From frankly3d at gmail.com Sun Nov 2 12:42:52 2008
From: frankly3d at gmail.com (Frank Murphy)
Date: Sun, 02 Nov 2008 12:42:52 +0000
Subject: Unneeded inbuilt *.pp modules
Message-ID: <1225629772.17882.4.camel@localhost.localdomain>

Is it OK to back up to a USB stick and remove inbuilt policy modules (*.pp)
that are not required,

i.e. qemu, apache.

Things which basically will *definitely* be running on this server.

If I click booleans in SELinux Management, the check marks reappear
immediately.

Frank
-- 
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com

From frankly3d at gmail.com Sun Nov 2 12:50:16 2008
From: frankly3d at gmail.com (Frank Murphy)
Date: Sun, 02 Nov 2008 12:50:16 +0000
Subject: Unneeded inbuilt *.pp modules
In-Reply-To: <1225629772.17882.4.camel@localhost.localdomain>
References: <1225629772.17882.4.camel@localhost.localdomain>
Message-ID: <1225630216.17882.5.camel@localhost.localdomain>

On Sun, 2008-11-02 at 12:42 +0000, Frank Murphy wrote:

Apologies for the self-reply.
Should be *definitely NOT*.

From dwalsh at redhat.com Mon Nov 3 20:31:33 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Nov 2008 15:31:33 -0500
Subject: Unneeded inbuilt *.pp modules
In-Reply-To: <1225629772.17882.4.camel@localhost.localdomain>
References: <1225629772.17882.4.camel@localhost.localdomain>
Message-ID: <490F5FA5.1080707@redhat.com>

Frank Murphy wrote:
> Is it OK to back up to a USB stick and remove inbuilt policy modules
> (*.pp) that are not required,
>
> i.e. qemu, apache.
>
> Things which basically will *definitely* be running on this server.
>
> If I click booleans in SELinux Management,
> the check marks reappear immediately.
>
> Frank
>
Yes, the pp files are installed into
/etc/selinux/POLICYTYPE/modules/active/modules, so the original source is
not important and can be removed.
From sundaram at fedoraproject.org Wed Nov 5 19:48:59 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Thu, 06 Nov 2008 01:18:59 +0530
Subject: libavformat and SELinux policy issue
Message-ID: <4911F8AB.7010708@fedoraproject.org>

Hi,

When using mplayer for the past few days, I am getting the following
SELinux policy issue:

----

Summary:

SELinux is preventing totem-video-thu from loading
/usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation.

Detailed Description:

The totem-video-thu application attempted to load
/usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation. This is a
potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. The
SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html)
web page explains how to remove this requirement. You can configure SELinux
temporarily to allow /usr/lib/sse2/libavformat.so.52.22.1 to use relocation as
a workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/sse2/libavformat.so.52.22.1 to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/sse2/libavformat.so.52.22.1'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t '/usr/lib/sse2/libavformat.so.52.22.1'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/sse2/libavformat.so.52.22.1'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/sse2/libavformat.so.52.22.1 [ file ]
Source                        totem-video-thu
Source Path                   /usr/bin/totem-video-thumbnailer
Port
Host                          sundaram.redhat.com
Source RPM Packages           totem-2.24.3-1.fc10
Target RPM Packages           ffmpeg-libs-0.4.9-0.51.20080908.fc10
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     sundaram.redhat.com
Platform                      Linux sundaram.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686
Alert Count                   719
First Seen                    Thu 06 Nov 2008 12:51:21 AM IST
Last Seen                     Thu 06 Nov 2008 01:05:40 AM IST
Local ID                      7e3f9978-5247-4568-9b3b-f14b7db6643c
Line Numbers

Raw Audit Messages

node=sundaram.redhat.com type=AVC msg=audit(1225913740.104:764): avc: denied { execmod } for pid=16396 comm="totem-video-thu" path="/usr/lib/sse2/libavformat.so.52.22.1" dev=dm-0 ino=70735 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=sundaram.redhat.com type=SYSCALL msg=audit(1225913740.104:764): arch=40000003 syscall=125 success=no exit=-13 a0=15e2000 a1=ac000 a2=5 a3=b735a350 items=0 ppid=2638 pid=16396 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

---

Rahul

From sundaram at fedoraproject.org Wed Nov 5 19:51:00 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Thu, 06 Nov 2008 01:21:00 +0530
Subject: g-p-m SELinux policy denials
Message-ID: <4911F924.2050205@fedoraproject.org>

Hi,

I have copied the
copy of g-p-m related denials below:

---

Summary:

SELinux is preventing gnome-power-man (xdm_t) "create" to
10357b34dbb443572a67020848c54ed9:runtime (xdm_var_lib_t).

Detailed Description:

SELinux denied access requested by gnome-power-man. It is not expected that this
access is required by gnome-power-man and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for 10357b34dbb443572a67020848c54ed9:runtime,

restorecon -v '10357b34dbb443572a67020848c54ed9:runtime'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_var_lib_t:s0
Target Objects                10357b34dbb443572a67020848c54ed9:runtime [ lnk_file ]
Source                        gnome-power-man
Source Path                   /usr/bin/gnome-power-manager
Port
Host                          sundaram.pnq.redhat.com
Source RPM Packages           gnome-power-manager-2.24.1-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     sundaram.pnq.redhat.com
Platform                      Linux sundaram.pnq.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 05 Nov 2008 10:17:25 PM IST
Last Seen                     Wed 05 Nov 2008 10:17:25 PM IST
Local ID                      5bed64ed-4506-4f5e-aea2-22bef1bd3d82
Line Numbers

Raw Audit Messages

node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.809:25): avc: denied { create } for pid=8176 comm="gnome-power-man" name="10357b34dbb443572a67020848c54ed9:runtime" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=lnk_file

node=sundaram.pnq.redhat.com type=SYSCALL msg=audit(1225903645.809:25): arch=40000003 syscall=83 success=no exit=-13 a0=8f31138 a1=8f31040 a2=6d9b660 a3=8f311e0 items=0 ppid=1 pid=8176 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-power-man" exe="/usr/bin/gnome-power-manager" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

---------------

Summary:

SELinux is preventing gnome-power-man (xdm_t) "sendto" xdm_t.

Detailed Description:

SELinux denied access requested by gnome-power-man. It is not expected that this
access is required by gnome-power-man and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                None [ unix_dgram_socket ]
Source                        gnome-power-man
Source Path                   /usr/bin/gnome-power-manager
Port
Host                          sundaram.pnq.redhat.com
Source RPM Packages           gnome-power-manager-2.24.1-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     sundaram.pnq.redhat.com
Platform                      Linux sundaram.pnq.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Wed 05 Nov 2008 10:17:25 PM IST
Last Seen                     Wed 05 Nov 2008 10:17:25 PM IST
Local ID                      288d421c-cab3-49b2-9b6b-ac5398816f4d
Line Numbers

Raw Audit Messages

node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.846:26): avc: denied { sendto } for pid=8176 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

node=sundaram.pnq.redhat.com type=SYSCALL msg=audit(1225903645.846:26): arch=40000003 syscall=102 success=no exit=-13 a0=9 a1=b7127670 a2=a0b234 a3=0 items=0 ppid=1 pid=8176 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-power-man" exe="/usr/bin/gnome-power-manager" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

---

Rahul

From dwalsh at redhat.com Wed Nov 5 20:25:30 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 05 Nov 2008 15:25:30 -0500
Subject: libavformat and SELinux policy issue
In-Reply-To: <4911F8AB.7010708@fedoraproject.org>
References: <4911F8AB.7010708@fedoraproject.org>
Message-ID: <4912013A.7040802@redhat.com>

Rahul Sundaram wrote:
> Hi,
>
> When using mplayer for the past few days, I am getting the following
> SELinux policy issue:
>
> ----
>
> Summary:
>
> SELinux is preventing totem-video-thu from loading
> /usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation.
>
> Detailed Description:
>
> The totem-video-thu application attempted to load
> /usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation.
> This is a potential security problem. Most libraries do not need this
> permission. Libraries are sometimes coded incorrectly and request this
> permission. The SELinux Memory Protection Tests
> (http://people.redhat.com/drepper/selinux-mem.html) web page explains
> how to remove this requirement. You can configure SELinux temporarily
> to allow /usr/lib/sse2/libavformat.so.52.22.1 to use relocation as a
> workaround, until the library is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> If you trust /usr/lib/sse2/libavformat.so.52.22.1 to run correctly, you can
> change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
> '/usr/lib/sse2/libavformat.so.52.22.1'" You must also change the default
> file context files on the system in order to preserve them even on a full
> relabel.
> "semanage fcontext -a -t textrel_shlib_t '/usr/lib/sse2/libavformat.so.52.22.1'"
>
> Fix Command:
>
> chcon -t textrel_shlib_t '/usr/lib/sse2/libavformat.so.52.22.1'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:lib_t:s0
> Target Objects                /usr/lib/sse2/libavformat.so.52.22.1 [ file ]
> Source                        totem-video-thu
> Source Path                   /usr/bin/totem-video-thumbnailer
> Port
> Host                          sundaram.redhat.com
> Source RPM Packages           totem-2.24.3-1.fc10
> Target RPM Packages           ffmpeg-libs-0.4.9-0.51.20080908.fc10
> Policy RPM                    selinux-policy-3.5.13-11.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execmod
> Host Name                     sundaram.redhat.com
> Platform                      Linux sundaram.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686
> Alert Count                   719
> First Seen                    Thu 06 Nov 2008 12:51:21 AM IST
> Last Seen                     Thu 06 Nov 2008 01:05:40 AM IST
> Local ID                      7e3f9978-5247-4568-9b3b-f14b7db6643c
> Line Numbers
>
> Raw Audit Messages
>
> node=sundaram.redhat.com type=AVC msg=audit(1225913740.104:764): avc: denied { execmod } for pid=16396 comm="totem-video-thu" path="/usr/lib/sse2/libavformat.so.52.22.1" dev=dm-0 ino=70735 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> node=sundaram.redhat.com type=SYSCALL msg=audit(1225913740.104:764): arch=40000003 syscall=125 success=no exit=-13 a0=15e2000 a1=ac000 a2=5 a3=b735a350 items=0 ppid=2638 pid=16396 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> ---
>
> Rahul
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Fixed in
selinux-policy-3.5.13-16.fc10

From dwalsh at redhat.com Wed Nov 5 20:25:41 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 05 Nov 2008 15:25:41 -0500
Subject: g-p-m SELinux policy denials
In-Reply-To: <4911F924.2050205@fedoraproject.org>
References: <4911F924.2050205@fedoraproject.org>
Message-ID: <49120145.6040202@redhat.com>

Rahul Sundaram wrote:
> Hi,
>
> I have copied the copy of g-p-m related denials below:
>
> ---
>
>
> Summary:
>
> SELinux is preventing gnome-power-man (xdm_t) "create" to
> 10357b34dbb443572a67020848c54ed9:runtime (xdm_var_lib_t).
>
> Detailed Description:
>
> SELinux denied access requested by gnome-power-man. It is not expected
> that this access is required by gnome-power-man and this access may
> signal an intrusion attempt. It is also possible that the specific
> version or configuration of the application is causing it to require
> additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for
> 10357b34dbb443572a67020848c54ed9:runtime,
>
> restorecon -v '10357b34dbb443572a67020848c54ed9:runtime'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:xdm_var_lib_t:s0
> Target Objects                10357b34dbb443572a67020848c54ed9:runtime [ lnk_file ]
> Source                        gnome-power-man
> Source Path                   /usr/bin/gnome-power-manager
> Port
> Host                          sundaram.pnq.redhat.com
> Source RPM Packages           gnome-power-manager-2.24.1-3.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-11.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     sundaram.pnq.redhat.com
> Platform                      Linux sundaram.pnq.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686
> Alert Count                   1
> First Seen                    Wed 05 Nov 2008 10:17:25 PM IST
> Last Seen                     Wed 05 Nov 2008 10:17:25 PM IST
> Local ID                      5bed64ed-4506-4f5e-aea2-22bef1bd3d82
> Line Numbers
>
> Raw Audit Messages
>
> node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.809:25): avc: denied { create } for pid=8176 comm="gnome-power-man" name="10357b34dbb443572a67020848c54ed9:runtime" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=lnk_file
>
> node=sundaram.pnq.redhat.com type=SYSCALL msg=audit(1225903645.809:25): arch=40000003 syscall=83 success=no exit=-13 a0=8f31138 a1=8f31040 a2=6d9b660 a3=8f311e0 items=0 ppid=1 pid=8176 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-power-man" exe="/usr/bin/gnome-power-manager" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> ---------------
>
>
>
> Summary:
>
> SELinux is preventing gnome-power-man (xdm_t) "sendto" xdm_t.
>
> Detailed Description:
>
> SELinux denied access requested by gnome-power-man. It is not expected
> that this access is required by gnome-power-man and this access may
> signal an intrusion attempt.
> It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Objects                None [ unix_dgram_socket ]
> Source                        gnome-power-man
> Source Path                   /usr/bin/gnome-power-manager
> Port
> Host                          sundaram.pnq.redhat.com
> Source RPM Packages           gnome-power-manager-2.24.1-3.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-11.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     sundaram.pnq.redhat.com
> Platform                      Linux sundaram.pnq.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686
> Alert Count                   1
> First Seen                    Wed 05 Nov 2008 10:17:25 PM IST
> Last Seen                     Wed 05 Nov 2008 10:17:25 PM IST
> Local ID                      288d421c-cab3-49b2-9b6b-ac5398816f4d
> Line Numbers
>
> Raw Audit Messages
>
> node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.846:26): avc: denied { sendto } for pid=8176 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
>
> node=sundaram.pnq.redhat.com type=SYSCALL msg=audit(1225903645.846:26): arch=40000003 syscall=102 success=no exit=-13 a0=9 a1=b7127670 a2=a0b234 a3=0 items=0 ppid=1 pid=8176 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-power-man" exe="/usr/bin/gnome-power-manager"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
> ---
>
> Rahul

Fixed in selinux-policy-3.5.13-16.fc10

From dirk.schulz at kinzesberg.de Thu Nov 6 11:28:11 2008
From: dirk.schulz at kinzesberg.de (Dirk H. Schulz)
Date: Thu, 06 Nov 2008 12:28:11 +0100
Subject: Generating policies for Nagios on Fedora9 - difficulties
Message-ID:

Hi folks,

I have compiled Nagios 3.05 on Fedora9 (all updates current) and now try to
get it running together with SELinux.

I have piped the AVC denials from audit.log to audit2allow and generated
policies which I loaded using "semodule -i POLNAME.pp".

Now I have the weird state that:
- Nagios still cannot check postfix' mailqueue with check_mailq
- Nagios still cannot write emails to the mailqueue
but there are no AVC denials any more in audit.log and Nagios stopped
logging to syslog (although it still works as seen on the web pages). There
are also no SETroubleshoot messages in /var/log/messages any more.

Setting "setenforce 0" makes Nagios run smoothly, so the problem is still
related to SELinux somehow, but since nothing shows up in the logs any more
it is quite difficult to troubleshoot.

Logging in general does work, e.g. I can find an "Error code 69 returned
from /usr/bin/mailq" in /var/log/maillog every time Nagios runs the mailq
check. Changing the setenforce value leads to an entry in audit.log, so
even auditd logging partially works.

I have even restarted rsyslog with no effect.

How do I find out why SELinux is not logging completely any more?
And by the way: I also had the phenomenon that auditd claimed lots of
denials of ping while Nagios did not have any difficulty pinging - that
does not look very trustworthy on the part of SELinux, does it?

Any hint or help is appreciated.

Dirk

From paul at city-fan.org Thu Nov 6 12:09:45 2008
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 06 Nov 2008 12:09:45 +0000
Subject: Generating policies for Nagios on Fedora9 - difficulties
In-Reply-To:
References:
Message-ID: <4912DE89.8000001@city-fan.org>

Dirk H. Schulz wrote:
> Hi folks,
>
> I have compiled Nagios 3.05 on Fedora9 (all updates current) and now try
> to get it running together with SELinux.
>
> I have piped the AVC denials from audit.log to audit2allow and generated
> policies which I loaded using "semodule -i POLNAME.pp".
>
> Now I have the weird state that:
> - Nagios still cannot check postfix' mailqueue with check_mailq
> - Nagios still cannot write emails to the mailqueue
> but there are no AVC denials any more in audit.log and Nagios stopped
> logging to syslog (although it still works as seen on the web pages).
> There are also no SETroubleshoot messages in /var/log/messages any more.
>
> Setting "setenforce 0" makes Nagios run smoothly, so the problem is
> still related to SELinux somehow, but since nothing shows up in the logs
> any more it is quite difficult to troubleshoot.
>
> Logging in general does work, e.g. I can find an "Error code 69 returned
> from /usr/bin/mailq" in /var/log/maillog every time Nagios runs the
> mailq check. Changing the setenforce value leads to an entry in
> audit.log, so even auditd logging partially works.
>
> I have even restarted rsyslog with no effect.
>
> How do I find out why SELinux is not logging completely any more?
>
> And by the way: I also had the phenomenon that auditd claimed lots of
> denials of ping while Nagios did not have any difficulty pinging - that
> does not look very trustworthy on the part of SELinux, does it?
>
> Any hint or help is appreciated.

The SELinux denials that you're hitting now are probably dontaudit-ed in
policy. You can turn off the dontaudit rules using:

# semodule -BD

and turn them back on using:

# semodule -B

Be careful with policy generated from audit logs with dontaudit rules
turned off to ensure that what you're allowing is actually necessary and
not just unrelated noise.

Paul.

From sds at tycho.nsa.gov Thu Nov 6 14:00:08 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 06 Nov 2008 09:00:08 -0500
Subject: Generating policies for Nagios on Fedora9 - difficulties
In-Reply-To:
References:
Message-ID: <1225980008.814.2.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2008-11-06 at 12:28 +0100, Dirk H. Schulz wrote:
> Hi folks,
>
> I have compiled Nagios 3.05 on Fedora9 (all updates current) and now try to
> get it running together with SELinux.
>
> I have piped the AVC denials from audit.log to audit2allow and generated
> policies which I loaded using "semodule -i POLNAME.pp".
>
> Now I have the weird state that:
> - Nagios still cannot check postfix' mailqueue with check_mailq
> - Nagios still cannot write emails to the mailqueue
> but there are no AVC denials any more in audit.log and Nagios stopped
> logging to syslog (although it still works as seen on the web pages). There
> are also no SETroubleshoot messages in /var/log/messages any more.
>
> Setting "setenforce 0" makes Nagios run smoothly, so the problem is still
> related to SELinux somehow, but since nothing shows up in the logs any more
> it is quite difficult to troubleshoot.
>
> Logging in general does work, e.g. I can find an "Error code 69 returned
> from /usr/bin/mailq" in /var/log/maillog every time Nagios runs the mailq
> check. Changing the setenforce value leads to an entry in audit.log, so
> even auditd logging partially works.
>
> I have even restarted rsyslog with no effect.
>
> How do I find out why SELinux is not logging completely any more?
semodule -DB will rebuild your policy with all dontaudit rules removed, such
that all denials should be audited (some are suppressed via dontaudit to
silence noise caused by common application/library probing). That will then
generate a lot of avc messages, many of which are of no interest and should
not be allowed, but you should then be able to find the one of interest as
well. After finding it, run semodule -B to rebuild again with your dontaudit
rules included.

> And by the way: I also had the phenomenon that auditd claimed lots of
> denials of ping while Nagios did not have any difficulty pinging - that
> does not look very trustworthy on the part of SELinux, does it?
>

We'd have to see the actual avc messages to assess what is really happening
there.

-- 
Stephen Smalley
National Security Agency

From sean at bruenor.org Thu Nov 6 19:13:05 2008
From: sean at bruenor.org (Sean E. Millichamp)
Date: Thu, 06 Nov 2008 14:13:05 -0500
Subject: Handling labeling on filesystems that don't support SELinux
Message-ID: <1225998785.3313.5.camel@sewt>

I have been working on SELinux support for Puppet. One issue that has
cropped up is the behavior on filesystems which don't support SELinux. They
all appear to get a default label, some seem to allow changing the label
(VFAT) in a non-persistent manner, some seem to throw "not supported" errors
(NFS).

How can I detect if a file is on a filesystem which supports SELinux without
trying to update the label? The best idea so far has been to parse
/proc/mounts and use that to determine what type of filesystem a file lives
on, then check it against a whitelist (which would include ext3, xfs, ?) but
it seems like there has to be a cleaner/simpler way.

What I would like would be a "getfilecon" call that returns the real label,
ignoring any mount-time defaults.

Any ideas?

Thanks,
Sean

From dirk.schulz at kinzesberg.de Fri Nov 7 08:06:41 2008
From: dirk.schulz at kinzesberg.de (Dirk H. Schulz)
Date: Fri, 07 Nov 2008 09:06:41 +0100
Subject: Generating policies for Nagios on Fedora9 - difficulties
In-Reply-To: <4912DE89.8000001@city-fan.org>
References: <4912DE89.8000001@city-fan.org>
Message-ID: <72DD921805AAF508A7190211@file.wkd-druck.org>

Paul,

--On 6. November 2008 12:09:45 +0000 Paul Howarth wrote:

- snip -
>
> The SELinux denials that you're hitting now are probably dontaudit-ed in
> policy. You can turn off the dontaudit rules using:
>
> # semodule -BD
>
> and turn them back on using:
>
> # semodule -B

Thanks for helping, that was my problem.

>
> Be careful with policy generated from audit logs with dontaudit rules
> turned off to ensure that what you're allowing is actually necessary and
> not just unrelated noise.

I have tried to use only those denials that seemed related to my problem
(that means they contained "mailq" and "postqueue"). Now I have got this
working.

There are another two newbie questions, if you allow:
- loading a module with semodule -i - is this permanent or temporary
regarding reboots? I did not find any hint in web docs and man pages on
that.
- since I have done this very carefully step by step I now have lots of
.te and .pp files. Can I simply do a "cat *.te > all.te" and recompile it
or is there a tool that generates a syntactically more compact .te file?

Dirk

From paul at city-fan.org Fri Nov 7 09:02:10 2008
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 7 Nov 2008 09:02:10 +0000
Subject: Generating policies for Nagios on Fedora9 - difficulties
In-Reply-To: <72DD921805AAF508A7190211@file.wkd-druck.org>
References: <4912DE89.8000001@city-fan.org> <72DD921805AAF508A7190211@file.wkd-druck.org>
Message-ID: <20081107090210.25fad5ad@metropolis.intra.city-fan.org>

On Fri, 07 Nov 2008 09:06:41 +0100
"Dirk H. Schulz" wrote:

> Paul,
>
> --On 6. November 2008 12:09:45 +0000 Paul Howarth wrote:
>
> - snip -
> >
> > The SELinux denials that you're hitting now are probably
> > dontaudit-ed in policy.
> > You can turn off the dontaudit rules using:
> >
> > # semodule -BD
> >
> > and turn them back on using:
> >
> > # semodule -B
>
> Thanks for helping, that was my problem.
>
> >
> > Be careful with policy generated from audit logs with dontaudit
> > rules turned off to ensure that what you're allowing is actually
> > necessary and not just unrelated noise.
>
> I have tried to use only those denials that seemed related to my
> problem (that means they contained "mailq" and "postqueue"). Now I
> have got this working.
>
> There are another two newbie questions, if you allow:
> - loading a module with semodule -i - is this permanent or temporary
> regarding reboots? I did not find any hint in web docs and man pages
> on that.
> - since I have done this very carefully step by step I now have lots
> of .te and .pp files. Can I simply do a "cat *.te > all.te" and
> recompile it or is there a tool that generates a syntactically more
> compact .te file?

Not sure; all I do in such cases is merge together the "require" clauses
at the top and then all of the allow rules/interface calls just follow on
all together as if it was just one regular file.

Paul.

From dwalsh at redhat.com Fri Nov 7 14:56:12 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 07 Nov 2008 09:56:12 -0500
Subject: Generating policies for Nagios on Fedora9 - difficulties
In-Reply-To: <72DD921805AAF508A7190211@file.wkd-druck.org>
References: <4912DE89.8000001@city-fan.org> <72DD921805AAF508A7190211@file.wkd-druck.org>
Message-ID: <4914570C.8050707@redhat.com>

Dirk H. Schulz wrote:
> Paul,
>
> --On 6. November 2008 12:09:45 +0000 Paul Howarth wrote:
>
> - snip -
>
>>
>> The SELinux denials that you're hitting now are probably dontaudit-ed in
>> policy. You can turn off the dontaudit rules using:
>>
>> # semodule -BD
>>
>> and turn them back on using:
>>
>> # semodule -B
>
> Thanks for helping, that was my problem.
>
>>
>> Be careful with policy generated from audit logs with dontaudit rules
>> turned off to ensure that what you're allowing is actually necessary and
>> not just unrelated noise.
>
> I have tried to use only those denials that seemed related to my problem
> (that means they contained "mailq" and "postqueue"). Now I have got this
> working.
>
> There are another two newbie questions, if you allow:
> - loading a module with semodule -i - is this permanent or temporary
> regarding reboots? I did not find any hint in web docs and man pages on
> that.

Yes, they are permanent.

> - since I have done this very carefully step by step I now have lots of
> .te and .pp files. Can I simply do a "cat *.te > all.te" and recompile
> it or is there a tool that generates a syntactically more compact .te file?
>

Well, not exactly: you really can only have one policy_module() line at the
top, so you can edit your all.te and it would work.

> Dirk

From frankly3d at gmail.com Sun Nov 9 10:26:18 2008
From: frankly3d at gmail.com (Frank Murphy)
Date: Sun, 09 Nov 2008 10:26:18 +0000
Subject: SELinux is preventing perl (logwatch_t) "execute" to ./ifconfig (ifconfig_exec_t).
Message-ID: <4916BACA.3010109@gmail.com>

restorecon\Full\fixfiles: relabel not removed avc.

---------------------------

Summary:

SELinux is preventing perl (logwatch_t) "execute" to ./ifconfig
(ifconfig_exec_t).

Detailed Description:

SELinux denied access requested by perl. It is not expected that this access is
required by perl and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./ifconfig,

restorecon -v './ifconfig'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0
Target Context                system_u:object_r:ifconfig_exec_t:s0
Target Objects                ./ifconfig [ file ]
Source                        perl
Source Path                   /usr/bin/perl
Port
Host                          frank-01
Source RPM Packages           perl-5.10.0-49.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     frank-01
Platform                      Linux frank-01 2.6.27.4-79.fc10.i686 #1 SMP Tue Nov 4 21:56:37 EST 2008 i686 i686
Alert Count                   1
First Seen                    Sun 09 Nov 2008 10:10:33 GMT
Last Seen                     Sun 09 Nov 2008 10:10:33 GMT
Local ID                      e3112123-9c28-4417-ba5e-71236aa7b429
Line Numbers

Raw Audit Messages

node=frank-01 type=AVC msg=audit(1226225433.356:75): avc: denied { execute } for pid=24728 comm="perl" name="ifconfig" dev=dm-0 ino=4322 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

node=frank-01 type=SYSCALL msg=audit(1226225433.356:75): arch=40000003 syscall=11 success=no exit=-13 a0=9ed4ebc a1=9f7d2a4 a2=bfce9130 a3=bfce8ac8 items=0 ppid=24727 pid=24728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0 key=(null)

--
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com

From olivares14031 at yahoo.com Sun Nov 9 16:38:00 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sun, 9 Nov 2008 08:38:00 -0800 (PST)
Subject: line 1887 is missing
Message-ID: <408693.78863.qm@web52607.mail.re2.yahoo.com>

Dear fellow testers and selinux experts,

what is in line 1887, I have installed Fedora 10 Preview and when I try to
install a package, I get the following message:

Running rpm_check_debug
Running Transaction Test
/etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping
/etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
/etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping
/etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping

Smolt profile is here:

http://www.smolts.org/client/show/pub_52cf9c16-aa07-4697-8df6-7b47eb9855f4 (public)

TIA,

Antonio

From olivares14031 at yahoo.com Sun Nov 9 17:29:50 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sun, 9 Nov 2008 09:29:50 -0800 (PST)
Subject: line 1887 is missing (other problem)
In-Reply-To: <408693.78863.qm@web52607.mail.re2.yahoo.com>
Message-ID: <606276.6035.qm@web52605.mail.re2.yahoo.com>

--- On Sun, 11/9/08, Antonio Olivares wrote:

> From: Antonio Olivares
> Subject: line 1887 is missing
> To: fedora-test-list at redhat.com
> Cc: fedora-selinux-list at redhat.com
> Date: Sunday, November 9, 2008, 8:38 AM
>
> Dear fellow testers and selinux experts,
>
> what is in line 1887, I have installed Fedora 10 Preview
> and when I try to install a package, I get the following
> message:
>
> - snip -
>
> TIA,
>
> Antonio
>
> --
> fedora-test-list mailing list
> fedora-test-list at redhat.com
> To unsubscribe:
> https://www.redhat.com/mailman/listinfo/fedora-test-list

Now, I guess it does not matter. I believe hard drive has died :(

I see

ata2.0 BDMA, stat 0x4 cmd c8/00:08:54:ef:56/00:00:00:00:00 ea tag 0 dma 4096
ata2.0 BDMA, stat 0x4 res c8/00:08:54:ef:56/00:00:00:00:00 ea tag 0 dma 4096 Emask 0x9 (media error)
ata 2.0:status{DRDY ERR}

I will need to look for a spare hard drive for this machine.

Till next time.
Regards,

Antonio

From olivares14031 at yahoo.com Sun Nov 9 19:20:20 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sun, 9 Nov 2008 11:20:20 -0800 (PST)
Subject: line 1887 is missing
In-Reply-To: <4c4ba1530811090933o35973aaen91f79deecdf0ea39@mail.gmail.com>
Message-ID: <972899.64271.qm@web52606.mail.re2.yahoo.com>

--- On Sun, 11/9/08, Tom London wrote:

> From: Tom London
> Subject: Re: line 1887 is missing
> To: olivares14031 at yahoo.com
> Date: Sunday, November 9, 2008, 9:33 AM
>
> On Sun, Nov 9, 2008 at 8:38 AM, Antonio Olivares wrote:
> > Dear fellow testers and selinux experts,
> >
> > what is in line 1887, I have installed Fedora 10
> > Preview and when I try to install a package, I get the
> > following message:
> >
> > - snip -
> >
> > TIA,
> >
> > Antonio
>
> Would be helpful if you posted with the request for help:
>
> An example package you were trying to install,
> The version of selinux policy files you have installed
> (e.g., output of "rpm -qa selinux\*")
> Any local selinux policy modifications you have made (e.g.,
> via semanage, semodule)
> Any non-Fedora packages you have installed
>
> Otherwise, unless this is a "general problem" that everyone is
> experiencing, it is very difficult to respond.
>
> This is not happening to me on a Rawhide updated system.
>
> tom
> --
> Tom London

Tom,

I am also running 4 other machines with rawhide fully updated :), however I
installed to another machine Fedora 10 Preview and I encountered this, however,
hard drive seems to be dying. I see errors like below

ata2.0 BDMA, stat 0x4 cmd c8/00:08:54:ef:56/00:00:00:00:00 ea tag 0 dma 4096
ata2.0 BDMA, stat 0x4 res c8/00:08:54:ef:56/00:00:00:00:00 ea tag 0 dma 4096 Emask 0x9 (media error)
ata 2.0:status{DRDY ERR}

I will need to look for a spare hard drive for this machine.

Till next time.

Thanks for trying to help :)

Regards,

Antonio

From mjc at avtechpulse.com Wed Nov 12 13:08:58 2008
From: mjc at avtechpulse.com (Dr. Michael J. Chudobiak)
Date: Wed, 12 Nov 2008 08:08:58 -0500
Subject: logrotate problem
Message-ID: <491AD56A.3040305@avtechpulse.com>

Hi all,

I'm having problems running logrotate from cron. The emails say:

/etc/cron.daily/logrotate:
error: cannot open current directory: Permission denied

logrotate tries to open ".", which works out to "/root". Sure enough,
selinux is blocking access to admin_home_t:

type=AVC msg=audit(1226489667.211:371): avc: denied { read } for pid=2291 comm="logrotate" name="root" dev=dm-0 ino=2162689 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1226489667.211:371): arch=40000003 syscall=5 success=no exit=-13 a0=80525d3 a1=8000 a2=0 a3=8000 items=0 ppid=2289 pid=2291 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=39 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Is this a policy bug?

An /.autorelabel didn't fix it.

I'm using F10 rawhide.
- Mike

From dwalsh at redhat.com Wed Nov 12 14:09:20 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 12 Nov 2008 09:09:20 -0500
Subject: logrotate problem
In-Reply-To: <491AD56A.3040305@avtechpulse.com>
References: <491AD56A.3040305@avtechpulse.com>
Message-ID: <491AE390.8060407@redhat.com>

Dr. Michael J. Chudobiak wrote:
> Hi all,
>
> I'm having problems running logrotate from cron. The emails say:
>
> /etc/cron.daily/logrotate:
> error: cannot open current directory: Permission denied
>
> logrotate tries to open ".", which works out to "/root". Sure enough,
> selinux is blocking access to admin_home_t:
>
> - snip -
>
> Is this a policy bug?
>
> An /.autorelabel didn't fix it.
>
> I'm using F10 rawhide.
>
>
> - Mike

Is this standard config, or are you having logrotate look for something
in the /root directory?
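As an added example for this thread (not code from the list, from setroubleshoot or from Fedora's policycoreutils), the following Python applies the advice given earlier in the thread to the raw AVC records quoted in these messages: it sets aside denials whose target type the alerts on this page attribute to mislabeling (a restorecon job, as in the gdm report further down), and folds the rest, together with any earlier audit2allow-style .te files, into one module with a single policy_module() line and one merged require block, as Paul and Dan describe. The GENERIC_TARGET_TYPES set is a heuristic of mine, and the repeated logrotate record and EARLIER_TE are constructed samples.

```python
"""Triage raw AVC records and fold what remains into one policy module.
Added example for this thread (not code from the list, setroubleshoot or
policycoreutils): one policy_module() line, one merged require block."""
import re
from collections import defaultdict

# Heuristic (assumption, not policy): target types the alerts quoted on this
# page attribute to mislabeling (mislabeled_file / home_tmp_bad_labels).
# A denial against one of these is a restorecon job, not a new allow rule.
GENERIC_TARGET_TYPES = {"var_spool_t", "user_home_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

# Constructed sample: AVC records quoted on this page (logwatch, logrotate, gdm)
# plus one made-up repeat of the logrotate denial to show duplicates collapsing.
SAMPLE_AUDIT = [
    'node=frank-01 type=AVC msg=audit(1226225433.356:75): avc: denied { execute } for pid=24728 comm="perl" name="ifconfig" dev=dm-0 ino=4322 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1226489667.211:371): avc: denied { read } for pid=2291 comm="logrotate" name="root" dev=dm-0 ino=2162689 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1226576067.211:402): avc: denied { read } for pid=3105 comm="logrotate" name="root" dev=dm-0 ino=2162689 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'node=riohigh2 type=AVC msg=audit(1226614881.881:36): avc: denied { unlink } for pid=2090 comm="gdm-binary" name="force-display-on-active-vt" dev=sda6 ino=190494 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file',
]

# Constructed sample: an earlier audit2allow-style module for the same
# logrotate domain, standing in for the pile of .te files Dirk describes.
EARLIER_TE = """\
policy_module(logrotate_local, 1.0)
require { type logrotate_t; type admin_home_t; class dir search; }
allow logrotate_t admin_home_t:dir search;
"""


def context_type(ctx):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (stype, ttype, tclass, perms) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], set(m["perms"].split()))


def parse_te(text):
    """Collect the allow rules of an existing .te file, keyed by (s, t, class)."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in ALLOW_RE.findall(text):
        rules[(stype, ttype, tclass)] |= set(perms.strip("{} ").split())
    return rules


def triage(audit_lines, rules=None):
    """Split denials into likely mislabels and allow rules merged into a copy of `rules`."""
    merged = defaultdict(set, {k: set(v) for k, v in (rules or {}).items()})
    mislabeled = []
    for line in audit_lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if ttype in GENERIC_TARGET_TYPES:
            mislabeled.append((stype, ttype, tclass))
        else:
            merged[(stype, ttype, tclass)] |= perms
    return mislabeled, merged


def render_module(name, rules):
    """Emit one module: a single policy_module() line and one require block."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"policy_module({name}, 1.0)", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    for tclass, perms in sorted(classes.items()):
        out.append(f"\tclass {tclass} {{ {' '.join(sorted(perms))} }};")
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ " + joined + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(out) + "\n"


def build_module(name, audit_lines, existing_te=()):
    """Merge earlier .te files and new denials; return (mislabeled, te_text).
    Review every allow line before semodule -i, as Paul warns above."""
    rules = defaultdict(set)
    for text in existing_te:
        for key, perms in parse_te(text).items():
            rules[key] |= perms
    mislabeled, rules = triage(audit_lines, rules)
    return mislabeled, render_module(name, rules)
```

Calling build_module("local_merged", SAMPLE_AUDIT, [EARLIER_TE]) reports the xdm_t/var_spool_t denial as a likely mislabel and returns a module whose two allow lines cover logwatch_t and logrotate_t, with the three logrotate denials and the earlier module's search rule folded into one rule.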
From olivares14031 at yahoo.com Fri Nov 14 00:36:00 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 13 Nov 2008 16:36:00 -0800 (PST)
Subject: SELinux is preventing gdm-binary (xdm_t) "unlink" to ... and npviewer
Message-ID: <592572.58068.qm@web52605.mail.re2.yahoo.com>

Dear selinux experts,

running fedora 10 preview updated to latest packages

[olivares at riohigh2 ~]$ uname -r
2.6.27.5-101.fc10.i686
[olivares at riohigh2 ~]$ rpm -qa selinux*
selinux-policy-3.5.13-18.fc10.noarch
selinux-policy-targeted-3.5.13-18.fc10.noarch


Summary:

SELinux is preventing gdm-binary (xdm_t) "unlink" to
./force-display-on-active-vt (var_spool_t).

Detailed Description:

SELinux is preventing gdm-binary (xdm_t) "unlink" to
./force-display-on-active-vt (var_spool_t). The SELinux type var_spool_t, is a
generic type for all files in the directory and very few processes (SELinux
Domains) are allowed to write to this SELinux type. This type of denial usual
indicates a mislabeled file. By default a file created in a directory has the
gets the context of the parent directory, but SELinux policy has rules about the
creation of directories, that say if a process running in one SELinux Domain
(D1) creates a file in a directory with a particular SELinux File Context (F1)
the file gets a different File Context (F2). The policy usually allows the
SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for
some reason a file (./force-display-on-active-vt) was created with the wrong
context, this domain will be denied. The usual solution to this problem is to
reset the file context on the target file, restorecon -v
'./force-display-on-active-vt'. If the file context does not change from
var_spool_t, then this is probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v
'./force-display-on-active-vt'

Fix Command:

restorecon './force-display-on-active-vt'

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_spool_t:s0
Target Objects                ./force-display-on-active-vt [ file ]
Source                        gdm-binary
Source Path                   /usr/sbin/gdm-binary
Port
Host                          riohigh2
Source RPM Packages           gdm-2.24.0-12.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     riohigh2
Platform                      Linux riohigh2 2.6.27.5-94.fc10.i686 #1 SMP Mon Nov 10 15:51:55 EST 2008 i686 athlon
Alert Count                   17
First Seen                    Mon 03 Nov 2008 07:08:33 AM CST
Last Seen                     Thu 13 Nov 2008 04:21:21 PM CST
Local ID                      a66adf6c-89d5-4d90-83ca-f34c94bb4d45
Line Numbers

Raw Audit Messages

node=riohigh2 type=AVC msg=audit(1226614881.881:36): avc: denied { unlink } for pid=2090 comm="gdm-binary" name="force-display-on-active-vt" dev=sda6 ino=190494 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file

node=riohigh2 type=SYSCALL msg=audit(1226614881.881:36): arch=40000003 syscall=10 success=no exit=-13 a0=8063b84 a1=0 a2=4f86dc a3=9940400 items=0 ppid=1 pid=2090 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-binary" exe="/usr/sbin/gdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing the npviewer.bin from using potentially mislabeled files
(/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer).

Detailed Description:

SELinux has denied npviewer.bin access to potentially mislabeled file(s)
(/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer). This means that
SELinux will not allow npviewer.bin to use these files. It is common for users
to edit files in their home directory or tmp directories and then move (mv) them
to system directories. The problem is that the files end up with the wrong file
context which confined applications are not allowed to access.

Allowing Access:

If you want npviewer.bin to access this files, you need to relabel them using
restorecon -v '/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer'.
You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer [ fifo_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port
Host                          riohigh2
Source RPM Packages           nspluginwrapper-1.1.2-4.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     riohigh2
Platform                      Linux riohigh2 2.6.27.5-101.fc10.i686 #1 SMP Wed Nov 12 00:50:43 EST 2008 i686 athlon
Alert Count                   4
First Seen                    Thu 13 Nov 2008 06:31:50 PM CST
Last Seen                     Thu 13 Nov 2008 06:31:55 PM CST
Local ID                      81d406be-b7e4-4bf4-a8c7-f12b7c36ee27
Line Numbers

Raw Audit Messages

node=riohigh2 type=AVC msg=audit(1226622715.909:38): avc: denied { write } for pid=4732 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=sda6 ino=263881 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=riohigh2 type=AVC msg=audit(1226622715.909:38): avc: denied { read } for pid=4732 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=sda6 ino=263847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file

node=riohigh2 type=SYSCALL msg=audit(1226622715.909:38): arch=40000003 syscall=11 success=yes exit=0 a0=9e70d28 a1=9e71d40 a2=9e72210 a3=0 items=0 ppid=3572 pid=4732 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

Has someone else encountered these before and what should I do about them?

Thanks,

Antonio

From dwalsh at redhat.com Fri Nov 14 14:08:39 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Nov 2008 09:08:39 -0500
Subject: SELinux is preventing gdm-binary (xdm_t) "unlink" to ... and npviewer
In-Reply-To: <592572.58068.qm@web52605.mail.re2.yahoo.com>
References: <592572.58068.qm@web52605.mail.re2.yahoo.com>
Message-ID: <491D8667.7080804@redhat.com>

Antonio Olivares wrote:
> Dear selinux experts,
>
> running fedora 10 preview updated to latest packages
>
> - snip -
>
> Summary:
>
> SELinux is preventing gdm-binary (xdm_t) "unlink" to
> ./force-display-on-active-vt (var_spool_t).
>
> Detailed Description:
>
> SELinux is preventing gdm-binary (xdm_t) "unlink" to
> ./force-display-on-active-vt (var_spool_t).
> - snip -
>
> Raw Audit Messages
>
> node=riohigh2 type=AVC msg=audit(1226614881.881:36): avc: denied { unlink } for pid=2090 comm="gdm-binary" name="force-display-on-active-vt" dev=sda6 ino=190494 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
>
> - snip -
>
The question here is which process created this file? force-display-on-active-vt
>
> Summary:
>
> SELinux is preventing the npviewer.bin from using potentially mislabeled files
> (/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer).
>
> - snip -
>
> Has someone else encountered these before and what should I do about them?
>
> Thanks,
>
> Antonio

If you change the context of this directory to

chcon -R -t nsplugin_home_t ~/.icedteaplugin

You should eliminate this avc. I will change the layout in selinux-policy-3.5.13-21.fc10

From dwalsh at redhat.com Fri Nov 14 14:12:16 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Nov 2008 09:12:16 -0500
Subject: SELinux is preventing gdm-binary (xdm_t) "unlink" to ...
 and npviewer
In-Reply-To: <592572.58068.qm@web52605.mail.re2.yahoo.com>
References: <592572.58068.qm@web52605.mail.re2.yahoo.com>
Message-ID: <491D8740.50903@redhat.com>

Antonio Olivares wrote:
> Dear selinux experts,
>
> running fedora 10 preview updated to latest packages
>
> - snip -
>
> Summary:
>
> SELinux is preventing gdm-binary (xdm_t) "unlink" to
> ./force-display-on-active-vt (var_spool_t).
>
> - snip -
>
> Raw Audit Messages
>
> node=riohigh2 type=AVC msg=audit(1226614881.881:36): avc: denied { unlink } for pid=2090 comm="gdm-binary" name="force-display-on-active-vt" dev=sda6 ino=190494 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
>
> - snip -
>
Actually this looks like a labeling problem

restorecon -R -v /var/spool/gdm

> Summary:
>
> SELinux is preventing the npviewer.bin from using potentially mislabeled files
> (/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer).
>
> - snip -
>
> Has someone else encountered these before and what should I do about them?
>
> Thanks,
>
> Antonio

From olivares14031 at yahoo.com Sat Nov 15 02:02:33 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Fri, 14 Nov 2008 18:02:33 -0800 (PST)
Subject: SELinux is preventing gdm-binary (xdm_t) "unlink" to ... and npviewer
In-Reply-To: <491D8667.7080804@redhat.com>
Message-ID: <112240.29279.qm@web52612.mail.re2.yahoo.com>

--- On Fri, 11/14/08, Daniel J Walsh wrote:

> From: Daniel J Walsh
> Subject: Re: SELinux is preventing gdm-binary (xdm_t) "unlink" to ... and npviewer
> To: olivares14031 at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Friday, November 14, 2008, 6:08 AM
>
> Antonio Olivares wrote:
> > Dear selinux experts,
> >
> > running fedora 10 preview updated to latest packages
> >
> > - snip -
> >
> > Summary:
> >
> > SELinux is preventing gdm-binary (xdm_t) "unlink" to
> > ./force-display-on-active-vt (var_spool_t).
> >
> > - snip -
> >
> > Raw Audit Messages
> >
> > node=riohigh2 type=AVC msg=audit(1226614881.881:36): avc: denied { unlink } for pid=2090 comm="gdm-binary" name="force-display-on-active-vt" dev=sda6 ino=190494 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
> >
> > node=riohigh2 type=SYSCALL msg=audit(1226614881.881:36): arch=40000003 syscall=10 success=no exit=-13 a0=8063b84 a1=0 a2=4f86dc a3=9940400 items=0 ppid=1 pid=2090 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-binary"
exe="/usr/sbin/gdm-binary" > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) > > > > > The question here is which process created this file? > force-display-on-active-vt > > > > > > > Summary: > > > > SELinux is preventing the npviewer.bin from using > potentially mislabeled files > > > (/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer). > > > > Detailed Description: > > > > SELinux has denied npviewer.bin access to potentially > mislabeled file(s) > > > (/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer). > This means that > > SELinux will not allow npviewer.bin to use these > files. It is common for users > > to edit files in their home directory or tmp > directories and then move (mv) them > > to system directories. The problem is that the files > end up with the wrong file > > context which confined applications are not allowed to > access. > > > > Allowing Access: > > > > If you want npviewer.bin to access these files, you > need to relabel them using > > restorecon -v > '/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer'. > > You might want to relabel the entire directory using > restorecon -R -v ''. 
> > > > Additional Information: > > > > Source Context > unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 > > 3 > > Target Context > unconfined_u:object_r:user_home_t:s0 > > Target Objects > /home/olivares/.icedteaplugin/icedtea-plugin-to- > > appletviewer [ fifo_file > ] > > Source npviewer.bin > > Source Path > /usr/lib/nspluginwrapper/npviewer.bin > > Port > > Host riohigh2 > > Source RPM Packages > nspluginwrapper-1.1.2-4.fc10 > > Target RPM Packages > > Policy RPM > selinux-policy-3.5.13-18.fc10 > > Selinux Enabled True > > Policy Type targeted > > MLS Enabled True > > Enforcing Mode Enforcing > > Plugin Name home_tmp_bad_labels > > Host Name riohigh2 > > Platform Linux riohigh2 > 2.6.27.5-101.fc10.i686 #1 SMP Wed > > Nov 12 00:50:43 EST 2008 > i686 athlon > > Alert Count 4 > > First Seen Thu 13 Nov 2008 06:31:50 > PM CST > > Last Seen Thu 13 Nov 2008 06:31:55 > PM CST > > Local ID > 81d406be-b7e4-4bf4-a8c7-f12b7c36ee27 > > Line Numbers > > > > Raw Audit Messages > > > > node=riohigh2 type=AVC msg=audit(1226622715.909:38): > avc: denied { write } for pid=4732 > comm="npviewer.bin" > path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" > dev=sda6 ino=263881 > scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:user_home_t:s0 > tclass=fifo_file > > > > node=riohigh2 type=AVC msg=audit(1226622715.909:38): > avc: denied { read } for pid=4732 > comm="npviewer.bin" > path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" > dev=sda6 ino=263847 > scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:user_home_t:s0 > tclass=fifo_file > > > > node=riohigh2 type=SYSCALL > msg=audit(1226622715.909:38): arch=40000003 syscall=11 > success=yes exit=0 a0=9e70d28 a1=9e71d40 a2=9e72210 a3=0 > items=0 ppid=3572 pid=4732 auid=500 uid=500 gid=500 euid=500 > suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) > ses=1 comm="npviewer.bin" > 
exe="/usr/lib/nspluginwrapper/npviewer.bin" > subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 > key=(null) > > > > > > > > Has someone else encountered these before and what > should I do about them? > > > > Thanks, > > > > Antonio > > > > > > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > If you change the context of this directory to > > chcon -R -t nsplugin_home_t ~/.icedteaplugin > > You should eliminate this avc. I will change the layout in > selinux-policy-3.5.13-21.fc10 > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Fedora - > http://enigmail.mozdev.org > > iEYEARECAAYFAkkdhmcACgkQrlYvE4MpobMjuwCZAZh4YDlxJW30wanjBHUZ15CF > EL0AoNjcjHePhXKzyHjPSc4Ed/WaYnXE > =m4dV > -----END PGP SIGNATURE----- I tried the chcon command and this is what happened Nov 14 20:00:05 localhost kernel: type=1400 audit(1226714405.352:155): avc: denied { write } for pid=5155 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:05 localhost kernel: type=1400 audit(1226714405.352:156): avc: denied { read } for pid=5155 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:05 localhost kernel: type=1400 audit(1226714405.388:157): avc: denied { write } for pid=5159 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:05 localhost kernel: type=1400 
audit(1226714405.388:158): avc: denied { read } for pid=5159 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:15 localhost kernel: type=1400 audit(1226714415.618:159): avc: denied { write } for pid=5166 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:15 localhost kernel: type=1400 audit(1226714415.618:160): avc: denied { read } for pid=5166 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:15 localhost kernel: type=1400 audit(1226714415.654:161): avc: denied { write } for pid=5169 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:15 localhost kernel: type=1400 audit(1226714415.654:162): avc: denied { read } for pid=5169 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:22 localhost kernel: type=1400 audit(1226714422.242:163): avc: denied { write } for pid=5176 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 
20:00:22 localhost kernel: type=1400 audit(1226714422.242:164): avc: denied { read } for pid=5176 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:22 localhost kernel: type=1400 audit(1226714422.279:165): avc: denied { write } for pid=5179 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file Nov 14 20:00:22 localhost kernel: type=1400 audit(1226714422.279:166): avc: denied { read } for pid=5179 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file ^C [root at localhost ~]# chcon -R -t nsplugin_home_t ~/.icedteaplugin chcon: cannot access `/root/.icedteaplugin': No such file or directory Thanks, Antonio From olivares14031 at yahoo.com Sat Nov 15 02:10:16 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Fri, 14 Nov 2008 18:10:16 -0800 (PST) Subject: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" Message-ID: <262297.69156.qm@web52601.mail.re2.yahoo.com> Dear fellow selinux experts, I am trying to make one of my machines a dhcp server to connect other machines to the internet, see thread in Fedora list if applicable, I have achieved a breakthrough, but selinux denies it :( [root at localhost ~]# dhcpd -f Internet Systems Consortium DHCP Server 4.0.0 Copyright 2004-2007 Internet Systems Consortium. All rights reserved. 
For info, please visit http://www.isc.org/sw/dhcp/ Warning: subnet 10.154.19.0/27 overlaps subnet 10.154.19.0/24 Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file Wrote 0 leases to leases file. Listening on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24 Sending on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24 Sending on Socket/fallback/fallback-net ^C [root at localhost ~]# service dhcpd stop [root at localhost ~]# service dhcpd start Starting dhcpd: [ OK ] but now selinux gets in the way :( Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:183): avc: denied { read } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file Nov 14 20:03:40 localhost dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission denied. How can I allow it to work? Setroubleshoot has not kicked in to warn me so I do not know a fix as of this moment :( Regards, Antonio From frankly3d at gmail.com Sat Nov 15 08:49:21 2008 From: frankly3d at gmail.com (Frank Murphy) Date: Sat, 15 Nov 2008 08:49:21 +0000 Subject: SELinux is preventing perl (logwatch_t) "execute_no_trans" to /sbin/ifconfig, (ifconfig_exec_t). Message-ID: <491E8D11.3000707@gmail.com> SELinux is preventing perl (logwatch_t) "execute_no_trans" to /sbin/ifconfig (ifconfig_exec_t). Detailed Description: SELinux denied access requested by perl. It is not expected that this access is required by perl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 
Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /sbin/ifconfig, restorecon -v '/sbin/ifconfig' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:ifconfig_exec_t:s0 Target Objects /sbin/ifconfig [ file ] Source perl Source Path /usr/bin/perl Port Host frank-01 Source RPM Packages perl-5.10.0-49.fc10 Target RPM Packages net-tools-1.60-91.fc10 Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.5-101.fc10.i686 #1 SMP Wed Nov 12 00:50:43 EST 2008 i686 i686 Alert Count 3 First Seen Thu 13 Nov 2008 09:29:27 GMT Last Seen Sat 15 Nov 2008 08:19:22 GMT Local ID a75e0d31-b307-4710-8ad1-2185f020504d Line Numbers Raw Audit Messages node=frank-01 type=AVC msg=audit(1226737162.411:32): avc: denied { execute_no_trans } for pid=4097 comm="perl" path="/sbin/ifconfig" dev=dm-0 ino=4322 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file node=frank-01 type=SYSCALL msg=audit(1226737162.411:32): arch=40000003 syscall=11 success=no exit=-13 a0=9e01ebc a1=9eaa2a4 a2=bfb79fc0 a3=bfb79958 items=0 ppid=4096 pid=4097 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0 key=(null) From paul at city-fan.org Sat Nov 15 08:51:28 2008 From: paul 
at city-fan.org (Paul Howarth) Date: Sat, 15 Nov 2008 08:51:28 +0000 Subject: SELinux is preventing gdm-binary (xdm_t) "unlink" to ... and npviewer In-Reply-To: <112240.29279.qm@web52612.mail.re2.yahoo.com> References: <491D8667.7080804@redhat.com> <112240.29279.qm@web52612.mail.re2.yahoo.com> Message-ID: <20081115085128.7309cf2a@metropolis.intra.city-fan.org> On Fri, 14 Nov 2008 18:02:33 -0800 (PST) Antonio Olivares wrote: > --- On Fri, 11/14/08, Daniel J Walsh wrote: > > If you change the context of this directory to > > > > chcon -R -t nsplugin_home_t ~/.icedteaplugin > > > > You should eliminate this avc. I will change the layout in > > selinux-policy-3.5.13-21.fc10 > > I tried the chcon command and this is what happened > > [...] > [root at localhost ~]# chcon -R -t nsplugin_home_t ~/.icedteaplugin > chcon: cannot access `/root/.icedteaplugin': No such file or > directory The SELinux denials are for the "olivares" user, not "root". So you need to run the chcon command as user olivares. Paul. 
From paul at city-fan.org Sat Nov 15 08:54:56 2008 From: paul at city-fan.org (Paul Howarth) Date: Sat, 15 Nov 2008 08:54:56 +0000 Subject: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" In-Reply-To: <262297.69156.qm@web52601.mail.re2.yahoo.com> References: <262297.69156.qm@web52601.mail.re2.yahoo.com> Message-ID: <20081115085456.73266454@metropolis.intra.city-fan.org> On Fri, 14 Nov 2008 18:10:16 -0800 (PST) Antonio Olivares wrote: > Dear fellow selinux experts, > > I am trying to make one of my machines a dhcp server to connect other > machines to the internet, see thread in Fedora list if applicable, I > have achieved a breakthrough, but selinux denies it :( > > [root at localhost ~]# dhcpd -f > Internet Systems Consortium DHCP Server 4.0.0 > Copyright 2004-2007 Internet Systems Consortium. > All rights reserved. > For info, please visit http://www.isc.org/sw/dhcp/ > Warning: subnet 10.154.19.0/27 overlaps subnet 10.154.19.0/24 > Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were > not specified in the config file Wrote 0 leases to leases file. 
> Listening on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24 > Sending on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24 > Sending on Socket/fallback/fallback-net > ^C > [root at localhost ~]# service dhcpd stop > [root at localhost ~]# service dhcpd start > Starting dhcpd: [ OK ] > > > but now selinux gets in the way :( > > Nov 14 20:03:40 localhost kernel: type=1400 > audit(1226714620.135:183): avc: denied { read } for pid=5267 > comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 > scontext=unconfined_u:system_r:dhcpd_t:s0 > tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file Nov 14 > 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc: > denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" > dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 > tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file Nov 14 > 20:03:40 localhost dhcpd: Can't create PID file /var/run/dhcpd.pid: > Permission denied. > > How can I allow it to work? > > Setroubleshoot has not kicked in to warn me so I do not know a fix as > of this moment :( /var/run/dhcpd.pid should be dhcpd_var_run_t, not var_run_t. Try: # restorecon -v /var/run /var/run/dhcpd.pid Paul. 
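The three threads above are the same triage done by hand: read the AVC, look at the type on the target, decide whether it is a labeling problem (npviewer's FIFOs in ~/.icedteaplugin carrying user_home_t, dhcpd.pid carrying var_run_t instead of dhcpd_var_run_t, gdm's spool file carrying var_spool_t) or a policy gap (logwatch's perl hitting execute_no_trans on /sbin/ifconfig, where no relabel helps), and then run the relabel as the right user, since "~" in a root shell expands to /root. The script below is an added example for this archive page, not code from any of the posters or from setroubleshoot. It parses raw AVC and SYSCALL records in both forms quoted in these mails (the syslog "type=1400 audit(...)" form and the "node=... type=AVC msg=audit(...)" form), joins them by audit event id so it can report which uid's files are involved, and classifies each denial. The sample records are constructed, trimmed copies of lines quoted on this page; the GENERIC_TYPES set, the verdict rules and the relabel_as_uid field are my own triage assumptions, not anything taken from the SELinux policy.

```python
"""Triage raw SELinux AVC denials of the kind quoted in these threads.

Added example for this list archive; not code from the posters or from
setroubleshoot. Joins each AVC record with the SYSCALL record of the same
audit event so the report can say whose files are involved, which decides
who has to run the relabel (the '~' in a root shell expands to /root).
"""
import re
from collections import defaultdict

AUDIT_ID = re.compile(r"audit\((\d+\.\d+:\d+)\)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")

# Assumption for triage, not policy data: generic types a file picks up from
# its parent directory when the policy expected a more specific one.
GENERIC_TYPES = {"user_home_t", "var_run_t", "var_spool_t", "var_t", "tmp_t"}


def parse_record(line):
    """Split one audit record into its key=value fields.

    Accepts the syslog form ('kernel: type=1400 audit(...): avc: ...') and
    the ausearch/setroubleshoot form ('node=host type=AVC msg=audit(...)').
    Returns None for anything that is not an audit record.
    """
    m = AUDIT_ID.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["event"] = m.group(1)              # e.g. '1226622715.909:38'
    p = PERMS.search(line)
    if p:                                  # '{ write }' -> ['write']
        rec["perms"] = p.group(1).split()
    return rec


def context_type(ctx):
    """'unconfined_u:object_r:user_home_t:s0' -> 'user_home_t'."""
    return ctx.split(":")[2]


def triage(avc, syscall):
    """Classify one denial; syscall may be None if no SYSCALL record was seen."""
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    perms = avc.get("perms", [])
    path = avc.get("path") or avc.get("name", "?")
    uid = syscall.get("uid") if syscall else None
    if "execute_no_trans" in perms:
        verdict = "policy"      # the domain lacks the rule; relabeling cannot fix it
    elif tgt in GENERIC_TYPES:
        verdict = "mislabel"    # restorecon the target (chcon if no context rule yet)
    else:
        verdict = "unknown"
    # A mislabeled file under /home must be relabeled by its owner, not root.
    relabel_as = None
    if verdict == "mislabel" and path.startswith("/home/") and uid not in (None, "0"):
        relabel_as = uid
    return {"event": avc["event"], "comm": avc.get("comm"), "source": src,
            "target_type": tgt, "tclass": avc.get("tclass"), "perms": perms,
            "path": path, "verdict": verdict, "relabel_as_uid": relabel_as}


def report(text):
    """Group records by audit event, pair AVCs with their SYSCALL, triage each."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        kind = rec.get("type")
        if kind in ("AVC", "1400"):
            events[rec["event"]]["avc"].append(rec)
        elif kind in ("SYSCALL", "1300"):
            events[rec["event"]]["syscall"] = rec
    out = []
    for ev in sorted(events, key=lambda e: float(e.split(":")[0])):
        for avc in events[ev]["avc"]:
            out.append(triage(avc, events[ev]["syscall"]))
    return out


# Constructed sample: trimmed copies of records quoted in these threads.
SAMPLE = """\
node=riohigh2 type=AVC msg=audit(1226622715.909:38): avc: denied { write } for pid=4732 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=sda6 ino=263881 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file
node=riohigh2 type=SYSCALL msg=audit(1226622715.909:38): arch=40000003 syscall=11 success=yes exit=0 ppid=3572 pid=4732 auid=500 uid=500 gid=500 euid=500 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
node=riohigh2 type=AVC msg=audit(1226614881.881:36): avc: denied { unlink } for pid=2090 comm="gdm-binary" name="force-display-on-active-vt" dev=sda6 ino=190494 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
node=frank-01 type=AVC msg=audit(1226737162.411:32): avc: denied { execute_no_trans } for pid=4097 comm="perl" path="/sbin/ifconfig" dev=dm-0 ino=4322 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
"""

if __name__ == "__main__":
    for r in report(SAMPLE):
        who = " (relabel as uid %s)" % r["relabel_as_uid"] if r["relabel_as_uid"] else ""
        print("%-9s %s -> %s %s %s %s%s" % (r["verdict"], r["source"], r["target_type"],
                                              r["tclass"], r["perms"], r["path"], who))
```

Feed it `ausearch -m AVC,SYSCALL` output or the kernel lines from /var/log/messages; the verdict only says which kind of fix to try, and the real check is still `restorecon -n -v` on the target, which shows whether the policy has a file context rule for that path at all (as it does for /var/run/dhcpd.pid, and did not yet for ~/.icedteaplugin when Dan said the layout would change in a later policy build).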
From olivares14031 at yahoo.com Sat Nov 15 14:44:06 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sat, 15 Nov 2008 06:44:06 -0800 (PST)
Subject: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid"
In-Reply-To: <20081115085456.73266454@metropolis.intra.city-fan.org>
Message-ID: <295423.31937.qm@web52608.mail.re2.yahoo.com>

--- On Sat, 11/15/08, Paul Howarth wrote:

> From: Paul Howarth
> Subject: Re: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid"
> To: olivares14031 at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Saturday, November 15, 2008, 12:54 AM
> On Fri, 14 Nov 2008 18:10:16 -0800 (PST)
> Antonio Olivares wrote:
>
> > Dear fellow selinux experts,
> >
> > I am trying to make one of my machines a dhcp server to connect other
> > machines to the internet, see thread in Fedora list if applicable, I
> > have achieved a breakthrough, but selinux denies it :(
> >
> > [root at localhost ~]# dhcpd -f
> > Internet Systems Consortium DHCP Server 4.0.0
> > Copyright 2004-2007 Internet Systems Consortium.
> > All rights reserved.
> > For info, please visit http://www.isc.org/sw/dhcp/
> > Warning: subnet 10.154.19.0/27 overlaps subnet 10.154.19.0/24
> > Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were
> > not specified in the config file
> > Wrote 0 leases to leases file.
> > Listening on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
> > Sending on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
> > Sending on Socket/fallback/fallback-net
> > ^C
> > [root at localhost ~]# service dhcpd stop
> > [root at localhost ~]# service dhcpd start
> > Starting dhcpd: [ OK ]
> >
> > but now selinux gets in the way :(
> >
> > Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:183): avc: denied { read } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> > Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> > Nov 14 20:03:40 localhost dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission denied.
> >
> > How can I allow it to work?
> >
> > Setroubleshoot has not kicked in to warn me so I do not know a fix as
> > of this moment :(
>
> /var/run/dhcpd.pid should be dhcpd_var_run_t, not var_run_t.
>
> Try:
> # restorecon -v /var/run /var/run/dhcpd.pid
>
> Paul.

Thanks, I will try that later today.

Regards,

Antonio

From bruno at wolff.to Sun Nov 16 07:57:31 2008
From: bruno at wolff.to (Bruno Wolff III)
Date: Sun, 16 Nov 2008 01:57:31 -0600
Subject: Which permission to execute a script?
Message-ID: <20081116075731.GA2129@wolff.to>

I was making a modified version of the guest policy that needed to be able
to edit and run some perl scripts that also are visible to the web server.
I used the manage_files macro and allowed execute, but I can't run the
script directly. But I can run it via perl.
For example:

[tomarndt at wolff area]$ ./newcheck.pl
-bash: ./newcheck.pl: /usr/bin/perl: bad interpreter: Permission denied
[tomarndt at wolff area]$ perl ./newcheck.pl

Ownership counts:

Ownership of games with owners owning less than 10 new games.

newcheck.pl starts with:
#!/usr/bin/perl

This is the modified policy for tom_t:

policy_module(tom,1.0.0)

########################################
#
# Declarations
#

userdom_restricted_user_template(tom)

require {
	type httpd_sys_content_t;
	type httpd_sys_script_exec_t;
	type postgresql_tmp_t;
	type postgresql_t;
}

########################################
#
# tom local policy
#

optional_policy(`
	qmail_per_role_template(tom,tom_t,tom_r)
')

manage_dirs_pattern(tom_t, httpd_sys_content_t, httpd_sys_content_t)
manage_files_pattern(tom_t, httpd_sys_content_t, httpd_sys_content_t)
manage_files_pattern(tom_t, httpd_sys_script_exec_t, httpd_sys_script_exec_t)

allow tom_t postgresql_tmp_t:sock_file write;
allow tom_t postgresql_t:unix_stream_socket connectto;
allow tom_t httpd_sys_script_exec_t:file execute;

From olivares14031 at yahoo.com Sun Nov 16 17:47:47 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sun, 16 Nov 2008 09:47:47 -0800 (PST)
Subject: type=1400 audit(1226855594.878:4): avc: denied { write } for pid=1429 comm="ip6tables-resto"
Message-ID: <382230.56832.qm@web52605.mail.re2.yahoo.com>

In trying to configure the server, iptables returns a selinux denial

ip6_tables: (C) 2000-2006 Netfilter Core Team
type=1400 audit(1226855594.878:4): avc: denied { write } for pid=1429 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

setroubleshooter has not kicked in, and it is configured to run:

[root at localhost ~]# chkconfig setroubleshoot --list
setroubleshoot 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root at localhost ~]#

Thanks,

Antonio

From tmz at pobox.com Sun Nov 16 20:11:27 2008
From: tmz at pobox.com (Todd Zullinger)
Date: Sun, 16 Nov 2008 15:11:27 -0500
Subject: Mailman AVCs
Message-ID: <20081116201127.GI20204@inocybe.teonanacatl.org>

In response to a thread on the mailman-users list regarding problems
creating a new list via mailman's web interface¹, I did some testing on
CentOS 5 and Fedora 9. There are a small number of SELinux denials when
using mailman with postfix that would be nice to get fixed up.

For background, mailman has some nice integration with postfix which
allows list aliases to be setup automatically (as opposed to having an
admin manually add new list aliases to /etc/aliases or what have you).
This is documented in the mailman install manual².

When setting up mailman to work with postfix, the following denials are
seen on Fedora 9 (they are slightly different on CentOS 5,
unsurprisingly):

type=AVC msg=audit(1226861409.980:83): avc: denied { search } for pid=24239 comm="postalias" name="postfix" dev=sda2 ino=213317 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
type=AVC msg=audit(1226861409.980:83): avc: denied { read } for pid=24239 comm="postalias" name="main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1226861409.990:84): avc: denied { getattr } for pid=24239 comm="postalias" path="/etc/postfix/main.cf" dev=sda2 ino=216184 scontext=unconfined_u:system_r:mailman_cgi_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1226861755.237:93): avc: denied { read write } for pid=24597 comm="mailman" path="socket:[1115689]" dev=sockfs ino=1115689 scontext=system_u:system_r:mailman_mail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=udp_socket

Using audit2allow, I ended up with the following policy:

module mailmanpostfix 1.0;

require {
	type mailman_cgi_t;
	type mailman_mail_t;
	type postfix_etc_t;
	type postfix_local_t;
	class dir search;
	class file { read getattr };
	class udp_socket { read write };
}

#============= mailman_cgi_t ==============
allow mailman_cgi_t postfix_etc_t:dir search;
allow mailman_cgi_t postfix_etc_t:file { read getattr };

#============= mailman_mail_t ==============
allow mailman_mail_t postfix_local_t:udp_socket { read write };

I'd love to help get this integrated into the official SELinux policy
packages for Fedora (and CentOS/RHEL if possible). I am not certain if
the above policy can be tightened up or not. Any help there would be
very much appreciated.

¹ http://www.mail-archive.com/mailman-users%40python.org/msg51591.html
  (The policy from the denials on CentOS 5 is in this thread.)
² http://www.gnu.org/software/mailman/mailman-install/node12.html and
  http://www.gnu.org/software/mailman/mailman-install/node13.html

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Happiness is like peeing on yourself. Everyone can see it, but only you
can feel its warmth

From ivazqueznet at gmail.com Mon Nov 17 01:21:50 2008
From: ivazqueznet at gmail.com (Ignacio Vazquez-Abrams)
Date: Sun, 16 Nov 2008 20:21:50 -0500
Subject: Which permission to execute a script?
In-Reply-To: <20081116075731.GA2129@wolff.to>
References: <20081116075731.GA2129@wolff.to>
Message-ID: <1226884910.736.6.camel@ignacio.lan>

On Sun, 2008-11-16 at 01:57 -0600, Bruno Wolff III wrote:
> I was making a modified version of the guest policy that needed to be able
> to edit and run some perl scripts that also are visible to the web server.
> I used the manage_files macro and allowed execute, but I can't run the
> script directly. But I can run it via perl.
>
> For example:
>
> [tomarndt at wolff area]$ ./newcheck.pl
> -bash: ./newcheck.pl: /usr/bin/perl: bad interpreter: Permission denied
> [tomarndt at wolff area]$ perl ./newcheck.pl

Sounds like an EOL issue. Try running dos2unix on it.

-- 
Ignacio Vazquez-Abrams
PLEASE don't CC me; I'm already subscribed

From bruno at wolff.to Mon Nov 17 03:39:28 2008
From: bruno at wolff.to (Bruno Wolff III)
Date: Sun, 16 Nov 2008 21:39:28 -0600
Subject: Which permission to execute a script?
In-Reply-To: <20081116075731.GA2129@wolff.to>
References: <20081116075731.GA2129@wolff.to>
Message-ID: <20081117033928.GA2804@wolff.to>

On Sun, Nov 16, 2008 at 01:57:31 -0600,
  Bruno Wolff III wrote:
> I was making a modified version of the guest policy that needed to be able
> to edit and run some perl scripts that also are visible to the web server.
> I used the manage_files macro and allowed execute, but I can't run the
> script directly. But I can run it via perl.

Being told how to turn auditing back on for guest roles would also be
helpful as then I could find the missing permission from the logs.

From dwalsh at redhat.com Mon Nov 17 14:33:50 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Nov 2008 09:33:50 -0500
Subject: Which permission to execute a script?
In-Reply-To: <20081116075731.GA2129@wolff.to>
References: <20081116075731.GA2129@wolff.to>
Message-ID: <492180CE.7080600@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bruno Wolff III wrote:
> I was making a modified version of the guest policy that needed to be able
> to edit and run some perl scripts that also are visible to the web server.
> I used the manage_files macro and allowed execute, but I can't run the
> script directly. But I can run it via perl.
> > For example: > > [tomarndt at wolff area]$ ./newcheck.pl > -bash: ./newcheck.pl: /usr/bin/perl: bad interpreter: Permission denied > [tomarndt at wolff area]$ perl ./newcheck.pl > > Ownership counts: > > Ownership of games with owners owning less than 10 new games. > > newcheck.pl starts with: > #!/usr/bin/perl > > This is the modified policy for tom_t: > > policy_module(tom,1.0.0) > > ######################################## > # > # Declarations > # > > userdom_restricted_user_template(tom) > > require { > type httpd_sys_content_t; > type httpd_sys_script_exec_t; > type postgresql_tmp_t; > type postgresql_t; > } > > ######################################## > # > # tom local policy > # > > > optional_policy(` > qmail_per_role_template(tom,tom_t,tom_r) > ') > > manage_dirs_pattern(tom_t, httpd_sys_content_t, httpd_sys_content_t) > manage_files_pattern(tom_t, httpd_sys_content_t, httpd_sys_content_t) > manage_files_pattern(tom_t, httpd_sys_script_exec_t, httpd_sys_script_exec_t) > > allow tom_t postgresql_tmp_t:sock_file write; > allow tom_t postgresql_t:unix_stream_socket connectto; > allow tom_t httpd_sys_script_exec_t:file execute; > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list getsebool -a | grep xgues allow_xguest_exec_content --> off xguest is not allowed by default to execute anything in its home dir. Turning on this boolean should allow it. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkhgM4ACgkQrlYvE4MpobMUlwCgos9O2+96RoMXEpMRRTvAXFeG
pyIAn2QtlkvXDObfqzKjOBtdbOGFcmkR
=N7MO
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Mon Nov 17 14:36:20 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Nov 2008 09:36:20 -0500
Subject: type=1400 audit(1226855594.878:4): avc: denied { write } for pid=1429 comm="ip6tables-resto"
In-Reply-To: <382230.56832.qm@web52605.mail.re2.yahoo.com>
References: <382230.56832.qm@web52605.mail.re2.yahoo.com>
Message-ID: <49218164.107@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> In trying to configure the server, iptables returns a selinux denial
>
> ip6_tables: (C) 2000-2006 Netfilter Core Team
> type=1400 audit(1226855594.878:4): avc: denied { write } for pid=1429 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>
> setroubleshooter has not kicked in, and it is configured to run:
>
> [root at localhost ~]# chkconfig setroubleshoot --list
> setroubleshoot 0:off 1:off 2:off 3:on 4:on 5:on 6:off
> [root at localhost ~]#
>
>
> Thanks,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

# /sbin/service setroubleshoot status
# ps -eZ | grep seal

> type=1400 audit(1226855594.878:4): avc: denied { write } for pid=1429 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

Probably needs a custom policy to allow it. Not sure if this is really
necessary or if this could be dontaudited.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkhgWQACgkQrlYvE4MpobM1DQCfQbUKCnHJOYrbBQhwQM0/lA1V
VuMAniR/ZfTGxKUCVqk8KCCdpMfYspFv
=pPUo
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Mon Nov 17 14:45:21 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Nov 2008 09:45:21 -0500
Subject: Handling labeling on filesystems that don't support SELinux
In-Reply-To: <1225998785.3313.5.camel@sewt>
References: <1225998785.3313.5.camel@sewt>
Message-ID: <49218381.4050509@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sean E. Millichamp wrote:
> I have been working on SELinux support for Puppet. One issue that has
> cropped up is the behavior on filesystems which don't support SELinux.
>
> They all appear to get a default label, some seem to allow changing the
> label (VFAT) in a non-persistent manner, some seem to throw "not
> supported" errors (NFS).
>
> How can I detect if a file is on a filesystem which supports SELinux
> without trying to update the label?
>
> The best idea so far has been to parse /proc/mounts and use that to
> determine what type of filesystem a file lives on, then check it against
> a whitelist (which would include ext3, xfs, ...) but it seems like there
> has to be a cleaner/simpler way.
>
> What I would like would be a "getfilecon" call that returns the real
> label, ignoring any mount-time defaults.
>
> Any ideas?
>
> Thanks,
> Sean
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I have been waiting for someone else to respond to this. I think this
would be better sent to the nsa selinux list for better discussion.

The problem with your parsing of the /proc/mounts is that it would not
give you an accurate idea of what supports and what does not support
SELinux labeling. Also this can change over time.

If I mount an ext3 file system with a context mount, then it will no
longer allow you to set the file context. I think the best idea is just
attempt to assign the context and if it fails, ignore the error. I
guess you can report it, if in verbose mode as a warning.

Others may have different ideas.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkhg4EACgkQrlYvE4MpobMPMgCgm+G/Pyrll2CKHUynWftA7Shq
phMAnAwTXQQ+mQH33EjP20o9iM7gaVvE
=eDjj
-----END PGP SIGNATURE-----

From bruno at wolff.to Mon Nov 17 15:16:07 2008
From: bruno at wolff.to (Bruno Wolff III)
Date: Mon, 17 Nov 2008 09:16:07 -0600
Subject: Which permission to execute a script?
In-Reply-To: <492180CE.7080600@redhat.com>
References: <20081116075731.GA2129@wolff.to> <492180CE.7080600@redhat.com>
Message-ID: <20081117151607.GC5217@wolff.to>

On Mon, Nov 17, 2008 at 09:33:50 -0500,
  Daniel J Walsh wrote:
>
> Bruno Wolff III wrote:
> > I was making a modified version of the guest policy that needed to be able
> > to edit and run some perl scripts that also are visible to the web server.
> > I used the manage_files macro and allowed execute, but I can't run the
> > script directly. But I can run it via perl.
> >
> > For example:
> >
> > [tomarndt at wolff area]$ ./newcheck.pl
> > -bash: ./newcheck.pl: /usr/bin/perl: bad interpreter: Permission denied
>
> getsebool -a | grep xgues
> allow_xguest_exec_content --> off
>
> xguest is not allowed by default to execute anything in its home dir.
> Turning on this boolean should allow it.

I tried this and it didn't work. I think there is something else going on
though, as I got a different error before I added:
allow tom_t httpd_sys_script_exec_t:file execute;

I think that running a shell script needs something else, but I don't
know what.
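Dan Walsh's reply to Sean above (attempt the relabel, ignore a failure, warn only in verbose mode) can be implemented in a few lines, and Stephen Smalley's reply further down the thread refines it by singling out EOPNOTSUPP, the error a filesystem without xattr storage returns. The following is an added example, not Puppet's code or anything posted in the thread. It assumes Linux and Python's os.setxattr/os.getxattr; the function and outcome names are its own. It carries Smalley's caveat too: a filesystem labeled through genfscon rules (his vfat example) can accept the in-core change without storing it, so a successful set is not proof of persistent labels.

```python
"""Probe whether a filesystem stores SELinux labels by trying to set one.

Added example, not Puppet's code or anything posted in this thread.
Implements Dan Walsh's suggestion (try the relabel, ignore failure, warn
only when verbose) with Stephen Smalley's refinement (treat EOPNOTSUPP as
"cannot store labels"). Assumes Linux and Python's os.setxattr/os.getxattr;
function and outcome names are this example's own.
"""
import errno
import os

# Both spellings exist; on Linux they share one value.
UNSUPPORTED_ERRNOS = (errno.EOPNOTSUPP, getattr(errno, "ENOTSUP", errno.EOPNOTSUPP))
XATTR = "security.selinux"


def classify_errno(err):
    """Map the errno of a failed setxattr to an outcome name."""
    if err in UNSUPPORTED_ERRNOS:
        return "unsupported"   # filesystem offers no security.* xattr storage
    if err in (errno.EACCES, errno.EPERM):
        return "denied"        # DAC or SELinux policy refused; storage may still exist
    if err == errno.ENOENT:
        return "missing"
    return "error"


def probe_label_storage(path, context):
    """Try to store context (bytes, e.g. b"system_u:object_r:tmp_t:s0") on path.

    Returns "stored", "unsupported", "denied", "missing" or "error". Caveat
    from the thread: a genfscon-labeled filesystem such as vfat may accept the
    change in core without storing it, so "stored" is not proof of persistence.
    """
    try:
        os.setxattr(path, XATTR, context, follow_symlinks=False)
    except OSError as e:
        return classify_errno(e.errno)
    return "stored"


def current_label(path):
    """What the kernel reports for path. SELinux assigns some context to every
    file, so this alone cannot distinguish a stored label from a default."""
    try:
        raw = os.getxattr(path, XATTR, follow_symlinks=False)
    except OSError:
        return None
    return raw.rstrip(b"\0").decode()


def apply_label(path, context, warnings, verbose=False):
    """Configuration-management style wrapper: set the label, stay silent when
    the filesystem cannot store one, and record a warning for any other
    failure, but only in verbose mode, as Dan suggested."""
    outcome = probe_label_storage(path, context)
    if outcome not in ("stored", "unsupported") and verbose:
        warnings.append(f"{path}: could not set {XATTR} ({outcome})")
    return outcome


if __name__ == "__main__":
    import sys
    import tempfile
    # Probe a path given on the command line, or a fresh temp file.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkstemp()[1]
    print(target, "reports", current_label(target))
    print(target, "->", probe_label_storage(target, b"system_u:object_r:tmp_t:s0"))
```

On a box without SELinux, or on NFS, the probe returns "unsupported" and apply_label stays quiet; a nonexistent or protected path produces "missing" or "denied", which is the case where a verbose run should say something.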
From dwalsh at redhat.com Mon Nov 17 15:18:30 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 17 Nov 2008 10:18:30 -0500 Subject: SELinux is preventing gdm-binary (xdm_t) "unlink" to ... and npviewer In-Reply-To: <112240.29279.qm@web52612.mail.re2.yahoo.com> References: <112240.29279.qm@web52612.mail.re2.yahoo.com> Message-ID: <49218B46.3040308@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antonio Olivares wrote: > --- On Fri, 11/14/08, Daniel J Walsh wrote: > >> From: Daniel J Walsh >> Subject: Re: SELinux is preventing gdm-binary (xdm_t) "unlink" to ... and npviewer >> To: olivares14031 at yahoo.com >> Cc: fedora-selinux-list at redhat.com >> Date: Friday, November 14, 2008, 6:08 AM > Antonio Olivares wrote: >>>> Dear selinux experts, >>>> >>>> running fedora 10 preview updated to latest packages >>>> >>>> [olivares at riohigh2 ~]$ uname -r >>>> 2.6.27.5-101.fc10.i686 >>>> [olivares at riohigh2 ~]$ rpm -qa selinux* >>>> selinux-policy-3.5.13-18.fc10.noarch >>>> selinux-policy-targeted-3.5.13-18.fc10.noarch >>>> >>>> >>>> Summary: >>>> >>>> SELinux is preventing gdm-binary (xdm_t) > "unlink" to >>>> ./force-display-on-active-vt (var_spool_t). >>>> >>>> Detailed Description: >>>> >>>> SELinux is preventing gdm-binary (xdm_t) > "unlink" to >>>> ./force-display-on-active-vt (var_spool_t). The > SELinux type var_spool_t, is a >>>> generic type for all files in the directory and very > few processes (SELinux >>>> Domains) are allowed to write to this SELinux type. > This type of denial usual >>>> indicates a mislabeled file. By default a file created > in a directory has the >>>> gets the context of the parent directory, but SELinux > policy has rules about the >>>> creation of directories, that say if a process running > in one SELinux Domain >>>> (D1) creates a file in a directory with a particular > SELinux File Context (F1) >>>> the file gets a different File Context (F2). 
The > policy usually allows the >>>> SELinux Domain (D1) the ability to write, unlink, and > append on (F2). But if for >>>> some reason a file (./force-display-on-active-vt) was > created with the wrong >>>> context, this domain will be denied. The usual > solution to this problem is to >>>> reset the file context on the target file, restorecon > -v >>>> './force-display-on-active-vt'. If the file > context does not change from >>>> var_spool_t, then this is probably a bug in policy. > Please file a bug report >>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against the selinux-policy >>>> package. If it does change, you can try your > application again to see if it >>>> works. The file context could have been mislabeled by > editing the file or moving >>>> the file from a different directory, if the file keeps > getting mislabeled, check >>>> the init scripts to see if they are doing something to > mislabel the file. >>>> Allowing Access: >>>> >>>> You can attempt to fix file context by executing > restorecon -v >>>> './force-display-on-active-vt' >>>> >>>> Fix Command: >>>> >>>> restorecon './force-display-on-active-vt' >>>> >>>> Additional Information: >>>> >>>> Source Context > system_u:system_r:xdm_t:s0-s0:c0.c1023 >>>> Target Context > system_u:object_r:var_spool_t:s0 >>>> Target Objects > ./force-display-on-active-vt [ file ] >>>> Source gdm-binary >>>> Source Path /usr/sbin/gdm-binary >>>> Port >>>> Host riohigh2 >>>> Source RPM Packages gdm-2.24.0-12.fc10 >>>> Target RPM Packages >>>> Policy RPM > selinux-policy-3.5.13-18.fc10 >>>> Selinux Enabled True >>>> Policy Type targeted >>>> MLS Enabled True >>>> Enforcing Mode Enforcing >>>> Plugin Name mislabeled_file >>>> Host Name riohigh2 >>>> Platform Linux riohigh2 > 2.6.27.5-94.fc10.i686 #1 SMP Mon >>>> Nov 10 15:51:55 EST 2008 > i686 athlon >>>> Alert Count 17 >>>> First Seen Mon 03 Nov 2008 07:08:33 > AM CST >>>> Last Seen Thu 13 Nov 2008 04:21:21 > PM CST >>>> Local ID > 
a66adf6c-89d5-4d90-83ca-f34c94bb4d45
>>>> Line Numbers
>>>>
>>>> Raw Audit Messages
>>>>
>>>> node=riohigh2 type=AVC msg=audit(1226614881.881:36): avc: denied { unlink } for pid=2090 comm="gdm-binary" name="force-display-on-active-vt" dev=sda6 ino=190494 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
>>>> node=riohigh2 type=SYSCALL msg=audit(1226614881.881:36): arch=40000003 syscall=10 success=no exit=-13 a0=8063b84 a1=0 a2=4f86dc a3=9940400 items=0 ppid=1 pid=2090 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-binary" exe="/usr/sbin/gdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>>>>
> The question here is which process created this file?
> force-display-on-active-vt
>
>>>>
>>>> Summary:
>>>>
>>>> SELinux is preventing the npviewer.bin from using potentially mislabeled files (/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer).
>>>> Detailed Description:
>>>>
>>>> SELinux has denied npviewer.bin access to potentially mislabeled file(s) (/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer). This means that
>>>> SELinux will not allow npviewer.bin to use these files. It is common for users
>>>> to edit files in their home directory or tmp directories and then move (mv) them
>>>> to system directories. The problem is that the files end up with the wrong file
>>>> context which confined applications are not allowed to access.
>>>> Allowing Access:
>>>>
>>>> If you want npviewer.bin to access this files, you need to relabel them using
>>>> restorecon -v '/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer'.
>>>> You might want to relabel the entire directory using restorecon -R -v ''.
>>>> Additional Information: >>>> >>>> Source Context > unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 >>>> 3 >>>> Target Context > unconfined_u:object_r:user_home_t:s0 >>>> Target Objects > /home/olivares/.icedteaplugin/icedtea-plugin-to- >>>> appletviewer [ fifo_file > ] >>>> Source npviewer.bin >>>> Source Path > /usr/lib/nspluginwrapper/npviewer.bin >>>> Port >>>> Host riohigh2 >>>> Source RPM Packages > nspluginwrapper-1.1.2-4.fc10 >>>> Target RPM Packages >>>> Policy RPM > selinux-policy-3.5.13-18.fc10 >>>> Selinux Enabled True >>>> Policy Type targeted >>>> MLS Enabled True >>>> Enforcing Mode Enforcing >>>> Plugin Name home_tmp_bad_labels >>>> Host Name riohigh2 >>>> Platform Linux riohigh2 > 2.6.27.5-101.fc10.i686 #1 SMP Wed >>>> Nov 12 00:50:43 EST 2008 > i686 athlon >>>> Alert Count 4 >>>> First Seen Thu 13 Nov 2008 06:31:50 > PM CST >>>> Last Seen Thu 13 Nov 2008 06:31:55 > PM CST >>>> Local ID > 81d406be-b7e4-4bf4-a8c7-f12b7c36ee27 >>>> Line Numbers >>>> >>>> Raw Audit Messages >>>> >>>> node=riohigh2 type=AVC msg=audit(1226622715.909:38): > avc: denied { write } for pid=4732 > comm="npviewer.bin" > path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" > dev=sda6 ino=263881 > scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:user_home_t:s0 > tclass=fifo_file >>>> node=riohigh2 type=AVC msg=audit(1226622715.909:38): > avc: denied { read } for pid=4732 > comm="npviewer.bin" > path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" > dev=sda6 ino=263847 > scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:user_home_t:s0 > tclass=fifo_file >>>> node=riohigh2 type=SYSCALL > msg=audit(1226622715.909:38): arch=40000003 syscall=11 > success=yes exit=0 a0=9e70d28 a1=9e71d40 a2=9e72210 a3=0 > items=0 ppid=3572 pid=4732 auid=500 uid=500 gid=500 euid=500 > suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) > ses=1 comm="npviewer.bin" > 
exe="/usr/lib/nspluginwrapper/npviewer.bin" > subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 > key=(null) >>>> >>>> >>>> Has someone else encountered these before and what > should I do about them? >>>> Thanks, >>>> >>>> Antonio >>>> >>>> >>>> >>>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list at redhat.com >>>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > If you change the context of this directory to > > chcon -R -t nsplugin_home_t ~/.icedteaplugin > > You should eliminate this avc. I will change the layout in > selinux-policy-3.5.13-21.fc10 > I tried the chcon command and this is what happened > Nov 14 20:00:05 localhost kernel: type=1400 audit(1226714405.352:155): avc: denied { write } for pid=5155 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:05 localhost kernel: type=1400 audit(1226714405.352:156): avc: denied { read } for pid=5155 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:05 localhost kernel: type=1400 audit(1226714405.388:157): avc: denied { write } for pid=5159 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:05 localhost kernel: type=1400 audit(1226714405.388:158): avc: denied { read } for pid=5159 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:15 localhost kernel: type=1400 audit(1226714415.618:159): avc: denied { write } for pid=5166 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:15 localhost kernel: type=1400 audit(1226714415.618:160): avc: denied { read } for pid=5166 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:15 localhost kernel: type=1400 audit(1226714415.654:161): avc: denied { write } for pid=5169 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:15 localhost kernel: type=1400 audit(1226714415.654:162): avc: denied { read } for pid=5169 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:22 localhost kernel: type=1400 audit(1226714422.242:163): avc: denied { write } for pid=5176 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:22 localhost kernel: type=1400 audit(1226714422.242:164): avc: denied { read } for pid=5176 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 
scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:22 localhost kernel: type=1400 audit(1226714422.279:165): avc: denied { write } for pid=5179 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-plugin-to-appletviewer" dev=dm-0 ino=7734395 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > Nov 14 20:00:22 localhost kernel: type=1400 audit(1226714422.279:166): avc: denied { read } for pid=5179 comm="npviewer.bin" path="/home/olivares/.icedteaplugin/icedtea-appletviewer-to-plugin" dev=dm-0 ino=7734394 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=fifo_file > ^C > [root at localhost ~]# chcon -R -t nsplugin_home_t ~/.icedteaplugin > chcon: cannot access `/root/.icedteaplugin': No such file or directory > Thanks, > Antonio You need to do it on your homedir. chcon -R -t nsplugin_home_t /home/olivares/.icedteaplugin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkkhi0YACgkQrlYvE4MpobO/oACg5NGTHl+/8iFrKemEsgRt7Lzj rhAAn0Z/fS83Ae9J2XtyE9JBAC/vwsGo =H1lb -----END PGP SIGNATURE----- From dwalsh at redhat.com Mon Nov 17 15:21:29 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 17 Nov 2008 10:21:29 -0500 Subject: SELinux is preventing perl (logwatch_t) "execute_no_trans" to /sbin/ifconfig, (ifconfig_exec_t). In-Reply-To: <491E8D11.3000707@gmail.com> References: <491E8D11.3000707@gmail.com> Message-ID: <49218BF9.6010904@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Frank Murphy wrote: > SELinux is preventing perl (logwatch_t) "execute_no_trans" to /sbin/ifconfig > (ifconfig_exec_t). > > Detailed Description: > > SELinux denied access requested by perl. 
> It is not expected that this access is
> required by perl and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for /sbin/ifconfig,
>
> restorecon -v '/sbin/ifconfig'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:logwatch_t:s0
> Target Context                system_u:object_r:ifconfig_exec_t:s0
> Target Objects                /sbin/ifconfig [ file ]
> Source                        perl
> Source Path                   /usr/bin/perl
> Port                          
> Host                          frank-01
> Source RPM Packages           perl-5.10.0-49.fc10
> Target RPM Packages           net-tools-1.60-91.fc10
> Policy RPM                    selinux-policy-3.5.13-18.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     frank-01
> Platform                      Linux frank-01 2.6.27.5-101.fc10.i686 #1 SMP Wed
>                               Nov 12 00:50:43 EST 2008 i686 i686
> Alert Count                   3
> First Seen                    Thu 13 Nov 2008 09:29:27 GMT
> Last Seen                     Sat 15 Nov 2008 08:19:22 GMT
> Local ID                      a75e0d31-b307-4710-8ad1-2185f020504d
> Line Numbers                  
>
> Raw Audit Messages
>
> node=frank-01 type=AVC msg=audit(1226737162.411:32): avc: denied { execute_no_trans } for pid=4097 comm="perl" path="/sbin/ifconfig" dev=dm-0 ino=4322 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
>
> node=frank-01 type=SYSCALL msg=audit(1226737162.411:32): arch=40000003 syscall=11 success=no exit=-13 a0=9e01ebc a1=9eaa2a4 a2=bfb79fc0 a3=bfb79958 items=0 ppid=4096 pid=4097 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Do you know what script logwatch is trying to restart?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkhi/kACgkQrlYvE4MpobP+IACfVm0lKQURgySUk9aGlAooQsyG
diYAoKQ+lGDiWAo4F6KTGvZubEzrsZVt
=g5LE
-----END PGP SIGNATURE-----

From sds at tycho.nsa.gov Mon Nov 17 15:26:45 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 17 Nov 2008 10:26:45 -0500
Subject: Handling labeling on filesystems that don't support SELinux
In-Reply-To: <49218381.4050509@redhat.com>
References: <1225998785.3313.5.camel@sewt> <49218381.4050509@redhat.com>
Message-ID: <1226935605.25156.51.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2008-11-17 at 09:45 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sean E. Millichamp wrote:
> > I have been working on SELinux support for Puppet. One issue that has
> > cropped up is the behavior on filesystems which don't support SELinux.
> >
> > They all appear to get a default label, some seem to allow changing the
> > label (VFAT) in a non-persistent manner, some seem to throw "not
> > supported" errors (NFS).
> >
> > How can I detect if a file is on a filesystem which supports SELinux
> > without trying to update the label?
> >
> > The best idea so far has been to parse /proc/mounts and use that to
> > determine what type of filesystem a file lives on, then check it against
> > a whitelist (which would include ext3, xfs, ...) but it seems like there
> > has to be a cleaner/simpler way.
> >
> > What I would like would be a "getfilecon" call that returns the real
> > label, ignoring any mount-time defaults.
> >
> > Any ideas?
> >
> > Thanks,
> > Sean
> >
> >
> I have been waiting for someone else to respond to this. I think this
> would be better sent to the nsa selinux list for better discussion.
>
> The problem with your parsing of the /proc/mounts is that it would not
> give you an accurate idea of what supports and what does not support
> SELinux labeling. Also this can change over time.
>
> If I mount an ext3 file system with a context mount, then it will no
> longer allow you to set the file context. I think the best idea is just
> attempt to assign the context and if it fails, ignore the error. I
> guess you can report it, if in verbose mode as a warning.
>
> Others may have different ideas.

You'd want to distinguish EOPNOTSUPP from other errors in that case.
But note that this won't catch certain filesystems (like the vfat
example he gave), as changing the in-core context of a file labeled via
genfscon rules is supported presently. We could possibly change that to
also return EOPNOTSUPP.

The problem with using getfilecon() to probe for support is that SELinux
always assigns some security context to each file for access control
purposes, even if the underlying filesystem doesn't support storage. If
we had separate getfilecon() vs. getxattr() kernel interface à la
FreeBSD, applications could test for support for storage separately, but
that isn't the case and is unlikely to change.

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Mon Nov 17 15:34:58 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 17 Nov 2008 10:34:58 -0500
Subject: Which permission to execute a script?
In-Reply-To: <20081117151607.GC5217@wolff.to> References: <20081116075731.GA2129@wolff.to> <492180CE.7080600@redhat.com> <20081117151607.GC5217@wolff.to> Message-ID: <49218F22.70603@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bruno Wolff III wrote: > On Mon, Nov 17, 2008 at 09:33:50 -0500, > Daniel J Walsh wrote: >> Bruno Wolff III wrote: >>> I was making a modified version of the guest policy that needed to be able >>> to edit and run some perl scripts that also are visible to the web server. >>> I used the manage_files macro and allowed execute, but I can't run the >>> script directly. But I can run it via perl. >>> >>> For example: >>> >>> [tomarndt at wolff area]$ ./newcheck.pl >>> -bash: ./newcheck.pl: /usr/bin/perl: bad interpreter: Permission denied >> getsebool -a | grep xgues >> allow_xguest_exec_content --> off >> >> xguest is not allowed by default to execute anything in its home dir. >> Turning on this boolean should allow it. > > I tried this and it didn't work. I think there is something else going on > though, as I got a different error before I added: > allow tom_t httpd_sys_script_exec_t:file execute; > I think that running a shell script needs something else, but I don't know > what. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Yes you are right. I did not read your message fully. You are trying to execute an apache script, http_sys_script_exec_t, which is not allowed without the rule you added. If you change the label to http_user_script_exec_t it should be able to execute. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkkhjyEACgkQrlYvE4MpobNIlwCfZAVy2T//eSdXTmCpfqrIFTAx O9oAoIBT0+htYNSfQO1H33ruU/rQ0qqc =qOHN -----END PGP SIGNATURE----- From sean at bruenor.org Mon Nov 17 16:16:49 2008 From: sean at bruenor.org (Sean E. 
Millichamp) Date: Mon, 17 Nov 2008 11:16:49 -0500 Subject: Handling labeling on filesystems that don't support SELinux In-Reply-To: <1226935605.25156.51.camel@moss-spartans.epoch.ncsc.mil> References: <1225998785.3313.5.camel@sewt> <49218381.4050509@redhat.com> <1226935605.25156.51.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1226938609.3282.34.camel@sewt> On Mon, 2008-11-17 at 10:26 -0500, Stephen Smalley wrote: > On Mon, 2008-11-17 at 09:45 -0500, Daniel J Walsh wrote: > > I have been waiting for some one else to respond to this. I think this > > would be better sent to the nsa selinux list for better discussion. > > > > The problem with your parsing of the /proc/mounts is that it would not > > give you an accurate idea of what supports and what does not support > > SELinux labeling. Also this can change over time. > > > > If I mount an ext3 file system with a context mount, then it will no > > longer allow you to set the file context. I think the best idea is just > > attempt to assign the context and if it fails, ignore the error. I > > guess you can report it, if in verbose mode as a warning. > > > > Others may have different ideas. > > You'd want to distinguish EOPNOTSUPP from other errors in that case. > But note that this won't catch certain filesystems (like the vfat > example he gave), as changing the in-core context of a file labeled via > genfscon rules is supported presently. We could possibly change that to > also return EOPNOTSUPP. > > The problem with using getfilecon() to probe for support is that SELinux > always assigns some security context to each file for access control > purposes, even if the underlying filesystem doesn't support storage. If > we had separate getfilecon() vs. getxattr() kernel interface ala > FreeBSD, applications could test for support for storage separately, but > that isn't the case and is unlikely to change. Hmm... 
I believe that checking for an error at assignment time is not going to be a workable solution for Puppet. The problem is that Puppet prepares what it needs to do in a transaction before doing it. Take the situation where /usr/local is NFS mounted: # ls -Z /usr/local/bin/foo -rwxr-xr-x root root system_u:object_r:nfs_t:s0 /usr/local/bin/foo # matchpathcon /usr/local/bin/foo /usr/local/bin/foo system_u:object_r:bin_t:s0 Then you run puppet with a manifest that includes management of /usr/local/bin/foo. The first thing Puppet does is determine default values. For SELinux this means a call to matchpathcon. Then Puppet determines the current values with lgetfilecon. It notices that the default value for the type should be bin_t, but the current is nfs_t so it adds changing the type to its list of things to do. As it is building this list it reports on the things it intends to do. Once it determines all of the actions that it needs to take only then does it perform the setfilecon call to update the context. Even if we catch and silently ignore the error here the logging for the steps it intends to take will occur on every single Puppet run, filling the logs with what amounts to garbage and making email reports of changes essentially useless (as you would get an email on every run telling you of the changes it was going to make). Performing a setfilecon call to the same context that exists during the first phase to determine if a value can be set would be the only way I could see to handle this, but it violates Puppet's promise of not touching anything during a noop run and will update the ctime of the file. In the case of filesystems which behave like vfat Puppet would set the label the first time following the mount and until it is remounted wouldn't generate any additional messages. Filesystems which behave like NFS are the real problem case though and NFS is far more likely to be mounted at a spot where matchpathcon returns a default then (for example) vfat is. 
I'm not a fan of hardcoding a whitelist of supported filesystems for the very reasons Dan mentioned but it sounds like there isn't a good option for Puppet at the moment (and since I couldn't find any better options, this is what is going into the next Puppet release). No chance of seeing a "supports_setfilecon" type call? Sean From sds at tycho.nsa.gov Mon Nov 17 16:34:24 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 17 Nov 2008 11:34:24 -0500 Subject: Handling labeling on filesystems that don't support SELinux In-Reply-To: <1226938609.3282.34.camel@sewt> References: <1225998785.3313.5.camel@sewt> <49218381.4050509@redhat.com> <1226935605.25156.51.camel@moss-spartans.epoch.ncsc.mil> <1226938609.3282.34.camel@sewt> Message-ID: <1226939664.25156.70.camel@moss-spartans.epoch.ncsc.mil> On Mon, 2008-11-17 at 11:16 -0500, Sean E. Millichamp wrote: > Hmm... I believe that checking for an error at assignment time is not > going to be a workable solution for Puppet. > > The problem is that Puppet prepares what it needs to do in a transaction > before doing it. Take the situation where /usr/local is NFS mounted: > > # ls -Z /usr/local/bin/foo > -rwxr-xr-x root root system_u:object_r:nfs_t:s0 /usr/local/bin/foo > # matchpathcon /usr/local/bin/foo > /usr/local/bin/foo system_u:object_r:bin_t:s0 > > Then you run puppet with a manifest that includes management > of /usr/local/bin/foo. Can you explain what it means for puppet to manage a NFS-mounted filesystem? I'd tend to think that file management would happen on the server, not on a client. And puppet could easily run into problems with e.g. setting ownership/mode information on a NFS-mounted filesystem due to squashroot, uid/gid remapping, etc. > The first thing Puppet does is determine default > values. For SELinux this means a call to matchpathcon. Then Puppet > determines the current values with lgetfilecon. 
It notices that the > default value for the type should be bin_t, but the current is nfs_t so > it adds changing the type to its list of things to do. As it is > building this list it reports on the things it intends to do. > > Once it determines all of the actions that it needs to take only then > does it perform the setfilecon call to update the context. Even if we > catch and silently ignore the error here the logging for the steps it > intends to take will occur on every single Puppet run, filling the logs > with what amounts to garbage and making email reports of changes > essentially useless (as you would get an email on every run telling you > of the changes it was going to make). > > Performing a setfilecon call to the same context that exists during the > first phase to determine if a value can be set would be the only way I > could see to handle this, but it violates Puppet's promise of not > touching anything during a noop run and will update the ctime of the > file. > > In the case of filesystems which behave like vfat Puppet would set the > label the first time following the mount and until it is remounted > wouldn't generate any additional messages. Filesystems which behave > like NFS are the real problem case though and NFS is far more likely to > be mounted at a spot where matchpathcon returns a default then (for > example) vfat is. > > I'm not a fan of hardcoding a whitelist of supported filesystems for the > very reasons Dan mentioned but it sounds like there isn't a good option > for Puppet at the moment (and since I couldn't find any better options, > this is what is going into the next Puppet release). Ok - that's essentially what Dan does in his /sbin/fixfiles script as well. > No chance of > seeing a "supports_setfilecon" type call? Possibly an interface could be added to selinuxfs and wrapped with a libselinux function of that nature. 
Or possibly we could export that via a new mount option that shows up in /proc/mounts since we now support exporting information about context mounts there? There are already mount options for user_xattr and acl for example, but not explicitly for security contexts. -- Stephen Smalley National Security Agency From sean at bruenor.org Mon Nov 17 17:02:25 2008 From: sean at bruenor.org (Sean E. Millichamp) Date: Mon, 17 Nov 2008 12:02:25 -0500 Subject: Handling labeling on filesystems that don't support SELinux In-Reply-To: <1226939664.25156.70.camel@moss-spartans.epoch.ncsc.mil> References: <1225998785.3313.5.camel@sewt> <49218381.4050509@redhat.com> <1226935605.25156.51.camel@moss-spartans.epoch.ncsc.mil> <1226938609.3282.34.camel@sewt> <1226939664.25156.70.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <1226941345.3282.53.camel@sewt> On Mon, 2008-11-17 at 11:34 -0500, Stephen Smalley wrote: > Can you explain what it means for puppet to manage a NFS-mounted > filesystem? I'd tend to think that file management would happen on the > server, not on a client. And puppet could easily run into problems with > e.g. setting ownership/mode information on a NFS-mounted filesystem due > to squashroot, uid/gid remapping, etc. Managing a file essentially means "ensure the existence/absence of a file/directory, its ownership/permissions, and contents". The first use case that pops to mind is for NFS servers where you can't run Puppet on the server itself (an appliance device). Then you would need to manage the files from one or more clients. The big difference between SELinux contexts and the other attributes is that in the absence of uid/gid/mode being explicitly specified Puppet sees the default as "nil". This causes Puppet to ignore those attributes and, if creating a file, will just default to the umask/user that Puppet is running with. 
With SELinux the proper way to determine the default is to ask matchpathcon - so for any file where the user doesn't explicitly specify a context but matchpathcon returns one there is a non-nil default, causing Puppet to try to make the file in-sync if the actual doesn't match it. If an NFS filesystem was mounted at /mnt/nfs on my Fedora 9 system matchpathcon won't return a default for /mnt/nfs/foo so Puppet won't trigger any SELinux actions (unless the user explicitly lists a context). > > I'm not a fan of hardcoding a whitelist of supported filesystems for the > > very reasons Dan mentioned but it sounds like there isn't a good option > > for Puppet at the moment (and since I couldn't find any better options, > > this is what is going into the next Puppet release). > > Ok - that's essentially what Dan does in his /sbin/fixfiles script as > well. Ah, I just skimmed the script. I feel much better about this approach now and it will hopefully suffice. Also, since the whitelist exclusion is only for determining defaults, a user that wanted to actively manage an SELinux context could still explicitly list it in the file attributes and Puppet will try to set it regardless. > > No chance of > > seeing a "supports_setfilecon" type call? > > Possibly an interface could be added to selinuxfs and wrapped with a > libselinux function of that nature. > > Or possibly we could export that via a new mount option that shows up > in /proc/mounts since we now support exporting information about context > mounts there? There are already mount options for user_xattr and acl > for example, but not explicitly for security contexts. We'll see how well the filesystem whitelist works. I think it will probably be good enough - at least for the foreseeable future. Thanks for the feedback. 
Sean From olivares14031 at yahoo.com Mon Nov 17 22:22:14 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Mon, 17 Nov 2008 14:22:14 -0800 (PST) Subject: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" In-Reply-To: <20081115085456.73266454@metropolis.intra.city-fan.org> Message-ID: <418923.53043.qm@web52605.mail.re2.yahoo.com> > /var/run/dhcpd.pid should be dhcpd_var_run_t, not > var_run_t. > > Try: > # restorecon -v /var/run /var/run/dhcpd.pid > > Paul. Tried that several times and now I get : Nov 17 16:18:15 localhost kernel: type=1400 audit(1226960295.233:8): avc: denied { read write } for pid=11094 comm="restorecon" path="socket:[12486]" dev=sockfs ino=12486 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket Thank you very much for helping :) Regards, Antonio From dwalsh at redhat.com Mon Nov 17 22:25:08 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 17 Nov 2008 17:25:08 -0500 Subject: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" In-Reply-To: <418923.53043.qm@web52605.mail.re2.yahoo.com> References: <418923.53043.qm@web52605.mail.re2.yahoo.com> Message-ID: <4921EF44.5000502@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antonio Olivares wrote: >> /var/run/dhcpd.pid should be dhcpd_var_run_t, not >> var_run_t. >> >> Try: >> # restorecon -v /var/run /var/run/dhcpd.pid >> >> Paul. 
> > Tried that several times and now I get : > > Nov 17 16:18:15 localhost kernel: type=1400 audit(1226960295.233:8): avc: denied { read write } for pid=11094 comm="restorecon" path="socket:[12486]" dev=sockfs ino=12486 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > > > > Thank you very much for helping :) > > Regards, > > > Antonio > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list That looks like a leaked file descriptor. Are you using a konsole? kde has a known leak. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkkh70QACgkQrlYvE4MpobNCvQCfZk4LO2bqX3rb4dtM4v/v6k3L 1NgAnjzKVXC8Og/LQzZ7RKsvZ9ikOpx8 =aMwo -----END PGP SIGNATURE----- From olivares14031 at yahoo.com Mon Nov 17 22:27:26 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Mon, 17 Nov 2008 14:27:26 -0800 (PST) Subject: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" In-Reply-To: <4921EF44.5000502@redhat.com> Message-ID: <510636.64238.qm@web52601.mail.re2.yahoo.com> --- On Mon, 11/17/08, Daniel J Walsh wrote: > From: Daniel J Walsh > Subject: Re: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" > To: olivares14031 at yahoo.com > Cc: "Paul Howarth" , fedora-selinux-list at redhat.com > Date: Monday, November 17, 2008, 2:25 PM > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Antonio Olivares wrote: > >> /var/run/dhcpd.pid should be dhcpd_var_run_t, not > >> var_run_t. > >> > >> Try: > >> # restorecon -v /var/run /var/run/dhcpd.pid > >> > >> Paul. 
> > > > Tried that several times and now I get : > > > > Nov 17 16:18:15 localhost kernel: type=1400 > audit(1226960295.233:8): avc: denied { read write } for > pid=11094 comm="restorecon" > path="socket:[12486]" dev=sockfs ino=12486 > scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tclass=unix_stream_socket > > > > > > > > > > Thank you very much for helping :) > > > > Regards, > > > > > > Antonio > > > > > > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > That looks like a leaked file descriptor. Are you using a > konsole? Yes and working on KDE > > kde has a known leak. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Fedora - > http://enigmail.mozdev.org > > iEYEARECAAYFAkkh70QACgkQrlYvE4MpobNCvQCfZk4LO2bqX3rb4dtM4v/v6k3L > 1NgAnjzKVXC8Og/LQzZ7RKsvZ9ikOpx8 > =aMwo > -----END PGP SIGNATURE----- Thanks, Antonio From bruno at wolff.to Mon Nov 17 23:07:42 2008 From: bruno at wolff.to (Bruno Wolff III) Date: Mon, 17 Nov 2008 17:07:42 -0600 Subject: Which permission to execute a script? In-Reply-To: <49218F22.70603@redhat.com> References: <20081116075731.GA2129@wolff.to> <492180CE.7080600@redhat.com> <20081117151607.GC5217@wolff.to> <49218F22.70603@redhat.com> Message-ID: <20081117230742.GA20242@wolff.to> On Mon, Nov 17, 2008 at 10:34:58 -0500, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Bruno Wolff III wrote: > > On Mon, Nov 17, 2008 at 09:33:50 -0500, > > Daniel J Walsh wrote: > >> Bruno Wolff III wrote: > >>> I was making a modified version of the guest policy that needed to be able > >>> to edit and run some perl scripts that also are visible to the web server. > >>> I used the manage_files macro and allowed execute, but I can't run the > >>> script directly. But I can run it via perl. 
> >>> > >>> For example: > >>> > >>> [tomarndt at wolff area]$ ./newcheck.pl > >>> -bash: ./newcheck.pl: /usr/bin/perl: bad interpreter: Permission denied > >> getsebool -a | grep xgues > > You are trying to execute an apache script, http_sys_script_exec_t, > which is not allowed without the rule you added. > > If you change the label to http_user_script_exec_t it should be able to > execute. There doesn't seem to be a http_user_script_exec_t type. Probably it's a typo, but I didn't see a way to get a full list and didn't manage to guess the correct name. I still think there is something odd about this though. I can run the perl script using perl, just not as a script invoked from bash. I am not seeing avc's in the audit log for these failed attempts, so I am having trouble figuring out what is happening. Does running a bash script transition to another context when starting from a guest context? I tried setting each of allow_guest_exec_content and allow_xguest_exec_content to on. (I am trying to make a modified guest policy for someone ssh'ing in to my server.) Neither of those seemed to help. In the short run, running 'perl newcheck.pl' instead of ./newcheck.pl isn't really a big deal, but I'd like to try and make it work normally. From bruno at wolff.to Tue Nov 18 01:07:40 2008 From: bruno at wolff.to (Bruno Wolff III) Date: Mon, 17 Nov 2008 19:07:40 -0600 Subject: Which permission to execute a script? In-Reply-To: <20081117230742.GA20242@wolff.to> References: <20081116075731.GA2129@wolff.to> <492180CE.7080600@redhat.com> <20081117151607.GC5217@wolff.to> <49218F22.70603@redhat.com> <20081117230742.GA20242@wolff.to> Message-ID: <20081118010740.GA29740@wolff.to> On Mon, Nov 17, 2008 at 17:07:42 -0600, Bruno Wolff III wrote: > > There doesn't seem to be a http_user_script_exec_t type. Probably it's a > typo, but I didn't see a way to get a full list and didn't manage to > guess the correct name. Yep, typo. For the archive, 'seinfo -t' provides a list of types. 
The guest policy (at least my modified version) does not allow access to files labelled httpd_user_script_exec_t. I'll keep putzing with this. From bruno at wolff.to Tue Nov 18 05:22:42 2008 From: bruno at wolff.to (Bruno Wolff III) Date: Mon, 17 Nov 2008 23:22:42 -0600 Subject: Which permission to execute a script? In-Reply-To: <20081118010740.GA29740@wolff.to> References: <20081116075731.GA2129@wolff.to> <492180CE.7080600@redhat.com> <20081117151607.GC5217@wolff.to> <49218F22.70603@redhat.com> <20081117230742.GA20242@wolff.to> <20081118010740.GA29740@wolff.to> Message-ID: <20081118052242.GA18976@wolff.to> On Mon, Nov 17, 2008 at 19:07:40 -0600, Bruno Wolff III wrote: > On Mon, Nov 17, 2008 at 17:07:42 -0600, > Bruno Wolff III wrote: > > > > There doesn't seem to be a http_user_script_exec_t type. Probably it's a > > typo, but I didn't see a way to get a full list and didn't manage to > > guess the correct name. > > Yep, typo. For the archive, 'seinfo -t' provides a list of types. > > The guest policy (at least my modified version) does not allow access to > files labelled httpd_user_script_exec_t. > > I'll keep putzing with this. I have it working now. In the end I needed to give both execute and execute_no_trans permission for tom_t running httpd_sys_script_exec_t. The allow_xguest_exec_content and allow_guest_exec_content booleans didn't seem to make a difference. Going forward I might want to spend the time to dial this policy back as I am executing the scripts with those types as an unconfined user (or perhaps I should use the user_u role) and I'd like to prevent tom_t from changing them (or replacing the files) with selinux. I was having trouble finding what the manage_files_pattern and manage_dirs_pattern macros expand to and exactly what functions some of the permissions allow. Is there any good documentation of these things online? 
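Going back to the "Handling labeling on filesystems that don't support SELinux" thread above: what Sean settled on (decide from the mount table, so a no-op Puppet run never calls setfilecon() or touches a ctime), Dan's caveat that a context= mount refuses relabeling even on ext3, and Stephen's point that only EOPNOTSUPP means "cannot store a label", combined into one added Python example. This is my code, not Puppet's and not anything posted to the list. The XATTR_FS and TRANSIENT_FS sets, the names label_support and classify_setfilecon_error, and the /proc/mounts snapshot are assumptions or constructed; the seclabel mount option is one later kernels do print in /proc/mounts, along the lines Stephen suggests, but the Fedora 9/10 kernels in this thread did not.

```python
"""Decide, without touching the file, whether SELinux labels on a path
can be set and will persist, from a /proc/mounts snapshot.
Added example for the Puppet thread; not Puppet's code.  The filesystem
sets, the mount-option handling and SAMPLE_MOUNTS are assumptions."""
import errno
import os
import re

# Assumption: filesystems that store security.selinux as an extended
# attribute, so a label written with setfilecon() survives a remount.
XATTR_FS = frozenset({"ext2", "ext3", "ext4", "xfs", "jfs", "btrfs", "gfs2"})
# Assumption: labels live only in memory here (genfscon / fs_use_trans), so
# setfilecon() succeeds but the label is forgotten at unmount, as with vfat.
TRANSIENT_FS = frozenset({"vfat", "msdos", "iso9660", "tmpfs", "devpts"})

# Constructed /proc/mounts snapshot (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/dm-0 / ext3 rw,relatime 0 0
nas:/export/local /usr/local nfs rw,addr=192.0.2.10 0 0
/dev/sdb1 /mnt/usb vfat rw,fmask=0022 0 0
/dev/sdc1 /srv/share ext3 rw,context=system_u:object_r:samba_share_t:s0 0 0
/dev/sdd1 /mnt/with\\040space ext4 rw,seclabel 0 0
tmpfs /dev/shm tmpfs rw 0 0
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(field):
    """Undo the octal escapes the kernel uses in /proc/mounts (\\040 = space)."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return [(mountpoint, fstype, {option: value})] in /proc/mounts order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        opts = {}
        for opt in parts[3].split(","):   # simplification: no quoted option values
            key, _, value = opt.partition("=")
            opts[key] = value
        mounts.append((unescape(parts[1]), parts[2], opts))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match on whole path components, so that a file under
    /usr/local2 is not attributed to the /usr/local mount."""
    path = os.path.normpath(path)
    best = None
    for mp, fstype, opts in mounts:
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, opts)
    return best


def label_support(path, mounts):
    """Classify what a setfilecon() on `path` would mean:
      persistent - xattr-backed, the label survives a remount
      fixed      - context= mount (Dan's example): every file carries the
                   mount's label and setfilecon() is refused
      transient  - in-memory label only, lost at unmount (Stephen's vfat note)
      none       - the kernel cannot store a label here at all (NFS here)
    Only 'persistent' paths should have matchpathcon defaults enforced."""
    found = mount_for(path, mounts)
    if found is None:
        return "none"
    _, fstype, opts = found
    if "context" in opts:
        return "fixed"
    if fstype in TRANSIENT_FS:
        return "transient"
    if fstype in XATTR_FS or "seclabel" in opts:
        return "persistent"
    return "none"


def classify_setfilecon_error(err):
    """Stephen's point: separate EOPNOTSUPP (the filesystem cannot hold the
    label: ignore, or warn in verbose mode) from EACCES/EPERM (a supported
    operation that policy or DAC refused: report it) and from anything else."""
    if err == errno.EOPNOTSUPP:
        return "unsupported"
    if err in (errno.EACCES, errno.EPERM):
        return "denied"
    return "error"


def set_context(path, context):
    """Write the label the way lsetfilecon() does (NUL-terminated xattr) and
    map any failure to its class; meant only for paths reported 'persistent'."""
    try:
        os.setxattr(path, "security.selinux", context.encode() + b"\0",
                    follow_symlinks=False)
    except OSError as exc:
        return classify_setfilecon_error(exc.errno)
    return "ok"


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/usr/local/bin/foo", "/etc/passwd", "/mnt/usb/a.txt",
              "/srv/share/doc", "/mnt/with space/x", "/dev/shm/my_data"):
        print(f"{p:22} {label_support(p, table)}")
```

On a live host feed it `parse_mounts(open("/proc/mounts").read())`. The mount-table check answers Sean's no-op problem (nothing is written, so nothing is logged on every run), while set_context keeps the errno split for the paths that are actually managed: "unsupported" is the only result that is safe to ignore silently.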
From olivares14031 at yahoo.com Tue Nov 18 13:49:15 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Tue, 18 Nov 2008 05:49:15 -0800 (PST) Subject: installing xine from source yields lots of selinux denials Message-ID: <365293.22617.qm@web52612.mail.re2.yahoo.com> Dear all, Trying to install xine-lib from source *to put in the missing pieces* gives selinux denials with chcon Summary: SELinux is preventing chcon (unconfined_t) "mac_admin" unconfined_t. Detailed Description: SELinux denied access requested by chcon. It is not expected that this access is required by chcon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0 Target Objects None [ capability2 ] Source chcon Source Path /usr/bin/chcon Port Host emachines-3 Source RPM Packages coreutils-6.12-17.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-18.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name emachines-3 Platform Linux emachines-3 2.6.27.5-109.fc10.x86_64 #1 SMP Thu Nov 13 20:12:05 EST 2008 x86_64 x86_64 Alert Count 60 First Seen Tue 18 Nov 2008 07:47:03 AM CST Last Seen Tue 18 Nov 2008 07:48:36 AM CST Local ID 395c28ed-1aab-4d88-9105-57cecfd55b14 Line Numbers Raw Audit Messages node=emachines-3 type=AVC msg=audit(1227016116.77:132): avc: denied { mac_admin } for pid=3757 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability2 node=emachines-3 type=SYSCALL msg=audit(1227016116.77:132): arch=c000003e syscall=188 success=no exit=-22 a0=133e670 a1=6236f9 a2=133fa40 a3=21 items=0 ppid=3751 pid=3757 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) Thanks, Antonio From dwalsh at redhat.com Tue Nov 18 16:18:29 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 18 Nov 2008 11:18:29 -0500 Subject: installing xine from source yields lots of selinux denials In-Reply-To: <365293.22617.qm@web52612.mail.re2.yahoo.com> References: <365293.22617.qm@web52612.mail.re2.yahoo.com> Message-ID: <4922EAD5.7090208@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antonio Olivares wrote: > Dear all, > > Trying to install xine-lib from source *to put in the missing pieces* gives selinux denials with chcon > > > Summary: > > SELinux is preventing chcon (unconfined_t) "mac_admin" unconfined_t. 
> > Detailed Description: > > SELinux denied access requested by chcon. It is not expected that this access is > required by chcon and this access may signal an intrusion attempt. It is also > possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context unconfined_u:unconfined_r:unconfined_t:s0 > Target Context unconfined_u:unconfined_r:unconfined_t:s0 > Target Objects None [ capability2 ] > Source chcon > Source Path /usr/bin/chcon > Port > Host emachines-3 > Source RPM Packages coreutils-6.12-17.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.13-18.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name emachines-3 > Platform Linux emachines-3 2.6.27.5-109.fc10.x86_64 #1 SMP > Thu Nov 13 20:12:05 EST 2008 x86_64 x86_64 > Alert Count 60 > First Seen Tue 18 Nov 2008 07:47:03 AM CST > Last Seen Tue 18 Nov 2008 07:48:36 AM CST > Local ID 395c28ed-1aab-4d88-9105-57cecfd55b14 > Line Numbers > > Raw Audit Messages > > node=emachines-3 type=AVC msg=audit(1227016116.77:132): avc: denied { mac_admin } for pid=3757 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability2 > > node=emachines-3 type=SYSCALL msg=audit(1227016116.77:132): arch=c000003e syscall=188 success=no exit=-22 a0=133e670 a1=6236f9 a2=133fa40 a3=21 items=0 ppid=3751 pid=3757 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="chcon" 
exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) > > > > > Thanks, > > Antonio > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Please report as a bug to xine. This means they are trying to lay down file context that the host does not know about, they should never do this, and they should work with SELinux developers to do the right thing. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkki6tUACgkQrlYvE4MpobP0xgCgrxhXB6jC131v43iP+LrCxmiF 6usAoJQFKqkf7XZYq6ZojkiZi2mxwBaI =eeZ/ -----END PGP SIGNATURE----- From vince.rafale at gmail.com Tue Nov 18 16:36:07 2008 From: vince.rafale at gmail.com (Vince Le Port) Date: Tue, 18 Nov 2008 17:36:07 +0100 Subject: MCS process transition and categories problem Message-ID: <4922EEF7.1040402@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear all, I am currently experiencing some trouble in modifying a process MCS category. Here is the problem: I have got a user who is in s0:c1.c2 Then this user launches a process which thus runs in the same range (s0:c1.c2) A setcon() is made to move the context process into a restriction : s0:c1 By adding, a new allow rule thanks to a module, this step works great. allow user_t self:process { setcurrent dyntransition }; Once in this restricted context, it seems impossible to run another setcon(), in order to move into s0:c2 or return into the initial context s0:c1.c2. Here is the error launched by audit : type=AVC msg=audit(1224638358.893:242): avc: denied { dyntransition } for pid=26212 comm="prog" scontext=user_u:user_r:user_t:s0:c1 tcontext=user_u:user_r:user_t:s0:c2 tclass=process Is it possible to add a rule which will allow the process to re-enter in s0:c1.c2 context or to enter into s0:c2 from s0:c1 ? 
Regards, Vince -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJIu73CkDrToteDh0RAj0KAKDOxJ+azZFToxlGAJx102Fpc7PxugCfawIB cNDQr9UdmyiwGZxul3Jz1IA= =9kOV -----END PGP SIGNATURE----- From mike.cloaked at gmail.com Tue Nov 18 21:11:31 2008 From: mike.cloaked at gmail.com (MikeC) Date: Tue, 18 Nov 2008 21:11:31 +0000 (UTC) Subject: Further on SElinux and kismet Message-ID: Some days ago I was trying to run kismet on a system with F9 running SElinux and kismet failed to start and complained about being unable to write to the file ssid_map which was in the normal user main dir. There was an AVC denial indicating that kismet was not permitted to access that file. It was suggested that I make kismet look at /var/lib/kismet instead. Having tried again this evening and changed kismet.conf so that %h/ was changed to /var/lib/kismet/ then kismet still fails to start and the terminal window gives: Will attempt to put networkmanager to sleep... Allowing clients to fetch WEP keys. WARNING: Disabling GPS logging. SSID cloak file did not exist, it will be created. FATAL: Could not open SSID track file '/var/lib/kismet/ssid_map' for writing: Permission denied Sending termination request to channel control child 3538... Waiting for channel control child 3538 to exit... WARNING: Sometimes cards don't always come out of monitor mode cleanly. If your card is not fully working, you may need to restart or reconfigure it for normal operation. Trying to wake networkmanager back up... WARNING: Failed to connect to DBUS system, will not be able to control networkmanager: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied WARNING: Failed to send 'wake' command to networkmanager via DBUS, NM may still be inactive.Kismet exiting. Done. 
I checked the contexts: [root at lapmike2 kismet]# ll -Zld /var/lib/kismet drwxrwx--- 2 system_u:object_r:kismet_var_lib_t:s0 root kismet 4096 2008-11-18 20:59 /var/lib/kismet [root at lapmike2 kismet]# ll -Z /var/lib/kismet -rw-rw-rw- root root unconfined_u:object_r:kismet_var_lib_t:s0 ssid_map Any ideas how to fix this - in the above there is no AVC denial but I am guessing that SElinux may still be involved?

From Katrina.Scally at gdc4s.com Tue Nov 18 22:35:32 2008 From: Katrina.Scally at gdc4s.com (Scally, Katrina-P54861) Date: Tue, 18 Nov 2008 15:35:32 -0700 Subject: Setting context for shm created with shm_open() Message-ID: Hello, I am creating shared memory using shm_open() as opposed to using SysV IPC. The shared memory is created as a mapped file under /dev/shm. The default type for this file is tmpfs_t. I would like to define my own type, say my_tmpfs_t, and associate it with the file in /dev/shm. With the appropriate policy in place I can do this via chcon from the command line. However, if I specify the context in the fc file it is not applied. I performed a fixfiles relabel and it didn't appear as if it was looking in this directory. Is this approach the best way to use SELinux with POSIX IPC? Can I relabel files in /dev/shm? The contents of my module are shown below:

* * * .if * * *

* * * .te * * *
type my_tmpfs_t;
files_type(my_tmpfs_t)

* * * .fc * * *
/dev/shm/my_data -- gen_context(system_u:object_r:my_tmpfs_t, s0)

Thank you. > This email message is for the sole use of the intended recipient(s) > and may contain GDC4S confidential or privileged information. Any > unauthorized review, use, disclosure or distribution is prohibited. If > you are not an intended recipient, please contact the sender by reply > email and destroy all copies of the original message. > -------------- next part -------------- An HTML attachment was scrubbed...
URL: From sds at tycho.nsa.gov Wed Nov 19 13:08:53 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 19 Nov 2008 08:08:53 -0500 Subject: Setting context for shm created with shm_open() In-Reply-To: References: Message-ID: <1227100133.12003.6.camel@moss-spartans.epoch.ncsc.mil> On Tue, 2008-11-18 at 15:35 -0700, Scally, Katrina-P54861 wrote: > Hello, > > I am creating shared memory using shm_open() as opposed to using SysV > IPC. The shared memory is created as a mapped file under /dev/shm.
> The default type for this file is tmpfs_t. I would like to define my > own type, say my_tmpfs_t, and associate it with the file in /dev/shm. > With the appropriate policy in place I can do this via chcon from the > command line. However, if I specify the context in the fc file it is > not applied. I performed a fixfiles relabel and it didn't appear as > if it was looking in this directory. Is this approach the best way to > use SELinux with POSIX IPC? Can I relabel files in /dev/shm? The > contents of my module are shown below: You should use a type transition rule (file_type_auto_trans) to cause files you create at runtime to get the right type upon creation. The .fc files are for labeling of persistent files at install time and for preserving the labels on such files across a relabel, but none of that applies to shared memory objects. fixfiles only labels persistent filesystems that support attributes. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Wed Nov 19 13:24:22 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 19 Nov 2008 08:24:22 -0500 Subject: Further on SElinux and kismet In-Reply-To: References: Message-ID: <49241386.1060804@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MikeC wrote: > Some days ago I was trying to run kismet on a system with F9 running > SElinux and kismet failed to start and complained about being unable > to write to the file ssid_map which was in the normal user main dir. > There was an AVC denial indicating that kismet was not permitted to access > that file. > > It was suggested that I make kismet look at /var/lib/kismet instead. > > Having tried again this evening and changed kismet.conf so that > %h/ was changed to /var/lib/kismet/ then kismet still fails to start and the > terminal window gives: > > Will attempt to put networkmanager to sleep... > Allowing clients to fetch WEP keys. > WARNING: Disabling GPS logging. > SSID cloak file did not exist, it will be created. 
> FATAL: Could not open SSID track file '/var/lib/kismet/ssid_map' for writing: > Permission denied > Sending termination request to channel control child 3538... > Waiting for channel control child 3538 to exit... > WARNING: Sometimes cards don't always come out of monitor mode > cleanly. If your card is not fully working, you may need to > restart or reconfigure it for normal operation. > Trying to wake networkmanager back up... > WARNING: Failed to connect to DBUS system, will not be able to control > networkmanager: Failed to connect to socket /var/run/dbus/system_bus_socket: > Permission denied > WARNING: Failed to send 'wake' command to networkmanager via DBUS, NM may still > be inactive.Kismet exiting. > Done. > > I checked the contexts: > [root at lapmike2 kismet]# ll -Zld /var/lib/kismet > drwxrwx--- 2 system_u:object_r:kismet_var_lib_t:s0 root kismet 4096 2008-11-18 > 20:59 /var/lib/kismet > [root at lapmike2 kismet]# ll -Z /var/lib/kismet > -rw-rw-rw- root root unconfined_u:object_r:kismet_var_lib_t:s0 ssid_map > > Any ideas how to fix this - in the above there is no AVC denial but I am > guessing that SElinux may still be involved? > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Looks like kismet is trying to communicate with NetworkManager over dbus; I can add that. Some of the avc's that you submitted indicate that kismet is trying to load kernel modules, which is not something we want to add. > FATAL: Could not open SSID track file '/var/lib/kismet/ssid_map' for writing: Not sure what is causing this? Is this a regular file? Could you send me your configuration so I could try this out?
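Two checks worth making on the kismet failure before touching policy, plus a small triage helper for the raw denials quoted in this and the following threads. Neither is from the list; both are added by the editor. First, "Permission denied" with no AVC in the log does not rule SELinux out: the denial may be covered by a dontaudit rule, and `semodule -DB` (where your semodule supports -D) rebuilds the policy with those rules removed so the AVC becomes visible; `semodule -B` puts them back. Second, it may be plain DAC: kismet drops root and runs as its configured suiduser, and /var/lib/kismet above is mode 0770 root:kismet, so that user has to be in the kismet group to create or open anything in it. The helper below parses AVC lines of the shape seen in these messages (the four samples are copied from the spamd, postqueue, chcon and npviewer denials on this page) and applies four heuristics of the editor's own: a target carrying a generic type such as home_root_t or default_t is a mislabeled object (restorecon), a mac_admin denial on capability2 means the caller asked for a context the loaded policy does not define (Daniel Walsh's xine point above), a connectto denial against a socket labeled unconfined_t means the daemon that owns it was not started in its own domain, and everything else goes to a boolean check or policy review. The tool names in the advice strings (restorecon, getsebool, audit2allow, seinfo, run_init) are real; the classifications are assumptions to confirm against the policy, not verdicts.

```python
"""Triage helper for raw SELinux AVC denials.

Added example for this thread, not code from the list or from any Fedora
tool. The sample lines are copied from denials quoted on this page; the
classification rules are the editor's heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the messages on this page (spamd, postqueue, chcon, npviewer).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1227116423.127:797): avc: denied { write } for pid=7118 comm="spamd" '
    'name="user_prefs" dev=sda3 ino=74942440 scontext=system_u:system_r:spamd_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=file',
    'type=AVC msg=audit(1227117882.675:17773): avc: denied { connectto } for pid=15651 '
    'comm="postqueue" path="/var/spool/postfix/public/showq" '
    'scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
    'type=AVC msg=audit(1227016116.77:132): avc: denied { mac_admin } for pid=3757 comm="chcon" '
    'capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability2',
    'type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 '
    'comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Target types that mean "this object was never labelled properly". home_root_t is
# right on /home itself but wrong on anything inside a home directory, which is
# what a copy made without preserving contexts leaves behind.
GENERIC_TYPES = {"default_t", "file_t", "unlabeled_t", "home_root_t"}


@dataclass
class Avc:
    perms: frozenset[str]
    fields: dict[str, str]

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]

    @property
    def stype(self) -> str:
        return self.fields["scontext"].split(":")[2]

    @property
    def ttype(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str) -> Avc | None:
    """Pull the permission set and the key=value fields out of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group("rest"))}
    return Avc(frozenset(m.group("perms").split()), fields)


def triage(avc: Avc) -> tuple[str, str]:
    """Return (category, suggested next step) for one denial; heuristics, not policy."""
    comm = avc.fields.get("comm", "?")
    if avc.tclass == "capability2" and "mac_admin" in avc.perms:
        return ("unknown-label",
                f"{comm} tried to set a context the loaded policy does not define; find the "
                "label it asked for (seinfo -t lists known types) and fix the caller, "
                "do not grant mac_admin")
    if avc.ttype in GENERIC_TYPES and not (avc.ttype == "home_root_t" and avc.tclass == "dir"):
        return ("mislabeled-target",
                f"{avc.fields.get('name', 'the target')} carries {avc.ttype}; run "
                f"restorecon -RFv on its parent directory so {avc.stype} sees the expected type")
    if avc.tclass == "unix_stream_socket" and "connectto" in avc.perms and avc.ttype == "unconfined_t":
        return ("unconfined-peer",
                f"the daemon behind {avc.fields.get('path', 'the socket')} runs as unconfined_t, "
                "so it was probably started from an interactive shell; restart it through its "
                "init script (or run_init) so it transitions into its own domain, then retry")
    domain = avc.stype[:-2] if avc.stype.endswith("_t") else avc.stype
    return ("needs-policy-review",
            f"{avc.stype} -> {avc.ttype} ({avc.tclass} {' '.join(sorted(avc.perms))}): check for a "
            f"boolean first (getsebool -a | grep {domain}), then audit2allow -w and a policy bug")


def triage_all(lines) -> dict[str, str]:
    """Map comm -> category for every line that parses as an AVC denial."""
    result: dict[str, str] = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            result[avc.fields.get("comm", "?")] = triage(avc)[0]
    return result


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        category, advice = triage(parse_avc(line))
        print(f"{category:<20} {advice}")
```

Feed it `ausearch -m avc -ts recent` output and the four samples sort into the four buckets; the spamd line lands on restorecon, which is the fix Paul Howarth gives further down this page.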
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkkkE4YACgkQrlYvE4MpobNxCQCfbeTojME8BHRdWkTxetN31+Ct KrEAn0r+y5WJX7VXlUKFDB7UilmKjgG4 =61VX -----END PGP SIGNATURE----- From olivares14031 at yahoo.com Wed Nov 19 13:25:42 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Wed, 19 Nov 2008 05:25:42 -0800 (PST) Subject: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" Message-ID: <926395.1943.qm@web52603.mail.re2.yahoo.com> Dear fellow selinux experts, npviewer is causing lots of trouble. Firefox freezes and I have to kill it/terminate it and restart it just to post :( What should I do, I have filed bugs on this several times :( Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.548:6): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.659:7): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.694:8): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 
tclass=sem Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.732:9): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.764:10): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.790:11): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.816:12): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.841:13): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem Nov 19 07:14:02 localhost kernel: __ratelimit: 42 callbacks suppressed Nov 19 07:14:02 localhost kernel: type=1400 audit(1227100442.317:28): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem Thanks, Antonio From loganjerry at gmail.com Wed Nov 19 17:58:20 2008 From: loganjerry at gmail.com (Jerry James) Date: Wed, 19 Nov 2008 10:58:20 
-0700 Subject: GCL Message-ID: <870180fe0811190958n50ae2da0qe0ddeb0fd89e70dc@mail.gmail.com> Once upon a time on fedora-devel-list, Daniel J Walsh wrote: > +/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0) > > > Will be in selinux-policy-3.5.13-19.fc10 I've done some experimenting, and I think I need a couple of modifications to this. First, it turns out that GCL needs both execmem and execheap permissions. Do I need to create a gcl_exec_t type to combine those? Second, /usr/bin/gcl is just a shell script. It does an exec of /usr/lib/gcl-%{version}/unixport/saved_ansi_gcl, which is the saved Lisp image, along with appropriate command line options. I don't expect permissions to persist across an exec (but tell me if I'm wrong), so I think I need the policy to mention the saved image instead of /usr/bin/gcl. There are some problems associated with this: 1) The /usr/lib prefix is used on both 32-bit and 64-bit platforms, which is bad. I'll see if I can get that fixed, but it appears to require some code changes (i.e., not just makefile changes). 2) The GCL build process can produce multiple image files, with various combinations of options (such as profiling, ANSI vs. CLtL1 support, a GUI, etc.). Fedora has only ever shipped one image, but I can see an argument for producing a profiling version of the standard image and making /usr/bin/gcl choose between them based on command line arguments. In any case, all of the image names start with "saved_". The upshot of all this is that, to make the policy future-proof, I really need the execmem + execheap permissions for all files that match this pattern: /usr/lib*/gcl-*/unixport/saved_* Is that okay? If so, how do I proceed? Thanks for helping out an SELinux newbie. 
-- Jerry James http://loganjerry.googlepages.com/ From gene.heskett at verizon.net Wed Nov 19 18:00:18 2008 From: gene.heskett at verizon.net (Gene Heskett) Date: Wed, 19 Nov 2008 13:00:18 -0500 Subject: selinux denying spamd write access to its own user home dir Message-ID: <200811191300.18674.gene.heskett@verizon.net> Greetings; Just recovering from a drive failure, and just now managed to get enough perl deps installed to run spamassassin. I modified the spamassassin script in /etc/init.d to run it as the same user that fetches the mail, also fixed the spamassassin in /etc/sysconfig to match, and according to htop, the spamd's are running as that user. But, selinux is still having a cow for every incoming message. ========= Source Context: system_u:system_r:spamd_t:s0 Target Context: system_u:object_r:home_root_t:s0 Target Objects: ./user_prefs [ file ] ===temp end of snip From that, here is that file: [root at coyote .spamassassin]# ls -l user_prefs -rw-r--r-- 1 gene gene 1164 2006-01-16 13:45 user_prefs [root at coyote .spamassassin]# ls -l --context user_prefs -rw-r--r-- gene gene system_u:object_r:home_root_t:s0 user_prefs ===back to troubleshooter output host=coyote.coyote.den type=AVC msg=audit(1227116423.127:797): avc: denied { write } for pid=7118 comm="spamd" name="user_prefs" dev=sda3 ino=74942440 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file host=coyote.coyote.den type=SYSCALL msg=audit(1227116423.127:797): arch=40000003 syscall=5 success=no exit=-13 a0=9a83590 a1=8241 a2=1b6 a3=8241 items=0 ppid=7116 pid=7118 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) ========= Secondary Q: when are we going to be able to copy & paste from the selinuxtroubleshooter screen and preserve the ^%$*^%$( formatting?
I have performed the troubleshooter recommended fix: setsebool -P spamd_enable_home_dirs=1 and restarted spamassassin several times. Perms or context problem with the /home dirs? A bug? Or do I need to do an autorelabel? The /home dirs, FWIW, were copied from another drive by mc & then 'chown -R user:user' when the copy was finished, which may not have been the correct thing to do FAIK. But it was the only way I could preserve an email corpus that is in the 10Gb area for size. There are no entries for spamassassin or spamd in /etc/group that I could use to make that file a member of. Fix please? Thanks. -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) "Truth never comes into the world but like a bastard, to the ignominy of him that brought her birth." -- Milton From paul at city-fan.org Wed Nov 19 23:28:04 2008 From: paul at city-fan.org (Paul Howarth) Date: Wed, 19 Nov 2008 23:28:04 +0000 Subject: selinux denying spamd write access to its own user home dir In-Reply-To: <200811191300.18674.gene.heskett@verizon.net> References: <200811191300.18674.gene.heskett@verizon.net> Message-ID: <20081119232804.110379ff@metropolis.intra.city-fan.org> On Wed, 19 Nov 2008 13:00:18 -0500 Gene Heskett wrote: > Greetings; > > Just recovering from a drive failure, and just now managed to get > enough perl deps installed to run spamassassin. > > I modified the spamassassin script in /etc/init.d to run it as the > same user that fetches the mail, also fixed the spamassassin > in /etc/sysconfig to match, and according to htop, the spamd's are > running as that user. > > But, selinux is still having a cow for every incoming message.
> ========= > Source Context: system_u:system_r:spamd_t:s0 > Target Context: system_u:object_r:home_root_t:s0 > Target Objects: ./user_prefs [ file ] > ===temp end of snip > > From that, here is that file: > [root at coyote .spamassassin]# ls -l user_prefs > -rw-r--r-- 1 gene gene 1164 2006-01-16 13:45 user_prefs > [root at coyote .spamassassin]# ls -l --context user_prefs > -rw-r--r-- gene gene system_u:object_r:home_root_t:s0 user_prefs > > ===back to troubleshooter output > > host=coyote.coyote.den type=AVC msg=audit(1227116423.127:797): avc: > denied { write } for pid=7118 comm="spamd" name="user_prefs" dev=sda3 > ino=74942440 scontext=system_u:system_r:spamd_t:s0 > tcontext=system_u:object_r:home_root_t:s0 tclass=file > > host=coyote.coyote.den type=SYSCALL msg=audit(1227116423.127:797): > arch=40000003 syscall=5 success=no exit=-13 a0=9a83590 a1=8241 a2=1b6 > a3=8241 items=0 ppid=7116 pid=7118 auid=0 uid=501 gid=501 euid=501 > suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 > comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 > key=(null) ========= > Secondary Q: when are we going to be able to copy & paste from the > selinuxtroubleshooter screen and preserve the ^%$*^%$( formatting? > > I have performed the troubleshooter recommended fix: > > setsebool -P spamd_enable_home_dirs=1 > > and restarted spamassassin several times. > > Perms or context problem with the /home dirs? > > A bug? > > Or do I need to do an autorelabel? > > The /home dirs, FWIW, were copied from another drive by mc & then > 'chown -R user:user' when the copy was finished which may not have > been the correct thing to do FAIK. But it was the only way I could > preserve an email corpus that is in the 10Gb area for size. > > There are no entries for spamassassin or spamd in /etc/group that I > could use to make that file a member of. > > Fix please? Regular unix usernames and groups will make little difference to SELinux.
What you need is the right SELinux labelling for the files. Try this: # restorecon -RF /home/*/.spamassassin/ On F9 at least, I believe ~/.spamassassin should have context type user_spamassassin_home_t rather than home_root_t, which is what you seem to have now. If this fixes things for you, it's likely that there are other similar issues that will need fixing up, and doing a relabel will be a good idea when you can spare the time. Paul. From gene.heskett at verizon.net Thu Nov 20 03:43:50 2008 From: gene.heskett at verizon.net (Gene Heskett) Date: Wed, 19 Nov 2008 22:43:50 -0500 Subject: selinux denying spamd write access to its own user home dir In-Reply-To: <20081119232804.110379ff@metropolis.intra.city-fan.org> References: <200811191300.18674.gene.heskett@verizon.net> <20081119232804.110379ff@metropolis.intra.city-fan.org> Message-ID: <200811192243.50055.gene.heskett@verizon.net> On Wednesday 19 November 2008, Paul Howarth wrote: >On Wed, 19 Nov 2008 13:00:18 -0500 > >Gene Heskett wrote: >> Greetings; >> >> Just recovering from a drive failure, and just now managed to get >> enough perl deps installed to run spamassassin. >> >> I modified the spamassassin script in /etc/init.d to run it as the >> same user that fetches the mail, also fixed the spamassassin >> in /etc/sysconfig to match, and according to htop, the spamd's are >> running as that user. >> >> But, selinux is still having a cow for every incoming message.
>> ========= >> Source Context: system_u:system_r:spamd_t:s0 >> Target Context: system_u:object_r:home_root_t:s0 >> Target Objects: ./user_prefs [ file ] >> ===temp end of snip >> >> From that, here is that file: >> >> [root at coyote .spamassassin]# ls -l user_prefs >> -rw-r--r-- 1 gene gene 1164 2006-01-16 13:45 user_prefs >> [root at coyote .spamassassin]# ls -l --context user_prefs >> -rw-r--r-- gene gene system_u:object_r:home_root_t:s0 user_prefs >> >> ===back to troubleshooter output >> >> host=coyote.coyote.den type=AVC msg=audit(1227116423.127:797): avc: >> denied { write } for pid=7118 comm="spamd" name="user_prefs" dev=sda3 >> ino=74942440 scontext=system_u:system_r:spamd_t:s0 >> tcontext=system_u:object_r:home_root_t:s0 tclass=file >> >> host=coyote.coyote.den type=SYSCALL msg=audit(1227116423.127:797): >> arch=40000003 syscall=5 success=no exit=-13 a0=9a83590 a1=8241 a2=1b6 >> a3=8241 items=0 ppid=7116 pid=7118 auid=0 uid=501 gid=501 euid=501 >> suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 >> comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 >> key=(null) ========= >> Secondary Q: when are we going to be able to copy & paste from the >> selinuxtroubleshooter screen and preserve the ^%$*^%$( formatting? >> >> I have performed the troubleshooter recommended fix: >> >> setsebool -P spamd_enable_home_dirs=1 >> >> and restarted spamassassin several times. >> >> Perms or context problem with the /home dirs? >> >> A bug? >> >> Or do I need to do an autorelabel? >> >> The /home dirs, FWIW, were copied from another drive by mc & then >> 'chown -R user:user' when the copy was finished which may not have >> been the correct thing to do FAIK. But it was the only way I could >> preserve an email corpus that is in the 10Gb area for size. >> >> There are no entries for spamassassin or spamd in /etc/group that I >> could use to make that file a member of. >> >> Fix please?
> >Regular unix usernames and groups will make little difference to >SELinux. What you need is the right SELinux labelling for the files. > >Try this: ># restorecon -RF /home/*/.spamassassin/ > I can do this right now, hang on. Quick, less than a second. Now we wait to see if it throws up another icon to match the incoming mail beep. Yes, it took nearly a minute after procmail.log showed it, for it to get here, and now another mail has arrived with no alert and denial. Thanks Paul, and a big bow in your direction. >On F9 at least, I believe ~/.spamassassin should have context type >user_spamassassin_home_t rather than home_root_t which is what you seem >to have now. > >If this fixes things for you, it's likely that there are other similar >issues that will need fixing up, and doing a relabel will be a good >idea when you can spare the time. > >Paul. I did a "touch /.autorelabel" about Tuesday evening after one install, and it seemed to be ignored on the reboot. Is that not the correct method? Thanks again. -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Sic transit gloria mundi. [So passes away the glory of this world.] -- Thomas `a Kempis From paul at city-fan.org Thu Nov 20 07:21:19 2008 From: paul at city-fan.org (Paul Howarth) Date: Thu, 20 Nov 2008 07:21:19 +0000 Subject: selinux denying spamd write access to its own user home dir In-Reply-To: <200811192243.50055.gene.heskett@verizon.net> References: <200811191300.18674.gene.heskett@verizon.net> <20081119232804.110379ff@metropolis.intra.city-fan.org> <200811192243.50055.gene.heskett@verizon.net> Message-ID: <20081120072119.1a36649e@metropolis.intra.city-fan.org> On Wed, 19 Nov 2008 22:43:50 -0500 Gene Heskett wrote: > >Try this: > ># restorecon -RF /home/*/.spamassassin/ > > > I can do this right now, hang on. Quick, less than a second.
Now we > wait to see if it throws up another icon to match the incoming mail > beep. Yes, it took nearly a minute after procmail.log showed it, for > it to get here, and now another mail has arrived with no alert and > denial. > > Thanks Paul, and a big bow in your direction. Thanks. > >On F9 at least, I believe ~/.spamassassin should have context type > >user_spamassassin_home_t rather than home_root_t which is what you > >seem to have now. > > > >If this fixes things for you, it's likely that there are other > >similar issues that will need fixing up, and doing a relabel will be > >a good idea when you can spare the time. > > > >Paul. > > I did a "touch /.autorelabel" about Tuesday evening after one > install, and it seemed to be ignored on the reboot. Is that not the > correct method? That is the correct method. Are you sure there wasn't a typo? If the file has been ignored, it should still be there now. Paul. From nlam87346 at library.usyd.edu.au Thu Nov 20 09:03:03 2008 From: nlam87346 at library.usyd.edu.au (Nikolas Lam) Date: Thu, 20 Nov 2008 20:03:03 +1100 Subject: root vs system cron jobs (MLS_LEVEL) Message-ID: <1227171783.18998.105.camel@zaniah.library.usyd.edu.au> Hi, On Fedora 9, we've got a symlink in /etc/cron.daily/ to /usr/local/bin/checkmailspool which ultimately tries to run /usr/sbin/postqueue -p. It works if you call it via the root user's crontab, but not when you put the script in /etc/cron.daily/. (I've included the sealert output below). When called by the "system" cron (in which the denial occurs) id -Z output is system_u:system_r:system_crond_t:s0-s0:c0.c1023 OTOH, the root cron (which works) shows root:unconfined_r:unconfined_t:s0-s0:c0.c1023 I've just read crontab(5), which mentions setting MLS_LEVEL on the first line of the crontab, but it seems to suggest that this would apply (perhaps unnecessarily) to all the jobs run in that crontab. What's the recommended method to get this one script working from within /etc/cron.daily/?
Regards, Nik Lam Summary: SELinux is preventing postqueue (postfix_postqueue_t) "connectto" to /var/spool/postfix/public/showq (unconfined_t). Detailed Description: SELinux denied access requested by postqueue. It is not expected that this access is required by postqueue and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Target Objects /var/spool/postfix/public/showq [ unix_stream_socket ] Source postqueue Source Path /usr/sbin/postqueue Port Host replaced.example.com Source RPM Packages postfix-2.5.5-1.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-107.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name replaced.example.com Platform Linux replaced.example.com 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686 Alert Count 38 First Seen Tue Nov 4 05:04:42 2008 Last Seen Thu Nov 20 05:04:42 2008 Local ID f5f4066b-d167-44ca-9c00-afd71f485225 Line Numbers Raw Audit Messages host=replaced.example.com type=AVC msg=audit(1227117882.675:17773): avc: denied { connectto } for pid=15651 comm="postqueue" path="/var/spool/postfix/public/showq" scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket host=replaced.example.com type=SYSCALL msg=audit(1227117882.675:17773):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa89e00 a2=b808eff4 a3=bfa89e6a items=0 ppid=15647 pid=15651 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=90 sgid=90 fsgid=90 tty=(none) ses=2419 comm="postqueue" exe="/usr/sbin/postqueue" subj=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 key=(null)

From dwalsh at redhat.com Thu Nov 20 13:31:47 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 20 Nov 2008 08:31:47 -0500
Subject: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
In-Reply-To: <926395.1943.qm@web52603.mail.re2.yahoo.com>
References: <926395.1943.qm@web52603.mail.re2.yahoo.com>
Message-ID: <492566C3.70306@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> npviewer is causing lots of trouble. Firefox freezes and I have to kill it/terminate it and restart it just to post :(
>
> What should I do, I have filed bugs on this several times :(
>
> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.548:6): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.659:7): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.694:8): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.732:9): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.764:10): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.790:11): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.816:12): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.841:13): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
> Nov 19 07:14:02 localhost kernel: __ratelimit: 42 callbacks suppressed
> Nov 19 07:14:02 localhost kernel: type=1400 audit(1227100442.317:28): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>
> Thanks,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Are you using mozplugin? If yes, and you want to continue to use it, you should turn off nsplugin protection. Mozplugger runs tools like openoffice under nsplugin and openoffice can not run properly if confined by nsplugin.

setsebool -P allow_unconfined_nsplugin_transition 0

Or you can remove mozplugger

rpm -e mozplugger

In either case you need to restart firefox.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkklZsMACgkQrlYvE4MpobMuNQCgviQtvgYRjYjOYdvrwIYAyaQl
U3oAoKMhVBY3ASZ3XQ82oke/Mlp126Z8
=2pV8
-----END PGP SIGNATURE-----

From olivares14031 at yahoo.com Thu Nov 20 13:38:06 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 20 Nov 2008 05:38:06 -0800 (PST)
Subject: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
In-Reply-To: <492566C3.70306@redhat.com>
Message-ID: <478288.9346.qm@web52607.mail.re2.yahoo.com>

--- On Thu, 11/20/08, Daniel J Walsh wrote:

> From: Daniel J Walsh
> Subject: Re: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
> To: olivares14031 at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Thursday, November 20, 2008, 5:31 AM
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Antonio Olivares wrote:
>> Dear fellow selinux experts,
>>
>> npviewer is causing lots of trouble. Firefox freezes and I have to kill it/terminate it and restart it just to post :(
>>
>> What should I do, I have filed bugs on this several times :(
>>
>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.548:6): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.659:7): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.694:8): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.732:9): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.764:10): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.790:11): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.816:12): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.841:13): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>> Nov 19 07:14:02 localhost kernel: __ratelimit: 42 callbacks suppressed
>> Nov 19 07:14:02 localhost kernel: type=1400 audit(1227100442.317:28): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>
>> Thanks,
>>
>> Antonio
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> Are you using mozplugin?

[root at localhost ~]# rpm -qa mozplugger
[root at localhost ~]# rpm -qa mozplugger*
[root at localhost ~]#

> If yes, and you want to continue to use it, you should turn off nsplugin protection. Mozplugger runs tools like openoffice under nsplugin and openoffice can not run properly if confined by nsplugin.
>
> setsebool -P allow_unconfined_nsplugin_transition 0
>
> Or you can remove mozplugger
>
> rpm -e mozplugger
>
> In either case you need to restart firefox.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkklZsMACgkQrlYvE4MpobMuNQCgviQtvgYRjYjOYdvrwIYAyaQl
> U3oAoKMhVBY3ASZ3XQ82oke/Mlp126Z8
> =2pV8
> -----END PGP SIGNATURE-----

I will try the fix:
setsebool -P allow_unconfined_nsplugin_transition 0

Hopefully this goes away :)

Regards,

Antonio

From dwalsh at redhat.com Thu Nov 20 16:23:34 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 20 Nov 2008 11:23:34 -0500
Subject: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
In-Reply-To: <478288.9346.qm@web52607.mail.re2.yahoo.com>
References: <478288.9346.qm@web52607.mail.re2.yahoo.com>
Message-ID: <49258F06.10008@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> --- On Thu, 11/20/08, Daniel J Walsh wrote:
>
>> From: Daniel J Walsh
>> Subject: Re: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
>> To: olivares14031 at yahoo.com
>> Cc: fedora-selinux-list at redhat.com
>> Date: Thursday, November 20, 2008, 5:31 AM
>> Antonio Olivares wrote:
>>> Dear fellow selinux experts,
>>>
>>> npviewer is causing lots of trouble. Firefox freezes and I have to kill it/terminate it and restart it just to post :(
>>> What should I do, I have filed bugs on this several times :(
>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.548:6): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.659:7): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.694:8): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.732:9): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.764:10): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.790:11): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.816:12): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.841:13): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>> Nov 19 07:14:02 localhost kernel: __ratelimit: 42 callbacks suppressed
>>> Nov 19 07:14:02 localhost kernel: type=1400 audit(1227100442.317:28): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>
>>> Thanks,
>>>
>>> Antonio
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>> Are you using mozplugin?
>
> [root at localhost ~]# rpm -qa mozplugger
> [root at localhost ~]# rpm -qa mozplugger*
> [root at localhost ~]#
>
>> If yes, and you want to continue to use it, you should turn off nsplugin protection. Mozplugger runs tools like openoffice under nsplugin and openoffice can not run properly if confined by nsplugin.
>>
>> setsebool -P allow_unconfined_nsplugin_transition 0
>>
>> Or you can remove mozplugger
>>
>> rpm -e mozplugger
>>
>> In either case you need to restart firefox.
>>
> I will try the fix: setsebool -P allow_unconfined_nsplugin_transition 0
> Hopefully this goes away :)
> Regards,
> Antonio
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Did you label firefox as execmem_exec_t?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkljwYACgkQrlYvE4MpobMIgACfWxBolOA2eyi1EWR6R6XPUOTq
byAAoIE2lg93S10+tZmSZmtz8bAiMSq9
=FGVB
-----END PGP SIGNATURE-----

From tibbs at math.uh.edu Thu Nov 20 17:23:49 2008
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 20 Nov 2008 11:23:49 -0600
Subject: Selinux issues in user-compiled code
Message-ID:

A while back I made the decision to enable selinux on all of my user desktops. It hasn't really been all that painful; generally the issues I have are with proprietary software, essentially all of which it seems has one issue or another.

This morning I received the following question from a user:

-----
Can you explain why I often get a linker error:

"cannot restore segment prot after reloc: Permission denied"

running code I've built in my home directory. But then if I rerun once or twice it will execute properly. It's not always the same library that the linker complains about....
-----

Unfortunately I don't really know how to answer. I can handle selinux at a system level, because if I know some program has an issue I can just change a file context and things work. But I've no idea how to deal with code that users might compile, or where to point them for info in writing code that doesn't have these issues.
 - J<

From dwalsh at redhat.com Thu Nov 20 19:49:08 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 20 Nov 2008 14:49:08 -0500
Subject: Selinux issues in user-compiled code
In-Reply-To:
References:
Message-ID: <4925BF34.5050708@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason L Tibbitts III wrote:
> A while back I made the decision to enable selinux on all of my user
> desktops. It hasn't really been all that painful; generally the
> issues I have are with proprietary software, essentially all of which
> it seems has one issue or another.
>
> This morning I received the following question from a user:
>
> -----
> Can you explain why I often get a linker error:
>
> "cannot restore segment prot after reloc: Permission denied"
>
> running code I've built in my home directory. But then if I rerun once
> or twice it will execute properly. It's not always the same library
> that the linker complains about....
> -----
>
> Unfortunately I don't really know how to answer. I can handle selinux
> at a system level, because if I know some program has an issue I can
> just change a file context and things work. But I've no idea how to
> deal with code that users might compile, or where to point them for
> info in writing code that doesn't have these issues.
>
> - J<
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This means you have an execmod or execmem problem in your code. You might have a library that was built incorrectly missing -PIC ?

http://people.redhat.com/~drepper/selinux-mem.html
http://danwalsh.livejournal.com/6117.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkklvzQACgkQrlYvE4MpobO95wCgld4420fozCsyegcojTcYZiK+
Gj8AoNLYrDQPYpxdprJuHgryIwXrNKSE
=fx+2
-----END PGP SIGNATURE-----

From olivares14031 at yahoo.com Thu Nov 20 22:05:51 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 20 Nov 2008 14:05:51 -0800 (PST)
Subject: selinux is denying iptables, how can I get the dhcp server working
Message-ID: <275904.14456.qm@web52606.mail.re2.yahoo.com>

Dear all,

After I got the rules and many things down, now selinux comes in and denies iptables

http://fcp.surfsite.org/modules/newbb/viewtopic.php?topic_id=64110&forum=12

https://www.redhat.com/archives/fedora-list/2008-November/msg01208.html

https://www.redhat.com/archives/fedora-list/2008-November/msg01640.html

I see the following:

type=1400 audit(1227217617.326:6): avc: denied { write } for pid=10490 comm="iptables-save" path="/etc/sysconfig/iptables" dev=dm-0 ino=28345626 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

Thanks,

Antonio

From olivares14031 at yahoo.com Thu Nov 20 22:11:35 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 20 Nov 2008 14:11:35 -0800 (PST)
Subject: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
In-Reply-To: <49258F06.10008@redhat.com>
Message-ID: <849488.89494.qm@web52607.mail.re2.yahoo.com>

--- On Thu, 11/20/08, Daniel J Walsh wrote:

> From: Daniel J Walsh
> Subject: Re: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
> To: olivares14031 at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Thursday, November 20, 2008, 8:23 AM
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Antonio Olivares wrote:
>> --- On Thu, 11/20/08, Daniel J Walsh wrote:
>>
>>> From: Daniel J Walsh
>>> Subject: Re: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
>>> To: olivares14031 at yahoo.com
>>> Cc: fedora-selinux-list at redhat.com
>>> Date: Thursday, November 20, 2008, 5:31 AM
>>> Antonio Olivares wrote:
>>>> Dear fellow selinux experts,
>>>>
>>>> npviewer is causing lots of trouble. Firefox freezes and I have to kill it/terminate it and restart it just to post :(
>>>> What should I do, I have filed bugs on this several times :(
>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.548:6): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.659:7): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.694:8): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.732:9): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.764:10): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.790:11): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.816:12): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.841:13): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>> Nov 19 07:14:02 localhost kernel: __ratelimit: 42 callbacks suppressed
>>>> Nov 19 07:14:02 localhost kernel: type=1400 audit(1227100442.317:28): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>
>>>> Thanks,
>>>>
>>>> Antonio
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>> Are you using mozplugin?
>>
>> [root at localhost ~]# rpm -qa mozplugger
>> [root at localhost ~]# rpm -qa mozplugger*
>> [root at localhost ~]#
>>
>>> If yes, and you want to continue to use it, you should turn off nsplugin protection. Mozplugger runs tools like openoffice under nsplugin and openoffice can not run properly if confined by nsplugin.
>>>
>>> setsebool -P allow_unconfined_nsplugin_transition 0
>>>
>>> Or you can remove mozplugger
>>>
>>> rpm -e mozplugger
>>>
>>> In either case you need to restart firefox.
>>>
>> I will try the fix: setsebool -P allow_unconfined_nsplugin_transition 0
>> Hopefully this goes away :)
>> Regards,
>> Antonio
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> Did you label firefox as execmem_exec_t?

No! How would I do that? I have not messed with anything other than updating the flash plugin through yum directly from Adobe :(

Here's something else that I see:

npviewer.bin[7578] general protection ip:1168f8c sp:bfca8b00 error:0 in libflashplayer.so[dfd000+951000]
npviewer.bin[9952] general protection ip:1168f8c sp:bfc4f2b0 error:0 in libflashplayer.so[dfd000+951000]

Thanks,

Antonio

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkkljwYACgkQrlYvE4MpobMIgACfWxBolOA2eyi1EWR6R6XPUOTq
> byAAoIE2lg93S10+tZmSZmtz8bAiMSq9
> =FGVB
> -----END PGP SIGNATURE-----

From dwalsh at redhat.com Fri Nov 21 13:15:19 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 21 Nov 2008 08:15:19 -0500
Subject: selinux is denying iptables, how can I get the dhcp server working
In-Reply-To: <275904.14456.qm@web52606.mail.re2.yahoo.com>
References: <275904.14456.qm@web52606.mail.re2.yahoo.com>
Message-ID: <4926B467.9070104@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear all,
>
> After I got the rules and many things down, now selinux comes in and denies iptables
>
> http://fcp.surfsite.org/modules/newbb/viewtopic.php?topic_id=64110&forum=12
>
> https://www.redhat.com/archives/fedora-list/2008-November/msg01208.html
>
> https://www.redhat.com/archives/fedora-list/2008-November/msg01640.html
>
> I see the following:
>
> type=1400 audit(1227217617.326:6): avc: denied { write } for pid=10490 comm="iptables-save" path="/etc/sysconfig/iptables" dev=dm-0 ino=28345626 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
>
>
> Thanks,
>
> Antonio
>
>
>
>
It works for me. My file is being saved to /etc/sysconfig/iptables.save though? Did you change the config?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkmtGcACgkQrlYvE4MpobNFCACbB/mYpP33brGDwFs7utmR6P6H
ZFcAoKtyO3lgz295dANLaHl7j/XUkBIg
=PlPa
-----END PGP SIGNATURE-----

From cra at WPI.EDU Fri Nov 21 14:11:33 2008
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 21 Nov 2008 09:11:33 -0500
Subject: restorecon isn't restoring what matchpathcon shows
Message-ID: <20081121141133.GA20122@angus.ind.WPI.EDU>

There are a bunch of files and directories in my F10 home dirs that have type unconfined_u:object_r:user_home_t, but matchpathcon says they are supposed to be system_u:object_r:user_home_t. I tried to run restorecon but it isn't changing the type:

[root at l 9:06:49 /home/install]#matchpathcon /home/install/Templates
/home/install/Templates system_u:object_r:user_home_t:s0
[root at l 9:06:51 /home/install]#ls -lZd Templates
drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 Templates/
[root at l 9:06:56 /home/install]#restorecon -R Templates
[root at l 9:07:07 /home/install]#ls -lZd Templates
drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 Templates/

[root at l 9:07:10 /home/install]#su - install
[install at l ~]$ restorecon -R .
[install at l ~]$ restorecon -R Templates/
[install at l ~]$ logout
[root at l 9:08:23 /home/install]#ls -lZd Templates
drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 Templates/

Why does this happen?

From paul at city-fan.org Fri Nov 21 14:20:49 2008
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 21 Nov 2008 14:20:49 +0000
Subject: restorecon isn't restoring what matchpathcon shows
In-Reply-To: <20081121141133.GA20122@angus.ind.WPI.EDU>
References: <20081121141133.GA20122@angus.ind.WPI.EDU>
Message-ID: <4926C3C1.3070807@city-fan.org>

Chuck Anderson wrote:
> There are a bunch of files and directories in my F10 home dirs that
> have type unconfined_u:object_r:user_home_t, but matchpathcon says
> they are supposed to be system_u:object_r:user_home_t. I tried to run
> restorecon but it isn't changing the type:
>
> [root at l 9:06:49 /home/install]#matchpathcon /home/install/Templates
> /home/install/Templates system_u:object_r:user_home_t:s0
> [root at l 9:06:51 /home/install]#ls -lZd Templates
> drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 Templates/
> [root at l 9:06:56 /home/install]#restorecon -R Templates
> [root at l 9:07:07 /home/install]#ls -lZd Templates
> drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 Templates/
>
> [root at l 9:07:10 /home/install]#su - install
> [install at l ~]$ restorecon -R .
> [install at l ~]$ restorecon -R Templates/
> [install at l ~]$ logout
> [root at l 9:08:23 /home/install]#ls -lZd Templates
> drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 Templates/
>
> Why does this happen?

restorecon doesn't change the user part of a context unless you use -F.

Paul.
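The script below is an added example, not code from this list or from the SELinux userspace tools. It parses the AVC denials quoted in the npviewer and iptables threads above into their fields (permissions, source and target context, object class), collapses the repeated npviewer records into one count per distinct denial, and reproduces the restorecon rule Paul describes for Chuck's Templates directory: a context that differs from the matchpathcon default only in its user part is left alone unless the run is forced. The `Context`, `parse_avc`, `summarize` and `needs_relabel` names are mine; the sample log lines are copied from the messages above.

```python
"""Parse SELinux AVC denials and compare file contexts the way restorecon does.

Added example for this thread; not code from the list or from policycoreutils.
The sample records below are copied from the messages above.  The relabel rule
mirrors the thread: without -F restorecon compares only the type, with -F
(force=True) the whole context must match.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context user:role:type[:level]."""
    user: str
    role: str
    type: str
    level: str = ""  # MLS/MCS range; empty on systems without one

    @classmethod
    def parse(cls, text):
        # maxsplit=3 keeps the colons inside the range (s0-s0:c0.c1023) intact
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"not a security context: {text!r}")
        return cls(*parts)


AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "scontext": Context.parse(fields["scontext"]),
        "tcontext": Context.parse(fields["tcontext"]),
    }


def summarize(lines):
    """Count denials by (comm, source type, target type, class, perms)."""
    counts = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["scontext"].type, rec["tcontext"].type,
               rec["tclass"], " ".join(rec["perms"]))
        counts[key] = counts.get(key, 0) + 1
    return counts


def needs_relabel(current, expected, force=False):
    """Would restorecon rewrite this label?

    By default only the type is compared, so a user-only difference such as
    unconfined_u vs system_u is ignored.  force=True corresponds to restorecon -F.
    """
    cur, exp = Context.parse(current), Context.parse(expected)
    return cur != exp if force else cur.type != exp.type


# Records copied from the thread: two of the npviewer.bin denials, the
# rate-limit notice, and the iptables-save denial.
SAMPLE_LOG = [
    'Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem',
    'Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.548:6): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem',
    'Nov 19 07:14:02 localhost kernel: __ratelimit: 42 callbacks suppressed',
    'type=1400 audit(1227217617.326:6): avc: denied { write } for pid=10490 comm="iptables-save" path="/etc/sysconfig/iptables" dev=dm-0 ino=28345626 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}x {key}")
    # Chuck's Templates directory: the user differs, the type already matches.
    have = "unconfined_u:object_r:user_home_t:s0"
    want = "system_u:object_r:user_home_t:s0"
    print("restorecon   :", needs_relabel(have, want))        # False
    print("restorecon -F:", needs_relabel(have, want, True))  # True
```

The summary collapses the nine identical npviewer.bin records into a single line, which is what you want to look at before deciding whether a denial is one misbehaving plugin or many; the rate-limit line is skipped rather than mis-parsed. The `needs_relabel` check is the reason Chuck's `restorecon -R` was a no-op: the type already matched, and only `-F` resets the user portion.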
From sds at tycho.nsa.gov Fri Nov 21 14:20:57 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 21 Nov 2008 09:20:57 -0500 Subject: restorecon isn't restoring what matchpathcon shows In-Reply-To: <20081121141133.GA20122@angus.ind.WPI.EDU> References: <20081121141133.GA20122@angus.ind.WPI.EDU> Message-ID: <1227277257.7319.28.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2008-11-21 at 09:11 -0500, Chuck Anderson wrote: > There are a bunch of files and directories in my F10 home dirs that > have type unconfined_u:object_r:user_home_t, but matchpathcon says > they are supposed to be system_u:object_r:user_home_t. I tried to run > restorecon but it isn't changing the type: > > [root at l 9:06:49 /home/install]#matchpathcon /home/install/Templates > /home/install/Templates system_u:object_r:user_home_t:s0 > [root at l 9:06:51 /home/install]#ls -lZd Templates > drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 > Templates/ > [root at l 9:06:56 /home/install]#restorecon -R Templates > [root at l 9:07:07 /home/install]#ls -lZd Templates > drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 > Templates/ > > [root at l 9:07:10 /home/install]#su - install > [install at l ~]$ restorecon -R . > [install at l ~]$ restorecon -R Templates/ > [install at l ~]$ logout > [root at l 9:08:23 /home/install]#ls -lZd Templates > drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 > Templates/ > > Why does this happen? The type is correct; only the user is wrong. restorecon ignores differences in the user by default. restorecon -F if you truly care. -- Stephen Smalley National Security Agency From elihusmails at gmail.com Fri Nov 21 17:08:48 2008 From: elihusmails at gmail.com (Elihu Smails) Date: Fri, 21 Nov 2008 12:08:48 -0500 Subject: Installing MLS policy on Fedora 9 Message-ID: <9f066ee90811210908q22369e9fm77a4f21132cff6ea@mail.gmail.com> I have installed Fedora 9 and wanted to install the MLS Policy. I performed the following steps: 1. 
Install Fedora 9 2. Install Patches 3. Reboot 4. yum install -y selinux-policy-mls 5. Open /etc/selinux/config and change the following: SELINUX=enforcing SELINUXTYPE=targeted to SELINUX=permissive SELINUXTYPE=mls 6. touch /.autorelabel 7. Reboot. The relabelling works fine 8. Set SELINUX to enforcing in /etc/selinux/config 9. Reboot. I get many error messages about the file system and it drops me into a single user shell. Can someone please tell me what the proper steps are. Thank you. From sds at tycho.nsa.gov Fri Nov 21 18:38:33 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 21 Nov 2008 13:38:33 -0500 Subject: Installing MLS policy on Fedora 9 In-Reply-To: <9f066ee90811210908q22369e9fm77a4f21132cff6ea@mail.gmail.com> References: <9f066ee90811210908q22369e9fm77a4f21132cff6ea@mail.gmail.com> Message-ID: <1227292713.7319.40.camel@moss-spartans.epoch.ncsc.mil> On Fri, 2008-11-21 at 12:08 -0500, Elihu Smails wrote: > I have installed Fedora 9 and wanted to install the MLS Policy. I > performed the following steps: > > 1. Install Fedora 9 > 2. Install Patches > 3. Reboot > 4. yum install -y selinux-policy-mls > 5. Open /etc/selinux/config and change the following: > SELINUX=enforcing > SELINUXTYPE=targeted > > to > > SELINUX=permissive > SELINUXTYPE=mls > > 6. touch /.autorelabel > 7. Reboot. The relabelling works fine > 8. Set SELINUX to enforcing in /etc/selinux/config > 9. Reboot. I get many error messages about the file system and it > drops me into a single user shell. > > Can someone please tell me what the proper steps are. I think we'd have to see the details of the errors, but the LSPP configuration only covers a subset of the system and of course was for a specific set of RHEL5 packages. If you boot permissive instead, what avc messages do you get? 
-- 
Stephen Smalley
National Security Agency

From cra at WPI.EDU Fri Nov 21 19:21:42 2008
From: cra at WPI.EDU (Chuck Anderson)
Date: Fri, 21 Nov 2008 14:21:42 -0500
Subject: restorecon isn't restoring what matchpathcon shows
In-Reply-To: <1227277257.7319.28.camel@moss-spartans.epoch.ncsc.mil>
References: <20081121141133.GA20122@angus.ind.WPI.EDU> <1227277257.7319.28.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <20081121192142.GA23648@angus.ind.WPI.EDU>

> > [root at l 9:08:23 /home/install]#ls -lZd Templates
> > drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 Templates/
> >
> > Why does this happen?
>
> The type is correct; only the user is wrong. restorecon ignores
> differences in the user by default. restorecon -F if you truly care.

Thanks for the clarification. I'm sure I got tripped up by this before...

I was getting lots of SELinux alerts related to /home//.{gconf,ssh,...} dotfiles.

From dwalsh at redhat.com Fri Nov 21 20:00:10 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 21 Nov 2008 15:00:10 -0500
Subject: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
In-Reply-To: <849488.89494.qm@web52607.mail.re2.yahoo.com>
References: <849488.89494.qm@web52607.mail.re2.yahoo.com>
Message-ID: <4927134A.2090804@redhat.com>

Antonio Olivares wrote:
> --- On Thu, 11/20/08, Daniel J Walsh wrote:
>
>> From: Daniel J Walsh
>> Subject: Re: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
>> To: olivares14031 at yahoo.com
>> Cc: fedora-selinux-list at redhat.com
>> Date: Thursday, November 20, 2008, 8:23 AM
>> Antonio Olivares wrote:
>>>> --- On Thu, 11/20/08, Daniel J Walsh wrote:
>>>>> From: Daniel J Walsh
>>>>> Subject: Re: Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
>>>>> To: olivares14031 at yahoo.com
>>>>> Cc: fedora-selinux-list at redhat.com
>>>>> Date: Thursday, November 20, 2008, 5:31 AM
>>>> Antonio Olivares wrote:
>>>>>>> Dear fellow selinux experts,
>>>>>>>
>>>>>>> npviewer is causing lots of trouble. Firefox freezes and I have to kill it/terminate it and restart it just to post :(
>>>>>>> What should I do, I have filed bugs on this several times :(
>>>>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.548:6): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.659:7): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.694:8): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.732:9): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.764:10): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.790:11): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.816:12): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.841:13): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Nov 19 07:14:02 localhost kernel: __ratelimit: 42 callbacks suppressed
>>>>>>> Nov 19 07:14:02 localhost kernel: type=1400 audit(1227100442.317:28): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Antonio
>>>>>>>
>>>>>>> --
>>>>>>> fedora-selinux-list mailing list
>>>>>>> fedora-selinux-list at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>> Are you using mozplugin?
>>>>
>>>>> [root at localhost ~]# rpm -qa mozplugger
>>>>> [root at localhost ~]# rpm -qa mozplugger*
>>>>> [root at localhost ~]#
>>>> If yes, and you want to continue to use it, you should turn off nsplugin protection. Mozplugger runs tools like openoffice under nsplugin and openoffice can not run properly if confined by nsplugin.
>>>>
>>>> setsebool -P allow_unconfined_nsplugin_transition 0
>>>>
>>>> Or you can remove mozplugger
>>>>
>>>> rpm -e mozplugger
>>>>
>>>> In either case you need to restart firefox.
>>>>
>>>> I will try the fix: setsebool -P allow_unconfined_nsplugin_transition 0
>>>> Hopefully this goes away :)
>>>> Regards,
>>>> Antonio
>
> Did you label firefox as execmem_exec_t?
>
>> No! How would I do that? I have not messed with anything other than updating the flash plugin through yum directly from Adobe :(
>
>> Here's something else that I see:
>
>> npviewer.bin[7578] general protection ip:1168f8c sp:bfca8b00 error:0 in libflashplayer.so[dfd000+951000]
>> npviewer.bin[9952] general protection ip:1168f8c sp:bfc4f2b0 error:0 in libflashplayer.so[dfd000+951000]
>
>> Thanks,
>
>> Antonio

What avc are you getting now?
From dwalsh at redhat.com Fri Nov 21 20:03:46 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 21 Nov 2008 15:03:46 -0500
Subject: restorecon isn't restoring what matchpathcon shows
In-Reply-To: <20081121192142.GA23648@angus.ind.WPI.EDU>
References: <20081121141133.GA20122@angus.ind.WPI.EDU> <1227277257.7319.28.camel@moss-spartans.epoch.ncsc.mil> <20081121192142.GA23648@angus.ind.WPI.EDU>
Message-ID: <49271422.9010604@redhat.com>

Chuck Anderson wrote:
>>> [root at l 9:08:23 /home/install]#ls -lZd Templates
>>> drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0 Templates/
>>>
>>> Why does this happen?
>> The type is correct; only the user is wrong. restorecon ignores
>> differences in the user by default. restorecon -F if you truly care.
>
> Thanks for the clarification. I'm sure I got tripped up by this before...
>
> I was getting lots of SELinux alerts related to /home//.{gconf,ssh,...} dotfiles.

These were probably related to nsplugin_t, which requires the homedir to be labeled correctly. You can use restorecond to help you manage this.

User component of selinux context is pretty much ignored in targeted policy.
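The restorecon behaviour discussed in this thread, as an added example (not code from the list or from restorecon itself): a small model of how the on-disk context from `ls -Z` is compared with the `matchpathcon` default. It follows the restorecon man page, where plain `restorecon` only resets the type and `-F` also resets user, role and range; the Context class and function names are this example's own.

```python
"""Model of restorecon's context comparison (added example, not restorecon's
own code). Per the restorecon man page, without -F only the type component is
compared and changed, so a context that differs solely in the SELinux user
(unconfined_u vs system_u, as in the thread above) is left alone; with -F the
full default context from the file_contexts is applied."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Context:
    """user:role:type[:range]; the MLS/MCS range is optional."""
    user: str
    role: str
    type: str
    range: Optional[str] = None

    @classmethod
    def parse(cls, text: str) -> "Context":
        parts = text.split(":", 3)
        if len(parts) < 3 or not all(parts[:3]):
            raise ValueError(f"not a SELinux context: {text!r}")
        return cls(parts[0], parts[1], parts[2],
                   parts[3] if len(parts) == 4 else None)

    def __str__(self) -> str:
        fields = [self.user, self.role, self.type]
        if self.range is not None:
            fields.append(self.range)
        return ":".join(fields)


def differing_fields(actual: Context, expected: Context) -> FrozenSet[str]:
    """Names of the components that differ between the two contexts."""
    return frozenset(
        name for name in ("user", "role", "type", "range")
        if getattr(actual, name) != getattr(expected, name)
    )


def restored_context(actual_text: str, expected_text: str,
                     force: bool = False) -> str:
    """Return the context restorecon would leave on the file.

    Without force (plain `restorecon`) only the type is reset and the file's
    existing user, role and range are kept; with force (`restorecon -F`) the
    whole default context is applied.
    """
    actual = Context.parse(actual_text)
    expected = Context.parse(expected_text)
    if force:
        return str(expected)
    if actual.type == expected.type:
        return str(actual)  # nothing restorecon considers wrong
    return str(Context(actual.user, actual.role, expected.type, actual.range))


def would_relabel(actual_text: str, expected_text: str,
                  force: bool = False) -> bool:
    """True if restorecon (with or without -F) would rewrite the context."""
    return restored_context(actual_text, expected_text, force) != actual_text


if __name__ == "__main__":
    on_disk = "unconfined_u:object_r:user_home_t:s0"  # what ls -lZd showed
    default = "system_u:object_r:user_home_t:s0"      # what matchpathcon showed
    print("differs in:", sorted(differing_fields(Context.parse(on_disk),
                                                 Context.parse(default))))
    for force in (False, True):
        cmd = "restorecon -F" if force else "restorecon"
        print(f"{cmd:14} -> {restored_context(on_disk, default, force)}")
```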
From frankly3d at fedoraproject.org Sat Nov 22 09:25:19 2008
From: frankly3d at fedoraproject.org (Frank Murphy)
Date: Sat, 22 Nov 2008 09:25:19 +0000
Subject: F10 Logwatch and avc(s) long post
Message-ID: <4927CFFF.1020301@fedoraproject.org>

------------A snip from the logwatch included at end-----------------

Summary:

SELinux is preventing netstat (logwatch_t) "search" to (sysctl_net_t).

Detailed Description:

SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ,

restorecon -v ''

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                None [ dir ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          
Host                          frank-01
Source RPM Packages           net-tools-1.60-91.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     frank-01
Platform                      Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   4
First Seen                    Sat 22 Nov 2008 09:17:13 GMT
Last Seen                     Sat 22 Nov 2008 09:17:13 GMT
Local ID                      144ff94f-abf9-47ba-8ab6-bda6cceb41e8
Line Numbers                  

Raw Audit Messages

node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied { search } for pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

node=frank-01 type=SYSCALL msg=audit(1227345433.820:48): arch=40000003 syscall=33 success=no exit=-13 a0=805f195 a1=4 a2=ffffffff a3=8064020 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)


Summary:

SELinux is preventing netstat (logwatch_t) "read" to ./unix (proc_net_t).

Detailed Description:

SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./unix,

restorecon -v './unix'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                ./unix [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          
Host                          frank-01
Source RPM Packages           net-tools-1.60-91.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     frank-01
Platform                      Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   2
First Seen                    Sat 22 Nov 2008 09:17:13 GMT
Last Seen                     Sat 22 Nov 2008 09:17:13 GMT
Local ID                      c323266d-4b2a-4e47-9b13-eeb640939573
Line Numbers                  

Raw Audit Messages

node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied { read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

node=frank-01 type=SYSCALL msg=audit(1227345433.820:45): arch=40000003 syscall=33 success=no exit=-13 a0=805c8b9 a1=4 a2=ffffffff a3=8064360 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)


Summary:

SELinux is preventing netstat (logwatch_t) "read" to ./if_inet6 (proc_net_t).

Detailed Description:

SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./if_inet6,

restorecon -v './if_inet6'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                ./if_inet6 [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          
Host                          frank-01
Source RPM Packages           net-tools-1.60-91.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     frank-01
Platform                      Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   4
First Seen                    Sat 22 Nov 2008 09:17:13 GMT
Last Seen                     Sat 22 Nov 2008 09:17:13 GMT
Local ID                      9de63b84-aff8-4a49-bc45-510abd4637b3
Line Numbers                  

Raw Audit Messages

node=frank-01 type=AVC msg=audit(1227345433.820:46): avc: denied { read } for pid=4085 comm="netstat" name="if_inet6" dev=proc ino=4026532168 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

node=frank-01 type=SYSCALL msg=audit(1227345433.820:46): arch=40000003 syscall=33 success=no exit=-13 a0=805f29e a1=4 a2=ffffffff a3=8064180 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)


Summary:

SELinux is preventing netstat (logwatch_t) "read" to ./dev (proc_net_t).

Detailed Description:

SELinux denied access requested by netstat. It is not expected that this access is required by netstat and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./dev,

restorecon -v './dev'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                ./dev [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          
Host                          frank-01
Source RPM Packages           net-tools-1.60-91.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     frank-01
Platform                      Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   6
First Seen                    Sat 22 Nov 2008 09:17:13 GMT
Last Seen                     Sat 22 Nov 2008 09:17:13 GMT
Local ID                      44eb7259-6162-4669-9b01-b5d48a63aaa5
Line Numbers                  

Raw Audit Messages

node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied { read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

node=frank-01 type=SYSCALL msg=audit(1227345433.855:51): arch=40000003 syscall=5 success=no exit=-13 a0=805ff47 a1=0 a2=1b6 a3=0 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)


Logwatch:
--------------------- Network Report Begin ------------------------

Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.

------------- Network Interfaces ---------------

Ethernet : 1
Other    : 1
Total    : 2

------------- Ethernet -------------------------

eth1      Link encap:Ethernet  HWaddr 00:19:E0:7A:40:4C

------------- Other ----------------------------

lo        Link encap:Local Loopback

------------- Network Interfaces ---------------


------------- Network statistics ---------------

1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:19:e0:7a:40:4c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::219:e0ff:fe7a:404c/64 scope link
       valid_lft forever preferred_lft forever

Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Iface   MTU    RX-ERR  TX-ERR
eth1    1500   no      BMRU
lo      16436  no      LRU

------------- Network statistics ---------------

---------------------- Network Report End -------------------------

-- 
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com

From dwalsh at redhat.com Sat Nov 22 13:01:27 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 22 Nov 2008 08:01:27 -0500
Subject: F10 Logwatch and avc(s) long post
In-Reply-To: <4927CFFF.1020301@fedoraproject.org>
References: <4927CFFF.1020301@fedoraproject.org>
Message-ID: <492802A7.80404@redhat.com>

Frank Murphy wrote:
> ------------A snip from the logwatch included at end-----------------
>
> Summary:
>
> SELinux is preventing netstat (logwatch_t) "search" to (sysctl_net_t).
>
> [...]
>
> node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied { search } for pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>
> [...]
>
> Logwatch:
> --------------------- Network Report Begin ------------------------
>
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
>
> [...]
>
> ---------------------- Network Report End -------------------------

So you have logwatch execing netstat? Do you know what script is doing this?
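The AVC records in this thread, parsed and aggregated as an added example (not code from the list, setroubleshoot or audit2allow): it reads raw audit lines in both the auditd `type=AVC msg=audit(...)` form and the kernel-log `type=1400 audit(...)` form, collapses the denials into (source type, target type, class) tuples with their permissions, renders them as audit2allow-style rules for review, and lists which program (`comm`) ran in each source domain, which is the question asked above. The sample log is constructed from lines quoted in this thread; all function names are this example's own.

```python
"""Parse SELinux AVC denials and summarise them per (source, target, class).
Added example for this thread; not setroubleshoot or audit2allow code."""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample input: AVC records quoted in this thread (auditd and
# kernel-log formats) plus one SYSCALL record, which is not an AVC and must
# be skipped by the parser.
SAMPLE_LOG = """\
node=frank-01 type=AVC msg=audit(1227345433.820:48): avc:  denied  { search } for  pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
node=frank-01 type=SYSCALL msg=audit(1227345433.820:48): arch=40000003 syscall=33 success=no exit=-13 a0=805f195 a1=4 a2=ffffffff a3=8064020 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
node=frank-01 type=AVC msg=audit(1227345433.820:45): avc:  denied  { read } for  pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=AVC msg=audit(1227345433.820:46): avc:  denied  { read } for  pid=4085 comm="netstat" name="if_inet6" dev=proc ino=4026532168 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=AVC msg=audit(1227345433.855:51): avc:  denied  { read } for  pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
"""

# "avc: denied { perm perm } for key=value ..." in either log format
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be double-quoted (comm, name, exe)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Key = Tuple[str, str, str]  # (source type, target type, object class)


def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC denial, or None for non-AVC or truncated lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated record, not usable for a summary
    fields["perms"] = frozenset(m.group("perms").split())
    # the third colon-separated component of a context is its type
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def summarize(lines: Iterable[str]) -> Dict[Key, FrozenSet[str]]:
    """Union the denied permissions per (source type, target type, class)."""
    acc: Dict[Key, set] = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            acc[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {key: frozenset(perms) for key, perms in acc.items()}


def allow_rules(summary: Dict[Key, FrozenSet[str]]) -> List[str]:
    """Render the summary as audit2allow-style allow rules (for review, not for
    loading blindly: the thread's alert text says the access may be unexpected)."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summary.items()
    )


def programs_by_domain(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Which executables (comm) were running in each source domain."""
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            seen[rec["stype"]].add(rec.get("comm", "?"))
    return {domain: sorted(comms) for domain, comms in seen.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rule in allow_rules(summarize(lines)):
        print(rule)
    print(programs_by_domain(lines))
```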
-- 
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From frankly3d at fedoraproject.org Sat Nov 22 13:10:44 2008
From: frankly3d at fedoraproject.org (Frank Murphy)
Date: Sat, 22 Nov 2008 13:10:44 +0000
Subject: F10 Logwatch and avc(s) long post
In-Reply-To: <492802A7.80404@redhat.com>
References: <4927CFFF.1020301@fedoraproject.org> <492802A7.80404@redhat.com>
Message-ID: <492804D4.1040304@fedoraproject.org>

Daniel J Walsh wrote:
>
> So you have logwatch execing netstat?  Do you know what script is doing
> this?

/usr/share/logwatch/default.conf/logwatch.conf pasted to:

The only real change is a #Service = "-zz-network", and Detail = Med

Frank

http://fpaste.org/paste/664

From cra at WPI.EDU Sat Nov 22 16:20:07 2008
From: cra at WPI.EDU (Chuck Anderson)
Date: Sat, 22 Nov 2008 11:20:07 -0500
Subject: F10 Logwatch and avc(s) long post
In-Reply-To: <492804D4.1040304@fedoraproject.org>
References: <4927CFFF.1020301@fedoraproject.org> <492802A7.80404@redhat.com> <492804D4.1040304@fedoraproject.org>
Message-ID: <20081122162007.GA4689@angus.ind.WPI.EDU>

On Sat, Nov 22, 2008 at 01:10:44PM +0000, Frank Murphy wrote:
> Daniel J Walsh wrote:
> >
> > So you have logwatch execing netstat?  Do you know what script is doing
> > this?
>
> /usr/share/logwatch/default.conf/logwatch.conf pasted to:
>
> The only real change is a #Service = "-zz-network", and Detail = Med

There are a few scripts that are disabled by default.  The "-zz-network"
means "disable the zz-network script".  By commenting that out, you are
reenabling the zz-network script.
Here are the services which are disabled by default which probably don't
have SELinux rules for them yet:

Service = "-zz-network"   # Prevents execution of zz-network service, which
                          # prints useful network configuration info.
Service = "-zz-sys"       # Prevents execution of zz-sys service, which
                          # prints useful system configuration info.
Service = "-eximstats"    # Prevents execution of eximstats service, which
                          # is a wrapper for the eximstats program.

The scripts that run when these are re-enabled are in
/usr/share/logwatch/scripts/services/.  From my reading of the zz-network
script, it calls the following programs:

/sbin/chkconfig
/usr/bin/vtysh
/usr/sbin/routeadm
/sbin/ip
netstat
ifconfig

and reads the following files:

/etc/sysctl.conf
/proc/sys/net/ipv4/ip_forward

From olivares14031 at yahoo.com Mon Nov 24 12:58:03 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 24 Nov 2008 04:58:03 -0800 (PST)
Subject: selinux denies iptables
Message-ID: <869098.24198.qm@web52603.mail.re2.yahoo.com>

Dear all,

I am still having trouble setting up the dhcp server because selinux denies iptables

type=1400 audit(1227530280.458:4): avc: denied { write } for pid=1430 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

Thanks in Advance,

Antonio

From dwalsh at redhat.com Mon Nov 24 13:27:12 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 24 Nov 2008 08:27:12 -0500
Subject: selinux denies iptables
In-Reply-To: <869098.24198.qm@web52603.mail.re2.yahoo.com>
References: <869098.24198.qm@web52603.mail.re2.yahoo.com>
Message-ID: <492AABB0.40400@redhat.com>

Antonio Olivares wrote:
> Dear all,
>
> I am still having trouble setting up the dhcp server because selinux denies iptables
>
> type=1400 audit(1227530280.458:4): avc: denied { write } for pid=1430 comm="ip6tables-resto" path="/0" dev=devpts ino=2
> scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>
> Thanks in Advance,
>
> Antonio

I would doubt this is actually blocking anything, but you can easily
customize policy by executing.

# grep iptables /var/log/audit/audit.log | audit2allow -M myiptables
# semodule -i myiptables.pp

I have added the above rules to the next update of F9/F10 policy.

From olivares14031 at yahoo.com Mon Nov 24 13:57:15 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 24 Nov 2008 05:57:15 -0800 (PST)
Subject: selinux denies iptables
In-Reply-To: <492AABB0.40400@redhat.com>
Message-ID: <30567.67367.qm@web52602.mail.re2.yahoo.com>

--- On Mon, 11/24/08, Daniel J Walsh wrote:
> From: Daniel J Walsh
> Subject: Re: selinux denies iptables
> To: olivares14031 at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Monday, November 24, 2008, 5:27 AM
>
> Antonio Olivares wrote:
> > Dear all,
> >
> > I am still having trouble setting up the dhcp server because selinux denies iptables
> >
> > type=1400 audit(1227530280.458:4): avc: denied { write } for pid=1430 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> >
> > Thanks in Advance,
> >
> > Antonio
>
> I would doubt this is actually blocking anything, but you can
> easily customize policy by executing.
>
> # grep iptables /var/log/audit/audit.log | audit2allow -M myiptables
> # semodule -i myiptables.pp
>
> I have added the above rules to the next update of F9/F10 policy.

[olivares at localhost ~]$ su -
Password:
[root at localhost ~]# grep iptables /var/log/audit/audit.log | audit2allow -M myiptables
compilation failed:
myiptables.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from myiptables.te
[root at localhost ~]#

what do I do now?

Thanks,

Antonio

From dwalsh at redhat.com Mon Nov 24 15:14:41 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 24 Nov 2008 10:14:41 -0500
Subject: GCL
In-Reply-To: <870180fe0811190958n50ae2da0qe0ddeb0fd89e70dc@mail.gmail.com>
References: <870180fe0811190958n50ae2da0qe0ddeb0fd89e70dc@mail.gmail.com>
Message-ID: <492AC4E1.3020909@redhat.com>

Jerry James wrote:
> Once upon a time on fedora-devel-list, Daniel J Walsh wrote:
>> +/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0)
>>
>> Will be in selinux-policy-3.5.13-19.fc10
>
> I've done some experimenting, and I think I need a couple of
> modifications to this.  First, it turns out that GCL needs both
> execmem and execheap permissions.  Do I need to create a gcl_exec_t
> type to combine those?
>
> Second, /usr/bin/gcl is just a shell script.  It does an exec of
> /usr/lib/gcl-%{version}/unixport/saved_ansi_gcl, which is the saved
> Lisp image, along with appropriate command line options.
> I don't expect permissions to persist across an exec (but tell me if I'm
> wrong), so I think I need the policy to mention the saved image
> instead of /usr/bin/gcl.  There are some problems associated with
> this:
>
Ok, is the GCL package available in Fedora?  This probably should be
opened as a bugzilla.  If gcl really needs execheap, we need to create a
new policy for it, since execmem_exec_t apps currently do not get this
and I really don't want to give them this.  I guess I would like to hear
Ulrich Drepper chime in on this need.

> 1) The /usr/lib prefix is used on both 32-bit and 64-bit platforms,
> which is bad.  I'll see if I can get that fixed, but it appears to
> require some code changes (i.e., not just makefile changes).
>
> 2) The GCL build process can produce multiple image files, with
> various combinations of options (such as profiling, ANSI vs. CLtL1
> support, a GUI, etc.).  Fedora has only ever shipped one image, but I
> can see an argument for producing a profiling version of the standard
> image and making /usr/bin/gcl choose between them based on command
> line arguments.  In any case, all of the image names start with
> "saved_".
>
> The upshot of all this is that, to make the policy future-proof, I
> really need the execmem + execheap permissions for all files that
> match this pattern:
>
> /usr/lib*/gcl-*/unixport/saved_*
>
> Is that okay?  If so, how do I proceed?  Thanks for helping out an
> SELinux newbie.
From dwalsh at redhat.com Mon Nov 24 15:22:24 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 24 Nov 2008 10:22:24 -0500
Subject: F10 Logwatch and avc(s) long post
In-Reply-To: <4927CFFF.1020301@fedoraproject.org>
References: <4927CFFF.1020301@fedoraproject.org>
Message-ID: <492AC6B0.2060506@redhat.com>

Frank Murphy wrote:
> ------------A snip from the logwatch included at end-----------------
>
> Summary:
>
> SELinux is preventing netstat (logwatch_t) "search" to (sysctl_net_t).
>
> Detailed Description:
>
> SELinux denied access requested by netstat. It is not expected that this
> access is required by netstat and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for ,
>
> restorecon -v ''
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> Additional Information:
>
> Source Context          system_u:system_r:logwatch_t:s0
> Target Context          system_u:object_r:sysctl_net_t:s0
> Target Objects          None [ dir ]
> Source                  ifconfig
> Source Path             /sbin/ifconfig
> Port
> Host                    frank-01
> Source RPM Packages     net-tools-1.60-91.fc10
> Target RPM Packages
> Policy RPM              selinux-policy-3.5.13-18.fc10
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             catchall_file
> Host Name               frank-01
> Platform                Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count             4
> First Seen              Sat 22 Nov 2008 09:17:13 GMT
> Last Seen               Sat 22 Nov 2008 09:17:13 GMT
> Local ID                144ff94f-abf9-47ba-8ab6-bda6cceb41e8
> Line Numbers
>
> Raw Audit Messages
>
> node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied { search } for pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
>
> node=frank-01 type=SYSCALL msg=audit(1227345433.820:48): arch=40000003 syscall=33 success=no exit=-13 a0=805f195 a1=4 a2=ffffffff a3=8064020 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing netstat (logwatch_t) "read" to ./unix (proc_net_t).
>
> Detailed Description:
>
> SELinux denied access requested by netstat. It is not expected that this
> access is required by netstat and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials.
> You could try to restore the default system file context for ./unix,
>
> restorecon -v './unix'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context          system_u:system_r:logwatch_t:s0
> Target Context          system_u:object_r:proc_net_t:s0
> Target Objects          ./unix [ file ]
> Source                  ifconfig
> Source Path             /sbin/ifconfig
> Port
> Host                    frank-01
> Source RPM Packages     net-tools-1.60-91.fc10
> Target RPM Packages
> Policy RPM              selinux-policy-3.5.13-18.fc10
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             catchall_file
> Host Name               frank-01
> Platform                Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count             2
> First Seen              Sat 22 Nov 2008 09:17:13 GMT
> Last Seen               Sat 22 Nov 2008 09:17:13 GMT
> Local ID                c323266d-4b2a-4e47-9b13-eeb640939573
> Line Numbers
>
> Raw Audit Messages
>
> node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied { read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
>
> node=frank-01 type=SYSCALL msg=audit(1227345433.820:45): arch=40000003 syscall=33 success=no exit=-13 a0=805c8b9 a1=4 a2=ffffffff a3=8064360 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing netstat (logwatch_t) "read" to ./if_inet6
> (proc_net_t).
>
> Detailed Description:
>
> SELinux denied access requested by netstat. It is not expected that this
> access is required by netstat and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for ./if_inet6,
>
> restorecon -v './if_inet6'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context          system_u:system_r:logwatch_t:s0
> Target Context          system_u:object_r:proc_net_t:s0
> Target Objects          ./if_inet6 [ file ]
> Source                  ifconfig
> Source Path             /sbin/ifconfig
> Port
> Host                    frank-01
> Source RPM Packages     net-tools-1.60-91.fc10
> Target RPM Packages
> Policy RPM              selinux-policy-3.5.13-18.fc10
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             catchall_file
> Host Name               frank-01
> Platform                Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count             4
> First Seen              Sat 22 Nov 2008 09:17:13 GMT
> Last Seen               Sat 22 Nov 2008 09:17:13 GMT
> Local ID                9de63b84-aff8-4a49-bc45-510abd4637b3
> Line Numbers
>
> Raw Audit Messages
>
> node=frank-01 type=AVC msg=audit(1227345433.820:46): avc: denied { read } for pid=4085 comm="netstat" name="if_inet6" dev=proc ino=4026532168 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
>
> node=frank-01
> type=SYSCALL msg=audit(1227345433.820:46): arch=40000003 syscall=33 success=no exit=-13 a0=805f29e a1=4 a2=ffffffff a3=8064180 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing netstat (logwatch_t) "read" to ./dev (proc_net_t).
>
> Detailed Description:
>
> SELinux denied access requested by netstat. It is not expected that this
> access is required by netstat and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for ./dev,
>
> restorecon -v './dev'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> Additional Information:
>
> Source Context          system_u:system_r:logwatch_t:s0
> Target Context          system_u:object_r:proc_net_t:s0
> Target Objects          ./dev [ file ]
> Source                  ifconfig
> Source Path             /sbin/ifconfig
> Port
> Host                    frank-01
> Source RPM Packages     net-tools-1.60-91.fc10
> Target RPM Packages     filesystem-2.4.19-1.fc10
> Policy RPM              selinux-policy-3.5.13-18.fc10
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             catchall_file
> Host Name               frank-01
> Platform                Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count             6
> First Seen              Sat 22 Nov 2008 09:17:13 GMT
> Last Seen               Sat 22 Nov 2008 09:17:13 GMT
> Local ID                44eb7259-6162-4669-9b01-b5d48a63aaa5
> Line Numbers
>
> Raw Audit Messages
>
> node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied { read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
>
> node=frank-01 type=SYSCALL msg=audit(1227345433.855:51): arch=40000003 syscall=5 success=no exit=-13 a0=805ff47 a1=0 a2=1b6 a3=0 items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
> Logwatch:
> --------------------- Network Report Begin ------------------------
>
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
>
> ------------- Network Interfaces ---------------
> Ethernet : 1
> Other    : 1
> Total    : 2
>
> ------------- Ethernet -------------------------
> eth1      Link encap:Ethernet  HWaddr 00:19:E0:7A:40:4C
>
> ------------- Other ----------------------------
> lo        Link encap:Local Loopback
>
> ------------- Network Interfaces ---------------
>
> ------------- Network statistics ---------------
> 1: lo: mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth1: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/ether 00:19:e0:7a:40:4c brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1
>     inet6 fe80::219:e0ff:fe7a:404c/64 scope link
>        valid_lft forever preferred_lft forever
>
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Warning: cannot open /proc/net/dev (Permission denied). Limited output.
> Iface   MTU    RX-ERR TX-ERR
> eth1    1500   no     BMRU
> lo      16436  no     LRU
>
> ------------- Network statistics ---------------
>
> ---------------------- Network Report End -------------------------
>

Added allow rules to selinux-policy-3.5.13-22

From loganjerry at gmail.com Mon Nov 24 15:38:59 2008
From: loganjerry at gmail.com (Jerry James)
Date: Mon, 24 Nov 2008 08:38:59 -0700
Subject: GCL
In-Reply-To: <492AC4E1.3020909@redhat.com>
References: <870180fe0811190958n50ae2da0qe0ddeb0fd89e70dc@mail.gmail.com> <492AC4E1.3020909@redhat.com>
Message-ID: <870180fe0811240738i2512d2e9ia47214043aa33a47@mail.gmail.com>

On Mon, Nov 24, 2008 at 8:14 AM, Daniel J Walsh wrote:
> Ok, is the GCL package available in Fedora?  This probably should be
> opened as a bugzilla.  If gcl really needs execheap, we need to create a
> new policy for it, since execmem_exec_t apps currently do not get this
> and I really don't want to give them this.  I guess I would like to hear
> Ulrich Drepper chime in on this need.

The GCL package has been in Fedora since 2005, but has not built
successfully for months.  I recently took over as maintainer and am
trying to get it into a buildable state again.  I've fixed the other
problems; this seems to be the final blocker.

If I make the saved images have type execmem_exec_t, then the build
produces the "early" image successfully.  When that image runs and
tries to load up a bunch of Lisp files to produce the final image,
SELinux kills it with an AVC denial that mentions execheap.
I mentioned on fedora-devel-list that making the saved images have type
java_exec_t produces a successful build.  If you can tell me how to
test with exactly execmem + execheap privileges, then I can make sure
there is nothing else in the java_exec_t set that GCL needs.
Otherwise, we may have to go through multiple iterations of "no wait,
GCL needs one more permission".

Do I need to audit the source code to discover the reason for the
execheap need?  I can guess; it's probably (eval form) that needs it,
but I don't know that for sure.

Say the word and I'll make a bugzilla entry for this.  Thanks for your help.
-- 
Jerry James
http://loganjerry.googlepages.com/

From dwalsh at redhat.com Mon Nov 24 15:40:56 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 24 Nov 2008 10:40:56 -0500
Subject: Which permission to execute a script?
In-Reply-To: <20081118052242.GA18976@wolff.to>
References: <20081116075731.GA2129@wolff.to> <492180CE.7080600@redhat.com> <20081117151607.GC5217@wolff.to> <49218F22.70603@redhat.com> <20081117230742.GA20242@wolff.to> <20081118010740.GA29740@wolff.to> <20081118052242.GA18976@wolff.to>
Message-ID: <492ACB08.3080708@redhat.com>

Bruno Wolff III wrote:
> On Mon, Nov 17, 2008 at 19:07:40 -0600,
>   Bruno Wolff III wrote:
>> On Mon, Nov 17, 2008 at 17:07:42 -0600,
>>   Bruno Wolff III wrote:
>>> There doesn't seem to be a http_user_script_exec_t type. Probably it's a
>>> typo, but I didn't see a way to get a full list and didn't manage to
>>> guess the correct name.
>> Yep, typo. For the archive, 'seinfo -t' provides a list of types.
>>
>> The guest policy (at least my modified version) does not allow access to
>> files labelled httpd_user_script_exec_t.
>>
>> I'll keep putzing with this.
>
> I have it working now. In the end I needed to give both execute and
> execute_no_trans permission for tom_t running httpd_sys_script_exec_t.
>
> The allow_xguest_exec_content and allow_guest_exec_content booleans
> didn't seem to make a difference.
>
> Going forward I might want to spend the time to dial this policy back
> as I am executing the scripts with those types as an unconfined user
> (or perhaps I should use the user_u role) and I'd like to prevent tom_t
> from changing them (or replacing the files) with selinux.
>
> I was having trouble finding what the manage_files_pattern and
> manage_dirs_pattern macros expand to and exactly what functions some
> of the permissions allow. Is there any good documentation of these things
> online?

A couple of things: people have asked for the ability to stop the
execution of programs in the homedir, so the least-privilege app does not
have the ability to execute content.  Since xguest has the ability to
execute perl, sh, python and other interpreters, the value of shutting
down execution in the homedir is questionable.  This means
~/bin/myscript.sh will fail, but sh ~/bin/myscript.sh will work.  The
blocking of execution does work for all compiled code.

The policy for the boolean allows the execution of user_home_t, but
not other labeled files in the homedir, which is a bug.
From dwalsh at redhat.com Mon Nov 24 15:43:10 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 24 Nov 2008 10:43:10 -0500
Subject: GCL
In-Reply-To: <870180fe0811240738i2512d2e9ia47214043aa33a47@mail.gmail.com>
References: <870180fe0811190958n50ae2da0qe0ddeb0fd89e70dc@mail.gmail.com> <492AC4E1.3020909@redhat.com> <870180fe0811240738i2512d2e9ia47214043aa33a47@mail.gmail.com>
Message-ID: <492ACB8E.7080600@redhat.com>

Jerry James wrote:
> On Mon, Nov 24, 2008 at 8:14 AM, Daniel J Walsh wrote:
>> Ok, is the GCL package available in Fedora?  This probably should be
>> opened as a bugzilla.  If gcl really needs execheap, we need to create a
>> new policy for it, since execmem_exec_t apps currently do not get this
>> and I really don't want to give them this.  I guess I would like to hear
>> Ulrich Drepper chime in on this need.
>
> The GCL package has been in Fedora since 2005, but has not built
> successfully for months.  I recently took over as maintainer and am
> trying to get it into a buildable state again.  I've fixed the other
> problems; this seems to be the final blocker.
>
> If I make the saved images have type execmem_exec_t, then the build
> produces the "early" image successfully.  When that image runs and
> tries to load up a bunch of Lisp files to produce the final image,
> SELinux kills it with an AVC denial that mentions execheap.  I
> mentioned on fedora-devel-list that making the saved images have type
> java_exec_t produces a successful build.  If you can tell me how to
> test with exactly execmem + execheap privileges, then I can make sure
> there is nothing else in the java_exec_t set that GCL needs.
> Otherwise, we may have to go through multiple iterations of "no wait,
> GCL needs one more permission".
>
> Do I need to audit the source code to discover the reason for the
> execheap need?  I can guess; it's probably (eval form) that needs it,
> but I don't know that for sure.
>
> Say the word and I'll make a bugzilla entry for this.  Thanks for your help.

Yes, please open a bugzilla.

We can make a duplicate policy for GCL to java, with execheap.  But we
need to track this via bugzilla.

From loganjerry at gmail.com Mon Nov 24 15:52:49 2008
From: loganjerry at gmail.com (Jerry James)
Date: Mon, 24 Nov 2008 08:52:49 -0700
Subject: GCL
In-Reply-To: <492ACB8E.7080600@redhat.com>
References: <870180fe0811190958n50ae2da0qe0ddeb0fd89e70dc@mail.gmail.com> <492AC4E1.3020909@redhat.com> <870180fe0811240738i2512d2e9ia47214043aa33a47@mail.gmail.com> <492ACB8E.7080600@redhat.com>
Message-ID: <870180fe0811240752y72a76044jfcbcc57f4018560e@mail.gmail.com>

On Mon, Nov 24, 2008 at 8:43 AM, Daniel J Walsh wrote:
> Yes, please open a bugzilla.
>
> We can make a duplicate policy for GCL to java, with execheap.  But we
> need to track this via bugzilla.

Okay, here it is.

https://bugzilla.redhat.com/show_bug.cgi?id=472780

Thanks,
-- 
Jerry James

From bruno at wolff.to Mon Nov 24 16:43:10 2008
From: bruno at wolff.to (Bruno Wolff III)
Date: Mon, 24 Nov 2008 10:43:10 -0600
Subject: Which permission to execute a script?
In-Reply-To: <492ACB08.3080708@redhat.com>
References: <20081116075731.GA2129@wolff.to> <492180CE.7080600@redhat.com> <20081117151607.GC5217@wolff.to> <49218F22.70603@redhat.com> <20081117230742.GA20242@wolff.to> <20081118010740.GA29740@wolff.to> <20081118052242.GA18976@wolff.to> <492ACB08.3080708@redhat.com>
Message-ID: <20081124164310.GB7615@wolff.to>

On Mon, Nov 24, 2008 at 10:40:56 -0500,
  Daniel J Walsh wrote:
>
> A couple of things, people have asked for the ability to stop the
> execution of programs in the homedir.  So the least priv app does not
> have the ability to execute content.  Since xguest has the ability to
> execute perl, sh, python and other interpreters, the value of shutting
> down execution in the homedir is questionable.  This means
> ~/bin/myscript.sh will fail, but sh ~/bin/myscript.sh will work.  The
> blocking of execution does work for all compiled code.

OK, that explains what I was seeing.

> The policy is for the boolean allows the execution of user_home_t, but
> not other labeled file in the homedir, which is a bug.

And I think that explains why changing the booleans didn't fix my specific
situation.

Thanks for the explanation.

From mmcallis at redhat.com Wed Nov 26 01:11:48 2008
From: mmcallis at redhat.com (Murray McAllister)
Date: Wed, 26 Nov 2008 11:11:48 +1000
Subject: preventing unconfined users exec in home and tmp
Message-ID: <492CA254.30808@redhat.com>

Hi,

I have turned "allow_unconfined_exec_content" off, but unconfined users
(unconfined_u) can still execute files in their home directories and /tmp/.

I tried adding a user with "useradd -Z unconfined_u".  This user can
still execute.  I could not find any dontaudit rules.

Am I missing something?

Thanks.
From mmcallis at redhat.com Wed Nov 26 01:23:43 2008
From: mmcallis at redhat.com (Murray McAllister)
Date: Wed, 26 Nov 2008 11:23:43 +1000
Subject: preventing unconfined users exec in home and tmp
In-Reply-To: <492CA254.30808@redhat.com>
References: <492CA254.30808@redhat.com>
Message-ID: <492CA51F.1000002@redhat.com>

Murray McAllister wrote:
> Hi,
>
> I have turned "allow_unconfined_exec_content" off, but unconfined users
> (unconfined_u) can still execute files in their home directories and /tmp/.
>
> I tried adding a user with "useradd -Z unconfined_u".  This user can
> still execute.  I could not find any dontaudit rules.
>
> Am I missing something?

I am running Fedora release 10 (Cambridge):

selinux-policy-targeted-3.5.13-18.fc10.noarch
selinux-policy-3.5.13-18.fc10.noarch
selinux-policy-doc-3.5.13-18.fc10.noarch
libselinux-utils-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
libselinux-2.0.73-1.fc10.i386
policycoreutils-2.0.57-11.fc10.i386

Cheers.

From dhighley at highley-recommended.com Wed Nov 26 15:33:31 2008
From: dhighley at highley-recommended.com (David Highley)
Date: Wed, 26 Nov 2008 07:33:31 -0800 (PST)
Subject: How to HTTP Serve Fedora Distribution
Message-ID: <200811261533.mAQFXVsr028058@douglas.highley-recommended.com>

How can we set up HTTP serving of Fedora distribution since we can not
label the files in the ISO?  What we have tried:
- copy ISO file into web tree
- loopback mount the ISO to /mnt
- symlink /mnt into the web tree
or
- create directory in web tree
- loopback mount the ISO to directory in web tree

Selinux blocks access to the distribution.  The only solution we are
aware of is to drop the pants on selinux by going to permissive mode.
David Highley

From paul at city-fan.org Wed Nov 26 15:39:33 2008
From: paul at city-fan.org (Paul Howarth)
Date: Wed, 26 Nov 2008 15:39:33 +0000
Subject: How to HTTP Serve Fedora Distribution
In-Reply-To: <200811261533.mAQFXVsr028058@douglas.highley-recommended.com>
References: <200811261533.mAQFXVsr028058@douglas.highley-recommended.com>
Message-ID: <492D6DB5.8020806@city-fan.org>

David Highley wrote:
> How can we set up HTTP serving of Fedora distribution since we can not
> label the files in the ISO? What we have tried:
> - copy ISO file into web tree
> - loopback mount the ISO to /mnt
> - symlink /mnt into the web tree
> or
> - create directory in web tree
> - loopback mount the ISO to directory in web tree
>
> Selinux blocks access to the distribution. The only solution we are
> aware of is to drop the pants on selinux by going to permissive mode.

I put the ISO file in my web tree and loopback mount it with a context option, e.g. in fstab:

/srv/nb/distros/fc10/os/x86_64/iso/Fedora-10-x86_64-DVD.iso /srv/nb/distros/fc10/os/x86_64/dvd iso9660 _netdev,ro,loop,fscontext=system_u:object_r:public_content_t:s0 0 0
/srv/nb/distros/fc10/os/i386/iso/Fedora-10-i386-DVD.iso /srv/nb/distros/fc10/os/i386/dvd iso9660 _netdev,ro,loop,fscontext=system_u:object_r:public_content_t:s0 0 0

The resulting hierarchy can be exported using ftp, http, rsync, samba, etc.

Paul.

From dhighley at highley-recommended.com Wed Nov 26 22:57:28 2008
From: dhighley at highley-recommended.com (David Highley)
Date: Wed, 26 Nov 2008 14:57:28 -0800 (PST)
Subject: How to HTTP Serve Fedora Distribution
In-Reply-To: <492DC626.1070802@redhat.com>
Message-ID: <200811262257.mAQMvSB6030782@douglas.highley-recommended.com>

"Murray McAllister wrote:"
>
> David Highley wrote:
> > How can we set up HTTP serving of Fedora distribution since we can not
> > label the files in the ISO?
> > What we have tried:
> > - copy ISO file into web tree
> > - loopback mount the ISO to /mnt
> > - symlink /mnt into the web tree
> > or
> > - create directory in web tree
> > - loopback mount the ISO to directory in web tree
> >
> > Selinux blocks access to the distribution. The only solution we are
> > aware of is to drop the pants on selinux by going to permissive mode.
> >
> > David Highley
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> Hi,
>
> Paul seems to have answered your question. There are some examples of
> overriding SELinux contexts with the mount command here:
>
>
>
> Hope that helps,
>
> Cheers.

Yes, Paul did answer my question. We were not aware that options had been added to the mount command.

From spojenie at o2.pl Fri Nov 28 08:24:18 2008
From: spojenie at o2.pl (spo)
Date: Fri, 28 Nov 2008 09:24:18 +0100
Subject: Setroubleshootd on FC8 has a major memory leak
Message-ID: <492FAAB2.4090205@o2.pl>

Hello,

after 9 days of running it used over 2G (virt, rss ~1G).
Greetings,
Edek

From gene.heskett at verizon.net Fri Nov 28 17:06:31 2008
From: gene.heskett at verizon.net (Gene Heskett)
Date: Fri, 28 Nov 2008 12:06:31 -0500
Subject: selinux denying a cups printer
Message-ID: <200811281206.31640.gene.heskett@verizon.net>

Greetings;

Up-to-date F8, targeted setting

host=coyote.coyote.den type=AVC msg=audit(1227891049.940:679): avc: denied { execute } for pid=6486 comm="cupsd" name="lp3" dev=sda3 ino=104400725 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

host=coyote.coyote.den type=SYSCALL msg=audit(1227891049.940:679): arch=40000003 syscall=33 success=no exit=-13 a0=bff13656 a1=1 a2=b7f17ff4 a3=b7f18a3c items=0 ppid=6485 pid=6486 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

The troubleshooter's recommended fix is a restorecon -v './lp3'

The only ./lp3 I could find was in /etc/cups.d/interfaces/lp3, and while it did change the context of the file, it does not fix the problem. This particular driver ppd is the lpr and cupswrapper of the HL2140 driver kit from Brother, and apparently is installed in a /usr/local/Brother subdir by their rpms.

All this did work flawlessly before I had a drive failure, and it worked after an Fu8 install, but failed sometime in the nearly 2 weeks uptime, as did all my other printer profiles, which I have now deleted and rebuilt, and work except for this one.

I am going to try touching /.autorelabel and reboot again to see if that helps. However, nothing happened the last time I tried that 2 weeks ago...

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Q: How many IBM CPU's does it take to do a logical right shift?
A: 33. 1 to hold the bits and 32 to push the register.
From gene.heskett at verizon.net Fri Nov 28 17:33:53 2008
From: gene.heskett at verizon.net (Gene Heskett)
Date: Fri, 28 Nov 2008 12:33:53 -0500
Subject: selinux denying a cups printer [followup]
In-Reply-To: <200811281206.31640.gene.heskett@verizon.net>
References: <200811281206.31640.gene.heskett@verizon.net>
Message-ID: <200811281233.53027.gene.heskett@verizon.net>

On Friday 28 November 2008, Gene Heskett wrote:
>Greetings;
>
>Up-to-date F8, targeted setting
>
>host=coyote.coyote.den type=AVC msg=audit(1227891049.940:679): avc: denied {
>execute } for pid=6486 comm="cupsd" name="lp3" dev=sda3 ino=104400725
>scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
>
>host=coyote.coyote.den type=SYSCALL msg=audit(1227891049.940:679):
>arch=40000003 syscall=33 success=no exit=-13 a0=bff13656 a1=1 a2=b7f17ff4
>a3=b7f18a3c items=0 ppid=6485 pid=6486 auid=0 uid=0 gid=0 euid=0 suid=0
>fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd"
>exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>key=(null)
>
>The troubleshooter's recommended fix is a restorecon -v './lp3'
>
>The only ./lp3 I could find was in /etc/cups.d/interfaces/lp3, and while it
>did change the context of the file, it does not fix the problem. This
>particular driver ppd is the lpr and cupswrapper of the HL2140 driver kit
>from Brother, and apparently is installed in a /usr/local/Brother subdir by
>their rpms.
>
>All this did work flawlessly before I had a drive failure, and it worked
> after an Fu8 install, but failed sometime in the nearly 2 weeks uptime, as
> did all my other printer profiles, which I have now deleted and rebuilt,
> and work except for this one.
>
>I am going to try touching /.autorelabel and reboot again to see if that helps.
>However, nothing happened the last time I tried that 2 weeks ago...

The autorelabel was done, but it didn't help.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Anyone can hold the helm when the sea is calm.
-- Publius Syrus
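The cupsd denial above is the kind of line that gets pasted straight into audit2allow without anyone reading it first. The following shell script is an added example, not code from the thread or from the SELinux tools: it pulls the standard audit fields (scontext, tcontext, tclass, comm, name, the permission set) out of a raw AVC record and reduces the denial to "source type, permission, class, target type", then gives a first hint about whether the label or the policy is the thing to question. SAMPLE_AVC is Gene's line copied from his message; the _etc_t heuristic, the function names and the second test record are this example's own assumptions, and the parser is general enough to run over any AVC line, not only this one.

```shell
#!/bin/sh
# Added example (not from the thread): parse a raw AVC denial into its
# fields so it can be read before deciding between restorecon, a boolean,
# or a local policy module. SAMPLE_AVC is the line posted in the thread;
# everything else here is constructed for the example.

SAMPLE_AVC='host=coyote.coyote.den type=AVC msg=audit(1227891049.940:679): avc: denied { execute } for pid=6486 comm="cupsd" name="lp3" dev=sda3 ino=104400725 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=... with surrounding quotes stripped.
# The leading blank in the pattern keeps "pid=" from matching "ppid=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "stype perms tclass ttype (comm on name)".
avc_summary() {
    line=$1
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    printf '%s %s %s %s (%s on %s)\n' \
        "$stype" "$(avc_perms "$line")" "$(avc_field "$line" tclass)" \
        "$ttype" "$(avc_field "$line" comm)" "$(avc_field "$line" name)"
}

# avc_hint LINE: what to check next. Heuristic assumed for this example:
# an execute denial whose target carries a config-data type (*_etc_t) is
# more likely a mislabeled file than a policy gap, so compare the on-disk
# label with the file-context spec before writing any allow rule.
avc_hint() {
    line=$1
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    perms=$(avc_perms "$line")
    case "$perms:$ttype" in
        *execute*:*_etc_t)
            echo "label mismatch likely: compare 'matchpathcon -V <path>' with 'ls -Z <path>', then restorecon if they differ" ;;
        *)
            echo "no label hint: inspect with 'sesearch' or 'audit2allow -w' before writing policy" ;;
    esac
}

avc_summary "$SAMPLE_AVC"
avc_hint "$SAMPLE_AVC"
```

Run it as-is to see the cupsd line reduced to "cupsd_t execute file cupsd_rw_etc_t (cupsd on lp3)"; feed any other AVC record to avc_summary to get the same shape. The hint is deliberately conservative: it only tells you which check to run first, and a matchpathcon result that already agrees with ls -Z (as the restorecon that did not help suggests here) means the file on disk is not the one cupsd is actually trying to execute, so the next step is finding the inode named in the record rather than relabeling again.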