January 2011 - selinux - Fedora Mailing-Lists

by Mr Dash Four

Problems combining these 2 to run while SELinux is in 'enforced' mode (policy running is the 'stock' targeted one supplied with FC13). I get 2 audit alerts when Shorewall starts (and fails!) - see logs below. I have x86_64 arch machine with FC13 running. Stock Shorewall is installed. IPSet (xtunnels) is compiled in (though with the 'stock' rpm I am getting the same errors). The problem seems to be caused by the Shorewall init script (see further below). The relevant part of my syslog when SELinux is in enforced mode is: =========SELinux=Enforcing================================ Jun 26 23:18:38 dev1 shorewall[2456]: Compiling... Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.634:29543): avc: denied { create } for pid=2577 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket Jun 26 23:18:38 dev1 kernel: type=1400 audit(1277590718.637:29544): avc: denied { create } for pid=2579 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/zones... Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/interfaces... Jun 26 23:18:38 dev1 shorewall[2456]: Determining Hosts in Zones... Jun 26 23:18:38 dev1 shorewall[2456]: Preprocessing Action Files... Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing /usr/share/shorewall/action.Drop... Jun 26 23:18:38 dev1 shorewall[2456]: Pre-processing /usr/share/shorewall/action.Reject... Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/policy... Jun 26 23:18:38 dev1 shorewall[2456]: Compiling /etc/shorewall/blacklist... Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables : /etc/shorewall/blacklist (line 11) Jun 26 23:18:38 dev1 shorewall[2456]: ERROR: Shorewall start failed ========================================================== When I switch SELinux to Permissive I get two further errors: =========SELinux=Permissive=============================== Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29551): avc: denied { create } for pid=3799 comm="ipset" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29552): avc: denied { getopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket Jun 26 23:32:45 dev1 kernel: type=1400 audit(1277591565.629:29553): avc: denied { setopt } for pid=3799 comm="ipset" lport=255 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:shorewall_t:s0 tclass=rawip_socket Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/zones... Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/interfaces... Jun 26 23:32:45 dev1 shorewall[3678]: Determining Hosts in Zones... Jun 26 23:32:45 dev1 shorewall[3678]: Preprocessing Action Files... Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing /usr/share/shorewall/action.Drop... Jun 26 23:32:45 dev1 shorewall[3678]: Pre-processing /usr/share/shorewall/action.Reject... Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/policy... Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/blacklist... Jun 26 23:32:45 dev1 shorewall[3678]: Adding Anti-smurf Rules Jun 26 23:32:45 dev1 shorewall[3678]: Compiling TCP Flags filtering... Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Kernel Route Filtering... Jun 26 23:32:45 dev1 shorewall[3678]: Compiling Martian Logging... Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 1... Jun 26 23:32:45 dev1 shorewall[3678]: Compiling /etc/shorewall/rules... Jun 26 23:32:45 dev1 shorewall[3678]: Generating Transitive Closure of Used-action List... Jun 26 23:32:45 dev1 shorewall[3678]: Processing /usr/share/shorewall/action.Reject for chain Reject... Jun 26 23:32:45 dev1 shorewall[3678]: Processing /usr/share/shorewall/action.Drop for chain Drop... Jun 26 23:32:45 dev1 shorewall[3678]: Compiling MAC Filtration -- Phase 2... Jun 26 23:32:45 dev1 shorewall[3678]: Applying Policies... Jun 26 23:32:45 dev1 shorewall[3678]: Generating Rule Matrix... Jun 26 23:32:45 dev1 shorewall[3678]: Creating iptables-restore input... Jun 26 23:32:45 dev1 shorewall[3678]: Compiling iptables-restore input for chains blacklst mangle:... Jun 26 23:32:45 dev1 shorewall[3678]: Shorewall configuration compiled to /var/lib/shorewall/.start Jun 26 23:32:45 dev1 shorewall[3678]: Starting Shorewall.... Jun 26 23:32:45 dev1 shorewall[3678]: Initializing... Jun 26 23:32:46 dev1 kernel: u32 classifier Jun 26 23:32:46 dev1 kernel: Performance counters on Jun 26 23:32:46 dev1 kernel: input device check on Jun 26 23:32:46 dev1 kernel: Actions configured Jun 26 23:32:46 dev1 shorewall[3678]: Processing /etc/shorewall/init ... Jun 26 23:32:46 dev1 shorewall[3678]: loading /etc/shorewall/ips/blacklist-x1.ips Jun 26 23:32:46 dev1 shorewall[3678]: loading /etc/shorewall/ips/blacklist-x2.ips Jun 26 23:32:46 dev1 shorewall[3678]: loading /etc/shorewall/ips/blacklist-z1.ips Jun 26 23:32:47 dev1 shorewall[3678]: loading /etc/shorewall/ips/blacklist-z2.ips Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/tcclear ... Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Route Filtering... Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Martian Logging... Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Proxy ARP... Jun 26 23:32:49 dev1 shorewall[3678]: Setting up Traffic Control... Jun 26 23:32:49 dev1 shorewall[3678]: Preparing iptables-restore input... Jun 26 23:32:49 dev1 shorewall[3678]: Running /sbin/iptables-restore... Jun 26 23:32:49 dev1 shorewall[3678]: IPv4 Forwarding Enabled Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/start ... Jun 26 23:32:49 dev1 shorewall[3678]: Processing /etc/shorewall/started ... Jun 26 23:32:49 dev1 shorewall[3678]: Shorewall started ========================================================== The problem seems to be caused by the shorewall init script, which is: ===========Shorewall init script========================== modprobe ifb numifbs=1 ip link set dev ifb0 up # configure the ipsets sw_ips_mask='/etc/shorewall/ips/*.ips' ipset_exec='/usr/sbin/ipset' if [ "$COMMAND" = start ]; then $ipset_exec -F $ipset_exec -X for c in `/bin/ls $sw_ips_mask 2>/dev/null`; do echo loading $c $ipset_exec -R < $c done fi ========================================================== The above script executes /usr/sbin/ipset to create my IP Sets needed for running Shorewall (all IP set commands are contained in those *.ips files). These IP sets comprise mainly of IP subnets which are part of my blacklists (banned IP subnets), though they also contain some IP Port sets as well. Don't know why SELinux denies "create" (and then "getopt" and "setopt") on a, what seems to be, raw ip socket (IPSet do not use/need one as far as I know!)? If I remove the IP Set part of the init script above and rearrange Shorewall to run without IPSets all is well, though its functionality is VERY limited and barely useful to me! Two questions to the SELinux gurus on here: 1) Why am I getting these alerts? and 2) How can I fix the problem so that I could run both Shorewall and IPSets with SELinux in Enforced mode? This is important for me as this is a production server and a lot of stuff runs on it and needs to be available 24/7. Many thanks in advance!

