[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 10 months
software update & SELinux libraries
by Lowell
Hi!
Three times over the last few days, the Software Update program has
announced that it has 10 updates it wants to install. I okay this,
provide the password to approve it, the program gets the list of pkgs
(a few SELinux libraries, a microcode reader, an ffmpeg lib, among
others), downloads, attempts to install, fails and closes; the details
say "Fail;fail".
This is Fedora 17 64-bit Gnome on a Toshiba Satellite A665.
Thought you might like to know of this.
thx
Lowell Premer
11 years, 10 months
Unable to activate SELinux (on RHEL 6.2)
by Simon Reber
Hi all,
I'm having trouble activating SELinux on our RHEL 6 Linux system.
We have some sort of special installation framework (cobbler and puppet)
and initially disabled SELinux (which is fine):
[output from Kickstart]
...
selinux --disabled
...
%packages --excludedocs --nobase
kernel
yum
openssh-server
openssh-clients
audit
logrotate
tmpwatch
vixie-cron
crontabs
ksh
ntp
perl
bind-utils
sudo
which
sendmail
wget
redhat-lsb
rsync
authconfig
lsof
unzip
sharutils
logwatch
libacl
nfs-utils
lcsetup
-firstboot
-tftp-server
-system-config-soundcard
-libselinux-python
-selinux-policy
-libselinux-utils
-selinux-policy-targeted
...
But for some high Security Risk systems, it's required to turn it on
anyway.
So I followed the guidance on:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html to enable SELinux again on these systems.
Unfortunately the system does not initialise SELinux correctly, nor do I
see any hint where the problem is:
tgl90a-8401 root:/etc/init $ sestatus
SELinux status: disabled
tgl90a-8401 root:/etc/init $ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The only thing I can see is:
tgl90a-8401 root:/etc/init $ cat /var/log/messages
Jun 13 13:41:30 tgl90a-8401 kernel: SELinux: Initializing.
Does anybody know if I need additional packages on the system or any
special setting set?
I tried "permissive" mode with /.autorelabel, which didn't work
either.
I also installed the @Base group to ensure nothing is missing, but
still the same result.
I've tried it with the same setup on RHEL 5 which perfectly worked - but
not on RHEL 6!
So I'm really looking forward to getting some hints/tips.
Thanks and all the best,
Si
11 years, 10 months
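An added check for the situation Simon describes (my own code, not from the thread): it parses the kickstart %packages section and /etc/selinux/config and lists excluded packages that the configured mode needs, since without an installed policy there is nothing for init to load at boot and sestatus keeps reporting disabled. The sample inputs are constructed from the excerpts above, and the package set is an assumption for SELINUXTYPE=targeted.

```python
import re

# Constructed from the kickstart excerpt and /etc/selinux/config quoted above.
KICKSTART = """\
selinux --disabled
%packages --excludedocs --nobase
kernel
yum
audit
-firstboot
-libselinux-python
-selinux-policy
-libselinux-utils
-selinux-policy-targeted
"""

SELINUX_CONFIG = """\
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=targeted
"""

def parse_kickstart(text):
    """Return (selinux directive, set of excluded packages) from a kickstart file."""
    directive, excluded, in_packages = None, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("selinux "):
            directive = line.split(None, 1)[1]
        elif line.startswith("%packages"):
            in_packages = True
        elif line.startswith("%"):          # %post, %end and friends close the section
            in_packages = False
        elif in_packages and line.startswith("-"):
            excluded.add(line[1:])
    return directive, excluded

def parse_selinux_config(text):
    """Return SELINUX= and SELINUXTYPE= values, ignoring comments and blanks."""
    return dict(re.findall(r"^\s*(SELINUX|SELINUXTYPE)\s*=\s*(\S+)", text, re.M))

def missing_for_enable(kickstart, selinux_config):
    """Excluded packages that an enabled SELINUX= mode cannot work without (assumed set)."""
    _, excluded = parse_kickstart(kickstart)
    conf = parse_selinux_config(selinux_config)
    if conf.get("SELINUX", "disabled") == "disabled":
        return []                            # nothing to load, so nothing is missing
    policy_type = conf.get("SELINUXTYPE", "targeted")
    needed = {"selinux-policy", f"selinux-policy-{policy_type}", "libselinux-utils"}
    return sorted(needed & excluded)
```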
Poor error when loading policy module
by Moray Henderson
I'm updating a custom policy from CentOS 5 to CentOS 6. The module builds
successfully, but fails to load:
# semodule -i mypolicy.pp
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
It took me some time to work out that the error should have read:
File context already exists for /var/run/passenger: mypolicy.fc line 5
Now that I know there is already policy for Passenger, I can adjust mine
accordingly. Any chance of getting a more helpful version of the error
included in semodule?
Moray.
"To err is human; to purr, feline."
11 years, 10 months
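A pre-flight version of the check Moray asks for, added here and not part of semodule or of the thread: it compares a module's .fc specs with the installed file_contexts and reports duplicates in the wording he expected. Both inputs are constructed samples with placeholder type names.

```python
import re

# Constructed sample .fc file; the EXAMPLE_* type names are placeholders, not from the thread.
MYPOLICY_FC = """\
/usr/lib/passenger(/.*)?        gen_context(system_u:object_r:EXAMPLE_lib_t,s0)
/var/run/passenger(/.*)?        gen_context(system_u:object_r:EXAMPLE_var_run_t,s0)
"""

# Constructed excerpt of the installed file_contexts database (contexts are placeholders).
INSTALLED_FILE_CONTEXTS = """\
/var/run/passenger(/.*)?	system_u:object_r:EXAMPLE_installed_var_run_t:s0
/var/log/passenger(/.*)?	system_u:object_r:EXAMPLE_installed_log_t:s0
"""

# spec, optional file-type flag such as -d, then the context (or gen_context(...) in a .fc)
FC_RE = re.compile(r"^(?P<spec>\S+)(?:\s+(?P<ftype>-[a-z]))?\s+(?P<ctx>\S+)\s*$")

def parse_fc(text):
    """Yield (line number, path regex, file type) for each non-comment .fc/file_contexts line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FC_RE.match(line)
        if m:
            yield lineno, m.group("spec"), m.group("ftype") or ""

def duplicate_specs(module_fc, installed_fc, module_name):
    """Return the 'File context already exists' messages for specs the installed base already has."""
    installed = {(spec, ftype) for _, spec, ftype in parse_fc(installed_fc)}
    return [f"File context already exists for {spec}: {module_name} line {lineno}"
            for lineno, spec, ftype in parse_fc(module_fc) if (spec, ftype) in installed]
```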
#restorecon -R / ; operation not support
by casinee app
Hi,
When I execute '# restorecon -R /', all the output is "... operation not
support". I had checked the source code, and in
linux/security/selinux/hooks.c:
...
sbsec = inode->i_sb->s_security;
if (!(sbsec->flags & SE_SBLABELSUPP))
{
        return -EOPNOTSUPP;
}
...
it returns. SE_SBLABELSUPP is defined as 0x40; I want to know what I can
do to make the filesystem support the SELinux security context.
Thanks.
11 years, 10 months
F17 systemd AVC
by Vadym Chepkov
Hi,
I just upgraded to Fedora 17.
I see these AVC on the console and dmesg output during the startup:
[ 10.617385] type=1400 audit(1338674944.983:4): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp0" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.618270] type=1400 audit(1338674944.984:5): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp1" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.619047] type=1400 audit(1338674944.985:6): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp2" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.619769] type=1400 audit(1338674944.985:7): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp3" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.648250] type=1400 audit(1338674945.014:8): avc: denied { read } for pid=472 comm="systemd-tmpfile" name="lock" dev="dm-3" ino=3764 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
[ 10.648824] type=1400 audit(1338674945.014:9): avc: denied { read } for pid=472 comm="systemd-tmpfile" name="lock" dev="dm-3" ino=3764 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
Is this something I should be concerned about, or can it be safely ignored?
Thanks,
Vadym
11 years, 10 months
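An added triage helper for the denials Vadym quotes (my code, not from the thread): it parses AVC lines out of dmesg text, groups them by source type, target type and object class, and renders the allow rule audit2allow would propose, so the decision to allow, relabel or report can be made per group rather than per line. The sample is three of the lines quoted above, verbatim.

```python
import re
from collections import defaultdict

# Constructed sample: three of the denials quoted in the post above, copied verbatim.
SAMPLE_DMESG = """\
[ 10.617385] type=1400 audit(1338674944.983:4): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp0" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.618270] type=1400 audit(1338674944.984:5): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp1" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.648250] type=1400 audit(1338674945.014:8): avc: denied { read } for pid=472 comm="systemd-tmpfile" name="lock" dev="dm-3" ino=3764 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of key=value fields plus 'perms' for one AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """Extract the type from a user:role:type:level context string."""
    return context.split(":")[2]

def summarise(text):
    """Group denials by (source type, target type, class); merge permissions and object names."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue                       # not an AVC line (ordinary dmesg output)
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["names"].add(rec.get("name", "?"))
        g["count"] += 1
    return dict(groups)

def allow_rules(groups):
    """Render each group as the allow rule audit2allow would propose, for review only."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
                  for (s, t, c), g in groups.items())
```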
SELinux policy installation error
by thomas cameron
Howdy All -
I just installed F17 i386 on my daughter's laptop and ran yum update. I
saw this:
Updating : selinux-policy-3.10.0-125.fc17.noarch
19/405
/usr/share/selinux/devel/include/services/jetty.if: Syntax error on line
180472 jetty_cache_t [type=IDENTIFIER]
It seems non-fatal, but I am not sure. Shall I BZ it, or do you already
know about it?
TC
11 years, 10 months