February 2006 - selinux - Fedora Mailing-Lists

Error sending status request (Operation not permitted)

by Bruce Ecroyd

I recently switched from FC4 targeted (enforcing) to strict (permissive) using selinux-policy-strict-1.27.1-2.16.noarch.rpm. I did a touch /.autorelabel before rebooting. I see this: [bruce@BorgCube ~]$ su - Password: Error sending status request (Operation not permitted) [root@BorgCube ~]# The last part of the /var/log/audit/audit.log shows: type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5 success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su" type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for pid=8250 comm="su" name=root dev=dm-0 ino=11392129 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir type=SYSCALL msg=audit(1138247001.111:13162967): arch=40000003 syscall=207 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=8250 auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su" type=AVC msg=audit(1138247001.111:13162967): avc: denied { setattr } for pid=8250 comm="su" name=.xauthVpNVFy dev=dm-0 ino=11392172 scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file type=USER msg=audit(1138247001.325:13165423): user pid=8250 uid=501 auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/2 result=Success)' Any ideas? If I change to strict, enforcing, will this prevent me from su to root? Bruce

18 years, 2 months

2
1
0 / 0

du confusion

by Russell Coker

du currently displays the total count of blocks used for the file including block(s) for XATTRs. This means that every file is reported as having a block used for the security.selinux XATTR (even though those blocks are shared extensively on typical SE Linux systems). A more useful display on SE Linux systems is to have the --apparent-size option of du enabled. I suggest that we have a default install of Fedora alias "du" to "du --apparent-size". Currently in a default install we have rm aliased to "rm -i" (and similar for mv and cp), so it seems that there is a good precedent for this sort of thing. What do you think? -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page

18 years, 2 months

5
7
0 / 0

context not inherited on mounted FS

by Dovydas Sankauskas

I have dir $ l -dZ /home/dovydas/muzika drwxrwxr-x dovydas dovydas user_u:object_r:user_home_t /home/dovydas/muzika/ I mount here external usb hdd $ mount /dev/sda1 on /home/dovydas/muzika type xfs (rw,noexec) When I do $ touch /home/dovydas/muzika/sample I get $ l -Z /home/dovydas/muzika/sample -rw-rw-r-- dovydas dovydas system_u:object_r:file_t /home/dovydas/muzika/sample Why context is not inherited? How can I solve this problem? I saw this problem, when I tried to connect to my computer via ftp. I simply can not see file "sample" via ftp. I can create a subdir, but i can not see it. All other dirs are allright, except this one /home/dovydas/muzika, which is mounted external hdd. -- Dovydas Sankauskas

18 years, 2 months

2
2
0 / 0

Curious Behavior doing routine redirection of ping output to file...

by selinux.funchords＠spameater.org

I'm not exactly a "newbie," but I'm diving a lot deeper than I ever have. This one has me a little wrapped around the axel, and if someone could help clear the fog, I'd appreciate it. The short version: I'm trying to redirect the output of ping to a file. I get a 0 byte file as a result. Where I am now: When selinux is permissive, it works as I expect it to. When this started, I had no idea that selinux was running or even what it was, exactly (I've been running this system for about two weeks). I've learned a lot since then. But I haven't figured out how to do anything other than flip bits on existing boolean rules and change the sestatus mode. For example, how do I fix the above problem? Current version: 2.6.14-1.1653_FC4 with selinux in targeted/enforced. When this began, I posted a message to www.fedoraforum.org ( http://www.fedoraforum.org/forum/showthread.php?t=88238 ) with the title, "BASH: How to redirect ping output to file?" Later, I found this from from /var/log/audit/audit.log ... type=AVC msg=audit(1134599953.748:32): avc: denied { write } for pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895 scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t tclass=file type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11 success=yes exit=0 a0=8d64360 a1=8d56400 a2=8d51520 a3=1 items=2 pid=5503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping" type=AVC_PATH msg=audit(1134599953.748:32): path="/root/pingoutput2" type=CWD msg=audit(1134599953.748:32): cwd="/root" type=PATH msg=audit(1134599953.748:32): item=0 name="/bin/ping" flags=101 inode=5499653 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1134599953.748:32): item=1 flags=101 inode=5892482 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 ... and I discovered the commands audit2why and audit2allow, which has this example in the audit2allow man pages ... $ cd /etc/selinux/$(SELINUXTYPE)/src/policy $ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te <review domains/misc/local.te and customize as desired> $ make load ... and that's where my zero-byte stack blows. I have no src directory under /etc/selinux/targeted, nor do I have anything at all on my system named domains. Still, I tried to follow the advice by mdkir'ing the necessary directories and creating a local.te file with the recommended "allow ping_t user_home_t:file write;" line in it. Then I typed 'make load' and I really think I actually heard something laugh at me. This is the way I learn best, and this isn't anything more than a curiousity to me. But from what I've told you so far, can you point me into the right direction? I did search the archive for this list, as well as the FC3 (which also seemed to point to these directories that I don't have). Thanks! Robb Topolski robb(at)funchords(dot)com http://www.funchords.com

