From kaigai at ak.jp.nec.com Mon Jun 1 06:03:55 2009
From: kaigai at ak.jp.nec.com (KaiGai Kohei)
Date: Mon, 01 Jun 2009 15:03:55 +0900
Subject: staff_t unable to connect SE-PostgreSQL
Message-ID: <4A236F4B.1050402@ak.jp.nec.com>

Dan,

http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch

It seems to me that the patch removes postgresql_role() from the
userdom_unpriv_user_template(), but it can prevent staff_t from accessing
SE-PostgreSQL.

Could you fix it please?
-- 
OSS Platform Development Division, NEC
KaiGai Kohei


From dwalsh at redhat.com Mon Jun 1 12:43:31 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 01 Jun 2009 08:43:31 -0400
Subject: staff_t unable to connect SE-PostgreSQL
In-Reply-To: <4A236F4B.1050402@ak.jp.nec.com>
References: <4A236F4B.1050402@ak.jp.nec.com>
Message-ID: <4A23CCF3.3090104@redhat.com>

On 06/01/2009 02:03 AM, KaiGai Kohei wrote:
> Dan,
>
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch
>
> It seems to me that the patch removes postgresql_role() from the
> userdom_unpriv_user_template(), but it can prevent staff_t from accessing
> SE-PostgreSQL.
>
> Could you fix it please?

Ok, I added

optional_policy(`
	postgresql_role(staff_r, staff_t)
')

to staff.te. I do not want all users to be able to manage postgresql,
so this should be a user type by user type decision.


From dwalsh at redhat.com Mon Jun 1 12:59:41 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 01 Jun 2009 08:59:41 -0400
Subject: policy to allow myapp to exec chfn
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2E1@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2D9@dragonfly.symark.com>
	<4A1F3EF5.7030405@redhat.com>
	<8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2E1@dragonfly.symark.com>
Message-ID: <4A23D0BD.7060200@redhat.com>

On 05/29/2009 09:10 PM, Brian Ginn wrote:
> Ok, Thanks!
> In flask/security_classes I see that class passwd is commented to be # userspace.
> In flask/access_vectors I see the chfn permission for class passwd.
> ... So maybe next time I get a similar problem, I'll be able to solve it myself.
>
> Is https://bugzilla.redhat.com/ the appropriate place to submit a bug report for chfn ?
>
> Yes
>
> -Brian
>
>


From kaigai at kaigai.gr.jp Mon Jun 1 13:43:59 2009
From: kaigai at kaigai.gr.jp (KaiGai Kohei)
Date: Mon, 01 Jun 2009 22:43:59 +0900
Subject: staff_t unable to connect SE-PostgreSQL
In-Reply-To: <4A23CCF3.3090104@redhat.com>
References: <4A236F4B.1050402@ak.jp.nec.com> <4A23CCF3.3090104@redhat.com>
Message-ID: <4A23DB1F.6060904@kaigai.gr.jp>

Daniel J Walsh wrote:
> On 06/01/2009 02:03 AM, KaiGai Kohei wrote:
>> Dan,
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/system_userdomain.patch
>>
>> It seems to me that the patch removes postgresql_role() from the
>> userdom_unpriv_user_template(), but it can prevent staff_t from accessing
>> SE-PostgreSQL.
>>
>> Could you fix it please?
> Ok, I added
>
>
> optional_policy(`
> 	postgresql_role(staff_r, staff_t)
> ')
>
> to staff.te. I do not want all users to be able to manage postgresql,
> so this should be a user type by user type decision.

The postgresql_role() might be misnamed?
It does not allow permissions to manage PostgreSQL itself.
It only allows the given domain to perform as an unprivileged client
with some of the UBAC specific types on SE-PostgreSQL.

The userdom_common_user_template() allows the given domain to connect
to PostgreSQL (when allow_user_postgresql_connect is turned on), so I
think basic permissions to the database objects should also be allowed.
-- 
KaiGai Kohei


From BGinn at symark.com Mon Jun 1 17:05:35 2009
From: BGinn at symark.com (Brian Ginn)
Date: Mon, 1 Jun 2009 10:05:35 -0700
Subject: getting myapp to exec /sbin/swapon
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2E5@dragonfly.symark.com>

I am attempting to get myapp to exec /sbin/swapon

audit2allow says I need:
allow myapp_t fixed_disk_device_t:blk_file { read write };

This compiles, but semodule won't install it:
[root at domingo ~]# semodule -i /nethome/user/bginn/src/pb6/pb/selinux/myapp.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { write };
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
[root at domingo ~]#

I don't see any constraint, or class permission that would affect this.

I do see that modules/kernel/storage.te contains:
neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
Could these be causing my problem?

Is there a domain transition or other policy that would allow myapp to exec /sbin/swapon ?
Thanks,
Brian


From dwalsh at redhat.com Mon Jun 1 17:11:35 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 01 Jun 2009 13:11:35 -0400
Subject: getting myapp to exec /sbin/swapon
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2E5@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB6D9F2E5@dragonfly.symark.com>
Message-ID: <4A240BC7.6090204@redhat.com>

On 06/01/2009 01:05 PM, Brian Ginn wrote:
> I am attempting to get myapp to exec /sbin/swapon
>
> audit2allow says I need:
> allow myapp_t fixed_disk_device_t:blk_file { read write };
>
> This compiles, but semodule won't install it:
> [root at domingo ~]# semodule -i /nethome/user/bginn/src/pb6/pb/selinux/myapp.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { write };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp_t fixed_disk_device_t:blk_file { read };
> libsepol.check_assertions: 2 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root at domingo ~]#
>
> I don't see any constraint, or class permission that would affect this.
>
> I do see that modules/kernel/storage.te contains:
> neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
> neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
> Could these be causing my problem?
>
> Is there a domain transition or other policy that would allow myapp to exec /sbin/swapon ?
>

Probably best to do

fstools_domtrans(myapp_t)

If you want to allow myapp_t to edit fixed disks, you need to use this interface.
storage_manage_fixed_disk(myapp_t)

>
>
> Thanks,
> Brian
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


From kaigai at ak.jp.nec.com Mon Jun 1 23:44:09 2009
From: kaigai at ak.jp.nec.com (KaiGai Kohei)
Date: Tue, 02 Jun 2009 08:44:09 +0900
Subject: Usage of /usr/share/selinux/packages
Message-ID: <4A2467C9.5090504@ak.jp.nec.com>

In the latest selinux-policy package, I could find an empty directory
at /usr/share/selinux/packages .

What is the purpose? Is it intended to store policy packages installed
by other RPMs (such as mod_selinux)?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei


From dwalsh at redhat.com Tue Jun 2 11:30:45 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Jun 2009 07:30:45 -0400
Subject: Usage of /usr/share/selinux/packages
In-Reply-To: <4A2467C9.5090504@ak.jp.nec.com>
References: <4A2467C9.5090504@ak.jp.nec.com>
Message-ID: <4A250D65.9040804@redhat.com>

On 06/01/2009 07:44 PM, KaiGai Kohei wrote:
> In the latest selinux-policy package, I could find an empty directory
> at /usr/share/selinux/packages .
>
> What is the purpose? Is it intended to store policy packages installed
> by other RPMs (such as mod_selinux)?
>
> Thanks,

Yes, the idea was to provide a location for third parties to put their PP
files.


From kaigai at kaigai.gr.jp Tue Jun 2 11:48:54 2009
From: kaigai at kaigai.gr.jp (KaiGai Kohei)
Date: Tue, 02 Jun 2009 20:48:54 +0900
Subject: Usage of /usr/share/selinux/packages
In-Reply-To: <4A250D65.9040804@redhat.com>
References: <4A2467C9.5090504@ak.jp.nec.com> <4A250D65.9040804@redhat.com>
Message-ID: <4A2511A6.6040100@kaigai.gr.jp>

Daniel J Walsh wrote:
> On 06/01/2009 07:44 PM, KaiGai Kohei wrote:
>> In the latest selinux-policy package, I could find an empty directory
>> at /usr/share/selinux/packages .
>>
>> What is the purpose? Is it intended to store policy packages installed
>> by other RPMs (such as mod_selinux)?
>>
>> Thanks,
> Yes, the idea was to provide a location for third parties to put their PP
> files.

Hmm... Now, I provide two types of policy packages (targeted and mls).
Do you have any guideline to deploy these files?

For example, the mod_selinux installs its policy modules at:
/usr/share/selinux/targeted/mod_selinux.pp
and
/usr/share/selinux/mls/mod_selinux.pp

If we put them in a single directory, they conflict because of the name.

Thanks,
-- 
KaiGai Kohei


From paul at city-fan.org Tue Jun 2 12:05:30 2009
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 02 Jun 2009 13:05:30 +0100
Subject: Usage of /usr/share/selinux/packages
In-Reply-To: <4A2511A6.6040100@kaigai.gr.jp>
References: <4A2467C9.5090504@ak.jp.nec.com> <4A250D65.9040804@redhat.com> <4A2511A6.6040100@kaigai.gr.jp>
Message-ID: <4A25158A.2060709@city-fan.org>

KaiGai Kohei wrote:
> Daniel J Walsh wrote:
>> On 06/01/2009 07:44 PM, KaiGai Kohei wrote:
>>> In the latest selinux-policy package, I could find an empty directory
>>> at /usr/share/selinux/packages .
>>>
>>> What is the purpose? Is it intended to store policy packages installed
>>> by other RPMs (such as mod_selinux)?
>>>
>>> Thanks,
>> Yes, the idea was to provide a location for third parties to put their PP
>> files.
>
> Hmm... Now, I provide two types of policy packages (targeted and mls).
> Do you have any guideline to deploy these files?
>
> For example, the mod_selinux installs its policy modules at:
> /usr/share/selinux/targeted/mod_selinux.pp
> and
> /usr/share/selinux/mls/mod_selinux.pp
>
> If we put them in a single directory, they conflict because of the name.

I think /usr/share/selinux/packages is a hangover from when packaging
modules in RPMs was first being considered. The draft guidelines (which
are old but still relevant) suggest that mod_selinux is doing the right
thing.

http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

Paul.
From dwalsh at redhat.com Tue Jun 2 12:10:51 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 02 Jun 2009 08:10:51 -0400
Subject: Usage of /usr/share/selinux/packages
In-Reply-To: <4A25158A.2060709@city-fan.org>
References: <4A2467C9.5090504@ak.jp.nec.com> <4A250D65.9040804@redhat.com> <4A2511A6.6040100@kaigai.gr.jp> <4A25158A.2060709@city-fan.org>
Message-ID: <4A2516CB.3080001@redhat.com>

On 06/02/2009 08:05 AM, Paul Howarth wrote:
> KaiGai Kohei wrote:
>> Daniel J Walsh wrote:
>>> On 06/01/2009 07:44 PM, KaiGai Kohei wrote:
>>>> In the latest selinux-policy package, I could find an empty directory
>>>> at /usr/share/selinux/packages .
>>>>
>>>> What is the purpose? Is it intended to store policy packages installed
>>>> by other RPMs (such as mod_selinux)?
>>>>
>>>> Thanks,
>>> Yes, the idea was to provide a location for third parties to put their PP
>>> files.
>>
>> Hmm... Now, I provide two types of policy packages (targeted and mls).
>> Do you have any guideline to deploy these files?
>>
>> For example, the mod_selinux installs its policy modules at:
>> /usr/share/selinux/targeted/mod_selinux.pp
>> and
>> /usr/share/selinux/mls/mod_selinux.pp
>>

Well, not sure what the differences are between the two policies, but
maybe we should consider a mechanism for installing one policy and
having it turn on different components depending on the type. Most
policy packages would work on all types of policy, so installing in a
policy type specific directory does not make sense for them.

>> If we put them in a single directory, they conflict because of the name.
>
> I think /usr/share/selinux/packages is a hangover from when packaging
> modules in RPMs was first being considered. The draft guidelines (which
> are old but still relevant) suggest that mod_selinux is doing the right
> thing.
>
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>
> Paul.
>

Bottom line is, you can install them anywhere you want; I don't care.
We were asked to allocate a directory for third parties to install their
packages if they so choose. Personally I always thought they should go
into directories owned by the package, /usr/share/mod_selinux/MLS and
/usr/share/mod_selinux/targeted for example.


From mrowais at hotmail.com Thu Jun 4 18:32:46 2009
From: mrowais at hotmail.com (Mohamed Aburowais)
Date: Thu, 4 Jun 2009 19:32:46 +0100
Subject: SELinux questions NewSElinux user, New role, new domain
Message-ID:

Hello,
I'm actually new to SELinux. I've done all the tutorials in the Fedora10
SELinux guide and also have an old book about SELinux which doesn't work
well with the one in Fedora10.

I need help in creating a new policy and hope SELinux experts can help me
get going with SELinux; my current problems are:

1- I've created a new SELinux user, example_u, using the command:
semanage user -a -P user -R "user_r staff_r" example_u. It has been
created, but when I mapped my user to it, and then logged in from the
current user to the example user and used the command id -Z, it shows the
example user as having the unconfine_u SELinux user; this is not the case
when logging in from a remote ssh connection. The other concern is that in
/etc/selinux/targeted/context/users the new SELinux user example_u does
not appear with these users with a file about it, but it does appear when
using semanage user -l.

2- I also need to create a totally new role, empty, and then give this
role many domains to enter: a main one for the user, and ones for the
files.

3- Then I need to create a new domain. Actually I know how to make the .fc
and .te files (not fully about .te), but about .if I know only a bit; can
I get more information about making this and then deploying it?

Thank you very much.
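Brian's swapon module and Mohamed's new-domain question above call for the same kind of example, so one is added here. It is not code from either poster, from Dan, or from the Fedora policy: it assumes a daemon called myapp installed at /usr/bin/myapp, and the type names myapp_t and myapp_exec_t are likewise assumptions. The neverallow it works around is the one Brian quoted from kernel/storage.te.

```selinux
# myapp.te -- added example, not from the original thread.
# Assumed names: myapp_t, myapp_exec_t, /usr/bin/myapp.
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

type myapp_t;
type myapp_exec_t;
# A confined daemon domain. init_daemon_domain() declares myapp_exec_t as the
# entrypoint of myapp_t and adds the init -> myapp_t transition, so no .if
# file is needed until some other domain has to interact with myapp_t.
init_daemon_domain(myapp_t, myapp_exec_t)

########################################
#
# Local policy
#

# What audit2allow suggests for /sbin/swapon. It compiles, but the base
# policy neverallow in kernel/storage.te only permits raw read/write of
# fixed_disk_device_t to types carrying the fixed_disk_raw_read /
# fixed_disk_raw_write attributes (or storage_unconfined_type), so semodule
# stops with "assertion ... violated" instead of loading the module:
#
#   allow myapp_t fixed_disk_device_t:blk_file { read write };

# Preferred fix: keep raw disk access out of myapp_t altogether. When myapp
# executes /sbin/swapon (labelled fsadm_exec_t) it transitions into the
# fstools domain, so the disk is touched only under policy that already
# exists for exactly that job.
optional_policy(`
	fstools_domtrans(myapp_t)
')

# Alternative, only if myapp itself must operate on fixed disks: the storage
# interface Dan names grants the access together with the attributes the
# neverallow expects, which a bare allow rule does not carry.
# storage_manage_fixed_disk(myapp_t)

########################################
#
# myapp.fc -- label the binary so the init transition fires on exec.
#
# /usr/bin/myapp	--	gen_context(system_u:object_r:myapp_exec_t,s0)
#
# Build, load and relabel (the Makefile comes with selinux-policy-devel):
#   make -f /usr/share/selinux/devel/Makefile myapp.pp
#   semodule -i myapp.pp
#   restorecon -v /usr/bin/myapp
```

With the transition in place, `ps -eZ` while swapon runs should show it in fsadm_t rather than myapp_t, and no fixed_disk_device_t rule needs to be written for myapp_t at all.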
From dwalsh at redhat.com Thu Jun 4 18:34:10 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 04 Jun 2009 14:34:10 -0400
Subject: semodule
In-Reply-To: <464159.53393.qm@web36803.mail.mud.yahoo.com>
References: <464159.53393.qm@web36803.mail.mud.yahoo.com>
Message-ID: <4A2813A2.6080509@redhat.com>

On 05/31/2009 05:12 PM, Vadym Chepkov wrote:
>
>> also check /etc/pam.d/system-auth
>
> Unexpected, but yes, you were right: when I disabled winbind it worked as expected, but I need winbind enabled. I thought having pam_selinux as the first and last session rule should be sufficient. What's wrong with my config then?
>
> $ cat /etc/pam.d/sshd
> #%PAM-1.0
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    include      system-auth
> session    required     pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session    required     pam_selinux.so open env_params
> session    optional     pam_keyinit.so force revoke
>
> $ cat /etc/pam.d/system-auth
> #%PAM-1.0
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so try_first_pass nullok
> auth        sufficient    pam_winbind.so
> auth        required      pam_deny.so
>
> account     sufficient    pam_unix.so
> account     required      pam_winbind.so
>
> password    required      pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     sufficient    pam_unix.so
> session     required      pam_winbind.so
>
>
> Sincerely yours,
> Vadym Chepkov
>

No idea how winbind would change this.


From dwalsh at redhat.com Thu Jun 4 18:42:32 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 04 Jun 2009 14:42:32 -0400
Subject: SELinux questions NewSElinux user, New role, new domain
In-Reply-To:
References:
Message-ID: <4A281598.7040403@redhat.com>

On 06/04/2009 02:32 PM, Mohamed Aburowais wrote:
>
> Hello,
> I'm actually new to SELinux. I've done all the tutorials in the Fedora10 SELinux guide and also have an old book about SELinux which doesn't work well with the one in Fedora10.
>
> I need help in creating a new policy and hope SELinux experts can help me get going with SELinux; my current problems are:
> 1- I've created a new SELinux user, example_u, using the command: semanage user -a -P user -R "user_r staff_r" example_u. It has been created, but when I mapped my user to it, and then logged in from the current user to the example user and used the command id -Z, it shows the example user as having the unconfine_u SELinux user; this is not the case when logging in from a remote ssh connection. The other concern is that in /etc/selinux/targeted/context/users the new SELinux user example_u does not appear with these users with a file about it, but it does appear when using semanage user -l.
>

You have to create the example_u to tell login programs to use it.

> 2- I also need to create a totally new role, empty, and then give this role many domains to enter: a main one for the user, and ones for the files.
>
> 3- Then I need to create a new domain. Actually I know how to make the .fc and .te files (not fully about .te), but about .if I know only a bit; can I get more information about making this and then deploying it?
>

I don't understand your question.
You only need an .if file if other domains are going to interact with your
new domain. Most user domain types do not need 'if' files.

>
> Thank you very much.
>

Did you create /etc/selinux/targeted/contexts/users/


From ejtr at layer3.co.uk Fri Jun 5 08:30:21 2009
From: ejtr at layer3.co.uk (Ted Rule)
Date: Fri, 05 Jun 2009 09:30:21 +0100
Subject: SELinux permissive domains in non-Fedora tree
Message-ID: <4A28D79D.6090607@layer3.co.uk>

I was much cheered last year to see Dan's permissive domains feature
make it into the Fedora Policy, as per his livejournal article:

http://danwalsh.livejournal.com/24537.html

I had rather rashly hoped that this would make it into the main RedHat
tree quite quickly as it seems so very useful for testing new applications.

Sadly, it doesn't appear to exist in one of my CentOS5.3 instances
running these versions - at least "semanage --help" suggests that it's
not there, and I'm assuming that CentOS5.3 is near enough in policy
version to RHEL5 to show that RHEL5 lacks the feature:

$ rpm -q policycoreutils selinux-policy-targeted kernel
policycoreutils-1.33.12-14.2.el5
selinux-policy-targeted-2.4.6-203.el5
kernel-2.6.18-92.el5
kernel-2.6.18-128.1.10.el5

but of course it does exist in my F10 instance running these:

$ rpm -q policycoreutils selinux-policy-targeted kernel
policycoreutils-2.0.57-14.fc10.i386
selinux-policy-targeted-3.5.13-38.fc10.noarch
kernel-2.6.27.9-159.fc10.i686


Is there a timescale for adding this feature to RHEL5, or will it have
to wait until RHEL6?
Is there some sort of workaround to run the F10 policy on a CentOS5 box
to get the feature, or does that simply involve so many version changes
to umpteen other packages as to be a fruitless exercise?

-- 
Ted Rule
Director, Layer3 Systems Ltd
http://www.layer3.co.uk/


From ejtr at layer3.co.uk Fri Jun 5 09:22:18 2009
From: ejtr at layer3.co.uk (Ted Rule)
Date: Fri, 05 Jun 2009 10:22:18 +0100
Subject: glusterfs / fusefs / SELinux problems in permissive mode
In-Reply-To: <4A28D79D.6090607@layer3.co.uk>
References: <4A28D79D.6090607@layer3.co.uk>
Message-ID: <4A28E3CA.8010400@layer3.co.uk>

I have a problem running a GlusterFS Client talking to a mounted
filesystem, where the SELinux labelling appears to be lost at dismount.

The experiments we've tried so far suggest that the problem is in
SELinux policy for the underlying FUSE kernel driver.

All the boxes in question are running CentOS5.3, with these relevant rpms:

$ rpm -q kernel selinux-policy fuse glusterfs-client
kernel-2.6.18-92.el5
kernel-2.6.18-128.1.10.el5
selinux-policy-2.4.6-203.el5
fuse-2.7.4-1.el5.rf
glusterfs-client-2.0.0-1

where the fuse driver is from the Dag repository, and glusterfs-client was
locally rebuilt from an SRPM, but everything else is from CentOS.

When the remote filesystem is initially mounted, the tree ends up with
fusefs_t labels:

[me at web1 ~]$ ls -lZ /mnt/shared
....
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t contexttest
drwxr-xr-x root   root        system_u:object_r:fusefs_t contexttest2
drwxr-xr-x root   root        system_u:object_r:fusefs_t contexttest3
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t files
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t icons
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t images
drwxrwsr-x root   weblogs     system_u:object_r:fusefs_t logfiles
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t navtest
...
[me at web1 ~]$


However, it's possible to chcon the tree manually and set the locally
visible label, as in:

[me at web1 ~]$ sudo chcon -t file_t /mnt/shared/contexttest3
[me at web1 ~]$ ls -lZ /mnt/shared
...
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t contexttest
drwxr-xr-x root   root        system_u:object_r:fusefs_t contexttest2
drwxr-xr-x root   root        system_u:object_r:file_t   contexttest3
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t EMMA
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t files
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t icons
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t images
drwxrwsr-x root   weblogs     system_u:object_r:fusefs_t logfiles
drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t navtest
...

This change of label is also correctly reflected on the server end of
the mount.

However, if we now unmount/remount the volume, all the labels revert to
fusefs_t.

FWIW, this was all with the Client and Server in SELinux permissive.

This then suggested to us that the fuse driver somehow fails to read all
the extended attributes from the ext3 filesystem on the Server; maybe it
only reads fuse-specific attributes, and leaves the remainder blank.

After some other experiments, we tried running the Client in SELinux
disabled, and lo and behold, the Server's labels were picked up on mount
correctly.

We then found that the filesystem policy appears to class fuse as a
non-xattr filesystem, as in this clause from kernel/filesystem.te:

....
type fusefs_t;
fs_noxattr_type(fusefs_t)
allow fusefs_t self:filesystem associate;
allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
....

However, we can see that chcon is able to write the label from the
client up to the server, so the fuse driver must be xattr capable to
some degree.
Given that the problem appears to go away when I set SELinux to disabled
(as opposed to permissive), I presume that it's a policy bug.

Is there some relatively simple tweak that could be applied, such as
adding a line something like this:

fs_use_xattr fuse gen_context(system_u:object_r:fusefs_t,s0);

to match what ext3 has:

fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);


Can you offer any further suggestions?


Many thanks,

-- 
Ted Rule
Director, Layer3 Systems Ltd
http://www.layer3.co.uk/


From sds at tycho.nsa.gov Fri Jun 5 12:35:27 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 05 Jun 2009 08:35:27 -0400
Subject: glusterfs / fusefs / SELinux problems in permissive mode
In-Reply-To: <4A28E3CA.8010400@layer3.co.uk>
References: <4A28D79D.6090607@layer3.co.uk> <4A28E3CA.8010400@layer3.co.uk>
Message-ID: <1244205327.20265.39.camel@localhost.localdomain>

On Fri, 2009-06-05 at 10:22 +0100, Ted Rule wrote:
> I have a problem running a GlusterFS Client talking to a mounted
> filesystem, where the SELinux labelling appears to be lost at dismount.
>
> The experiments we've tried so far suggest that the problem is in
> SELinux policy for the underlying FUSE kernel driver.

See this thread:
http://marc.info/?t=121379726100001&r=1&w=2

What is needed is the ability to automatically detect whether the
underlying fs supports security xattrs, using them if supported or
falling back to the genfscon rule for filesystems that do not support
them. That is what Eric's patch was trying to do, but it ran into a
deadlock problem on some filesystems.

If you want all of the files in the mount to have a single label on each
mount, you could use a context= mount instead. But that doesn't support
per-file labeling.
> All the boxes in question are running CentOS5.3, with these relevant rpms:
>
> $ rpm -q kernel selinux-policy fuse glusterfs-client
> kernel-2.6.18-92.el5
> kernel-2.6.18-128.1.10.el5
> selinux-policy-2.4.6-203.el5
> fuse-2.7.4-1.el5.rf
> glusterfs-client-2.0.0-1
>
> where the fuse driver is from the Dag repository, and glusterfs-client was
> locally rebuilt from an SRPM, but everything else is from CentOS.
>
> When the remote filesystem is initially mounted, the tree ends up with
> fusefs_t labels:
>
> [me at web1 ~]$ ls -lZ /mnt/shared
> ....
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t contexttest
> drwxr-xr-x root   root        system_u:object_r:fusefs_t contexttest2
> drwxr-xr-x root   root        system_u:object_r:fusefs_t contexttest3
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t files
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t icons
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t images
> drwxrwsr-x root   weblogs     system_u:object_r:fusefs_t logfiles
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t navtest
>
> ...
> [me at web1 ~]$
>
>
> However, it's possible to chcon the tree manually and set the locally
> visible label, as in:
>
> [me at web1 ~]$ sudo chcon -t file_t /mnt/shared/contexttest3
> [me at web1 ~]$ ls -lZ /mnt/shared
> ...
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t contexttest
> drwxr-xr-x root   root        system_u:object_r:fusefs_t contexttest2
> drwxr-xr-x root   root        system_u:object_r:file_t   contexttest3
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t EMMA
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t files
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t icons
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t images
> drwxrwsr-x root   weblogs     system_u:object_r:fusefs_t logfiles
> drwxrwsr-x apache sharedfiles system_u:object_r:fusefs_t navtest
> ...
>
> This change of label is also correctly reflected on the server end of
> the mount.
>
> However, if we now unmount/remount the volume, all the labels revert to
> fusefs_t.
>
> FWIW, this was all with the Client and Server in SELinux permissive.
>
> This then suggested to us that the fuse driver somehow fails to read all
> the extended attributes from the ext3 filesystem on the Server; maybe it
> only reads fuse-specific attributes,
> and leaves the remainder blank.
>
> After some other experiments, we tried running the Client in SELinux
> disabled, and lo and behold, the Server's labels were picked up on mount
> correctly.
>
> We then found that the filesystem policy appears to class fuse as a
> non-xattr filesystem, as in this clause from kernel/filesystem.te:
>
> ....
> type fusefs_t;
> fs_noxattr_type(fusefs_t)
> allow fusefs_t self:filesystem associate;
> allow fusefs_t fs_t:filesystem associate;
> genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
> genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
> genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
> ....
>
> However, we can see that chcon is able to write the label from the
> client up to the server, so the fuse driver must be xattr capable to
> some degree.
>
> Given that the problem appears to go away when I set SELinux to disabled
> (as opposed to permissive), I presume that it's a policy bug.
>
> Is there some relatively simple tweak that could be applied, such as
> adding a line something like this:
>
> fs_use_xattr fuse gen_context(system_u:object_r:fusefs_t,s0);
>
> to match what ext3 has:
>
> fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
>
>
> Can you offer any further suggestions?
>
>
> Many thanks,
>
>
>

-- 
Stephen Smalley
National Security Agency


From sds at tycho.nsa.gov Fri Jun 5 12:51:12 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 05 Jun 2009 08:51:12 -0400
Subject: SELinux permissive domains in non-Fedora tree
In-Reply-To: <4A28D79D.6090607@layer3.co.uk>
References: <4A28D79D.6090607@layer3.co.uk>
Message-ID: <1244206272.20265.54.camel@localhost.localdomain>

On Fri, 2009-06-05 at 09:30 +0100, Ted Rule wrote:
> I was much cheered last year to see Dan's permissive domains feature
> make it into the Fedora Policy, as per his livejournal article:
>
> http://danwalsh.livejournal.com/24537.html
>
> I had rather rashly hoped that this would make it into the main RedHat
> tree quite quickly as it seems so very useful for testing new applications.
>
> Sadly, it doesn't appear to exist in one of my CentOS5.3 instances
> running these versions - at least "semanage --help" suggests that it's
> not there, and I'm assuming
> that CentOS5.3 is near enough in policy version to RHEL5 to show that
> RHEL5 lacks the feature:
>
> $ rpm -q policycoreutils selinux-policy-targeted kernel
> policycoreutils-1.33.12-14.2.el5
> selinux-policy-targeted-2.4.6-203.el5
> kernel-2.6.18-92.el5
> kernel-2.6.18-128.1.10.el5
>
> but of course it does exist in my F10 instance running these:
>
> $ rpm -q policycoreutils selinux-policy-targeted kernel
> policycoreutils-2.0.57-14.fc10.i386
> selinux-policy-targeted-3.5.13-38.fc10.noarch
> kernel-2.6.27.9-159.fc10.i686
>
>
> Is there a timescale for adding this feature to RHEL5, or will it have
> to wait until RHEL6? Is there some sort of workaround to run the F10 policy
> on a CentOS5 box to get the feature, or does that simply involve so many
> version changes to umpteen other packages as to be a fruitless exercise?
I can't speak to your question about when or whether it would be
backported to RHEL5, but it would require back porting the patches to
the kernel, libsepol, checkpolicy, and policycoreutils (semanage). And
due to the incremental nature of the binary policy format versions, they
would also have to back port the policy capabilities patches. It would
certainly be a nice feature to have in RHEL5.

-- 
Stephen Smalley
National Security Agency


From dwalsh at redhat.com Fri Jun 5 13:24:02 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 05 Jun 2009 09:24:02 -0400
Subject: SELinux permissive domains in non-Fedora tree
In-Reply-To: <1244206272.20265.54.camel@localhost.localdomain>
References: <4A28D79D.6090607@layer3.co.uk> <1244206272.20265.54.camel@localhost.localdomain>
Message-ID: <4A291C72.3020408@redhat.com>

On 06/05/2009 08:51 AM, Stephen Smalley wrote:
> On Fri, 2009-06-05 at 09:30 +0100, Ted Rule wrote:
>> I was much cheered last year to see Dan's permissive domains feature
>> make it into the Fedora Policy, as per his livejournal article:
>>
>> http://danwalsh.livejournal.com/24537.html
>>
>> I had rather rashly hoped that this would make it into the main RedHat
>> tree quite quickly as it seems so very useful for testing new applications.
>> >> Sadly, it doesn't appear to exist in one of my CentOS5.3 instances >> running these versions - at least "semanage --help" suggests that it's >> not there, and I'm assuming >> that CentOS5.3 is near enough in policy version to RHEL5 to show that >> RHEL5 lacks the feature: >> >> $ rpm -q policycoreutils selinux-policy-targeted kernel >> policycoreutils-1.33.12-14.2.el5 >> selinux-policy-targeted-2.4.6-203.el5 >> kernel-2.6.18-92.el5 >> kernel-2.6.18-128.1.10.el5 >> >> but of course it does exist in my F10 instance running these: >> >> $ rpm -q policycoreutils selinux-policy-targeted kernel >> policycoreutils-2.0.57-14.fc10.i386 >> selinux-policy-targeted-3.5.13-38.fc10.noarch >> kernel-2.6.27.9-159.fc10.i686 >> >> >> Is there a timescale for adding this feature to RHEL5, or will it have >> to wait until RHEL6? Is there some sort of workaround to run the F10 policy >> on a CentOS5 box to get the feature, or does that simply involve so many >> version changes to umpteen other packages as to be a fruitless exercise? > > I can't speak to your question about when or whether it would be > backported to RHEL5, but it would require back porting the patches to > the kernel, libsepol, checkpolicy, and policycoreutils (semanage). And > due to the incremental nature of the binary policy format versions, they > would also have to back port the policy capabilities patches. It would > certainly be a nice feature to have in RHEL5. > Well backporting major features to RHEL5 is frowned upon from a risk factor. So I do not see this feature being back ported. We will be releasing semodule -DB in RHEL5.4 though. From chepkov at yahoo.com Fri Jun 5 13:54:08 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Fri, 5 Jun 2009 06:54:08 -0700 (PDT) Subject: semodule Message-ID: <382463.47785.qm@web36808.mail.mud.yahoo.com> --- On Thu, 6/4/09, Daniel J Walsh wrote: > No idea how winbind would change this. > But it does. Shall I submit a bugzilla ticket about it? 
Vadym From sds at tycho.nsa.gov Fri Jun 5 14:10:33 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 05 Jun 2009 10:10:33 -0400 Subject: semodule In-Reply-To: <465251.41151.qm@web36801.mail.mud.yahoo.com> References: <465251.41151.qm@web36801.mail.mud.yahoo.com> Message-ID: <1244211033.20265.67.camel@localhost.localdomain> On Sun, 2009-05-31 at 08:36 -0700, Vadym Chepkov wrote: > I compared /etc/pam.d/sshd of the affected and working system, they are identical. But, I found these entries in /var/log/secure of the system in trouble: > > error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument > > I bet it's a smoking gun, I just have no idea what to do about it. Wait - that means that sshd is still trying to set up the tty label. Dan, I thought you switched to using pam_selinux instead for sshd? Why would there be both direct selinux logic in sshd and pam_selinux in /etc/pam.d/sshd? -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Fri Jun 5 14:19:52 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 05 Jun 2009 10:19:52 -0400 Subject: semodule In-Reply-To: <382463.47785.qm@web36808.mail.mud.yahoo.com> References: <382463.47785.qm@web36808.mail.mud.yahoo.com> Message-ID: <1244211592.20265.69.camel@localhost.localdomain> On Fri, 2009-06-05 at 06:54 -0700, Vadym Chepkov wrote: > > --- On Thu, 6/4/09, Daniel J Walsh wrote: > > No idea how windbind woul change this. > > > > But it does. Shall I submit bugzilla ticket about it? Looks like pam_winbind can change the PAM_USER value. Which could confuse pam_selinux. 
-- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Fri Jun 5 14:45:32 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 05 Jun 2009 10:45:32 -0400 Subject: semodule In-Reply-To: <1244211592.20265.69.camel@localhost.localdomain> References: <382463.47785.qm@web36808.mail.mud.yahoo.com> <1244211592.20265.69.camel@localhost.localdomain> Message-ID: <1244213132.20265.92.camel@localhost.localdomain> On Fri, 2009-06-05 at 10:19 -0400, Stephen Smalley wrote: > On Fri, 2009-06-05 at 06:54 -0700, Vadym Chepkov wrote: > > > > --- On Thu, 6/4/09, Daniel J Walsh wrote: > > > No idea how winbind would change this. > > > > > > > But it does. Shall I submit a bugzilla ticket about it? > > Looks like pam_winbind can change the PAM_USER value. Which could > confuse pam_selinux. Found this thread: http://www.mail-archive.com/samba at lists.samba.org/msg15640.html Can you configure winbind with use default domain=yes? -- Stephen Smalley National Security Agency From chepkov at yahoo.com Fri Jun 5 15:09:09 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Fri, 5 Jun 2009 08:09:09 -0700 (PDT) Subject: semodule Message-ID: <93596.83827.qm@web36805.mail.mud.yahoo.com> --- On Fri, 6/5/09, Stephen Smalley wrote: > Found this thread: > http://www.mail-archive.com/samba at lists.samba.org/msg15640.html > > Can you configure winbind with use default domain=yes? > I do have such a setup. 
Both type of users are affected: local and "winbind" Sincerely yours, Vadym Chepkov From sds at tycho.nsa.gov Fri Jun 5 15:09:29 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 05 Jun 2009 11:09:29 -0400 Subject: semodule In-Reply-To: <93596.83827.qm@web36805.mail.mud.yahoo.com> References: <93596.83827.qm@web36805.mail.mud.yahoo.com> Message-ID: <1244214569.20265.95.camel@localhost.localdomain> On Fri, 2009-06-05 at 08:09 -0700, Vadym Chepkov wrote: > --- On Fri, 6/5/09, Stephen Smalley wrote: > > > Found this thread: > > http://www.mail-archive.com/samba at lists.samba.org/msg15640.html > > > > Can you configure winbind with use default domain=yes? > > > > I do have have such setup. Both type of users are affected: local and "winbind" Can you append "debug" to the arguments to the latter instance of pam_selinux.so, e.g.: session required pam_selinux.so open env_params debug And then login again via ssh and look in /var/log/secure? -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Fri Jun 5 15:12:50 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 05 Jun 2009 11:12:50 -0400 Subject: semodule In-Reply-To: <1244214569.20265.95.camel@localhost.localdomain> References: <93596.83827.qm@web36805.mail.mud.yahoo.com> <1244214569.20265.95.camel@localhost.localdomain> Message-ID: <1244214770.20265.97.camel@localhost.localdomain> On Fri, 2009-06-05 at 11:09 -0400, Stephen Smalley wrote: > On Fri, 2009-06-05 at 08:09 -0700, Vadym Chepkov wrote: > > --- On Fri, 6/5/09, Stephen Smalley wrote: > > > > > Found this thread: > > > http://www.mail-archive.com/samba at lists.samba.org/msg15640.html > > > > > > Can you configure winbind with use default domain=yes? > > > > > > > I do have have such setup. 
Both types of users are affected: local and "winbind" > > Can you append "debug" to the arguments to the latter instance of > pam_selinux.so, e.g.: > session required pam_selinux.so open env_params debug > > And then login again via ssh and look in /var/log/secure? Hmmm... btw, I notice that the order of entries has changed in /etc/pam.d in F11 from F10, with the: session include system-auth line at the end of /etc/pam.d/sshd rather than between the two pam_selinux instances. So maybe the problem is that when you upgraded, it didn't replace your pam config due to your local configuration of winbind, and thus you didn't get that ordering change. I know that they reworked the way sshd interacts with pam_selinux. -- Stephen Smalley National Security Agency From chepkov at yahoo.com Fri Jun 5 16:40:07 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Fri, 5 Jun 2009 09:40:07 -0700 (PDT) Subject: semodule Message-ID: <534808.16477.qm@web36801.mail.mud.yahoo.com> --- On Fri, 6/5/09, Stephen Smalley wrote: > > Can you append "debug" to the arguments to the latter > instance of > pam_selinux.so, e.g.: > session required > pam_selinux.so open env_params debug > > And then login again via ssh and look in /var/log/secure? > No changes at all, same error about ssh_selinux_setup_pty. To answer your other post, I compared pam.d/sshd with a freshly installed F10, they are identical. I am attaching both files in question. Thank you for your help. Sincerely yours, Vadym Chepkov -------------- next part -------------- A non-text attachment was scrubbed... Name: sshd Type: application/octet-stream Size: 540 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: system-auth Type: application/octet-stream Size: 807 bytes Desc: not available URL: From sds at tycho.nsa.gov Fri Jun 5 16:37:59 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 05 Jun 2009 12:37:59 -0400 Subject: semodule In-Reply-To: <534808.16477.qm@web36801.mail.mud.yahoo.com> References: <534808.16477.qm@web36801.mail.mud.yahoo.com> Message-ID: <1244219879.20265.98.camel@localhost.localdomain> On Fri, 2009-06-05 at 09:40 -0700, Vadym Chepkov wrote: > --- On Fri, 6/5/09, Stephen Smalley wrote: > > > > Can you append "debug" to the arguments to the latter > > instance of > > pam_selinux.so, e.g.: > > session required > > pam_selinux.so open env_params debug > > > > And then login again via ssh and look in /var/log/secure? > > > > No changes at all, same error about ssh_selinux_setup_pty. > To answer your other post, I compared pam.d/sshd with freshly installed F10, they are identical. I am attaching both files in question. > Thank you for your help. You should have gotten some pam_selinux log messages in /var/log/secure if you added the debug option and logged into the system again. -- Stephen Smalley National Security Agency From dwalsh at redhat.com Fri Jun 5 17:07:22 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 05 Jun 2009 13:07:22 -0400 Subject: semodule In-Reply-To: <382463.47785.qm@web36808.mail.mud.yahoo.com> References: <382463.47785.qm@web36808.mail.mud.yahoo.com> Message-ID: <4A2950CA.6090607@redhat.com> On 06/05/2009 09:54 AM, Vadym Chepkov wrote: > > > --- On Thu, 6/4/09, Daniel J Walsh wrote: >> No idea how windbind woul change this. >> > > But it does. Shall I submit bugzilla ticket about it? 
> > Vadym > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list yes From dwalsh at redhat.com Fri Jun 5 17:09:54 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 05 Jun 2009 13:09:54 -0400 Subject: semodule In-Reply-To: <1244211033.20265.67.camel@localhost.localdomain> References: <465251.41151.qm@web36801.mail.mud.yahoo.com> <1244211033.20265.67.camel@localhost.localdomain> Message-ID: <4A295162.7060203@redhat.com> On 06/05/2009 10:10 AM, Stephen Smalley wrote: > On Sun, 2009-05-31 at 08:36 -0700, Vadym Chepkov wrote: >> I compared /etc/pam.d/sshd of the affected and working system, they are identical. But, I found these entries in /var/log/secure of the system in trouble: >> >> error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument >> >> I bet it's a smoking gun, I just have no idea what to do about it. > > Wait - that means that sshd is still trying to set up the tty label. > Dan, I thought you switched to using pam_selinux instead for sshd? Why > would there be both direct selinux logic in sshd and pam_selinux > in /etc/pam.d/sshd? > There should not be. From chepkov at yahoo.com Fri Jun 5 17:10:26 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Fri, 5 Jun 2009 10:10:26 -0700 (PDT) Subject: semodule Message-ID: <351138.27771.qm@web36802.mail.mud.yahoo.com> --- On Fri, 6/5/09, Stephen Smalley wrote: > > You should have gotten some pam_selinux log messages in > /var/log/secure > if you added the debug option and logged into the system > again. > You should be able to see debug option I added in the sshd file I sent you. No debug entries in /var/log/secure. Could it be that session call never gets out of pam_winbind, which is called in system-auth? 
Vadym From sds at tycho.nsa.gov Fri Jun 5 17:22:29 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Fri, 05 Jun 2009 13:22:29 -0400 Subject: semodule In-Reply-To: <351138.27771.qm@web36802.mail.mud.yahoo.com> References: <351138.27771.qm@web36802.mail.mud.yahoo.com> Message-ID: <1244222549.20265.102.camel@localhost.localdomain> On Fri, 2009-06-05 at 10:10 -0700, Vadym Chepkov wrote: > > --- On Fri, 6/5/09, Stephen Smalley wrote: > > > > > You should have gotten some pam_selinux log messages in > > /var/log/secure > > if you added the debug option and logged into the system > > again. > > > > You should be able to see debug option I added in the sshd file I sent you. > No debug entries in /var/log/secure. Could it be that session call never gets out of pam_winbind, which is called in system-auth? I don't know. Adding debug to that pam entry on a F10 system here and logged in, I get the following in /var/log/secure (omitting the timestamp and hostname prefix): sshd[3745]: pam_selinux(sshd:session): Open Session sshd[3745]: pam_selinux(sshd:session): Username= sds SELinux User = unconfined_u Level= s0 sshd[3745]: pam_selinux(sshd:session): Selected Security Context unconfined_u:unconfined_r:unconfined_t:s0 sshd[3745]: pam_selinux(sshd:session): Checking if unconfined_u:unconfined_r:unconfined_t:s0 mls range valid for unconfined_u:unconfined_r:unconfined_t:s0 sshd[3745]: pam_selinux(sshd:session): set sds security context to unconfined_u:unconfined_r:unconfined_t:s0 sshd[3745]: pam_selinux(sshd:session): set sds key creation context to unconfined_u:unconfined_r:unconfined_t:s0 sshd[3745]: pam_selinux(sshd:session): Close Session -- Stephen Smalley National Security Agency From chepkov at yahoo.com Fri Jun 5 21:14:22 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Fri, 5 Jun 2009 14:14:22 -0700 (PDT) Subject: pam_mkhomedir Message-ID: <861893.26544.qm@web36806.mail.mud.yahoo.com> I started to work on a test case for selinux/winbind and found another 
unrelated issue with pam_mkhomedir. SELinux doesn't allow a winbind user to create a home for himself and copy files from /etc/skel, I had to add the following rules into the local policy: allow sshd_t user_home_dir_t:file { write create setattr }; unprivuser_home_filetrans_home_dir(sshd_t) unprivuser_create_home_dir(sshd_t) I searched bugzilla and it seems a related case was already filed (Bug 447096) against Fedora 9. I don't see an option to modify the bug and make it Fedora 10, which means after Fedora 11 is released it will be automatically closed without resolution like it has happened so many times in the past. Is there a way to keep a bug alive until it is actually resolved? Thanks. Sincerely yours, Vadym Chepkov From dwalsh at redhat.com Sat Jun 6 11:05:45 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 06 Jun 2009 07:05:45 -0400 Subject: pam_mkhomedir In-Reply-To: <861893.26544.qm@web36806.mail.mud.yahoo.com> References: <861893.26544.qm@web36806.mail.mud.yahoo.com> Message-ID: <4A2A4D89.5040206@redhat.com> On 06/05/2009 05:14 PM, Vadym Chepkov wrote: > > I started to work on a test case for selinux/winbind and found another unrelated issue with pam_mkhomedir. SELinux doesn't allow a winbind user to create a home for himself and copy files from /etc/skel, I had to add the following rules into the local policy: > > allow sshd_t user_home_dir_t:file { write create setattr }; > unprivuser_home_filetrans_home_dir(sshd_t) > unprivuser_create_home_dir(sshd_t) > > > I searched bugzilla and it seems a related case was already filed (Bug 447096) against Fedora 9. I don't see an option to modify the bug and make it Fedora 10, which means after Fedora 11 is released it will be automatically closed without resolution like it has happened so many times in the past. Is there a way to keep a bug alive until it is actually resolved? Thanks. 
> > Sincerely yours, > Vadym Chepkov > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list We would prefer you to use pam_oddjob_mkhomedir. The problem with pam_mkhomedir is that it requires us to give privs to all login programs to write all over the user's homedir. I do not want to give login programs this priv, because I want to prevent them from even being able to read the homedir. Imagine a remote exploit of sshd that allows me to pull data off the HOMEDIR without even logging in. Imagine being able to walk up to a gdm session and being able to trick it to read the homedir without logging in. I do not think there is a way to get the bugzilla to move forward, without manual intervention. From chepkov at yahoo.com Sat Jun 6 11:26:43 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Sat, 6 Jun 2009 04:26:43 -0700 (PDT) Subject: pam_mkhomedir Message-ID: <300039.66551.qm@web36801.mail.mud.yahoo.com> --- On Sat, 6/6/09, Daniel J Walsh wrote: > We would prefer you to use pam_oddjob_mkhomedir. That's not something I have selected, a system tool did it on my behalf: authconfig --enablemkhomedir create home directories for users on their first login This adds pam_mkhomedir into /etc/pam.d/system-auth. > I do not think there is a way to get the bugzilla to move > forward, without manual intervention. And I would like to intervene, but as I said, I can't edit these fields in the bug, they are not available for editing. Vadym From dwalsh at redhat.com Sat Jun 6 13:07:43 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 06 Jun 2009 09:07:43 -0400 Subject: pam_mkhomedir In-Reply-To: <861893.26544.qm@web36806.mail.mud.yahoo.com> References: <861893.26544.qm@web36806.mail.mud.yahoo.com> Message-ID: <4A2A6A1F.5010208@redhat.com> On 06/05/2009 05:14 PM, Vadym Chepkov wrote: > > I started to work on a test case for selinux/winbind and found another unrelated issue with pam_mkhomedir. 
SELinux doesn't allow a winbind user to create a home for himself and copy files from /etc/skel, I had to add the following rules into the local policy: > > allow sshd_t user_home_dir_t:file { write create setattr }; > unprivuser_home_filetrans_home_dir(sshd_t) > unprivuser_create_home_dir(sshd_t) > > > I searched bugzilla and it seems a related case was already filed (Bug 447096) against Fedora 9. I don't see an option to modify the bug and make it Fedora 10, which means after Fedora 11 is released it will be automatically closed without resolution like it has happened so many times in the past. Is there a way to keep a bug alive until it is actually resolved? Thanks. > > Sincerely yours, > Vadym Chepkov > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Moved it to F11. From sf181257 at students.mimuw.edu.pl Sat Jun 6 13:09:16 2009 From: sf181257 at students.mimuw.edu.pl ("Stanisław T. Findeisen") Date: Sat, 06 Jun 2009 15:09:16 +0200 Subject: allow_execstack Message-ID: <4A2A6A7C.5000505@students.mimuw.edu.pl> Look what I've found regarding stack execution: ======================================================================= execstack :: As the name suggests, this error is raised if a program tries to make its stack (or parts thereof) executable with an mprotect call. This should never, ever be necessary. Stack memory is not executable on most OSes these days and this won't change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. http://people.redhat.com/drepper/selinux-mem.html ======================================================================= $ cat /selinux/booleans/allow_execstack 1 1 $ cat /etc/redhat-release Fedora release 10 (Cambridge) I haven't changed this setting manually since system install so I guess this is a bug in the Fedora policy? 
BTW what does the 1st "1", and what does the 2nd "1" in /selinux/booleans/allow_execstack stand for? Thanks! STF ======================================================================= http://eisenbits.homelinux.net/~stf/ OpenPGP: DFD9 0146 3794 9CF6 17EA D63F DBF5 8AA8 3B31 FE8A ======================================================================= From dwalsh at redhat.com Sat Jun 6 13:48:00 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 06 Jun 2009 09:48:00 -0400 Subject: allow_execstack In-Reply-To: <4A2A6A7C.5000505@students.mimuw.edu.pl> References: <4A2A6A7C.5000505@students.mimuw.edu.pl> Message-ID: <4A2A7390.8020704@redhat.com> On 06/06/2009 09:09 AM, "Stanisław T. Findeisen" wrote: > Look what I've found regarding stack execution: > > ======================================================================= > execstack :: As the name suggests, this error is raised if a program > tries to make its stack (or parts thereof) executable with an mprotect > call. This should never, ever be necessary. Stack memory is not > executable on most OSes these days and this won't change. Executable > stack memory is one of the biggest security problems. An execstack error > might in fact be most likely raised by malicious code. > > http://people.redhat.com/drepper/selinux-mem.html > ======================================================================= > > $ cat /selinux/booleans/allow_execstack > 1 1 > $ cat /etc/redhat-release > Fedora release 10 (Cambridge) > > I haven't changed this setting manually since system install so I guess > this is a bug in the Fedora policy? > > BTW what does the 1st "1", and what does the 2nd "1" in > /selinux/booleans/allow_execstack stand for? > > Thanks! 
> STF > > ======================================================================= > http://eisenbits.homelinux.net/~stf/ > OpenPGP: DFD9 0146 3794 9CF6 17EA D63F DBF5 8AA8 3B31 FE8A > ======================================================================= > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Allow execstack was turned on by default in F10. Note: allow_execstack only affects unconfined domains. All confined domains are not allowed to execstack, even if the allow_execstack is set. The boolean should have been named unconfined_execstack. From peterjb at mtaonline.net Sat Jun 6 19:03:35 2009 From: peterjb at mtaonline.net (Peter Joseph) Date: Sat, 6 Jun 2009 12:03:35 -0700 (PDT) Subject: SELinux Instructions Message-ID: <23904686.post@talk.nabble.com> For the past several weeks I have been trying to learn SELinux, and as so many before me, I find it extremely frustrating, ready to give up. Can someone tell me where to start? It looks to me that all of the stuff written about SELinux was written by Microsoft people in order to keep people from using Linux. Take for example the 'cat' command relating to /etc/pam.d/gdm - what in the world am I to get from this: #%PAM-1.0 auth [success=done ignore=ignore default=bad] pam_selinux_permit.so auth required pam_succeed_if.so user != root quiet auth required pam_env.so auth substack system-auth auth optional pam_gnome_keyring.so account required pam_nologin.so account include system-auth password include system-auth session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so session optional pam_gnome_keyring.so auto_start session include system-auth Where can I find information explaining the above? 
Is there a place where one could find some sort of a basic template file? A file showing the minimum initial settings that could be built upon? It seems to me that inclusion of SELinux in Fedora is counterproductive. Instead of providing users with a firewall they could manage after negotiating a reasonable learning curve, the users are presented with this monstrous security system understood only by full-blown programmers. Is there a way of learning SELinux without the computer science degree prerequisite? -- View this message in context: http://www.nabble.com/SELinux-Instructions-tp23904686p23904686.html Sent from the Fedora SELinux List mailing list archive at Nabble.com. From mcepl at redhat.com Sat Jun 6 19:16:21 2009 From: mcepl at redhat.com (Matej Cepl) Date: Sat, 6 Jun 2009 19:16:21 +0000 (UTC) Subject: SELinux Instructions References: <23904686.post@talk.nabble.com> Message-ID: Peter Joseph, Sat, 06 Jun 2009 12:03:35 -0700: > Where can I find information explaining the above? Search for PAM configuration on Google. This has actually absolutely nothing to do with SELinux ;-). > firewall SELinux is not a firewall and it is not intended as a replacement for one. > reasonable learning curve, the users are presented with this monstrous > security system understood only by full-blown programmers. Is there a > way of learning SELinux without the computer science degree prerequisite? A normal user is not supposed to understand SELinux, it should just work for him (or he can file bugs). If you want to fiddle with it, then you should know what you are doing. If you want to learn stuff, then the best source I found was "SELinux User Guide" (http://docs.fedoraproject.org/selinux-user-guide/) and probably even better "SELinux by Example" (http://www.amazon.com/SELinux-Example-Security-Enhanced-Development/dp/0131963694/) ... it is slightly dated, but it leads you very nicely from simple to heights which are insurmountable for regular human beings. 
Best, Matěj From domg472 at gmail.com Sat Jun 6 19:54:30 2009 From: domg472 at gmail.com (Dominick Grift) Date: Sat, 06 Jun 2009 21:54:30 +0200 Subject: SELinux Instructions In-Reply-To: <23904686.post@talk.nabble.com> References: <23904686.post@talk.nabble.com> Message-ID: <1244318070.8246.5.camel@notebook2.grift.internal> On Sat, 2009-06-06 at 12:03 -0700, Peter Joseph wrote: > the users are presented with this > monstrous security system understood only by full-blown programmers. Is > there a way of learning SELinux without the computer science degree > prerequisite? > I am neither a programmer nor do I have a computer science degree but I would like to think that I can find my way pretty well with SELinux. I usually lurk at #fedora-selinux on irc.freenode.org and if I can, I help get people started with SELinux. If you want some interactive guidance then feel free to join the chat, my IRC nick name is dgrift. From tmraz at redhat.com Mon Jun 8 07:14:44 2009 From: tmraz at redhat.com (Tomas Mraz) Date: Mon, 08 Jun 2009 09:14:44 +0200 Subject: semodule In-Reply-To: <4A295162.7060203@redhat.com> References: <465251.41151.qm@web36801.mail.mud.yahoo.com> <1244211033.20265.67.camel@localhost.localdomain> <4A295162.7060203@redhat.com> Message-ID: <1244445285.13715.24.camel@vespa.frost.loc> On Fri, 2009-06-05 at 13:09 -0400, Daniel J Walsh wrote: > On 06/05/2009 10:10 AM, Stephen Smalley wrote: > > On Sun, 2009-05-31 at 08:36 -0700, Vadym Chepkov wrote: > >> I compared /etc/pam.d/sshd of the affected and working system, they are identical. But, I found these entries in /var/log/secure of the system in trouble: > >> > >> error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument > >> > >> I bet it's a smoking gun, I just have no idea what to do about it. > > > > Wait - that means that sshd is still trying to set up the tty label. > > Dan, I thought you switched to using pam_selinux instead for sshd? 
Why > > would there be both direct selinux logic in sshd and pam_selinux > > in /etc/pam.d/sshd? > > > There should not be. Some SELinux calls still have to happen from sshd directly - for example the pty relabelling, because the pty in sshd is not yet set up when pam_selinux is called. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb From mgrepl at redhat.com Mon Jun 8 09:42:58 2009 From: mgrepl at redhat.com (Miroslav Grepl) Date: Mon, 08 Jun 2009 11:42:58 +0200 Subject: SELinux Instructions In-Reply-To: References: <23904686.post@talk.nabble.com> Message-ID: <4A2CDD22.4060507@redhat.com> Matej Cepl wrote: > Peter Joseph, Sat, 06 Jun 2009 12:03:35 -0700: > >> Where can I find information explaining the above? >> > > Search for PAM configuration on Google. This has actually absolutely > nothing to do with SELinux ;-). > > >> firewall >> > > SELinux is not a firewall and it is not intended as a replacement for one. > > >> reasonable learning curve, the users are presented with this monstrous >> security system understood only by full-blown programmers. Is there a >> way of learning SELinux without the computer science degree prerequisite? >> > > A normal user is not supposed to understand SELinux, it should just work > for him (or he can file bugs). If you want to fiddle with it, then you > should know what you are doing. > > If you want to learn stuff, then the best source I found was "SELinux > User Guide" (http://docs.fedoraproject.org/selinux-user-guide/) and > probably even better "SELinux by Example" (http://www.amazon.com/SELinux-Example-Security-Enhanced-Development/dp/0131963694/) ... it is slightly > dated, but it leads you very nicely from simple to heights which are > insurmountable for regular human beings. > > Best, > > Matěj > > What I also really recommend is Dan Walsh's LiveJournal about SELinux. There is a lot of useful information there that can help you understand SELinux. 
Look at http://danwalsh.livejournal.com/ > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > From olivares14031 at yahoo.com Mon Jun 8 20:21:59 2009 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Mon, 8 Jun 2009 13:21:59 -0700 (PDT) Subject: firefox on rawhide and selinux Message-ID: <725070.18670.qm@web52608.mail.re2.yahoo.com> Summary: SELinux is preventing firefox from changing a writable memory segment executable. Detailed Description: The firefox application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If firefox does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: If you trust firefox to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'". You must also change the default file context files on the system in order to preserve them even on a full relabel. 
"semanage fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'" Fix Command: chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Objects None [ process ] Source firefox Source Path /usr/lib/firefox-3.5b4/firefox Port Host localhost.localdomain Source RPM Packages firefox-3.5-0.21.beta4.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.13-2.fc12 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execmem Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.30-0.97.rc8.fc12.i586 #1 SMP Wed Jun 3 09:55:34 EDT 2009 i686 i686 Alert Count 8 First Seen Mon 08 Jun 2009 12:27:54 PM CDT Last Seen Mon 08 Jun 2009 12:28:08 PM CDT Local ID 0e0d62f4-09db-4ddf-987c-8210c45b9e70 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc: denied { execmem } for pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Thanks, Antonio From dwalsh at redhat.com Mon Jun 8 21:17:22 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 08 Jun 2009 17:17:22 -0400 Subject: firefox on rawhide and selinux In-Reply-To: <725070.18670.qm@web52608.mail.re2.yahoo.com> References: <725070.18670.qm@web52608.mail.re2.yahoo.com> Message-ID: <4A2D7FE2.6010200@redhat.com> 
On 06/08/2009 04:21 PM, Antonio Olivares wrote:
>
>
> Summary:
>
> SELinux is preventing firefox from changing a writable memory segment
> executable.
>
> Detailed Description:
>
> The firefox application attempted to change the access protection of memory
> (e.g., allocated using malloc). This is a potential security problem.
> Applications should not be doing this. Applications are sometimes coded
> incorrectly and request this permission. The SELinux Memory Protection Tests
> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> remove this requirement. If firefox does not work and you need it to work, you
> can configure SELinux temporarily to allow this access until the application is
> fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Allowing Access:
>
> If you trust firefox to run correctly, you can change the context of the
> executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> '/usr/lib/firefox-3.5b4/firefox'". You must also change the default file context
> files on the system in order to preserve them even on a full relabel.
> "semanage
> fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'"
>
> Fix Command:
>
> chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
>                               SystemHigh
> Target Objects                None [ process ]
> Source                        firefox
> Source Path                   /usr/lib/firefox-3.5b4/firefox
> Port
> Host                          localhost.localdomain
> Source RPM Packages           firefox-3.5-0.21.beta4.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.13-2.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execmem
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
>                               2.6.30-0.97.rc8.fc12.i586 #1 SMP Wed Jun 3
>                               09:55:34 EDT 2009 i686 i686
> Alert Count                   8
> First Seen                    Mon 08 Jun 2009 12:27:54 PM CDT
> Last Seen                     Mon 08 Jun 2009 12:28:08 PM CDT
> Local ID                      0e0d62f4-09db-4ddf-987c-8210c45b9e70
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc: denied { execmem } for pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
>
> node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Thanks,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Are you using flashplugin? Not sure which app is causing the execmem.
Do you have nspluginwrapper installed?

From olivares14031 at yahoo.com Mon Jun 8 21:21:28 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 8 Jun 2009 14:21:28 -0700 (PDT)
Subject: firefox on rawhide and selinux
Message-ID: <573506.84995.qm@web52602.mail.re2.yahoo.com>

--- On Mon, 6/8/09, Daniel J Walsh wrote:

> From: Daniel J Walsh
> Subject: Re: firefox on rawhide and selinux
> To: "Antonio Olivares"
> Cc: fedora-selinux-list at redhat.com
> Date: Monday, June 8, 2009, 2:17 PM
> On 06/08/2009 04:21 PM, Antonio Olivares wrote:
> >
> >
> > Summary:
> >
> > SELinux is preventing firefox from changing a writable memory segment
> > executable.
> >
> > Detailed Description:
> >
> > The firefox application attempted to change the access protection of memory
> > (e.g., allocated using malloc). This is a potential security problem.
> > Applications should not be doing this. Applications are sometimes coded
> > incorrectly and request this permission. The SELinux Memory Protection Tests
> > (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> > remove this requirement. If firefox does not work and you need it to work, you
> > can configure SELinux temporarily to allow this access until the application is
> > fixed. Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> >
> > Allowing Access:
> >
> > If you trust firefox to run correctly, you can change the context of the
> > executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> > '/usr/lib/firefox-3.5b4/firefox'". You must also change the default file context
> > files on the system in order to preserve them even on a full relabel.
> > "semanage
> > fcontext -a -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'"
> >
> > Fix Command:
> >
> > chcon -t unconfined_execmem_exec_t '/usr/lib/firefox-3.5b4/firefox'
> >
> > Additional Information:
> >
> > Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
> >                               SystemHigh
> > Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
> >                               SystemHigh
> > Target Objects                None [ process ]
> > Source                        firefox
> > Source Path                   /usr/lib/firefox-3.5b4/firefox
> > Port
> > Host                          localhost.localdomain
> > Source RPM Packages           firefox-3.5-0.21.beta4.fc12
> > Target RPM Packages
> > Policy RPM                    selinux-policy-3.6.13-2.fc12
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   allow_execmem
> > Host Name                     localhost.localdomain
> > Platform                      Linux localhost.localdomain
> >                               2.6.30-0.97.rc8.fc12.i586 #1 SMP Wed Jun 3
> >                               09:55:34 EDT 2009 i686 i686
> > Alert Count                   8
> > First Seen                    Mon 08 Jun 2009 12:27:54 PM CDT
> > Last Seen                     Mon 08 Jun 2009 12:28:08 PM CDT
> > Local ID                      0e0d62f4-09db-4ddf-987c-8210c45b9e70
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > node=localhost.localdomain type=AVC msg=audit(1244482088.874:27316): avc: denied { execmem } for pid=2566 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
> >
> > node=localhost.localdomain type=SYSCALL msg=audit(1244482088.874:27316): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=2000 a2=7 a3=22 items=0 ppid=2554 pid=2566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5b4/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> >
> >
> >
> >
> > Thanks,
> >
> > Antonio
> >
> >
> >
> >
> > --
> > fedora-selinux-list
> > mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Are you using flashplugin? Not sure which app is causing the execmem.
> Do you have nspluginwrapper installed?
>

Both flashplugin and nspluginwrapper are installed :(

Updated rawhide as of yesterday's 20080607 report; I can't get today's updates, will apply them tomorrow when more mirrors are updated.

Thanks,

Antonio

From chepkov at yahoo.com Tue Jun 9 18:35:41 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Tue, 9 Jun 2009 11:35:41 -0700 (PDT)
Subject: Fedora11 and Setroubleshoot-server
Message-ID: <391706.79278.qm@web36801.mail.mud.yahoo.com>

It seems /etc/rc.d/init.d/setroubleshoot was removed in setroubleshoot-server in Fedora 11. What was the rationale behind it? Is there another tool to monitor SELinux events on servers without console now? Thanks.

Sincerely yours,
Vadym Chepkov

From dpquigl at tycho.nsa.gov Tue Jun 9 18:42:47 2009
From: dpquigl at tycho.nsa.gov (David P. Quigley)
Date: Tue, 09 Jun 2009 14:42:47 -0400
Subject: Fedora11 and Setroubleshoot-server
In-Reply-To: <391706.79278.qm@web36801.mail.mud.yahoo.com>
References: <391706.79278.qm@web36801.mail.mud.yahoo.com>
Message-ID: <1244572967.2909.1.camel@moss-terrapins.epoch.ncsc.mil>

I could be wrong so don't hold me to this, but I remember hearing that they moved this service into being started as needed by another component. I believe this was done to help with boot times. If I remember correctly setroubleshoot should start up when it receives the first AVC denial.

On Tue, 2009-06-09 at 11:35 -0700, Vadym Chepkov wrote:
> It seems /etc/rc.d/init.d/setroubleshoot was removed in setroubleshoot-server in Fedora 11. What was the rationale behind it? Is there another tool to monitor SELinux events on servers without console now? Thanks.
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From chepkov at yahoo.com Tue Jun 9 19:43:27 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Tue, 9 Jun 2009 12:43:27 -0700 (PDT)
Subject: Fedora11 and Setroubleshoot-server
Message-ID: <399009.95158.qm@web36805.mail.mud.yahoo.com>

I would be glad to know what it is that is supposed to start "faster" now. Is Fedora becoming strictly a desktop solution, and do I need to start looking for something else for a server? I am just curious.

Sincerely yours,
Vadym Chepkov

--- On Tue, 6/9/09, David P. Quigley wrote:

> From: David P. Quigley
> Subject: Re: Fedora11 and Setroubleshoot-server
> To: "Vadym Chepkov"
> Cc: "Fedora SELinux"
> Date: Tuesday, June 9, 2009, 2:42 PM
> I could be wrong so don't hold me to this but I remember hearing that
> they moved this service into being started as needed by another
> component. I believe this was done to help with boot times. If I
> remember correctly setroubleshoot should start up when it receives the
> first AVC denial.

From maximilianbianco at gmail.com Tue Jun 9 21:24:01 2009
From: maximilianbianco at gmail.com (max)
Date: Tue, 9 Jun 2009 17:24:01 -0400
Subject: SELinux Instructions
In-Reply-To: <23904686.post@talk.nabble.com>
References: <23904686.post@talk.nabble.com>
Message-ID: <20090609212401.GA10285@vertex.ga.at.cox.net>

On Sat, Jun 06, 2009 at 12:03:35PM -0700, Peter Joseph wrote:
>
> For the past several weeks I have been trying to learn SELinux, and as so
> many before me, I find it extremely frustrating, ready to give up. Can
> someone tell me where to start? It looks to me that all of the stuff
> written about SELinux was written by Microsoft people in order to keep
> people from using Linux.
> Take for example the 'cat' command relating to
> /etc/pam.d/gdm - what in the world am I to get from this:
> #%PAM-1.0
> auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
> auth required pam_succeed_if.so user != root quiet
> auth required pam_env.so
> auth substack system-auth
> auth optional pam_gnome_keyring.so
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> session required pam_selinux.so close
> session required pam_loginuid.so
> session optional pam_console.so
> session required pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_namespace.so
> session optional pam_gnome_keyring.so auto_start
> session include system-auth
> Where can I find information explaining the above? Is there a place where
> one could find some sort of a basic template file? A file showing the
> minimum initial settings that could be built upon?
> It seems to me that inclusion of SELinux in Fedora is counterproductive.
> Instead of providing users with a firewall they could manage after
> negotiating a reasonable learning curve, the users are presented with this
> monstrous security system understood only by full-blown programmers. Is
> there a way of learning SELinux without the computer science degree
> prerequisite?
>

I do not have a computer science degree. Here it is as I understand it. I oversimplify where I can; it's a big subject that requires knowing the internals of the kernel if you really want to get down to the nitty gritty. All I can say is I am wrestling the bear, but do you really expect me to kick the crap out of an animal that outweighs me ten times over by myself? So it is nice to know that I am not the only one getting his ass kicked. Perhaps a coalition of the novices, with truncheons, can prod the brains to spill their guts ;^) I hope this can get you headed in the right direction. I am of course happy to accept correction.
I have made it only as brief as necessity dictates. So since I don't know what you know I am going to assume less rather than more.

SELinux is all about file labels. Basically the policy defines what label is allowed to access which other label and how it is allowed to access it, i.e. read, append, write and on and on. It's a bit different from DAC (Discretionary Access Controls) but not much really; it's really just a natural extension of DAC, or a subdivision of DAC really. With regular DAC you have basically three permissions. I don't know how many SELinux has but it's a lot more than three. So in DAC you have read, write, and execute bits. When you pull a directory listing you are shown the permissions that the owner, the group, and everyone_else has, plus a label (from left to right).

[m at vertex ~]$ ls -Z
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 Desktop
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 Documents
drwxr-x--- m m unconfined_u:object_r:user_home_t:s0 Download
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 git
drwxrwxr-x m m unconfined_u:object_r:user_home_t:s0 mail
drwxrwxr-x m m unconfined_u:object_r:user_home_t:s0 Meshes
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 modules
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 Music
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 Pictures
drwxrwxr-x m m unconfined_u:object_r:user_home_t:s0 Scripts
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 selinux
drwxrwxr-x root root unconfined_u:object_r:user_home_t:s0 selinuxpp
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 Videos
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 Warped Contrails

Ok, so it shows they are all directories, then the permissions of the respective owner, group, everyone_else. Then user and group, and then SELinux info followed by the file name. DAC bits do not allow the granularity that SELinux labels do, but it comes at the cost of complexity.
Since the Linux kernel is both powerful and complex, and any GNU/Linux distro is a melding of often disparate pieces, it, the SELinux policy, can become complex indeed. The complexity is born of necessity.

[m at vertex ~]$ chmod 700 *
chmod: changing permissions of `selinuxpp': Operation not permitted
[m at vertex ~]$ ls -Z
drwx------ m m unconfined_u:object_r:user_home_t:s0 Desktop
drwx------ m m unconfined_u:object_r:user_home_t:s0 Documents
drwx------ m m unconfined_u:object_r:user_home_t:s0 Download
drwx------ m m unconfined_u:object_r:user_home_t:s0 git
drwx------ m m unconfined_u:object_r:user_home_t:s0 mail
drwx------ m m unconfined_u:object_r:user_home_t:s0 Meshes
drwx------ m m unconfined_u:object_r:user_home_t:s0 modules
drwx------ m m unconfined_u:object_r:user_home_t:s0 Music
drwx------ m m unconfined_u:object_r:user_home_t:s0 Pictures
drwx------ m m unconfined_u:object_r:user_home_t:s0 Scripts
drwx------ m m unconfined_u:object_r:user_home_t:s0 selinux
drwxrwxr-x root root unconfined_u:object_r:user_home_t:s0 selinuxpp
drwx------ m m unconfined_u:object_r:user_home_t:s0 Videos
drwx------ m m unconfined_u:object_r:user_home_t:s0 Warped Contrails

I am not root and not in root's group and/or I do not have the write permission, so I cannot change the properties of the directory selinuxpp; that is simple DAC. However I have the read and execute bits so I can read all the files contained in it.

[m at vertex ~]$ cd selinuxpp
[m at vertex selinuxpp]$ pwd
/home/m/selinuxpp
[m at vertex selinuxpp]$ ls -Z
-rw-rw-r-- root root unconfined_u:object_r:user_home_t:s0 nbs.fc
-rw-rw-r-- root root unconfined_u:object_r:user_home_t:s0 nbs.if
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 nbs.pp
-rwxr-x--- root root unconfined_u:object_r:user_home_t:s0 nbs.sh
-rw-rw-r-- root root unconfined_u:object_r:user_home_t:s0 nbs.te
drwxr-xr-x root root unconfined_u:object_r:user_home_t:s0 tmp

I can get the attributes of the files as above and read them as below.
[m at vertex selinuxpp]$ cat nbs.te
policy_module(nbs,1.0.0)

########################################
#
# Declarations
#

type nbs_t;
type nbs_exec_t;
application_domain(nbs_t, nbs_exec_t)
role system_r types nbs_t;

The policy was produced with the guitools and I never tested it, so that is enough of that; maybe on some other day. It is enough that I can read a file I do not own. Now the fun begins.

[m at vertex ~]$ ls -Z
drwx------ m m unconfined_u:object_r:user_home_t:s0 Desktop
drwx------ m m unconfined_u:object_r:user_home_t:s0 Documents
drwx------ m m unconfined_u:object_r:user_home_t:s0 Download
drwx------ m m unconfined_u:object_r:user_home_t:s0 git
drwx------ m m unconfined_u:object_r:user_home_t:s0 mail
drwx------ m m unconfined_u:object_r:user_home_t:s0 Meshes
drwx------ m m unconfined_u:object_r:user_home_t:s0 modules
drwx------ m m unconfined_u:object_r:user_home_t:s0 Music
drwx------ m m unconfined_u:object_r:user_home_t:s0 Pictures
drwx------ m m unconfined_u:object_r:user_home_t:s0 Scripts
drwx------ m m unconfined_u:object_r:user_home_t:s0 selinux
drwxrwxr-x root root unconfined_u:object_r:user_home_t:s0 selinuxpp
drwx------ m m unconfined_u:object_r:user_home_t:s0 Videos
drwx------ m m unconfined_u:object_r:user_home_t:s0 Warped Contrails

Take note that I can copy the directory.

[m at vertex ~]$ cp selinuxpp selinuxpp_z
cp: omitting directory `selinuxpp'

Duh!! Which way did he go, George?
[m at vertex ~]$ cp -r selinuxpp selinuxpp_z
`selinuxpp' -> `selinuxpp_z'
`selinuxpp/nbs.sh' -> `selinuxpp_z/nbs.sh'
cp: cannot open `selinuxpp/nbs.sh' for reading: Permission denied
`selinuxpp/tmp' -> `selinuxpp_z/tmp'
`selinuxpp/tmp/all_interfaces.conf' -> `selinuxpp_z/tmp/all_interfaces.conf'
`selinuxpp/tmp/nbs.tmp' -> `selinuxpp_z/tmp/nbs.tmp'
`selinuxpp/tmp/iferror.m4' -> `selinuxpp_z/tmp/iferror.m4'
`selinuxpp/nbs.pp' -> `selinuxpp_z/nbs.pp'
`selinuxpp/nbs.fc' -> `selinuxpp_z/nbs.fc'
`selinuxpp/nbs.if' -> `selinuxpp_z/nbs.if'
`selinuxpp/nbs.te' -> `selinuxpp_z/nbs.te'
[m at vertex ~]$ ls -Z
drwx------ m m unconfined_u:object_r:user_home_t:s0 Desktop
drwx------ m m unconfined_u:object_r:user_home_t:s0 Documents
drwx------ m m unconfined_u:object_r:user_home_t:s0 Download
drwx------ m m unconfined_u:object_r:user_home_t:s0 git
drwx------ m m unconfined_u:object_r:user_home_t:s0 mail
drwx------ m m unconfined_u:object_r:user_home_t:s0 Meshes
drwx------ m m unconfined_u:object_r:user_home_t:s0 modules
drwx------ m m unconfined_u:object_r:user_home_t:s0 Music
drwx------ m m unconfined_u:object_r:user_home_t:s0 Pictures
drwx------ m m unconfined_u:object_r:user_home_t:s0 Scripts
drwx------ m m unconfined_u:object_r:user_home_t:s0 selinux
drwxrwxr-x root root unconfined_u:object_r:user_home_t:s0 selinuxpp
drwxrwxr-x m m unconfined_u:object_r:user_home_t:s0 selinuxpp_z
drwx------ m m unconfined_u:object_r:user_home_t:s0 Videos
drwx------ m m unconfined_u:object_r:user_home_t:s0 Warped Contrails
[m at vertex ~]$ ls -Z selinuxpp_z
-rw-rw-r-- m m unconfined_u:object_r:user_home_t:s0 nbs.fc
-rw-rw-r-- m m unconfined_u:object_r:user_home_t:s0 nbs.if
-rw-r--r-- m m unconfined_u:object_r:user_home_t:s0 nbs.pp
-rw-rw-r-- m m unconfined_u:object_r:user_home_t:s0 nbs.te
drwxr-xr-x m m unconfined_u:object_r:user_home_t:s0 tmp
[m at vertex ~]$ pwd
/home/m
[m at vertex ~]$ diff selinuxpp selinuxpp_z
Only in selinuxpp: nbs.sh
Common subdirectories: selinuxpp/tmp and selinuxpp_z/tmp

Ok, well I did not get everything, but even a partial copy could contain sensitive data. Here it hardly matters, much, unless I have a poorly written policy, but depending on what gets compromised they may get all they need, because the type of one file has access to the other as defined in my policy.

NBS stands for never before seen anomaly detector. It does not run as a daemon, but for the sake of not going back to find another example let us pretend it does. It parses a log file and puts each entry into a database, keeping track of how many times it has seen a particular entry, so it's easy to see never before seen stuff which might be of interest, or maybe to find recurring patterns. Now I need to take care that my policy allows it to read log files but does not allow it to modify them in any way, or a flaw in NBS could lead to someone being able to modify the logs. Bottom line is we only want authorized files/persons reading log files; in all reality no one should be able to modify a log file.

Well, with SELinux this is easy (relatively) but with DAC much more difficult. If I can read the file then I can copy it; if I can write the file then I can erase or otherwise modify it. If this was a database of customer info then you can see what damage might be done by the unscrupulous.

SELinux provides the mechanism for regulation of the system and its processes, to ensure that a program or process is only doing what it should be doing: if I exploit a flaw in apache then I can only affect the things that apache would normally need to run anyway. Caveat emptor, as they say: if what I am after is normally accessible by apache or whatever daemon I exploit, then SELinux won't save me. SELinux is not a drop-in replacement for all your security needs or considerations. Having said that, it's been called the last line of defense, but that only applies if the attack is from the outside; more often than not these days it's a trojaned host that gets you.
Each file has a user associated with it, and then the permissions that user has are actually defined in policy. SELinux is default deny. It is very important that this be understood, simple as it sounds. There are no deny rules because the whole system is one big deny rule. You have to allow what you need, and if you don't then it's denied. Well, yeah, not so easy a task when it has to be done for everything; consider all the different pieces of the typical distribution and all the calls they make, files they write, sockets opened, and on and on.

So in DAC the permissions are defined as read, write, execute, assigned to the user, group, everyone_else. The key is to see the permissions inherent in each of the "three": read, write, execute. Write is for instance a very broad permission. You could potentially erase the file completely if you're not careful, but append is much more granular, so a service like apache can be allowed to append to its log file but never modify its previous contents.

Note the SELinux label defines a user_u, a role_r, a type_t, and an MLS (Multi-Level Security) field. Policy defines what other domains the unconfined_u is allowed to access; the object_r is a generic thing that you will see on almost every file; the type should be something intuitive. How is that determined? Well, now we cross into the realm of the kernel. The SELinux policy is basically a mirror of the processes that could be going on in the kernel at any given moment. That is a big statement but I trust you'll take it with a grain of salt. If system security was a solved problem we'd be talking about something else.

So each type is defined in policy, and which other types it can access are explicitly defined in policy. Also which permissions for each other type to which access is allowed must be stated. The user_u is allowed access to certain domains, whose type is allowed access to domains x, y, z.
So the _u, _r, _t are just conventions so we can distinguish them, but basically to the kernel it's all labels. The policy language is confusing at first, but if you can start to see the permissions within the permissions then it's useful indeed. The conventions are just there for you and me.

Well, it's running long already; now what am I forgetting?

http://www.nsa.gov/research/_files/selinux/papers/module-abs.shtml
http://www.nsa.gov/research/selinux/docs.shtml
http://docs.fedoraproject.org/selinux-user-guide/
http://danwalsh.livejournal.com/
http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/
http://searchenterpriselinux.techtarget.com/news/article/0,289142,sid39_gci1323731,00.html

From tibbs at math.uh.edu Wed Jun 10 01:23:22 2009
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Tue, 09 Jun 2009 20:23:22 -0500
Subject: Policy for zoneminder
Message-ID:

Zoneminder (http://www.zoneminder.com) is a really nice web-based surveillance application that's been packaged for Fedora. It runs as a combination of daemons (written in perl) and a php-based web interface, and it should come as no surprise that it has issues with selinux.

The zoneminder documentation includes some information on policy at http://www.zoneminder.com/wiki/index.php/Main_Documentation#Configuring_SELinux_Policy, including a policy module which I'll include at the end of this message. I haven't tested it yet; I'm currently more concerned about whether there's any path to getting some kind of reasonable support for zoneminder into the base policy. I don't really know enough to say what form that it should take; if the suggested policy module is really sufficient, a simple boolean that allows httpd to access a few extra things might be good. However, the daemons which currently seem to run as initrc_t also need to be confined, and then things rapidly become complex beyond my limited understanding of selinux.
Here's the suggested policy:

module local_zoneminder 1.0;

require {
	type httpd_t;
	type initrc_var_run_t;
	type initrc_t;
	type v4l_device_t;
	type file_t;
	class unix_stream_socket { read connectto };
	class file { read lock };
	class shm { unix_read unix_write associate read write getattr };
	class chr_file getattr;
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
allow httpd_t initrc_var_run_t:file { read lock };
allow httpd_t v4l_device_t:chr_file getattr;

 - J<

From domg472 at gmail.com Wed Jun 10 08:27:54 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Wed, 10 Jun 2009 10:27:54 +0200
Subject: Policy for zoneminder
In-Reply-To:
References:
Message-ID: <1244622474.25333.8.camel@notebook2.grift.internal>

Hello,

Are you testing this on Fedora? If so, I can help you create proper policy for both daemon and webapp. All I need is a "rpm -ql" and someone that can test my policy and send feedback.

I recently also wrote policy for a motion detection software called motion which is available on rpmfusion. That policy is not perfected because it needs testing in not so standard scenarios, but a basic configuration works just fine.

http://82.197.205.60/~dgrift/stuff/modules/motion.te
http://82.197.205.60/~dgrift/stuff/modules/motion.if
http://82.197.205.60/~dgrift/stuff/modules/motion.fc

On Tue, 2009-06-09 at 20:23 -0500, Jason L Tibbitts III wrote:
> Zoneminder (http://www.zoneminder.com) is a really nice web-based
> surveillance application that's been packaged for Fedora. It runs as
> a combination of daemons (written in perl) and a php-based web
> interface and it should come as no surprise that it has issues with
> selinux.
>
> The zoneminder documentation includes some information on policy at
> http://www.zoneminder.com/wiki/index.php/Main_Documentation#Configuring_SELinux_Policy,
> including a policy module which I'll include at the end of this
> message. I haven't tested it yet; I'm currently more concerned about
> whether there's any path to getting some kind of reasonable support
> for zoneminder into the base policy. I don't really know enough to
> say what form that it should take; if the suggested policy module is
> really sufficient, a simple boolean that allows httpd to access a few
> extra things might be good. However, the daemons which currently seem
> to run as initrc_t also need to be confined, then things rapidly
> become complex beyond my limited understanding of selinux.
>
> Here's the suggested policy:
>
> module local_zoneminder 1.0;
>
> require {
> 	type httpd_t;
> 	type initrc_var_run_t;
> 	type initrc_t;
> 	type v4l_device_t;
> 	type file_t;
> 	class unix_stream_socket { read connectto };
> 	class file { read lock };
> 	class shm { unix_read unix_write associate read write getattr };
> 	class chr_file getattr;
> }
>
> #============= httpd_t ==============
> allow httpd_t initrc_t:unix_stream_socket connectto;
> allow httpd_t initrc_t:shm { unix_read unix_write associate read write getattr };
> allow httpd_t initrc_var_run_t:file { read lock };
> allow httpd_t v4l_device_t:chr_file getattr;
>
>
>  - J<
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From dwalsh at redhat.com Wed Jun 10 11:56:55 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 10 Jun 2009 07:56:55 -0400
Subject: Fedora11 and Setroubleshoot-server
In-Reply-To: <399009.95158.qm@web36805.mail.mud.yahoo.com>
References: <399009.95158.qm@web36805.mail.mud.yahoo.com>
Message-ID: <4A2F9F87.5070801@redhat.com>

On 06/09/2009 03:43 PM, Vadym Chepkov wrote:
>
> I would be glad to know what that is I suppose to start
> "faster" now. Is Fedora becoming strictly a desktop solution and I need to start looking for something else for a server? I am just curious.
>
> Sincerely yours,
> Vadym Chepkov
>
>
> --- On Tue, 6/9/09, David P. Quigley wrote:
>
>> From: David P. Quigley
>> Subject: Re: Fedora11 and Setroubleshoot-server
>> To: "Vadym Chepkov"
>> Cc: "Fedora SELinux"
>> Date: Tuesday, June 9, 2009, 2:42 PM
>> I could be wrong so don't hold me to this but I remember hearing that
>> they moved this service into being started as needed by another
>> component. I believe this was done to help with boot times. If I
>> remember correctly setroubleshoot should start up when it receives the
>> first AVC denial.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Instead of having two huge python programs running all of the time doing nothing, we have reimplemented setroubleshoot as a dbus application. Now you have two small C apps: sedispatch, which listens to auditdispatch for avc messages, and seapplet, which runs on the desktop to listen for dbus messages from setroubleshootd to put up the star. setroubleshoot is now a dbus service.

Audit listens for all messages, which it hands to audispd, which hands the messages to sedispatch, which you should see running on your system. When sedispatch sees an AVC it sends a dbus message to setroubleshootd. Dbus will start setroubleshootd if it is not running. When setroubleshootd sees the message it analyzes it and sends a dbus signal to all seapplets; the seapplet will put up the Star. If the user clicks on the star, seapplet will start sealert. sealert now exits on closing of the browser, and setroubleshootd will shut down after 10 seconds of no AVC messages once the sealert browser is shut down. The sealert browser also sends a dbus message to wake up setroubleshoot since it needs it to handle reading the AVC messages.
This change was made to make boot faster and use less memory, and is part of a big redesign of setroubleshoot. A redesigned GUI should be released to Rawhide soon.

From chepkov at yahoo.com Wed Jun 10 12:19:32 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Wed, 10 Jun 2009 05:19:32 -0700 (PDT)
Subject: Fedora11 and Setroubleshoot-server
Message-ID: <978316.46330.qm@web36808.mail.mud.yahoo.com>

But as I already explained, the setroubleshoot-server package was intended for the server environment - no GUI, no stars, no clicking .... I understand I have to run the messagebus service now, which wasn't needed before in a server environment.

Thank you.
Vadym

From chepkov at yahoo.com Wed Jun 10 16:05:15 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Wed, 10 Jun 2009 09:05:15 -0700 (PDT)
Subject: audit and /etc/profile.d in Fedora 11
Message-ID: <968141.57166.qm@web36806.mail.mud.yahoo.com>

Hi,

I am not really sure it is SELinux related, but for the lack of a better audience I thought I would share my observation of a newly installed Fedora 11. During system startup some audit related process is trying to execute all scripts in /etc/profile.d/, and since I always have a separate /usr file system it fails miserably trying to do so, since /usr is not mounted yet. I am pretty sure it doesn't affect functionality and can be ignored in my case, but still, I would expect only a login shell to execute those scripts.
It happens right after the 'audit policy loaded' line and before 'Welcome to Fedora'.

Sincerely yours,
Vadym Chepkov

From tibbs at math.uh.edu Wed Jun 10 19:10:02 2009
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Wed, 10 Jun 2009 14:10:02 -0500
Subject: Policy for zoneminder
In-Reply-To: <1244622474.25333.8.camel@notebook2.grift.internal> (Dominick Grift's message of "Wed\, 10 Jun 2009 10\:27\:54 +0200")
References: <1244622474.25333.8.camel@notebook2.grift.internal>
Message-ID:

>>>>> "DG" == Dominick Grift writes:

DG> Are you testing this on Fedora?
I comaintain it in Fedora. My current zoneminder server runs F11.

DG> All i need is a "rpm -ql" and someone that can test my policy and
DG> send feedback.

I don't fully understand the interaction between the daemon portion and the webapp portion (which as I understand it cannot be in a separate domain from httpd) but I'm not really sure it's as simple as looking at the file list. Still, 'repoquery -l zoneminder' will show you that.

- J<

From domg472 at gmail.com Wed Jun 10 20:28:45 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Wed, 10 Jun 2009 22:28:45 +0200
Subject: Policy for zoneminder
In-Reply-To:
References: <1244622474.25333.8.camel@notebook2.grift.internal>
Message-ID: <1244665725.25333.66.camel@notebook2.grift.internal>

On Wed, 2009-06-10 at 14:10 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dominick Grift writes:
>
> DG> Are you testing this on Fedora?
>
> I comaintain it in Fedora. My current zoneminder server runs F11.
>
> DG> All i need is a "rpm -ql" and someone that can test my policy and
> DG> send feedback.
>
> I don't fully understand the interaction between the daemon portion
> and the webapp portion (which as I understand it cannot be in a
> separate domain from httpd) but I'm not really sure it's as simple as
> looking at the file list. Still, 'repoquery -l zoneminder' will show
> you that.
>
> - J<

Yes, as far as the webapp is concerned it will have to run as httpd_t if it's PHP. However the daemons can be confined.

I downloaded the package and found it has a lot of executable files. I was looking into the zoneminder init script and noticed a few of those executables are run by initrc_t (zmu, zmpkg, zmupdate).

I have created some declarations for those executables and made their domains permissive. I also defined file contexts for the executable files, pid, log and config file.
The source policy is here:

http://82.197.205.60/~dgrift/stuff/modules/zoneminder.te
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.if
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.fc
http://82.197.205.60/~dgrift/stuff/modules/zoneminder.pp

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i zoneminder.pp
sudo restorecon -v -R /etc/rc.d/init.d/zoneminder /etc/zoneminder /var/log/zoneminder /usr/bin/zmpkg /usr/bin/zmu /usr/bin/zmupdate
(restore each location in zoneminder.fc)

Then run it, test the app, and collect all the AVC denials. Please send those AVC denials to me so that i can extend and perfect the policy.

Please mind that the webapp will not work yet and probably many other things with that. I have only made some declarations that i thought should be made to get started. (no policy yet)

Thanks

From domg472 at gmail.com Wed Jun 10 21:53:05 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Wed, 10 Jun 2009 23:53:05 +0200
Subject: audit and /etc/profile.d in Fedora 11
In-Reply-To: <968141.57166.qm@web36806.mail.mud.yahoo.com>
References: <968141.57166.qm@web36806.mail.mud.yahoo.com>
Message-ID: <1244670785.25333.70.camel@notebook2.grift.internal>

On Wed, 2009-06-10 at 09:05 -0700, Vadym Chepkov wrote:
> Hi,
>
> I am not really sure it is SELinux related, but for the lack of a better audience I thought I would share my observation of a newly installed Fedora 11. During system startup some audit related process is trying to execute all scripts in /etc/profile.d/ and since I always have a separate /usr file system it fails miserably trying to do so, since /usr is not mounted yet. I am pretty sure it doesn't affect functionality and can be ignored in my case, but still, I would expect only a login shell to execute those scripts.
> It happens right after the 'audit policy loaded' line and before 'Welcome to Fedora'.
This should probably be directed to bugzilla.redhat.com in the auditd component or the audit maillist:
http://www.redhat.com/mailman/listinfo/linux-audit

> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From nico at altiva.fr Sun Jun 14 01:19:57 2009
From: nico at altiva.fr (NMONNET)
Date: Sun, 14 Jun 2009 01:19:57 +0000 (UTC)
Subject: SELinux/dbus issues since upgrading to F11 (from F10)
Message-ID:

I get shitloads of AVC from dbus since I upgraded; and in fact, I can't even log in in enforcing mode anymore. I tried relabelling, same difference.

Example:

type=AVC msg=audit(1244936277.370:81): avc: denied { search } for pid=2394 comm="dbus-daemon" name="3998" dev=proc ino=337975 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=dir
type=AVC msg=audit(1244936277.370:81): avc: denied { read } for pid=2394 comm="dbus-daemon" name="cmdline" dev=proc ino=337976 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=file
type=SYSCALL msg=audit(1244936277.370:81): arch=c000003e syscall=2 success=yes exit=66 a0=7f02cc625660 a1=0 a2=7f02cc625672 a3=0 items=0 ppid=1 pid=2394 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1244936292.198:82): avc: denied { search } for pid=2394 comm="dbus-daemon" name="3972" dev=proc ino=338174 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_mono_t:s0 tclass=dir
type=SYSCALL msg=audit(1244936292.198:82): arch=c000003e syscall=2 success=yes exit=67 a0=7f02cc639d70 a1=0 a2=7f02cc639d82 a3=0 items=0 ppid=1 pid=2394 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

Your help much appreciated!

From chepkov at yahoo.com Sun Jun 14 18:50:40 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Sun, 14 Jun 2009 11:50:40 -0700 (PDT)
Subject: semodule
Message-ID: <345963.83669.qm@web36808.mail.mud.yahoo.com>

authconfig --updateall fixed the issue. I think this step should be added to the YumUpgradeFaq wiki page.

Sincerely yours,
Vadym Chepkov

From sradvan at redhat.com Mon Jun 15 03:47:08 2009
From: sradvan at redhat.com (Scott Radvan)
Date: Mon, 15 Jun 2009 13:47:08 +1000
Subject: squid denial on F11 for var_run_t
Message-ID: <20090615134708.782d51fe@redhat.com>

Hi list,

As many of you know I am working on a Managing Confined Services guide for Fedora.

Having set up a simple squid environment on Fedora 11, with minimal and default settings in squid.conf (http_port 3128 as allowed by semanage, and a default cache_dir), I was able to create the cache directory structure, but I got a denial when actually starting squid for the first time (I assume this happens as it attempts to create its pid in /var/run):

--
SELinux is preventing squid (squid_t) "read" var_run_t.
node=localhost.localdomain type=AVC msg=audit(1244690560.923:31): avc: denied { read } for pid=2413 comm="squid" name="squid.pid" dev=dm-0 ino=364 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1244690560.923:31): arch=40000003 syscall=5 success=no exit=-13 a0=b7ec8340 a1=8000 a2=1b6 a3=0 items=0 ppid=2404 pid=2413 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=pts0 ses=1 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
--

I followed the FAQ as was linked in the denial text: http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385

Using audit2allow, which gave me a type enforcement file, the contents of which are:

--
module local 1.0;

require {
	type var_run_t;
	type squid_t;
	class file read;
}

#============= squid_t ==============
allow squid_t var_run_t:file read;
--

and after creating and injecting a module from this as described in that FAQ entry, I am now able to start squid and get it working fine.

Should this be filed as a bug? Is there a better way to fix it? I figured it was worth mentioning as this happened out-of-the-box on F11 with default settings. I am happy to provide any further details or output should you require it.
selinux 3.6.12-39.fc11
linux 2.6.29.4-167.fc11
squid 3.0.STABLE13-1.fc11

Thanks,

--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane)
http://www.apac.redhat.com

From paul at city-fan.org Mon Jun 15 06:19:39 2009
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 15 Jun 2009 07:19:39 +0100
Subject: squid denial on F11 for var_run_t
In-Reply-To: <20090615134708.782d51fe@redhat.com>
References: <20090615134708.782d51fe@redhat.com>
Message-ID: <20090615071939.0526df9f@metropolis.intra.city-fan.org>

On Mon, 15 Jun 2009 13:47:08 +1000
Scott Radvan wrote:

> Hi list,
>
> As many of you know I am working on a Managing Confined Services guide
> for Fedora.
>
> Having set up a simple squid environment on Fedora 11, with minimal
> and default settings in squid.conf (http_port 3128 as allowed by
> semanage, and a default cache_dir), I was able to create the cache
> directory structure, but I got a denial when actually starting squid
> for the first time (I assume this happens as it attempts to create
> its pid in /var/run):

What's happening here is a denial for *reading* /var/run/squid.pid, which is of type var_run_t. Now in Fedora 11 this file should be labelled squid_var_run_t, and that's what it is labelled on two Fedora 11 boxes freshly installed here. It seems there's a labelling problem on your system. Can you post the output of "ls -lZa /var/run"? Is your system a fresh install or an upgrade?

Paul.
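Dominick's "collect all the AVC denials" step for the zoneminder policy, Scott's audit2allow output and Paul's diagnosis are all the same triage loop: parse the raw AVC records, collapse them into allow rules, but first check whether the target object is merely mislabelled. The script below is an added example written for this thread, not code from the list or from audit2allow; the GENERIC_TYPES set is my own assumption about which target types usually point at a labelling problem rather than a policy gap.

```python
"""AVC denial triage: parse raw audit records, collapse the denials into
audit2allow-style allow rules, and flag denials whose target carries a
generic base type (a hint that the object is mislabelled rather than that
policy is missing). Added example, not part of the thread or of audit2allow."""
import re
from collections import defaultdict

# Constructed sample: the squid and dbus-daemon AVC records quoted in the
# thread, plus one SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
node=localhost.localdomain type=AVC msg=audit(1244690560.923:31): avc: denied { read } for pid=2413 comm="squid" name="squid.pid" dev=dm-0 ino=364 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1244690560.923:31): arch=40000003 syscall=5 success=no exit=-13 comm="squid" exe="/usr/sbin/squid"
type=AVC msg=audit(1244936277.370:81): avc: denied { search } for pid=2394 comm="dbus-daemon" name="3998" dev=proc ino=337975 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=dir
type=AVC msg=audit(1244936277.370:81): avc: denied { read } for pid=2394 comm="dbus-daemon" name="cmdline" dev=proc ino=337976 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption, not from the thread: base types a confined daemon should rarely
# touch directly. A denial against one of them usually means the object was
# created or left with the wrong label (the squid.pid case in this thread).
GENERIC_TYPES = {"var_run_t", "var_log_t", "var_t", "var_lib_t", "tmp_t",
                 "etc_t", "file_t", "default_t", "unlabeled_t"}


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "object": fields.get("name") or fields.get("path", "?"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit_log(text):
    return [d for d in map(parse_avc, text.splitlines()) if d]


def allow_rules(denials):
    """Collapse denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {{ {p} }};" if len(perms) > 1
                     else f"allow {s} {t}:{c} {p};")
    return rules


def render_module(name, denials):
    """Emit loadable-module source in the layout audit2allow produces."""
    types = sorted({d["stype"] for d in denials} | {d["ttype"] for d in denials})
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]].update(d["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    for c, perms in sorted(classes.items()):
        p = " ".join(sorted(perms))
        out.append(f"\tclass {c} {{ {p} }};" if len(perms) > 1 else f"\tclass {c} {p};")
    out += ["}", ""] + allow_rules(denials)
    return "\n".join(out) + "\n"


def suspect_mislabels(denials):
    """Denials to check with ls -lZ / restorecon before writing any policy."""
    return [f'{d["comm"]} ({d["stype"]}) denied {" ".join(d["perms"])} on '
            f'{d["object"]} labelled {d["ttype"]}: check the label first'
            for d in denials if d["ttype"] in GENERIC_TYPES]


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for warning in suspect_mislabels(found):
        print("WARNING:", warning)
    print(render_module("local", found))
```

Run against the sample, the squid denial is reported as a probable mislabel (target var_run_t) before any rule is proposed, which is exactly the "restorecon first, allow rule second" order Paul's reply argues for.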
From paul at city-fan.org Mon Jun 15 20:58:15 2009
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 15 Jun 2009 21:58:15 +0100
Subject: F-11: proftpd can't create /var/log/proftpd/controls.log
Message-ID: <20090615215815.7a4ad739@metropolis.intra.city-fan.org>

I needed to add this policy to allow proftpd to start in F-11:

# Proftpd needs to create /var/log/proftpd/controls.log
allow ftpd_t xferlog_t:dir { write add_name };

/var/log/proftpd is xferlog_t and it seems ftpd_t can't create new files in directories of that type.

Paul.

From sradvan at redhat.com Mon Jun 15 22:31:19 2009
From: sradvan at redhat.com (Scott Radvan)
Date: Tue, 16 Jun 2009 08:31:19 +1000
Subject: squid denial on F11 for var_run_t
In-Reply-To: <20090615071939.0526df9f@metropolis.intra.city-fan.org>
References: <20090615134708.782d51fe@redhat.com> <20090615071939.0526df9f@metropolis.intra.city-fan.org>
Message-ID: <20090616083119.4d071d2c@redhat.com>

On Mon, 15 Jun 2009 07:19:39 +0100
Paul Howarth wrote:

> On Mon, 15 Jun 2009 13:47:08 +1000
> Scott Radvan wrote:
>
> > I got a denial when actually starting squid for the first time (I
> > assume this happens as it attempts to create its pid in /var/run):
>
> What's happening here is a denial for *reading* /var/run/squid.pid,
> which is of type var_run_t. Now in Fedora 11 this file should be
> labelled squid_var_run_t, and that's what it is labelled on two Fedora
> 11 boxes freshly installed here. It seems there's a labelling problem
> on your system. Can you post the output of "ls -lZa /var/run"? Is your
> system a fresh install or an upgrade?
>
> Paul.

I'm pretty sure I've figured out what I was doing wrong after another re-install.

I was previously starting squid directly from /usr/sbin/squid instead of using 'service squid start'. Starting it directly from /usr/sbin/squid apparently(?) doesn't initialise squid.pid as squid_var_run_t, rather it just starts as var_run_t, which is why I got a denial.
Starting squid via 'service squid start' as I should have been doing from the start is working fine now. Thanks for your help Paul.

--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane)
http://www.apac.redhat.com

From dwalsh at redhat.com Tue Jun 16 12:29:19 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 16 Jun 2009 08:29:19 -0400
Subject: F-11: proftpd can't create /var/log/proftpd/controls.log
In-Reply-To: <20090615215815.7a4ad739@metropolis.intra.city-fan.org>
References: <20090615215815.7a4ad739@metropolis.intra.city-fan.org>
Message-ID: <4A37901F.8040007@redhat.com>

On 06/15/2009 04:58 PM, Paul Howarth wrote:
> I needed to add this policy to allow proftpd to start in F-11:
>
> # Proftpd needs to create /var/log/proftpd/controls.log
> allow ftpd_t xferlog_t:dir { write add_name };
>
> /var/log/proftpd is xferlog_t and it seems ftpd_t can't create new
> files in directories of that type.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Fixed in selinux-policy-3.6.12-53.fc11

From dwalsh at redhat.com Tue Jun 16 12:32:10 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 16 Jun 2009 08:32:10 -0400
Subject: squid denial on F11 for var_run_t
In-Reply-To: <20090616083119.4d071d2c@redhat.com>
References: <20090615134708.782d51fe@redhat.com> <20090615071939.0526df9f@metropolis.intra.city-fan.org> <20090616083119.4d071d2c@redhat.com>
Message-ID: <4A3790CA.5080608@redhat.com>

On 06/15/2009 06:31 PM, Scott Radvan wrote:
> On Mon, 15 Jun 2009 07:19:39 +0100
> Paul Howarth wrote:
>
>> On Mon, 15 Jun 2009 13:47:08 +1000
>> Scott Radvan wrote:
>>
>>> I got a denial when actually starting squid for the first time (I
>>> assume this happens as it attempts to create its pid in /var/run):
>>
>> What's happening here is a denial for *reading* /var/run/squid.pid,
>> which is of type var_run_t.
>> Now in Fedora 11 this file should be
>> labelled squid_var_run_t, and that's what it is labelled on two Fedora
>> 11 boxes freshly installed here. It seems there's a labelling problem
>> on your system. Can you post the output of "ls -lZa /var/run"? Is your
>> system a fresh install or an upgrade?
>>
>> Paul.
>
> I'm pretty sure I've figured out what I was doing wrong after another
> re-install.
>
> I was previously starting squid directly from /usr/sbin/squid instead
> of using 'service squid start'. Starting it directly
> from /usr/sbin/squid apparently(?) doesn't initialise squid.pid as
> squid_var_run_t, rather it just starts as var_run_t, which is why I got
> a denial.
>
> Starting squid via 'service squid start' as I should have been doing
> from the start is working fine now. Thanks for your help Paul.
>

Unconfined processes tend to stay unconfined. That is what users expect; telling them that they are executing an unconfined process that suddenly becomes confined seems wrong to them. That being said, you can end up with mislabeled files because of this.

So

unconfined_t -> squid_exec_t -> unconfined_t

But unconfined processes starting init scripts have a transition

unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t

So any time you are using a confined process you should use the init script to start them, otherwise you could get mislabeled files.

From dwalsh at redhat.com Tue Jun 16 12:49:55 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 16 Jun 2009 08:49:55 -0400
Subject: squid denial on F11 for var_run_t
In-Reply-To: <4A3790CA.5080608@redhat.com>
References: <20090615134708.782d51fe@redhat.com> <20090615071939.0526df9f@metropolis.intra.city-fan.org> <20090616083119.4d071d2c@redhat.com> <4A3790CA.5080608@redhat.com>
Message-ID: <4A3794F3.30702@redhat.com>

On 06/16/2009 08:32 AM, Daniel J Walsh wrote:
> Unconfined processes tend to stay unconfined.
> That is what users expect;
> telling them that they are executing an unconfined process that suddenly
> becomes confined seems wrong to them. That being said, you can end up
> with mislabeled files because of this.
>
> So
>
>
> unconfined_t -> squid_exec_t -> unconfined_t
>
> But unconfined processes starting init scripts have a transition
>
> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
>
> So any time you are using a confined process you should use the init
> script to start them, otherwise you could get mislabeled files.

I also just wrote a blog on this.

http://danwalsh.livejournal.com/29041.html

From sds at tycho.nsa.gov Tue Jun 16 12:57:02 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 16 Jun 2009 08:57:02 -0400
Subject: squid denial on F11 for var_run_t
In-Reply-To: <4A3794F3.30702@redhat.com>
References: <20090615134708.782d51fe@redhat.com> <20090615071939.0526df9f@metropolis.intra.city-fan.org> <20090616083119.4d071d2c@redhat.com> <4A3790CA.5080608@redhat.com> <4A3794F3.30702@redhat.com>
Message-ID: <1245157022.2512.50.camel@localhost.localdomain>

On Tue, 2009-06-16 at 08:49 -0400, Daniel J Walsh wrote:
> On 06/16/2009 08:32 AM, Daniel J Walsh wrote:
> > Unconfined processes tend to stay unconfined. That is what users expect;
> > telling them that they are executing an unconfined process that suddenly
> > becomes confined seems wrong to them. That being said, you can end up
> > with mislabeled files because of this.
> >
> > So
> >
> >
> > unconfined_t -> squid_exec_t -> unconfined_t
> >
> > But unconfined processes starting init scripts have a transition
> >
> > unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
> >
> > So any time you are using a confined process you should use the init
> > script to start them, otherwise you could get mislabeled files.
>
>
> I also just wrote a blog on this.
>
> http://danwalsh.livejournal.com/29041.html

Hmm...when did this change?
It used to be the case that a domain transition was also defined directly from unconfined_t to the daemon domain when running the daemon binary, precisely because users and scriptlets sometimes do that.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Tue Jun 16 13:18:35 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 16 Jun 2009 09:18:35 -0400
Subject: squid denial on F11 for var_run_t
In-Reply-To: <1245157022.2512.50.camel@localhost.localdomain>
References: <20090615134708.782d51fe@redhat.com> <20090615071939.0526df9f@metropolis.intra.city-fan.org> <20090616083119.4d071d2c@redhat.com> <4A3790CA.5080608@redhat.com> <4A3794F3.30702@redhat.com> <1245157022.2512.50.camel@localhost.localdomain>
Message-ID: <4A379BAB.2010007@redhat.com>

On 06/16/2009 08:57 AM, Stephen Smalley wrote:
> On Tue, 2009-06-16 at 08:49 -0400, Daniel J Walsh wrote:
>> On 06/16/2009 08:32 AM, Daniel J Walsh wrote:
>>> Unconfined processes tend to stay unconfined. That is what users expect;
>>> telling them that they are executing an unconfined process that suddenly
>>> becomes confined seems wrong to them. That being said, you can end up
>>> with mislabeled files because of this.
>>>
>>> So
>>>
>>>
>>> unconfined_t -> squid_exec_t -> unconfined_t
>>>
>>> But unconfined processes starting init scripts have a transition
>>>
>>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
>>>
>>> So any time you are using a confined process you should use the init
>>> script to start them, otherwise you could get mislabeled files.
>>
>>
>> I also just wrote a blog on this.
>>
>> http://danwalsh.livejournal.com/29041.html
>
> Hmm...when did this change? It used to be the case that a domain
> transition was also defined directly from unconfined_t to the daemon
> domain when running the daemon binary, precisely because users and
> scriptlets sometimes do that.
>

About FC5 time frame.
The most common error caused by this was AVC's about getattr in homedir, redirection of stdout blowing up because squid_t can not write to user_tmp_t. Etc.

From olivares14031 at yahoo.com Tue Jun 16 13:40:53 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 16 Jun 2009 06:40:53 -0700 (PDT)
Subject: selinux denying dev-kit, and others
Message-ID: <920755.83231.qm@web52603.mail.re2.yahoo.com>

Summary:

SELinux is preventing gnome-clock-app (gnomeclock_t) "read" inotifyfs_t.

Detailed Description:

SELinux denied access requested by gnome-clock-app. It is not expected that this access is required by gnome-clock-app and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:gnomeclock_t:SystemLow-SystemHigh
Target Context                system_u:object_r:inotifyfs_t:SystemLow
Target Objects                inotify [ dir ]
Source                        gnome-clock-app
Source Path                   /usr/libexec/gnome-clock-applet-mechanism
Port
Host                          localhost.localdomain
Source RPM Packages           gnome-panel-2.26.2-3.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Tue 16 Jun 2009 08:36:10 AM CDT
Last Seen                     Tue 16 Jun 2009 08:36:10 AM CDT
Local ID                      b01fae6b-cc0e-42cb-bea3-2c84383966e0
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1245159370.605:31): avc: denied { read } for pid=2250 comm="gnome-clock-app" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1245159370.605:31): arch=40000003 syscall=11 success=yes exit=0 a0=9a9fe28 a1=9a9fce8 a2=9a9f008 a3=9aa22a8 items=0 ppid=2249 pid=2250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing devkit-disks-da (devicekit_disk_t) "getattr" inotifyfs_t.

Detailed Description:

SELinux denied access requested by devkit-disks-da. It is not expected that this access is required by devkit-disks-da and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:devicekit_disk_t:SystemLow-SystemHigh
Target Context                system_u:object_r:inotifyfs_t:SystemLow
Target Objects                inotify [ dir ]
Source                        devkit-disks-da
Source Path                   /usr/libexec/devkit-disks-daemon
Port
Host                          localhost.localdomain
Source RPM Packages           DeviceKit-disks-004-3.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Tue 16 Jun 2009 08:35:52 AM CDT
Last Seen                     Tue 16 Jun 2009 08:35:52 AM CDT
Local ID                      8b03ae67-6d8b-49ea-821b-c78a2b4e715e
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1245159352.360:30): avc: denied { getattr } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1245159352.360:30): arch=40000003 syscall=197 success=yes exit=0 a0=7 a1=bfd94d00 a2=5ddff4 a3=95f8510 items=0 ppid=1 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing devkit-disks-da (devicekit_disk_t) "read" inotifyfs_t.

Detailed Description:

SELinux denied access requested by devkit-disks-da.
It is not expected that this access is required by devkit-disks-da and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:devicekit_disk_t:SystemLow-SystemHigh
Target Context                system_u:object_r:inotifyfs_t:SystemLow
Target Objects                inotify [ dir ]
Source                        devkit-disks-da
Source Path                   /usr/libexec/devkit-disks-daemon
Port
Host                          localhost.localdomain
Source RPM Packages           DeviceKit-disks-004-3.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count                   8
First Seen                    Tue 16 Jun 2009 07:21:24 AM CDT
Last Seen                     Tue 16 Jun 2009 08:35:51 AM CDT
Local ID                      0ecb0348-2ba7-401d-a917-9c0f74a7f61d
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1245159351.885:29): avc: denied { read } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1245159351.885:29): arch=40000003 syscall=11 success=yes exit=0 a0=87bbe50 a1=87be290 a2=87bb008 a3=87bbd90 items=0 ppid=2213 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing devkit-power-da (devicekit_power_t) "getattr" inotifyfs_t.

Detailed Description:

SELinux denied access requested by devkit-power-da. It is not expected that this access is required by devkit-power-da and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:devicekit_power_t:SystemLow-SystemHigh
Target Context                system_u:object_r:inotifyfs_t:SystemLow
Target Objects                inotify [ dir ]
Source                        devkit-power-da
Source Path                   /usr/libexec/devkit-power-daemon
Port
Host                          localhost.localdomain
Source RPM Packages           DeviceKit-power-008-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Tue 16 Jun 2009 08:35:45 AM CDT
Last Seen                     Tue 16 Jun 2009 08:35:45 AM CDT
Local ID                      48abf8a4-c9fb-4129-abd3-35ed578349eb
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1245159345.55:27): avc: denied { getattr } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1245159345.55:27): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfeb5e40 a2=5ddff4 a3=90cc030 items=0 ppid=1 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing devkit-daemon (devicekit_t) "read" inotifyfs_t.

Detailed Description:

SELinux denied access requested by devkit-daemon. It is not expected that this access is required by devkit-daemon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:devicekit_t:SystemLow-SystemHigh
Target Context                system_u:object_r:inotifyfs_t:SystemLow
Target Objects                inotify [ dir ]
Source                        devkit-daemon
Source Path                   /usr/libexec/devkit-daemon
Port
Host                          localhost.localdomain
Source RPM Packages           DeviceKit-003-1
Target RPM Packages
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Tue 16 Jun 2009 08:35:45 AM CDT
Last Seen                     Tue 16 Jun 2009 08:35:45 AM CDT
Local ID                      a1417ce4-b120-4778-9802-f21888673601
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1245159345.63:28): avc: denied { read } for pid=2178 comm="devkit-daemon" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1245159345.63:28): arch=40000003 syscall=11 success=yes exit=0 a0=8fe4e10 a1=8fe4d98 a2=8fe4008 a3=8fe7358 items=0 ppid=2177 pid=2178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-daemon" exe="/usr/libexec/devkit-daemon" subj=system_u:system_r:devicekit_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing devkit-power-da (devicekit_power_t) "read" inotifyfs_t.

Detailed Description:

SELinux denied access requested by devkit-power-da. It is not expected that this access is required by devkit-power-da and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:devicekit_power_t:SystemLow- SystemHigh Target Context system_u:object_r:inotifyfs_t:SystemLow Target Objects inotify [ dir ] Source devkit-power-da Source Path /usr/libexec/devkit-power-daemon Port Host localhost.localdomain Source RPM Packages DeviceKit-power-008-1.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.15-1.fc12 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686 Alert Count 9 First Seen Tue 16 Jun 2009 07:21:24 AM CDT Last Seen Tue 16 Jun 2009 08:35:44 AM CDT Local ID a3306212-15db-4b4b-a00a-d2c310e28d4f Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1245159344.629:26): avc: denied { read } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir node=localhost.localdomain type=SYSCALL msg=audit(1245159344.629:26): arch=40000003 syscall=11 success=yes exit=0 a0=9147e50 a1=914a290 a2=9147008 a3=9147d90 items=0 ppid=2173 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null) From domg472 at gmail.com Tue Jun 16 13:53:56 2009 From: domg472 at gmail.com (Dominick Grift) Date: Tue, 16 Jun 2009 15:53:56 +0200 Subject: squid denial on F11 for 
var_run_t
In-Reply-To: <4A379BAB.2010007@redhat.com>
References: <20090615134708.782d51fe@redhat.com> <20090615071939.0526df9f@metropolis.intra.city-fan.org> <20090616083119.4d071d2c@redhat.com> <4A3790CA.5080608@redhat.com> <4A3794F3.30702@redhat.com> <1245157022.2512.50.camel@localhost.localdomain> <4A379BAB.2010007@redhat.com>
Message-ID: <1245160436.14274.6.camel@notebook2.grift.internal>

On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:
> >>> unconfined_t -> squid_exec_t -> unconfined_t
> >>>
> >>> But unconfined processes starting init scripts have a transition
> >>>
> >>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
> >>>
> >>> So any time you are using a confined process you should use the init
> >>> script to start them, otherwise you could get mislabeled files.

The AVC denial was about squid_t trying to access var_run_t.

If unconfined_t executed squid_exec_t then the domain would not be squid_t.

If squid would run as squid_t then the pid would not be var_run_t.

The AVC denial does not seem to make sense. Maybe only if two squid processes were running, one unconfined and one confined, that were conflicting.

From dwalsh at redhat.com Tue Jun 16 14:07:27 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 16 Jun 2009 10:07:27 -0400
Subject: selinux denying dev-kit, and others
In-Reply-To: <920755.83231.qm@web52603.mail.re2.yahoo.com>
References: <920755.83231.qm@web52603.mail.re2.yahoo.com>
Message-ID: <4A37A71F.7040506@redhat.com>

On 06/16/2009 09:40 AM, Antonio Olivares wrote:
>
> Summary:
>
> SELinux is preventing gnome-clock-app (gnomeclock_t) "read" inotifyfs_t.
>
> Detailed Description:
>
> SELinux denied access requested by gnome-clock-app. It is not expected that this
> access is required by gnome-clock-app and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:gnomeclock_t:SystemLow- > SystemHigh > Target Context system_u:object_r:inotifyfs_t:SystemLow > Target Objects inotify [ dir ] > Source gnome-clock-app > Source Path /usr/libexec/gnome-clock-applet-mechanism > Port > Host localhost.localdomain > Source RPM Packages gnome-panel-2.26.2-3.fc12 > Target RPM Packages > Policy RPM selinux-policy-3.6.15-1.fc12 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name localhost.localdomain > Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 > SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686 > Alert Count 1 > First Seen Tue 16 Jun 2009 08:36:10 AM CDT > Last Seen Tue 16 Jun 2009 08:36:10 AM CDT > Local ID b01fae6b-cc0e-42cb-bea3-2c84383966e0 > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1245159370.605:31): avc: denied { read } for pid=2250 comm="gnome-clock-app" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir > > node=localhost.localdomain type=SYSCALL msg=audit(1245159370.605:31): arch=40000003 syscall=11 success=yes exit=0 a0=9a9fe28 a1=9a9fce8 a2=9a9f008 a3=9aa22a8 items=0 ppid=2249 pid=2250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null) > > > > > Summary: > > SELinux is preventing devkit-disks-da (devicekit_disk_t) 
"getattr" inotifyfs_t. > > Detailed Description: > > SELinux denied access requested by devkit-disks-da. It is not expected that this > access is required by devkit-disks-da and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:devicekit_disk_t:SystemLow- > SystemHigh > Target Context system_u:object_r:inotifyfs_t:SystemLow > Target Objects inotify [ dir ] > Source devkit-disks-da > Source Path /usr/libexec/devkit-disks-daemon > Port > Host localhost.localdomain > Source RPM Packages DeviceKit-disks-004-3.fc12 > Target RPM Packages > Policy RPM selinux-policy-3.6.15-1.fc12 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name localhost.localdomain > Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 > SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686 > Alert Count 1 > First Seen Tue 16 Jun 2009 08:35:52 AM CDT > Last Seen Tue 16 Jun 2009 08:35:52 AM CDT > Local ID 8b03ae67-6d8b-49ea-821b-c78a2b4e715e > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1245159352.360:30): avc: denied { getattr } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir > > node=localhost.localdomain type=SYSCALL msg=audit(1245159352.360:30): arch=40000003 syscall=197 success=yes exit=0 a0=7 a1=bfd94d00 a2=5ddff4 
a3=95f8510 items=0 ppid=1 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null) > > > > > Summary: > > SELinux is preventing devkit-disks-da (devicekit_disk_t) "read" inotifyfs_t. > > Detailed Description: > > SELinux denied access requested by devkit-disks-da. It is not expected that this > access is required by devkit-disks-da and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context system_u:system_r:devicekit_disk_t:SystemLow- > SystemHigh > Target Context system_u:object_r:inotifyfs_t:SystemLow > Target Objects inotify [ dir ] > Source devkit-disks-da > Source Path /usr/libexec/devkit-disks-daemon > Port > Host localhost.localdomain > Source RPM Packages DeviceKit-disks-004-3.fc12 > Target RPM Packages > Policy RPM selinux-policy-3.6.15-1.fc12 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name localhost.localdomain > Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 > SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686 > Alert Count 8 > First Seen Tue 16 Jun 2009 07:21:24 AM CDT > Last Seen Tue 16 Jun 2009 08:35:51 AM CDT > Local ID 0ecb0348-2ba7-401d-a917-9c0f74a7f61d > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1245159351.885:29): avc: denied { read } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir > > node=localhost.localdomain type=SYSCALL msg=audit(1245159351.885:29): arch=40000003 syscall=11 success=yes exit=0 a0=87bbe50 a1=87be290 a2=87bb008 a3=87bbd90 items=0 ppid=2213 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null) > > > > > Summary: > > SELinux is preventing devkit-power-da (devicekit_power_t) "getattr" inotifyfs_t. > > Detailed Description: > > SELinux denied access requested by devkit-power-da. It is not expected that this > access is required by devkit-power-da and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. 
> > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:devicekit_power_t:SystemLow- > SystemHigh > Target Context system_u:object_r:inotifyfs_t:SystemLow > Target Objects inotify [ dir ] > Source devkit-power-da > Source Path /usr/libexec/devkit-power-daemon > Port > Host localhost.localdomain > Source RPM Packages DeviceKit-power-008-1.fc12 > Target RPM Packages > Policy RPM selinux-policy-3.6.15-1.fc12 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name localhost.localdomain > Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 > SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686 > Alert Count 1 > First Seen Tue 16 Jun 2009 08:35:45 AM CDT > Last Seen Tue 16 Jun 2009 08:35:45 AM CDT > Local ID 48abf8a4-c9fb-4129-abd3-35ed578349eb > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1245159345.55:27): avc: denied { getattr } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir > > node=localhost.localdomain type=SYSCALL msg=audit(1245159345.55:27): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfeb5e40 a2=5ddff4 a3=90cc030 items=0 ppid=1 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null) > > > > > Summary: > > SELinux is preventing devkit-daemon (devicekit_t) "read" 
inotifyfs_t. > > Detailed Description: > > SELinux denied access requested by devkit-daemon. It is not expected that this > access is required by devkit-daemon and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:devicekit_t:SystemLow-SystemHigh > Target Context system_u:object_r:inotifyfs_t:SystemLow > Target Objects inotify [ dir ] > Source devkit-daemon > Source Path /usr/libexec/devkit-daemon > Port > Host localhost.localdomain > Source RPM Packages DeviceKit-003-1 > Target RPM Packages > Policy RPM selinux-policy-3.6.15-1.fc12 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name localhost.localdomain > Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 > SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686 > Alert Count 1 > First Seen Tue 16 Jun 2009 08:35:45 AM CDT > Last Seen Tue 16 Jun 2009 08:35:45 AM CDT > Local ID a1417ce4-b120-4778-9802-f21888673601 > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1245159345.63:28): avc: denied { read } for pid=2178 comm="devkit-daemon" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir > > node=localhost.localdomain type=SYSCALL msg=audit(1245159345.63:28): arch=40000003 syscall=11 success=yes exit=0 a0=8fe4e10 a1=8fe4d98 a2=8fe4008 a3=8fe7358 items=0 ppid=2177 pid=2178 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-daemon" exe="/usr/libexec/devkit-daemon" subj=system_u:system_r:devicekit_t:s0-s0:c0.c1023 key=(null) > > > > Summary: > > SELinux is preventing devkit-power-da (devicekit_power_t) "read" inotifyfs_t. > > Detailed Description: > > SELinux denied access requested by devkit-power-da. It is not expected that this > access is required by devkit-power-da and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context system_u:system_r:devicekit_power_t:SystemLow- > SystemHigh > Target Context system_u:object_r:inotifyfs_t:SystemLow > Target Objects inotify [ dir ] > Source devkit-power-da > Source Path /usr/libexec/devkit-power-daemon > Port > Host localhost.localdomain > Source RPM Packages DeviceKit-power-008-1.fc12 > Target RPM Packages > Policy RPM selinux-policy-3.6.15-1.fc12 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name localhost.localdomain > Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 > SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686 > Alert Count 9 > First Seen Tue 16 Jun 2009 07:21:24 AM CDT > Last Seen Tue 16 Jun 2009 08:35:44 AM CDT > Local ID a3306212-15db-4b4b-a00a-d2c310e28d4f > Line Numbers > > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1245159344.629:26): avc: denied { read } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir > > node=localhost.localdomain type=SYSCALL msg=audit(1245159344.629:26): arch=40000003 syscall=11 success=yes exit=0 a0=9147e50 a1=914a290 a2=9147008 a3=9147d90 items=0 ppid=2173 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null) > > > > > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list This is a leak in dbus that we are trying to get cleaned up. I posted an patch but they have not been updated yet. 
We have found leaks in dbus and cron that were causing lots of domains to request this access, so we want to clean up these tools and then see what domains really need this access.

From paul at city-fan.org Tue Jun 16 14:10:38 2009
From: paul at city-fan.org (Paul Howarth)
Date: Tue, 16 Jun 2009 15:10:38 +0100
Subject: squid denial on F11 for var_run_t
In-Reply-To: <1245160436.14274.6.camel@notebook2.grift.internal>
References: <20090615134708.782d51fe@redhat.com> <20090615071939.0526df9f@metropolis.intra.city-fan.org> <20090616083119.4d071d2c@redhat.com> <4A3790CA.5080608@redhat.com> <4A3794F3.30702@redhat.com> <1245157022.2512.50.camel@localhost.localdomain> <4A379BAB.2010007@redhat.com> <1245160436.14274.6.camel@notebook2.grift.internal>
Message-ID: <4A37A7DE.4030707@city-fan.org>

On 16/06/09 14:53, Dominick Grift wrote:
> On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:
>>>>> unconfined_t -> squid_exec_t -> unconfined_t
>>>>>
>>>>> But unconfined processes starting init scripts have a transition
>>>>>
>>>>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
>>>>>
>>>>> So any time you are using a confined process you should use the init
>>>>> script to start them, otherwise you could get mislabeled files.
>
> The AVC denial was about squid_t trying to access var_run_t.
>
> If unconfined_t executed squid_exec_t then the domain would not be
> squid_t.
>
> If squid would run as squid_t then the pid would not be var_run_t.
>
> The AVC denial does not seem to make sense. Maybe only if two squid
> processes were running, one unconfined and one confined, that were
> conflicting.

Perhaps squid was first run unconfined, creating /var/run/squid.pid that was var_run_t, then run again using the initscript, causing the denial when trying to access the pidfile?

Paul.
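The squid_t/var_run_t puzzle above and the devkit descriptor leaks Dan describes are both readable straight off the audit records. An added example, not code from this thread: a small Python parser that pairs the AVC and SYSCALL records by audit event and applies those two diagnoses; the sample records are the ones quoted in this archive plus one constructed squid record, and the i386 syscall numbers and the list of generic types are assumptions noted in the code.

```python
"""Added example (not code from the list thread): parse the audit records quoted
in this archive and classify each AVC denial the way the replies do.

Two patterns recur in the thread:
  * the paired SYSCALL record is an execve that succeeded: the denied object was
    a descriptor inherited across exec, i.e. a file descriptor leaked by the
    parent (the dbus/cron leaks Dan Walsh describes), so the parent needs fixing;
  * a confined daemon is denied access to a generic type such as var_run_t:
    typically a file created earlier by an unconfined process, which got the
    directory's label instead of the daemon's own type (Paul Howarth's
    squid.pid scenario); restorecon fixes the file.
Syscall numbers are the i386 ones (arch=40000003, as in the quoted records).
"""
import re
from typing import Dict, List, Optional

I386_SYSCALLS = {5: "open", 11: "execve", 38: "rename", 197: "fstat64"}

# Illustrative set of generic labels a confined daemon should not be using directly.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "etc_t", "tmp_t"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
_PERM = re.compile(r'denied\s+\{\s*([^}]+)\}')


def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit record into a dict; adds 'event' (timestamp:serial) and 'perm'."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _MSG.search(line)
    if m:
        rec["event"] = m.group(1) + ":" + m.group(2)
    p = _PERM.search(line)
    if p:
        rec["perm"] = p.group(1).strip()
    return rec


def type_of(context: str) -> str:
    """user:role:type[:range] -> type"""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def classify(avc: Dict[str, str], syscall: Optional[Dict[str, str]]) -> str:
    """One-line verdict for an AVC record and its SYSCALL record (if any)."""
    sdom, ttype = type_of(avc.get("scontext", "")), type_of(avc.get("tcontext", ""))
    tclass = avc.get("tclass", "?")
    summary = f"{sdom} denied {{ {avc.get('perm', '?')} }} on {ttype} ({tclass})"
    if syscall is not None and syscall.get("arch") == "40000003":
        name = I386_SYSCALLS.get(int(syscall.get("syscall", "-1")), "?")
        if name == "execve" and syscall.get("success") == "yes":
            return (summary + ": hit during a successful execve, so the object is a "
                    "descriptor inherited from the parent (leaked fd); fix the parent")
    if tclass in ("file", "dir", "lnk_file") and ttype in GENERIC_TYPES:
        return (summary + ": generic label on the object; likely a mislabeled file "
                "(restorecon it) created when the daemon ran unconfined")
    return summary


def analyze(lines: List[str]) -> List[str]:
    """Pair AVC and SYSCALL records by audit event id and classify every AVC."""
    events: Dict[str, Dict[str, Dict[str, str]]] = {}
    order: List[str] = []
    for line in lines:
        rec = parse_record(line)
        if "event" not in rec or "type" not in rec:
            continue
        if rec["event"] not in events:
            events[rec["event"]] = {}
            order.append(rec["event"])
        events[rec["event"]][rec["type"]] = rec
    return [classify(events[e]["AVC"], events[e].get("SYSCALL"))
            for e in order if "AVC" in events[e]]


# Constructed sample: the devkit-power-daemon and ifconfig records quoted in this
# archive, plus a made-up squid record modelled on the squid_t/var_run_t denial
# the thread discusses (it was not posted in full).
SAMPLE_RECORDS = [
    'node=localhost.localdomain type=AVC msg=audit(1245159344.629:26): avc: denied { read } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir',
    'node=localhost.localdomain type=SYSCALL msg=audit(1245159344.629:26): arch=40000003 syscall=11 success=yes exit=0 a0=9147e50 a1=914a290 a2=9147008 a3=9147d90 items=0 ppid=2173 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)',
    'node=localhost.localdomain type=AVC msg=audit(1245100000.000:900): avc: denied { read } for pid=4242 comm="squid" name="squid.pid" dev=dm-0 ino=12345 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
    'node=localhost.localdomain type=SYSCALL msg=audit(1245100000.000:900): arch=40000003 syscall=5 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)',
    'node=localhost.localdomain type=AVC msg=audit(1245262097.577:19): avc: denied { read } for pid=3269 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file',
    'node=localhost.localdomain type=SYSCALL msg=audit(1245262097.577:19): arch=40000003 syscall=5 success=no exit=-13 a0=bfbcfdb8 a1=8000 a2=0 a3=bfbcfdb8 items=0 ppid=3253 pid=3269 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 key=(null)',
]

if __name__ == "__main__":
    for verdict in analyze(SAMPLE_RECORDS):
        print(verdict)
```

The ifconfig record comes out as a plain denial because its SYSCALL is a failed open, not an execve, so the parser does not call it a leak; that question is left to the reply further down.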
From domg472 at gmail.com Tue Jun 16 14:13:22 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 16 Jun 2009 16:13:22 +0200
Subject: squid denial on F11 for var_run_t
In-Reply-To: <4A37A7DE.4030707@city-fan.org>
References: <20090615134708.782d51fe@redhat.com> <20090615071939.0526df9f@metropolis.intra.city-fan.org> <20090616083119.4d071d2c@redhat.com> <4A3790CA.5080608@redhat.com> <4A3794F3.30702@redhat.com> <1245157022.2512.50.camel@localhost.localdomain> <4A379BAB.2010007@redhat.com> <1245160436.14274.6.camel@notebook2.grift.internal> <4A37A7DE.4030707@city-fan.org>
Message-ID: <1245161602.14274.7.camel@notebook2.grift.internal>

On Tue, 2009-06-16 at 15:10 +0100, Paul Howarth wrote:
> On 16/06/09 14:53, Dominick Grift wrote:
> > On Tue, 2009-06-16 at 09:18 -0400, Daniel J Walsh wrote:
> >>>>> unconfined_t -> squid_exec_t -> unconfined_t
> >>>>>
> >>>>> But unconfined processes starting init scripts have a transition
> >>>>>
> >>>>> unconfined_t -> initrc_exec_t -> initrc_t -> squid_exec_t -> squid_t
> >>>>>
> >>>>> So any time you are using a confined process you should use the init
> >>>>> script to start them, otherwise you could get mislabeled files.
> >
> > The AVC denial was about squid_t trying to access var_run_t.
> >
> > If unconfined_t executed squid_exec_t then the domain would not be
> > squid_t.
> >
> > If squid would run as squid_t then the pid would not be var_run_t.
> >
> > The AVC denial does not seem to make sense. Maybe only if two squid
> > processes were running, one unconfined and one confined, that were
> > conflicting.
>
> Perhaps squid was first run unconfined, creating /var/run/squid.pid that
> was var_run_t, then run again using the initscript, causing the denial
> when trying to access the pidfile?
>
> Paul.

Yes, that is what I think happened.

From dwalsh at redhat.com Wed Jun 17 13:59:54 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 17 Jun 2009 09:59:54 -0400
Subject: FYI: Latest F11 SELinux Features.
Message-ID: <4A38F6DA.8040002@redhat.com>

http://danwalsh.livejournal.com/29401.html

From sundaram at fedoraproject.org Wed Jun 17 18:10:14 2009
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Wed, 17 Jun 2009 23:40:14 +0530
Subject: ifconfig SELinux alert in Fedora 11
Message-ID: <4A393186.9000502@fedoraproject.org>

Hi

SELinux is preventing ifconfig (ifconfig_t) "read" security_t.

Audit message:

node=localhost.localdomain type=AVC msg=audit(1245262097.577:19): avc: denied { read } for pid=3269 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245262097.577:19): arch=40000003 syscall=5 success=no exit=-13 a0=bfbcfdb8 a1=8000 a2=0 a3=bfbcfdb8 items=0 ppid=3253 pid=3269 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 key=(null)

---

Rahul

From sundaram at fedoraproject.org Wed Jun 17 18:12:21 2009
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Wed, 17 Jun 2009 23:42:21 +0530
Subject: umount SELinux alert in Fedora 11
Message-ID: <4A393205.9010403@fedoraproject.org>

Hi,

Summary:

SELinux prevented umount from mounting on the file or directory "mtab" (type "etc_t").
Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1244693043.30:19491): avc: denied { unlink } for pid=10969 comm="umount" name="mtab" dev=dm-1 ino=87534 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1244693043.30:19491): arch=40000003 syscall=38 success=yes exit=0 a0=a1043b a1=a1040a a2=a12b88 a3=4 items=0 ppid=1886 pid=10969 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)

---

Rahul

From bretford at gmail.com Wed Jun 17 17:18:23 2009
From: bretford at gmail.com (brian retford)
Date: Wed, 17 Jun 2009 10:18:23 -0700
Subject: bizarre packet labelings
Message-ID: <9a4c67ab0906171018m4b798e14od8b64510e6fea6fa@mail.gmail.com>

We have a fairly customized centos 5.3 distribution, but I know of nothing that would cause the behavior I'm seeing. We don't use iptables or ipsec, secmark is enabled in the kernel. I get avc denied messages for packets that almost certainly do exist, but the targets almost never make sense (at least to me), things like ls_exec_t, lib_t, and other seemingly random types. Thoughts?

avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41 src=22 daddr=172.27.134.1 dest=40428 netif=eth0 scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=packet

-b
From sds at tycho.nsa.gov Wed Jun 17 19:47:00 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 17 Jun 2009 15:47:00 -0400
Subject: bizarre packet labelings
In-Reply-To: <9a4c67ab0906171018m4b798e14od8b64510e6fea6fa@mail.gmail.com>
References: <9a4c67ab0906171018m4b798e14od8b64510e6fea6fa@mail.gmail.com>
Message-ID: <1245268020.3033.68.camel@localhost.localdomain>

On Wed, 2009-06-17 at 10:18 -0700, brian retford wrote:
> We have a fairly customized centos 5.3 distribution, but I know of
> nothing that would cause the behavior I'm seeing. We don't use
> iptables or ipsec, secmark is enabled in the kernel. I get avc denied
> messages for packets that almost certainly do exist, but the targets
> almost never make sense (at least to me), things like ls_exec_t,
> lib_t, and other seemingly random types. Thoughts?
>
> avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41
> src=22 daddr=172.27.134.1 dest=40428 netif=eth0
> scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=packet

If you haven't configured iptables to mark packets with those contexts, then you shouldn't get any such denials.

So either you have a weird iptables configuration or you have a kernel bug.

What kernel are you using?

--
Stephen Smalley
National Security Agency

From bretford at gmail.com Wed Jun 17 21:21:16 2009
From: bretford at gmail.com (brian retford)
Date: Wed, 17 Jun 2009 14:21:16 -0700
Subject: bizarre packet labelings
In-Reply-To: <1245268020.3033.68.camel@localhost.localdomain>
References: <9a4c67ab0906171018m4b798e14od8b64510e6fea6fa@mail.gmail.com> <1245268020.3033.68.camel@localhost.localdomain>
Message-ID: <9a4c67ab0906171421y574ab7ccq84d556c38cc449f@mail.gmail.com>

2.6.18, with some custom kernel modules -- there is an off chance that they are interacting, but I doubt it.
-b

On Wed, Jun 17, 2009 at 12:47 PM, Stephen Smalley wrote:
> On Wed, 2009-06-17 at 10:18 -0700, brian retford wrote:
> > We have a fairly customized centos 5.3 distribution, but I know of
> > nothing that would cause the behavior I'm seeing. We don't use
> > iptables or ipsec, secmark is enabled in the kernel. I get avc denied
> > messages for packets that almost certainly do exist, but the targets
> > almost never make sense (at least to me), things like ls_exec_t,
> > lib_t, and other seemingly random types. Thoughts?
> >
> > avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41
> > src=22 daddr=172.27.134.1 dest=40428 netif=eth0
> > scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:lib_t:s0 tclass=packet
>
> If you haven't configured iptables to mark packets with those contexts,
> then you shouldn't get any such denials.
>
> So either you have a weird iptables configuration or you have a kernel
> bug.
>
> What kernel are you using?
>
> --
> Stephen Smalley
> National Security Agency

From mike.cloaked at gmail.com Wed Jun 17 21:37:52 2009
From: mike.cloaked at gmail.com (mike cloaked)
Date: Wed, 17 Jun 2009 22:37:52 +0100
Subject: selinux local policy from F10 to F11?
Message-ID: <3b8e57a80906171437h7427352cyb8b04bad17de00eb@mail.gmail.com>

If you have generated local selinux policy using semanage fcontext for specific files or directories in F10, is there now a recommended way to automate retrieval of these and then create the same rule set for F11 after a clean F11 install?

I know that you can do

# semanage fcontext -C -l

and send the output to a file. This will generate lines such as

SELinux fcontext type Context

/home/mike/.cxoffice(/.*)?
all files system_u:object_r:textrel_shlib_t:s0
/home/mike/.cxoffice/dotwine/drive_c/Windows/System/SHLWAPI.DLL all files system_u:object_r:textrel_shlib_t:s0
/home/mike/.cxoffice/dotwine/drive_c/Windows/System/ole32.dll all files system_u:object_r:textrel_shlib_t:s0
/home/mike/.wine(/.*)? all files system_u:object_r:textrel_shlib_t:s0

However I guess that saving this will still not allow these rules to be written back to the new system in an automated way unless a script is written to parse the lines and create a set of new selinux fcontext lines that will create each local rule with something like:

semanage fcontext -a -t textrel_shlib_t /home/mike/.cxoffice(/.*)?

with one for each original line in the output generated from the old system before it was replaced?

If there is a cleaner way to achieve this I would like to hear about it?

--
mike

From domg472 at gmail.com Thu Jun 18 09:42:10 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 18 Jun 2009 11:42:10 +0200
Subject: selinux local policy from F10 to F11?
In-Reply-To: <3b8e57a80906171437h7427352cyb8b04bad17de00eb@mail.gmail.com>
References: <3b8e57a80906171437h7427352cyb8b04bad17de00eb@mail.gmail.com>
Message-ID: <1245318130.26954.4.camel@notebook2.grift.internal>

On Wed, 2009-06-17 at 22:37 +0100, mike cloaked wrote:
> If you have generated local selinux policy using semanage fcontext for
> specific files or directories in F10, is there now a recommended way
> to automate retrieval of these and then create the same rule set for
> F11 after a clean F11 install?
>
> I know that you can do
> # semanage fcontext -C -l and send the output to a file.
> This will generate lines such as
> SELinux fcontext type Context
>
> /home/mike/.cxoffice(/.*)?
> all files
> system_u:object_r:textrel_shlib_t:s0
> /home/mike/.cxoffice/dotwine/drive_c/Windows/System/SHLWAPI.DLL all
> files system_u:object_r:textrel_shlib_t:s0
> /home/mike/.cxoffice/dotwine/drive_c/Windows/System/ole32.dll all
> files system_u:object_r:textrel_shlib_t:s0
> /home/mike/.wine(/.*)? all files
> system_u:object_r:textrel_shlib_t:s0
>
> However I guess that saving this will still not allow these rules to
> be written back to the new system in an automated way unless a script
> is written to parse the lines and create a set of new selinux fcontext
> lines that will create each local
> rule with something like:
> semanage fcontext -a -t textrel_shlib_t /home/mike/.cxoffice(/.*)?
> with one for each original line in the output generated from the old
> system before it was replaced?
>
> If there is a cleaner way to achieve this I would like to hear about it?
>

You can create a local policy module and distribute that:

mything.te

policy_module(mything, 0.0.1)

mything.fc

HOME_DIR/.cxoffice/dotwine/bla/bla/mything.so -- gen_context(system_u:object_r:textrel_shlib_t, s0)

"build and install"

make -f /usr/share/selinux/devel/Makefile
semodule -i mything.pp
restorecon -R -v /home/mike/.cxoffice/dotwine

That should work

From sds at tycho.nsa.gov Thu Jun 18 12:32:10 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 18 Jun 2009 08:32:10 -0400
Subject: selinux local policy from F10 to F11?
In-Reply-To: <3b8e57a80906171437h7427352cyb8b04bad17de00eb@mail.gmail.com>
References: <3b8e57a80906171437h7427352cyb8b04bad17de00eb@mail.gmail.com>
Message-ID: <1245328330.3033.73.camel@localhost.localdomain>

On Wed, 2009-06-17 at 22:37 +0100, mike cloaked wrote:
> If you have generated local selinux policy using semanage fcontext for
> specific files or directories in F10, is there now a recommended way
> to automate retrieval of these and then create the same rule set for
> F11 after a clean F11 install?
>
> I know that you can do
> # semanage fcontext -C -l and send the output to a file.
> This will generate lines such as
> SELinux fcontext type Context
>
> /home/mike/.cxoffice(/.*)? all files
> system_u:object_r:textrel_shlib_t:s0
> /home/mike/.cxoffice/dotwine/drive_c/Windows/System/SHLWAPI.DLL all
> files system_u:object_r:textrel_shlib_t:s0
> /home/mike/.cxoffice/dotwine/drive_c/Windows/System/ole32.dll all
> files system_u:object_r:textrel_shlib_t:s0
> /home/mike/.wine(/.*)? all files
> system_u:object_r:textrel_shlib_t:s0
>
> However I guess that saving this will still not allow these rules to
> be written back to the new system in an automated way unless a script
> is written to parse the lines and create a set of new selinux fcontext
> lines that will create each local
> rule with something like:
> semanage fcontext -a -t textrel_shlib_t /home/mike/.cxoffice(/.*)?
> with one for each original line in the output generated from the old
> system before it was replaced?
>
> If there is a cleaner way to achieve this I would like to hear about it?

That's come up before, but no one has implemented --export and --import options as far as I know.

So I think the only way to do it presently is to manually copy the /etc/selinux/targeted/modules/active/file_contexts.local file from the F10 system to the F11 system, and then run semodule -B on the F11 system to force a policy store rebuild. Afterward, you should find it installed in /etc/selinux/targeted/contexts/files/file_contexts.local on the F11 system.
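An added example, not code from Mike's or Stephen's posts: the parse-and-replay script Mike describes, written in Python. It assumes the three-column listing layout quoted above, paths without whitespace, and that semanage's -f option takes the single-letter file type codes; the listing it runs on is constructed from the entries in the thread plus one made-up regular-file entry.

```python
"""Added example, not part of Mike Cloaked's or Stephen Smalley's posts: turn the
output of `semanage fcontext -C -l` (the local customizations) into the
`semanage fcontext -a` commands that recreate them on a fresh install, followed
by the restorecon calls that apply them. Assumes the three-column layout quoted
in the thread (path regex, file type, context) and paths without whitespace;
the single-letter -f codes are what current semanage accepts for --ftype.
"""
import re
import shlex
from typing import List, Tuple

# File-type column as printed by `semanage fcontext -l` -> argument for -f
# (None: "all files", the default, needs no -f).
FTYPE_FLAG = {"all files": None, "regular file": "f", "directory": "d",
              "character device": "c", "block device": "b", "socket": "s",
              "symbolic link": "l", "named pipe": "p"}

_ENTRY = re.compile(r"^(\S+)\s+(" + "|".join(FTYPE_FLAG) + r")\s+(\S+)$")
# Regex metacharacters that end the literal part of a file_contexts path.
# A '.' is treated as literal, as it almost always is in these specs.
_META = set("^$?*+|[\\({")


def parse_listing(text: str) -> List[Tuple[str, str, str]]:
    """(path_regex, file_type, context) for each entry; header/blank lines skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def context_type(context: str) -> str:
    """user:role:type:range -> type (what -t expects)."""
    return context.split(":")[2]


def relabel_target(path_regex: str) -> str:
    """Path to hand to restorecon -R: the spec itself if it is literal, else the
    directory containing its first regex metacharacter."""
    for i, ch in enumerate(path_regex):
        if ch in _META:
            return path_regex[:i].rpartition("/")[0] or "/"
    return path_regex


def to_commands(text: str) -> List[str]:
    """The semanage fcontext -a command for every customization in the listing."""
    cmds = []
    for path, ftype, ctx in parse_listing(text):
        parts = ["semanage", "fcontext", "-a"]
        if FTYPE_FLAG[ftype]:
            parts += ["-f", FTYPE_FLAG[ftype]]
        parts += ["-t", context_type(ctx), path]
        cmds.append(" ".join(shlex.quote(p) for p in parts))
    return cmds


def to_script(text: str) -> List[str]:
    """Replay script: the -a commands, then one restorecon per distinct target."""
    lines = to_commands(text)
    targets: List[str] = []
    for path, _, _ in parse_listing(text):
        t = relabel_target(path)
        if t not in targets:
            targets.append(t)
    return lines + ["restorecon -R -v " + shlex.quote(t) for t in targets]


# Constructed sample modelled on the listing quoted in the thread, plus one
# made-up "regular file" entry to show the -f branch.
SAMPLE_LISTING = """\
SELinux fcontext                                   type               Context

/home/mike/.cxoffice(/.*)?                         all files          system_u:object_r:textrel_shlib_t:s0
/home/mike/.cxoffice/dotwine/drive_c/Windows/System/SHLWAPI.DLL all files system_u:object_r:textrel_shlib_t:s0
/home/mike/.cxoffice/dotwine/drive_c/Windows/System/ole32.dll all files system_u:object_r:textrel_shlib_t:s0
/home/mike/.wine(/.*)?                             all files          system_u:object_r:textrel_shlib_t:s0
/home/mike/bin/wrapper                             regular file       system_u:object_r:bin_t:s0
"""

if __name__ == "__main__":
    print("\n".join(to_script(SAMPLE_LISTING)))
```

The regex specs are shell-quoted so the `(/.*)?` suffix survives the shell, and restorecon is pointed at the directory above a regex rather than at the regex itself.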
--
Stephen Smalley
National Security Agency

From sds at tycho.nsa.gov Thu Jun 18 12:33:11 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Thu, 18 Jun 2009 08:33:11 -0400
Subject: bizarre packet labelings
In-Reply-To: <9a4c67ab0906171421y574ab7ccq84d556c38cc449f@mail.gmail.com>
References: <9a4c67ab0906171018m4b798e14od8b64510e6fea6fa@mail.gmail.com> <1245268020.3033.68.camel@localhost.localdomain> <9a4c67ab0906171421y574ab7ccq84d556c38cc449f@mail.gmail.com>
Message-ID: <1245328391.3033.74.camel@localhost.localdomain>

On Wed, 2009-06-17 at 14:21 -0700, brian retford wrote:
> 2.6.18, with some custom kernel modules -- there is an off chance that
> they are interacting, but I doubt it.

Well, you have some kind of kernel bug, whether it lies in those custom kernel modules or elsewhere I don't know. Obviously removing those custom kernel modules and re-testing would help eliminate them as possible causes.

> -b
>
> On Wed, Jun 17, 2009 at 12:47 PM, Stephen Smalley wrote:
> On Wed, 2009-06-17 at 10:18 -0700, brian retford wrote:
> > We have a fairly customized centos 5.3 distribution, but I know of
> > nothing that would cause the behavior I'm seeing. We don't use
> > iptables or ipsec, secmark is enabled in the kernel. I get avc denied
> > messages for packets that almost certainly do exist, but the targets
> > almost never make sense (at least to me), things like ls_exec_t,
> > lib_t, and other seemingly random types. Thoughts?
> >
> > avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41
> > src=22 daddr=172.27.134.1 dest=40428 netif=eth0
> > scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:lib_t:s0 tclass=packet
>
> If you haven't configured iptables to mark packets with those contexts,
> then you shouldn't get any such denials.
>
> So either you have a weird iptables configuration or you have a kernel
> bug.
>
> What kernel are you using?
> > -- > Stephen Smalley > National Security Agency > > -- Stephen Smalley National Security Agency From dwalsh at redhat.com Thu Jun 18 19:31:51 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 18 Jun 2009 15:31:51 -0400 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <4A393186.9000502@fedoraproject.org> References: <4A393186.9000502@fedoraproject.org> Message-ID: <4A3A9627.9080102@redhat.com> On 06/17/2009 02:10 PM, Rahul Sundaram wrote: > Hi > > SELinux is preventing ifconfig (ifconfig_t) "read" security_t. > > Audit message: > > node=localhost.localdomain type=AVC msg=audit(1245262097.577:19): avc: > denied { read } for pid=3269 comm="ifconfig" name="mls" dev=selinuxfs > ino=12 scontext=unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:security_t:s0 tclass=file > node=localhost.localdomain type=SYSCALL msg=audit(1245262097.577:19): > arch=40000003 syscall=5 success=no exit=-13 a0=bfbcfdb8 a1=8000 a2=0 > a3=bfbcfdb8 items=0 ppid=3253 pid=3269 auid=500 uid=0 gid=0 euid=0 > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ifconfig" > exe="/sbin/ifconfig" > subj=unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 key=(null) > > --- > > Rahul > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Why would ifconfig be reading the /selinux/mls? Did this app get execed from a different application? Might be a leaked file descriptor From dwalsh at redhat.com Thu Jun 18 19:32:40 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Thu, 18 Jun 2009 15:32:40 -0400 Subject: umount SELinux alert in Fedora 11 In-Reply-To: <4A393205.9010403@fedoraproject.org> References: <4A393205.9010403@fedoraproject.org> Message-ID: <4A3A9658.8050002@redhat.com> On 06/17/2009 02:12 PM, Rahul Sundaram wrote: > Hi, > > Summary: > > SELinux prevented umount from mounting on the file or directory "mtab" (type > "etc_t"). 
> > Raw Audit Messages > > node=localhost.localdomain type=AVC msg=audit(1244693043.30:19491): avc: > denied { unlink } for pid=10969 comm="umount" name="mtab" dev=dm-1 > ino=87534 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023 > tcontext=unconfined_u:object_r:etc_t:s0 tclass=file > > node=localhost.localdomain type=SYSCALL msg=audit(1244693043.30:19491): > arch=40000003 syscall=38 success=yes exit=0 a0=a1043b a1=a1040a > a2=a12b88 a3=4 items=0 ppid=1886 pid=10969 auid=4294967295 uid=0 gid=0 > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 > comm="umount" exe="/bin/umount" > subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null) > > --- > > Rahul > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list restorecon /etc/mtab Should Fix. Did some other app create this file? From mike.cloaked at gmail.com Thu Jun 18 19:56:21 2009 From: mike.cloaked at gmail.com (Mike Cloaked) Date: Thu, 18 Jun 2009 12:56:21 -0700 (PDT) Subject: selinux local policy from F10 to F11? In-Reply-To: <1245328330.3033.73.camel@localhost.localdomain> References: <3b8e57a80906171437h7427352cyb8b04bad17de00eb@mail.gmail.com> <1245328330.3033.73.camel@localhost.localdomain> Message-ID: <24099584.post@talk.nabble.com> Stephen Smalley wrote: > > > That's come up before, but no one has implemented --export and --import > options as far as I know. > > So I think the only way to do it presently is to manually copy > the /etc/selinux/targeted/modules/active/file_contexts.local file from > the F10 system to the F11 system, and then run semodule -B on the F11 > system to force a policy store rebuild. Afterward, you should find it > installed in /etc/selinux/targeted/contexts/files/file_contexts.local on > the F11 system. 
> > -- > Stephen Smalley > > Thank you - that sounds very useful - I'll try that at the weekend and see if it works - -- View this message in context: http://www.nabble.com/selinux-local-policy-from-F10-to-F11--tp24082581p24099584.html Sent from the Fedora SELinux List mailing list archive at Nabble.com. From rmartino at optonline.net Thu Jun 18 20:47:46 2009 From: rmartino at optonline.net (rick) Date: Thu, 18 Jun 2009 16:47:46 -0400 Subject: gpsd on F11-64 Message-ID: <4A3AA7F2.1070800@optonline.net> I have a shiny new F11 install and am getting the following in the syslog: Jun 18 15:41:16 calvin setroubleshoot: SELinux prevented gpsd from using the terminal 0. For complete SELinux messages. run sealert -l d33b557f-d1a4-4bde-add4-93b93ce91cc6 Fedora seems to be gpsd-challenged but the alert suggests trying restorecon which does not seem to do anything... Summary: SELinux is preventing gpsd (gpsd_t) "write" to run (var_run_t). and fyi: # ls -Z gpsd -rwxr-xr-x. root root system_u:object_r:gpsd_exec_t:s0 gpsd ...so does this warrant a bug report on the policy or is it possible to change the context of the daemon's file so that it will work? fyi, the audit msg is below and the gpsd init script looks for the file in the wrong place, so perhaps the policy expects it to be in /usr/bin instead of usr/sbin also... 
any help appreciated, rick ------------ Raw Audit Messages node=calvin.rikm.net type=AVC msg=audit(1245353432.700:34699): avc: denied { write } for pid=12148 comm="gpsd" name="run" dev=sda7 ino=1654 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir node=calvin.rikm.net type=SYSCALL msg=audit(1245353432.700:34699): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffd13b8d40 a2=6e a3=3db7168fcc items=0 ppid=12147 pid=12148 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null) ------------- -- . . . this space intentionally left blank . . . From mgrepl at redhat.com Fri Jun 19 07:55:11 2009 From: mgrepl at redhat.com (Miroslav Grepl) Date: Fri, 19 Jun 2009 09:55:11 +0200 Subject: gpsd on F11-64 In-Reply-To: <4A3AA7F2.1070800@optonline.net> References: <4A3AA7F2.1070800@optonline.net> Message-ID: <4A3B445F.10406@redhat.com> rick wrote: > > > I have a shiny new F11 install and am getting the following in the > syslog: > > > Jun 18 15:41:16 calvin setroubleshoot: SELinux prevented gpsd from > using the terminal 0. For complete SELinux messages. run sealert -l > d33b557f-d1a4-4bde-add4-93b93ce91cc6 > > > > > Fedora seems to be gpsd-challenged but the alert suggests trying > restorecon which does not seem to do anything... > > > > Summary: > > SELinux is preventing gpsd (gpsd_t) "write" to run (var_run_t). > > > > and fyi: > > > > # ls -Z gpsd > -rwxr-xr-x. root root system_u:object_r:gpsd_exec_t:s0 gpsd > > > > ...so does this warrant a bug report on the policy or is it possible > to change the context of the daemon's file so that it will work? > > fyi, the audit msg is below and the gpsd init script looks for the > file in the wrong place, so perhaps the policy expects it to be in > /usr/bin instead of usr/sbin also... 
> > > > Ok, how you mentioned above, the gpsd has the init script now, but we don't have a policy for that. Then this is a bug in the policy. Regards, Miroslav > > > > > any help appreciated, > > > > rick > > > > > > > > ------------ > > Raw Audit Messages > > node=calvin.rikm.net type=AVC msg=audit(1245353432.700:34699): avc: > denied { write } for pid=12148 comm="gpsd" name="run" dev=sda7 > ino=1654 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:var_run_t:s0 tclass=dir > > node=calvin.rikm.net type=SYSCALL msg=audit(1245353432.700:34699): > arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffd13b8d40 > a2=6e a3=3db7168fcc items=0 ppid=12147 pid=12148 auid=500 uid=0 gid=0 > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 > comm="gpsd" exe="/usr/sbin/gpsd" > subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null) > > ------------- > > > > > > > > > > > > > > > > > From domg472 at gmail.com Fri Jun 19 09:28:41 2009 From: domg472 at gmail.com (Dominick Grift) Date: Fri, 19 Jun 2009 11:28:41 +0200 Subject: secure mode for sudo Message-ID: <1245403722.679.3.camel@notebook2.grift.internal> Why does sudo not have a secure_mode boolean like su has? if(secure_mode) { # Only allow transitions to unprivileged user domains. userdom_spec_domtrans_unpriv_users($1_sudo_t) } else { # Allow transitions to all user domains userdom_spec_domtrans_all_users($1_sudo_t) } -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From dwalsh at redhat.com Fri Jun 19 09:52:56 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 19 Jun 2009 05:52:56 -0400 Subject: secure mode for sudo In-Reply-To: <1245403722.679.3.camel@notebook2.grift.internal> References: <1245403722.679.3.camel@notebook2.grift.internal> Message-ID: <4A3B5FF8.4060404@redhat.com> On 06/19/2009 05:28 AM, Dominick Grift wrote: > Why does sudo not have a secure_mode boolean like su has? > > if(secure_mode) { > # Only allow transitions to unprivileged user domains. > userdom_spec_domtrans_unpriv_users($1_sudo_t) > } else { > # Allow transitions to all user domains > userdom_spec_domtrans_all_users($1_sudo_t) > } > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Probably a bug. From sundaram at fedoraproject.org Fri Jun 19 09:54:25 2009 From: sundaram at fedoraproject.org (Rahul Sundaram) Date: Fri, 19 Jun 2009 15:24:25 +0530 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <4A3A9627.9080102@redhat.com> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> Message-ID: <4A3B6051.4040908@fedoraproject.org> On 06/19/2009 01:01 AM, Daniel J Walsh wrote: > Why would ifconfig be reading the /selinux/mls? > > Did this app get execed from a different application? Might be a leaked > file descriptor I have no idea why it happens. I was merely running NetworkManager. 
Rahul From sundaram at fedoraproject.org Fri Jun 19 09:54:47 2009 From: sundaram at fedoraproject.org (Rahul Sundaram) Date: Fri, 19 Jun 2009 15:24:47 +0530 Subject: umount SELinux alert in Fedora 11 In-Reply-To: <4A3A9658.8050002@redhat.com> References: <4A393205.9010403@fedoraproject.org> <4A3A9658.8050002@redhat.com> Message-ID: <4A3B6067.7010206@fedoraproject.org> On 06/19/2009 01:02 AM, Daniel J Walsh wrote: > restorecon /etc/mtab > > Should Fix. > > Did some other app create this file? How do I find that out? Rahul From dwalsh at redhat.com Fri Jun 19 10:06:03 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 19 Jun 2009 06:06:03 -0400 Subject: umount SELinux alert in Fedora 11 In-Reply-To: <4A3B6067.7010206@fedoraproject.org> References: <4A393205.9010403@fedoraproject.org> <4A3A9658.8050002@redhat.com> <4A3B6067.7010206@fedoraproject.org> Message-ID: <4A3B630B.9070304@redhat.com> On 06/19/2009 05:54 AM, Rahul Sundaram wrote: > On 06/19/2009 01:02 AM, Daniel J Walsh wrote: > >> restorecon /etc/mtab >> >> Should Fix. >> >> Did some other app create this file? > > How do I find that out? > > Rahul > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list I would figure it is a tool that you ran as root that modified the mount table. If the tool was run by initrc_t it would have transitioned properly. You could use restorecond to maintain the proper context so this does not happen again. From rmartino at optonline.net Fri Jun 19 21:40:08 2009 From: rmartino at optonline.net (rick) Date: Fri, 19 Jun 2009 17:40:08 -0400 Subject: gpsd on F11-64 In-Reply-To: <4A3B445F.10406@redhat.com> References: <4A3AA7F2.1070800@optonline.net> <4A3B445F.10406@redhat.com> Message-ID: <4A3C05B8.6090004@optonline.net> > > Ok, how you mentioned above, the gpsd has the init script now, but we > don't have a policy for that. Then this is a bug in the policy. 
> There is a bug report already open on the policy error, id=493506, hopefully the base functionality errors will be pursued to conclusion as well. Even with the init script corrected and selinux disabled the udev processes do not start the daemon. The daemon will run if started manually but I was hoping they would work it out this time. thanks, rick -- . . . this space intentionally left blank . . . From chepkov at yahoo.com Sat Jun 20 10:28:03 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Sat, 20 Jun 2009 03:28:03 -0700 (PDT) Subject: daemons and policy update Message-ID: <367583.65346.qm@web36803.mail.mud.yahoo.com> All, This is not the very first time I experienced this and I wonder what is the common sense to solving this kind of issues. I installed this policy update: selinux-policy-targeted-3.6.12-45.fc11 Tue 16 Jun 2009 06:29:13 AM EDT Only today I released it made crond in-operational completely for several days. /var/log/cron: Jun 20 06:08:02 hut crond[7705]: (*system*) ERROR (Could not set exec or keycreate context to system_u:system_r:system_cronjob_t:SystemLow-SystemHigh for user) Jun 20 06:08:02 hut crond[7705]: (root) ERROR (failed to change SELinux context) So every single crontab jobs were missed. Simple service crond restart fixes the problem. Do I need to reboot the system every time the new policy is installed, is this the "recommended" approach? Thank you. Sincerely yours, Vadym Chepkov From chepkov at yahoo.com Sat Jun 20 10:36:57 2009 From: chepkov at yahoo.com (Vadym Chepkov) Date: Sat, 20 Jun 2009 03:36:57 -0700 (PDT) Subject: daemons and policy update Message-ID: <811038.12785.qm@web36804.mail.mud.yahoo.com> By the way, I would prefer if crond would just die in cases like this. 
Sincerely yours, Vadym Chepkov --- On Sat, 6/20/09, Vadym Chepkov wrote: > From: Vadym Chepkov > Subject: daemons and policy update > To: "Fedora SELinux" > Date: Saturday, June 20, 2009, 6:28 AM > All, > > This is not the very first time I experienced this and I > wonder what is the common sense to solving this kind of > issues. > > I installed this policy update: > > selinux-policy-targeted-3.6.12-45.fc11? ? ? > ? Tue 16 Jun 2009 06:29:13 AM EDT > > Only today I released it made crond in-operational > completely for several days. > > /var/log/cron: > Jun 20 06:08:02 hut crond[7705]: (*system*) ERROR (Could > not set exec or keycreate context to > system_u:system_r:system_cronjob_t:SystemLow-SystemHigh for > user) > Jun 20 06:08:02 hut crond[7705]: (root) ERROR (failed to > change SELinux context) > > So every single crontab jobs were missed. Simple service > crond restart fixes the problem. Do I need to reboot the > system every time the new policy is installed, is this the > "recommended" approach? Thank you. > > Sincerely yours, > Vadym Chepkov > From dwalsh at redhat.com Sat Jun 20 11:08:53 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 20 Jun 2009 07:08:53 -0400 Subject: daemons and policy update In-Reply-To: <367583.65346.qm@web36803.mail.mud.yahoo.com> References: <367583.65346.qm@web36803.mail.mud.yahoo.com> Message-ID: <4A3CC345.8050606@redhat.com> On 06/20/2009 06:28 AM, Vadym Chepkov wrote: > > All, > > This is not the very first time I experienced this and I wonder what is the common sense to solving this kind of issues. > > I installed this policy update: > > selinux-policy-targeted-3.6.12-45.fc11 Tue 16 Jun 2009 06:29:13 AM EDT > > Only today I released it made crond in-operational completely for several days. 
> > /var/log/cron: > Jun 20 06:08:02 hut crond[7705]: (*system*) ERROR (Could not set exec or keycreate context to system_u:system_r:system_cronjob_t:SystemLow-SystemHigh for user) > Jun 20 06:08:02 hut crond[7705]: (root) ERROR (failed to change SELinux context) > > So every single crontab jobs were missed. Simple service crond restart fixes the problem. Do I need to reboot the system every time the new policy is installed, is this the "recommended" approach? Thank you. > No, selinux-policy update should never require a reboot. I have not heard of this before, I have no idea what caused it. > Sincerely yours, > Vadym Chepkov > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From dwalsh at redhat.com Sat Jun 20 11:09:35 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 20 Jun 2009 07:09:35 -0400 Subject: daemons and policy update In-Reply-To: <811038.12785.qm@web36804.mail.mud.yahoo.com> References: <811038.12785.qm@web36804.mail.mud.yahoo.com> Message-ID: <4A3CC36F.9080301@redhat.com> Please open a bug report for cron. On 06/20/2009 06:36 AM, Vadym Chepkov wrote: > > By the way, I would prefer if crond would just die in cases like this. > > Sincerely yours, > Vadym Chepkov > > > --- On Sat, 6/20/09, Vadym Chepkov wrote: > >> From: Vadym Chepkov >> Subject: daemons and policy update >> To: "Fedora SELinux" >> Date: Saturday, June 20, 2009, 6:28 AM >> All, >> >> This is not the very first time I experienced this and I >> wonder what is the common sense to solving this kind of >> issues. >> >> I installed this policy update: >> >> selinux-policy-targeted-3.6.12-45.fc11 >> Tue 16 Jun 2009 06:29:13 AM EDT >> >> Only today I released it made crond in-operational >> completely for several days. 
>> >> /var/log/cron: >> Jun 20 06:08:02 hut crond[7705]: (*system*) ERROR (Could >> not set exec or keycreate context to >> system_u:system_r:system_cronjob_t:SystemLow-SystemHigh for >> user) >> Jun 20 06:08:02 hut crond[7705]: (root) ERROR (failed to >> change SELinux context) >> >> So every single crontab jobs were missed. Simple service >> crond restart fixes the problem. Do I need to reboot the >> system every time the new policy is installed, is this the >> "recommended" approach? Thank you. >> >> Sincerely yours, >> Vadym Chepkov >> > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list From dwalsh at redhat.com Sat Jun 20 11:11:08 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Sat, 20 Jun 2009 07:11:08 -0400 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <4A3B6051.4040908@fedoraproject.org> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> Message-ID: <4A3CC3CC.9060302@redhat.com> On 06/19/2009 05:54 AM, Rahul Sundaram wrote: > On 06/19/2009 01:01 AM, Daniel J Walsh wrote: > >> Why would ifconfig be reading the /selinux/mls? >> >> Did this app get execed from a different application? Might be a leaked >> file descriptor > > I have no idea why it happens. I was merely running NetworkManager. > > Rahul > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Is it continuing to happen or was this a one time occurrence. The only code that I imagine opens and reads /selinux/mls is libselinux and this opens it, reads the value and closes the file in the same function call, so it can not leak. 
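Going back to the "selinux local policy from F10 to F11?" thread earlier on this page: Mike sketched a script that parses the output of `semanage fcontext -C -l` and regenerates one `semanage fcontext -a` command per local rule, and Stephen's answer was to copy `file_contexts.local` and run `semodule -B` instead. The script below is an added example written for this page, not code from the thread or from policycoreutils. It assumes the ftype wording and the single-letter `-f` codes documented in current semanage-fcontext(8); the 2009-era tool spelled that option differently. The `/srv/www/uploads` line in the sample input is constructed; the other rows are the paths Mike posted.

```python
import re
import shlex

# Constructed sample in the shape of `semanage fcontext -C -l` output: the
# rows Mike posted plus one constructed directory-only rule.
SAMPLE_OUTPUT = """\
SELinux fcontext                                   type               Context

/home/mike/.cxoffice(/.*)?                         all files          system_u:object_r:textrel_shlib_t:s0
/home/mike/.cxoffice/dotwine/drive_c/Windows/System/SHLWAPI.DLL all files system_u:object_r:textrel_shlib_t:s0
/home/mike/.cxoffice/dotwine/drive_c/Windows/System/ole32.dll all files system_u:object_r:textrel_shlib_t:s0
/home/mike/.wine(/.*)?                             all files          system_u:object_r:textrel_shlib_t:s0
/srv/www/uploads(/.*)?                             directory          system_u:object_r:httpd_sys_rw_content_t:s0
"""

# Assumption: ftype wording -> `-f` letter as in current semanage-fcontext(8).
# "all files" is the default, so no -f is emitted for it.
FTYPE_FLAG = {
    "all files": None,
    "regular file": "f",
    "directory": "d",
    "character device": "c",
    "block device": "b",
    "socket": "s",
    "symbolic link": "l",
    "named pipe": "p",
}

# user:role:type[:range]; we only need the type for `-t`
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:([^:\s]+)(?::\S+)?$")


def parse_local_fcontexts(text):
    """Parse listing rows into (path_regex, ftype, setype) tuples.

    Rows are whitespace-separated: the path is the first token, the context the
    last, and the (possibly two-word) ftype sits in between. Paths containing
    spaces are not handled, since the listing itself is ambiguous for them.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("SELinux fcontext"):
            continue                      # header or blank line
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("unrecognised row: %r" % line)
        path, context = parts[0], parts[-1]
        ftype = " ".join(parts[1:-1])
        m = CONTEXT_RE.match(context)
        if m is None or ftype not in FTYPE_FLAG:
            raise ValueError("unrecognised row: %r" % line)
        records.append((path, ftype, m.group(1)))
    return records


def to_semanage_commands(records):
    """Render each record as the `semanage fcontext -a` call that recreates it."""
    commands = []
    for path, ftype, setype in records:
        cmd = ["semanage", "fcontext", "-a"]
        flag = FTYPE_FLAG[ftype]
        if flag:
            cmd += ["-f", flag]
        # The path is a regex; quote it so the shell leaves (/.*)? alone.
        cmd += ["-t", setype, shlex.quote(path)]
        commands.append(" ".join(cmd))
    return commands


if __name__ == "__main__":
    for command in to_semanage_commands(parse_local_fcontexts(SAMPLE_OUTPUT)):
        print(command)
```

On the old host the input would come from `semanage fcontext -C -l > local-fcontexts.txt`; on the new host the printed commands only record the rules, so a `restorecon -Rv` over the affected paths is still needed to relabel the files. Stephen's file-copy route reaches the same end state with fewer moving parts when both systems run the same policy type.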
From sundaram at fedoraproject.org Sat Jun 20 20:19:01 2009 From: sundaram at fedoraproject.org (Rahul Sundaram) Date: Sun, 21 Jun 2009 01:49:01 +0530 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <4A3CC3CC.9060302@redhat.com> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> Message-ID: <4A3D4435.9030302@fedoraproject.org> On 06/20/2009 04:41 PM, Daniel J Walsh wrote: > On 06/19/2009 05:54 AM, Rahul Sundaram wrote: > Is it continuing to happen or was this a one time occurrence. The only > code that I imagine opens and reads /selinux/mls is libselinux and this > opens it, reads the value and closes the file in the same function call, > so it can not leak. It happens everytime I connect to a CDMA network via NetworkManager and run vpnc. Rahul From paul at city-fan.org Mon Jun 22 06:58:35 2009 From: paul at city-fan.org (Paul Howarth) Date: Mon, 22 Jun 2009 07:58:35 +0100 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <4A3D4435.9030302@fedoraproject.org> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> <4A3D4435.9030302@fedoraproject.org> Message-ID: <20090622075835.68bb0eac@metropolis.intra.city-fan.org> On Sun, 21 Jun 2009 01:49:01 +0530 Rahul Sundaram wrote: > On 06/20/2009 04:41 PM, Daniel J Walsh wrote: > > On 06/19/2009 05:54 AM, Rahul Sundaram wrote: > > Is it continuing to happen or was this a one time occurrence. The > > only code that I imagine opens and reads /selinux/mls is libselinux > > and this opens it, reads the value and closes the file in the same > > function call, so it can not leak. > > It happens everytime I connect to a CDMA network via NetworkManager > and run vpnc. 
> > Rahul I've just had a very similar denial, when starting openvpn via NetworkManager: type=AVC msg=audit(1245653684.772:27): avc: denied { read } for pid=5486 comm="openvpn" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL msg=audit(1245653684.772:27): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5652e270 a1=0 a2=7fff5652e27c a3=fffffff8 items=0 ppid=5475 pid=5486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null) Didn't stop openvpn working. Paul. From paul at city-fan.org Mon Jun 22 07:03:06 2009 From: paul at city-fan.org (Paul Howarth) Date: Mon, 22 Jun 2009 08:03:06 +0100 Subject: F-11 miscellany Message-ID: <20090622080306.43b69636@metropolis.intra.city-fan.org> Get this on every reboot: type=AVC msg=audit(1245652935.723:12): avc: denied { write } for pid=4130 comm="rm" name="/" dev=dm-18 ino=2 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir type=AVC msg=audit(1245652935.723:12): avc: denied { remove_name } for pid=4130 comm="rm" name="mysql.sock" dev=dm-18 ino=49156 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir type=AVC msg=audit(1245652935.723:12): avc: denied { unlink } for pid=4130 comm="rm" name="mysql.sock" dev=dm-18 ino=49156 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file type=SYSCALL msg=audit(1245652935.723:12): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=7fff0d7d5ece a2=0 a3=7fff0d7d5060 items=0 ppid=4044 pid=4130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:mysqld_safe_t:s0 key=(null) I have /var/lib/mysql as a separate filesystem, hence the 
"/". Curiously, setroubleshoot misinterprets this as a mislabelled root directory, saying it should be "root_t" (the root directory *is* root_t). Also had this one this morning: type=AVC msg=audit(1245652948.769:13): avc: denied { search } for pid=4510 comm="gnome-settings-" name="hwdata" dev=dm-2 ino=24065 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir type=SYSCALL msg=audit(1245652948.769:13): arch=c000003e syscall=2 success=no exit=-13 a0=31e6e1fb0e a1=0 a2=0 a3=1a items=0 ppid=4508 pid=4510 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-settings-" exe="/usr/libexec/gnome-settings-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Paul. From paul at city-fan.org Mon Jun 22 09:37:10 2009 From: paul at city-fan.org (Paul Howarth) Date: Mon, 22 Jun 2009 10:37:10 +0100 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <20090622075835.68bb0eac@metropolis.intra.city-fan.org> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> <4A3D4435.9030302@fedoraproject.org> <20090622075835.68bb0eac@metropolis.intra.city-fan.org> Message-ID: <4A3F50C6.3060008@city-fan.org> On 22/06/09 07:58, Paul Howarth wrote: > On Sun, 21 Jun 2009 01:49:01 +0530 > Rahul Sundaram wrote: > >> On 06/20/2009 04:41 PM, Daniel J Walsh wrote: >>> On 06/19/2009 05:54 AM, Rahul Sundaram wrote: >>> Is it continuing to happen or was this a one time occurrence. The >>> only code that I imagine opens and reads /selinux/mls is libselinux >>> and this opens it, reads the value and closes the file in the same >>> function call, so it can not leak. >> It happens everytime I connect to a CDMA network via NetworkManager >> and run vpnc. 
>> >> Rahul > > I've just had a very similar denial, when starting openvpn via > NetworkManager: > > type=AVC msg=audit(1245653684.772:27): avc: denied { read } for > pid=5486 comm="openvpn" name="mls" dev=selinuxfs ino=12 > scontext=system_u:system_r:openvpn_t:s0 > tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL > msg=audit(1245653684.772:27): arch=c000003e syscall=2 success=no > exit=-13 a0=7fff5652e270 a1=0 a2=7fff5652e27c a3=fffffff8 items=0 > ppid=5475 pid=5486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" > exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 key=(null) > > Didn't stop openvpn working. Just got this one too, after running "rndc querylog" to turn on named's query logging from a root shell. type=AVC msg=audit(1245663191.793:115): avc: denied { read } for pid=21774 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL msg=audit(1245663191.793:115): arch=c000003e syscall=2 success=no exit=-13 a0=7fffa1a717d0 a1=0 a2=7fffa1a717dc a3=fffffff8 items=0 ppid=14800 pid=21774 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="rndc" exe="/usr/sbin/rndc" subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null) Paul. From foss.mailinglists at gmail.com Mon Jun 22 09:41:10 2009 From: foss.mailinglists at gmail.com (sankarshan) Date: Mon, 22 Jun 2009 15:11:10 +0530 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <4A3CC3CC.9060302@redhat.com> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> Message-ID: <35586fc00906220241i266fe2d9x5dd5314181154858@mail.gmail.com> On Sat, Jun 20, 2009 at 4:41 PM, Daniel J Walsh wrote: > Is it continuing to happen or was this a one time occurrence. 
?The only code > that I imagine opens and reads /selinux/mls is libselinux and this opens it, > reads the value and closes the file in the same function call, so it can not > leak. I have seen this happen on (a) using NetworkManager to connect to a CDMA network and (b) using vpnc while having NetworkManager on -- http://www.gutenberg.net - Fine literature digitally re-published http://www.plos.org - Public Library of Science http://www.creativecommons.org - Flexible copyright for creative work From olivares14031 at yahoo.com Mon Jun 22 13:22:46 2009 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Mon, 22 Jun 2009 06:22:46 -0700 (PDT) Subject: rawhide being denied by selinux, ??? main process ended respawning Message-ID: <593918.35528.qm@web52602.mail.re2.yahoo.com> Rawhide fails to start X, selinux is denying lots of things init: ttyX main process ended, respawning init: ttyX main process (19XY) terminated with status 1 X is 1,2,3,4,5,6 Regards, Antonio From sds at tycho.nsa.gov Mon Jun 22 15:05:22 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 22 Jun 2009 11:05:22 -0400 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <4A3A9627.9080102@redhat.com> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> Message-ID: <1245683122.3033.194.camel@localhost.localdomain> On Thu, 2009-06-18 at 15:31 -0400, Daniel J Walsh wrote: > On 06/17/2009 02:10 PM, Rahul Sundaram wrote: > > Hi > > > > SELinux is preventing ifconfig (ifconfig_t) "read" security_t. 
> > > > Audit message: > > > > node=localhost.localdomain type=AVC msg=audit(1245262097.577:19): avc: > > denied { read } for pid=3269 comm="ifconfig" name="mls" dev=selinuxfs > > ino=12 scontext=unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 > > tcontext=system_u:object_r:security_t:s0 tclass=file > > node=localhost.localdomain type=SYSCALL msg=audit(1245262097.577:19): > > arch=40000003 syscall=5 success=no exit=-13 a0=bfbcfdb8 a1=8000 a2=0 > > a3=bfbcfdb8 items=0 ppid=3253 pid=3269 auid=500 uid=0 gid=0 euid=0 > > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ifconfig" > > exe="/sbin/ifconfig" > > subj=unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 key=(null) > > > > --- > > > > Rahul > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Why would ifconfig be reading the /selinux/mls? > > Did this app get execed from a different application? Might be a leaked > file descriptor ldd /sbin/ifconfig shows that ifconfig is now linked against libselinux, and thus runs its constructors. So that is why it is trying to open /selinux/mls. -- Stephen Smalley National Security Agency From mrowais at hotmail.com Tue Jun 23 14:58:07 2009 From: mrowais at hotmail.com (Mohamed Aburowais) Date: Tue, 23 Jun 2009 15:58:07 +0100 Subject: su or sudo from unconfined user to confined user Message-ID: Hello, I've a requirement to use a system as a root, but I need to move so offen to other users and be able to move to their default SELinux user and roles. As it appears to be, it is no a common thing to do, but is it possible without implementing a new policy? Regards _________________________________________________________________ Get the best of MSN on your mobile http://clk.atdmt.com/UKM/go/147991039/direct/01/ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From paul at city-fan.org Tue Jun 23 15:11:19 2009 From: paul at city-fan.org (Paul Howarth) Date: Tue, 23 Jun 2009 16:11:19 +0100 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <4A3F50C6.3060008@city-fan.org> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> <4A3D4435.9030302@fedoraproject.org> <20090622075835.68bb0eac@metropolis.intra.city-fan.org> <4A3F50C6.3060008@city-fan.org> Message-ID: <20090623161119.760ffee5@metropolis.intra.city-fan.org> On Mon, 22 Jun 2009 10:37:10 +0100 Paul Howarth wrote: > On 22/06/09 07:58, Paul Howarth wrote: > > On Sun, 21 Jun 2009 01:49:01 +0530 > > Rahul Sundaram wrote: > > > >> On 06/20/2009 04:41 PM, Daniel J Walsh wrote: > >>> On 06/19/2009 05:54 AM, Rahul Sundaram wrote: > >>> Is it continuing to happen or was this a one time occurrence. The > >>> only code that I imagine opens and reads /selinux/mls is > >>> libselinux and this opens it, reads the value and closes the file > >>> in the same function call, so it can not leak. > >> It happens everytime I connect to a CDMA network via NetworkManager > >> and run vpnc. > >> > >> Rahul > > > > I've just had a very similar denial, when starting openvpn via > > NetworkManager: > > > > type=AVC msg=audit(1245653684.772:27): avc: denied { read } for > > pid=5486 comm="openvpn" name="mls" dev=selinuxfs ino=12 > > scontext=system_u:system_r:openvpn_t:s0 > > tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL > > msg=audit(1245653684.772:27): arch=c000003e syscall=2 success=no > > exit=-13 a0=7fff5652e270 a1=0 a2=7fff5652e27c a3=fffffff8 items=0 > > ppid=5475 pid=5486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" > > exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 > > key=(null) > > > > Didn't stop openvpn working. 
> > Just got this one too, after running "rndc querylog" to turn on > named's query logging from a root shell. > > type=AVC msg=audit(1245663191.793:115): avc: denied { read } for > pid=21774 comm="rndc" name="mls" dev=selinuxfs ino=12 > scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:security_t:s0 tclass=file > type=SYSCALL msg=audit(1245663191.793:115): arch=c000003e syscall=2 > success=no exit=-13 a0=7fffa1a717d0 a1=0 a2=7fffa1a717dc a3=fffffff8 > items=0 ppid=14800 pid=21774 auid=500 uid=0 gid=0 euid=0 suid=0 > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="rndc" > exe="/usr/sbin/rndc" > subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null) /usr/sbin/rndc is linked against libselinux, which ties in with Stephen's explanation of the openvpn/vpnc issue too. I'm adding these to local policy for now: selinux_dontaudit_read_fs(ifconfig_t) selinux_dontaudit_read_fs(ndc_t) selinux_dontaudit_read_fs(openvpn_t) Paul. From domg472 at gmail.com Tue Jun 23 15:17:46 2009 From: domg472 at gmail.com (Dominick Grift) Date: Tue, 23 Jun 2009 17:17:46 +0200 Subject: su or sudo from unconfined user to confined user In-Reply-To: References: Message-ID: <1245770266.16544.18.camel@notebook2.grift.internal> It is possible i think yes. As far as i know there are two requirements (example unconfined_r to confined_r) 1. Your SELinux User must be mapped to both roles. semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user special_u 2. Your source role must have access to your target role allow unconfined_r confined_r; (also make default context in /etc/selinux/targeted/contexts/users for special_u) The reason that this is supported by default is because it does not make sense to transition from a unconfined domain to a confined domain. It defeats the purpose of the unconfined domain. Unconfined environments are used by processes that are exempted from much of the policy enforcement. 
In rare cases unconfined domains transition to restricted domains. For example: one can toggle a boolean to force unconfined_t to transition to nsplugin_t when the process runs nsplugin. On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote: > Hello, > I've a requirement to use a system as a root, but I need to move so > offen to other users and be able to move to their default SELinux user > and roles. > As it appears to be, it is no a common thing to do, but is it possible > without implementing a new policy? > > Regards > > > ______________________________________________________________________ > Beyond Hotmail - see what else you can do with Windows Live. Find out > more. > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From domg472 at gmail.com Tue Jun 23 15:20:17 2009 From: domg472 at gmail.com (Dominick Grift) Date: Tue, 23 Jun 2009 17:20:17 +0200 Subject: su or sudo from unconfined user to confined user In-Reply-To: <1245770266.16544.18.camel@notebook2.grift.internal> References: <1245770266.16544.18.camel@notebook2.grift.internal> Message-ID: <1245770417.16544.19.camel@notebook2.grift.internal> On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote: > 2. Your source role must have access to your target role > allow unconfined_r confined_r; Whoops, that's a syntax error. It should be: role unconfined_r confined_r; -------------- next part -------------- A non-text attachment was scrubbed... 
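Returning to the ifconfig/openvpn/rndc thread: Paul triaged the /selinux/mls denials by hand, recognised them as the libselinux constructor probe Stephen described, and silenced each source domain with selinux_dontaudit_read_fs(). The script below is an added example (not code posted in the thread) that automates exactly that triage over audit.log text. The first three sample lines are the denials quoted above, re-joined onto one line each as audit.log stores them; the fourth is a constructed, unrelated httpd denial so the classifier has something it must refuse to dontaudit. The classifier keys on the facts the thread establishes (read of name="mls" on selinuxfs, target type security_t); everything else is reported for investigation rather than turned into policy.

```python
"""Triage SELinux AVC denials and emit the dontaudit calls for the
libselinux-constructor probe of /selinux/mls discussed in this thread.

Added example, not code posted in the thread.  The first three sample lines
are the denials quoted above (openvpn, rndc, ifconfig); the fourth is a
constructed, unrelated denial so the classifier has something to reject.
"""
import re
from collections import OrderedDict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1245653684.772:27): avc: denied { read } for pid=5486 comm="openvpn" '
    'name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=file',
    'type=AVC msg=audit(1245663191.793:115): avc: denied { read } for pid=21774 comm="rndc" '
    'name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:security_t:s0 tclass=file',
    'node=localhost.localdomain type=AVC msg=audit(1245262097.577:19): avc: denied { read } for '
    'pid=3269 comm="ifconfig" name="mls" dev=selinuxfs ino=12 '
    'scontext=unconfined_u:unconfined_r:ifconfig_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:security_t:s0 tclass=file',
    # constructed: a real policy gap, not the harmless constructor probe
    'type=AVC msg=audit(1245700000.000:200): avc: denied { write } for pid=4242 comm="httpd" '
    'name="index.html" dev=sda1 ino=777 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]


def parse_avc(line):
    """Split one AVC record into perms, source/target types, class and raw fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {"perms": set(m.group("perms").split()), "fields": fields,
           "tclass": fields.get("tclass")}
    for key, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = fields.get(key, "").split(":")
        rec[out] = parts[2] if len(parts) >= 3 else None   # user:role:type[:range]
    return rec


def is_libselinux_mls_probe(rec):
    """The pattern from this thread: libselinux's constructor reading /selinux/mls."""
    f = rec["fields"]
    return (rec["tclass"] == "file" and rec["perms"] == {"read"}
            and f.get("name") == "mls" and f.get("dev") == "selinuxfs"
            and rec["ttype"] == "security_t")


def triage(lines):
    """Map each source domain to (verdict, detail); a real denial beats a probe."""
    verdicts = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["stype"] is None:
            continue
        if is_libselinux_mls_probe(rec):
            verdicts.setdefault(rec["stype"],
                                ("dontaudit", "selinux_dontaudit_read_fs(%s)" % rec["stype"]))
        else:
            verdicts[rec["stype"]] = ("investigate", "%s %s:%s { %s }" % (
                rec["stype"], rec["ttype"], rec["tclass"], " ".join(sorted(rec["perms"]))))
    return verdicts


def render_local_te(lines, module="localmls"):
    """Render a local module that only silences the probe; nothing gets allowed."""
    calls = [detail for verdict, detail in triage(lines).values() if verdict == "dontaudit"]
    domains = [c[c.index("(") + 1:-1] for c in calls]
    out = ["policy_module(%s, 1.0)" % module, "", "require {"]
    out += ["\ttype %s;" % d for d in domains]   # interface arguments must be in scope
    out += ["}", "", "# libselinux constructor probe of /selinux/mls: harmless, just silence it"]
    out += calls
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for domain, (verdict, detail) in triage(SAMPLE_AUDIT_LINES).items():
        print("%-12s %-12s %s" % (domain, verdict, detail))
    print(render_local_te(SAMPLE_AUDIT_LINES))
```

Feed it `ausearch -m avc -ts today` output and the rendered module builds with the same `make -f /usr/share/selinux/devel/Makefile` / `semodule -i` steps used elsewhere in this thread. The point of keeping the two verdicts apart is that a dontaudit rule hides a denial without granting anything, which is right for the constructor probe and wrong for anything that is actually failing.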
Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From mgrepl at redhat.com Tue Jun 23 15:56:47 2009 From: mgrepl at redhat.com (Miroslav Grepl) Date: Tue, 23 Jun 2009 17:56:47 +0200 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <20090623161119.760ffee5@metropolis.intra.city-fan.org> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> <4A3D4435.9030302@fedoraproject.org> <20090622075835.68bb0eac@metropolis.intra.city-fan.org> <4A3F50C6.3060008@city-fan.org> <20090623161119.760ffee5@metropolis.intra.city-fan.org> Message-ID: <4A40FB3F.4010201@redhat.com> On 06/23/2009 05:11 PM, Paul Howarth wrote: > On Mon, 22 Jun 2009 10:37:10 +0100 > Paul Howarth wrote: > > >> On 22/06/09 07:58, Paul Howarth wrote: >> >>> On Sun, 21 Jun 2009 01:49:01 +0530 >>> Rahul Sundaram wrote: >>> >>> >>>> On 06/20/2009 04:41 PM, Daniel J Walsh wrote: >>>> >>>>> On 06/19/2009 05:54 AM, Rahul Sundaram wrote: >>>>> Is it continuing to happen or was this a one time occurrence. The >>>>> only code that I imagine opens and reads /selinux/mls is >>>>> libselinux and this opens it, reads the value and closes the file >>>>> in the same function call, so it can not leak. >>>>> >>>> It happens everytime I connect to a CDMA network via NetworkManager >>>> and run vpnc. 
>>>> >>>> Rahul >>>> >>> I've just had a very similar denial, when starting openvpn via >>> NetworkManager: >>> >>> type=AVC msg=audit(1245653684.772:27): avc: denied { read } for >>> pid=5486 comm="openvpn" name="mls" dev=selinuxfs ino=12 >>> scontext=system_u:system_r:openvpn_t:s0 >>> tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL >>> msg=audit(1245653684.772:27): arch=c000003e syscall=2 success=no >>> exit=-13 a0=7fff5652e270 a1=0 a2=7fff5652e27c a3=fffffff8 items=0 >>> ppid=5475 pid=5486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 >>> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" >>> exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 >>> key=(null) >>> >>> Didn't stop openvpn working. >>> >> Just got this one too, after running "rndc querylog" to turn on >> named's query logging from a root shell. >> >> type=AVC msg=audit(1245663191.793:115): avc: denied { read } for >> pid=21774 comm="rndc" name="mls" dev=selinuxfs ino=12 >> scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:security_t:s0 tclass=file >> type=SYSCALL msg=audit(1245663191.793:115): arch=c000003e syscall=2 >> success=no exit=-13 a0=7fffa1a717d0 a1=0 a2=7fffa1a717dc a3=fffffff8 >> items=0 ppid=14800 pid=21774 auid=500 uid=0 gid=0 euid=0 suid=0 >> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="rndc" >> exe="/usr/sbin/rndc" >> subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null) >> > > /usr/sbin/rndc is linked against libselinux, which ties in with > Stephen's explanation of the openvpn/vpnc issue too. > > I'm adding these to local policy for now: > > selinux_dontaudit_read_fs(ifconfig_t) > selinux_dontaudit_read_fs(ndc_t) > selinux_dontaudit_read_fs(openvpn_t) > > Paul. 
> > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Fixed in selinux-policy-3.6.12-57.fc11 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mrowais at hotmail.com Tue Jun 23 16:12:17 2009 From: mrowais at hotmail.com (Mohamed Aburowais) Date: Tue, 23 Jun 2009 17:12:17 +0100 Subject: su or sudo from unconfined user to confined user In-Reply-To: <1245770417.16544.19.camel@notebook2.grift.internal> References: <1245770266.16544.18.camel@notebook2.grift.internal> <1245770417.16544.19.camel@notebook2.grift.internal> Message-ID: Hello, As creating new simple role, I've done the following: -------------- policy_module(new, 0.0.1) role newroled_r; role unconfined_r newroled_r; ------------------ But it does not compile using make, showing error near role unconfined. > Subject: Re: su or sudo from unconfined user to confined user > From: domg472 at gmail.com > To: mrowais at hotmail.com > CC: fedora-selinux-list at redhat.com > Date: Tue, 23 Jun 2009 17:20:17 +0200 > > On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote: > > > 2. Your source role must have access to your target role > > allow unconfined_r confined_r; > > Whoops thats a syntax error. It should be: > > role unconfined_r confined_r; _________________________________________________________________ Get the best of MSN on your mobile http://clk.atdmt.com/UKM/go/147991039/direct/01/ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From sds at tycho.nsa.gov Tue Jun 23 16:20:38 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 23 Jun 2009 12:20:38 -0400 Subject: su or sudo from unconfined user to confined user In-Reply-To: <1245770266.16544.18.camel@notebook2.grift.internal> References: <1245770266.16544.18.camel@notebook2.grift.internal> Message-ID: <1245774038.12493.158.camel@localhost.localdomain> On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote: > It is possible i think yes. I could be wrong, but I think the original poster wanted a way he could switch to another user's security context in its entirety using su or sudo. Which today we do not support. The original (and current) view is that the SELinux user field should only get set when a session is created, and only role, type, and level can change within a session and only then if within the authorized roles and levels for the user. That bounds access escalation within a login session. su doesn't affect the SELinux security context, and newrole/sudo are limited to changing role, type, or level. In early Fedora and RHEL 4, there was support for switching the entire security context upon su, but that was removed. To re-instate it, you would need to do two things: 1) Add the necessary policy rules to allow su to switch the entire context. Look at the rules under an ifdef distro_rhel4 in su.if in the refpolicy for example. You could add those as a local policy module rather than rebuilding the base policy. 2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login for an example of how to do so. And I can't guarantee it will still work, as no one uses it that way anymore. > As far as i know there are two requirements (example unconfined_r to > confined_r) > > 1. Your SELinux User must be mapped to both roles. > semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user > special_u > > 2. 
Your source role must have access to your target role > allow unconfined_r confined_r; > > (also make default context in /etc/selinux/targeted/contexts/users for > special_u) > > The reason that this is supported by default is because it does not make > sense to transition from a unconfined domain to a confined domain. It > defeats the purpose of the unconfined domain. > > Unconfined environments are used by processes that are exempted from > much of the policy enforcement. > > In rare cases unconfined domain transition to restricted domains. For > example: one can toggle a boolean to force unconfined_t to transition to > nsplugin_t when the process runs nsplugin. > > > On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote: > > Hello, > > I've a requirement to use a system as a root, but I need to move so > > offen to other users and be able to move to their default SELinux user > > and roles. > > As it appears to be, it is no a common thing to do, but is it possible > > without implementing a new policy? > > > > Regards > > > > > > ______________________________________________________________________ > > Beyond Hotmail - see what else you can do with Windows Live. Find out > > more. > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Stephen Smalley National Security Agency From mrowais at hotmail.com Tue Jun 23 16:54:06 2009 From: mrowais at hotmail.com (Mohamed Aburowais) Date: Tue, 23 Jun 2009 17:54:06 +0100 Subject: su or sudo from unconfined user to confined user In-Reply-To: <1245774038.12493.158.camel@localhost.localdomain> References: <1245770266.16544.18.camel@notebook2.grift.internal> <1245774038.12493.158.camel@localhost.localdomain> Message-ID: This seems to be a bit complicated. 
As a start I'm trying to create new role and new types, I want the new role to be accessed by unconfined_r, having problem since my last email: Compiling targeted new module /usr/bin/checkmodule: loading policy configuration from tmp/new.tmp new.te":6:ERROR 'unknown role unconfined_r' at token ';' on line 3189: allow unconfined_r new_r; role new_r types example_t; /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/new.mod] Error 1 the file used: new.te policy_module(new, 0.0.1) role new_r; type example_t; role new_r types example_t; allow unconfined_r new_r; (both allow or role causing the same problem). > Subject: Re: su or sudo from unconfined user to confined user > From: sds at tycho.nsa.gov > To: domg472 at gmail.com > CC: mrowais at hotmail.com; fedora-selinux-list at redhat.com > Date: Tue, 23 Jun 2009 12:20:38 -0400 > > On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote: > > It is possible i think yes. > > I could be wrong, but I think the original poster wanted a way he could > switch to another user's security context in its entirety using su or > sudo. Which today we do not support. > > The original (and current) view is that the SELinux user field should > only get set when a session is created, and only role, type, and level > can change within a session and only then if within the authorized roles > and levels for the user. That bounds access escalation within a login > session. su doesn't affect the SELinux security context, and > newrole/sudo are limited to changing role, type, or level. > > In early Fedora and RHEL 4, there was support for switching the entire > security context upon su, but that was removed. To re-instate it, you > would need to do two things: > 1) Add the necessary policy rules to allow su to switch the entire > context. Look at the rules under an ifdef distro_rhel4 in su.if in the > refpolicy for example. 
You could add those as a local policy module > rather than rebuilding the base policy. > 2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login > for an example of how to do so. > > And I can't guarantee it will still work, as no one uses it that way > anymore. > > > As far as i know there are two requirements (example unconfined_r to > > confined_r) > > > > 1. Your SELinux User must be mapped to both roles. > > semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user > > special_u > > > > 2. Your source role must have access to your target role > > allow unconfined_r confined_r; > > > > (also make default context in /etc/selinux/targeted/contexts/users for > > special_u) > > > > The reason that this is supported by default is because it does not make > > sense to transition from a unconfined domain to a confined domain. It > > defeats the purpose of the unconfined domain. > > > > Unconfined environments are used by processes that are exempted from > > much of the policy enforcement. > > > > In rare cases unconfined domain transition to restricted domains. For > > example: one can toggle a boolean to force unconfined_t to transition to > > nsplugin_t when the process runs nsplugin. > > > > > > On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote: > > > Hello, > > > I've a requirement to use a system as a root, but I need to move so > > > offen to other users and be able to move to their default SELinux user > > > and roles. > > > As it appears to be, it is no a common thing to do, but is it possible > > > without implementing a new policy? > > > > > > Regards > > > > > > > > > ______________________________________________________________________ > > > Beyond Hotmail - see what else you can do with Windows Live. Find out > > > more. 
> > > -- > > > fedora-selinux-list mailing list > > > fedora-selinux-list at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > -- > Stephen Smalley > National Security Agency > _________________________________________________________________ Share your photos with Windows Live Photos ? Free. http://clk.atdmt.com/UKM/go/134665338/direct/01/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From sds at tycho.nsa.gov Tue Jun 23 17:05:51 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 23 Jun 2009 13:05:51 -0400 Subject: su or sudo from unconfined user to confined user In-Reply-To: <1245774038.12493.158.camel@localhost.localdomain> References: <1245770266.16544.18.camel@notebook2.grift.internal> <1245774038.12493.158.camel@localhost.localdomain> Message-ID: <1245776751.27538.2.camel@localhost.localdomain> On Tue, 2009-06-23 at 12:20 -0400, Stephen Smalley wrote: > On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote: > > It is possible i think yes. > > I could be wrong, but I think the original poster wanted a way he could > switch to another user's security context in its entirety using su or > sudo. Which today we do not support. > > The original (and current) view is that the SELinux user field should > only get set when a session is created, and only role, type, and level > can change within a session and only then if within the authorized roles > and levels for the user. That bounds access escalation within a login > session. su doesn't affect the SELinux security context, and > newrole/sudo are limited to changing role, type, or level. > > In early Fedora and RHEL 4, there was support for switching the entire > security context upon su, but that was removed. 
To re-instate it, you > would need to do two things: > 1) Add the necessary policy rules to allow su to switch the entire > context. Look at the rules under an ifdef distro_rhel4 in su.if in the > refpolicy for example. You could add those as a local policy module > rather than rebuilding the base policy. > 2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login > for an example of how to do so. > > And I can't guarantee it will still work, as no one uses it that way > anymore. Oh, but I forgot that he is starting from unconfined_t, so it isn't quite that complicated, as su doesn't even run in its own domain when called by unconfined_t. This worked for me: # vi foo.te policy_module(foo, 1.0) require { type unconfined_t; type user_t; role unconfined_r; role user_r; } allow unconfined_t user_t:process transition; allow unconfined_r user_r; # make -f /usr/share/selinux/devel/Makefile foo.pp # semodule -i foo.pp # runcon user_u:user_r:user_t:s0 /bin/bash # id -Z user_u:user_r:user_t:s0 So you could use runcon to switch contexts (since you are starting from unconfined_t), and then use su to switch Linux uid. -- Stephen Smalley National Security Agency From dsugar at tresys.com Tue Jun 23 17:54:08 2009 From: dsugar at tresys.com (Dave Sugar) Date: Tue, 23 Jun 2009 13:54:08 -0400 Subject: [ANN] CDS Framework 3.6 Message-ID: <1245779648.8071.100.camel@localhost.localdomain> Version 3.6 of the CDS Framework Toolkit from Tresys Technology is now available for download from the Tresys Open Source website at http://oss.tresys.com/projects/cdsframework The CDS Framework Toolkit is an Eclipse plug-in that allows engineers to graphically design a system's security architecture, targeting information flow security goals. The toolkit uses the security architecture diagram to generate SELinux policy based on the Reference Policy or CLIP policy. It integrates with SLIDE to provide additional SELinux policy development capabilities. 
CDS Framework version 3.6 - highlights: * Adds feature to hide secondary information flows. * Adds quick fix support to the audit view to fix denials by modifying the security architecture diagram. Dave Sugar Tresys Technology, LLC From domg472 at gmail.com Tue Jun 23 17:57:56 2009 From: domg472 at gmail.com (Dominick Grift) Date: Tue, 23 Jun 2009 19:57:56 +0200 Subject: su or sudo from unconfined user to confined user In-Reply-To: References: <1245770266.16544.18.camel@notebook2.grift.internal> <1245774038.12493.158.camel@localhost.localdomain> Message-ID: <1245779876.16544.22.camel@notebook2.grift.internal> On Tue, 2009-06-23 at 17:54 +0100, Mohamed Aburowais wrote: > This seems to be a bit complicated. > As a start I'm trying to create new role and new types, I want the new > role to be accessed by unconfined_r, having problem since my last > email: > Compiling targeted new module > /usr/bin/checkmodule: loading policy configuration from tmp/new.tmp > new.te":6:ERROR 'unknown role unconfined_r' at token ';' on line 3189: > allow unconfined_r new_r; > role new_r types example_t; > /usr/bin/checkmodule: error(s) encountered while parsing > configuration > make: *** [tmp/new.mod] Error 1 > > the file used: new.te > policy_module(new, 0.0.1) > > role new_r; > type example_t; > role new_r types example_t; > allow unconfined_r new_r; > (both allow or role causing the same problem). Looks like you must require unconfined_r: require { role unconfined_r; } > > > > Subject: Re: su or sudo from unconfined user to confined user > > From: sds at tycho.nsa.gov > > To: domg472 at gmail.com > > CC: mrowais at hotmail.com; fedora-selinux-list at redhat.com > > Date: Tue, 23 Jun 2009 12:20:38 -0400 > > > > On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote: > > > It is possible i think yes. > > > > I could be wrong, but I think the original poster wanted a way he > could > > switch to another user's security context in its entirety using su > or > > sudo. 
Which today we do not support. > > > > The original (and current) view is that the SELinux user field > should > > only get set when a session is created, and only role, type, and > level > > can change within a session and only then if within the authorized > roles > > and levels for the user. That bounds access escalation within a > login > > session. su doesn't affect the SELinux security context, and > > newrole/sudo are limited to changing role, type, or level. > > > > In early Fedora and RHEL 4, there was support for switching the > entire > > security context upon su, but that was removed. To re-instate it, > you > > would need to do two things: > > 1) Add the necessary policy rules to allow su to switch the entire > > context. Look at the rules under an ifdef distro_rhel4 in su.if in > the > > refpolicy for example. You could add those as a local policy module > > rather than rebuilding the base policy. > > 2) Add pam_selinux entries to /etc/pam.d/su. Look > in /etc/pam.d/login > > for an example of how to do so. > > > > And I can't guarantee it will still work, as no one uses it that way > > anymore. > > > > > As far as i know there are two requirements (example unconfined_r > to > > > confined_r) > > > > > > 1. Your SELinux User must be mapped to both roles. > > > semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P > user > > > special_u > > > > > > 2. Your source role must have access to your target role > > > allow unconfined_r confined_r; > > > > > > (also make default context in /etc/selinux/targeted/contexts/users > for > > > special_u) > > > > > > The reason that this is supported by default is because it does > not make > > > sense to transition from a unconfined domain to a confined domain. > It > > > defeats the purpose of the unconfined domain. > > > > > > Unconfined environments are used by processes that are exempted > from > > > much of the policy enforcement. 
> > > > > > In rare cases unconfined domain transition to restricted domains. > For > > > example: one can toggle a boolean to force unconfined_t to > transition to > > > nsplugin_t when the process runs nsplugin. > > > > > > > > > On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote: > > > > Hello, > > > > I've a requirement to use a system as a root, but I need to move > so > > > > offen to other users and be able to move to their default > SELinux user > > > > and roles. > > > > As it appears to be, it is no a common thing to do, but is it > possible > > > > without implementing a new policy? > > > > > > > > Regards > > > > > > > > > > > > > ______________________________________________________________________ > > > > Beyond Hotmail - see what else you can do with Windows Live. > Find out > > > > more. > > > > -- > > > > fedora-selinux-list mailing list > > > > fedora-selinux-list at redhat.com > > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > -- > > > fedora-selinux-list mailing list > > > fedora-selinux-list at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > -- > > Stephen Smalley > > National Security Agency > > > > > ______________________________________________________________________ > View your Twitter and Flickr updates from one place ? Learn more! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From domg472 at gmail.com Tue Jun 23 17:54:52 2009 From: domg472 at gmail.com (Dominick Grift) Date: Tue, 23 Jun 2009 19:54:52 +0200 Subject: su or sudo from unconfined user to confined user In-Reply-To: References: <1245770266.16544.18.camel@notebook2.grift.internal> <1245770417.16544.19.camel@notebook2.grift.internal> Message-ID: <1245779692.16544.21.camel@notebook2.grift.internal> On Tue, 2009-06-23 at 17:12 +0100, Mohamed Aburowais wrote: > Hello, > As creating new simple role, I've done the following: > -------------- > policy_module(new, 0.0.1) > > role newroled_r; > role unconfined_r newroled_r; > ------------------ > But it does not compile using make, showing error near role > unconfined. Sorry, I was right the first time: allow unconfined_r confined_r; So: role unconfined_r confined_r; is wrong... > > > > Subject: Re: su or sudo from unconfined user to confined user > > From: domg472 at gmail.com > > To: mrowais at hotmail.com > > CC: fedora-selinux-list at redhat.com > > Date: Tue, 23 Jun 2009 17:20:17 +0200 > > > > On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote: > > > > > 2. Your source role must have access to your target role > > > allow unconfined_r confined_r; > > > > Whoops thats a syntax error. It should be: > > > > role unconfined_r confined_r; > > > ______________________________________________________________________ > Beyond Hotmail - see what else you can do with Windows Live. Find out > more. -------------- next part -------------- A non-text attachment was scrubbed... 
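Two distinct mistakes surfaced in the new.te exchange above: an identifier from the base policy (unconfined_r) used in a module without a require block, which checkmodule reports as 'unknown role unconfined_r', and the non-statement 'role A B;' where a role allow 'allow A B;' was meant. The checker below is an added example (not tooling from the thread or from refpolicy) that catches both before checkmodule does. It understands only the statement forms that appear in this thread: type/role/attribute declarations, require blocks, 'role R types T;', role allows, and allow/dontaudit/auditallow/neverallow rules. m4 macro calls such as policy_module() and any other statement are skipped. The three embedded modules are the ones posted above, with Dominick's require block applied in the second.

```python
"""Find identifiers a refpolicy-style .te module uses without declaring or
requiring them, the cause of checkmodule's "unknown role unconfined_r".

Added example, not tooling from the thread or from refpolicy.  Only the
statement forms used in this thread are understood; everything else is skipped.
"""
import re

# new.te as posted above: unconfined_r is used but never brought into scope
MOHAMED_NEW_TE = """policy_module(new, 0.0.1)
role new_r;
type example_t;
role new_r types example_t;
allow unconfined_r new_r;
"""

# the same module with the require block suggested in the reply
FIXED_NEW_TE = """policy_module(new, 0.0.1)
require {
    role unconfined_r;
}
role new_r;
type example_t;
role new_r types example_t;
allow unconfined_r new_r;
"""

# the first attempt from the thread: 'role A B;' is not a statement form at all
BAD_ROLE_TE = """policy_module(new, 0.0.1)
role newroled_r;
role unconfined_r newroled_r;
"""

AV_RULES = ("allow", "dontaudit", "auditallow", "neverallow")
REQUIRE_RE = re.compile(r"\brequire\s*\{((?:[^{}]|\{[^{}]*\})*)\}", re.S)


def _tokens(text):
    return text.replace("{", " { ").replace("}", " } ").replace(",", " ").split()


def _groups(tokens):
    """Turn ['a', '{', 'b', 'c', '}'] into [['a'], ['b', 'c']] so a set is one operand."""
    groups, cur = [], None
    for t in tokens:
        if t == "{":
            cur = []
        elif t == "}":
            groups.append(cur)
            cur = None
        elif cur is not None:
            cur.append(t)
        else:
            groups.append([t])
    return groups


def _names(group):
    return [t.lstrip("-~") for t in group if t != "*"]


def check_module(text):
    """Return a list of problems; an empty list means every type/role is in scope."""
    declared = {"type": {"self"}, "role": set()}
    used = {"type": [], "role": []}
    problems = []
    text = re.sub(r"#.*", "", text)
    text = re.sub(r"\bpolicy_module\([^)]*\)", "", text)

    def take_require(m):
        # everything inside require { } is pulled in from the base policy
        for stmt in m.group(1).split(";"):
            toks = _tokens(stmt)
            if len(toks) >= 2 and toks[0] in ("type", "attribute"):
                declared["type"].update(toks[1:])
            elif len(toks) >= 2 and toks[0] == "role":
                declared["role"].update(toks[1:])
        return ""

    text = REQUIRE_RE.sub(take_require, text)

    for stmt in text.split(";"):
        groups = _groups(_tokens(stmt.split(":", 1)[0]))   # drop ':class perms' of AV rules
        if not groups:
            continue
        kw = groups[0][0]
        if kw in ("type", "attribute") and len(groups) >= 2:
            declared["type"].add(groups[1][0])
        elif kw == "role" and len(groups) == 2:
            declared["role"].add(groups[1][0])
        elif kw == "role" and len(groups) == 4 and groups[2] == ["types"]:
            used["role"].append(groups[1][0])
            used["type"] += _names(groups[3])
        elif kw == "role" and len(groups) == 3:
            a, b = groups[1][0], groups[2][0]
            problems.append("invalid statement 'role %s %s;': a role allow is written "
                            "'allow %s %s;'" % (a, b, a, b))
        elif kw in AV_RULES and len(groups) == 3:
            kind = "type" if ":" in stmt else "role"   # 'allow S T:class perms' vs 'allow R1 R2'
            used[kind] += _names(groups[1]) + _names(groups[2])

    for kind in ("role", "type"):
        for name in used[kind]:
            msg = "unknown %s %s: declare it or add 'require { %s %s; }'" % (kind, name, kind, name)
            if name not in declared[kind] and msg not in problems:
                problems.append(msg)
    return problems


if __name__ == "__main__":
    for label, te in (("new.te", MOHAMED_NEW_TE), ("fixed", FIXED_NEW_TE), ("role A B", BAD_ROLE_TE)):
        print(label, check_module(te) or "ok")
```

Stephen's foo.te, with its require block for unconfined_t, user_t, unconfined_r and user_r, passes clean, which is the scoping rule in one sentence: a module may only name what it declares itself or pulls in through require.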
Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From joliver at john-oliver.net Wed Jun 24 19:01:27 2009 From: joliver at john-oliver.net (John Oliver) Date: Wed, 24 Jun 2009 12:01:27 -0700 Subject: "cannot restore segment prot after reloc" Message-ID: <20090624190127.GA19943@ns.sdsitehosting.net> [root at ucore-web ~]# service httpd configtest httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc: Permission denied [root at ucore-web ~]# ls -lZ /etc/httpd/modules/vcapache.so -rwxr-xr-x root root system_u:object_r:httpd_modules_t /etc/httpd/modules/vcapache.so I used chcon to make vcapache.so have the same attributes as other Apache modules... -rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_userdir.so -rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_usertrack.so -rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_version.so -rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_vhost_alias.so -rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapache.so How to fix? Googling results in a thousand suggestions to disable SELinux and a couple to "chcon -t texrel_shlib_t" which did not work for me. 
-- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * *********************************************************************** From domg472 at gmail.com Wed Jun 24 19:55:37 2009 From: domg472 at gmail.com (Dominick Grift) Date: Wed, 24 Jun 2009 21:55:37 +0200 Subject: "cannot restore segment prot after reloc" In-Reply-To: <20090624190127.GA19943@ns.sdsitehosting.net> References: <20090624190127.GA19943@ns.sdsitehosting.net> Message-ID: <1245873337.23526.1.camel@notebook2.grift.internal> On Wed, 2009-06-24 at 12:01 -0700, John Oliver wrote: > [root at ucore-web ~]# service httpd configtest > httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax > error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load > /etc/httpd/modules/vcapache.so into server: > /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc: > Permission denied > [root at ucore-web ~]# ls -lZ /etc/httpd/modules/vcapache.so > -rwxr-xr-x root root system_u:object_r:httpd_modules_t > /etc/httpd/modules/vcapache.so > > I used chcon to make vcapache.so have the same attributes as other > Apache modules... > > -rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_userdir.so > -rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_usertrack.so > -rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_version.so > -rwxr-xr-x root root system_u:object_r:httpd_modules_t > mod_vhost_alias.so > -rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapache.so > > How to fix? Googling results in a thousand suggestions to disable > SELinux and a couple to "chcon -t texrel_shlib_t" which did not work for > me. > Why did "chcon -t textrel_shlib_t /etc/httpd/modules/vcapache.so" not work? Can you show us AVC denials? You can retrieve AVC denials with the "ausearch -m avc -ts today" command. -------------- next part -------------- A non-text attachment was scrubbed... 
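Before relabelling anything, it is worth confirming that the library in question actually has text relocations. "cannot restore segment prot after reloc" is the dynamic loader's message when, after writing relocations into a library's text segment, it cannot mprotect that segment back to executable; under SELinux that mprotect is the execmod check, which textrel_shlib_t permits on the file. A library without TEXTREL never takes that path, so if the check below says "clean" the error has some other cause and the AVC denials Dominick asked for are the next step. The script is an added example, not code from the thread: it reads the dynamic section through the PT_DYNAMIC program header, as the loader does, and looks for DT_TEXTREL or DF_TEXTREL in DT_FLAGS (the same information `readelf -d` shows). It handles little-endian ELF64 only, and the sample images it tests against are constructed in build_sample_so(); they are not vcapache.so or any real library.

```python
"""Report whether a shared object carries text relocations (DT_TEXTREL or
DF_TEXTREL), the property behind "cannot restore segment prot after reloc".

Added example, not code from the thread.  Little-endian ELF64 only; the
dynamic section is found via PT_DYNAMIC like the loader does.  The sample
images are constructed below and are not real libraries.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
PT_DYNAMIC = 2
DT_NULL, DT_NEEDED, DT_TEXTREL, DT_FLAGS = 0, 1, 22, 30
DF_TEXTREL = 0x4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")            # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                   # Elf64_Dyn, 16 bytes


def dynamic_tags(blob):
    """Return {d_tag: d_val} from the PT_DYNAMIC segment, or {} if there is none."""
    if blob[:4] != ELF_MAGIC or blob[4] != ELFCLASS64 or blob[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, _type, _machine, _ver, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(blob, 0)
    tags = {}
    for i in range(phnum):
        (p_type, _pflags, p_offset, _vaddr, _paddr,
         p_filesz, _memsz, _align) = PHDR.unpack_from(blob, phoff + i * phentsize)
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(blob, off)
            if tag == DT_NULL:
                break
            tags.setdefault(tag, val)
        break
    return tags


def has_text_relocations(blob):
    """True if the loader must write into the text segment (and mprotect it back)."""
    tags = dynamic_tags(blob)
    return DT_TEXTREL in tags or bool(tags.get(DT_FLAGS, 0) & DF_TEXTREL)


def build_sample_so(entries):
    """Constructed minimal ELF64: header, one PT_DYNAMIC phdr, then the dynamic array."""
    dyn = b"".join(DYN.pack(t, v) for t, v in entries) + DYN.pack(DT_NULL, 0)
    dyn_off = EHDR.size + PHDR.size
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    # ET_DYN (3), EM_X86_64 (62), phdr table right after the header, no section headers
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 1, 64, 0, 0)
    phdr = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


CLEAN_SO = build_sample_so([(DT_NEEDED, 1)])
TEXTREL_SO = build_sample_so([(DT_NEEDED, 1), (DT_TEXTREL, 0)])
FLAGS_TEXTREL_SO = build_sample_so([(DT_NEEDED, 1), (DT_FLAGS, DF_TEXTREL)])


def main(argv):
    for path in argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        print("%s: %s" % (path, "TEXTREL" if has_text_relocations(blob) else "clean"))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 textrel_check.py /etc/httpd/modules/vcapache.so`. If it reports TEXTREL, chcon to textrel_shlib_t makes the loader's write-then-execute of the text segment permitted, but the library is still asking for writable pages that later become executable; the durable fix is rebuilding it with -fPIC so no text relocations remain and no special label is needed.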
Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From cpebenito at tresys.com Thu Jun 25 17:24:14 2009 From: cpebenito at tresys.com (Christopher J. PeBenito) Date: Thu, 25 Jun 2009 13:24:14 -0400 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <20090623161119.760ffee5@metropolis.intra.city-fan.org> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> <4A3D4435.9030302@fedoraproject.org> <20090622075835.68bb0eac@metropolis.intra.city-fan.org> <4A3F50C6.3060008@city-fan.org> <20090623161119.760ffee5@metropolis.intra.city-fan.org> Message-ID: <1245950654.4230.906.camel@gorn.columbia.tresys.com> On Tue, 2009-06-23 at 16:11 +0100, Paul Howarth wrote: > On Mon, 22 Jun 2009 10:37:10 +0100 > Paul Howarth wrote: > > > On 22/06/09 07:58, Paul Howarth wrote: > > > On Sun, 21 Jun 2009 01:49:01 +0530 > > > Rahul Sundaram wrote: > > > > > >> On 06/20/2009 04:41 PM, Daniel J Walsh wrote: > > >>> On 06/19/2009 05:54 AM, Rahul Sundaram wrote: > > >>> Is it continuing to happen or was this a one time occurrence. The > > >>> only code that I imagine opens and reads /selinux/mls is > > >>> libselinux and this opens it, reads the value and closes the file > > >>> in the same function call, so it can not leak. > > >> It happens everytime I connect to a CDMA network via NetworkManager > > >> and run vpnc. 
> > >> > > >> Rahul > > > > > > I've just had a very similar denial, when starting openvpn via > > > NetworkManager: > > > > > > type=AVC msg=audit(1245653684.772:27): avc: denied { read } for > > > pid=5486 comm="openvpn" name="mls" dev=selinuxfs ino=12 > > > scontext=system_u:system_r:openvpn_t:s0 > > > tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL > > > msg=audit(1245653684.772:27): arch=c000003e syscall=2 success=no > > > exit=-13 a0=7fff5652e270 a1=0 a2=7fff5652e27c a3=fffffff8 items=0 > > > ppid=5475 pid=5486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="openvpn" > > > exe="/usr/sbin/openvpn" subj=system_u:system_r:openvpn_t:s0 > > > key=(null) > > > > > > Didn't stop openvpn working. > > > > Just got this one too, after running "rndc querylog" to turn on > > named's query logging from a root shell. > > > > type=AVC msg=audit(1245663191.793:115): avc: denied { read } for > > pid=21774 comm="rndc" name="mls" dev=selinuxfs ino=12 > > scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 > > tcontext=system_u:object_r:security_t:s0 tclass=file > > type=SYSCALL msg=audit(1245663191.793:115): arch=c000003e syscall=2 > > success=no exit=-13 a0=7fffa1a717d0 a1=0 a2=7fffa1a717dc a3=fffffff8 > > items=0 ppid=14800 pid=21774 auid=500 uid=0 gid=0 euid=0 suid=0 > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="rndc" > > exe="/usr/sbin/rndc" > > subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null) > > /usr/sbin/rndc is linked against libselinux, which ties in with > Stephen's explanation of the openvpn/vpnc issue too. 
> > I'm adding these to local policy for now: > > selinux_dontaudit_read_fs(ifconfig_t) > selinux_dontaudit_read_fs(ndc_t) > selinux_dontaudit_read_fs(openvpn_t) In the long term, the more appropriate interface would be seutil_dontaudit_libselinux_linked(), which is for programs that link against libselinux for basic reasons, such as doing a setfilecon() or setfscreatecon(), but don't use the features that depend on the libselinux constructor. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 From olivares14031 at yahoo.com Thu Jun 25 21:01:19 2009 From: olivares14031 at yahoo.com (Antonio Olivares) Date: Thu, 25 Jun 2009 14:01:19 -0700 (PDT) Subject: Fw: had no X on rawhide, got X submitted bunch of reports due to selinux denials Message-ID: <277645.90090.qm@web52610.mail.re2.yahoo.com> --- On Thu, 6/25/09, Antonio Olivares wrote: > From: Antonio Olivares > Subject: had no X on rawhide, got X submitted bunch of reports due to selinux denials > To: fedora-test-list at redhat.com > Cc: fedora-selinux-list at redhat.com, olivares14031 at yahoo.com > Date: Thursday, June 25, 2009, 1:45 PM > Dear fellow testers and selinux > experts, > > On rawhide last day at work for summer, I got to report a > great deal of bugreports on selinux complaints, I have > gotten the mails separately. I had no X for good part > of last week and this week. I got updated and finally > got X but new kernel could not install because > > grubby fatal error: unable to find a suitable > template > > only the -24 kernel boots the -28.rc12.fc12 kernel does not > even get created because of above error. Also, a great > deal of selinux denials(avcs are shown in attachment I hope > goes through). Also one/two/several kernel oops are > here also. > > This might be last chance to send this bugs, I will not get > back to rawhide till mid to late August when I come back to > work. So I will send what I can and I hope it is not > in vain. > > Regards, > > Antonio > > >
Text file was very big :(, uploaded it to website in case you want to see kernel oops and stuff that happened. Since I could not get X, I logged in via level 3 and used enforcing=0, since I got a great bunch of selinux denials something with /var/tmp/rpm??? or something like that. File is here: http://www.geocities.com/olivares14031/session.html Hope it helps in some way, otherwise I'll be back in August. I'll receive mail, but probably can't do much unless I get internet from somewhere else, then I can get back and reply when needed. Regards, Antonio From paul at city-fan.org Thu Jun 25 21:12:51 2009 From: paul at city-fan.org (Paul Howarth) Date: Thu, 25 Jun 2009 22:12:51 +0100 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <1245950654.4230.906.camel@gorn.columbia.tresys.com> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> <4A3D4435.9030302@fedoraproject.org> <20090622075835.68bb0eac@metropolis.intra.city-fan.org> <4A3F50C6.3060008@city-fan.org> <20090623161119.760ffee5@metropolis.intra.city-fan.org> <1245950654.4230.906.camel@gorn.columbia.tresys.com> Message-ID: <20090625221251.2e98bb58@metropolis.intra.city-fan.org> On Thu, 25 Jun 2009 13:24:14 -0400 "Christopher J. PeBenito" wrote: > On Tue, 2009-06-23 at 16:11 +0100, Paul Howarth wrote: > > On Mon, 22 Jun 2009 10:37:10 +0100 > > Paul Howarth wrote: > > > > > On 22/06/09 07:58, Paul Howarth wrote: > > > > On Sun, 21 Jun 2009 01:49:01 +0530 > > > > Rahul Sundaram wrote: > > > > > > > >> On 06/20/2009 04:41 PM, Daniel J Walsh wrote: > > > >>> On 06/19/2009 05:54 AM, Rahul Sundaram wrote: > > > >>> Is it continuing to happen or was this a one time > > > >>> occurrence. The only code that I imagine opens and > > > >>> reads /selinux/mls is libselinux and this opens it, reads the > > > >>> value and closes the file in the same function call, so it > > > >>> can not leak. 
> > > >> It happens everytime I connect to a CDMA network via > > > >> NetworkManager and run vpnc. > > > >> > > > >> Rahul > > > > > > > > I've just had a very similar denial, when starting openvpn via > > > > NetworkManager: > > > > > > > > type=AVC msg=audit(1245653684.772:27): avc: denied { read } > > > > for pid=5486 comm="openvpn" name="mls" dev=selinuxfs ino=12 > > > > scontext=system_u:system_r:openvpn_t:s0 > > > > tcontext=system_u:object_r:security_t:s0 tclass=file > > > > type=SYSCALL msg=audit(1245653684.772:27): arch=c000003e > > > > syscall=2 success=no exit=-13 a0=7fff5652e270 a1=0 a2=7fff5652e27c > > > > a3=fffffff8 items=0 ppid=5475 pid=5486 auid=4294967295 uid=0 gid=0 > > > > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) > > > > ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" > > > > subj=system_u:system_r:openvpn_t:s0 key=(null) > > > > > > > > Didn't stop openvpn working. > > > > > > Just got this one too, after running "rndc querylog" to turn on > > > named's query logging from a root shell. > > > > > > type=AVC msg=audit(1245663191.793:115): avc: denied { read } > > > for pid=21774 comm="rndc" name="mls" dev=selinuxfs ino=12 > > > scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 > > > tcontext=system_u:object_r:security_t:s0 tclass=file > > > type=SYSCALL msg=audit(1245663191.793:115): arch=c000003e syscall=2 > > > success=no exit=-13 a0=7fffa1a717d0 a1=0 a2=7fffa1a717dc a3=fffffff8 > > > items=0 ppid=14800 pid=21774 auid=500 uid=0 gid=0 euid=0 suid=0 > > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="rndc" > > > exe="/usr/sbin/rndc" > > > subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null) > > > > /usr/sbin/rndc is linked against libselinux, which ties in with > > Stephen's explanation of the openvpn/vpnc issue too.
> > > > I'm adding these to local policy for now: > > > > selinux_dontaudit_read_fs(ifconfig_t) > > selinux_dontaudit_read_fs(ndc_t) > > selinux_dontaudit_read_fs(openvpn_t) > > In the long term, the more appropriate interface would be > seutil_dontaudit_libselinux_linked(), which is for programs that link > against libselinux for basic reasons, such as doing a setfilecon() or > setfscreatecon(), but don't use the features that depend on the > libselinux constructor. That makes sense for ifconfig_t and ndc_t that are actually linked against libselinux, but openvpn_t uses sysnet_exec_ifconfig so perhaps that interface now needs to add seutil_dontaudit_libselinux_linked() for its calling domain? Paul. From misc.lists at blueyonder.co.uk Fri Jun 26 08:41:10 2009 From: misc.lists at blueyonder.co.uk (Arthur Dent) Date: Fri, 26 Jun 2009 09:41:10 +0100 Subject: Fail2Ban Message-ID: <20090626084110.GA19249@troodos.org.uk> Hello all, Following a spate of unsuccessful but irritating attempts to brute-force my home Fedora 9 server I decided to install fail2ban (using yum). Starting it up gave me several AVCs of two types. One example of each type is pasted below. Running audit2allow gave me the following policy. I have implemented the policy, and it works, but should it be necessary? I have googled a bit and found a couple of old bug reports but I'm not sure they're relevant and I think they have been incorporated into more recent policies anyway... policy_module(myfail2ban, 9.1.0) require { type iptables_t; type system_mail_t; type fail2ban_t; class unix_stream_socket { read write }; } #============= iptables_t ============== allow iptables_t fail2ban_t:unix_stream_socket { read write }; #============= system_mail_t ============== allow system_mail_t fail2ban_t:unix_stream_socket { read write }; Does that look OK? Is there a bool I could have set? Thanks for your help... 
Mark 2 x AVCs ======== >From SELinux_Troubleshoot at mydomain.com Thu Jun 25 19:19:30 2009 Return-Path: Received: from mydomain.com (mydomain.com [127.0.0.1]) by mydomain.com (8.14.2/8.14.2) with ESMTP id n5PIJUBI003995 for ; Thu, 25 Jun 2009 19:19:30 +0100 Message-Id: <200906251819.n5PIJUBI003995 at mydomain.com> Content-Type: multipart/alternative; boundary="===============1813742656==" MIME-Version: 1.0 Subject: [SELinux AVC Alert] SELinux is preventing iptables (iptables_t) "read write" fail2ban_t. From: SELinux_Troubleshoot at mydomain.com To: root at mydomain.com Date: Thu, 25 Jun 2009 18:19:30 -0000 Status: RO Content-Length: 10088 Lines: 157 --===============1813742656== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Summary: SELinux is preventing iptables (iptables_t) "read write" fail2ban_t. Detailed Description: SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context unconfined_u:system_r:iptables_t:s0 Target Context unconfined_u:system_r:fail2ban_t:s0 Target Objects socket [ unix_stream_socket ] Source iptables Source Path /sbin/iptables Port Host mydomain.com Source RPM Packages iptables-1.4.1.1-2.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-133.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name mydomain.com Platform Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686 Alert Count 9 First Seen Tue Jun 23 14:12:58 2009 Last Seen Thu Jun 25 19:19:20 2009 Local ID 8291512a-d501-4af1-9e24-25d2052bf649 Line Numbers Raw Audit Messages node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[22072]" dev=sockfs ino=22072 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket node=mydomain.com type=SYSCALL msg=audit(1245953960.354:478): arch=40000003 syscall=11 success=yes exit=0 a0=8cd7978 a1=8cd7cb8 a2=8cd7e38 a3=0 items=0 ppid=3969 pid=3974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null) --===============1813742656==-- >From SELinux_Troubleshoot at mydomain.com Thu Jun 25 19:19:31 
2009 Return-Path: Received: from mydomain.com (mydomain.com [127.0.0.1]) by mydomain.com (8.14.2/8.14.2) with ESMTP id n5PIJVHv003998 for ; Thu, 25 Jun 2009 19:19:31 +0100 Message-Id: <200906251819.n5PIJVHv003998 at mydomain.com> Content-Type: multipart/alternative; boundary="===============0749694059==" MIME-Version: 1.0 Subject: [SELinux AVC Alert] SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. From: SELinux_Troubleshoot at mydomain.com To: root at mydomain.com Date: Thu, 25 Jun 2009 18:19:31 -0000 Status: RO Content-Length: 9500 Lines: 151 --===============0749694059== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Summary: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. Detailed Description: SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context unconfined_u:system_r:system_mail_t:s0 Target Context unconfined_u:system_r:fail2ban_t:s0 Target Objects socket [ unix_stream_socket ] Source sendmail Source Path /usr/sbin/sendmail.sendmail Port Host mydomain.com Source RPM Packages sendmail-8.14.2-4.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-133.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name mydomain.com Platform Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686 Alert Count 3 First Seen Tue Jun 23 14:12:59 2009 Last Seen Thu Jun 25 19:19:20 2009 Local ID 18e4bfc0-cbb2-41a6-af2c-8b271450ed73 Line Numbers Raw Audit Messages node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc: denied { read write } for pid=3980 comm="sendmail" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc: denied { read write } for pid=3980 comm="sendmail" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket node=mydomain.com type=SYSCALL msg=audit(1245953960.510:479): arch=40000003 syscall=11 success=yes exit=0 a0=8908a90 a1=8908aa8 a2=8908d88 a3=0 items=0 ppid=3978 pid=3980 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0 key=(null) --===============0749694059== From dwalsh at redhat.com Fri Jun 26 12:36:26 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 26 Jun 2009 08:36:26 -0400 Subject: Fail2Ban In-Reply-To: <20090626084110.GA19249@troodos.org.uk> References: <20090626084110.GA19249@troodos.org.uk> Message-ID: <4A44C0CA.3040308@redhat.com> 
On 06/26/2009 04:41 AM, Arthur Dent wrote: > Hello all, > > Following a spate of unsuccessful but irritating attempts to brute-force my > home Fedora 9 server I decided to install fail2ban (using yum). > > Starting it up gave me several AVCs of two types. One example of each type is > pasted below. > > Running audit2allow gave me the following policy. I have implemented the > policy, and it works, but should it be necessary? I have googled a bit and > found a couple of old bug reports but I'm not sure they're relevant and I > think they have been incorporated into more recent policies anyway... > > policy_module(myfail2ban, 9.1.0) > > require { > type iptables_t; > type system_mail_t; > type fail2ban_t; > class unix_stream_socket { read write }; > } > > #============= iptables_t ============== > allow iptables_t fail2ban_t:unix_stream_socket { read write }; > > #============= system_mail_t ============== > allow system_mail_t fail2ban_t:unix_stream_socket { read write }; > > > Does that look OK? Is there a bool I could have set? > > Thanks for your help... > > Mark > > > 2 x AVCs > ======== > > >> From SELinux_Troubleshoot at mydomain.com Thu Jun 25 19:19:30 2009 > Return-Path: > Received: from mydomain.com (mydomain.com [127.0.0.1]) > by mydomain.com (8.14.2/8.14.2) with ESMTP id n5PIJUBI003995 > for; Thu, 25 Jun 2009 19:19:30 +0100 > Message-Id:<200906251819.n5PIJUBI003995 at mydomain.com> > Content-Type: multipart/alternative; boundary="===============1813742656==" > MIME-Version: 1.0 > Subject: [SELinux AVC Alert] SELinux is preventing iptables (iptables_t) "read > write" fail2ban_t. > From: SELinux_Troubleshoot at mydomain.com > To: root at mydomain.com > Date: Thu, 25 Jun 2009 18:19:30 -0000 > Status: RO > Content-Length: 10088 > Lines: 157 > > --===============1813742656== > Content-Type: text/plain; charset="us-ascii" > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > > > Summary: > > SELinux is preventing iptables (iptables_t) "read write" fail2ban_t. 
> > Detailed Description: > > SELinux denied access requested by iptables. It is not expected that this access > is required by iptables and this access may signal an intrusion attempt. It is > also possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context unconfined_u:system_r:iptables_t:s0 > Target Context unconfined_u:system_r:fail2ban_t:s0 > Target Objects socket [ unix_stream_socket ] > Source iptables > Source Path /sbin/iptables > Port > Host mydomain.com > Source RPM Packages iptables-1.4.1.1-2.fc9 > Target RPM Packages > Policy RPM selinux-policy-3.3.1-133.fc9 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name mydomain.com > Platform Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP > Fri Oct 17 14:52:14 EDT 2008 i686 i686 > Alert Count 9 > First Seen Tue Jun 23 14:12:58 2009 > Last Seen Thu Jun 25 19:19:20 2009 > Local ID 8291512a-d501-4af1-9e24-25d2052bf649 > Line Numbers > > Raw Audit Messages > > node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket > > node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 
tclass=unix_stream_socket > > node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[22072]" dev=sockfs ino=22072 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket > > node=mydomain.com type=SYSCALL msg=audit(1245953960.354:478): arch=40000003 syscall=11 success=yes exit=0 a0=8cd7978 a1=8cd7cb8 a2=8cd7e38 a3=0 items=0 ppid=3969 pid=3974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null) > > > --===============1813742656==-- > >> From SELinux_Troubleshoot at mydomain.com Thu Jun 25 19:19:31 2009 > Return-Path: > Received: from mydomain.com (mydomain.com [127.0.0.1]) > by mydomain.com (8.14.2/8.14.2) with ESMTP id n5PIJVHv003998 > for; Thu, 25 Jun 2009 19:19:31 +0100 > Message-Id:<200906251819.n5PIJVHv003998 at mydomain.com> > Content-Type: multipart/alternative; boundary="===============0749694059==" > MIME-Version: 1.0 > Subject: [SELinux AVC Alert] SELinux is preventing sendmail (system_mail_t) > "read write" fail2ban_t. > From: SELinux_Troubleshoot at mydomain.com > To: root at mydomain.com > Date: Thu, 25 Jun 2009 18:19:31 -0000 > Status: RO > Content-Length: 9500 > Lines: 151 > > --===============0749694059== > Content-Type: text/plain; charset="us-ascii" > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > > > Summary: > > SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. > > Detailed Description: > > SELinux denied access requested by sendmail. It is not expected that this access > is required by sendmail and this access may signal an intrusion attempt. It is > also possible that the specific version or configuration of the application is > causing it to require additional access. 
> > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context unconfined_u:system_r:system_mail_t:s0 > Target Context unconfined_u:system_r:fail2ban_t:s0 > Target Objects socket [ unix_stream_socket ] > Source sendmail > Source Path /usr/sbin/sendmail.sendmail > Port > Host mydomain.com > Source RPM Packages sendmail-8.14.2-4.fc9 > Target RPM Packages > Policy RPM selinux-policy-3.3.1-133.fc9 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name mydomain.com > Platform Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP > Fri Oct 17 14:52:14 EDT 2008 i686 i686 > Alert Count 3 > First Seen Tue Jun 23 14:12:59 2009 > Last Seen Thu Jun 25 19:19:20 2009 > Local ID 18e4bfc0-cbb2-41a6-af2c-8b271450ed73 > Line Numbers > > Raw Audit Messages > > node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc: denied { read write } for pid=3980 comm="sendmail" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket > > node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc: denied { read write } for pid=3980 comm="sendmail" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket > > node=mydomain.com type=SYSCALL msg=audit(1245953960.510:479): arch=40000003 syscall=11 success=yes exit=0 a0=8908a90 a1=8908aa8 a2=8908d88 a3=0 items=0 ppid=3978 pid=3980 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 
comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0 key=(null) > > > --===============0749694059== > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list These are leaked file descriptors from fail2ban. They are ok to allow. Try to upgrade to the latest fail2ban software via yum. From dwalsh at redhat.com Fri Jun 26 12:41:29 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 26 Jun 2009 08:41:29 -0400 Subject: Fw: had no X on rawhide, got X submitted bunch of reports due to selinux denials In-Reply-To: <277645.90090.qm@web52610.mail.re2.yahoo.com> References: <277645.90090.qm@web52610.mail.re2.yahoo.com> Message-ID: <4A44C1F9.9070803@redhat.com> On 06/25/2009 05:01 PM, Antonio Olivares wrote: > > --- On Thu, 6/25/09, Antonio Olivares wrote: > >> From: Antonio Olivares >> Subject: had no X on rawhide, got X submitted bunch of reports due to selinux denials >> To: fedora-test-list at redhat.com >> Cc: fedora-selinux-list at redhat.com, olivares14031 at yahoo.com >> Date: Thursday, June 25, 2009, 1:45 PM >> Dear fellow testers and selinux >> experts, >> >> On rawhide last day at work for summer, I got to report a >> great deal of bugreports on selinux complaints, I have >> gotten the mails separately. I had no X for good part >> of last week and this week. I got updated and finally >> got X but new kernel could not install because >> >> grubby fatal error: unable to find a suitable >> template >> >> only the -24 kernel boots the -28.rc12.fc12 kernel does not >> even get created because of above error. Also, a great >> deal of selinux denials(avcs are shown in attachment I hope >> goes through). Also one/two/several kernel oops are >> here also. >> >> This might be last chance to send this bugs, I will not get >> back to rawhide till mid to late August when I come back to >> work.
So I will send what I can and I hope it is not >> in vain. >> >> Regards, >> >> Antonio >> >> >> > > Text file was very big :(, uploaded it to website in case you want to see kernel oops and stuff that happened. Since I could not get X, I logged in via level 3 and used enforcing=0, since I got a great bunch of selinux denials something with /var/tmp/rpm??? or something like that. File is here: > > http://www.geocities.com/olivares14031/session.html > > Hope it helps in some way, otherwise I'll be back in August. I'll receive mail, but probably can't do much unless I get internet from somewhere else, then I can get back and reply when needed. > > Regards, > > Antonio > > > > Sounds like your machine was heavily mislabeled. touch /.autorelabel; reboot fixes the labels on boot, or you can execute fixfiles restore From cpebenito at tresys.com Fri Jun 26 13:19:54 2009 From: cpebenito at tresys.com (Christopher J. PeBenito) Date: Fri, 26 Jun 2009 09:19:54 -0400 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <20090625221251.2e98bb58@metropolis.intra.city-fan.org> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> <4A3D4435.9030302@fedoraproject.org> <20090622075835.68bb0eac@metropolis.intra.city-fan.org> <4A3F50C6.3060008@city-fan.org> <20090623161119.760ffee5@metropolis.intra.city-fan.org> <1245950654.4230.906.camel@gorn.columbia.tresys.com> <20090625221251.2e98bb58@metropolis.intra.city-fan.org> Message-ID: <1246022394.4230.1287.camel@gorn.columbia.tresys.com> On Thu, 2009-06-25 at 22:12 +0100, Paul Howarth wrote: > On Thu, 25 Jun 2009 13:24:14 -0400 > "Christopher J.
PeBenito" wrote: > > > On Tue, 2009-06-23 at 16:11 +0100, Paul Howarth wrote: > > > On Mon, 22 Jun 2009 10:37:10 +0100 > > > Paul Howarth wrote: > > > > > > > On 22/06/09 07:58, Paul Howarth wrote: > > > > > On Sun, 21 Jun 2009 01:49:01 +0530 > > > > > Rahul Sundaram wrote: > > > > > > > > > >> On 06/20/2009 04:41 PM, Daniel J Walsh wrote: > > > > >>> On 06/19/2009 05:54 AM, Rahul Sundaram wrote: > > > > >>> Is it continuing to happen or was this a one time > > > > >>> occurrence. The only code that I imagine opens and > > > > >>> reads /selinux/mls is libselinux and this opens it, reads the > > > > >>> value and closes the file in the same function call, so it > > > > >>> can not leak. > > > > >> It happens everytime I connect to a CDMA network via > > > > >> NetworkManager and run vpnc. > > > > >> > > > > >> Rahul > > > > > > > > > > I've just had a very similar denial, when starting openvpn via > > > > > NetworkManager: > > > > > > > > > > type=AVC msg=audit(1245653684.772:27): avc: denied { read } > > > > > for pid=5486 comm="openvpn" name="mls" dev=selinuxfs ino=12 > > > > > scontext=system_u:system_r:openvpn_t:s0 > > > > > tcontext=system_u:object_r:security_t:s0 tclass=file > > > > > type=SYSCALL msg=audit(1245653684.772:27): arch=c000003e > > > > > syscall=2 success=no exit=-13 a0=7fff5652e270 a1=0 a2=7fff5652e27c > > > > > a3=fffffff8 items=0 ppid=5475 pid=5486 auid=4294967295 uid=0 gid=0 > > > > > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) > > > > > ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" > > > > > subj=system_u:system_r:openvpn_t:s0 key=(null) > > > > > > > > > > Didn't stop openvpn working. > > > > > > > > Just got this one too, after running "rndc querylog" to turn on > > > > named's query logging from a root shell.
> > > > > > > > type=AVC msg=audit(1245663191.793:115): avc: denied { read } > > > > for pid=21774 comm="rndc" name="mls" dev=selinuxfs ino=12 > > > > scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 > > > > tcontext=system_u:object_r:security_t:s0 tclass=file > > > > type=SYSCALL msg=audit(1245663191.793:115): arch=c000003e syscall=2 > > > > success=no exit=-13 a0=7fffa1a717d0 a1=0 a2=7fffa1a717dc a3=fffffff8 > > > > items=0 ppid=14800 pid=21774 auid=500 uid=0 gid=0 euid=0 suid=0 > > > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="rndc" > > > > exe="/usr/sbin/rndc" > > > > subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null) > > > > > > /usr/sbin/rndc is linked against libselinux, which ties in with > > > Stephen's explanation of the openvpn/vpnc issue too. > > > > > > I'm adding these to local policy for now: > > > > > > selinux_dontaudit_read_fs(ifconfig_t) > > > selinux_dontaudit_read_fs(ndc_t) > > > selinux_dontaudit_read_fs(openvpn_t) > > > > In the long term, the more appropriate interface would be > > seutil_dontaudit_libselinux_linked(), which is for programs that link > > against libselinux for basic reasons, such as doing a setfilecon() or > > setfscreatecon(), but don't use the features that depend on the > > libselinux constructor. > > That makes sense for ifconfig_t and ndc_t that are actually linked > against libselinux, but openvpn_t uses sysnet_exec_ifconfig so perhaps > that interface now needs to add seutil_dontaudit_libselinux_linked() > for its calling domain? I think I can buy that, as long as there is a comment explaining why it's there.
-- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 From dwalsh at redhat.com Fri Jun 26 15:04:11 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 26 Jun 2009 11:04:11 -0400 Subject: ifconfig SELinux alert in Fedora 11 In-Reply-To: <1246022394.4230.1287.camel@gorn.columbia.tresys.com> References: <4A393186.9000502@fedoraproject.org> <4A3A9627.9080102@redhat.com> <4A3B6051.4040908@fedoraproject.org> <4A3CC3CC.9060302@redhat.com> <4A3D4435.9030302@fedoraproject.org> <20090622075835.68bb0eac@metropolis.intra.city-fan.org> <4A3F50C6.3060008@city-fan.org> <20090623161119.760ffee5@metropolis.intra.city-fan.org> <1245950654.4230.906.camel@gorn.columbia.tresys.com> <20090625221251.2e98bb58@metropolis.intra.city-fan.org> <1246022394.4230.1287.camel@gorn.columbia.tresys.com> Message-ID: <4A44E36B.8090008@redhat.com> On 06/26/2009 09:19 AM, Christopher J. PeBenito wrote: > On Thu, 2009-06-25 at 22:12 +0100, Paul Howarth wrote: >> On Thu, 25 Jun 2009 13:24:14 -0400 >> "Christopher J. PeBenito" wrote: >> >>> On Tue, 2009-06-23 at 16:11 +0100, Paul Howarth wrote: >>>> On Mon, 22 Jun 2009 10:37:10 +0100 >>>> Paul Howarth wrote: >>>> >>>>> On 22/06/09 07:58, Paul Howarth wrote: >>>>>> On Sun, 21 Jun 2009 01:49:01 +0530 >>>>>> Rahul Sundaram wrote: >>>>>> >>>>>>> On 06/20/2009 04:41 PM, Daniel J Walsh wrote: >>>>>>>> On 06/19/2009 05:54 AM, Rahul Sundaram wrote: >>>>>>>> Is it continuing to happen or was this a one time >>>>>>>> occurrence. The only code that I imagine opens and >>>>>>>> reads /selinux/mls is libselinux and this opens it, reads the >>>>>>>> value and closes the file in the same function call, so it >>>>>>>> can not leak. >>>>>>> It happens everytime I connect to a CDMA network via >>>>>>> NetworkManager and run vpnc. 
>>>>>>> >>>>>>> Rahul >>>>>> I've just had a very similar denial, when starting openvpn via >>>>>> NetworkManager: >>>>>> >>>>>> type=AVC msg=audit(1245653684.772:27): avc: denied { read } >>>>>> for pid=5486 comm="openvpn" name="mls" dev=selinuxfs ino=12 >>>>>> scontext=system_u:system_r:openvpn_t:s0 >>>>>> tcontext=system_u:object_r:security_t:s0 tclass=file >>>>>> type=SYSCALL msg=audit(1245653684.772:27): arch=c000003e >>>>>> syscall=2 success=no exit=-13 a0=7fff5652e270 a1=0 a2=7fff5652e27c >>>>>> a3=fffffff8 items=0 ppid=5475 pid=5486 auid=4294967295 uid=0 gid=0 >>>>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) >>>>>> ses=4294967295 comm="openvpn" exe="/usr/sbin/openvpn" >>>>>> subj=system_u:system_r:openvpn_t:s0 key=(null) >>>>>> >>>>>> Didn't stop openvpn working. >>>>> Just got this one too, after running "rndc querylog" to turn on >>>>> named's query logging from a root shell. >>>>> >>>>> type=AVC msg=audit(1245663191.793:115): avc: denied { read } >>>>> for pid=21774 comm="rndc" name="mls" dev=selinuxfs ino=12 >>>>> scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 >>>>> tcontext=system_u:object_r:security_t:s0 tclass=file >>>>> type=SYSCALL msg=audit(1245663191.793:115): arch=c000003e syscall=2 >>>>> success=no exit=-13 a0=7fffa1a717d0 a1=0 a2=7fffa1a717dc a3=fffffff8 >>>>> items=0 ppid=14800 pid=21774 auid=500 uid=0 gid=0 euid=0 suid=0 >>>>> fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=5 comm="rndc" >>>>> exe="/usr/sbin/rndc" >>>>> subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null) >>>> /usr/sbin/rndc is linked against libselinux, which ties in with >>>> Stephen's explanation of the openvpn/vpnc issue too.
>>>>
>>>> I'm adding these to local policy for now:
>>>>
>>>> selinux_dontaudit_read_fs(ifconfig_t)
>>>> selinux_dontaudit_read_fs(ndc_t)
>>>> selinux_dontaudit_read_fs(openvpn_t)
>>> In the long term, the more appropriate interface would be
>>> seutil_dontaudit_libselinux_linked(), which is for programs that link
>>> against libselinux for basic reasons, such as doing a setfilecon() or
>>> setfscreatecon(), but don't use the features that depend on the
>>> libselinux constructor.
>> That makes sense for ifconfig_t and ndc_t that are actually linked
>> against libselinux, but openvpn_t uses sysnet_exec_ifconfig so perhaps
>> that interface now needs to add seutil_dontaudit_libselinux_linked()
>> for its calling domain?
>
> I think I can buy that, as long as there is a comment explaining why it's
> there.
>
Yes, the problem is any confined domain that executes a bin_t or any tool without a transition which loads libselinux will generate this avc.

From chepkov at yahoo.com Tue Jun 30 03:49:08 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Mon, 29 Jun 2009 20:49:08 -0700 (PDT)
Subject: memcached policy
Message-ID: <92357.72402.qm@web36802.mail.mud.yahoo.com>

It seems selinux memcache module has bugs in it or do I miss some boolean?
I seriously doubt about first one.
memcached-selinux-1.2.8-1.fc11.i586

type=AVC msg=audit(1246327827.194:59): avc: denied { write } for pid=2559 comm="memcached" name="memcached.pid" dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file

type=AVC msg=audit(1246332806.070:95): avc: denied { write } for pid=3780 comm="memcached" scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:system_r:memcached_t:s0 tclass=netlink_route_socket

type=AVC msg=audit(1246332806.070:97): avc: denied { name_bind } for pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1246332806.071:98): avc: denied { name_bind } for pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=udp_socket

Sincerely yours,
Vadym Chepkov

From domg472 at gmail.com Tue Jun 30 08:04:40 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 30 Jun 2009 10:04:40 +0200
Subject: memcached policy
In-Reply-To: <92357.72402.qm@web36802.mail.mud.yahoo.com>
References: <92357.72402.qm@web36802.mail.mud.yahoo.com>
Message-ID: <1246349080.13959.6.camel@notebook2.grift.internal>

On Mon, 2009-06-29 at 20:49 -0700, Vadym Chepkov wrote:
> It seems selinux memcache module has bugs in it or do I miss some boolean?
> I seriously doubt about first one.
>
> memcached-selinux-1.2.8-1.fc11.i586
>
> type=AVC msg=audit(1246327827.194:59): avc: denied { write } for pid=2559 comm="memcached" name="memcached.pid" dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file
>
> type=AVC msg=audit(1246332806.070:95): avc: denied { write } for pid=3780 comm="memcached" scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:system_r:memcached_t:s0 tclass=netlink_route_socket
>
> type=AVC msg=audit(1246332806.070:97): avc: denied { name_bind } for pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
> type=AVC msg=audit(1246332806.071:98): avc: denied { name_bind } for pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=udp_socket
>
> Sincerely yours,
> Vadym Chepkov

This is what audit2why says here:

[root@notebook2 Desktop]# echo "type=AVC msg=audit(1246327827.194:59): avc: denied { write } for pid=2559 comm="memcached" name="memcached.pid" dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file" | audit2why
type=AVC msg=audit(1246327827.194:59): avc: denied { write } for pid=2559 comm=memcached name=memcached.pid dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file

        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.
This is my version of selinux policy:

[root@notebook2 Desktop]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.6.12-61.fc11.noarch
selinux-policy-3.6.12-61.fc11.noarch

This is what sesearch says here:

[root@notebook2 Desktop]# sesearch --allow -s memcached_t -t memcache_port_t
Found 2 semantic av rules:
   allow memcached_t memcache_port_t : tcp_socket name_bind ;
   allow memcached_t memcache_port_t : udp_socket name_bind ;

Conclusion: This access is allowed in 3.6.12-61. You can get it from koji.fedoraproject.org/koji

Also have a look at this: http://danwalsh.livejournal.com/29463.html

Hth,

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:

From domg472 at gmail.com Tue Jun 30 08:09:59 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 30 Jun 2009 10:09:59 +0200
Subject: memcached policy
In-Reply-To: <92357.72402.qm@web36802.mail.mud.yahoo.com>
References: <92357.72402.qm@web36802.mail.mud.yahoo.com>
Message-ID: <1246349399.13959.9.camel@notebook2.grift.internal>

On Mon, 2009-06-29 at 20:49 -0700, Vadym Chepkov wrote:
> memcached-selinux-1.2.8-1.fc11.i586

By the way, you do not have to install this package. Policy for memcache daemon was adopted by selinux-policy.

By installing that package you effectively replace what was a working policy module by one that is flawed.

Uninstall the package and -Uvh --force the latest selinux-policy* rpms.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:

From jmorris at namei.org Tue Jun 30 08:56:42 2009
From: jmorris at namei.org (James Morris)
Date: Tue, 30 Jun 2009 18:56:42 +1000 (EST)
Subject: "Big Thanks To The SELinux Team"
Message-ID:

http://californiaquantum.wordpress.com/2009/06/30/big-thanks-to-the-selinux-team/

"I've now been running Fedora 11 for three weeks and haven't had a single SELinux issue at all. Maybe I am unique, but from what I can tell SELinux with Fedora 11 no longer has any annoying issues while running in enforcing mode."

-- 
James Morris

From icon at fedoraproject.org Tue Jun 30 10:27:13 2009
From: icon at fedoraproject.org (Konstantin Ryabitsev)
Date: Tue, 30 Jun 2009 06:27:13 -0400
Subject: memcached policy
In-Reply-To: <1246349399.13959.9.camel@notebook2.grift.internal>
References: <92357.72402.qm@web36802.mail.mud.yahoo.com> <1246349399.13959.9.camel@notebook2.grift.internal>
Message-ID:

On Tue, Jun 30, 2009 at 4:09 AM, Dominick Grift wrote:
> On Mon, 2009-06-29 at 20:49 -0700, Vadym Chepkov wrote:
>> memcached-selinux-1.2.8-1.fc11.i586
>
> By the way, you do not have to install this package. Policy for memcache
> daemon was adopted by selinux-policy.
>
> By installing that package you effectively replace what was a working policy
> module by one that is flawed.

I must have missed the fact that it got added to the overall policy. Would have been nice to receive some sort of news (or a bug report) that the memcached-selinux package is now redundant. Could you tell me in which Fedora release the memcached policy was added?
Regards,
-- 
Konstantin Ryabitsev
Montréal, Québec

From domg472 at gmail.com Tue Jun 30 11:18:04 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 30 Jun 2009 13:18:04 +0200
Subject: memcached policy
In-Reply-To:
References: <92357.72402.qm@web36802.mail.mud.yahoo.com> <1246349399.13959.9.camel@notebook2.grift.internal>
Message-ID: <1246360689.14447.0.camel@notebook2.grift.internal>

On Tue, 2009-06-30 at 06:27 -0400, Konstantin Ryabitsev wrote:
> On Tue, Jun 30, 2009 at 4:09 AM, Dominick Grift wrote:
> > On Mon, 2009-06-29 at 20:49 -0700, Vadym Chepkov wrote:
> >> memcached-selinux-1.2.8-1.fc11.i586
> >
> > By the way, you do not have to install this package. Policy for memcache
> > daemon was adopted by selinux-policy.
> >
> > By installing that package you effectively replace what was a working policy
> > module by one that is flawed.
>
> I must have missed the fact that it got added to the overall policy.
> Would have been nice to receive some sort of news (or a bug report)
> that the memcached-selinux package is now redundant. Could you tell me
> in which Fedora release the memcached policy was added?
>
> Regards,

* Fri Aug 29 2008 Dan Walsh 3.5.5-4
- Allow pcsd to dbus
- Add memcache policy

From shintaro.fujiwara at gmail.com Tue Jun 30 11:29:28 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Tue, 30 Jun 2009 20:29:28 +0900
Subject: constraints
Message-ID:

Hi, I want to yum install or update from certain domain (segatex_t), but although I set segatex.te right permission even I dontaudit disabled in vain.
So, I followed Mr. Walsh lecture, asking audit2why.

I still don't know how to solve the problem so please help.
[root@notepc ~]# audit2why -i /var/log/audit/audit.log
type=AVC msg=audit(1246361092.291:17): avc: denied { transition } for pid=3116 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330 scontext=unconfined_u:unconfined_r:segatex_t:s0 tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process

        Was caused by:
                Policy constraint violation.

                May require adding a type attribute to the domain or type to satisfy the constraint.

                Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1246361092.303:18): avc: denied { transition } for pid=3117 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330 scontext=unconfined_u:unconfined_r:segatex_t:s0 tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process

        Was caused by:
                Policy constraint violation.

                May require adding a type attribute to the domain or type to satisfy the constraint.

                Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

-- 
http://intrajp.no-ip.com/ Home Page

From domg472 at gmail.com Tue Jun 30 11:47:46 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 30 Jun 2009 13:47:46 +0200
Subject: constraints
In-Reply-To:
References:
Message-ID: <1246362466.14447.5.camel@notebook2.grift.internal>

On Tue, 2009-06-30 at 20:29 +0900, Shintaro Fujiwara wrote:
> Hi, I want to yum install or update from certain domain (segatex_t),
> but although I set segatex.te right permission even I dontaudit
> disabled in vain.
> So, I followed Mr. Walsh lecture, asking audit2why.
>
> I still don't know how to solve the problem so please help.
>
> [root@notepc ~]# audit2why -i /var/log/audit/audit.log
> type=AVC msg=audit(1246361092.291:17): avc: denied { transition }
> for pid=3116 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330
> scontext=unconfined_u:unconfined_r:segatex_t:s0
> tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process
>
> Was caused by:
> Policy constraint violation.
>
> May require adding a type attribute to the domain or type to satisfy
> the constraint.
>
> Constraints are defined in the policy sources in policy/constraints
> (general), policy/mcs (MCS), and policy/mls (MLS).
>
> type=AVC msg=audit(1246361092.303:18): avc: denied { transition }
> for pid=3117 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330
> scontext=unconfined_u:unconfined_r:segatex_t:s0
> tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process
>
> Was caused by:
> Policy constraint violation.
>
> May require adding a type attribute to the domain or type to satisfy
> the constraint.
>
> Constraints are defined in the policy sources in policy/constraints
> (general), policy/mcs (MCS), and policy/mls (MLS).
>

I am not sure about this but looking at the rpm_run() and rpm_transition_script() interfaces, I suspect this may be related:

        domain_system_change_exemption(segatex_t)
        role_transition unconfined_r rpm_exec_t system_r;
        allow unconfined_r system_r;

From shintaro.fujiwara at gmail.com Tue Jun 30 12:49:28 2009
From: shintaro.fujiwara at gmail.com (Shintaro Fujiwara)
Date: Tue, 30 Jun 2009 21:49:28 +0900
Subject: constraints
In-Reply-To: <1246362466.14447.5.camel@notebook2.grift.internal>
References: <1246362466.14447.5.camel@notebook2.grift.internal>
Message-ID:

Thanks, Dominick.

I added domain_system_change_exemption(segatex_t) to segatex.te and it worked fine.

Thanks !!
2009/6/30 Dominick Grift :
> On Tue, 2009-06-30 at 20:29 +0900, Shintaro Fujiwara wrote:
>> Hi, I want to yum install or update from certain domain (segatex_t),
>> but although I set segatex.te right permission even I dontaudit
>> disabled in vain.
>> So, I followed Mr. Walsh lecture, asking audit2why.
>>
>> I still don't know how to solve the problem so please help.
>>
>> [root@notepc ~]# audit2why -i /var/log/audit/audit.log
>> type=AVC msg=audit(1246361092.291:17): avc: denied { transition }
>> for pid=3116 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330
>> scontext=unconfined_u:unconfined_r:segatex_t:s0
>> tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process
>>
>>        Was caused by:
>>                Policy constraint violation.
>>
>>                May require adding a type attribute to the domain or type to satisfy
>> the constraint.
>>
>>                Constraints are defined in the policy sources in policy/constraints
>> (general), policy/mcs (MCS), and policy/mls (MLS).
>>
>> type=AVC msg=audit(1246361092.303:18): avc: denied { transition }
>> for pid=3117 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330
>> scontext=unconfined_u:unconfined_r:segatex_t:s0
>> tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process
>>
>>        Was caused by:
>>                Policy constraint violation.
>>
>>                May require adding a type attribute to the domain or type to satisfy
>> the constraint.
>>
>>                Constraints are defined in the policy sources in policy/constraints
>> (general), policy/mcs (MCS), and policy/mls (MLS).
>>
>
> I am not sure about this but looking at the rpm_run() and
> rpm_transition_script() interfaces, i suspect this may be related:
>
>        domain_system_change_exemption(segatex_t)
>        role_transition unconfined_r rpm_exec_t system_r;
>
>        allow unconfined_r system_r;
>
>

-- 
http://intrajp.no-ip.com/ Home Page

From rcritten at redhat.com Tue Jun 30 14:08:52 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Jun 2009 10:08:52 -0400
Subject: Supporting multiple OS releases
Message-ID: <4A4A1C74.5040600@redhat.com>

In the freeIPA project we have our own SELinux policy. We support RHEL 5 up through Fedora Rawhide. With Fedora 11 we saw some problems compiling our SELinux module which Dan Walsh provided a patch for. I haven't tried this on older releases yet but I'm guessing it won't work as expected (some policies seem to have been renamed, such as corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()

My question is, how can we handle this in our source tree? Are we going to need to maintain per-release policies or does SELinux support some sort of versioning conditionals?

thanks

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL:

From domg472 at gmail.com Tue Jun 30 14:27:38 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 30 Jun 2009 16:27:38 +0200
Subject: Supporting multiple OS releases
In-Reply-To: <4A4A1C74.5040600@redhat.com>
References: <4A4A1C74.5040600@redhat.com>
Message-ID: <1246372058.14447.15.camel@notebook2.grift.internal>

On Tue, 2009-06-30 at 10:08 -0400, Rob Crittenden wrote:
> In the freeIPA project we have our own SELinux policy. We support RHEL 5
> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
> our SELinux module which Dan Walsh provided a patch for. I haven't tried
> this on older releases yet but I'm guessing it won't work as expected
> (some policies seem to have been renamed, such as
> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()
>
> My question is, how can we handle this in our source tree?
> Are we going
> to need to maintain per-release policies or does SELinux support some
> sort of versioning conditionals?
>
> thanks
>
> rob

There is tunable policy, meaning you can tune your policy for specific distros for example. You do this by building the policy with DISTRO=(distro).

See the SELinux makefile: http://oss.tresys.com/projects/refpolicy/browser/trunk/Makefile starting at line 179:

# enable distribution-specific policy

Then in the policy itself you would put the distro specifics into separate blocks of policy. For example:

http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/apache.te starting at line 702:

ifdef(`distro_redhat',`
')

Which is policy specific to RedHat distributions. So if you build with DISTRO=redhat this specific policy is added.

You may or may not be able to use this mechanism for your scenario.

From jonathan.stott at gmail.com Tue Jun 30 15:21:21 2009
From: jonathan.stott at gmail.com (Jonathan Stott)
Date: Tue, 30 Jun 2009 16:21:21 +0100
Subject: SELinux and gitosis (FC11)
Message-ID: <20090630162121.58df1092@hzhangpg02.ph.man.ac.uk>

Hi all

Today I updated to FC11 and gitosis stopped working (gitosis is a collection of scripts for easing multiuser access to git repositories over ssh). I can tell it's an SELinux problem, because '/sbin/setenforcing 0' clears it up.

On the server, the git repositories are managed by the 'git' user, which has the guest_u selinux type (though it also fails when given the user_u user). The home directory (/home/git) has the correct selinux context (user_home_t) as far as I can tell and I've run 'restorecon -Rvv' anyway, just to be sure.
gitosis works by calling a system binary, gitosis-serve, which lives in /usr/bin/ and has the type of 'bin_t' so guest_u should be able to execute it. Even with 'setenforcing 0' no AVC denials are created though. Checking /var/log/secure shows that the key is being accepted, and it seems like the process then hangs.

Any suggestions appreciated,
Regards
Jon

From domg472 at gmail.com Tue Jun 30 15:35:39 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 30 Jun 2009 17:35:39 +0200
Subject: SELinux and gitosis (FC11)
In-Reply-To: <20090630162121.58df1092@hzhangpg02.ph.man.ac.uk>
References: <20090630162121.58df1092@hzhangpg02.ph.man.ac.uk>
Message-ID: <1246376140.14447.25.camel@notebook2.grift.internal>

On Tue, 2009-06-30 at 16:21 +0100, Jonathan Stott wrote:
> Hi all
>
> Today I updated to FC11 and gitosis stopped working (gitosis is a collection of scripts for easing multiuser access to git repositories over ssh). I can tell it's an SELinux problem, because '/sbin/setenforcing 0' clears it up.
>
> On the server, the git repositories are managed by the 'git' user, which has the guest_u selinux type (though it also fails when given the user_u user). The home directory (/home/git) has the correct selinux context (user_home_t) as far as I can tell and I've run 'restorecon -Rvv' anyway, just to be sure. gitosis works by calling a system binary, gitosis-serve, which lives in /usr/bin/ and has the type of 'bin_t' so guest_u should be able to execute it. Even with 'setenforcing 0' no AVC denials are created though. Checking /var/log/secure shows that the key is being accepted, and it seems like the process then hangs.
>
> Any suggestions appreciated,
> Regards
> Jon

Hi,

Unload any silenced denials by running:

semodule -DB

try gitosis again (in permissive mode)

After that see /var/log/audit/audit.log and attach the applicable part so that we can have a look.
After testing put it back into enforcing mode and reload the silenced denials with

semodule -B

We need to have a look at avc denials.

From mgrepl at redhat.com Tue Jun 30 17:20:20 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Tue, 30 Jun 2009 19:20:20 +0200
Subject: SELinux and gitosis (FC11)
In-Reply-To: <20090630162121.58df1092@hzhangpg02.ph.man.ac.uk>
References: <20090630162121.58df1092@hzhangpg02.ph.man.ac.uk>
Message-ID: <4A4A4954.40308@redhat.com>

On 06/30/2009 05:21 PM, Jonathan Stott wrote:
> Hi all
>
> Today I updated to FC11 and gitosis stopped working (gitosis is a collection of scripts for easing multiuser access to git repositories over ssh). I can tell it's an SELinux problem, because '/sbin/setenforcing 0' clears it up.
>
> On the server, the git repositories are managed by the 'git' user, which has the guest_u selinux type (though it also fails when given the user_u user). The home directory (/home/git) has the correct selinux context (user_home_t) as far as I can tell and I've run 'restorecon -Rvv' anyway, just to be sure. gitosis works by calling a system binary, gitosis-serve, which lives in /usr/bin/ and has the type of 'bin_t'

What is your version of selinux-policy?

# rpm -q selinux-policy selinux-policy-targeted

gitosis-serve should have the following context:

# ls -Z /usr/bin/gitosis-serve
-rwxr-xr-x. root root system_u:object_r:gitosis_exec_t:s0 /usr/bin/gitosis-serve

> so guest_u should be able to execute it. Even with 'setenforcing 0' no AVC denials are created though. Checking /var/log/secure shows that the key is being accepted, and it seems like the process then hangs.
>
> Any suggestions appreciated,
> Regards
> Jon
>

From dwalsh at redhat.com Tue Jun 30 20:27:16 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 30 Jun 2009 16:27:16 -0400
Subject: Supporting multiple OS releases
In-Reply-To: <4A4A1C74.5040600@redhat.com>
References: <4A4A1C74.5040600@redhat.com>
Message-ID: <4A4A7524.8010308@redhat.com>

On 06/30/2009 10:08 AM, Rob Crittenden wrote:
> In the freeIPA project we have our own SELinux policy. We support RHEL 5
> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
> our SELinux module which Dan Walsh provided a patch for. I haven't tried
> this on older releases yet but I'm guessing it won't work as expected
> (some policies seem to have been renamed, such as
> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()
>
> My question is, how can we handle this in our source tree? Are we going
> to need to maintain per-release policies or does SELinux support some
> sort of versioning conditionals?
>
> thanks
>
> rob
>

The old interface will work, it just reports a nasty warning message when you compile it against newer policy. So I think you are safe compiling it on RHEL5 and installing it on F10/F11.
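Rob asked whether he needs per-release policy sources or some kind of versioning conditional; Dominick pointed at the DISTRO/ifdef mechanism and Dan noted that the old interface spelling still compiles against newer policy, with a warning. A third option is to resolve the spelling at build time: scan the interface headers installed on the build host for the names that actually exist and pick the first alternative that is defined. The script below is an added example for this thread, not code from freeIPA, refpolicy or Fedora's selinux-policy. It assumes the Fedora layout in which selinux-policy-devel installs the interface files under /usr/share/selinux/devel/include (the `names_on_host` helper), and the two `.if` texts at the bottom are constructed stand-ins for an older and a newer release so it runs offline; the name pairs in `ALTERNATIVES` are the renames reported in this thread.

```python
"""Pick, at build time, the refpolicy interface names that exist on this host.

Added example for the "Supporting multiple OS releases" thread; not code from
freeIPA, refpolicy or Fedora's selinux-policy. Assumes the Fedora layout where
selinux-policy-devel puts interface files under /usr/share/selinux/devel/include.
The .if texts at the bottom are constructed stand-ins so the module runs offline.
"""
import os
import re
from typing import Dict, Iterable, List, Sequence, Set

# A refpolicy interface definition opens with interface(`name',` and a template
# with template(`name',`; either one makes the name callable from a .te file.
_DEF_RE = re.compile(r"^\s*(?:interface|template)\(`([A-Za-z0-9_]+)'", re.M)


def defined_names(if_texts: Iterable[str]) -> Set[str]:
    """Return every interface/template name defined in the given .if file contents."""
    names: Set[str] = set()
    for text in if_texts:
        names.update(_DEF_RE.findall(text))
    return names


def names_on_host(root: str = "/usr/share/selinux/devel/include") -> Set[str]:
    """Read all *.if files under the devel include tree (real-host use only)."""
    texts = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.endswith(".if"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    texts.append(fh.read())
    return defined_names(texts)


# Newest spelling first, older spellings after it: the renames reported in the thread.
ALTERNATIVES: Dict[str, Sequence[str]] = {
    "recvfrom_unlabeled": ("corenet_all_recvfrom_unlabeled",
                           "corenet_non_ipsec_sendrecv"),
    "dontaudit_admin_home": ("userdom_dontaudit_search_admin_dir",
                             "userdom_dontaudit_search_sysadm_home_dirs"),
}


def select_calls(available: Set[str], domain: str,
                 alternatives: Dict[str, Sequence[str]] = ALTERNATIVES) -> List[str]:
    """Emit one interface call per entry, using the first spelling this host defines.

    Raising when no spelling is defined makes the build stop with a clear message
    instead of checkmodule's later "syntax error at token".
    """
    calls = []
    for key, spellings in alternatives.items():
        chosen = next((s for s in spellings if s in available), None)
        if chosen is None:
            raise LookupError(f"{key}: none of {spellings} is defined on this host")
        calls.append(f"{chosen}({domain})")
    return calls


# Constructed sample headers: one release that only knows the old names, one that
# only knows the new ones. Real .if files also carry doc comments and rule bodies.
OLD_RELEASE_IF = """
interface(`corenet_non_ipsec_sendrecv',`
    gen_require(`
        type unlabeled_t;
    ')
')
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
')
"""
NEW_RELEASE_IF = """
interface(`corenet_all_recvfrom_unlabeled',`
')
interface(`userdom_dontaudit_search_admin_dir',`
')
template(`userdom_unpriv_user_template',`
')
"""

if __name__ == "__main__":
    # On a real build host replace defined_names([...]) with names_on_host().
    for call in select_calls(defined_names([NEW_RELEASE_IF]), "ipa_webgui_t"):
        print(call)
```

The generated lines are meant to be written into a small `.te` fragment that the module's main `.te` includes, so the checked-in source carries the alternatives table rather than one copy of the policy per release; the `ifdef(`distro_redhat',`...')` blocks Dominick describes remain the right tool for policy that differs in substance rather than just in interface spelling.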
From rcritten at redhat.com Tue Jun 30 20:41:37 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 30 Jun 2009 16:41:37 -0400
Subject: Supporting multiple OS releases
In-Reply-To: <4A4A7524.8010308@redhat.com>
References: <4A4A1C74.5040600@redhat.com> <4A4A7524.8010308@redhat.com>
Message-ID: <4A4A7881.6040303@redhat.com>

Daniel J Walsh wrote:
> On 06/30/2009 10:08 AM, Rob Crittenden wrote:
>> In the freeIPA project we have our own SELinux policy. We support RHEL 5
>> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
>> our SELinux module which Dan Walsh provided a patch for. I haven't tried
>> this on older releases yet but I'm guessing it won't work as expected
>> (some policies seem to have been renamed, such as
>> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()
>>
>> My question is, how can we handle this in our source tree? Are we going
>> to need to maintain per-release policies or does SELinux support some
>> sort of versioning conditionals?
>>
>> thanks
>>
>> rob
>>
> The old interface will work, it just reports a nasty warning message
> when you compile it against newer policy. So I think you are safe
> compiling it on RHEL5 and installing it on F10/F11.

We compile it on the given platform so we need some way to support all at once.
For example, the code that builds fine on F-11 fails like this on F-9:

Compiling targeted ipa_webgui module
/usr/bin/checkmodule: loading policy configuration from tmp/ipa_webgui.tmp
ipa_webgui.te":77:ERROR 'syntax error' at token 'userdom_dontaudit_search_admin_dir' on line 10764:
userdom_dontaudit_search_admin_dir(ipa_webgui_t)

The diff between F-11 and F-9 being:

-userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t)
+userdom_dontaudit_search_admin_dir(ipa_webgui_t)

rob

From cra at WPI.EDU Tue Jun 30 20:48:44 2009
From: cra at WPI.EDU (Chuck Anderson)
Date: Tue, 30 Jun 2009 16:48:44 -0400
Subject: cgi script needs to write to a cache location
Message-ID: <20090630204844.GG30528@angus.ind.WPI.EDU>

I have a cgi script /usr/share/cricket/cgi-bin/grapher.cgi which needs to write generated images to a cache in /var/cache/cricket. I'm using these file contexts to get the cgi script and static files working:

/usr/share/[^/]*/www(/.*)?        system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/html(/.*)?       system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/cgi-bin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0

so grapher.cgi is running as httpd_sys_script_exec_t. What type should I make /var/cache/cricket(/.*)? to allow the cgi to read/write/create files in this directory?

I tried making /var/cache/cricket system_u:object_r:httpd_cache_t.
Here is the output of audit2allow after running this under "setenforce 0":

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_cache_t:dir { write search getattr setattr add_name };
allow httpd_sys_script_t httpd_cache_t:file { write read create ioctl getattr };

Is there a better type in the standard policy than httpd_cache_t that will allow httpd_sys_script_exec_t to write/create, or will I need to define this policy myself?

Thanks.

From domg472 at gmail.com Tue Jun 30 20:53:56 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 30 Jun 2009 22:53:56 +0200
Subject: cgi script needs to write to a cache location
In-Reply-To: <20090630204844.GG30528@angus.ind.WPI.EDU>
References: <20090630204844.GG30528@angus.ind.WPI.EDU>
Message-ID: <1246395236.14447.44.camel@notebook2.grift.internal>

On Tue, 2009-06-30 at 16:48 -0400, Chuck Anderson wrote:
> I have a cgi script /usr/share/cricket/cgi-bin/grapher.cgi which needs
> to write generated images to a cache in /var/cache/cricket. I'm using
> these file contexts to get the cgi script and static files working:
>
> /usr/share/[^/]*/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
> /usr/share/[^/]*/html(/.*)? system_u:object_r:httpd_sys_content_t:s0
> /usr/share/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
>
> so grapher.cgi is running as httpd_sys_script_exec_t. What type
> should I make /var/cache/cricket(/.*)? to allow the cgi to
> read/write/create files in this directory?
>
> I tried making /var/cache/cricket system_u:object_r:httpd_cache_t.
> Here is the output of audit2allow after running this under "setenforce
> 0":
>
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t httpd_cache_t:dir { write search getattr setattr add_name };
> allow httpd_sys_script_t httpd_cache_t:file { write read create ioctl getattr };
>
> Is there a better type in the standard policy than httpd_cache_t that
> will allow httpd_sys_script_exec_t to write/create, or will I need to
> define this policy myself?
>
> Thanks.

semanage fcontext -a -t httpd_sys_content_rw_t "/var/cache/cricket(/.*)?"
restorecon -R -v /var/cache/cricket

Should work I believe

man httpd_selinux

From dwalsh at redhat.com Tue Jun 30 21:28:32 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 30 Jun 2009 17:28:32 -0400
Subject: Supporting multiple OS releases
In-Reply-To: <4A4A7881.6040303@redhat.com>
References: <4A4A1C74.5040600@redhat.com> <4A4A7524.8010308@redhat.com> <4A4A7881.6040303@redhat.com>
Message-ID: <4A4A8380.3060707@redhat.com>

On 06/30/2009 04:41 PM, Rob Crittenden wrote:
> Daniel J Walsh wrote:
>> On 06/30/2009 10:08 AM, Rob Crittenden wrote:
>>> In the freeIPA project we have our own SELinux policy. We support RHEL 5
>>> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
>>> our SELinux module which Dan Walsh provided a patch for. I haven't tried
>>> this on older releases yet but I'm guessing it won't work as expected
>>> (some policies seem to have been renamed, such as
>>> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()
>>>
>>> My question is, how can we handle this in our source tree?
>>> Are we going
>>> to need to maintain per-release policies or does SELinux support some
>>> sort of versioning conditionals?
>>>
>>> thanks
>>>
>>> rob
>>>
>> The old interface will work, it just reports a nasty warning message
>> when you compile it against newer policy. So I think you are safe
>> compiling it on RHEL5 and installing it on F10/F11.
>
> We compile it on the given platform so we need some way to support all
> at once.
>
> For example, the code that builds fine on F-11 fails like this on F-9:
>
> Compiling targeted ipa_webgui module
> /usr/bin/checkmodule: loading policy configuration from tmp/ipa_webgui.tmp
> ipa_webgui.te":77:ERROR 'syntax error' at token
> 'userdom_dontaudit_search_admin_dir' on line 10764:
> userdom_dontaudit_search_admin_dir(ipa_webgui_t)
>
> The diff between F-11 and F-9 being:
>
> -userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t)
> +userdom_dontaudit_search_admin_dir(ipa_webgui_t)
>
> rob
>

Right, I think you would need to build on F9 for support on F11, not the other way around. Just like you would do with shared libraries. You would not expect a C executable built on F11 to run on F9?

From chepkov at yahoo.com Tue Jun 30 22:02:20 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Tue, 30 Jun 2009 15:02:20 -0700 (PDT)
Subject: memcached policy
Message-ID: <224935.37101.qm@web36801.mail.mud.yahoo.com>

Well, this package needs to be obsoleted then. It was an honest mistake, I did yum search memcached and found it.
Anyway, I did

yum erase memcached-selinux
yum reinstall selinux-policy-targeted

But still get avc:

type=AVC msg=audit(1246399071.104:235): avc: denied { read } for pid=23185 comm="memcached" name="cpuinfo" dev=proc ino=4026531978 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

Sincerely yours,
Vadym Chepkov

From domg472 at gmail.com Tue Jun 30 22:55:43 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Wed, 01 Jul 2009 00:55:43 +0200
Subject: memcached policy
In-Reply-To: <224935.37101.qm@web36801.mail.mud.yahoo.com>
References: <224935.37101.qm@web36801.mail.mud.yahoo.com>
Message-ID: <1246402543.14447.48.camel@notebook2.grift.internal>

On Tue, 2009-06-30 at 15:02 -0700, Vadym Chepkov wrote:
> Well, this package needs to be obsoleted then. It was an honest mistake, I did yum search memcached and found it.
>
> Anyway, I did
>
> yum erase memcached-selinux
> yum reinstall selinux-policy-targeted
>
> But still get avc:
>
> type=AVC msg=audit(1246399071.104:235): avc: denied { read } for pid=23185 comm="memcached" name="cpuinfo" dev=proc ino=4026531978 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
>
>
> Sincerely yours,
> Vadym Chepkov
>

that would be;

kernel_read_system_state(memcached_t)

or

kernel_dontaudit_read_system_state(memcached_t)

If you notice loss in functionality then consider reporting this bug to bugzilla.redhat.com in the selinux policy component.
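The memcached thread and the earlier ifconfig/libselinux thread both turn on the same triage step: take each AVC record, work out the rule it would need, and then decide whether the loaded policy already grants it (Dominick's audit2why result of "would be allowed by active policy", pointing at a stale or replaced module), whether it should be written as a refpolicy interface call such as kernel_read_system_state(), or whether it should be silenced instead of allowed (the libselinux read of /selinux/mls, for which Chris PeBenito suggested seutil_dontaudit_libselinux_linked()). The script below is an added example for both threads, not audit2why, audit2allow, sesearch or any code from the page. Its inputs are constructed: the AVC lines are the ones posted in the two threads (the openvpn line with its fields made readable), the sesearch output is the two lines Dominick posted plus one constructed rule standing in for the pid-file access audit2why said the active policy allows, and the interface hints are only the ones named in the threads.

```python
"""Triage SELinux AVC denials against the rules the loaded policy already grants.

Added example for the memcached and ifconfig/libselinux threads above; this is
not audit2why, audit2allow or sesearch. Sample inputs below are constructed from
the messages on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# sesearch prints one rule per line:  allow src tgt : class perm ;  or  { p1 p2 } ;
SESEARCH_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\S+)\s*;")

RuleKey = Tuple[str, str, str]  # (source type, target type, object class)


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    stype: str
    ttype: str
    tclass: str
    name: Optional[str] = None
    dev: Optional[str] = None


def parse_avc(line: str) -> Optional[Denial]:
    """Extract permissions, source/target types, class and object name from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A security context is user:role:type[:range]; the type is the third field.
    return Denial(
        perms=tuple(m.group("perms").split()),
        stype=fields["scontext"].split(":")[2],
        ttype=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
        name=fields.get("name"),
        dev=fields.get("dev"),
    )


def parse_sesearch(lines) -> Dict[RuleKey, Set[str]]:
    """Map (src, tgt, class) to the permissions the loaded policy grants."""
    granted: Dict[RuleKey, Set[str]] = {}
    for line in lines:
        m = SESEARCH_RE.search(line)
        if m:
            src, tgt, cls, perms = m.groups()
            granted.setdefault((src, tgt, cls), set()).update(perms.strip("{} ").split())
    return granted


# Interface named in the thread for this target type and class (alternative: the
# kernel_dontaudit_read_system_state() spelling if the read is not needed).
INTERFACE_HINTS = {("proc_t", "file"): "kernel_read_system_state"}


def hint_for(d: Denial) -> Optional[str]:
    """Suggest a refpolicy interface when the denial matches a pattern from the threads."""
    if d.ttype == "security_t" and d.tclass == "file" and d.name == "mls" and d.dev == "selinuxfs":
        # libselinux's constructor reads /selinux/mls; harmless, so silence rather than allow.
        return "seutil_dontaudit_libselinux_linked"
    return INTERFACE_HINTS.get((d.ttype, d.tclass))


def triage(avc_lines, sesearch_lines) -> List[dict]:
    """Merge denials into audit2allow-style rules and check each against sesearch output.

    status is "already_allowed" when the loaded policy grants every permission (the
    "possible mismatch" case: a stale or replaced module), otherwise "missing".
    """
    granted = parse_sesearch(sesearch_lines)
    merged: Dict[RuleKey, dict] = {}
    for line in avc_lines:
        d = parse_avc(line)
        if d is None:
            continue
        entry = merged.setdefault((d.stype, d.ttype, d.tclass), {"perms": set(), "hint": None})
        entry["perms"].update(d.perms)
        entry["hint"] = entry["hint"] or hint_for(d)
    report = []
    for (src, tgt, cls), entry in merged.items():
        missing = sorted(entry["perms"] - granted.get((src, tgt, cls), set()))
        perms = " ".join(sorted(entry["perms"]))
        report.append({"rule": f"allow {src} {tgt}:{cls} {{ {perms} }};",
                       "missing": missing,
                       "status": "missing" if missing else "already_allowed",
                       "hint": entry["hint"]})
    return report


# Constructed sample input (see the lead-in): denials from the two threads.
SAMPLE_AVC = [
    'type=AVC msg=audit(1246327827.194:59): avc: denied { write } for pid=2559 comm="memcached" name="memcached.pid" dev=dm-3 ino=699 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:object_r:memcached_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1246332806.070:95): avc: denied { write } for pid=3780 comm="memcached" scontext=unconfined_u:system_r:memcached_t:s0 tcontext=unconfined_u:system_r:memcached_t:s0 tclass=netlink_route_socket',
    'type=AVC msg=audit(1246332806.070:97): avc: denied { name_bind } for pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1246332806.071:98): avc: denied { name_bind } for pid=3780 comm="memcached" src=11211 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1246399071.104:235): avc: denied { read } for pid=23185 comm="memcached" name="cpuinfo" dev=proc ino=4026531978 scontext=unconfined_u:system_r:memcached_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file',
    'type=AVC msg=audit(1245653684.772:27): avc: denied { read } for pid=5486 comm="openvpn" name="mls" dev=selinuxfs scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file',
]
SAMPLE_SESEARCH = [
    "Found 2 semantic av rules:",
    "allow memcached_t memcache_port_t : tcp_socket name_bind ;",
    "allow memcached_t memcache_port_t : udp_socket name_bind ;",
    # constructed: stands in for the pid-file rule audit2why reported as already allowed
    "allow memcached_t memcached_var_run_t : file { create getattr open read write } ;",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_AVC, SAMPLE_SESEARCH):
        print(f"{r['status']:16} {r['rule']}  hint={r['hint']}")
```

On a live system the two inputs come from `ausearch -m avc` (or the audit.log lines themselves) and from `sesearch --allow -s <domain>`, as in Dominick's message; an entry that comes back "already_allowed" is the signal to check which module is actually loaded rather than to write another allow rule.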