June 2004 - selinux - Fedora Mailing-Lists

Re: up2date/seaudit/... not working (EXPLAINED)

by Tom London

That fixed it!!!!! 'su' no longer takes 20 seconds to complete! The root shell still has XAUTHORITY set to /root/.xauthABCD, but commands (like seaudit, up2date) now work. Thanks for the speedy response! tom ------------------------------------------------------------------------ * /From/: Stephen Smalley <sds epoch ncsc mil> * /To/: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com> * /Cc/: Russell Coker <russell coker com au>, Daniel J Walsh <dwalsh redhat com> * /Subject/: Re: up2date/seaudit/... not working (EXPLAINED) * /Date/: Fri, 18 Jun 2004 16:24:18 -0400 ------------------------------------------------------------------------ On Fri, 2004-06-18 at 15:00, Tom London wrote: > Running off of the development tree, I couldn't get graphical apps (like > up2date, seaudit, ...) working when su'ed as root. All of this works > fine on a 'stock FC2' machine (running off > of the base and released-updates trees). Try moving the 'pam_selinux.so open multiple' line before the 'pam_xauth.so' line in /etc/pam.d/su. Dan, this is necessary under the current policy to get xauth to run with the right permissions for the new domain. -- Stephen Smalley <sds epoch ncsc mil> National Security Agency

19 years, 11 months

1
0
0 / 0

up2date/seaudit/... not working (EXPLAINED)

by Tom London

Running off of the development tree, I couldn't get graphical apps (like up2date, seaudit, ...) working when su'ed as root. All of this works fine on a 'stock FC2' machine (running off of the base and released-updates trees). The problem seems to be that the latest packages cause 'su' to change the settings of XAUTHORITY environment variable from 'XAUTHORITY=/home/USER/.Xauthority' to 'XAUTHORITY=/root/.xauthABCD' (ABCD the usual 'uniqueness' stuff). If you manually reset XAUTHORITY back to '/home/USER/.Xauthority', the apps work again. Here's a bit of added strangeness: if you start 'xauth' in another user window and then try 'su -l', XAUTHORITY is not changed in the root shell. No AVCs against /root/.authABCD either.... [On the 'stock FC2' machine, XAUTHORITY is not modified by su.] I've bugzilla'ed this (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126300) against coreutils, but I'm not sure that is the right place (e.g., pam?). (All my systems run with SELinux enabled, so I can only assume this is occurring on SELinux-disabled systems as well.) Can someone explain why 'su' would be changing XAUTHORITY ? thanks, tom

19 years, 11 months

3
2
0 / 0

organizing the audit messages

by İsmail İyigünler

Hi Can we compose the audit messages for building a simple database to find which user with which security context, executed which command and when he/she did this ? How can we build this ? Thanks! ------------------------------------------------- This mail sent through IMP: http://webmail.students.itu.edu.tr

19 years, 11 months

2
1
0 / 0

X-user xauthed to execute a "root"/system level configuration helper yield denials

