restorecon vs. setfiles
by Gary Peck
For some reason restorecon and setfiles have different notions of what
context certain files should be. For example:
# ls -Z /usr/lib/libz.*
-rwxr-xr-x+ root root system_u:object_r:lib_t /usr/lib/libz.a
lrwxrwxrwx+ root root system_u:object_r:lib_t /usr/lib/libz.so -> libz.so.1.2.1.1
lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libz.so.1 -> libz.so.1.2.1.1
-rwxr-xr-x root root system_u:object_r:shlib_t /usr/lib/libz.so.1.2.1.1
# restorecon -v /usr/lib/libz.*
restorecon set context /usr/lib/libz.so->system_u:object_r:shlib_t
restorecon set context /usr/lib/libz.so.1->system_u:object_r:shlib_t
# setfiles -v /etc/security/selinux/file_contexts /usr/lib/libz.*
setfiles: read 1450 specifications
setfiles: labeling files under /usr/lib/libz.a
setfiles: hash table stats: 1 elements, 1/65536 buckets used, longest chain length 1
setfiles: labeling files under /usr/lib/libz.so
setfiles: relabeling /usr/lib/libz.so from system_u:object_r:shlib_t to system_u:object_r:lib_t
setfiles: hash table stats: 1 elements, 1/65536 buckets used, longest chain length 1
setfiles: labeling files under /usr/lib/libz.so.1
setfiles: relabeling /usr/lib/libz.so.1 from system_u:object_r:shlib_t to system_u:object_r:lib_t
setfiles: hash table stats: 1 elements, 1/65536 buckets used, longest chain length 1
setfiles: labeling files under /usr/lib/libz.so.1.2.1.1
setfiles: hash table stats: 1 elements, 1/65536 buckets used, longest chain length 1
setfiles: Done.
So, restorecon thinks that *.so files should be shlib_t, whereas
setfiles thinks they should be lib_t. Which one is right and why do they
disagree? I thought that they both get their context info from the same
place.
This is with policy-1.11.3-5 and policycoreutils-1.11-4.
gary
19 years, 10 months
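To make the file-type field of a file_contexts spec concrete, here is a small matcher for that format. It is an added illustration, not code from the post above or from policycoreutils/libselinux, and the three specs are constructed rather than the real FC2 policy entries. It shows the mechanism by which one symlink can receive two different labels depending on whether a matcher honors the type field; the post itself does not say which tool is right.

```python
import re
import stat

# Constructed file_contexts excerpt (NOT the real FC2 policy file). Format per line:
#   <regex>  [<type>]  <context>
# The optional type field restricts a spec to one kind of object:
#   --  regular file, -d directory, -l symlink, -c/-b char/block device, -s socket, -p fifo
SPECS_TEXT = r"""
/usr/lib(/.*)?                       system_u:object_r:lib_t
/usr/lib/.*\.so(\.[^/]*)*     -l     system_u:object_r:lib_t
/usr/lib/.*\.so(\.[^/]*)*     --     system_u:object_r:shlib_t
"""

TYPE_FLAGS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-c": stat.S_IFCHR,
    "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO,
}


def parse_specs(text):
    """Parse file_contexts lines into (compiled regex, S_IF* mode or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
            mode = TYPE_FLAGS[ftype]
        else:
            regex, ctx = fields
            mode = None                      # untyped spec: applies to any object type
        # file_contexts regexes are anchored to the whole path
        specs.append((re.compile("^" + regex + "$"), mode, ctx))
    return specs


def match_context(specs, path, mode=None):
    """Return the context of the LAST spec that matches path (later specs override earlier
    ones). If mode (an S_IF* constant) is given, type-restricted specs are honored; with
    mode=None the type field is ignored and every matching regex counts."""
    result = None
    for regex, spec_mode, ctx in specs:
        if not regex.match(path):
            continue
        if mode is not None and spec_mode is not None and spec_mode != mode:
            continue                         # spec is for a different object type
        result = ctx
    return result


if __name__ == "__main__":
    specs = parse_specs(SPECS_TEXT)
    # Same symlink, two answers: the type-aware lookup and the type-blind lookup disagree.
    print("libz.so as symlink, type-aware :", match_context(specs, "/usr/lib/libz.so", stat.S_IFLNK))
    print("libz.so, type field ignored    :", match_context(specs, "/usr/lib/libz.so"))
    print("libz.so.1.2.1.1 as regular file:", match_context(specs, "/usr/lib/libz.so.1.2.1.1", stat.S_IFREG))
```

The real matchpathcon/setfiles logic also handles `<<none>>` entries and the homedir/local context files, which this matcher omits.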
acv denied from screensaver
by Richard Hally
The messages below occurred while booting with the latest strict policy
in enforcing mode. One of the things that is not working is the
screensaver. The first message indicates that the problem with the
screensaver may be related to context of files in /tmp created by xdm.
Jul 10 03:13:22 new2 kernel: audit(1089443602.916:0): avc: denied { search } for pid=3288 exe=/usr/X11R6/bin/xscreensaver name=.X11-unix dev=hda2 ino=1840550 scontext=richard:staff_r:staff_screensaver_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
The additional messages below may or may not be related.
Jul 10 03:13:24 new2 kernel: audit(1089443604.337:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
The message above repeats 5 times, then:
Jul 10 03:13:30 new2 kernel: audit(1089443610.307:0): avc: denied { getattr } for pid=3390 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.639:0): avc: denied { getattr } for pid=3401 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.788:0): avc: denied { getattr } for pid=3402 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:36 new2 kernel: audit(1089443616.055:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jul 10 03:15:09 new2 kernel: audit(1089443709.073:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
19 years, 10 months
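Every kernel AVC record on this page has the same shape: a verdict, the permission set in braces, then key=value fields naming the source context, target context and object class. The script below is an added example, not code from any of the posts or from policycoreutils; it parses such lines and groups denials the way audit2allow-style tools do, while flagging targets labeled file_t (the unlabeled-file type, as in the /initrd denials above), where the right fix is to relabel or unmount the object rather than to write an allow rule. The sample log is a handful of lines taken from the posts on this page, joined back onto single lines.

```python
import re
from collections import defaultdict

# Sample input: AVC lines from the posts above, each restored to a single line the way
# the kernel actually logs them (the mail client wrapped them). The last line is a
# non-AVC syslog line, included to show that it is ignored.
SAMPLE_LOG = """\
Jul 10 03:13:22 new2 kernel: audit(1089443602.916:0): avc: denied { search } for pid=3288 exe=/usr/X11R6/bin/xscreensaver name=.X11-unix dev=hda2 ino=1840550 scontext=richard:staff_r:staff_screensaver_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul 10 03:13:24 new2 kernel: audit(1089443604.337:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jul 10 03:13:30 new2 kernel: audit(1089443610.307:0): avc: denied { getattr } for pid=3390 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:31 new2 kernel: audit(1089443611.639:0): avc: denied { getattr } for pid=3401 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Jul 10 03:13:36 new2 kernel: audit(1089443616.055:0): avc: denied { create } for pid=3161 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket
Jul 10 02:39:23 new2 kernel: audit(1089441563.715:0): avc: granted { setenforce } for pid=4032 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
"""

# "avc: denied { read write } for pid=... exe=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC audit line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))   # pid, exe, name/path, scontext, tcontext, tclass
    return rec


def context_type(ctx):
    """user:role:type -> type, the component that access-vector rules are written against."""
    return ctx.split(":")[2]


def summarize_denials(log_text):
    """Group denials by (source type, target type, object class), unioning the permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue                              # skip non-AVC lines and granted records
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return groups


def render(groups):
    """Return one allow-rule-shaped line per group, marking cases where a rule is the wrong fix."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if ttype == "file_t":
            # file_t means the object carries no label: relabel it (or, for a stale
            # mount such as /initrd, unmount it) instead of granting access to file_t.
            rule += "   # target is unlabeled (file_t): fix the object's label instead"
        lines.append(rule)
    return lines


if __name__ == "__main__":
    for line in render(summarize_denials(SAMPLE_LOG)):
        print(line)
```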
avc denied from mDNSResponder
by Richard Hally
When booting in enforcing mode with the latest strict
policy (selinux-policy-strict-sources-1.14.1-5),
the following avc denied message is produced.
Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
Jul 10 03:12:04 new2 kernel: audit(1089443524.677:0): avc: denied { name_bind } for pid=2016 exe=/usr/bin/mDNSResponder scontext=user_u:user_r:user_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
HTH
Richard Hally
19 years, 10 months
Major problems after upgrade from FC1
by Adam T. Gautier
I am about to pull what little is left of my hair out. I decided to
upgrade from FC1 to FC2 by pointing yum to a FC2 repository and upgrading
all packages. This worked for the most part but I am having massive
problems with SELinux. I am not sure that SELinux got set up properly. One
of the biggest problems that I have is that crond now no longer runs. I
have been following the Fedora SELinux FAQ to get up to speed with lots of
google searches and watching this list but I have not been able to solve
my problem. My first problem is that system crond is not running. My
user crontab is running fine. So, my question is could someone help me
1.) Make sure my setup is correct.
2.) Get the correct policies setup (I am also having a problem with
postfix, but I think if I get #1 then there is enough info on the web to
solve that problem).
Also, the reason I think there is a configuration problem was because when
following the FAQ to add a user:
------------------------------
EXCERPT:
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id30...
Q: How can I create a new Linux user account with the user's home
directory having the proper context?
A: You can create your new user with the standard useradd command, but
first you must become root with a context of sysadm_r. This context switch
has been incorporated into the su command:
%>su - root
Your default context is root:sysadm_r:sysadm_t.
Do you want to choose a different one? [n] n
%>useradd auser
%>ls -Z /home
drwxr-xr-x auser auser root:object_r:user_home_dir_t
/home/auser
------------------------------
So I thought if I ran ls -Z /home I would get a similar result?
------------------------------
OUTPUT: ls -Z /home
drwxr--r--+ <user> <group> (null) <user>
Also, I get the (null) report on all directories in /root.
------------------------------
OUTPUT: sudo /usr/sbin/sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 17
Policy booleans:
user_ping inactive
Process contexts:
Current context: user_u:sysadm_r:sysadm_t
Init context: system_u:system_r:kernel_t
/sbin/mingetty system_u:system_r:kernel_t
/usr/sbin/sshd system_u:system_r:kernel_t
File contexts:
Controlling term: user_u:object_r:devpts_t
-----------------
EXCERPT: /var/log/messages
Jul 12 12:00:00 sun kernel: audit(1089651600.583:0): avc: denied { compute_user } for pid=27396 exe=/usr/sbin/crond scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.584:0): avc: denied { compute_av } for pid=27396 exe=/usr/sbin/crond scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.586:0): avc: denied { check_context } for pid=27396 exe=/usr/sbin/crond scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Jul 12 12:00:00 sun kernel: audit(1089651600.586:0): avc: denied { write } for pid=27396 exe=/usr/sbin/crond name=exec dev=proc ino=1795424277 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=file
Jul 12 12:00:00 sun kernel: audit(1089651600.587:0): avc: denied { setexec } for pid=27396 exe=/usr/sbin/crond scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.587:0): avc: denied { transition } for pid=27396 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=3850263 scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.590:0): avc: denied { siginh } for pid=27396 exe=/bin/bash scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.590:0): avc: denied { rlimitinh } for pid=27396 exe=/bin/bash scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:00 sun kernel: audit(1089651600.590:0): avc: denied { noatsecure } for pid=27396 exe=/bin/bash scontext=system_u:system_r:kernel_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
Jul 12 12:00:01 sun kernel: audit(1089651601.074:0): avc: denied { execute } for pid=27400 exe=/usr/sbin/crond name=sendmail.postfix dev=hda3 ino=3391852 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sendmail_exec_t tclass=file
Jul 12 12:00:01 sun kernel: audit(1089651601.074:0): avc: denied { execute_no_trans } for pid=27400 exe=/usr/sbin/crond path=/usr/sbin/sendmail.postfix dev=hda3 ino=3391852 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sendmail_exec_t tclass=file
19 years, 10 months
Mozilla accessing java engine yield denials
by Francis K Shim
Edited to show relevant details more clearly:
denied { execute }
exe=/bin/bash
name=java
scontext=user:staff_r:staff_mozilla_t tcontext=system_u:object_r:usr_t
tclass=file
denied { execute_no_trans }
exe=/bin/bash
path=/usr/java/j2re1.4.2_01/bin/java
scontext=user:staff_r:staff_mozilla_t
tcontext=system_u:object_r:usr_t
tclass=file
denied { search }
exe=/usr/java/j2re1.4.2_01/bin/java
name=vm
scontext=user:staff_r:staff_mozilla_t
tcontext=system_u:object_r:sysctl_vm_t
tclass=dir
--
Francis K Shim <francis.shim(a)sympatico.ca>
19 years, 10 months
FC3... install/update ?
by Tom London
With FC3 about to descend, anyone know if updates
from FC2 will be supported? Only clean installs?
Any thoughts on SELinux-related areas needing attention?
tom
19 years, 10 months
Re: FC3... install/update ?
by Tom London
Thanks.
I have 3 systems: one running 'stock' FC2, the other 2
running off the development and Arjan's tree.
I'll try the 'yum update' on the stock system.
I'm assuming (hoping?) that the 'bleeding edge'
systems will just update (i.e., 'yum update')
smoothly..... (they've already lost the '2'
from the login splash screen, and yum.conf
has been updated to point only at the
development tree).
FC2T1 clean install had issues with
SELinux installs (home directories not properly
labeled, ...). The bugzilla entry for this
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123856)
is not closed....
Has this been fixed? Need testing?
tom
> From: Stephen Smalley <sds epoch ncsc mil>
> To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
> Subject: Re: FC3... install/update ?
> Date: Mon, 12 Jul 2004 10:13:42 -0400
>
>On Thu, 2004-07-08 at 13:29, Tom London wrote:
>> With FC3 about to descend, anyone know if updates
>> from FC2 will be supported? Only clean installs?
>
>Caveat: I think you need to do a 'yum upgrade' rather than a 'yum
>update' from FC2 to pick up the policy -> selinux-policy-strict update.
>A 'yum update' seems to leave the old policy package unchanged, while
>pulling in the newer SysVinit, libselinux, and policycoreutils (which do
>still work with the older policy package, but that isn't likely what you
>want).
>
>--
>Stephen Smalley <sds epoch ncsc mil>
>National Security Agency
19 years, 10 months
avc denied messages from boot
by Frank Marsolais
I found the following in the archives.
I upgraded from rh7.2 to 9.0 to fedora 2.
When I put in rpm -q policy policy-sources
I received back
# rpm -q policy policy-sources
policy-1.11.3-3
package policy-sources is not installed
Should I download policy-sources or is something else broken?
For the -12 policy would that be 1.12 or 1.9.2-12?
My error messages look like the following:
Jul 11 09:50:02 gpi04 kernel: security: 30 classes, 303377 rules
Jul 11 09:50:02 gpi04 kernel: SELinux: Completing initialization.
Jul 11 09:50:02 gpi04 kernel: SELinux: Setting up existing superblocks.
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev sda5, type ext3), uses xattr
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev ram0, type ext2), uses xattr
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type mqueue), not configured for labeling
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type hugetlbfs), not configured for labeling
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type devpts), uses transition SIDs
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type eventpollfs), uses genfs_contexts
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type pipefs), uses task SIDs
Jul 11 09:50:02 gpi04 kernel: SELinux: initialized (dev , type tmpfs), uses transition SIDs
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type futexfs), uses genfs_contexts
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type sockfs), uses task SIDs
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type proc), uses genfs_contexts
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type bdev), uses genfs_contexts
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type rootfs), uses genfs_contexts
Jul 11 09:50:03 gpi04 kernel: SELinux: initialized (dev , type sysfs), uses genfs_contexts
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc: denied { read write } for pid=1 exe=/sbin/init path=/dev/console d
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc: denied { read } for pid=1 exe=/sbin/init name=libselinux.so.1 dev=
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/lib/libselinux.s
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc: denied { execute } for pid=1 path=/lib/libselinux.so.1 dev=sda5 in
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.326:0): avc: denied { read } for pid=1 exe=/sbin/init name=libc.so.6 dev=sda5 i
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.327:0): avc: denied { ioctl } for pid=1 exe=/sbin/init path=/dev/tty0 dev=sda5
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.545:0): avc: denied { lock } for pid=1 exe=/sbin/init path=/var/run/utmp dev=sd
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.603:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.603:0): avc: denied { read write } for pid=1 exe=/sbin/init name=initctl dev=sd
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.612:0): avc: denied { execute_no_trans } for pid=287 exe=/sbin/init path=/etc/r
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.618:0): avc: denied { ioctl } for pid=287 exe=/bin/bash path=/etc/rc.d/rc.sysin
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.658:0): avc: denied { getattr } for pid=287 exe=/bin/bash path=/ dev=sda5 ino=2
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.675:0): avc: denied { execute } for pid=293 exe=/bin/bash name=hostname dev=sda
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.675:0): avc: denied { execute_no_trans } for pid=293 exe=/bin/bash path=/bin/ho
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.747:0): avc: denied { getattr } for pid=298 exe=/bin/gawk path=/dev/console dev
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.791:0): avc: denied { mounton } for pid=299 exe=/bin/mount path=/proc dev=sda5
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.791:0): avc: denied { mount } for pid=299 exe=/bin/mount name=/ dev= ino=1 scon
Jul 11 09:50:03 gpi04 kernel: audit(1089539246.792:0): avc: denied { mount } for pid=300 exe=/bin/mount name=/ dev= ino=1 scon
Jul 11 09:50:03 gpi04 xinetd[2420]: xinetd Version 2.3.13 started with libwrap loadavg options compiled in.
Jul 11 09:50:03 gpi04 kernel: audit(1089539247.894:0): avc: denied { read } for pid=453 exe=/bin/setfont dev=sda5 ino=2 sconte
Jul 11 09:50:03 gpi04 xinetd[2420]: Started working: 2 available services
Jul 11 09:50:03 gpi04 kernel: audit(1089539247.990:0): avc: denied { syslog_console } for pid=459 exe=/bin/dmesg scontext=syst
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.012:0): avc: denied { mount } for pid=460 exe=/bin/mount name=/ dev= ino=1 scon
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc: denied { search } for pid=463 exe=/sbin/sysctl name=sys dev= ino=-
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc: denied { search } for pid=463 exe=/sbin/sysctl name=net dev= ino=-
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc: denied { write } for pid=463 exe=/sbin/sysctl name=ip_forward dev=
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc: denied { getattr } for pid=463 exe=/sbin/sysctl path=/proc/sys/net
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc: denied { search } for pid=463 exe=/sbin/sysctl name=kernel dev= in
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc: denied { write } for pid=463 exe=/sbin/sysctl name=sysrq dev= ino=
Jul 11 09:50:03 gpi04 kernel: audit(1089539248.053:0): avc: denied { getattr } for pid=463 exe=/sbin/sysctl path=/proc/sys/ker
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.032:0): avc: denied { read } for pid=470 exe=/bin/date scontext=system_u:system
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.256:0): avc: denied { sys_module } for pid=483 exe=/sbin/insmod capability=16 s
Jul 11 09:50:04 gpi04 kernel: ACPI: Power Button (FF) [PWRF]
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.288:0): avc: denied { read } for pid=489 exe=/sbin/insmod name=modprobe.conf.di
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.288:0): avc: denied { getattr } for pid=489 exe=/sbin/insmod path=/etc/modprobe
Jul 11 09:50:04 gpi04 kernel: ohci_hcd 0000:00:0f.2: OHCI Host Controller
Jul 11 09:50:04 gpi04 kernel: ohci_hcd 0000:00:0f.2: irq 7, pci mem 22831000
Jul 11 09:50:04 gpi04 kernel: SELinux: initialized (dev , type usbdevfs), uses genfs_contexts
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.469:0): avc: denied { mount } for pid=493 exe=/sbin/insmod name=/ dev= ino=1195
Jul 11 09:50:04 gpi04 kernel: SELinux: initialized (dev , type usbfs), uses genfs_contexts
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.469:0): avc: denied { mount } for pid=493 exe=/sbin/insmod name=/ dev= ino=1196
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.469:0): avc: denied { search } for pid=493 exe=/sbin/insmod dev= ino=1196 scont
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.469:0): avc: denied { search } for pid=493 exe=/sbin/insmod dev= ino=1195 scont
Jul 11 09:50:04 gpi04 kernel: ohci_hcd 0000:00:0f.2: new USB bus registered, assigned bus number 1
Jul 11 09:50:04 gpi04 kernel: hub 1-0:1.0: USB hub found
Jul 11 09:50:04 gpi04 kernel: hub 1-0:1.0: 2 ports detected
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.506:0): avc: denied { mounton } for pid=507 exe=/bin/mount path=/proc/bus/usb d
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.511:0): avc: denied { read } for pid=510 exe=/bin/grep name=devices dev= ino=11
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.511:0): avc: denied { getattr } for pid=510 exe=/bin/grep path=/proc/bus/usb/de
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.527:0): avc: denied { getattr } for pid=500 exe=/bin/bash path=/sys/devices/pci
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.528:0): avc: denied { read } for pid=516 exe=/bin/cat name=bNumConfigurations d
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.553:0): avc: denied { getattr } for pid=287 exe=/bin/bash path=/forcefsck dev=s
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.560:0): avc: denied { getattr } for pid=287 exe=/bin/bash path=/initrd/dev/root
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.567:0): avc: denied { getattr } for pid=521 exe=/usr/bin/readlink path=/sys dev
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.991:0): avc: denied { read } for pid=526 exe=/sbin/fsck name=sda5 dev=sda5 ino=
Jul 11 09:50:04 gpi04 kernel: audit(1089553650.991:0): avc: denied { getattr } for pid=526 exe=/sbin/fsck path=/dev/sda5 dev=s
Jul 11 09:50:04 gpi04 kernel: audit(1089553651.014:0): avc: denied { read } for pid=526 exe=/sbin/fsck name=root dev=ram0 ino=
Jul 11 09:50:04 gpi04 kernel: audit(1089553651.014:0): avc: denied { ioctl } for pid=526 exe=/sbin/fsck path=/initrd/dev/root
Jul 11 09:50:04 gpi04 kernel: audit(1089553651.091:0): avc: denied { write } for pid=536 exe=/sbin/fsck.ext2 name=root dev=ram
Jul 11 09:50:04 gpi04 kernel: audit(1089553771.892:0): avc: denied { unmount } for pid=1056 exe=/bin/umount scontext=system_u:
Jul 11 09:50:04 gpi04 kernel: audit(1089553771.912:0): avc: denied { ioctl } for pid=1057 exe=/sbin/blockdev path=/dev/ram0 de
Jul 11 09:50:04 gpi04 kernel: audit(1089553772.043:0): avc: denied { remount } for pid=1063 exe=/bin/mount scontext=system_u:s
Jul 11 09:50:04 gpi04 kernel: EXT3 FS on sda5, internal journal
Jul 11 09:50:04 gpi04 kernel: audit(1089553772.062:0): avc: denied { write } for pid=1065 exe=/sbin/minilogd name=dev dev=sda5
Jul 11 09:50:04 gpi04 kernel: audit(1089553772.062:0): avc: denied { add_name } for pid=1065 exe=/sbin/minilogd name=log scont
Jul 11 09:50:05 gpi04 kernel: audit(1089553772.062:0): avc: denied { create } for pid=1065 exe=/sbin/minilogd name=log scontex
Jul 11 09:50:05 gpi04 kernel: audit(1089553772.062:0): avc: denied { listen } for pid=1065 exe=/sbin/minilogd path=/dev/log sc
Jul 11 09:50:05 gpi04 kernel: audit(1089553772.062:0): avc: denied { getattr } for pid=1067 exe=/sbin/minilogd path=/dev/log
I know I am very green when it comes to this. A point in the right direction would be greatly appreciated, even a suggested FAQ to
read.
TIA
Frank Marsolais
The original message I found follows:
*****************************************************************************************
*****************************************************************************************
Re: avc denied messages from boot
--------------------------------------------------------------------------------
From: Richard Hally <rhally mindspring com>
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
Subject: Re: avc denied messages from boot
Date: Tue, 06 Apr 2004 12:53:04 -0400
--------------------------------------------------------------------------------
Daniel J Walsh wrote:
Richard Hally wrote:
When booting to runlevel 5 in enforcing mode with the latest policy there were only a few AVC denied messages. They are copied
below.
[root localhost root]# rpm -q policy policy-sources
policy-1.9.2-10
policy-sources-1.9.2-10
[root localhost root]#
Hope this helps,
Richard Hally
There is a bug in the init scripts that leaves /initrd mounted. If you umount this directory most of these messages will disappear.
The screensaver ones should be fixed by -12 policy
Not sure why gnome is trying to manipulate the registry.xml file.
--------------------messages-----------------------------
Apr 5 22:37:25 localhost crond: crond startup succeeded
Apr 5 22:37:25 localhost kernel: audit(1081219045.889:0): avc: denied { read } for pid=1647 exe=/usr/sbin/crond name=mailman dev=hdc3 ino=539689 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Apr 5 22:37:27 localhost xfs: xfs startup succeeded
Apr 5 22:38:04 localhost gdm(pam_unix)[1814]: session opened for user richard by (uid=0)
Apr 5 22:38:19 localhost kernel: audit(1081219099.459:0): avc: denied { setattr } for pid=1886 exe=/usr/libexec/gnome-settings-daemon name=registry.xml dev=hdc3 ino=3009195 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:var_t tclass=file
Apr 5 22:38:20 localhost kernel: audit(1081219100.136:0): avc: denied { getattr } for pid=1901 exe=/usr/X11R6/bin/xscreensaver path=/home/richard/.xscreensaver dev=hdc3 ino=2469233 scontext=richard:staff_r:staff_screensaver_t tcontext=richard:object_r:staff_home_t tclass=file
Apr 5 22:38:29 localhost kernel: audit(1081219109.860:0): avc: denied { getattr } for pid=1955 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:30 localhost kernel: audit(1081219110.466:0): avc: denied { getattr } for pid=1966 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:30 localhost kernel: audit(1081219110.653:0): avc: denied { getattr } for pid=1967 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:37 localhost kernel: audit(1081219117.803:0): avc: denied { setattr } for pid=1976 exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hdc3 ino=3009195 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:var_t tclas:
--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Thanks Dan! You and the other people working on SELinux are making great progress. It looks like it really will happen :)
Richard Hally
Frank Marsolais, MCSE, CCA
Greenman-Pedersen, Inc.
Phone (631) 587-5060 x348
Fax (631) 422-3479
FMarsolais(a)gpinet.com
19 years, 10 months
Upgrading to policy-strict RPM's
by Kirk Vogelsang
I've got a slimmed down Fedora Core2 that doesn't seem to want to
enable selinux after rpm -U'ing the following packages:
policycoreutils-1.14.1-1
selinux-policy-strict-1.14.1-2
libselinux-1.14.1-1
After upgrading to those packages, booting to single user,
running fixfiles relabel, and rebooting once more, the system
comes up selinux disabled. I've verified /etc/selinux/config has
SELINUX=permissive and SELINUXTYPE=strict. /etc/sysconfig/selinux
sym-links to /etc/selinux/config. Policy resides in
/etc/selinux/strict/policy/. Stock FC2 kernel, 2.6.5-1.358smp.
I've tried appending selinux in grub as well, to no avail.
What minute detail am I missing?
-----
Kirk M. Vogelsang <kvogelsa(a)ccs.neu.edu>
Northeastern University College of Computer Science
19 years, 10 months
avc denied from logrotate
by Richard Hally
Attached and below is a short /var/log/messages file showing the avc
denied messages that are generated using the current strict
policy (selinux-policy-strict-sources-1.14.1-5). Note the messages
inserted with "logger" that indicate where I switched from enforcing to
permissive to actually get logrotate to work.
HTH and please let me know if you need additional information.
Richard Hally
[root@new2 root]# cat /home/richard/messages.1
Jul 10 02:39:16 new2 syslogd 1.4.1: restart.
Jul 10 02:39:23 new2 kernel: audit(1089441563.715:0): avc: granted { setenforce } for pid=4032 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:40:09 new2 kernel: audit(1089441609.750:0): avc: denied { search } for pid=4045 exe=/usr/bin/postgres name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jul 10 02:43:15 new2 richard: that was logrotate in enforcing
Jul 10 02:43:34 new2 richard: now setting permissive
Jul 10 02:43:46 new2 kernel: audit(1089441826.619:0): avc: granted { setenforce } for pid=4101 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied { use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied { ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied { getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { read } for pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { getattr } for pid=4121 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { search } for pid=4123 exe=/usr/bin/id name=selinux dev=hda2 ino=913073 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { getattr } for pid=4123 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 cups: cupsd startup succeeded
19 years, 10 months