From ekuns at kilroy.chi.il.us Sat Aug 1 04:16:19 2009
From: ekuns at kilroy.chi.il.us (Edward Kuns)
Date: Fri, 31 Jul 2009 23:16:19 -0500
Subject: Many selinux complaints about ps after video card failure caused nouveau to fill /var
Message-ID: <1249100179.4148.22.camel@kilroy.chi.il.us>

I don't know if selinux was misbehaving or was just doing the best it
could on a crippled system. Apparently, my video card failed this
morning, causing nouveau to write 3.5 Gig of logs to /var/log/messages
in a matter of minutes -- the same text over and over and over. This
filled /var. I came upon the computer many hours later. The hard drive
light was flickering, so the computer was busy, but the computer was
basically crashed. Unreachable from the keyboard, unreachable from the
network.

To make a long story short, after I replaced the video card and moved an
enormous /var/log/messages to another partition for later review, then
rebooted, everything came up fine. And the tail end of the logs (when I
started cleaning things up) is full of selinux denials, almost all to
ps. I look at setroubleshoot and it has 50/50 complaints, almost all
about ps running in the context mysqld_safe_t, complaints such as:

SELinux is preventing ps (mysqld_safe_t) "getattr" hald_t.
SELinux is preventing ps (mysqld_safe_t) "getattr" initrc_t.
SELinux is preventing ps (mysqld_safe_t) "getattr" crond_t.

Is it worth my sending the full details for these AVCs to this list, or
is this an expected or understood misbehavior during /var-full
situations? (Or some 3rd option)

Thanks

Eddie

From ekuns at kilroy.chi.il.us Sun Aug 2 20:39:50 2009
From: ekuns at kilroy.chi.il.us (Edward Kuns)
Date: Sun, 02 Aug 2009 15:39:50 -0500
Subject: semodule returns "cannot allocate memory" --
Message-ID: <1249245590.3733.25.camel@kilroy.chi.il.us>

A module previously loaded disappeared when I had to totally reload
policy from scratch on a Fedora 8 -> 11 upgrade.
By "totally reload" I mean:

# cd /etc/selinux/targeted
# mv modules modules.old
# yum erase selinux-policy selinux-policy-targeted
# yum install selinux-policy selinux-policy-targeted

The above fixed my corrupted policy that nothing else appeared to be able
to fix, but I forgot to reload some custom modules that I have locally,
only one of which seems to be needed today (for mailman). Today I tried
to reload this custom module and I got:

So I tried to reload it:

[root at kilroy policy]# semodule -i mymailman.pp
SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
/usr/sbin/load_policy: Can't load policy: Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
/usr/sbin/load_policy: Can't load policy: Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!

I rebooted and tried again to the same result. I currently have
selinux-policy (and -targeted) 3.6.12-69.fc11.

Well, I tried the above again (move and reinstall of policy) and got the
following failure on the reinstall:

  Installing     : selinux-policy-3.6.12-69.fc11.noarch                 1/4
  Installing     : selinux-policy-targeted-3.6.12-69.fc11.noarch        2/4
SELinux: Could not load policy file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
/usr/sbin/load_policy: Can't load policy: Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/policy.kern to /etc/selinux/targeted/policy/policy.24. (No such file or directory).
semodule: Failed!
  Installing     : setroubleshoot-2.1.14-2.fc11.i586                    3/4
  Installing     : policycoreutils-gui-2.0.62-12.12.fc11.i586           4/4

So now I think I'm worse off than before. How do I fix this?
By the way, this server has 4 GB memory, so it's hard to believe I'm
truly out of memory. Also, swap is not being used. But if I look in
/var/log/messages, I see the following:

vmap allocation for size 3801088 failed: use vmalloc= to increase size.

How do I fix this, and just how bad is my selinux messed up?

Thanks

Eddie

From ekuns at kilroy.chi.il.us Sun Aug 2 22:06:34 2009
From: ekuns at kilroy.chi.il.us (Edward Kuns)
Date: Sun, 02 Aug 2009 17:06:34 -0500
Subject: FIXED Re: semodule returns "cannot allocate memory"
In-Reply-To: <1249245590.3733.25.camel@kilroy.chi.il.us>
References: <1249245590.3733.25.camel@kilroy.chi.il.us>
Message-ID: <1249250794.3966.21.camel@kilroy.chi.il.us>

On Sun, 2009-08-02 at 15:39 -0500, Edward Kuns wrote:
> [root at kilroy policy]# semodule -i mymailman.pp
> SELinux: Could not load policy
> file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
> /usr/sbin/load_policy: Can't load policy: Cannot allocate memory
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> SELinux: Could not load policy
> file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
> /usr/sbin/load_policy: Can't load policy: Cannot allocate memory
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> semodule: Failed!

I managed to fix this myself. I edited grub.conf and added the
following to the end of my kernel's line:

vmalloc=192M

then rebooted. After rebooting I thoroughly cleaned things out:

# cd /etc/selinux
# yum erase selinux-policy selinux-policy-targeted
# mv targeted targeted.old
# yum install selinux-policy selinux-policy-targeted setroubleshoot \
    policycoreutils-gui

and this time it worked and installed cleanly. I was then able to go
add my two custom policies.

I recently changed video cards (since the old one blew itself up) and
since nouveau misbehaved so badly in this instance and then again with
the new video card, I changed back to the nvidia drivers.
I suppose this could have caused my system to make greater use of the
"vmalloc" area. But does this indicate that policy is getting too large?
Or does this indicate that something is funny with my system? Or perhaps
that more and more people are going to be running into the default 128M
limit and this needs to be raised?

Thanks

Eddie

From ekuns at kilroy.chi.il.us Sun Aug 2 23:03:23 2009
From: ekuns at kilroy.chi.il.us (Edward Kuns)
Date: Sun, 02 Aug 2009 18:03:23 -0500
Subject: Did cert_t go away for /var/named/chroot/etc/pki?
Message-ID: <1249254203.3966.32.camel@kilroy.chi.il.us>

Due to the problems I've described recently, I fully reloaded my selinux
policy and finally did a full relabel. During this relabel, I saw
things such as the following:

restorecon reset /var/named/chroot/etc/pki/dnssec-keys/harvest/time.gov.conf context system_u:object_r:cert_t:s0->system_u:object_r:etc_t:s0

and when I run system-config-selinux and go to "File labeling" and
search for pki, indeed I only see pki in the two following file specs:

/etc/pki(/.*)?
/etc/pki/dovecot(/.*)?

The policy currently installed is:

selinux-policy-3.6.12-69.fc11.noarch
selinux-policy-targeted-3.6.12-69.fc11.noarch

Am I missing something? Is this an expected change?

Thanks

Eddie

From sradvan at redhat.com Mon Aug 3 00:20:55 2009
From: sradvan at redhat.com (Scott Radvan)
Date: Mon, 3 Aug 2009 10:20:55 +1000
Subject: spamassassin transition
Message-ID: <20090803102055.752c05be@redhat.com>

Hi,

Working on the Postfix chapter in my SELinux managing confined services
book [0] and am having trouble with Postfix/spamassassin.

I have got email traversing back and forth just fine, but I am trying to
invoke a denial or a problem for which I can document the work-around.
spamassassin_can_network seems to be a good Boolean to explain, show
the denial and then show the work-around for.
This Boolean is off by default, which as far as I can tell would stop
spamassassin from launching as a daemon listening on the machine's
actual IP/interface.

But my problem is that it is launching without a problem and listening
on the machine's interface without error. I am assuming that it is
working fine because the spamassassin processes are only launching as
initrc_t, when it should be transitioning to something else..?

# ps -eZ | grep spamd
unconfined_u:system_r:initrc_t:s0 3085 ?        00:00:01 spamd
unconfined_u:system_r:initrc_t:s0 3087 ?        00:00:00 spamd
unconfined_u:system_r:initrc_t:s0 3088 ?        00:00:00 spamd

# ls -lZ /etc/init.d/spamassassin
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/spamassassin

(I tried labelling this differently to this default setting, to
spamd_initrc_exec_t, but to no avail.)

# getsebool -a | grep spam
spamassassin_can_network --> off
spamd_enable_home_dirs --> on

Basically I need to make sure spamassassin is starting normally so that
the Boolean mentioned will block access. So any help is appreciated,
should spamassassin as a daemon transition to something other than
initrc_t? And how do I get it to do so?

Or am I going down the wrong track to get this Boolean which is off by
default to do something which I can demonstrate and fix?

Thank you,

--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com

From domg472 at gmail.com Mon Aug 3 08:05:47 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 03 Aug 2009 10:05:47 +0200
Subject: spamassassin transition
In-Reply-To: <20090803102055.752c05be@redhat.com>
References: <20090803102055.752c05be@redhat.com>
Message-ID: <1249286747.11027.9.camel@notebook2.grift.internal>

On Mon, 2009-08-03 at 10:20 +1000, Scott Radvan wrote:
> Hi,
>
>
> Working on the Postfix chapter in my SELinux managing confined services
> book [0] and am having trouble with Postfix/spamassassin.
>
> I have got email traversing back and forth just fine, but I am trying to
> invoke a denial or a problem for which I can document the work-around.
> spamassassin_can_network seems to be a good Boolean to explain, show
> the denial and then show the work-around for.
>
> This Boolean is off by default, which as far as I can tell would stop
> spamassassin from launching as a daemon listening on the machine's
> actual IP/interface.
>
> But my problem is that it is launching without a problem and listening
> on the machine's interface without error. I am assuming that it is
> working fine because the spamassassin processes are only launching as
> initrc_t, when it should be transitioning to something else..?
>
> # ps -eZ | grep spamd
> unconfined_u:system_r:initrc_t:s0 3085 ?        00:00:01 spamd
> unconfined_u:system_r:initrc_t:s0 3087 ?        00:00:00 spamd
> unconfined_u:system_r:initrc_t:s0 3088 ?        00:00:00 spamd
>
> # ls -lZ /etc/init.d/spamassassin
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/spamassassin
>
> (I tried labelling this differently to this default setting, to
> spamd_initrc_exec_t, but to no avail.)
>
> # getsebool -a | grep spam
> spamassassin_can_network --> off
> spamd_enable_home_dirs --> on
>
> Basically I need to make sure spamassassin is starting normally so that
> the Boolean mentioned will block access. So any help is appreciated,
> should spamassassin as a daemon transition to something other than
> initrc_t? And how do I get it to do so?
>
> Or am I going down the wrong track to get this Boolean which is off by
> default to do something which I can demonstrate and fix?
>
> Thank you,

Not sure but probably a bug. This is an application domain. I cannot
find an init_daemon_domain declaration, meaning initrc_t does not
transition. There is a spamassassin_role() in the interface file with a
transition defined for users however this interface is probably not
called by the user domains.
hth

So first see if you can get it to run in its domain by restoring the
locations mentioned under contexts. If that does

From fdsubs at t-online.hu Mon Aug 3 08:13:33 2009
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Mon, 3 Aug 2009 10:13:33 +0200
Subject: spamassassin transition
In-Reply-To: <20090803102055.752c05be@redhat.com>
References: <20090803102055.752c05be@redhat.com>
Message-ID: <5521B9DA-B683-4AF6-90F6-07CFF502557E@t-online.hu>

On Aug 3, 2009, at 02:20, Scott Radvan wrote:

> spamassassin_can_network seems to be a good Boolean to explain, show
> the denial and then show the work-around for.
> This Boolean is off by default, which as far as I can tell would
> stop spamassassin from launching as a daemon listening on the
> machine's actual IP/interface.

I thought spamassassin_can_network was for allowing SpamAssassin to
access various online services, such as Razor2 or Pyzor, for more
accurate spam detection.

From domg472 at gmail.com Mon Aug 3 08:25:16 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 03 Aug 2009 10:25:16 +0200
Subject: spamassassin transition
In-Reply-To: <5521B9DA-B683-4AF6-90F6-07CFF502557E@t-online.hu>
References: <20090803102055.752c05be@redhat.com>
	<5521B9DA-B683-4AF6-90F6-07CFF502557E@t-online.hu>
Message-ID: <1249287916.11027.14.camel@notebook2.grift.internal>

On Mon, 2009-08-03 at 10:13 +0200, Daniel Fazekas wrote:
> On Aug 3, 2009, at 02:20, Scott Radvan wrote:
>
> > spamassassin_can_network seems to be a good Boolean to explain, show
> > the denial and then show the work-around for.
> > This Boolean is off by default, which as far as I can tell would
> > stop spamassassin from launching as a daemon listening on the
> > machine's actual IP/interface.
>
> I thought spamassassin_can_network was for allowing SpamAssassin to
> access various online services, such as Razor2 or Pyzor, for more
> accurate spam detection.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

basically it allows spamassassin_t to connect to any tcp port and
sendrecv udp.

# set tunable if you have spamassassin do DNS lookups
tunable_policy(`spamassassin_can_network',`
	allow spamassassin_t self:tcp_socket create_stream_socket_perms;
	allow spamassassin_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(spamassassin_t)
	corenet_all_recvfrom_netlabel(spamassassin_t)
	corenet_tcp_sendrecv_generic_if(spamassassin_t)
	corenet_udp_sendrecv_generic_if(spamassassin_t)
	corenet_tcp_sendrecv_generic_node(spamassassin_t)
	corenet_udp_sendrecv_generic_node(spamassassin_t)
	corenet_tcp_sendrecv_all_ports(spamassassin_t)
	corenet_udp_sendrecv_all_ports(spamassassin_t)
	corenet_tcp_connect_all_ports(spamassassin_t)
	corenet_sendrecv_all_client_packets(spamassassin_t)
	corenet_udp_bind_generic_node(spamassassin_t)

	sysnet_read_config(spamassassin_t)
')

hth

From mgrepl at redhat.com Mon Aug 3 08:27:41 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Mon, 03 Aug 2009 10:27:41 +0200
Subject: Did cert_t go away for /var/named/chroot/etc/pki?
In-Reply-To: <1249254203.3966.32.camel@kilroy.chi.il.us>
References: <1249254203.3966.32.camel@kilroy.chi.il.us>
Message-ID: <4A769F7D.1060103@redhat.com>

On 08/03/2009 01:03 AM, Edward Kuns wrote:
> Due to the problems I've described recently, I fully reloaded my selinux
> policy and finally did a full relabel.
> During this relabel, I saw
> things such as the following:
>
> restorecon
> reset /var/named/chroot/etc/pki/dnssec-keys/harvest/time.gov.conf
> context system_u:object_r:cert_t:s0->system_u:object_r:etc_t:s0
>
> and when I run system-config-selinux and go to "File labeling" and
> search for pki, indeed I only see pki in the two following file specs:
>
> /etc/pki(/.*)?
> /etc/pki/dovecot(/.*)?
>
> The policy currently installed is:
>
> selinux-policy-3.6.12-69.fc11.noarch
> selinux-policy-targeted-3.6.12-69.fc11.noarch
>
> Am I missing something? Is this an expected change?
>
> Thanks
>
> Eddie
>

Eddie,

I have a fix for this in selinux-policy-3.6.12-72.fc11

Regards,
Miroslav

From dwalsh at redhat.com Mon Aug 3 11:40:10 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Aug 2009 07:40:10 -0400
Subject: FIXED Re: semodule returns "cannot allocate memory"
In-Reply-To: <1249250794.3966.21.camel@kilroy.chi.il.us>
References: <1249245590.3733.25.camel@kilroy.chi.il.us>
	<1249250794.3966.21.camel@kilroy.chi.il.us>
Message-ID: <4A76CC9A.7060705@redhat.com>

On 08/02/2009 06:06 PM, Edward Kuns wrote:
> On Sun, 2009-08-02 at 15:39 -0500, Edward Kuns wrote:
>> [root at kilroy policy]# semodule -i mymailman.pp
>> SELinux: Could not load policy
>> file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
>> /usr/sbin/load_policy: Can't load policy: Cannot allocate memory
>> libsemanage.semanage_reload_policy: load_policy returned error code 2.
>> SELinux: Could not load policy
>> file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
>> /usr/sbin/load_policy: Can't load policy: Cannot allocate memory
>> libsemanage.semanage_reload_policy: load_policy returned error code 2.
>> semodule: Failed!
>
> I managed to fix this myself.
> I edited grub.conf and added the
> following to the end of my kernel's line:
>
> vmalloc=192M
>
> then rebooted. After rebooting I thoroughly cleaned things out:
>
> # cd /etc/selinux
> # yum erase selinux-policy selinux-policy-targeted
> # mv targeted targeted.old
> # yum install selinux-policy selinux-policy-targeted setroubleshoot \
>     policycoreutils-gui
>
> and this time it worked and installed cleanly. I was then able to go
> add my two custom policies.
>
> I recently changed video cards (since the old one blew itself up) and
> since nouveau misbehaved so badly in this instance and then again with
> the new video card, I changed back to the nvidia drivers. I suppose
> this could have caused my system to make greater use of the "vmalloc"
> area. But does this indicate that policy is getting too large? Or does
> this indicate that something is funny with my system? Or perhaps that
> more and more people are going to be running into the default 128M limit
> and this needs to be raised?
>
semodule is now compressing the policy at install time, so this is using
more memory than it did before. The size of policy has grown, but not to
the extent to cause huge problems.

> Thanks
>
> Eddie
>

From dwalsh at redhat.com Mon Aug 3 11:42:12 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Aug 2009 07:42:12 -0400
Subject: ausearch and terminal
In-Reply-To: <545007.19465.qm@web36802.mail.mud.yahoo.com>
References: <545007.19465.qm@web36802.mail.mud.yahoo.com>
Message-ID: <4A76CD14.30804@redhat.com>

On 07/31/2009 08:55 AM, Vadym Chepkov wrote:
> I figured it out, apparently you have to add switch --input-logs, when
> you run it from cron. Don't ask me why, I am puzzled myself.
>
> Sincerely yours,
> Vadym Chepkov
>
>
> --- On Fri, 7/31/09, Daniel J Walsh wrote:
>
>> From: Daniel J Walsh
>> Subject: Re: ausearch and terminal
>> To: "Vadym Chepkov"
>> Cc: "Fedora SELinux"
>> Date: Friday, July 31, 2009, 8:42 AM
>> On 07/30/2009 10:38 PM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> I observe a very strange behavior of the ausearch utility.
>>> audit-1.7.7-6.el5_3.3
>>>
>>> # cat /root/bin/autest.sh
>>> /sbin/ausearch -m avc| wc -l
>>>
>>> If I run it, I get expected results:
>>>
>>> # /root/bin/autest.sh
>>> 1563
>>>
>>> But if I run it from cron, I get this in e-mail:
>>>
>>>
>>> 0
>>>
>>> Why??
>>>
>>> Sincerely yours,
>>> Vadym Chepkov
>>>
>> Is cron being denied the ability to read the
>> audit.log? Look for an AVC.
>>
>

Steve Grubb can explain.

From dwalsh at redhat.com Mon Aug 3 12:07:06 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 03 Aug 2009 08:07:06 -0400
Subject: Many selinux complaints about ps after video card failure caused nouveau to fill /var
In-Reply-To: <1249100179.4148.22.camel@kilroy.chi.il.us>
References: <1249100179.4148.22.camel@kilroy.chi.il.us>
Message-ID: <4A76D2EA.9070602@redhat.com>

On 08/01/2009 12:16 AM, Edward Kuns wrote:
> I don't know if selinux was misbehaving or was just doing the best it
> could on a crippled system. Apparently, my video card failed this
> morning, causing nouveau to write 3.5 Gig of logs to /var/log/messages
> in a matter of minutes -- the same text over and over and over. This
> filled /var. I came upon the computer many hours later. The hard drive
> light was flickering, so the computer was busy, but the computer was
> basically crashed.
> Unreachable from the keyboard, unreachable from the
> network.
>
> To make a long story short, after I replaced the video card and moved an
> enormous /var/log/messages to another partition for later review, then
> rebooted, everything came up fine. And the tail end of the logs (when I
> started cleaning things up) is full of selinux denials, almost all to
> ps. I look at setroubleshoot and it has 50/50 complaints, almost all
> about ps running in the context mysqld_safe_t, complaints such as:
>
> SELinux is preventing ps (mysqld_safe_t) "getattr" hald_t.
> SELinux is preventing ps (mysqld_safe_t) "getattr" initrc_t.
> SELinux is preventing ps (mysqld_safe_t) "getattr" crond_t.
>
> Is it worth my sending the full details for these AVCs to this list, or
> is this an expected or understood misbehavior during /var-full
> situations? (Or some 3rd option)
>
> Thanks
>
> Eddie
>

It probably should be allowed. Adding

domain_getattr_all_domains(mysqld_safe_t)

To Rawhide.

From chepkov at yahoo.com Mon Aug 3 13:25:59 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Mon, 3 Aug 2009 06:25:59 -0700 (PDT)
Subject: add a transition rule
In-Reply-To: <4A6F0147.9030606@city-fan.org>
Message-ID: <266056.87225.qm@web36803.mail.mud.yahoo.com>

Hi,

My policy is very simplistic

local.te

apache_content_template(svn)
domain_auto_trans(httpd_svn_script_t, sendmail_exec_t, sendmail_t)

local.fc

# svn
/var/svn(/.*)?                  gen_context(system_u:object_r:httpd_svn_script_ro_t,s0)
/var/svn/(.*/)?hooks(/.*)?      gen_context(system_u:object_r:httpd_svn_script_exec_t,s0)
/var/svn/(.*/)?dav(/.*)?        gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?locks(/.*)?      gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)
/var/svn/(.*/)?db(/.*)?         gen_context(system_u:object_r:httpd_svn_script_rw_t,s0)

Works well

Sincerely yours,
Vadym Chepkov

--- On Tue, 7/28/09, Paul Howarth wrote:

> From: Paul Howarth
> Subject: Re: add a transition rule
> To: "Vadym Chepkov"
> Cc: "Fedora SELinux"
> Date: Tuesday, July 28, 2009, 9:46 AM
> Hi Vadym,
>
> On 19/07/09 04:35, Vadym Chepkov wrote:
> > I have a script, executed by apache, which is running
> > in httpd_svn_script_t domain. This script calls
> > svn-mailer(bin_t) which in turn calls
> > /usr/sbin/sendmail.sendmail(sendmail_exec_t) and since there
> > is no transition defined, sendmail still runs in
> > httpd_svn_script_t and I get humongous amount of avc's. What
> > would be the proper rule to add to the local policy to make
> > sendmail running in the proper domain, sendmail_t?
> > And for that matter if httpd_can_sendmail --> on,
> > shouldn't it be happening automatically? Thank you.
> >
> > Sincerely yours,
> > Vadym Chepkov
>
> I'm just back off vacation and saw your email. Funnily
> enough I wrote an svnmailer policy a few weeks ago, so it
> would be interesting to compare notes:
>
> I've actually split it into two modules, svnmailer for the
> policy itself, and svnmailer-extras for additional
> interfaces needed in other policy modules. I find this
> arrangement is easier to manage when getting policy merged
> upstream.
>
> I made my hook scripts httpd_sys_script_exec_t and
> transition from there to httpd_svnmailer_script_t via a
> domtrans. The svn repository itself is
> httpd_sys_content_rw_t.
>
> Paul.
From chepkov at yahoo.com Mon Aug 3 13:31:31 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Mon, 3 Aug 2009 06:31:31 -0700 (PDT)
Subject: spamassassin transition
In-Reply-To: <20090803102055.752c05be@redhat.com>
Message-ID: <564044.91153.qm@web36803.mail.mud.yahoo.com>

I filed a bugzilla report about it,
https://bugzilla.redhat.com/show_bug.cgi?id=509644

Sincerely yours,
Vadym Chepkov

--- On Sun, 8/2/09, Scott Radvan wrote:

> From: Scott Radvan
> Subject: spamassassin transition
> To: fedora-selinux-list at redhat.com
> Date: Sunday, August 2, 2009, 8:20 PM
> Hi,
>
>
> Working on the Postfix chapter in my SELinux managing confined services
> book [0] and am having trouble with Postfix/spamassassin.
>
> I have got email traversing back and forth just fine, but I am trying to
> invoke a denial or a problem for which I can document the work-around.
> spamassassin_can_network seems to be a good Boolean to explain, show
> the denial and then show the work-around for.
>
> This Boolean is off by default, which as far as I can tell would stop
> spamassassin from launching as a daemon listening on the machine's
> actual IP/interface.
>
> But my problem is that it is launching without a problem and listening
> on the machine's interface without error. I am assuming that it is
> working fine because the spamassassin processes are only launching as
> initrc_t, when it should be transitioning to something else..?
>
> # ps -eZ | grep spamd
> unconfined_u:system_r:initrc_t:s0 3085 ?        00:00:01 spamd
> unconfined_u:system_r:initrc_t:s0 3087 ?        00:00:00 spamd
> unconfined_u:system_r:initrc_t:s0 3088 ?        00:00:00 spamd
>
> # ls -lZ /etc/init.d/spamassassin
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/spamassassin
>
> (I tried labelling this differently to this default setting, to
> spamd_initrc_exec_t, but to no avail.)
>
> # getsebool -a | grep spam
> spamassassin_can_network --> off
> spamd_enable_home_dirs --> on
>
> Basically I need to make sure spamassassin is starting normally so that
> the Boolean mentioned will block access. So any help is appreciated,
> should spamassassin as a daemon transition to something other than
> initrc_t? And how do I get it to do so?
>
> Or am I going down the wrong track to get this Boolean which is off by
> default to do something which I can demonstrate and fix?
>
> Thank you,
>
> --
> Scott Radvan
> Content Author, Platform (Installation and Deployment)
> Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com
>

From chepkov at yahoo.com Mon Aug 3 14:23:24 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Mon, 3 Aug 2009 07:23:24 -0700 (PDT)
Subject: relabel after policy update
Message-ID: <78050.30516.qm@web36802.mail.mud.yahoo.com>

Hi,

I wonder whether I have to relabel the system after each policy update;
it seems rpm doesn't do a good job:

# restorecon -vR /usr
restorecon reset /usr/bin/pyzord context system_u:object_r:spamd_exec_t:s0->system_u:object_r:pyzord_exec_t:s0
restorecon reset /usr/bin/razor-report context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/razor-admin context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/razor-check context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/razor-client context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/razor-revoke context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/pyzor context system_u:object_r:spamc_exec_t:s0->system_u:object_r:pyzor_exec_t:s0

Sincerely yours,
Vadym Chepkov

From dwalsh at redhat.com Tue Aug 4 11:08:47 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 04 Aug 2009 07:08:47 -0400
Subject: relabel after policy update
In-Reply-To: <78050.30516.qm@web36802.mail.mud.yahoo.com>
References: <78050.30516.qm@web36802.mail.mud.yahoo.com>
Message-ID: <4A7816BF.4090406@redhat.com>

On 08/03/2009 10:23 AM, Vadym Chepkov wrote:
> Hi,
>
> I wonder whether I have to relabel the system after each policy update;
> it seems rpm doesn't do a good job:
>
> # restorecon -vR /usr
> restorecon reset /usr/bin/pyzord context system_u:object_r:spamd_exec_t:s0->system_u:object_r:pyzord_exec_t:s0
> restorecon reset /usr/bin/razor-report context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
> restorecon reset /usr/bin/razor-admin context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
> restorecon reset /usr/bin/razor-check context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
> restorecon reset /usr/bin/razor-client context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
> restorecon reset /usr/bin/razor-revoke context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
> restorecon reset /usr/bin/pyzor context system_u:object_r:spamc_exec_t:s0->system_u:object_r:pyzor_exec_t:s0
>
>
> Sincerely yours,
> Vadym Chepkov
>

These are aliases in SELinux policy. restorecon is a little confused in
seeing them as different. So no, you should not need to run restorecon;
rpm usually runs a minimal one in the post install of the selinux-policy
update anyways.
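An added example, not code from the thread: a small triage script for `restorecon -v` output that separates resets where only the alias name changed (the spamd/spamc cases above, which Dan says are noise) from resets that change the effective type (the cert_t to etc_t case from the earlier thread, which is worth a look). The ALIASES table is an assumption built from the type pairs quoted in the thread; on a live system it should be read from the loaded policy rather than hard-coded.

```python
"""Triage `restorecon -v` output into alias-only renames and real relabels."""
import re
from collections import Counter, namedtuple

# Assumed alias table (alias name -> primary type), built from the pairs the
# thread shows. Hard-coded here so the example runs offline; a real tool
# would read the aliases from the active policy.
ALIASES = {
    "pyzord_exec_t": "spamd_exec_t",
    "razor_exec_t": "spamc_exec_t",
    "pyzor_exec_t": "spamc_exec_t",
}

# Constructed sample: three lines from the restorecon -vR /usr run above, the
# cert_t -> etc_t reset from the earlier thread, and one non-reset line the
# parser must skip.
SAMPLE_OUTPUT = """\
restorecon reset /usr/bin/pyzord context system_u:object_r:spamd_exec_t:s0->system_u:object_r:pyzord_exec_t:s0
restorecon reset /usr/bin/razor-report context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/pyzor context system_u:object_r:spamc_exec_t:s0->system_u:object_r:pyzor_exec_t:s0
restorecon reset /var/named/chroot/etc/pki/dnssec-keys/harvest/time.gov.conf context system_u:object_r:cert_t:s0->system_u:object_r:etc_t:s0
restorecon:  lstat(/tmp/gone) failed:  No such file or directory
"""

Reset = namedtuple("Reset", "path old_type new_type kind")

# "restorecon reset <path> context <old>-><new>"; the path is matched
# non-greedily so a path containing spaces still parses.
RESET_RE = re.compile(
    r"^restorecon reset (?P<path>.+?) context (?P<old>\S+)->(?P<new>\S+)$"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def canonical(type_name, aliases):
    """Map an alias to its primary type; non-aliases map to themselves."""
    return aliases.get(type_name, type_name)


def parse_reset(line, aliases):
    """Parse one restorecon line; return a Reset, or None for other lines."""
    m = RESET_RE.match(line.rstrip())
    if not m:
        return None
    old_t = context_type(m.group("old"))
    new_t = context_type(m.group("new"))
    # Same primary type on both sides means only the alias name changed:
    # the access decisions for the file are identical before and after.
    if canonical(old_t, aliases) == canonical(new_t, aliases):
        kind = "alias"
    else:
        kind = "relabel"
    return Reset(m.group("path"), old_t, new_t, kind)


def triage(output, aliases=ALIASES):
    """Return Reset records for every reset line in the given output."""
    rows = []
    for line in output.splitlines():
        rec = parse_reset(line, aliases)
        if rec is not None:
            rows.append(rec)
    return rows


def summarize(rows):
    """Count records per kind, e.g. {'alias': 3, 'relabel': 1}."""
    return dict(Counter(r.kind for r in rows))


if __name__ == "__main__":
    rows = triage(SAMPLE_OUTPUT)
    for r in rows:
        print("%-7s %s  %s -> %s" % (r.kind, r.path, r.old_type, r.new_type))
    print(summarize(rows))
```

Feed it the saved output of `restorecon -vR <dir>` and only the "relabel" rows need a human look.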
From domg472 at gmail.com Tue Aug 4 12:30:47 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 04 Aug 2009 14:30:47 +0200
Subject: Some AVC denials to consider:
Message-ID: <4A7829F7.9000703@gmail.com>

dev_rw_generic_files(NetworkManager_t)

allow consoletype_t device_t:file { read getattr ioctl };

xserver_rw_xdm_home_files(staff_dbusd_t)

allow staff_t staff_screen_t:process sigchld;
allow staff_t print_spool_t:dir getattr;
allow staff_t screen_var_run_t:fifo_file read;
dev_rw_dri(staff_t)

allow ifconfig_t device_t:file read;

allow mount_t dgrift_t:unix_stream_socket { read write };

allow nscd_t device_t:file read;

allow ifconfig_t device_t:file read;

allow mount_t dgrift_t:unix_stream_socket { read write };

allow nscd_t device_t:file read;

term_use_console(portreserve_t)

allow readahead_t proc_kcore_t:file getattr;
allow readahead_ self:capability net_admin;

allow rpcbind_t self:udp_socket listen;

allow xdm_dbusd_t xdm_var_lib_t:dir search;

dev_rw_generic_files(auditctl_t)

allow readahead_t self:capability net_admin;
fs_rw_tmpfs_chr_files(readahead_t)

fprintd_dbus_chat(staff_sudo_t)

fprintd_dbus_chat(staff_t)

fprintd_dbus_chat(fprintd_t)

From mgrepl at redhat.com Tue Aug 4 12:37:42 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Tue, 04 Aug 2009 14:37:42 +0200
Subject: Some AVC denials to consider:
In-Reply-To: <4A7829F7.9000703@gmail.com>
References: <4A7829F7.9000703@gmail.com>
Message-ID: <4A782B96.8000900@redhat.com>

On 08/04/2009 02:30 PM, Dominick Grift wrote:
> dev_rw_generic_files(NetworkManager_t)
> allow consoletype_t device_t:file { read getattr ioctl };
> xserver_rw_xdm_home_files(staff_dbusd_t)
> allow staff_t staff_screen_t:process sigchld;
> allow staff_t print_spool_t:dir getattr;
> allow staff_t screen_var_run_t:fifo_file read;
> dev_rw_dri(staff_t)
> allow ifconfig_t device_t:file read;
> allow mount_t dgrift_t:unix_stream_socket { read write };
> allow nscd_t device_t:file read;
> allow ifconfig_t device_t:file read;
> allow mount_t dgrift_t:unix_stream_socket { read write };
> allow nscd_t device_t:file read;
> term_use_console(portreserve_t)
> allow readahead_t proc_kcore_t:file getattr;
> allow readahead_ self:capability net_admin;
> allow rpcbind_t self:udp_socket listen;
> allow xdm_dbusd_t xdm_var_lib_t:dir search;
> dev_rw_generic_files(auditctl_t)
> allow readahead_t self:capability net_admin;
> fs_rw_tmpfs_chr_files(readahead_t)
> fprintd_dbus_chat(staff_sudo_t)
> fprintd_dbus_chat(staff_t)
> fprintd_dbus_chat(fprintd_t)

What version of selinux-policy ?

Regards,
Miroslav

From domg472 at gmail.com Tue Aug 4 12:40:56 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 04 Aug 2009 14:40:56 +0200
Subject: Some AVC denials to consider:
In-Reply-To: <4A782B96.8000900@redhat.com>
References: <4A7829F7.9000703@gmail.com> <4A782B96.8000900@redhat.com>
Message-ID: <4A782C58.9010702@gmail.com>

On 08/04/2009 02:37 PM, Miroslav Grepl wrote:
> On 08/04/2009 02:30 PM, Dominick Grift wrote:
>> dev_rw_generic_files(NetworkManager_t)
>> allow consoletype_t device_t:file { read getattr ioctl };
>> xserver_rw_xdm_home_files(staff_dbusd_t)
>> allow staff_t staff_screen_t:process sigchld;
>> allow staff_t print_spool_t:dir getattr;
>> allow staff_t screen_var_run_t:fifo_file read;
>> dev_rw_dri(staff_t)
>> allow ifconfig_t device_t:file read;
>> allow mount_t dgrift_t:unix_stream_socket { read write };
>> allow nscd_t device_t:file read;
>> allow ifconfig_t device_t:file read;
>> allow mount_t dgrift_t:unix_stream_socket { read write };
>> allow nscd_t device_t:file read;
>> term_use_console(portreserve_t)
>> allow readahead_t proc_kcore_t:file getattr;
>> allow readahead_ self:capability net_admin;
>> allow rpcbind_t self:udp_socket listen;
>> allow xdm_dbusd_t xdm_var_lib_t:dir search;
>> dev_rw_generic_files(auditctl_t)
>> allow readahead_t self:capability net_admin;
>> fs_rw_tmpfs_chr_files(readahead_t)
>> fprintd_dbus_chat(staff_sudo_t)
>> fprintd_dbus_chat(staff_t)
>> fprintd_dbus_chat(fprintd_t)
> What version of selinux-policy ?
>
> Regards,
> Miroslav

selinux-policy-targeted-3.6.12-69.fc11.noarch
selinux-policy-3.6.12-69.fc11.noarch

on a clean fedora 11 installation (note: semodule -DB could have been enabled/ not in permissive mode)

From domg472 at gmail.com Tue Aug 4 12:48:21 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 04 Aug 2009 14:48:21 +0200
Subject: Some AVC denials to consider:
In-Reply-To: <4A782C58.9010702@gmail.com>
References: <4A7829F7.9000703@gmail.com> <4A782B96.8000900@redhat.com> <4A782C58.9010702@gmail.com>
Message-ID: <4A782E15.5080100@gmail.com>

On 08/04/2009 02:40 PM, Dominick Grift wrote:
> On 08/04/2009 02:37 PM, Miroslav Grepl wrote:
>> On 08/04/2009 02:30 PM, Dominick Grift wrote:
>>> dev_rw_generic_files(NetworkManager_t)
>>> allow consoletype_t device_t:file { read getattr ioctl };
>>> xserver_rw_xdm_home_files(staff_dbusd_t)
>>> allow staff_t staff_screen_t:process sigchld;
>>> allow staff_t print_spool_t:dir getattr;
>>> allow staff_t screen_var_run_t:fifo_file read;
>>> dev_rw_dri(staff_t)
>>> allow ifconfig_t device_t:file read;
>>> allow mount_t dgrift_t:unix_stream_socket { read write };
>>> allow nscd_t device_t:file read;
>>> allow ifconfig_t device_t:file read;
>>> allow mount_t dgrift_t:unix_stream_socket { read write };
>>> allow nscd_t device_t:file read;
>>> term_use_console(portreserve_t)
>>> allow readahead_t proc_kcore_t:file getattr;
>>> allow readahead_ self:capability net_admin;
>>> allow rpcbind_t self:udp_socket listen;
>>> allow xdm_dbusd_t xdm_var_lib_t:dir search;
>>> dev_rw_generic_files(auditctl_t)
>>> allow readahead_t self:capability net_admin;
>>> fs_rw_tmpfs_chr_files(readahead_t)
>>> fprintd_dbus_chat(staff_sudo_t)
>>> fprintd_dbus_chat(staff_t)
>>> fprintd_dbus_chat(fprintd_t)

Looks like fprintd_dbus_chat(fprintd_t) is a bad translation by audit2allow -R

>> What version of selinux-policy ?
>>
>> Regards,
>> Miroslav
> selinux-policy-targeted-3.6.12-69.fc11.noarch
> selinux-policy-3.6.12-69.fc11.noarch
>
> on a clean fedora 11 installation (note: semodule -DB could have been
> enabled/ not in permissive mode)

If you want to see any specific raw AVC denials let me know

From mgrepl at redhat.com Tue Aug 4 13:14:40 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Tue, 04 Aug 2009 15:14:40 +0200
Subject: Some AVC denials to consider:
In-Reply-To: <4A782E15.5080100@gmail.com>
References: <4A7829F7.9000703@gmail.com> <4A782B96.8000900@redhat.com> <4A782C58.9010702@gmail.com> <4A782E15.5080100@gmail.com>
Message-ID: <4A783440.3000603@redhat.com>

On 08/04/2009 02:48 PM, Dominick Grift wrote:
> On 08/04/2009 02:40 PM, Dominick Grift wrote:
>> On 08/04/2009 02:37 PM, Miroslav Grepl wrote:
>>> On 08/04/2009 02:30 PM, Dominick Grift wrote:
>>>> dev_rw_generic_files(NetworkManager_t)
>>>> allow consoletype_t device_t:file { read getattr ioctl };
>>>> xserver_rw_xdm_home_files(staff_dbusd_t)
>>>> allow staff_t staff_screen_t:process sigchld;
>>>> allow staff_t print_spool_t:dir getattr;
>>>> allow staff_t screen_var_run_t:fifo_file read;
>>>> dev_rw_dri(staff_t)
>>>> allow ifconfig_t device_t:file read;
>>>> allow mount_t dgrift_t:unix_stream_socket { read write };
>>>> allow nscd_t device_t:file read;
>>>> allow ifconfig_t device_t:file read;
>>>> allow mount_t dgrift_t:unix_stream_socket { read write };
>>>> allow nscd_t device_t:file read;
>>>> term_use_console(portreserve_t)
>>>> allow readahead_t proc_kcore_t:file getattr;
>>>> allow readahead_ self:capability net_admin;
>>>> allow rpcbind_t self:udp_socket listen;
>>>> allow xdm_dbusd_t xdm_var_lib_t:dir search;
>>>> dev_rw_generic_files(auditctl_t)
>>>> allow readahead_t self:capability net_admin;
>>>> fs_rw_tmpfs_chr_files(readahead_t)
>>>> fprintd_dbus_chat(staff_sudo_t)
>>>> fprintd_dbus_chat(staff_t)
>>>> fprintd_dbus_chat(fprintd_t)
> Looks like fprintd_dbus_chat(fprintd_t) is a bad translation by
> audit2allow -R
>>> What version of selinux-policy ?
>>>
>>> Regards,
>>> Miroslav
>> selinux-policy-targeted-3.6.12-69.fc11.noarch
>> selinux-policy-3.6.12-69.fc11.noarch
>>
>> on a clean fedora 11 installation (note: semodule -DB could have been
>> enabled/ not in permissive mode)
>
> If you want to see any specific raw AVC denials let me know

Send me audit.log to mgrepl at redhat.com

Thanks

From mgrepl at redhat.com Tue Aug 4 14:29:39 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Tue, 04 Aug 2009 16:29:39 +0200
Subject: Some AVC denials to consider:
In-Reply-To: <4A782E15.5080100@gmail.com>
References: <4A7829F7.9000703@gmail.com> <4A782B96.8000900@redhat.com> <4A782C58.9010702@gmail.com> <4A782E15.5080100@gmail.com>
Message-ID: <4A7845D3.7000306@redhat.com>

On 08/04/2009 02:48 PM, Dominick Grift wrote:
> On 08/04/2009 02:40 PM, Dominick Grift wrote:
>> On 08/04/2009 02:37 PM, Miroslav Grepl wrote:
>>> On 08/04/2009 02:30 PM, Dominick Grift wrote:
>>>> dev_rw_generic_files(NetworkManager_t)
>>>> allow consoletype_t device_t:file { read getattr ioctl };
>>>> xserver_rw_xdm_home_files(staff_dbusd_t)
>>>> allow staff_t staff_screen_t:process sigchld;
>>>> allow staff_t print_spool_t:dir getattr;
>>>> allow staff_t screen_var_run_t:fifo_file read;
>>>> dev_rw_dri(staff_t)
>>>> allow ifconfig_t device_t:file read;
>>>> allow mount_t dgrift_t:unix_stream_socket { read write };
>>>> allow nscd_t device_t:file read;
>>>> allow ifconfig_t device_t:file read;
>>>> allow mount_t dgrift_t:unix_stream_socket { read write };
>>>> allow nscd_t device_t:file read;
>>>> term_use_console(portreserve_t)
>>>> allow readahead_t proc_kcore_t:file getattr;
>>>> allow readahead_ self:capability net_admin;
>>>> allow rpcbind_t self:udp_socket listen;
>>>> allow xdm_dbusd_t xdm_var_lib_t:dir search;
>>>> dev_rw_generic_files(auditctl_t)
>>>> allow readahead_t self:capability net_admin;
>>>> fs_rw_tmpfs_chr_files(readahead_t)
>>>> fprintd_dbus_chat(staff_sudo_t)
>>>> fprintd_dbus_chat(staff_t)
>>>> fprintd_dbus_chat(fprintd_t)
> Looks like fprintd_dbus_chat(fprintd_t) is a bad translation by
> audit2allow -R
>>> What version of selinux-policy ?
>>>
>>> Regards,
>>> Miroslav
>> selinux-policy-targeted-3.6.12-69.fc11.noarch
>> selinux-policy-3.6.12-69.fc11.noarch
>>
>> on a clean fedora 11 installation (note: semodule -DB could have been
>> enabled/ not in permissive mode)
>
> If you want to see any specific raw AVC denials let me know

At least there is a problem with /dev/null labeling. For example, from your audit.log:

type=AVC msg=audit(1249386885.044:43034): avc: denied { read } for pid=12059 comm="ip" path="/dev/null" dev=tmpfs ino=1005228 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file

/dev/null should be a device and labeled null_device_t.

There is a bug relating to /dev/null labeling. Look at the comment from Dan:

https://bugzilla.redhat.com/show_bug.cgi?id=515096#c1

From choeger at cs.tu-berlin.de Tue Aug 4 16:18:25 2009
From: choeger at cs.tu-berlin.de (Christoph Höger)
Date: Tue, 04 Aug 2009 18:18:25 +0200
Subject: java processbuilder and SELinux
Message-ID: <1249402705.8296.10.camel@choeger5.umpa.netz>

Hi,

I found that (somewhat quite old, googling brought up fc3) issue on my f10 desktop:

I have a self-compiled (proprietary, so no SELinux policy available) program in my home dir. Running it via a terminal works fine. But running it from a java process (in that case eclipse) using a ProcessBuilder returned:

cannot restore segment prot after reloc: Permission denied

I already thought that this was something SELinux related, and I know that the developers of that certain tool had no security in mind. I stumbled upon textrel_shlib_t and allow_execmod, and indeed allow_execmod fixed that issue (I'll need to relabel soon).

But two things seem really weird to me:

1. From a normal terminal using bash I can start that prog. Why?
2. There is no audit message in audit.log (and I had no "SELinux prevented..." popup).

Is that a bug? Any suggestions on that? Bugzilla?

Christoph

From mica1884 at gmail.com Tue Aug 4 18:57:09 2009
From: mica1884 at gmail.com (Ryan Gandy)
Date: Tue, 4 Aug 2009 14:57:09 -0400
Subject: SELinux and Wine
Message-ID: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com>

Hello,

I use FC11 64 bit and have the default (add/remove software) installation for both SELinux and Wine. I've been trying to get my Windows programs to run but see entries in my setroubleshoot log regarding Wine not being cleared for "allow_execmem" or "mmap_zero." I'm not that experienced with it, but I gather enabling either of these would be a bad thing from what I've already seen on google. Is there a way I can get Wine to run without effectively disabling SELinux?

Regards,

Ryan

From eparis at redhat.com Tue Aug 4 20:25:15 2009
From: eparis at redhat.com (Eric Paris)
Date: Tue, 04 Aug 2009 16:25:15 -0400
Subject: SELinux and Wine
In-Reply-To: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com>
References: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com>
Message-ID: <1249417515.2361.31.camel@dhcp231-106.rdu.redhat.com>

On Tue, 2009-08-04 at 14:57 -0400, Ryan Gandy wrote:
> Hello,
>
> I use FC11 64 bit and have the default (add/remove software)
> installation for both SELinux and Wine. I've been trying to get my
> Windows programs to run but see entries in my setroubleshoot log
> regarding Wine not being cleared for "allow_execmem" or "mmap_zero."
> I'm not that experienced with it, but I gather enabling either of
> these would be a bad thing from what I've already seen on google. Is
> there a way I can get Wine to run without effectively disabling
> SELinux?

For the most part? No. Wine does things which are bad for system security. You can disable security just for wine (define wine as a permissive domain using semanage) or you can allow the things it wants using the booleans which I'm guessing setroubleshoot suggested. You are much better off allowing the mmap_zero boolean than you are setting the mmap_zero proc tunable to 0.

As for execmem, I'm surprised that one isn't already being allowed; might be a bug?
-Eric

From sradvan at redhat.com Tue Aug 4 22:52:30 2009
From: sradvan at redhat.com (Scott Radvan)
Date: Wed, 5 Aug 2009 08:52:30 +1000
Subject: spamassassin transition
In-Reply-To: <564044.91153.qm@web36803.mail.mud.yahoo.com>
References: <20090803102055.752c05be@redhat.com> <564044.91153.qm@web36803.mail.mud.yahoo.com>
Message-ID: <20090805085230.57c3601a@redhat.com>

On Mon, 3 Aug 2009 06:31:31 -0700 (PDT)
Vadym Chepkov wrote:

> I filed a bugzilla report about it,
> https://bugzilla.redhat.com/show_bug.cgi?id=509644
> Sincerely yours,
> Vadym Chepkov

Great, thank you for this! It fixed my problem.

--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane)
http://www.apac.redhat.com

From dwalsh at redhat.com Wed Aug 5 11:59:26 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 05 Aug 2009 07:59:26 -0400
Subject: Some AVC denials to consider:
In-Reply-To: <4A7829F7.9000703@gmail.com>
References: <4A7829F7.9000703@gmail.com>
Message-ID: <4A79741E.3030706@redhat.com>

On 08/04/2009 08:30 AM, Dominick Grift wrote:
> dev_rw_generic_files(NetworkManager_t)
>
This looks very wrong. Need to see the AVC related to this.

> allow consoletype_t device_t:file { read getattr ioctl };
>
This looks like a mislabeled file. As Miroslav pointed out later, is this the problem with /dev/null being a file?

> xserver_rw_xdm_home_files(staff_dbusd_t)
>
We should add

xserver_use_xdm($1_dbusd_t) to dbus.if

Then add

allow $1 xdm_home_t:file append_file_perms;

to xserver_use_xdm

> allow staff_t staff_screen_t:process sigchld;
> allow staff_t print_spool_t:dir getattr;
> allow staff_t screen_var_run_t:fifo_file read;

add

allow $3 $1_screen_t:process sigchld;

to screen_role_template
Although it does not look like we transition to screen by default now.

Add

lpd_list_spool(staff_t)

to staff.te

allow staff_t screen_var_run_t:fifo_file read;
Looks like a leak, add

dontaudit $3 $1_var_run_t:fifo_file read;

to screen_role_template

> dev_rw_dri(staff_t)
>
This is probably not a good idea; I believe this is an easy way to attack the system.
I think we currently have

dev_dontaudit_rw_dri($1)

> allow ifconfig_t device_t:file read;
>
> allow mount_t dgrift_t:unix_stream_socket { read write };
>
Leak? Whatever is execing mount is leaking a file descriptor. Added a new plugin to setroubleshoot to detect leaks BTW.

> allow nscd_t device_t:file read;
>
> allow ifconfig_t device_t:file read;
>
> allow mount_t dgrift_t:unix_stream_socket { read write }
>
> allow nscd_t device_t:file read;
>
> term_use_console(portreserve_t)
>
This seems like a strange one.

> allow readahead_t proc_kcore_t:file getattr;
> allow readahead_ self:capability net_admin;
Rawhide has

kernel_dontaudit_getattr_core_if(readahead_t)
dontaudit readahead_t self:capability { net_admin sys_tty_config };

> allow rpcbind_t self:udp_socket listen;
>
Rawhide has

ifdef(`hide_broken_symptoms',`
	dontaudit rpcbind_t self:udp_socket listen;
')

> allow xdm_dbusd_t xdm_var_lib_t:dir search;
>
Change dbus_role_template to use xserver_use_xdm,

Add xserver_search_xdm_lib($1) to xserver_use_xdm

> dev_rw_generic_files(auditctl_t)
>
Looks like a leak

> allow readahead_t self:capability net_admin;
> fs_rw_tmpfs_chr_files(readahead_t)
>
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
is in rawhide

> fprintd_dbus_chat(staff_sudo_t)
>
Add
optional_policy(`
	fprintd_dbus_chat($1_sudo_t)
')
to
sudo_role_template

> fprintd_dbus_chat(staff_t)
>
> fprintd_dbus_chat(fprintd_t)
>
Add
optional_policy(`
	fprintd_dbus_chat($1_t)
')
to
userdom_restricted_xwindows_user_template

fprintd_dbus_chat(fprintd_t)
Does not make sense.

From sds at tycho.nsa.gov Wed Aug 5 12:58:52 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 05 Aug 2009 08:58:52 -0400
Subject: SELinux and Wine
In-Reply-To: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com>
References: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com>
Message-ID: <1249477132.21455.30.camel@moss-pluto.epoch.ncsc.mil>

On Tue, 2009-08-04 at 14:57 -0400, Ryan Gandy wrote:
> Hello,
>
> I use FC11 64 bit and have the default (add/remove software)
> installation for both SELinux and Wine. I've been trying to get my
> Windows programs to run but see entries in my setroubleshoot log
> regarding Wine not being cleared for "allow_execmem" or "mmap_zero."
> I'm not that experienced with it, but I gather enabling either of
> these would be a bad thing from what I've already seen on google. Is
> there a way I can get Wine to run without effectively disabling
> SELinux?

Post the actual avc denials. wine_t should already have the necessary permissions. Sounds like you are running wine in unconfined_t instead?

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Wed Aug 5 21:41:14 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 05 Aug 2009 17:41:14 -0400
Subject: SELinux and Wine
In-Reply-To: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com>
References: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com>
Message-ID: <4A79FC7A.4050509@redhat.com>

On 08/04/2009 02:57 PM, Ryan Gandy wrote:
> Hello,
>
> I use FC11 64 bit and have the default (add/remove software) installation
> for both SELinux and Wine. I've been trying to get my Windows programs to
> run but see entries in my setroubleshoot log regarding Wine not being
> cleared for "allow_execmem" or "mmap_zero."
> I'm not that experienced with
> it, but I gather enabling either of these would be a bad thing from what
> I've already seen on google. Is there a way I can get Wine to run without
> effectively disabling SELinux?
>
> Regards,
>
> Ryan

What is the wine executable's label?

ls -lZ PATHTO/wine

From mgrepl at redhat.com Wed Aug 5 22:13:01 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Thu, 06 Aug 2009 00:13:01 +0200
Subject: Some AVC denials to consider:
In-Reply-To: <4A79741E.3030706@redhat.com>
References: <4A7829F7.9000703@gmail.com> <4A79741E.3030706@redhat.com>
Message-ID: <4A7A03ED.4090700@redhat.com>

On 08/05/2009 01:59 PM, Daniel J Walsh wrote:
> On 08/04/2009 08:30 AM, Dominick Grift wrote:
>> dev_rw_generic_files(NetworkManager_t)
> This looks very wrong. Need to see the AVC related to this.
>
>> allow consoletype_t device_t:file { read getattr ioctl };
> This looks like a mislabeled file. As Miroslav pointed out later, is this the problem with /dev/null being a file?
>
>> xserver_rw_xdm_home_files(staff_dbusd_t)
> We should add
>
> xserver_use_xdm($1_dbusd_t) to dbus.if
> Then add
> allow $1 xdm_home_t:file append_file_perms;
> to xserver_use_xdm
>
>> allow staff_t staff_screen_t:process sigchld;
>> allow staff_t print_spool_t:dir getattr;
>> allow staff_t screen_var_run_t:fifo_file read;
> add
> allow $3 $1_screen_t:process sigchld;
> to screen_role_template
> Although it does not look like we transition to screen by default now.
>
> Add
>
> lpd_list_spool(staff_t)
>
> to staff.te
>
> allow staff_t screen_var_run_t:fifo_file read;
> Looks like a leak, add
>
> dontaudit $3 $1_var_run_t:fifo_file read;
>
> to screen_role_template
>
>> dev_rw_dri(staff_t)
> This is probably not a good idea; I believe this is an easy way to attack the system.
> I think we currently have
>
> dev_dontaudit_rw_dri($1)
>
>> allow ifconfig_t device_t:file read;
>> allow mount_t dgrift_t:unix_stream_socket { read write };
> Leak? Whatever is execing mount is leaking a file descriptor. Added a new plugin to setroubleshoot to detect leaks BTW.
>
>> allow nscd_t device_t:file read;
>> allow ifconfig_t device_t:file read;
>> allow mount_t dgrift_t:unix_stream_socket { read write }
>> allow nscd_t device_t:file read;
>> term_use_console(portreserve_t)
> This seems like a strange one.
>
>> allow readahead_t proc_kcore_t:file getattr;
>> allow readahead_ self:capability net_admin;
> Rawhide has
>
> kernel_dontaudit_getattr_core_if(readahead_t)
> dontaudit readahead_t self:capability { net_admin sys_tty_config };
>
>> allow rpcbind_t self:udp_socket listen;
> Rawhide has
>
> ifdef(`hide_broken_symptoms',`
> 	dontaudit rpcbind_t self:udp_socket listen;
> ')
>
>> allow xdm_dbusd_t xdm_var_lib_t:dir search;
> Change dbus_role_template to use
> xserver_use_xdm,
>
> Add xserver_search_xdm_lib($1) to xserver_use_xdm
>
>> dev_rw_generic_files(auditctl_t)
> Looks like a leak
>
>> allow readahead_t self:capability net_admin;
>> fs_rw_tmpfs_chr_files(readahead_t)
> fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
> is in rawhide
>
>> fprintd_dbus_chat(staff_sudo_t)
> Add
> optional_policy(`
> 	fprintd_dbus_chat($1_sudo_t)
> ')
> to
> sudo_role_template
>
>> fprintd_dbus_chat(staff_t)
>> fprintd_dbus_chat(fprintd_t)
> Add
> optional_policy(`
> 	fprintd_dbus_chat($1_t)
> ')
> to
> userdom_restricted_xwindows_user_template
>
> fprintd_dbus_chat(fprintd_t)
> Does not make sense.

Changes added to selinux-policy-3.6.12-74.fc11

Thanks

From sradvan at redhat.com Thu Aug 6 00:40:47 2009
From: sradvan at redhat.com (Scott Radvan)
Date: Thu, 6 Aug 2009 10:40:47 +1000
Subject: SELinux managing confined services guide - call for review
Message-ID: <20090806104047.04bb6f3f@redhat.com>

Hi,

Having added many new chapters/services, the Fedora SELinux managing confined services guide is very close to reaching publication. I would greatly appreciate any and all comments or corrections:

http://sradvan.fedorapeople.org/SELinux_Managing_Confined_Services/en-US/

Cheers,

--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane)
http://www.apac.redhat.com

From mica1884 at gmail.com Thu Aug 6 04:15:47 2009
From: mica1884 at gmail.com (Ryan Gandy)
Date: Thu, 6 Aug 2009 00:15:47 -0400
Subject: SELinux and Wine
In-Reply-To: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com>
References: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com>
Message-ID: <1df9930e0908052115t1d44b820g99a077d10899aea@mail.gmail.com>

Oops. Hit the wrong button by mistake, here you go. Whole stack of AVC denials.
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=memprotect
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15702): avc: denied { execmem } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.364:15703): avc: denied { execmem } for pid=3752 comm="wine" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.448:15704): avc: denied { execmem } for pid=3752 comm="wineboot.exe" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.448:15705): avc: denied { execmem } for pid=3752 comm="wineboot.exe" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.463:15706): avc: denied { execmem } for pid=3752 comm="wineboot.exe" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
Aug 3 21:43:59 TechComm setroubleshoot: SELinux is preventing wine-preloader (staff_t) "mmap_zero" staff_t. For complete SELinux messages. run sealert -l b44029ea-892c-471b-a1b8-b8acaa833ed3
Aug 3 21:43:59 TechComm setroubleshoot: SELinux is preventing wine-preloader (staff_t) "execmem" to (staff_t). For complete SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:00 TechComm setroubleshoot: SELinux is preventing wine (staff_t) "execmem" to (staff_t). For complete SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:00 TechComm setroubleshoot: SELinux is preventing wine-preloader (staff_t) "mmap_zero" staff_t. For complete SELinux messages. run sealert -l b44029ea-892c-471b-a1b8-b8acaa833ed3
Aug 3 21:44:01 TechComm setroubleshoot: SELinux is preventing wine-preloader (staff_t) "execmem" to (staff_t). For complete SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:01 TechComm setroubleshoot: SELinux is preventing wine (staff_t) "execmem" to (staff_t). For complete SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:02 TechComm setroubleshoot: SELinux is preventing wineboot.exe (staff_t) "execmem" to (staff_t). For complete SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:02 TechComm setroubleshoot: SELinux is preventing wineboot.exe (staff_t) "execmem" to (staff_t). For complete SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:02 TechComm setroubleshoot: SELinux is preventing wineboot.exe (staff_t) "execmem" to (staff_t). For complete SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456
Aug 3 21:44:03 TechComm setroubleshoot: SELinux is preventing wineboot.exe (staff_t) "execmem" to (staff_t). For complete SELinux messages. run sealert -l 3f98f29b-2c41-47a1-aec3-15daa0ad0456

From sds at tycho.nsa.gov Thu Aug 6 12:03:24 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 06 Aug 2009 08:03:24 -0400
Subject: SELinux and Wine
In-Reply-To: <1df9930e0908052115t1d44b820g99a077d10899aea@mail.gmail.com>
References: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com> <1df9930e0908052115t1d44b820g99a077d10899aea@mail.gmail.com>
Message-ID: <1249560204.5213.19.camel@moss-pluto.epoch.ncsc.mil>

On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
> Oops. Hit the wrong button by mistake, here you go. Whole stack of
> AVC denials.
>
> Aug 3 16:39:41 TechComm kernel: type=1400
> audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752
> comm="wine-preloader" scontext=staff_u:staff_r:
> staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tclass=memprotect
> Aug 3 16:39:41 TechComm kernel: type=1400
> audit(1249331981.357:15702): avc: denied { execmem } for pid=3752
> comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
> Aug 3 16:39:41 TechComm kernel: type=1400

Hmm... so there is no transition defined from the confined user domains to wine_t, only from unconfined_t. That is likely intentional since wine_t is unconfined under targeted policy (there is an unconfined_domain_noaudit() call in wine.te).

--
Stephen Smalley
National Security Agency

From misc.lists at blueyonder.co.uk Thu Aug 6 19:45:54 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Thu, 06 Aug 2009 20:45:54 +0100
Subject: HPLIP and Fedora9
Message-ID: <1249587954.9612.14.camel@localhost.localdomain>

Hello all,

I tried today to install the latest hplip package from http://hplipopensource.com to use the printer driver for my HP Printer on my Fedora 9 system (I plan to upgrade to Fedora 11 in the next few weeks).

The install package warns you to turn off selinux, so I ran setenforce 0. I assumed that I would be able to write a policy before resuming enforcing mode.

The install went fine with no avcs. I then tried to print a test page and got 3 avcs (I can post in full if required):

SELinux is preventing hp (hplip_t) "name_bind" howl_port_t.
SELinux is preventing hp (hplip_t) "search" to ./dbus (system_dbusd_var_run_t).
SELinux is preventing hpcups (cupsd_t) "name_bind" howl_port_t.

From these I tried to create a policy using audit2allow.
This is what it proposed: ########################################## # cat myhplip.te policy_module(myhplip, 9.0.1) require { type cupsd_t; type hplip_t; type system_dbusd_t; class unix_stream_socket { write connectto search }; } #============= cupsd_t ============== corenet_udp_bind_howl_port(cupsd_t) #============= hplip_t ============== allow hplip_t system_dbusd_t:unix_stream_socket { write connectto search }; corenet_udp_bind_howl_port(hplip_t) ########################################## "make -f" worked OK on this, but when I tried semodule -i I got the following error: [root at localhost selinux]# semodule -i myhplip.pp libsepol.permission_copy_callback: Module myhplip depends on permission search in class unix_stream_socket, not satisfied libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed! Is there any way I can resolve this? The only existing bug I can find on hplip is 516078 (https://bugzilla.redhat.com/show_bug.cgi?id=516078) is it related? Thanks in advance for any help or suggestions... Mark -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From peterjb at mtaonline.net Thu Aug 6 22:21:15 2009 From: peterjb at mtaonline.net (Peter Joseph) Date: Thu, 6 Aug 2009 15:21:15 -0700 (PDT) Subject: SELinux Reset Message-ID: <24855587.post@talk.nabble.com> While experimenting with SELinux, I finally managed to lock myself out of the system. The only way to get back in, I had to add "selinux=0" to the end of the kernel line. Now, if I run in a permissive mode the following message appears when I try to log in: "Could not connect to session bus: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus)." 
I am forced to go back to the grub prompt and disable SELinux again, in
order to get in. What is the best way to reset SEL to its original state?

From justinmattock at gmail.com  Thu Aug  6 23:10:06 2009
From: justinmattock at gmail.com (Justin P. Mattock)
Date: Thu, 06 Aug 2009 16:10:06 -0700
Subject: SELinux Reset
In-Reply-To: <24855587.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com>
Message-ID: <4A7B62CE.6040506@gmail.com>

Peter Joseph wrote:
> While experimenting with SELinux, I finally managed to lock myself out of the
> system. The only way to get back in, I had to add "selinux=0" to the end of
> the kernel line.
> Now, if I run in a permissive mode the following message appears when I try
> to log in:
>
> "Could not connect to session bus: An SELinux policy prevents this sender
> from sending this message to this recipient (rejected message had sender
> "(unset)" interface "org.freedesktop.DBus" member "Hello" error name
> "(unset)" destination "org.freedesktop.DBus)."
>
> I am forced to go back to the grub prompt and disable SELinux again, in
> order to get in. What is the best way to reset SEL to its original state?
>

try updating dbus
(message is something in /etc/dbus-1/*)

for the policy use
enforcing=0 for permissive
selinux=0 to disable completely

Justin P. Mattock

From trevor.hemsley at codefarm.com  Fri Aug  7 10:24:29 2009
From: trevor.hemsley at codefarm.com (Trevor Hemsley)
Date: Fri, 07 Aug 2009 11:24:29 +0100
Subject: Conflicting contexts for httpd and Samba
Message-ID: <4A7C00DD.10703@codefarm.com>

I have a machine where I am trying to turn on selinux in enforcing mode
- currently running in permissive mode while I sort out what's likely to
stop working. On this machine I have both Samba and Apache.
The Samba server has shares on a disk partition that's mounted on /share
and I was getting AVCs for this so I used semanage and restorecon to mark
all directories on there as context samba_share_t. Works great except
that one directory on that share is also used by Apache and then I
started getting AVCs for that dir whenever someone tried to access its
content over http. Having done some reading I then tried to mark that
directory as context public_content_t and that gets rid of the AVCs for
http but I get them back for the Samba server instead :(

The directory in question that resides on the /share partition is used
by the Sophos Anti-Virus Enterprise Console to keep copies of all its
install materials and locally cached copies of all the AV definition
files. We have a Windows XP machine that runs the Enterprise Console and
this updates the AV definitions on the Samba share about every 5 minutes
- so Samba needs to have update access to the directory in question.

For users outside the main office we also make the Sophos AV definitions
available over https so Apache needs to be able to read the same
directory that Samba can write to. Both Samba and Apache processes are
running on the same machine and are accessing /share as a local file
system. I can see booleans that let Apache access Samba shares as
network drives but not as local file systems.

These are the sort of AVCs I am currently getting and I'm now out of
ideas about how to solve this. Does anyone have any suggestions please?
[root at here manifests]# ausearch -i -a 12027
----
type=SYSCALL msg=audit(07/08/09 09:14:50.432:12027) : arch=x86_64 syscall=open success=yes exit=41 a0=7fff3638c690 a1=42 a2=1f4 a3=4a7bf08a items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { create } for pid=460 comm=smbd name=pws-bcr.ide scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { add_name } for pid=460 comm=smbd name=pws-bcr.ide scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { write } for pid=460 comm=smbd name=savxp dev=drbd3 ino=2293891 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir

[root at here manifests]# ausearch -i -a 12028
----
type=SYSCALL msg=audit(07/08/09 09:14:50.434:12028) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=29 a1=0 a2=2ad636132320 a3=1 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:50.434:12028) : avc: denied { write } for pid=460 comm=smbd name=pws-bcr.ide dev=drbd3 ino=2850949 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file

[root at here manifests]# ausearch -i -a 12029
----
type=SYSCALL msg=audit(07/08/09 09:14:50.440:12029) : arch=x86_64 syscall=utimes success=yes exit=0 a0=7fff3638b4d0 a1=7fff3638a9a0 a2=71be1 a3=0 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:50.440:12029) : avc: denied { setattr } for pid=460 comm=smbd name=pws-bcr.ide dev=drbd3 ino=2850949 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file

[root at here manifests]# ausearch -i -a 12030
----
type=SYSCALL msg=audit(07/08/09 09:14:52.556:12030) : arch=x86_64 syscall=unlink success=yes exit=0 a0=2ad63619e430 a1=2ad63619e430 a2=0 a3=2ad623feab20 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:52.556:12030) : avc: denied { unlink } for pid=460 comm=smbd name=cidsync.upd dev=drbd3 ino=1572898 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(07/08/09 09:14:52.556:12030) : avc: denied { remove_name } for pid=460 comm=smbd name=cidsync.upd dev=drbd3 ino=1572898 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir

[root at here manifests]# ausearch -i -a 12031
----
type=SYSCALL msg=audit(07/08/09 09:14:52.559:12031) : arch=x86_64 syscall=stat success=yes exit=0 a0=7fff3638adb8 a1=7fff3638b1a0 a2=7fff3638b1a0 a3=0 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:52.559:12031) : avc: denied { getattr } for pid=460 comm=smbd path=/codefarm/backups dev=dm-15 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(07/08/09 09:14:52.559:12031) : avc: denied { search } for pid=460 comm=smbd name=codefarm dev=dm-0 ino=819201 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=dir

[root at here manifests]# ausearch -i -a 12032
----
type=SYSCALL msg=audit(07/08/09 09:14:52.559:12032) : arch=x86_64 syscall=stat success=yes exit=0 a0=2ad636320285 a1=7fff3638ae60 a2=7fff3638ae60 a3=0 items=0 ppid=5277 pid=460 auid=unset uid=SophosEmLibUser1 gid=root euid=SophosEmLibUser1 suid=root fsuid=SophosEmLibUser1 egid=Domain Users sgid=root fsgid=Domain Users tty=(none) ses=4294967295 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(07/08/09 09:14:52.559:12032) : avc: denied { getattr } for pid=460 comm=smbd path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=6477 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
[root at here manifests]#

--
Trevor Hemsley
Infrastructure Engineer
* C A L Y P S O *
Brighton, UK
OFFICE +44 (0) 1273 666 350
FAX +44 (0) 1273 666 351
www.calypso.com
From paul at city-fan.org  Fri Aug  7 10:36:47 2009
From: paul at city-fan.org (Paul Howarth)
Date: Fri, 07 Aug 2009 11:36:47 +0100
Subject: Conflicting contexts for httpd and Samba
In-Reply-To: <4A7C00DD.10703@codefarm.com>
References: <4A7C00DD.10703@codefarm.com>
Message-ID: <4A7C03BF.8090206@city-fan.org>

On 07/08/09 11:24, Trevor Hemsley wrote:
> I have a machine where I am trying to turn on selinux in enforcing mode
> - currently running in permissive mode while I sort out what's likely to
> stop working. On this machine I have both Samba and Apache. The Samba
> server has shares on a disk partition that's mounted on /share and I was
> getting AVCs for this so I used semanage and restorecon to mark all
> directories on there as context samba_share_t. Works great except that
> one directory on that share is also used by Apache and then I started
> getting AVCs for that dir whenever someone tried to access its content
> over http. Having done some reading I then tried to mark that directory
> as context public_content_t and that gets rid of the AVCs for http but I
> get them back for the Samba server instead :(
>
> The directory in question that resides on the /share partition is used
> by the Sophos Anti-Virus Enterprise Console to keep copies of all its
> install materials and locally cached copies of all the AV definition
> files. We have a Windows XP machine that runs the Enterprise Console and
> this updates the AV definitions on the Samba share about every 5 minutes
> - so Samba needs to have update access to the directory in question.
>
> For users outside the main office we also make the Sophos AV definitions
> available over https so Apache needs to be able to read the same
> directory that Samba can write to. Both Samba and Apache processes are
> running on the same machine and are accessing /share as a local file
> system. I can see booleans that let Apache access Samba shares as
> network drives but not as local file systems.
>
> These are the sort of AVCs I am currently getting and I'm now out of
> ideas about how to solve this. Does anyone have any suggestions please?

Label your directory (assuming it's called /share/sophos here)
public_content_rw_t:

# semanage fcontext -a -t public_content_rw_t '/share/sophos(/.*)?'
# restorecon -rF /share/sophos

Give samba write access to public_content_rw_t:

# setsebool -P allow_smbd_anon_write=1

Cheers, Paul.

From dwalsh at redhat.com  Fri Aug  7 10:39:05 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 07 Aug 2009 06:39:05 -0400
Subject: SELinux and Wine
In-Reply-To: <1249560204.5213.19.camel@moss-pluto.epoch.ncsc.mil>
References: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com> <1df9930e0908052115t1d44b820g99a077d10899aea@mail.gmail.com> <1249560204.5213.19.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <4A7C0449.1000402@redhat.com>

On 08/06/2009 08:03 AM, Stephen Smalley wrote:
> On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
>> Oops. Hit the wrong button by mistake, here you go. Whole stack of
>> AVC denials.
>>
>> Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=memprotect
>> Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15702): avc: denied { execmem } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
>> Aug 3 16:39:41 TechComm kernel: type=1400
>
> Hmm...so there is no transition defined from the confined user domains
> to wine_t, only from unconfined_t. That is likely intentional since
> wine_t is unconfined under targeted policy (there is a
> unconfined_domain_noaudit() call in wine.te).
>
If you build a policy with

policy_module(mywine, 1.0)
gen_require(`
        type staff_t;
        role staff_r;
')

wine_role(staff_t, staff_r)

You should be able to try out the staff_wine_t type.

From dwalsh at redhat.com  Fri Aug  7 10:46:04 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 07 Aug 2009 06:46:04 -0400
Subject: SELinux and Wine
In-Reply-To: <4A7C0449.1000402@redhat.com>
References: <1df9930e0908041157r7a96cf1cw693eafc45f133237@mail.gmail.com> <1df9930e0908052115t1d44b820g99a077d10899aea@mail.gmail.com> <1249560204.5213.19.camel@moss-pluto.epoch.ncsc.mil> <4A7C0449.1000402@redhat.com>
Message-ID: <4A7C05EC.6010704@redhat.com>

On 08/07/2009 06:39 AM, Daniel J Walsh wrote:
> On 08/06/2009 08:03 AM, Stephen Smalley wrote:
>> On Thu, 2009-08-06 at 00:15 -0400, Ryan Gandy wrote:
>>> Oops. Hit the wrong button by mistake, here you go. Whole stack of
>>> AVC denials.
>>>
>>> Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=memprotect
>>> Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15702): avc: denied { execmem } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process
>>> Aug 3 16:39:41 TechComm kernel: type=1400
>> Hmm...so there is no transition defined from the confined user domains
>> to wine_t, only from unconfined_t. That is likely intentional since
>> wine_t is unconfined under targeted policy (there is a
>> unconfined_domain_noaudit() call in wine.te).
>>
> If you build a policy with
>
> policy_module(mywine, 1.0)
> gen_require(`
>         type staff_t;
>         role staff_r;
> ')
>
> wine_role(staff_t, staff_r)
>
> You should be able to try out the staff_wine_t type.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Of course wine_t is an unconfined_domain if you have not removed the
unconfined module from policy. If you do not want staff_t to be able to
run unconfined domains and you have the unconfined module installed, you
do not want to allow this transition.

From dwalsh at redhat.com  Fri Aug  7 11:00:56 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 07 Aug 2009 07:00:56 -0400
Subject: SELinux Reset
In-Reply-To: <24855587.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com>
Message-ID: <4A7C0968.2010901@redhat.com>

On 08/06/2009 06:21 PM, Peter Joseph wrote:
> While experimenting with SELinux, I finally managed to lock myself out of the
> system. The only way to get back in, I had to add "selinux=0" to the end of
> the kernel line.
> Now, if I run in a permissive mode the following message appears when I try
> to log in:
>
> "Could not connect to session bus: An SELinux policy prevents this sender
> from sending this message to this recipient (rejected message had sender
> "(unset)" interface "org.freedesktop.DBus" member "Hello" error name
> "(unset)" destination "org.freedesktop.DBus)."
>
> I am forced to go back to the grub prompt and disable SELinux again, in
> order to get in. What is the best way to reset SEL to its original state?

I have no idea what is going on on your system. I would figure you either
have a problem with labeling, or you have a problem upgrading from an
older version of SELinux.

Did you upgrade or was this a fresh install?
If an Upgrade, what version to what version

Also what does

# semanage login -l
show?
# semodule -l | grep unconfined
Show?
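The threads above all start from raw AVC records: Ryan Gandy's wine-preloader denials in kernel-log form, Trevor Hemsley's smbd denials in `ausearch -i` form, and Mark's audit2allow output that put a dir permission (`search`) into a `unix_stream_socket` rule and so would not link. The script below is an added example (not code from the list or from audit2allow/sepolgen) that parses both record formats, merges permissions strictly per (source type, target type, object class) key so that mismatch cannot happen, and then flags the case where the candidate rule is the wrong fix: write-class access against a read-only content label such as `public_content_t` points at a labeling problem, which is what Paul Howarth's `public_content_rw_t` plus `allow_smbd_anon_write` answer addresses. The sample records are the ones posted above with line wrapping removed; the `READ_ONLY_CONTENT` and `WRITE_LIKE` tables are this example's own simplification.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records posted in the wine and Samba
# threads, with the archive's line wrapping removed.  Two formats occur on
# the list: raw kernel/audit.log lines and `ausearch -i` output.
SAMPLE_AVCS = [
    'Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15701): avc: denied { mmap_zero } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=memprotect',
    'Aug 3 16:39:41 TechComm kernel: type=1400 audit(1249331981.357:15702): avc: denied { execmem } for pid=3752 comm="wine-preloader" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { create } for pid=460 comm=smbd name=pws-bcr.ide scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file',
    'type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { add_name } for pid=460 comm=smbd name=pws-bcr.ide scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir',
    'type=AVC msg=audit(07/08/09 09:14:50.432:12027) : avc: denied { write } for pid=460 comm=smbd name=savxp dev=drbd3 ino=2293891 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir',
    'type=AVC msg=audit(07/08/09 09:14:50.434:12028) : avc: denied { write } for pid=460 comm=smbd name=pws-bcr.ide dev=drbd3 ino=2850949 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file',
    'type=AVC msg=audit(07/08/09 09:14:50.440:12029) : avc: denied { setattr } for pid=460 comm=smbd name=pws-bcr.ide dev=drbd3 ino=2850949 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file',
    # SYSCALL records carry no "avc:" field and must be skipped.
    'type=SYSCALL msg=audit(07/08/09 09:14:50.434:12028) : arch=x86_64 syscall=ftruncate success=yes exit=0 comm=smbd exe=/usr/sbin/smbd subj=system_u:system_r:smbd_t:s0 key=(null)',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Example's own table: labels that policy treats as read-only content.  A
# write-class denial against one of these means the object is mislabeled,
# not that a rule is missing.
READ_ONLY_CONTENT = {"public_content_t": "public_content_rw_t"}
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "add_name", "remove_name"}


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """(stype, ttype, tclass, perms) for one AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    try:
        return (context_type(fields["scontext"]), context_type(fields["tcontext"]),
                fields["tclass"], frozenset(m.group("perms").split()))
    except KeyError:
        return None


def group_denials(lines):
    """Merge permissions only within one (source, target, class) key; a dir
    'search' therefore never lands in a unix_stream_socket rule."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            groups[(stype, ttype, tclass)] |= perms
    return dict(groups)


def format_rule(key, perms):
    stype, ttype, tclass = key
    target = "self" if ttype == stype else ttype
    plist = sorted(perms)
    perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def allow_rules(lines):
    """Candidate allow rules, one per key, sorted for stable output."""
    return sorted(format_rule(k, p) for k, p in group_denials(lines).items())


def labeling_advice(lines):
    """Keys whose denials point at a mislabeled target rather than a missing rule."""
    advice = []
    for (stype, ttype, tclass), perms in sorted(group_denials(lines).items()):
        if ttype in READ_ONLY_CONTENT and perms & WRITE_LIKE:
            advice.append(f"{stype} needs {sorted(perms & WRITE_LIKE)} on {ttype}:{tclass}; "
                          f"relabel to {READ_ONLY_CONTENT[ttype]} instead of adding a rule")
    return advice


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for note in labeling_advice(SAMPLE_AVCS):
        print("#", note)
```

The generated rules are triage output, not a module to load: for the smbd records the script itself says the right fix is a label change, and for the wine records the thread's answer was a role transition (`wine_role`) rather than granting `execmem` to `staff_t`.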
From sds at tycho.nsa.gov  Fri Aug  7 12:08:10 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 07 Aug 2009 08:08:10 -0400
Subject: SELinux Reset
In-Reply-To: <24855587.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com>
Message-ID: <1249646890.5213.66.camel@moss-pluto.epoch.ncsc.mil>

On Thu, 2009-08-06 at 15:21 -0700, Peter Joseph wrote:
> While experimenting with SELinux, I finally managed to lock myself out of the
> system. The only way to get back in, I had to add "selinux=0" to the end of
> the kernel line.
> Now, if I run in a permissive mode the following message appears when I try
> to log in:
>
> "Could not connect to session bus: An SELinux policy prevents this sender
> from sending this message to this recipient (rejected message had sender
> "(unset)" interface "org.freedesktop.DBus" member "Hello" error name
> "(unset)" destination "org.freedesktop.DBus)."
>
> I am forced to go back to the grub prompt and disable SELinux again, in
> order to get in. What is the best way to reset SEL to its original state?

Boot with enforcing=0 to come up in permissive mode (i.e. stay enabled,
log any denials that would occur, but don't enforce them). Then look
for avc denial messages in /var/log/messages or /var/log/audit/audit.log.
Those will help indicate what is going wrong and what needs to be fixed.

--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov  Fri Aug  7 13:00:46 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 07 Aug 2009 09:00:46 -0400
Subject: HPLIP and Fedora9
In-Reply-To: <1249587954.9612.14.camel@localhost.localdomain>
References: <1249587954.9612.14.camel@localhost.localdomain>
Message-ID: <1249650046.5213.73.camel@moss-pluto.epoch.ncsc.mil>

On Thu, 2009-08-06 at 20:45 +0100, Arthur Dent wrote:
> Hello all,
>
> I tried today to install the latest hplip package from
> http://hplipopensource.com to use the printer driver for my HP Printer
> on my Fedora 9 system (I plan to upgrade to Fedora 11 in the next few
> weeks). The install package warns you to turn off selinux so I
> setenforce 0. I assumed that I would be able to write a policy before
> resuming enforcing mode.
>
> The install went fine with no avcs. I then tried to print a test page
> and got 3 avcs (I can post in full if required).

Yes, please do. And file a bug against policycoreutils - this looks
like a bug in audit2allow/sepolgen (wrongly merging audit rules with
different keys).

>
> SELinux is preventing hp (hplip_t) "name_bind" howl_port_t.
> SELinux is preventing hp (hplip_t) "search" to ./dbus
> (system_dbusd_var_run_t).
> SELinux is preventing hpcups (cupsd_t) "name_bind" howl_port_t.
>
> From these I tried to create a policy using audit2allow.
> This is what it proposed:
>
> ##########################################
> # cat myhplip.te
> policy_module(myhplip, 9.0.1)
>
> require {
>         type cupsd_t;
>         type hplip_t;
>         type system_dbusd_t;
>         class unix_stream_socket { write connectto search };
> }
>
> #============= cupsd_t ==============
> corenet_udp_bind_howl_port(cupsd_t)
>
> #============= hplip_t ==============
> allow hplip_t system_dbusd_t:unix_stream_socket { write connectto search };
> corenet_udp_bind_howl_port(hplip_t)
>
> ##########################################
>
> "make -f" worked OK on this, but when I tried semodule -i I got the
> following error:
>
> [root at localhost selinux]# semodule -i myhplip.pp
> libsepol.permission_copy_callback: Module myhplip depends on permission
> search in class unix_stream_socket, not satisfied
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
>
> Is there any way I can resolve this?
>
> The only existing bug I can find on hplip is 516078
> (https://bugzilla.redhat.com/show_bug.cgi?id=516078) is it related?
>
>
> Thanks in advance for any help or suggestions...
>
> Mark

--
Stephen Smalley
National Security Agency

From rramkarthik at gmail.com  Fri Aug  7 15:31:56 2009
From: rramkarthik at gmail.com (ramkarthik)
Date: Fri, 07 Aug 2009 21:01:56 +0530
Subject: (no subject)
Message-ID: <1249659116.15342.0.camel@localhost.localdomain>

From peterjb at mtaonline.net  Fri Aug  7 22:08:42 2009
From: peterjb at mtaonline.net (Peter Joseph)
Date: Fri, 7 Aug 2009 15:08:42 -0700 (PDT)
Subject: SELinux Reset
In-Reply-To: <4A7C0968.2010901@redhat.com>
References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com>
Message-ID: <24872725.post@talk.nabble.com>

This is a fresh install, Kernel Linux 2.6.29.4-167.fc11.i586
___________________________________________________
# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
___________________________________________________
# module -l | grep unconfined

unconfined      3.0.1
unconfineduser  1.0.0
___________________________________________________
Using enforcing=0 results in inability to log in. "Could not acquire name
on session bus"
Looked into /etc/dbus-1/*, did not recognize anything as being out of
the ordinary that would need updating (what do I know?).

I am thinking about re-installation and then try to duplicate the error.
There should be a way of fixing this.


Daniel J Walsh wrote:
>
> On 08/06/2009 06:21 PM, Peter Joseph wrote:
>> While experimenting with SELinux, I finally managed to lock myself out of
>> the.....
>
> I have no idea what is going on on your system. I would figure you either
> have a problem with labeling, or you
> have a problem upgrading from an older version of SELinux.
>
> Did you upgrade or was this a fresh install?
> If an Upgrade, what version to what version
>
> Also what does
>
> # semanage login -l
> show?
> # semodule -l | grep unconfined
> Show?
>

From justinmattock at gmail.com  Fri Aug  7 22:56:33 2009
From: justinmattock at gmail.com (Justin P. Mattock)
Date: Fri, 07 Aug 2009 15:56:33 -0700
Subject: SELinux Reset
In-Reply-To: <24872725.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com>
Message-ID: <4A7CB121.7000708@gmail.com>

Peter Joseph wrote:
> This is a fresh install, Kernel Linux 2.6.29.4-167.fc11.i586
> ___________________________________________________
> # semanage login -l
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               unconfined_u              s0-s0:c0.c1023
> root                      unconfined_u              s0-s0:c0.c1023
> system_u                  system_u                  s0-s0:c0.c1023
> ___________________________________________________
> # module -l | grep unconfined
>
> unconfined      3.0.1
> unconfineduser  1.0.0
> ___________________________________________________
> Using enforcing=0 results in inability to log in. "Could not acquire name
> on session bus"
> Looked into /etc/dbus-1/*, did not recognize anything as being out of
> the ordinary that would need updating (what do I know?).
>
> I am thinking about re-installation and then try to duplicate the error.
> There should be a way of fixing this.
>
>
> Daniel J Walsh wrote:
>
>> On 08/06/2009 06:21 PM, Peter Joseph wrote:
>>
>>> While experimenting with SELinux, I finally managed to lock myself out of
>>> the.....
>>>
>> I have no idea what is going on on your system. I would figure you either
>> have a problem with labeling, or you
>> have a problem upgrading from an older version of SELinux.
>>
>> Did you upgrade or was this a fresh install?
>> If an Upgrade, what version to what version
>>
>> Also what does
>>
>> # semanage login -l
>> show?
>> # semodule -l | grep unconfined
>> Show?
>>

Hmm, this should not happen on a fresh
fedora 11 install.
From just looking, it sounds
like the dbus user is not correct. i.g. on my system
I have built dbus to have a user name.
If I look in /etc/group
it says
messagebus:x:111:myname
Distros I think do this differently.

Justin P. Mattock

From peterjb at mtaonline.net  Fri Aug  7 23:42:22 2009
From: peterjb at mtaonline.net (Peter Joseph)
Date: Fri, 7 Aug 2009 16:42:22 -0700 (PDT)
Subject: SELinux Reset
In-Reply-To: <4A7CB121.7000708@gmail.com>
References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <4A7CB121.7000708@gmail.com>
Message-ID: <24873486.post@talk.nabble.com>

> Hmm, this should not happen on a fresh
> fedora 11 install.
> From just looking, it sounds
> like the dbus user is not correct. i.g. on my system
> I have built dbus to have a user name.
> If I look in /etc/group
> it says
> messagebus:x:111:myname
> Distros I think do this differently.
>
> Justin P. Mattock

--
Yes, I looked into /etc/group - dbus user is set as follows:
dbus:x:81:

From justinmattock at gmail.com  Sat Aug  8 00:07:06 2009
From: justinmattock at gmail.com (Justin P. Mattock)
Date: Fri, 07 Aug 2009 17:07:06 -0700
Subject: SELinux Reset
In-Reply-To: <24873486.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <4A7CB121.7000708@gmail.com> <24873486.post@talk.nabble.com>
Message-ID: <4A7CC1AA.7070205@gmail.com>

Peter Joseph wrote:
>
> Hmm, this should not happen on a fresh
> fedora 11 install.
> From just looking, it sounds
> like the dbus user is not correct. i.g. on my system
> I have built dbus to have a user name.
> If I look in /etc/group
> it says
> messagebus:x:111:myname
> Distros I think do this differently.
>
> Justin P. Mattock
> --
>
> Yes, I looked into /etc/group - dbus user is set as follows:
> dbus:x:81:
>

hmm. that looks right.
What you might try is loading a fresh dbus install from source
(if you feel comfortable with that) and during the ./configure stage
add the dbus-user switch, then after installing add your name to
/etc/group (or before installing)
dbus:x:81:yourname
this way you know that dbus is compiled with you as the username,
and that any other issue might be in /etc/dbus-1/* in some config file
(or check /etc/dbus-1/* first before compiling).
Here's a good set of instructions:
http://www.linuxfromscratch.org/lfs/view/development/

Justin P. Mattock

From maximilianbianco at gmail.com  Sat Aug  8 02:08:26 2009
From: maximilianbianco at gmail.com (max bianco)
Date: Fri, 7 Aug 2009 22:08:26 -0400
Subject: SELinux Reset
In-Reply-To: <24872725.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com>
Message-ID:

On Fri, Aug 7, 2009 at 6:08 PM, Peter Joseph wrote:
>
> This is a fresh install, Kernel Linux 2.6.29.4-167.fc11.i586
> ___________________________________________________
> # semanage login -l
>
> Login Name                SELinux User              MLS/MCS Range
>
> __default__               unconfined_u              s0-s0:c0.c1023
> root                      unconfined_u              s0-s0:c0.c1023
> system_u                  system_u                  s0-s0:c0.c1023
> ___________________________________________________
> # module -l | grep unconfined
>
> unconfined      3.0.1
> unconfineduser  1.0.0
> ___________________________________________________
> Using enforcing=0 results in inability to log in. "Could not acquire name
> on session bus"
> Looked into /etc/dbus-1/*, did not recognize anything as being out of
> the ordinary that would need updating (what do I know?).
>
> I am thinking about re-installation and then try to duplicate the error.
> There should be a way of fixing this.
>

You mentioned that you were experimenting but you didn't elaborate,
were you trying to install refpolicy or something?

From peterjb at mtaonline.net  Sat Aug  8 04:52:51 2009
From: peterjb at mtaonline.net (Peter Joseph)
Date: Fri, 7 Aug 2009 21:52:51 -0700 (PDT)
Subject: SELinux Reset
In-Reply-To:
References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com>
Message-ID: <24875131.post@talk.nabble.com>

> You mentioned that you were experimenting but you didn't elaborate,
> were you trying to install refpolicy or something?

--
I was studying the effects of Boolean settings on the system (yes I am new
to all this) and during my last trial I got distracted and did not record
the changes. As I said before, I am going to trash the system and start
all over again. I don't want to waste anyone's time trying to resolve this.
If I pinpoint the cause I will post the results. Everyone's help is
greatly appreciated.
ps
The "enforcing=0 autorelabel" does not work either.
From justinmattock at gmail.com  Sat Aug  8 05:09:16 2009
From: justinmattock at gmail.com (Justin P. Mattock)
Date: Fri, 07 Aug 2009 22:09:16 -0700
Subject: SELinux Reset
In-Reply-To: <24875131.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com>
Message-ID: <4A7D087C.2040805@gmail.com>

Peter Joseph wrote:
>> You mentioned that you were experimenting but you didn't elaborate,
>> were you trying to install refpolicy or something?
>>
>
> --
> I was studying the effects of Boolean settings on the system (yes I am new
> to all this) and during my last trial I got distracted and did not record
> the changes. As I said before, I am going to trash the system and start
> all over again. I don't want to waste anyone's time trying to resolve this.
> If I pinpoint the cause I will post the results. Everyone's help is
> greatly appreciated.
> ps
> The "enforcing=0 autorelabel" does not work either.
>

enforcing=0 should work.
Are you putting it in the right area in grub/lilo?
Also you should be able to just change
/etc/selinux/config
set to permissive mode to avoid using the boot command line.
or
setenforce 0
and
echo 0 > /selinux/enforce
to put the policy in permissive mode until things get cleaned.

Justin P. Mattock

From peterjb at mtaonline.net  Sat Aug  8 07:03:22 2009
From: peterjb at mtaonline.net (Peter Joseph)
Date: Sat, 8 Aug 2009 00:03:22 -0700 (PDT)
Subject: SELinux Reset
In-Reply-To: <4A7D087C.2040805@gmail.com>
References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com>
Message-ID: <24875604.post@talk.nabble.com>

> enforcing=0 should work.
> Are you putting it in the right area in grub/lilo?
> Also you should be able to just change
> /etc/selinux/config
> set to permissive mode to avoid using the boot command line.
> or
> setenforce 0
> and
> echo 0 > /selinux/enforce
> to put the policy in permissive mode until things get cleaned.
> Justin P. Mattock

--
SELinux has to be completely DISABLED for anybody to log in. Changing
/etc/selinux/config to a permissive mode is of no use.
I am thinking about trying to change all booleans from deny to allow (wow,
what a monstrous task). After all, that is how this trouble started in the
first place.
PJ

From justinmattock at gmail.com  Sat Aug  8 07:45:07 2009
From: justinmattock at gmail.com (Justin P. Mattock)
Date: Sat, 08 Aug 2009 00:45:07 -0700
Subject: SELinux Reset
In-Reply-To: <24875604.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com> <24875604.post@talk.nabble.com>
Message-ID: <4A7D2D03.7010403@gmail.com>

Peter Joseph wrote:
>> enforcing=0 should work.
>> Are you putting it in the right area in grub/lilo?
>> also you should be able to just change >> /etc/selinux/config >> set to permissive mode to avoid using the boot command line. >> or >> setenforce 0 >> and >> echo 0> /selinux/enforce >> to put the policy in permissive mode until things get cleaned. >> Justin P. Mattock >> > -- > SELinux has to be completely DISABLED for anybody to log in. Changing > /etc/selinux/config to a permissive mode is of no use. > I am thinking about trying to change all booleans from deny to allow (wow, > what a monstrous task). After all, that is how this trouble started in the > first place. > PJ > > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > yeah but booleans don't mess with the MBR or the bootloader of the kernel? Justin P. Mattock From jmorris at namei.org Mon Aug 10 01:15:03 2009 From: jmorris at namei.org (James Morris) Date: Mon, 10 Aug 2009 11:15:03 +1000 (EST) Subject: HPLIP and Fedora9 In-Reply-To: <1249650046.5213.73.camel@moss-pluto.epoch.ncsc.mil> References: <1249587954.9612.14.camel@localhost.localdomain> <1249650046.5213.73.camel@moss-pluto.epoch.ncsc.mil> Message-ID: On Fri, 7 Aug 2009, Stephen Smalley wrote: > On Thu, 2009-08-06 at 20:45 +0100, Arthur Dent wrote: > > Hello all, > > > > I tried today to install the latest hplip package from > > http://hplipopensource.com to use the printer driver for my HP Printer > > on my Fedora 9 system (I plan to upgrade to Fedora 11 in the next few > > weeks). The install package warns you to turn off selinux so I > > setenforce 0. 
Ironically, HPLIP is an example of why you need SELinux enabled: http://blog.namei.org/2007/12/19/selinux-mitigates-hplip-vulnerability/ -- James Morris From sds at tycho.nsa.gov Mon Aug 10 11:45:05 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 10 Aug 2009 07:45:05 -0400 Subject: SELinux Reset In-Reply-To: <4A7D2D03.7010403@gmail.com> References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com> <24875604.post@talk.nabble.com> <4A7D2D03.7010403@gmail.com> Message-ID: <1249904705.2422.19.camel@moss-pluto.epoch.ncsc.mil> On Sat, 2009-08-08 at 00:45 -0700, Justin P. Mattock wrote: > Peter Joseph wrote: > >> enforcing =0 should work. > >> are you putting it the right area in grub/lilo? > >> also you should be able to just change > >> /etc/selinux/config > >> set to permissive mode to avoid using the boot command line. > >> or > >> setenforce 0 > >> and > >> echo 0> /selinux/enforce > >> to put the policy in permissive mode until things get cleaned. > >> Justin P. Mattock > >> > > -- > > SELinux has to be completely DISABLED for anybody to log in. Changing > > /etc/selinux/config to a permissive mode is of no use. > > I am thinking about trying to change all booleans from deny to allow (wow, > > what a monstrous task). After all, that is how this trouble started in the > > first place. > > PJ > > > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > > > > > yeah but booleans don't mess with the > MBR or the bootloader of the kernel? No, they are part of the policy image (if set persistently). But the booleans only affect what allow rules are enabled at any given time. If the system is in permissive mode, then the boolean settings shouldn't prevent anything from working; they will just affect what avc denials get logged. 
enforcing=0 on the kernel command line or SELINUX=permissive in /etc/selinux/config should resolve any SELinux-related denials. Out of curiosity, you didn't happen to change the xserver_object_manager boolean, did you?
-- Stephen Smalley National Security Agency
From maximilianbianco at gmail.com Mon Aug 10 13:06:45 2009 From: maximilianbianco at gmail.com (max bianco) Date: Mon, 10 Aug 2009 09:06:45 -0400 Subject: SELinux Reset In-Reply-To: <1249904705.2422.19.camel@moss-pluto.epoch.ncsc.mil> References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com> <24875604.post@talk.nabble.com> <4A7D2D03.7010403@gmail.com> <1249904705.2422.19.camel@moss-pluto.epoch.ncsc.mil> Message-ID: On Mon, Aug 10, 2009 at 7:45 AM, Stephen Smalley wrote: > On Sat, 2009-08-08 at 00:45 -0700, Justin P. Mattock wrote: >> Peter Joseph wrote: >> >> enforcing =0 should work. >> >> are you putting it the right area in grub/lilo? >> >> also you should be able to just change >> >> /etc/selinux/config >> >> set to permissive mode to avoid using the boot command line. >> >> or >> >> setenforce 0 >> >> and >> >> echo 0> /selinux/enforce >> >> to put the policy in permissive mode until things get cleaned. >> >> Justin P. Mattock >> >> >> > -- >> > SELinux has to be completely DISABLED for anybody to log in. Changing >> > /etc/selinux/config to a permissive mode is of no use. >> > I am thinking about trying to change all booleans from deny to allow (wow, >> > what a monstrous task). After all, that is how this trouble started in the >> > first place. >> > PJ >> > >> > fedora-selinux-list mailing list >> > fedora-selinux-list at redhat.com >> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> > >> > >> > >> > >> yeah but booleans don't mess with the >> MBR or the bootloader of the kernel? > > No, they are part of the policy image (if set persistently).
> > But the booleans only affect what allow rules are enabled at any given > time. If the system is in permissive mode, then the boolean settings > shouldn't prevent anything from working; they will just affect what avc > denials get logged. > > enforcing=0 on the kernel command line or SELINUX=permissive > in /etc/selinux/config should resolve any SELinux-related denials. > > Out of curiosity, you didn't happen to change the xserver_object_manager > boolean, did you? > It was the unconfined_login boolean that got him. -- The convoluted wording of legalisms grew up around the necessity to hide from ourselves the violence we intend toward each other. Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. You have done violence to him, consumed his energy. Elaborate euphemisms may conceal your intent to kill, but behind any use of power over another the ultimate assumption remains: "I feed on your energy." -Addenda to Orders in Council The Emperor Paul Muad'dib
From dwalsh at redhat.com Mon Aug 10 13:55:35 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 10 Aug 2009 09:55:35 -0400 Subject: SELinux Reset In-Reply-To: References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com> <24875604.post@talk.nabble.com> <4A7D2D03.7010403@gmail.com> <1249904705.2422.19.camel@moss-pluto.epoch.ncsc.mil> Message-ID: <4A8026D7.10802@redhat.com> On 08/10/2009 09:06 AM, max bianco wrote: > On Mon, Aug 10, 2009 at 7:45 AM, Stephen Smalley wrote: >> On Sat, 2009-08-08 at 00:45 -0700, Justin P. Mattock wrote: >>> Peter Joseph wrote: >>>>> enforcing =0 should work. >>>>> are you putting it the right area in grub/lilo? >>>>> also you should be able to just change >>>>> /etc/selinux/config >>>>> set to permissive mode to avoid using the boot command line.
>>>>> or >>>>> setenforce 0 >>>>> and >>>>> echo 0> /selinux/enforce >>>>> to put the policy in permissive mode until things get cleaned. >>>>> Justin P. Mattock >>>>> >>>> -- >>>> SELinux has to be completely DISABLED for anybody to log in. Changing >>>> /etc/selinux/config to a permissive mode is of no use. >>>> I am thinking about trying to change all booleans from deny to allow (wow, >>>> what a monstrous task). After all, that is how this trouble started in the >>>> first place. >>>> PJ >>>> >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> >>>> >>>> >>>> >>> yeah but booleans don't mess with the >>> MBR or the bootloader of the kernel? >> >> No, they are part of the policy image (if set persistently). >> >> But the booleans only affect what allow rules are enabled at any given >> time. If the system is in permissive mode, then the boolean settings >> shouldn't prevent anything from working; they will just affect what avc >> denials get logged. >> >> enforcing=0 on the kernel command line or SELINUX=permissive >> in /etc/selinux/config should resolve any SELinux-related denials. >> >> Out of curiosity, you didn't happen to change the xserver_object_manager >> boolean, did you? >> > It was the unconfined_login boolean that got him. > > > So disabling unconfined_login boolean stopped him from being able to login? From justinmattock at gmail.com Mon Aug 10 14:21:45 2009 From: justinmattock at gmail.com (Justin P. 
Mattock) Date: Mon, 10 Aug 2009 07:21:45 -0700 Subject: SELinux Reset In-Reply-To: <4A8026D7.10802@redhat.com> References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com> <24875604.post@talk.nabble.com> <4A7D2D03.7010403@gmail.com> <1249904705.2422.19.camel@moss-pluto.epoch.ncsc.mil> <4A8026D7.10802@redhat.com> Message-ID: <4A802CF9.5090700@gmail.com> Daniel J Walsh wrote: > On 08/10/2009 09:06 AM, max bianco wrote: > >> On Mon, Aug 10, 2009 at 7:45 AM, Stephen Smalley wrote: >> >>> On Sat, 2009-08-08 at 00:45 -0700, Justin P. Mattock wrote: >>> >>>> Peter Joseph wrote: >>>> >>>>>> enforcing =0 should work. >>>>>> are you putting it the right area in grub/lilo? >>>>>> also you should be able to just change >>>>>> /etc/selinux/config >>>>>> set to permissive mode to avoid using the boot command line. >>>>>> or >>>>>> setenforce 0 >>>>>> and >>>>>> echo 0> /selinux/enforce >>>>>> to put the policy in permissive mode until things get cleaned. >>>>>> Justin P. Mattock >>>>>> >>>>>> >>>>> -- >>>>> SELinux has to be completely DISABLED for anybody to log in. Changing >>>>> /etc/selinux/config to a permissive mode is of no use. >>>>> I am thinking about trying to change all booleans from deny to allow (wow, >>>>> what a monstrous task). After all, that is how this trouble started in the >>>>> first place. >>>>> PJ >>>>> >>>>> fedora-selinux-list mailing list >>>>> fedora-selinux-list at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>>> >>>>> >>>>> >>>>> >>>>> >>>> yeah but booleans don't mess with the >>>> MBR or the bootloader of the kernel? >>>> >>> No, they are part of the policy image (if set persistently). >>> >>> But the booleans only affect what allow rules are enabled at any given >>> time. 
If the system is in permissive mode, then the boolean settings >>> shouldn't prevent anything from working; they will just affect what avc >>> denials get logged. >>> >>> enforcing=0 on the kernel command line or SELINUX=permissive >>> in /etc/selinux/config should resolve any SELinux-related denials. >>> >>> Out of curiosity, you didn't happen to change the xserver_object_manager >>> boolean, did you? >>> >>> >> It was the unconfined_login boolean that got him. >> >> >> >> > So disabling unconfined_login boolean stopped him from being able to login? > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > Still confused on how he was not able to use the lilo/grub command option (unless he was putting enforcing/selinux on the wrong line). As for the unconfined_login I can see how they got stuck (probably needed to make enableaudit to see the extra denials). Justin P. Mattock
From sds at tycho.nsa.gov Mon Aug 10 14:34:17 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 10 Aug 2009 10:34:17 -0400 Subject: SELinux Reset In-Reply-To: <4A802CF9.5090700@gmail.com> References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com> <24875604.post@talk.nabble.com> <4A7D2D03.7010403@gmail.com> <1249904705.2422.19.camel@moss-pluto.epoch.ncsc.mil> <4A8026D7.10802@redhat.com> <4A802CF9.5090700@gmail.com> Message-ID: <1249914857.2422.49.camel@moss-pluto.epoch.ncsc.mil> On Mon, 2009-08-10 at 07:21 -0700, Justin P. Mattock wrote: > Daniel J Walsh wrote: > > On 08/10/2009 09:06 AM, max bianco wrote: > > > >> On Mon, Aug 10, 2009 at 7:45 AM, Stephen Smalley wrote: > >> > >>> On Sat, 2009-08-08 at 00:45 -0700, Justin P. Mattock wrote: > >>> > >>>> Peter Joseph wrote: > >>>> > >>>>>> enforcing =0 should work. > >>>>>> are you putting it the right area in grub/lilo?
> >>>>>> also you should be able to just change > >>>>>> /etc/selinux/config > >>>>>> set to permissive mode to avoid using the boot command line. > >>>>>> or > >>>>>> setenforce 0 > >>>>>> and > >>>>>> echo 0> /selinux/enforce > >>>>>> to put the policy in permissive mode until things get cleaned. > >>>>>> Justin P. Mattock > >>>>>> > >>>>>> > >>>>> -- > >>>>> SELinux has to be completely DISABLED for anybody to log in. Changing > >>>>> /etc/selinux/config to a permissive mode is of no use. > >>>>> I am thinking about trying to change all booleans from deny to allow (wow, > >>>>> what a monstrous task). After all, that is how this trouble started in the > >>>>> first place. > >>>>> PJ > >>>>> > >>>>> fedora-selinux-list mailing list > >>>>> fedora-selinux-list at redhat.com > >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>>>> > >>>>> > >>>>> > >>>>> > >>>>> > >>>> yeah but booleans don't mess with the > >>>> MBR or the bootloader of the kernel? > >>>> > >>> No, they are part of the policy image (if set persistently). > >>> > >>> But the booleans only affect what allow rules are enabled at any given > >>> time. If the system is in permissive mode, then the boolean settings > >>> shouldn't prevent anything from working; they will just affect what avc > >>> denials get logged. > >>> > >>> enforcing=0 on the kernel command line or SELINUX=permissive > >>> in /etc/selinux/config should resolve any SELinux-related denials. > >>> > >>> Out of curiosity, you didn't happen to change the xserver_object_manager > >>> boolean, did you? > >>> > >>> > >> It was the unconfined_login boolean that got him. > >> > >> > >> > >> > > So disabling unconfined_login boolean stopped him from being able to login? 
> > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > Still confused on how he was not able to use lilo/grub > command option.(unless he was putting enforcing/selinux > on the wrong line. > > As for the unconfined_login I can see how they got stuck > (probably needed to make enableaudit to see the extra denials). It would have changed not only permission checks but also the list of reachable contexts returned by libselinux when asked by pam_selinux, which could have led to no legal contexts being available for the user and thus unable to login.
-- Stephen Smalley National Security Agency
From maximilianbianco at gmail.com Mon Aug 10 14:10:36 2009 From: maximilianbianco at gmail.com (max bianco) Date: Mon, 10 Aug 2009 10:10:36 -0400 Subject: SELinux Reset In-Reply-To: <4A8026D7.10802@redhat.com> References: <24855587.post@talk.nabble.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com> <24875604.post@talk.nabble.com> <4A7D2D03.7010403@gmail.com> <1249904705.2422.19.camel@moss-pluto.epoch.ncsc.mil> <4A8026D7.10802@redhat.com> Message-ID: On Mon, Aug 10, 2009 at 9:55 AM, Daniel J Walsh wrote: > On 08/10/2009 09:06 AM, max bianco wrote: >> On Mon, Aug 10, 2009 at 7:45 AM, Stephen Smalley wrote: >>> On Sat, 2009-08-08 at 00:45 -0700, Justin P. Mattock wrote: >>>> Peter Joseph wrote: >>>>>> enforcing =0 should work. >>>>>> are you putting it the right area in grub/lilo? >>>>>> also you should be able to just change >>>>>> /etc/selinux/config >>>>>> set to permissive mode to avoid using the boot command line. >>>>>> or >>>>>> setenforce 0 >>>>>> and >>>>>> echo 0> /selinux/enforce >>>>>> to put the policy in permissive mode until things get cleaned. >>>>>> Justin P. Mattock >>>>>> >>>>> -- >>>>> SELinux has to be completely DISABLED for anybody to log in.
Changing >>>>> /etc/selinux/config to a permissive mode is of no use. >>>>> I am thinking about trying to change all booleans from deny to allow (wow, >>>>> what a monstrous task). After all, that is how this trouble started in the >>>>> first place. >>>>> PJ >>>>> >>>>> fedora-selinux-list mailing list >>>>> fedora-selinux-list at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>>> >>>>> >>>>> >>>>> >>>> yeah but booleans don't mess with the >>>> MBR or the bootloader of the kernel? >>> >>> No, they are part of the policy image (if set persistently). >>> >>> But the booleans only affect what allow rules are enabled at any given >>> time. If the system is in permissive mode, then the boolean settings >>> shouldn't prevent anything from working; they will just affect what avc >>> denials get logged. >>> >>> enforcing=0 on the kernel command line or SELINUX=permissive >>> in /etc/selinux/config should resolve any SELinux-related denials. >>> >>> Out of curiosity, you didn't happen to change the xserver_object_manager >>> boolean, did you? >>> >> It was the unconfined_login boolean that got him. >> >> >> > So disabling unconfined_login boolean stopped him from being able to login? > That's what he told me. I told him to check xserver_allow_execmem and unconfined_login. It would have hit the list but I did the reply instead of reply all. Anyway he said the unconfined_login fixed his problem. Here it is: On Sun, Aug 9, 2009 at 4:51 PM, wrote: >>check the xserver_allow_execmem and unconfined_login booleans. > > You got it! The problem stems from unconfined_login --> off. > > Thanks for your help. > > pj >
From dant at cdkkt.com Mon Aug 10 15:18:54 2009 From: dant at cdkkt.com (Daniel B. Thurman) Date: Mon, 10 Aug 2009 08:18:54 -0700 Subject: F9: sendmail AVC complaint Message-ID: <4A803A5E.9070608@cdkkt.com> I got this AVC complaint fairly recently so please let me know how to fix this one thanks!
File: /var/log/messages
=================================================
setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages (var_log_t). For complete SELinux messages. run sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2

$ sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
=================================================
Summary:

SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages (var_log_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/log/messages,

restorecon -v '/var/log/messages'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/messages [ file ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port
Host                          mysystem.mydomain.com
Source RPM Packages           sendmail-8.14.2-4.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-135.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     mysystem.mydomain.com
Platform                      Linux mysystem.mydomain.com 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Mon Aug 10 04:47:23 2009
Last Seen                     Mon Aug 10 04:47:23 2009
Local ID                      5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2
Line Numbers

Raw Audit Messages

node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/messages" dev=sda6 ino=86361 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/secure" dev=sda6 ino=86369 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/maillog" dev=sda6 ino=4956165 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350): arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458 a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

From peterjb at mtaonline.net Mon Aug 10 17:26:27 2009 From: peterjb at mtaonline.net (Peter Joseph) Date: Mon, 10 Aug 2009 10:26:27 -0700 (PDT) Subject: SELinux Reset In-Reply-To: References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com> <24875604.post@talk.nabble.com> <4A7D2D03.7010403@gmail.com> <1249904705.2422.19.camel@moss-pluto.epoch.ncsc.mil> <4A8026D7.10802@redhat.com> Message-ID: <24903910.post@talk.nabble.com> >>> It was the unconfined_login boolean that got him >> >> So disabling unconfined_login boolean stopped him from being able to >> login? That is correct.

[root at rf57 active]# cat booleans.local
# This file is auto-generated by libsemanage
# Do not edit directly.

allow_xserver_execmem=1
unconfined_login=0
__________________________________

Not being able to solve the problem I re-installed F11 and changed the default setting of unconfined_login again. Sure enough, the only way to get back in is by setting selinux=0. I tried all sorts of ways to restore it to its default, but the problem I am running into is:

root at rf57 r5f7]# /usr/sbin/getenforce
Disabled

[root at rf57 r5f7]# /usr/sbin/getsebool unconfined_login
/usr/sbin/getsebool: SELinux is disabled

[root at rf57 selinux]# setsebool unconfined_login 1
setsebool: SELinux is disabled.

There has to be a way of getting around this.
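The raw AVC records in the sendmail report earlier in this thread are the input that a later reply feeds to audit2allow; as an added example (not code from the list, from any poster, or from the SELinux userspace tools), here is a small parser that aggregates such records into candidate allow rules and lists the objects each rule would cover, so the rule can be reviewed before a module is built. The three AVC lines and the SYSCALL line are the ones from the report; the final `dir` record is constructed to show grouping by object class.

```python
"""Aggregate SELinux AVC denial records into candidate allow rules.

Added example for this thread; audit2allow does the same kind of
aggregation with far more policy knowledge. Not the tool's own code.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Three AVC records and one SYSCALL record from the sendmail report in this
# thread, plus one constructed "dir" record (serial 37351, ino 86300 and
# name="log" are made up) so that grouping by object class is visible.
SAMPLE_AUDIT_LOG = """\
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/messages" dev=sda6 ino=86361 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/secure" dev=sda6 ino=86369 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): avc: denied { read } for pid=16757 comm="sendmail" path="/var/log/maillog" dev=sda6 ino=4956165 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350): arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458 a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37351): avc: denied { search } for pid=16757 comm="sendmail" name="log" dev=sda6 ino=86300 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

RuleKey = Tuple[str, str, str]  # (source type, target type, object class)


def context_type(context: str) -> str:
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def parse_avc_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for non-AVC or incomplete records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),   # set for file-class objects
        "name": fields.get("name"),   # set for dir-class objects
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit_log(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        rec = parse_avc_line(line)
        if rec is not None:
            records.append(rec)
    return records


def aggregate_allow_rules(records: List[dict]) -> Dict[RuleKey, Set[str]]:
    """Union the denied permissions per (source, target, class) triple."""
    rules: Dict[RuleKey, Set[str]] = defaultdict(set)
    for rec in records:
        if rec["result"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def format_allow_rules(rules: Dict[RuleKey, Set[str]]) -> List[str]:
    """Render the triples as policy allow statements, sorted for stable output."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        lines.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return lines


def paths_per_rule(records: List[dict]) -> Dict[RuleKey, Set[str]]:
    """Objects each candidate rule was triggered by, for review before granting."""
    paths: Dict[RuleKey, Set[str]] = defaultdict(set)
    for rec in records:
        if rec["result"] == "denied":
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            paths[key].add(rec["path"] or rec["name"] or "<unknown>")
    return dict(paths)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    rules = aggregate_allow_rules(recs)
    covered = paths_per_rule(recs)
    for key, rule in zip(sorted(rules), format_allow_rules(rules)):
        print(rule)
        # A type-level rule grants more than the denied file: var_log_t also
        # labels /var/log/secure, which is worth noticing before loading it.
        for obj in sorted(covered[key]):
            print("    triggered by", obj)
```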
From sds at tycho.nsa.gov Mon Aug 10 17:38:30 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 10 Aug 2009 13:38:30 -0400 Subject: SELinux Reset In-Reply-To: <24903910.post@talk.nabble.com> References: <24855587.post@talk.nabble.com> <4A7C0968.2010901@redhat.com> <24872725.post@talk.nabble.com> <24875131.post@talk.nabble.com> <4A7D087C.2040805@gmail.com> <24875604.post@talk.nabble.com> <4A7D2D03.7010403@gmail.com> <1249904705.2422.19.camel@moss-pluto.epoch.ncsc.mil> <4A8026D7.10802@redhat.com> <24903910.post@talk.nabble.com> Message-ID: <1249925910.2422.60.camel@moss-pluto.epoch.ncsc.mil> On Mon, 2009-08-10 at 10:26 -0700, Peter Joseph wrote: > >>> It was the unconfined_login boolean that got him > >> > >> So disabling unconfined_login boolean stopped him from being able to > >> login? > > That is correct. > > [root at rf57 active]# cat booleans.local > # This file is auto-generated by libsemanage > # Do not edit directly. > > allow_xserver_execmem=1 > unconfined_login=0 > __________________________________ > > Not being able to solve the problem I re-installed F11 and change the > default setting of unconfined_login again. Sure enough, the only way to > get back in is by setting selinux=0. > > I tried all sorts of ways to restore it to its default, but the problem I am > running into is: > > root at rf57 r5f7]# /usr/sbin/getenforce > Disabled > > [root at rf57 r5f7]# /usr/sbin/getsebool unconfined_login > /usr/sbin/getsebool: SELinux is disabled > > [root at rf57 selinux]# setsebool unconfined_login 1 > setsebool: SELinux is disabled. > > There has to be a way of getting around this. Hmm..setsebool probably shouldn't require SELinux to be enabled (but you'd want the -P option anyway to set it persistently). What about semanage or system-config-selinux, e.g.: semanage boolean -m --on unconfined_login Or you could edit the file directly (despite the comments) and run semodule -B afterward. 
-- Stephen Smalley National Security Agency From dwalsh at redhat.com Mon Aug 10 17:45:32 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 10 Aug 2009 13:45:32 -0400 Subject: F9: sendmail AVC complaint In-Reply-To: <4A803A5E.9070608@cdkkt.com> References: <4A803A5E.9070608@cdkkt.com> Message-ID: <4A805CBC.6060900@redhat.com> On 08/10/2009 11:18 AM, Daniel B. Thurman wrote: > > I got this AVC complaint fairly recently so please > let me know how to fix this one thanks! > > File: /var/log/messages > ================================================= > setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read" to > /var/log/messages (var_log_t). For complete SELinux messages. run > sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2 > > > $ sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2 > ================================================= > Summary: > > SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages > (var_log_t). > > Detailed Description: > > SELinux denied access requested by sendmail. It is not expected that > this access > is required by sendmail and this access may signal an intrusion attempt. > It is > also possible that the specific version or configuration of the > application is > causing it to require additional access. > > Allowing Access: > > Sometimes labeling problems can cause SELinux denials. You could try to > restore > the default system file context for /var/log/messages, > > restorecon -v '/var/log/messages' > > If this does not work, there is currently no automatic way to allow this > access. > Instead, you can generate a local policy module to allow this access - > see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can > disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. > Please file a bug report > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context > system_u:system_r:system_mail_t:s0-s0:c0.c1023 > Target Context system_u:object_r:var_log_t:s0 > Target Objects /var/log/messages [ file ] > Source sendmail > Source Path /usr/sbin/sendmail.sendmail > Port > Host mysystem.mydomain.com > Source RPM Packages sendmail-8.14.2-4.fc9 > Target RPM Packages Policy RPM > selinux-policy-3.3.1-135.fc9 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall_file > Host Name mysystem.mydomain.com > Platform Linux mysystem.mydomain.com > 2.6.27.25-78.2.56.fc9.i686 #1 > SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 > Alert Count 1 > First Seen Mon Aug 10 04:47:23 2009 > Last Seen Mon Aug 10 04:47:23 2009 > Local ID 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2 > Line Numbers > Raw Audit Messages > node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): > avc: denied { read } for pid=16757 comm="sendmail" > path="/var/log/messages" dev=sda6 ino=86361 > scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:var_log_t:s0 tclass=file > > node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): > avc: denied { read } for pid=16757 comm="sendmail" > path="/var/log/secure" dev=sda6 ino=86369 > scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:var_log_t:s0 tclass=file > > node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): > avc: denied { read } for pid=16757 comm="sendmail" > path="/var/log/maillog" dev=sda6 ino=4956165 > scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:var_log_t:s0 tclass=file > > node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350): > arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458 > a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0 > suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305 > comm="sendmail" 
exe="/usr/sbin/sendmail.sendmail" > subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null) > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Well Number one Fedora 9 is no longer supported. Please upgrade to F10 or preferably F11. If you do not want to do this, you can add custom policy # grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail # semodule -i mysendmail.pp From dant at cdkkt.com Mon Aug 10 17:56:00 2009 From: dant at cdkkt.com (Daniel B. Thurman) Date: Mon, 10 Aug 2009 10:56:00 -0700 Subject: F9: sendmail AVC complaint In-Reply-To: <4A805CBC.6060900@redhat.com> References: <4A803A5E.9070608@cdkkt.com> <4A805CBC.6060900@redhat.com> Message-ID: <4A805F30.8030602@cdkkt.com> Daniel J Walsh wrote: > On 08/10/2009 11:18 AM, Daniel B. Thurman wrote: > >> I got this AVC complaint fairly recently so please >> let me know how to fix this one thanks! >> >> File: /var/log/messages >> ================================================= >> setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read" to >> /var/log/messages (var_log_t). For complete SELinux messages. run >> sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2 >> >> >> $ sealert -l 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2 >> ================================================= >> Summary: >> >> SELinux is preventing sendmail (system_mail_t) "read" to /var/log/messages >> (var_log_t). >> >> Detailed Description: >> >> SELinux denied access requested by sendmail. It is not expected that >> this access >> is required by sendmail and this access may signal an intrusion attempt. >> It is >> also possible that the specific version or configuration of the >> application is >> causing it to require additional access. >> >> Allowing Access: >> >> Sometimes labeling problems can cause SELinux denials. 
You could try to >> restore >> the default system file context for /var/log/messages, >> >> restorecon -v '/var/log/messages' >> >> If this does not work, there is currently no automatic way to allow this >> access. >> Instead, you can generate a local policy module to allow this access - >> see FAQ >> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can >> disable >> SELinux protection altogether. Disabling SELinux protection is not >> recommended. >> Please file a bug report >> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) >> against this package. >> >> Additional Information: >> >> Source Context >> system_u:system_r:system_mail_t:s0-s0:c0.c1023 >> Target Context system_u:object_r:var_log_t:s0 >> Target Objects /var/log/messages [ file ] >> Source sendmail >> Source Path /usr/sbin/sendmail.sendmail >> Port >> Host mysystem.mydomain.com >> Source RPM Packages sendmail-8.14.2-4.fc9 >> Target RPM Packages Policy RPM >> selinux-policy-3.3.1-135.fc9 >> Selinux Enabled True >> Policy Type targeted >> MLS Enabled True >> Enforcing Mode Enforcing >> Plugin Name catchall_file >> Host Name mysystem.mydomain.com >> Platform Linux mysystem.mydomain.com >> 2.6.27.25-78.2.56.fc9.i686 #1 >> SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 >> Alert Count 1 >> First Seen Mon Aug 10 04:47:23 2009 >> Last Seen Mon Aug 10 04:47:23 2009 >> Local ID 5672ff6c-ad2c-4d3b-aa2b-4c53178ed5f2 >> Line Numbers >> Raw Audit Messages >> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): >> avc: denied { read } for pid=16757 comm="sendmail" >> path="/var/log/messages" dev=sda6 ino=86361 >> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:var_log_t:s0 tclass=file >> >> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350): >> avc: denied { read } for pid=16757 comm="sendmail" >> path="/var/log/secure" dev=sda6 ino=86369 >> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 >> 
tcontext=system_u:object_r:var_log_t:s0 tclass=file
>>
>> node=mysystem.mydomain.com type=AVC msg=audit(1249904843.352:37350):
>> avc: denied { read } for pid=16757 comm="sendmail"
>> path="/var/log/maillog" dev=sda6 ino=4956165
>> scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>>
>> node=mysystem.mydomain.com type=SYSCALL msg=audit(1249904843.352:37350):
>> arch=40000003 syscall=11 success=yes exit=0 a0=8f4e3d0 a1=8f4e458
>> a2=8f4da48 a3=0 items=0 ppid=16704 pid=16757 auid=0 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=6305
>> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
>> subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
>>
>
> Well, number one, Fedora 9 is no longer supported. Please upgrade to F10 or preferably F11.
>
> If you do not want to do this, you can add custom policy
>
> # grep sendmail /var/log/audit/audit.log | audit2allow -M mysendmail
> # semodule -i mysendmail.pp
>

Thanks!
Dan

From peterjb at mtaonline.net Mon Aug 10 19:10:23 2009
From: peterjb at mtaonline.net (Peter Joseph)
Date: Mon, 10 Aug 2009 12:10:23 -0700 (PDT)
Subject: SELinux Reset
In-Reply-To: <24855587.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com>
Message-ID: <24905702.post@talk.nabble.com>

Peter Joseph wrote:
>
>>While experimenting with SELinux, I finally managed to lock myself out of the system. The only way to get back in, I had to add "selinux=0" to the end of the kernel line.
>>Now, if I run in a permissive mode the following message appears when I try to log in:
>
>>"Could not connect to session bus: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender "(unset)" interface "org.freedesktop.DBus" member "Hello" error name "(unset)" destination "org.freedesktop.DBus)."
>
>>I am forced to go back to the grub prompt and disable SELinux again, in order to get in. What is the best way to reset SEL to its original state?
>

Problem solved.

Appending selinux=0 to the end of the kernel line enabled me to get back into the system; however, I found no way of working with SELinux on account of it being disabled.
Appending unconfined_login = 1 instead brought me to a root prompt with SELinux enabled.
Used the following to check and restore:

# getsebool unconfined_login
unconfined_login --> off

# setsebool -P unconfined_login=1

# getsebool unconfined_login
unconfined_login --> on

# poweroff

One thing though, the "unconfined_login = 1" added to the kernel line has to contain a space before and after the equal sign.

From sds at tycho.nsa.gov Mon Aug 10 19:39:17 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 10 Aug 2009 15:39:17 -0400
Subject: SELinux Reset
In-Reply-To: <24905702.post@talk.nabble.com>
References: <24855587.post@talk.nabble.com> <24905702.post@talk.nabble.com>
Message-ID: <1249933157.2422.61.camel@moss-pluto.epoch.ncsc.mil>

On Mon, 2009-08-10 at 12:10 -0700, Peter Joseph wrote:
>
> Peter Joseph wrote:
> >
> >>While experimenting with SELinux, I finally managed to lock myself out of the system. The only way to get back in, I had to add "selinux=0" to the end of the kernel line.
> >>Now, if I run in a permissive mode the following message appears when I > try to log in: > > > >>"Could not connect to session bus: An SELinux policy prevents this sender > from sending this message to this recipient >(rejected message had sender > "(unset)" interface "org.freedesktop.DBus" member "Hello" error name > "(unset)" destination >"org.freedesktop.DBus)." > > > >>I am forced to go back to the grub prompt and disable SELinux again, in > order to get in. What is the best way to reset >SEL to its original state? > > > > Problem solved. > > Appending selinux=0 to the end of the kernel line enabled me to get back > into the system, however, I found no way of working with SELinux on account > of it being disabled. > Appending unconfined_login = 1 instead, brought me to a root prompt with > SELinux enabled. > Used the following to check and restore: > > # getsebool unconfined_login > unconfined_login --> off > > # setsebool -P unconfined_login=1 > > # getsebool unconfined_login > unconfined_login --> on > > # poweroff > > One thing though, the "unconfined_login = 1" added to the kernel line has to > contain a space before and after the equal sign. I think that just caused it to boot to runlevel 1, i.e. single-user mode. AFAIK, the kernel command line isn't used for booleans at all, but an integer argument will be taken as the runlevel by init. -- Stephen Smalley National Security Agency From peterjb at mtaonline.net Mon Aug 10 20:45:48 2009 From: peterjb at mtaonline.net (Peter Joseph) Date: Mon, 10 Aug 2009 13:45:48 -0700 (PDT) Subject: SELinux Reset In-Reply-To: <1249933157.2422.61.camel@moss-pluto.epoch.ncsc.mil> References: <24855587.post@talk.nabble.com> <24905702.post@talk.nabble.com> <1249933157.2422.61.camel@moss-pluto.epoch.ncsc.mil> Message-ID: <24907209.post@talk.nabble.com> Stephen Smalley wrote: > > I think that just caused it to boot to runlevel 1, i.e. single-user > mode. 
AFAIK, the kernel command line isn't used for booleans at all,
> but an integer argument will be taken as the runlevel by init.
>
> --
> Stephen Smalley
> National Security Agency

You are absolutely right - thanks for bringing this to my attention (as I said before, I am quite new to Linux).
This does, however, bring up a security question. It seems to me that editing the end of the kernel line at the grub prompt to contain "1" can compromise the system by turning over the entire control. As long as someone has access to an idle machine, local or remote, there is no way it can be protected (perhaps by using the boot-loader password - will have to try that).

From rchapman at aardvark.com.au Tue Aug 11 01:05:38 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Tue, 11 Aug 2009 09:05:38 +0800
Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
Message-ID: <4A80C3E2.7090407@aardvark.com.au>

I am running Centos 5.3 in permissive mode - and recently I started getting 4 avcs every time I boot the server. I am not sure - but I think these might have started when I changed my desktop from Gnome to KDE. I have tried the relabelling suggested in the AVC - but this hasn't fixed it. Does it look like I have something set up wrong - or is there a policy problem?

Richard.

Summary
SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux has denied setxkbmap access to potentially mislabeled file(s) (./.X11-unix). This means that SELinux will not allow setxkbmap to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access If you want setxkbmap to access this files, you need to relabel them using restorecon -v './.X11-unix'. You might want to relabel the entire directory using restorecon -R -v './.X11-unix'. Additional Information Source Context: system_u:system_r:rhgb_t Target Context: system_u:object_r:initrc_tmp_t Target Objects: ./.X11-unix [ dir ] Source: setxkbmap Source Path: /usr/bin/setxkbmap Port: Host: C5.aardvark.com.au Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-225.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: home_tmp_bad_labels Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:19:25 EDT 2009 x86_64 x86_64 Alert Count: 34 First Seen: Sun Jan 11 17:55:13 2009 Last Seen: Mon Aug 10 18:13:15 2009 Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 
a2=13 a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)

From linuxking at live.com Tue Aug 11
16:26:02 2009
From: linuxking at live.com (John Smith)
Date: Tue, 11 Aug 2009 17:26:02 +0100
Subject: Testing SELinux
Message-ID:

Hello,

I'm doing some testing of SELinux; so far I have created a domain for a special program. It does work correctly. I have not given the domain any permissions to access any top level directories or their subdirectories since I am running it in chroot. When it came to testing, I created some bash files and labelled them with the exec type as the entry to the domain. But even after changing the default security context for these bash files, when executing them they still stay in the unconfined domain instead of entering the new domain for testing. Can anyone identify where the problem is?

Thanks in advance

From goeran at uddeborg.se Tue Aug 11 18:45:28 2009
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Tue, 11 Aug 2009 20:45:28 +0200
Subject: Confining a wine application
Message-ID: <19073.48200.534937.986699@freddi.uddeborg>

I'm running Spotify (a streaming music service, http://www.spotify.com/). They don't have a native Linux client, but they recommend Linux users to use the Windows client under wine. And it does indeed work fine.

But I'm not completely comfortable with running this application unconfined. After all, it is a binary blob I download that does a lot of network traffic. Who knows what bugs it may contain? So I was considering whether it would be possible to write an SELinux policy module for it, to confine it.

As it is a wine application, the binary that runs is wine. For obvious reasons, I do not want all wine applications to be confined by this policy. Is there some good way to do this?
One possible way, I guess, would be to write a small wrapper binary that starts wine with Spotify, and make sure that program transitions into some spotify_t domain. This domain would not be allowed to transition further into wine_t. I could then implement the spotify module as a stripped down version of the wine module. I assume it would work, wouldn't it? It would be slightly fragile, in that I need to remember to not start spotify "directly", but always use the wrapper. Is there a better way to do this? Has anybody else made some efforts in confining specific wine applications? Thoughts and ideas are welcome! From sds at tycho.nsa.gov Tue Aug 11 19:35:14 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 11 Aug 2009 15:35:14 -0400 Subject: Testing SELinux In-Reply-To: References: Message-ID: <1250019314.2422.143.camel@moss-pluto.epoch.ncsc.mil> On Tue, 2009-08-11 at 17:26 +0100, John Smith wrote: > Hello, > I'm doing a testing for SELinux, so far I have create a domain for a > special program. It does work correctly. > I have not given the domain any permissions to access any top leve > directories or their subdirectories since I am running it in chroot. > The thing when it came to testing now, I have created some bash files, > and labelled with with exec as the entry to the domain. > But even after changing the default security context for these bash > files, when executing them, the still be in unconfined domain instead > of entering the new domain for testing. > Anyone can identify where is the problem? Do the bash scripts have the #!/bin/bash header? If not, then the kernel won't execute them and bash will fall back to reading them as input files, in which case they won't transition. If you strace the script with and without the header, you'll see that the actual sequence differs. 
-- Stephen Smalley National Security Agency From paul at city-fan.org Tue Aug 11 19:32:25 2009 From: paul at city-fan.org (Paul Howarth) Date: Tue, 11 Aug 2009 20:32:25 +0100 Subject: Testing SELinux In-Reply-To: References: Message-ID: <20090811203225.6dbb2468@metropolis.intra.city-fan.org> On Tue, 11 Aug 2009 17:26:02 +0100 John Smith wrote: > > Hello, > I'm doing a testing for SELinux, so far I have create a domain for a > special program. It does work correctly. I have not given the domain > any permissions to access any top leve directories or their > subdirectories since I am running it in chroot. The thing when it > came to testing now, I have created some bash files, and labelled > with with exec as the entry to the domain. But even after changing > the default security context for these bash files, when executing > them, the still be in unconfined domain instead of entering the new > domain for testing. Anyone can identify where is the problem? Transitioning to a domain usually happens via an initscript; if you want to be able to transition to your new domain from an unconfined domain, you'll need to add that transition specifically into your policy. Is your program normally started from an initscript? Paul. From mike.cloaked at gmail.com Tue Aug 11 21:20:46 2009 From: mike.cloaked at gmail.com (Mike Cloaked) Date: Tue, 11 Aug 2009 14:20:46 -0700 (PDT) Subject: rsync as backup from f11 to F10 - issues Message-ID: <24925988.post@talk.nabble.com> I have been running backups using rsync from various machines on my LAN onto a main (F10) machine into which is plugged a usb external drive that takes the backup files. This year the machine into which the backup drive is plugged has been running F10 fully up to date, and with SELinux fully enforcing. 
Machines on the LAN have been running backups across the network using an rsync command within a script which essentially does:

rsync --delete -aXH --exclude blah /opt home1:/media/usbdrive/BACKUPS/myhostname

and similar for other directories.

This has worked fine until I installed F11 on some of the machines in the LAN, with ext4 filesystems on them.

Trying the same thing in this case gave AVC denials on the machine (running F10) to which the external usb drive was attached (and with an ext3 filesystem to take the backups).

The AVC contained:

Summary
SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t.

Detailed Description
SELinux denied access requested by rsync. It is not expected that this access is required by rsync and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects: None [ capability2 ]
Source: rsync
Source Path: /usr/bin/rsync
Port:
Host: home1.xxxxxxxxx
Source RPM Packages: rsync-3.0.6-0.fc10
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-67.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: home1.xxxxxxxxx
Platform: Linux home1.xxxxxxxxxx 2.6.27.29-170.2.78.fc10.i686 #1 SMP Fri Jul 31 04:40:15 EDT 2009 i686 i686
Alert Count: 72
First Seen: Tue 11 Aug 2009 08:45:24 PM BST
Last Seen: Tue 11 Aug 2009 08:57:08 PM BST
Local ID: 2f39a50c-7f62-4e03-aa28-5826d349f52a
Line Numbers:
Raw Audit Messages :
node=home1.xxxxxxxxxxxxxx type=AVC msg=audit(1250020628.16:1141): avc: denied { mac_admin } for pid=18683 comm="rsync" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
node=home1.xxxxxxxxxxxxxx type=SYSCALL msg=audit(1250020628.16:1141): arch=40000003 syscall=227 success=no exit=-22 a0=bfc81358 a1=9e3808c a2=9e38068 a3=24 items=0 ppid=18663 pid=18683 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=145 comm="rsync" exe="/usr/bin/rsync" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

This seems to stem from a context incompatibility between F10 and F11. My work-around is as follows: I have made a new ext4 filesystem on the external drive using mke2fs -t ext4 and labelled it using e2label, and then run the backup with the drive attached to a machine running F11 with SElinux enforcing and which has an ext4 filesystem for / and /opt.

Now I am currently running a backup from one of the other machines on the LAN which is also running F11 with SElinux enforcing and so far I am not seeing AVC denials.

My question is whether there is a workaround for the original scenario of backing up files from the F11 machines onto an external drive with ext3 connected to an F10 machine with an ext3 filesystem. Or is the filesystem a red herring, with the problem stemming from selinux alone?

You may ask why I need to copy the extended attributes - it surely makes life easier if I restore files later.
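As an added example (not code from the list or from audit2allow itself), the following parses raw AVC records of the kind quoted in this post and in the sendmail thread above, merges them into the allow rules audit2allow would print, and flags the capability2 mac_admin case, which is a process trying to write a file label the running policy does not define. The sample records are constructed from values on this page, plus one extra getattr denial and a placeholder host name to show how permissions are merged.

```python
"""Turn raw SELinux AVC records into audit2allow-style allow rules."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: values taken from the sendmail and rsync records
# quoted in this thread; the getattr record and node=home1.example are
# constructed additions so that permission merging is visible.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1249904843.352:37350): avc:  denied  { read } for pid=16757 comm="sendmail" path="/var/log/messages" dev=sda6 ino=86361 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1249904843.352:37350): avc:  denied  { getattr } for pid=16757 comm="sendmail" path="/var/log/secure" dev=sda6 ino=86369 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1249904843.352:37350): arch=40000003 syscall=11 success=yes exit=0 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
node=home1.example type=AVC msg=audit(1250020628.16:1141): avc:  denied  { mac_admin } for pid=18683 comm="rsync" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
"""

# auditd prints "avc:  denied  { perms }" with double spaces; setroubleshoot
# and mail clients often collapse them, so the regex accepts either.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]


@dataclass
class Denial:
    serial: str
    perms: List[str]
    fields: Dict[str, str]

    @property
    def stype(self) -> str:
        return context_type(self.fields["scontext"])

    @property
    def ttype(self) -> str:
        return context_type(self.fields["tcontext"])

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit line; returns None for non-AVC records (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(m.group("serial"), m.group("perms").split(), fields)


def parse_audit_log(text: str) -> List[Denial]:
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def allow_rules(denials: List[Denial]) -> List[str]:
    """Merge denials per (source type, target type, class) like audit2allow."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for d in denials:
        merged.setdefault((d.stype, d.ttype, d.tclass), set()).update(d.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt  # audit2allow writes "self" here
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {target}:{cls} {plist};")
    return rules


def needs_review(d: Denial) -> str:
    """Reason not to load the generated rule as-is, or '' if there is none."""
    if d.tclass == "capability2" and "mac_admin" in d.perms:
        # CAP_MAC_ADMIN is what a process needs to store a file label the
        # running policy does not define (here: rsync -X copying F11 labels
        # onto an F10 box). Allowing it lets the process write arbitrary
        # unknown labels; not preserving the xattr is the narrower fix.
        return f"{d.fields.get('comm')} tried to set a label unknown to this policy"
    return ""


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    for d in found:
        if needs_review(d):
            print("review:", needs_review(d))
```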
From mike.cloaked at gmail.com Tue Aug 11 21:30:34 2009
From: mike.cloaked at gmail.com (Mike Cloaked)
Date: Tue, 11 Aug 2009 14:30:34 -0700 (PDT)
Subject: rsync as backup from f11 to F10 - issues
In-Reply-To: <24925988.post@talk.nabble.com>
References: <24925988.post@talk.nabble.com>
Message-ID: <24926122.post@talk.nabble.com>

Mike Cloaked wrote:
>
> Machines on the LAN have been running backups across the network using an
> rsync command within a script which essentially does:
> rsync --delete -aXH --exclude blah /opt
> home1:/media/usbdrive/BACKUPS/myhostname
> and similar for other directories.
>
> This has worked fine until I installed F11 on some of the machines in the
> LAN, with ext4 filesystems on them.
>
> Trying the same thing in this case gave AVC denials on the machine
> (running F10) to which the external usb drive was attached (and with
> an ext3 filesystem to take the backups)
>
> The AVC contained:
> Summary
> SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t.
>

I wonder if this is related to https://bugzilla.redhat.com/show_bug.cgi?id=510649

From anmajumd at cisco.com Tue Aug 11 22:54:34 2009
From: anmajumd at cisco.com (Anamitra Dutta Majumdar (anmajumd))
Date: Tue, 11 Aug 2009 15:54:34 -0700
Subject: Confining Applications running as root user
In-Reply-To: <19073.48200.534937.986699@freddi.uddeborg>
References: <19073.48200.534937.986699@freddi.uddeborg>
Message-ID: <4EF101F7236DB443A8FABF8164BFBD0C082EA6B6@xmb-sjc-223.amer.cisco.com>

We are trying to migrate our existing security policies to SELinux. We are new to SELinux and hence are finding it difficult to map our existing policies.
In our existing policy, all applications (including ones running as root user) with the exception of insmod and modprobe, are denied access to /lib directory. How would we go about writing such a policy without actually confining every application manually, since that would indeed be cumbersome? Thanks, Anamitra & Radha. From maximilianbianco at gmail.com Wed Aug 12 15:15:28 2009 From: maximilianbianco at gmail.com (max bianco) Date: Wed, 12 Aug 2009 11:15:28 -0400 Subject: Confining Applications running as root user In-Reply-To: <4EF101F7236DB443A8FABF8164BFBD0C082EA6B6@xmb-sjc-223.amer.cisco.com> References: <19073.48200.534937.986699@freddi.uddeborg> <4EF101F7236DB443A8FABF8164BFBD0C082EA6B6@xmb-sjc-223.amer.cisco.com> Message-ID: On Tue, Aug 11, 2009 at 6:54 PM, Anamitra Dutta Majumdar (anmajumd) wrote: > > > We are trying to migrate our existing security policies to SELinux. We > are new to SELinux and hence are finding it difficult to map our > existing policies. > I would recommend SELinux by Example since you will need to be familiar with the policy language to properly make the transition. I am not aware of any website that covers it in the same detail but if you find one let me know. > In our existing policy, all applications (including ones running as root > user) with the exception of insmod and modprobe, are denied access to > /lib directory. How would we go about writing such a policy without > actually confining every application manually, since that would indeed > be cumbersome? Denied access completely? I'd think that might cause some problems but there is still plenty I don't know so... You were using AppArmor or something similar? Interesting. I think a neverallow rule is probably your best bet here, it will generate compiler error if you have any rules that violate it. I don't specifically remember how the errors get reported i.e. does it spit out the specific allow rules that cause the problem? Seems I need another refpolicy refresher. 
Anyway, after I'd cleaned up the errors, which might be a task and two-thirds, I'd add my allow rules for insmod and modprobe, which share the same label, insmod_exec_t, so at least that would be easy :^)

Though the thing to consider is really: do I need to completely deny access to this directory? SELinux allows fine-grained access control, so depending on your security goals the restriction need not necessarily require heavy modification of the policy. Have you used the policy analysis tools? These should help you get a better idea of the scope of things affected by restricting access to lib_t; they take a little getting used to so be patient.

yum install setools

There is also a GUI policy dev tool, two of them actually. SLIDE is the one I think you'd need to tackle this task. I haven't really used it much, I like to beat my head against brick walls don't you know, you can install it with yum but it's separate from setools, yum install slide? http://oss.tresys.com/projects/slide

I highly recommend the book mentioned above, if you're completely new to SELinux.

So that's how I'd start to go about it anyway, there are much more experienced hands monitoring this list but they are busy folk. You could try the IRC chat #selinux and #fedora-selinux for more direct and immediate help. dgrift is usually around there and is a good resource for these kinds of questions. Also you don't mention exactly what it's for but there is a minimal selinux policy you can load and that might cut down on a lot of the work.
From dwalsh at redhat.com Wed Aug 12 20:34:14 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 12 Aug 2009 16:34:14 -0400 Subject: Confining Applications running as root user In-Reply-To: <4EF101F7236DB443A8FABF8164BFBD0C082EA6B6@xmb-sjc-223.amer.cisco.com> References: <19073.48200.534937.986699@freddi.uddeborg> <4EF101F7236DB443A8FABF8164BFBD0C082EA6B6@xmb-sjc-223.amer.cisco.com> Message-ID: <4A832746.5090606@redhat.com> On 08/11/2009 06:54 PM, Anamitra Dutta Majumdar (anmajumd) wrote: > > > We are trying to migrate our existing security policies to SELinux. We > are new to SELinux and hence are finding it difficult to map our > existing policies. > > In our existing policy, all applications (including ones running as root > user) with the exception of insmod and modprobe, are denied access to > /lib directory. How would we go about writing such a policy without > actually confining every application manually, since that would indeed > be cumbersome? > > Thanks, > Anamitra & Radha. > So you want to control an administrator that is logged in as root from writing to /lib? Not very easy to do. If he can disable selinux, load kernel modules, install rpm ... He can easily circumvent your protection. 
> -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From dwalsh at redhat.com Wed Aug 12 20:36:03 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 12 Aug 2009 16:36:03 -0400 Subject: rsync as backup from f11 to F10 - issues In-Reply-To: <24926122.post@talk.nabble.com> References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> Message-ID: <4A8327B3.3080308@redhat.com> On 08/11/2009 05:30 PM, Mike Cloaked wrote: > > > > Mike Cloaked wrote: >> >> >> Machines on the LAN have been running backups across the network using an >> rsync command within a script which essentially does: >> rsync --delete -aXH --exclude blah /opt >> home1:/media/usbdrive/BACKUPS/myhostname >> and similar for other directories. >> >> This has worked fine until I installed F11 on some of the machines in the >> LAN, with ext4 filesystems on them. >> >> Trying the same thing in this case gave AVC denials on the machine >> (running F10) to which the external usb drive was attached (and with >> an ext3 filesystem to take the backups) >> >> The AVC contained: >> Summary >> SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t. >> >> > > I wonder if this is related to > https://bugzilla.redhat.com/show_bug.cgi?id=510649 Yes you are trying to put F11 labels on an F10 box. Just set up rsync to not maintain labels. 
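Every report in this thread, from the rsync mac_admin denial to the ck-get-x11-serv and setxkbmap alerts, comes down to reading raw AVC records. As an added example (not code from this thread, and not audit2allow, though it imitates audit2allow's first pass), the script below parses "avc: denied" lines, counts them by source type, target type, class and permission, emits the allow rule that would silence each group, and separately flags the rsync case: a mac_admin denial on the capability2 class is what the kernel requests when a process tries to set a file label the loaded policy does not recognise, which is the F11-labels-on-an-F10-box mismatch Dan diagnoses, and the fix is to stop carrying labels (drop -X) rather than to grant mac_admin. The ck-get-x11-serv and setxkbmap records are copied from this thread's raw audit messages (the SYSCALL record is trimmed); the rsync record is constructed to match the setroubleshoot summary, since the thread shows only the summary. The same script serves the .Xauthority and .X11-unix reports later in the thread, whose remedy in Dan's reply is relabeling (chcon/restorecon), not a new rule.

```python
"""Summarize raw SELinux AVC records the way audit2allow's first pass does.

Added example; not code from this thread and not audit2allow itself. The
sample records below are copied from the thread's raw audit messages
(ck-get-x11-serv, setxkbmap; the SYSCALL line is trimmed) plus one
constructed rsync record matching the setroubleshoot summary
'rsync (unconfined_t) "mac_admin" unconfined_t' (capability 33 is
CAP_MAC_ADMIN, class capability2).
"""
import re
from collections import Counter

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

SAMPLE_AUDIT = """\
type=AVC msg=audit(1250062974.438:22): avc: denied { read } for pid=1325 comm="ck-get-x11-serv" name=".Xauthority" dev=dm-0 ino=78946 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1250062974.438:22): arch=40000003 syscall=33 success=no exit=-13 items=0 ppid=1324 pid=1325 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid"
type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1249899196.898:16): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1250000000.000:99): avc: denied { mac_admin } for pid=2222 comm="rsync" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
"""


def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m["comm"],
        "stype": m["scon"].split(":")[2],   # user:role:TYPE[:range]
        "ttype": m["tcon"].split(":")[2],
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
    }


def summarize(audit_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def allow_rules(counts):
    """Collapse the counter into audit2allow-style allow lines, one per (src, tgt, class)."""
    grouped = {}
    for stype, ttype, tclass, perm in counts:
        grouped.setdefault((stype, ttype, tclass), set()).add(perm)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in grouped.items()
    )


def label_problems(counts):
    """Denials that mean 'fix the labels', not 'add a rule'.

    mac_admin on capability2 is requested only when a label being set is
    not valid under the loaded policy. Allowing it would let unknown labels
    onto the filesystem instead of fixing the mismatch (here: rsync -X
    copying F11 contexts onto an F10 box).
    """
    return sorted(k for k in counts if k[2] == "capability2" and k[3] == "mac_admin")


if __name__ == "__main__":
    counts = summarize(SAMPLE_AUDIT)
    for key, n in sorted(counts.items()):
        print(n, *key)
    for rule in allow_rules(counts):
        print(rule)
    for key in label_problems(counts):
        print("label problem, do not allow:", *key)
```

Feed it `ausearch -m avc --raw` output or a copy of /var/log/audit/audit.log and it collapses repeated boots (the two setxkbmap records become one rule with a count of 2). Treat the generated allow lines as a starting point only: a confined daemon hitting admin_home_t or initrc_tmp_t is usually a labeling problem, and a mac_admin request is a label-compatibility problem, neither of which an allow rule should paper over.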
From mike.cloaked at gmail.com Wed Aug 12 21:07:31 2009 From: mike.cloaked at gmail.com (mike cloaked) Date: Wed, 12 Aug 2009 22:07:31 +0100 Subject: rsync as backup from f11 to F10 - issues In-Reply-To: <4A8327B3.3080308@redhat.com> References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> Message-ID: <3b8e57a80908121407x18dfc012m6bd276f5db803122@mail.gmail.com> On Wed, Aug 12, 2009 at 9:36 PM, Daniel J Walsh wrote: > On 08/11/2009 05:30 PM, Mike Cloaked wrote: >> >> >> >> Mike Cloaked wrote: >>> >>> >>> Machines on the LAN have been running backups across the network using an >>> rsync command within a script which essentially does: >>> rsync --delete -aXH --exclude blah /opt >>> home1:/media/usbdrive/BACKUPS/myhostname >>> and similar for other directories. >>> >>> This has worked fine until I installed F11 on some of the machines in the >>> LAN, with ext4 filesystems on them. >>> >>> Trying the same thing in this case gave AVC denials on the machine >>> (running F10) to which the external usb drive was attached (and with >>> an ext3 filesystem to take the backups) >>> >>> The AVC contained: >>> Summary >>> SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t. >>> >>> >> >> I wonder if this is related to >> https://bugzilla.redhat.com/show_bug.cgi?id=510649 > Yes you are trying to put F11 labels on an F10 box. Just set up rsync to not maintain labels. > You mean use flags -aH and not -AXH? I suppose that not putting labels onto the backup will then mean that restoring (if it became necessary) from the backup stored on the F10 box would then generate labels on the F11 box being restored that are correct according to current policy for F11 if I use rsync -aH during the restore process. Presumably labels of some kind will be generated on the backup drive on the F10 machine but would not be related to the labels on the originals. Is this how others do backups? 
How would this differ if rdiff-backup was used instead? Since rdiff-backup is rsync based presumably the same thinking applies? -- mike From olivares14031 at yahoo.com Wed Aug 12 22:23:05 2009 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Wed, 12 Aug 2009 15:23:05 -0700 (PDT) Subject: two denials one for ck-get-x11-serv and one for wine Message-ID: <418942.93452.qm@web52610.mail.re2.yahoo.com> Dear fellow selinux experts and users, I had problems updating a rawhide machine and I used xfce spin to get back in the saddle. I encountered two denials and I post them here for guidance. Thanks in Advance, Antonio Summary: SELinux is preventing the ck-get-x11-serv from using potentially mislabeled files (.Xauthority). Detailed Description: SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s) (.Xauthority). This means that SELinux will not allow ck-get-x11-serv to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want ck-get-x11-serv to access this files, you need to relabel them using restorecon -v '.Xauthority'. You might want to relabel the entire directory using restorecon -R -v ''. 
Additional Information: Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:admin_home_t:s0 Target Objects .Xauthority [ file ] Source ck-get-x11-serv Source Path /usr/libexec/ck-get-x11-server-pid Port Host (removed) Source RPM Packages ConsoleKit-x11-0.3.1-2.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.26-8.fc12 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name home_tmp_bad_labels Host Name (removed) Platform Linux localhost.localdomain 2.6.31-0.125.rc5.git2.fc12.i686 #1 SMP Tue Aug 4 03:18:57 EDT 2009 i686 i686 Alert Count 1 First Seen Wed 12 Aug 2009 02:42:54 AM CDT Last Seen Wed 12 Aug 2009 02:42:54 AM CDT Local ID ffd20bb6-e1cf-466f-b51e-9de4c94b4991 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1250062974.438:22): avc: denied { read } for pid=1325 comm="ck-get-x11-serv" name=".Xauthority" dev=dm-0 ino=78946 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1250062974.438:22): arch=40000003 syscall=33 success=no exit=-13 a0=bffedfbc a1=4 a2=18ab18 a3=bffedfbc items=0 ppid=1324 pid=1325 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) Can't copy the wine and can't submit the above one to bugzilla. The wine one looks serious as I try to run some windows programs that worked before without problems. Will see how I can capture them? From rchapman at aardvark.com.au Wed Aug 12 23:53:43 2009 From: rchapman at aardvark.com.au (Richard Chapman) Date: Thu, 13 Aug 2009 07:53:43 +0800 Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix). 
In-Reply-To: <4A80C3E2.7090407@aardvark.com.au> References: <4A80C3E2.7090407@aardvark.com.au> Message-ID: <4A835607.6050102@aardvark.com.au> I am running Centos 5.3 in permissive mode - and recently I started getting 4 avcs every time I boot the server. I am not sure - but I think these might have started when I changed my desktop from Gnome to KDE. I have tried the relabelling suggested in the AVC - but this hasn't fixed it. Does it look like I have something set up wrong - or is there a policy problem? Richard. Summary SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix). Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux has denied setxkbmap access to potentially mislabeled file(s) (./.X11-unix). This means that SELinux will not allow setxkbmap to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access If you want setxkbmap to access this files, you need to relabel them using restorecon -v './.X11-unix'. You might want to relabel the entire directory using restorecon -R -v './.X11-unix'. 
Additional Information Source Context: system_u:system_r:rhgb_t Target Context: system_u:object_r:initrc_tmp_t Target Objects: ./.X11-unix [ dir ] Source: setxkbmap Source Path: /usr/bin/setxkbmap Port: Host: C5.aardvark.com.au Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-225.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: home_tmp_bad_labels Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:19:25 EDT 2009 x86_64 x86_64 Alert Count: 34 First Seen: Sun Jan 11 17:55:13 2009 Last Seen: Mon Aug 10 18:13:15 2009 Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) Summary SELinux 
is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix). Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux has denied setxkbmap access to potentially mislabeled file(s) (./.X11-unix). This means that SELinux will not allow setxkbmap to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access If you want setxkbmap to access this files, you need to relabel them using restorecon -v './.X11-unix'. You might want to relabel the entire directory using restorecon -R -v './.X11-unix'. Additional Information Source Context: system_u:system_r:rhgb_t Target Context: system_u:object_r:initrc_tmp_t Target Objects: ./.X11-unix [ dir ] Source: setxkbmap Source Path: /usr/bin/setxkbmap Port: Host: C5.aardvark.com.au Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-225.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: home_tmp_bad_labels Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:19:25 EDT 2009 x86_64 x86_64 Alert Count: 35 First Seen: Sun Jan 11 17:55:13 2009 Last Seen: Mon Aug 10 18:13:16 2009 Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 
scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) Summary SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix). Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux has denied setxkbmap access to potentially mislabeled file(s) (./.X11-unix). This means that SELinux will not allow setxkbmap to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access If you want setxkbmap to access this files, you need to relabel them using restorecon -v './.X11-unix'. You might want to relabel the entire directory using restorecon -R -v './.X11-unix'. 
Additional Information Source Context: system_u:system_r:rhgb_t Target Context: system_u:object_r:initrc_tmp_t Target Objects: ./.X11-unix [ dir ] Source: setxkbmap Source Path: /usr/bin/setxkbmap Port: Host: C5.aardvark.com.au Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-225.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: home_tmp_bad_labels Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:19:25 EDT 2009 x86_64 x86_64 Alert Count: 36 First Seen: Sun Jan 11 17:55:13 2009 Last Seen: Mon Aug 10 18:13:17 2009 Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) Summary SELinux is preventing the 
setxkbmap from using potentially mislabeled files (./.X11-unix). Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux has denied setxkbmap access to potentially mislabeled file(s) (./.X11-unix). This means that SELinux will not allow setxkbmap to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access If you want setxkbmap to access this files, you need to relabel them using restorecon -v './.X11-unix'. You might want to relabel the entire directory using restorecon -R -v './.X11-unix'. Additional Information Source Context: system_u:system_r:rhgb_t Target Context: system_u:object_r:initrc_tmp_t Target Objects: ./.X11-unix [ dir ] Source: setxkbmap Source Path: /usr/bin/setxkbmap Port: Host: C5.aardvark.com.au Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-225.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: home_tmp_bad_labels Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:19:25 EDT 2009 x86_64 x86_64 Alert Count: 37 First Seen: Sun Jan 11 17:55:13 2009 Last Seen: Mon Aug 10 18:13:19 2009 Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 
scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) From lists at sapience.com Thu Aug 13 00:52:25 2009 From: lists at sapience.com (Mail Lists) Date: Wed, 12 Aug 2009 20:52:25 -0400 Subject: rsync as backup from f11 to F10 - issues In-Reply-To: <3b8e57a80908121407x18dfc012m6bd276f5db803122@mail.gmail.com> References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <3b8e57a80908121407x18dfc012m6bd276f5db803122@mail.gmail.com> Message-ID: <4A8363C9.8030706@sapience.com> On 08/12/2009 05:07 PM, mike cloaked wrote: > > On Wed, Aug 12, 2009 at 9:36 PM, Daniel J Walsh wrote: originals. > > > > Is this how others do backups? Can't speak for others but I do not back up selinux labels. I cannot speak to other attributes or ACLs. I think of selinux labels as belonging to the host server policy not the backup machine - so the policy in my mind comes from the target where the backups would be restored to. So, if you backed up /home/cloaked/foo and restored it to bing:/home/cloaked/foo then I would expect the labels to come from the policy on bing - whether or not the backup was made from bing or somewhere else. > > How would this differ if rdiff-backup was used instead? 
Since > > rdiff-backup is rsync based .... Dunno - I kind of thought rdiff-backup had better extended attribute handling than rsync itself and it's my preferred tool anyway. gene/ From mike.cloaked at gmail.com Thu Aug 13 09:26:43 2009 From: mike.cloaked at gmail.com (Mike Cloaked) Date: Thu, 13 Aug 2009 02:26:43 -0700 (PDT) Subject: rsync as backup from f11 to F10 - issues In-Reply-To: <4A8363C9.8030706@sapience.com> References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <3b8e57a80908121407x18dfc012m6bd276f5db803122@mail.gmail.com> <4A8363C9.8030706@sapience.com> Message-ID: <24951776.post@talk.nabble.com> Mail Lists-3 wrote: > > > Can't speak for others but I do not back up selinux labels. I cannot > speak to other attributes or ACLs. > > I think of selinux labels as belonging to the host server policy not > the backup machine - so the policy in my mind comes from the target > where the backups would be restored to. > > So, if you backed up /home/cloaked/foo and restored it to > bing:/home/cloaked/foo then I would expect the labels to come from the > policy on bing - whether or not the backup was made from bing or > somewhere else. > > > >> > How would this differ if rdiff-backup was used instead? Since >> > rdiff-backup is rsync based .... > > Dunno - I kind of thought rdiff-backup had better extended attribute > handling than rsync itself and it's my preferred tool anyway. > > gene/ > > Generally true - but one situation I found the backup done my way that I liked, to include labels, was when transitioning from F10 to F11 where I had specific labels on some files in /opt to avoid avc denials in F10. In order to move to F11 with ext4 what I did was to create a backup on the external drive and included the original labelling for F10, for the entire /opt structure. Then when I installed F11, I allowed the installer to format both / and /opt with ext4. 
Then once the install was completed I restored the /opt backup to the new /opt partition for F11 including the old F10 labels, and was able to progress using the files with their old contexts apart from an occasional need to change a context. Presumably had I restored using rsync -aH only then the file contexts would have been made according to the F11 current policy and not been a generic "file_t". Some instances would certainly not have worked such as a mail spool area on /opt that would not have been given their correct mail related contexts after the restore - although I don't know if the mail spool area, once bind mounted onto the root directory mail spool, would then get their correct contexts if I used a restorecon command on the mail spool at that time? I don't know if the same also would then apply to user areas residing on the /opt/Local/home directory? Again initially the files would have incorrect contexts restoring using rsync -aH and again once bind mounted to /home would restorecon put the correct labels back? -- View this message in context: http://www.nabble.com/rsync-as-backup-from-f11-to-F10---issues-tp24925988p24951776.html Sent from the Fedora SELinux List mailing list archive at Nabble.com. From paul at city-fan.org Thu Aug 13 10:38:49 2009 From: paul at city-fan.org (Paul Howarth) Date: Thu, 13 Aug 2009 11:38:49 +0100 Subject: rsync as backup from f11 to F10 - issues In-Reply-To: <24951776.post@talk.nabble.com> References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <3b8e57a80908121407x18dfc012m6bd276f5db803122@mail.gmail.com> <4A8363C9.8030706@sapience.com> <24951776.post@talk.nabble.com> Message-ID: <4A83ED39.3010109@city-fan.org> On 13/08/09 10:26, Mike Cloaked wrote: > > > Mail Lists-3 wrote: >> >> Cant speak for others but I do not backup selinux labels. I cannot >> speak to other attributes or ACL's. 
>> >> I think of selinux labels as belonging to the host server policy not >> the backup machine - so the policy in my mind comes from the target >> where the backups would be restored to. >> >> So, if you backed up /home/cloaked/foo and restored it to >> bing:/home/cloaked/foo then I would expect the labels to come from the >> policy on bing - whether or not the backup was made from bing or >> somewhere else. >> >> >> >>>> How would this differ if rdiff-backup was used instead? Since >>>> rdiff-backup is rsync based .... >> Dunno - I kind of thought rdiff-backup had better extended attribute >> handling than rsync itself and its my preferred tool anyway. >> >> gene/ >> >> > > Generally true - but one situation I found the backup done my way that I > liked, to include labels, was when transitioning from F10 to F11 where I had > specific labels on some files in /opt to avoid avc denials in F10. > > In order to move to F11 with ext4 what I did was to create a backup on the > external drive and included the original labelling for F10, for the entire > /opt structure. Then when I installed F11, I allowed the installer to > format both / and /opt with ext4. Then once the install was completed I > restored the /opt backup to the new /opt partition for F11 including the old > F10 labels, and was able to progress using the files with their old contexts > apart from an occasional need to change a context. > > Presumably had I restored using rsync -aH only then the file contexts would > have been made according to the F11 current policy and not been a generic > "file_t". Some instances would certainly not have worked such as a mail > spool area on /opt that would not have been given their correct mail related > contexts after the restore - although I don't know if the mail spool area, > once bind mounted onto the root directory mail spool, would then get their > correct contexts if I used a restorecon command on the mail spool at that > time? 
> > I don't know if the same also would then apply to user areas residing on the > /opt/Local/home directory? Again initially the files would have incorrect > contexts restoring using rsync -aH and again once bind mounted to /home > would restorecon put the correct labels back? You'll like this: http://danwalsh.livejournal.com/27571.html Paul. From baishuwei at gmail.com Thu Aug 13 11:18:17 2009 From: baishuwei at gmail.com (Bai Shuwei) Date: Thu, 13 Aug 2009 19:18:17 +0800 Subject: does SELinux can log all the files access? Message-ID: Hi, ALL: I cannot find any log tools to log all the file accesses, including delete/remove/read/write operations. So I want to know whether SELinux supports the functions. Thanks for your response! Best Regards! Bai Shuwei -- Love other people, as same as love yourself! Don't think all the time, do it by your hands! Personal URL: http://dslab.lzu.edu.cn:8080/members/baishw/ E-Mail: baishuwei at gmail.com or baishuwei at dslab.lzu.edu.cn From domg472 at gmail.com Thu Aug 13 11:27:25 2009 From: domg472 at gmail.com (Dominick Grift) Date: Thu, 13 Aug 2009 13:27:25 +0200 Subject: does SELinux can log all the files access? In-Reply-To: References: Message-ID: <20090813112724.GA2741@notebook3.grift.internal> On Thu, Aug 13, 2009 at 07:18:17PM +0800, Bai Shuwei wrote: > Hi, ALL: > I cannot find any log tools to log all the file accesses, including > delete/remove/read/write operations. So I want to know whether SELinux > supports the functions. Thanks for your response! > > Best Regards! The audit suite can do logging: see man auditctl. You can get selinux to log grants by adding auditallow rules. By default selinux logs denied access unless the denial is hidden using dontaudit. > > Bai Shuwei > > -- > Love other people, as same as love yourself! > Don't think all the time, do it by your hands! 
> > Personal URL: http://dslab.lzu.edu.cn:8080/members/baishw/ > E-Mail: baishuwei at gmail.com or baishuwei at dslab.lzu.edu.cn > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From dwalsh at redhat.com Thu Aug 13 17:42:08 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 13 Aug 2009 13:42:08 -0400 Subject: two denials one for ck-get-x11-serv and one for wine In-Reply-To: <418942.93452.qm@web52610.mail.re2.yahoo.com> References: <418942.93452.qm@web52610.mail.re2.yahoo.com> Message-ID: <4A845070.8010602@redhat.com> On 08/12/2009 06:23 PM, Antonio Olivares wrote: > Dear fellow selinux experts and users, > > I had problems updating a rawhide machine and I used xfce spin to get back in the saddle. I encountered two denials and I post them here for guidance. > > Thanks in Advance, > > Antonio > > Summary: > > SELinux is preventing the ck-get-x11-serv from using potentially mislabeled > files (.Xauthority). > > Detailed Description: > > SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s) > (.Xauthority). This means that SELinux will not allow ck-get-x11-serv to use > these files. It is common for users to edit files in their home directory or tmp > directories and then move (mv) them to system directories. The problem is that > the files end up with the wrong file context which confined applications are not > allowed to access. > > Allowing Access: > > If you want ck-get-x11-serv to access this files, you need to relabel them using > restorecon -v '.Xauthority'. You might want to relabel the entire directory > using restorecon -R -v ''. 
> > Additional Information: > > Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023 > Target Context unconfined_u:object_r:admin_home_t:s0 > Target Objects .Xauthority [ file ] > Source ck-get-x11-serv > Source Path /usr/libexec/ck-get-x11-server-pid > Port > Host (removed) > Source RPM Packages ConsoleKit-x11-0.3.1-2.fc12 > Target RPM Packages > Policy RPM selinux-policy-3.6.26-8.fc12 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name home_tmp_bad_labels > Host Name (removed) > Platform Linux localhost.localdomain > 2.6.31-0.125.rc5.git2.fc12.i686 #1 SMP Tue Aug 4 > 03:18:57 EDT 2009 i686 i686 > Alert Count 1 > First Seen Wed 12 Aug 2009 02:42:54 AM CDT > Last Seen Wed 12 Aug 2009 02:42:54 AM CDT > Local ID ffd20bb6-e1cf-466f-b51e-9de4c94b4991 > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1250062974.438:22): avc: denied { read } for pid=1325 comm="ck-get-x11-serv" name=".Xauthority" dev=dm-0 ino=78946 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file > > node=localhost.localdomain type=SYSCALL msg=audit(1250062974.438:22): arch=40000003 syscall=33 success=no exit=-13 a0=bffedfbc a1=4 a2=18ab18 a3=bffedfbc items=0 ppid=1324 pid=1325 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) > > > Can't copy the wine and can't submit the above one to bugzilla. The wine one looks serious as I try to run some windows programs that worked before without problems. Will see how I can capture them? > > > > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Mislabeled file. chcon -t xauth_home_t /root/.Xauthority should fix. 
Fixing labeling in selinux-policy-3.6.26-11.fc12.src.rpm

From dwalsh at redhat.com Thu Aug 13 17:46:19 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 13 Aug 2009 13:46:19 -0400
Subject: rsync as backup from f11 to F10 - issues
In-Reply-To: <24951776.post@talk.nabble.com>
References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <3b8e57a80908121407x18dfc012m6bd276f5db803122@mail.gmail.com> <4A8363C9.8030706@sapience.com> <24951776.post@talk.nabble.com>
Message-ID: <4A84516B.8090208@redhat.com>

On 08/13/2009 05:26 AM, Mike Cloaked wrote:
>
>
> Mail Lists-3 wrote:
>>
>> Can't speak for others but I do not backup selinux labels. I cannot
>> speak to other attributes or ACL's.
>>
>> I think of selinux labels as belonging to the host server policy not
>> the backup machine - so the policy in my mind comes from the target
>> where the backups would be restored to.
>>
>> So, if you backed up /home/cloaked/foo and restored it to
>> bing:/home/cloaked/foo then I would expect the labels to come from the
>> policy on bing - whether or not the backup was made from bing or
>> somewhere else.
>>
>>>> How would this differ if rdiff-backup was used instead? Since
>>>> rdiff-backup is rsync based ....
>>
>> Dunno - I kind of thought rdiff-backup had better extended attribute
>> handling than rsync itself and it's my preferred tool anyway.
>>
>> gene/
>>
>
> Generally true - but one situation I found the backup done my way that I
> liked, to include labels, was when transitioning from F10 to F11 where I had
> specific labels on some files in /opt to avoid avc denials in F10.
>
> In order to move to F11 with ext4 what I did was to create a backup on the
> external drive and included the original labelling for F10, for the entire
> /opt structure. Then when I installed F11, I allowed the installer to
> format both / and /opt with ext4.
> Then once the install was completed I
> restored the /opt backup to the new /opt partition for F11 including the old
> F10 labels, and was able to progress using the files with their old contexts
> apart from an occasional need to change a context.
>
> Presumably had I restored using rsync -aH only then the file contexts would
> have been made according to the F11 current policy and not been a generic
> "file_t". Some instances would certainly not have worked such as a mail
> spool area on /opt that would not have been given their correct mail related
> contexts after the restore - although I don't know if the mail spool area,
> once bind mounted onto the root directory mail spool, would then get their
> correct contexts if I used a restorecon command on the mail spool at that
> time?
>
> I don't know if the same also would then apply to user areas residing on the
> /opt/Local/home directory? Again initially the files would have incorrect
> contexts restoring using rsync -aH and again once bind mounted to /home
> would restorecon put the correct labels back?
>

I am not a sysadm, but I think it is better to backup the files with saving the labeling, then running restorecon after you restore the labels. If you want to change the labels somewhere on a system you should tell SELinux about this using the semanage fcontext -a command. Then restorecon will fix the labels.

The problem with moving labels from one machine to another, is that you may not have the same security labels available on both machines as you have seen. If you had both machines running the same policy, it would have worked.

From dwalsh at redhat.com Thu Aug 13 18:19:40 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 13 Aug 2009 14:19:40 -0400
Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <4A835607.6050102@aardvark.com.au>
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au>
Message-ID: <4A84593C.8000407@redhat.com>

On 08/12/2009 07:53 PM, Richard Chapman wrote:
> I am running Centos 5.3 in permissive mode - and recently I started
> getting 4 avcs every time I boot the server. I am not sure - but I think
> these might have started when I changed my desktop from Gnome to KDE. I
> have tried the relabelling suggested in the AVC - but this hasn't fixed it.
> Does it look like I have something set up wrong - or is there a policy
> problem?
> Richard.
>
>
> Summary
> SELinux is preventing the setxkbmap from using potentially mislabeled
> files (./.X11-unix).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but
> was permitted due to permissive mode.]
>
> SELinux has denied setxkbmap access to potentially mislabeled file(s)
> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
> these files. It is common for users to edit files in their home
> directory or tmp directories and then move (mv) them to system
> directories. The problem is that the files end up with the wrong file
> context which confined applications are not allowed to access.
>
> Allowing Access
> If you want setxkbmap to access this files, you need to relabel them
> using restorecon -v './.X11-unix'. You might want to relabel the entire
> directory using restorecon -R -v './.X11-unix'.
> Additional Information
>
> Source Context:               system_u:system_r:rhgb_t
> Target Context:               system_u:object_r:initrc_tmp_t
> Target Objects:               ./.X11-unix [ dir ]
> Source:                       setxkbmap
> Source Path:                  /usr/bin/setxkbmap
> Port:
> Host:                         C5.aardvark.com.au
> Source RPM Packages:          xorg-x11-xkb-utils-1.0.2-2.1
> Target RPM Packages:
> Policy RPM:                   selinux-policy-2.4.6-225.el5
> Selinux Enabled:              True
> Policy Type:                  targeted
> MLS Enabled:                  True
> Enforcing Mode:               Permissive
> Plugin Name:                  home_tmp_bad_labels
> Host Name:                    C5.aardvark.com.au
> Platform:                     Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue
>                               Aug 4 20:19:25 EDT 2009 x86_64 x86_64
> Alert Count:                  34
> First Seen:                   Sun Jan 11 17:55:13 2009
> Last Seen:                    Mon Aug 10 18:13:15 2009
> Local ID:                     0950df01-cfad-420a-9e84-4996a8d31942
> Line Numbers:
> Raw Audit Messages :
>
> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc:
> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix"
> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="setxkbmap" exe="/usr/bin/setxkbmap"
> subj=system_u:system_r:rhgb_t:s0 key=(null)
> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15):
> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="setxkbmap" exe="/usr/bin/setxkbmap"
> subj=system_u:system_r:rhgb_t:s0 key=(null)
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

chcon -R -t xserver_tmp_t /tmp/.X11-unix

I always use tmpfs for /tmp, so I never end up with garbage on a reboot.

From dwalsh at redhat.com Thu Aug 13 18:29:02 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 13 Aug 2009 14:29:02 -0400
Subject: does SELinux can log all the files access?
In-Reply-To:
References:
Message-ID: <4A845B6E.4090806@redhat.com>

On 08/13/2009 07:18 AM, Bai Shuwei wrote:
> Hi, ALL:
> I cannot find any log tools to log all the files access, including
> delete/remove/read/write operations. So i want to know whether SELinux
> support the functions. Thanks for your response!
>
> Best Regards!
>
> Bai Shuwei
>

man auditctl

Audit subsystem is what you want.
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From mike.cloaked at gmail.com Thu Aug 13 19:41:17 2009
From: mike.cloaked at gmail.com (mike cloaked)
Date: Thu, 13 Aug 2009 20:41:17 +0100
Subject: rsync as backup from f11 to F10 - issues
In-Reply-To: <4A83ED39.3010109@city-fan.org>
References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <3b8e57a80908121407x18dfc012m6bd276f5db803122@mail.gmail.com> <4A8363C9.8030706@sapience.com> <24951776.post@talk.nabble.com> <4A83ED39.3010109@city-fan.org>
Message-ID: <3b8e57a80908131241j2213cf4am618934c00f233118@mail.gmail.com>

On Thu, Aug 13, 2009 at 11:38 AM, Paul Howarth wrote:
> You'll like this:
> http://danwalsh.livejournal.com/27571.html
>
> Paul.

Indeed - that is a useful entry....

--
mike

From chepkov at yahoo.com Thu Aug 13 20:03:41 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Thu, 13 Aug 2009 13:03:41 -0700 (PDT)
Subject: samba and system users home
Message-ID: <265338.97603.qm@web36804.mail.mud.yahoo.com>

Hi,

Each time anybody tries to access a samba share I get denials like this:

type=AVC msg=audit(1250191256.756:26956): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/www" dev=dm-5 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

type=AVC msg=audit(1250191256.756:26955): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/mysql" dev=dm-4 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

I am not sure why samba is trying to access these directories, it's no one's home, just a mount point. dovecot generates the same AVCs, but only when it starts. What is the best way to suppress these? Thanks.
Sincerely yours,
Vadym Chepkov

From paul at city-fan.org Thu Aug 13 20:50:26 2009
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 13 Aug 2009 21:50:26 +0100
Subject: samba and system users home
In-Reply-To: <265338.97603.qm@web36804.mail.mud.yahoo.com>
References: <265338.97603.qm@web36804.mail.mud.yahoo.com>
Message-ID: <20090813215026.24af1fae@metropolis.intra.city-fan.org>

On Thu, 13 Aug 2009 13:03:41 -0700 (PDT)
Vadym Chepkov wrote:
> Hi,
>
> Each time anybody tries to access a samba share I get denials like
> this:
>
> type=AVC msg=audit(1250191256.756:26956): avc: denied { getattr }
> for pid=20508 comm="smbd" path="/var/www" dev=dm-5 ino=2
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> type=AVC msg=audit(1250191256.756:26955): avc: denied { getattr }
> for pid=20508 comm="smbd" path="/var/mysql" dev=dm-4 ino=2
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
>
> I am not sure why samba is trying to access these directories, it's no
> one's home, just a mount point. dovecot generates the same AVCs, but
> only when it starts. What is the best way to suppress these? Thanks.

I've been getting these for years too! Well, I've had these in local
policy for several releases:

# Samba needs to be able to access stuff under /srv
allow smbd_t var_t:dir getattr;

# F11 noise reduction
dontaudit smbd_t lost_found_t:dir { getattr read };
dontaudit smbd_t squid_cache_t:dir getattr;
dontaudit smbd_t mysqld_db_t:dir getattr;

Paul.
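Paul's lines above are the policy-source form of the fix. As an added example that is not Paul's code or anything from the selinux-policy project, the Python script below produces such a module from raw AVC records like the two Vadym posted: directory getattr/search/read denials (a daemon stat()ing mount points it never opens) become dontaudit rules with the matching require block, and any other denial is only flagged for a human to decide on. The third sample record and the module name smbd_noise are constructed for the example; the checkmodule/semodule_package/semodule sequence in the trailing comment is the standard way to build and load the result.

```python
import re

# Constructed sample input: the two AVC records quoted in the thread plus a
# third (a file read, not a directory stat) added to show that only the
# mount-point noise gets silenced and anything else is left for review.
SAMPLE_AVCS = """\
type=AVC msg=audit(1250191256.756:26956): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/www" dev=dm-5 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1250191256.756:26955): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/mysql" dev=dm-4 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1250191300.100:26960): avc: denied { read } for pid=20508 comm="smbd" path="/var/mysql/ibdata1" dev=dm-4 ino=17 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)
PATH_RE = re.compile(r'\b(?:path|name)="([^"]*)"')

# Directory permissions a daemon needs only to stat() or walk a mount point;
# denials limited to these are the noise Paul's dontaudit lines cover.
QUIET_DIR_PERMS = frozenset({"getattr", "search", "read"})


def parse_avc(line):
    """Pull source type, target type, class, permissions and path out of one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    path = PATH_RE.search(line)
    return {
        "stype": m.group("scontext").split(":")[2],  # user:role:TYPE:range
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": frozenset(m.group("perms").split()),
        "path": path.group(1) if path else None,
    }


def group_denials(avc_text):
    """Merge records sharing (source type, target type, class) into one candidate rule."""
    groups = {}
    for line in avc_text.splitlines():
        d = parse_avc(line)
        if d is None:  # SYSCALL and other non-AVC records are skipped
            continue
        g = groups.setdefault((d["stype"], d["ttype"], d["tclass"]),
                              {"perms": set(), "paths": set()})
        g["perms"] |= d["perms"]
        if d["path"]:
            g["paths"].add(d["path"])
    return groups


def fmt_perms(perms):
    """Policy syntax: one permission is written bare, several are braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(name, avc_text):
    """Return .te source: dontaudit rules for directory noise, everything else flagged."""
    types, classes, rules, review = set(), {}, [], []
    for (stype, ttype, tclass), g in group_denials(avc_text).items():
        where = ", ".join(sorted(g["paths"])) or "(no path)"
        if tclass == "dir" and g["perms"] <= QUIET_DIR_PERMS:
            types.update((stype, ttype))
            classes.setdefault(tclass, set()).update(g["perms"])
            rules.append(f"# {where}\n"
                         f"dontaudit {stype} {ttype}:{tclass} {fmt_perms(g['perms'])};")
        else:
            review.append(f"# REVIEW, not silenced: {stype} {ttype}:{tclass} "
                          f"{fmt_perms(g['perms'])}  ({where})")
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    if review:
        out += [""] + review
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Build and load the generated smbd_noise.te with the usual sequence:
    #   checkmodule -M -m -o smbd_noise.mod smbd_noise.te
    #   semodule_package -o smbd_noise.pp -m smbd_noise.mod
    #   semodule -i smbd_noise.pp
    print(build_module("smbd_noise", SAMPLE_AVCS), end="")
```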
From dwalsh at redhat.com Thu Aug 13 21:31:39 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 13 Aug 2009 17:31:39 -0400
Subject: samba and system users home
In-Reply-To: <20090813215026.24af1fae@metropolis.intra.city-fan.org>
References: <265338.97603.qm@web36804.mail.mud.yahoo.com> <20090813215026.24af1fae@metropolis.intra.city-fan.org>
Message-ID: <4A84863B.90501@redhat.com>

On 08/13/2009 04:50 PM, Paul Howarth wrote:
> On Thu, 13 Aug 2009 13:03:41 -0700 (PDT)
> Vadym Chepkov wrote:
>
>> Hi,
>>
>> Each time anybody tries to access a samba share I get denials like
>> this:
>>
>> type=AVC msg=audit(1250191256.756:26956): avc: denied { getattr }
>> for pid=20508 comm="smbd" path="/var/www" dev=dm-5 ino=2
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>>
>> type=AVC msg=audit(1250191256.756:26955): avc: denied { getattr }
>> for pid=20508 comm="smbd" path="/var/mysql" dev=dm-4 ino=2
>> scontext=system_u:system_r:smbd_t:s0
>> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
>>
>> I am not sure why samba is trying to access these directories, it's no
>> one's home, just a mount point. dovecot generates the same AVCs, but
>> only when it starts. What is the best way to suppress these? Thanks.
>
> I've been getting these for years too! Well, I've had these in local
> policy for several releases:
>
> # Samba needs to be able to access stuff under /srv
> allow smbd_t var_t:dir getattr;
>
> # F11 noise reduction
> dontaudit smbd_t lost_found_t:dir { getattr read };
> dontaudit smbd_t squid_cache_t:dir getattr;
> dontaudit smbd_t mysqld_db_t:dir getattr;
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Are these mountpoints on your system?
From chepkov at yahoo.com Thu Aug 13 21:47:55 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Thu, 13 Aug 2009 14:47:55 -0700 (PDT)
Subject: samba and system users home
In-Reply-To: <4A84863B.90501@redhat.com>
Message-ID: <847919.32867.qm@web36805.mail.mud.yahoo.com>

Yes, they are mount points.

Sincerely yours,
Vadym Chepkov

--- On Thu, 8/13/09, Daniel J Walsh wrote:

> From: Daniel J Walsh
> Subject: Re: samba and system users home
> To: "Paul Howarth"
> Cc: "Vadym Chepkov" , "Fedora SELinux"
> Date: Thursday, August 13, 2009, 5:31 PM
> On 08/13/2009 04:50 PM, Paul Howarth wrote:
> > On Thu, 13 Aug 2009 13:03:41 -0700 (PDT)
> > Vadym Chepkov wrote:
> >
> > I've been getting these for years too! Well, I've had these in local
> > policy for several releases:
> >
> > # Samba needs to be able to access stuff under /srv
> > allow smbd_t var_t:dir getattr;
> >
> > # F11 noise reduction
> > dontaudit smbd_t lost_found_t:dir { getattr read };
> > dontaudit smbd_t squid_cache_t:dir getattr;
> > dontaudit smbd_t mysqld_db_t:dir getattr;
> >
> > Paul.
>
> Are these mountpoints on your system?
>

From dwalsh at redhat.com Thu Aug 13 22:16:01 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 13 Aug 2009 18:16:01 -0400
Subject: samba and system users home
In-Reply-To: <847919.32867.qm@web36805.mail.mud.yahoo.com>
References: <847919.32867.qm@web36805.mail.mud.yahoo.com>
Message-ID: <4A8490A1.1070203@redhat.com>

On 08/13/2009 05:47 PM, Vadym Chepkov wrote:
> Yes, they are mount points.
>
> Sincerely yours,
> Vadym Chepkov
>
>
> --- On Thu, 8/13/09, Daniel J Walsh wrote:
>
>> Are these mountpoints on your system?
>>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Samba must be doing a getattr on all the mountpoints on the system. This is what makes SELinux so much fun...

From rchapman at aardvark.com.au Fri Aug 14 04:19:17 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Fri, 14 Aug 2009 12:19:17 +0800
Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <4A84593C.8000407@redhat.com>
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au> <4A84593C.8000407@redhat.com>
Message-ID: <4A84E5C5.3000908@aardvark.com.au>

Daniel J Walsh wrote:
> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>
>> I am running Centos 5.3 in permissive mode - and recently I started
>> getting 4 avcs every time I boot the server. I am not sure - but I think
>> these might have started when I changed my desktop from Gnome to KDE. I
>> have tried the relabelling suggested in the AVC - but this hasn't fixed it.
>> Does it look like I have something set up wrong - or is there a policy
>> problem?
>> Richard.
>>
>>
>> Summary
>> SELinux is preventing the setxkbmap from using potentially mislabeled
>> files (./.X11-unix).
ses=4294967295 comm="setxkbmap" >> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) >> >> >> >> Summary >> SELinux is preventing the setxkbmap from using potentially mislabeled >> files (./.X11-unix). >> Detailed Description >> [SELinux is in permissive mode, the operation would have been denied but >> was permitted due to permissive mode.] >> >> SELinux has denied setxkbmap access to potentially mislabeled file(s) >> (./.X11-unix). This means that SELinux will not allow setxkbmap to use >> these files. It is common for users to edit files in their home >> directory or tmp directories and then move (mv) them to system >> directories. The problem is that the files end up with the wrong file >> context which confined applications are not allowed to access. >> >> Allowing Access >> If you want setxkbmap to access this files, you need to relabel them >> using restorecon -v './.X11-unix'. You might want to relabel the entire >> directory using restorecon -R -v './.X11-unix'. 
>> Additional Information >> >> Source Context: system_u:system_r:rhgb_t >> Target Context: system_u:object_r:initrc_tmp_t >> Target Objects: ./.X11-unix [ dir ] >> Source: setxkbmap >> Source Path: /usr/bin/setxkbmap >> Port: >> Host: C5.aardvark.com.au >> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 >> Target RPM Packages: Policy RPM: selinux-policy-2.4.6-225.el5 >> Selinux Enabled: True >> Policy Type: targeted >> MLS Enabled: True >> Enforcing Mode: Permissive >> Plugin Name: home_tmp_bad_labels >> Host Name: C5.aardvark.com.au >> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue >> Aug 4 20:19:25 EDT 2009 x86_64 x86_64 >> Alert Count: 37 >> First Seen: Sun Jan 11 17:55:13 2009 >> Last Seen: Mon Aug 10 18:13:19 2009 >> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 >> Line Numbers: >> Raw Audit Messages : >> >> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: >> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: >> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): >> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 >> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 >> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" >> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) >> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): >> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 >> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 >> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
>> ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> chcon -R -t xserver_tmp_t /tmp/.X11-unix
>
> I always use tmpfs for /tmp, so I never end up with garbage on a reboot.
>
Thanks Daniel - but this is the response...

[root at C5 ~]# chcon -R -t xserver_tmp_t /tmp/.X11-unix
chcon: failed to change context of /tmp/.X11-unix to system_u:object_r:xserver_tmp_t: Invalid argument
chcon: failed to change context of /tmp/.X11-unix/X0 to system_u:object_r:xserver_tmp_t: Invalid argument
chcon: failed to change context of /tmp/.X11-unix/X1005 to user_u:object_r:xserver_tmp_t: Invalid argument
[root at C5 ~]#

Being pretty green - I don't really understand the problem here. Also - if this chcon worked - would this be a permanent solution - or does it need to be executed in a boot script?
I like your idea of using tmpfs - but is it ever a problem that tmpfs is relatively small and finite? Also - please excuse my ignorance - but how do I make tmpfs the tmp folder?

Richard.

From misc.lists at blueyonder.co.uk Fri Aug 14 08:10:19 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Fri, 14 Aug 2009 09:10:19 +0100
Subject: F11 Relabel problem
Message-ID: <1250237419.3387.24.camel@localhost>

Hello all,

I have just upgraded from F9 to F11 and, still having one or two selinux related problems, decided to do a /.autorelabel. Knowing how long this can take on my ageing hardware I went off for a cup of tea...

On the screen when I returned (the job had not finished) was:

SELinux: Context system_u:object_r:gamin_??? is not valid (left unmapped)

The question marks are mine. I just reached for a pen when another load of messages flashed by and the job finished.
Here is what I found in /var/log/messages:

Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:squid_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:dovecot_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:fail2ban_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:squid_var_t:s0 is not valid (left unmapped).
Context unconfined_u:object_r:squid_var_t:s0 is not valid (left unmapped).

My question(s):

1) Should I be worried?
2) Should I do anything?
Note: I don't know if this is relevant because there is not much additional information to go on in the logs, but - I have in my /etc/fstab mappings to other partitions - one of which contains the former F9 system (so that I can refer to previous system configs while I tune my F11 system). /home is on its own partition.

Thanks for any help / suggestions....

Mark

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:

From sds at tycho.nsa.gov Fri Aug 14 11:55:20 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 14 Aug 2009 07:55:20 -0400
Subject: rsync as backup from f11 to F10 - issues
In-Reply-To: <4A8327B3.3080308@redhat.com>
References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com>
Message-ID: <1250250920.2422.163.camel@moss-pluto.epoch.ncsc.mil>

On Wed, 2009-08-12 at 16:36 -0400, Daniel J Walsh wrote:
> On 08/11/2009 05:30 PM, Mike Cloaked wrote:
> >
> > Mike Cloaked wrote:
> >>
> >> Machines on the LAN have been running backups across the network using an
> >> rsync command within a script which essentially does:
> >> rsync --delete -aXH --exclude blah /opt home1:/media/usbdrive/BACKUPS/myhostname
> >> and similar for other directories.
> >>
> >> This has worked fine until I installed F11 on some of the machines in the
> >> LAN, with ext4 filesystems on them.
> >>
> >> Trying the same thing in this case gave AVC denials on the machine
> >> (running F10) to which the external usb drive was attached (and with
> >> an ext3 filesystem to take the backups)
> >>
> >> The AVC contained:
> >> Summary
> >> SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t.
> >>
> >
> > I wonder if this is related to
> > https://bugzilla.redhat.com/show_bug.cgi?id=510649
> Yes you are trying to put F11 labels on an F10 box.
> Just setup rsync to not maintain labels.

Isn't this scenario one of the reasons why we introduced the deferred context mapping support? If he allowed rsync mac_admin permission, it could in fact store the unknown labels on disk on the F10 box and later read them for restoring to the F11 system, right?

-- 
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Fri Aug 14 12:25:06 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Aug 2009 08:25:06 -0400
Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <4A84E5C5.3000908@aardvark.com.au>
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au>
Message-ID: <4A8557A2.403@redhat.com>

On 08/14/2009 12:19 AM, Richard Chapman wrote:
> Daniel J Walsh wrote:
>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>>
>>> I am running Centos 5.3 in permissive mode - and recently I started
>>> getting 4 avcs every time I boot the server. I am not sure - but I think
>>> these might have started when I changed my desktop from Gnome to KDE. I
>>> have tried the relabelling suggested in the AVC - but this hasn't
>>> fixed it.
>>> Does it look like I have something set up wrong - or is there a policy
>>> problem?
>>> Richard.
>>>
>>>
>>> Summary
>>> SELinux is preventing the setxkbmap from using potentially mislabeled
>>> files (./.X11-unix).
>>> Detailed Description
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux has denied setxkbmap access to potentially mislabeled file(s)
>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use
>>> these files. It is common for users to edit files in their home
>>> directory or tmp directories and then move (mv) them to system
>>> directories.
>>> The problem is that the files end up with the wrong file
>>> context which confined applications are not allowed to access.
>>>
>>> Allowing Access
>>> If you want setxkbmap to access this files, you need to relabel them
>>> using restorecon -v './.X11-unix'. You might want to relabel the entire
>>> directory using restorecon -R -v './.X11-unix'.
>>> Additional Information
>>>
>>> Source Context: system_u:system_r:rhgb_t
>>> Target Context: system_u:object_r:initrc_tmp_t
>>> Target Objects: ./.X11-unix [ dir ]
>>> Source: setxkbmap
>>> Source Path: /usr/bin/setxkbmap
>>> Port:
>>> Host: C5.aardvark.com.au
>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>> Target RPM Packages:
>>> Policy RPM: selinux-policy-2.4.6-225.el5
>>> Selinux Enabled: True
>>> Policy Type: targeted
>>> MLS Enabled: True
>>> Enforcing Mode: Permissive
>>> Plugin Name: home_tmp_bad_labels
>>> Host Name: C5.aardvark.com.au
>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>> Alert Count: 34
>>> First Seen: Sun Jan 11 17:55:13 2009
>>> Last Seen: Mon Aug 10 18:13:15 2009
>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>> Line Numbers:
>>> Raw Audit Messages :
>>>
>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>
>>> [snip: three further setroubleshoot reports, identical apart from Alert Count 35-37, timestamps and pids]
>>>
>> chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>
>> I always use tmpfs for /tmp, so I never end up with garbage on a reboot.
>>
> Thanks Daniel - but this is the response...
>
> [root at C5 ~]# chcon -R -t xserver_tmp_t /tmp/.X11-unix
> chcon: failed to change context of /tmp/.X11-unix to system_u:object_r:xserver_tmp_t: Invalid argument
> chcon: failed to change context of /tmp/.X11-unix/X0 to system_u:object_r:xserver_tmp_t: Invalid argument
> chcon: failed to change context of /tmp/.X11-unix/X1005 to user_u:object_r:xserver_tmp_t: Invalid argument
> [root at C5 ~]#
>
> Being pretty green - I don't really understand the problem here. Also -
> if this chcon worked - would this be a permanent solution - or does it
> need to be executed in a boot script?
> I like your idea of using tmpfs - but is it ever a problem that tmpfs is
> relatively small and finite? Also - please excuse my ignorance - but how
> do I make tmpfs the tmp folder?
>
> Richard.
>
Must have changed between RHEL5 and F11

Try

chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix

Add this line to /etc/fstab

tmpfs /tmp tmpfs rootcontext="system_u:object_r:tmp_t:s0",defaults 0 0

And reboot.

I don't tend to store huge amounts of stuff in /tmp. If I want to store big stuff I can always use /var/tmp

From gtwilliams at gmail.com Fri Aug 14 12:31:56 2009
From: gtwilliams at gmail.com (Garry T. Williams)
Date: Fri, 14 Aug 2009 08:31:56 -0400
Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <4A84E5C5.3000908@aardvark.com.au>
References: <4A80C3E2.7090407@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au>
Message-ID: <200908140831.56234.gtwilliams@gmail.com>

On Friday 14 August 2009 00:19:17 Richard Chapman wrote:
> how do I make tmpfs the tmp folder?

Add these lines to your /etc/fstab file and reboot:

tmpfs /tmp tmpfs defaults 0 0
tmpfs /var/tmp tmpfs defaults 0 0

-- 
Garry T. Williams --- +1 678 656-4579

From misc.lists at blueyonder.co.uk Fri Aug 14 12:50:47 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Fri, 14 Aug 2009 13:50:47 +0100
Subject: [OT] tmpfs - was : AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <4A8557A2.403@redhat.com>
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au> <4A8557A2.403@redhat.com>
Message-ID: <1250254247.7390.10.camel@localhost>

On Fri, 2009-08-14 at 08:25 -0400, Daniel J Walsh wrote:
> On 08/14/2009 12:19 AM, Richard Chapman wrote:
> > Daniel J Walsh wrote:
> >> On 08/12/2009 07:53 PM, Richard Chapman wrote:

[snip]

> >> I always use tmpfs for /tmp, so I never end up with garbage on a reboot.
> >>
> > I like your idea of using tmpfs - but is it ever a problem that tmpfs is
> > relatively small and finite? Also - please excuse my ignorance - but how
> > do I make tmpfs the tmp folder?
> >
> > Richard.
> >
> Must have changed between RHEL5 and F11
>
> Try
>
> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>
> Add this line to /etc/fstab
>
> tmpfs /tmp tmpfs rootcontext="system_u:object_r:tmp_t:s0",defaults 0 0
>
> And reboot.
>
> I don't tend to store huge amounts of stuff in /tmp. If I want to store big stuff I can always use /var/tmp

Forgive the off-topic response, but I too like the idea of a self-washing /tmp. However I am concerned that I don't really understand how it works.
What, for example, would be the effect of doing this on a server which has only limited RAM and is only rebooted periodically. Would all the RAM get filled up over time by tmpfs and then everything would have to run in swap?

Would I need to reboot regularly just to clean tmpfs?

I do like the idea and have just implemented it on my desktop machine which has more RAM and gets shut down every day...

Thanks...

Mark

From misc.lists at blueyonder.co.uk Fri Aug 14 12:56:57 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Fri, 14 Aug 2009 13:56:57 +0100
Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <200908140831.56234.gtwilliams@gmail.com>
References: <4A80C3E2.7090407@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au> <200908140831.56234.gtwilliams@gmail.com>
Message-ID: <1250254617.7390.13.camel@localhost>

On Fri, 2009-08-14 at 08:31 -0400, Garry T. Williams wrote:
> On Friday 14 August 2009 00:19:17 Richard Chapman wrote:
> > how do I make tmpfs the tmp folder?
>
> Add these lines to your /etc/fstab file and reboot:
>
> tmpfs /tmp tmpfs defaults 0 0
> tmpfs /var/tmp tmpfs defaults 0 0
>

Interesting...

Does this mean that if /tmp fills up the available RAM it will start using /var/tmp instead?

From rcritten at redhat.com Fri Aug 14 13:16:36 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Aug 2009 09:16:36 -0400
Subject: Apache crashing in F-11
Message-ID: <4A8563B4.3070609@redhat.com>

I'm having a problem where Apache is segfaulting when SELinux is enabled because of an AVC. I'm using freeIPA which defines a mod_python handler. The AVCs are:

type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for pid=7849 comm="httpd" path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1 ino=442585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for pid=7850 comm="httpd" path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs ino=33960 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file

audit2allow generated this:

module test 1.0;

require {
	type httpd_tmp_t;
	type httpd_t;
	type httpd_tmpfs_t;
	class file execute;
}

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_tmpfs_t:file execute;

I'm a bit stumped. What should I look for, something doing an exec, something messing in /tmp, both?

thanks

rob

From dwalsh at redhat.com Fri Aug 14 13:25:10 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Aug 2009 09:25:10 -0400
Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <1250254617.7390.13.camel@localhost>
References: <4A80C3E2.7090407@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au> <200908140831.56234.gtwilliams@gmail.com> <1250254617.7390.13.camel@localhost>
Message-ID: <4A8565B6.8090203@redhat.com>

On 08/14/2009 08:56 AM, Arthur Dent wrote:
> On Fri, 2009-08-14 at 08:31 -0400, Garry T. Williams wrote:
>> On Friday 14 August 2009 00:19:17 Richard Chapman wrote:
>>> how do I make tmpfs the tmp folder?
>>
>> Add these lines to your /etc/fstab file and reboot:
>>
>> tmpfs /tmp tmpfs defaults 0 0
>> tmpfs /var/tmp tmpfs defaults 0 0
>>
>
> Interesting...
>
> Does this mean that if /tmp fills up the available RAM it will start
> using /var/tmp instead?
>
No. Just means that both are separate temporary memory file systems.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Fri Aug 14 13:28:16 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Aug 2009 09:28:16 -0400
Subject: [OT] tmpfs - was : AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <1250254247.7390.10.camel@localhost>
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au> <4A8557A2.403@redhat.com> <1250254247.7390.10.camel@localhost>
Message-ID: <4A856670.9090102@redhat.com>

On 08/14/2009 08:50 AM, Arthur Dent wrote:
> On Fri, 2009-08-14 at 08:25 -0400, Daniel J Walsh wrote:
>> On 08/14/2009 12:19 AM, Richard Chapman wrote:
>>> Daniel J Walsh wrote:
>>>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>
> [snip]
>
>>>>
>>>> I always use tmpfs for /tmp, so I never end up with garbage on a reboot.
>>>>
>>>>
>>> I like your idea of using tmpfs - but is it ever a problem that tmpfs is
>>> relatively small and finite? Also - please excuse my ignorance - but how
>>> do I make tmpfs the tmp folder?
>>>
>>> Richard.
>>>
>>>
>> Must have changed between RHEL5 and F11
>>
>> Try
>>
>> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>>
>> Add this line to /etc/fstab
>>
>> tmpfs /tmp tmpfs rootcontext="system_u:object_r:tmp_t:s0",defaults 0 0
>>
>> And reboot.
>>
>> I don't tend to store huge amounts of stuff in /tmp. If I want to store big stuff I can always use /var/tmp
>
> Forgive the off-topic response, but I too like the idea of a
> self-washing /tmp. However I am concerned that I don't really understand
> how it works. What, for example, would be the effect of doing this on a
> server which has only limited RAM and is only rebooted periodically?
> Would all the RAM get filled up over time by tmpfs and then everything
> would have to run in swap?
>
> Would I need to reboot regularly just to clean tmpfs?
>
Well there are tools like tmpwatch and tmpreaper that periodically clean up /tmp files.

On a server or system with limited RAM, this might not be a great idea, since you could run out of memory. I do not know if you can put a quota on it. I just don't store a lot of junk on /tmp, so it is never a problem.

And I have had problems in the past with mislabeled files either via SELinux or UID problems in /tmp causing havoc with login.

I am on a personal crusade to stop all system services (processes running as UID=0) from using /tmp. /var/tmp

> I do like the idea and have just implemented it on my desktop machine
> which has more RAM and gets shut down every day...
>
> Thanks...
>
> Mark
>

From dwalsh at redhat.com Fri Aug 14 14:37:07 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Aug 2009 10:37:07 -0400
Subject: F11 Relabel problem
In-Reply-To: <1250237419.3387.24.camel@localhost>
References: <1250237419.3387.24.camel@localhost>
Message-ID: <4A857693.5010206@redhat.com>

On 08/14/2009 04:10 AM, Arthur Dent wrote:
> Hello all,
>
> I have just upgraded from F9 to F11 and, still having one or two selinux
> related problems, decided to do a /.autorelabel.
>
> Knowing how long this can take on my ageing hardware I went off for a
> cup of tea...
>
> On the screen when I returned (the job had not finished) was:
> SELinux: Context system_u:object_r:gamin_??? is not valid (left unmapped)
>
> The question marks are mine. I just reached for a pen when another load
> of messages flashed by and the job finished.
>
> Here is what I found in /var/log/messages:
>
> Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:squid_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:dovecot_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:fail2ban_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
> Context system_u:object_r:squid_var_t:s0 is not valid (left unmapped).
> Context unconfined_u:object_r:squid_var_t:s0 is not valid (left unmapped).
>
>
> My question(s):
>
> 1) Should I be worried?
> 2) Should I do anything?
>
> Note: I don't know if this is relevant because there is not much
> additional information to go on in the logs, but - I have in
> my /etc/fstab mappings to other partitions - one of which contains the
> former F9 system (so that I can refer to previous system configs while I
> tune my F11 system). /home is on its own partition.
>
> Thanks for any help / suggestions....
>
> Mark
>
The problem is a lot of the scripts were renamed from DAEMON_script_exec_t to DAEMON_initrc_exec_t.

So I think restore is complaining because the previous label has gone away.
If you ls -lZ /etc/init.d/

Look for unlabeled_t or script_exec_t; if you have those you might have a problem.

If they all look like *initrc_exec_t or just initrc_exec_t then you are probably ok.

From dwalsh at redhat.com Fri Aug 14 14:38:47 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Aug 2009 10:38:47 -0400
Subject: Apache crashing in F-11
In-Reply-To: <4A8563B4.3070609@redhat.com>
References: <4A8563B4.3070609@redhat.com>
Message-ID: <4A8576F7.3040201@redhat.com>

On 08/14/2009 09:16 AM, Rob Crittenden wrote:
> I'm having a problem where Apache is segfaulting when SELinux is enabled
> because of an AVC. I'm using freeIPA which defines a mod_python handler.
>
> The AVCs are:
>
> type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for
> pid=7849 comm="httpd"
> path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1
> ino=442585 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
>
> type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for
> pid=7850 comm="httpd"
> path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs
> ino=33960 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
>
> audit2allow generated this:
>
> module test 1.0;
>
> require {
> type httpd_tmp_t;
> type httpd_t;
> type httpd_tmpfs_t;
> class file execute;
> }
>
> #============= httpd_t ==============
> allow httpd_t httpd_tmp_t:file execute;
> allow httpd_t httpd_tmpfs_t:file execute;
>
> I'm a bit stumped. What should I look for, something doing an exec,
> something messing in /tmp, both?
>
> thanks
>
> rob
>
>
Apache executing something in /tmp, just feels like a very bad idea. I am not sure mod_python is doing this, but I would look for some configuration that is putting files in /tmp.
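Decoding the two AVCs Rob posted, as an added example that is not part of any message in this thread: auditd hex-encodes a path that contains a space, which is why the path= fields above are hex strings, and this parser turns them back into paths and flags the pattern Dan describes (httpd wanting execute on a file under a temp directory). The third sample record and all function names are constructed for the example.

```python
"""Parse and triage SELinux AVC records (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample input: the two records Rob posted, plus a third ordinary
# record (made up here) whose name= field needs no hex decoding.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for '
    'pid=7849 comm="httpd" path=2F746D702F6666696A7435517772202864656C6574656429 '
    'dev=sda1 ino=442585 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for '
    'pid=7850 comm="httpd" path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 '
    'dev=tmpfs ino=33960 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file',
    'type=AVC msg=audit(1250255400.000:27660): avc: denied { read } for '
    'pid=7851 comm="httpd" name="index.html" dev=sda1 ino=12345 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")

# auditd hex-encodes these string-valued fields when the value contains a
# space, a quote or a control character; numeric fields such as pid= or ino=
# are never encoded, so only decode the fields that can be.
ENCODED_FIELDS = frozenset({"path", "name", "comm", "exe", "cwd", "proctitle"})
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Avc:
    result: str    # "denied" or "granted"
    perms: list    # e.g. ["execute"]
    fields: dict   # remaining key=value pairs, decoded

    def type_of(self, ctx_field: str) -> str:
        """Return the type part (user:role:TYPE:level) of scontext/tcontext."""
        return self.fields[ctx_field].split(":")[2]

    def object_path(self) -> str:
        return self.fields.get("path") or self.fields.get("name", "?")


def decode_value(key: str, raw: str) -> str:
    """Strip quotes, or hex-decode an encoded string field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in ENCODED_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line: str):
    """Return an Avc for an avc: record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(m.group("rest"))}
    return Avc(m.group("result"), m.group("perms").split(), fields)


def classify(avc: Avc) -> list:
    """Findings an admin would want before reaching for audit2allow."""
    findings = []
    path = avc.object_path()
    if (avc.result == "denied" and "execute" in avc.perms
            and avc.fields.get("tclass") == "file" and path.startswith(TEMP_DIRS)):
        # The pattern in this thread: httpd_t wants execute on a file it (or a
        # module it loaded) created under a temp directory.  Allowing it would
        # make every httpd-writable temp file a potential executable, so the
        # fix is to find what writes there, as Dan suggests.
        findings.append("exec-from-tmp")
    if path.endswith(" (deleted)"):
        # The kernel appends "(deleted)" when the file was unlinked while the
        # process still held it open: the object now exists only as an open fd.
        findings.append("unlinked-while-open")
    return findings


def report(lines) -> list:
    """One summary string per AVC record; non-AVC lines are skipped."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        tags = ", ".join(classify(avc)) or "-"
        out.append(f"{avc.type_of('scontext')} -> {avc.type_of('tcontext')} "
                   f"{{{' '.join(avc.perms)}}} {avc.object_path()} [{tags}]")
    return out


if __name__ == "__main__":
    for summary in report(SAMPLE_AVCS):
        print(summary)
```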
From dwalsh at redhat.com Fri Aug 14 14:41:17 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Aug 2009 10:41:17 -0400
Subject: rsync as backup from f11 to F10 - issues
In-Reply-To: <1250250920.2422.163.camel@moss-pluto.epoch.ncsc.mil>
References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <1250250920.2422.163.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <4A85778D.6030902@redhat.com>

On 08/14/2009 07:55 AM, Stephen Smalley wrote:
> On Wed, 2009-08-12 at 16:36 -0400, Daniel J Walsh wrote:
>> On 08/11/2009 05:30 PM, Mike Cloaked wrote:
>>>
>>> Mike Cloaked wrote:
>>>>
>>>> Machines on the LAN have been running backups across the network using an
>>>> rsync command within a script which essentially does:
>>>> rsync --delete -aXH --exclude blah /opt
>>>> home1:/media/usbdrive/BACKUPS/myhostname
>>>> and similar for other directories.
>>>>
>>>> This has worked fine until I installed F11 on some of the machines in the
>>>> LAN, with ext4 filesystems on them.
>>>>
>>>> Trying the same thing in this case gave AVC denials on the machine
>>>> (running F10) to which the external usb drive was attached (and with
>>>> an ext3 filesystem to take the backups)
>>>>
>>>> The AVC contained:
>>>> Summary
>>>> SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t.
>>>>
>>>
>>> I wonder if this is related to
>>> https://bugzilla.redhat.com/show_bug.cgi?id=510649
>> Yes you are trying to put F11 labels on an F10 box. Just setup rsync to not maintain labels.
>
> Isn't this scenario one of the reasons why we introduced the deferred
> context mapping support?
> If he allowed rsync mac_admin permission, it could in fact store the
> unknown labels on disk on the F10 box and later read them for restoring
> to the F11 system, right?
>
Yes that would work, but I thought we were frowning on this. The files would also be unusable by any confined processes on the F10 machine, I am not sure what would happen with the association denied, errors.

From misc.lists at blueyonder.co.uk Fri Aug 14 14:49:16 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Fri, 14 Aug 2009 15:49:16 +0100
Subject: F11 Relabel problem
In-Reply-To: <4A857693.5010206@redhat.com>
References: <1250237419.3387.24.camel@localhost> <4A857693.5010206@redhat.com>
Message-ID: <1250261356.4119.3.camel@localhost>

On Fri, 2009-08-14 at 10:37 -0400, Daniel J Walsh wrote:
> On 08/14/2009 04:10 AM, Arthur Dent wrote:

> The problem is a lot of the scripts were renamed from
>
> DAEMON_script_exec_t to DAEMON_initrc_exec_t
>
> So I think restore is complaining because the previous label has gone away.
>
> If you ls -lZ /etc/init.d/
>
> Look for unlabeled_t or script_exec_t, if you have those you might have a problem.
>
> If they all look like *initrc_exec_t or just initrc_exec_t then you are probably ok.
>

This could be my problem:

ls -lZ /etc/init.d/
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 acpid
-rwxr-xr-x. root root system_u:object_r:crond_initrc_exec_t:s0 atd
-rwxr-xr-x. root root system_u:object_r:auditd_initrc_exec_t:s0 auditd
-rwxr-xr-x. root root system_u:object_r:avahi_initrc_exec_t:s0 avahi-daemon
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 backuppc
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 btseed
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 bttrack
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 clamd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 cpuspeed
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 crond
-rwxr-xr-x. root root system_u:object_r:cupsd_initrc_exec_t:s0 cups
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 cups-config-daemon
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 dc_client
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 dc_server
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ddclient
-rwxr-xr-x. root root system_u:object_r:dnsmasq_initrc_exec_t:s0 dnsmasq
-rwxr-xr-x. root root system_u:object_r:dovecot_initrc_exec_t:s0 dovecot
-rwxr-xr-x. root root system_u:object_r:fail2ban_initrc_exec_t:s0 fail2ban
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 firstboot
-rw-r--r--. root root system_u:object_r:bin_t:s0 functions
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 gpm
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 haldaemon
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 halt
-rwxr-xr-x. root root system_u:object_r:httpd_initrc_exec_t:s0 httpd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ip6tables
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 iptables
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 killall
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 lm_sensors
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 mdmonitor
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 messagebus
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 multipathd
-rwxr-xr-x. root root system_u:object_r:mysqld_initrc_exec_t:s0 mysqld
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netconsole
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netfs
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netplugd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 network
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 NetworkManager
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 nfs
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 nfslock
-rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 nmb
-rwxr-xr-x. root root system_u:object_r:nscd_initrc_exec_t:s0 nscd
-rwxr-xr-x. root root system_u:object_r:ntpd_initrc_exec_t:s0 ntpd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ntpdate
-rwxr-xr-x. root root system_u:object_r:openvpn_initrc_exec_t:s0 openvpn
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 pcscd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 portreserve
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 psacct
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 racoon
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rdisc
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 restorecond
-rwxr-xr-x. root root system_u:object_r:rpcbind_initrc_exec_t:s0 rpcbind
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcgssd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcidmapd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcsvcgssd
-rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 rsyslog
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 saslauthd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 sendmail
-rwxr-xr-x. root root system_u:object_r:shorewall_initrc_exec_t:s0 shorewall
-rwxr-xr-x. root root system_u:object_r:fsdaemon_initrc_exec_t:s0 smartd
-rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 smb
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 smolt
-rwxr-xr-x. root root system_u:object_r:snmpd_initrc_exec_t:s0 snmpd
-rwxr-xr-x. root root system_u:object_r:snmpd_initrc_exec_t:s0 snmptrapd
-rwxr-xr-x. root root system_u:object_r:spamd_initrc_exec_t:s0 spamassassin
-rwxr-xr-x. root root system_u:object_r:squid_initrc_exec_t:s0 squid
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 squidGuard
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 sshd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 transparent-proxying
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 udev-post
-rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 winbind
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 wpa_supplicant
-rwxr-xr-x. root root system_u:object_r:ypbind_initrc_exec_t:s0 ypbind

Looks OK ... But

ls -lZ /mnt/F9/etc/init.d/
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 acpid
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 anacron
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 atd
-rwxr-xr-x. root root system_u:object_r:auditd_script_exec_t:s0 auditd
-rwxr-xr-x. root root system_u:object_r:avahi_initrc_exec_t:s0 avahi-daemon
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 backuppc
-rwxr-xr-x. root root system_u:object_r:bluetooth_script_exec_t:s0 bluetooth
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 btseed
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 bttrack
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 clamd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 cpuspeed
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 crond
-rwxr-xr-x. root root system_u:object_r:cupsd_initrc_exec_t:s0 cups
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 cups-config-daemon
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 dc_client
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 dc_server
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ddclient
-rwxr-xr-x. root root system_u:object_r:dnsmasq_script_exec_t:s0 dnsmasq
-rwxr-xr-x. root root system_u:object_r:dovecot_script_exec_t:s0 dovecot
-rwxr-xr-x. root root system_u:object_r:bluetooth_script_exec_t:s0 dund
-rwxr-xr-x. root root system_u:object_r:fail2ban_script_exec_t:s0 fail2ban
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 firestarter
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 firstboot
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 functions
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 gpm
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 haldaemon
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 halt
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 hsqldb
-rwxr-xr-x. root root system_u:object_r:httpd_script_exec_t:s0 httpd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ip6tables
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 iptables
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 irda
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 irqbalance
-rwxr-xr-x. root root system_u:object_r:kerneloops_script_exec_t:s0 kerneloops
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 killall
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 lm_sensors
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 mdmonitor
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 messagebus
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 microcode_ctl
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 multipathd
-rwxr-xr-x. root root system_u:object_r:mysqld_script_exec_t:s0 mysqld
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netconsole
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netfs
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netplugd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 network
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 NetworkManager
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 nfs
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 nfslock
-rwxr-xr-x. root root system_u:object_r:samba_script_exec_t:s0 nmb
-rwxr-xr-x. root root system_u:object_r:nscd_script_exec_t:s0 nscd
-rwxr-xr-x. root root system_u:object_r:ntpd_script_exec_t:s0 ntpd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ntpdate
-rwxr-xr-x. root root system_u:object_r:openvpn_script_exec_t:s0 openvpn
-rwxr-xr-x. root root system_u:object_r:bluetooth_script_exec_t:s0 pand
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 pcscd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 psacct
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 racoon
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rdisc
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 restorecond
-rwxr-xr-x. root root system_u:object_r:rpcbind_script_exec_t:s0 rpcbind
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcgssd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcidmapd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcsvcgssd
-rwxr-xr-x. root root system_u:object_r:syslogd_script_exec_t:s0 rsyslog
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 saslauthd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 sendmail
-rwxr-xr-x. root root system_u:object_r:setroubleshoot_script_exec_t:s0 setroubleshoot
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 shorewall
-rwxr-xr-x. root root system_u:object_r:fsdaemon_script_exec_t:s0 smartd
-rwxr-xr-x. root root system_u:object_r:samba_script_exec_t:s0 smb
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 smolt
-rwxr-xr-x. root root system_u:object_r:snmp_script_exec_t:s0 snmpd
-rwxr-xr-x. root root system_u:object_r:snmp_script_exec_t:s0 snmptrapd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 spamassassin
-rwxr-xr-x. root root system_u:object_r:squid_script_exec_t:s0 squid
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 squidGuard
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 sshd
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 transparent-proxying
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 udev-post
-rwxr-xr-x. root root system_u:object_r:samba_script_exec_t:s0 winbind
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 wpa_supplicant
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ypbind

This is the old F9 partition. Should I try to fix them somehow or just umount the F9 partition and only mount it when I need to peek inside?

Thanks!

Mark

From dwalsh at redhat.com Fri Aug 14 15:00:05 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Aug 2009 11:00:05 -0400
Subject: F11 Relabel problem
In-Reply-To: <1250261356.4119.3.camel@localhost>
References: <1250237419.3387.24.camel@localhost> <4A857693.5010206@redhat.com> <1250261356.4119.3.camel@localhost>
Message-ID: <4A857BF5.6050102@redhat.com>

On 08/14/2009 10:49 AM, Arthur Dent wrote:
> On Fri, 2009-08-14 at 10:37 -0400, Daniel J Walsh wrote:
>> On 08/14/2009 04:10 AM, Arthur Dent wrote:
>
>> The problem is a lot of the scripts were renamed from
>>
>> DAEMON_script_exec_t to DAEMON_initrc_exec_t
>>
>> So I think restore is complaining because the previous label has gone away.
>>
>> If you ls -lZ /etc/init.d/
>>
>> Look for unlabeled_t or script_exec_t, if you have those you might have a problem.
>>
>> If they all look like *initrc_exec_t or just initrc_exec_t then you are probably ok.
>>
>
> This could be my problem:
>
> ls -lZ /etc/init.d/
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 acpid
> -rwxr-xr-x. root root system_u:object_r:crond_initrc_exec_t:s0 atd
> -rwxr-xr-x. root root system_u:object_r:auditd_initrc_exec_t:s0 auditd
> -rwxr-xr-x. root root system_u:object_r:avahi_initrc_exec_t:s0 avahi-daemon
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 backuppc
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 btseed
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 bttrack
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 clamd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 cpuspeed
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 crond
> -rwxr-xr-x. root root system_u:object_r:cupsd_initrc_exec_t:s0 cups
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 cups-config-daemon
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 dc_client
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 dc_server
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ddclient
> -rwxr-xr-x. root root system_u:object_r:dnsmasq_initrc_exec_t:s0 dnsmasq
> -rwxr-xr-x. root root system_u:object_r:dovecot_initrc_exec_t:s0 dovecot
> -rwxr-xr-x. root root system_u:object_r:fail2ban_initrc_exec_t:s0 fail2ban
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 firstboot
> -rw-r--r--. root root system_u:object_r:bin_t:s0 functions
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 gpm
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 haldaemon
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 halt
> -rwxr-xr-x. root root system_u:object_r:httpd_initrc_exec_t:s0 httpd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ip6tables
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 iptables
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 killall
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 lm_sensors
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 mdmonitor
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 messagebus
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 multipathd
> -rwxr-xr-x. root root system_u:object_r:mysqld_initrc_exec_t:s0 mysqld
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netconsole
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netfs
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netplugd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 network
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 NetworkManager
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 nfs
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 nfslock
> -rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 nmb
> -rwxr-xr-x. root root system_u:object_r:nscd_initrc_exec_t:s0 nscd
> -rwxr-xr-x. root root system_u:object_r:ntpd_initrc_exec_t:s0 ntpd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ntpdate
> -rwxr-xr-x. root root system_u:object_r:openvpn_initrc_exec_t:s0 openvpn
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 pcscd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 portreserve
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 psacct
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 racoon
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rdisc
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 restorecond
> -rwxr-xr-x. root root system_u:object_r:rpcbind_initrc_exec_t:s0 rpcbind
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcgssd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcidmapd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcsvcgssd
> -rwxr-xr-x. root root system_u:object_r:syslogd_initrc_exec_t:s0 rsyslog
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 saslauthd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 sendmail
> -rwxr-xr-x. root root system_u:object_r:shorewall_initrc_exec_t:s0 shorewall
> -rwxr-xr-x. root root system_u:object_r:fsdaemon_initrc_exec_t:s0 smartd
> -rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 smb
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 smolt
> -rwxr-xr-x. root root system_u:object_r:snmpd_initrc_exec_t:s0 snmpd
> -rwxr-xr-x. root root system_u:object_r:snmpd_initrc_exec_t:s0 snmptrapd
> -rwxr-xr-x. root root system_u:object_r:spamd_initrc_exec_t:s0 spamassassin
> -rwxr-xr-x. root root system_u:object_r:squid_initrc_exec_t:s0 squid
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 squidGuard
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 sshd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 transparent-proxying
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 udev-post
> -rwxr-xr-x. root root system_u:object_r:samba_initrc_exec_t:s0 winbind
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 wpa_supplicant
> -rwxr-xr-x. root root system_u:object_r:ypbind_initrc_exec_t:s0 ypbind
>
>
> Looks OK ... But
>
> ls -lZ /mnt/F9/etc/init.d/
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 acpid
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 anacron
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 atd
> -rwxr-xr-x. root root system_u:object_r:auditd_script_exec_t:s0 auditd
> -rwxr-xr-x. root root system_u:object_r:avahi_initrc_exec_t:s0 avahi-daemon
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 backuppc
> -rwxr-xr-x. root root system_u:object_r:bluetooth_script_exec_t:s0 bluetooth
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 btseed
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 bttrack
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 clamd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 cpuspeed
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 crond
> -rwxr-xr-x. root root system_u:object_r:cupsd_initrc_exec_t:s0 cups
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 cups-config-daemon
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 dc_client
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 dc_server
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ddclient
> -rwxr-xr-x. root root system_u:object_r:dnsmasq_script_exec_t:s0 dnsmasq
> -rwxr-xr-x. root root system_u:object_r:dovecot_script_exec_t:s0 dovecot
> -rwxr-xr-x. root root system_u:object_r:bluetooth_script_exec_t:s0 dund
> -rwxr-xr-x. root root system_u:object_r:fail2ban_script_exec_t:s0 fail2ban
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 firestarter
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 firstboot
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0 functions
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 gpm
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 haldaemon
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 halt
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 hsqldb
> -rwxr-xr-x. root root system_u:object_r:httpd_script_exec_t:s0 httpd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ip6tables
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 iptables
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 irda
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 irqbalance
> -rwxr-xr-x. root root system_u:object_r:kerneloops_script_exec_t:s0 kerneloops
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 killall
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 lm_sensors
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 mdmonitor
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 messagebus
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 microcode_ctl
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 multipathd
> -rwxr-xr-x. root root system_u:object_r:mysqld_script_exec_t:s0 mysqld
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netconsole
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netfs
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 netplugd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 network
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 NetworkManager
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 nfs
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 nfslock
> -rwxr-xr-x. root root system_u:object_r:samba_script_exec_t:s0 nmb
> -rwxr-xr-x. root root system_u:object_r:nscd_script_exec_t:s0 nscd
> -rwxr-xr-x. root root system_u:object_r:ntpd_script_exec_t:s0 ntpd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ntpdate
> -rwxr-xr-x. root root system_u:object_r:openvpn_script_exec_t:s0 openvpn
> -rwxr-xr-x. root root system_u:object_r:bluetooth_script_exec_t:s0 pand
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 pcscd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 psacct
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 racoon
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rdisc
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 restorecond
> -rwxr-xr-x. root root system_u:object_r:rpcbind_script_exec_t:s0 rpcbind
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcgssd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcidmapd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 rpcsvcgssd
> -rwxr-xr-x. root root system_u:object_r:syslogd_script_exec_t:s0 rsyslog
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 saslauthd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 sendmail
> -rwxr-xr-x. root root system_u:object_r:setroubleshoot_script_exec_t:s0 setroubleshoot
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 shorewall
> -rwxr-xr-x. root root system_u:object_r:fsdaemon_script_exec_t:s0 smartd
> -rwxr-xr-x. root root system_u:object_r:samba_script_exec_t:s0 smb
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 smolt
> -rwxr-xr-x. root root system_u:object_r:snmp_script_exec_t:s0 snmpd
> -rwxr-xr-x. root root system_u:object_r:snmp_script_exec_t:s0 snmptrapd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 spamassassin
> -rwxr-xr-x. root root system_u:object_r:squid_script_exec_t:s0 squid
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 squidGuard
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 sshd
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 transparent-proxying
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 udev-post
> -rwxr-xr-x. root root system_u:object_r:samba_script_exec_t:s0 winbind
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 wpa_supplicant
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 ypbind
>
>
> This is the old F9 partition. Should I try to fix them somehow or just
> umount the F9 partition and only mount it when I need to peek inside?
>
Well it is up to you. One option would be to use a mount context when you mount the partition, which would override and ignore the F9 labels. Either way I don't think it will cause you much problems.

> Thanks!
>
> Mark
>

From rcritten at redhat.com Fri Aug 14 15:00:10 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 14 Aug 2009 11:00:10 -0400
Subject: Apache crashing in F-11
In-Reply-To: <4A8576F7.3040201@redhat.com>
References: <4A8563B4.3070609@redhat.com> <4A8576F7.3040201@redhat.com>
Message-ID: <4A857BFA.9010600@redhat.com>

Daniel J Walsh wrote:
> On 08/14/2009 09:16 AM, Rob Crittenden wrote:
>> I'm having a problem where Apache is segfaulting when SELinux is enabled
>> because of an AVC. I'm using freeIPA which defines a mod_python handler.
>>
>> The AVCs are:
>>
>> type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for
>> pid=7849 comm="httpd"
>> path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1
>> ino=442585 scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
>>
>> type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for
>> pid=7850 comm="httpd"
>> path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs
>> ino=33960 scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
>>
>> audit2allow generated this:
>>
>> module test 1.0;
>>
>> require {
>> type httpd_tmp_t;
>> type httpd_t;
>> type httpd_tmpfs_t;
>> class file execute;
>> }
>>
>> #============= httpd_t ==============
>> allow httpd_t httpd_tmp_t:file execute;
>> allow httpd_t httpd_tmpfs_t:file execute;
>>
>> I'm a bit stumped. What should I look for, something doing an exec,
>> something messing in /tmp, both?
>>
>> thanks
>>
>> rob
>>
> Apache executing something in /tmp just feels like a very bad idea. I am not sure mod_python is doing this, but I would look for some configuration that is putting files in /tmp.
>

Ok, the core dumps were relatively enlightening. They at least pointed out what import things were choking on. Turns out that the python ctypes module creates a file in /tmp and executes it. It seems, oddly enough, to actually execute gcc and ldconfig. Quite bizarre. By not importing that module it makes SELinux happy again.

rob

From mjc at avtechpulse.com Fri Aug 14 15:16:51 2009
From: mjc at avtechpulse.com (Dr. Michael J. Chudobiak)
Date: Fri, 14 Aug 2009 11:16:51 -0400
Subject: kvm/qemu problems
Message-ID: <4A857FE3.30100@avtechpulse.com>

Hi all,

My kvm/qemu instance of WindowsXP on Fedora stopped functioning in the past week or two, due to some change in selinux policies. This is the problem:

[root at xena ~]# audit2allow -a

#============= svirt_t ==============
allow svirt_t devpts_t:chr_file setattr;
allow svirt_t self:capability { chown fsetid };
allow svirt_t self:process setrlimit;

Is there a handy just-make-it-work boolean for this? Should this be a bug?

selinux-policy-targeted-3.6.12-72.fc11.noarch

- Mike

From eparis at redhat.com Fri Aug 14 15:29:46 2009
From: eparis at redhat.com (Eric Paris)
Date: Fri, 14 Aug 2009 11:29:46 -0400
Subject: kvm/qemu problems
In-Reply-To: <4A857FE3.30100@avtechpulse.com>
References: <4A857FE3.30100@avtechpulse.com>
Message-ID: <1250263786.10329.11.camel@dhcp231-106.rdu.redhat.com>

On Fri, 2009-08-14 at 11:16 -0400, Dr. Michael J. Chudobiak wrote:
> Hi all,
>
> My kvm/qemu instance of WindowsXP on Fedora stopped functioning in the
> past week or two, due to some change in selinux policies. This is the
> problem:

BZ 515521

-Eric

From misc.lists at blueyonder.co.uk Fri Aug 14 17:34:55 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Fri, 14 Aug 2009 18:34:55 +0100
Subject: F11 Relabel problem
In-Reply-To: <4A857BF5.6050102@redhat.com>
References: <1250237419.3387.24.camel@localhost> <4A857693.5010206@redhat.com> <1250261356.4119.3.camel@localhost> <4A857BF5.6050102@redhat.com>
Message-ID: <1250271295.4119.22.camel@localhost>

On Fri, 2009-08-14 at 11:00 -0400, Daniel J Walsh wrote:
> On 08/14/2009 10:49 AM, Arthur Dent wrote:

[snip]

> > This is the old F9 partition. Should I try to fix them somehow or just
> > umount the F9 partition and only mount it when I need to peek inside?
> >
> Well it is up to you. One option would be to use a mount context when you mount the partition,
> which would override and ignore the F9 labels.
Well that sounds like a plan! How best to do it? Is it as simple as putting this in fstab? (apologies for the line-wrap)

/dev/sda6 /mnt/F9 ext3r
rootcontext="system_u:object_r:initrc_exec_t:s0" defaults 0 0

Is that right?

Thanks!

Mark

From dwalsh at redhat.com Fri Aug 14 20:13:52 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 14 Aug 2009 16:13:52 -0400
Subject: F11 Relabel problem
In-Reply-To: <1250271295.4119.22.camel@localhost>
References: <1250237419.3387.24.camel@localhost> <4A857693.5010206@redhat.com> <1250261356.4119.3.camel@localhost> <4A857BF5.6050102@redhat.com> <1250271295.4119.22.camel@localhost>
Message-ID: <4A85C580.9060701@redhat.com>

On 08/14/2009 01:34 PM, Arthur Dent wrote:
> On Fri, 2009-08-14 at 11:00 -0400, Daniel J Walsh wrote:
>> On 08/14/2009 10:49 AM, Arthur Dent wrote:
>
> [snip]
>
>>> This is the old F9 partition. Should I try to fix them somehow or just
>>> umount the F9 partition and only mount it when I need to peek inside?
>>>
>> Well it is up to you. One option would be to use a mount context when you mount the partition,
>> which would override and ignore the F9 labels.
>
> Well that sounds like a plan! How best to do it? Is it as simple as
> putting this in fstab? (apologies for the line-wrap)
>
> /dev/sda6 /mnt/F9 ext3r
> rootcontext="system_u:object_r:initrc_exec_t:s0" defaults 0 0
>
> Is that right?
>
> Thanks!
>
> Mark
>
Just use context, not rootcontext. And I do not think you want everything on F9 to look like initrc_t. I guess I would label it all nfs_t, to make it look like a remote system, or usr_t to make it look generic.

From sm3501 at yahoo.com Fri Aug 14 20:30:21 2009
From: sm3501 at yahoo.com (Sam Marshall)
Date: Fri, 14 Aug 2009 13:30:21 -0700 (PDT)
Subject: MCS Max Number of Category Element Comparisons?
Message-ID: <207268.75160.qm@web111819.mail.gq1.yahoo.com>

Hi,

In FC11, is there a limit to the number of category elements that can be compared to make access decisions using MCS? My understanding is that up to 1024 categories can be assigned in setrans.conf, however, only six or fewer categories can be used for comparison to make access decisions.

For example, when I assign a login user to 7 categories (e.g., s:0, c1, c2, c5, c8, c11, c12, c19) and label a file with the exact same categories number, permission is denied if the user tries to cat out the file (Unix dacl permissions allow the user read access).

When I assign less than 7 of the exact same categories to the file and user, the user can open the file.

I've tried using ranges (c2.c5, c10.c18, etc.), and found that there appears to be a four element limitation with the range notation.

Does this sound right?

Thanks.

From misc.lists at blueyonder.co.uk Sat Aug 15 10:50:53 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Sat, 15 Aug 2009 11:50:53 +0100
Subject: Logrotate on mounted partition
Message-ID: <1250333453.3396.20.camel@localhost>

I have a procmail recipe which writes a copy of every mail I receive (just because I'm paranoid it doesn't mean they aren't out to get me!) to a backup area on my /dev/sda9 partition, mounted as /mnt/backup/ by fstab. (It is an ext3 partition).

Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to prevent the hundreds of avcs by suggesting the following:

semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
restorecon -v -R /mnt/backup

This worked perfectly.
It also held true throughout my time with F9.

I have now upgraded to F11 (I skipped F10) and it still kind of works. I get an avc when logrotate tries to access these files. The strange thing is this didn't happen under F8 or F9.

Is there an elegant solution to this problem or should I write a policy module? This is what audit2allow proposes:

module rawmail 1.0;

require {
type mail_spool_t;
type logrotate_t;
class file getattr;
}

#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file getattr;

The full avc is below.

Many thanks for all your help....

Mark

Summary

SELinux is preventing logrotate (logrotate_t) "getattr" mail_spool_t.

Detailed Description

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by logrotate. It is not expected that this access is required by logrotate and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

You can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information

Source Context: system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context: system_u:object_r:mail_spool_t:s0
Target Objects: /mnt/backup/mail/rawmail [ file ]
Source: logrotate
Source Path: /usr/sbin/logrotate
Port:
Host: troodos.org.uk
Source RPM Packages: logrotate-3.7.8-2.fc11
Target RPM Packages:
Policy RPM: selinux-policy-3.6.12-72.fc11
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall
Host Name: mydomain
Platform: Linux mydomain 2.6.29.6-217.2.3.fc11.i686.PAE #1 SMP Wed Jul 29 16:05:22 EDT 2009 i686 i686
Alert Count: 3
First Seen: Thu Aug 13 03:45:40 2009
Last Seen: Sat Aug 15 03:26:41 2009
Local ID: 3a8c20b3-ff25-43ea-8214-bd926c28215b
Line Numbers:

Raw Audit Messages :

node=mydomain type=AVC msg=audit(1250303201.472:2436): avc: denied { getattr } for pid=15100 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=2490369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file

node=troodos.org.uk type=SYSCALL msg=audit(1250303201.472:2436): arch=40000003 syscall=196 success=yes exit=0 a0=8a7d598 a1=bfe1faa4 a2=77cff4 a3=1 items=0 ppid=15098 pid=15100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=513 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
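The raw AVC record above, the two httpd denials earlier on this page (whose path= field is hex-encoded because the kernel does that for names containing a space, here the "(deleted)" suffix) and the racoon denials further down are all the input that audit2allow condenses into allow rules. The following Python is an added example, not code from the list or from audit2allow itself: it decodes both path encodings and merges denials by source type, target type and class the way audit2allow does. The sample records are trimmed copies of the ones quoted in the posts.

```python
"""Parse raw AVC denial records and summarise them the way audit2allow does.

Added example; it is not the audit2allow implementation. It handles the two
string encodings the kernel audit code emits: a quoted value (path="/tmp")
and an unquoted hex string (path=2F746D70...), which is used whenever the
string contains characters such as a space or a double quote.
"""
import re
from collections import defaultdict

# Constructed sample, trimmed from the records quoted in the list posts:
# two httpd denials (hex paths), the logrotate one and one racoon denial,
# plus a SYSCALL record that the parser must ignore.
SAMPLE_AVCS = """\
type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for pid=7849 comm="httpd" path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1 ino=442585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for pid=7850 comm="httpd" path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs ino=33960 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
node=mydomain type=AVC msg=audit(1250303201.472:2436): avc: denied { getattr } for pid=15100 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=2490369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1250495868.674:27323): avc: denied { write open } for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1250303201.472:2436): arch=40000003 syscall=196 success=yes exit=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_string(value):
    """Unquote a quoted audit string, or hex-decode an unquoted one."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace')
    except ValueError:
        return value  # not hex-encoded (e.g. dev=dm-0); return as seen


def type_of(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('rest')))
    obj = fields.get('path') or fields.get('name') or ''
    return {
        'perms': set(m.group('perms').split()),
        'comm': decode_string(fields.get('comm', '')),
        'object': decode_string(obj),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def summarize(text):
    """Merge denials by (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
            merged[key] |= rec['perms']
    return {k: sorted(v) for k, v in merged.items()}


def allow_rules(text):
    """Render the summary as allow rules, sorted for stable output."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(text).items()):
        perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm};')
    return rules


if __name__ == '__main__':
    for line in SAMPLE_AVCS.splitlines():
        rec = parse_avc(line)
        if rec:
            print(rec['comm'], rec['object'], sorted(rec['perms']))
    print('\n'.join(allow_rules(SAMPLE_AVCS)))
```

The decoded object is the detail the summary hides: the httpd records resolve to /tmp/ffijt5Qwr (deleted) and /dev/shm/ffimCnfyg (deleted), a web server executing files it created itself, which is why the thread's fix was to remove the ctypes import rather than load the generated module. Feed the script the output of ausearch -m avc or the raw /var/log/audit/audit.log; as with audit2allow, review each rule against what the program should be doing before turning it into policy.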
From mike.cloaked at gmail.com Sat Aug 15 18:37:51 2009
From: mike.cloaked at gmail.com (Mike Cloaked)
Date: Sat, 15 Aug 2009 11:37:51 -0700 (PDT)
Subject: rsync as backup from f11 to F10 - issues
In-Reply-To: <4A85778D.6030902@redhat.com>
References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <1250250920.2422.163.camel@moss-pluto.epoch.ncsc.mil> <4A85778D.6030902@redhat.com>
Message-ID: <24987099.post@talk.nabble.com>

Daniel J Walsh wrote:
>
> On 08/14/2009 07:55 AM, Stephen Smalley wrote:
>> On Wed, 2009-08-12 at 16:36 -0400, Daniel J Walsh wrote:
>>> On 08/11/2009 05:30 PM, Mike Cloaked wrote:
>>>>
>>>> Mike Cloaked wrote:
>>>>>
>>>>> Machines on the LAN have been running backups across the network using
>>>>> an rsync command within a script which essentially does:
>>>>> rsync --delete -aXH --exclude blah /opt
>>>>> home1:/media/usbdrive/BACKUPS/myhostname
>>>>> and similar for other directories.
>>>>>
>>>>> This has worked fine until I installed F11 on some of the machines in
>>>>> the LAN, with ext4 filesystems on them.
>>>>>
>>>>> Trying the same thing in this case gave AVC denials on the machine
>>>>> (running F10) to which the external usb drive was attached (and
>>>>> with an ext3 filesystem to take the backups)
>>>>>
>>>>> The AVC contained:
>>>>> Summary
>>>>> SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t.
>>>>>
>>>>
>>>> I wonder if this is related to
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=510649
>>> Yes you are trying to put F11 labels on an F10 box. Just setup rsync to
>>> not maintain labels.
>>
>> Isn't this scenario one of the reasons why we introduced the deferred
>> context mapping support? If he allowed rsync mac_admin permission, it
>> could in fact store the unknown labels on disk on the F10 box and later
>> read them for restoring to the F11 system, right?
>>
> Yes that would work, but I thought we were frowning on this. The files
> would also be unusable by any confined processes on the F10 machine, I am
> not sure what would happen with the association denied, errors.
>

I can't speak for others but in my case once the files were stored on the disk as backups via the F10 machine they would never be used on the F10 machine, as that machine would only ever act as a conduit for backup and restore to the F11 machine - hence the files would only be used on F11 anyway - so the F10 machine is only a processing facility to get the files onto the backup drive.

Presumably the facility referred to in the link several posts back up this thread would allow this to happen?
From mike.cloaked at gmail.com Sat Aug 15 18:39:46 2009
From: mike.cloaked at gmail.com (Mike Cloaked)
Date: Sat, 15 Aug 2009 11:39:46 -0700 (PDT)
Subject: rsync as backup from f11 to F10 - issues
In-Reply-To: <24987099.post@talk.nabble.com>
References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <1250250920.2422.163.camel@moss-pluto.epoch.ncsc.mil> <4A85778D.6030902@redhat.com> <24987099.post@talk.nabble.com>
Message-ID: <24987112.post@talk.nabble.com>

Mike Cloaked wrote:
>
> I can't speak for others but in my case once the files were stored on the
> disk as backups via the F10 machine they would never be used on the F10
> machine, as that machine would only ever act as a conduit for backup and
> restore to the F11 machine - hence the files would only be used on F11
> anyway - so the F10 machine is only a processing facility to get the files
> onto the backup drive.
>
> Presumably the facility referred to in the link several posts back up this
> thread would allow this to happen?
>

Sorry - not the link but the reference to allowing mac_admin permission... on the F10 machine?

From lists at sapience.com Sat Aug 15 19:15:29 2009
From: lists at sapience.com (Mail Lists)
Date: Sat, 15 Aug 2009 15:15:29 -0400
Subject: rsync as backup from f11 to F10 - issues
In-Reply-To: <24987099.post@talk.nabble.com>
References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <1250250920.2422.163.camel@moss-pluto.epoch.ncsc.mil> <4A85778D.6030902@redhat.com> <24987099.post@talk.nabble.com>
Message-ID: <4A870951.1000609@sapience.com>

On 08/15/2009 02:37 PM, Mike Cloaked wrote:
>
> I can't speak for others but in my case once the files were stored on the
> disk as backups via the F10 machine they would never be used on the F10
> machine, as that machine would only ever act as a conduit for backup and

I find it very convenient to be able to browse the backup tree on the server (or elsewhere if it's exported) - that's one of the greatest benefits of using rdiff-backup or rsync, no?

From shintaro.fujiwara at gmail.com Sat Aug 15 23:50:21 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Sun, 16 Aug 2009 08:50:21 +0900
Subject: [OT] tmpfs - was : AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <4A856670.9090102@redhat.com>
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au> <4A8557A2.403@redhat.com> <1250254247.7390.10.camel@localhost> <4A856670.9090102@redhat.com>
Message-ID:

Hello.

> I am on a personal crusade to stop all system services (processes running as UID=0) from using /tmp. /var/tmp

I'm interested in this topic but I don't know how to find processes running as UID=0 using /tmp or /var/tmp.

Thanks in advance.
2009/8/14 Daniel J Walsh :
> On 08/14/2009 08:50 AM, Arthur Dent wrote:
>> On Fri, 2009-08-14 at 08:25 -0400, Daniel J Walsh wrote:
>>> On 08/14/2009 12:19 AM, Richard Chapman wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>>
>> [snip]
>>
>>>>>
>>>>> I always use tmpfs for /tmp, so I never end up with garbage on a reboot.
>>>>>
>>>> I like your idea of using tmpfs - but is it ever a problem that tmpfs is
>>>> relatively small and finite? Also - please excuse my ignorance - but how
>>>> do I make tmpfs the tmp folder?
>>>>
>>>> Richard.
>>>>
>>> Must have changed between RHEL5 and F11
>>>
>>> Try
>>>
>>> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>>>
>>> Add this line to /etc/fstab
>>>
>>> tmpfs                   /tmp                 tmpfs   rootcontext="system_u:object_r:tmp_t:s0",defaults        0 0
>>>
>>> And reboot.
>>>
>>> I don't tend to store huge amounts of stuff in /tmp. If I want to store big stuff I can always use /var/tmp
>>
>> Forgive the off-topic response, but I too like the idea of a
>> self-washing /tmp. However I am concerned that I don't really understand
>> how it works. What, for example, would be the effect of doing this on a
>> server which has only limited RAM and is only rebooted periodically.
>> Would all the RAM get filled up over time by tmpfs and then everything
>> would have to run in swap?
>>
>> Would I need to reboot regularly just to clean tmpfs?
>>
> Well there are tools like tmpwatch and tmpreaper that periodically clean up /tmp files.
>
> On a server or system with limited ram, this might not be a great idea, since you could run out of
> memory. I do not know if you can put a quota on it. I just don't store a lot of junk on /tmp, so it is
> never a problem. And I have had problems in the past with mislabeled files either via SELinux or UID problems in
> /tmp causing havoc with login.
>
> I am on a personal crusade to stop all system services (processes running as UID=0) from using /tmp. /var/tmp
>
>> I do like the idea and have just implemented it on my desktop machine
>> which has more RAM and gets shut down every day...
>>
>> Thanks...
>>
>> Mark
>>

--
http://intrajp.no-ip.com/ Home Page

From adriangolding at gmail.com Mon Aug 17 02:42:54 2009
From: adriangolding at gmail.com (adrian golding)
Date: Mon, 17 Aug 2009 10:42:54 +0800
Subject: SELinux - back to basics
Message-ID:

dear all, can you please point me to the right place:

with reference to: http://danwalsh.livejournal.com/10131.html

i am interested in how dan knows what an attacker can make use of the samba vulnerability to do by default, and what the attacker cannot do. More generally speaking, how do we look at a service or application in a SELinux system, and find out what the attacker can do and cannot do in the case of the service being exploited?

in that page, he looked at some of the relevant booleans and i guess "samba_enable_home_dirs ---> off" prevents the attacker from reading/manipulating the user's home directories. But what about the rest? What other things can an end user (who is not very experienced in SELinux) examine to know what the attacker can / cannot do?

thank you
From adriangolding at gmail.com Mon Aug 17 05:05:53 2009
From: adriangolding at gmail.com (adrian golding)
Date: Mon, 17 Aug 2009 13:05:53 +0800
Subject: SELinux - back to basics
In-Reply-To:
References:
Message-ID:

To refine my questions in the earlier email:

1) many of the things the attacker can do if he exploits the Samba vulnerability can be found in the source policy. but there are also so many other rules in the policy (hundreds?), my question is how do I know if the other rules matter much? there are >300 rules related to smbd_t, and it just *seems* a lot can go wrong with the system.

2) how do we verify the part about what the attackers cannot do? does it mean, if i cannot find a rule that links smbd_t with user_home_t with the 'read' permission, the attacker cannot read/manipulate user home directories? Or is it not as trivial?

3) i am assuming ports 137-139 and 445 are labelled smbd_port_t, but where can i find this assignment in the policy? i am currently using apol.

thank you

On Mon, Aug 17, 2009 at 10:42 AM, adrian golding wrote:
> dear all, can you please point me to the right place:
> with reference to: http://danwalsh.livejournal.com/10131.html
>
> i am interested in how dan knows what an attacker can make use of the samba
> vulnerability to do by default, and what the attacker cannot do. More
> generally speaking, how do we look at a service or application in a SELinux
> system, and find out what the attacker can do and cannot do in the case
> of the service being exploited?
>
> in that page, he looked at some of the relevant booleans and i guess
> "samba_enable_home_dirs ---> off" prevents the attacker from reading/manipulating
> the user's home directories. But what about the rest? What other things can
> an end user (who is not very experienced in SELinux) examine to know what
> the attacker can / cannot do?
>
> thank you
>

From sradvan at redhat.com Mon Aug 17 05:23:55 2009
From: sradvan at redhat.com (Scott Radvan)
Date: Mon, 17 Aug 2009 15:23:55 +1000
Subject: SELinux - back to basics
In-Reply-To:
References:
Message-ID: <20090817152355.415ee600@stratos.bne.redhat.com>

On Mon, 17 Aug 2009 13:05:53 +0800
adrian golding wrote:

> To refine my questions in the earlier email:

> 3) i am assuming ports 137-139 and 445 are labelled smbd_port_t, but
> where can i find this assignment in the policy? i am currently using
> apol.

I don't have the knowledge required to answer all of your questions - in fact, I also would like to hear what some of the more informed members on this list think about what you've raised.

But, to find the ports for smbd_port_t, you can do as root:

semanage port -l | grep smbd

Cheers,

--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane)
http://www.apac.redhat.com

"Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely." - Bruce Schneier

From fdsubs at t-online.hu Mon Aug 17 08:59:59 2009
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Mon, 17 Aug 2009 10:59:59 +0200
Subject: racoon denials
Message-ID:

selinux-policy-3.6.12-72.fc11.noarch
selinux-policy-targeted-3.6.12-72.fc11.noarch
ipsec-tools-0.7.2-1.fc11.x86_64

I'm getting a handful of racoon denials with what I believe is a pretty common setup - is there anything I could be doing differently?

allow racoon_t shadow_t:file { read getattr open };

This is needed for racoon to do XAuth logins with the default auth_source of system. Unfortunately that's the only option available with racoon as supplied in Fedora 11, as support for pam/ldap/radius isn't built in.

The rest is all caused by my having a phase1_up/down script in /etc/racoon/scripts (the directory and the script are both system_u:object_r:bin_t:s0).
allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
allow racoon_t fs_t:filesystem getattr;
allow racoon_t tmp_t:dir { write remove_name getattr search add_name };
allow racoon_t tmp_t:file { write getattr read create unlink open };

Calling /sbin/setkey to add and remove SPDs is the primary reason to have an up/down script. It's less clear why the fs_t and tmp_t accesses are necessary. It's a /bin/sh script which isn't doing anything other than calling /sbin/setkey.

type=AVC msg=audit(1250495868.674:27320): avc: denied { getattr } for pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27321): avc: denied { write } for pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27322): avc: denied { getattr } for pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1250495868.674:27323): avc: denied { search } for pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc: denied { add_name } for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc: denied { create } for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.674:27323): avc: denied { write open } for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.675:27324): avc: denied { getattr } for pid=5436 comm="l2tp_up_down" path="/tmp/sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27325): avc: denied { read } for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27326): avc: denied { remove_name } for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.676:27326): avc: denied { unlink } for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc: denied { execute } for pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc: denied { read open } for pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250495868.676:27327): avc: denied { execute_no_trans } for pid=5436 comm="l2tp_up_down" path="/sbin/setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.280:27354): avc: denied { execute } for pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.280:27354): avc: denied { read open } for pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.280:27354): avc: denied { execute_no_trans } for pid=5533 comm="l2tp_up_down" path="/sbin/setkey" dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
type=AVC msg=audit(1250496231.293:27359): avc: denied { read } for pid=5533 comm="setkey" path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429 dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

From sds at tycho.nsa.gov Mon Aug 17 11:29:11 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 17 Aug 2009 07:29:11 -0400
Subject: MCS Max Number of Category Element Comparisons?
In-Reply-To: <207268.75160.qm@web111819.mail.gq1.yahoo.com>
References: <207268.75160.qm@web111819.mail.gq1.yahoo.com>
Message-ID: <1250508551.3629.76.camel@moss-pluto.epoch.ncsc.mil>

On Fri, 2009-08-14 at 13:30 -0700, Sam Marshall wrote:
> Hi,
>
> In FC11, is there a limit to the number of category elements that can
> be compared to make access decisions using MCS? My understanding is
> that up to 1024 categories can be assigned in setrans.conf, however,
> only six or fewer categories can be used for comparison to make
> access decisions.
>
> For example, when I assign a login user to 7 categories (e.g., s:0,
> c1, c2, c5, c8, c11, c12, c19) and label a file with the exact same
> categories number, permission is denied if the user tries to cat out
> the file (Unix dacl permissions allow the user read access)
>
> When I assign less than 7 of the exact same categories to the file and
> user, the user can open the file.
>
> I've tried using ranges (c2.c5, c10.c18, etc.), and found that there
> appears to be a four element limitation with the range notation.
>
> Does this sound right?

No, that sounds like a bug. Can you provide more specifics, please?
The following worked for me just fine:

# useradd foo
# passwd foo
# semanage login -a -s unconfined_u -r s0-s0:c0,c1,c2,c5,c8,c11,c12,c19 foo
# ssh -l foo localhost
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c2,c5,c8,c11,c12,c19
$ echo hello > foo
$ chcon -l s0:c0.c2,c5,c8,c11,c12,c19 foo
$ cat foo
hello

-- 
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Mon Aug 17 12:28:02 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 17 Aug 2009 12:28:02 +0000
Subject: SELinux - back to basics
In-Reply-To:
References:
Message-ID: <1250512082.3629.108.camel@moss-pluto.epoch.ncsc.mil>

On Mon, 2009-08-17 at 10:42 +0800, adrian golding wrote:
> dear all, can you please point me to the right place:
>
> with reference to: http://danwalsh.livejournal.com/10131.html
>
>
> i am interested in how dan knows what an attacker can make use of the
> samba vulnerability to do by default, and what the attacker cannot
> do. More generally speaking, how do we look at a service or
> application in a SELinux system, and finding out what the attacker can
> do and cannot do in the case of the service being exploited?
>
>
> in that page, he looked at some of the relevant booleans and i guess
> "samba_enable_home_dirs ---> off" prevents the attacker to
> read/manipulate the user's home directories. But what about the rest?
> What other things can an end user (who is not very experienced in
> SELinux) examine to know what the attacker can / cannot do?

sesearch can be a very useful tool for interrogating the policy to see what a given domain can access, and the information flow and domain transition analysis capabilities of apol are likewise quite useful.
-- 
Stephen Smalley
National Security Agency

From domg472 at gmail.com Mon Aug 17 12:33:14 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 17 Aug 2009 14:33:14 +0200
Subject: SELinux - back to basics
In-Reply-To: <1250512082.3629.108.camel@moss-pluto.epoch.ncsc.mil>
References: <1250512082.3629.108.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <20090817123312.GA5446@notebook3.grift.internal>

On Mon, Aug 17, 2009 at 12:28:02PM +0000, Stephen Smalley wrote:
> On Mon, 2009-08-17 at 10:42 +0800, adrian golding wrote:
> > dear all, can you please point me to the right place:
> >
> > with reference to: http://danwalsh.livejournal.com/10131.html
> >
> >
> > i am interested in how dan knows what an attacker can make use of the
> > samba vulnerability to do by default, and what the attacker cannot
> > do. More generally speaking, how do we look at a service or
> > application in a SELinux system, and finding out what the attacker can
> > do and cannot do in the case of the service being exploited?
> >
> >
> > in that page, he looked at some of the relevant booleans and i guess
> > "samba_enable_home_dirs ---> off" prevents the attacker to
> > read/manipulate the user's home directories. But what about the rest?
> > What other things can an end user (who is not very experienced in
> > SELinux) examine to know what the attacker can / cannot do?
>
> sesearch can be a very useful tool for interrogating the policy to see
> what a given domain can access, and the information flow and domain
> transition analysis capabilities of apol are likewise quite useful.

With regard to sesearch it is good to know that it displays all rules, also the rules that may be disabled by a boolean. So with that in mind sesearch can be a bit misleading. If you encounter a situation where access is denied, but where sesearch returns a rule that would have allowed the access, then pipe the AVC denial into audit2why.
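A worked illustration of that caveat, added here as an example; it is not part of the thread and not setools code. Given the output of `sesearch -A -C` (which prints each conditional rule with its boolean expression and the branch it lives in) and of `getsebool -a`, it drops every rule whose branch is not selected by the current boolean values and then asks the question from the original mail: can smbd_t read user_home_t files while samba_enable_home_dirs is off? The sample lines are constructed; their layout (a setools 4 style `[ expr ]:True` suffix, `name --> off` lines) is an assumption about your setools version, and smbd_t, samba_share_t, user_home_t and the two boolean names are used for illustration only.

```python
"""Filter sesearch output down to the rules that are in effect under the
current boolean settings.  Added example, not setools itself; the sample
data below is constructed and its layout is an assumption."""
import re

# One rule per line, e.g.
#   allow smbd_t user_home_t:file { read open }; [ samba_enable_home_dirs ]:True
# Unconditional rules carry no bracketed suffix.
RULE_RE = re.compile(
    r"^(?P<kind>allow|dontaudit|auditallow)\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<cond>[^\]]+?)\s*\]:(?P<branch>True|False))?\s*$"
)
BOOL_RE = re.compile(r"^(?P<name>\S+)\s+-->\s+(?P<state>on|off)\s*$")

# Constructed sample: what sesearch -A -C / getsebool -a might print.
SESEARCH_SAMPLE = """\
allow smbd_t samba_share_t:file { getattr ioctl lock open read };
allow smbd_t user_home_t:file { getattr ioctl lock open read }; [ samba_enable_home_dirs ]:True
allow smbd_t user_home_t:file { append create write }; [ samba_enable_home_dirs && samba_export_all_rw ]:True
dontaudit smbd_t user_home_t:dir search; [ samba_enable_home_dirs ]:False
"""
GETSEBOOL_SAMPLE = """\
samba_enable_home_dirs --> off
samba_export_all_rw --> off
"""


def parse_bools(text):
    """getsebool -a output -> {name: True/False}."""
    bools = {}
    for line in text.splitlines():
        m = BOOL_RE.match(line.strip())
        if m:
            bools[m["name"]] = m["state"] == "on"
    return bools


def eval_cond(expr, bools):
    """Evaluate a conditional expression such as `a && !b || (c)` against
    the boolean table.  An unknown boolean raises KeyError on purpose."""
    toks = re.findall(r"\(|\)|&&|\|\||!|\w+", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        val = parse_and()
        while pos < len(toks) and toks[pos] == "||":
            pos += 1
            rhs = parse_and()        # evaluate both sides, no short-circuit
            val = val or rhs
        return val

    def parse_and():
        nonlocal pos
        val = parse_not()
        while pos < len(toks) and toks[pos] == "&&":
            pos += 1
            rhs = parse_not()
            val = val and rhs
        return val

    def parse_not():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "!":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            pos += 1                 # consume the closing ')'
            return val
        return bools[tok]

    return parse_or()


def effective_rules(sesearch_text, getsebool_text):
    """Keep unconditional rules and those conditional rules whose branch is
    selected by the current boolean values."""
    bools = parse_bools(getsebool_text)
    rules = []
    for line in sesearch_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        if m["cond"] is not None:
            selected = eval_cond(m["cond"], bools)
            if selected != (m["branch"] == "True"):
                continue             # rule sits in the branch that is switched off
        perms = frozenset((m["perms"] or m["perm"]).split())
        rules.append((m["kind"], m["src"], m["tgt"], m["cls"], perms))
    return rules


def allowed(rules, src, tgt, cls, perm):
    """True if some effective allow rule grants src -> tgt:cls perm."""
    return any(kind == "allow" and s == src and t == tgt and c == cls and perm in perms
               for kind, s, t, c, perms in rules)


if __name__ == "__main__":
    live = effective_rules(SESEARCH_SAMPLE, GETSEBOOL_SAMPLE)
    for rule in live:
        print(rule)
    print("smbd_t may read user_home_t files:",
          allowed(live, "smbd_t", "user_home_t", "file", "read"))
```

With both booleans off only the samba_share_t rule and the dontaudit in the False branch survive, so the read of user_home_t that plain `sesearch --allow -s smbd_t -t user_home_t` would list is not actually granted; flipping samba_enable_home_dirs on brings the read rule back but still not the write rule, which needs both booleans.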
>
> -- 
> Stephen Smalley
> National Security Agency
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From domg472 at gmail.com Mon Aug 17 14:10:37 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 17 Aug 2009 16:10:37 +0200
Subject: racoon denials
In-Reply-To:
References:
Message-ID: <20090817141034.GA5935@notebook3.grift.internal>

On Mon, Aug 17, 2009 at 10:59:59AM +0200, Daniel Fazekas wrote:
> selinux-policy-3.6.12-72.fc11.noarch
> selinux-policy-targeted-3.6.12-72.fc11.noarch
> ipsec-tools-0.7.2-1.fc11.x86_64
>
> I'm getting a handful of racoon denials with what I believe is a pretty
> common setup; is there anything I could be doing differently?
>
> allow racoon_t shadow_t:file { read getattr open };

Well I can give you some direction into how to allow this stuff but I am not confident as to whether it's the right thing to do and I also have not tested any of it. But in theory:

echo "policy_module(myracoon, 0.0.1)" > myracoon.te;
echo "require { type racoon_t; }" >> myracoon.te;
echo "auth_read_shadow(racoon_t)" >> myracoon.te;

>
> This is needed for racoon to do XAuth logins with the default
> auth_source of system. Unfortunately that's the only option available
> with racoon as supplied in Fedora 11, as support for pam/ldap/radius
> isn't built in.
>
>
> The rest is all caused by my having a phase1_up/down script in
> /etc/racoon/scripts (the directory and the script are both
> system_u:object_r:bin_t:s0).
>
> allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
> allow racoon_t fs_t:filesystem getattr;
> allow racoon_t tmp_t:dir { write remove_name getattr search add_name };
> allow racoon_t tmp_t:file { write getattr read create unlink open };

echo "setkey_domtrans(racoon_t)" >> myracoon.te;
echo "fs_dontaudit_getattr_xattr_fs(racoon_t)" >> myracoon.te;
echo "type racoon_tmp_t;" >> myracoon.te;
echo "files_tmp_file(racoon_tmp_t)" >> myracoon.te;
echo "manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)" >> myracoon.te;
echo "manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)" >> myracoon.te;
echo "files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })" >> myracoon.te;
make -f /usr/share/selinux/devel/Makefile myracoon.pp
sudo semodule -i myracoon.pp

This is just the rules translated into policy. I am not positive whether racoon or setkey creates the object in tmp, reads shadow, and gets attributes of fs_t:filesystem. This policy assumes racoon_t does all that.

>
> Calling /sbin/setkey to add and remove SPDs is the primary reason to
> have an up/down script.
> The fs_t and tmp_t accesses are less clear why they are necessary. It's a
> /bin/sh script which isn't doing anything other than calling
> /sbin/setkey.
>
> type=AVC msg=audit(1250495868.674:27320): avc: denied { getattr } for
> pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27321): avc: denied { write } for
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27322): avc: denied { getattr } for
> pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=AVC msg=audit(1250495868.674:27323): avc: denied { search } for
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc: denied { add_name } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc: denied { create } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.674:27323): avc: denied { write open }
> for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.675:27324): avc: denied { getattr } for
> pid=5436 comm="l2tp_up_down" path="/tmp/sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27325): avc: denied { read } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27326): avc: denied { remove_name }
> for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.676:27326): avc: denied { unlink } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc: denied { execute } for
> pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc: denied { read open }
> for pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc: denied {
> execute_no_trans } for pid=5436 comm="l2tp_up_down" path="/sbin/setkey"
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc: denied { execute } for
> pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc: denied { read open }
> for pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc: denied {
> execute_no_trans } for pid=5533 comm="l2tp_up_down" path="/sbin/setkey"
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.293:27359): avc: denied { read } for
> pid=5533 comm="setkey"
> path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429
> dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>

From fdsubs at t-online.hu Mon Aug 17 15:37:42 2009
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Mon, 17 Aug 2009 17:37:42 +0200
Subject: racoon denials
In-Reply-To: <20090817141034.GA5935@notebook3.grift.internal>
References: <20090817141034.GA5935@notebook3.grift.internal>
Message-ID: <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu>

On Aug 17, 2009, at 16:10, Dominick Grift wrote:

> echo "setkey_domtrans(racoon_t)" >> myracoon.te;

This line results in the following error:
myracoon.te":6:ERROR 'syntax error' at token 'setkey_domtrans' on line 3308:
setkey_domtrans(racoon_t)

And the AVCs which cause audit2allow to suggest this remain:
allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };

But it seems to have cleared up all the rest, thanks!

> This is just the rules translated into policy. I am not positive
> whether racoon or setkey creates the object in tmp, read shadow, and
> get attributes of fs_t:filesystem.

racoon itself reads shadow.
The rest is all caused by racoon executing a bash shell script, which in turn executes setkey.

I believe now that the tmp file accesses are likely caused by that script's use of here-document << syntax to specify the input for setkey.
eg.:

/sbin/setkey -c << EOT
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}/32[any] any -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
EOT

From domg472 at gmail.com Mon Aug 17 16:09:21 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 17 Aug 2009 18:09:21 +0200
Subject: racoon denials
In-Reply-To: <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu>
References: <20090817141034.GA5935@notebook3.grift.internal> <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu>
Message-ID: <20090817160919.GC5935@notebook3.grift.internal>

On Mon, Aug 17, 2009 at 05:37:42PM +0200, Daniel Fazekas wrote:
> On Aug 17, 2009, at 16:10, Dominick Grift wrote:
>
>> echo "setkey_domtrans(racoon_t)" >> myracoon.te;
>
> This line results in the following error:
> myracoon.te":6:ERROR 'syntax error' at token 'setkey_domtrans' on line
> 3308:
> setkey_domtrans(racoon_t)

So that means there is no such shared policy. We can work around that by adding the following to the myracoon.te:

echo "require { type setkey_exec_t, setkey_t; }" >> myracoon.te;
echo "domtrans_pattern(racoon_t, setkey_exec_t, setkey_t)" >> myracoon.te;
make -f /usr/share/selinux/devel/Makefile myracoon.pp
sudo semodule -i myracoon.pp

assuming setkey_t is the domain type

>
> And the AVCs which cause audit2allow to suggest this remain:
> allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
>
> But it seems to have cleared up all the rest, thanks!
>
>> This is just the rules translated into policy. I am not positive
>> whether racoon or setkey creates the object in tmp, read shadow, and
>> get attributes of fs_t:filesystem.
>
> racoon itself reads shadow.
> The rest is all caused by racoon executing a bash shell script, which in
> turn executes setkey.
>
> I believe now that the tmp file accesses are likely caused by that
> script's use of here-document << syntax to specify the input for setkey.
>
> eg.:
>
> /sbin/setkey -c << EOT
> spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P in ipsec
> esp/tunnel/${REMOTE}-${LOCAL}/require;
> spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}/32[any] any -P out ipsec
> esp/tunnel/${LOCAL}-${REMOTE}/require;
> EOT
>

From sds at tycho.nsa.gov Mon Aug 17 17:15:58 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 17 Aug 2009 13:15:58 -0400
Subject: rsync as backup from f11 to F10 - issues
In-Reply-To: <24987112.post@talk.nabble.com>
References: <24925988.post@talk.nabble.com> <24926122.post@talk.nabble.com> <4A8327B3.3080308@redhat.com> <1250250920.2422.163.camel@moss-pluto.epoch.ncsc.mil> <4A85778D.6030902@redhat.com> <24987099.post@talk.nabble.com> <24987112.post@talk.nabble.com>
Message-ID: <1250529358.3629.125.camel@moss-pluto.epoch.ncsc.mil>

On Sat, 2009-08-15 at 11:39 -0700, Mike Cloaked wrote:
>
>
> Mike Cloaked wrote:
> >
> >
> > I can't speak for others but in my case once the files were stored on the
> > disk as backups via the F10 machine they would never be used on the F10
> > machine, as that machine would only ever act as a conduit for backup and
> > restore to the F11 machine - hence the files would only be used on F11
> > anyway - so the F10 machine is only a processing facility to get the files
> > onto the backup drive.
> >
> > Presumably the facility referred to in the link several posts back up this
> > thread would allow this to happen?
> >
>
> Sorry - not the link but the reference to the allowing mac_admin
> permission... on the F10 machine?

Yes. Which you could do via a local policy module. As long as nothing confined on the F10 box needs to access those files...
-- 
Stephen Smalley
National Security Agency

From fdsubs at t-online.hu Mon Aug 17 20:46:16 2009
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Mon, 17 Aug 2009 22:46:16 +0200
Subject: racoon denials
In-Reply-To: <20090817160919.GC5935@notebook3.grift.internal>
References: <20090817141034.GA5935@notebook3.grift.internal> <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu> <20090817160919.GC5935@notebook3.grift.internal>
Message-ID: <95BF9113-03C5-44BF-AA1C-73BFD6AA269F@t-online.hu>

On Aug 17, 2009, at 18:09, Dominick Grift wrote:

> So that means there is no such shared policy. We can work around
> that by adding the following to the myracoon.te:
> echo "require { type setkey_exec_t, setkey_t; }" >> myracoon.te;
> echo "domtrans_pattern(racoon_t, setkey_exec_t, setkey_t)" >>
> myracoon.te;
>
> assuming setkey_t is the domain type

That did compile, but now there's a whole new set of setkey_t denials.

allow setkey_t racoon_t:key_socket { read write };
allow setkey_t racoon_t:netlink_route_socket { read write };
allow setkey_t racoon_t:udp_socket { read write };
allow setkey_t racoon_t:unix_stream_socket { read write };
allow setkey_t racoon_tmp_t:file { read getattr };

I now had to make setkey_t permissive. Previously it only required doing that for racoon_t.

From olivares14031 at yahoo.com Mon Aug 17 23:12:25 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 17 Aug 2009 16:12:25 -0700 (PDT)
Subject: setroubleshooter not filing bugs, is there another way
Message-ID: <342583.80029.qm@web52603.mail.re2.yahoo.com>

Dear fellow selinux experts,

I am encountering a problem with setroubleshooter and avc denials for wine. It gives me a fatal error report, but I can't copy + paste like I used to, I tried to file a bugzilla report but the process hangs and it is not being sent. Is there another way to capture the report so I can send in the avc denials?

I am running xfce fully updated in rawhide.
I try to dmesg but get no avcs and I can't run windows programs under wine without seeing the setroubleshoot(er) go crazy :(

Thanks,

Antonio

From selinux at gmail.com Mon Aug 17 23:20:18 2009
From: selinux at gmail.com (Tom London)
Date: Mon, 17 Aug 2009 16:20:18 -0700
Subject: setroubleshooter not filing bugs, is there another way
In-Reply-To: <342583.80029.qm@web52603.mail.re2.yahoo.com>
References: <342583.80029.qm@web52603.mail.re2.yahoo.com>
Message-ID: <4c4ba1530908171620h299c7386q76b3ce45ec342162@mail.gmail.com>

On Mon, Aug 17, 2009 at 4:12 PM, Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> I am encountering a problem with setroubleshooter and avc denials for wine. It gives me a fatal error report, but I can't copy + paste like I used to, I tried to file a bugzilla report but the process hangs and it is not being sent. Is there another way to capture the report so I can send in the avc denials?
>
> I am running xfce fully updated in rawhide. I try to dmesg but get no avcs and I can't run windows programs under wine without seeing the setroubleshoot(er) go crazy :(
>
> Thanks,
>
> Antonio
>

If you are getting AVCs, you should see in /var/log/messages lines that look like:

Aug 17 13:08:42 tlondon setroubleshoot: SELinux is preventing abrt (initrc_t) "add_name" var_t. For complete SELinux messages. run sealert -l 41767f84-0e7c-4e14-a318-8f2f97877019

You should be able to run "sealert" with the arguments in the message to produce a text version of the alert that you can copy/paste into a bugzilla.
tom
-- 
Tom London

From olivares14031 at yahoo.com Tue Aug 18 02:53:50 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 17 Aug 2009 19:53:50 -0700 (PDT)
Subject: setroubleshooter not filing bugs, is there another way
In-Reply-To: <4c4ba1530908171620h299c7386q76b3ce45ec342162@mail.gmail.com>
Message-ID: <625893.47009.qm@web52611.mail.re2.yahoo.com>

--- On Mon, 8/17/09, Tom London wrote:

> From: Tom London
> Subject: Re: setroubleshooter not filing bugs, is there another way
> To: "Antonio Olivares"
> Cc: fedora-selinux-list at redhat.com
> Date: Monday, August 17, 2009, 4:20 PM
> On Mon, Aug 17, 2009 at 4:12 PM, Antonio Olivares wrote:
> > Dear fellow selinux experts,
> >
> > I am encountering a problem with setroubleshooter and avc denials for wine. It gives me a fatal error report, but I can't copy + paste like I used to, I tried to file a bugzilla report but the process hangs and it is not being sent. Is there another way to capture the report so I can send in the avc denials?
> >
> > I am running xfce fully updated in rawhide. I try to dmesg but get no avcs and I can't run windows programs under wine without seeing the setroubleshoot(er) go crazy :(
> >
> > Thanks,
> >
> > Antonio
> >
>
> If you are getting AVCs, you should see in /var/log/messages lines
> that look like:
>
> Aug 17 13:08:42 tlondon setroubleshoot: SELinux is preventing abrt
> (initrc_t) "add_name" var_t. For complete SELinux messages. run
> sealert -l 41767f84-0e7c-4e14-a318-8f2f97877019
>
> You should be able to run "sealert" with the arguments in the message
> to produce a text version of the alert that you can copy/paste into a
> bugzilla.
>
> tom
> -- 
> Tom London
>

Thanks Tom for your guidance. Tomorrow as I get to work and get the alert(s) will try to capture following your advice and mail them to list.
Regards,

Antonio

From paul at city-fan.org Tue Aug 18 07:01:57 2009
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 18 Aug 2009 08:01:57 +0100
Subject: setroubleshooter not filing bugs, is there another way
In-Reply-To: <625893.47009.qm@web52611.mail.re2.yahoo.com>
References: <4c4ba1530908171620h299c7386q76b3ce45ec342162@mail.gmail.com> <625893.47009.qm@web52611.mail.re2.yahoo.com>
Message-ID: <20090818080157.114efebf@metropolis.intra.city-fan.org>

On Mon, 17 Aug 2009 19:53:50 -0700 (PDT)
Antonio Olivares wrote:

> --- On Mon, 8/17/09, Tom London wrote:
>
> > From: Tom London
> > Subject: Re: setroubleshooter not filing bugs, is there another way
> > To: "Antonio Olivares"
> > Cc: fedora-selinux-list at redhat.com
> > Date: Monday, August 17, 2009, 4:20 PM
> > On Mon, Aug 17, 2009 at 4:12 PM, Antonio Olivares wrote:
> > > Dear fellow selinux experts,
> > >
> > > I am encountering a problem with setroubleshooter and avc denials for wine. It gives me a fatal error report, but I can't copy + paste like I used to, I tried to file a bugzilla report but the process hangs and it is not being sent. Is there another way to capture the report so I can send in the avc denials?
> > >
> > > I am running xfce fully updated in rawhide. I try to dmesg but get no avcs and I can't run windows programs under wine without seeing the setroubleshoot(er) go crazy :(
> > >
> > > Thanks,
> > >
> > > Antonio
> > >
> >
> > If you are getting AVCs, you should see in /var/log/messages lines
> > that look like:
> >
> > Aug 17 13:08:42 tlondon setroubleshoot: SELinux is preventing abrt
> > (initrc_t) "add_name" var_t. For complete SELinux messages. run
> > sealert -l 41767f84-0e7c-4e14-a318-8f2f97877019
> >
> > You should be able to run "sealert" with the arguments in the message
> > to produce a text version of the alert that you can copy/paste into a
> > bugzilla.
> >
> > tom
> > -- 
> > Tom London
> >
>
> Thanks Tom for your guidance. Tomorrow as I get to work and get the
> alert(s) will try to capture following your advice and mail them to
> list.

Bear in mind that if you're running auditd, the messages will be in /var/log/audit/audit.log rather than /var/log/messages.

Paul.

From casmls at gmail.com Tue Aug 18 08:22:26 2009
From: casmls at gmail.com (Christoph A.)
Date: Tue, 18 Aug 2009 10:22:26 +0200
Subject: xguest: firefox - execmem
Message-ID: <4A8A64C2.2080806@gmail.com>

Hi,

I wanted to try the xguest user, but firefox always crashed on startup.

This AVC appears many times in the logs:

type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0 tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process

execmem is not allowed:
getsebool -a|grep execmem
allow_execmem --> off

Allowing execmem resolves the problem, but is there a better solution for this?

Another question:

I would like to make some permanent changes to the xguest account (keyboard layout, safe passphrase for wifi access, set keyring pw, remove some icons,...)
How can I as admin do that?

thanks,
Christoph

From domg472 at gmail.com Tue Aug 18 09:11:52 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 18 Aug 2009 11:11:52 +0200
Subject: xguest: firefox - execmem
In-Reply-To: <4A8A64C2.2080806@gmail.com>
References: <4A8A64C2.2080806@gmail.com>
Message-ID: <20090818091150.GA2445@notebook3.grift.internal>

On Tue, Aug 18, 2009 at 10:22:26AM +0200, Christoph A. wrote:
> Hi,
>
> I wanted to try the xguest user, but firefox always crashed on startup.
>
> This AVC appears many times in the logs:
>
> type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for
> pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0
> tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process

I have a feeling that this is due to a plugin that is not run in the nsplugin_t domain, but I might be wrong. Can you confirm or deny that?

Afaik mozilla does not require { execmem }, but many of those crappy plugins do (for example flash-plugin). In certain configurations those plugins do not get run in the designated nsplugin_t domain. In that case firefox runs them.

I am not sure whether mozilla_t domain transitions to nsplugin_t at all.

In practice I believe it does not matter all that much what needs it. You can allow or (silently) deny it. You can use audit2allow to create an add-on to the mozilla_t domain.

Pipe the particular AVC denial into audit2allow -M mymozilla; semodule -i mymozilla.pp

>
>
> execmem is not allowed:
> getsebool -a|grep execmem
> allow_execmem --> off
>
> Allowing execmem resolves the problem, but is there a better solution
> for this?
>
> Another question:
>
> I would like to make some permanent changes to the xguest account
> (keyboard layout, safe passphrase for wifi access, set keyring pw,
> remove some icons,...)
> How can I as admin do that?
>
> thanks,
> Christoph
>
From misc.lists at blueyonder.co.uk Tue Aug 18 09:12:16 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Tue, 18 Aug 2009 10:12:16 +0100
Subject: Logrotate on mounted partition
In-Reply-To: <1250333453.3396.20.camel@localhost>
References: <1250333453.3396.20.camel@localhost>
Message-ID: <1250586736.2771.8.camel@localhost>

On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> I have a procmail recipe which writes a copy of every mail I receive
> (just because I'm paranoid it doesn't mean they aren't out to get me!)
> to a backup area on my /dev/sda9 partition, mounted as
> /mnt/backup/ by fstab. (It is an ext3 partition).
>
> Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> prevent the hundreds of avcs by suggesting the following:
>
> semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> restorecon -v -R /mnt/backup
>
> This worked perfectly. It also held true throughout my time with F9. I
> have now upgraded to F11 (I skipped F10) and it still kind of works. I
> get an avc when logrotate tries to access these files.
>
> The strange thing is this didn't happen under F8 or F9.
>
> Is there an elegant solution to this problem or should I write a policy
> module?
>
> This is what audit2allow proposes:
>
> module rawmail 1.0;
>
> require {
> type mail_spool_t;
> type logrotate_t;
> class file getattr;
> }
>
> #============= logrotate_t ==============
> allow logrotate_t mail_spool_t:file getattr;
>
>
> The full avc is below.
>
> Many thanks for all your help....
>
> Mark

Just to add to my own mail...

I employed the above policy module, everything seemed OK so (as this seemed to be the last of the problems since upgrading) I switched to enforcing mode.
Since doing so I have received no AVCs but I am finding these in my maillog:

procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
procmail: Error while writing to "/mnt/backup/mail/rawmail"

Temporarily switching back with setenforce 0 stops them so it is selinux related...

Also, I get these dovecot messages (although I haven't investigated fully if they are selinux related...

**Unmatched Entries**
dovecot: IMAP(wife): fchown() failed with file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not permitted: 1 Time(s)
dovecot: IMAP(son): fchown() failed with file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not permitted: 1 Time(s)
dovecot: IMAP(son): fchown() failed with file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not permitted: 1 Time(s)
dovecot: IMAP(son): fchown() failed with file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not permitted: 3 Time(s)

But still no AVCs

Any ideas?

Thanks

Mark

From domg472 at gmail.com Tue Aug 18 09:17:51 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 18 Aug 2009 11:17:51 +0200
Subject: racoon denials
In-Reply-To: <95BF9113-03C5-44BF-AA1C-73BFD6AA269F@t-online.hu>
References: <20090817141034.GA5935@notebook3.grift.internal> <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu> <20090817160919.GC5935@notebook3.grift.internal> <95BF9113-03C5-44BF-AA1C-73BFD6AA269F@t-online.hu>
Message-ID: <20090818091750.GB2445@notebook3.grift.internal>

On Mon, Aug 17, 2009 at 10:46:16PM +0200, Daniel Fazekas wrote:
> On Aug 17, 2009, at 18:09, Dominick Grift wrote:
>
>> So that means there is no such shared policy.
>> We can work around
>> that by adding the following to the myracoon.te:
>> echo "require { type setkey_exec_t, setkey_t; }" >> myracoon.te;
>> echo "domtrans_pattern(racoon_t, setkey_exec_t, setkey_t)" >>
>> myracoon.te;
>>
>> assuming setkey_t is the domain type
>
> That did compile, but now there's a whole new set of setkey_t denials.
>
> allow setkey_t racoon_t:key_socket { read write };
> allow setkey_t racoon_t:netlink_route_socket { read write };
> allow setkey_t racoon_t:udp_socket { read write };
> allow setkey_t racoon_t:unix_stream_socket { read write };
> allow setkey_t racoon_tmp_t:file { read getattr };

I was kind of expecting that. The issue is that most of these rules look really ugly. Maybe there is a 'good' reason why setkey_domtrans is not available. Maybe we should not let racoon_t domain transition to setkey_t.

Try this rule instead of the domtrans_pattern():

can_exec(racoon_t, setkey_exec_t)

(maybe there's a setkey_exec() available for you to call)

This will cause racoon_t to run setkey in the racoon_t domain instead.

>
> I now had to make setkey_t permissive. Previously it only required doing
> that for racoon_t.
>
From domg472 at gmail.com Tue Aug 18 09:21:44 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 18 Aug 2009 11:21:44 +0200
Subject: Logrotate on mounted partition
In-Reply-To: <1250586736.2771.8.camel@localhost>
References: <1250333453.3396.20.camel@localhost> <1250586736.2771.8.camel@localhost>
Message-ID: <20090818092142.GC2445@notebook3.grift.internal>

On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> > I have a procmail recipe which writes a copy of every mail I receive
> > (just because I'm paranoid it doesn't mean they aren't out to get me!)
> > to a backup area on my /dev/sda9 partition, mounted as
> > /mnt/backup/ by fstab. (It is an ext3 partition).
> >
> > Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> > prevent the hundreds of avcs by suggesting the following:
> >
> > semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> > restorecon -v -R /mnt/backup
> >
> > This worked perfectly. It also held true throughout my time with F9. I
> > have now upgraded to F11 (I skipped F10) and it still kind of works. I
> > get an avc when logrotate tries to access these files.
> >
> > The strange thing is this didn't happen under F8 or F9.
> >
> > Is there an elegant solution to this problem or should I write a policy
> > module?
> >
> > This is what audit2allow proposes:
> >
> > module rawmail 1.0;
> >
> > require {
> > 	type mail_spool_t;
> > 	type logrotate_t;
> > 	class file getattr;
> > }
> >
> > #============= logrotate_t ==============
> > allow logrotate_t mail_spool_t:file getattr;
> >
> >
> > The full avc is below.
> >
> > Many thanks for all your help....
> >
> > Mark
>
> Just to add to my own mail...
>
> I employed the above policy module, everything seemed OK so (as this
> seemed to be the last of the problems since upgrading) I switched to
> enforcing mode.
>
> Since doing so I have received no AVCs but I am finding these in my
> maillog:
>
> procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> procmail: Error while writing to "/mnt/backup/mail/rawmail"
>
> Temporarily switching back with setenforce 0 stops them so it is selinux
> related...
>
>
> Also, I get these dovecot messages (although I haven't investigated
> fully if they are selinux related...
> **Unmatched Entries**
> dovecot: IMAP(wife): fchown() failed with
> file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> permitted: 1 Time(s)
> dovecot: IMAP(son): fchown() failed with
> file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> permitted: 1 Time(s)
> dovecot: IMAP(son): fchown() failed with
> file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> permitted: 1 Time(s)
> dovecot: IMAP(son): fchown() failed with
> file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> permitted: 3 Time(s)
>
>
> But still no AVCs
>
> Any ideas?

Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
To reload policy with the silenced denials: semodule -B.

Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)

hth

> Thanks
>
> Mark
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From fdsubs at t-online.hu Tue Aug 18 09:36:35 2009
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Tue, 18 Aug 2009 11:36:35 +0200
Subject: racoon denials
In-Reply-To: <20090818091750.GB2445@notebook3.grift.internal>
References: <20090817141034.GA5935@notebook3.grift.internal> <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu> <20090817160919.GC5935@notebook3.grift.internal> <95BF9113-03C5-44BF-AA1C-73BFD6AA269F@t-online.hu> <20090818091750.GB2445@notebook3.grift.internal>
Message-ID: <0415205B-3634-4D9B-A49C-8C1F54D5258B@t-online.hu>

On Aug 18, 2009, at 11:17, Dominick Grift wrote:

> try this rule instead of the domtrans_pattern():
> can_exec(racoon_t, setkey_exec_t)

Thanks, that did the trick. Everything seems to be fine now with enforcing turned fully back on.

Here's for reference the myracoon.te we ended up with, in case it helps somebody else too:

policy_module(myracoon, 0.0.4)

require {
	type racoon_t, setkey_exec_t;
}

auth_read_shadow(racoon_t)
can_exec(racoon_t, setkey_exec_t)
fs_dontaudit_getattr_xattr_fs(racoon_t)

type racoon_tmp_t;
files_tmp_file(racoon_tmp_t)
manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })


From misc.lists at blueyonder.co.uk Tue Aug 18 09:42:40 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Tue, 18 Aug 2009 10:42:40 +0100
Subject: Logrotate on mounted partition
In-Reply-To: <20090818092142.GC2445@notebook3.grift.internal>
References: <1250333453.3396.20.camel@localhost> <1250586736.2771.8.camel@localhost> <20090818092142.GC2445@notebook3.grift.internal>
Message-ID: <1250588560.2771.12.camel@localhost>

On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
> On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> > > I have a procmail
> > > recipe which writes a copy of every mail I receive
> > > (just because I'm paranoid it doesn't mean they aren't out to get me!)
> > > to a backup area on my /dev/sda9 partition, mounted as
> > > /mnt/backup/ by fstab. (It is an ext3 partition).
> > >
> > > Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> > > prevent the hundreds of avcs by suggesting the following:
> > >
> > > semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> > > restorecon -v -R /mnt/backup
> > >
> > > This worked perfectly. It also held true throughout my time with F9. I
> > > have now upgraded to F11 (I skipped F10) and it still kind of works. I
> > > get an avc when logrotate tries to access these files.
> > >
> > > The strange thing is this didn't happen under F8 or F9.
> > >
> > > Is there an elegant solution to this problem or should I write a policy
> > > module?
> > >
> > > This is what audit2allow proposes:
> > >
> > > module rawmail 1.0;
> > >
> > > require {
> > > 	type mail_spool_t;
> > > 	type logrotate_t;
> > > 	class file getattr;
> > > }
> > >
> > > #============= logrotate_t ==============
> > > allow logrotate_t mail_spool_t:file getattr;
> > >
> > >
> > > The full avc is below.
> > >
> > > Many thanks for all your help....
> > >
> > > Mark
> >
> > Just to add to my own mail...
> >
> > I employed the above policy module, everything seemed OK so (as this
> > seemed to be the last of the problems since upgrading) I switched to
> > enforcing mode.
> >
> > Since doing so I have received no AVCs but I am finding these in my
> > maillog:
> >
> > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> >
> > Temporarily switching back with setenforce 0 stops them so it is selinux
> > related...
> >
> >
> > Also, I get these dovecot messages (although I haven't investigated
> > fully if they are selinux related...
> > **Unmatched Entries**
> > dovecot: IMAP(wife): fchown() failed with
> > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > permitted: 1 Time(s)
> > dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> > permitted: 1 Time(s)
> > dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> > permitted: 1 Time(s)
> > dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > permitted: 3 Time(s)
> >
> >
> > But still no AVCs
> >
> > Any ideas?
> Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
> To reload policy with the silenced denials: semodule -B.
>
> Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)

Is this related? (apologies for line-wrap):

Aug 18 09:07:44 troodos dbus: avc: received setenforce notice (enforcing=0)
Aug 18 09:07:44 troodos dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)

I haven't tried semodule -DB yet, but your message caused me to look at /var/log/messages and this was the first thing I saw...


From casmls at gmail.com Tue Aug 18 09:54:24 2009
From: casmls at gmail.com (Christoph A.)
Date: Tue, 18 Aug 2009 11:54:24 +0200
Subject: xguest: firefox - execmem
In-Reply-To: <20090818091150.GA2445@notebook3.grift.internal>
References: <4A8A64C2.2080806@gmail.com> <20090818091150.GA2445@notebook3.grift.internal>
Message-ID: <4A8A7A50.7050101@gmail.com>

On 18.08.2009 11:11, Dominick Grift wrote:
>> type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for
>> pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0
>> tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process
>
> I have a feeling that this is due to a plugin that is not run in the nsplugin_t domain, but i might be wrong.
> Can you confirm or deny that?

flash-plugin is not (yet) installed for xguest

other installed plugins:

ls /usr/lib/mozilla/plugins
librhythmbox-itms-detection-plugin.so  libtotem-cone-plugin.so
libtotem-gmp-plugin.so  libtotem-mully-plugin.so
libtotem-narrowspace-plugin.so

> Afaik mozilla does not require { execmem }, but many of those crappy plugins do ( for example flash-plugin ).
> In certain configurations those plugins do not get run in the designated nsplugin_t domain.
>
> In that case firefox runs them.
>
> I am not sure whether mozilla_t domain transitions to nsplugin_t at all.
>
> In practice i believe it does not matter all that much what needs it. You can allow or (silently) deny it.

Silent deny would mean don't use firefox (because it crashes immediately after I start it, if execmem is not allowed).

Does this imply that it has something to do with firefox rather than a specific plugin, or are all plugins loaded at startup?

> You can use audit2allow to create an add-on to the mozilla_t domain.

I prefer to get it fixed upstream (it it is a bug) ;)

thanks,
Christoph


From casmls at gmail.com Tue Aug 18 09:57:13 2009
From: casmls at gmail.com (Christoph A.)
Date: Tue, 18 Aug 2009 11:57:13 +0200
Subject: xguest: firefox - execmem
In-Reply-To: <4A8A7A50.7050101@gmail.com>
References: <4A8A64C2.2080806@gmail.com> <20090818091150.GA2445@notebook3.grift.internal> <4A8A7A50.7050101@gmail.com>
Message-ID: <4A8A7AF9.3060606@gmail.com>

On 18.08.2009 11:54, Christoph A. wrote:
>> You can use audit2allow to create an add-on to the mozilla_t domain.
> I prefer to get it fixed upstream (it it is a bug) ;)

should read (_if_ it is a bug)


From mrowais at hotmail.com Tue Aug 18 10:07:26 2009
From: mrowais at hotmail.com (Mohamed Aburowais)
Date: Tue, 18 Aug 2009 11:07:26 +0100
Subject: setroubleshooter not filing bugs, is there another way
In-Reply-To: <20090818080157.114efebf@metropolis.intra.city-fan.org>
References: <4c4ba1530908171620h299c7386q76b3ce45ec342162@mail.gmail.com> <625893.47009.qm@web52611.mail.re2.yahoo.com> <20090818080157.114efebf@metropolis.intra.city-fan.org>
Message-ID: 

You can try searching your audit by using this command:

ausearch -m avc

for today's denial messages:

ausearch -m avc -ts today

> Date: Tue, 18 Aug 2009 08:01:57 +0100
> From: paul at city-fan.org
> To: olivares14031 at yahoo.com
> CC: fedora-selinux-list at redhat.com
> Subject: Re: setroubleshooter not filing bugs, is there another way
>
> On Mon, 17 Aug 2009 19:53:50 -0700 (PDT)
> Antonio Olivares wrote:
> > --- On Mon, 8/17/09, Tom London wrote:
> >
> > > From: Tom London
> > > Subject: Re: setroubleshooter not filing bugs, is there another way
> > > To: "Antonio Olivares"
> > > Cc: fedora-selinux-list at redhat.com
> > > Date: Monday, August 17, 2009, 4:20 PM
> > > On Mon, Aug 17, 2009 at 4:12 PM, Antonio Olivares wrote:
> > > > Dear fellow selinux experts,
> > > >
> > > > I am encountering a problem with setroubleshooter and avc denials
> > > > for wine. It gives me a fatal error report, but I can't copy + paste
> > > > like I used to, I tried to file a bugzilla report but the process
> > > > hangs and it is not being sent. Is there another way to capture the
> > > > report so I can send in the avc denials?
> > > >
> > > > I am running xfce fully updated in rawhide. I try to dmesg but get
> > > > no avcs and I can't run windows programs under wine without seeing
> > > > the setroubleshoot(er) go crazy :(
> > > >
> > > > Thanks,
> > > >
> > > > Antonio
> > > >
> > >
> > > If you are getting AVCs, you should see in /var/log/messages lines
> > > that look like:
> > >
> > > Aug 17 13:08:42 tlondon setroubleshoot: SELinux is preventing abrt
> > > (initrc_t) "add_name" var_t. For complete SELinux messages. run
> > > sealert -l 41767f84-0e7c-4e14-a318-8f2f97877019
> > >
> > > You should be able to run "sealert" with the arguments in the message
> > > to produce a text version of the alert that you can copy/paste into a
> > > bugzilla.
> > >
> > > tom
> > > --
> > > Tom London
> > >
> >
> > Thanks Tom for your guidance. Tomorrow as I get to work and get the
> > alert(s) will try to capture following your advice and mail them to
> > list.
>
> Bear in mind that if you're running auditd, the messages will be
> in /var/log/audit/audit.log rather than /var/log/messages.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From domg472 at gmail.com Tue Aug 18 10:23:51 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 18 Aug 2009 12:23:51 +0200
Subject: xguest: firefox - execmem
In-Reply-To: <4A8A7A50.7050101@gmail.com>
References: <4A8A64C2.2080806@gmail.com> <20090818091150.GA2445@notebook3.grift.internal> <4A8A7A50.7050101@gmail.com>
Message-ID: <20090818102349.GD2445@notebook3.grift.internal>

On Tue, Aug 18, 2009 at 11:54:24AM +0200, Christoph A. wrote:
> On 18.08.2009 11:11, Dominick Grift wrote:
> >> type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for
> >> pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0
> >> tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process
> >
> > I have a feeling that this is due to a plugin that is not run in the nsplugin_t domain, but i might be wrong.
> > Can you confirm or deny that?
>
> flash-plugin is not (yet) installed for xguest
>
> other installed plugins:
>
> ls /usr/lib/mozilla/plugins
> librhythmbox-itms-detection-plugin.so  libtotem-cone-plugin.so
> libtotem-gmp-plugin.so  libtotem-mully-plugin.so
> libtotem-narrowspace-plugin.so
>
> > Afaik mozilla does not require { execmem }, but many of those crappy plugins do ( for example flash-plugin ).
> > In certain configurations those plugins do not get run in the designated nsplugin_t domain.
> >
> > In that case firefox runs them.
> >
> > I am not sure whether mozilla_t domain transitions to nsplugin_t at all.
> >
> > In practice i believe it does not matter all that much what needs it. You can allow or (silently) deny it.
>
> Silent deny would mean don't use firefox (because it crashes
> immediately after I start it, if execmem is not allowed).
>
> Does this imply that it has something to do with firefox rather than a
> specific plugin, or are all plugins loaded at startup?

Good question. I think it implies it has something to do with firefox. I guess you will have to allow it.
>
> > You can use audit2allow to create an add-on to the mozilla_t domain.
>
> I prefer to get it fixed upstream (it it is a bug) ;)
>
> thanks,
> Christoph


From domg472 at gmail.com Tue Aug 18 10:28:19 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 18 Aug 2009 12:28:19 +0200
Subject: Logrotate on mounted partition
In-Reply-To: <1250588560.2771.12.camel@localhost>
References: <1250333453.3396.20.camel@localhost> <1250586736.2771.8.camel@localhost> <20090818092142.GC2445@notebook3.grift.internal> <1250588560.2771.12.camel@localhost>
Message-ID: <20090818102817.GE2445@notebook3.grift.internal>

On Tue, Aug 18, 2009 at 10:42:40AM +0100, Arthur Dent wrote:
> On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
> > On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> > > > I have a procmail recipe which writes a copy of every mail I receive
> > > > (just because I'm paranoid it doesn't mean they aren't out to get me!)
> > > > to a backup area on my /dev/sda9 partition, mounted as
> > > > /mnt/backup/ by fstab. (It is an ext3 partition).
> > > >
> > > > Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
> > > > prevent the hundreds of avcs by suggesting the following:
> > > >
> > > > semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
> > > > restorecon -v -R /mnt/backup
> > > >
> > > > This worked perfectly. It also held true throughout my time with F9. I
> > > > have now upgraded to F11 (I skipped F10) and it still kind of works. I
> > > > get an avc when logrotate tries to access these files.
> > > >
> > > > The strange thing is this didn't happen under F8 or F9.
> > > >
> > > > Is there an elegant solution to this problem or should I write a policy
> > > > module?
> > > >
> > > > This is what audit2allow proposes:
> > > >
> > > > module rawmail 1.0;
> > > >
> > > > require {
> > > > 	type mail_spool_t;
> > > > 	type logrotate_t;
> > > > 	class file getattr;
> > > > }
> > > >
> > > > #============= logrotate_t ==============
> > > > allow logrotate_t mail_spool_t:file getattr;
> > > >
> > > >
> > > > The full avc is below.
> > > >
> > > > Many thanks for all your help....
> > > >
> > > > Mark
> > >
> > > Just to add to my own mail...
> > >
> > > I employed the above policy module, everything seemed OK so (as this
> > > seemed to be the last of the problems since upgrading) I switched to
> > > enforcing mode.
> > >
> > > Since doing so I have received no AVCs but I am finding these in my
> > > maillog:
> > >
> > > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> > >
> > > Temporarily switching back with setenforce 0 stops them so it is selinux
> > > related...
> > >
> > >
> > > Also, I get these dovecot messages (although I haven't investigated
> > > fully if they are selinux related...
> > > **Unmatched Entries**
> > > dovecot: IMAP(wife): fchown() failed with
> > > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > > permitted: 1 Time(s)
> > > dovecot: IMAP(son): fchown() failed with
> > > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> > > permitted: 1 Time(s)
> > > dovecot: IMAP(son): fchown() failed with
> > > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> > > permitted: 1 Time(s)
> > > dovecot: IMAP(son): fchown() failed with
> > > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > > permitted: 3 Time(s)
> > >
> > >
> > > But still no AVCs
> > >
> > > Any ideas?
> > Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
> > To reload policy with the silenced denials: semodule -B.
> >
> > Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)
>
> Is this related? (apologies for line-wrap):

No, not related. (it is a (known) bug in dbus though)

>
> Aug 18 09:07:44 troodos dbus: avc: received setenforce notice
> (enforcing=0)
> Aug 18 09:07:44 troodos dbus: Can't send to audit system: USER_AVC avc:
> received setenforce notice (enforcing=0)#012: exe="?" (sauid=81,
> hostname=?, addr=?, terminal=?)
>
> I haven't tried semodule -DB yet, but your message caused me to look
> at /var/log/messages and this was the first thing I saw...
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


From misc.lists at blueyonder.co.uk Tue Aug 18 10:39:07 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Tue, 18 Aug 2009 11:39:07 +0100
Subject: Logrotate on mounted partition
In-Reply-To: <20090818092142.GC2445@notebook3.grift.internal>
References: <1250333453.3396.20.camel@localhost> <1250586736.2771.8.camel@localhost> <20090818092142.GC2445@notebook3.grift.internal>
Message-ID: <1250591947.2771.17.camel@localhost>

On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
> On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:

[snip]

> >
> > Just to add to my own mail...
> >
> > I employed the above policy module, everything seemed OK so (as this
> > seemed to be the last of the problems since upgrading) I switched to
> > enforcing mode.
> >
> > Since doing so I have received no AVCs but I am finding these in my
> > maillog:
> >
> > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> >
> > Temporarily switching back with setenforce 0 stops them so it is selinux
> > related...
> >
> >
> > Also, I get these dovecot messages (although I haven't investigated
> > fully if they are selinux related...
> > **Unmatched Entries**
> > dovecot: IMAP(wife): fchown() failed with
> > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > permitted: 1 Time(s)
> > dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> > permitted: 1 Time(s)
> > dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> > permitted: 1 Time(s)
> > dovecot: IMAP(son): fchown() failed with
> > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > permitted: 3 Time(s)
> >
> >
> > But still no AVCs
> >
> > Any ideas?
> Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
> To reload policy with the silenced denials: semodule -B.
>
> Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)

OK - since semodule -DB getting flooded with AVCs...

Here are some that are related to this problem...

cat /var/log/audit/audit.log | grep -i procmail
....
type=AVC msg=audit(1250591203.244:43494): avc: denied { rlimitinh } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1250591203.244:43494): avc: denied { siginh } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1250591203.244:43494): avc: denied { noatsecure } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11 success=yes exit=0 a0=5d8098 a1=bf83277c a2=4ab960 a3=41904 items=0 ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1250591203.418:43495): avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=SYSCALL msg=audit(1250591203.418:43495): arch=40000003 syscall=196 success=no exit=-2 a0=9779280 a1=bf95f790 a2=77cff4 a3=97793f8 items=0 ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)

This still with setenforce 0

Any ideas?

Thanks for your help!...

Mark

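The audit records Mark pasted above, run through a small triage script. This is an added example, not code from the thread or from the SELinux userspace tools. It parses the AVC and SYSCALL records, sets aside the three process-class denials (noatsecure, siginh, rlimitinh), which refpolicy's domtrans_pattern() dontaudits for every domain transition and which therefore only surface after semodule -DB has dropped the dontaudit rules, joins each remaining AVC to its SYSCALL record by serial number so the call's own result is visible, and renders an audit2allow-style module for what is left. The module name rawmail_mnt and the noise set are the example's own choices; the sample log is the thread's records, one record per line.

```python
"""Triage SELinux AVC records from an audit.log excerpt.

Added example (not from the mailing list or the SELinux tools): separate
denials that policy dontaudits anyway from denials worth acting on, and
show the syscall result next to each one.
"""
import re
from collections import defaultdict

# Constructed sample input: the records posted in the thread, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1250591203.244:43494): avc: denied { rlimitinh } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1250591203.244:43494): avc: denied { siginh } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=AVC msg=audit(1250591203.244:43494): avc: denied { noatsecure } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11 success=yes exit=0 a0=5d8098 a1=bf83277c a2=4ab960 a3=41904 items=0 ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1250591203.418:43495): avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=SYSCALL msg=audit(1250591203.418:43495): arch=40000003 syscall=196 success=no exit=-2 a0=9779280 a1=bf95f790 a2=77cff4 a3=97793f8 items=0 ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
"""

# audit.log writes "avc:  denied  { perm }" with double spaces; " +" tolerates both.
AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<fields>.*)$")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process permissions that refpolicy's domtrans_pattern() dontaudits on every
# domain transition; denials of these are noise unless semodule -DB is in effect.
DONTAUDIT_TRANSITION_PERMS = {"noatsecure", "siginh", "rlimitinh"}


def _kv(fields):
    return {k: v.strip('"') for k, v in KV_RE.findall(fields)}


def parse_audit_log(text):
    """Return (avcs, syscalls): a list of AVC dicts and a {serial: fields} map of SYSCALL records."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            avc = _kv(m.group("fields"))
            avc["serial"] = int(m.group("serial"))
            avc["perms"] = set(m.group("perms").split())
            # contexts are user:role:type:level; policy rules are written against the type
            avc["stype"] = avc["scontext"].split(":")[2]
            avc["ttype"] = avc["tcontext"].split(":")[2]
            avcs.append(avc)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[int(m.group("serial"))] = _kv(m.group("fields"))
    return avcs, syscalls


def is_transition_noise(avc):
    return avc["tclass"] == "process" and avc["perms"] <= DONTAUDIT_TRANSITION_PERMS


def triage(text):
    """Split denials into (noise, actionable); each AVC gets its SYSCALL result attached."""
    avcs, syscalls = parse_audit_log(text)
    noise, actionable = [], []
    for avc in avcs:
        sc = syscalls.get(avc["serial"], {})
        avc["success"] = sc.get("success")  # "no" means the call itself failed
        avc["exit"] = sc.get("exit")        # negative errno: -2 is ENOENT, -13 is EACCES
        (noise if is_transition_noise(avc) else actionable).append(avc)
    return noise, actionable


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(avcs, module="myfix"):
    """Render an audit2allow-style .te module that would permit the given denials."""
    rules = defaultdict(set)
    for a in avcs:
        rules[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {_perm_list(p)};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{cls} {_perm_list(p)};" for (s, t, cls), p in sorted(rules.items())]
    return "\n".join(out)


if __name__ == "__main__":
    noise, actionable = triage(SAMPLE_AUDIT_LOG)
    for a in noise:
        print(f"noise      {a['stype']} -> {a['ttype']}:{a['tclass']} {_perm_list(a['perms'])}")
    for a in actionable:
        print(f"actionable {a['stype']} -> {a['ttype']}:{a['tclass']} {_perm_list(a['perms'])} "
              f"(syscall success={a['success']} exit={a['exit']})")
    print(allow_rules(actionable, module="rawmail_mnt"))
```

Feed it a saved excerpt (for example the output of ausearch -m avc) instead of the embedded sample to triage a real log. The syscall join is the part audit2allow does not show you: in permissive mode a denial is only logged, not enforced, so a denied search whose syscall still returns exit=-2 (ENOENT) tells you the path did not exist at that moment, which is a different problem from the SELinux denial being reported beside it.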
From domg472 at gmail.com Tue Aug 18 10:46:39 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 18 Aug 2009 12:46:39 +0200
Subject: Logrotate on mounted partition
In-Reply-To: <1250591947.2771.17.camel@localhost>
References: <1250333453.3396.20.camel@localhost> <1250586736.2771.8.camel@localhost> <20090818092142.GC2445@notebook3.grift.internal> <1250591947.2771.17.camel@localhost>
Message-ID: <20090818104638.GF2445@notebook3.grift.internal>

On Tue, Aug 18, 2009 at 11:39:07AM +0100, Arthur Dent wrote:
> On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
> > On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
>
> [snip]
>
> > >
> > > Just to add to my own mail...
> > >
> > > I employed the above policy module, everything seemed OK so (as this
> > > seemed to be the last of the problems since upgrading) I switched to
> > > enforcing mode.
> > >
> > > Since doing so I have received no AVCs but I am finding these in my
> > > maillog:
> > >
> > > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> > >
> > > Temporarily switching back with setenforce 0 stops them so it is selinux
> > > related...
> > >
> > >
> > > Also, I get these dovecot messages (although I haven't investigated
> > > fully if they are selinux related...
> > > **Unmatched Entries**
> > > dovecot: IMAP(wife): fchown() failed with
> > > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > > permitted: 1 Time(s)
> > > dovecot: IMAP(son): fchown() failed with
> > > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> > > permitted: 1 Time(s)
> > > dovecot: IMAP(son): fchown() failed with
> > > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> > > permitted: 1 Time(s)
> > > dovecot: IMAP(son): fchown() failed with
> > > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > > permitted: 3 Time(s)
> > >
> > >
> > > But still no AVCs
> > >
> > > Any ideas?
> > Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
> > To reload policy with the silenced denials: semodule -B.
> >
> > Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)
>
> OK - since semodule -DB getting flooded with AVCs...
>
> Here are some that are related to this problem...
>
> cat /var/log/audit/audit.log | grep -i procmail
> ....
> type=AVC msg=audit(1250591203.244:43494): avc: denied { rlimitinh } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1250591203.244:43494): avc: denied { siginh } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=AVC msg=audit(1250591203.244:43494): avc: denied { noatsecure } for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process
> type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11 success=yes exit=0 a0=5d8098 a1=bf83277c a2=4ab960 a3=41904 items=0 ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> type=AVC msg=audit(1250591203.418:43495): avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> type=SYSCALL msg=audit(1250591203.418:43495): arch=40000003 syscall=196 success=no exit=-2 a0=9779280 a1=bf95f790 a2=77cff4 a3=97793f8 items=0 ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
>
> This still with setenforce 0
>
> Any ideas?
>
> Thanks for your help!...
>
> Mark
>

The only AVC denial that is ( a little bit ) interesting is:

avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir

Pipe this into audit2why to see if it has any suggestions. Although i doubt it is related to your issue.
A quick way to rule out SELinux as the cause of your issue is to reproduce the issue in permissive mode. If access is (still) denied when you try to reproduce it in permissive mode, then it is not an SELinux issue. If it works in permissive mode, but not in enforcing mode, then it is an SELinux issue.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


From casmls at gmail.com Tue Aug 18 10:53:59 2009
From: casmls at gmail.com (Christoph A.)
Date: Tue, 18 Aug 2009 12:53:59 +0200
Subject: xguest: firefox - execmem
In-Reply-To: <20090818102349.GD2445@notebook3.grift.internal>
References: <4A8A64C2.2080806@gmail.com> <20090818091150.GA2445@notebook3.grift.internal> <4A8A7A50.7050101@gmail.com> <20090818102349.GD2445@notebook3.grift.internal>
Message-ID: <4A8A8847.2030805@gmail.com>

On 18.08.2009 12:23, Dominick Grift wrote:
>> Does this imply that it has something to do with firefox rather than a
>> specific plugin, or are all plugins loaded at startup?
>
> Good question. I think it implies it has something to do with firefox.
> i guess you will have to allow it.

Ok, I filed a bug report.

https://bugzilla.redhat.com/show_bug.cgi?id=517998

thanks,
Christoph

From misc.lists at blueyonder.co.uk Tue Aug 18 11:23:25 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Tue, 18 Aug 2009 12:23:25 +0100
Subject: Logrotate on mounted partition
In-Reply-To: <20090818104638.GF2445@notebook3.grift.internal>
References: <1250333453.3396.20.camel@localhost> <1250586736.2771.8.camel@localhost> <20090818092142.GC2445@notebook3.grift.internal> <1250591947.2771.17.camel@localhost> <20090818104638.GF2445@notebook3.grift.internal>
Message-ID: <1250594605.2771.22.camel@localhost>

On Tue, 2009-08-18 at 12:46 +0200, Dominick Grift wrote:
> On Tue, Aug 18, 2009 at 11:39:07AM +0100, Arthur Dent wrote:
> > On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
> > > On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > > > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> >
> > [snip]
> >
> > > >
> > > > Just to add to my own mail...
> > > >
> > > > I employed the above policy module, everything seemed OK so (as this
> > > > seemed to be the last of the problems since upgrading) I switched to
> > > > enforcing mode.
> > > >
> > > > Since doing so I have received no AVCs but I am finding these in my
> > > > maillog:
> > > >
> > > > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > > > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> > > >
> > > > Temporarily switching back with setenforce 0 stops them so it is selinux
> > > > related...
> > > >
> > > >
> > > > Also, I get these dovecot messages (although I haven't investigated
> > > > fully if they are selinux related...
> > > > **Unmatched Entries** > > > > dovecot: IMAP(wife): fchown() failed with > > > > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not > > > > permitted: 1 Time(s) > > > > dovecot: IMAP(son): fchown() failed with > > > > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not > > > > permitted: 1 Time(s) > > > > dovecot: IMAP(son): fchown() failed with > > > > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not > > > > permitted: 1 Time(s) > > > > dovecot: IMAP(son): fchown() failed with > > > > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not > > > > permitted: 3 Time(s) > > > > > > > > > > > > But still no AVCs > > > > > > > > Any ideas? > > > Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced. > > > To reload policy with the silenced denials: semodule -B. > > > > > > Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved) > > > > OK - since semodule -DB getting flooded with AVCs... > > > > Here are some that are related to this problem... > > > > cat /var/log/audit/audit.log | grep -i procmail > > .... 
> > type=AVC msg=audit(1250591203.244:43494): avc: denied { rlimitinh } > > for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 > > tcontext=system_u:system_r:procmail_t:s0 tclass=process > > type=AVC msg=audit(1250591203.244:43494): avc: denied { siginh } for > > pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 > > tcontext=system_u:system_r:procmail_t:s0 tclass=process > > type=AVC msg=audit(1250591203.244:43494): avc: denied { noatsecure } > > for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0 > > tcontext=system_u:system_r:procmail_t:s0 tclass=process > > type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11 > > success=yes exit=0 a0=5d8098 a1=bf83277c a2=4ab960 a3=41904 items=0 > > ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" > > exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null) > > type=AVC msg=audit(1250591203.418:43495): avc: denied { search } for > > pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 > > scontext=system_u:system_r:procmail_t:s0 > > tcontext=system_u:object_r:mnt_t:s0 tclass=dir > > type=SYSCALL msg=audit(1250591203.418:43495): arch=40000003 syscall=196 > > success=no exit=-2 a0=9779280 a1=bf95f790 a2=77cff4 a3=97793f8 items=0 > > ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" > > exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null) > > > > This still with setenforce 0 > > > > Any ideas? > > > > Thanks for your help!... 
> > > > Mark > > > > The only AVC denial that is ( a little bit ) interesting is: > > avc: denied { search } for > pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 > scontext=system_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:mnt_t:s0 tclass=dir > > Pipe this into audit2why to see if it has any suggestions. Although i doubt it is related to your issue. > > A quick way to rule out SELinux as the cause of your issue is to reproduce the issue in permissive mode. > > If access is (still) denied when you try to reproduce it in permissive mode, than it is not an SELinux issue. > > If it works in permissive mode, but not in enforcing mode, then it is a SELinux issue. > Well all that audit2why suggests for that avc is: Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. On your other point, you will notice (further up in this mail) that this problem is only in Enforcing mode. Switching to Permissive does indeed stop the procmail errors. Still watching the avcs.... I'll keep you posted.. Thanks Mark -------------- next part -------------- A non-text attachment was scrubbed... 
From domg472 at gmail.com  Tue Aug 18 11:48:12 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 18 Aug 2009 13:48:12 +0200
Subject: Logrotate on mounted partition
In-Reply-To: <1250594605.2771.22.camel@localhost>
References: <1250333453.3396.20.camel@localhost> <1250586736.2771.8.camel@localhost> <20090818092142.GC2445@notebook3.grift.internal> <1250591947.2771.17.camel@localhost> <20090818104638.GF2445@notebook3.grift.internal> <1250594605.2771.22.camel@localhost>
Message-ID: <20090818114811.GG2445@notebook3.grift.internal>

On Tue, Aug 18, 2009 at 12:23:25PM +0100, Arthur Dent wrote:
> On Tue, 2009-08-18 at 12:46 +0200, Dominick Grift wrote:
> > On Tue, Aug 18, 2009 at 11:39:07AM +0100, Arthur Dent wrote:
> > > On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
> > > > On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > > > > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> > > > > [snip]
> > > > >
> > > > > Just to add to my own mail...
> > > > >
> > > > > I employed the above policy module, everything seemed OK so (as this
> > > > > seemed to be the last of the problems since upgrading) I switched to
> > > > > enforcing mode.
> > > > >
> > > > > Since doing so I have received no AVCs but I am finding these in my
> > > > > maillog:
> > > > >
> > > > > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > > > > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> > > > >
> > > > > Temporarily switching back with setenforce 0 stops them so it is selinux
> > > > > related...
> > > > >
> > > > >
> > > > > Also, I get these dovecot messages (although I haven't investigated
> > > > > fully if they are selinux related...
> > > > >
> > > > > **Unmatched Entries**
> > > > > dovecot: IMAP(wife): fchown() failed with
> > > > > file /home/wife/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > > > > permitted: 1 Time(s)
> > > > > dovecot: IMAP(son): fchown() failed with
> > > > > file /home/son/mail/.imap/INBOX/dovecot.index.cache.lock: Operation not
> > > > > permitted: 1 Time(s)
> > > > > dovecot: IMAP(son): fchown() failed with
> > > > > file /home/son/mail/.imap/INBOX/dovecot.index.log.newlock: Operation not
> > > > > permitted: 1 Time(s)
> > > > > dovecot: IMAP(son): fchown() failed with
> > > > > file /home/son/mail/.imap/INBOX/dovecot.index.tmp: Operation not
> > > > > permitted: 3 Time(s)
> > > > >
> > > > >
> > > > > But still no AVCs
> > > > >
> > > > > Any ideas?
> > > > Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
> > > > To reload policy with the silenced denials: semodule -B.
> > > >
> > > > Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)
> > >
> > > OK - since semodule -DB getting flooded with AVCs...
> > >
> > > Here are some that are related to this problem...
> > >
> > > cat /var/log/audit/audit.log | grep -i procmail
> > > ....
> > > type=AVC msg=audit(1250591203.244:43494): avc: denied { rlimitinh }
> > > for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> > > tcontext=system_u:system_r:procmail_t:s0 tclass=process
> > > type=AVC msg=audit(1250591203.244:43494): avc: denied { siginh } for
> > > pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> > > tcontext=system_u:system_r:procmail_t:s0 tclass=process
> > > type=AVC msg=audit(1250591203.244:43494): avc: denied { noatsecure }
> > > for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> > > tcontext=system_u:system_r:procmail_t:s0 tclass=process
> > > type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11
> > > success=yes exit=0 a0=5d8098 a1=bf83277c a2=4ab960 a3=41904 items=0
> > > ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
> > > exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> > > type=AVC msg=audit(1250591203.418:43495): avc: denied { search } for
> > > pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921
> > > scontext=system_u:system_r:procmail_t:s0
> > > tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> > > type=SYSCALL msg=audit(1250591203.418:43495): arch=40000003 syscall=196
> > > success=no exit=-2 a0=9779280 a1=bf95f790 a2=77cff4 a3=97793f8 items=0
> > > ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
> > > exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> > >
> > > This still with setenforce 0
> > >
> > > Any ideas?
> > >
> > > Thanks for your help!...
> > >
> > > Mark
> > >
> >
> > The only AVC denial that is ( a little bit ) interesting is:
> >
> > avc: denied { search } for
> > pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921
> > scontext=system_u:system_r:procmail_t:s0
> > tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> >
> > Pipe this into audit2why to see if it has any suggestions. Although I doubt it is related to your issue.
> >
> > A quick way to rule out SELinux as the cause of your issue is to reproduce the issue in permissive mode.
> >
> > If access is (still) denied when you try to reproduce it in permissive mode, then it is not an SELinux issue.
> >
> > If it works in permissive mode, but not in enforcing mode, then it is an SELinux issue.
> >
>
> Well all that audit2why suggests for that avc is:
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this
> access.
>
> On your other point, you will notice (further up in this mail) that this
> problem is only in Enforcing mode. Switching to Permissive does indeed
> stop the procmail errors.
>
> Still watching the avcs.... I'll keep you posted..
>
> Thanks
>
> Mark
>

Whoops, obviously you need to allow procmail_t to search mountpoints to make it work.

echo "> > avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir" auditallow -M myprocmail; semodule -i myprocmail.pp

This is a bug in policy.
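What the one-liner above hands to audit2allow, shown as an added example (not code from the list or from the audit2allow tool): a small triage script that parses the AVC records Arthur pasted, groups the denied permissions into allow rules, and sets aside the process denials that policy dontaudits by default and that only surfaced because semodule -DB was run. The grouping is a simplified model of what audit2allow does, not its implementation, and the sample records are constructed from the ones quoted in this thread.

```python
"""Triage raw SELinux AVC records into candidate allow rules.

Added example, not code from the mailing list or from audit2allow. It
models the part of audit2allow's job done by hand in the thread: parse
`type=AVC ... avc: denied { perms } ... scontext=... tcontext=... tclass=...`
records, group denied permissions by (source type, target type, class) and
print type-enforcement allow rules. Process permissions that policy
dontaudits on a domain transition are reported separately: they are only
visible after `semodule -DB` and are meant to stay silenced, so they
should not be turned into allow rules.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# (object class, permission) pairs dontaudited by default on a domain
# transition; they appear in the log only while `semodule -DB` is in effect.
SILENCED_BY_DEFAULT = {
    ("process", "rlimitinh"),
    ("process", "siginh"),
    ("process", "noatsecure"),
}

# Constructed sample: the records quoted in the thread, re-joined onto one
# line per record (mail wrapping split them), plus a SYSCALL record that
# carries no AVC and must be ignored by the parser.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1250591203.244:43494): avc: denied { rlimitinh } for pid=14767 comm="procmail" '
    'scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process',
    'type=AVC msg=audit(1250591203.244:43494): avc: denied { siginh } for pid=14767 comm="procmail" '
    'scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process',
    'type=AVC msg=audit(1250591203.244:43494): avc: denied { noatsecure } for pid=14767 comm="procmail" '
    'scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:procmail_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11 success=yes exit=0 '
    'comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)',
    'type=AVC msg=audit(1250591203.418:43495): avc: denied { search } for pid=14767 comm="procmail" '
    'name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 '
    'tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
]


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def triage(lines):
    """Split AVC denials into allow rules worth reviewing and silenced noise.

    Returns (rules, silenced): rules is a sorted list of
    'allow src tgt:class perms;' strings, silenced lists the denials skipped
    because policy dontaudits them by default.
    """
    grouped = defaultdict(set)
    silenced = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            if (rec["tclass"], perm) in SILENCED_BY_DEFAULT:
                silenced.append(f"{rec['source']} {rec['target']}:{rec['tclass']} {perm}")
            else:
                grouped[(rec["source"], rec["target"], rec["tclass"])].add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_txt = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_txt = "{ " + perm_txt + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules, silenced


if __name__ == "__main__":
    rules, silenced = triage(SAMPLE_RECORDS)
    print("# rules to review before building a module with audit2allow -M:")
    for rule in rules:
        print(rule)  # allow procmail_t mnt_t:dir search;
    print("# dontaudited by default, left silenced:")
    for item in silenced:
        print(item)
```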
From olivares14031 at yahoo.com  Tue Aug 18 12:29:16 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 18 Aug 2009 05:29:16 -0700 (PDT)
Subject: setroubleshooter not filing bugs, is there another way
In-Reply-To: <20090818080157.114efebf@metropolis.intra.city-fan.org>
Message-ID: <549925.23384.qm@web52610.mail.re2.yahoo.com>

> > Thanks Tom for your guidance.  Tomorrow as I get to work and get the
> > alert(s) will try to capture following your advice and mail them to
> > list.
>
> Bear in mind that if you're running auditd, the messages will be
> in /var/log/audit/audit.log rather than /var/log/messages.
>
> Paul.
>

Thanks Paul :)

Tom's advice worked. Here's the denied avc

[olivares at localhost ~]$ su -
Password:
[root at localhost ~]# tail -f /var/log/messages
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:02 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:03 localhost setroubleshoot: Your system may be seriously compromised! For complete SELinux messages. run sealert -l 70b576a6-6313-4753-9403-22ac883c585a
Aug 18 07:26:03 localhost setroubleshoot: Your system may be seriously compromised! For complete SELinux messages. run sealert -l 70b576a6-6313-4753-9403-22ac883c585a
Aug 18 07:26:04 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:04 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:04 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
Aug 18 07:26:05 localhost kernel: [drm] TV-14: set mode NTSC 480i 0
^C
[root at localhost ~]#
[root at localhost ~]#
[root at localhost ~]# sealert -l 70b576a6-6313-4753-9403-22ac883c585a

Summary:

Your system may be seriously compromised!

Detailed Description:

SELinux has denied the explorer.exe the ability to mmap low area of the kernel
address space. The ability to mmap a low area of the address space, as
configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps
protect against exploiting null deref bugs in the kernel. All applications
that need this access should have already had policy written for them. If a
compromised application tries modify the kernel this AVC would be generated.
This is a serious issue. Your system may very well be compromised.

Allowing Access:

Contact your security administrator and report this issue.

Additional Information:

Source Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023
Target Objects                None [ memprotect ]
Source                        wine-preloader
Source Path                   /usr/bin/wine-preloader
Port
Host                          localhost.localdomain
Source RPM Packages           wine-core-1.1.26-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mmap_zero
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.31-0.125.4.2.rc5.git2.fc12.i686 #1 SMP Tue Aug 11 21:20:05 EDT 2009 i686 i686
Alert Count                   86
First Seen                    Wed Aug 12 17:09:09 2009
Last Seen                     Tue Aug 18 07:26:03 2009
Local ID                      70b576a6-6313-4753-9403-22ac883c585a
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1250598363.591:37): avc: denied { mmap_zero } for pid=1861 comm="explorer.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

node=localhost.localdomain type=SYSCALL msg=audit(1250598363.591:37): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1861 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="explorer.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)

Thanks,

Antonio

From olivares14031 at yahoo.com  Tue Aug 18 12:33:25 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 18 Aug 2009 05:33:25 -0700 (PDT)
Subject: setroubleshooter not filing bugs, is there another way
In-Reply-To:
Message-ID: <54498.19868.qm@web52612.mail.re2.yahoo.com>

Mohammed,

Thank you very much for your advice.  It also works and it gives all the denied avcs :)

> You can try searching your audit by using this
> command:
>
> ausearch -m avc
>
> for today's denial messages : ausearch -m avc -ts
> today
>
>

[root at localhost ~]# ausearch -m avc -ts today
----
time->Tue Aug 18 07:25:56 2009
type=SYSCALL msg=audit(1250598356.895:28): arch=40000003 syscall=90 success=no exit=-13 a0=bff8b0c0 a1=0 a2=bff8b0c0 a3=5a items=0 ppid=1479 pid=1840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598356.895:28): avc: denied { mmap_zero } for pid=1840 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
----
time->Tue Aug 18 07:25:57 2009
type=SYSCALL msg=audit(1250598357.702:29): arch=40000003 syscall=90 success=no exit=-13 a0=bfe7d630 a1=0 a2=bfe7d630 a3=5a items=0 ppid=1 pid=1848 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598357.702:29): avc: denied { mmap_zero } for pid=1848 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
----
time->Tue Aug 18 07:25:57 2009
type=SYSCALL msg=audit(1250598357.812:30): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1848 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wineboot.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598357.812:30): avc: denied { mmap_zero } for pid=1848 comm="wineboot.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
----
time->Tue Aug 18 07:25:57 2009
type=SYSCALL msg=audit(1250598357.889:31): arch=40000003 syscall=90 success=no exit=-13 a0=bff8ad80 a1=0 a2=bff8ad80 a3=5a items=0 ppid=1848 pid=1849 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598357.889:31): avc: denied { mmap_zero } for pid=1849 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
----
time->Tue Aug 18 07:25:57 2009
type=SYSCALL msg=audit(1250598357.937:32): arch=40000003 syscall=90 success=no exit=-13 a0=bf9c5880 a1=0 a2=bf9c5880 a3=5a items=0 ppid=1848 pid=1850 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598357.937:32): avc: denied { mmap_zero } for pid=1850 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
----
time->Tue Aug 18 07:25:58 2009
type=SYSCALL msg=audit(1250598358.059:33): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1848 pid=1850 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="services.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598358.059:33): avc: denied { mmap_zero } for pid=1850 comm="services.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
----
time->Tue Aug 18 07:25:58 2009
type=SYSCALL msg=audit(1250598358.696:34): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1849 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="winemenubuilder" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598358.696:34): avc: denied { mmap_zero } for pid=1849 comm="winemenubuilder" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
----
time->Tue Aug 18 07:25:59 2009
type=SYSCALL msg=audit(1250598359.058:35): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1479 pid=1840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="Emu48.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598359.058:35): avc: denied { mmap_zero } for pid=1840 comm="Emu48.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
----
time->Tue Aug 18 07:26:03 2009
type=SYSCALL msg=audit(1250598363.514:36): arch=40000003 syscall=90 success=no exit=-13 a0=bfa73ab0 a1=0 a2=bfa73ab0 a3=5a items=0 ppid=1 pid=1861 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598363.514:36): avc: denied { mmap_zero } for pid=1861 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
----
time->Tue Aug 18 07:26:03 2009
type=SYSCALL msg=audit(1250598363.591:37): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1861 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="explorer.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1250598363.591:37): avc: denied { mmap_zero } for pid=1861 comm="explorer.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect

Regards,

Antonio

From misc.lists at blueyonder.co.uk  Tue Aug 18 13:41:15 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Tue, 18 Aug 2009 14:41:15 +0100
Subject: Logrotate on mounted partition
In-Reply-To: <20090818114811.GG2445@notebook3.grift.internal>
References: <1250333453.3396.20.camel@localhost> <1250586736.2771.8.camel@localhost> <20090818092142.GC2445@notebook3.grift.internal> <1250591947.2771.17.camel@localhost> <20090818104638.GF2445@notebook3.grift.internal> <1250594605.2771.22.camel@localhost> <20090818114811.GG2445@notebook3.grift.internal>
Message-ID: <1250602875.2771.30.camel@localhost>

On Tue, 2009-08-18 at 13:48 +0200, Dominick Grift wrote:
> On Tue, Aug 18, 2009 at 12:23:25PM +0100, Arthur Dent wrote:
> > On Tue, 2009-08-18 at 12:46 +0200, Dominick Grift wrote:
> > > On Tue, Aug 18, 2009 at 11:39:07AM +0100, Arthur Dent wrote:
> > > > On Tue, 2009-08-18 at 11:21 +0200, Dominick
> > > > Grift wrote:
> > > > > On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
> > > > > > On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
> > > > > > > > [snip]
> > > > > > > >
> > > > > > > >
> > > > > > Just to add to my own mail...
> > > > > >
> > > > > > I employed the above policy module, everything seemed OK so (as this
> > > > > > seemed to be the last of the problems since upgrading) I switched to
> > > > > > enforcing mode.
> > > > > >
> > > > > > Since doing so I have received no AVCs but I am finding these in my
> > > > > > maillog:
> > > > > >
> > > > > > procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
> > > > > > procmail: Error while writing to "/mnt/backup/mail/rawmail"
> > > > > >
> > > > > > Temporarily switching back with setenforce 0 stops them so it is selinux
> > > > > > related...
[snip]
> > > > > > But still no AVCs
> > > > > >
> > > > > > Any ideas?
> > > > > Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
> > > > > To reload policy with the silenced denials: semodule -B.
> > > > >
> > > > > Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)
> > > >
> > > > OK - since semodule -DB getting flooded with AVCs...
> > > >
> > > > Here are some that are related to this problem...
> > > >
> > > > cat /var/log/audit/audit.log | grep -i procmail
> > > > ....
> > > > type=AVC msg=audit(1250591203.244:43494): avc: denied { rlimitinh }
> > > > for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> > > > tcontext=system_u:system_r:procmail_t:s0 tclass=process
> > > > type=AVC msg=audit(1250591203.244:43494): avc: denied { siginh } for
> > > > pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> > > > tcontext=system_u:system_r:procmail_t:s0 tclass=process
> > > > type=AVC msg=audit(1250591203.244:43494): avc: denied { noatsecure }
> > > > for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
> > > > tcontext=system_u:system_r:procmail_t:s0 tclass=process
> > > > type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11
> > > > success=yes exit=0 a0=5d8098 a1=bf83277c a2=4ab960 a3=41904 items=0
> > > > ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
> > > > exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> > > > type=AVC msg=audit(1250591203.418:43495): avc: denied { search } for
> > > > pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921
> > > > scontext=system_u:system_r:procmail_t:s0
> > > > tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> > > > type=SYSCALL msg=audit(1250591203.418:43495): arch=40000003 syscall=196
> > > > success=no exit=-2 a0=9779280 a1=bf95f790 a2=77cff4 a3=97793f8 items=0
> > > > ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
> > > > exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
> > > >
> > > > This still with setenforce 0
> > > >
> > > > Any ideas?
> > > >
> > > > Thanks for your help!...
> > > >
> > > > Mark
> > > >
> > >
> > > The only AVC denial that is ( a little bit ) interesting is:
> > >
> > > avc: denied { search } for
> > > pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921
> > > scontext=system_u:system_r:procmail_t:s0
> > > tcontext=system_u:object_r:mnt_t:s0 tclass=dir
> > >
> > > Pipe this into audit2why to see if it has any suggestions. Although I doubt it is related to your issue.
> > >
> > > A quick way to rule out SELinux as the cause of your issue is to reproduce the issue in permissive mode.
> > >
> > > If access is (still) denied when you try to reproduce it in permissive mode, then it is not an SELinux issue.
> > >
> > > If it works in permissive mode, but not in enforcing mode, then it is an SELinux issue.
> > >
> >
> > Well all that audit2why suggests for that avc is:
> >
> > Was caused by:
> > Missing type enforcement (TE) allow rule.
> >
> > You can use audit2allow to generate a loadable module to allow this
> > access.
> >
> > On your other point, you will notice (further up in this mail) that this
> > problem is only in Enforcing mode. Switching to Permissive does indeed
> > stop the procmail errors.
> >
> > Still watching the avcs.... I'll keep you posted..
> >
> > Thanks
> >
> > Mark
> >
>
> Whoops, obviously you need to allow procmail_t to search mountpoints to make it work.
>
> echo "> > avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir" auditallow -M myprocmail; semodule -i myprocmail.pp
>
> This is a bug in policy.

Thank you Dominick, that's fixed it!

I had already created a policy module from that AVC just to see what it
would look like - but I hadn't implemented it. Now I have and it works
fine!

BTW, I thought your way of creating the module was very clever - I liked that..
but for the sake of the archives there are a couple of typos:

echo "> > avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir" auditallow -M
                                                                                                                                                                                           ^^^ ^^^
myprocmail; semodule -i myprocmail.pp

Should be:

echo "> > avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir" | audit2allow -M myprocmail; semodule -i myprocmail.pp

Thanks again

Your help is much appreciated!

Mark

From dwalsh at redhat.com  Tue Aug 18 17:17:09 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Aug 2009 13:17:09 -0400
Subject: setroubleshooter not filing bugs, is there another way
In-Reply-To: <54498.19868.qm@web52612.mail.re2.yahoo.com>
References: <54498.19868.qm@web52612.mail.re2.yahoo.com>
Message-ID: <4A8AE215.4010209@redhat.com>

On 08/18/2009 08:33 AM, Antonio Olivares wrote:
> Mohammed,
>
> Thank you very much for your advice. It also works and it gives all the denied avcs :)
>
>> You can try searching your audit by using this
>> command:
>>
>> ausearch -m avc
>>
>> for today's denial messages : ausearch -m avc -ts
>> today
>>
>>
>
> [root at localhost ~]# ausearch -m avc -ts today
> ----
> time->Tue Aug 18 07:25:56 2009
> type=SYSCALL msg=audit(1250598356.895:28): arch=40000003 syscall=90 success=no exit=-13 a0=bff8b0c0 a1=0 a2=bff8b0c0 a3=5a items=0 ppid=1479 pid=1840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1250598356.895:28): avc: denied { mmap_zero } for pid=1840 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> ----
> time->Tue Aug 18 07:25:57 2009
> type=SYSCALL msg=audit(1250598357.702:29): arch=40000003 syscall=90 success=no exit=-13 a0=bfe7d630 a1=0 a2=bfe7d630 a3=5a items=0 ppid=1 pid=1848 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1250598357.702:29): avc: denied { mmap_zero } for pid=1848 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> ----
> time->Tue Aug 18 07:25:57 2009
> type=SYSCALL msg=audit(1250598357.812:30): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1848 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wineboot.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1250598357.812:30): avc: denied { mmap_zero } for pid=1848 comm="wineboot.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> ----
> time->Tue Aug 18 07:25:57 2009
> type=SYSCALL msg=audit(1250598357.889:31): arch=40000003 syscall=90 success=no exit=-13 a0=bff8ad80 a1=0 a2=bff8ad80 a3=5a items=0 ppid=1848 pid=1849 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1250598357.889:31): avc: denied { mmap_zero } for pid=1849 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> ----
> time->Tue Aug 18 07:25:57 2009
> type=SYSCALL msg=audit(1250598357.937:32): arch=40000003 syscall=90 success=no exit=-13 a0=bf9c5880 a1=0 a2=bf9c5880 a3=5a items=0 ppid=1848 pid=1850 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1250598357.937:32): avc: denied { mmap_zero } for pid=1850 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> ----
> time->Tue Aug 18 07:25:58 2009
> type=SYSCALL msg=audit(1250598358.059:33): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1848 pid=1850 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="services.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1250598358.059:33): avc: denied { mmap_zero } for pid=1850 comm="services.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> ----
> time->Tue Aug 18 07:25:58 2009
> type=SYSCALL msg=audit(1250598358.696:34): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1849 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="winemenubuilder" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1250598358.696:34): avc: denied { mmap_zero } for pid=1849 comm="winemenubuilder" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> ----
> time->Tue Aug 18 07:25:59 2009
> type=SYSCALL msg=audit(1250598359.058:35): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1479 pid=1840 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="Emu48.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1250598359.058:35): avc: denied { mmap_zero } for pid=1840 comm="Emu48.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> ----
> time->Tue Aug 18 07:26:03 2009
> type=SYSCALL msg=audit(1250598363.514:36): arch=40000003 syscall=90 success=no exit=-13 a0=bfa73ab0 a1=0 a2=bfa73ab0 a3=5a items=0 ppid=1 pid=1861 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1250598363.514:36): avc: denied { mmap_zero } for pid=1861 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
> ----
> time->Tue Aug 18 07:26:03
2009 > type=SYSCALL msg=audit(1250598363.591:37): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=110000 a2=0 a3=32 items=0 ppid=1 pid=1861 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="explorer.exe" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 key=(null) > type=AVC msg=audit(1250598363.591:37): avc: denied { mmap_zero } for pid=1861 comm="explorer.exe" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect > > > Regards, > > Antonio > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list And if you run this output through audit2allow -w in rawhide, you will get the following. type=AVC msg=audit(1250598356.895:28): avc: denied { mmap_zero } for pid=1840 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect Was caused by: The boolean mmap_low_allowed was set incorrectly. Description: Allow certain domains to map low memory in the kernel Allow access by executing: # setsebool -P mmap_low_allowed 1 Sadly this is not what setroubleshoot told you. I will fix setroubleshoot to give this suggestion. From dwalsh at redhat.com Tue Aug 18 17:30:04 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 18 Aug 2009 13:30:04 -0400 Subject: racoon denials In-Reply-To: References: Message-ID: <4A8AE51C.7050605@redhat.com> On 08/17/2009 04:59 AM, Daniel Fazekas wrote: > selinux-policy-3.6.12-72.fc11.noarch > selinux-policy-targeted-3.6.12-72.fc11.noarch > ipsec-tools-0.7.2-1.fc11.x86_64 > > I'm getting a handful of racoon denials with what I believe is a pretty > common setup ? is there anything I could be doing differently? 
>
> allow racoon_t shadow_t:file { read getattr open };
>
> This is needed for racoon to do XAuth logins with the default
> auth_source of system. Unfortunately that's the only option available
> with racoon as supplied in Fedora 11, as support for pam/ldap/radius
> isn't built in.
>
>
> The rest is all caused by my having a phase1_up/down script in
> /etc/racoon/scripts (the directory and the script are both
> system_u:object_r:bin_t:s0).
>
> allow racoon_t setkey_exec_t:file { read execute open execute_no_trans };
> allow racoon_t fs_t:filesystem getattr;
> allow racoon_t tmp_t:dir { write remove_name getattr search add_name };
> allow racoon_t tmp_t:file { write getattr read create unlink open };
>
> Calling /sbin/setkey to add and remove SPDs is the primary reason to
> have an up/down script.
> The fs_t and tmp_t accesses are less clear why they are necessary. It's
> a /bin/sh script which isn't doing anything other than calling
> /sbin/setkey.
>
> type=AVC msg=audit(1250495868.674:27320): avc: denied { getattr } for
> pid=5436 comm="l2tp_up_down" path="/tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27321): avc: denied { write } for
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27322): avc: denied { getattr } for
> pid=5436 comm="l2tp_up_down" name="/" dev=dm-0 ino=2
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> type=AVC msg=audit(1250495868.674:27323): avc: denied { search } for
> pid=5436 comm="l2tp_up_down" name="tmp" dev=dm-0 ino=26
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc: denied { add_name }
> for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.674:27323): avc: denied { create } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043"
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.674:27323): avc: denied { write open }
> for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.675:27324): avc: denied { getattr } for
> pid=5436 comm="l2tp_up_down" path="/tmp/sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27325): avc: denied { read } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27326): avc: denied { remove_name }
> for pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0
> ino=218 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(1250495868.676:27326): avc: denied { unlink } for
> pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc: denied { execute } for
> pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc: denied { read open }
> for pid=5436 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250495868.676:27327): avc: denied {
> execute_no_trans } for pid=5436 comm="l2tp_up_down" path="/sbin/setkey"
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc: denied { execute } for
> pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc: denied { read open }
> for pid=5533 comm="l2tp_up_down" name="setkey" dev=dm-0 ino=10974
> scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.280:27354): avc: denied {
> execute_no_trans } for pid=5533 comm="l2tp_up_down" path="/sbin/setkey"
> dev=dm-0 ino=10974 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:setkey_exec_t:s0 tclass=file
> type=AVC msg=audit(1250496231.293:27359): avc: denied { read } for
> pid=5533 comm="setkey"
> path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429
> dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=file
>
>

I can add a tunable to allow racoon to read shadow, although I would like to see it use pam if a port is available.

I will also add the ability to transition from racoon to setkey_t, but I would prefer if you put your temporary files in /var/racoon or /var/run/pluto or /var/run/racoon.

System Services should NEVER use /tmp for creation of interaction with files.
Users live there and users is evil :^)

From dwalsh at redhat.com Tue Aug 18 17:34:53 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Aug 2009 13:34:53 -0400
Subject: xguest: firefox - execmem
In-Reply-To: <4A8A8847.2030805@gmail.com>
References: <4A8A64C2.2080806@gmail.com> <20090818091150.GA2445@notebook3.grift.internal> <4A8A7A50.7050101@gmail.com> <20090818102349.GD2445@notebook3.grift.internal> <4A8A8847.2030805@gmail.com>
Message-ID: <4A8AE63D.1030103@redhat.com>

On 08/18/2009 06:53 AM, Christoph A. wrote:
> On 18.08.2009 12:23, Dominick Grift wrote:
>>> Does this imply that it has something to do with firefox rather than a
>>> specific plugin, or are all plugins loaded at startup?
>>
>> Good question. I think it implies it has something to do with firefox.
>> i guess you will have to allow it.
>
> Ok, I filed a bug report.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=517998
>
> thanks,
> Christoph

It is a known problem in rawhide. xulrunner is requiring execmem. So for the time being you will need to add a policy to allow execmem to xguest.
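The `ausearch -m avc` listing and the `audit2allow -w` explanation earlier in this thread are the raw material for triaging denials, and audit2allow only shows the allow rule or boolean, not the pattern behind a pile of records. As an added example (not code from this thread, nor from the setroubleshoot or audit2allow projects), here is a small Python parser for records in that shape. It decodes the hex-encoded `path=` field that auditd emits when a path contains a space (the racoon `setkey` denial above is one), collapses denials into (source type, target type, class) -> permissions, which is the shape of an allow rule, flags the one boolean-controlled case the thread documents (`mmap_zero` on `memprotect` -> `mmap_low_allowed`), and lists which `system_r` domains were denied on `tmp_t`, the pattern Dan Walsh objects to. The sample records are constructed from the wine, racoon and procmail denials quoted in the thread; `parse_avc`, `summarize`, `BOOLEAN_HINTS` and the other names are mine.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape `ausearch -m avc` printed on the
# Fedora 11 / rawhide systems in this thread (values modelled on the quoted
# wine, racoon and procmail denials).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1250598356.895:28): arch=40000003 syscall=90 success=no exit=-13 pid=1840 comm="wine-preloader" exe="/usr/bin/wine-preloader" key=(null)
type=AVC msg=audit(1250598356.895:28): avc:  denied  { mmap_zero } for  pid=1840 comm="wine-preloader" scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tclass=memprotect
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { add_name } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1250495868.674:27323): avc:  denied  { write open } for  pid=5436 comm="l2tp_up_down" name="sh-thd-1250518043" dev=dm-0 ino=218 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250496231.293:27359): avc:  denied  { read } for  pid=5533 comm="setkey" path=2F746D702F73682D7468642D31323530353139323239202864656C6574656429 dev=dm-0 ino=30914 scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1250591203.418:43495): avc:  denied  { search } for  pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields auditd hex-encodes (unquoted) when the value holds a space or quote.
HEX_FIELDS = {"path", "name", "comm", "exe", "proctitle"}


def decode_field(key, value):
    """Quoted values are returned bare; hex-encoded string fields are decoded."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return a dict for a type=AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: decode_field(k, v) for k, v in KV_RE.findall(m.group("rest"))}
    sctx = fields["scontext"].split(":")   # user:role:type:range
    tctx = fields["tcontext"].split(":")
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "object": fields.get("path") or fields.get("name") or "",
        "srole": sctx[1], "stype": sctx[2], "ttype": tctx[2],
        "tclass": fields["tclass"],
    }


def parse_audit(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """(source type, target type, class) -> sorted union of denied permissions."""
    table = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            table[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return {k: sorted(v) for k, v in table.items()}


# The one boolean-controlled case this thread shows: audit2allow -w mapped the
# wine mmap_zero/memprotect denial to the mmap_low_allowed boolean.
BOOLEAN_HINTS = {("memprotect", "mmap_zero"): "mmap_low_allowed"}


def explain(record):
    """Name of a boolean known to govern this denial, or None."""
    for perm in record["perms"]:
        hint = BOOLEAN_HINTS.get((record["tclass"], perm))
        if hint:
            return hint
    return None


def system_domains_in_tmp(records):
    """Commands in the system_r role that were denied on tmp_t objects."""
    return {r["comm"] for r in records
            if r["srole"] == "system_r" and r["ttype"] == "tmp_t"}


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for (stype, ttype, tclass), perms in sorted(summarize(recs).items()):
        print("%s -> %s:%s { %s }" % (stype, ttype, tclass, " ".join(perms)))
    for r in recs:
        if explain(r):
            print("serial %d: check boolean %s" % (r["serial"], explain(r)))
    print("system services touching /tmp:", sorted(system_domains_in_tmp(recs)))
```

On a live box, feed it `ausearch -m avc -ts today --raw` output instead of the constructed sample; the grouping is what you would compare against `sesearch` before deciding whether a denial is a labelling problem, a boolean, or a genuine policy gap.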
From dwalsh at redhat.com Tue Aug 18 17:40:08 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Aug 2009 13:40:08 -0400
Subject: Logrotate on mounted partition
In-Reply-To: <1250602875.2771.30.camel@localhost>
References: <1250333453.3396.20.camel@localhost> <1250586736.2771.8.camel@localhost> <20090818092142.GC2445@notebook3.grift.internal> <1250591947.2771.17.camel@localhost> <20090818104638.GF2445@notebook3.grift.internal> <1250594605.2771.22.camel@localhost> <20090818114811.GG2445@notebook3.grift.internal> <1250602875.2771.30.camel@localhost>
Message-ID: <4A8AE778.3020905@redhat.com>

On 08/18/2009 09:41 AM, Arthur Dent wrote:
> On Tue, 2009-08-18 at 13:48 +0200, Dominick Grift wrote:
>> On Tue, Aug 18, 2009 at 12:23:25PM +0100, Arthur Dent wrote:
>>> On Tue, 2009-08-18 at 12:46 +0200, Dominick Grift wrote:
>>>> On Tue, Aug 18, 2009 at 11:39:07AM +0100, Arthur Dent wrote:
>>>>> On Tue, 2009-08-18 at 11:21 +0200, Dominick Grift wrote:
>>>>>> On Tue, Aug 18, 2009 at 10:12:16AM +0100, Arthur Dent wrote:
>>>>>>> On Sat, 2009-08-15 at 11:50 +0100, Arthur Dent wrote:
>>>>>
>>>>> [snip]
>>>>>
>>>>>>>
>>>>>>> Just to add to my own mail...
>>>>>>>
>>>>>>> I employed the above policy module, everything seemed OK so (as this
>>>>>>> seemed to be the last of the problems since upgrading) I switched to
>>>>>>> enforcing mode.
>>>>>>>
>>>>>>> Since doing so I have received no AVCs but I am finding these in my
>>>>>>> maillog:
>>>>>>>
>>>>>>> procmail: Lock failure on "/mnt/backup/mail/rawmail.lock"
>>>>>>> procmail: Error while writing to "/mnt/backup/mail/rawmail"
>>>>>>>
>>>>>>> Temporarily switching back with setenforce 0 stops them so it is selinux
>>>>>>> related...
> [snip]
>>>>>>> But still no AVCs
>>>>>>>
>>>>>>> Any ideas?
>>>>>> Try semodule -DB to unload any silent denials. Remember that the denials shown after you do this are meant to be silenced.
>>>>>> To reload policy with the silenced denials: semodule -B.
>>>>>>
>>>>>> Also keep an eye on /var/log/messages since the DBUS user space object manager logs some denials there (if DBUS is at all involved)
>>>>>
>>>>> OK - since semodule -DB getting flooded with AVCs...
>>>>>
>>>>> Here are some that are related to this problem...
>>>>>
>>>>> cat /var/log/audit/audit.log | grep -i procmail
>>>>> ....
>>>>> type=AVC msg=audit(1250591203.244:43494): avc: denied { rlimitinh }
>>>>> for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
>>>>> tcontext=system_u:system_r:procmail_t:s0 tclass=process
>>>>> type=AVC msg=audit(1250591203.244:43494): avc: denied { siginh } for
>>>>> pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
>>>>> tcontext=system_u:system_r:procmail_t:s0 tclass=process
>>>>> type=AVC msg=audit(1250591203.244:43494): avc: denied { noatsecure }
>>>>> for pid=14767 comm="procmail" scontext=system_u:system_r:sendmail_t:s0
>>>>> tcontext=system_u:system_r:procmail_t:s0 tclass=process
>>>>> type=SYSCALL msg=audit(1250591203.244:43494): arch=40000003 syscall=11
>>>>> success=yes exit=0 a0=5d8098 a1=bf83277c a2=4ab960 a3=41904 items=0
>>>>> ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
>>>>> exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
>>>>> type=AVC msg=audit(1250591203.418:43495): avc: denied { search } for
>>>>> pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921
>>>>> scontext=system_u:system_r:procmail_t:s0
>>>>> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
>>>>> type=SYSCALL msg=audit(1250591203.418:43495): arch=40000003 syscall=196
>>>>> success=no exit=-2 a0=9779280 a1=bf95f790 a2=77cff4 a3=97793f8 items=0
>>>>> ppid=14766 pid=14767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail"
>>>>> exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
>>>>>
>>>>> This still with setenforce 0
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Thanks for your help!...
>>>>>
>>>>> Mark
>>>>>
>>>>
>>>> The only AVC denial that is ( a little bit ) interesting is:
>>>>
>>>> avc: denied { search } for
>>>> pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921
>>>> scontext=system_u:system_r:procmail_t:s0
>>>> tcontext=system_u:object_r:mnt_t:s0 tclass=dir
>>>>
>>>> Pipe this into audit2why to see if it has any suggestions. Although i doubt it is related to your issue.
>>>>
>>>> A quick way to rule out SELinux as the cause of your issue is to reproduce the issue in permissive mode.
>>>>
>>>> If access is (still) denied when you try to reproduce it in permissive mode, then it is not an SELinux issue.
>>>>
>>>> If it works in permissive mode, but not in enforcing mode, then it is a SELinux issue.
>>>>
>>>
>>> Well all that audit2why suggests for that avc is:
>>>
>>> Was caused by:
>>> Missing type enforcement (TE) allow rule.
>>>
>>> You can use audit2allow to generate a loadable module to allow this
>>> access.
>>>
>>> On your other point, you will notice (further up in this mail) that this
>>> problem is only in Enforcing mode. Switching to Permissive does indeed
>>> stop the procmail errors.
>>>
>>> Still watching the avcs.... I'll keep you posted..
>>>
>>> Thanks
>>>
>>> Mark
>>>
>>
>> Whoops obviously you need to allow procmail_t to search mountpoints to make it work.
>>
>> echo "> > avc: denied { search } for pid=14767 comm="procmail" name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir" auditallow -M myprocmail; semodule -i myprocmail.pp
>>
>> this is a bug in policy
>
> Thank you Dominick, that's fixed it!
>
> I had already created a policy module from that AVC just to see what it
> would look like - but I hadn't implemented it. Now I have and it works
> fine!
>
> BTW, I thought your way of creating the module was very clever - I liked
> that..
> but for the sake of the archives there are a couple of typos:
>
> echo "> > avc: denied { search } for pid=14767 comm="procmail"
> name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir" auditallow -M
>                                                ^^^ ^^^
> myprocmail; semodule -i myprocmail.pp
>
> Should be:
> echo "> > avc: denied { search } for pid=14767 comm="procmail"
> name="mnt" dev=sda5 ino=943921 scontext=system_u:system_r:procmail_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=dir" | audit2allow -M
> myprocmail; semodule -i myprocmail.pp
>
> Thanks again
>
> Your help is much appreciated!
>
> Mark

I will change rawhide to allow all domains to search mnt_t, since this is a logical place for people to mount directories that a confined application might need access to. Similarly I will allow all domains to search default_t, which is the default name for a directory created in /

From dwalsh at redhat.com Tue Aug 18 17:43:15 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Aug 2009 13:43:15 -0400
Subject: racoon denials
In-Reply-To: <0415205B-3634-4D9B-A49C-8C1F54D5258B@t-online.hu>
References: <20090817141034.GA5935@notebook3.grift.internal> <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu> <20090817160919.GC5935@notebook3.grift.internal> <95BF9113-03C5-44BF-AA1C-73BFD6AA269F@t-online.hu> <20090818091750.GB2445@notebook3.grift.internal> <0415205B-3634-4D9B-A49C-8C1F54D5258B@t-online.hu>
Message-ID: <4A8AE833.4040606@redhat.com>

On 08/18/2009 05:36 AM, Daniel Fazekas wrote:
> On Aug 18, 2009, at 11:17, Dominick Grift wrote:
>
>> try this rule instead of the domtrans_pattern():
>> can_exec(racoon_t, setkey_exec_t)
>
> Thanks, that did the trick.
> Everything seems to be fine now with enforcing turned fully back on.
>
> Here's for reference the myracoon.te we ended up with, in case it helps
> somebody else too:
>
> policy_module(myracoon, 0.0.4)
> require { type racoon_t, setkey_exec_t; }
>
> auth_read_shadow(racoon_t)
>
> can_exec(racoon_t, setkey_exec_t)
>
> fs_dontaudit_getattr_xattr_fs(racoon_t)
>
> type racoon_tmp_t;
> files_tmp_file(racoon_tmp_t)
> manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
> manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
> files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
>

Ok better than the domtrans, although most of what you showed before were probably leaked file descriptors. I would really prefer not to use /tmp.

From fdsubs at t-online.hu Tue Aug 18 17:53:02 2009
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Tue, 18 Aug 2009 19:53:02 +0200
Subject: racoon denials
In-Reply-To: <4A8AE833.4040606@redhat.com>
References: <20090817141034.GA5935@notebook3.grift.internal> <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu> <20090817160919.GC5935@notebook3.grift.internal> <95BF9113-03C5-44BF-AA1C-73BFD6AA269F@t-online.hu> <20090818091750.GB2445@notebook3.grift.internal> <0415205B-3634-4D9B-A49C-8C1F54D5258B@t-online.hu> <4A8AE833.4040606@redhat.com>

On Aug 18, 2009, at 19:43, Daniel J Walsh wrote:
>> type racoon_tmp_t;
>> files_tmp_file(racoon_tmp_t)
>> manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>> manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>> files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
> Ok better than the domtrans, although most of what you showed before
> were probably leaked file descriptors.
> I would really prefer not to use /tmp.

I still think - though haven't actually tested it -
that all those tmp file accesses are caused by bash's here-doc syntax to provide input for setkey.
(The temp files are all named sh-thd-#UNIX_TIMESTAMP#)

Just like the example script in ipsec-tools, /etc/racoon/scripts/p1_up_down does it:

setkey -c << EOT
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
EOT

The only other alternative seems to be to put the rules into a dynamically created temp file, which I could then place anywhere, then use setkey -f to load it from there.
"setkey takes a series of operations from standard input (if invoked with -c) or the file named filename (if invoked with -f filename)."

From dwalsh at redhat.com Tue Aug 18 21:15:35 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Aug 2009 17:15:35 -0400
Subject: [OT] tmpfs - was : AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au> <4A8557A2.403@redhat.com> <1250254247.7390.10.camel@localhost> <4A856670.9090102@redhat.com>
Message-ID: <4A8B19F7.9050305@redhat.com>

On 08/15/2009 07:50 PM, Shintaro Fujiwara wrote:
> Hello.
>
>> I am on a personal crusade to stop all system services (processes running as UID=0) from using /tmp. /var/tmp
>
> I'm interested in this topic but I don't know how to find processes
> running as UID=0 using /tmp or /var/tmp.
>
> Thanks in advance.
>
>

There is no good way other than grep. But any time I see a domain asking for tmp_t in SELinux I always suggest to the developers to use /var/run instead.
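Shintaro Fujiwara's question above, how to find UID=0 processes that are using /tmp or /var/tmp, has a more direct answer on Linux than grep: walk /proc and resolve each process's open descriptors. The following is an added example, not code from this thread or from any Fedora package; `tmp_targets`, `scan_proc` and the descriptor list used in the test are mine. It deliberately keeps the ` (deleted)` suffix that readlink reports for an unlinked file, because a bash here-document temp file (the `sh-thd-*` names in the racoon denials) is exactly that while the child is still reading it. It assumes /proc/<pid> is owned by the process's user (root for non-dumpable processes), so `st_uid` is a cheap first filter; reading another process's fd table needs root.

```python
import os

TMP_DIRS = ("/tmp", "/var/tmp")
DELETED = " (deleted)"


def strip_deleted(target):
    """readlink on /proc/<pid>/fd/N appends ' (deleted)' once the file is unlinked."""
    return target[:-len(DELETED)] if target.endswith(DELETED) else target


def under_tmp(path, tmp_dirs=TMP_DIRS):
    """True for the temp dir itself or anything below it; /tmpfoo does not count."""
    return any(path == d or path.startswith(d + "/") for d in tmp_dirs)


def tmp_targets(targets, tmp_dirs=TMP_DIRS):
    """Filter a process's open-file targets down to those inside a temp dir.
    Non-file descriptors (socket:[...], pipe:[...], anon_inode:...) never match."""
    return [t for t in targets if under_tmp(strip_deleted(t), tmp_dirs)]


def scan_proc(proc="/proc", uid=0, tmp_dirs=TMP_DIRS):
    """Map pid -> (comm, offending targets) for processes owned by `uid`.
    A process's cwd under a temp dir is reported too, prefixed 'cwd='."""
    findings = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            if os.stat(base).st_uid != uid:
                continue
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            fd_dir = os.path.join(base, "fd")
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            cwd = os.readlink(os.path.join(base, "cwd"))
        except OSError:
            continue  # process exited mid-scan, or we lack permission to look
        hits = tmp_targets(targets, tmp_dirs)
        if under_tmp(strip_deleted(cwd), tmp_dirs):
            hits.append("cwd=" + cwd)
        if hits:
            findings[int(entry)] = (comm, hits)
    return findings


if __name__ == "__main__":
    for pid, (comm, hits) in sorted(scan_proc().items()):
        print("%6d %-16s %s" % (pid, comm, ", ".join(hits)))
```

This catches a service only while it holds the descriptor open, so run it under load or from cron; the permanent answer is the one the thread arrives at, pointing the service (or its helper script, via `TMPDIR`) at its own directory under /var/run or /var.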
From dwalsh at redhat.com Tue Aug 18 21:22:17 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Aug 2009 17:22:17 -0400
Subject: SELinux - back to basics
Message-ID: <4A8B1B89.4040802@redhat.com>

On 08/16/2009 10:42 PM, adrian golding wrote:
> dear all, can you please point me to the right place:
> with reference to: http://danwalsh.livejournal.com/10131.html
>
> i am interested in how dan knows what an attacker can make use of the samba
> vulnerability to do by default, and what the attacker cannot do. More
> generally speaking, how do we look at a service or application in a SELinux
> system, and finding out what the attacker can do and cannot do in the case
> of the service being exploited?
>
> in that page, he looked at some of the relevant booleans and i guess
> "samba_enable_home_dirs ---> off" prevents the attacker to read/manipulate
> the user's home directories. But what about the rest? What other things can
> an end user (who is not very experienced in SELinux) examine to know what
> the attacker can / cannot do?
>
> thank you

One simple answer is I can look at the policy source code.

Secondly you can use the sesearch command

sesearch --allow -s smbd_t

Shows me all the rules of what smbd_t is allowed to do.

If I want to do more complex analyses of the policy I can use a tool like apol.

From shintaro.fujiwara at gmail.com Tue Aug 18 21:22:19 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Wed, 19 Aug 2009 06:22:19 +0900
Subject: [OT] tmpfs - was : AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <4A8B19F7.9050305@redhat.com>
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au> <4A8557A2.403@redhat.com> <1250254247.7390.10.camel@localhost> <4A856670.9090102@redhat.com> <4A8B19F7.9050305@redhat.com>

Thanks.
I understand.
Please persuade programmers not to use /tmp so easily.
I will follow your instructions.

2009/8/19 Daniel J Walsh :
> On 08/15/2009 07:50 PM, Shintaro Fujiwara wrote:
>> Hello.
>>
>>> I am on a personal crusade to stop all system services (processes running as UID=0) from using /tmp. /var/tmp
>>
>> I'm interested in this topic but I don't know how to find processes
>> running as UID=0 using /tmp or /var/tmp.
>>
>> Thanks in advance.
>>
>>
>
> There is no good way other than grep. But any time I see a domain asking for tmp_t in SELinux I always suggest to the developers to use /var/run instead.
>

--
http://intrajp.no-ip.com/ Home Page

From dwalsh at redhat.com Tue Aug 18 21:49:06 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Aug 2009 17:49:06 -0400
Subject: SELinux - back to basics
Message-ID: <4A8B21D2.6080304@redhat.com>

On 08/17/2009 01:05 AM, adrian golding wrote:
> To refine my questions in the earlier email:
> 1) many of the things the attacker can do if he exploits the Samba
> vulnerability can be found in the source policy. but there are also so many
> other rules in the policy (hundreds?), my question is how do I know if the
> other rules matter much? there are >300 rules related to smbd_t, and it
> just *seems* a lot can go wrong with the system.
>
Yes you got to ask the questions. You can ask a question in APOL about whether the smbd_t can read a file.

A simple query
sesearch --allow -s smbd_t -t user_home_t -c file -p read

asks whether smbd_t can read files labeled user_home_t directly. You can use apol to look for transition rules that might allow it.
SELinux is all about types so you need to use commands like

semanage port -l

To list the types that ports are assigned to or /etc/selinux/targeted/context/files/files.context to see what types are assigned to files, by default.

> 2) how do we verify the part about what the attackers cannot do? does it
> mean, if i cannot find a rule that links smbd_t with user_home_t with the
> 'read' permission, the attacker cannot read/manipulate user home
> directories? Or it is not as trivial?
Anything that is not allowed is denied. See above.
>
> 3) i am assuming ports 137-139 and 445 are labelled smbd_port_t, but where
> can i find this assignment in the policy? i am currently using apol.
>
semanage port -l
> thank you
>
>
> On Mon, Aug 17, 2009 at 10:42 AM, adrian golding wrote:
>
>> dear all, can you please point me to the right place:
>> with reference to: http://danwalsh.livejournal.com/10131.html
>>
>> i am interested in how dan knows what an attacker can make use of the samba
>> vulnerability to do by default, and what the attacker cannot do. More
>> generally speaking, how do we look at a service or application in a SELinux
>> system, and finding out what the attacker can do and cannot do in the case
>> of the service being exploited?
>>
>> in that page, he looked at some of the relevant booleans and i guess
>> "samba_enable_home_dirs ---> off" prevents the attacker to read/manipulate
>> the user's home directories. But what about the rest? What other things can
>> an end user (who is not very experienced in SELinux) examine to know what
>> the attacker can / cannot do?
>>
>> thank you
>>
>>
>>

From dwalsh at redhat.com Tue Aug 18 21:51:08 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 18 Aug 2009 17:51:08 -0400
Subject: SELinux - back to basics
In-Reply-To: <20090817123312.GA5446@notebook3.grift.internal>
References: <1250512082.3629.108.camel@moss-pluto.epoch.ncsc.mil> <20090817123312.GA5446@notebook3.grift.internal>
Message-ID: <4A8B224C.2090503@redhat.com>

On 08/17/2009 08:33 AM, Dominick Grift wrote:
> On Mon, Aug 17, 2009 at 12:28:02PM +0000, Stephen Smalley wrote:
>> On Mon, 2009-08-17 at 10:42 +0800, adrian golding wrote:
>>> dear all, can you please point me to the right place:
>>>
>>> with reference to: http://danwalsh.livejournal.com/10131.html
>>>
>>>
>>> i am interested in how dan knows what an attacker can make use of the
>>> samba vulnerability to do by default, and what the attacker cannot
>>> do. More generally speaking, how do we look at a service or
>>> application in a SELinux system, and finding out what the attacker can
>>> do and cannot do in the case of the service being exploited?
>>>
>>>
>>> in that page, he looked at some of the relevant booleans and i guess
>>> "samba_enable_home_dirs ---> off" prevents the attacker to
>>> read/manipulate the user's home directories. But what about the rest?
>>> What other things can an end user (who is not very experienced in
>>> SELinux) examine to know what the attacker can / cannot do?
>>
>> sesearch can be a very useful tool for interrogating the policy to see
>> what a given domain can access, and the information flow and domain
>> transition analysis capabilities of apol are likewise quite useful.
>
> With regard to sesearch it is good to know that it displays all rules, also the rules that may be disabled by boolean.
> So with that in mind sesearch can be a bit misleading.
>
> if you encounter a situation where access is denied, but where sesearch returns a rule that would have allowed the access, then pipe the avc denial into audit2why.
>
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>

If you use the -C option it will show you the boolean. Of course it will not tell you if it is enabled or not.

From adriangolding at gmail.com Wed Aug 19 06:28:13 2009
From: adriangolding at gmail.com (adrian golding)
Date: Wed, 19 Aug 2009 14:28:13 +0800
Subject: SELinux - back to basics
In-Reply-To: <4A8B21D2.6080304@redhat.com>
References: <4A8B21D2.6080304@redhat.com>

dear all, thank you for the comments/tips. The reason for asking these questions is that although i think SELinux is good in many ways, eg, it allows the implementation of RBAC and MAC and such, and yes indeed, we can use tools like APOL's domain analysis to find out if one domain can 'reach' another domain, but the right questions have to be asked.

Maybe this is too far fetched, but if a paranoid administrator wants to fully know what is at risk before deploying the system, would it be a good practice to generate some domain reachability tree for each of the services that is facing the Internet / network? Or another way for this paranoid administrator is to use a strict policy (instead of targeted) and manually every rule, which is only manageable if the machine is having a very specific function like a firewall or file server?

thank you..
On Wed, Aug 19, 2009 at 5:49 AM, Daniel J Walsh wrote: > On 08/17/2009 01:05 AM, adrian golding wrote: > > To refine my questions in the earlier email: > > 1) many of the things the attacker can do if he exploits the Samba > > vulnerability can be found in the source policy. but there are also so > many > > other rules in the policy (hundreds?), my question is how do I know if > the > > other rules matter much? there are >300 rules related to smbd_t, and it > > just *seems* a lot can go wrong with the system. > > > Yes you got to ask the questions. You can ask a question in APOL about > whether the smbd_t can read a file. > > A simple query > sesearch --allow -s smbd_t -t user_home_t -c file -p read > > asks whether smbd_t can read files labeled user_home_t directly. You can > use apol to look for transition rules that might allow it. > > SELinux is all about types so you need to user commands like > > semanage port -l > > To list the types that ports are assigned to or > /etc/selinux/targeted/context/files/files.context to see what types are > assigned to files, by default. > > > 2) how do we verify the part about what the attackers cannot do? does it > > mean, if i cannot find a rule that links smbd_t with user_home_t with the > > 'read' permission, the attacker cannot read/manipulate user home > > directories? Or it is not as trivial? > Anything that is not allowed is denied. See above. > > > > 3) i am assuming ports 137-139 and 445 are labelled smbd_port_t, but > where > > can i find this assignment in the policy? i am currently using apol. > > > semanage port -l > > > thank you > > > > > > On Mon, Aug 17, 2009 at 10:42 AM, adrian golding < > adriangolding at gmail.com>wrote: > > > >> dear all, can you please point me to the right place: > >> with reference to: http://danwalsh.livejournal.com/10131.html > >> > >> i am interested in how dan knows what an attacker can make use of the > samba > >> vulnerability to do by default, and what the attacker cannot do. 
>>> More generally speaking, how do we look at a service or application in a SELinux system, and finding out what the attacker can do and cannot do in the case of the service being exploited?
>>>
>>> in that page, he looked at some of the relevant booleans and I guess "samba_enable_home_dirs ---> off" prevents the attacker from reading/manipulating the user's home directories. But what about the rest? What other things can an end user (who is not very experienced in SELinux) examine to know what the attacker can / cannot do?
>>>
>>> thank you

From fdsubs at t-online.hu Wed Aug 19 11:01:20 2009
From: fdsubs at t-online.hu (Daniel Fazekas)
Date: Wed, 19 Aug 2009 13:01:20 +0200
Subject: racoon denials
In-Reply-To: <4A8AE51C.7050605@redhat.com>
References: <4A8AE51C.7050605@redhat.com>
Message-ID:

On Aug 18, 2009, at 19:30, Daniel J Walsh wrote:
> I can add a tunable to allow racoon to read shadow, although I would like to see it use pam if a port is available.

I too would prefer PAM, unfortunately Fedora 11's copy of racoon is built without --with-libpam.
There is already a BZ about it from November 2008: https://bugzilla.redhat.com/show_bug.cgi?id=470793

> I will also add the ability to transition from racoon to setkey_t, but I would prefer if you put your temporary files in /var/racoon or /var/run/pluto or /var/run/racoon.
> System Services should NEVER use /tmp for creation of interaction with files. Users live there and users is evil :^)

Turns out that was simple enough.
I just added
TMPDIR="/var/racoon"
to the start of the bash shell script, and now bash doesn't try putting its stuff into /tmp.
What's even better is that this already seems to be allowed by the current policy.

So the whole extra myracoon module could be simplified as:

---------
policy_module(myracoon, 0.0.5)
require { type racoon_t, setkey_exec_t; }

auth_read_shadow(racoon_t)
can_exec(racoon_t, setkey_exec_t)
fs_dontaudit_getattr_xattr_fs(racoon_t)
---------

Are these reasonable to add to the official policy one day?

From tmraz at redhat.com Wed Aug 19 14:17:46 2009
From: tmraz at redhat.com (Tomas Mraz)
Date: Wed, 19 Aug 2009 16:17:46 +0200
Subject: racoon denials
In-Reply-To:
References: <4A8AE51C.7050605@redhat.com>
Message-ID: <1250691466.10382.220.camel@vespa.frost.loc>

On Wed, 2009-08-19 at 13:01 +0200, Daniel Fazekas wrote:
> On Aug 18, 2009, at 19:30, Daniel J Walsh wrote:
>
>> I can add a tunable to allow racoon to read shadow, although I would like to see it use pam if a port is available.
>
> I too would prefer PAM, unfortunately Fedora 11's copy of racoon is built without --with-libpam.
> There is already a BZ about it from November 2008: https://bugzilla.redhat.com/show_bug.cgi?id=470793
>
>> I will also add the ability to transition from racoon to setkey_t, but I would prefer if you put your temporary files in /var/racoon or /var/run/pluto or /var/run/racoon.
>> System Services should NEVER use /tmp for creation of interaction with files. Users live there and users is evil :^)
>
> Turns out that was simple enough.
>
> I just added
> TMPDIR="/var/racoon"
> to the start of the bash shell script, and now bash doesn't try putting its stuff into /tmp.
> What's even better is that this already seems to be allowed by the current policy.

I've added the TMPDIR setting to the ipsec-tools-0.7.3-2.fc12 package - you can get it from koji or from rawhide mirrors later.
> So the whole extra myracoon module could be simplified as:
>
> ---------
> policy_module(myracoon, 0.0.5)
> require { type racoon_t, setkey_exec_t; }
>
> auth_read_shadow(racoon_t)
> can_exec(racoon_t, setkey_exec_t)
> fs_dontaudit_getattr_xattr_fs(racoon_t)
> ---------
>
> Are these reasonable to add to the official policy one day?

I've also added --with-libpam to the build and added some initial racoon PAM configuration. Can you please test xauth against pam instead of shadow? I still suppose some selinux-policy adjustments will be necessary.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

From txtoth at gmail.com Wed Aug 19 18:41:59 2009
From: txtoth at gmail.com (Xavier Toth)
Date: Wed, 19 Aug 2009 13:41:59 -0500
Subject: mlscontrain violation on dir create
Message-ID:

A process of type siterep_jcdx_nautilus_helper_t running at SystemHigh is trying to create a directory at SystemLow and getting the following mlsconstraint violation:

node=jcdx type=AVC msg=audit(1250704307.148:1143): avc: denied { create } for pid=4208 comm="processdirs" name="test7" scontext=siterep_u:siterep_r:siterep_jcdx_nautilus_helper_t:s15:c0.c1023 tcontext=system_u:object_r:jcdx_ml_var_t:s0 tclass=dir

The siterep_jcdx_nautilus_helper_t policy uses the following macros:

manage_dirs_pattern($1_jcdx_nautilus_helper_t,jcdx_ml_var_t,jcdx_ml_var_t)

ifdef(`enable_mls',`
mls_file_read_all_levels($1_jcdx_nautilus_helper_t)
mls_file_write_all_levels($1_jcdx_nautilus_helper_t)
mls_file_downgrade($1_jcdx_nautilus_helper_t)
mls_file_upgrade($1_jcdx_nautilus_helper_t)
')

I've looked at the policy mlsconstraints but I'm not understanding which one is being violated, any ideas?
Ted

From dwalsh at redhat.com Wed Aug 19 19:51:44 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 19 Aug 2009 15:51:44 -0400
Subject: SELinux - back to basics
In-Reply-To:
References: <4A8B21D2.6080304@redhat.com>
Message-ID: <4A8C57D0.7020101@redhat.com>

On 08/19/2009 02:28 AM, adrian golding wrote:
> dear all, thank you for the comments/tips.
> The reason for asking these questions is that although I think SELinux is good in many ways, e.g. it allows the implementation of RBAC and MAC and such, and yes indeed, we can use tools like APOL's domain analysis to find out if one domain can 'reach' another domain, but the right questions have to be asked. Maybe this is too far-fetched, but if a paranoid administrator wants to fully know what is at risk before deploying the system, would it be a good practice to generate some domain reachability tree for each of the services that is facing the Internet / network?
>
> Or another way for this paranoid administrator is to use a strict policy (instead of targeted) and manually every rule, which is only manageable if the machine is having a very specific function like a firewall or file server?
>
> thank you..
>
> On Wed, Aug 19, 2009 at 5:49 AM, Daniel J Walsh wrote:
>
>> On 08/17/2009 01:05 AM, adrian golding wrote:
>>> To refine my questions in the earlier email:
>>> 1) many of the things the attacker can do if he exploits the Samba vulnerability can be found in the source policy. but there are also so many other rules in the policy (hundreds?), my question is how do I know if the other rules matter much? there are >300 rules related to smbd_t, and it just *seems* a lot can go wrong with the system.
>>>
>> Yes you got to ask the questions. You can ask a question in APOL about whether the smbd_t can read a file.
>>
>> A simple query
>> sesearch --allow -s smbd_t -t user_home_t -c file -p read
>>
>> asks whether smbd_t can read files labeled user_home_t directly. You can use apol to look for transition rules that might allow it.
>>
>> SELinux is all about types so you need to use commands like
>>
>> semanage port -l
>>
>> To list the types that ports are assigned to or /etc/selinux/targeted/context/files/files.context to see what types are assigned to files, by default.
>>
>>> 2) how do we verify the part about what the attackers cannot do? does it mean, if I cannot find a rule that links smbd_t with user_home_t with the 'read' permission, the attacker cannot read/manipulate user home directories? Or it is not as trivial?
>> Anything that is not allowed is denied. See above.
>>>
>>> 3) I am assuming ports 137-139 and 445 are labelled smbd_port_t, but where can I find this assignment in the policy? I am currently using apol.
>>>
>> semanage port -l
>>
>>> thank you
>>>
>>> On Mon, Aug 17, 2009 at 10:42 AM, adrian golding <adriangolding at gmail.com> wrote:
>>>
>>>> dear all, can you please point me to the right place:
>>>> with reference to: http://danwalsh.livejournal.com/10131.html
>>>>
>>>> I am interested in how dan knows what an attacker can make use of the samba vulnerability to do by default, and what the attacker cannot do. More generally speaking, how do we look at a service or application in a SELinux system, and finding out what the attacker can do and cannot do in the case of the service being exploited?
>>>>
>>>> in that page, he looked at some of the relevant booleans and I guess "samba_enable_home_dirs ---> off" prevents the attacker from reading/manipulating the user's home directories. But what about the rest? What other things can an end user (who is not very experienced in SELinux) examine to know what the attacker can / cannot do?
>>>>
>>>> thank you

There is very little difference in RHEL5 and beyond between strict policy and targeted. In targeted policy there are several unconfined domains. So an administrator would want to make sure there are no or few processes running on his system labeled initrc_t, inetd_child_t or unconfined_t for example. But from a network facing point of view targeted and strict provide the same enforcement.

In Fedora 10/11/Rawhide, strict policy has disappeared, and you can remove the unconfined module to get the same functionality that used to be in strict policy.
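An added example, not code from this thread, from setools or from setroubleshoot: a small Python parser that turns AVC records like the ones posted in this thread into the sesearch query Dan describes above, tallies them by source type, target type, class and permission, and flags the case from the dir-create thread below where the creating domain's SELinux user differs from the object's (a constraint, which a type-enforcement search will not explain). The class and function names are mine; the sample records are copied from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Kernel/audit AVC record as quoted in the thread, e.g.
#   avc:  denied  { write } for  pid=1590 comm="auditctl" path="/dev/null" ...
#   scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# key=value pairs between "for" and "scontext"; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    range: str  # MLS/MCS range; "" when the policy has none

    @classmethod
    def parse(cls, text: str) -> "Context":
        # user:role:type[:range]; the range itself may contain ':' (s0-s0:c0.c1023)
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError("not a security context: %r" % text)
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")


@dataclass(frozen=True)
class Denial:
    perms: tuple
    comm: str
    scontext: Context
    tcontext: Context
    tclass: str


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one log line; None for lines that are not denials (policyload notices etc.)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(sorted(m.group("perms").split())),
        comm=fields.get("comm", "?"),
        scontext=Context.parse(m.group("scontext")),
        tcontext=Context.parse(m.group("tcontext")),
        tclass=m.group("tclass"),
    )


def sesearch_query(d: Denial) -> str:
    """The type-enforcement question Dan poses in the thread, for this denial."""
    return "sesearch --allow -s %s -t %s -c %s -p %s" % (
        d.scontext.type, d.tcontext.type, d.tclass, ",".join(d.perms))


def constraint_hint(d: Denial) -> Optional[str]:
    """Creating an object whose SELinux user differs from the creating domain's is
    blocked by a constrain rule on the user identity (Dan's diagnosis of the
    siterep_u/system_u case), so sesearch may still show a matching allow rule."""
    if "create" in d.perms and d.scontext.user != d.tcontext.user:
        return ("%s creating a %s labeled %s: user identity constraint, not a missing "
                "allow rule; confirm with audit2why" % (d.scontext.user, d.tclass, d.tcontext.user))
    return None


def summarize(lines: Iterable[str]) -> Counter:
    """Tally denials by (source type, target type, class, permission)."""
    tally: Counter = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            for p in d.perms:
                tally[(d.scontext.type, d.tcontext.type, d.tclass, p)] += 1
    return tally


# Sample input copied from the records posted in this thread.
SAMPLE_LOG = [
    'Aug 12 02:41:26 localhost kernel: type=1400 audit(1250062886.941:25230): avc:  denied  { write } for  pid=1590 comm="auditctl" path="/dev/null" dev=tmpfs ino=11264 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file',
    'Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:4): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1011 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file',
    'Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062928.769:9): avc:  denied  { sys_module } for  pid=459 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability',
    'Aug 12 17:36:26 localhost kernel: type=1400 audit(1250116586.288:39547): avc:  denied  { write } for  pid=23025 comm="auditctl" path="/dev/null" dev=tmpfs ino=161648 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file',
    'Aug 19 15:53:41 localhost dbus: avc: received policyload notice (seqno=2)',
    'node=jcdx type=AVC msg=audit(1250704307.148:1143): avc: denied { create } for pid=4208 comm="processdirs" name="test7" scontext=siterep_u:siterep_r:siterep_jcdx_nautilus_helper_t:s15:c0.c1023 tcontext=system_u:object_r:jcdx_ml_var_t:s0 tclass=dir',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print("%3d  %s" % (n, " ".join(key)))
    for d in filter(None, map(parse_avc, SAMPLE_LOG)):
        print(sesearch_query(d), "   #", constraint_hint(d) or "comm=" + d.comm)
```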
From dwalsh at redhat.com Wed Aug 19 23:35:38 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 19 Aug 2009 19:35:38 -0400
Subject: mlscontrain violation on dir create
In-Reply-To:
References:
Message-ID: <4A8C8C4A.5060803@redhat.com>

On 08/19/2009 02:41 PM, Xavier Toth wrote:
> A process of type siterep_jcdx_nautilus_helper_t running at SystemHigh is trying to create a directory at SystemLow and getting the following mlsconstraint violation:
>
> node=jcdx type=AVC msg=audit(1250704307.148:1143): avc: denied { create } for pid=4208 comm="processdirs" name="test7" scontext=siterep_u:siterep_r:siterep_jcdx_nautilus_helper_t:s15:c0.c1023 tcontext=system_u:object_r:jcdx_ml_var_t:s0 tclass=dir
>
> The siterep_jcdx_nautilus_helper_t policy uses the following macros:
>
> manage_dirs_pattern($1_jcdx_nautilus_helper_t,jcdx_ml_var_t,jcdx_ml_var_t)
>
> ifdef(`enable_mls',`
> mls_file_read_all_levels($1_jcdx_nautilus_helper_t)
> mls_file_write_all_levels($1_jcdx_nautilus_helper_t)
> mls_file_downgrade($1_jcdx_nautilus_helper_t)
> mls_file_upgrade($1_jcdx_nautilus_helper_t)
> ')
>
> I've looked at the policy mlsconstraints but I'm not understanding which one is being violated, any ideas?
>
> Ted

Not an MLS constraint.
siterep_u creating a file labeled system_u

From dwalsh at redhat.com Wed Aug 19 23:42:31 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 19 Aug 2009 19:42:31 -0400
Subject: racoon denials
In-Reply-To:
References: <20090817141034.GA5935@notebook3.grift.internal> <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu> <20090817160919.GC5935@notebook3.grift.internal> <95BF9113-03C5-44BF-AA1C-73BFD6AA269F@t-online.hu> <20090818091750.GB2445@notebook3.grift.internal> <0415205B-3634-4D9B-A49C-8C1F54D5258B@t-online.hu> <4A8AE833.4040606@redhat.com>
Message-ID: <4A8C8DE7.90909@redhat.com>

On 08/18/2009 01:53 PM, Daniel Fazekas wrote:
> On Aug 18, 2009, at 19:43, Daniel J Walsh wrote:
>
>>> type racoon_tmp_t;
>>> files_tmp_file(racoon_tmp_t)
>>> manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>>> manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>>> files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
>> Ok better than the domtrans, although most of what you showed before were probably leaked file descriptors.
>> I would really prefer not to use /tmp.
>
> I still think, though haven't actually tested it, that all those tmp file accesses are caused by bash's here-doc syntax to provide input for setkey. (The temp files are all named sh-thd-#UNIX_TIMESTAMP#)
>
> Just like the example script in ipsec-tools, /etc/racoon/scripts/p1_up_down does it:
>
> setkey -c << EOT
> spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
> spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
> EOT
>
> The only other alternative seems to be to put the rules into a dynamically created temp file, which I could then place anywhere, then use setkey -f to load it from there.
>
> "setkey takes a series of operations from standard input (if invoked with -c) or the file named filename (if invoked with -f filename)."
Yes that looks correct. So I will add the rules to rawhide.

Miroslav can you grab the ipsec.te from rawhide and put it in F11.

From dwalsh at redhat.com Thu Aug 20 00:00:56 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 19 Aug 2009 20:00:56 -0400
Subject: racoon denials
In-Reply-To:
References: <4A8AE51C.7050605@redhat.com>
Message-ID: <4A8C9238.6080506@redhat.com>

On 08/19/2009 07:01 AM, Daniel Fazekas wrote:
> On Aug 18, 2009, at 19:30, Daniel J Walsh wrote:
>
>> I can add a tunable to allow racoon to read shadow, although I would like to see it use pam if a port is available.
>
> I too would prefer PAM, unfortunately Fedora 11's copy of racoon is built without --with-libpam.
> There is already a BZ about it from November 2008: https://bugzilla.redhat.com/show_bug.cgi?id=470793
>
>> I will also add the ability to transition from racoon to setkey_t, but I would prefer if you put your temporary files in /var/racoon or /var/run/pluto or /var/run/racoon.
>> System Services should NEVER use /tmp for creation of interaction with files. Users live there and users is evil :^)
>
> Turns out that was simple enough.
>
> I just added
> TMPDIR="/var/racoon"
> to the start of the bash shell script, and now bash doesn't try putting its stuff into /tmp.
> What's even better is that this already seems to be allowed by the current policy.
>
> So the whole extra myracoon module could be simplified as:
>
> ---------
> policy_module(myracoon, 0.0.5)
> require { type racoon_t, setkey_exec_t; }
>
> auth_read_shadow(racoon_t)
> can_exec(racoon_t, setkey_exec_t)
> fs_dontaudit_getattr_xattr_fs(racoon_t)
> ---------
>
> Are these reasonable to add to the official policy one day?
Yes

From mgrepl at redhat.com Thu Aug 20 11:55:36 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Thu, 20 Aug 2009 13:55:36 +0200
Subject: racoon denials
In-Reply-To: <4A8C8DE7.90909@redhat.com>
References: <20090817141034.GA5935@notebook3.grift.internal> <92D7C773-14A8-4EEA-817D-A58B9CB61CD9@t-online.hu> <20090817160919.GC5935@notebook3.grift.internal> <95BF9113-03C5-44BF-AA1C-73BFD6AA269F@t-online.hu> <20090818091750.GB2445@notebook3.grift.internal> <0415205B-3634-4D9B-A49C-8C1F54D5258B@t-online.hu> <4A8AE833.4040606@redhat.com> <4A8C8DE7.90909@redhat.com>
Message-ID: <4A8D39B8.7000403@redhat.com>

On 08/20/2009 01:42 AM, Daniel J Walsh wrote:
> On 08/18/2009 01:53 PM, Daniel Fazekas wrote:
>
>> On Aug 18, 2009, at 19:43, Daniel J Walsh wrote:
>>
>>>> type racoon_tmp_t;
>>>> files_tmp_file(racoon_tmp_t)
>>>> manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>>>> manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
>>>> files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
>>>>
>>> Ok better than the domtrans, although most of what you showed before were probably leaked file descriptors.
>>> I would really prefer not to use /tmp.
>>>
>> I still think, though haven't actually tested it, that all those tmp file accesses are caused by bash's here-doc syntax to provide input for setkey. (The temp files are all named sh-thd-#UNIX_TIMESTAMP#)
>>
>> Just like the example script in ipsec-tools, /etc/racoon/scripts/p1_up_down does it:
>>
>> setkey -c << EOT
>> spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
>> spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
>> EOT
>>
>> The only other alternative seems to be to put the rules into a dynamically created temp file, which I could then place anywhere, then use setkey -f to load it from there.
>>
>> "setkey takes a series of operations from standard input (if invoked with -c) or the file named filename (if invoked with -f filename)."
>>
> Yes that looks correct. So I will add the rules to rawhide.
>
> Miroslav can you grab the ipsec.te from rawhide and put it in F11.
>
Added to selinux-policy-3.6.12-79.fc11

From olivares14031 at yahoo.com Thu Aug 20 12:27:33 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 20 Aug 2009 05:27:33 -0700 (PDT)
Subject: selinux denials on rawhide. Some I can't get back
Message-ID: <952418.31136.qm@web52607.mail.re2.yahoo.com>

Dear fellow selinux experts,

I have encountered some weird denials while running rawhide. But selinux troubleshooter is not allowing me to file bugs. It just hangs. While running livecd I was able to file some bugs. After installing (restoring a rawhide system using livecd), I can't do it. I will attach a set of denials by selinux.

Thanks,

Antonio

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: avcs-20090820.txt

From domg472 at gmail.com Thu Aug 20 12:41:34 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 20 Aug 2009 14:41:34 +0200
Subject: selinux denials on rawhide. Some I can't get back
In-Reply-To: <952418.31136.qm@web52607.mail.re2.yahoo.com>
References: <952418.31136.qm@web52607.mail.re2.yahoo.com>
Message-ID: <20090820124133.GA2783@notebook3.grift.internal>

On Thu, Aug 20, 2009 at 05:27:33AM -0700, Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> I have encountered some weird denials while running rawhide. But selinux troubleshooter is not allowing me to file bugs. It just hangs. While running livecd I was able to file some bugs.
> After installing (restoring a rawhide system using livecd), I can't do it. I will attach a set of denials by selinux.
>
> Thanks,
>
> Antonio
>
> Aug 12 02:41:26 localhost kernel: type=1400 audit(1250062886.941:25230): avc: denied { write } for pid=1590 comm="auditctl" path="/dev/null" dev=tmpfs ino=11264 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:4): avc: denied { execute } for pid=166 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1011 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:5): avc: denied { mmap_zero } for pid=166 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:6): avc: denied { execute } for pid=166 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1113 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:7): avc: denied { write } for pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:8): avc: denied { open } for pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062928.769:9): avc: denied { sys_module } for pid=459 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 12 17:11:37 localhost setroubleshoot: [avc.ERROR] Plugin Exception leaks #012Traceback (most recent call last):#012 File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 148, in analyze_avc#012 report = plugin.analyze(avc)#012 File "/usr/share/setroubleshoot/plugins/leaks.py", line 46, in analyze#012 if avc.syscall == 'execve':#012AttributeError: AVC instance has no attribute 'syscall'
> Aug 12 17:36:26 localhost kernel: type=1400 audit(1250116586.288:39547): avc: denied { write } for pid=23025 comm="auditctl" path="/dev/null" dev=tmpfs ino=161648 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 12 17:40:26 localhost kernel: type=1400 audit(1250116826.639:22972): avc: denied { write } for pid=2085 comm="auditctl" path="/dev/null" dev=tmpfs ino=14928 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:4): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:5): avc: denied { mmap_zero } for pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:6): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:7): avc: denied { write } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.131:8): avc: denied { open } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165525.340:9): avc: denied { sys_module } for pid=480 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 13 12:40:40 localhost kernel: type=1400 audit(1250185240.254:91): avc: denied { write } for pid=2860 comm="auditctl" path="/dev/null" dev=tmpfs ino=40043 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.229:4): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.230:5): avc: denied { mmap_zero } for pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:6): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:7): avc: denied { write } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.232:8): avc: denied { open } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.790:9): avc: denied { sys_module } for pid=463 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 14 17:14:31 localhost kernel: type=1400 audit(1250288071.151:120): avc: denied { write } for pid=2853 comm="auditctl" path="/dev/null" dev=tmpfs ino=83085 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 17 07:46:24 localhost kernel: type=1400 audit(1250513184.418:22958): avc: denied { write } for pid=2188 comm="auditctl" path="/dev/null" dev=tmpfs ino=19698 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.366:4): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:5): avc: denied { mmap_zero } for pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:6): avc: denied { execute } for pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:7): avc: denied { write } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:8): avc: denied { open } for pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597974.538:9): avc: denied { sys_module } for pid=435 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
> Aug 19 15:53:41 localhost dbus: avc: received policyload notice (seqno=2)
> Aug 19 15:53:41 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
> Aug 19 16:04:57 localhost kernel: type=1400 audit(1250715897.391:279): avc: denied { write } for pid=5261 comm="auditctl" path="/dev/null" dev=tmpfs ino=283860 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.824:20606): avc: denied { unlink } for pid=1500 comm="chkconfig" name="K88auditd" dev=dm-0 ino=9509 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.825:20607): avc: denied { create } for pid=1500 comm="chkconfig" name="S11auditd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> Aug 20 07:22:57 localhost dbus: avc: received policyload notice (seqno=2)
> Aug 20 07:22:57 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)

Join the club :)

I have a shedload of custom policy modules for rawhide. Some of it may not be recommended to add but it does fix most issues.
have a look here: http://82.197.205.60/~dgrift/stuff/modules/rawhide12/

Also install the latest packages available (koji and

[root at notebook3 ~]# less /etc/yum.repos.d/koji.repo
[koji]
name=Fedora 12 - x86_64 - Just Born
baseurl=http://koji.fedoraproject.org/static-repos/dist-f12-build-current/x86_64
enabled=0

My rawhide runs surprisingly good in some regards even better than f11 ...

hth

From selinux at gmail.com Thu Aug 20 13:37:13 2009
From: selinux at gmail.com (Tom London)
Date: Thu, 20 Aug 2009 06:37:13 -0700
Subject: selinux denials on rawhide. Some I can't get back
In-Reply-To: <20090820124133.GA2783@notebook3.grift.internal>
References: <952418.31136.qm@web52607.mail.re2.yahoo.com> <20090820124133.GA2783@notebook3.grift.internal>
Message-ID: <4c4ba1530908200637m5493c626ndb5866563be76f11@mail.gmail.com>

On Thu, Aug 20, 2009 at 5:41 AM, Dominick Grift wrote:
> On Thu, Aug 20, 2009 at 05:27:33AM -0700, Antonio Olivares wrote:
>> Dear fellow selinux experts,
>>
>> I have encountered some weird denials while running rawhide. But selinux troubleshooter is not allowing me to file bugs. It just hangs. While running livecd I was able to file some bugs. After installing (restoring a rawhide system using livecd), I can't do it. I will attach a set of denials by selinux.
>>
>> Thanks,
>>
>> Antonio
>>
>>
>>
>> Aug 12 02:41:26 localhost kernel: type=1400 audit(1250062886.941:25230): avc:  denied  { write } for  pid=1590 comm="auditctl" path="/dev/null" dev=tmpfs ino=11264 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:4): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1011 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:5): avc:  denied  { mmap_zero } for  pid=166 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.129:6): avc:  denied  { execute } for  pid=166 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1113 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:7): avc:  denied  { write } for  pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062926.131:8): avc:  denied  { open } for  pid=166 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 12 02:42:16 localhost kernel: type=1400 audit(1250062928.769:9): avc:  denied  { sys_module } for  pid=459 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
>> Aug 12 17:11:37 localhost setroubleshoot: [avc.ERROR] Plugin Exception leaks #012Traceback (most recent call last):#012  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 148, in analyze_avc#012    report = plugin.analyze(avc)#012  File "/usr/share/setroubleshoot/plugins/leaks.py", line 46, in analyze#012    if avc.syscall == 'execve':#012AttributeError: AVC instance has no attribute 'syscall'
>> Aug 12 17:36:26 localhost kernel: type=1400 audit(1250116586.288:39547): avc:  denied  { write } for  pid=23025 comm="auditctl" path="/dev/null" dev=tmpfs ino=161648 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 12 17:40:26 localhost kernel: type=1400 audit(1250116826.639:22972): avc:  denied  { write } for  pid=2085 comm="auditctl" path="/dev/null" dev=tmpfs ino=14928 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.129:5): avc:  denied  { mmap_zero } for  pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:6): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.130:7): avc:  denied  { write } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165523.131:8): avc:  denied  { open } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 13 07:12:12 localhost kernel: type=1400 audit(1250165525.340:9): avc:  denied  { sys_module } for  pid=480 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
>> Aug 13 12:40:40 localhost kernel: type=1400 audit(1250185240.254:91): avc:  denied  { write } for  pid=2860 comm="auditctl" path="/dev/null" dev=tmpfs ino=40043 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.229:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.230:5): avc:  denied  { mmap_zero } for  pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:6): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.231:7): avc:  denied  { write } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.232:8): avc:  denied  { open } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 14 06:56:09 localhost kernel: type=1400 audit(1250250962.790:9): avc:  denied  { sys_module } for  pid=463 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
>> Aug 14 17:14:31 localhost kernel: type=1400 audit(1250288071.151:120): avc:  denied  { write } for  pid=2853 comm="auditctl" path="/dev/null" dev=tmpfs ino=83085 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 17 07:46:24 localhost kernel: type=1400 audit(1250513184.418:22958): avc:  denied  { write } for  pid=2188 comm="auditctl" path="/dev/null" dev=tmpfs ino=19698 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.366:4): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/zero" dev=tmpfs ino=1012 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:5): avc:  denied  { mmap_zero } for  pid=167 comm="vbetool" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=memprotect
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.367:6): avc:  denied  { execute } for  pid=167 comm="vbetool" path="/dev/mem" dev=tmpfs ino=1114 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:7): avc:  denied  { write } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597971.368:8): avc:  denied  { open } for  pid=167 comm="vbetool" name="mtrr" dev=proc ino=4026531909 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file
>> Aug 18 07:19:41 localhost kernel: type=1400 audit(1250597974.538:9): avc:  denied  { sys_module } for  pid=435 comm="iw" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
>> Aug 19 15:53:41 localhost dbus: avc:  received policyload notice (seqno=2)
>> Aug 19 15:53:41 localhost dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
>> Aug 19 16:04:57 localhost kernel: type=1400 audit(1250715897.391:279): avc:  denied  { write } for  pid=5261 comm="auditctl" path="/dev/null" dev=tmpfs ino=283860 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
>> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.824:20606): avc:  denied  { unlink } for  pid=1500 comm="chkconfig" name="K88auditd" dev=dm-0 ino=9509 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
>> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.825:20607): avc:  denied  { create } for  pid=1500 comm="chkconfig" name="S11auditd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
>> Aug 20 07:22:57 localhost dbus: avc:  received policyload notice (seqno=2)
>> Aug 20 07:22:57 localhost dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
>
> Join the club :)
>
> I have a shedload of custom policy modules for rawhide. Some of it may not be recommended to add but it does fix most issues.
> have a look here: http://82.197.205.60/~dgrift/stuff/modules/rawhide12/
>
> Also install the latest packages available (koji and
>
> [root at notebook3 ~]# less /etc/yum.repos.d/koji.repo
> [koji]
> name=Fedora 12 - x86_64 - Just Born
> baseurl=http://koji.fedoraproject.org/static-repos/dist-f12-build-current/x86_64
> enabled=0
>
> My rawhide runs surprisingly well, in some regards even better than f11 ...
>
> hth
>

Believe a few of these are understood:

> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.824:20606): avc: denied { unlink } for pid=1500 comm="chkconfig" name="K88auditd" dev=dm-0 ino=9509 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> Aug 20 06:56:40 localhost kernel: type=1400 audit(1250769400.825:20607): avc: denied { create } for pid=1500 comm="chkconfig" name="S11auditd" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file

These are caused by "readahead": readahead delays starting up auditd until it has "finished". Apparently it does this in a manner not 100% as expected. I got rid of these by uninstalling readahead. Believe the developers are aware of this....

Believe many of the earlier AVCs are due to recent changes to the "unconfined" domain. From dwalsh: "I have changed all unconfined_domains to permissive so that we can find as many AVC's as possible for a couple of weeks."

tom
--
Tom London

From dwalsh at redhat.com Thu Aug 20 13:47:29 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 20 Aug 2009 09:47:29 -0400
Subject: selinux denials on rawhide. Some I can't get back
In-Reply-To: <952418.31136.qm@web52607.mail.re2.yahoo.com>
References: <952418.31136.qm@web52607.mail.re2.yahoo.com>
Message-ID: <4A8D53F1.1000200@redhat.com>

On 08/20/2009 08:27 AM, Antonio Olivares wrote:
> Dear fellow selinux experts,
>
> I have encountered some weird denials while running rawhide. But selinux troubleshooter is not allowing me to file bugs. It just hangs. While running livecd I was able to file some bugs. After installing (restoring a rawhide system using livecd), I can't do it. I will attach a set of denials by selinux.
>
> Thanks,
>
> Antonio
>
>
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

All of the vbetool bugs are fixed in the latest rawhide; udev transitions to vbetool_t.

The ones that are not vbetool related:

#============= auditctl_t ==============
allow auditctl_t device_t:file write;

Dan> This is a bug in the initrd I believe, it seems to be creating a file named /dev/null, or it is failing to create a file and the first process that redirects its output creates the file with the wrong label.

#============= initrc_t ==============
allow initrc_t etc_t:lnk_file { create unlink };

Fixed in selinux-policy-3.6.28-3.fc12

#============= udev_t ==============
allow udev_t self:capability sys_module;

This is a kernel fix that eparis is working on. I believe it is bubbling through the kernel acceptance stream.

From dwalsh at redhat.com Thu Aug 20 13:59:23 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 20 Aug 2009 09:59:23 -0400
Subject: selinux denials on rawhide. Some I can't get back
In-Reply-To: <4A8D53F1.1000200@redhat.com>
References: <952418.31136.qm@web52607.mail.re2.yahoo.com> <4A8D53F1.1000200@redhat.com>
Message-ID: <4A8D56BB.1020303@redhat.com>

FYI.
http://danwalsh.livejournal.com/30335.html

From txtoth at gmail.com Thu Aug 20 14:00:49 2009
From: txtoth at gmail.com (Xavier Toth)
Date: Thu, 20 Aug 2009 09:00:49 -0500
Subject: mlscontrain violation on dir create
In-Reply-To: <4A8C8C4A.5060803@redhat.com>
References: <4A8C8C4A.5060803@redhat.com>
Message-ID:

On Wed, Aug 19, 2009 at 6:35 PM, Daniel J Walsh wrote:
> On 08/19/2009 02:41 PM, Xavier Toth wrote:
>> A process of type siterep_jcdx_nautilus_helper_t running at SystemHigh
>> is trying to create a directory at SystemLow and getting the following
>> mlsconstraint violation:
>>
>> node=jcdx type=AVC msg=audit(1250704307.148:1143): avc:  denied  {
>> create } for  pid=4208 comm="processdirs" name="test7" scontext=s
>> iterep_u:siterep_r:siterep_jcdx_nautilus_helper_t:s15:c0.c1023
>> tcontext=system_u:object_r:jcdx_ml_var_t:s0 tclass=dir
>>
>> The siterep_jcdx_nautilus_helper_t policy uses the following macros:
>>
>>         manage_dirs_pattern($1_jcdx_nautilus_helper_t,jcdx_ml_var_t,jcdx_ml_var_t)
>>
>>         ifdef(`enable_mls',`
>>                 mls_file_read_all_levels($1_jcdx_nautilus_helper_t)
>>                 mls_file_write_all_levels($1_jcdx_nautilus_helper_t)
>>                 mls_file_downgrade($1_jcdx_nautilus_helper_t)
>>                 mls_file_upgrade($1_jcdx_nautilus_helper_t)
>>         ')
>>
>> I've looked at the policy mlsconstraints but I'm not understanding
>> which one is being violated, any ideas?
>>
>> Ted
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
> Not an MLS constraint.
> siterep_u creating a file labeled system_u
>

I once was blind but now I see ... Thanks Dan.

Ted

From dwalsh at redhat.com Thu Aug 20 17:00:27 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 20 Aug 2009 13:00:27 -0400
Subject: mlscontrain violation on dir create
In-Reply-To:
References: <4A8C8C4A.5060803@redhat.com>
Message-ID: <4A8D812B.6060308@redhat.com>

On 08/20/2009 10:00 AM, Xavier Toth wrote:
> On Wed, Aug 19, 2009 at 6:35 PM, Daniel J Walsh wrote:
>> On 08/19/2009 02:41 PM, Xavier Toth wrote:
>>> A process of type siterep_jcdx_nautilus_helper_t running at SystemHigh
>>> is trying to create a directory at SystemLow and getting the following
>>> mlsconstraint violation:
>>>
>>> node=jcdx type=AVC msg=audit(1250704307.148:1143): avc: denied {
>>> create } for pid=4208 comm="processdirs" name="test7" scontext=s
>>> iterep_u:siterep_r:siterep_jcdx_nautilus_helper_t:s15:c0.c1023
>>> tcontext=system_u:object_r:jcdx_ml_var_t:s0 tclass=dir
>>>
>>> The siterep_jcdx_nautilus_helper_t policy uses the following macros:
>>>
>>>         manage_dirs_pattern($1_jcdx_nautilus_helper_t,jcdx_ml_var_t,jcdx_ml_var_t)
>>>
>>>         ifdef(`enable_mls',`
>>>                 mls_file_read_all_levels($1_jcdx_nautilus_helper_t)
>>>                 mls_file_write_all_levels($1_jcdx_nautilus_helper_t)
>>>                 mls_file_downgrade($1_jcdx_nautilus_helper_t)
>>>                 mls_file_upgrade($1_jcdx_nautilus_helper_t)
>>>         ')
>>>
>>> I've looked at the policy mlsconstraints but I'm not understanding
>>> which one is being violated, any ideas?
>>>
>>> Ted
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>>
>> Not an MLS constraint.
>> siterep_u creating a file labeled system_u
>>
>>
>
> I once was blind but now I see ... Thanks Dan.
>
> Ted
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

No problem. I have looked at a few billion more of these than you have.
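Dan's diagnosis above is the kind of thing that is easy to miss when you go straight to the mlsconstraints: the SELinux user of the creating process (siterep_u) differs from the user in the target context (system_u). The following is an added example, not code from the thread, that parses an AVC record into its user:role:type:level fields and reports which fields differ, flagging a user mismatch on create/relabel of a file-class object before anything MLS-related. SAMPLE_AVC is a constructed copy of Ted's denial with the mail's line wrap rejoined; the function names and FILE_CLASSES set are my own, and the constraint it refers to is the reference policy's u1 == u2 / can_change_object_identity rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the denial quoted in this thread, with the
# "s" / "iterep_u" line wrap of the mail rejoined.
SAMPLE_AVC = (
    "node=jcdx type=AVC msg=audit(1250704307.148:1143): avc:  denied  { create } "
    'for  pid=4208 comm="processdirs" name="test7" '
    "scontext=siterep_u:siterep_r:siterep_jcdx_nautilus_helper_t:s15:c0.c1023 "
    "tcontext=system_u:object_r:jcdx_ml_var_t:s0 tclass=dir"
)

# File-like object classes covered by the reference policy's create/relabel
# constraint (dir_file_class_set); assumed set for this example.
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str  # MLS/MCS range such as "s15:c0.c1023" or "s0"; "" if absent


def parse_context(ctx: str) -> Context:
    """Split user:role:type[:level]; the level itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)


_DECISION_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record: str) -> Dict[str, object]:
    """Pull the decision, permissions and key=value fields out of one AVC line."""
    m = _DECISION_RE.search(record)
    if not m:
        raise ValueError("no avc decision in record")
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(record)}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError(f"AVC record lacks {required}=")
    return {
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm", ""),
        "tclass": fields["tclass"],
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
    }


def diagnose(record: str) -> Dict[str, object]:
    """Report which context fields differ and which one the denial most likely hinges on."""
    avc = parse_avc(record)
    src, tgt = avc["source"], avc["target"]
    mismatches: List[str] = [
        f for f in ("user", "role", "type", "level") if getattr(src, f) != getattr(tgt, f)
    ]
    # The u1 == u2 constraint only bites on create/relabel of file-class objects.
    creating = avc["tclass"] in FILE_CLASSES and bool(
        {"create", "relabelto", "relabelfrom"} & set(avc["perms"])
    )
    user_mismatch = creating and src.user != tgt.user
    if user_mismatch:
        hint = (
            f"{src.user} would create a {avc['tclass']} labeled with SELinux user {tgt.user}; "
            "refpolicy constrains create/relabel to u1 == u2 unless the subject type has "
            "can_change_object_identity, so check the user field before the MLS constraints"
        )
    elif "level" in mismatches:
        hint = f"levels differ ({src.level} vs {tgt.level}); look at the MLS constraints"
    else:
        hint = "no identity or level mismatch; this is an ordinary type-enforcement denial"
    return {
        "perms": avc["perms"],
        "tclass": avc["tclass"],
        "source": src,
        "target": tgt,
        "mismatches": mismatches,
        "user_mismatch": user_mismatch,
        "hint": hint,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_AVC)
    for key in ("perms", "tclass", "mismatches", "user_mismatch", "hint"):
        print(f"{key}: {result[key]}")
```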
From frankly3d at gmail.com Fri Aug 21 17:32:34 2009
From: frankly3d at gmail.com (Frank Murphy (Frankly3D))
Date: Fri, 21 Aug 2009 18:32:34 +0100
Subject: Setroubleshoot Reports times are in IST
Message-ID: <4A8EDA32.1010909@gmail.com>

How do I get the pop-up reports in my timezone (Ireland) gmt

--
Regards,
Frank
jabber | msn | skype: frankly3d
http://fedoraproject.org/wiki/User:Frankly3d
http://www.frankly3d.com

From anmajumd at cisco.com Fri Aug 21 18:44:23 2009
From: anmajumd at cisco.com (Anamitra Dutta Majumdar (anmajumd))
Date: Fri, 21 Aug 2009 11:44:23 -0700
Subject: Confining Applications running as root user
In-Reply-To: <4A832746.5090606@redhat.com>
References: <19073.48200.534937.986699@freddi.uddeborg> <4EF101F7236DB443A8FABF8164BFBD0C082EA6B6@xmb-sjc-223.amer.cisco.com> <4A832746.5090606@redhat.com>
Message-ID: <4EF101F7236DB443A8FABF8164BFBD0C0847F5BC@xmb-sjc-223.amer.cisco.com>

Thanks everyone for their responses. I have another followup question.

Is it mandatory to add all the neverallow rules to assert.te? If so, does that imply that we need to maintain our own version of assert.te with the modifications?

Thanks
Anamitra & Radha

-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh at redhat.com]
Sent: Wednesday, August 12, 2009 1:34 PM
To: Anamitra Dutta Majumdar (anmajumd)
Cc: fedora-selinux-list at redhat.com
Subject: Re: Confining Applications running as root user

On 08/11/2009 06:54 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>
>
> We are trying to migrate our existing security policies to SELinux. We
> are new to SELinux and hence are finding it difficult to map our
> existing policies.
>
> In our existing policy, all applications (including ones running as
> root user) with the exception of insmod and modprobe, are denied access to
> /lib directory. How would we go about writing such a policy without
> actually confining every application manually, since that would indeed
> be cumbersome?
>
> Thanks,
> Anamitra & Radha.
>
So you want to control an administrator that is logged in as root from writing to /lib? Not very easy to do. If he can disable selinux, load kernel modules, install rpm ... he can easily circumvent your protection.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Fri Aug 21 20:28:42 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 21 Aug 2009 16:28:42 -0400
Subject: Setroubleshoot Reports times are in IST
In-Reply-To: <4A8EDA32.1010909@gmail.com>
References: <4A8EDA32.1010909@gmail.com>
Message-ID: <4A8F037A.7030807@redhat.com>

On 08/21/2009 01:32 PM, Frank Murphy (Frankly3D) wrote:
> How do I get the pop-up reports in my timezone (Ireland) gmt
>
I would figure it reports the default based off the timezone specification.

From js44352 at gmail.com Fri Aug 21 21:25:47 2009
From: js44352 at gmail.com (Jason Shaw)
Date: Fri, 21 Aug 2009 15:25:47 -0600
Subject: Label eth0 with a MCS security category?
Message-ID:

In FC-11, under the targeted policy, is it possible to label an ethernet interface (such as eth0, eth1) with a specific MCS category?

Example:
1) Use semanage to assign user1 to s0:c5
3) Assign eth0 to s0:c4 (Can this be done?)
4) Assign eth1 to s0:c5

Desired result: if user1 tries to ping -I eth1 the ping command will work (as both eth1 and user1 have category c5). If user1 tries to ping -I eth0, the ping command will not work (category mismatch between user and eth1).

From sm3501 at yahoo.com Sat Aug 22 12:55:57 2009
From: sm3501 at yahoo.com (Sam Marshall)
Date: Sat, 22 Aug 2009 05:55:57 -0700 (PDT)
Subject: MCS Max Number of Category Element Comparisions?
In-Reply-To: <1250508551.3629.76.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <63661.28235.qm@web111818.mail.gq1.yahoo.com>

You are correct - my mistake in the original post.
I too was unable to reproduce on FC11. Originally observed the problem in RHEL5.3 (selinux-policy-targeted.noarch 2.4.6-203.el5) using targeted policy v21 enforcing.

On RHEL5.3, if I assign >6 non-contiguous categories, the mappings are lost.

For example, assigning six non-contiguous categories to a user works just fine:

# semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13 user_1

id -Z
user_u:system_r:unconfined_t:s0-s0:c3;c5,c7,c9,c11,c13

Now, assign 7 categories to user_1:

# semanage login -m -s user_u -r s0-s0:c3,c5,c7,c9,c11,c13,c15 user_1

All 7 category mappings appear to have been applied:

# semanage login -l
user_1 user_u s0-s0:c3,c5,c7,c9,c11,c13,c15

However, as user_1, the 7 category mappings are not linked to the user per the id -Z command. Subsequent attempts to open a file requiring the 7 categories as user_1 fail.

Login as user_1 after the 7 categories have been assigned:

id -Z
user_u:system_r:unconfined_t:s0

--- On Mon, 8/17/09, Stephen Smalley wrote:

From: Stephen Smalley
Subject: Re: MCS Max Number of Category Element Comparisions?
To: "Sam Marshall"
Cc: fedora-selinux-list at redhat.com
Date: Monday, August 17, 2009, 11:29 AM

On Fri, 2009-08-14 at 13:30 -0700, Sam Marshall wrote:
> Hi,
>
> In FC11, is there a limit to the number of category elements that can
> be compared to make access decisions using MCS? My understanding is
> that up to 1024 categories can be assigned in setrans.conf, however,
> only six or fewer categories can be used for comparison to make
> access decisions.
>
> For example, when I assign a login user to 7 categories (e.g., s:0,
> c1, c2, c5, c8, c11, c12, c19) and label a file with the exact same
> categories number, permission is denied if the user tries to cat out
> the file (Unix dacl permissions allow the user read access)
>
> When I assign less than 7 of the exact same categories to the file and
> user, the user can open the file.
>
> I've tried using ranges (c2.c5, c10.c18, etc ), and found that there
> appears to be a four element limitation with the range notation.
>
> Does this sound right?

No, that sounds like a bug. Can you provide more specifics, please?

The following worked for me just fine:

# useradd foo
# passwd foo
# semanage login -a -s unconfined_u -r s0-s0:c0,c1,c2,c5,c8,c11,c12,c19 foo
# ssh -l foo localhost
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c2,c5,c8,c11,c12,c19
$ echo hello > foo
$ chcon -l s0:c0.c2,c5,c8,c11,c12,c19 foo
$ cat foo
hello

--
Stephen Smalley
National Security Agency

From olivares14031 at yahoo.com Sun Aug 23 17:15:28 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Sun, 23 Aug 2009 10:15:28 -0700 (PDT)
Subject: can't install rawhide on Emachines ET-1161-05, anaconda traceback + selinux
Message-ID: <728989.30173.qm@web52608.mail.re2.yahoo.com>

Dear all,

I downloaded xfce-20080815.... iso from nightly build to try and install rawhide on an Emachines ET-1161-05 machine and was unable to.
I tried the liveinstaller and got the following:

anaconda 12.15-1.fc12 exception report
Traceback (most recent call first):
  File "/usr/lib64/python2.6/site-packages/block/device.py", line 454, in get_table
    table = apply(_dm.table, tableParts, {})
  File "/usr/lib64/python2.6/site-packages/block/device.py", line 337, in __init__
    table = self.get_table()
  File "/usr/lib/anaconda/storage/devices.py", line 2836, in setup
    self._pyBlockMultiPath = block.device.MultiPath(*parents)
  File "/usr/lib/anaconda/storage/devicetree.py", line 1855, in populate
    mp.setup()
  File "/usr/lib/anaconda/storage/__init__.py", line 293, in reset
    self.devicetree.populate()
  File "/usr/lib/anaconda/storage/__init__.py", line 74, in storageInitialize
    storage.reset()
  File "/usr/lib/anaconda/dispatch.py", line 204, in moveStep
    rc = stepFunc(self.anaconda)
  File "/usr/lib/anaconda/dispatch.py", line 127, in gotoNext
    self.moveStep()
  File "/usr/lib/anaconda/gui.py", line 1201, in nextClicked
    self.anaconda.dispatch.gotoNext()
ValueError: size must be positive

Local variables in innermost frame:
tableParts: [0, 0, 'multipath', '0 0 1 1 round-robin 0 4 1 8:16 1000 8:32 1000 8:48 1000 8:64 1000']
self:
params: 0 0 1 1 round-robin 0 4 1 8:16 1000 8:32 1000 8:48 1000 8:64 1000
'Chinese(Simplified)': Chinese(Simplified), 'Telugu': Telugu, 'Turkish': Turkish, 'Maithili': Maithili, 'Italian': Italian, 'Oriya': Oriya, 'Slovenian': Slovenian, 'Norwegian(Bokmål)': Norwegian(Bokmål), 'Gujarati': Gujarati, 'Hindi': Hindi, 'Dutch': Dutch, 'Korean': Korean, 'Estonian': Estonian, 'Danish': Danish, 'Bulgarian': Bulgarian, 'Northern Sotho': Northern Sotho, 'Hungarian': Hungarian, 'Macedonian': Macedonian, 'Welsh': Welsh, 'Vietnamese': Vietnamese, 'Malay': Malay, 'French': French, 'Serbian(Latin)': Serbian(Latin), 'Catalan': Catalan, 'Bengali': Bengali, 'Marathi': Marathi, 'Russian': Russian, 'Tajik': Tajik, 'Assamese': Assamese, 'Afrikaans': Afrikaans, 'Tamil': Tamil, 'Iloko': Iloko, 'Nepali': Nepali, 'Finnish': Finnish, 'Punjabi': Punjabi, 'Spanish': Spanish, 'Indonesian': Indonesian, 'Romanian': Romanian, 'Greek': Greek, 'English': English, 'Malayalam': Malayalam, 'Serbian': Serbian, 'Bengali(India)': Bengali(India), 'Croatian': Croatian, 'Portuguese': Portuguese, 'Portuguese(Brazilian)': Portuguese(Brazilian), 'Zulu': Zulu, 'German': German, 'Ukrainian': Ukrainian, 'Japanese': Japanese, 'Kannada': Kannada, 'Czech': Czech, 'Persian': Persian, 'Slovak': Slovak, 'Hebrew': Hebrew, 'Polish': Polish, 'Arabic': Arabic, 'Chinese(Traditional)': Chinese(Traditional), 'Sinhala': Sinhala} id.instLanguage.default: en_US.UTF-8 id.instLanguage.displayMode: g id.instLanguage.current: en_US.UTF-8 id.instLanguage.localeInfo: {'hu_HU.UTF-8': ('Hungarian', 'hu', 'latarcyrheb-sun16', 'hu', 'Europe/Budapest'), 'sr_RS.UTF-8': ('Serbian', 'sr', 'latarcyrheb-sun16', 'sr-cy', 'Europe/Belgrade'), 'ta_IN.UTF-8': ('Tamil', 'ta', 'none', 'us', 'Asia/Kolkata'), 'zu_ZA.UTF-8': ('Zulu', 'zu', 'latarcyrheb-sun16', 'us', 'Africa/Johannesburg'), 'et_EE.UTF-8': ('Estonian', 'et', 'latarcyrheb-sun16', 'et', 'Europe/Tallinn'), 'zh_TW.UTF-8': ('Chinese(Traditional)', 'zh_TW', 'none', 'us', 'Asia/Taipei'), 'sk_SK.UTF-8': ('Slovak', 'sk', 'latarcyrheb-sun16', 'sk-qwerty', 
'Europe/Bratislava'), 'cs_CZ.UTF-8': ('Czech', 'cs', 'latarcyrheb-sun16', 'cz-lat2', 'Europe/Prague'), 'en_US.UTF-8': ('English', 'en', 'latarcyrheb-sun16', 'us', 'America/New_York'), 'da_DK.UTF-8': ('Danish', 'da', 'latarcyrheb-sun16', 'dk', 'Europe/Copenhagen'), 'ro_RO.UTF-8': ('Romanian', 'ro', 'Lat2-Terminus16', 'ro', 'Europe/Bucharest'), 'ilo_PH.UTF-8': ('Iloko', 'ilo', 'latarcyrheb-sun16', 'us', 'Asia/Manila'), 'ml_IN.UTF-8': ('Malayalam', 'ml', 'none', 'us', 'Asia/Kolkata'), 'nb_NO.UTF-8': ('Norwegian(Bokm\xc3\xa5l)', 'nb', 'latarcyrheb-sun16', 'no', 'Europe/Oslo'), 'pl_PL.UTF-8': ('Polish', 'pl', 'latarcyrheb-sun16', 'pl2', 'Europe/Warsaw'), 'ar_SA.UTF-8': ('Arabic', 'ar', 'none', 'us', 'Asia/Riyadh'), 'fr_FR.UTF-8': ('French', 'fr', 'latarcyrheb-sun16', 'fr-latin9', 'Europe/Paris'), 'it_IT.UTF-8': ('Italian', 'it', 'latarcyrheb-sun16', 'it', 'Europe/Rome'), 'pt_BR.UTF-8': ('Portuguese(Brazilian)', 'pt_BR', 'latarcyrheb-sun16', 'br-abnt2', 'America/Sao_Paulo'), 'sr_RS.UTF-8@latin': ('Serbian(Latin)', 'sr@latin', 'latarcyrheb-sun16', 'sr-latin', 'Europe/Belgrade'), 'mr_IN.UTF-8': ('Marathi', 'mr', 'none', 'us', 'Asia/Kolkata'), 'ru_RU.UTF-8': ('Russian', 'ru', 'none', 'ru', 'Europe/Moscow'), 'si_LK.UTF-8': ('Sinhala', 'si', 'none', 'us', 'Asia/Colombo'), 'de_DE.UTF-8': ('German', 'de', 'latarcyrheb-sun16', 'de-latin1-nodeadkeys', 'Europe/Berlin'), 'ja_JP.UTF-8': ('Japanese', 'ja', 'none', 'jp106', 'Asia/Tokyo'), 'hr_HR.UTF-8': ('Croatian', 'hr', 'latarcyrheb-sun16', 'croat', 'Europe/Zagreb'), 'ko_KR.UTF-8': ('Korean', 'ko', 'none', 'us', 'Asia/Seoul'), 'es_ES.UTF-8': ('Spanish', 'es', 'latarcyrheb-sun16', 'es', 'Europe/Madrid'), 'cy_GB.UTF-8': ('Welsh', 'cy', 'latarcyrheb-sun16', 'uk', 'Europe/London'), 'af_ZA.UTF-8': ('Afrikaans', 'af', 'latarcyrheb-sun16', 'us', 'Africa/Johannesburg'), 'fa_IR.UTF-8': ('Persian', 'fa', 'none', 'us', 'Asia/Tehran'), 'bn_IN.UTF-8': ('Bengali(India)', 'bn', 'none', 'us', 'Asia/Kolkata'), 'tr_TR.UTF-8': ('Turkish', 'tr', 
'latarcyrheb-sun16', 'trq', 'Europe/Istanbul'), 'uk_UA.UTF-8': ('Ukrainian', 'uk', 'latarcyrheb-sun16', 'ua-utf', 'Europe/Kiev'), 'C': ('English', 'en', 'latarcyrheb-sun16', 'us', 'America/New_York'), 'as_IN.UTF-8': ('Assamese', 'as', 'none', 'us', 'Asia/Kolkata'), 'is_IS.UTF-8': ('Icelandic', 'is', 'latarcyrheb-sun16', 'is-latin1', 'Atlantic/Reykjavik'), 'vi_VN.UTF-8': ('Vietnamese', 'vi', 'latarcyrheb-sun16', 'us', 'Asia/Saigon'), 'pt_PT.UTF-8': ('Portuguese', 'pt', 'latarcyrheb-sun16', 'pt-latin1', 'Europe/Lisbon'), 'gu_IN.UTF-8': ('Gujarati', 'gu', 'none', 'us', 'Asia/Kolkata'), 'bn_BD.UTF-8': ('Bengali', 'bn', 'none', 'us', 'Asia/Dhaka'), 'ne_NP.UTF-8': ('Nepali', 'ne', 'none', 'us', 'Asia/Kathmandu'), 'or_IN.UTF-8': ('Oriya', 'or', 'none', 'us', 'Asia/Kolkata'), 'pa_IN.UTF-8': ('Punjabi', 'pa', 'none', 'us', 'Asia/Kolkata'), 'he_IL.UTF-8': ('Hebrew', 'he', 'none', 'us', 'Asia/Jerusalem'), 'ms_MY.UTF-8': ('Malay', 'ms', 'latarcyrheb-sun16', 'us', 'Asia/Kuala_Lumpur'), 'mai_IN.UTF-8': ('Maithili', 'mai', 'none', 'us', 'Asia/Kolkata'), 'nso_ZA.UTF-8': ('Northern Sotho', 'nso', 'latarcyrheb-sun16', 'us', 'Africa/Johannesburg'), 'zh_CN.UTF-8': ('Chinese(Simplified)', 'zh_CN', 'none', 'us', 'Asia/Shanghai'), 'te_IN.UTF-8': ('Telugu', 'te', 'none', 'us', 'Asia/Kolkata'), 'el_GR.UTF-8': ('Greek', 'el', 'iso07u-16', 'gr', 'Europe/Athens'), 'id_ID.UTF-8': ('Indonesian', 'id', 'latarcyrheb-sun16', 'us', 'Asia/Jakarta'), 'sv_SE.UTF-8': ('Swedish', 'sv', 'latarcyrheb-sun16', 'sv-latin1', 'Europe/Stockholm'), 'sl_SI.UTF-8': ('Slovenian', 'sl', 'latarcyrheb-sun16', 'slovene', 'Europe/Ljubljana'), 'bg_BG.UTF-8': ('Bulgarian', 'bg', 'latarcyrheb-sun16', 'bg_bds-utf8', 'Europe/Sofia'), 'tg_TG.UTF-8': ('Tajik', 'tg', 'none', 'tj', 'Asia/Dushanbe'), 'nl_NL.UTF-8': ('Dutch', 'nl', 'latarcyrheb-sun16', 'nl', 'Europe/Amsterdam'), 'fi_FI.UTF-8': ('Finnish', 'fi', 'latarcyrheb-sun16', 'fi', 'Europe/Helsinki'), 'ca_ES.UTF-8': ('Catalan', 'ca', 'latarcyrheb-sun16', 'es', 
'Europe/Madrid'), 'hi_IN.UTF-8': ('Hindi', 'hi', 'none', 'us', 'Asia/Kolkata'), 'kn_IN.UTF-8': ('Kannada', 'kn', 'none', 'us', 'Asia/Kolkata'), 'mk_MK.UTF-8': ('Macedonian', 'mk', 'latarcyrheb-sun16', 'mk', 'Europe/Skopje')} id.rootPassword: {'lock': False, 'password': , 'isCrypted': False} id.security: Security instance, containing members: id.security.selinux: 1 id.upgradeSwapInfo: None dir: 1 backend: Already dumped
/tmp/anaconda.log:
12:01:21 INFO : using only installclass _Fedora
12:01:21 INFO : anaconda called with cmdline = ['/usr/sbin/anaconda', '--liveinst', '--method=livecd:///dev/mapper/live-osimg-min', '--lang', 'en_US.UTF-8']
12:01:21 INFO : Display mode = g
12:01:21 INFO : Starting graphical installation.
12:01:21 INFO : Detected 3536M of memory
12:01:21 INFO : Swap attempt of 1024M to 5584M
12:01:21 WARNING : step installtype does not exist
12:01:21 WARNING : step confirminstall does not exist
12:01:21 WARNING : step complete does not exist
12:01:21 INFO : moving (1) to step welcome
12:01:23 INFO : moving (1) to step keyboard
12:01:50 INFO : moving (1) to step betanag
12:02:02 INFO : moving (1) to step storageinit
12:02:04 INFO : no /tmp/fcpconfig; not configuring zfcp
12:02:05 DEBUG : DeviceTree.addUdevDevice: name: live-rw ;
12:02:05 DEBUG : DeviceTree.addUdevDMDevice: name: live-rw ;
12:02:05 DEBUG : DeviceTree.addUdevDevice: name: loop4 ;
12:02:05 DEBUG : DeviceTree.handleUdevDeviceFormat: name: None ;
12:02:05 DEBUG : DeviceTree.addUdevDevice: name: live-osimg-min ;
12:02:05 DEBUG : DeviceTree.addUdevDMDevice: name: live-osimg-min ;
12:02:05 DEBUG : DeviceTree.addUdevDevice: name: loop1 ;
12:02:05 DEBUG : DeviceTree.handleUdevDeviceFormat: name: None ;
12:02:05 DEBUG : DeviceTree.addUdevDevice: name: sda1 ;
12:02:05 DEBUG : DeviceTree.addUdevPartitionDevice: name: sda1 ;
12:02:05 DEBUG : DeviceTree.addUdevDevice: name: sda ;
12:02:05 DEBUG : DeviceTree.addUdevDiskDevice: name: sda ;
12:02:05 DEBUG : DiskDevice._setFormat: sda ; current: None ;
type: None ; 12:02:06 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sda ; 12:02:06 DEBUG : DiskDevice.addChild: kids: 0 ; name: sda ; 12:02:06 DEBUG : PartitionDevice._setFormat: sda1 ; 12:02:06 DEBUG : PartitionDevice._setFormat: sda1 ; current: None ; type: None ; 12:02:06 DEBUG : PartitionDevice.probe: sda1 ; exists: True ; 12:02:06 DEBUG : PartitionDevice._computeResize: sda1 ; status: True ; 12:02:06 DEBUG : PartitionDevice.getFlag: path: /dev/sda1 ; flag: 1 ; part: parted.Partition instance -- disk: fileSystem: number: 1 path: /dev/sda1 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x2eedf50> ; 12:02:06 DEBUG : PartitionDevice.flagAvailable: path: /dev/sda1 ; flag: 1 ; part: parted.Partition instance -- disk: fileSystem: number: 1 path: /dev/sda1 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x2eedf50> ; 12:02:06 DEBUG : PartitionDevice.getFlag: path: /dev/sda1 ; flag: 10 ; part: parted.Partition instance -- disk: fileSystem: number: 1 path: /dev/sda1 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x2eedf50> ; 12:02:06 DEBUG : PartitionDevice.flagAvailable: path: /dev/sda1 ; flag: 10 ; part: parted.Partition instance -- disk: fileSystem: number: 1 path: /dev/sda1 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x2eedf50> ; 12:02:06 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sda1 ; 12:02:07 DEBUG : NTFS.supported: supported: False ; 12:02:07 DEBUG : PartitionDevice._setFormat: sda1 ; 12:02:07 DEBUG : PartitionDevice._setFormat: sda1 ; current: None ; type: ntfs ; 12:02:07 DEBUG : DeviceTree.addUdevDevice: name: sda2 ; 12:02:07 DEBUG : DeviceTree.addUdevPartitionDevice: name: sda2 ; 12:02:07 DEBUG : DiskDevice.addChild: kids: 1 ; name: sda ; 12:02:07 DEBUG : PartitionDevice._setFormat: sda2 ; 12:02:07 DEBUG : PartitionDevice._setFormat: sda2 ; current: None ; type: 
None ; 12:02:07 DEBUG : PartitionDevice.probe: sda2 ; exists: True ; 12:02:07 DEBUG : PartitionDevice._computeResize: sda2 ; status: True ; 12:02:07 DEBUG : PartitionDevice.getFlag: path: /dev/sda2 ; flag: 1 ; part: parted.Partition instance -- disk: fileSystem: number: 2 path: /dev/sda2 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x2eedfb0> ; 12:02:07 DEBUG : PartitionDevice.flagAvailable: path: /dev/sda2 ; flag: 1 ; part: parted.Partition instance -- disk: fileSystem: number: 2 path: /dev/sda2 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x2eedfb0> ; 12:02:07 DEBUG : PartitionDevice.getFlag: path: /dev/sda2 ; flag: 10 ; part: parted.Partition instance -- disk: fileSystem: number: 2 path: /dev/sda2 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x2eedfb0> ; 12:02:07 DEBUG : PartitionDevice.flagAvailable: path: /dev/sda2 ; flag: 10 ; part: parted.Partition instance -- disk: fileSystem: number: 2 path: /dev/sda2 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x2eedfb0> ; 12:02:07 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sda2 ; 12:02:12 DEBUG : NTFS.supported: supported: False ; 12:02:12 DEBUG : PartitionDevice._setFormat: sda2 ; 12:02:12 DEBUG : PartitionDevice._setFormat: sda2 ; current: None ; type: ntfs ; 12:02:12 DEBUG : DeviceTree.addUdevDevice: name: sdb ; 12:02:12 DEBUG : StorageDevice._setFormat: sdb ; current: None ; type: None ; 12:02:12 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sdb ; 12:02:12 DEBUG : MultipathMember.__init__: uuid: None ; exists: True ; multipath_members: [] ; label: None ; device: /dev/sdb ; serial: 920321111113 ; 12:02:12 DEBUG : StorageDevice._setFormat: sdb ; current: None ; type: multipath_member ; 12:02:12 DEBUG : DeviceTree.handleMultipathMemberFormat: type: multipath_member ; name: sdb ; 12:02:12 DEBUG : 
StorageDevice.addChild: kids: 0 ; name: sdb ;
12:02:12 DEBUG : MultipathDevice._setFormat: mpath0 ; current: None ; type: None ;
12:02:12 DEBUG : DeviceTree.addUdevDevice: name: sdc ;
12:02:12 DEBUG : StorageDevice._setFormat: sdc ; current: None ; type: None ;
12:02:12 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sdc ;
12:02:12 DEBUG : MultipathMember.__init__: uuid: None ; exists: True ; multipath_members: [, ] ; label: None ; device: /dev/sdc ; serial: 920321111113 ;
12:02:12 DEBUG : StorageDevice._setFormat: sdc ; current: None ; type: multipath_member ;
12:02:12 DEBUG : DeviceTree.handleMultipathMemberFormat: type: multipath_member ; name: sdc ;
12:02:12 DEBUG : DeviceTree.addUdevDevice: name: sdd ;
12:02:12 DEBUG : StorageDevice._setFormat: sdd ; current: None ; type: None ;
12:02:12 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sdd ;
12:02:12 DEBUG : MultipathMember.__init__: uuid: None ; exists: True ; multipath_members: [, , ] ; label: None ; device: /dev/sdd ; serial: 920321111113 ;
12:02:12 DEBUG : StorageDevice._setFormat: sdd ; current: None ; type: multipath_member ;
12:02:12 DEBUG : DeviceTree.handleMultipathMemberFormat: type: multipath_member ; name: sdd ;
12:02:12 DEBUG : DeviceTree.addUdevDevice: name: sde ;
12:02:12 DEBUG : StorageDevice._setFormat: sde ; current: None ; type: None ;
12:02:12 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sde ;
12:02:12 DEBUG : MultipathMember.__init__: uuid: None ; exists: True ; multipath_members: [, , , ] ; label: None ; device: /dev/sde ; serial: 920321111113 ;
12:02:12 DEBUG : StorageDevice._setFormat: sde ; current: None ; type: multipath_member ;
12:02:12 DEBUG : DeviceTree.handleMultipathMemberFormat: type: multipath_member ; name: sde ;
12:02:12 DEBUG : DeviceTree.addUdevDevice: name: sda ;
12:02:12 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sda ;
12:02:12 CRITICAL: anaconda 12.15-1.fc12 exception report
Traceback (most recent call first):
  File "/usr/lib64/python2.6/site-packages/block/device.py", line 454, in get_table
    table = apply(_dm.table, tableParts, {})
  File "/usr/lib64/python2.6/site-packages/block/device.py", line 337, in __init__
    table = self.get_table()
  File "/usr/lib/anaconda/storage/devices.py", line 2836, in setup
    self._pyBlockMultiPath = block.device.MultiPath(*parents)
  File "/usr/lib/anaconda/storage/devicetree.py", line 1855, in populate
    mp.setup()
  File "/usr/lib/anaconda/storage/__init__.py", line 293, in reset
    self.devicetree.populate()
  File "/usr/lib/anaconda/storage/__init__.py", line 74, in storageInitialize
    storage.reset()
  File "/usr/lib/anaconda/dispatch.py", line 204, in moveStep
    rc = stepFunc(self.anaconda)
  File "/usr/lib/anaconda/dispatch.py", line 127, in gotoNext
    self.moveStep()
  File "/usr/lib/anaconda/gui.py", line 1201, in nextClicked
    self.anaconda.dispatch.gotoNext()
ValueError: size must be positive
12:02:25 WARNING : /usr/lib/python2.6/site-packages/meh/ui/gui.py:160: GtkWarning: gtk_notebook_set_tab_label: assertion `GTK_IS_WIDGET (child)' failed
  exnxml = gtk.glade.XML(findGladeFile("exnSave.glade"), domain="python-meh")
12:09:23 INFO : using only installclass _Fedora
12:09:23 INFO : anaconda called with cmdline = ['/usr/sbin/anaconda', '--liveinst', '--method=livecd:///dev/mapper/live-osimg-min', '--lang', 'en_US.UTF-8']
12:09:23 INFO : Display mode = g
12:09:23 INFO : Starting graphical installation.
12:09:23 INFO : Detected 3536M of memory 12:09:23 INFO : Swap attempt of 1024M to 5584M 12:09:23 WARNING : step installtype does not exist 12:09:23 WARNING : step confirminstall does not exist 12:09:23 WARNING : step complete does not exist 12:09:23 INFO : moving (1) to step welcome 12:09:28 INFO : moving (1) to step keyboard 12:09:30 INFO : moving (1) to step betanag 12:09:31 INFO : moving (1) to step storageinit 12:09:33 INFO : no /tmp/fcpconfig; not configuring zfcp 12:09:33 DEBUG : DeviceTree.addUdevDevice: name: live-rw ; 12:09:33 DEBUG : DeviceTree.addUdevDMDevice: name: live-rw ; 12:09:33 DEBUG : DeviceTree.addUdevDevice: name: loop4 ; 12:09:33 DEBUG : DeviceTree.handleUdevDeviceFormat: name: None ; 12:09:33 DEBUG : DeviceTree.addUdevDevice: name: live-osimg-min ; 12:09:33 DEBUG : DeviceTree.addUdevDMDevice: name: live-osimg-min ; 12:09:33 DEBUG : DeviceTree.addUdevDevice: name: loop1 ; 12:09:33 DEBUG : DeviceTree.handleUdevDeviceFormat: name: None ; 12:09:33 DEBUG : DeviceTree.addUdevDevice: name: sda1 ; 12:09:33 DEBUG : DeviceTree.addUdevPartitionDevice: name: sda1 ; 12:09:33 DEBUG : DeviceTree.addUdevDevice: name: sda ; 12:09:33 DEBUG : DeviceTree.addUdevDiskDevice: name: sda ; 12:09:33 DEBUG : DiskDevice._setFormat: sda ; current: None ; type: None ; 12:09:34 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sda ; 12:09:34 DEBUG : DiskDevice.addChild: kids: 0 ; name: sda ; 12:09:34 DEBUG : PartitionDevice._setFormat: sda1 ; 12:09:34 DEBUG : PartitionDevice._setFormat: sda1 ; current: None ; type: None ; 12:09:34 DEBUG : PartitionDevice.probe: sda1 ; exists: True ; 12:09:34 DEBUG : PartitionDevice._computeResize: sda1 ; status: True ; 12:09:34 DEBUG : PartitionDevice.getFlag: path: /dev/sda1 ; flag: 1 ; part: parted.Partition instance -- disk: fileSystem: number: 1 path: /dev/sda1 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x3900f50> ; 12:09:34 DEBUG : PartitionDevice.flagAvailable: path: /dev/sda1 ; flag: 
1 ; part: parted.Partition instance -- disk: fileSystem: number: 1 path: /dev/sda1 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x3900f50> ; 12:09:34 DEBUG : PartitionDevice.getFlag: path: /dev/sda1 ; flag: 10 ; part: parted.Partition instance -- disk: fileSystem: number: 1 path: /dev/sda1 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x3900f50> ; 12:09:34 DEBUG : PartitionDevice.flagAvailable: path: /dev/sda1 ; flag: 10 ; part: parted.Partition instance -- disk: fileSystem: number: 1 path: /dev/sda1 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x3900f50> ; 12:09:34 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sda1 ; 12:09:35 DEBUG : NTFS.supported: supported: False ; 12:09:35 DEBUG : PartitionDevice._setFormat: sda1 ; 12:09:35 DEBUG : PartitionDevice._setFormat: sda1 ; current: None ; type: ntfs ; 12:09:35 DEBUG : DeviceTree.addUdevDevice: name: sda2 ; 12:09:35 DEBUG : DeviceTree.addUdevPartitionDevice: name: sda2 ; 12:09:35 DEBUG : DiskDevice.addChild: kids: 1 ; name: sda ; 12:09:35 DEBUG : PartitionDevice._setFormat: sda2 ; 12:09:35 DEBUG : PartitionDevice._setFormat: sda2 ; current: None ; type: None ; 12:09:35 DEBUG : PartitionDevice.probe: sda2 ; exists: True ; 12:09:35 DEBUG : PartitionDevice._computeResize: sda2 ; status: True ; 12:09:35 DEBUG : PartitionDevice.getFlag: path: /dev/sda2 ; flag: 1 ; part: parted.Partition instance -- disk: fileSystem: number: 2 path: /dev/sda2 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x3900fb0> ; 12:09:35 DEBUG : PartitionDevice.flagAvailable: path: /dev/sda2 ; flag: 1 ; part: parted.Partition instance -- disk: fileSystem: number: 2 path: /dev/sda2 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x3900fb0> ; 12:09:35 DEBUG : PartitionDevice.getFlag: path: /dev/sda2 ; flag: 10 ; 
part: parted.Partition instance -- disk: fileSystem: number: 2 path: /dev/sda2 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x3900fb0> ; 12:09:35 DEBUG : PartitionDevice.flagAvailable: path: /dev/sda2 ; flag: 10 ; part: parted.Partition instance -- disk: fileSystem: number: 2 path: /dev/sda2 type: 0 name: None active: True busy: False geometry: PedPartition: <_ped.Partition object at 0x3900fb0> ; 12:09:35 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sda2 ; 12:09:39 DEBUG : NTFS.supported: supported: False ; 12:09:39 DEBUG : PartitionDevice._setFormat: sda2 ; 12:09:39 DEBUG : PartitionDevice._setFormat: sda2 ; current: None ; type: ntfs ; 12:09:39 DEBUG : DeviceTree.addUdevDevice: name: sdb ; 12:09:39 DEBUG : StorageDevice._setFormat: sdb ; current: None ; type: None ; 12:09:39 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sdb ; 12:09:39 DEBUG : MultipathMember.__init__: uuid: None ; exists: True ; multipath_members: [] ; label: None ; device: /dev/sdb ; serial: 920321111113 ; 12:09:39 DEBUG : StorageDevice._setFormat: sdb ; current: None ; type: multipath_member ; 12:09:39 DEBUG : DeviceTree.handleMultipathMemberFormat: type: multipath_member ; name: sdb ; 12:09:39 DEBUG : StorageDevice.addChild: kids: 0 ; name: sdb ; 12:09:39 DEBUG : MultipathDevice._setFormat: mpath0 ; current: None ; type: None ; 12:09:39 DEBUG : DeviceTree.addUdevDevice: name: sdc ; 12:09:39 DEBUG : StorageDevice._setFormat: sdc ; current: None ; type: None ; 12:09:39 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sdc ; 12:09:39 DEBUG : MultipathMember.__init__: uuid: None ; exists: True ; multipath_members: [, ] ; label: None ; device: /dev/sdc ; serial: 920321111113 ; 12:09:39 DEBUG : StorageDevice._setFormat: sdc ; current: None ; type: multipath_member ; 12:09:39 DEBUG : DeviceTree.handleMultipathMemberFormat: type: multipath_member ; name: sdc ; 12:09:39 DEBUG : DeviceTree.addUdevDevice: name: sdd ; 12:09:39 DEBUG : 
StorageDevice._setFormat: sdd ; current: None ; type: None ;
12:09:39 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sdd ;
12:09:39 DEBUG : MultipathMember.__init__: uuid: None ; exists: True ; multipath_members: [, , ] ; label: None ; device: /dev/sdd ; serial: 920321111113 ;
12:09:39 DEBUG : StorageDevice._setFormat: sdd ; current: None ; type: multipath_member ;
12:09:39 DEBUG : DeviceTree.handleMultipathMemberFormat: type: multipath_member ; name: sdd ;
12:09:39 DEBUG : DeviceTree.addUdevDevice: name: sde ;
12:09:39 DEBUG : StorageDevice._setFormat: sde ; current: None ; type: None ;
12:09:39 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sde ;
12:09:39 DEBUG : MultipathMember.__init__: uuid: None ; exists: True ; multipath_members: [, , , ] ; label: None ; device: /dev/sde ; serial: 920321111113 ;
12:09:39 DEBUG : StorageDevice._setFormat: sde ; current: None ; type: multipath_member ;
12:09:39 DEBUG : DeviceTree.handleMultipathMemberFormat: type: multipath_member ; name: sde ;
12:09:39 DEBUG : DeviceTree.addUdevDevice: name: sda ;
12:09:39 DEBUG : DeviceTree.handleUdevDeviceFormat: name: sda ;
/tmp/program.log:
Running... ['udevadm', 'trigger', '--subsystem-match=net']
Running... ['udevadm', 'settle']
Running... ['udevadm', 'trigger', '--subsystem-match=net']
Running... ['udevadm', 'settle']
Running... ['udevadm', 'trigger', '--subsystem-match=block']
Running... ['modprobe', 'fcoe']
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
Running... ['udevadm', 'settle', '--timeout=30']
Running... ['udevadm', 'settle', '--timeout=30']
Running...
['ntfsinfo', '-m', '/dev/sda1'] Volume Information Name of device: /dev/sda1 Device state: 11 Volume Name: PQSERVICE Volume State: 1 Volume Version: 3.1 Sector Size: 512 Cluster Size: 4096 Volume Size in Clusters: 2621439 MFT Information MFT Record Size: 1024 MFT Zone Multiplier: 1 MFT Data Position: 24 MFT Zone Start: 786432 MFT Zone End: 1114111 MFT Zone Position: 786432 Current Position in First Data Zone: 1114111 Current Position in Second Data Zone: 0 LCN of Data Attribute for FILE_MFT: 786432 FILE_MFTMirr Size: 4 LCN of Data Attribute for File_MFTMirr: 16 Size of Attribute Definition Table: 2560 FILE_Bitmap Information FILE_Bitmap MFT Record Number: 6 State of FILE_Bitmap Inode: 0 Length of Attribute List: 0 Attribute List: (null) Number of Attached Extent Inodes: 0 FILE_Bitmap Data Attribute Information Decompressed Runlist: not done yet Base Inode: 6 Attribute Types: not done yet Attribute Name Length: 0 Attribute State: 3 Attribute Allocated Size: 327680 Attribute Data Size: 327680 Attribute Initialized Size: 327680 Attribute Compressed Size: 0 Compression Block Size: 0 Compression Block Size Bits: 0 Compression Block Clusters: 0 Running... ['ntfsresize', '-m', '/dev/sda1'] ntfsresize v2.0.0 (libntfs 10:0:0) Minsize (in MB): 7229 Running... 
['ntfsinfo', '-m', '/dev/sda2'] Volume Information Name of device: /dev/sda2 Device state: 11 Volume Name: OS Volume State: 1 Volume Version: 3.1 Sector Size: 512 Cluster Size: 4096 Volume Size in Clusters: 31283411 MFT Information MFT Record Size: 1024 MFT Zone Multiplier: 1 MFT Data Position: 24 MFT Zone Start: 786432 MFT Zone End: 4696858 MFT Zone Position: 786432 Current Position in First Data Zone: 4696858 Current Position in Second Data Zone: 0 LCN of Data Attribute for FILE_MFT: 786432 FILE_MFTMirr Size: 4 LCN of Data Attribute for File_MFTMirr: 16 Size of Attribute Definition Table: 2560 FILE_Bitmap Information FILE_Bitmap MFT Record Number: 6 State of FILE_Bitmap Inode: 0 Length of Attribute List: 0 Attribute List: (null) Number of Attached Extent Inodes: 0 FILE_Bitmap Data Attribute Information Decompressed Runlist: not done yet Base Inode: 6 Attribute Types: not done yet Attribute Name Length: 0 Attribute State: 3 Attribute Allocated Size: 4558848 Attribute Data Size: 3910432 Attribute Initialized Size: 3910432 Attribute Compressed Size: 0 Compression Block Size: 0 Compression Block Size Bits: 0 Compression Block Clusters: 0 Running... ['ntfsresize', '-m', '/dev/sda2'] ntfsresize v2.0.0 (libntfs 10:0:0) Minsize (in MB): 39258 Running... ['udevadm', 'settle', '--timeout=30'] Running... ['udevadm', 'trigger', '--subsystem-match=net'] Running... ['udevadm', 'settle'] Running... ['udevadm', 'trigger', '--subsystem-match=net'] Running... ['udevadm', 'settle'] Running... ['udevadm', 'trigger', '--subsystem-match=block'] Running... ['modprobe', 'fcoe'] WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/. Running... ['udevadm', 'settle', '--timeout=30'] Running... ['udevadm', 'settle', '--timeout=30'] Running... 
MultipathMember instance [2009-08-23 12:09:39,924] DEBUG: getFormat('None') returning DeviceFormat instance [2009-08-23 12:09:39,927] DEBUG: looking up parted Device: /dev/mapper/mpath0 [2009-08-23 12:09:39,930] DEBUG: scanning sdc (/devices/pci0000:00/0000:00:02.1/usb1/1-9/1-9:1.0/host6/target6:0:0/6:0:0:1/block/sdc)... [2009-08-23 12:09:39,930] DEBUG: looking for device 'sdc'... [2009-08-23 12:09:39,930] DEBUG: found None [2009-08-23 12:09:39,931] DEBUG: getFormat('None') returning DeviceFormat instance [2009-08-23 12:09:39,933] DEBUG: added sdc (storage device) to device tree [2009-08-23 12:09:39,936] DEBUG: {'ID_VENDOR_ID': '058f', 'DEVNAME': 'sdc', 'ID_USB_INTERFACE_NUM': '00', 'ID_REVISION': '1.01', 'ID_VENDOR_ENC': 'Generic\\x20', 'ID_PATH': 'pci-0000:00:02.1-usb-0:9:1.0-scsi-0:0:0:1', 'ID_VENDOR': 'Generic', 'ID_SERIAL': 'Generic_USB_CF_Reader_920321111113-0:1', 'DEVTYPE': 'disk', 'MINOR': '32', 'ID_FS_TYPE': 'multipath_member', 'ID_MODEL_ID': '6377', 'ID_MODEL': 'USB_CF_Reader', 'MAJOR': '8', 'ID_USB_INTERFACES': ':080650:', 'ID_INSTANCE': '0:1', 'sysfs_path': '/devices/pci0000:00/0000:00:02.1/usb1/1-9/1-9:1.0/host6/target6:0:0/6:0:0:1/block/sdc', 'ID_TYPE': 'disk', 'ID_BUS': 'usb', 'symlinks': ['block/8:32', 'disk/by-id/usb-Generic_USB_CF_Reader_920321111113-0:1', 'disk/by-path/pci-0000:00:02.1-usb-0:9:1.0-scsi-0:0:0:1'], 'ID_SERIAL_SHORT': '920321111113', 'name': 'sdc', 'ANACBIN': '/sbin', 'ID_MODEL_ENC': 'USB\\x20CF\\x20Reader\\x20\\x20\\x20', 'DKD_MEDIA_AVAILABLE': '0', 'ID_USB_DRIVER': 'usb-storage'} [2009-08-23 12:09:39,937] DEBUG: type detected on 'sdc' is 'multipath_member' [2009-08-23 12:09:39,939] DEBUG: getFormat('multipath_member') returning MultipathMember instance [2009-08-23 12:09:39,946] DEBUG: scanning sdd (/devices/pci0000:00/0000:00:02.1/usb1/1-9/1-9:1.0/host6/target6:0:0/6:0:0:2/block/sdd)... [2009-08-23 12:09:39,946] DEBUG: looking for device 'sdd'... 
[2009-08-23 12:09:39,947] DEBUG: found None [2009-08-23 12:09:39,947] DEBUG: getFormat('None') returning DeviceFormat instance [2009-08-23 12:09:39,950] DEBUG: added sdd (storage device) to device tree [2009-08-23 12:09:39,952] DEBUG: {'ID_VENDOR_ID': '058f', 'DEVNAME': 'sdd', 'ID_USB_INTERFACE_NUM': '00', 'ID_REVISION': '1.02', 'ID_VENDOR_ENC': 'Generic\\x20', 'ID_PATH': 'pci-0000:00:02.1-usb-0:9:1.0-scsi-0:0:0:2', 'ID_VENDOR': 'Generic', 'ID_SERIAL': 'Generic_USB_SM_Reader_920321111113-0:2', 'DEVTYPE': 'disk', 'MINOR': '48', 'ID_FS_TYPE': 'multipath_member', 'ID_MODEL_ID': '6377', 'ID_MODEL': 'USB_SM_Reader', 'MAJOR': '8', 'ID_USB_INTERFACES': ':080650:', 'ID_INSTANCE': '0:2', 'sysfs_path': '/devices/pci0000:00/0000:00:02.1/usb1/1-9/1-9:1.0/host6/target6:0:0/6:0:0:2/block/sdd', 'ID_TYPE': 'disk', 'ID_BUS': 'usb', 'symlinks': ['block/8:48', 'disk/by-id/usb-Generic_USB_SM_Reader_920321111113-0:2', 'disk/by-path/pci-0000:00:02.1-usb-0:9:1.0-scsi-0:0:0:2'], 'ID_SERIAL_SHORT': '920321111113', 'name': 'sdd', 'ANACBIN': '/sbin', 'ID_MODEL_ENC': 'USB\\x20SM\\x20Reader\\x20\\x20\\x20', 'DKD_MEDIA_AVAILABLE': '0', 'ID_USB_DRIVER': 'usb-storage'} [2009-08-23 12:09:39,953] DEBUG: type detected on 'sdd' is 'multipath_member' [2009-08-23 12:09:39,956] DEBUG: getFormat('multipath_member') returning MultipathMember instance [2009-08-23 12:09:39,962] DEBUG: scanning sde (/devices/pci0000:00/0000:00:02.1/usb1/1-9/1-9:1.0/host6/target6:0:0/6:0:0:3/block/sde)... [2009-08-23 12:09:39,963] DEBUG: looking for device 'sde'... 
[2009-08-23 12:09:39,963] DEBUG: found None [2009-08-23 12:09:39,963] DEBUG: getFormat('None') returning DeviceFormat instance [2009-08-23 12:09:39,966] DEBUG: added sde (storage device) to device tree [2009-08-23 12:09:39,968] DEBUG: {'ID_VENDOR_ID': '058f', 'DEVNAME': 'sde', 'ID_USB_INTERFACE_NUM': '00', 'ID_REVISION': '1.03', 'ID_VENDOR_ENC': 'Generic\\x20', 'ID_PATH': 'pci-0000:00:02.1-usb-0:9:1.0-scsi-0:0:0:3', 'ID_VENDOR': 'Generic', 'ID_SERIAL': 'Generic_USB_MS_Reader_920321111113-0:3', 'DEVTYPE': 'disk', 'MINOR': '64', 'ID_FS_TYPE': 'multipath_member', 'ID_MODEL_ID': '6377', 'ID_MODEL': 'USB_MS_Reader', 'MAJOR': '8', 'ID_USB_INTERFACES': ':080650:', 'ID_INSTANCE': '0:3', 'sysfs_path': '/devices/pci0000:00/0000:00:02.1/usb1/1-9/1-9:1.0/host6/target6:0:0/6:0:0:3/block/sde', 'ID_TYPE': 'disk', 'ID_BUS': 'usb', 'symlinks': ['block/8:64', 'disk/by-id/usb-Generic_USB_MS_Reader_920321111113-0:3', 'disk/by-path/pci-0000:00:02.1-usb-0:9:1.0-scsi-0:0:0:3'], 'ID_SERIAL_SHORT': '920321111113', 'name': 'sde', 'ANACBIN': '/sbin', 'ID_MODEL_ENC': 'USB\\x20MS\\x20Reader\\x20\\x20\\x20', 'DKD_MEDIA_AVAILABLE': '0', 'ID_USB_DRIVER': 'usb-storage'} [2009-08-23 12:09:39,969] DEBUG: type detected on 'sde' is 'multipath_member' [2009-08-23 12:09:39,972] DEBUG: getFormat('multipath_member') returning MultipathMember instance [2009-08-23 12:09:39,979] DEBUG: scanning sda (/devices/pci0000:00/0000:00:08.0/host2/target2:0:0/2:0:0:0/block/sda)... [2009-08-23 12:09:39,979] DEBUG: looking for device 'sda'... 
[2009-08-23 12:09:39,980] DEBUG: found DiskDevice instance (0x38cf4d0) -- name = sda status = True parents = [] kids = 2 id = 0 uuid = None format = size = 152625.344238 major = 8 minor = 0 exists = True sysfs path = /devices/pci0000:00/0000:00:08.0/host2/target2:0:0/2:0:0:0/block/sda label = None target size = 0 path = /dev/sda format args = [] removable = False partedDevice = partedDisk = [2009-08-23 12:09:39,983] DEBUG: {'symlinks': ['block/8:0', 'disk/by-id/ata-ST3160815AS_6RX88PY8', 'disk/by-id/scsi-SATA_ST3160815AS_6RX88PY8', 'disk/by-path/pci-0000:00:08.0-scsi-0:0:0:0'], 'DKD_PARTITION_TABLE': '1', 'ID_SERIAL_SHORT': '6RX88PY8', 'DEVNAME': 'sda', 'DEVTYPE': 'disk', 'name': 'sda', 'ID_SERIAL': 'ST3160815AS_6RX88PY8', 'ID_MODEL': 'ST3160815AS', 'ANACBIN': '/sbin', 'MAJOR': '8', 'ID_REVISION': '4.AAA', 'MINOR': '0', 'ID_PATH': 'pci-0000:00:08.0-scsi-0:0:0:0', 'sysfs_path': '/devices/pci0000:00/0000:00:08.0/host2/target2:0:0/2:0:0:0/block/sda', 'ID_TYPE': 'disk', 'DKD_PARTITION_TABLE_SCHEME': 'mbr', 'ID_MODEL_ENC': 'ST3160815AS\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20', 'DKD_MEDIA_AVAILABLE': '1', 'ID_BUS': 'ata', 'ID_SCSI_COMPAT': 'SATA_ST3160815AS_6RX88PY8'} [2009-08-23 12:09:39,984] DEBUG: no type or existing type for sda, bailing [2009-08-23 12:09:40,017] INFO: sr0 looks to be the live device; ignoring [2009-08-23 12:09:40,025] INFO: adding mpath device mpath0 /proc/cmdline: initrd=initrd0.img root=CDLABEL=xfce-x86_64-20090818.15 rootfstype=auto ro liveimg BOOT_IMAGE=vmlinuz0 https://bugzilla.redhat.com/show_bug.cgi?id=517026 This one was CLOSED but it is still here: https://bugzilla.redhat.com/show_bug.cgi?id=517025 I will try different parameters to install and will see if I get this again? 
Regards,
Antonio

From jmorris at namei.org Mon Aug 24 01:51:26 2009
From: jmorris at namei.org (James Morris)
Date: Mon, 24 Aug 2009 11:51:26 +1000 (EST)
Subject: Label eth0 with a MCS security category?

On Fri, 21 Aug 2009, Jason Shaw wrote:

> In FC-11, under the targeted policy, is it possible to label an ethernet
> interface (such as eth0, eth1) with a specific MCS category?
>
> Example:
> 1) Use semanage to assign user1 to s0:c5
> 3) Assign eth0 to s0:c4 (Can this be done?)
> 4) Assign eth1 to s0:c5
>
> Desired result: if user1 tries to ping -I eth1 the ping command
> will work (as both eth1 and user1 have category c5). If user1 tries to ping
> -I eth0 , the ping command will not work (category mismatch
> between user and eth1).

It should be possible to do this via iptables and SECMARK.

i.e. match all packets on ethN and label with the MCS category then use
the SELinux packet flow policy rules.

I haven't looked at this stuff for a while, so cc'ing Paul Moore, who
maintains the code.

--
James Morris

From rcritten at redhat.com Mon Aug 24 18:23:08 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 24 Aug 2009 14:23:08 -0400
Subject: sharing between dogtag and Apache
Message-ID: <4A92DA8C.8080102@redhat.com>

I'm running dogtag, a certificate server, which can publish CRLs. Right
now I'm writing them within the dogtag context which writes the files as
pki_ca_var_lib_t.

I want to make these available from within Apache so I did:

Alias /ipa/crl /var/lib/pki-ca/publish

Trouble is Apache can't read the files. The simplest route is to simply
grant httpd read/search/getattr access to the directory and files. I've
got that working now.

This grants Apache the rights to read anything in there though, not
really the best solution.

Can I create a new label, say pki_ca_publish_t, and use that to share
between the two? How might I go about doing that?
thanks

rob

From domg472 at gmail.com Mon Aug 24 19:19:17 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 24 Aug 2009 21:19:17 +0200
Subject: sharing between dogtag and Apache
In-Reply-To: <4A92DA8C.8080102@redhat.com>
References: <4A92DA8C.8080102@redhat.com>
Message-ID: <20090824191916.GA22376@notebook3.grift.internal>

On Mon, Aug 24, 2009 at 02:23:08PM -0400, Rob Crittenden wrote:
> I'm running dogtag, a certificate server, which can publish CRLs. Right
> now I'm writing them within the dogtag context which writes the files as
> pki_ca_var_lib_t.
>
> I want to make these available from within Apache so I did:
>
> Alias /ipa/crl /var/lib/pki-ca/publish
>
> Trouble is Apache can't read the files. The simplest route is to simply
> grant httpd read/search/getattr access to the directory and files. I've
> got that working now.
>
> This grants Apache the rights to read anything in there though, not
> really the best solution.
>
> Can I create a new label, say pki_ca_publish_t, and use that to share
> between the two? How might I go about doing that?

I am not very experienced with this specific matter but in theory the following may work:

So let's assume dogtag creates stuff in /var/lib/pki-ca/ with type pki_ca_var_lib_t.

If you can direct dogtag to create the specific files that you want apache to have access to in, for example, /var/lib/pki-ca/mystuff, then you could, in theory, create a new filetrans pattern.

You'd specify a context for /var/lib/pki-ca/mystuff:

/var/lib/pki-ca/mystuff(/.*)?
gen_context(system_u:object_r:pki_ca_mystuff_var_lib_t, s0)

restorecon -R -v /var/lib/pki-ca/ (assuming the mystuff dir is already there)
(also see if this actually works, it might conflict with the pki-ca dir specification)

You'd also need a custom filetrans rule:

require {
    type domain_that_needs_to_create_the_stuff_t, pki_ca_var_lib_t;
}

type pki_ca_mystuff_var_lib_t;
files_type(pki_ca_mystuff_var_lib_t)

manage_files_pattern(domain_that_needs_to_create_the_stuff_t, pki_ca_mystuff_var_lib_t, pki_ca_mystuff_var_lib_t)
filetrans_pattern(domain_that_needs_to_create_the_stuff_t, pki_ca_var_lib_t, pki_ca_mystuff_var_lib_t, file)

In theory dogtag (or domain_that_needs_to_create_the_stuff_t) will create files in /var/lib/pki-ca/mystuff with type pki_ca_mystuff_var_lib_t.

This would mean that you do not have to give apache read access to pki_ca_var_lib_t files but instead pki_ca_mystuff_var_lib_t.

Whether this theory actually works in practice depends on whether you can direct dogtag (or whatever creates these things) to create the ones shared with apache in another location, and that you can specify a different context for this location. So in practice this may not be so easy to accomplish.

hth

> thanks
>
> rob
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From js44352 at gmail.com Tue Aug 25 15:17:10 2009
From: js44352 at gmail.com (Jason Shaw)
Date: Tue, 25 Aug 2009 09:17:10 -0600
Subject: Label eth0 with a MCS security category?
In-Reply-To: <200908241758.51960.paul.moore@hp.com>
References: <200908241758.51960.paul.moore@hp.com>

In the example below with the foo_user_t, my understanding is that after the new type is created, it should be assigned to a role, and then the role assigned to a user.
The problem I am seeing is that after I assign the new role to the user, id -Z still shows the default unconfined_r role assigned.

Details:

// labeled the network interfaces
semanage interface -a -t netif_t -r s0:c4 eth0
semanage interface -a -t netif_t -r s0:c5 eth1

// created a new type
module netIfControl 1.0;

require {
    # allow icmp as part of tcp
    class netif { tcp_send tcp_recv };
    type netif_t;
};

# define a new type
type user_1_t;

# define a new role and assign the type to it
# later assign the new role to the user using semanage
role accessNetworkInterface_r types user_1_t;

# define what the type is permitted to do
allow user_1_t netif_t:netif { tcp_send tcp_recv };

// compile, package and load module
checkmodule -M -m -o netIfControl.mod netIfControl.te
semodule_package -o netIfControl.pp -m netIfControl.mod
semodule -i netIfControl.pp
// no errors reported

// Create a new SELinux user and assign to the networkInterface_r role
semanage user -a -L s0 -r S0:c5 -R networkInterface_r -P user networkInterface_u

// Map the new SELinux user to a Linux user
semanage login -m -s networkInterface_u -r s0:c5 user_1

// Login via ssh as user_1
id -Z
user:u system_r:unconfined_t:s0

On Mon, Aug 24, 2009 at 3:58 PM, Paul Moore wrote:

> On Sunday 23 August 2009 09:51:26 pm James Morris wrote:
> > On Fri, 21 Aug 2009, Jason Shaw wrote:
> > > In FC-11, under the targeted policy, is it possible to label an ethernet
> > > interface (such as eth0, eth1) with a specific MCS category?
> > >
> > > Example:
> > > 1) Use semanage to assign user1 to s0:c5
> > > 3) Assign eth0 to s0:c4 (Can this be done?)
> > > 4) Assign eth1 to s0:c5
> > >
> > > Desired result: if user1 tries to ping -I eth1 the ping
> > > command will work (as both eth1 and user1 have category c5). If user1
> > > tries to ping -I eth0 , the ping command will not work
> > > (category mismatch between user and eth1).
> >
> > It should be possible to do this via iptables and SECMARK.
> >
> > i.e.
> > match all packets on ethN and label with the MCS category then use
> > the SELinux packet flow policy rules.
> >
> > I haven't looked at this stuff for a while, so cc'ing Paul Moore, who
> > maintains the code.
>
> [NOTE: I'm not currently subscribed to fedora-selinux-list, feel free to fwd]
>
> Hi Jason,
>
> Using your example as a guide, there are actually two ways to accomplish what
> you want to do. The first approach James already mentioned: Secmark. The
> second approach uses the network ingress/egress controls. The best choice for
> your particular case is going to likely depend on whatever other SELinux
> network access controls you have in place and which administration mechanism
> you prefer ... however, here is a quick overview of what is involved for both.
>
> * Secmark
>   - Establish iptables rules marking the outbound packets
>     # iptables -t mangle -A OUTPUT -o eth0 -j SECMARK \
>         --selctx system_u:object_r:foo_packet_t:s0:c4
>     # iptables -t mangle -A OUTPUT -o eth1 -j SECMARK \
>         --selctx system_u:object_r:foo_packet_t:s0:c5
>   - Ensure you have the right SELinux policy in place
>     allow foo_user_t foo_packet_t:packet { send };
>
> * Ingress/Egress Controls
>   - Label the interfaces
>     # semanage interface -a -t netif_t -r s0:c4 eth0
>     # semanage interface -a -t netif_t -r s0:c5 eth1
>   - Ensure you have the right SELinux policy in place
>     allow foo_user_t netif_t:netif { egress };
>
> The examples above are pretty simple but they should get you going in the
> right direction - if you have any questions don't hesitate to ask.
>
> --
> paul moore
> linux @ hp
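The allow/deny outcome Jason is after in the thread above comes from MCS level dominance, not from the type rules alone: a constraint compares the user's clearance with the label on the interface (or on the SECMARK'd packet), and s0:c5 dominates s0:c5 but not s0:c4. The following is an added example written for this digest, not code from the thread, from vsftpd or from the SELinux userspace tools: it parses the level and range strings that `semanage` and `id -Z` print, expands category ranges, and evaluates the `dom` relation for the eth0/eth1 scenario. Whether netif egress or packet send actually carries such a constraint in a given policy build is an assumption flagged in the code and must be checked against that policy's mlsconstrain rules.

```python
"""MCS/MLS level and dominance arithmetic for the interface-labeling question.

Added example, not code from the thread or from SELinux userspace: parses
level and range strings as they appear in `semanage` / `id -Z` output
(s0, s0:c5, s0:c0.c1023, s0-s0:c0.c1023), expands category ranges, and
evaluates the dominance relation mlsconstrain rules are written in:
l1 dom l2 holds when l1's sensitivity is >= l2's and l1's category set is
a superset of l2's.
"""
import re
from dataclasses import dataclass

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset

    def dominates(self, other: "Level") -> bool:
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_categories(spec: str) -> frozenset:
    """'c0.c1023,c5' -> frozenset({0, ..., 1023}); 'cA.cB' is inclusive."""
    cats = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition(".")
        if not lo.startswith("c") or (hi and not hi.startswith("c")):
            raise ValueError(f"bad category spec {part!r}")
        start = int(lo[1:])
        end = int(hi[1:]) if hi else start
        if end < start:
            raise ValueError(f"descending category range {part!r}")
        cats.update(range(start, end + 1))
    return frozenset(cats)


def parse_level(text: str) -> Level:
    m = _LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an MLS/MCS level: {text!r}")
    return Level(int(m.group(1)), parse_categories(m.group(2) or ""))


def parse_range(text: str) -> tuple:
    """'s0-s0:c0.c1023' -> (low, high); a bare level is its own clearance."""
    low, dash, high = text.strip().partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if dash else lo
    if not hi.dominates(lo):
        raise ValueError(f"high level does not dominate low level in {text!r}")
    return lo, hi


def egress_allowed(subject_range: str, netif_level: str) -> bool:
    """h1 dom h2, with the subject's clearance as h1 and the interface label as h2.

    This is the shape of the constraints the MCS policy attaches to the
    classes it controls. ASSUMPTION: that netif egress (or packet send, for
    the SECMARK route) carries such a constraint in the policy you run; check
    the loaded policy's mlsconstrain rules before relying on it.
    """
    _, clearance = parse_range(subject_range)
    return clearance.dominates(parse_level(netif_level))


def evaluate_scenario(user_range: str, interfaces: dict) -> dict:
    """Map each interface name to the allow/deny outcome for one user range."""
    return {name: egress_allowed(user_range, level)
            for name, level in interfaces.items()}


if __name__ == "__main__":
    # Jason's example: user1 at s0:c5, eth0 labeled s0:c4, eth1 labeled s0:c5.
    outcome = evaluate_scenario("s0:c5", {"eth0": "s0:c4", "eth1": "s0:c5"})
    for iface, ok in outcome.items():
        print(f"{iface}: {'allowed' if ok else 'denied'}")
    # A range like unconfined_u's dominates every category, so category
    # labels on interfaces do not restrict such users at all.
    print("s0-s0:c0.c1023 vs eth0:", egress_allowed("s0-s0:c0.c1023", "s0:c4"))
```

Note the last line of the demo: Jason's user ended up as unconfined_t with the default range, and the check passes for every interface from that range, so the role/user mapping problem he reports has to be fixed before any interface labeling can take effect.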
From dwalsh at redhat.com Tue Aug 25 21:13:03 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 25 Aug 2009 17:13:03 -0400
Subject: sharing between dogtag and Apache
In-Reply-To: <4A92DA8C.8080102@redhat.com>
References: <4A92DA8C.8080102@redhat.com>
Message-ID: <4A9453DF.6020401@redhat.com>

On 08/24/2009 02:23 PM, Rob Crittenden wrote:
> I'm running dogtag, a certificate server, which can publish CRLs. Right
> now I'm writing them within the dogtag context which writes the files as
> pki_ca_var_lib_t.
>
> I want to make these available from within Apache so I did:
>
> Alias /ipa/crl /var/lib/pki-ca/publish
>
> Trouble is Apache can't read the files. The simplest route is to simply
> grant httpd read/search/getattr access to the directory and files. I've
> got that working now.
>
> This grants Apache the rights to read anything in there though, not
> really the best solution.
>
> Can I create a new label, say pki_ca_publish_t, and use that to share
> between the two? How might I go about doing that?
>
> thanks
>
> rob

Why not label them cert_t and allow dogtag to write cert_t.

From anmajumd at cisco.com Tue Aug 25 22:43:06 2009
From: anmajumd at cisco.com (Anamitra Dutta Majumdar (anmajumd))
Date: Tue, 25 Aug 2009 15:43:06 -0700
Subject: Adding AV assertion to selinux policy in RHEL5
Message-ID: <4EF101F7236DB443A8FABF8164BFBD0C084801CF@xmb-sjc-223.amer.cisco.com>

We are looking for a well documented procedure to add AV assertion to selinux policy on RHEL5.

So far all SELinux URL links refer to the fact that the AV assertion needs to be added to assert.te file under $SELINUX_SRC folder.
This appears to be true only for RHEL4 not RHEL5 since there is no src folder under /etc/selinux/targeted that contains the source policies in RHEL5.

We have installed and built the selinux-policy-2.4.6-248.el5.src.rpm on our RHEL5.4 box and we did not find any assert.te file.

Can someone help us with the exact method as to what needs to be done to add an AV assertion rule to our policy.

Thanks
Anamitra & Radha

From qinglong at Bolizm.ihep.su Thu Aug 27 09:39:59 2009
From: qinglong at Bolizm.ihep.su (QingLong)
Date: Thu, 27 Aug 2009 13:39:59 +0400
Subject: atieventsd (xorg-x11-drv-catalyst.rpm) on F11
Message-ID: <20090827093958.GH21075@Bolizm.ihep.su>

Hello!

I am trying to utilize proprietary video drivers from (the damned) AMD
to get accelerated OpenGL on the ATI Mobility Radeon X300 on Fedora 11.
So I have installed the packages (along with the required dependencies):
    akmod-catalyst
    xorg-x11-drv-catalyst
Installation has finished quite smoothly, but after reboot I get no X.
I guess, one of the reasons is the atieventsd is not starting due to selinux:
|
| type=AVC msg=audit(1251364326.851:16119): avc: denied { execmod } for pid=2212 comm="atieventsd" path="/usr/lib/catalyst/libGL.so.1.2" dev=sda6 ino=103736 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
| type=SYSCALL msg=audit(1251364326.851:16119): arch=40000003 syscall=125 success=yes exit=0 a0=11c000 a1=85000 a2=5 a3=bfc34860 items=0 ppid=2210 pid=2212 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="atieventsd" exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)
|
For now I have to put selinux in permissive mode,
but is it possible to get this fixed in a more intelligent way?
Thank you.
QingLong

From laurent.rineau__fedora at normalesup.org Thu Aug 27 10:46:51 2009
From: laurent.rineau__fedora at normalesup.org (Laurent Rineau)
Date: Thu, 27 Aug 2009 12:46:51 +0200
Subject: My home is fully labeled default_t after a kernel crash
Message-ID: <200908271246.51641.laurent.rineau__fedora@normalesup.org>

On my F11 x64 machine, this morning, I have launched that command:

sudo semanage fcontext -a -t textrel_shlib_t /opt/intel/Compiler/11.0/081/mkl/lib/em64t/libmkl_core.so

After that, my X11 server froze. I managed to login on the machine with ssh, but sudo got permission denied. :-(

Then I have done:
- A soft shutdown with the power button. That shutdown was successful.
- Power on the machine. Boot the default kernel. Lots of AVC on the console. X11 and mingetty unable to launch.
- Reboot with "enforcing=0 autorelabel=1 single". Relabelling seems ok.
- Reboot (with no selinux boot parameters). X11 and GDM ok. But just after I tried to login, a popup told me something about permission denied on $HOME, using HOME=/. Obviously, that failed!
- Reboot with enforcing=0.

Then I have managed to understand that the problem is that almost all my files in $HOME are labeled: "system_u:object_r:default_t:s0" (actually all my $HOME but files with customized context).

Another problem: unconfined_u has disappeared!
$ id -Z
user_u:user_r:user_t:s0

$ sudo semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r

I have searched on the web for a solution, but the only solutions proposed were /.autorelabel! :-(

That is why I am looking for a clue here...

The machine is under F11, with updates.
My configuration:

$ rpm -qa \*selinux\* \*semana\* | sort
libselinux-2.0.80-1.fc11.i586
libselinux-2.0.80-1.fc11.x86_64
libselinux-debuginfo-2.0.80-1.fc11.x86_64
libselinux-devel-2.0.80-1.fc11.x86_64
libselinux-python-2.0.80-1.fc11.x86_64
libselinux-utils-2.0.80-1.fc11.x86_64
libsemanage-2.0.31-4.fc11.x86_64
libsemanage-python-2.0.31-4.fc11.x86_64
selinux-policy-3.6.12-78.fc11.noarch
selinux-policy-targeted-3.6.12-78.fc11.noarch

$ uname -a
Linux matisse.localdomain 2.6.29.6-217.2.8.fc11.x86_64 #1 SMP Sat Aug 15 01:06:26 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

(But the machine was in enforcing mode at the beginning of the story.)

--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau

From domg472 at gmail.com Thu Aug 27 11:20:48 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 27 Aug 2009 13:20:48 +0200
Subject: My home is fully labeled default_t after a kernel crash
In-Reply-To: <200908271246.51641.laurent.rineau__fedora@normalesup.org>
References: <200908271246.51641.laurent.rineau__fedora@normalesup.org>
Message-ID: <20090827112047.GB2495@notebook3.grift.internal>

On Thu, Aug 27, 2009 at 12:46:51PM +0200, Laurent Rineau wrote:
> On my F11 x64 machine, this morning, I have launched that command:
>
> sudo semanage fcontext -a -t textrel_shlib_t
> /opt/intel/Compiler/11.0/081/mkl/lib/em64t/libmkl_core.so
>
> After that, my X11 server froze. I managed to login on the machine with ssh,
> but sudo got permission denied. :-(

Ouch

>
> Then I have done:
> - A soft shutdown with the power button. That shutdown was successful.
> - Power on the machine. Boot the default kernel. Lots of AVC on the console.
> X11 and mingetty unable to launch.
> - Reboot with "enforcing=0 autorelabel=1 single". Relabelling seems ok.
> - Reboot (with no selinux boot parameters). X11 and GDM ok.
> But just after I
> tried to login, a popup told me something about permission denied on $HOME,
> using HOME=/. Obviously, that failed!
> - Reboot with enforcing=0.
>
> Then I have managed to understand that the problem is that almost all my files
> in $HOME are labeled: "system_u:object_r:default_t:s0" (actually all my $HOME
> but files with customized context).
>
> Another problem: unconfined_u has disappeared!
> $ id -Z
> user_u:user_r:user_t:s0
>
> $ sudo semanage user -l
>                 Labeling   MLS/       MLS/
> SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
>
> guest_u         user       s0         s0               guest_r
> root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
> staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r
> sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
> system_u        user       s0         s0-s0:c0.c1023   system_r
> user_u          user       s0         s0               user_r
> xguest_u        user       s0         s0               xguest_r
>
> I have searched on the web for a solution, but the only solutions proposed were
> /.autorelabel! :-(
>
> That is why I am looking for a clue here...
>
> The machine is under F11, with updates. My configuration:
>
> $ rpm -qa \*selinux\* \*semana\* | sort
> libselinux-2.0.80-1.fc11.i586
> libselinux-2.0.80-1.fc11.x86_64
> libselinux-debuginfo-2.0.80-1.fc11.x86_64
> libselinux-devel-2.0.80-1.fc11.x86_64
> libselinux-python-2.0.80-1.fc11.x86_64
> libselinux-utils-2.0.80-1.fc11.x86_64
> libsemanage-2.0.31-4.fc11.x86_64
> libsemanage-python-2.0.31-4.fc11.x86_64
> selinux-policy-3.6.12-78.fc11.noarch
> selinux-policy-targeted-3.6.12-78.fc11.noarch
>
> $ uname -a
> Linux matisse.localdomain 2.6.29.6-217.2.8.fc11.x86_64 #1 SMP Sat Aug 15
> 01:06:26 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
>
> $ sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        targeted
>
> (But the machine was in enforcing mode at the beginning of the story.)
>

I'd probably reinstall selinux-policy

mv /etc/selinux/targeted /etc/selinux/targeted.backup
yum remove selinux-policy*
yum install selinux-policy selinux-policy-targeted
touch /.autorelabel && reboot

> --
> Laurent Rineau
> http://fedoraproject.org/wiki/LaurentRineau

From dwalsh at redhat.com Thu Aug 27 13:34:42 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 27 Aug 2009 09:34:42 -0400
Subject: atieventsd (xorg-x11-drv-catalyst.rpm) on F11
In-Reply-To: <20090827093958.GH21075@Bolizm.ihep.su>
References: <20090827093958.GH21075@Bolizm.ihep.su>
Message-ID: <4A968B72.7040802@redhat.com>

On 08/27/2009 05:39 AM, QingLong wrote:
> Hello!
>
> I am trying to utilize proprietary video drivers from (the damned) AMD
> to get accelerated OpenGL on the ATI Mobility Radeon X300 on Fedora 11.
> So I have installed the packages (along with the required dependencies):
>     akmod-catalyst
>     xorg-x11-drv-catalyst
> Installation has finished quite smoothly, but after reboot I get no X.
> I guess, one of the reasons is the atieventsd is not starting due to selinux:
> |
> | type=AVC msg=audit(1251364326.851:16119): avc: denied { execmod } for pid=2212 comm="atieventsd" path="/usr/lib/catalyst/libGL.so.1.2" dev=sda6 ino=103736 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
> | type=SYSCALL msg=audit(1251364326.851:16119): arch=40000003 syscall=125 success=yes exit=0 a0=11c000 a1=85000 a2=5 a3=bfc34860 items=0 ppid=2210 pid=2212 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="atieventsd" exe="/usr/sbin/atieventsd" subj=system_u:system_r:initrc_t:s0 key=(null)
> |
> For now I have to put selinux in permissive mode,
> but is it possible to get this fixed in a more intelligent way?
> Thank you.
>
> QingLong

# semanage fcontext -a -t textrel_shlib_t '/usr/lib/catalyst/libGL\.so.*'
# restorecon -R -v /usr/lib/catalyst

Should fix

From laurent.rineau__fedora at normalesup.org Fri Aug 28 08:20:31 2009
From: laurent.rineau__fedora at normalesup.org (Laurent Rineau)
Date: Fri, 28 Aug 2009 10:20:31 +0200
Subject: My home is fully labeled default_t after a kernel crash
In-Reply-To: <20090827112047.GB2495@notebook3.grift.internal>
References: <200908271246.51641.laurent.rineau__fedora@normalesup.org> <20090827112047.GB2495@notebook3.grift.internal>
Message-ID: <200908281020.31648.laurent.rineau__fedora@normalesup.org>

On Thursday 27 August 2009 13:20:48 Dominick Grift wrote:
> I'd probably reinstall selinux-policy
> mv /etc/selinux/targeted /etc/selinux/targeted.backup
>
> yum remove selinux-policy*
> yum install selinux-policy selinux-policy-targeted
> touch /.autorelabel && reboot

That worked!
I had to reboot with selinux=0 before reinstalling selinux-policy*, because otherwise the rpm scripts had failures (probably a conflict with the corrupted selinux policy that was in memory). I have redone all that with the boot parameter selinux=0, then a reboot without that parameter, and I no longer have AVCs in audit.log (and my user and home directory are labeled unconfined_u).

Thanks for the help!

By the way, I have retyped the semanage command that started the incident, and it ran smoothly this time! :-)

--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau

From troyk9 at gmail.com Sun Aug 30 16:12:41 2009
From: troyk9 at gmail.com (Michael Greenstein)
Date: Sun, 30 Aug 2009 12:12:41 -0400
Subject: Noob wishing to write policy to allow wireless brother printer
Message-ID:

Noob wishing to write policy to allow wireless brother printer

SElinux is not allowing me to connect to my wireless brother mfc 490 cw - already installed drivers

--
For some laughs check out my new complete video page at:
http://www.youtube.com/profile?user=troyk9&view=videos

From seramal at gmail.com Sun Aug 30 19:58:51 2009
From: seramal at gmail.com (Fernando Magro)
Date: Sun, 30 Aug 2009 20:58:51 +0100
Subject: vsftpd not changing security context while dropping privileges
Message-ID:

Hi,

I noticed vsftpd starts running with UID 0 and MLS s0. When a user logs in, a new process is spawned (forked) from vsftpd and the UID is changed to match the user. The problem is that the MLS stays at s0, so if the user has a different MLS it will make everything fail. Starting vsftpd with s0-s0:c0.c1023 would be an option, but will then bypass per-user MLS security. So IMHO vsftpd should be patched to change its security context when forking a new process.
You can reproduce the problem by running:

# semanage user -m -r s0-s0:c0.c1023 user_u
# groupadd testing
# useradd -m -g testing -Z user_u testing
# semanage login -m -r s0:c3 testing
# chcon -R -l s0:c3 /home/testing
# /etc/init.d/vsftpd start
# lftp
open -u testing,password localhost
ls

Daniel Walsh said at https://bugzilla.redhat.com/show_bug.cgi?id=518569 :

Let's bring this up for discussion on the SELinux list.

There are two possibilities here. One is to just change the level on the vsftpd process to run at the appropriate level of the user. The second would be to change the type, in order to run as a type appropriate for the user, i.e. with different privs than the vsftpd server.

From rchapman at aardvark.com.au Mon Aug 31 02:17:21 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Mon, 31 Aug 2009 10:17:21 +0800
Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <4A8B1A43.6070300@redhat.com>
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au> <4A8557A2.403@redhat.com> <4A86420E.40200@aardvark.com.au> <4A8B1A43.6070300@redhat.com>
Message-ID: <4A9B32B1.4030509@aardvark.com.au>

Hi Daniel

FYI: I have just rebooted the system for the first time in ages - and I'm still using /tmp as opposed to tmpfs - and received 2 more AVCs - very similar to the previous ones. If I understood correctly - you were not expecting this to re-occur. I haven't posted the AVCs because I think they are much the same as the originals - but can do so if you are interested.

This is not a major problem - but is one of the issues preventing me from using "enforcing" mode. Any thoughts why it has re-occurred?

Richard.
Daniel J Walsh wrote: > On 08/15/2009 01:05 AM, Richard Chapman wrote: > >> Daniel J Walsh wrote: >> >>> On 08/14/2009 12:19 AM, Richard Chapman wrote: >>> >>> >>>> Daniel J Walsh wrote: >>>> >>>> >>>>> On 08/12/2009 07:53 PM, Richard Chapman wrote: >>>>> >>>>> >>>>> >>>>>> I am running Centos 5.3 in permissive mode - and recently I started >>>>>> getting 4 avcs every time I boot the server. I am not sure - but I >>>>>> think >>>>>> these might have started when I changed my desktop from Gnome to >>>>>> KDE. I >>>>>> have tried the relabelling suggested in the AVC - but this hasn't >>>>>> fixed it. >>>>>> Does it look like I have something set up wrong - or is there a policy >>>>>> problem? >>>>>> Richard. >>>>>> >>>>>> >>>>>> Summary >>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled >>>>>> files (./.X11-unix). >>>>>> Detailed Description >>>>>> [SELinux is in permissive mode, the operation would have been >>>>>> denied but >>>>>> was permitted due to permissive mode.] >>>>>> >>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s) >>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use >>>>>> these files. It is common for users to edit files in their home >>>>>> directory or tmp directories and then move (mv) them to system >>>>>> directories. The problem is that the files end up with the wrong file >>>>>> context which confined applications are not allowed to access. >>>>>> >>>>>> Allowing Access >>>>>> If you want setxkbmap to access this files, you need to relabel them >>>>>> using restorecon -v './.X11-unix'. You might want to relabel the >>>>>> entire >>>>>> directory using restorecon -R -v './.X11-unix'. 
>>>>>> Additional Information >>>>>> >>>>>> Source Context: system_u:system_r:rhgb_t >>>>>> Target Context: system_u:object_r:initrc_tmp_t >>>>>> Target Objects: ./.X11-unix [ dir ] >>>>>> Source: setxkbmap >>>>>> Source Path: /usr/bin/setxkbmap >>>>>> Port: >>>>>> Host: C5.aardvark.com.au >>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 >>>>>> Target RPM Packages: Policy RPM: >>>>>> selinux-policy-2.4.6-225.el5 >>>>>> Selinux Enabled: True >>>>>> Policy Type: targeted >>>>>> MLS Enabled: True >>>>>> Enforcing Mode: Permissive >>>>>> Plugin Name: home_tmp_bad_labels >>>>>> Host Name: C5.aardvark.com.au >>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue >>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64 >>>>>> Alert Count: 34 >>>>>> First Seen: Sun Jan 11 17:55:13 2009 >>>>>> Last Seen: Mon Aug 10 18:13:15 2009 >>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 >>>>>> Line Numbers: Raw Audit Messages : >>>>>> >>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: >>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: >>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): >>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 >>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 >>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 >>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap" >>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null) >>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): >>>>>> arch=c000003e 
syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 >>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 >>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 >>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap" >>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null) >>>>>> >>>>>> >>>>>> Summary >>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled >>>>>> files (./.X11-unix). >>>>>> Detailed Description >>>>>> [SELinux is in permissive mode, the operation would have been >>>>>> denied but >>>>>> was permitted due to permissive mode.] >>>>>> >>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s) >>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use >>>>>> these files. It is common for users to edit files in their home >>>>>> directory or tmp directories and then move (mv) them to system >>>>>> directories. The problem is that the files end up with the wrong file >>>>>> context which confined applications are not allowed to access. >>>>>> >>>>>> Allowing Access >>>>>> If you want setxkbmap to access this files, you need to relabel them >>>>>> using restorecon -v './.X11-unix'. You might want to relabel the >>>>>> entire >>>>>> directory using restorecon -R -v './.X11-unix'. 
>>>>>> Additional Information >>>>>> >>>>>> Source Context: system_u:system_r:rhgb_t >>>>>> Target Context: system_u:object_r:initrc_tmp_t >>>>>> Target Objects: ./.X11-unix [ dir ] >>>>>> Source: setxkbmap >>>>>> Source Path: /usr/bin/setxkbmap >>>>>> Port: >>>>>> Host: C5.aardvark.com.au >>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 >>>>>> Target RPM Packages: Policy RPM: >>>>>> selinux-policy-2.4.6-225.el5 >>>>>> Selinux Enabled: True >>>>>> Policy Type: targeted >>>>>> MLS Enabled: True >>>>>> Enforcing Mode: Permissive >>>>>> Plugin Name: home_tmp_bad_labels >>>>>> Host Name: C5.aardvark.com.au >>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue >>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64 >>>>>> Alert Count: 35 >>>>>> First Seen: Sun Jan 11 17:55:13 2009 >>>>>> Last Seen: Mon Aug 10 18:13:16 2009 >>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 >>>>>> Line Numbers: Raw Audit Messages : >>>>>> >>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: >>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: >>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): >>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 >>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 >>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 >>>>>> comm="setxkbmap" >>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) >>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): >>>>>> arch=c000003e syscall=42 
success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 >>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 >>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 >>>>>> comm="setxkbmap" >>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) >>>>>> >>>>>> >>>>>> Summary >>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled >>>>>> files (./.X11-unix). >>>>>> Detailed Description >>>>>> [SELinux is in permissive mode, the operation would have been >>>>>> denied but >>>>>> was permitted due to permissive mode.] >>>>>> >>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s) >>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use >>>>>> these files. It is common for users to edit files in their home >>>>>> directory or tmp directories and then move (mv) them to system >>>>>> directories. The problem is that the files end up with the wrong file >>>>>> context which confined applications are not allowed to access. >>>>>> >>>>>> Allowing Access >>>>>> If you want setxkbmap to access this files, you need to relabel them >>>>>> using restorecon -v './.X11-unix'. You might want to relabel the >>>>>> entire >>>>>> directory using restorecon -R -v './.X11-unix'. 
>>>>>> Additional Information >>>>>> >>>>>> Source Context: system_u:system_r:rhgb_t >>>>>> Target Context: system_u:object_r:initrc_tmp_t >>>>>> Target Objects: ./.X11-unix [ dir ] >>>>>> Source: setxkbmap >>>>>> Source Path: /usr/bin/setxkbmap >>>>>> Port: >>>>>> Host: C5.aardvark.com.au >>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 >>>>>> Target RPM Packages: Policy RPM: >>>>>> selinux-policy-2.4.6-225.el5 >>>>>> Selinux Enabled: True >>>>>> Policy Type: targeted >>>>>> MLS Enabled: True >>>>>> Enforcing Mode: Permissive >>>>>> Plugin Name: home_tmp_bad_labels >>>>>> Host Name: C5.aardvark.com.au >>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue >>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64 >>>>>> Alert Count: 36 >>>>>> First Seen: Sun Jan 11 17:55:13 2009 >>>>>> Last Seen: Mon Aug 10 18:13:17 2009 >>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 >>>>>> Line Numbers: Raw Audit Messages : >>>>>> >>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: >>>>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" >>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: >>>>>> denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" >>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): >>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 >>>>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 >>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 >>>>>> comm="setxkbmap" >>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) >>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): >>>>>> arch=c000003e syscall=42 
success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 >>>>>> a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 >>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 >>>>>> comm="setxkbmap" >>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) >>>>>> >>>>>> >>>>>> >>>>>> Summary >>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled >>>>>> files (./.X11-unix). >>>>>> Detailed Description >>>>>> [SELinux is in permissive mode, the operation would have been >>>>>> denied but >>>>>> was permitted due to permissive mode.] >>>>>> >>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s) >>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap to use >>>>>> these files. It is common for users to edit files in their home >>>>>> directory or tmp directories and then move (mv) them to system >>>>>> directories. The problem is that the files end up with the wrong file >>>>>> context which confined applications are not allowed to access. >>>>>> >>>>>> Allowing Access >>>>>> If you want setxkbmap to access this files, you need to relabel them >>>>>> using restorecon -v './.X11-unix'. You might want to relabel the >>>>>> entire >>>>>> directory using restorecon -R -v './.X11-unix'. 
>>>>>> Additional Information >>>>>> >>>>>> Source Context: system_u:system_r:rhgb_t >>>>>> Target Context: system_u:object_r:initrc_tmp_t >>>>>> Target Objects: ./.X11-unix [ dir ] >>>>>> Source: setxkbmap >>>>>> Source Path: /usr/bin/setxkbmap >>>>>> Port: >>>>>> Host: C5.aardvark.com.au >>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 >>>>>> Target RPM Packages: Policy RPM: >>>>>> selinux-policy-2.4.6-225.el5 >>>>>> Selinux Enabled: True >>>>>> Policy Type: targeted >>>>>> MLS Enabled: True >>>>>> Enforcing Mode: Permissive >>>>>> Plugin Name: home_tmp_bad_labels >>>>>> Host Name: C5.aardvark.com.au >>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue >>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64 >>>>>> Alert Count: 37 >>>>>> First Seen: Sun Jan 11 17:55:13 2009 >>>>>> Last Seen: Mon Aug 10 18:13:19 2009 >>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 >>>>>> Line Numbers: Raw Audit Messages : >>>>>> >>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: >>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: >>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): >>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 >>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 >>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 >>>>>> comm="setxkbmap" >>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null) >>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): >>>>>> arch=c000003e syscall=42 
success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13
>>>>>> a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0
>>>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>>>> comm="setxkbmap"
>>>>>> exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>
>>>>>>
>>>>> chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>>
>>>>> I always use tmpfs for /tmp, so I never end up with garbage on a
>>>>> reboot.
>>>>>
>>>> Thanks Daniel - but this is the response...
>>>>
>>>> [root at C5 ~]# chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>> chcon: failed to change context of /tmp/.X11-unix to
>>>> system_u:object_r:xserver_tmp_t: Invalid argument
>>>> chcon: failed to change context of /tmp/.X11-unix/X0 to
>>>> system_u:object_r:xserver_tmp_t: Invalid argument
>>>> chcon: failed to change context of /tmp/.X11-unix/X1005 to
>>>> user_u:object_r:xserver_tmp_t: Invalid argument
>>>> [root at C5 ~]#
>>>>
>>>> Being pretty green - I don't really understand the problem here. Also -
>>>> if this chcon worked - would this be a permanent solution - or does it
>>>> need to be executed in a boot script?
>>>> I like your idea of using tmpfs - but is it ever a problem that tmpfs is
>>>> relatively small and finite? Also - please excuse my ignorance - but how
>>>> do I make tmpfs the tmp folder?
>>>>
>>>> Richard.
>>>>
>>> Must have changed between RHEL5 and F11
>>>
>>> Try
>>> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>>>
>>> Add this line to /etc/fstab
>>>
>>> tmpfs /tmp tmpfs rootcontext="system_u:object_r:tmp_t:s0",defaults 0 0
>>>
>>> And reboot.
>>>
>>> I don't tend to store huge amounts of stuff in /tmp.
>>> If I want to
>>> store big stuff I can always use /var/tmp
>>>
>> Thanks Daniel
>>
>> That chcon command worked fine. Should this be a permanent solution - or
>> will new files appearing there need a chcon too? Should I put this
>> command into a boot script somewhere?
>>
>> I'll try tmpfs and see if it ever overflows in practice. Hopefully I'll
>> be able to see something in my logwatch if there is ever a problem.
>> Currently - it's using less than 1/2 its 2 gigs of ram - so there is
>> some room to spare. Seems your suggestion has sparked quite a bit of
>> interest...:-)
>>
>> Thanks again
>>
>> Richard.
>>
> No, the chcon is fine. It was mislabeled at some point and relabeling does not touch /tmp
>

From rashmeepawar at gmail.com Mon Aug 31 02:33:02 2009
From: rashmeepawar at gmail.com (Rashmi Pawar)
Date: Mon, 31 Aug 2009 08:03:02 +0530
Subject: Dogtag implementation on Fc6
Message-ID: <816962df0908301933x4c6b0327j817c1f284440e7c5@mail.gmail.com>

Hi,

I am new to the Dogtag Certificate system. I have to install the dogtag certificate system on fedora core 6. I would appreciate help from fedora-selinux-list users who have successfully installed and are running dogtag certificate system on linux.

I read the explanation on dogtag on http://pki.fedoraproject.org/wiki/PKI_Main_Page yet I have some questions before starting the installation. Following are the questions:

1. Do I have to install and run Apache service on the system on which I am going to implement dogtag?
2. I am confused about the configuration of all the PKI subsystems like CA, RA, DRM...etc. In the http://pki.fedoraproject.org/wiki/PKI_Main_Page the configuration of all subsystems is given but I don't understand from where do I get the configuration URL for each subsystem.
3. I have to integrate the setup with Checkpoint, so need steps on the integration.

* I would appreciate if someone who has implemented dogtag would provide me easy steps to install dogtag on fedora core 6.
Thanks & Regards,
Rashmee

From domg472 at gmail.com Mon Aug 31 08:13:12 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 31 Aug 2009 10:13:12 +0200
Subject: Noob wishing to write policy to allow wireless brother printer
In-Reply-To:
References:
Message-ID: <20090831081310.GA11210@notebook3.grift.internal>

On Sun, Aug 30, 2009 at 12:12:41PM -0400, Michael Greenstein wrote:
> Noob wishing to write policy to allow wireless brother printer
> SElinux is not allowing me to connect to my wireless brother mfc 490 cw -
> already installed drivers

Can you show us the AVC denials that occur when access is denied?
The avc denials end up in /var/log/audit/audit.log.

> --
>
> For some laughs check out my new complete video page at:
> http://www.youtube.com/profile?user=troyk9&view=videos
>

From dwalsh at redhat.com Mon Aug 31 12:18:37 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 31 Aug 2009 08:18:37 -0400
Subject: Noob wishing to write policy to allow wireless brother printer
In-Reply-To:
References:
Message-ID: <4A9BBF9D.4010600@redhat.com>

On 08/30/2009 12:12 PM, Michael Greenstein wrote:
> Noob wishing to write policy to allow wireless brother printer
> SElinux is not allowing me to connect to my wireless brother mfc 490 cw -
> already installed drivers
>

Most likely a labeling problem.
What AVC/setroubleshoot message are you seeing?

From dwalsh at redhat.com Mon Aug 31 12:20:04 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 31 Aug 2009 08:20:04 -0400
Subject: vsftpd not changing security context while dropping privileges
In-Reply-To:
References:
Message-ID: <4A9BBFF4.8010906@redhat.com>

On 08/30/2009 03:58 PM, Fernando Magro wrote:
> Hi,
>
> I noticed vsftpd starts running with UID 0 and MLS s0. When a user
> logs in, a new process is spawned (forked) from vsftpd and the UID is
> changed to match the user. The problem is that the MLS stays at s0, so if
> the user has a different MLS it will make everything fail. Starting
> vsftpd with s0-s0:c0.c1023 would be an option, but will then bypass
> per-user MLS security. So IMHO vsftpd should be patched to change its
> security context when forking a new process.
>
> You can reproduce the problem by running:
> # semanage user -m -r s0-s0:c0.c1023 user_u
> # groupadd testing
> # useradd -m -g testing -Z user_u testing
> # semanage login -m -r s0:c3 testing
> # chcon -R -l s0:c3 /home/testing
> # /etc/init.d/vsftpd start
> # lftp
> open -u testing,password localhost
> ls
>
> Daniel Walsh said at https://bugzilla.redhat.com/show_bug.cgi?id=518569 :
> Let's bring this up for discussion on the SELinux list.
>
> There are two possibilities here. One is to just change the level on the
> vsftpd process to run at the appropriate level of the user. The second would
> be to change the type, in order to run as a type appropriate for the user, i.e.
> with different privs than the vsftpd server.
>
>

Fernando, I meant the developers' SELinux list, which is selinux at tycho.nsa.gov

From dwalsh at redhat.com Mon Aug 31 12:21:56 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 31 Aug 2009 08:21:56 -0400
Subject: Dogtag implementation on Fc6
In-Reply-To: <816962df0908301933x4c6b0327j817c1f284440e7c5@mail.gmail.com>
References: <816962df0908301933x4c6b0327j817c1f284440e7c5@mail.gmail.com>
Message-ID: <4A9BC064.1020309@redhat.com>

On 08/30/2009 10:33 PM, Rashmi Pawar wrote:
> Hi,
>
> I am new to the Dogtag Certificate system. I have to install the dogtag
> certificate system on fedora core 6. I would appreciate help from
> fedora-selinux-list users who have successfully installed and are running
> dogtag certificate system on linux.
> I read the explanation on dogtag on
> http://pki.fedoraproject.org/wiki/PKI_Main_Page yet I have some questions
> before starting the installation. Following are the questions:
>
> 1. Do I have to install and run Apache service on the system on which I am
> going to implement dogtag?
> 2. I am confused about the configuration of all the PKI subsystems like
> CA, RA, DRM...etc. In the http://pki.fedoraproject.org/wiki/PKI_Main_Page the
> configuration of all subsystems is given but I don't understand from where do I
> get the configuration URL for each subsystem.
> 3. I have to integrate the setup with Checkpoint, so need steps on the
> integration.
>
> * I would appreciate if someone who has implemented dogtag would provide me
> easy steps to install dogtag on fedora core 6.
>
> Thanks & Regards,
> Rashmee
>

Why are you sending this request to the SELinux list?
Send it to the fedora-list. Also, Fedora 6 has not been supported for a couple of years; you should definitely move to a supported OS.

From dwalsh at redhat.com Mon Aug 31 12:49:04 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 31 Aug 2009 08:49:04 -0400
Subject: AVC every server boot: SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
In-Reply-To: <4A9B32B1.4030509@aardvark.com.au>
References: <4A80C3E2.7090407@aardvark.com.au> <4A835607.6050102@aardvark.com.au> <4A84593C.8000407@redhat.com> <4A84E5C5.3000908@aardvark.com.au> <4A8557A2.403@redhat.com> <4A86420E.40200@aardvark.com.au> <4A8B1A43.6070300@redhat.com> <4A9B32B1.4030509@aardvark.com.au>
Message-ID: <4A9BC6C0.8010600@redhat.com>

On 08/30/2009 10:17 PM, Richard Chapman wrote:
> Hi Daniel
>
> FYI: I have just rebooted the system for the first time in ages - and
> I'm still using /tmp as opposed to tmpfs - and received 2 more AVCs -
> very similar to the previous ones. If I understood correctly - you were
> not expecting this to re-occur. I haven't posted the AVCs because I
> think they are much the same as the originals - but can do so if you are
> interested.
>
> This is not a major problem - but is one of the issues preventing me
> from using "enforcing" mode. Any thoughts why it has re-occurred?
>
> Richard.
>
> Daniel J Walsh wrote:
>> On 08/15/2009 01:05 AM, Richard Chapman wrote:
>>
>>> Daniel J Walsh wrote:
>>>
>>>> On 08/14/2009 12:19 AM, Richard Chapman wrote:
>>>>
>>>>> Daniel J Walsh wrote:
>>>>>
>>>>>> On 08/12/2009 07:53 PM, Richard Chapman wrote:
>>>>>>
>>>>>>> I am running Centos 5.3 in permissive mode - and recently I started
>>>>>>> getting 4 avcs every time I boot the server. I am not sure - but I
>>>>>>> think
>>>>>>> these might have started when I changed my desktop from Gnome to
>>>>>>> KDE. I
>>>>>>> have tried the relabelling suggested in the AVC - but this hasn't
>>>>>>> fixed it.
>>>>>>> Does it look like I have something set up wrong - or is there a >>>>>>> policy >>>>>>> problem? >>>>>>> Richard. >>>>>>> >>>>>>> >>>>>>> Summary >>>>>>> SELinux is preventing the setxkbmap from using potentially >>>>>>> mislabeled >>>>>>> files (./.X11-unix). >>>>>>> Detailed Description >>>>>>> [SELinux is in permissive mode, the operation would have been >>>>>>> denied but >>>>>>> was permitted due to permissive mode.] >>>>>>> >>>>>>> SELinux has denied setxkbmap access to potentially mislabeled >>>>>>> file(s) >>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap >>>>>>> to use >>>>>>> these files. It is common for users to edit files in their home >>>>>>> directory or tmp directories and then move (mv) them to system >>>>>>> directories. The problem is that the files end up with the wrong >>>>>>> file >>>>>>> context which confined applications are not allowed to access. >>>>>>> >>>>>>> Allowing Access >>>>>>> If you want setxkbmap to access this files, you need to relabel them >>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the >>>>>>> entire >>>>>>> directory using restorecon -R -v './.X11-unix'. 
>>>>>>> Additional Information >>>>>>> >>>>>>> Source Context: system_u:system_r:rhgb_t >>>>>>> Target Context: system_u:object_r:initrc_tmp_t >>>>>>> Target Objects: ./.X11-unix [ dir ] >>>>>>> Source: setxkbmap >>>>>>> Source Path: /usr/bin/setxkbmap >>>>>>> Port: >>>>>>> Host: C5.aardvark.com.au >>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1 >>>>>>> Target RPM Packages: Policy RPM: >>>>>>> selinux-policy-2.4.6-225.el5 >>>>>>> Selinux Enabled: True >>>>>>> Policy Type: targeted >>>>>>> MLS Enabled: True >>>>>>> Enforcing Mode: Permissive >>>>>>> Plugin Name: home_tmp_bad_labels >>>>>>> Host Name: C5.aardvark.com.au >>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 >>>>>>> SMP Tue >>>>>>> Aug 4 20:19:25 EDT 2009 x86_64 x86_64 >>>>>>> Alert Count: 34 >>>>>>> First Seen: Sun Jan 11 17:55:13 2009 >>>>>>> Last Seen: Mon Aug 10 18:13:15 2009 >>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942 >>>>>>> Line Numbers: Raw Audit Messages : >>>>>>> >>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: >>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: >>>>>>> denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" >>>>>>> dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 >>>>>>> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir >>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): >>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 >>>>>>> a2=13 >>>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 >>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) >>>>>>> ses=4294967295 >>>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap" >>>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null) >>>>>>> host=C5.aardvark.com.au 
type=SYSCALL msg=audit(1249899195.897:15): >>>>>>> arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 >>>>>>> a2=13 >>>>>>> a3=3d29351a30 items=0 ppid=4021 pid=4022 auid=4294967295 uid=0 gid=0 >>>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) >>>>>>> ses=4294967295 >>>>>>> comm="setxkbmap" exe="/usr/bin/setxkbmap" >>>>>>> subj=system_u:system_r:rhgb_t:s0 key=(null) >>>>>>> >>>>>>> >>>>>>> Summary >>>>>>> SELinux is preventing the setxkbmap from using potentially >>>>>>> mislabeled >>>>>>> files (./.X11-unix). >>>>>>> Detailed Description >>>>>>> [SELinux is in permissive mode, the operation would have been >>>>>>> denied but >>>>>>> was permitted due to permissive mode.] >>>>>>> >>>>>>> SELinux has denied setxkbmap access to potentially mislabeled >>>>>>> file(s) >>>>>>> (./.X11-unix). This means that SELinux will not allow setxkbmap >>>>>>> to use >>>>>>> these files. It is common for users to edit files in their home >>>>>>> directory or tmp directories and then move (mv) them to system >>>>>>> directories. The problem is that the files end up with the wrong >>>>>>> file >>>>>>> context which confined applications are not allowed to access. >>>>>>> >>>>>>> Allowing Access >>>>>>> If you want setxkbmap to access this files, you need to relabel them >>>>>>> using restorecon -v './.X11-unix'. You might want to relabel the >>>>>>> entire >>>>>>> directory using restorecon -R -v './.X11-unix'. 
>>>>>>> Additional Information
>>>>>>>
>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>> Source: setxkbmap
>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>> Port:
>>>>>>> Host: C5.aardvark.com.au
>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>> Target RPM Packages:
>>>>>>> Policy RPM: selinux-policy-2.4.6-225.el5
>>>>>>> Selinux Enabled: True
>>>>>>> Policy Type: targeted
>>>>>>> MLS Enabled: True
>>>>>>> Enforcing Mode: Permissive
>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>> Alert Count: 35
>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>> Last Seen: Mon Aug 10 18:13:16 2009
>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>> Line Numbers:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899196.898:16): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899196.898:16): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>>
>>>>>>> Summary
>>>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
>>>>>>>
>>>>>>> Detailed Description
>>>>>>> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
>>>>>>>
>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s) (./.X11-unix). This means that SELinux will not allow setxkbmap to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.
>>>>>>>
>>>>>>> Allowing Access
>>>>>>> If you want setxkbmap to access this files, you need to relabel them using restorecon -v './.X11-unix'. You might want to relabel the entire directory using restorecon -R -v './.X11-unix'.
>>>>>>> Additional Information
>>>>>>>
>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>> Source: setxkbmap
>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>> Port:
>>>>>>> Host: C5.aardvark.com.au
>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>> Target RPM Packages:
>>>>>>> Policy RPM: selinux-policy-2.4.6-225.el5
>>>>>>> Selinux Enabled: True
>>>>>>> Policy Type: targeted
>>>>>>> MLS Enabled: True
>>>>>>> Enforcing Mode: Permissive
>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>> Alert Count: 36
>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>> Last Seen: Mon Aug 10 18:13:17 2009
>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>> Line Numbers:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899197.933:18): avc: denied { search } for pid=4041 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899197.933:18): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fff31d13e20 a2=13 a3=8 items=0 ppid=1 pid=4041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Summary
>>>>>>> SELinux is preventing the setxkbmap from using potentially mislabeled files (./.X11-unix).
>>>>>>>
>>>>>>> Detailed Description
>>>>>>> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
>>>>>>>
>>>>>>> SELinux has denied setxkbmap access to potentially mislabeled file(s) (./.X11-unix). This means that SELinux will not allow setxkbmap to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.
>>>>>>>
>>>>>>> Allowing Access
>>>>>>> If you want setxkbmap to access this files, you need to relabel them using restorecon -v './.X11-unix'. You might want to relabel the entire directory using restorecon -R -v './.X11-unix'.
>>>>>>> Additional Information
>>>>>>>
>>>>>>> Source Context: system_u:system_r:rhgb_t
>>>>>>> Target Context: system_u:object_r:initrc_tmp_t
>>>>>>> Target Objects: ./.X11-unix [ dir ]
>>>>>>> Source: setxkbmap
>>>>>>> Source Path: /usr/bin/setxkbmap
>>>>>>> Port:
>>>>>>> Host: C5.aardvark.com.au
>>>>>>> Source RPM Packages: xorg-x11-xkb-utils-1.0.2-2.1
>>>>>>> Target RPM Packages:
>>>>>>> Policy RPM: selinux-policy-2.4.6-225.el5
>>>>>>> Selinux Enabled: True
>>>>>>> Policy Type: targeted
>>>>>>> MLS Enabled: True
>>>>>>> Enforcing Mode: Permissive
>>>>>>> Plugin Name: home_tmp_bad_labels
>>>>>>> Host Name: C5.aardvark.com.au
>>>>>>> Platform: Linux C5.aardvark.com.au 2.6.18-128.4.1.el5 #1 SMP Tue Aug 4 20:19:25 EDT 2009 x86_64 x86_64
>>>>>>> Alert Count: 37
>>>>>>> First Seen: Sun Jan 11 17:55:13 2009
>>>>>>> Last Seen: Mon Aug 10 18:13:19 2009
>>>>>>> Local ID: 0950df01-cfad-420a-9e84-4996a8d31942
>>>>>>> Line Numbers:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899199.903:20): arch=c000003e syscall=42 success=no exit=-2 a0=3 a1=7fffd74235b0 a2=13 a3=8 items=0 ppid=1 pid=4022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> fedora-selinux-list mailing list
>>>>>>> fedora-selinux-list at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>>
>>>>>> chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>>>
>>>>>> I always use tmpfs for /tmp, so I never end up with garbage on a reboot.
>>>>>>
>>>>>>
>>>>> Thanks Daniel - but this is the response...
>>>>>
>>>>> [root at C5 ~]# chcon -R -t xserver_tmp_t /tmp/.X11-unix
>>>>> chcon: failed to change context of /tmp/.X11-unix to system_u:object_r:xserver_tmp_t: Invalid argument
>>>>> chcon: failed to change context of /tmp/.X11-unix/X0 to system_u:object_r:xserver_tmp_t: Invalid argument
>>>>> chcon: failed to change context of /tmp/.X11-unix/X1005 to user_u:object_r:xserver_tmp_t: Invalid argument
>>>>> [root at C5 ~]#
>>>>>
>>>>> Being pretty green - I don't really understand the problem here. Also - if this chcon worked - would this be a permanent solution - or does it need to be executed in a boot script?
>>>>> I like your idea of using tmpfs - but is it ever a problem that tmpfs is relatively small and finite? Also - please excuse my ignorance - but how do I make tmpfs the tmp folder?
>>>>>
>>>>> Richard.
>>>>>
>>>>>
>>>>>
>>>> Must have changed between RHEL5 and F11
>>>>
>>>> Try
>>>> chcon -R -t xdm_xserver_tmp_t /tmp/.X11-unix
>>>>
>>>> Add this line to /etc/fstab
>>>>
>>>> tmpfs /tmp tmpfs rootcontext="system_u:object_r:tmp_t:s0",defaults 0 0
>>>>
>>>> And reboot.
>>>>
>>>> I don't tend to store huge amounts of stuff in /tmp. If I want to store big stuff I can always use /var/tmp
>>>>
>>>>
>>> Thanks Daniel
>>>
>>> That chcon command worked fine. Should this be a permanent solution - or will new files appearing there need a chcon too? Should I put this command into a boot script somewhere?
>>>
>>> I'll try tmpfs and see if it ever overflows in practice. Hopefully I'll be able to see something in my logwatch if there is ever a problem. Currently - it's using less than 1/2 its 2 gigs of ram - so there is some room to spare. Seems your suggestion has sparked quite a bit of interest...:-)
>>>
>>> Thanks again
>>>
>>> Richard.
>>>
>>>
>>>
>> No the chcon is fine. It was mislabeled at some point and relabeling does not touch /tmp
>>
>
I guess I would need to see the AVC messages, to make sure they are the same. What is the label on the /tmp/.X11-unix directory?
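The closing question ("make sure they are the same") can be answered mechanically. The following is an added example, not code from anyone in this thread: it parses raw AVC records of the shape quoted above, groups denials by source type, target type, object class and permission, and flags targets whose type is not the one the path should carry (xdm_xserver_tmp_t is the type Daniel's chcon applies; the sample records are constructed from the values in the quoted report, with the SYSCALL line abbreviated).

```python
import re
from collections import Counter

# Constructed sample input: AVC records of the shape quoted in the thread
# (field values copied from the report above; the SYSCALL line is abbreviated).
SAMPLE_AUDIT = """\
host=C5.aardvark.com.au type=AVC msg=audit(1249899195.897:15): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
host=C5.aardvark.com.au type=SYSCALL msg=audit(1249899195.897:15): arch=c000003e syscall=42 success=no exit=-2 comm="setxkbmap" exe="/usr/bin/setxkbmap" subj=system_u:system_r:rhgb_t:s0 key=(null)
host=C5.aardvark.com.au type=AVC msg=audit(1249899199.903:20): avc: denied { search } for pid=4022 comm="setxkbmap" name=".X11-unix" dev=dm-0 ino=27590701 scontext=system_u:system_r:rhgb_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Fields of one AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))  # "{ search }" -> ("search",)
    return rec

def strip_mls(ctx):
    """Keep user:role:type and drop the MLS range (":s0") so labels compare by type."""
    return ":".join(ctx.split(":")[:3])

def denial_key(rec):
    return (rec["comm"], strip_mls(rec["scontext"]), strip_mls(rec["tcontext"]),
            rec["tclass"], rec["perms"])

def group_denials(text):
    """Count distinct denials: one key seen N times is the same denial repeated N times."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            counts[denial_key(rec)] += 1
    return counts

def target_type(key):
    return key[2].split(":")[2]

def mislabeled_targets(counts, expected_type):
    """Denials whose target carries a type other than the one the path should have."""
    return [k for k in counts if target_type(k) != expected_type]
```

Feeding it the `Raw Audit Messages` from several setroubleshoot reports shows at a glance whether they are one denial repeated or several different ones, and which target type the relabel has to correct.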