13 years, 3 months

4
57
0 / 0

mysql_upgrade selinux issues

by Luciano Furtado

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Group, I am seeing the errors (warning since I am on permissive mode) bellow for mysql_upgrade after I enabled selinux. Linux lrfurtado 2.6.26-2-xen-686 #1 SMP Thu Nov 25 02:32:31 UTC 2010 i686 GNU/Linux cat /etc/debian_version 5.0.7 SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 23 Policy from config file: default [ 31.271298] type=1400 audit(1294223212.646:7): avc: denied { search } for pid=1372 comm="mysql_upgrade" name="bin" dev=xvda ino=231661 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir [ 31.285387] type=1400 audit(1294223212.662:8): avc: denied { read } for pid=1377 comm="mysql_upgrade" name="sh" dev=xvda ino=163914 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file [ 31.285413] type=1400 audit(1294223212.662:9): avc: denied { execute } for pid=1377 comm="mysql_upgrade" name="bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file [ 31.285423] type=1400 audit(1294223212.662:10): avc: denied { read } for pid=1377 comm="mysql_upgrade" name="bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file [ 31.285459] type=1400 audit(1294223212.662:11): avc: denied { execute_no_trans } for pid=1377 comm="mysql_upgrade" path="/bin/bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file [ 31.286542] type=1400 audit(1294223212.662:12): avc: denied { getattr } for pid=1377 comm="sh" path="/bin/bash" dev=xvda ino=163866 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file [ 31.287663] type=1400 audit(1294223212.662:13): avc: denied { execute } for pid=1378 comm="sh" name="mysql" dev=xvda ino=231409 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file [ 31.287678] type=1400 audit(1294223212.662:14): avc: denied { read } for pid=1378 comm="sh" name="mysql" dev=xvda ino=231409 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file when I run audit2allow I get the following: #============= mysqld_t ============== allow mysqld_t bin_t:dir search; allow mysqld_t bin_t:file { read execute }; allow mysqld_t bin_t:lnk_file read; allow mysqld_t shell_exec_t:file { read execute getattr execute_no_trans }; I have also attached the output of: sesearch --all | grep mysql > /tmp/mysql.policy What's the proper fix here? I dont want to give the mysqld_t permission to execute arbitrary scripts. The only solution I have right now is to relabel mysql_upgrade so it runs as unconfined, and that's not much of a solution. Best Regards. Luciano -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJNMF2mAAoJENgwSj9ZOOwrzbMH/2KBIxOUf68Z/7L1RKAN6pH8 kIIGmcTZRODa5PLTpEIMNPPHij3q2Pmx+nmQk4A0tbWKnmxZORLuEAodwOgZjdg5 pEXqc5SrISid4z5x2hU/x9sXkNaXXUZMXjz+TtdoGQvlAkiwlXZh2YZlcmQAQ2ax tTrk/sc7KHoHmoDADubsDhbSohj3lqY7hvwTtlLlYQnLnEmwHBPKvr3kQOMS3RDT 4V4Rv5FkrzBRjOJo6FkzwI/UOdR+fIqGkts0L47/R/nSd8cv60IvncpVMqKTaTfY 7f/FfoYGT1w2iKaPx2xingFA8SWXyFQ/8GPKULSEZ3sdSjx+O06UKD6jHet3+oo= =3Fq0 -----END PGP SIGNATURE-----

13 years, 3 months

3
5
0 / 0

nscd AVC

by Vadym Chepkov

Hi, Is it safe to permit these? selinux-policy-3.9.7-18.fc14.noarch # ausearch -m avc -ts yesterday ---- time->Sun Jan 9 11:23:14 2011 type=SYSCALL msg=audit(1294590194.604:12): arch=40000003 syscall=5 success=yes exit=18 a0=57b497 a1=0 a2=1b6 a3=58856a items=0 ppid=1 pid=997 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key=(null) type=AVC msg=audit(1294590194.604:12): avc: denied { read } for pid=997 comm="nscd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir ---- time->Sun Jan 9 11:23:14 2011 type=SYSCALL msg=audit(1294590194.604:13): arch=40000003 syscall=195 success=yes exit=0 a0=57b49c a1=ae2f16bc a2=29fff4 a3=3 items=0 ppid=1 pid=997 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key=(null) type=AVC msg=audit(1294590194.604:13): avc: denied { read } for pid=997 comm="nscd" name="tmp" dev=dm-0 ino=15581 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file ---- time->Sun Jan 9 11:41:04 2011 type=SYSCALL msg=audit(1294591264.449:7): arch=40000003 syscall=195 success=yes exit=0 a0=3f049c a1=ae9f964c a2=38bff4 a3=3 items=0 ppid=1 pid=973 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key=(null) type=AVC msg=audit(1294591264.449:7): avc: denied { read } for pid=973 comm="nscd" name="tmp" dev=dm-0 ino=15581 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file ---- time->Sun Jan 9 11:41:04 2011 type=SYSCALL msg=audit(1294591264.448:6): arch=40000003 syscall=5 success=yes exit=16 a0=3f0497 a1=0 a2=1b6 a3=3fd56a items=0 ppid=1 pid=973 auid=4294967295 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key=(null) type=AVC msg=audit(1294591264.448:6): avc: denied { read } for pid=973 comm="nscd" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

