Error sending status request (Operation not permitted)
by Bruce Ecroyd
I recently switched from FC4 targeted (enforcing) to strict (permissive)
using selinux-policy-strict-1.27.1-2.16.noarch.rpm.
I did a touch /.autorelabel before rebooting.
I see this:
[bruce@BorgCube ~]$ su -
Password:
Error sending status request (Operation not permitted)
[root@BorgCube ~]#
The last part of the /var/log/audit/audit.log shows:
type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5
success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250
auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100
fsgid=100 comm="su" exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for
pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t
tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for
pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t
tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for
pid=8250 comm="su" name=root dev=dm-0 ino=11392129
scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t
tclass=dir
type=SYSCALL msg=audit(1138247001.111:13162967): arch=40000003 syscall=207
success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=8250 auid=4294967295
uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su"
exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162967): avc: denied { setattr } for
pid=8250 comm="su" name=.xauthVpNVFy dev=dm-0 ino=11392172
scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t
tclass=file
type=USER msg=audit(1138247001.325:13165423): user pid=8250 uid=501
auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?,
addr=?, terminal=pts/2 result=Success)'
Any ideas?
If I change to strict, enforcing, will this prevent me from su to root?
Bruce
18 years, 2 months
du confusion
by Russell Coker
du currently displays the total count of blocks used for the file including
block(s) for XATTRs. This means that every file is reported as having a
block used for the security.selinux XATTR (even though those blocks are
shared extensively on typical SE Linux systems).
A more useful display on SE Linux systems is to have the --apparent-size
option of du enabled. I suggest that we have a default install of Fedora
alias "du" to "du --apparent-size".
Currently in a default install we have rm aliased to "rm -i" (and similar for
mv and cp), so it seems that there is a good precedent for this sort of
thing.
What do you think?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
18 years, 2 months
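To see the difference Russell describes, the following Python function is an added example (not from the post) that sums st_size, which is what du --apparent-size reports, and st_blocks * 512, the allocated block count behind du's default output, over a directory tree. The sample tree is constructed in a temporary directory; the function itself works on real paths too, and on filesystems that charge a block for the security.selinux xattr the allocated figure is where that block shows up.

```python
"""Compare du's block-based size with --apparent-size for a directory tree."""
import os
import tempfile


def du_sizes(path):
    """Return (apparent_bytes, allocated_bytes) for regular files under path.

    apparent_bytes sums st_size (what du --apparent-size reports);
    allocated_bytes sums st_blocks * 512, the allocated block count that du
    reports by default, which includes whatever the filesystem charges to the
    file beyond its data (on SE Linux systems, possibly an xattr block).
    """
    apparent = allocated = 0
    seen = set()
    for root, _dirs, files in os.walk(path):
        for name in files:
            st = os.lstat(os.path.join(root, name))
            if (st.st_dev, st.st_ino) in seen:  # count hard links once, like du
                continue
            seen.add((st.st_dev, st.st_ino))
            apparent += st.st_size
            allocated += st.st_blocks * 512
    return apparent, allocated


def make_sample_tree():
    """Constructed input: a tree with a 10-byte file and a 20000-byte file."""
    d = tempfile.mkdtemp(prefix="du-demo-")
    with open(os.path.join(d, "small"), "wb") as f:
        f.write(b"0123456789")
    os.mkdir(os.path.join(d, "sub"))
    with open(os.path.join(d, "sub", "big"), "wb") as f:
        f.write(os.urandom(20000))  # random so no filesystem compresses it
    return d


if __name__ == "__main__":
    tree = make_sample_tree()
    apparent, allocated = du_sizes(tree)
    print(f"{tree}: apparent={apparent} bytes, allocated={allocated} bytes")
```

The allocated figure is always a multiple of 512 and, for ordinary non-sparse files, at least the apparent size; the gap between the two is what the proposed alias would hide.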
context not inherited on mounted FS
by Dovydas Sankauskas
I have a dir
$ l -dZ /home/dovydas/muzika
drwxrwxr-x dovydas dovydas user_u:object_r:user_home_t
/home/dovydas/muzika/
I mount an external usb hdd here
$ mount
/dev/sda1 on /home/dovydas/muzika type xfs (rw,noexec)
When I do
$ touch /home/dovydas/muzika/sample
I get
$ l -Z /home/dovydas/muzika/sample
-rw-rw-r-- dovydas dovydas system_u:object_r:file_t
/home/dovydas/muzika/sample
Why is the context not inherited? How can I solve this problem? I saw this
problem when I tried to connect to my computer via ftp. I simply cannot
see the file "sample" via ftp. I can create a subdir, but I cannot
see it. All other dirs are all right, except this one,
/home/dovydas/muzika, which is the mounted external hdd.
--
Dovydas Sankauskas
18 years, 2 months
Curious Behavior doing routine redirection of ping output to file...
by selinux.funchords@spameater.org
I'm not exactly a "newbie," but I'm diving a lot deeper than
I ever have. This one has me a little wrapped around the axle, and
if someone could help clear the fog, I'd appreciate it.
The short version:
I'm trying to redirect the output of ping to a file. I get a 0
byte file as a result.
Where I am now:
When selinux is permissive, it works as I expect it to.
When this started, I had no idea that selinux was running or even what
it was, exactly (I've been running this system for about two weeks).
I've learned a lot since then. But I haven't figured out how to do
anything other than flip bits on existing boolean rules and change
the sestatus mode. For example, how do I fix the above problem?
Current version: 2.6.14-1.1653_FC4 with selinux in targeted/enforced.
When this began, I posted a message to www.fedoraforum.org
( http://www.fedoraforum.org/forum/showthread.php?t=88238 )
with the title, "BASH: How to redirect ping output to file?"
Later, I found this in /var/log/audit/audit.log ...
type=AVC msg=audit(1134599953.748:32): avc: denied { write } for
pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895
scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11
success=yes exit=0 a0=8d64360 a1=8d56400 a2=8d51520 a3=1 items=2
pid=5503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="ping" exe="/bin/ping"
type=AVC_PATH msg=audit(1134599953.748:32): path="/root/pingoutput2"
type=CWD msg=audit(1134599953.748:32): cwd="/root"
type=PATH msg=audit(1134599953.748:32): item=0 name="/bin/ping"
flags=101 inode=5499653 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1134599953.748:32): item=1 flags=101 inode=5892482
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
... and I discovered the commands audit2why and audit2allow, which has
this example in the audit2allow man pages ...
$ cd /etc/selinux/$(SELINUXTYPE)/src/policy
$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te
<review domains/misc/local.te and customize as desired>
$ make load
... and that's where my zero-byte stack blows.
I have no src directory under /etc/selinux/targeted, nor do I have
anything at all on my system named domains. Still, I tried to follow
the advice by mkdir'ing the necessary directories and creating a
local.te file with the recommended "allow ping_t user_home_t:file write;"
line in it.
Then I typed 'make load' and I really think I actually heard something
laugh at me.
This is the way I learn best, and this isn't anything more than a
curiosity to me. But from what I've told you so far, can you point
me in the right direction?
I did search the archive for this list, as well as the FC3 (which
also seemed to point to these directories that I don't have).
Thanks!
Robb Topolski
robb(at)funchords(dot)com
http://www.funchords.com
18 years, 2 months
error in 'make load'
by gf
Hi,
I am trying to update the httpd policy in selinux to allow access to port 8443.
I thought that I could add the line
portcon tcp 8443 system_u:object_r:http_port_t
to the file
/etc/selinux/targeted/src/policy/net_contents
and recompile.
My first step was to download the sources:
selinux-policy-targeted-sources-1.17.30-2.110.rpm
and install.
To check whether or not everything was working, I tried the following
without altering any files:
[$ /etc/selinux/targeted/src/policy]:make load
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
tmp/program_used_flags.te:2:ERROR 'syntax error' at token
'/etc/selinux/targeted/src/policy/domains/program' on line 1164:
/etc/selinux/targeted/src/policy/domains/program
#line 1 "tmp/program_used_flags.te"
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
I am a newbie with regard to selinux and would really appreciate some
help diagnosing and correcting this error so that I can make my
desired changes.
I am using Scientific Linux 4 (a variant of RHEL4).
Thanks for your help.
-g
18 years, 2 months
[Fwd: [Fwd: Leveraging Security-Enhanced Linux in Your Data Center]]
by Daniel J Walsh
-------- Original Message --------
Subject: Leveraging Security-Enhanced Linux in Your Data Center
Date: Thu, 16 Feb 2006 14:03:25 UT
From: Ziff Davis Media <linux(a)enews.eweek.com>
Reply-To: linux(a)enews.eweek.com
To: rob(a)kenna.net
Ziff Davis Media eSeminars: The Online Seminar Standard
Leveraging Security-Enhanced Linux in Your Data Center
February 23, 2005 @ 2:00 p.m. Eastern/11:00 a.m. Pacific
Duration: 60 minutes
Register & Attend Online
http://ct.enews.eweek.com/rd/cts?d=186-3220-8-252-47659-378051-0-0-0-1
If you are unable to attend the live event you may still register and
will receive an e-mail when the on-demand version becomes available.
Event Overview:
Security-Enhanced Linux is generating industry buzz, but what can it do
for you and your data center? The threats to your systems range from
well-meaning, innocent employee blunders to deliberate, well-organized
attacks by foreign governments. You can reasonably and effectively
leverage the latest available operating system technology to protect
your data and systems. And, because it is Linux, you'll be using a
well-supported, yet economical OS to mount your defenses.
Join this live, interactive eSeminar and hear speakers from Red Hat and
Intel discuss best practices, standards, options and platforms that
create a secure network system. You'll understand the development and
benefits of Security-Enhanced Linux and come away with solid and
practical information you can immediately put to use. You'll have access
to downloadable white papers and other information you can use.
Join us for this event and you'll learn:
* How tools like Position Independent Executables protect your servers
* How to protect against exploitable application security weaknesses
* How Execute Disable protects against buffer overflow attacks
* What application families and hardware suites can take advantage
of Security-Enhanced Linux
* Why Security-Enhanced Linux is safe, practical and necessary
* Which capabilities in the new emerging Intel platforms will help
with deploying security in the enterprise environment
Featured Speakers:
Reinier Tuinzing, World Wide Government Market Segment Marketing
Manager, Customer Solutions Group - Intel Corporation
Chris Runge, Technical Director, Red Hat Government - Red Hat, Inc.
Frank Derfler, VP, Market Experts Group - Ziff Davis Media
Sponsored by Red Hat, Inc. & Intel Corporation
Register & Attend Online
http://ct.enews.eweek.com/rd/cts?d=186-3220-8-252-47659-378051-0-0-0-1
Please visit www.eSeminarslive.com
for a complete list of upcoming Ziff Davis Internet eSeminars.
--
Robert Kenna / Red Hat
Sr Product Mgr - Storage
10 Technology Park Drive
Westford, MA 01886
o: (978) 392-2410 (x22410)
f: (978) 392-1001
c: (978) 771-6314
rkenna(a)redhat.com
18 years, 2 months
KDE Screensaver
by Mike Leahy
Hello list,
I just asked about this problem earlier on fedora-test-list. When I tried
to open the screensaver settings in Fedora test list, I got a message
related to denied access to libGL.so.1. Rahul clued me into realizing
that this is an SELinux issue. I set SELinux to permissive, and this
allowed me to open/edit the KDE screensaver settings.
Is there anything I should do to try changing the policies and/or is
this already a known issue?
Thanks for any suggestions,
Mike
type=USER_AUTH msg=audit(1140153148.074:1925): user pid=11876 uid=500
auid=500 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?,
addr=?, terminal=pts/5 res=success)'
type=USER_ACCT msg=audit(1140153148.074:1926): user pid=11876 uid=500
auid=500 msg='PAM: accounting acct=root : exe="/bin/su" (hostname=?,
addr=?, terminal=pts/5 res=success)'
type=USER_START msg=audit(1140153148.190:1927): user pid=11876 uid=500
auid=500 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?,
addr=?, terminal=pts/5 res=success)'
type=CRED_ACQ msg=audit(1140153148.190:1928): user pid=11876 uid=500
auid=500 msg='PAM: setcred acct=root : exe="/bin/su" (hostname=?,
addr=?, terminal=pts/5 res=success)'
type=AVC msg=audit(1140153183.272:1929): avc: denied { execstack } for
pid=11897 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1140153183.272:1929): arch=40000003 syscall=125
success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0
pid=11897 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit"
type=AVC msg=audit(1140153183.272:1930): avc: denied { execstack } for
pid=11897 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1140153183.272:1930): arch=40000003 syscall=125
success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0
pid=11897 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit"
type=AVC msg=audit(1140153211.694:1931): avc: denied { execstack } for
pid=11900 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1140153211.694:1931): arch=40000003 syscall=125
success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0
pid=11900 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit"
type=AVC msg=audit(1140153211.694:1932): avc: denied { execstack } for
pid=11900 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1140153211.694:1932): arch=40000003 syscall=125
success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0
pid=11900 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit"
type=AVC msg=audit(1140153246.196:1933): avc: denied { execstack } for
pid=11903 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1140153246.196:1933): arch=40000003 syscall=125
success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0
pid=11903 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit"
type=AVC msg=audit(1140153246.196:1934): avc: denied { execstack } for
pid=11903 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1140153246.196:1934): arch=40000003 syscall=125
success=no exit=-13 a0=bfc01000 a1=1000 a2=1000007 a3=fffff000 items=0
pid=11903 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 comm="kcmshell" exe="/usr/bin/kdeinit"
18 years, 2 months
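The denials quoted in Bruce's, Robb's and Mike's posts above all have the same AVC record shape, and the rule audit2allow derives from them is mechanical: group the denied permissions by source type, target type and object class, then print one allow rule per group. The Python script below is an added example (not part of any post and not the audit2allow implementation) that does exactly that; its sample log is constructed from the lines quoted above, re-joined onto one line per record as audit.log actually writes them. Whether a generated rule should be loaded is a separate judgement: the ping_t rule Robb found is a narrow file write into a home directory, whereas an execstack denial against unconfined_t normally points at a library that was built with an executable stack, which is better fixed in the library than allowed in policy.

```python
"""Parse SELinux AVC records from audit.log and summarise the denials."""
import re
from collections import defaultdict

# Constructed sample: the su, ping and kcmshell denials quoted in the posts
# above, one record per line as audit.log writes them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for pid=8250 comm="su" name=root dev=dm-0 ino=11392129 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11 success=yes exit=0 pid=5503 comm="ping" exe="/bin/ping"
type=AVC msg=audit(1134599953.748:32): avc: denied { write } for pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895 scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t tclass=file
type=AVC msg=audit(1140153183.272:1929): avc: denied { execstack } for pid=11897 comm="kcmshell" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
"""

# Header of an AVC record; the permission list sits between the braces and
# the remaining key=value fields follow "for".
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
# key=value pairs; values may be quoted (name="pingoutput2") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A context is user:role:type[:mls]; the type is the third component.
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarise(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            grouped[key].update(rec['perms'])
    return {k: sorted(v) for k, v in grouped.items()}


def allow_rules(log_text):
    """Render each denied group as the TE allow rule audit2allow would propose."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarise(log_text).items()):
        perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against the constructed log it prints four rules, among them "allow ping_t user_home_t:file write;", the line Robb was told to put in local.te, and "allow user_t sysadm_home_dir_t:dir { add_name write };" for the su case. Note that the su records in Bruce's post carry success=yes because the box was permissive: the denial was logged but the operation went ahead, which is exactly what the summary is for before switching to enforcing.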
caught SIGTERM, shutting down
by pine oil
Hi,
I upgraded FC4 files with 'yum -y upgrade' last night.
After rebooting, I can't start httpd with selinux on (enforcing) with
the following error message in /var/log/httpd:
[Sat Feb 18 09:26:13 2006] [notice] caught SIGTERM, shutting down
I have no problem starting httpd with selinux permissive.
What could be the problem causing this error?
pine
18 years, 2 months
Why is only 127.0.0.1 (out of 127.0.0.0/8) a node_lo_t in policy?
by Bruno Wolff III
I was trying to understand selinux better and was looking through the
policy sources and noticed that out of the loopback address space only
127.0.0.1 was given a local node type with the following:
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t
I would have expected a netmask of 255.0.0.0 in the above.
Is this a trade off of mistakes when people use a nonstandard network
mask for loopback versus potentially having to modify the policy when
running services on loopback addresses other than 127.0.0.1? (Which one
might want to do to reuse a standard port number when providing local
services.)
18 years, 2 months
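gf's portcon line and Bruno's nodecon line are both network object contexts, and they are resolved the same way: the statements are walked in policy order and the first one whose port range or address/netmask matches supplies the label, otherwise the default port or node type applies. The Python below is an added example (neither the policy compiler nor the kernel's lookup code) that parses a small constructed net_contexts excerpt and resolves ports and addresses against it; with it you can check why 127.0.0.2 is not node_lo_t under the 255.255.255.255 mask and what Bruno's expected 255.0.0.0 mask would do. The sample port ranges and the defaults port_t and node_t are assumptions for the demo, not copied from a real policy. On later policy releases the port mapping is managed with semanage port rather than by editing net_contexts, but the matching semantics are the same.

```python
"""Resolve port and node labels from SELinux portcon/nodecon statements."""
import ipaddress
import re

# Constructed excerpt in net_contexts syntax; ranges and types are illustrative.
SAMPLE_NET_CONTEXTS = """\
# ports
portcon tcp 80 system_u:object_r:http_port_t
portcon tcp 443 system_u:object_r:http_port_t
portcon tcp 8080 system_u:object_r:http_cache_port_t
portcon tcp 8443 system_u:object_r:http_port_t
portcon tcp 1024-65535 system_u:object_r:port_t
# nodes (as in the post: only 127.0.0.1 itself is node_lo_t)
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t
"""

PORTCON_RE = re.compile(r'^portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+(\S+)$')
NODECON_RE = re.compile(r'^nodecon\s+(\S+)\s+(\S+)\s+(\S+)$')


def parse_net_contexts(text):
    """Return ([(proto, low, high, ctx)], [(IPv4Network, ctx)]) in policy order."""
    ports, nodes = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = PORTCON_RE.match(line)
        if m:
            proto, lo, hi, ctx = m.groups()
            ports.append((proto, int(lo), int(hi or lo), ctx))
            continue
        m = NODECON_RE.match(line)
        if m:
            addr, mask, ctx = m.groups()
            # ipaddress accepts a dotted netmask, so 127.0.0.1/255.255.255.255 is /32
            nodes.append((ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), ctx))
            continue
        raise ValueError(f"unrecognised statement: {line}")
    return ports, nodes


def type_of(ctx):
    """Type component of a user:role:type context."""
    return ctx.split(':')[2]


def port_type(ports, proto, port, default='port_t'):
    """First matching portcon wins; unmatched ports get the default type."""
    for p, lo, hi, ctx in ports:
        if p == proto and lo <= port <= hi:
            return type_of(ctx)
    return default


def node_type(nodes, address, default='node_t'):
    """First matching nodecon wins; unmatched addresses get the default type."""
    addr = ipaddress.IPv4Address(address)
    for net, ctx in nodes:
        if addr in net:
            return type_of(ctx)
    return default


if __name__ == "__main__":
    ports, nodes = parse_net_contexts(SAMPLE_NET_CONTEXTS)
    print("tcp/8443 ->", port_type(ports, 'tcp', 8443))
    print("127.0.0.1 ->", node_type(nodes, '127.0.0.1'))
    print("127.0.0.2 ->", node_type(nodes, '127.0.0.2'))
```

Because the excerpt lists the specific ports before the 1024-65535 catch-all, tcp/8443 resolves to http_port_t; moved after the catch-all it would resolve to port_t, which is the ordering point to keep in mind when appending to net_contexts. Replacing the nodecon mask with 255.0.0.0 makes every 127.x.y.z address node_lo_t, the trade-off Bruno asks about.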