From atsaloli.tech at gmail.com Wed Apr 1 01:22:08 2009
From: atsaloli.tech at gmail.com (Aleksey Tsalolikhin)
Date: Tue, 31 Mar 2009 18:22:08 -0700
Subject: PostgreSQL WAL log shipping does not work on Fedora 6 with SE Linux enabled... no error message. What gives?
Message-ID:

Hi. I am trying to enable WAL log shipping on our PostgreSQL 8.1.10 (upgrade to 8.3.7 is in the works) running on Fedora Core 6 (upgrade to a more recent version is in the works). My PostgreSQL archive_command is 'rsync %p postgres at node2:/file/to/$f

References: <71b51ee10903311533x44b1edddiaba08857192c794c@mail.gmail.com>
Message-ID: <49D2C4FD.6050508@redhat.com>

On 03/31/2009 06:33 PM, Ben Gamari wrote:
> Hey everyone,
>
> Ever since yesterday's big update, I've been unable to login to my
> account through gdm. After entering my user name and password, the PAM
> conversation continues with gdm asking me, "Would you like to enter a
> security context?" On entering "N" the login fails and the gdm greeter
> denies login with "Unable to open session" while pausing for some time,
> often requiring Ctrl-Alt-Backspace to reclaim control of the computer.
>
> After entering "N", the following messages appear in /var/log/secure,
>
>> Mar 31 17:50:13 mercury pam: gdm[5157]: pam_selinux(gdm:session): Unable to get valid context for ben
>> Mar 31 17:50:13 mercury pam: gdm[5157]: pam_unix(gdm:session): session opened for user ben by (uid=0)
>
> After entering my password, the following message appears in
> /var/log/audit/audit.log,
>
>> type=LOGIN msg=audit(1238536335.839:224): login pid=5330 uid=0 old auid=500 new auid=500 old ses=1 new ses=15
>
> Followed by the following messages after entering "N" to entering a
> context,
>
>> type=USER_START msg=audit(1238536339.236:225): user pid=5330 uid=0 auid=500 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="ben" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=failed)'
>> type=USER_LOGIN msg=audit(1238536339.236:226): user pid=5330 uid=0 auid=500 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=/dev/tty7 res=failed)'
>> type=CRED_DISP msg=audit(1238536339.237:227): user pid=5330 uid=0 auid=500 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="ben" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
>
> Anyone have any idea what might cause such a failure? I would be more
> than happy to provide any information necessary to identify the
> root-cause of the problem. Thanks,
>
> - Ben
>

Do you have gdm running as unconfined_t?

ps -eZ | grep gdm

From atsaloli.tech at gmail.com Wed Apr 1 17:59:10 2009
From: atsaloli.tech at gmail.com (Aleksey Tsalolikhin)
Date: Wed, 1 Apr 2009 10:59:10 -0700
Subject: PostgreSQL WAL log shipping does not work on Fedora 6 with SE Linux enabled... no error message. What gives?
In-Reply-To:
References:
Message-ID:

I remembered SELinux protects /home directories especially.
So I moved "postgres" user's home directory from /home/postgres to /data/postgres, and the WAL rsync works now under SELinux.

Thanks!
Aleksey

From JCZucco at ucs.br Thu Apr 2 17:50:22 2009
From: JCZucco at ucs.br (Jeronimo Zucco)
Date: Thu, 02 Apr 2009 14:50:22 -0300
Subject: Trend Micro IWSS AVCs
Message-ID: <20090402145022.893819frcu4qyuvy@webmail2.ucs.br>

I'm getting some avc's using Trend Micro IWSS (web proxy anti-virus - www.trendmicro.com/en/products/gateway/iwss/evaluate/overview.htm ). Here are the logs:

Linux: Red Hat Enterprise Linux Server release 5.2
Policy version: 21
Policy from config file: targeted

type=SYSCALL msg=audit(1238693758.307:18): arch=40000003 syscall=125 success=no exit=-13 a0=6a1000 a1=51000 a2=5 a3=bfd8ecf0 items=0 ppid=1 pid=4639 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd" exe="/opt/trend/iwss/bin/iwss-process" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693769.018:25): avc: denied { execmod } for pid=4756 comm="ismetricmgmtd" path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0 ino=9231574 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693769.018:25): arch=40000003 syscall=125 success=no exit=-13 a0=93b000 a1=5f000 a2=5 a3=bfd4a040 items=0 ppid=4753 pid=4756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ismetricmgmtd" exe="/opt/trend/iwss/bin/ismetricmgmtd" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693772.384:32): avc: denied { execmod } for pid=4798 comm="svcmonitor" path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0 ino=9231574 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693772.384:32): arch=40000003 syscall=125 success=no exit=-13 a0=895000 a1=5f000 a2=5 a3=bfd7f0b0 items=0 ppid=1 pid=4798 auid=4294967295 uid=502 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="svcmonitor" exe="/opt/trend/iwss/bin/svcmonitor" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693775.995:35): avc: denied { execmod } for pid=4889 comm="iwssd" path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693775.995:35): arch=40000003 syscall=125 success=no exit=-13 a0=5ed000 a1=51000 a2=5 a3=bf8afb10 items=0 ppid=1 pid=4889 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd" exe="/opt/trend/iwss/bin/iwss-process" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238694058.311:155): avc: denied { execmod } for pid=19765 comm="iwssd" path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238694058.311:155): arch=40000003 syscall=125 success=yes exit=0 a0=702000 a1=51000 a2=5 a3=bffed4c0 items=0 ppid=1 pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd" exe="/opt/trend/iwss/bin/iwss-process" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1238694060.596:156): avc: denied { execmod } for pid=19765 comm="iwssd" path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0 ino=9166092 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1238694060.596:156): arch=40000003 syscall=125 success=yes exit=0 a0=7de000 a1=53000 a2=5 a3=bffed4c0 items=0 ppid=1 pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd" exe="/opt/trend/iwss/bin/iwss-process" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1238694164.063:188): avc: denied { execmod } for pid=4582 comm="iwssd" path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1238694164.063:188): arch=40000003 syscall=125 success=yes exit=0 a0=81d000 a1=51000 a2=5 a3=bfecca10 items=0 ppid=1 pid=4582 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd" exe="/opt/trend/iwss/bin/iwss-process" subj=system_u:system_r:initrc_t:s0 key=(null)

It was running ok with targeted selinux enforced, since december until today. Now I have to put selinux in permissive mode to get IWSS running again.

Running audit2allow, I've got this policy:

#============= initrc_t ==============
allow initrc_t initrc_tmp_t:file execmod;
allow initrc_t usr_t:file execmod;

#============= unconfined_t ==============
allow unconfined_t initrc_tmp_t:file execmod;
allow unconfined_t usr_t:file execmod;

Too permissive, isn't it? Any idea how to fix it?

-- 
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Universidade de Caxias do Sul - NPDU
http://jczucco.blogspot.com

---------------------------------------
This message was sent by UCS Mail

From domg472 at gmail.com Thu Apr 2 18:57:28 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 02 Apr 2009 20:57:28 +0200
Subject: Trend Micro IWSS AVCs
In-Reply-To: <20090402145022.893819frcu4qyuvy@webmail2.ucs.br>
References: <20090402145022.893819frcu4qyuvy@webmail2.ucs.br>
Message-ID: <1238698648.3516.6.camel@notebook2.grift.internal>

On Thu, 2009-04-02 at 14:50 -0300, Jeronimo Zucco wrote:
> I'm getting some avc's using Trend Micro IWSS (web proxy anti-virus -
> www.trendmicro.com/en/products/gateway/iwss/evaluate/overview.htm ).
> Here are the logs:
>
>
> Linux: Red Hat Enterprise Linux Server release 5.2
> Policy version: 21
> Policy from config file: targeted
>
>
>
> type=SYSCALL msg=audit(1238693758.307:18): arch=40000003 syscall=125
> success=no exit=-13 a0=6a1000 a1=51000 a2=5 a3=bfd8ecf0 items=0 ppid=1
> pid=4639 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238693769.018:25): avc: denied { execmod } for
> pid=4756 comm="ismetricmgmtd"
> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
> ino=9231574 scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file

semanage fcontext -a -t textrel_shlib_t /opt/trend/iwss/bin/lib/libReportLogging.so
restorecon /opt/trend/iwss/bin/lib/libReportLogging.so

> type=SYSCALL msg=audit(1238693769.018:25): arch=40000003 syscall=125
> success=no exit=-13 a0=93b000 a1=5f000 a2=5 a3=bfd4a040 items=0
> ppid=4753 pid=4756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ismetricmgmtd"
> exe="/opt/trend/iwss/bin/ismetricmgmtd"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238693772.384:32): avc: denied { execmod } for
> pid=4798 comm="svcmonitor"
> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
> ino=9231574 scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file

Same as above

> type=SYSCALL msg=audit(1238693772.384:32): arch=40000003 syscall=125
> success=no exit=-13 a0=895000 a1=5f000 a2=5 a3=bfd7f0b0 items=0 ppid=1
> pid=4798 auid=4294967295 uid=502 gid=502 euid=0 suid=0 fsuid=0
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295
> comm="svcmonitor" exe="/opt/trend/iwss/bin/svcmonitor"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238693775.995:35): avc: denied { execmod } for
> pid=4889 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
> ino=9166090 scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file

semanage fcontext -a -t textrel_shlib_t /opt/trend/iwss/bin/plugin/IWSSPIJavascan.so
restorecon /opt/trend/iwss/bin/plugin/IWSSPIJavascan.so

> type=SYSCALL msg=audit(1238693775.995:35): arch=40000003 syscall=125
> success=no exit=-13 a0=5ed000 a1=51000 a2=5 a3=bf8afb10 items=0 ppid=1
> pid=4889 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=system_u:system_r:initrc_t:s0 key=(null)
> type=AVC msg=audit(1238694058.311:155): avc: denied { execmod } for
> pid=19765 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
> ino=9166090 scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:usr_t:s0 tclass=file

Same as above

> type=SYSCALL msg=audit(1238694058.311:155): arch=40000003 syscall=125
> success=yes exit=0 a0=702000 a1=51000 a2=5 a3=bffed4c0 items=0 ppid=1
> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> type=AVC msg=audit(1238694060.596:156): avc: denied { execmod } for
> pid=19765 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0
> ino=9166092 scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

semanage fcontext -a -t textrel_shlib_t /opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so
restorecon /opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so

> type=SYSCALL msg=audit(1238694060.596:156): arch=40000003 syscall=125
> success=yes exit=0 a0=7de000 a1=53000 a2=5 a3=bffed4c0 items=0 ppid=1
> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=user_u:system_r:unconfined_t:s0 key=(null)
> type=AVC msg=audit(1238694164.063:188): avc: denied { execmod } for
> pid=4582 comm="iwssd"
> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
> ino=9166090 scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

Same as above

> type=SYSCALL msg=audit(1238694164.063:188): arch=40000003 syscall=125
> success=yes exit=0 a0=81d000 a1=51000 a2=5 a3=bfecca10 items=0 ppid=1
> pid=4582 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
> exe="/opt/trend/iwss/bin/iwss-process"
> subj=system_u:system_r:initrc_t:s0 key=(null)
>
>
> It was running ok with targeted selinux enforced, since december until
> today. Now I have to put selinux in permissive mode to get IWSS
> running again.
>
>
> Running audit2allow, I've got this policy:
>
> #============= initrc_t ==============
> allow initrc_t initrc_tmp_t:file execmod;
> allow initrc_t usr_t:file execmod;
>
> #============= unconfined_t ==============
> allow unconfined_t initrc_tmp_t:file execmod;
> allow unconfined_t usr_t:file execmod;
>
>
>
> Too permissive, isn't it? Any idea how to fix it?
>

Yes, too permissive. The Trend Micro IWSS daemon runs in initrc_t (this domain is unconfined and meant for init scripts).

You should write policy for this init daemon.
From JCZucco at ucs.br Fri Apr 3 11:01:20 2009
From: JCZucco at ucs.br (Jeronimo Zucco)
Date: Fri, 03 Apr 2009 08:01:20 -0300
Subject: Trend Micro IWSS AVCs
In-Reply-To: <1238698648.3516.6.camel@notebook2.grift.internal>
References: <20090402145022.893819frcu4qyuvy@webmail2.ucs.br> <1238698648.3516.6.camel@notebook2.grift.internal>
Message-ID: <20090403080120.14096xprhmbk31xc@webmail2.ucs.br>

Quoting Dominick Grift:
> On Thu, 2009-04-02 at 14:50 -0300, Jeronimo Zucco wrote:
>> I'm getting some avc's using Trend Micro IWSS (web proxy anti-virus -
>> www.trendmicro.com/en/products/gateway/iwss/evaluate/overview.htm ).
>> Here are the logs:
>>
>>
>> Linux: Red Hat Enterprise Linux Server release 5.2
>> Policy version: 21
>> Policy from config file: targeted
>>
>>
>>
>> type=SYSCALL msg=audit(1238693758.307:18): arch=40000003 syscall=125
>> success=no exit=-13 a0=6a1000 a1=51000 a2=5 a3=bfd8ecf0 items=0 ppid=1
>> pid=4639 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>> type=AVC msg=audit(1238693769.018:25): avc: denied { execmod } for
>> pid=4756 comm="ismetricmgmtd"
>> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
>> ino=9231574 scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> semanage fcontext -a -t
> textrel_shlib_t /opt/trend/iwss/bin/lib/libReportLogging.so
> restorecon /opt/trend/iwss/bin/lib/libReportLogging.so

I've got this error in this command:

iscan homedir /etc/iscan or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.

>
>> type=SYSCALL msg=audit(1238693769.018:25): arch=40000003 syscall=125
>> success=no exit=-13 a0=93b000 a1=5f000 a2=5 a3=bfd4a040 items=0
>> ppid=4753 pid=4756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ismetricmgmtd"
>> exe="/opt/trend/iwss/bin/ismetricmgmtd"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>> type=AVC msg=audit(1238693772.384:32): avc: denied { execmod } for
>> pid=4798 comm="svcmonitor"
>> path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
>> ino=9231574 scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> Same as above
>
>> type=SYSCALL msg=audit(1238693772.384:32): arch=40000003 syscall=125
>> success=no exit=-13 a0=895000 a1=5f000 a2=5 a3=bfd7f0b0 items=0 ppid=1
>> pid=4798 auid=4294967295 uid=502 gid=502 euid=0 suid=0 fsuid=0
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295
>> comm="svcmonitor" exe="/opt/trend/iwss/bin/svcmonitor"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>> type=AVC msg=audit(1238693775.995:35): avc: denied { execmod } for
>> pid=4889 comm="iwssd"
>> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
>> ino=9166090 scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> semanage fcontext -a -t
> textrel_shlib_t /opt/trend/iwss/bin/plugin/IWSSPIJavascan.so
> restorecon /opt/trend/iwss/bin/plugin/IWSSPIJavascan.so

More error:

iscan homedir /etc/iscan or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.

>
>> type=SYSCALL msg=audit(1238693775.995:35): arch=40000003 syscall=125
>> success=no exit=-13 a0=5ed000 a1=51000 a2=5 a3=bf8afb10 items=0 ppid=1
>> pid=4889 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>> type=AVC msg=audit(1238694058.311:155): avc: denied { execmod } for
>> pid=19765 comm="iwssd"
>> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
>> ino=9166090 scontext=user_u:system_r:unconfined_t:s0
>> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> Same as above
>
>> type=SYSCALL msg=audit(1238694058.311:155): arch=40000003 syscall=125
>> success=yes exit=0 a0=702000 a1=51000 a2=5 a3=bffed4c0 items=0 ppid=1
>> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=user_u:system_r:unconfined_t:s0 key=(null)
>> type=AVC msg=audit(1238694060.596:156): avc: denied { execmod } for
>> pid=19765 comm="iwssd"
>> path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0
>> ino=9166092 scontext=user_u:system_r:unconfined_t:s0
>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
> semanage fcontext -a -t
> textrel_shlib_t /opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so
> restorecon /opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so

Same error again:

iscan homedir /etc/iscan or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.

>
>> type=SYSCALL msg=audit(1238694060.596:156): arch=40000003 syscall=125
>> success=yes exit=0 a0=7de000 a1=53000 a2=5 a3=bffed4c0 items=0 ppid=1
>> pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=user_u:system_r:unconfined_t:s0 key=(null)
>> type=AVC msg=audit(1238694164.063:188): avc: denied { execmod } for
>> pid=4582 comm="iwssd"
>> path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
>> ino=9166090 scontext=system_u:system_r:initrc_t:s0
>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
> Same as above
>
>> type=SYSCALL msg=audit(1238694164.063:188): arch=40000003 syscall=125
>> success=yes exit=0 a0=81d000 a1=51000 a2=5 a3=bfecca10 items=0 ppid=1
>> pid=4582 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
>> egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
>> exe="/opt/trend/iwss/bin/iwss-process"
>> subj=system_u:system_r:initrc_t:s0 key=(null)
>>
>>
>> It was running ok with targeted selinux enforced, since december until
>> today. Now I have to put selinux in permissive mode to get IWSS
>> running again.
>>
>>
>> Running audit2allow, I've got this policy:
>>
>> #============= initrc_t ==============
>> allow initrc_t initrc_tmp_t:file execmod;
>> allow initrc_t usr_t:file execmod;
>>
>> #============= unconfined_t ==============
>> allow unconfined_t initrc_tmp_t:file execmod;
>> allow unconfined_t usr_t:file execmod;
>>
>>
>>
>> Too permissive, isn't it? Any idea how to fix it?
>>
> Yes, too permissive. The Trend Micro IWSS daemon runs in initrc_t
> (this domain is unconfined and meant for init scripts).
> You should write policy for this init daemon.
>
>
>

-- 
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Universidade de Caxias do Sul - NPDU
http://jczucco.blogspot.com

From dwalsh at redhat.com Fri Apr 3 15:33:55 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 03 Apr 2009 11:33:55 -0400
Subject: Trend Micro IWSS AVCs
In-Reply-To: <20090402145022.893819frcu4qyuvy@webmail2.ucs.br>
References: <20090402145022.893819frcu4qyuvy@webmail2.ucs.br>
Message-ID: <49D62C63.400@redhat.com>

Jeronimo Zucco wrote:
> I'm getting some avc's using Trend Micro IWSS (web proxy anti-virus -
> www.trendmicro.com/en/products/gateway/iwss/evaluate/overview.htm ).
> Here are the logs:
>
>
> Linux: Red Hat Enterprise Linux Server release 5.2
> Policy version: 21
> Policy from config file: targeted
>
> [...]
>
> It was running ok with targeted selinux enforced, since december until
> today. Now I have to put selinux in permissive mode to get IWSS running
> again.
>
>
> Running audit2allow, I've got this policy:
>
> #============= initrc_t ==============
> allow initrc_t initrc_tmp_t:file execmod;
> allow initrc_t usr_t:file execmod;
>
> #============= unconfined_t ==============
> allow unconfined_t initrc_tmp_t:file execmod;
> allow unconfined_t usr_t:file execmod;
>
>
>
> Too permissive, isn't it? Any idea how to fix it?
>
>
Execmod libraries can be fixed by setting the file context to textrel_shlib_t.

chcon -t textrel_shlib_t /opt/trend/iwss/bin/lib/libReportLogging.so

You should report this problem to www.trendmicro.com that they built their libraries incorrectly.
Attach this link http://people.redhat.com/~drepper/selinux-mem.html

From rdieter at math.unl.edu Mon Apr 6 17:52:29 2009
From: rdieter at math.unl.edu (Rex Dieter)
Date: Mon, 06 Apr 2009 12:52:29 -0500
Subject: kde avc(SELinux prevented kde4-config from writing .kde.)will it be on next selinux policy update?
References: <389193.15867.qm@web52601.mail.re2.yahoo.com> <49AFDF35.6040707@redhat.com> <18898.30809.956133.628833@freddi.uddeborg>
Message-ID:

Göran Uddeborg wrote:
> Daniel J Walsh writes:
>> Antonio Olivares wrote:
>
>> > SELinux prevented kde4-config from writing .kde.
>
>> > Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
>> > Target Context system_u:object_r:root_t:s0
>> > Target Objects .kde [ dir ]
>
>> This is a bug in kdebase. The kdm login program thinks its home dir is
>> / so it is trying to create /.kde in the root directory. There are bugs
>> filed on this.
>
> I don't find the bugzilla. Do you have a reference?

https://bugzilla.redhat.com/show_bug.cgi?id=484370

-- 
Rex

From olivares14031 at yahoo.com Mon Apr 6 21:28:44 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 6 Apr 2009 14:28:44 -0700 (PDT)
Subject: SELinux is preventing devkit-disks-da (devicekit_disk_t)
Message-ID: <884033.95091.qm@web52605.mail.re2.yahoo.com>

Dear fellow selinux experts,

I got a selinux denial upon mounting a fat32 partition (shared between windows and linux). How can I fix it so that it does not show up again if it does?

Summary:

SELinux is preventing devkit-disks-da (devicekit_disk_t) "sys_ptrace" devicekit_disk_t.

Detailed Description:

SELinux denied access requested by devkit-disks-da.
It is not expected that this access is required by devkit-disks-da and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        devkit-disks-da
Source Path                   /usr/libexec/devkit-disks-daemon
Port
Host                          antonio-fedora-x86-64
Source RPM Packages           DeviceKit-disks-003-9.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.10-8.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     antonio-fedora-x86-64
Platform                      Linux antonio-fedora-x86-64 2.6.29.1-46.fc11.x86_64 #1 SMP Thu Apr 2 22:34:13 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 02 Apr 2009 04:36:09 PM CDT
Last Seen                     Mon 06 Apr 2009 04:24:45 PM CDT
Local ID                      80470692-0d41-4e67-8df2-d03673f897a8
Line Numbers

Raw Audit Messages

node=antonio-fedora-x86-64 type=AVC msg=audit(1239053085.114:23): avc: denied { sys_ptrace } for pid=2830 comm="devkit-disks-da" capability=19 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability

node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239053085.114:23): arch=c000003e syscall=89 success=yes exit=36 a0=7fffb3ce9c00 a1=7fffb3ce9d10 a2=fff a3=7fffb3ce99b0 items=0 ppid=1 pid=2830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)

Regards,

Antonio

From dwalsh at redhat.com Tue Apr 7 11:03:12 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 07 Apr 2009 07:03:12 -0400
Subject: SELinux is preventing devkit-disks-da (devicekit_disk_t)
In-Reply-To: <884033.95091.qm@web52605.mail.re2.yahoo.com>
References: <884033.95091.qm@web52605.mail.re2.yahoo.com>
Message-ID: <49DB32F0.5030509@redhat.com>

On 04/06/2009 05:28 PM, Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> I got a selinux denial upon mounting a fat32 partition (shared between windows and linux). How can I fix it so that it does not show up again if it does?
>
> Summary:
>
> SELinux is preventing devkit-disks-da (devicekit_disk_t) "sys_ptrace"
> devicekit_disk_t.
>
> [...]
>
> Raw Audit Messages
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239053085.114:23): avc: denied { sys_ptrace } for pid=2830 comm="devkit-disks-da" capability=19 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
>
> node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239053085.114:23): arch=c000003e syscall=89 success=yes exit=36 a0=7fffb3ce9c00 a1=7fffb3ce9d10 a2=fff a3=7fffb3ce99b0 items=0 ppid=1 pid=2830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
>
> Regards,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

devicekit_disk_t is a permissive domain so it did not block anything (success=yes). But you can allow this using audit2allow -M mydevicekit.

I will add it to policy although I am not sure what it is doing.
From olivares14031 at yahoo.com Wed Apr 8 13:00:21 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 8 Apr 2009 06:00:21 -0700 (PDT)
Subject: selinux denying devkit-disks-he?
Message-ID: <460733.45310.qm@web52606.mail.re2.yahoo.com>

Dear fellow selinux experts,

I have a fat32 partition so that I can access files from both windows and
linux. I know that it is not needed, but I have become accustomed to one. For
some reason or another I cannot mount it :(, selinux is getting in the way.
When I try to call it from the desktop I get:

Unable to mount 21 GB Filesystem

org.freedesktop.devicekit.disks.filesystem-mount-system-internal auth_admin

Thanks for any help provided.

Regards,

Antonio

Summary:

SELinux is preventing devkit-disks-he (devicekit_disk_t) "sys_rawio"
devicekit_disk_t.

Detailed Description:

SELinux denied access requested by devkit-disks-he. It is not expected that this
access is required by devkit-disks-he and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        devkit-disks-he
Source Path                   /usr/libexec/devkit-disks-helper-ata-smart-collect
Port
Host                          antonio-fedora-x86-64
Source RPM Packages           DeviceKit-disks-004-0.4.20090406git.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.10-9.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     antonio-fedora-x86-64
Platform                      Linux antonio-fedora-x86-64 2.6.29.1-52.fc11.x86_64
                              #1 SMP Mon Apr 6 03:50:07 EDT 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Tue 07 Apr 2009 05:24:02 PM CDT
Last Seen                     Wed 08 Apr 2009 07:55:41 AM CDT
Local ID                      100225d2-8a03-4744-b428-6ac49dfcee42
Line Numbers

Raw Audit Messages

node=antonio-fedora-x86-64 type=AVC msg=audit(1239195341.496:17): avc: denied { sys_rawio } for pid=2887 comm="devkit-disks-he" capability=17 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability

node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239195341.496:17): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=2285 a2=7fffde692120 a3=3 items=0 ppid=2884 pid=2887 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-he" exe="/usr/libexec/devkit-disks-helper-ata-smart-collect" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)

From dwalsh at redhat.com Wed Apr 8 13:06:02 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 08 Apr 2009 09:06:02 -0400
Subject: selinux denying devkit-disks-he?
In-Reply-To: <460733.45310.qm@web52606.mail.re2.yahoo.com>
References: <460733.45310.qm@web52606.mail.re2.yahoo.com>
Message-ID: <49DCA13A.6070102@redhat.com>

On 04/08/2009 09:00 AM, Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> I have a fat32 partition so that I can access files from both windows and linux. I know that it is not needed, but I have become accustomed to one. For some reason or another I cannot mount it :(, selinux is getting in the way. When I try to call it from the desktop I get:
>
> Unable to mount 21 GB Filesystem
>
> org.freedesktop.devicekit.disks.filesystem-mount-system-internal auth_admin
>
> Thanks for any help provided.
>
> Regards,
>
> Antonio
>
> Summary:
>
> SELinux is preventing devkit-disks-he (devicekit_disk_t) "sys_rawio"
> devicekit_disk_t.
>
> Detailed Description:
>
> SELinux denied access requested by devkit-disks-he. It is not expected that this
> access is required by devkit-disks-he and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
> Target Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
> Target Objects                None [ capability ]
> Source                        devkit-disks-he
> Source Path                   /usr/libexec/devkit-disks-helper-ata-smart-collect
> Port
> Host                          antonio-fedora-x86-64
> Source RPM Packages           DeviceKit-disks-004-0.4.20090406git.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.10-9.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     antonio-fedora-x86-64
> Platform                      Linux antonio-fedora-x86-64
>                               2.6.29.1-52.fc11.x86_64 #1 SMP Mon Apr 6 03:50:07
>                               EDT 2009 x86_64 x86_64
> Alert Count                   4
> First Seen                    Tue 07 Apr 2009 05:24:02 PM CDT
> Last Seen                     Wed 08 Apr 2009 07:55:41 AM CDT
> Local ID                      100225d2-8a03-4744-b428-6ac49dfcee42
> Line Numbers
>
> Raw Audit Messages
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239195341.496:17): avc: denied { sys_rawio } for pid=2887 comm="devkit-disks-he" capability=17 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
>
> node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239195341.496:17): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=2285 a2=7fffde692120 a3=3 items=0 ppid=2884 pid=2887 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-he" exe="/usr/libexec/devkit-disks-helper-ata-smart-collect" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
>

Fixed in the policy in koji, selinux-policy-3.6.12-1.fc11, tomorrow's rawhide.

BTW devicekit_disk is a permissive domain ("success=yes"), so you can ignore
this avc. Nothing was blocked.
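Added here as an editor's example, not code from the thread or from the SELinux tools: a Python triage script that pairs each AVC with the SYSCALL record of the same audit event and applies the check Dan uses in both devicekit replies above (success=yes means the source domain, or the whole host, is permissive and nothing was blocked). The sample records are this thread's own audit lines with some SYSCALL fields trimmed; the generated rule text follows the shape audit2allow produces but is my own reconstruction.

```python
"""Triage SELinux AVC denials: did the kernel actually block anything?

Each audit event (same "audit(ts:serial)" id) carries one or more AVC records
and usually a SYSCALL record. The SYSCALL record's success/exit fields show
whether the operation went through despite the logged denial.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

EACCES, EPERM = 13, 1  # errno values an enforced SELinux denial returns

# Constructed sample: the two events quoted in this thread (the devkit-disks
# daemon and the postfix-script ioctl), with some SYSCALL fields trimmed.
SAMPLE_LOG = """\
node=antonio-fedora-x86-64 type=AVC msg=audit(1239053085.114:23): avc: denied { sys_ptrace } for pid=2830 comm="devkit-disks-da" capability=19 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239053085.114:23): arch=c000003e syscall=89 success=yes exit=36 pid=2830 uid=0 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc: denied { ioctl } for pid=11778 comm="postfix-script" path="pipe:[1634010]" dev=pipefs ino=1634010 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152): arch=40000003 syscall=54 success=no exit=-22 pid=11778 uid=0 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)
"""


@dataclass
class Event:
    event_id: str
    avcs: List[Dict[str, str]] = field(default_factory=list)
    syscall: Optional[Dict[str, str]] = None


def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit record into a dict of key=value fields (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    if m:
        fields["perms"] = m.group(1)  # e.g. "read write"
    return fields


def group_events(log_text: str) -> List[Event]:
    """Pair AVC and SYSCALL records that share an audit event id."""
    events: Dict[str, Event] = {}
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        eid = f"{m.group(1)}:{m.group(2)}"
        rec = parse_record(line)
        ev = events.setdefault(eid, Event(eid))
        if rec.get("type") == "AVC":
            ev.avcs.append(rec)
        elif rec.get("type") == "SYSCALL":
            ev.syscall = rec
    return [ev for ev in events.values() if ev.avcs]


def context_type(context: str) -> str:
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def allow_rule(avc: Dict[str, str]) -> str:
    """Shape of the allow rule audit2allow -M would generate for this AVC."""
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    tgt = "self" if tgt == src else tgt
    perms = avc["perms"].split()
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{avc['tclass']} {perm_str};"


def verdict(ev: Event) -> str:
    """Classify an event the way the thread does: audited only, or really blocked."""
    sc = ev.syscall
    if sc is None:
        return "unknown: no SYSCALL record for this event"
    if sc.get("success") == "yes":
        return ("audited-only: the syscall succeeded, so the source domain or the "
                "whole host is permissive and nothing was blocked")
    errno = -int(sc.get("exit", "0"))
    if errno in (EACCES, EPERM):
        return f"blocked: syscall failed with errno {errno}, consistent with an enforced denial"
    return (f"failed-otherwise: errno {errno} is not an access error, so SELinux "
            "did not cause this failure even though it logged a denial")


def triage(log_text: str) -> List[dict]:
    """One summary per event: id, command, the rule to review, and the verdict."""
    return [
        {
            "event": ev.event_id,
            "comm": ev.avcs[0].get("comm"),
            "rule": allow_rule(ev.avcs[0]),
            "verdict": verdict(ev),
        }
        for ev in group_events(log_text)
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['event']} {row['comm']}: {row['verdict']}\n  {row['rule']}")
```

Craig's postfix event later in this thread is the second sample: success=no with exit=-22 (EINVAL) on a host in permissive mode, which the script reports as a failure SELinux did not cause.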
From BGinn at symark.com Thu Apr 9 01:11:47 2009
From: BGinn at symark.com (Brian Ginn)
Date: Wed, 8 Apr 2009 18:11:47 -0700
Subject: SELinux policy for fsetfilecon() in libselinux
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CB0@dragonfly.symark.com>

I am attempting to use the fsetfilecon() call within a C program. Several
other libselinux calls are working OK, but this call fails in enforcing mode
(it works in permissive mode).

The audit.log and audit2allow are suggesting policy code that I already have
in the policy.

I suspect that I'm being bitten by a "don't audit" rule somewhere.

Is there a reference policy macro that I can include to get fsetfilecon() to
work?

Note: I already included

selinux_get_enforce_mode( t_selinux_api_t );

To get the security_getenforce() function to work.

Thanks,
Brian

From dwalsh at redhat.com Thu Apr 9 02:08:39 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 08 Apr 2009 22:08:39 -0400
Subject: SELinux policy for fsetfilecon() in libselinux
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CB0@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CB0@dragonfly.symark.com>
Message-ID: <49DD58A7.9090606@redhat.com>

On 04/08/2009 09:11 PM, Brian Ginn wrote:
> I am attempting to use the fsetfilecon() call within a C program. Several other libselinux calls are working OK, but this call fails in enforcing mode (it works in permissive mode).
>
> The audit.log and audit2allow are suggesting policy code that I already have in the policy.
>
> I suspect that I'm being bitten by a "don't audit" rule somewhere.
>
> Is there a reference policy macro that I can include to get fsetfilecon() to work?
>
> Note: I already included
>
> selinux_get_enforce_mode( t_selinux_api_t );
>
> To get the security_getenforce() function to work.
>
> Thanks,
>
> Brian
>

You are most likely hitting a constraint. If you run your avc messages
through audit2why, you will probably see it is a constraint.

If you are changing the user component of a file you need to
domain_obj_id_change_exemption()

########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing the user identity in object contexts.
## </summary>
## <param name="domain">
##	<summary>
##	The process type to make an exception to the constraint.
##	</summary>
## </param>
#
interface(`domain_obj_id_change_exemption',`
	gen_require(`
		attribute can_change_object_identity;
	')

	typeattribute $1 can_change_object_identity;
')

From craigwhite at azapple.com Thu Apr 9 15:44:24 2009
From: craigwhite at azapple.com (Craig White)
Date: Thu, 09 Apr 2009 08:44:24 -0700
Subject: postfix fifo file
Message-ID: <1239291864.869.271.camel@lin-workstation.azapple.com>

This is from a newly setup CentOS 5.3 server...and I definitely don't
understand what it's wanting to make it happy.

# sealert -l 6208be6e-3fb4-4748-80e8-769687066b83

Summary:

SELinux is preventing postfix-script (postfix_master_t) "ioctl" to pipe
(crond_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]

SELinux denied access requested by postfix-script. It is not expected
that this access is required by postfix-script and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:postfix_master_t
Target Context                system_u:system_r:crond_t:SystemLow-SystemHigh
Target Objects                pipe [ fifo_file ]
Source                        postfix-script
Source Path                   /bin/bash
Port
Host                          srv1.azapple.com
Source RPM Packages           bash-3.2-24.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     srv1.azapple.com
Platform                      Linux srv1.azapple.com 2.6.18-128.1.1.el5 #1 SMP
                              Wed Mar 25 18:15:30 EDT 2009 i686 i686
Alert Count                   8
First Seen                    Thu Apr 2 04:34:40 2009
Last Seen                     Thu Apr 9 04:17:20 2009
Local ID                      6208be6e-3fb4-4748-80e8-769687066b83
Line Numbers

Raw Audit Messages

host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc: denied { ioctl } for pid=11778 comm="postfix-script" path="pipe:[1634010]" dev=pipefs ino=1634010 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152): arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40 a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From BGinn at symark.com Fri Apr 10 00:38:14 2009
From: BGinn at symark.com (Brian Ginn)
Date: Thu, 9 Apr 2009 17:38:14 -0700
Subject: levels in targeted mode
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CBA@dragonfly.symark.com>

I am using RHEL5 with SELINUXTYPE=targeted in enforcing mode.
If I ssh as root to that host, id -Z reports
root:system_r:unconfined_t:SystemLow-SystemHigh
which includes a level.

If I ssh as a user to that same host, id -Z reports
user_u:system_r:unconfined_t
which does not include a level.

As that user, If I su -, id -z reports
user_u:system_r:unconfined_t

If I then execute:
newrole -l SystemLow-SystemHigh
I get an error:
Error: you are not allowed to change levels on a non secure terminal

I get the same behavior from sudo bash.

Questions:
1: Does root's SystemLow-SystemHigh level actually mean anything in targeted mode?
2: Why does newrole consider the ssh terminal insecure, when ssh as root will give me the "full level"?
3: Is there a way to get from not having a level to SystemLow-SystemHigh?

Thanks
Brian

From BGinn at symark.com Fri Apr 10 01:02:42 2009
From: BGinn at symark.com (Brian Ginn)
Date: Thu, 9 Apr 2009 18:02:42 -0700
Subject: Problem creating apol file context index
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CBB@dragonfly.symark.com>

I have RHEL 5, and Fedora 9 running under vmware fusion on a MacBook Pro.

Apol hangs (on both) when trying to create a file context index. There is no
output at all for several hours, then I kill it.

I don't remember the name right now, but I found a command line utility to
create (the same?) index, but that hangs as well.

Could it be that I'm not waiting long enough? Or maybe apol won't work in a
VM? Any other thoughts?

Thanks,
Brian

From dwalsh at redhat.com Fri Apr 10 11:15:27 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 10 Apr 2009 07:15:27 -0400
Subject: postfix fifo file
In-Reply-To: <1239291864.869.271.camel@lin-workstation.azapple.com>
References: <1239291864.869.271.camel@lin-workstation.azapple.com>
Message-ID: <49DF2A4F.6010103@redhat.com>

On 04/09/2009 11:44 AM, Craig White wrote:
> This is from a newly setup CentOS 5.3 server...and I definitely don't
> understand what it's wanting to make it happy.
>
> # sealert -l 6208be6e-3fb4-4748-80e8-769687066b83
>
> Summary:
>
> SELinux is preventing postfix-script (postfix_master_t) "ioctl" to pipe
> (crond_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
>
> SELinux denied access requested by postfix-script. It is not expected
> that this access is required by postfix-script and this access may
> signal an intrusion attempt. It is also possible that the specific
> version or configuration of the application is causing it to require
> additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                user_u:system_r:postfix_master_t
> Target Context                system_u:system_r:crond_t:SystemLow-SystemHigh
> Target Objects                pipe [ fifo_file ]
> Source                        postfix-script
> Source Path                   /bin/bash
> Port
> Host                          srv1.azapple.com
> Source RPM Packages           bash-3.2-24.el5
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-203.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     srv1.azapple.com
> Platform                      Linux srv1.azapple.com 2.6.18-128.1.1.el5 #1 SMP
>                               Wed Mar 25 18:15:30 EDT 2009 i686 i686
> Alert Count                   8
> First Seen                    Thu Apr 2 04:34:40 2009
> Last Seen                     Thu Apr 9 04:17:20 2009
> Local ID                      6208be6e-3fb4-4748-80e8-769687066b83
> Line Numbers
>
> Raw Audit Messages
>
> host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc:
> denied { ioctl } for pid=11778 comm="postfix-script"
> path="pipe:[1634010]" dev=pipefs ino=1634010
> scontext=user_u:system_r:postfix_master_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>
> host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152):
> arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40
> a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212
> comm="postfix-script" exe="/bin/bash"
> subj=user_u:system_r:postfix_master_t:s0 key=(null)
>

This looks like postfix trying to communicate with the pipe from cron
(stdout). Current policy allows read/write/getattr but no ioctl.

You can add this access via

# grep postfix /var/log/audit/audit.log | audit2allow -M mypostfix
# semodule -i mypostfix.pp

I will add this fix to RHEL5.4 policy. Preview should be available on

http://people.redhat.com/dwalsh/SELinux/RHEL5

selinux-policy-2.4.6-223.el5

From shintaro.fujiwara at gmail.com Fri Apr 10 13:07:38 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Fri, 10 Apr 2009 22:07:38 +0900
Subject: [ANN]segatex-7.71 released
Message-ID:

You can search which interface can access target domains, object classes
and permissions.

https://sourceforge.net/projects/segatex/

-- 
http://intrajp.no-ip.com/ Home Page

From craigwhite at azapple.com Fri Apr 10 13:27:25 2009
From: craigwhite at azapple.com (Craig White)
Date: Fri, 10 Apr 2009 06:27:25 -0700
Subject: postfix fifo file
In-Reply-To: <49DF2A4F.6010103@redhat.com>
References: <1239291864.869.271.camel@lin-workstation.azapple.com> <49DF2A4F.6010103@redhat.com>
Message-ID: <1239370045.13027.8.camel@lin-workstation.azapple.com>

On Fri, 2009-04-10 at 07:15 -0400, Daniel J Walsh wrote:
> On 04/09/2009 11:44 AM, Craig White wrote:
> > This is from a newly setup CentOS 5.3 server...and I definitely don't
> > understand what it's wanting to make it happy.
> >
> > # sealert -l 6208be6e-3fb4-4748-80e8-769687066b83
> >
> > Summary:
> >
> > SELinux is preventing postfix-script (postfix_master_t) "ioctl" to pipe
> > (crond_t).
> >
> > Detailed Description:
> >
> > [SELinux is in permissive mode, the operation would have been denied but
> > was permitted due to permissive mode.]
> >
> > SELinux denied access requested by postfix-script. It is not expected
> > that this access is required by postfix-script and this access may
> > signal an intrusion attempt. It is also possible that the specific
> > version or configuration of the application is causing it to require
> > additional access.
> >
> > Allowing Access:
> >
> > You can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> > disable SELinux protection altogether. Disabling SELinux protection is
> > not recommended.
> > Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context                user_u:system_r:postfix_master_t
> > Target Context                system_u:system_r:crond_t:SystemLow-SystemHigh
> > Target Objects                pipe [ fifo_file ]
> > Source                        postfix-script
> > Source Path                   /bin/bash
> > Port
> > Host                          srv1.azapple.com
> > Source RPM Packages           bash-3.2-24.el5
> > Target RPM Packages
> > Policy RPM                    selinux-policy-2.4.6-203.el5
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Permissive
> > Plugin Name                   catchall
> > Host Name                     srv1.azapple.com
> > Platform                      Linux srv1.azapple.com 2.6.18-128.1.1.el5 #1 SMP
> >                               Wed Mar 25 18:15:30 EDT 2009 i686 i686
> > Alert Count                   8
> > First Seen                    Thu Apr 2 04:34:40 2009
> > Last Seen                     Thu Apr 9 04:17:20 2009
> > Local ID                      6208be6e-3fb4-4748-80e8-769687066b83
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc:
> > denied { ioctl } for pid=11778 comm="postfix-script"
> > path="pipe:[1634010]" dev=pipefs ino=1634010
> > scontext=user_u:system_r:postfix_master_t:s0
> > tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> >
> > host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152):
> > arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40
> > a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212
> > comm="postfix-script" exe="/bin/bash"
> > subj=user_u:system_r:postfix_master_t:s0 key=(null)
> >
> This looks like postfix trying to communicate with the pipe from cron
> (stdout). Current policy allows read/write/getattr but no ioctl.
>
> You can add this access via
> # grep postfix /var/log/audit/audit.log | audit2allow -M mypostfix
> # semodule -i mypostfix.pp
>
> I will add this fix to RHEL5.4 policy. Preview should be available on
>
> http://people.redhat.com/dwalsh/SELinux/RHEL5
>
> selinux-policy-2.4.6-223.el5
----
Thanks, will do.

I take it then that the admonition to file a bugzilla report is not
necessary?

Craig

From sds at tycho.nsa.gov Fri Apr 10 13:22:38 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 10 Apr 2009 09:22:38 -0400
Subject: levels in targeted mode
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CBA@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CBA@dragonfly.symark.com>
Message-ID: <1239369758.16752.9.camel@localhost.localdomain>

On Thu, 2009-04-09 at 17:38 -0700, Brian Ginn wrote:
> I am using RHEL5 with SELINUXTYPE=targeted in enforcing mode.
>
> If I ssh as root to that host, id -Z reports
> root:system_r:unconfined_t:SystemLow-SystemHigh
> which includes a level.
>
> If I ssh as a user to that same host, id -Z reports
> user_u:system_r:unconfined_t
> which does not include a level.
>
> As that user, If I su -, id -z reports
> user_u:system_r:unconfined_t
>
> If I then execute:
> newrole -l SystemLow-SystemHigh
> I get an error:
> Error: you are not allowed to change levels on a non secure terminal
>
> I get the same behavior from sudo bash.
>
> Questions:
> 1: Does root's SystemLow-SystemHigh level actually mean anything in targeted mode?

Search for "Multi-Category Security" aka MCS. Not to be confused with MLS.

> 2: Why does newrole consider the ssh terminal insecure, when ssh as root will give me the "full level"?

The newrole non-secure terminal issue has to do with switching levels when
using a pty - newrole can only relabel one end of the pty, but the other end
remains unchanged, thereby allowing downgrading of data. You can allow it by
adding the type of your pty (e.g. unconfined_devpts_t or whatever you see as
the type field of ls -Z `tty`) to
/etc/selinux/targeted/contexts/securetty_types.

> 3: Is there a way to get from not having a level to SystemLow-SystemHigh?

First you have to authorize the user for a non-trivial range, using semanage
or system-config-selinux.

-- 
Stephen Smalley
National Security Agency

From robert at ascenium.com Sat Apr 11 03:50:35 2009
From: robert at ascenium.com (Robert Mykland)
Date: Fri, 10 Apr 2009 20:50:35 -0700
Subject: Policies for Devices?
Message-ID: <49E0138B.9050907@ascenium.com>

Folks,

Is there a way I can use policies to prevent a specific device, say a USB
key, from being written to except by one specific application? If so, how
would I go about writing that?

Thanks in Advance,

-- Robert.

-- 
Robert Mykland                  Voice: (831) 212-0622
Founder/CTO                     Ascenium Corporation
"A new world of computing fulfilling people's lives"

From dwalsh at redhat.com Sat Apr 11 11:03:33 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 11 Apr 2009 07:03:33 -0400
Subject: Policies for Devices?
In-Reply-To: <49E0138B.9050907@ascenium.com>
References: <49E0138B.9050907@ascenium.com>
Message-ID: <49E07905.1010908@redhat.com>

On 04/10/2009 11:50 PM, Robert Mykland wrote:
> Folks,
>
> Is there a way I can use policies to prevent a specific device, say a
> USB key, from being written to except by one specific application? If
> so, how would I go about writing that?
>
> Thanks in Advance,
>
> -- Robert.
>

If you define a new device_type and assign it to the device, then you can
prevent all confined domains from using the type. Obviously unconfined
domains and domains that need to work with all devices will still be able
to access the device.

From dwalsh at redhat.com Mon Apr 13 11:36:22 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 13 Apr 2009 07:36:22 -0400
Subject: postfix fifo file
In-Reply-To: <1239370045.13027.8.camel@lin-workstation.azapple.com>
References: <1239291864.869.271.camel@lin-workstation.azapple.com> <49DF2A4F.6010103@redhat.com> <1239370045.13027.8.camel@lin-workstation.azapple.com>
Message-ID: <49E323B6.7040405@redhat.com>

On 04/10/2009 09:27 AM, Craig White wrote:
> On Fri, 2009-04-10 at 07:15 -0400, Daniel J Walsh wrote:
>> On 04/09/2009 11:44 AM, Craig White wrote:
>>> This is from a newly setup CentOS 5.3 server...and I definitely don't
>>> understand what it's wanting to make it happy.
>>>
>>> # sealert -l 6208be6e-3fb4-4748-80e8-769687066b83
>>>
>>> Summary:
>>>
>>> SELinux is preventing postfix-script (postfix_master_t) "ioctl" to pipe
>>> (crond_t).
>>>
>>> Detailed Description:
>>>
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux denied access requested by postfix-script. It is not expected
>>> that this access is required by postfix-script and this access may
>>> signal an intrusion attempt. It is also possible that the specific
>>> version or configuration of the application is causing it to require
>>> additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>> disable SELinux protection altogether. Disabling SELinux protection is
>>> not recommended.
>>> Please file a bug report
>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>> against this package.
>>>
>>> Additional Information:
>>>
>>> Source Context                user_u:system_r:postfix_master_t
>>> Target Context                system_u:system_r:crond_t:SystemLow-SystemHigh
>>> Target Objects                pipe [ fifo_file ]
>>> Source                        postfix-script
>>> Source Path                   /bin/bash
>>> Port
>>> Host                          srv1.azapple.com
>>> Source RPM Packages           bash-3.2-24.el5
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-2.4.6-203.el5
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Permissive
>>> Plugin Name                   catchall
>>> Host Name                     srv1.azapple.com
>>> Platform                      Linux srv1.azapple.com 2.6.18-128.1.1.el5 #1 SMP
>>>                               Wed Mar 25 18:15:30 EDT 2009 i686 i686
>>> Alert Count                   8
>>> First Seen                    Thu Apr 2 04:34:40 2009
>>> Last Seen                     Thu Apr 9 04:17:20 2009
>>> Local ID                      6208be6e-3fb4-4748-80e8-769687066b83
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc:
>>> denied { ioctl } for pid=11778 comm="postfix-script"
>>> path="pipe:[1634010]" dev=pipefs ino=1634010
>>> scontext=user_u:system_r:postfix_master_t:s0
>>> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>>>
>>> host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152):
>>> arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40
>>> a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0
>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212
>>> comm="postfix-script" exe="/bin/bash"
>>> subj=user_u:system_r:postfix_master_t:s0 key=(null)
>>>
>> This looks like postfix trying to communicate with the pipe from cron
>> (stdout). Current policy allows read/write/getattr but no ioctl.
>>
>> You can add this access via
>> # grep postfix /var/log/audit/audit.log | audit2allow -M mypostfix
>> # semodule -i mypostfix.pp
>>
>> I will add this fix to RHEL5.4 policy. Preview should be available on
>>
>> http://people.redhat.com/dwalsh/SELinux/RHEL5
>>
>> selinux-policy-2.4.6-223.el5
> ----
> Thanks, will do.
>
> I take it then that the admonition to file a bugzilla report is not
> necessary?
>
> Craig
>

Yes, don't bother, I will fix it.

From BGinn at symark.com Tue Apr 14 00:21:09 2009
From: BGinn at symark.com (Brian Ginn)
Date: Mon, 13 Apr 2009 17:21:09 -0700
Subject: indexcon errors on Fedora 9 64-bit
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CC6@dragonfly.symark.com>

Using lsof, I discovered that indexcon hung at my home directory.

Looking there, I saw a .gvfs directory with rwx------ perms. Even though
indexcon was running by root unconfined, I thought this might be a problem.
I had to kill a few processes to change the directory's permissions.

Then, indexcon got a lot further, but hung at
/lib/modules/2.6.25-14.fc9.x86_64

There, I found a couple of symlinks that do not exist. I removed them.

Then, indexcon errors out with:

ERROR: Could not read SELinux file context for /proc/sys/kernel.

ls -Z /proc/sys/kernel shows all the files have a "?" for the context.

Any suggestions?

Thanks,
Brian

From dwalsh at redhat.com Tue Apr 14 13:42:33 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 14 Apr 2009 09:42:33 -0400
Subject: indexcon errors on Fedora 9 64-bit
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CC6@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CC6@dragonfly.symark.com>
Message-ID: <49E492C9.7030506@redhat.com>

On 04/13/2009 08:21 PM, Brian Ginn wrote:
> Using lsof, I discovered that indexcon hung at my home directory.
> > Looking there, I saw a .gvfs directory with rwx------ perms > > Even though indexcon was running by root unconfined, I thought this > > might be a problem. I had to kill a few processes to change the > > directories permissions. > > > > Then, indexcon got a lot further, but hung at /lib/modules/2.6.25-14.fc9.x86_64 > > There, I found a couple symlinks that do not exist. I removed them. > > > > Then, indexcon errors out with: > > ERROR: Could not read SELinux file context for /proc/sys/kernel. > > > > ls -Z /proc/sys/kernel shows all the files have a "?" for the context. > > > > Any suggestions? > > > > > > > > Thanks, > > Brian > > > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Seems like a bug, indexcon should probably not be looking into file systems that do not support xattrs, and should definitely not hang. From olivares14031 at yahoo.com Tue Apr 14 20:11:57 2009 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Tue, 14 Apr 2009 13:11:57 -0700 (PDT) Subject: selinux and crontab one-more-time Message-ID: <447518.60061.qm@web52604.mail.re2.yahoo.com> Dear fellow Selinux experts, I have encountered this before, apparently it has not gone away. Running Fedora 11 Beta. I have a small crontab file that will shutdown the machine at 4:15 pm : [students at antonio-fedora-x86-64 ~]$ crontab -l # min hour day-of-month month day-of-week command 15 16 * * 1-5 /usr/bin/poweroff >/dev/null 2>&1 Seatroubleshooter comes up and gives me the following: In the other machine running rawhide I can't even access crontab -l, it tells me that I cannot do anything I have no authorizations :( Summary: SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t. Detailed Description: SELinux denied access requested by crontab. 
It is not expected that this access is required by crontab and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context        unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        socket [ unix_stream_socket ]
Source                crontab
Source Path           /usr/bin/crontab
Port
Host                  antonio-fedora-x86-64
Source RPM Packages   cronie-1.2-7.fc11
Target RPM Packages
Policy RPM            selinux-policy-3.6.12-3.fc11
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             antonio-fedora-x86-64
Platform              Linux antonio-fedora-x86-64 2.6.29.1-68.fc11.x86_64 #1 SMP Sat Apr 11 02:20:46 EDT 2009 x86_64 x86_64
Alert Count           53
First Seen            Tue 14 Apr 2009 03:58:24 PM CDT
Last Seen             Tue 14 Apr 2009 04:06:56 PM CDT
Local ID              5b712474-909f-4775-a5d6-bf5a78404916
Line Numbers

Raw Audit Messages

node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12989]" dev=sockfs ino=12989 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239743216.390:74): arch=c000003e syscall=59 success=yes exit=0 a0=acb200 a1=ac0d10 a2=adeda0 a3=7fff2149c340 items=0 ppid=19528 pid=19560 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)

Thank you in Advance,

Antonio

From BGinn at symark.com Tue Apr 14 23:01:08 2009
From: BGinn at symark.com (Brian Ginn)
Date: Tue, 14 Apr 2009 16:01:08 -0700
Subject: MCS Levels and Ranges
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CD1@dragonfly.symark.com>

How should I interpret the following?
The MCS Level and Range are confusing me.
Or perhaps the difference between user and login is confusing me.

'semanage login -l' shows user_u has Range s0
'semanage user -l' shows user_u has Level s0 and Range SystemLow-SystemHigh

[root@rhel5 ~]# semanage login -l

Login Name    SELinux User    MLS/MCS Range

__default__   user_u          s0
root          root            SystemLow-SystemHigh
[root@rhel5 ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles

root            user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh  system_r
user_u          user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
[root@rhel5 ~]#

From BGinn at symark.com Tue Apr 14 23:19:52 2009
From: BGinn at symark.com (Brian Ginn)
Date: Tue, 14 Apr 2009 16:19:52 -0700
Subject: levels in targeted mode
In-Reply-To: <1239369758.16752.9.camel@localhost.localdomain>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CBA@dragonfly.symark.com> <1239369758.16752.9.camel@localhost.localdomain>
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CD2@dragonfly.symark.com>

Thanks for the answers! They bring up more questions for me, though.

As a user_u, with a non-secure tty, after 'su -', it makes some sense that newrole won't let me change the level.
From that same non-secure terminal, however, I can ssh root@localhost and get all the access I want.

For both of those examples, I used ssh to get to the host, and both ptys have the type devpts_t, so I am not sure why one is considered more secure than the other.

I can envision that for many installations, making some pty types secure via /etc/selinux/targeted/contexts/securetty_types is an acceptable practice - even desired.

From a more paranoid security viewpoint, wouldn't there be some installations where any non-secure terminal should be prohibited from gaining access to the sensitive data?

So, I am wondering
1) From that same non-secure terminal, should 'ssh root@localhost' be allowed to get a terminal that is considered secure?
2) Should a terminal from any non-SELinux host be considered non-secure and be prevented from accessing sensitive data?

Thanks,
Brian

-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
Sent: Friday, April 10, 2009 6:23 AM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'
Subject: Re: levels in targeted mode

On Thu, 2009-04-09 at 17:38 -0700, Brian Ginn wrote:
> I am using RHEL5 with SELINUXTYPE=targeted in enforcing mode.
>
> If I ssh as root to that host, id -Z reports
> root:system_r:unconfined_t:SystemLow-SystemHigh
> which includes a level.
>
> If I ssh as a user to that same host, id -Z reports
> user_u:system_r:unconfined_t
> which does not include a level.
>
> As that user, If I su -, id -z reports
> user_u:system_r:unconfined_t
>
> If I then execute:
> newrole -l SystemLow-SystemHigh
> I get an error:
> Error: you are not allowed to change levels on a non secure terminal
>
> I get the same behavior from sudo bash.
>
>
> Questions:
> 1: Does root's SystemLow-SystemHigh level actually mean anything in targeted mode?

Search for "Multi-Category Security" aka MCS. Not to be confused with MLS.

> 2: Why does newrole consider the ssh terminal insecure, when ssh as root will give me the "full level"?

The newrole non-secure terminal issue has to do with switching levels when using a pty - newrole can only relabel one end of the pty, but the other end remains unchanged, thereby allowing downgrading of data. You can allow it by adding the type of your pty (e.g. unconfined_devpts_t or whatever you see as the type field of ls -Z `tty`) to /etc/selinux/targeted/contexts/securetty_types.

> 3: Is there a way to get from not having a level to SystemLow-SystemHigh?

First you have to authorize the user for a non-trivial range, using semanage or system-config-selinux.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Wed Apr 15 12:20:33 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Apr 2009 08:20:33 -0400
Subject: selinux and crontab one-more-time
In-Reply-To: <447518.60061.qm@web52604.mail.re2.yahoo.com>
References: <447518.60061.qm@web52604.mail.re2.yahoo.com>
Message-ID: <49E5D111.8080605@redhat.com>

On 04/14/2009 04:11 PM, Antonio Olivares wrote:
> Dear fellow Selinux experts,
>
> I have encountered this before, apparently it has not gone away. Running Fedora 11 Beta. I have a small crontab file that will shutdown the machine at 4:15 pm :
>
> [students@antonio-fedora-x86-64 ~]$ crontab -l
> # min hour day-of-month month day-of-week command
> 15 16 * * 1-5 /usr/bin/poweroff>/dev/null 2>&1
>
> Setroubleshoot comes up and gives me the following:
>
> In the other machine running rawhide I can't even access crontab -l, it tells me that I cannot do anything I have no authorizations :(
>
> Summary:
>
> SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by crontab. It is not expected that this access
> is required by crontab and this access may signal an intrusion attempt.
> It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information: 
>
> Source Context                unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects                socket [ unix_stream_socket ]
> Source                        crontab
> Source Path                   /usr/bin/crontab
> Port
> Host                          antonio-fedora-x86-64
> Source RPM Packages           cronie-1.2-7.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.12-3.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     antonio-fedora-x86-64
> Platform                      Linux antonio-fedora-x86-64 2.6.29.1-68.fc11.x86_64 #1 SMP Sat Apr 11 02:20:46 EDT 2009 x86_64 x86_64
> Alert Count                   53
> First Seen                    Tue 14 Apr 2009 03:58:24 PM CDT
> Last Seen                     Tue 14 Apr 2009 04:06:56 PM CDT
> Local ID                      5b712474-909f-4775-a5d6-bf5a78404916
> Line Numbers
>
> Raw Audit Messages
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12989]" dev=sockfs ino=12989 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239743216.390:74): arch=c000003e syscall=59 success=yes exit=0 a0=acb200 a1=ac0d10 a2=adeda0 a3=7fff2149c340 items=0 ppid=19528 pid=19560 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
>
>
> Thank you in Advance,
>
> Antonio
>

I tried everything you described and it worked fine. The unconfined_t:unix_stream_socket is coming from the leaked file descriptor in Konsole, I believe.

From sds at tycho.nsa.gov Wed Apr 15 12:27:28 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 15 Apr 2009 08:27:28 -0400
Subject: MCS Levels and Ranges
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CD1@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CD1@dragonfly.symark.com>
Message-ID: <1239798448.27560.10.camel@localhost.localdomain>

On Tue, 2009-04-14 at 16:01 -0700, Brian Ginn wrote:
> How should I interpret the following?
> The MCS Level and Range are confusing me.
> Or perhaps the difference between user and login is confusing me.
>
> 'semanage login -l' shows user_u has Range s0
> 'semanage user -l' shows user_u has Level s0 and Range SystemLow-SystemHigh

No, semanage login -l shows that by default, all Linux users are mapped to the SELinux user identity user_u and assigned the range s0 at login time. semanage user -l shows that SELinux user identity user_u is authorized for the range SystemLow-SystemHigh in the security policy.

There are two distinct user identities:
1) The Linux user identities as defined by the passwd database,
2) The SELinux user identities defined in the security policy configuration.
semanage login acts on the "seusers" configuration, which defines how to map each Linux user identity to a SELinux user identity and a login range. semanage user acts on the policy-defined SELinux user identities and their associated roles and range.

The range for the Linux user must be a subset of the range for the SELinux user. But multiple Linux users with different ranges might be mapped to a single SELinux user whose range covers all of their individual ranges.

>
> [root@rhel5 ~]# semanage login -l
>
> Login Name    SELinux User    MLS/MCS Range
>
> __default__   user_u          s0
> root          root            SystemLow-SystemHigh
> [root@rhel5 ~]# semanage user -l
>
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
>
> root            user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
> system_u        user       s0         SystemLow-SystemHigh  system_r
> user_u          user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
> [root@rhel5 ~]#
>
--
Stephen Smalley
National Security Agency

From olivares14031 at yahoo.com Wed Apr 15 12:38:07 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 15 Apr 2009 05:38:07 -0700 (PDT)
Subject: selinux and crontab one-more-time
In-Reply-To: <49E5D111.8080605@redhat.com>
Message-ID: <935810.16531.qm@web52605.mail.re2.yahoo.com>

> I tried everything you described and it worked fine. The
> unconfined_t:unix_stream_socket is coming from the leaked
> file
> descriptor in Konsole, I believe.

It is working, but on the other machine I can't edit crontab. Only on this one. But why do I see this message?

Thanks,

Antonio

From sds at tycho.nsa.gov Wed Apr 15 12:45:01 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 15 Apr 2009 08:45:01 -0400
Subject: levels in targeted mode
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CD2@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CBA@dragonfly.symark.com> <1239369758.16752.9.camel@localhost.localdomain> <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5CD2@dragonfly.symark.com>
Message-ID: <1239799501.27560.20.camel@localhost.localdomain>

On Tue, 2009-04-14 at 16:19 -0700, Brian Ginn wrote:
> Thanks for the answers! They bring up more questions for me, though.
>
> As a user_u, with a non-secure tty, after 'su -', it makes some sense that newrole won't let me change the level.
>
> From that same non-secure terminal, however, I can ssh root@localhost and get all the access I want.
>
> For both of those examples, I used ssh to get to the host, and both ptys have the type devpts_t, so I am not sure why one is considered more secure than the other.
>
> I can envision that for many installations, making some pty types secure via /etc/selinux/targeted/contexts/securetty_types is an acceptable practice - even desired.
>
> From a more paranoid security viewpoint, wouldn't there be some installations where any non-secure terminal should be prohibited from gaining access to the sensitive data?
> So, I am wondering
> 1) From that same non-secure terminal, should 'ssh root@localhost' be allowed to get a terminal that is considered secure?
> 2) Should a terminal from any non-SELinux host be considered non-secure and be prevented from accessing sensitive data?

I think that under the LSPP configuration, sshd is configured to run in a mode where it preserves the security context of the client (which it obtains via labeled networking), and thus the session security context is preserved across ssh.

In both cases, it is driven by the LSPP/MLS requirements to prevent unauthorized downgrading of information across levels.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Wed Apr 15 13:09:38 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 15 Apr 2009 09:09:38 -0400
Subject: selinux and crontab one-more-time
In-Reply-To: <935810.16531.qm@web52605.mail.re2.yahoo.com>
References: <935810.16531.qm@web52605.mail.re2.yahoo.com>
Message-ID: <49E5DC92.6070204@redhat.com>

On 04/15/2009 08:38 AM, Antonio Olivares wrote:
>> I tried everything you described and it worked fine. The
>> unconfined_t:unix_stream_socket is coming from the leaked
>> file
>> descriptor in Konsole, I believe.
>
> It is working, but on the other machine I can't edit crontab. Only on this one. But why do I see this message?
>
> Thanks,
>
> Antonio
>

Is the other machine fully upgraded to the latest policy? Make sure the policy installed successfully.

yum reinstall selinux-policy-targeted

The message is caused by leaks in file descriptors within Konsole.

From olivares14031 at yahoo.com Wed Apr 15 22:28:28 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 15 Apr 2009 15:28:28 -0700 (PDT)
Subject: selinux and crontab one-more-time
In-Reply-To: <49E5DC92.6070204@redhat.com>
Message-ID: <45030.71041.qm@web52601.mail.re2.yahoo.com>

--- On Wed, 4/15/09, Daniel J Walsh wrote:

> From: Daniel J Walsh
> Subject: Re: selinux and crontab one-more-time
> To: olivares14031 at yahoo.com
> Cc: fedora-selinux-list at redhat.com
> Date: Wednesday, April 15, 2009, 6:09 AM
> On 04/15/2009 08:38 AM, Antonio Olivares wrote:
> >> I tried everything you described and it worked fine.
> >> The unconfined_t:unix_stream_socket is coming from the leaked file
> >> descriptor in Konsole, I believe.
> >
> > It is working, but on the other machine I can't edit crontab. Only on this one. But why do I see this message?
> >
> > Thanks,
> >
> > Antonio
> >
> Is the other machine fully upgraded to the latest policy? Make sure the
> policy installed successfully.
>
> yum reinstall selinux-policy-targeted
>
> The message is caused by leaks in file descriptors within Konsole.

[olivares@riohigh ~]$ whoami
olivares
[olivares@riohigh ~]$ crontab -l
cron/olivares: Permission denied
[olivares@riohigh ~]$ crontab -e
cron/olivares: Permission denied
[olivares@riohigh ~]$ dmesg | grep 'avc'
[olivares@riohigh ~]$ rpm -qa selinux-policy-targeted
selinux-policy-targeted-3.6.12-4.fc11.noarch

Doing the steps you outlined.

[root@riohigh ~]# yum reinstall selinux-policy-targeted
Setting up Reinstall Process
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.6.12-4.fc11 set to be erased
---> Package selinux-policy-targeted.noarch 0:3.6.12-4.fc11 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                    Arch     Version          Repository      Size
================================================================================
Installing:
 selinux-policy-targeted    noarch   3.6.12-4.fc11    rawhide        2.1 M
Removing:
 selinux-policy-targeted    noarch   3.6.12-4.fc11    installed      2.3 M

Transaction Summary
================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       1 Package(s)

Total download size: 2.1 M
Is this ok [y/N]: y
Downloading Packages:
selinux-policy-targeted-3.6.12-4.fc11.noarch.rpm         | 2.1 MB     00:02
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing        : selinux-policy-targeted                                  1/2
  Installing     : selinux-policy-targeted                                  1/2

Removed:
  selinux-policy-targeted.noarch 0:3.6.12-4.fc11

Installed:
  selinux-policy-targeted.noarch 0:3.6.12-4.fc11

Complete!

makes no difference :(, Can't modify my crontab to change certain things.

[olivares@riohigh ~]$ crontab -l
cron/olivares: Permission denied
[olivares@riohigh ~]$ crontab -e
cron/olivares: Permission denied

Regards,

Antonio

From olivares14031 at yahoo.com Thu Apr 16 00:13:09 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 15 Apr 2009 17:13:09 -0700 (PDT)
Subject: setroubleshootd[2488] general protection ip:3d96a99884 sp:7fff6ce7ef00 error:0 in libpython2.6.so.1.0[3d96a00000+1690
Message-ID: <918684.37843.qm@web52607.mail.re2.yahoo.com>

Seeing the following:

setroubleshootd[2488] general protection ip:3d96a99884 sp:7fff6ce7ef00 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2520] general protection ip:3d96a99884 sp:7fff6f406210 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2523] general protection ip:3d96a99884 sp:7fffd481a8a0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2536] general protection ip:3d96a99884 sp:7fffe9bcfc50 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2538] general protection ip:3d96a99884 sp:7fff183f0470 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2566] general protection ip:3d96a99884 sp:7fff000430c0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2584] general protection ip:3d96a99884 sp:7fffce3cd450 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2589] general protection ip:3d96a99884 sp:7fffb77a2820 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2591] general protection ip:3d96a99884 sp:7fff8bcdf2c0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2596] general protection ip:3d96a99884 sp:7fff941f1270 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
__ratelimit: 10 callbacks suppressed
setroubleshootd[2633] general protection ip:3d96a99884 sp:7fff7fa78af0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2637] general protection ip:3d96a99884 sp:7fffb3799560 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2642] general protection ip:3d96a99884 sp:7fff57bfdc80 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2649] general protection ip:3d96a99884 sp:7fff3329f320 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2653] general protection ip:3d96a99884 sp:7fffb5e04e80 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
eth0: no IPv6 routers present
setroubleshootd[2656] general protection ip:3d96a99884 sp:7fff0ccb48f0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2658] general protection ip:3d96a99884 sp:7ffff6c67ce0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2660] general protection ip:3d96a99884 sp:7fffb05495d0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2663] general protection ip:3d96a99884 sp:7ffffc783800 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2704] general protection ip:3d96a99884 sp:7fff106486c0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]

What is wrong? Or is it just me?

Regards,

Antonio

From ivazqueznet at gmail.com Thu Apr 16 00:42:20 2009
From: ivazqueznet at gmail.com (Ignacio Vazquez-Abrams)
Date: Wed, 15 Apr 2009 20:42:20 -0400
Subject: setroubleshootd[2488] general protection ip:3d96a99884 sp:7fff6ce7ef00 error:0 in libpython2.6.so.1.0[3d96a00000+1690
In-Reply-To: <918684.37843.qm@web52607.mail.re2.yahoo.com>
References: <918684.37843.qm@web52607.mail.re2.yahoo.com>
Message-ID: <1239842540.3744.85.camel@ignacio.lan>

On Wed, 2009-04-15 at 17:13 -0700, Antonio Olivares wrote:
> Seeing the following:
>
> setroubleshootd[2488] general protection ip:3d96a99884 sp:7fff6ce7ef00 error:0 in libpython2.6.so.1.0[3d96a00000+169000]

https://bugzilla.redhat.com/show_bug.cgi?id=492737

--
Ignacio Vazquez-Abrams
PLEASE don't CC me; I'm already subscribed
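Editor's note, added to this archive: the postfix thread and the crontab thread above both come down to the same step, a handful of AVC records and the question of which allow rules they imply. The script below is an added example; it is not code from the list, from audit2allow or from any of the posters. It parses AVC records in the form setroubleshoot printed in the crontab thread (those two records are copied from the thread; the postfix ioctl record, with its postfix_master_t and initrc_t types, is constructed to match Dan's description of the postfix denial and is not taken from a real log), merges permissions per source type, target type and class the way audit2allow -m does, and renders the source of a loadable module.

```python
import re
from collections import OrderedDict

# Sample input. The crontab records are copied from the thread above; the
# postfix record is CONSTRUCTED to match Dan's "read/write/getattr but no
# ioctl" description and is not from a real audit.log. The SYSCALL record is
# there to show that non-AVC lines are ignored.
SAMPLE_AVCS = """\
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12989]" dev=sockfs ino=12989 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1239700000.000:12): avc: denied { ioctl } for pid=4242 comm="postfix-script" path="pipe:[31337]" dev=pipefs ino=31337 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1239743216.390:74): arch=c000003e syscall=59 success=yes exit=0 comm="crontab" exe="/usr/bin/crontab"
"""

# One AVC record: verdict, permission set, source/target contexts, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +(?P<verdict>denied|granted) +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]

def parse_avcs(text):
    """Yield (source_type, target_type, class, set(perms)) for each denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('verdict') != 'denied':
            continue
        yield (type_of(m.group('scontext')), type_of(m.group('tcontext')),
               m.group('tclass'), set(m.group('perms').split()))

def collapse(records):
    """Merge permissions per (source, target, class), as audit2allow does."""
    merged = OrderedDict()
    for src, tgt, cls, perms in records:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    return merged

def allow_rules(merged):
    """One allow rule per (source, target, class), permissions sorted."""
    return ['allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
            for (src, tgt, cls), perms in merged.items()]

def te_module(name, merged):
    """Render module source: a require block for every type and class used,
    then the allow rules. Build with checkmodule/semodule_package."""
    types = sorted({t for (src, tgt, _) in merged for t in (src, tgt)})
    classes = OrderedDict()
    for (_, _, cls), perms in merged.items():
        classes.setdefault(cls, set()).update(perms)
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in classes.items()]
    lines += ['}', ''] + allow_rules(merged)
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(te_module('mylocal', collapse(parse_avcs(SAMPLE_AVCS))))
```

The output is a .te file; checkmodule -M -m -o mylocal.mod mylocal.te, then semodule_package -o mylocal.pp -m mylocal.mod and semodule -i mylocal.pp load it, which is what audit2allow -M does in one step. Two caveats the threads above illustrate. A generated rule is only as good as the diagnosis behind it: Dan attributes the crontab denial to a file descriptor leaked by Konsole, and a rule letting admin_crontab_t read and write any unconfined_t socket would hide that leak rather than fix it. And when a command fails with "Permission denied" while dmesg and audit.log show no AVC at all, as on Antonio's second machine, the denial may be covered by a dontaudit rule; semodule -DB rebuilds the policy with dontaudit rules disabled so the denial is logged, and semodule -B puts them back.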
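Editor's note, added to this archive: Stephen's reply in the MCS Levels and Ranges thread above rests on two facts, that a login mapping's range must fit inside the range of the SELinux user it maps to, and that a level is a sensitivity plus a set of categories. The Python below is an added example, not code from the list or from libselinux. It parses MCS levels and ranges as semanage prints them, resolves the SystemLow and SystemHigh aliases as the targeted policy's setrans.conf defines them (an assumption about that policy; the MLS policy maps SystemHigh to s15:c0.c1023 instead), and implements the dominance check that decides both whether a login range is authorized and whether a process's clearance reaches a categorized file.

```python
import re

# Alias translations of the targeted (MCS) policy's setrans.conf. Assumed for
# this example; under the MLS policy SystemHigh is s15:c0.c1023.
ALIASES = {'SystemLow': 's0', 'SystemHigh': 's0:c0.c1023'}

def parse_level(level):
    """'s0:c1,c5.c9' -> (0, frozenset({1, 5, 6, 7, 8, 9})). A dotted pair is a
    category range, commas separate list items, no ':' means no categories."""
    level = ALIASES.get(level, level)
    sens, _, cats = level.partition(':')
    m = re.fullmatch(r's(\d+)', sens)
    if not m:
        raise ValueError('bad sensitivity: %r' % sens)
    categories = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(categories)

def parse_range(rng):
    """'low-high' -> (low, high); a bare level is a range with low == high."""
    low, _, high = rng.partition('-')
    return parse_level(low), parse_level(high or low)

def dominates(a, b):
    """a dominates b when its sensitivity is >= and its categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def range_within(inner, outer):
    """The check semanage login enforces: outer.low <= inner.low and
    inner.high <= outer.high, both in the dominance order."""
    (ilo, ihi), (olo, ohi) = parse_range(inner), parse_range(outer)
    return dominates(ilo, olo) and dominates(ohi, ihi)

def mcs_access(subject_range, object_level):
    """MCS constraint for reading or writing a file: the subject's high level
    (its clearance) must dominate the object's level."""
    _, high = parse_range(subject_range)
    return dominates(high, parse_level(object_level))

if __name__ == '__main__':
    # The mappings from the thread: __default__ -> user_u at s0, user_u authorized
    # for SystemLow-SystemHigh, root authorized for SystemLow-SystemHigh.
    for login, user in (('s0', 'SystemLow-SystemHigh'),
                        ('SystemLow-SystemHigh', 'SystemLow-SystemHigh'),
                        ('s0-s0:c0.c1023', 's0')):
        print('login range %-22s within user range %-22s: %s' % (login, user, range_within(login, user)))
    for subj, obj in (('s0-s0:c0.c1023', 's0:c5'), ('s0', 's0:c5'), ('s0', 's0')):
        print('subject %-16s can touch object %-6s: %s' % (subj, obj, mcs_access(subj, obj)))
```

The third login-range case is the one Brian runs into in reverse: a Linux user mapped with a range wider than its SELinux user's is rejected, while user_u's wide authorization and the narrow s0 given at login are consistent. The last two access cases show why a plain s0 session, the default for users, cannot touch a file that carries categories, while a root session at s0-s0:c0.c1023 can.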
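Editor's note, added to this archive ahead of the thread it concerns: in the messages that follow, Shintaro's file_contexts entry for /usr/bin/segatex carries a "--" in its type field, and Paul and Dan explain why restorecon then leaves the symlink alone. The Python below is an added example, not code from the list, from libselinux or from segatex. It reads rules in file_contexts syntax, applies the optional type field (the same letters ls -l prints in its first column), and resolves a path the way restorecon does, taking the last rule whose regex and type both match. The three base-policy lines are assumed stand-ins, not copied from any real file_contexts; the two segatex lines are Shintaro's, with gen_context() expanded as the policy build does.

```python
import re

# Stand-ins for the base policy's entries. ASSUMED for the example; not
# copied from any real file_contexts file.
BASE_CONTEXTS = """\
/.*                      system_u:object_r:default_t:s0
/usr/bin(/.*)?           system_u:object_r:bin_t:s0
/usr/share(/.*)?         system_u:object_r:usr_t:s0
"""

# The optional second field restricts a rule to one file type, using the
# letters ls -l prints in column one ('-' for a regular file, hence "--").
TYPE_FIELD = {'--': 'file', '-d': 'dir', '-l': 'link', '-c': 'chr',
              '-b': 'blk', '-s': 'sock', '-p': 'fifo'}

def parse_file_contexts(text):
    """Return (compiled regex, required file type or None, context) per rule.
    Regexes are anchored at both ends, as libselinux anchors them."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith('#'):
            continue
        if len(fields) == 3:
            regex, ftype, ctx = fields
            ftype = TYPE_FIELD[ftype]
        else:
            (regex, ctx), ftype = fields, None
        rules.append((re.compile(regex + '$'), ftype, ctx))
    return rules

def segatex_rules(type_field):
    """Base rules plus Shintaro's two segatex lines (gen_context() expanded),
    with the given type field: '--' as posted, '-l' or '' as suggested."""
    extra = ('/usr/bin/segatex %s system_u:object_r:segatex_exec_t:s0\n'
             '/usr/share/segatex(/.*)? %s system_u:object_r:segatex_etc_t:s0\n'
             % (type_field, type_field))
    return parse_file_contexts(BASE_CONTEXTS + extra)

def lookup(rules, path, ftype):
    """What restorecon would assign: the LAST rule whose regex matches the
    path and whose type field is absent or equals the file's type."""
    for regex, want, ctx in reversed(rules):
        if regex.match(path) and want in (None, ftype):
            return ctx
    return None

if __name__ == '__main__':
    for tf in ('--', '-l', ''):
        rules = segatex_rules(tf)
        print('type field %-4r symlink /usr/bin/segatex -> %s' % (tf, lookup(rules, '/usr/bin/segatex', 'link')))
        print('type field %-4r dir /usr/share/segatex  -> %s' % (tf, lookup(rules, '/usr/share/segatex', 'dir')))
```

Running it shows the three outcomes: with "--" the symlink stays at bin_t (the base rule for /usr/bin is the last one that still matches), with "-l" or a blank field it becomes segatex_exec_t, and the same "--" on the /usr/share/segatex(/.*)? rule keeps the directory itself at usr_t, so leaving the field blank is the usual choice for a directory tree. One caveat that goes beyond the thread: restorecon labels the link inode itself, but execve follows the link, so the kernel's domain transition is decided by the label of the file actually executed, /usr/bin/consolehelper here, not by the label on /usr/bin/segatex. A segatex_exec_t label on the symlink will make restorecon happy and still not start segatex in its own domain; that needs a transition keyed on the real executable.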
From shintaro.fujiwara at gmail.com Mon Apr 20 12:32:26 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Mon, 20 Apr 2009 21:32:26 +0900
Subject: How can I set label to symbolic link ?
Message-ID:

I wrote a policy which declares some label to symbolic link, and I restoreconed, but failed ?

Am I stupid or what should I do to this ?

Thanks.

--
http://intrajp.no-ip.com/ Home Page

From shintaro.fujiwara at gmail.com Mon Apr 20 12:47:05 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Mon, 20 Apr 2009 21:47:05 +0900
Subject: How can I set label to symbolic link ?
In-Reply-To: <49EC6D17.5000808@redhat.com>
References: <49EC6D17.5000808@redhat.com>
Message-ID:

Here it is , sir...

Well, actually I'm trying to write my segatex policy.
/usr/bin/segatex is actually link to /usr/bin/consolehelper

In my INSTALL script I declared,
##################################
ln -s /usr/bin/consolehelper /usr/bin/segatex
##################################

I've been running my program in unconfined domain for several years, but I want to confine it now.
So, I tried to label segatex_exec_t to /usr/bin/segatex.

Made it fine, install all-right.

I could find segatex module, you know...
But alas, I could not restorecon nor autorelabel.

Why?


# segatex executable will have:
# label: system_u:object_r:segatex_exec_t
# MLS sensitivity: s0
# MCS categories:

/usr/bin/segatex           --    gen_context(system_u:object_r:segatex_exec_t,s0)
/usr/share/segatex(/.*)?   --    gen_context(system_u:object_r:segatex_etc_t,s0)

2009/4/20 Daniel J Walsh :
> On 04/20/2009 08:32 AM, Shintaro Fujiwara wrote:
>>
>> I wrote a policy which declares some label to symbolic link, and I
>> restoreconed, but failed ?
>>
>> Am I stupid or what should I do to this ?
>>
>> Thanks.
>>
> What does your fc file look like?
>

--
http://intrajp.no-ip.com/ Home Page

From paul at city-fan.org Mon Apr 20 12:53:53 2009
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 20 Apr 2009 13:53:53 +0100
Subject: How can I set label to symbolic link ?
In-Reply-To:
References: <49EC6D17.5000808@redhat.com>
Message-ID: <49EC7061.4040705@city-fan.org>

Shintaro Fujiwara wrote:
> Here it is , sir...
>
> Well, actually I'm trying to write my segatex policy.
> /usr/bin/segatex is actually link to /usr/bin/consolehelper
>
> In my INSTALL script I declared,
> ##################################
> ln -s /usr/bin/consolehelper /usr/bin/segatex
> ##################################
>
> I've been running my program in unconfined domain for several years,
> but I want to confine it now.
> So, I tried to label segatex_exec_t to /usr/bin/segatex.
>
> Made it fine, install all-right.
>
> I could find segatex module, you know...
> But alas, I could not restorecon nor autorelabel.
>
> Why?
>
>
> # segatex executable will have:
> # label: system_u:object_r:segatex_exec_t
> # MLS sensitivity: s0
> # MCS categories:
>
> /usr/bin/segatex           --    gen_context(system_u:object_r:segatex_exec_t,s0)
> /usr/share/segatex(/.*)?   --    gen_context(system_u:object_r:segatex_etc_t,s0)

You have "--" between /usr/bin/segatex and gen_context..., which means that your context specification applies only to regular files (not symlinks) called /usr/bin/segatex. You could use "-l" instead of "--" to specify a symlink, or just leave that field blank to mean anything (file, directory, socket, symlink etc.).

Paul.

From dwalsh at redhat.com Mon Apr 20 12:57:11 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 20 Apr 2009 08:57:11 -0400
Subject: How can I set label to symbolic link ?
In-Reply-To:
References: <49EC6D17.5000808@redhat.com>
Message-ID: <49EC7127.1000503@redhat.com>

On 04/20/2009 08:47 AM, Shintaro Fujiwara wrote:
> Here it is , sir...
>
> Well, actually I'm trying to write my segatex policy.
> /usr/bin/segatex is actually link to /usr/bin/consolehelper
>
> In my INSTALL script I declared,
> ##################################
> ln -s /usr/bin/consolehelper /usr/bin/segatex
> ##################################
>
> I've been running my program in unconfined domain for several years,
> but I want to confine it now.
> So, I tried to label segatex_exec_t to /usr/bin/segatex.
>
> Made it fine, install all-right.
>
> I could find segatex module, you know...
> But alas, I could not restorecon nor autorelabel.
>
> Why?
>
>
> # segatex executable will have:
> # label: system_u:object_r:segatex_exec_t
> # MLS sensitivity: s0
> # MCS categories:
>
> /usr/bin/segatex           --    gen_context(system_u:object_r:segatex_exec_t,s0)
> /usr/share/segatex(/.*)?   --    gen_context(system_u:object_r:segatex_etc_t,s0)
>

The -- tells the system to only label standard files with the segatex label.

If you eliminate "--" it will match everything. If you want to match only symbolic links you would use "-l", Directories "-d". The same symbols that ls uses at the beginning of a ls line.

>
>
>
> 2009/4/20 Daniel J Walsh:
>> On 04/20/2009 08:32 AM, Shintaro Fujiwara wrote:
>>> I wrote a policy which declares some label to symbolic link, and I
>>> restoreconed, but failed ?
>>>
>>> Am I stupid or what should I do to this ?
>>>
>>> Thanks.
>>>
>> What does your fc file look like?
>>
>
>

From shintaro.fujiwara at gmail.com Mon Apr 20 13:20:59 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Mon, 20 Apr 2009 22:20:59 +0900
Subject: How can I set label to symbolic link ?
In-Reply-To: <49EC7127.1000503@redhat.com>
References: <49EC6D17.5000808@redhat.com> <49EC7127.1000503@redhat.com>
Message-ID:

Yeha!

These days, I've been writing my program and discarded contrivances that you invented...
That reminds me old book that Yuichi wrote several years ago.
And also thanks to your documentation on web recently.

I will ship my segatex with its own policy in a few days.

THKS!
2009/4/20 Daniel J Walsh :
> On 04/20/2009 08:47 AM, Shintaro Fujiwara wrote:
>>
>> Here it is, sir...
>>
>> Well, actually I'm trying to write my segatex policy.
>> /usr/bin/segatex is actually a link to /usr/bin/consolehelper
>>
>> In my INSTALL script I declared,
>> ##################################
>> ln -s /usr/bin/consolehelper /usr/bin/segatex
>> ##################################
>>
>> I've been running my program in the unconfined domain for several years,
>> but I want to confine it now.
>> So, I tried to label segatex_exec_t to /usr/bin/segatex.
>>
>> Made it fine, install all-right.
>>
>> I could find segatex module, you know...
>> But alas, I could not restorecon nor autorelabel.
>>
>> Why?
>>
>> # segatex executable will have:
>> # label: system_u:object_r:segatex_exec_t
>> # MLS sensitivity: s0
>> # MCS categories:
>>
>> /usr/bin/segatex         --  gen_context(system_u:object_r:segatex_exec_t,s0)
>> /usr/share/segatex(/.*)? --  gen_context(system_u:object_r:segatex_etc_t,s0)
>>
>
> The -- tells the system to only label standard files with the segatext
> label.
>
> If you eliminate "--" it will match everything. If you want to match only
> symbolic links you would use "-l", directories "-d". The same symbols that
> ls uses at the beginning of an ls line.
>>
>> 2009/4/20 Daniel J Walsh:
>>>
>>> On 04/20/2009 08:32 AM, Shintaro Fujiwara wrote:
>>>>
>>>> I wrote a policy which declares some label to symbolic link, and I
>>>> restoreconed, but failed ?
>>>>
>>>> Am I stupid or what should I do to this ?
>>>>
>>>> Thanks.
>>>>
>>> What does your fc file look like?
>>>
>>
>

-- http://intrajp.no-ip.com/ Home Page

From shintaro.fujiwara at gmail.com Mon Apr 20 13:23:22 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Mon, 20 Apr 2009 22:23:22 +0900
Subject: How can I set label to symbolic link ?
In-Reply-To: <49EC7061.4040705@city-fan.org>
References: <49EC6D17.5000808@redhat.com> <49EC7061.4040705@city-fan.org>
Message-ID:

OK, actually I copied it from acct.fc which is the front runner of policy in admin. I've been reluctant to consult any SELinux book, you know... I will fix this and hopefully I can write a good policy with the help from my friends... THKS!

2009/4/20 Paul Howarth :
> Shintaro Fujiwara wrote:
>>
>> Here it is, sir...
>>
>> Well, actually I'm trying to write my segatex policy.
>> /usr/bin/segatex is actually a link to /usr/bin/consolehelper
>>
>> In my INSTALL script I declared,
>> ##################################
>> ln -s /usr/bin/consolehelper /usr/bin/segatex
>> ##################################
>>
>> I've been running my program in the unconfined domain for several years,
>> but I want to confine it now.
>> So, I tried to label segatex_exec_t to /usr/bin/segatex.
>>
>> Made it fine, install all-right.
>>
>> I could find segatex module, you know...
>> But alas, I could not restorecon nor autorelabel.
>>
>> Why?
>>
>> # segatex executable will have:
>> # label: system_u:object_r:segatex_exec_t
>> # MLS sensitivity: s0
>> # MCS categories:
>>
>> /usr/bin/segatex         --  gen_context(system_u:object_r:segatex_exec_t,s0)
>> /usr/share/segatex(/.*)? --  gen_context(system_u:object_r:segatex_etc_t,s0)
>
> You have "--" between /usr/bin/segatex and gen_context..., which means that
> your context specification applies only to regular files (not symlinks)
> called /usr/bin/segatex. You could use "-l" instead of "--" to specify a
> symlink, or just leave that field blank to mean anything (file, directory,
> socket, symlink etc.).
>
> Paul.
>

-- http://intrajp.no-ip.com/ Home Page

From shintaro.fujiwara at gmail.com Mon Apr 20 13:29:14 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Mon, 20 Apr 2009 22:29:14 +0900
Subject: How can I set label to symbolic link ?
In-Reply-To: <49EC7127.1000503@redhat.com>
References: <49EC6D17.5000808@redhat.com> <49EC7127.1000503@redhat.com>
Message-ID:

But, what does -- stand for, in regular Linux admin work ? I will forget it easily.

Or am I a dumb fool not knowing Linux commands?

2009/4/20 Daniel J Walsh :
> On 04/20/2009 08:47 AM, Shintaro Fujiwara wrote:
>>
>> Here it is, sir...
>>
>> Well, actually I'm trying to write my segatex policy.
>> /usr/bin/segatex is actually a link to /usr/bin/consolehelper
>>
>> In my INSTALL script I declared,
>> ##################################
>> ln -s /usr/bin/consolehelper /usr/bin/segatex
>> ##################################
>>
>> I've been running my program in the unconfined domain for several years,
>> but I want to confine it now.
>> So, I tried to label segatex_exec_t to /usr/bin/segatex.
>>
>> Made it fine, install all-right.
>>
>> I could find segatex module, you know...
>> But alas, I could not restorecon nor autorelabel.
>>
>> Why?
>>
>> # segatex executable will have:
>> # label: system_u:object_r:segatex_exec_t
>> # MLS sensitivity: s0
>> # MCS categories:
>>
>> /usr/bin/segatex         --  gen_context(system_u:object_r:segatex_exec_t,s0)
>> /usr/share/segatex(/.*)? --  gen_context(system_u:object_r:segatex_etc_t,s0)
>>
>
> The -- tells the system to only label standard files with the segatext
> label.
>
> If you eliminate "--" it will match everything. If you want to match only
> symbolic links you would use "-l", directories "-d". The same symbols that
> ls uses at the beginning of an ls line.
>>
>> 2009/4/20 Daniel J Walsh:
>>>
>>> On 04/20/2009 08:32 AM, Shintaro Fujiwara wrote:
>>>>
>>>> I wrote a policy which declares some label to symbolic link, and I
>>>> restoreconed, but failed ?
>>>>
>>>> Am I stupid or what should I do to this ?
>>>>
>>>> Thanks.
>>>>
>>> What does your fc file look like?
>>>
>>
>

-- http://intrajp.no-ip.com/ Home Page

From dwalsh at redhat.com Mon Apr 20 13:45:06 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 20 Apr 2009 09:45:06 -0400
Subject: How can I set label to symbolic link ?
In-Reply-To:
References: <49EC6D17.5000808@redhat.com> <49EC7127.1000503@redhat.com>
Message-ID: <49EC7C62.8090109@redhat.com>

On 04/20/2009 09:29 AM, Shintaro Fujiwara wrote:
> But, what does -- stand for, in regular Linux admin work ?
> I will forget it easily.
>
> Or am I a dumb fool not knowing Linux commands?
>
> 2009/4/20 Daniel J Walsh:
>> On 04/20/2009 08:47 AM, Shintaro Fujiwara wrote:
>>> Here it is, sir...
>>>
>>> Well, actually I'm trying to write my segatex policy.
>>> /usr/bin/segatex is actually a link to /usr/bin/consolehelper
>>>
>>> In my INSTALL script I declared,
>>> ##################################
>>> ln -s /usr/bin/consolehelper /usr/bin/segatex
>>> ##################################
>>>
>>> I've been running my program in the unconfined domain for several years,
>>> but I want to confine it now.
>>> So, I tried to label segatex_exec_t to /usr/bin/segatex.
>>>
>>> Made it fine, install all-right.
>>>
>>> I could find segatex module, you know...
>>> But alas, I could not restorecon nor autorelabel.
>>>
>>> Why?
>>>
>>> # segatex executable will have:
>>> # label: system_u:object_r:segatex_exec_t
>>> # MLS sensitivity: s0
>>> # MCS categories:
>>>
>>> /usr/bin/segatex         --  gen_context(system_u:object_r:segatex_exec_t,s0)
>>> /usr/share/segatex(/.*)? --  gen_context(system_u:object_r:segatex_etc_t,s0)
>>>
>> The -- tells the system to only label standard files with the segatext
>> label.
>>
>> If you eliminate "--" it will match everything. If you want to match only
>> symbolic links you would use "-l", directories "-d". The same symbols that
>> ls uses at the beginning of an ls line.
>>>
>>> 2009/4/20 Daniel J Walsh:
>>>> On 04/20/2009 08:32 AM, Shintaro Fujiwara wrote:
>>>>> I wrote a policy which declares some label to symbolic link, and I
>>>>> restoreconed, but failed ?
>>>>>
>>>>> Am I stupid or what should I do to this ?
>>>>>
>>>>> Thanks.
>>>>>
>>>> What does your fc file look like?
>>>>
>>>
>>
>

The first "-", I believe, is just an indicator for the tools to use an option. The second is just the "file type" as used in the ls command. The first letter is the output of ls -l

ls -l /etc

...
lrwxrwxrwx. 1 root root   22 2008-06-12 21:55 grub.conf -> ../boot/grub/grub.conf
...
-rw-r--r--. 1 root root 3101 2009-03-30 10:55 /etc/passwd
...
drwxr-xr-x. 2 root root 4096 2009-02-13 08:51 squid

From fedora03 at grifent.com Mon Apr 20 15:51:02 2009
From: fedora03 at grifent.com (John Griffiths)
Date: Mon, 20 Apr 2009 11:51:02 -0400
Subject: kde4 AVC
Message-ID: <49EC99E6.2080305@grifent.com>

I occasionally get:

Summary:

SELinux prevented kde4-config from writing ./.kde.

Detailed Description:

SELinux prevented kde4-config from writing ./.kde. If ./.kde is a core file, you may want to allow this. If ./.kde is not a core file, this could signal an intrusion attempt.

Allowing Access:

Changing the "allow_daemons_dump_core" boolean to true will allow this access: "setsebool -P allow_daemons_dump_core=1."
Fix Command:

setsebool -P allow_daemons_dump_core=1

Additional Information:

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:root_t
Target Objects                ./.kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port
Host                          elijah.suretrak21.net
Source RPM Packages           kdelibs-4.2.1-4.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-54.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_daemons_dump_core
Host Name                     elijah.suretrak21.net
Platform                      Linux elijah.suretrak21.net 2.6.27.21-170.2.56.fc10.i686 #1 SMP Mon Mar 23 23:37:54 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Wed 15 Apr 2009 11:56:28 AM EDT
Last Seen                     Wed 15 Apr 2009 01:11:24 PM EDT
Local ID                      1391a7fb-e6fd-4c5f-b5bf-9c9354857f3a
Line Numbers

Raw Audit Messages

node=elijah.suretrak21.net type=AVC msg=audit(1239815484.398:11): avc: denied { create } for pid=3132 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir

node=elijah.suretrak21.net type=SYSCALL msg=audit(1239815484.398:11): arch=40000003 syscall=39 success=no exit=-13 a0=8464158 a1=1c0 a2=279ce8c a3=1 items=0 ppid=3131 pid=3132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

SELinux is preventing kde4 from writing to my .kde directory in my home directory. The suggestion to allow core dumps is obviously incorrect in this situation. I can build a local policy to correct this but would think it affects far more users than me and may indicate a need for a policy fix.

Regards,

John

From shintaro.fujiwara at gmail.com Mon Apr 20 16:40:46 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Tue, 21 Apr 2009 01:40:46 +0900
Subject: How can I set label to symbolic link ?
In-Reply-To: <49EC7C62.8090109@redhat.com>
References: <49EC6D17.5000808@redhat.com> <49EC7127.1000503@redhat.com> <49EC7C62.8090109@redhat.com>
Message-ID:

Thank you, sir. That'll make sense to me.

2009/4/20 Daniel J Walsh :
> On 04/20/2009 09:29 AM, Shintaro Fujiwara wrote:
>>
>> But, what does -- stand for, in regular Linux admin work ?
>> I will forget it easily.
>>
>> Or am I a dumb fool not knowing Linux commands?
>>
>> 2009/4/20 Daniel J Walsh:
>>>
>>> On 04/20/2009 08:47 AM, Shintaro Fujiwara wrote:
>>>>
>>>> Here it is, sir...
>>>>
>>>> Well, actually I'm trying to write my segatex policy.
>>>> /usr/bin/segatex is actually a link to /usr/bin/consolehelper
>>>>
>>>> In my INSTALL script I declared,
>>>> ##################################
>>>> ln -s /usr/bin/consolehelper /usr/bin/segatex
>>>> ##################################
>>>>
>>>> I've been running my program in the unconfined domain for several years,
>>>> but I want to confine it now.
>>>> So, I tried to label segatex_exec_t to /usr/bin/segatex.
>>>>
>>>> Made it fine, install all-right.
>>>>
>>>> I could find segatex module, you know...
>>>> But alas, I could not restorecon nor autorelabel.
>>>>
>>>> Why?
>>>>
>>>> # segatex executable will have:
>>>> # label: system_u:object_r:segatex_exec_t
>>>> # MLS sensitivity: s0
>>>> # MCS categories:
>>>>
>>>> /usr/bin/segatex         --  gen_context(system_u:object_r:segatex_exec_t,s0)
>>>> /usr/share/segatex(/.*)? --  gen_context(system_u:object_r:segatex_etc_t,s0)
>>>>
>>> The -- tells the system to only label standard files with the segatext
>>> label.
>>>
>>> If you eliminate "--" it will match everything. If you want to match
>>> only symbolic links you would use "-l", directories "-d". The same symbols
>>> that ls uses at the beginning of an ls line.
>>>>
>>>> 2009/4/20 Daniel J Walsh:
>>>>>
>>>>> On 04/20/2009 08:32 AM, Shintaro Fujiwara wrote:
>>>>>>
>>>>>> I wrote a policy which declares some label to symbolic link, and I
>>>>>> restoreconed, but failed ?
>>>>>>
>>>>>> Am I stupid or what should I do to this ?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>> What does your fc file look like?
>>>>>
>>>>
>>>
>>
>
> The first "-", I believe, is just an indicator for the tools to use an
> option. The second is just the "file type" as used in the ls
> command. The first letter is the output of ls -l
>
> ls -l /etc
>
> ...
> lrwxrwxrwx. 1 root root   22 2008-06-12 21:55 grub.conf -> ../boot/grub/grub.conf
> ...
> -rw-r--r--. 1 root root 3101 2009-03-30 10:55 /etc/passwd
> ...
> drwxr-xr-x. 2 root root 4096 2009-02-13 08:51 squid
>

-- http://intrajp.no-ip.com/ Home Page

From tony.molloy at ul.ie Tue Apr 21 11:31:14 2009
From: tony.molloy at ul.ie (Tony Molloy)
Date: Tue, 21 Apr 2009 12:31:14 +0100
Subject: How to label top level non default dirs
Message-ID: <200904211231.15259.tony.molloy@ul.ie>

Hi,

If I have a top level non-default directory, say for argument called /data. This directory contains various scripts and text files which should be available to everyone. Now when I do an install it gets the default SELinux context file_t. But this generates lots of AVCs if I set SELinux to enforcing. What should I label this directory as?

Regards,

Tony

--
Dept. of Comp. Sci.
University of Limerick.

From domg472 at gmail.com Tue Apr 21 11:58:15 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 21 Apr 2009 13:58:15 +0200
Subject: How to label top level non default dirs
In-Reply-To: <200904211231.15259.tony.molloy@ul.ie>
References: <200904211231.15259.tony.molloy@ul.ie>
Message-ID: <1240315095.6753.11.camel@notebook2.grift.internal>

On Tue, 2009-04-21 at 12:31 +0100, Tony Molloy wrote:
> Hi,
>
> If I have a top level non-default directory, say for argument called /data.
> This directory contains various scripts and text files which should be
> available to everyone. Now when I do an install it gets the default SELinux
> context file_t. But this generates lots of AVCs if I set SELinux to
> enforcing. What should I label this directory as?
>
> Regards,
>
> Tony
>

Depends on what you want to use it for.

For example you can label it root_t if you want to put in folders that resemble /var or /etc or /home/user etc. You can also label /data var_t if that is what you will use it for. Or you can for example label /data user_home_t if you want to store user content there.

It just depends on how you will use /data.

-/data(root_t)---/user_content(user_home_t)
             \-/var(var_t)
             \-/etc(etc_t)
             \-/custom(some_custom_type_t)
             \- etcetc

For example: if you want to store web content in /data you would label it httpd_sys_content_t (just like /var/www is labeled that type).

From dwalsh at redhat.com Tue Apr 21 12:25:52 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 21 Apr 2009 08:25:52 -0400
Subject: How to label top level non default dirs
In-Reply-To: <200904211231.15259.tony.molloy@ul.ie>
References: <200904211231.15259.tony.molloy@ul.ie>
Message-ID: <49EDBB50.2080000@redhat.com>

On 04/21/2009 07:31 AM, Tony Molloy wrote:
> Hi,
>
> If I have a top level non-default directory, say for argument called /data.
> This directory contains various scripts and text files which should be
> available to everyone. Now when I do an install it gets the default SELinux
> context file_t. But this generates lots of AVCs if I set SELinux to
> enforcing. What should I label this directory as?
>
> Regards,
>
> Tony
>

You should never get a file/directory labeled file_t. These should only be able to be created on machines without SELinux. file_t means no label at all. If you run restorecon on /data it will get assigned default_t.

restorecon -R -v /data

This label should be available to the unconfined user and not available to any confined domain.
That will probably fix most of your AVCs. If you wanted to label it like a home directory you could set its labeling to user_home_t.

# semanage fcontext -a -t user_home_t '/data(/.*)?'
# restorecon -R -v /data

This would allow all confined domains that have access to the home directory access to these files. If you want to give access to apache, you might need to assign a different context.

From tony.molloy at ul.ie Tue Apr 21 13:43:42 2009
From: tony.molloy at ul.ie (Tony Molloy)
Date: Tue, 21 Apr 2009 14:43:42 +0100
Subject: How to label top level non default dirs
Message-ID: <200904211443.42852.tony.molloy@ul.ie>

On Tuesday 21 April 2009 13:25:52 you wrote:
> On 04/21/2009 07:31 AM, Tony Molloy wrote:
> > Hi,
> >
> > If I have a top level non-default directory, say for argument called
> > /data. This directory contains various scripts and text files which
> > should be available to everyone. Now when I do an install it gets the
> > default SELinux context file_t. But this generates lots of AVCs if I set
> > SELinux to enforcing. What should I label this directory as?
> >
> > Regards,
> >
> > Tony
>
> You should never get a file/directory labeled file_t. These should only
> be able to be created on machines without SELinux. file_t means no
> label at all. If you run restorecon on /data it will get assigned
> default_t.
>
> restorecon -R -v /data

These were old partitions left over from previous installs. The restorecon changed them to default_t. So that worked.

>
> This label should be available to the unconfined user and not available
> to any confined domain. That will probably fix most of your AVCs. If
> you wanted to label it like a home directory you could set its labeling
> to user_home_t.
>
> # semanage fcontext -a -t user_home_t '/data(/.*)?'
> # restorecon -R -v /data
>
> This would allow all confined domains that have access to the home
> directory access to these files.
> If you want to give access to apache,
> you might need to assign a different context.

The situation is I have a partition on all my servers called /archive which survives re-installs. This contains several directories, e.g.

/archive/extra-software        for extra software to be installed on the server after a re-install
/archive/gpg-keys              the gpg-keys to be installed
/archive/server-config-script  a script to be run after an install to configure the server

Now this script needs to be able to write to /archive to log what it did. So I was wondering if there was a context which should be used for this type of situation. I suppose I could label it as a home directory.

Thanks,

Tony

--
Dept. of Comp. Sci.
University of Limerick.

From sradvan at redhat.com Thu Apr 23 04:25:45 2009
From: sradvan at redhat.com (Scott Radvan)
Date: Thu, 23 Apr 2009 14:25:45 +1000
Subject: SELinux managing-confined-services guide - call for review
Message-ID: <20090423142545.189129ea@redhat.com>

Hi all,

The Fedora SELinux managing-confined-services guide I have been working on is nearing completion.

I would greatly appreciate any and all comments or corrections that anyone has on it.

It is available here:

http://sradvan.fedorapeople.org/SELinux_Managing_Confined_Services/en-US/

Cheers,

--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane)
http://www.apac.redhat.com

From tony.molloy at ul.ie Thu Apr 23 08:32:33 2009
From: tony.molloy at ul.ie (Tony Molloy)
Date: Thu, 23 Apr 2009 09:32:33 +0100
Subject: semodule denial
Message-ID: <200904230932.34152.tony.molloy@ul.ie>

Hi,

I'm getting the following denial on a fully updated CentOS 5.3 system with ( selinux-policy-2.4.6-203.el5.noarch )

Summary:

SELinux is preventing semodule (semanage_t) "getattr" to / (fs_t).

Detailed Description:

SELinux denied access requested by semodule. It is not expected that this access is required by semodule and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:semanage_t:SystemLow-SystemHigh
Target Context                system_u:object_r:fs_t
Target Objects                / [ filesystem ]
Source                        semodule
Source Path
Port
Host                          a.b.c.d
Source RPM Packages
Target RPM Packages           filesystem-2.4.0-2.el5.centos
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     a.b.c.d
Platform                      Linux a.b.c.d 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 09:10:25 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu Apr 23 08:53:08 2009
Last Seen                     Thu Apr 23 08:53:08 2009
Local ID                      227642bc-dd66-4a04-bcad-13c3d52e5e63
Line Numbers

Raw Audit Messages

host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied { getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

I can generate local policy but is that the best solution?

Regards,

Tony

--
Dept. of Comp. Sci.
University of Limerick.
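The file-type field that Paul and Dan explain in the segatex thread above, and the restorecon / semanage fcontext behaviour Dan describes for /data, can both be reproduced in a few lines. What follows is an added example written for this page; it is not code from libselinux, restorecon, or the segatex project. It parses file_contexts-style entries (including the gen_context() form used in policy .fc sources), applies the optional file-type flag the way file_contexts(5) defines it, and resolves a path with a last-matching-entry-wins rule. That rule is a simplification of what libselinux does (no sorting of entries, no <<none>> handling), and the "base" and "local" entries below are constructed stand-ins, not a copy of any distribution's file_contexts. The segatex entries are the ones posted in the thread; the corrected pair shows what the flag rule implies, including that "--" on the /usr/share/segatex(/.*)? line would skip the directory itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The optional second field of a file_contexts entry restricts it to one
# object class, using the same letter `ls -l` prints in column one
# ("--" is a regular file).  No field at all means "any object type".
FILE_TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "symlink", "-b": "blk_file",
    "-c": "chr_file", "-p": "fifo_file", "-s": "sock_file",
}

# gen_context(system_u:object_r:foo_t,s0) as written in policy .fc sources
GEN_CONTEXT = re.compile(r"gen_context\(([^,()]+),([^)]+)\)")


@dataclass
class FcEntry:
    pattern: "re.Pattern[str]"
    file_type: Optional[str]   # None == matches every object type
    context: str


def parse_fc(text: str) -> List[FcEntry]:
    """Parse file_contexts text: each non-comment line is
    'regex [type-flag] context'; the regex is anchored to the whole path."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, flag, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in FILE_TYPE_FLAGS:
            regex, flag, context = fields[0], FILE_TYPE_FLAGS[fields[1]], fields[2]
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        m = GEN_CONTEXT.fullmatch(context)
        if m:  # expand the m4 macro form to user:role:type:level
            context = f"{m.group(1)}:{m.group(2)}"
        entries.append(FcEntry(re.compile(regex), flag, context))
    return entries


def lookup(entries: List[FcEntry], path: str, obj_type: str) -> Optional[str]:
    """Return the context a relabel would apply to `path`, whose lstat()
    class is `obj_type` (file, dir, symlink, ...), or None if no entry
    matches.  Later entries take precedence over earlier ones (simplified
    last-match-wins rule)."""
    for entry in reversed(entries):
        if entry.file_type is not None and entry.file_type != obj_type:
            continue   # the flag excludes this object type even if the regex matches
        if entry.pattern.fullmatch(path):
            return entry.context
    return None


# Constructed sample: the fragment posted in the thread ("--" on both lines).
POSTED_SEGATEX_FC = """
/usr/bin/segatex          --  gen_context(system_u:object_r:segatex_exec_t,s0)
/usr/share/segatex(/.*)?  --  gen_context(system_u:object_r:segatex_etc_t,s0)
"""

# The same entries with the flag corrected as suggested in the replies:
# "-l" for the symlink, and no flag so the directory tree matches every type.
FIXED_SEGATEX_FC = """
/usr/bin/segatex          -l  gen_context(system_u:object_r:segatex_exec_t,s0)
/usr/share/segatex(/.*)?      gen_context(system_u:object_r:segatex_etc_t,s0)
"""

# Constructed stand-in for the stock policy: a catch-all default_t entry,
# which is what leaves an unlisted /data as default_t after restorecon.
BASE_FC = "/.*  system_u:object_r:default_t:s0\n"

# Constructed stand-in for what `semanage fcontext -a -t user_home_t
# '/data(/.*)?'` adds; it is appended, so it wins over the catch-all.
LOCAL_FC = "/data(/.*)?  system_u:object_r:user_home_t:s0\n"


def label_for(fc_text: str, path: str, obj_type: str) -> Optional[str]:
    return lookup(parse_fc(fc_text), path, obj_type)


if __name__ == "__main__":
    for name, fc in (("posted", POSTED_SEGATEX_FC), ("fixed", FIXED_SEGATEX_FC)):
        print(name, "symlink /usr/bin/segatex ->", label_for(fc, "/usr/bin/segatex", "symlink"))
        print(name, "dir /usr/share/segatex  ->", label_for(fc, "/usr/share/segatex", "dir"))
    print("/data/run.sh, base only   ->", label_for(BASE_FC, "/data/run.sh", "file"))
    print("/data/run.sh, with local  ->", label_for(BASE_FC + LOCAL_FC, "/data/run.sh", "file"))
```

With the posted entries a symlink at /usr/bin/segatex gets no label at all from the segatex module, which is why restorecon appeared to do nothing; with the "-l" flag it does. Note that the lookup keys on the lstat() class of the path, so the symlink is judged as a symlink, not as its consolehelper target.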
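For a denial like the one above (and the kde4-config one earlier in the thread), the first triage step is to reduce the raw audit record to the type-enforcement rule a local module would need, then decide, as Dan suggests later in this thread, whether a newer policy already carries the fix before loading anything. The following is an added example for this page, not audit2allow itself: it parses type=AVC records, groups denials by source type, target type and object class, and renders a .te module source. The two sample records are copied from this thread; the regular expressions, the grouping logic and the names parse_avc, group_denials and render_te are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample input: the two raw AVC records quoted in this thread,
# plus the SYSCALL record that accompanied the first one.
SAMPLE_AUDIT = """\
node=elijah.suretrak21.net type=AVC msg=audit(1239815484.398:11): avc: denied { create } for pid=3132 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=elijah.suretrak21.net type=SYSCALL msg=audit(1239815484.398:11): arch=40000003 syscall=39 success=no exit=-13 comm="kde4-config" exe="/usr/bin/kde4-config"
host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied { getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avc(audit_text: str) -> List[Dict[str, object]]:
    """Extract the fields a TE rule needs from raw type=AVC denials.
    Other record types (SYSCALL, ...) and granted AVCs are ignored."""
    records = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        records.append({
            "comm": comm.group(1) if comm else "?",
            "perms": frozenset(m.group("perms").split()),
            # a context is user:role:type[:level]; TE rules use the type
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return records


def group_denials(records) -> Dict[Tuple[str, str, str], FrozenSet[str]]:
    """Merge permissions per (source type, target type, class)."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {key: frozenset(perms) for key, perms in grouped.items()}


def render_te(grouped, module_name: str = "localfix") -> str:
    """Render module source with the require block checkmodule needs and
    one allow rule per group.  Output is sorted so it is reproducible."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in grouped.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te(group_denials(parse_avc(SAMPLE_AUDIT))))
```

The rendered source is what you would feed to checkmodule -M -m, semodule_package and semodule -i. For the two records here that gives `allow xdm_t root_t:dir { create };` and `allow semanage_t fs_t:filesystem { getattr };`, and reading those rules makes the triage question concrete: xdm_t creating a directory in root_t is a labeling problem (the home directory is not root_t), and semanage_t needing getattr on fs_t is the kind of missing permission a policy update is expected to add, so neither is a rule you would want to carry in a local module for long.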
From domg472 at gmail.com Thu Apr 23 10:40:15 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 23 Apr 2009 12:40:15 +0200
Subject: SELinux managing-confined-services guide - call for review
In-Reply-To: <20090423142545.189129ea@redhat.com>
References: <20090423142545.189129ea@redhat.com>
Message-ID: <1240483215.3402.10.camel@notebook2.grift.internal>

On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:
> The Fedora SELinux managing-confined-services guide I have been working
> on is nearing completion.
>
> I would greatly appreciate any and all comments or corrections that
> anyone has on it.

Nice, thank you. Currently I only have a few comments:

-By default, Linux users run unconfined in Fedora, which is why the testfile file is labeled with the SELinux unconfined_u user
+testfile is labeled with the SELinux unconfined_u user because a unix user that is mapped to the unconfined_u SELinux user created the file.

Maybe you can mention "semanage boolean" instead of / or besides get/setsebool. semanage can do it as well and it might be easier for people that do not know better if a lot of this stuff is done in a centralized place. I think dwalsh is working on getting semanage to do most of this stuff, so that one doesn't have to use 4 different utils to get something done.

semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file

From domg472 at gmail.com Thu Apr 23 10:50:16 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 23 Apr 2009 12:50:16 +0200
Subject: SELinux managing-confined-services guide - call for review
In-Reply-To: <20090423142545.189129ea@redhat.com>
References: <20090423142545.189129ea@redhat.com>
Message-ID: <1240483816.3402.12.camel@notebook2.grift.internal>

On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:
> I would greatly appreciate any and all comments or corrections that
> anyone has on it.
Small typo here:

- To resolve this labeling issue, run the restoreconv -R -v /var/named/dynamic command as the Linux root user.
+ To resolve this labeling issue, run the restorecon -R -v /var/named/dynamic command as the Linux root user.

From domg472 at gmail.com Thu Apr 23 11:21:22 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 23 Apr 2009 13:21:22 +0200
Subject: SELinux managing-confined-services guide - call for review
In-Reply-To: <20090423142545.189129ea@redhat.com>
References: <20090423142545.189129ea@redhat.com>
Message-ID: <1240485682.3402.21.camel@notebook2.grift.internal>

On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:
> I would greatly appreciate any and all comments or corrections that
> anyone has on it.

I like the examples; unfortunately, with regard to for example Apache, you do not have an example for each boolean. That would probably be too much, but it would be the best way to show when to use which boolean or combination of booleans.

For example we have had an issue on #fedora-selinux where httpd couldn't do some permission to httpd_sys_content_t.

setroubleshoot suggested httpd_unified, but even with that bool set to true, httpd was not able to do (I forgot which permission it was) to the file.

I suggested to the user to just label the file httpd_sys_content_rw_t and get it over with. (This worked.)

However later dwalsh suggested that this wasn't just solved by httpd_unified because it required a combination of booleans to be set.

I'm not sure I remember correctly which combination this was but I think: httpd_enable_cgi, httpd_unified, httpd_enable_homedir

My point is that the idea of including examples is a very good idea in my view but that there aren't so many examples.
From zoroufi at gmail.com Thu Apr 23 11:45:16 2009
From: zoroufi at gmail.com (Mohammad zoroufi)
Date: Thu, 23 Apr 2009 15:15:16 +0330
Subject: No Read Up No Write Down
Message-ID:

Dear All,

After switching on SELinux in MLS enforcing mode, I'd like to know how the slogan of "no read up, no write down" works. I created some text files with the following descriptions:

TestFile_S0      system_u:object_r:usr_t:s0
TestFile_S0C2    system_u:object_r:usr_t:s0:c2
TestFile_S1      system_u:object_r:usr_t:s1
TestFile_S2      system_u:object_r:usr_t:s2
TestFile_S2C11   system_u:object_r:usr_t:s2:c11
TestFile_S2C5    system_u:object_r:usr_t:s2:c5
TestFile_S3      system_u:object_r:usr_t:s3
TestFile_S3C14   system_u:object_r:usr_t:s3:c14
TestFile_S3C5    system_u:object_r:usr_t:s3:c5

After creating these text files, I went to create users having different security clearances; the clearance of each created user is listed below:

Login Name   SELinux User   Role       MLS/MCS Range
first        x_first        xguest_r   s0
second       x_second       sysadm_r   s3-s3:c5.c15
third        x_third        sysadm_r   s1:c3.c15-s3:c5.c10
forth        x_forth        system_r   s1-s1:c0.c10
root         root           system_r   s0-s15:c0.c1023

Having the clearance delegated for each user, I expect user first to have read/write access to TestFile_S0 and just write access to all other files; user second to have read access to files such as TestFile_S0, TestFile_S0C2, TestFile_S2, TestFile_S2C5, TestFile_S2C11 and only write access to TestFile_S3, TestFile_S3C14.

When I switch to MLS enforcing mode I see something else. These users have no permission to write to files they expect they have write access to. I'd like to know where this problem originates.

Moreover, when user first wants to take a list of the directory contents only TestFile_S0, TestFile_S1, TestFile_S2 are listed, nothing else; user second sees TestFile_S0, TestFile_S1, TestFile2, TestFile3; users third and root see all files; user forth sees just TestFile_S0, not more. I don't know why such lists are taken when I'd like to take a list.
Any comment is welcome.

Best Regards

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dwalsh at redhat.com Thu Apr 23 12:31:53 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 23 Apr 2009 08:31:53 -0400
Subject: semodule denial
In-Reply-To: <200904230932.34152.tony.molloy@ul.ie>
References: <200904230932.34152.tony.molloy@ul.ie>
Message-ID: <49F05FB9.5000800@redhat.com>

On 04/23/2009 04:32 AM, Tony Molloy wrote:
> host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied {
> getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2
> scontext=root:system_r:semanage_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

I am working from home today so I don't have access to my RHEL5 box. Could you check the latest RHEL5.4 policy preview available on

http://people.redhat.com/dwalsh/SELinux/RHEL5

To see if this problem is fixed.

From chanson at TrustedCS.com Thu Apr 23 14:22:12 2009
From: chanson at TrustedCS.com (chanson at TrustedCS.com)
Date: Thu, 23 Apr 2009 10:22:12 -0400
Subject: No Read Up No Write Down
In-Reply-To:
References:
Message-ID: <170D6ABBBA770349AA49582A86FCED15F1560B@HAVOC.tcs-sec.com>

Hi,

The MLS policy is defined via the MLS constraints file (http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/mls). The default MLS policy in SELinux is a modified Bell-LaPadula that enforces "no read up, write equal". The process clearance label isn't really going to come into play for these access decisions; the effective SL of the process is the key factor being utilized, known as "l1" in the MLS constraint language.

The type of the process is very important when analyzing the results. There are certain types, such as sysadm_t, which have MLS privileges, such as mlsfileread (http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/system/userdomain.if#L1214). All of this impacts the ability to read and write files on the system.
A couple of slidesets on the MLS implementation are available below....

http://selinux-symposium.org/2005/presentations/session3/3-3-hanson.pdf
http://selinux-symposium.org/2006/slides/08-mls.pdf

-Chad

________________________________

From: fedora-selinux-list-bounces at redhat.com [mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of Mohammad zoroufi
Sent: Thursday, April 23, 2009 6:45 AM
To: fedora-selinux-list at redhat.com
Subject: No Read Up No Write Down

Dear All,

After switching on SELinux in MLS enforcing mode, I'd like to know how the slogan of "no read up, no write down" works. I created some text files with the following descriptions:

TestFile_S0      system_u:object_r:usr_t:s0
TestFile_S0C2    system_u:object_r:usr_t:s0:c2
TestFile_S1      system_u:object_r:usr_t:s1
TestFile_S2      system_u:object_r:usr_t:s2
TestFile_S2C11   system_u:object_r:usr_t:s2:c11
TestFile_S2C5    system_u:object_r:usr_t:s2:c5
TestFile_S3      system_u:object_r:usr_t:s3
TestFile_S3C14   system_u:object_r:usr_t:s3:c14
TestFile_S3C5    system_u:object_r:usr_t:s3:c5

After creating these text files, I went to create users having different security clearances; the clearance of each created user is listed below:

Login Name   SELinux User   Role       MLS/MCS Range
first        x_first        xguest_r   s0
second       x_second       sysadm_r   s3-s3:c5.c15
third        x_third        sysadm_r   s1:c3.c15-s3:c5.c10
forth        x_forth        system_r   s1-s1:c0.c10
root         root           system_r   s0-s15:c0.c1023

Having the clearance delegated for each user, I expect user first to have read/write access to TestFile_S0 and just write access to all other files; user second to have read access to files such as TestFile_S0, TestFile_S0C2, TestFile_S2, TestFile_S2C5, TestFile_S2C11 and only write access to TestFile_S3, TestFile_S3C14.

When I switch to MLS enforcing mode I see something else. These users have no permission to write to files they expect they have write access to.
I'd like to know where this problem originates.

Moreover, when user first wants to take a list of the directory contents only TestFile_S0, TestFile_S1, TestFile_S2 are listed, nothing else; user second sees TestFile_S0, TestFile_S1, TestFile2, TestFile3; users third and root see all files; user forth sees just TestFile_S0, not more. I don't know why such lists are taken when I'd like to take a list.

Any comment is welcome.

Best Regards

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From domg472 at gmail.com Thu Apr 23 19:40:00 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 23 Apr 2009 21:40:00 +0200
Subject: SELinux managing-confined-services guide - call for review
In-Reply-To: <1240485682.3402.21.camel@notebook2.grift.internal>
References: <20090423142545.189129ea@redhat.com> <1240485682.3402.21.camel@notebook2.grift.internal>
Message-ID: <1240515601.6891.2.camel@notebook2.grift.internal>

On Thu, 2009-04-23 at 13:21 +0200, Dominick Grift wrote:
> On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:
>
> > I would greatly appreciate any and all comments or corrections that
> > anyone has on it.
>
> I like the examples; unfortunately, with regard to for example Apache you
> do not have an example for each boolean. That would probably be too
> much, but it would be the best way to show when to use which boolean or
> combination of booleans.
>
> For example we have had an issue on #fedora-selinux where httpd couldn't
> do some permission to httpd_sys_content_t.
>
> setroubleshoot suggested httpd_unified, but even with that bool set to
> true, httpd was not able to do (I forgot which permission it was) to the
> file.
>
> I suggested to the user to just label the file httpd_sys_content_rw_t
> and get it over with. (This worked.)
>
> However later dwalsh suggested that this wasn't just solved by
> httpd_unified because it required a combination of booleans to be set.
>
> I'm not sure I remember correctly which combination this was, but I think:
>
> httpd_enable_cgi, httpd_unified, httpd_enable_homedir
>
> My point is that the idea of including examples is a very good idea in
> my view, but that there aren't so many examples.

Actually the example I gave here just does not work. There is a bug in the Fedora Apache policy. We have had another guy with the same issue in #selinux today and httpd_unified does not work. Confirmed it.

From tony.molloy at ul.ie Fri Apr 24 07:48:48 2009
From: tony.molloy at ul.ie (Tony Molloy)
Date: Fri, 24 Apr 2009 08:48:48 +0100
Subject: semodule denial
In-Reply-To: <49F05FB9.5000800@redhat.com>
References: <200904230932.34152.tony.molloy@ul.ie> <49F05FB9.5000800@redhat.com>
Message-ID: <200904240848.49081.tony.molloy@ul.ie>

On Thursday 23 April 2009 13:31:53 you wrote:
> On 04/23/2009 04:32 AM, Tony Molloy wrote:
> > host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied { getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
> I am working from home today so I don't have access to my RHEL5 box. Could
> you check the latest RHEL5.4 policy preview available on
>
> http://people.redhat.com/dwalsh/SELinux/RHEL5
>
> to see if this problem is fixed.

Daniel,

I'm just re-installing the test server now. I've downloaded all the rpms; which ones do you want me to install?

libsemanage-1.9.1-4.2.el5.x86_64.rpm

Thanks,

Tony

--
Dept. of Comp. Sci.
University of Limerick.
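The "No Read Up No Write Down" question earlier in this digest asks what the slogan means for a concrete set of file labels and user clearances. The Python below is an added example, written for this page and not taken from any list participant or from the SELinux policy sources. It models an MLS level as a sensitivity plus a category set, implements the dominance relation SELinux uses, and applies textbook Bell-LaPadula to the file labels and user ranges quoted in that question. A session runs at the low end of its range by default and can be raised towards the clearance (for example with newrole -l), so access_table takes a flag for which end to evaluate. parse_range enforces the kernel's rule that the high level of a range must dominate the low one, which one of the quoted ranges does not satisfy. refpolicy_file_write shows the stricter base constraint the reference policy puts on file writes (l1 eq l2); the mlsfilewrite-style privileges that relax it are deliberately not modeled. The user and file names are the question's own; the function names and the test data layout are this example's assumptions.

```python
"""Dominance and Bell-LaPadula checks over SELinux MLS labels.

Added example, not from the list thread: models "no read up, no write down"
for the file labels and user ranges quoted in the MLS question.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Level:
    """One MLS level: sensitivity sN plus a (possibly empty) set of categories."""
    sens: int
    cats: FrozenSet[int]

    def dominates(self, other: "Level") -> bool:
        # "dom" in policy language: sensitivity at least as high and a
        # superset of the other level's categories.
        return self.sens >= other.sens and self.cats >= other.cats


_SENS = re.compile(r"s(\d+)")
_CATS = re.compile(r"c(\d+)(?:\.c(\d+))?")   # a single c5 or a run c5.c15


def parse_level(text: str) -> Level:
    """'s3:c5.c15' -> Level(3, {5..15}); 's0' -> Level(0, {})."""
    sens_part, _, cat_part = text.partition(":")
    m = _SENS.fullmatch(sens_part)
    if m is None:
        raise ValueError(f"bad sensitivity in {text!r}")
    cats = set()
    for piece in filter(None, cat_part.split(",")):
        cm = _CATS.fullmatch(piece)
        if cm is None:
            raise ValueError(f"bad category in {text!r}")
        lo, hi = int(cm.group(1)), int(cm.group(2) or cm.group(1))
        cats.update(range(lo, hi + 1))
    return Level(int(m.group(1)), frozenset(cats))


def parse_range(text: str) -> Tuple[Level, Level]:
    """'s1-s3:c5.c10' -> (login level, clearance); the kernel requires high dom low."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not hi.dominates(lo):
        raise ValueError(f"high level does not dominate low in {text!r}")
    return lo, hi


def range_is_valid(text: str) -> bool:
    try:
        parse_range(text)
        return True
    except ValueError:
        return False


def file_level(context: str) -> Level:
    """Level field of a file context such as 'system_u:object_r:usr_t:s2:c11'."""
    return parse_level(context.split(":", 3)[3])


def blp_access(subject: Level, obj: Level) -> Tuple[bool, bool]:
    """(read, write) under textbook Bell-LaPadula: read needs subject dom
    object (no read up); write needs object dom subject (no write down)."""
    return subject.dominates(obj), obj.dominates(subject)


def refpolicy_file_write(subject: Level, obj: Level) -> bool:
    """Base mlsconstrain on file write in the reference policy: l1 eq l2.
    Domains with mlsfilewrite-style privileges relax this (not modeled here)."""
    return subject == obj


# Labels and ranges exactly as quoted in the question (constructed test data).
_USR = "system_u:object_r:usr_t:"
FILES: Dict[str, str] = {
    "TestFile_S0": _USR + "s0", "TestFile_S0C2": _USR + "s0:c2",
    "TestFile_S1": _USR + "s1", "TestFile_S2": _USR + "s2",
    "TestFile_S2C11": _USR + "s2:c11", "TestFile_S2C5": _USR + "s2:c5",
    "TestFile_S3": _USR + "s3", "TestFile_S3C14": _USR + "s3:c14",
    "TestFile_S3C5": _USR + "s3:c5",
}
USERS: Dict[str, str] = {"first": "s0", "second": "s3-s3:c5.c15",
                         "third": "s1:c3.c15-s3:c5.c10",
                         "forth": "s1-s1:c0.c10", "root": "s0-s15:c0.c1023"}


def access_table(user_range: str, at_clearance: bool = False) -> Dict[str, Tuple[bool, bool, bool]]:
    """Per file: (blp_read, blp_write, refpolicy_file_write) for a session at
    the login (low) level, or at the clearance (high) level if at_clearance."""
    low, high = parse_range(user_range)
    current = high if at_clearance else low
    table = {}
    for name, ctx in FILES.items():
        obj = file_level(ctx)
        read, write = blp_access(current, obj)
        table[name] = (read, write, refpolicy_file_write(current, obj))
    return table


if __name__ == "__main__":
    for user, rng in USERS.items():
        if not range_is_valid(rng):
            print(f"{user}: range {rng} rejected (high level must dominate low)")
            continue
        for flag in (False, True):
            print(f"{user} {rng} at {'clearance' if flag else 'login level'}:")
            for name, (r, w, fw) in access_table(rng, flag).items():
                print(f"  {name:15} read={r!s:5} write={w!s:5} file_write(l1 eq l2)={fw}")
```

Running the table for user second at its login level (s3 with no categories) versus at its clearance (s3:c5.c15) shows why "which level am I running at" matters as much as the clearance itself: the categories the session currently holds decide which compartmented files dominate it and which it dominates.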
From dwalsh at redhat.com Fri Apr 24 10:58:19 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 24 Apr 2009 06:58:19 -0400 Subject: semodule denial In-Reply-To: <200904240848.49081.tony.molloy@ul.ie> References: <200904230932.34152.tony.molloy@ul.ie> <49F05FB9.5000800@redhat.com> <200904240848.49081.tony.molloy@ul.ie> Message-ID: <49F19B4B.4010407@redhat.com> On 04/24/2009 03:48 AM, Tony Molloy wrote: > On Thursday 23 April 2009 13:31:53 you wrote: >> On 04/23/2009 04:32 AM, Tony Molloy wrote: >>> host=a.b.c.d type=AVC msg=audit(1240473188.358:3149): avc: denied { >>> getattr } for pid=29325 comm="semodule" name="/" dev=sda5 ino=2 >>> scontext=root:system_r:semanage_t:s0-s0:c0.c1023 >>> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem >> I am working home today so I don't have access to my RHEL5 box. Could >> you check the latest RHEL5.4 policy preview available on >> >> http://people.redhat.com/dwalsh/SELinux/RHEL5 >> >> To see if this problem is fixed. > > Daniel, > > I'm just re-installin the test server now. I've downloaded all the rpms, > which ones do you want me to install. libsemanage-1.9.1-4.2.el5.x86_64.rpm > > Thanks, > > Tony > selinux-policy From olivares14031 at yahoo.com Mon Apr 27 22:10:01 2009 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Mon, 27 Apr 2009 15:10:01 -0700 (PDT) Subject: Selinux is denying access to files with the default label, default_t and preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t. Message-ID: <973443.76091.qm@web52608.mail.re2.yahoo.com> I'll copy/paste alerts one by one : Summary: SELinux is preventing access to files with the default label, default_t. Detailed Description: SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. 
/dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label. Allowing Access: If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot" Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects .kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port Host gray Source RPM Packages kdelibs-4.2.2-9.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-9.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name gray Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr 20 15:33:38 EDT 2009 x86_64 x86_64 Alert Count 92 First Seen Thu 23 Apr 2009 08:34:03 PM CDT Last Seen Tue 28 Apr 2009 04:52:40 PM CDT Local ID bfed3a21-1e6d-40ce-bd73-53aaabd164a7 Line Numbers Raw Audit Messages node=gray type=AVC msg=audit(1240955560.271:36): avc: denied { search } for pid=1767 comm="kde4-config" name=".kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir node=gray type=SYSCALL msg=audit(1240955560.271:36): arch=c000003e syscall=6 success=no exit=-13 a0=6e5e58 a1=7fff38fa1be0 a2=7fff38fa1be0 a3=21 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing access to files with the default label, default_t. Detailed Description: SELinux permission checks on files labeled default_t are being denied. 
These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label. Allowing Access: If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot" Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:default_t:s0 Target Objects /.kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port Host gray Source RPM Packages kdelibs-4.2.2-9.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-9.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name default Host Name gray Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr 20 15:33:38 EDT 2009 x86_64 x86_64 Alert Count 28 First Seen Thu 23 Apr 2009 08:34:03 PM CDT Last Seen Tue 28 Apr 2009 04:52:40 PM CDT Local ID 6da3a105-c4c8-4352-bd0e-3f438b1634a8 Line Numbers Raw Audit Messages node=gray type=AVC msg=audit(1240955560.107:34): avc: denied { getattr } for pid=1767 comm="kde4-config" path="/.kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir node=gray type=SYSCALL msg=audit(1240955560.107:34): arch=c000003e syscall=6 success=no exit=-13 a0=7fff38fa1c80 a1=7fff38fa1b80 a2=7fff38fa1b80 a3=6d3b20 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" 
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Summary: SELinux is preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t. Detailed Description: SELinux denied access requested by ck-get-x11-serv. It is not expected that this access is required by ck-get-x11-serv and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 Target Context system_u:object_r:xdm_var_run_t:s0 Target Objects gdm [ dir ] Source ck-get-x11-serv Source Path /usr/libexec/ck-get-x11-server-pid Port Host gray Source RPM Packages ConsoleKit-x11-0.3.0-8.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-9.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name gray Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr 20 15:33:38 EDT 2009 x86_64 x86_64 Alert Count 9 First Seen Thu 23 Apr 2009 03:55:23 PM CDT Last Seen Tue 28 Apr 2009 04:52:47 PM CDT Local ID 93d6261d-88da-4ca0-9328-743e29739a13 Line Numbers Raw Audit Messages node=gray type=AVC msg=audit(1240955567.631:44): avc: denied { search } for pid=1938 comm="ck-get-x11-serv" name="gdm" dev=dm-0 ino=263869 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir node=gray type=SYSCALL msg=audit(1240955567.631:44): arch=c000003e syscall=21 success=no exit=-13 a0=7fff62086fab a1=4 a2=0 a3=7fff62083710 items=0 ppid=1937 pid=1938 auid=4294967295 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

I have tried the fixes. I still see the same sealerts :(

touch, reboot autorelabel.

I have booted in permissive mode and still see the alerts :(

Should I file a bug here?

Thanks,

Antonio

From olivares14031 at yahoo.com Mon Apr 27 22:12:19 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 27 Apr 2009 15:12:19 -0700 (PDT)
Subject: SELinux is preventing npviewer.bin (nsplugin_t) "unix_read unix_write" unconfined_java_t.
Message-ID: <396292.64924.qm@web52603.mail.re2.yahoo.com>

Just as I sent the other message, I got this one:

Summary:

SELinux is preventing npviewer.bin (nsplugin_t) "unix_read unix_write" unconfined_java_t.

Detailed Description:

SELinux denied access requested by npviewer.bin. It is not expected that this access is required by npviewer.bin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information: Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 3 Target Context unconfined_u:unconfined_r:unconfined_java_t:s0-s0: c0.c1023 Target Objects None [ sem ] Source npviewer.bin Source Path /usr/lib64/nspluginwrapper/npviewer.bin Port Host gray Source RPM Packages nspluginwrapper-1.3.0-5.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-9.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name gray Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr 20 15:33:38 EDT 2009 x86_64 x86_64 Alert Count 2 First Seen Tue 28 Apr 2009 05:08:56 PM CDT Last Seen Tue 28 Apr 2009 05:08:56 PM CDT Local ID 9c2334d3-9938-4dac-9be2-41980e1cdcd4 Line Numbers Raw Audit Messages node=gray type=AVC msg=audit(1240956536.52:59): avc: denied { unix_read unix_write } for pid=4852 comm="npviewer.bin" key=-583345475 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=sem node=gray type=SYSCALL msg=audit(1240956536.52:59): arch=c000003e syscall=64 success=no exit=-13 a0=dd3adabd a1=1 a2=380 a3=7ffffabb11d0 items=0 ppid=3116 pid=4852 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib64/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null) From rchapman at aardvark.com.au Tue Apr 28 01:12:13 2009 From: rchapman at aardvark.com.au (Richard Chapman) Date: Tue, 28 Apr 2009 09:12:13 +0800 Subject: Selinux is denying access to files with the default label, default_t and preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t. 
In-Reply-To: <973443.76091.qm@web52608.mail.re2.yahoo.com>
References: <973443.76091.qm@web52608.mail.re2.yahoo.com>
Message-ID: <49F657ED.5040205@aardvark.com.au>

Hi Antonio

When I first enabled selinux - I had problems getting the system to relabel properly. I had a discussion about it on this thread:

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17914&start=0#forumpost65139

The solution which worked for me is towards the end of this thread. I think I had to update some policy modules before issuing the relabel request. From memory - the problem arose because I upgraded from Centos 5.0 to 5.2 before enabling selinux. I'm running 5.3 now - and selinux is working OK - but I still have some issues with some of my server applications (webmin in particular).

Richard.

Antonio Olivares wrote:
> I'll copy/paste alerts one by one :
>
>
> Summary:
>
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled default_t are being denied. These
> files/directories have the default label on them. This can indicate a labeling
> problem, especially if the files being referred to are not top level
> directories. Any files/directories under standard system directories, /usr,
> /var. /dev, /tmp, ..., should not be labeled with the default label. The default
> label is for files/directories which do not have a label on a parent directory.
> So if you create a new directory in / you might legitimately get this label.
>
> Allowing Access:
>
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon.
In some cases it is just easier to > relabel the system, to relabel execute: "touch /.autorelabel; reboot" > > Additional Information: > > Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 > Target Context system_u:object_r:default_t:s0 > Target Objects .kde [ dir ] > Source kde4-config > Source Path /usr/bin/kde4-config > Port > Host gray > Source RPM Packages kdelibs-4.2.2-9.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.12-9.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name default > Host Name gray > Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr > 20 15:33:38 EDT 2009 x86_64 x86_64 > Alert Count 92 > First Seen Thu 23 Apr 2009 08:34:03 PM CDT > Last Seen Tue 28 Apr 2009 04:52:40 PM CDT > Local ID bfed3a21-1e6d-40ce-bd73-53aaabd164a7 > Line Numbers > > Raw Audit Messages > > node=gray type=AVC msg=audit(1240955560.271:36): avc: denied { search } for pid=1767 comm="kde4-config" name=".kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir > > node=gray type=SYSCALL msg=audit(1240955560.271:36): arch=c000003e syscall=6 success=no exit=-13 a0=6e5e58 a1=7fff38fa1be0 a2=7fff38fa1be0 a3=21 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) > > > > Summary: > > SELinux is preventing access to files with the default label, default_t. > > Detailed Description: > > SELinux permission checks on files labeled default_t are being denied. These > files/directories have the default label on them. This can indicate a labeling > problem, especially if the files being referred to are not top level > directories. Any files/directories under standard system directories, /usr, > /var. /dev, /tmp, ..., should not be labeled with the default label. 
The default > label is for files/directories which do not have a label on a parent directory. > So if you create a new directory in / you might legitimately get this label. > > Allowing Access: > > If you want a confined domain to use these files you will probably need to > relabel the file/directory with chcon. In some cases it is just easier to > relabel the system, to relabel execute: "touch /.autorelabel; reboot" > > Additional Information: > > Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 > Target Context system_u:object_r:default_t:s0 > Target Objects /.kde [ dir ] > Source kde4-config > Source Path /usr/bin/kde4-config > Port > Host gray > Source RPM Packages kdelibs-4.2.2-9.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.12-9.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name default > Host Name gray > Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr > 20 15:33:38 EDT 2009 x86_64 x86_64 > Alert Count 28 > First Seen Thu 23 Apr 2009 08:34:03 PM CDT > Last Seen Tue 28 Apr 2009 04:52:40 PM CDT > Local ID 6da3a105-c4c8-4352-bd0e-3f438b1634a8 > Line Numbers > > Raw Audit Messages > > node=gray type=AVC msg=audit(1240955560.107:34): avc: denied { getattr } for pid=1767 comm="kde4-config" path="/.kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir > > node=gray type=SYSCALL msg=audit(1240955560.107:34): arch=c000003e syscall=6 success=no exit=-13 a0=7fff38fa1c80 a1=7fff38fa1b80 a2=7fff38fa1b80 a3=6d3b20 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) > > > > Summary: > > SELinux is preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t. > > Detailed Description: > > SELinux denied access requested by ck-get-x11-serv. 
It is not expected that this > access is required by ck-get-x11-serv and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 > Target Context system_u:object_r:xdm_var_run_t:s0 > Target Objects gdm [ dir ] > Source ck-get-x11-serv > Source Path /usr/libexec/ck-get-x11-server-pid > Port > Host gray > Source RPM Packages ConsoleKit-x11-0.3.0-8.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.12-9.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name gray > Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr > 20 15:33:38 EDT 2009 x86_64 x86_64 > Alert Count 9 > First Seen Thu 23 Apr 2009 03:55:23 PM CDT > Last Seen Tue 28 Apr 2009 04:52:47 PM CDT > Local ID 93d6261d-88da-4ca0-9328-743e29739a13 > Line Numbers > > Raw Audit Messages > > node=gray type=AVC msg=audit(1240955567.631:44): avc: denied { search } for pid=1938 comm="ck-get-x11-serv" name="gdm" dev=dm-0 ino=263869 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir > > node=gray type=SYSCALL msg=audit(1240955567.631:44): arch=c000003e syscall=21 success=no exit=-13 a0=7fff62086fab a1=4 a2=0 a3=7fff62083710 items=0 ppid=1937 pid=1938 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" 
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
>
>
> I have tried the fixes. I still see the same sealerts :(
>
> touch, reboot autorelabel.
>
> I have booted in permissive mode and still see the alerts :(
>
> Should I file a bug here?
>
> Thanks,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Tue Apr 28 12:22:33 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 28 Apr 2009 08:22:33 -0400
Subject: Selinux is denying access to files with the default label, default_t and preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t.
In-Reply-To: <973443.76091.qm@web52608.mail.re2.yahoo.com>
References: <973443.76091.qm@web52608.mail.re2.yahoo.com>
Message-ID: <49F6F509.70507@redhat.com>

On 04/27/2009 06:10 PM, Antonio Olivares wrote:
> I'll copy/paste alerts one by one :
>
>
> Summary:
>
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled default_t are being denied. These
> files/directories have the default label on them. This can indicate a labeling
> problem, especially if the files being referred to are not top level
> directories. Any files/directories under standard system directories, /usr,
> /var. /dev, /tmp, ..., should not be labeled with the default label. The default
> label is for files/directories which do not have a label on a parent directory.
> So if you create a new directory in / you might legitimately get this label.
>
> Allowing Access:
>
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon.
In some cases it is just easier to > relabel the system, to relabel execute: "touch /.autorelabel; reboot" > > Additional Information: > > Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 > Target Context system_u:object_r:default_t:s0 > Target Objects .kde [ dir ] > Source kde4-config > Source Path /usr/bin/kde4-config > Port > Host gray > Source RPM Packages kdelibs-4.2.2-9.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.12-9.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name default > Host Name gray > Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr > 20 15:33:38 EDT 2009 x86_64 x86_64 > Alert Count 92 > First Seen Thu 23 Apr 2009 08:34:03 PM CDT > Last Seen Tue 28 Apr 2009 04:52:40 PM CDT > Local ID bfed3a21-1e6d-40ce-bd73-53aaabd164a7 > Line Numbers > > Raw Audit Messages > > node=gray type=AVC msg=audit(1240955560.271:36): avc: denied { search } for pid=1767 comm="kde4-config" name=".kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir > > node=gray type=SYSCALL msg=audit(1240955560.271:36): arch=c000003e syscall=6 success=no exit=-13 a0=6e5e58 a1=7fff38fa1be0 a2=7fff38fa1be0 a3=21 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) > > > > Summary: > > SELinux is preventing access to files with the default label, default_t. > > Detailed Description: > > SELinux permission checks on files labeled default_t are being denied. These > files/directories have the default label on them. This can indicate a labeling > problem, especially if the files being referred to are not top level > directories. Any files/directories under standard system directories, /usr, > /var. /dev, /tmp, ..., should not be labeled with the default label. 
The default > label is for files/directories which do not have a label on a parent directory. > So if you create a new directory in / you might legitimately get this label. > > Allowing Access: > > If you want a confined domain to use these files you will probably need to > relabel the file/directory with chcon. In some cases it is just easier to > relabel the system, to relabel execute: "touch /.autorelabel; reboot" > > Additional Information: > > Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 > Target Context system_u:object_r:default_t:s0 > Target Objects /.kde [ dir ] > Source kde4-config > Source Path /usr/bin/kde4-config > Port > Host gray > Source RPM Packages kdelibs-4.2.2-9.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.12-9.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name default > Host Name gray > Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr > 20 15:33:38 EDT 2009 x86_64 x86_64 > Alert Count 28 > First Seen Thu 23 Apr 2009 08:34:03 PM CDT > Last Seen Tue 28 Apr 2009 04:52:40 PM CDT > Local ID 6da3a105-c4c8-4352-bd0e-3f438b1634a8 > Line Numbers > > Raw Audit Messages > > node=gray type=AVC msg=audit(1240955560.107:34): avc: denied { getattr } for pid=1767 comm="kde4-config" path="/.kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir > > node=gray type=SYSCALL msg=audit(1240955560.107:34): arch=c000003e syscall=6 success=no exit=-13 a0=7fff38fa1c80 a1=7fff38fa1b80 a2=7fff38fa1b80 a3=6d3b20 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) > > > > Summary: > > SELinux is preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t. > > Detailed Description: > > SELinux denied access requested by ck-get-x11-serv. 
It is not expected that this > access is required by ck-get-x11-serv and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 > Target Context system_u:object_r:xdm_var_run_t:s0 > Target Objects gdm [ dir ] > Source ck-get-x11-serv > Source Path /usr/libexec/ck-get-x11-server-pid > Port > Host gray > Source RPM Packages ConsoleKit-x11-0.3.0-8.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.12-9.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name gray > Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr > 20 15:33:38 EDT 2009 x86_64 x86_64 > Alert Count 9 > First Seen Thu 23 Apr 2009 03:55:23 PM CDT > Last Seen Tue 28 Apr 2009 04:52:47 PM CDT > Local ID 93d6261d-88da-4ca0-9328-743e29739a13 > Line Numbers > > Raw Audit Messages > > node=gray type=AVC msg=audit(1240955567.631:44): avc: denied { search } for pid=1938 comm="ck-get-x11-serv" name="gdm" dev=dm-0 ino=263869 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir > > node=gray type=SYSCALL msg=audit(1240955567.631:44): arch=c000003e syscall=21 success=no exit=-13 a0=7fff62086fab a1=4 a2=0 a3=7fff62083710 items=0 ppid=1937 pid=1938 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" 
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
>
>
> I have tried the fixes. I still see the same sealerts :(
>
> touch, reboot autorelabel.
>
> I have booted in permissive mode and still see the alerts :(
>
> Should I file a bug here?
>
> Thanks,
>
> Antonio

/.kde is not a labeling problem, it is a bug in kdm that thinks its homedir is /. So it put the .kde directory there and this /.kde got the default_t label. You can change this by executing

# semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
# restorecon -R -v /.kde

The consolekit bug is fixed in the -20 policy package.

From olivares14031 at yahoo.com Tue Apr 28 12:42:03 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 28 Apr 2009 05:42:03 -0700 (PDT)
Subject: Selinux is denying access to files with the default label, default_t and preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t.
In-Reply-To: <49F6F509.70507@redhat.com>
Message-ID: <551032.97580.qm@web52611.mail.re2.yahoo.com>

> /.kde is not a labeling problem, it is a bug in kdm that thinks its
> homedir is /. So it put the .kde directory there and this /.kde got
> the default_t label. You can change this by executing
> # semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
> # restorecon -R -v /.kde
>
> The consolekit bug is fixed in the -20 policy package.

Applied :)

[olivares at gray ~]$ su -
Password:
[root at gray ~]# semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
[root at gray ~]# restorecon -R -v /.kde restorecon reset /.kde context system_u:object_r:default_t:s0->system_u:object_r:xdm_var_run_t:s0 restorecon reset /.kde/share context system_u:object_r:default_t:s0->system_u:object_r:xdm_var_run_t:s0 restorecon reset /.kde/share/config context system_u:object_r:default_t:s0->system_u:object_r:xdm_var_run_t:s0 [root at gray ~]# Thanks for your help. Regards, Antonio From chepkov at yahoo.com Tue Apr 28 13:46:23 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Tue, 28 Apr 2009 06:46:23 -0700 (PDT) Subject: scp only using SELinux Message-ID: <469635.32561.qm@web36806.mail.mud.yahoo.com> Hi, I wonder if it is possible to achieve "scp only" capability for a user just by using SELinux? Basically I want a user to be able to only upload/download files from his home via scp/sftp and nothing else. Thank you. Sincerely yours, Vadym Chepkov From dwalsh at redhat.com Tue Apr 28 16:21:47 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 28 Apr 2009 12:21:47 -0400 Subject: SELinux is preventing npviewer.bin (nsplugin_t) "unix_read unix_write" unconfined_java_t. In-Reply-To: <396292.64924.qm@web52603.mail.re2.yahoo.com> References: <396292.64924.qm@web52603.mail.re2.yahoo.com> Message-ID: <49F72D1B.4060104@redhat.com> On 04/27/2009 06:12 PM, Antonio Olivares wrote: > Just as I sent the other message, I got this one: > > > Summary: > > SELinux is preventing npviewer.bin (nsplugin_t) "unix_read unix_write" > unconfined_java_t. > > Detailed Description: > > SELinux denied access requested by npviewer.bin. It is not expected that this > access is required by npviewer.bin and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. 
> > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 > 3 > Target Context unconfined_u:unconfined_r:unconfined_java_t:s0-s0: > c0.c1023 > Target Objects None [ sem ] > Source npviewer.bin > Source Path /usr/lib64/nspluginwrapper/npviewer.bin > Port > Host gray > Source RPM Packages nspluginwrapper-1.3.0-5.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.12-9.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name gray > Platform Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr > 20 15:33:38 EDT 2009 x86_64 x86_64 > Alert Count 2 > First Seen Tue 28 Apr 2009 05:08:56 PM CDT > Last Seen Tue 28 Apr 2009 05:08:56 PM CDT > Local ID 9c2334d3-9938-4dac-9be2-41980e1cdcd4 > Line Numbers > > Raw Audit Messages > > node=gray type=AVC msg=audit(1240956536.52:59): avc: denied { unix_read unix_write } for pid=4852 comm="npviewer.bin" key=-583345475 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=sem > > node=gray type=SYSCALL msg=audit(1240956536.52:59): arch=c000003e syscall=64 success=no exit=-13 a0=dd3adabd a1=1 a2=380 a3=7ffffabb11d0 items=0 ppid=3116 pid=4852 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib64/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null) > > > > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > 
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Fixed in selinux-policy-3.6.12-24.fc11.noarch
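The three denials in this digest (kde4-config on /.kde, ck-get-x11-serv on the gdm run directory, npviewer.bin on a semaphore owned by unconfined_java_t) are the raw audit records a responder has to triage before deciding between "relabel" and "report a policy bug". The Python below is an added example, written for this page and not taken from the list, from setroubleshoot or from sealert. It parses type=AVC records, joins each one to its type=SYSCALL record by the audit timestamp and serial, and applies the rule of thumb Dan Walsh's replies illustrate: a target labelled default_t (or another unlabeled type) is a labeling problem to fix with semanage fcontext and restorecon, anything else is a policy gap to report against the policy package. The sample lines are copied from the messages above; the function names, the UNLABELED_TYPES set and the triage verdict strings are this example's own choices.

```python
"""Parse and triage SELinux AVC denials from raw audit records.

Added example, not from the list thread or from setroubleshoot. The sample
lines are the raw audit messages quoted in this digest.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<rest>.*)$")
# key=value pairs; values are either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Target types that mean "this object never received a proper label".
UNLABELED_TYPES = {"default_t", "unlabeled_t", "file_t"}


def kv_fields(text: str) -> Dict[str, str]:
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(text)}


def context_type(ctx: Optional[str]) -> Optional[str]:
    """user:role:type[:level] -> type."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line: str) -> Optional[dict]:
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = kv_fields(m.group("rest"))
    return {
        "id": (m.group("ts"), int(m.group("serial"))),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": f.get("comm"),
        "pid": int(f["pid"]) if "pid" in f else None,
        "scontext": f.get("scontext"),
        "tcontext": f.get("tcontext"),
        "stype": context_type(f.get("scontext")),
        "ttype": context_type(f.get("tcontext")),
        "tclass": f.get("tclass"),
        # Files carry path or name; IPC objects such as sem carry a key.
        "target": f.get("path") or f.get("name") or f.get("key"),
        "exe": None, "syscall": None, "success": None,
    }


def parse_audit(lines: List[str]) -> List[dict]:
    """Parse AVC records and join each to its SYSCALL record by audit id."""
    avcs: List[dict] = []
    syscalls: Dict[tuple, Dict[str, str]] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            avcs.append(rec)
            continue
        m = SYSCALL_RE.search(line)
        if m is not None:
            syscalls[(m.group("ts"), int(m.group("serial")))] = kv_fields(m.group("rest"))
    for rec in avcs:
        sc = syscalls.get(rec["id"], {})
        rec["exe"], rec["syscall"], rec["success"] = sc.get("exe"), sc.get("syscall"), sc.get("success")
    return avcs


def triage(rec: dict) -> str:
    """Rule of thumb from the thread: an unlabeled target is a labeling problem
    (semanage fcontext + restorecon, or chcon); anything else is a policy gap
    to report against the policy package rather than silence with audit2allow."""
    if rec["result"] != "denied":
        return "granted"
    if rec["ttype"] in UNLABELED_TYPES:
        return "labeling"
    return "policy"


def summarize(recs: List[dict]) -> Counter:
    """Group denials the way sealert does: source type, target type, class, verdict."""
    return Counter((r["stype"], r["ttype"], r["tclass"], triage(r)) for r in recs)


# Raw audit messages as quoted in this digest (the consolekit SYSCALL record is omitted on purpose).
SAMPLE_LINES = [
    'node=gray type=AVC msg=audit(1240955560.271:36): avc: denied { search } for pid=1767 comm="kde4-config" name=".kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'node=gray type=SYSCALL msg=audit(1240955560.271:36): arch=c000003e syscall=6 success=no exit=-13 a0=6e5e58 a1=7fff38fa1be0 a2=7fff38fa1be0 a3=21 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
    'node=gray type=AVC msg=audit(1240955567.631:44): avc: denied { search } for pid=1938 comm="ck-get-x11-serv" name="gdm" dev=dm-0 ino=263869 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir',
    'node=gray type=AVC msg=audit(1240956536.52:59): avc: denied { unix_read unix_write } for pid=4852 comm="npviewer.bin" key=-583345475 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 tclass=sem',
    'node=gray type=SYSCALL msg=audit(1240956536.52:59): arch=c000003e syscall=64 success=no exit=-13 a0=dd3adabd a1=1 a2=380 a3=7ffffabb11d0 items=0 ppid=3116 pid=4852 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib64/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)',
]

if __name__ == "__main__":
    recs = parse_audit(SAMPLE_LINES)
    for rec in recs:
        print(f"{rec['comm']} ({rec['stype']}) {' '.join(rec['perms'])} on {rec['tclass']} "
              f"{rec['target']} [{rec['ttype']}] exe={rec['exe']} -> {triage(rec)}")
    for key, n in summarize(recs).items():
        print(n, key)
```

The join on (timestamp, serial) is what turns a bare AVC line into something actionable: the SYSCALL record carries the real executable path and the syscall number, which is how the thread's participants could tell kde4-config probing /.kde apart from a genuine intrusion attempt despite the sealert "may signal an intrusion attempt" boilerplate.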