13 years, 3 months

3
13
0 / 0

F14 - NVIDIA & Labels

by Jorge Fábregas

Hi, Apart from the usual $HOME/.local/share/Trash mislabeled files warnings I'm getting (same as F12) these for /dev/nvidia* on Fedora 14: /dev/nvidia0 from system_u:object_r:device_t:s0 to system_u:object_r:xserver_misc_device_t:s0 /dev/nvidiactl from system_u:object_r:device_t:s0 to system_u:object_r:xserver_misc_device_t:s0 I don't know...maybe UDEV doesn't have the proper transition rules to create xserver_misc_device_t on directoy device_t? I fix the labels but when I restart they're created again with device_t. The desktop runs fine. It's just that obsession to have all files properly labeled :) Regards, Jorge

13 years, 3 months

2
2
0 / 0

Trouble sending mail from PHP scripts

by Scott Gifford

Hello, I'm having some trouble with an SELinux policy to allow sending mail from a PHP script run from our Web server with a local installation of qmail on a CentOS 5 system. We send mail using php's mail() function, which calls /usr/bin/sendmail, which in turn calls /var/qmail/bin/qmail-inject, then /var/qmail/bin/qmail-queue, which actually puts the message in the queue. SELinux comes with some default qmail policies, but out-of-the-box we had AVC denials when qmail-queue would try to write the message into the queue, since the Web script context was not permitted to do this. I decided to take this opportunity to learn about writing SELinux policies. I know qmail very well, so thought I would write a policy for qmail. The policy would transition to a new type mail_qmail_queue_t when qmail-queue was run, and then allow this type to write into the queue. I think I have the basics working, but I'm running into some snags, and I don't have enough experience to know what sorts of solutions are likely to work out. First, I am seeing some denials that seem to be related to file descriptors passed by Apache to qmail-queue. When qmail-queue is run, stderr is connected to the Web server log, and stdout is connected to the HTTP socket. This is a pretty normal setup, which will cause any output to show up in the user's browser and errors to show up in the Web server log. However I get these AVC denials: - Thu Dec 30 01:27:47 2010 type=AVC msg=audit(1293690467.534:90936): avc: denied { read } for pid=9643 comm="qmail-queue" path="pipe:[4937510]" dev=pipefs ino=4937510 scontext=system_u:system_r:mail_qmail_queue_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=fifo_file - Thu Dec 30 01:27:47 2010 type=AVC msg=audit(1293690467.534:90936): avc: denied { append } for pid=9643 comm="qmail-queue" path="/var/log/httpd/error_log" dev=md2 ino=24183170 scontext=system_u:system_r:mail_qmail_queue_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file - Thu Dec 30 01:27:47 2010 type=AVC msg=audit(1293690467.534:90936): avc: denied { read write } for pid=9643 comm="qmail-queue" path="socket:[13964]" dev=sockfs ino=13964 scontext=system_u:system_r:mail_qmail_queue_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=tcp_socket I could write policy to allow mail_qmail_queue access to these httpd_t resources, but in general it should not have that access; only when it is run from Apache. I could create a special type for "qmail-queue run from Apache", but that quickly gets out-of-hand if I create custom policies for each program that sends mail. What is the normal way to deal with these sorts of situations? Second, I am having some trouble getting file contexts set up. I have several qmail installations with different policies, so I wrote a rule in my fc file like this: /var/qmail(-.*)?/bin/qmail-queue -- gen_context(system_u:object_r:mail_qmail_queue_exec_t,s0) When I use that rule, qmail-queue gets labeled bin_t, I think because of another rule saying anything in a directory named "bin" is "bin_t". How can I tell it my rule is more specific or higher priority than the default rule? For that matter, how can I figure out what rule is overriding mine? Third, is there a useful guide for troubleshooting SELinux policy execution? When things don't work as I expect them to, it's hard to find the reason if it's not obvious from the audit.log. Finally, can anybody recommend a good book or other resource for learning SELinux? I have *SELinux by Example*, but it seems that conventions for policy files have changed a great deal since it was written. Thanks! -----Scott.

