What to do after building a kernel.
by Justin Conover
After I built a new kernel based off of ck-overloaded, I rebooted and a
ton of SELinux errors/messages kept coming across the screen. What do I
need to do to make a home-grown kernel work with SELinux?
18 years, 11 months
xfs file system w/ selinux?
by Justin Conover
Is there any downside to running xfs with selinux?
I'm just testing (playing) with test2 and I was thinking of using
lvm/xfs/selinux. I'm choosing xfs because it is a good fs and easier to
grow online than ext3. Plus I'm just testing :)
18 years, 11 months
Domains, interpreted languages, and Cron scripts
by Bill McCarty
Hi all,
I've run into an architectural headache that someone else must already have
visited, and perhaps solved. But, I find no mention of the problem in list
archives or elsewhere.
I have several Python scripts that run under Cron. Some of these scripts
access or modify sensitive data, and so I'd like to define one or more
domains by means of which to limit their privileges. However, the exe name
associated with such scripts is /usr/bin/python2.3, rather than the name of
the script. Consistent with the principle of least privilege, I'd prefer to
define distinct domains for each script, rather than an overly broad
python_t domain, for instance.
Has anyone else been here already? What techniques are useful for
constraining the privileges given to scripts?
One idea: Would it be a good thing to modify Run-parts to transition to a
domain named for the Cron script it launches? Doing so would seem to solve
my problem, but it might create others <g>.
Thanks,
--
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University
19 years
setools in Fedora
by Yuichi Nakamura
I tried to use setools in FedoraCore3-test3.
I installed it from the rpm on the Fedora project server:
setools-1.4.1-5, setools-gui-1.4.1-5
The GUI tools (apol, sepcut) are very slow before the window is shown.
In FedoraCore2 it was slow, too.
When I used setools in FedoraCore1, setools was fast enough on the same machine.
---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
http://www.selinux.gr.jp/
Hitachi Software
http://www.selinux.hitachi-sk.co.jp/en
The George Washington University
19 years, 1 month
Truncated log entries
by Barry Roomberg
I'm running Fedora Core 2, kernel 2.6.5-1.358.
I'm logging activity in a directory (thanks Stephen).
I occasionally get what look to be truncated log entries such as:
Oct 27 11:24:21 mstoppel1 kernel: audit(1098890661.257:8894633):
avc: granted { read } for pid=17834 exed=500 fsuid=500 egid=500
sgid=500 fsgid=500
"exed=500" ???
also:
Oct 27 11:26:47 mstoppel1 kernel: =500 fsgid=500
Any idea why? They are rare and interspersed with good entries.
19 years, 1 month
ANN: Setools 1.5 released
by Karl MacMillan
A new version of setools is available from
http://www.tresys.com/selinux/. This is a major release with several new
features including:
- Additional options for domain transition analysis to filter the
results based on the access privileges of the target domain.
- A new tool (seaudit-report) for creating reports from SELinux log
messages. This tool is highly configurable and can effectively integrate
with the LogWatch application for automating SE Linux audit log
reporting.
- Seaudit can now export filtered log messages.
- A pair of new tools (indexcon and searchcon) for creating and
searching a snapshot of the filesystem on an SELinux system. Searchcon
allows efficient searching based on path, type, user, and/or object
class. This tool will be expanded and integrated with Apol in the
future.
- Numerous bug fixes to all of the tools.
--
Karl MacMillan
Tresys Technology
kmacmillan(a)tresys.com
http://www.tresys.com
19 years, 1 month
hwbrowser
by Tom London
Just happened to notice this running strict/enforcing:
hwbrowser produces the following avcs, and doesn't
display anything for 'Hard Drives' (sorry, got hit
with the truncated avc message...):
[Does it really need write access to fixed_device_t?]
tom
Oct 29 09:45:17 fedora kernel: audit(1099068317.291:0): avc: denied
{ write } for pid=14626 exe=/bin/bash path=pipe:[51083] dev=pipefs
ino=51083 scontext=root:sysadm_r:sysadm_t
tcontext=system_u:system_r:xdm_t tclass=fifo_file
Oct 29 09:45:17 fedora kernel: audit(1099068317.291:0): avc: denied
{ write } for pid=14626 exe=/bin/bash path=pipe:[51083] dev=pipefs
ino=51083 scontext=root:sysadm_r:sysadm_t
tcontext=system_u:system_r:xdm_t tclass=fifo_file
Oct 29 09:45:18 fedora kernel:
audit(1099068318.321:0): avc: denied {
unix_read unix_write } for pid=3299 exe=/usr/X11R6/bin/Xorg
Oct 29 09:45:19 fedora kernel: audit(1099068319.206:0): avc: denied
{ read write } for pid=14627 exe=/usr/bin/python name=hda dev=tmpfs
ino=1024 scontext=root:sysadm_r:sysadm_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Oct 29 09:45:19 fedora kernel: audit(1099068319.208:0): avc: denied
{ read } for pid=14627 exe=/usr/bin/python name=hda dev=tmpfs
ino=1024 scontext=root:sysadm_r:sysadm_t
tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
--
Tom London
19 years, 1 month
ldconfig, /etc/ld.so.cache and prelink ?
by Tom London
Running strict/enforcing off of Rawhide.
While doing today's rawhide installs (yum),
I monitored the label of /etc/ld.so.cache via
ls -lZ /etc/ld.so.cache
Several times during the installation of packages,
the label of this file changed from
system_u:object_r:ld_so_cache_t
to
root:object_r:ld_so_cache_t
[OK, I think]
or to
root:object_r:etc_t
[Not OK, I think]
Each time it changed to etc_t, I ran
restorecon -vv /etc/ld.so.cache
a few seconds later and got the typical
restorecon reset context /etc/ld.so.cache->system_u:object_r:ld_so_cache_t
I'm guessing that when a package updates
/etc/ld.so.cache, it may leave the label
in a funny state, presuming that yum
will fix it at the end.
Does this explain the 'intermittent' prelink
error messages generated during package installations?
tom
--
Tom London
19 years, 1 month
Truncated log entries
by Barry Roomberg
Single CPU box. No multi-threading.
But ignore this for now, since I need to go to FC 3 anyway.
19 years, 1 month