Version change failure
by Barry Roomberg
I've just updated (via yum) a newly installed fedora box.
It thinks my policy should be version 18.
But my make load produced 17.
Ooops.
What do I need to do to synchronize them?
19 years, 5 months
realplayer
by Tom London
Running rawhide, strict/enforcing.
After installing the RealPlayer 10 rpm (installs mostly into /usr/local/....),
have no problem running realplayer in permissive mode.
It did throw off the 'ld.so.cache' avc:
Oct 18 06:55:58 fedora kernel: audit(1098107758.752:0): avc: denied
{ execute } for pid=3956 path=/etc/ld.so.cache dev=hda2 ino=4474151
scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_cache_t
tclass=file
I was not surprised, since the files were not properly labeled.
Using the labels from HelixPlayer as a guide, I relabeled RealPlayer's
installed files (mostly changing .so -> shlib_t, etc.)
This fixed the 'ld.so.cache' avc, but now I'm stumped with the following:
Oct 22 08:58:36 fedora kernel: audit(1098460716.425:0): avc: denied
{ execute } for pid=19845 path=/usr/lib/locale/locale-archive
dev=hda2 ino=4117048 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:locale_t tclass=file
Oct 22 08:58:36 fedora kernel: audit(1098460716.426:0): avc: denied
{ execute } for pid=19845
path=/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION dev=hda2 ino=4444372
scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t
tclass=file
Execute for locale files????
I tried 'strace ./realplay.bin' and got:
<<<<<SNIP>>>>>
munmap(0xe5d000, 135566) = 0
set_tid_address(0xc5c928) = 19906
rt_sigaction(SIGRTMIN, {0x2c23a0, [], SA_RESTORER|SA_SIGINFO,
0x2c98a0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x2c2410, [],
SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x2c98a0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xfefff5a8, 31, (nil), 0}) = 0
brk(0) = 0x80d5000
brk(0x80f6000) = 0x80f6000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=38674048, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES
(Permission denied)
close(3) = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2528, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xe36000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2528
read(3, "", 4096) = 0
close(3) = 0
munmap(0xe36000, 4096) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY) = -1
ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=365, ...}) = 0
mmap2(NULL, 365, PROT_READ, MAP_PRIVATE, 3, 0) = -1 EACCES (Permission denied)
close(3) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Is this related to the previously reported (and fixed, I thought)
mmap() problem? Something else?
thanks,
tom
--
Tom London
19 years, 5 months
Generic roles in selinux
by Barry Roomberg
Either I'm very confused or my system is very broken.
When I add a new user to my system via the adduser script, they get
tagged with "Generic" for their policy type.
When I examine (using seuser -X) the users, I see that all the Generics
(there are a lot) have roles of sysadm_r, system_r, and user_r.
Which means to me that all these users can assume sysadm_r by executing
the newrole command.
Is this appropriate? Shouldn't sysadm_r be reserved for administrators?
19 years, 5 months
mangled audit messages
by Colin Walters
On my FC2 server, running strict policy, I am seeing a lot of these:
audit(1098309975.693:0): avc:
denied { getattr } for pid=12283 exe=/usr/sbin/sshd
audit(1098309977.469:0): avc:
denied { getattr } for pid=12293 exe=/usr/sbin/sshd
audit(1098309984.374:0): avc:
denied { getattr } for pid=12319 exe=/usr/sbin/sshd
audit(1098309985.817:0): avc:
denied { getattr } for pid=12325 exe=/usr/sbin/sshd
Note the large amount of odd leading whitespace, and the lack of any
additional information. Does anyone know anything about this?
19 years, 6 months
USB printer disconnect...
by Tom London
Running strict/enforcing with latest Rawhide (.643, ...)
Disconnecting a USB printer after the system has booted up
in graphical mode produces an avc for 'alternatives' followed
by a host of avc for 'killall':
Oct 26 08:07:08 fedora ptal-mlcd: ERROR at ExMgr.cpp:3209,
dev=<mlc:usb:PSC_900_Series@/dev/usb/lp0>, pid=2440, e=19,
t=1098803228 llioSubprocess: llioRead returns -1, expected=6!
Oct 26 08:07:08 fedora udev[3858]: removing device node '/dev/usb/lp0'
Oct 26 08:07:08 fedora kernel: usb 3-2: USB disconnect, address 2
Oct 26 08:07:08 fedora ptal-mlcd: ERROR at ExMgr.cpp:2820,
dev=<mlc:usb:PSC_900_Series@/dev/usb/lp0>, pid=2417, e=11,
t=1098803228 llioService: fdRead returns 0, expected=6!
Oct 26 08:07:08 fedora ptal-mlcd: ERROR at ExMgr.cpp:871,
dev=<mlc:usb:PSC_900_Series@/dev/usb/lp0>, pid=2417, e=32,
t=1098803228 exClose(reason=0x0010)
Oct 26 08:07:08 fedora kernel: drivers/usb/class/usblp.c: usblp0: removed
Oct 26 08:07:12 fedora kernel: audit(1098803232.090:0): avc: denied
{ getattr } for pid=3902 exe=/usr/sbin/alternatives
path=/var/lib/alternatives dev=hda2 ino=4456489
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:rpm_var_lib_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.111:0): avc: denied
{ search } for pid=3903 exe=/usr/bin/killall name=selinux dev=hda2
ino=4509743 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied
{ search } for pid=3903 exe=/usr/bin/killall name=1 dev=proc
ino=65538 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:init_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied
{ search } for pid=3903 exe=/usr/bin/killall name=2 dev=proc
ino=131074 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied
{ search } for pid=3903 exe=/usr/bin/killall name=3 dev=proc
ino=196610 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied
{ search } for pid=3903 exe=/usr/bin/killall name=4 dev=proc
ino=262146 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied
{ search } for pid=3903 exe=/usr/bin/killall name=5 dev=proc
ino=327682 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied
{ search } for pid=3903 exe=/usr/bin/killall name=22 dev=proc
ino=1441794 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.114:0): avc: denied
{ search } for pid=3903 exe=/usr/bin/killall name=32 dev=proc
ino=2097154 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:system_r:kernel_t tclass=dir
<<< SNIP about 100 avc's like the above>>>>
Oct 26 08:07:29 fedora kernel: ohci_hcd 0000:00:03.1: wakeup
tom
--
Tom London
19 years, 6 months
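The denial logs in the posts above (RealPlayer, sshd, USB printer) are easier to review once grouped by source type, target type and object class. The following is an added example, not part of any post on this page: the function names are hypothetical, and the sample is constructed from records quoted in those posts, with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Constructed sample: denials quoted in the posts above, one record per line.
# The last record is truncated (no contexts), as in "mangled audit messages".
SAMPLE = """\
Oct 26 08:07:12 fedora kernel: audit(1098803232.090:0): avc: denied { getattr } for pid=3902 exe=/usr/sbin/alternatives path=/var/lib/alternatives dev=hda2 ino=4456489 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:rpm_var_lib_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.111:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=selinux dev=hda2 ino=4509743 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=1 dev=proc ino=65538 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:init_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=2 dev=proc ino=131074 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir
Oct 26 08:07:12 fedora kernel: audit(1098803232.113:0): avc: denied { search } for pid=3903 exe=/usr/bin/killall name=3 dev=proc ino=196610 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:kernel_t tclass=dir
Oct 22 08:58:36 fedora kernel: audit(1098460716.425:0): avc: denied { execute } for pid=19845 path=/usr/lib/locale/locale-archive dev=hda2 ino=4117048 scontext=user_u:user_r:user_t tcontext=system_u:object_r:locale_t tclass=file
audit(1098309975.693:0): avc: denied { getattr } for pid=12283 exe=/usr/sbin/sshd
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return the fields of one AVC denial, or None if it is not a complete one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: nothing to group it by
    fields["perms"] = m.group("perms").split()
    return fields

def type_of(context):
    parts = context.split(":")  # user:role:type, optionally followed by MLS
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, class); count truncated ones."""
    perms, counts, skipped = defaultdict(set), defaultdict(int), 0
    for line in text.splitlines():
        if "avc:" not in line:
            continue
        rec = parse_avc(line)
        if rec is None:
            skipped += 1
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms[key].update(rec["perms"])
        counts[key] += 1
    return {k: (sorted(perms[k]), counts[k]) for k in counts}, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE))
```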
Ask for suggestions
by Philip Leo
Hi,
I am a postgraduate student and am doing my master's thesis. I am interested in Linux security and have learnt SELinux for several months. I want to do some work in SELinux, and thus to finish my
thesis. But there are so many aspects in SELinux. So, would you please give me some suggestions on where to start?
Thanks a lot.
--
Best regards,
Philip Leo
19 years, 6 months
Cant Login after installing Fedora, screen keeps flickering
by Mehul
Hello,
I installed Fedora on my Toshiba A70 Laptop yesterday and I am not
able to get into it. The installation worked fine, but when I try to
boot into fedora I can see a dialog box which has a text saying "show
details", just after that my screen starts flickering. I am guessing
that this issue is related to my Graphics card. How do I install the
new driver coz I can't even get to the command prompt?
Can somebody please tell me how to get into command prompt while
booting fedora? I mean, is there a set of key sequences which would
directly get me into command prompt?
Please help
Mehul
19 years, 6 months
RE: Cant Login after installing Fedora, screen keeps flickering
by Predrag Petrovic
Hi Mehul,
Well, try booting the rescue CD. After everything, when it boots Linux, enter: chroot /mnt/sysimage and try to debug. Also try booting into single user mode by adding single in the boot string of grub.
________________________________
From: fedora-selinux-list-bounces(a)redhat.com on behalf of Mehul
Sent: Sun 10/24/2004 7:32 PM
To: fedora-selinux-list(a)redhat.com
Subject: Cant Login after installing Fedora, screen keeps flickering
Hello,
I installed Fedora on my Toshiba A70 Laptop yesterday and I am not
able to get into it. The installation worked fine, but when I try to
boot into fedora I can see a dialog box which has a text saying "show
details", just after that my screen starts flickering. I am guessing
that this issue is related to my Graphics card. How do I install the
new driver coz I can't even get to the command prompt?
Can somebody please tell me how to get into command prompt while
booting fedora? I mean, is there a set of key sequences which would
directly get me into command prompt?
Please help
Mehul
19 years, 6 months
User file access auditing
by Barry Roomberg
I have set up a Fedora 2 box with SELinux enabled.
I'm able to add users and relabel /home to allow their .ssh keys to
work, so I have a baseline install that is working.
I would like to create a shared dir tree that certain users have full
access to. Every file access that reads or writes data (stat, open,
read, write, delete, rename, ???) should be logged, while still allowing
the operation to complete.
Is SELinux appropriate for that type of tracking?
If so, can anyone give me a hint on the way to construct the policy?
Thanks.
Barry
Note to moderator: I have just been given a new address so the last
email got sent to you. Please ignore it.
19 years, 6 months