13 years, 3 months

3
7
0 / 0

GIMP help shouldn't need execstack, should it?

by Göran Uddeborg

I discovered recently that gimp help crashes with a segmentation fault and an execmem AVC denial. I could make it work either by setting allow_execstack to on, or by changing the type of /usr/lib64/gimp/2.0/plug-ins/help-browser to unconfined_execmem_exec_t. I assume this is a bug in the help-browser that I should report. My understanding is that execstack should not be needed. But before I do I thought I check with the knowledgable people here. Is this AVC denial a result of an application bug, or could it be valid for gimp help to request this?

13 years, 3 months

5
8
0 / 0

Issues logging into to more than one system

by David Highley

Keep getting AVC's when I log into multiple Fedora 14 systems with automounted home directories. Labels keep getting mucked up after logging into a client NFS host. NFS directory server has files located in /export/home/<user>. Have done semanage fcontext -a -e /home /export/home. They automount to /home/<user>. time->Sat Dec 4 15:36:14 2010 type=SYSCALL msg=audit(1291505774.397:17149): arch=c000003e syscall=21 success=no exit=-13 a0=2320f80 a1=6 a2=20 a3=0 items=0 ppid=23814 pid=23980 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2462 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1291505774.397:17149): avc: denied { write } for pid=23980 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=392531 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file ---- time->Sat Dec 4 15:36:14 2010 type=SYSCALL msg=audit(1291505774.397:17150): arch=c000003e syscall=77 success=no exit=-13 a0=c a1=0 a2=7fff53028020 a3=0 items=0 ppid=23814 pid=23980 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2462 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1291505774.397:17150): avc: denied { write } for pid=23980 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=392531 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file

13 years, 4 months

4
11
0 / 0

Matlab

by mark

Is there a special policy or guideline for Matlab? >From the sealert: Summary: SELinux is preventing java (httpd_sys_script_t) "getsched" to <Unknown> (httpd_sys_script_t). Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by java. It is not expected that this access is required by java and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. <snip> mark

13 years, 4 months

2
1
0 / 0

Another "execstack" (AviDemux)

by Jorge Fábregas

Hi, I'm running Fedora 14 (finally) and I'm getting also an "execstack" AVC while running the Avidemux video editor. I followed the suggestions on the SELinux Alert Browser and just copied/pasted the recommended commands to create the local policy: # grep /usr/bin/avidemux2_gtk /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp ..but when I run the first line I get: compilation failed: mypol.te:6:ERROR 'syntax error' at token '' on line 6: /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from mypol.te Should I open a bug for this issue as well for the execstack one even though is a package from RPM Fusion ? The system is totally updated (as of Jan 6th, 2011). -- Jorge

13 years, 4 months

4
3
0 / 0

udev and secure_mode_insmod in selinux-policy-3.9.7-10.fc14 and later

by Mark Montague

Under selinux-policy-3.9.7-7.fc14 and previous, udev was able to load kernel modules even when secure_mode_insmod=on Starting with the next policy release, 3.9.7-10.fc14, this fails, resulting in the ethernet device not being configured when the system boots; no denial is logged. Setting secure_mode_insmod=off and rebooting results in a working system, but allows other restricted domains to load kernel modules -- which is a shame since I also have unconfined_login=off and secure_mode=on. So I added a local module with the following rule in order to get the 3.9.7-7.fc14 behavior with secure_mode_insmod=on. (The seemingly superfluous enclosing "if" is needed to avoid a duplicate rule error). if (secure_mode_insmod) { modutils_domtrans_insmod_uncond(udev_t) } My question is: what is the desired behavior for future policy releases? Should secure_mode_insmod=on affect udev as it currently does under 3.9.7-10.fc14 and later? (A literal reading of the description for this boolean implies it should). Or should a new boolean be added (off by default) to allow administrators to have udev load kernel modules even when secure_mode_insmod=on? Or something else? Apologies if this is actually a non-issue due to lack of understanding on my end (but any education would be welcome in that case!) -- Mark Montague mark(a)catseye.org

13 years, 4 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux January 2011