From lists at sapience.com Sat Jan 3 05:36:05 2009
From: lists at sapience.com (Mail Lists)
Date: Sat, 03 Jan 2009 00:36:05 -0500
Subject: squid reverse proxy - AVC
Message-ID: <495EF945.9060708@sapience.com>

I use squid on the border firewall to act as a reverse proxy for a non-https web server.

This is Fedora 10, fully updated, with SELinux set to permissive until it's clean. I see this logged - any suggestions how to deal with it?

Thanks for any help

gene

Summary:

SELinux is preventing squid (squid_t) "search" to ./etc (named_conf_t).

...

Source Context                unconfined_u:system_r:squid_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                ./etc [ dir ]
Source                        squid
Source Path                   /usr/sbin/squid
Port

...

Raw Audit Messages

type=AVC msg=audit(1230675079.826:69): avc: denied { search } for pid=4026 comm="squid" name="etc" dev=sda1 ino=207365 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir

type=SYSCALL msg=audit(1230675079.826:69): arch=40000003 syscall=11 success=no exit=-2 a0=bfcda538 a1=bfcd94fc a2=bfcda7e8 a3=1 items=0 ppid=4025 pid=4026 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)

From lists at sapience.com Sat Jan 3 16:16:44 2009
From: lists at sapience.com (Mail Lists)
Date: Sat, 03 Jan 2009 11:16:44 -0500
Subject: squid reverse proxy - AVC
In-Reply-To: <495EF945.9060708@sapience.com>
References: <495EF945.9060708@sapience.com>
Message-ID: <495F8F6C.7090208@sapience.com>

On 01/03/2009 12:36 AM, Mail Lists wrote:
> I use squid on the border firewall to act as a reverse proxy for
> non-https web server.
>

Forgot to say - this seems to happen before any connections, so I assume at start up. I do not know if this would prevent startup or not.

Thanks again for any help/advice.
gene/

From lists at sapience.com Sat Jan 3 18:54:56 2009
From: lists at sapience.com (Mail Lists)
Date: Sat, 03 Jan 2009 13:54:56 -0500
Subject: setroubleshoot - kills itself
Message-ID: <495FB480.9090304@sapience.com>

I was monitoring a remote server (permissive mode) via sealert -b when setroubleshootd exited with this in /var/log/messages:

Did SELinux deny setroubleshootd?

gene

----------------------------------------------------
Jan 3 13:48:03 web1 setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0
Jan 3 13:48:03 web1 setroubleshoot: [program.ERROR] audit event#012node=web1.prv.sapience.com type=AVC msg=audit(1231008483.779:1387): avc: denied { signull } for pid=2659 comm="setroubleshootd" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process#012#012node=web1.prv.sapience.com type=SYSCALL msg=audit(1231008483.779:1387): arch=40000003 syscall=37 success=yes exit=0 a0=2079 a1=0 a2=ad454c a3=2079 items=0 ppid=1 pid=2659 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe=2F7573722F62696E2F707974686F6E2E237072656C696E6B23202864656C6574656429 subj=system_u:system_r:setroubleshootd_t:s0 key=(null)

From rchapman at aardvark.com.au Sun Jan 4 07:24:05 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Sun, 04 Jan 2009 16:24:05 +0900
Subject: Troubleshooting the SELinux troubleshooter
Message-ID: <49606415.9000301@aardvark.com.au>

Hi.. When I first installed CentOS 5.0 - I disabled SELinux at the first sign of trouble. I have now seen the light - and have enabled SELinux on the system, which is now updated to CentOS 5.2 with kernel Linux 2.6.18-92.1.22.el5 on x86_64.
I initially enabled SELinux in permissive mode - and tried looking at the GUI SELinux Troubleshooter - but it shows no problems. This may be OK - because there are no "type=avc" messages in the audit.log file. However there are thousands of "type=user_avc". Here are the last 20 while in permissive mode:

type=USER_AVC msg=audit(1231052785.984:833): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.984:834): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.985:835): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.986:836): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.987:837): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.987:838): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.987:839): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.988:840): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.989:841): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.990:842): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.990:843): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.990:844): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.991:845): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.991:846): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.992:847): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.992:848): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.992:849): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.992:850): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.993:851): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1231052785.994:852): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'

If I set the system to Enforcing mode - and log out and log back in - the login seems to run very slowly. If I try to run the GUI SELinux Troubleshooter - the application window doesn't come up - but I see the following errors in the boot.log file.

Jan 3 16:55:54 C5 dbus: avc: received setenforce notice (enforcing=1)
Jan 3 16:56:23 C5 userhelper[24703]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with system_u:system_r:unconfined_t context
Jan 3 16:56:23 C5 userhelper[24703]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with root privileges on behalf of 'root'
Jan 3 16:58:02 C5 gconfd (root-21790): Exiting
Jan 3 16:58:02 C5 sshd[21044]: pam_unix(sshd:session): session closed for user nx
Jan 3 16:58:02 C5 su: pam_unix(su-l:session): session closed for user root
Jan 3 16:58:23 C5 sshd[24747]: Accepted publickey for nx from 192.168.0.2 port 33869 ssh2
Jan 3 16:58:23 C5 sshd[24747]: pam_unix(sshd:session): session opened for user nx by (uid=0)
Jan 3 16:58:25 C5 su: pam_unix(su-l:session): session opened for user root by (uid=102)
Jan 3 16:58:28 C5 dovecot: IMAP(tim): Disconnected: Logged out
Jan 3 16:58:30 C5 gconfd (root-25493): starting (version 2.14.0), pid 25493 user 'root'
Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Jan 3 16:58:33 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
Jan 3 16:58:33 C5 last message repeated 4 times
Jan 3 16:58:33 C5 gconfd (root-25493): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 0
Jan 3 16:59:46 C5 gdm[4045]: pam_unix(gdm:session): session opened for user root by (uid=0)
Jan 3 16:59:59 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
Jan 3 16:59:59 C5 last message repeated 4 times
Jan 3 17:00:01 C5 crond[25738]: (root) CMD (/var/www/sarg/sarg.cron > /dev/null 2>&1)
Jan 3 17:00:01 C5 crond[25740]: (root) CMD (/etc/webmin/webalizer/webalizer.pl /var/log/squid/access.log)
Jan 3 17:00:01 C5 crond[25742]: (root) CMD (/etc/webmin/status/monitor.pl)
Jan 3 17:00:01 C5 crond[25743]: (root) CMD (/etc/webmin/fetchmail/check.pl --mail rchapman\@aardvark\.com\.au --errors)
Jan 3 17:00:01 C5 su: pam_unix(su:session): session opened for user richard by (uid=0)
Jan 3 17:00:04 C5 su: pam_unix(su:session): session opened for user postgres by (uid=0)
Jan 3 17:00:04 C5 su: pam_unix(su:session): session closed for user postgres
Jan 3 17:00:13 C5 su: pam_unix(su:session): session closed for user richard
Jan 3 17:01:01 C5 crond[25911]: (root) CMD (run-parts /etc/cron.hourly)
Jan 3 17:01:15 C5 userhelper[25928]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with system_u:system_r:unconfined_t context
Jan 3 17:01:15 C5 userhelper[25928]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with root privileges on behalf of 'root'
Jan 3 17:02:18 C5 setroubleshoot: [dbus.ERROR] could not start dbus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Jan 3 17:03:06 C5 dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.0.199, lip=192.168.0.201
Jan 3 17:03:37 C5 dovecot: IMAP(tim): Disconnected: Logged out
Jan 3 17:04:14 C5 setroubleshoot: [dbus.ERROR] could not start dbus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

I have also tried the command line sealert application - which runs fine - but shows no problems:

[root at C5 ~]# sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log
[root at C5 ~]#

It looks to me as if there is some problem (possibly a policy issue) with my dbus connection, and this is preventing the SELinux troubleshooter operating in enforcing mode - and also probably causing some other problems in enforcing mode - though no "type=avc" problems show up in the audit logs.

Can anyone explain to me what "type=user_avc" messages are - and why they are not reported by the GUI SELinux troubleshooter or sealert? How should I debug the remaining issues in this system?

All advice appreciated.

Richard.

From tmz at pobox.com Sun Jan 4 15:34:14 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Sun, 4 Jan 2009 10:34:14 -0500
Subject: libgpod HAL callout and SELinux denials
Message-ID: <20090104153414.GH12325@inocybe.teonanacatl.org>

Hi,

I help maintain libgpod upstream and in Fedora. We install a hal callout [1] to handle newer iPods, which make some very useful and required information accessible only via a SCSI query of the iPod. The callout is meant to make the needed query and store the information retrieved (which is an XML file) on the iPod where it can subsequently be read by a normal user.

To do this, the callout mounts the iPod to a temporary location, queries the device, saves the XML, and unmounts. This causes a number of denials which I will attach.
I'd like to get some help in determining what things need fixed in the callout code and what things need policy changes. If I need to, I can package a policy module in libgpod, though having it in the main selinux policy would be preferable I think.

The libgpod callout code is in:

https://gtkpod.svn.sourceforge.net/svnroot/gtkpod/libgpod/trunk/tools/

Most of the interesting code is in hal-callout.c, but the other files are probably worth a look as well.

FWIW, the callout currently uses /tmp/ipodXXXXXX (via mkdtemp) as the temporary mount point. I did try moving that to /media to see if that worked any better, but AFAICT, it caused the same denials. Moving the temp mount out of /tmp is not a problem (and is probably a good idea anyway).

Any help will be much appreciated.

[1] http://people.freedesktop.org/~david/hal-spec/hal-spec.html#device-properties-info-callouts

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We can't be so fixated on our desire to preserve the rights of ordinary Americans.
    -- William Jefferson Clinton (USA TODAY, 11 March 1993, page 2A)

-------------- next part --------------
----
time->Sun Jan 4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.291:1697): arch=40000003 syscall=21 success=yes exit=0 a0=bfed16d7 a1=81fbd20 a2=bfed1a1d a3=0 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.291:1697): avc: denied { mount } for pid=21577 comm="libgpod-callout" name="/" dev=sdb2 ino=1 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem
type=AVC msg=audit(1231080896.291:1697): avc: denied { mounton } for pid=21577 comm="libgpod-callout" path="/tmp/ipodtSpXXY" dev=dm-1 ino=363384 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:hald_tmp_t:s0 tclass=dir
----
time->Sun Jan 4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.304:1698): arch=40000003 syscall=5 success=yes exit=3 a0=81fca00 a1=80c2 a2=1b6 a3=80c2 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.304:1698): avc: denied { read write } for pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" dev=sdb2 ino=19721 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1231080896.304:1698): avc: denied { create } for pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1231080896.304:1698): avc: denied { add_name } for pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1231080896.304:1698): avc: denied { write } for pid=21577 comm="libgpod-callout" name="Device" dev=sdb2 ino=19720 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
----
time->Sun Jan 4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.305:1699): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfecf764 a2=5ceff4 a3=81fcaa8 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.305:1699): avc: denied { getattr } for pid=21577 comm="libgpod-callout" path="/tmp/ipodtSpXXY/iPod_Control/Device/SysInfoExtended.DAPDNU" dev=sdb2 ino=19721 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
----
time->Sun Jan 4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.360:1700): arch=40000003 syscall=38 success=yes exit=0 a0=81fb8b0 a1=81fbba8 a2=73925c a3=1 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.360:1700): avc: denied { unlink } for pid=21577 comm="libgpod-callout" name="SysInfoExtended" dev=sdb2 ino=19722 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1231080896.360:1700): avc: denied { rename } for pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" dev=sdb2 ino=19721 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1231080896.360:1700): avc: denied { remove_name } for pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" dev=sdb2 ino=19721 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
----
time->Sun Jan 4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.360:1701): arch=40000003 syscall=22 success=yes exit=0 a0=81fbd20 a1=48 a2=81fbba8 a3=81fbb60 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.360:1701): avc: denied { unmount } for pid=21577 comm="libgpod-callout" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem

From dwalsh at redhat.com Sun Jan 4 17:02:47 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sun, 04 Jan 2009 12:02:47 -0500
Subject: libgpod HAL callout and SELinux denials
In-Reply-To: <20090104153414.GH12325@inocybe.teonanacatl.org>
References: <20090104153414.GH12325@inocybe.teonanacatl.org>
Message-ID: <4960EBB7.1000002@redhat.com>

Todd Zullinger wrote:
> Hi,
>
> I help maintain libgpod upstream and in Fedora. We install a hal
> callout [1] to handle newer iPods, which make some very useful and
> required information accessible only via a SCSI query of the iPod.
> The callout is meant to make the needed query and store the
> information retrieved (which is an XML file) on the iPod where it
> can subsequently be read by a normal user.
>
> To do this, the callout mounts the iPod to a temporary location,
> queries the device, saves the XML, and unmounts. This causes a number
> of denials which I will attach. I'd like to get some help in
> determining what things need fixed in the callout code and what things
> need policy changes.
> If I need to, I can package a policy module in
> libgpod, though having it in the main selinux policy would be
> preferable I think.
>
> The libgpod callout code is in:
>
> https://gtkpod.svn.sourceforge.net/svnroot/gtkpod/libgpod/trunk/tools/
>
> Most of the interesting code is in hal-callout.c, but the other files
> are probably worth a look as well.
>
> FWIW, the callout currently uses /tmp/ipodXXXXXX (via mkdtemp) as the
> temporary mount point. I did try moving that to /media to see if that
> worked any better, but AFAICT, it caused the same denials. Moving the
> temp mount out of /tmp is not a problem (and is probably a good idea
> anyway).
>
> Any help will be much appreciated.
>
> [1] http://people.freedesktop.org/~david/hal-spec/hal-spec.html#device-properties-info-callouts
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Use /var/run/hald instead of /tmp. And I will add rules to allow this in F10 and F11.

Are you planning on putting this in F9? RHEL5.4?

From dwalsh at redhat.com Sun Jan 4 19:35:49 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sun, 04 Jan 2009 14:35:49 -0500
Subject: avc Dead-Letter? Fedora 10
In-Reply-To: <49577090.1010603@fedoraproject.org>
References: <49577090.1010603@fedoraproject.org>
Message-ID: <49610F95.1070101@redhat.com>

Frank Murphy wrote:
> This is the first Fedora I've come across a file called dead-letter.
> I don't use sendmail, exim is installed, if relevant.
>
> Summary:
>
> SELinux is preventing the sendmail from using potentially mislabeled files
> (./dead.letter).
>
> Detailed Description:
>
> SELinux has denied sendmail access to potentially mislabeled file(s)
> (./dead.letter). This means that SELinux will not allow sendmail to use
> these files. It is common for users to edit files in their home directory
> or tmp directories and then move (mv) them to system directories. The
> problem is that the files end up with the wrong file context which
> confined applications are not allowed to access.
>
> Allowing Access:
>
> If you want sendmail to access this files, you need to relabel them using
> restorecon -v './dead.letter'. You might want to relabel the entire
> directory using restorecon -R -v './dead.letter'.
>
> Additional Information:
>
> Source Context                system_u:system_r:logwatch_t:s0
> Target Context                system_u:object_r:admin_home_t:s0
> Target Objects                ./dead.letter [ dir ]
> Source                        sendmail
> Source Path                   /usr/sbin/ssmtp
> Port
> Host                          frank01.frankly3d.local
> Source RPM Packages           ssmtp-2.61-11.7.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-34.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   home_tmp_bad_labels
> Host Name                     frank01.frankly3d.local
> Platform                      Linux frank01.frankly3d.local
>                               2.6.27.9-159.fc10.i686 #1 SMP Tue Dec 16
>                               15:12:04 EST 2008 i686 i686
> Alert Count                   1
> First Seen                    Sun 28 Dec 2008 12:18:46 GMT
> Last Seen                     Sun 28 Dec 2008 12:18:46 GMT
> Local ID                      6feff0bd-d81b-472e-8c9b-a4538c69479f
> Line Numbers
>
> Raw Audit Messages
>
> node=frank01.frankly3d.local type=AVC msg=audit(1230466726.28:154): avc: denied { add_name } for pid=4443 comm="sendmail" name="dead.letter" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
>
> node=frank01.frankly3d.local type=SYSCALL msg=audit(1230466726.28:154): arch=40000003 syscall=5 success=no exit=-13 a0=97312d0 a1=441
> a2=1b6 a3=440 items=0 ppid=4311 pid=4443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/ssmtp" subj=system_u:system_r:logwatch_t:s0 key=(null)
>
>
> ====================================================
> Dead-Letter contents
> ====================================================
>
> /etc/cron.daily/0logwatch:
>
> sendmail: Cannot open mail:25
> /etc/cron.daily/rkhunter:
>
> send-mail: Cannot open mail:25
> send-mail: Cannot open mail:25
>
>
> /bin/sh: opt/f-prot/fpscan: No such file or directory
>

The problem here looks like logwatch did not transition to system_mail_t when running sendmail. What sendmail is it running and what is it labeled?

ls -lZ PATHTO/sendmail?

From dwalsh at redhat.com Sun Jan 4 19:38:04 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sun, 04 Jan 2009 14:38:04 -0500
Subject: squid reverse proxy - AVC
In-Reply-To: <495EF945.9060708@sapience.com>
References: <495EF945.9060708@sapience.com>
Message-ID: <4961101C.5020501@redhat.com>

Mail Lists wrote:
> I use squid on the border firewall to act as a reverse proxy for
> non-https web server.
>
> This is fedora 10 fully updated with selinux set to permissive until
> its clean, I see this logged - any suggestions how to deal with it ?
>
>
> Thanks for any help
>
> gene
>
>
>
> Summary:
>
> SELinux is preventing squid (squid_t) "search" to ./etc (named_conf_t).
>
> ...
>
> Source Context                unconfined_u:system_r:squid_t:s0
> Target Context                system_u:object_r:named_conf_t:s0
> Target Objects                ./etc [ dir ]
> Source                        squid
> Source Path                   /usr/sbin/squid
> Port
>
> ...
>
> Raw Audit Messages
> type=AVC msg=audit(1230675079.826:69): avc: denied { search }
> for pid=4026 comm="squid" name="etc" dev=sda1 ino=207365
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
>
> type=SYSCALL msg=audit(1230675079.826:69): arch=40000003
> syscall=11 success=no exit=-2 a0=bfcda538 a1=bfcd94fc a2=bfcda7e8
> a3=1 items=0 ppid=4025 pid=4026 auid=500 uid=23 gid=23 euid=0 suid=0
> fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=2
> comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0
> key=(null)
>

This looks like squid_t is searching a directory named etc which is labeled named_conf_t? What does ls -ldZ /etc say? Did you relabel the /etc directory named_conf_t? Do you have squid running within some kind of named chroot?

From dwalsh at redhat.com Sun Jan 4 19:40:12 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sun, 04 Jan 2009 14:40:12 -0500
Subject: setroubleshoot - kills itself
In-Reply-To: <495FB480.9090304@sapience.com>
References: <495FB480.9090304@sapience.com>
Message-ID: <4961109C.4040308@redhat.com>

Mail Lists wrote:
> I was monitoring a remote server (permissive mode) via sealert -b
> when setroubleshootd exited with this in /var/log/messages:
>
>
> Did selinux deny setroubleshootd ?
>
> gene
>
> ----------------------------------------------------
> Jan 3 13:48:03 web1 setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0
> Jan 3 13:48:03 web1 setroubleshoot: [program.ERROR] audit event#012node=web1.prv.sapience.com type=AVC msg=audit(1231008483.779:1387): avc: denied { signull } for pid=2659 comm="setroubleshootd" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process#012#012node=web1.prv.sapience.com type=SYSCALL msg=audit(1231008483.779:1387): arch=40000003 syscall=37 success=yes exit=0 a0=2079 a1=0 a2=ad454c a3=2079 items=0 ppid=1 pid=2659 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe=2F7573722F62696E2F707974686F6E2E237072656C696E6B23202864656C6574656429 subj=system_u:system_r:setroubleshootd_t:s0 key=(null)

setroubleshoot will die if it finds an AVC about itself to prevent an infinite loop of avcs.

setroubleshoot can send itself a signull on both Rawhide and F10 with the latest updates.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklhEJwACgkQrlYvE4MpobMEWwCgg8CTKHGOOvZGU84e4Jg7ecnc
C0cAoKdhLpHG8vwEn/+tBAeo7c5e7kK1
=0Zl5
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Sun Jan 4 19:42:53 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sun, 04 Jan 2009 14:42:53 -0500
Subject: Troubleshootng the Selunix troubleshooter
In-Reply-To: <49606415.9000301@aardvark.com.au>
References: <49606415.9000301@aardvark.com.au>
Message-ID: <4961113D.7000905@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard Chapman wrote:
> Hi.. When I first installed Centos 5.0 - I disabled SELinux at the first sign of trouble. I have now seen the light - and have enabled SELinux on the system which is now updated to Centos 5.2 with Kernel Linux 2.6.18-92.1.22.el5 on x86_64. I initially enabled Selinux in permissive mode - and tried looking at the GUI SELinux Troubleshooter - but it shows no problems. This may be OK - because there are no "type=avc" messages in the audit.log file. However there are thousands of "type=user_avc".
> Here are the last 20 while in permissive mode:
>
> type=USER_AVC msg=audit(1231052785.984:833): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.984:834): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.985:835): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.986:836): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.987:837): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.987:838): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.987:839): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.988:840): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.989:841): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.990:842): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.990:843): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.990:844): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.991:845): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.991:846): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.992:847): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.992:848): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.992:849): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.992:850): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.993:851): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> type=USER_AVC msg=audit(1231052785.994:852): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>
> If I set the system to Enforcing mode - and log out and log back in - the login seems to run very slowly. If I try to run the gui SELinux Troubleshooter - the application window doesn't come up - but I see the following errors in the boot.log file.
>
> Jan 3 16:55:54 C5 dbus: avc: received setenforce notice (enforcing=1)
> Jan 3 16:56:23 C5 userhelper[24703]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with system_u:system_r:unconfined_t context
> Jan 3 16:56:23 C5 userhelper[24703]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with root privileges on behalf of 'root'
> Jan 3 16:58:02 C5 gconfd (root-21790): Exiting
> Jan 3 16:58:02 C5 sshd[21044]: pam_unix(sshd:session): session closed for user nx
> Jan 3 16:58:02 C5 su: pam_unix(su-l:session): session closed for user root
> Jan 3 16:58:23 C5 sshd[24747]: Accepted publickey for nx from 192.168.0.2 port 33869 ssh2
> Jan 3 16:58:23 C5 sshd[24747]: pam_unix(sshd:session): session opened for user nx by (uid=0)
> Jan 3 16:58:25 C5 su: pam_unix(su-l:session): session opened for user root by (uid=102)
> Jan 3 16:58:28 C5 dovecot: IMAP(tim): Disconnected: Logged out
> Jan 3 16:58:30 C5 gconfd (root-25493): starting (version 2.14.0), pid 25493 user 'root'
> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
> Jan 3 16:58:33 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
> Jan 3 16:58:33 C5 last message repeated 4 times
> Jan 3 16:58:33 C5 gconfd (root-25493): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 0
> Jan 3 16:59:46 C5 gdm[4045]: pam_unix(gdm:session): session opened for user root by (uid=0)
> Jan 3 16:59:59 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
> Jan 3 16:59:59 C5 last message repeated 4 times
> Jan 3 17:00:01 C5 crond[25738]: (root) CMD (/var/www/sarg/sarg.cron > /dev/null 2>&1)
> Jan 3 17:00:01 C5 crond[25740]: (root) CMD (/etc/webmin/webalizer/webalizer.pl /var/log/squid/access.log)
> Jan 3 17:00:01 C5 crond[25742]: (root) CMD (/etc/webmin/status/monitor.pl)
> Jan 3 17:00:01 C5 crond[25743]: (root) CMD (/etc/webmin/fetchmail/check.pl --mail rchapman\@aardvark\.com\.au --errors)
> Jan 3 17:00:01 C5 su: pam_unix(su:session): session opened for user richard by (uid=0)
> Jan 3 17:00:04 C5 su: pam_unix(su:session): session opened for user postgres by (uid=0)
> Jan 3 17:00:04 C5 su: pam_unix(su:session): session closed for user postgres
> Jan 3 17:00:13 C5 su: pam_unix(su:session): session closed for user richard
> Jan 3 17:01:01 C5 crond[25911]: (root) CMD (run-parts /etc/cron.hourly)
> Jan 3 17:01:15 C5 userhelper[25928]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with system_u:system_r:unconfined_t context
> Jan 3 17:01:15 C5 userhelper[25928]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with root privileges on behalf of 'root'
> Jan 3 17:02:18 C5 setroubleshoot: [dbus.ERROR] could not start dbus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
> Jan 3 17:03:06 C5 dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.0.199, lip=192.168.0.201
> Jan 3 17:03:37 C5 dovecot: IMAP(tim): Disconnected: Logged out
> Jan 3 17:04:14 C5 setroubleshoot: [dbus.ERROR] could not start dbus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
>
> I have also tried the command line sealert application - which runs fine - but shows no problems:
>
> [root at C5 ~]# sealert -a /var/log/audit/audit.log
> 100% donefound 0 alerts in /var/log/audit/audit.log
> [root at C5 ~]#
>
> It looks to me as if there is some problem (possibly a policy issue) with my dbus connection, and this is preventing the selinux troubleshooter operating in enforcing mode - and also probably causing some other problems in enforcing mode - though no "type-avc" problems show up in the audit logs.
>
> Can anyone explain to me what "type=user_avc" messages are - and why they are not reported by the gui SELinux troubleshooter or sealert? How should I debug the remaining issues in this system?
>
> All advice appreciated.
>
> Richard.

Please make sure your labeling is correct.

touch /.autorelabel; reboot

Looks like the entire system is running with a signal context which is causing your problems.
You might also want to grab the 5.3 policy, a preview is currently available on http://people.redhat.com/dwalsh/SELinux/RHEL5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklhET0ACgkQrlYvE4MpobN/xQCfbPlG+JiHqdeE4hlT74XlRLmR
IUQAoJu/VriYRDC2S+89oBxm7DcTN84u
=k22P
-----END PGP SIGNATURE-----

From lists at sapience.com Sun Jan 4 20:29:46 2009
From: lists at sapience.com (Mail Lists)
Date: Sun, 04 Jan 2009 15:29:46 -0500
Subject: squid reverse proxy - AVC
In-Reply-To: <4961101C.5020501@redhat.com>
References: <495EF945.9060708@sapience.com> <4961101C.5020501@redhat.com>
Message-ID: <49611C3A.9070306@sapience.com>

Apologize, I didn't list-reply ... trying again:

On 01/04/2009 02:38 PM, Daniel J Walsh wrote:
> > This looks like squid_t is searching a directory named etc which is labeled named_conf_t?
> >
> > what does ls -ldZ /etc say?

# ls -ldZ /etc
drwxr-xr-x root root system_u:object_r:etc_t:s0 /etc/

> > Did you relabel /etc directory named_conf_t?

nope - only thing I find with named_conf_t is /var/named/chroot

I note that sealert does not always show the full path - be nice if it did. In this case there are not a lot of directories called etc so it's not hard to find.

> > Do you have squid running within some kind of named chroot?

squid is not chrooted but of course bind is running in its /var/named/chroot.
This is a standard F10 install - i simply added to /etc/squid.conf some acl's and a line to have it reverse proxy to DMZ web server like below

http_port :80 vhost defaultsite=:80

From lists at sapience.com Sun Jan 4 20:33:59 2009
From: lists at sapience.com (Mail Lists)
Date: Sun, 04 Jan 2009 15:33:59 -0500
Subject: setroubleshoot - kills itself
In-Reply-To: <4961109C.4040308@redhat.com>
References: <495FB480.9090304@sapience.com> <4961109C.4040308@redhat.com>
Message-ID: <49611D37.3090905@sapience.com>

On 01/04/2009 02:40 PM, Daniel J Walsh wrote:
> setroubleshoot will die if it finds an AVC about itself to prevent an infinite loop of avcs.
>
> setroubleshoot can send itself a signull on both Rawhide and F10 with the latest updates.

What caused it to have a problem ? Is this expected behaviour for setroubleshootd - or is something amiss that caused it to get the signull ? Do I need to write a monitor script to keep restarting it ?

From paul at city-fan.org Sun Jan 4 20:48:50 2009
From: paul at city-fan.org (Paul Howarth)
Date: Sun, 4 Jan 2009 20:48:50 +0000
Subject: avc Dead-Letter? Fedora 10
In-Reply-To: <49610F95.1070101@redhat.com>
References: <49577090.1010603@fedoraproject.org> <49610F95.1070101@redhat.com>
Message-ID: <20090104204850.782a8fa2@city-fan.org>

On Sun, 04 Jan 2009 14:35:49 -0500 Daniel J Walsh wrote:
> The problem here looks like logwatch did not transition to system_mail_t when running sendmail.
Funnily enough I've had a similar issue with logrotate not transitioning to squid_t on Fedora 10:

type=AVC msg=audit(1231041733.717:646): avc: denied { read } for pid=6892 comm="squid" name="squid.conf" dev=dm-6 ino=147637 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:squid_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1231041733.717:646): arch=c000003e syscall=2 success=no exit=-13 a0=7f8b4a6bb260 a1=0 a2=1b6 a3=7f8b48be47b0 items=0 ppid=6891 pid=6892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=101 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

The result of this is the following email when logrotate runs:

/etc/cron.daily/logrotate:

2009/01/04 04:02:13| ALERT: initgroups: unable to set groups for User squid and Group 0
FATAL: Unable to open configuration file: /etc/squid/squid.conf: (13) Permission denied
Squid Cache (Version 3.0.STABLE10): Terminated abnormally.
CPU Usage: 0.032 seconds = 0.009 user + 0.023 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 25

Paul.

From tmz at pobox.com Mon Jan 5 03:03:32 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Sun, 4 Jan 2009 22:03:32 -0500
Subject: libgpod HAL callout and SELinux denials
In-Reply-To: <4960EBB7.1000002@redhat.com>
References: <20090104153414.GH12325@inocybe.teonanacatl.org> <4960EBB7.1000002@redhat.com>
Message-ID: <20090105030332.GL12325@inocybe.teonanacatl.org>

Daniel J Walsh wrote:
> Use /var/run/hald instead of /tmp.

Will do.

> And I will add rules to allow this in F10 and F11.

Thanks Dan!

> Are you planning on putting this in F9?

Yes. (Actually, the callout is already there, but due to a hal path issue, it wasn't ever being called. Once that issue is fixed, users would start to notice the SELinux denials. I'll wait until I see the policy package updates before pushing any libgpod updates though. And no one will be the wiser, hopefully.)

> RHEL5.4?
Not that I'm aware of. In RHEL, libgpod is a core package, and I don't have any part of the maintenance there. But it would appear unlikely to see an update, as currently RHEL has 0.4.0, while Fedora has 0.6.0 (which first added the callout). The library soname changed between 0.4.0 and 0.6.0, which makes me doubt that RHEL will bump it during a point release.

Thanks again for the quick response! May it rain the beverage of your choice. ;)

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Religion. A daughter of Hope and Fear, explaining to Ignorance the nature of the Unknowable.
    -- Ambrose Bierce, The Enlarged Devil's Dictionary, 1906

From rchapman at aardvark.com.au Mon Jan 5 05:47:35 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Mon, 05 Jan 2009 14:47:35 +0900
Subject: Troubleshootng the Selunix troubleshooter
In-Reply-To: <4961113D.7000905@redhat.com>
References: <49606415.9000301@aardvark.com.au> <4961113D.7000905@redhat.com>
Message-ID: <49619EF7.1010700@aardvark.com.au>

Thanks Daniel

I'm pretty sure you are right - that there is something wrong with the labelling - but

touch /.autorelabel; reboot

Doesn't seem to cause the relabelling. I was a bit suspicious that the relabelling didn't work the first time - because I also did a touch /forcefsck at the boot when I was expecting relabelling - and it seemed to do 3 fscks - but no obvious relabelling. I assumed one of the fscks must have really been a relabel - but maybe not.... Now when I do the touch and reboot - there is no delay in the reboot messages on the system console.
I have found this thread - which seem to describe a similar lack of relabelling - but doesn't offer a solution: http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17009&forum=37&post_id=60859 I haven't tried the 5.3 policy preview yet. Might that help me with the relabelling? Thanks again Richard. Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Richard Chapman wrote: > >> Hi.. When I first installed Centos 5.0 - I disabled SELinux at the first >> sign of trouble. I have now seen the light - and have enabled SELinux >> on the system which is now updated to Centos 5.2 with Kernel Linux >> 2.6.18-92.1.22.el5 on x86_64. I initially enabled Selinux in permissive >> mode - and tried looking at the GUI SELinux Troubleshooter - but it >> shows no problems. This may be OK - because there are no "type=avc" >> messages in the audit.log file. However there are thousands of "type= >> user_avc". Here are the last 20 while in permissive mode: >> >> type=USER_AVC msg=audit(1231052785.984:833): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=AddMatch dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.984:834): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=GetNameOwner dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.985:835): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for 
msgtype=method_call interface=org.freedesktop.Hal.Device >> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.986:836): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >> scontext=system_u:system_r:init_t:s0 >> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.987:837): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.987:838): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=AddMatch dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.987:839): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=GetNameOwner dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.988:840): 
user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device >> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.989:841): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >> scontext=system_u:system_r:init_t:s0 >> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.990:842): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.990:843): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=AddMatch dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.990:844): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=GetNameOwner dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> 
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.991:845): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device >> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.991:846): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >> scontext=system_u:system_r:init_t:s0 >> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.992:847): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.992:848): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=AddMatch dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.992:849): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=GetNameOwner dest=org.freedesktop.DBus 
spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.992:850): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device >> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.993:851): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >> scontext=system_u:system_r:init_t:s0 >> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> type=USER_AVC msg=audit(1231052785.994:852): user pid=2489 uid=81 >> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >> scontext=user_u:system_r:initrc_t:s0 >> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >> >> >> If I set the system to Enforcing mode - and log out and log back in - >> the login seems to run very slowly. If I try to run the gui SELinux >> Troubleshooter - the application window doesn't come up - but I see the >> following errors in the boot.log file. 
>>
>> Jan 3 16:55:54 C5 dbus: avc: received setenforce notice (enforcing=1)
>> Jan 3 16:56:23 C5 userhelper[24703]: running
>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py'
>> with system_u:system_r:unconfined_t context
>> Jan 3 16:56:23 C5 userhelper[24703]: running
>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py'
>> with root privileges on behalf of 'root'
>> Jan 3 16:58:02 C5 gconfd (root-21790): Exiting
>> Jan 3 16:58:02 C5 sshd[21044]: pam_unix(sshd:session): session closed
>> for user nx
>> Jan 3 16:58:02 C5 su: pam_unix(su-l:session): session closed for user root
>> Jan 3 16:58:23 C5 sshd[24747]: Accepted publickey for nx from
>> 192.168.0.2 port 33869 ssh2
>> Jan 3 16:58:23 C5 sshd[24747]: pam_unix(sshd:session): session opened
>> for user nx by (uid=0)
>> Jan 3 16:58:25 C5 su: pam_unix(su-l:session): session opened for user
>> root by (uid=102)
>> Jan 3 16:58:28 C5 dovecot: IMAP(tim): Disconnected: Logged out
>> Jan 3 16:58:30 C5 gconfd (root-25493): starting (version 2.14.0), pid
>> 25493 user 'root'
>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address
>> "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only
>> configuration source at position 0
>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address
>> "xml:readwrite:/root/.gconf" to a writable configuration source at
>> position 1
>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address
>> "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only
>> configuration source at position 2
>> Jan 3 16:58:33 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0
>> Not Found
>> Jan 3 16:58:33 C5 last message repeated 4 times
>> Jan 3 16:58:33 C5 gconfd (root-25493): Resolved address
>> "xml:readwrite:/root/.gconf" to a writable configuration source at
>> position 0
>> Jan 3 16:59:46 C5 gdm[4045]: pam_unix(gdm:session): session opened for
>> user root by (uid=0)
>> Jan 3 16:59:59 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0
>> Not Found
>> Jan 3 16:59:59 C5 last message repeated 4 times
>> Jan 3 17:00:01 C5 crond[25738]: (root) CMD (/var/www/sarg/sarg.cron >
>> /dev/null 2>&1)
>> Jan 3 17:00:01 C5 crond[25740]: (root) CMD
>> (/etc/webmin/webalizer/webalizer.pl /var/log/squid/access.log)
>> Jan 3 17:00:01 C5 crond[25742]: (root) CMD (/etc/webmin/status/monitor.pl)
>> Jan 3 17:00:01 C5 crond[25743]: (root) CMD
>> (/etc/webmin/fetchmail/check.pl --mail rchapman\@aardvark\.com\.au
>> --errors)
>> Jan 3 17:00:01 C5 su: pam_unix(su:session): session opened for user
>> richard by (uid=0)
>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session opened for user
>> postgres by (uid=0)
>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session closed for user
>> postgres
>> Jan 3 17:00:13 C5 su: pam_unix(su:session): session closed for user richard
>> Jan 3 17:01:01 C5 crond[25911]: (root) CMD (run-parts /etc/cron.hourly)
>> Jan 3 17:01:15 C5 userhelper[25928]: running
>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py'
>> with system_u:system_r:unconfined_t context
>> Jan 3 17:01:15 C5 userhelper[25928]: running
>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py'
>> with root privileges on behalf of 'root'
>> Jan 3 17:02:18 C5 setroubleshoot: [dbus.ERROR] could not start dbus: Did
>> not receive a reply. Possible causes include: the remote application did
>> not send a reply, the message bus security policy blocked the reply, the
>> reply timeout expired, or the network connection was broken.
>> Jan 3 17:03:06 C5 dovecot: imap-login: Login: user=, method=PLAIN,
>> rip=192.168.0.199, lip=192.168.0.201
>> Jan 3 17:03:37 C5 dovecot: IMAP(tim): Disconnected: Logged out
>> Jan 3 17:04:14 C5 setroubleshoot: [dbus.ERROR] could not start dbus: Did
>> not receive a reply. Possible causes include: the remote application did
>> not send a reply, the message bus security policy blocked the reply, the
>> reply timeout expired, or the network connection was broken.
>>
>> I have also tried the command line sealert application - which runs fine
>> - but shows no problems:
>>
>> [root@C5 ~]# sealert -a /var/log/audit/audit.log
>> 100% donefound 0 alerts in /var/log/audit/audit.log
>> [root@C5 ~]#
>> It looks to me as if there is some problem (possibly a policy issue)
>> with my dbus connection, and this is preventing the selinux
>> troubleshooter operating in enforcing mode - and also probably causing
>> some other problems in enforcing mode - though no "type=avc" problems
>> show up in the audit logs.
>>
>> Can anyone explain to me what "type=user_avc" messages are - and why
>> they are not reported by the gui SELinux troubleshooter or sealert? How
>> should I debug the remaining issues in this system?
>>
>> All advice appreciated.
>>
>> Richard.
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> Please make sure your labeling is correct.
>
> touch /.autorelabel; reboot
>
> Looks like the entire system is running with a signal context which is
> causing your problems.
>
> You might also want to grab the 5.3 policy, a preview is currently
> available on
>
> http://people.redhat.com/dwalsh/SELinux/RHEL5
>

From rchapman at aardvark.com.au Mon Jan 5 06:10:54 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Mon, 05 Jan 2009 15:10:54 +0900
Subject: Troubleshootng the Selunix troubleshooter
In-Reply-To: <49619EF7.1010700@aardvark.com.au>
References: <49606415.9000301@aardvark.com.au> <4961113D.7000905@redhat.com> <49619EF7.1010700@aardvark.com.au>
Message-ID: <4961A46E.3050900@aardvark.com.au>

Hi again Daniel

Here is some more info on this problem - which may be significant...

After checking the link from my last email again I tried:

[root@C5 ~]# fixfiles relabel

Files in the /tmp directory may be labeled incorrectly, this command
can remove all files in /tmp. If you choose to remove files from /tmp,
a reboot will be required after completion. Do you wish to clean out
the /tmp directory [N]?
y
Cleaning out /tmp
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 18 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 19 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 20 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 23 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 40 has invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 41 has invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 42 has invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 43 has invalid context root:object_r:user_mozilla_home_t:s0
Exiting after 10 errors.
[root@C5 ~]#

Looks like there is a problem with the policy? Any suggestions how to resolve this?

Richard.


Richard Chapman wrote:
> Thanks Daniel
>
> I'm pretty sure you are right - that there is something wrong with the
> labelling - but
>
> touch /.autorelabel; reboot
>
> Doesn't seem to cause the relabelling.
> I was a bit suspicious that the relabelling didn't work the first time
> - because I also did a touch /forcefsck at the boot when I was
> expecting relabelling - and it seemed to do 3 fscks - but no obvious
> relabelling. I assumed one of the fscks must have really been a
> relabel - but maybe not.... Now when I do the touch and reboot - there
> is no delay in the reboot messages on the system console.
>
> I have found this thread - which seems to describe a similar lack of
> relabelling - but doesn't offer a solution:
> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17009&forum=37&post_id=60859
>
> I haven't tried the 5.3 policy preview yet. Might that help me with
> the relabelling?
>
> Thanks again
>
> Richard.
>
>
> Daniel J Walsh wrote:
>> Richard Chapman wrote:
>>
>>> Hi.. When I first installed Centos 5.0 - I disabled SELinux at the
>>> first
>>> sign of trouble. I have now seen the light - and have enabled SELinux
>>> on the system which is now updated to Centos 5.2 with Kernel Linux
>>> 2.6.18-92.1.22.el5 on x86_64. I initially enabled Selinux in permissive
>>> mode - and tried looking at the GUI SELinux Troubleshooter - but it
>>> shows no problems. This may be OK - because there are no "type=avc"
>>> messages in the audit.log file. However there are thousands of "type=
>>> user_avc". Here are the last 20 while in permissive mode:
>>>
>>> [snip: the same USER_AVC records as quoted in full above]
>>>
>>> If I set the system to Enforcing mode - and log out and log back in -
>>> the login seems to run very slowly. If I try to run the gui SELinux
>>> Troubleshooter - the application window doesn't come up - but I see the
>>> following errors in the boot.log file.
>>>
>>> [snip: the same boot.log lines as quoted in full above]
>>>
>>> I have also tried the command line sealert application - which runs fine
>>> - but shows no problems:
>>>
>>> [root@C5 ~]# sealert -a /var/log/audit/audit.log
>>> 100% donefound 0 alerts in /var/log/audit/audit.log
>>> [root@C5 ~]#
>>> It looks to me as if there is some problem (possibly a policy issue)
>>> with my dbus connection, and this is preventing the selinux
>>> troubleshooter operating in enforcing mode - and also probably causing
>>> some other problems in enforcing mode - though no "type=avc" problems
>>> show up in the audit logs.
>>>
>>> Can anyone explain to me what "type=user_avc" messages are - and why
>>> they are not reported by the gui SELinux troubleshooter or sealert? How
>>> should I debug the remaining issues in this system?
>>>
>>> All advice appreciated.
>>>
>>> Richard.
>>>
>> Please make sure your labeling is correct.
>>
>> touch /.autorelabel; reboot
>>
>> Looks like the entire system is running with a signal context which is
>> causing your problems.
>>
>> You might also want to grab the 5.3 policy, a preview is currently
>> available on
>>
>> http://people.redhat.com/dwalsh/SELinux/RHEL5
>>
>

From zoroufi at gmail.com Mon Jan 5 13:10:36 2009
From: zoroufi at gmail.com (Mohammad zoroufi)
Date: Mon, 5 Jan 2009 16:40:36 +0330
Subject: SELinux XWindows Problem
Message-ID:

Dear All,
I would like to make SELinux operate in Enforcing mode (Fedora 9); but the main
problem I have encountered is that XWindows is not supported by SELinux.
So I should work in text mode.
Would anyone help me with this so that I can overcome this problem?

Sincerely

From dwalsh at redhat.com Mon Jan 5 13:59:40 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 05 Jan 2009 08:59:40 -0500
Subject: SELinux XWindows Problem
In-Reply-To:
References:
Message-ID: <4962124C.3000903@redhat.com>

Mohammad zoroufi wrote:
> Dear All,
> I would like to make SELinux operate in Enforcing mode (Fedora 9); but the main
> problem I have encountered is that XWindows is not supported by SELinux.
> So I should work in text mode.
> Would anyone help me with this so that I can overcome this problem?
>
> Sincerely
>
>
Are you talking about the MLS Policy? Xwindows is supported for all
Fedora Releases when using targeted policy and there are many people
using Xwindows and MLS policy in F10.

From zoroufi at gmail.com Mon Jan 5 15:13:24 2009
From: zoroufi at gmail.com (zoroufi)
Date: Mon, 5 Jan 2009 07:13:24 -0800 (PST)
Subject: SELinux XWindows Problem
In-Reply-To: <4962124C.3000903@redhat.com>
References: <4962124C.3000903@redhat.com>
Message-ID: <21292740.post@talk.nabble.com>

Dear Daniel,
Thanks for your comment.
Yes, the MLS policy was what I meant.
Due to some political constraints I should make MLS policy enforcing in FC9
with XWindows Support.
Do you think upgrading XOrg to a higher version might solve the problem? If not,
do you have any alternatives for this?
When I switch into MLS policy in enforcing mode Xwindows doesn't work
properly and at the worst it is not possible to login to the operating
system via the graphical terminal.
Thanks again for your carefulness.

Daniel J Walsh wrote:
>
> Mohammad zoroufi wrote:
>> Dear All,
>> I would like to make SELinux operate in Enforcing mode (Fedora 9); but the
>> main
>> problem I have encountered is that XWindows is not supported by
>> SELinux.
>> So I should work in text mode.
>> Would anyone help me with this so that I can overcome this problem?
>>
>> Sincerely
>>
>>
> Are you talking about the MLS Policy? Xwindows is supported for all
> Fedora Releases when using targeted policy and there are many people
> using Xwindows and MLS policy in F10.

From dwalsh at redhat.com Mon Jan 5 15:24:43 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 05 Jan 2009 10:24:43 -0500
Subject: SELinux XWindows Problem
In-Reply-To: <21292740.post@talk.nabble.com>
References: <4962124C.3000903@redhat.com> <21292740.post@talk.nabble.com>
Message-ID: <4962263B.2030304@redhat.com>

zoroufi wrote:
> Dear Daniel,
> Thanks for your comment.
> Yes, the MLS policy was what I meant.
> Due to some political constraints I should make MLS policy enforcing in FC9
> with XWindows Support.
> Do you think upgrading XOrg to a higher version might solve the problem? If not,
> do you have any alternatives for this?
> When I switch into MLS policy in enforcing mode Xwindows doesn't work
> properly and at the worst it is not possible to login to the operating
> system via the graphical terminal.
> Thanks again for your carefulness.
>
Yes, MLS is not supported with XWindows yet. As I stated you might be
luckier with F10. Not sure why you are required to run MLS though
unless you are actually storing multi level data on your system.
>
> Daniel J Walsh wrote:
>> Mohammad zoroufi wrote:
>>> Dear All,
>>> I would like to make SELinux operate in Enforcing mode (Fedora 9); but the
>>> main
>>> problem I have encountered is that XWindows is not supported by
>>> SELinux.
>>> So I should work in text mode.
>>> Would anyone help me with this so that I can overcome this problem?
>>>
>>> Sincerely
>>>
>>>
>> Are you talking about the MLS Policy? Xwindows is supported for all
>> Fedora Releases when using targeted policy and there are many people
>> using Xwindows and MLS policy in F10.

From dpquigl at tycho.nsa.gov Mon Jan 5 15:30:53 2009
From: dpquigl at tycho.nsa.gov (David P. Quigley)
Date: Mon, 05 Jan 2009 10:30:53 -0500
Subject: squid reverse proxy - AVC
In-Reply-To: <49611C3A.9070306@sapience.com>
References: <495EF945.9060708@sapience.com> <4961101C.5020501@redhat.com> <49611C3A.9070306@sapience.com>
Message-ID: <1231169453.18774.5.camel@moss-terrapins.epoch.ncsc.mil>

On Sun, 2009-01-04 at 15:29 -0500, Mail Lists wrote:
>
> Apologize I didn't list reply ...
>
> trying again:
>
> On 01/04/2009 02:38 PM, Daniel J Walsh wrote:
> > > This looks like squid_t is searching a directory named etc which is
> > > labeled named_conf_t?
> > >
> > > what does ls -ldZ /etc
> > > say?
>
> # ls -ldZ /etc
> drwxr-xr-x root root system_u:object_r:etc_t:s0 /etc/
>
> > >
> > > Did you relabel /etc directory named_conf_t?
>
> nope - only thing I find with named_conf_t is /var/named/chroot
>
> I note that sealert does not always show the full path - be nice if it
> did. In this case there are not a lot of directories called etc so it's
> not hard to find.

The directory you are trying to access is etc but not /etc. Under
/var/named/chroot there is an etc directory in there for the chroot which
is labeled with named_conf_t. It might be good for us to have this
labeled with etc_t instead. There are several directories under the
chroot which should probably be given their proper labeling.

Dave

From olivares14031 at yahoo.com Mon Jan 5 16:32:34 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 5 Jan 2009 08:32:34 -0800 (PST)
Subject: SELinux: class kernel_service not defined in policy
Message-ID: <713024.67408.qm@web52605.mail.re2.yahoo.com>

What does the following mean?

SELinux: class kernel_service not defined in policy

running rawhide btw.

Regards,

Antonio

From dwalsh at redhat.com Mon Jan 5 19:16:10 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 05 Jan 2009 14:16:10 -0500
Subject: SELinux: class kernel_service not defined in policy
In-Reply-To: <713024.67408.qm@web52605.mail.re2.yahoo.com>
References: <713024.67408.qm@web52605.mail.re2.yahoo.com>
Message-ID: <49625C7A.7000702@redhat.com>

Antonio Olivares wrote:
> What does the following mean?
>
> SELinux: class kernel_service not defined in policy
>
>
> running rawhide btw.
>
> Regards,
>
> Antonio
>
That means the kernel has a new class defined which we currently do not
have policy for. Eventually policy will be defined for this class and
the message will be gone.
Not sure what the kernel_service class is for?

eparis?

From sds at tycho.nsa.gov Mon Jan 5 19:18:42 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Mon, 05 Jan 2009 14:18:42 -0500
Subject: SELinux: class kernel_service not defined in policy
In-Reply-To: <49625C7A.7000702@redhat.com>
References: <713024.67408.qm@web52605.mail.re2.yahoo.com> <49625C7A.7000702@redhat.com>
Message-ID: <1231183122.3102.25.camel@localhost.localdomain>

On Mon, 2009-01-05 at 14:16 -0500, Daniel J Walsh wrote:
> Antonio Olivares wrote:
> > What does the following mean?
> >
> > SELinux: class kernel_service not defined in policy
> >
> > running rawhide btw.
> >
> > Regards,
> >
> > Antonio
> That means the kernel has a new class defined which we currently do not
> have policy for. Eventually policy will be defined for this class and
> the message will be gone.
>
> Not sure what the kernel_service class is for?
>
> eparis?

Patch already posted to refpolicy list to define it. It was introduced by
David Howells' patches for use by cachefiles as well as any future kernel
services that likewise need to override task credentials.
--
Stephen Smalley
National Security Agency

From lists at sapience.com Tue Jan 6 02:42:26 2009
From: lists at sapience.com (Mail Lists)
Date: Mon, 05 Jan 2009 21:42:26 -0500
Subject: squid reverse proxy - AVC
In-Reply-To: <496226D3.3090402@redhat.com>
References: <495EF945.9060708@sapience.com> <4961101C.5020501@redhat.com> <49611B83.1090608@sapience.com> <496226D3.3090402@redhat.com>
Message-ID: <4962C512.60000@sapience.com>

On 01/05/2009 10:27 AM, Daniel J Walsh wrote:
>
> Are you seeing this avc on every boot? Or just once. This could have
> happened if you were in the /var/named/chroot/etc directory when you
> restarted the squid application.

Brilliant catch - I just cd /etc/squid and restarted it ... and no avc.
I have not as yet rebooted to see what happens on a full reboot - but it
certainly appears that I was in /var/named/chroot/etc when I started squid.

I will report back when the machine gets a reboot to confirm all is well.

Thank you for your insight and help.

gene/

From loganjerry at gmail.com Wed Jan 7 16:41:04 2009
From: loganjerry at gmail.com (Jerry James)
Date: Wed, 7 Jan 2009 09:41:04 -0700
Subject: GCL
In-Reply-To: <870180fe0812181440v1be0faan99e899cc960a6670@mail.gmail.com>
References: <870180fe0812181440v1be0faan99e899cc960a6670@mail.gmail.com>
Message-ID: <870180fe0901070841t71d06d2aj2bd1b516ffb7997b@mail.gmail.com>

On Thu, Dec 18, 2008 at 3:40 PM, Jerry James wrote:
> I have been told that the Fedora builders run with SELinux disabled.
> In that case, is it necessary to continue with bz #472780? Can I just
> include the policy I attached to that bug in the GCL source RPM and
> stop worrying about build-time permissions? Do I need somebody's
> permission (no pun intended) to do that?

Could I please get a response to this, either here or in bugzilla?
Thank you,
--
Jerry James
http://loganjerry.googlepages.com/

From dwalsh at redhat.com Wed Jan 7 20:46:25 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 07 Jan 2009 15:46:25 -0500
Subject: squid reverse proxy - AVC
In-Reply-To: <4962C512.60000@sapience.com>
References: <495EF945.9060708@sapience.com> <4961101C.5020501@redhat.com> <49611B83.1090608@sapience.com> <496226D3.3090402@redhat.com> <4962C512.60000@sapience.com>
Message-ID: <496514A1.9030201@redhat.com>

Mail Lists wrote:
> On 01/05/2009 10:27 AM, Daniel J Walsh wrote:
>
>> Are you seeing this avc on every boot? Or just once. This could have
>> happened if you were in the /var/named/chroot/etc directory when you
>> restarted the squid application.
>
> Brilliant catch - I just cd /etc/squid and restarted it ... and no
> avc. I have not as yet rebooted to see what happens on a full reboot -
> but it certainly appears that I was in /var/named/chroot/etc when I
> started squid.
>
> I will report back when the machine gets a reboot to confirm all is well.
>
> Thank you for your insight and help.
>
> gene/

Confined applications have a bad habit of running getattr on the Current
Working Directory when they start, generating bizarre AVC messages.
From dwalsh at redhat.com Wed Jan 7 20:48:23 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 07 Jan 2009 15:48:23 -0500
Subject: setroubleshoot - kills itself
In-Reply-To: <49611D37.3090905@sapience.com>
References: <495FB480.9090304@sapience.com> <4961109C.4040308@redhat.com> <49611D37.3090905@sapience.com>
Message-ID: <49651517.8020006@redhat.com>

Mail Lists wrote:
> On 01/04/2009 02:40 PM, Daniel J Walsh wrote:
>
>> setroubleshoot will die if it finds an AVC about itself to prevent an
>> infinite loop of avcs.
>>
>> setroubleshoot can send itself a signull on both Rawhide and F10 with
>> the latest updates.
>
> What caused it to have a problem? Is this expected behaviour for
> setroubleshootd - or is something amiss that caused it to get the signull?
>
> Do I need to write a monitor script to keep restarting it?

No, it is probably just a bug in policy. setroubleshoot executes a lot of
code to try to figure out what caused an AVC, so sometimes a new code path
is crossed which we did not write policy for.
From dwalsh at redhat.com Wed Jan 7 20:50:57 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 07 Jan 2009 15:50:57 -0500
Subject: Troubleshootng the Selunix troubleshooter
In-Reply-To: <4961A46E.3050900@aardvark.com.au>
References: <49606415.9000301@aardvark.com.au> <4961113D.7000905@redhat.com> <49619EF7.1010700@aardvark.com.au> <4961A46E.3050900@aardvark.com.au>
Message-ID: <496515B1.4000507@redhat.com>

Richard Chapman wrote:
> Hi again Daniel
>
> Here is some more info on this problem - which may be significant...
> After checking the link from my last email again I tried:
> [root at C5 ~]# fixfiles relabel
>
> Files in the /tmp directory may be labeled incorrectly, this command
> can remove all files in /tmp. If you choose to remove files from /tmp,
> a reboot will be required after completion.
> Do you wish to clean out the /tmp directory [N]?
> y
> Cleaning out /tmp
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 18 has invalid context user_u:object_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 19 has invalid context user_u:object_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 20 has invalid context user_u:object_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 has invalid context user_u:object_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 23 has invalid context user_u:object_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 40 has invalid context root:object_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 41 has invalid context root:object_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 42 has invalid context root:object_r:user_mozilla_home_t:s0
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 43 has invalid context root:object_r:user_mozilla_home_t:s0
> Exiting after 10 errors.
> [root at C5 ~]#
>
> Looks like there is a problem with the policy? Any suggestions how to
> resolve this?
>
> Richard.
>
> Richard Chapman wrote:
>> Thanks Daniel
>>
>> I'm pretty sure you are right - that there is something wrong with the
>> labelling - but
>>
>> touch /.autorelabel; reboot
>>
>> Doesn't seem to cause the relabelling.
>> I was a bit suspicious that the relabelling didn't work the first time
>> - because I also did a touch /forcefsck at the boot when I was
>> expecting relabelling - and it seemed to do 3 fscks - but no obvious
>> relabelling. I assumed one of the fscks must have really been a
>> relabel - but maybe not.... Now when I do the touch and reboot - there
>> is no delay in the reboot messages on the system console.
>>
>> I have found this thread - which seems to describe a similar lack of
>> relabelling - but doesn't offer a solution:
>> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17009&forum=37&post_id=60859
>>
>> I haven't tried the 5.3 policy preview yet. Might that help me with
>> the relabelling?
>>
>> Thanks again
>>
>> Richard.
>>
>> Daniel J Walsh wrote:
> Richard Chapman wrote:
>>>>> Hi.. When I first installed Centos 5.0 - I disabled SELinux at the first
>>>>> sign of trouble. I have now seen the light - and have enabled SELinux
>>>>> on the system which is now updated to Centos 5.2 with Kernel Linux
>>>>> 2.6.18-92.1.22.el5 on x86_64. I initially enabled SELinux in permissive
>>>>> mode - and tried looking at the GUI SELinux Troubleshooter - but it
>>>>> shows no problems. This may be OK - because there are no "type=avc"
>>>>> messages in the audit.log file. However there are thousands of
>>>>> "type=user_avc". Here are the last 20 while in permissive mode:
>>>>>
>>>>> type=USER_AVC msg=audit(1231052785.984:833): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.984:834): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.985:835): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.986:836): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.987:837): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.987:838): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.987:839): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.988:840): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.989:841): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.990:842): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.990:843): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.990:844): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.991:845): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.991:846): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.992:847): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.992:848): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.992:849): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=GetNameOwner dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.992:850): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.993:851): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 scontext=system_u:system_r:init_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>> type=USER_AVC msg=audit(1231052785.994:852): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=RemoveMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>>>>>
>>>>> If I set the system to Enforcing mode - and log out
>>>>> and log back in -
>>>>> the login seems to run very slowly. If I try to run the gui SELinux
>>>>> Troubleshooter - the application window doesn't come up - but I see the
>>>>> following errors in the boot.log file.
>>>>>
>>>>> Jan 3 16:55:54 C5 dbus: avc: received setenforce notice (enforcing=1)
>>>>> Jan 3 16:56:23 C5 userhelper[24703]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with system_u:system_r:unconfined_t context
>>>>> Jan 3 16:56:23 C5 userhelper[24703]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with root privileges on behalf of 'root'
>>>>> Jan 3 16:58:02 C5 gconfd (root-21790): Exiting
>>>>> Jan 3 16:58:02 C5 sshd[21044]: pam_unix(sshd:session): session closed for user nx
>>>>> Jan 3 16:58:02 C5 su: pam_unix(su-l:session): session closed for user root
>>>>> Jan 3 16:58:23 C5 sshd[24747]: Accepted publickey for nx from 192.168.0.2 port 33869 ssh2
>>>>> Jan 3 16:58:23 C5 sshd[24747]: pam_unix(sshd:session): session opened for user nx by (uid=0)
>>>>> Jan 3 16:58:25 C5 su: pam_unix(su-l:session): session opened for user root by (uid=102)
>>>>> Jan 3 16:58:28 C5 dovecot: IMAP(tim): Disconnected: Logged out
>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): starting (version 2.14.0), pid 25493 user 'root'
>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
>>>>> Jan 3 16:58:33 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jan 3 16:58:33 C5 last message repeated 4 times
>>>>> Jan 3 16:58:33 C5 gconfd (root-25493): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 0
>>>>> Jan 3 16:59:46 C5 gdm[4045]: pam_unix(gdm:session): session opened for user root by (uid=0)
>>>>> Jan 3 16:59:59 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jan 3 16:59:59 C5 last message repeated 4 times
>>>>> Jan 3 17:00:01 C5 crond[25738]: (root) CMD (/var/www/sarg/sarg.cron > /dev/null 2>&1)
>>>>> Jan 3 17:00:01 C5 crond[25740]: (root) CMD (/etc/webmin/webalizer/webalizer.pl /var/log/squid/access.log)
>>>>> Jan 3 17:00:01 C5 crond[25742]: (root) CMD (/etc/webmin/status/monitor.pl)
>>>>> Jan 3 17:00:01 C5 crond[25743]: (root) CMD (/etc/webmin/fetchmail/check.pl --mail rchapman\@aardvark\.com\.au --errors)
>>>>> Jan 3 17:00:01 C5 su: pam_unix(su:session): session opened for user richard by (uid=0)
>>>>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session opened for user postgres by (uid=0)
>>>>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session closed for user postgres
>>>>> Jan 3 17:00:13 C5 su: pam_unix(su:session): session closed for user richard
>>>>> Jan 3 17:01:01 C5 crond[25911]: (root) CMD (run-parts /etc/cron.hourly)
>>>>> Jan 3 17:01:15 C5 userhelper[25928]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with system_u:system_r:unconfined_t context
>>>>> Jan 3 17:01:15 C5 userhelper[25928]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with root privileges on behalf of 'root'
>>>>> Jan 3 17:02:18 C5 setroubleshoot: [dbus.ERROR] could not start dbus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
>>>>> Jan 3 17:03:06 C5 dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.0.199, lip=192.168.0.201
>>>>> Jan 3 17:03:37 C5 dovecot: IMAP(tim): Disconnected: Logged out
>>>>> Jan 3 17:04:14 C5 setroubleshoot: [dbus.ERROR] could not start dbus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
>>>>>
>>>>> I have also tried the command line sealert application - which runs fine
>>>>> - but shows no problems:
>>>>>
>>>>> [root at C5 ~]# sealert -a /var/log/audit/audit.log
>>>>> 100% donefound 0 alerts in /var/log/audit/audit.log
>>>>> [root at C5 ~]#
>>>>> It looks to me as if there is some problem (possibly a policy issue)
>>>>> with my dbus connection, and this is preventing the selinux
>>>>> troubleshooter operating in enforcing mode - and also probably causing
>>>>> some other problems in enforcing mode - though no "type=avc" problems
>>>>> show up in the audit logs.
>>>>>
>>>>> Can anyone explain to me what "type=user_avc" messages are - and why
>>>>> they are not reported by the gui SELinux troubleshooter or sealert? How
>>>>> should I debug the remaining issues in this system?
>>>>>
>>>>> All advice appreciated.
>>>>>
>>>>> Richard.
>>>>>
> Please make sure your labeling is correct.
>
> touch /.autorelabel; reboot
>
> Looks like the entire system is running with a signal context which is
> causing your problems.
>
> You might also want to grab the 5.3 policy, a preview is currently
> available on
>
> http://people.redhat.com/dwalsh/SELinux/RHEL5

Upgrade to the 5.3 policy and see if the problem goes away.

From dwalsh at redhat.com Wed Jan 7 21:04:01 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 07 Jan 2009 16:04:01 -0500
Subject: avc Dead-Letter? Fedora 10
In-Reply-To: <20090104204850.782a8fa2@city-fan.org>
References: <49577090.1010603@fedoraproject.org> <49610F95.1070101@redhat.com> <20090104204850.782a8fa2@city-fan.org>
Message-ID: <496518C1.2090808@redhat.com>

Paul Howarth wrote:
> On Sun, 04 Jan 2009 14:35:49 -0500
> Daniel J Walsh wrote:
>> The problem here looks like logwatch did not transition to
>> system_mail_t when running sendmail.
>
> Funnily enough I've had a similar issue with logrotate not
> transitioning to squid_t on Fedora 10:
>
> type=AVC msg=audit(1231041733.717:646): avc: denied { read } for pid=6892 comm="squid" name="squid.conf" dev=dm-6 ino=147637 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:squid_conf_t:s0 tclass=file
> type=SYSCALL msg=audit(1231041733.717:646): arch=c000003e syscall=2 success=no exit=-13 a0=7f8b4a6bb260 a1=0 a2=1b6 a3=7f8b48be47b0 items=0 ppid=6891 pid=6892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=101 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
>
> The result of this is the following email when logrotate runs:
>
> /etc/cron.daily/logrotate:
>
> 2009/01/04 04:02:13| ALERT: initgroups: unable to set groups for User squid and Group 0
> FATAL: Unable to open configuration file: /etc/squid/squid.conf: (13) Permission denied
> Squid Cache (Version 3.0.STABLE10): Terminated abnormally.
> CPU Usage: 0.032 seconds = 0.009 user + 0.023 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 25
>
> Paul.

Latest policy should have the squid_domtrans back.
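The three record shapes in this archive can be triaged mechanically: a kernel AVC whose name= is only a basename (Gene's squid started from /var/named/chroot/etc, which Dan traces to a confined daemon looking at its cwd at startup), an AVC where exe= is a confined binary but scontext is still the caller's domain (Paul's logrotate case), and dbus USER_AVC records (Richard's thread). The Python below is an added example for this page, not code from the thread, from setroubleshoot or from the Fedora policy. It groups audit records by serial, pairs each kernel AVC with its SYSCALL and CWD records, flags a denied directory whose name is the basename of the process cwd, flags a binary running outside the domain it should have transitioned into, and reports USER_AVC entries separately, since those decisions are made and logged by a userspace object manager (here dbus-daemon) rather than by the kernel. Assumptions: the EXPECTED_DOMAIN table is for illustration only; the squid event in the sample is reconstructed from the thread's description with made-up pid, inode and serial, and its CWD record is constructed because the thread shows none; the logrotate and dbus records are the ones quoted above.

```python
"""Triage for the audit record shapes quoted in this thread: kernel AVC +
SYSCALL (+ CWD) events and dbus USER_AVC records.  Added example; not code
from the thread, from setroubleshoot or from the Fedora policy."""
import os.path
import re
from collections import defaultdict

# Assumed for illustration: which domain a confined binary should run in after
# the caller's domain transition.  The real answer comes from the loaded policy
# (e.g. sesearch -T -t squid_exec_t), not from a table like this.
EXPECTED_DOMAIN = {"/usr/sbin/squid": "squid_t"}

# key=value pairs; a value may be "double" or 'single' quoted, and a quoted
# value may contain the other quote (USER_AVC's msg='... exe="..." ...').
FIELD_RE = re.compile(r"""(\w+)=("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\S+)""")
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def parse_fields(text):
    """'k=v k2="v 2"' -> {'k': 'v', 'k2': 'v 2'}; a repeated key keeps the last value."""
    out = {}
    for key, val in FIELD_RE.findall(text):
        out[key] = val[1:-1] if val[:1] in "\"'" else val
    return out


def type_of(context):
    """user:role:type[:range] -> type (for a process, its domain)."""
    return context.split(":")[2]


def parse_audit(text):
    """Group records by audit serial: {serial: {record type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = parse_fields(line)
        fields["_raw"] = line
        events[m.group(1)][fields.get("type", "?")].append(fields)
    return events


def explain(event):
    """Findings for one event, i.e. all records that share a serial."""
    findings = []
    syscall = (event.get("SYSCALL") or [{}])[0]
    cwd = (event.get("CWD") or [{}])[0].get("cwd")
    for rec in event.get("AVC", []) + event.get("USER_AVC", []):
        m = DENIED_RE.search(rec["_raw"])
        if not m:
            continue
        perms, detail = m.group(1), parse_fields(m.group(2))
        sdom = type_of(detail.get("scontext", "?:?:?"))
        ttype = type_of(detail.get("tcontext", "?:?:?"))
        tclass = detail.get("tclass")
        if rec["type"] == "USER_AVC":
            # Decided and logged by a userspace object manager (dbus-daemon
            # checking bus messages against policy), not by the kernel.
            findings.append(f"userspace AVC from {detail.get('exe', '?')}: {sdom} denied "
                            f"{{ {perms} }} {tclass} to {ttype} "
                            f"({detail.get('msgtype', '?')} member={detail.get('member', '-')})")
            continue
        findings.append(f"{sdom} denied {{ {perms} }} on {tclass} {ttype} "
                        f"name={detail.get('name')} exe={syscall.get('exe')}")
        # The kernel AVC carries only a basename; the CWD record is what tells
        # an 'etc' inside a chroot apart from /etc when a daemon stats its cwd.
        if cwd and tclass == "dir" and detail.get("name") == os.path.basename(cwd):
            findings.append(f"'{detail['name']}' is the basename of cwd {cwd}: probably the "
                            f"daemon looking at its cwd at startup, not /{detail['name']}")
        expected = EXPECTED_DOMAIN.get(syscall.get("exe"))
        if expected and sdom != expected:
            findings.append(f"{syscall['exe']} is running as {sdom}, expected {expected}: "
                            f"the caller did not domain-transition")
    return findings


def analyze_log(text):
    """{serial: [finding, ...]} for every event found in text."""
    return {serial: explain(ev) for serial, ev in parse_audit(text).items()}


# Constructed sample.  Event :17 is reconstructed from the thread's description
# (squid started from /var/named/chroot/etc) with made-up pid/inode/serial and
# a CWD record the thread does not show; :646 and :833 are the quoted records.
SAMPLE_LOG = """\
type=AVC msg=audit(1231200000.100:17): avc: denied { search } for pid=4100 comm="squid" name="etc" dev=sda1 ino=200001 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1231200000.100:17): arch=40000003 syscall=11 success=no exit=-2 items=0 ppid=4099 pid=4100 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=CWD msg=audit(1231200000.100:17):  cwd="/var/named/chroot/etc"
type=AVC msg=audit(1231041733.717:646): avc: denied { read } for pid=6892 comm="squid" name="squid.conf" dev=dm-6 ino=147637 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:squid_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1231041733.717:646): arch=c000003e syscall=2 success=no exit=-13 a0=7f8b4a6bb260 a1=0 a2=1b6 a3=7f8b48be47b0 items=0 ppid=6891 pid=6892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=101 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1231052785.984:833): user pid=2489 uid=81 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=AddMatch dest=org.freedesktop.DBus spid=7820 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
"""

if __name__ == "__main__":
    for serial, findings in analyze_log(SAMPLE_LOG).items():
        print(serial)
        for finding in findings:
            print("   ", finding)
```

Run it against a real file with `analyze_log(open("/var/log/audit/audit.log").read())`. The cwd check only fires when the CWD record of the same serial is present, which is why pulling the whole event by serial, rather than grepping for `type=AVC` alone, is the habit worth keeping; and the missed-transition check is only as good as the table behind it, so treat a hit as a prompt to query the policy, not as proof.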
From rchapman at aardvark.com.au Thu Jan 8 04:09:25 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Thu, 08 Jan 2009 13:09:25 +0900
Subject: Troubleshootng the Selunix troubleshooter
In-Reply-To: <496515B1.4000507@redhat.com>
References: <49606415.9000301@aardvark.com.au> <4961113D.7000905@redhat.com> <49619EF7.1010700@aardvark.com.au> <4961A46E.3050900@aardvark.com.au> <496515B1.4000507@redhat.com>
Message-ID: <49657C75.8020405@aardvark.com.au>

Daniel J Walsh wrote:
> Richard Chapman wrote:
>
>> Hi again Daniel
>>
>> Here is some more info on this problem - which may be significant...
>> After checking the link from my last email again I tried:
>> [root at C5 ~]# fixfiles relabel
>>
>> Files in the /tmp directory may be labeled incorrectly, this command
>> can remove all files in /tmp. If you choose to remove files from /tmp,
>> a reboot will be required after completion.
>> Do you wish to clean out the /tmp directory [N]?
>> y
>> [remainder of the quoted message omitted; it repeats the fixfiles output, the relabel discussion and the USER_AVC records quoted above verbatim]
tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.990:842): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >>>>>> scontext=user_u:system_r:initrc_t:s0 >>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.990:843): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820 >>>>>> scontext=user_u:system_r:initrc_t:s0 >>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.990:844): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820 >>>>>> scontext=user_u:system_r:initrc_t:s0 >>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.991:845): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device >>>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 tpid=3667 >>>>>> scontext=user_u:system_r:initrc_t:s0 >>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.991:846): user pid=2489 
uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >>>>>> scontext=system_u:system_r:init_t:s0 >>>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.992:847): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >>>>>> scontext=user_u:system_r:initrc_t:s0 >>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.992:848): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>>> member=AddMatch dest=org.freedesktop.DBus spid=7820 >>>>>> scontext=user_u:system_r:initrc_t:s0 >>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.992:849): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>>> member=GetNameOwner dest=org.freedesktop.DBus spid=7820 >>>>>> scontext=user_u:system_r:initrc_t:s0 >>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.992:850): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Device >>>>>> member=Rescan dest=org.freedesktop.Hal spid=7820 
tpid=3667 >>>>>> scontext=user_u:system_r:initrc_t:s0 >>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.993:851): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_return dest=:1.14 spid=3667 tpid=7820 >>>>>> scontext=system_u:system_r:init_t:s0 >>>>>> tcontext=user_u:system_r:initrc_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> type=USER_AVC msg=audit(1231052785.994:852): user pid=2489 uid=81 >>>>>> auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { >>>>>> send_msg } for msgtype=method_call interface=org.freedesktop.DBus >>>>>> member=RemoveMatch dest=org.freedesktop.DBus spid=7820 >>>>>> scontext=user_u:system_r:initrc_t:s0 >>>>>> tcontext=system_u:system_r:init_t:s0 tclass=dbus : >>>>>> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' >>>>>> >>>>>> >>>>>> If I set the system to Enforcing mode - and log out and log back in - >>>>>> the login seems to run very slowly. If I try to run the gui SELinux >>>>>> Troubleshooter - the application window doesn't come up - but I see the >>>>>> following errors in the boot.log file. 
>>>>>> >>>>>> Jan 3 16:55:54 C5 dbus: avc: received setenforce notice (enforcing=1) >>>>>> Jan 3 16:56:23 C5 userhelper[24703]: running >>>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py' >>>>>> with system_u:system_r:unconfined_t context Jan 3 16:56:23 C5 >>>>>> userhelper[24703]: running >>>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py' >>>>>> with root privileges on behalf of 'root' >>>>>> Jan 3 16:58:02 C5 gconfd (root-21790): Exiting >>>>>> Jan 3 16:58:02 C5 sshd[21044]: pam_unix(sshd:session): session closed >>>>>> for user nx >>>>>> Jan 3 16:58:02 C5 su: pam_unix(su-l:session): session closed for >>>>>> user root >>>>>> Jan 3 16:58:23 C5 sshd[24747]: Accepted publickey for nx from >>>>>> 192.168.0.2 port 33869 ssh2 >>>>>> Jan 3 16:58:23 C5 sshd[24747]: pam_unix(sshd:session): session opened >>>>>> for user nx by (uid=0) >>>>>> Jan 3 16:58:25 C5 su: pam_unix(su-l:session): session opened for user >>>>>> root by (uid=102) >>>>>> Jan 3 16:58:28 C5 dovecot: IMAP(tim): Disconnected: Logged out >>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): starting (version 2.14.0), pid >>>>>> 25493 user 'root' >>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address >>>>>> "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only >>>>>> configuration source at position 0 >>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address >>>>>> "xml:readwrite:/root/.gconf" to a writable configuration source at >>>>>> position 1 >>>>>> Jan 3 16:58:30 C5 gconfd (root-25493): Resolved address >>>>>> "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only >>>>>> configuration source at position 2 >>>>>> Jan 3 16:58:33 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate >>>>>> 0 0 >>>>>> Not Found >>>>>> Jan 3 16:58:33 C5 last message repeated 4 times >>>>>> Jan 3 16:58:33 C5 gconfd (root-25493): Resolved address >>>>>> "xml:readwrite:/root/.gconf" to a writable configuration source at >>>>>> position 0 >>>>>> Jan 3 
16:59:46 C5 gdm[4045]: pam_unix(gdm:session): session opened for >>>>>> user root by (uid=0) >>>>>> Jan 3 16:59:59 C5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate >>>>>> 0 0 >>>>>> Not Found >>>>>> Jan 3 16:59:59 C5 last message repeated 4 times >>>>>> Jan 3 17:00:01 C5 crond[25738]: (root) CMD (/var/www/sarg/sarg.cron > >>>>>> /dev/null 2>&1) >>>>>> Jan 3 17:00:01 C5 crond[25740]: (root) CMD >>>>>> (/etc/webmin/webalizer/webalizer.pl /var/log/squid/access.log) >>>>>> Jan 3 17:00:01 C5 crond[25742]: (root) CMD >>>>>> (/etc/webmin/status/monitor.pl) >>>>>> Jan 3 17:00:01 C5 crond[25743]: (root) CMD >>>>>> (/etc/webmin/fetchmail/check.pl --mail rchapman\@aardvark\.com\.au >>>>>> --errors) >>>>>> Jan 3 17:00:01 C5 su: pam_unix(su:session): session opened for user >>>>>> richard by (uid=0) >>>>>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session opened for user >>>>>> postgres by (uid=0) >>>>>> Jan 3 17:00:04 C5 su: pam_unix(su:session): session closed for user >>>>>> postgres >>>>>> Jan 3 17:00:13 C5 su: pam_unix(su:session): session closed for user >>>>>> richard >>>>>> Jan 3 17:01:01 C5 crond[25911]: (root) CMD (run-parts /etc/cron.hourly) >>>>>> Jan 3 17:01:15 C5 userhelper[25928]: running >>>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py' >>>>>> with system_u:system_r:unconfined_t context Jan 3 17:01:15 C5 >>>>>> userhelper[25928]: running >>>>>> '/usr/share/system-config-securitylevel/system-config-securitylevel.py' >>>>>> with root privileges on behalf of 'root' >>>>>> Jan 3 17:02:18 C5 setroubleshoot: [dbus.ERROR] could not start dbus: >>>>>> Did >>>>>> not receive a reply. Possible causes include: the remote application >>>>>> did >>>>>> not send a reply, the message bus security policy blocked the reply, >>>>>> the >>>>>> reply timeout expired, or the network connection was broken. 
>>>>>> Jan 3 17:03:06 C5 dovecot: imap-login: Login: user=, method=PLAIN, rip=192.168.0.199, lip=192.168.0.201
>>>>>> Jan 3 17:03:37 C5 dovecot: IMAP(tim): Disconnected: Logged out
>>>>>> Jan 3 17:04:14 C5 setroubleshoot: [dbus.ERROR] could not start dbus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
>>>>>>
>>>>>> I have also tried the command line sealert application - which runs fine - but shows no problems:
>>>>>>
>>>>>> [root at C5 ~]# sealert -a /var/log/audit/audit.log
>>>>>> 100% donefound 0 alerts in /var/log/audit/audit.log
>>>>>> [root at C5 ~]#
>>>>>>
>>>>>> It looks to me as if there is some problem (possibly a policy issue) with my dbus connection, and this is preventing the SELinux troubleshooter operating in enforcing mode - and also probably causing some other problems in enforcing mode - though no "type=avc" problems show up in the audit logs.
>>>>>>
>>>>>> Can anyone explain to me what "type=user_avc" messages are - and why they are not reported by the GUI SELinux troubleshooter or sealert? How should I debug the remaining issues in this system?
>>>>>>
>>>>>> All advice appreciated.
>>>>>>
>>>>>> Richard.
>>>>>>
>>>>>> --
>>>>>> fedora-selinux-list mailing list
>>>>>> fedora-selinux-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>>
>> Please make sure your labeling is correct.
>>
>> touch /.autorelabel; reboot
>>
>> Looks like the entire system is running with a signal context which is causing you your problems.
>>
>> You might also want to grab the 5.3 policy, a preview is currently available on
>>
>> http://people.redhat.com/dwalsh/SELinux/RHEL5
>>
>
> Upgrade to the 5.3 policy and see if the problem goes away.
>

Many many thanks Daniel

I eventually tracked down your(?) comments on bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=449420
which led me to the same conclusion. I installed the 5.3 policy you directed me to - and touched and rebooted - and the re-label went through properly for the first time. The troubleshooter is now working fine - and I am tracking down a couple of denials related to "spamc" and "webalizer". I've only just started down this path - but I am happy to fill you in if you are interested...

Thanks again for your incredibly knowledgeable and helpful advice.

Richard.

From joe at nall.com Thu Jan 8 04:34:26 2009
From: joe at nall.com (Joe Nall)
Date: Wed, 7 Jan 2009 22:34:26 -0600
Subject: New F10 X AVC
Message-ID: <69715C13-1835-4DC1-A0D0-EBE582E460E8@nall.com>

Any clue what is going on with this AVC? This is a local variant of selinux-policy-mls-3.5.13-125. xterms and our non-gtk apps do not generate this AVC. It is fatal to the apps that experience it. New in F10.
joe node=fast type=USER_AVC msg=audit(1231388602.219:4379667): user pid=3917 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { write } for request=RANDR:SelectInput comm=/usr/lib64/ firefox-3.0.5/firefox resid=78 restype=WINDOW scontext=user_u:user_r:user_t:s6:c0.c511 tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)' node=fast type=USER_AVC msg=audit(1231388632.992:4379857): user pid=3917 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: denied { write } for request=RANDR:SelectInput comm=/usr/bin/gnome- terminal resid=78 restype=WINDOW scontext=user_u:user_r:user_t:s4:c0,c2,c11,c200.c511 tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, terminal=?)' From joe at nall.com Thu Jan 8 05:27:02 2009 From: joe at nall.com (Joe Nall) Date: Wed, 7 Jan 2009 23:27:02 -0600 Subject: execmem_exec_t, unconfined.te and nsplugin Message-ID: libsepol.print_missing_requirements: nsplugin's global requirements were not met: type/attribute execmem_exec_t /usr/bin/semodule_link: Error while linking packages make[1]: *** [validate] Error 1 make[1]: Leaving directory `/home/joe/src2/Linux_x86_64/BUILD/rpmbuild/ BUILD/serefpolicy-3.5.13' error: Bad exit status from /var/tmp/rpm-tmp.XoIIV1 (%install) I'm trying to build an mls policy with nsplugin defined as a module in modules-mls.conf. nsplugin depends on execmem_exec_t which is defined in unconfined.te which is _not_ a module in modules-mls.conf, creating the error above. Is there a better place to declare execmem_exec_t (userdomain.te?). joe From frankly3d at fedoraproject.org Thu Jan 8 08:17:30 2009 From: frankly3d at fedoraproject.org (Frank Murphy) Date: Thu, 08 Jan 2009 08:17:30 +0000 Subject: avc Dead-Letter? 
Fedora 10
In-Reply-To: <49610F95.1070101@redhat.com>
References: <49577090.1010603@fedoraproject.org> <49610F95.1070101@redhat.com>
Message-ID: <4965B69A.5070305@fedoraproject.org>

Daniel J Walsh wrote:
> Frank Murphy wrote:
>> This is the first Fedora I've come across a file called dead-letter.
>> I don't use sendmail, exim is installed, if relevant.
>
> What sendmail is it running and what is it labeled?
>
> ls -lZ PATHTO/sendmail?

No sendmail.

This dead-letter file was seemingly caused by something called ssmtp
http://linux.die.net/man/8/ssmtp
which seems to have installed itself with F10, and decided to replace exim, without my consent.

Have come across something relevant:
http://www.redhat.com/archives/fedora-selinux-list/2008-December/msg00078.html

Frank

From wolfy at nobugconsulting.ro Thu Jan 8 12:58:21 2009
From: wolfy at nobugconsulting.ro (Manuel Wolfshant)
Date: Thu, 08 Jan 2009 14:58:21 +0200
Subject: avc Dead-Letter? Fedora 10
In-Reply-To: <4965B69A.5070305@fedoraproject.org>
References: <49577090.1010603@fedoraproject.org> <49610F95.1070101@redhat.com> <4965B69A.5070305@fedoraproject.org>
Message-ID: <4965F86D.6050800@nobugconsulting.ro>

Frank Murphy wrote:
> Daniel J Walsh wrote:
>> Frank Murphy wrote:
>>> This is the first Fedora I've come across a file called dead-letter.
>>> I don't use sendmail, exim is installed, if relevant.
>>
>> What sendmail is it running and what is it labeled?
>>
>> ls -lZ PATHTO/sendmail?
>
> No sendmail.
>
> This dead-letter file was seemingly caused by something called ssmtp
> http://linux.die.net/man/8/ssmtp
ssmtp will leave dead.letter behind if it cannot reach the configured relay MTA. But not only ssmtp creates dead.letter.
> which seems to have installed itself with F10, and decided to replace exim, without my consent.
>
ssmtp installs /usr/sbin/sendmail.ssmtp and ln -s it to /usr/sbin/sendmail via the standard alternatives system:

postinstall scriptlet (using /bin/sh):
/usr/sbin/alternatives --install /usr/sbin/sendmail mta /usr/sbin/sendmail.ssmtp 30 \
  --slave /usr/bin/mailq mta-mailq /usr/bin/mailq.ssmtp \
  --slave /usr/bin/newaliases mta-newaliases /usr/bin/newaliases.ssmtp \
  --slave /usr/share/man/man1/mailq.1.gz mta-mailqman /usr/share/man/man1/mailq.ssmtp.1.gz \
  --slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman /usr/share/man/man1/newaliases.ssmtp.1.gz \
  --slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /usr/share/man/man8/ssmtp.8.gz

It never replaces exim unless told to, because exim is preferred by yum. Actually you MUST install ssmtp ON PURPOSE; it never comes as the first choice, and the priorities are chosen so as to be less preferred when compared to sendmail or postfix. However, I have no idea how exim handles this. sendmail is the default mailer chosen by anaconda, which gets replaced by exim or postfix if one chooses to not install sendmail. You have to try really hard to install ssmtp, and it's on purpose like that.

> Have come across something relevant:
> http://www.redhat.com/archives/fedora-selinux-list/2008-December/msg00078.html
>

From joe at nall.com Fri Jan 9 16:52:28 2009
From: joe at nall.com (Joe Nall)
Date: Fri, 9 Jan 2009 10:52:28 -0600
Subject: New F10 X AVC
In-Reply-To: <69715C13-1835-4DC1-A0D0-EBE582E460E8@nall.com>
References: <69715C13-1835-4DC1-A0D0-EBE582E460E8@nall.com>
Message-ID: <4E2CC0A8-3F6D-44E6-984E-42125AC4A7DD@nall.com>

On Jan 7, 2009, at 10:34 PM, Joe Nall wrote:
> Any clue what is going on with this AVC? This is a local variant of selinux-policy-mls-3.5.13-125. xterms and our non-gtk apps do not generate this AVC. It is fatal to the apps that experience it. New in F10.
Follow up: I can get around this by disabling RANDR and XINERAMA joe > node=fast type=USER_AVC msg=audit(1231388602.219:4379667): user > pid=3917 uid=0 auid=4294967295 ses=4294967295 > subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: > denied { write } for request=RANDR:SelectInput comm=/usr/lib64/ > firefox-3.0.5/firefox resid=78 restype=WINDOW > scontext=user_u:user_r:user_t:s6:c0.c511 > tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 > tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, > addr=?, terminal=?)' > node=fast type=USER_AVC msg=audit(1231388632.992:4379857): user > pid=3917 uid=0 auid=4294967295 ses=4294967295 > subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: > denied { write } for request=RANDR:SelectInput comm=/usr/bin/gnome- > terminal resid=78 restype=WINDOW > scontext=user_u:user_r:user_t:s4:c0,c2,c11,c200.c511 > tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 > tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, > addr=?, terminal=?)' > From joe at nall.com Fri Jan 9 17:33:51 2009 From: joe at nall.com (Joe Nall) Date: Fri, 9 Jan 2009 11:33:51 -0600 Subject: plymouthd avcs in MLS Message-ID: type=AVC msg=audit(1231458433.619:3): avc: denied { execute } for pid=1 comm="init" name="plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1231458433.621:4): avc: denied { read } for pid=723 comm="init" name="plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1231458433.621:4): avc: denied { execute_no_trans } for pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1231458433.623:5): avc: denied { getattr } for pid=723 comm="plymouth" path="/etc/ld.so.cache" dev=rootfs ino=122 
scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file type=AVC msg=audit(1231458433.625:6): avc: denied { search } for pid=695 comm="plymouthd" name="lib" dev=dm-0 ino=555970 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=AVC msg=audit(1231458433.625:6): avc: denied { read } for pid=695 comm="plymouthd" name="boot-duration" dev=dm-0 ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1231458433.632:7): avc: denied { getattr } for pid=695 comm="plymouthd" path="/var/lib/plymouth/boot-duration" dev=dm-0 ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1231458434.550:20): avc: denied { read } for pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file type=AVC msg=audit(1231458434.550:21): avc: denied { write } for pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file with the last avc repeated ~3000 times a second forever in enforcing. Should plymouthd have a dedicated type or should tty1 be SystemHigh? joe From rchapman at aardvark.com.au Sat Jan 10 05:22:36 2009 From: rchapman at aardvark.com.au (Richard Chapman) Date: Sat, 10 Jan 2009 14:22:36 +0900 Subject: Denials from spamc and webalizer on Centos 5.2 Message-ID: <4968309C.8060702@aardvark.com.au> After some trouble getting the file-system relabelled - which was eventually solved by Daniel's suggestion to change to a 5.3 preview release of the policy packages - I now have (only) a couple of intractable denials. One seems to be related to procmail running spamc. The other seems to be webalizer being denied access to squid logs. 
Here is some representative troubleshooter output:

Summary
SELinux is preventing spamc (procmail_t) "execute" to ./spamc (spamc_exec_t).

Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by spamc. It is not expected that this access is required by spamc and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./spamc,

restorecon -v './spamc'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.
Additional Information Source Context: system_u:system_r:procmail_t Target Context: system_u:object_r:spamc_exec_t Target Objects: ./spamc [ file ] Source: spamc Source Path: /usr/bin/spamc Port: Host: C5.aardvark.com.au Source RPM Packages: spamassassin-3.2.4-1.el5 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-203.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: catchall_file Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 Alert Count: 199 First Seen: Wed Jan 7 21:12:56 2009 Last Seen: Sat Jan 10 13:50:07 2009 Local ID: 72201679-d161-4d2d-8423-44b1b65a211f Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { execute_no_trans } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { execute_no_trans } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:procmail_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:procmail_t:s0 key=(null) Summary SELinux is preventing webalizer (webalizer_t) "search" to ./webalizer (bin_t). Detailed Description [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by webalizer. It is not expected that this access is required by webalizer and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./webalizer, restorecon -v './webalizer' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. 
Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional Information Source Context: root:system_r:webalizer_t:SystemLow-SystemHigh Target Context: system_u:object_r:bin_t Target Objects: ./webalizer [ dir ] Source: webalizer Source Path: /usr/bin/webalizer Port: Host: C5.aardvark.com.au Source RPM Packages: webalizer-2.01_10-30.1 Target RPM Packages: Policy RPM: selinux-policy-2.4.6-203.el5 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Permissive Plugin Name: catchall_file Host Name: C5.aardvark.com.au Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 Alert Count: 119 First Seen: Wed Jan 7 22:00:02 2009 Last Seen: Sat Jan 10 14:00:01 2009 Local ID: fd879861-abb1-4e67-a190-0a721c66dc0e Line Numbers: Raw Audit Messages : host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: denied { search } for pid=16510 comm="webalizer" name="webalizer" dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: denied { search } for pid=16510 comm="webalizer" name="webalizer" dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 comm="webalizer" exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=730 comm="webalizer" exe="/usr/bin/webalizer" subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null)

I didn't think I was doing anything unusual here - so I am surprised these aren't covered by standard policy. Am I doing something strange - and if so - do I need to write my own local policy? Is there a more standard way to run spamc and/or webalizer which will prevent these denials?

Thanks

Richard.

From mmcallis at redhat.com Sat Jan 10 11:14:23 2009
From: mmcallis at redhat.com (Murray McAllister)
Date: Sat, 10 Jan 2009 21:14:23 +1000
Subject: Denials from spamc and webalizer on Centos 5.2
In-Reply-To: <4968309C.8060702@aardvark.com.au>
References: <4968309C.8060702@aardvark.com.au>
Message-ID: <4968830F.3030505@redhat.com>

Richard Chapman wrote:
> After some trouble getting the file-system relabelled - which was eventually solved by Daniel's suggestion to change to a 5.3 preview release of the policy packages - I now have (only) a couple of intractable denials.
>
> One seems to be related to procmail running spamc. The other seems to be webalizer being denied access to squid logs. Here is some representative troubleshooter output:
>
> Summary
> SELinux is preventing spamc (procmail_t) "execute" to ./spamc (spamc_exec_t).
> Detailed Description
> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
>
> SELinux denied access requested by spamc. It is not expected that this access is required by spamc and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials.
You could try to > restore the default system file context for ./spamc, > > restorecon -v './spamc' > > If this does not work, there is currently no automatic way to allow this > access. Instead, you can generate a local policy module to allow this > access - see FAQ > Or you can > disable SELinux protection altogether. Disabling SELinux protection is > not recommended. Please file a bug report > against this package. > > Additional Information > > Source Context: system_u:system_r:procmail_t > Target Context: system_u:object_r:spamc_exec_t > Target Objects: ./spamc [ file ] > Source: spamc > Source Path: /usr/bin/spamc > Port: > Host: C5.aardvark.com.au > Source RPM Packages: spamassassin-3.2.4-1.el5 > Target RPM Packages: > Policy RPM: selinux-policy-2.4.6-203.el5 > Selinux Enabled: True > Policy Type: targeted > MLS Enabled: True > Enforcing Mode: Permissive > Plugin Name: catchall_file > Host Name: C5.aardvark.com.au > Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec > 16 11:57:43 EST 2008 x86_64 x86_64 > Alert Count: 199 > First Seen: Wed Jan 7 21:12:56 2009 > Last Seen: Sat Jan 10 13:50:07 2009 > Local ID: 72201679-d161-4d2d-8423-44b1b65a211f > Line Numbers: Fedora 10 has a rule that looks like it would resolve this issue: $ sesearch --allow -s procmail_t -t spamc_exec_t WARNING: This policy contained disabled aliases; they have been removed. Found 1 semantic av rules: allow procmail_t spamc_exec_t : file { ioctl read getattr execute } ; selinux-policy-3.5.13-38.fc10.noarch selinux-policy-targeted-3.5.13-38.fc10.noarch Do you have this rule when running the 5.3 preview packages? I am not sure about your webalizer issue... 
> > Raw Audit Messages : > > host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: > denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 > ino=31336954 scontext=system_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file > host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: > denied { execute } for pid=16474 comm="procmail" name="spamc" dev=dm-0 > ino=31336954 scontext=system_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file > host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: > denied { execute_no_trans } for pid=16474 comm="procmail" > path="/usr/bin/spamc" dev=dm-0 ino=31336954 > scontext=system_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file > host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: > denied { execute_no_trans } for pid=16474 comm="procmail" > path="/usr/bin/spamc" dev=dm-0 ino=31336954 > scontext=system_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file > host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: > denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" > dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file > host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: > denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" > dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 > tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file > host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): > arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 > a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 > gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 > tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" > 
subj=system_u:system_r:procmail_t:s0 key=(null) > host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): > arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 > a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 > gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 > tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" > subj=system_u:system_r:procmail_t:s0 key=(null) > > > > > Summary > SELinux is preventing webalizer (webalizer_t) "search" to ./webalizer > (bin_t). > Detailed Description > [SELinux is in permissive mode, the operation would have been denied but > was permitted due to permissive mode.] > > SELinux denied access requested by webalizer. It is not expected that > this access is required by webalizer and this access may signal an > intrusion attempt. It is also possible that the specific version or > configuration of the application is causing it to require additional > access. > > Allowing Access > Sometimes labeling problems can cause SELinux denials. You could try to > restore the default system file context for ./webalizer, > > restorecon -v './webalizer' > > If this does not work, there is currently no automatic way to allow this > access. Instead, you can generate a local policy module to allow this > access - see FAQ > Or you can > disable SELinux protection altogether. Disabling SELinux protection is > not recommended. Please file a bug report > against this package. 
> > Additional Information > > Source Context: root:system_r:webalizer_t:SystemLow-SystemHigh > Target Context: system_u:object_r:bin_t > Target Objects: ./webalizer [ dir ] > Source: webalizer > Source Path: /usr/bin/webalizer > Port: > Host: C5.aardvark.com.au > Source RPM Packages: webalizer-2.01_10-30.1 > Target RPM Packages: > Policy RPM: selinux-policy-2.4.6-203.el5 > Selinux Enabled: True > Policy Type: targeted > MLS Enabled: True > Enforcing Mode: Permissive > Plugin Name: catchall_file > Host Name: C5.aardvark.com.au > Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec > 16 11:57:43 EST 2008 x86_64 x86_64 > Alert Count: 119 > First Seen: Wed Jan 7 22:00:02 2009 > Last Seen: Sat Jan 10 14:00:01 2009 > Local ID: fd879861-abb1-4e67-a190-0a721c66dc0e > Line Numbers: > > Raw Audit Messages : > > host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: > denied { search } for pid=16510 comm="webalizer" name="webalizer" > dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:bin_t:s0 tclass=dir > host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: > denied { search } for pid=16510 comm="webalizer" name="webalizer" > dev=dm-0 ino=32479105 scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:bin_t:s0 tclass=dir > host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): > arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 > a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0 > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 > comm="webalizer" exe="/usr/bin/webalizer" > subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null) > host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): > arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 > a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 gid=0 > euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=730 > comm="webalizer" exe="/usr/bin/webalizer" > subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null) > > > > I didn't think I was doing anything unusual here - so I am surprised > these aren't covered by standard policy. Am I doing something strange - > and if so - do I need to write my own local policy? Is there a more > standard way to run spamc and/or webalizer which will prevent these > denials? > > Thanks > > Richard. > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From zoroufi at gmail.com Sat Jan 10 11:36:39 2009 From: zoroufi at gmail.com (zoroufi) Date: Sat, 10 Jan 2009 03:36:39 -0800 (PST) Subject: New F10 X AVC In-Reply-To: <69715C13-1835-4DC1-A0D0-EBE582E460E8@nall.com> References: <69715C13-1835-4DC1-A0D0-EBE582E460E8@nall.com> Message-ID: <21387191.post@talk.nabble.com> Did you make Fedora 10 enforcing in MLS policy? Didn't you encounter the X windows problem like previous releases of Fedora (i.e. Fedora 9 or earlier)? Joe Nall wrote: > > Any clue what is going on with this AVC? This is a local variant of > selinux-policy-mls-3.5.13-125. xterms and our non-gtk apps do not > generate this AVC. It is fatal to the apps that experience it. New in > F10. 
> > joe > > > node=fast type=USER_AVC msg=audit(1231388602.219:4379667): user > pid=3917 uid=0 auid=4294967295 ses=4294967295 > subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: > denied { write } for request=RANDR:SelectInput comm=/usr/lib64/ > firefox-3.0.5/firefox resid=78 restype=WINDOW > scontext=user_u:user_r:user_t:s6:c0.c511 > tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 > tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, > terminal=?)' > node=fast type=USER_AVC msg=audit(1231388632.992:4379857): user > pid=3917 uid=0 auid=4294967295 ses=4294967295 > subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: > denied { write } for request=RANDR:SelectInput comm=/usr/bin/gnome- > terminal resid=78 restype=WINDOW > scontext=user_u:user_r:user_t:s4:c0,c2,c11,c200.c511 > tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 > tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, > terminal=?)' > > -- View this message in context: http://www.nabble.com/New-F10-X-AVC-tp21345740p21387191.html Sent from the Fedora SELinux List mailing list archive at Nabble.com. From joe at nall.com Sat Jan 10 17:17:20 2009 From: joe at nall.com (Joe Nall) Date: Sat, 10 Jan 2009 11:17:20 -0600 Subject: New F10 X AVC In-Reply-To: <21387191.post@talk.nabble.com> References: <69715C13-1835-4DC1-A0D0-EBE582E460E8@nall.com> <21387191.post@talk.nabble.com> Message-ID: <2DF3AACF-269E-458C-BEA2-B1B29EF0CEB9@nall.com> On Jan 10, 2009, at 5:36 AM, zoroufi wrote: > > Did you make Fedora 10 enforcing in MLS policy? Yes, with a modified policy and using openbox instead of gnome. joe > > Didn't you encounter the X windows problem like previous releases of > Fedora( > i.e. Fedora 9 or earlier)? > > > Joe Nall wrote: >> >> Any clue what is going on with this AVC? 
This is a local variant >> of >> selinux-policy-mls-3.5.13-125. xterms and our non-gtk apps do not >> generate this AVC. It is fatal to the apps that experience it. New in >> F10. >> >> joe >> >> >> node=fast type=USER_AVC msg=audit(1231388602.219:4379667): user >> pid=3917 uid=0 auid=4294967295 ses=4294967295 >> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: >> denied { write } for request=RANDR:SelectInput comm=/usr/lib64/ >> firefox-3.0.5/firefox resid=78 restype=WINDOW >> scontext=user_u:user_r:user_t:s6:c0.c511 >> tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 >> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, >> terminal=?)' >> node=fast type=USER_AVC msg=audit(1231388632.992:4379857): user >> pid=3917 uid=0 auid=4294967295 ses=4294967295 >> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: >> denied { write } for request=RANDR:SelectInput comm=/usr/bin/gnome- >> terminal resid=78 restype=WINDOW >> scontext=user_u:user_r:user_t:s4:c0,c2,c11,c200.c511 >> tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 >> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, >> terminal=?)' >> >> 
From zoroufi at gmail.com Sat Jan 10 19:56:43 2009 From: zoroufi at gmail.com (zoroufi) Date: Sat, 10 Jan 2009 11:56:43 -0800 (PST) Subject: New F10 X AVC In-Reply-To: <2DF3AACF-269E-458C-BEA2-B1B29EF0CEB9@nall.com> References: <69715C13-1835-4DC1-A0D0-EBE582E460E8@nall.com> <21387191.post@talk.nabble.com> <2DF3AACF-269E-458C-BEA2-B1B29EF0CEB9@nall.com> Message-ID: <21391139.post@talk.nabble.com> Would you please state in detail which modification and why the openbox instead of gnome? I'm in trouble with this and trying to overcome this problem. Thanks again for your carefulness. Joe Nall wrote: > > > On Jan 10, 2009, at 5:36 AM, zoroufi wrote: > >> >> Did you make Fedora 10 enforcing in MLS policy? > > Yes, with a modified policy and using openbox instead of gnome. > > joe > >> >> Didn't you encounter the X windows problem like previous releases of >> Fedora( >> i.e. Fedora 9 or earlier)? >> >> >> Joe Nall wrote: >>> >>> Any clue what is going on with this AVC? This is a local variant >>> of >>> selinux-policy-mls-3.5.13-125. xterms and our non-gtk apps do not >>> generate this AVC. It is fatal to the apps that experience it. New in >>> F10. 
>>> >>> joe >>> >>> >>> node=fast type=USER_AVC msg=audit(1231388602.219:4379667): user >>> pid=3917 uid=0 auid=4294967295 ses=4294967295 >>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: >>> denied { write } for request=RANDR:SelectInput comm=/usr/lib64/ >>> firefox-3.0.5/firefox resid=78 restype=WINDOW >>> scontext=user_u:user_r:user_t:s6:c0.c511 >>> tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 >>> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, >>> terminal=?)' >>> node=fast type=USER_AVC msg=audit(1231388632.992:4379857): user >>> pid=3917 uid=0 auid=4294967295 ses=4294967295 >>> subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 msg='avc: >>> denied { write } for request=RANDR:SelectInput comm=/usr/bin/gnome- >>> terminal resid=78 restype=WINDOW >>> scontext=user_u:user_r:user_t:s4:c0,c2,c11,c200.c511 >>> tcontext=system_u:object_r:xdm_rootwindow_t:s0-s15:c0.c1023 >>> tclass=x_drawable : exe="/usr/bin/Xorg" (sauid=0, hostname=?, addr=?, >>> terminal=?)' >>> >> > -- View this message in context: http://www.nabble.com/New-F10-X-AVC-tp21345740p21391139.html Sent from the Fedora SELinux List mailing list archive at Nabble.com. 
From joe at nall.com Sat Jan 10 20:04:32 2009 From: joe at nall.com (Joe Nall) Date: Sat, 10 Jan 2009 14:04:32 -0600 Subject: New F10 X AVC In-Reply-To: <21391139.post@talk.nabble.com> References: <69715C13-1835-4DC1-A0D0-EBE582E460E8@nall.com> <21387191.post@talk.nabble.com> <2DF3AACF-269E-458C-BEA2-B1B29EF0CEB9@nall.com> <21391139.post@talk.nabble.com> Message-ID: On Jan 10, 2009, at 1:56 PM, zoroufi wrote: > > Would you please state in detail which modification When time permits. This is an easy request to make and a harder one to fulfill. > and why the openbox > instead of gnome? Because dbus/gnome interaction hasn't a clue about MLS. We had to simplify things to get something to work. joe From rchapman at aardvark.com.au Sun Jan 11 02:24:39 2009 From: rchapman at aardvark.com.au (Richard Chapman) Date: Sun, 11 Jan 2009 11:24:39 +0900 Subject: Denials from spamc and webalizer on Centos 5.2 In-Reply-To: <4968830F.3030505@redhat.com> References: <4968309C.8060702@aardvark.com.au> <4968830F.3030505@redhat.com> Message-ID: <49695867.8060609@aardvark.com.au> Thanks Murray... It looks to me like Centos 5.2 and/or the 5.3 preview policy release doesn't have that rule: -------- [root at C5 ~]# sesearch --allow -s procmail_t -t spamc_exec_t [root at C5 ~]# -------- Can you advise me the easiest and/or best way to add this rule to my system? Richard Murray McAllister wrote: > Richard Chapman wrote: >> After some trouble getting the file-system relabelled - which was >> eventually solved by Daniel's suggestion to change to a 5.3 preview >> release of the policy packages - I now have (only) a couple of >> intractable denials. >> >> One seems to be related to procmail running spamc. The other seems to >> be webalizer being denied access to squid logs. Here is some >> representative troubleshooter output: >> >> Summary >> SELinux is preventing spamc (procmail_t) "execute" to ./spamc >> (spamc_exec_t). 
>> Detailed Description >> [SELinux is in permissive mode, the operation would have been denied >> but was permitted due to permissive mode.] >> >> SELinux denied access requested by spamc. It is not expected that >> this access is required by spamc and this access may signal an >> intrusion attempt. It is also possible that the specific version or >> configuration of the application is causing it to require additional >> access. >> >> Allowing Access >> Sometimes labeling problems can cause SELinux denials. You could try >> to restore the default system file context for ./spamc, >> >> restorecon -v './spamc' >> >> If this does not work, there is currently no automatic way to allow >> this access. Instead, you can generate a local policy module to allow >> this access - see FAQ >> Or you can >> disable SELinux protection altogether. Disabling SELinux protection >> is not recommended. Please file a bug report >> against this >> package. >> >> Additional Information >> >> Source Context: system_u:system_r:procmail_t >> Target Context: system_u:object_r:spamc_exec_t >> Target Objects: ./spamc [ file ] >> Source: spamc >> Source Path: /usr/bin/spamc >> Port: >> Host: C5.aardvark.com.au >> Source RPM Packages: spamassassin-3.2.4-1.el5 >> Target RPM Packages: >> Policy RPM: selinux-policy-2.4.6-203.el5 >> Selinux Enabled: True >> Policy Type: targeted >> MLS Enabled: True >> Enforcing Mode: Permissive >> Plugin Name: catchall_file >> Host Name: C5.aardvark.com.au >> Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP >> Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 >> Alert Count: 199 >> First Seen: Wed Jan 7 21:12:56 2009 >> Last Seen: Sat Jan 10 13:50:07 2009 >> Local ID: 72201679-d161-4d2d-8423-44b1b65a211f >> Line Numbers: > Fedora 10 has a rule that looks like it would resolve this issue: > > $ sesearch --allow -s procmail_t -t spamc_exec_t > WARNING: This policy contained disabled aliases; they have been removed. 
> Found 1 semantic av rules: > allow procmail_t spamc_exec_t : file { ioctl read getattr execute } ; > > selinux-policy-3.5.13-38.fc10.noarch > selinux-policy-targeted-3.5.13-38.fc10.noarch > > Do you have this rule when running the 5.3 preview packages? I am not > sure about your webalizer issue... >> >> Raw Audit Messages : >> >> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: >> denied { execute } for pid=16474 comm="procmail" name="spamc" >> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file >> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: >> denied { execute } for pid=16474 comm="procmail" name="spamc" >> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file >> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: >> denied { execute_no_trans } for pid=16474 comm="procmail" >> path="/usr/bin/spamc" dev=dm-0 ino=31336954 >> scontext=system_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file >> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: >> denied { execute_no_trans } for pid=16474 comm="procmail" >> path="/usr/bin/spamc" dev=dm-0 ino=31336954 >> scontext=system_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file >> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: >> denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" >> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file >> host=C5.aardvark.com.au type=AVC msg=audit(1231563007.814:8005): avc: >> denied { read } for pid=16474 comm="procmail" path="/usr/bin/spamc" >> dev=dm-0 ino=31336954 scontext=system_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file >> host=C5.aardvark.com.au type=SYSCALL 
msg=audit(1231563007.814:8005): >> arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 >> a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 >> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 >> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" >> subj=system_u:system_r:procmail_t:s0 key=(null) >> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563007.814:8005): >> arch=c000003e syscall=59 success=yes exit=0 a0=196772e0 a1=196792a0 >> a2=196791f0 a3=8 items=0 ppid=16473 pid=16474 auid=4294967295 uid=500 >> gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 >> tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" >> subj=system_u:system_r:procmail_t:s0 key=(null) >> >> >> >> >> Summary >> SELinux is preventing webalizer (webalizer_t) "search" to ./webalizer >> (bin_t). >> Detailed Description >> [SELinux is in permissive mode, the operation would have been denied >> but was permitted due to permissive mode.] >> >> SELinux denied access requested by webalizer. It is not expected that >> this access is required by webalizer and this access may signal an >> intrusion attempt. It is also possible that the specific version or >> configuration of the application is causing it to require additional >> access. >> >> Allowing Access >> Sometimes labeling problems can cause SELinux denials. You could try >> to restore the default system file context for ./webalizer, >> >> restorecon -v './webalizer' >> >> If this does not work, there is currently no automatic way to allow >> this access. Instead, you can generate a local policy module to allow >> this access - see FAQ >> Or you can >> disable SELinux protection altogether. Disabling SELinux protection >> is not recommended. Please file a bug report >> against this >> package. 
>> >> Additional Information >> >> Source Context: root:system_r:webalizer_t:SystemLow-SystemHigh >> Target Context: system_u:object_r:bin_t >> Target Objects: ./webalizer [ dir ] >> Source: webalizer >> Source Path: /usr/bin/webalizer >> Port: >> Host: C5.aardvark.com.au >> Source RPM Packages: webalizer-2.01_10-30.1 >> Target RPM Packages: >> Policy RPM: selinux-policy-2.4.6-203.el5 >> Selinux Enabled: True >> Policy Type: targeted >> MLS Enabled: True >> Enforcing Mode: Permissive >> Plugin Name: catchall_file >> Host Name: C5.aardvark.com.au >> Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP >> Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 >> Alert Count: 119 >> First Seen: Wed Jan 7 22:00:02 2009 >> Last Seen: Sat Jan 10 14:00:01 2009 >> Local ID: fd879861-abb1-4e67-a190-0a721c66dc0e >> Line Numbers: >> >> Raw Audit Messages : >> >> host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: >> denied { search } for pid=16510 comm="webalizer" name="webalizer" >> dev=dm-0 ino=32479105 >> scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:bin_t:s0 tclass=dir >> host=C5.aardvark.com.au type=AVC msg=audit(1231563601.389:8027): avc: >> denied { search } for pid=16510 comm="webalizer" name="webalizer" >> dev=dm-0 ino=32479105 >> scontext=root:system_r:webalizer_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:bin_t:s0 tclass=dir >> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): >> arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 >> a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 uid=0 >> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 >> comm="webalizer" exe="/usr/bin/webalizer" >> subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null) >> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231563601.389:8027): >> arch=c000003e syscall=4 success=no exit=-2 a0=4171ee a1=7fff7d310db0 >> a2=7fff7d310db0 a3=21000 items=0 ppid=16509 pid=16510 auid=0 
uid=0 >> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=730 >> comm="webalizer" exe="/usr/bin/webalizer" >> subj=root:system_r:webalizer_t:s0-s0:c0.c1023 key=(null) >> >> >> >> I didn't think I was doing anything unusual here - so I am surprised >> these aren't covered by standard policy. Am I doing something strange >> - and if so - do I need to write my own local policy? Is there a more >> standard way to run spamc and/or webalizer which will prevent these >> denials? >> >> Thanks >> >> Richard. >> >> >> ------------------------------------------------------------------------ >> > From domg472 at gmail.com Mon Jan 12 12:44:48 2009 From: domg472 at gmail.com (domg472 g472) Date: Mon, 12 Jan 2009 13:44:48 +0100 Subject: Denials from spamc and webalizer on Centos 5.2 Message-ID: <5aebb9fb0901120444x37d0b2e4o57a0a4bca8bb3f56@mail.gmail.com> Hello, With regard to procmail, I think your policy is missing a domain transition to spamassassin. A custom policy looking something like the following may or may not fix that issue: mkdir ~/myprocmail; cd ~/myprocmail; echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te; echo "require { type procmail_t; }" >> myprocmail.te; echo 'optional_policy(`' >> myprocmail.te; echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te; echo "')" >> myprocmail.te; make -f /usr/share/selinux/devel/Makefile && /usr/sbin/semodule -i myprocmail.pp With regard to webalizer it looks like webalizer is searching something in a "bin" directory. If you want you can allow this. 
mkdir ~/mywebalizer; cd ~/mywebalizer; echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te; echo "require { type webalizer_t; }" >> mywebalizer.te; echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te; make -f /usr/share/selinux/devel/Makefile && /usr/sbin/semodule -i mywebalizer.pp It may be that both procmail and webalizer domains need more access after this, but you will notice that if this is the case. P.S. You may or may not need to escape some of the characters in my example. HTH, Dominick From dwalsh at redhat.com Mon Jan 12 16:50:53 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 12 Jan 2009 11:50:53 -0500 Subject: execmem_exec_t, unconfined.te and nsplugin In-Reply-To: References: Message-ID: <496B74ED.6060609@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joe Nall wrote: > libsepol.print_missing_requirements: nsplugin's global requirements were > not met: type/attribute execmem_exec_t > /usr/bin/semodule_link: Error while linking packages > make[1]: *** [validate] Error 1 > make[1]: Leaving directory > `/home/joe/src2/Linux_x86_64/BUILD/rpmbuild/BUILD/serefpolicy-3.5.13' > error: Bad exit status from /var/tmp/rpm-tmp.XoIIV1 (%install) > > I'm trying to build an mls policy with nsplugin defined as a module in > modules-mls.conf. nsplugin depends on execmem_exec_t which is defined in > unconfined.te which is _not_ a module in modules-mls.conf, creating the > error above. > > Is there a better place to declare execmem_exec_t (userdomain.te?). > > joe > Yes, I think we should create a new app execmem.te and move stuff there. Java, Mono, and other apps fall into this category of applications that users execute that require execmem, execstack privs. 
What we really need is USERTYPE_t executes execmem_exec_t gets USERTYPE_EXECMEM_T == (USERTYPE_T + execmem and execstack) Currently execmem_exec_t is just a rename of unconfined_execmem_exec_t -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAklrdO0ACgkQrlYvE4MpobMraACgl98E+0lh8VFEVJUT+TFiVkMW xLAAoLOVtLg9e/yKTFOA0oVLVqW4PC4R =r6Bq -----END PGP SIGNATURE----- From dwalsh at redhat.com Mon Jan 12 16:53:28 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 12 Jan 2009 11:53:28 -0500 Subject: plymouthd avcs in MLS In-Reply-To: References: Message-ID: <496B7588.6000204@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joe Nall wrote: > type=AVC msg=audit(1231458433.619:3): avc: denied { execute } for > pid=1 comm="init" name="plymouth" dev=rootfs ino=73 > scontext=system_u:system_r:kernel_t:s15:c0.c1023 > tcontext=system_u:object_r:root_t:s0 tclass=file > type=AVC msg=audit(1231458433.621:4): avc: denied { read } for > pid=723 comm="init" name="plymouth" dev=rootfs ino=73 > scontext=system_u:system_r:kernel_t:s15:c0.c1023 > tcontext=system_u:object_r:root_t:s0 tclass=file > type=AVC msg=audit(1231458433.621:4): avc: denied { execute_no_trans } > for pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73 > scontext=system_u:system_r:kernel_t:s15:c0.c1023 > tcontext=system_u:object_r:root_t:s0 tclass=file > type=AVC msg=audit(1231458433.623:5): avc: denied { getattr } for > pid=723 comm="plymouth" path="/etc/ld.so.cache" dev=rootfs ino=122 > scontext=system_u:system_r:kernel_t:s15:c0.c1023 > tcontext=system_u:object_r:root_t:s0 tclass=file > type=AVC msg=audit(1231458433.625:6): avc: denied { search } for > pid=695 comm="plymouthd" name="lib" dev=dm-0 ino=555970 > scontext=system_u:system_r:kernel_t:s15:c0.c1023 > tcontext=system_u:object_r:var_lib_t:s0 tclass=dir > type=AVC msg=audit(1231458433.625:6): avc: denied { read } for > pid=695 comm="plymouthd" 
name="boot-duration" dev=dm-0 ino=564304 > scontext=system_u:system_r:kernel_t:s15:c0.c1023 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1231458433.632:7): avc: denied { getattr } for > pid=695 comm="plymouthd" path="/var/lib/plymouth/boot-duration" dev=dm-0 > ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1231458434.550:20): avc: denied { read } for > pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354 > scontext=system_u:system_r:kernel_t:s15:c0.c1023 > tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file > > type=AVC msg=audit(1231458434.550:21): avc: denied { write } for > pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357 > scontext=system_u:system_r:kernel_t:s15:c0.c1023 > tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file > > with the last avc repeated ~3000 times a second forever in enforcing. > > Should plymouthd have a dedicated type or should tty1 be SystemHigh? > > joe > I think plymouthd is started in the initrd, so I don't think we can have a transition. But shouldn't the kernel be able to override MLS so it could write to this terminal? 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAklrdYgACgkQrlYvE4MpobMYDACeOq906O8BalhlDJv94Lu/oe1Z Y6QAnj6r0CshCY5G819oBj+jVp4mr/iE =oOG1 -----END PGP SIGNATURE----- From dwalsh at redhat.com Mon Jan 12 16:56:33 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 12 Jan 2009 11:56:33 -0500 Subject: Denials from spamc and webalizer on Centos 5.2 In-Reply-To: <5aebb9fb0901120444x37d0b2e4o57a0a4bca8bb3f56@mail.gmail.com> References: <5aebb9fb0901120444x37d0b2e4o57a0a4bca8bb3f56@mail.gmail.com> Message-ID: <496B7641.1040507@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 domg472 g472 wrote: > Hello, > > With regard to procmail, i think your policy is missing a domain > transition to spamassassin. > > A custom policy looking something like the following may or may not > fix that issue: > > mkdir ~/myprocmail; cd ~/myprocmail; > echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te; > echo "require { type procmail_t; }" >> myprocmail.te; > echo "optional_policy(`" >> myprocmail.te; > echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te; > echo "')" >> myprocmail.te; > > make -f /usr/share/selinux/devel/Makefile > /usr/sbin/semodule -i myprocmail.pp > > With regard to webalizer it looks like webalizer is searching > something in a "bin" directory. > If you want you can allow this. > > mkdir ~/mywebalizer; cd ~mywebalizer; > echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te; > echo "require { type webalizer_t; }" >> mywebalizer.te; > echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te; > > make -f /usr/share/selinux/devel/Makefile > /usr/sbin/semodule -i mywebalizer.pp > > It may be that both procmail and webalizer domains need more access > after this, but you will notice that if this is the case. > > P.s. You may or may not need to escape some of the characters in my example. 
>
> Hth,
> Dominick

Fedora 10 and Rawhide have a domtrans to spamc, but RHEL5 looks like it is only able to execute spamc without a transition.

From mmcallis at redhat.com Wed Jan 14 01:44:53 2009
From: mmcallis at redhat.com (Murray McAllister)
Date: Wed, 14 Jan 2009 11:44:53 +1000
Subject: running rsync as root to preserve contexts
Message-ID: <496D4395.1010503@redhat.com>

Hi,

I am not sure how rsync works, but should it have to be run as the root user to preserve contexts?

$ pwd
/home/murray

$ mkdir other
$ ls -dZ other/
drwxrwxr-x murray murray unconfined_u:object_r:user_home_t:s0 other/

$ touch file && chcon -t samba_share_t file
$ ls -Z file
-rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file

$ rsync -aXHv file other/
sending incremental file list
file

sent 122 bytes received 31 bytes 102.00 bytes/sec
total size is 0 speedup is 0.00
$ ls -Z other/
-rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file

# samba_share_t type was not preserved.

$ sudo rsync -aXHv file other/
sending incremental file list

sent 128 bytes received 17 bytes 290.00 bytes/sec

# running as sudo sends more bytes (previously 122).

total size is 0 speedup is 0.00
$ ls -Z other/
-rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file

# samba_share_t type was preserved.

I am using:

rsync-3.0.4-0.fc10.i386
openssh-askpass-5.1p1-3.fc10.i386
openssh-5.1p1-3.fc10.i386
openssh-clients-5.1p1-3.fc10.i386
libssh2-0.18-7.fc9.i386
openssh-server-5.1p1-3.fc10.i386

selinux-policy-3.5.13-38.fc10.noarch
selinux-policy-targeted-3.5.13-38.fc10.noarch

Cheers.
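Added example (editor's code, not rsync's and not from the post above) illustrating the session Murray shows and the mechanism Stephen Smalley's reply below describes: whether a process may set security.selinux is decided by SELinux's own relabel checks when SELinux is enabled, and by CAP_SYS_ADMIN only when it is disabled, so a copier should attempt the attribute and report what the kernel refused rather than silently skip the security namespace for non-root callers. The two temporary files and the user.demo attribute are constructed inputs; no SELinux is needed to run it.

```python
"""Copy a file's extended attributes, SELinux label included, without
pre-filtering on whether the caller is root. Added example; not rsync code."""
import errno
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SELINUX_XATTR = "security.selinux"


@dataclass
class XattrReport:
    copied: List[str] = field(default_factory=list)
    skipped: Dict[str, str] = field(default_factory=dict)  # name -> errno name
    selinux_context: Optional[bytes] = None  # label that was copied, if any


def _errname(exc: OSError) -> str:
    return errno.errorcode.get(exc.errno, "E%s" % exc.errno)


def copy_xattrs(src: str, dst: str, follow_symlinks: bool = False) -> XattrReport:
    """Copy every xattr on src to dst, recording per-attribute failures instead
    of dropping whole namespaces the caller may or may not be allowed to set."""
    report = XattrReport()
    if not hasattr(os, "listxattr"):
        report.skipped["*"] = "ENOTSUP"  # platform without the xattr API
        return report
    try:
        names = os.listxattr(src, follow_symlinks=follow_symlinks)
    except OSError as exc:
        report.skipped["*"] = _errname(exc)  # e.g. ENOTSUP: filesystem has no xattrs
        return report
    for name in names:
        try:
            value = os.getxattr(src, name, follow_symlinks=follow_symlinks)
            os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
        except OSError as exc:
            # EPERM on security.selinux is "you must be root" with SELinux disabled;
            # with SELinux enabled it means the relabelfrom/relabelto check failed.
            report.skipped[name] = _errname(exc)
            continue
        report.copied.append(name)
        if name == SELINUX_XATTR:
            report.selinux_context = value
    return report


def explain(report: XattrReport) -> List[str]:
    """Lines an rsync-like tool should print under -v instead of staying silent."""
    lines = ["copied: %s" % (", ".join(report.copied) or "none")]
    for name, err in sorted(report.skipped.items()):
        if name == SELINUX_XATTR and err == "EPERM":
            why = "label not set: SELinux disabled (needs CAP_SYS_ADMIN) or relabel denied by policy"
        elif err in ("ENOTSUP", "EOPNOTSUPP"):
            why = "filesystem or platform has no xattr support"
        else:
            why = "kernel refused with %s" % err
        lines.append("skipped %s: %s" % (name, why))
    return lines


def prepare_pair() -> Tuple[str, str, bool]:
    """Two empty temp files; src gets a user.* attribute if the filesystem allows it
    (constructed input for the demo; the bool says whether it was set)."""
    workdir = tempfile.mkdtemp()
    src, dst = os.path.join(workdir, "file"), os.path.join(workdir, "copy")
    for p in (src, dst):
        open(p, "w").close()
    try:
        os.setxattr(src, "user.demo", b"1")
        return src, dst, True
    except (OSError, AttributeError):  # e.g. tmpfs on an older kernel, or no xattr API
        return src, dst, False


def read_xattr(path: str, name: str) -> Optional[bytes]:
    try:
        return os.getxattr(path, name)
    except (OSError, AttributeError):
        return None


def demo() -> List[str]:
    src, dst, _ = prepare_pair()
    return explain(copy_xattrs(src, dst))


if __name__ == "__main__":
    print("\n".join(demo()))
```

The point of the report is the failure mode: a tool that only copies user.* when unprivileged can never tell the user that the label was lost, whereas attempting security.selinux and surfacing EPERM or EACCES makes the outcome visible. The label-specific handling Stephen Smalley mentions would use the libselinux bindings (getfilecon/setfilecon, or lgetfilecon/lsetfilecon for symlinks) in place of the generic setxattr call; they are left out here so the block runs without libselinux installed.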
From sds at tycho.nsa.gov Wed Jan 14 14:46:34 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 14 Jan 2009 09:46:34 -0500
Subject: running rsync as root to preserve contexts
In-Reply-To: <496D4395.1010503@redhat.com>
References: <496D4395.1010503@redhat.com>
Message-ID: <1231944394.31192.21.camel@localhost.localdomain>

On Wed, 2009-01-14 at 11:44 +1000, Murray McAllister wrote:
> Hi,
>
> I am not sure how rsync works, but should it have to be run as the root
> user to preserve contexts?

Only if SELinux is disabled. If SELinux is disabled, then you have to be root, or rather have CAP_SYS_ADMIN, to set anything in the "security." namespace. If SELinux is enabled, then a process can set the security.selinux attribute if it passes a set of SELinux permission checks based on the SELinux contexts, independent of whether it is root.

I think perhaps the fundamental problem is that they are just trying to use the generic xattr code rather than providing specific handling for SELinux contexts using the libselinux interfaces, just as they provide specific handling for ACLs using libacl.

> $ pwd
> /home/murray
>
> $ mkdir other
> $ ls -dZ other/
> drwxrwxr-x murray murray unconfined_u:object_r:user_home_t:s0 other/
>
> $ touch file && chcon -t samba_share_t file
> $ ls -Z file
> -rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file
>
> $ rsync -aXHv file other/
> sending incremental file list
> file
>
> sent 122 bytes received 31 bytes 102.00 bytes/sec
> total size is 0 speedup is 0.00
> $ ls -Z other/
> -rw-rw-r-- murray murray unconfined_u:object_r:user_home_t:s0 file
>
> # samba_share_t type was not preserved.
>
> $ sudo rsync -aXHv file other/
> sending incremental file list
>
> sent 128 bytes received 17 bytes 290.00 bytes/sec
>
> # running as sudo sends more bytes (previously 122).
>
> total size is 0 speedup is 0.00
> $ ls -Z other/
> -rw-rw-r-- murray murray unconfined_u:object_r:samba_share_t:s0 file
>
> # samba_share_t type was preserved.
>
> I am using:
>
> rsync-3.0.4-0.fc10.i386
> openssh-askpass-5.1p1-3.fc10.i386
> openssh-5.1p1-3.fc10.i386
> openssh-clients-5.1p1-3.fc10.i386
> libssh2-0.18-7.fc9.i386
> openssh-server-5.1p1-3.fc10.i386
>
> selinux-policy-3.5.13-38.fc10.noarch
> selinux-policy-targeted-3.5.13-38.fc10.noarch
>
> Cheers.

--
Stephen Smalley
National Security Agency

From tmz at pobox.com Wed Jan 14 16:22:45 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Wed, 14 Jan 2009 11:22:45 -0500
Subject: libgpod HAL callout and SELinux denials
In-Reply-To: <20090105030332.GL12325@inocybe.teonanacatl.org>
References: <20090104153414.GH12325@inocybe.teonanacatl.org> <4960EBB7.1000002@redhat.com> <20090105030332.GL12325@inocybe.teonanacatl.org>
Message-ID: <20090114162245.GA18365@inocybe.teonanacatl.org>

I wrote:
> Daniel J Walsh wrote:
>> And I will add rules to allow this in F10 and F11.

The selinux-policy-3.5.13-38.fc10 fixed things nicely (noted in bodhi as well).

>> Are you planning on putting this in F9?

The rules aren't in the selinux-policy-3.3.1-117.fc9 that's in updates-testing yet, right?

While I'm looking at these iPod callouts, I noticed that there's some podsleuth policy to allow podsleuth to do similar things. Should we coordinate things so that podsleuth and libgpod can share some selinux-policy?
I do find that the podsleuth hal callout still produces AVC denials on F-10 (every time an iPod is inserted):

type=AVC msg=audit(1231370741.744:256): avc: denied { execstack } for pid=1521 comm="mono" scontext=system_u:system_r:podsleuth_t:s0 tcontext=system_u:system_r:podsleuth_t:s0 tclass=process
type=SYSCALL msg=audit(1231370741.744:256): arch=40000003 syscall=125 success=yes exit=0 a0=bfd5f000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1518 pid=1521 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:podsleuth_t:s0 key=(null)

Is this a generic mono execstack problem or is it something that needs to be fixed in podsleuth or selinux-policy?

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is easier to fight for one's principles than to live up to them.
    -- Alfred Adler

From tmz at pobox.com Wed Jan 14 16:45:16 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Wed, 14 Jan 2009 11:45:16 -0500
Subject: New fedora cgit packages could use some policy updates
Message-ID: <20090114164516.GB18365@inocybe.teonanacatl.org>

Greetings,

I added a cgit package to Fedora yesterday. It's only in rawhide at the moment. cgit is a cgi used to provide a web interface for viewing git repositories (similar to gitweb [1]).

Is the preferred method to add policy to the selinux-policy package or are package policy modules the way to go? I thought the former was preferred, but I can't find anything on the wiki other than http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems like it might have been a stalled attempt.

The cgit requirements are fairly minimal, AFAICT.
It needs:

 * write access to its cache dir, /var/cache/cgit

 * read access to git repositories, which default to /var/lib/git, but are likely to be changed by admins (/srv/git is one popular choice). For the moment, I created a README.SELinux file in the package that details how to set generic contexts to allow the package to work [2].

That README suggests httpd_sys_content_rw_t for the cache and httpd_sys_content_t (or public_content_t) for the git repos. It's quite likely that we'd want a more specific type for the cache dir especially.

Additionally, the cgi itself needs to be httpd_sys_script_exec_t, which happens automagically by virtue of installing it in /var/www/cgi-bin/cgit.

Any help or suggestions would be most welcome. I'd like to get these things worked out before I build the package for F-9, F-10, and EL-5. If crafting a policy requires moving anything around, I'd like to do that before many users install the package and modify their configs.

[1] gitweb has some SELinux issues on F-10 itself, I filed this as https://bugzilla.redhat.com/479613 the other day.

[2] http://cvs.fedoraproject.org/viewvc/rpms/cgit/devel/README.SELinux?view=co

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well at first I was skeptical but then I thought I could be like Hillary Clinton, just without the penis.
    -- Lois Griffin, The Family Guy
From dwalsh at redhat.com Wed Jan 14 17:41:44 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 14 Jan 2009 12:41:44 -0500
Subject: libgpod HAL callout and SELinux denials
In-Reply-To: <20090114162245.GA18365@inocybe.teonanacatl.org>
References: <20090104153414.GH12325@inocybe.teonanacatl.org> <4960EBB7.1000002@redhat.com> <20090105030332.GL12325@inocybe.teonanacatl.org> <20090114162245.GA18365@inocybe.teonanacatl.org>
Message-ID: <496E23D8.1000108@redhat.com>

Todd Zullinger wrote:
> I wrote:
>> Daniel J Walsh wrote:
>>> And I will add rules to allow this in F10 and F11.
>
> The selinux-policy-3.5.13-38.fc10 fixed things nicely (noted in bodhi
> as well).
>
>>> Are you planning on putting this in F9?
>
> The rules aren't in the selinux-policy-3.3.1-117.fc9 that's in
> updates-testing yet, right?
>
> While I'm looking at these iPod callouts, I noticed that there's some
> podsleuth policy to allow podsleuth to do similar things. Should we
> coordinate things so that podsleuth and libgpod can share some
> selinux-policy?
>
> I do find that the podsleuth hal callout still produces AVC denials on
> F-10 (every time an iPod is inserted):
>
> type=AVC msg=audit(1231370741.744:256): avc: denied { execstack } for pid=1521 comm="mono" scontext=system_u:system_r:podsleuth_t:s0 tcontext=system_u:system_r:podsleuth_t:s0 tclass=process
> type=SYSCALL msg=audit(1231370741.744:256): arch=40000003 syscall=125 success=yes exit=0 a0=bfd5f000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1518 pid=1521 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:podsleuth_t:s0 key=(null)
>
> Is this a generic mono execstack problem or is it something that needs
> to be fixed in podsleuth or selinux-policy?
mono uses execstack, so any app that is written with mono will require execstack.

From loganjerry at gmail.com Wed Jan 14 17:00:29 2009
From: loganjerry at gmail.com (Jerry James)
Date: Wed, 14 Jan 2009 10:00:29 -0700
Subject: New fedora cgit packages could use some policy updates
In-Reply-To: <20090114164516.GB18365@inocybe.teonanacatl.org>
References: <20090114164516.GB18365@inocybe.teonanacatl.org>
Message-ID: <870180fe0901140900i75107c94i70233f8925e3954c@mail.gmail.com>

On Wed, Jan 14, 2009 at 9:45 AM, Todd Zullinger wrote:
> Is the preferred method to add policy to the selinux-policy package or
> are package policy modules the way to go? I thought the former was
> preferred, but I can't find anything on the wiki other than
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems
> like it might have been a stalled attempt.

That page addresses a question I have with GCL: where should the policy file be stored? It suggests /usr/share/selinux/packages. I see that BackupPC stores its policy file there. But that directory is not owned by any package. Should it be owned by selinux-policy?
--
Jerry James
http://loganjerry.googlepages.com/

From tmz at pobox.com Wed Jan 14 18:15:29 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Wed, 14 Jan 2009 13:15:29 -0500
Subject: libgpod HAL callout and SELinux denials
In-Reply-To: <496E23D8.1000108@redhat.com>
References: <20090104153414.GH12325@inocybe.teonanacatl.org> <4960EBB7.1000002@redhat.com> <20090105030332.GL12325@inocybe.teonanacatl.org> <20090114162245.GA18365@inocybe.teonanacatl.org> <496E23D8.1000108@redhat.com>
Message-ID: <20090114181529.GD18365@inocybe.teonanacatl.org>

Daniel J Walsh wrote:
> mono uses execstack so any app that is written with mono will
> require execstack.

So this is something that needs to be updated in the podsleuth policy, I take it? Should I file it in bugzilla so it's on your (probably oversized) TODO list? ;)

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The secret to success is knowing who to blame for your failures.
    -- Demotivators (www.despair.com)

From dwalsh at redhat.com Wed Jan 14 19:22:25 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 14 Jan 2009 14:22:25 -0500
Subject: libgpod HAL callout and SELinux denials
In-Reply-To: <20090114181529.GD18365@inocybe.teonanacatl.org>
References: <20090104153414.GH12325@inocybe.teonanacatl.org> <4960EBB7.1000002@redhat.com> <20090105030332.GL12325@inocybe.teonanacatl.org> <20090114162245.GA18365@inocybe.teonanacatl.org> <496E23D8.1000108@redhat.com> <20090114181529.GD18365@inocybe.teonanacatl.org>
Message-ID: <496E3B71.4020004@redhat.com>

Todd Zullinger wrote:
> Daniel J Walsh wrote:
>> mono uses execstack so any app that is written with mono will
>> require execstack.
>
> So this is something that needs updated in the podsleuth policy I take
> it? Should I file it in bugzilla so it's on your (probably oversized)
> TODO list? ;)

Yes, although I do have help now in Miroslav Grepl, who is handling policy for F9 and F10.

From tmz at pobox.com Thu Jan 15 03:28:15 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Wed, 14 Jan 2009 22:28:15 -0500
Subject: libgpod HAL callout and SELinux denials
In-Reply-To: <496E3B71.4020004@redhat.com>
References: <20090104153414.GH12325@inocybe.teonanacatl.org> <4960EBB7.1000002@redhat.com> <20090105030332.GL12325@inocybe.teonanacatl.org> <20090114162245.GA18365@inocybe.teonanacatl.org> <496E23D8.1000108@redhat.com> <20090114181529.GD18365@inocybe.teonanacatl.org> <496E3B71.4020004@redhat.com>
Message-ID: <20090115032814.GF18365@inocybe.teonanacatl.org>

Daniel J Walsh wrote:
> Todd Zullinger wrote:
>> Daniel J Walsh wrote:
>>> mono uses execstack so any app that is written with mono will
>>> require execstack.
>>
>> So this is something that needs updated in the podsleuth policy I
>> take it? Should I file it in bugzilla so it's on your (probably
>> oversized) TODO list? ;)
[...]
> yes, Although I do have help now in Miroslav Grepl ,
> who is handling policy for F9 and F10

Filed as https://bugzilla.redhat.com/480059. Thanks. And thanks Miroslav for updating the libgpod hal callout in F-9 today.
--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A good programmer is one who looks both ways before crossing a one-way street.
    -- Doug Linder

From mgrepl at redhat.com Thu Jan 15 08:58:33 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Thu, 15 Jan 2009 09:58:33 +0100
Subject: libgpod HAL callout and SELinux denials
Message-ID: <496EFAB9.1020009@redhat.com>

I will fix the issue with execstack in the next release of selinux policy.

F9: selinux-policy-3.3.1-119.fc9
F10: selinux-policy-3.5.13-40.fc10

From dwalsh at redhat.com Thu Jan 15 18:59:23 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 15 Jan 2009 13:59:23 -0500
Subject: New fedora cgit packages could use some policy updates
In-Reply-To: <870180fe0901140900i75107c94i70233f8925e3954c@mail.gmail.com>
References: <20090114164516.GB18365@inocybe.teonanacatl.org> <870180fe0901140900i75107c94i70233f8925e3954c@mail.gmail.com>
Message-ID: <496F878B.2060300@redhat.com>

Jerry James wrote:
> On Wed, Jan 14, 2009 at 9:45 AM, Todd Zullinger wrote:
>> Is the preferred method to add policy to the selinux-policy package or
>> are package policy modules the way to go? I thought the former was
>> preferred, but I can't find anything on the wiki other than
>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems
>> like it might have been a stalled attempt.
>
> That page addresses a question I have with GCL: where should the
> policy file be stored? It suggests /usr/share/selinux/packages. I
> see that BackupPC stores its policy file there. But that directory is
> not owned by any package. Should it be owned by selinux-policy?

I will add this to the rawhide selinux-policy package.
Miroslav, can you add it to the F10 policy package?

From dwalsh at redhat.com Thu Jan 15 19:01:29 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 15 Jan 2009 14:01:29 -0500
Subject: New fedora cgit packages could use some policy updates
In-Reply-To: <20090114164516.GB18365@inocybe.teonanacatl.org>
References: <20090114164516.GB18365@inocybe.teonanacatl.org>
Message-ID: <496F8809.7040608@redhat.com>

Todd Zullinger wrote:
> Greetings,
>
> I added a cgit package to Fedora yesterday. It's only in rawhide at
> the moment. cgit is a cgi used to provide a web interface for viewing
> git repositories (similar to gitweb [1]).
>
> Is the preferred method to add policy to the selinux-policy package or
> are package policy modules the way to go? I thought the former was
> preferred, but I can't find anything on the wiki other than
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems
> like it might have been a stalled attempt.
>
> The cgit requirements are fairly minimal, AFAICT. It needs:
>
> * write access to its cache dir, /var/cache/cgit
>
> * read access to git repositories, which default to /var/lib/git,
> but are likely to be changed by admins (/srv/git is one popular
> choice). For the moment, I created a README.SELinux file in the
> package that details how to set generic contexts to allow the
> package to work [2].
>
> That README suggests httpd_sys_content_rw_t for the cache and
> httpd_sys_content_t (or public_content_t) for the git repos. It's
> quite likely that we'd want a more specific type for the cache dir
> especially.
>
> Additionally, the cgi itself needs to be httpd_sys_script_exec_t,
> which happens automagically by virtue of installing it in
> /var/www/cgi-bin/cgit.
>
> Any help or suggestions would be most welcome. I'd like to get these
> things worked out before I build the package for F-9, F-10, and EL-5.
> If crafting a policy requires moving anything around, I'd like to do
> that before many users install the package and modify their configs.
>
> [1] gitweb has some SELinux issues on F-10 itself, I filed this as
> https://bugzilla.redhat.com/479613 the other day.
>
> [2] http://cvs.fedoraproject.org/viewvc/rpms/cgit/devel/README.SELinux?view=co

What do you think of this simple policy package?

[Attachments scrubbed by the archive: git.tgz (application/x-compressed-tar, 359 bytes) and git.tgz.sig (72 bytes).]

From rchapman at aardvark.com.au Fri Jan 16 03:36:22 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Fri, 16 Jan 2009 12:36:22 +0900
Subject: Setting Samba Boolean. Recommended method?
In-Reply-To: <4968309C.8060702@aardvark.com.au>
References: <4968309C.8060702@aardvark.com.au>
Message-ID: <497000B6.2050403@aardvark.com.au>

I am running SELinux in permissive mode. I want to allow samba access to user home directories.
At setroubleshoot's suggestion (see below), I did the following at a shell prompt:

    setsebool -P samba_enable_home_dirs=1

This seemed to solve the problem. But after a reboot the denials are back. I assume the boolean is not carried across a reboot.

If my assumption is correct, where is the recommended place to put the:

    setsebool -P samba_enable_home_dirs=1

command? Should I create a local policy module and put it there, or is there some other recommended place? If anyone can point me to a recommended procedure ...

Thanks

Richard.

Summary:

SELinux is preventing the samba daemon from reading users' home directories.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux has denied the samba daemon access to users' home directories. Someone is attempting to access your home directories via your samba daemon. If you only setup samba to share non-home directories, this probably signals a intrusion attempt. For more information on SELinux integration with samba, look at the samba_selinux man page.
(man samba_selinux) Allowing Access: If you want samba to share home directories you need to turn on the samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1" The following command will allow this access: setsebool -P samba_enable_home_dirs=1 Additional Information: Source Context system_u:system_r:smbd_t Target Context user_u:object_r:spamassassin_home_t Target Objects ./.spamassassin [ dir ] Source smbd Source Path /usr/sbin/smbd Port Host C5.aardvark.com.au Source RPM Packages samba-3.0.28-1.el5_2.1 Target RPM Packages Policy RPM selinux-policy-2.4.6-203.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name samba_enable_home_dirs Host Name C5.aardvark.com.au Platform Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 Alert Count 2 First Seen Tue 13 Jan 2009 10:59:19 PM WST Last Seen Tue 13 Jan 2009 10:59:23 PM WST Local ID 70f6525d-ce9d-40a4-a558-c3db06781ae9 Line Numbers Raw Audit Messages host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { search } for pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { search } for pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { getattr } for pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { getattr } for pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) From paul at city-fan.org Fri Jan 16 10:18:41 2009 From: paul at city-fan.org (Paul Howarth) Date: Fri, 16 Jan 2009 10:18:41 +0000 Subject: Setting Samba Boolean. Recommended method? In-Reply-To: <497000B6.2050403@aardvark.com.au> References: <4968309C.8060702@aardvark.com.au> <497000B6.2050403@aardvark.com.au> Message-ID: <49705F01.9000104@city-fan.org> Richard Chapman wrote: > I am running SElinux in permissive mode. I want to allow samba access to > user home directories. > At setroubleshooters suggestion (see below) - I did the following at a > shell prompt: > > ? *setsebool -P samba_enable_home_dirs=1 > > > * > > This seemed to solve the problem. But after a reboot the denials are > back. I assume the boolean is not carried across a reboot. > > If my assumption is correct - where is the recommended place to put the: > > setsebool -P samba_enable_home_dirs=1 > > command? > Should I create a local policy module and put it there - or is there > some other recommended place? If anyone can point me to a recommended > procedure ... > > Thanks > > Richard. 
You've done what you needed to do already - the -P option makes the boolean persist across reboots. > Summary: > > SELinux is preventing the samba daemon from reading users' home > directories. This summary is actually slightly misleading in this case. > Detailed Description: > > [SELinux is in permissive mode, the operation would have been denied but > was > permitted due to permissive mode.] > > SELinux has denied the samba daemon access to users' home directories. > Someone > is attempting to access your home directories via your samba daemon. If > you only > setup samba to share non-home directories, this probably signals a > intrusion > attempt. For more information on SELinux integration with samba, look at > the > samba_selinux man page. (man samba_selinux) > > Allowing Access: > > If you want samba to share home directories you need to turn on the > samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1" > > The following command will allow this access: > > setsebool -P samba_enable_home_dirs=1 > > Additional Information: > > Source Context system_u:system_r:smbd_t > Target Context user_u:object_r:spamassassin_home_t > Target Objects ./.spamassassin [ dir ] > Source smbd > Source Path /usr/sbin/smbd > Port > Host C5.aardvark.com.au > Source RPM Packages samba-3.0.28-1.el5_2.1 > Target RPM Packages Policy RPM > selinux-policy-2.4.6-203.el5 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Permissive > Plugin Name samba_enable_home_dirs > Host Name C5.aardvark.com.au > Platform Linux C5.aardvark.com.au > 2.6.18-92.1.22.el5 #1 SMP > Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64 > Alert Count 2 > First Seen Tue 13 Jan 2009 10:59:19 PM WST > Last Seen Tue 13 Jan 2009 10:59:23 PM WST > Local ID 70f6525d-ce9d-40a4-a558-c3db06781ae9 > Line Numbers > Raw Audit Messages > host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: > denied { search } for pid=8841 comm="smbd" name=".spamassassin" > dev=dm-0 
ino=26155019 scontext=system_u:system_r:smbd_t:s0 > tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir > > host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: > denied { search } for pid=8841 comm="smbd" name=".spamassassin" > dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 > tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir > > host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: > denied { getattr } for pid=8841 comm="smbd" > path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 > scontext=system_u:system_r:smbd_t:s0 > tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file > > host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: > denied { getattr } for pid=8841 comm="smbd" > path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 > scontext=system_u:system_r:smbd_t:s0 > tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file > > host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): > arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 > a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 > pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 > egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" > exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) > > host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): > arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 > a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 > pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 > egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" > exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) These denials are all for the ~/.spamassassin directory and its contents, not the home directory in general. Browsing the majority of the home directory would work just fine in enforcing mode. Paul. 
From mgrepl at redhat.com Fri Jan 16 11:14:56 2009 From: mgrepl at redhat.com (Miroslav Grepl) Date: Fri, 16 Jan 2009 12:14:56 +0100 Subject: New fedora cgit packages could use some policy updates In-Reply-To: <496F878B.2060300@redhat.com> References: <20090114164516.GB18365@inocybe.teonanacatl.org> <870180fe0901140900i75107c94i70233f8925e3954c@mail.gmail.com> <496F878B.2060300@redhat.com> Message-ID: <49706C30.7040708@redhat.com> Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Jerry James wrote: > >> On Wed, Jan 14, 2009 at 9:45 AM, Todd Zullinger wrote: >> >>> Is the preferred method to add policy to the selinux-policy package or >>> are package policy modules the way to go? I thought the former was >>> preferred, but I can't find anything on the wiki other than >>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux, which seems >>> like it might have been a stalled attempt. >>> >> That page addresses a question I have with GCL: where should the >> policy file be stored? It suggests /usr/share/selinux/packages. I >> see that BackupPC stores its policy file there. But that directory is >> not owned by any package. Should it be owned by selinux-policy? >> > I will add this to rawhide selinux-policy package. > > Miroslav can you add it to F10 policy package? > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org > > iEYEARECAAYFAklvh4sACgkQrlYvE4MpobPDHgCcCTVsMnLJqKtSx2oh+TFK2w4w > Ns4AoOUwP0M/gv1eGlmLli9kLxubeog2 > =JdUa > -----END PGP SIGNATURE----- > I will do it. 
From txtoth at gmail.com Fri Jan 16 14:30:11 2009
From: txtoth at gmail.com (Xavier Toth)
Date: Fri, 16 Jan 2009 08:30:11 -0600
Subject: plymouthd avcs in MLS
In-Reply-To: <496B7588.6000204@redhat.com>
References: <496B7588.6000204@redhat.com>
Message-ID:

On Mon, Jan 12, 2009 at 10:53 AM, Daniel J Walsh wrote:
> Joe Nall wrote:
>> type=AVC msg=audit(1231458433.619:3): avc: denied { execute } for pid=1 comm="init" name="plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.621:4): avc: denied { read } for pid=723 comm="init" name="plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.621:4): avc: denied { execute_no_trans } for pid=723 comm="init" path="/bin/plymouth" dev=rootfs ino=73 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.623:5): avc: denied { getattr } for pid=723 comm="plymouth" path="/etc/ld.so.cache" dev=rootfs ino=122 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.625:6): avc: denied { search } for pid=695 comm="plymouthd" name="lib" dev=dm-0 ino=555970 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
>> type=AVC msg=audit(1231458433.625:6): avc: denied { read } for pid=695 comm="plymouthd" name="boot-duration" dev=dm-0 ino=564304 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1231458433.632:7): avc: denied { getattr } for pid=695 comm="plymouthd" path="/var/lib/plymouth/boot-duration" dev=dm-0 ino=564304
>> scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>> type=AVC msg=audit(1231458434.550:20): avc: denied { read } for pid=695 comm="plymouthd" path="/ptmx" dev=tmpfs ino=354 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
>>
>> type=AVC msg=audit(1231458434.550:21): avc: denied { write } for pid=695 comm="plymouthd" path="/tty1" dev=tmpfs ino=357 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
>>
>> with the last avc repeated ~3000 times a second forever in enforcing.
>>
>> Should plymouthd have a dedicated type or should tty1 be SystemHigh?
>>
>> joe
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> I think plymouthd is started in the initrd, so I don't think we can have a transition. But shouldn't the kernel be able to override MLS So it could write to this terminal?

kernel_t already has mls_files_[read/write]_all_levels however it uses term_use_console which doesn't cover tty_device_t. The options are to use term_use_all_terms or to "allow kernel_t tty_device_t:chr_file rw_file_perms;". Which will it be?
Ted

From ole.ersoy at gmail.com Fri Jan 16 19:21:11 2009
From: ole.ersoy at gmail.com (Ole Ersoy)
Date: Fri, 16 Jan 2009 13:21:11 -0600
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
Message-ID: <4970DE27.1000907@gmail.com>

Hi,

I tried uploading a picture to facebook, and it appears that selinux was denying firefox the ability to read the image. The image has the following context:

rw-rw-r-- ole ole unconfined_u:object_r:user_home_t:s0 dsc06702.jpg

I looked in /var/log/messages and /var/log/audit/audit.log for a denial message, but did not see one (Silent denial?). The image uploaded fine after running:

setenforce 0

though, so I assume it's SELinux. Thought I'd mention this in case it's something that can make a secure Fedora experience simpler for the average desktop user.

Cheers,
- Ole

From domg472 at gmail.com Fri Jan 16 19:27:44 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Fri, 16 Jan 2009 20:27:44 +0100
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <4970DE27.1000907@gmail.com>
References: <4970DE27.1000907@gmail.com>
Message-ID: <1232134064.8594.8.camel@localhost.localdomain>

On Fri, 2009-01-16 at 13:21 -0600, Ole Ersoy wrote:
> Hi,
>
> I tried uploading a picture to facebook, and it appears that selinux was denying firefox the ability to read the image. The image has the following context:
>
> rw-rw-r-- ole ole unconfined_u:object_r:user_home_t:s0 dsc06702.jpg
>
> I looked in /var/log/messages and /var/log/audit/audit.log for a denial message, but did not see one (Silent denial?). The image uploaded fine after running:
>
> setenforce 0
>
> though, so I assume it's SELinux. Thought I'd mention this in case it's something that can make a secure Fedora experience simpler for the average desktop user.

You can unload the "silent denials" using the "semodule -DB" command. Your issue is strange however because it seems that you operate in the unconfined user domain.
This user domain is designed to be unrestricted (not targeted) with the exception of execmem, execmod, execstack and execheap.

Hth,
Dominick grift

From ole.ersoy at gmail.com Fri Jan 16 21:13:30 2009
From: ole.ersoy at gmail.com (Ole Ersoy)
Date: Fri, 16 Jan 2009 15:13:30 -0600
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <1232134064.8594.8.camel@localhost.localdomain>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain>
Message-ID: <4970F87A.3050309@gmail.com>

> You can unload the "silent denials" using the "semodule -DB" command.

Gave it a shot, and nothing there either:

[root at ole Documents]# semodule -DB
[root at ole Documents]#

> Your issue is strange however because it seems that you operate in the unconfined user domain. This user domain is designed to be unrestricted (not targeted) with the exception of execmem, execmod, execstack and execheap.

Indeed. I'll keep poking around for clues and do a post back if I find more info.

Thanks,
- Ole

From domg472 at gmail.com Fri Jan 16 21:22:22 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Fri, 16 Jan 2009 22:22:22 +0100
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <4970F87A.3050309@gmail.com>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain> <4970F87A.3050309@gmail.com>
Message-ID: <1232140942.11696.1.camel@localhost.localdomain>

On Fri, 2009-01-16 at 15:13 -0600, Ole Ersoy wrote:
> Indeed. I'll keep poking around for clues and do a post back if I find more info.

You could also try and see if DBUS is somehow involved.
DBUS SELinux denials go to /var/log/messages. It is a long shot.

From rchapman at aardvark.com.au Fri Jan 16 23:22:52 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Sat, 17 Jan 2009 08:22:52 +0900
Subject: Setting Samba Boolean. Recommended method?
In-Reply-To: <49705F01.9000104@city-fan.org>
References: <4968309C.8060702@aardvark.com.au> <497000B6.2050403@aardvark.com.au> <49705F01.9000104@city-fan.org>
Message-ID: <497116CC.4040607@aardvark.com.au>

Thanks Paul. Your observation that the problem is the ~/.spamassassin directory is very enlightening. Nonetheless - I imagine that in enforcing mode - I will get lots of errors - and possibly samba delays - so it probably still needs fixing. Can you suggest why I might have this problem - and how best to fix it?

Richard.

Paul Howarth wrote:
> Richard Chapman wrote:
>> I am running SElinux in permissive mode. I want to allow samba access to user home directories.
>> At setroubleshooter's suggestion (see below) - I did the following at a shell prompt:
>>
>> setsebool -P samba_enable_home_dirs=1
>>
>> This seemed to solve the problem. But after a reboot the denials are back. I assume the boolean is not carried across a reboot.
>>
>> If my assumption is correct - where is the recommended place to put the:
>>
>> setsebool -P samba_enable_home_dirs=1
>>
>> command?
>> Should I create a local policy module and put it there - or is there some other recommended place? If anyone can point me to a recommended procedure ...
>>
>> Thanks
>>
>> Richard.
>
> You've done what you needed to do already - the -P option makes the boolean persist across reboots.
>
>> Summary:
>>
>> SELinux is preventing the samba daemon from reading users' home directories.
>
> This summary is actually slightly misleading in this case.
>
>> Detailed Description:
>>
>> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
>>
>> SELinux has denied the samba daemon access to users' home directories. Someone is attempting to access your home directories via your samba daemon. If you only setup samba to share non-home directories, this probably signals a intrusion attempt. For more information on SELinux integration with samba, look at the samba_selinux man page. (man samba_selinux)
>>
>> Allowing Access:
>>
>> If you want samba to share home directories you need to turn on the samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
>>
>> The following command will allow this access:
>>
>> setsebool -P samba_enable_home_dirs=1
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:smbd_t
>> Target Context                user_u:object_r:spamassassin_home_t
>> Target Objects                ./.spamassassin [ dir ]
>> Source                        smbd
>> Source Path                   /usr/sbin/smbd
>> Port
>> Host                          C5.aardvark.com.au
>> Source RPM Packages           samba-3.0.28-1.el5_2.1
>> Target RPM Packages
>> Policy RPM                    selinux-policy-2.4.6-203.el5
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Permissive
>> Plugin Name                   samba_enable_home_dirs
>> Host Name                     C5.aardvark.com.au
>> Platform                      Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
>> Alert Count                   2
>> First Seen                    Tue 13 Jan 2009 10:59:19 PM WST
>> Last Seen                     Tue 13 Jan 2009 10:59:23 PM WST
>> Local ID                      70f6525d-ce9d-40a4-a558-c3db06781ae9
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { search } for pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { search } for pid=8841 comm="smbd" name=".spamassassin" dev=dm-0 ino=26155019 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:spamassassin_home_t:s0 tclass=dir
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { getattr } for pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>>
>> host=C5.aardvark.com.au type=AVC msg=audit(1231855163.997:6624): avc: denied { getattr } for pid=8841 comm="smbd" path="/home/tim/.spamassassin/bayes_journal" dev=dm-0 ino=26149415 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:spamassassin_home_t:s0 tclass=file
>>
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>>
>> host=C5.aardvark.com.au type=SYSCALL msg=audit(1231855163.997:6624): arch=c000003e syscall=4 success=yes exit=0 a0=7ffff7628aa0 a1=7ffff76281d0 a2=7ffff76281d0 a3=7ffff76286a0 items=0 ppid=3510 pid=8841 auid=4294967295 uid=501 gid=0 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
>
> These denials are all for the ~/.spamassassin directory and its contents, not the home directory in general. Browsing the majority of the home directory would work just fine in enforcing mode.
>
> Paul.
From ole.ersoy at gmail.com Sun Jan 18 21:00:36 2009
From: ole.ersoy at gmail.com (Ole Ersoy)
Date: Sun, 18 Jan 2009 15:00:36 -0600
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <1232140942.11696.1.camel@localhost.localdomain>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain> <4970F87A.3050309@gmail.com> <1232140942.11696.1.camel@localhost.localdomain>
Message-ID: <49739874.6070206@gmail.com>

I tried:
grep "SELinux is preventing" /var/log/messages

And peeking through /var/log/message, but did not find anything. Next time I do a fresh install I'll see whether I can replicate the result.

Cheers,
- Ole

From dwalsh at redhat.com Mon Jan 19 14:25:34 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 19 Jan 2009 09:25:34 -0500
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <49739874.6070206@gmail.com>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain> <4970F87A.3050309@gmail.com> <1232140942.11696.1.camel@localhost.localdomain> <49739874.6070206@gmail.com>
Message-ID: <49748D5E.2030809@redhat.com>

Ole Ersoy wrote:
> I tried:
> grep "SELinux is preventing" /var/log/messages
>
> And peeking through /var/log/message, but did not find anything. Next time I do a fresh install I'll see whether I can replicate the result.
>
> Cheers,
> - Ole

Your error (avc) messages are in /var/log/audit/audit.log

grep avc /var/log/audit/audit.log

From tmz at pobox.com Mon Jan 19 19:28:09 2009
From: tmz at pobox.com (Todd Zullinger)
Date: Mon, 19 Jan 2009 14:28:09 -0500
Subject: New fedora cgit packages could use some policy updates
In-Reply-To: <496F8809.7040608@redhat.com>
References: <20090114164516.GB18365@inocybe.teonanacatl.org> <496F8809.7040608@redhat.com>
Message-ID: <20090119192809.GX18365@inocybe.teonanacatl.org>

Daniel J Walsh wrote:
> What do you think of this simple policy package.

That looks nice and simple to start with. Thanks.

Thinking ahead a bit, would we want to name it git or cgit? There are several packages/daemons that should eventually become confined by stricter policy:

git-daemon - provides the git:// protocol support
gitweb - provides a CGI in perl for viewing git repos via http[s]
cgit - provides a CGI in C for viewing git repos via http[s]

For example, gitweb would have no need to access the cgit cache, but may have other areas that it needs to write to, which would mean httpd_git_content_rw_t might need to encompass more than needed if it includes both gitweb and cgit.

There have been a few recent security bugs with gitweb[1], serious enough to allow remote code execution. This is definitely the sort of thing a nice policy could help mitigate. :)

Do you have some links handy for how I'd go about creating a confined policy for either cgit or gitweb? That way I could test and add to the policy to allow it to be as limited as is reasonable.
I'd be happy to try and help beat something into shape for these git tools. But I've really not spent a lot of time reading up on creating policy from scratch. I've perused your excellent blog, but not enough to be able to do this yet.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=477523
    https://bugzilla.redhat.com/show_bug.cgi?id=479715

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A vacuum is a hell of a lot better than some of the stuff that nature replaces it with.
    -- Tennessee Williams

From ole.ersoy at gmail.com Mon Jan 19 23:20:50 2009
From: ole.ersoy at gmail.com (Ole Ersoy)
Date: Mon, 19 Jan 2009 17:20:50 -0600
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <49748D5E.2030809@redhat.com>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain> <4970F87A.3050309@gmail.com> <1232140942.11696.1.camel@localhost.localdomain> <49739874.6070206@gmail.com> <49748D5E.2030809@redhat.com>
Message-ID: <49750AD2.5080807@gmail.com>

I had a look in /var/log/audit as well, but did not see anything that looks like it's related. I pasted the last few entries at the bottom of the email.

I've been trying to see whether I can create another denial entry, so that I know exactly which one is new, but the pictures are uploading with selinux enforcing now, so perhaps it was just a coincidence that running setenforce 0 worked....

I'm in the process of learning SELinux and experimenting, but I don't think I did anything to change target policy...

If no one else has the issue, I would say it's a false report - sorry.
Last set of log entries:

type=AVC msg=audit(1232406061.676:687): avc: denied { search } for pid=2802 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1232406061.676:687): arch=40000003 syscall=195 success=no exit=-13 a0=bfda5b7c a1=bfda5b1c a2=30bff4 a3=bfda5b7c items=0 ppid=2801 pid=2802 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1232406061.677:688): avc: denied { search } for pid=2802 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1232406061.677:688): arch=40000003 syscall=5 success=no exit=-13 a0=bfda5b54 a1=8000 a2=0 a3=8000 items=0 ppid=2801 pid=2802 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1232406061.682:689): user pid=2801 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1232406061.687:690): user pid=2801 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1232406061.687:691): login pid=2801 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2
type=USER_START msg=audit(1232406061.689:692): user pid=2801 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root"
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1232406061.750:693): user pid=2801 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1232406061.750:694): user pid=2801 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

From frankly3d at fedoraproject.org Tue Jan 20 11:06:02 2009
From: frankly3d at fedoraproject.org (Frank Murphy)
Date: Tue, 20 Jan 2009 11:06:02 +0000
Subject: Samba Sharing
Message-ID: <4975B01A.5090909@fedoraproject.org>

Having had a look at:
http://danwalsh.livejournal.com/14195.html
and smb.conf

I want to share a dir + subs on my samba\ssh server.

So I would
chcon -R -t samba_share_t /myfiles
(a folder immediately under root, owned by me and accessible to @samba users)

Then run
semanage fcontext -a -t samba_share_t "/myfiles(/.*)?"

to hold the context after a full relabel?

Basically the users need r\w to /myfiles (their own sub folders of)

Frank

From frankly3d at fedoraproject.org Tue Jan 20 11:07:37 2009
From: frankly3d at fedoraproject.org (Frank Murphy)
Date: Tue, 20 Jan 2009 11:07:37 +0000
Subject: Samba Sharing
Message-ID: <4975B079.1090307@fedoraproject.org>

sorry typo should read:

chcon -R -t samba_share_t /myfiles
(a folder immediately under / owned by me and accessible to @samba users)

Then run
semanage fcontext -a -t samba_share_t "/myfiles(/.*)?"

to hold the context after a full relabel?
Basically the users need r\w to /myfiles (their own sub folders of)

Frank

From sds at tycho.nsa.gov Tue Jan 20 13:27:30 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 20 Jan 2009 08:27:30 -0500
Subject: Samba Sharing
In-Reply-To: <4975B079.1090307@fedoraproject.org>
References: <4975B079.1090307@fedoraproject.org>
Message-ID: <1232458050.4166.1.camel@localhost.localdomain>

On Tue, 2009-01-20 at 11:07 +0000, Frank Murphy wrote:
> sorry typo should read:
>
> chcon -R -t samba_share_t /myfiles
> (a folder immediately under / owned by me and accessible to @samba users)
>
> Then run
> semanage fcontext -a -t samba_share_t "/myfiles(/.*)?"
>
> to hold the context after a full relabel?

Alternatively, you can run the semanage fcontext command first, then run 'restorecon -R /myfiles' and it will apply the label you specified via the prior semanage command to that directory tree. No need to specify the type twice in that case.

> Basically the users need r\w to /myfiles (their own sub folders of)

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Tue Jan 20 15:19:11 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 20 Jan 2009 10:19:11 -0500
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <49750AD2.5080807@gmail.com>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain> <4970F87A.3050309@gmail.com> <1232140942.11696.1.camel@localhost.localdomain> <49739874.6070206@gmail.com> <49748D5E.2030809@redhat.com> <49750AD2.5080807@gmail.com>
Message-ID: <4975EB6F.6090109@redhat.com>

Ole Ersoy wrote:
> I had a look in /var/log/audit as well, but did not see anything that looks like it's related. I pasted the last few entries at the bottom of the email.
>
> I've been trying to see whether I can create another denial entry, so that I know exactly which one is new, but the pictures are uploading with selinux enforcing now, so perhaps it was just a coincidence that running setenforce 0 worked....
>
> I'm in the process of learning SELinux and experimenting, but I don't think I did anything to change target policy...
>
> If no one else has the issue, I would say it's a false report - sorry.
>
> Last set of log entries:
>
> type=AVC msg=audit(1232406061.676:687): avc: denied { search } for pid=2802 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
> type=SYSCALL msg=audit(1232406061.676:687): arch=40000003 syscall=195 success=no exit=-13 a0=bfda5b7c a1=bfda5b1c a2=30bff4 a3=bfda5b7c items=0 ppid=2801 pid=2802 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1232406061.677:688): avc: denied { search } for pid=2802 comm="unix_chkpwd" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
> type=SYSCALL msg=audit(1232406061.677:688): arch=40000003 syscall=5 success=no exit=-13 a0=bfda5b54 a1=8000 a2=0 a3=8000 items=0 ppid=2801 pid=2802 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=system_u:system_r:system_chkpwd_t:s0-s0:c0.c1023 key=(null)
> type=USER_ACCT msg=audit(1232406061.682:689): user pid=2801 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ
> msg=audit(1232406061.687:690): user pid=2801 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=LOGIN msg=audit(1232406061.687:691): login pid=2801 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2
> type=USER_START msg=audit(1232406061.689:692): user pid=2801 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_DISP msg=audit(1232406061.750:693): user pid=2801 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_END msg=audit(1232406061.750:694): user pid=2801 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

None of these are related. Very strange.

Are you running with nsplugin_t?

ps -eZ | grep nsplugin

What file system are you using?

What is the exact behaviour that is being blocked?
From ole.ersoy at gmail.com Tue Jan 20 15:44:04 2009
From: ole.ersoy at gmail.com (Ole Ersoy)
Date: Tue, 20 Jan 2009 09:44:04 -0600
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <4975EB6F.6090109@redhat.com>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain> <4970F87A.3050309@gmail.com> <1232140942.11696.1.camel@localhost.localdomain> <49739874.6070206@gmail.com> <49748D5E.2030809@redhat.com> <49750AD2.5080807@gmail.com> <4975EB6F.6090109@redhat.com>
Message-ID: <4975F144.1080208@gmail.com>

> Are you running with nsplugin_t? ps -eZ | grep nsplugin

[root at ole Download]# ps -eZ | grep nsplugin
[root at ole Download]#

> What file system are you using?

ext3

> What is the exact behaviour that is being blocked?

I tried uploading a photo to facebook, and kept getting a "one sentence" postback from facebook saying the image could not be uploaded. I tried it 3-4 times, just to make sure it was not a temporary thing on their side. Then I ran setenforce 0, and the image uploaded fine. So I assumed selinux was blocking firefox from reading the image. I've been trying to duplicate the result with SELinux enforcing though, after rebooting, and now I can upload images without a problem, so I'm wondering whether it was just a coincidence that setenforce 0 worked. If no one else has the problem, then it's probably just a coincidence. I have a better idea on how to isolate the message in the log now, so if it happens again, I'll hopefully be able to get a better grasp on why.

Thanks,
- Ole

From serue at us.ibm.com Tue Jan 20 15:58:38 2009
From: serue at us.ibm.com (Serge E.
Hallyn)
Date: Tue, 20 Jan 2009 09:58:38 -0600
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <4975F144.1080208@gmail.com>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain> <4970F87A.3050309@gmail.com> <1232140942.11696.1.camel@localhost.localdomain> <49739874.6070206@gmail.com> <49748D5E.2030809@redhat.com> <49750AD2.5080807@gmail.com> <4975EB6F.6090109@redhat.com> <4975F144.1080208@gmail.com>
Message-ID: <20090120155838.GA11279@us.ibm.com>

Quoting Ole Ersoy (ole.ersoy at gmail.com):
>> Are you running with nsplugin_t? ps -eZ | grep nsplugin
>
> [root at ole Download]# ps -eZ | grep nsplugin
> [root at ole Download]#
>
>> What file system are you using?
>
> ext3
>
>> What is the exact behaviour that is being blocked?
>
> I tried uploading a photo to facebook, and kept getting a "one sentence" postback from facebook saying the image could not be

Interesting.

Another thing to consider is that facebook (or someone else) might have been trying to do something other than get that picture, and selinux rightfully stopped it.

> uploaded. I tried it 3-4 times, just to make sure it was not a temporary thing on their side. Then I ran setenforce 0, and the image uploaded fine. So I assumed selinux was blocking firefox from reading the image. I've been trying to duplicate the result with SELinux enforcing though, after rebooting, and now I can upload images without a problem, so I'm wondering whether it was just a coincidence that setenforce 0 worked. If no one else has the problem, then it's probably just a coincidence. I have a better idea on how to isolate the message in the log now, so if it happens again, I'll hopefully be able to get a better grasp on why.
>
> Thanks,
> - Ole

From dwalsh at redhat.com Tue Jan 20 16:06:30 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 20 Jan 2009 11:06:30 -0500
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <20090120155838.GA11279@us.ibm.com>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain> <4970F87A.3050309@gmail.com> <1232140942.11696.1.camel@localhost.localdomain> <49739874.6070206@gmail.com> <49748D5E.2030809@redhat.com> <49750AD2.5080807@gmail.com> <4975EB6F.6090109@redhat.com> <4975F144.1080208@gmail.com> <20090120155838.GA11279@us.ibm.com>
Message-ID: <4975F686.5060509@redhat.com>

Serge E. Hallyn wrote:
> Quoting Ole Ersoy (ole.ersoy at gmail.com):
>>> Are you running with nsplugin_t? ps -eZ | grep nsplugin
>> [root at ole Download]# ps -eZ | grep nsplugin
>> [root at ole Download]#
>>
>>> What file system are you using?
>> ext3
>>
>>> What is the exact behaviour that is being blocked?
>> I tried uploading a photo to facebook, and kept getting a "one sentence" postback from facebook saying the image could not be
>
> Interesting.
>
> Another thing to consider is that facebook (or someone else) might have been trying to do something other than get that picture, and selinux rightfully stopped it.
>
>> uploaded. I tried it 3-4 times, just to make sure it was not a temporary thing on their side. Then I ran setenforce 0, and the image uploaded fine. So I assumed selinux was blocking firefox from reading the image. I've been trying to duplicate the result with SELinux enforcing though, after rebooting, and now I can upload images without a problem, so I'm wondering whether it was just a coincidence that setenforce 0 worked.
>> If no one else has the problem, then it's
>> probably just a coincidence. I have a better idea on how to isolate
>> the message in the log now, so if it happens again, I'll hopefully be
>> able to get a better grasp on why.
>>
>> Thanks,
>> - Ole
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Ok, if it happens again, don't hesitate to ping me.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkl19oUACgkQrlYvE4MpobMqtQCfcMLys63o2TBh5ITnHFlE0WC3
Fr4AniDElQN84WBH9W2MZWH9fxguDPfS
=LlkN
-----END PGP SIGNATURE-----

From ole.ersoy at gmail.com Tue Jan 20 16:34:52 2009
From: ole.ersoy at gmail.com (Ole Ersoy)
Date: Tue, 20 Jan 2009 10:34:52 -0600
Subject: Fedora 10 Selinux Denies Firefox Ability to Upload Picture
In-Reply-To: <20090120155838.GA11279@us.ibm.com>
References: <4970DE27.1000907@gmail.com> <1232134064.8594.8.camel@localhost.localdomain> <4970F87A.3050309@gmail.com> <1232140942.11696.1.camel@localhost.localdomain> <49739874.6070206@gmail.com> <49748D5E.2030809@redhat.com> <49750AD2.5080807@gmail.com> <4975EB6F.6090109@redhat.com> <4975F144.1080208@gmail.com> <20090120155838.GA11279@us.ibm.com>
Message-ID: <4975FD2C.5090408@gmail.com>

>
> Another thing to consider is that facebook (or someone else)
> might have been trying to do something other than get that
> picture, and selinux rightfully stopped it.

Good point. I'm starting to think that cleaning things up with a reinstall will be good.

Thanks,
- Ole

From olivares14031 at yahoo.com Wed Jan 21 16:59:31 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 21 Jan 2009 08:59:31 -0800 (PST)
Subject: denied avc's on rawhide: part 2
Message-ID: <757854.22125.qm@web52610.mail.re2.yahoo.com>

Dear list,

I get the following avc's on rawhide.
I had 7 days without internet connection, updated and now I get the following ones. Setroubleshoot does not kick in :(

output done by dmesg:

type=1400 audit(1232555999.381:4): avc: denied { write } for pid=1590 comm="ip6tables-resto" path="/0" dev=devpts ino=3 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file

type=1400 audit(1232556094.962:5): avc: denied { create } for pid=2654 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=1400 audit(1232556101.971:6): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556101.972:7): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556101.972:8): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556101.973:9): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556101.974:10): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556101.975:11): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556101.975:12): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556101.976:13): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556101.977:14): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556101.977:15): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
__ratelimit: 234 callbacks suppressed
type=1400 audit(1232556109.359:94): avc: denied { search } for pid=2724 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=1400 audit(1232556109.359:95): avc: denied { search } for pid=2724 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
fuse init (API version 7.11)

Regards,

Antonio

From dwalsh at redhat.com Wed Jan 21 21:22:05 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 21 Jan 2009 16:22:05 -0500
Subject: plymouthd avcs in MLS
In-Reply-To:
References: <496B7588.6000204@redhat.com>
Message-ID: <497791FD.305@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have sucked it up over the last couple of days and have cleaned up
most of the MLS avcs in Fedora 11. It now boots up and I can log in in
enforcing mode.
I would prefer to work with the F11 policy, although this can safely be
installed on an F10 system.

Try out 3.6.3-5.f11

I gave the kernel_t the privs to run plymouth, it does not make much
sense to prevent kernel_t from any of the accesses it needed.

Also wrote most of the policy for wm_t.

Some problems like use of fusermount are going to be tougher to decide
on what the right thing to do is.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkl3kf0ACgkQrlYvE4MpobNMYwCeOHaZ3GokeMzg8oRrM8vU/S6Q
sqAAoNlF+b4v0c3pnd7BPb8ljzwMB3Vj
=WkHm
-----END PGP SIGNATURE-----

From txtoth at gmail.com Wed Jan 21 21:25:44 2009
From: txtoth at gmail.com (Xavier Toth)
Date: Wed, 21 Jan 2009 15:25:44 -0600
Subject: plymouthd avcs in MLS
In-Reply-To: <497791FD.305@redhat.com>
References: <496B7588.6000204@redhat.com> <497791FD.305@redhat.com>
Message-ID:

I'll give it a try on an F10 box when it finishes building.

Ted

On Wed, Jan 21, 2009 at 3:22 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have sucked it up over the last couple of days and have cleaned up
> most of the MLS avcs in Fedora 11. It now boots up and I can log in in
> enforcing mode.
>
> I would prefer to work with the F11 policy, although this can safely be
> installed on an F10 system.
>
> Try out 3.6.3-5.f11
>
> I gave the kernel_t the privs to run plymouth, it does not make much
> sense to prevent kernel_t from any of the accesses it needed.
>
> Also wrote most of the policy for wm_t.
>
> Some problems like use of fusermount are going to be tougher to decide
> on what the right thing to do is.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkl3kf0ACgkQrlYvE4MpobNMYwCeOHaZ3GokeMzg8oRrM8vU/S6Q
> sqAAoNlF+b4v0c3pnd7BPb8ljzwMB3Vj
> =WkHm
> -----END PGP SIGNATURE-----
>

From txtoth at gmail.com Wed Jan 21 21:49:52 2009
From: txtoth at gmail.com (Xavier Toth)
Date: Wed, 21 Jan 2009 15:49:52 -0600
Subject: plymouthd avcs in MLS
In-Reply-To:
References: <496B7588.6000204@redhat.com> <497791FD.305@redhat.com>
Message-ID:

On Wed, Jan 21, 2009 at 3:25 PM, Xavier Toth wrote:
> I'll give it a try on an F10 box when it finishes building.
>
> Ted
>
> On Wed, Jan 21, 2009 at 3:22 PM, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I have sucked it up over the last couple of days and have cleaned up
>> most of the MLS avcs in Fedora 11. It now boots up and I can log in in
>> enforcing mode.
>>
>> I would prefer to work with the F11 policy, although this can safely be
>> installed on an F10 system.
>>
>> Try out 3.6.3-5.f11
>>
>> I gave the kernel_t the privs to run plymouth, it does not make much
>> sense to prevent kernel_t from any of the accesses it needed.
>>
>> Also wrote most of the policy for wm_t.
>>
>> Some problems like use of fusermount are going to be tougher to decide
>> on what the right thing to do is.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (GNU/Linux)
>> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkl3kf0ACgkQrlYvE4MpobNMYwCeOHaZ3GokeMzg8oRrM8vU/S6Q
>> sqAAoNlF+b4v0c3pnd7BPb8ljzwMB3Vj
>> =WkHm
>> -----END PGP SIGNATURE-----
>>
>

No can do on FC10 as it requires policycoreutils which requires python 2.6 ... :(

Ted

From dwalsh at redhat.com Thu Jan 22 14:00:08 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 22 Jan 2009 09:00:08 -0500
Subject: plymouthd avcs in MLS
In-Reply-To:
References: <496B7588.6000204@redhat.com> <497791FD.305@redhat.com>
Message-ID: <49787BE8.3010201@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Xavier Toth wrote:
> On Wed, Jan 21, 2009 at 3:25 PM, Xavier Toth wrote:
>> I'll give it a try on an F10 box when it finishes building.
>>
>> Ted
>>
>> On Wed, Jan 21, 2009 at 3:22 PM, Daniel J Walsh wrote:
> I have sucked it up over the last couple of days and have cleaned up
> most of the MLS avcs in Fedora 11. It now boots up and I can log in in
> enforcing mode.
>
> I would prefer to work with the F11 policy, although this can safely be
> installed on an F10 system.
>
> Try out 3.6.3-5.f11
>
> I gave the kernel_t the privs to run plymouth, it does not make much
> sense to prevent kernel_t from any of the accesses it needed.
>
> Also wrote most of the policy for wm_t.
>
> Some problems like use of fusermount are going to be tougher to decide
> on what the right thing to do is.
>>>
> No can do on FC10 as it requires policycoreutils which requires python
> 2.6 ... :(
> Ted

The problem is the spec file has been converted to use the compressed
policycoreutils. You could simply take out the patch and the tgz file and
throw it in the F10 spec file and you could build an F10 policy, or you
could just start using F11/Rawhide.

One problem I have with it now is it is silently failing on dbus
(NetworkManager) even in permissive mode.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkl4e+gACgkQrlYvE4MpobPJDgCeKEK36nIyYeavIZY7knOkaVKS
umAAoMExfvdB+9fwWRG/pj0/l7FFcEF5
=CXFJ
-----END PGP SIGNATURE-----

From paul at city-fan.org Thu Jan 22 14:15:24 2009
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 22 Jan 2009 14:15:24 +0000
Subject: bind-mounted homedirs
Message-ID: <49787F7C.2090907@city-fan.org>

On a RHEL 5 server I have bind-mounted home directories, where the data
on the server actually lives in /srv/homes but this is bind-mounted to
/nis-home. The user home directories in LDAP refer to the /nis-home
locations.

When I updated to the 5.3 selinux policy, everything under /srv/homes
got relabelled based on the /srv/homes pathname rather than the
/nis-home pathname.

What would be the best way of preventing this from happening in the
future?

Paul.

From santosp at fedoraproject.org Fri Jan 23 14:13:52 2009
From: santosp at fedoraproject.org (Paulo Santos)
Date: Fri, 23 Jan 2009 15:13:52 +0100
Subject: SELinux in netbooted images
Message-ID: <7a41c4bc0901230613i2adc1715t33de138c48df6b3f@mail.gmail.com>

Hi all,

I googled a bit about this, but didn't find anything, so I decided to send
this email to get some information/help.

I have several servers running on a netbooted image, which, at its base, does
not contain any selinux related packages.
Currently I'm installing at the beginning of the boot process the following
packages:

Installing:
 selinux-policy-targeted   noarch   2.4.6-137.1.el5    updates   911 k
Installing for dependencies:
 audit-libs-python         x86_64   1.6.5-9.el5        base       75 k
 diffutils                 x86_64   2.8.1-15.2.3.el5   base      211 k
 libselinux-python         x86_64   1.33.4-5.el5       base       59 k
 libsemanage               x86_64   1.9.1-3.el5        base      138 k
 policycoreutils           x86_64   1.33.12-14.el5     base      631 k
 selinux-policy            noarch   2.4.6-137.1.el5    updates   381 k

In the end I still end up with SELinux disabled.

My question is the following.
How do I enable SELinux at runtime, after the boot process has finished?
(or do I need to modify the base image to contain the selinux packages?)

I apologize if this information can be found somewhere else, and if this is
not the correct place to ask the question.

Thanks,
Paulo
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dwalsh at redhat.com Fri Jan 23 19:38:36 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 23 Jan 2009 14:38:36 -0500
Subject: SELinux in netbooted images
In-Reply-To: <7a41c4bc0901230613i2adc1715t33de138c48df6b3f@mail.gmail.com>
References: <7a41c4bc0901230613i2adc1715t33de138c48df6b3f@mail.gmail.com>
Message-ID: <497A1CBC.6010807@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paulo Santos wrote:
> Hi all,
>
> I googled a bit about this, but didn't find anything, so I decided to send
> this email to get some information/help.
>
> I have several servers running on a netbooted image, which, at its base, does
> not contain any selinux related packages.
> Currently I'm installing at the beginning of the boot process the following
> packages:
>
> Installing:
>  selinux-policy-targeted   noarch   2.4.6-137.1.el5    updates   911 k
> Installing for dependencies:
>  audit-libs-python         x86_64   1.6.5-9.el5        base       75 k
>  diffutils                 x86_64   2.8.1-15.2.3.el5   base      211 k
>  libselinux-python         x86_64   1.33.4-5.el5       base       59 k
>  libsemanage               x86_64   1.9.1-3.el5        base      138 k
>  policycoreutils           x86_64   1.33.12-14.el5     base      631 k
>  selinux-policy            noarch   2.4.6-137.1.el5    updates   381 k
>
> In the end I still end up with SELinux disabled.
>
> My question is the following.
> How do I enable SELinux at runtime, after the boot process has finished?
> (or do I need to modify the base image to contain the selinux packages?)
>
>
> I apologize if this information can be found somewhere else, and if this is
> not the correct place to ask the question.
>
> Thanks,
> Paulo
>
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

What does /etc/selinux/config say?

Are you using a standard kernel?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkl6HLwACgkQrlYvE4MpobMYlwCgymfEuPQT/VRMwTmMdIVPSDnH
JJ8AoMzKzTJhE1GDcxAH9iJAWpFnZec/
=s4IB
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Fri Jan 23 20:22:19 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 23 Jan 2009 15:22:19 -0500
Subject: denied avc's on rawhide: part 2
In-Reply-To: <757854.22125.qm@web52610.mail.re2.yahoo.com>
References: <757854.22125.qm@web52610.mail.re2.yahoo.com>
Message-ID: <497A26FB.3090205@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear list,
>
> I get the following avc's on rawhide. I had 7 days without internet connection, updated and now I get the following ones. Setroubleshoot does not kick in :(
>
> output done by dmesg:
>
> type=1400 audit(1232555999.381:4): avc: denied { write } for pid=1590 comm="ip6tables-resto" path="/0" dev=devpts ino=3 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
>
>
> type=1400 audit(1232556094.962:5): avc: denied { create } for pid=2654 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
> type=1400 audit(1232556101.971:6): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556101.972:7): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556101.972:8): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556101.973:9): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556101.974:10): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556101.975:11): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556101.975:12): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556101.976:13): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556101.977:14): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556101.977:15): avc: denied { search } for pid=2694 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> __ratelimit: 234 callbacks suppressed
> type=1400 audit(1232556109.359:94): avc: denied { search } for pid=2724 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> type=1400 audit(1232556109.359:95): avc: denied { search } for pid=2724 comm="hal-acl-tool" name="PolicyKit-public" dev=dm-0 ino=3407878 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
> fuse init (API version 7.11)
>
> Regards,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The first two are fixed and the third one seems to be a KDE bug. KDE
tools are trying to create files in / as if it were a home directory.
This is probably not what they intended.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkl6JvsACgkQrlYvE4MpobNTBgCeNqaO7NfHkqMzEUEegkFXcJrR
p+8AoLko5Mm+HsEsni7iM8Wil4RW0ape
=OAuf
-----END PGP SIGNATURE-----

From chepkov at yahoo.com Sat Jan 24 15:18:10 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Sat, 24 Jan 2009 07:18:10 -0800 (PST)
Subject: yum-cron fails trying to mail a temporary file
Message-ID: <424868.75362.qm@web36806.mail.mud.yahoo.com>

I got an interesting denial which took me a bit to figure out.

type=AVC msg=audit(1232788787.310:1787): avc: denied { read } for pid=9836 comm="mail" path="/var/run/yum-cron.EHQJws" dev=dm-3 ino=77843 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file

It comes from the yum-cron package. What happens is a script starts from cron and creates a temporary file which inherits the directory's security context. Later it mails it using redirection syntax: "mail $MAILTO < $YUMTMP". mailx transitions to system_mail_t and is denied from reading such a temporary file.

I don't think this is the only script with logic like this, and I suspect some other directory needs to be used, but I didn't find any suitable one in sources/sendmail.fc, and before I create a new type/directory I would like to know whether there is a more proper way to handle cases like this?

Thank you.

Sincerely yours,
Vadym Chepkov

From kaigai at kaigai.gr.jp Sun Jan 25 04:09:03 2009
From: kaigai at kaigai.gr.jp (KaiGai Kohei)
Date: Sun, 25 Jan 2009 13:09:03 +0900
Subject: Does mcs work on rawhide correctly?
Message-ID: <497BE5DF.2030500@kaigai.gr.jp>

I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch.
[root at masu ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root at masu ~]# touch aaa
[root at masu ~]# ls -Z aaa
-rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 aaa
[root at masu ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31
[root at masu ~]# chcon -l s0:c0 aaa
chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted

Why can't "s0-s0:c0.c31" change the context from "s0" to "s0:c0"?
I could reproduce the matter after "semodule -B".

Is there anyone who can reproduce the matter?
--
KaiGai Kohei

From santosp at fedoraproject.org Mon Jan 26 08:07:10 2009
From: santosp at fedoraproject.org (Paulo Santos)
Date: Mon, 26 Jan 2009 09:07:10 +0100
Subject: SELinux in netbooted images
In-Reply-To: <497A1CBC.6010807@redhat.com>
References: <7a41c4bc0901230613i2adc1715t33de138c48df6b3f@mail.gmail.com> <497A1CBC.6010807@redhat.com>
Message-ID: <7a41c4bc0901260007m32a4ba7ar3fb6c8b0ef414205@mail.gmail.com>

Hi Daniel,

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

CentOS 5.2
Kernel kernel-PAE-2.6.18-92.1.10.el5

Thanks,
Paulo

On Fri, Jan 23, 2009 at 8:38 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Paulo Santos wrote:
> > Hi all,
> >
> > I googled a bit about this, but didn't find anything, so I decided to send
> > this email to get some information/help.
> >
> > I have several servers running on a netbooted image, which, at its base, does
> > not contain any selinux related packages.
> > Currently I'm installing at the beginning of the boot process the following
> > packages:
> >
> > Installing:
> >  selinux-policy-targeted   noarch   2.4.6-137.1.el5    updates   911 k
> > Installing for dependencies:
> >  audit-libs-python         x86_64   1.6.5-9.el5        base       75 k
> >  diffutils                 x86_64   2.8.1-15.2.3.el5   base      211 k
> >  libselinux-python         x86_64   1.33.4-5.el5       base       59 k
> >  libsemanage               x86_64   1.9.1-3.el5        base      138 k
> >  policycoreutils           x86_64   1.33.12-14.el5     base      631 k
> >  selinux-policy            noarch   2.4.6-137.1.el5    updates   381 k
> >
> > In the end I still end up with SELinux disabled.
> >
> > My question is the following.
> > How do I enable SELinux at runtime, after the boot process has finished?
> > (or do I need to modify the base image to contain the selinux packages?)
> >
> >
> > I apologize if this information can be found somewhere else, and if this is
> > not the correct place to ask the question.
> >
> > Thanks,
> > Paulo
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> What does /etc/selinux/config say?
>
> Are you using a standard kernel?
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkl6HLwACgkQrlYvE4MpobMYlwCgymfEuPQT/VRMwTmMdIVPSDnH
> JJ8AoMzKzTJhE1GDcxAH9iJAWpFnZec/
> =s4IB
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rchapman at aardvark.com.au Mon Jan 26 08:52:24 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Mon, 26 Jan 2009 17:52:24 +0900
Subject: Denials from spamc and webalizer on Centos 5.2
In-Reply-To: <5aebb9fb0901120444x37d0b2e4o57a0a4bca8bb3f56@mail.gmail.com>
References: <5aebb9fb0901120444x37d0b2e4o57a0a4bca8bb3f56@mail.gmail.com>
Message-ID: <497D79C8.6090705@aardvark.com.au>

Hi Dominick

It has taken me a while to decide to go ahead with your suggestion
below... (I think I was hoping the problem would go away...:-)) and it
looks like I am heading in the right direction - but there is a little
more work to do.

There seemed to be a problem with the quotes in the line:

echo "optional_policy(`" >> myprocmail.te;

but I edited the .te file - and the make worked fine - after I
installed the selinux-policy-devel package. Here is myprocmail.te:

policy_module(myprocmail, 0.0.1)
require { type procmail_t; }
optional_policy(`spamassassin_domtrans_spamc(procmail_t)')

I installed the policy file using the GUI SELinux Administration tool.

I think we have got rid of the procmail error - but now we have a new
error. (see below). I'm guessing I need another line or two in my
myprocmail.te file. Can you tell me what it is I need? I'm pretty sure
this is a new error - which might suggest that there is something
wrong with the above policy file??

I haven't tried the webalizer changes yet. I have turned webalizer off
for the time being.

Many thanks

Richard.
Summary
    SELinux is preventing the semodule from using potentially mislabeled files
    (/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session).

Detailed Description
    [SELinux is in permissive mode, the operation would have been denied but was
    permitted due to permissive mode.]

    SELinux has denied semodule access to potentially mislabeled file(s)
    (/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session).
    This means that SELinux will not allow semodule to use these files. It is
    common for users to edit files in their home directory or tmp directories
    and then move (mv) them to system directories. The problem is that the files
    end up with the wrong file context which confined applications are not
    allowed to access.

Allowing Access
    If you want semodule to access these files, you need to relabel them using
    restorecon -v '/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session'.
    You might want to relabel the entire directory using
    restorecon -R -v '/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01'.
Additional Information

Source Context:               system_u:system_r:semanage_t
Target Context:               user_u:object_r:user_home_t
Target Objects:               /root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session [ file ]
Source:                       semodule
Source Path:                  /usr/sbin/semodule
Port:
Host:                         C5.aardvark.com.au
Source RPM Packages:          policycoreutils-1.33.12-14.el5
Target RPM Packages:
Policy RPM:                   selinux-policy-2.4.6-203.el5
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Permissive
Plugin Name:                  home_tmp_bad_labels
Host Name:                    C5.aardvark.com.au
Platform:                     Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue Dec 16 11:57:43 EST 2008 x86_64 x86_64
Alert Count:                  1
First Seen:                   Sun Jan 25 14:38:32 2009
Last Seen:                    Sun Jan 25 14:38:32 2009
Local ID:                     5d6e1851-5dc3-49a1-b758-5b33327cdf8f
Line Numbers:

Raw Audit Messages :

host=C5.aardvark.com.au type=AVC msg=audit(1232861912.353:38467): avc: denied { append } for pid=23410 comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session" dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=AVC msg=audit(1232861912.353:38467): avc: denied { append } for pid=23410 comm="semodule" path="/root/.nx/C-C5.aardvark.com.au-1005-1EBFEB021BC36FF25B1F49323B3E0A01/session" dev=dm-0 ino=29294829 scontext=system_u:system_r:semanage_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232861912.353:38467): arch=c000003e syscall=59 success=yes exit=0 a0=34ab410 a1=34ab7b0 a2=34aa660 a3=3 items=0 ppid=23404 pid=23410 auid=102 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3534 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
host=C5.aardvark.com.au type=SYSCALL msg=audit(1232861912.353:38467): arch=c000003e syscall=59 success=yes exit=0 a0=34ab410 a1=34ab7b0 a2=34aa660 a3=3 items=0 ppid=23404 pid=23410 auid=102 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3534 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)

domg472 g472 wrote:
> Hello,
>
> With regard to procmail, I think your policy is missing a domain
> transition to spamassassin.
>
> A custom policy looking something like the following may or may not
> fix that issue:
>
> mkdir ~/myprocmail; cd ~/myprocmail;
> echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te;
> echo "require { type procmail_t; }" >> myprocmail.te;
> echo "optional_policy(`" >> myprocmail.te;
> echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te;
> echo "')" >> myprocmail.te;
>
> make -f /usr/share/selinux/devel/Makefile
> /usr/sbin/semodule -i myprocmail.pp
>
> With regard to webalizer it looks like webalizer is searching
> something in a "bin" directory.
> If you want you can allow this.
>
> mkdir ~/mywebalizer; cd ~/mywebalizer;
> echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te;
> echo "require { type webalizer_t; }" >> mywebalizer.te;
> echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te;
>
> make -f /usr/share/selinux/devel/Makefile
> /usr/sbin/semodule -i mywebalizer.pp
>
> It may be that both procmail and webalizer domains need more access
> after this, but you will notice that if this is the case.
>
> P.s. You may or may not need to escape some of the characters in my example.
>
> Hth,
> Dominick
>
>

From rchapman at aardvark.com.au Mon Jan 26 09:27:52 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Mon, 26 Jan 2009 18:27:52 +0900
Subject: Denials from spamc and webalizer on Centos 5.2
In-Reply-To: <497D79C8.6090705@aardvark.com.au>
References: <5aebb9fb0901120444x37d0b2e4o57a0a4bca8bb3f56@mail.gmail.com> <497D79C8.6090705@aardvark.com.au>
Message-ID: <497D8218.60702@aardvark.com.au>

Sorry Dominick - I pasted the wrong error into this email. I've pasted the right one below.
Richard Chapman wrote:
> Hi Dominick
>
> It has taken me a while to decide to go ahead with your suggestion
> below... (I think I was hoping the problem would go away...:-)) and it
> looks like I am heading in the right direction - but there is a little
> more work to do.
>
> There seemed to be a problem with the quotes in the line:
>
> echo "optional_policy(`" >> myprocmail.te;
>
> but I edited the .te file - and the make worked fine - after I
> installed the selinux-policy-devel package. Here is myprocmail.te:
>
> policy_module(myprocmail, 0.0.1)
> require { type procmail_t; }
> optional_policy(`spamassassin_domtrans_spamc(procmail_t)')
>
> I installed the policy file using the GUI SELinux Administration tool.
>
> I think we have got rid of the procmail error - but now we have a new
> error. (see below). I'm guessing I need another line or two in my
> myprocmail.te file. Can you tell me what it is I need? I'm pretty sure
> this is a new error - which might suggest that there is something
> wrong with the above policy file??
>
> I haven't tried the webalizer changes yet. I have turned webalizer off
> for the time being.
>
> Many thanks
>
> Richard.
>
> Summary
>     SELinux is preventing spamc (spamc_t) "write" to pipe (postfix_local_t).
>
> Detailed Description
>     [SELinux is in permissive mode, the operation would have been denied
>     but was permitted due to permissive mode.]
>
>     SELinux denied access requested by spamc. It is not expected that this
>     access is required by spamc and this access may signal an intrusion
>     attempt. It is also possible that the specific version or
>     configuration of the application is causing it to require additional
>     access.
>
> Allowing Access
>     You can generate a local policy module to allow this access - see FAQ
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a bug report
>     against this package.
> Additional Information > > Source Context: system_u:system_r:spamc_t > Target Context: system_u:system_r:postfix_local_t > Target Objects: pipe [ fifo_file ] > Source: spamc > Source Path: /usr/bin/spamc > Port: > Host: C5.aardvark.com.au > Source RPM Packages: spamassassin-3.2.4-1.el5 > Target RPM Packages: > Policy RPM: selinux-policy-2.4.6-203.el5 > Selinux Enabled: True > Policy Type: targeted > MLS Enabled: True > Enforcing Mode: Permissive > Plugin Name: catchall > Host Name: C5.aardvark.com.au > Platform: Linux C5.aardvark.com.au 2.6.18-92.1.22.el5 #1 SMP Tue > Dec 16 11:57:43 EST 2008 x86_64 x86_64 > Alert Count: 8 > First Seen: Mon Jan 26 14:24:43 2009 > Last Seen: Mon Jan 26 17:10:19 2009 > Local ID: 8cff6375-1acd-4f86-bb7f-7c99129a9a2b > Line Numbers: > > Raw Audit Messages : > > host=C5.aardvark.com.au type=AVC msg=audit(1232957419.466:2987): avc: > denied { write } for pid=17103 comm="spamc" path="pipe:[224027]" > dev=pipefs ino=224027 scontext=system_u:system_r:spamc_t:s0 > tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file > host=C5.aardvark.com.au type=AVC msg=audit(1232957419.466:2987): avc: > denied { write } for pid=17103 comm="spamc" path="pipe:[224027]" > dev=pipefs ino=224027 scontext=system_u:system_r:spamc_t:s0 > tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file > host=C5.aardvark.com.au type=SYSCALL msg=audit(1232957419.466:2987): > arch=c000003e syscall=59 success=yes exit=0 a0=ac072e0 a1=ac09310 > a2=ac09260 a3=8 items=0 ppid=17102 pid=17103 auid=4294967295 uid=500 > gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 > tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" > subj=system_u:system_r:spamc_t:s0 key=(null) > host=C5.aardvark.com.au type=SYSCALL msg=audit(1232957419.466:2987): > arch=c000003e syscall=59 success=yes exit=0 a0=ac072e0 a1=ac09310 > a2=ac09260 a3=8 items=0 ppid=17102 pid=17103 auid=4294967295 uid=500 > gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 > 
tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" > subj=system_u:system_r:spamc_t:s0 key=(null) > > > > domg472 g472 wrote: >> Hello, >> >> With regard to procmail, i think your policy is missing a domain >> transition to spamassassin. >> >> A custom policy looking something like the following may or may not >> fix that issue: >> >> mkdir ~/myprocmail; cd ~/myprocmail; >> echo "policy_module(myprocmail, 0.0.1)" > myprocmail.te; >> echo "require { type procmail_t; }" >> myprocmail.te; >> echo "optional_policy(`" >> myprocmail.te; >> echo "spamassassin_domtrans_spamc(procmail_t)" >> myprocmail.te; >> echo "')" >> myprocmail.te; >> >> make -f /usr/share/selinux/devel/Makefile >> /usr/sbin/semodule -i myprocmail.pp >> >> With regard to webalizer it looks like webalizer is searching >> something in a "bin" directory. >> If you want you can allow this. >> >> mkdir ~/mywebalizer; cd ~mywebalizer; >> echo "policy_module(mywebalizer, 0.0.1)" > mywebalizer.te; >> echo "require { type webalizer_t; }" >> mywebalizer.te; >> echo "corecmd_search_bin(webalizer_t)" >> mywebalizer.te; >> >> make -f /usr/share/selinux/devel/Makefile >> /usr/sbin/semodule -i mywebalizer.pp >> >> It may be that both procmail and webalizer domains need more access >> after this, but you will notice that if this is the case. >> >> P.s. You may or may not need to escape some of the characters in my >> example. 
>> >> Hth, >> Dominick >> >> > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From eparis at redhat.com Mon Jan 26 13:33:32 2009 From: eparis at redhat.com (Eric Paris) Date: Mon, 26 Jan 2009 08:33:32 -0500 Subject: SELinux in netbooted images In-Reply-To: <7a41c4bc0901260007m32a4ba7ar3fb6c8b0ef414205@mail.gmail.com> References: <7a41c4bc0901230613i2adc1715t33de138c48df6b3f@mail.gmail.com> <497A1CBC.6010807@redhat.com> <7a41c4bc0901260007m32a4ba7ar3fb6c8b0ef414205@mail.gmail.com> Message-ID: <1232976812.9850.0.camel@localhost.localdomain> On Mon, 2009-01-26 at 09:07 +0100, Paulo Santos wrote: > > # This file controls the state of SELinux on the system. > # SELINUX= can take one of these three values: > # enforcing - SELinux security policy is enforced. > # permissive - SELinux prints warnings instead of enforcing. > # disabled - No SELinux policy is loaded. > SELINUX=enforcing > # SELINUXTYPE= can take one of these two values: > # targeted - Only targeted network daemons are protected. > # strict - Full SELinux protection. > # mls - Multi Level Security protection. > SELINUXTYPE=targeted > # SETLOCALDEFS= Check local definition changes > SETLOCALDEFS=0 > > CentOS 5.2 Kernel > kernel-PAE-2.6.18-92.1.10.el5 How about what does cat /proc/cmdline say? From sds at tycho.nsa.gov Mon Jan 26 14:30:42 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 26 Jan 2009 09:30:42 -0500 Subject: Does mcs work on rawhide correctly? In-Reply-To: <497BE5DF.2030500@kaigai.gr.jp> References: <497BE5DF.2030500@kaigai.gr.jp> Message-ID: <1232980242.14213.9.camel@localhost.localdomain> On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote: > I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch. 
> > [root at masu ~]# sestatus > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: enforcing > Mode from config file: enforcing > Policy version: 24 > Policy from config file: targeted > [root at masu ~]# touch aaa > [root at masu ~]# ls -Z aaa > -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 aaa > [root at masu ~]# id -Z > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 > [root at masu ~]# chcon -l s0:c0 aaa > chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted > > Why "s0-s0:c0.c31" cannot change the context from "s0" to "s0:c0"? > > I could reproduce the matter after "semodule -B". > > Is there anyone who can reproduce the matter? What avc denial did you get? It is interesting that you got Operation not permitted (EPERM) rather than Permission denied (EACCES) - that usually reflects a capability denial. -- Stephen Smalley National Security Agency From kaigai at kaigai.gr.jp Mon Jan 26 16:01:45 2009 From: kaigai at kaigai.gr.jp (KaiGai Kohei) Date: Tue, 27 Jan 2009 01:01:45 +0900 Subject: Does mcs work on rawhide correctly? In-Reply-To: <1232980242.14213.9.camel@localhost.localdomain> References: <497BE5DF.2030500@kaigai.gr.jp> <1232980242.14213.9.camel@localhost.localdomain> Message-ID: <497DDE69.8050608@kaigai.gr.jp> Stephen Smalley wrote: > On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote: >> I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch. 
>> >> [root at masu ~]# sestatus >> SELinux status: enabled >> SELinuxfs mount: /selinux >> Current mode: enforcing >> Mode from config file: enforcing >> Policy version: 24 >> Policy from config file: targeted >> [root at masu ~]# touch aaa >> [root at masu ~]# ls -Z aaa >> -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 aaa >> [root at masu ~]# id -Z >> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 >> [root at masu ~]# chcon -l s0:c0 aaa >> chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted >> >> Why "s0-s0:c0.c31" cannot change the context from "s0" to "s0:c0"? >> >> I could reproduce the matter after "semodule -B". >> >> Is there anyone who can reproduce the matter? > > What avc denial did you get? > > It is interesting that you got Operation not permitted (EPERM) rather > than Permission denied (EACCES) - that usually reflects a capability > denial. The following operation: [root at masu ~]# ls -Z bbb -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 bbb [root at masu ~]# id -Z unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 [root at masu ~]# chcon -l s0:c0 bbb chcon: failed to change context of `bbb' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted got the following audit message: type=SELINUX_ERR msg=audit(1232984840.945:48): security_validate_transition: denied for oldcontext=unconfined_u:object_r:admin_home_t:s0 newcontext=unconfined_u:object_r:admin_home_t:s0:c0 taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 tclass=file type=SYSCALL msg=audit(1232984840.945:48): arch=40000003 syscall=226 success=no exit=-1 a0=9597d48 a1=587cfd a2=9599058 a3=29 items=0 ppid=3491 pid=3648 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 key=(null) strace chcon -l s0:c0 bbb also says -EPERM. 
: setxattr("bbb", "security.selinux", "unconfined_u:object_r:admin_home_t:s0:c0", 41, 0) = -1 EPERM (Operation not permitted) : Is the selinux-policy-3.6.3-8.fc11.noarch really built with mcs policy? Thanks, -- KaiGai Kohei From sds at tycho.nsa.gov Mon Jan 26 17:28:43 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 26 Jan 2009 12:28:43 -0500 Subject: Does mcs work on rawhide correctly? In-Reply-To: <497DDE69.8050608@kaigai.gr.jp> References: <497BE5DF.2030500@kaigai.gr.jp> <1232980242.14213.9.camel@localhost.localdomain> <497DDE69.8050608@kaigai.gr.jp> Message-ID: <1232990923.14213.13.camel@localhost.localdomain> On Tue, 2009-01-27 at 01:01 +0900, KaiGai Kohei wrote: > Stephen Smalley wrote: > > On Sun, 2009-01-25 at 13:09 +0900, KaiGai Kohei wrote: > >> I found a strange behavior with selinux-policy-3.6.3-8.fc11.noarch. > >> > >> [root at masu ~]# sestatus > >> SELinux status: enabled > >> SELinuxfs mount: /selinux > >> Current mode: enforcing > >> Mode from config file: enforcing > >> Policy version: 24 > >> Policy from config file: targeted > >> [root at masu ~]# touch aaa > >> [root at masu ~]# ls -Z aaa > >> -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 aaa > >> [root at masu ~]# id -Z > >> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 > >> [root at masu ~]# chcon -l s0:c0 aaa > >> chcon: failed to change context of `aaa' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted > >> > >> Why "s0-s0:c0.c31" cannot change the context from "s0" to "s0:c0"? > >> > >> I could reproduce the matter after "semodule -B". > >> > >> Is there anyone who can reproduce the matter? > > > > What avc denial did you get? > > > > It is interesting that you got Operation not permitted (EPERM) rather > > than Permission denied (EACCES) - that usually reflects a capability > > denial. 
> > The following operation: > [root at masu ~]# ls -Z bbb > -rw-r--r-- root root unconfined_u:object_r:admin_home_t:s0 bbb > [root at masu ~]# id -Z > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 > [root at masu ~]# chcon -l s0:c0 bbb > chcon: failed to change context of `bbb' to `unconfined_u:object_r:admin_home_t:s0:c0': Operation not permitted > > got the following audit message: > type=SELINUX_ERR msg=audit(1232984840.945:48): > security_validate_transition: denied for > oldcontext=unconfined_u:object_r:admin_home_t:s0 > newcontext=unconfined_u:object_r:admin_home_t:s0:c0 > taskcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 > tclass=file > type=SYSCALL msg=audit(1232984840.945:48): arch=40000003 syscall=226 > success=no exit=-1 a0=9597d48 a1=587cfd a2=9599058 a3=29 items=0 > ppid=3491 pid=3648 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c31 key=(null) > > strace chcon -l s0:c0 bbb also says -EPERM. > : > setxattr("bbb", "security.selinux", "unconfined_u:object_r:admin_home_t:s0:c0", 41, 0) = -1 EPERM (Operation not permitted) > : > > Is the selinux-policy-3.6.3-8.fc11.noarch really built with mcs policy? Sounds like it is the MLS policy instead, as only the mls configuration defines mlsvalidatetrans constraints. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Mon Jan 26 20:18:05 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 26 Jan 2009 15:18:05 -0500 Subject: bind-mounted homedirs In-Reply-To: <49787F7C.2090907@city-fan.org> References: <49787F7C.2090907@city-fan.org> Message-ID: <497E1A7D.2020200@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul Howarth wrote: > On a RHEL 5 server I have bind-mounted home directories, where the data > on the server actually lives in /srv/homes but this is bind-mounted to > /nis-home. 
The user home directories in LDAP refer to the /nis-home > locations. > > When I updated to the 5.3 selinux policy, everything under /srv/homes > got relabelled based on the /srv/homes pathname rather than the > /nis-home pathname. What would be the best way of preventing this from > happening in the future? > > Paul. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list You can setup the labeling using semanage. semanage fcontext -a -t home_root_t /srv/homes semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*' semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+' -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkl+GnwACgkQrlYvE4MpobOEDwCgmhwNgU7k1t758tSoqj3MLH/z +moAmwUoMtJsGu1QOPa8zZl6jfNmWqfn =RJgs -----END PGP SIGNATURE----- From paul at city-fan.org Mon Jan 26 20:31:47 2009 From: paul at city-fan.org (Paul Howarth) Date: Mon, 26 Jan 2009 20:31:47 +0000 Subject: bind-mounted homedirs In-Reply-To: <497E1A7D.2020200@redhat.com> References: <49787F7C.2090907@city-fan.org> <497E1A7D.2020200@redhat.com> Message-ID: <20090126203147.75c37c15@metropolis.intra.city-fan.org> On Mon, 26 Jan 2009 15:18:05 -0500 Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Paul Howarth wrote: > > On a RHEL 5 server I have bind-mounted home directories, where the > > data on the server actually lives in /srv/homes but this is > > bind-mounted to /nis-home. The user home directories in LDAP refer > > to the /nis-home locations. > > > > When I updated to the 5.3 selinux policy, everything > > under /srv/homes got relabelled based on the /srv/homes pathname > > rather than the /nis-home pathname. What would be the best way of > > preventing this from happening in the future? > > > > Paul. 
> > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > You can setup the labeling using semanage. > > > semanage fcontext -a -t home_root_t /srv/homes > semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*' > semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+' That gets the majority of things right but misses things like ~/.spamassassin (spamassassin_home_t). Is there a way of seeing the full set of homedir contexts that would include additions from local policy modules? At least with that I'd be able to replicate them to /srv/homes/ Paul. From dwalsh at redhat.com Tue Jan 27 14:01:12 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Jan 2009 09:01:12 -0500 Subject: bind-mounted homedirs In-Reply-To: <20090126203147.75c37c15@metropolis.intra.city-fan.org> References: <49787F7C.2090907@city-fan.org> <497E1A7D.2020200@redhat.com> <20090126203147.75c37c15@metropolis.intra.city-fan.org> Message-ID: <497F13A8.9050105@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul Howarth wrote: > On Mon, 26 Jan 2009 15:18:05 -0500 > Daniel J Walsh wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Paul Howarth wrote: >>> On a RHEL 5 server I have bind-mounted home directories, where the >>> data on the server actually lives in /srv/homes but this is >>> bind-mounted to /nis-home. The user home directories in LDAP refer >>> to the /nis-home locations. >>> >>> When I updated to the 5.3 selinux policy, everything >>> under /srv/homes got relabelled based on the /srv/homes pathname >>> rather than the /nis-home pathname. What would be the best way of >>> preventing this from happening in the future? >>> >>> Paul. >>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> You can setup the labeling using semanage. 
>> >> >> semanage fcontext -a -t home_root_t /srv/homes >> semanage fcontext -a -t user_home_dir_t -f-d '/srv/homes/[^/]*' >> semanage fcontext -a -t user_home_t '/srv/homes/[^/]*/.+' > > That gets the majority of things right but misses things like > ~/.spamassassin (spamassassin_home_t). > > Is there a way of seeing the full set of homedir contexts that would > include additions from local policy modules? At least with that I'd be > able to replicate them to /srv/homes/ > > Paul. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list I attempted to open a discussion on what you are trying to do on this list a couple of weeks ago. You could do some sed/shell magic with the /etc/selinux/targeted/modules/active/homedir_template file, but I think the solution is to be able to add alternative roots in the libsemanage.conf file and have it do the labeling for you. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkl/E6gACgkQrlYvE4MpobMyHgCfe3u9QgrZ2+L4bvTwScgJnDt8 cgcAoNT/tw3Nw5u3y921rP975oVzq0T9 =lawI -----END PGP SIGNATURE----- From dwalsh at redhat.com Tue Jan 27 14:05:14 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Jan 2009 09:05:14 -0500 Subject: yum-cron fails trying to mail a temporary file In-Reply-To: <424868.75362.qm@web36806.mail.mud.yahoo.com> References: <424868.75362.qm@web36806.mail.mud.yahoo.com> Message-ID: <497F149A.9030700@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vadym Chepkov wrote: > I got an interesting denial which took me a bit to figure out. > > type=AVC msg=audit(1232788787.310:1787): avc: denied { read } for pid=9836 comm="mail" path="/var/run/yum-cron.EHQJws" dev=dm-3 ino=77843 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file > > It comes from yum-cron package. 
What happens is a script starts from cron and creates a temporary file which inherits directory security context. Later it mails it using redirection syntax: > "mail $MAILTO < $YUMTMP" > > mailx transitions to system_mail_t and is denied to read such a temporary file. > > I don't think this is a unique script that has similar logic and I suspect some other directory needs to be used, but I didn't find any suitable in sources/sendmail.fc and before I create new type/directory I would like to know maybe there is more proper way to handle cases like this? > > Thank you. > Sincerely yours, > Vadym Chepkov > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list This is a case where I believe we can use the open access. I think a global saying tools like mailers could read ANY tmp file that is handed to them, but cannot open any, would be ok. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkl/FJoACgkQrlYvE4MpobMslQCeNOEuDRECvl/VENyiVpGm/tCL XWMAn2+XD7yQu5VVJgtfNb1hnzn0JHOp =eYWh -----END PGP SIGNATURE----- From chepkov at yahoo.com Tue Jan 27 14:20:53 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Tue, 27 Jan 2009 06:20:53 -0800 (PST) Subject: yum-cron fails trying to mail a temporary file In-Reply-To: <497F149A.9030700@redhat.com> Message-ID: <69177.63090.qm@web36803.mail.mud.yahoo.com> Thanks, I submitted bz 481760 against the yum-cron package. From goswami.rituraj at gmail.com Tue Jan 27 15:01:53 2009 From: goswami.rituraj at gmail.com (Rituraj Goswami) Date: Tue, 27 Jan 2009 20:31:53 +0530 Subject: bind-mounted homedirs In-Reply-To: <49787F7C.2090907@city-fan.org> References: <49787F7C.2090907@city-fan.org> Message-ID: <4656f4970901270701h849c581oda313f685eeb61c4@mail.gmail.com> Help. I have a Microsoft IntelliPoint mouse and Fedora 10 doesn't show the icon. Is anyone having the same problem? 
it's detected and if i press the control key after configuring it shows the graphical circle around it but doesn't show the icon. can anyone help. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dwalsh at redhat.com Tue Jan 27 19:27:27 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 27 Jan 2009 14:27:27 -0500 Subject: bind-mounted homedirs In-Reply-To: <4656f4970901270701h849c581oda313f685eeb61c4@mail.gmail.com> References: <49787F7C.2090907@city-fan.org> <4656f4970901270701h849c581oda313f685eeb61c4@mail.gmail.com> Message-ID: <497F601F.6060801@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rituraj Goswami wrote: > help. i have a microsoft intellipoint moouse and fedora 10 doesn't show the > icon. is anyone having the same problem. it's detected and if i press the > control key after configuring it shows the graphical circle around it but > doesn't show the icon. can anyone help. > > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list I think you are asking on the wrong list. Unless this is an selinux issue, you should be asking this on fedora-list at redhat.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkl/YB4ACgkQrlYvE4MpobM/hACdGS0swTtlEA27cUfnigF5uO5a cBsAn2iJ1isLQkCmnFzdF1i0dSkKI0Tx =0D0K -----END PGP SIGNATURE----- From konrad.azzopardi at gmail.com Tue Jan 27 22:59:50 2009 From: konrad.azzopardi at gmail.com (Konrad Azzopardi) Date: Tue, 27 Jan 2009 23:59:50 +0100 Subject: eclipse SLIDE question Message-ID: Hi all, Do not know if someone can help me in this list. I am trying to use SLIDE to write SELinux module. 
Compilation works, but when I try to use semodule to insert the module I get the following error: semodule -i test.pp libsepol.link_modules: Tried to link in a non-MLS module with an MLS base. libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed! It seems to be linked to the fact that while building using checkmodule there is a missing -M. How can I make SLIDE use this -M option? Many thanks Konrad From dsugar at tresys.com Wed Jan 28 18:36:04 2009 From: dsugar at tresys.com (Dave Sugar) Date: Wed, 28 Jan 2009 13:36:04 -0500 Subject: eclipse SLIDE question In-Reply-To: References: Message-ID: <1233167764.17758.14.camel@localhost.localdomain> Konrad, This is an option in SLIDE. In order to set the MLS option from within SLIDE you need to right-click on the project and select 'properties'. On the left of the properties dialog select 'SLIDE Policy Module Project'. That shows the options that are settable (basically the policy.conf). You will want to select the 'Policy Type' of either 'MLS' or 'MCS' based on your target machine. Let me know if you have any other questions. Dave Sugar dsugar at tresys.com On Tue, 2009-01-27 at 23:59 +0100, Konrad Azzopardi wrote: > Hi all, > > Do not know if someone can help me in this list. I am trying to use > SLIDE to write SELinux module. Compilation works but when I try to use > semodule to insert the module I get the following error : > > semodule -i test.pp > libsepol.link_modules: Tried to link in a non-MLS module with an MLS base. > libsemanage.semanage_link_sandbox: Link packages failed > semodule: Failed! > > It seems to be linked to the fact that while building using > checkmodule there is a missing -M. How can I make SLIDE use this -M > option ? 
> > Many thanks > Konrad > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From santosp at fedoraproject.org Thu Jan 29 13:51:42 2009 From: santosp at fedoraproject.org (Paulo Santos) Date: Thu, 29 Jan 2009 14:51:42 +0100 Subject: SELinux in netbooted images In-Reply-To: <1233234767.3264.36.camel@localhost.localdomain> References: <7a41c4bc0901230613i2adc1715t33de138c48df6b3f@mail.gmail.com> <497A1CBC.6010807@redhat.com> <7a41c4bc0901260007m32a4ba7ar3fb6c8b0ef414205@mail.gmail.com> <1232976812.9850.0.camel@localhost.localdomain> <7a41c4bc0901260554x212c00fcg8ebf79fc2fc8b9d3@mail.gmail.com> <7a41c4bc0901260907x494c79b8j9a0ea9b25f10c3de@mail.gmail.com> <7a41c4bc0901290040t2b64340fxdfba0e55f531df7c@mail.gmail.com> <1233234767.3264.36.camel@localhost.localdomain> Message-ID: <7a41c4bc0901290551j3a74901fw5ccd6dfebf755186@mail.gmail.com> Hi Eric, No need to apologize :) Looping the list again, sorry for replying directly to you Eric. It was not my intention. 
Regarding your question: # ls -ltr /selinux/ total 0 -rw-rw-rw- 1 root root 0 Jan 23 09:56 user -rw-rw-rw- 1 root root 0 Jan 23 09:56 relabel -r--r--r-- 1 root root 0 Jan 23 09:56 policyvers crw-rw-rw- 1 root root 1, 3 Jan 23 09:56 null -r--r--r-- 1 root root 0 Jan 23 09:56 mls -rw-rw-rw- 1 root root 0 Jan 23 09:56 member -rw------- 1 root root 0 Jan 23 09:56 load -rw-r--r-- 1 root root 0 Jan 23 09:56 enforce --w------- 1 root root 0 Jan 23 09:56 disable -rw-rw-rw- 1 root root 0 Jan 23 09:56 create -rw-rw-rw- 1 root root 0 Jan 23 09:56 context -rw-r--r-- 1 root root 0 Jan 23 09:56 compat_net --w------- 1 root root 0 Jan 23 09:56 commit_pending_bools -rw-r--r-- 1 root root 0 Jan 23 09:56 checkreqprot dr-xr-xr-x 2 root root 0 Jan 23 09:56 booleans dr-xr-xr-x 2 root root 0 Jan 23 09:56 avc -rw-rw-rw- 1 root root 0 Jan 23 09:56 access Thanks, Paulo On Thu, Jan 29, 2009 at 2:12 PM, Eric Paris wrote: > On Thu, 2009-01-29 at 09:40 +0100, Paulo Santos wrote: > > Hi all, > > > > Is there any other information i'm able to provide, to help > > troubleshooting this issue ? > > I'm sorry, I totally forgot about this conversation. I apologize. > > Does your image contain an empty /selinux directory to which selinuxfs > can be mounted? Looks like that directory not existing and mount > failing could be a cause for what you are seeing... > > -Eric > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tmz at pobox.com Thu Jan 29 18:17:01 2009 From: tmz at pobox.com (Todd Zullinger) Date: Thu, 29 Jan 2009 13:17:01 -0500 Subject: libgpod HAL callout and SELinux denials In-Reply-To: <496EFAB9.1020009@redhat.com> References: <496EFAB9.1020009@redhat.com> Message-ID: <20090129181701.GL24524@inocybe.teonanacatl.org> Hi Miroslav, Miroslav Grepl wrote: > I will fix the issue with execstack in the next release of selinux policy. > > F9: selinux-policy-3.3.1-119.fc9 > F10: selinux-policy-3.5.13-40.fc10 Sorry for the slow reply. 
I did test this on F-10 and I still get an AVC whenever an iPod is connected: time->Thu Jan 29 13:09:58 2009 type=SYSCALL msg=audit(1233252598.707:637): arch=40000003 syscall=125 success=no exit=-13 a0=bfe31000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=30975 pid=30978 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:podsleuth_t:s0 key=(null) type=AVC msg=audit(1233252598.707:637): avc: denied { execstack } for pid=30978 comm="mono" scontext=system_u:system_r:podsleuth_t:s0 tcontext=system_u:system_r:podsleuth_t:s0 tclass=process (I missed the window while this was in testing to add this info to Bodhi.) $ rpm -q selinux-policy selinux-policy-3.5.13-40.fc10.noarch -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Going to trial with a lawyer who considers your whole life-style a Crime in Progress is not a happy prospect. -- Hunter S. Thompson -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 542 bytes Desc: not available URL: From chepkov at yahoo.com Thu Jan 29 18:52:17 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Thu, 29 Jan 2009 10:52:17 -0800 (PST) Subject: example of a domain with transition policy Message-ID: <815401.43069.qm@web36806.mail.mud.yahoo.com> Hi, Could somebody give me a working example of a policy module with transition, please. I am trying to create a policy for a vendor product I have to use (Asset Insight). The basic idea is to create domains ai_exec_t, ai_t, proper transition rules for initrc_exec_t -> initrc_t -> ai_exec_t -> ai_t. 
Then I want ai_t to be unconfined (for the moment), so probably make ai_t an alias of unconfined_t, since there is no "permissive domain" in Redhat5 yet, but I want to be able to see what needs to be added to the .te file to make it work. There is not much documentation about writing policy in Redhat/Fedora, unfortunately, or maybe I am missing some. Thank you. Sincerely yours, Vadym Chepkov From tmz at pobox.com Thu Jan 29 19:16:15 2009 From: tmz at pobox.com (Todd Zullinger) Date: Thu, 29 Jan 2009 14:16:15 -0500 Subject: libgpod HAL callout and SELinux denials In-Reply-To: <20090129181701.GL24524@inocybe.teonanacatl.org> References: <496EFAB9.1020009@redhat.com> <20090129181701.GL24524@inocybe.teonanacatl.org> Message-ID: <20090129191615.GM24524@inocybe.teonanacatl.org> I wrote: > Sorry for the slow reply. I did test this on F-10 and I still get > an AVC whenever an iPod is connected: Bah, ignore me. I somehow still had the older selinux-policy-targeted package installed. (I don't know how that could happen, as there is a clear %{version}-%{release} requirement on selinux-policy. But regardless, updating the -targeted package as well does silence the AVC.) Sorry for the noise. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It is OK to let your mind go blank, but please turn off the sound. 
From domg472 at gmail.com Thu Jan 29 19:20:24 2009 From: domg472 at gmail.com (Dominick Grift) Date: Thu, 29 Jan 2009 20:20:24 +0100 Subject: example of a domain with transition policy In-Reply-To: <815401.43069.qm@web36806.mail.mud.yahoo.com> References: <815401.43069.qm@web36806.mail.mud.yahoo.com> Message-ID: <1233256824.9690.17.camel@localhost.localdomain> Let's assume we have an init script, /etc/rc.d/init.d/ai, and an executable, /usr/sbin/ai.

First we create our file context file:

mkdir ~/ai; cd ~/ai;
echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc

This will take care of our file contexts. Now let's declare our module and some types to enforce:

echo "policy_module(ai, 0.0.1)" > ai.te
echo "type ai_initrc_exec_t;" >> ai.te
echo "init_script_file(ai_initrc_exec_t)" >> ai.te
echo "type ai_t;" >> ai.te
echo "type ai_exec_t;" >> ai.te
echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te

Now let's compile our module:

make -f /usr/share/selinux/devel/Makefile

Now let's install our module:

sudo semodule -i ai.pp

Now let's restore the file context of our executable file and the init script:

restorecon -v /etc/rc.d/init.d/ai
restorecon -v /usr/sbin/ai

Now we have to create actual policy. We do this by testing. Since EL5 does not support permissive domains, we will have to put the system into permissive mode:

setenforce 0

Now let's start the daemon:

sudo service ai start

After some testing of the daemon's functionality we stop the daemon:

sudo service ai stop

Now we enforce SELinux again:

setenforce 1

...and we check for AVC denials and pipe those into audit2allow to translate raw AVC denials to policy language:

ausearch -m avc -ts today | audit2allow -R

Then we simply append the output to our ai.te file, recompile and reinstall. That's about it in a nutshell.
Ofcourse this example is over simplified. there are only two files owned by ai. in real life there are more files that need types (we would use rpm -ql to find those, and we would inspect the output of audit2allow -R to identify any file owned by ai that were created (like pid files , files in /tmp etc etc) Also audit2allow -R's output is not optimal so we would try to find optimal interfaces for the policy it may not have translated in a optimal way. If you have questions you can also join us on #fedora-selinux on irc.freenode.org. happy policy writing! Dominick On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote: > Hi, > > Could somebody give me a working example of a policy module with transition, please. I am trying to create a policy for a vendor product I have to use (Asset Insight). > The basic idea is to create domains ai_exec_t, ai_t, proper transition rules for initrc_exec_t -> initrc_t -> ai_exec_t -> ai_t. > Then I want to ai_t be unconfined (for the moment) so probably make ai_t as an alias of unconfined_t, since there is no "permissive domain" in Redhat5 yet, but I want to be able to see what needs to be added to .te file to make it work. There is no much documentation about writing policy in Redhat/Fedora, unfortunately, or maybe I am missing some. > Thank you. > > Sincerely yours, > Vadym Chepkov > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -------------- next part -------------- A non-text attachment was scrubbed... 
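The procedure above, as an added example that is not part of Dominick's post or of the SELinux tooling: a shell script that writes the ai.fc/ai.te skeleton he describes (using init_script_type(), the EL5 spelling he gives later in this thread), wraps the build/load commands in a function, and adds a small awk translator that shows what the "ausearch -m avc | audit2allow" step does with raw denials: it keeps the type field of each context and merges the permissions per (source type, target type, object class) into allow rules. Plain audit2allow emits exactly such raw allow rules; the -R option additionally tries to map them onto refpolicy interfaces, which this example does not attempt. The AVC records it runs on are constructed sample data in the format ausearch prints; paths and type names are the ones from the post.

```shell
#!/bin/sh
# Added example for the thread's module-building procedure (not from the
# post itself). Paths and type names follow the post; AVC records below
# are constructed sample data.

# Write the file-context and type-enforcement skeleton into $1.
write_ai_module() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ai.fc" <<'EOF'
/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t,s0)
EOF
    cat > "$dir/ai.te" <<'EOF'
policy_module(ai, 0.0.1)

type ai_t;
type ai_exec_t;
init_daemon_domain(ai_t, ai_exec_t)

type ai_initrc_exec_t;
init_script_type(ai_initrc_exec_t)
EOF
}

# Compile, load and relabel, exactly the commands from the post. Needs the
# selinux-policy-devel Makefile and root; not run by the self-test below.
build_and_load_ai_module() {
    dir=$1
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile) || return 1
    sudo semodule -i "$dir/ai.pp" || return 1
    sudo restorecon -v /etc/rc.d/init.d/ai /usr/sbin/ai
}

# Constructed AVC records in the layout "ausearch -m avc" prints. The last
# line repeats a permission so the merge step below has something to drop.
sample_denials() {
    cat <<'EOF'
type=AVC msg=audit(1233256824.101:101): avc:  denied  { read } for  pid=2101 comm="ai" name="ai.conf" dev=sda1 ino=4201 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1233256824.102:102): avc:  denied  { open } for  pid=2101 comm="ai" name="ai.conf" dev=sda1 ino=4201 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1233256824.103:103): avc:  denied  { search } for  pid=2101 comm="ai" name="etc" dev=sda1 ino=2 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1233256824.104:104): avc:  denied  { write } for  pid=2101 comm="ai" name="ai.log" dev=sda1 ino=9901 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1233256824.105:105): avc:  denied  { read } for  pid=2101 comm="ai" name="ai.conf" dev=sda1 ino=4201 scontext=system_u:system_r:ai_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Translate AVC denial records on stdin into allow rules on stdout, one
# rule per (source type, target type, class) with permissions merged and
# de-duplicated, which is what plain audit2allow produces.
avc2allow() {
    awk '
    /avc: *denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0;   sub(/.*scontext=/, "", src);       sub(/ .*/, "", src)
        tgt = $0;   sub(/.*tcontext=/, "", tgt);       sub(/ .*/, "", tgt)
        cls = $0;   sub(/.*tclass=/, "", cls);         sub(/[ ;].*/, "", cls)
        # a context is user:role:type[:level]; only the type matters here
        split(src, a, ":"); split(tgt, b, ":")
        key = a[3] " " b[3] ":" cls
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (index(" " seen[key] " ", " " p[i] " ") == 0)
                seen[key] = (seen[key] == "" ? p[i] : seen[key] " " p[i])
    }
    END { for (k in seen) printf "allow %s { %s };\n", k, seen[k] }' | LC_ALL=C sort
}

# Demo: the rules the constructed denials translate to.
sample_denials | avc2allow
```

On a real box the pipeline is the one from the post (ausearch -m avc -ts today | audit2allow -R); the awk function is only there to make the translation step visible and to let you check what a rule set would look like before appending it to ai.te.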
From chepkov at yahoo.com Thu Jan 29 19:35:03 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Thu, 29 Jan 2009 11:35:03 -0800 (PST)
Subject: example of a domain with transition policy
In-Reply-To: <1233256824.9690.17.camel@localhost.localdomain>
Message-ID: <757943.53195.qm@web36808.mail.mud.yahoo.com>

Thank you so much.

Why do we need ai_initrc_exec_t though? All scripts in /etc/rc.d/init.d/ have context initrc_exec_t and it seems a proper approach to me.

Sincerely yours,
Vadym Chepkov

P.S. To my shame I have never used IRC in my life :(

--- On Thu, 1/29/09, Dominick Grift wrote:
> From: Dominick Grift
> Subject: Re: example of a domain with transition policy
> To: "Vadym Chepkov"
> Cc: fedora-selinux-list at redhat.com
> Date: Thursday, January 29, 2009, 2:20 PM
> Let's assume we have an init script: /etc/rc.d/init.d/ai, and an executable: /usr/sbin/ai
>
> First we create our file context file:
>
> mkdir ~/ai; cd ~/ai;
> echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
> echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc
>
> This will take care of our file contexts. Now let's declare our module and some types to enforce:
>
> echo "policy_module(ai, 0.0.1)" > ai.te
> echo "type ai_initrc_exec_t;" >> ai.te
> echo "init_script_file(ai_initrc_exec_t)" >> ai.te
> echo "type ai_t;" >> ai.te
> echo "type ai_exec_t;" >> ai.te
> echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te
>
> Now let's compile our module:
>
> make -f /usr/share/selinux/devel/Makefile
>
> Now let's install our module:
>
> sudo semodule -i ai.pp
>
> Now let's restore the file context of our executable file and the init script:
>
> restorecon -v /etc/rc.d/init.d/ai
> restorecon -v /usr/sbin/ai
>
> Now we have to create actual policy. We do this by testing. Since EL5 does not support permissive domains, we will have to put the system into permissive mode: setenforce 0
>
> Now let's start the daemon:
>
> sudo service ai start
>
> After some testing of the daemon's functionality we stop the daemon:
>
> sudo service ai stop
>
> Now we enforce SELinux again: setenforce 1
>
> ...and we check for AVC denials and pipe those into audit2allow to translate raw AVC denials to policy language:
>
> ausearch -m avc -ts today | audit2allow -R
>
> Then we simply append the output to our ai.te file, recompile and reinstall.
>
> That's about it in a nutshell.
>
> Of course this example is oversimplified. There are only two files owned by ai. In real life there are more files that need types (we would use rpm -ql to find those, and we would inspect the output of audit2allow -R to identify any files owned by ai that were created, like pid files, files in /tmp etc etc).
>
> Also audit2allow -R's output is not optimal, so we would try to find optimal interfaces for the policy it may not have translated in an optimal way.
>
> If you have questions you can also join us on #fedora-selinux on irc.freenode.org.
>
> Happy policy writing!
>
> Dominick
>
> On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> > Hi,
> >
> > Could somebody give me a working example of a policy module with transition, please. I am trying to create a policy for a vendor product I have to use (Asset Insight).
> > The basic idea is to create domains ai_exec_t, ai_t, proper transition rules for initrc_exec_t -> initrc_t -> ai_exec_t -> ai_t.
> > Then I want ai_t to be unconfined (for the moment), so probably make ai_t an alias of unconfined_t, since there is no "permissive domain" in Redhat5 yet, but I want to be able to see what needs to be added to the .te file to make it work. There is not much documentation about writing policy in Redhat/Fedora, unfortunately, or maybe I am missing some.
> > Thank you.
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list


From domg472 at gmail.com Thu Jan 29 19:45:29 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 29 Jan 2009 20:45:29 +0100
Subject: example of a domain with transition policy
In-Reply-To: <757943.53195.qm@web36808.mail.mud.yahoo.com>
References: <757943.53195.qm@web36808.mail.mud.yahoo.com>
Message-ID: <1233258329.9690.20.camel@localhost.localdomain>

Well, SELinux is about least privilege. We tend to use as many unique types as reasonably possible.

There is one small correction though for EL5 and my example: EL5 uses init_script_type() instead of init_script_file(), so:

init_script_type(ai_initrc_exec_t)

On Thu, 2009-01-29 at 11:35 -0800, Vadym Chepkov wrote:
> Thank you so much.
>
> Why do we need ai_initrc_exec_t though? All scripts in /etc/rc.d/init.d/ have context initrc_exec_t and it seems a proper approach to me.
>
> Sincerely yours,
> Vadym Chepkov
>
> P.S. To my shame I have never used IRC in my life :(
>
> --- On Thu, 1/29/09, Dominick Grift wrote:
>
> > From: Dominick Grift
> > Subject: Re: example of a domain with transition policy
> > To: "Vadym Chepkov"
> > Cc: fedora-selinux-list at redhat.com
> > Date: Thursday, January 29, 2009, 2:20 PM
> > Let's assume we have an init script: /etc/rc.d/init.d/ai, and an executable: /usr/sbin/ai
> >
> > First we create our file context file:
> >
> > mkdir ~/ai; cd ~/ai;
> > echo "/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t, s0)" > ai.fc
> > echo "/usr/sbin/ai -- gen_context(system_u:object_r:ai_exec_t, s0)" >> ai.fc
> >
> > This will take care of our file contexts. Now let's declare our module and some types to enforce:
> >
> > echo "policy_module(ai, 0.0.1)" > ai.te
> > echo "type ai_initrc_exec_t;" >> ai.te
> > echo "init_script_file(ai_initrc_exec_t)" >> ai.te
> > echo "type ai_t;" >> ai.te
> > echo "type ai_exec_t;" >> ai.te
> > echo "init_daemon_domain(ai_t, ai_exec_t)" >> ai.te
> >
> > Now let's compile our module:
> >
> > make -f /usr/share/selinux/devel/Makefile
> >
> > Now let's install our module:
> >
> > sudo semodule -i ai.pp
> >
> > Now let's restore the file context of our executable file and the init script:
> >
> > restorecon -v /etc/rc.d/init.d/ai
> > restorecon -v /usr/sbin/ai
> >
> > Now we have to create actual policy. We do this by testing. Since EL5 does not support permissive domains, we will have to put the system into permissive mode: setenforce 0
> >
> > Now let's start the daemon:
> >
> > sudo service ai start
> >
> > After some testing of the daemon's functionality we stop the daemon:
> >
> > sudo service ai stop
> >
> > Now we enforce SELinux again: setenforce 1
> >
> > ...and we check for AVC denials and pipe those into audit2allow to translate raw AVC denials to policy language:
> >
> > ausearch -m avc -ts today | audit2allow -R
> >
> > Then we simply append the output to our ai.te file, recompile and reinstall.
> >
> > That's about it in a nutshell.
> >
> > Of course this example is oversimplified. There are only two files owned by ai. In real life there are more files that need types (we would use rpm -ql to find those, and we would inspect the output of audit2allow -R to identify any files owned by ai that were created, like pid files, files in /tmp etc etc).
> >
> > Also audit2allow -R's output is not optimal, so we would try to find optimal interfaces for the policy it may not have translated in an optimal way.
> >
> > If you have questions you can also join us on #fedora-selinux on irc.freenode.org.
> >
> > Happy policy writing!
> >
> > Dominick
> >
> > On Thu, 2009-01-29 at 10:52 -0800, Vadym Chepkov wrote:
> > > Hi,
> > >
> > > Could somebody give me a working example of a policy module with transition, please. I am trying to create a policy for a vendor product I have to use (Asset Insight).
> > > The basic idea is to create domains ai_exec_t, ai_t, proper transition rules for initrc_exec_t -> initrc_t -> ai_exec_t -> ai_t.
> > > Then I want ai_t to be unconfined (for the moment), so probably make ai_t an alias of unconfined_t, since there is no "permissive domain" in Redhat5 yet, but I want to be able to see what needs to be added to the .te file to make it work. There is not much documentation about writing policy in Redhat/Fedora, unfortunately, or maybe I am missing some.
> > > Thank you.
> > >
> > > Sincerely yours,
> > > Vadym Chepkov
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list


From chepkov at yahoo.com Thu Jan 29 21:29:45 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Thu, 29 Jan 2009 13:29:45 -0800 (PST)
Subject: example of a domain with transition policy
In-Reply-To: <1233258329.9690.20.camel@localhost.localdomain>
Message-ID: <716483.90452.qm@web36801.mail.mud.yahoo.com>

Unfortunately, I have to allow for it to "work" now, but I don't want to turn off SELinux.

My first draft is this, by the way, and it's "working", so managers are off my back.
ai.te:

policy_module(ai,0.0.1)

type ai_initrc_exec_t;
init_script_type(ai_initrc_exec_t);

type ai_exec_t;
userdom_executable_file(ai_exec_t);

unconfined_alias_domain(ai_t);

init_daemon_domain(ai_t,ai_exec_t)

type ai_log_t;
logging_log_file(ai_log_t)

manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
manage_files_pattern(ai_t,ai_log_t,ai_log_t)

ai.fc:

/etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
/usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0)
/usr/r/logs(/.*)? gen_context(system_u:object_r:ai_log_t,s0)

I just need to figure out what kind of auditallow statement to put in so it will log only what wasn't specifically allowed.

The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include; I can't find any document that would have them all.

Sincerely yours,
Vadym Chepkov


From domg472 at gmail.com Thu Jan 29 21:44:49 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 29 Jan 2009 22:44:49 +0100
Subject: example of a domain with transition policy
In-Reply-To: <716483.90452.qm@web36801.mail.mud.yahoo.com>
References: <716483.90452.qm@web36801.mail.mud.yahoo.com>
Message-ID: <1233265489.9690.23.camel@localhost.localdomain>

The source policy has all the info and documentation / examples you need. Eclipse-slide provides easy access.

On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote:
> Unfortunately, I have to allow for it to "work" now, but I don't want to turn off SELinux.
>
> My first draft is this, by the way, and it's "working", so managers are off my back.
>
> ai.te:
>
> policy_module(ai,0.0.1)
>
> type ai_initrc_exec_t;
> init_script_type(ai_initrc_exec_t);
>
> type ai_exec_t;
> userdom_executable_file(ai_exec_t);
>
> unconfined_alias_domain(ai_t);
>
> init_daemon_domain(ai_t,ai_exec_t)
>
> type ai_log_t;
> logging_log_file(ai_log_t)
>
> manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
> manage_files_pattern(ai_t,ai_log_t,ai_log_t)
>
> ai.fc:
>
> /etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/logs(/.*)? gen_context(system_u:object_r:ai_log_t,s0)
>
> I just need to figure out what kind of auditallow statement to put in so it will log only what wasn't specifically allowed.
>
> The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include; I can't find any document that would have them all.
>
>
> Sincerely yours,
> Vadym Chepkov
>


From domg472 at gmail.com Thu Jan 29 21:54:06 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 29 Jan 2009 22:54:06 +0100
Subject: example of a domain with transition policy
In-Reply-To: <1233265489.9690.23.camel@localhost.localdomain>
References: <716483.90452.qm@web36801.mail.mud.yahoo.com> <1233265489.9690.23.camel@localhost.localdomain>
Message-ID: <1233266046.9690.29.camel@localhost.localdomain>

I don't see how the policy that you have pasted below could possibly work, because you did not even declare a domain type (type ai_t;).

Also there are a bunch of syntax errors there.

If you had visited us on IRC, then chances are that you would have a workable policy by now.

On Thu, 2009-01-29 at 22:44 +0100, Dominick Grift wrote:
> The source policy has all the info and documentation / examples you
> need. Eclipse-slide provides easy access.
>
>
> On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote:
> > Unfortunately, I have to allow for it to "work" now, but I don't want to turn off SELinux.
> >
> > My first draft is this, by the way, and it's "working", so managers are off my back.
> >
> > ai.te:
> >
> > policy_module(ai,0.0.1)
> >
> > type ai_initrc_exec_t;
> > init_script_type(ai_initrc_exec_t);
> >
> > type ai_exec_t;
> > userdom_executable_file(ai_exec_t);
> >
> > unconfined_alias_domain(ai_t);
> >
> > init_daemon_domain(ai_t,ai_exec_t)
> >
> > type ai_log_t;
> > logging_log_file(ai_log_t)
> >
> > manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
> > manage_files_pattern(ai_t,ai_log_t,ai_log_t)
> >
> > ai.fc:
> >
> > /etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> > /usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> > /usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0)
> > /usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0)
> > /usr/r/logs(/.*)? gen_context(system_u:object_r:ai_log_t,s0)
> >
> > I just need to figure out what kind of auditallow statement to put in so it will log only what wasn't specifically allowed.
> >
> > The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include; I can't find any document that would have them all.
> >
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
From sds at tycho.nsa.gov Thu Jan 29 21:54:47 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 29 Jan 2009 16:54:47 -0500
Subject: example of a domain with transition policy
In-Reply-To: <716483.90452.qm@web36801.mail.mud.yahoo.com>
References: <716483.90452.qm@web36801.mail.mud.yahoo.com>
Message-ID: <1233266087.5109.180.camel@localhost.localdomain>

On Thu, 2009-01-29 at 13:29 -0800, Vadym Chepkov wrote:
> Unfortunately, I have to allow for it to "work" now, but I don't want to turn off SELinux.
>
> My first draft is this, by the way, and it's "working", so managers are off my back.
>
> ai.te:
>
> policy_module(ai,0.0.1)
>
> type ai_initrc_exec_t;
> init_script_type(ai_initrc_exec_t);
>
> type ai_exec_t;
> userdom_executable_file(ai_exec_t);
>
> unconfined_alias_domain(ai_t);

I don't think you want an alias (i.e. two names for the same domain) but rather another domain that is unconfined as well. Use unconfined_domain().

> init_daemon_domain(ai_t,ai_exec_t)
>
> type ai_log_t;
> logging_log_file(ai_log_t)
>
> manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
> manage_files_pattern(ai_t,ai_log_t,ai_log_t)
>
> ai.fc:
>
> /etc/rc\.d/init\.d/ai -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiadmin -- gen_context(system_u:object_r:ai_initrc_exec_t,s0)
> /usr/r/bin/aiclient -- gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/bin/aiagent -- gen_context(system_u:object_r:ai_exec_t,s0)
> /usr/r/logs(/.*)? gen_context(system_u:object_r:ai_log_t,s0)
>
> I just need to figure out what kind of auditallow statement to put in so it will log only what wasn't specifically allowed.
>
> The biggest challenge for me, so far, is to figure out all those macros from /usr/share/selinux/devel/include; I can't find any document that would have them all.

There used to be a /usr/share/doc/selinux-policy* directory that had the HTML documentation for the policy; not sure where that is now in F10. Latest interface docs are also online: http://oss.tresys.com/docs/refpolicy/api/

Interesting question about auditallow; you might need a script to generate the right set, maybe derived from audit2allow/sepolgen innards. Watch out though: auditallow'ing everything will flood your system with too many audit messages.

-- 
Stephen Smalley
National Security Agency


From chepkov at yahoo.com Thu Jan 29 22:09:39 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Thu, 29 Jan 2009 14:09:39 -0800 (PST)
Subject: example of a domain with transition policy
In-Reply-To: <1233266046.9690.29.camel@localhost.localdomain>
Message-ID: <624291.21702.qm@web36805.mail.mud.yahoo.com>

> I don't see how the policy that you have pasted below could possibly
> work, because you did not even declare a domain type (type ai_t;).

I swear to God it works, and it is defined:

unconfined_alias_domain(ai_t)

I assume this macro takes care of the definition.

> Also there are a bunch of syntax errors there.

The compiler didn't find any error.

> If you had visited us on IRC, then chances are that you would
> have a workable policy by now.

And I am trying to find out how to create an ID on IRC. I have Trillian with an IRC plugin, but I can't figure out how to create an id yet, sorry about that.

Sincerely yours,
Vadym Chepkov


From chepkov at yahoo.com Thu Jan 29 22:43:24 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Thu, 29 Jan 2009 14:43:24 -0800 (PST)
Subject: example of a domain with transition policy
In-Reply-To: <1233266087.5109.180.camel@localhost.localdomain>
Message-ID: <656138.47141.qm@web36804.mail.mud.yahoo.com>

> I don't think you want an alias (i.e. two names for the same domain) but
> rather another domain that is unconfined as well. Use unconfined_domain().

sshd_t is defined this way in the Redhat policy; I learn from the masters :)

$ cd /home/vvc/rpmbuild/BUILD/serefpolicy-2.4.6/policy/modules/services
$ grep sshd_t ssh.te |grep domain
unconfined_alias_domain(sshd_t)
init_system_domain(sshd_t,sshd_exec_t)

>
> Interesting question about auditallow; you might need a script to
> generate the right set, maybe derived from audit2allow/sepolgen innards.
> Watch out though: auditallow'ing everything will flood your system with
> too many audit messages.

Exactly, I want to avoid it.


From sds at tycho.nsa.gov Fri Jan 30 12:50:12 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 30 Jan 2009 07:50:12 -0500
Subject: example of a domain with transition policy
In-Reply-To: <656138.47141.qm@web36804.mail.mud.yahoo.com>
References: <656138.47141.qm@web36804.mail.mud.yahoo.com>
Message-ID: <1233319812.15446.1.camel@localhost.localdomain>

On Thu, 2009-01-29 at 14:43 -0800, Vadym Chepkov wrote:
> > I don't think you want an alias (i.e. two names for the same domain) but
> > rather another domain that is unconfined as well. Use unconfined_domain().
>
> sshd_t is defined this way in the Redhat policy; I learn from the masters :)
>
> $ cd /home/vvc/rpmbuild/BUILD/serefpolicy-2.4.6/policy/modules/services
> $ grep sshd_t ssh.te |grep domain
> unconfined_alias_domain(sshd_t)
> init_system_domain(sshd_t,sshd_exec_t)

That has changed in newer policies. But regardless, if you want to be able to see allows/denies on ai_t, you can't make it an alias; it needs to be its own distinct type. Aliases are just turned into the same underlying type internally, so they will still show up as unconfined_t in audit messages and ps -Z output.

> >
> > Interesting question about auditallow; you might need a script to
> > generate the right set, maybe derived from audit2allow/sepolgen innards.
> > Watch out though: auditallow'ing everything will flood your system with
> > too many audit messages.
>
> Exactly, I want to avoid it.

-- 
Stephen Smalley
National Security Agency
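The two corrections raised in this thread (a domain passed to init_daemon_domain() needs its own "type X;" declaration, and unconfined_alias_domain() makes X merely another name for unconfined_t, so audit messages and ps -Z keep showing unconfined_t; use unconfined_domain() for a distinct unconfined domain) can be checked mechanically against a draft .te file. The shell script below is an added example, not from the thread, from refpolicy or from the SELinux tools: it writes a constructed copy of the draft as posted above and a corrected version that keeps only the interfaces named in the thread, then runs a small lint over each. The check is textual (sed/grep on the .te source) and is no substitute for compiling the module; file names are temporary and constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a textual lint for a draft .te
# module that flags the two problems discussed on the list. The draft and
# the corrected module below are constructed copies for this example.

# The draft as posted in the thread.
write_draft_te() {
    cat > "$1" <<'EOF'
policy_module(ai,0.0.1)

type ai_initrc_exec_t;
init_script_type(ai_initrc_exec_t);

type ai_exec_t;
userdom_executable_file(ai_exec_t);

unconfined_alias_domain(ai_t);

init_daemon_domain(ai_t,ai_exec_t)

type ai_log_t;
logging_log_file(ai_log_t)

manage_dirs_pattern(ai_t,ai_log_t,ai_log_t)
manage_files_pattern(ai_t,ai_log_t,ai_log_t)
EOF
}

# Corrected version following the advice in the thread: ai_t is declared
# as its own type and made unconfined with unconfined_domain() instead of
# being aliased; interface calls carry no trailing semicolon (refpolicy
# convention); only interfaces named in the thread are used.
write_fixed_te() {
    cat > "$1" <<'EOF'
policy_module(ai, 0.0.1)

type ai_t;
type ai_exec_t;
init_daemon_domain(ai_t, ai_exec_t)
unconfined_domain(ai_t)

type ai_initrc_exec_t;
init_script_type(ai_initrc_exec_t)

type ai_log_t;
logging_log_file(ai_log_t)
manage_dirs_pattern(ai_t, ai_log_t, ai_log_t)
manage_files_pattern(ai_t, ai_log_t, ai_log_t)
EOF
}

# Print one finding per line for the .te file in $1; the exit status is
# the number of findings (0 means the two checks passed).
check_te_draft() {
    te=$1
    findings=0
    # Every domain given to init_daemon_domain()/init_system_domain() must
    # be declared with "type X;" in this module; without it the name is
    # either undefined or, via unconfined_alias_domain(), just an alias
    # that audit records and ps -Z report as unconfined_t.
    for dom in $(sed -nE 's/^[[:space:]]*init_(daemon|system)_domain\(([^,) ]+).*/\2/p' "$te"); do
        if ! grep -Eq "^[[:space:]]*type[[:space:]]+$dom[[:space:],;]" "$te"; then
            echo "$te: $dom is used as a domain but never declared with 'type $dom;'"
            findings=$((findings + 1))
        fi
    done
    if grep -q 'unconfined_alias_domain(' "$te"; then
        echo "$te: unconfined_alias_domain() creates an alias of unconfined_t, not a distinct domain; use unconfined_domain()"
        findings=$((findings + 1))
    fi
    return $findings
}

# Demo: lint both constructed files (the draft is expected to fail).
tmp=$(mktemp -d)
write_draft_te "$tmp/draft.te"
write_fixed_te "$tmp/fixed.te"
check_te_draft "$tmp/draft.te" || :
check_te_draft "$tmp/fixed.te" && echo "$tmp/fixed.te: no findings"
```

Run check_te_draft on your own ai.te before the "make -f /usr/share/selinux/devel/Makefile" step; a clean result only means the two thread-specific mistakes are absent, the compiler and a test run in permissive mode still decide whether the module is right.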