by Francis K Shim

Edited to make relevant details clear: execute_no_trans exe=/usr/sbin/userhelper path=/usr/X11R6/bin/xauth scontext=user:staff_r:staff_userhelper_t tcontext=system_u:object_r:xauth_exec_t tclass=file write exe=/usr/X11R6/bin/xauth name=user scontext=user:staff_r:staff_userhelper_t tcontext=user:object_r:staff_home_dir_t tclass=dir add_name exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=dir create exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file link exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file write exe=/usr/X11R6/bin/xauth name=.Xauthority scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file remove_name exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=dir unlink exe=/usr/X11R6/bin/xauth name=.Xauthority-c scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file setattr exe=/usr/sbin/userhelper name=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file write exe=/usr/X11R6/bin/xauth path=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file read exe=/usr/X11R6/bin/xauth name=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file getattr exe=/usr/X11R6/bin/xauth path=/home/USER/.xauthgxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file execute_no_trans exe=/usr/sbin/userhelper path=/usr/X11R6/bin/xauth scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:xauth_exec_t tclass=file write exe=/usr/X11R6/bin/xauth name=.Xauthority scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file read exe=/sbin/iptables path=/var/run/sudo/USER/unknown scontext=USER:system_r:iptables_t tcontext=USER:object_r:pam_var_run_t tclass=file read exe=/sbin/hwclock path=/var/run/sudo/USER/unknown scontext=USER:system_r:hwclock_t tcontext=USER:object_r:pam_var_run_t tclass=file execute_no_trans exe=/usr/sbin/userhelper path=/usr/X11R6/bin/xauth scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:xauth_exec_t tclass=file write exe=/usr/X11R6/bin/xauth name=.Xauthority scontext=USER:staff_r:staff_userhelper_t tcontext=system_u:object_r:staff_home_xauth_t tclass=file read exe=/sbin/iptables path=/var/run/sudo/USER/unknown scontext=USER:system_r:iptables_t tcontext=USER:object_r:pam_var_run_t tclass=file read exe=/usr/sbin/ntpdate path=/var/run/sudo/USER/unknown scontext=USER:system_r:ntpd_t tcontext=USER:object_r:pam_var_run_t tclass=file read exe=/sbin/hwclock path=/var/run/sudo/USER/unknown scontext=USER:system_r:hwclock_t tcontext=USER:object_r:pam_var_run_t tclass=file write exe=/usr/sbin/userhelper name=USER scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=dir remove_name exe/usr/sbin/userhelper name=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=dir unlink exe=/usr/sbin/userhelper name=.xauthxxxxx scontext=USER:staff_r:staff_userhelper_t tcontext=USER:object_r:staff_home_dir_t tclass=file -- Francis K Shim <francis.shim(a)sympatico.ca>

19 years, 11 months

2
2
0 / 0

ntp

by Jason Hooper

could someone point me in the direction of getting ntp to work with selinux on fedora C2? does anyone have experience with this? is it supposed to just work with the default file_contexts? any help is appreciated...thanks j ..

19 years, 11 months

3
4
0 / 0

RE: ntp

by David Balazic

> From: > fedora-selinux-list-bounces@redhat.com[SMTP:fedora-selinux-list-bounces@re > dhat.com] on behalf of Stephen Smalley[SMTP:sds@epoch.ncsc.mil] > > On Thu, 2004-06-17 at 10:03, Jason Hooper wrote: > > Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { > write > > } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 > > scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t > > tclass=chr_file > > Mismatch between your kernel and policy. RedHat released a kernel > update for FC2 without updating the policy accordingly. If you update > to selinux-policy-strict in the devel tree, you should be ok. But note > that this also requires updating SysVinit, libselinux, and possibly > other components as the policy layout has changed completely in the > devel tree. > > First, is SELinux supposed to work in Fedora Core 2 or is it in beta(alpha) > phase ? It is supposed to work. Khm, khm ... it is alpha/beta after all, isn't it ? > -- > Stephen Smalley <sds(a)epoch.ncsc.mil> > National Security Agency > > -- > fedora-selinux-list mailing list > fedora-selinux-list(a)redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list >

19 years, 11 months

3
2
0 / 0

RE: ntp

by David Balazic

Look, I would love to take part in the polishing of SELinux on Fedora, but I have no time at all for that, really. I will turn SELinux off on my system. Actually it's a question if I will use FC2 at all. I have very little time for FC and even that is then used for bug hunting/reporting and not actual "using"... Regards, DB > ---------- > From: > fedora-selinux-list-bounces@redhat.com[SMTP:fedora-selinux-list-bounces@re > dhat.com] on behalf of Stephen Smalley[SMTP:sds@epoch.ncsc.mil] > Reply To: Fedora SELinux support list for users & developers. > Sent: 17. junij 2004 16:45 > To: Fedora SELinux support list for users & developers. > Subject: RE: ntp > > On Thu, 2004-06-17 at 10:12, David Balazic wrote: > > Khm, khm ... it is alpha/beta after all, isn't it ? > > Shrug. If you want to be conservative, you can just patch your policy > to include the devnull initial SID rather than trying to update to > rawhide. > > -- > Stephen Smalley <sds(a)epoch.ncsc.mil> > National Security Agency > > -- > fedora-selinux-list mailing list > fedora-selinux-list(a)redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list >

