From mmcallis at redhat.com Wed Oct 1 02:01:21 2008
From: mmcallis at redhat.com (Murray McAllister)
Date: Wed, 01 Oct 2008 12:01:21 +1000
Subject: Need Info adding\editing to a personal module?
In-Reply-To: <1222766693.2427.25.camel@frank-01>
References: <1222766693.2427.25.camel@frank-01>
Message-ID: <48E2D9F1.9010903@redhat.com>

Frank Murphy wrote:
> Examples only:
>
>
> If exim gave an avc denial.
>
> 1: Create policy.
> audit2allow -M myexim < /var/log/audit/audit.log
>
> then enable it.
> semodule -i myexim.pp
>
> 2: If then in a couple of days exim generates another avc denial,
> different from the first.
>
> How does one edit\use audit2allow to include the new avc.
>
> Have looked at "man audit2allow" and can't seem to grasp an edit from
> the options.
>
> Frank
>

On the day that it generates another denial, you could try something like:

/sbin/ausearch -m avc -ts today | grep x | audit2allow -M myexim2;/usr/sbin/semodule -i myexim2.pp

Where "x" is the domain, such as "httpd_t" for Apache. It is probably best to run "/sbin/ausearch -m avc -ts today | grep x" first, to make sure you get the results you want.

Cheers.
From dwalsh at redhat.com Wed Oct 1 12:37:07 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 01 Oct 2008 08:37:07 -0400
Subject: Alternate OpenSSH ports
In-Reply-To: <48E240BF.3080501@manicmethod.com>
References: <16de708d0809291331o57506303jaf600e6fd00adb7@mail.gmail.com> <1222720815.5429.77.camel@moss-spartans.epoch.ncsc.mil> <16de708d0809291917w5c1abe6dpfd1a62a7da7b8018@mail.gmail.com> <48E21E92.3070507@redhat.com> <1222780684.19676.55.camel@moss-spartans.epoch.ncsc.mil> <48E240BF.3080501@manicmethod.com>
Message-ID: <48E36EF3.1040509@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Tue, 2008-09-30 at 08:41 -0400, Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Arthur Pemberton wrote:
>>>> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley wrote:
>>>>> On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
>>>>>> I'm getting a denial when I attempt to use port 23 as an additional
>>>>>> port for sshd. That makes sense. What's the best way to define
>>>>>> alternate SSHd ports?
>>>>> semanage port -m -t ssh_port_t -p tcp 23
>>>>
>>>> When trying this, I get:
>>>> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>>>>
>>>> Even after doing that, I get this on `service sshd restart`:
>>>> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986
>>>>
>>>>
>>> Please send the output from that command, that number is only local to
>>> your machine.
>> Wondering if libsemanage does the right thing when the port already
>> exists in the base policy, as in this case. It should override the base
>> policy definition with the local one, but I'm not 100% sure it does.
>>
>
> There does appear to be a bug, after running:
> semanage port -m -t ssh_port_t -p tcp 8021
>
> I get:
>
> [root at misterfreeze ~]# seinfo --portcon=8021
> portcon tcp 8021 system_u:object_r:ssh_port_t:s0
> portcon tcp 8021 system_u:object_r:zope_port_t:s0
>
>
> I'm not sure when I'll be able to get to this, can you take a look first Dan?

Well do you think this is a bug in semanage or sepol? I thought you used to get a denial when you tried to do this saying you could not modify a named port.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjjbvMACgkQrlYvE4MpobMEngCfcSWudrlmHqTEpOnnkzWAO154
0BsAn18NWq7l5MckmQH06fPYr+5LvLvV
=v6JT
-----END PGP SIGNATURE-----

From sds at tycho.nsa.gov Wed Oct 1 12:52:26 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 01 Oct 2008 08:52:26 -0400
Subject: Alternate OpenSSH ports
In-Reply-To: <16de708d0809291917w5c1abe6dpfd1a62a7da7b8018@mail.gmail.com>
References: <16de708d0809291331o57506303jaf600e6fd00adb7@mail.gmail.com> <1222720815.5429.77.camel@moss-spartans.epoch.ncsc.mil> <16de708d0809291917w5c1abe6dpfd1a62a7da7b8018@mail.gmail.com>
Message-ID: <1222865546.29743.2.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2008-09-29 at 21:17 -0500, Arthur Pemberton wrote:
> On Mon, Sep 29, 2008 at 3:40 PM, Stephen Smalley wrote:
> >
> > On Mon, 2008-09-29 at 15:31 -0500, Arthur Pemberton wrote:
> >> I'm getting a denial when I attempt to use port 23 as an additional
> >> port for sshd. That makes sense. What's the best way to define
> >> alternate SSHd ports?
> >
> > semanage port -m -t ssh_port_t -p tcp 23
> >
>
> When trying this, I get:
> sealert -l 819f882a-3d08-41da-bc19-4168c9b8b4cb
>
> Even after doing that, I get this on `service sshd restart`:
> sealert -l 82267d8b-d557-4891-bdb0-26e0feb1e986

A workaround until semanage is fixed to correctly support the above would be to add a local policy module that allows sshd to bind to the telnetd port, e.g.

$ cat myssh.te
policy_module(myssh, 1.0)

require {
	type sshd_t;
	type telnetd_port_t;
}

allow sshd_t telnetd_port_t:tcp_socket name_bind;

$ make -f /usr/share/selinux/devel/Makefile myssh.pp
$ semodule -i myssh.pp

audit2allow should have yielded a similar result.

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Wed Oct 1 13:18:47 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 01 Oct 2008 09:18:47 -0400
Subject: Need Info adding\editing to a personal module?
In-Reply-To: <1222766693.2427.25.camel@frank-01>
References: <1222766693.2427.25.camel@frank-01>
Message-ID: <48E378B7.8020507@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Murphy wrote:
> Examples only:
>
>
> If exim gave an avc denial.
>
> 1: Create policy.
> audit2allow -M myexim < /var/log/audit/audit.log
>
> then enable it.
> semodule -i myexim.pp
>
> 2: If then in a couple of days exim generates another avc denial,
> different from the first.
>
> How does one edit\use audit2allow to include the new avc.
>
> Have looked at "man audit2allow" and can't seem to grasp an edit from
> the options.
>
> Frank
>

You've been blogged.
http://danwalsh.livejournal.com/24750.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkjjeLcACgkQrlYvE4MpobPtJwCfSBpjyX4XSZYKQt2hZ40oRIoK byQAn3nHH28XUC77lg/O8B4G3sX/UQ90 =IkZx -----END PGP SIGNATURE----- From olivares14031 at yahoo.com Fri Oct 3 00:26:38 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Thu, 2 Oct 2008 17:26:38 -0700 (PDT) Subject: npviever on rawhide: denied avcs In-Reply-To: <339253.97746.qm@web52601.mail.re2.yahoo.com> Message-ID: <43404.10751.qm@web52601.mail.re2.yahoo.com> --- On Thu, 10/2/08, Antonio Olivares wrote: > From: Antonio Olivares > Subject: npviever on rawhide: denied avcs > To: fedora-selinux-list at redhat.com > Cc: fedora-test-list at redhat.com > Date: Thursday, October 2, 2008, 5:21 PM > Dear all, > > Doing a dmesg I see some denied avcs for npviewer > > I will attach the file, I have not seen setroubleshoot > kick in to warn me about these avcs. Has anyone else seen > these? 
> > Thanks, > > Antonio > > > -- > fedora-test-list mailing list > fedora-test-list at redhat.com > To unsubscribe: > https://www.redhat.com/mailman/listinfo/fedora-test-list Messages were not attached, file too big :( Here's preview :) type=1400 audit(1222991578.902:1308): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir type=1400 audit(1222991578.902:1309): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket type=1400 audit(1222991578.903:1310): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket type=1400 audit(1222991578.922:1311): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir Thanks, Antonio From mike.cloaked at gmail.com Fri Oct 3 07:33:33 2008 From: mike.cloaked at gmail.com (Mike) Date: Fri, 3 Oct 2008 07:33:33 +0000 (UTC) Subject: rsync as backup for laptop to desktop external HD Message-ID: I have for many years run backups from laptops on the local LAN to an external USB drive attached to the main desktop machine using rsync -aH. The main desktop is running F8 with SELinux disabled. In recent months I upgraded the laptop to F9 with SELinux enabled. I have just realised that the method I use gives files on the backup drive that have no selinux contexts... so in the event of having to rebuild a laptop and pulling files off the backup drive the selinux contexts would have to be recreated. 
I am fairly new to SELinux but I presume that merely adding -X to the rsync command would still not produce any contexts on the files that are generated on the backup drive since the machine that is processing the rsync at the receive end has SELinux disabled. At some point the desktop will be upgraded to F9 (and later F10) with SELinux enabled - and I am now not sure if attaching the original external USB drive unchanged would then still result in files without any security contexts on the external drive? If this is the case would I need to label the filesystem on the external drive? What is the best route to getting this backup system working to preserve security contexts for all files (including system areas such as /var /etc ? Thanks From dwalsh at redhat.com Fri Oct 3 13:11:09 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 03 Oct 2008 09:11:09 -0400 Subject: npviever on rawhide: denied avcs In-Reply-To: <43404.10751.qm@web52601.mail.re2.yahoo.com> References: <43404.10751.qm@web52601.mail.re2.yahoo.com> Message-ID: <48E619ED.10400@redhat.com> Antonio Olivares wrote: > > > --- On Thu, 10/2/08, Antonio Olivares wrote: > >> From: Antonio Olivares >> Subject: npviever on rawhide: denied avcs >> To: fedora-selinux-list at redhat.com >> Cc: fedora-test-list at redhat.com >> Date: Thursday, October 2, 2008, 5:21 PM >> Dear all, >> >> Doing a dmesg I see some denied avcs for npviewer >> >> I will attach the file, I have not seen setroubleshoot >> kick in to warn me about these avcs. Has anyone else seen >> these? 
>> >> Thanks, >> >> Antonio >> >> >> -- >> fedora-test-list mailing list >> fedora-test-list at redhat.com >> To unsubscribe: >> https://www.redhat.com/mailman/listinfo/fedora-test-list > > Messages were not attached, file too big :( > > Here's preview :) > > type=1400 audit(1222991578.902:1308): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir > type=1400 audit(1222991578.902:1309): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket > type=1400 audit(1222991578.903:1310): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket > type=1400 audit(1222991578.922:1311): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir > > > Thanks, > > Antonio > > > > Looks like npviewer is becoming dbus aware. I will allow it to connect to the dbus server, but I am not sure what service it is trying to communicate with. 
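Murray's earlier advice in this archive (`ausearch -m avc -ts today | grep x | audit2allow -M ...`), Stephen's myssh.te workaround, and the npviewer records above all come down to one step: select the AVC records for a single source domain and turn them into allow rules. The following is an added example, not code from audit2allow, setroubleshoot or the Fedora policy packages. It keys the selection on the scontext type rather than a substring grep (a bare `grep nsplugin_t` would also match records where the name appears only as tcontext or comm), merges permissions per (source, target, class) the way audit2allow's output does, and wraps the result in the policy_module/require skeleton that Stephen's .te file uses. Three of the sample records are copied from messages in this archive; the sshd/telnetd_port_t record and the module name are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input. The npviewer and rsync records are copied from
# messages in this archive; the sshd/telnetd_port_t record is constructed to
# correspond to the rule in the myssh.te workaround.
SAMPLE_AUDIT = r"""
type=1400 audit(1222991578.902:1308): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir
type=1400 audit(1222991578.902:1309): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1223194499.218:1065): avc: denied { read write } for pid=9837 comm="rsync" name="rsyncd.lock" dev=dm-1 ino=337788 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1223194499.218:1065): arch=c000003e syscall=2 success=no exit=-13 comm="rsync" exe="/usr/bin/rsync"
type=1400 audit(1222865000.000:12): avc: denied { name_bind } for pid=4242 comm="sshd" src=23 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:telnetd_port_t:s0 tclass=tcp_socket
"""

# The fields a policy rule is built from. SYSCALL records carry no
# "avc: denied" part and are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type, the field policy rules are written in."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield one dict per AVC record: source type, target type, class, permissions."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        yield {
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        }


def merged_denials(text, domain=None):
    """Group permissions by (source, target, class). With `domain` set, keep
    only records whose *source* type is that domain; a plain grep for the
    name would also match records where it appears only as tcontext or comm."""
    merged = defaultdict(set)
    for rec in parse_avcs(text):
        if domain is not None and rec["source"] != domain:
            continue
        merged[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return merged


def allow_rules(text, domain=None):
    """Render the merged denials as allow rules in audit2allow's output form."""
    rules = []
    for (src, tgt, cls), perms in sorted(merged_denials(text, domain).items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


def module_te(name, text, domain=None):
    """Wrap the rules in the policy_module/require skeleton a .te file needs."""
    merged = merged_denials(text, domain)
    types = sorted({t for (src, tgt, _cls) in merged for t in (src, tgt)})
    lines = [f"policy_module({name}, 1.0)", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += ["}", ""] + allow_rules(text, domain)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same shape as the myexim2 step in the thread, for the npviewer domain.
    print(module_te("mynsplugin", SAMPLE_AUDIT, domain="nsplugin_t"))
```

With `domain="sshd_t"` the output is exactly the rule in Stephen's myssh.te; with `domain="rsync_t"` the two permissions of the rsync record merge into `{ read write }`. As with audit2allow, the rules are a transcript of what was denied, not a judgement that each access should be granted: the rsync case in this archive, for instance, is a labeling problem rather than a missing rule.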
From gp at dipohl.com Sat Oct 4 10:29:07 2008
From: gp at dipohl.com (Gabriele Pohl)
Date: Sat, 04 Oct 2008 12:29:07 +0200
Subject: Revert to default settings after seedit relabel, was: Re: Hello world and first question concerning Munin
In-Reply-To: <1221227347.4712.19.camel@moss-spartans.epoch.ncsc.mil>
References: <1221222928.3231.129.camel@calex.dipohl.com> <1221227347.4712.19.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <1223116147.3059.32.camel@calex.dipohl.com>

Hi Stephen and all,

I searched for a possibility to see what rules are defined in the SELinux module for munin. After reading a lot of man pages of all the SELinux tools that I found on my system, without a result for this issue, I took a look at the SELinux knowledge base here: http://fedoraproject.org/wiki/SELinux and saw "seedit" selinux policy editor (and accompanying simplified policy language) http://seedit.sourceforge.net/

"You can try SELinux Policy Editor on Fedora Core 6,7,8 or CentOS 4, Cent OS5. It will not affect existing SELinux policies so it is possible to revert to the default settings easily."

Hmmm, at the first call it asks for initialization. I agreed. It needs a reboot and after that, all policy rules were replaced by *simple* ones. And the mode is now *permissive*, no longer *targeted*. I find no possibility to load a module for editing (e.g. the munin targeted module). So this experiment was useless for my purpose.

After switching the mode to *targeted* again (but no reboot since then) I see none of the old modules. All contexts are *unconfined*.

How can I get the original state back?

On Friday, 12.09.2008, 09:49 -0400, Stephen Smalley wrote:
> On Fri, 2008-09-12 at 14:35 +0200, Gabriele Pohl wrote:
> > I use Munin (http://munin.projects.linpro.no/)
> > Now my first question:
> >
> > Plugin smart_ is written in Python.
> > It calls "smartctl" from the smartmontools package
> > (http://smartmontools.sourceforge.net/) to read the
> > values of the SMART-Attributes from the harddisks.
> >
> > #============= munin_t ==============
> > allow munin_t fixed_disk_device_t:blk_file getattr;
> > -------------------------------
>
> Ideally the munin_t domain itself shouldn't need any access to the raw
> device - it should transition into the existing domain for smartd
> (fsdaemon_t) upon executing the smartctl program.

How can this be done?

> I don't know offhand
> if the existing munin policy module has such a domain transition rule.

I would like to look at the rules defined in the policy module. How can I do this?

> However, mere getattr access (i.e. the ability to stat the file) isn't a
> big deal, so you could likely grant that one w/o difficulty. What would
> be more problematic is allowing read or write access to the raw device.

ok, thanks! I'll add this rule as soon as I have my original state restored on the system.

Kind regards,

Gabriele

From gp at dipohl.com Sat Oct 4 16:03:48 2008
From: gp at dipohl.com (Gabriele Pohl)
Date: Sat, 04 Oct 2008 18:03:48 +0200
Subject: Revert to default settings after seedit relabel, was: Re: Hello world and first question concerning Munin
In-Reply-To: <1223116147.3059.32.camel@calex.dipohl.com>
References: <1221222928.3231.129.camel@calex.dipohl.com> <1221227347.4712.19.camel@moss-spartans.epoch.ncsc.mil> <1223116147.3059.32.camel@calex.dipohl.com>
Message-ID: <1223136228.3607.1.camel@calex.dipohl.com>

On Saturday, 04.10.2008, 12:29 +0200, Gabriele Pohl wrote:
> http://seedit.sourceforge.net/
>
> "You can try SELinux Policy Editor on Fedora Core 6,7,8 or CentOS 4,
> Cent OS5. It will not affect existing SELinux policies so it is
> possible to revert to the default settings easily."
>
> After switching the mode to *targeted* again
> (but no reboot since then) I see none of the
> old modules. All contexts are *unconfined*.
this is ok now, after the reboot.

> On Friday, 12.09.2008, 09:49 -0400, Stephen Smalley wrote:
> > On Fri, 2008-09-12 at 14:35 +0200, Gabriele Pohl wrote:
> > > I use Munin (http://munin.projects.linpro.no/)
> > > Now my first question:
> > >
> I would like to look at the rules defined in
> the policy module. How can I do this?

this is my question left now.

Kind regards,

Gabriele

From drago01 at gmail.com Sat Oct 4 16:55:42 2008
From: drago01 at gmail.com (drago01)
Date: Sat, 4 Oct 2008 18:55:42 +0200
Subject: npviever on rawhide: denied avcs
In-Reply-To: <48E619ED.10400@redhat.com>
References: <43404.10751.qm@web52601.mail.re2.yahoo.com> <48E619ED.10400@redhat.com>
Message-ID:

On Fri, Oct 3, 2008 at 3:11 PM, Daniel J Walsh wrote:
> Antonio Olivares wrote:
>>
>>
>> --- On Thu, 10/2/08, Antonio Olivares wrote:
>>
>>> From: Antonio Olivares
>>> Subject: npviever on rawhide: denied avcs
>>> To: fedora-selinux-list at redhat.com
>>> Cc: fedora-test-list at redhat.com
>>> Date: Thursday, October 2, 2008, 5:21 PM
>>> Dear all,
>>>
>>> Doing a dmesg I see some denied avcs for npviewer
>>>
>>> I will attach the file, I have not seen setroubleshoot
>>> kick in to warn me about these avcs. Has anyone else seen
>>> these?
>>>
>>> Thanks,
>>>
>>> Antonio
>>>
>>>
>>> --
>>> fedora-test-list mailing list
>>> fedora-test-list at redhat.com
>>> To unsubscribe:
>>> https://www.redhat.com/mailman/listinfo/fedora-test-list
>>
>> Messages were not attached, file too big :(
>>
>> Here's preview :)
>>
>> type=1400 audit(1222991578.902:1308): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir
>> type=1400 audit(1222991578.902:1309): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
>> type=1400 audit(1222991578.903:1310): avc: denied { create } for pid=17937 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
>> type=1400 audit(1222991578.922:1311): avc: denied { search } for pid=17937 comm="npviewer.bin" name="dbus" dev=dm-0 ino=3276847 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir
>>
>>
>> Thanks,
>>
>> Antonio
>>
>>
>>
>>
> Looks like npviewer is becoming dbus aware. I will allow it to connect
> to the dbus server, but I am not sure what service it is trying to
> communicate with.

the packagekit plugin tries to connect to daemon?

From qinglong at Bolizm.ihep.su Sat Oct 4 17:56:55 2008
From: qinglong at Bolizm.ihep.su (QingLong)
Date: Sat, 4 Oct 2008 21:56:55 +0400
Subject: /var/spool mount denied
Message-ID: <20081004175655.GJ10452@Bolizm.ihep.su>

Hi, All!
I've come across a problem with mount on Fedora 9 --- various filesystems are mounted read-only, others fail to mount at all due to avc denials during the system startup, e.g.:
|
| type=1400 audit(1222921979.843:4): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
| type=1400 audit(1222921979.843:5): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
[...]
| type=1400 audit(1222921980.322:8): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
| type=1400 audit(1222921980.322:9): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
[...]
| type=1400 audit(1222921980.331:10): avc: denied { mounton } for pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
| type=1400 audit(1222921980.331:11): avc: denied { mounton } for pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
|

But after the system startup finishes (many subsystems fail to put locks, etc) manual `mount -a' does magically fix the situation and those filesystems are remounted read-writable.

I guess the bug has been introduced in the Fedora 9 release and is still there. It looks like boot-time selinux policies aren't generated depending on fstab, thus handling mount point directories and mounted filesystems incorrectly. Maybe I am mistaken, and the problem is caused by some more obscure reasons.
Of course, there are chances I am just not aware of some selinux feature or some boolean that should be enabled to get such cases handled right. If so, please correct me and let me know how I should configure selinux to get rid of the problem. Thank you.

This behaviour has been displayed by a freshly installed Fedora 9, and after `yum update' it continues malfunctioning.

My regards.
QingLong

From paul at city-fan.org Sat Oct 4 18:10:42 2008
From: paul at city-fan.org (Paul Howarth)
Date: Sat, 4 Oct 2008 19:10:42 +0100
Subject: /var/spool mount denied
In-Reply-To: <20081004175655.GJ10452@Bolizm.ihep.su>
References: <20081004175655.GJ10452@Bolizm.ihep.su>
Message-ID: <20081004191042.118e9f7e@metropolis.intra.city-fan.org>

On Sat, 4 Oct 2008 21:56:55 +0400
QingLong wrote:

> Hi, All!
>
> I've come across a problem with mount on Fedora 9
> --- various filesystems are mounted read-only, others fail to mount
> at all due to avc denials during the system startup, e.g.:
> |
> | type=1400 audit(1222921979.843:4): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> | type=1400 audit(1222921979.843:5): avc: denied { mounton } for pid=1887 comm="mount" path="/var/lock" dev=md13 ino=62993 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> [...]
> | type=1400 audit(1222921980.322:8): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
> | type=1400 audit(1222921980.322:9): avc: denied { mounton } for pid=1887 comm="mount" path="/var/spool" dev=md13 ino=125985 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
> [...]
> | type=1400 audit(1222921980.331:10): avc: denied { mounton } for pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
> | type=1400 audit(1222921980.331:11): avc: denied { mounton } for pid=1887 comm="mount" path="/var/run" dev=md13 ino=136145 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
> |
> But after the system startup finishes (many subsystems fail to put locks, etc)
> manual `mount -a' does magically fix the situation and those
> filesystems are remounted read-writable.
>
> I guess the bug has been introduced in the Fedora 9 release and is
> still there. It looks like boot-time selinux policies aren't
> generated depending on fstab, thus handling mount point directories
> and mounted filesystems incorrectly. Maybe I am mistaken, and the
> problem is caused by some more obscure reasons.
>
> Of course, there are chances I am just not aware of some selinux
> feature or some boolean that should be enabled to get such cases
> handled right. If so, please correct me and let me know how I should
> configure selinux to get rid of the problem. Thank you.
>
> This behaviour has been displayed by a freshly installed Fedora 9,
> and after `yum update' it continues malfunctioning.

You have a somewhat unusual set of mount points there.

Fix for now: reboot so that all "problem" filesystems are left unmounted (or manually unmount all of them), then change the context type of the mountpoint directories to mnt_t:

# chcon -t mnt_t /var/run /var/spool /var/lock

It's important that the filesystems are not mounted on these directories when you do this.

A "service netfs start" will then re-mount the directories in the same way that it would during the boot process (or you could reboot again).

The problem should now have gone away.

Paul.
From qinglong at Bolizm.ihep.su Sat Oct 4 18:50:10 2008
From: qinglong at Bolizm.ihep.su (QingLong)
Date: Sat, 4 Oct 2008 22:50:10 +0400
Subject: /var/spool mount denied
In-Reply-To: <20081004191042.118e9f7e@metropolis.intra.city-fan.org> <200810041757.m94HvAuu026729@listman.util.phx.redhat.com> <20081004175655.GJ10452@Bolizm.ihep.su>
References: <20081004175655.GJ10452@Bolizm.ihep.su> <20081004191042.118e9f7e@metropolis.intra.city-fan.org> <200810041757.m94HvAuu026729@listman.util.phx.redhat.com> <20081004175655.GJ10452@Bolizm.ihep.su>
Message-ID: <20081004185010.GK10452@Bolizm.ihep.su>

>
> You have a somewhat unusual set of mount points there.
>
Well, I know.
But I am used to using different fs types and fs parameters (and mount options) as various filesystem parts have different functionality and operating modes. E.g. a traditional news spool on a Usenet News server needs lo-o-ots of inodes.

>
> Fix for now: reboot so that all "problem" filesystems are left
> unmounted (or manually unmount all of them), then change the context
> type of the mountpoint directories to mnt_t:
>
> # chcon -t mnt_t /var/run /var/spool /var/lock
>
Thank you.

And a few more questions, if you let me.
Once the problem is in the context of mount points, then how does post-startup manual `mount -a' succeed? I believe it would fail quite in the same manner, wouldn't it?

And why don't other ``unusual'' filesystems (I have several others) fail in the same way, but get mounted during startup quite successfully? Aren't there some race conditions?

QingLong.
From qinglong at Bolizm.ihep.su Sat Oct 4 19:25:19 2008
From: qinglong at Bolizm.ihep.su (QingLong)
Date: Sat, 4 Oct 2008 23:25:19 +0400
Subject: Re[2+]: /var/spool mount denied
In-Reply-To: <200810041851.m94IpY6x001245@listman.util.phx.redhat.com> <20081004185010.GK10452@Bolizm.ihep.su>
References: <200810041851.m94IpY6x001245@listman.util.phx.redhat.com> <20081004175655.GJ10452@Bolizm.ihep.su> <20081004191042.118e9f7e@metropolis.intra.city-fan.org> <200810041757.m94HvAuu026729@listman.util.phx.redhat.com> <20081004175655.GJ10452@Bolizm.ihep.su> <20081004185010.GK10452@Bolizm.ihep.su>
Message-ID: <20081004192519.GL10452@Bolizm.ihep.su>

>
> Fix for now: reboot so that all "problem" filesystems are left
> unmounted (or manually unmount all of them), then change the context
> type of the mountpoint directories to mnt_t:
>
> # chcon -t mnt_t /var/run /var/spool /var/lock
>
Just out of curiosity I changed the context of /var/spool and /var/lock but not that of /var/run. Guess what? On the next reboot ALL of those three were mounted successfully and there were no complaints or denials on /var/run mounting.

The problem appears to be not so simple.

QingLong.
From arequipeno at gmail.com Sun Oct 5 15:19:01 2008
From: arequipeno at gmail.com (Ian Pilcher)
Date: Sun, 05 Oct 2008 10:19:01 -0500
Subject: rsync can't write to /var/run/rsyncd.lock
Message-ID:

selinux-policy-targeted-3.0.8-117.fc8

host=home.icp.selfip.net type=AVC msg=audit(1223194499.218:1065): avc: denied { read write } for pid=9837 comm="rsync" name="rsyncd.lock" dev=dm-1 ino=337788 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

host=home.icp.selfip.net type=SYSCALL msg=audit(1223194499.218:1065): arch=c000003e syscall=2 success=no exit=-13 a0=adfc60 a1=42 a2=180 a3=8 items=0 ppid=9836 pid=9837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0-s0:c0.c1023 key=(null)

-- 
========================================================================
Ian Pilcher arequipeno at gmail.com
========================================================================

From paul at city-fan.org Sun Oct 5 20:43:38 2008
From: paul at city-fan.org (Paul Howarth)
Date: Sun, 5 Oct 2008 21:43:38 +0100
Subject: /var/spool mount denied
In-Reply-To: <20081004185010.GK10452@Bolizm.ihep.su>
References: <20081004175655.GJ10452@Bolizm.ihep.su> <20081004191042.118e9f7e@metropolis.intra.city-fan.org> <200810041757.m94HvAuu026729@listman.util.phx.redhat.com> <20081004175655.GJ10452@Bolizm.ihep.su> <20081004185010.GK10452@Bolizm.ihep.su>
Message-ID: <20081005214338.0c577894@metropolis.intra.city-fan.org>

On Sat, 4 Oct 2008 22:50:10 +0400
QingLong wrote:

> >
> > You have a somewhat unusual set of mount points there.
> >
> Well, I know.
> But I am used to using different fs types and fs parameters (and mount
> options) as various filesystem parts have different functionality and
> operating modes. E.g. a traditional news spool on a Usenet News server
> needs lo-o-ots of inodes.

/var/spool I can understand, but /var/lock and /var/run?
> > Fix for now: reboot so that all "problem" filesystems are left
> > unmounted (or manually unmount all of them), then change the context
> > type of the mountpoint directories to mnt_t:
> >
> > # chcon -t mnt_t /var/run /var/spool /var/lock
> >
> Thank you.
>
> And a few more questions, if you let me.
> Once the problem is in the context of mount points,
> then how does post-startup manual `mount -a' succeed?
> I believe it would fail quite in the same manner, wouldn't it?

No, because when you run "mount" manually like this, it runs "unconfined" - there is no transition to the mount_t domain in SELinux, and hence you're not affected. At boot time, mount is run from an initscript and the transition happens, so mount is constrained about what it can do by SELinux.

> And why don't other ``unusual'' filesystems (I have several others)
> fail in the same way, but get mounted during startup quite
> successfully? Aren't there some race conditions?

Many of the more commonly-used mountpoints are configured as such in SELinux policy (/var/spool/mail for instance) and don't cause problems.

Paul.
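Both answers in this thread, and the rsyncd.lock denial posted above, turn on what type a path is *expected* to carry: that is decided by the file_contexts database, and a mismatch between it and the label on disk is what `restorecon -n -v` reports. The following added example (not code from libselinux, policycoreutils or the Fedora policy) resolves a path against a small file_contexts excerpt and lists the files whose on-disk type has drifted. The entries and on-disk labels are constructed for the example; the rsyncd.lock entry is the one quoted elsewhere in this archive, and the matching rule is the one documented for file_contexts: every regex is matched against the whole path, an optional object-class column restricts an entry, and when several entries match, the last one wins.

```python
import re

# Constructed file_contexts excerpt. The rsyncd.lock entry is quoted in this
# archive; the others are simplified stand-ins for the real Fedora policy.
# An optional second column limits an entry to one object class
# (-- regular file, -d directory, and so on).
SAMPLE_FILE_CONTEXTS = r"""
/.*                       system_u:object_r:default_t:s0
/var/run(/.*)?            system_u:object_r:var_run_t:s0
/var/lock(/.*)?           system_u:object_r:var_lock_t:s0
/var/spool(/.*)?          system_u:object_r:var_spool_t:s0
/var/spool/mail(/.*)?     system_u:object_r:mail_spool_t:s0
/var/run/rsyncd\.lock  -- system_u:object_r:rsync_log_t:s0
/mnt(/[^/]*)?          -d system_u:object_r:mnt_t:s0
"""

# Constructed on-disk labels, as `ls -Z` would show them: /var/run after the
# `chcon -t mnt_t` suggested in this thread, and an rsyncd.lock that was
# created with its directory's type instead of rsync_log_t.
SAMPLE_ON_DISK = [
    ("/var/run", "dir", "system_u:object_r:mnt_t:s0"),
    ("/var/run/rsyncd.lock", "file", "system_u:object_r:var_run_t:s0"),
    ("/var/spool/mail", "dir", "system_u:object_r:mail_spool_t:s0"),
    ("/var/lock", "dir", "system_u:object_r:var_lock_t:s0"),
]

FILE_TYPES = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
              "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


def load_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, object class or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
            ftype = FILE_TYPES[ftype]
        else:
            regex, ctx = parts
            ftype = None
        specs.append((re.compile(regex), ftype, ctx))
    return specs


def lookup(specs, path, obj_class="file"):
    """Context file_contexts assigns to `path`. Each regex must match the whole
    path; among matching entries the last one wins (assumed from file_contexts(5))."""
    found = None
    for regex, ftype, ctx in specs:
        if ftype is not None and ftype != obj_class:
            continue
        if regex.fullmatch(path):
            found = ctx
    return found


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def label_drift(specs, on_disk):
    """(path, actual type, expected type) for each entry whose on-disk type
    differs from file_contexts: the list `restorecon -n -v` would print."""
    drift = []
    for path, obj_class, actual in on_disk:
        expected = lookup(specs, path, obj_class)
        if expected is not None and context_type(expected) != context_type(actual):
            drift.append((path, context_type(actual), context_type(expected)))
    return drift


if __name__ == "__main__":
    specs = load_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, actual, expected in label_drift(specs, SAMPLE_ON_DISK):
        print(f"{path}: {actual} -> {expected}")
```

Two consequences for this thread follow from the last-match rule. The rsyncd.lock file resolves to rsync_log_t even though the broader `/var/run(/.*)?` entry also matches, which is the mismatch the rsync poster's denial shows. And a mountpoint relabeled with chcon, as in Paul's fix, is drift by this measure: the next restorecon or full relabel puts the file_contexts type back. To keep such an override across relabels it has to be recorded in the database first (`semanage fcontext -a -t mnt_t '/var/run'`, then `restorecon -v /var/run`), rather than applied with chcon alone.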
From mmcallis at redhat.com Sun Oct 5 23:30:54 2008 From: mmcallis at redhat.com (Murray McAllister) Date: Mon, 06 Oct 2008 09:30:54 +1000 Subject: rsync can't write to /var/run/rsyncd.lock In-Reply-To: References: Message-ID: <48E94E2E.7090507@redhat.com> Ian Pilcher wrote: > selinux-policy-targeted-3.0.8-117.fc8 > > host=home.icp.selfip.net type=AVC msg=audit(1223194499.218:1065): avc: > denied { read write } for pid=9837 comm="rsync" name="rsyncd.lock" > dev=dm-1 ino=337788 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:var_run_t:s0 tclass=file > > host=home.icp.selfip.net type=SYSCALL msg=audit(1223194499.218:1065): > arch=c000003e syscall=2 success=no exit=-13 a0=adfc60 a1=42 a2=180 a3=8 > items=0 ppid=9836 pid=9837 auid=4294967295 uid=0 gid=0 euid=0 suid=0 > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync" > exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0-s0:c0.c1023 > key=(null) > Hi, On Fedora 9, selinux-policy-3.3.1-95.fc9.noarch and selinux-policy-targeted-3.3.1-95.fc9.noarch: $ grep rsyncd /etc/selinux/targeted/contexts/files/* /etc/selinux/targeted/contexts/files/file_contexts:/var/run/rsyncd\.lock -- system_u:object_r:rsync_log_t:s0 Your first error looks like rsyncd.lock is labeled with the var_run_t type, so maybe it needs to be rsync_log_t type. What output do you get from "grep rsyncd /etc/selinux/targeted/contexts/files/*"? Maybe try running the following as root: /sbin/restorecon -R -v /var/run/ There might be something wrong with rsyncd if it is creating files with the wrong type. From mmcallis at redhat.com Mon Oct 6 00:47:28 2008 From: mmcallis at redhat.com (Murray McAllister) Date: Mon, 06 Oct 2008 10:47:28 +1000 Subject: correct procedure for updating SELinux packages Message-ID: <48E96020.7090705@redhat.com> Hi, To update SELinux packages, should you always use "yum update" and update all packages? Do problems occur if you only upgrade the SELinux packages, and no other packages? 
Thanks.

From dwalsh at redhat.com Mon Oct 6 12:22:40 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 06 Oct 2008 08:22:40 -0400
Subject: Revert to default settings after seedit relabel, was: Re: Hello world and first question concerning Munin
In-Reply-To: <1223136228.3607.1.camel@calex.dipohl.com>
References: <1221222928.3231.129.camel@calex.dipohl.com> <1221227347.4712.19.camel@moss-spartans.epoch.ncsc.mil> <1223116147.3059.32.camel@calex.dipohl.com> <1223136228.3607.1.camel@calex.dipohl.com>
Message-ID: <48EA0310.1050603@redhat.com>

Gabriele Pohl wrote:
> On Saturday, 04.10.2008, 12:29 +0200, Gabriele Pohl wrote:
>> http://seedit.sourceforge.net/
>>
>> "You can try SELinux Policy Editor on Fedora Core 6,7,8 or CentOS 4,
>> Cent OS5. It will not affect existing SELinux policies so it is
>> possible to revert to the default settings easily."
>>
>> After switching the mode *targeted* again
>> (but no reboot since now) I see none of the
>> old modules. All contexts are *unconfined*.
>
> this is ok now, after the reboot.
>
>> On Friday, 12.09.2008, 09:49 -0400, Stephen Smalley wrote:
>>> On Fri, 2008-09-12 at 14:35 +0200, Gabriele Pohl wrote:
>>>> I use Munin (http://munin.projects.linpro.no/)
>>>> Now my first question:
>>>>
>> I would like to look at the rules defined in
>> the policy module. How can I do this?
>
> this is my question left now.
>
> Kind regards,
>
> Gabriele
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You can get most of the rules defined for a domain by using sesearch
and/or apol

sesearch --allow -s munin_t

Or you could always download the src.rpm and just look at the munin.te
file. Rawhide version attached.

-------------- next part --------------
Name: munin.te

From dwalsh at redhat.com Mon Oct 6 12:25:26 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 06 Oct 2008 08:25:26 -0400
Subject: /var/spool mount denied
In-Reply-To: <20081005214338.0c577894@metropolis.intra.city-fan.org>
References: <20081004175655.GJ10452@Bolizm.ihep.su> <20081004191042.118e9f7e@metropolis.intra.city-fan.org> <200810041757.m94HvAuu026729@listman.util.phx.redhat.com> <20081004175655.GJ10452@Bolizm.ihep.su> <20081004185010.GK10452@Bolizm.ihep.su> <20081005214338.0c577894@metropolis.intra.city-fan.org>
Message-ID: <48EA03B6.9050903@redhat.com>

Paul Howarth wrote:
> On Sat, 4 Oct 2008 22:50:10 +0400
> QingLong wrote:
>
>>> You have a somewhat unusual set of mount points there.
>>>
>> Well, I know.
>> But I use to use different fs types and fs parameters (and mount
>> options) as various filesystem parts have different functionality and
>> operating modes. E.g. traditional news spool on a Usenet News server
>> needs lo-o-ots of inodes.
>
> /var/spool I can understand, but /var/lock and /var/run?
>
>>> Fix for now: reboot so that all "problem" filesystems are left
>>> unmounted (or manually unmount all of them), then change the context
>>> type of the mountpoint directories to mnt_t:
>>>
>>> # chcon -t mnt_t /var/run /var/spool /var/lock
>>>
>> Thank you.
>>
>> And a few more questions, if you let me.
>> Once the problem is in the context of mount points,
>> then how does post-startup manual `mount -a' succeed?
>> I believe it would fail quite in the same manner, wouldn't it?
>
> No, because when you run "mount" manually like this, it runs
> "unconfined" - there is no transition to the mount_t domain in SELinux,
> and hence you're not affected. At boot time, mount is run from an
> initscript and the transition happens, so mount is constrained about
> what it can do by SELinux.
>
>> And why don't other ``unusual'' filesystems (I have several others)
>> fail in the same way, but get mounted during startup quite
>> successfully? Aren't there some race conditions?
>
> Many of the more commonly-used mountpoints are configured as such in
> SELinux policy (/var/spool/mail for instance) and don't cause problems.
>
> Paul.

setsebool -P allow_mount_anyfile 1

Should allow you to mount files/directories anywhere on your system.

From dwalsh at redhat.com Mon Oct 6 12:57:11 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 06 Oct 2008 08:57:11 -0400
Subject: rsync can't write to /var/run/rsyncd.lock
In-Reply-To: <48E94E2E.7090507@redhat.com>
References: <48E94E2E.7090507@redhat.com>
Message-ID: <48EA0B27.1070904@redhat.com>

Murray McAllister wrote:
> Ian Pilcher wrote:
>> selinux-policy-targeted-3.0.8-117.fc8
>>
>> host=home.icp.selfip.net type=AVC msg=audit(1223194499.218:1065): avc:
>> denied { read write } for pid=9837 comm="rsync" name="rsyncd.lock"
>> dev=dm-1 ino=337788 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_run_t:s0 tclass=file
>>
>> host=home.icp.selfip.net type=SYSCALL msg=audit(1223194499.218:1065):
>> arch=c000003e syscall=2 success=no exit=-13 a0=adfc60 a1=42 a2=180 a3=8
>> items=0 ppid=9836 pid=9837 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsync"
>> exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0-s0:c0.c1023
>> key=(null)
>>
> Hi,
>
> On Fedora 9, selinux-policy-3.3.1-95.fc9.noarch and
> selinux-policy-targeted-3.3.1-95.fc9.noarch:
>
> $ grep rsyncd /etc/selinux/targeted/contexts/files/*
>
> /etc/selinux/targeted/contexts/files/file_contexts:/var/run/rsyncd\.lock
> -- system_u:object_r:rsync_log_t:s0
>
> Your first error looks like rsyncd.lock is labeled with the var_run_t
> type, so maybe it needs to be rsync_log_t type.
>
> What output do you get from "grep rsyncd
> /etc/selinux/targeted/contexts/files/*"?
>
> Maybe try running the following as root:
>
> /sbin/restorecon -R -v /var/run/
>
> There might be something wrong with rsyncd if it is creating files with
> the wrong type.

Well, that is actually a bug in F9 in that it should be labeled
rsync_var_run_t. I will fix in F9, Rawhide and F8.

Changing the context to rsync_log_t or rsync_var_run_t
should solve the problem.

From ftaylor at redhat.com Mon Oct 6 12:57:45 2008
From: ftaylor at redhat.com (Forrest Taylor)
Date: Mon, 06 Oct 2008 08:57:45 -0400
Subject: correct procedure for updating SELinux packages
In-Reply-To: <48E96020.7090705@redhat.com>
References: <48E96020.7090705@redhat.com>
Message-ID: <1223297865.4319.7.camel@localhost.localdomain>

On Mon, 2008-10-06 at 10:47 +1000, Murray McAllister wrote:
> Hi,
>
> To update SELinux packages, should you always use "yum update" and
> update all packages?
>
> Do problems occur if you only upgrade the SELinux packages, and no other
> packages?

There should not be any problem just upgrading the SELinux packages. If
you do run into problems, it is a bug and should be filed in bugzilla.

--
Forrest Taylor
Global Learning Services
Project Manager III
Cell: 303-913-5169
AIM: forresttaylorred
Red Hat IRC: forrest
From dwalsh at redhat.com Mon Oct 6 12:59:25 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 06 Oct 2008 08:59:25 -0400
Subject: correct procedure for updating SELinux packages
In-Reply-To: <1223297865.4319.7.camel@localhost.localdomain>
References: <48E96020.7090705@redhat.com> <1223297865.4319.7.camel@localhost.localdomain>
Message-ID: <48EA0BAD.5070209@redhat.com>

Forrest Taylor wrote:
> On Mon, 2008-10-06 at 10:47 +1000, Murray McAllister wrote:
>> Hi,
>>
>> To update SELinux packages, should you always use "yum update" and
>> update all packages?
>>
>> Do problems occur if you only upgrade the SELinux packages, and no other
>> packages?
>
> There should not be any problem just upgrading the SELinux packages. If
> you do run into problems, it is a bug and should be filed in bugzilla.

I agree you can update those packages alone; any problem is a bug.

From arequipeno at gmail.com Mon Oct 6 14:38:23 2008
From: arequipeno at gmail.com (Ian Pilcher)
Date: Mon, 06 Oct 2008 09:38:23 -0500
Subject: rsync can't write to /var/run/rsyncd.lock
In-Reply-To: <48EA0B27.1070904@redhat.com>
References: <48E94E2E.7090507@redhat.com> <48EA0B27.1070904@redhat.com>
Message-ID:

Daniel J Walsh wrote:
>
> Changing the context to rsync_log_t or rsync_var_run_t
> should solve the problem.
>

Interestingly, rsync does create the file with the correct context,
rsync_var_run_t. restorecon, however, wants to change it back to
var_run_t. I'm guessing it got changed by the automatic relabel when I
installed the new policy.

Thanks!
--
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
========================================================================

From ftaylor at redhat.com Mon Oct 6 15:28:07 2008
From: ftaylor at redhat.com (Forrest Taylor)
Date: Mon, 06 Oct 2008 11:28:07 -0400
Subject: rsync as backup for laptop to desktop external HD
In-Reply-To:
References:
Message-ID: <1223306887.4319.20.camel@localhost.localdomain>

On Fri, 2008-10-03 at 07:33 +0000, Mike wrote:
> I have for many years run backups from laptops on the local LAN to an external
> USB drive attached to the main desktop machine using rsync -aH.
> The main desktop is running F8 with SELinux disabled.
>
> In recent months I upgraded the laptop to F9 with SELinux enabled.
>
> I have just realised that the method I use gives files on the backup drive
> that have no selinux contexts... so in the event of having to rebuild a laptop
> and pulling files off the backup drive the selinux contexts would have to be
> recreated.
>
> I am fairly new to SELinux but I presume that merely adding -X to the rsync
> command would still not produce any contexts on the files that are generated
> on the backup drive since the machine that is processing the rsync at the
> receive end has SELinux disabled.

That is correct. The remote OS does not understand the SELinux
contexts, so you will get many errors when you try the -X option.

> At some point the desktop will be upgraded to F9 (and later F10) with SELinux
> enabled - and I am now not sure if attaching the original external USB drive
> unchanged would then still result in files without any security contexts on
> the external drive?

Be careful using two different operating systems with rsync--if the
local OS is trying to backup to the remote OS, and the remote OS doesn't
know about the contexts on the local OS, you will again have errors.

> If this is the case would I need to label the filesystem on the external drive?
> What is the best route to getting this backup system working to preserve
> security contexts for all files (including system areas such as /var /etc ?

Before it gets too complex, let me just say that you may be able to
simply use `restorecon -Rv /etc` to restore contexts to everything in
/etc/. This may be the simplest solution.

Barring that, the easiest way to get backups with good contexts is to use
getfattr to store the current contexts to a file. You will be able to
use the file to restore contexts. If you wanted to backup the SELinux
attributes for all files/dirs in /etc/, for example, run:

getfattr -Rdh -m security.selinux /etc > /etc/SELinux-attrs

If you wanted to restore from backup, do the data restore, then run the
following:

cd /
setfattr -h --restore=/etc/SELinux-attrs

Run `ls -Z /etc/` to verify proper context.

--
Forrest Taylor
Global Learning Services
Project Manager III
Cell: 303-913-5169
AIM: forresttaylorred
Red Hat IRC: forrest

From mike.cloaked at gmail.com Mon Oct 6 19:44:20 2008
From: mike.cloaked at gmail.com (Mike)
Date: Mon, 6 Oct 2008 19:44:20 +0000 (UTC)
Subject: rsync as backup for laptop to desktop external HD
References: <1223306887.4319.20.camel@localhost.localdomain>
Message-ID:

Forrest Taylor redhat.com> writes:

> That is correct. The remote OS does not understand the SELinux
> contexts, so you will get many errors when you try the -X option.

OK I have now run some tests to verify that the backup scheme I had
originally hoped would work does indeed work as planned.

I have a pre-existing USB drive formatted ext3 that I have been
regularly using on a main machine running SELinux disabled as a central
backup store for the main directories for several machines on my LAN for
some years.
This disk contains backups for about half a dozen computers in the local
network and I would rather not have to recreate all the files but use the
same drive for SELinux enabled machines as I transition to the main
machine being SELinux enabled.

In order to test viability using the same drive as a backup drive under
SELinux I plugged this disk into a laptop USB port directly. The laptop
is running F9 with SELinux enabled and fully up to date. The drive plugs
in and automagically opens a window in the desktop under Gnome showing
the directories in the drive (in this case just one,
/media/usbdisc3/BACKUPS, and the machine subdirectories are within the
BACKUPS directory). The disk is labelled as usbdisc3 so appears as
/media/usbdisc3.

I then made a new directory at the top level of this drive called test.

As a first test I copied the file /etc/resolv.conf to this drive from
this machine using the simple command as root:

# rsync -aXHv /etc/resolv.conf /media/usbdisc3/test/

Then I unmounted the USB drive and plugged it back in from cold.

The crucial test was to check the file permissions and contexts which
appeared as in the output below:

[mike at lapmike2 ~]$ ll -Z /media/usbdisc3/test/
-rw-r--r-- root root system_u:object_r:net_conf_t:s0 resolv.conf

Checking the original file gave:

[mike at lapmike2 ~]$ ll -Z /etc/resolv.conf
-rw-r--r-- root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf

We can see that the permissions, ownership and security contexts have
been preserved in the rsync transfer.
Then I booted up a second machine also running F9 with SELinux enabled
and on that machine did as root:

# rsync -aXHv -e ssh /etc/hosts lapmike2w:/media/usbdisc3/test/

Checking the original file details gave:

[mike at lapmike3 ~]$ ll -Z /etc/hosts
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/hosts

and on the machine on which the backup file now resides we can check the
newly created file:

[mike at lapmike2 ~]$ ll -Z /media/usbdisc3/test/
-rw-r--r-- root root system_u:object_r:etc_t:s0 hosts
-rw-r--r-- root root system_u:object_r:net_conf_t:s0 resolv.conf

So we see that all the file attributes have been copied across
correctly, and a restore of these files with their extended attributes
can be made using rsync -aXHv from the backup drive onto any machine as
desired.

So this works nicely and the original drive does not need to be
reformatted, nor the file system re-created. Running a backup
overwriting the original one with no security contexts works fine.

From arequipeno at gmail.com Tue Oct 7 14:36:39 2008
From: arequipeno at gmail.com (Ian Pilcher)
Date: Tue, 07 Oct 2008 09:36:39 -0500
Subject: nm-system-settings cannot read /var/lib/PolicyKit
Message-ID:

selinux-policy-targeted-3.0.8-117.fc8

host=home.icp.selfip.net type=AVC msg=audit(1223356599.632:80): avc:
denied { read } for pid=3515 comm="nm-system-setti" name="PolicyKit"
dev=dm-1 ino=360485
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
host=home.icp.selfip.net type=SYSCALL msg=audit(1223356599.632:80):
arch=c000003e syscall=254 success=no exit=-13 a0=6 a1=3d75e0914e a2=306
a3=38cb7529f0 items=0 ppid=3514 pid=3515 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="nm-system-setti" exe="/usr/sbin/nm-system-settings"
subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

Anyone know what is running nm-system-settings? (NetworkManager is
turned off.)
--
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
========================================================================

From rtroy at ScienceTools.com Tue Oct 7 19:21:32 2008
From: rtroy at ScienceTools.com (Richard Troy)
Date: Tue, 7 Oct 2008 12:21:32 -0700 (PDT)
Subject: SUID question
Message-ID:

Hello All,

As it's my first post here, I want to say I'm glad this list exists as
I'm pretty sure there are folks who can point me in the right
directions, as needed...

I've been using unix since the 1970s, so I'm pretty familiar with it,
and I've been using Linux - and Red-Hat / Fedora since their early days,
too, so in general terms, I'm no novice. However, I've been ignoring
SELINUX. When I first tried it, it was a huge disaster and I haven't
given it another look, but the time has finally come, primarily because
I simply _must_ resolve a problem I strongly suspect is caused by
SELINUX, and secondarily because I've got a system that runs on just
about everything _but_ selinux and provides compute server (think "grid
computing") and sophisticated archival services, and it's to the point
where it's time that it work on SELINUX systems, too.

So, the more immediate problem: On a Fedora host, a "C" based program
that launches all the server functionality (including archiving) has its
suid bit set (and gid, too) so it runs as the server installation's
owner. It's actually pretty smart by validating its environment hasn't
been hacked, etc, and then gets to business. This code has somehow
broken during a couple of upgrades of Fedora - I didn't notice it at
first because as the developer, I always run it as the development
installation's owner and as a fluke apparently others haven't
experienced this problem or haven't reported it. Recently, however,
someone else went to play with it and it refused. Some simple checks
indicated that the SUID bit wasn't being honored.
The system has SELINUX installed but disabled - the kernel is
2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
but _why?_ ...There's no known (to me!) reason this should fail! Any
pointers GREATLY appreciated.

The less immediate issue is really a quest for pointers to the most
appropriate source packages so I can see how other programs solve
similar SELINUX related issues. Ideally, this code can both archive and
restore any file on the system. In addition, it currently - ignoring
SELINUX for a moment - tracks all meta-data changes - ownership and
permissions, the various dates associated with a file, etc, in addition
to file data, so it has the handy trait of both providing an audit trail
and an ability to restore data or meta-data as needed. As such it needs
to be able to discover what the security context details are so it can
record them, in addition to the obvious need to update SELINUX security
details on a per file basis.... I don't even know how to do that from
the command line, much less write a program to do it! ...However, I'm
sure somewhere these things have been already addressed, such as with
tar, etc.

Please point me to what you think are appropriate models / code that can
be examined, etc. And, if there's a well written tutorial intended for
people who are already "up to speed" on everything but SELINUX, it would
be greatly appreciated.
Thank you,
Richard

--
Richard Troy, Chief Scientist
Science Tools Corporation
510-717-6942
rtroy at ScienceTools.com, http://ScienceTools.com/

From eparis at redhat.com Tue Oct 7 20:49:01 2008
From: eparis at redhat.com (Eric Paris)
Date: Tue, 07 Oct 2008 16:49:01 -0400
Subject: SUID question
In-Reply-To:
References:
Message-ID: <1223412541.2994.17.camel@localhost.localdomain>

On Tue, 2008-10-07 at 12:21 -0700, Richard Troy wrote:
> So, the more immediate problem: On a Fedora host, a "C" based program that
> launches all the server functionality (including archiving) has its suid
> bit set (and gid, too) so it runs as the server installation's owner. It's
> actually pretty smart by validating its environment hasn't been hacked,
> etc, and then gets to business. This code has somehow broken during a
> couple of upgrades of Fedora - I didn't notice it at first because as the
> developer, I always run it as the development installation's owner and as
> a fluke apparently others haven't experienced this problem or haven't
> reported it. Recently, however, someone else went to play with it and it
> refused. Some simple checks indicated that the SUID bit wasn't being
> honored. The system has SELINUX installed but disabled - the kernel is
> 2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
> but _why?_

fs mounted with nosuid? this is not an selinux'ism....

> The less immediate issue is really a quest for pointers to the most
> appropriate source packages so I can see how other programs solve similar
> SELINUX related issues. Ideally, this code can both archive and restore
> any file on the system. In addition, it currently - ignoring SELINUX for a
> moment - tracks all meta-data changes - ownership and permissions, the
> various dates associated with a file, etc, in addition to file data, so it
> has the handy trait of both providing an audit trail and an ability to
> restore data or meta-data as needed.
> As such it needs to be able to
> discover what the security context details are so it can record them, in
> addition to the obvious need to update SELINUX security details on a per
> file basis.... I don't even know how to do that from the command line,
> much less write a program to do it! ...However, I'm sure somewhere these
> things have been already addressed, such as with tar, etc.

rsync I think was the first package to do this. tar now has selinux
label capabilities. you can either get at it through the libselinux
interfaces or directly use get/setxattr looking at the security.selinux
namespace. Assuming your program runs unconfined (as most things do by
default if you don't write policy for them) selinux shouldn't be getting
in your way of this type of operation.....

I don't think libselinux has much in the way of docs other than grabbing
the code and looking at what interfaces it provides...

From extremoburo at gmail.com Wed Oct 8 09:37:17 2008
From: extremoburo at gmail.com (Fabrizio Buratta)
Date: Wed, 8 Oct 2008 11:37:17 +0200
Subject: selinux context disappear after nfs mount
Message-ID: <48e871f70810080237k69e7f729wf2f0f6776d7e7f2e@mail.gmail.com>

Hi everybody.

I'm trying to mount an nfs server (a raid5 nas) on my centos4.
Afterwards I want a script inside apache cgi-bin directory to be able
to do any file and dir operations.

Let's say I want a context capable of apache r/w operations on my
mount dir, then I execute:

mount -t nfs -o context=system_u:object_r:httpd_sys_script_rw_t mynas:/external_dir /mnt/my_mount_dir

it does mount my external dir but if I execute ls -Z I see:

drwxrwxrwx 254 254 storage

Where's my context?
Obviously my script is not able to write on this directory and selinux
complains:

type=AVC msg=audit(1223458283.439:3794033): avc: denied { getattr } for pid=21669 comm="python" name="var" dev=dm-0 ino=261121 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003 syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4 a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1223458283.439:3794033): path="/var"
type=CWD msg=audit(1223458283.439:3794033): cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458283.439:3794033): name="/var" flags=0 inode=261121 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.050:3794034): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.050:3794034): arch=40000003 syscall=195 success=no exit=-13 a0=9294de8 a1=bfed2610 a2=3bfff4 a3=b7e5014c items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1223458286.050:3794034): cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.050:3794034): name="/mnt/storage/nightly/testfile" flags=1 inode=718081 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1223458286.051:3794035): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
type=SYSCALL msg=audit(1223458286.051:3794035): arch=40000003 syscall=5 success=no exit=-13 a0=9294de8 a1=8241 a2=1b6 a3=8241 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=CWD
msg=audit(1223458286.051:3794035): cwd="/var/www/cgi-bin"
type=PATH msg=audit(1223458286.051:3794035): name="/mnt/storage/nightly/testfile" flags=310 inode=718081 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00

Of course I'm using a python script.
Until now I did not try to compile a local selinux policy in order
to allow that kind of operations (I would avoid it if possible)

Any suggestion?

Thanks,
Fab.

From dwalsh at redhat.com Wed Oct 8 11:37:12 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 08 Oct 2008 07:37:12 -0400
Subject: selinux context disappear after nfs mount
In-Reply-To: <48e871f70810080237k69e7f729wf2f0f6776d7e7f2e@mail.gmail.com>
References: <48e871f70810080237k69e7f729wf2f0f6776d7e7f2e@mail.gmail.com>
Message-ID: <48EC9B68.2060902@redhat.com>

Fabrizio Buratta wrote:
> Hi everybody.
>
> I'm trying to mount an nfs server (a raid5 nas) on my centos4.
> Afterwards I want
> a script inside apache cgi-bin directory to be able to do any file and
> dir operations.
>
> Let's say I want a context capable of apache r/w operations on my
> mount dir, then I execute:
>
> mount -t nfs -o context=system_u:object_r:httpd_sys_script_rw_t
> mynas:/external_dir /mnt/my_mount_dir
>
> it does mount my external dir but if I execute ls -Z I see:
>
> drwxrwxrwx 254 254 storage
>
> Where's my context?
> Obviously my script is not able to write on this
> directory and selinux complains:
>
> type=AVC msg=audit(1223458283.439:3794033): avc: denied { getattr }
> for pid=21669 comm="python" name="var" dev=dm-0 ino=261121
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_t tclass=dir
> type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003
> syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4
> a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> type=AVC_PATH msg=audit(1223458283.439:3794033): path="/var"
> type=CWD msg=audit(1223458283.439:3794033): cwd="/var/www/cgi-bin"
> type=PATH msg=audit(1223458283.439:3794033): name="/var" flags=0
> inode=261121 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1223458286.050:3794034): avc: denied { search }
> for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:mnt_t tclass=dir
> type=SYSCALL msg=audit(1223458286.050:3794034): arch=40000003
> syscall=195 success=no exit=-13 a0=9294de8 a1=bfed2610 a2=3bfff4
> a3=b7e5014c items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> type=CWD msg=audit(1223458286.050:3794034): cwd="/var/www/cgi-bin"
> type=PATH msg=audit(1223458286.050:3794034):
> name="/mnt/storage/nightly/testfile" flags=1 inode=718081 dev=fd:00
> mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1223458286.051:3794035): avc: denied { search }
> for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:mnt_t tclass=dir
> type=SYSCALL msg=audit(1223458286.051:3794035): arch=40000003
> syscall=5 success=no exit=-13 a0=9294de8 a1=8241 a2=1b6 a3=8241
> items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48
> fsgid=48 comm="python" exe="/usr/bin/python"
> type=CWD msg=audit(1223458286.051:3794035): cwd="/var/www/cgi-bin"
> type=PATH msg=audit(1223458286.051:3794035):
> name="/mnt/storage/nightly/testfile" flags=310 inode=718081 dev=fd:00
> mode=040755 ouid=0 ogid=0 rdev=00:00
>
> Of course I'm using a python script.
> Until now I did not try to compile a local selinux policy in order
> to allow that kind of operations (I would avoid it if possible)
>
> Any suggestion?
>
> Thanks,
> Fab.

You have two problems.

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t mnt_t:dir search;

You need to load a custom policy to allow your cgi scripts to read
through the /mnt directory.

allow httpd_sys_script_t var_t:dir getattr;

This one does not make sense; this rule should be allowed in all default
policies. What policy are you running? Apache scripts should be able to
search/getattr on var_t in order to use /var/www/.

Neither of these avc's are much of a security risk to allow.
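As an added example (not code from the list or from audit2allow): a small Python parser that turns AVC records like the ones quoted in this thread into the merged allow-rule summary Dan gives above, joining each AVC to its SYSCALL record by audit id so the offending exe and uid are reported alongside. The sample log is constructed from the records in this thread, with some SYSCALL records omitted.

```python
"""Summarise SELinux AVC denials into audit2allow-style allow rules.

Added example for this thread; not code from the list or from audit2allow.
"""
import re

# Constructed sample, modelled on the AVC/SYSCALL records posted in this
# thread (some SYSCALL records are omitted or trimmed to the fields used).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1223458283.439:3794033): avc: denied { getattr } for pid=21669 comm="python" name="var" dev=dm-0 ino=261121 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
type=SYSCALL msg=audit(1223458283.439:3794033): arch=40000003 syscall=196 success=no exit=-13 a0=bfed2bd0 a1=bfed1f0c a2=3bfff4 a3=bfed2bd0 items=1 pid=21669 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
type=AVC msg=audit(1223458286.050:3794034): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
type=AVC msg=audit(1223458286.051:3794035): avc: denied { search } for pid=21669 comm="python" name="mnt" dev=dm-0 ino=718081 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mnt_t tclass=dir
host=home.icp.selfip.net type=AVC msg=audit(1223194499.218:1065): avc: denied { read write } for pid=9837 comm="rsync" name="rsyncd.lock" dev=dm-1 ino=337788 scontext=system_u:system_r:rsync_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
host=home.icp.selfip.net type=SYSCALL msg=audit(1223194499.218:1065): arch=c000003e syscall=2 success=no exit=-13 pid=9837 uid=0 comm="rsync" exe="/usr/bin/rsync" subj=system_u:system_r:rsync_t:s0-s0:c0.c1023 key=(null)
"""

# Header of an AVC record: the audit id and the braced permission list.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\):\s*avc:\s*denied\s*'
    r'\{(?P<perms>[^}]*)\}\s*for\s+(?P<fields>.*)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\):(?P<fields>.*)')
# key=value pairs; values are either double-quoted or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'pid=1 comm="x" ...' into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(context):
    """Extract the type from user:role:type[:range]; other shapes pass through."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_audit_log(text):
    """Return one dict per AVC denial, joined to its SYSCALL record by audit id."""
    denials, syscalls = [], {}
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group('id')] = parse_fields(m.group('fields'))
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        f = parse_fields(m.group('fields'))
        denials.append({
            'id': m.group('id'),
            'perms': m.group('perms').split(),
            'stype': context_type(f.get('scontext', '')),
            'ttype': context_type(f.get('tcontext', '')),
            'tclass': f.get('tclass', ''),
            'comm': f.get('comm'),
            'name': f.get('name'),
            'exe': None,
            'uid': None,
        })
    # A SYSCALL record may follow its AVC, so join only after reading everything.
    for d in denials:
        sc = syscalls.get(d['id'])
        if sc:
            d['exe'] = sc.get('exe')
            d['uid'] = sc.get('uid')
    return denials


def allow_rules(denials):
    """Merge denials into audit2allow-style rules, one per (source, target, class).

    An allow rule is not always the right fix: in this thread the
    rsync_t -> var_run_t denial was a labelling bug, cured by relabelling
    the file rather than by widening policy.
    """
    merged = {}
    for d in denials:
        perms = merged.setdefault((d['stype'], d['ttype'], d['tclass']), [])
        for p in d['perms']:
            if p not in perms:
                perms.append(p)
    rules = []
    for (stype, ttype, tclass), perms in merged.items():
        p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {p};')
    return rules


if __name__ == '__main__':
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d['id']}: {d['stype']} -> {d['ttype']}:{d['tclass']} "
              f"{d['perms']} comm={d['comm']} exe={d['exe']} uid={d['uid']}")
    print('\n'.join(allow_rules(found)))
```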
From dwalsh at redhat.com Wed Oct 8 14:59:58 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 08 Oct 2008 10:59:58 -0400
Subject: nm-system-settings cannot read /var/lib/PolicyKit
In-Reply-To:
References:
Message-ID: <48ECCAEE.6070900@redhat.com>

Ian Pilcher wrote:
> selinux-policy-targeted-3.0.8-117.fc8
>
> host=home.icp.selfip.net type=AVC msg=audit(1223356599.632:80): avc:
> denied { read } for pid=3515 comm="nm-system-setti" name="PolicyKit"
> dev=dm-1 ino=360485
> scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hald_var_lib_t:s0 tclass=dir
> host=home.icp.selfip.net type=SYSCALL msg=audit(1223356599.632:80):
> arch=c000003e syscall=254 success=no exit=-13 a0=6 a1=3d75e0914e a2=306
> a3=38cb7529f0 items=0 ppid=3514 pid=3515 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="nm-system-setti" exe="/usr/sbin/nm-system-settings"
> subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
>
> Anyone know what is running nm-system-settings? (NetworkManager is
> turned off.)
>

Has policykit been backported to F8?
From dwalsh at redhat.com Wed Oct 8 15:04:00 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 08 Oct 2008 11:04:00 -0400
Subject: SUID question
In-Reply-To: <1223412541.2994.17.camel@localhost.localdomain>
References: <1223412541.2994.17.camel@localhost.localdomain>
Message-ID: <48ECCBE0.6000001@redhat.com>

Eric Paris wrote:
> On Tue, 2008-10-07 at 12:21 -0700, Richard Troy wrote:
>
>> So, the more immediate problem: On a Fedora host, a "C" based program that
>> launches all the server functionality (including archiving) has its suid
>> bit set (and gid, too) so it runs as the server installation's owner. It's
>> actually pretty smart by validating its environment hasn't been hacked,
>> etc, and then gets to business. This code has somehow broken during a
>> couple of upgrades of Fedora - I didn't notice it at first because as the
>> developer, I always run it as the development installation's owner and as
>> a fluke apparently others haven't experienced this problem or haven't
>> reported it. Recently, however, someone else went to play with it and it
>> refused. Some simple checks indicated that the SUID bit wasn't being
>> honored. The system has SELINUX installed but disabled - the kernel is
>> 2.6.21-1.3194.fc7. It's trivially easy to prove the suid bit is ignored
>> but _why?_
>
> fs mounted with nosuid? this is not an selinux'ism....
>
>> The less immediate issue is really a quest for pointers to the most
>> appropriate source packages so I can see how other programs solve similar
>> SELINUX related issues. Ideally, this code can both archive and restore
>> any file on the system.
>> In addition, it currently - ignoring SELINUX for a
>> moment - tracks all meta-data changes - ownership and permissions, the
>> various dates associated with a file, etc, in addition to file data, so it
>> has the handy trait of both providing an audit trail and an ability to
>> restore data or meta-data as needed. As such it needs to be able to
>> discover what the security context details are so it can record them, in
>> addition to the obvious need to update SELINUX security details on a per
>> file basis.... I don't even know how to do that from the command line,
>> much less write a program to do it! ...However, I'm sure somewhere these
>> things have been already addressed, such as with tar, etc.
>
> rsync I think was the first package to do this. tar now has selinux
> label capabilities. you can either get at it through the libselinux
> interfaces or directly use get/setxattr looking at the security.selinux
> namespace. Assuming your program runs unconfined (as most things do by
> default if you don't write policy for them) selinux shouldn't be getting
> in your way of this type of operation.....
>
> I don't think libselinux has much in the way of docs other than grabbing
> the code and looking at what interfaces it provides...
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You probably want to look at the following SELinux functions.

man getfilecon
man setfilecon
man setfscreatecon

# ls -lZ FILE
Will list the file context

# chcon CONTEXT FILE
Will change the context.

# restorecon FILE
Will ask the system what it should be labeled and make it so.
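The "directly use get/setxattr" route Eric describes, written out as an added example (not code from this thread, from libselinux or from Richard's program): a file's label is the value of the security.selinux extended attribute, so an archiver that already saves ownership and permissions can record and restore it the same way. It assumes Linux with glibc's <sys/xattr.h>; getfilecon()/setfilecon() from libselinux, which Dan points at, wrap the same two calls. The context parser also handles the MLS range, which can itself contain colons (the NetworkManager_t AVC earlier in this digest shows s0-s0:c0.c1023).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

/* A file's SELinux label is the value of this xattr; libselinux's
 * getfilecon()/setfilecon() are thin wrappers around lgetxattr()/lsetxattr(). */
#define SELINUX_XATTR "security.selinux"

/* read_label() results.  "No label" (SELinux disabled, or a filesystem
 * without xattrs) is normal for an archiver and is kept apart from errors. */
enum label_status { LABEL_OK = 0, LABEL_NONE = 1, LABEL_ERROR = -1 };

/* user:role:type[:range]; the range may hold colons, so only the first three split fields. */
struct selinux_context {
    char user[64], role[64], type[128];
    char range[64];                  /* "" when there is no range */
};

/* Copy [start, end) into dst, rejecting empty or oversized fields. */
static int copy_field(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= dstlen)
        return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Split a context string: 0 on success, -1 if malformed.  Run on every
 * label read back from an archive before handing it to the kernel. */
int parse_context(const char *ctx, struct selinux_context *out)
{
    const char *p = ctx, *colon;

    memset(out, 0, sizeof *out);
    if ((colon = strchr(p, ':')) == NULL ||
        copy_field(out->user, sizeof out->user, p, colon) != 0)
        return -1;
    p = colon + 1;
    if ((colon = strchr(p, ':')) == NULL ||
        copy_field(out->role, sizeof out->role, p, colon) != 0)
        return -1;
    p = colon + 1;
    if ((colon = strchr(p, ':')) == NULL)       /* three fields, no range */
        return copy_field(out->type, sizeof out->type, p, p + strlen(p));
    if (copy_field(out->type, sizeof out->type, p, colon) != 0)
        return -1;
    p = colon + 1;
    return copy_field(out->range, sizeof out->range, p, p + strlen(p));
}

/* Record the label of path (the link itself, like lstat).  The stored
 * value may or may not end in NUL, so the copy is terminated explicitly. */
int read_label(const char *path, char *out, size_t outlen)
{
    char buf[256];
    ssize_t n = lgetxattr(path, SELINUX_XATTR, buf, sizeof buf - 1);

    if (n < 0)
        return (errno == ENODATA || errno == ENOTSUP) ? LABEL_NONE : LABEL_ERROR;
    buf[n] = '\0';
    if (snprintf(out, outlen, "%s", buf) >= (int)outlen)
        return LABEL_ERROR;                     /* caller's buffer too small */
    return LABEL_OK;
}

/* Put a recorded label back: validate, then write it with its NUL, as
 * setfilecon() does.  Policy must grant relabelfrom/relabelto to the
 * caller's domain; on failure errno is left as set by lsetxattr. */
int restore_label(const char *path, const char *ctx)
{
    struct selinux_context parsed;

    if (parse_context(ctx, &parsed) != 0) {
        errno = EINVAL; return -1;
    }
    return lsetxattr(path, SELINUX_XATTR, ctx, strlen(ctx) + 1, 0);
}

/* Create a scratch file at a constructed temp path, read its label,
 * remove it and return the status, e.g. LABEL_NONE where SELinux is off. */
int probe_scratch_file(void)
{
    char name[] = "/tmp/label-probe-XXXXXX", label[256];
    int fd = mkstemp(name), st;

    if (fd < 0)
        return LABEL_ERROR;
    close(fd);
    st = read_label(name, label, sizeof label);
    unlink(name);
    return st;
}
```

Writing a label back needs the caller's domain to be allowed relabelfrom/relabelto, which an unconfined process gets by default; a confined archiver would need those rules in its policy.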
From arequipeno at gmail.com Wed Oct 8 16:40:52 2008
From: arequipeno at gmail.com (Ian Pilcher)
Date: Wed, 08 Oct 2008 11:40:52 -0500
Subject: nm-system-settings cannot read /var/lib/PolicyKit
In-Reply-To: <48ECCAEE.6070900@redhat.com>
References: <48ECCAEE.6070900@redhat.com>

Daniel J Walsh wrote:
> Has policykit been backported to F8?

[pilcher at home ~]$ rpm -qf /var/lib/PolicyKit
PolicyKit-0.6-2.fc8

Apparently so.

--
Ian Pilcher                                    arequipeno at gmail.com

From sundaram at fedoraproject.org Thu Oct 9 07:59:39 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Thu, 09 Oct 2008 13:29:39 +0530
Subject: writable memory segment: mplayer
Message-ID: <48EDB9EB.2080905@fedoraproject.org>

Hi

Since Fedora doesn't include this software, should an exception be added to the SELinux policy?

"If you trust mplayer to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/mplayer'". You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/mplayer'"

Rahul

From extremoburo at gmail.com Thu Oct 9 08:40:37 2008
From: extremoburo at gmail.com (Fabrizio Buratta)
Date: Thu, 9 Oct 2008 10:40:37 +0200
Subject: selinux context disappear after nfs mount
In-Reply-To: <48EC9B68.2060902@redhat.com>
References: <48e871f70810080237k69e7f729wf2f0f6776d7e7f2e@mail.gmail.com> <48EC9B68.2060902@redhat.com>
Message-ID: <48e871f70810090140qe86633aj70c8445f6b7de1f8@mail.gmail.com>

> You have two problems.
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t mnt_t:dir search;
>
> You need to load a custom policy to allow your cgi scripts to read
> through the /mnt directory
>
> allow httpd_sys_script_t var_t:dir getattr;
>
> This one does not make sense; this rule should be allowed in all default
> policies. What policy are you running? Apache scripts should be able
> to search/getattr on var_t in order to use /var/www/
>
> Neither of these avc's are much of a security risk to allow.
>

My policy version is 18,

the package: 1.17.30-2.150.el4

I will try with a custom policy thus,

I'll tell you if I face further issues.

Thanks a lot,

Fab

From sds at tycho.nsa.gov Thu Oct 9 12:45:59 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 09 Oct 2008 08:45:59 -0400
Subject: writable memory segment: mplayer
In-Reply-To: <48EDB9EB.2080905@fedoraproject.org>
References: <48EDB9EB.2080905@fedoraproject.org>
Message-ID: <1223556359.13181.9.camel@moss-spartans.epoch.ncsc.mil>

On Thu, 2008-10-09 at 13:29 +0530, Rahul Sundaram wrote:
> Hi
>
>
> Since Fedora doesn't include this software, should an exception be added
> to the SELinux policy?
>
> "If you trust mplayer to run correctly, you can change the context of
> the executable to unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t '/usr/bin/mplayer'". You must also change the
> default file context files on the system in order to preserve them even
> on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
> '/usr/bin/mplayer'"

I'd recommend always telling the user to run the semanage command first, and then run restorecon /usr/bin/mplayer afterward to set it on disk, rather than having to separately specify the type via chcon. setroubleshoot really shouldn't ever tell the user to use chcon IMHO.

--
Stephen Smalley
National Security Agency

From extremoburo at gmail.com Thu Oct 9 13:06:29 2008
From: extremoburo at gmail.com (Fabrizio Buratta)
Date: Thu, 9 Oct 2008 15:06:29 +0200
Subject: selinux context disappear after nfs mount
In-Reply-To: <48e871f70810090140qe86633aj70c8445f6b7de1f8@mail.gmail.com>
References: <48e871f70810080237k69e7f729wf2f0f6776d7e7f2e@mail.gmail.com> <48EC9B68.2060902@redhat.com> <48e871f70810090140qe86633aj70c8445f6b7de1f8@mail.gmail.com>
Message-ID: <48e871f70810090606i24cd8b34x5f37dc24b6d64d7@mail.gmail.com>

This is what I set:

local.te:

allow httpd_sys_script_t mnt_t:dir search;
allow httpd_sys_script_t var_t:dir getattr;
allow httpd_sys_script_t nfs_t:dir { search write add_name };
allow httpd_sys_script_t nfs_t:file { create unlink getattr append read write setattr };

Fab.

2008/10/9 Fabrizio Buratta:
>> You have two problems.
>>
>> #============= httpd_sys_script_t ==============
>> allow httpd_sys_script_t mnt_t:dir search;
>>
>> You need to load a custom policy to allow your cgi scripts to read
>> through the /mnt directory
>>
>> allow httpd_sys_script_t var_t:dir getattr;
>>
>> This one does not make sense; this rule should be allowed in all default
>> policies. What policy are you running?
>> Apache scripts should be able
>> to search/getattr on var_t in order to use /var/www/
>>
>> Neither of these avc's are much of a security risk to allow.
>>
>
> My policy version is 18,
>
> the package: 1.17.30-2.150.el4
>
> I will try with a custom policy thus,
>
> I'll tell you if I face further issues.
>
> Thanks a lot,
>
> Fab
>

From paul at city-fan.org Thu Oct 9 13:17:30 2008
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 09 Oct 2008 14:17:30 +0100
Subject: writable memory segment: mplayer
In-Reply-To: <1223556359.13181.9.camel@moss-spartans.epoch.ncsc.mil>
References: <48EDB9EB.2080905@fedoraproject.org> <1223556359.13181.9.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <48EE046A.2060706@city-fan.org>

Stephen Smalley wrote:
> On Thu, 2008-10-09 at 13:29 +0530, Rahul Sundaram wrote:
>> Hi
>>
>>
>> Since Fedora doesn't include this software, should an exception be added
>> to the SELinux policy?
>>
>> "If you trust mplayer to run correctly, you can change the context of
>> the executable to unconfined_execmem_exec_t. "chcon -t
>> unconfined_execmem_exec_t '/usr/bin/mplayer'". You must also change the
>> default file context files on the system in order to preserve them even
>> on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
>> '/usr/bin/mplayer'"
>
> I'd recommend always telling the user to run the semanage command first,
> and then run restorecon /usr/bin/mplayer afterward to set it on disk,
> rather than having to separately specify the type via chcon.
> setroubleshoot really shouldn't ever tell the user to use chcon IMHO.

Fedora doesn't include the software, but SELinux policy already includes contexts for it, e.g.
on F-9:

# semanage fcontext -l | grep mplayer
/usr/bin/xine                      regular file    system_u:object_r:mplayer_exec_t:s0
/usr/bin/mplayer                   regular file    system_u:object_r:mplayer_exec_t:s0
/usr/lib/vmware/bin/vmplayer       regular file    system_u:object_r:vmware_exec_t:s0
/usr/lib64/vmware/bin/vmplayer     regular file    system_u:object_r:vmware_exec_t:s0

So if the current policy isn't right, can't we just fix it and be done with it rather than adding extra corner cases to setroubleshoot?

Or is it that the default policy works except when using particular binary codecs that do weird stuff?

Paul.

From sundaram at fedoraproject.org Fri Oct 10 00:04:26 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Fri, 10 Oct 2008 05:34:26 +0530
Subject: writable memory segment: mplayer
In-Reply-To: <48EE046A.2060706@city-fan.org>
References: <48EDB9EB.2080905@fedoraproject.org> <1223556359.13181.9.camel@moss-spartans.epoch.ncsc.mil> <48EE046A.2060706@city-fan.org>
Message-ID: <48EE9C0A.6050707@fedoraproject.org>

Paul Howarth wrote:
> Or is it that the default policy works except when using particular
> binary codecs that do weird stuff?

I don't have any binary codecs doing "weird stuff". This is just mplayer from Livna complaining in rawhide constantly. So looks like policy fixes are needed.

Rahul

From fedora02 at grifent.com Fri Oct 10 19:06:26 2008
From: fedora02 at grifent.com (John Griffiths)
Date: Fri, 10 Oct 2008 15:06:26 -0400
Subject: new postfix will not run.
Message-ID: <48EFA7B2.406@grifent.com>

selinux is preventing the update of postfix to run. The yum update of postfix includes a directory /var/lib/postfix but postfix is prevented from using the directory by selinux. I think the policy needs to be updated.

Summary:

SELinux is preventing master (postfix_master_t) "write" to ./postfix (var_lib_t).

Detailed Description:

SELinux is preventing master (postfix_master_t) "write" to ./postfix (var_lib_t).
The SELinux type var_lib_t, is a generic type for all files in the directory and very few processes (SELinux Domains) are allowed to write to this SELinux type. This type of denial usual indicates a mislabeled file. By default a file created in a directory has the gets the context of the parent directory, but SELinux policy has rules about the creation of directories, that say if a process running in one SELinux Domain (D1) creates a file in a directory with a particular SELinux File Context (F1) the file gets a different File Context (F2). The policy usually allows the SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for some reason a file (./postfix) was created with the wrong context, this domain will be denied.

The usual solution to this problem is to reset the file context on the target file, restorecon -v './postfix'. If the file context does not change from var_lib_t, then this is probably a bug in policy. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package. If it does change, you can try your application again to see if it works.

The file context could have been mislabeled by editing the file or moving the file from a different directory, if the file keeps getting mislabeled, check the init scripts to see if they are doing something to mislabel the file.
Allowing Access:

You can attempt to fix file context by executing restorecon -v './postfix'

The following command will allow this access:

restorecon './postfix'

Additional Information:

Source Context                unconfined_u:system_r:postfix_master_t
Target Context                system_u:object_r:var_lib_t
Target Objects                ./postfix [ dir ]
Source                        master
Source Path                   /usr/libexec/postfix/master
Port
Host                          elijah.suretrak21.net
Source RPM Packages           postfix-2.5.5-1.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-117.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     elijah.suretrak21.net
Platform                      Linux elijah.suretrak21.net 2.6.26.5-28.fc8 #1 SMP Sat Sep 20 09:32:58 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Thu 09 Oct 2008 09:40:21 AM EDT
Last Seen                     Fri 10 Oct 2008 02:39:57 PM EDT
Local ID                      b11cda56-461f-44af-8fd8-3866e11f4833
Line Numbers

Raw Audit Messages

host=elijah.suretrak21.net type=AVC msg=audit(1223663997.824:9826): avc: denied { write } for pid=1805 comm="master" name="postfix" dev=dm-0 ino=784360 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

host=elijah.suretrak21.net type=SYSCALL msg=audit(1223663997.824:9826): arch=40000003 syscall=5 success=no exit=-13 a0=b9d8a560 a1=c2 a2=1a4 a3=0 items=0 ppid=1758 pid=1805 auid=500 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=1415 comm="master" exe="/usr/libexec/postfix/master" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)

Rather than write a policy change

#============= postfix_master_t ==============
allow postfix_master_t var_lib_t:dir write;

as a workaround I changed the context of /var/lib/postfix to postfix_etc_t, which allows postfix to run.

Regards,
John Griffiths

From fdsubs at t-online.hu Fri Oct 10 19:18:09 2008
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Fri, 10 Oct 2008 21:18:09 +0200
Subject: new postfix will not run.
In-Reply-To: <48EFA7B2.406@grifent.com>
References: <48EFA7B2.406@grifent.com>
Message-ID: <4A31D656-E582-40B2-B764-7AEA2A6E1542@t-online.hu>

On Oct 10, 2008, at 21:06, John Griffiths wrote:

> selinux is preventing the update of postfix to run.
> The yum update of postfix includes a directory /var/lib/postfix but
> postfix is prevented from using the directory by selinux. I think
> the policy needs to be updated.

There's also a Bugzilla entry for it already:
https://bugzilla.redhat.com/show_bug.cgi?id=466235

From joe at nall.com Sat Oct 11 02:36:51 2008
From: joe at nall.com (Joe Nall)
Date: Fri, 10 Oct 2008 21:36:51 -0500
Subject: Why is rolemap m4 expanded
Message-ID: <4D0C865F-C707-49A7-9BAB-659F46AE5C74@nall.com>

/usr/share/selinux/devel/include/rolemap looks like this for a default selinux-policy-3.5.10 install (minus the comments):

user_r user user_t
staff_r staff staff_t
sysadm_r sysadm sysadm_t

The rolemap in the source rpm looks like:

user_r user user_t
staff_r staff staff_t
sysadm_r sysadm sysadm_t
ifdef(`enable_mls',`
secadm_r secadm secadm_t
auditadm_r auditadm auditadm_t
')

The enable_mls clause is lost in the installation m4 expansion. Why is this file m4 processed on installation?

joe

From fedora02 at grifent.com Sun Oct 12 04:44:41 2008
From: fedora02 at grifent.com (John Griffiths)
Date: Sun, 12 Oct 2008 00:44:41 -0400
Subject: new postfix will not run.
In-Reply-To: <20081011160014.D63146197A2@hormel.redhat.com>
References: <20081011160014.D63146197A2@hormel.redhat.com>
Message-ID: <48F180B9.2010800@grifent.com>

An HTML attachment was scrubbed...
URL:

From joe at nall.com Mon Oct 13 03:19:13 2008
From: joe at nall.com (Joe Nall)
Date: Sun, 12 Oct 2008 22:19:13 -0500
Subject: Yet another role question
Message-ID: <15A1DDF1-85B5-476C-8E9C-004DE58A0BA4@nall.com>

It appears that per role template expansion is disabled in the modules shipped with fedora selinux-policy 3.5.10 but enabled for modules compiled with the resulting policy (which uses a different Makefile).

Why is there a difference?

joe

from the policy Makefile:

# perrole-expansion modulename,outputfile
define perrole-expansion
	echo "No longer doing perrole-expansion"
#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
#	$(call parse-rolemap,$1,$2)
#	$(verbose) echo "')" >> $2

#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
#	$(call parse-rolemap-compat,$1,$2)
#	$(verbose) echo "')" >> $2
endef

from /usr/share/selinux/devel/include/Makefile:

# peruser-expansion modulename,outputfile
define peruser-expansion
	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
	$(call parse-rolemap,$1,$2)
	$(verbose) echo "')" >> $2

	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
	$(call parse-rolemap-compat,$1,$2)
	$(verbose) echo "')" >> $2
endef

From ekuns at kilroy.chi.il.us Mon Oct 13 04:44:47 2008
From: ekuns at kilroy.chi.il.us (Edward Kuns)
Date: Sun, 12 Oct 2008 23:44:47 -0500
Subject: Selinux config to get gutenprint 5.2 beta working under Fedora 8
Message-ID: <1223873087.26463.230.camel@kilroy.chi.il.us>

I just bought a printer that only works well via the gutenprint 5.2 beta 4 from openprinting.org.
The selinux configuration to allow gutenprint to function is:

/opt/gutenprint/ppds/.*               --  system_u:object_r:cupsd_rw_etc_t:s0
/opt/gutenprint/s?bin/.*              --  system_u:object_r:lpr_exec_t:s0
/opt/gutenprint/cups/lib/filter/.*    --  system_u:object_r:bin_t:s0

I have verified that this configuration works. I haven't verified that it's the minimal configuration, but it's based on existing printer configurations from selinux.

Eddie

From mmcallis at redhat.com Mon Oct 13 23:57:08 2008
From: mmcallis at redhat.com (Murray McAllister)
Date: Tue, 14 Oct 2008 09:57:08 +1000
Subject: running star archive through restorecon
Message-ID: <48F3E054.8080900@redhat.com>

Hi,

This is probably user error, sorry :)

1. touch file{1,2}; ls -Z
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file2

2. chcon -l s0:c2 file{1,2}; ls -Z
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file1
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file2

2. star -xattr -H exustar -c -f test.star file{1,2}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).

3. cd /var/www/html/

4. sudo star -x -f test.star | restorecon -f -

5. ls -Z
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file1
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 test.star

file1 and file2 are still s0:c2. When I perform the same steps with tar (using tar --selinux), in step 5, file1 and file2 use s0.

Does anyone have any pointers as to where I've gone wrong? I don't get any denials when running "sudo star -x -f test.star | restorecon -f -".
I am using:

Fedora release 9.92 (Rawhide)
star-1.5a84-6.fc10.i386
tar-1.20-3.fc10.i386
policycoreutils-2.0.57-1.fc10.i386
selinux-policy-targeted-3.5.10-3.fc10.noarch
selinux-policy-3.5.10-3.fc10.noarch

Cheers :)

From mmcallis at redhat.com Tue Oct 14 00:03:57 2008
From: mmcallis at redhat.com (Murray McAllister)
Date: Tue, 14 Oct 2008 10:03:57 +1000
Subject: running star archive through restorecon
In-Reply-To: <48F3E054.8080900@redhat.com>
References: <48F3E054.8080900@redhat.com>
Message-ID: <48F3E1ED.8090408@redhat.com>

Murray McAllister wrote:
> Hi,
>
> This is probably user error, sorry :)
>
> 1. touch file{1,2}; ls -Z
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file1
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file2
>
> 2. chcon -l s0:c2 file{1,2}; ls -Z
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file1
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file2
>
> 2. star -xattr -H exustar -c -f test.star file{1,2}
> star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
>
> 3. cd /var/www/html/
>
> 4. sudo star -x -f test.star | restorecon -f -
>
> 5. ls -Z
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file1
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file2
> -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0
> test.star

I've obviously done something wrong since file1 and file2 are also user_home_t type :(

>
> file1 and file2 are still s0:c2. When I perform the same steps with tar
> (using tar --selinux), in step 5, file1 and file2 use s0.
>
> Does anyone have any pointers as to where I've gone wrong? I don't get
> any denials when running "sudo star -x -f test.star | restorecon -f -".
>
> I am using:
>
> Fedora release 9.92 (Rawhide)
> star-1.5a84-6.fc10.i386
> tar-1.20-3.fc10.i386
> policycoreutils-2.0.57-1.fc10.i386
> selinux-policy-targeted-3.5.10-3.fc10.noarch
> selinux-policy-3.5.10-3.fc10.noarch
>
> Cheers :)

From hichamlinux at gmail.com Tue Oct 14 10:09:01 2008
From: hichamlinux at gmail.com (hicham)
Date: Tue, 14 Oct 2008 10:09:01 +0000
Subject: SELinux is preventing nm-system-setti (NetworkManager_t)
Message-ID: <309547d30810140309u43450d46wa9474ba6228f81d3@mail.gmail.com>

Hello

Every time I log on to fedora 8, I get the setroubleshoot browser popup with this:

"Summary:
SELinux is preventing nm-system-setti (NetworkManager_t) "read" to ./PolicyKit (hald_var_lib_t).

Detailed Description:
SELinux denied access requested by nm-system-setti. It is not expected that this access is required by nm-system-setti and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./PolicyKit, restorecon -v './PolicyKit' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package."

"this access may signal an intrusion attempt": is someone trying to get into my computer?

how do I fix that?
thanks

From dwalsh at redhat.com Wed Oct 15 01:17:35 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 14 Oct 2008 21:17:35 -0400
Subject: selinux context disappear after nfs mount
In-Reply-To: <48e871f70810090606i24cd8b34x5f37dc24b6d64d7@mail.gmail.com>
References: <48e871f70810080237k69e7f729wf2f0f6776d7e7f2e@mail.gmail.com> <48EC9B68.2060902@redhat.com> <48e871f70810090140qe86633aj70c8445f6b7de1f8@mail.gmail.com> <48e871f70810090606i24cd8b34x5f37dc24b6d64d7@mail.gmail.com>
Message-ID: <48F544AF.6000404@redhat.com>

Fabrizio Buratta wrote:
> This is what I set:
>
> local.te:
>
> allow httpd_sys_script_t mnt_t:dir search;
> allow httpd_sys_script_t var_t:dir getattr;
> allow httpd_sys_script_t nfs_t:dir { search write add_name };
> allow httpd_sys_script_t nfs_t:file { create unlink getattr append
> read write setattr };
>
> Fab.
>
>
> 2008/10/9 Fabrizio Buratta:
>>> You have two problems.
>>>
>>> #============= httpd_sys_script_t ==============
>>> allow httpd_sys_script_t mnt_t:dir search;
>>>
>>> You need to load a custom policy to allow your cgi scripts to read
>>> through the /mnt directory
>>>
>>> allow httpd_sys_script_t var_t:dir getattr;
>>>
>>> This one does not make sense; this rule should be allowed in all default
>>> policies. What policy are you running? Apache scripts should be able
>>> to search/getattr on var_t in order to use /var/www/
>>>
>>> Neither of these avc's are much of a security risk to allow.
>>>
>> My policy version is 18,
>>
>> the package: 1.17.30-2.150.el4
>>
>> I will try with a custom policy thus,
>>
>> I'll tell you if I face further issues.
>>
>> Thanks a lot,
>>
>> Fab
>>

Looks good.

From dwalsh at redhat.com Wed Oct 15 12:27:43 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Oct 2008 08:27:43 -0400
Subject: Yet another role question
In-Reply-To: <15A1DDF1-85B5-476C-8E9C-004DE58A0BA4@nall.com>
References: <15A1DDF1-85B5-476C-8E9C-004DE58A0BA4@nall.com>
Message-ID: <48F5E1BF.1000108@redhat.com>

Joe Nall wrote:
> It appears that per role template expansion is disabled in the modules
> shipped with fedora selinux-policy 3.5.10 but enabled for modules
> compiled with the resulting policy (which uses a different Makefile).
>
> Why is there a difference?
>
> joe
>
> from the policy Makefile:
>
> # perrole-expansion modulename,outputfile
> define perrole-expansion
> 	echo "No longer doing perrole-expansion"
> #	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
> #	$(call parse-rolemap,$1,$2)
> #	$(verbose) echo "')" >> $2
>
> #	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
> #	$(verbose) echo "errprint(\`Warning: per_userdomain_templates
> have been renamed to per_role_templates
> (""$1""_per_userdomain_template)'__endline__)" >> $2
> #	$(call parse-rolemap-compat,$1,$2)
> #	$(verbose) echo "')" >> $2
> endef
>
> from /usr/share/selinux/devel/include/Makefile:
>
> # peruser-expansion modulename,outputfile
> define peruser-expansion
> 	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
> 	$(call parse-rolemap,$1,$2)
> 	$(verbose) echo "')" >> $2
>
> 	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
> 	$(verbose) echo "errprint(\`Warning: per_userdomain_templates
> have been renamed to per_role_templates
> (""$1""_per_userdomain_template)'__endline__)" >> $2
> 	$(call parse-rolemap-compat,$1,$2)
> 	$(verbose) echo "')" >> $2
> endef

It is a bug. Automatic per role expansion is a mistake. Please open a bugzilla. (With a patch if possible. :^)

From dwalsh at redhat.com Wed Oct 15 12:34:54 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Oct 2008 08:34:54 -0400
Subject: Selinux config to get gutenprint 5.2 beta working under Fedora 8
In-Reply-To: <1223873087.26463.230.camel@kilroy.chi.il.us>
References: <1223873087.26463.230.camel@kilroy.chi.il.us>
Message-ID: <48F5E36E.4080407@redhat.com>

Edward Kuns wrote:
> I just bought a printer that only works well via the gutenprint 5.2 beta
> 4 from openprinting.org.
> The selinux configuration to allow gutenprint
> to function is:
>
> /opt/gutenprint/ppds/.* -- system_u:object_r:cupsd_rw_etc_t:s0
> /opt/gutenprint/s?bin/.* -- system_u:object_r:lpr_exec_t:s0
> /opt/gutenprint/cups/lib/filter/.* -- system_u:object_r:bin_t:s0
>
> I have verified that this configuration works. I haven't verified that
> it's the minimal configuration, but it's based on existing printer
> configurations from selinux.
>
> Eddie

I will update f9 f10 and RHEL5/U3 policy.

From dwalsh at redhat.com Wed Oct 15 12:37:09 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Oct 2008 08:37:09 -0400
Subject: running star archive through restorecon
In-Reply-To: <48F3E1ED.8090408@redhat.com>
References: <48F3E054.8080900@redhat.com> <48F3E1ED.8090408@redhat.com>
Message-ID: <48F5E3F5.90008@redhat.com>

Murray McAllister wrote:
> Murray McAllister wrote:
>> Hi,
>>
>> This is probably user error, sorry :)
>>
>> 1. touch file{1,2}; ls -Z
>> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file1
>> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file2
>>
>> 2. chcon -l s0:c2 file{1,2}; ls -Z
>> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file1
>> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file2
>>
>> 2. star -xattr -H exustar -c -f test.star file{1,2}
>> star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
>>
>> 3. cd /var/www/html/
>>
>> 4. sudo star -x -f test.star | restorecon -f -
>>

restorecon -f - needs output. I think you need to add a -v to the star command.

>> 5.
>> ls -Z
>> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file1
>> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0:c2 file2
>> -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0
>> test.star
> I've obviously done something wrong since file1 and file2 are also
> user_home_t type :(
>>
>> file1 and file2 are still s0:c2. When I perform the same steps with
>> tar (using tar --selinux), in step 5, file1 and file2 use s0.
>>
>> Does anyone have any pointers as to where I've gone wrong? I don't get
>> any denials when running "sudo star -x -f test.star | restorecon -f -".
>>
>> I am using:
>>
>> Fedora release 9.92 (Rawhide)
>> star-1.5a84-6.fc10.i386
>> tar-1.20-3.fc10.i386
>> policycoreutils-2.0.57-1.fc10.i386
>> selinux-policy-targeted-3.5.10-3.fc10.noarch
>> selinux-policy-3.5.10-3.fc10.noarch
>>
>> Cheers :)

From dwalsh at redhat.com Wed Oct 15 12:38:29 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Oct 2008 08:38:29 -0400
Subject: SELinux is preventing nm-system-setti (NetworkManager_t)
In-Reply-To: <309547d30810140309u43450d46wa9474ba6228f81d3@mail.gmail.com>
References: <309547d30810140309u43450d46wa9474ba6228f81d3@mail.gmail.com>
Message-ID: <48F5E445.5080509@redhat.com>

hicham wrote:
> Hello
> Every time I log on to fedora 8, I get the setroubleshoot browser
> popup with this:
> "Summary:
> SELinux is preventing nm-system-setti (NetworkManager_t) "read" to
> ./PolicyKit (hald_var_lib_t).
> Detailed Description:
> SELinux denied access requested by nm-system-setti. It is not expected
> that this access is required by nm-system-setti and this access may
> signal an intrusion attempt.
> It is also possible that the specific
> version or configuration of the application is causing it to require
> additional access.
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try
> to restore the default system file context for ./PolicyKit, restorecon
> -v './PolicyKit' If this does not work, there is currently no
> automatic way to allow this access. Instead, you can generate a local
> policy module to allow this access - see FAQ Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a bug report against this package."
>
> "this access may signal an intrusion attempt": is someone trying to
> get into my computer?
>

No

> how do I fix that?
>

What policy do you have installed? NetworkManager was updated and an appropriate policy update has not happened, yet.

> thanks

From dwalsh at redhat.com Wed Oct 15 12:47:36 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Oct 2008 08:47:36 -0400
Subject: writable memory segment: mplayer
In-Reply-To: <48EE9C0A.6050707@fedoraproject.org>
References: <48EDB9EB.2080905@fedoraproject.org> <1223556359.13181.9.camel@moss-spartans.epoch.ncsc.mil> <48EE046A.2060706@city-fan.org> <48EE9C0A.6050707@fedoraproject.org>
Message-ID: <48F5E668.4060004@redhat.com>

Rahul Sundaram wrote:
> Paul Howarth wrote:
>
>> Or is it that the default policy works except when using particular
>> binary codecs that do weird stuff?
>
> I don't have any binary codecs doing "weird stuff". This is just mplayer
> from Livna complaining in rawhide constantly. So looks like policy fixes
> are needed.
>
> Rahul

Ok I will run it as unconfined_execmem_t but you need to report a bug to
mplayer.

From dwalsh at redhat.com Wed Oct 15 12:49:24 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Oct 2008 08:49:24 -0400
Subject: writable memory segment: mplayer
In-Reply-To: <48F5E668.4060004@redhat.com>
References: <48EDB9EB.2080905@fedoraproject.org> <1223556359.13181.9.camel@moss-spartans.epoch.ncsc.mil> <48EE046A.2060706@city-fan.org> <48EE9C0A.6050707@fedoraproject.org> <48F5E668.4060004@redhat.com>
Message-ID: <48F5E6D4.9070404@redhat.com>

Daniel J Walsh wrote:
> Rahul Sundaram wrote:
>> Paul Howarth wrote:
>>
>>> Or is it that the default policy works except when using particular
>>> binary codecs that do weird stuff?
>> I don't have any binary codecs doing "weird stuff". This is just mplayer
>> from Livna complaining in rawhide constantly. So looks like policy fixes
>> are needed.
>>
>> Rahul
> Ok I will run it as unconfined_execmem_t but you need to report a bug to
> mplayer.

I put out selinux-policy-3.0.8-119.fc8 last night, should be in fedora
testing soon, or you can download it from koji. Please try this out to see
if it solves your problem.

From olivares14031 at yahoo.com Thu Oct 16 11:40:55 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 16 Oct 2008 04:40:55 -0700 (PDT)
Subject: Denied avcs
Message-ID: <950377.8195.qm@web52607.mail.re2.yahoo.com>

Dear fellow testers and selinux experts,

I have encountered several avcs. I want to ask you for advice before applying the suggested fixes.
Summary: SELinux is preventing knotify4 from making the program stack executable. Detailed Description: The knotify4 application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If knotify4 does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'" You must also change the default file context files on the system in order to preserve them even on a full relabel. 
"semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/knotify4'" Fix Command: chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects None [ process ] Source knotify4 Source Path /usr/bin/knotify4 Port Host riohigh Source RPM Packages kdebase-runtime-4.1.2-3.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.10-3.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execstack Host Name riohigh Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon Alert Count 2 First Seen Thu 16 Oct 2008 06:33:56 AM CDT Last Seen Thu 16 Oct 2008 06:33:56 AM CDT Local ID d2171be2-9d07-43e0-83bf-95f7f3e5e666 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224156836.173:93): avc: denied { execstack } for pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2874 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t. Detailed Description: SELinux denied access requested by hal-acl-tool. It is not expected that this access is required by hal-acl-tool and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 
Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:hald_acl_t:s0 Target Context system_u:system_r:hald_acl_t:s0 Target Objects None [ capability ] Source hal-acl-tool Source Path /usr/libexec/hal-acl-tool Port Host riohigh Source RPM Packages hal-0.5.12-3.20081013git.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.10-3.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon Alert Count 73 First Seen Sat 04 Oct 2008 11:10:27 AM CDT Last Seen Thu 16 Oct 2008 06:33:03 AM CDT Local ID 16181f84-ddf2-4510-bd51-aef5ff647a63 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224156783.891:89): avc: denied { sys_resource } for pid=2568 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability node=riohigh type=SYSCALL msg=audit(1224156783.891:89): arch=40000003 syscall=4 success=yes exit=2057 a0=5 a1=b7ff4000 a2=809 a3=809 items=0 ppid=1834 pid=2568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null) Summary: SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. Detailed Description: SELinux denied access requested by console-kit-dae. It is not expected that this access is required by console-kit-dae and this access may signal an intrusion attempt. 
It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 Target Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 Target Objects None [ capability ] Source console-kit-dae Source Path /usr/sbin/console-kit-daemon Port Host riohigh Source RPM Packages ConsoleKit-0.3.0-2.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.10-3.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon Alert Count 87 First Seen Fri 03 Oct 2008 06:14:33 PM CDT Last Seen Thu 16 Oct 2008 06:33:02 AM CDT Local ID 0c8f36ea-d6b2-4646-ba59-1cdf5e6a0ee0 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1224156782.948:86): avc: denied { sys_resource } for pid=1770 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability node=riohigh type=SYSCALL msg=audit(1224156782.948:86): arch=40000003 syscall=4 success=yes exit=674 a0=1a a1=8c4b790 a2=2a2 a3=8c4b790 items=0 ppid=1 pid=1770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) I had not encountered these ones before. And before applying the fixes, I will ask if no one has encountered these ones before. 
TIA, Antonio From dwalsh at redhat.com Thu Oct 16 21:47:46 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 16 Oct 2008 17:47:46 -0400 Subject: Denied avcs In-Reply-To: <950377.8195.qm@web52607.mail.re2.yahoo.com> References: <950377.8195.qm@web52607.mail.re2.yahoo.com> Message-ID: <48F7B682.9060405@redhat.com> Antonio Olivares wrote: > Dear fellow testers and selinux experts, > > I have encountered several avcs. I want to ask you for advice before applying the suggested fixes. > > > Summary: > > SELinux is preventing knotify4 from making the program stack executable. > > Detailed Description: > > The knotify4 application attempted to make its stack executable. This is a > potential security problem. This should never ever be necessary. Stack memory is > not executable on most OSes these days and this will not change. Executable > stack memory is one of the biggest security problems. An execstack error might > in fact be most likely raised by malicious code. Applications are sometimes > coded incorrectly and request this permission. The SELinux Memory Protection > Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how > to remove this requirement. If knotify4 does not work and you need it to work, > you can configure SELinux temporarily to allow this access until the application > is fixed. Please file a bug report > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. > > Allowing Access: > > Sometimes a library is accidentally marked with the execstack flag, if you find > a library with this flag you can clear it with the execstack -c LIBRARY_PATH. > Then retry your application. If the app continues to not work, you can turn the > flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to > run correctly, you can change the context of the executable to > unconfined_execmem_exec_t. 
"chcon -t unconfined_execmem_exec_t > '/usr/bin/knotify4'" You must also change the default file context files on the > system in order to preserve them even on a full relabel. "semanage fcontext -a > -t unconfined_execmem_exec_t '/usr/bin/knotify4'" > > Fix Command: > > chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4' > > Additional Information: > > Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Objects None [ process ] > Source knotify4 > Source Path /usr/bin/knotify4 > Port > Host riohigh > Source RPM Packages kdebase-runtime-4.1.2-3.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.10-3.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name allow_execstack > Host Name riohigh > Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 > 01:26:26 EDT 2008 i686 athlon > Alert Count 2 > First Seen Thu 16 Oct 2008 06:33:56 AM CDT > Last Seen Thu 16 Oct 2008 06:33:56 AM CDT > Local ID d2171be2-9d07-43e0-83bf-95f7f3e5e666 > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1224156836.173:93): avc: denied { execstack } for pid=2874 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process > > node=riohigh type=SYSCALL msg=audit(1224156836.173:93): arch=40000003 syscall=125 success=no exit=-13 a0=bf9c9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2874 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > > > > > Summary: > > SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t. > > Detailed Description: > > SELinux denied access requested by hal-acl-tool. 
It is not expected that this > access is required by hal-acl-tool and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:hald_acl_t:s0 > Target Context system_u:system_r:hald_acl_t:s0 > Target Objects None [ capability ] > Source hal-acl-tool > Source Path /usr/libexec/hal-acl-tool > Port > Host riohigh > Source RPM Packages hal-0.5.12-3.20081013git.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.10-3.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 > 01:26:26 EDT 2008 i686 athlon > Alert Count 73 > First Seen Sat 04 Oct 2008 11:10:27 AM CDT > Last Seen Thu 16 Oct 2008 06:33:03 AM CDT > Local ID 16181f84-ddf2-4510-bd51-aef5ff647a63 > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1224156783.891:89): avc: denied { sys_resource } for pid=2568 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability > > node=riohigh type=SYSCALL msg=audit(1224156783.891:89): arch=40000003 syscall=4 success=yes exit=2057 a0=5 a1=b7ff4000 a2=809 a3=809 items=0 ppid=1834 pid=2568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null) > > > > 
Summary: > > SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" > consolekit_t. > > Detailed Description: > > SELinux denied access requested by console-kit-dae. It is not expected that this > access is required by console-kit-dae and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 > Target Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 > Target Objects None [ capability ] > Source console-kit-dae > Source Path /usr/sbin/console-kit-daemon > Port > Host riohigh > Source RPM Packages ConsoleKit-0.3.0-2.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.10-3.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 > 01:26:26 EDT 2008 i686 athlon > Alert Count 87 > First Seen Fri 03 Oct 2008 06:14:33 PM CDT > Last Seen Thu 16 Oct 2008 06:33:02 AM CDT > Local ID 0c8f36ea-d6b2-4646-ba59-1cdf5e6a0ee0 > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1224156782.948:86): avc: denied { sys_resource } for pid=1770 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability > > node=riohigh type=SYSCALL msg=audit(1224156782.948:86): arch=40000003 syscall=4 success=yes exit=674 a0=1a a1=8c4b790 a2=2a2 
a3=8c4b790 items=0 ppid=1 pid=1770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
>
>
>
> I had not encountered these ones before. And before applying the fixes, I will ask if no one has encountered these ones before.
>
> TIA,
>
>
> Antonio

The sys_resource ones seem to be a bug in the kernel, since every confined
domain seems to be getting a denial.

The execstack one is probably caused by a badly built executable or a bad
library. You can execute the chcon command to allow it to run or turn off
the check.

From olivares14031 at yahoo.com Thu Oct 16 22:27:52 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 16 Oct 2008 15:27:52 -0700 (PDT)
Subject: selinux denies dmesg
Message-ID: <59787.23742.qm@web52605.mail.re2.yahoo.com>

Dear fellow selinux experts,

After recovering from a kernel panic to check up on the filesystem, I run dmesg and I encounter some avc's

[olivares at riohigh ~]$ dmesg | grep avc
type=1400 audit(1224195506.669:4): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.669:5): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.669:6): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.669:7): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0
tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:8): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:9): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:10): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:11): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:12): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
type=1400 audit(1224195506.670:13): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability

I have just updated to a newer kernel 2.6.27-13 and new selinux policy updates :)

[olivares at riohigh ~]$ rpm -qa selinux*
selinux-policy-3.5.12-2.fc10.noarch
selinux-policy-targeted-3.5.12-2.fc10.noarch
[olivares at riohigh ~]$

What do I do?
Thanks, Antonio From sds at tycho.nsa.gov Fri Oct 17 14:32:53 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 17 Oct 2008 10:32:53 -0400 Subject: selinux denies dmesg In-Reply-To: <59787.23742.qm@web52605.mail.re2.yahoo.com> References: <59787.23742.qm@web52605.mail.re2.yahoo.com> Message-ID: <1224253973.19562.28.camel@moss-spartans.epoch.ncsc.mil> On Thu, 2008-10-16 at 15:27 -0700, Antonio Olivares wrote: > Dear fellow selinux experts, > > After recovering from a kernel panic to check up on the filesystem, I run dmesg and I encounter some avc's > > [olivares at riohigh ~]$ dmesg | grep avc > type=1400 audit(1224195506.669:4): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > type=1400 audit(1224195506.669:5): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > type=1400 audit(1224195506.669:6): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > type=1400 audit(1224195506.669:7): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > type=1400 audit(1224195506.670:8): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > type=1400 audit(1224195506.670:9): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > type=1400 audit(1224195506.670:10): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 
tclass=capability
> type=1400 audit(1224195506.670:11): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:12): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> type=1400 audit(1224195506.670:13): avc: denied { sys_resource } for pid=1534 comm="dmesg" capability=24 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
>
>
> I have just updated to a newer kernel 2.6.27-13 and new selinux policy updates :)
>
> [olivares at riohigh ~]$ rpm -qa selinux*
> selinux-policy-3.5.12-2.fc10.noarch
> selinux-policy-targeted-3.5.12-2.fc10.noarch
> [olivares at riohigh ~]$
>
>
> What do I do?

Enable syscall auditing and find out what syscall triggered the
CAP_SYS_RESOURCE check.

-- 
Stephen Smalley
National Security Agency

From olivares14031 at yahoo.com Fri Oct 17 15:39:16 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Fri, 17 Oct 2008 08:39:16 -0700 (PDT)
Subject: selinux denies dmesg
In-Reply-To: <1224253973.19562.28.camel@moss-spartans.epoch.ncsc.mil>
Message-ID: <130504.70532.qm@web52607.mail.re2.yahoo.com>

--- On Fri, 10/17/08, Stephen Smalley wrote:

> From: Stephen Smalley
> Subject: Re: selinux denies dmesg
> To: olivares14031 at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Friday, October 17, 2008, 7:32 AM
> On Thu, 2008-10-16 at 15:27 -0700, Antonio Olivares wrote:
> > Dear fellow selinux experts,
> >
> > After recovering from a kernel panic to check up on
> the filesystem, I run dmesg and I encounter some avc's
> >
> > [olivares at riohigh ~]$ dmesg | grep avc
> > type=1400 audit(1224195506.669:4): avc: denied {
> sys_resource } for pid=1534 comm="dmesg"
> capability=24 scontext=system_u:system_r:dmesg_t:s0
>
tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > type=1400 audit(1224195506.669:5): avc: denied { > sys_resource } for pid=1534 comm="dmesg" > capability=24 scontext=system_u:system_r:dmesg_t:s0 > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > type=1400 audit(1224195506.669:6): avc: denied { > sys_resource } for pid=1534 comm="dmesg" > capability=24 scontext=system_u:system_r:dmesg_t:s0 > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > type=1400 audit(1224195506.669:7): avc: denied { > sys_resource } for pid=1534 comm="dmesg" > capability=24 scontext=system_u:system_r:dmesg_t:s0 > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > type=1400 audit(1224195506.670:8): avc: denied { > sys_resource } for pid=1534 comm="dmesg" > capability=24 scontext=system_u:system_r:dmesg_t:s0 > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > type=1400 audit(1224195506.670:9): avc: denied { > sys_resource } for pid=1534 comm="dmesg" > capability=24 scontext=system_u:system_r:dmesg_t:s0 > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > type=1400 audit(1224195506.670:10): avc: denied { > sys_resource } for pid=1534 comm="dmesg" > capability=24 scontext=system_u:system_r:dmesg_t:s0 > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > type=1400 audit(1224195506.670:11): avc: denied { > sys_resource } for pid=1534 comm="dmesg" > capability=24 scontext=system_u:system_r:dmesg_t:s0 > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > type=1400 audit(1224195506.670:12): avc: denied { > sys_resource } for pid=1534 comm="dmesg" > capability=24 scontext=system_u:system_r:dmesg_t:s0 > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > type=1400 audit(1224195506.670:13): avc: denied { > sys_resource } for pid=1534 comm="dmesg" > capability=24 scontext=system_u:system_r:dmesg_t:s0 > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability > > > > > > I have just updated to a newer kernel 2.6.27-13 and > 
new selinux policy updates :)
> >
> > [olivares at riohigh ~]$ rpm -qa selinux*
> > selinux-policy-3.5.12-2.fc10.noarch
> > selinux-policy-targeted-3.5.12-2.fc10.noarch
> > [olivares at riohigh ~]$
> >
> >
> > What do I do?
>
> Enable syscall auditing and find out what syscall triggered
> the
> CAP_SYS_RESOURCE check.
>
> --
> Stephen Smalley
> National Security Agency

How do I do that:

> Enable syscall auditing and find out what syscall triggered
> the
> CAP_SYS_RESOURCE check.
>

If there is a way to do it? I feel that SELinux should not get in the way of dmesg and other important system commands. Why does it deny it?

setroubleshoot has not appeared, and on another machine without ext4 I see the following denials:

[olivares at localhost ~]$ dmesg | grep 'avc'
type=1400 audit(1224252291.136:4): avc: denied { write } for pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1224252414.451:5): avc: denied { execstack } for pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
[olivares at localhost ~]$ dmesg | grep 'avcs'
[olivares at localhost ~]$ dmesg | grep avc
type=1400 audit(1224252291.136:4): avc: denied { write } for pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=1400 audit(1224252414.451:5): avc: denied { execstack } for pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
[olivares at localhost ~]$

Thanks,

Antonio

From sds at tycho.nsa.gov Fri Oct 17 16:38:42 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 17 Oct 2008 12:38:42 -0400
Subject: selinux denies dmesg
In-Reply-To: <130504.70532.qm@web52607.mail.re2.yahoo.com>
References: <130504.70532.qm@web52607.mail.re2.yahoo.com>
Message-ID: <1224261522.19562.63.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2008-10-17 at 08:39 -0700, Antonio Olivares wrote:
>
>
> --- On Fri, 10/17/08, Stephen Smalley wrote:
>
> > From: Stephen Smalley
> > Subject: Re: selinux denies dmesg
> > To: olivares14031 at yahoo.com
> > Cc: fedora-selinux-list at redhat.com
> > Date: Friday, October 17, 2008, 7:32 AM
> > On Thu, 2008-10-16 at 15:27 -0700, Antonio Olivares wrote:
> > > Dear fellow selinux experts,
> > >
> > > After recovering from a kernel panic to check up on
> > the filesystem, I run dmesg and I encounter some avc's
> > >
> > > [olivares at riohigh ~]$ dmesg | grep avc
> > > type=1400 audit(1224195506.669:4): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24 scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.669:5): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24 scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.669:6): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24 scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.669:7): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24 scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:8): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24
scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:9): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24 scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:10): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24 scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:11): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24 scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:12): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24 scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > > type=1400 audit(1224195506.670:13): avc: denied {
> > sys_resource } for pid=1534 comm="dmesg"
> > capability=24 scontext=system_u:system_r:dmesg_t:s0
> > tcontext=system_u:system_r:dmesg_t:s0 tclass=capability
> > >
> > >
> > > I have just updated to a newer kernel 2.6.27-13 and
> > new selinux policy updates :)
> > >
> > > [olivares at riohigh ~]$ rpm -qa selinux*
> > > selinux-policy-3.5.12-2.fc10.noarch
> > > selinux-policy-targeted-3.5.12-2.fc10.noarch
> > > [olivares at riohigh ~]$
> > >
> > >
> > > What do I do?
> >
> > Enable syscall auditing and find out what syscall triggered
> > the
> > CAP_SYS_RESOURCE check.
> >
> > --
> > Stephen Smalley
> > National Security Agency
>
> How do I do that:
>
> > Enable syscall auditing and find out what syscall triggered
> > the
> > CAP_SYS_RESOURCE check.
> >
>
> If there is a way to do it?

Do you have auditd running? Try running:
/sbin/ausearch -m AVC -sv no

> I feel that Selinux should not get in the way of dmesg and other important system commands.
> Why does it deny it?
>
> Setroubleshooter has not appeared and on other machine without ext4 I see the following denials:
>
> [olivares at localhost ~]$ dmesg | grep 'avc'
> type=1400 audit(1224252291.136:4): avc: denied { write } for pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1224252414.451:5): avc: denied { execstack } for pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> [olivares at localhost ~]$ dmesg | grep 'avcs'
> [olivares at localhost ~]$ dmesg | grep avc
> type=1400 audit(1224252291.136:4): avc: denied { write } for pid=1459 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> type=1400 audit(1224252414.451:5): avc: denied { execstack } for pid=2951 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> [olivares at localhost ~]$
>
> Thanks,
>
> Antonio

--
Stephen Smalley
National Security Agency

From odin743 at hotmail.com Fri Oct 17 17:17:20 2008
From: odin743 at hotmail.com (lionel ong)
Date: Fri, 17 Oct 2008 17:17:20 +0000
Subject: Qns on SELinux policy tool on fedora 7
Message-ID:

Hi! I am Lionel and I have just subscribed to the fedora-selinux-list. I have been working on fedora 7 recently and am currently testing out the policy management tool provided by SELinux. Does anyone know how to use the tool to create a policy such that it makes Firefox work on any other TCP port other than its default port 80?

Does the "file name" the tool requires me to enter really matter? Or does it just require the correct executable to be selected? Any advice would be a great help! Thanks!

From sundaram at fedoraproject.org Fri Oct 17 20:10:29 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Sat, 18 Oct 2008 01:40:29 +0530
Subject: libavfilter SELinux policy issue
Message-ID: <48F8F135.90307@fedoraproject.org>

Hi.

This makes Firefox crash if SELinux is in enforcing mode.

Summary:

SELinux is preventing ld-linux.so.2 from loading /usr/lib/libavfilter.so.0.1.0 which requires text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

The ld-linux.so.2 application attempted to load /usr/lib/libavfilter.so.0.1.0 which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/libavfilter.so.0.1.0 to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/libavfilter.so.0.1.0 to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/libavfilter.so.0.1.0'" You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t '/usr/lib/libavfilter.so.0.1.0'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/libavfilter.so.0.1.0'

Additional Information:

Source Context                system_u:system_r:prelink_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/libavfilter.so.0.1.0 [ file ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.8.90.so
Port
Host                          sundaram
Source RPM Packages           glibc-2.8.90-13
Target RPM Packages           ffmpeg-libs-0.4.9-0.50.20080908.fc10
Policy RPM                    selinux-policy-3.5.10-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     sundaram
Platform                      Linux sundaram 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Fri 17 Oct 2008 04:05:58 AM IST
Last Seen                     Fri 17 Oct 2008 04:05:58 AM IST
Local ID                      5bf00553-84ae-49ea-a793-7977855b9541
Line Numbers

Raw Audit Messages

node=sundaram type=AVC msg=audit(1224196558.619:111): avc: denied { execmod } for pid=27387 comm="ld-linux.so.2" path="/usr/lib/libavfilter.so.0.1.0" dev=dm-0 ino=68753 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=sundaram type=SYSCALL msg=audit(1224196558.619:111): arch=40000003 syscall=125 success=yes exit=0 a0=111000 a1=3000 a2=5 a3=bfbedde0 items=0 ppid=27136 pid=27387 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="ld-linux.so.2" exe="/lib/ld-2.8.90.so" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)

Rahul

From sundaram at fedoraproject.org Fri Oct 17 20:13:35 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Sat, 18 Oct 2008 01:43:35 +0530
Subject: Mplayer Firefox plugin - SELinux policy issue
Message-ID: <48F8F1EF.9000900@fedoraproject.org>

Hi,

Summary:

SELinux is preventing firefox from changing a writable memory segment executable.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

The firefox application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If firefox does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust firefox to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0.2/firefox'". You must also change the default file context files on the system in order to preserve them even on a full relabel.

"semanage fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0.2/firefox'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.0.2/firefox'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        mplayer
Source Path                   /usr/bin/mplayer
Port
Host                          sundaram
Source RPM Packages           firefox-3.0.2-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.12-2.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmem
Host Name                     sundaram
Platform                      Linux sundaram 2.6.27-13.fc10.i686 #1 SMP Wed Oct 15 02:06:26 EDT 2008 i686 i686
Alert Count                   2203
First Seen                    Thu 09 Oct 2008 01:27:29 PM IST
Last Seen                     Sat 18 Oct 2008 01:38:06 AM IST
Local ID                      38a635ac-3f04-4c17-a077-0fc45f309767
Line Numbers

Raw Audit Messages

node=type=AVC msg=audit(1224274086.429:152): avc: denied { execmem } for pid=30194 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=sundaram type=SYSCALL msg=audit(1224274086.429:152): arch=40000003 syscall=125 success=yes exit=0 a0=b2ce4000 a1=1000 a2=5 a3=bfaf8f0c items=0 ppid=30180 pid=30194 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.0.2/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

---

Rahul

From sundaram at fedoraproject.org Fri Oct 17 22:44:46 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Sat, 18 Oct 2008 04:14:46 +0530
Subject: SELinux troubleshooter
Message-ID: <48F9155E.2070608@fedoraproject.org>

Hi,

It would be nice if I could just tell SELinux troubleshooter not to show me alerts at all or filter out a particular set of alerts so I don't get repeated popups, say when building a live cd or for known
issues. It is otherwise quite annoying at times and I have to kill it to get it to shut up.

Rahul

From odin743 at hotmail.com Sat Oct 18 09:55:26 2008
From: odin743 at hotmail.com (lionel ong)
Date: Sat, 18 Oct 2008 09:55:26 +0000
Subject: Question on SELinux
Message-ID:

Hi!

I am currently exploring the SELinux policy management GUI tool (polgengui) and trying to create a policy to stop Firefox from using its default port 80, so that when I do a *netstat* command on the terminal, the Firefox application will not be shown using tcp port 80 but some other tcp port instead. Are there any commands on the terminal or ways to use the tool that I could use to accomplish the above?

Thanks for your time!

Regards,
Lionel

From sundaram at fedoraproject.org Sat Oct 18 12:03:44 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Sat, 18 Oct 2008 17:33:44 +0530
Subject: SELinux and VLC player
Message-ID: <48F9D0A0.7040309@fedoraproject.org>

Hi

Summary:

SELinux is preventing vlc from making the program stack executable.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

The vlc application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If vlc does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust vlc to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/vlc'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/vlc'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/bin/vlc'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        vlc
Source Path                   /usr/bin/vlc
Port
Host                          sundaram
Source RPM Packages           vlc-core-0.9.4-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.12-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execstack
Host Name                     sundaram
Platform                      Linux sundaram 2.6.27-13.fc10.i686 #1 SMP Wed Oct 15 02:06:26 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Sat 18 Oct 2008 08:18:06 AM IST
Last Seen                     Sat 18 Oct 2008 08:18:06 AM IST
Local ID                      84968ddd-4d14-4680-8692-66835b0c5e43
Line Numbers

Raw Audit Messages

node=sundaram type=AVC msg=audit(1224298086.835:270): avc: denied { execstack } for pid=25126 comm="vlc" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=sundaram type=SYSCALL msg=audit(1224298086.835:270): arch=40000003 syscall=125 success=yes exit=0 a0=bf8a4000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=25126 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="vlc" exe="/usr/bin/vlc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Rahul

From sundaram at fedoraproject.org Sat Oct 18 12:05:49 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Sat, 18 Oct 2008 17:35:49 +0530
Subject: SELinux, VLC and text relocation
Message-ID: <48F9D11D.9020201@fedoraproject.org>

Hi

Summary:

SELinux is preventing vlc from loading /usr/lib/vlc/codec/librealvideo_plugin.so which requires text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

The vlc application attempted to load /usr/lib/vlc/codec/librealvideo_plugin.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/vlc/codec/librealvideo_plugin.so to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/vlc/codec/librealvideo_plugin.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/vlc/codec/librealvideo_plugin.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t '/usr/lib/vlc/codec/librealvideo_plugin.so'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/vlc/codec/librealvideo_plugin.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/vlc/codec/librealvideo_plugin.so [ file ]
Source                        vlc
Source Path                   /usr/bin/vlc
Port
Host                          sundaram
Source RPM Packages           vlc-core-0.9.4-1.fc10
Target RPM Packages           vlc-core-0.9.4-1.fc10
Policy RPM                    selinux-policy-3.5.12-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     sundaram
Platform                      Linux sundaram 2.6.27-13.fc10.i686 #1 SMP Wed Oct 15 02:06:26 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Sat 18 Oct 2008 08:18:07 AM IST
Last Seen                     Sat 18 Oct 2008 08:18:07 AM IST
Local ID                      046cbf7a-5c30-4f56-8e3a-01169befcb34
Line Numbers

Raw Audit Messages

node=sundaram type=AVC msg=audit(1224298087.506:271): avc: denied { execmod } for pid=25126 comm="vlc" path="/usr/lib/vlc/codec/librealvideo_plugin.so" dev=dm-0 ino=246161 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=sundaram type=SYSCALL msg=audit(1224298087.506:271): arch=40000003 syscall=125 success=yes exit=0 a0=7859000 a1=19000 a2=5 a3=bf8a3690 items=0 ppid=1 pid=25126 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="vlc" exe="/usr/bin/vlc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Rahul

From paul at city-fan.org Sat Oct 18 12:25:59 2008
From: paul at city-fan.org (Paul Howarth)
Date: Sat, 18 Oct 2008 13:25:59 +0100
Subject: Question on SELinux
In-Reply-To:
References:
Message-ID: <20081018132559.555ae69d@metropolis.intra.city-fan.org>

On Sat, 18 Oct 2008 09:55:26 +0000
lionel ong wrote:

> Hi!
> I am currently exploring the SELinux policy management GUI tool
> (polgengui) and trying to create a policy to stop Firefox from using
> its default port 80, so that when I do a *netstat* command on the
> terminal, the Firefox application will not be shown using tcp port 80
> but some other tcp port instead. Are there any commands on the terminal or
> ways to use the tool that I could use to accomplish the above? Thanks
> for your time! Regards, Lionel

Port 80 is the port that the websites firefox connects to use; if you prevent firefox from connecting to websites on port 80 it's just not going to work at all, unless you're trying to force it through a proxy on a different port perhaps?

Paul.

From olivares14031 at yahoo.com Mon Oct 20 12:40:38 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 20 Oct 2008 05:40:38 -0700 (PDT)
Subject: selinux is denying consolekit, hal?, ...,
Message-ID: <868290.53207.qm@web52606.mail.re2.yahoo.com>

Dear fellow selinux experts,

selinux is at it again, this time, setroubleshoot shot out the warnings:

Summary:

SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t.

Detailed Description:

SELinux denied access requested by hal-acl-tool. It is not expected that this access is required by hal-acl-tool and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:hald_acl_t:s0
Target Context                system_u:system_r:hald_acl_t:s0
Target Objects                None [ capability ]
Source                        hal-acl-tool
Source Path                   /usr/libexec/hal-acl-tool
Port
Host                          riohigh
Source RPM Packages           hal-0.5.12-3.20081013git.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon
Alert Count                   25
First Seen                    Thu 16 Oct 2008 05:21:21 PM CDT
Last Seen                     Mon 20 Oct 2008 07:22:37 AM CDT
Local ID                      2dda3b9b-7240-47c2-9865-4e1c1971771c
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1224505357.902:104): avc: denied { sys_resource } for pid=3200 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability

node=riohigh type=SYSCALL msg=audit(1224505357.902:104): arch=40000003 syscall=4 success=yes exit=2132 a0=4 a1=b7f94000 a2=854 a3=854 items=0 ppid=1873 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)

Summary:

SELinux is preventing knotify4 from making the program stack executable.

Detailed Description:

The knotify4 application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If knotify4 does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/knotify4'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        knotify4
Source Path                   /usr/bin/knotify4
Port
Host                          riohigh
Source RPM Packages           kdebase-runtime-4.1.2-5.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execstack
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Mon 20 Oct 2008 07:21:30 AM CDT
Last Seen                     Mon 20 Oct 2008 07:21:30 AM CDT
Local ID                      eebb1d00-400c-4898-888b-ae7a132cd800
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1224505290.544:95): avc: denied { execstack } for pid=2883 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=riohigh type=SYSCALL msg=audit(1224505290.544:95): arch=40000003 syscall=125 success=no exit=-13 a0=bf983000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2883 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this access is required by console-kit-dae and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port
Host                          riohigh
Source RPM Packages           ConsoleKit-0.3.0-2.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon
Alert Count                   23
First Seen                    Thu 16 Oct 2008 04:27:59 PM CDT
Last Seen                     Mon 20 Oct 2008 07:20:39 AM CDT
Local ID                      18c02e39-31cf-4b70-b999-fa910c61d822
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1224505239.547:88): avc: denied { sys_resource } for pid=1810 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=riohigh type=SYSCALL msg=audit(1224505239.547:88): arch=40000003 syscall=4 success=yes exit=672 a0=1a a1=9fb1758 a2=2a0 a3=9fb1758 items=0 ppid=1 pid=1810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing sm-notify (rpcd_t) "sys_resource" rpcd_t.

Detailed Description:

SELinux denied access requested by sm-notify. It is not expected that this access is required by sm-notify and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:rpcd_t:s0
Target Context                unconfined_u:system_r:rpcd_t:s0
Target Objects                None [ capability ]
Source                        rpc.statd
Source Path                   /sbin/rpc.statd
Port
Host                          riohigh
Source RPM Packages           nfs-utils-1.1.3-6.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.12-2.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Thu 16 Oct 2008 05:15:06 PM CDT
Last Seen                     Thu 16 Oct 2008 05:15:06 PM CDT
Local ID                      cc9a1241-41d6-4b07-aa8c-4d2701763004
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1224195306.728:103): avc: denied { sys_resource } for pid=7184 comm="sm-notify" capability=24 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:system_r:rpcd_t:s0 tclass=capability

node=riohigh type=SYSCALL msg=audit(1224195306.728:103): arch=40000003 syscall=4 success=yes exit=5 a0=5 a1=bffbd700 a2=5 a3=5 items=0 ppid=7183 pid=7184 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sm-notify" exe="/usr/sbin/sm-notify" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)

Which ones should I file bugs against, if there are any to file? I have seen knotify and selinux again, this one is filed. Do I need more info?

Thanks,

Antonio

From rdieter at math.unl.edu Mon Oct 20 13:37:06 2008
From: rdieter at math.unl.edu (Rex Dieter)
Date: Mon, 20 Oct 2008 08:37:06 -0500
Subject: libavfilter SELinux policy issue
References: <48F8F135.90307@fedoraproject.org>
Message-ID:

Rahul Sundaram wrote:

> Hi.
>
> This makes Firefox crash if SELinux is in enforcing mode.
>
> Summary:
>
> SELinux is preventing ld-linux.so.2 from loading
> /usr/lib/libavfilter.so.0.1.0
> which requires text relocation.

See also: https://bugzilla.rpmfusion.org/show_bug.cgi?id=72

-- Rex

From jdennis at redhat.com Mon Oct 20 13:45:43 2008
From: jdennis at redhat.com (John Dennis)
Date: Mon, 20 Oct 2008 09:45:43 -0400
Subject: SELinux troubleshooter
In-Reply-To: <48F9155E.2070608@fedoraproject.org>
References: <48F9155E.2070608@fedoraproject.org>
Message-ID: <48FC8B87.5090205@redhat.com>

Rahul Sundaram wrote:
> Hi,
>
> It would be nice if I could just tell SELinux troubleshooter not to
> show me alerts at all or filter out particular set of alerts so I
> don't get repeated popups say when building a live cd or for known
> issues. It is otherwise quite annoying at times and I have to kill it
> to get it to shut up.

You can filter alerts. In the alert browser is a checkbox next to each alert labelled "Quiet". If you check that you won't get notifications for that alert.

--
John Dennis

From sundaram at fedoraproject.org Mon Oct 20 17:46:54 2008
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Mon, 20 Oct 2008 23:16:54 +0530
Subject: SELinux troubleshooter
In-Reply-To: <48FC8B87.5090205@redhat.com>
References: <48F9155E.2070608@fedoraproject.org> <48FC8B87.5090205@redhat.com>
Message-ID: <48FCC40E.5080207@fedoraproject.org>

John Dennis wrote:
> Rahul Sundaram wrote:
>> Hi,
>>
>> It would be nice if I could just tell SELinux troubleshooter not to
>> show me alerts at all or filter out particular set of alerts so I
>> don't get repeated popups say when building a live cd or for known
>> issues. It is otherwise quite annoying at times and I have to kill it
>> to get it to shut up.
> You can filter alerts. In the alert browser is a checkbox next to each
> alert labelled "Quiet". If you check that you won't get notifications for
> that alert.

That doesn't allow me to select more than one. This should be easier than checking them one by one.

Rahul

From dwalsh at redhat.com Mon Oct 20 17:57:08 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 20 Oct 2008 13:57:08 -0400
Subject: selinux is denying consolekit, hal?, ...,
In-Reply-To: <868290.53207.qm@web52606.mail.re2.yahoo.com>
References: <868290.53207.qm@web52606.mail.re2.yahoo.com>
Message-ID: <48FCC674.9010209@redhat.com>

Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> selinux is at it again, this time, setroubleshoot shot out the warnings:
>
>
> Summary:
>
> SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t.
>
> Detailed Description:
>
> SELinux denied access requested by hal-acl-tool. It is not expected that this
> access is required by hal-acl-tool and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:hald_acl_t:s0
> Target Context                system_u:system_r:hald_acl_t:s0
> Target Objects                None [ capability ]
> Source                        hal-acl-tool
> Source Path                   /usr/libexec/hal-acl-tool
> Port
> Host                          riohigh
> Source RPM Packages           hal-0.5.12-3.20081013git.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-1.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon
> Alert Count                   25
> First Seen                    Thu 16 Oct 2008 05:21:21 PM CDT
> Last Seen                     Mon 20 Oct 2008 07:22:37 AM CDT
> Local ID                      2dda3b9b-7240-47c2-9865-4e1c1971771c
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1224505357.902:104): avc: denied { sys_resource } for pid=3200 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
>
> node=riohigh type=SYSCALL msg=audit(1224505357.902:104): arch=40000003 syscall=4 success=yes exit=2132 a0=4 a1=b7f94000 a2=854 a3=854 items=0 ppid=1873 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)
>
>
> Summary:
>
> SELinux is preventing knotify4 from making the program stack executable.
>
> Detailed Description:
>
> The knotify4 application attempted to make its stack executable. This is a
> potential security problem. This should never ever be necessary. Stack memory is
> not executable on most OSes these days and this will not change. Executable
> stack memory is one of the biggest security problems. An execstack error might
> in fact be most likely raised by malicious code. Applications are sometimes
> coded incorrectly and request this permission. The SELinux Memory Protection
> Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
> to remove this requirement. If knotify4 does not work and you need it to work,
> you can configure SELinux temporarily to allow this access until the application
> is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> Sometimes a library is accidentally marked with the execstack flag, if you find
> a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
> Then retry your application. If the app continues to not work, you can turn the
> flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
> run correctly, you can change the context of the executable to
> unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/bin/knotify4'" You must also change the default file context files on the
> system in order to preserve them even on a full relabel. "semanage fcontext -a
> -t unconfined_execmem_exec_t '/usr/bin/knotify4'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects                None [ process ]
> Source                        knotify4
> Source Path                   /usr/bin/knotify4
> Port
> Host                          riohigh
> Source RPM Packages           kdebase-runtime-4.1.2-5.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-1.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execstack
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon
> Alert Count                   2
> First Seen                    Mon 20 Oct 2008 07:21:30 AM CDT
> Last Seen                     Mon 20 Oct 2008 07:21:30 AM CDT
> Local ID                      eebb1d00-400c-4898-888b-ae7a132cd800
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1224505290.544:95): avc: denied { execstack } for pid=2883 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> node=riohigh type=SYSCALL msg=audit(1224505290.544:95): arch=40000003 syscall=125 success=no exit=-13 a0=bf983000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2883 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
> Summary:
>
> SELinux is preventing console-kit-dae (consolekit_t) "sys_resource"
> consolekit_t.
>
> Detailed Description:
>
> SELinux denied access requested by console-kit-dae. It is not expected that this
> access is required by console-kit-dae and this access may signal an intrusion
> attempt.
It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 > Target Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 > Target Objects None [ capability ] > Source console-kit-dae > Source Path /usr/sbin/console-kit-daemon > Port > Host riohigh > Source RPM Packages ConsoleKit-0.3.0-2.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.13-1.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat > Oct 18 20:35:56 EDT 2008 i686 athlon > Alert Count 23 > First Seen Thu 16 Oct 2008 04:27:59 PM CDT > Last Seen Mon 20 Oct 2008 07:20:39 AM CDT > Local ID 18c02e39-31cf-4b70-b999-fa910c61d822 > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1224505239.547:88): avc: denied { sys_resource } for pid=1810 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability > > node=riohigh type=SYSCALL msg=audit(1224505239.547:88): arch=40000003 syscall=4 success=yes exit=672 a0=1a a1=9fb1758 a2=2a0 a3=9fb1758 items=0 ppid=1 pid=1810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) > > > Summary: > > SELinux is preventing 
sm-notify (rpcd_t) "sys_resource" rpcd_t. > > Detailed Description: > > SELinux denied access requested by sm-notify. It is not expected that this > access is required by sm-notify and this access may signal an intrusion attempt. > It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context unconfined_u:system_r:rpcd_t:s0 > Target Context unconfined_u:system_r:rpcd_t:s0 > Target Objects None [ capability ] > Source rpc.statd > Source Path /sbin/rpc.statd > Port > Host riohigh > Source RPM Packages nfs-utils-1.1.3-6.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.12-2.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 > 01:26:26 EDT 2008 i686 athlon > Alert Count 2 > First Seen Thu 16 Oct 2008 05:15:06 PM CDT > Last Seen Thu 16 Oct 2008 05:15:06 PM CDT > Local ID cc9a1241-41d6-4b07-aa8c-4d2701763004 > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1224195306.728:103): avc: denied { sys_resource } for pid=7184 comm="sm-notify" capability=24 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:system_r:rpcd_t:s0 tclass=capability > > node=riohigh type=SYSCALL msg=audit(1224195306.728:103): arch=40000003 syscall=4 success=yes exit=5 a0=5 a1=bffbd700 a2=5 a3=5 items=0 ppid=7183 pid=7184 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sm-notify" exe="/usr/sbin/sm-notify" 
subj=unconfined_u:system_r:rpcd_t:s0 key=(null) > > > Which ones should I file bugs against, if there are any to file? > > I have seen knotify and selinux again, this one is filed. Do I need more info? > > Thanks, > > Antonio > > > > > > > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list These should be filed against the kernel. These tools should not suddenly need sys_resource. I believe this is a kernel bug. From rdieter at math.unl.edu Mon Oct 20 19:31:53 2008 From: rdieter at math.unl.edu (Rex Dieter) Date: Mon, 20 Oct 2008 14:31:53 -0500 Subject: selinux is denying consolekit, hal?, ..., References: <868290.53207.qm@web52606.mail.re2.yahoo.com> Message-ID: Antonio Olivares wrote: > Dear fellow selinux experts, > > selinux is at it again, this time, setroubleshoot shot out the warnings: Any 3rd-party software installed? Say, like a binary X/kernel driver? 
:) -- Rex From olivares14031 at yahoo.com Tue Oct 21 22:42:45 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Tue, 21 Oct 2008 15:42:45 -0700 (PDT) Subject: Contents of fedora-selinux-list Digest, Vol 56, Issue 19 In-Reply-To: <20081021160019.7BF6C8E0127@hormel.redhat.com> Message-ID: <293522.67340.qm@web52604.mail.re2.yahoo.com> --- On Tue, 10/21/08, fedora-selinux-list-request at redhat.com wrote: > From: fedora-selinux-list-request at redhat.com > Subject: fedora-selinux-list Digest, Vol 56, Issue 19 > To: fedora-selinux-list at redhat.com > Date: Tuesday, October 21, 2008, 9:00 AM > Send fedora-selinux-list mailing list submissions to > fedora-selinux-list at redhat.com > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > or, via email, send a message with subject or body > 'help' to > fedora-selinux-list-request at redhat.com > > You can reach the person managing the list at > fedora-selinux-list-owner at redhat.com > > When replying, please edit your Subject line so it is more > specific > than "Re: Contents of fedora-selinux-list > Message: 2 > Date: Mon, 20 Oct 2008 13:57:08 -0400 > From: Daniel J Walsh > Subject: Re: selinux is denying consolekit, hal?, ..., > To: olivares14031 at yahoo.com > Cc: fedora-selinux-list at redhat.com > Message-ID: <48FCC674.9010209 at redhat.com> > Content-Type: text/plain; charset=ISO-8859-1 > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > These should be filed against the kernel. These tools > should not > suddenly need sys_resource. I believe this is a kernel > bug. 
I will wait then because we just got a new kernel, and it would be a waste of time and resources to file against a kernel that is no longer there :( I hope that you and others won't get upset, unless the new kernel behaves the same way, then absolutely like absolute value of x |x| :) Thanks, > > > ------------------------------ > > Message: 3 > Date: Mon, 20 Oct 2008 14:31:53 -0500 > From: Rex Dieter > Subject: Re: selinux is denying consolekit, hal?, ..., > To: fedora-selinux-list at redhat.com > Message-ID: > Content-Type: text/plain; charset=us-ascii > > Antonio Olivares wrote: > > > Dear fellow selinux experts, > > > > selinux is at it again, this time, setroubleshoot shot > out the warnings: > > Any 3rd-party software installed? Say, like a binary > X/kernel driver? :) Nope! Regular nv driver as comes default. I used to like testing nvidia drivers before, but none anymore as it is a hassle to have to build them every time a new kernel comes out (yes I have heard of livna, and freshrpms and now rpmfusion), I do not want to go there yet. Thanks, Antonio > > -- Rex > > > > ------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > End of fedora-selinux-list Digest, Vol 56, Issue 19 > *************************************************** __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From paul at city-fan.org Wed Oct 22 11:45:27 2008 From: paul at city-fan.org (Paul Howarth) Date: Wed, 22 Oct 2008 12:45:27 +0100 Subject: Policy module building on rawhide Message-ID: <48FF1257.20201@city-fan.org> My module builds are failing on rawhide: $ /usr/bin/make NAME=mls -f /usr/share/selinux/devel/Makefile cat: /selinux/mls: No such file or directory Compiling mls fastcgi module m4: tmp/fastcgi.mod.role: No such file or directory make: *** [tmp/fastcgi.mod] Error 1 The commands being run, according to "make -n" are: $ make -n NAME=mls -f /usr/share/selinux/devel/Makefile cat: /selinux/mls: No such file or directory echo "Compiling mls fastcgi module" test -d tmp || mkdir -p tmp m4 -D enable_mls -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/loadable_module.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt tmp/all_interfaces.conf fastcgi.te tmp/fastcgi.mod.role > tmp/fastcgi.tmp /usr/bin/checkmodule -M -m tmp/fastcgi.tmp -o tmp/fastcgi.mod m4 -D enable_mls -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/loadable_module.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/misc_patterns.spt 
/usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt fastcgi.fc > tmp/fastcgi.mod.fc echo "Creating mls fastcgi.pp policy package" /usr/bin/semodule_package -o fastcgi.pp -m tmp/fastcgi.mod -f tmp/fastcgi.mod.fc rm tmp/fastcgi.mod.fc tmp/fastcgi.mod I'm guessing the missing .mod.role file would have been created by the commented-out rule in /usr/share/selinux/devel/include/Makefile: tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" @test -d $(@D) || mkdir -p $(@D) # $(call peruser-expansion,$(basename $(@F)),$@.role) $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ Do I need to do something different for F10, or is this a bug? Paul. From sds at tycho.nsa.gov Wed Oct 22 12:58:11 2008 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Wed, 22 Oct 2008 08:58:11 -0400 Subject: Policy module building on rawhide In-Reply-To: <48FF1257.20201@city-fan.org> References: <48FF1257.20201@city-fan.org> Message-ID: <1224680291.29917.1.camel@moss-spartans.epoch.ncsc.mil> On Wed, 2008-10-22 at 12:45 +0100, Paul Howarth wrote: > My module builds are failing on rawhide: > > $ /usr/bin/make NAME=mls -f /usr/share/selinux/devel/Makefile Why NAME=mls? > cat: /selinux/mls: No such file or directory ls /selinux shows what? 
grep selinux /proc/mounts /proc/filesystems > Compiling mls fastcgi module > m4: tmp/fastcgi.mod.role: No such file or directory > make: *** [tmp/fastcgi.mod] Error 1 > > The commands being run, according to "make -n" are: > > $ make -n NAME=mls -f /usr/share/selinux/devel/Makefile > cat: /selinux/mls: No such file or directory > echo "Compiling mls fastcgi module" > test -d tmp || mkdir -p tmp > m4 -D enable_mls -D distro_redhat -D hide_broken_symptoms -D > mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s > /usr/share/selinux/devel/include/support/all_perms.spt > /usr/share/selinux/devel/include/support/file_patterns.spt > /usr/share/selinux/devel/include/support/ipc_patterns.spt > /usr/share/selinux/devel/include/support/loadable_module.spt > /usr/share/selinux/devel/include/support/misc_macros.spt > /usr/share/selinux/devel/include/support/misc_patterns.spt > /usr/share/selinux/devel/include/support/mls_mcs_macros.spt > /usr/share/selinux/devel/include/support/obj_perm_sets.spt > tmp/all_interfaces.conf fastcgi.te tmp/fastcgi.mod.role > tmp/fastcgi.tmp > /usr/bin/checkmodule -M -m tmp/fastcgi.tmp -o tmp/fastcgi.mod > m4 -D enable_mls -D distro_redhat -D hide_broken_symptoms -D > mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 > /usr/share/selinux/devel/include/support/all_perms.spt > /usr/share/selinux/devel/include/support/file_patterns.spt > /usr/share/selinux/devel/include/support/ipc_patterns.spt > /usr/share/selinux/devel/include/support/loadable_module.spt > /usr/share/selinux/devel/include/support/misc_macros.spt > /usr/share/selinux/devel/include/support/misc_patterns.spt > /usr/share/selinux/devel/include/support/mls_mcs_macros.spt > /usr/share/selinux/devel/include/support/obj_perm_sets.spt fastcgi.fc > > tmp/fastcgi.mod.fc > echo "Creating mls fastcgi.pp policy package" > /usr/bin/semodule_package -o fastcgi.pp -m tmp/fastcgi.mod -f > tmp/fastcgi.mod.fc > rm tmp/fastcgi.mod.fc tmp/fastcgi.mod > > I'm guessing the missing 
.mod.role file would have been created by the > commented-out rule in /usr/share/selinux/devel/include/Makefile: > > tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te > @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" > @test -d $(@D) || mkdir -p $(@D) > # $(call peruser-expansion,$(basename $(@F)),$@.role) > $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) > $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ > > Do I need to do something different for F10, or is this a bug? > > Paul. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency From paul at city-fan.org Wed Oct 22 13:01:44 2008 From: paul at city-fan.org (Paul Howarth) Date: Wed, 22 Oct 2008 14:01:44 +0100 Subject: Policy module building on rawhide In-Reply-To: <1224680291.29917.1.camel@moss-spartans.epoch.ncsc.mil> References: <48FF1257.20201@city-fan.org> <1224680291.29917.1.camel@moss-spartans.epoch.ncsc.mil> Message-ID: <48FF2438.20604@city-fan.org> Stephen Smalley wrote: > On Wed, 2008-10-22 at 12:45 +0100, Paul Howarth wrote: >> My module builds are failing on rawhide: >> >> $ /usr/bin/make NAME=mls -f /usr/share/selinux/devel/Makefile > > Why NAME=mls? > >> cat: /selinux/mls: No such file or directory > > ls /selinux shows what? > grep selinux /proc/mounts /proc/filesystems This is for building policy module packages in a mock chroot for mls and targeted policy on a host running targeted policy. The approach has worked for every release from FC5 until now. Paul. From shintaro.fujiwara at gmail.com Thu Oct 23 22:10:58 2008 From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara) Date: Fri, 24 Oct 2008 07:10:58 +0900 Subject: Permissive domain how-to? 
Message-ID: Hi, I want to set permissive some domain as Mr Walsh gave us a hint, but when I tried to do that, [root at notepc ~]# semanage permissive -a zabbix_t /usr/sbin/semanage: Permission denied Another one was same result. Why ? -- http://intrajp.no-ip.com/ Home Page -------------- next part -------------- An HTML attachment was scrubbed... URL: From paul at city-fan.org Fri Oct 24 14:52:20 2008 From: paul at city-fan.org (Paul Howarth) Date: Fri, 24 Oct 2008 15:52:20 +0100 Subject: Question on =?windows-1256?q?SELinux=FE?= In-Reply-To: References: <20081018132559.555ae69d@metropolis.intra.city-fan.org> Message-ID: <20081024155220.46308159@metropolis.intra.city-fan.org> On Sat, 18 Oct 2008 12:34:53 +0000 lionel ong wrote: > > > Date: Sat, 18 Oct 2008 13:25:59 +0100> From: paul at city-fan.org> To: > > odin743 at hotmail.com> CC: fedora-selinux-list at redhat.com> Subject: > > Re: Question on SELinux?> > On Sat, 18 Oct 2008 09:55:26 +0000> > > lionel ong wrote:> > > > Port 80 is the port > > that the websites firefox connects to use; if you> prevent firefox > > from connecting to websites on port 80 it's just not> going to work > > at all, unless you're trying to force it through a proxy> on a > > different port perhaps?> > Paul. > Hi, yes I understand that the firefox will fail to work, but I am > just trying out the things policies can do, it's ok if firefox fails. > Do you know how I could stop firefox from using Port 80 and uses some > other port? Regards, Lionel I've never done anything like that but I guess a good starting point would be xguest (see http://danwalsh.livejournal.com/14778.html) and tweaking policy from there. Paul. From eparis at redhat.com Fri Oct 24 19:05:28 2008 From: eparis at redhat.com (Eric Paris) Date: Fri, 24 Oct 2008 15:05:28 -0400 Subject: Permissive domain how-to? 
In-Reply-To: References: Message-ID: <1224875128.3404.85.camel@localhost.localdomain> On Fri, 2008-10-24 at 07:10 +0900, Shintaro Fujiwara wrote:
> Hi, I want to set permissive some domain as Mr Walsh gave us a hint,
> but when I tried to do that,
>
> [root at notepc ~]# semanage permissive -a zabbix_t
> /usr/sbin/semanage: Permission denied
>
> Another one was same result.
>
> Why ?

Obviously semanage permissive could use some work....

[root at paris-laptop ~]# semanage permissive -a zabbix_t
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 477, in
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 376, in process_args
    OBJECT.add(target)
  File "/usr/lib/python2.5/site-packages/seobject.py", line 345, in add
    mc.create_module_package(filename, 1)
  File "/usr/lib/python2.5/site-packages/sepolgen/module.py", line 172, in create_module_package
    self.refpol_build(sourcename)
  File "/usr/lib/python2.5/site-packages/sepolgen/module.py", line 186, in refpol_build
    raise RuntimeError("compilation failed:\n%s" % self.last_output)
RuntimeError: compilation failed:
Compiling targeted permissive_zabbix_t module
m4: tmp/permissive_zabbix_t.mod.role: No such file or directory
make: *** [tmp/permissive_zabbix_t.mod] Error 1

You might be able to give some more info running

strace -o /tmp/semanage.strace -s 1024 semanage permissive -a zabbix_t

On the other hand you could build your own module by hand while we wait on dan to help us out with semanage....

policy_module(permissivezabbix, 1.0)
gen_require(`
	type zabbix_t;
')
permissive zabbix_t;

checkmodule -M -m -o permissivezabbix.mod permissivezabbix.te
semodule_package -o permissivezabbix.pp -m permissivezabbix.mod
semodule -i permissivezabbix.pp

From dwalsh at redhat.com Fri Oct 24 19:10:43 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 24 Oct 2008 15:10:43 -0400 Subject: Permissive domain how-to? 
In-Reply-To: References: Message-ID: <49021DB3.204@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Shintaro Fujiwara wrote: > Hi, I want to set permissive some domain as Mr Walsh gave us a hint, > but when I tried to do that, > > [root at notepc ~]# semanage permissive -a zabbix_t > /usr/sbin/semanage: Permission denied > > Another one was same result. > > Why ? > > > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list You need to be root. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkkCHbMACgkQrlYvE4MpobO+VwCfcuIYQbvA4n+vhfm84LQH+vre R4sAoOBlCcBT16ZEwRWIDR9C43aaZDgB =MLJV -----END PGP SIGNATURE----- From dwalsh at redhat.com Fri Oct 24 19:14:27 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 24 Oct 2008 15:14:27 -0400 Subject: Permissive domain how-to? In-Reply-To: <1224875128.3404.85.camel@localhost.localdomain> References: <1224875128.3404.85.camel@localhost.localdomain> Message-ID: <49021E93.4000106@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eric Paris wrote: > On Fri, 2008-10-24 at 07:10 +0900, Shintaro Fujiwara wrote: >> Hi, I want to set permissive some domain as Mr Walsh gave us a hint, >> but when I tried to do that, >> >> [root at notepc ~]# semanage permissive -a zabbix_t >> /usr/sbin/semanage: Permission denied >> >> Another one was same result. >> >> Why ? > > Obviously semanage permissive could use some work.... 
> 
> [root at paris-laptop ~]# semanage permissive -a zabbix_t
> Traceback (most recent call last):
>   File "/usr/sbin/semanage", line 477, in
>     process_args(sys.argv[1:])
>   File "/usr/sbin/semanage", line 376, in process_args
>     OBJECT.add(target)
>   File "/usr/lib/python2.5/site-packages/seobject.py", line 345, in add
>     mc.create_module_package(filename, 1)
>   File "/usr/lib/python2.5/site-packages/sepolgen/module.py", line 172, in create_module_package
>     self.refpol_build(sourcename)
>   File "/usr/lib/python2.5/site-packages/sepolgen/module.py", line 186, in refpol_build
>     raise RuntimeError("compilation failed:\n%s" % self.last_output)
> RuntimeError: compilation failed:
> Compiling targeted permissive_zabbix_t module
> m4: tmp/permissive_zabbix_t.mod.role: No such file or directory
> make: *** [tmp/permissive_zabbix_t.mod] Error 1
> 
> You might be able to give some more info running
> 
> strace -o /tmp/semanage.strace -s 1024 semanage permissive -a zabbix_t
> 
> On the other hand you could build your own module by hand while we wait
> on dan to help us out with semanage....
> 
> policy_module(permissivezabbix, 1.0)
> gen_require(`
> 	type zabbix_t;
> ')
> permissive zabbix_t;
> 
> checkmodule -M -m -o permissivezabbix.mod permissivezabbix.te
> semodule_package -o permissivezabbix.pp -m permissivezabbix.mod
> semodule -i permissivezabbix.pp
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Building modular policy is broken in rawhide. So either form would not work. 
Fixed in selinux-policy-3.5.13-7.fc10 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkkCHpMACgkQrlYvE4MpobOfBACgnnj1vMBhiDUppcoUp7VR+pUE z9AAnRywfSaUcmDIhbN/AZ4XFixY2s6D =maTl -----END PGP SIGNATURE----- From dwalsh at redhat.com Fri Oct 24 19:27:31 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 24 Oct 2008 15:27:31 -0400 Subject: Question on =?windows-1256?q?SELinux=FE?= In-Reply-To: <20081024155220.46308159@metropolis.intra.city-fan.org> References: <20081018132559.555ae69d@metropolis.intra.city-fan.org> <20081024155220.46308159@metropolis.intra.city-fan.org> Message-ID: <490221A3.8000801@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul Howarth wrote: > On Sat, 18 Oct 2008 12:34:53 +0000 > lionel ong wrote: > >>> Date: Sat, 18 Oct 2008 13:25:59 +0100> From: paul at city-fan.org> To: >>> odin743 at hotmail.com> CC: fedora-selinux-list at redhat.com> Subject: >>> Re: Question on SELinux?> > On Sat, 18 Oct 2008 09:55:26 +0000> >>> lionel ong wrote:> > > > Port 80 is the port >>> that the websites firefox connects to use; if you> prevent firefox >>> from connecting to websites on port 80 it's just not> going to work >>> at all, unless you're trying to force it through a proxy> on a >>> different port perhaps?> > Paul. >> Hi, yes I understand that the firefox will fail to work, but I am >> just trying out the things policies can do, it's ok if firefox fails. >> Do you know how I could stop firefox from using Port 80 and uses some >> other port? Regards, Lionel > > I've never done anything like that but I guess a good starting point > would be xguest (see http://danwalsh.livejournal.com/14778.html) and > tweaking policy from there. > > Paul. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Start with the following policy and add ports that you would allow. 
policy_module(myuser, 1.0.0) role myuser_r; userdom_restricted_xwindows_user_template(muser) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkkCIaMACgkQrlYvE4MpobMHUACfRYAnQt1HjrRnhnGx3RpAceBB FpAAnjWNh+MT9FVknPHpudyQ9reTvZ5+ =Jtwr -----END PGP SIGNATURE----- From olivares14031 at yahoo.com Fri Oct 24 20:56:04 2008 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Fri, 24 Oct 2008 13:56:04 -0700 (PDT) Subject: knotify4, NetworkManager (NetworkManager_t) "read write" unconfined_t., .. Message-ID: <394142.89605.qm@web52602.mail.re2.yahoo.com> Dear all(selinux experts and testers) , despite updating selinux-policy packages and relabeling, I am still seeing denied avcs from setroubleshoot Selinux preventing all of the above plus ip (ifconfig_t) "read write" unconfined_t :( Summary: SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. Detailed Description: SELinux denied access requested by ip. It is not expected that this access is required by ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context unconfined_u:system_r:ifconfig_t Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Objects socket [ unix_stream_socket ] Source ip Source Path /sbin/ip Port Host localhost.localdomain Source RPM Packages iproute-2.6.26-1.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-3.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 01:39:53 EDT 2008 i686 i686 Alert Count 43 First Seen Fri 24 Oct 2008 01:33:46 PM CDT Last Seen Fri 24 Oct 2008 01:33:53 PM CDT Local ID 16290580-6020-4615-908e-c7b32e828a7a Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=AVC 
msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=SYSCALL msg=audit(1224873233.717:83): arch=40000003 syscall=11 success=yes exit=0 a0=9ddcb98 a1=9dadeb0 a2=9ddcd60 a3=0 items=0 ppid=3901 pid=3912 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null) Summary: SELinux is preventing NetworkManager (NetworkManager_t) "read write" unconfined_t. Detailed Description: SELinux denied access requested by NetworkManager. It is not expected that this access is required by NetworkManager and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context unconfined_u:system_r:NetworkManager_t Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Objects socket [ unix_stream_socket ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port Host localhost.localdomain Source RPM Packages NetworkManager-0.7.0-0.11.svn4201.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-3.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 01:39:53 EDT 2008 i686 i686 Alert Count 1 First Seen Fri 24 Oct 2008 01:35:56 PM CDT Last Seen Fri 24 Oct 2008 01:35:56 PM CDT Local ID 6f715f57-6bca-45b3-aa02-dc34581b3423 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost.localdomain type=SYSCALL msg=audit(1224873356.766:92): arch=40000003 syscall=11 success=yes exit=0 a0=8642bd8 a1=8642a20 a2=8642ee8 a3=0 items=0 ppid=4003 pid=4004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null) Summary: SELinux is preventing knotify4 from making the program stack executable. Detailed Description: The knotify4 application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If knotify4 does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. 
Otherwise, if you trust knotify4 to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/bin/knotify4'" Fix Command: chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Objects None [ process ] Source nspluginscan Source Path /usr/bin/nspluginscan Port Host localhost.localdomain Source RPM Packages kdebase-runtime-4.1.2-5.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-5.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execstack Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686 Alert Count 38 First Seen Mon 28 Jul 2008 10:50:50 PM CDT Last Seen Fri 24 Oct 2008 03:15:46 PM CDT Local ID d1193200-ba21-44ee-bdf0-5b24a80cdb04 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc: denied { execstack } for pid=2823 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process node=localhost.localdomain type=SYSCALL msg=audit(1224879346.180:21): arch=40000003 syscall=125 success=no exit=-13 a0=bfdef000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2823 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t. 
Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port
Host                          localhost.localdomain
Source RPM Packages           dhclient-4.0.0-30.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-5.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.3-39.fc10.i686 #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Fri 24 Oct 2008 01:45:01 PM CDT
Last Seen                     Fri 24 Oct 2008 03:17:34 PM CDT
Local ID                      4c789a6b-2778-4d68-bb82-4fa4b8547db5
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=SYSCALL msg=audit(1224879454.396:26): arch=40000003 syscall=11 success=yes exit=0 a0=96aa660 a1=96aa6d0 a2=96a4b68 a3=0 items=0 ppid=3066 pid=3115 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

I had a very difficult time updating this machine because I could not get a connection.
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:18 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1760 (1.7 KiB)  TX bytes:1760 (1.7 KiB)

pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

wlan0     Link encap:Ethernet  HWaddr 00:16:E3:F3:09:DB
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

wmaster0  Link encap:UNSPEC  HWaddr 00-16-E3-F3-09-DB-F4-EF-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@localhost ~]# ifconfig -a | more
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:18 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32 errors:0
          dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1760 (1.7 KiB)  TX bytes:1760 (1.7 KiB)

pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
[root@localhost ~]# dhclient eth0
Nothing to flush.
PING 10.154.19.1 (10.154.19.1) from 10.154.19.179 eth0: 56(84) bytes of data.

--- 10.154.19.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3000ms
pipe 3
[root@localhost ~]# ifconfig -a | more
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:18 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2096 (2.0 KiB)  TX bytes:2096 (2.0 KiB)

pan0      Link encap:Ethernet  HWaddr 36:F3:C2:B0:9B:46
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

I had to change the MAC address of the machine to another one that could get access so that I could apply the updates.

First one, knotify, is a bug that I have reported:

https://bugzilla.redhat.com/show_bug.cgi?id=467210

but was closed because it was not an SELinux bug; who has the hot potato now? I keep seeing this on two of my three machines :( Has someone else seen this?

Thanks,

Antonio

From olivares14031 at yahoo.com Fri Oct 24 22:05:05 2008
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Fri, 24 Oct 2008 15:05:05 -0700 (PDT)
Subject: knotify4, NetworkManager (NetworkManager_t) "read write" unconfined_t., ..
In-Reply-To:
Message-ID: <947996.47893.qm@web52602.mail.re2.yahoo.com>

--- On Fri, 10/24/08, Rex Dieter wrote:

> From: Rex Dieter
> Subject: Re: knotify4, NetworkManager (NetworkManager_t) "read write" unconfined_t., ..
> To: fedora-test-list at redhat.com
> Cc: fedora-selinux-list at redhat.com
> Date: Friday, October 24, 2008, 2:48 PM
> Antonio Olivares wrote:
> >
> > First one knotify is a bug that I have reported:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=467210
> >
> > but was closed because it was not an selinux bug, who has the hot potato
> > now? I keep seeing this on two of my three machines :( Has someone else
> > seen this?
>
> Not reproducible. Are you *sure* you have no 3rd-party software installed?
>
> I ask, because I've seen quite a few spurious similar reports, and they *all*
> were due to various 3rd-party crud (usually nvidia binary X drivers).
>

Absolutely positively sure I have no third-party stuff on both machines. How can I prove it, if there is a way to prove it? It is strange that one of the three machines on which I run rawhide works perfectly well and has no complaints on knotify.

Thanks,

Antonio

>
> -- Rex
>
>
> --
> fedora-test-list mailing list
> fedora-test-list at redhat.com
> To unsubscribe:
> https://www.redhat.com/mailman/listinfo/fedora-test-list

From timothy.renner at gmail.com Fri Oct 24 22:38:15 2008
From: timothy.renner at gmail.com (Timothy Renner)
Date: Fri, 24 Oct 2008 15:38:15 -0700
Subject: How can I find out what all the SELinux transactions are?
Message-ID: <49024E57.5040106@gmail.com>

Is there any debug stream available that can tell me what is being processed by the SELinux system? Specifically, I'd like to be able to follow the trail from starting an executable, through its state transitions, what files it reads, and what their file contexts are, and what transitions happen as it calls external programs.
Thanks, -Tim From dwalsh at redhat.com Sat Oct 25 10:26:04 2008 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 25 Oct 2008 06:26:04 -0400 Subject: knotify4, NetworkManager (NetworkManager_t) "read write" unconfined_t., .. In-Reply-To: <394142.89605.qm@web52602.mail.re2.yahoo.com> References: <394142.89605.qm@web52602.mail.re2.yahoo.com> Message-ID: <4902F43C.6030403@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antonio Olivares wrote: > Dear all(selinux experts and testers) , > > despite updating selinux-policy packages and relabeling, I am still seeing denied avcs from setroubleshoot > > Selinux preventing all of the above plus ip (ifconfig_t) "read write" unconfined_t :( > > Summary: > > SELinux is preventing ip (ifconfig_t) "read write" unconfined_t. > > Detailed Description: > > SELinux denied access requested by ip. It is not expected that this access is > required by ip and this access may signal an intrusion attempt. It is also > possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context unconfined_u:system_r:ifconfig_t > Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- > SystemHigh > Target Objects socket [ unix_stream_socket ] > Source ip > Source Path /sbin/ip > Port > Host localhost.localdomain > Source RPM Packages iproute-2.6.26-1.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.13-3.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name localhost.localdomain > Platform Linux localhost.localdomain > 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 > 01:39:53 EDT 2008 i686 i686 > Alert Count 43 > First Seen Fri 24 Oct 2008 01:33:46 PM CDT > Last Seen Fri 24 Oct 2008 01:33:53 PM CDT > Local ID 16290580-6020-4615-908e-c7b32e828a7a > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=SYSCALL msg=audit(1224873233.717:83): arch=40000003 syscall=11 success=yes exit=0 a0=9ddcb98 a1=9dadeb0 a2=9ddcd60 a3=0 items=0 ppid=3901 pid=3912 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ip" exe="/sbin/ip" subj=unconfined_u:system_r:ifconfig_t:s0 key=(null) > > > > Summary: > > SELinux is preventing NetworkManager (NetworkManager_t) "read write" > unconfined_t. > > Detailed Description: > > SELinux denied access requested by NetworkManager. It is not expected that this > access is required by NetworkManager and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context unconfined_u:system_r:NetworkManager_t > Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- > SystemHigh > Target Objects socket [ unix_stream_socket ] > Source NetworkManager > Source Path /usr/sbin/NetworkManager > Port > Host localhost.localdomain > Source RPM Packages NetworkManager-0.7.0-0.11.svn4201.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.13-3.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name localhost.localdomain > Platform Linux localhost.localdomain > 2.6.27.3-34.rc1.fc10.i686 #1 SMP Tue Oct 21 > 01:39:53 EDT 2008 i686 i686 > Alert Count 1 > First Seen Fri 24 Oct 2008 01:35:56 PM CDT > Last Seen Fri 24 Oct 2008 01:35:56 PM CDT > Local ID 6f715f57-6bca-45b3-aa02-dc34581b3423 > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" 
dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224873356.766:92): avc: denied { read write } for pid=4004 comm="NetworkManager" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=SYSCALL msg=audit(1224873356.766:92): arch=40000003 syscall=11 success=yes exit=0 a0=8642bd8 a1=8642a20 a2=8642ee8 a3=0 items=0 ppid=4003 pid=4004 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null) > > > Summary: > > SELinux is preventing knotify4 from making the program stack executable. > > Detailed Description: > > The knotify4 application attempted to make its stack executable. This is a > potential security problem. This should never ever be necessary. Stack memory is > not executable on most OSes these days and this will not change. Executable > stack memory is one of the biggest security problems. An execstack error might > in fact be most likely raised by malicious code. Applications are sometimes > coded incorrectly and request this permission. The SELinux Memory Protection > Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how > to remove this requirement. If knotify4 does not work and you need it to work, > you can configure SELinux temporarily to allow this access until the application > is fixed. Please file a bug report > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. > > Allowing Access: > > Sometimes a library is accidentally marked with the execstack flag, if you find > a library with this flag you can clear it with the execstack -c LIBRARY_PATH. 
> Then retry your application. If the app continues to not work, you can turn the > flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to > run correctly, you can change the context of the executable to > unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t > '/usr/bin/knotify4'" You must also change the default file context files on the > system in order to preserve them even on a full relabel. "semanage fcontext -a > -t unconfined_execmem_exec_t '/usr/bin/knotify4'" > > Fix Command: > > chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4' > > Additional Information: > > Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow- > SystemHigh > Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- > SystemHigh > Target Objects None [ process ] > Source nspluginscan > Source Path /usr/bin/nspluginscan > Port > Host localhost.localdomain > Source RPM Packages kdebase-runtime-4.1.2-5.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.13-5.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name allow_execstack > Host Name localhost.localdomain > Platform Linux localhost.localdomain 2.6.27.3-39.fc10.i686 > #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686 > Alert Count 38 > First Seen Mon 28 Jul 2008 10:50:50 PM CDT > Last Seen Fri 24 Oct 2008 03:15:46 PM CDT > Local ID d1193200-ba21-44ee-bdf0-5b24a80cdb04 > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1224879346.180:21): avc: denied { execstack } for pid=2823 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process > > node=localhost.localdomain type=SYSCALL msg=audit(1224879346.180:21): arch=40000003 syscall=125 success=no exit=-13 a0=bfdef000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2823 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 
fsgid=500 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > > > Summary: > > SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t. > > Detailed Description: > > SELinux denied access requested by dhclient. It is not expected that this access > is required by dhclient and this access may signal an intrusion attempt. It is > also possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh > Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- > SystemHigh > Target Objects socket [ unix_stream_socket ] > Source dhclient > Source Path /sbin/dhclient > Port > Host localhost.localdomain > Source RPM Packages dhclient-4.0.0-30.fc10 > Target RPM Packages > Policy RPM selinux-policy-3.5.13-5.fc10 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name localhost.localdomain > Platform Linux localhost.localdomain 2.6.27.3-39.fc10.i686 > #1 SMP Wed Oct 22 21:35:19 EDT 2008 i686 i686 > Alert Count 2 > First Seen Fri 24 Oct 2008 01:45:01 PM CDT > Last Seen Fri 24 Oct 2008 03:17:34 PM CDT > Local ID 4c789a6b-2778-4d68-bb82-4fa4b8547db5 > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=AVC msg=audit(1224879454.396:26): avc: denied { read write } for pid=3115 comm="dhclient" path="socket:[10645]" dev=sockfs ino=10645 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=localhost.localdomain type=SYSCALL msg=audit(1224879454.396:26): arch=40000003 syscall=11 success=yes exit=0 a0=96aa660 a1=96aa6d0 a2=96a4b68 a3=0 items=0 ppid=3066 pid=3115 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) > > > > I had a very difficult time updating this machine because i could not get a connection. 
> > [olivares at localhost ~]$ su - > Password: > [root at localhost ~]# ifconfig -a > eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 > BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) > Interrupt:18 Base address:0xe000 > > lo Link encap:Local Loopback > inet addr:127.0.0.1 Mask:255.0.0.0 > inet6 addr: ::1/128 Scope:Host > UP LOOPBACK RUNNING MTU:16436 Metric:1 > RX packets:32 errors:0 dropped:0 overruns:0 frame:0 > TX packets:32 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:0 > RX bytes:1760 (1.7 KiB) TX bytes:1760 (1.7 KiB) > > pan0 Link encap:Ethernet HWaddr 36:F3:C2:B0:9B:46 > BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:0 > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) > > wlan0 Link encap:Ethernet HWaddr 00:16:E3:F3:09:DB > UP BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) > > wmaster0 Link encap:UNSPEC HWaddr 00-16-E3-F3-09-DB-F4-EF-00-00-00-00-00-00-00-00 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) > > [root at localhost ~]# ifconfig -a | more > eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 > BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) > Interrupt:18 Base address:0xe000 > > lo Link encap:Local Loopback > inet addr:127.0.0.1 
Mask:255.0.0.0 > inet6 addr: ::1/128 Scope:Host > UP LOOPBACK RUNNING MTU:16436 Metric:1 > RX packets:32 errors:0 dropped:0 overruns:0 frame:0 > TX packets:32 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:0 > RX bytes:1760 (1.7 KiB) TX bytes:1760 (1.7 KiB) > > pan0 Link encap:Ethernet HWaddr 36:F3:C2:B0:9B:46 > BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > [root at localhost ~]# dhclient eth0 > Nothing to flush. > PING 10.154.19.1 (10.154.19.1) from 10.154.19.179 eth0: 56(84) bytes of data. > > --- 10.154.19.1 ping statistics --- > 4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3000ms > pipe 3 > [root at localhost ~]# ifconfig -a | more > eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 > BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:1000 > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) > Interrupt:18 Base address:0xe000 > > lo Link encap:Local Loopback > inet addr:127.0.0.1 Mask:255.0.0.0 > inet6 addr: ::1/128 Scope:Host > UP LOOPBACK RUNNING MTU:16436 Metric:1 > RX packets:35 errors:0 dropped:0 overruns:0 frame:0 > TX packets:35 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:0 > RX bytes:2096 (2.0 KiB) TX bytes:2096 (2.0 KiB) > > pan0 Link encap:Ethernet HWaddr 36:F3:C2:B0:9B:46 > BROADCAST MULTICAST MTU:1500 Metric:1 > RX packets:0 errors:0 dropped:0 overruns:0 frame:0 > > > I had to change the mac address of the machine to another one that could get access so that I could apply the updates. > > First one knotify is a bug that I have reported: > > https://bugzilla.redhat.com/show_bug.cgi?id=467210 > > but was closed because it was not an selinux bug, who has the hot potato now? I keep seeing this on two of my three machines :( > Has someone else seen this? > > Thanks, > > Antonio > > > > > The unix_stream_socket is a leaked file descriptor. 
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc:
denied { read write } for pid=3912 comm="ip" path="socket:[11145]"
dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket

These can be dontaudited or allowed using

# grep ifconfig /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Probably a bug in one of the kde routines that should be calling
fcntl(fd, F_SETFD, FD_CLOEXEC) before executing the script to bring up the
network.

The execstack one is caused by nvidia library? Do you have a libGL on the
system somewhere which is causing this. I think you will have to turn on
the allow_execstack boolean to get this one to go away, or remove the
proprietary software.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkC9DwACgkQrlYvE4MpobNKlQCfTmGPlBluyLvIW/3Is0MaDSFT
b50AnRvmGC8OMNp2uRRY0otv603FO6KQ
=GQN1
-----END PGP SIGNATURE-----

From dwalsh at redhat.com  Sat Oct 25 10:28:14 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 25 Oct 2008 06:28:14 -0400
Subject: How can I find out what all the SELinux transactions are?
In-Reply-To: <49024E57.5040106@gmail.com>
References: <49024E57.5040106@gmail.com>
Message-ID: <4902F4BE.1020908@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Timothy Renner wrote:
> Is there any debug stream available that can tell me what is being
> processed by the SELinux system? Specifically, I'd like to be able to
> follow the trail from starting an executable, through its state
> transitions, what files it reads, and what their file contexts are, and
> what transitions happen as it calls external programs.
>
> Thanks,
> -Tim
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You can probably set up the auditing subsystem to track this. Not that I
would know how.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkC9L4ACgkQrlYvE4MpobP+WgCeJOjpkZH03GvokKX0H50GpVxL
2CMAn232/BX6lIe+fEO+G4ZzrC/Ltt0Q
=y8iY
-----END PGP SIGNATURE-----

From frankly3d at gmail.com  Sat Oct 25 17:33:39 2008
From: frankly3d at gmail.com (Frank Murphy)
Date: Sat, 25 Oct 2008 18:33:39 +0100
Subject: myexim01.te contents: Does it look ok?
Message-ID: <1224956019.3788.5.camel@frank-01>

Scenario
Rebuilt server fresh F8 install then yum update.

Below follows myexim01.te
Original AVC(s) can be included if necessary.
======================================================

module myexim01 1.0;

require {
	type system_crond_t;
	type system_mail_t;
	type system_crond_var_run_t;
	type audisp_t;
	type system_mail_tmp_t;
	type exim_t;
	class capability sys_nice;
	class fifo_file getattr;
	class file { read append };
}

#============= audisp_t ==============
allow audisp_t self:capability sys_nice;

#============= exim_t ==============
allow exim_t system_crond_t:fifo_file getattr;
allow exim_t system_mail_tmp_t:file read;

#============= system_mail_t ==============
allow system_mail_t system_crond_var_run_t:file append;

=========================================================

Frank
--
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com

From niftyfedora at niftyegg.com  Sat Oct 25 22:45:43 2008
From: niftyfedora at niftyegg.com (Nifty Fedora Mitch)
Date: Sat, 25 Oct 2008 15:45:43 -0700
Subject: How can I find out what all the SELinux transactions are?
In-Reply-To: <49024E57.5040106@gmail.com>
References: <49024E57.5040106@gmail.com>
Message-ID: <20081025224543.GA3333@compegg.wr.niftyegg.com>

On Fri, Oct 24, 2008 at 03:38:15PM -0700, Timothy Renner wrote:
>
> Is there any debug stream available that can tell me what is being
> processed by the SELinux system? Specifically, I'd like to be able to
> follow the trail from starting an executable, through its state
> transitions, what files it reads, and what their file contexts are, and
> what transitions happen as it calls external programs.

Most of this is visible in strace. Some post processing will fill in the
gaps.

Try something like:

    strace -f -o /tmp/trace-my-subshell sh
    bash
    id
    program
    exit
    exit

Look at the system calls for mmap, fstat, setcon, open, read, write,
access, close, etc. to see what files it reads, attempts to read, writes,
attempts to write, libraries and so on.

After building a list of files you can use 'stat' to learn what the
context of each file is.

    $ stat -Z /etc/shadow
    $ stat -Z /etc/passwd

Most but not all interactions can just be seen with strace.
If you are more interested in tracing SELinux itself some value may be
found by running in permissive mode.

Like tracing SUID/SGID processes Hawthorne and Heisenberg issues come to
play. You will not be able to trace stuff beyond your level.

--
	T o m   M i t c h e l l
	Found me a new hat, now what?

From gene.heskett at verizon.net  Sun Oct 26 08:43:00 2008
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sun, 26 Oct 2008 04:43:00 -0400
Subject: logrotate problems, again.
Message-ID: <200810260443.00539.gene.heskett@verizon.net>

Greetings;

Like most who run fetchmail, I have cobbled up a script for logrotate to
maintain the logs.

Unforch, every time I think I have it running correctly for about a month,
then selinux has to get into the act.
From an email I got this morning:
------
/etc/cron.daily/logrotate:

system_u:system_r:unconfined_t:s0 is not a valid context
error: error running non-shared postrotate script for /var/log/fetchmail.log
of '/var/log/fetchmail.log '
--------

So I assume it's failed again.
-------------------
[root at coyote ~]# ls -l --lcontext /var/log/fetchmail.*
-rw------- 1 system_u:object_r:var_log_t:s0 gene gene 0 2008-10-26 03:13 /var/log/fetchmail.log
-rw-r--r-- 1 system_u:object_r:var_log_t:s0 gene gene 80343007 2008-09-28 06:13 /var/log/fetchmail.log-20080928
-rw------- 1 system_u:object_r:var_log_t:s0 gene gene 202387 2008-10-05 05:09 /var/log/fetchmail.log-20081005.gz
-rw------- 1 system_u:object_r:var_log_t:s0 gene gene 197849 2008-10-12 05:09 /var/log/fetchmail.log-20081012.gz
-rw------- 1 system_u:object_r:var_log_t:s0 gene gene 196517 2008-10-19 05:09 /var/log/fetchmail.log-20081019.gz
-rw------- 1 system_u:object_r:var_log_t:s0 gene gene 3298789 2008-10-26 03:13 /var/log/fetchmail.log-20081026
--------------------

And I haven't fixed anything. And as can be seen from the size, it did fail.

Here is that stanza of logrotate's input 'mail' script:
---------------------------------
# Logrotate file for fetchmail.log and procmail.log

/var/log/fetchmail.log {
    missingok
    compress
    notifempty
    weekly
    rotate 5
    create 0600 gene gene
    postrotate
        /usr/bin/killall fetchmail
        sleep 1
========
# It appears that the non-logged in syntax is incorrect, so it did not restart
# fetchmail, causing the email above.
        runcon -t unconfined_t -- runuser -l -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc" gene
# So the above line has been commented, and this line substituted, which
# worked to restart fetchmail right now.
        su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
# Which explains the email message from anacron, but this still leaves the
# question as to why the log was NOT rotated. It was not. Next question:
# Does anacron have rights to su to gene?
========
    endscript
}
/var/log/procmail.log {
    missingok
    compress
    notifempty
    weekly
    rotate 5
    create 0600 gene gene
}
-----------------------------

It's a bit confusing to me because the syntax I must use when I launch
fetchmail from rc.local, where no one is logged in yet during the bootup, is
different from the syntax I have to use when I'm logged in, usually as root.
And here, since it runs 24/7, there is me logged in.

What is the permanent cure for this problem please?

Thanks.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Where does it go when you flush?

From dcarter at entertain-me.com  Sun Oct 26 15:01:28 2008
From: dcarter at entertain-me.com (David Carter)
Date: Sun, 26 Oct 2008 12:31:28 -0230
Subject: init_script_type versus init_script_file
Message-ID:

Good morning.

I'm trying to build a module package but I'm running into issues with
these macros. When I build in my FC9 development environment, I require
init_script_file. When I use mock, it will only build using
init_script_type. Why the difference, and what do I do about it?

While I might expect issues across versions, I don't expect a difference
when my mock target and my build environment are the same.

Also, if FC10 is different from FC9, how do I handle that?

TIA
- Dave

From sds at tycho.nsa.gov  Mon Oct 27 12:59:15 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 27 Oct 2008 08:59:15 -0400
Subject: How can I find out what all the SELinux transactions are?
In-Reply-To: <49024E57.5040106@gmail.com>
References: <49024E57.5040106@gmail.com>
Message-ID: <1225112355.31818.3.camel@moss-spartans.epoch.ncsc.mil>

On Fri, 2008-10-24 at 15:38 -0700, Timothy Renner wrote:
> Is there any debug stream available that can tell me what is being
> processed by the SELinux system?
> Specifically, I'd like to be able to
> follow the trail from starting an executable, through its state
> transitions, what files it reads, and what their file contexts are, and
> what transitions happen as it calls external programs.

Options:
- Use system call auditing (see man pages for autrace, auditctl, auditd;
  ask questions on linux-audit at redhat.com).
or
- Add auditallow rules to the domain for the program in order to trigger
  auditing of permission grantings.

And of course, denials are already audited by SELinux by default.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com  Mon Oct 27 18:44:44 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 27 Oct 2008 14:44:44 -0400
Subject: myexim01.te contents: Does it look ok?
In-Reply-To: <1224956019.3788.5.camel@frank-01>
References: <1224956019.3788.5.camel@frank-01>
Message-ID: <49060C1C.7080500@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Murphy wrote:
> Scenario
> Rebuilt server fresh F8 install then yum update.
>
> Below follows myexim01.te
> Original AVC(s) can be included if necessary.
> ======================================================
>
> module myexim01 1.0;
>
> require {
> 	type system_crond_t;
> 	type system_mail_t;
> 	type system_crond_var_run_t;
> 	type audisp_t;
> 	type system_mail_tmp_t;
> 	type exim_t;
> 	class capability sys_nice;
> 	class fifo_file getattr;
> 	class file { read append };
> }
>
> #============= audisp_t ==============
> allow audisp_t self:capability sys_nice;
>
> #============= exim_t ==============
> allow exim_t system_crond_t:fifo_file getattr;
> allow exim_t system_mail_tmp_t:file read;
>
> #============= system_mail_t ==============
> allow system_mail_t system_crond_var_run_t:file append;
>
>
> =========================================================
>
> Frank
>
Yes these look fine.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEUEARECAAYFAkkGDBwACgkQrlYvE4MpobNUOQCYs8JK1EKEW4viLNuOG6rF7MQ5
8QCcDoovylUo21/u71VNlJAt1WR5ST0=
=PC3f
-----END PGP SIGNATURE-----

From dwalsh at redhat.com  Mon Oct 27 19:08:13 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 27 Oct 2008 15:08:13 -0400
Subject: init_script_type versus init_script_file
In-Reply-To:
References:
Message-ID: <4906119D.6000202@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Carter wrote:
> Good morning.
>
> I'm trying to build a module package but I'm running into issues with
> these macros. When I build in my FC9 development environment, I require
> init_script_file. When I use mock, it will only build using
> init_script_type. Why the difference, and what do I do about it?
>
> While I might expect issues across versions, I don't expect a difference
> when my mock target and my build environment are the same.
>
> Also, if FC10 is different from FC9, how do I handle that?
>
> TIA
> - Dave
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

init_script_file is what you should use. That is what upstream wants.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkGEZ0ACgkQrlYvE4MpobNadgCgl2r7MXSlnl6JDSGjkGmAOF9d
qaIAoKWgRaDHkiGBuKphhPrpD53FBp6A
=QyPf
-----END PGP SIGNATURE-----

From dwalsh at redhat.com  Mon Oct 27 19:18:31 2008
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 27 Oct 2008 15:18:31 -0400
Subject: logrotate problems, again.
In-Reply-To: <200810260443.00539.gene.heskett@verizon.net>
References: <200810260443.00539.gene.heskett@verizon.net>
Message-ID: <49061407.3040305@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gene Heskett wrote:
> Greetings;
>
> Like most who run fetchmail, I have cobbled up a script for logrotate to
> maintain the logs.
>
> Unforch, every time I think I have it running correctly for about a month,
> then selinux has to get into the act. From an email I got this morning:
> ------
> /etc/cron.daily/logrotate:
>
> system_u:system_r:unconfined_t:s0 is not a valid context
> error: error running non-shared postrotate script for /var/log/fetchmail.log
> of '/var/log/fetchmail.log '
> --------
>
> So I assume it's failed again.
> -------------------
> [root at coyote ~]# ls -l --lcontext /var/log/fetchmail.*
> -rw------- 1 system_u:object_r:var_log_t:s0 gene gene 0 2008-10-26
> 03:13 /var/log/fetchmail.log
> -rw-r--r-- 1 system_u:object_r:var_log_t:s0 gene gene 80343007 2008-09-28
> 06:13 /var/log/fetchmail.log-20080928
> -rw------- 1 system_u:object_r:var_log_t:s0 gene gene 202387 2008-10-05
> 05:09 /var/log/fetchmail.log-20081005.gz
> -rw------- 1 system_u:object_r:var_log_t:s0 gene gene 197849 2008-10-12
> 05:09 /var/log/fetchmail.log-20081012.gz
> -rw------- 1 system_u:object_r:var_log_t:s0 gene gene 196517 2008-10-19
> 05:09 /var/log/fetchmail.log-20081019.gz
> -rw------- 1 system_u:object_r:var_log_t:s0 gene gene 3298789 2008-10-26
> 03:13 /var/log/fetchmail.log-20081026
> --------------------
>
> And I haven't fixed anything. And as can be seen from the size, it did fail.
>
> Here is that stanza of logrotate's input 'mail' script:
> ---------------------------------
> # Logrotate file for fetchmail.log and procmail.log
>
> /var/log/fetchmail.log {
>     missingok
>     compress
>     notifempty
>     weekly
>     rotate 5
>     create 0600 gene gene
>     postrotate
>         /usr/bin/killall fetchmail
>         sleep 1
> ========
> # It appears that the non-logged in syntax is incorrect, so it did not restart
> # fetchmail, causing the email above.
>         runcon -t unconfined_t -- runuser -l -c "fetchmail -d
> 90 --fetchmailrc /home/gene/.fetchmailrc" gene
>
This command is asking the system to run a process as
system_u:system_r:unconfined_t which is not valid on F9 or Rawhide. And
this is probably not something you want to do.

> # So the above line has been commented, and this line substituted, which
> # worked to restart fetchmail right now.
>
>         su gene -c "fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
>
> # Which explains the email message from anacron, but this still leaves the
> # question as to why the log was NOT rotated. It was not. Next question:
> # Does anacron have rights to su to gene?
>
> ========
>         endscript
> }
> /var/log/procmail.log {
>     missingok
>     compress
>     notifempty
>     weekly
>     rotate 5
>     create 0600 gene gene
> }
> -----------------------------
>
> It's a bit confusing to me because the syntax I must use when I launch
> fetchmail from rc.local, where no one is logged in yet during the bootup, is
> different from the syntax I have to use when I'm logged in, usually as root.
> And here, since it runs 24/7, there is me logged in.
>
> What is the permanent cure for this problem please?
>
> Thanks.
>
I am not sure why logrotate could not rotate the log file. Is the script
trying to run fetchmail as the user gene? What AVC are you seeing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkGFAcACgkQrlYvE4MpobPrlACg2deOqAPyGnXHxlZCp67GgJhq
N0UAn2HXxw85mT5MPlhekOg8PkQRMb4J
=vtX/
-----END PGP SIGNATURE-----

From tibbs at math.uh.edu  Mon Oct 27 19:25:30 2008
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 27 Oct 2008 14:25:30 -0500
Subject: myexim01.te contents: Does it look ok?
In-Reply-To: <49060C1C.7080500@redhat.com>
References: <1224956019.3788.5.camel@frank-01> <49060C1C.7080500@redhat.com>
Message-ID:

Just FYI, I found that I needed the following additional bits in order to
get exim and spamassassin working without spewing AVCs on F9:

module local 1.0;

require {
	type exim_spool_t;
	type spamd_t;
	type exim_t;
	class dir { write search read remove_name create getattr add_name };
	class file { rename setattr read create ioctl write getattr link unlink append };
}

#============= spamd_t ==============
allow spamd_t exim_spool_t:dir { write search read remove_name create getattr add_name };
allow spamd_t exim_spool_t:file { rename setattr read create getattr write ioctl link unlink append };

 - J<

From dcarter at entertain-me.com  Mon Oct 27 20:30:15 2008
From: dcarter at entertain-me.com (David Carter)
Date: Mon, 27 Oct 2008 18:00:15 -0230
Subject: init_script_type versus init_script_file
In-Reply-To: <4906119D.6000202@redhat.com>
References: <4906119D.6000202@redhat.com>
Message-ID: <8BF78182-31F2-4264-92CC-C06CB1E03CB7@entertain-me.com>

This doesn't solve my problem of building on FC9 though...

On Oct 27, 2008, at 4:38 PM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> David Carter wrote:
>> Good morning.
>>
>> I'm trying to build a module package but I'm running into issues with
>> these macros. When I build in my FC9 development environment, I
>> require
>> init_script_file. When I use mock, it will only build using
>> init_script_type.
>> Why the difference, and what do I do about it?
>>
>> While I might expect issues across versions, I don't expect a
>> difference
>> when my mock target and my build environment are the same.
>>
>> Also, if FC10 is different from FC9, how do I handle that?
>>
>> TIA
>> - Dave
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> init_script_file is what you should use. That is what upstream wants.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkkGEZ0ACgkQrlYvE4MpobNadgCgl2r7MXSlnl6JDSGjkGmAOF9d
> qaIAoKWgRaDHkiGBuKphhPrpD53FBp6A
> =QyPf
> -----END PGP SIGNATURE-----
>

From timothy.renner at gmail.com  Mon Oct 27 21:34:40 2008
From: timothy.renner at gmail.com (Timothy Renner)
Date: Mon, 27 Oct 2008 14:34:40 -0700
Subject: File contexts and how are files labeled?
Message-ID: <490633F0.6070109@gmail.com>

First off, thanks for the answers about finding out the SELinux
transactions... autrace was the way to go.... Now I have a more
fundamental problem... In the file context labels, there are two rules
that conflict:

/sbin/.*                  all files       system_u:object_r:bin_t:s0

and

/sbin/mount.mymounter     regular file    system_u:object_r:myfile_exec_t:s0

The problem though is that the file gets labeled under the blanket
/sbin/.* context, rather than the more specific one:

> ls -lZ /sbin/mount.mymounter
lrwxrwxrwx root root system_u:object_r:bin_t /sbin/mount.mymounter -> /myproject/sbin/mymounter

Any thoughts on this? Can someone explain how the file context is
derived from the rules? Is it as simple as whichever matches first?
And does anyone know a way around this labeling problem, assuming I
cannot remove the /sbin/.* rule, but can only add rules through a policy
module.
Thanks again,
-Tim

From mmcallis at redhat.com  Mon Oct 27 22:13:06 2008
From: mmcallis at redhat.com (Murray McAllister)
Date: Tue, 28 Oct 2008 08:13:06 +1000
Subject: File contexts and how are files labeled?
In-Reply-To: <490633F0.6070109@gmail.com>
References: <490633F0.6070109@gmail.com>
Message-ID: <49063CF2.5060602@redhat.com>

Timothy Renner wrote:
> First off, thanks for the answers about finding out the SELinux
> transactions... autrace was the way to go.... Now I have a more
> fundamental problem... In the file context labels, there are two rules
> that conflict:
>
> /sbin/.*                  all files       system_u:object_r:bin_t:s0
>
> and
>
> /sbin/mount.mymounter     regular file    system_u:object_r:myfile_exec_t:s0
>
> The problem though is that the file gets labeled under the blanket
> /sbin/.* context, rather than the more specific one:
>
> > ls -lZ /sbin/mount.mymounter
> lrwxrwxrwx root root system_u:object_r:bin_t
> /sbin/mount.mymounter -> /myproject/sbin/mymounter

I tried this on Fedora Rawhide and it worked. I also have your /sbin/*
rule. Did you run "restorecon /sbin/mount.mymounter" after adding the
rule?

I don't know how this works for symbolic links. You might have to add a
rule (and run restorecon) for /myproject/sbin/mymounter

>
> Any thoughts on this? Can someone explain how the file context is
> derived from the rules? Is it as simple as whichever matches first?
> And does anyone know a way around this labeling problem, assuming I
> cannot remove the /sbin/.* rule, but can only add rules through a policy
> module.
> Thanks again,
> -Tim
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From paul at city-fan.org  Mon Oct 27 22:34:35 2008
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 27 Oct 2008 22:34:35 +0000
Subject: File contexts and how are files labeled?
In-Reply-To: <49063CF2.5060602@redhat.com>
References: <490633F0.6070109@gmail.com> <49063CF2.5060602@redhat.com>
Message-ID: <20081027223435.7225f1bc@metropolis.intra.city-fan.org>

On Tue, 28 Oct 2008 08:13:06 +1000
Murray McAllister wrote:

> Timothy Renner wrote:
> > First off, thanks for the answers about finding out the SELinux
> > transactions... autrace was the way to go.... Now I have a more
> > fundamental problem... In the file context labels, there are two
> > rules that conflict:
> >
> > /sbin/.*                  all files       system_u:object_r:bin_t:s0
> >
> > and
> >
> > /sbin/mount.mymounter     regular file
> > system_u:object_r:myfile_exec_t:s0
> >
> > The problem though is that the file gets labeled under the blanket
> > /sbin/.* context, rather than the more specific one:
> >
> > > ls -lZ /sbin/mount.mymounter
> > lrwxrwxrwx root root system_u:object_r:bin_t
> > /sbin/mount.mymounter -> /myproject/sbin/mymounter
> I tried this on Fedora Rawhide and it worked. I also have
> your /sbin/* rule. Did you run "restorecon /sbin/mount.mymounter"
> after adding the rule?
>
> I don't know how this works for symbolic links. You might have to add
> a rule (and run restorecon) for /myproject/sbin/mymounter
>
> >
> > Any thoughts on this? Can someone explain how the file context is
> > derived from the rules? Is it as simple as whichever matches
> > first? And does anyone know a way around this labeling problem,
> > assuming I cannot remove the /sbin/.* rule, but can only add rules
> > through a policy module.

Regular files, directories, sockets, symlinks etc. can all have different
contexts for the same path specification. So specifying the type for
regular files won't have any effect on symlinks.

For how to specify contexts for different file types using semanage, see
the "--ftype" option in the manpage for semanage.
Regarding how contexts are matched, I asked about it a long while ago and
wrote down a summary of what I was told here:

http://www.city-fan.org/tips/SeLinuxQuickRef

See "File Contexts Sort Ordering" at the bottom of the page.

Paul.

From bruno at wolff.to  Tue Oct 28 04:55:06 2008
From: bruno at wolff.to (Bruno Wolff III)
Date: Mon, 27 Oct 2008 23:55:06 -0500
Subject: File contexts and how are files labeled?
In-Reply-To: <490633F0.6070109@gmail.com>
References: <490633F0.6070109@gmail.com>
Message-ID: <20081028045506.GA8350@wolff.to>

On Mon, Oct 27, 2008 at 14:34:40 -0700,
  Timothy Renner wrote:
>
> Any thoughts on this? Can someone explain how the file context is
> derived from the rules? Is it as simple as whichever matches first?
> And does anyone know a way around this labeling problem, assuming I
> cannot remove the /sbin/.* rule, but can only add rules through a policy
> module.

The patterns are only used when relabelling. When files are created there
is a default context based on the domain of the process and the context of
the directory the file is being created in. Applications can also create
files with specific contexts.

I don't remember the relabelling priority. It is probably either the first
matching rule or the last matching rule as deciding which is more specific
is hard in general and that route probably wasn't chosen.

From sds at tycho.nsa.gov  Tue Oct 28 12:10:11 2008
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 28 Oct 2008 08:10:11 -0400
Subject: File contexts and how are files labeled?
In-Reply-To: <490633F0.6070109@gmail.com>
References: <490633F0.6070109@gmail.com>
Message-ID: <1225195811.5266.8.camel@moss-spartans.epoch.ncsc.mil>

On Mon, 2008-10-27 at 14:34 -0700, Timothy Renner wrote:
> First off, thanks for the answers about finding out the SELinux
> transactions... autrace was the way to go.... Now I have a more
> fundamental problem...
> In the file context labels, there are two rules
> that conflict:
>
> /sbin/.*                  all files       system_u:object_r:bin_t:s0
>
> and
>
> /sbin/mount.mymounter     regular file    system_u:object_r:myfile_exec_t:s0
>
> The problem though is that the file gets labeled under the blanket
> /sbin/.* context, rather than the more specific one:
>
> > ls -lZ /sbin/mount.mymounter
> lrwxrwxrwx root root system_u:object_r:bin_t
> /sbin/mount.mymounter -> /myproject/sbin/mymounter
>
> Any thoughts on this? Can someone explain how the file context is
> derived from the rules? Is it as simple as whichever matches first?
> And does anyone know a way around this labeling problem, assuming I
> cannot remove the /sbin/.* rule, but can only add rules through a policy
> module.

You don't want that context on the symlink but on the file it references.
So specify the path of the referenced file, not the symlink, in your
module's .fc file.

--
Stephen Smalley
National Security Agency

From paul at city-fan.org  Thu Oct 30 01:18:40 2008
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 30 Oct 2008 01:18:40 +0000
Subject: pptp 1.7.2
Message-ID: <20081030011840.249debcf@metropolis.intra.city-fan.org>

pptp 1.7.2 has been in Fedora for some time now and I had some local
policy tweaks to make it work for ages but never got round to mentioning
them here. So here goes.

I add these to make my ADSL link work:

# pptp 1.7.2
# Calls /sbin/ip via popen() to read and modify routes
corecmd_exec_shell(pptp_t)
sysnet_domtrans_ifconfig(pptp_t)
# Needs to look up names
auth_use_nsswitch(pptp_t)
# Calls getsockopt()
allow pptp_t self:fifo_file getattr;
# Not sure what this is about
kernel_read_system_state(pptp_t)

I also get this at startup, which is an SELinux issue but I'm unsure what
to do about it as it doesn't stop things working:

Warning: can't open options file /root/.ppprc: Permission denied

Paul.
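Paul's and Stephen's answers in the "File contexts" thread above make two separate points: a file_contexts entry may carry an object-class flag (regular file, symlink, directory, ...) that has to match before the entry applies at all, and among the entries that do apply the most specific one decides. The Python script below is an added example, not code from the thread and not libselinux, that models both behaviours on Timothy's paths. The specificity ordering it uses (longer literal stem first, then literal before regex, then class-specific before class-less, with the last match in that order winning) is my reading of how fc_sort and libselinux order file_contexts entries and is stated here as an assumption. The entry for /myproject/sbin/mymounter is the one Stephen suggests adding and is constructed; the dot in mount\.mymounter is escaped the way refpolicy writes such entries.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Unescaped characters that make a file_contexts path a regex rather than a literal.
META = set(".^$?*+|[](){}")

# file_contexts object-class flags -> one-letter class used when matching
FTYPE_FLAGS = {"--": "-", "-l": "l", "-d": "d", "-b": "b", "-c": "c", "-p": "p", "-s": "s"}


@dataclass(frozen=True)
class FcEntry:
    regex: str              # path pattern as written in file_contexts
    ftype: Optional[str]    # None = all object classes; '-' regular file, 'l' symlink, ...
    context: str


def parse_file_contexts(text: str) -> list:
    """Parse 'regex [flag] context' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            entries.append(FcEntry(regex, FTYPE_FLAGS[flag], ctx))
        elif len(parts) == 2:
            entries.append(FcEntry(parts[0], None, parts[1]))
        else:
            raise ValueError(f"malformed file_contexts entry: {raw!r}")
    return entries


def has_meta(regex: str) -> bool:
    """True if the pattern contains an unescaped regex metacharacter."""
    i = 0
    while i < len(regex):
        if regex[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if regex[i] in META:
            return True
        i += 1
    return False


def stem(regex: str) -> str:
    """Leading path components that are literal (contain no metacharacters)."""
    literal = []
    for comp in regex.split("/")[1:]:
        if has_meta(comp):
            break
        literal.append(comp)
    return "/" + "/".join(literal)


def specificity(e: FcEntry) -> tuple:
    """Assumed fc_sort ordering: longer stem, then literal, then class-specific."""
    return (len(stem(e.regex)), not has_meta(e.regex), e.ftype is not None)


def sort_contexts(entries):
    """Stable sort so the most specific entries come last (the last match wins)."""
    return sorted(entries, key=specificity)


def lookup(entries, path: str, ftype: str):
    """Context assigned to `path` by the most specific applicable entry, or None.

    `ftype` is the object class of the thing being labeled ('-' regular file,
    'l' symlink, ...).  Entries carrying a class flag apply only to that class,
    which is why a '--' entry never labels a symlink.
    """
    winner = None
    for e in sort_contexts(entries):
        if e.ftype is not None and e.ftype != ftype:
            continue
        if re.fullmatch(e.regex, path):
            winner = e
    return winner.context if winner else None


# Constructed file_contexts fragment: Timothy's two entries, plus the entry for
# the symlink target that Stephen recommends adding (assumed, not from the page).
SAMPLE_FC = r"""
/sbin/.*                      system_u:object_r:bin_t:s0
/sbin/mount\.mymounter    --  system_u:object_r:myfile_exec_t:s0
/myproject/sbin/mymounter --  system_u:object_r:myfile_exec_t:s0
"""
ENTRIES = parse_file_contexts(SAMPLE_FC)

if __name__ == "__main__":
    for path, ftype in [("/sbin/mount.mymounter", "l"),
                        ("/sbin/mount.mymounter", "-"),
                        ("/myproject/sbin/mymounter", "-")]:
        print(f"{path} ({ftype}): {lookup(ENTRIES, path, ftype)}")
```

Run as a script it reports bin_t for the symlink and myfile_exec_t for the two regular-file lookups, which is exactly Timothy's ls -lZ output and Stephen's fix side by side. Adding an entry with the -l flag for /sbin/mount\.mymounter would label the symlink itself, which is the semanage --ftype route Paul mentions.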
From dsikora at redhat.com  Thu Oct 30 18:57:48 2008
From: dsikora at redhat.com (Doug Sikora)
Date: Thu, 30 Oct 2008 14:57:48 -0400 (EDT)
Subject: using apol
Message-ID: <1234372656.811651225393068447.JavaMail.root@zmail02.collab.prod.int.phx2.redhat.com>

Hi all,

I am using apol on a fedora9 box to analyze policy(s) copied over from a
rhel5.2 box. When doing file-->open and selecting modular policy I can
load base.pp just fine. When going back again to do the same but adding
precompiled modules (these modules are known good) I click on Add, then
select the "whatever.pp" module; the module version and path is populated
and all looks good, but when I click on OK to actually load the policy
and the modules I get:

"The selected file does not appear to be a valid SELinux POlicy
Could not open policy"

Any suggestions?
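The audit2allow threads earlier on this page (Daniel Walsh's grep ... | audit2allow pipeline for the leaked ifconfig_t descriptor, and Frank's myexim01.te) rest on one mechanism: every AVC record names a source context, a target context, an object class and the permissions denied, and a local module is just those fields regrouped into allow rules plus a require block. The script below is an added example, not the page's code and not audit2allow itself, that performs that regrouping over a constructed audit log: the ifconfig_t record is the one Daniel quoted, the exim_t and audisp_t records are made up to match Frank's rules, and the SYSCALL record is there to show non-AVC lines being ignored. It also lets the caller mark a denial as dontaudit rather than allow, which is what Daniel suggests for the leaked descriptor: the noise goes away without the access being granted.

```python
import re
from collections import defaultdict

# Pulls the fields a TE rule needs out of one AVC record: the permissions
# inside "{ ... }", the source and target contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+)"
    r".*?\btcontext=(?P<tcon>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type, the only part a TE rule refers to."""
    return ctx.split(":")[2]


def parse_avc(line: str):
    """(source_type, target_type, tclass, perms) for an AVC record, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m["scon"]), context_type(m["tcon"]),
            m["tclass"], frozenset(m["perms"].split()))


def collect_rules(lines):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            s, t, c, perms = parsed
            rules[(s, t, c)] |= perms
    return dict(rules)


def fmt_perms(perms) -> str:
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules, dontaudit=frozenset(), version="1.0") -> str:
    """Render a .te module in the layout audit2allow -M produces.

    Keys listed in `dontaudit` become dontaudit rules: the denial stops being
    logged but the access is still refused, which is the right treatment for
    a leaked descriptor the process never needed in the first place.
    """
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, c), perms in rules.items():
        classes[c] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out.append("}")
    current = None
    for key in sorted(rules):
        s, t, c = key
        if s != current:
            out += ["", f"#============= {s} =============="]
            current = s
        verb = "dontaudit" if key in dontaudit else "allow"
        target = "self" if t == s else t
        out.append(f"{verb} {s} {target}:{c} {fmt_perms(rules[key])};")
    return "\n".join(out) + "\n"


# Constructed audit log.  The ifconfig_t record is the one quoted in the
# thread; the exim_t and audisp_t records are made up to match myexim01.te.
# The SYSCALL record shows that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1224873233.717:83): arch=40000003 syscall=11 success=yes exit=0 pid=3912 comm="ip"
node=localhost.localdomain type=AVC msg=audit(1224873233.717:83): avc: denied { read write } for pid=3912 comm="ip" path="socket:[11145]" dev=sockfs ino=11145 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1224960000.001:90): avc: denied { read } for pid=4001 comm="exim" name="mail.tmp" dev=sda2 ino=9001 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:system_mail_tmp_t:s0 tclass=file
type=AVC msg=audit(1224960000.002:91): avc: denied { getattr } for pid=4001 comm="exim" path="pipe:[9002]" dev=pipefs ino=9002 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:system_crond_t:s0 tclass=fifo_file
type=AVC msg=audit(1224960100.000:92): avc: denied { sys_nice } for pid=2222 comm="audispd" capability=23 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=capability
"""

# The leaked-descriptor denial from the thread, keyed the way collect_rules keys it.
LEAKED_FD = ("ifconfig_t", "unconfined_t", "unix_stream_socket")

if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LOG.splitlines())
    print(render_module("mypol", rules, dontaudit={LEAKED_FD}))
```

The rendered module has the same shape as Frank's myexim01.te (require block, then one commented section per source domain), with the ifconfig_t entry emitted as a dontaudit rule. Note what the script does not do: it cannot tell a denial that reflects a real application need from one caused by a leaked descriptor or a mislabeled file, so each generated rule still has to be read against the AVC that produced it before semodule -i is run, which is the "make sure you get the results you want" step Murray recommends at the top of the page.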