From gene.heskett at verizon.net Sun Mar 1 00:06:39 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sat, 28 Feb 2009 19:06:39 -0500
Subject: f10 vs selinux again.
In-Reply-To: <94C3B204-16EA-45A4-820E-8E4D3DE22D27@nall.com>
References: <1235850300.11365.42.camel@notebook1.grift.internal> <200902281818.06034.gene.heskett@verizon.net> <94C3B204-16EA-45A4-820E-8E4D3DE22D27@nall.com>
Message-ID: <200902281906.40098.gene.heskett@verizon.net>

On Saturday 28 February 2009, Joe Nall wrote:
>On Feb 28, 2009, at 5:18 PM, Gene Heskett wrote:
>> ...
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=enabeled
>
>enabeled (other than being misspelled) is not a valid choice
>(enforcing, permissive, disabled)

Duh, by George you're right. But I can't see fixing that till we get the
base.pp problem fixed.

>> ...
>> [root at coyote radeon]# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: error (Success)
>
>because the mode from the config file is not correct
>
>joe

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I either want less decadence or more chance to participate in it.

From gene.heskett at verizon.net Sun Mar 1 00:11:50 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sat, 28 Feb 2009 19:11:50 -0500
Subject: f10 vs selinux again.
In-Reply-To: <1235864772.11365.82.camel@notebook1.grift.internal>
References: <1235850300.11365.42.camel@notebook1.grift.internal> <200902281818.06034.gene.heskett@verizon.net> <1235864772.11365.82.camel@notebook1.grift.internal>
Message-ID: <200902281911.50435.gene.heskett@verizon.net>

On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 16:09 -0500, Gene Heskett wrote:
>> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >On Sat, 2009-02-28 at 15:32 -0500, Gene Heskett wrote:
>> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >On Sat, 2009-02-28 at 14:15 -0500, Gene Heskett wrote:
>> >> >> >> On Saturday 28 February 2009, Dominick Grift wrote:
>> >> >> >> >On Sat, 2009-02-28 at 12:53 -0500, Gene Heskett wrote:
>> >> >> >> >> Greetings all;
>> >> >> >> >>
>> >> >> >> >> I have just upgraded then updated as much as possible, an F8 install
>> >> >> >> >> to F10. selinux is now denying ConsoleKit and friends, and awstats.
>> >> >> >> >> F10 will run without console-kit-daemon I find, but I went so far as
>> >> >> >> >> to touch /.autorelabel & reboot & leave it to contemplate its sins
>> >> >> >> >> for an hour or so as there is nearly 2TB of drives here. Didn't help.
>> >> >> >> >>
>> >> >> >> >> So now I have selinux disabled, and everything is working. Can this
>> >> >> >> >> be addressed?
>> >> >> >> >
>> >> >> >> >Can you show us the avc denials related to your issues? avc denials
>> >> >> >> >are sent to /var/log/audit/audit.log and can be retrieved with the
>> >> >> >> >ausearch command. For example use: ausearch -m avc -ts today, to
>> >> >> >> >retrieve today's avc denials.
>> >> >> >>
>> >> >> >> None today, I turned it off, yesterday's is attached.
>> >> >> >>
>> >> >> >> >You state that you updated as much as possible. What did you not
>> >> >> >> >update?
>> >> >> >>
>> >> >> >> About 70 packages are left, all the java stuff cuz I've installed from
>> >> >> >> Sun, I've nuked fedora's firefox cuz I already had 3.0.6 (had to fix
>> >> >> >> that up by hand and some of the menus are still fubar) and anytime I
>> >> >> >> do a -devel, it barfs over strigi. What the heck does that thing do
>> >> >> >> anywho?
>> >> >> >>
>> >> >> >> I also am not running the F10 kernel cuz I have to set stakes and call
>> >> >> >> a surveyor to measure screen scrolling speed, so I'm running 2.6.28.7
>> >> >> >> and am building the xorg drm and xf86-r6xx-r7xx-radeonhd trees. Now
>> >> >> >> glxgears says 275-300 fps and I can tolerate it. Anyway, from the
>> >> >> >> yumex screen:
>> >> >> >>
>> >> >> >> 14:05:14 : Error in Dependency Resolution
>> >> >> >> 14:05:14 : Missing Dependency: xine-lib(plugin-abi) = 1.25 is needed
>> >> >> >> by package xine-lib-extras-freeworld-1.1.16.2-1.fc10.i386
>> >> >> >> (rpmfusion-free-updates)
>> >> >> >> Missing Dependency: kernel-uname-r = 2.6.27.15-170.2.24.fc10.i686 is
>> >> >> >> needed by package
>> >> >> >> kmod-fglrx-2.6.27.15-170.2.24.fc10.i686-8.573-1.9.1.fc10.1.i686
>> >> >> >> (rpmfusion-nonfree-updates)
>> >> >> >> Missing Dependency: strigi-libs = 0.5.11-1.fc10 is needed by package
>> >> >> >> strigi-devel-0.5.11-1.fc10.i386 (fedora)
>> >> >> >>
>> >> >> >> I might be able to get a list of updates (if you need them) not done
>> >> >> >> from yum. I use yumex most of the time.
>> >> >> >>
>> >> >> >> Thanks Dominick
>> >> >> >
>> >> >> >No that is fine, thanks. Which version of selinux-policy is currently
>> >> >> >installed?
>> >> >> >
>> >> >> >I picked a few of the denials out of there and both were allowed in the
>> >> >> >rawhide policy.
>> >> >> >
>> >> >> >This leads me to think that either you are running an old version of the
>> >> >> >selinux-policy or that the fixes in rawhide policy have not been pushed
>> >> >> >to Fedora 10 policy yet.
>> >> >>
>> >> >> I'll go for the latter as there isn't an update available.
>> >> >> [root at coyote Documents]# rpm -qa|grep policy
>> >> >> checkpolicy-2.0.16-3.fc10.i386
>> >> >> selinux-policy-3.5.13-18.fc10.noarch
>> >> >> policycoreutils-2.0.57-11.fc10.i386
>> >> >> policycoreutils-gui-2.0.57-11.fc10.i386
>> >> >> selinux-policy-targeted-3.5.13-18.fc10.noarch
>> >> >>
>> >> >> >In either case you can create custom policies to allow these denials.
>> >> >> >
>> >> >> >A quick (and dirty) way is to "cat avc-denials.txt | audit2allow -M
>> >> >> >mydenials; /usr/sbin/semodule -i mydenials.pp"
>> >> >>
>> >> >> And that upchucks. It generates mydenials.pp, then:
>> >> >> [root at coyote Documents]# /usr/sbin/semodule -i mydenials.pp
>> >> >> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> >> >> libsemanage.semanage_link_sandbox: Link packages failed
>> >> >> /usr/sbin/semodule: Failed!
>> >> >>
>> >> >> Looks like I may be missing something?
>> >> >
>> >> >Can you give me the output of sestatus?
>> >>
>> >> This is after the reboot/relabel, using this /etc/selinux/config
>> >>
>> # This file controls the state of SELinux on the system.
>> # SELINUX= can take one of these three values:
>> # enforcing - SELinux security policy is enforced.
>> # permissive - SELinux prints warnings instead of enforcing.
>> # disabled - No SELinux policy is loaded.
>> SELINUX=enabeled
>
>should read enforcing or permissive
>
>> # SELINUXTYPE= can take one of these two values:
>> # targeted - Targeted processes are protected,
>> # mls - Multi Level Security protection.
>> SELINUXTYPE=targeted
>> # SETLOCALDEFS= Check local definition changes
>> SETLOCALDEFS=0
>>
>> [root at coyote radeon]# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: error (Success)
>
>This looks wrong. see above
>
>> Policy version: 24
>> Policy from config file: targeted
>>
>> and that looks completely fubar to me. But since it's 'permissive',
>> consolekit is running, but sealert is popping up about every 30 seconds.
>> It's fussing about console-kit-history now. WTH?
>
>You can easily disable setroubleshoot:
>
>service setroubleshoot stop
>( to disable it by default: chkconfig setroubleshoot off )
>
>> >> >you could try /usr/sbin/semodule -s targeted -i mydenials.pp
>> >>
>> >> Fails exactly the same. Does selinux=disabled screw with that?
>> >
>> >Well you should have SELinux enabled when you install the module.
>> >Enable it first.
>> >
>> >> >You might also consider /usr/sbin/semodule -b base.pp (this should
>> >> >replace the base module)
>>
>> ohhkayy
>>
>> Turned it back on, rebooted, relabeled, and:
>>
>> [root at coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> [root at coyote Documents]# /usr/sbin/semodule -b base.pp
>> /usr/sbin/semodule: Could not read file 'base.pp': No such file or directory
>> [root at coyote Documents]# locate base.pp
>> /etc/selinux/targeted/modules/active/base.pp
>> /usr/share/selinux/targeted/base.pp.bz2
>>
>> [root at coyote targeted]# ls -l `locate base.pp`
>> -rw------- 1 root root 16771501 2009-02-26 18:38 /etc/selinux/targeted/modules/active/base.pp
>> -rw-r--r-- 1 root root 172790 2008-11-06 13:06 /usr/share/selinux/targeted/base.pp.bz2
>>
>> So which one is right? I'm getting a headache. :(
>
>the one in /etc is active. The one in /usr is used to generate it i
>believe
>
>> So I bunzip2'd the /usr/share/selinux/targeted/base.pp.bz2 and
>> overwrote the /etc/selinux/targeted/modules/active/base.pp with it, it was
>> about half the size. I think this is the same error again.
>> [root at coyote Documents]# /usr/sbin/semodule -s targeted -i mydenials.pp
>> libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
>> libsemanage.semanage_link_sandbox: Link packages failed
>> /usr/sbin/semodule: Failed!
>>
>> And that bunzip2 operation of course generated this:
>> [root at coyote Documents]# rpm -V `rpm -qa|grep targeted`
>> missing /usr/share/selinux/targeted/base.pp.bz2
>>
>> So I did a bzip2 -k base.pp, and now rpm -V is happy again.
>>
>> Sounds like I need to manually nuke what's in etc and force
>> rpm to re-install? Unforch, /var/cache/yum is devoid of any
>> F10 files, I just checked.
>>
>> Your turn coach. :)
>
>You could try:
>rpm -Uvh --replacefiles --replacepkgs selinux-policy
>and
>selinux-policy-targeted
>then make sure your base.pp is fresh (try
>semodule -B)

Where do I get the policy and policy-targeted rpms? /var/cache/yum is
empty of any F10 stuff. How about I use the ones on the install dvd?
Then if they are old, yumex can replace them.

>> >Not totally sure. No. First enable SELinux. Then try to install the
>> >policy module again. If that does not work consider replacing base.pp.
>> >
>> >The error suggests that base.pp is for MLS policy. This should not be
>> >the case.
>> >
>> >> >man semodule
>> >> >
>> >> >This looks like something that could have gone wrong during the
>> >> >upgrade.

I'll second that thought. Thanks Dominick

-- 
Cheers, Gene
I either want less decadence or more chance to participate in it.

From gene.heskett at verizon.net Sun Mar 1 00:39:34 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sat, 28 Feb 2009 19:39:34 -0500
Subject: f10 vs selinux again.
In-Reply-To: <1235864772.11365.82.camel@notebook1.grift.internal>
References: <1235850300.11365.42.camel@notebook1.grift.internal> <200902281818.06034.gene.heskett@verizon.net> <1235864772.11365.82.camel@notebook1.grift.internal>
Message-ID: <200902281939.34172.gene.heskett@verizon.net>

On Saturday 28 February 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>
>You could try:
>rpm -Uvh --replacefiles --replacepkgs selinux-policy and
>selinux-policy-targeted then make sure your base.pp is fresh (try
>semodule -B)

Ok, did that, no problem with the selinux-policy rpm from the dvd, but
when I do the same with selinux-policy-targeted, I'm right back to square
one:

[root at coyote Packages]# rpm -Uvh --replacefiles --replacepkgs selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
libsepol.print_missing_requirements: pki's global requirements were not met: type/attribute pki_kra_port_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

A somewhat different error message that might be a bit more enlightening
to someone who actually knows what it means, but it's Swahili to me. :)

So, should I nuke the contents of /etc/selinux/* and repeat the rpm
commands?

Your turn, Coach. :)

-- 
Cheers, Gene
Lightning strikes.

From domg472 at gmail.com Sun Mar 1 11:18:26 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Sun, 01 Mar 2009 12:18:26 +0100
Subject: f10 vs selinux again.
In-Reply-To: <200902281939.34172.gene.heskett@verizon.net>
References: <1235850300.11365.42.camel@notebook1.grift.internal> <200902281818.06034.gene.heskett@verizon.net> <1235864772.11365.82.camel@notebook1.grift.internal> <200902281939.34172.gene.heskett@verizon.net>
Message-ID: <1235906306.17478.3.camel@notebook1.grift.internal>

On Sat, 2009-02-28 at 19:39 -0500, Gene Heskett wrote:
> On Saturday 28 February 2009, Dominick Grift wrote:
> >On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
> >
> >You could try:
> >rpm -Uvh --replacefiles --replacepkgs selinux-policy and
> >selinux-policy-targeted then make sure your base.pp is fresh (try
> >semodule -B)
>
> Ok, did that, no problem with the selinux-policy rpm from the dvd, but
> when I do the same with selinux-policy-targeted, I'm right back to square
> one:
>
> [root at coyote Packages]# rpm -Uvh --replacefiles --replacepkgs selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
> Preparing...                ########################################### [100%]
>    1:selinux-policy-targeted########################################### [100%]
> libsepol.print_missing_requirements: pki's global requirements were not met: type/attribute pki_kra_port_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> A somewhat different error message that might be a bit more enlightening
> to someone who actually knows what it means, but it's Swahili to me. :)
>
> So, should I nuke the contents of /etc/selinux/* and repeat the rpm
> commands?
>
> Your turn, Coach. :)
>

You can get the latest packages from koji.fedoraproject.org/koji or your
local fedora mirror.

The error above looks like a bug in policy.

Make sure that if you install the latest selinux policy for f10 from
koji, that you install both: selinux-policy as well as
selinux-policy-targeted.

From gene.heskett at verizon.net Sun Mar 1 16:54:53 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sun, 01 Mar 2009 11:54:53 -0500
Subject: f10 vs selinux again.
In-Reply-To: <1235906306.17478.3.camel@notebook1.grift.internal>
References: <1235850300.11365.42.camel@notebook1.grift.internal> <200902281939.34172.gene.heskett@verizon.net> <1235906306.17478.3.camel@notebook1.grift.internal>
Message-ID: <200903011154.53927.gene.heskett@verizon.net>

On Sunday 01 March 2009, Dominick Grift wrote:
>On Sat, 2009-02-28 at 19:39 -0500, Gene Heskett wrote:
>> On Saturday 28 February 2009, Dominick Grift wrote:
>> >On Sat, 2009-02-28 at 18:18 -0500, Gene Heskett wrote:
>> >
>> >You could try:
>> >rpm -Uvh --replacefiles --replacepkgs selinux-policy and
>> >selinux-policy-targeted then make sure your base.pp is fresh (try
>> >semodule -B)
>>
>> Ok, did that, no problem with the selinux-policy rpm from the dvd, but
>> when I do the same with selinux-policy-targeted, I'm right back to square
>> one:
>>
>> [root at coyote Packages]# rpm -Uvh --replacefiles --replacepkgs
>> selinux-policy-targeted-3.5.13-18.fc10.noarch.rpm
>> Preparing...                ########################################### [100%]
>>    1:selinux-policy-targeted########################################### [100%]
>> libsepol.print_missing_requirements: pki's global requirements were
>> not met: type/attribute pki_kra_port_t
>> libsemanage.semanage_link_sandbox: Link packages failed
>> semodule: Failed!
>>
>> A somewhat different error message that might be a bit more enlightening
>> to someone who actually knows what it means, but it's Swahili to me. :)
>>
>> So, should I nuke the contents of /etc/selinux/* and repeat the rpm
>> commands?
>>
>> Your turn, Coach. :)
>
>You can get the latest packages from koji.fedoraproject.org/koji or your
>local fedora mirror.
>
>The error above looks like a bug in policy.
>
>Make sure that if you install the latest selinux policy for f10 from
>koji, that you install both: selinux-policy as well as
>selinux-policy-targeted.

I found late yesterday that the updates repo in my yum-repos.d was
disabled. Enabling that & pulling in several hundred more updates, I have
not seen another alert since I installed those updated ones. No idea
where they came from, just some yum mirror I have to assume, lacking more
info.

Maybe we can lay this one to rest, and I can go back to "enforcing" since
it's permissive due to a misspelling of enforcing in the config.

Sorry for the noise, my apologies.

-- 
Cheers, Gene
Everything should be made as simple as possible, but not simpler.
-- Albert Einstein

From brian at brianac.com.au Mon Mar 2 11:17:56 2009
From: brian at brianac.com.au (Brian Chadwick)
Date: Mon, 02 Mar 2009 21:17:56 +1000
Subject: postfix trying to access /boot AVC
Message-ID: <49ABC064.5070203@brianac.com.au>

Hi,

This is happening after the last round of F10 updates involving postfix.

postfix-2.5.6-1.fc10.i386.rpm
selinux-policy-targeted-3.5.13-45.fc10.noarch.rpm

Summary:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /boot (boot_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]

SELinux denied access requested by smtpd. It is not expected that this
access is required by smtpd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /boot,

restorecon -v '/boot'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_smtpd_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port
Host                          admin.brianac.com.au
Source RPM Packages           postfix-2.5.6-1.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     admin.brianac.com.au
Platform                      Linux admin.brianac.com.au 2.6.27.15-170.2.24.fc10.i686.PAE #1 SMP Wed Feb 11 23:35:37 EST 2009 i686 athlon
Alert Count                   294
First Seen                    Thu 26 Feb 2009 20:46:08 EST
Last Seen                     Mon 02 Mar 2009 10:46:05 EST
Local ID                      cbf2bcef-ae64-4d65-bd35-e8226a7d35a1
Line Numbers

Raw Audit Messages

node=admin.brianac.com.au type=AVC msg=audit(1235954765.372:3918): avc: denied { getattr } for pid=11567 comm="smtpd" path="/boot" dev=sda2 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=admin.brianac.com.au type=SYSCALL msg=audit(1235954765.372:3918): arch=40000003 syscall=195 success=yes exit=0 a0=bfe00176 a1=bfe0056c a2=811ff4 a3=bfe0017c items=0 ppid=2421 pid=11567 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

From mcepl at redhat.com Mon Mar 2 14:56:08 2009
From: mcepl at redhat.com (Matej Cepl)
Date: Mon, 2 Mar 2009 15:56:08 +0100
Subject: postfix trying to access /boot AVC
References: <49ABC064.5070203@brianac.com.au>
Message-ID: <8l8t76-e86.ln1@ppp1053.in.ipex.cz>

On 2009-03-02, 11:17 GMT, Brian Chadwick wrote:
> This is happening after the last round of F10 updates involving
> postfix.
>
> postfix-2.5.6-1.fc10.i386.rpm

Known problem (https://bugzilla.redhat.com/show_bug.cgi?id=221347) and
apparently not simple to tackle. Moreover, upstream doesn't seem to
consider SELinux as something to consider. Oh well.

Matěj

From dwalsh at redhat.com Mon Mar 2 15:03:33 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 02 Mar 2009 10:03:33 -0500
Subject: Fwd: SELinux user login problem
In-Reply-To: <1235829283.11365.25.camel@notebook1.grift.internal>
References: <994219730902250208h2bcb9bb5ife376930cbc611f7@mail.gmail.com> <994219730902250231n55eaef25lf95b7f89b031becb@mail.gmail.com> <49A56821.8050109@redhat.com> <994219730902260853h59626357u8fb0d4f22d01b465@mail.gmail.com> <49A839CD.8020307@redhat.com> <994219730902280335m24cc6d03v9302588beb5ad40@mail.gmail.com> <1235829283.11365.25.camel@notebook1.grift.internal>
Message-ID: <49ABF545.9060800@redhat.com>

Dominick Grift wrote:
> On Sat, 2009-02-28 at 17:05 +0530, prakash hallalli wrote:
>> Hi All,
>>
>> Thanks for the reply. These are the audit messages I am getting
>> from /var/log/audit/audit.log.
>>
>> type=AVC msg=audit(1235820249.704:255): avc: denied { rlimitinh } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1235820249.704:255): avc: denied { noatsecure } for pid=4296 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=SYSCALL msg=audit(1235820249.704:255): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff186d7030 a2=7fff186d9550 a3=22 items=0 ppid=1 pid=4296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty4 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
>> type=USER_AUTH msg=audit(1235820253.552:256): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: authentication acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
>> type=USER_ACCT msg=audit(1235820253.555:257): user pid=4296 uid=0 auid=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: accounting acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
>> type=LOGIN msg=audit(1235820253.560:258): login pid=4296 uid=0 old auid=4294967295 new auid=527
>> type=USER_ROLE_CHANGE msg=audit(1235820253.567:259): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=prakash:prakash_r:prakash_t:s0 selected-context=prakash:prakash_r:prakash_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
>> type=USER_START msg=audit(1235820253.568:260): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: session open acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
>> type=CRED_ACQ msg=audit(1235820253.568:261): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='PAM: setcred acct="user1" : exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
>> type=USER_LOGIN msg=audit(1235820253.570:262): user pid=4296 uid=0 auid=527 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='uid=527: exe="/bin/login" (hostname=?, addr=?, terminal=tty4 res=success)'
>> type=AVC msg=audit(1235820275.060:263): avc: denied { siginh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1235820275.060:263): avc: denied { rlimitinh } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=AVC msg=audit(1235820275.060:263): avc: denied { noatsecure } for pid=4132 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
>> type=SYSCALL msg=audit(1235820275.060:263): arch=c000003e syscall=59 success=yes exit=0 a0=402269 a1=7fff1bcb84a0 a2=7fff1bcba9c0 a3=22 items=0 ppid=1 pid=4132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="login" exe="/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
>>
>> Thanks,
>>
>> Prakash
>
> The issue is that RHEL5 targeted policy is not designed to target user
> domains.
>
> The avc denials that you provided do not give me a clue about what is
> stopping this from working.
>
> It may well be that the denials responsible are hidden.
>
> You can expose hidden denials using :
>
> # semodule -b /usr/share/selinux/targeted/enableaudit.pp
>
> To restore the defaults you would execute:
>
> # semodule -b /usr/share/selinux/targeted/base.pp
>
> After you have exposed the hidden avc denials you may be presented with
> more clues in audit.log as to what is stopping functionality.
>
> But again, the big issue here is that RHEL5 targeted policy is not
> designed to target users.
>
> This functionality does work in Fedora 9 and up.
>
> hth , Dominick
>
>> On Sat, Feb 28, 2009 at 12:36 AM, Daniel J Walsh wrote:
>> > prakash hallalli wrote:
>> Hi All,
>>
>> I am using CentOS-5 x86_64, I have followed the steps you have sent.
>> But still I am getting the same user login problem. I am not able to
>> login the user properly in the system.
>>
>> These are the steps I have followed.
>>
>> 1. Create a source policy module:-
>>
>> #cd /home/prakash
>> #vi prakash.te
>> policy_module(prakash, 0.0.1)
>> role prakash_r;
>> userdom_unpriv_user_template(prakash);
>>
>> 2. Build the source policy module:
>>
>> #make -f /usr/share/selinux/devel/Makefile
>>
>> 3. Install the binary policy module:
>>
>> #semodule -i prakash.pp
>>
>> 4. Create default contexts for prakash:
>>
>> #cd /etc/selinux/targeted/contexts/users
>> #vi prakash
>> system_r:system_local_login_t:s0 prakash_r:prakash_t:s0
>> system_r:remote_login_t:s0 prakash_r:prakash_t:s0
>> system_r:sshd_t:s0 prakash_r:prakash_t:s0
>> system_r:crond_t:s0 prakash_r:prakash_t:s0
>> system_r:xdm_t:s0 prakash_r:prakash_t:s0
>> prakash_r:prakash_su_t:s0 prakash_r:prakash_t:s0
>> prakash_r:prakash_sudo_t:s0 prakash_r:prakash_t:s0
>> system_r:initrc_su_t:s0 prakash_r:prakash_t:s0
>> prakash_r:prakash_t:s0 prakash_r:prakash_t:s0
>>
>> 5. Create a SELinux user mapping for prakash:
>>
>> #semanage user -a -L s0 -r s0-s0 -R "prakash_r" -P user prakash
>>
>> 6. Add new prakash user for user1:
>>
>> #useradd -Z prakash user1
>>
>> 7. When I try to login in the system, I get a permission denied
>> message.
>>
>> gtt login: user1
>> password: XXXXXX
>>
>> -bash: /home/user1/.bash_profile: Permission denied
>> -bash-3.1$id
>> uid=524(user1) gid=525(user1) groups=525(user1)
>> context=prakash:prakash_r:prakash_t
>>
>> I tried one more user and also got the same problem. I am not sure
>> what mistakes I made, please help me with what I have to do.
>>
>> Thanks,
>> Prakash, k, h.
>>
>> On Wed, Feb 25, 2009 at 9:17 PM, Daniel J Walsh wrote:
>> prakash hallalli wrote:
>>>>> Hi All,
>>>>>
>>>>> I have created 'myuser' user and created custom module policy for
>>>>> user. I have installed the module successfully, but when I log
>>>>> myuser in I will get a bash prompt.
>>>>>
>>>>> I have followed the below steps for creating the module.
>>>>>
>>>>> #vi myuser.te
>>>>> policy_module(myuser, 0.0.1)
>>>>> role myuser_r;
>>>>> userdom_unpriv_user_template(myuser)
>>>>>
>>>>> #make -f /usr/share/selinux/devel/Makefile
>>>>> #sudo semodule -i myuser.pp
>>>>> #semanage user -a -L s0 -r s0-s0 -L "myuser1_r" -P user myuser1
>>>>> #useradd -Z myuser1 myuser1
>>>>>
>>>>> I did all the steps; when I try to login in the system the following
>>>>> error will display.
>>>>> gtt login: myuser
>>>>> password: XXXXXX
>>>>>
>>>>> -bash: /home/myuser/.bash_profile: Permission denied
>>>>> -bash-3.1$
>>>>>
>>>>> Please give what I should have to do.
>>>>>
>>>>> Thanks,
>>>>> Prakash.
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Which OS and Version.
>>
>> Depending on the policy you might need to relabel the homedir to get the
>> labels correct.
>>
>> restorecon -R -v /home
>
> Please attach the AVC messages from /var/log/audit/audit.log.

Yes if you want to write targeted user protection in RHEL5 you need to
use strict or MLS Policy not targeted.

From rcritten at redhat.com Mon Mar 2 15:16:22 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 02 Mar 2009 10:16:22 -0500
Subject: pam_mkhomedirs
Message-ID: <49ABF846.4070804@redhat.com>

An IPA user reported this on our mailing list. He's getting SELinux
permission failures from pam_mkhomedirs when he's trying to log into a
machine for the first time as a user.

Is there an existing way to configure a system to handle this?

thanks

rob
-------------- next part --------------
An embedded message was scrubbed...
From: Natxo Asenjo
Subject: Re: [Freeipa-users] new freeipa user
Date: Thu, 26 Feb 2009 16:09:01 +0100
Size: 12149
URL:

From kas at fi.muni.cz Mon Mar 2 15:34:48 2009
From: kas at fi.muni.cz (Jan Kasprzak)
Date: Mon, 2 Mar 2009 16:34:48 +0100
Subject: TCP server howto
In-Reply-To: <1235817998.11365.12.camel@notebook1.grift.internal>
References: <20090227230224.GF30997@fi.muni.cz> <1235817998.11365.12.camel@notebook1.grift.internal>
Message-ID: <20090302153448.GH31276@fi.muni.cz>

Dominick Grift wrote:
: I think corenet_reserved_port() is what you are looking for.
:
	Thanks for the hint.
It is _almost_ exactly as you wrote, except:

: # Declarations
:
: type my_port_t;
: corenet_reserved_port(my_port_t)
:
: # Policy
:
: corenet_all_recvfrom_unlabeled($1)
: corenet_all_recvfrom_netlabel($1)
: corenet_tcp_sendrecv_generic_if($1)
: corenet_tcp_sendrecv_generic_node($1)
: corenet_tcp_sendrecv_all_ports($1)
- corenet_tcp_bind_generic_node($1)
+ corenet_tcp_bind_inaddr_any_node($1)

: allow $1 my_port_t:tcp_socket name_bind;

+ allow $1 self:capability net_bind_service;
+ allow $1 self:tcp_socket create_stream_socket_perms;

: #EOF
:
: sudo semanage port -a -t my_port_t -p tcp 40

	I would however like to have a really-high-level macro (or two)
to do the above - I guess this is what many users would like to do
- saying "this context belongs to my port", and "this domain can run
a TCP server on this port". The same way the files_pid_file()
and files_pid_filetrans() macros allow for the
"I want to have my own PID file in /var/run" case.

	Would it be acceptable to submit this as a patch for inclusion
in the upstream policy?

	I would like to have other things included upstream as well - for
example, now I have policy bits for Perl: file contexts for
/usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
"this domain can run Perl scripts".

Thanks,

-Yenya

--
| Jan "Yenya" Kasprzak                                                   |
| GPG: ID 1024/D3498839  Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E   |
| http://www.fi.muni.cz/~kas/   Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you're _probably_ wrong.   <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker"      <<

From domg472 at gmail.com Mon Mar 2 16:16:06 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 02 Mar 2009 17:16:06 +0100
Subject: TCP server howto
In-Reply-To: <20090302153448.GH31276@fi.muni.cz>
References: <20090227230224.GF30997@fi.muni.cz> <1235817998.11365.12.camel@notebook1.grift.internal> <20090302153448.GH31276@fi.muni.cz>
Message-ID: <1236010567.19155.28.camel@notebook1.grift.internal>

On Mon, 2009-03-02 at 16:34 +0100, Jan Kasprzak wrote:
> Dominick Grift wrote:
> : I think corenet_reserved_port() is what you are looking for.
> :
> 	Thanks for the hint. It is _almost_ exactly as you wrote,
> except:
>
> : # Declarations
> :
> : type my_port_t;
> : corenet_reserved_port(my_port_t)
> :
> : # Policy
> :
> : corenet_all_recvfrom_unlabeled($1)
> : corenet_all_recvfrom_netlabel($1)
> : corenet_tcp_sendrecv_generic_if($1)
> : corenet_tcp_sendrecv_generic_node($1)
> : corenet_tcp_sendrecv_all_ports($1)
> - corenet_tcp_bind_generic_node($1)
> + corenet_tcp_bind_inaddr_any_node($1)
>
> : allow $1 my_port_t:tcp_socket name_bind;
>
> + allow $1 self:capability net_bind_service;
> + allow $1 self:tcp_socket create_stream_socket_perms;
>
> : #EOF
> :
> : sudo semanage port -a -t my_port_t -p tcp 40
>
> 	I would however like to have a really-high-level macro (or two)
> to do the above - I guess this is what many users would like to do
> - saying "this context belongs to my port", and "this domain can run
> a TCP server on this port". The same way the files_pid_file()
> and files_pid_filetrans() macros allow for the
> "I want to have my own PID file in /var/run" case.
>
> 	Would it be acceptable to submit this as a patch for inclusion
> in the upstream policy?

My example of declaring a port would not be acceptable upstream.

If you want your policy upstream then you would have to declare your
port in the corenetwork.te.in file that is in the kernel section of the
policy source.
If you add a declaration there, then interfaces will be generated that
you can use when you build the source.

For example:

network_port(myport, tcp,40,s0)

would create interfaces like:

corenet_tcp_bind_myport_port()

that you can use.

hth,
Dominick

> 	I would like to have other things included upstream as well - for
> example, now I have policy bits for Perl: file contexts for
> /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> "this domain can run Perl scripts".
>
> Thanks,
>
> -Yenya
>

From dwalsh at redhat.com Mon Mar 2 16:58:02 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 02 Mar 2009 11:58:02 -0500
Subject: TCP server howto
In-Reply-To: <20090302153448.GH31276@fi.muni.cz>
References: <20090227230224.GF30997@fi.muni.cz> <1235817998.11365.12.camel@notebook1.grift.internal> <20090302153448.GH31276@fi.muni.cz>
Message-ID: <49AC101A.50101@redhat.com>

Jan Kasprzak wrote:
> Dominick Grift wrote:
> : I think corenet_reserved_port() is what you are looking for.
> :
> 	Thanks for the hint. It is _almost_ exactly as you wrote,
> except:
>
> : # Declarations
> :
> : type my_port_t;
> : corenet_reserved_port(my_port_t)
> :
> : # Policy
> :
> : corenet_all_recvfrom_unlabeled($1)
> : corenet_all_recvfrom_netlabel($1)
> : corenet_tcp_sendrecv_generic_if($1)
> : corenet_tcp_sendrecv_generic_node($1)
> : corenet_tcp_sendrecv_all_ports($1)
> - corenet_tcp_bind_generic_node($1)
> + corenet_tcp_bind_inaddr_any_node($1)
>
> : allow $1 my_port_t:tcp_socket name_bind;
>
> + allow $1 self:capability net_bind_service;
> + allow $1 self:tcp_socket create_stream_socket_perms;
>
> : #EOF
> :
> : sudo semanage port -a -t my_port_t -p tcp 40
>
> 	I would however like to have a really-high-level macro (or two)
> to do the above - I guess this is what many users would like to do
> - saying "this context belongs to my port", and "this domain can run
> a TCP server on this port". The same way the files_pid_file()
> and files_pid_filetrans() macros allow for the
> "I want to have my own PID file in /var/run" case.
>
> 	Would it be acceptable to submit this as a patch for inclusion
> in the upstream policy?
>
> 	I would like to have other things included upstream as well - for
> example, now I have policy bits for Perl: file contexts for
> /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying
> "this domain can run Perl scripts".
>
> Thanks,
>
> -Yenya
>

Yenya, take this discussion to the refpolicy list. Better to discuss it
there. I think having a higher level template for creating a tcp or udp
port would not be a bad idea. See what upstream thinks.

From dwalsh at redhat.com Mon Mar 2 17:09:23 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 02 Mar 2009 12:09:23 -0500
Subject: postfix trying to access /boot AVC
In-Reply-To: <8l8t76-e86.ln1@ppp1053.in.ipex.cz>
References: <49ABC064.5070203@brianac.com.au> <8l8t76-e86.ln1@ppp1053.in.ipex.cz>
Message-ID: <49AC12C3.4080703@redhat.com>

Matej Cepl wrote:
> On 2009-03-02, 11:17 GMT, Brian Chadwick wrote:
>> This is happening after the last round of F10 updates involving
>> postfix.
>>
>> postfix-2.5.6-1.fc10.i386.rpm
>
> Known problem
> (https://bugzilla.redhat.com/show_bug.cgi?id=221347) and
> apparently not simple to tackle. Moreover, upstream doesn't seem
> to consider SELinux as something to consider. Oh well.
>
> Matěj
>

I think we should fix this in policy and allow postfix domains to search
mountpoints.
From dwalsh at redhat.com Mon Mar 2 17:11:58 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 02 Mar 2009 12:11:58 -0500
Subject: pam_mkhomedirs
In-Reply-To: <49ABF846.4070804@redhat.com>
References: <49ABF846.4070804@redhat.com>
Message-ID: <49AC135E.9020501@redhat.com>

Rob Crittenden wrote:
> An IPA user reported this on our mailing list. He's getting SELinux
> permission failures from pam_mkhomedirs when he's trying to log into a
> machine for the first time as a user.
>
> Is there an existing way to configure a system to handle this?
>
> thanks
>
> rob
>
> ------------------------------------------------------------------------
>
> Subject: Re: [Freeipa-users] new freeipa user
> From: Natxo Asenjo
> Date: Thu, 26 Feb 2009 16:09:01 +0100
> To: freeipa-users at redhat.com
>
> On Thu, Feb 26, 2009 at 4:20 AM, Rob Crittenden wrote:
>> Natxo Asenjo wrote:
>>> I have so far only run into a problem and that is the auto creation of
>>> home dirs on the first login. I used the authentication configuration
>>> gui from fedora10 on the ipaclient and checked the option to
>>> auto-create homedirs but that doesn't work. There is a selinux error:
>>>
>>> Feb 25 23:28:47 ipaclient01 setroubleshoot: SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t). For complete SELinux messages. run sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
>>>
>>> apparently the pam_mkhomedir.so is not allowed to work with selinux.
>>> Any workarounds?
>>
>> It would be helpful to see the sealert output for this error. We may be able
>> to include a generic fix in IPA, or pass this by the SELinux guys to see
>> what they think.
>
> ok, the output of sealert -l 2f194ec1-0764-48b0-b66c-d84734105283
>
> Summary:
>
> SELinux is preventing sshd (sshd_t) "write" to ./home (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by sshd. The current boolean settings do not
> allow this access. If you have not setup sshd to require this access this may
> signal an intrusion attempt. If you do intend this access you need to change the
> booleans on this system to allow the access.
>
> Allowing Access:
>
> Confined processes can be configured to to run requiring different access,
> SELinux provides booleans to allow you to turn on/off access as needed. The
> boolean allow_polyinstantiation is set incorrectly.
> Boolean Description:
> Allow login programs to use polyinstantiated directories.
>
> Fix Command:
> # setsebool -P allow_polyinstantiation 1
>
> Additional Information:
>
> Source Context        system_u:system_r:sshd_t:s0-s0:c0.c1023
> Target Context        system_u:object_r:home_root_t:s0
> Target Objects        ./home [ dir ]
> Source                sshd
> Source Path           /usr/sbin/sshd
> Port
> Host                  ipaclient01.virtual.local
> Source RPM Packages   openssh-server-5.1p1-3.fc10
> Target RPM Packages   filesystem-2.4.19-1.fc10
> Policy RPM            selinux-policy-3.5.13-45.fc10
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall_boolean
> Host Name             ipaclient01.virtual.local
> Platform              Linux ipaclient01.virtual.local 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64
> Alert Count           1
> First Seen            Wed Feb 25 23:28:47 2009
> Last Seen             Wed Feb 25 23:28:47 2009
> Local ID              2f194ec1-0764-48b0-b66c-d84734105283
> Line Numbers
>
> Raw Audit Messages
>
> node=ipaclient01.virtual.local type=AVC msg=audit(1235600927.386:53): avc: denied { write } for pid=3055 comm="sshd" name="home" dev=dm-0 ino=211745 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235600927.386:53): arch=c000003e syscall=83 success=no exit=-13 a0=173bd66 a1=1ed a2=21 a3=6a6e657361632f65 items=0 ppid=1870 pid=3055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
>
> so I run:
> # setsebool -P allow_polyinstantiation 1
>
> And next time I tried login on the console through gdm:
>
> Feb 26 15:41:53 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "write" to ./home (home_root_t). For complete SELinux messages. run sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8
>
> running sealert -l cf03e02d-4bdd-484d-bf6f-d70c553bdab8 provides a
> similar output but one substitutes sshd for gdm as source, obviously.
>
> There is another SElinux error in the log:
>
> Feb 26 15:46:34 ipaclient01 setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo (home_root_t). For complete SELinux messages. run sealert -l a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
>
> Summary:
>
> SELinux is preventing gdm-session-wor (xdm_t) "create" to ./casenjo
> (home_root_t).
>
> Detailed Description:
>
> SELinux denied access requested by gdm-session-wor. It is not expected that this
> access is required by gdm-session-wor and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./casenjo,
>
> restorecon -v './casenjo'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context        system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context        system_u:object_r:home_root_t:s0
> Target Objects        ./casenjo [ dir ]
> Source                gdm-session-wor
> Source Path           /usr/libexec/gdm-session-worker
> Port
> Host                  ipaclient01.virtual.local
> Source RPM Packages   gdm-2.24.0-12.fc10
> Target RPM Packages
> Policy RPM            selinux-policy-3.5.13-45.fc10
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall_file
> Host Name             ipaclient01.virtual.local
> Platform              Linux ipaclient01.virtual.local 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64
> Alert Count           1
> First Seen            Thu Feb 26 15:46:32 2009
> Last Seen             Thu Feb 26 15:46:32 2009
> Local ID              a104e0b3-0dc4-4dc7-ba6a-494b7ca070de
> Line Numbers
>
> Raw Audit Messages
>
> node=ipaclient01.virtual.local type=AVC msg=audit(1235659592.554:36): avc: denied { create } for pid=4301 comm="gdm-session-wor" name="casenjo" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235659592.554:36): arch=c000003e syscall=83 success=no exit=-13 a0=7f577ce13bb6 a1=1ed a2=21 a3=8101010101010100 items=0 ppid=4174 pid=4301 auid=1100 uid=0 gid=1002 euid=0 suid=0 fsuid=0 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> This time I cannot run restorecon -v './casenjo' because the folder
> ./casenjo simply does not exist; neither gdm nor sshd could
> autocreate it.
>
> I'd very much rather that selinux stayed enabled, obviously.
>
> Hope the output of sealert is helpful to you guys.
>
> ------------------------------------------------------------------------
>

Yes, tell him don't use it? :^)

A better option is oddjob-mkhomedir

From olivares14031 at yahoo.com Tue Mar 3 01:23:48 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 2 Mar 2009 17:23:48 -0800 (PST)
Subject: avcs on rawhide new and old one
Message-ID: <621678.88577.qm@web52608.mail.re2.yahoo.com>

Summary:

SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by crontab. It is not expected that this access
is required by crontab and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:

Source Context        unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        socket [ unix_stream_socket ]
Source                crontab
Source Path           /usr/bin/crontab
Port
Host                  riohigh
Source RPM Packages   cronie-1.2-6.fc11
Target RPM Packages
Policy RPM            selinux-policy-3.6.6-8.fc11
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             riohigh
Platform              Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1 SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
Alert Count           16
First Seen            Mon 02 Mar 2009 07:11:37 PM CST
Last Seen             Mon 02 Mar 2009 07:11:39 PM CST
Local ID              3883b140-4d39-40f5-9262-ce2c4c4e2e16
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15740]" dev=sockfs ino=15740 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1236042699.560:325): arch=40000003 syscall=11 success=yes exit=0 a0=9756cc8 a1=9765140 a2=9750a18 a3=9765140 items=0 ppid=6988 pid=7023 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux prevented kde4-config from writing .kde.

Detailed Description:

SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
want to allow this. If .kde is not a core file, this could signal a intrusion
attempt.

Allowing Access:

Changing the "allow_daemons_dump_core" boolean to true will allow this access:
"setsebool -P allow_daemons_dump_core=1."

Fix Command:

setsebool -P allow_daemons_dump_core=1

Additional Information:

Source Context        system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context        system_u:object_r:root_t:s0
Target Objects        .kde [ dir ]
Source                kde4-config
Source Path           /usr/bin/kde4-config
Port
Host                  riohigh
Source RPM Packages   kdelibs-4.2.1-1.fc11
Target RPM Packages
Policy RPM            selinux-policy-3.6.6-8.fc11
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           allow_daemons_dump_core
Host Name             riohigh
Platform              Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1 SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
Alert Count           16
First Seen            Tue 17 Feb 2009 08:36:03 AM CST
Last Seen             Mon 02 Mar 2009 03:49:11 PM CST
Local ID              6d47417b-4b4b-4c4f-9c12-6210059fc418
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236030551.278:7): avc: denied { create } for pid=2361 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1236030551.278:7): arch=40000003 syscall=39 success=no exit=-13 a0=9e843f8 a1=1c0 a2=60cf8c a3=0 items=0 ppid=2360 pid=2361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Thanks,

Antonio

From john.spann at ngc.com Tue Mar 3 13:22:23 2009
From: john.spann at ngc.com (Spann, John W.)
Date: Tue, 3 Mar 2009 07:22:23 -0600
Subject: Policy for Embedded Machine
In-Reply-To: <20090221170015.5668561A9FB@hormel.redhat.com>
References: <20090221170015.5668561A9FB@hormel.redhat.com>
Message-ID: <4A8989A53645E8429EBF62BCF55AD5A4055A0D29@XMBIL151.northgrum.com>

Do I have to be running the 2.6.28 kernel to have the ability to load
the dummy policy? This seems like the approach I would take, but we must
use the 2.6.27.14 kernel.
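The threads above keep coming back to the same request ("show us the avc denials", "please attach the AVC messages from /var/log/audit/audit.log"), and the sealert dumps show why raw records need some triage before anyone reaches for a boolean, a restorecon or a local module: the same crontab denial is listed eight times, and SYSCALL records sit between the AVC lines. The following is an added example, not code from the list or from any Fedora tool: it parses such records, drops SYSCALL lines and exact repeats, and summarises what each source type asked of each target type. The sample records are the ones quoted in the threads above, rejoined onto single lines (sealert wraps them for display); the function and class names are this example's own.

```python
"""Triage helper for raw SELinux AVC records (added example, not list code).

Parses the ``type=AVC ... avc: denied { perms } for ...`` records sealert
shows under "Raw Audit Messages" (ausearch returns the same ones from
/var/log/audit/audit.log), skips SYSCALL records and exact repeats, and
summarises what each source type asked of each target type and class.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\([0-9.]+:(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
# key=value pairs after "for"; quoted values (comm="gdm-session-wor") kept whole
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass(frozen=True)
class Avc:
    serial: int
    verdict: str
    perms: Tuple[str, ...]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    target: str  # name= or path= of the object the check was made on

def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type, e.g. ...:object_r:home_root_t:s0 -> home_root_t."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line: str) -> Optional[Avc]:
    """One audit record -> Avc, or None for non-AVC records such as SYSCALL."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        scontext=fields.get("scontext", "?"),
        tcontext=fields.get("tcontext", "?"),
        tclass=fields.get("tclass", "?"),
        target=fields.get("name") or fields.get("path") or "",
    )

def parse_log(text: str) -> List[Avc]:
    """All AVC records in a blob of audit output, in file order."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]

def unique(records: List[Avc]) -> List[Avc]:
    """Drop exact repeats (the crontab alert above shows one denial eight times)."""
    return list(OrderedDict.fromkeys(records))

def summarize(records: List[Avc]) -> Dict[Tuple[str, str, str], Tuple[str, ...]]:
    """(source type, target type, class) -> sorted union of denied permissions."""
    wanted: Dict[Tuple[str, str, str], set] = {}
    for r in records:
        if r.verdict == "denied":
            key = (context_type(r.scontext), context_type(r.tcontext), r.tclass)
            wanted.setdefault(key, set()).update(r.perms)
    return {k: tuple(sorted(v)) for k, v in wanted.items()}

def render(summary: Dict[Tuple[str, str, str], Tuple[str, ...]]) -> List[str]:
    """One line per (source, target, class): the raw ask, not yet a decision."""
    return [f"{s} -> {t}:{c} {{ {' '.join(p)} }}"
            for (s, t, c), p in sorted(summary.items())]

# Constructed sample: the records quoted in the threads above, rejoined onto
# single lines the way ausearch emits them (sealert wraps them for display).
SAMPLE_AUDIT = "\n".join([
    'node=ipaclient01.virtual.local type=AVC msg=audit(1235600927.386:53): avc: '
    'denied { write } for pid=3055 comm="sshd" name="home" dev=dm-0 ino=211745 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'node=ipaclient01.virtual.local type=SYSCALL msg=audit(1235600927.386:53): '
    'arch=c000003e syscall=83 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"',
    'node=ipaclient01.virtual.local type=AVC msg=audit(1235659592.554:36): avc: '
    'denied { create } for pid=4301 comm="gdm-session-wor" name="casenjo" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
] + [
    'node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } '
    f'for pid=7023 comm="crontab" path="socket:[{ino}]" dev=sockfs ino={ino} '
    'scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket'
    for ino in (15740, 15509, 15509)
])

if __name__ == "__main__":
    print("\n".join(render(summarize(unique(parse_log(SAMPLE_AUDIT))))))
```

The summary lines are the same shape as the allow rules audit2allow would emit, which is exactly why they are worth reading first: for the sshd and xdm_t cases the thread's answer was a different tool (oddjob-mkhomedir), not a new rule, and for the crontab case a leaked descriptor.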
From sds at tycho.nsa.gov Tue Mar 3 14:29:56 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 03 Mar 2009 09:29:56 -0500
Subject: Policy for Embedded Machine
In-Reply-To: <4A8989A53645E8429EBF62BCF55AD5A4055A0D29@XMBIL151.northgrum.com>
References: <20090221170015.5668561A9FB@hormel.redhat.com> <4A8989A53645E8429EBF62BCF55AD5A4055A0D29@XMBIL151.northgrum.com>
Message-ID: <1236090596.22391.8.camel@localhost.localdomain>

On Tue, 2009-03-03 at 07:22 -0600, Spann, John W. wrote:
> Do I have to be running the 2.6.28 kernel to have the ability to load
> the dummy policy? This seems like the approach I would take, but we must
> use the 2.6.27.14 kernel.

No, you should be able to create a dummy policy for 2.6.27.14. You'll
need to grab the scripts/selinux files from 2.6.28 or later, but you
should be able to use those files on the older kernel.

--
Stephen Smalley
National Security Agency

From dwalsh at redhat.com Tue Mar 3 14:46:58 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 03 Mar 2009 09:46:58 -0500
Subject: avcs on rawhide new and old one
In-Reply-To: <621678.88577.qm@web52608.mail.re2.yahoo.com>
References: <621678.88577.qm@web52608.mail.re2.yahoo.com>
Message-ID: <49AD42E2.5090305@redhat.com>

Antonio Olivares wrote:
>
> Summary:
>
> SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by crontab. It is not expected that this access
> is required by crontab and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context        unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023
> Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects        socket [ unix_stream_socket ]
> Source                crontab
> Source Path           /usr/bin/crontab
> Port
> Host                  riohigh
> Source RPM Packages   cronie-1.2-6.fc11
> Target RPM Packages
> Policy RPM            selinux-policy-3.6.6-8.fc11
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall
> Host Name             riohigh
> Platform              Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1 SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
> Alert Count           16
> First Seen            Mon 02 Mar 2009 07:11:37 PM CST
> Last Seen             Mon 02 Mar 2009 07:11:39 PM CST
> Local ID              3883b140-4d39-40f5-9262-ce2c4c4e2e16
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15740]" dev=sockfs ino=15740 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236042699.560:325): arch=40000003 syscall=11 success=yes exit=0 a0=9756cc8 a1=9765140 a2=9750a18 a3=9765140 items=0 ppid=6988 pid=7023 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
>
>
> Summary:
>
> SELinux prevented kde4-config from writing .kde.
>
> Detailed Description:
>
> SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
> want to allow this. If .kde is not a core file, this could signal a intrusion
> attempt.
>
> Allowing Access:
>
> Changing the "allow_daemons_dump_core" boolean to true will allow this access:
> "setsebool -P allow_daemons_dump_core=1."
>
> Fix Command:
>
> setsebool -P allow_daemons_dump_core=1
>
> Additional Information:
>
> Source Context        system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context        system_u:object_r:root_t:s0
> Target Objects        .kde [ dir ]
> Source                kde4-config
> Source Path           /usr/bin/kde4-config
> Port
> Host                  riohigh
> Source RPM Packages   kdelibs-4.2.1-1.fc11
> Target RPM Packages
> Policy RPM            selinux-policy-3.6.6-8.fc11
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           allow_daemons_dump_core
> Host Name             riohigh
> Platform              Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1 SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
> Alert Count           16
> First Seen            Tue 17 Feb 2009 08:36:03 AM CST
> Last Seen             Mon 02 Mar 2009 03:49:11 PM CST
> Local ID              6d47417b-4b4b-4c4f-9c12-6210059fc418
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236030551.278:7): avc: denied { create } for pid=2361 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1236030551.278:7): arch=40000003 syscall=39 success=no exit=-13 a0=9e843f8 a1=1c0 a2=60cf8c a3=0 items=0 ppid=2360 pid=2361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> Thanks,
>
> Antonio
>

The .kde problem has been reported, to kdebase.

The crontab trying to talk to an unconfined_t unix stream socket is, I
think, a leaked file descriptor caused by restarting cron, perhaps from
a konsole?

From bob at lorez.org Tue Mar 3 16:11:40 2009
From: bob at lorez.org (Bob Richmond)
Date: Tue, 03 Mar 2009 08:11:40 -0800
Subject: Fedora 10 sendmail/smrsh denied
Message-ID: <49AD56BC.7060107@lorez.org>

Files in /etc/smrsh used to get a type of "etc_smrsh_t" that allowed
files in there to be executed by smrsh on behalf of sendmail. That went
away, and now sendmail can't execute mail processing programs under
/etc/smrsh. Did the standard location for mail processing programs
change?

From olivares14031 at yahoo.com Thu Mar 5 01:56:22 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 4 Mar 2009 17:56:22 -0800 (PST)
Subject: kde avc(SELinux prevented kde4-config from writing .kde.)will it be on next selinux policy update?
Message-ID: <389193.15867.qm@web52601.mail.re2.yahoo.com>

Dear selinux experts,

I have a question about a repeated avc. I ask if I should apply the
suggested fix or wait for an selinux policy update which addresses this?

Summary:

SELinux prevented kde4-config from writing .kde.

Detailed Description:

SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
want to allow this. If .kde is not a core file, this could signal a intrusion
attempt.

Allowing Access:

Changing the "allow_daemons_dump_core" boolean to true will allow this access:
"setsebool -P allow_daemons_dump_core=1."
Fix Command:

setsebool -P allow_daemons_dump_core=1

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:root_t:s0
Target Objects                .kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port
Host                          riohigh
Source RPM Packages           kdelibs-4.2.1-2.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.7-1.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_daemons_dump_core
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP
                              Tue Mar 3 23:01:11 EST 2009 i686 athlon
Alert Count                   20
First Seen                    Tue 17 Feb 2009 08:36:03 AM CST
Last Seen                     Wed 04 Mar 2009 07:44:55 PM CST
Local ID                      6d47417b-4b4b-4c4f-9c12-6210059fc418
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236217495.274:8): avc: denied { create } for pid=2386 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1236217495.274:8): arch=40000003 syscall=39 success=no exit=-13 a0=87163f8 a1=1c0 a2=49e32ec a3=0 items=0 ppid=2385 pid=2386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Regards,

Antonio

From olivares14031 at yahoo.com Thu Mar 5 01:57:35 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 4 Mar 2009 17:57:35 -0800 (PST)
Subject: dbus and kerneloops with selinux avc
Message-ID: <32613.54640.qm@web52605.mail.re2.yahoo.com>

Dear all,

after applying the updates, I encountered the following avc courtesy of setroubleshooter:

Summary:

SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute" kerneloops_exec_t.

Detailed Description:

SELinux denied access requested by dbus-daemon-lau. It is not expected that this access is required by dbus-daemon-lau and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:kerneloops_exec_t:s0
Target Objects                kerneloops [ file ]
Source                        dbus-daemon-lau
Source Path                   /lib/dbus-1/dbus-daemon-launch-helper
Port
Host                          riohigh
Source RPM Packages           dbus-1.2.4.4permissive-4.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.7-1.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP
                              Tue Mar 3 23:01:11 EST 2009 i686 athlon
Alert Count                   1
First Seen                    Wed 04 Mar 2009 07:46:21 PM CST
Last Seen                     Wed 04 Mar 2009 07:46:21 PM CST
Local ID                      71016152-e696-4ba1-af79-497748fd156b
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236217581.391:21): avc: denied { execute } for pid=3241 comm="dbus-daemon-lau" name="kerneloops" dev=sda5 ino=8699 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kerneloops_exec_t:s0 tclass=file

node=riohigh type=SYSCALL msg=audit(1236217581.391:21): arch=40000003 syscall=11 success=no exit=-13 a0=9c95e20 a1=9c95de8 a2=9c95008 a3=9c98368 items=0 ppid=3240 pid=3241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

Thanks,

Antonio

From gene.heskett at verizon.net Thu Mar 5 04:05:26 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Wed, 04 Mar 2009 23:05:26 -0500
Subject: Rebooted, permissive, setroubleshooter going nuts.
Message-ID: <200903042305.27010.gene.heskett@verizon.net>

Greetings;

And a portion of this list's archive on this box has gone missing to boot. So I can't look up the command to extract all these hits, about once every 2 minutes or so, to a logfile I can post. And when I click on the star, it tells me the connection has been lost to /var/run/setroubleshoot/setroubleshoot_server. But there is a zero length file there, generated when I rebooted to 2.6.29-rc7 5:18 ago. WTH?

And I just found a very short setroubleshooter.log which I will attach. It looks like it got a tummy ache just a few minutes ago.

I think I will follow what I did with 29-rc7, and not build any sound modules for anything except the audigy2, cuz now I have sound, akonadi even starts!

Help?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Your motives for doing whatever good deed you may have in mind will be misinterpreted by somebody.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: setroubleshootd.log
Type: text/x-log
Size: 865 bytes
Desc: not available

From gene.heskett at verizon.net Thu Mar 5 07:18:03 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Thu, 05 Mar 2009 02:18:03 -0500
Subject: Rebooted, permissive, setroubleshooter going nuts.
In-Reply-To: <200903042305.27010.gene.heskett@verizon.net>
References: <200903042305.27010.gene.heskett@verizon.net>
Message-ID: <200903050218.03588.gene.heskett@verizon.net>

On Wednesday 04 March 2009, Gene Heskett wrote:
>Greetings;
>
>And a portion of this list's archive on this box has gone missing to boot.
>So I can't look up the command to extract all these hits, about once every 2
>minutes or so, to a logfile I can post. And when I click on the star, it
>tells me the connection has been lost to
>/var/run/setroubleshoot/setroubleshoot_server. But there is a zero length
>file there, generated when I rebooted to 2.6.29-rc7 5:18 ago WTH?
>
>And I just found a very short setroubleshooter.log which I will attach. It
>looks like it got a tummy ache just a few minutes ago.
>
>I think I will follow what I did with 29-rc7, and not build any sound
> modules for anything except the audigy2, cuz now I have sound, akonadi even
> starts!
>
>Help?

No comment. Can anyone tell me why, when looking at the log messages, and it tells me to get the full report by running sealert with -l hashnumber, I as root am denied? From a root shell:

[root at coyote log]# sealert -l 1ed4cefd-aa3b-4727-b9ef-28b8e2cbb42c
failed to connect to server: Connection refused

I am back on a 2.6.28.7 kernel now. And setroubleshooter's screen alerts in time with the kmail pongs of new mail coming are contributing to my loss of sanity or whatever. Somehow it has decided that fetchmail isn't supposed to be able to access its user's directory/.f, uhh, I was gonna run it and get the exact file and the connection to its server has been lost, again. I thought it was funny that the reject messages were going into the system log...

Up-to-date Fedora 10. x86_64 running 32 bit.

A 'service setroubleshoot restart' restarts it though. Anybody have a clue? I seem to be fresh out, and I'm about to compile it out.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Was my SOY LOAF left out in th'RAIN? It tastes REAL GOOD!!

From gene.heskett at verizon.net Thu Mar 5 07:28:18 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Thu, 05 Mar 2009 02:28:18 -0500
Subject: Rebooted, permissive, setroubleshooter going nuts.
In-Reply-To: <200903050218.03588.gene.heskett@verizon.net> References: <200903042305.27010.gene.heskett@verizon.net> <200903050218.03588.gene.heskett@verizon.net> Message-ID: <200903050228.18872.gene.heskett@verizon.net> On Thursday 05 March 2009, Gene Heskett wrote: >On Wednesday 04 March 2009, Gene Heskett wrote: >>Greetings; >> >>And a portion of this lists archive on this box has gone missing to boot. >>So I can't look up the command to extract all these hits, about once every >> 2 minutes or so, to a logfile I can post. And when I click on the star, >> it tells me the connection has been lost to >>/var/run/setroubleshoot/setroubleshoot_server. But there is a zero length >>file there, generated when I rebooted to 2.6.29-rc7 5:18 ago WTH? >> >>And I just found a very short setroubleshooter.log which I will attach. It >>looks like it got a tummy ache just a few minutes ago. >> >>I think I will follow what I did with 29-rc7, and not build any sound >> modules for anything except the audigy2, cuz now I have sound, akonadi >> even starts! >> >>Help? > >No comment. Can anyone tell me why, when looking at the log messages, and > it tells me to get the full report by running sealert with -l hashnumber, I > as root am denied? From a root shell: >[root at coyote log]# sealert -l 1ed4cefd-aa3b-4727-b9ef-28b8e2cbb42c >failed to connect to server: Connection refused > >I am back on a 2.6.28.7 kernel now. And setroubleshooter's screen alerts in >time with the kmail pongs of new mail coming are contributing to my loss of >sanity or whatever. Somehow it has decided that fetchmail isn't supposed to >be able to access its users directory/.f, uhh, I was gonna run it and get > the exact file and the connection to its server has been lost, again. I > thought it was funny that the reject messages were going into the system > log... > >Uptodate Fedora 10. x86_64 running 32 bit. > >A 'service setroubleshoot restart' restarts it though. 
> Anybody have a clue,
> I seem to be fresh out, and I'm about to compile it out.

Ok, the restart allowed me to collect the most recent hit from sealert:
===============================
[root at coyote init.d]# sealert -l 2ada4c61-64cb-40d7-8268-83488b12426e

Summary:

SELinux is preventing procmail (procmail_t) "append" to /var/log/fetchmail.log (var_log_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux is preventing procmail (procmail_t) "append" to /var/log/fetchmail.log (var_log_t). The SELinux type var_log_t is a generic type for all files in the directory and very few processes (SELinux Domains) are allowed to write to this SELinux type. This type of denial usually indicates a mislabeled file. By default a file created in a directory gets the context of the parent directory, but SELinux policy has rules about the creation of directories, that say if a process running in one SELinux Domain (D1) creates a file in a directory with a particular SELinux File Context (F1) the file gets a different File Context (F2). The policy usually allows the SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for some reason a file (/var/log/fetchmail.log) was created with the wrong context, this domain will be denied. The usual solution to this problem is to reset the file context on the target file, restorecon -v '/var/log/fetchmail.log'. If the file context does not change from var_log_t, then this is probably a bug in policy. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package. If it does change, you can try your application again to see if it works. The file context could have been mislabeled by editing the file or moving the file from a different directory; if the file keeps getting mislabeled, check the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v '/var/log/fetchmail.log'

Fix Command:

restorecon '/var/log/fetchmail.log'

Additional Information:

Source Context                system_u:system_r:procmail_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/fetchmail.log [ file ]
Source                        procmail
Source Path                   /usr/bin/procmail
Port
Host                          coyote.coyote.den
Source RPM Packages           procmail-3.22-22.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-46.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   mislabeled_file
Host Name                     coyote.coyote.den
Platform                      Linux coyote.coyote.den 2.6.28.7 #6 SMP PREEMPT
                              Wed Mar 4 23:08:30 EST 2009 i686 athlon
Alert Count                   63
First Seen                    Sat Feb 28 16:34:21 2009
Last Seen                     Thu Mar 5 02:20:43 2009
Local ID                      2ada4c61-64cb-40d7-8268-83488b12426e
Line Numbers

Raw Audit Messages

node=coyote.coyote.den type=AVC msg=audit(1236237643.658:745): avc: denied { append } for pid=8712 comm="procmail" path="/var/log/fetchmail.log" dev=sda3 ino=23527557 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=coyote.coyote.den type=SYSCALL msg=audit(1236237643.658:745): arch=40000003 syscall=11 success=yes exit=0 a0=8941670 a1=8941748 a2=8940af8 a3=0 items=0 ppid=2784 pid=8712 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)

Thanks Guys.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Was my SOY LOAF left out in th'RAIN? It tastes REAL GOOD!!

From paul at city-fan.org Thu Mar 5 12:02:14 2009
From: paul at city-fan.org (Paul Howarth)
Date: Thu, 05 Mar 2009 12:02:14 +0000
Subject: Rebooted, permissive, setroubleshooter going nuts.
In-Reply-To: <200903050228.18872.gene.heskett@verizon.net> References: <200903042305.27010.gene.heskett@verizon.net> <200903050218.03588.gene.heskett@verizon.net> <200903050228.18872.gene.heskett@verizon.net> Message-ID: <49AFBF46.20706@city-fan.org> Gene Heskett wrote: > On Thursday 05 March 2009, Gene Heskett wrote: >> On Wednesday 04 March 2009, Gene Heskett wrote: >>> Greetings; >>> >>> And a portion of this lists archive on this box has gone missing to boot. >>> So I can't look up the command to extract all these hits, about once every >>> 2 minutes or so, to a logfile I can post. And when I click on the star, >>> it tells me the connection has been lost to >>> /var/run/setroubleshoot/setroubleshoot_server. But there is a zero length >>> file there, generated when I rebooted to 2.6.29-rc7 5:18 ago WTH? >>> >>> And I just found a very short setroubleshooter.log which I will attach. It >>> looks like it got a tummy ache just a few minutes ago. >>> >>> I think I will follow what I did with 29-rc7, and not build any sound >>> modules for anything except the audigy2, cuz now I have sound, akonadi >>> even starts! >>> >>> Help? >> No comment. Can anyone tell me why, when looking at the log messages, and >> it tells me to get the full report by running sealert with -l hashnumber, I >> as root am denied? From a root shell: >> [root at coyote log]# sealert -l 1ed4cefd-aa3b-4727-b9ef-28b8e2cbb42c >> failed to connect to server: Connection refused >> >> I am back on a 2.6.28.7 kernel now. And setroubleshooter's screen alerts in >> time with the kmail pongs of new mail coming are contributing to my loss of >> sanity or whatever. Somehow it has decided that fetchmail isn't supposed to >> be able to access its users directory/.f, uhh, I was gonna run it and get >> the exact file and the connection to its server has been lost, again. I >> thought it was funny that the reject messages were going into the system >> log... >> >> Uptodate Fedora 10. x86_64 running 32 bit. 
>> >> A 'service setroubleshoot restart' restarts it though. Anybody have a clue, >> I seem to be fresh out, and I'm about to compile it out. > Ok, the restart allowed me to collect the most recent hit from sealert: > =============================== > [root at coyote init.d]# sealert -l 2ada4c61-64cb-40d7-8268-83488b12426e > > Summary: > > SELinux is preventing procmail (procmail_t) "append" to /var/log/fetchmail.log > (var_log_t). > > Detailed Description: > > [SELinux is in permissive mode, the operation would have been denied but was > permitted due to permissive mode.] > > SELinux is preventing procmail (procmail_t) "append" to /var/log/fetchmail.log > (var_log_t). The SELinux type var_log_t, is a generic type for all files in the > directory and very few processes (SELinux Domains) are allowed to write to this > SELinux type. This type of denial usual indicates a mislabeled file. By default > a file created in a directory has the gets the context of the parent directory, > but SELinux policy has rules about the creation of directories, that say if a > process running in one SELinux Domain (D1) creates a file in a directory with a > particular SELinux File Context (F1) the file gets a different File Context > (F2). The policy usually allows the SELinux Domain (D1) the ability to write, > unlink, and append on (F2). But if for some reason a file > (/var/log/fetchmail.log) was created with the wrong context, this domain will be > denied. The usual solution to this problem is to reset the file context on the > target file, restorecon -v '/var/log/fetchmail.log'. If the file context does > not change from var_log_t, then this is probably a bug in policy. Please file a > bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the > selinux-policy package. If it does change, you can try your application again to > see if it works. 
> The file context could have been mislabeled by editing the file
> or moving the file from a different directory, if the file keeps getting
> mislabeled, check the init scripts to see if they are doing something to
> mislabel the file.
>
> Allowing Access:
>
> You can attempt to fix file context by executing restorecon -v
> '/var/log/fetchmail.log'
>
> Fix Command:
>
> restorecon '/var/log/fetchmail.log'
>
> Additional Information:
>
> Source Context                system_u:system_r:procmail_t:s0
> Target Context                system_u:object_r:var_log_t:s0
> Target Objects                /var/log/fetchmail.log [ file ]
> Source                        procmail
> Source Path                   /usr/bin/procmail
> Port
> Host                          coyote.coyote.den
> Source RPM Packages           procmail-3.22-22.fc10
> Target RPM Packages
> Policy RPM                    selinux-policy-3.5.13-46.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   mislabeled_file
> Host Name                     coyote.coyote.den
> Platform                      Linux coyote.coyote.den 2.6.28.7 #6 SMP PREEMPT
>                               Wed Mar 4 23:08:30 EST 2009 i686 athlon
> Alert Count                   63
> First Seen                    Sat Feb 28 16:34:21 2009
> Last Seen                     Thu Mar 5 02:20:43 2009
> Local ID                      2ada4c61-64cb-40d7-8268-83488b12426e
> Line Numbers
>
> Raw Audit Messages
>
> node=coyote.coyote.den type=AVC msg=audit(1236237643.658:745): avc: denied { append } for pid=8712 comm="procmail" path="/var/log/fetchmail.log" dev=sda3 ino=23527557 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> node=coyote.coyote.den type=SYSCALL msg=audit(1236237643.658:745): arch=40000003 syscall=11 success=yes exit=0 a0=8941670 a1=8941748 a2=8940af8 a3=0 items=0 ppid=2784 pid=8712 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
>
> Thanks Guys.

Is this a fetchmail log or a procmail log? What do you expect to get logged here?

I guess you're running fetchmail in daemon mode with procmail as local delivery agent?

See if this helps:

# semanage fcontext -a -t procmail_log_t '/var/log/fetchmail\.log'
# restorecon -v /var/log/fetchmail.log

Paul.

From dwalsh at redhat.com Thu Mar 5 13:33:06 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 05 Mar 2009 08:33:06 -0500
Subject: Rebooted, permissive, setroubleshooter going nuts.
In-Reply-To: <49AFBF46.20706@city-fan.org>
References: <200903042305.27010.gene.heskett@verizon.net> <200903050218.03588.gene.heskett@verizon.net> <200903050228.18872.gene.heskett@verizon.net> <49AFBF46.20706@city-fan.org>
Message-ID: <49AFD492.4070802@redhat.com>

Paul Howarth wrote:
> Gene Heskett wrote:
>> On Thursday 05 March 2009, Gene Heskett wrote:
>>> On Wednesday 04 March 2009, Gene Heskett wrote:
>>>> Greetings;
>>>>
>>>> And a portion of this lists archive on this box has gone missing to
>>>> boot. So I can't look up the command to extract all these hits, about
>>>> once every 2 minutes or so, to a logfile I can post. And when I click
>>>> on the star, it tells me the connection has been lost to
>>>> /var/run/setroubleshoot/setroubleshoot_server. But there is a zero
>>>> length file there, generated when I rebooted to 2.6.29-rc7 5:18 ago WTH?
>>>>
>>>> And I just found a very short setroubleshooter.log which I will
>>>> attach. It looks like it got a tummy ache just a few minutes ago.
>>>>
>>>> I think I will follow what I did with 29-rc7, and not build any sound
>>>> modules for anything except the audigy2, cuz now I have sound, akonadi
>>>> even starts!
>>>>
>>>> Help?
>>> No comment. Can anyone tell me why, when looking at the log
>>> messages, and it tells me to get the full report by running sealert
>>> with -l hashnumber, I as root am denied?
From a root shell: >>> [root at coyote log]# sealert -l 1ed4cefd-aa3b-4727-b9ef-28b8e2cbb42c >>> failed to connect to server: Connection refused >>> >>> I am back on a 2.6.28.7 kernel now. And setroubleshooter's screen >>> alerts in >>> time with the kmail pongs of new mail coming are contributing to my >>> loss of >>> sanity or whatever. Somehow it has decided that fetchmail isn't >>> supposed to >>> be able to access its users directory/.f, uhh, I was gonna run it >>> and get >>> the exact file and the connection to its server has been lost, again. I >>> thought it was funny that the reject messages were going into the system >>> log... >>> >>> Uptodate Fedora 10. x86_64 running 32 bit. >>> >>> A 'service setroubleshoot restart' restarts it though. Anybody have >>> a clue, >>> I seem to be fresh out, and I'm about to compile it out. >> Ok, the restart allowed me to collect the most recent hit from sealert: >> =============================== >> [root at coyote init.d]# sealert -l >> 2ada4c61-64cb-40d7-8268-83488b12426e >> >> Summary: >> >> SELinux is preventing procmail (procmail_t) "append" to >> /var/log/fetchmail.log >> (var_log_t). >> >> Detailed Description: >> >> [SELinux is in permissive mode, the operation would have been denied >> but was >> permitted due to permissive >> mode.] >> SELinux is preventing procmail (procmail_t) "append" to >> /var/log/fetchmail.log >> (var_log_t). The SELinux type var_log_t, is a generic type for all >> files in the >> directory and very few processes (SELinux Domains) are allowed to >> write to this >> SELinux type. This type of denial usual indicates a mislabeled file. >> By default >> a file created in a directory has the gets the context of the parent >> directory, >> but SELinux policy has rules about the creation of directories, that >> say if a process running in one SELinux Domain (D1) creates a file in >> a directory with a >> particular SELinux File Context (F1) the file gets a different File >> Context (F2). 
The policy usually allows the SELinux Domain (D1) the >> ability to write, unlink, and append on (F2). But if for some reason >> a file (/var/log/fetchmail.log) was created with >> the wrong context, this domain will be >> denied. The usual solution to this problem is to reset the file >> context on the target file, restorecon -v '/var/log/fetchmail.log'. >> If the file context does not change from var_log_t, then this is >> probably a bug in policy. Please file a bug report >> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the >> selinux-policy package. If it does change, you can try your >> application again to >> see if it works. The file context could have been mislabeled by >> editing the file >> or moving the file from a different directory, if the file keeps >> getting mislabeled, check the init scripts to see if they are >> doing something to mislabel the >> file. >> Allowing Access: >> >> You can attempt to fix file context by executing restorecon -v >> '/var/log/fetchmail.log' >> Fix Command: >> >> restorecon '/var/log/fetchmail.log' >> >> Additional Information: >> >> Source Context system_u:system_r:procmail_t:s0 >> Target Context system_u:object_r:var_log_t:s0 >> Target Objects /var/log/fetchmail.log [ file ] >> Source procmail >> Source Path /usr/bin/procmail >> Port >> Host coyote.coyote.den >> Source RPM Packages procmail-3.22-22.fc10 >> Target RPM Packages >> Policy RPM selinux-policy-3.5.13-46.fc10 >> Selinux Enabled True >> Policy Type targeted >> MLS Enabled True >> Enforcing Mode Permissive >> Plugin Name mislabeled_file >> Host Name coyote.coyote.den >> Platform Linux coyote.coyote.den 2.6.28.7 #6 SMP >> PREEMPT >> Wed Mar 4 23:08:30 EST 2009 i686 athlon >> Alert Count 63 >> First Seen Sat Feb 28 16:34:21 2009 >> Last Seen Thu Mar 5 02:20:43 2009 >> Local ID 2ada4c61-64cb-40d7-8268-83488b12426e >> Line Numbers >> >> Raw Audit Messages >> >> node=coyote.coyote.den type=AVC msg=audit(1236237643.658:745): avc: >> denied { append } 
>> for pid=8712 comm="procmail" path="/var/log/fetchmail.log" dev=sda3 ino=23527557
>> scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
>>
>> node=coyote.coyote.den type=SYSCALL msg=audit(1236237643.658:745): arch=40000003 syscall=11 success=yes exit=0 a0=8941670 a1=8941748 a2=8940af8 a3=0 items=0 ppid=2784 pid=8712 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)
>>
>> Thanks Guys.
>
> Is this a fetchmail log or a procmail log? What do you expect to get
> logged here?
>
> I guess you're running fetchmail in daemon mode with procmail as local
> delivery agent?
>
> See if this helps:
>
> # semanage fcontext -a -t procmail_log_t '/var/log/fetchmail\.log'
> # restorecon -v /var/log/fetchmail.log
>
> Paul.

Currently f10 policy has

./policy/modules/services/mta.te:logging_append_all_logs(system_mail_t)
./policy/modules/system/init.te:logging_append_all_logs(initrc_t)
./policy/modules/system/init.te:logging_append_all_logs(daemon)

I think it could be argued that we should allow all confined domains to append to any log file, since simple redirection of stdout causes the AVC in question. Being able to write to a log file allows a cracked program to erase the log contents. Being able to append to a log file means you could fill up the system with garbage or write something to a log file that would cause some other app or human to do something bad.

Fetchmail policy does not allow for the creation of a logfile right now. I guess the default is to write to syslog. We need to add a mechanism for fetchmail to create a fetchmail_log_t and allow procmail_t to append to it.
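Paul's two-command relabel and Dan's point that confined domains are granted append, not write, on logs both start from reading the raw AVC record correctly. As an added example (not code from the thread or from selinux-policy), this POSIX sh helper pulls the fields out of such a record, reports from the paired SYSCALL record whether the call was actually blocked, and builds the semanage fcontext / restorecon pair with the path escaped as a regular expression; the sample records are constructed from the procmail denial quoted above, and the procmail_log_t argument is the admin's choice, as in Paul's reply.

```shell
#!/bin/sh
# Added helper (not from the thread): triage raw SELinux audit records like the
# ones sealert printed above, and build the relabel commands Paul suggested.

# Constructed sample records, shaped like the procmail denial quoted in the thread.
SAMPLE_AVC='node=coyote.coyote.den type=AVC msg=audit(1236237643.658:745): avc: denied { append } for pid=8712 comm="procmail" path="/var/log/fetchmail.log" dev=sda3 ino=23527557 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'
SAMPLE_SYSCALL='node=coyote.coyote.den type=SYSCALL msg=audit(1236237643.658:745): arch=40000003 syscall=11 success=yes exit=0 pid=8712 comm="procmail" exe="/usr/bin/procmail" subj=system_u:system_r:procmail_t:s0 key=(null)'

# avc_field RECORD KEY: the value of KEY=... in RECORD, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm RECORD: the permission(s) inside the braces of "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# syscall_outcome SYSCALL_RECORD: a denied AVC whose syscall reports success=yes
# was logged but not blocked (permissive mode, or a permissive domain);
# success=no with exit=-13 (EACCES) means SELinux really refused it.
syscall_outcome() {
    case "$(avc_field "$1" success)" in
        yes) echo not-blocked ;;
        no)  echo blocked ;;
        *)   echo unknown ;;
    esac
}

# fcontext_regex PATH: semanage fcontext takes a regular expression, so every
# regex metacharacter in a literal path must be escaped (hence fetchmail\.log).
fcontext_regex() {
    printf '%s\n' "$1" | sed 's/[][*.^$(){}+?|]/\\&/g'
}

# summarize RECORD: one line of who (domain) wants what on which label.
summarize() {
    target=$(avc_field "$1" path)
    # directory denials (the .kde case above) carry name=, not path=
    [ -n "$target" ] || target=$(avc_field "$1" name)
    printf '%s (%s) wants %s on %s labelled %s [%s]\n' \
        "$(avc_field "$1" comm)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$target" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# suggest_relabel RECORD TYPE: the semanage fcontext / restorecon pair for the
# denied path; TYPE is the admin's choice (procmail_log_t in Paul's reply).
suggest_relabel() {
    path=$(avc_field "$1" path)
    printf "semanage fcontext -a -t %s '%s'\n" "$2" "$(fcontext_regex "$path")"
    printf "restorecon -v '%s'\n" "$path"
}

# label_mismatch PATH: exit 0 if the on-disk label differs from the policy
# default (the "mislabeled file" case), 1 if they agree, 2 if the SELinux
# userspace (matchpathcon, GNU stat %C) is not available on this host.
label_mismatch() {
    command -v matchpathcon >/dev/null 2>&1 || return 2
    [ -e "$1" ] || return 2
    actual=$(stat -c %C "$1" 2>/dev/null) || return 2
    expected=$(matchpathcon -n "$1") || return 2
    [ "$actual" != "$expected" ]
}

summarize "$SAMPLE_AVC"
echo "enforcement: $(syscall_outcome "$SAMPLE_SYSCALL")"
suggest_relabel "$SAMPLE_AVC" procmail_log_t
```

The parsing functions run anywhere; only label_mismatch needs the SELinux tools on the host.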
From dwalsh at redhat.com Thu Mar 5 14:11:41 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 05 Mar 2009 09:11:41 -0500
Subject: dbus and kerneloops with selinux avc
In-Reply-To: <32613.54640.qm@web52605.mail.re2.yahoo.com>
References: <32613.54640.qm@web52605.mail.re2.yahoo.com>
Message-ID: <49AFDD9D.8090203@redhat.com>

Antonio Olivares wrote:
> Dear all,
>
> after applying the updates, I encountered the following avc courtesy of setroubleshooter:
>
> Summary:
>
> SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute"
> kerneloops_exec_t.
>
> Detailed Description:
>
> SELinux denied access requested by dbus-daemon-lau. It is not expected that this
> access is required by dbus-daemon-lau and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:kerneloops_exec_t:s0
> Target Objects                kerneloops [ file ]
> Source                        dbus-daemon-lau
> Source Path                   /lib/dbus-1/dbus-daemon-launch-helper
> Port
> Host                          riohigh
> Source RPM Packages           dbus-1.2.4.4permissive-4.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.7-1.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP
>                               Tue Mar 3 23:01:11 EST 2009 i686 athlon
> Alert Count                   1
> First Seen                    Wed 04 Mar 2009 07:46:21 PM CST
> Last Seen                     Wed 04 Mar 2009 07:46:21 PM CST
> Local ID                      71016152-e696-4ba1-af79-497748fd156b
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236217581.391:21): avc: denied { execute } for pid=3241 comm="dbus-daemon-lau" name="kerneloops" dev=sda5 ino=8699 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kerneloops_exec_t:s0 tclass=file
>
> node=riohigh type=SYSCALL msg=audit(1236217581.391:21): arch=40000003 syscall=11 success=no exit=-13 a0=9c95e20 a1=9c95de8 a2=9c95008 a3=9c98368 items=0 ppid=3240 pid=3241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
>
> Thanks,
>
> Antonio

Should be fixed in today's policy.

From dwalsh at redhat.com Thu Mar 5 14:18:29 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 05 Mar 2009 09:18:29 -0500
Subject: kde avc (SELinux prevented kde4-config from writing .kde.) will it be on next selinux policy update?
In-Reply-To: <389193.15867.qm@web52601.mail.re2.yahoo.com>
References: <389193.15867.qm@web52601.mail.re2.yahoo.com>
Message-ID: <49AFDF35.6040707@redhat.com>

Antonio Olivares wrote:
> Dear selinux experts,
>
> I have a question about a repeated avc. I ask if I should apply the suggested fix or wait for an selinux policy update which addresses this?
>
> Summary:
>
> SELinux prevented kde4-config from writing .kde.
>
> Detailed Description:
>
> SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
> want to allow this. If .kde is not a core file, this could signal an intrusion
> attempt.
>
> Allowing Access:
>
> Changing the "allow_daemons_dump_core" boolean to true will allow this access:
> "setsebool -P allow_daemons_dump_core=1."
>
> Fix Command:
>
> setsebool -P allow_daemons_dump_core=1
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:root_t:s0
> Target Objects                .kde [ dir ]
> Source                        kde4-config
> Source Path                   /usr/bin/kde4-config
> Port
> Host                          riohigh
> Source RPM Packages           kdelibs-4.2.1-2.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.7-1.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_daemons_dump_core
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP
>                               Tue Mar 3 23:01:11 EST 2009 i686 athlon
> Alert Count                   20
> First Seen                    Tue 17 Feb 2009 08:36:03 AM CST
> Last Seen                     Wed 04 Mar 2009 07:44:55 PM CST
> Local ID                      6d47417b-4b4b-4c4f-9c12-6210059fc418
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236217495.274:8): avc: denied { create } for pid=2386 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1236217495.274:8): arch=40000003 syscall=39 success=no exit=-13 a0=87163f8 a1=1c0 a2=49e32ec a3=0 items=0 ppid=2385 pid=2386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
> Regards,
>
> Antonio

This is a bug in kdebase. The kdm login program thinks its home dir is / so it is trying to create /.kde in the root directory. There are bugs filed on this. Not being able to create this directory does not seem to bother the login app, so I think it is deep down in the libraries. I can change SELinux to cover this up but I would rather put pressure on the kde maintainers to fix their code.

From gene.heskett at verizon.net Thu Mar 5 14:19:51 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Thu, 05 Mar 2009 09:19:51 -0500
Subject: Rebooted, permissive, setroubleshooter going nuts.
In-Reply-To: <49AFBF46.20706@city-fan.org>
References: <200903042305.27010.gene.heskett@verizon.net> <200903050228.18872.gene.heskett@verizon.net> <49AFBF46.20706@city-fan.org>
Message-ID: <200903050919.52280.gene.heskett@verizon.net>

On Thursday 05 March 2009, Paul Howarth wrote:
>Gene Heskett wrote:
>> On Thursday 05 March 2009, Gene Heskett wrote:
>>> On Wednesday 04 March 2009, Gene Heskett wrote:
>>>> Greetings;
>>>>
>>>> And a portion of this lists archive on this box has gone missing to
>>>> boot. So I can't look up the command to extract all these hits, about
>>>> once every 2 minutes or so, to a logfile I can post. And when I click
>>>> on the star, it tells me the connection has been lost to
>>>> /var/run/setroubleshoot/setroubleshoot_server. But there is a zero
>>>> length file there, generated when I rebooted to 2.6.29-rc7 5:18 ago WTH?
>>>>
>>>> And I just found a very short setroubleshooter.log which I will attach.
>>>> It looks like it got a tummy ache just a few minutes ago.
>>>>
>>>> I think I will follow what I did with 29-rc7, and not build any sound
>>>> modules for anything except the audigy2, cuz now I have sound, akonadi
>>>> even starts!
>>>>
>>>> Help?
>>>
>>> No comment. Can anyone tell me why, when looking at the log messages,
>>> and it tells me to get the full report by running sealert with -l
>>> hashnumber, I as root am denied?
From a root shell: >>> [root at coyote log]# sealert -l 1ed4cefd-aa3b-4727-b9ef-28b8e2cbb42c >>> failed to connect to server: Connection refused >>> >>> I am back on a 2.6.28.7 kernel now. And setroubleshooter's screen alerts >>> in time with the kmail pongs of new mail coming are contributing to my >>> loss of sanity or whatever. Somehow it has decided that fetchmail isn't >>> supposed to be able to access its users directory/.f, uhh, I was gonna >>> run it and get the exact file and the connection to its server has been >>> lost, again. I thought it was funny that the reject messages were going >>> into the system log... >>> >>> Uptodate Fedora 10. x86_64 running 32 bit. >>> >>> A 'service setroubleshoot restart' restarts it though. Anybody have a >>> clue, I seem to be fresh out, and I'm about to compile it out. >> >> Ok, the restart allowed me to collect the most recent hit from sealert: >> =============================== >> [root at coyote init.d]# sealert -l 2ada4c61-64cb-40d7-8268-83488b12426e >> >> Summary: >> >> SELinux is preventing procmail (procmail_t) "append" to >> /var/log/fetchmail.log (var_log_t). >> >> Detailed Description: >> >> [SELinux is in permissive mode, the operation would have been denied but >> was permitted due to permissive mode.] >> >> SELinux is preventing procmail (procmail_t) "append" to >> /var/log/fetchmail.log (var_log_t). The SELinux type var_log_t, is a >> generic type for all files in the directory and very few processes >> (SELinux Domains) are allowed to write to this SELinux type. This type of >> denial usual indicates a mislabeled file. By default a file created in a >> directory has the gets the context of the parent directory, but SELinux >> policy has rules about the creation of directories, that say if a process >> running in one SELinux Domain (D1) creates a file in a directory with a >> particular SELinux File Context (F1) the file gets a different File >> Context (F2). 
The policy usually allows the SELinux Domain (D1) the >> ability to write, unlink, and append on (F2). But if for some reason a >> file >> (/var/log/fetchmail.log) was created with the wrong context, this domain >> will be denied. The usual solution to this problem is to reset the file >> context on the target file, restorecon -v '/var/log/fetchmail.log'. If the >> file context does not change from var_log_t, then this is probably a bug >> in policy. Please file a bug report >> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the >> selinux-policy package. If it does change, you can try your application >> again to see if it works. The file context could have been mislabeled by >> editing the file or moving the file from a different directory, if the >> file keeps getting mislabeled, check the init scripts to see if they are >> doing something to mislabel the file. >> >> Allowing Access: >> >> You can attempt to fix file context by executing restorecon -v >> '/var/log/fetchmail.log' >> >> Fix Command: >> >> restorecon '/var/log/fetchmail.log' >> >> Additional Information: >> >> Source Context system_u:system_r:procmail_t:s0 >> Target Context system_u:object_r:var_log_t:s0 >> Target Objects /var/log/fetchmail.log [ file ] >> Source procmail >> Source Path /usr/bin/procmail >> Port >> Host coyote.coyote.den >> Source RPM Packages procmail-3.22-22.fc10 >> Target RPM Packages >> Policy RPM selinux-policy-3.5.13-46.fc10 >> Selinux Enabled True >> Policy Type targeted >> MLS Enabled True >> Enforcing Mode Permissive >> Plugin Name mislabeled_file >> Host Name coyote.coyote.den >> Platform Linux coyote.coyote.den 2.6.28.7 #6 SMP >> PREEMPT Wed Mar 4 23:08:30 EST 2009 i686 athlon Alert Count >> 63 >> First Seen Sat Feb 28 16:34:21 2009 >> Last Seen Thu Mar 5 02:20:43 2009 >> Local ID 2ada4c61-64cb-40d7-8268-83488b12426e >> Line Numbers >> >> Raw Audit Messages >> >> node=coyote.coyote.den type=AVC msg=audit(1236237643.658:745): avc: >> denied { append } for 
pid=8712 comm="procmail" >> path="/var/log/fetchmail.log" dev=sda3 ino=23527557 >> scontext=system_u:system_r:procmail_t:s0 >> tcontext=system_u:object_r:var_log_t:s0 tclass=file >> >> node=coyote.coyote.den type=SYSCALL msg=audit(1236237643.658:745): >> arch=40000003 syscall=11 success=yes exit=0 a0=8941670 a1=8941748 >> a2=8940af8 a3=0 items=0 ppid=2784 pid=8712 auid=4294967295 uid=501 gid=501 >> euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) >> ses=4294967295 comm="procmail" exe="/usr/bin/procmail" >> subj=system_u:system_r:procmail_t:s0 key=(null) >> >> Thanks Guys. > >Is this a fetchmail log or a procmail log? What do you expect to get >logged here? fetchmails normal activities > >I guess you're running fetchmail in daemon mode with procmail as local >delivery agent? Correct. > >See if this helps: > ># semanage fcontext -a -t procmail_log_t '/var/log/fetchmail\.log' ># restorecon -v /var/log/fetchmail.log > >Paul. I did the restorecon -v thing on the two logs and that seems to have satisfied setroubleshoot. For the nonce, I have had to restart it twice since rebooting last night. I wonder if the f10 upgrade from f8 removed some stuff I had in logrotate to address that? 
Here are the messages, snipped, surrounding the last failure:

Mar 5 02:28:31 coyote setroubleshoot: [program.ERROR] audit event#012node=coyote.coyote.den type=AVC msg=audit(1236238110.422:761): avc: denied { signull } for pid=8602 comm="setroubleshootd" scontext=unconfined_u:unconfined_r:setroubleshootd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process#012#012node=coyote.coyote.den type=SYSCALL msg=audit(1236238110.422:761): arch=40000003 syscall=37 success=yes exit=0 a0=1027 a1=0 a2=b7ab8a28 a3=1027 items=0 ppid=1 pid=8602 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="setroubleshootd" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:setroubleshootd_t:s0 key=(null)
Mar 5 08:29:46 coyote setroubleshoot: [rpc.ERROR] attempt to open server connection failed: Connection refused
Mar 5 08:30:50 coyote setroubleshoot: [server.ERROR] cannot start systen DBus service: org.freedesktop.DBus.Error.AccessDenied: An SELinx policy prevents this sender from sending this message to this recipient (rejected message had interface "org.freedesktop.DBus" member "ello" error name "(unset)" destination "org.freedesktop.DBus")
Mar 5 08:31:20 coyote kernel: [33498.076923] SELinux: Context unconfined_u:unconfined_r:setroubleshootd_t:s0-s0:c0.c1023 would be invald if enforcing

Chuckle, note the misspelling above. :)

In those cases where I have restarted setroubleshoot, it always reports a failure of the stop action only. Is the above enough to determine an exit reason? In one case earlier, it said "exiting to prevent recursion".

As for the logging fsckups, I have now added a few lines to /etc/logrotate.d/mail, as follows.
=================
# Logrotate file for fetchmail.log and procmail.log
/var/log/fetchmail.log {
    missingok
    compress
    notifempty
    weekly
    size=1000k
    rotate 5
    # copytruncate truncates the live file in place instead of recreating
    # it, so the 'create' line below has no effect; the chown in postrotate
    # is what keeps the ownership right
    copytruncate
    create 0600 gene gene
    prerotate
        /usr/bin/killall fetchmail
        sleep 1
    endscript
    postrotate
        chown gene:gene /var/log/fetchmail.log
        restorecon -v /var/log/fetchmail.log    # <- new
        echo "log rotated on $(date -u)" >>/var/log/fetchmail.log
        su gene -c "/usr/bin/fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
    endscript
}

/var/log/procmail.log {
    missingok
    compress
    notifempty
    weekly
    size=1000k
    rotate 5
    copytruncate
    create 0600 gene gene
    postrotate
        restorecon -v /var/log/procmail.log    # <- new
        echo "log rotated on $(date -u)" >>/var/log/procmail.log
    endscript
}
===============================
logrotate's actions have consistently been a PIMA here. Hmm, in fact since those two files are 0600 gene gene, should I do an "su gene -c" wrapper on those two restorecon lines?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
For large values of one, one equals two, for small values of two.

From cpebenito at tresys.com Thu Mar 5 14:23:02 2009
From: cpebenito at tresys.com (Christopher J. PeBenito)
Date: Thu, 05 Mar 2009 09:23:02 -0500
Subject: [refpolicy] TCP server howto
In-Reply-To: <49AC101A.50101@redhat.com>
References: <20090227230224.GF30997@fi.muni.cz> <1235817998.11365.12.camel@notebook1.grift.internal> <20090302153448.GH31276@fi.muni.cz> <49AC101A.50101@redhat.com>
Message-ID: <1236262982.26944.61.camel@gorn.columbia.tresys.com>

On Mon, 2009-03-02 at 11:58 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Jan Kasprzak wrote:
> > Dominick Grift wrote:
> > : I think corenet_reserved_port() is what you are looking for.
> > :
> > 	Thanks for the hint.
It is _almost_ exactly as you wrote, > > except: > > > > : # Declarations > > : > > : type my_port_t; > > : corenet_reserved_port(my_port_t) > > : > > : # Policy > > : > > : corenet_all_recvfrom_unlabeled($1) > > : corenet_all_recvfrom_netlabel($1) > > : corenet_tcp_sendrecv_generic_if($1) > > : corenet_tcp_sendrecv_generic_node($1) > > : corenet_tcp_sendrecv_all_ports($1) > > - corenet_tcp_bind_generic_node($1) > > + corenet_tcp_bind_inadrr_any_node($1) > > > > : allow $1 my_port_t:tcp_socket name_bind; > > > > + allow $1 self:capability net_bind_service; > > + allow $1 self:tcp_socket create_stream_socket_perms; > > > > : #EOF > > : > > : sudo semanage port -a -t my_port_t -p tcp 40 > > > > I would however like to have a really-high-level macro (or two) > > to do the above - I guess this is what many users would like to do > > - saying "this context belongs to my port", and "this domain can run > > a TCP server on this port". The similar way how the files_pid_file() > > and files_pid_filetrans() macros allow for the > > "I want to have my own PID file in /var/run" case. > > > > Would it be acceptable to submit this as a patch for inclusion > > in the upstream policy? > > > > I would like to have other things included upstream as well - for > > example, now I have a policy bits for Perl: file contexts for > > /usr/bin/perl* and /usr/lib{,64}/perl5/*, and an interface macro for saying > > "this domain can run Perl scripts". > > > > Thanks, > > > > -Yenya > > > > Yenya, take this discussion to the refpolicy list > > > > Better to discuss it there. I think having a higher level template for > creating a tcp or udp port would not be a bad idea. See what upstream > thinks. I'm willing to consider it, but it'll need a good name. 
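Review bot: the `+ corenet_tcp_bind_inadrr_any_node($1)` line misspells the interface; the refpolicy name is `corenet_tcp_bind_inaddr_any_node($1)`, and with the typo the m4 macro is never expanded, so the module fails to build with a syntax error at that line rather than at load time. Please correct it before this goes upstream.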
-- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 From mgrepl at redhat.com Thu Mar 5 14:29:02 2009 From: mgrepl at redhat.com (Miroslav Grepl) Date: Thu, 05 Mar 2009 15:29:02 +0100 Subject: Rebooted, permissive, setroubleshooter going nuts. In-Reply-To: <49AFD492.4070802@redhat.com> References: <200903042305.27010.gene.heskett@verizon.net> <200903050218.03588.gene.heskett@verizon.net> <200903050228.18872.gene.heskett@verizon.net> <49AFBF46.20706@city-fan.org> <49AFD492.4070802@redhat.com> Message-ID: <49AFE1AE.1060907@redhat.com> Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Paul Howarth wrote: > >> Gene Heskett wrote: >> >>> On Thursday 05 March 2009, Gene Heskett wrote: >>> >>>> On Wednesday 04 March 2009, Gene Heskett wrote: >>>> >>>>> Greetings; >>>>> >>>>> And a portion of this lists archive on this box has gone missing to >>>>> boot. >>>>> So I can't look up the command to extract all these hits, about once >>>>> every >>>>> 2 minutes or so, to a logfile I can post. And when I click on the >>>>> star, >>>>> it tells me the connection has been lost to >>>>> /var/run/setroubleshoot/setroubleshoot_server. But there is a zero >>>>> length >>>>> file there, generated when I rebooted to 2.6.29-rc7 5:18 ago WTH? >>>>> >>>>> And I just found a very short setroubleshooter.log which I will >>>>> attach. It >>>>> looks like it got a tummy ache just a few minutes ago. >>>>> >>>>> I think I will follow what I did with 29-rc7, and not build any sound >>>>> modules for anything except the audigy2, cuz now I have sound, akonadi >>>>> even starts! >>>>> >>>>> Help? >>>>> >>>> No comment. Can anyone tell me why, when looking at the log >>>> messages, and >>>> it tells me to get the full report by running sealert with -l >>>> hashnumber, I >>>> as root am denied? 
From a root shell: >>>> [root at coyote log]# sealert -l 1ed4cefd-aa3b-4727-b9ef-28b8e2cbb42c >>>> failed to connect to server: Connection refused >>>> >>>> I am back on a 2.6.28.7 kernel now. And setroubleshooter's screen >>>> alerts in >>>> time with the kmail pongs of new mail coming are contributing to my >>>> loss of >>>> sanity or whatever. Somehow it has decided that fetchmail isn't >>>> supposed to >>>> be able to access its users directory/.f, uhh, I was gonna run it >>>> and get >>>> the exact file and the connection to its server has been lost, again. I >>>> thought it was funny that the reject messages were going into the system >>>> log... >>>> >>>> Uptodate Fedora 10. x86_64 running 32 bit. >>>> >>>> A 'service setroubleshoot restart' restarts it though. Anybody have >>>> a clue, >>>> I seem to be fresh out, and I'm about to compile it out. >>>> >>> Ok, the restart allowed me to collect the most recent hit from sealert: >>> =============================== >>> [root at coyote init.d]# sealert -l >>> 2ada4c61-64cb-40d7-8268-83488b12426e >>> >>> Summary: >>> >>> SELinux is preventing procmail (procmail_t) "append" to >>> /var/log/fetchmail.log >>> (var_log_t). >>> >>> Detailed Description: >>> >>> [SELinux is in permissive mode, the operation would have been denied >>> but was >>> permitted due to permissive >>> mode.] >>> SELinux is preventing procmail (procmail_t) "append" to >>> /var/log/fetchmail.log >>> (var_log_t). The SELinux type var_log_t, is a generic type for all >>> files in the >>> directory and very few processes (SELinux Domains) are allowed to >>> write to this >>> SELinux type. This type of denial usual indicates a mislabeled file. 
>>> By default >>> a file created in a directory has the gets the context of the parent >>> directory, >>> but SELinux policy has rules about the creation of directories, that >>> say if a process running in one SELinux Domain (D1) creates a file in >>> a directory with a >>> particular SELinux File Context (F1) the file gets a different File >>> Context (F2). The policy usually allows the SELinux Domain (D1) the >>> ability to write, unlink, and append on (F2). But if for some reason >>> a file (/var/log/fetchmail.log) was created with >>> the wrong context, this domain will be >>> denied. The usual solution to this problem is to reset the file >>> context on the target file, restorecon -v '/var/log/fetchmail.log'. >>> If the file context does not change from var_log_t, then this is >>> probably a bug in policy. Please file a bug report >>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the >>> selinux-policy package. If it does change, you can try your >>> application again to >>> see if it works. The file context could have been mislabeled by >>> editing the file >>> or moving the file from a different directory, if the file keeps >>> getting mislabeled, check the init scripts to see if they are >>> doing something to mislabel the >>> file. 
>>> Allowing Access: >>> >>> You can attempt to fix file context by executing restorecon -v >>> '/var/log/fetchmail.log' >>> Fix Command: >>> >>> restorecon '/var/log/fetchmail.log' >>> >>> Additional Information: >>> >>> Source Context system_u:system_r:procmail_t:s0 >>> Target Context system_u:object_r:var_log_t:s0 >>> Target Objects /var/log/fetchmail.log [ file ] >>> Source procmail >>> Source Path /usr/bin/procmail >>> Port >>> Host coyote.coyote.den >>> Source RPM Packages procmail-3.22-22.fc10 >>> Target RPM Packages >>> Policy RPM selinux-policy-3.5.13-46.fc10 >>> Selinux Enabled True >>> Policy Type targeted >>> MLS Enabled True >>> Enforcing Mode Permissive >>> Plugin Name mislabeled_file >>> Host Name coyote.coyote.den >>> Platform Linux coyote.coyote.den 2.6.28.7 #6 SMP >>> PREEMPT >>> Wed Mar 4 23:08:30 EST 2009 i686 athlon >>> Alert Count 63 >>> First Seen Sat Feb 28 16:34:21 2009 >>> Last Seen Thu Mar 5 02:20:43 2009 >>> Local ID 2ada4c61-64cb-40d7-8268-83488b12426e >>> Line Numbers >>> >>> Raw Audit Messages >>> >>> node=coyote.coyote.den type=AVC msg=audit(1236237643.658:745): avc: >>> denied { append } for pid=8712 comm="procmail" >>> path="/var/log/fetchmail.log" dev=sda3 ino=23527557 >>> scontext=system_u:system_r:procmail_t:s0 >>> tcontext=system_u:object_r:var_log_t:s0 tclass=file >>> >>> node=coyote.coyote.den type=SYSCALL msg=audit(1236237643.658:745): >>> arch=40000003 syscall=11 success=yes exit=0 a0=8941670 a1=8941748 >>> a2=8940af8 a3=0 items=0 ppid=2784 pid=8712 auid=4294967295 uid=501 >>> gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 >>> tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" >>> subj=system_u:system_r:procmail_t:s0 key=(null) >>> >>> Thanks Guys. >>> >> Is this a fetchmail log or a procmail log? What do you expect to get >> logged here? >> >> I guess you're running fetchmail in daemon mode with procmail as local >> delivery agent? 
>> 
>> See if this helps:
>> 
>> # semanage fcontext -a -t procmail_log_t '/var/log/fetchmail\.log'
>> # restorecon -v /var/log/fetchmail.log
>> 
>> Paul.
>> 
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> 
> 
> Currently f10 policy has
> 
> ./policy/modules/services/mta.te:logging_append_all_logs(system_mail_t)
> ./policy/modules/system/init.te:logging_append_all_logs(initrc_t)
> ./policy/modules/system/init.te:logging_append_all_logs(daemon)
> 
> I think it could be argued that we should allow all confined domains to
> append to any log file, since simple redirection of stdout causes the
> AVC in question. Being able to write to a log file allows a cracked
> program to erase the log contents. Being able to append to a log file
> means you could fill up the system with garbage or write something to a
> log file that would cause some other app or human to do something bad.
> 
> Fetchmail policy does not allow for the creation of a logfile right now.
> I guess the default is to write to syslog. We need to add a mechanism
> for fetchmail to create a fetchmail_log_t and allow procmail_t to append
> to it.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkmv1JIACgkQrlYvE4MpobMVoQCbBguw0NgYBYr0X/6gfv5pqNXF
> IUQAoNW3KmkesnPbo5CcPaUxCofKvPeR
> =TiT3
> -----END PGP SIGNATURE-----
> 
Ok, I will add this mechanism to the policy.

From gene.heskett at verizon.net Thu Mar 5 14:34:59 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Thu, 05 Mar 2009 09:34:59 -0500
Subject: Rebooted, permissive, setroubleshooter going nuts.
In-Reply-To: <49AFD492.4070802@redhat.com> References: <200903042305.27010.gene.heskett@verizon.net> <49AFBF46.20706@city-fan.org> <49AFD492.4070802@redhat.com> Message-ID: <200903050934.59958.gene.heskett@verizon.net> On Thursday 05 March 2009, Daniel J Walsh wrote: >Paul Howarth wrote: >> Gene Heskett wrote: >>> On Thursday 05 March 2009, Gene Heskett wrote: >>>> On Wednesday 04 March 2009, Gene Heskett wrote: >>>>> Greetings; >>>>> >>>>> And a portion of this lists archive on this box has gone missing to >>>>> boot. >>>>> So I can't look up the command to extract all these hits, about once >>>>> every >>>>> 2 minutes or so, to a logfile I can post. And when I click on the >>>>> star, >>>>> it tells me the connection has been lost to >>>>> /var/run/setroubleshoot/setroubleshoot_server. But there is a zero >>>>> length >>>>> file there, generated when I rebooted to 2.6.29-rc7 5:18 ago WTH? >>>>> >>>>> And I just found a very short setroubleshooter.log which I will >>>>> attach. It >>>>> looks like it got a tummy ache just a few minutes ago. >>>>> >>>>> I think I will follow what I did with 29-rc7, and not build any sound >>>>> modules for anything except the audigy2, cuz now I have sound, akonadi >>>>> even starts! >>>>> >>>>> Help? >>>> >>>> No comment. Can anyone tell me why, when looking at the log >>>> messages, and >>>> it tells me to get the full report by running sealert with -l >>>> hashnumber, I >>>> as root am denied? From a root shell: >>>> [root at coyote log]# sealert -l 1ed4cefd-aa3b-4727-b9ef-28b8e2cbb42c >>>> failed to connect to server: Connection refused >>>> >>>> I am back on a 2.6.28.7 kernel now. And setroubleshooter's screen >>>> alerts in >>>> time with the kmail pongs of new mail coming are contributing to my >>>> loss of >>>> sanity or whatever. 
Somehow it has decided that fetchmail isn't >>>> supposed to >>>> be able to access its users directory/.f, uhh, I was gonna run it >>>> and get >>>> the exact file and the connection to its server has been lost, again. I >>>> thought it was funny that the reject messages were going into the system >>>> log... >>>> >>>> Uptodate Fedora 10. x86_64 running 32 bit. >>>> >>>> A 'service setroubleshoot restart' restarts it though. Anybody have >>>> a clue, >>>> I seem to be fresh out, and I'm about to compile it out. >>> >>> Ok, the restart allowed me to collect the most recent hit from sealert: >>> =============================== >>> [root at coyote init.d]# sealert -l >>> 2ada4c61-64cb-40d7-8268-83488b12426e >>> >>> Summary: >>> >>> SELinux is preventing procmail (procmail_t) "append" to >>> /var/log/fetchmail.log >>> (var_log_t). >>> >>> Detailed Description: >>> >>> [SELinux is in permissive mode, the operation would have been denied >>> but was >>> permitted due to permissive >>> mode.] >>> SELinux is preventing procmail (procmail_t) "append" to >>> /var/log/fetchmail.log >>> (var_log_t). The SELinux type var_log_t, is a generic type for all >>> files in the >>> directory and very few processes (SELinux Domains) are allowed to >>> write to this >>> SELinux type. This type of denial usual indicates a mislabeled file. >>> By default >>> a file created in a directory has the gets the context of the parent >>> directory, >>> but SELinux policy has rules about the creation of directories, that >>> say if a process running in one SELinux Domain (D1) creates a file in >>> a directory with a >>> particular SELinux File Context (F1) the file gets a different File >>> Context (F2). The policy usually allows the SELinux Domain (D1) the >>> ability to write, unlink, and append on (F2). But if for some reason >>> a file (/var/log/fetchmail.log) was created with >>> the wrong context, this domain will be >>> denied. 
The usual solution to this problem is to reset the file >>> context on the target file, restorecon -v '/var/log/fetchmail.log'. >>> If the file context does not change from var_log_t, then this is >>> probably a bug in policy. Please file a bug report >>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the >>> selinux-policy package. If it does change, you can try your >>> application again to >>> see if it works. The file context could have been mislabeled by >>> editing the file >>> or moving the file from a different directory, if the file keeps >>> getting mislabeled, check the init scripts to see if they are >>> doing something to mislabel the >>> file. >>> Allowing Access: >>> >>> You can attempt to fix file context by executing restorecon -v >>> '/var/log/fetchmail.log' >>> Fix Command: >>> >>> restorecon '/var/log/fetchmail.log' >>> >>> Additional Information: >>> >>> Source Context system_u:system_r:procmail_t:s0 >>> Target Context system_u:object_r:var_log_t:s0 >>> Target Objects /var/log/fetchmail.log [ file ] >>> Source procmail >>> Source Path /usr/bin/procmail >>> Port >>> Host coyote.coyote.den >>> Source RPM Packages procmail-3.22-22.fc10 >>> Target RPM Packages >>> Policy RPM selinux-policy-3.5.13-46.fc10 >>> Selinux Enabled True >>> Policy Type targeted >>> MLS Enabled True >>> Enforcing Mode Permissive >>> Plugin Name mislabeled_file >>> Host Name coyote.coyote.den >>> Platform Linux coyote.coyote.den 2.6.28.7 #6 SMP >>> PREEMPT >>> Wed Mar 4 23:08:30 EST 2009 i686 athlon >>> Alert Count 63 >>> First Seen Sat Feb 28 16:34:21 2009 >>> Last Seen Thu Mar 5 02:20:43 2009 >>> Local ID 2ada4c61-64cb-40d7-8268-83488b12426e >>> Line Numbers >>> >>> Raw Audit Messages >>> >>> node=coyote.coyote.den type=AVC msg=audit(1236237643.658:745): avc: >>> denied { append } for pid=8712 comm="procmail" >>> path="/var/log/fetchmail.log" dev=sda3 ino=23527557 >>> scontext=system_u:system_r:procmail_t:s0 >>> tcontext=system_u:object_r:var_log_t:s0 
tclass=file >>> >>> node=coyote.coyote.den type=SYSCALL msg=audit(1236237643.658:745): >>> arch=40000003 syscall=11 success=yes exit=0 a0=8941670 a1=8941748 >>> a2=8940af8 a3=0 items=0 ppid=2784 pid=8712 auid=4294967295 uid=501 >>> gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 >>> tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail" >>> subj=system_u:system_r:procmail_t:s0 key=(null) >>> >>> Thanks Guys. >> >> Is this a fetchmail log or a procmail log? What do you expect to get >> logged here? >> >> I guess you're running fetchmail in daemon mode with procmail as local >> delivery agent? >> >> See if this helps: >> >> # semanage fcontext -a -t procmail_log_t '/var/log/fetchmail\.log' >> # restorecon -v /var/log/fetchmail.log >> >> Paul. >> >> >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >Currently f10 policy has > >./policy/modules/services/mta.te:logging_append_all_logs(system_mail_t) >./policy/modules/system/init.te:logging_append_all_logs(initrc_t) >./policy/modules/system/init.te:logging_append_all_logs(daemon) > >I think it could be argued that we should allow all confined domains to >append to any log file, since simple redirection of stdout causes the >AVC in question. Being able to write to a log file allows a cracked >program to erase the log contents. Being able to append to a log file >means you could fill up the system with garbage or write something to a >log file that would cause some other app or Human to do something bad. > >Fetchmail policy does not allow for the creation of a logfile right now. fetchmail itself cannot create the file either, it must exist. Which is why my logrotate "mail" script, posted in another message, uses the copytruncate method of pruning the file(s). I had to touch these originally, and chown etc them. And I have now added the restorecon -v directive also. 
However that is running as root I assume, so should I wrap those two lines in an "su gene -c"? > I guess the default is to write to syslog. I believe the default only writes a log if a logfile is defined in the matching ~/.fetchmailrc or ~/.procmailrc, otherwise they are silent. > We need to add a mechansim >for fetchmail to create a fetchmail_log_t and allow procmail_t to append >to it. I think so, Daniel. Something along those lines anyway would certainly reduce the noise. OTOH, maybe my solution in the logrotate.d/mail file is sufficient. But I have NDI exactly when it will trigger a logrotation again. ATM, trying to debug rules, I have procmail set verbose so its noisy as can be with one incoming mail generating log entries larger than the usual 1 or 2 paragraph mail itself. -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) The sooner our happiness together begins, the longer it will last. -- Miramanee, "The Paradise Syndrome", stardate 4842.6 From kas at fi.muni.cz Thu Mar 5 20:01:58 2009 From: kas at fi.muni.cz (Jan Kasprzak) Date: Thu, 5 Mar 2009 21:01:58 +0100 Subject: Environment variables over exec()? Message-ID: <20090305200158.GZ30997@fi.muni.cz> Hello, I am probably overlooking something, but it seems that SELinux prevents the environment variables to be inherited to the new program over exec(): I have a daemon (running in its own domain mydaemon_t) which tries to fork() and then exec() a program which has domain_auto_trans() to a new domain myprogram_t. Now I want to pass a TMPDIR environment variable from the daemon to the program. It does not work - I get AVCs about myprogram_t trying to read the tmp_t directory (which means it still tries to use /tmp, not whatever is written in TMPDIR. I have created my own directory /var/myprogram/tmp which I also put into the TMPDIR variable. 
When I add "sleep(100)" to the daemon just before the exec() of myprogram, I can see the TMPDIR variable correctly set in /proc//environ. When I do "setenforce 0", running the program from the daemon causes the /var/myprogram/tmp mtime to be updated and no AVCs are logged, so the program gets the TMPDIR variable correctly set up. Does SELinux prevent the environment variables to be inherited over exec()? If so, how can I enable it? Thanks, -Yenya -- | Jan "Yenya" Kasprzak | | GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E | | http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ | >> If you find yourself arguing with Alan Cox, you?re _probably_ wrong. << >> --James Morris in "How and Why You Should Become a Kernel Hacker" << From sds at tycho.nsa.gov Thu Mar 5 20:06:41 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Thu, 05 Mar 2009 15:06:41 -0500 Subject: Environment variables over exec()? In-Reply-To: <20090305200158.GZ30997@fi.muni.cz> References: <20090305200158.GZ30997@fi.muni.cz> Message-ID: <1236283601.11138.8.camel@localhost.localdomain> On Thu, 2009-03-05 at 21:01 +0100, Jan Kasprzak wrote: > Hello, > > I am probably overlooking something, but it seems that SELinux prevents > the environment variables to be inherited to the new program over exec(): > > I have a daemon (running in its own domain mydaemon_t) which tries > to fork() and then exec() a program which has domain_auto_trans() > to a new domain myprogram_t. Now I want to pass a TMPDIR environment > variable from the daemon to the program. It does not work - I get > AVCs about myprogram_t trying to read the tmp_t directory (which means > it still tries to use /tmp, not whatever is written in TMPDIR. > > I have created my own directory /var/myprogram/tmp which I also > put into the TMPDIR variable. When I add "sleep(100)" to the daemon > just before the exec() of myprogram, I can see the TMPDIR variable correctly > set in /proc//environ. 
>
> When I do "setenforce 0", running the program from the daemon causes the /var/myprogram/tmp mtime to be updated and no AVCs are logged, so the program gets the TMPDIR variable correctly set up.
>
> Does SELinux prevent the environment variables from being inherited over exec()? If so, how can I enable it?

On a domain transition, by default, SELinux will set the AT_SECURE auxv flag and glibc will then sanitize the environment in the same manner as for setuid/setgid program execution. You can disable that behavior on a selective basis by allowing the "noatsecure" permission between the old and new domains. You would add the following allow rule to your policy:

allow mydaemon_t myprogram_t:process noatsecure;

--
Stephen Smalley
National Security Agency

From kas at fi.muni.cz Thu Mar 5 21:57:39 2009
From: kas at fi.muni.cz (Jan Kasprzak)
Date: Thu, 5 Mar 2009 22:57:39 +0100
Subject: Environment variables over exec()?
In-Reply-To: <1236283601.11138.8.camel@localhost.localdomain>
References: <20090305200158.GZ30997@fi.muni.cz> <1236283601.11138.8.camel@localhost.localdomain>
Message-ID: <20090305215739.GB30997@fi.muni.cz>

Stephen Smalley wrote:
: > Does SELinux prevent the environment variables from being inherited over exec()? If so, how can I enable it?
:
: On a domain transition, by default, SELinux will set the AT_SECURE auxv flag and glibc will then sanitize the environment in the same manner as for setuid/setgid program execution. You can disable that behavior on a selective basis by allowing the "noatsecure" permission between the old and new domains. You would add the following allow rule to your policy:
:
: allow mydaemon_t myprogram_t:process noatsecure;

Thanks for the explanation. I have already tested that the above rule solves the problem for me (found it out using semodule -DB, as suggested by Dominick Grift).
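The behaviour Stephen describes can be checked from inside the program itself rather than by sleeping and reading /proc. The following is an added example (editor's code, not from the thread or from any project): a hypothetical "mydaemon" exports TMPDIR and execs a hypothetical "myprogram" (here the same binary run with --child), and the child reports the AT_SECURE auxv flag via getauxval() together with the TMPDIR it actually received. TMPDIR is one of the variables glibc drops in that secure mode, alongside LD_PRELOAD and the other loader variables, so on a domain transition without noatsecure the child prints AT_SECURE=1 with TMPDIR unset, while a plain run in the same domain prints AT_SECURE=0 and the directory. The domain names and /var/myprogram/tmp are taken from Jan's description; choose_tmpdir() is a constructed helper that spells out the rule a program should apply on its own side.

```c
/* Added example (editor's, not code from the thread): a minimal "mydaemon"
 * that sets TMPDIR and execs a "myprogram" child, where the child reports
 * whether the kernel flagged the exec as secure (AT_SECURE).  SELinux sets
 * AT_SECURE on a domain transition unless the noatsecure permission is
 * allowed, and glibc then drops TMPDIR (like LD_PRELOAD and friends) before
 * main() runs.  The domain names and /var/myprogram/tmp come from the thread;
 * the program itself is hypothetical. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>
#include <sys/types.h>
#include <sys/wait.h>

#define DEFAULT_TMPDIR "/tmp"

/* Decide which temp directory to honour.  Kept free of side effects so the
 * rule can be tested without an exec(): a TMPDIR handed to a "secure" exec
 * is ignored, as is an unset or non-absolute one. */
const char *choose_tmpdir(int at_secure, const char *tmpdir_env)
{
    if (at_secure || tmpdir_env == NULL || tmpdir_env[0] != '/')
        return DEFAULT_TMPDIR;
    return tmpdir_env;
}

/* 1 if this process was started via a secure exec (setuid/setgid, or an
 * SELinux domain transition without noatsecure), else 0. */
int exec_was_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* What the "myprogram" side should use.  glibc's secure_getenv() makes the
 * same decision (it returns NULL whenever AT_SECURE is set); spelled out
 * here so both inputs are visible. */
const char *effective_tmpdir(void)
{
    return choose_tmpdir(exec_was_secure(), getenv("TMPDIR"));
}

/* "mydaemon" side: export TMPDIR, fork, exec ourselves as the child.
 * The child (argv[1] == "--child") prints what it actually received. */
int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        const char *seen = getenv("TMPDIR");
        printf("AT_SECURE=%lu TMPDIR=%s using=%s\n",
               getauxval(AT_SECURE), seen ? seen : "(unset)",
               effective_tmpdir());
        return 0;
    }

    setenv("TMPDIR", "/var/myprogram/tmp", 1);   /* directory from the thread */
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    if (pid == 0) {
        /* Under SELinux, label this binary so it transitions to myprogram_t
         * and the AT_SECURE line will read 1 until noatsecure is allowed. */
        execl(argv[0], argv[0], "--child", (char *)NULL);
        perror("execl");
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return 1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Allowing noatsecure re-enables every environment variable, not just TMPDIR, including the loader variables, so it only makes sense when mydaemon_t is trusted at least as much as myprogram_t. Where it is not, the safer fix is to compile the directory into myprogram and give it its own file type rather than relying on an inherited TMPDIR.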
-Yenya

--
| Jan "Yenya" Kasprzak |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you're _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

From BGinn at symark.com Fri Mar 6 01:55:26 2009
From: BGinn at symark.com (Brian Ginn)
Date: Thu, 5 Mar 2009 17:55:26 -0800
Subject: How do I create an initial policy for a new app?
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5C34@dragonfly.symark.com>

Using the polgengui, I get an error that the type is unknown (see below).

I compared the generated files to /usr/share/selinux/devel/example.*

I can see that I need to add the initial type myapp2_t;

... there are some other differences. For example:

Polgengui's myapp2.te:
corecmd_executable_file(pbrun_exec_t)

example.te:
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)

Do these accomplish essentially the same thing?

Thanks,
Brian

+ . ./myapp2.sh
++ set -x
++ make -f /usr/share/selinux/devel/Makefile
Compiling targeted myapp2 module
/usr/bin/checkmodule: loading policy configuration from tmp/myapp2.tmp
myapp2.te:22:ERROR 'unknown type myapp2_t' at token ';' on line 83532:
allow myapp2_t myapp2_rw_t:file { create getattr setattr read write append rename link unlink ioctl lock };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/myapp2.mod] Error 1
++ /usr/sbin/semodule -i myapp2.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t system_chkpwd_t:process { transition };
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t updpwd_t:process { transition };
libsepol.check_assertion_helper: assertion on line 0 violated by allow system_chkpwd_t myapp2_t:process { sigchld };
libsepol.check_assertion_helper: assertion on line 0 violated by allow updpwd_t myapp2_t:process { sigchld };
libsepol.check_assertions: 4 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule: Failed!
++ /sbin/restorecon -F -R -v /usr/local/bin/myapp2
/sbin/restorecon reset /usr/local/bin/myapp2 context system_u:object_r:bin_t:s0->system_u:object_r:bin_t:s0
++ /sbin/restorecon -F -R -v /etc/pb.settings
/sbin/restorecon reset /etc/pb.settings context system_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
++ /usr/sbin/semanage port -a -t myapp2_port_t -p tcp 23000
libsepol.context_from_record: type myapp2_port_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.port_from_record: could not create port structure for range 23000:23000 (tcp)
libsepol.sepol_port_modify: could not load port range 23000 - 23000 (tcp)
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add port tcp/23000
++ echo -ne '\033]0;root at localhost:~'
[root at localhost ~]#

From dwalsh at redhat.com Fri Mar 6 13:30:11 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 06 Mar 2009 08:30:11 -0500
Subject: How do I create an initial policy for a new app?
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5C34@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5C34@dragonfly.symark.com>
Message-ID: <49B12563.9080205@redhat.com>

Brian Ginn wrote:
> Using the polgengui, I get an error that the type is unknown (see below).
>
> I compared the generated files to /usr/share/selinux/devel/example.*
>
> I can see that I need to add the initial type myapp2_t;
>
> ... there are some other differences. For example:
>
> Polgengui's myapp2.te:
> corecmd_executable_file(pbrun_exec_t)
>
> example.te:
> domain_type(myapp_t)
> domain_entry_file(myapp_t, myapp_exec_t)
>
> Do these accomplish essentially the same thing?
>

Not really. corecmd_executable_file just identifies the label as being an executable, which lots of apps will be allowed to execute without a transition. domain_type identifies the label as something that applies to a process; domain_entry_file says that you can start a process labeled myapp_t by executing an executable labeled myapp_exec_t. BUT you still need to write a transition rule, like

domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t)

which would say when a process labeled unconfined_t executes an executable labeled myapp_exec_t, it will transition to a process labeled myapp_t.

> Thanks,
> Brian
>
> + . ./myapp2.sh
> ++ set -x
> ++ make -f /usr/share/selinux/devel/Makefile
> Compiling targeted myapp2 module
> /usr/bin/checkmodule: loading policy configuration from tmp/myapp2.tmp
> myapp2.te:22:ERROR 'unknown type myapp2_t' at token ';' on line 83532:
> allow myapp2_t myapp2_rw_t:file { create getattr setattr read write append rename link unlink ioctl lock };
> /usr/bin/checkmodule: error(s) encountered while parsing configuration
> make: *** [tmp/myapp2.mod] Error 1
> ++ /usr/sbin/semodule -i myapp2.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t system_chkpwd_t:process { transition };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t updpwd_t:process { transition };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow system_chkpwd_t myapp2_t:process { sigchld };
> libsepol.check_assertion_helper: assertion on line 0 violated by allow updpwd_t myapp2_t:process { sigchld };
> libsepol.check_assertions: 4 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> /usr/sbin/semodule: Failed!
> ++ /sbin/restorecon -F -R -v /usr/local/bin/myapp2
> /sbin/restorecon reset /usr/local/bin/myapp2 context system_u:object_r:bin_t:s0->system_u:object_r:bin_t:s0
> ++ /sbin/restorecon -F -R -v /etc/pb.settings
> /sbin/restorecon reset /etc/pb.settings context system_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
> ++ /usr/sbin/semanage port -a -t myapp2_port_t -p tcp 23000
> libsepol.context_from_record: type myapp2_port_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.port_from_record: could not create port structure for range 23000:23000 (tcp)
> libsepol.sepol_port_modify: could not load port range 23000 - 23000 (tcp)
> libsemanage.dbase_policydb_modify: could not modify record value
> libsemanage.semanage_base_merge_components: could not merge local modifications into policy
> /usr/sbin/semanage: Could not add port tcp/23000
> ++ echo -ne '\033]0;root at localhost:~'
> [root at localhost ~]#
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From kas at fi.muni.cz Fri Mar 6 14:00:00 2009
From: kas at fi.muni.cz (Jan Kasprzak)
Date: Fri, 6 Mar 2009 15:00:00 +0100
Subject: Moving /etc/fonts/ to fonts_t?
Message-ID: <20090306140000.GJ7301@fi.muni.cz>

In my Fedora 10 system, all fonts under /usr/share/fonts are of the fonts_t type, while the fontconfig files under /etc/fonts are of the default etc_t type. I think it would make sense to move the whole /etc/fonts directory under the fonts_t type, so that a user can easily say "this domain can use fonts" and be done without allowing the domain to read the whole /etc directory and files.

What do you think about it? Does it make sense to modify the default Fedora policy according to these lines?

-Yenya

--
| Jan "Yenya" Kasprzak |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you're _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

From dwalsh at redhat.com Fri Mar 6 14:05:37 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 06 Mar 2009 09:05:37 -0500
Subject: Moving /etc/fonts/ to fonts_t?
In-Reply-To: <20090306140000.GJ7301@fi.muni.cz>
References: <20090306140000.GJ7301@fi.muni.cz>
Message-ID: <49B12DB1.70809@redhat.com>

Jan Kasprzak wrote:
> In my Fedora 10 system, all fonts under /usr/share/fonts are of the fonts_t type, while the fontconfig files under /etc/fonts are of the default etc_t type. I think it would make sense to move the whole /etc/fonts directory under the fonts_t type, so that a user can easily say "this domain can use fonts" and be done without allowing the domain to read the whole /etc directory and files.
>
> What do you think about it? Does it make sense to modify the default Fedora policy according to these lines?
>
> -Yenya

Yes. If there are fonts in /etc/fonts it should be labeled fonts_t.

From dwalsh at redhat.com Fri Mar 6 14:08:00 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 06 Mar 2009 09:08:00 -0500
Subject: Moving /etc/fonts/ to fonts_t?
In-Reply-To: <49B12DB1.70809@redhat.com>
References: <20090306140000.GJ7301@fi.muni.cz> <49B12DB1.70809@redhat.com>
Message-ID: <49B12E40.6090008@redhat.com>

Daniel J Walsh wrote:
> Jan Kasprzak wrote:
>> In my Fedora 10 system, all fonts under /usr/share/fonts are of the fonts_t type, while the fontconfig files under /etc/fonts are of the default etc_t type. I think it would make sense to move the whole /etc/fonts directory under the fonts_t type, so that a user can easily say "this domain can use fonts" and be done without allowing the domain to read the whole /etc directory and files.
>>
>> What do you think about it? Does it make sense to modify the default Fedora policy according to these lines?
>>
>> -Yenya
>
> Yes. If there are fonts in /etc/fonts it should be labeled fonts_t.

If they are not fonts, though, lots of domains can write to fonts_t.

From kas at fi.muni.cz Fri Mar 6 14:15:13 2009
From: kas at fi.muni.cz (Jan Kasprzak)
Date: Fri, 6 Mar 2009 15:15:13 +0100
Subject: Moving /etc/fonts/ to fonts_t?
In-Reply-To: <49B12E40.6090008@redhat.com>
References: <20090306140000.GJ7301@fi.muni.cz> <49B12DB1.70809@redhat.com> <49B12E40.6090008@redhat.com>
Message-ID: <20090306141513.GK7301@fi.muni.cz>

Daniel J Walsh wrote:
: Daniel J Walsh wrote:
: > Jan Kasprzak wrote:
: >> In my Fedora 10 system, all fonts under /usr/share/fonts are of the fonts_t type, while the fontconfig files under /etc/fonts are of the default etc_t type. I think it would make sense to move the whole /etc/fonts directory under the fonts_t type, so that a user can easily say "this domain can use fonts" and be done without allowing the domain to read the whole /etc directory and files.
: >
: > Yes. If there are fonts in /etc/fonts it should be labeled fonts_t.
: If they are not fonts, though, lots of domains can write to fonts_t.

These are configuration files for fontconfig-based fonts (used by GNOME/KDE, xetex, ...). Virtual fonts like "mono" or "serif" are described here, etc. It probably makes sense that everybody who can legally write /usr/share/fonts should also be able to write to /etc/fonts.

-Yenya

--
| Jan "Yenya" Kasprzak |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you're _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<

From olivares14031 at yahoo.com Fri Mar 6 23:10:48 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Fri, 6 Mar 2009 15:10:48 -0800 (PST)
Subject: kernel oops, dhclient, NetworkManager denials
Message-ID: <171384.62343.qm@web52610.mail.re2.yahoo.com>

Dear selinux experts,

I am running rawhide and I have encountered the following denied avc's. Thank you all for your help in anticipation :).

Summary:

SELinux is preventing kerneloops (kerneloops_t) "read" inotifyfs_t.

Detailed Description:

SELinux denied access requested by kerneloops. It is not expected that this access is required by kerneloops and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:kerneloops_t:s0-s0:c0.c1023
Target Context                system_u:object_r:inotifyfs_t:s0
Target Objects                inotify [ dir ]
Source                        kerneloops
Source Path                   /usr/sbin/kerneloops
Port
Host                          riohigh
Source RPM Packages           kerneloops-0.12-3.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.7-2.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count                   2
First Seen                    Fri 06 Mar 2009 08:37:41 AM CST
Last Seen                     Fri 06 Mar 2009 04:13:48 PM CST
Local ID                      a255a610-ce27-4ae2-8583-5e79658a0022
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236377628.970:206): avc: denied { read } for pid=14322 comm="kerneloops" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1236377628.970:206): arch=40000003 syscall=11 success=yes exit=0 a0=987de20 a1=987dde8 a2=987d008 a3=9880368 items=0 ppid=14321 pid=14322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kerneloops" exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 key=(null)


Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this access is required by NetworkManager and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:NetworkManager_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                socket [ unix_stream_socket ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port
Host                          riohigh
Source RPM Packages           NetworkManager-0.7.0.99-1.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.7-2.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count                   5
First Seen                    Mon 23 Feb 2009 07:23:54 AM CST
Last Seen                     Fri 06 Mar 2009 04:15:00 PM CST
Local ID                      f192ed25-15af-43fd-aa2e-524cca16b88a
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)


Summary:

SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by consoletype. It is not expected that this access is required by consoletype and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:consoletype_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                socket [ unix_stream_socket ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port
Host                          riohigh
Source RPM Packages           initscripts-8.89-2
Target RPM Packages
Policy RPM                    selinux-policy-3.6.7-2.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count                   10
First Seen                    Mon 23 Feb 2009 07:23:51 AM CST
Last Seen                     Fri 06 Mar 2009 04:15:00 PM CST
Local ID                      2797c459-0038-4c1e-a419-d4bc54691e3a
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1236377700.541:235): arch=40000003 syscall=11 success=yes exit=0 a0=8fe0470 a1=8fe0078 a2=8fe01c8 a3=8fe0078 items=0 ppid=14458 pid=14459 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)


Summary:

SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                socket [ unix_stream_socket ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port
Host                          riohigh
Source RPM Packages           dhclient-4.1.0-9.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.7-2.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count                   3
First Seen                    Fri 06 Mar 2009 04:16:01 PM CST
Last Seen                     Fri 06 Mar 2009 04:16:01 PM CST
Local ID                      a9c1d6de-334d-4f45-99bb-470f0f97e3ff
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1236377761.743:243): arch=40000003 syscall=11 success=yes exit=0 a0=8d98e40 a1=8da51d0 a2=8d891b8 a3=8da51d0 items=0 ppid=14469 pid=14537 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=10 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

I first started the system, then I saw that there was no connection, so I did a service NetworkManager stop, followed by a start, and then the denied avc. I did not get a working internet connection, so I then went to call dhclient; the command worked, but selinux kicked in.

Thank you for your help. Will get back to work on Monday :)

Regards,

Antonio

From Per.t.Sjoholm at flysta.net Sat Mar 7 11:57:31 2009
From: Per.t.Sjoholm at flysta.net (Per Sjoholm)
Date: Sat, 07 Mar 2009 12:57:31 +0100
Subject: cobbler selinux policy
Message-ID: <49B2612B.6020303@flysta.net>

Looked for a way of handling multi distro PXE setup on CentOS 5 and found cobbler. It has a web interface + cmd.

Cobbler's wiki mentions SELinux but only for allowing things Cobbler needs to write and read critical files.

Does anyone have a SELinux policy for cobbler?
Thanks
/Per

From dwalsh at redhat.com Sat Mar 7 14:47:52 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 07 Mar 2009 09:47:52 -0500
Subject: kernel oops, dhclient, NetworkManager denials
In-Reply-To: <171384.62343.qm@web52610.mail.re2.yahoo.com>
References: <171384.62343.qm@web52610.mail.re2.yahoo.com>
Message-ID: <49B28918.5030709@redhat.com>

On 03/06/2009 06:10 PM, Antonio Olivares wrote:
> Dear selinux experts,
>
> I am running rawhide and I have encountered the following denied avc's. Thank you all for your help in anticipation :).
>
> Summary:
>
> SELinux is preventing kerneloops (kerneloops_t) "read" inotifyfs_t.
>
> Detailed Description:
>
> SELinux denied access requested by kerneloops. It is not expected that this access is required by kerneloops and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> > Additional Information: > > Source Context system_u:system_r:kerneloops_t:s0-s0:c0.c1023 > Target Context system_u:object_r:inotifyfs_t:s0 > Target Objects inotify [ dir ] > Source kerneloops > Source Path /usr/sbin/kerneloops > Port > Host riohigh > Source RPM Packages kerneloops-0.12-3.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.7-2.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP > Wed Mar 4 18:03:29 EST 2009 i686 athlon > Alert Count 2 > First Seen Fri 06 Mar 2009 08:37:41 AM CST > Last Seen Fri 06 Mar 2009 04:13:48 PM CST > Local ID a255a610-ce27-4ae2-8583-5e79658a0022 > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1236377628.970:206): avc: denied { read } for pid=14322 comm="kerneloops" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir > > node=riohigh type=SYSCALL msg=audit(1236377628.970:206): arch=40000003 syscall=11 success=yes exit=0 a0=987de20 a1=987dde8 a2=987d008 a3=9880368 items=0 ppid=14321 pid=14322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kerneloops" exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 key=(null) > > > > > Summary: > > SELinux is preventing NetworkManager (NetworkManager_t) "read write" > unconfined_t. > > Detailed Description: > > SELinux denied access requested by NetworkManager. It is not expected that this > access is required by NetworkManager and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. 
> > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context unconfined_u:system_r:NetworkManager_t:s0 > Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Objects socket [ unix_stream_socket ] > Source NetworkManager > Source Path /usr/sbin/NetworkManager > Port > Host riohigh > Source RPM Packages NetworkManager-0.7.0.99-1.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.7-2.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP > Wed Mar 4 18:03:29 EST 2009 i686 athlon > Alert Count 5 > First Seen Mon 23 Feb 2009 07:23:54 AM CST > Last Seen Fri 06 Mar 2009 04:15:00 PM CST > Local ID f192ed25-15af-43fd-aa2e-524cca16b88a > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 
scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null) > > > > > Summary: > > SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t. > > Detailed Description: > > SELinux denied access requested by consoletype. It is not expected that this > access is required by consoletype and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context unconfined_u:system_r:consoletype_t:s0 > Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Objects socket [ unix_stream_socket ] > Source consoletype > Source Path /sbin/consoletype > Port > Host riohigh > Source RPM Packages initscripts-8.89-2 > Target RPM Packages > Policy RPM selinux-policy-3.6.7-2.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP > Wed Mar 4 18:03:29 EST 2009 i686 athlon > Alert Count 10 > First Seen Mon 23 Feb 2009 07:23:51 AM CST > Last Seen Fri 06 Mar 2009 04:15:00 PM CST > Local ID 2797c459-0038-4c1e-a419-d4bc54691e3a > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=SYSCALL msg=audit(1236377700.541:235): arch=40000003 syscall=11 success=yes exit=0 a0=8fe0470 a1=8fe0078 a2=8fe01c8 a3=8fe0078 items=0 ppid=14458 pid=14459 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="consoletype" 
exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null) > > > > Summary: > > SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t. > > Detailed Description: > > SELinux denied access requested by dhclient. It is not expected that this access > is required by dhclient and this access may signal an intrusion attempt. It is > also possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 > Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Objects socket [ unix_stream_socket ] > Source dhclient > Source Path /sbin/dhclient > Port > Host riohigh > Source RPM Packages dhclient-4.1.0-9.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.7-2.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP > Wed Mar 4 18:03:29 EST 2009 i686 athlon > Alert Count 3 > First Seen Fri 06 Mar 2009 04:16:01 PM CST > Last Seen Fri 06 Mar 2009 04:16:01 PM CST > Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC 
msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=SYSCALL msg=audit(1236377761.743:243): arch=40000003 syscall=11 success=yes exit=0 a0=8d98e40 a1=8da51d0 a2=8d891b8 a3=8da51d0 items=0 ppid=14469 pid=14537 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=10 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) > > > > I first started the system, then I saw that there was no connection, so I did a service NetworkManager stop, followed by a start and then the denied avc. I did not get a working internet connection, so I then went to call dhclient, the command worked, but selinux kicked in. Thank you for your help. Will get back to work on Monday :) > > Regards, > > Antonio > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list kerneloops should be fixed in current rawhide. selinux-policy-3.6.8-1.fc11 THe other leaks are probably caused by running konsole/kde. Which leaks file descriptors like crazy. 
You can create a policy te file like the following:

cat > kdeleaks.te << __eof
policy_module(kdeleaks, 1.0)

require {
	type unconfined_t;
	attribute domain;
	class unix_stream_socket { read write };
}

#============= dhcpc_t ==============
dontaudit domain unconfined_t:unix_stream_socket { read write };
__eof

# make -f /usr/share/selinux/devel/Makefile
# semodule -i kdeleaks.pp

From domg472 at gmail.com Sun Mar 8 13:46:29 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Sun, 08 Mar 2009 14:46:29 +0100
Subject: cobbler selinux policy
In-Reply-To: <49B2612B.6020303@flysta.net>
References: <49B2612B.6020303@flysta.net>
Message-ID: <1236519989.4269.4.camel@desktop1.grift.internal>

On Sat, 2009-03-07 at 12:57 +0100, Per Sjoholm wrote:
> Looked for a way of handling multi distro PXE setup on CentOS 5 and
> found cobbler
> It has a webinterface + cmd
> cobbler's wiki mentions SELinux but only for allowing things
> Cobbler needs to write and read critical files.
>
> Does anyone have an SELinux policy for cobbler?

I do not think that anyone does. I have offered to write one but I need
someone with cobbler-knowledge to help me test it and it seems no one has
time to do this. I do not have the cobbler-infrastructure nor do I have
the cobbler-knowledge to write policy.

If you want to help, let me know.

> Thanks
> /Per

From gene.heskett at verizon.net Mon Mar 9 02:22:05 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Sun, 08 Mar 2009 22:22:05 -0400
Subject: fetchmail/procmail denials
Message-ID: <200903082222.06020.gene.heskett@verizon.net>

Greetings;

It's been several days, but I haven't seen any policy updates yet, and
setroubleshooter is still hacking away at the lower right corner of the
screen.

Call this a ping? :)

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo.
Please use in that order." -Ed Howdershelt (Author)
Indifference will certainly be the downfall of mankind, but who cares?

From mgrepl at redhat.com Mon Mar 9 09:41:39 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Mon, 09 Mar 2009 10:41:39 +0100
Subject: How do I create an initial policy for a new app?
In-Reply-To: <49B12563.9080205@redhat.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5C34@dragonfly.symark.com>
	<49B12563.9080205@redhat.com>
Message-ID: <49B4E453.1050600@redhat.com>

Daniel J Walsh wrote:
> Brian Ginn wrote:
>> Using the polgengui, I get an error that the type is unknown (see below).
>>
>> I compared the generated files to /usr/share/selinux/devel/example.*
>> I can see that I need to add the initial type myapp2_t;
>>
>> ... there are some other differences. For example:
>>
>> Polgengui's myapp2.te:
>> corecmd_executable_file(pbrun_exec_t)
>>
>> example.te:
>> domain_type(myapp_t)
>> domain_entry_file(myapp_t, myapp_exec_t)
>>
>> Do these accomplish essentially the same thing?
>>
> Not really. corecmd_executable_file just identifies the label as being an
> executable, which lots of apps will be allowed to execute without a
> transition.
>
> domain_type identifies the label as something that applies to a process,
> domain_entry_file says that you can start a process labeled myapp_t, by
> executing an executable labeled myapp_exec_t. BUT you still need to
> write a transition rule, like domtrans_pattern(unconfined_t,
> myapp_exec_t, myapp_t)
>
> Which would say when a process labeled unconfined_t executes an
> executable labeled myapp_exec_t, it will transition to a process labeled
> myapp_t.
>

An example of an initial policy for an app, in this case for the centerim app:
centerim.te:

policy_module(centerim,1.0.0)

type centerim_t;
type centerim_exec_t;
application_domain(centerim_t, centerim_exec_t)
role unconfined_r types centerim_t;

###########################
# definition of transition from unconfined_t to centerim_t
unconfined_domtrans_to(centerim_t, centerim_exec_t)

libs_use_ld_so(centerim_t)
libs_use_shared_libs(centerim_t)
miscfiles_read_localization(centerim_t)

# set permissive mode for centerim_t
permissive centerim_t;

centerim.fc:

/usr/bin/centerim	--	gen_context(system_u:object_r:centerim_exec_t,s0)

>> Thanks,
>> Brian
>>
>> + . ./myapp2.sh
>> ++ set -x
>> ++ make -f /usr/share/selinux/devel/Makefile
>> Compiling targeted myapp2 module
>> /usr/bin/checkmodule: loading policy configuration from tmp/myapp2.tmp
>> myapp2.te:22:ERROR 'unknown type myapp2_t' at token ';' on line 83532:
>>
>> allow myapp2_t myapp2_rw_t:file { create getattr setattr read write append rename link unlink ioctl lock };
>> /usr/bin/checkmodule: error(s) encountered while parsing configuration
>> make: *** [tmp/myapp2.mod] Error 1
>> ++ /usr/sbin/semodule -i myapp2.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t system_chkpwd_t:process { transition };
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t updpwd_t:process { transition };
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow system_chkpwd_t myapp2_t:process { sigchld };
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow updpwd_t myapp2_t:process { sigchld };
>> libsepol.check_assertions: 4 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> /usr/sbin/semodule: Failed!
>> ++ /sbin/restorecon -F -R -v /usr/local/bin/myapp2
>> /sbin/restorecon reset /usr/local/bin/myapp2 context system_u:object_r:bin_t:s0->system_u:object_r:bin_t:s0
>> ++ /sbin/restorecon -F -R -v /etc/pb.settings
>> /sbin/restorecon reset /etc/pb.settings context system_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
>> ++ /usr/sbin/semanage port -a -t myapp2_port_t -p tcp 23000
>> libsepol.context_from_record: type myapp2_port_t is not defined
>> libsepol.context_from_record: could not create context structure
>> libsepol.port_from_record: could not create port structure for range 23000:23000 (tcp)
>> libsepol.sepol_port_modify: could not load port range 23000 - 23000 (tcp)
>> libsemanage.dbase_policydb_modify: could not modify record value
>> libsemanage.semanage_base_merge_components: could not merge local modifications into policy
>> /usr/sbin/semanage: Could not add port tcp/23000
>> ++ echo -ne '\033]0;root at localhost:~'
>> [root at localhost ~]#
>>

From dwalsh at redhat.com Mon Mar 9 14:57:11 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 09 Mar 2009 10:57:11 -0400
Subject: fetchmail/procmail denials
In-Reply-To: <200903082222.06020.gene.heskett@verizon.net>
References: <200903082222.06020.gene.heskett@verizon.net>
Message-ID:
<49B52E47.3000503@redhat.com>

Gene Heskett wrote:
> Greetings;
>
> It's been several days, but I haven't seen any policy updates yet, and
> setroubleshooter is still hacking away at the lower right corner of the
> screen.
>
> Call this a ping? :)
>
Gene, need more info. OS? Problem? AVCs?

Lots of email, lots of bugzillas, 5 different OSs.

RHEL4, RHEL5, F9, F10, Rawhide.

From paul at city-fan.org Mon Mar 9 15:03:19 2009
From: paul at city-fan.org (Paul Howarth)
Date: Mon, 09 Mar 2009 15:03:19 +0000
Subject: fetchmail/procmail denials
In-Reply-To: <49B52E47.3000503@redhat.com>
References: <200903082222.06020.gene.heskett@verizon.net>
	<49B52E47.3000503@redhat.com>
Message-ID: <49B52FB7.3030406@city-fan.org>

Daniel J Walsh wrote:
> Gene Heskett wrote:
>> Greetings;
>>
>> It's been several days, but I haven't seen any policy updates yet, and
>> setroubleshooter is still hacking away at the lower right corner of the
>> screen.
>>
>> Call this a ping? :)
>>
> Gene, need more info. OS? Problem? AVCs?
>
> Lots of email, lots of bugzillas, 5 different OSs.
>
> RHEL4, RHEL5, F9, F10, Rawhide.

I think Gene was referring to this:
https://www.redhat.com/archives/fedora-selinux-list/2009-March/msg00025.html

Paul.
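Dan Walsh's diagnosis earlier in this archive (the NetworkManager, consoletype and dhclient denials are one descriptor leaked from the terminal across exec, to be quieted with a dontaudit module such as kdeleaks.te rather than allowed) can be checked mechanically against the raw audit records. The following is an added example, not code from the list, setroubleshoot or audit2allow; the sample log is constructed from the records quoted in the thread plus one constructed procmail_t file denial as a contrast, and the function names are mine.

```python
"""Triage AVC denials for the inherited-descriptor pattern discussed in this
thread. Added example, not code from the list, setroubleshoot or audit2allow."""
import re
from collections import defaultdict

# Constructed sample: the NetworkManager, consoletype and dhclient records
# quoted in the thread, plus one constructed procmail_t file denial (not from
# the thread) so that a genuine policy gap is seen beside the leak.
SAMPLE_AUDIT_LOG = """\
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236600000.000:300): avc: denied { append } for pid=4242 comm="procmail" name="procmail.log" dev=sda3 ino=98765 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+"
                    r"(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
I386_EXECVE = ("40000003", "11")  # arch=EM_386, syscall 11 is execve


def _kv(text):
    """key=value pairs of an audit record; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """user:role:type[:range] -> type, the part policy rules name."""
    return ctx.split(":")[2] if ctx else None


def parse_audit(text):
    """Return (avc_records, exec_serials). exec_serials are events whose SYSCALL
    record is an execve: on a domain transition the kernel revalidates inherited
    descriptors against the new domain and closes the ones that fail, so a
    denial paired with execve (success=yes) did not block the program."""
    avcs, exec_serials = [], set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            f = _kv(m.group("rest"))
            avcs.append({
                "serial": int(m.group("serial")),
                "denied": m.group("verdict") == "denied",
                "perms": frozenset(m.group("perms").split()),
                "comm": f.get("comm"),
                "tclass": f.get("tclass"),
                "stype": context_type(f.get("scontext")),
                "ttype": context_type(f.get("tcontext")),
                "object": (f.get("dev"), f.get("ino")),  # identity of the target
            })
            continue
        m = SYSCALL_RE.search(line)
        if m:
            f = _kv(m.group("rest"))
            if (f.get("arch"), f.get("syscall")) == I386_EXECVE:
                exec_serials.add(int(m.group("serial")))
    return avcs, exec_serials


def triage(text, min_domains=2):
    """Group denials by target object. One sockfs object that several confined
    domains are denied on, labelled with the launching user's unconfined_t,
    is a descriptor leaked across exec (the thread's konsole case); anything
    else is left for real policy review."""
    avcs, exec_serials = parse_audit(text)
    by_object = defaultdict(list)
    for r in avcs:
        if r["denied"]:
            by_object[r["object"]].append(r)
    inherited, other = [], []
    for obj, recs in by_object.items():
        domains = sorted({r["stype"] for r in recs})
        if (obj[0] == "sockfs" and len(domains) >= min_domains
                and all(r["ttype"] == "unconfined_t" for r in recs)):
            inherited.append({
                "object": obj,
                "domains": domains,
                "tclass": recs[0]["tclass"],
                "perms": frozenset().union(*(r["perms"] for r in recs)),
                "at_exec": any(r["serial"] in exec_serials for r in recs),
            })
        else:
            other.extend(recs)
    return {"inherited": inherited, "other": other}


def dontaudit_rules(inherited):
    """Quieting rules for the leak, one per domain actually observed, rather
    than the whole `domain` attribute used by kdeleaks.te above."""
    rules = []
    for s in inherited:
        perms = " ".join(sorted(s["perms"]))
        for d in s["domains"]:
            rules.append(f"dontaudit {d} unconfined_t:{s['tclass']} {{ {perms} }};")
    return rules
```

On the sample, triage(SAMPLE_AUDIT_LOG) flags socket 26116 as one inherited object seen from three domains at execve and leaves the constructed procmail_t record for policy review.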
From mgrepl at redhat.com Mon Mar 9 15:50:20 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Mon, 09 Mar 2009 16:50:20 +0100
Subject: fetchmail/procmail denials
In-Reply-To: <200903082222.06020.gene.heskett@verizon.net>
References: <200903082222.06020.gene.heskett@verizon.net>
Message-ID: <49B53ABC.7080102@redhat.com>

Gene Heskett wrote:
> Greetings;
>
> It's been several days, but I haven't seen any policy updates yet, and
> setroubleshooter is still hacking away at the lower right corner of the
> screen.
>
> Call this a ping? :)
>
Fixed in selinux-policy-3.5.13-48.fc10 and selinux-policy-3.3.1-126.fc9.
For now, you can download the update from Koji.

http://koji.fedoraproject.org/koji/packageinfo?packageID=32

From gene.heskett at verizon.net Mon Mar 9 16:35:45 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Mon, 09 Mar 2009 12:35:45 -0400
Subject: fetchmail/procmail denials
In-Reply-To: <49B52FB7.3030406@city-fan.org>
References: <200903082222.06020.gene.heskett@verizon.net>
	<49B52E47.3000503@redhat.com>
	<49B52FB7.3030406@city-fan.org>
Message-ID: <200903091235.46048.gene.heskett@verizon.net>

On Monday 09 March 2009, Paul Howarth wrote:
>Daniel J Walsh wrote:
>> Gene Heskett wrote:
>>> Greetings;
>>>
>>> It's been several days, but I haven't seen any policy updates yet, and
>>> setroubleshooter is still hacking away at the lower right corner of the
>>> screen.
>>>
>>> Call this a ping? :)
>>
>> Gene, need more info. OS? Problem? AVCs?
>>
>> Lots of email, lots of bugzillas, 5 different OSs.
>>
>> RHEL4, RHEL5, F9, F10, Rawhide.
>
>I think Gene was referring to this:
>
>https://www.redhat.com/archives/fedora-selinux-list/2009-March/msg00025.html
>
>Paul.

Yes, Paul. And to requote from the last of that thread:

"Fetchmail policy does not allow for the creation of a logfile right now.
I guess the default is to write to syslog.
We need to add a mechanism for fetchmail to create a fetchmail_log_t and
allow procmail_t to append to it."

Which would address this particular problem nicely WITH the exception that
my procmail keeps its own logs. Here is my 'mail' script in /etc/logrotate.d:

===============================================
# Logrotate file for fetchmail.log and procmail.log

/var/log/fetchmail.log {
    missingok
    compress
    notifempty
    weekly
    size=1000k
    rotate 5
    copytruncate
    create 0600 gene gene
    prerotate
        /usr/bin/killall fetchmail
        sleep 1
    endscript
    postrotate
        chown gene:gene /var/log/fetchmail.log
        restorecon -v /var/log/fetchmail.log
        echo "log rotated on "date -u >>/var/log/fetchmail.log
        su gene -c "/usr/bin/fetchmail -d 90 --fetchmailrc /home/gene/.fetchmailrc"
    endscript
}

/var/log/procmail.log {
    missingok
    compress
    notifempty
    weekly
    size=1000k
    rotate 5
    copytruncate
    create 0600 gene gene
    postrotate
        restorecon -v /var/log/procmail.log
        echo "log rotated on "date -u >>/var/log/procmail.log
    endscript
}
===========================================

And I should note that doing a head on the two files shows the echoes above,
except I need to backtick the date -u :)  I'll fix that right now.

FWIW, neither file is up to the trigger size, but close, and this is only
noonish Monday:

-rw------- 1 gene gene 472824 2009-03-09 12:23 /var/log/fetchmail.log
-rw------- 1 gene gene 854970 2009-03-09 12:21 /var/log/procmail.log

From the dates on the rest of the procmail.log-*.gz's it is in fact being
rotated daily, so I should add another 0 to the size, or just remove it &
let it use the Sunday morning schedule. Or I should remove the VERBOSE=yes
in the ~/.procmailrc :)  fetchmail.log is being rotated at 4 day intervals.

At one point someone else whose name is not (I don't think) on the CC: list,
said he would do it. So I was expecting to see a new targeted policy show up
in yumex in a day or so, but it is still missing.

Thanks everybody.
-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo.
Please use in that order." -Ed Howdershelt (Author)
Fatal Error: Found MS-Windows System -> Repartitioning Disk for Linux...

From gene.heskett at verizon.net Mon Mar 9 16:46:50 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Mon, 09 Mar 2009 12:46:50 -0400
Subject: fetchmail/procmail denials
In-Reply-To: <49B53ABC.7080102@redhat.com>
References: <200903082222.06020.gene.heskett@verizon.net>
	<49B53ABC.7080102@redhat.com>
Message-ID: <200903091246.50636.gene.heskett@verizon.net>

On Monday 09 March 2009, Miroslav Grepl wrote:
>Gene Heskett wrote:
>> Greetings;
>>
>> It's been several days, but I haven't seen any policy updates yet, and
>> setroubleshooter is still hacking away at the lower right corner of the
>> screen.
>>
>> Call this a ping? :)
>
>Fixed in selinux-policy-3.5.13-48.fc10 and selinux-policy-3.3.1-126.fc9.
>For now, you can download the update from Koji.
>
>http://koji.fedoraproject.org/koji/packageinfo?packageID=32

Unforch, the rpm -Uvh reports:

[root at coyote yum]# rpm -Uvh selinux-policy-*.rpm
Freeing locks for locker 0x1de9: 24455/3087005472
Freeing locks for locker 0x1dea: 24455/3087005472
Freeing locks for locker 0x1deb: 24455/3087005472
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
libsepol.print_missing_requirements: pki's global requirements were not met: type/attribute initscript
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

And I've seen that error before too. :(

Now what, coaches?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo.
Please use in that order." -Ed Howdershelt (Author)
Kirkland, Illinois, law forbids bees to fly over the village or through any of its streets.
From mgrepl at redhat.com Mon Mar 9 17:44:29 2009
From: mgrepl at redhat.com (Miroslav Grepl)
Date: Mon, 09 Mar 2009 18:44:29 +0100
Subject: fetchmail/procmail denials
In-Reply-To: <200903091246.50636.gene.heskett@verizon.net>
References: <200903082222.06020.gene.heskett@verizon.net>
	<49B53ABC.7080102@redhat.com>
	<200903091246.50636.gene.heskett@verizon.net>
Message-ID: <49B5557D.9060802@redhat.com>

Gene Heskett wrote:
> On Monday 09 March 2009, Miroslav Grepl wrote:
>> Gene Heskett wrote:
>>> Greetings;
>>>
>>> It's been several days, but I haven't seen any policy updates yet, and
>>> setroubleshooter is still hacking away at the lower right corner of the
>>> screen.
>>>
>>> Call this a ping? :)
>>>
>> Fixed in selinux-policy-3.5.13-48.fc10 and selinux-policy-3.3.1-126.fc9.
>> For now, you can download the update from Koji.
>>
>> http://koji.fedoraproject.org/koji/packageinfo?packageID=32
>>
>
> Unforch, the rpm -Uvh reports:
> [root at coyote yum]# rpm -Uvh selinux-policy-*.rpm
> Freeing locks for locker 0x1de9: 24455/3087005472
> Freeing locks for locker 0x1dea: 24455/3087005472
> Freeing locks for locker 0x1deb: 24455/3087005472
> Preparing...                ########################################### [100%]
>    1:selinux-policy         ########################################### [ 50%]
>    2:selinux-policy-targeted########################################### [100%]
> libsepol.print_missing_requirements: pki's global requirements were not met:
> type/attribute initscript
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
> And I've seen that error before too. :(
>
> Now what, coaches?
>

Please execute:

su -c "rm -f /etc/selinux/targeted/modules/active/modules/pki.pp"

and try to update again. It should work.
From gene.heskett at verizon.net Mon Mar 9 18:40:51 2009
From: gene.heskett at verizon.net (Gene Heskett)
Date: Mon, 09 Mar 2009 14:40:51 -0400
Subject: fetchmail/procmail denials
In-Reply-To: <49B5557D.9060802@redhat.com>
References: <200903082222.06020.gene.heskett@verizon.net>
	<200903091246.50636.gene.heskett@verizon.net>
	<49B5557D.9060802@redhat.com>
Message-ID: <200903091440.51940.gene.heskett@verizon.net>

On Monday 09 March 2009, Miroslav Grepl wrote:
>rm -f /etc/selinux/targeted/modules/active/modules/pki.pp

[root at coyote yum]# rm -f /etc/selinux/targeted/modules/active/modules/pki.pp
[root at coyote yum]# rpm -Uvh selinux-policy-*.rpm
Preparing...                ########################################### [100%]
	package selinux-policy-3.5.13-48.fc10.noarch is already installed
	package selinux-policy-targeted-3.5.13-48.fc10.noarch is already installed

And the every 90 second alerts have ceased since I first did the update,
thank you very much.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo.
Please use in that order." -Ed Howdershelt (Author)
If I am elected no one will ever have to do their laundry again!

From olivares14031 at yahoo.com Mon Mar 9 23:31:51 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 9 Mar 2009 16:31:51 -0700 (PDT)
Subject: selinux stopping NetworkManager from doing its job.
Message-ID: <814784.3064.qm@web52601.mail.re2.yahoo.com>

Dear fellow testers and selinux experts,

selinux is stopping NetworkManager from doing its job. To get internet, I have to manually type

# dhclient eth0

and get internet connection.

Summary:

SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source dhclient Source Path /sbin/dhclient Port Host riohigh Source RPM Packages dhclient-4.1.0-10.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-1.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP Sun Mar 8 23:25:31 EDT 2009 i686 athlon Alert Count 6 First Seen Fri 06 Mar 2009 04:16:01 PM CST Last Seen Mon 09 Mar 2009 05:22:13 PM CST Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) Guess it applies over here: Summary: SELinux is preventing NetworkManager (NetworkManager_t) "read write" unconfined_t. 
Detailed Description: SELinux denied access requested by NetworkManager. It is not expected that this access is required by NetworkManager and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:system_r:NetworkManager_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port Host riohigh Source RPM Packages NetworkManager-0.7.0.99-1.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.7-2.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon Alert Count 5 First Seen Mon 23 Feb 2009 07:23:54 AM CST Last Seen Fri 06 Mar 2009 04:15:00 PM CST Local ID f192ed25-15af-43fd-aa2e-524cca16b88a Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null) I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting IP automagically :(. Regards, Antonio From kanarip at kanarip.com Tue Mar 10 00:48:40 2009 From: kanarip at kanarip.com (Jeroen van Meeuwen) Date: Tue, 10 Mar 2009 01:48:40 +0100 Subject: selinux stopping NetworkManager from doing its job. In-Reply-To: <814784.3064.qm@web52601.mail.re2.yahoo.com> References: <814784.3064.qm@web52601.mail.re2.yahoo.com> Message-ID: <49B5B8E8.20804@kanarip.com> Antonio Olivares wrote: > Dear fellow testers and selinux experts, > > selinux is stopping NetworkManager from doing its job. To get internet, I have to manually type # dhclient eth0 > and get internet connection. > See also: https://bugzilla.redhat.com/show_bug.cgi?id=489422 Currently being worked on in #fedora-devel on irc.freenode.net Kind regards, Jeroen van Meeuwen -kanarip From dwalsh at redhat.com Tue Mar 10 13:14:17 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 10 Mar 2009 09:14:17 -0400 Subject: selinux stopping NetworkManager from doing its job. 
In-Reply-To: <814784.3064.qm@web52601.mail.re2.yahoo.com> References: <814784.3064.qm@web52601.mail.re2.yahoo.com> Message-ID: <49B667A9.2060203@redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Antonio Olivares wrote: > Dear fellow testers and selinux experts, > > selinux is stopping NetworkManager from doing its job. To get internet, I have to manually type # dhclient eth0 > and get internet connection. > > > Summary: > > SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t. > > Detailed Description: > > SELinux denied access requested by dhclient. It is not expected that this access > is required by dhclient and this access may signal an intrusion attempt. It is > also possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 > Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Objects socket [ unix_stream_socket ] > Source dhclient > Source Path /sbin/dhclient > Port > Host riohigh > Source RPM Packages dhclient-4.1.0-10.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.8-1.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP > Sun Mar 8 23:25:31 EDT 2009 i686 athlon > Alert Count 6 > First Seen Fri 06 Mar 2009 04:16:01 PM CST > Last Seen Mon 09 Mar 2009 05:22:13 PM CST > Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) > > > Guess it applies over here: > > > Summary: > > SELinux is preventing NetworkManager (NetworkManager_t) "read write" > unconfined_t. > > Detailed Description: > > SELinux denied access requested by NetworkManager. It is not expected that this > access is required by NetworkManager and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration of the > application is causing it to require additional access. 
> > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context unconfined_u:system_r:NetworkManager_t:s0 > Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Objects socket [ unix_stream_socket ] > Source NetworkManager > Source Path /usr/sbin/NetworkManager > Port > Host riohigh > Source RPM Packages NetworkManager-0.7.0.99-1.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.7-2.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP > Wed Mar 4 18:03:29 EST 2009 i686 athlon > Alert Count 5 > First Seen Mon 23 Feb 2009 07:23:54 AM CST > Last Seen Fri 06 Mar 2009 04:15:00 PM CST > Local ID f192ed25-15af-43fd-aa2e-524cca16b88a > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 
scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>
> I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting IP automagically :(.
>
> Regards,
>
> Antonio
>

I am not sure this is an SELinux issue. The errors you are showing above are related to a leaked file descriptor, probably in konsole, when you did a service networkmanager restart.

If you put the machine in permissive mode or set NetworkManager_t as permissive does the network come up?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm2Z6kACgkQrlYvE4MpobM0/QCgi7e8hpTiMjF6owvgjl+z6fiv
1OwAoIyN2JwxXCINi5zAP+3G1KKc1G9c
=Evy9
-----END PGP SIGNATURE-----

From dwalsh at redhat.com Tue Mar 10 13:17:05 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 10 Mar 2009 09:17:05 -0400
Subject: fetchmail/procmail denials
In-Reply-To: <200903091440.51940.gene.heskett@verizon.net>
References: <200903082222.06020.gene.heskett@verizon.net> <200903091246.50636.gene.heskett@verizon.net> <49B5557D.9060802@redhat.com> <200903091440.51940.gene.heskett@verizon.net>
Message-ID: <49B66851.4020207@redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gene Heskett wrote:
> On Monday 09 March 2009, Miroslav Grepl wrote:
>> rm -f /etc/selinux/targeted/modules/active/modules/pki.pp
> [root at coyote yum]# rm -f /etc/selinux/targeted/modules/active/modules/pki.pp
> [root at coyote yum]# rpm -Uvh selinux-policy-*.rpm
> Preparing...
########################################### [100%]
> package selinux-policy-3.5.13-48.fc10.noarch is already installed
> package selinux-policy-targeted-3.5.13-48.fc10.noarch is already
> installed
>
> And the every 90 second alerts have ceased since I first did the update, thank
> you very much.
>
rpm -Uvh selinux-policy-*.rpm --force

This will cause the postinstall to run.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm2aFEACgkQrlYvE4MpobO42ACgmitDzeRchvU5U7QUFOaUtpeV
E7cAoLjTC9d7pJFYzTv9zTtu5NqP/ISL
=cbyK
-----END PGP SIGNATURE-----

From BGinn at symark.com Wed Mar 11 01:26:51 2009
From: BGinn at symark.com (Brian Ginn)
Date: Tue, 10 Mar 2009 18:26:51 -0700
Subject: Several policy questions
Message-ID: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5C47@dragonfly.symark.com>

I have an application that consists of four different programs that all talk to each other via TCP sockets... Similar to the diagram:

                   +---------+
           +-------| ServerA |------+
           |       +---------+      |
           |            |           |
   +----------------+   |     +---------+
   | UserApp Client |---|-----| ServerB |
   +----------------+   |     +---------+
           |            |           |
           |            |           |
           |       +--------+       |
           +-------| Logger |-------+
                   +--------+

The ServerA, ServerB, and Logger all run from xinetd.
The "UserApp Client" is the only program directly executed via the user.
All programs read from a common settings file in /etc.

With Fedora Core 9, I've used the polgengui to create initial policies for the four programs.
Then since they share the settings file, I edited the definitions so that configuration file is not specific to any one of the programs.
They all need to share port information, so I added require { myservera_port_t; myserverb_port_t; mylogger_port_t } statements to each .te file.

That seems to work on FC9, but on RedHat EL 5.2, when attempting to load myservera, it complains:

/usr/sbin/semodule -i myservera.pp
libsepol.print_missing_requirements: myservera's global requirements were not met: type/attribute myserverb_port_t
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!

Attempting to load myserverB first ends up with the same complaint about the serverA's port_t being undefined.

I had kept the .te files for the four programs separate... but this message makes me think that maybe I need to combine them. Is that necessary? Or is there a way to pre-define the ports before the "require from somewhere else" statement?

For my four programs, should I have four distinct policy_module statements?
Is it possible to have multiple policy_module statements in the same .te file?

Also, I seem to be having domain transfer problems.
I added this following code to each .te file:

domain_auto_trans(unconfined_t, myapp_exec_t, myapp_t )
allow unconfined_t myapp_t:fd use;
allow myapp_t unconfined_t:fifo_file rw_file_perms;
allow myapp_t unconfined_t:process sigchld;

however, each process still runs as follows:

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32504 pts/4 00:00:00 myapp
unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32508 ? 00:00:00 myserverb
unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32512 ? 00:00:00 mylogger

For the inetd daemons, is this something I should try to fix, or is unconfined_u:system_r:inetd_child_t "secure enough"?

Any suggestions for getting the myapp domain transferred?

Thanks,
Brian

From brian at brianac.com.au Wed Mar 11 06:17:48 2009
From: brian at brianac.com.au (Brian Chadwick)
Date: Wed, 11 Mar 2009 16:17:48 +1000
Subject: AVCs with spamd (F10)
Message-ID: <49B7578C.8090409@brianac.com.au>

Hi,

Fedora 10. A number of AVCs are occurring with my use of spamassassin.
For some spamd seems to want to access /home .. is this right? Raw Audit Messages node=admin.brianac.com.au type=AVC msg=audit(1236681698.7:20): avc: denied { read } for pid=3148 comm="spamd" name=".razor" dev=sda3 ino=198361 scontext=system_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir node=admin.brianac.com.au type=SYSCALL msg=audit(1236681698.7:20): arch=40000003 syscall=5 success=yes exit=9 a0=9bb07c4 a1=98800 a2=2 a3=927d0d4 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) Raw Audit Messages node=admin.brianac.com.au type=AVC msg=audit(1236681698.7:21): avc: denied { read } for pid=3148 comm="spamd" name="server.c302.cloudmark.com.conf" dev=sda3 ino=198151 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file node=admin.brianac.com.au type=SYSCALL msg=audit(1236681698.7:21): arch=40000003 syscall=5 success=yes exit=9 a0=9bba88c a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) Raw Audit Messages node=admin.brianac.com.au type=AVC msg=audit(1236681697.863:14): avc: denied { append } for pid=3148 comm="spamd" name="razor-agent.log" dev=sda3 ino=199151 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.863:14): arch=40000003 syscall=5 success=yes exit=8 a0=9bb0f14 a1=8441 a2=1b6 a3=8441 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) Raw Audit Messages node=admin.brianac.com.au type=AVC msg=audit(1236681697.879:15): avc: 
denied { ioctl } for pid=3148 comm="spamd" path="/root/.razor/razor-agent.log" dev=sda3 ino=199151 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.879:15): arch=40000003 syscall=54 success=no exit=-25 a0=8 a1=5401 a2=bfa0c9d8 a3=bfa0ca18 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) Raw Audit Messages node=admin.brianac.com.au type=AVC msg=audit(1236681697.985:17): avc: denied { read } for pid=3148 comm="spamd" name="servers.discovery.lst" dev=sda3 ino=198364 scontext=system_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.985:17): arch=40000003 syscall=5 success=yes exit=9 a0=9bb6bec a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) Raw Audit Messages node=admin.brianac.com.au type=AVC msg=audit(1236681697.879:16): avc: denied { getattr } for pid=3148 comm="spamd" path="/root/.razor/razor-agent.log" dev=sda3 ino=199151 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.879:16): arch=40000003 syscall=197 success=yes exit=0 a0=8 a1=81d6060 a2=7ccff4 a3=0 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) Raw Audit Messages node=admin.brianac.com.au type=AVC msg=audit(1236681697.986:18): avc: denied { ioctl } for pid=3148 comm="spamd" path="/root/.razor/servers.discovery.lst" dev=sda3 ino=198364 
scontext=system_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.986:18): arch=40000003 syscall=54 success=no exit=-25 a0=9 a1=5401 a2=bfa0c9d8 a3=bfa0ca18 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) Raw Audit Messages node=admin.brianac.com.au type=AVC msg=audit(1236681697.986:19): avc: denied { getattr } for pid=3148 comm="spamd" path="/root/.razor/servers.discovery.lst" dev=sda3 ino=198364 scontext=system_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file node=admin.brianac.com.au type=SYSCALL msg=audit(1236681697.986:19): arch=40000003 syscall=197 success=yes exit=0 a0=9 a1=81d6060 a2=7ccff4 a3=0 items=0 ppid=1 pid=3148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) From domg472 at gmail.com Wed Mar 11 08:46:42 2009 From: domg472 at gmail.com (Dominick Grift) Date: Wed, 11 Mar 2009 09:46:42 +0100 Subject: Several policy questions In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5C47@dragonfly.symark.com> References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5C47@dragonfly.symark.com> Message-ID: <1236761203.13534.10.camel@notebook1.grift.internal> On Tue, 2009-03-10 at 18:26 -0700, Brian Ginn wrote: > I have an application that consists of four different programs that > all talk to each other via TCP sockets? 
Similar to the diagram: > > +---------+ > > +-------| ServerA |------+ > > | +---------+ | > > | | | > > +----------------+ | +---------+ > > | UserApp Client |---|-----| ServerB | > > +----------------+ | +---------+ > > | | | > > | | | > > | +--------+ | > > +-------| Logger |------+ > > +--------+ > > > > The ServerA, ServerB, and Logger all run from xinetd. > > The "UserApp Client" is the only program directly executed via the > user. > > All programs read from a common settings file in /etc. > > > > With Fedora Core 9, I've used the polgengui to create initial policies > for the four programs. > > Then since they share the settings file, I edited the definitions so > that configuration file is not specific to any one of the programs. > > They all need to share port information, so I added require > { myservera_port_t; myserverb_port_t; mylogger_port_t } statements to > each .te file. > > That seems to work on FC9, but on RedHat EL 5.2, when attempting to > load myservera, it complains: > > /usr/sbin/semodule -i myservera.pp > > libsepol.print_missing_requirements: myservera's global requirements > were not met: type/attribute myserverb_port_t > > libsemanage.semanage_link_sandbox: Link packages failed > > /usr/sbin/semodule: Failed! > > > > Attempting to load myserverB first ends up with the same complaint > about the serverA's port_t being undefined. > > > > I had kept the .te files for the four programs separate? but this > message makes me think that maybe I need to combine them. Is that > necessary? Or is there a way to pre-define the ports before the > "require from somewhere else" statement? > You could maybe declare your ports in a separate port module. Or you could integrate your modules to the main selinux-policy packages. > > For my four programs, should I have four distinct policy_module > statements? > > Is it possible to have multiple policy_module statements in the > same .te file? > > > > Also, I seem to be having domain transfer problems. 
> > I added this following code to each .te file:
> >
> > domain_auto_trans(unconfined_t, myapp_exec_t, myapp_t )

This would also require:

role unconfined_r types myapp_t;

However please consider that the unconfined domain is designed to be unrestricted. (it should not domain transition to unconfined domains) One would use the confined user domains (if available)

> > allow unconfined_t myapp_t:fd use;
> >
> > allow myapp_t unconfined_t:fifo_file rw_file_perms;
> >
> > allow myapp_t unconfined_t:process sigchld;
> >
> > however, each process still runs as follows:
> >
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32504 pts/4
> > 00:00:00 myapp
> >
> > unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32508 ? 00:00:00
> > myserverb
> >
> > unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32512 ? 00:00:00
> > mylogger
>

inetd daemons are declared this way:

inetd_tcp_service_domain(myserverb_t, myserverb_exec_t)
role system_r types myserverb_t;

This also takes care of domain transition

> > For the inetd daemons, is this something I should try to fix, or is
> > unconfined_u:system_r:inetd_child_t "secure enough"?
> >
> > Any suggestions for getting the myapp domain transferred?
> >
> > Thanks,
> >
> > Brian
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From chepkov at yahoo.com Wed Mar 11 12:41:48 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Wed, 11 Mar 2009 05:41:48 -0700 (PDT)
Subject: AVCs with spamd (F10)
In-Reply-To: <49B7578C.8090409@brianac.com.au>
Message-ID: <814448.47263.qm@web36802.mail.mud.yahoo.com>

Default policy doesn't have rules allowing access to root's home (admin_home_t). I added the following into my local policy as a workaround:

/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)

Sincerely yours,
Vadym Chepkov

From sds at tycho.nsa.gov Wed Mar 11 13:08:31 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 11 Mar 2009 09:08:31 -0400
Subject: Several policy questions
In-Reply-To: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5C47@dragonfly.symark.com>
References: <8F43ACC6DCEECD4FA252B8042E2C4B8B9DB24E5C47@dragonfly.symark.com>
Message-ID: <1236776911.14649.37.camel@localhost.localdomain>

On Tue, 2009-03-10 at 18:26 -0700, Brian Ginn wrote:
> I have an application that consists of four different programs that
> all talk to each other via TCP sockets... Similar to the diagram:
>
>                    +---------+
>            +-------| ServerA |------+
>            |       +---------+      |
>            |            |           |
>    +----------------+   |     +---------+
>    | UserApp Client |---|-----| ServerB |
>    +----------------+   |     +---------+
>            |            |           |
>            |            |           |
>            |       +--------+       |
>            +-------| Logger |-------+
>                    +--------+
>
> The ServerA, ServerB, and Logger all run from xinetd.
>
> The "UserApp Client" is the only program directly executed via the
> user.
>
> All programs read from a common settings file in /etc.
>
> With Fedora Core 9, I've used the polgengui to create initial policies
> for the four programs.
>
> Then since they share the settings file, I edited the definitions so
> that configuration file is not specific to any one of the programs.
>
> They all need to share port information, so I added require
> { myservera_port_t; myserverb_port_t; mylogger_port_t } statements to
> each .te file.
>
> That seems to work on FC9, but on RedHat EL 5.2, when attempting to
> load myservera, it complains:
>
> /usr/sbin/semodule -i myservera.pp
>
> libsepol.print_missing_requirements: myservera's global requirements
> were not met: type/attribute myserverb_port_t
>
> libsemanage.semanage_link_sandbox: Link packages failed
>
> /usr/sbin/semodule: Failed!
>
> Attempting to load myserverB first ends up with the same complaint
> about the serverA's port_t being undefined.

That is to be expected since they have a mutual dependency. You should get the same error on FC9 if you are installing one of those modules on a clean system that doesn't already have the other modules installed. You could overcome it by passing all of the modules at once to semodule, e.g.

semodule -i myservera.pp -i myserverb.pp -i mylogger.pp

or depending on the version of semodule, just

semodule -i myservera.pp myserverb.pp mylogger.pp

so that they can be inserted in a single transaction, enabling the mutual dependencies to be resolved.

> I had kept the .te files for the four programs separate... but this
> message makes me think that maybe I need to combine them. Is that
> necessary? Or is there a way to pre-define the ports before the
> "require from somewhere else" statement?

You can keep them separate using the above technique or by refactoring them as Dominick suggested, but I'm not sure why you would do so since they form a single logical application. Will you ever want to install one without the others?

> For my four programs, should I have four distinct policy_module
> statements?

Only if their policies live in separate modules. A single module may contain any number of distinct domains, so you don't need a separate module per domain if that is your question.

> Is it possible to have multiple policy_module statements in the
> same .te file?

Not presently, no.

> Also, I seem to be having domain transfer problems.
>
> I added this following code to each .te file:
>
> domain_auto_trans(unconfined_t, myapp_exec_t, myapp_t )
>
> allow unconfined_t myapp_t:fd use;
>
> allow myapp_t unconfined_t:fifo_file rw_file_perms;
>
> allow myapp_t unconfined_t:process sigchld;

Try to use refpolicy interfaces when possible. As Dominick noted, you are missing a role declaration for myapp_t here that could prevent the transition - that should have triggered a SELINUX_ERR message in the audit log.

> however, each process still runs as follows:
>
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 32504 pts/4
> 00:00:00 myapp
>
> unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32508 ? 00:00:00
> myserverb
>
> unconfined_u:system_r:inetd_child_t:s0-s0:c0.c1023 32512 ? 00:00:00
> mylogger
>
> For the inetd daemons, is this something I should try to fix, or is
> unconfined_u:system_r:inetd_child_t "secure enough"?

I'd recommend creating your own domain. refpolicy at oss.tresys.com is a good place to ask such questions as well.

--
Stephen Smalley
National Security Agency

From dougp at medinet.ca Wed Mar 11 16:59:13 2009
From: dougp at medinet.ca (Doug Poulin)
Date: Wed, 11 Mar 2009 09:59:13 -0700
Subject: I need a copy of the vsftpd.te configuration files
Message-ID: <77B79D12A84D49BFA2C490C97392E63A@medinet.net>

Can someone please send me a copy of the SELinux domain file(s) to set up vsftpd properly. I'm running Redhat EL4 and they aren't included in the source rpms.

Send it to email dougp at medinet.ca

Doug Poulin
Senior Developer
Medinet Health Systems

From chepkov at yahoo.com Wed Mar 11 17:01:37 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Wed, 11 Mar 2009 10:01:37 -0700 (PDT)
Subject: mediawiki AVC
Message-ID: <806929.80873.qm@web36805.mail.mud.yahoo.com>

Hello,

mediawiki software has the following script, ImageMagick gets invoked using it:

$ cat /var/www/mediawiki/bin/ulimit4.sh
#!/bin/bash

ulimit -t $1 -v $2 -f $3
eval "$4"

I added

/var/www/mediawiki/bin/.* regular file system_u:object_r:httpd_sys_script_exec_t:s0

into local policy.
I receive the following AVC denial:

type=AVC msg=audit(1236789583.906:576443): avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file

audit2allow suggests the following:

allow httpd_sys_script_t httpd_t:file read;

but it doesn't seem right to me. I don't want to make it httpd_unconfined_script_exec_t, does anyone have a better suggestion?

Thank you.

Sincerely yours,
Vadym Chepkov

From domg472 at gmail.com Wed Mar 11 17:26:15 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Wed, 11 Mar 2009 18:26:15 +0100
Subject: I need a copy of the vsftpd.te configuration files
In-Reply-To: <77B79D12A84D49BFA2C490C97392E63A@medinet.net>
References: <77B79D12A84D49BFA2C490C97392E63A@medinet.net>
Message-ID: <1236792376.3590.0.camel@notebook1.grift.internal>

On Wed, 2009-03-11 at 09:59 -0700, Doug Poulin wrote:
> Can someone please send me a copy of the SELinux domain file(s) to set
> up vsftpd properly. I'm running Redhat EL4 and they aren't included
> in the source rpms.

man ftpd_selinux might help? What is the exact problem?

> Send it to email dougp at medinet.ca
>
> Doug Poulin
> Senior Developer
> Medinet Health Systems
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From sds at tycho.nsa.gov Wed Mar 11 17:28:06 2009
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Wed, 11 Mar 2009 13:28:06 -0400
Subject: I need a copy of the vsftpd.te configuration files
In-Reply-To: <77B79D12A84D49BFA2C490C97392E63A@medinet.net>
References: <77B79D12A84D49BFA2C490C97392E63A@medinet.net>
Message-ID: <1236792486.14649.58.camel@localhost.localdomain>

On Wed, 2009-03-11 at 09:59 -0700, Doug Poulin wrote:
> Can someone please send me a copy of the SELinux domain file(s) to set
> up vsftpd properly.
I'm running Redhat EL4 and they aren't included > in the source rpms. > > Send it to email dougp at medinet.ca Look in the selinux-policy-targeted .src.rpm file, under domains/program/unused. It would be ftpd.te (and ftpd.fc under file_contexts/program). Anything in the unused subdirectory doesn't get included in the final policy, but you can copy it over to your actual domains/program directory and see if it will build. -- Stephen Smalley National Security Agency From domg472 at gmail.com Wed Mar 11 17:40:47 2009 From: domg472 at gmail.com (Dominick Grift) Date: Wed, 11 Mar 2009 18:40:47 +0100 Subject: mediawiki AVC In-Reply-To: <806929.80873.qm@web36805.mail.mud.yahoo.com> References: <806929.80873.qm@web36805.mail.mud.yahoo.com> Message-ID: <1236793247.3590.12.camel@notebook1.grift.internal> On Wed, 2009-03-11 at 10:01 -0700, Vadym Chepkov wrote: > Hello, > > mediawiki software has a following script, ImageMagick gets invoked using it: > > $ cat /var/www/mediawiki/bin/ulimit4.sh > #!/bin/bash > > ulimit -t $1 -v $2 -f $3 > eval "$4" > > > I added > /var/www/mediawiki/bin/.* regular file system_u:object_r:httpd_sys_script_exec_t:s0 > > into local policy. I receive the following AVC denial: > > type=AVC msg=audit(1236789583.906:576443): avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file > > audit2allow suggests the following: > > allow httpd_sys_script_t httpd_t:file read; > > but it doesn't seem right to me. I don't want to make it httpd_unconfined_script_exec_t, does anyone has a better suggestion? Looks like it wants to read some httpd process info. 
As far as I am concerned you can allow this access with a local policy:

echo 'avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file' | audit2allow -M myhttpdsysscript; /usr/sbin/semodule -i myhttpdsysscript.pp

Mind the line breaks. To undo: semodule -r myhttpdsysscript

You can also run this script in a unique domain. This would require you to write policy for it. Something like:

mkdir ~/mediawikiscript; cd ~/mediawikiscript;
echo "policy_module(mediawikiscript, 0.0.1)" > mediawikiscript.te
echo "apache_content_template(mediawikiscript)" >> mediawikiscript.te
echo "allow httpd_mediawikiscript_script_t httpd_t:file read;" >> mediawikiscript.te
echo "/var/www/mediawiki/bin/.* gen_context(system_u:object_r:httpd_mediawikiscript_script_exec_t,s0)" > mediawikiscript.fc

(watch the line breaks)

make -f /usr/share/selinux/devel/Makefile
semodule -i mediawikiscript.pp
restorecon -R -v /var/www/mediawiki/bin/

> Thank you.
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From sradvan at redhat.com Tue Mar 17 05:33:08 2009
From: sradvan at redhat.com (Scott Radvan)
Date: Tue, 17 Mar 2009 15:33:08 +1000
Subject: implications of httpd_unified
Message-ID: <20090317153308.3cc47a43@redhat.com>

Hi all,

I have taken ownership of development on the Fedora 11 SELinux (Managing Confined Services) guide, and am currently trying to build on the descriptions of the purposes, uses and implications of enabling/disabling some of the available Booleans.

I am wondering if anybody can expand or has any comments on this description of the httpd_unified Boolean, as there doesn't seem to be a great deal out there about it.
"This Boolean is off by default, turning it on will allow all httpd executables to have full access to all content labeled with a http file context. Leaving it off makes sure that one httpd service can not interfere with another." Specifically I am interested in what is meant by a service that can not "interfere with another" in the case of http_unified, but any comments which may help me refine the description are more than welcome. Thank you, -- Scott Radvan, Content Author Red Hat APAC (Brisbane) http://www.apac.redhat.com From paul at city-fan.org Tue Mar 17 07:39:45 2009 From: paul at city-fan.org (Paul Howarth) Date: Tue, 17 Mar 2009 07:39:45 +0000 Subject: implications of httpd_unified In-Reply-To: <20090317153308.3cc47a43@redhat.com> References: <20090317153308.3cc47a43@redhat.com> Message-ID: <20090317073945.0c29ce84@metropolis.intra.city-fan.org> On Tue, 17 Mar 2009 15:33:08 +1000 Scott Radvan wrote: > Hi all, > > > I have taken ownership of development on the Fedora 11 SELinux > (Managing Confined Services) guide, and am currently trying to build > on the descriptions of the purposes, uses and implications of > enabling/disabling some of the available Booleans. > > I am wondering if anybody can expand or has any comments on this > description of the httpd_unified Boolean, as there doesn't seem to be > a great deal out there about it. > > "This Boolean is off by default, turning it on will allow all httpd > executables to have full access to all content labeled with a http > file context. Leaving it off makes sure that one httpd service can not > interfere with another." > > Specifically I am interested in what is meant by a service that can > not "interfere with another" in the case of http_unified, but any > comments which may help me refine the description are more than > welcome. I think this means that say httpd_bugzilla_script_t can't access httpd_sys_* files and httpd_sys_script_t can't access httpd_bugzilla_* files etc. Paul. 
From domg472 at gmail.com Tue Mar 17 12:39:50 2009 From: domg472 at gmail.com (Dominick Grift) Date: Tue, 17 Mar 2009 13:39:50 +0100 Subject: implications of httpd_unified In-Reply-To: <20090317153308.3cc47a43@redhat.com> References: <20090317153308.3cc47a43@redhat.com> Message-ID: <1237293592.7383.81.camel@notebook1.grift.internal> On Tue, 2009-03-17 at 15:33 +1000, Scott Radvan wrote: > "This Boolean is off by default, turning it on will allow all httpd > executables to have full access to all content labeled with a http file > context. Leaving it off makes sure that one httpd service can not > interfere with another." The httpd SELinux policy allows one to confine specific http content to specific domains or sandboxes If configured properly for example, a user cgi script gets run in a domain specific to user scripts. That domain specific to user content can only manage user content. For example a user labels his cgi script with the type httpd_user_script_exec_t. Now when apache runs this script, it will domain transition to the httpd_user_script_t domain. This domain can only access content with the httpd user type, for example httpd_user_content_t. When a sysadm labels a system cgi script with type httpd_sys_script_exec_t, then apache will domain transition to the httpd_sys_script_t domain specific to system scripts. This httpd_sys_script_t domain can only access content with the sys type, for example httpd_sys_content_t. The httpd SELinux policy allows the operator to define more of these specific domains. It facilitates this with the apache_content_template for example. So if you have a cgi webapp called myscript, Then you can run this script in its own apache domain. You would for example create a module and call apache_content_template(myscript) This will create types that you can use to confine you script. httpd_myscript_script_exec_t, httpd_myscript_content_t etc. 
Now if you label your script with type httpd_myscript_script_exec_t, apache will domain transition to httpd_myscript_script_exec_t. This domain only has access to files with type httpd_myscript_content_t.

The idea of this model is that the different domains cannot interfere with each other (escalate their privilege). If one cgi script is compromised it will not be able to affect another script if that script is running in another domain.

Now about httpd_unified: All httpd content is assigned an attribute: httpdcontent. So httpd_myscript_content_t is httpdcontent, but also httpd_user_content_t is httpdcontent.

httpd_unified allows the processes to escalate to each other's content. Instead of a rule like this, for example:

allow httpd_myscript_script_t httpd_myscript_content_t:file read;

there's a rule:

allow httpd_myscript_script_t httpdcontent:file read;

Which says: allow the httpd_myscript_script_t domain to read all files that have the httpdcontent attribute assigned to them. Which is all httpd content.

So by default you can isolate the different apache content. But if you enable httpd_unified then that isolation is gone (then everything will just be httpdcontent).

It may be best to just try it. Create two simple hello world web scripts and create a new domain for each. Then run the scripts in their domain. Later edit the scripts to read some content that is not in their domain, for example let them try to read a file with type httpd_sys_content_t. This should be denied if httpd_unified is disabled. Then enable httpd_unified and your scripts should be able to read the file with the httpd_sys_content_t type.

Disclaimer: I might have this all wrong. Use this at your own risk.

> Specifically I am interested in what is meant by a service that can not
> "interfere with another" in the case of http_unified, but any comments
> which may help me refine the description are more than welcome.

privilege escalation. apache script a cannot access apache script b's files.
> > Thank you, > > hth, Dominick From zoroufi at gmail.com Tue Mar 17 15:08:59 2009 From: zoroufi at gmail.com (zoroufi) Date: Tue, 17 Mar 2009 08:08:59 -0700 (PDT) Subject: Unable to successfully run some applications in Fedora 9 with MLS enforcing Message-ID: <22561139.post@talk.nabble.com> Dear All, After successfully switching to MLS enforcing mode in Fedora 9 I have some troubles when running some applications. After executing these applications they are terminated and no result even no log is generated. For example running the system-config-selinux terminates the application. Would you please help me what should I do in order to overcome this problem? Similar behaviors are estimated when you run any of the followings commands service --status-all system-config-users system-config-display ... Any comments will be appreciated Mohammad -- View this message in context: http://www.nabble.com/Unable-to-successfully-run-some-applications-in-Fedora-9-with-MLS-enforcing-tp22561139p22561139.html Sent from the Fedora SELinux List mailing list archive at Nabble.com. From domg472 at gmail.com Tue Mar 17 15:26:49 2009 From: domg472 at gmail.com (Dominick Grift) Date: Tue, 17 Mar 2009 16:26:49 +0100 Subject: Unable to successfully run some applications in Fedora 9 with MLS enforcing In-Reply-To: <22561139.post@talk.nabble.com> References: <22561139.post@talk.nabble.com> Message-ID: <1237303609.7383.86.camel@notebook1.grift.internal> On Tue, 2009-03-17 at 08:08 -0700, zoroufi wrote: > Dear All, > After successfully switching to MLS enforcing mode in Fedora 9 I have some > troubles when running some applications. After executing these applications > they are terminated and no result even no log is generated. > For example running the system-config-selinux terminates the application. > Would you please help me what should I do in order to overcome this problem? 
> Similar behaviors are estimated when you run any of the followings commands
> service --status-all
> system-config-users
> system-config-display
> ...
> Any comments will be appreciated
> Mohammad

policy-MLS in Fedora 9 is not supported in a GUI, I believe. If you want to use policy-MLS, use it in runlevel 3 only.

In Fedora 11 (rawhide), MLS might work with the GUI but it is still a work in progress.

I am not sure why "service --status-all" would cause issues however. Any related AVC denial that is generated might give clues.

From sebastian.pfaff at gmail.com Tue Mar 17 16:49:31 2009 From: sebastian.pfaff at gmail.com (Sebastian Pfaff) Date: Tue, 17 Mar 2009 17:49:31 +0100 Subject: how does execstack work? Message-ID: <2D152A8C-03EC-44C6-B4B7-CAC7F4CEA2E6@gmail.com>

Hello everyone,

1st I'm relatively new to selinux, so be patient with me ;). I'm using Fedora 10.

I wrote a small c app:

#include <stdio.h>

/* shellcode calls exit_group(2) with status 2, see man 2 exit_group */
void func(int a, int b, int c)
{
    int *helper = NULL;
    /* xor ebx,ebx; mov bl,2; xor eax,eax; mov al,0xfc; int 0x80 */
    char buf[] = "\x31\xdb\xb3\x02\x31\xc0\xb0\xfc\xcd\x80";

    /* overwrite the saved return address of this frame with &buf */
    helper = (int *)(&helper + 2);
    *helper = (int)buf;
}

int main(int c, char **v)
{
    func(1, 2, 3);
    return 0;
}

the shellcode executes exit_group(2) with argument 2 (like exit_group(2)). Shellcode works as expected. I tested it on several systems. The shellcode will run in the stack region of the process. helper = (int *)(&helper+2); will overwrite the saved instruction pointer (return address), so the process will continue execution at the address of local variable buf (which is saved on the stack).
Program was compiled with: gcc -Xlinker -z -Xlinker execstack -o shellcode_str shellcode_str.c

Here the commands:

[root at SecLab student]# gcc -Xlinker -z -Xlinker execstack shellcode_str.c -o shellcode_str
[root at SecLab student]# chcon -t vul_exec_t shellcode_str
[root at SecLab student]# ls -Z shellcode_str
-rwxrwxr-x root root unconfined_u:object_r:vul_exec_t:s0 shellcode_str

(I did a chcon -t vul_exec_t shellcode_str, so executable shellcode_str is labelled correctly)

Please note that shellscript will run in domain vul_t. My te file (vul.te):

## confines vul
policy_module(vul, 0.0.6)

require {
	type unconfined_t;
}

########################################
#
# Declarations
#

type vul_t;
domain_type(vul_t)
role unconfined_r types vul_t;

# Access to shared libraries
libs_use_ld_so(vul_t)
libs_use_shared_libs(vul_t)

type vul_exec_t;
files_type(vul_exec_t)
domain_entry_file(vul_t, vul_exec_t)
domain_auto_transition_pattern(unconfined_t, vul_exec_t, vul_t)

#auditallow unconfined_t self:process execstack;
#auditallow vul_t self:process execstack;

execstack -q says that the executable has an executable stack:

[root at SecLab student]# execstack -q shellcode_str
X shellcode_str

executing shellcode_str:

[root at SecLab student]# semodule -R
[root at SecLab student]# ./shellcode_str
[root at SecLab student]# echo $?
2

Return value of 2 indicates that shellcode on the stack has been executed successfully. I expected that SELinux will prevent any execution of code on the stack. But audit.log shows me nothing like this.
Here the audit.log, since last reload:

type=MAC_POLICY_LOAD msg=audit(1237306463.553:2886): policy loaded auid=0 ses=133
type=SYSCALL msg=audit(1237306463.553:2886): arch=40000003 syscall=4 success=yes exit=3470910 a0=4 a1=b7bce000 a2=34f63e a3=bf9330f8 items=0 ppid=20508 pid=20509 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=133 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1237306470.434:2887): avc: denied { read write } for pid=20511 comm="shellcode_str" name="0" dev=devpts ino=2 scontext=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1237306470.434:2887): avc: denied { read write } for pid=20511 comm="shellcode_str" path="/dev/pts/0" dev=devpts ino=2 scontext=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1237306470.434:2887): avc: denied { read write } for pid=20511 comm="shellcode_str" path="/dev/pts/0" dev=devpts ino=2 scontext=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1237306470.434:2887): avc: denied { read write } for pid=20511 comm="shellcode_str" path="/dev/pts/0" dev=devpts ino=2 scontext=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1237306470.434:2887): arch=40000003 syscall=11 per=400000 success=yes exit=0 a0=811b480 a1=8121ca8 a2=8110bc0 a3=0 items=0 ppid=6574 pid=20511 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=133 comm="shellcode_str" exe="/home/student/shellcode_str" subj=unconfined_u:unconfined_r:vul_t:s0-s0:c0.c1023 key=(null)

Does SELinux prevent execution on the stack? If yes, how can I see this.
It would also be helpful if I had an example which shows me a denial of execstack (searching the log gave no results here). Or is something wrong with my example? I suppose I have a wrong understanding about how SELinux execstack works. Please help to clarify this.

hope someone can help. tnx in advance.

-- Sebastian Pfaff

From zoroufi at gmail.com Tue Mar 17 17:00:20 2009 From: zoroufi at gmail.com (zoroufi) Date: Tue, 17 Mar 2009 10:00:20 -0700 (PDT) Subject: There was an error starting GNOME settings Daemons, Some things, such as Themes, sounds, or background settings may not work correctly Message-ID: <22563621.post@talk.nabble.com>

When I login with a user mapped to the system_u SELinux user there are no such error messages, but when I login with a user mapped to the sysadm_u SELinux user there is such an error message (some desktop icons are not loaded correctly). As you know you can map any linux user to a SELinux user in the following text file: /etc/selinux/mls/seusers.

As you know the system_u SELinux user has less than the sysadm_u SELinux user in viewpoint of privileges. So could you tell me how I could overcome this problem?

-- View this message in context: http://www.nabble.com/There-was-an-error-starting-GNOME-settings-Daemons%2C-Some-things%2C-such-as-Themes%2C-sounds%2C-or-background-settings-may-not-work-correctly-tp22563621p22563621.html Sent from the Fedora SELinux List mailing list archive at Nabble.com.

From sds at tycho.nsa.gov Tue Mar 17 17:28:57 2009 From: sds at tycho.nsa.gov (Stephen Smalley) Date: Tue, 17 Mar 2009 13:28:57 -0400 Subject: how does execstack work? In-Reply-To: <2D152A8C-03EC-44C6-B4B7-CAC7F4CEA2E6@gmail.com> References: <2D152A8C-03EC-44C6-B4B7-CAC7F4CEA2E6@gmail.com> Message-ID: <1237310937.6582.123.camel@localhost.localdomain>

On Tue, 2009-03-17 at 17:49 +0100, Sebastian Pfaff wrote:
> Does SELinux prevent execution on the stack? If yes, how can I see
> this.
> It would also be helpful if I had an example which shows me a
> denial of execstack (searching the log gave no results here). Or is
> something wrong with my example?
> I suppose I have a wrong understanding about how SELinux execstack
> works. Please help to clarify this.

The SELinux execstack check only comes into play if the process calls mprotect(...PROT_EXEC...) on the stack. It is just a policy control over the ability of the process to mark its stack executable. If the program was marked as requiring an executable stack, then that won't ever happen - the kernel will set it up accordingly from the beginning.

http://people.redhat.com/drepper/selinux-mem.html

-- Stephen Smalley National Security Agency

From dwalsh at redhat.com Tue Mar 17 18:52:20 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 17 Mar 2009 14:52:20 -0400 Subject: There was an error starting GNOME settings Daemons, Some things, such as Themes, sounds, or background settings may not work correctly In-Reply-To: <22563621.post@talk.nabble.com> References: <22563621.post@talk.nabble.com> Message-ID: <49BFF164.6040908@redhat.com>

On 03/17/2009 01:00 PM, zoroufi wrote:
> When I login with a user mapped to System_u SELinux user there is no such
> error messages, But when I login with a user mapped to sysadm_u SELinux user
> there is a such error message ( some desktop icons are not loaded correctly)
> As you know you could mapped any linux user with a SELinux user in the
> following text file
> /etc/selinux/mls/seusers.
>
> As you know the system_u SELinux user has less than sysadm_u SELinux user in
> viewpoint of privileges.
> So could you tell me that How I could overcome to this problem?

First What OS? Version?

system_u is not supposed to be a login user, you are supposed to use something like staff_u or user_u, guest_u, xguest_u or unconfined_u.

sysadm_u is not necessarily more or less powerful than the other user types.
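As an added example (not Sebastian's code and not from any of the replies) of the distinction Stephen Smalley draws above: the execstack permission is checked only when a running process asks the kernel to make its stack executable with mprotect(), so a binary linked with -z execstack starts life with an executable stack and never reaches that check, which is why shellcode_str ran under vul_t without a single execstack AVC. The program below, built without -z execstack, first reads its own stack permissions from /proc/self/maps (the same fact "execstack -q" reports from the PT_GNU_STACK header) and then makes the mprotect(PROT_EXEC) call that does hit the check. Under an enforcing policy whose domain lacks an `allow ... self:process execstack;` rule that call fails with EACCES and the corresponding AVC is logged. The file name stackexec.c and the choice of one page around a local buffer are assumptions of this example.

```c
/* Added example, not from the thread: shows where the SELinux execstack
 * check actually sits. A stack that is executable from the start (the
 * -z execstack case) never reaches it; only an mprotect(PROT_EXEC) on a
 * stack page does, and a denial comes back as EACCES from that call.
 * Build: gcc -o stackexec stackexec.c      (deliberately no -z execstack)
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* 1 if /proc/self/maps shows the main stack mapped with 'x', 0 if not,
 * -1 if the [stack] line cannot be found (no procfs). This reflects
 * PT_GNU_STACK plus any mprotect done so far. */
int stack_is_executable(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int result = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[8] = {0};

        /* maps fields: start-end perms offset dev inode pathname */
        if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3)
            continue;
        if (strstr(line, "[stack]")) {
            result = (perms[2] == 'x');
            break;
        }
    }
    fclose(f);
    return result;
}

/* Mark the page holding a local buffer executable, then put it back.
 * Returns 0 if the kernel (and SELinux) allowed it, otherwise the errno of
 * the failed mprotect: EACCES is what an execstack denial looks like, and
 * the matching AVC names the process's own domain as source and target. */
int try_exec_stack_page(void)
{
    volatile char buf[64];                     /* lives on the stack */
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)buf & ~((uintptr_t)page - 1);

    buf[0] = 0;                                /* make sure it is mapped */
    if (mprotect((void *)start, (size_t)page,
                 PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return errno;
    /* Undo, so the rest of the program runs with a non-executable stack. */
    mprotect((void *)start, (size_t)page, PROT_READ | PROT_WRITE);
    return 0;
}

int main(void)
{
    int before = stack_is_executable();
    int rc = try_exec_stack_page();

    printf("stack executable at start (PT_GNU_STACK): %d\n", before);
    if (rc == 0)
        printf("mprotect(PROT_EXEC) on a stack page: allowed\n");
    else
        printf("mprotect(PROT_EXEC) on a stack page: denied (%s)\n",
               strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Build it twice, once as above and once with -z execstack, and compare the first line: with -z execstack the stack is already executable, code placed in buf can run without any mprotect, and therefore no execstack AVC is ever generated. Run the plain build under a confined domain such as vul_t from the thread and `ausearch -m avc -c stackexec` shows the `{ execstack }` denial Sebastian was looking for; adding `allow vul_t self:process execstack;` to the module makes the call succeed again.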
I don't like to talk about greater or less privs when using SELinux because the reality is the domains are just different. In some circumstances it might be able to do more and other less. For example, I can setup the login programs to be not allowed to login as sysadm_u. From dwalsh at redhat.com Tue Mar 17 18:54:09 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 17 Mar 2009 14:54:09 -0400 Subject: Unable to successfully run some applications in Fedora 9 with MLS enforcing In-Reply-To: <1237303609.7383.86.camel@notebook1.grift.internal> References: <22561139.post@talk.nabble.com> <1237303609.7383.86.camel@notebook1.grift.internal> Message-ID: <49BFF1D1.2060103@redhat.com> On 03/17/2009 11:26 AM, Dominick Grift wrote: > On Tue, 2009-03-17 at 08:08 -0700, zoroufi wrote: >> Dear All, >> After successfully switching to MLS enforcing mode in Fedora 9 I have some >> troubles when running some applications. After executing these applications >> they are terminated and no result even no log is generated. >> For example running the system-config-selinux terminates the application. >> Would you please help me what should I do in order to overcome this problem? >> Similar behaviors are estimated when you run any of the followings commands >> service --status-all >> system-config-users >> system-config-display >> ... >> Any comments will be appreciated >> Mohammad > > policy-MLS in Fedora 9 is not supported in a GUI i believe. If you want > to use policy-MLS, use it in runlevel 3 only. > > In Fedora 11 (rawhide), MLS might work with the GUI but it is still a > work in progress. > > I am not sure why "service --status-all" would cause issue however. Any > related AVC denial that is generated might give clues. > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list Yes if you want to run mls with a desktop you need to run fedora 11. 
And many userhelper tools will not work, including system-config-selinux. From dwalsh at redhat.com Tue Mar 17 18:54:51 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 17 Mar 2009 14:54:51 -0400 Subject: Unable to successfully run some applications in Fedora 9 with MLS enforcing In-Reply-To: <49BFF1D1.2060103@redhat.com> References: <22561139.post@talk.nabble.com> <1237303609.7383.86.camel@notebook1.grift.internal> <49BFF1D1.2060103@redhat.com> Message-ID: <49BFF1FB.7080504@redhat.com> On 03/17/2009 02:54 PM, Daniel J Walsh wrote: > On 03/17/2009 11:26 AM, Dominick Grift wrote: >> On Tue, 2009-03-17 at 08:08 -0700, zoroufi wrote: >>> Dear All, >>> After successfully switching to MLS enforcing mode in Fedora 9 I have >>> some >>> troubles when running some applications. After executing these >>> applications >>> they are terminated and no result even no log is generated. >>> For example running the system-config-selinux terminates the >>> application. >>> Would you please help me what should I do in order to overcome this >>> problem? >>> Similar behaviors are estimated when you run any of the followings >>> commands >>> service --status-all >>> system-config-users >>> system-config-display >>> ... >>> Any comments will be appreciated >>> Mohammad >> >> policy-MLS in Fedora 9 is not supported in a GUI i believe. If you want >> to use policy-MLS, use it in runlevel 3 only. >> >> In Fedora 11 (rawhide), MLS might work with the GUI but it is still a >> work in progress. >> >> I am not sure why "service --status-all" would cause issue however. Any >> related AVC denial that is generated might give clues. >> >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > Yes if you want to run mls with a desktop you need to run fedora 11. And > many userhelper tools will not work, including system-config-selinux. 
> > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You should be able to run system-config-selinux as root though.

From dwalsh at redhat.com Tue Mar 17 19:17:38 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Tue, 17 Mar 2009 15:17:38 -0400 Subject: implications of httpd_unified In-Reply-To: <1237293592.7383.81.camel@notebook1.grift.internal> References: <20090317153308.3cc47a43@redhat.com> <1237293592.7383.81.camel@notebook1.grift.internal> Message-ID: <49BFF752.90909@redhat.com>

httpd_unified means that all file types for httpd_sys_* are treated the same way:

httpd_sys_content_t
httpd_sys_content_rw_t
httpd_sys_script_exec_t
httpd_sys_content_ra_t

If you turn on this boolean, a script running as httpd_sys_script_t or httpd_t can read/write/execute all httpd_sys file types. If you turn it off, the admin is responsible to make sure the labeling is correct on all files. So if httpd_sys_script_t wants to write to a file/directory, it needs to be labeled httpd_sys_content_rw_t.

httpd_sys_script_t can not interact with httpd_(NON sys)_content_t with or without the boolean set. The httpd_unified boolean does not affect any other httpd_(NON sys)_script_t domains.

From dsugar at tresys.com Wed Mar 18 14:09:12 2009 From: dsugar at tresys.com (Dave Sugar) Date: Wed, 18 Mar 2009 10:09:12 -0400 Subject: [ANN] CDS Framework 3.3 Message-ID: <1237385352.4110.3.camel@localhost.localdomain>

Version 3.3 of the CDS Framework Toolkit from Tresys Technology is now available for download from the Tresys Open Source website at http://oss.tresys.com

The CDS Framework Toolkit is an Eclipse plug-in that allows engineers to leverage the power of SELinux when designing and implementing cross domain solutions without requiring that they have in depth knowledge of the complex details of underlying SELinux security policies.
In particular the CDS Framework Toolkit provides the following benefits to CDS developers on SELinux systems: * An integrated development environment for creating security policy * Graphical editing of information flow for developing security policy * SELinux policy generation * Integration with SLIDE and Reference Policy (also available on http://oss.tresys.com) CDS Framework version 3.3.0 - highlights: * Adds ability to print the security architecture diagram * Facilitates interfacing with raw SELinux policy through the addition of an export option in the graphical interface * Adds enhancements to CDS Framework translation dictionary and add additional linkage files * Fixes issues with routing of lines across boundaries and with attaching control resources in a domain when changing its parent Dave Sugar Tresys Technology, LLC From aaronngray.lists at googlemail.com Fri Mar 20 20:14:50 2009 From: aaronngray.lists at googlemail.com (Aaron Gray) Date: Fri, 20 Mar 2009 20:14:50 -0000 Subject: Newbie Q Message-ID: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on Apache. Runs fine in permissive mode not in enforcing. I bought the O'Reilly SE Linux book and learned the basics but it does not really seem to help me on Fedora. there was no /var/log/kernel so I tried /var/log/secure with the following command sequence setenforce 0 # access the cgi from the web setenforce 1 audit2allow -l -i /var/log/secure What is strange also is the system is not flagging things up as a notification icon anymore in enforcing mode. If someone could guide me or push me in the right direction I would be most thankful. 
Aaron From jdennis at redhat.com Fri Mar 20 20:42:31 2009 From: jdennis at redhat.com (John Dennis) Date: Fri, 20 Mar 2009 16:42:31 -0400 Subject: Newbie Q In-Reply-To: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP> References: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP> Message-ID: <49C3FFB7.1060106@redhat.com> Aaron Gray wrote: > I am trying to audit2allow on F10 to allow a cgi-bin perl script to > run on Apache. Runs fine in permissive mode not in enforcing. > > I bought the O'Reilly SE Linux book and learned the basics but it does > not really seem to help me on Fedora. > > there was no /var/log/kernel so I tried /var/log/secure with the > following command sequence > > setenforce 0 > > # access the cgi from the web > > setenforce 1 > > audit2allow -l -i /var/log/secure The audit log file is /var/log/audit/audit.log. Note, you must have root privileges to read it. > > > What is strange also is the system is not flagging things up as a > notification icon anymore in enforcing mode. Do you mean the "Star" Icon which opens the SETroubleshoot browser is not appearing on your desktop? If so are there any errors in /var/log/setroubleshoot/setroubleshootd.log? Are there actually AVC messages in the /var/log/audit/audit.log file? What version of setroubleshoot is installed? > > If someone could guide me or push me in the right direction I would be > most thankful. > > Aaron > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- John Dennis Looking to carve out IT costs? 
www.redhat.com/carveoutcosts/

From domg472 at gmail.com Fri Mar 20 21:13:15 2009 From: domg472 at gmail.com (Dominick Grift) Date: Fri, 20 Mar 2009 22:13:15 +0100 Subject: Newbie Q In-Reply-To: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP> References: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP> Message-ID: <1237583595.15653.8.camel@notebook1.grift.internal>

On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run on
> Apache. Runs fine in permissive mode not in enforcing.
>
> I bought the O'Reilly SE Linux book and learned the basics but it does not
> really seem to help me on Fedora.
>
> there was no /var/log/kernel so I tried /var/log/secure with the following
> command sequence
>
> setenforce 0
>
> # access the cgi from the web
>
> setenforce 1
>
> audit2allow -l -i /var/log/secure
>
> What is strange also is the system is not flagging things up as a
> notification icon anymore in enforcing mode.
>
> If someone could guide me or push me in the right direction I would be most
> thankful.

auditd logs to /var/log/audit/audit.log

To use cgi you must set the boolean httpd_enable_cgi. Then either label the cgi type httpd_sys_script_exec_t or create a custom domain for your script:

mkdir myscript; cd myscript;
echo "policy_module(myscript, 0.0.1)" > myscript.te
echo "apache_content_template(myscript)" >> myscript.te
echo "/var/www/cgi-bin/myscript.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > myscript.fc

make -f /usr/share/selinux/devel/Makefile
semodule -i myscript.pp
restorecon -R -v /var/www/cgi-bin/myscript.pl

This is just a base module you will likely need to extend it.
you can do so by making the httpd_myscript_script_t permissive and then extend your source policy with any rules required from audit.log/audit2why

semanage permissive -a httpd_myscript_script_t

ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule -i myscript.pp

semanage permissive -d httpd_myscript_script_t

(to remove the permissive domain)

hth, Dominick

> Aaron
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From aaronngray.lists at googlemail.com Fri Mar 20 23:12:19 2009 From: aaronngray.lists at googlemail.com (Aaron Gray) Date: Fri, 20 Mar 2009 23:12:19 -0000 Subject: Newbie Q References: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP> <1237583595.15653.8.camel@notebook1.grift.internal> Message-ID:

> On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
>> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
>> on
>> Apache. Runs fine in permissive mode not in enforcing.
>>
>> I bought the O'Reilly SE Linux book and learned the basics but it does
>> not
>> really seem to help me on Fedora.
>>
>> there was no /var/log/kernel so I tried /var/log/secure with the
>> following
>> command sequence
>>
>> setenforce 0
>>
>> # access the cgi from the web
>>
>> setenforce 1
>>
>> audit2allow -l -i /var/log/secure
>>
>> What is strange also is the system is not flagging things up as a
>> notification icon anymore in enforcing mode.
>>
>> If someone could guide me or push me in the right direction I would be
>> most
>> thankful.
> auditd logs to /var/log/audit/audit.log
>
> To use cgi you must set the boolean httpd_enable_cgi.

Great GIT on Apache running now !:) Thanks

But not accessing the repositories, looks like a script is needed.
> Then either label the cgi type httpd_sys_script_exec_t or create a > custom domain for your script: > > mkdir myscript; cd myscript; > echo "policy_module(myscript, 0.0.1)" > myscript.te > echo "apache_content_template(myscript)" >> myscript.te > echo "/var/www/cgi-bin/myscript.pl -- > gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > > myscript.fc > > make -f /usr/share/selinux/devel/Makefile > semodule -i myscript.pp > restorecon -R -v /var/www/cgi-bin/myscript.pl This is interesting. command line, thanks, interesting I will have to learn this stuff on the command line to understand it properly. > This is just a base module you will likely need to extend it. you can do > so why making the httpd_myscript_script_t permissive and then extend > your source policy with any rules required frpm audit.log/audit2why > > semanage permissive -a httpd_myscript_script_t Nice :) > ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow > -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule > -i myscript.pp This might just do the job ! > semanage permissive -d httpd_myscript_script_t > > (to remove the permissive domain) Is there any reason not to be using setenforce 0/1, on a machine behind firewall. I will try this. Looks like theres a need of a good howto that shows how simple these things can be. Many thanks Dominick Aaron From aaronngray.lists at googlemail.com Fri Mar 20 23:22:17 2009 From: aaronngray.lists at googlemail.com (Aaron Gray) Date: Fri, 20 Mar 2009 23:22:17 -0000 Subject: Newbie Q References: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP> <49C3FFB7.1060106@redhat.com> Message-ID: <8221560D29264287B8C0B5F1F34C9CBC@HPLAPTOP> > Aaron Gray wrote: >> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run >> on Apache. Runs fine in permissive mode not in enforcing. >> >> I bought the O'Reilly SE Linux book and learned the basics but it does >> not really seem to help me on Fedora. 
>> >> there was no /var/log/kernel so I tried /var/log/secure with the >> following command sequence >> >> setenforce 0 >> >> # access the cgi from the web >> >> setenforce 1 >> >> audit2allow -l -i /var/log/secure > The audit log file is /var/log/audit/audit.log. Note, you must have root > privileges to read it. >> >> >> What is strange also is the system is not flagging things up as a >> notification icon anymore in enforcing mode. Thanks for the reply. > Do you mean the "Star" Icon which opens the SETroubleshoot browser is not > appearing on your desktop? Yep. > If so are there any errors in /var/log/setroubleshoot/setroubleshootd.log? Yep. > Are there actually AVC messages in the /var/log/audit/audit.log file? Yep. > What version of setroubleshoot is installed? F10's ? Version 2.0.12 It runs when I select it from the command line but not automatically on violations. ~~~~~~~~~~~~setroubleshooth.log~~~~~~~~~~~~ 2009-03-20 16:58:15,020 [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0 2009-03-20 16:58:15,020 [program.ERROR] audit event node=localhost.localdomain type=AVC msg=audit(1237568294.768:209): avc: denied { signull } for pid=2480 comm="setroubleshootd" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process node=localhost.localdomain type=SYSCALL msg=audit(1237568294.768:209): arch=40000003 syscall=37 success=yes exit=0 a0=7d11 a1=0 a2=5cf70c a3=7d11 items=0 ppid=1 pid=2480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Does this give any clues ? 
Aaron

From aaronngray.lists at googlemail.com Sat Mar 21 02:26:36 2009 From: aaronngray.lists at googlemail.com (Aaron Gray) Date: Sat, 21 Mar 2009 02:26:36 -0000 Subject: Newbie Q - gitweb policy References: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP> <1237583595.15653.8.camel@notebook1.grift.internal> Message-ID: <0580DCCB5EA0412E9A1B1E1B7BA18B54@HPLAPTOP>

> On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
>> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
>> on
>> Apache. Runs fine in permissive mode not in enforcing.
>>

I had to use 'setenforce 0', remove the grep, and then whittle down the code a bit.

mkdir gitweb-policy; cd gitweb-policy;
echo "policy_module(gitweb, 0.0.1)" > gitweb.te
echo "apache_content_template(gitweb)" >> gitweb.te
echo "/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" > gitweb.fc

make -f /usr/share/selinux/devel/Makefile
semodule -i gitweb.pp
restorecon -R -v /var/www/git/gitweb.cgi

setenforce 0;

Do the http access !
setenforce 1;

ausearch -m avc -ts today | audit2allow -R >> gitweb.te;
make -f /usr/share/selinux/devel/Makefile;
semodule -i gitweb.pp

Whittle the code down a bit to :-

gitweb.te

policy_module(gitweb, 0.0.1)
apache_content_template(gitweb)

require {
	type httpd_sys_script_t;
}

#============= httpd_sys_script_t ==============
files_list_default(httpd_sys_script_t)
files_read_default_files(httpd_sys_script_t)

gitweb.fc

/var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)

From domg472 at gmail.com Sat Mar 21 09:55:55 2009 From: domg472 at gmail.com (Dominick Grift) Date: Sat, 21 Mar 2009 10:55:55 +0100 Subject: Newbie Q - gitweb policy In-Reply-To: <0580DCCB5EA0412E9A1B1E1B7BA18B54@HPLAPTOP> References: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP> <1237583595.15653.8.camel@notebook1.grift.internal> <0580DCCB5EA0412E9A1B1E1B7BA18B54@HPLAPTOP> Message-ID: <1237629355.15653.18.camel@notebook1.grift.internal>

On Sat, 2009-03-21 at 02:26 +0000, Aaron Gray wrote:
> > On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
> >> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
> >> on
> >> Apache. Runs fine in permissive mode not in enforcing.
> >>
>
> I had to use 'setenforce 0', remove the grep, and then whittle down the code
> a bit.
>
> mkdir gitweb-policy;
> cd gitweb-policy;
> echo "policy_module(gitweb, 0.0.1)" > gitweb.te
> echo "apache_content_template(gitweb)" >> gitweb.te
> echo "/var/www/git/gitweb.cgi --
> gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)" >gitweb.fc
>
> make -f /usr/share/selinux/devel/Makefile
> semodule -i gitweb.pp
> restorecon -R -v /var/www/git/gitweb.cgi
>
> setenforce 0;
>
> Do the http access !
>
> setenforce 1;
> ausearch -m avc -ts today | audit2allow -R >> gitweb.te;
> make -f /usr/share/selinux/devel/Makefile;
> semodule -i gitweb.pp
>
> Whittle the code down a bit to :-
>
> gitweb.te
>
> policy_module(gitweb, 0.0.1)
> apache_content_template(gitweb)
>
> require {
> 	type httpd_sys_script_t;
> }
>
> #============= httpd_sys_script_t ==============
> files_list_default(httpd_sys_script_t)
> files_read_default_files(httpd_sys_script_t)

Looks like something went wrong here. For starters, something is running
in the httpd_sys_script_t domain and not httpd_gitweb_script_t. Second,
you're giving httpd_sys_script_t access to read files with type default_t
(not recommended).

http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/

Here's my git policy:

policy_module(git_daemon, 0.0.1)

########################################
#
# Git daemon declarations
#

attribute git_daemon_user_content_type;
attribute git_daemon_system_content_type;

type git_daemon_t;
type git_daemon_exec_t;
inetd_service_domain(git_daemon_t, git_daemon_exec_t)
role system_r types git_daemon_t;
application_executable_file(git_daemon_exec_t)

type git_daemon_system_content_t, git_daemon_system_content_type;
typeattribute git_daemon_system_content_t git_daemon_system_content_type;
files_type(git_daemon_system_content_t)

## <desc>
##	<p>
##	Allow Git daemon to read home directories.
##	</p>
## </desc>
gen_tunable(git_daemon_enable_homedirs, false)

## <desc>
##	<p>
##	Allow Git daemon to access nfs file systems.
##	</p>
## </desc>
gen_tunable(git_daemon_use_nfs, false)

## <desc>
##	<p>
##	Allow Git daemon to access cifs file systems.
##	</p>
## </desc>
gen_tunable(git_daemon_use_cifs, false)

########################################
#
# Git daemon policy
#

allow git_daemon_t self:fifo_file rw_fifo_file_perms;
allow git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow git_daemon_t self:udp_socket { write read create connect getattr };
allow git_daemon_t self:unix_dgram_socket { write create connect };

list_dirs_pattern(git_daemon_t, git_daemon_system_content_type, git_daemon_system_content_type)
read_files_pattern(git_daemon_t, git_daemon_system_content_type, git_daemon_system_content_type)

corecmd_exec_bin(git_daemon_t)

corenet_all_recvfrom_unlabeled(git_daemon_t)
corenet_all_recvfrom_netlabel(git_daemon_t)

files_read_etc_files(git_daemon_t)
files_search_usr(git_daemon_t)

fs_search_auto_mountpoints(git_daemon_t)

kernel_read_system_state(git_daemon_t)

libs_use_ld_so(git_daemon_t)
libs_use_shared_libs(git_daemon_t)

logging_send_syslog_msg(git_daemon_t)

miscfiles_read_localization(git_daemon_t)
miscfiles_read_public_files(git_daemon_t)

sysnet_read_config(git_daemon_t)

optional_policy(`
	apache_content_template(gitweb)
	apache_search_sys_content(httpd_gitweb_script_t)
	files_getattr_tmp_dirs(httpd_gitweb_script_t)
	git_daemon_read_system_content(httpd_gitweb_script_t)
')

optional_policy(`
	nscd_read_pid(git_daemon_t)
')

tunable_policy(`git_daemon_enable_homedirs && use_nfs_home_dirs', `
	fs_list_nfs(git_daemon_t)
	fs_read_nfs_files(git_daemon_t)
')

tunable_policy(`git_daemon_use_nfs', `
	fs_list_nfs(git_daemon_t)
	fs_read_nfs_files(git_daemon_t)
')

tunable_policy(`git_daemon_enable_homedirs && use_samba_home_dirs', `
	fs_list_cifs(git_daemon_t)
	fs_read_cifs_files(git_daemon_t)
')

tunable_policy(`git_daemon_use_cifs', `
	fs_list_cifs(git_daemon_t)
	fs_read_cifs_files(git_daemon_t)
')

tunable_policy(`git_daemon_enable_homedirs', `
	list_dirs_pattern(git_daemon_t, git_daemon_user_content_type, git_daemon_user_content_type)
	read_files_pattern(git_daemon_t, git_daemon_user_content_type,
		git_daemon_user_content_type)
	userdom_search_all_users_home_dirs(git_daemon_t)
')

#EOF

## <summary>SELinux policy for Git daemon.</summary>
## <desc>
##	<p>
##	Git daemon is a really simple server for Git
##	repositories.
##	</p>
## </desc>

#######################################
## <summary>
##	The per role template for the Git daemon module.
## </summary>
## <desc>
##	<p>
##	This template creates derived domains which are used
##	for Git daemon.
##	</p>
##	<p>
##	This template is invoked automatically for each user, and
##	generally does not need to be invoked directly
##	by policy writers.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
#
template(`git_daemon_per_role_template', `
	gen_require(`
		type git_daemon_exec_t;
		attribute git_daemon_user_content_type;
	')

	########################################
	#
	# Git daemon public declarations.
	#

	type $1_git_daemon_t;
	application_domain($1_git_daemon_t, git_daemon_exec_t)
	role $3 types $1_git_daemon_t;

	type $1_git_daemon_home_t, git_daemon_user_content_type;
	userdom_user_home_content($1, $1_git_daemon_home_t)
	typeattribute $1_git_daemon_home_t git_daemon_user_content_type;

	########################################
	#
	# Git daemon public policy.
	#

	allow $1_git_daemon_t self:fifo_file rw_fifo_file_perms;
	allow $1_git_daemon_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
	allow $1_git_daemon_t self:tcp_socket { bind read write accept create setopt listen };
	allow $1_git_daemon_t self:udp_socket { create connect write read getattr };

	allow $1_git_daemon_t $2:process sigchld;
	allow $2 $1_git_daemon_t:process { ptrace signal_perms };

	git_daemon_read_user_content($1, $1_git_daemon_t)

	manage_dirs_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)
	manage_files_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)
	exec_files_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)

	userdom_search_user_home_dirs($1, $1_git_daemon_t)
	userdom_user_home_dir_filetrans($1, $1_git_daemon_t, $1_git_daemon_home_t, { dir file })

	relabel_dirs_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)
	relabel_files_pattern($2, git_daemon_user_content_type, git_daemon_user_content_type)

	domain_auto_trans($2, git_daemon_exec_t, $1_git_daemon_t)
	ps_process_pattern($2, $1_git_daemon_t)

	corecmd_exec_bin($1_git_daemon_t)

	corenet_all_recvfrom_unlabeled($1_git_daemon_t)
	corenet_all_recvfrom_netlabel($1_git_daemon_t)
	corenet_tcp_sendrecv_all_if($1_git_daemon_t)
	corenet_tcp_sendrecv_all_nodes($1_git_daemon_t)
	corenet_tcp_bind_all_nodes($1_git_daemon_t)
	corenet_tcp_bind_git_daemon_port($1_git_daemon_t)

	files_read_etc_files($1_git_daemon_t)
	files_search_home($1_git_daemon_t)
	files_search_usr($1_git_daemon_t)

	fs_search_auto_mountpoints($1_git_daemon_t)

	kernel_read_system_state($1_git_daemon_t)

	libs_use_ld_so($1_git_daemon_t)
	libs_use_shared_libs($1_git_daemon_t)

	logging_send_syslog_msg($1_git_daemon_t)

	miscfiles_read_localization($1_git_daemon_t)

	sysnet_read_config($1_git_daemon_t)

	userdom_use_user_terminals($1, $1_git_daemon_t)

	tunable_policy(`use_nfs_home_dirs', `
		fs_list_nfs($1_git_daemon_t)
		fs_read_nfs_files($1_git_daemon_t)
	')

	tunable_policy(`use_samba_home_dirs', `
		fs_list_cifs($1_git_daemon_t)
		fs_read_cifs_files($1_git_daemon_t)
	')

	optional_policy(`
		nscd_read_pid($1_git_daemon_t)
	')

	optional_policy(`
		nis_use_ypbind($1_git_daemon_t)
	')
')

########################################
## <summary>
##	Allow the specified domain to read
##	Git daemon system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_read_system_content', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	list_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
	read_files_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

########################################
## <summary>
##	Allow the specified domain to manage
##	Git daemon system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_manage_system_content', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	manage_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
	manage_files_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

########################################
## <summary>
##	Allow the specified domain to execute
##	Git daemon system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_execute_system_content_files', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	exec_files_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

########################################
## <summary>
##	Allow the specified domain to read
##	Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_daemon_read_user_content', `
	gen_require(`
		attribute git_daemon_user_content_type;
	')

	allow $2 git_daemon_user_content_type:dir list_dir_perms;
	allow $2 git_daemon_user_content_type:file read_file_perms;
	userdom_search_user_home_dirs($1, $2)
')

########################################
## <summary>
##	Allow the specified domain to manage
##	Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_daemon_manage_user_content', `
	gen_require(`
		attribute git_daemon_user_content_type;
	')

	allow $2 git_daemon_user_content_type:dir manage_dir_perms;
	allow $2 git_daemon_user_content_type:file manage_file_perms;
	userdom_user_home_dir_filetrans($1, $2, git_daemon_user_content_type, { dir file })
	userdom_search_user_home_dirs($1, $2)
')

########################################
## <summary>
##	Allow the specified domain to relabel
##	Git daemon personal repositories.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`git_daemon_relabel_user_content', `
	gen_require(`
		attribute git_daemon_user_content_type;
	')

	allow $2 git_daemon_user_content_type:dir relabel_dir_perms;
	allow $2 git_daemon_user_content_type:file relabel_file_perms;
	userdom_search_user_home_dirs($1, $2)
')

########################################
## <summary>
##	Allow the specified domain to manage
##	all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_manage_all_content', `
	git_daemon_manage_user_content($1, $2)
	git_daemon_manage_system_content($2)
')

########################################
## <summary>
##	Allow the specified domain to read
##	all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_read_all_content', `
	git_daemon_read_user_content($1, $2)
	git_daemon_read_system_content($2)
')

########################################
## <summary>
##	Allow the specified domain to relabel
##	all Git daemon content.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_relabel_all_content', `
	git_daemon_relabel_user_content($1, $2)
	git_daemon_relabel_system_content($2)
')

########################################
## <summary>
##	Allow the specified domain to list
##	Git daemon system content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_list_system_content_dirs', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	list_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

########################################
## <summary>
##	Allow the specified domain to search
##	Git daemon system content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_search_system_content_dirs', `
	gen_require(`
		attribute git_daemon_system_content_type;
	')

	files_search_var($1)
	search_dirs_pattern($1, git_daemon_system_content_type, git_daemon_system_content_type)
')

#######################################
## <summary>
##	The template for creating a Git user domain.
## </summary>
## <desc>
##	<p>
##	This template creates a user domain, types, and
##	rules for the user's pty.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`git_daemon_git_user_template',`
	gen_require(`
		attribute unpriv_userdomain, userdomain;
		class context contains;
	')

	##############################
	#
	# Git user public declarations.
	#

	attribute $1_file_type;
	attribute $1_usertype;

	type $1_t, userdomain, $1_usertype;
	domain_type($1_t)
	corecmd_shell_entry_type($1_t)
	corecmd_bin_entry_type($1_t)
	domain_user_exemption_target($1_t)
	role $1_r types $1_t;
	allow system_r $1_r;
	typeattribute $1_t unpriv_userdomain;
	domain_interactive_fd($1_t)

	##############################
	#
	# Git user public policy.
	#

	allow $1_usertype self:context contains;
	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;

	corecmd_exec_bin($1_usertype)

	kernel_read_system_state($1_usertype)

	files_read_etc_files($1_usertype)
	files_search_home($1_usertype)

	git_daemon_manage_system_content($1_usertype)
	git_daemon_execute_system_content_files($1_usertype)

	libs_use_ld_so($1_usertype)
	libs_use_shared_libs($1_usertype)

	miscfiles_read_localization($1_usertype)

	ssh_rw_stream_sockets($1_usertype)

	optional_policy(`
		nscd_read_pid($1_usertype)
	')
')

########################################
## <summary>
##	All of the rules required to administrate an
##	Git daemon environment
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix of the domain. Example, user would be
##	the prefix for the user_t domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the Git daemon domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`git_daemon_admin', `
	gen_require(`
		type git_daemon_t, git_daemon_exec_t, httpd_gitweb_script_exec_t;
	')

	allow $1 git_daemon_t:process { getattr ptrace signal_perms };

	git_daemon_manage_all_content($1, $2)
	git_daemon_relabel_all_content($1, $2)

	miscfiles_manage_public_files($1)

	kernel_search_proc($1)
	allow $1 git_daemon_t:dir list_dir_perms;
	read_files_pattern($1, git_daemon_t, git_daemon_t)
	read_lnk_files_pattern($1, git_daemon_t, git_daemon_t)

	manage_files_pattern($1, httpd_gitweb_script_exec_t, httpd_gitweb_script_exec_t)
	manage_files_pattern($1, git_daemon_exec_t, git_daemon_exec_t)

	seutil_domtrans_setfiles($1)
')

#EOF

########################################
#
# Git daemon contexts
#

HOME_DIR/public_git(/.*)?	gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)
HOME_DIR/\.gitconfig	--	gen_context(system_u:object_r:ROLE_git_daemon_home_t, s0)

/srv/git(/.*)?	gen_context(system_u:object_r:git_daemon_system_content_t, s0)

/usr/bin/git-daemon	--	gen_context(system_u:object_r:git_daemon_exec_t, s0)

/var/www/git/gitweb\.cgi	--	gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)

#EOF

But it won't work unless it's modified or integrated properly. Also it
might need some polishing.

> gitweb.fc
> /var/www/git/gitweb.cgi -- gen_context(system_u:object_r:httpd_gitweb_script_exec_t, s0)
>

From domg472 at gmail.com  Sat Mar 21 11:15:19 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Sat, 21 Mar 2009 12:15:19 +0100
Subject: Newbie Q
In-Reply-To:
References: <93342487F62D4248BE1B81837BCB8F78@HPLAPTOP>
	<1237583595.15653.8.camel@notebook1.grift.internal>
Message-ID: <1237634120.19699.4.camel@notebook1.grift.internal>

On Fri, 2009-03-20 at 23:12 +0000, Aaron Gray wrote:
> > On Fri, 2009-03-20 at 20:14 +0000, Aaron Gray wrote:
> >> I am trying to audit2allow on F10 to allow a cgi-bin perl script to run
> >> on Apache. Runs fine in permissive mode not in enforcing.
> >>
> >> I bought the O'Reilly SE Linux book and learned the basics but it does
> >> not really seem to help me on Fedora.
> >>
> >> There was no /var/log/kernel so I tried /var/log/secure with the
> >> following command sequence
> >>
> >> setenforce 0
> >>
> >> # access the cgi from the web
> >>
> >> setenforce 1
> >>
> >> audit2allow -l -i /var/log/secure
> >>
> >> What is strange also is the system is not flagging things up as a
> >> notification icon anymore in enforcing mode.
> >>
> >> If someone could guide me or push me in the right direction I would be
> >> most thankful.
> > auditd logs to /var/log/audit/audit.log
> >
> > To use cgi you must set the boolean httpd_enable_cgi.
>
> Great GIT on Apache running now !:) Thanks
>
> But not accessing the repositories, looks like a script is needed.
>
> > Then either label the cgi type httpd_sys_script_exec_t or create a
> > custom domain for your script:
> >
> > mkdir myscript; cd myscript;
> > echo "policy_module(myscript, 0.0.1)" > myscript.te
> > echo "apache_content_template(myscript)" >> myscript.te
> > echo "/var/www/cgi-bin/myscript.pl -- gen_context(system_u:object_r:httpd_myscript_script_exec_t, s0)" > myscript.fc
> >
> > make -f /usr/share/selinux/devel/Makefile
> > semodule -i myscript.pp
> > restorecon -R -v /var/www/cgi-bin/myscript.pl
>
> This is interesting. Command line, thanks, interesting. I will have to learn
> this stuff on the command line to understand it properly.
>
> > This is just a base module; you will likely need to extend it. You can do
> > so by making the httpd_myscript_script_t permissive and then extend
> > your source policy with any rules required from audit.log/audit2why
> >
> > semanage permissive -a httpd_myscript_script_t
>
> Nice :)
>
> > ausearch -m avc -ts today | grep httpd_myscript_script_t | audit2allow
> > -R >> myscript.te; make -f /usr/share/selinux/devel/Makefile; semodule
> > -i myscript.pp
>
> This might just do the job !
>
> > semanage permissive -d httpd_myscript_script_t
> >
> > (to remove the permissive domain)
>
> Is there any reason not to be using setenforce 0/1, on a machine behind a
> firewall.

What makes you think that the security threat only comes from the network?
There might be a rogue program local to the system, and if you setenforce 0,
you allow everything. Not what I would want. By using semanage permissive -a
you only allow a specific domain to run in permissive mode. This minimizes
the risks and it conforms to the SELinux least privilege philosophy.

> I will try this. Looks like there's a need of a good howto that shows how
> simple these things can be.
>
> Many thanks Dominick
>
> Aaron
>

From al_bin at vp.pl  Mon Mar 23 20:57:05 2009
From: al_bin at vp.pl (Albert Bartoszko)
Date: Mon, 23 Mar 2009 21:57:05 +0100
Subject: F10 and synce selinux troubles.
Message-ID: <1237841825.23298.70.camel@localhost.localdomain>

Hi all!

It's my first post. I recently tried to connect a Palm to a computer
running F10 using synce-hal. I got several selinux alerts. All files have
the default context; pppd works fine from the command line.

SELinux is preventing pppd (hald_t) "read" ./options (pppd_etc_rw_t).
Additional Information:

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:pppd_etc_rw_t
Target Objects                ./options [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port
Host                          localhost.localdomain
Source RPM Packages           ppp-2.4.4-8.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 20 19:13:17 2009
Last Seen                     Fri Mar 20 20:17:07 2009
Local ID                      746a1a3e-6177-42e3-9a45-44beb2856c56
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576627.818:385): avc: denied { read } for pid=11770 comm="pppd" name="options" dev=dm-0 ino=360195 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_etc_rw_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1237576627.818:385): arch=40000003 syscall=5 success=yes exit=4 a0=a10303 a1=0 a2=1b6 a3=0 items=0 ppid=11756 pid=11770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:hald_t:s0 key=(null)

SELinux is preventing pppd (hald_t) "getattr" /etc/ppp/options (pppd_etc_rw_t).
Additional Information:

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:pppd_etc_rw_t
Target Objects                /etc/ppp/options [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port
Host                          localhost.localdomain
Source RPM Packages           ppp-2.4.4-8.fc10
Target RPM Packages           ppp-2.4.4-8.fc10
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 20 19:13:17 2009
Last Seen                     Fri Mar 20 20:17:07 2009
Local ID                      c291b3a2-1c71-4baf-a2c5-f854f049f31a
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576627.818:386): avc: denied { getattr } for pid=11770 comm="pppd" path="/etc/ppp/options" dev=dm-0 ino=360195 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_etc_rw_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1237576627.818:386): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfa6ee14 a2=40eff4 a3=e0e080 items=0 ppid=11756 pid=11770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:hald_t:s0 key=(null)

SELinux is preventing pppd (hald_t) "read write" ./pppd2.tdb (pppd_var_run_t).
Additional Information:

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:pppd_var_run_t
Target Objects                ./pppd2.tdb [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port
Host                          localhost.localdomain
Source RPM Packages           ppp-2.4.4-8.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 20 19:13:17 2009
Last Seen                     Fri Mar 20 20:17:07 2009
Local ID                      1bef60ad-3bca-46eb-bb03-64983c6e80e0
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576627.878:387): avc: denied { read write } for pid=11770 comm="pppd" name="pppd2.tdb" dev=dm-0 ino=5272278 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1237576627.878:387): arch=40000003 syscall=5 success=yes exit=7 a0=a10333 a1=42 a2=1a4 a3=0 items=0 ppid=11756 pid=11770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:hald_t:s0 key=(null)

SELinux is preventing pppd (hald_t) "getattr" /var/run/pppd2.tdb (pppd_var_run_t).
Additional Information:

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:pppd_var_run_t
Target Objects                /var/run/pppd2.tdb [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port
Host                          localhost.localdomain
Source RPM Packages           ppp-2.4.4-8.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 20 19:13:17 2009
Last Seen                     Fri Mar 20 20:17:07 2009
Local ID                      07544813-1176-427b-ab4a-dded6daaf56e
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576627.878:388): avc: denied { getattr } for pid=11770 comm="pppd" path="/var/run/pppd2.tdb" dev=dm-0 ino=5272278 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1237576627.878:388): arch=40000003 syscall=197 success=yes exit=0 a0=7 a1=bfa6f674 a2=40eff4 a3=e10f98 items=0 ppid=11756 pid=11770 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:hald_t:s0 key=(null)

SELinux is preventing pppd (hald_t) "create" ./LCK..ttyUSB0 (var_lock_t).
Additional Information:

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:var_lock_t
Target Objects                ./LCK..ttyUSB0 [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port
Host                          localhost.localdomain
Source RPM Packages           ppp-2.4.4-8.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 20 19:13:17 2009
Last Seen                     Fri Mar 20 20:17:07 2009
Local ID                      e59e15b8-a651-430a-9581-79bd1e36e4f7
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576627.879:389): avc: denied { create } for pid=11771 comm="pppd" name="LCK..ttyUSB0" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

node=localhost.localdomain type=AVC msg=audit(1237576627.879:389): avc: denied { read write } for pid=11771 comm="pppd" name="LCK..ttyUSB0" dev=dm-0 ino=5265361 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1237576627.879:389): arch=40000003 syscall=5 success=yes exit=8 a0=a27520 a1=c2 a2=1a4 a3=bfa6e6ec items=0 ppid=1 pid=11771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:hald_t:s0 key=(null)

SELinux is preventing hal-dccm (hald_dccm_t) "getattr" hald_dccm_t.
Additional Information:

Source Context                system_u:system_r:hald_dccm_t
Target Context                system_u:system_r:hald_dccm_t
Target Objects                pipe [ fifo_file ]
Source                        hal-dccm
Source Path                   /usr/libexec/hal-dccm
Port
Host                          localhost.localdomain
Source RPM Packages           synce-hal-0.1-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 20 19:13:17 2009
Last Seen                     Fri Mar 20 20:17:07 2009
Local ID                      03e073b1-7c9a-41d6-9eea-c736309b5f8f
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576627.903:390): avc: denied { getattr } for pid=11756 comm="hal-dccm" path="pipe:[209228]" dev=pipefs ino=209228 scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:system_r:hald_dccm_t:s0 tclass=fifo_file

node=localhost.localdomain type=SYSCALL msg=audit(1237576627.903:390): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfcb2aac a2=6aeff4 a3=5 items=0 ppid=2129 pid=11756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-dccm" exe="/usr/libexec/hal-dccm" subj=system_u:system_r:hald_dccm_t:s0 key=(null)

SELinux is preventing hal-dccm (hald_dccm_t) "create" hald_dccm_t.
Additional Information:

Source Context                system_u:system_r:hald_dccm_t
Target Context                system_u:system_r:hald_dccm_t
Target Objects                None [ unix_dgram_socket ]
Source                        hal-dccm
Source Path                   /usr/libexec/hal-dccm
Port
Host                          localhost.localdomain
Source RPM Packages           synce-hal-0.1-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 20 19:13:17 2009
Last Seen                     Fri Mar 20 20:17:07 2009
Local ID                      c1f75682-ab61-46ea-85f2-3e081eedfc01
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576627.903:391): avc: denied { create } for pid=11756 comm="hal-dccm" scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:system_r:hald_dccm_t:s0 tclass=unix_dgram_socket

node=localhost.localdomain type=SYSCALL msg=audit(1237576627.903:391): arch=40000003 syscall=102 success=yes exit=0 a0=1 a1=bfcb2540 a2=6aeff4 a3=6b23cc items=0 ppid=2129 pid=11756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-dccm" exe="/usr/libexec/hal-dccm" subj=system_u:system_r:hald_dccm_t:s0 key=(null)

SELinux is preventing hal-dccm (hald_dccm_t) "connect" hald_dccm_t.
Additional Information:

Source Context                system_u:system_r:hald_dccm_t
Target Context                system_u:system_r:hald_dccm_t
Target Objects                None [ unix_dgram_socket ]
Source                        hal-dccm
Source Path                   /usr/libexec/hal-dccm
Port
Host                          localhost.localdomain
Source RPM Packages           synce-hal-0.1-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 20 19:13:17 2009
Last Seen                     Fri Mar 20 20:17:07 2009
Local ID                      b2c25766-1a6d-4453-a81b-9a895be0a06b
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576627.903:392): avc: denied { connect } for pid=11756 comm="hal-dccm" scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:system_r:hald_dccm_t:s0 tclass=unix_dgram_socket

node=localhost.localdomain type=AVC msg=audit(1237576627.903:392): avc: denied { write } for pid=11756 comm="hal-dccm" name="log" dev=tmpfs ino=7412 scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file

node=localhost.localdomain type=AVC msg=audit(1237576627.903:392): avc: denied { sendto } for pid=11756 comm="hal-dccm" path="/dev/log" scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket

node=localhost.localdomain type=SYSCALL msg=audit(1237576627.903:392): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfcb2540 a2=6aeff4 a3=0 items=0 ppid=2129 pid=11756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-dccm" exe="/usr/libexec/hal-dccm" subj=system_u:system_r:hald_dccm_t:s0 key=(null)

SELinux is preventing hal-dccm (hald_dccm_t) "search" ./dbus (system_dbusd_var_run_t).
Additional Information:

Source Context                system_u:system_r:hald_dccm_t
Target Context                system_u:object_r:system_dbusd_var_run_t
Target Objects                ./dbus [ dir ]
Source                        hal-dccm
Source Path                   /usr/libexec/hal-dccm
Port
Host                          localhost.localdomain
Source RPM Packages           synce-hal-0.1-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 20 19:13:17 2009
Last Seen                     Fri Mar 20 20:17:07 2009
Local ID                      418b2252-1561-4209-ba8d-8ed9f4917c7b
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576627.907:393): avc: denied { search } for pid=11756 comm="hal-dccm" name="dbus" dev=dm-0 ino=5265901 scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir

node=localhost.localdomain type=AVC msg=audit(1237576627.907:393): avc: denied { write } for pid=11756 comm="hal-dccm" name="system_bus_socket" dev=dm-0 ino=5265775 scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file

node=localhost.localdomain type=AVC msg=audit(1237576627.907:393): avc: denied { connectto } for pid=11756 comm="hal-dccm" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=localhost.localdomain type=SYSCALL msg=audit(1237576627.907:393): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfcb28a0 a2=87bff4 a3=1f items=0 ppid=2129 pid=11756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-dccm" exe="/usr/libexec/hal-dccm" subj=system_u:system_r:hald_dccm_t:s0 key=(null)

SELinux is preventing pppd (hald_t) "read" ./pap-secrets (pppd_secret_t).

Additional Information:

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:pppd_secret_t
Target Objects                ./pap-secrets [ file ]
Source                        pppd
Source Path                   /usr/sbin/pppd
Port
Host                          localhost.localdomain
Source RPM Packages           ppp-2.4.4-8.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   1
First Seen                    Fri Mar 20 20:17:08 2009
Last Seen                     Fri Mar 20 20:17:08 2009
Local ID                      8790ca12-4cd3-468f-917b-b29956652895
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576628.453:394): avc: denied { read } for pid=11771 comm="pppd" name="pap-secrets" dev=dm-0 ino=360200 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_secret_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1237576628.453:394): arch=40000003 syscall=5 success=yes exit=11 a0=a135e5 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=11771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyUSB0 ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:hald_t:s0 key=(null)

SELinux is preventing pppd (hald_t) "getattr" /etc/ppp/pap-secrets (pppd_secret_t).
Additional Information: Source Context system_u:system_r:hald_t Target Context system_u:object_r:pppd_secret_t Target Objects /etc/ppp/pap-secrets [ file ] Source pppd Source Path /usr/sbin/pppd Port Host localhost.localdomain Source RPM Packages ppp-2.4.4-8.fc10 Target RPM Packages ppp-2.4.4-8.fc10 Policy RPM selinux-policy-3.5.13-48.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686 Alert Count 1 First Seen Fri Mar 20 20:17:08 2009 Last Seen Fri Mar 20 20:17:08 2009 Local ID a4d794e1-18d5-41fd-a755-2f68eb4aefc4 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1237576628.453:395): avc: denied { getattr } for pid=11771 comm="pppd" path="/etc/ppp/pap-secrets" dev=dm-0 ino=360200 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_secret_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1237576628.453:395): arch=40000003 syscall=197 success=yes exit=0 a0=b a1=bfa6f1c4 a2=40eff4 a3=a135e5 items=0 ppid=1 pid=11771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyUSB0 ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:hald_t:s0 key=(null) SELinux is preventing pppd (hald_t) "getattr" /etc/ppp/ip-up (pppd_initrc_exec_t). 
Additional Information: Source Context system_u:system_r:hald_t Target Context system_u:object_r:pppd_initrc_exec_t Target Objects /etc/ppp/ip-up [ file ] Source pppd Source Path /usr/sbin/pppd Port Host localhost.localdomain Source RPM Packages ppp-2.4.4-8.fc10 Target RPM Packages initscripts-8.86-1 Policy RPM selinux-policy-3.5.13-48.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686 Alert Count 2 First Seen Fri Mar 20 19:13:18 2009 Last Seen Fri Mar 20 20:17:08 2009 Local ID 231cc7e5-6eb3-4cb8-8f3c-f901c9e464b8 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1237576628.498:396): avc: denied { getattr } for pid=11771 comm="pppd" path="/etc/ppp/ip-up" dev=dm-0 ino=361994 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_initrc_exec_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1237576628.498:396): arch=40000003 syscall=195 success=yes exit=0 a0=a12036 a1=bfa6f584 a2=40eff4 a3=bfa6f6d8 items=0 ppid=1 pid=11771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyUSB0 ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:hald_t:s0 key=(null) SELinux is preventing ip-up (hald_t) "execute" ./ip-up (pppd_initrc_exec_t). 
Additional Information: Source Context system_u:system_r:hald_t Target Context system_u:object_r:pppd_initrc_exec_t Target Objects ./ip-up [ file ] Source ip-up Source Path /bin/bash Port Host localhost.localdomain Source RPM Packages bash-3.2-30.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-48.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686 Alert Count 2 First Seen Fri Mar 20 19:13:18 2009 Last Seen Fri Mar 20 20:17:08 2009 Local ID 9c0bf4d7-e98d-46b5-8e98-b727169803af Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1237576628.498:397): avc: denied { execute } for pid=11784 comm="pppd" name="ip-up" dev=dm-0 ino=361994 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_initrc_exec_t:s0 tclass=file node=localhost.localdomain type=AVC msg=audit(1237576628.498:397): avc: denied { read } for pid=11784 comm="pppd" name="ip-up" dev=dm-0 ino=361994 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_initrc_exec_t:s0 tclass=file node=localhost.localdomain type=AVC msg=audit(1237576628.498:397): avc: denied { execute_no_trans } for pid=11784 comm="pppd" path="/etc/ppp/ip-up" dev=dm-0 ino=361994 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_initrc_exec_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1237576628.498:397): arch=40000003 syscall=11 success=yes exit=0 a0=a12036 a1=bfa6f6b8 a2=e0e018 a3=0 items=0 ppid=11771 pid=11784 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip-up" exe="/bin/bash" subj=system_u:system_r:hald_t:s0 key=(null) SELinux is preventing ip-up (hald_t) "ioctl" /etc/ppp/ip-up (pppd_initrc_exec_t). 
Additional Information: Source Context system_u:system_r:hald_t Target Context system_u:object_r:pppd_initrc_exec_t Target Objects /etc/ppp/ip-up [ file ] Source ip-up Source Path /bin/bash Port Host localhost.localdomain Source RPM Packages bash-3.2-30.fc10 Target RPM Packages initscripts-8.86-1 Policy RPM selinux-policy-3.5.13-48.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686 Alert Count 2 First Seen Fri Mar 20 19:13:18 2009 Last Seen Fri Mar 20 20:17:08 2009 Local ID 0ec7c0de-0086-4c13-b618-bf4858af6f41 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1237576628.500:398): avc: denied { ioctl } for pid=11784 comm="ip-up" path="/etc/ppp/ip-up" dev=dm-0 ino=361994 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_initrc_exec_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1237576628.500:398): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bf832bd8 a3=bf832c18 items=0 ppid=11771 pid=11784 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip-up" exe="/bin/bash" subj=system_u:system_r:hald_t:s0 key=(null) SELinux is preventing hal-dccm (hald_dccm_t) "write" hald_dccm_t. 
Additional Information:

Source Context                system_u:system_r:hald_dccm_t
Target Context                system_u:system_r:hald_dccm_t
Target Objects                None [ unix_dgram_socket ]
Source                        hal-dccm
Source Path                   /usr/libexec/hal-dccm
Port
Host                          localhost.localdomain
Source RPM Packages           synce-hal-0.1-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-48.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count                   3
First Seen                    Fri Mar 20 19:13:18 2009
Last Seen                     Fri Mar 20 20:17:08 2009
Local ID                      bc1a16c5-af3f-42c0-9563-62a8cdf9eb69
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1237576628.514:405): avc: denied { write } for pid=11756 comm="hal-dccm" scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:system_r:hald_dccm_t:s0 tclass=unix_dgram_socket

node=localhost.localdomain type=SYSCALL msg=audit(1237576628.514:405): arch=40000003 syscall=102 success=yes exit=86 a0=9 a1=bfcb23f4 a2=6aeff4 a3=14 items=0 ppid=2129 pid=11756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-dccm" exe="/usr/libexec/hal-dccm" subj=system_u:system_r:hald_dccm_t:s0 key=(null)

Albert

From peljasz at yahoo.co.uk Tue Mar 24 21:38:53 2009
From: peljasz at yahoo.co.uk (lejeczek)
Date: Tue, 24 Mar 2009 21:38:53 +0000
Subject: setroubleshoot server listens out on inet
Message-ID: <49C952ED.9020607@yahoo.co.uk>

dear all,
that really baffles me, I don't seem to be able to set it up :)
and that port by default in conf file??
setroubleshoot server should be able to listen on network so remote sealert could connect to it, right?
on my boxes (f9;f10) it does even look like binding to a port
please advise
cheers
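An added example, not code from any poster in this thread: a small Python triage script for the raw audit messages quoted in the sealert reports above. It groups records by audit event, joins each AVC with its SYSCALL record, collapses the identical AVC lines sealert repeats, and flags denials raised during execve (syscall 11 on arch=40000003, i386), which concern a descriptor inherited from the parent process rather than anything the started program did itself. The sample records are condensed from lines quoted in this thread; the field names are the standard audit fields.

```python
"""Triage raw SELinux audit records like the ones pasted in this thread:
group by event id, join each AVC to its SYSCALL record, collapse the
identical AVC lines sealert repeats, and flag denials raised during execve
(those concern descriptors inherited from the caller, not the new program)."""
import re

# Constructed sample input, condensed from records quoted in this thread:
# dhclient inheriting an unconfined_t socket at execve, and pppd (running
# in hald_t) reading pap-secrets through a plain open().
SAMPLE_AUDIT_LOG = """
node=riohigh type=AVC msg=audit(1237934156.758:26): avc: denied { read write } for pid=3372 comm="dhclient" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1237934156.758:26): avc: denied { read write } for pid=3372 comm="dhclient" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1237934156.758:26): arch=40000003 syscall=11 success=yes exit=0 a0=921ff38 a1=9207390 a2=9203bc0 a3=9207390 items=0 ppid=3332 pid=3372 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
node=localhost.localdomain type=AVC msg=audit(1237576628.453:394): avc: denied { read } for pid=11771 comm="pppd" name="pap-secrets" dev=dm-0 ino=360200 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:pppd_secret_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1237576628.453:394): arch=40000003 syscall=5 success=yes exit=11 a0=a135e5 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=11771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyUSB0 ses=4294967295 comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:hald_t:s0 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
I386_EXECVE = ("40000003", "11")  # arch=40000003 is i386, where syscall 11 is execve


def parse_record(line):
    """One audit record -> dict of key=value fields (quotes stripped), plus
    "event" (ts:serial) and, for AVC records, "result" and the "perms" tuple."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    if m:
        rec["event"] = f"{m.group(1)}:{m.group(2)}"
    m = PERMS_RE.search(line)
    if m:
        rec["result"] = m.group(1)
        rec["perms"] = tuple(m.group(2).split())
    return rec


def type_of(context):
    """user:role:type[:range] -> type, e.g. ...:dhcpc_t:s0-s0:c0.c1023 -> dhcpc_t."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def group_events(log_text):
    """Map event id -> {"avc": [AVC records], "syscall": SYSCALL record or None}."""
    events = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith(("node=", "type=")):
            continue
        rec = parse_record(line)
        if "event" not in rec:
            continue
        ev = events.setdefault(rec["event"], {"avc": [], "syscall": None})
        if rec.get("type") == "AVC":
            ev["avc"].append(rec)
        elif rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
    return events


def is_inherited_descriptor(avc, syscall):
    """True when the AVC fired while execve re-checked an already open
    descriptor (a socket or pipe) against the domain being entered."""
    if (syscall.get("arch"), syscall.get("syscall")) != I386_EXECVE:
        return False
    path = avc.get("path", "")
    return avc["tclass"].endswith("socket") or path.startswith(("socket:[", "pipe:["))


def summarize(log_text):
    """One finding per distinct (event, source type, target type, class, perms)."""
    findings = []
    for event_id, ev in group_events(log_text).items():
        sc = ev["syscall"] or {}
        seen = {}  # collapse the identical repeated AVC lines of one event
        for avc in ev["avc"]:
            key = (type_of(avc["scontext"]), type_of(avc["tcontext"]),
                   avc["tclass"], avc["perms"])
            seen.setdefault(key, {"count": 0, "avc": avc})["count"] += 1
        for (src, tgt, tclass, perms), entry in seen.items():
            findings.append({
                "event": event_id, "comm": entry["avc"].get("comm"),
                "source": src, "target": tgt, "tclass": tclass, "perms": perms,
                "repeats": entry["count"],
                "syscall_succeeded": sc.get("success") == "yes",
                "inherited_fd_at_execve": is_inherited_descriptor(entry["avc"], sc),
            })
    return findings


if __name__ == "__main__":
    for f in summarize(SAMPLE_AUDIT_LOG):
        tag = "inherited fd at execve" if f["inherited_fd_at_execve"] else "direct access"
        print(f'{f["comm"]} ({f["source"]}) {" ".join(f["perms"])} '
              f'{f["target"]}:{f["tclass"]} x{f["repeats"]} [{tag}]')
```

Feed it the output of ausearch -m AVC,SYSCALL on a real host to get the same grouping over the whole audit log.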
From jdennis at redhat.com Tue Mar 24 21:48:32 2009
From: jdennis at redhat.com (John Dennis)
Date: Tue, 24 Mar 2009 17:48:32 -0400
Subject: setroubleshoot server listens out on inet
In-Reply-To: <49C952ED.9020607@yahoo.co.uk>
References: <49C952ED.9020607@yahoo.co.uk>
Message-ID: <49C95530.9090904@redhat.com>

lejeczek wrote:
> dear all,
> that really baffles me, I don't seem to be able to set it up :)
> and that port by default in conf file??
> setroubleshoot server should be able to listen on network so remote
> sealert could connect to it, right?
> on my boxes(f9;f10) it does even look like binding to a port
> please advise
> cheers
>

By default the connection between the server and client is local and is implemented with a unix domain socket, not inet. This default is chosen for security reasons, with the consequence that the client (sealert) can only connect to the server (setroubleshootd) if they are running on the same host. However, it is possible to configure setroubleshootd to accept inet connections (see the comments in /etc/setroubleshoot/setroubleshoot.cfg) so that a remote sealert can connect to it. Be aware there is no authentication in this configuration, and as such you must be comfortable with anyone being able to access your selinux denial information.

For sealert to connect via inet to a remote host use the "connect to" menu item in the "File" menu (going from memory, the name might be slightly different). In the default local case you should not need to do anything special; the default configuration should just work.

--
John Dennis
From domg472 at gmail.com Tue Mar 24 22:14:00 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 24 Mar 2009 23:14:00 +0100
Subject: setroubleshoot server listens out on inet
In-Reply-To: <49C952ED.9020607@yahoo.co.uk>
References: <49C952ED.9020607@yahoo.co.uk>
Message-ID: <1237932841.7435.5.camel@notebook1.grift.internal>

On Tue, 2009-03-24 at 21:38 +0000, lejeczek wrote:
> dear all,
> that really baffles me, I don't seem to be able to set it up :)
> and that port by default in conf file??
> setroubleshoot server should be able to listen on network so remote
> sealert could connect to it, right?
> on my boxes(f9;f10) it does even look like binding to a port
> please advise
> cheers

This might not be what you are looking for, but I would just like to mention that prelude and the audisp plug-in do a great job of relaying avc denials, amongst other things, securely on the network to a central manager:
http://people.redhat.com/sgrubb/audit/prelude.txt

> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From olivares14031 at yahoo.com Tue Mar 24 23:34:00 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Tue, 24 Mar 2009 16:34:00 -0700 (PDT)
Subject: dhcpd_write and .kde4 revisited + crontab trouble, ntp too
Message-ID: <662441.74307.qm@web52609.mail.re2.yahoo.com>

Summary:

SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source dhclient Source Path /sbin/dhclient Port Host riohigh Source RPM Packages dhclient-4.1.0-11.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.258.rc8.git2.fc11.i586 #1 SMP Mon Mar 16 20:53:59 EDT 2009 i686 athlon Alert Count 22 First Seen Fri 06 Mar 2009 04:16:01 PM CST Last Seen Tue 24 Mar 2009 04:35:56 PM CST Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1237934156.758:26): avc: denied { read write } for pid=3372 comm="dhclient" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1237934156.758:26): avc: denied { read write } for pid=3372 comm="dhclient" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=SYSCALL msg=audit(1237934156.758:26): arch=40000003 syscall=11 success=yes exit=0 a0=921ff38 a1=9207390 a2=9203bc0 a3=9207390 items=0 ppid=3332 pid=3372 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" 
subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) Summary: SELinux prevented kde4-config from writing .kde. Detailed Description: SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may want to allow this. If .kde is not a core file, this could signal a intrusion attempt. Allowing Access: Changing the "allow_daemons_dump_core" boolean to true will allow this access: "setsebool -P allow_daemons_dump_core=1." Fix Command: setsebool -P allow_daemons_dump_core=1 Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:root_t:s0 Target Objects .kde [ dir ] Source kde4-config Source Path /usr/bin/kde4-config Port Host riohigh Source RPM Packages kdelibs-4.2.1-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_daemons_dump_core Host Name riohigh Platform Linux riohigh 2.6.29-0.258.rc8.git2.fc11.i586 #1 SMP Mon Mar 16 20:53:59 EDT 2009 i686 athlon Alert Count 43 First Seen Tue 17 Feb 2009 08:36:03 AM CST Last Seen Tue 24 Mar 2009 04:34:07 PM CST Local ID 6d47417b-4b4b-4c4f-9c12-6210059fc418 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1237934047.415:8): avc: denied { create } for pid=2410 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir node=riohigh type=SYSCALL msg=audit(1237934047.415:8): arch=40000003 syscall=39 success=no exit=-13 a0=8ac6418 a1=1c0 a2=296f2ec a3=0 items=0 ppid=2409 pid=2410 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Now I see why crontab does not work :( Summary: SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t. Detailed Description: SELinux denied access requested by crontab. 
It is not expected that this access is required by crontab and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0 .c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source crontab Source Path /usr/bin/crontab Port Host riohigh Source RPM Packages cronie-1.2-7.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.258.rc8.git2.fc11.i586 #1 SMP Mon Mar 16 20:53:59 EDT 2009 i686 athlon Alert Count 114 First Seen Mon 02 Mar 2009 07:11:37 PM CST Last Seen Tue 24 Mar 2009 04:10:37 PM CST Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC 
msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 
scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1237932637.221:85): arch=40000003 syscall=11 success=yes exit=0 a0=8e005a0 a1=8e004d0 a2=8dfa9f8 a3=8e004d0 items=0 ppid=5324 pid=5361 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)

[olivares at riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info
You (olivares) are not allowed to access to (crontab) because of pam configuration.
[olivares at riohigh ~]$ crontab -e
Authentication service cannot retrieve authentication info
You (olivares) are not allowed to access to (crontab) because of pam configuration.
[olivares at riohigh ~]$

setroubleshooter kicks in and returns:

Summary:

SELinux is preventing ntpd (ntpd_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ntpd. It is not expected that this access is required by ntpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                unconfined_u:system_r:ntpd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                socket [ unix_stream_socket ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port
Host                          riohigh
Source RPM Packages           ntp-4.2.4p6-3.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.258.rc8.git2.fc11.i586 #1 SMP Mon Mar 16 20:53:59 EDT 2009 i686 athlon
Alert Count                   1
First Seen                    Mon 23 Mar 2009 04:07:29 PM CST
Last Seen                     Mon 23 Mar 2009 04:07:29 PM CST
Local ID                      718bc628-af85-4d41-a5c1-838d9d3208bd
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1237846049.986:105): avc: denied { read write } for pid=18588 comm="ntpd" path="socket:[4898784]" dev=sockfs ino=4898784 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1237846049.986:105): arch=40000003 syscall=11 success=yes exit=0 a0=9e21f80 a1=9e22280 a2=9e21248 a3=9e22280 items=0 ppid=18587 pid=18588 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

The time was not changed on this machine, I tried to call ntp and it did not work, why here's the reason:

Summary:

SELinux is preventing ntpd (ntpd_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by ntpd. It is not expected that this access is required by ntpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:ntpd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                socket [ unix_stream_socket ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port
Host                          riohigh
Source RPM Packages           ntp-4.2.4p6-3.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.258.rc8.git2.fc11.i586 #1 SMP Mon Mar 16 20:53:59 EDT 2009 i686 athlon
Alert Count                   1
First Seen                    Mon 23 Mar 2009 04:07:29 PM CST
Last Seen                     Mon 23 Mar 2009 04:07:29 PM CST
Local ID                      718bc628-af85-4d41-a5c1-838d9d3208bd
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1237846049.986:105): avc: denied { read write } for pid=18588 comm="ntpd" path="socket:[4898784]" dev=sockfs ino=4898784 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1237846049.986:105): arch=40000003 syscall=11 success=yes exit=0 a0=9e21f80 a1=9e22280 a2=9e21248 a3=9e22280 items=0 ppid=18587 pid=18588 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)

I appreciate any help I can get. It has been a while since NetworkManager gives me a successful connection. I have to become root and use dhclient to get internet access. If I need to file bug reports, please let me know against which components and I will do it.
Thanks,

Antonio

From peljasz at yahoo.co.uk Wed Mar 25 08:33:11 2009
From: peljasz at yahoo.co.uk (lejeczek)
Date: Wed, 25 Mar 2009 08:33:11 +0000
Subject: setroubleshoot server listens out on inet
In-Reply-To: <49C95530.9090904@redhat.com>
References: <49C952ED.9020607@yahoo.co.uk> <49C95530.9090904@redhat.com>
Message-ID: <49C9EC47.50807@yahoo.co.uk>

hello John,
more than fair, safety is priority
but what I said was that this is a bit of conf I cannot figure out
there are these two directives in client_connect_to; listen_for_client
fairly clear explanation how to use inet family
and this 69783 in Fedora's default_port, it's not even a valid port! is it?
anyhow, I change this directive like:
address_list = {unix}%(path)s, hostname:8880
(hostname gets resolved)
but I still see no process binds/listens to that port
and by the way, sealert browser seems to be using only a hard-coded port with no way of changing it

server logs:

2009-03-25 01:06:34,771 [communication.DEBUG] parse_socket_address_list: input='{unix}/var/run/setroubleshoot/setroubleshoot_server,10.0.0.100:8880'
2009-03-25 01:06:34,772 [communication.DEBUG] parse_socket_address_list: 10.0.0.100:8880 --> {inet}10.0.0.100:8880 socket=None
2009-03-25 01:06:34,774 [communication.DEBUG] new_listening_socket: {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2009-03-25 01:06:34,775 [communication.DEBUG] new_listening_socket: {inet}10.0.0.100:8880 socket=None

but as I said, doesn't open that port, ipc socket is working, sends emails with reports
I'll check those plug-ins Dominick mentions
cheers

John Dennis wrote:
> lejeczek wrote:
>> dear all,
>> that really baffles me, I don't seem to be able to set it up :)
>> and that port by default in conf file??
>> setroubleshoot server should be able to listen on network so remote
>> sealert could connect to it, right?
>> on my boxes(f9;f10) it does even look like binding to a port
>> please advise
>> cheers
>>
> By default the connection between the server and client is local and
> is implemented with a unix domain socket, not inet. This default is
> chosen for security reasons with the consequence the client (sealert)
> can only connect to the server (setroubleshootd) if they are running
> on the same host. However, it is possible to configure setroubleshootd
> to accept inet connections (see the comments in
> /etc/setroubleshoot/setroubleshoot.cfg) so that a remote sealert can
> connect to it. Be aware there is no authentication in this
> configuration and as such you must be comfortable with anyone being
> able to access your selinux denial information. For sealert to connect
> via inet to a remote host use the "connect to" menu item in the "File"
> menu (going from memory, the name might be slightly different). In the
> default local case you should not need to do anything special, the
> default configuration should just work.
>

From olivares14031 at yahoo.com Wed Mar 25 22:20:33 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 25 Mar 2009 15:20:33 -0700 (PDT)
Subject: selinux stopping NetworkManager from doing its job.
In-Reply-To: <814784.3064.qm@web52601.mail.re2.yahoo.com>
Message-ID: <177140.78081.qm@web52605.mail.re2.yahoo.com>

--- On Mon, 3/9/09, Antonio Olivares wrote:

> From: Antonio Olivares
> Subject: selinux stopping NetworkManager from doing its job.
> To: fedora-selinux-list at redhat.com
> Cc: fedora-test-list at redhat.com
> Date: Monday, March 9, 2009, 4:31 PM
> Dear fellow testers and selinux experts,
>
> selinux is stopping NetworkManager from doing its job. To
> get internet, I have to manually type # dhclient eth0
> and get internet connection.
> > > Summary: > > SELinux is preventing dhclient (dhcpc_t) "read > write" unconfined_t. > > Detailed Description: > > SELinux denied access requested by dhclient. It is not > expected that this access > is required by dhclient and this access may signal an > intrusion attempt. It is > also possible that the specific version or configuration of > the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access > - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) > Or you can disable > SELinux protection altogether. Disabling SELinux protection > is not recommended. > Please file a bug report > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context > unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 > Target Context > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Objects socket [ unix_stream_socket ] > Source dhclient > Source Path /sbin/dhclient > Port > Host riohigh > Source RPM Packages dhclient-4.1.0-10.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.8-1.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh > 2.6.29-0.215.rc7.fc11.i586 #1 SMP > Sun Mar 8 23:25:31 EDT 2009 > i686 athlon > Alert Count 6 > First Seen Fri 06 Mar 2009 04:16:01 PM > CST > Last Seen Mon 09 Mar 2009 05:22:13 PM > CST > Local ID > a9c1d6de-334d-4f45-99bb-470f0f97e3ff > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1236640933.104:39): avc: > denied { read write } for pid=3313 > comm="dhclient" path="socket:[15009]" > dev=sockfs ino=15009 > scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tclass=unix_stream_socket > > node=riohigh type=SYSCALL msg=audit(1236640933.104:39): > arch=40000003 
syscall=11 success=yes exit=0 a0=85082b8 > a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 > auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=pts1 ses=1 comm="dhclient" > exe="/sbin/dhclient" > subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) > > > Guess it applies over here: > > > Summary: > > SELinux is preventing NetworkManager (NetworkManager_t) > "read write" > unconfined_t. > > Detailed Description: > > SELinux denied access requested by NetworkManager. It is > not expected that this > access is required by NetworkManager and this access may > signal an intrusion > attempt. It is also possible that the specific version or > configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access > - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) > Or you can disable > SELinux protection altogether. Disabling SELinux protection > is not recommended. > Please file a bug report > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
> > Additional Information: > > Source Context > unconfined_u:system_r:NetworkManager_t:s0 > Target Context > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Objects socket [ unix_stream_socket ] > Source NetworkManager > Source Path /usr/sbin/NetworkManager > Port > Host riohigh > Source RPM Packages > NetworkManager-0.7.0.99-1.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.7-2.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh > 2.6.29-0.203.rc7.fc11.i586 #1 SMP > Wed Mar 4 18:03:29 EST 2009 > i686 athlon > Alert Count 5 > First Seen Mon 23 Feb 2009 07:23:54 AM > CST > Last Seen Fri 06 Mar 2009 04:15:00 PM > CST > Local ID > f192ed25-15af-43fd-aa2e-524cca16b88a > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1236377700.684:236): avc: > denied { read write } for pid=14462 > comm="NetworkManager" > path="socket:[26116]" dev=sockfs ino=26116 > scontext=unconfined_u:system_r:NetworkManager_t:s0 > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1236377700.684:236): avc: > denied { read write } for pid=14462 > comm="NetworkManager" > path="socket:[26116]" dev=sockfs ino=26116 > scontext=unconfined_u:system_r:NetworkManager_t:s0 > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1236377700.684:236): avc: > denied { read write } for pid=14462 > comm="NetworkManager" > path="socket:[26116]" dev=sockfs ino=26116 > scontext=unconfined_u:system_r:NetworkManager_t:s0 > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tclass=unix_stream_socket > > node=riohigh type=SYSCALL msg=audit(1236377700.684:236): > arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 > a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 > pid=14462 auid=500 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts1 ses=10
> comm="NetworkManager"
> exe="/usr/sbin/NetworkManager"
> subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>
>
> I do not get eth0 active upon starting up, since selinux
> stops NetworkManager from getting IP automagically :(.
>
> Regards,
>
> Antonio
>
> --
> fedora-test-list mailing list
> fedora-test-list at redhat.com
> To unsubscribe:
> https://www.redhat.com/mailman/listinfo/fedora-test-list

I have used selinux=0 to troubleshoot this, and crontab now works (with selinux disabled), and also NetworkManager was not doing its job. I don't know what did it, but /etc/sysconfig/network-scripts/ifcfg-eth0 was modified and now it should work.

Here's what I did: checked that I could see what is in my crontab (now I don't get the message about pam configuration). I wondered what was going on?

[olivares at riohigh ~]$ crontab -l
30 17 * * 1-5 ~/alarm &> /dev/null
30 21 * * 1-5 killall -9 /usr/bin/mplayer &> /dev/null
32 23 * * 1-5 /usr/bin/poweroff &> /dev/null

Good, one down, several more to go:

[olivares at riohigh ~]$ su -
Password:
[root at riohigh ~]# service NetworkManager stop
Stopping NetworkManager daemon:                            [  OK  ]
[root at riohigh ~]# service NetworkManager start
Setting network parameters...
                                                           [  OK  ]
Starting NetworkManager daemon:                            [  OK  ]
[root at riohigh ~]# cat /etc/sysconfig/
atd               keyboard
auditd            lm_sensors
authconfig        modules/
bittorrent        netconsole
bluetooth         network
cbq/              networking/
clock             network-scripts/
console/          nfs
cpuspeed          nspluginwrapper
crond             ntpd
crontab           ntpdate
firstboot         prelink
grub              readonly-root
hsqldb            rsyslog
httpd             samba
hw-uuid           saslauthd
i18n              selinux
init              sendmail
ip6tables         smartmontools
ip6tables-config  snmpd
iptables          system-config-firewall
[root at riohigh ~]# cat /etc/sysconfig/net
netconsole        network           networking/       network-scripts/
[root at riohigh ~]# cat /etc/sysconfig/network
network           networking/       network-scripts/
[root at riohigh ~]# cat /etc/sysconfig/network-scripts/
ifcfg-eth0     ifdown-sl      ifup-post
ifcfg-lo       ifdown-tunnel  ifup-ppp
ifdown         ifup           ifup-routes
ifdown-bnep    ifup-aliases   ifup-sit
ifdown-eth     ifup-bnep      ifup-sl
ifdown-ippp    ifup-eth       ifup-tunnel
ifdown-ipsec   ifup-ippp      ifup-wireless
ifdown-ipv6    ifup-ipsec     init.ipv6-global
ifdown-isdn    ifup-ipv6      net.hotplug
ifdown-post    ifup-ipx       network-functions
ifdown-ppp     ifup-isdn      network-functions-ipv6
ifdown-routes  ifup-plip
ifdown-sit     ifup-plusb

was this

[root at riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=no
NM_CONTROLLED=
[root at riohigh ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
You have new mail in /var/spool/mail/root

I changed it to

[root at riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=yes
NM_CONTROLLED=yes

I will restart the system and hope that all is well, and report back and see if selinux automatically relabels everything by itself; normally this happens when I have used the selinux=0 booting parameter. It has been a while since I have had to start the network manually and it should work by itself.
Regards,

Antonio

From olivares14031 at yahoo.com Wed Mar 25 23:03:48 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 25 Mar 2009 16:03:48 -0700 (PDT)
Subject: selinux does not like crontab :(, default_t, kde
Message-ID: <502316.66529.qm@web52612.mail.re2.yahoo.com>

Dear all,

I have resolved one problem (not getting internet at startup by default), but have not fixed the crontab one and other(s):

This one does not go away :(

Summary:

SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by crontab. It is not expected that this access
is required by crontab and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information: Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0 .c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source crontab Source Path /usr/bin/crontab Port Host riohigh Source RPM Packages cronie-1.2-7.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-3.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon Alert Count 177 First Seen Mon 02 Mar 2009 07:11:37 PM CST Last Seen Wed 25 Mar 2009 04:57:03 PM CST Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16 Line Numbers Raw Audit Messages node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 
scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)

I can't modify my crontab file:

[olivares at riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info
You (olivares) are not allowed to access to (crontab) because of pam configuration.
[olivares at riohigh ~]$

If I disable selinux, I can modify it and view it, but not with selinux enabled.

I got greeted with the following:

Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon.
In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                /.kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port
Host                          riohigh
Source RPM Packages           kdelibs-4.2.1-4.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   default
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
                              #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
Alert Count                   7
First Seen                    Wed 25 Mar 2009 04:38:14 PM CST
Last Seen                     Wed 25 Mar 2009 04:38:14 PM CST
Local ID                      d3d42e40-6a28-48cf-8717-b85579c55bad
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label.
The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                .kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port
Host                          riohigh
Source RPM Packages           kdelibs-4.2.1-4.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   default
Host Name                     riohigh
Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
                              #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
Alert Count                   23
First Seen                    Wed 25 Mar 2009 04:38:14 PM CST
Last Seen                     Wed 25 Mar 2009 04:38:14 PM CST
Local ID                      711eec22-2695-4e57-91ad-622e9c5f3b53
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Startup did not take the 20 seconds, it took like 8 to 10 minutes with the relabeling and I still see the same things. Is there an update that will fix this or do I have to disable selinux or boot in permissive in order to have a working machine?
Please help, this is no longer as fun as it once was.

Regards,

Antonio

From dwalsh at redhat.com Thu Mar 26 12:39:46 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 26 Mar 2009 08:39:46 -0400
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <502316.66529.qm@web52612.mail.re2.yahoo.com>
References: <502316.66529.qm@web52612.mail.re2.yahoo.com>
Message-ID: <49CB7792.8090505@redhat.com>

On 03/25/2009 07:03 PM, Antonio Olivares wrote:
> Dear all,
>
> I have resolved one problem(Not getting internet at startup by default), but have not fixed the crontab one and other(s):
>
> This one does not go away :(
>
>
> Summary:
>
> SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by crontab. It is not expected that this access
> is required by crontab and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> > Additional Information: > > Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0 > .c1023 > Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Target Objects socket [ unix_stream_socket ] > Source crontab > Source Path /usr/bin/crontab > Port > Host riohigh > Source RPM Packages cronie-1.2-7.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.8-3.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name riohigh > Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 > #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon > Alert Count 177 > First Seen Mon 02 Mar 2009 07:11:37 PM CST > Last Seen Wed 25 Mar 2009 04:57:03 PM CST > Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16 > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): 
avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket > > node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null) > > > I can't modify my crontab file: > > [olivares at riohigh ~]$ crontab -l > > Authentication service cannot retrieve authentication info > You (olivares) are not allowed to access to (crontab) because of pam configuration. > [olivares at riohigh ~]$ > > if I disable selinux, I can modify it and view it, but not with selinux enabled. > > I got greeted with the following: > > > Summary: > > SELinux is preventing access to files with the default label, default_t. > > Detailed Description: > > SELinux permission checks on files labeled default_t are being denied. These > files/directories have the default label on them. This can indicate a labeling > problem, especially if the files being referred to are not top level > directories. Any files/directories under standard system directories, /usr, > /var. /dev, /tmp, ..., should not be labeled with the default label. The default > label is for files/directories which do not have a label on a parent directory. > So if you create a new directory in / you might legitimately get this label. 
> > Allowing Access: > > If you want a confined domain to use these files you will probably need to > relabel the file/directory with chcon. In some cases it is just easier to > relabel the system, to relabel execute: "touch /.autorelabel; reboot" > > Additional Information: > > Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 > Target Context system_u:object_r:default_t:s0 > Target Objects /.kde [ dir ] > Source kde4-config > Source Path /usr/bin/kde4-config > Port > Host riohigh > Source RPM Packages kdelibs-4.2.1-4.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.8-3.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name default > Host Name riohigh > Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 > #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon > Alert Count 7 > First Seen Wed 25 Mar 2009 04:38:14 PM CST > Last Seen Wed 25 Mar 2009 04:38:14 PM CST > Local ID d3d42e40-6a28-48cf-8717-b85579c55bad > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir > > node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) > > > Summary: > > SELinux is preventing access to files with the default label, default_t. > > Detailed Description: > > SELinux permission checks on files labeled default_t are being denied. These > files/directories have the default label on them. 
This can indicate a labeling > problem, especially if the files being referred to are not top level > directories. Any files/directories under standard system directories, /usr, > /var. /dev, /tmp, ..., should not be labeled with the default label. The default > label is for files/directories which do not have a label on a parent directory. > So if you create a new directory in / you might legitimately get this label. > > Allowing Access: > > If you want a confined domain to use these files you will probably need to > relabel the file/directory with chcon. In some cases it is just easier to > relabel the system, to relabel execute: "touch /.autorelabel; reboot" > > Additional Information: > > Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 > Target Context system_u:object_r:default_t:s0 > Target Objects .kde [ dir ] > Source kde4-config > Source Path /usr/bin/kde4-config > Port > Host riohigh > Source RPM Packages kdelibs-4.2.1-4.fc11 > Target RPM Packages > Policy RPM selinux-policy-3.6.8-3.fc11 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name default > Host Name riohigh > Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 > #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon > Alert Count 23 > First Seen Wed 25 Mar 2009 04:38:14 PM CST > Last Seen Wed 25 Mar 2009 04:38:14 PM CST > Local ID 711eec22-2695-4e57-91ad-622e9c5f3b53 > Line Numbers > > Raw Audit Messages > > node=riohigh type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir > > node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" 
exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
> Startup did not take the 20 seconds, it took like 8 to 10 minutes with the relabeling and still see the same things. Is there an update that will fix this or do I have to disable selinux or boot in permissive in order to have a working machine.
>
> Please help this is no longer fun as it once was.
>
> Regards,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The kde read/writing to /.kde is a kde bug; kdm should have a home directory that we could give access to, not /. I have this setup and although it generates AVC's I am able to login fine. Although gdm works better.

If you want to get rid of these avc's you could execute:

# semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
# restorecon -R -v /.kde

Running crontab -e as root, the problem is also a kdebase/konsole problem of leaked file descriptors. If you do an ls /proc/self/fd in the konsole you will see a whole bunch of file descriptors that have been leaked to the konsole. When you start a confined domain from the console SELinux reports these leaked file descriptors and closes them.

ls -l /proc/self/fd should show something like

# ls -l /proc/self/fd
total 0
lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4
lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4
lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4
lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd

which are three fd's to the terminal and one to the directory you are listing.

I see no avc that would break crontab -e?

[olivares at riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info
You (olivares) are not allowed to access to (crontab) because of pam configuration.

Looks like you are running this as a normal user? Or are you running as root?
I can not get this to happen on my machine, so I think it might be something about the way you have pam set up? Do you have anything special set up in pam?

From dwalsh at redhat.com Thu Mar 26 14:32:21 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 26 Mar 2009 10:32:21 -0400
Subject: selinux stopping NetworkManager from doing its job.
In-Reply-To: <177140.78081.qm@web52605.mail.re2.yahoo.com>
References: <177140.78081.qm@web52605.mail.re2.yahoo.com>
Message-ID: <49CB91F5.7060809@redhat.com>

On 03/25/2009 06:20 PM, Antonio Olivares wrote:
>
>
>
> --- On Mon, 3/9/09, Antonio Olivares wrote:
>
>> From: Antonio Olivares
>> Subject: selinux stopping NetworkManager from doing its job.
>> To: fedora-selinux-list at redhat.com
>> Cc: fedora-test-list at redhat.com
>> Date: Monday, March 9, 2009, 4:31 PM
>> Dear fellow testers and selinux experts,
>>
>> selinux is stopping NetworkManager from doing its job. To
>> get internet, I have to manually type # dhclient eth0
>> and get internet connection.
>>
>>
>> Summary:
>>
>> SELinux is preventing dhclient (dhcpc_t) "read
>> write" unconfined_t.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by dhclient. It is not
>> expected that this access
>> is required by dhclient and this access may signal an
>> intrusion attempt. It is
>> also possible that the specific version or configuration of
>> the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access
>> - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
>> Or you can disable
>> SELinux protection altogether. Disabling SELinux protection
>> is not recommended.
>> Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>> >> Additional Information: >> >> Source Context >> unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 >> Target Context >> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 >> 023 >> Target Objects socket [ unix_stream_socket ] >> Source dhclient >> Source Path /sbin/dhclient >> Port >> Host riohigh >> Source RPM Packages dhclient-4.1.0-10.fc11 >> Target RPM Packages >> Policy RPM selinux-policy-3.6.8-1.fc11 >> Selinux Enabled True >> Policy Type targeted >> MLS Enabled True >> Enforcing Mode Enforcing >> Plugin Name catchall >> Host Name riohigh >> Platform Linux riohigh >> 2.6.29-0.215.rc7.fc11.i586 #1 SMP >> Sun Mar 8 23:25:31 EDT 2009 >> i686 athlon >> Alert Count 6 >> First Seen Fri 06 Mar 2009 04:16:01 PM >> CST >> Last Seen Mon 09 Mar 2009 05:22:13 PM >> CST >> Local ID >> a9c1d6de-334d-4f45-99bb-470f0f97e3ff >> Line Numbers >> >> Raw Audit Messages >> >> node=riohigh type=AVC msg=audit(1236640933.104:39): avc: >> denied { read write } for pid=3313 >> comm="dhclient" path="socket:[15009]" >> dev=sockfs ino=15009 >> scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 >> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 >> tclass=unix_stream_socket >> >> node=riohigh type=SYSCALL msg=audit(1236640933.104:39): >> arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 >> a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 >> auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 >> fsgid=0 tty=pts1 ses=1 comm="dhclient" >> exe="/sbin/dhclient" >> subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) >> >> >> Guess it applies over here: >> >> >> Summary: >> >> SELinux is preventing NetworkManager (NetworkManager_t) >> "read write" >> unconfined_t. >> >> Detailed Description: >> >> SELinux denied access requested by NetworkManager. It is >> not expected that this >> access is required by NetworkManager and this access may >> signal an intrusion >> attempt. 
>> It is also possible that the specific version or configuration of the application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>>
>> Additional Information:
>>
>> Source Context        unconfined_u:system_r:NetworkManager_t:s0
>> Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> Target Objects        socket [ unix_stream_socket ]
>> Source                NetworkManager
>> Source Path           /usr/sbin/NetworkManager
>> Port
>> Host                  riohigh
>> Source RPM Packages   NetworkManager-0.7.0.99-1.fc11
>> Target RPM Packages
>> Policy RPM            selinux-policy-3.6.7-2.fc11
>> Selinux Enabled       True
>> Policy Type           targeted
>> MLS Enabled           True
>> Enforcing Mode        Enforcing
>> Plugin Name           catchall
>> Host Name             riohigh
>> Platform              Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon
>> Alert Count           5
>> First Seen            Mon 23 Feb 2009 07:23:54 AM CST
>> Last Seen             Fri 06 Mar 2009 04:15:00 PM CST
>> Local ID              f192ed25-15af-43fd-aa2e-524cca16b88a
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>>
>> node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>>
>> node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>>
>> node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>>
>> I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting IP automagically :(.
>>
>> Regards,
>>
>> Antonio
>>
>> --
>> fedora-test-list mailing list
>> fedora-test-list at redhat.com
>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
>
> I have used selinux=0 to troubleshoot this, and crontab now works (with selinux disabled), and also NetworkManager was not doing its job, I don't know what did it, but /etc/sysconfig/network-scripts/ifcfg-eth0 was modified and now it should work. Here's what I did:
>
> checked that I could see what is in my crontab (now I don't get message that pam configuration), I wondered what was going on?
>
> [olivares at riohigh ~]$ crontab -l
> 30 17 * * 1-5 ~/alarm&> /dev/null
> 30 21 * * 1-5 killall -9 /usr/bin/mplayer&> /dev/null
> 32 23 * * 1-5 /usr/bin/poweroff&> /dev/null
>
> Good, one down, several more to go:
>
> [olivares at riohigh ~]$ su -
> Password:
> [root at riohigh ~]# service NetworkManager stop
> Stopping NetworkManager daemon: [ OK ]
> [root at riohigh ~]# service NetworkManager start
> Setting network parameters...
> [ OK ]
> Starting NetworkManager daemon: [ OK ]
> [root at riohigh ~]# cat /etc/sysconfig/
> atd                keyboard
> auditd             lm_sensors
> authconfig         modules/
> bittorrent         netconsole
> bluetooth          network
> cbq/               networking/
> clock              network-scripts/
> console/           nfs
> cpuspeed           nspluginwrapper
> crond              ntpd
> crontab            ntpdate
> firstboot          prelink
> grub               readonly-root
> hsqldb             rsyslog
> httpd              samba
> hw-uuid            saslauthd
> i18n               selinux
> init               sendmail
> ip6tables          smartmontools
> ip6tables-config   snmpd
> iptables           system-config-firewall
> [root at riohigh ~]# cat /etc/sysconfig/net
> netconsole network networking/ network-scripts/
> [root at riohigh ~]# cat /etc/sysconfig/network
> network networking/ network-scripts/
> [root at riohigh ~]# cat /etc/sysconfig/network-scripts/
> ifcfg-eth0      ifdown-sl      ifup-post
> ifcfg-lo        ifdown-tunnel  ifup-ppp
> ifdown          ifup           ifup-routes
> ifdown-bnep     ifup-aliases   ifup-sit
> ifdown-eth      ifup-bnep      ifup-sl
> ifdown-ippp     ifup-eth       ifup-tunnel
> ifdown-ipsec    ifup-ippp      ifup-wireless
> ifdown-ipv6     ifup-ipsec     init.ipv6-global
> ifdown-isdn     ifup-ipv6      net.hotplug
> ifdown-post     ifup-ipx       network-functions
> ifdown-ppp      ifup-isdn      network-functions-ipv6
> ifdown-routes   ifup-plip
> ifdown-sit      ifup-plusb
>
> was this
>
> [root at riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
> # VIA Technologies, Inc. VT6102 [Rhine-II]
> DEVICE=eth0
> HWADDR=00:50:2c:a2:23:28
> ONBOOT=no
> NM_CONTROLLED=
> [root at riohigh ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
> You have new mail in /var/spool/mail/root
>
> I changed it to
>
> [root at riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
> # VIA Technologies, Inc. VT6102 [Rhine-II]
> DEVICE=eth0
> HWADDR=00:50:2c:a2:23:28
> ONBOOT=yes
> NM_CONTROLLED=yes
>
> I will restart system and hope that all is well and report back and see if selinux automatically relabels everything by itself, normally this happens when I have used selinux=0 booting parameter. It has been a while since I have to start network manually and it should work by itself.
>
> Regards,
>
> Antonio

You should just use enforcing=0 which will boot in permissive mode, then you do not need to deal with relabeling.

From olivares14031 at yahoo.com Thu Mar 26 14:55:50 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Thu, 26 Mar 2009 07:55:50 -0700 (PDT)
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <49CB7792.8090505@redhat.com>
Message-ID: <347246.44517.qm@web52611.mail.re2.yahoo.com>

> The kde read/writing to /.kde is a kde bug/ kdm should have a home directory that we could give access to, not /. I have this setup and although it generates AVC's I am able to login fine. Although gdm works better.
>
> If you want to get rid of these avc's you could execute.
>
> # semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
> # restorecon -R -v /.kde
>
> Running crontab -e as root, problem is also a kdebase/konsole problem of leaked file descriptors. If you do an ls /proc/self/fd in the konsole you will see a whole bunch of file descriptors that have been leaked to the konsole. When you start a confined domain from the console SELinux reports these leaked file descriptors and closes them.
>
> ls -l /proc/self/fd
>
> should show something like
>
> # ls -l /proc/self/fd
> total 0
> lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4
> lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4
> lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4
> lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
>
> Which are three fd's to the terminal and one to the directory you are listing.
>
> I see no avc that would break crontab -e?

The avc denies crontab to display it and therefore the error.
This happens on two machines running rawhide since the third one broke down :(. I can't test it there :(

> [olivares at riohigh ~]$ crontab -l
>
> Authentication service cannot retrieve authentication info
> You (olivares) are not allowed to access to (crontab) because of pam configuration.
>
> Looks like you are running this as a normal user? Or are you running as root?

Normal user, even root can't edit crontab because the authority is denied :(, yes pam configuration :)

> I can not get this to happen on my machine, so I think it might be something about the way you have pam setup? Do you have anything special setup in pam?

No, just regular default setup as it comes. Nothing special set aside.

Will try to apply the changes and report back.

Thanks for helping out.

Regards,

Antonio

From rnicholsNOSPAM at comcast.net Thu Mar 26 15:43:25 2009
From: rnicholsNOSPAM at comcast.net (Robert Nichols)
Date: Thu, 26 Mar 2009 10:43:25 -0500
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <347246.44517.qm@web52611.mail.re2.yahoo.com>
References: <49CB7792.8090505@redhat.com> <347246.44517.qm@web52611.mail.re2.yahoo.com>
Message-ID:

Antonio Olivares wrote:
>
>> The kde read/writing to /.kde is a kde bug/ kdm should have a home directory that we could give access to, not /. I have this setup and although it generates AVC's I am able to login fine. Although gdm works better.
>>
>> If you want to get rid of these avc's you could execute.
>>
>> # semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
>> # restorecon -R -v /.kde
>>
>> Running crontab -e as root, problem is also a kdebase/konsole problem of leaked file descriptors. If you do an ls /proc/self/fd in the konsole you will see a whole bunch of file descriptors that have been leaked to the konsole. When you start a confined domain from the console SELinux reports these leaked file descriptors and closes them.
>>
>> ls -l /proc/self/fd
>>
>> should show something like
>>
>> # ls -l /proc/self/fd
>> total 0
>> lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4
>> lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4
>> lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4
>> lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
>>
>> Which are three fd's to the terminal and one to the directory you are listing.
>>
>> I see no avc that would break crontab -e?
> The avc denies crontab to display it and therefore the error. This happens on two machines running rawhide since the third one broke down :(. I can't test it there :(
>>
>> [olivares at riohigh ~]$ crontab -l
>>
>> Authentication service cannot retrieve authentication info
>> You (olivares) are not allowed to access to (crontab) because of pam configuration.
>>
>> Looks like you are running this as a normal user? Or are you running as root?
> Normal user, even root can't edit crontab because the authority is denied :(, yes pam configuration :)
>>
>> I can not get this to happen on my machine, so I think it might be something about the way you have pam setup? Do you have anything special setup in pam?
> No, just regular default setup as it comes. Nothing special set aside.

I can confirm the same behavior when trying to run "crontab -l" or "crontab -e" both as non-root and root user.

Authentication service cannot retrieve authentication info
You (rnichols) are not allowed to access to (crontab) because of pam configuration.

OR

Authentication service cannot retrieve authentication info
You (root) are not allowed to access to (crontab) because of pam configuration.

The problem goes away when running in permissive mode. Regardless of permissive vs. enforcing mode, no AVCs are logged. No changes have been made to the rawhide SELinux or PAM configurations.
I do see this message logged in /var/log/secure for each unsuccessful attempt:

crontab: pam_unix(crond:account): helper binary execve failed: Permission denied

selinux-policy-3.6.8-3.fc11.noarch
selinux-policy-targeted-3.6.8-3.fc11.noarch
authconfig-5.4.7-2.fc11.i586

--
Bob Nichols "NOSPAM" is really part of my email address. Do NOT delete it.

From dwalsh at redhat.com Fri Mar 27 11:54:57 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Fri, 27 Mar 2009 07:54:57 -0400
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To:
References: <49CB7792.8090505@redhat.com> <347246.44517.qm@web52611.mail.re2.yahoo.com>
Message-ID: <49CCBE91.9090002@redhat.com>

On 03/26/2009 11:43 AM, Robert Nichols wrote:
> Antonio Olivares wrote:
>>
>>> The kde read/writing to /.kde is a kde bug/ kdm should have a home directory that we could give access to, not /. I have this setup and although it generates AVC's I am able to login fine. Although gdm works better.
>>>
>>> If you want to get rid of these avc's you could execute.
>>>
>>> # semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
>>> # restorecon -R -v /.kde
>>>
>>> Running crontab -e as root, problem is also a kdebase/konsole problem of leaked file descriptors. If you do an ls /proc/self/fd in the konsole you will see a whole bunch of file descriptors that have been leaked to the konsole. When you start a confined domain from the console SELinux reports these leaked file descriptors and closes them.
>>>
>>> ls -l /proc/self/fd
>>>
>>> should show something like
>>>
>>> # ls -l /proc/self/fd
>>> total 0
>>> lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4
>>> lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4
>>> lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4
>>> lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
>>>
>>> Which are three fd's to the terminal and one to the directory you are listing.
>>>
>>> I see no avc that would break crontab -e?
>> The avc denies crontab to display it and therefore the error. This happens on two machines running rawhide since the third one broke down :(. I can't test it there :(
>>>
>>> [olivares at riohigh ~]$ crontab -l
>>>
>>> Authentication service cannot retrieve authentication info
>>> You (olivares) are not allowed to access to (crontab) because of pam configuration.
>>>
>>> Looks like you are running this as a normal user? Or are you running as root?
>> Normal user, even root can't edit crontab because the authority is denied :(, yes pam configuration :)
>>>
>>> I can not get this to happen on my machine, so I think it might be something about the way you have pam setup? Do you have anything special setup in pam?
>> No, just regular default setup as it comes. Nothing special set aside.
>
> I can confirm the same behavior when trying to run "crontab -l" or "crontab -e" both as non-root and root user.
>
> Authentication service cannot retrieve authentication info
> You (rnichols) are not allowed to access to (crontab) because of pam configuration.
>
> OR
>
> Authentication service cannot retrieve authentication info
> You (root) are not allowed to access to (crontab) because of pam configuration.
>
> The problem goes away when running in permissive mode. Regardless of permissive vs. enforcing mode, no AVCs are logged. No changes have been made to the rawhide SELinux or PAM configurations. I do see this message logged in /var/log/secure for each unsuccessful attempt:
>
> crontab: pam_unix(crond:account): helper binary execve failed: Permission denied
>
> selinux-policy-3.6.8-3.fc11.noarch
> selinux-policy-targeted-3.6.8-3.fc11.noarch
> authconfig-5.4.7-2.fc11.i586
>
Do you see an SELINUX_ERR in /var/log/audit/audit.log?

What does id -Z show?

Could you try

# semodule -DB

Then look for avcs about cron.
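Dan asks above for the AVCs about cron once dontaudit rules are disabled, and earlier explained that descriptors leaked into a confined domain are reported and closed at the transition. The script below is an added example, not code from the thread or from the SELinux tools: it groups audit records by serial and separates that leaked-descriptor pattern (denial logged while the execve itself succeeded) from a denial that actually blocked the program. The log lines are constructed in the shape of the records quoted in the thread, and the execve syscall numbers for i386 and x86_64 are taken from the kernel syscall tables.

```python
"""Triage SELinux AVC records for the leaked-file-descriptor pattern.

Added example, not code from the thread or from the SELinux project.
SAMPLE_LOG is constructed: the first serial copies the field layout of the
crontab records quoted in the thread, the second serial is invented so a
real denial can be shown for contrast. execve is syscall 11 on i386
(arch=40000003) and 59 on x86_64 (arch=c000003e).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1237931620.198:52): arch=40000003 syscall=11 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=3265 pid=4120 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1237931700.000:60): avc: denied { write } for pid=4200 comm="crontab" name="tabs" dev=sda1 ino=1234 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1237931700.000:60): arch=40000003 syscall=5 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=3265 pid=4200 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
"""

AUDIT_RE = re.compile(r"msg=audit\(([\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
# arch field -> execve syscall number; extend for other ABIs as needed
EXECVE = {"40000003": "11", "c000003e": "59"}


def parse_record(line):
    """Return the key=value fields of one audit record, or None if not one."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    rec = {"serial": int(m.group("serial"))}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    perms = PERMS_RE.search(line)
    if perms is not None:
        rec["perms"] = perms.group(1).split()
    return rec


def group_events(log_text):
    """Join the AVC and SYSCALL records that share a serial into one event."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec.get("type") == "AVC":
            events[rec["serial"]]["avc"].append(rec)
        elif rec.get("type") == "SYSCALL":
            events[rec["serial"]]["syscall"] = rec
    return dict(events)


def domain_type(context):
    """'unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023' -> 'admin_crontab_t'."""
    return context.split(":")[2]


def classify(event):
    """Label every AVC of one event.

    leaked_fd: raised while the execve into the new domain succeeded, so the
    object is an inherited descriptor the kernel closed at the transition;
    the program was not blocked and the fix is close-on-exec in the parent,
    not a policy change. denied_operation: the syscall failed, a real block.
    """
    sc = event["syscall"]
    out = []
    for avc in event["avc"]:
        if sc is None:
            verdict = "no_syscall_record"
        elif EXECVE.get(sc.get("arch")) == sc.get("syscall") and sc.get("success") == "yes":
            verdict = "leaked_fd"
        elif sc.get("success") == "no":
            verdict = "denied_operation"
        else:
            verdict = "review"
        out.append({
            "serial": avc["serial"],
            "comm": avc.get("comm"),
            "domain": domain_type(avc["scontext"]),
            "perms": avc.get("perms", []),
            "tclass": avc.get("tclass"),
            "object": avc.get("path", avc.get("name", "?")),
            "verdict": verdict,
        })
    return out


def cron_findings(log_text):
    """Only the cron-related AVCs, the subset the thread asks for."""
    events = group_events(log_text)
    return [f for serial in sorted(events) for f in classify(events[serial])
            if "cron" in f["domain"]]


if __name__ == "__main__":
    for f in cron_findings(SAMPLE_LOG):
        print(f"{f['serial']:>5} {f['comm']:<10} {f['domain']:<18} "
              f"{' '.join(f['perms']):<12} {f['tclass']:<18} {f['object']:<16} {f['verdict']}")
```

Run it against `ausearch -m avc,syscall --raw` output instead of SAMPLE_LOG to triage a real audit.log; only `denied_operation` entries are candidates for a policy fix.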
From olivares14031 at yahoo.com Fri Mar 27 12:13:02 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Fri, 27 Mar 2009 05:13:02 -0700 (PDT)
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <49CCBE91.9090002@redhat.com>
Message-ID: <634630.27552.qm@web52608.mail.re2.yahoo.com>

--- On Fri, 3/27/09, Daniel J Walsh wrote:

> From: Daniel J Walsh
> Subject: Re: selinux does not like crontab :(, default_t, kde
> To: "Robert Nichols" , "Antonio Olivares" , Fedora-SELinux-List at redhat.com
> Date: Friday, March 27, 2009, 4:54 AM
> On 03/26/2009 11:43 AM, Robert Nichols wrote:
> > Antonio Olivares wrote:
> >>
> >>> The kde read/writing to /.kde is a kde bug/ kdm should have a home directory that we could give access to, not /. I have this setup and although it generates AVC's I am able to login fine. Although gdm works better.
> >>>
> >>> If you want to get rid of these avc's you could execute.
> >>>
> >>> # semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
> >>> # restorecon -R -v /.kde
> >>>
> >>> Running crontab -e as root, problem is also a kdebase/konsole problem of leaked file descriptors. If you do an ls /proc/self/fd in the konsole you will see a whole bunch of file descriptors that have been leaked to the konsole. When you start a confined domain from the console SELinux reports these leaked file descriptors and closes them.
> >>>
> >>> ls -l /proc/self/fd
> >>>
> >>> should show something like
> >>>
> >>> # ls -l /proc/self/fd
> >>> total 0
> >>> lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4
> >>> lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4
> >>> lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4
> >>> lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
> >>>
> >>> Which are three fd's to the terminal and one to the directory you are listing.
> >>>
> >>> I see no avc that would break crontab -e?
> >> The avc denies crontab to display it and therefore the error. This happens on two machines running rawhide since the third one broke down :(. I can't test it there :(
> >>>
> >>> [olivares at riohigh ~]$ crontab -l
> >>>
> >>> Authentication service cannot retrieve authentication info
> >>> You (olivares) are not allowed to access to (crontab) because of pam configuration.
> >>>
> >>> Looks like you are running this as a normal user? Or are you running as root?
> >> Normal user, even root can't edit crontab because the authority is denied :(, yes pam configuration :)
> >>>
> >>> I can not get this to happen on my machine, so I think it might be something about the way you have pam setup? Do you have anything special setup in pam?
> >> No, just regular default setup as it comes. Nothing special set aside.
> >
> > I can confirm the same behavior when trying to run "crontab -l" or "crontab -e" both as non-root and root user.
> >
> > Authentication service cannot retrieve authentication info
> > You (rnichols) are not allowed to access to (crontab) because of pam configuration.
> >
> > OR
> >
> > Authentication service cannot retrieve authentication info
> > You (root) are not allowed to access to (crontab) because of pam configuration.
> >
> > The problem goes away when running in permissive mode. Regardless of permissive vs. enforcing mode, no AVCs are logged. No changes have been made to the rawhide SELinux or PAM configurations. I do see this message logged in /var/log/secure for each unsuccessful attempt:
> >
> > crontab: pam_unix(crond:account): helper binary execve failed: Permission denied
> >
> > selinux-policy-3.6.8-3.fc11.noarch
> > selinux-policy-targeted-3.6.8-3.fc11.noarch
> > authconfig-5.4.7-2.fc11.i586
> >
> Do you see an SELINUX_ERR in /var/log/audit/audit.log?
>
> What does id -Z show?
>
> Could you try
>
> # semodule -DB
>
> Then look for avcs about cron.

In applying the fixes, I got back another sealert denying me the right to change it :(

[olivares at riohigh ~]$ su -
Password:
[root at riohigh ~]# semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
[root at riohigh ~]# restorecon -R -v /.kde
restorecon reset /.kde context system_u:object_r:default_t:s0->system_u:object_r:xdm_var_run_t:s0
restorecon reset /.kde/share context system_u:object_r:default_t:s0->system_u:object_r:xdm_var_run_t:s0
restorecon reset /.kde/share/config context system_u:object_r:default_t:s0->system_u:object_r:xdm_var_run_t:s0
You have new mail in /var/spool/mail/root
[root at riohigh ~]#

[olivares at riohigh ~]$ ls -l /proc/self/fd
total 0
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 0 -> /dev/pts/2
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 1 -> /dev/pts/2
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 10 -> socket:[18111]
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 11 -> socket:[18111]
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 14 -> socket:[18111]
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 15 -> socket:[18111]
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 17 -> socket:[18111]
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 2 -> /dev/pts/2
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 20 -> socket:[18111]
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 21 -> socket:[18111]
lr-x------. 1 olivares olivares 64 2009-03-27 06:08 3 -> /proc/3853/fd
lrwx------. 1 olivares olivares 64 2009-03-27 06:08 9 -> socket:[18418]
[olivares at riohigh ~]$

[root at riohigh ~]# ls -l /proc/self/fd
total 0
lrwx------. 1 root root 64 2009-03-27 06:08 0 -> /dev/pts/1
lrwx------. 1 root root 64 2009-03-27 06:08 1 -> /dev/pts/1
lrwx------. 1 root root 64 2009-03-27 06:08 2 -> /dev/pts/1
lrwx------. 1 root root 64 2009-03-27 06:08 20 -> socket:[18111]
lrwx------. 1 root root 64 2009-03-27 06:08 21 -> socket:[18111]
lr-x------. 1 root root 64 2009-03-27 06:08 3 -> /proc/3819/fd
[root at riohigh ~]#

Summary:

SELinux is preventing restorecon (setfiles_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by restorecon. It is not expected that this access is required by restorecon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context        unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        socket [ unix_stream_socket ]
Source                restorecon
Source Path           /sbin/setfiles
Port
Host                  riohigh
Source RPM Packages   policycoreutils-2.0.62-4.fc11
Target RPM Packages
Policy RPM            selinux-policy-3.6.8-3.fc11
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             riohigh
Platform              Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
Alert Count           2
First Seen            Fri 27 Mar 2009 06:03:21 AM CST
Last Seen             Fri 27 Mar 2009 06:03:21 AM CST
Local ID              280758b9-8eca-415e-9097-612ca0d9651f
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1238155401.283:63): avc: denied { read write } for pid=3738 comm="restorecon" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=AVC
msg=audit(1238155401.283:63): avc: denied { read write } for pid=3738 comm="restorecon" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1238155401.283:63): arch=40000003 syscall=11 success=yes exit=0 a0=9533b00 a1=95336d8 a2=9534bc0 a3=95336d8 items=0 ppid=3630 pid=3738 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

[root at riohigh ~]# cat /var/log/audit/audit.log | grep 'avc'
type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1237931620.198:52): avc: denied { read write } for pid=4120 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932297.181:72): avc: denied { read write } for pid=5170 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932306.888:79): avc: denied { read write } for pid=5219 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932306.888:79): avc: denied { read write } for pid=5219 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC 
msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932632.246:82): avc: denied { read write } for pid=5357 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 
scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237932637.221:85): avc: denied { read write } for pid=5361 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 
comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937447.164:116): avc: denied { read write } for pid=7298 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC 
msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17513]" dev=sockfs ino=17513 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237937449.632:119): avc: denied { read write } for pid=7300 comm="crontab" path="socket:[17209]" dev=sockfs ino=17209 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1237996117.239:8): avc: denied { create } for pid=2408 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181854]" dev=sockfs ino=181854 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 
scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017872.171:71): avc: denied { read write } for pid=13038 comm="crontab" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 
comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238017888.596:78): avc: denied { read write } for pid=13093 comm="dhclient" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181854]" dev=sockfs ino=181854 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for 
pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): 
avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC msg=audit(1238018048.157:79): avc: denied { read write } for pid=13241 comm="at" path="socket:[181488]" dev=sockfs ino=181488 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=AVC 
msg=audit(1238020694.347:13): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.348:14): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.348:15): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.348:16): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.355:17): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.356:18): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.356:19): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.356:20): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir type=AVC msg=audit(1238020694.357:21): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.357:22): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.357:23): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.357:24): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.358:25): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.358:26): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.358:27): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.358:28): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.359:29): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.359:30): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.359:31): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.383:32): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.397:33): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.425:34): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.432:35): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.481:36): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.482:37): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.486:38): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.486:39): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.488:41): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238106483.931:8): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.932:9): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.932:10): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.933:11): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.951:12): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.951:13): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.952:14): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.952:15): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.952:16): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.952:17): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.953:18): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.953:19): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.953:20): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.954:21): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.954:22): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.954:23): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.954:24): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.955:25): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.955:26): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.959:27): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.005:28): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.021:29): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.060:30): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.122:31): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.142:32): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.147:33): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.148:34): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.148:35): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.180:36): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106484.181:37): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106526.630:40): avc: denied { search } for pid=2688 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1238106526.630:40): avc: denied { read } for pid=2688 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1238106526.702:41): avc: denied { execute } for pid=2689 comm="pulseaudio" name="polkit-read-auth-helper" dev=sda5 ino=17300 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_auth_exec_t:s0 tclass=file
type=AVC msg=audit(1238106526.702:41): avc: denied { read open } for pid=2689 comm="pulseaudio" name="polkit-read-auth-helper" dev=sda5 ino=17300 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_auth_exec_t:s0 tclass=file
type=AVC msg=audit(1238106526.702:41): avc: denied { execute_no_trans } for pid=2689 comm="pulseaudio" path="/usr/libexec/polkit-read-auth-helper" dev=sda5 ino=17300 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:polkit_auth_exec_t:s0 tclass=file
type=AVC msg=audit(1238106526.753:42): avc: denied { setattr } for pid=2690 comm="pulseaudio" name=".pulse" dev=sda5 ino=132410 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1238106526.756:43): avc: denied { read } for pid=2690 comm="pulseaudio" name="babc6121fcf79fbe86069a3248e578cc:runtime" dev=sda5 ino=131673 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1238106526.765:44): avc: denied { write } for pid=2690 comm="pulseaudio" name="pulse-7jSoifiWvzLS" dev=sda5 ino=17108 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1238106526.765:44): avc: denied { add_name } for pid=2690 comm="pulseaudio" name="autospawn.lock" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1238106526.765:44): avc: denied { create } for pid=2690 comm="pulseaudio" name="autospawn.lock" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1238106526.765:44): avc: denied { write } for pid=2690 comm="pulseaudio" name="autospawn.lock" dev=sda5 ino=17316 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1238106526.854:45): avc: denied { read } for pid=2691 comm="pulseaudio" name="pulse-shm-868967743" dev=tmpfs ino=19899 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=file
type=AVC msg=audit(1238106526.854:45): avc: denied { open } for pid=2691 comm="pulseaudio" name="pulse-shm-868967743" dev=tmpfs ino=19899 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=file
type=AVC msg=audit(1238106526.854:46): avc: denied { getattr } for pid=2691 comm="pulseaudio" path="/dev/shm/pulse-shm-868967743" dev=tmpfs ino=19899 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmpfs_t:s0 tclass=file
type=AVC msg=audit(1238106527.020:47): avc: denied { read write } for pid=2691 comm="pulseaudio" name="babc6121fcf79fbe86069a3248e578cc:device-volumes.i386-redhat-linux-gnu.gdbm" dev=sda5 ino=132646 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1238106527.020:47): avc: denied { open } for pid=2691 comm="pulseaudio" name="babc6121fcf79fbe86069a3248e578cc:device-volumes.i386-redhat-linux-gnu.gdbm" dev=sda5 ino=132646 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1238106527.035:48): avc: denied { getattr } for pid=2691 comm="pulseaudio" path="/var/lib/gdm/.pulse/babc6121fcf79fbe86069a3248e578cc:device-volumes.i386-redhat-linux-gnu.gdbm" dev=sda5 ino=132646 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1238106527.415:51): avc: denied { lock } for pid=2691 comm="pulseaudio" path="/var/lib/gdm/.esd_auth" dev=sda5 ino=132649 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1238106527.436:52): avc: denied { create } for pid=2691 comm="pulseaudio" name="native" scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1238106527.439:53): avc: denied { setattr } for pid=2691 comm="pulseaudio" name="native" dev=sda5 ino=19560 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1238106527.695:54): avc: denied { remove_name } for pid=2688 comm="pulseaudio" name="autospawn.lock" dev=sda5 ino=17316 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1238106527.695:54): avc: denied { unlink } for pid=2688 comm="pulseaudio" name="autospawn.lock" dev=sda5 ino=17316 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1238106560.602:62): avc: denied { read } for pid=2691 comm="pulseaudio" name="babc6121fcf79fbe86069a3248e578cc:runtime" dev=sda5 ino=131673 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1238106560.602:62): avc: denied { write } for pid=2691 comm="pulseaudio" name="pulse-7jSoifiWvzLS" dev=sda5 ino=17108 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1238106560.602:62): avc: denied { remove_name } for pid=2691 comm="pulseaudio" name="native" dev=sda5 ino=19560 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1238106560.602:62): avc: denied { unlink } for pid=2691 comm="pulseaudio" name="native" dev=sda5 ino=19560 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1238106560.621:63): avc: denied { setattr } for pid=2691 comm="pulseaudio" name=".pulse" dev=sda5 ino=132410 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1238106560.622:64): avc: denied { write } for pid=2691 comm="pulseaudio" name="pid" dev=sda5 ino=17350 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1238106560.623:65): avc: denied { unlink } for pid=2691 comm="pulseaudio" name="pid" dev=sda5 ino=17350 scontext=system_u:system_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1238154706.445:8): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.447:9): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.447:10): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.447:11): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.457:12): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.458:13): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.458:14): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.458:15): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.458:16): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.459:17): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.459:18): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.459:19): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.460:20): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.460:21): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.460:22): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.460:23): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.461:24): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.461:25): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.461:26): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.471:27): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.508:28): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.510:29): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.522:30): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.708:31): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.720:32): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.724:33): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.724:34): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.725:35): avc: denied { getattr } for pid=2404 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.782:36): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238154706.783:37): avc: denied { search } for pid=2404 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238155282.150:61): avc: denied { read write } for pid=3671 comm="semanage" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238155282.150:61): avc: denied { read write } for pid=3671 comm="semanage" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238155401.283:63): avc: denied { read write } for pid=3738 comm="restorecon" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238155401.283:63): avc: denied { read write } for pid=3738 comm="restorecon" path="socket:[18111]" dev=sockfs ino=18111 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
[root at riohigh ~]#
[root at riohigh ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root at riohigh ~]#
[olivares at riohigh ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[olivares at riohigh ~]$

running the last one and seeing what will happen?

Thanks Robert for pointing out that the problems do exist and for helping out :)

Thank you Daniel for helping out in looking for fixes to this problem :)

Regards,

Antonio

From rnicholsNOSPAM at comcast.net Fri Mar 27 15:50:04 2009
From: rnicholsNOSPAM at comcast.net (Robert Nichols)
Date: Fri, 27 Mar 2009 10:50:04 -0500
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <49CCBE91.9090002@redhat.com>
References: <49CB7792.8090505@redhat.com> <347246.44517.qm@web52611.mail.re2.yahoo.com> <49CCBE91.9090002@redhat.com>
Message-ID:

Daniel J Walsh wrote:
> On 03/26/2009 11:43 AM, Robert Nichols wrote:
>> I can confirm the same behavior when trying to run "crontab -l" or
>> "crontab -e"
>> both as non-root and root user.
>>
>> Authentication service cannot retrieve authentication info
>> You (rnichols) are not allowed to access to (crontab) because of pam
>> configuration.
>>
>> OR
>>
>> Authentication service cannot retrieve authentication info
>> You (root) are not allowed to access to (crontab) because of pam
>> configuration.
>>
>> The problem goes away when running in permissive mode. Regardless of
>> permissive
>> vs. enforcing mode, no AVCs are logged. No changes have been made to the
>> rawhide SELinux or PAM configurations.
>> I do see this message logged in
>> /var/log/secure for each unsuccessful attempt:
>>
>> crontab: pam_unix(crond:account): helper binary execve failed:
>> Permission denied
>>
>> selinux-policy-3.6.8-3.fc11.noarch
>> selinux-policy-targeted-3.6.8-3.fc11.noarch
>> authconfig-5.4.7-2.fc11.i586
>>
> Do you see an SELINUX_ERR in /var/log/audit/audit.log?
>
> What does id -Z show?
>
> Could you try
>
> # semodule -DB
>
> Then look for avcs about cron.

I see this SELINUX_ERR in audit.log for each attempt:

type=SELINUX_ERR msg=audit(1238166172.444:23): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process

After "semodule -DB", I still don't see any AVCs from cron. With or without the dontaudits removed, running "grep cron audit.log" shows these 3 lines for each attempt:

type=SELINUX_ERR msg=audit(1238167945.826:1307): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1238167945.826:1307): arch=40000003 syscall=11 success=no exit=-13 a0=119d98 a1=bffd1030 a2=11c8e8 a3=119db4 items=0 ppid=3890 pid=3891 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1238167945.829:1308): user pid=3890 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="rnichols" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'

(Now running "semodule -B" to restore peace to my system!)

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
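The thread above mixes three different kinds of audit records that each call for a different fix: the repeated AVC denials for crontab on a unix_stream_socket owned by unconfined_t (setroubleshoot counted 177 of them), kde4-config being refused search/getattr on a default_t directory, and the SELINUX_ERR "invalid context" record Bob quotes, which is not an AVC at all and is the reason "grep cron" and audit2allow turn up nothing useful. The following Python script is an added example for this archive page, not code from the thread or from the SELinux userland: it parses a constructed sample of records shaped like the ones quoted above, collapses the repeats, and attaches a triage hint to each distinct denial. The hints (role/type authorisation for an invalid computed context, a missing file_contexts entry for default_t, a leaked descriptor for a socket owned by the parent domain) are the editor's heuristics, not a policy analyzer; confirm them against the installed policy with audit2allow -w, matchpathcon and seinfo/sesearch before changing anything.

```python
"""Triage SELinux audit records of the shapes quoted in this thread.

Added example for this archive page, not code from the thread or from the
SELinux userland; the sample input is constructed and the hints are heuristics.
"""
import re
from collections import Counter

# Constructed sample mirroring the quoted records; the second line carries the
# "node=" prefix that setroubleshoot adds, the last is a SYSCALL to be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238106483.931:8): avc: denied { getattr } for pid=2414 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238106483.932:9): avc: denied { search } for pid=2414 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SELINUX_ERR msg=audit(1238166172.444:23): security_compute_sid: invalid context unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1238166172.444:23): arch=40000003 syscall=11 success=no exit=-13 comm="crontab" exe="/usr/bin/crontab"
"""

AVC_RE = re.compile(r'^type=AVC msg=audit\([\d.]+:\d+\): avc: +denied +'
                    r'\{ (?P<perms>[^}]+?) \} +for (?P<fields>.*)$')
ERR_RE = re.compile(r'^type=SELINUX_ERR msg=audit\([\d.]+:\d+\): security_compute_sid: '
                    r'invalid context (?P<ctx>\S+) for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
NODE_RE = re.compile(r'^node=\S+ ')


def split_context(ctx):
    """user:role:type[:range] -> dict; the MLS range itself contains ':'."""
    user, role, type_, *rest = ctx.split(':')
    return {'user': user, 'role': role, 'type': type_, 'range': ':'.join(rest)}


def parse_record(line):
    """Normalise one AVC or SELINUX_ERR record; any other record type -> None."""
    line = NODE_RE.sub('', line.strip())
    m = AVC_RE.match(line) or ERR_RE.match(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'scontext': f['scontext'], 'tcontext': f['tcontext'], 'tclass': f['tclass']}
    if 'perms' in m.groupdict():
        rec.update(kind='avc', perms=tuple(m.group('perms').split()),
                   comm=f.get('comm'), target=f.get('path') or f.get('name'))
    else:
        rec.update(kind='invalid_context', perms=(), comm=None, target=m.group('ctx'))
    return rec


def diagnose(rec):
    """Triage hint. Heuristics, not policy analysis: confirm with sesearch/seinfo."""
    src, tgt = split_context(rec['scontext']), split_context(rec['tcontext'])
    if rec['kind'] == 'invalid_context':
        bad = split_context(rec['target'])
        if (bad['user'], bad['role'], bad['range']) == (src['user'], src['role'], src['range']):
            # Only the type changed on the exec transition, so the policy rejected
            # the role/type pairing: that role is not authorised for the new type.
            return ('transition to %s rejected: role %s is not authorised for that type; '
                    'an allow rule from audit2allow cannot fix this' % (bad['type'], bad['role']))
        return 'computed context %s is invalid (user, role or range)' % rec['target']
    if tgt['type'] == 'default_t':
        return ('%s is default_t: no file_contexts entry matches that path; check '
                'matchpathcon and relabel or move it' % rec['target'])
    if tgt['role'] != 'object_r' and rec['tclass'].endswith('socket'):
        # The target is a socket owned by another domain, not a filesystem object:
        # the child inherited an open descriptor from its parent.
        return ('%s holds a %s inherited from %s: likely a leaked descriptor, '
                'a dontaudit candidate rather than an allow' % (rec['comm'], rec['tclass'], tgt['type']))
    return 'no heuristic match; review with audit2allow -w'


def summarize(log_text):
    """Collapse repeats by (kind, comm, perms, source type, target type, class)."""
    counts, first = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec['kind'], rec['comm'], rec['perms'], split_context(rec['scontext'])['type'],
               split_context(rec['tcontext'])['type'], rec['tclass'])
        counts[key] += 1
        first.setdefault(key, rec)
    return [{'count': n, 'kind': k[0], 'comm': k[1], 'perms': k[2], 'stype': k[3],
             'ttype': k[4], 'tclass': k[5], 'hint': diagnose(first[k])}
            for k, n in counts.most_common()]


if __name__ == '__main__':
    for row in summarize(SAMPLE_AUDIT_LOG):
        print('%3d %-15s %-12s %-11s %s -> %s (%s)' % (
            row['count'], row['kind'], row['comm'] or '-', ' '.join(row['perms']) or '-',
            row['stype'], row['ttype'], row['tclass']))
        print('    hint: %s' % row['hint'])
```

To run it against a real system, replace SAMPLE_AUDIT_LOG with the output of ausearch -m avc,selinux_err -ts today (or the raw /var/log/audit/audit.log), and run it once before and once after semodule -DB: denials that only appear in the second run were being dontaudited, which is exactly the check Dan asks Bob to make above.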
From dwalsh at redhat.com Fri Mar 27 18:37:19 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Fri, 27 Mar 2009 14:37:19 -0400 Subject: selinux does not like crontab :(, default_t, kde In-Reply-To: <502316.66529.qm@web52612.mail.re2.yahoo.com> References: <502316.66529.qm@web52612.mail.re2.yahoo.com> Message-ID: <49CD1CDF.2070208@redhat.com> On 03/25/2009 07:03 PM, Antonio Olivares wrote: > Dear all, > > I have resolved one problem(Not getting internet at startup by default), but have not fixed the crontab one and other(s): > > This one does not go away :( > > > Summary: > > SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t. > > Detailed Description: > > SELinux denied access requested by crontab. It is not expected that this access > is required by crontab and this access may signal an intrusion attempt. It is > also possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. 
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects                socket [ unix_stream_socket ]
> Source                        crontab
> Source Path                   /usr/bin/crontab
> Port
> Host                          riohigh
> Source RPM Packages           cronie-1.2-7.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.8-3.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
>                               #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
> Alert Count                   177
> First Seen                    Mon 02 Mar 2009 07:11:37 PM CST
> Last Seen                     Wed 25 Mar 2009 04:57:03 PM CST
> Local ID                      3883b140-4d39-40f5-9262-ce2c4c4e2e16
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
>
>
> I can't modify my crontab file:
>
> [olivares at riohigh ~]$ crontab -l
>
> Authentication service cannot retrieve authentication info
> You (olivares) are not allowed to access to (crontab) because of pam configuration.
> [olivares at riohigh ~]$
>
> if I disable selinux, I can modify it and view it, but not with selinux enabled.
>
> I got greeted with the following:
>
>
> Summary:
>
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled default_t are being denied. These
> files/directories have the default label on them. This can indicate a labeling
> problem, especially if the files being referred to are not top level
> directories. Any files/directories under standard system directories, /usr,
> /var, /dev, /tmp, ..., should not be labeled with the default label. The default
> label is for files/directories which do not have a label on a parent directory.
> So if you create a new directory in / you might legitimately get this label.
>
> Allowing Access:
>
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon. In some cases it is just easier to
> relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:default_t:s0
> Target Objects                /.kde [ dir ]
> Source                        kde4-config
> Source Path                   /usr/bin/kde4-config
> Port
> Host                          riohigh
> Source RPM Packages           kdelibs-4.2.1-4.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.8-3.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   default
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
>                               #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
> Alert Count                   7
> First Seen                    Wed 25 Mar 2009 04:38:14 PM CST
> Last Seen                     Wed 25 Mar 2009 04:38:14 PM CST
> Local ID                      d3d42e40-6a28-48cf-8717-b85579c55bad
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
> Summary:
>
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description:
>
> SELinux permission checks on files labeled default_t are being denied. These
> files/directories have the default label on them. This can indicate a labeling
> problem, especially if the files being referred to are not top level
> directories. Any files/directories under standard system directories, /usr,
> /var, /dev, /tmp, ..., should not be labeled with the default label. The default
> label is for files/directories which do not have a label on a parent directory.
> So if you create a new directory in / you might legitimately get this label.
>
> Allowing Access:
>
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon. In some cases it is just easier to
> relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> Additional Information:
>
> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:default_t:s0
> Target Objects                .kde [ dir ]
> Source                        kde4-config
> Source Path                   /usr/bin/kde4-config
> Port
> Host                          riohigh
> Source RPM Packages           kdelibs-4.2.1-4.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.8-3.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   default
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586
>                               #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
> Alert Count                   23
> First Seen                    Wed 25 Mar 2009 04:38:14 PM CST
> Last Seen                     Wed 25 Mar 2009 04:38:14 PM CST
> Local ID                      711eec22-2695-4e57-91ad-622e9c5f3b53
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>
>
> Startup did not take the 20 seconds, it took like 8 to 10 minutes with the relabeling and I still see the same things. Is there an update that will fix this, or do I have to disable selinux or boot in permissive in order to have a working machine?
>
> Please help, this is no longer fun as it once was.
>
> Regards,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Update to

selinux-policy-3.6.10-2.fc11

From olivares14031 at yahoo.com Fri Mar 27 21:59:16 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Fri, 27 Mar 2009 14:59:16 -0700 (PDT)
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <49CD1CDF.2070208@redhat.com>
Message-ID: <728837.96320.qm@web52603.mail.re2.yahoo.com>

> Update to
>
> selinux-policy-3.6.10-2.fc11

Not available :(

[root at riohigh ~]# yum update
adobe-linux-i386                                   |  951 B     00:00
adobe-linux-i386/primary                           |   10 kB    00:00
adobe-linux-i386                                                   17/17
rawhide/metalink                                   | 7.1 kB     00:00
rawhide                                            | 3.4 kB     00:00
rawhide/primary_db                                 | 8.0 MB     00:24
Setting up Update Process
No Packages marked for Update

Selinux is going crazy, the setroubleshooter hogs the CPU with a great deal of denials even in permissive mode.
I hope I wake up next Monday and the problem goes away, hopefully with the release of Fedora 11 Beta :)

nsplugin, pulseaudio and others are also causing lots of trouble, problem is I tried to write a bug report but was unable to, setroubleshoot daemon died and I could not copy paste it :(

[olivares at riohigh ~]$ dmesg | grep 'avc'
type=1400 audit(1238189886.196:3): avc: denied { search } for pid=1553 comm="ifconfig" name="selinux" dev=sda5 ino=25722 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=1400 audit(1238189886.196:4): avc: denied { read } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=1400 audit(1238189886.196:5): avc: denied { open } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=1400 audit(1238189886.196:6): avc: denied { getattr } for pid=1553 comm="ifconfig" path="/etc/selinux/config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=1400 audit(1238189886.197:7): avc: denied { getattr } for pid=1553 comm="ifconfig" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=1400 audit(1238189886.197:8): avc: denied { search } for pid=1553 comm="ifconfig" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=1400 audit(1238189886.197:9): avc: denied { getattr } for pid=1553 comm="ifconfig" path="/selinux/class" dev=selinuxfs ino=26 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=1400 audit(1238189886.197:10): avc: denied { read } for pid=1553 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=1400 audit(1238189886.198:11): avc: denied { open } for pid=1553 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
type=1400 audit(1238189892.172:12): avc: denied { rlimitinh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process
type=1400 audit(1238189892.172:13): avc: denied { siginh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process
type=1400 audit(1238189892.172:14): avc: denied { noatsecure } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process

Here are some anyway even with enforcing=0 (permissive mode) :(

Regards,

Antonio

From rnicholsNOSPAM at comcast.net Fri Mar 27 22:55:01 2009
From: rnicholsNOSPAM at comcast.net (Robert Nichols)
Date: Fri, 27 Mar 2009 17:55:01 -0500
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <728837.96320.qm@web52603.mail.re2.yahoo.com>
References: <49CD1CDF.2070208@redhat.com> <728837.96320.qm@web52603.mail.re2.yahoo.com>
Message-ID:

Antonio Olivares wrote:
>> Update to
>>
>> selinux-policy-3.6.10-2.fc11
>
> Not available :(

No doubt held back by the Beta freeze, which has now been lifted, and will come through in tonight's rawhide push.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
From rnicholsNOSPAM at comcast.net Sun Mar 29 05:32:51 2009
From: rnicholsNOSPAM at comcast.net (Robert Nichols)
Date: Sun, 29 Mar 2009 00:32:51 -0500
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <49CD1CDF.2070208@redhat.com>
References: <502316.66529.qm@web52612.mail.re2.yahoo.com> <49CD1CDF.2070208@redhat.com>
Message-ID:

Daniel J Walsh wrote:
> On 03/25/2009 07:03 PM, Antonio Olivares wrote:
>> Dear all,
>>
>> I have resolved one problem (Not getting internet at startup by
>> default), but have not fixed the crontab one and other(s):
>>
>> This one does not go away :(
>>
>>
>> Summary:
>>
>> SELinux is preventing crontab (admin_crontab_t) "read write"
>> unconfined_t.
> Update to
>
> selinux-policy-3.6.10-2.fc11

Now that the update logjam has broken, this problem is fixed in selinux-policy*-3.6.10-4.fc11. Thanks.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.

From chepkov at yahoo.com Sun Mar 29 13:54:57 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Sun, 29 Mar 2009 06:54:57 -0700 (PDT)
Subject: Proftpd AVC
Message-ID: <948464.12614.qm@web36806.mail.mud.yahoo.com>

Hi,
I am not sure what this is about?

type=AVC msg=audit(1238334358.188:369): avc: denied { write } for pid=4251 comm="proftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=key

audit2allow suggests
allow ftpd_t self:key write;

But I am not sure if I should do it or not.
Sincerely yours,
Vadym Chepkov

From dwalsh at redhat.com Mon Mar 30 13:42:22 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 30 Mar 2009 09:42:22 -0400
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <728837.96320.qm@web52603.mail.re2.yahoo.com>
References: <728837.96320.qm@web52603.mail.re2.yahoo.com>
Message-ID: <49D0CC3E.1080706@redhat.com>

On 03/27/2009 05:59 PM, Antonio Olivares wrote:
>> Update to
>>
>> selinux-policy-3.6.10-2.fc11
>
> Not available :(
>
> [root at riohigh ~]# yum update
> adobe-linux-i386                                   |  951 B     00:00
> adobe-linux-i386/primary                           |   10 kB    00:00
> adobe-linux-i386                                                   17/17
> rawhide/metalink                                   | 7.1 kB     00:00
> rawhide                                            | 3.4 kB     00:00
> rawhide/primary_db                                 | 8.0 MB     00:24
> Setting up Update Process
> No Packages marked for Update
>
>
> Selinux is going crazy, the setroubleshooter hogs the CPU with a great deal of denials even in permissive mode. I hope I wake up next Monday and the problem goes away, hopefully with the release of Fedora 11 Beta :)
>
> nsplugin, pulseaudio and others are also causing lots of trouble, problem is I tried to write a bug report but was unable to, setroubleshoot daemon died and I could not copy paste it :(
>
> [olivares at riohigh ~]$ dmesg | grep 'avc'
> type=1400 audit(1238189886.196:3): avc: denied { search } for pid=1553 comm="ifconfig" name="selinux" dev=sda5 ino=25722 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
> type=1400 audit(1238189886.196:4): avc: denied { read } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=1400 audit(1238189886.196:5): avc: denied { open } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=1400 audit(1238189886.196:6): avc: denied { getattr } for pid=1553 comm="ifconfig" path="/etc/selinux/config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
> type=1400 audit(1238189886.197:7): avc: denied { getattr } for pid=1553 comm="ifconfig" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=filesystem
> type=1400 audit(1238189886.197:8): avc: denied { search } for pid=1553 comm="ifconfig" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
> type=1400 audit(1238189886.197:9): avc: denied { getattr } for pid=1553 comm="ifconfig" path="/selinux/class" dev=selinuxfs ino=26 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=dir
> type=1400 audit(1238189886.197:10): avc: denied { read } for pid=1553 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
> type=1400 audit(1238189886.198:11): avc: denied { open } for pid=1553 comm="ifconfig" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file
> type=1400 audit(1238189892.172:12): avc: denied { rlimitinh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process
> type=1400 audit(1238189892.172:13): avc: denied { siginh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process
> type=1400 audit(1238189892.172:14): avc: denied { noatsecure } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process
>
>
> Here are some anyway even with enforcing=0 (permissive mode) :(
>
> Regards,
>
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This sounds like you have a mislabeled system. Rawhide has opened today. See if the update fixes your problems, otherwise try a relabel.

From dwalsh at redhat.com Mon Mar 30 13:51:55 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 30 Mar 2009 09:51:55 -0400
Subject: Proftpd AVC
In-Reply-To: <948464.12614.qm@web36806.mail.mud.yahoo.com>
References: <948464.12614.qm@web36806.mail.mud.yahoo.com>
Message-ID: <49D0CE7B.1040609@redhat.com>

On 03/29/2009 09:54 AM, Vadym Chepkov wrote:
> Hi,
> I am not sure what this is about?
>
> type=AVC msg=audit(1238334358.188:369): avc: denied { write } for pid=4251 comm="proftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=key
>
> audit2allow suggests
> allow ftpd_t self:key write;
>
> But I am not sure if I should do it or not.
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You should allow it, although nothing actually uses this, so it could be safely ignored.

From olivares14031 at yahoo.com Mon Mar 30 22:20:46 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Mon, 30 Mar 2009 15:20:46 -0700 (PDT)
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <49D0CC3E.1080706@redhat.com>
Message-ID: <281621.91504.qm@web52607.mail.re2.yahoo.com>

> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> This sounds like you have a mislabeled system. Rawhide has
> opened
> today. see if the update fixes your problems, otherwise try
> a relabel.
Now it is not selinux's fault:

[olivares at riohigh Download]$ crontab -l
cron/olivares: Permission denied
[olivares at riohigh Download]$ crontab -e
cron/olivares: Permission denied
[olivares at riohigh Download]$ dmesg | grep 'avc'
type=1400 audit(1238450106.840:4): avc: denied { read } for pid=1716 comm="dmesg" name="ld.so.cache" dev=sda5 ino=68454 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Wonder what it could be now?

Thanks,

Antonio

From dwalsh at redhat.com Tue Mar 31 12:26:01 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 31 Mar 2009 08:26:01 -0400
Subject: selinux does not like crontab :(, default_t, kde
In-Reply-To: <281621.91504.qm@web52607.mail.re2.yahoo.com>
References: <281621.91504.qm@web52607.mail.re2.yahoo.com>
Message-ID: <49D20BD9.5010004@redhat.com>

On 03/30/2009 06:20 PM, Antonio Olivares wrote:
>
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> This sounds like you have a mislabeled system. Rawhide has
>> opened
>> today. see if the update fixes your problems, otherwise try
>> a relabel.
>
> Now it is not selinux's fault:
>
> [olivares at riohigh Download]$ crontab -l
> cron/olivares: Permission denied
> [olivares at riohigh Download]$ crontab -e
> cron/olivares: Permission denied
> [olivares at riohigh Download]$ dmesg | grep 'avc'
> type=1400 audit(1238450106.840:4): avc: denied { read } for pid=1716 comm="dmesg" name="ld.so.cache" dev=sda5 ino=68454 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
>
>
> Wonder what it could be now?
>
> Thanks,
>
> Antonio
>

That should be fixed in rawhide policy.

selinux-policy-3.6.10-4.fc11.noarch

>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From goeran at uddeborg.se Tue Mar 31 20:08:57 2009
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Tue, 31 Mar 2009 22:08:57 +0200
Subject: kde avc (SELinux prevented kde4-config from writing .kde.) will it be on next selinux policy update?
In-Reply-To: <49AFDF35.6040707@redhat.com>
References: <389193.15867.qm@web52601.mail.re2.yahoo.com> <49AFDF35.6040707@redhat.com>
Message-ID: <18898.30809.956133.628833@freddi.uddeborg>

Daniel J Walsh writes:
> Antonio Olivares wrote:
>> SELinux prevented kde4-config from writing .kde.
>> Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
>> Target Context                system_u:object_r:root_t:s0
>> Target Objects                .kde [ dir ]
> This is a bug in kdebase. The kdm login program thinks its home dir is
> / so it is trying to create /.kde in the root directory. There are bugs
> filed on this.

I don't find the bugzilla. Do you have a reference?

There must be something more than kdm causing this. I get the same, and I use the default gdm as login manager.
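The denials quoted across this thread fall into two very different classes, and the replies treat them differently: the crontab socket denials, the ifconfig lines from dmesg and the ftpd key denial are policy questions (audit2allow turned the last one into "allow ftpd_t self:key write;", and Dan's answer was that it is harmless to allow), whereas the xdm_t hits on /.kde carry tcontext default_t, which setroubleshoot and Dan both read as a labeling problem to be fixed with chcon/restorecon or a full relabel, not with a rule. The script below is an added example, not code from the list or from the selinux-policy project. It parses both record forms seen above (auditd's "type=AVC msg=audit(...)" and the "type=1400 audit(...)" form that dmesg prints), collapses repeats so that a denial logged 177 times yields one rule, and splits the result into audit2allow-style allow rules and relabel advice. The sample records are constructed from the ones posted in the thread (the tcontext field of the proftpd line is spelled out); the function names and the choice of which target types count as "mislabeled" are my own.

```python
"""Triage SELinux AVC denials before reaching for audit2allow.

Added example, not code from the mailing list or the selinux-policy project.
Handles both record forms seen in this thread (auditd's "type=AVC msg=audit(...)"
and the "type=1400 audit(...)" form dmesg prints), collapses repeated denials,
and separates labeling problems (target type default_t: fix the label) from
policy gaps (emit an allow rule).
"""
import re
from collections import OrderedDict

# Constructed sample built from the denials quoted in this thread. The crontab
# record appears twice on purpose: setroubleshoot counted it 177 times, and a
# policy module must not grow one rule per repetition. The SYSCALL record is
# there to show that non-AVC lines are skipped.
SAMPLE_AVCS = """
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 ppid=4295 pid=4331 auid=500 uid=500 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=1400 audit(1238189886.196:4): avc: denied { read } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=1400 audit(1238189886.196:5): avc: denied { open } for pid=1553 comm="ifconfig" name="config" dev=sda5 ino=97197 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=1400 audit(1238189892.172:12): avc: denied { rlimitinh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process
type=1400 audit(1238189892.172:13): avc: denied { siginh } for pid=1815 comm="modprobe" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=process
type=AVC msg=audit(1238334358.188:369): avc: denied { write } for pid=4251 comm="proftpd" scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0 tclass=key
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object types that mean "this file is mislabeled", not "policy is too tight".
# My choice of set; setroubleshoot's "default" plugin fires on default_t.
LABELING_TYPES = {"default_t", "unlabeled_t"}


def context_type(ctx):
    """user:role:type[:range] -> type, e.g. system_u:object_r:default_t:s0 -> default_t."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return one denial as a dict, or None for anything that is not an AVC
    record (SYSCALL records, blank lines, unrelated kernel output)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        "object": fields.get("path") or fields.get("name"),
    }


def summarize(text):
    """Collapse repeats by (source type, target type, class) and split the
    result into allow rules in audit2allow syntax and relabel advice.
    Returns (rules, relabel, counts)."""
    merged = OrderedDict()
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        e = merged.setdefault(key, {"perms": set(), "count": 0, "comms": set(), "objects": set()})
        e["perms"] |= d["perms"]
        e["count"] += 1
        e["comms"].add(d["comm"])
        if d["object"]:
            e["objects"].add(d["object"])

    rules, relabel = [], []
    for (stype, ttype, tclass), e in merged.items():
        comms = ",".join(sorted(e["comms"]))
        if ttype in LABELING_TYPES:
            # An allow rule on default_t would let the domain reach *every*
            # mislabeled object on the box; fix the label instead.
            objs = ", ".join(sorted(e["objects"])) or "<object not logged>"
            relabel.append(f"{comms} ({stype}) hit {ttype} on {objs}: run restorecon -Rv on it "
                           f"(or touch /.autorelabel and reboot) instead of adding a rule")
            continue
        target = "self" if ttype == stype else ttype
        perms = sorted(e["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules, relabel, {k: v["count"] for k, v in merged.items()}


if __name__ == "__main__":
    rules, relabel, counts = summarize(SAMPLE_AVCS)
    for (stype, ttype, tclass), n in counts.items():
        print(f"{n:3d}x {stype} -> {ttype}:{tclass}")
    print("\n".join(["", "# candidate local policy (review each line before semodule -i):"] + rules))
    print("\n".join(["", "# labeling problems, not policy gaps:"] + relabel))
```

Run as-is it prints five collapsed (source, target, class) groups, four allow rules and one relabel note for /.kde. The rules are candidates, not a module: check each against the thread before building a .te file, since the crontab denial was fixed by the selinux-policy update rather than by a local rule, and the key write is one Dan says nothing actually uses.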