segment from shared object: Permission denied >>> >>> c) When using su command. >>> >>> root at turtle11 ~]# su smbldap3 >>> su: error while loading shared libraries: libpam.so.0: failed to map >>> segment from shared object: Permission denied >>> >>> I am not sure what is going on. I referred to many websites and PDFs >>> but couldn't get the proper solution. >>> >>> please help me. >>> >>> Thanks >>> Prakash. 
>>> >>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> -- >> Stephen Smalley >> National Security Agency >> >> > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Try # run_init service nfs restart From olivares14031 at yahoo.com Sat Jun 14 04:44:46 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Fri, 13 Jun 2008 21:44:46 -0700 (PDT) Subject: f9 selinux complaint opening dvd reader .hal-mtab-lock In-Reply-To: <48534A1B.8050606@verizon.net> Message-ID: <842897.52885.qm@web52610.mail.re2.yahoo.com> --- On Fri, 6/13/08, Skunk Worx wrote: 
> From: Skunk Worx > Subject: f9 selinux complaint opening dvd reader .hal-mtab-lock > To: "For users of Fedora Core releases" > Date: Friday, June 13, 2008, 9:33 PM > When I open my DVD reader by pushing the button I get a > sheriff badge. > > Should I just apply the "Fix Command"? > --- > John > > Summary > SELinux prevented umount from mounting on the file or > directory > "/media/.hal-mtab-lock" (type "mnt_t"). > > Detailed Description > SELinux prevented umount from mounting a filesystem on the > file or > directory "/media/.hal-mtab-lock" of type > "mnt_t". By default SELinux > limits the mounting of filesystems to only some files or > directories > (those with types that have the mountpoint attribute). The > type "mnt_t" > does not have this attribute. You can either relabel the > file or > directory or set the boolean > "allow_mount_anyfile" to true to allow > mounting on any file or directory. > > Allowing Access > Changing the "allow_mount_anyfile" boolean to > true will allow this > access: "setsebool -P allow_mount_anyfile=1." 
> > Fix Command > setsebool -P allow_mount_anyfile=1 > > Additional Information > Source Context: system_u:system_r:mount_t:s0 > Target Context: system_u:object_r:mnt_t:s0 > Target Objects: /media/.hal-mtab-lock [ file ] > Source: umount > Source Path: /bin/umount > Port: > Host: localhost.localdomain > Source RPM Packages: util-linux-ng-2.13.1-6.fc9 > Target RPM Packages: > Policy RPM: selinux-policy-3.3.1-64.fc9 > Selinux Enabled: True > Policy Type: targeted > MLS Enabled: True > Enforcing Mode: Enforcing > Plugin Name: allow_mount_anyfile > Host Name: localhost.localdomain > Platform: Linux localhost.localdomain > 2.6.25.6-55.fc9.x86_64 #1 SMP Tue > Jun 10 16:05:21 EDT 2008 x86_64 x86_64 > Alert Count: 7 > First Seen: Sun 25 May 2008 01:45:46 AM PDT > Last Seen: Fri 13 Jun 2008 09:20:53 PM PDT > Local ID: eb563b96-3949-4532-8792-f239a145eef7 > Line Numbers: > > Raw Audit Messages : > host=localhost.localdomain type=AVC > msg=audit(1213417253.89:56): avc: > denied { read write } for pid=3267 comm="umount" > path="/media/.hal-mtab-lock" dev=dm-0 ino=4505604 > > scontext=system_u:system_r:mount_t:s0 > tcontext=system_u:object_r:mnt_t:s0 tclass=file > > host=localhost.localdomain type=SYSCALL > msg=audit(1213417253.89:56): > arch=c000003e syscall=59 success=yes exit=0 a0=403665 > a1=7fff5c756200 > a2=7fff5c756888 a3=0 items=0 ppid=3266 pid=3267 > auid=4294967295 uid=0 > gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 > tty=(none) > ses=4294967295 comm="umount" > exe="/bin/umount" > subj=system_u:system_r:mount_t:s0 key=(null) > > -- > fedora-list mailing list > fedora-list at redhat.com > To unsubscribe: > https://www.redhat.com/mailman/listinfo/fedora-list I get the same thing :( I applied the suggested fix, but still see the same CCD: fedora-selinux-list at redhat.com Summary: SELinux prevented umount from mounting on the file or directory "/media/.hal-mtab-lock" (type "mnt_t"). 
Detailed Description: SELinux prevented umount from mounting a filesystem on the file or directory "/media/.hal-mtab-lock" of type "mnt_t". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "mnt_t" does not have this attribute. You can either relabel the file or directory or set the boolean "allow_mount_anyfile" to true to allow mounting on any file or directory. Allowing Access: Changing the "allow_mount_anyfile" boolean to true will allow this access: "setsebool -P allow_mount_anyfile=1." Fix Command: setsebool -P allow_mount_anyfile=1 Additional Information: Source Context system_u:system_r:mount_t:s0 Target Context system_u:object_r:mnt_t:s0 Target Objects /media/.hal-mtab-lock [ file ] Source umount Source Path /bin/umount Port Host localhost.localdomain Source RPM Packages util-linux-ng-2.13.1-6.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-51.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_mount_anyfile Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21 EDT 2008 x86_64 x86_64 Alert Count 3 First Seen Wed 11 Jun 2008 09:10:49 PM CDT Last Seen Fri 13 Jun 2008 11:43:08 PM CDT Local ID 035edd4c-51d5-49fb-b01f-6468353b5b2d Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1213418588.58:32): avc: denied { write } for pid=3290 comm="umount" path="/media/.hal-mtab-lock" dev=dm-0 ino=1785859 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1213418588.58:32): arch=c000003e syscall=59 success=yes exit=0 a0=403665 a1=7fffd7da1770 a2=7fffd7da1df8 a3=0 items=0 ppid=3289 pid=3290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" 
subj=system_u:system_r:mount_t:s0 key=(null)

I manually ejected a data cd.

Thanks,

Antonio

From tmz at pobox.com Sat Jun 14 06:25:52 2008
From: tmz at pobox.com (Todd Zullinger)
Date: Sat, 14 Jun 2008 02:25:52 -0400
Subject: f9 selinux complaint opening dvd reader .hal-mtab-lock
In-Reply-To: <842897.52885.qm@web52610.mail.re2.yahoo.com>
References: <48534A1B.8050606@verizon.net> <842897.52885.qm@web52610.mail.re2.yahoo.com>
Message-ID: <20080614062552.GC2641@inocybe.teonanacatl.org>

Antonio Olivares wrote:
> I get the same thing :(
>
> I applied the suggested fix, but still see the same
>
> CCD: fedora-selinux-list at redhat.com

The update which fixes this should hit the mirrors tomorrow.

https://admin.fedoraproject.org/updates/F9/FEDORA-2008-5311

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
People demand freedom of speech to make up for the freedom of thought
which they avoid.
    -- Soren Aabye Kierkegaard (1813-1855)

From goeran at uddeborg.se Sat Jun 14 09:33:48 2008
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sat, 14 Jun 2008 11:33:48 +0200
Subject: What to do about "invalid context"
Message-ID: <18515.36988.937287.194925@mimmi.uddeborg.se>

Could anyone explain what is wrong when I get the error below?

The problem: I get error messages when I try to run crontab.

mimmi> env LANG=en_US.utf8 crontab -l
Authentication service cannot retrieve authentication info
You (göran) are not allowed to access to (crontab) because of pam configuration.

What I have found out: In the audit log there is this entry:

mimmi> sudo ausearch -a 3208
----
time->Sat Jun 14 11:17:09 2008
type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process

Using strace I see that crontab tries to exec /sbin/unix_update and fails, which I suppose is what this message is about:

4826  execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)

My first thought was that maybe the label on unix_update had not been correctly updated in some upgrade or so. But doing a restorecon on it didn't change its context (system_u:object_r:updpwd_exec_t:s0).

I assume there is something broken in the host configurations, rather than some bug in the policy. But I don't understand what it is or what to do about it.

I'm usually able to figure out "type=AVC"/"avc: denied" issues, but what do I do about a "type=SELINUX_ERR"/"invalid context"?

From craigwhite at azapple.com Sat Jun 14 15:05:56 2008
From: craigwhite at azapple.com (Craig White)
Date: Sat, 14 Jun 2008 08:05:56 -0700
Subject: simple question with home serviing ruby on rails web site
Message-ID: <1213455956.6327.44.camel@lin-workstation.azapple.com>

I'm running in permissive mode so all I'm getting is warnings but I'm wondering the best way to solve this...

error every time httpd starts...

SELinux has denied httpd access to potentially mislabeled file(s) (./svn-new). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access
If you want httpd to access this files, you need to relabel them using restorecon -v './svn-new'. You might want to relabel the entire directory using restorecon -R -v './svn-new'.

Additional Information
Source Context: system_u:system_r:httpd_t:SystemLow-SystemHigh
Target Context: user_u:object_r:user_home_t
Target Objects: ./svn-new [ dir ]
Source: httpd
Source Path: /usr/sbin/httpd

/home/craig/svn-new is an svn checkout and is the 'RAILS ROOT' directory for the web server.

$ ls -ldZ /home/craig/svn-new/
drwxrwxr-x craig craig user_u:object_r:user_home_t /home/craig/svn-new/

This is on Fedora 9. In the past, I could have used system-config-security and set selinux to allow web page serving from user home directories but I don't see that tool any more.

What's the best way to handle this?

Craig

From paul at city-fan.org Sat Jun 14 15:51:18 2008
From: paul at city-fan.org (Paul Howarth) Date: Sat, 14 Jun 2008 16:51:18 +0100 Subject: simple question with home serviing ruby on rails web site In-Reply-To: <1213455956.6327.44.camel@lin-workstation.azapple.com> References: <1213455956.6327.44.camel@lin-workstation.azapple.com> Message-ID: <20080614165118.4d54c5a0@metropolis.intra.city-fan.org> On Sat, 14 Jun 2008 08:05:56 -0700 Craig White wrote: > I'm running in permissive mode so all I'm getting is warnings but I'm > wondering the best way to solve this... > > error every time httpd starts... > > SELinux has denied httpd access to potentially mislabeled file(s) > (./svn-new). This means that SELinux will not allow httpd to use these > files. It is common for users to edit files in their home directory or > tmp directories and then move (mv) them to system directories. The > problem is that the files end up with the wrong file context which > confined applications are not allowed to access. Allowing AccessIf you > want httpd to access this files, you need to relabel them using > restorecon -v './svn-new'. You might want to relabel the entire > directory using restorecon -R -v './svn-new'. Additional > InformationSource Context: > system_u:system_r:httpd_t:SystemLow-SystemHighTarget Context: > user_u:object_r:user_home_tTarget Objects: ./svn-new [ dir ]Source: > httpdSource Path: /usr/sbin/httpd > > > /home/craig/svn-new is an svn checkout and is the 'RAILS ROOT' > directory for the web server. > > $ ls -ldZ /home/craig/svn-new/ > drwxrwxr-x craig craig > user_u:object_r:user_home_t /home/craig/svn-new/ > > This is on Fedora 9. In the past, I could have used > system-config-security and set selinux to allow web page serving from > user home directories but I don't see that tool any more. > > What's the best way to handle this? Easiest is just to fix the contexts of the files: # semanage fcontext -a -t httpd_sys_content_t '/home/craig/svn-new(/.*)?' 
# restorecon -rv /home/craig/svn-new I'm not familiar with rails or how you maintain your svn checkout, so httpd_sys_content_t may not be the appropriate type for all of the content (are there any scripts in there, are you uploading content via ftp, samba, etc.?). Since you're in permissive mode, it's not going to cause you any problem other than possibly different warnings though. If you maintain the checkout by manually doing an "svn update" from your regular account, and the content isn't "executed" by httpd, httpd_sys_content_t should be fine. Paul. From craigwhite at azapple.com Sat Jun 14 16:40:44 2008 
From: craigwhite at azapple.com (Craig White) Date: Sat, 14 Jun 2008 09:40:44 -0700 Subject: ****Re: simple question with home serviing ruby on rails web site In-Reply-To: <20080614165118.4d54c5a0@metropolis.intra.city-fan.org> References: <1213455956.6327.44.camel@lin-workstation.azapple.com> <20080614165118.4d54c5a0@metropolis.intra.city-fan.org> Message-ID: <1213461644.6327.62.camel@lin-workstation.azapple.com> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote: > On Sat, 14 Jun 2008 08:05:56 -0700 > Craig White wrote: > > > I'm running in permissive mode so all I'm getting is warnings but I'm > > wondering the best way to solve this... > > > > error every time httpd starts... > > > > SELinux has denied httpd access to potentially mislabeled file(s) > > (./svn-new). This means that SELinux will not allow httpd to use these > > files. It is common for users to edit files in their home directory or > > tmp directories and then move (mv) them to system directories. The > > problem is that the files end up with the wrong file context which > > confined applications are not allowed to access. Allowing AccessIf you > > want httpd to access this files, you need to relabel them using > > restorecon -v './svn-new'. You might want to relabel the entire > > directory using restorecon -R -v './svn-new'. Additional > > InformationSource Context: > > system_u:system_r:httpd_t:SystemLow-SystemHighTarget Context: > > user_u:object_r:user_home_tTarget Objects: ./svn-new [ dir ]Source: > > httpdSource Path: /usr/sbin/httpd > > > > > > /home/craig/svn-new is an svn checkout and is the 'RAILS ROOT' > > directory for the web server. > > > > $ ls -ldZ /home/craig/svn-new/ > > drwxrwxr-x craig craig > > user_u:object_r:user_home_t /home/craig/svn-new/ > > > > This is on Fedora 9. In the past, I could have used > > system-config-security and set selinux to allow web page serving from > > user home directories but I don't see that tool any more. 
> >
> > What's the best way to handle this?
>
> Easiest is just to fix the contexts of the files:
>
> # semanage fcontext -a -t httpd_sys_content_t '/home/craig/svn-new(/.*)?'
> # restorecon -rv /home/craig/svn-new
>
> I'm not familiar with rails or how you maintain your svn checkout, so
> httpd_sys_content_t may not be the appropriate type for all of the
> content (are there any scripts in there, are you uploading content via
> ftp, samba, etc.?). Since you're in permissive mode, it's not going to
> cause you any problem other than possibly different warnings though.
> If you maintain the checkout by manually doing an "svn update" from
> your regular account, and the content isn't "executed" by httpd,
> httpd_sys_content_t should be fine.
----
Thanks Paul...miss you on the Fedora-list

I'm a bit confused myself because in essence, httpd is just a proxy to the ruby/rails 'mongrel' which is a http server in ruby running the ruby processes and is providing dhtml on higher ports as the user.

FWIW...httpd runs as user 'apache' (as usual)
mongrels run as regular 'user' (me)
all files and folders inside the subdirectory we are discussing... (/home/craig/svn-new) are owned by me (not root, not apache)

I ran the commands that you suggested (ignoring the alerts raised by the first command) and then restarted httpd service and got a new alert...

SELinux is preventing the httpd from using potentially mislabeled files (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied httpd access to potentially mislabeled file(s) (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access
If you want httpd to access this files, you need to relabel them using restorecon -v '2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429'. You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information
Source Context: unconfined_u:system_r:httpd_t
Target Context: unconfined_u:object_r:user_tmp_t
Target Objects: 2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429

This is my new development system and I obviously will be doing svn commit/update operations in this directory and it was created by a checkout.

There is a 'tmp' directory in the RAILS_ROOT directory (/home/craig/svn-new/th-db/branches/phase5) which holds...
- temporary pdf files put there by ruby before 'merging' database data with pdftk
- subdirectories but the only 'non-empty' subdirectory is one called 'pids' which holds the pid for the backgroundrd (a separate ruby process that runs long running processes in the background).

I'm wondering if this directory shouldn't have some different contexts...

My desire is to have a plan to manage selinux contexts when it comes time to merge this on my production server.

Thanks

Craig

From prakashkhallalli at gmail.com Sun Jun 15 16:36:08 2008
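Both the umount alert earlier in this thread and Craig's httpd alert above are setroubleshoot's rendering of raw AVC audit records, and the long hex string in Craig's alert is how auditd writes a string field (here a path) that contains a space or another character it will not print literally. As an added example, not code from the thread, the following Python parses such raw records, undoes the hex encoding for the string fields, and groups denials by source type, target type and object class, which is the grouping a label or policy decision is made on. The sample records are constructed: the umount records are the ones quoted above, and the httpd record reconstructs Craig's alert as a raw record with a made-up pid, inode and timestamp around the contexts and hex path from the alert.

```python
"""Parse raw audit AVC records and decode auditd's hex-encoded string fields.

Added example, not code from the thread.  auditd writes a string field
such as path= inside double quotes, but when the value contains a space,
a quote or a control character it writes it unquoted as uppercase hex
instead; that is what setroubleshoot showed in the httpd alert above.
"""
import re
from collections import Counter

# Constructed sample records.  The first two are the umount records quoted in
# this thread; the third reconstructs the httpd alert as a raw AVC record
# (timestamp, pid and inode are made up, contexts and hex path are from the alert).
RECORDS = [
    'type=AVC msg=audit(1213417253.89:56): avc: denied { read write } for pid=3267 '
    'comm="umount" path="/media/.hal-mtab-lock" dev=dm-0 ino=4505604 '
    'scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1213417253.89:56): arch=c000003e syscall=59 success=yes '
    'exit=0 comm="umount" exe="/bin/umount"',
    'type=AVC msg=audit(1213461700.123:77): avc: denied { read } for pid=4242 '
    'comm="httpd" path=2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D'
    '69636F6E2D63616368652E64617461202864656C6574656429 dev=dm-0 ino=123456 '
    'scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 '
    'tclass=file',
]

# Fields auditd may hex-encode; numeric fields such as ino= are never decoded.
STRING_FIELDS = {"path", "comm", "exe", "name", "cwd", "proctitle"}
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_audit_field(name, value):
    """Strip quotes from a quoted value; hex-decode an unquoted string field."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if name in STRING_FIELDS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def split_context(ctx):
    """'user:role:type[:range]' -> dict with those keys."""
    return dict(zip(("user", "role", "type", "range"), ctx.split(":", 3)))


def parse_avc(line):
    """Return a dict for a type=AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m or "type=AVC" not in line:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, raw in KV_RE.findall(m.group("rest")):
        rec[key] = decode_audit_field(key, raw)
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key] = split_context(rec[key])
    return rec


def summarize(rec):
    """One-line 'source type -> target type:class perms (object)' summary."""
    target = rec.get("path") or rec.get("name") or "?"
    return (f'{rec["scontext"]["type"]} -> {rec["tcontext"]["type"]}:{rec["tclass"]} '
            f'{" ".join(rec["perms"])} ({target})')


def denial_pairs(lines):
    """Count denials by (source type, target type, class) across many records."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])] += 1
    return counts


if __name__ == "__main__":
    for line in RECORDS:
        rec = parse_avc(line)
        if rec:
            print(summarize(rec))
    print(denial_pairs(RECORDS))
```

Decoding the hex string gives /var/tmp/kdecache-craig/kpc/kde-icon-cache.data (deleted), a user_tmp_t file that httpd was started with open and that has nothing to do with the svn checkout, which is why relabelling /home/craig/svn-new did not make this second alert go away. Grouping by (source type, target type, class) is the first thing to look at when deciding whether a denial is a labelling problem, a boolean, or a policy gap.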
From: prakashkhallalli at gmail.com (prakash hallalli)
Date: Sun, 15 Jun 2008 22:06:08 +0530
Subject: Fwd: [MLS Policy]:- Problem for mapping between the Linux user to SELinux user for fedora 8
In-Reply-To: <994219730806141122w149320aewfd31bbdcd3c887b5@mail.gmail.com>
References: <994219730806141122w149320aewfd31bbdcd3c887b5@mail.gmail.com>
Message-ID: <994219730806150936o7e70cf41n360713f693819ec8@mail.gmail.com>

Hi...

Now I am trying to configure RBAC using the MLS (Multilevel Security) Policy for Fedora 8, because I have read danwalsh's journal, where he said the MLS policy is more useful for RBAC:

* http://danwalsh.livejournal.com/?skip=40 Using RBAC In FC5/MLS Policy *

So I am using the MLS policy for RBAC. Here I have installed the MLS packages and changed from the targeted policy to the mls policy. Then I configured the roles for users, but I couldn't set the roles, because when I set them it displays the error message.

Steps to reproduce:

1) Adding the SELinux audit user using the semanage command.

# semanage user -a -R staff_r -R auditadm_r -P staff audit_u

2) Here I am checking the SELinux users.

[root at turtle2 ~]# semanage user -l

                Labeling   MLS/          MLS/
SELinux User    Prefix     MCS Level     MCS Range                        SELinux Roles

audit_u         staff      SystemLow     SystemLow                        staff_r auditadm_r
root            sysadm     SystemLow     SystemLow:SystemLow-SystemHigh   system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow     SystemLow:SystemLow-SystemHigh   sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow     SystemLow:SystemLow-SystemHigh   sysadm_r
system_u        user       SystemLow     SystemLow:SystemLow-SystemHigh   system_r
user_u          user       SystemLow     SystemLow                        system_r user_r
[root at turtle2 ~]#

3) Now I am mapping the Linux user to the SELinux user; when I set the SELinux user it throws the following error message.

[root at turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash
libsemanage.validate_handler: selinux user audit does not exist No such file or directory.
libsemanage.validate_handler: seuser mapping [prakash -> (audit, s0-s15:c0.c1023)] is invalid No such file or directory.
libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.
/usr/sbin/semanage: Could not add login mapping for prakash
[root at turtle2 ~]#

4) I am using sysadm_r; the root information is as follows:

[root at turtle2 ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh
[root at turtle2 ~]#

5) These are the audit log messages I am getting using the ausearch command.

[root at turtle2 ~]# ausearch -i -m AVC -sv no
type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386 syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808 a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=gam_server exe=/usr/libexec/gam_server subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied { read } for pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

I don't know why it's throwing this error. I have searched on Google but I couldn't find anything. Please help me, what should I do?

Thanks,
Prakash

From paul at city-fan.org Mon Jun 16 10:39:04 2008
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 16 Jun 2008 11:39:04 +0100
Subject: ****Re: simple question with home serviing ruby on rails web site
In-Reply-To: <1213461644.6327.62.camel@lin-workstation.azapple.com>
References: <1213455956.6327.44.camel@lin-workstation.azapple.com> <20080614165118.4d54c5a0@metropolis.intra.city-fan.org> <1213461644.6327.62.camel@lin-workstation.azapple.com>
Message-ID: <485642C8.1060604@city-fan.org>

Craig White wrote:
> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
>> On Sat, 14 Jun 2008 08:05:56 -0700
>> Craig White wrote:
>>
>>> I'm running in permissive mode so all I'm getting is warnings but I'm
>>> wondering the best way to solve this...
>>>
>>> error every time httpd starts...
>>>
>>> SELinux has denied httpd access to potentially mislabeled file(s)
>>> (./svn-new). This means that SELinux will not allow httpd to use these
>>> files. It is common for users to edit files in their home directory or
>>> tmp directories and then move (mv) them to system directories. The
>>> problem is that the files end up with the wrong file context which
>>> confined applications are not allowed to access.
>>> Allowing Access
>>> If you want httpd to access this files, you need to relabel them using
>>> restorecon -v './svn-new'. You might want to relabel the entire
>>> directory using restorecon -R -v './svn-new'.
>>> Additional Information
>>> Source Context: system_u:system_r:httpd_t:SystemLow-SystemHigh
>>> Target Context: user_u:object_r:user_home_t
>>> Target Objects: ./svn-new [ dir ]
>>> Source: httpd
>>> Source Path: /usr/sbin/httpd
>>>
>>>
>>> /home/craig/svn-new is an svn checkout and is the 'RAILS ROOT'
>>> directory for the web server.
>>>
>>> $ ls -ldZ /home/craig/svn-new/
>>> drwxrwxr-x craig craig user_u:object_r:user_home_t /home/craig/svn-new/
>>>
>>> This is on Fedora 9. In the past, I could have used
>>> system-config-security and set selinux to allow web page serving from
>>> user home directories but I don't see that tool any more.
>>>
>>> What's the best way to handle this?
>> Easiest is just to fix the contexts of the files:
>>
>> # semanage fcontext -a -t httpd_sys_content_t '/home/craig/svn-new(/.*)?'
>> # restorecon -rv /home/craig/svn-new
>>
>> I'm not familiar with rails or how you maintain your svn checkout, so
>> httpd_sys_content_t may not be the appropriate type for all of the
>> content (are there any scripts in there, are you uploading content via
>> ftp, samba, etc.?). Since you're in permissive mode, it's not going to
>> cause you any problem other than possibly different warnings though.
>> If you maintain the checkout by manually doing an "svn update" from
>> your regular account, and the content isn't "executed" by httpd,
>> httpd_sys_content_t should be fine.
> ----
> Thanks Paul...miss you on the Fedora-list

Thanks; when I had the first of my two children in September 2005 there
were a lot more demands on my time and some things I'd enjoyed devoting
a lot of my time to just had to go, and fedora-list was one of those.

> I'm a bit confused myself because in essence, httpd is just a proxy to
> the ruby/rails 'mongrel' which is a http server in ruby running the ruby
> processes and is providing dhtml on higher ports as the user.
>
> FWIW...httpd runs as user 'apache' (as usual)
> mongrels run as regular 'user' (me)
> all files and folders inside the subdirectory we are discussing...
> (/home/craig/svn-new) are owned by me (not root, not apache)

The conventional unix ownership and permissions make very little
difference as far as SELinux is concerned, so although you need to get
them right, they're not going to affect the file contexts needed.

What context is mongrels running in (try the -Z option of ps)? How does
that process get started (via an initscript?)?

> I ran the commands that you suggested (ignoring the alerts raised by the
> first command) and then restarted httpd service and got a new alert...
>
> SELinux is preventing the httpd from using potentially mislabeled files
> (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
> SELinux has denied httpd access to potentially mislabeled file(s)
> (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
>
> This means that SELinux will not allow httpd to use these files. It is
> common for users to edit files in their home directory or tmp
> directories and then move (mv) them to system directories. The problem
> is that the files end up with the wrong file context which confined
> applications are not allowed to access.
> Allowing Access
> If you want httpd to access this files, you need to relabel them using
> restorecon -v
> '2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429'.
>
> You might want to relabel the entire directory using restorecon -R -v ''.
> Additional Information
> Source Context: unconfined_u:system_r:httpd_t
> Target Context: unconfined_u:object_r:user_tmp_t
> Target Objects:
> 2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429
>
> This is my new development system and I obviously will be doing svn
> commit/update operations in this directory and it was created by a
> checkout.
>
> There is a 'tmp' directory in the RAILS_ROOT directory
> (/home/craig/svn-new/th-db/branches/phase5) which holds...
> - temporary pdf files put there by ruby before 'merging' database data
> with pdftk
> - subdirectories but the only 'non-empty' subdirectory is one called
> 'pids' which holds the pid for the backgroundrd (a separate ruby process
> that runs long running processes in the background).
>
> I'm wondering if this directory shouldn't have some different
> contexts...
>
> My desire is to have a plan to manage selinux contexts when it comes
> time to merge this on my production server.

You probably need to run the ruby process confined so that it generates
files that are readable by httpd. It might actually work ok running as
httpd_t given how closely related the processes are.

Paul.

From craigwhite at azapple.com Mon Jun 16 12:12:43 2008
From: craigwhite at azapple.com (Craig White)
Date: Mon, 16 Jun 2008 05:12:43 -0700
Subject: ****Re: ****Re: simple question with home serviing ruby on rails web site
In-Reply-To: <485642C8.1060604@city-fan.org>
References: <1213455956.6327.44.camel@lin-workstation.azapple.com> <20080614165118.4d54c5a0@metropolis.intra.city-fan.org> <1213461644.6327.62.camel@lin-workstation.azapple.com> <485642C8.1060604@city-fan.org>
Message-ID: <1213618363.6327.185.camel@lin-workstation.azapple.com>

On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
> Craig White wrote:
> > On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
> >> On Sat, 14 Jun 2008 08:05:56 -0700
> >> Craig White wrote:
> >>
> >>> I'm running in permissive mode so all I'm getting is warnings but I'm
> >>> wondering the best way to solve this...
> >>>
> >>> error every time httpd starts...
> >>>
> >>> SELinux has denied httpd access to potentially mislabeled file(s)
> >>> (./svn-new). This means that SELinux will not allow httpd to use these
> >>> files. It is common for users to edit files in their home directory or
> >>> tmp directories and then move (mv) them to system directories. The
> >>> problem is that the files end up with the wrong file context which
> >>> confined applications are not allowed to access.
> >>> Allowing Access
> >>> If you want httpd to access this files, you need to relabel them using
> >>> restorecon -v './svn-new'. You might want to relabel the entire
> >>> directory using restorecon -R -v './svn-new'.
> >>> Additional Information
> >>> Source Context: system_u:system_r:httpd_t:SystemLow-SystemHigh
> >>> Target Context: user_u:object_r:user_home_t
> >>> Target Objects: ./svn-new [ dir ]
> >>> Source: httpd
> >>> Source Path: /usr/sbin/httpd
> >>>
> >>>
> >>> /home/craig/svn-new is an svn checkout and is the 'RAILS ROOT'
> >>> directory for the web server.
> >>>
> >>> $ ls -ldZ /home/craig/svn-new/
> >>> drwxrwxr-x craig craig user_u:object_r:user_home_t /home/craig/svn-new/
> >>>
> >>> This is on Fedora 9. In the past, I could have used
> >>> system-config-security and set selinux to allow web page serving from
> >>> user home directories but I don't see that tool any more.
> >>>
> >>> What's the best way to handle this?
> >> Easiest is just to fix the contexts of the files:
> >>
> >> # semanage fcontext -a -t httpd_sys_content_t '/home/craig/svn-new(/.*)?'
> >> # restorecon -rv /home/craig/svn-new
> >>
> >> I'm not familiar with rails or how you maintain your svn checkout, so
> >> httpd_sys_content_t may not be the appropriate type for all of the
> >> content (are there any scripts in there, are you uploading content via
> >> ftp, samba, etc.?). Since you're in permissive mode, it's not going to
> >> cause you any problem other than possibly different warnings though.
> >> If you maintain the checkout by manually doing an "svn update" from
> >> your regular account, and the content isn't "executed" by httpd,
> >> httpd_sys_content_t should be fine.
> > ----
> > Thanks Paul...miss you on the Fedora-list
>
> Thanks; when I had the first of my two children in September 2005 there
> were a lot more demands on my time and some things I'd enjoyed devoting
> a lot of my time to just had to go, and fedora-list was one of those.
>
> > I'm a bit confused myself because in essence, httpd is just a proxy to
> > the ruby/rails 'mongrel' which is a http server in ruby running the ruby
> > processes and is providing dhtml on higher ports as the user.
> >
> > FWIW...httpd runs as user 'apache' (as usual)
> > mongrels run as regular 'user' (me)
> > all files and folders inside the subdirectory we are discussing...
> > (/home/craig/svn-new) are owned by me (not root, not apache)
>
> The conventional unix ownership and permissions make very little
> difference as far as SELinux is concerned, so although you need to get
> them right, they're not going to affect the file contexts needed.
>
> What context is mongrels running in (try the -Z option of ps)? How does
> that process get started (via an initscript?)?
----
yes, a SysV initscript...(running 2 mongrels at present... port & pid
#'s 3000 & 3001)

# ps auxZ|grep mongrel
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel
root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l log/mongrel.3000.log
root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l log/mongrel.3001.log
----
> > I ran the commands that you suggested (ignoring the alerts raised by the
> > first command) and then restarted httpd service and got a new alert...
> >
> > SELinux is preventing the httpd from using potentially mislabeled files
> > (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
> > Detailed Description
> > [SELinux is in permissive mode, the operation would have been denied but
> > was permitted due to permissive mode.]
> > SELinux has denied httpd access to potentially mislabeled file(s)
> > (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
> >
> > This means that SELinux will not allow httpd to use these files. It is
> > common for users to edit files in their home directory or tmp
> > directories and then move (mv) them to system directories. The problem
> > is that the files end up with the wrong file context which confined
> > applications are not allowed to access.
> > Allowing Access
> > If you want httpd to access this files, you need to relabel them using
> > restorecon -v
> > '2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429'.
> >
> > You might want to relabel the entire directory using restorecon -R -v ''.
> > Additional Information
> > Source Context: unconfined_u:system_r:httpd_t
> > Target Context: unconfined_u:object_r:user_tmp_t
> > Target Objects:
> > 2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429
> >
> > This is my new development system and I obviously will be doing svn
> > commit/update operations in this directory and it was created by a
> > checkout.
> >
> > There is a 'tmp' directory in the RAILS_ROOT directory
> > (/home/craig/svn-new/th-db/branches/phase5) which holds...
> > - temporary pdf files put there by ruby before 'merging' database data
> > with pdftk
> > - subdirectories but the only 'non-empty' subdirectory is one called
> > 'pids' which holds the pid for the backgroundrd (a separate ruby process
> > that runs long running processes in the background).
> >
> > I'm wondering if this directory shouldn't have some different
> > contexts...
> >
> > My desire is to have a plan to manage selinux contexts when it comes
> > time to merge this on my production server.
>
> You probably need to run the ruby process confined so that it generates
> files that are readable by httpd. It might actually work ok running as
> httpd_t given how closely related the processes are.
----
I'm sort of unclear on what you are telling me here. What did happen
after I made the change you suggested on Saturday is that the 4:02
rotation log restart of httpd stopped triggering selinux alerts but a
full restart of httpd service does generate the latest alert.

I could conceivably run the mongrels as user 'apache' except that the
permissions on some of the folders would have to be changed because
there are some directories that files are written into by the ruby web
server...so I try to just run as user.

Thanks

Craig

From paul at city-fan.org Mon Jun 16 12:29:29 2008
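The target object in the second alert Craig quotes is not a path but setroubleshoot's hex encoding of one, which it uses when the path contains characters it will not print literally. Below is an added example, not code from the thread, that decodes such a token and pulls the contexts out of the alert body; the alert text it parses is constructed from the fields quoted in Craig's message, and the field names it looks for ('Source Context', 'Target Context', 'Target Objects') are the ones in that alert. The token decodes to /var/tmp/kdecache-craig/kpc/kde-icon-cache.data (deleted), which is why relabelling the checkout could not touch it: the object is an already-unlinked file under /var/tmp that httpd still holds open. The most likely explanation (an inference, not something the thread states) is a descriptor inherited from the desktop session in which 'service httpd restart' was typed; the alert's source context carries unconfined_u rather than system_u, which fits a restart from a login session rather than from init, and would also explain why the logrotate restart stays quiet while a manual restart does not.

```python
"""Decode and interpret a setroubleshoot 'potentially mislabeled file' alert.

Added example, not code from the thread. setroubleshoot hex-encodes a path
when it contains characters it will not print literally (here a space and
parentheses), which is what produced the run of hex digits in the alert.
"""
import re

HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# Alert body constructed from the fields quoted in the thread.
SAMPLE_ALERT = """\
SELinux is preventing the httpd from using potentially mislabeled files
Source Context: unconfined_u:system_r:httpd_t
Target Context: unconfined_u:object_r:user_tmp_t
Target Objects: 2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429
"""


def decode_target(token: str) -> str:
    """Return the path a 'Target Objects' token denotes.

    An even-length run of hex digits is setroubleshoot's encoding of the raw
    path bytes; anything else is already a literal path and is returned as-is.
    """
    if HEX_RUN.match(token):
        return bytes.fromhex(token).decode("utf-8", errors="replace")
    return token


def parse_context(ctx: str) -> dict:
    """Split 'user:role:type[:range]' into its parts."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}


def _field(alert: str, name: str) -> str:
    """Value of a 'Name: value' line in the alert body."""
    m = re.search(rf"{name}:\s*(\S+)", alert)
    if not m:
        raise ValueError(f"alert has no '{name}' line")
    return m.group(1)


def explain(alert: str) -> dict:
    """Extract contexts and the decoded target, plus what they imply."""
    source = parse_context(_field(alert, "Source Context"))
    target = parse_context(_field(alert, "Target Context"))
    path = decode_target(_field(alert, "Target Objects"))
    notes = []
    if path.endswith(" (deleted)"):
        notes.append("target is an unlinked file the process still holds open: "
                     "nothing on disk can be relabelled to fix it")
    if source["user"] != "system_u":
        notes.append("source user is not system_u: the daemon was started from a "
                     "login session, not by init, and may have inherited that "
                     "session's open descriptors")
    return {"source": source, "target": target, "path": path, "notes": notes}


if __name__ == "__main__":
    result = explain(SAMPLE_ALERT)
    print(result["path"])
    for note in result["notes"]:
        print("-", note)
```

Run it as-is to see the decoded path and both observations; pasting a different alert into SAMPLE_ALERT works as long as the three field lines are present.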
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 16 Jun 2008 13:29:29 +0100
Subject: ****Re: ****Re: simple question with home serviing ruby on rails web site
In-Reply-To: <1213618363.6327.185.camel@lin-workstation.azapple.com>
References: <1213455956.6327.44.camel@lin-workstation.azapple.com> <20080614165118.4d54c5a0@metropolis.intra.city-fan.org> <1213461644.6327.62.camel@lin-workstation.azapple.com> <485642C8.1060604@city-fan.org> <1213618363.6327.185.camel@lin-workstation.azapple.com>
Message-ID: <48565CA9.8010609@city-fan.org>

Craig White wrote:
> On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
>> Craig White wrote:
>>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
>>>> On Sat, 14 Jun 2008 08:05:56 -0700
>>>> Craig White wrote:
>>> I'm a bit confused myself because in essence, httpd is just a proxy to
>>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby
>>> processes and is providing dhtml on higher ports as the user.
>>>
>>> FWIW...httpd runs as user 'apache' (as usual)
>>> mongrels run as regular 'user' (me)
>>> all files and folders inside the subdirectory we are discussing...
>>> (/home/craig/svn-new) are owned by me (not root, not apache)
>> The conventional unix ownership and permissions make very little
>> difference as far as SELinux is concerned, so although you need to get
>> them right, they're not going to affect the file contexts needed.
>>
>> What context is mongrels running in (try the -Z option of ps)? How does
>> that process get started (via an initscript?)?
> ----
> yes, a SysV initscript...(running 2 mongrels at present... port & pid
> #'s 3000 & 3001)
>
> # ps auxZ|grep mongrel
> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079
> 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel
> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068
> 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l
> log/mongrel.3000.log
> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052
> 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l
> log/mongrel.3001.log
> ----

OK, so they're running as unconfined_t at the moment.

>>> I ran the commands that you suggested (ignoring the alerts raised by the
>>> first command) and then restarted httpd service and got a new alert...
>>>
>>> SELinux is preventing the httpd from using potentially mislabeled files
>>> (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
>>> Detailed Description
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>> SELinux has denied httpd access to potentially mislabeled file(s)
>>> (2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429).
>>>
>>> This means that SELinux will not allow httpd to use these files. It is
>>> common for users to edit files in their home directory or tmp
>>> directories and then move (mv) them to system directories. The problem
>>> is that the files end up with the wrong file context which confined
>>> applications are not allowed to access.
>>> Allowing Access
>>> If you want httpd to access this files, you need to relabel them using
>>> restorecon -v
>>> '2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429'.
>>>
>>> You might want to relabel the entire directory using restorecon -R -v ''.
>>> Additional Information
>>> Source Context: unconfined_u:system_r:httpd_t
>>> Target Context: unconfined_u:object_r:user_tmp_t
>>> Target Objects:
>>> 2F7661722F746D702F6B646563616368652D63726169672F6B70632F6B64652D69636F6E2D63616368652E64617461202864656C6574656429
>>>
>>> This is my new development system and I obviously will be doing svn
>>> commit/update operations in this directory and it was created by a
>>> checkout.
>>>
>>> There is a 'tmp' directory in the RAILS_ROOT directory
>>> (/home/craig/svn-new/th-db/branches/phase5) which holds...
>>> - temporary pdf files put there by ruby before 'merging' database data
>>> with pdftk
>>> - subdirectories but the only 'non-empty' subdirectory is one called
>>> 'pids' which holds the pid for the backgroundrd (a separate ruby process
>>> that runs long running processes in the background).
>>>
>>> I'm wondering if this directory shouldn't have some different
>>> contexts...
>>>
>>> My desire is to have a plan to manage selinux contexts when it comes
>>> time to merge this on my production server.
>> You probably need to run the ruby process confined so that it generates
>> files that are readable by httpd. It might actually work ok running as
>> httpd_t given how closely related the processes are.
> ----
> I'm sort of unclear on what you are telling me here. What did happen
> after I made the change you suggested on Saturday is that the 4:02
> rotation log restart of httpd stopped triggering selinux alerts but a
> full restart of httpd service does generate the latest alert.
>
> I could conceivably run the mongrels as user 'apache' except that the
> permissions on some of the folders would have to be changed because
> there are some directories that files are written into by the ruby web
> server...so I try to just run as user.

Don't change anything about the regular Unix permissions at the moment;
I guess that for a production server you'd create a separate account for
the Ruby stuff to run as.

What would be an interesting experiment would be to run the Ruby stuff
in the same SELinux context as httpd. Try changing the context type of
/usr/bin/mongrel_rails to httpd_exec_t and restart the services.

# chcon -t httpd_exec_t /usr/bin/mongrel_rails

I'm not sure whether this will make things better or worse but it should
eliminate some problems for the two httpd-like bits talking to each other.

Paul.

From sds at tycho.nsa.gov Mon Jun 16 13:04:31 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 16 Jun 2008 09:04:31 -0400
Subject: What to do about "invalid context"
In-Reply-To: <18515.36988.937287.194925@mimmi.uddeborg.se>
References: <18515.36988.937287.194925@mimmi.uddeborg.se>
Message-ID: <1213621471.15523.57.camel@moss-spartans.epoch.ncsc.mil>

On Sat, 2008-06-14 at 11:33 +0200, Göran Uddeborg wrote:
> Could anyone explain what is wrong when I get the error below?
>
> The problem:
>
> I get error messages when I try to run crontab.
>
> mimmi> env LANG=en_US.utf8 crontab -l
>
> Authentication service cannot retrieve authentication info
> You (göran) are not allowed to access to (crontab) because of pam configuration.
>
> What I have found out:
>
> In the audit log there is this entry:
>
> mimmi> sudo ausearch -a 3208
> ----
> time->Sat Jun 14 11:17:09 2008
> type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
> type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process
>
>
> Using strace I see that crontab tries to exec /sbin/unix_update and
> fails, which I suppose is what this message is about:
>
> 4826 execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)
>
> My first thought was that maybe the label on unix_update had not been
> correctly updated in some upgrade or so. But doing a restorecon on
> it didn't change its context (system_u:object_r:updpwd_exec_t:s0).
>
> I assume there is something broken in the host configurations, rather
> than some bug in the policy. But I don't understand what it is or
> what to do about it. I'm usually able to figure out
> "type=AVC"/"avc: denied" issues, but what do I do about a
> "type=SELINUX_ERR"/"invalid context"?

Missing role-type statement, ala:

# cat myupdpwd.te
module myupdate 1.0;

require {
        role unconfined_r;
        type updpwd_t;
}

# The type in the role-type statement is the domain type from the
# rejected context (unconfined_r:updpwd_t), not the updpwd_exec_t file
# type of the program being executed.
role unconfined_r types updpwd_t;

# make -f /usr/share/selinux/devel/Makefile myupdpwd.pp
# semodule -i myupdpwd.pp

-- 
Stephen Smalley
National Security Agency

From craigwhite at azapple.com Mon Jun 16 12:42:15 2008
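As an added example (not code from the thread), here is a small triage script that separates the two record kinds Göran asks about: an AVC denial, which is a type-enforcement problem that a relabel or an allow rule addresses, and a SELINUX_ERR "invalid context" from security_compute_sid, which is the role/type authorisation gap Stephen describes and which no allow rule can fix. For the latter it derives the role-type statement from the rejected context itself, taking the domain type (updpwd_t) rather than the exec file type, and emits a .te module in the shape of Stephen's. The sample records are the SELINUX_ERR line quoted above and the gam_server AVC line from Prakash's message; the module name passed in is an assumption.

```python
"""Triage SELinux audit records: AVC denials versus SELINUX_ERR invalid contexts.

Added example, not code from the thread. An AVC denial is type enforcement
refusing a permission; a SELINUX_ERR 'invalid context' from
security_compute_sid means the policy computed a new process context whose
role is not authorised for the resulting type, which no allow rule fixes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample records copied from the thread: the crontab SELINUX_ERR and
# Prakash's gam_server AVC (ausearch -i output).
SELINUX_ERR_LINE = (
    "type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: "
    "invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for "
    "scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process"
)
AVC_LINE = (
    "type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied { read } "
    "for pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1 "
    "scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 "
    "tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir"
)


def split_context(ctx: str) -> Dict[str, Optional[str]]:
    """'user:role:type[:range]' -> its parts; the range keeps its own colons."""
    user, role, typ, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ,
            "range": rest[0] if rest else None}


@dataclass
class AuditRecord:
    kind: str                                   # value of type=
    fields: Dict[str, str] = field(default_factory=dict)
    perms: List[str] = field(default_factory=list)       # AVC: denied permissions
    invalid: Optional[Dict[str, Optional[str]]] = None   # SELINUX_ERR: rejected context


def parse_record(line: str) -> AuditRecord:
    """Pull key=value fields plus the AVC permission set or the rejected context."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    rec = AuditRecord(kind=fields.get("type", "?"), fields=fields)
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if m:
        rec.perms = m.group(1).split()
    m = re.search(r"invalid context (\S+)", line)
    if m:
        rec.invalid = split_context(m.group(1))
    return rec


def diagnose(rec: AuditRecord) -> str:
    """One-line statement of what kind of problem the record is and what fixes it."""
    if rec.kind == "AVC" and rec.perms:
        s = split_context(rec.fields["scontext"])
        t = split_context(rec.fields["tcontext"])
        return (f"type enforcement: {s['type']} denied {{ {' '.join(rec.perms)} }} on "
                f"{rec.fields['tclass']} labelled {t['type']}; check the label "
                f"(ls -Z, restorecon) or add an allow rule")
    if rec.kind == "SELINUX_ERR" and rec.invalid:
        return (f"invalid context: role {rec.invalid['role']} is not authorised for "
                f"type {rec.invalid['type']}; add 'role {rec.invalid['role']} types "
                f"{rec.invalid['type']};'")
    return "no action derived"


def role_type_module(name: str, rec: AuditRecord) -> str:
    """Emit a .te module authorising the role/type pair the kernel rejected."""
    if rec.invalid is None:
        raise ValueError("not an invalid-context record")
    role, typ = rec.invalid["role"], rec.invalid["type"]
    return (f"module {name} 1.0;\n\n"
            f"require {{\n\trole {role};\n\ttype {typ};\n}}\n\n"
            f"# {typ} is the domain type from the rejected context, not the\n"
            f"# *_exec_t file type of the program that was executed.\n"
            f"role {role} types {typ};\n")


if __name__ == "__main__":
    for line in (AVC_LINE, SELINUX_ERR_LINE):
        rec = parse_record(line)
        print(rec.kind, "->", diagnose(rec))
    print(role_type_module("myupdpwd", parse_record(SELINUX_ERR_LINE)))
```

The generated module is built exactly as in Stephen's message (make -f /usr/share/selinux/devel/Makefile, then semodule -i); the point of deriving it from the record rather than from the tcontext is that the role must be paired with the resulting domain type, which the exec type alone does not tell you.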
From: craigwhite at azapple.com (Craig White)
Date: Mon, 16 Jun 2008 05:42:15 -0700
Subject: ****Re: ****Re: simple question with home serviing ruby on rails web site
In-Reply-To: <48565CA9.8010609@city-fan.org>
References: <1213455956.6327.44.camel@lin-workstation.azapple.com> <20080614165118.4d54c5a0@metropolis.intra.city-fan.org> <1213461644.6327.62.camel@lin-workstation.azapple.com> <485642C8.1060604@city-fan.org> <1213618363.6327.185.camel@lin-workstation.azapple.com> <48565CA9.8010609@city-fan.org>
Message-ID: <1213620135.6327.190.camel@lin-workstation.azapple.com>

On Mon, 2008-06-16 at 13:29 +0100, Paul Howarth wrote:
> Craig White wrote:
> > On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote:
> >> Craig White wrote:
> >>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote:
> >>>> On Sat, 14 Jun 2008 08:05:56 -0700
> >>>> Craig White wrote:
> >>> I'm a bit confused myself because in essence, httpd is just a proxy to
> >>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby
> >>> processes and is providing dhtml on higher ports as the user.
> >>>
> >>> FWIW...httpd runs as user 'apache' (as usual)
> >>> mongrels run as regular 'user' (me)
> >>> all files and folders inside the subdirectory we are discussing...
> >>> (/home/craig/svn-new) are owned by me (not root, not apache)
> >> The conventional unix ownership and permissions make very little
> >> difference as far as SELinux is concerned, so although you need to get
> >> them right, they're not going to affect the file contexts needed.
> >>
> >> What context is mongrels running in (try the -Z option of ps)? How does
> >> that process get started (via an initscript?)?
> > ----
> > yes, a SysV initscript...(running 2 mongrels at present... port & pid
> > #'s 3000 & 3001)
> >
> > # ps auxZ|grep mongrel
> > unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079
> > 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel
> > root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068
> > 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> > -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> > --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l
> > log/mongrel.3000.log
> > root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052
> > 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d
> > -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5
> > --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l
> > log/mongrel.3001.log
> > ----
>
> OK, so they're running as unconfined_t at the moment.
>
> > I could conceivably run the mongrels as user 'apache' except that the
> > permissions on some of the folders would have to be changed because
> > there are some directories that files are written into by the ruby web
> > server...so I try to just run as user.
>
> Don't change anything about the regular Unix permissions at the moment;
> I guess that for a production server you'd create a separate account for
> the Ruby stuff to run as.
>
> What would be an interesting experiment would be to run the Ruby stuff
> in the same SELinux context as httpd. Try changing the context type of
> /usr/bin/mongrel_rails to httpd_exec_t and restart the services.
>
> # chcon -t httpd_exec_t /usr/bin/mongrel_rails
>
> I'm not sure whether this will make things better or worse but it should
> eliminate some problems for the two httpd-like bits talking to each other.
----
that seems to have cleared things up - I had to restart both
mongrel_cluster service and then the httpd service - I did get an error
the first time through but subsequent restarts seems to have cleared it
up.

Thanks

Craig

From prakashkhallalli at gmail.com Mon Jun 16 14:09:02 2008
From: prakashkhallalli at gmail.com (prakash hallalli)
Date: Mon, 16 Jun 2008 19:39:02 +0530
Subject: Fwd: [MLS Policy]:- Problem for mapping between the Linux user to SELinux user for fedora 8
In-Reply-To: <994219730806150936o7e70cf41n360713f693819ec8@mail.gmail.com>
References: <994219730806141122w149320aewfd31bbdcd3c887b5@mail.gmail.com> <994219730806150936o7e70cf41n360713f693819ec8@mail.gmail.com>
Message-ID: <994219730806160709r7a44d418j37374ce70e2aaf36@mail.gmail.com>

Hi...

Now I am trying to configure RBAC using the MLS (Multilevel Security) policy for Fedora 8, because I have read Dan Walsh's journal, where he said the MLS policy is more useful for RBAC:

    http://danwalsh.livejournal.com/?skip=40
    Using RBAC In FC5/MLS Policy

So I am using the MLS policy for RBAC. Here I have installed the MLS packages and changed from the targeted policy to the mls policy. Then I configured the roles for users, but I couldn't set the roles, because when I am setting the roles it displays the error message.

Steps to reproduce:

1) Adding the SELinux audit user using the semanage command.

    # semanage user -a -R staff_r -R auditadm_r -P staff audit_u

2) Here I am checking the SELinux users.

    [root at turtle2 ~]# semanage user -l

                    Labeling   MLS/        MLS/
    SELinux User    Prefix     MCS Level   MCS Range                        SELinux Roles

    audit_u         staff      SystemLow   SystemLow                        staff_r auditadm_r
    root            sysadm     SystemLow   SystemLow:SystemLow-SystemHigh   system_r sysadm_r staff_r secadm_r auditadm_r
    staff_u         staff      SystemLow   SystemLow:SystemLow-SystemHigh   sysadm_r staff_r secadm_r auditadm_r
    sysadm_u        sysadm     SystemLow   SystemLow:SystemLow-SystemHigh   sysadm_r
    system_u        user       SystemLow   SystemLow:SystemLow-SystemHigh   system_r
    user_u          user       SystemLow   SystemLow                        system_r user_r
    [root at turtle2 ~]#

3) Now I am mapping the Linux user to the SELinux user; when I set the SELinux user it throws the error message as follows.

    [root at turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash
    libsemanage.validate_handler: selinux user audit does not exist No such file or directory.
    libsemanage.validate_handler: seuser mapping [prakash -> (audit, s0-s15:c0.c1023)] is invalid No such file or directory.
    libsemanage.dbase_llist_iterate: could not iterate over records No such file or directory.
    /usr/sbin/semanage: Could not add login mapping for prakash
    [root at turtle2 ~]#

4) I am using root in sysadm_r; the information is as follows.

    [root at turtle2 ~]# id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh
    [root at turtle2 ~]#

5) These are the audit log messages I am getting using the ausearch command.

    [root at turtle2 ~]# ausearch -i -m AVC -sv no
    type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386 syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808 a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=gam_server exe=/usr/libexec/gam_server subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
    type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied { read } for pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

I don't know why it is throwing this error. I have searched on Google but I couldn't find anything. Please help me with what I should do.

Thanks,
Prakash

From sds at tycho.nsa.gov Mon Jun 16 14:40:25 2008
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 16 Jun 2008 10:40:25 -0400 Subject: Fwd: [MLS Policy]:- Problem for mapping between the Linux user to SELinux user for fedora 8 In-Reply-To: <994219730806150936o7e70cf41n360713f693819ec8@mail.gmail.com> References: <994219730806141122w149320aewfd31bbdcd3c887b5@mail.gmail.com> <994219730806150936o7e70cf41n360713f693819ec8@mail.gmail.com> Message-ID: <1213627225.15523.89.camel@moss-spartans.epoch.ncsc.mil> On Sun, 2008-06-15 at 22:06 +0530, prakash hallalli wrote: > Hi... > > Now I am trying to configuring RBAC using MLS (Multilevel Security) > Policy for fedora 8. > Because i have read danwalsh jornal he side MLS policy is more use > full for RBAC. Again, to clarify, you don't have to use MLS policy if all you want is roles. And Fedora 9 is the latest release of Fedora. > http://danwalsh.livejournal.com/?skip=40 > Using RBAC In FC5/MLS Policy > > So i am using MLS policy for RBAC. Here i have installed MLS packages > and changed to targeted policy in to mls policy. > Then i have configured the roles for users but i couldn't set the > roles because when i am setting the roles it will display the error > message. > > Steps to reproduce: > > 1) Adding the SELinux audit user using semanage command. > > # semanage user -a -R staff_r -R auditadm_r -P staff audit_u > > 2) Here i am checking SELinux user. 
> > [root at turtle2 ~]# semanage user -l > > Labeling MLS/ MLS/ > SELinux User Prefix MCS Level MCS Range > SELinux Roles > > audit_u staff SystemLow SystemLow > staff_r auditadm_r > root sysadm SystemLow SystemLow:SystemLow-SystemHigh > system_r sysadm_r staff_r secadm_r auditadm_r > staff_u staff SystemLow SystemLow:SystemLow-SystemHigh > sysadm_r staff_r secadm_r auditadm_r > sysadm_u sysadm SystemLow SystemLow:SystemLow-SystemHigh > sysadm_r > system_u user SystemLow SystemLow:SystemLow-SystemHigh > system_r > user_u user SystemLow SystemLow > system_r user_r > [root at turtle2 ~]# > > 3) Now i am setting the Linux user to SELinux users, when i am setting > the SELinux user it will throw the error message as follows. > > [root at turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh > prakash > libsemanage.validate_handler: selinux user audit does not exist No > such file or directory. > libsemanage.validate_handler: seuser mapping [prakash -> (audit, > s0-s15:c0.c1023)] is invalid No such file or directory. > libsemanage.dbase_llist_iterate: could not iterate over records No > such file or directory. > /usr/sbin/semanage: Could not add login mapping for prakash > [root at turtle2 ~]# You typed "audit" rather than "audit_u" above. Looks like a typo in the blog. > > 4) I am using sysadm_r root information as follows > > [root at turtle2 ~]# id > uid=0(root) gid=0(root) > groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) > context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh > [root at turtle2 ~]# > > 5) This is i am getting audit log messages using ausearch command. 
> > [root at turtle2 ~]# ausearch -i -m AVC -sv no > type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386 > syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808 > a2=400 a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root > euid=root suid=root fsuid=root egid=root sgid=root fsgid=root > tty=(none) comm=gam_server exe=/usr/libexec/gam_server > subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null) > type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied > { read } for pid=2060 comm=gam_server path=inotify dev=inotifyfs > ino=1 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 > tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir > > I don't know why its throwing this error. I have searched in to google > but i couldn't find. > > Please help me what should i do. > > Thanks, > Prakash > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency From dant at cdkkt.com Mon Jun 16 15:36:34 2008 From: dant at cdkkt.com (Daniel B. Thurman) Date: Mon, 16 Jun 2008 08:36:34 -0700 Subject: What is the proper context for .strigi? Message-ID: <48568882.2080008@cdkkt.com> I have run into a problem of limted space for .strigi which was located in my home directory, so I decided to move ~/.strigi to another partition with ample space and created a symbolic link from ~/.strigi to the new location on a different partition. Selinux is reporting: SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to (unconfined_t). So, what is the proper context for .strigi and all of the files/directories contained within? Thanks! Dan -------------- next part -------------- An HTML attachment was scrubbed... URL: From paul at city-fan.org Mon Jun 16 15:51:28 2008 
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 16 Jun 2008 16:51:28 +0100
Subject: What is the proper context for .strigi?
In-Reply-To: <48568882.2080008@cdkkt.com>
References: <48568882.2080008@cdkkt.com>
Message-ID: <48568C00.3090801@city-fan.org>

Daniel B. Thurman wrote:
> I have run into a problem of limited space for .strigi
> which was located in my home directory, so I decided
> to move ~/.strigi to another partition with ample space
> and created a symbolic link from ~/.strigi to the new
> location on a different partition.
>
> Selinux is reporting:
> SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to
> (unconfined_t).
>
> So, what is the proper context for .strigi and all of the files/directories
> contained within?

You'll find that bind mounts work much better than symlinks from an SELinux point of view.

This reminds me to ask though, where is homedir_template as used by genhomedircon now? I can't find it in Fedora 9 and anything I've tried editing that looks like it might be it gets overwritten when I run genhomedircon.

Paul.

From eparis at redhat.com Mon Jun 16 16:10:52 2008
From: eparis at redhat.com (Eric Paris)
Date: Mon, 16 Jun 2008 12:10:52 -0400
Subject: What is the proper context for .strigi?
In-Reply-To: <48568882.2080008@cdkkt.com>
References: <48568882.2080008@cdkkt.com>
Message-ID: <1213632652.3029.48.camel@localhost.localdomain>

On Mon, 2008-06-16 at 08:36 -0700, Daniel B. Thurman wrote:
> I have run into a problem of limited space for .strigi
> which was located in my home directory, so I decided
> to move ~/.strigi to another partition with ample space
> and created a symbolic link from ~/.strigi to the new
> location on a different partition.
>
> Selinux is reporting:
> SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to
> (unconfined_t).

I'm ignoring your question because I have no idea, but I can say that this denial has nothing at all to do with the location of .strigi. This denial says that the program is calling mmap with MAP_FIXED on an area of memory < 64k (usually when people ask for this they ask for NULL). This is very rarely not needed by any program. Emulators like wine sometimes need this and if so I'd suggest actually writing policy around strigidaemon to allow this permission rather than twiddle the boolean or allow it in proc....

-Eric

From sds at tycho.nsa.gov Mon Jun 16 16:18:44 2008
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 16 Jun 2008 12:18:44 -0400 Subject: What is the proper context for .strigi? In-Reply-To: <48568C00.3090801@city-fan.org> References: <48568882.2080008@cdkkt.com> <48568C00.3090801@city-fan.org> Message-ID: <1213633124.15523.100.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2008-06-16 at 16:51 +0100, Paul Howarth wrote: > Daniel B. Thurman wrote: > > I have run into a problem of limted space for .strigi > > which was located in my home directory, so I decided > > to move ~/.strigi to another partition with ample space > > and created a symbolic link from ~/.strigi to the new > > location on a different partition. > > > > Selinux is reporting: > > SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to > > (unconfined_t). > > > > So, what is the proper context for .strigi and all of the files/directories > > contained within? > > You'll find that bind mounts work much better than symlinks from an > SELinux point of view. > > This reminds me to ask though, where is homedir_template as used by > genhomedircon now? I can't find it in Fedora 9 and anything I've tried > editing that looks like it might be it gets overwritten when I run > genhomedircon. genhomedircon functionality was taken into libsemanage in order to address various problems with the external implementation, and homedir_template is generated (from template entries in the .fc files) and used within the module sandbox, not made externally accessible. /usr/sbin/genhomedircon is now just a script that invokes semodule -Bn to regenerate the policy. -- Stephen Smalley National Security Agency From dant at cdkkt.com Mon Jun 16 16:31:02 2008 
From: dant at cdkkt.com (Daniel B. Thurman)
Date: Mon, 16 Jun 2008 09:31:02 -0700
Subject: What is the proper context for .strigi?
In-Reply-To: <48568C00.3090801@city-fan.org>
References: <48568882.2080008@cdkkt.com> <48568C00.3090801@city-fan.org>
Message-ID: <48569546.40304@cdkkt.com>

Paul Howarth wrote:
> Daniel B. Thurman wrote:
> > I have run into a problem of limited space for .strigi
> > which was located in my home directory, so I decided
> > to move ~/.strigi to another partition with ample space
> > and created a symbolic link from ~/.strigi to the new
> > location on a different partition.
> >
> > Selinux is reporting:
> > SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to
> > (unconfined_t).
> >
> > So, what is the proper context for .strigi and all of the
> > files/directories contained within?
> You'll find that bind mounts work much better than symlinks from an
> SELinux point of view.

Uh, ok - I'll have to look into that again. I forget how this is done.

> This reminds me to ask though, where is homedir_template as used by
> genhomedircon now? I can't find it in Fedora 9 and anything I've tried
> editing that looks like it might be it gets overwritten when I run
> genhomedircon.

Um, dunno. I am running F8.

BTW: I am getting hammered with SELinux complaining on the above reported error. It looks like a runaway process and it is hammering both of my CPUs badly. How do I temporarily shut down strigidaemon for now until I can get this issue resolved?

Thanks!
Dan

From goeran at uddeborg.se Tue Jun 17 18:36:48 2008
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Tue, 17 Jun 2008 20:36:48 +0200
Subject: What to do about "invalid context"
In-Reply-To: <1213621471.15523.57.camel@moss-spartans.epoch.ncsc.mil>
References: <18515.36988.937287.194925@mimmi.uddeborg.se> <1213621471.15523.57.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <18520.1088.113978.329084@mimmi.uddeborg.se>

Stephen Smalley writes:
> role unconfined_r types updpwd_exec_t;

Aha, now I get it! It's the role-type combination that is not allowed, and thus "invalid". Thanks!

A little detail, though. It's the type updpwd_t, not updpwd_exec_t that should be allowed, isn't it? Unless I'm mistaken, it's the file that has the *_exec_t type, but the resulting process domain is *_t.

I did create my module following your pattern, but using updpwd_t, and the crontab command works again. So it seems it was the right thing to do. Or have I done something I shouldn't do after all?

From sds at tycho.nsa.gov Tue Jun 17 18:44:39 2008
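The module Göran describes is a single `role ... types ...` statement that authorizes the role for the process domain. The following is an added example, not Göran's module or anything from the list: a small generator that emits such a module and rejects the *_exec_t/_t mix-up from this thread, since the statement must name the domain the process ends up in, not the label of the executable. The module name `local_updpwd_role` and the function names are the example's own; the build commands are the standard checkmodule, semodule_package and semodule sequence and are printed, not run.

```shell
#!/bin/sh
# Added example (not Göran's module): generate the policy module that
# authorizes a role for a process domain, and catch the mix-up discussed in
# the thread (passing the *_exec_t file type where the *_t domain type is
# meant). Type and role names come from the thread; the module name is ours.

# role_type_module ROLE TYPE [NAME]: print a module source allowing
# processes of ROLE to run in domain TYPE. Refuse file types: a role
# statement wants the domain a process ends up in, not the executable's
# label, so an *_exec_t argument is almost certainly the wrong one.
role_type_module() {
    role=$1; type=$2; name=${3:-local_role_$2}
    case $type in
        *_exec_t)
            echo "error: $type is an executable file type; use the domain type" \
                 "(for example ${type%_exec_t}_t)" >&2
            return 1 ;;
        *_t) ;;
        *)
            echo "error: $type does not look like an SELinux type" >&2
            return 1 ;;
    esac
    case $role in
        *_r) ;;
        *) echo "error: $role does not look like an SELinux role" >&2; return 1 ;;
    esac
    cat <<EOF
module $name 1.0;

require {
    role $role;
    type $type;
}

# Allow $role to be paired with domain $type, so a context such as
# unconfined_u:$role:$type is valid and the transition into it succeeds.
role $role types $type;
EOF
}

# build_commands NAME: print the commands that compile and load the module
# (run as root on the target host; not executed here).
build_commands() {
    name=$1
    printf '%s\n' \
        "checkmodule -M -m -o $name.mod $name.te" \
        "semodule_package -o $name.pp -m $name.mod" \
        "semodule -i $name.pp"
}

# Demo: the executable type is rejected, the domain type produces the module.
role_type_module unconfined_r updpwd_exec_t || true
role_type_module unconfined_r updpwd_t local_updpwd_role
build_commands local_updpwd_role
```

Save the generated text as `local_updpwd_role.te` and run the three printed commands on the host; `semodule -l` then lists the module, and `semodule -r local_updpwd_role` removes it again.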
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 17 Jun 2008 14:44:39 -0400
Subject: What to do about "invalid context"
In-Reply-To: <18520.1088.113978.329084@mimmi.uddeborg.se>
References: <18515.36988.937287.194925@mimmi.uddeborg.se> <1213621471.15523.57.camel@moss-spartans.epoch.ncsc.mil> <18520.1088.113978.329084@mimmi.uddeborg.se>
Message-ID: <1213728279.32066.79.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 2008-06-17 at 20:36 +0200, Göran Uddeborg wrote:
> Stephen Smalley writes:
> > role unconfined_r types updpwd_exec_t;
>
> Aha, now I get it! It's the role-type combination that is not
> allowed, and thus "invalid". Thanks!
>
> A little detail, though. It's the type updpwd_t, not updpwd_exec_t
> that should be allowed, isn't it? Unless I'm mistaken, it's the file
> that has the *_exec_t type, but the resulting process domain is *_t.
>
> I did create my module following your pattern, but using updpwd_t, and
> the crontab command works again. So it seems it was the right thing
> to do. Or have I done something I shouldn't do after all?

Oops, my mistake - yes, you wanted the domain type, not the executable type there. audit2allow is actually supposed to handle those errors too, but it seems to be broken at the moment for them.

--
Stephen Smalley
National Security Agency

From tibbs at math.uh.edu Tue Jun 17 21:22:19 2008
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 17 Jun 2008 16:22:19 -0500
Subject: chcon in %post
Message-ID:

I just came across a package that does this:

%post
/usr/bin/chcon -t unconfined_execmem_exec_t %{_libexecdir}/haddock.bin >/dev/null 2>&1 || :

rpmlint complains bitterly about it, and honestly I'm really not sure what's supposed to happen here. This is a ghc-compiled binary. (ghc is a Haskell compiler.)

So, if you have a binary in a package that really needs this context, is running chcon in %post the right way to do it?

- J<

From eparis at redhat.com Tue Jun 17 21:52:33 2008
From: eparis at redhat.com (Eric Paris)
Date: Tue, 17 Jun 2008 17:52:33 -0400
Subject: chcon in %post
In-Reply-To:
References:
Message-ID: <1213739553.3029.92.camel@localhost.localdomain>

On Tue, 2008-06-17 at 16:22 -0500, Jason L Tibbitts III wrote:
> I just came across a package that does this:
>
> %post
> /usr/bin/chcon -t unconfined_execmem_exec_t %{_libexecdir}/haddock.bin >/dev/null 2>&1 || :
>
> rpmlint complains bitterly about it, and honestly I'm really not sure
> what's supposed to happen here. This is a ghc-compiled binary. (ghc
> is a Haskell compiler.)
>
> So, if you have a binary in a package that really needs this context,
> is running chcon in %post the right way to do it?

I'd suggest getting the filecontext into policy so that RPM lays it down that way. And no, chcon is not the right way (reverted on system relabel). Use semanage fcontext -a and then restorecon if you cannot for some reason push the correct context upstream into policy.

From stefan at seekline.net Sat Jun 21 17:42:38 2008
From: stefan at seekline.net (Stefan Schulze Frielinghaus)
Date: Sat, 21 Jun 2008 19:42:38 +0200
Subject: polyinstation and removable media
Message-ID: <1214070158.4162.9.camel@vogon>

Something strange happens when /tmp and /var/tmp are polyinstantiated for all of my users except root and adm.

/etc/security/namespace.conf:

/tmp     tmpfs  tmpfs  root,adm
/var/tmp tmpfs  tmpfs  root,adm

When the user logs into a GDM session using GNOME and plugs in a USB stick, DVD or whatever, the device is _not_ mounted. Everything else works fine. The directory in /media is created and everything is set up correctly but the final mount command is not issued. The logfiles don't speak that much but maybe this is a little hint.

Jun 21 19:20:19 test kernel: sd 0:0:0:0: [sda] Attached SCSI removable disk
Jun 21 19:20:19 test console-kit-daemon[1629]: WARNING: Couldn't read /proc/2766/environ: Error reading file '/proc/2766/environ': No such process
Jun 21 19:20:20 test hald: mounted /dev/sda1 on behalf of uid 500
Jun 21 19:20:20 test gnome-keyring-daemon[2647]: adding removable location: volume_uuid_47DB_BAD8 at /media/blub

And here is a logfile without polyinstantiation:

Jun 21 19:25:00 test kernel: sd 1:0:0:0: [sda] Attached SCSI removable disk
Jun 21 19:25:00 test kernel: sd 1:0:0:0: Attached scsi generic sg0 type 0
Jun 21 19:25:01 test gnome-keyring-daemon[3746]: adding removable location: volume_uuid_47DB_BAD8 at /media/blub
Jun 21 19:25:01 test hald: mounted /dev/sda1 on behalf of uid 500

Both logs say that the media was mounted but that's not true if polyinstantiated. Maybe something related to the console-kit-daemon warning message?

Does someone have an idea or can confirm this?

Best regards
Stefan

From tmraz at redhat.com Mon Jun 23 11:47:37 2008
From: tmraz at redhat.com (Tomas Mraz)
Date: Mon, 23 Jun 2008 13:47:37 +0200
Subject: polyinstation and removable media
In-Reply-To: <1214070158.4162.9.camel@vogon>
References: <1214070158.4162.9.camel@vogon>
Message-ID: <1214221657.5983.10.camel@vespa.frost.loc>

On Sat, 2008-06-21 at 19:42 +0200, Stefan Schulze Frielinghaus wrote:
> Something strange happens when /tmp and /var/tmp are polyinstantiated
> for all of my users except root and adm.
>
> /etc/security/namespace.conf:
>
> /tmp tmpfs tmpfs root,adm
> /var/tmp tmpfs tmpfs root,adm
>
> When the user logs into a GDM session using GNOME and plugs in a
> USB stick, DVD or whatever, the device is _not_ mounted. Everything else
> works fine. The directory in /media is created and everything is set up
> correctly but the final mount command is not issued.
....
> Both logs say that the media was mounted but that's not true if
> polyinstantiated. Maybe something related to the console-kit-daemon
> warning message?
>
> Does someone have an idea or can confirm this?

The pam_namespace unshares the mount namespaces between parent (system) and child (user shell) processes. By default all the mount points are marked as private in kernel, that means the changes on the mount points are not visible among the unshared namespaces. You have to mark the /media directory as an rshared mount point somewhere in the system startup scripts.

mount --bind /media /media
mount --make-rshared /media

Or you can do it the other way around as Russell Coker suggests - that means make everything shared except the tmp directories.

mount --make-shared /
mount --bind /tmp /tmp
mount --make-private /tmp
mount --bind /var/tmp /var/tmp
mount --make-private /var/tmp

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

From dwalsh at redhat.com Mon Jun 23 12:56:12 2008
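Whether the startup-script change took effect can be verified from `/proc/self/mountinfo`, whose optional fields carry the propagation state (`shared:N`, `master:N`, `unbindable`; no field at all means private, the kernel default Tomas mentions). The following is an added example, not from the thread or from pam_namespace: it reads those fields and checks for the layout from the reply, /media shared while /tmp and /var/tmp stay private. The sample mountinfo is constructed; called without the file argument the functions inspect the running system. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): read mount propagation flags from
# /proc/self/mountinfo to verify the layout Tomas describes, i.e. /media
# shared so mounts made by hald show up in a pam_namespace'd session, and
# the polyinstantiated directories private. The sample file is constructed;
# pass no second argument to inspect the running system.

SAMPLE_MOUNTINFO=$(mktemp) || exit 1
cat >"$SAMPLE_MOUNTINFO" <<'EOF'
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
25 21 0:19 / /tmp rw,nosuid - tmpfs tmpfs rw
26 21 0:20 / /var/tmp rw,nosuid - tmpfs tmpfs rw
30 21 8:1 /media /media rw,relatime shared:5 - ext4 /dev/sda1 rw
31 21 0:21 / /run rw,nosuid master:2 - tmpfs tmpfs rw
32 21 0:22 / /mnt rw unbindable - ext4 /dev/sdb1 rw
EOF

# mount_propagation MOUNTPOINT [MOUNTINFO]: print shared, slave,
# shared,slave, unbindable or private for the mount at MOUNTPOINT; fail
# when MOUNTPOINT is not a mount. mountinfo fields: id parent major:minor
# root mountpoint opts [optional...] - fstype source superopts. Propagation
# lives in the optional fields; a mount with none of them is private.
mount_propagation() {
    awk -v mp="$1" '
        $5 == mp {
            shared = 0; slave = 0; unb = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unb = 1
            }
            if (unb) print "unbindable"
            else if (shared && slave) print "shared,slave"
            else if (shared) print "shared"
            else if (slave) print "slave"
            else print "private"
            found = 1
            exit
        }
        END { if (!found) exit 1 }' "${2:-/proc/self/mountinfo}"
}

# polyinst_layout_ok [MOUNTINFO]: succeed when /media propagates (shared)
# and /tmp and /var/tmp do not, printing every deviation found.
polyinst_layout_ok() {
    info=${1:-/proc/self/mountinfo}
    ok=0
    for want in "/media shared" "/tmp private" "/var/tmp private"; do
        mp=${want% *}; expect=${want#* }
        got=$(mount_propagation "$mp" "$info") || got="not a mount point"
        case $got in
            "$expect"|"$expect,"*) ;;   # shared,slave still propagates
            *) echo "$mp: expected $expect, found $got"; ok=1 ;;
        esac
    done
    return $ok
}

for mp in / /tmp /var/tmp /media /run /mnt; do
    printf '%-9s %s\n' "$mp" "$(mount_propagation "$mp" "$SAMPLE_MOUNTINFO")"
done
polyinst_layout_ok "$SAMPLE_MOUNTINFO" && echo "layout ok"
```

On a live system the same check must be run from inside a user session as well as from the startup context, because pam_namespace creates a new namespace per login and the question is what that namespace sees. Mount points containing spaces appear escaped as `\040` in mountinfo; the example compares the literal path and does not unescape.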
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 23 Jun 2008 08:56:12 -0400 Subject: ****Re: ****Re: simple question with home serviing ruby on rails web site In-Reply-To: <1213620135.6327.190.camel@lin-workstation.azapple.com> References: <1213455956.6327.44.camel@lin-workstation.azapple.com> <20080614165118.4d54c5a0@metropolis.intra.city-fan.org> <1213461644.6327.62.camel@lin-workstation.azapple.com> <485642C8.1060604@city-fan.org> <1213618363.6327.185.camel@lin-workstation.azapple.com> <48565CA9.8010609@city-fan.org> <1213620135.6327.190.camel@lin-workstation.azapple.com> Message-ID: <485F9D6C.1080102@redhat.com> Craig White wrote: > On Mon, 2008-06-16 at 13:29 +0100, Paul Howarth wrote: >> Craig White wrote: >>> On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote: >>>> Craig White wrote: >>>>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote: >>>>>> On Sat, 14 Jun 2008 08:05:56 -0700 >>>>>> Craig White wrote: >>>>> I'm a bit confused myself because in essence, httpd is just a proxy to >>>>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby >>>>> processes and is providing dhtml on higher ports as the user. >>>>> >>>>> FWIW...httpd runs as user 'apache' (as ususal) >>>>> mongrels run as regular 'user' (me) >>>>> all files and folders inside the subdirectory we are discussing... >>>>> (/home/craig/svn-new) are owned by me (not root, not apache) >>>> The conventional unix ownership and permissions make very little >>>> difference as far as SELinux is concerned, so although you need to get >>>> them right, they're not going to affect the file contexts needed. >>>> >>>> What context is mongrels running in (try the -Z option of ps)? How does >>>> that process get started (via an initscript?)? >>> ---- >>> yes, a SysV initscript...(running 2 mongrels at present... 
port & pid >>> #'s 3000 & 3001) >>> >>> # ps auxZ|grep mongrel >>> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079 >>> 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel >>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068 >>> 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d >>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 >>> --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l >>> log/mongrel.3000.log >>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052 >>> 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d >>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 >>> --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l >>> log/mongrel.3001.log >>> ---- >> OK, so they're running as unconfined_t at the moment. >> >>> I could conceivably run the mongrels as user 'apache' except that the >>> permissions on some of the folders would have to be changed because >>> there are some directories that files are written into by the ruby web >>> server...so I try to just run as user. >> Don't change anything about the regular Unix permissions at the moment; >> I guess that for a production server you'd create a separate account for >> the Ruby stuff to run as. >> >> What would be an interesting experiment would be to run the Ruby stuff >> in the same SELinux context as httpd. Try changing the context type of >> /usr/bin/mongrel_rails to httpd_exec_t and restart the services. >> >> # chcon -t httpd_exec_t /usr/bin/mongrel_rails >> >> I'm not sure whether this will make things better or worse but it should >> eliminate some problems for the two httpd-like bits talking to each other. > ---- > that seems to have cleared things up - I had to restart both > mongrel_cluster service and then the httpd service - I did get an error > the first time through but subsequent restarts seems to have cleared it > up. 
> > Thanks > > Craig > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Is this the correct context for mongrel_rails? IE Is this basically a http web server? How does it get started on boot? From dwalsh at redhat.com Mon Jun 23 13:04:32 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 23 Jun 2008 09:04:32 -0400 Subject: chcon in %post In-Reply-To: <1213739553.3029.92.camel@localhost.localdomain> References: <1213739553.3029.92.camel@localhost.localdomain> Message-ID: <485F9F60.6040502@redhat.com> Eric Paris wrote: > On Tue, 2008-06-17 at 16:22 -0500, Jason L Tibbitts III wrote: >> I just came across a package that does this: >> >> %post >> /usr/bin/chcon -t unconfined_execmem_exec_t %{_libexecdir}/haddock.bin >/dev/null 2>&1 || : >> >> rpmlint complains bitterly about it, and honestly I'm really not sure >> what's supposed to happen here. This is a ghc-compiled binary. (ghc >> is a Haskell compiler.) >> >> So, if you have a binary in a package that really needs this context, >> is running chcon in %post the right way to do it? > > I'd suggest getting the filecontext into policy so that RPM lays it down > that way. And no chcon is not the right way (reverted on system > relabel). use semanage fcontext -a and then restorecon if you cannot > for some reason push the correct context upstream into policy. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list I just fixed a bugzilla to label all the Haskell apps as unconfined_execmem_exec_t until haskell is fixed. We need a better way to handle apps that need execmem in policy for non unconfined_t users. Currently we have mono, java, wine, unconfined_execmem_exec_t, all basically giving the same privs usertype +execmem. From craigwhite at azapple.com Mon Jun 23 13:06:42 2008 
From: craigwhite at azapple.com (Craig White) Date: Mon, 23 Jun 2008 06:06:42 -0700 Subject: ****Re: ****Re: simple question with home serviing ruby on rails web site In-Reply-To: <485F9D6C.1080102@redhat.com> References: <1213455956.6327.44.camel@lin-workstation.azapple.com> <20080614165118.4d54c5a0@metropolis.intra.city-fan.org> <1213461644.6327.62.camel@lin-workstation.azapple.com> <485642C8.1060604@city-fan.org> <1213618363.6327.185.camel@lin-workstation.azapple.com> <48565CA9.8010609@city-fan.org> <1213620135.6327.190.camel@lin-workstation.azapple.com> <485F9D6C.1080102@redhat.com> Message-ID: <1214226402.23218.6.camel@lin-workstation.azapple.com> On Mon, 2008-06-23 at 08:56 -0400, Daniel J Walsh wrote: > Craig White wrote: > > On Mon, 2008-06-16 at 13:29 +0100, Paul Howarth wrote: > >> Craig White wrote: > >>> On Mon, 2008-06-16 at 11:39 +0100, Paul Howarth wrote: > >>>> Craig White wrote: > >>>>> On Sat, 2008-06-14 at 16:51 +0100, Paul Howarth wrote: > >>>>>> On Sat, 14 Jun 2008 08:05:56 -0700 > >>>>>> Craig White wrote: > >>>>> I'm a bit confused myself because in essence, httpd is just a proxy to > >>>>> the ruby/rails 'mongrel' which is a http server in ruby running the ruby > >>>>> processes and is providing dhtml on higher ports as the user. > >>>>> > >>>>> FWIW...httpd runs as user 'apache' (as ususal) > >>>>> mongrels run as regular 'user' (me) > >>>>> all files and folders inside the subdirectory we are discussing... > >>>>> (/home/craig/svn-new) are owned by me (not root, not apache) > >>>> The conventional unix ownership and permissions make very little > >>>> difference as far as SELinux is concerned, so although you need to get > >>>> them right, they're not going to affect the file contexts needed. > >>>> > >>>> What context is mongrels running in (try the -Z option of ps)? How does > >>>> that process get started (via an initscript?)? > >>> ---- > >>> yes, a SysV initscript...(running 2 mongrels at present... 
port & pid > >>> #'s 3000 & 3001) > >>> > >>> # ps auxZ|grep mongrel > >>> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh root 7079 > >>> 0.0 0.0 4120 732 pts/6 S+ 05:02 0:00 grep mongrel > >>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27313 0.0 3.0 45068 > >>> 30164 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d > >>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 > >>> --user craig --group craig -p 3000 -P log/mongrel.3000.pid -l > >>> log/mongrel.3000.log > >>> root:unconfined_r:unconfined_t:-s0:c0.c255 craig 27316 0.0 2.9 45052 > >>> 29468 ? Sl Jun15 0:10 /usr/bin/ruby /usr/bin/mongrel_rails start -d > >>> -e development -a 127.0.0.1 -c /home/craig/svn-new/th-db/branches/phase5 > >>> --user craig --group craig -p 3001 -P log/mongrel.3001.pid -l > >>> log/mongrel.3001.log > >>> ---- > >> OK, so they're running as unconfined_t at the moment. > >> > >>> I could conceivably run the mongrels as user 'apache' except that the > >>> permissions on some of the folders would have to be changed because > >>> there are some directories that files are written into by the ruby web > >>> server...so I try to just run as user. > >> Don't change anything about the regular Unix permissions at the moment; > >> I guess that for a production server you'd create a separate account for > >> the Ruby stuff to run as. > >> > >> What would be an interesting experiment would be to run the Ruby stuff > >> in the same SELinux context as httpd. Try changing the context type of > >> /usr/bin/mongrel_rails to httpd_exec_t and restart the services. > >> > >> # chcon -t httpd_exec_t /usr/bin/mongrel_rails > >> > >> I'm not sure whether this will make things better or worse but it should > >> eliminate some problems for the two httpd-like bits talking to each other. 
> > ----
> > that seems to have cleared things up - I had to restart both
> > mongrel_cluster service and then the httpd service - I did get an error
> > the first time through but subsequent restarts seems to have cleared it
> > up.
> >
> > Thanks
> Is this the correct context for mongrel_rails? IE Is this basically a
> http web server? How does it get started on boot?
----
It seems to be the correct context for mongrel_rails - the sealerts have stopped.

Yes, mongrel_rails is essentially a ruby language web server which runs as 'user' on a high numbered port and, as is the typical configuration, uses apache (httpd) to proxy the connections to a number of 'mongrels' (configurable) to spread the connections, since rails itself is not thread safe.

It is started at boot by a sysv initscript.

Craig

From kaigai at ak.jp.nec.com Tue Jun 24 02:45:38 2008
From: kaigai at ak.jp.nec.com (KaiGai Kohei)
Date: Tue, 24 Jun 2008 11:45:38 +0900
Subject: unpriv user domain <--> SE-PostgreSQL
Message-ID: <48605FD2.3060607@ak.jp.nec.com>

Dan,

At selinux-policy-3.4.2, you pulled the latest upstreamed refpolicy which contains a set of SE-PostgreSQL policies, but it neglected to merge an interface invocation at userdom_unpriv_user_template(), as follows:

optional_policy(`
    postgresql_userdom_template($1,$1_t,$1_r)
')

It prevents user_t, staff_t, ... from accessing SE-PostgreSQL. Could you update it?

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei

From adam.huffman at gmail.com Tue Jun 24 11:57:20 2008
From: adam.huffman at gmail.com (Adam Huffman) Date: Tue, 24 Jun 2008 12:57:20 +0100 Subject: KVM image problems Message-ID: <4860E120.2060206@gmail.com> Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm now seeing errors when running a virtual machine via KVM. The image was created in virt-install quite a while ago: -rwxr-xr-x root root system_u:object_r:xen_image_t XP1 However, after changing to enforcing mode I saw lots of these errors: > > Summary: > > SELinux is preventing qemu-kvm (qemu_t) "write" to /var/lib/xen/images/XP1 > (xen_image_t). > > Detailed Description: > > SELinux denied access requested by qemu-kvm. It is not expected that > this access > is required by qemu-kvm and this access may signal an intrusion > attempt. It is > also possible that the specific version or configuration of the > application is > causing it to require additional access. > > Allowing Access: > > Sometimes labeling problems can cause SELinux denials. You could try > to restore > the default system file context for /var/lib/xen/images/XP1, > > restorecon -v '/var/lib/xen/images/XP1' > > If this does not work, there is currently no automatic way to allow > this access. > Instead, you can generate a local policy module to allow this access - > see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can > disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. > Please file a bug report > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context system_u:system_r:qemu_t > Target Context user_u:object_r:xen_image_t > Target Objects /var/lib/xen/images/XP1 [ file ] > Source qemu-kvm > Source Path /usr/bin/qemu-kvm > Port > Host saintloup.smith.man.ac.uk > Source RPM Packages kvm-65-7.fc9 > Target RPM Packages > Policy RPM selinux-policy-3.3.1-64.fc9 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall_file > Host Name saintloup.smith.man.ac.uk > Platform Linux saintloup.smith.man.ac.uk > 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 > 16:05:21 > EDT 2008 x86_64 x86_64 > Alert Count 105 > First Seen Tue 24 Jun 2008 11:14:08 BST > Last Seen Tue 24 Jun 2008 11:15:23 BST > Local ID ae1ef75a-23f4-495d-af20-604d56fa2cde > Line Numbers > > Raw Audit Messages > > host=saintloup.smith.man.ac.uk type=AVC > msg=audit(1214302523.807:45871): avc: denied { write } for pid=6827 > comm="qemu-kvm" path="/var/lib/xen/images/XP1" dev=dm-6 ino=2621983 > scontext=system_u:system_r:qemu_t:s0 > tcontext=user_u:object_r:xen_image_t:s0 tclass=file > > host=saintloup.smith.man.ac.uk type=SYSCALL > msg=audit(1214302523.807:45871): arch=c000003e syscall=1 success=no > exit=-13 a0=5 a1=364ea00 a2=200 a3=1 items=0 ppid=3284 pid=6827 > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" > exe="/usr/bin/qemu-kvm" subj=system_u:system_r:qemu_t:s0 key=(null) > > I received a permission denied error when I tried manually to change the file to system_u:system_r:qemu_t and restorecon -v doesn't seem to do anything. Adam From berrange at redhat.com Tue Jun 24 13:49:09 2008 
From: berrange at redhat.com (Daniel P. Berrange) Date: Tue, 24 Jun 2008 14:49:09 +0100 Subject: KVM image problems In-Reply-To: <4860E120.2060206@gmail.com> References: <4860E120.2060206@gmail.com> Message-ID: <20080624134909.GA2156@redhat.com> On Tue, Jun 24, 2008 at 12:57:20PM +0100, Adam Huffman wrote: > Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm > now seeing errors when running a virtual machine via KVM. > > The image was created in virt-install quite a while ago: > > -rwxr-xr-x root root system_u:object_r:xen_image_t XP1 > > However, after changing to enforcing mode I saw lots of these errors: Xen is not KVM. Your image has the xen_image_t label because it's in /var/lib/xen/images. By default KVM images live in /var/lib/libvirt/images/ and have the virt_image_t label. Xen probably ought to be allowed to read virt_image_t, and then we should change /var/lib/xen/images/ to also be virt_image_t and get rid of xen_image_t. It is not nice to have different labels and locations for different virt technologies, so we should make sure everything is using the generic virt_image_t. In the meantime you can either move your images or relabel them to be virt_image_t for use with KVM. Regards, Daniel. -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| From linuxweb at gmail.com Tue Jun 24 15:09:13 2008
From: linuxweb at gmail.com (Johnny Tan) Date: Tue, 24 Jun 2008 11:09:13 -0400 Subject: rsyncd can't open log file, but there are no avc messages Message-ID: <48610E19.6040604@gmail.com> I'm stumped. I run a Java app called Solr, which does search indexing. My solr server creates the index, then I have a bunch of solr clients that rsync that index over. The rsync itself is fine, that works. The problem is it won't write to the appropriate logfile, which is: /opt/solr/logs/rsyncd.log /opt/solr/logs is a symlink to /var/log/store. Here's how it looks: == [root at solr:~]# ls -l /opt/solr/ lrwxrwxrwx 1 tomcat tomcat 14 Apr 29 13:52 logs -> /var/log/store [root at solr:~]# ls -ldZ /opt/solr/logs/ drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /opt/solr/logs/ [root at solr:~]# ls -ldZ /var/log/store drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /var/log/store [root at solr:~]# ls -Z /opt/solr/logs/rsyncd.log -rw-rw-rw- tomcat tomcat user_u:object_r:var_log_t /var/log/store/rsyncd.log == Note that the mode is 666 on the rsyncd.log. When a client tries to connect, though, I get, in /var/log/messages: Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open log-file /opt/solr/logs/rsyncd.log: Permission denied (13) But there are no avc denials (no, I don't have audit package installed, so all avc messages go to /var/log/messages -- I do get avc denials for other things). So, at first, I didn't think it was selinux-related, and tried to troubleshoot general unix permissions. But got nowhere. Then I noticed... when I put selinux in permissive mode, it works -- rsyncd properly logs to the above file. When I set it back to enforcing, I get the above error in /var/log/messages and nothing in the rsyncd.log, but no avc denials either. Any ideas? 
If it helps, here's how my rsyncd module looks:

==
module solrrsync 1.0;

require {
	type initrc_tmp_t;
	type port_t;
	type var_log_t;
	type restorecon_t;
	type rsync_t;
	type usr_t;
	class netlink_route_socket { read create bind getattr write nlmsg_read };
	class lnk_file read;
	class file { read write getattr create append };
	class tcp_socket { name_connect name_bind };
	class dir { write add_name };
}

#============= restorecon_t ==============
allow restorecon_t initrc_tmp_t:file { read write };
allow restorecon_t usr_t:lnk_file read;
allow restorecon_t var_log_t:lnk_file read;

#============= rsync_t ==============
allow rsync_t initrc_tmp_t:file { read write };
allow rsync_t port_t:tcp_socket { name_connect name_bind };
allow rsync_t self:netlink_route_socket { read create bind getattr write nlmsg_read };
allow rsync_t usr_t:lnk_file read;
allow rsync_t usr_t:file { read getattr };
allow rsync_t var_log_t:lnk_file read;
allow rsync_t var_log_t:dir { write add_name };
allow rsync_t var_log_t:file { read write getattr create append };
From adam.huffman at gmail.com Tue Jun 24 15:34:43 2008
From: adam.huffman at gmail.com (Adam Huffman) Date: Tue, 24 Jun 2008 16:34:43 +0100 Subject: KVM image problems In-Reply-To: <20080624134909.GA2156@redhat.com> References: <4860E120.2060206@gmail.com> <20080624134909.GA2156@redhat.com> Message-ID: <48611413.70304@gmail.com> Daniel P. Berrange wrote: > On Tue, Jun 24, 2008 at 12:57:20PM +0100, Adam Huffman wrote: > >> Having applied Dan Walsh's suggested fix for a SpamAssassin problem, I'm >> now seeing errors when running a virtual machine via KVM. >> >> The image was created in virt-install quite a while ago: >> >> -rwxr-xr-x root root system_u:object_r:xen_image_t XP1 >> >> However, after changing to enforcing mode I saw lots of these errors: >> > > Xen is not KVM. > > Your image has the xen_image_t label because its in /var/lib/xen/images > > Yes, I always found that location a bit odd, but that's where I was told to put them the last time I had similar trouble (i.e. if I didn't put them in /var/lib/xen/images, they wouldn't pick up the right context). > By default KVM images live in /var/lib/libvirt/images/ and have > virt_image_t label. Xen probably ought to be allowed to read virt_image_t > and then we should change /var/lib/xen/images/ to also be virt_image_t > and get rid of xen_image_t. It is not nice to have different labels and > locations for different virt technology. So we should make sure everything > is using the generic virt_image_t > > That would be simpler, yes. > In the meantime you can either move your images or relabel them to be > virt_image_t for use with KVM > > Yes, I've relabeled and that seems to have worked for now. On a related point, will I need to apply virt_image_t to .iso files I'm mounting in these VMs? Thanks, Adam From paul at city-fan.org Tue Jun 24 15:37:22 2008
From: paul at city-fan.org (Paul Howarth) Date: Tue, 24 Jun 2008 16:37:22 +0100 Subject: rsyncd can't open log file, but there are no avc messages In-Reply-To: <48610E19.6040604@gmail.com> References: <48610E19.6040604@gmail.com> Message-ID: <486114B2.7060903@city-fan.org> Johnny Tan wrote: > I'm stumped. > > I run a Java app called Solr, which does search indexing. My solr server > creates the index, then I have a bunch of solr clients that rsync that > index over. > > The rsync itself is fine, that works. The problem is it won't write to > the appropriate logfile, which is: > /opt/solr/logs/rsyncd.log > > /opt/solr/logs is a symlink to /var/log/store. > > Here's how it looks: > > == > > [root at solr:~]# ls -l /opt/solr/ > lrwxrwxrwx 1 tomcat tomcat 14 Apr 29 13:52 logs -> /var/log/store > > [root at solr:~]# ls -ldZ /opt/solr/logs/ > drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /opt/solr/logs/ > > [root at solr:~]# ls -ldZ /var/log/store > drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /var/log/store > > [root at solr:~]# ls -Z /opt/solr/logs/rsyncd.log > -rw-rw-rw- tomcat tomcat user_u:object_r:var_log_t > /var/log/store/rsyncd.log > > == > > Note that the mode is 666 on the rsyncd.log. When a client tries to > connect, though, I get, in /var/log/messages: > > Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open log-file > /opt/solr/logs/rsyncd.log: Permission denied (13) > > But there are no avc denials (no, I don't have audit package installed, > so all avc messages go to /var/log/messages -- I do get avc denials for > other things). > > So, at first, I didn't think it was selinux-related, and tried to > troubleshoot general unix permissions. But got nowhere. > > Then I noticed... when I put selinux in permissive mode, it works -- > rsyncd properly logs to the above file. When I set it back to enforcing, > I get the above error in /var/log/messages and nothing in the > rsyncd.log, but no avc denials either. > > > Any ideas? 
Turn off the dontaudit rules:

# semodule -DB

You should then see the AVCs and be able to generate the policy module you need.

You can then turn the dontaudit rules back on:

# semodule -B

Paul. From linuxweb at gmail.com Tue Jun 24 16:02:03 2008 From: linuxweb at gmail.com (Johnny Tan) Date: Tue, 24 Jun 2008 12:02:03 -0400 Subject: rsyncd can't open log file, but there are no avc messages In-Reply-To: <486114B2.7060903@city-fan.org> References: <48610E19.6040604@gmail.com> <486114B2.7060903@city-fan.org> Message-ID: <48611A7B.2020103@gmail.com> Paul Howarth wrote: > Turn off the dontaudit rules: > # semodule -DB > > You should then see the AVCs and be able to generate the policy module > you need. > > You can then turn back on the dontaudit rules: > # semodule -B I don't have dontaudit turned on to begin with. As I mentioned, I *do* see AVCs for other selinux problems. For this particular problem, I do *not* see AVCs. However, when I set selinux to Permissive, it works. So I think it's selinux-related, but there are no AVCs to give me clues. johnn From jdennis at redhat.com Tue Jun 24 16:21:36 2008
From: jdennis at redhat.com (John Dennis) Date: Tue, 24 Jun 2008 12:21:36 -0400 Subject: rsyncd can't open log file, but there are no avc messages In-Reply-To: <48611A7B.2020103@gmail.com> References: <48610E19.6040604@gmail.com> <486114B2.7060903@city-fan.org> <48611A7B.2020103@gmail.com> Message-ID: <48611F10.9070706@redhat.com> Johnny Tan wrote: > Paul Howarth wrote: >> Turn off the dontaudit rules: >> # semodule -DB >> >> You should then see the AVCs and be able to generate the policy >> module you need. >> >> You can then turn back on the dontaudit rules: >> # semodule -B > > I don't have dontaudit turned on to begin with. As I mentioned, I *do* > see AVCs for other selinux problems. I think you're misunderstanding what dontaudit does. There are specific policy rules which have a dontaudit flag associated with them, which says: even if you are auditing, don't log this particular denial. What has been suggested is that you disable those dontaudit flags so you see ALL the denials, not just those which do not currently have the dontaudit flag set on them, which is your current situation. -- John Dennis From linuxweb at gmail.com Tue Jun 24 16:39:40 2008
From: linuxweb at gmail.com (Johnny Tan) Date: Tue, 24 Jun 2008 12:39:40 -0400 Subject: rsyncd can't open log file, but there are no avc messages In-Reply-To: <48611F10.9070706@redhat.com> References: <48610E19.6040604@gmail.com> <486114B2.7060903@city-fan.org> <48611A7B.2020103@gmail.com> <48611F10.9070706@redhat.com> Message-ID: <4861234C.2010307@gmail.com> John Dennis wrote: > Johnny Tan wrote: >> Paul Howarth wrote: >>> Turn off the dontaudit rules: >>> # semodule -DB >>> >>> You should then see the AVCs and be able to generate the policy >>> module you need. >>> >>> You can then turn back on the dontaudit rules: >>> # semodule -B >> >> I don't have dontaudit turned on to begin with. As I mentioned, I *do* >> see AVCs for other selinux problems. > I think you're misunderstanding what dontaudit does. There are specific > policy rules which have a dontaudit flag associated with them which says > even if you are auditing don't log this particular denial. Ok, got it. Is there a similar option for older (i.e., RHEL-5) versions? policycoreutils-1.33.12-12.el5 johnn From sds at tycho.nsa.gov Tue Jun 24 16:58:54 2008
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 24 Jun 2008 12:58:54 -0400 Subject: rsyncd can't open log file, but there are no avc messages In-Reply-To: <4861234C.2010307@gmail.com> References: <48610E19.6040604@gmail.com> <486114B2.7060903@city-fan.org> <48611A7B.2020103@gmail.com> <48611F10.9070706@redhat.com> <4861234C.2010307@gmail.com> Message-ID: <1214326734.32762.262.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2008-06-24 at 12:39 -0400, Johnny Tan wrote: > John Dennis wrote: > > Johnny Tan wrote: > >> Paul Howarth wrote: > >>> Turn off the dontaudit rules: > >>> # semodule -DB > >>> > >>> You should then see the AVCs and be able to generate the policy > >>> module you need. > >>> > >>> You can then turn back on the dontaudit rules: > >>> # semodule -B > >> > >> I don't have dontaudit turned on to begin with. As I mentioned, I *do* > >> see AVCs for other selinux problems. > > I think you're misunderstanding what dontaudit does. There are specific > > policy rules which have a dontaudit flag associated with them which says > > even if you are auditing don't log this particular denial. > > Ok, got it. Is there a similar option for older (i.e., > RHEL-5) versions? > policycoreutils-1.33.12-12.el5 Not unless RH back-ported the support. But in older releases, you could instead install an enableaudit.pp file, e.g.

semodule -b /usr/share/selinux/targeted/enableaudit.pp
semodule -b /usr/share/selinux/targeted/base.pp

However, that only dealt with dontaudit rules in the base module. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Wed Jun 25 11:24:01 2008
From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 25 Jun 2008 07:24:01 -0400 Subject: KVM image problems In-Reply-To: <48611413.70304@gmail.com> References: <4860E120.2060206@gmail.com> <20080624134909.GA2156@redhat.com> <48611413.70304@gmail.com> Message-ID: <48622AD1.2040508@redhat.com> Adam Huffman wrote: > Daniel P. Berrange wrote: >> On Tue, Jun 24, 2008 at 12:57:20PM +0100, Adam Huffman wrote: >> >>> Having applied Dan Walsh's suggested fix for a SpamAssassin problem, >>> I'm now seeing errors when running a virtual machine via KVM. >>> >>> The image was created in virt-install quite a while ago: >>> >>> -rwxr-xr-x root root system_u:object_r:xen_image_t XP1 >>> >>> However, after changing to enforcing mode I saw lots of these errors: >>> >> >> Xen is not KVM. >> >> Your image has the xen_image_t label because its in /var/lib/xen/images >> >> > Yes, I always found that location a bit odd, but that's where I was told > to put them > the last time I had similar trouble (i.e. if I didn't put them in > /var/lib/xen/images, they wouldn't > pick up the right context). > >> By default KVM images live in /var/lib/libvirt/images/ and have >> virt_image_t label. Xen probably ought to be allowed to read virt_image_t >> and then we should change /var/lib/xen/images/ to also be virt_image_t >> and get rid of xen_image_t. It is not nice to have different labels and >> locations for different virt technology. So we should make sure >> everything >> is using the generic virt_image_t >> >> > > That would be simpler, yes. >> In the meantime you can either move your images or relabel them to be >> virt_image_t for use with KVM >> >> > Yes, I've relabeled and that seems to have worked for now. > > On a related point, will I need to apply virt_image_t to .iso files I'm > mounting in > these VMs? > > Thanks, > Adam > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list No, just image files.
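The relabeling step in this thread, as an added example that is not the list's or libvirt's code: a small Python tool that reads the SELinux type of every file under a directory and, for files that are not the type a KVM guest needs, prints the commands that change it persistently. It is here because a bare restorecon on the image could not have helped. restorecon only re-applies the type the file-context database already maps to the path, and that mapping is exactly what made /var/lib/xen/images/XP1 xen_image_t; chcon changes the file but is undone by the next relabel. The persistent fix is a semanage fcontext rule for the directory followed by restorecon. The helper names, the choice of virt_image_t as the wanted type and the sample listing used in the test are this example's assumptions.

```python
"""Find VM images whose SELinux type is not the one a KVM guest needs and
print a persistent fix.

Added example for this thread, not code from the list or from libvirt.
Assumed: the wanted type is virt_image_t and the directory is the Xen
image directory from the report above; the helper names are this
example's own.
"""
import os
import shlex
import sys

WANT_TYPE = 'virt_image_t'          # assumption: the type qemu_t may write
IMAGE_DIR = '/var/lib/xen/images'   # the directory from the report above


def context_type(ctx):
    """Type field of user:role:type[:range]; the MLS range may itself
    contain ':' (s0-s0:c0.c1023), so split at most three times."""
    return ctx.split(':', 3)[2]


def current_type(path):
    """Type from the security.selinux xattr, or None when the host or the
    filesystem has no labels (so the tool degrades instead of crashing)."""
    try:
        raw = os.getxattr(path, 'security.selinux')
    except (OSError, AttributeError):
        return None
    return context_type(raw.rstrip(b'\0').decode())


def scan(directory):
    """{path: type} for every regular file below directory that has a label."""
    labels = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            t = current_type(path)
            if t is not None:
                labels[path] = t
    return labels


def plan_relabel(labels, want_type, directory):
    """Given {path: type} as seen on disk, return the shell commands that
    make want_type the default for directory and then apply it.

    Order matters: the semanage rule changes what the file-context
    database maps the path to; only then does restorecon change the
    files. restorecon first (or alone) re-applies the old default,
    which is why it looked like a no-op in the thread."""
    if all(t == want_type for t in labels.values()):
        return []
    # file_contexts specs are regular expressions; a directory whose
    # path contains regex metacharacters would need escaping (none here).
    spec = directory.rstrip('/') + '(/.*)?'
    return [
        f'semanage fcontext -a -t {want_type} {shlex.quote(spec)}',
        f'restorecon -Rv {shlex.quote(directory)}',
    ]


if __name__ == '__main__':
    directory = sys.argv[1] if len(sys.argv) > 1 else IMAGE_DIR
    found = scan(directory)
    for path, t in sorted(found.items()):
        mark = 'ok ' if t == WANT_TYPE else 'FIX'
        print(f'{mark} {t:<16} {path}')
    for cmd in plan_relabel(found, WANT_TYPE, directory):
        print(cmd)
```

Run it as root on the image directory; it prints one line per file and, if anything is mislabeled, the two commands to run. The .iso question in the thread is unaffected: only files the guest opens through qemu need the image type, and a rule scoped to the image directory does not touch them.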
From psztoch at finn.pl Sat Jun 28 10:01:55 2008 
From: psztoch at finn.pl (Przemyslaw Sztoch) Date: Sat, 28 Jun 2008 03:01:55 -0700 (PDT) Subject: rsyncd and pre-xfer/post-xfer exec problem with FC8 selinux Message-ID: <18161913.post@talk.nabble.com> Running fully updated Fedora 8, trying to upload some files via rsync, and getting a couple of denials (on the server with xinetd & rsyncd):

avc: denied { read } for pid=20530 comm="rsync" name="sh" dev=dm-0 ino=1507433 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
avc: denied { execute } for pid=20530 comm="rsync" name="bash" dev=dm-0 ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
avc: denied { read } for pid=20530 comm="rsync" name="bash" dev=dm-0 ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
avc: denied { execute_no_trans } for pid=20530 comm="rsync" path="/bin/bash" dev=dm-0 ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
avc: denied { getattr } for pid=20530 comm="sh" path="/bin/bash" dev=dm-0 ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

My rsyncd.conf:

use chroot = yes
max connections = 50
log file = /var/log/rsync.log
uid = autobackup
gid = users

[autobackup]
path = /opt/autobackup
read only = no
write only = yes
list = no
uid = autobackup
incoming chmod = u=rw,go-rwx
transfer logging = yes
pre-xfer exec = /usr/local/bin/autobackup-hook pre
post-xfer exec = /usr/local/bin/autobackup-hook post

What should I do to use pre/post scripts in rsync? -- View this message in context: http://www.nabble.com/rsyncd-and-pre-xfer-post-xfer-exec-problem-with-FC8-selinux-tp18161913p18161913.html Sent from the Fedora SELinux List mailing list archive at Nabble.com. From frankly3d at gmail.com Sat Jun 28 10:11:25 2008
From: frankly3d at gmail.com (Frank Murphy) Date: Sat, 28 Jun 2008 11:11:25 +0100 Subject: Fedora 9 SELinux is preventing sendmail (exim_t) "getattr" to pipe (system_crond_t) Message-ID: <1214647885.16511.3.camel@frank-01> I think this has to do with exim trying to send logs? Should I actually bug-report? or just use the audit2allow -M local < /tmp/avcs Frank Summary: SELinux is preventing sendmail (exim_t) "getattr" to pipe (system_crond_t). Detailed Description: SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information:

Source Context                system_u:system_r:exim_t:s0
Target Context                system_u:system_r:system_crond_t:s0
Target Objects                pipe [ fifo_file ]
Source                        sendmail
Source Path                   /usr/sbin/exim
Port
Host                          frank-01
Source RPM Packages           exim-4.69-4.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-69.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     frank-01
Platform                      Linux frank-01 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Sat 28 Jun 2008 11:01:27 IST
Last Seen                     Sat 28 Jun 2008 11:01:27 IST
Local ID                      675df78e-7627-418a-8d0b-2f9943cd7033
Line Numbers

Raw Audit Messages

host=frank-01 type=AVC msg=audit(1214647287.324:61): avc: denied { getattr } for pid=16267 comm="sendmail" path="pipe:[94447]" dev=pipefs ino=94447 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:system_crond_t:s0 tclass=fifo_file
host=frank-01 type=SYSCALL msg=audit(1214647287.324:61): arch=40000003 syscall=197 success=no exit=-13 a0=1 a1=bf812f64 a2=981ff4 a3=b805d84c items=0 ppid=1 pid=16267 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0 key=(null)
From joe at nall.com Sat Jun 28 19:07:42 2008 From: joe at nall.com (Joe Nall) Date: Sat, 28 Jun 2008 14:07:42 -0500 Subject: audit2allow failure in rawhide Message-ID: <30DEB205-7908-477F-839B-D46D8CF6F96D@nall.com> While playing with rawhide/mls/permissive+Ted Toth's wm policy:

[root at xtest log]# audit2allow
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 344, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 338, in main
    self.__output()
  File "/usr/bin/audit2allow", line 314, in __output
    g.add_role_types(self.__role_types)
AttributeError: PolicyGenerator instance has no attribute 'add_role_types'
From selinux at gmail.com Sat Jun 28 19:45:19 2008
From: selinux at gmail.com (Tom London) Date: Sat, 28 Jun 2008 12:45:19 -0700 Subject: audit2allow failure in rawhide In-Reply-To: <30DEB205-7908-477F-839B-D46D8CF6F96D@nall.com> References: <30DEB205-7908-477F-839B-D46D8CF6F96D@nall.com> Message-ID: <4c4ba1530806281245j18c3774ege46f3414c52baf13@mail.gmail.com> On Sat, Jun 28, 2008 at 12:07 PM, Joe Nall wrote: > While playing with rawhide/mls/permissive+Ted Toth's wm policy: > > [root at xtest log]# audit2allow Traceback (most recent call last): > File "/usr/bin/audit2allow", line 344, in > app.main() > File "/usr/bin/audit2allow", line 338, in main > self.__output() > File "/usr/bin/audit2allow", line 314, in __output > g.add_role_types(self.__role_types) > AttributeError: PolicyGenerator instance has no attribute 'add_role_types' > This is fixed in selinux-policy-3.4.2-8.fc10.noarch and associated packages. Should be in rawhide..... tom -- Tom London From dwalsh at redhat.com Sun Jun 29 12:40:22 2008 
From: dwalsh at redhat.com (Daniel J Walsh) Date: Sun, 29 Jun 2008 08:40:22 -0400 Subject: rsyncd and pre-xfer/post-xfer exec problem with FC8 selinux In-Reply-To: <18161913.post@talk.nabble.com> References: <18161913.post@talk.nabble.com> Message-ID: <486782B6.3030505@redhat.com> Przemyslaw Sztoch wrote: > Running fully updated Fedora 8, trying to upload some files via rsync, and > getting a couple of denials (on the server with xinetd & rsyncd): > > avc: denied { read } for pid=20530 comm="rsync" name="sh" dev=dm-0 > ino=1507433 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file > > avc: denied { execute } for pid=20530 comm="rsync" name="bash" dev=dm-0 > ino=1507343 > scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:shell_exec_t:s0 tclass=file > > avc: denied { read } for pid=20530 comm="rsync" name="bash" dev=dm-0 > ino=1507343 > scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:shell_exec_t:s0 tclass=file > > avc: denied { execute_no_trans } for pid=20530 comm="rsync" > path="/bin/bash" dev=dm-0 > ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:shell_exec_t:s0 tclass=file > > avc: denied { getattr } for pid=20530 comm="sh" path="/bin/bash" dev=dm-0 > ino=1507343 > scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:shell_exec_t:s0 tclass=file > > My rsyncd.conf: > use chroot = yes > max connections = 50 > log file = /var/log/rsync.log > uid = autobackup > gid = users > > [autobackup] > path = /opt/autobackup > read only = no > write only = yes > list = no > uid = autobackup > incoming chmod = u=rw,go-rwx > transfer logging = yes > pre-xfer exec = /usr/local/bin/autobackup-hook pre > post-xfer exec = /usr/local/bin/autobackup-hook post > > What should I do to use pre/post scripts in rsync? > Did not know these existed. What do you do in these scripts?
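The denials quoted above, run through an added example that is neither audit2allow nor code from the thread: a Python parser for raw AVC records that groups them into allow rules the way audit2allow -M would, renders a type-enforcement module, and then flags the grants that widen a domain rather than fix a labeling or plumbing problem. Its sample input is constructed from the five rsync denials above (with the line-wrapped "sc ontext" rejoined) and the exim/crond pipe denial from Frank Murphy's report earlier in this digest; the helper names, the module name and the RISKY table are this example's own. For the rsync case it shows why "just allow it" is the wrong answer: execute_no_trans on shell_exec_t lets rsync_t run bash as rsync_t, which is the opposite of the separate script type with a domain transition that the thread goes on to ask for.

```python
"""Turn raw SELinux AVC records into audit2allow-style allow rules and
point out the ones that deserve a second look.

Added example for this thread; not audit2allow and not code from the
list. Helper names, the module name and the RISKY table are this
example's own choices.
"""
import re
from collections import defaultdict

# Constructed sample: the rsyncd pre-xfer denials and the exim/crond pipe
# denial quoted in this digest, with the wrapped "sc ontext" rejoined.
# The exim lines keep their audit header; the rsync lines start at "avc:"
# as posted, and the parser accepts both forms. The SYSCALL record is
# there to show that non-AVC records are skipped.
SAMPLE = """\
host=frank-01 type=AVC msg=audit(1214647287.324:61): avc: denied { getattr } for pid=16267 comm="sendmail" path="pipe:[94447]" dev=pipefs ino=94447 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:system_crond_t:s0 tclass=fifo_file
host=frank-01 type=SYSCALL msg=audit(1214647287.324:61): arch=40000003 syscall=197 success=no exit=-13 comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0 key=(null)
avc: denied { read } for pid=20530 comm="rsync" name="sh" dev=dm-0 ino=1507433 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
avc: denied { execute } for pid=20530 comm="rsync" name="bash" dev=dm-0 ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
avc: denied { read } for pid=20530 comm="rsync" name="bash" dev=dm-0 ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
avc: denied { execute_no_trans } for pid=20530 comm="rsync" path="/bin/bash" dev=dm-0 ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
avc: denied { getattr } for pid=20530 comm="sh" path="/bin/bash" dev=dm-0 ino=1507343 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of user:role:type[:range]; the MLS range may itself
    contain ':' (s0-s0:c0.c1023), so split at most three times."""
    return ctx.split(':', 3)[2]


def parse_avc(line):
    """Dict for one 'denied' AVC record, or None for anything else
    (SYSCALL records, 'granted' events, unrelated log lines)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = set(m.group('perms').split())
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


def group_denials(records):
    """{(source type, target type or 'self', class): permissions}, merging
    the several records one failed operation typically produces."""
    rules = defaultdict(set)
    for r in records:
        target = 'self' if r['stype'] == r['ttype'] else r['ttype']
        rules[(r['stype'], target, r['tclass'])] |= r['perms']
    return rules


def render_module(rules, name='local'):
    """Render the rules as a TE module in the shape audit2allow -M emits:
    a require block listing types and classes, then the allow rules."""
    types = sorted({t for (s, tgt, _) in rules for t in (s, tgt) if t != 'self'})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(classes[c]))} }};' for c in sorted(classes)]
    out += ['}', '']
    for (s, tgt, cls) in sorted(rules):
        out.append(f'allow {s} {tgt}:{cls} {{ {" ".join(sorted(rules[(s, tgt, cls)]))} }};')
    return '\n'.join(out) + '\n'


# Hand-picked (target type, class, permission) grants that widen a
# confined domain instead of fixing a labeling or plumbing problem.
RISKY = {
    ('shell_exec_t', 'file', 'execute_no_trans'):
        'source domain would run a shell in its own domain; use a dedicated '
        'script type and a domain transition instead',
    ('bin_t', 'file', 'execute_no_trans'):
        'source domain would run system binaries with its own permissions',
    ('shadow_t', 'file', 'read'):
        'source domain would read password hashes',
}


def review(rules):
    """Human-readable warnings for every grant that matches RISKY."""
    findings = []
    for (s, tgt, cls), perms in sorted(rules.items()):
        for p in sorted(perms):
            why = RISKY.get((tgt, cls, p))
            if why:
                findings.append(f'{s} -> {tgt}:{cls} {p}: {why}')
    return findings


if __name__ == '__main__':
    recs = [r for r in map(parse_avc, SAMPLE.splitlines()) if r]
    rules = group_denials(recs)
    print(render_module(rules, 'rsynchooks'))
    for f in review(rules):
        print('WARNING:', f)
```

Feed it the output of ausearch -m avc (or grep avc: /var/log/messages on a box without auditd, as in the Solr thread) instead of SAMPLE to use it on real records. The exim rule it produces is the harmless kind Dan Walsh says he will add to policy; the rsync_t execute_no_trans rule is the kind that should become a bug report or a proper script domain rather than a local module.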
From dwalsh at redhat.com Sun Jun 29 12:41:00 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sun, 29 Jun 2008 08:41:00 -0400 Subject: audit2allow failure in rawhide In-Reply-To: <4c4ba1530806281245j18c3774ege46f3414c52baf13@mail.gmail.com> References: <30DEB205-7908-477F-839B-D46D8CF6F96D@nall.com> <4c4ba1530806281245j18c3774ege46f3414c52baf13@mail.gmail.com> Message-ID: <486782DC.4010501@redhat.com> Tom London wrote: > On Sat, Jun 28, 2008 at 12:07 PM, Joe Nall wrote: >> While playing with rawhide/mls/permissive+Ted Toth's wm policy: >> >> [root at xtest log]# audit2allow > Traceback (most recent call last): >> File "/usr/bin/audit2allow", line 344, in >> app.main() >> File "/usr/bin/audit2allow", line 338, in main >> self.__output() >> File "/usr/bin/audit2allow", line 314, in __output >> g.add_role_types(self.__role_types) >> AttributeError: PolicyGenerator instance has no attribute 'add_role_types' >> > This is fixed in selinux-policy-3.4.2-8.fc10.noarch and associated packages. > > Should be in rawhide..... > > tom Actually it is in policycoreutils, but it should be in rawhide now. From shintaro.fujiwara at gmail.com Sun Jun 29 13:41:15 2008 From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara) Date: Sun, 29 Jun 2008 22:41:15 +0900 Subject: segatex-6.50 released Message-ID: Hi, guys. I released segatex-6.50. ################################################## In this version... It pops up Widget when denied message happens. ################################################## It can do anything you need when you configure SELinux thing. Enjoy. http://sourceforge.net/projects/segatex/ -- http://intrajp.no-ip.com/ Home Page From psztoch at finn.pl Sun Jun 29 21:15:57 2008 
From: psztoch at finn.pl (Przemysław Sztoch) Date: Sun, 29 Jun 2008 23:15:57 +0200 Subject: rsyncd and pre-xfer/post-xfer exec problem with FC8 selinux In-Reply-To: <486782B6.3030505@redhat.com> References: <18161913.post@talk.nabble.com> <486782B6.3030505@redhat.com> Message-ID: <4867FB8D.90209@finn.pl> Daniel J Walsh wrote: > Przemyslaw Sztoch wrote: >> What should I do to use pre/post scripts in rsync? > Did not know these existed. What do you do in these scripts? I.e. (of course I'm talking about rsyncd, not normal rsync mode): 1. Reporting and e-mail notification. 2. Filtering (denying a transfer) - access lists based on bash scripts (if/test/for/grep etc.). Rsync should have access to bash and be able to exec a new type for rsync, rsync_scripts_t. Of course an SELinux boolean to enable access to rsync_scripts_t would be great. -- Przemysław Sztoch LTC Sp. z o.o. From jonathan.stott at gmail.com Mon Jun 30 10:26:43 2008
From: jonathan.stott at gmail.com (Jonathan Stott) Date: Mon, 30 Jun 2008 11:26:43 +0100 Subject: Creating a custom user role Message-ID: <20080630112643.20a8cad8@hzhangpg02.ph.man.ac.uk> Hi I'm on FC9, and I would like to create a user based on guest_u who is almost as unprivileged as that role, but is allowed to ssh out. So I opened up the polgengui tool kit and selected 'minimal terminal user role'. I then also allowed it access to the guest role as an additional role (I'm not sure if this step is required). I then allowed the role to connect to port 22, and then made the policy files. On running the script, I got the message '/usr/sbin/semanage: You must specify a prefix', which led me to look a little closer at the generated file. One thing I noticed was that amongst the roles to be assigned to the new role was 'system_r', which I believe is the system administration role, so removing that and adding a prefix of user, I could then run the script and install the role. Adding it as the role for the user I want to allow ssh access out to, I then tried to login, which got me the message: Unable to get valid context for username Setting the user to guest_u or user_u works fine, though. What did I do wrong? Regards, Jonathan. From dwalsh at redhat.com Mon Jun 30 12:36:30 2008
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 30 Jun 2008 08:36:30 -0400 Subject: Fedora 9 SELinux is preventing sendmail (exim_t) "getattr" to pipe (system_crond_t) In-Reply-To: <1214647885.16511.3.camel@frank-01> References: <1214647885.16511.3.camel@frank-01> Message-ID: <4868D34E.70407@redhat.com> Frank Murphy wrote: > I think this has to do with exim trying to send logs? > Should I actually bug-report? > or just use the > audit2allow -M local < /tmp/avcs > > Frank > > Summary: > > SELinux is preventing sendmail (exim_t) "getattr" to pipe > (system_crond_t). > > Detailed Description: > > SELinux denied access requested by sendmail. It is not expected that > this access > is required by sendmail and this access may signal an intrusion attempt. > It is > also possible that the specific version or configuration of the > application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can > disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. > Please file a bug report > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context system_u:system_r:exim_t:s0 > Target Context system_u:system_r:system_crond_t:s0 > Target Objects pipe [ fifo_file ] > Source sendmail > Source Path /usr/sbin/exim > Port > Host frank-01 > Source RPM Packages exim-4.69-4.fc9 > Target RPM Packages > Policy RPM selinux-policy-3.3.1-69.fc9 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name frank-01 > Platform Linux frank-01 2.6.25.6-55.fc9.i686 #1 SMP > Tue Jun > 10 16:27:49 EDT 2008 i686 i686 > Alert Count 3 > First Seen Sat 28 Jun 2008 11:01:27 IST > Last Seen Sat 28 Jun 2008 11:01:27 IST > Local ID 675df78e-7627-418a-8d0b-2f9943cd7033 > Line Numbers > > Raw Audit Messages > > host=frank-01 type=AVC msg=audit(1214647287.324:61): avc: denied > { getattr } for pid=16267 comm="sendmail" path="pipe:[94447]" > dev=pipefs ino=94447 scontext=system_u:system_r:exim_t:s0 > tcontext=system_u:system_r:system_crond_t:s0 tclass=fifo_file > > host=frank-01 type=SYSCALL msg=audit(1214647287.324:61): arch=40000003 > syscall=197 success=no exit=-13 a0=1 a1=bf812f64 a2=981ff4 a3=b805d84c > items=0 ppid=1 pid=16267 auid=4294967295 uid=93 gid=93 euid=93 suid=93 > fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 > comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0 > key=(null) > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list I will update policy to allow this. Although this probably does not stop anything from functioning properly.