Re: up2date/seaudit/... not working (EXPLAINED)
by Tom London
That fixed it!!!!!
'su' no longer takes 20 seconds to complete!
The root shell still has XAUTHORITY set to /root/.xauthABCD, but commands
(like seaudit, up2date) now work.
Thanks for the speedy response!
tom
------------------------------------------------------------------------
From: Stephen Smalley <sds epoch ncsc mil>
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
Cc: Russell Coker <russell coker com au>, Daniel J Walsh <dwalsh redhat com>
Subject: Re: up2date/seaudit/... not working (EXPLAINED)
Date: Fri, 18 Jun 2004 16:24:18 -0400
------------------------------------------------------------------------
On Fri, 2004-06-18 at 15:00, Tom London wrote:
> Running off of the development tree, I couldn't get graphical apps (like
> up2date, seaudit, ...) working when su'ed as root. All of this works
> fine on a 'stock FC2' machine (running off
> of the base and released-updates trees).
Try moving the 'pam_selinux.so open multiple' line before the
'pam_xauth.so' line in /etc/pam.d/su. Dan, this is necessary under the
current policy to get xauth to run with the right permissions for the
new domain.
--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
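A worked form of the reordering Stephen suggests, added here as an example and not taken from the list or from any Fedora package: the session stack of /etc/pam.d/su with pam_xauth.so ahead of pam_selinux.so (the ordering behind Tom's symptom) beside the corrected ordering. Only the two lines named in the mail come from the page; the pam_stack and pam_selinux close lines and the /lib/security/$ISA/ module paths are assumed for an FC2-era file.

```text
# /etc/pam.d/su, session stack only; auth/account/password stanzas unchanged.
# Surrounding lines and module paths are assumed (FC2-era layout).

# Before: pam_xauth runs, and spawns xauth, before pam_selinux has set up the
# context for the new domain, so xauth runs with the wrong permissions and the
# root shell ends up with a /root/.xauthABCD cookie file that graphical apps
# cannot use.
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so
session    required     /lib/security/$ISA/pam_selinux.so open multiple

# After: 'pam_selinux.so open multiple' comes first, so xauth runs with the
# permissions of the new domain, as Stephen's reply above requires.
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so
```

Tom's follow-up confirms the effect: XAUTHORITY still points at /root/.xauthABCD after the change, but up2date and seaudit work, so the fix is about which domain xauth runs in, not the variable's value.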
up2date/seaudit/... not working (EXPLAINED)
by Tom London
Running off of the development tree, I couldn't get graphical apps (like
up2date, seaudit, ...) working when su'ed as root. All of this works
fine on a 'stock FC2' machine (running off
of the base and released-updates trees).
The problem seems to be that the latest packages cause 'su' to change
the setting of the XAUTHORITY environment variable from
'XAUTHORITY=/home/USER/.Xauthority' to
'XAUTHORITY=/root/.xauthABCD' (ABCD the usual 'uniqueness' stuff).
If you manually reset XAUTHORITY back to '/home/USER/.Xauthority', the
apps work again.
Here's a bit of added strangeness: if you start 'xauth' in another user
window and then try 'su -l', XAUTHORITY is not changed in the root shell.
No AVCs against /root/.authABCD either....
[On the 'stock FC2' machine, XAUTHORITY is not modified by su.]
I've bugzilla'ed this (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126300)
against coreutils, but I'm not sure that is the right place (e.g., pam?).
(All my systems run with SELinux enabled, so I can only assume this is
occurring on SELinux-disabled systems as well.)
Can someone explain why 'su' would be changing XAUTHORITY ?
thanks,
tom
organizing the audit messages
by İsmail İyigünler
Hi,
Can we compose the audit messages into a simple database that finds which
user, with which security context, executed which command and when he/she
did this? How can we build this?
Thanks!
-------------------------------------------------
This mail sent through IMP: http://webmail.students.itu.edu.tr
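The question above asks how to turn the audit messages into a database that answers who, in which context, ran what, and when. As an added example (not from the list or from any of the posters), this Python script parses the 2004-era `audit(secs.ms:serial): avc: denied { perms } for key=value ...` format quoted elsewhere on this page, splits the source context into user, role and type, and loads the records into an in-memory SQLite table; the sample input is constructed from two denials quoted in this thread, one still carrying its mail-client quoting and line wrapping.

```python
import re
import sqlite3
from datetime import datetime, timezone
# AVC record as the 2.6 kernel printed it in mid-2004; the fields group tolerates mail wrapping.
AVC_RE = re.compile(
    r"audit\((?P<secs>\d+)\.\d+:\d+\):\s*avc:\s*(?P<result>denied|granted)\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*for\s*(?P<fields>(?:\S+=\S+\s*)+)"
)

def parse_avc(text):
    """Return one dict per AVC record in text; leading '> ' mail quoting is stripped."""
    records = []
    for m in AVC_RE.finditer(re.sub(r"(?m)^(?:>\s?)+", "", text)):
        f = dict(kv.split("=", 1) for kv in m.group("fields").split())
        user, role, stype = (f.get("scontext", "").split(":") + [""] * 3)[:3]
        records.append({
            "time": datetime.fromtimestamp(int(m.group("secs")), timezone.utc),
            "result": m.group("result"), "perms": " ".join(m.group("perms").split()),
            "pid": int(f.get("pid", 0)), "exe": f.get("exe", ""),
            "user": user, "role": role, "type": stype,
            "tcontext": f.get("tcontext", ""), "tclass": f.get("tclass", ""),
            "target": f.get("path") or f.get("name", ""),  # object the access hit
        })
    return records

COLUMNS = ("time", "result", "perms", "pid", "exe", "user", "role", "type", "tcontext", "tclass", "target")
def load_db(text):
    """Parse text and load the records into an in-memory SQLite table 'avc'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE avc (%s)" % ", ".join(COLUMNS))
    db.executemany("INSERT INTO avc VALUES (%s)" % ",".join("?" * len(COLUMNS)),
                   [tuple(r[c].isoformat() if c == "time" else r[c] for c in COLUMNS)
                    for r in parse_avc(text)])
    return db

def who_ran_what(db):
    """The question asked on the list: which user, in which context, ran what, and when."""
    return db.execute("SELECT user, role, type, exe, perms, time FROM avc ORDER BY time").fetchall()

# Constructed sample: two denials quoted elsewhere in this thread; the first still
# carries the '> ' quoting and line wrapping of the mail it was copied from.
SAMPLE = """\
> Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied {
> write
> } for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367
> scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t
> tclass=chr_file
audit(1087473997.967:0): avc: denied { search } for pid=2885 exe=/bin/mount dev=hdc2 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
"""
```

Times are stored in UTC, so the ntpdate record comes out as 08:11:03 although the host logged 02:11:03 in its local zone.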
X-user xauthed to execute a "root"/system level configuration helper yields denials
by Francis K Shim
Edited to make relevant details clear:
execute_no_trans
exe=/usr/sbin/userhelper
path=/usr/X11R6/bin/xauth
scontext=user:staff_r:staff_userhelper_t
tcontext=system_u:object_r:xauth_exec_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
name=user
scontext=user:staff_r:staff_userhelper_t
tcontext=user:object_r:staff_home_dir_t
tclass=dir
add_name
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=dir
create
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
link
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
name=.Xauthority
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:staff_home_xauth_t
tclass=file
remove_name
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=dir
unlink
exe=/usr/X11R6/bin/xauth
name=.Xauthority-c
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
setattr
exe=/usr/sbin/userhelper
name=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
path=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
read
exe=/usr/X11R6/bin/xauth
name=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
getattr
exe=/usr/X11R6/bin/xauth
path=/home/USER/.xauthgxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
execute_no_trans
exe=/usr/sbin/userhelper
path=/usr/X11R6/bin/xauth
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:xauth_exec_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
name=.Xauthority
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:staff_home_xauth_t
tclass=file
read
exe=/sbin/iptables
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:iptables_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
read
exe=/sbin/hwclock
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:hwclock_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
execute_no_trans
exe=/usr/sbin/userhelper
path=/usr/X11R6/bin/xauth
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:xauth_exec_t
tclass=file
write
exe=/usr/X11R6/bin/xauth
name=.Xauthority
scontext=USER:staff_r:staff_userhelper_t
tcontext=system_u:object_r:staff_home_xauth_t
tclass=file
read
exe=/sbin/iptables
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:iptables_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
read
exe=/usr/sbin/ntpdate
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:ntpd_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
read
exe=/sbin/hwclock
path=/var/run/sudo/USER/unknown
scontext=USER:system_r:hwclock_t
tcontext=USER:object_r:pam_var_run_t
tclass=file
write
exe=/usr/sbin/userhelper
name=USER
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=dir
remove_name
exe=/usr/sbin/userhelper
name=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=dir
unlink
exe=/usr/sbin/userhelper
name=.xauthxxxxx
scontext=USER:staff_r:staff_userhelper_t
tcontext=USER:object_r:staff_home_dir_t
tclass=file
--
Francis K Shim <francis.shim(a)sympatico.ca>
ntp
by Jason Hooper
could someone point me in the direction of getting ntp to work with selinux
on fedora C2? does anyone have experience with this? is it supposed to
just work with the default file_contexts? any help is appreciated...thanks
j
..
RE: ntp
by David Balazic
> From: fedora-selinux-list-bounces@redhat.com [SMTP:fedora-selinux-list-bounces@redhat.com]
> on behalf of Stephen Smalley [SMTP:sds@epoch.ncsc.mil]
>
> On Thu, 2004-06-17 at 10:03, Jason Hooper wrote:
> > Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write }
> > for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367
> > scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t
> > tclass=chr_file
>
> Mismatch between your kernel and policy. RedHat released a kernel
> update for FC2 without updating the policy accordingly. If you update
> to selinux-policy-strict in the devel tree, you should be ok. But note
> that this also requires updating SysVinit, libselinux, and possibly
> other components as the policy layout has changed completely in the
> devel tree.
>
> First, is SELinux supposed to work in Fedora Core 2 or is it in beta(alpha)
> phase ?
It is supposed to work.
Khm, khm ... it is alpha/beta after all, isn't it ?
> --
> Stephen Smalley <sds(a)epoch.ncsc.mil>
> National Security Agency
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
RE: ntp
by David Balazic
Look, I would love to take part in the polishing of SELinux on Fedora, but I
have no time at all for that, really. I will turn SELinux off on my system.
Actually it's a question if I will use FC2 at all. I have very little time
for FC and even that is then used for bug hunting/reporting and not actual
"using"...
Regards,
DB
> ----------
> From: fedora-selinux-list-bounces@redhat.com [SMTP:fedora-selinux-list-bounces@redhat.com]
> on behalf of Stephen Smalley [SMTP:sds@epoch.ncsc.mil]
> Reply To: Fedora SELinux support list for users & developers.
> Sent: 17. junij 2004 16:45
> To: Fedora SELinux support list for users & developers.
> Subject: RE: ntp
>
> On Thu, 2004-06-17 at 10:12, David Balazic wrote:
> > Khm, khm ... it is alpha/beta after all, isn't it ?
>
> Shrug. If you want to be conservative, you can just patch your policy
> to include the devnull initial SID rather than trying to update to
> rawhide.
>
> --
> Stephen Smalley <sds(a)epoch.ncsc.mil>
> National Security Agency
>
RE: ntp
by David Balazic
What if you set your system to permissive mode and see what is ntpdate
trying to do ?
> ----------
> From: fedora-selinux-list-bounces@redhat.com [SMTP:fedora-selinux-list-bounces@redhat.com]
> on behalf of Jason Hooper [SMTP:jhooper@tlcontact.com]
> Reply To: Fedora SELinux support list for users & developers.
> Sent: 17. junij 2004 16:03
> To: fedora-selinux-list(a)redhat.com
> Subject: RE: ntp
>
> Yeah it seems like it should just work...yet it doesn't...weird. I have
> two machines trying to sync (well, three, but the third one works and is
> not selinux).
>
> I get this avc on both :
>
> Machine1 :
>
> Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write }
> for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367
> scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t
> tclass=chr_file
>
> Machine2 :
>
> Jun 17 06:11:33 doh2 kernel: audit(1087470693.719:0): avc: denied { write }
> for pid=2335 exe=/usr/sbin/ntpdate path=/ dev=hda2 ino=5060
> scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t
> tclass=chr_file
>
> Machine2 has an ntpd.te file while machine1 does not. Does that matter in
> this case? I can send it if it's needed.
>
> Thanks again for the help
>
> ..
>
>
> -----Original Message-----
> From: Russell Coker [mailto:russell@coker.com.au]
> Sent: Wednesday, June 16, 2004 10:01 PM
> To: fedora-selinux-list(a)redhat.com
> Cc: Jason Hooper
> Subject: Re: ntp
>
> On Thu, 17 Jun 2004 04:51, "Jason Hooper" <jhooper(a)tlcontact.com> wrote:
> > could someone point me in the direction of getting ntp to work with
> > selinux on fedora C2? does anyone have experience with this? is it
> > supposed to just work with the default file_contexts? any help is
> > appreciated...thanks
>
> For the typical operation (synchronising from a master server somewhere on
> the net) it is supposed to just work, it does for me. I have a rawhide
> machine running the strict SE Linux policy synchronising with an NTP server
> right now, and I don't believe that FC2 differs from the current rawhide in
> any significant way related to NTP.
>
> Does ntpd support directly interfacing with GPS hardware or other accurate
> time sources? If so some extra policy will be needed to support this.
>
> If you see any AVC messages related to ntpd then please post them to this
> list.
>
> --
> http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/ My home page
>
mount reiserfs (novice)
by Maxim Britov
I can't mount reiserfs. I have just begun studying SE Linux. Could you help me?
FC2+updates:
mount /dev/hdc2 /mnt/disk
# dmesg
ReiserFS: hdc2: found reiserfs format "3.6" with standard journal
ReiserFS: hdc2: using ordered data mode
ReiserFS: hdc2: journal params: device hdc2, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
ReiserFS: hdc2: checking transaction log (hdc2)
ReiserFS: hdc2: Using r5 hash to sort names
audit(1087473997.967:0): avc: denied { search } for pid=2885 exe=/bin/mount dev=hdc2 ino=2 scontext=root:sysadm_r:mount_t tcontext=system_u:object_r:unlabeled_t tclass=dir
ReiserFS: hdc2: warning: xattrs/ACLs enabled and couldn't find/create .reiserfs_priv. Failing mount.
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
# ls -Z
drwxr-xr-x root root system_u:object_r:mnt_t cdrom
drwxr-xr-x+ root root system_u:object_r:mnt_t disk
mkfs.ext2 and mount work fine.
--
MaxBritov
GnuPG KeyID 0x4580A6D66F3DB1FB Keyserver hkp://keyserver.kjsl.com
Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB
JABBER: maxbritov on jabber.org/jabber.ru ICQ 198171258
/usr/bin/run-parts->system_u:object_r:bin_t (?!)
by Tom London
/usr/bin/run-parts has context system_u:object_r:bin_t under
selinux-policy-strict-1.13.4-6 (and earlier).
crond_t.te has entries to search bin_t dirs, but not to
read/getattr/execute bin_t files.
Here is the AVC for run-parts:
audit(1087423260.368:0): avc: denied { getattr } for pid=4135
exe=/bin/bash path=/usr/bin/run-parts dev=hdb3 ino=1006312
scontext=system_u:system_r:crond_t tcontext=system_u:object_r:bin_t
tclass=file
thanks.
tom