Head-banging targets, please
by David P. Hart
I need help understanding SELinux!
I've read just about every on-line SELinux article I can find, and I am
getting progressively more confused as I read more. Following along in
these articles on a Fedora Core 3 system, reading documents written for
Fedora Core 2 Test 3 and before, is confusing. The older the document,
the more my installation fails to match the documentation.
I need a starting place, some things to look at once I have my Fedora
Core 3 installation running. Some simple things, some that work
correctly, some that fail and I can learn how to track down and fix.
And, the answers to some basic questions:
1) Why does a Fedora Core 3 installation, with SELinux "Active" or
"Warn", not install selinux-policy-targeted-sources? I kept
pulling my hair out (little that there is) when trying to find:
/etc/selinux/targeted/src/policy
All the documents referred to this directory, and it was VERY
confusing not to find it. This directory should at least be
an empty directory after a fresh install.
2) Are the setools and setools-gui packages required to be used on a
SELinux enabled system? If so, why are they not installed when
SELinux is installed? In particular, I am very confused about how
to create new users and new groups. It looks like I need to update
our in-house instructions to use seuseradd, seuserdel, etc. instead
of useradd and userdel?
3) Where the heck is the SELinux audit file? Try as much as I could,
I can't find it. Every document references it, but none I have
found actually refer to it by path/filename.
4) I know you guys discuss policy problems all the time, from the
viewpoint of their AVC log events, but I'd like to see what one of
these AVC log events looks like on my system. In particular, I
have a Fedora Core 3 Workstation installation running the targeted
policy in enforcing mode. I'd appreciate a simple test I could
perform that would generate an AVC log entry, some idea on how to
look for the log entry, and some idea about how to analyze the log
entry. I know, blasphemy. But there are three ways that adults
learn:
1. Visual: people who learn by seeing it done.
2. Auditory: people who learn by hearing.
3. Kinesthetic: people who learn by doing (touch and body
movement).
I'm a #3.
5) Does it make sense to have a Workstation installation with the
"strict" policy? Under what circumstances?
I am putting instructions together for people in my Lab on how to
install and use Fedora Core 3. One of the early lessons I want to
document is some simple instructions on how to use SELinux. Then, as
other instructions are written for other Lab-oriented tasks, I would
integrate SELinux into these instructions. The people in the Lab are
responsible for maintaining their various computers, so knowledge about
SELinux appears necessary. If I can't understand it and explain it to
them, things are going to get messy.
Thanks for the help.
--
David Hart <dhart275(a)offramp.com>
18 years, 4 months
SELinux error with yum --installroot
by Bob Kashani
When I run:
yum -y --installroot=/testroot groupinstall "Base"
I get all kinds of errors like this:
error: %post(libuser-0.52.5-1.i386) scriptlet failed, exit status 255
error: %post(gnupg-1.2.6-1.i386) scriptlet failed, exit status 255
If I turn selinux off there are no errors. Any ideas why this is
happening?
FC3 fully updated.
yum-2.1.12-0.fc3
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-2.58
Bob
--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
18 years, 5 months
Problems with sudo
by Bogdan Agica
Hi everybody.
First of all, let me introduce myself. My name is Bogdan Agica and I'm
in the Linux team for the BitDefender Antivirus.
I'm responsible for the SELinux integration of BitDefender and I seem
to have some issues with dropping privileges. The startup scripts rely
on sudo in order to drop privileges in a standard linux system. I have
written the test policy for the postfix agent, which works fine if the
programs are started as root (not via the startup scripts); however the
final policy is supposed to integrate seamlessly with the product.
In the /etc/init.d script, the programs (5 of them) are started by
commands like:
# sudo -u bitdefender /opt/BitDefender/bin/bdcored start
I have looked at the files domains/program/sudo.te and
macros/program/sudo_macros.te. Unfortunately, the lack of documentation
for the sudo_domain() macro was a problem, so I have some questions:
1. What exactly does the sudo_domain() macro do?
2. Is this the tool that I need? (I have tried to integrate it with the
policy, but it resulted in errors)
I'm using FC3, and the following packages:
# rpm -qa | grep -i selinux
selinux-policy-strict-1.19.10-2
selinux-policy-targeted-sources-1.17.30-2.51
selinux-doc-1.14.1-1
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-2.51
selinux-policy-strict-sources-1.19.10-2
Of course, should anyone want to look at the beta policy that I've
written, I can provide it, and the software itself is available on the
company's ftp site.
TIA,
--
Bogdan Agica
BitDefender Internal Testing Engineer
-------------------------------------
SOFTWIN
Data Security Division
-------------------------------------
email: bagica(a)bitdefender.com
phone: +(4021) 233 18 52; 233 07 80
fax: (+4021) 233.07.63
Bucharest, ROMANIA
http://www.bitdefender.com
http://www.softwin.ro
-------------------------------------
secure your every bit
-------------------------------------
--
18 years, 5 months
SELinux and third party installers
by Mike Hearn
Hi,
I have a couple of questions. The first is that in the FC3 targeted
policy, it appears that ldconfig cannot write to user_home_t directories.
Why is this? It appears to be a restriction with no purpose, and some
programs rely on this to work. In fact I see from the archives that
ldconfig not being able to write or search certain directories has come up
before.
The second question is what impact SELinux will have on third party
installers. It seems from the nVidia thread that currently if you copy
files onto the system using "cp", this is the wrong way to do it and it
will break people's SELinux setups. This surely cannot be correct: that'd
break pretty much every third party installer (e.g. Loki Setup,
etc) out there!
If this is the case and this rather questionable decision is not reversed,
is using "install" the correct way to go about things on *every* SELinux
enabled distro, or is that a Fedora custom thing? It's a bit worrying how
much Fedora SELinux seems to differ from upstream, is this something that
will get better with time?
thanks -mike
18 years, 5 months
postgresql pg_dump won't run
by Dr. Michael J. Chudobiak
Hi,
I've just installed selinux on my FC3 server using the targeted policy,
and everything went well except that I can no longer run
/usr/bin/pg_dumpall as a root cron job for backing up postgresql
databases. I get this sort of log message, even if I run
pg_dump/pg_dumpall as the postgres user:
Dec 30 10:17:01 server2 kernel: audit(1104419821.285:0): avc: denied {
execute_no_trans } for pid=24740 exe=/bin/bash path=/usr/bin/pg_dump
dev=md0 ino=346137 scontext=user_u:system_r:postgresql_t
tcontext=system_u:object_r:postgresql_exec_t tclass=file
For now, I've disabled the postgres protection using
system-config-security-level, and it works fine - but postgresql is
unprotected of course.
Is there a way of running pg_dump and pg_dumpall under selinux, without
abandoning or rewriting the targeted policy?
- Mike
18 years, 5 months
syslog-ng non-standard install generating AVC
by Steve Friedman
I recently installed FC3 on a machine (we had previously been using FC1),
so this is my first exposure to selinux. Consequently, we are running
the targeted policy in permissive mode. We use syslog-ng (rather than
sysklogd) and have updated the syslog-ng.conf to monitor/log/distribute
log events on a number of other ports beyond the standard syslog
distribution.
Among other things that we do in syslog-ng include:
- open non-standard UDP/TCP ports
- open non-standard files
- call non-standard routines
As a complete newbie to selinux, I don't know whether it is
easier/simpler/better/(or even how) to modify the syslog policy or the
attributes of the executables/files/directories that it touches. I would
appreciate some advice and guidance.
AVC log events:
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { read } for pid=16202 exe=/bin/bash name=mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { getattr } for pid=16202 exe=/bin/bash path=/etc/mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { write } for pid=16202 exe=_executable_1_ name=status dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_1_ dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 10:47:27 gsi10 kernel: audit(1104162447.513:0): avc: denied { sys_admin } for pid=16201 exe=/sbin/syslog-ng capability=21 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=log dev=dm-0 ino=166417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { add_name } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { create } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { setattr } for pid=16201 exe=/sbin/syslog-ng name=e27.log dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { chown } for pid=16201 exe=/sbin/syslog-ng capability=0 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fowner } for pid=16201 exe=/sbin/syslog-ng capability=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fsetid } for pid=16201 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { append } for pid=16201 exe=/sbin/syslog-ng path=_file_2_ dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { write } for pid=16202 exe=_executable_1_ path=_file_3_ dev=dm-0 ino=166444 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_4_ dev=dm-0 ino=166472 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { read } for pid=16202 exe=_executable_1_ path=_file_5_ dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { remove_name } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { unlink } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { search } for pid=1633 exe=_executable_1_ name=bin dev=dm-0 ino=1245185 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { read } for pid=1633 exe=_executable_1_ name=sh dev=dm-0 ino=3850242 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { execute } for pid=1633 exe=_executable_1_ name=bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { execute_no_trans } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { read } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { read } for pid=1633 exe=/bin/bash name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { search } for pid=1633 exe=/bin/bash name=sbin dev=dm-0 ino=7356417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sbin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute } for pid=1633 exe=/bin/bash name=rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute_no_trans } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { read } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Steve Friedman
18 years, 5 months
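Several posts in this digest paste raw AVC lines and ask how to make sense of them. The following Python is added here and is not from any of the posters or from the Fedora SELinux project; it parses the single-line `avc: denied { perm } for key=value ...` format shown in the syslog-ng post and groups denials by source type, target type and object class, so that everything a service was refused can be reviewed as one set before deciding whether a relabel or a policy change is the right fix. The four sample lines are copied from the syslog-ng post; lines that a mail client has wrapped (as in the pg_dump post) must be rejoined onto one line first.

```python
import re
from collections import defaultdict

# Sample input: four AVC lines quoted from the syslog-ng post above (not constructed).
SAMPLE_AVC = """\
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=log dev=dm-0 ino=166417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { add_name } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { chown } for pid=16201 exe=/sbin/syslog-ng capability=0 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
"""

# Matches the verdict, the braced permission list and the trailing key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")  # e.g. "ino=-268435446" -> ("ino", "-268435446")
        if key:
            rec[key] = value
    return rec


def type_of(context):
    """'system_u:system_r:syslogd_t' -> 'syslogd_t'; unchanged if not user:role:type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(text):
    """Group denials by (source type, target type, class) and collect the denied permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_AVC).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
```

A target type of usr_t for files a daemon is expected to write (as in the e27.log lines) usually points at a file placed somewhere the policy does not expect, which is a labelling question rather than a policy one.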
What to do after building a kernel.
by Justin Conover
After I built a new kernel based off of ck-overloaded, I rebooted and a
ton of SELinux errors/messages kept coming across the screen. What
do I need to do to make a home-grown kernel work with SELinux?
18 years, 5 months
FC3 " avc: denied" issue
by Erwin J. Prinz
I have a fully upgraded (as of today) FC3 system on which I always could
install the NVIDIA drivers. But, to get a successful install after the
last upgrade (today) (which included selinux-policy-targeted.noarch
1.17.30-2.58) I now have to "setenforce 0" before installing the NVIDIA
drivers. Otherwise, the install fails due to several access denied
issues, e.g.:
Dec 25 18:51:34 tiger kernel: audit(1104022294.445:0): avc: denied {
write } for pid=3956 exe=/sbin/ldconfig
path=/var/log/nvidia-installer.log dev=hda6 ino=517383
scontext=root:system_r:ldconfig_t tcontext=system_u:object_r:var_log_t
tclass=file
Dec 25 18:51:34 tiger kernel: audit(1104022294.801:0): avc: denied {
read } for pid=3956 exe=/sbin/ldconfig name=libXvMCNVIDIA.so.1.0.6629
dev=hda4 ino=194830 scontext=root:system_r:ldconfig_t
tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:35 tiger kernel: audit(1104022295.012:0): avc: denied {
getattr } for pid=3956 exe=/sbin/ldconfig
path=/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629 dev=hda4 ino=194830
scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t tclass=file
Dec 25 18:51:38 tiger kernel: audit(1104022298.997:0): avc: denied {
getattr } for pid=3956 exe=/sbin/ldconfig
path=/usr/lib/libGL.so.1.0.6629 dev=hda4 ino=521611
scontext=root:system_r:ldconfig_t tcontext=root:object_r:lib_t
tclass=file/avc
The initial context of root is "root:system_r:unconfined_t" and I can't
change to "root:sysadm_r:sysadm_t". I did a "fixfiles relabel" and
reboot without changing the outcome.
I don't think the issue is with the NVIDIA drivers as they worked on FC3
before, and as "setenforce 0" "fixes" the issue.
I would appreciate pointers to what could be wrong.
Best regards, Erwin
18 years, 5 months