18 years, 2 months

7
9
0 / 0

Red Hat SE Linux Opening

by Steve G

Hi, I just wanted to let everyone know that Red Hat has a SE Linux programming job available. If you're interested, please take a look: http://redhat.hrdpt.com/cgi-bin/a/highlightjob.cgi?jobid=1049 -Steve __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

18 years, 2 months

1
0
0 / 0

error in 'make load'

by gf

Hi, I am trying to update the httpd policy in selinux to allow access to port 8443. I thought that I could add the line portcon tcp 8443 system_u:object_r:http_port_t to the file /etc/selinux/targeted/src/policy/net_contents and recompile. My first step was to download the sources: selinux-policy-targeted-sources-1.17.30-2.110.rpm and install. To check whether or not everthing was working, I tried the following without altering any files: [$ /etc/selinux/targeted/src/policy]:make load mkdir -p /etc/selinux/targeted/policy /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf /usr/bin/checkpolicy: loading policy configuration from policy.conf tmp/program_used_flags.te:2:ERROR 'syntax error' at token '/etc/selinux/targeted/src/policy/domains/program' on line 1164: /etc/selinux/targeted/src/policy/domains/program #line 1 "tmp/program_used_flags.te" /usr/bin/checkpolicy: error(s) encountered while parsing configuration make: *** [/etc/selinux/targeted/policy/policy.18] Error 1 I am a newbie with regard to selinux and would really appreciate some help diagnosing and correcting this error so that I can make my desired changes. I am using Scientific Linux 4 (a variant of RHEL4). Thanks for your help. -g

18 years, 2 months

3
5
0 / 0

[Fwd: [Fwd: Leveraging Security-Enhanced Linux in Your Data Center]]

by Daniel J Walsh

-------- Original Message -------- Subject: Leveraging Security-Enhanced Linux in Your Data Center Date: Thu, 16 Feb 2006 14:03:25 UT From: Ziff Davis Media <linux(a)enews.eweek.com> Reply-To: linux(a)enews.eweek.com To: rob(a)kenna.net Ziff Davis Media eSeminars: The Online Seminar Standard Leveraging Security-Enhanced Linux in Your Data Center February 23, 2005 @ 2:00 p.m. Eastern/11:00 a.m. Pacific Duration: 60 minutes Register & Attend Online http://ct.enews.eweek.com/rd/cts?d=186-3220-8-252-47659-378051-0-0-0-1 If you are unable to attend the live event you may still register and will receive an e-mail when the on-demand version becomes available. Event Overview: Security-Enhanced Linux is generating industry buzz, but what can it do for you and your data center? The threats to your systems range from well-meaning, innocent employee blunders to deliberate, well-organized attacks by foreign governments. You can reasonably and effectively leverage the latest available operating system technology to protect your data and systems. And, because it is Linux, you'll be using a well-supported, yet economical OS to mount your defenses. Join this live, interactive eSeminar and hear speakers from Red Hat and Intel discuss best practices, standards, options and platforms that create a secure network system. You'll understand the development and benefits of Security-Enhanced Linux and come away with solid and practical information you can immediately put to use. You'll have access to downloadable white papers and other information you can use. Join us for this event and you'll learn: * How tools like Position Independent Executables protect your servers * How to protect against exploitable application security weaknesses * How Execute Disable protects against buffer overflow attacks * What application families and hardware suites can take advantage of Security-Enhanced Linux * Why Security-Enhanced Linux is safe, practical and necessary * Which capabilities in the new emerging Intel platforms will help with deploying security in the enterprise environment Featured Speakers: Reinier Tuinzing, World Wide Government Market Segment Marketing Manager, Customer Solutions Group - Intel Corporation Chris Runge, Technical Director, Red Hat Government - Red Hat, Inc. Frank Derfler, VP, Market Experts Group - Ziff Davis Media Sponsored by Red Hat, Inc. & Intel Corporation Register & Attend Online http://ct.enews.eweek.com/rd/cts?d=186-3220-8-252-47659-378051-0-0-0-1 Please visit www.eSeminarslive.com for a complete list of upcoming Ziff Davis Internet eSeminars. If you have already registered for these eSeminars, please ignore this message. Feel free to pass this e-mail along to other colleagues on your team who may have an interest in attending the eSeminar above. If you have problems with your registration, send e-mail to: mailto:eSeminars@ziffdavis.com ========================================================= eNewsletter Information ========================================================= You are subscribed to this newsletter with the e-mail address rob(a)kenna.net. TO UNSUBSCRIBE, click here: http://ct.enews.eweek.com/rd/cts?d=186-3220-8-252-47659-378054-0-0-0-1&em... To change your HTML/text preferences, change your e-mail address or subscribe to other eNewsletters from Ziff Davis Media, click here: http://ct.enews.eweek.com/rd/cts?d=186-3220-8-252-47659-378057-0-0-0-1 Copyright (c) 2006 Ziff Davis Media Inc. All Rights Reserved. Ziff Davis Media Inc., 28 East 28th Street, New York, NY 10016 -- Robert Kenna / Red Hat Sr Product Mgr - Storage 10 Technology Park Drive Westford, MA 01886 o: (978) 392-2410 (x22410) f: (978) 392-1001 c: (978) 771-6314 rkenna(a)redhat.com

