policy addition for mozilla
by Richard Hally
Attached (and below) is a diff of a one line addition for
mozilla_macros.te from the selinux-policy-strict-sources-1.14.1-5.
audit2allow generated the following from the avc denied messages I
received when trying to run Mozilla:
allow staff_mozilla_t xdm_tmp_t:dir { search };
Please add
Thanks
Richard Hally
--- mozilla_macros.te.prev 2004-07-09 00:32:53.397132227 -0400
+++ mozilla_macros.te 2004-07-09 00:34:15.845137952 -0400
@@ -116,6 +116,7 @@
ifdef(`xdm.te', `
allow $1_mozilla_t xdm_t:fifo_file { write read };
+allow $1_mozilla_t xdm_tmp_t:dir { search };
allow $1_mozilla_t xdm_tmp_t:file { getattr read };
allow $1_mozilla_t xdm_tmp_t:sock_file { write };
')dnl end if xdm.te
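Review bot: the added `allow $1_mozilla_t xdm_tmp_t:dir { search };` is the missing piece the existing `xdm_tmp_t:file { getattr read }` and `xdm_tmp_t:sock_file { write }` lines below it depend on, since a domain cannot reach a file through a directory it is not allowed to search, so the placement inside the `ifdef(`xdm.te'` block is right. One check before merging: audit2allow only reports the denials seen in that run, and in enforcing mode the first denied check on the path ends the access, so re-run Mozilla in permissive mode and confirm no further xdm_tmp_t permissions (dir getattr, for instance) surface before committing only this one line.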
fixfile.cron added.
by Daniel J Walsh
Today's policycoreutils has a new cron job, fixfiles.cron, that will run
in /etc/cron.daily. This script will run a check on the file system on
a daily basis looking for file contexts in the wrong state. It will
then mail a list of files with the incorrect context to the root account.
The following environment variables are set and can be overridden in the
/etc/selinux/config directory.
CRONTYPE="check"                # You could change this to "restore" to have the script automatically clean up
INVALIDFILE=/var/tmp/badcontext # Name of the file to store the badcontext file list
CRONMAILTO="root"               # Account to send mail to
Suggestions on improvements? Comments?
Dan
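As an added illustration of the check-versus-restore distinction Dan describes (example code written for this page, not the fixfiles.cron script from policycoreutils): it models a file_contexts lookup over a constructed in-memory file table, reports mismatches the way CRONTYPE=check would, and relabels them the way CRONTYPE=restore would. The FILE_CONTEXTS excerpt and the CURRENT_FS table are constructed, and the matching rule assumed here, the last file_contexts line whose regex matches the whole path wins, is the classic setfiles behaviour; the sample includes an rc.sysinit that has drifted to etc_t, which is the kind of mislabel a daily report like this is meant to surface.

```python
"""Model of what a fixfiles-style daily check does: compare each file's
current context with the one file_contexts says it should have, report
the mismatches (CRONTYPE=check) or relabel them (CRONTYPE=restore).

Added example; it is not the fixfiles.cron script from policycoreutils.
The file system is a constructed in-memory table, and the matching rule
assumed here is the classic setfiles one: the last file_contexts line
whose regex matches the whole path wins.
"""
import re

# Constructed file_contexts excerpt: regex, optional file-type flag, context.
FILE_CONTEXTS = """\
/.*                     system_u:object_r:file_t
/etc(/.*)?              system_u:object_r:etc_t
/etc/rc\\.d/rc\\.sysinit  --  system_u:object_r:initrc_exec_t
/var/lib(/.*)?          system_u:object_r:var_lib_t
/tmp                    -d  system_u:object_r:tmp_t
"""

# Constructed current state: path -> (kind, context); kind is "f" or "d".
CURRENT_FS = {
    "/etc/passwd": ("f", "system_u:object_r:etc_t"),
    "/etc/rc.d/rc.sysinit": ("f", "root:object_r:etc_t"),   # drifted label
    "/var/lib/pgsql/data": ("d", "system_u:object_r:var_lib_t"),
    "/tmp": ("d", "system_u:object_r:tmp_t"),
    "/usr/local/bin/tool": ("f", "system_u:object_r:file_t"),
}

TYPE_FLAGS = {"--": "f", "-d": "d"}  # file_contexts type flags handled here

def parse_file_contexts(text):
    """Return a list of (compiled regex, kind or None, context)."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, flag, ctx = parts
            kind = TYPE_FLAGS[flag]
        else:
            regex, ctx = parts
            kind = None  # applies to any object type
        specs.append((re.compile(regex), kind, ctx))
    return specs

def expected_context(specs, path, kind):
    """Last matching spec wins (assumed rule); None if nothing matches."""
    found = None
    for rx, want_kind, ctx in specs:
        if want_kind not in (None, kind):
            continue
        if rx.fullmatch(path):
            found = ctx
    return found

def check(specs, fs):
    """CRONTYPE=check: list (path, current, expected) for mislabelled entries."""
    bad = []
    for path, (kind, ctx) in sorted(fs.items()):
        want = expected_context(specs, path, kind)
        if want is not None and want != ctx:
            bad.append((path, ctx, want))
    return bad

def restore(specs, fs):
    """CRONTYPE=restore: return a relabelled copy of the table."""
    fixed = dict(fs)
    for path, _cur, want in check(specs, fs):
        fixed[path] = (fs[path][0], want)
    return fixed

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for path, cur, want in check(specs, CURRENT_FS):
        print(f"{path}: {cur} -> should be {want}")
```

Running it prints the single drifted entry; swapping `check` for `restore` gives the table a real restore run would leave behind, which is why a "check" report is worth reading before switching CRONTYPE: every line in it is a label change the restore would make unattended.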
[ANN] setools 1.4.1 release
by Karl MacMillan
Setools version 1.4.1 has been released. It is available from the Tresys
webpage at http://www.tresys.com/selinux/ or the SELinux CVS repository on
sourceforge.
This is a minor bug fix release. The changes include:
- Support for version 18 policies.
- A fix for a time zone related bug in seaudit.
- The addition of the makefile target 'install-dev' that installs the
libraries and headers necessary for third party developers to use the
setools libraries (libapol, libseuser, libseaudit).
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134
Tmpfs
by Ivan Gyurdiev
What's the situation with tmpfs? I have /tmp on tmpfs and I get lots of
denials. Tmpfs doesn't seem to support xattrs, however..
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Is /tmp on tmpfs something that should work, or is this not supported?
What about /dev on tmpfs (or /udev)?
Re: RFE: show change of enforcing state in log ?
by Tom London
Interesting....
I was actually trying address a (slightly) different issue: how to
recreate, after the fact, as much of the state as possible
from the log. Can certainly add to the user space code
to detect this change, and then emit a message to the log.
Prior to your suggestion, I looked at the code for selinuxfs.c.
I think a one line change could also do the trick:
(I modeled this after the log prints on a policy load)
***************
*** 135,140 ****
--- 135,143 ----
length = task_has_security(current, SECURITY__SETENFORCE);
if (length)
goto out;
+ printk(KERN_INFO "setenforce: %s->%s\n",
+ (selinux_enforcing ? "enforcing" : "permissive"),
+ (new_value ? "enforcing" : "permissive"));
selinux_enforcing = new_value;
if (selinux_enforcing)
avc_ss_reset(0);
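Review bot: the printk reads `selinux_enforcing` before the assignment on the next line, so the old->new pair is correct, and placing it after the `task_has_security` check means only permitted changes are recorded; but nothing compares `new_value` with `selinux_enforcing`, so a setenforce that re-sets the current mode logs a no-op line such as `setenforce: enforcing->enforcing`. If the aim is to reconstruct transitions from the log, either guard the printk with `if (selinux_enforcing != new_value)` or document that equal pairs are no-ops so log parsers can drop them; adding `current->pid` and `current->comm` to the message would also record which process made the change, which the audit line alone does not show in the old->new form.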
tom
> ------------------------------------------------------------------------
>
> * /From/: Stephen Smalley <sds epoch ncsc mil>
>
> ------------------------------------------------------------------------
>
>On Tue, 2004-06-29 at 18:35, Tom London wrote:
>> How difficult would it be to add 'old state->new state' to the log on a
>> change in
>> the enforcing state? Currently, 'setenforce' appears to be logged as a
>> toggle....
>
>The kernel just audits the permission check, i.e. that setenforce
>permission was checked due to a change to the enforcing status. One
>could add an additional auxiliary audit data type to avc_audit_data and
>change the caller to supply the old and new states, but that would
>require a patch to the SELinux kernel module, and I'm not sure it is
>worthwhile. You can already have userspace receive notifications of
>enforcing status changes, including the new value via netlink socket
>messages; the userspace AVC in libselinux does this to detect changes in
>permissive/enforcing status.
>
>--
>Stephen Smalley <sds epoch ncsc mil>
>National Security Agency
>
>
>
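As an added example of what the old->new form buys the log reader (example code for this page, not part of Tom's patch or of libselinux): a parser that rebuilds the enforcing state over time from constructed kernel log lines in the format the printk above would emit, checks that each line's old state agrees with the state the log last recorded, treats equal pairs as no-op calls, and lists the windows during which enforcement was off. The SAMPLE_DMESG lines are constructed; the "SELinux:  Starting in ... mode" boot line is used to seed the initial state.

```python
"""Reconstruct the enforcing/permissive state over time from kernel log
lines of the form the proposed printk would emit ("setenforce: old->new").

Added example, written for this page; the log lines are constructed and
the "setenforce: %s->%s" format is the one in Tom's patch above. It shows
one reason to log both states rather than a toggle: a parser can then
validate the sequence (each old state must equal the previous new state)
and notice no-op calls and missing lines.
"""
import re

# Constructed sample: a boot in permissive mode, two real transitions, one
# no-op call, and a final line whose old state contradicts the log.
SAMPLE_DMESG = """\
Jun 29 18:20:11 new2 kernel: SELinux:  Initializing.
Jun 29 18:20:12 new2 kernel: SELinux:  Starting in permissive mode
Jun 29 18:22:40 new2 kernel: setenforce: permissive->enforcing
Jun 29 18:22:40 new2 kernel: setenforce: enforcing->enforcing
Jun 29 19:05:03 new2 kernel: setenforce: enforcing->permissive
Jun 29 19:06:15 new2 kernel: setenforce: enforcing->permissive
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+kernel:\s+(?P<msg>.*)$")
SETENFORCE_RE = re.compile(r"setenforce:\s+(?P<old>\w+)->(?P<new>\w+)")
START_RE = re.compile(r"SELinux:\s+Starting in (?P<mode>\w+) mode")

def timeline(log_text):
    """Return (events, problems).

    events: list of (timestamp, old, new); the boot line appears as
            (timestamp, "boot", mode) so the initial state is part of it.
    problems: human-readable anomalies (no-op calls, inconsistent old state).
    """
    events, problems = [], []
    state = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        s = START_RE.search(msg)
        if s:
            state = s.group("mode")
            events.append((ts, "boot", state))
            continue
        e = SETENFORCE_RE.search(msg)
        if not e:
            continue
        old, new = e.group("old"), e.group("new")
        if state is not None and old != state:
            # A gap in the log (or a line we never saw) sits between here and
            # the previous entry; keep the event but flag it.
            problems.append(f"{ts}: log says {old}->{new} but last known state was {state}")
        if old == new:
            problems.append(f"{ts}: no-op setenforce ({old}->{new})")
        else:
            events.append((ts, old, new))
        state = new
    return events, problems

def permissive_windows(events):
    """Pairs of (start_ts, end_ts or None) during which enforcement was off."""
    windows, start = [], None
    for ts, _old, new in events:
        if new == "permissive" and start is None:
            start = ts
        elif new == "enforcing" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))  # still permissive at end of log
    return windows

if __name__ == "__main__":
    events, problems = timeline(SAMPLE_DMESG)
    for w in permissive_windows(events):
        print("permissive from", w[0], "until", w[1] or "end of log")
    for p in problems:
        print("WARNING:", p)
```

The inconsistent last line is the case the toggle-style log cannot express at all: with only "setenforce was called" entries, a dropped line silently inverts every state the reader infers after it, whereas with both states recorded the parser can point at exactly where the record stopped agreeing with itself.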
vi does not maintain contexts on symlinks
by Tom London
After accidentally editing '/etc/rc.sysinit' (a symlink to
'/etc/rc.d/rc.sysinit') and getting a system that didn't
boot in enforcing mode, I poked around a bit.
It appears that the selinux patch to vi (emacs, ... ?) to
maintain contexts across edits doesn't work if
you point at the symlink instead of the 'real' file.
[More precisely there is a function
'mch_copy_sec()' that calls get-/set-filecon(), but
it appears that in the 'backup file' case, from_file
and to_file are 'reversed'.]
In my case, editing '/etc/rc.sysinit' changed the
context of '/etc/rc.d/rc.sysinit' from
'system_u:object_r:initrc_exec_t' to
'root:object_r:etc_t'.
I've bugzilla'ed this against vim here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127361
but this may affect more than vim (e.g., emacs, ...)
Is this patch Fedora based, or is there an upstream
source? Am I breaking something else?
tom
avc denied from postgresql
by Richard Hally
During bootup the postgresql server fails to start and produces the
following avc denied message:
Jun 15 05:09:12 new2 su(pam_unix)[2414]: session opened for user postgres by (uid=0)
Jun 15 05:09:13 new2 kernel: audit(1087290553.569:0): avc: denied { write } for pid=2445 exe=/usr/bin/postgres name=data dev=hda2 ino=788097 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jun 15 05:09:14 new2 su(pam_unix)[2414]: session closed for user postgres
Jun 15 05:09:15 new2 postgresql: Starting postgresql service: failed
This is in enforcing mode with the strict policy
selinux-policy-strict-1.13.4-5
Thanks for any help,
Richard Hally
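Two threads on this page turn on the same step: turning an avc: denied line into an allow rule, as audit2allow did for the mozilla_macros.te addition above, and deciding whether the rule it produces is actually the right fix. The following is an added example, not audit2allow's code or anything posted to the list. It re-implements the merge on a constructed log (the postgres line follows the message quoted in this thread; the two mozilla lines are constructed to match the rule audit2allow produced in the mozilla thread) and flags rules whose source type is a generic login domain. That flag is a heuristic of this example, not an SELinux rule: a daemon denied while running as user_t, as postgres is in the message above, is usually running in the wrong domain, and an allow rule would paper over the missing domain transition rather than fix it.

```python
"""Summarise SELinux AVC denials into candidate allow rules.

Added example, not audit2allow itself: a small re-implementation of the
idea so the output can be reviewed before anything is added to policy.
"""
import re
from collections import defaultdict

# Constructed sample input. The postgres line follows the message quoted
# on this page; the two mozilla lines are constructed to match the rule
# audit2allow produced for the staff_mozilla_t domain.
SAMPLE_LOG = """\
Jun 15 05:09:13 new2 kernel: audit(1087290553.569:0): avc: denied { write } for pid=2445 exe=/usr/bin/postgres name=data dev=hda2 ino=788097 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jul  9 00:20:01 new2 kernel: audit(1089346801.123:0): avc: denied { search } for pid=3012 exe=/usr/lib/mozilla/mozilla-bin name=.X11-unix dev=hda2 ino=41002 scontext=staff_u:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
Jul  9 00:25:44 new2 kernel: audit(1089347144.507:0): avc: denied { search } for pid=3101 exe=/usr/lib/mozilla/mozilla-bin name=.X11-unix dev=hda2 ino=41002 scontext=staff_u:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$"
)

def parse_avc(line):
    """Return a dict with perms, source/target types, class and exe, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    try:
        return {
            "perms": set(m.group("perms").split()),
            "stype": fields["scontext"].split(":")[2],   # user:role:type
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "exe": fields.get("exe", "?"),
        }
    except (KeyError, IndexError):
        return None  # truncated or unexpected line: skip rather than guess

def allow_rules(log_text):
    """Collapse denials into one allow rule per (source type, target type, class).

    Returns a sorted list of rule strings in the form the page's diff uses.
    """
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]

# Heuristic (an assumption of this example, not an SELinux rule): a denial
# whose source is a generic login domain usually means the program ran in
# the wrong domain, so the fix is a domain transition, not an allow rule.
GENERIC_DOMAINS = {"user_t", "staff_t", "sysadm_t"}

def review_flags(log_text):
    """Return (rule, reason) pairs for rules that deserve a second look."""
    flags = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["stype"] in GENERIC_DOMAINS:
            rule = f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {' '.join(sorted(rec['perms']))} }};"
            flags.append((rule, f"{rec['exe']} ran in {rec['stype']}; check the domain transition instead"))
    return flags

if __name__ == "__main__":
    for r in allow_rules(SAMPLE_LOG):
        print(r)
    for rule, why in review_flags(SAMPLE_LOG):
        print("REVIEW:", rule, "#", why)
```

On the sample the merged output is the one-line search rule from the mozilla thread plus `allow user_t var_lib_t:dir { write };`, and only the second is flagged: it would let every user_t session write into var_lib_t directories, which is a far larger grant than "let postgres start", and the exe= field is what tells a reviewer that a daemon, not a user, was the one denied.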
logrotate errors
by Aaron Ross
Hi all,
I am having some problems with logrotate on a box with selinux enabled.
Here's my current sestatus:
[root@customer bin]# /usr/sbin/sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 17
Policy booleans:
user_ping inactive
Process contexts:
Current context: root:sysadm_r:sysadm_t
Init context: system_u:system_r:kernel_t
/sbin/mingetty system_u:system_r:kernel_t
/usr/sbin/sshd system_u:system_r:kernel_t
File contexts:
Controlling term: root:object_r:devpts_t
/etc/passwd root:object_r:file_t
/etc/shadow root:object_r:file_t
And here is an example of the errors I'm seeing:
error: error getting file context /usr/local/apache/logs/access_log: No data available
I've read the FAQ and I'll keep going through the introductions to
SELinux, but if I could get a quick explanation of what's going wrong, I
would be very grateful.
Thanks, Aaron
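The "No data available" in Aaron's error is the text of errno ENODATA, which is what reading the security.selinux attribute returns when the file carries no label at all; Ivan's tmpfs question above runs into the neighbouring case, a file system that cannot hold the attribute, which reports ENOTSUP instead. The following is an added example for this page (not code from either thread or from logrotate) that reads the attribute directly and sorts the outcome into the cases a practitioner needs to tell apart; the mapping from errno to advice is this example's own, and the getxattr callable is injectable only so the cases can be exercised without an SELinux system. Aaron's sestatus output, with /etc/passwd as file_t and init running in kernel_t, is consistent with the "unlabelled" case across the whole file system.

```python
"""Explain why 'getting file context' fails for a path.

Added example, not part of either thread. The classification of errno
values is this example's own: ENODATA means the file system supports
xattrs but this file carries no security.selinux label (it was never
labelled, so a relabel is the fix); ENOTSUP means the file system cannot
store per-file labels at all (as tmpfs could not in 2004), in which case
the policy must supply a context for the mount instead.
"""
import errno
import os

ENODATA = getattr(errno, "ENODATA", 61)   # Linux value used if the platform lacks the name
ENOTSUP = getattr(errno, "ENOTSUP", 95)

def read_context(path, getxattr=None):
    """Return (status, detail).

    status is one of 'labelled', 'unlabelled', 'no-xattr-support',
    'missing' or 'error'. `getxattr` can be injected for testing; by
    default os.getxattr is used, which exists only on Linux.
    """
    if getxattr is None:
        getxattr = getattr(os, "getxattr", None)
        if getxattr is None:
            return ("error", "no xattr API on this platform")
    try:
        raw = getxattr(path, "security.selinux")
    except FileNotFoundError:
        return ("missing", path)
    except OSError as e:
        if e.errno == ENODATA:
            return ("unlabelled", "no security.selinux attribute; relabel the file system")
        if e.errno == ENOTSUP:
            return ("no-xattr-support", "file system cannot store labels; use a genfscon/transition context")
        return ("error", os.strerror(e.errno) if e.errno else str(e))
    # Kernel returns the context NUL-terminated; strip it for display.
    return ("labelled", raw.rstrip(b"\0").decode())

def summarise(paths, getxattr=None):
    """Count statuses over many paths, e.g. every log file logrotate manages."""
    counts = {}
    for p in paths:
        status, _ = read_context(p, getxattr)
        counts[status] = counts.get(status, 0) + 1
    return counts

if __name__ == "__main__":
    for p in ("/etc/passwd", "/tmp", "/var/log/messages"):
        print(p, *read_context(p))
```

Run on a real box, `summarise` over the paths in logrotate's configuration separates "relabel needed" from "this mount cannot be labelled" in one pass, which is the distinction that decides whether the fix is a relabel of the file system or a policy change for the mount.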
RFE: show change of enforcing state in log ?
by Tom London
How difficult would it be to add 'old state->new state' to the log on a
change in the enforcing state? Currently, 'setenforce' appears to be
logged as a toggle....
tom
LSM program!
by Sajed Miremadi
Hi,
Does anybody have an LSM program(with the source code)?
And has anybody written a policy for the LSM?
I mean codes that are not available in the kernel(those that are not
default).
thanx,