Problem with restorecon
by Konrad Azzopardi
Hi people,
I have the following policy version installed
selinux-policy-3.3.1-107.fc9.noarch
selinux-policy-devel-3.3.1-107.fc9.noarch
selinux-policy-targeted-3.3.1-107.fc9.noarch
I created an SELinux policy and generated the following filecontexts
[root@MALTA konsu]# semanage fcontext -l | grep yule
/etc/init.d/yule        regular file    system_u:object_r:yule_script_exec_t:s0
/var/run/yule.pid       regular file    system_u:object_r:yule_var_run_t:s0
/var/log/yule(/.*)?     regular file    system_u:object_r:yule_log_t:s0
/var/lib/yule(/.*)?     regular file    system_u:object_r:yule_var_lib_t:s0
/etc/yulerc             regular file    system_u:object_r:yule_config_t:s0
/usr/local/sbin/yule    regular file    system_u:object_r:yule_exec_t:s0
All the files seem to become labelled normally as expected except
/etc/init.d/yule
[root@MALTA konsu]# restorecon -R -v /etc/init.d/yule
[root@MALTA konsu]# ls -lrtZ /etc/init.d/yule
-rwx------ root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/yule
I cannot get rid of initrc_exec_t. Although my script is still
confined correctly, I would like to label this file normally. Is there
a reason why restorecon fails?
many thanks
konrad
fedora-selinux-list
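A simplified model of the lookup restorecon performs, added here as an illustration; it is not code from the post or from the Fedora tools. It assumes two things about the setup above: that /etc/init.d is a symlink to /etc/rc.d/init.d, as it is on Fedora, and that restorecon resolves symlinks in the directory part of a path before matching it against file_contexts, so the file is looked up as /etc/rc.d/init.d/yule and a local rule written for /etc/init.d/yule never gets a chance to match. The table entries, the second "canonical" rule, and the matching rule (last matching regex wins, with local entries after base ones) are constructed for the example; the types are the ones from the listing above.

```python
import os
import re
import tempfile

# Constructed, simplified file_contexts table. Base-policy entries come first;
# the entries that `semanage fcontext -a` writes to file_contexts.local come
# last. lookup() takes the LAST entry whose regex matches the whole path.
BASE_ENTRIES = [
    (r"/etc/.*", "system_u:object_r:etc_t:s0"),
    (r"/etc/rc\.d/init\.d/.*", "system_u:object_r:initrc_exec_t:s0"),
]
# The rule exactly as it appears in the semanage listing above.
LOCAL_AS_POSTED = [(r"/etc/init.d/yule", "system_u:object_r:yule_script_exec_t:s0")]
# The same rule written against the symlink's target directory (assumed fix).
LOCAL_CANONICAL = [(r"/etc/rc\.d/init\.d/yule", "system_u:object_r:yule_script_exec_t:s0")]


def canonical_path(path):
    """Resolve symlinks in every component except the last: restorecon labels
    the named file itself but walks the directories it sits in for real."""
    head, tail = os.path.split(path)
    return os.path.join(os.path.realpath(head), tail)


def lookup(entries, path):
    """Context of the last entry whose regex matches the whole path, or None
    (a path no entry matches is left alone by restorecon)."""
    context = None
    for regex, ctx in entries:
        if re.fullmatch(regex, path):
            context = ctx
    return context


def build_fedora_layout(root):
    """Mimic Fedora: real scripts live in etc/rc.d/init.d, etc/init.d is a symlink."""
    os.makedirs(os.path.join(root, "etc", "rc.d", "init.d"))
    os.symlink(os.path.join("rc.d", "init.d"), os.path.join(root, "etc", "init.d"))
    with open(os.path.join(root, "etc", "rc.d", "init.d", "yule"), "w") as fh:
        fh.write("#!/bin/sh\n")


def label_for(local_entries, root, typed_path):
    """Return (path_as_matched, context) for the path an admin typed, with the
    sandbox root stripped so the policy regexes see an absolute system path."""
    canon = canonical_path(os.path.join(root, typed_path.lstrip("/")))
    policy_path = canon[len(root):]
    return policy_path, lookup(BASE_ENTRIES + local_entries, policy_path)


def run_demo():
    """Label /etc/init.d/yule under both local rules inside a throwaway tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        build_fedora_layout(root)
        return {
            "as_posted": label_for(LOCAL_AS_POSTED, root, "/etc/init.d/yule"),
            "canonical": label_for(LOCAL_CANONICAL, root, "/etc/init.d/yule"),
            # what a naive match on the typed path (no symlink resolution) gives
            "naive": lookup(BASE_ENTRIES + LOCAL_AS_POSTED, "/etc/init.d/yule"),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10} {result}")
```

The "naive" result is what the listing above leads one to expect; the "as_posted" result reproduces the initrc_exec_t label the post observes, and "canonical" shows the rule keyed on the real directory winning over the base entry. Under these assumptions the corresponding change on a real system would be a rule of the form `semanage fcontext -a -t yule_script_exec_t '/etc/rc\.d/init\.d/yule'` followed by `restorecon -v /etc/rc.d/init.d/yule`; which path restorecon actually matched can be confirmed with `restorecon -v` output, and a rule that is listed but never applied is the usual sign of a symlink in the directory part.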
preventing unconfined users exec in home and tmp
by Murray McAllister
Hi,
I have turned "allow_unconfined_exec_content" off, but unconfined users
(unconfined_u) can still execute files in their home directories and /tmp/.
I tried adding a user with "useradd -Z unconfined_u". This user can
still execute. I could not find any dontaudit rules.
Am I missing something?
Thanks.
installing xine from source yields lots of selinux denials
by Antonio Olivares
Dear all,
Trying to install xine-lib from source *to put in the missing pieces* gives selinux denials with chcon
Summary:
SELinux is preventing chcon (unconfined_t) "mac_admin" unconfined_t.
Detailed Description:
SELinux denied access requested by chcon. It is not expected that this access is
required by chcon and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0
Target Objects None [ capability2 ]
Source chcon
Source Path /usr/bin/chcon
Port <Unknown>
Host emachines-3
Source RPM Packages coreutils-6.12-17.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name emachines-3
Platform Linux emachines-3 2.6.27.5-109.fc10.x86_64 #1 SMP Thu Nov 13 20:12:05 EST 2008 x86_64 x86_64
Alert Count 60
First Seen Tue 18 Nov 2008 07:47:03 AM CST
Last Seen Tue 18 Nov 2008 07:48:36 AM CST
Local ID 395c28ed-1aab-4d88-9105-57cecfd55b14
Line Numbers
Raw Audit Messages
node=emachines-3 type=AVC msg=audit(1227016116.77:132): avc: denied { mac_admin } for pid=3757 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability2
node=emachines-3 type=SYSCALL msg=audit(1227016116.77:132): arch=c000003e syscall=188 success=no exit=-22 a0=133e670 a1=6236f9 a2=133fa40 a3=21 items=0 ppid=3751 pid=3757 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
Thanks,
Antonio
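An added example, not part of the post or of setroubleshoot: a small parser that takes the two raw audit records quoted above, joins the AVC and SYSCALL halves by their audit serial, and decodes the numeric fields a reader has to look up by hand. The capability and syscall tables are limited to the values I am certain of (capability 33 is CAP_MAC_ADMIN, and on x86_64, arch c000003e, syscall 188 is setxattr); the exit code is decoded with the standard errno module.

```python
import errno
import re
from collections import defaultdict

# The two raw audit records quoted in the post above, copied verbatim.
RAW_AUDIT = """\
node=emachines-3 type=AVC msg=audit(1227016116.77:132): avc: denied { mac_admin } for pid=3757 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=capability2
node=emachines-3 type=SYSCALL msg=audit(1227016116.77:132): arch=c000003e syscall=188 success=no exit=-22 a0=133e670 a1=6236f9 a2=133fa40 a3=21 items=0 ppid=3751 pid=3757 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
"""

# Linux capability numbers >= 32 are reported under the capability2 class.
CAPABILITY_NAMES = {32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN"}
# x86_64 (arch=c000003e) syscall numbers involved in writing file labels.
X86_64_SYSCALLS = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields, plus the
    'serial' that ties AVC and SYSCALL records of one event together and,
    for AVC records, the 'decision' and the list of 'perms' asked for."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    serial = SERIAL_RE.search(line)
    rec["timestamp"], rec["serial"] = serial.group(1), int(serial.group(2))
    avc = AVC_RE.search(line)
    if avc:
        rec["decision"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
    return rec


def correlate(raw):
    """Group records by serial so each event holds its AVC and SYSCALL halves."""
    events = defaultdict(dict)
    for line in raw.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)


def explain(event):
    """Decode the numeric fields of a capability denial into names."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    capability = CAPABILITY_NAMES.get(int(avc["capability"])) if "capability" in avc else None
    syscall = None
    if sc.get("arch") == "c000003e" and "syscall" in sc:
        syscall = X86_64_SYSCALLS.get(int(sc["syscall"]))
    exit_code = int(sc["exit"]) if "exit" in sc else None
    return {
        "comm": avc["comm"],
        "decision": avc["decision"],
        "perms": avc["perms"],
        "tclass": avc["tclass"],
        "capability": capability,
        "syscall": syscall,
        "errno": errno.errorcode.get(-exit_code) if exit_code is not None and exit_code < 0 else None,
        # capability checks are made against the process's own context
        "self_directed": avc["scontext"] == avc["tcontext"],
    }


if __name__ == "__main__":
    for serial, event in sorted(correlate(RAW_AUDIT).items()):
        print(serial, explain(event))
```

Decoded, the event reads: chcon called setxattr, the kernel checked the process for CAP_MAC_ADMIN, the check was denied, and the call failed with EINVAL. SELinux asks for CAP_MAC_ADMIN when a process tries to write a file label whose context is not valid in the loaded policy; without it the label is rejected as invalid, which matches the EINVAL here. So the useful question for this install is which context the build's install step is passing to chcon, since it is one the running targeted policy does not define, rather than whether to grant mac_admin.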