Problem creating apol file context index
by Brian Ginn
I have RHEL 5 and Fedora 9 running under VMware Fusion on a MacBook Pro.
Apol hangs (on both) when trying to create a file context index. There is no output at all for several hours, then I kill it.
I don't remember the name right now, but I found a command line utility to create (the same?) index, but that hangs as well.
Could it be that I'm not waiting long enough?
Or maybe apol won't work in a VM?
Any other thoughts?
Thanks,
Brian
15 years, 1 month
SELinux policy for fsetfilecon() in libselinux
by Brian Ginn
I am attempting to use the fsetfilecon() call within a C program. Several other libselinux calls are working OK, but this call fails in enforcing mode (it works in permissive mode).
The audit.log and audit2allow are suggesting policy code that I already have in the policy.
I suspect that I'm being bitten by a "don't audit" rule somewhere.
Is there a reference policy macro that I can include to get fsetfilecon() to work?
Note: I already included
selinux_get_enforce_mode( t_selinux_api_t );
To get the security_getenforce() function to work.
Thanks,
Brian
15 years, 1 month
selinux denying devkit-disks-he?
by Antonio Olivares
Dear fellow selinux experts,
I have a fat32 partition so that I can access files from both Windows and Linux, I know that it is not needed, but I have become accustomed to one. For some reason or another I cannot mount it :(, selinux is getting in the way, when I try to call it from the desktop I get:
Unable to mount 21 GB Filesystem
org.freedesktop.devicekit.disks.filesystem-mount-system-internal auth_admin
Thanks for any help provided.
Regards,
Antonio
Summary:
SELinux is preventing devkit-disks-he (devicekit_disk_t) "sys_rawio"
devicekit_disk_t.
Detailed Description:
SELinux denied access requested by devkit-disks-he. It is not expected that this
access is required by devkit-disks-he and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Context system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Objects None [ capability ]
Source devkit-disks-he
Source Path /usr/libexec/devkit-disks-helper-ata-smart-collect
Port <Unknown>
Host antonio-fedora-x86-64
Source RPM Packages DeviceKit-disks-004-0.4.20090406git.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.10-9.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name antonio-fedora-x86-64
Platform Linux antonio-fedora-x86-64
2.6.29.1-52.fc11.x86_64 #1 SMP Mon Apr 6 03:50:07
EDT 2009 x86_64 x86_64
Alert Count 4
First Seen Tue 07 Apr 2009 05:24:02 PM CDT
Last Seen Wed 08 Apr 2009 07:55:41 AM CDT
Local ID 100225d2-8a03-4744-b428-6ac49dfcee42
Line Numbers
Raw Audit Messages
node=antonio-fedora-x86-64 type=AVC msg=audit(1239195341.496:17): avc: denied { sys_rawio } for pid=2887 comm="devkit-disks-he" capability=17 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239195341.496:17): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=2285 a2=7fffde692120 a3=3 items=0 ppid=2884 pid=2887 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-he" exe="/usr/libexec/devkit-disks-helper-ata-smart-collect" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
15 years, 1 month
SELinux is preventing devkit-disks-da (devicekit_disk_t)
by Antonio Olivares
Dear fellow selinux experts,
I got a selinux denial upon mounting a fat32 partition (shared between Windows and Linux). How can I fix it so that it does not show up again if it does?
Summary:
SELinux is preventing devkit-disks-da (devicekit_disk_t) "sys_ptrace"
devicekit_disk_t.
Detailed Description:
SELinux denied access requested by devkit-disks-da. It is not expected that this
access is required by devkit-disks-da and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Context system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Objects None [ capability ]
Source devkit-disks-da
Source Path /usr/libexec/devkit-disks-daemon
Port <Unknown>
Host antonio-fedora-x86-64
Source RPM Packages DeviceKit-disks-003-9.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.10-8.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name antonio-fedora-x86-64
Platform Linux antonio-fedora-x86-64
2.6.29.1-46.fc11.x86_64 #1 SMP Thu Apr 2 22:34:13
EDT 2009 x86_64 x86_64
Alert Count 2
First Seen Thu 02 Apr 2009 04:36:09 PM CDT
Last Seen Mon 06 Apr 2009 04:24:45 PM CDT
Local ID 80470692-0d41-4e67-8df2-d03673f897a8
Line Numbers
Raw Audit Messages
node=antonio-fedora-x86-64 type=AVC msg=audit(1239053085.114:23): avc: denied { sys_ptrace } for pid=2830 comm="devkit-disks-da" capability=19 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=capability
node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239053085.114:23): arch=c000003e syscall=89 success=yes exit=36 a0=7fffb3ce9c00 a1=7fffb3ce9d10 a2=fff a3=7fffb3ce99b0 items=0 ppid=1 pid=2830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
Regards,
Antonio
15 years, 1 month
kde avc (SELinux prevented kde4-config from writing .kde.) will it be on next selinux policy update?
by Antonio Olivares
Dear selinux experts,
I have a question about a repeated avc, I ask if I should apply the suggested fix or wait for an selinux policy update which addresses this?
Summary:
SELinux prevented kde4-config from writing .kde.
Detailed Description:
SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
want to allow this. If .kde is not a core file, this could signal a intrusion
attempt.
Allowing Access:
Changing the "allow_daemons_dump_core" boolean to true will allow this access:
"setsebool -P allow_daemons_dump_core=1."
Fix Command:
setsebool -P allow_daemons_dump_core=1
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:root_t:s0
Target Objects .kde [ dir ]
Source kde4-config
Source Path /usr/bin/kde4-config
Port <Unknown>
Host riohigh
Source RPM Packages kdelibs-4.2.1-2.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-1.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_daemons_dump_core
Host Name riohigh
Platform Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP
Tue Mar 3 23:01:11 EST 2009 i686 athlon
Alert Count 20
First Seen Tue 17 Feb 2009 08:36:03 AM CST
Last Seen Wed 04 Mar 2009 07:44:55 PM CST
Local ID 6d47417b-4b4b-4c4f-9c12-6210059fc418
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236217495.274:8): avc: denied { create } for pid=2386 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1236217495.274:8): arch=40000003 syscall=39 success=no exit=-13 a0=87163f8 a1=1c0 a2=49e32ec a3=0 items=0 ppid=2385 pid=2386 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Regards,
Antonio
15 years, 1 month
Trend Micro IWSS AVCs
by Jeronimo Zucco
I'm getting some avc's using Trend Micro IWSS (web proxy anti-virus -
www.trendmicro.com/en/products/gateway/iwss/evaluate/overview.htm ).
Here are the logs:
Linux: Red Hat Enterprise Linux Server release 5.2
Policy version: 21
Policy from config file: targeted
type=SYSCALL msg=audit(1238693758.307:18): arch=40000003 syscall=125
success=no exit=-13 a0=6a1000 a1=51000 a2=5 a3=bfd8ecf0 items=0 ppid=1
pid=4639 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
exe="/opt/trend/iwss/bin/iwss-process"
subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693769.018:25): avc: denied { execmod } for
pid=4756 comm="ismetricmgmtd"
path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
ino=9231574 scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693769.018:25): arch=40000003 syscall=125
success=no exit=-13 a0=93b000 a1=5f000 a2=5 a3=bfd4a040 items=0
ppid=4753 pid=4756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ismetricmgmtd"
exe="/opt/trend/iwss/bin/ismetricmgmtd"
subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693772.384:32): avc: denied { execmod } for
pid=4798 comm="svcmonitor"
path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0
ino=9231574 scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693772.384:32): arch=40000003 syscall=125
success=no exit=-13 a0=895000 a1=5f000 a2=5 a3=bfd7f0b0 items=0 ppid=1
pid=4798 auid=4294967295 uid=502 gid=502 euid=0 suid=0 fsuid=0
egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295
comm="svcmonitor" exe="/opt/trend/iwss/bin/svcmonitor"
subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693775.995:35): avc: denied { execmod } for
pid=4889 comm="iwssd"
path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
ino=9166090 scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693775.995:35): arch=40000003 syscall=125
success=no exit=-13 a0=5ed000 a1=51000 a2=5 a3=bf8afb10 items=0 ppid=1
pid=4889 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
exe="/opt/trend/iwss/bin/iwss-process"
subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238694058.311:155): avc: denied { execmod } for
pid=19765 comm="iwssd"
path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
ino=9166090 scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238694058.311:155): arch=40000003 syscall=125
success=yes exit=0 a0=702000 a1=51000 a2=5 a3=bffed4c0 items=0 ppid=1
pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
exe="/opt/trend/iwss/bin/iwss-process"
subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1238694060.596:156): avc: denied { execmod } for
pid=19765 comm="iwssd"
path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0
ino=9166092 scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1238694060.596:156): arch=40000003 syscall=125
success=yes exit=0 a0=7de000 a1=53000 a2=5 a3=bffed4c0 items=0 ppid=1
pid=19765 auid=500 uid=502 gid=502 euid=502 suid=502 fsuid=502
egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="iwssd"
exe="/opt/trend/iwss/bin/iwss-process"
subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1238694164.063:188): avc: denied { execmod } for
pid=4582 comm="iwssd"
path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0
ino=9166090 scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1238694164.063:188): arch=40000003 syscall=125
success=yes exit=0 a0=81d000 a1=51000 a2=5 a3=bfecca10 items=0 ppid=1
pid=4582 auid=4294967295 uid=502 gid=502 euid=502 suid=502 fsuid=502
egid=502 sgid=502 fsgid=502 tty=(none) ses=4294967295 comm="iwssd"
exe="/opt/trend/iwss/bin/iwss-process"
subj=system_u:system_r:initrc_t:s0 key=(null)
It was running ok with target selinux enforced, since December until
today. Now I have to put selinux in permissive mode to get IWSS
running again.
Running audit2allow, I've got this policy:
#============= initrc_t ==============
allow initrc_t initrc_tmp_t:file execmod;
allow initrc_t usr_t:file execmod;
#============= unconfined_t ==============
allow unconfined_t initrc_tmp_t:file execmod;
allow unconfined_t usr_t:file execmod;
Too permissive, isn't it? Any idea how to fix it?
--
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Universidade de Caxias do Sul - NPDU
http://jczucco.blogspot.com
15 years, 1 month
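Added example, not part of the original post and not the audit2allow source: the Python below collapses the AVC records quoted in the message above into the same type-level allow rules audit2allow printed, and keeps the file paths that triggered each one so the rule's scope can be compared with what was actually denied. The function names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# AVC records copied from the post above, re-joined onto single lines. The
# SYSCALL record is included to show that non-AVC lines are skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1238693769.018:25): avc: denied { execmod } for pid=4756 comm="ismetricmgmtd" path="/opt/trend/iwss/bin/lib/libReportLogging.so" dev=dm-0 ino=9231574 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1238693769.018:25): arch=40000003 syscall=125 success=no exit=-13 a0=93b000 a1=5f000 a2=5 a3=bfd4a040 items=0 ppid=4753 pid=4756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ismetricmgmtd" exe="/opt/trend/iwss/bin/ismetricmgmtd" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1238693775.995:35): avc: denied { execmod } for pid=4889 comm="iwssd" path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1238694058.311:155): avc: denied { execmod } for pid=19765 comm="iwssd" path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1238694060.596:156): avc: denied { execmod } for pid=19765 comm="iwssd" path="/opt/trend/iwss/bin/plugin/libIWSSPIUrlFilter.so" dev=dm-0 ino=9166092 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1238694164.063:188): avc: denied { execmod } for pid=4582 comm="iwssd" path="/opt/trend/iwss/bin/plugin/IWSSPIJavascan.so" dev=dm-0 ino=9166090 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, path), or None."""
    perms = PERMS_RE.search(line)
    if "type=AVC" not in line or perms is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        stype = fields["scontext"].split(":")[2]  # user:role:type:level
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], perms.group(1).split(), fields.get("path")
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(log_text):
    """Map each audit2allow-style rule to the paths whose denials produced it."""
    perms_by_rule, paths_by_rule = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms, path = parsed
        key = (stype, ttype, tclass)
        perms_by_rule[key].update(perms)
        if path:
            paths_by_rule[key].add(path)
    out = {}
    for key, perms in sorted(perms_by_rule.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out["allow {} {}:{} {};".format(*key, perm_str)] = sorted(paths_by_rule[key])
    return out

if __name__ == "__main__":
    for rule, paths in summarize(SAMPLE_LOG).items():
        print(rule, *("    # " + p for p in paths), sep="\n")
```

Each rule is keyed on types, so `allow initrc_t usr_t:file execmod;` applies to every file labeled `usr_t`, while the denials in the post name only three libraries under /opt/trend/iwss.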
PostgreSQL WAL log shipping does not work on Fedora 6 with SE Linux enabled... no error message. What gives?
by Aleksey Tsalolikhin
Hi. I am trying to enable WAL log shipping on our PostgreSQL 8.1.10
(upgrade to 8.3.7 is in the works) running on Fedora Core 6 (upgrade
to a more recent version is in the works).
My PostgreSQL archive_command is 'rsync %p postgres@node2:/file/to/$f
</dev/null'
This works fine only if and only if SE Linux is disabled on node 1
(the source node).
I used audit2allow on the SELinux messages, and generated an SE Linux
module to allow
Postgres to rsync the files out...
allow postgresql_t ssh_exec_t:file { read execute execute_no_trans };
allow postgresql_t ssh_port_t:tcp_socket name_connect;
allow postgresql_t user_home_t:dir { search getattr };
allow postgresql_t user_home_t:file { read getattr };
But the automated rsync by PostgreSQL still does not work. (Works
fine if I disable SELinux, by the way.)
The error I get in the PostgreSQL log is:
LOG: archive command "/usr/local/bin/rsync -e /usr/bin/ssh
pg_xlog/000000010000001D00000015
postgres@node2:WAL/000000010000001D00000015 </dev/null" failed: return
code 65280
Could not create directory '/home/postgres/.ssh'.
Host key verification failed.
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(632) [sender=3.0.4]
If anybody has any clue as to what's going on here, I would sure
appreciate your help.
"ssh node2" works fine from node1, I log in using key-based authentication
What stumps me is there are no further complaints from SELinux in any
log, but clearly SELinux is blocking the connection.
Thanks,
-at
--
Aleksey Tsalolikhin
UNIX System Administrator
"I get stuff done!"
http://www.verticalsysadmin.com/
LinkedIn - http://www.linkedin.com/in/atsaloli
15 years, 2 months
Re: Can't login with GDM
by Daniel J Walsh
On 03/31/2009 06:33 PM, Ben Gamari wrote:
> Hey everyone,
>
> Ever since yesterday's big update, I've been unable to login to my
> account through gdm. After entering my user name and password, the PAM
> conversation continues with gdm asking me, "Would you like to enter a
> security context?" On entering "N" the login fails and the gdm greeter
> denies login with "Unable to open session" while pausing for some time,
> often requiring Ctrl-Alt-Backspace to reclaim control of the computer.
>
> After entering "N", the following messages appear in /var/log/secure,
>
>> Mar 31 17:50:13 mercury pam: gdm[5157]: pam_selinux(gdm:session): Unable to get valid context for ben
>> Mar 31 17:50:13 mercury pam: gdm[5157]: pam_unix(gdm:session): session opened for user ben by (uid=0)
>
> After entering my password, the following message appears in
> /var/log/audit/audit.log,
>
>> type=LOGIN msg=audit(1238536335.839:224): login pid=5330 uid=0 old auid=500 new auid=500 old ses=1 new ses=15
>
> Followed by the following messages after entering "N" to entering a
> context,
>
>> type=USER_START msg=audit(1238536339.236:225): user pid=5330 uid=0 auid=500 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="ben" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=failed)'
>> type=USER_LOGIN msg=audit(1238536339.236:226): user pid=5330 uid=0 auid=500 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=/dev/tty7 res=failed)'
>> type=CRED_DISP msg=audit(1238536339.237:227): user pid=5330 uid=0 auid=500 ses=15 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="ben" exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=success)'
>
> Anyone have any idea what might cause such a failure? I would be more
> than happy to provide any information necessary to identify the
> root-cause of the problem. Thanks,
>
> - Ben
>
Do you have gdm running as unconfined_t?
ps -eZ | grep gdm
15 years, 2 months