SELinux is preventing zenity...

Tristan Santore tristan.santore at internexusconnect.net
Mon Dec 21 03:06:55 UTC 2009


On 21/12/09 02:25, Steve Blackwell wrote:
> On Fri, 18 Dec 2009 10:11:53 +0100
> Dominick Grift<domg472 at gmail.com>  wrote:
>
>> On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
>>> I have a UPS that sends an SNMP trap when the main power goes out.
>>> I wrote my snmptrapd.conf file to execute a script when the trap is
>>> received. The script simply calls zenity to pop up a message.
>>>
>>> Here's my problem. If I start snmptrapd from the command line
>>> everything works beautifully but if I have the system start it at
>>> boot time or via System->Administration->Services, the trap gets
>>> logged
>> Because when you start it manually it gets executed in the users
>> environment which is unrestricted/ unprotected in el5
> OK, I see that now. I got a bit wrapped around the axle because
> snmptrapd sometimes creates a file (I'm not quite sure
> when) called /var/net-smpd/snmptrapd.conf and if I run
> # /etc/rc.d/init.d/snmptrapd restart
> as root it gets created with a snmpd_var_lib_t type but if I just
> start snmptrapd from the command line as root it gets created with a
> different type and then the system can't restart snmptrapd because it
> doesn't have permission to write to that file.  ... I think...
>
>>> in /var/log/messages but the zenity window doesn't get displayed
>>> and I get these SELinux messages in /var/log/messages.
>>>
>>> SELinux is preventing the zenity from using potentially mislabeled
>>> files (XO)...
>>>
>>> SELinux is preventing zenity (snmpd_t) "name_connect" to<Unknown>
>>> <xserver_port_t>...
>>>
>>> I've looked at the output of
>>>
>>> # ps -ef | grep snmptrapd
>>>
>>> and it is identical in both cases so I don't understand why one
>>> works and the other doesn't. I tried
>>>
>>> # cat /var/log/messages | audit2allow -m local
>> The avc denial gets logged to .:
>>
>> ausearch -m avc -ts yesterday | grep snmpd_t | audit2allow -M mysnmp
>> | semodule -i mysnmp.pp
> This was also confusing me because I had auditd turned off and so the
> avc denials are supposed to go to /var/log/messages but it seems that
> some still went to /var/log/audit/audit.log.
>
> Anyhow running this command helped in that I don't get any more avc
> denials logged but I still don't see my dialog popup. I'm going to try
> this again starting with a clean log.
>
> I have a few questions if you have the time to answer them.
>
> I have been reading this:
> http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index.html
> and this:
> http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index.html
> which I found quite useful but they are way out of date. Is there
> anything comparable that is current?
>
> My understanding is that a .te is a policy configuration file, a text
> file and that a .pp file is a policy package, a binary file. Does
> the .te file get "compiled" into a .pp file and if so how does this
> happen?
>
> I read that the policy directory for Fedora systems is
> /etc/security/selinux/src/policy
> but neither the RHEL5.4 system at work nor my Fedora 11 system at home
> has such a directory and the only .te file is in
> /usr/share/selinux/devel.
> Where is the accepted location to put .te files?
>
> Is there a way to "see" what a .pp file is doing? A disassembly of
> sorts. I'd like to look at some examples. There are plenty of .pp files
> in /etc/selinux/targeted/modules/active/modules.
>
> Thanks,
> Steve
>>> but that just produced a file that said:
>>>
>>> module local 1.0;
>>>
>>> and nothing else.
>>>
>>> I'm running RHEL5.4 with SELinux in enforcing mode.
>>>
>>> Any help would be appreciated.
>>>
>>> Thanks,
>>> Steve
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Steve,
we have two SELinux docs in the Fedora docs at
http://docs.fedoraproject.org/
Also maybe Daniel's blog might be useful to you @
http://danwalsh.livejournal.com/

There are more, but I can't think of them at the moment. If you harass
fenris02 in #fedora, and ask him for the SELinux links, he has got a
script that blahs them out.

Regards,
Tristan

-- 
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Thawte Notary

For Fedora related issues, please email me at:
TSantore at fedoraproject.org
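An added example (not from the thread or from any of the posters) of what the ausearch | grep | audit2allow -M pipeline quoted above actually does: it parses constructed AVC records modelled on the zenity/snmpd_t/xserver_port_t denial Steve pasted, keeps only the snmpd_t domain (the grep stage), and renders the .te source module that audit2allow -M writes before compiling it to a binary .pp. The audit lines, pid and inode-free file names are constructed sample data, and the generated allow rules are exactly what to read before installing, since they widen what the snmpd domain may touch.

```python
import re
from collections import OrderedDict

# Constructed audit records modelled on the denial quoted in the thread
# (zenity running in snmpd_t, denied name_connect to xserver_port_t).
# They are sample data written for this example, not a real audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1261360000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="zenity" dest=6000 scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1261360000.124:457): avc:  denied  { read } for  pid=1234 comm="zenity" name=".Xauthority" scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1261360000.125:458): avc:  denied  { open } for  pid=1234 comm="zenity" name=".Xauthority" scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1261360000.125:458): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<sctx>\S+).*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\S+)')

def parse_avc(log_text, source_domain=None):
    """Collect denied AVC records as {(source_domain, target_type, class): perms}.
    source_domain filters like the 'grep snmpd_t' stage of the pipeline."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no AVC tuple
        sdom = m.group('sctx').split(':')[2]   # user:role:TYPE:level -> TYPE
        ttype = m.group('tctx').split(':')[2]
        if source_domain and sdom != source_domain:
            continue
        key = (sdom, ttype, m.group('tclass'))
        rules.setdefault(key, set()).update(m.group('perms').split())
    return rules

def to_te(rules, name='mysnmp', version='1.0'):
    """Render the .te source module in the shape audit2allow -M produces."""
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = ['module %s %s;' % (name, version), '', 'require {']
    for t in sorted({k[0] for k in rules} | {k[1] for k in rules}):
        out.append('\ttype %s;' % t)
    for c, p in sorted(classes.items()):
        out.append('\tclass %s { %s };' % (c, ' '.join(sorted(p))))
    out += ['}', '']
    for (sdom, ttype, tclass), perms in rules.items():
        out.append('allow %s %s:%s { %s };' % (sdom, ttype, tclass, ' '.join(sorted(perms))))
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(to_te(parse_avc(SAMPLE_AUDIT_LOG, 'snmpd_t')))
```

On the host, the text module is compiled to the binary package with `checkmodule -M -m -o mysnmp.mod mysnmp.te` followed by `semodule_package -o mysnmp.pp -m mysnmp.mod`, which is the step audit2allow -M runs for you before `semodule -i mysnmp.pp` loads it.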

