From goeran at uddeborg.se Sat Jan 2 12:51:15 2010
From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sat, 2 Jan 2010 13:51:15 +0100
Subject: AVC:s on xauth file when doing su
In-Reply-To: <4B3CB0A8.6050603@redhat.com>
References: <4B393F3E.1060403@rubix.com> <20091229105700.GB20705@localhost.localdomain> <4B3A36B2.3090703@rubix.com> <19258.30051.160951.252201@gargle.gargle.HOWL> <20091229215045.GA29350@localhost.localdomain> <19259.31875.618530.552239@freddi.uddeborg> <4B3CB0A8.6050603@redhat.com>
Message-ID: <19263.16707.692694.709648@freddi.uddeborg>

Daniel J Walsh:
> There have been some fixes around the handling of xauth in the
> latest policies, so this might have fixed your problems.

It seems to be so. I can't trigger it any more. The latest policy updates appear to have fixed this too.

From: zephod at cfl.rr.com (Steve Blackwell)
Date: Sat, 2 Jan 2010 12:39:56 -0500
Subject: New Years Resolution
Message-ID: <20100102123956.0dd2c3b5@steve.blackwell>

OK, here is one of my New Year's resolutions:

Get a better understanding of SELinux.

I'm running a F11 box in permissive mode and I get hundreds of AVCs. Let's start with this one.

SELinux is preventing dbus-daemon (system_dbusd_t) "search" unconfined_t.

node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc: denied { search } for pid=1613 comm="dbus-daemon" name="23667" dev=proc ino=584443 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir

Now, if I'm reading this correctly, the dbus-daemon process tried to search a directory called 23667 but didn't have permission to do so.

The problem with that is that I don't have a directory called 23667. At least there isn't one now, but I suppose it could have existed at the time the AVC was generated, which was just after midnight. I'm getting one of these every hour with different numbers for the target directory. I thought that it might be related to a cron job, but it seems that the hourly cron job just calls anacron to check to see if the daily, weekly or monthly cron job needs to be run. The other possibility is that it has something to do with BackupPC.

One thing I don't understand is why SELinux is flagging this in the first place. Since the target context is unconfined_t, should anything be able to search it?

Steve.

From: selinux at gmail.com (Tom London)
Date: Sat, 2 Jan 2010 10:10:27 -0800
Subject: New Years Resolution
In-Reply-To: <20100102123956.0dd2c3b5@steve.blackwell>
References: <20100102123956.0dd2c3b5@steve.blackwell>
Message-ID: <4c4ba1531001021010u29501cai8e339414971425d7@mail.gmail.com>

On Sat, Jan 2, 2010 at 9:39 AM, Steve Blackwell wrote:
> OK, here is one of my New Year's resolutions:
>
> Get a better understanding of SELinux.
>
> I'm running a F11 box in permissive mode and I get hundreds of AVCs.
> Let's start with this one.
>
> SELinux is preventing dbus-daemon (system_dbusd_t) "search"
> unconfined_t.
>
> node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc:
> denied { search } for pid=1613 comm="dbus-daemon" name="23667" dev=proc
> ino=584443 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
>
> Now, if I'm reading this correctly, the dbus-daemon process tried to
> search a directory called 23667 but didn't have permission to do so.
>
> The problem with that is that I don't have a directory called 23667.
> At least there isn't one now but I suppose it could have existed at the
> time the AVC was generated which was just after midnight. I'm getting
> one of these every hour with different numbers for the target
> directory. I thought that it might be related to a cron job but it
> seems that the hourly cron job just calls anacron to check to see if
> the daily, weekly or monthly cron job needs to be run. The other
> possibility is that it has something to do with BackupPC.
>
> One thing I don't understand is why SELinux is flagging this in the
> first place. Since the target context is unconfined_t, should anything
> be able to search it?
>
> Steve.

If you notice, the AVC says "dev=proc". That, and the name of the directory, suggests that the target directory in question is '/proc/23677'. So, dbus-daemon (pid=1613) is attempting to search for some information about a running unconfined_t process (in this case, 23677) and the policy is not allowing it.

Since the attempted accesses are directed at running processes, they would almost certainly be different and/or change with time, reboots, etc.

I believe the policy does not allow unrestricted access by arbitrary domains to unconfined_t targets.

Hope this helps....

tom
--
Tom London

From: zephod at cfl.rr.com (Steve Blackwell)
Date: Sat, 2 Jan 2010 14:10:35 -0500
Subject: New Years Resolution
In-Reply-To: <4c4ba1531001021010u29501cai8e339414971425d7@mail.gmail.com>
References: <20100102123956.0dd2c3b5@steve.blackwell> <4c4ba1531001021010u29501cai8e339414971425d7@mail.gmail.com>
Message-ID: <20100102141035.5d2149e5@steve.blackwell>

On Sat, 2 Jan 2010 10:10:27 -0800 Tom London wrote:
> On Sat, Jan 2, 2010 at 9:39 AM, Steve Blackwell wrote:
> > OK, here is one of my New Year's resolutions:
> >
> > Get a better understanding of SELinux.
> >
> > I'm running a F11 box in permissive mode and I get hundreds of AVCs.
> > Let's start with this one.
> >
> > SELinux is preventing dbus-daemon (system_dbusd_t) "search"
> > unconfined_t.
> >
> > node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc:
> > denied { search } for pid=1613 comm="dbus-daemon" name="23667"
> > dev=proc ino=584443
> > scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
> >
> > Now, if I'm reading this correctly, the dbus-daemon process tried to
> > search a directory called 23667 but didn't have permission to do so.
> >
> > The problem with that is that I don't have a directory called 23667.
> > At least there isn't one now but I suppose it could have existed at
> > the time the AVC was generated which was just after midnight. I'm
> > getting one of these every hour with different numbers for the
> > target directory. I thought that it might be related to a cron job
> > but it seems that the hourly cron job just calls anacron to check
> > to see if the daily, weekly or monthly cron job needs to be run.
> > The other possibility is that it has something to do with BackupPC.
> >
> > One thing I don't understand is why SELinux is flagging this in the
> > first place. Since the target context is unconfined_t, should
> > anything be able to search it?
> >
> > Steve.
>
> If you notice, the AVC says "dev=proc". That, and the name of the
> directory suggests that the target directory in question is
> '/proc/23677'. So, dbus-daemon (pid=1613) is attempting to search for
> some information about a running unconfined_t process (in this case,
> 23677) and the policy is not allowing it.
>
> Since the attempted accesses are directed at running processes, they
> would almost certainly be different and/or change with time, reboots,
> etc.
>
> I believe the policy does not allow unrestricted access by arbitrary
> domains to unconfined_t targets.
>
> Hope this helps....
>
> tom

Thanks Tom, it does help.

This is interesting. I just got another of the same type of AVC while I was watching, and so I was able to look at the process and:

# ls -Zd /proc/29899
dr-xr-xr-x. steve steve unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /proc/29899

# ps -ef | grep 29899
steve    29899     1  2 13:55 ?        00:00:04 /usr/bin/python -E /usr/bin/sealert -s

so SELinux is complaining about sealert!?

# ps -Z 29899
LABEL                                                   PID TTY   STAT   TIME COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 29899 ?     S      0:04 /usr/bin/python -E /usr/bin/sealert -s

Is that context correct?

Steve.

From: selinux at gmail.com (Tom London)
Date: Sat, 2 Jan 2010 11:23:53 -0800
Subject: New Years Resolution
In-Reply-To: <20100102141035.5d2149e5@steve.blackwell>
References: <20100102123956.0dd2c3b5@steve.blackwell> <4c4ba1531001021010u29501cai8e339414971425d7@mail.gmail.com> <20100102141035.5d2149e5@steve.blackwell>
Message-ID: <4c4ba1531001021123y72c3a5c9s2919aa0dd629643@mail.gmail.com>

On Sat, Jan 2, 2010 at 11:10 AM, Steve Blackwell wrote:
> On Sat, 2 Jan 2010 10:10:27 -0800
> Tom London wrote:
>
>> On Sat, Jan 2, 2010 at 9:39 AM, Steve Blackwell
>> wrote:
>> > OK, here is one of my New Year's resolutions:
>> >
>> > Get a better understanding of SELinux.
>> >
>> > I'm running a F11 box in permissive mode and I get hundreds of AVCs.
>> > Let's start with this one.
>> >
>> > SELinux is preventing dbus-daemon (system_dbusd_t) "search"
>> > unconfined_t.
>> >
>> > node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc:
>> > denied { search } for pid=1613 comm="dbus-daemon" name="23667"
>> > dev=proc ino=584443
>> > scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
>> > tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
>> >
>> > Now, if I'm reading this correctly, the dbus-daemon process tried to
>> > search a directory called 23667 but didn't have permission to do so.
>> >
>> > The problem with that is that I don't have a directory called 23667.
>> > At least there isn't one now but I suppose it could have existed at
>> > the time the AVC was generated which was just after midnight. I'm
>> > getting one of these every hour with different numbers for the
>> > target directory. I thought that it might be related to a cron job
>> > but it seems that the hourly cron job just calls anacron to check
>> > to see if the daily, weekly or monthly cron job needs to be run.
>> > The other possibility is that it has something to do with BackupPC.
>> >
>> > One thing I don't understand is why SELinux is flagging this in the
>> > first place. Since the target context is unconfined_t, should
>> > anything be able to search it?
>> >
>> > Steve.
>>
>> If you notice, the AVC says "dev=proc". That, and the name of the
>> directory suggests that the target directory in question is
>> '/proc/23677'. So, dbus-daemon (pid=1613) is attempting to search for
>> some information about a running unconfined_t process (in this case,
>> 23677) and the policy is not allowing it.
>>
>> Since the attempted accesses are directed at running processes, they
>> would almost certainly be different and/or change with time, reboots,
>> etc.
>>
>> I believe the policy does not allow unrestricted access by arbitrary
>> domains to unconfined_t targets.
>>
>> Hope this helps....
>>
>> tom
> Thanks Tom, it does help.
>
> This is interesting. I just got another of the same type of AVC while I
> was watching and so I was able to look at the process and:
>
> # ls -Zd /proc/29899
> dr-xr-xr-x. steve steve
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /proc/29899
>
> # ps -ef | grep 29899
> steve    29899     1  2 13:55 ?        00:00:04 /usr/bin/python
> -E /usr/bin/sealert -s
>
> so SELinux is complaining about sealert!?
>
> # ps -Z 29899
> LABEL                                                   PID TTY   STAT   TIME COMMAND
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 29899 ?     S
> 0:04 /usr/bin/python -E /usr/bin/sealert -s
>
> Is that context correct?
>
> Steve.
>

Does 'audit2allow -al' give you any useful information? (Or you can look at /var/log/audit/audit.log for the "raw" AVCs.)

Also, you can put the system into "permissive mode" (via 'setenforce 0'). This will allow the accesses, but log any access violations.

You may also want to check if there are any updates to the selinux-policy packages.

tom
--
Tom London

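The two things Tom asks for, the raw AVCs and what audit2allow would make of them, can be worked through by hand as Steve did, or mechanically. The script below is an added example, not code from the list, from audit2allow or from ausearch. It parses `type=AVC` records from /var/log/audit/audit.log (or `ausearch -m avc` output), collapses them into the allow rule audit2allow would print for each (source type, target type, class), and decodes a `dev=proc name=<pid>` target into /proc/<pid>, which is why the "directory" in Steve's first post was gone by the time he looked for it. The same parser serves the xauth AVCs later in this thread (the `.xauthrZ8z8F` denials), which are among the sample records; the AVC and SYSCALL lines are copied from the thread, the ausearch separators around them are constructed.

```python
"""Triage raw SELinux AVC records: audit2allow-style rules plus /proc/<pid> decoding.

Added example (not from the list archive, audit2allow or ausearch).  The AVC and
SYSCALL lines in SAMPLE_AUDIT are copied from the thread; the "----" and
"time->" separators are constructed to mimic `ausearch` output.
"""
import re
from collections import defaultdict

# Permission set and key=value tail of "avc: denied { perms } for k=v k=v ..."
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$")
# key=value where value is a double-quoted string (may contain blanks) or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_AUDIT = """\
type=AVC msg=audit(1262408462.863:1162): avc: denied { search } for pid=1613 comm="dbus-daemon" name="23667" dev=proc ino=584443 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
----
time->Sun Jan  3 11:48:42 2010
type=SYSCALL msg=audit(1262515722.636:63657): arch=c000003e syscall=21 success=no exit=-13 a0=7fff04ce14dc a1=2 a2=0 a3=7fff04cdf4c0 items=0 ppid=21356 pid=21406 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=137 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1262515722.636:63657): avc: denied { write } for pid=21406 comm="xauth" name=".xauthrZ8z8F" dev=dm-0 ino=25002031 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
time->Sun Jan  3 11:48:42 2010
type=AVC msg=audit(1262515722.637:63658): avc: denied { read } for pid=21406 comm="xauth" name=".xauthrZ8z8F" dev=dm-0 ino=25002031 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""


def parse_avc(line):
    """Return the record's fields as a dict plus a 'perms' list, or None for non-AVC lines."""
    if "type=AVC" not in line:
        return None
    m = DENIED_RE.search(line)
    if m is None:  # "avc: granted" records or a truncated line: nothing to triage
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """'user:role:type:range' -> 'type'; the MLS range itself contains ':' (s0-s0:c0.c1023)."""
    return ctx.split(":", 3)[2]


def describe_target(rec):
    """Say what the record's 'name' actually denotes."""
    name, dev = rec.get("name", "?"), rec.get("dev", "?")
    ttype = context_type(rec["tcontext"])
    if dev == "proc" and name.isdigit():
        # /proc/<pid> carries the label of the process itself, so the target type is that
        # process's domain and the entry disappears when the process exits.  Catch it alive
        # with `ps -Z <pid>`, as Steve did.
        return f"/proc/{name}: the proc entry of pid {name}, running in domain {ttype}"
    return f"{rec.get('tclass', '?')} '{name}' on dev={dev}, labelled {ttype}"


def allow_rules(records):
    """Collapse records into one audit2allow-style rule per (source type, target type, class)."""
    perms = defaultdict(set)
    for r in records:
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        perms[key].update(r["perms"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def triage(text):
    """Parse every AVC record in an audit.log or ausearch excerpt, skipping everything else."""
    return [r for r in map(parse_avc, text.splitlines()) if r]


if __name__ == "__main__":
    recs = triage(SAMPLE_AUDIT)
    for r in recs:
        print(f"{r['comm']} ({context_type(r['scontext'])}) denied {r['perms']} on {describe_target(r)}")
    print()
    print("\n".join(allow_rules(recs)))
```

The rules it prints are what `audit2allow` would offer, not necessarily what should be installed: the xauth records resolve to `allow xauth_t admin_home_t:file { read write };`, but the file in question ended up labelled xauth_home_t once the policy caught up with it, so the right fix there was a relabel or a policy update rather than a local module.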
From: domg472 at gmail.com (Dominick Grift)
Date: Sat, 02 Jan 2010 23:09:16 +0100
Subject: policy for vino server (based on current rawhide policy)
Message-ID: <4B3FC40C.7060604@gmail.com>

I created policy for vino server today. I tested it a few times and it works. You can either use it by enabling remote desktop or via empathy.

It requires many patches etc. though. I attached what I think is related. I might have missed some. It's also on my git repository (I maintain it there):

git clone git://82.197.205.60/selinux-modules.git

You will have to some vnc tube ports (vnc_port_t); there is a comment about it in vino.te.

Attachments (text, scrubbed by the list archive): vino.fc, telepathy.fc, telepathy.if, telepathy.te, vino.if, vino.te, patch_bind_initrc_domtrans_for_cobbler.fc, patch_dbus_transition_to_session_bus_for_telepathy.if, patch_files_read_all_tmpfs_files_for_pulseaudio.if, patch_gnome_cache_home_filetrans_for_telepathy_mc.if, patch_gnome_setattr_home_for_mplayer.if, patch_pulseaudio_sign_key_with_seahorse.if, patch_userdomain_setattr_user_tmp_dirs_for_seahorse_daemon.if

From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sun, 3 Jan 2010 16:51:37 +0100
Subject: AVC:s on xauth file when doing su
In-Reply-To: <19263.16707.692694.709648@freddi.uddeborg>
References: <4B393F3E.1060403@rubix.com> <20091229105700.GB20705@localhost.localdomain> <4B3A36B2.3090703@rubix.com> <19258.30051.160951.252201@gargle.gargle.HOWL> <20091229215045.GA29350@localhost.localdomain> <19259.31875.618530.552239@freddi.uddeborg> <4B3CB0A8.6050603@redhat.com> <19263.16707.692694.709648@freddi.uddeborg>
Message-ID: <19264.48393.302351.317493@gargle.gargle.HOWL>

Göran Uddeborg:
> It seems to be so. I can't trigger it any more.

When I stopped trying, I could trigger it again. :-(

I did "su" in an xterm (NOT from an ssh session) and got the avc:s below again. Looking at root's home directory after it happened, I see these files:

mimmi# ll .xauth*
-rw------- 1 root root 51  3 jan 11.48 .xauth2nqqtg
-rw------- 1 root root  0  3 jan 11.48 .xauthrZ8z8F
-rw------- 2 root root  0  3 jan 11.48 .xauthrZ8z8F-c
-rw------- 2 root root  0  3 jan 11.48 .xauthrZ8z8F-l
mimmi# ll -Z .xauth*
-rw------- root root unconfined_u:object_r:xauth_home_t:SystemLow .xauth2nqqtg
-rw------- root root system_u:object_r:xauth_home_t:SystemLow     .xauthrZ8z8F
-rw------- root root unconfined_u:object_r:xauth_home_t:SystemLow .xauthrZ8z8F-c
-rw------- root root unconfined_u:object_r:xauth_home_t:SystemLow .xauthrZ8z8F-l

TWO .xauth* files were generated at the same time, the time when I did "su". But only one of them triggered these avc:s. The su session points its XAUTHORITY to .xauth2nqqtg, i.e. the one which didn't trigger any avc:s.

Furthermore, now the file does have the correct context, xauth_home_t!

Of course, simply trying another "su" in the same way doesn't trigger anything. The search goes on.

time->Sun Jan  3 11:48:42 2010
type=SYSCALL msg=audit(1262515722.636:63657): arch=c000003e syscall=21 success=no exit=-13 a0=7fff04ce14dc a1=2 a2=0 a3=7fff04cdf4c0 items=0 ppid=21356 pid=21406 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=137 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1262515722.636:63657): avc: denied { write } for pid=21406 comm="xauth" name=".xauthrZ8z8F" dev=dm-0 ino=25002031 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
time->Sun Jan  3 11:48:42 2010
type=SYSCALL msg=audit(1262515722.637:63658): arch=c000003e syscall=2 success=no exit=-13 a0=7fff04ce14dc a1=0 a2=1b6 a3=0 items=0 ppid=21356 pid=21406 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=137 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1262515722.637:63658): avc: denied { read } for pid=21406 comm="xauth" name=".xauthrZ8z8F" dev=dm-0 ino=25002031 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

From: ganesai at fedoraproject.org (sai ganesh)
Date: Sun, 3 Jan 2010 21:22:07 +0530
Subject: need help in contributing to se-linux policy development
Message-ID: <7f952b9b1001030752y4bc4fd4o9b5af9dd94f43a06@mail.gmail.com>

Hi,

My name is Sai. I am a Fedora ambassador. I want to contribute to the development of SELinux policies. I am a Red Hat certified SELinux policy administrator. I want to contribute to the development of SELinux policies. How can I contribute? Whom should I contact?

I have already tried contacting the owners of the SELinux packages. I didn't get any response.

--
s.saiganesh
“The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it”

From: domg472 at gmail.com (Dominick Grift)
Date: Sun, 3 Jan 2010 17:23:40 +0100
Subject: need help in contributing to se-linux policy development
In-Reply-To: <7f952b9b1001030752y4bc4fd4o9b5af9dd94f43a06@mail.gmail.com>
References: <7f952b9b1001030752y4bc4fd4o9b5af9dd94f43a06@mail.gmail.com>
Message-ID: <20100103162339.GA2924@localhost.localdomain>

On Sun, Jan 03, 2010 at 09:22:07PM +0530, sai ganesh wrote:
> Hi,
> My name is Sai. I am a Fedora ambassador. I want to contribute to the
> development of SELinux policies. I am a Red Hat certified SELinux policy
> administrator. I want to contribute to the development of SELinux
> policies. How can I contribute?
> Whom should I contact?

You can suggest policy here on this list.

You can join #selinux and #fedora-selinux on irc://irc.freenode.org.

You can contribute directly upstream here: http://oss.tresys.com/projects/refpolicy/wiki/HowToContribute.

You can suggest policy in bugzilla.redhat.com in the selinux-policy component.

Daniel "dwalsh" Walsh (RedHat) is the Fedora/Red Hat SELinux policy maintainer and Chris "Pebenito" Pebenito (Tresys) is the Reference policy maintainer (upstream to Fedora).

> I have already tried contacting the owners of the SELinux packages. I
> didn't get any response.
>
> --
> s.saiganesh
> “The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do
> it yourself'. Yes, that's it”
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

From: domg472 at gmail.com (Dominick Grift)
Date: Sun, 3 Jan 2010 17:32:49 +0100
Subject: AVC:s on xauth file when doing su
In-Reply-To: <19264.48393.302351.317493@gargle.gargle.HOWL>
References: <4B393F3E.1060403@rubix.com> <20091229105700.GB20705@localhost.localdomain> <4B3A36B2.3090703@rubix.com> <19258.30051.160951.252201@gargle.gargle.HOWL> <20091229215045.GA29350@localhost.localdomain> <19259.31875.618530.552239@freddi.uddeborg> <4B3CB0A8.6050603@redhat.com> <19263.16707.692694.709648@freddi.uddeborg> <19264.48393.302351.317493@gargle.gargle.HOWL>
Message-ID: <20100103163249.GB2924@localhost.localdomain>

On Sun, Jan 03, 2010 at 04:51:37PM +0100, Göran Uddeborg wrote:
> Göran Uddeborg:
> > It seems to be so. I can't trigger it any more.
>
> When I stopped trying, I could trigger it again. :-(
>
> I did "su" in an xterm (NOT from an ssh session) and got the avc:s
> below again. Looking at root's home directory after it happened, I
> see these files
>
> mimmi# ll .xauth*
> -rw------- 1 root root 51  3 jan 11.48 .xauth2nqqtg
> -rw------- 1 root root  0  3 jan 11.48 .xauthrZ8z8F
> -rw------- 2 root root  0  3 jan 11.48 .xauthrZ8z8F-c
> -rw------- 2 root root  0  3 jan 11.48 .xauthrZ8z8F-l
> mimmi# ll -Z .xauth*
> -rw------- root root unconfined_u:object_r:xauth_home_t:SystemLow .xauth2nqqtg
> -rw------- root root system_u:object_r:xauth_home_t:SystemLow     .xauthrZ8z8F

This (above) is the entry I am most interested in. The file appears created by system_u (some system service). Could it be that we are missing a domain transition somewhere?

This command, I think, returns potential problems:

sesearch --allow -t xauth_exec_t | grep execute_no_trans

Do you have stuff running initrc_t? (ps auxZ | grep initrc_t)

This I don't think is related, but may be something to keep in mind also as potential issues for xauth:

[root at localhost selinux-modules]# sesearch --allow -t xauth_exec_t | grep execute_no_trans | grep sudo
allow sysadm_sudo_t exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
allow staff_sudo_t exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;

> -rw------- root root unconfined_u:object_r:xauth_home_t:SystemLow .xauthrZ8z8F-c
> -rw------- root root unconfined_u:object_r:xauth_home_t:SystemLow .xauthrZ8z8F-l
>
> TWO .xauth* files were generated at the same time, the time when I did
> "su". But only one of them triggered these avc:s. The su session
> points its XAUTHORITY to .xauth2nqqtg, i.e. the one which didn't
> trigger any avc:s.
>
> Furthermore, now the file does have the correct context, xauth_home_t!
>
> Of course, simply trying another "su" in the same way doesn't trigger
> anything. The search goes on.
>
> time->Sun Jan  3 11:48:42 2010
> type=SYSCALL msg=audit(1262515722.636:63657): arch=c000003e syscall=21 success=no exit=-13 a0=7fff04ce14dc a1=2 a2=0 a3=7fff04cdf4c0 items=0 ppid=21356 pid=21406 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=137 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1262515722.636:63657): avc: denied { write } for pid=21406 comm="xauth" name=".xauthrZ8z8F" dev=dm-0 ino=25002031 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> ----
> time->Sun Jan  3 11:48:42 2010
> type=SYSCALL msg=audit(1262515722.637:63658): arch=c000003e syscall=2 success=no exit=-13 a0=7fff04ce14dc a1=0 a2=1b6 a3=0 items=0 ppid=21356 pid=21406 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=137 comm="xauth" exe="/usr/bin/xauth" subj=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1262515722.637:63658): avc: denied { read } for pid=21406 comm="xauth" name=".xauthrZ8z8F" dev=dm-0 ino=25002031 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sun, 3 Jan 2010 18:19:05 +0100
Subject: AVC:s on xauth file when doing su
In-Reply-To: <20100103163249.GB2924@localhost.localdomain>
References: <4B393F3E.1060403@rubix.com> <20091229105700.GB20705@localhost.localdomain> <4B3A36B2.3090703@rubix.com> <19258.30051.160951.252201@gargle.gargle.HOWL> <20091229215045.GA29350@localhost.localdomain> <19259.31875.618530.552239@freddi.uddeborg> <4B3CB0A8.6050603@redhat.com> <19263.16707.692694.709648@freddi.uddeborg> <19264.48393.302351.317493@gargle.gargle.HOWL> <20100103163249.GB2924@localhost.localdomain>
Message-ID: <19264.53641.202113.400704@gargle.gargle.HOWL>

Dominick Grift:
> > -rw------- root root system_u:object_r:xauth_home_t:SystemLow     .xauthrZ8z8F
> This (above) is the entry I am most interested in. The file appears created by system_u (some system service). Could it be that we are missing a domain transition somewhere?

> This command, I think, returns potential problems:
> sesearch --allow -t xauth_exec_t | grep execute_no_trans

That didn't find anything at all. (And consequently, adding a grep for sudo at the end didn't show anything either.)

> Do you have stuff running initrc_t? (ps auxZ | grep initrc_t)

There are (now) four such processes:

system_u:system_r:initrc_t:SystemLow            nobody    1899  0.0  0.0 105448   876 ?  Ss   2009   4:04 /bin/bash /usr/local/sbin/adslmon
system_u:system_r:initrc_t:SystemLow-SystemHigh root      2552  0.0  0.0  52088  1640 ?  S    2009   0:05 /usr/libexec/polkit-1/polkitd
unconfined_u:system_r:initrc_t:SystemLow        root     25981  0.0  0.0  39280   536 ?  Ss   2009   0:14 hostapd -B -ddK /etc/hostapd/hostapd.conf
system_u:system_r:initrc_t:SystemLow            nobody   29310  0.0  0.0 104648   656 ?  S    18:12  0:00 sleep 10

adslmon is a script I use to monitor when my ADSL connection goes down and when it comes up again. The sleep is called from that script. I can't imagine it would be involved, but just in case you want to see it I put a copy at ftp://ftp.uddeborg.se/pub/adslmon

From: domg472 at gmail.com (Dominick Grift)
Date: Sun, 3 Jan 2010 18:48:41 +0100
Subject: AVC:s on xauth file when doing su
In-Reply-To: <19264.53641.202113.400704@gargle.gargle.HOWL>
References: <20091229105700.GB20705@localhost.localdomain> <4B3A36B2.3090703@rubix.com> <19258.30051.160951.252201@gargle.gargle.HOWL> <20091229215045.GA29350@localhost.localdomain> <19259.31875.618530.552239@freddi.uddeborg> <4B3CB0A8.6050603@redhat.com> <19263.16707.692694.709648@freddi.uddeborg> <19264.48393.302351.317493@gargle.gargle.HOWL> <20100103163249.GB2924@localhost.localdomain> <19264.53641.202113.400704@gargle.gargle.HOWL>
Message-ID: <20100103174840.GC2924@localhost.localdomain>

On Sun, Jan 03, 2010 at 06:19:05PM +0100, Göran Uddeborg wrote:
> Dominick Grift:
> > > -rw------- root root system_u:object_r:xauth_home_t:SystemLow     .xauthrZ8z8F
> > This (above) is the entry I am most interested in. The file appears created by system_u (some system service). Could it be that we are missing a domain transition somewhere?
>
> > This command, I think, returns potential problems:
> > sesearch --allow -t xauth_exec_t | grep execute_no_trans
>
> That didn't find anything at all. (And consequently, adding a grep
> for sudo at the end didn't show anything either.)

That is odd, these commands do return stuff on my f12 system(s).

> > Do you have stuff running initrc_t? (ps auxZ | grep initrc_t)
>
> There are (now) four such processes:
>
> system_u:system_r:initrc_t:SystemLow            nobody    1899  0.0  0.0 105448   876 ?  Ss   2009   4:04 /bin/bash /usr/local/sbin/adslmon
> system_u:system_r:initrc_t:SystemLow-SystemHigh root      2552  0.0  0.0  52088  1640 ?  S    2009   0:05 /usr/libexec/polkit-1/polkitd

Looks like polkit runs in the wrong SELinux environment (do not know if this is at all related though). That might signal that some files on your system may be mislabeled (I would suggest a file system relabel just for peace of mind):

[dgrift at localhost selinux-modules]$ ps auxZ | grep polkit-1
system_u:system_r:policykit_t:s0-s0:c0.c1023 root      1712  0.0  0.0  51524  3636 ?  S    12:58   0:00 /usr/libexec/polkit-1/polkitd

> unconfined_u:system_r:initrc_t:SystemLow        root     25981  0.0  0.0  39280   536 ?  Ss   2009   0:14 hostapd -B -ddK /etc/hostapd/hostapd.conf
> system_u:system_r:initrc_t:SystemLow            nobody   29310  0.0  0.0 104648   656 ?  S    18:12  0:00 sleep 10
>
> adslmon is a script I use to monitor when my ADSL connection goes down
> and when it comes up again. The sleep is called from that script. I
> can't imagine it would be involved, but just in case you want to see
> it I put a copy at ftp://ftp.uddeborg.se/pub/adslmon

From: goeran at uddeborg.se (Göran Uddeborg)
Date: Sun, 3 Jan 2010 22:00:08 +0100
Subject: AVC:s on xauth file when doing su
In-Reply-To: <20100103174840.GC2924@localhost.localdomain>
References: <20091229105700.GB20705@localhost.localdomain> <4B3A36B2.3090703@rubix.com> <19258.30051.160951.252201@gargle.gargle.HOWL> <20091229215045.GA29350@localhost.localdomain> <19259.31875.618530.552239@freddi.uddeborg> <4B3CB0A8.6050603@redhat.com> <19263.16707.692694.709648@freddi.uddeborg> <19264.48393.302351.317493@gargle.gargle.HOWL> <20100103163249.GB2924@localhost.localdomain> <19264.53641.202113.400704@gargle.gargle.HOWL> <20100103174840.GC2924@localhost.localdomain>
Message-ID: <19265.1368.375828.421383@gargle.gargle.HOWL>

Dominick Grift:
> That is odd, these commands do return stuff on my f12 system(s)

Odd indeed. Are we on the same policy? I have 3.6.32-63.fc12. If you wish to compare, I've placed the output of "sesearch --allow -t xauth_exec_t" in ftp://ftp.uddeborg.se/pub/sesearch

> Looks like polkit runs in the wrong SELinux environment

I ran restorecon on polkitd, and its type was indeed changed. I restarted it, and it looks better now.

mimmi$ ps -ZC polkitd
LABEL                                               PID TTY          TIME CMD
system_u:system_r:policykit_t:SystemLow-SystemHigh  723 ?        00:00:00 polkitd

> (i would suggest a file system relabel just for peace of mind)

Probably a good idea. First, I'm running a "fixfiles check" on everything now, to see if I can find anything that would explain the behaviour. So far it has only found pretty unimportant things, like files under ~/.gconf that had user_home_t rather than gconf_home_t.

From: tony at specialistdevelopment.com (tony at specialistdevelopment.com)
Date: Mon, 04 Jan 2010 15:09:50 +0000
Subject: Move httpd root, selinux help
Message-ID: <20100104150950.91062pzt2txwzdtq@mail.specialistdevelopment.com>

Hi,

Wishing everyone a happy new year!

Can anyone point me in the right direction with a problem I'm having with selinux and httpd please?

I have created a virtual host and have created the directory structure:

/vhosts/domain.tld/htdocs    # Document root
/vhosts/domain.tld/logs      # Log root
/vhosts/domain.tld/private   # Private root

I have set the contexts and they display as:

[root at server htdocs]# ls -laZ /vhosts/domain.tld/htdocs
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

[root at server htdocs]# ls -laZ /vhosts/domain.tld/logs
drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..

so to me this looks like it has the right contexts.

When I try to start apache I get the following error:

[root at server htdocs]# /sbin/service httpd start
Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does not exist
httpd: Could not reliably determine the server's fully qualified domain name, using ::1 for ServerName
                                                           [FAILED]

Now I know the directory exists, which confuses me. Below are the error logs:

[root at server htdocs]# tail /var/log/httpd/error_log
(13)Permission denied: httpd: could not open error log file /wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log.
Unable to open logs

Can anyone help, as I am really stuck.

Thank you in advance!

Tony

From: Moray.Henderson at ict-software.org (Moray Henderson) Date: Mon, 4 Jan 2010 15:41:11 +0000 Subject: Move httpd root, selinux help In-Reply-To: <20100104150950.91062pzt2txwzdtq@mail.specialistdevelopment.com> References: <20100104150950.91062pzt2txwzdtq@mail.specialistdevelopment.com> Message-ID: <005c01ca8d54$5842c2e0$08c848a0$@Henderson@ict-software.org> tony at specialistdevelopment.com wrote: >Hi, > >Wishing everyone a happy new year! > >Can anyone point me in the right direction with a problem im having >with selinux and httpd please? > >I have created a virtual host and have created the directory structure: > >/vhosts/domain.tld/htdocs # Document root >/vhosts/domain.tld/logs # Log root >/vhosts/domain.tld/private # Private root > >I have set the contexts and they display as: > >[root at server htdocs]# ls -laZ /vhosts/domain.tld/htdocs >drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 . >drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 .. >-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 >index.html > >[root at server htdocs]# ls -laZ /vhosts/domain.tld/logs >drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 . >drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 .. > >so to me this looks like it has the right contexts. > >when i try to start apache i get the following error: > >[root at server htdocs]# /sbin/service httpd start >Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does >not exist >httpd: Could not reliably determine the server's fully qualified >domain name, using ::1 for ServerName > [FAILED] > >now i know the directory exists, which confuses me. below are the error >logs: > >[root at server htdocs]# tail /var/log/httpd/error_log >(13)Permission denied: httpd: could not open error log file >/wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/erro r.l >og. >Unable to open logs > >Can anyone help as i am really stuck. > >Thankyou in advance! 
>
>Tony

I have found that apache needs at least search access to _all_ the directories in the hierarchy - so your /vhosts and your /vhosts/domain.tld directories both need to be some type that apache can search. Also check /var/log/audit/audit.log (or ausearch) for the precise denial message.

Moray.

"To err is human. To purr, feline"

From dwalsh at redhat.com Mon Jan 4 16:09:23 2010
From: dwalsh at redhat.com (Daniel J Walsh) Date: Mon, 04 Jan 2010 11:09:23 -0500 Subject: Move httpd root, selinux help In-Reply-To: <20100104150950.91062pzt2txwzdtq@mail.specialistdevelopment.com> References: <20100104150950.91062pzt2txwzdtq@mail.specialistdevelopment.com> Message-ID: <4B4212B3.5040204@redhat.com> On 01/04/2010 10:09 AM, tony at specialistdevelopment.com wrote: > Hi, > > Wishing everyone a happy new year! > > Can anyone point me in the right direction with a problem im having with > selinux and httpd please? > > I have created a virtual host and have created the directory structure: > > /vhosts/domain.tld/htdocs # Document root > /vhosts/domain.tld/logs # Log root > /vhosts/domain.tld/private # Private root > > I have set the contexts and they display as: > > [root at server htdocs]# ls -laZ /vhosts/domain.tld/htdocs > drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 . > drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 .. > -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 > index.html > > [root at server htdocs]# ls -laZ /vhosts/domain.tld/logs > drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 . > drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 .. > > so to me this looks like it has the right contexts. > > when i try to start apache i get the following error: > > [root at server htdocs]# /sbin/service httpd start > Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does > not exist > httpd: Could not reliably determine the server's fully qualified domain > name, using ::1 for ServerName > [FAILED] > > now i know the directory exists, which confuses me. below are the error > logs: > > [root at server htdocs]# tail /var/log/httpd/error_log > (13)Permission denied: httpd: could not open error log file > /wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log. > > Unable to open logs > > Can anyone help as i am really stuck. > > Thankyou in advance! 
>
> Tony
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>

# semanage fcontext -a -t httpd_sys_content_t '/vhosts(/.*)?'
# restorecon -R -v /vhosts

Should fix the problem.

You need to label every file/dir that httpd will access with a label it can read or search.

From dwalsh at redhat.com Mon Jan 4 18:01:24 2010
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 04 Jan 2010 13:01:24 -0500
Subject: CentOS 5.4 + xinetd + sshd + SELinux issues
In-Reply-To: <20091231100658.GA25765@megiteam.pl>
References: <20091231100658.GA25765@megiteam.pl>
Message-ID: <4B422CF4.7030500@redhat.com>

On 12/31/2009 05:06 AM, Grzegorz Nosek wrote:
> Hi all,
>
> I have a problem trying to run sshd via xinetd on a CentOS 5.4 system
> (I want to slap a tcpwrappers-style wrapper before sshd, so I need it
> that way).
>
> In permissive mode I can log in/out with the following failures reported
> by audit2allow:
>
> allow amanda_t consoletype_exec_t:file { execute execute_no_trans };
> allow amanda_t devpts_t:chr_file { write ioctl };
> allow amanda_t hostname_exec_t:file { execute execute_no_trans };
> allow amanda_t shell_exec_t:file entrypoint;
>
> I don't even have amanda installed, so the context is clearly bogus.
>
> After a chat on #fedora-selinux it seems that sshd cannot find its
> default context, so falls back to the first available one, which happens
> to be something:something:amanda_t (the list is read from /selinux/user).
> This operation is performed by sshd itself (as verified by strace).
>
> I don't need Fort Knox type security but I'd like to use SELinux to
> tighten down other parts of the system, so I'd really like to use the
> enforcing mode.
>
> Any hints? A good TFM to R will hopefully do.
>
> Best regards,
>  Grzegorz Nosek
>

This looks like you have a very screwed up system. What domain is sshd running with?

ps -eZ | grep sshd

You could try a relabel

touch /.autorelabel; reboot

Which should get all the processes running in the correct domain.

From dwalsh at redhat.com Mon Jan 4 19:01:08 2010
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Mon, 04 Jan 2010 14:01:08 -0500
Subject: Home directories within /var
In-Reply-To:
References: <20091231080955.6e39659f@city-fan.org>
Message-ID: <4B423AF4.1020602@redhat.com>

On 12/31/2009 12:18 PM, Robert Nichols wrote:
> Paul Howarth wrote:
>> On Wed, 30 Dec 2009 18:52:02 -0600
>> Robert Nichols wrote:
>>
>>> On my system I have home directories in /var/home and bind mounted
>>> to /home:
>>>
>>> /var/home on /home type none (rw,bind)
>>>
>>> Is there any way to prevent restorecon on /var from descending into
>>> /var/home and destroying the normal home directory file contexts?
>>> Reproducing all of file_contexts.homedirs in local policy is of course
>>> unmaintainable.
>>
>> You can make the file contexts for /var/home match those for /home very
>> easily on F-11 onwards:
>>
>> # semanage fcontext -a -e /home /var/home
>>
>> See http://danwalsh.livejournal.com/2009/04/09/ for Dan's blog on file
>> context equivalency.
>
> TYVM. Perhaps someday the manpage for semanage will include some mention
> of that "-e" flag.
>

Open a bugzilla please.

From domg472 at gmail.com Mon Jan 4 20:51:21 2010
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 04 Jan 2010 21:51:21 +0100
Subject: bug in bind.if - bind_initrc_domtrans
Message-ID: <4B4254C9.8060901@gmail.com>

I just stumbled on a bug:

Bad:

########################################
##
## Execute bind server in the bind domain.
##
## The type of the process performing this action.
##
#
interface(`bind_initrc_domtrans',`
	gen_require(`
		type bind_initrc_exec_t;
	')

	# bind_initrc_exec_t does not exist in the policy; the init script
	# for bind is labelled named_initrc_exec_t
	init_labeled_script_domtrans($1, bind_initrc_exec_t)
')

Good:

########################################
##
## Execute bind server in the bind domain.
##
## The type of the process performing this action.
##
#
interface(`bind_initrc_domtrans',`
	gen_require(`
		# the require block must name the type actually used below
		type named_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, named_initrc_exec_t)
')

Thanks

From domg472 at gmail.com Mon Jan 4 20:53:50 2010
From: domg472 at gmail.com (Dominick Grift)
Date: Mon, 04 Jan 2010 21:53:50 +0100
Subject: Bug in bind.if - bind_admin
Message-ID: <4B42555E.80906@gmail.com>

Whoops, sorry, but a similar bug appears in bind_admin: bind_initrc_exec_t is non-existent; use named_initrc_exec_t instead.

init_labeled_script_domtrans($1, bind_initrc_exec_t)

bind, named... I know it's confusing

thanks

From sds at tycho.nsa.gov Mon Jan 4 21:36:56 2010
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 04 Jan 2010 16:36:56 -0500 Subject: Apparent memory leak in libselinux In-Reply-To: <9ae48b020912301632u6d69e445tf2dd33d3afe9ca04@mail.gmail.com> References: <9ae48b020912301632u6d69e445tf2dd33d3afe9ca04@mail.gmail.com> Message-ID: <1262641016.28009.167.camel@moss-pluto.epoch.ncsc.mil> On Wed, 2009-12-30 at 16:32 -0800, Ed Swierk wrote: > When I run the following on a F12 system booted with selinux=0, the > tcmalloc heap checker complains about a leak somewhere in libselinux: > > $ HEAPCHECK=normal LD_PRELOAD=/usr/lib64/libtcmalloc.so.0 > /usr/bin/python -c 'import _ssl' > > Leak check _main_ detected leaks of 120 bytes in 1 objects > The 1 largest leaks: > Leak of 120 bytes in 1 objects allocated from: > @ 0x3bf9866589 _IO_getdelim > @ 0x3bfb40ca53 set_selinuxmnt > @ 0x3bfb414fe6 string_to_security_class > @ 0x3bfb404cdb _init > @ 0x7fff4bdfa8ed 0x00007fff4bdfa8ed > > No leak is detected when I run this with selinux enabled. My system > has libselinux-2.0.87-1.fc12 installed. Likely introduced by Eric's short cut for checking /proc/filesystems and bailing immediately in the non-selinux case. Try this: diff --git a/libselinux/src/init.c b/libselinux/src/init.c index ecb3199..4d010dc 100644 --- a/libselinux/src/init.c +++ b/libselinux/src/init.c @@ -59,8 +59,10 @@ static void init_selinuxmnt(void) } fclose(fp); - if (!exists) + if (!exists) { + free(buf); return; + } /* At this point, the usual spot doesn't have an selinuxfs so * we look around for it */ -- Stephen Smalley National Security Agency From sds at tycho.nsa.gov Mon Jan 4 21:42:48 2010 
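Review bot: The new `free(buf)` inside the `if (!exists) {` branch closes the leak on the non-SELinux early return shown in the hunk, but this is the only exit the patch touches; after `fclose(fp)` the getdelim buffer is still owned by `init_selinuxmnt()`, so any other `return` between this point and the end of the function (outside the visible context) needs the same release, and Ed Swierk's follow-up in this thread says there are further leakage cases, so those paths should be audited before this lands. The patch also carries no description of what it fixes (the 120-byte `_IO_getdelim` allocation from the heap-checker report); a one-line summary naming that leak would help whoever bisects to it later.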
From: sds at tycho.nsa.gov (Stephen Smalley) Date: Mon, 04 Jan 2010 16:42:48 -0500 Subject: CentOS 5.4 + xinetd + sshd + SELinux issues In-Reply-To: <20091231100658.GA25765@megiteam.pl> References: <20091231100658.GA25765@megiteam.pl> Message-ID: <1262641368.28009.173.camel@moss-pluto.epoch.ncsc.mil> On Thu, 2009-12-31 at 11:06 +0100, Grzegorz Nosek wrote: > Hi all, > > I have a problem trying to run sshd via xinetd on a CentOS 5.4 system > (I want to slap a tcpwrappers-style wrapper before sshd, so I need it > that way). > > In permissive mode I can log in/out with the following failures reported > by audit2allow: > > allow amanda_t consoletype_exec_t:file { execute execute_no_trans }; > allow amanda_t devpts_t:chr_file { write ioctl }; > allow amanda_t hostname_exec_t:file { execute execute_no_trans }; > allow amanda_t shell_exec_t:file entrypoint; > > I don't even have amanda installed, so the context is clearly bogus. > > After a chat on #fedora-selinux it seems that sshd cannot find its > default context, so falls back to the first available one, which happens > to be something:something:amanda_t (the list is read from /selinux/user). > This operation is performed by sshd itself (as verified by strace). > > I don't need Fort Knox type security but I'd like to use SELinux to > tighten down other parts of the system, so I'd really like to use the > enforcing mode. > > Any hints? A good TFM to R will hopefully do. In what label/context are xinetd and sshd running (ps -eZ)? What are the file security contexts on their executables (ls -Z)? -- Stephen Smalley National Security Agency From eswierk at aristanetworks.com Mon Jan 4 22:49:20 2010 
From: eswierk at aristanetworks.com (Ed Swierk)
Date: Mon, 4 Jan 2010 14:49:20 -0800
Subject: Apparent memory leak in libselinux
In-Reply-To: <1262641016.28009.167.camel@moss-pluto.epoch.ncsc.mil>
References: <9ae48b020912301632u6d69e445tf2dd33d3afe9ca04@mail.gmail.com> <1262641016.28009.167.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <9ae48b021001041449w677a7da4rbbca504a32c08f3a@mail.gmail.com>

On Mon, Jan 4, 2010 at 1:36 PM, Stephen Smalley wrote:
> Likely introduced by Eric's short cut for checking /proc/filesystems and
> bailing immediately in the non-selinux case. Try this:

There are a couple of other leakage cases to worry about. I submitted a patch here: http://userspace.selinuxproject.org/trac/ticket/10

--Ed

From ganesai at gmail.com Tue Jan 5 05:27:57 2010
From: ganesai at gmail.com (sai ganesh) Date: Tue, 5 Jan 2010 05:27:57 +0000 Subject: Move httpd root, selinux help In-Reply-To: <4B4212B3.5040204@redhat.com> References: <20100104150950.91062pzt2txwzdtq@mail.specialistdevelopment.com> <4B4212B3.5040204@redhat.com> Message-ID: <7f952b9b1001042127x3846ede1p5e42c3931a92b85c@mail.gmail.com> the exact log of the avc denial is needed to analyse the problem.but assuming it as a denial due to the context.either you can do as dwalsh said or alternatively ,you can change the context of the file and directory to httpd_sys_content_t and put the file name and directory name in /etc/selinux/restorecond.conf and restart the restorecond service. so that even when you accidentally delete the file you can get the correct context on recreating it. On 1/4/10, Daniel J Walsh wrote: > On 01/04/2010 10:09 AM, tony at specialistdevelopment.com wrote: >> Hi, >> >> Wishing everyone a happy new year! >> >> Can anyone point me in the right direction with a problem im having with >> selinux and httpd please? >> >> I have created a virtual host and have created the directory structure: >> >> /vhosts/domain.tld/htdocs # Document root >> /vhosts/domain.tld/logs # Log root >> /vhosts/domain.tld/private # Private root >> >> I have set the contexts and they display as: >> >> [root at server htdocs]# ls -laZ /vhosts/domain.tld/htdocs >> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 . >> drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 .. >> -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 >> index.html >> >> [root at server htdocs]# ls -laZ /vhosts/domain.tld/logs >> drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 . >> drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 .. >> >> so to me this looks like it has the right contexts. 
>> >> when i try to start apache i get the following error: >> >> [root at server htdocs]# /sbin/service httpd start >> Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does >> not exist >> httpd: Could not reliably determine the server's fully qualified domain >> name, using ::1 for ServerName >> [FAILED] >> >> now i know the directory exists, which confuses me. below are the error >> logs: >> >> [root at server htdocs]# tail /var/log/httpd/error_log >> (13)Permission denied: httpd: could not open error log file >> /wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log. >> >> Unable to open logs >> >> Can anyone help as i am really stuck. >> >> Thankyou in advance! >> >> Tony >> >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> >> > # semanage fcontext -a -t httpd_sys_content_t '/vhosts(/.*)?' > # restorecon -R -v /vhosts > > Should fix the problem > > You need to label every file/dir that httpd will access with a label it can > read or search. > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > -- s.saiganesh ?The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it From root at localdomain.pl Tue Jan 5 08:51:28 2010 
From: root at localdomain.pl (Grzegorz Nosek)
Date: Tue, 5 Jan 2010 09:51:28 +0100
Subject: CentOS 5.4 + xinetd + sshd + SELinux issues
In-Reply-To: <1262641368.28009.173.camel@moss-pluto.epoch.ncsc.mil>
References: <20091231100658.GA25765@megiteam.pl> <1262641368.28009.173.camel@moss-pluto.epoch.ncsc.mil>
Message-ID: <20100105085128.GA9731@megiteam.pl>

On Mon, Jan 04, 2010 at 04:42:48 -0500, Stephen Smalley wrote:
> > I have a problem trying to run sshd via xinetd on a CentOS 5.4 system
> > (I want to slap a tcpwrappers-style wrapper before sshd, so I need it
> > that way).
>
> In what label/context are xinetd and sshd running (ps -eZ)?
> What are the file security contexts on their executables (ls -Z)?

In the meantime I managed to get stuff running by adding a module like below. xinetd is running with system_u:system_r:inetd_t:SystemLow-SystemHigh, sshd binary is labelled as system_u:object_r:sshd_exec_t, so I did not need any relabelling, I just needed the domain transition to switch sshd to unconfined_t. It stayed as inetd_t or went to inetd_child_t before; I can't remember right now and I'm not too willing to hack at it again due to kernel bugs (on a system broken in the right way the kernel panics in do_sys_open -> (..) -> chrdev_open -> ptmx_open -> init_dev; probably a missing IS_ERR somewhere).

I'd have expected the run_ssh_inetd tunable to do this but apparently, it does nothing at all in the targeted policy (as of CentOS 5.4).

So, for future reference, here's the module I needed:

--------------------- cut --------------------
module inetdssh 1.0.0;

require {
	type inetd_t;
	type unconfined_t;
	type sshd_exec_t;
	class process { transition };
}

#============= inetd_t ==============
# let xinetd's domain transition into unconfined_t, and make that
# transition automatic whenever it executes a file labelled sshd_exec_t
allow inetd_t unconfined_t:process transition;
type_transition inetd_t sshd_exec_t : process unconfined_t;

#============= unconfined_t ==============
allow unconfined_t self:process transition;
--------------------- cut --------------------

Best regards,
 Grzegorz Nosek

From ganesai at fedoraproject.org Tue Jan 5 14:03:28 2010
From: ganesai at fedoraproject.org (sai ganesh)
Date: Tue, 5 Jan 2010 19:33:28 +0530
Subject: generating rules in permissive mode?
Message-ID: <7f952b9b1001050603h3cf3a07wb2e8608c0f07c355@mail.gmail.com>

hi,

i have a query

if i want to start a completely custom made service. i have defined all the transitions and types. now i need only the allow rules.

what is the difference between (going to permissive mode and checking the logs to generate the entire set of policy's allow rules) and (generating the allow rules one by one after updating the policy again and again in the enforcing mode)? i find it easier to generate the entire set of allow rules switching to permissive mode. is there any chance that i may miss a rule if i switch to permissive mode and generate the rules from the logs, or say i give extra permissions?

which is the preferred method?

--
s.saiganesh
"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it"

From dwalsh at redhat.com Tue Jan 5 14:37:04 2010
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Tue, 05 Jan 2010 09:37:04 -0500
Subject: generating rules in permissive mode?
In-Reply-To: <7f952b9b1001050603h3cf3a07wb2e8608c0f07c355@mail.gmail.com>
References: <7f952b9b1001050603h3cf3a07wb2e8608c0f07c355@mail.gmail.com>
Message-ID: <4B434E90.5080800@redhat.com>

On 01/05/2010 09:03 AM, sai ganesh wrote:
> hi,
> i have a query
> if i want to start a completely custom made service .i have defined all the
> transitions and types.now i need only the allow rules.
> what is the difference between (going to permissive mode and checking the
> logs to generate the entire set of policy's allow rules ) and ( generating
> the allow rules one by one after updating the policy again and again in the
> enforcing mode ).i find it easier to generate the entire set of allow rules
> switching to permissive mode.is there any chance that i may miss a rule if i
> switch to permissive mode and generate the rules from the logs or say i give
> extra permissions ?
>
>
> which is the preffered method?.
>

If you are using F11/F12 you can set up a permissive domain:

permissive myapp_t;

This will allow you to run the machine in enforcing, but your new domain in permissive mode.

We almost always develop policy in permissive mode, but you have to be aware that sometimes you can deny something and cause an application to go down a different code path. For example, apps that use the pam stack attempt to read shadow_t; if you dontaudit this, the app will execute a helper application to read the shadow file. This is considered more secure.

From domg472 at gmail.com Tue Jan 5 14:49:05 2010
From: domg472 at gmail.com (Dominick Grift)
Date: Tue, 05 Jan 2010 15:49:05 +0100
Subject: generating rules in permissive mode?
In-Reply-To: <7f952b9b1001050603h3cf3a07wb2e8608c0f07c355@mail.gmail.com>
References: <7f952b9b1001050603h3cf3a07wb2e8608c0f07c355@mail.gmail.com>
Message-ID: <4B435161.9040102@gmail.com>

On 01/05/2010 03:03 PM, sai ganesh wrote:
> hi,
> i have a query
> if i want to start a completely custom made service .i have defined all the
> transitions and types.now i need only the allow rules.
> what is the difference between (going to permissive mode and checking the
> logs to generate the entire set of policy's allow rules ) and ( generating
> the allow rules one by one after updating the policy again and again in the
> enforcing mode ).i find it easier to generate the entire set of allow rules
> switching to permissive mode.is there any chance that i may miss a rule if i
> switch to permissive mode and generate the rules from the logs or say i give
> extra permissions ?
>
>
> which is the preffered method?.
>

Well it is not black or white in my opinion. Both have drawbacks.

You cannot without testing know whether you defined all transitions. At least not transitions to external domains.

If you test in permissive mode you must be very careful with what you add, especially when your domain executes external executable files. Questions like "should I domain transition or run in the local domain" are important. Implementing a domain transition will change the whole scenario.

So if you test in permissive, then during the first run, check for execute_no_trans in your AVC denials. Then decide whether it is best to transition or execute_no_trans there. If you decide to transition then basically your current batch of AVC denials becomes useless. You would only add the domain transition policy to your module, rebuild, reinstall and retest again.

Testing in enforcing mode is a pain.

On newer systems you can also use "Permissive domains". When you use this you can run single domain types permissive as opposed to the whole system. This is a nice feature and I consider this my favorite.

You will still have to be aware of implementing possible domain transitions before anything else to avoid adding more policy than strictly required.

Another thing you should keep in mind when using "Permissive domains" is that although the local domain is permissive, external domains interacting with the local domain are strictly enforced. Thus, although your local domain type is permissive, it can still fail to run, simply because some external domain is denied interaction with objects owned by the local domain or domain types owned by the local domain.

So in a nutshell:

Permissive domains:
pros: saves time
cons: external domains interacting with the local permissive domain are still denied on each system call they make.
cons: make sure you domain transition first (if required) before adding other policy

Permissive mode:
pros: saves even more time
cons: system is unprotected.
cons: make sure you domain transition first (if required) before adding other policy

hth

From sds at tycho.nsa.gov Tue Jan 5 15:36:19 2010
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Tue, 05 Jan 2010 10:36:19 -0500
Subject: generating rules in permissive mode?
In-Reply-To: <7f952b9b1001050603h3cf3a07wb2e8608c0f07c355@mail.gmail.com>
References: <7f952b9b1001050603h3cf3a07wb2e8608c0f07c355@mail.gmail.com>
Message-ID: <1262705779.28009.185.camel@moss-pluto.epoch.ncsc.mil>

On Tue, 2010-01-05 at 19:33 +0530, sai ganesh wrote:
> hi,
> i have a query
> if i want to start a completely custom made service .i have defined
> all the transitions and types.now i need only the allow rules.
> what is the difference between (going to permissive mode and checking
> the logs to generate the entire set of policy's allow rules ) and
> ( generating the allow rules one by one after updating the policy
> again and again in the enforcing mode ).i find it easier to generate
> the entire set of allow rules switching to permissive mode.is there
> any chance that i may miss a rule if i switch to permissive mode and
> generate the rules from the logs or say i give extra permissions ?
>
>
> which is the preffered method?.

One other item to keep in mind about permissive mode: When in permissive mode, SELinux only logs the first instance of a given permission denial, i.e. once per (process security context, object security context, object security class, permission) tuple, and then SELinux silences further denials on that same permission by granting the permission until the administrator switches to enforcing mode or reloads the policy. This is to avoid flooding syslogd or auditd with repeated denials on the same permission, and to avoid unnecessary duplication in the logs as the duplicates would yield the same allow rule regardless. It can however mask denials on different subjects/objects that happen to be in the same security context.

See: http://marc.info/?t=122953404700001&r=1&w=2

--
Stephen Smalley
National Security Agency

From tony at specialistdevelopment.com Thu Jan 7 15:17:30 2010
From: tony at specialistdevelopment.com (tony at specialistdevelopment.com) Date: Thu, 07 Jan 2010 15:17:30 +0000 Subject: Move httpd root, selinux help In-Reply-To: <7f952b9b1001042127x3846ede1p5e42c3931a92b85c@mail.gmail.com> References: <20100104150950.91062pzt2txwzdtq@mail.specialistdevelopment.com> <4B4212B3.5040204@redhat.com> <7f952b9b1001042127x3846ede1p5e42c3931a92b85c@mail.gmail.com> Message-ID: <20100107151730.11386mbpkhg0hcsq@mail.specialistdevelopment.com> Thanks for your help, all sorted now :) Tony Quoting sai ganesh : > the exact log of the avc denial is needed to analyse the problem.but > assuming it as a denial due to the context.either you can do as > dwalsh said or alternatively ,you can change the context of the file > and directory to httpd_sys_content_t and put the file name and > directory name in /etc/selinux/restorecond.conf and restart the > restorecond service. > so that even when you accidentally delete the file you can get the > correct context on recreating it. > > > On 1/4/10, Daniel J Walsh wrote: >> On 01/04/2010 10:09 AM, tony at specialistdevelopment.com wrote: >>> Hi, >>> >>> Wishing everyone a happy new year! >>> >>> Can anyone point me in the right direction with a problem im having with >>> selinux and httpd please? >>> >>> I have created a virtual host and have created the directory structure: >>> >>> /vhosts/domain.tld/htdocs # Document root >>> /vhosts/domain.tld/logs # Log root >>> /vhosts/domain.tld/private # Private root >>> >>> I have set the contexts and they display as: >>> >>> [root at server htdocs]# ls -laZ /vhosts/domain.tld/htdocs >>> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 . >>> drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 .. >>> -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 >>> index.html >>> >>> [root at server htdocs]# ls -laZ /vhosts/domain.tld/logs >>> drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 . >>> drwxr-xr-x. 
root root unconfined_u:object_r:file_t:s0 .. >>> >>> so to me this looks like it has the right contexts. >>> >>> when i try to start apache i get the following error: >>> >>> [root at server htdocs]# /sbin/service httpd start >>> Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does >>> not exist >>> httpd: Could not reliably determine the server's fully qualified domain >>> name, using ::1 for ServerName >>> [FAILED] >>> >>> now i know the directory exists, which confuses me. below are the error >>> logs: >>> >>> [root at server htdocs]# tail /var/log/httpd/error_log >>> (13)Permission denied: httpd: could not open error log file >>> /wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log. >>> >>> Unable to open logs >>> >>> Can anyone help as i am really stuck. >>> >>> Thankyou in advance! >>> >>> Tony >>> >>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> >>> >> # semanage fcontext -a -t httpd_sys_content_t '/vhosts(/.*)?' >> # restorecon -R -v /vhosts >> >> Should fix the problem >> >> You need to label every file/dir that httpd will access with a label it can >> read or search. >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> > > > -- > s.saiganesh > ?The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong > One. 'Do it yourself'. Yes, that's it > From tony at specialistdevelopment.com Thu Jan 7 15:19:03 2010 
From: tony at specialistdevelopment.com (tony at specialistdevelopment.com)
Date: Thu, 07 Jan 2010 15:19:03 +0000
Subject: Selinux Alerts
Message-ID: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com>

Hi guys,

I'm getting selinux alerts logged to audit.log, is there any way to parse the alerts via the command line to get human readable alerts?

I have read that you can install setroubleshoot, but it installs a huge list of dependencies for use with the gui, but I don't have a gui installed.

Any ideas?

Tony

From dwalsh at redhat.com Thu Jan 7 15:32:32 2010
From: dwalsh at redhat.com (Daniel J Walsh)
Date: Thu, 07 Jan 2010 10:32:32 -0500
Subject: Selinux Alerts
In-Reply-To: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com>
References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com>
Message-ID: <4B45FE90.5020905@redhat.com>

On 01/07/2010 10:19 AM, tony at specialistdevelopment.com wrote:
> Hi guys,
>
> Im getting selinux alerts logged to audit.log, is there anyway to parse
> the alerts via the command line to get human readable alerts?
>
> I have read that you can install setroubleshoot, but installs a huge
> list of dependencies for use with the gui, but i dont have a gui installed.
>
> Any ideas?
>
> Tony
>

You can install setroubleshoot-server and set it up to send email.

audit2allow -la

Will generate a list of audit2allow rules, which is what I usually do.

From jdennis at redhat.com Thu Jan 7 15:42:09 2010
From: jdennis at redhat.com (John Dennis)
Date: Thu, 07 Jan 2010 10:42:09 -0500
Subject: Selinux Alerts
In-Reply-To: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com>
References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com>
Message-ID: <4B4600D1.4080507@redhat.com>

On 01/07/2010 10:19 AM, tony at specialistdevelopment.com wrote:
> Hi guys,
>
> I'm getting selinux alerts logged to audit.log, is there any way to parse
> the alerts via the command line to get human readable alerts?
>
> I have read that you can install setroubleshoot, but it installs a huge
> list of dependencies for use with the gui, but I don't have a gui installed.
>
> Any ideas?

Install the non-gui version of setroubleshoot, that's why it exists. The package name is setroubleshoot-server.

--
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

From Moray.Henderson at ict-software.org Thu Jan 7 15:48:19 2010
From: Moray.Henderson at ict-software.org (Moray Henderson)
Date: Thu, 7 Jan 2010 15:48:19 +0000
Subject: Selinux Alerts
In-Reply-To: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com>
References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com>
Message-ID: <000601ca8fb0$d6b2f970$8418ec50$@Henderson@ict-software.org>

tony at specialistdevelopment.com wrote:
> Hi guys,
>
> I'm getting selinux alerts logged to audit.log, is there any way to
> parse the alerts via the command line to get human readable alerts?
>
> I have read that you can install setroubleshoot, but it installs a huge
> list of dependencies for use with the gui, but I don't have a gui
> installed.
>
> Any ideas?
>
> Tony

As well as audit2allow(1) and audit2why(8), there are the aureport(8) and ausearch(8) programs; they have a huge number of options, so take time to study the man pages, but "aureport --avc" will list all the selinux denials.

Moray.

"To err is human; to purr, feline."

From m.roth at 5-cent.us Thu Jan 7 15:45:38 2010
From: m.roth at 5-cent.us (m.roth at 5-cent.us)
Date: Thu, 7 Jan 2010 10:45:38 -0500 (EST)
Subject: selinux and smagent
Message-ID: <43213.165.112.92.128.1262879138.squirrel@host290.hostmonster.com>

I never did solve this, and I'm looking at it again. Selinux still gripes (it's in permissive mode, or this would be more of a problem). httpd_unified is on, which is what the *wrong* error message from selinux tells me will fix this.

Given the info below, *should* I chcon (or semanage) /var/log/httpd/smagent.log to the same type as the httpd error.log? Will that make selinux happy?

mark, not happy with selinux

host=biblio type=AVC msg=audit(1262787360.769:5531): avc: denied { write } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file

ll -Z /var/log/httpd/smagent.log
-rw-r--r-- apache root user_u:object_r:httpd_log_t /var/log/httpd/smagent.log

ll -Z /usr/local/opt//webagent/bin/LLAWP
-rwxrwxr-x root root system_u:object_r:bin_t /usr/local/opt//webagent/bin/LLAWP

ll -Z /var/log/httpd/error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t /var/log/httpd/error_log

ll -Z /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd

From domg472 at gmail.com Thu Jan 7 17:16:24 2010
From: domg472 at gmail.com (Dominick Grift)
Date: Thu, 07 Jan 2010 18:16:24 +0100
Subject: selinux and smagent
In-Reply-To: <43213.165.112.92.128.1262879138.squirrel@host290.hostmonster.com>
References: <43213.165.112.92.128.1262879138.squirrel@host290.hostmonster.com>
Message-ID: <4B4616E8.9060603@gmail.com>

On 01/07/2010 04:45 PM, m.roth at 5-cent.us wrote:
> I never did solve this, and I'm looking at it again. Selinux still gripes
> (it's in permissive mode, or this would be more of a problem).
> httpd_unified is on, which is what the *wrong* error message from selinux
> tells me will fix this.
>
> Given the info below, *should* I chcon (or semanage)
> /var/log/httpd/smagent.log to the same type as the httpd error.log? Will
> that make selinux happy?
>
> mark, not happy with selinux
>
>
> host=biblio type=AVC msg=audit(1262787360.769:5531): avc: denied { write
> } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3
> ino=46107941 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
>

Apache can not and will not write to its log files. The log file should be open for append only. This is so that a compromised web server can not wipe its audit trail.

You should consider this to be a bug in smagent.

If you want to just allow it anyway (discouraged) then you can do the following:

echo 'avc: denied { write } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file' | audit2allow -M myfaultysmagent; sudo semodule -i myfaultysmagent.pp

Hth

> ll -Z /var/log/httpd/smagent.log
> -rw-r--r-- apache root user_u:object_r:httpd_log_t
> /var/log/httpd/smagent.log
>
> ll -Z /usr/local/opt//webagent/bin/LLAWP
> -rwxrwxr-x root root system_u:object_r:bin_t
> /usr/local/opt//webagent/bin/LLAWP
>
> ll -Z /var/log/httpd/error_log
> -rw-r--r-- root root system_u:object_r:httpd_log_t
> /var/log/httpd/error_log
>
> ll -Z /usr/sbin/httpd
> -rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
>

From rnicholsNOSPAM at comcast.net Thu Jan 7 23:20:09 2010
From: rnicholsNOSPAM at comcast.net (Robert Nichols)
Date: Thu, 07 Jan 2010 17:20:09 -0600
Subject: Home directories within /var
In-Reply-To: <4B423AF4.1020602@redhat.com>
References: <20091231080955.6e39659f@city-fan.org> <4B423AF4.1020602@redhat.com>
Message-ID:

Daniel J Walsh wrote:
> On 12/31/2009 12:18 PM, Robert Nichols wrote:
>> Paul Howarth wrote:
[SNIP]
>>> You can make the file contexts for /var/home match those for /home very
>>> easily on F-11 onwards:
>>>
>>> # semanage fcontext -a -e /home /var/home
>>>
>>> See http://danwalsh.livejournal.com/2009/04/09/ for Dan's blog on file
>>> context equivalency.
>> TYVM. Perhaps someday the manpage for semanage will include some mention
>> of that "-e" flag.
>>
> Open a bugzilla please.

Finally got a round tuit.

https://bugzilla.redhat.com/show_bug.cgi?id=553469

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.

From tony at specialistdevelopment.com Fri Jan 8 10:47:49 2010
From: tony at specialistdevelopment.com (tony at specialistdevelopment.com)
Date: Fri, 08 Jan 2010 10:47:49 +0000
Subject: Mysql Alert
In-Reply-To: <000601ca8fb0$d6b2f970$8418ec50$@Henderson@ict-software.org>
References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com> <000601ca8fb0$d6b2f970$8418ec50$@Henderson@ict-software.org>
Message-ID: <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com>

Hi Guys,

Sorry to keep emailing the group but I'm determined to crack selinux and not just switch it off :)

I have moved my mysql root to /db01/mysql and have symlinked /var/lib/mysql to there as well just in case any apps still have mysql hard coded to the original location.

The alert I'm getting is this:

Summary:

SELinux is preventing /bin/bash "read" access on /var/lib/mysql.

Detailed Description:

SELinux denied access requested by mysqld_safe. It is not expected that this access is required by mysqld_safe and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context        unconfined_u:system_r:mysqld_safe_t:s0
Target Context        system_u:object_r:mysqld_db_t:s0
Target Objects        /var/lib/mysql [ lnk_file ]
Source                mysqld_safe
Source Path           /bin/bash
Port
Host                  vm-lin-wb01
Source RPM Packages   bash-4.0.35-2.fc12
Target RPM Packages   mysql-server-5.1.41-2.fc12
Policy RPM            selinux-policy-3.6.32-63.fc12
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             vm-lin-wb01
Platform              Linux vm-lin-wb01 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
Alert Count           1
First Seen            Fri Jan 8 10:06:33 2010
Last Seen             Fri Jan 8 10:06:33 2010
Local ID              f35cf4f8-9714-4d41-8f88-310f8cef5425
Line Numbers

Raw Audit Messages

node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file

node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)

All the contexts look correct to me, but have I missed something? Would be grateful if anyone could point me in the right direction.

Thanks in advance :)

From domg472 at gmail.com Fri Jan 8 11:43:13 2010
From: domg472 at gmail.com (Dominick Grift) Date: Fri, 08 Jan 2010 12:43:13 +0100 Subject: Mysql Alert In-Reply-To: <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com> References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com> <000601ca8fb0$d6b2f970$8418ec50$@Henderson@ict-software.org> <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com> Message-ID: <4B471A51.8070101@gmail.com> On 01/08/2010 11:47 AM, tony at specialistdevelopment.com wrote: > Hi Guys, > > Sorry to keep emailing the group but im determined to crack selinux and > not just switch it off :) > > I have moved my mysql root to /db01/mysql and have sym linked > /var/lib/mysql to there as well just in case any apps still have mysql > hard coded to the original location. > > The alert im getting is this: > > Summary: > > SELinux is preventing /bin/bash "read" access on /var/lib/mysql. > > Detailed Description: > > SELinux denied access requested by mysqld_safe. It is not expected that > this > access is required by mysqld_safe and this access may signal an intrusion > attempt. It is also possible that the specific version or configuration > of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a > bug > report. 
> > Additional Information: > > Source Context unconfined_u:system_r:mysqld_safe_t:s0 > Target Context system_u:object_r:mysqld_db_t:s0 > Target Objects /var/lib/mysql [ lnk_file ] > Source mysqld_safe > Source Path /bin/bash > Port > Host vm-lin-wb01 > Source RPM Packages bash-4.0.35-2.fc12 > Target RPM Packages mysql-server-5.1.41-2.fc12 > Policy RPM selinux-policy-3.6.32-63.fc12 > Selinux Enabled True > Policy Type targeted > Enforcing Mode Enforcing > Plugin Name catchall > Host Name vm-lin-wb01 > Platform Linux vm-lin-wb01 > 2.6.31.9-174.fc12.i686.PAE #1 > SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 > Alert Count 1 > First Seen Fri Jan 8 10:06:33 2010 > Last Seen Fri Jan 8 10:06:33 2010 > Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 > Line Numbers > > Raw Audit Messages > > node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { > read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 > scontext=unconfined_u:system_r:mysqld_safe_t:s0 > tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file > > node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): > arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c > a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 > comm="mysqld_safe" exe="/bin/bash" > subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null) > > All the contexts look correct to me, but have i missed something? would > be grateful if anyone could point me in the right direction. > > Thanks in advance :) > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list looks like there is no such rule to allow this access. 
> [root at localhost ~]# sesearch --allow -s mysqld_safe_t | grep mysqld_db_t
> allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
> allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ;

You can allow mysqld_safe_t to read lnk_files with type mysqld_db_t:

echo 'avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file' | audit2allow -M mymysqldsafe; sudo semodule -i mymysqldsafe.pp

(Make sure that you use "mymysqldsafe" for your module's name. This is to avoid overwriting your existing mysql module.)

Please consider reporting this bug.

Thanks in advance.

From wolfy at nobugconsulting.ro Fri Jan 8 11:45:33 2010
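The command-line triage Tony asked for earlier in the thread, and the sesearch coverage check Dominick does by hand above, as one added example (my code, not setroubleshoot's and not from anyone on the list): it parses the two raw AVC records quoted in this thread, restates each in plain words, and reports which permission no `sesearch --allow` rule grants. The two mysqld_safe_t rules are the ones quoted above; the httpd_t rule is a constructed sample modelling Dominick's statement that httpd may append to, but not write, its logs.

```python
"""Triage raw SELinux AVC records from audit.log without setroubleshoot:
restate each denial in plain words and check it against the allow rules
that `sesearch --allow` reports, the way the reply above does by hand."""
import re
from dataclasses import dataclass

# Constructed sample input: the two raw AVC records quoted in this thread
# (LLAWP and mysqld_safe) plus the SYSCALL record that accompanied the latter.
SAMPLE_AVCS = """\
host=biblio type=AVC msg=audit(1262787360.769:5531): avc: denied { write } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mysqld_safe" exe="/bin/bash" subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
"""

# Rules in the form `sesearch --allow` prints them. The two mysqld_safe_t lines
# are quoted in the thread; the httpd_t line is a constructed sample (not real
# policy output) modelling "append only" access to httpd_log_t.
SAMPLE_RULES = """\
allow mysqld_safe_t mysqld_db_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow mysqld_safe_t mysqld_db_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow httpd_t httpd_log_t : file { ioctl read create getattr setattr lock append open } ;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r'allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\w+)\s*'
                     r'(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>\w+))')


@dataclass
class Denial:
    comm: str
    pid: str
    perms: tuple
    source_type: str
    target_type: str
    tclass: str
    target: str          # path= when the kernel knows it, else name=


def parse_avc(record):
    """Parse one raw audit record; returns None for non-AVC records such as SYSCALL."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return Denial(comm=kv.get('comm', '?'), pid=kv.get('pid', '?'),
                  perms=tuple(m.group('perms').split()),
                  source_type=kv['scontext'].split(':')[2],   # user:role:TYPE:level
                  target_type=kv['tcontext'].split(':')[2],
                  tclass=kv['tclass'],
                  target=kv.get('path') or kv.get('name', '?'))


def parse_allow_rules(text):
    """Map (source type, target type, object class) -> set of allowed permissions."""
    rules = {}
    for m in RULE_RE.finditer(text):
        perms = m.group('perms').split() if m.group('perms') is not None else [m.group('perm')]
        rules.setdefault((m.group('src'), m.group('tgt'), m.group('cls')), set()).update(perms)
    return rules


def allowed_permissions(denial, rules):
    return rules.get((denial.source_type, denial.target_type, denial.tclass), set())


def missing_permissions(denial, rules):
    """Denied permissions that no supplied allow rule grants for this (src, tgt, class)."""
    allowed = allowed_permissions(denial, rules)
    return [p for p in denial.perms if p not in allowed]


def suggested_rule(denial):
    """The allow rule audit2allow would put in a local module for this denial."""
    perms = ' '.join(denial.perms)
    return f'allow {denial.source_type} {denial.target_type}:{denial.tclass} {{ {perms} }};'


def triage(record, rules):
    """Human-readable verdict for one raw record, or None if it is not an AVC."""
    d = parse_avc(record)
    if d is None:
        return None
    allowed, missing = allowed_permissions(d, rules), missing_permissions(d, rules)
    perms = ' '.join(d.perms)
    out = [f'SELinux is preventing {d.comm} (pid {d.pid}, {d.source_type}) '
           f'"{perms}" access on {d.target} ({d.tclass} labelled {d.target_type}).']
    if not allowed:
        out.append(f'No rule lets {d.source_type} touch {d.target_type}:{d.tclass} at all; '
                   f'a local module would need: {suggested_rule(d)}')
    elif missing:
        out.append(f'{d.source_type} may {{ {" ".join(sorted(allowed))} }} '
                   f'but not {{ {" ".join(missing)} }} on that class.')
    else:
        out.append('The supplied rules already grant this; re-check against the loaded policy.')
    # The smagent case: policy deliberately allows append but not write on log
    # files so a compromised service cannot truncate its own audit trail.
    if d.tclass == 'file' and 'write' in missing and 'append' in allowed:
        out.append('Policy grants append but withholds write here on purpose, so a compromised '
                   'service cannot truncate its own log: fix the program to open the log for '
                   'append rather than adding a write rule.')
    return '\n'.join(out)


if __name__ == '__main__':
    loaded = parse_allow_rules(SAMPLE_RULES)
    for rec in SAMPLE_AVCS.splitlines():
        verdict = triage(rec, loaded)
        if verdict:
            print(verdict, end='\n\n')
```

On a real box, feed it `ausearch -m avc --raw` output and `sesearch --allow -s <type>` output instead of the embedded samples.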
From: wolfy at nobugconsulting.ro (Manuel Wolfshant) Date: Fri, 08 Jan 2010 13:45:33 +0200 Subject: Mysql Alert In-Reply-To: <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com> References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com> <000601ca8fb0$d6b2f970$8418ec50$@Henderson@ict-software.org> <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com> Message-ID: <4B471ADD.5050001@nobugconsulting.ro> tony at specialistdevelopment.com wrote: > Hi Guys, > > Sorry to keep emailing the group but im determined to crack selinux > and not just switch it off :) > > I have moved my mysql root to /db01/mysql and have sym linked > /var/lib/mysql to there as well just in case any apps still have mysql > hard coded to the original location. Use mount --bind instead of symlink > > The alert im getting is this: > > Summary: > > SELinux is preventing /bin/bash "read" access on /var/lib/mysql. > > Detailed Description: > > SELinux denied access requested by mysqld_safe. It is not expected > that this > access is required by mysqld_safe and this access may signal an intrusion > attempt. It is also possible that the specific version or > configuration of the > application is causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file > a bug > report. 
> > Additional Information: > > Source Context unconfined_u:system_r:mysqld_safe_t:s0 > Target Context system_u:object_r:mysqld_db_t:s0 > Target Objects /var/lib/mysql [ lnk_file ] > Source mysqld_safe > Source Path /bin/bash > Port > Host vm-lin-wb01 > Source RPM Packages bash-4.0.35-2.fc12 > Target RPM Packages mysql-server-5.1.41-2.fc12 > Policy RPM selinux-policy-3.6.32-63.fc12 > Selinux Enabled True > Policy Type targeted > Enforcing Mode Enforcing > Plugin Name catchall > Host Name vm-lin-wb01 > Platform Linux vm-lin-wb01 > 2.6.31.9-174.fc12.i686.PAE #1 > SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 > Alert Count 1 > First Seen Fri Jan 8 10:06:33 2010 > Last Seen Fri Jan 8 10:06:33 2010 > Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 > Line Numbers > > Raw Audit Messages > > node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied > { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 > ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 > tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file > > node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): > arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c > a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 > comm="mysqld_safe" exe="/bin/bash" > subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null) > > All the contexts look correct to me, but have i missed something? > would be grateful if anyone could point me in the right direction. > > Thanks in advance :) > > -- > fedora-selinux-list mailing list > fedora-selinux-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- Manuel Wolfshant linux registered user #131416 IT manager NoBug Consulting SRL A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? From domg472 at gmail.com Fri Jan 8 11:57:31 2010 
From: domg472 at gmail.com (Dominick Grift)
Date: Fri, 08 Jan 2010 12:57:31 +0100
Subject: Mysql Alert
In-Reply-To: <4B471ADD.5050001@nobugconsulting.ro>
References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com> <000601ca8fb0$d6b2f970$8418ec50$@Henderson@ict-software.org> <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com> <4B471ADD.5050001@nobugconsulting.ro>
Message-ID: <4B471DAB.6030505@gmail.com>

On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
> tony at specialistdevelopment.com wrote:
>> Hi Guys,
>>
>> Sorry to keep emailing the group but I'm determined to crack selinux
>> and not just switch it off :)
>>
>> I have moved my mysql root to /db01/mysql and have symlinked
>> /var/lib/mysql to there as well just in case any apps still have mysql
>> hard coded to the original location.
> Use mount --bind instead of symlink

Whoops, I did not notice this issue is due to custom configuration. So this issue probably does not justify a bug report.

I do not think SELinux plays nice with mount --bind so that may not work.

You just manually allow mysqld_safe_t to read the link file, like I showed in my example.

Make sure though that the link target is properly labeled (mysqld_db_t) and that mysqld_safe_t can access it. (Label the db01 dir with a type mysqld_safe_t has access to search, for example var_t or mysqld_db_t.)

>
>
>>
>> The alert I'm getting is this:
>>
>> Summary:
>>
>> SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by mysqld_safe. It is not expected
>> that this
>> access is required by mysqld_safe and this access may signal an intrusion
>> attempt. It is also possible that the specific version or
>> configuration of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file
>> a bug
>> report.
>>
>> Additional Information:
>>
>> Source Context                unconfined_u:system_r:mysqld_safe_t:s0
>> Target Context                system_u:object_r:mysqld_db_t:s0
>> Target Objects                /var/lib/mysql [ lnk_file ]
>> Source                        mysqld_safe
>> Source Path                   /bin/bash
>> Port
>> Host                          vm-lin-wb01
>> Source RPM Packages           bash-4.0.35-2.fc12
>> Target RPM Packages           mysql-server-5.1.41-2.fc12
>> Policy RPM                    selinux-policy-3.6.32-63.fc12
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     vm-lin-wb01
>> Platform                      Linux vm-lin-wb01
>>                               2.6.31.9-174.fc12.i686.PAE #1
>>                               SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
>> Alert Count                   1
>> First Seen                    Fri Jan 8 10:06:33 2010
>> Last Seen                     Fri Jan 8 10:06:33 2010
>> Local ID                      f35cf4f8-9714-4d41-8f88-310f8cef5425
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied
>> { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2
>> ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0
>> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
>>
>> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25):
>> arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c
>> a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0
>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
>> comm="mysqld_safe" exe="/bin/bash"
>> subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
>>
>> All the contexts look correct to me, but have I missed something?
>> Would be grateful if anyone could point me in the right direction.
>>
>> Thanks in advance :)
>>
>
>

From tony at specialistdevelopment.com Fri Jan 8 12:11:58 2010
From: tony at specialistdevelopment.com (tony at specialistdevelopment.com)
Date: Fri, 08 Jan 2010 12:11:58 +0000
Subject: Mysql Alert
In-Reply-To: <4B471DAB.6030505@gmail.com>
References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com> <000601ca8fb0$d6b2f970$8418ec50$@Henderson@ict-software.org> <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com> <4B471ADD.5050001@nobugconsulting.ro> <4B471DAB.6030505@gmail.com>
Message-ID: <20100108121158.32124ah0qkk9wyry@mail.specialistdevelopment.com>

Hi Dominick,

Thanks, I'll try that. Thanks to everyone for their help over the last couple of days, I'm starting to like and understand selinux, but no doubt there will be some more issues :)

Thanks again.

Tony

Quoting Dominick Grift :

> On 01/08/2010 12:45 PM, Manuel Wolfshant wrote:
>> tony at specialistdevelopment.com wrote:
>>> Hi Guys,
>>>
>>> Sorry to keep emailing the group but I'm determined to crack selinux
>>> and not just switch it off :)
>>>
>>> I have moved my mysql root to /db01/mysql and have symlinked
>>> /var/lib/mysql to there as well just in case any apps still have mysql
>>> hard coded to the original location.
>> Use mount --bind instead of symlink
>
> Whoops, I did not notice this issue is due to custom configuration. So
> this issue probably does not justify a bug report.
>
> I do not think SELinux plays nice with mount --bind so that may not work.
>
> You just manually allow mysqld_safe_t to read the link file, like I
> showed in my example.
>
> Make sure though that the link target is properly labeled (mysqld_db_t)
> and that mysqld_safe_t can access it. (Label the db01 dir with a type
> mysqld_safe_t has access to search, for example var_t or mysqld_db_t.)
>
>>
>>
>>>
>>> The alert I'm getting is this:
>>>
>>> Summary:
>>>
>>> SELinux is preventing /bin/bash "read" access on /var/lib/mysql.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by mysqld_safe. It is not expected
>>> that this
>>> access is required by mysqld_safe and this access may signal an intrusion
>>> attempt. It is also possible that the specific version or
>>> configuration of the
>>> application is causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file
>>> a bug
>>> report.
>>>
>>> Additional Information:
>>>
>>> Source Context                unconfined_u:system_r:mysqld_safe_t:s0
>>> Target Context                system_u:object_r:mysqld_db_t:s0
>>> Target Objects                /var/lib/mysql [ lnk_file ]
>>> Source                        mysqld_safe
>>> Source Path                   /bin/bash
>>> Port
>>> Host                          vm-lin-wb01
>>> Source RPM Packages           bash-4.0.35-2.fc12
>>> Target RPM Packages           mysql-server-5.1.41-2.fc12
>>> Policy RPM                    selinux-policy-3.6.32-63.fc12
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> Enforcing Mode                Enforcing
>>> Plugin Name                   catchall
>>> Host Name                     vm-lin-wb01
>>> Platform                      Linux vm-lin-wb01
>>>                               2.6.31.9-174.fc12.i686.PAE #1
>>>                               SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686
>>> Alert Count                   1
>>> First Seen                    Fri Jan 8 10:06:33 2010
>>> Last Seen                     Fri Jan 8 10:06:33 2010
>>> Local ID                      f35cf4f8-9714-4d41-8f88-310f8cef5425
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied
>>> { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2
>>> ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0
>>> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file
>>>
>>> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25):
>>> arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c
>>> a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0
>>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
>>> comm="mysqld_safe" exe="/bin/bash"
>>> subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null)
>>>
>>> All the contexts look correct to me, but have I missed something?
>>> Would be grateful if anyone could point me in the right direction.
>>>
>>> Thanks in advance :)
>>>
>>
>>
>
>
>

From wolfy at nobugconsulting.ro Fri Jan 8 12:23:34 2010
From: wolfy at nobugconsulting.ro (Manuel Wolfshant) Date: Fri, 08 Jan 2010 14:23:34 +0200 Subject: Mysql Alert In-Reply-To: <4B471DAB.6030505@gmail.com> References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com> <000601ca8fb0$d6b2f970$8418ec50$@Henderson@ict-software.org> <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com> <4B471ADD.5050001@nobugconsulting.ro> <4B471DAB.6030505@gmail.com> Message-ID: <4B4723C6.6040907@nobugconsulting.ro> Dominick Grift wrote: > On 01/08/2010 12:45 PM, Manuel Wolfshant wrote: > >> tony at specialistdevelopment.com wrote: >> >>> Hi Guys, >>> >>> Sorry to keep emailing the group but im determined to crack selinux >>> and not just switch it off :) >>> >>> I have moved my mysql root to /db01/mysql and have sym linked >>> /var/lib/mysql to there as well just in case any apps still have mysql >>> hard coded to the original location. >>> >> Use mount --bind instead of symlink >> > > Whoops i did not notice this issue is due to custom configuration. So > this issue probably does not justify a bugreport. > > I do not think SELinux plays nice with mount --bind so that may not work. > It does. Better that it plays with symlinks > You just manually allow mysqld_safe_t to read the link file , like i > showed in my example. > > Make sure though that the link target is properly labeled (mysqld_db_t) > and that mysqld_safe_t can access it. ( label db01 dir with a type > mysqld_safe_t has access to search. for example var_t or mysqld_db_t. > > >> >>> The alert im getting is this: >>> >>> Summary: >>> >>> SELinux is preventing /bin/bash "read" access on /var/lib/mysql. >>> >>> Detailed Description: >>> >>> SELinux denied access requested by mysqld_safe. It is not expected >>> that this >>> access is required by mysqld_safe and this access may signal an intrusion >>> attempt. It is also possible that the specific version or >>> configuration of the >>> application is causing it to require additional access. 
>>> >>> Allowing Access: >>> >>> You can generate a local policy module to allow this access - see FAQ >>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file >>> a bug >>> report. >>> >>> Additional Information: >>> >>> Source Context unconfined_u:system_r:mysqld_safe_t:s0 >>> Target Context system_u:object_r:mysqld_db_t:s0 >>> Target Objects /var/lib/mysql [ lnk_file ] >>> Source mysqld_safe >>> Source Path /bin/bash >>> Port >>> Host vm-lin-wb01 >>> Source RPM Packages bash-4.0.35-2.fc12 >>> Target RPM Packages mysql-server-5.1.41-2.fc12 >>> Policy RPM selinux-policy-3.6.32-63.fc12 >>> Selinux Enabled True >>> Policy Type targeted >>> Enforcing Mode Enforcing >>> Plugin Name catchall >>> Host Name vm-lin-wb01 >>> Platform Linux vm-lin-wb01 >>> 2.6.31.9-174.fc12.i686.PAE #1 >>> SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 >>> Alert Count 1 >>> First Seen Fri Jan 8 10:06:33 2010 >>> Last Seen Fri Jan 8 10:06:33 2010 >>> Local ID f35cf4f8-9714-4d41-8f88-310f8cef5425 >>> Line Numbers >>> >>> Raw Audit Messages >>> >>> node=vm-lin-wb01 type=AVC msg=audit(1262945193.369:25): avc: denied >>> { read } for pid=1267 comm="mysqld_safe" name="mysql" dev=dm-2 >>> ino=21498 scontext=unconfined_u:system_r:mysqld_safe_t:s0 >>> tcontext=system_u:object_r:mysqld_db_t:s0 tclass=lnk_file >>> >>> node=vm-lin-wb01 type=SYSCALL msg=audit(1262945193.369:25): >>> arch=40000003 syscall=195 success=no exit=-13 a0=9e04f88 a1=bff7924c >>> a2=b5cff4 a3=9e04f88 items=0 ppid=1227 pid=1267 auid=501 uid=0 gid=0 >>> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 >>> comm="mysqld_safe" exe="/bin/bash" >>> subj=unconfined_u:system_r:mysqld_safe_t:s0 key=(null) >>> >>> All the contexts look correct to me, but have i missed something? >>> would be grateful if anyone could point me in the right direction. 
>>>
>>> Thanks in advance :)
>>>
>>
>
>

--
Manuel Wolfshant
linux registered user #131416
IT manager
NoBug Consulting SRL

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

From uansari at yahoo.com Fri Jan 8 19:35:41 2010
From: uansari at yahoo.com (Usman S. Ansari)
Date: Fri, 8 Jan 2010 11:35:41 -0800 (PST)
Subject: A really simple question
Message-ID: <539407.23840.qm@web50506.mail.re2.yahoo.com>

I have written a driver for the Linux kernel; in this driver I am using the sk_security field for the driver's internal data structure. This means that if SELinux is enabled, it will have a conflict with my driver. For this reason, I run my driver with SELinux disabled.

I want to know if it is possible to only enable security on files and not on network objects?

From what I have read about SELinux, it looks like this is possible, I just need confirmation. And if this is possible, will SELinux need to use the sk_security field or not?

If this is the wrong list, please let me know the appropriate place.

Thanks.

From sds at tycho.nsa.gov Fri Jan 8 20:03:01 2010
From: sds at tycho.nsa.gov (Stephen Smalley)
Date: Fri, 08 Jan 2010 15:03:01 -0500
Subject: A really simple question
In-Reply-To: <539407.23840.qm@web50506.mail.re2.yahoo.com>
References: <539407.23840.qm@web50506.mail.re2.yahoo.com>
Message-ID: <1262980981.20881.10.camel@moss-pluto.epoch.ncsc.mil>

On Fri, 2010-01-08 at 11:35 -0800, Usman S. Ansari wrote:
> I have written a driver for the Linux kernel; in this driver I am using the sk_security field for the driver's internal data structure. This means that if SELinux is enabled, it will have a conflict with my driver. For this reason, I run my driver with SELinux disabled.
>
> I want to know if it is possible to only enable security on files and not on network objects?
>
> From what I have read about SELinux, it looks like this is possible, I just need confirmation. And if this is possible, will SELinux need to use the sk_security field or not?
>
> If this is the wrong list, please let me know the appropriate place.
>
> Thanks.

No, not possible (and not a legitimate use of that field by your driver regardless). From 2006:

commit c2b507fda390b8ae90deba9b8cdc3fe727482193
Author: Stephen Smalley
Date:   Sat Feb 4 23:27:50 2006 -0800

    [PATCH] selinux: require SECURITY_NETWORK

    Make SELinux depend on SECURITY_NETWORK (which depends on SECURITY), as
    it requires the socket hooks for proper operation even in the local case.

--
Stephen Smalley
National Security Agency

From mantaray_1 at cox.net Sat Jan 9 00:13:04 2010
From: mantaray_1 at cox.net (Mantaray)
Date: Fri, 08 Jan 2010 17:13:04 -0700
Subject: Constraints on netif and nodes no longer working after upgrading policy compiler
Message-ID: <4B47CA10.8010603@cox.net>

Hello,

I have been using the same policy, which I have customized, for a few years now. When I upgrade my OS (I believe I originally developed the policy on Fedora 6) I use the same policy and compile it with the new compiler. The message from checkpolicy when I started using this policy was that the binary representation was version 6. I upgraded to version 7 and version 8 without any difficulties. I have recently upgraded to a version of the compiler that outputs version 10. With this version all constraints on both netif and node have no effect on my policy.

I have done some troubleshooting by simplifying the personalized policy to the point that now I am only looking at the following constraint:

constrain netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send tcp_send tcp_recv udp_send udp_recv } ( t1 == can_access_internet and r1 == standard_r );

I had previously been able to successfully constrain Eth0, as well as several nodes I had defined. One of these constraints was for an rdc connection to a company server (used on a "work" user account), which was restricted to one ip address; and another was for my young son, to keep him limited to his "pbs kids" site. This is the primary reason I have used SELinux, although I am sure the other protections have been helpful as well.

I have already upgraded the policy to the most recent reference policy in an effort to resolve the issue. The only result was additional difficulties which were the result of labeling changes in the policy. After resolving those difficulties, I am back to my original problem.

I am wondering what changes have been made in the policy compiler that could cause this change in behavior, and how I need to modify my policy in order to get the node and netif based constraints working again. If anyone has any ideas that would help me to resolve the problem I would appreciate it.

-Ken-

From lists at sapience.com Sat Jan 9 02:08:48 2010
From: lists at sapience.com (Mail Lists)
Date: Fri, 08 Jan 2010 21:08:48 -0500
Subject: Mysql Alert
In-Reply-To: <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com>
References: <20100107151903.974063vx0wgkk21z@mail.specialistdevelopment.com> <000601ca8fb0$d6b2f970$8418ec50$@Henderson@ict-software.org> <20100108104749.855543bh5785bwb9@mail.specialistdevelopment.com>
Message-ID: <4B47E530.5030100@sapience.com>

On 01/08/2010 05:47 AM, tony at specialistdevelopment.com wrote:
> Hi Guys,
>

They have added the 'equivalence' flag for this:

semanage fcontext -a -e /var/lib/mysql /db01/mysql
restorecon -R /db01/mysql

regards,
gene/
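The constrain statement in Ken's message (the netif thread above) only ever narrows what allow rules grant: the listed netif permissions additionally require the source type and role to match. As an added example, written for this archive and not code from anyone on the list, here is a small Python evaluator for the subset of the constraint language that statement uses; the user/role/type contexts fed to it are constructed, not from Ken's policy.

```python
import re
# Constructed sample: the constrain statement exactly as posted in the thread.
POLICY = """constrain netif { dccp_recv dccp_send egress ingress rawip_recv rawip_send
tcp_send tcp_recv udp_send udp_recv } ( t1 == can_access_internet and r1 == standard_r );"""
CONSTRAIN_RE = re.compile(r"constrain\s+(\w+)\s*\{([^}]*)\}\s*\((.*)\)\s*;", re.S)
TOKEN_RE = re.compile(r"\(|\)|==|!=|\w+")

def parse_constrain(text):
    """Return (class, permission set, expression tokens) of the first constrain statement."""
    m = CONSTRAIN_RE.search(text)
    if not m:
        raise ValueError("no constrain statement found")
    return m.group(1), frozenset(m.group(2).split()), TOKEN_RE.findall(m.group(3))

def eval_expr(tokens, src, tgt):
    """Evaluate the subset used in the thread: and/or/not, parentheses and `field op name`
    atoms (field u1/r1/t1 = source, u2/r2/t2 = target; op == or !=). Contexts are (user, role, type)."""
    pos = 0
    def peek(): return tokens[pos] if pos < len(tokens) else None
    def take(): nonlocal pos; pos += 1; return tokens[pos - 1]
    def expr():                       # expr := term ('or' term)*
        v = term()
        while peek() == "or":
            take(); w = term(); v = v or w
        return v
    def term():                       # term := factor ('and' factor)*
        v = factor()
        while peek() == "and":
            take(); w = factor(); v = v and w
        return v
    def factor():                     # factor := 'not' factor | '(' expr ')' | atom
        if peek() == "not":
            take(); return not factor()
        if peek() == "(":
            take(); v = expr()
            if take() != ")": raise ValueError("missing ')'")
            return v
        field, op, name = take(), take(), take()
        actual = (src if field.endswith("1") else tgt)["urt".index(field[0])]
        return actual == name if op == "==" else actual != name
    result = expr()
    assert pos == len(tokens), "trailing tokens in constraint expression"
    return result

def constraint_allows(policy_text, tclass, perm, src, tgt):
    """True unless the constraint names (tclass, perm) and its expression is false (allow rule assumed)."""
    cls, perms, tokens = parse_constrain(policy_text)
    if tclass != cls or perm not in perms:
        return True
    return eval_expr(tokens, src, tgt)
```

A real kernel check still needs a matching allow rule first; this only shows the extra gate the constraint adds, which is why a permission on another class (node) or a domain outside can_access_internet behaves differently.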