18 years, 2 months

2
1
0 / 0

KDE Screensaver

by Mike Leahy

Hello list, I just asked about this problem earlier on fedora-test-list. When I try to open the screensaver settings in Fedora test list, I got a message related to denied access to libGL.so.1. Rahul clued me into realizing that this is an SELinux issue. I set SELinux to permissive, and this allowed me to open/edit the KDE screensaver settings. Is there anything I should do to try changing the policies and/or is this already a known issue? Thanks for any suggestions, Mike type=USER_AUTH msg=audit(1140153148.074:1925): user pid=11876 uid=500 auid=500 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/5 res=success)' type=USER_ACCT msg=audit(1140153148.074:1926): user pid=11876 uid=500 auid=500 msg='PAM: accounting acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/5 res=success)' type=USER_START msg=audit(1140153148.190:1927): user pid=11876 uid=500 auid=500 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/5 res=success)' type=CRED_ACQ msg=audit(1140153148.190:1928): user pid=11876 uid=500 auid=500 msg='PAM: setcred acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/5 res=success)' type=AVC msg=audit(1140153183.272:1929): avc: denied { execstack } for pid=11897 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1140153183.272:1929): arch=40000003 syscall=125 success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=11897 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit" type=AVC msg=audit(1140153183.272:1930): avc: denied { execstack } for pid=11897 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1140153183.272:1930): arch=40000003 syscall=125 success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=11897 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit" type=AVC msg=audit(1140153211.694:1931): avc: denied { execstack } for pid=11900 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1140153211.694:1931): arch=40000003 syscall=125 success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=11900 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit" type=AVC msg=audit(1140153211.694:1932): avc: denied { execstack } for pid=11900 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1140153211.694:1932): arch=40000003 syscall=125 success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=11900 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit" type=AVC msg=audit(1140153246.196:1933): avc: denied { execstack } for pid=11903 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1140153246.196:1933): arch=40000003 syscall=125 success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=11903 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit" type=AVC msg=audit(1140153246.196:1934): avc: denied { execstack } for pid=11903 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1140153246.196:1934): arch=40000003 syscall=125 success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=11903 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit"

18 years, 2 months

2
3
0 / 0

caught SIGTERM, shutting down

by pine oil

Hi, I upgraded FC4 files with 'yum -y ugrade' last night. After rebooting, I can't start httpd with selinux on (enforcing) with the following error message in /var/log/httpd: [Sat Feb 18 09:26:13 2006] [notice] caught SIGTERM, shutting down I have no problem starting httpd with selinux permissive. What could be the problem causing this error? pine

18 years, 2 months

2
1
0 / 0

Why is only 127.0.0.1 (out of 127.0.0.0/8) a node_lo_t in policy?

by Bruno Wolff III

I was trying to understand selinux better and was looking through the policy sources and noticed that out of the loopback address space only 127.0.0.1 was given a local node type with the following: nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t I would have expected a netmask of 255.0.0.0 in the above. Is this a trade off of mistakes when people use a nonstandard network mask for loopback versus potentially having to modify the policy when running services on loopback addresses other than 127.0.0.1? (Which one might want to do to reuse a standard port number when providing local services.)

18 years, 2 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux February 2006