selinux issue
by John Oliver
I know jack-diddly about selinux. Up until now, I've simply disabled it
each time I ran into a headache like this. I'm having this issue on a
RHEL5.3 machine. The problem does not show up on several existing
RHEL5.2 machines... I don't know if that's because my predecessor knew
the magic recipe, or because of some difference between 5.2 and 5.3
[root@localhost ~]# service httpd start
Starting httpd: httpd: Syntax error on line 209 of
/etc/httpd/conf/httpd.conf: Syntax error on line 1 of
/etc/httpd/conf.d/valicert.conf: Cannot load
/etc/httpd/modules/vcapache.so into server:
/etc/httpd/modules/vcapache.so: cannot enable executable stack as shared
object requires: Permission denied
[FAILED]
[root@localhost ~]# tail -2 /var/log/messages
Feb 9 12:59:54 localhost setroubleshoot: SELinux is preventing httpd
(httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux
messages. run sealert -l d41f81b1-555f-4992-be21-4e4ac141f620
Feb 9 13:03:10 localhost setroubleshoot: SELinux is preventing httpd
(httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux
messages. run sealert -l 072e94cc-778b-44a7-b407-ea6616385489
[root@localhost ~]# sealert -l 072e94cc-778b-44a7-b407-ea6616385489
Summary:
SELinux is preventing httpd (httpd_t) "execstack" to <Unknown>
(httpd_t).
Detailed Description:
SELinux denied access requested by httpd. It is not expected that this
access is required by httpd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
package.
Additional Information:
Source Context root:system_r:httpd_t
Target Context root:system_r:httpd_t
Target Objects None [ process ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.2.3-22.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count 1
First Seen Mon Feb 9 13:03:09 2009
Last Seen Mon Feb 9 13:03:09 2009
Local ID 072e94cc-778b-44a7-b407-ea6616385489
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc:
denied { execstack } for pid=2957 comm="httpd"
scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0
tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31):
arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd"
exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
How do I make this particular module work? If I do an "ls -Z" on
/etc/httpd/modules/ it has the same permissions as every other module...
-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_vhost_alias.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapache.so
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
15 years, 2 months
vsftpd using mysql
by Maria Iano
My vsftpd server needs to talk to my mysql server, and is being
denied. Before I use audit2allow to make special rules I wanted to ask
whether there is a boolean out there that I am missing. Here is what
audit2allow gives me:
allow ftpd_t mysqld_db_t:dir search;
allow ftpd_t mysqld_t:unix_stream_socket connectto;
allow ftpd_t mysqld_var_run_t:sock_file write;
I notice there is a boolean for httpd to talk to mysql, which makes me
think there might be one for vsftpd. Does anyone know if such a one
exists?
Thanks,
Maria
15 years, 2 months
awstats AVC denial
by Vadym Chepkov
Hi,
I can't figure out why I get denials in my Redhat installation.
This is what I have:
selinux-policy-targeted-2.4.6-203.el5
httpd_enable_cgi --> on
httpd_unified --> off
system_u:object_r:httpd_sys_content_t:s0 /var/www/awstats
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/awstats/awstats.pl
system_u:object_r:httpd_sys_content_t:s0 /var/www/awstats/awstats022009.txt
And this is what I get:
type=AVC msg=audit(1234014919.167:40376): avc: denied { read } for pid=32656 comm="awstats.pl" name="awstats" dev=sda1 ino=704533 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1234014919.167:40377): avc: denied { getattr } for pid=32656 comm="awstats.pl" path="/var/www/awstats/awstats022009.txt" dev=sda1 ino=706623 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
The question is, why? Thank you.
Sincerely yours,
Vadym Chepkov
15 years, 2 months
Help with squid / squidGuard
by Arthur Dent
Hello all,
Still on my mission to clean up any unnecessary local policies I might
have mistakenly created I have now turned my attention to my squid web
proxy.
I have a nightly script which downloads updated blacklists to be fed to
squidGuard. They are held in a variety of directories under
/var/squidGuard/blacklists/ and without my local policy I get avcs when
something tries to access one of these blacklist databases.
The proposed remedy of:
restorecon -v '/var/squidGuard/blacklists/blacklists/porn/domains.db'
made no difference.
When I do an ls -laZ on these directories I get a mixture of:
squid squid system_u:object_r:var_t:s0 and
squid squid unconfined_u:object_r:var_t:s0
Which should it be?
Should I build a chcon statement into the download script?
Audit2why said that the denial was caused by a "Missing type enforcement
(TE) allow rule."
and audit2allow produced this (which is the same as I had in my local
policy):
require {
type squid_t;
}
#============= squid_t ==============
files_rw_var_files(squid_t)
Should I just stick with my local policy, or fix something else?
Thanks
Mark
p.s. Happy to post the whole avc(s) if required...
15 years, 2 months
Re: on machine with CPU -> 100%, lots of avc's
by Antonio Olivares
--- On Wed, 2/4/09, Christopher Beland <beland(a)alum.mit.edu> wrote:
> From: Christopher Beland <beland(a)alum.mit.edu>
> Subject: Re: on machine with CPU -> 100%, lots of avc's
> To: olivares14031(a)yahoo.com
> Cc: "For testers of Fedora Core development releases" <fedora-test-list(a)redhat.com>
> Date: Wednesday, February 4, 2009, 7:45 PM
> Try (as root):
>
> service auditd restart
>
> and see if auditd returns OK or FAIL? It might spit out
> some errors, or
> put something in /var/log/messages. If it complains about
> the log not
> being writable by owner, then "chmod u+w
> /var/log/audit/*" is what
> fixed it for me.
>
> It could also be an SELinux problem, but only if you have
> SELINUX=enforcing in /etc/selinux/config. On my test
> machine, I
> generally set SELINUX=permissive there so I see avc
> denials, but
> everything continues working even if there is an SELinux
> misconfiguration.
>
> > Disable SELinux and AVCs will be gone. Forever.
>
> I agree SELinux can be quite frustrating once you start
> customizing
> services, and I have been known to turn it off entirely for
> that reason.
> But for testing purpose, it's extremely useful to have
> people like us
> stumble across avc denials so the general public
> doesn't have to, and
> they can enjoy the security benefits.
>
> -B.
Thank you for your help, I am now seeing setroubleshooter kick in :)
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# service auditd restart
Stopping auditd: [FAILED]
Starting auditd: [FAILED]
[root@localhost ~]# tail -f /var/log/messages
Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:6): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:8): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:10): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost auditd: audit log is not writable by owner
Feb 5 11:00:40 localhost auditd: The audit daemon is exiting.
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:11): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:12): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
^C
[root@localhost ~]# chmod u+w /var/log/audit/*
You have new mail in /var/spool/mail/root
[root@localhost ~]# service auditd restart
Stopping auditd: [FAILED]
Starting auditd: [ OK ]
[root@localhost ~]# service auditd status
auditd (pid 3930) is running...
[root@localhost ~]#
Now I get to see the alerts:
Summary:
SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by consoletype. It is not expected that this
access is required by consoletype and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:consoletype_t
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects socket [ unix_stream_socket ]
Source consoletype
Source Path /sbin/consoletype
Port <Unknown>
Host localhost
Source RPM Packages initscripts-8.89-1
Target RPM Packages
Policy RPM selinux-policy-3.6.4-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost
Platform Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1
SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
Alert Count 2
First Seen Thu 05 Feb 2009 11:02:08 AM CST
Last Seen Thu 05 Feb 2009 11:02:08 AM CST
Local ID f1514423-f554-4573-bbbc-be7e2ea49653
Line Numbers
Raw Audit Messages
node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=SYSCALL msg=audit(1233853328.116:21): arch=40000003 syscall=11 success=yes exit=0 a0=8401580 a1=84015e0 a2=84012e8 a3=84015e0 items=0 ppid=3960 pid=3961 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)
Summary:
SELinux is preventing auditctl (auditctl_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by auditctl. It is not expected that this access
is required by auditctl and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:auditctl_t
Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow-
SystemHigh
Target Objects socket [ unix_stream_socket ]
Source auditctl
Source Path /sbin/auditctl
Port <Unknown>
Host localhost
Source RPM Packages audit-1.7.11-2.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.4-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost
Platform Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1
SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon
Alert Count 2
First Seen Thu 05 Feb 2009 11:01:56 AM CST
Last Seen Thu 05 Feb 2009 11:01:56 AM CST
Local ID 57e3c37f-6698-456e-9d2f-86ad2b68220a
Line Numbers
Raw Audit Messages
node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=localhost type=SYSCALL msg=audit(1233853316.292:19): arch=40000003 syscall=11 success=yes exit=0 a0=83a4c40 a1=83a4e38 a2=83a8350 a3=83a4e38 items=0 ppid=3913 pid=3936 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="auditctl" exe="/sbin/auditctl" subj=unconfined_u:system_r:auditctl_t:s0 key=(null)
I will now check my other two machines to see if auditd is running or not and apply the same fix.
Thank you for helping out again with this problem.
Regards,
Antonio
15 years, 2 months
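The AVC lines in the posts above all share one format, and several posters ask what audit2allow would make of them. The following parser is an added example, not code from any of the posters or from the audit tools: it reads raw AVC records (quoted from the posts above), renders the allow rule audit2allow would print, and flags the execstack request from the first post, which audit2allow would happily turn into a rule but which removes the non-executable stack for the whole httpd process. The RISKY table is my own choice of permissions to flag.

```python
import re

# AVC lines quoted from the posts above (syslog prefixes left in on purpose)
SAMPLE_AVCS = """\
host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1234014919.167:40376): avc: denied { read } for pid=32656 comm="awstats.pl" name="awstats" dev=sda1 ino=704533 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1234014919.167:40377): avc: denied { getattr } for pid=32656 comm="awstats.pl" path="/var/www/awstats/awstats022009.txt" dev=sda1 ino=706623 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permission/class pairs whose denial usually points at a broken binary, not a policy gap
RISKY = {("process", "execstack"): "executable stack (defeats NX for the whole process)",
         ("process", "execmem"): "writable and executable memory"}

def type_of(ctx):
    """user:role:type[:mls] -> type, e.g. root:system_r:httpd_t:s0 -> httpd_t."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return {"perms": m.group("perms").split(), "comm": f.get("comm"),
            "stype": type_of(f["scontext"]), "ttype": type_of(f["tcontext"]),
            "tclass": f["tclass"]}

def allow_rule(avc):
    """Rule text as audit2allow prints it ('self' when source and target types match)."""
    target = "self" if avc["stype"] == avc["ttype"] else avc["ttype"]
    p = avc["perms"]
    perms = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
    return "allow %s %s:%s %s;" % (avc["stype"], target, avc["tclass"], perms)

def triage(text):
    """Collect de-duplicated allow rules and warn about denials that should not be allowed."""
    rules, warnings = [], []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        rule = allow_rule(avc)
        if rule not in rules:
            rules.append(rule)
        for perm in avc["perms"]:
            why = RISKY.get((avc["tclass"], perm))
            if why:
                warnings.append("%s asks for %s: %s" % (avc["comm"], perm, why))
    return rules, warnings
```

Feed it `ausearch -m avc` output or the lines from /var/log/messages; a warning means the module or binary should be fixed rather than the rule loaded.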
denying group of users from r/w/x files
by Ali Hamad
Hello:
I really do not know how to do this, but I really need it. Here is what
I want to do :
remove all the Selinux rules ( targeted ) since I really do not need
them. I only need selinux to do the following :
a) create a rule for file that can not be accessed from known group
of users. i.e group A can not read/write/execute this file. However,
the file permission is 666 and that file permission can not be changed.
b) directory that has permission of 777. However, group A of users
can not write/read/execute it.
Here is what I came up with :
/usr/sbin/semanage fcontext -a -t ?? /var/file.txt
I did not know what type I should put in there.
Would you please guide me how to achieve my goal?
Any suggestion is highly appreciated.
Ali.
15 years, 2 months
Fedora 9 can't use apache's mod_auth_shadow
by Kevin White
I'm trying to set an out-of-the-box httpd to use mod_auth_shadow to
authenticate users. Selinux won't let me.
mod_auth_shadow runs /usr/sbin/validate (which is chrooted) to actually
check against /etc/shadow:
[root@localhost selinux]# ls -lrtZ /usr/sbin/validate
-rwsr-xr-x root root system_u:object_r:chkpwd_exec_t:s0 /usr/sbin/validate
Validate appears to be labeled correctly, so, apparently the problem is
that httpd can't make the domain transition.
I really don't know how to allow it to. I'd like to.
Help!
Thanks,
Kevin
selinux-policy-devel-3.3.1-118.fc9.noarch
selinux-policy-3.3.1-118.fc9.noarch
selinux-policy-targeted-3.3.1-118.fc9.noarch
httpd-2.2.9-1.fc9.i386
mod_auth_shadow-2.2-4.fc9.i386
15 years, 2 months
[ANN]SELinux tool : segatex-7.20 released
by Shintaro Fujiwara
Hi, I released segatex-7.20 which had been written using qt4 classes.
Because Fedora10's default qt version is 4, I ported code for it.
http://sourceforge.net/projects/segatex/
###########segatex######################################################################
You can setenforce 0 or 1 by pushing button.
Any action will set statusBar label anew.
You can see status pushing state menu, too.
Yum install/update SELinux related RPMs, including seedit. Options are
not yet implied.
You can audit2allow.
It's a combination of audit2allow -m local -i logname -o filename.te
with other options, -l -R -v -e,
and you can rename module name changing local to whatever you want.
You can see denied audit.log.
You can generate interface macroed policy
(require brace not included yet).
You can semodule -l -i -u -r.
Of course you can make new module.
You can install,update,remove modules.
All you have to do is just pushing button.
You can semanage -l.
It's "boolean login user port interface fcontext translation".
But it's a different order. Login and user come first.
You can semanage login -a -m -d.
You can semanage fcontext -a -m -d.
You can semanage port -a -m -d.
You can semanage translation -a -m -d.
You can setsebool [-P] boolean value
You can generate brand-new policy module.
You can aureport.
You can ausearch.
You can add/delete Linux user.
You can grep process.
You can relabel the whole system.
You can restorecon the whole directory wherever you want.
You can ftp download.
########segatex_editor##################################################################
Push break .te button.
You will see raw .te files in raw_te_files/layer directory.
##########################
Push break .if button.
You will see raw .if files in raw_if_files/layer directory.
But interfaces which reside inside themselves stay as is.
Refer to those already broken in the file.
--
http://intrajp.no-ip.com/ Home Page
15 years, 2 months
Re: system_u
by Konrad Azzopardi
Dear all
Is there any reason why by default system_u in Fedora 10 is not
allowed to have system_r role ?
Tnx
Konrad
15 years, 2 months
Re: selinux-polgengui
by Konrad Azzopardi
Hi all,
I am experiencing a problem in selinux-polgengui. I have
policycoreutils-gui-2.0.57-14.fc10.i386 installed and I am using
selinux-policy-targeted-3.5.13-41.fc10.noarch
While generating a policy, the GUI is erroneously (in my opinion)
using the init_script_domtrans_spec() macro that seemed to exist in
init.if in previous policy but not anymore.
Tnx
Konrad
15 years, 2 months