From chepkov at yahoo.com Thu Oct 1 00:21:56 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Wed, 30 Sep 2009 17:21:56 -0700 (PDT)
Subject: Strange AVC
Message-ID: <522937.70517.qm@web36805.mail.mud.yahoo.com>

Hi,

I am puzzled, what could have caused this kind of AVC:

type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1254270789.862:74347): avc: denied { read } for pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Sincerely yours,
Vadym Chepkov

From js44352 at gmail.com Thu Oct 1 02:13:42 2009
From: js44352 at gmail.com (Jason Shaw)
Date: Wed, 30 Sep 2009 20:13:42 -0600
Subject: The SELinux Documentation Project [Request for topics]
In-Reply-To: <4AC1130D.8000601@manicmethod.com>
References: <4AC1130D.8000601@manicmethod.com>
Message-ID:

Starting a SELinux documentation project is a fantastic idea, and is truly much needed!

I am two months new to SELinux, and have literally put together an 8 inch binder of documentation from what I would estimate to be 50-70 different sources.

Areas of deficiencies that I think could use more documentation include:

1) Current description of all objects and classes supported by SELinux

2) Simple 'getting started' policy module examples to help explain things such as creating new types/domains and working with domain transitions, explanation of how testing through an SSH shell can give you different results than from testing at the console, and networking examples: restricting access to sockets, denying access to specific network interfaces, details explaining why one would use macros in policy, simple MLS getting started examples.
3) Explanation of how SELinux can be different between various Linux distros (such as how enabling the SELinux strict policy causes RHEL 5.3 not to boot, how MLS does not support X in Fedora and other distros, why Fedora is the latest development version, and how there seem to be a lot of older tools for SELinux that have been superseded by utilities such as semanage).

4) Tutorials showing how to use SLIDE

5) Explanation of when users and roles are used and not used (for example, how their use can be different between files and processes).

6) Examples of how to test the robustness of SELinux configurations (for example, try to access files and processes as root to see permission denied errors).

On Mon, Sep 28, 2009 at 1:48 PM, Joshua Brindle wrote:
> As we discussed at Linux Plumbers Conference during the 'Making SELinux
> Easier to Use' talk we have some document deficiencies in the SELinux
> project.
>
> I volunteered to start an SELinux Documentation Project. The primary
> purpose of the project would be to get as much documentation as possible on
> the selinuxproject.org wiki, organized in a fashion that users can
> understand and consume easily.
>
> As I admitted before, we, the developers, are not always the best people to
> judge what documentation users need and therefore am requesting users,
> hopefully from different backgrounds and environments, tell us what
> documentation they feel is lacking, what questions they've been asked or
> have asked themselves and couldn't find documentation for.
>
> I think we need basic documentation that tells about SELinux (both beginner
> and advanced), howtos for specific things (using secmark, using netlabel,
> etc) and a set of short 'recipes' to accomplish simple tasks.
>
> There are documents all over the place with various information, as well as
> blog entries and mailing list archives but the effort here is to consolidate
> all those resources onto selinuxproject.org.
>
> I'd also like to see volunteers in the community to help out with the
> documentation effort, I know quite a few people already write things like
> this on blogs, etc and it would be great to see that information
> moved/copied onto selinuxproject.org.
>
>
> Users:
>
> Please, if you are a user and have run into lack of documentation respond
> to this thread, or privately if you aren't comfortable talking on list so
> that we can collect what the biggest deficiencies are and get to writing
> documentation as soon as possible.
>
>
> Thanks.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

From tony.molloy at ul.ie Thu Oct 1 07:24:16 2009
From: tony.molloy at ul.ie (Tony Molloy)
Date: Thu, 1 Oct 2009 08:24:16 +0100
Subject: Samba AVC
In-Reply-To: <4AC39625.8090703@redhat.com>
References: <200909301015.15335.tony.molloy@ul.ie> <4AC39625.8090703@redhat.com>
Message-ID: <200910010824.17298.tony.molloy@ul.ie>

On Wednesday 30 September 2009 18:32:21 Daniel J Walsh wrote:
>
> This is definitely fixed in 5.4 policy.
>
> 5.5 policy is now previewing at
> http://people.redhat.com/dwalsh/SELinux/RHEL5
>

Thanks Daniel, as I said I generated a local policy so the messages are no longer clogging up the logs. I'll have a look at the latest policy.

Regards,

Tony

--
Dept. of Comp. Sci.
University of Limerick.
From domg472 at gmail.com Thu Oct 1 09:51:04 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 1 Oct 2009 11:51:04 +0200
Subject: Strange AVC
In-Reply-To: <522937.70517.qm@web36805.mail.mud.yahoo.com>
References: <522937.70517.qm@web36805.mail.mud.yahoo.com>
Message-ID: <20091001095102.GA2581@notebook2.grift.internal>

On Wed, Sep 30, 2009 at 05:21:56PM -0700, Vadym Chepkov wrote:
> Hi,
>
> I am puzzled, what could have caused this kind of AVC:
>
> type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1254270789.862:74347): avc: denied { read } for pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Well, uptime runs in the httpd_t domain and the httpd domain (uptime) tried to read the /var/run/utmp file. /var/run/utmp has an object type that is owned by init scripts for objects in /var/run.

You can and should check first to see whether the types are correct: should "uptime" in this scenario run in the httpd_t domain (is it called from a webapp (non-cgi))? Also, is the target object labelled properly (matchpathcon /var/run/utmp)?

Once that is established you can verify whether httpd_t should be able to access the target type:

sesearch --allow -s httpd_t -t initrc_var_run_t -c file -p read

With this information you are going to have to make your security decision.

Should you allow it or deny it?

I can tell you that in my configuration /var/run/utmp also has type initrc_var_run_t. So I guess that is what it should be.

What I cannot tell you is why and how uptime is executed in this scenario. All I know is that it runs in the httpd_t domain.
>
>
> Sincerely yours,
> Vadym Chepkov
>

From deleriux at airattack-central.com Thu Oct 1 10:05:36 2009
From: deleriux at airattack-central.com (Matthew Ife)
Date: Thu, 01 Oct 2009 11:05:36 +0100
Subject: getsebool -d
Message-ID: <1254391536.11388.28.camel@home.localdomain>

Would it be possible to add a description flag for getsebool so that it will produce a description of a bool out to the user when they pass -d?

One of the problems of getsebool is that it only shows you what bools are there but not what they are supposed to do. I expect this should make it much more straightforward for sysadmins to implement selinux on their systems.

I'm aware that man pages do produce useful descriptions of bools; however, I would think it would be much more convenient to do it this way. Also some tunables for whatever reason might not be documented in man pages, or custom policy may not have man pages for it, but it could add the bool description in XML somewhere else.

Additionally getsebool -a -d should produce a description for all bools so a sysadmin can grep for keywords.

How feasible would this be to do?

From domg472 at gmail.com Thu Oct 1 10:10:16 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 1 Oct 2009 12:10:16 +0200
Subject: The SELinux Documentation Project [Request for topics]
In-Reply-To:
References: <4AC1130D.8000601@manicmethod.com>
Message-ID: <20091001101015.GB2581@notebook2.grift.internal>

On Wed, Sep 30, 2009 at 08:13:42PM -0600, Jason Shaw wrote:
> Starting a SELinux documentation project is a fantastic idea, and is truly
> much needed!
>
> I am two months new to SELinux, and have literally put together an 8 inch
> binder of documentation from what I would estimate to be 50-70 different
> sources.
>
> Areas of deficiencies that I think could use more documentation include:
>
> 1) Current description of all objects and classes supported by SELinux

http://oss.tresys.com/projects/refpolicy/wiki/ObjectClassesPerms

This is for me the reference I use, and google/maillists.

>
> 2) Simple 'getting started' policy module examples to help explain things
> such as creating new types/domains and working with domain transitions,
> explanation of how testing through an SSH shell can give you different
> results than from testing at the console, and networking examples:
> restricting access to sockets, denying access to specific network
> interfaces, details explaining why one would use macros in policy, simple
> MLS getting started examples.

http://www.youtube.com/results?search_query=SELinux+confine+a+GUI+app&search_type=

Is a series of screencasts I created whilst creating a policy for google gadgets. It is far from perfect but it might help people get started.

I also have other screencasts:

http://www.youtube.com/results?search_query=domg4721&search_type=&aq=f

and a blog with some stuff. Especially my series on locking down selinux has some nice examples in my view.

http://selinux-mac.blogspot.com/

>
> 3) Explanation of how SELinux can be different between various Linux distros
> (such as how enabling the SELinux strict policy causes RHEL 5.3 not to boot,
> how MLS does not support X in Fedora and other distros, why Fedora is the
> latest development version, and how there seem to be a lot of older tools
> for SELinux that have been superseded by utilities such as semanage.

Good idea.

> 4) Tutorials showing how to use SLIDE

http://www.youtube.com/watch?v=x2soA3CD2pY

A very small intro on slide. But agreed we should do more.
Good idea, although it is best to know how it works without SLIDE's help first.

> 5) Explanation of when users and roles are used and not used (for example,
> how their use can be different between files and processes).

Good idea. Noted.

>
> 6) Examples of how to test the robustness of SELinux configurations. (for
> example, try to access files and processes as root to see permission denied
> errors)

Good idea. I think one or some of my videos touched on confining root and its impact.

Great ideas, thanks for your feedback. I will use this to create some new documentation in the near future.

>
>
> On Mon, Sep 28, 2009 at 1:48 PM, Joshua Brindle wrote:
>
> > As we discussed at Linux Plumbers Conference during the 'Making SELinux
> > Easier to Use' talk we have some document deficiencies in the SELinux
> > project.
> >
> > I volunteered to start an SELinux Documentation Project. The primary
> > purpose of the project would be to get as much documentation as possible on
> > the selinuxproject.org wiki, organized in a fashion that users can
> > understand and consume easily.
> >
> > As I admitted before, we, the developers, are not always the best people to
> > judge what documentation users need and therefore am requesting users,
> > hopefully from different backgrounds and environments, tell us what
> > documentation they feel is lacking, what questions they've been asked or
> > have asked themselves and couldn't find documentation for.
> >
> > I think we need basic documentation that tells about SELinux (both beginner
> > and advanced), howtos for specific things (using secmark, using netlabel,
> > etc) and a set of short 'recipes' to accomplish simple tasks.
> >
> > There are documents all over the place with various information, as well as
> > blog entries and mailing list archives but the effort here is to consolidate
> > all those resources onto selinuxproject.org.
> >
> > I'd also like to see volunteers in the community to help out with the
> > documentation effort, I know quite a few people already write things like
> > this on blogs, etc and it would be great to see that information
> > moved/copied onto selinuxproject.org.
> >
> >
> > Users:
> >
> > Please, if you are a user and have run into lack of documentation respond
> > to this thread, or privately if you aren't comfortable talking on list so
> > that we can collect what the biggest deficiencies are and get to writing
> > documentation as soon as possible.
> >
> >
> > Thanks.
> >

From domg472 at gmail.com Thu Oct 1 10:14:22 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 1 Oct 2009 12:14:22 +0200
Subject: getsebool -d
In-Reply-To: <1254391536.11388.28.camel@home.localdomain>
References: <1254391536.11388.28.camel@home.localdomain>
Message-ID: <20091001101421.GC2581@notebook2.grift.internal>

On Thu, Oct 01, 2009 at 11:05:36AM +0100, Matthew Ife wrote:
> Would it be possible to add a description flag for getsebool so that it
> will produce a description of a bool out to the user when they pass -d?
>
> One of the problems of getsebool is that it only shows you what bools
> are there but not what they are supposed to do. I expect this should
> make it much more straightforward for sysadmins to implement selinux on
> their systems.
>
> I'm aware that man pages do produce useful descriptions of bools; however,
> I would think it would be much more convenient to do it this way.
> Also
> some tunables for whatever reason might not be documented in man pages
> or custom policy may not have man pages for it but it could add the bool
> description in XML somewhere else.
>
> Additionally getsebool -a -d should produce a description for all bools
> so a sysadmin can grep for keywords.

semanage boolean -l might help:

[root at notebook2 ~]# semanage boolean -l | grep httpd | head -n 1
httpd_can_network_relay -> off   Allow httpd to act as a relay

>
> How feasible would this be to do?
>

From roberto.sassu at polito.it Thu Oct 1 13:13:14 2009
From: roberto.sassu at polito.it (Roberto Sassu)
Date: Thu, 1 Oct 2009 15:13:14 +0200
Subject: selinux-polgengui not working on Fedora 11
Message-ID: <200910011513.14720.roberto.sassu@polito.it>

Hi all

I'm trying to use the utility selinux-polgengui under Fedora 11, but at the end of the wizard process the program is unable to generate the policy and it displays this message:

"too many values to unpack".

When I execute this from the shell, another message is also prompted:

/usr/share/system-config-selinux/polgengui.py:417: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
  self.error(e.message)

I have the distribution up to date and I use KDE 4.3.1 as window manager.
How to solve this issue?
Thanks for replies

From dwalsh at redhat.com Thu Oct 1 13:52:47 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 01 Oct 2009 09:52:47 -0400
Subject: selinux-polgengui not working on Fedora 11
In-Reply-To: <200910011513.14720.roberto.sassu@polito.it>
References: <200910011513.14720.roberto.sassu@polito.it>
Message-ID: <4AC4B42F.8050900@redhat.com>

On 10/01/2009 09:13 AM, Roberto Sassu wrote:
> Hi all
>
> I'm trying to use the utility selinux-polgengui under Fedora 11, but at the
> end of the wizard process the program is unable to generate the policy and it
> displays this message:
>
> "too many values to unpack".
>
> When I execute this from the shell, another message is also prompted:
>
> /usr/share/system-config-selinux/polgengui.py:417: DeprecationWarning:
> BaseException.message has been deprecated as of Python 2.6
>   self.error(e.message)
>
> I have the distribution up to date and I use KDE 4.3.1 as window manager.
> How to solve this issue?
> Thanks for replies
>

What did you select?

Might be a code path that has not been traversed.
From dwalsh at redhat.com Thu Oct 1 14:06:00 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 01 Oct 2009 10:06:00 -0400
Subject: Strange AVC
In-Reply-To: <20091001095102.GA2581@notebook2.grift.internal>
References: <522937.70517.qm@web36805.mail.mud.yahoo.com> <20091001095102.GA2581@notebook2.grift.internal>
Message-ID: <4AC4B748.8070805@redhat.com>

On 10/01/2009 05:51 AM, Dominick Grift wrote:
> On Wed, Sep 30, 2009 at 05:21:56PM -0700, Vadym Chepkov wrote:
>> Hi,
>>
>> I am puzzled, what could have caused this kind of AVC:
>>
>> type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0 key=(null)
>> type=AVC msg=audit(1254270789.862:74347): avc: denied { read } for pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> Well, uptime runs in the httpd_t domain and the httpd domain (uptime) tried to read the /var/run/utmp file. /var/run/utmp has an object type that is owned by init scripts for objects in /var/run.
>
> You can and should check first to see whether the types are correct: should "uptime" in this scenario run in the httpd_t domain (is it called from a webapp (non-cgi))? Also, is the target object labelled properly (matchpathcon /var/run/utmp)?
>
> Once that is established you can verify whether httpd_t should be able to access the target type:
>
> sesearch --allow -s httpd_t -t initrc_var_run_t -c file -p read
>
> With this information you are going to have to make your security decision.
>
> Should you allow it or deny it?
>
> I can tell you that in my configuration /var/run/utmp also has type initrc_var_run_t. So I guess that is what it should be.
>
> What I cannot tell you is why and how uptime is executed in this scenario.
> All I know is that it runs in the httpd_t domain.
>>
>>
>> Sincerely yours,
>> Vadym Chepkov
>>

You would need to add policy to be able to do this. Apache being able to read utmp could allow a hacker to figure out all the user names that have logged onto a system. It is denied by default.

You can easily add custom policy using audit2allow.

From chepkov at yahoo.com Thu Oct 1 14:13:44 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Thu, 1 Oct 2009 07:13:44 -0700 (PDT)
Subject: Strange AVC
In-Reply-To: <4AC4B748.8070805@redhat.com>
Message-ID: <489686.68722.qm@web36805.mail.mud.yahoo.com>

That's the problem, I don't think it was a legitimate call. I scanned every single file in /var/www and I don't see the presence of an uptime call anywhere. I'm afraid it was a probe to see if the system can be compromised. I scanned the file system for inode 2474106 - it's gone, neither ppid=18807 nor pid=18808 are running, so I am not even sure where else to look.
Sincerely yours,
Vadym Chepkov

--- On Thu, 10/1/09, Daniel J Walsh wrote:

> From: Daniel J Walsh
> Subject: Re: Strange AVC
> To: fedora-selinux-list at redhat.com
> Date: Thursday, October 1, 2009, 10:06 AM
> On 10/01/2009 05:51 AM, Dominick Grift wrote:
> > On Wed, Sep 30, 2009 at 05:21:56PM -0700, Vadym Chepkov wrote:
> >> Hi,
> >>
> >> I am puzzled, what could have caused this kind of AVC:
> >>
> >> type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2
> >> success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0
> >> ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48
> >> egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime"
> >> subj=user_u:system_r:httpd_t:s0 key=(null)
> >> type=AVC msg=audit(1254270789.862:74347): avc: denied { read } for
> >> pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106
> >> scontext=user_u:system_r:httpd_t:s0
> >> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> >
> > Well, uptime runs in the httpd_t domain and the httpd domain (uptime)
> > tried to read the /var/run/utmp file. /var/run/utmp has an object type
> > that is owned by init scripts for objects in /var/run.
> >
> > You can and should check first to see whether the types are correct:
> > should "uptime" in this scenario run in the httpd_t domain (is it called
> > from a webapp (non-cgi))? Also, is the target object labelled properly
> > (matchpathcon /var/run/utmp)?
> >
> > Once that is established you can verify whether httpd_t should be able
> > to access the target type:
> >
> > sesearch --allow -s httpd_t -t initrc_var_run_t -c file -p read
> >
> > With this information you are going to have to make your security
> > decision.
> >
> > Should you allow it or deny it?
> >
> > I can tell you that in my configuration /var/run/utmp also has type
> > initrc_var_run_t. So I guess that is what it should be.
> >
> > What I cannot tell you is why and how uptime is executed in this
> > scenario.
> > All I know is that it runs in the httpd_t domain.
> >>
> >>
> >> Sincerely yours,
> >> Vadym Chepkov
> >>
> You would need to add policy to be able to do this. Apache being able to
> read utmp could allow a hacker to figure out all the user names that have
> logged onto a system. It is denied by default.
>
> You can easily add custom policy using audit2allow.
>

From roberto.sassu at polito.it Thu Oct 1 14:15:20 2009
From: roberto.sassu at polito.it (Roberto Sassu)
Date: Thu, 1 Oct 2009 16:15:20 +0200
Subject: selinux-polgengui not working on Fedora 11
In-Reply-To: <4AC4B42F.8050900@redhat.com>
References: <200910011513.14720.roberto.sassu@polito.it> <4AC4B42F.8050900@redhat.com>
Message-ID: <200910011615.21050.roberto.sassu@polito.it>

On Thursday 01 October 2009 15:52:47 Daniel J Walsh wrote:
> On 10/01/2009 09:13 AM, Roberto Sassu wrote:
> > Hi all
> >
> > I'm trying to use the utility selinux-polgengui under Fedora 11, but at
> > the end of the wizard process the program is unable to generate the
> > policy and it displays this message:
> >
> > "too many values to unpack".
> >
> > When I execute this from the shell, another message is also prompted:
> >
> > /usr/share/system-config-selinux/polgengui.py:417: DeprecationWarning:
> > BaseException.message has been deprecated as of Python 2.6
> >   self.error(e.message)
> >
> > I have the distribution up to date and I use KDE 4.3.1 as window manager.
> > How to solve this issue?
> > Thanks for replies
> >
>
> What did you select?
>
> Might be a code path that has not been traversed.
>

These are the choices I made:

- Type: user application
- Name: sandbox1
- Executable: /usr/bin/ssh
- Roles: unconfined_u
- Ports: connect to 22
- Common app traits: Interact with terminal
- Files/directories: /etc/ssh
- Booleans: none
- Write policy: in my home.

I tried in the past to use it with other combinations, but it never worked.

From dwalsh at redhat.com Thu Oct 1 16:07:27 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 01 Oct 2009 12:07:27 -0400
Subject: Strange AVC
In-Reply-To: <489686.68722.qm@web36805.mail.mud.yahoo.com>
References: <489686.68722.qm@web36805.mail.mud.yahoo.com>
Message-ID: <4AC4D3BF.10708@redhat.com>

On 10/01/2009 10:13 AM, Vadym Chepkov wrote:
> That's the problem, I don't think it was a legitimate call. I scanned every single file in /var/www and I don't see the presence of an uptime call anywhere. I'm afraid it was a probe to see if the system can be compromised. I scanned the file system for inode 2474106 - it's gone, neither ppid=18807 nor pid=18808 are running, so I am not even sure where else to look.
>
> Sincerely yours,
> Vadym Chepkov
>
>
> --- On Thu, 10/1/09, Daniel J Walsh wrote:
>
>> From: Daniel J Walsh
>> Subject: Re: Strange AVC
>> To: fedora-selinux-list at redhat.com
>> Date: Thursday, October 1, 2009, 10:06 AM
>> On 10/01/2009 05:51 AM, Dominick Grift wrote:
>>> On Wed, Sep 30, 2009 at 05:21:56PM -0700, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> I am puzzled, what could have caused this kind of AVC:
>>>>
>>>> type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2
>>>> success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0
>>>> ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48
>>>> egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime"
>>>> subj=user_u:system_r:httpd_t:s0 key=(null)
>>>> type=AVC msg=audit(1254270789.862:74347): avc: denied { read } for
>>>> pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106
>>>> scontext=user_u:system_r:httpd_t:s0
>>>> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>>>
>>> Well, uptime runs in the httpd_t domain and the httpd domain (uptime)
>>> tried to read the /var/run/utmp file. /var/run/utmp has an object type
>>> that is owned by init scripts for objects in /var/run.
>>>
>>> You can and should check first to see whether the types are correct:
>>> should "uptime" in this scenario run in the httpd_t domain (is it called
>>> from a webapp (non-cgi))? Also, is the target object labelled properly
>>> (matchpathcon /var/run/utmp)?
>>>
>>> Once that is established you can verify whether httpd_t should be able
>>> to access the target type:
>>>
>>> sesearch --allow -s httpd_t -t initrc_var_run_t -c file -p read
>>>
>>> With this information you are going to have to make your security
>>> decision.
>>>
>>> Should you allow it or deny it?
>>>
>>> I can tell you that in my configuration /var/run/utmp also has type
>>> initrc_var_run_t. So I guess that is what it should be.
>>>
>>> What I cannot tell you is why and how uptime is executed in this
>>> scenario.
>>> All I know is that it runs in the httpd_t domain.
>>>>
>>>>
>>>> Sincerely yours,
>>>> Vadym Chepkov
>>>>
>> You would need to add policy to be able to do this. Apache being able to
>> read utmp could allow a hacker to figure out all the user names that have
>> logged onto a system. It is denied by default.
>>
>> You can easily add custom policy using audit2allow.
>>

Not sure why anyone would be trying to run uptime, but I would watch your logs for other strange behaviour.

From domg472 at gmail.com Thu Oct 1 16:59:01 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 1 Oct 2009 18:59:01 +0200
Subject: Strange AVC
In-Reply-To: <4AC4D3BF.10708@redhat.com>
References: <489686.68722.qm@web36805.mail.mud.yahoo.com> <4AC4D3BF.10708@redhat.com>
Message-ID: <20091001165900.GA7513@notebook3.grift.internal>

On Thu, Oct 01, 2009 at 12:07:27PM -0400, Daniel J Walsh wrote:
> On 10/01/2009 10:13 AM, Vadym Chepkov wrote:
> > That's the problem, I don't think it was a legitimate call. I scanned every single file in /var/www and I don't see the presence of an uptime call anywhere. I'm afraid it was a probe to see if the system can be compromised. I scanned the file system for inode 2474106 - it's gone, neither ppid=18807 nor pid=18808 are running, so I am not even sure where else to look.
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
> >
> > --- On Thu, 10/1/09, Daniel J Walsh wrote:
> >
> >> From: Daniel J Walsh
> >> Subject: Re: Strange AVC
> >> To: fedora-selinux-list at redhat.com
> >> Date: Thursday, October 1, 2009, 10:06 AM
> >> On 10/01/2009 05:51 AM, Dominick Grift wrote:
> >>> On Wed, Sep 30, 2009 at 05:21:56PM -0700, Vadym Chepkov wrote:
> >>>> Hi,
> >>>>
> >>>> I am puzzled, what could have caused this kind of AVC:
> >>>>
> >>>> type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2
> >>>> success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0
> >>>> ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48
> >>>> egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime"
> >>>> subj=user_u:system_r:httpd_t:s0 key=(null)
> >>>> type=AVC msg=audit(1254270789.862:74347): avc: denied { read } for
> >>>> pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106
> >>>> scontext=user_u:system_r:httpd_t:s0
> >>>> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> >>>
> >>> Well, uptime runs in the httpd_t domain and the httpd domain (uptime)
> >>> tried to read the /var/run/utmp file. /var/run/utmp has an object type
> >>> that is owned by init scripts for objects in /var/run.
> >>>
> >>> You can and should check first to see whether the types are correct:
> >>> should "uptime" in this scenario run in the httpd_t domain (is it called
> >>> from a webapp (non-cgi))? Also, is the target object labelled properly
> >>> (matchpathcon /var/run/utmp)?
> >>>
> >>> Once that is established you can verify whether httpd_t should be able
> >>> to access the target type:
> >>>
> >>> sesearch --allow -s httpd_t -t initrc_var_run_t -c file -p read
> >>>
> >>> With this information you are going to have to make your security
> >>> decision.
> >>>
> >>> Should you allow it or deny it?
> >>>
> >>> I can tell you that in my configuration /var/run/utmp also has type
> >>> initrc_var_run_t.
So i guess that is what it > >> should be. > >>> > >>> What i cannot tell you is why and how uptime is > >> executed in this scenario. > >>> All i know is that it runs in the httpd_t domain. > >>>> > >>>> > >>>> Sincerely yours, > >>>> Vadym Chepkov > >>>> > >>>> -- > >>>> fedora-selinux-list mailing list > >>>> fedora-selinux-list at redhat.com > >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >>>> > >>>> > >>>> -- > >>>> fedora-selinux-list mailing list > >>>> fedora-selinux-list at redhat.com > >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >> You would need to add policy to be able to do this. > >> Apache being able to read utmp could allow a hacker to > >> figure out all the user names that have logged onto a > >> system. It is denied by default. > >> > >> You can easily add custom policy using audit2allow. > >> > >> > >> -- > >> fedora-selinux-list mailing list > >> fedora-selinux-list at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >> > Not sure why anyone would be trying to run uptime, but I would watch your logs for other strange behaviour. maybe some webapp that you may have running "requires" it > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -------------- next part -------------- A non-text attachment was scrubbed... 
From deleriux at airattack-central.com Thu Oct 1 17:43:32 2009
From: deleriux at airattack-central.com (Matthew Ife)
Date: Thu, 01 Oct 2009 18:43:32 +0100
Subject: Strange AVC
In-Reply-To: <20091001165900.GA7513@notebook3.grift.internal>
References: <489686.68722.qm@web36805.mail.mud.yahoo.com> <4AC4D3BF.10708@redhat.com> <20091001165900.GA7513@notebook3.grift.internal>
Message-ID: <1254419012.3306.4.camel@home.localdomain>

I would recommend grepping all your http access logs for the timestamp Sep 30 00:33 and seeing what pages were called. That might lead to some clues.

On Thu, 2009-10-01 at 18:59 +0200, Dominick Grift wrote:
> > > >> exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0

From yersinia.spiros at gmail.com Fri Oct 2 07:59:33 2009
From: yersinia.spiros at gmail.com (yersinia)
Date: Fri, 2 Oct 2009 09:59:33 +0200
Subject: Strange AVC
In-Reply-To: <1254419012.3306.4.camel@home.localdomain>
References: <489686.68722.qm@web36805.mail.mud.yahoo.com> <4AC4D3BF.10708@redhat.com> <20091001165900.GA7513@notebook3.grift.internal> <1254419012.3306.4.camel@home.localdomain>
Message-ID:

On Thu, Oct 1, 2009 at 7:43 PM, Matthew Ife wrote:
> I would recommend grepping all your http access logs for the timestamp
> Sep 30 00:33 and seeing what pages were called. That might lead to some
> clues.

Put an auditctl watch to /usr/bin/uptime

> On Thu, 2009-10-01 at 18:59 +0200, Dominick Grift wrote:
> > > > >> exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0
From westfallsteve at qwest.net Fri Oct 2 14:22:57 2009
From: westfallsteve at qwest.net (steve westfall)
Date: Fri, 02 Oct 2009 07:22:57 -0700
Subject: unsubscrube
Message-ID: <4AC60CC1.40204@qwest.net>

OK... I have done this in the official fashion multiple times. Why am I still on your mailing list? Are you that clueless?

Steve Westfall

From bruno at wolff.to Fri Oct 2 18:43:29 2009
From: bruno at wolff.to (Bruno Wolff III)
Date: Fri, 2 Oct 2009 13:43:29 -0500
Subject: unsubscrube
In-Reply-To: <4AC60CC1.40204@qwest.net>
References: <4AC60CC1.40204@qwest.net>
Message-ID: <20091002184329.GB20654@wolff.to>

On Fri, Oct 02, 2009 at 07:22:57 -0700, steve westfall wrote:
> OK... I have done this in the official fashion multiple times. Why am I
> still on your mailing list? Are you that clueless?

This isn't the correct place to ask. The list manager may not be subscribed to the list. Typically you add "-owner" to the local part of a list address to get the address for the people that manage a list.

However, did you get a confirmation message for the unsubscribe request and did you respond to it indicating that you did indeed want to unsubscribe from the list?

From rchapman at aardvark.com.au Sat Oct 3 01:40:58 2009
From: rchapman at aardvark.com.au (Richard Chapman)
Date: Sat, 03 Oct 2009 09:40:58 +0800
Subject: unsubscrube
In-Reply-To: <20091002184329.GB20654@wolff.to>
References: <4AC60CC1.40204@qwest.net> <20091002184329.GB20654@wolff.to>
Message-ID: <4AC6ABAA.50203@aardvark.com.au>

And are you sure you are trying to unsubscribe from the same email address as you are subscribed from... I know I have made that mistake before....

Bruno Wolff III wrote:
> On Fri, Oct 02, 2009 at 07:22:57 -0700, steve westfall wrote:
>> OK... I have done this in the official fashion multiple times. Why am I
>> still on your mailing list? Are you that clueless?
>
> This isn't the correct place to ask. The list manager may not be subscribed
> to the list.
> Typically you add "-owner" to the local part of a list address
> to get the address for the people that manage a list.
>
> However, did you get a confirmation message for the unsubscribe request and
> did you respond to it indicating that you did indeed want to unsubscribe
> from the list?

From Moray.Henderson at ict.om.org Mon Oct 5 14:20:04 2009
From: Moray.Henderson at ict.om.org (Moray Henderson (ICT))
Date: Mon, 5 Oct 2009 14:20:04 +0000
Subject: fixfiles -F option
Message-ID: <211227D58676844E9EFBA3414EC92E880517526810@QTS-MBXCLSTR1.global.local>

Hello List.

I have an rpm for an SELinux policy for a custom CentOS 5.3 distribution. When I install it, I use pre/post install scripts to back up the previous file contexts and run "fixfiles -C ${FILE_CONTEXT}.pre restore" as in the standard selinux-policy-targeted rpm.

On an upgrade, old httpd_sys_content_t files are not being updated to public_content_rw_t because httpd_sys_content_t is in the customizable_types file.

According to the fixfiles man page, -F should "Force reset of context to match file_context for customizable files", but when I added it, it made no difference. I had a look at the fixfiles script, and indeed it looks as if -F doesn't work with -C. Is that correct, or did I miss something?

Is there a recommended way to do that?

Moray.
"To err is human. To purr, feline"

From dwalsh at redhat.com Mon Oct 5 15:22:29 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 05 Oct 2009 11:22:29 -0400
Subject: fixfiles -F option
In-Reply-To: <211227D58676844E9EFBA3414EC92E880517526810@QTS-MBXCLSTR1.global.local>
References: <211227D58676844E9EFBA3414EC92E880517526810@QTS-MBXCLSTR1.global.local>
Message-ID: <4ACA0F35.1020807@redhat.com>

On 10/05/2009 10:20 AM, Moray Henderson (ICT) wrote:
> Hello List.
>
> I have an rpm for an SELinux policy for a custom CentOS 5.3 distribution. When I install it, I use pre/post install scripts to back up the previous file contexts and run "fixfiles -C ${FILE_CONTEXT}.pre restore" as in the standard selinux-policy-targeted rpm.
>
> On an upgrade, old httpd_sys_content_t files are not being updated to public_content_rw_t because httpd_sys_content_t is in the customizable_types file.
>
> According to the fixfiles man page, -F should "Force reset of context to match file_context for customizable files", but when I added it, it made no difference. I had a look at the fixfiles script, and indeed it looks as if -F doesn't work with -C. Is that correct, or did I miss something?
>
> Is there a recommended way to do that?
>
> Moray.
> "To err is human. To purr, feline"

Fix fixfiles and send a patch. :^(

From olivares14031 at yahoo.com Wed Oct 7 21:46:17 2009
From: olivares14031 at yahoo.com (Antonio Olivares)
Date: Wed, 7 Oct 2009 14:46:17 -0700 (PDT)
Subject: sealert with message: Cannot access repository dir /var/cache/yum/x86_64/11.92/rawhide
Message-ID: <636967.96796.qm@web52611.mail.re2.yahoo.com>

Dear all,

After updating to today's rawhide, I encountered a problem with sealert. I tried clicking on the star and I got a message:

Cannot access repository dir /var/cache/yum/x86_64/11.92/rawhide

After clicking several times, I managed to get it going and used the included bugzilla to file the following bug.

https://bugzilla.redhat.com/show_bug.cgi?id=527739

Apparently, I had seen this error before, but I could not capture it.

Thanks,

Antonio

From nkinder at redhat.com Thu Oct 8 16:19:21 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 08 Oct 2009 09:19:21 -0700
Subject: How do you expose a policy interface?
Message-ID: <4ACE1109.4070707@redhat.com>

I'm writing two policy modules for two separate packages (389-ds-base and 389-admin). I would like to expose some macros via an interface from my dirsrv policy for use by the dirsrv-admin policy. I have defined an interface in my dirsrv.if file and built and installed the dirsrv policy module. Apparently, this doesn't expose the interface as I get an error when building my dirsrv-admin policy that indicates that it doesn't know anything about my new interface.

What is the proper way to expose a policy interface? Does my dirsrv.if file need to be installed on the system somewhere specific?

Thanks,
-NGK

From domg472 at gmail.com Thu Oct 8 17:47:37 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 8 Oct 2009 19:47:37 +0200
Subject: How do you expose a policy interface?
In-Reply-To: <4ACE1109.4070707@redhat.com>
References: <4ACE1109.4070707@redhat.com>
Message-ID: <20091008174736.GA24871@notebook3.grift.internal>

On Thu, Oct 08, 2009 at 09:19:21AM -0700, Nathan Kinder wrote:
> I'm writing two policy modules for two separate packages
> (389-ds-base and 389-admin). I would like to expose some macros via
> an interface from my dirsrv policy for use by the dirsrv-admin
> policy. I have defined an interface in my dirsrv.if file and built
> and installed the dirsrv policy module. Apparently, this doesn't
> expose the interface as I get an error when building my dirsrv-admin
> policy that indicates that it doesn't know anything about my new
> interface.

Make sure that both source policies are in the same directory. For example I put all my .te, .if and .fc files in ~/modules

Then build the source policy modules:

cd ~/modules; make -f /usr/share/selinux/devel/Makefile

Finally install them:

semodule -i ~/modules/*.pp

This works for me.

> What is the proper way to expose a policy interface? Does my
> dirsrv.if file need to be installed on the system somewhere
> specific?
>
> Thanks,
> -NGK

From nkinder at redhat.com Thu Oct 8 18:08:01 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 08 Oct 2009 11:08:01 -0700
Subject: How do you expose a policy interface?
In-Reply-To: <20091008174736.GA24871@notebook3.grift.internal>
References: <4ACE1109.4070707@redhat.com> <20091008174736.GA24871@notebook3.grift.internal>
Message-ID: <4ACE2A81.3010105@redhat.com>

On 10/08/2009 10:47 AM, Dominick Grift wrote:
> On Thu, Oct 08, 2009 at 09:19:21AM -0700, Nathan Kinder wrote:
>
>> I'm writing two policy modules for two separate packages
>> (389-ds-base and 389-admin). I would like to expose some macros via
>> an interface from my dirsrv policy for use by the dirsrv-admin
>> policy. I have defined an interface in my dirsrv.if file and built
>> and installed the dirsrv policy module. Apparently, this doesn't
>> expose the interface as I get an error when building my dirsrv-admin
>> policy that indicates that it doesn't know anything about my new
>> interface.
>>
> Make sure that both source policies are in the same directory. For example I put all my .te, .if and .fc files in ~/modules
> Then build the source policy modules: cd ~/modules; make -f /usr/share/selinux/devel/Makefile
>
> Finally install them: semodule -i ~/modules/*.pp
>
> This works for me.
>

The source for these two modules is installed in two different git repositories, and I'd prefer to keep them separate and be able to build them standalone.

I've found that I can place my .if file in /usr/share/selinux/devel/include/services and it will be located when building the second policy module, but I'm guessing it's not really proper for me to install it there.
Is there some sort of include path for interface files that can be set at policy module build time? I'd be fine with having a "389-ds-base-selinux-devel" package that installs my interface file somewhere which could then be used when building the "389-admin-selinux" package. The questions are: where is there a standard place to install the .if file, and is there a way to specify the interface include path when building policy?

>> What is the proper way to expose a policy interface? Does my
>> dirsrv.if file need to be installed on the system somewhere
>> specific?
>>
>> Thanks,
>> -NGK

From domg472 at gmail.com Thu Oct 8 18:40:23 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 8 Oct 2009 20:40:23 +0200
Subject: How do you expose a policy interface?
In-Reply-To: <4ACE2A81.3010105@redhat.com>
References: <4ACE1109.4070707@redhat.com> <20091008174736.GA24871@notebook3.grift.internal> <4ACE2A81.3010105@redhat.com>
Message-ID: <20091008184022.GB24871@notebook3.grift.internal>

On Thu, Oct 08, 2009 at 11:08:01AM -0700, Nathan Kinder wrote:
> On 10/08/2009 10:47 AM, Dominick Grift wrote:
> > On Thu, Oct 08, 2009 at 09:19:21AM -0700, Nathan Kinder wrote:
> >> I'm writing two policy modules for two separate packages
> >> (389-ds-base and 389-admin). I would like to expose some macros via
> >> an interface from my dirsrv policy for use by the dirsrv-admin
> >> policy. I have defined an interface in my dirsrv.if file and built
> >> and installed the dirsrv policy module. Apparently, this doesn't
> >> expose the interface as I get an error when building my dirsrv-admin
> >> policy that indicates that it doesn't know anything about my new
> >> interface.
> > Make sure that both source policies are in the same directory. For example I put all my .te, .if and .fc files in ~/modules
> > Then build the source policy modules: cd ~/modules; make -f /usr/share/selinux/devel/Makefile
> >
> > Finally install them: semodule -i ~/modules/*.pp
> >
> > This works for me.
> The source for these two modules is installed in two different git
> repositories, and I'd prefer to keep them separate and be able to
> build them standalone.
>
> I've found that I can place my .if file in
> /usr/share/selinux/devel/include/services and it will be located
> when building the second policy module, but I'm guessing it's not
> really proper for me to install it there.
>
> Is there some sort of include path for interface files that can be
> set at policy module build time? I'd be fine with having a
> "389-ds-base-selinux-devel" package that installs my interface file
> somewhere which could then be used when building the
> "389-admin-selinux" package. The questions are: where is there a
> standard place to install the .if file, and is there a way to specify
> the interface include path when building policy?

I think /usr/share/selinux/devel/include/ would be a proper place to put your shared policy. I would create devel packages that basically copy the interface files there.

> >> What is the proper way to expose a policy interface? Does my
> >> dirsrv.if file need to be installed on the system somewhere
> >> specific?
> >>
> >> Thanks,
> >> -NGK

From ian-list at securitypimp.com Sun Oct 11 17:22:14 2009
From: ian-list at securitypimp.com (Ian Lists)
Date: Sun, 11 Oct 2009 13:22:14 -0400
Subject: Confined User using screen
Message-ID:

I just started playing around with confining users in rawhide using selinux-policy-3.6.32-24.fc12.noarch and am having an issue running screen.

When running screen with selinux enforcing I get the following error with no AVC.

[b1gb0y at imarks-ws ~]$ id -Z
user_u:user_r:user_t:s0
[b1gb0y at imarks-ws ~]$ screen
Cannot make directory '/var/run/screen': File exists

When I run screen with selinux in permissive mode it works as expected and generates AVCs. I have tried to run audit2allow against the following AVCs but the module is not able to load.

234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465
238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write user_u:object_r:screen_var_run_t:s0 denied 26467
239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name user_u:object_r:screen_var_run_t:s0 denied 26467
240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467
241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468
243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471
244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478
245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478

ausearch --start today -m avc | audit2allow -M screen

[root at imarks-ws ~]# cat screen.te

module screen 1.0;

require {
	type screen_var_run_t;
	type user_t;
	class dir { write remove_name create add_name setattr };
	class fifo_file { read write create unlink open };
}

#============= user_t ==============
allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
allow user_t screen_var_run_t:fifo_file { read write create unlink open };

semodule -i screen.pp
libsepol.print_missing_requirements: screen's global requirements were not met: type/attribute screen_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

I know user_u should only be able to write to /tmp and /~ so this may be a bad idea altogether..
Any suggestions on getting this to work would be much appreciated.

Thanks,
Ian
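Both the utmp denial at the top of this archive and the screen denials above are raw audit material that audit2allow turns into allow rules, and in both threads the advice is to look at what the rule grants before loading it. The following is an added example, not code from the list or from the SELinux project: a minimal audit2allow-style summariser in Python. Its input is constructed: the first record is the AVC Vadym posted; the screen records are raw-format equivalents of the denials Ian listed in tabular form, with the pids, file names and event ids made up.

```python
"""Minimal audit2allow-style summariser for raw AVC records (added example).

Parses `type=AVC ... avc: denied { perms } ... scontext=... tcontext=...
tclass=...` records, groups the denied permissions per (source type, target
type, class) and renders the `require` block and `allow` rules that
audit2allow would emit, so they can be reviewed before semodule -i.
"""
import re
from collections import defaultdict

# Constructed sample input. Record 1 is the utmp denial quoted in the thread;
# the screen records mirror Ian's denials but their pids/names/ids are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1254270789.862:74347): avc: denied { read } for pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2 success=no exit=-13 comm="uptime" exe="/usr/bin/uptime"
type=AVC msg=audit(1255279412.101:26464): avc: denied { write add_name } for pid=4242 comm="screen" name="screen" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:screen_var_run_t:s0 tclass=dir
type=AVC msg=audit(1255279412.101:26464): avc: denied { create } for pid=4242 comm="screen" name="S-b1gb0y" scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:screen_var_run_t:s0 tclass=dir
type=AVC msg=audit(1255279412.102:26465): avc: denied { setattr } for pid=4242 comm="screen" name="S-b1gb0y" scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:screen_var_run_t:s0 tclass=dir
type=AVC msg=audit(1255279412.103:26467): avc: denied { create } for pid=4242 comm="screen" name="4242.pts-0.host" scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:screen_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1255279412.104:26468): avc: denied { read open } for pid=4242 comm="screen" path="/var/run/screen/S-b1gb0y/4242.pts-0.host" scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:screen_var_run_t:s0 tclass=fifo_file
type=AVC msg=audit(1255279420.001:26478): avc: denied { remove_name } for pid=4242 comm="screen" name="4242.pts-0.host" scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:screen_var_run_t:s0 tclass=dir
"""

# One AVC record may carry several permissions inside the braces.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perm) per denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no decision
        for perm in m.group("perms").split():
            yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
                   m.group("tclass"), perm)


def summarise(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(log_text):
        rules[(src, tgt, tclass)].add(perm)
    return rules


def render_te(module_name, rules):
    """Render a .te module body: require block plus one allow rule per key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_te("local", summarise(SAMPLE_AUDIT_LOG)))
```

Reading the rendered output is the review step both threads ask for: the first allow rule is exactly the httpd_t read of initrc_var_run_t that Dan describes as a way to enumerate logged-in user names, and the require block names screen_var_run_t, which is the type semodule reported as missing when Ian's module failed to link. A type listed in require has to exist in the policy already loaded (for example, from the shipped screen module, visible with semodule -l) or the link fails exactly as shown above.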
From domg472 at gmail.com Sun Oct 11 19:20:39 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Sun, 11 Oct 2009 21:20:39 +0200
Subject: Confined User using screen
In-Reply-To:
References:
Message-ID: <20091011192038.GA6056@notebook3.grift.internal>

On Sun, Oct 11, 2009 at 01:22:14PM -0400, Ian Lists wrote:
> I just started playing around with confining users in rawhide using
> selinux-policy-3.6.32-24.fc12.noarch and am having an issue running screen.
>
> When running screen with selinux enforcing I get the following error with no
> AVC.
>
> [b1gb0y at imarks-ws ~]$ id -Z
> user_u:user_r:user_t:s0
> [b1gb0y at imarks-ws ~]$ screen
> Cannot make directory '/var/run/screen': File exists
>
> When I run screen with selinux in permissive mode it works as expected and
> generates AVCs. I have tried to run audit2allow against the following AVCs but
> the module is not able to load.
>
> 234. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir write system_u:object_r:screen_var_run_t:s0 denied 26464
> 235. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir add_name system_u:object_r:screen_var_run_t:s0 denied 26464
> 236. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 83 dir create user_u:object_r:screen_var_run_t:s0 denied 26464
> 237. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 92 dir setattr user_u:object_r:screen_var_run_t:s0 denied 26465
> 238. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir write user_u:object_r:screen_var_run_t:s0 denied 26467
> 239. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 dir add_name user_u:object_r:screen_var_run_t:s0 denied 26467
> 240. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 133 fifo_file create user_u:object_r:screen_var_run_t:s0 denied 26467
> 241. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file read user_u:object_r:screen_var_run_t:s0 denied 26468
> 242. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file open user_u:object_r:screen_var_run_t:s0 denied 26468
> 243. 10/11/2009 12:53:32 screen user_u:user_r:user_t:s0 2 fifo_file write user_u:object_r:screen_var_run_t:s0 denied 26471
> 244. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 dir remove_name user_u:object_r:screen_var_run_t:s0 denied 26478
> 245. 10/11/2009 12:53:40 screen user_u:user_r:user_t:s0 87 fifo_file unlink user_u:object_r:screen_var_run_t:s0 denied 26478
>
> ausearch --start today -m avc | audit2allow -M screen
>
> [root at imarks-ws ~]# cat screen.te
>
> module screen 1.0;
>
> require {
> 	type screen_var_run_t;
> 	type user_t;
> 	class dir { write remove_name create add_name setattr };
> 	class fifo_file { read write create unlink open };
> }
>
> #============= user_t ==============
> allow user_t screen_var_run_t:dir { write remove_name create add_name setattr };
> allow user_t screen_var_run_t:fifo_file { read write create unlink open };
>
> semodule -i screen.pp
> libsepol.print_missing_requirements: screen's global requirements were not
> met: type/attribute screen_var_run_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule: Failed!
>
>
> I know user_u should only be able to write to /tmp and /~ so this may be a
> bad idea altogether..
> Any suggestions on getting this to work would be much appreciated.
>
> Thanks,
> Ian

You should call the screen_role to make user_t transition to the screen domain:

echo "policy_module(myuser, 0.0.1)" > myuser.te;
echo "require { type user_t; }" >> myuser.te;
echo "screen_role_template(user, user_r, user_t)" >> myuser.te;
make -f /usr/share/selinux/devel/Makefile myuser.pp
sudo semodule -i myuser.pp

The problem is that you may have overwritten the shipped screen module with your custom policy module. If that is true then this won't install. If that is the case make sure you reinstall Fedora's screen module.
From deleriux at airattack-central.com Wed Oct 14 15:09:23 2009
From: deleriux at airattack-central.com (Matthew Ife)
Date: Wed, 14 Oct 2009 16:09:23 +0100
Subject: Feedback from Linux users about SELinux.
Message-ID: <1255532963.25231.31.camel@home.localdomain>

So, I did a brief unscientific survey regarding SELinux with my colleagues. The idea here is to work out what people see wrong or right with SELinux and, when documentation is done, what should our focus or priorities be in regards to it?

To give you a bit of background, respondents are all above average technically Linux experienced, who work for a hosting company offering amongst other things Linux based solutions of some sort, either pre-packed or bespoke. All the people I asked have a procedural approach to security (not the type of thing tagged onto the end of a project line of thinking) and in general are open to security advice.

Attached is the PDF document with the questions I asked - you'll have to forgive my decorating abilities!

The questions I asked could be wrong, the people I'm asking might not be the "average" sample we could do with, and admittedly the sample is way too small.

So firstly on with the questions I asked and why I asked them:

> If you installed Fedora regarding SELinux would you
> a) Disable it on install
> b) permissive on install
> c) enforcing on install.

The point with this question is to really just gauge what these people's feelings are with it "out of the box". Do they run it or do they not, and how does that compare with their ideas for the questions I asked below.

> Why would you choose that option?

So the idea behind this question was to find out what they liked or disliked about selinux which was enough of a motivator for them to turn it on or turn it off or disable it completely.

> Specifically what is SELinux meant to do?

Really what I wanted to find out here is what the people would consider SELinux as being able to achieve for them, as well as a brief understanding of how much they know about SELinux.

> Out of five, (five being very sufficient, 0 being completely insufficient) where would you put standard UNIX permissions (rwx, setuids and acls) for security on a machine? First for desktops second for servers.

This question was meant to gauge the person's understanding of DAC and how they pit against the current major security threats, i.e. "Do you find DAC is sufficient enough for securing your server".

From the data this is my analysis, but my opinions are pretty biased as I already know all these people anyway. I'd love people's feedback.

None of the respondents had any insight into the pros/cons of DAC or MAC.
All the respondents saw SELinux as a fine grained access control mechanism.
The more respondents understood about SELinux the more they were likely to enable it.
Currently servers would benefit from SELinux more than Desktops would.

So from the very limited feedback I've got I would say:

People's understanding of why MAC in some fashion is necessary is limited or non-existent. There should probably be some good argumentative cases for why DAC is not able to adequately contain a security breach or threat and what SELinux MAC is ready to do about it. Perhaps a wiki page that explains what DAC and MAC is - giving examples, what the current security trends and threats are against your systems and what both can / cannot do to mitigate them.

People envision SELinux as an access control system. Documentation on type enforcement (perhaps with examples analogous to DAC) would be beneficial.

In addition, personally I would say most sysadmins are totally missing fundamental security understandings (what is a subject, what is an object, what is DAC, what is MAC etc) and this means they are unable to appreciate what SELinux is trying to accomplish. Also I believe sysadmins do not consider containment of a security breach and spend much of their effort attempting to prevent it in the first place.

Well, that's probably more than I can prune on the whole thing I've got. I might be perhaps looking way too much into the information I have and would recommend people make up their own minds based off of the information I supplied. The goal here is to find out what people's vision of SELinux is (either right or wrong) and what can be done to help correct it.

Attachment: selinux_survey.pdf (application/pdf, 36877 bytes)

From joshua.roys at gtri.gatech.edu Wed Oct 14 17:30:04 2009
From: joshua.roys at gtri.gatech.edu (Joshua Roys)
Date: Wed, 14 Oct 2009 13:30:04 -0400
Subject: strange avc with racoon under f-11 mls
Message-ID: <4AD60A9C.101@gtri.gatech.edu>

Hello all,

I am trying to get ipsec/racoon running under f11 mls. However, an annoying avc is preventing that.

avc: denied { recv } for saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500 netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer

On IRC it was mentioned the tcontext=...:s15:... could be an issue...?
Here's a bit of the selinux-policy that I thought should be allowing this:
./policy/modules/system/ipsec.te:
corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_sendrecv_all_if(racoon_t)
corenet_udp_sendrecv_all_if(racoon_t)
corenet_tcp_sendrecv_all_nodes(racoon_t)
corenet_udp_sendrecv_all_nodes(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
corenet_udp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)

./policy/modules/kernel/corenetwork.if.in:
interface(`corenet_all_recvfrom_unlabeled',`
	kernel_tcp_recvfrom_unlabeled($1)
	kernel_udp_recvfrom_unlabeled($1)
	kernel_raw_recvfrom_unlabeled($1)
	kernel_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_sendrecv_unlabeled_association($1)
')

./policy/modules/kernel/kernel.if:
interface(`kernel_recvfrom_unlabeled_peer',`
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:peer recv;
')

I'm not entirely certain if the following ipsec rules were necessary,
but I added them anyway:
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:selinux_input - [0:0]
:selinux_output - [0:0]
:selinux_new_input - [0:0]
:selinux_new_output - [0:0]
-A INPUT -j selinux_input
-A OUTPUT -j selinux_output
-A selinux_input -m state --state NEW -j selinux_new_input
-A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore
-A selinux_output -m state --state NEW -j selinux_new_output
-A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore

-A selinux_new_input -j SECMARK --selctx system_u:object_r:server_packet_t:s0
-A selinux_new_output -j SECMARK --selctx system_u:object_r:client_packet_t:s0

-A selinux_new_input -p udp --dport 500 -j SECMARK --selctx system_u:object_r:isakmp_server_packet_t:s0
-A selinux_new_output -p udp --dport 500 -j SECMARK --selctx system_u:object_r:isakmp_client_packet_t:s0

-A selinux_new_input -j CONNSECMARK --save
-A selinux_new_input -j RETURN
-A selinux_new_output -j CONNSECMARK --save
-A selinux_new_output -j RETURN
COMMIT

Thanks in advance,

Joshua Roys

From dwalsh at redhat.com  Wed Oct 14 19:42:28 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 14 Oct 2009 15:42:28 -0400
Subject: strange avc with racoon under f-11 mls
In-Reply-To: <4AD60A9C.101@gtri.gatech.edu>
References: <4AD60A9C.101@gtri.gatech.edu>
Message-ID: <4AD629A4.1030601@redhat.com>

On 10/14/2009 01:30 PM, Joshua Roys wrote:
> Hello all,
>
> I am trying to get ipsec/racoon running under f11 mls. However, an
> annoying avc is preventing that.
>
> avc: denied { recv } for saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500
> netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
>
> On IRC it was mentioned the tcontext=...:s15:... could be an issue...?
>
> Here's a bit of the selinux-policy that I thought should be allowing this:
> ./policy/modules/system/ipsec.te:
> corenet_all_recvfrom_unlabeled(racoon_t)
> corenet_tcp_sendrecv_all_if(racoon_t)
> corenet_udp_sendrecv_all_if(racoon_t)
> corenet_tcp_sendrecv_all_nodes(racoon_t)
> corenet_udp_sendrecv_all_nodes(racoon_t)
> corenet_tcp_bind_all_nodes(racoon_t)
> corenet_udp_bind_all_nodes(racoon_t)
> corenet_udp_bind_isakmp_port(racoon_t)
> corenet_udp_bind_ipsecnat_port(racoon_t)
>
> ./policy/modules/kernel/corenetwork.if.in:
> interface(`corenet_all_recvfrom_unlabeled',`
> 	kernel_tcp_recvfrom_unlabeled($1)
> 	kernel_udp_recvfrom_unlabeled($1)
> 	kernel_raw_recvfrom_unlabeled($1)
> 	kernel_recvfrom_unlabeled_peer($1)
>
> 	# XXX - at some point the outbound/send access check will be removed
> 	# but for right now we need to keep this in place so as not to break
> 	# older systems
> 	kernel_sendrecv_unlabeled_association($1)
> ')
>
> ./policy/modules/kernel/kernel.if:
> interface(`kernel_recvfrom_unlabeled_peer',`
> 	gen_require(`
> 		type unlabeled_t;
> 	')
>
> 	allow $1 unlabeled_t:peer recv;
> ')
>
>
>
> I'm not entirely certain if the following ipsec rules were necessary,
> but I added them anyway:
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :selinux_input - [0:0]
> :selinux_output - [0:0]
> :selinux_new_input - [0:0]
> :selinux_new_output - [0:0]
> -A INPUT -j selinux_input
> -A OUTPUT -j selinux_output
> -A selinux_input -m state --state NEW -j selinux_new_input
> -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore
> -A selinux_output -m state --state NEW -j selinux_new_output
> -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore
>
> -A selinux_new_input -j SECMARK --selctx system_u:object_r:server_packet_t:s0
> -A selinux_new_output -j SECMARK --selctx system_u:object_r:client_packet_t:s0
>
> -A selinux_new_input -p udp --dport 500 -j SECMARK --selctx system_u:object_r:isakmp_server_packet_t:s0
> -A selinux_new_output -p udp --dport 500 -j SECMARK --selctx system_u:object_r:isakmp_client_packet_t:s0
>
> -A selinux_new_input -j CONNSECMARK --save
> -A selinux_new_input -j RETURN
> -A selinux_new_output -j CONNSECMARK --save
> -A selinux_new_output -j RETURN
> COMMIT
>
> Thanks in advance,
>
> Joshua Roys
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Did you run the AVC through audit2why?
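The AVC quoted above is not a type-enforcement denial at all: racoon_t is allowed `peer recv` on unlabeled_t, but the MLS layer vetoes it. The following is an added example (it is not code from this thread or from the SELinux project) that parses the scontext/tcontext MLS fields of that AVC line, implements the `dom` (dominance) test the MLS layer applies, and plugs the results into refpolicy's `mlsconstrain { peer packet } { recv }` rule from policy/mls. The attribute sets passed to `peer_recv_allowed()` are assumptions used to show both outcomes; in real policy they are attached by the `mls_socket_read_*` interfaces.

```python
"""Evaluate refpolicy's MLS 'peer recv' constraint against an AVC denial.

Added example; not code from this thread or from the SELinux project.
The constraint being modelled (refpolicy, policy/mls):

    mlsconstrain { peer packet } { recv }
        (( l1 dom l2 ) or
         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
         ( t1 == mlsnetread ));
"""
import re
from dataclasses import dataclass

# Constructed copy of the denial from the thread.
AVC = ("avc: denied { recv } for saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500 "
       "netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023 "
       "tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer")

AVC_RE = re.compile(r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


@dataclass(frozen=True)
class Level:
    sens: int            # sensitivity N of sN
    cats: frozenset      # category numbers N of cN

    def dom(self, other: "Level") -> bool:
        """l1 dom l2: sensitivity is >= and the category set is a superset."""
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text: str) -> Level:
    """'s15:c0.c1023' -> Level(15, {0..1023}); 's2:c1,c3.c5' -> cats {1,3,4,5}."""
    sens_part, _, cat_part = text.partition(":")
    cats = set()
    for piece in filter(None, cat_part.split(",")):
        lo, _, hi = piece.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return Level(int(sens_part[1:]), frozenset(cats))


def parse_context(ctx: str):
    """'user:role:type:low[-high]' -> (type, low, high); a single level has low == high."""
    _user, _role, type_, mls = ctx.split(":", 3)
    low_s, _, high_s = mls.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    return type_, low, high


def peer_recv_allowed(avc_line: str, attrs_of_type: dict) -> dict:
    """Return every term of the constraint plus the final verdict under 'allowed'.

    attrs_of_type maps a type name to the policy attributes it carries
    (assumed input; e.g. {"racoon_t": {"mlsnetreadtoclr"}}).
    """
    m = AVC_RE.search(avc_line)
    if m is None:
        raise ValueError("AVC line has no scontext/tcontext/tclass fields")
    t1, l1, h1 = parse_context(m.group(1))   # subject: low and high of its range
    _t2, l2, _h2 = parse_context(m.group(2)) # object: the peer's level
    attrs = attrs_of_type.get(t1, set())
    terms = {
        "l1 dom l2": l1.dom(l2),
        "t1 == mlsnetreadtoclr": "mlsnetreadtoclr" in attrs,
        "h1 dom l2": h1.dom(l2),
        "t1 == mlsnetread": "mlsnetread" in attrs,
    }
    terms["allowed"] = (terms["l1 dom l2"]
                        or (terms["t1 == mlsnetreadtoclr"] and terms["h1 dom l2"])
                        or terms["t1 == mlsnetread"])
    return terms


if __name__ == "__main__":
    # racoon_t as shipped: neither MLS network attribute, so only
    # 'l1 dom l2' (s0 vs s15:c0.c1023) is tested, and it fails.
    print(peer_recv_allowed(AVC, {"racoon_t": set()}))
    # After mls_socket_read_to_clearance(racoon_t): h1 (s15:c0.c1023)
    # dominates the peer's s15:c0.c1023, so the recv is permitted.
    print(peer_recv_allowed(AVC, {"racoon_t": {"mlsnetreadtoclr"}}))
```

The first call reproduces what audit2why reports for this AVC (a policy constraint violation rather than a missing allow rule); the second is the outcome once racoon_t is given the clearance-read attribute, which is the fix Josh reports later in the thread. The peer shows up at s15:c0.c1023 because refpolicy defines the unlabeled initial SID at `mls_systemhigh`, so any packet that carries no label of its own is treated as system-high.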
From joshua.roys at gtri.gatech.edu  Wed Oct 14 22:42:31 2009
From: joshua.roys at gtri.gatech.edu (Joshua Roys)
Date: Wed, 14 Oct 2009 18:42:31 -0400
Subject: strange avc with racoon under f-11 mls
In-Reply-To: <4AD629A4.1030601@redhat.com>
References: <4AD60A9C.101@gtri.gatech.edu> <4AD629A4.1030601@redhat.com>
Message-ID: <4AD653D7.3000608@gtri.gatech.edu>

On 10/14/2009 03:42 PM, Daniel J Walsh wrote:
> On 10/14/2009 01:30 PM, Joshua Roys wrote:
>>
>> avc: denied { recv } for saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500
>> netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
>> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
>>
>> On IRC it was mentioned the tcontext=...:s15:... could be an issue...?
>>
> Did you run the AVC through audit2why?

It said: Policy constraint violation.

Looking at policy/mls, I see this:
# the peer/packet recv op
mlsconstrain { peer packet } { recv }
	(( l1 dom l2 ) or
	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
	 ( t1 == mlsnetread ));

And here are our contexts:
scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023

According to:
http://www.patrickmcdaniel.org/pubs/sacmat07.pdf
the mlsconstrain above expands to:

subject = system_u:system_r:racoon_t:s0-s15:c0.c1023
object = system_u:object_r:unlabeled_t:s15-s15:c0.c1023
l1 dom l2 = opl(dom, getl(subject), getl(object))
          = opl(dom, s0, s15)
          = FALSE

mlsnetreadtoclr appears to only be granted via:
policy/modules/kernel/mls.if: mls_socket_read_to_clearance
which is not granted to racoon_t

and mlsnetread:
policy/modules/kernel/mls.if: mls_socket_read_all_levels
which is also not given to racoon_t.

mlsconstrain { peer packet } { recv }
	(( FALSE ) or
	 (( FALSE ) and ( h1 dom l2 )) or
	 ( FALSE ));

So, does anyone have a pointer to why my traffic is coming in at s15? Or any
other advice would be appreciated!

Thanks for your help so far,

--
Josh

From yersinia.spiros at gmail.com  Thu Oct 15 07:29:22 2009
From: yersinia.spiros at gmail.com (yersinia)
Date: Thu, 15 Oct 2009 09:29:22 +0200
Subject: Feedback from Linux users about SELinux.
In-Reply-To: <1255532963.25231.31.camel@home.localdomain>
References: <1255532963.25231.31.camel@home.localdomain>
Message-ID:

On Wed, Oct 14, 2009 at 5:09 PM, Matthew Ife wrote:
> So, I did a brief unscientific survey regarding SELinux with my
> colleagues. The idea here is to work out what people see wrong or right
> with SELinux and when documentation is done what should our focus or
> priorities be in regards to it?
> To give you a bit of background respondents are all above average
> technically Linux experienced who work for a hosting company offering
> amongst other things Linux based solutions of some sort either
> pre-packed or bespoke. All the people I asked have a procedural approach
> to security (not the type of thing tagged onto the end of a project line
> of thinking) and in general are open to security advice.
>
> Attached is the PDF document with the questions I asked - you'll have to
> forgive my decorating abilities!
>
> The questions I asked could be wrong, the people I'm asking might not be
> the "average" sample we could do with and admittedly the sample is way
> too small.
>
> So firstly on with the questions I asked and why I asked them:
>
>> If you installed Fedora regarding SELinux would you
>> a) Disable it on install
>> b) permissive on install
>> c) enforcing on install.
> The point with this question is to really just gauge what these people's
> feelings are with it "out of the box". Do they run it or do they not and
> how does that compare with their ideas for the questions I asked below.
>
>> Why would you choose that option?
> So the idea behind this question was to find out what they liked or
> disliked about selinux which was enough of a motivator for them to turn
> it on or turn it off or disable it completely.
>
>> Specifically what is SELinux meant to do?
> Really what I wanted to find out here is what the people would consider
> SELinux as being able to achieve for them as well as a brief
> understanding of how much they know about SELinux.
>
>> Out of five, (five being very sufficient, 0 being completely
>> insufficient) where would you put standard UNIX permissions (rwx,
>> setuids and acls) for security on a machine? First for desktops second
>> for servers.
> This question was meant to gauge the person's understanding of DAC and
> how they pit against the current major security threats. I.E "Do you
> find DAC is sufficient enough for securing your server".
>
>
>
> From the data this is my analysis but my opinions are pretty biased as I
> already know all these people anyway. I'd love people's feedback.
>
>
> None of the respondents had any insight into the pros/cons of DAC or
> MAC.
> All the respondents saw SELinux as a fine grained access control
> mechanism.
> The more respondents understood about SELinux the more they were likely
> to enable it.
> Currently servers would benefit from SELinux more than Desktops would.
>
>
> So from the very limited feedback I've got I would say:
>
> People's understanding of why MAC in some fashion is necessary is limited
> or non-existent. There should probably be some good argumentative cases
> for why DAC is not able to adequately contain a security breach or
> threat and what SELinux MAC is ready to do about it. Perhaps a wiki page
> that explains what DAC and MAC is - giving examples, what the current
> security trends and threats are against your systems and what both can /
> cannot do to mitigate them.
>

For the first question this is the classic paper that explains why a MAC is
necessary for an OS - http://jya.com/paperF1.htm

For the second point this is the "selinux mitigation new" from tresys
http://www.tresys.com/innovation.php

In any case it should be made clear that a MAC-level policy applied to a Web
application does not protect the application itself in general, but the web
server / application server / web application in some particular case - it
depends on the threats (e.g. BOF versus XSS for example, defacing versus sql
injection) - but in the first place the operating system that hosts them. For
the issues dealt with by OWASP it is necessary, ALSO, to have a web
application firewall like mod_security. IMHO, the most prudent approach is to
use mod_security and SELinux, both.

For what regards the DOS attack MAC may or may not help, it depends. For
example, if there is an application problem for which a certain sequence of
commands can lead to application termination, and should not happen, the MAC
can do little or nothing.

Best Regards

> People envision SELinux as an access control system. Documentation on
> type enforcement (perhaps with examples analogous to DAC) would be
> beneficial.
>
> In addition personally I would say most sysadmins are totally missing
> fundamental security understandings (what is a subject, what is an
> object, what is DAC what is MAC etc) and this means they are unable to
> appreciate what SELinux is trying to accomplish. Also I believe
> sysadmins do not consider containment of a security breach and spend
> much of their effort attempting to prevent it in the first place.
>
> Well, that's probably more than I can prune on the whole thing I've got.
> I might be perhaps looking way too much into the information I have and
> would recommend people make up their own minds based off of the
> information I supplied.
>
> The goal here is to find out what people's vision of SELinux is (either
> right or wrong) and what can be done to help correct it.
>

From deleriux at airattack-central.com  Thu Oct 15 13:18:09 2009
From: deleriux at airattack-central.com (Matthew Ife)
Date: Thu, 15 Oct 2009 14:18:09 +0100
Subject: Feedback from Linux users about SELinux.
In-Reply-To:
References: <1255532963.25231.31.camel@home.localdomain>
Message-ID: <1255612689.1579.19.camel@home.localdomain>

On Thu, 2009-10-15 at 09:29 +0200, yersinia wrote:
> On Wed, Oct 14, 2009 at 5:09 PM, Matthew Ife wrote:
>> So, I did a brief unscientific survey regarding SELinux with my
>> colleagues. The idea here is to work out what people see wrong or right
>> with SELinux and when documentation is done what should our focus or
>> priorities be in regards to it?
>> To give you a bit of background respondents are all above average
>> technically Linux experienced who work for a hosting company offering
>> amongst other things Linux based solutions of some sort either
>> pre-packed or bespoke. All the people I asked have a procedural approach
>> to security (not the type of thing tagged onto the end of a project line
>> of thinking) and in general are open to security advice.
>>
>> Attached is the PDF document with the questions I asked - you'll have to
>> forgive my decorating abilities!
>>
>> The questions I asked could be wrong, the people I'm asking might not be
>> the "average" sample we could do with and admittedly the sample is way
>> too small.
>>
>> So firstly on with the questions I asked and why I asked them:
>>
>>> If you installed Fedora regarding SELinux would you
>>> a) Disable it on install
>>> b) permissive on install
>>> c) enforcing on install.
>> The point with this question is to really just gauge what these people's
>> feelings are with it "out of the box". Do they run it or do they not and
>> how does that compare with their ideas for the questions I asked below.
>>
>>> Why would you choose that option?
>> So the idea behind this question was to find out what they liked or
>> disliked about selinux which was enough of a motivator for them to turn
>> it on or turn it off or disable it completely.
>>
>>> Specifically what is SELinux meant to do?
>> Really what I wanted to find out here is what the people would consider
>> SELinux as being able to achieve for them as well as a brief
>> understanding of how much they know about SELinux.
>>
>>> Out of five, (five being very sufficient, 0 being completely
>>> insufficient) where would you put standard UNIX permissions (rwx,
>>> setuids and acls) for security on a machine? First for desktops second
>>> for servers.
>> This question was meant to gauge the person's understanding of DAC and
>> how they pit against the current major security threats. I.E "Do you
>> find DAC is sufficient enough for securing your server".
>>
>>
>>
>> From the data this is my analysis but my opinions are pretty biased as I
>> already know all these people anyway. I'd love people's feedback.
>>
>>
>> None of the respondents had any insight into the pros/cons of DAC or
>> MAC.
>> All the respondents saw SELinux as a fine grained access control
>> mechanism.
>> The more respondents understood about SELinux the more they were likely
>> to enable it.
>> Currently servers would benefit from SELinux more than Desktops would.
>>
>>
>> So from the very limited feedback I've got I would say:
>>
>> People's understanding of why MAC in some fashion is necessary is limited
>> or non-existent. There should probably be some good argumentative cases
>> for why DAC is not able to adequately contain a security breach or
>> threat and what SELinux MAC is ready to do about it. Perhaps a wiki page
>> that explains what DAC and MAC is - giving examples, what the current
>> security trends and threats are against your systems and what both can /
>> cannot do to mitigate them.
>>
>
> For the first question this is the classic paper that explains why a
> MAC is necessary for an OS -
> http://jya.com/paperF1.htm
> For the second point this is the "selinux mitigation new" from tresys
> http://www.tresys.com/innovation.php
>
> In any case it should be made clear that a MAC-level policy applied to a
> Web application does not protect the application itself in general, but
> the web server / application server / web application in some particular
> case - it depends on the threats (e.g. BOF versus XSS for example, defacing
> versus sql injection) - but in the first place the operating system that
> hosts them. For the issues dealt with by OWASP it is necessary, ALSO, to
> have a web application firewall like mod_security. IMHO, the most
> prudent approach is to use mod_security and SELinux, both.
>
> For what regards the DOS attack MAC may or may not help, it depends.
> For example, if there is an application problem for which a certain
> sequence of commands can lead to application termination, and should
> not happen, the MAC can do little or nothing.
>
> Best Regards
>
>> People envision SELinux as an access control system. Documentation on
>> type enforcement (perhaps with examples analogous to DAC) would be
>> beneficial.
>>
>> In addition personally I would say most sysadmins are totally missing
>> fundamental security understandings (what is a subject, what is an
>> object, what is DAC what is MAC etc) and this means they are unable to
>> appreciate what SELinux is trying to accomplish. Also I believe
>> sysadmins do not consider containment of a security breach and spend
>> much of their effort attempting to prevent it in the first place.
>>
>> Well, that's probably more than I can prune on the whole thing I've got.
>> I might be perhaps looking way too much into the information I have and
>> would recommend people make up their own minds based off of the
>> information I supplied.
>>
>> The goal here is to find out what people's vision of SELinux is (either
>> right or wrong) and what can be done to help correct it.
>>

I should point out my intention here is not to completely rewrite what's
already been written, but sysadmins don't want to click a list of references
to much larger documents to fetch the information that they want. We should
cherry pick the best bits and reformat the content to deliver it to people in
a more digestible way.

Regardless of people's feelings - as a sysadmin myself - I don't want to spend
my time sifting and scanning through whitepapers, essays and presentations
when I'm really trying to see how I can resolve an immediate problem.
Whitepapers, essays and presentations are great when you don't have a
deadline to meet. The majority of people who will consider SELinux are going
to do so when they have a problem to solve.

What I'd like to see more of is practical examples with links inside the
examples to glossaries of terminology so people can read a document and get
links to information that they don't have a clear understanding of; in this
way we are giving them proof of concept examples showing SELinux in action
with opportunities to understand more fundamental security concepts to
fortify their theoretical knowledge. The glossaries could contain references
to other, heavier theoretical information including many of the documents
people are suggesting.

I think part of the problem is when people say "there's no documentation"
what they mean is easy to digest and simple to implement documentation - I
think there really is lots of very useful and good documentation. It's just
sparsely distributed and most professionals working on a project with
deadlines simply don't want to be bogged down spending more time searching
for the data than having it provided to them from a centralized source.

From txtoth at gmail.com  Thu Oct 15 13:27:40 2009
From: txtoth at gmail.com (Xavier Toth)
Date: Thu, 15 Oct 2009 08:27:40 -0500
Subject: strange avc with racoon under f-11 mls
In-Reply-To: <4AD653D7.3000608@gtri.gatech.edu>
References: <4AD60A9C.101@gtri.gatech.edu> <4AD629A4.1030601@redhat.com> <4AD653D7.3000608@gtri.gatech.edu>
Message-ID:

On Wed, Oct 14, 2009 at 5:42 PM, Joshua Roys wrote:
> On 10/14/2009 03:42 PM, Daniel J Walsh wrote:
>>
>> On 10/14/2009 01:30 PM, Joshua Roys wrote:
>>>
>>> avc: denied { recv } for saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500
>>> netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
>>> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
>>>
>>> On IRC it was mentioned the tcontext=...:s15:... could be an issue...?
>>>
>> Did you run the AVC through audit2why?
>
> It said: Policy constraint violation.
>
> Looking at policy/mls, I see this:
> # the peer/packet recv op
> mlsconstrain { peer packet } { recv }
>         (( l1 dom l2 ) or
>          (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>          ( t1 == mlsnetread ));
>
> And here are our contexts:
> scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023
>
> According to:
> http://www.patrickmcdaniel.org/pubs/sacmat07.pdf
> the mlsconstrain above expands to:
>
> subject = system_u:system_r:racoon_t:s0-s15:c0.c1023
> object = system_u:object_r:unlabeled_t:s15-s15:c0.c1023
> l1 dom l2 = opl(dom, getl(subject), getl(object))
>           = opl(dom, s0, s15)
>           = FALSE
>
> mlsnetreadtoclr appears to only be granted via:
> policy/modules/kernel/mls.if: mls_socket_read_to_clearance
> which is not granted to racoon_t
>
> and mlsnetread:
> policy/modules/kernel/mls.if: mls_socket_read_all_levels
> which is also not given to racoon_t.
>
> mlsconstrain { peer packet } { recv }
>         (( FALSE ) or
>          (( FALSE ) and ( h1 dom l2 )) or
>          ( FALSE ));
>
> So, does anyone have a pointer to why my traffic is coming in at s15? Or any
> other advice would be appreciated!
>
> Thanks for your help so far,
>
> --
> Josh
>

What do your SA's look like (/etc/racoon/key.conf)?

From joshua.roys at gtri.gatech.edu  Fri Oct 16 16:19:39 2009
From: joshua.roys at gtri.gatech.edu (Joshua Roys)
Date: Fri, 16 Oct 2009 12:19:39 -0400
Subject: strange avc with racoon under f-11 mls
In-Reply-To:
References: <4AD60A9C.101@gtri.gatech.edu> <4AD629A4.1030601@redhat.com> <4AD653D7.3000608@gtri.gatech.edu>
Message-ID: <4AD89D1B.4070509@gtri.gatech.edu>

On 10/15/2009 09:27 AM, Xavier Toth wrote:
> On Wed, Oct 14, 2009 at 5:42 PM, Joshua Roys wrote:
>> On 10/14/2009 03:42 PM, Daniel J Walsh wrote:
>>>
>>> On 10/14/2009 01:30 PM, Joshua Roys wrote:
>>>>
>>>> avc: denied { recv } for saddr=1.2.3.4 src=500 daddr=4.3.2.1 dest=500
>>>> netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
>>>> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
>>>>
>>
>> Looking at policy/mls, I see this:
>> # the peer/packet recv op
>> mlsconstrain { peer packet } { recv }
>>         (( l1 dom l2 ) or
>>          (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>>          ( t1 == mlsnetread ));
>>
>> mlsnetreadtoclr appears to only be granted via:
>> policy/modules/kernel/mls.if: mls_socket_read_to_clearance
>> which is not granted to racoon_t
>>

Hello,

We have ipsec working again, using something like: ($local_t and $remote_t
being the local and remote types)

mls_socket_read_to_clearance(racoon_t)
allow $local_t $remote_t:association polmatch;
allow $remote_t $local_t:association polmatch;
allow $local_t $remote_t:peer recv;

Thanks for the tips,

Joshua Roys

From Moray.Henderson at ict.om.org  Tue Oct 20 14:14:28 2009
From: Moray.Henderson at ict.om.org (Moray Henderson (ICT))
Date: Tue, 20 Oct 2009 14:14:28 +0000
Subject: fixfiles -F option
In-Reply-To: <4ACA0F35.1020807@redhat.com>
References: <211227D58676844E9EFBA3414EC92E880517526810@QTS-MBXCLSTR1.global.local> <4ACA0F35.1020807@redhat.com>
Message-ID: <211227D58676844E9EFBA3414EC92E880517E1631A@QTS-MBXCLSTR1.global.local>

Daniel wrote:
> On 10/05/2009 10:20 AM, Moray Henderson (ICT) wrote:
>> Hello List.
>>
>> I have an rpm for an selinux policy for a custom CentOS 5.3 distribution.
>> When I install it, I use pre/post install scripts to back up the previous
>> file contexts and run "fixfiles -C ${FILE_CONTEXT}.pre restore" as in the
>> standard selinux-policy-targeted rpm.
>>
>> On an upgrade, old httpd_sys_content_t files are not being updated to
>> public_content_rw_t because httpd_sys_content_t is in the
>> customizable_types file.
>>
>> According to the fixfiles man page, -F should "Force reset of context to
>> match file_context for customizable files", but when I added it, it made
>> no difference. I had a look at the fixfiles script, and indeed it looks
>> as if -F doesn't work with -C. Is that correct, or did I miss something?
>>
>> Is there a recommended way to do that?
>>
>>
>> Moray.
>> "To err is human. To purr, feline"
>>
>>
> Fix fixfiles and send a patch. :^(

Sorry for the delay - I was at a training course, then recovering from the
cold I caught at the training course...

I am working on fixing the fixfiles script, but it looks more complicated
than I thought, as I'm also trying to bring the usage info and man page into
line with how the script actually behaves.

As far as I can see, the "-o outputfile" option has never worked: it just
adds the name of the output file to the restorecon or setfiles commands
without the -o option to say that it's an output option. In addition, it
won't work at all with the verify command because that uses its own -o
option.

I would therefore vote for removing -o from fixfiles altogether, but if you
really want it there and working, I'll see what I can do. Let me know what
you think.

In addition to fixfiles, I have also documented the -p option to both
restorecon and setfiles, and brought their usage info and man pages into
line.


Moray.
"To err is human. To purr, feline"

From dwalsh at redhat.com  Tue Oct 20 15:31:29 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 20 Oct 2009 11:31:29 -0400
Subject: fixfiles -F option
In-Reply-To: <211227D58676844E9EFBA3414EC92E880517E1631A@QTS-MBXCLSTR1.global.local>
References: <211227D58676844E9EFBA3414EC92E880517526810@QTS-MBXCLSTR1.global.local> <4ACA0F35.1020807@redhat.com> <211227D58676844E9EFBA3414EC92E880517E1631A@QTS-MBXCLSTR1.global.local>
Message-ID: <4ADDD7D1.1030005@redhat.com>

On 10/20/2009 10:14 AM, Moray Henderson (ICT) wrote:
> Daniel wrote:
>> On 10/05/2009 10:20 AM, Moray Henderson (ICT) wrote:
>>> Hello List.
>>>
>>> I have an rpm for an selinux policy for a custom CentOS 5.3 distribution.
>>> When I install it, I use pre/post install scripts to back up the previous
>>> file contexts and run "fixfiles -C ${FILE_CONTEXT}.pre restore" as in the
>>> standard selinux-policy-targeted rpm.
>>>
>>> On an upgrade, old httpd_sys_content_t files are not being updated to
>>> public_content_rw_t because httpd_sys_content_t is in the
>>> customizable_types file.
>>>
>>> According to the fixfiles man page, -F should "Force reset of context to
>>> match file_context for customizable files", but when I added it, it made
>>> no difference. I had a look at the fixfiles script, and indeed it looks
>>> as if -F doesn't work with -C. Is that correct, or did I miss something?
>>>
>>> Is there a recommended way to do that?
>>>
>>>
>>> Moray.
>>> "To err is human. To purr, feline"
>>>
>>>
>> Fix fixfiles and send a patch. :^(
>
> Sorry for the delay - I was at a training course, then recovering from the
> cold I caught at the training course...
>
> I am working on fixing the fixfiles script, but it looks more complicated
> than I thought, as I'm also trying to bring the usage info and man page into
> line with how the script actually behaves.
>
> As far as I can see, the "-o outputfile" option has never worked: it just
> adds the name of the output file to the restorecon or setfiles commands
> without the -o option to say that it's an output option. In addition, it
> won't work at all with the verify command because that uses its own -o
> option.
>
> I would therefore vote for removing -o from fixfiles altogether, but if you
> really want it there and working, I'll see what I can do. Let me know what
> you think.
>
> In addition to fixfiles, I have also documented the -p option to both
> restorecon and setfiles, and brought their usage info and man pages into
> line.
>
>
> Moray.
> "To err is human. To purr, feline"
>

I have no problem with removing the -o option. I don't think anyone uses it.
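Moray's upgrade problem comes from two behaviours stacking: `fixfiles -C` relabels only the paths whose file_contexts specification changed between the old and new policy, and restorecon/setfiles then leave any file alone whose current type is listed in customizable_types unless `-F` is passed, which the fixfiles script was not forwarding. The following is an added example (it is not the fixfiles or restorecon code, nor anything from this thread) that models both steps so the effect can be seen end to end; the file_contexts fragments, the customizable_types excerpt and the on-disk inventory are constructed samples, and the spec-matching rule (last matching entry wins) mirrors how setfiles resolves overlapping entries.

```python
"""Why a relabel can leave files on their old type: customizable_types and -F.

Added example; it is a model of fixfiles -C plus restorecon behaviour, not
the real tools' code.  All inputs below are constructed samples.
"""
import re

# Constructed fragments in the compiled file_contexts format setfiles reads:
# <path regex> [<file type>] <context>.  The last matching entry wins.
OLD_FC = """\
/var/www(/.*)?           system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?   system_u:object_r:httpd_sys_script_exec_t:s0
/srv/ftp(/.*)?           system_u:object_r:public_content_t:s0
"""
NEW_FC = """\
/var/www(/.*)?           system_u:object_r:public_content_rw_t:s0
/var/www/cgi-bin(/.*)?   system_u:object_r:httpd_sys_script_exec_t:s0
/srv/ftp(/.*)?           system_u:object_r:public_content_t:s0
"""
# Constructed excerpt of /etc/selinux/<policy>/contexts/customizable_types.
CUSTOMIZABLE = {"httpd_sys_content_t", "public_content_t", "public_content_rw_t"}

# Constructed inventory: path -> type currently on disk.
FILES = {
    "/var/www/index.html": "httpd_sys_content_t",
    "/var/www/cgi-bin/hello.cgi": "httpd_sys_script_exec_t",
    "/srv/ftp/README": "public_content_t",
}


def parse_fc(text: str):
    """Return [(compiled regex, type)] in file order, skipping blanks/comments."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        path_re, context = fields[0], fields[-1]   # optional file-type field ignored
        specs.append((re.compile(path_re), context.split(":")[2]))
    return specs


def spec_type(specs, path: str):
    """Type from the last spec whose regex matches the whole path, or None."""
    hit = None
    for rx, type_ in specs:
        if rx.fullmatch(path):
            hit = type_
    return hit


def changed_paths(old_fc: str, new_fc: str):
    """What fixfiles -C extracts: path regexes whose type differs between the files."""
    old = {rx.pattern: t for rx, t in parse_fc(old_fc)}
    new = {rx.pattern: t for rx, t in parse_fc(new_fc)}
    return sorted(p for p in set(old) | set(new) if old.get(p) != new.get(p))


def plan_relabel(files: dict, new_fc: str, customizable: set, force: bool = False):
    """Simulate restorecon over `files`; returns {path: action taken}."""
    specs = parse_fc(new_fc)
    plan = {}
    for path, current in files.items():
        wanted = spec_type(specs, path)
        if wanted is None or wanted == current:
            plan[path] = "unchanged"
        elif current in customizable and not force:
            # Current type is customizable: restorecon leaves it unless -F.
            plan[path] = f"kept {current} (customizable; needs -F)"
        else:
            plan[path] = f"relabel {current} -> {wanted}"
    return plan


if __name__ == "__main__":
    print("changed specs:", changed_paths(OLD_FC, NEW_FC))
    print("without -F:", plan_relabel(FILES, NEW_FC, CUSTOMIZABLE))
    print("with -F:   ", plan_relabel(FILES, NEW_FC, CUSTOMIZABLE, force=True))
```

Run as is, the diff step correctly picks out `/var/www(/.*)?`, yet the simulated restorecon keeps `/var/www/index.html` on httpd_sys_content_t because that type is customizable; only the `force=True` pass (the real tools' `-F`) moves it to public_content_rw_t. This is the gap Moray's fixfiles patch closes by letting `-F` reach the restorecon call when `-C` is used.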
From anmajumd at cisco.com Tue Oct 20 23:52:43 2009 From: anmajumd at cisco.com (Anamitra Dutta Majumdar (anmajumd)) Date: Tue, 20 Oct 2009 16:52:43 -0700 Subject: No avcs generated after running at jobs in enforcing mode In-Reply-To: <4AD89D1B.4070509@gtri.gatech.edu> References: <4AD60A9C.101@gtri.gatech.edu> <4AD629A4.1030601@redhat.com> <4AD653D7.3000608@gtri.gatech.edu> <4AD89D1B.4070509@gtri.gatech.edu> Message-ID: <4EF101F7236DB443A8FABF8164BFBD0C08B50C79@xmb-sjc-223.amer.cisco.com> We are trying to run an at job which echoes something on the terminal as below at 14:53 at> echo "hello" > /dev/pts/1 at> ^D When we run the above in the permissive mode we get hello on our term. However when we run in enforcing mode nothing seems to happen. We do not get any sealerts either. Can someone let us know what is going on in the enforcing mode and what would be a way to check the status of the job? Thanks Anamitra & Radha From bruno at wolff.to Tue Oct 20 23:54:58 2009 From: bruno at wolff.to (Bruno Wolff III) Date: Tue, 20 Oct 2009 18:54:58 -0500 Subject: No avcs generated after running at jobs in enforcing mode In-Reply-To: <4EF101F7236DB443A8FABF8164BFBD0C08B50C79@xmb-sjc-223.amer.cisco.com> References: <4AD60A9C.101@gtri.gatech.edu> <4AD629A4.1030601@redhat.com> <4AD653D7.3000608@gtri.gatech.edu> <4AD89D1B.4070509@gtri.gatech.edu> <4EF101F7236DB443A8FABF8164BFBD0C08B50C79@xmb-sjc-223.amer.cisco.com> Message-ID: <20091020235458.GB12724@wolff.to> On Tue, Oct 20, 2009 at 16:52:43 -0700, "Anamitra Dutta Majumdar (anmajumd)" wrote: > > We are trying to run an at job which echoes something on the terminal as > below > > at 14:53 > at> echo "hello" > /dev/pts/1 > at> ^D > > When we run the above in the permissive mode we get hello on our term. > However when we run in enforcing mode nothing seems to happen. We do not > get any sealerts either. > > Can someone let us know what is going on in the enforcing mode and what > would be a way to check the status of the job? 
There might be a don't audit on that rule. From justinmattock at gmail.com Wed Oct 21 00:38:34 2009 From: justinmattock at gmail.com (Justin P. Mattock) Date: Tue, 20 Oct 2009 17:38:34 -0700 Subject: No avcs generated after running at jobs in enforcing mode In-Reply-To: <20091020235458.GB12724@wolff.to> References: <4AD60A9C.101@gtri.gatech.edu> <4AD629A4.1030601@redhat.com> <4AD653D7.3000608@gtri.gatech.edu> <4AD89D1B.4070509@gtri.gatech.edu> <4EF101F7236DB443A8FABF8164BFBD0C08B50C79@xmb-sjc-223.amer.cisco.com> <20091020235458.GB12724@wolff.to> Message-ID: <4ADE580A.50601@gmail.com> Bruno Wolff III wrote: > On Tue, Oct 20, 2009 at 16:52:43 -0700, > "Anamitra Dutta Majumdar (anmajumd)" wrote: > >> >> We are trying to run an at job which echoes something on the terminal as >> below >> >> at 14:53 >> at> echo "hello"> /dev/pts/1 >> at> ^D >> >> When we run the above in the permissive mode we get hello on our term. >> However when we run in enforcing mode nothing seems to happen. We do not >> get any sealerts either. >> >> Can someone let us know what is going on in the enforcing mode and what >> would be a way to check the status of the job? >> > > There might be a don't audit on that rule. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > yep, check to see if there's a mislabel use restorecon * then like above just use make enableaudit while compiling the policy to generate any avc's that are in the don't audit section. Justin P. Mattock From marco.shaw at gmail.com Wed Oct 21 14:32:47 2009 From: marco.shaw at gmail.com (Marco Shaw) Date: Wed, 21 Oct 2009 11:32:47 -0300 Subject: Accounting/auditing reference? Message-ID: <717ccda00910210732x680ba763ge89ff3ec9c0903e4@mail.gmail.com> Is there anything online detailing SELinux's accounting and auditing features? 
Example: How/if it does system and process accounting How/if it does system and process auditing How/if it exactly logs (through syslogd?) Thanks, Marco From jdennis at redhat.com Wed Oct 21 14:42:16 2009 From: jdennis at redhat.com (John Dennis) Date: Wed, 21 Oct 2009 10:42:16 -0400 Subject: Accounting/auditing reference? In-Reply-To: <717ccda00910210732x680ba763ge89ff3ec9c0903e4@mail.gmail.com> References: <717ccda00910210732x680ba763ge89ff3ec9c0903e4@mail.gmail.com> Message-ID: <4ADF1DC8.9030304@redhat.com> On 10/21/2009 10:32 AM, Marco Shaw wrote: > Is there anything online detailing SELinux's accounting and auditing features? > > Example: > How/if it does system and process accounting > How/if it does system and process auditing > How/if it exactly logs (through syslogd?) SELinux is a MAC (Mandatory Access Control) system. It does not do accounting and auditing. However the features in the audit system are probably what you want. For information on audit start here: http://people.redhat.com/sgrubb/audit/index.html SELinux denials do get recorded in the audit log (/var/log/audit/audit.log) -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From Moray.Henderson at ict.om.org Wed Oct 21 15:54:58 2009 From: Moray.Henderson at ict.om.org (Moray Henderson (ICT)) Date: Wed, 21 Oct 2009 15:54:58 +0000 Subject: fixfiles -F option In-Reply-To: <4ADDD7D1.1030005@redhat.com> References: <211227D58676844E9EFBA3414EC92E880517526810@QTS-MBXCLSTR1.global.local> <4ACA0F35.1020807@redhat.com> <211227D58676844E9EFBA3414EC92E880517E1631A@QTS-MBXCLSTR1.global.local> <4ADDD7D1.1030005@redhat.com> Message-ID: <211227D58676844E9EFBA3414EC92E880517E1638E@QTS-MBXCLSTR1.global.local> Hi Daniel, Here are my patches for fixfiles and the documentation. The restorecon & setfiles patches are simple: document the -p option and bring usage and man pages into line. 
The fixfiles patch: - enables -F with -C - removes -o option - corrects "[-F] relabel" in man page - brings man page and usage into line with script behaviour It is still possible to combine fixfiles options that don't make sense together, such as -R with relabel, or -R with -C, but at least the right combinations are in the documentation. These patches were made against policycoreutils-1.33.12-14.2.el5.src.rpm, but most of the fixes are still valid against the fc11 version. I hope you like them ;-) Moray. "To err is human. To purr, feline" -------------- next part -------------- A non-text attachment was scrubbed... Name: policycoreutils-setfiles.patch Type: application/octet-stream Size: 1595 bytes Desc: policycoreutils-setfiles.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: policycoreutils-fixfiles.patch Type: application/octet-stream Size: 3993 bytes Desc: policycoreutils-fixfiles.patch URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: policycoreutils-restorecon.patch Type: application/octet-stream Size: 1075 bytes Desc: policycoreutils-restorecon.patch URL: From marco.shaw at gmail.com Wed Oct 21 16:17:29 2009 From: marco.shaw at gmail.com (Marco Shaw) Date: Wed, 21 Oct 2009 13:17:29 -0300 Subject: Accounting/auditing reference? In-Reply-To: <4ADF1DC8.9030304@redhat.com> References: <717ccda00910210732x680ba763ge89ff3ec9c0903e4@mail.gmail.com> <4ADF1DC8.9030304@redhat.com> Message-ID: <717ccda00910210917n3caa10ddsf56a18969613edd@mail.gmail.com> On Wed, Oct 21, 2009 at 11:42 AM, John Dennis wrote: > On 10/21/2009 10:32 AM, Marco Shaw wrote: >> >> Is there anything online detailing SELinux's accounting and auditing >> features? >> >> Example: >> How/if it does system and process accounting >> How/if it does system and process auditing >> How/if it exactly logs ?(through syslogd?) > > SELinux is a MAC (Mandatory Access Control) system. It does not do > accounting and auditing. 
> However the features in the audit system are
> probably what you want. For information on audit start here:
> http://people.redhat.com/sgrubb/audit/index.html
>
> SELinux denials do get recorded in the audit log (/var/log/audit/audit.log)

(Line-wrapping may be way off, sorry...)

Thanks John,

Is audit an officially supported package though? If not, I'm going to have to research how RHEL can meet all the PCI-DSS requirements...

There was a webcast yesterday on RHEL and PCI compliance, but I got called away just as they were answering one of my questions near the end of the webcast.

I'll have to research more on the audit.log also. I'd prefer to have a built-in solution that uses syslogd, vs something hard coded to a specific log.

Marco

From jdennis at redhat.com Wed Oct 21 16:24:42 2009
From: jdennis at redhat.com (John Dennis)
Date: Wed, 21 Oct 2009 12:24:42 -0400
Subject: Accounting/auditing reference?
In-Reply-To: <717ccda00910210917n3caa10ddsf56a18969613edd@mail.gmail.com>
References: <717ccda00910210732x680ba763ge89ff3ec9c0903e4@mail.gmail.com> <4ADF1DC8.9030304@redhat.com> <717ccda00910210917n3caa10ddsf56a18969613edd@mail.gmail.com>
Message-ID: <4ADF35CA.9000004@redhat.com>

On 10/21/2009 12:17 PM, Marco Shaw wrote:
> On Wed, Oct 21, 2009 at 11:42 AM, John Dennis wrote:
>> On 10/21/2009 10:32 AM, Marco Shaw wrote:
>>>
>>> Is there anything online detailing SELinux's accounting and auditing
>>> features?
>>>
>>> Example:
>>> How/if it does system and process accounting
>>> How/if it does system and process auditing
>>> How/if it exactly logs (through syslogd?)
>>
>> SELinux is a MAC (Mandatory Access Control) system. It does not do
>> accounting and auditing. However the features in the audit system are
>> probably what you want. For information on audit start here:
>> http://people.redhat.com/sgrubb/audit/index.html
>>
>> SELinux denials do get recorded in the audit log (/var/log/audit/audit.log)
>
> (Line-wrapping may be way off, sorry...)
>
> Thanks John,
>
> Is audit an officially supported package though? If not, I'm going to
> have to research
> how RHEL can meet all the PCI-DSS requirements...
>
> There was a webcast yesterday on RHEL and PCI compliance, but I got called away
> just as they were answering one of my questions near the end of the webcast.
>
> I'll have to research more on the audit.log also. I'd prefer to have
> a built-in solution that
> uses syslogd, vs something hard coded to a specific log.

Yes, audit is official. There is an entire ecosystem built around audit, including things like intrusion detection. Start with the link I provided, do a bit of reading, then follow up with your question on the Linux Audit mailing list (this email list is not the one you want). You can subscribe to the Linux Audit mailing list here:

https://www.redhat.com/mailman/listinfo/linux-audit

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From dwalsh at redhat.com Wed Oct 21 21:08:27 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 21 Oct 2009 17:08:27 -0400
Subject: No avcs generated after running at jobs in enforcing mode
In-Reply-To: <4EF101F7236DB443A8FABF8164BFBD0C08B50C79@xmb-sjc-223.amer.cisco.com>
References: <4AD60A9C.101@gtri.gatech.edu> <4AD629A4.1030601@redhat.com> <4AD653D7.3000608@gtri.gatech.edu> <4AD89D1B.4070509@gtri.gatech.edu> <4EF101F7236DB443A8FABF8164BFBD0C08B50C79@xmb-sjc-223.amer.cisco.com>
Message-ID: <4ADF784B.4040208@redhat.com>

On 10/20/2009 07:52 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>
> We are trying to run an at job which echoes something on the terminal as
> below
>
> at 14:53
> at> echo "hello" > /dev/pts/1
> at> ^D
>
> When we run the above in the permissive mode we get hello on our term.
> However when we run in enforcing mode nothing seems to happen. We do not
> get any sealerts either.
>
> Can someone let us know what is going on in the enforcing mode and what
> would be a way to check the status of the job?
>
> Thanks
> Anamitra & Radha
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>

Might be something dontaudited. You need to turn off audit rules temporarily

semodule -DB

Run your test, look for avc messages in /var/log/audit/audit.log pertaining to cron and terminals.

You need to add those rules using audit2allow.

From fenn at stanford.edu Thu Oct 22 00:04:33 2009
From: fenn at stanford.edu (Tim Fenn)
Date: Wed, 21 Oct 2009 17:04:33 -0700
Subject: F12 beta, ldap authentication and NFS mounted home
Message-ID: <20091021170433.74fe35d4@thanos.Stanford.EDU>

I upgraded a machine from F10 to F12 beta - it's a client machine that mounts /home over NFS and authenticates over LDAP (however, it's a mac server that sets /home as /Volumes/Homes, which I have set up as a pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or the console, but the graphical login fails when clicking "log in" with the following selinux error:

SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access on Homes.

I've attached the full sealert, am I missing something obvious/simple?

Thanks for any help!

-Tim

--
---------------------------------------------------------
Tim Fenn
fenn at stanford.edu
Stanford University, School of Medicine
James H. Clark Center
318 Campus Drive, Room E300
Stanford, CA 94305-5432
Phone: (650) 736-1714
FAX: (650) 736-1961
---------------------------------------------------------

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sealert.txt

From kanarip at kanarip.com Thu Oct 22 06:16:09 2009
From: kanarip at kanarip.com (Jeroen van Meeuwen)
Date: Thu, 22 Oct 2009 08:16:09 +0200
Subject: F12 beta, ldap authentication and NFS mounted home
In-Reply-To: <20091021170433.74fe35d4@thanos.Stanford.EDU>
References: <20091021170433.74fe35d4@thanos.Stanford.EDU>
Message-ID: <4ADFF8A9.70501@kanarip.com>

On 10/22/2009 02:04 AM, Tim Fenn wrote:
> I upgraded a machine from F10 to F12 beta - it's a client machine that
> mounts /home over NFS and authenticates over LDAP (however, it's a mac
> server that sets /home as /Volumes/Homes, which I have set up as a
> pointer to /home). use_nfs_home_dirs is on and I can log in via SSH or
> the console, but the graphical login fails when clicking "log in" with
> the following selinux error:
>
> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access
> on Homes.
>
> I've attached the full sealert, am I missing something obvious/simple?
>

FWIW, I had something similar with gdm-greeter, I think. I also had a different problem[1] with gdm so I didn't give it much attention at the time.

-- Jeroen

[1] https://bugzilla.redhat.com/show_bug.cgi?id=530041

From dwalsh at redhat.com Thu Oct 22 12:28:04 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 22 Oct 2009 08:28:04 -0400
Subject: F12 beta, ldap authentication and NFS mounted home
In-Reply-To: <4ADFF8A9.70501@kanarip.com>
References: <20091021170433.74fe35d4@thanos.Stanford.EDU> <4ADFF8A9.70501@kanarip.com>
Message-ID: <4AE04FD4.7000605@redhat.com>

On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> On 10/22/2009 02:04 AM, Tim Fenn wrote:
>> I upgraded a machine from F10 to F12 beta - it's a client machine that
>> mounts /home over NFS and authenticates over LDAP (however, it's a mac
>> server that sets /home as /Volumes/Homes, which I have set up as a
>> pointer to /home).
>> use_nfs_home_dirs is on and I can log in via SSH or
>> the console, but the graphical login fails when clicking "log in" with
>> the following selinux error:
>>
>> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read" access
>> on Homes.
>>
>> I've attached the full sealert, am I missing something obvious/simple?
>>
>
> FWIW, I had something similar with gdm-greeter, I think. I also had a
> different problem[1] with gdm so I didn't give it much attention at the
> time.
>
> -- Jeroen
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=530041
>

I need to see the AVC in /var/log/audit/audit.log to make sure I know the reason.

Make sure the use_nfs_home_dirs boolean is turned on.

# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

From dwalsh at redhat.com Thu Oct 22 12:58:20 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 22 Oct 2009 08:58:20 -0400
Subject: fixfiles -F option
In-Reply-To: <211227D58676844E9EFBA3414EC92E880517E1638E@QTS-MBXCLSTR1.global.local>
References: <211227D58676844E9EFBA3414EC92E880517526810@QTS-MBXCLSTR1.global.local> <4ACA0F35.1020807@redhat.com> <211227D58676844E9EFBA3414EC92E880517E1631A@QTS-MBXCLSTR1.global.local> <4ADDD7D1.1030005@redhat.com> <211227D58676844E9EFBA3414EC92E880517E1638E@QTS-MBXCLSTR1.global.local>
Message-ID: <4AE056EC.3020609@redhat.com>

On 10/21/2009 11:54 AM, Moray Henderson (ICT) wrote:
> Hi Daniel,
>
> Here are my patches for fixfiles and the documentation.
>
> The restorecon & setfiles patches are simple: document the -p option and bring usage and man pages into line.
>
> The fixfiles patch:
> - enables -F with -C
> - removes -o option
> - corrects "[-F] relabel" in man page
> - brings man page and usage into line with script behaviour
>
> It is still possible to combine fixfiles options that don't make sense together, such as -R with relabel, or -R with -C, but at least the right combinations are in the documentation.
>
> These patches were made against policycoreutils-1.33.12-14.2.el5.src.rpm, but most of the fixes are still valid against the fc11 version.
>
> I hope you like them ;-)
>
> Moray.
> "To err is human. To purr, feline"

I have applied your packages to the Fedora 12 policycoreutils package and will send them upstream. These fixes will be in RHEL6 and we are investigating getting them into RHEL5.5

Thank you.

From fenn at stanford.edu Thu Oct 22 17:20:28 2009
From: fenn at stanford.edu (Tim Fenn)
Date: Thu, 22 Oct 2009 10:20:28 -0700
Subject: F12 beta, ldap authentication and NFS mounted home
In-Reply-To: <4AE04FD4.7000605@redhat.com>
References: <20091021170433.74fe35d4@thanos.Stanford.EDU> <4ADFF8A9.70501@kanarip.com> <4AE04FD4.7000605@redhat.com>
Message-ID: <20091022102028.24a09b16@stanford.edu>

On Thu, 22 Oct 2009 08:28:04 -0400
Daniel J Walsh wrote:

> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> > On 10/22/2009 02:04 AM, Tim Fenn wrote:
> >> I upgraded a machine from F10 to F12 beta - it's a client machine
> >> that mounts /home over NFS and authenticates over LDAP (however,
> >> it's a mac server that sets /home as /Volumes/Homes, which I have
> >> set up as a pointer to /home). use_nfs_home_dirs is on and I can
> >> log in via SSH or the console, but the graphical login fails when
> >> clicking "log in" with the following selinux error:
> >>
> >> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
> >> access on Homes.
> >>
> >> I've attached the full sealert, am I missing something
> >> obvious/simple?
> >>
> >
> > FWIW, I had something similar with gdm-greeter, I think.
> > I also had
> > a different problem[1] with gdm so I didn't give it much attention
> > at the time.
> >
> > -- Jeroen
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=530041
> >
>
> I need to see the AVC in /var/log/audit/audit.log to make sure I know
> the reason.
>
> Make sure the use_nfs_home_dirs boolean is turned on.
>

Yes, it is. Upon further investigation, it appears gdm is just crashing - I'll look into related bug reports. The selinux alert may be for something else, I'll post the audit.log next time I catch it.

-Tim

--
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS

From fenn at stanford.edu Fri Oct 23 23:08:02 2009
From: fenn at stanford.edu (Tim Fenn)
Date: Fri, 23 Oct 2009 16:08:02 -0700
Subject: F12 beta, ldap authentication and NFS mounted home
In-Reply-To: <4AE04FD4.7000605@redhat.com>
References: <20091021170433.74fe35d4@thanos.Stanford.EDU> <4ADFF8A9.70501@kanarip.com> <4AE04FD4.7000605@redhat.com>
Message-ID: <20091023160802.7a26dd85@stanford.edu>

On Thu, 22 Oct 2009 08:28:04 -0400
Daniel J Walsh wrote:

> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> > On 10/22/2009 02:04 AM, Tim Fenn wrote:
> >> I upgraded a machine from F10 to F12 beta - it's a client machine
> >> that mounts /home over NFS and authenticates over LDAP (however,
> >> it's a mac server that sets /home as /Volumes/Homes, which I have
> >> set up as a pointer to /home). use_nfs_home_dirs is on and I can
> >> log in via SSH or the console, but the graphical login fails when
> >> clicking "log in" with the following selinux error:
> >>
> >> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
> >> access on Homes.
> >>
> >> I've attached the full sealert, am I missing something
> >> obvious/simple?
> >>
> >
> > FWIW, I had something similar with gdm-greeter, I think.
> > I also had
> > a different problem[1] with gdm so I didn't give it much attention
> > at the time.
> >
> I need to see the AVC in /var/log/audit/audit.log to make sure I know
> the reason.
>

OK, I spent a bit more time on this today (sorry for the late response, been busy with all these new operating systems this week!). Upon login, I get the audit_1.log (see attached), and upon firing up startx, I get audit_2.log - it seems the link to /home is what's causing the problem, audit2allow suggests

allow local_login_t default_t:lnk_file read;
allow consolekit_t default_t:lnk_file read;

but I'm not sure that's the "proper" solution - would it be better to set /Volumes/Homes as the NFS mount and /home as a pointer to it?

-Tim

--
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS

-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit_1.log
Type: text/x-log
Size: 3408 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit_2.log
Type: text/x-log
Size: 647 bytes
Desc: not available

From dwalsh at redhat.com Sat Oct 24 11:58:47 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Sat, 24 Oct 2009 07:58:47 -0400
Subject: F12 beta, ldap authentication and NFS mounted home
In-Reply-To: <20091023160802.7a26dd85@stanford.edu>
References: <20091021170433.74fe35d4@thanos.Stanford.EDU> <4ADFF8A9.70501@kanarip.com> <4AE04FD4.7000605@redhat.com> <20091023160802.7a26dd85@stanford.edu>
Message-ID: <4AE2EBF7.9020101@redhat.com>

On 10/23/2009 07:08 PM, Tim Fenn wrote:
> On Thu, 22 Oct 2009 08:28:04 -0400
> Daniel J Walsh wrote:
>
>> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
>>> On 10/22/2009 02:04 AM, Tim Fenn wrote:
>>>> I upgraded a machine from F10 to F12 beta - it's a client machine
>>>> that mounts /home over NFS and authenticates over LDAP (however,
>>>> it's a mac server that sets /home as /Volumes/Homes, which I have
>>>> set up as a pointer to /home).
>>>> use_nfs_home_dirs is on and I can
>>>> log in via SSH or the console, but the graphical login fails when
>>>> clicking "log in" with the following selinux error:
>>>>
>>>> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
>>>> access on Homes.
>>>>
>>>> I've attached the full sealert, am I missing something
>>>> obvious/simple?
>>>>
>>>
>>> FWIW, I had something similar with gdm-greeter, I think. I also had
>>> a different problem[1] with gdm so I didn't give it much attention
>>> at the time.
>>>
>> I need to see the AVC in /var/log/audit/audit.log to make sure I know
>> the reason.
>>
>
> OK, I spent a bit more time on this today (sorry for the late response,
> been busy with all these new operating systems this week!). Upon
> login, I get the audit_1.log (see attached), and upon firing up startx,
> I get audit_2.log - it seems the link to /home is what's causing the
> problem, audit2allow suggests
>
> allow local_login_t default_t:lnk_file read;
> allow consolekit_t default_t:lnk_file read;
>
> but I'm not sure that's the "proper" solution - would it be better to
> set /Volumes/Homes as the NFS mount and /home as a pointer to it?
>
> -Tim
>

Looks like a labeling problem.

The problem looks like you have the users' home directories in a separate location. And it is not labeled correctly.

The symbolic link is labeled with the default label, and the login programs are not able to read this link.

You probably need to label it something like user_home_dir_t.

Homes is the link.

Is /volume/homes a symbolic link to /home?

Are the users home dirs local or on another machine mounted via nfs?
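Two threads above end up at the same triage step: in the at-job thread Dan's advice is to disable the dontaudit rules with semodule -DB, rerun the test, pick the AVCs about cron and terminals out of /var/log/audit/audit.log and feed them to audit2allow; in this thread the AVC names default_t as the target and the answer is a relabel, not an allow rule. The script below is an added example (not code from the list, and not part of policycoreutils or audit2allow) that does both halves: it parses the AVC records out of an audit.log excerpt, filters them the way Dan describes, and for each one decides whether the target type is a catch-all label (default_t, file_t, unlabeled_t, which means the object never got a real label) or a genuine policy gap for which it prints an audit2allow-style rule to review. The audit records are constructed to mirror the two threads; the cronjob_t domain, pids, inode numbers, paths and the httpd record used to show filtering are assumed values, not captures from either poster's machine.

```python
"""Triage SELinux AVC denials from an audit.log excerpt.

Added example for the list threads above; not code from the list or from the
SELinux project.  The records below are constructed: they mirror an at/cron
job writing to a pty and login programs reading a symlink labeled default_t.
The cronjob_t domain, pids, inodes, paths and the httpd record are assumed.
"""
import re

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1256000000.100:1001): avc:  denied  { write } for  pid=4242 comm="sh" path="/dev/pts/1" dev=devpts ino=4 scontext=system_u:system_r:cronjob_t:s0 tcontext=system_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1256000000.100:1001): arch=c000003e syscall=1 success=no exit=-13 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1256000000.200:1002): avc:  denied  { read } for  pid=4300 comm="login" name="Homes" dev=sda1 ino=99 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256000000.300:1003): avc:  denied  { read } for  pid=4301 comm="console-kit-dae" name="Homes" dev=sda1 ino=99 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(1256000000.400:1004): avc:  denied  { read } for  pid=4400 comm="httpd" name="index.html" dev=sda1 ino=555 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Catch-all types: an object carrying one of these was never given a real
# label, so the cure is a relabel (semanage fcontext / restorecon), not a rule
# that lets a domain use the catch-all type.
LABELING_TYPES = {"default_t", "file_t", "unlabeled_t"}


def parse_avcs(log_text):
    """Return one dict per AVC record; SYSCALL and other record types are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        rec["serial"] = int(m.group("serial"))
        rec["verdict"] = m.group("verdict")
        rec["perms"] = m.group("perms").split()
        rec["stype"] = rec["scontext"].split(":")[2]   # source (process) type
        rec["ttype"] = rec["tcontext"].split(":")[2]   # target (object) type
        records.append(rec)
    return records


def select(records, domain_substr=None, tclasses=()):
    """Keep records whose source type contains domain_substr or whose target
    class is in tclasses; this is the "cron and terminals" filter from the thread."""
    return [r for r in records
            if (domain_substr and domain_substr in r["stype"])
            or r["tclass"] in tclasses]


def triage(rec):
    """Decide what a denial calls for.

    Returns ("relabel", hint) when the target carries a catch-all type, and
    ("allow", rule) with an audit2allow-style rule to review otherwise."""
    obj = rec.get("path") or rec.get("name") or "<object>"
    if rec["ttype"] in LABELING_TYPES:
        hint = (f"{obj} is labeled {rec['ttype']}: give it a proper label "
                f"(semanage fcontext -a -t <type> '<path>'; restorecon -v '<path>') "
                f"rather than allowing {rec['stype']} to use {rec['ttype']}")
        return "relabel", hint
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ " + " ".join(rec["perms"]) + " }"
    return "allow", f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perms};"


def triage_log(log_text, domain_substr=None, tclasses=()):
    """Parse, filter and triage; returns [(serial, kind, text), ...]."""
    return [(r["serial"], *triage(r))
            for r in select(parse_avcs(log_text), domain_substr, tclasses)]


if __name__ == "__main__":
    for serial, kind, text in triage_log(SAMPLE_AUDIT_LOG, domain_substr="cron",
                                         tclasses={"chr_file", "lnk_file"}):
        print(f"{serial}: {kind}: {text}")
```

On a real box the input would be the audit.log lines collected after semodule -DB; once the denials are captured, semodule -B rebuilds the policy with the dontaudit rules back in place. The "allow" output is only a candidate for review, which is the same caveat that applies to audit2allow itself, and the "relabel" case is exactly Tim's symlink: the rule audit2allow proposed would have allowed login programs to read anything labeled default_t.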
From joe at nall.com Sat Oct 24 18:11:01 2009
From: joe at nall.com (Joe Nall)
Date: Sat, 24 Oct 2009 11:11:01 -0700
Subject: strange avc with racoon under f-11 mls
In-Reply-To: <4AD89D1B.4070509@gtri.gatech.edu>
References: <4AD60A9C.101@gtri.gatech.edu> <4AD629A4.1030601@redhat.com> <4AD653D7.3000608@gtri.gatech.edu> <4AD89D1B.4070509@gtri.gatech.edu>
Message-ID:

On Fri, Oct 16, 2009 at 9:19 AM, Joshua Roys wrote:
> On 10/15/2009 09:27 AM, Xavier Toth wrote:
>>
>> On Wed, Oct 14, 2009 at 5:42 PM, Joshua Roys
>> wrote:
>>>
>>> On 10/14/2009 03:42 PM, Daniel J Walsh wrote:
>>>>
>>>> On 10/14/2009 01:30 PM, Joshua Roys wrote:
>>>>>
>>>>> avc:  denied  { recv } for  saddr=1.2.3.4 src=500 daddr=4.3.2.1
>>>>> dest=500
>>>>> netif=eth0 scontext=system_u:system_r:racoon_t:s0-s15:c0.c1023
>>>>> tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=peer
>>>>>
>>>
>>> Looking at policy/mls, I see this:
>>> # the peer/packet recv op
>>> mlsconstrain { peer packet } { recv }
>>>         (( l1 dom l2 ) or
>>>          (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>>>          ( t1 == mlsnetread ));
>>>
>>> mlsnetreadtoclr appears to only be granted via:
>>> policy/modules/kernel/mls.if: mls_socket_read_to_clearance
>>> which is not granted to racoon_t
>>>
>
> Hello,
>
> We have ipsec working again, using something like:
>
> ($local_t and $remote_t being the local and remote types)
>
> mls_socket_read_to_clearance(racoon_t)
>
> allow $local_t $remote_t:association polmatch;
> allow $remote_t $local_t:association polmatch;
>
> allow $local_t $remote_t:peer recv;
>
> Thanks for the tips,
>
> Joshua Roys

Here is what we are using. Some of this is because we do a fair amount of dynamic config in the init scripts, some may be redundant with other fixes in refpol/F11 because it was originally developed in F9.
policy_module(hack_ipsec,1.0.9)

require {
    type initrc_t, ipsec_spd_t;
    attribute domain;
}

allow domain ipsec_spd_t:association { polmatch sendto recvfrom };

require {
    type setkey_t, initrc_tmp_t;
}

# autoconfiguration needs this
gen_require(`type ipsec_conf_file_t, ipsec_key_file_t;');
allow initrc_t ipsec_conf_file_t:dir { write remove_name add_name };
allow initrc_t ipsec_conf_file_t:file { rename write setattr relabelfrom relabelto create unlink };
allow initrc_t ipsec_key_file_t:file { write read rename };

# get setkey to talk to me in enforcing mode
gen_require(`type setkey_t, initrc_devpts_t, initrc_tmp_t;');
allow setkey_t initrc_tmp_t:file { read getattr };

gen_require(`type udev_t, ipsec_conf_file_t;');
allow udev_t ipsec_conf_file_t:file ioctl;
allow udev_t self:key_socket create;

# runtime
gen_require(`
    type racoon_t, ipsec_spd_t, unlabeled_t;
');
allow unlabeled_t ipsec_spd_t:association polmatch;
allow unlabeled_t self:association sendto;
allow racoon_t unlabeled_t:udp_socket recvfrom;
allow racoon_t unlabeled_t:association setcontext;
mls_socket_read_to_clearance(racoon_t)
mls_socket_write_to_clearance(racoon_t)
corenet_out_generic_if(racoon_t);
corenet_udp_send_generic_node(racoon_t);

From fenn at stanford.edu Sun Oct 25 01:33:00 2009
From: fenn at stanford.edu (Tim Fenn)
Date: Sat, 24 Oct 2009 18:33:00 -0700
Subject: F12 beta, ldap authentication and NFS mounted home
In-Reply-To: <4AE2EBF7.9020101@redhat.com>
References: <20091021170433.74fe35d4@thanos.Stanford.EDU> <4ADFF8A9.70501@kanarip.com> <4AE04FD4.7000605@redhat.com> <20091023160802.7a26dd85@stanford.edu> <4AE2EBF7.9020101@redhat.com>
Message-ID: <20091024183300.40bca842@stanford.edu>

On Sat, 24 Oct 2009 07:58:47 -0400
Daniel J Walsh wrote:

> On 10/23/2009 07:08 PM, Tim Fenn wrote:
> > On Thu, 22 Oct 2009 08:28:04 -0400
> > Daniel J Walsh wrote:
> >
> >> On 10/22/2009 02:16 AM, Jeroen van Meeuwen wrote:
> >>> On 10/22/2009 02:04 AM, Tim Fenn wrote:
> >>>> I upgraded a machine from F10 to F12
> >>>> beta - it's a client machine
> >>>> that mounts /home over NFS and authenticates over LDAP (however,
> >>>> it's a mac server that sets /home as /Volumes/Homes, which I have
> >>>> set up as a pointer to /home). use_nfs_home_dirs is on and I can
> >>>> log in via SSH or the console, but the graphical login fails when
> >>>> clicking "log in" with the following selinux error:
> >>>>
> >>>> SELinux is preventing /usr/libexec/ck-get-x11-server-pid "read"
> >>>> access on Homes.
> >>>>
> >>>> I've attached the full sealert, am I missing something
> >>>> obvious/simple?
> >>>>
> >>>
> >>> FWIW, I had something similar with gdm-greeter, I think. I also
> >>> had a different problem[1] with gdm so I didn't give it much
> >>> attention at the time.
> >>>
> >> I need to see the AVC in /var/log/audit/audit.log to make sure I
> >> know the reason.
> >>
> >
> > OK, I spent a bit more time on this today (sorry for the late
> > response, been busy with all these new operating systems this
> > week!). Upon login, I get the audit_1.log (see attached), and upon
> > firing up startx, I get audit_2.log - it seems the link to /home is
> > what's causing the problem, audit2allow suggests
> >
> > allow local_login_t default_t:lnk_file read;
> > allow consolekit_t default_t:lnk_file read;
> >
> > but I'm not sure that's the "proper" solution - would it be better to
> > set /Volumes/Homes as the NFS mount and /home as a pointer to it?
> >
> > -Tim
> >
> Looks like a labeling problem.
>
> The problem looks like you have the users' home directories in a
> separate location. And it is not labeled correctly.
>
> The symbolic link is labeled with the default label, and the login
> programs are not able to read this link.
>
> You probably need to label it something like user_home_dir_t.
>
> Homes is the link.
>
> Is /volume/homes a symbolic link to /home?
>
> Are the users home dirs local or on another machine mounted via nfs?
>

/home was the NFS mount, /volumes/homes was the symbolic link to it.
If I do the opposite (/volumes/homes as the NFS mount, /home as a link to /volumes/homes), I don't see any selinux avc errors. I'll leave it at that for now, but let me know if you'd like additional information or try out anything to further debug/test things.

-tim

--
CAPS LOCK IS THE CRUISE CONTROL OF AWESOMNESS

From misc.lists at blueyonder.co.uk Sun Oct 25 13:01:49 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Sun, 25 Oct 2009 13:01:49 +0000
Subject: Relabelling issue
Message-ID: <1256475709.3640.8.camel@localhost>

Hello all,

I got an avc the other day that made me suspect that I might have labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel; reboot"

The avc turned out to be unrelated to this, but I was a little surprised to see the following errors during the relabelling process:

SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

Should I be concerned?

Thanks for any suggestions...

Mark

p.s.
Latest yum log entries:
[root at localhost ~]# cat /var/log/yum.log | grep -i selinux
Aug 08 21:05:15 Updated: selinux-policy-3.6.12-69.fc11.noarch
Aug 08 21:08:51 Updated: selinux-policy-targeted-3.6.12-69.fc11.noarch
Aug 12 13:28:30 Updated: selinux-policy-3.6.12-72.fc11.noarch
Aug 12 13:29:05 Updated: selinux-policy-targeted-3.6.12-72.fc11.noarch
Aug 22 10:31:50 Updated: selinux-policy-3.6.12-78.fc11.noarch
Aug 22 10:32:25 Updated: selinux-policy-targeted-3.6.12-78.fc11.noarch
Aug 29 16:17:14 Updated: selinux-policy-3.6.12-80.fc11.noarch
Aug 29 16:17:48 Updated: selinux-policy-targeted-3.6.12-80.fc11.noarch
Sep 07 18:20:34 Updated: selinux-policy-3.6.12-81.fc11.noarch
Sep 07 18:21:09 Updated: selinux-policy-targeted-3.6.12-81.fc11.noarch
Sep 12 09:31:35 Updated: selinux-policy-3.6.12-82.fc11.noarch
Sep 12 09:32:08 Updated: selinux-policy-targeted-3.6.12-82.fc11.noarch
Oct 01 19:43:02 Updated: selinux-policy-3.6.12-83.fc11.noarch
Oct 01 19:43:35 Updated: selinux-policy-targeted-3.6.12-83.fc11.noarch
Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part

From bruno at wolff.to Sun Oct 25 17:37:58 2009
From: bruno at wolff.to (Bruno Wolff III)
Date: Sun, 25 Oct 2009 12:37:58 -0500
Subject: Relabelling issue
In-Reply-To: <1256475709.3640.8.camel@localhost>
References: <1256475709.3640.8.camel@localhost>
Message-ID: <20091025173758.GC11937@wolff.to>

On Sun, Oct 25, 2009 at 13:01:49 +0000,
  Arthur Dent wrote:
>
> I got an avc the other day that made me suspect that I might have
> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
> reboot"
>
> Should I be concerned?

Generally it is a good idea to switch to permissive mode for a full relabel.
Otherwise you might not be permitted to make the changes. Normally that won't be a problem after minor updates, but if things are to the point where you want to do a full relabel, it's generally simpler to make sure it will do all of the work needed rather than have to manually deal with the odd case here and there.

From misc.lists at blueyonder.co.uk Sun Oct 25 20:37:40 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Sun, 25 Oct 2009 20:37:40 +0000
Subject: Relabelling issue
In-Reply-To: <20091025173758.GC11937@wolff.to>
References: <1256475709.3640.8.camel@localhost> <20091025173758.GC11937@wolff.to>
Message-ID: <1256503060.3599.8.camel@localhost>

On Sun, 2009-10-25 at 12:37 -0500, Bruno Wolff III wrote:
> On Sun, Oct 25, 2009 at 13:01:49 +0000,
>   Arthur Dent wrote:
>>
>> I got an avc the other day that made me suspect that I might have
>> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
>> reboot"
>>
>> Should I be concerned?
>
> Generally it is a good idea to switch to permissive mode for a full relabel.
> Otherwise you might not be permitted to make the changes. Normally that
> won't be a problem after minor updates, but if things are to the point where
> you want to do a full relabel, it's generally simpler to make sure it will
> do all of the work needed rather than have to manually deal with the odd
> case here and there.

Thank you - but I'm not sure I fully understand what you're saying. Do you mean that if I had first switched to permissive mode, that those errors would not have occurred?

Surely if a particular context is "not valid" there is nothing a relabel can do - permissive mode or otherwise? Or have I misunderstood?

My question was really:
a) How have I ended up with all of those invalid contexts? and
b) Given that, as far as I can tell, most things seem to work - should I be concerned about these error messages?

Thanks

Mark

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part

From bruno at wolff.to Sun Oct 25 23:23:17 2009
From: bruno at wolff.to (Bruno Wolff III)
Date: Sun, 25 Oct 2009 18:23:17 -0500
Subject: Relabelling issue
In-Reply-To: <1256503060.3599.8.camel@localhost>
References: <1256475709.3640.8.camel@localhost> <20091025173758.GC11937@wolff.to> <1256503060.3599.8.camel@localhost>
Message-ID: <20091025232317.GA14925@wolff.to>

On Sun, Oct 25, 2009 at 20:37:40 +0000,
  Arthur Dent wrote:
>
> Thank you - but I'm not sure I fully understand what you're saying. Do
> you mean that if I had first switched to permissive mode, that those
> errors would not have occurred?

Yes.

> Surely if a particular context is "not valid" there is nothing a relabel
> can do - permissive mode or otherwise? Or have I misunderstood?

It's not that the context is valid, but that you may not have permission to make the changes.

> My question was really:
> a) How have I ended up with all of those invalid contexts? and

It might be just changes in labels from previous versions of the policy. Normally the changes get made during updates.

> b) Given that, as far as I can tell, most things seem to work - should I
> be concerned about these error messages?

Having things mislabelled can cause problems. You can either do a full relabel or use restorecon to fix them. Since you seem to know which ones did not get relabelled you can do a targeted relabelling with restorecon instead of checking every file on your system.
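Going back to the racoon thread earlier in this archive: the mlsconstrain Joshua quoted from policy/mls is what decides the recv on the peer class, and the denial becomes obvious once the two contexts in the AVC are taken apart. racoon_t runs with the range s0-s15:c0.c1023, so its low level l1 is plain s0, while the packet sits at s15:c0.c1023; s0 does not dominate s15, so the first clause fails, and without the mlsnetreadtoclr attribute the second clause (which compares the high level h1 instead) is never reached. The script below is an added example (not code from the list and not part of refpolicy or checkpolicy) that parses MLS ranges, implements dominance, and evaluates exactly that constraint for the two contexts from the AVC, first as reported and then with the attribute that mls_socket_read_to_clearance() grants. Which attributes a type carries is passed in as an explicit dictionary; that mapping is an assumed input standing in for what the loaded policy assigns.

```python
"""Evaluate the refpolicy MLS constraint on { peer packet } recv.

Added example, not code from the list thread or from refpolicy.  The two
contexts are the ones from the racoon AVC quoted in the thread; the MLS
attributes of a type are passed in explicitly (assumed input; on a real
system they come from interfaces such as mls_socket_read_to_clearance()).
"""


def parse_level(text):
    """'s15:c0.c1023,c5' -> (15, frozenset of category numbers); 's0' -> (0, frozenset())."""
    sens, _, cats = text.partition(":")
    if not sens.startswith("s"):
        raise ValueError(f"bad sensitivity in level {text!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                         # cX.cY is an inclusive range
            lo, hi = part.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return int(sens[1:]), frozenset(categories)


def parse_range(text):
    """'s0-s15:c0.c1023' -> (low, high); a single level is its own low and high."""
    low_text, _, high_text = text.partition("-")
    low = parse_level(low_text)
    return low, (parse_level(high_text) if high_text else low)


def dominates(a, b):
    """a dom b: a's sensitivity is not lower and a's categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def split_context(context):
    """'user:role:type:range' -> (type, (low, high))."""
    _user, _role, typ, mls = context.split(":", 3)
    return typ, parse_range(mls)


def peer_recv_allowed(scontext, tcontext, attributes_of):
    """The constraint quoted from policy/mls:

        mlsconstrain { peer packet } { recv }
            (( l1 dom l2 ) or
             (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
             ( t1 == mlsnetread ));

    In a constraint 't1 == attribute' holds when the source type carries that
    attribute.  Returns (allowed, clause that decided it)."""
    t1, (l1, h1) = split_context(scontext)
    _t2, (l2, _h2) = split_context(tcontext)
    attrs = attributes_of.get(t1, frozenset())
    if dominates(l1, l2):
        return True, "l1 dom l2"
    if "mlsnetreadtoclr" in attrs and dominates(h1, l2):
        return True, "t1 == mlsnetreadtoclr and h1 dom l2"
    if "mlsnetread" in attrs:
        return True, "t1 == mlsnetread"
    return False, "no clause satisfied"


# Contexts from the AVC in the thread.
RACOON = "system_u:system_r:racoon_t:s0-s15:c0.c1023"
PACKET = "system_u:object_r:unlabeled_t:s15:c0.c1023"


def before_and_after():
    """The denial as reported, then the result after mls_socket_read_to_clearance(racoon_t)."""
    denied = peer_recv_allowed(RACOON, PACKET, {})
    allowed = peer_recv_allowed(RACOON, PACKET, {"racoon_t": {"mlsnetreadtoclr"}})
    return denied, allowed


if __name__ == "__main__":
    for label, result in zip(("without attribute", "with mlsnetreadtoclr"), before_and_after()):
        print(f"{label}: allowed={result[0]} ({result[1]})")
```

The same evaluator shows why the packet's categories matter as much as its sensitivity: a packet at s0 is dominated by racoon's low level outright, while one at s0:c5 is not, because l1 carries no categories. That is the distinction between read-to-clearance (compare against h1) and a plain low-level read that the constraint encodes.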
From dwalsh at redhat.com Mon Oct 26 15:39:59 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 26 Oct 2009 11:39:59 -0400
Subject: Relabelling issue
In-Reply-To: <1256475709.3640.8.camel@localhost>
References: <1256475709.3640.8.camel@localhost>
Message-ID: <4AE5C2CF.5010307@redhat.com>

On 10/25/2009 09:01 AM, Arthur Dent wrote:
> Hello all,
>
> I got an avc the other day that made me suspect that I might have
> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
> reboot"
>
> The avc turned out to be unrelated to this, but I was a little surprised
> to see the following errors during the relabelling process:
>
> SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
> type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
> SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped). > SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped). > SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped). > SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped). > SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped). > SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped). > SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped). > SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped). > type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 > Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k > SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts > > > Should I be concerned? > > Thanks for any suggestions... > > Mark > > p.s. 
> > Latest yum log entries: > [root at localhost ~]# cat /var/log/yum.log | grep -i selinux > Aug 08 21:05:15 Updated: selinux-policy-3.6.12-69.fc11.noarch > Aug 08 21:08:51 Updated: selinux-policy-targeted-3.6.12-69.fc11.noarch > Aug 12 13:28:30 Updated: selinux-policy-3.6.12-72.fc11.noarch > Aug 12 13:29:05 Updated: selinux-policy-targeted-3.6.12-72.fc11.noarch > Aug 22 10:31:50 Updated: selinux-policy-3.6.12-78.fc11.noarch > Aug 22 10:32:25 Updated: selinux-policy-targeted-3.6.12-78.fc11.noarch > Aug 29 16:17:14 Updated: selinux-policy-3.6.12-80.fc11.noarch > Aug 29 16:17:48 Updated: selinux-policy-targeted-3.6.12-80.fc11.noarch > Sep 07 18:20:34 Updated: selinux-policy-3.6.12-81.fc11.noarch > Sep 07 18:21:09 Updated: selinux-policy-targeted-3.6.12-81.fc11.noarch > Sep 12 09:31:35 Updated: selinux-policy-3.6.12-82.fc11.noarch > Sep 12 09:32:08 Updated: selinux-policy-targeted-3.6.12-82.fc11.noarch > Oct 01 19:43:02 Updated: selinux-policy-3.6.12-83.fc11.noarch > Oct 01 19:43:35 Updated: selinux-policy-targeted-3.6.12-83.fc11.noarch > Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch > Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch > > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list This looks like a mismatch of policy and labels on disk. *_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these. So relabeling is probably a good idea. gamin_exec_t has disappeared. 
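Added example, not from the thread: a small POSIX shell script that triages the "Context ... is not valid (left unmapped)" kernel messages quoted above, applies the *_script_exec_t to *_initrc_exec_t rename Dan describes, and lists the file_contexts paths a targeted restorecon (Bruno's suggestion) would re-check. The log excerpt and the file_contexts excerpt are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): map stale on-disk types from the kernel
# "left unmapped" messages to their current names and find the paths to restorecon.

# Constructed sample of the kernel messages quoted in the thread.
SAMPLE_LOG='SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k'

# Constructed excerpt in the layout of /etc/selinux/<policy>/contexts/files/file_contexts
# (path regex, optional file-type flag, context); the real file is what restorecon uses.
SAMPLE_FC='/etc/rc\.d/init\.d/httpd -- system_u:object_r:httpd_initrc_exec_t:s0
/etc/rc\.d/init\.d/pppd -- system_u:object_r:pppd_initrc_exec_t:s0
/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0'

# Type component of every unmapped context in the log text $1, one per line.
unmapped_types() {
    printf '%s\n' "$1" |
        sed -n 's/^SELinux: Context [^:]*:[^:]*:\([^:]*\):.* is not valid (left unmapped)\.$/\1/p'
}

# Current name after the rename Dan describes (*_script_exec_t -> *_initrc_exec_t).
# Anything else is returned unchanged so the caller can see it has no known replacement.
renamed_type() {
    case "$1" in
        *_script_exec_t) printf '%s\n' "${1%_script_exec_t}_initrc_exec_t" ;;
        *)               printf '%s\n' "$1" ;;
    esac
}

# Literal paths that the file_contexts text $2 labels with type $1.
# Regex entries (containing ( * [) are skipped: they are not a single path restorecon
# can be pointed at; the dot escapes of literal entries are undone.
paths_for_type() {
    printf '%s\n' "$2" | awk -v t="$1" '
        $NF ~ (":" t ":") {
            p = $1
            if (index(p, "(") || index(p, "*") || index(p, "[")) next
            gsub(/\\\./, ".", p)
            print p
        }'
}

# One report line per unmapped type: old name, current name, paths to re-check.
triage() {
    unmapped_types "$1" | while read -r old; do
        new=$(renamed_type "$old")
        paths=$(paths_for_type "$new" "$2" | paste -sd ' ' -)
        if [ "$new" = "$old" ]; then
            printf '%s: no known replacement type; needs a full relabel or a manual check\n' "$old"
        elif [ -z "$paths" ]; then
            printf '%s -> %s: no literal file_contexts entry found\n' "$old" "$new"
        else
            printf '%s -> %s: %s\n' "$old" "$new" "$paths"
        fi
    done
}

triage "$SAMPLE_LOG" "$SAMPLE_FC"
```

On a real system, feed it the dmesg output and the contents of the file_contexts file, then run `restorecon -nv PATH` on the paths it lists to preview what a targeted relabel would change before doing it for real.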
From misc.lists at blueyonder.co.uk Wed Oct 28 09:38:08 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Wed, 28 Oct 2009 09:38:08 +0000
Subject: Relabelling issue
In-Reply-To: <4AE5C2CF.5010307@redhat.com>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com>
Message-ID: <1256722688.3622.14.camel@localhost>

On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
> On 10/25/2009 09:01 AM, Arthur Dent wrote:
> > Hello all,
> >
> > I got an avc the other day that made me suspect that I might have
> > labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
> > reboot"
> >
> > The avc turned out to be unrelated to this, but I was a little surprised
> > to see the following errors during the relabelling process:
> >
> > SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
> > type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
> > SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
> > type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> > Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
> > SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> >
> >
> > Should I be concerned?
> >
> > Thanks for any suggestions...
> >
> > Mark
> >
> > p.s.
> >
> > Latest yum log entries:
> > [root at localhost ~]# cat /var/log/yum.log | grep -i selinux
> > Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
> > Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> This looks like a mismatch of policy and labels on disk.
>
>
> *_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.
>
> So relabeling is probably a good idea.
>
> gamin_exec_t has disappeared.

OK - I finally got round to doing another relabel - this time in
permissive mode (I wanted to watch for error messages and couldn't face
the thought of sitting watching little asterisks march across the screen
until today).

Unfortunately I get exactly the same messages during the relabelling
process:

SELinux: initialized (dev sdb6, type ext3), uses xattr
SELinux: initialized (dev sdb11, type vfat), uses genfs_contexts
SELinux: initialized (dev sdb12, type vfat), uses genfs_contexts
fuse init (API version 7.11)
SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts

So now I'm not sure what to do - just ignore it and wait until I rebuild
with Fedora 12 - or do something now?

Thanks for any advice...

Mark

From dwalsh at redhat.com Wed Oct 28 12:50:36 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 28 Oct 2009 08:50:36 -0400
Subject: Relabelling issue
In-Reply-To: <1256722688.3622.14.camel@localhost>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost>
Message-ID: <4AE83E1C.3040003@redhat.com>

On 10/28/2009 05:38 AM, Arthur Dent wrote:
> On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
>> On 10/25/2009 09:01 AM, Arthur Dent wrote:
>>> Hello all,
>>>
>>> I got an avc the other day that made me suspect that I might have
>>> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
>>> reboot"
>>>
>>> The avc turned out to be unrelated to this, but I was a little surprised
>>> to see the following errors during the relabelling process:
>>>
>>> SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
>>> type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
>>> SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
>>> type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
>>> Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
>>> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
>>>
>>>
>>> Should I be concerned?
>>>
>>> Thanks for any suggestions...
>>>
>>> Mark
>>>
>>> p.s.
>>>
>>> Latest yum log entries:
>>> [root at localhost ~]# cat /var/log/yum.log | grep -i selinux
>>> Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
>>> Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch
>>>
>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> This looks like a mismatch of policy and labels on disk.
>>
>>
>> *_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.
>>
>> So relabeling is probably a good idea.
>>
>> gamin_exec_t has disappeared.
>
> OK - I finally got round to doing another relabel - this time in
> permissive mode (I wanted to watch for error messages and couldn't face
> the thought of sitting watching little asterisks march across the screen
> until today).
>
> Unfortunately I get exactly the same messages during the relabelling
> process:
> SELinux: initialized (dev sdb6, type ext3), uses xattr
> SELinux: initialized (dev sdb11, type vfat), uses genfs_contexts
> SELinux: initialized (dev sdb12, type vfat), uses genfs_contexts
> fuse init (API version 7.11)
> SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
> SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
> SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
> Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
>
> So now I'm not sure what to do - just ignore it and wait until I rebuild
> with Fedora 12 - or do something now?
>
> Thanks for any advice...
>
> Mark
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-l

If you do a load_policy do you see these messages?

What version of policy and which version of the OS are you using?

From deleriux at airattack-central.com Wed Oct 28 13:28:23 2009
From: deleriux at airattack-central.com (Matthew Ife)
Date: Wed, 28 Oct 2009 13:28:23 +0000
Subject: Tgtd policy
In-Reply-To: <4AE83E1C.3040003@redhat.com>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com>
Message-ID: <1256736503.20466.1.camel@home.localdomain>

Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do
FCoE but currently doesn't.

Here's my policy for it. It needs some cleanup and I've not tested it
with proper fixed disk devices. I assume the kernel actually does most
of the read/write of the devices itself so the block device access I've
given the daemon is minimal.

Any feedback appreciated.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tgtd_policy.tar.gz
Type: application/x-compressed-tar
Size: 1268 bytes
Desc: not available
URL:

From dwalsh at redhat.com Wed Oct 28 13:43:28 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 28 Oct 2009 09:43:28 -0400
Subject: Tgtd policy
In-Reply-To: <1256736503.20466.1.camel@home.localdomain>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256736503.20466.1.camel@home.localdomain>
Message-ID: <4AE84A80.5050001@redhat.com>

On 10/28/2009 09:28 AM, Matthew Ife wrote:
> Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do
> FCoE but currently doesn't.
>
> Here's my policy for it. It needs some cleanup and I've not tested it
> with proper fixed disk devices. I assume the kernel actually does most
> of the read/write of the devices itself so the block device access I've
> given the daemon is minimal.
>
> Any feedback appreciated.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Better off sending policy to the refpolicy list

From deleriux at airattack-central.com Wed Oct 28 13:49:29 2009
From: deleriux at airattack-central.com (Matthew Ife)
Date: Wed, 28 Oct 2009 13:49:29 +0000
Subject: Tgtd policy
In-Reply-To: <4AE84A80.5050001@redhat.com>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256736503.20466.1.camel@home.localdomain> <4AE84A80.5050001@redhat.com>
Message-ID: <1256737769.20466.2.camel@home.localdomain>

On Wed, 2009-10-28 at 09:43 -0400, Daniel J Walsh wrote:
> On 10/28/2009 09:28 AM, Matthew Ife wrote:
> > Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do
> > FCoE but currently doesn't.
> >
> > Here's my policy for it. It needs some cleanup and I've not tested it
> > with proper fixed disk devices. I assume the kernel actually does most
> > of the read/write of the devices itself so the block device access I've
> > given the daemon is minimal.
> >
> > Any feedback appreciated.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Better off sending policy to the refpolicy list

Done

From dwalsh at redhat.com Wed Oct 28 13:59:57 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 28 Oct 2009 09:59:57 -0400
Subject: Tgtd policy
In-Reply-To: <1256737769.20466.2.camel@home.localdomain>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256736503.20466.1.camel@home.localdomain> <4AE84A80.5050001@redhat.com> <1256737769.20466.2.camel@home.localdomain>
Message-ID: <4AE84E5D.4000201@redhat.com>

On 10/28/2009 09:49 AM, Matthew Ife wrote:
> On Wed, 2009-10-28 at 09:43 -0400, Daniel J Walsh wrote:
>> On 10/28/2009 09:28 AM, Matthew Ife wrote:
>>> Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do
>>> FCoE but currently doesn't.
>>>
>>> Here's my policy for it. It needs some cleanup and I've not tested it
>>> with proper fixed disk devices. I assume the kernel actually does most
>>> of the read/write of the devices itself so the block device access I've
>>> given the daemon is minimal.
>>>
>>> Any feedback appreciated.
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Better off sending policy to the refpolicy list
>
> Done
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>

Here are my fixes for your policy.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tgtd.fc
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tgtd.if
URL:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tgtd.te
URL:

From domg472 at gmail.com Wed Oct 28 14:07:28 2009
From: domg472 at gmail.com (Dominick Grift)
Date: Wed, 28 Oct 2009 15:07:28 +0100
Subject: Tgtd policy
In-Reply-To: <1256736503.20466.1.camel@home.localdomain>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256736503.20466.1.camel@home.localdomain>
Message-ID: <1256738848.9854.1.camel@localhost>

On Wed, 2009-10-28 at 13:28 +0000, Matthew Ife wrote:

I attached my version of the policy.

> Tgtd is an iSCSI target daemon for Linux. It's eventually going to also do
> FCoE but currently doesn't.
>
> Here's my policy for it. It needs some cleanup and I've not tested it
> with proper fixed disk devices. I assume the kernel actually does most
> of the read/write of the devices itself so the block device access I've
> given the daemon is minimal.
>
> Any feedback appreciated.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-------------- next part --------------
## Linux Target Framework Daemon.
##
##
## Linux target framework (tgt) aims to simplify various
## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
## and maintenance. Our key goals are the clean integration into
## the scsi-mid layer and implementing a great portion of tgt
## in user space.
##
##
-------------- next part --------------
policy_module(tgtd, 1.0.0)

########################################
#
# TGTD personal declarations.
#

# Daemon domain and its entry point executable.
type tgtd_t;
type tgtd_exec_t;
init_daemon_domain(tgtd_t, tgtd_exec_t)

# Init script label.
type tgtd_initrc_exec_t;
init_script_file(tgtd_initrc_exec_t)

# Private temporary files (/tmp and tmpfs).
type tgtd_tmp_t;
files_tmp_file(tgtd_tmp_t)

type tgtd_tmpfs_t;
files_tmpfs_file(tgtd_tmpfs_t)

# Persistent state under /var/lib/tgtd. The posted file called
# files_type() on an undeclared tgtd_data_t; it must name the declared type.
type tgtd_var_lib_t;
files_type(tgtd_var_lib_t)

########################################
#
# TGTD personal policy.
#

allow tgtd_t self:capability sys_resource;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow tgtd_t self:shm create_shm_perms;
allow tgtd_t self:tcp_socket create_socket_perms;
allow tgtd_t self:udp_socket create_socket_perms;
allow tgtd_t self:unix_dgram_socket create_socket_perms;

# Temporary files: the posted patterns used tmp_t as the directory type, which
# this module never requires; the usual form manages the private type in
# directories of the same type and lets files_tmp_filetrans() cover /tmp itself.
manage_dirs_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
manage_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { dir file sock_file })

manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)

manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })

# Network: listen on the iSCSI port and exchange packets on generic interfaces/nodes.
corenet_all_recvfrom_netlabel(tgtd_t)
corenet_all_recvfrom_unlabeled(tgtd_t)
corenet_sendrecv_iscsi_server_packets(tgtd_t)
corenet_tcp_sendrecv_generic_if(tgtd_t)
corenet_tcp_sendrecv_generic_node(tgtd_t)
corenet_tcp_bind_generic_node(tgtd_t)
corenet_tcp_bind_iscsi_port(tgtd_t)
corenet_tcp_sendrecv_iscsi_port(tgtd_t)

files_read_etc_files(tgtd_t)

kernel_read_fs_sysctls(tgtd_t)

logging_send_syslog_msg(tgtd_t)

miscfiles_read_localization(tgtd_t)

# Only getattr on fixed disks: the kernel does the actual device I/O.
storage_getattr_fixed_disk_dev(tgtd_t)
-------------- next part --------------
/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t, s0)
/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t, s0)
/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t, s0)

From misc.lists at blueyonder.co.uk Wed Oct 28 15:14:53 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Wed, 28 Oct 2009 15:14:53 +0000
Subject: Relabelling issue
In-Reply-To: <4AE83E1C.3040003@redhat.com>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com>
Message-ID: <1256742893.3017.11.camel@localhost>

On Wed, 2009-10-28 at 08:50 -0400, Daniel J Walsh wrote:
> On 10/28/2009 05:38 AM, Arthur Dent wrote:
> > On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
> >> On 10/25/2009 09:01 AM, Arthur Dent wrote:
> >>> Hello all,
> >>>
> >>> I got an avc the other day that made me suspect that I might have
> >>> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
> >>> reboot"
> >>>
> >>> The avc turned out to be unrelated to this, but I was a little surprised
> >>> to see the following errors during the relabelling process:
> >>>
> >>> SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
> >>> type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
> >>> SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
> >>> SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
> >>> type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> >>> Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
> >>> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> >>>
> >>>
> >>> Should I be concerned?
> >>>
> >>> Thanks for any suggestions...
> >>>
> >>> Mark
> >>>
> >>> p.s.
> >>>
> >>> Latest yum log entries:
> >>> [root at localhost ~]# cat /var/log/yum.log | grep -i selinux
> >>> Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
> >>> Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch
> >>>
> >
> >>> --
> >>> fedora-selinux-list mailing list
> >>> fedora-selinux-list at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >> This looks like a mismatch of policy and labels on disk.
> >>
> >>
> >> *_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.
> >>
> >> So relabeling is probably a good idea.
> >>
> >> gamin_exec_t has disappeared.
> >
> > OK - I finally got round to doing another relabel - this time in
> > permissive mode (I wanted to watch for error messages and couldn't face
> > the thought of sitting watching little asterisks march across the screen
> > until today).
> >
> > Unfortunately I get exactly the same messages during the relabelling
> > process:
> > SELinux: initialized (dev sdb6, type ext3), uses xattr
> > SELinux: initialized (dev sdb11, type vfat), uses genfs_contexts
> > SELinux: initialized (dev sdb12, type vfat), uses genfs_contexts
> > fuse init (API version 7.11)
> > SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
> > SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
> > SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
> > Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
> > SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
> >
> > So now I'm not sure what to do - just ignore it and wait until I rebuild
> > with Fedora 12 - or do something now?
> >
> > Thanks for any advice...
> >
> > Mark
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-l
> If you do a load_policy do you see these messages?
>
> What version of policy and which version of the OS are you using?
>

Hi Daniel,

Thanks for helping...
If you look a little further up this thread you will see that I am using Fedora 11 and... >Latest yum log entries: >[root at localhost ~]# cat /var/log/yum.log | grep -i selinux >Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch >Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch I have not come across "load_policy" before. I just typed "load_policy" on the command line (as root) and got no errors and no feedback at all. From reading the man page for load_policy I presume that this means exit status 0 - and therefore that all is well with the command? What next? Thanks for the help so far... Mark -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part URL: From dwalsh at redhat.com Wed Oct 28 17:23:15 2009 From: dwalsh at redhat.com (Daniel J Walsh) Date: Wed, 28 Oct 2009 13:23:15 -0400 Subject: Relabelling issue In-Reply-To: <1256742893.3017.11.camel@localhost> References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256742893.3017.11.camel@localhost> Message-ID: <4AE87E03.9010106@redhat.com> On 10/28/2009 11:14 AM, Arthur Dent wrote: > On Wed, 2009-10-28 at 08:50 -0400, Daniel J Walsh wrote: >> On 10/28/2009 05:38 AM, Arthur Dent wrote: >>> On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote: >>>> On 10/25/2009 09:01 AM, Arthur Dent wrote: >>>>> Hello all, >>>>> >>>>> I got an avc the other day that made me suspect that I might have >>>>> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel; >>>>> reboot" >>>>> >>>>> The avc turned out to be unrelated to this, but I was a little surprised >>>>> to see the following errors during the relabelling process: >>>>> >>>>> SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts >>>>> type=1404 audit(1256456979.782:4): enforcing=0 
old_enforcing=1 auid=4294967295 ses=4294967295 >>>>> SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped). >>>>> SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped). 
>>>>> SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped). >>>>> type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 >>>>> Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k >>>>> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts >>>>> >>>>> >>>>> Should I be concerned? >>>>> >>>>> Thanks for any suggestions... >>>>> >>>>> Mark >>>>> >>>>> p.s. >>>>> >>>>> Latest yum log entries: >>>>> [root at localhost ~]# cat /var/log/yum.log | grep -i selinux >>>>> Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch >>>>> Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch >>>>> >>> >>>>> -- >>>>> fedora-selinux-list mailing list >>>>> fedora-selinux-list at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> This looks like a mismatch of policy and labels on disk. >>>> >>>> >>>> *_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these. >>>> >>>> So relabeling is probably a good idea. >>>> >>>> gamin_exec_t has disappeared. >>> >>> OK - I finally got round to doing another relabel - this time in >>> permissive mode (I wanted to watch for error messages and couldn't face >>> the thought of sitting watching little asterisks march across the screen >>> until today). >>> >>> Unfortunately I get exactly the same messages during the relabelling >>> process: >>> SELinux: initialized (dev sdb6, type ext3), uses xattr >>> SELinux: initialized (dev sdb11, type vfat), uses genfs_contexts >>> SELinux: initialized (dev sdb12, type vfat), uses genfs_contexts >>> fuse init (API version 7.11) >>> SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts >>> SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped). 
>>> SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped). >>> SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped). >>> Adding 2096440k swap on /dev/sdb10. 
Priority:-1 extents:1 across:2096440k >>> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts >>> >>> So now I'm not sure what to do - just ignore it and wait until I rebuild >>> with Fedora 12 - or do something now? >>> >>> Thanks for any advice... >>> >>> Mark >>> >>> >>> >>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-l >> If you do a load_policy do you see these messages? >> >> What version of policy and which version of the OS are you using? >> > > Hi Daniel, > > Thanks for helping... > > If you look a little further up this thread you will see that I am using > Fedora 11 and... > >> Latest yum log entries: >> [root at localhost ~]# cat /var/log/yum.log | grep -i selinux >> Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch >> Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch > > I have not come across "load_policy" before. I just typed "load_policy" > on the command line (as root) and got no errors and no feedback at all. > > From reading the man page for load_policy I presume that this means exit > status 0 - and therefore that all is well with the command? > > What next? > > Thanks for the help so far... > > Mark > > > > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list I guess now reboot and see if you see these errors. 
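Added example (mine, not code from the thread or from the selinux-policy package) showing how to act on the kernel lines quoted above. Each "is not valid (left unmapped)" line names a label string that the kernel had already given a SID during that boot, because it found the string on an inode, and that the freshly loaded policy still cannot map. For access checks such inodes count as unlabeled_t, but ls -Z and GNU find's -context predicate still report the original string, so the stale files can be located even though the kernel message never says which inode it was. The script pulls the stale types out of the dmesg text, applies the one rename rule Dan gave (*_script_exec_t became *_initrc_exec_t; gamin_exec_t has no successor), and prints the find commands that locate the affected files plus a dry-run restorecon. The sample lines are copied from Mark's post; the find -context predicate (findutils built with SELinux support, as on Fedora) and the /etc/init.d target are assumptions.

```python
"""Turn 'SELinux: Context ... is not valid (left unmapped)' kernel lines
into (a) a guess at the successor of each retired type and (b) shell
commands that locate the inodes still carrying the stale label.

Added example for the relabelling thread; not code from the list posts
or from the selinux-policy package.  Assumptions are marked below."""
import re
import shlex

# Emitted on policy (re)load for every label string in the kernel's SID
# table that the new policy cannot map.  The raw string stays attached to
# the inode's SID, which is why ls -Z / find -context still show it.
UNMAPPED_RE = re.compile(
    r"SELinux: Context (?P<ctx>\S+) is not valid \(left unmapped\)")

# Constructed sample: four of the dmesg lines Mark posted, plus two
# neighbouring lines that must be ignored.
SAMPLE_DMESG = """\
SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
"""


def unmapped_types(dmesg_text):
    """Type field of every context the kernel left unmapped, in log order,
    de-duplicated (a label is reported once per policy load)."""
    seen = []
    for m in UNMAPPED_RE.finditer(dmesg_text):
        # user:role:type[:range]; the type is always the third field
        ty = m.group("ctx").split(":")[2]
        if ty not in seen:
            seen.append(ty)
    return seen


def replacement_for(old_type):
    """Successor of a retired type, or None.  The only rename rule applied
    is the one stated in the thread: *_script_exec_t -> *_initrc_exec_t.
    A type with no successor (gamin_exec_t) simply gets whatever
    file_contexts now says for the path once restorecon runs."""
    m = re.fullmatch(r"(.+)_script_exec_t", old_type)
    return m.group(1) + "_initrc_exec_t" if m else None


def stale_label_finds(dmesg_text, root="/"):
    """One GNU find command per stale type.  -context matches on the label
    string the kernel reports, so it lists exactly the inodes the kernel
    was complaining about.  Assumption: findutils built with SELinux
    support (Fedora's is)."""
    cmds = []
    for ty in unmapped_types(dmesg_text):
        cmds.append("find %s -xdev -context %s -print"
                    % (shlex.quote(root), shlex.quote("*:%s:*" % ty)))
    return cmds


def relabel_plan(dmesg_text):
    """(old, successor-or-None) pairs plus a dry-run restorecon.  Drop -n
    to apply.  The path is an assumption: /etc/init.d is where the
    *_initrc_exec_t files live; add any directory the find commands
    point at."""
    pairs = [(t, replacement_for(t)) for t in unmapped_types(dmesg_text)]
    return pairs, "restorecon -R -n -v /etc/init.d"


if __name__ == "__main__":
    for cmd in stale_label_finds(SAMPLE_DMESG):
        print(cmd)
    pairs, fix = relabel_plan(SAMPLE_DMESG)
    for old, new in pairs:
        print("%-32s -> %s" % (old, new or "(no successor; file_contexts decides)"))
    print(fix)
```

A reboot that prints nothing only shows that no inode with a stale label was touched during that boot, not that none is left on disk; the find commands settle that, and restorecon without -n fixes whatever they list.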
From misc.lists at blueyonder.co.uk  Wed Oct 28 17:31:36 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Wed, 28 Oct 2009 17:31:36 +0000
Subject: Relabelling issue
In-Reply-To: <4AE87E03.9010106@redhat.com>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256742893.3017.11.camel@localhost> <4AE87E03.9010106@redhat.com>
Message-ID: <1256751096.8270.2.camel@localhost>

On Wed, 2009-10-28 at 13:23 -0400, Daniel J Walsh wrote:
> On 10/28/2009 11:14 AM, Arthur Dent wrote:
> > On Wed, 2009-10-28 at 08:50 -0400, Daniel J Walsh wrote:
> >> On 10/28/2009 05:38 AM, Arthur Dent wrote:
> >>> On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
> >>>> On 10/25/2009 09:01 AM, Arthur Dent wrote:
> >>>>> Hello all,

snip...

> >
> > What next?
> >
> > Thanks for the help so far...
> >
> > Mark
> >
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> I guess now reboot and see if you see these errors.

Do you mean just reboot, or touch /.autorelabel; reboot ?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:

From dwalsh at redhat.com  Wed Oct 28 17:46:37 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 28 Oct 2009 13:46:37 -0400
Subject: Relabelling issue
In-Reply-To: <1256751096.8270.2.camel@localhost>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256742893.3017.11.camel@localhost> <4AE87E03.9010106@redhat.com> <1256751096.8270.2.camel@localhost>
Message-ID: <4AE8837D.3060002@redhat.com>

On 10/28/2009 01:31 PM, Arthur Dent wrote:
> On Wed, 2009-10-28 at 13:23 -0400, Daniel J Walsh wrote:
>> On 10/28/2009 11:14 AM, Arthur Dent wrote:
>>> On Wed, 2009-10-28 at 08:50 -0400, Daniel J Walsh wrote:
>>>> On 10/28/2009 05:38 AM, Arthur Dent wrote:
>>>>> On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
>>>>>> On 10/25/2009 09:01 AM, Arthur Dent wrote:
>>>>>>> Hello all,
>
> snip...
>
>>>
>>> What next?
>>>
>>> Thanks for the help so far...
>>>
>>> Mark
>>>
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> I guess now reboot and see if you see these errors.
>
> Do you mean just reboot, or touch /.autorelabel; reboot ?
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Just reboot.

From misc.lists at blueyonder.co.uk  Wed Oct 28 17:54:59 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Wed, 28 Oct 2009 17:54:59 +0000
Subject: Relabelling issue
In-Reply-To: <4AE8837D.3060002@redhat.com>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256742893.3017.11.camel@localhost> <4AE87E03.9010106@redhat.com> <1256751096.8270.2.camel@localhost> <4AE8837D.3060002@redhat.com>
Message-ID: <1256752499.3022.1.camel@localhost>

On Wed, 2009-10-28 at 13:46 -0400, Daniel J Walsh wrote:
> On 10/28/2009 01:31 PM, Arthur Dent wrote:
> > On Wed, 2009-10-28 at 13:23 -0400, Daniel J Walsh wrote:
> >> On 10/28/2009 11:14 AM, Arthur Dent wrote:
> >>> On Wed, 2009-10-28 at 08:50 -0400, Daniel J Walsh wrote:
> >>>> On 10/28/2009 05:38 AM, Arthur Dent wrote:
> >>>>> On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
> >>>>>> On 10/25/2009 09:01 AM, Arthur Dent wrote:
> >>>>>>> Hello all,
> >
> > snip...
> >
> >>>
> >>> What next?
> >>>
> >>> Thanks for the help so far...
> >>>
> >>> Mark
> >>>
> >>>
> >>> --
> >>> fedora-selinux-list mailing list
> >>> fedora-selinux-list at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >> I guess now reboot and see if you see these errors.
> >
> > Do you mean just reboot, or touch /.autorelabel; reboot ?
> >
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Just reboot.

No errors listed (nothing in dmesg) after a reboot. Do I try a relabel
again now?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:

From dwalsh at redhat.com  Wed Oct 28 17:57:44 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Wed, 28 Oct 2009 13:57:44 -0400
Subject: Relabelling issue
In-Reply-To: <1256752499.3022.1.camel@localhost>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256742893.3017.11.camel@localhost> <4AE87E03.9010106@redhat.com> <1256751096.8270.2.camel@localhost> <4AE8837D.3060002@redhat.com> <1256752499.3022.1.camel@localhost>
Message-ID: <4AE88618.3080909@redhat.com>

On 10/28/2009 01:54 PM, Arthur Dent wrote:
> On Wed, 2009-10-28 at 13:46 -0400, Daniel J Walsh wrote:
>> On 10/28/2009 01:31 PM, Arthur Dent wrote:
>>> On Wed, 2009-10-28 at 13:23 -0400, Daniel J Walsh wrote:
>>>> On 10/28/2009 11:14 AM, Arthur Dent wrote:
>>>>> On Wed, 2009-10-28 at 08:50 -0400, Daniel J Walsh wrote:
>>>>>> On 10/28/2009 05:38 AM, Arthur Dent wrote:
>>>>>>> On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
>>>>>>>> On 10/25/2009 09:01 AM, Arthur Dent wrote:
>>>>>>>>> Hello all,
>>>
>>> snip...
>>>
>>>>>
>>>>> What next?
>>>>>
>>>>> Thanks for the help so far...
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>> I guess now reboot and see if you see these errors.
>>>
>>> Do you mean just reboot, or touch /.autorelabel; reboot ?
>>>
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Just reboot.
>
> No errors listed (nothing in dmesg) after a reboot. Do I try a relabel
> again now?
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I think you will be fine.  You could execute

restorecon -R -v /etc/init.d

And see if it reports anything.

From misc.lists at blueyonder.co.uk  Wed Oct 28 18:46:02 2009
From: misc.lists at blueyonder.co.uk (Arthur Dent)
Date: Wed, 28 Oct 2009 18:46:02 +0000
Subject: Relabelling issue
In-Reply-To: <4AE88618.3080909@redhat.com>
References: <1256475709.3640.8.camel@localhost> <4AE5C2CF.5010307@redhat.com> <1256722688.3622.14.camel@localhost> <4AE83E1C.3040003@redhat.com> <1256742893.3017.11.camel@localhost> <4AE87E03.9010106@redhat.com> <1256751096.8270.2.camel@localhost> <4AE8837D.3060002@redhat.com> <1256752499.3022.1.camel@localhost> <4AE88618.3080909@redhat.com>
Message-ID: <1256755562.3022.5.camel@localhost>

On Wed, 2009-10-28 at 13:57 -0400, Daniel J Walsh wrote:
> I think you will be fine.  You could execute
>
> restorecon -R -v /etc/init.d
>
> And see if it reports anything.

Well that reports nothing...

So I think I'll leave it at that, and just wait until I'm ready to rebuild
with F12 (probably around Xmas time).

I feel reassured now.

Thanks for all your help!

Best regards

Mark

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL:

From chepkov at yahoo.com  Thu Oct 29 18:58:32 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Thu, 29 Oct 2009 11:58:32 -0700 (PDT)
Subject: nagios avc
Message-ID: <775628.11914.qm@web36807.mail.mud.yahoo.com>

Hi,

I think it's a legitimate access call that needs to be allowed:

type=AVC msg=audit(1256842390.777:50774): avc: denied { read } for pid=17310 comm="httpd" name="status.dat" dev=dm-3 ino=182451 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file

Sincerely yours,
Vadym Chepkov

From dwalsh at redhat.com  Thu Oct 29 19:31:42 2009
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 29 Oct 2009 15:31:42 -0400
Subject: nagios avc
In-Reply-To: <775628.11914.qm@web36807.mail.mud.yahoo.com>
References: <775628.11914.qm@web36807.mail.mud.yahoo.com>
Message-ID: <4AE9ED9E.7070302@redhat.com>

On 10/29/2009 02:58 PM, Vadym Chepkov wrote:
> Hi,
>
> I think it's a legitimate access call that needs to be allowed:
>
> type=AVC msg=audit(1256842390.777:50774): avc: denied { read } for pid=17310 comm="httpd" name="status.dat" dev=dm-3 ino=182451 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file
>
>
> Sincerely yours,
> Vadym Chepkov
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
Apache shares the nagios log data?
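Added example, not code from the posts, from audit2allow or from the nagios package: it parses the AVC record above into the fields a policy rule needs and emits the smallest policy module that would permit exactly that access, which is what audit2allow -M writes for the same input. The module name httpd_nagios_status and the sample record (copied from Vadym's mail) are the only assumptions.

```python
"""Parse raw AVC denials and emit the minimal .te module that allows them.

Added example for the nagios AVC thread; not code from the list posts,
audit2allow or nagios.  The module name is an assumption."""
import re

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the record Vadym posted.
SAMPLE_AVC = (
    'type=AVC msg=audit(1256842390.777:50774): avc: denied { read } for '
    'pid=17310 comm="httpd" name="status.dat" dev=dm-3 ino=182451 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:nagios_log_t:s0 tclass=file')


def parse_avc(line):
    """Return the pieces a policy rule needs from one AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        # contexts are user:role:type[:range]; allow rules are written on types
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def te_module(avcs, name):
    """Collapse denials into one allow rule per (source, target, class)
    and emit .te source in the form checkmodule accepts."""
    rules = {}
    for a in avcs:
        key = (a["source_type"], a["target_type"], a["tclass"])
        rules.setdefault(key, set()).update(a["perms"])
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = {}
    for (_, _, c), perms in rules.items():
        classes.setdefault(c, set()).update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, _perm_list(p)) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append("allow %s %s:%s %s;" % (s, t, c, _perm_list(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print("%s (%s) wants %s on %s %s" % (
        avc["comm"], avc["source_type"], " ".join(avc["perms"]),
        avc["target_type"], avc["name"]))
    print(te_module([avc], "httpd_nagios_status"))
    # To build and load (real commands; the module name is an assumption):
    #   checkmodule -M -m -o httpd_nagios_status.mod httpd_nagios_status.te
    #   semodule_package -o httpd_nagios_status.pp -m httpd_nagios_status.mod
    #   semodule -i httpd_nagios_status.pp
```

Before loading such a module, answer Dan's question: the rule lets every process in httpd_t (every CGI and PHP script Apache runs) read every file of type nagios_log_t, not just status.dat. Whether something narrower than a blanket allow exists depends on how Apache is meant to reach that file, which the thread has not settled at this point.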
From chepkov at yahoo.com  Thu Oct 29 20:20:53 2009
From: chepkov at yahoo.com (Vadym Chepkov)
Date: Thu, 29 Oct 2009 13:20:53 -0700 (PDT)
Subject: nagios avc
In-Reply-To: <4AE9ED9E.7070302@redhat.com>
Message-ID: <540257.94476.qm@web36802.mail.mud.yahoo.com>

It reads it as a config file

cat /usr/share/nagios/html/config.inc.php

wrote:
> From: Daniel J Walsh
> Subject: Re: nagios avc
> To: "Vadym Chepkov"
> Cc: "Fedora SELinux"
> Date: Thursday, October 29, 2009, 3:31 PM
> On 10/29/2009 02:58 PM, Vadym Chepkov wrote:
> > Hi,
> >
> > I think it's a legitimate access call that needs to be allowed:
> >
> > type=AVC msg=audit(1256842390.777:50774): avc: denied { read } for pid=17310 comm="httpd" name="status.dat" dev=dm-3 ino=182451 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nagios_log_t:s0 tclass=file
> >
> >
> > Sincerely yours,
> > Vadym Chepkov
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> >
> Apache shares the nagios log data?
>

From phangbyte at gmail.com  Fri Oct 30 14:10:10 2009
From: phangbyte at gmail.com (Tyler Durvik)
Date: Fri, 30 Oct 2009 10:10:10 -0400
Subject: change a user's MCS category
Message-ID:

I have 3 levels set up using MCS under the targeted policy:

s0                      SystemLow
s0-s0:c0.c1023          SystemLow-SystemHigh
s0-s0:c0.c1023          SystemHigh
s0:c0                   A
s0:c1                   B
s0:c2                   C

I have 3 users set up and I want to assign an MCS category to each of them.
So for instance:

bob -> A
joe -> B
sue -> C

how can I do this?

I have tried the examples at James Morris's blog
http://james-morris.livejournal.com/8228.html

I get the following error:

[root at fedora11sel targeted]# chc
at -l -- +c0 bob
libsemanage.validate_handler: MLS range s0-s0:c0 for Unix user bob exceeds allowed range s0 for SELinux user user_u (No such file or directory).
libsemanage.validate_handler: seuser mapping [bob -> (user_u, s0-s0:c0)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

Thanks for any help you may have
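Added example (mine, not code from the post, from chcat or from libsemanage) that re-implements the range containment test libsemanage applies when it commits a login to SELinux user mapping, so the error above can be reproduced and a candidate range checked before touching the policy store. MLS levels are parsed in the s<N>[:c<A>[.c<B>][,...]] form the post uses, and a level is printed back the way the kernel prints it (a run of three or more categories collapses to cX.cY, shorter runs are listed with commas). The fix commands in the trailing comment are assumptions about what Tyler's setup would accept, not something the thread states.

```python
"""Reproduce libsemanage's 'MLS range ... exceeds allowed range' check.

Added example for the chcat question above; not code from the post, chcat
or libsemanage.  Only the syntax shown in the post is handled."""
import re

LEVEL_RE = re.compile(r"s(\d+)(?::(.+))?")
CAT_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")


def parse_level(text):
    """'s0:c1,c3.c5' -> (0, {1, 3, 4, 5}); 's0' -> (0, set())."""
    m = LEVEL_RE.fullmatch(text)
    if not m:
        raise ValueError("bad level %r" % text)
    cats = set()
    for piece in (m.group(2) or "").split(","):
        if not piece:
            continue
        c = CAT_RE.fullmatch(piece)
        if not c:
            raise ValueError("bad category %r in %r" % (piece, text))
        lo, hi = int(c.group(1)), int(c.group(2) or c.group(1))
        if hi < lo:
            raise ValueError("descending category range in %r" % text)
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), cats


def format_level(level):
    """Kernel-style compact form: runs of 3+ categories become cX.cY,
    anything shorter is listed (s0:c0.c2,c5)."""
    sens, cats = level
    cats = sorted(cats)
    parts, i = [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            parts.append("c%d.c%d" % (cats[i], cats[j]))
        else:
            parts.extend("c%d" % c for c in cats[i:j + 1])
        i = j + 1
    return "s%d" % sens + (":" + ",".join(parts) if parts else "")


def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a
    superset of b's."""
    return a[0] >= b[0] and b[1] <= a[1]


def parse_range(text):
    """'low[-high]' -> (low, high); a single level is its own high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not dominates(hi, lo):
        raise ValueError("high level must dominate low level in %r" % text)
    return lo, hi


def format_range(lo, hi):
    return format_level(lo) if lo == hi else "%s-%s" % (format_level(lo), format_level(hi))


def range_contains(outer_text, inner_text):
    """libsemanage's test for a login mapping: the mapping's range must sit
    inside the SELinux user's range, i.e. inner.low dominates outer.low
    and outer.high dominates inner.high."""
    olo, ohi = parse_range(outer_text)
    ilo, ihi = parse_range(inner_text)
    return dominates(ilo, olo) and dominates(ohi, ihi)


def apply_chcat(current_range, add=(), remove=()):
    """What `chcat -l -- +cN/-cN login` computes: categories are edited on
    the high level of the existing range, the low level is kept."""
    lo, hi = parse_range(current_range)
    new_hi = (hi[0], (hi[1] | set(add)) - set(remove))
    return format_range(lo, new_hi)


if __name__ == "__main__":
    # Tyler's case: bob maps to user_u (range s0), chcat asked for +c0 ("A").
    wanted = apply_chcat("s0", add={0})
    print(wanted, "inside s0:", range_contains("s0", wanted))
    print(wanted, "inside s0-s0:c0.c1023:", range_contains("s0-s0:c0.c1023", wanted))
    # Two ways to make the check pass (assumed, not stated in the thread):
    #   semanage user -m -r 's0-s0:c0.c1023' user_u        # widen user_u, then rerun chcat
    #   semanage login -a -s <seuser whose range covers c0> -r 's0-s0:c0' bob
```

The test that fails is the one on the high level: chcat -l -- +c0 adds c0 to the high end of bob's range, so s0 becomes s0-s0:c0, and user_u's allowed range s0 carries no categories at all, so s0 cannot dominate s0:c0. Either the SELinux user's range has to grow or bob has to be mapped to a SELinux user whose range already covers the category.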