Re: Where should an RPM install .te/.fc files?
by W. Michael Petullo
>> I maintain an RPM that installs .te and .fc files. In the past,
>> contributing to the system's SELinux policy could be done by installing
>> files in /etc/security/selinux/src/policy (I'm not sure this is right
>> to begin with):
>> %policy %{_sysconfdir}/security/selinux/src/policy/macros/pam_mount_macros.te
>> However, now policies may be in /etc/selinux/strict/src/policy/ or
>> /etc/selinux/targeted/src/policy/. It is also possible that only one of
>> these directories exists.
> I don't think that your macros file fits in with the targeted policy, and
> I think that the general aims of the targeted policy don't involve that
> sort of thing (but this hasn't been considered much so far).
> It's probably best to install the files under only the strict directory.
> It is also possible that only one of those directories exists.
Installing exclusively under the strict policy makes sense. The things I am
explicitly allowing should probably already be allowed by the targeted
policy. However, what about the case where a user does not have the strict
policy installed? In this case my RPM will install its policy files to an
otherwise empty policy source tree. This may result in directories like
/etc/selinux/strict being orphans -- not owned by any RPM. Should this be
avoided somehow?
Thanks for your help!
--
Mike
19 years, 11 months
'unable to relabel' in /dev.... MAKEDEV-3.7-2
by Tom London
Running off of the development tree, MAKEDEV-3.7-2 creates lots of new
files. Running 'fixfiles relabel' or 'setfiles -v $FC /dev' generates
lots of error messages like:
/dev/ptyu7: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyu7 to system_u:object_r:device_t
/dev/ptyd7: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyd7 to system_u:object_r:device_t
/dev/ptyde: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyde to system_u:object_r:device_t
/dev/ptyac: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyac to system_u:object_r:device_t
/dev/ptys1: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptys1 to system_u:object_r:device_t
/dev/ircomm9: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ircomm9 to system_u:object_r:device_t
/dev/ptyre: Permission denied
/usr/sbin/setfiles: unable to relabel /dev/ptyre to system_u:object_r:device_t
Here is an 'ls -l' of one of the files:
[root@dell dev]# ls -l ptyu7
crw-rw-rw- 1 root tty 2, 87 Jun 14 12:42 ptyu7
[root@dell dev]# ls -lZ $_
crw-rw-rw- root tty root:object_r:device_t ptyu7
[root@dell dev]#
I'm running selinux-policy-strict-1.13.4-6, with file_contexts augmented
with Russell Coker's fix for /udev/microcode.
tom
19 years, 11 months
problem relabeling with FC2
by İsmail İyigünler
Hi
I'm using Fedora Core 2 with kernel 2.6.6 with SELinux. However some of my
directories' (in /proc for example) security context still looks "(null)". I
tried the instructions in GettingStartedWithNewSELinux.pdf to relabel all the
file system, but it did not work (both permissive and enforcing mode):
[root@santiago /]#
[root@santiago /]# make -C /etc/security/selinux/src/policy/ relabel
make: Entering directory /etc/security/selinux/src/policy/
Cleaning out /tmp
rm -rf /tmp/.??* /tmp/*
/usr/bin/setfiles file_context/file_context 'mount | grep -v bind | grep -v "context=" | awk ' /(ext[23]|xfs).*rw{print $3}'
/usr/bin/setfiles: read 1426 spesifications
/usr/bin/setfiles: labeling files under /
/usr/bin/setfiles: error while labeling files under /
make:*** [relabel] Error 1
make: Leaving directory '/etc/security/selinux/src/policy'
[root@santiago policy]#
What have I missed? Could anyone help me on this? Your attention is greatly
appreciated. Thank you.
19 years, 11 months
Where should an RPM install .te/.fc files?
by W. Michael Petullo
Hello everyone,
I maintain an RPM that installs .te and .fc files. In the past,
contributing to the system's SELinux policy could be done by installing
files in /etc/security/selinux/src/policy (I'm not sure this is right
to begin with):
%policy %{_sysconfdir}/security/selinux/src/policy/macros/pam_mount_macros.te
%policy %{_sysconfdir}/security/selinux/src/policy/file_contexts/misc/pam_mount.fc
However, now policies may be in /etc/selinux/strict/src/policy/ or
/etc/selinux/targeted/src/policy/. It is also possible that only one of
these directories exists.
What is the proper procedure for an RPM to contribute to the system's
SELinux policy? My RPM introduces new contexts and provides new allow
statements. The Fedora Core 2 SELinux FAQ does not seem to address
these questions, though it does allude to SELinux-related RPM hooks.
--
Mike
19 years, 11 months
strange AVC messages with kernel 2.6.6-1.427
by Russell Coker
With the latest kernel I am getting some strange AVC messages I didn't get
with 2.6.5-1.358.
audit(1087039822.666:0): avc: denied { getattr } for pid=5262 exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t tcontext=system_u:object_r:root_t tclass=chr_file
audit(1087039822.684:0): avc: denied { getattr } for pid=5262 exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t tcontext=system_u:object_r:root_t tclass=chr_file
There is no device node 16381 on the file system. Running the same command
repeatedly gives similar messages with different inode numbers, so I guess
it's some sort of temporary file. The machine is in enforcing mode and
nothing that might want to create a root_t chr_file has permission to do
so...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
19 years, 11 months
Kernel installation
by David Balazic
Hi!
On a fresh FC2 install I get this:
[root@localhost root]# rpm -i /mnt/cdrom/fc2updates/kernel-2.6.6-1.427.i686.rpm
warning: /mnt/cdrom/fc2updates/kernel-2.6.6-1.427.i686.rpm: V3 DSA signature: NOKEY, key ID 4f2a6fd2
audit(1087049637.996:0): avc: denied { transition } for pid=2632 exe=/bin/bash path=/sbin/dmsetup dev=hde2 ino=1261594 scontext=root:sysadm_r:bootloader_t tcontext=root:system_r:lvm_t tclass=process
/bin/bash: /root/.bashrc: Permission denied
[root@localhost root]#
It appears to work after that, but I'll report it just in case ;)
The same avc error happens with other kernels, even with one 2.4.x from an
older Fedora/RHL version.
Regards,
David Balažic
---------------------------------------------------------------------------------------
http://noepatents.org/ Innovation, not litigation !
---
David Balazic mailto:david.balazic@hermes.si
HERMES Softlab http://www.hermes-softlab.com
Zagrebska cesta 104 Phone: +386 2 450 8851
SI-2000 Maribor
Slovenija
---------------------------------------------------------------------------------------
"Be excellent to each other." -
Bill S. Preston, Esq. & "Ted" Theodore Logan
---------------------------------------------------------------------------------------
19 years, 11 months
Where's my policy source?
by Levine, Daniel J.
Hey guys,
When I first installed my Fedora Core 2 (release) OS with SELinux, I
installed most of the packages I needed, but forgot that AMD doesn't get
installed by default. So afterwards I found the am-utils RPM and installed
it. Now I get spurious amd related messages from SELinux. I was probably
root when I installed am-utils and chances are it didn't put the right
contexts on the files and such.
So, I figured I needed to re-label my file system so the amd related files
would have the correct SELinux contexts on them. This is what it would do
for me right?
Well, so I got to /etc/security/selinux and I don't have a src directory!
I'm pretty sure I picked Workstation Install and added various other
packages that I thought I needed at installation time. Am-utils is the only
after-the-fact package I installed.
So, where is the policy source? I'm looking in the right place right? Now
I do see in the SELinux getting started HOWTO that they do something like:
make -C /etc/selinux relabel
Should this cause my amd audit violation messages to go away? How would I
have added the am-utils RPM so that its files were labeled correctly in the
first place?
Thanks,
Daniel J. Levine
Section Supervisor
Johns Hopkins University
Applied Physics Laboratory
443-778-3952 240-228-3952
19 years, 11 months
Re: avc denied messages from microcode_ctl
by Tom London
[root@dell root]# ls -l /udev/microcode
crw------- 1 root root 10, 184 May 25 13:56 /udev/microcode
[root@dell root]# ls -lZ /udev/microcode
crw------- root root system_u:object_r:device_t /udev/microcode
[root@dell root]#
------------------------------------------------------------------------
From: Russell Coker <russell coker com au>
To: Richard Hally <rhallyx mindspring com>
Cc: fedora-selinux-list redhat com
Subject: Re: avc denied messages from microcode_ctl
Date: Tue, 15 Jun 2004 11:50:29 +1000
------------------------------------------------------------------------
On Tue, 15 Jun 2004 04:59, Richard Hally <rhallyx mindspring com> wrote:
> >I suggest just using setfiles to relabel /dev/cpu.
>
> There is no /udev/cpu. There is a /udev/microcode. It is labeled
> device_t.
There is no /dev/microcode listed in Documentation/devices.txt in the kernel
source tree from kernel.org.
Please show me the "ls -l /dev/microcode" output. We'll have to add an entry
to file_contexts/types.fc for it.
19 years, 11 months
avc denied messages from lvm.static
by Richard Hally
While booting the 427 kernel in enforcing mode with
selinux-policy-strict-1.13.4-5,
the following avc denied messages occur:
Jun 13 21:04:03 new2 kernel: audit(1087175021.671:0): avc: denied { search } for pid=931 exe=/sbin/lvm.static dev=devpts ino=1 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir
Jun 13 21:04:03 new2 kernel: audit(1087175022.193:0): avc: denied { getattr } for pid=931 exe=/sbin/lvm.static path=/dev/shm dev=hda2 ino=1091316 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir
HTH
Richard Hally
19 years, 11 months
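The denials quoted in the pppd, kernel-install and lvm.static messages above all share the `audit(...): avc: denied { perm } for key=value ...` format of the 2.6.6-era kernels. As an added example (not code from any of the posters or from the policy tools), here is a small Python parser that splits such lines into their fields and aggregates them into the (source type, target type, object class, permission) tuples an allow rule is written against; the sample lines are the ones quoted above, rejoined onto single lines. The rendered allow statements are triage output for a reviewer, in the spirit of audit2allow: Russell's denial is on an inode that does not exist on disk, and an allow rule there would hide the question rather than answer it.

```python
import re
from collections import Counter

# Constructed sample: the AVC lines quoted in the messages above, each rejoined
# onto one line. Some carry a syslog prefix and some do not; the parser copes
# with both because it searches for the audit(...) token.
SAMPLE_AVCS = [
    "audit(1087039822.666:0): avc: denied { getattr } for pid=5262 "
    "exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t "
    "tcontext=system_u:object_r:root_t tclass=chr_file",
    "audit(1087039822.684:0): avc: denied { getattr } for pid=5262 "
    "exe=/usr/sbin/pppd path=/ dev=hda1 ino=16381 scontext=rjc:system_r:pppd_t "
    "tcontext=system_u:object_r:root_t tclass=chr_file",
    "audit(1087049637.996:0): avc: denied { transition } for pid=2632 "
    "exe=/bin/bash path=/sbin/dmsetup dev=hde2 ino=1261594 "
    "scontext=root:sysadm_r:bootloader_t tcontext=root:system_r:lvm_t tclass=process",
    "Jun 13 21:04:03 new2 kernel: audit(1087175021.671:0): avc: denied { search } "
    "for pid=931 exe=/sbin/lvm.static dev=devpts ino=1 "
    "scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:devpts_t tclass=dir",
    "Jun 13 21:04:03 new2 kernel: audit(1087175022.193:0): avc: denied { getattr } "
    "for pid=931 exe=/sbin/lvm.static path=/dev/shm dev=hda2 ino=1091316 "
    "scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:file_t tclass=dir",
]

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),   # several perms may be braced together
    }
    for kv in m.group("fields").split():     # pid=.. exe=.. scontext=.. tclass=..
        key, _, value = kv.partition("=")
        rec[key] = value
    # Contexts are user:role:type in this policy; rules are written on the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)] += 1
    return counts


def as_allow_rules(counts):
    """Render the tuples in policy syntax, one allow statement per
    (source, target, class). This is for a reviewer to read, not to paste
    into policy unseen."""
    perms_by_key = {}
    for src, tgt, cls, perm in counts:
        perms_by_key.setdefault((src, tgt, cls), set()).add(perm)
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in perms_by_key.items()
    )


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```

Run it as-is to print the four candidate statements for the sample lines, or feed `summarize()` the output of `grep avc /var/log/messages` to see which source/target pairs recur before deciding whether the fix is a rule, a relabel, or a bug report.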
(Non)Domain Transitioning
by Kirk Vogelsang
I'm having some problems getting the snortcenter agent (miniserv.pl)
to start snort and transition snort to the appropriate snort_t domain.
When miniserv starts snort, snort continues to run in the miniserv
domain, snort_agent_t (domain I created.)
avc messages show miniserv starting snort with execute_no_trans,
which I believe is the problem:
audit(108724131.465:0): avc: denied { execute_no_trans } for pid=7136 exe=/bin//bash path=/usr/tools/adm/packages/snort/bin/snort dev=sda2 ino=256078 scontext=system_u:system_r:snort_agent_t tcontext=system_u:object_r:snort_exec_t tclass=file
When snort is started via run_init, it runs appropriately within the
snort_t domain. I have:
allow snort_agent_t snort_exec_t:file { read execute entrypoint };
...
...
allow snort_agent_t snort_t:process transition;
My question: How do I force a process (snort) to transition to the
correct domain (snort_t) when exec'd from another domain
(snort_agent_t)?
-----
Kirk M. Vogelsang <kvogelsa(a)ccs.neu.edu>
Northeastern University College of Computer Science
19 years, 11 months
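The execute_no_trans denial above is the kernel telling us that no domain transition was computed for this exec: the allow rules quoted give snort_agent_t permission to transition, but nothing says that executing a snort_exec_t file from snort_agent_t should land in snort_t, so the process stays in snort_agent_t and needs execute_no_trans on the file instead. What supplies that is a type_transition rule (in the strict policy of this era, the domain_auto_trans() macro emits it together with the transition/entrypoint/execute allows). The Python below is an added example, not code from the poster or from the policy sources: a minimal model of the exec-time decision that reads a tiny subset of policy syntax and reports which checks the kernel would make. The snort_* rules are the ones quoted in the post; the `allow snort_t snort_exec_t:file entrypoint` and type_transition lines are assumed additions (run_init working implies the entrypoint already exists in the real policy), and the bootloader_t/lvm_exec_t rules are constructed to mirror the kernel-install denial earlier on this page, where the opposite happens: a transition is computed but the caller lacks process:transition. The model covers only the execute, execute_no_trans, transition and entrypoint checks, not read or role/user constraints.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    allows: set = field(default_factory=set)               # (src, tgt, class, perm)
    type_transitions: dict = field(default_factory=dict)   # (src, exec type) -> new domain


def load_policy(text):
    """Parse a tiny subset of policy language: one allow or type_transition
    statement per line. '...' lines, blank lines and '#' comments are skipped."""
    pol = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line or line.startswith("..."):
            continue
        words = line.replace("{", " ").replace("}", " ").split()
        kind, src, target = words[0], words[1], words[2]
        tgt, cls = target.split(":")
        if kind == "allow":
            for perm in words[3:]:
                pol.allows.add((src, tgt, cls, perm))
        elif kind == "type_transition" and cls == "process":
            pol.type_transitions[(src, tgt)] = words[3]
    return pol


def exec_decision(pol, domain, exec_type):
    """Return (new_domain, checks) for `domain` execing a file of type `exec_type`.
    checks is a list of (src, tgt, class, perm, granted) in evaluation order:
    no type_transition rule -> the caller stays put and needs file:execute_no_trans;
    a type_transition rule -> the caller needs process:transition to the new
    domain and the new domain needs file:entrypoint on the executable.
    file:execute is checked for the caller either way."""
    new = pol.type_transitions.get((domain, exec_type), domain)
    needed = [(domain, exec_type, "file", "execute")]
    if new == domain:
        needed.append((domain, exec_type, "file", "execute_no_trans"))
    else:
        needed.append((domain, new, "process", "transition"))
        needed.append((new, exec_type, "file", "entrypoint"))
    checks = [(s, t, c, p, (s, t, c, p) in pol.allows) for (s, t, c, p) in needed]
    return new, checks


def denials(checks):
    """The (src, tgt, class, perm) tuples that would show up as avc: denied."""
    return [(s, t, c, p) for (s, t, c, p, ok) in checks if not ok]


# The rules as quoted in the post ('...' stands for the lines elided there).
POSTED_RULES = """
allow snort_agent_t snort_exec_t:file { read execute entrypoint };
...
allow snort_agent_t snort_t:process transition;
"""

# Assumed: the same rules plus what domain_auto_trans(snort_agent_t,
# snort_exec_t, snort_t) would add. The entrypoint goes to the *new* domain;
# the entrypoint granted to snort_agent_t in the post does not help here.
TRANSITION_RULES = POSTED_RULES + """
allow snort_t snort_exec_t:file entrypoint;
type_transition snort_agent_t snort_exec_t:process snort_t;
"""

# Constructed counterpart to the kernel-install message on this page: the
# transition is computed but process:transition was never allowed, so the
# denial is on { transition } with tclass=process. lvm_exec_t is assumed.
BOOTLOADER_RULES = """
allow bootloader_t lvm_exec_t:file { read execute };
allow lvm_t lvm_exec_t:file entrypoint;
type_transition bootloader_t lvm_exec_t:process lvm_t;
"""


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("with type_transition", TRANSITION_RULES)):
        new, checks = exec_decision(load_policy(text), "snort_agent_t", "snort_exec_t")
        print(f"{name}: new domain {new}, denied {denials(checks) or 'nothing'}")
```

With the posted rules the model reproduces the AVC in the question (execute_no_trans denied, process still snort_agent_t); with the type_transition added, every check passes and the new domain is snort_t.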