reject of org.freedesktop.PackageKit.Transaction
by Gabriele Pohl
Hi,
I got the following error message from
PackageKit today:
"A security policy in place prevents this sender from sending this
message to this recipient, see message bus configuration file (rejected
message had interface "org.freedesktop.PackageKit.Transaction" member
"Cancel" error name "(unset)" destination "org.freedesktop.PackageKit")"
What shall I do to solve it?
Which configuration file is meant?
/etc/dbus-1/:
-rw-r--r-- 1 root root 2524 5. Dez 21:14 session.conf
drwxr-xr-x 2 root root 4096 5. Dez 21:14 session.d
-rw-r--r-- 1 root root 3368 5. Dez 21:14 system.conf
drwxr-xr-x 2 root root 4096 5. Dez 21:14 system.d
ls -lR /etc/dbus-1/system.d/org.freedesktop.*
-rw-r--r-- 1 root root 396 6. Sep 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKitAptBackend.conf
-rw-r--r-- 1 root root 610 6. Sep 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
-rw-r--r-- 1 root root 573 6. Sep 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKitTestBackend.conf
-rw-r--r-- 1 root root 396 6. Sep 11:55 /etc/dbus-1/system.d/org.freedesktop.PackageKitYumBackend.conf
-rw-r--r-- 1 root root 365 30. Jun 18:02 /etc/dbus-1/system.d/org.freedesktop.PolicyKit.conf
rpm -qa | grep policy
seedit-policy-2.2.0-2.fc9.i386
selinux-policy-3.3.1-111.fc9.noarch
checkpolicy-2.0.16-3.fc9.i386
policycoreutils-gui-2.0.52-8.fc9.i386
selinux-policy-targeted-3.3.1-111.fc9.noarch
policycoreutils-2.0.52-8.fc9.i386
selinux-policy-devel-3.3.1-111.fc9.noarch
rpm -q dbus
dbus-1.2.6-1.fc9.i386
-Gabriele
15 years, 4 months
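The rejection quoted above comes from dbus-daemon's per-service policy files, not from SELinux. The following is an added example (editor's code, not PackageKit's or dbus-daemon's) that evaluates a simplified model of a `<busconfig>` policy against the rejected message. The sample configuration is a constructed stand-in for a file under /etc/dbus-1/system.d/ and the rule ordering (default, then group, then user, then mandatory policies; last matching allow/deny wins) is an assumption of the model rather than a quotation of the daemon's source.

```python
"""Added example (editor's, not PackageKit's or dbus-daemon's code):
evaluate a D-Bus <busconfig> policy against the rejected message.

SAMPLE_CONF is a constructed stand-in for one file under
/etc/dbus-1/system.d/; the poster's actual file may differ. The rule
semantics are a simplified model of dbus-daemon (policies apply in the
order default, group, user, mandatory, and within that order the last
matching allow/deny wins), which is an assumption of this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: allows the top-level interface but not
# org.freedesktop.PackageKit.Transaction, reproducing the rejection.
SAMPLE_CONF = """<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.PackageKit"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.freedesktop.PackageKit"/>
    <allow send_destination="org.freedesktop.PackageKit"
           send_interface="org.freedesktop.PackageKit"/>
    <allow send_destination="org.freedesktop.PackageKit"
           send_interface="org.freedesktop.DBus.Introspectable"/>
  </policy>
</busconfig>
"""

# The message named in the error, using rule-attribute names as keys.
CANCEL_MSG = {
    "send_destination": "org.freedesktop.PackageKit",
    "send_interface": "org.freedesktop.PackageKit.Transaction",
    "send_member": "Cancel",
}

SEND_ATTRS = ("send_destination", "send_interface", "send_member",
              "send_path", "send_type")


def _matches(rule, msg):
    """A send rule matches when every send_* attribute it carries equals
    the message's field; rules without send_* (e.g. own=) never do."""
    attrs = {k: v for k, v in rule.attrib.items() if k in SEND_ATTRS}
    return bool(attrs) and all(msg.get(k) == v for k, v in attrs.items())


def evaluate_send(conf_xml, msg, user="nobody", groups=()):
    """Return (verdict, matched_rule_attrs) for sending msg as user."""
    root = ET.fromstring(conf_xml)
    ranked = []
    for pol in root.findall("policy"):
        if pol.get("context") == "default":
            rank = 0
        elif pol.get("group") in groups:
            rank = 1
        elif pol.get("user") == user:
            rank = 2
        elif pol.get("context") == "mandatory":
            rank = 3
        else:
            continue
        ranked.append((rank, pol))
    ranked.sort(key=lambda t: t[0])   # stable: file order within a rank
    # Start from deny, as the system bus does for method calls before a
    # per-service file grants access.
    verdict, matched = "deny", None
    for _, pol in ranked:
        for rule in pol:
            if rule.tag in ("allow", "deny") and _matches(rule, msg):
                verdict, matched = rule.tag, dict(rule.attrib)
    return verdict, matched


def allow_interface(conf_xml, interface,
                    destination="org.freedesktop.PackageKit"):
    """Return the config with one more default-context allow rule, the
    kind of change a service's .conf needs when it grows an interface."""
    root = ET.fromstring(conf_xml)
    for pol in root.findall("policy"):
        if pol.get("context") == "default":
            ET.SubElement(pol, "allow", send_destination=destination,
                          send_interface=interface)
            break
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(evaluate_send(SAMPLE_CONF, CANCEL_MSG))
    fixed = allow_interface(SAMPLE_CONF, "org.freedesktop.PackageKit.Transaction")
    print(evaluate_send(fixed, CANCEL_MSG))
```

The point of the exercise: the error names the interface, member and destination precisely because those are the attributes dbus-daemon matched rules on, so the file to inspect is the one in /etc/dbus-1/system.d/ that mentions the destination, and the missing piece is an allow rule for that interface.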
What is wrong when spamc is not allowed to connect to spamd?
by Göran Uddeborg
I'm gradually upgrading to Fedora 10 using yum, so I suspect this
problem might be that some package is not yet upgraded. But I can't
understand what it could be.
I'm running spamassassin using the lines
DROPPRIVS=yes
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
in /etc/procmailrc. After upgrading to the Fedora 10 policy and
spamassassin I get these AVCs:
time->Sun Dec 7 20:01:46 2008
type=SYSCALL msg=audit(1228676506.702:50): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=1358850 a2=10 a3=8 items=0 ppid=3558 pid=3559 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1228676506.702:50): avc: denied { name_connect } for pid=3559 comm="spamc" dest=783 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
I.e., spamc isn't allowed to connect to spamd's TCP socket.
Looking in the spamassassin.te source I see that spamc_t is allowed to
connect to spamd_t:unix_stream_socket but I can't see anything that
would allow it to connect to a tcp_socket of any type.
Looking at the spamassassin code, I see that spamd would create and spamc
use a unix-domain socket if given an explicit path to it, but in the
default configuration I can't see anything that would add those flags.
I've enabled spamassassin_can_network as a temporary workaround, but
that shouldn't be necessary just to use spamc, should it?
What am I missing here?
15 years, 4 months
SELinux Error with bonobo-activation-server
by Adam D. Ligas
Hey folks,
I installed the VNC server package from the Fedora repo on my F10
server, and then edited my .vnc/xstartup file to allow a normal desktop
environment.
Now, each time the server boots, Nautilus bombs out with the following
error:
"Nautilus cannot be used now, due to an unexpected error from Bonobo
when attempting to locate the factory. Killing bonobo-activation-server
and restarting Nautilus may help fix the problem".
In conjunction with this dialog box, I get the following SELinux error.
--- Begin SELinux Error ---
Summary:
SELinux is preventing ck-get-x11-serv (consolekit_t) "connectto"
unconfined_notrans_t.
Detailed Description:
SELinux denied access requested by ck-get-x11-serv. It is not expected
that this access is required by ck-get-x11-serv and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context system_u:system_r:unconfined_notrans_t:s0
Target Objects 002F746D702F2E5831312D756E69782F5831 [ unix_stream_socket ]
Source ck-get-x11-serv
Source Path /usr/libexec/ck-get-x11-server-pid
Port <Unknown>
Host boris
Source RPM Packages ConsoleKit-x11-0.3.0-2.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-26.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name boris
Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count 2
First Seen Sat 06 Dec 2008 04:40:19 PM EST
Last Seen Sun 07 Dec 2008 05:04:49 PM EST
Local ID a654e04f-23ae-4f1e-8c47-9583cd2b5c27
Line Numbers
Raw Audit Messages
node=boris type=AVC msg=audit(1228687489.309:9): avc: denied
{ connectto } for pid=2291 comm="ck-get-x11-serv"
path=002F746D702F2E5831312D756E69782F5831
scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023
tcontext=system_u:system_r:unconfined_notrans_t:s0
tclass=unix_stream_socket
node=boris type=SYSCALL msg=audit(1228687489.309:9): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bfc677c0 a2=61a160 a3=11 items=0
ppid=2290 pid=2291 auid=4294967295 uid=500 gid=504 euid=500 suid=500
fsuid=500 egid=504 sgid=504 fsgid=504 tty=(none) ses=4294967295
comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid"
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
--- End SELinux Error ---
The workaround for now is to SSH to the server, kill -9 the bonobo
process, and then restart the vncserver service. But I would like to
remove all of those steps if at all possible.
Thoughts?
- Adam
15 years, 4 months
SELinux Error Configuring Samba
by Adam D. Ligas
Hey folks,
I'm trying to setup Samba on this F10 server. To do so, I am trying to
run a program out of the "System" menu.
Menu path:
System -> Administration -> Samba
The program does not run. Instead, SELinux comes up with the following
error.
--- Begin SELinux Alert ---
Summary:
SELinux is preventing polkitd (polkit_t) "search" to ./32587
(unconfined_notrans_t).
Detailed Description:
SELinux denied access requested by polkitd. It is not expected that this
access is required by polkitd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./32587,
restorecon -v './32587'
If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:polkit_t:s0-s0:c0.c1023
Target Context unconfined_u:system_r:unconfined_notrans_t:s0
Target Objects ./32587 [ dir ]
Source polkitd
Source Path /usr/libexec/polkitd
Port <Unknown>
Host boris
Source RPM Packages PolicyKit-0.9-3.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-26.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name boris
Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count 1
First Seen Sun 07 Dec 2008 04:53:54 PM EST
Last Seen Sun 07 Dec 2008 04:53:54 PM EST
Local ID 7f00770b-bdcb-4561-8b3f-14960c89329d
Line Numbers
Raw Audit Messages
node=boris type=AVC msg=audit(1228686834.70:6634): avc: denied
{ search } for pid=32595 comm="polkitd" name="32587" dev=proc
ino=817686 scontext=system_u:system_r:polkit_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=dir
node=boris type=SYSCALL msg=audit(1228686834.70:6634): arch=40000003
syscall=5 success=no exit=-13 a0=9b55dd8 a1=8000 a2=0 a3=8000 items=0
ppid=1 pid=32595 auid=4294967295 uid=87 gid=87 euid=87 suid=87 fsuid=87
egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkitd"
exe="/usr/libexec/polkitd"
subj=system_u:system_r:polkit_t:s0-s0:c0.c1023 key=(null)
--- End SELinux Alert ---
The resolution instructions do not work as listed above. Basically, I
don't think restorecon can find the directory - I think it's made when
you try to run the program. Each time you run it, you get a separate
SELinux error with a different numbered directory at the end of the
command.
Thoughts?
- Adam
15 years, 4 months
SELinux error with icecast package
by Adam D. Ligas
Hey folks,
I've got a bunch of SELinux errors on my newly installed F10 server.
I'm a decently knowledgeable Linux user, but SELinux is pretty much over
my head at this point.
Rather than spam the IRC channel, I thought I would send a series of
messages with the various errors to this list. If this is not the
appropriate place to do this, please let me know and accept my apology
in advance.
This error occurred when installing icecast from the standard Fedora
repo. According to the GUI troubleshoot tool, it tried it more than
once.
--- Begin SELinux Alert 1 ---
Summary:
SELinux is preventing nscd (nscd_t) "read" unconfined_notrans_t.
Detailed Description:
SELinux denied access requested by nscd. It is not expected that this
access is required by nscd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:nscd_t:s0
Target Context unconfined_u:system_r:unconfined_notrans_t:s0
Target Objects pipe [ fifo_file ]
Source nscd
Source Path /usr/sbin/nscd
Port <Unknown>
Host boris
Source RPM Packages nscd-2.9-2
Target RPM Packages
Policy RPM selinux-policy-3.5.13-26.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name boris
Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count 4
First Seen Sat 06 Dec 2008 04:16:14 PM EST
Last Seen Sat 06 Dec 2008 04:16:14 PM EST
Local ID cd43cbcd-4bae-4524-b52f-f8ab36f00764
Line Numbers
Raw Audit Messages
node=boris type=AVC msg=audit(1228598174.876:203): avc: denied
{ read } for pid=5357 comm="nscd" path="pipe:[35289]" dev=pipefs
ino=35289 scontext=unconfined_u:system_r:nscd_t:s0
tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=fifo_file
node=boris type=SYSCALL msg=audit(1228598174.876:203): arch=40000003
syscall=11 success=yes exit=0 a0=8056c6b a1=bfb25c24 a2=bfb25c38 a3=0
items=0 ppid=5352 pid=5357 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="nscd" exe="/usr/sbin/nscd"
subj=unconfined_u:system_r:nscd_t:s0 key=(null)
--- End SELinux Alert ---
When I removed the package with yum, it threw this error a bunch more
times and added an additional one:
--- Begin SELinux Alert 2 ---
Summary:
SELinux prevented semanage from using the terminal 0.
Detailed Description:
SELinux prevented semanage from using the terminal 0. In most cases
daemons do not need to interact with the terminal, usually these avc
messages can be ignored. All of the confined daemons should have
dontaudit rules around using the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
selinux-policy.
If you would like to allow all daemons to interact with the terminal,
you can turn on the allow_daemons_use_tty boolean.
Allowing Access:
Changing the "allow_daemons_use_tty" boolean to true will allow this
access: "setsebool -P allow_daemons_use_tty=1."
Fix Command:
setsebool -P allow_daemons_use_tty=1
Additional Information:
Source Context unconfined_u:system_r:semanage_t:s0
Target Context unconfined_u:object_r:devpts_t:s0
Target Objects 0 [ chr_file ]
Source semanage
Source Path /usr/bin/python
Port <Unknown>
Host boris
Source RPM Packages python-2.5.2-1.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-26.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_daemons_use_tty
Host Name boris
Platform Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count 1
First Seen Sun 07 Dec 2008 04:34:19 PM EST
Last Seen Sun 07 Dec 2008 04:34:19 PM EST
Local ID 5ff62f2f-d05d-46b3-9624-b1308e1a06f6
Line Numbers
Raw Audit Messages
node=boris type=AVC msg=audit(1228685659.553:6520): avc: denied { read
write } for pid=32355 comm="semanage" name="0" dev=devpts ino=2
scontext=unconfined_u:system_r:semanage_t:s0
tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file
node=boris type=SYSCALL msg=audit(1228685659.553:6520): arch=40000003
syscall=11 success=yes exit=0 a0=8050a82 a1=bf871adc a2=0 a3=0 items=0
ppid=32354 pid=32355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3 comm="semanage" exe="/usr/bin/python"
subj=unconfined_u:system_r:semanage_t:s0 key=(null)
--- End SELinux Alert ---
The second one includes some instructions to repair the error, but it
seems to be an "all or nothing" sort of command, and it seems even
weirder to run it after I've uninstalled the package that appears to be
using it.
Thoughts?
- Adam
15 years, 4 months
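Every report in this message, and in the spamc, ck-get-x11-server-pid and polkitd threads above, boils down to one raw AVC record, and the raw record is easier to reason about than setroubleshoot's summary. The script below is an added example (editor's code, not setroubleshoot or audit2allow) that parses those records, decodes the hex-encoded path from the ConsoleKit report, derives the allow rule audit2allow would print, and sorts each denial by which check comes first. The sample lines are reassembled from the wrapped audit output quoted in these threads; the triage categories are the editor's heuristics, not advice from the posters.

```python
"""Added example (editor's code, not setroubleshoot or audit2allow):
parse raw AVC records and sort them by what kind of fix could apply.

SAMPLES are reassembled from the wrapped audit lines quoted in this
thread and in the spamc, ck-get-x11-server-pid and polkitd threads
above. The triage categories are the editor's heuristics.
"""
import re
from collections import Counter

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields the kernel hex-encodes when they contain unprintable bytes.
HEX_KEYS = {"path", "name", "comm", "exe"}

SAMPLES = [
    'type=AVC msg=audit(1228676506.702:50): avc: denied { name_connect } for pid=3559 comm="spamc" dest=783 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket',
    'node=boris type=AVC msg=audit(1228687489.309:9): avc: denied { connectto } for pid=2291 comm="ck-get-x11-serv" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_notrans_t:s0 tclass=unix_stream_socket',
    'node=boris type=AVC msg=audit(1228686834.70:6634): avc: denied { search } for pid=32595 comm="polkitd" name="32587" dev=proc ino=817686 scontext=system_u:system_r:polkit_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=dir',
    'node=boris type=AVC msg=audit(1228598174.876:203): avc: denied { read } for pid=5357 comm="nscd" path="pipe:[35289]" dev=pipefs ino=35289 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=fifo_file',
    'node=boris type=AVC msg=audit(1228685659.553:6520): avc: denied { read write } for pid=32355 comm="semanage" name="0" dev=devpts ino=2 scontext=unconfined_u:system_r:semanage_t:s0 tcontext=unconfined_u:object_r:devpts_t:s0 tclass=chr_file',
]


def _decode(key, raw):
    if raw.startswith('"'):
        return raw.strip('"')
    if key in HEX_KEYS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', raw):
        return bytes.fromhex(raw).decode("latin-1")   # NUL-led: abstract socket
    return raw


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, raw in KV_RE.findall(m.group(2)):
        rec[key] = _decode(key, raw)
    for side, prefix in (("scontext", "s"), ("tcontext", "t")):
        user, role, typ = rec[side].split(":", 3)[:3]
        rec[prefix + "role"], rec[prefix + "type"] = role, typ
    return rec


def te_rule(rec):
    """The allow rule audit2allow would derive from this one record."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {rec["stype"]} {rec["ttype"]}:{rec["tclass"]} {p};'


def triage(rec):
    """Which check comes first for this denial."""
    if rec["trole"] != "object_r":
        # Target carries a process label (a socket, pipe or /proc/<pid>
        # entry of a running process), so restorecon on the named object
        # cannot change anything; only policy or the peer's domain can.
        return "process-target"
    if rec["tclass"] in ("tcp_socket", "udp_socket") and rec["ttype"].endswith("_port_t"):
        return "port"   # source-domain booleans (getsebool -a), semanage port -l
    if rec["ttype"] == "devpts_t" and rec["tclass"] == "chr_file":
        return "tty"    # normally dontaudit-ed; rarely a real access need
    return "file"       # compare ls -Z with matchpathcon before any allow


def summarize(lines):
    """Count distinct (source type, target type, class) denials."""
    recs = [r for r in map(parse_avc, lines) if r]
    return Counter((r["stype"], r["ttype"], r["tclass"]) for r in recs)


if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_avc(line)
        print(f'{triage(rec):15} {rec["comm"]:16} {te_rule(rec)}')
```

Two things the parser makes visible that the GUI summaries do not: the ConsoleKit path decodes to a NUL-prefixed `/tmp/.X11-unix/X1`, i.e. the abstract-namespace X socket, and in the polkitd and nscd reports the target context has role `system_r`, which means the "object" is another process (here one running in unconfined_notrans_t), so the suggested `restorecon` on `./32587` under /proc has nothing to relabel.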
It's that spamass-milter thing again...
by Dan Thurman
I posted a long investigation of the interaction between
sendmail, spamassassin, and spamass-milter in Fedora
User's group. You can go there to get the full details of
that investigation, if you'd like:
Author: Daniel B. Thurman
Subject: F8 (and FX?): Sendmail, Spamassassin, and Spamass-Milter issues.
As it seems, it appears that spamass-milter is the crux of the problem:
1) Starting spamass-milter from services (/etc/init.d) fails to create a
socket
2) Starting spamass-milter does not properly set its socket security
context.
These problems appear for both F8 and F9.
But in any case, starting spamass-milter manually:
# spamass-milter -p '/var/run/spamass-milter/spamass-milter.sock' -f
But unfortunately the security context is wrong, which is:
srwxr-xr-x root root unconfined_u:object_r:var_run_r:s0
spamass-milter.sock
Even so, setroubleshoot, says to do the following:
restorecon -v '/var/run/spamass-milter/spamass-milter.sock',
Changes the security context to:
srwxr-xr-x root root system_u:object_r:spamd_var_run_t:s0
spamass-milter.sock
Which I believe is still incorrect, because being assigned to
spamd_var_run_t is, in my opinion, still not allowing sendmail rights to
access this filter.
Whatever the actual problem is, I am still getting errors in the
message/maillog log files saying that spamass-milter fails to run the
filter.
For testing, I tried to manually set the socket to: sendmail_var_t or
sendmail_t, but chcon denies permissions to do so. I am unable
to test to see what the security context actually should be.
Please note that I did not have any more problems with spamass-milter
for a while, until the latest releases of F8 have broken it. I also note
that F9 broke as well.
Can someone please help?
Thanks!
Dan Thurman
15 years, 4 months
upgrade to F10 - local memcached policy tosses error
by Craig White
Doing an upgrade to F10 reports this error when installing a package...
Updating : selinux-policy-targeted 182/397
libsepol.context_from_record: type memcached_port_t is not defined
libsepol.context_from_record: could not create context structure
(Invalid argument).
libsepol.port_from_record: could not create port structure for range
11211:11211 (tcp) (Invalid argument).
libsepol.sepol_port_modify: could not load port range 11211 - 11211
(tcp) (Invalid argument).
libsemanage.dbase_policydb_modify: could not modify record value
(Invalid argument).
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy (Invalid argument).
semodule: Failed!
grep finds the argument here...
# grep -r 11211 /etc/selinux/
/etc/selinux/targeted/modules/active/ports.local:portcon tcp 11211
system_u:object_r:memcached_port_t:s0
Is this something I need to worry about/fix? (I do use memcached in a
RAILS development application)
Craig
15 years, 4 months
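The libsepol messages above say exactly what went wrong: the rebuild merges the local port customisations in ports.local into the new policy, and one of them names a type (memcached_port_t) that the policy being loaded does not define at that point. The following is an added example (editor's code, not libsepol or semanage) that performs that check on a ports.local file before an upgrade, so the stale entry is found ahead of the failed transaction rather than during it. The file contents and the type sets are constructed to mirror the thread; on a real system the file is /etc/selinux/targeted/modules/active/ports.local and the defined types come from the loaded policy (seinfo -t, or semanage port -l). Whether to keep, drop or re-add the local entry is not settled in the thread; the check only reports which entry a rebuild will refuse.

```python
"""Added example (editor's code, not libsepol/semanage): check local
port customisations against the types a policy defines.

PORTS_LOCAL and the TYPES_* sets are constructed to mirror the error
above. On a real system read
/etc/selinux/targeted/modules/active/ports.local and take the defined
types from the loaded policy (seinfo -t or semanage port -l).
"""
import re

PORTCON_RE = re.compile(r'^portcon\s+(tcp|udp)\s+(\d+)(?:-(\d+))?\s+(\S+)\s*$')

# Constructed: the poster's entry plus a second, unrelated customisation.
PORTS_LOCAL = """\
portcon tcp 11211 system_u:object_r:memcached_port_t:s0
portcon tcp 3000 system_u:object_r:http_port_t:s0
"""
TYPES_BEFORE = {"http_port_t", "memcached_port_t"}   # constructed old policy
TYPES_AFTER = {"http_port_t"}                         # constructed new policy


def parse_ports_local(text):
    """Parse portcon statements into dicts; reject anything else loudly."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PORTCON_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a portcon statement: {line!r}")
        proto, low, high, ctx = m.groups()
        entries.append({"line": n, "proto": proto, "low": int(low),
                        "high": int(high or low), "type": ctx.split(":")[2]})
    return entries


def check_ports_local(text, policy_types, policy_ports=()):
    """Return (line, problem, detail) tuples for entries worth attention:
    a type the policy does not define, which the rebuild rejects with the
    libsepol message above, and a range the base policy already labels,
    which semanage port -a refuses to add (port -m modifies it instead).
    policy_ports is a list of (proto, low, high, type) from the base policy."""
    problems = []
    for e in parse_ports_local(text):
        if e["type"] not in policy_types:
            problems.append((e["line"], "undefined type", e["type"]))
        for proto, low, high, typ in policy_ports:
            if proto == e["proto"] and e["low"] <= high and e["high"] >= low:
                problems.append((e["line"], "overlaps policy port",
                                 f"{proto} {low}-{high} {typ}"))
    return problems


if __name__ == "__main__":
    print(check_ports_local(PORTS_LOCAL, TYPES_BEFORE))   # clean
    print(check_ports_local(PORTS_LOCAL, TYPES_AFTER))    # stale memcached entry
```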
Sharing config file between daemons
by Arthur Pemberton
What is the best way to share a config file (user passwords) between
httpd and squid? They use different contexts. When I tried to point
squid to httpd's config, it got blocked.
--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )
15 years, 4 months
selinux-policy-3.6.1-6.src.rpm - a WTF in policy-20081111.patch?
by Valdis.Kletnieks@vt.edu
Seen in policy-20081111.patch:
grep -n wm policy* | grep ' :x_draw'
policy-20081111.patch:3763:+allow wm_t :x_drawable { get_property setattr show receive manage send read getattr list_child set_property };
Am I senile, or is something missing before that ":"?
(Don't ask how I found it, 'tis a long and sordid tale.. I may be posting
about the original issue separately).
15 years, 5 months
CentOS 5 + RPMForge: SELinux blocks OpenVPN from using
by Arthur Pemberton
Audit message is:
host=moriarty type=AVC msg=audit(1228539599.507:62): avc: denied { execstack } for pid=4737 comm="openvpn" scontext=user_u:system_r:openvpn_t:s0 tcontext=user_u:system_r:openvpn_t:s0 tclass=process
host=moriarty type=SYSCALL msg=audit(1228539599.507:62): arch=40000003 syscall=125 success=no exit=-13 a0=bfd77000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=4727 pid=4737 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=6 comm="openvpn" exe="/usr/sbin/openvpn" subj=user_u:system_r:openvpn_t:s0 key=(null)
setroubleshoot had no suggestion. This only happens when the init
script is used. Direct invocation of openvpn as root does not cause
this.
This Google search suggests that this is a fairly popular problem with
no published solution (that I've seen):
http://www.google.com/search?q=liblzo2.so.2%3A+cannot+enable+executable+s...
--
Fedora 9 : sulphur is good for the skin
( www.pembo13.com )
15 years, 5 months
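An `execstack` denial on the process itself (syscall 125 is mprotect on i386) means the dynamic loader tried to make the stack executable, which it does when the program or any shared object it loads carries a PT_GNU_STACK program header with the execute flag, or has no PT_GNU_STACK at all. The search link above points at a library (liblzo2.so.2) as the usual culprit. The following is an added example (editor's code, not OpenVPN's or SELinux's) that reads that flag straight from the ELF program headers. The ELF image it checks is constructed in memory, just a header and program headers with no code, so the script runs without OpenVPN installed; on a real host call `pt_gnu_stack_flags()` on /usr/sbin/openvpn and every library `ldd` lists for it.

```python
"""Added example (editor's code, not OpenVPN's or SELinux's): report
whether an ELF object asks for an executable stack.

The image from build_elf32() is constructed for the demonstration; it
is not a real binary. scan() reads real files.
"""
import struct

PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def pt_gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK segment, or None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:                       # ELF32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is 7th field
    elif ei_class == 2:                     # ELF64 header layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_flags follows p_type
    else:
        raise ValueError("unknown EI_CLASS")
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_idx]
    return None


def needs_execstack(data):
    """True when loading this object would require an executable stack:
    PF_X set on PT_GNU_STACK, or no PT_GNU_STACK header at all."""
    flags = pt_gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def build_elf32(stack_flags, with_gnu_stack=True):
    """Construct a minimal little-endian ELF32 image (ELF header plus
    program headers, no code) for testing; not a real binary."""
    phdrs = [(1, 0, 0, 0, 0, 0, 5, 0x1000)]            # PT_LOAD, r-x
    if with_gnu_stack:
        phdrs.append((PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10))
    ehdr = bytearray(52)
    ehdr[:7] = b"\x7fELF\x01\x01\x01"                 # ELF32, LE, version 1
    # e_type=ET_DYN e_machine=EM_386 e_version e_entry e_phoff e_shoff
    # e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    struct.pack_into("<HHIIIIIHHHHHH", ehdr, 16,
                     3, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return bytes(ehdr) + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)


def scan(paths):
    """Map each file path to whether it requires an executable stack."""
    result = {}
    for p in paths:
        with open(p, "rb") as f:
            result[p] = needs_execstack(f.read())
    return result


if __name__ == "__main__":
    for flags, label in ((6, "rw-"), (7, "rwx")):
        print(label, needs_execstack(build_elf32(flags)))
    print("no PT_GNU_STACK", needs_execstack(build_elf32(0, with_gnu_stack=False)))
```

The stock tool for the same question is `execstack -q` from the prelink package. Finding the object that carries the flag is the diagnostic step; whether to clear the flag on that library (`execstack -c`), get it rebuilt without it, or grant `execstack` to openvpn_t is a policy decision this thread does not settle.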