19 years, 11 months

1
0
0 / 0

RE: ntp

by David Balazic

What if you set your system to permissive mode and see what is ntpdate trying to do ? > ---------- > From: > fedora-selinux-list-bounces@redhat.com[SMTP:fedora-selinux-list-bounces@re > dhat.com] on behalf of Jason Hooper[SMTP:jhooper@tlcontact.com] > Reply To: Fedora SELinux support list for users & developers. > Sent: 17. junij 2004 16:03 > To: fedora-selinux-list(a)redhat.com > Subject: RE: ntp > > Yeah it seems like it should just work...yet it doesn't...wierd. I have > two machines trying to sync ( well, three, but the third one works and is > not selinux ) > > I get this avc on both : > > Machine1 : > > Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { > write > } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367 > scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t > tclass=chr_file > > Machine2 : > > Jun 17 06:11:33 doh2 kernel: audit(1087470693.719:0): avc: denied { > write > } for pid=2335 exe=/usr/sbin/ntpdate path=/ dev=hda2 ino=5060 > scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t > tclass=chr_file > > Machine2 has an ntpd.te file while machine1 does not. Does that matter > in > this case? I can send it if its needed. > > Thanks again for the help > > .. > > > -----Original Message----- > From: Russell Coker [mailto:russell@coker.com.au] > Sent: Wednesday, June 16, 2004 10:01 PM > To: fedora-selinux-list(a)redhat.com > Cc: Jason Hooper > Subject: Re: ntp > > On Thu, 17 Jun 2004 04:51, "Jason Hooper" <jhooper(a)tlcontact.com> wrote: > > could someone point me in the direction of getting ntp to work with > selinux > > on fedora C2? does anyone have experience with this? is it supposed > to > > just work with the default file_contexts? any help is > > appreciated...thanks > > For the typical operation (synchronising from a master server somewhere on > the > net) it is supposed to just work, it does for me. I have a rawhide > machine > running the strict SE Linux policy synchronising with an NTP server right > now, and I don't believe that FC2 differs from the current rawhide in any > significant way related to NTP. > > Does ntpd support directly interfacing with GPS hardware or other accurate > time sources? If so some extra policy will be needed to support this. > > If you see any AVC messages related to ntpd then please post them to this > list. > > -- > http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages > http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark > http://www.coker.com.au/postal/ Postal SMTP/POP benchmark > http://www.coker.com.au/~russell/ My home page > > -- > fedora-selinux-list mailing list > fedora-selinux-list(a)redhat.com > http://www.redhat.com/mailman/listinfo/fedora-selinux-list >

19 years, 11 months

1
0
0 / 0

mount reiserfs (novice)

by Maxim Britov

I can't mount reiserfs. I just begin study SE Linux. Could you help me? FC2+updates: mount /dev/hdc2 /mnt/disk # dmesg ReiserFS: hdc2: found reiserfs format "3.6" with standard journal ReiserFS: hdc2: using ordered data mode ReiserFS: hdc2: journal params: device hdc2, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30 ReiserFS: hdc2: checking transaction log (hdc2) ReiserFS: hdc2: Using r5 hash to sort names audit(1087473997.967:0): avc: denied { search } for pid=2885 exe=/bin/mount dev=hdc2 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir ReiserFS: hdc2: warning: xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount. # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t # ls -Z drwxr-xr-x root root system_u:object_r:mnt_t cdrom drwxr-xr-x+ root root system_u:object_r:mnt_t disk mkfs.ext2 and mount - works fine. -- MaxBritov GnuPG KeyID 0x4580A6D66F3DB1FB Keyserver hkp://keyserver.kjsl.com Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB JABBER: maxbritov on jabber.org/jabber.ru ICQ 198171258

19 years, 11 months

3
3
0 / 0

/usr/bin/run-parts->system_u:object_r:bin_t (?!)

by Tom London

/usr/bin/run-parts has context system_u:object_r:bin_t under selinux-policy-strict-1.13.4-6 (and earlier). crond_t.te has entries to search bin_t dirs, but not to read/getattr/execute bin_t files. Here is the AVC for run-parts: audit(1087423260.368:0): avc: denied { getattr } for pid=4135 exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t tclass=file thanks. tom

19 years, 11 months

3
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2004