December 2004 - selinux - Fedora Mailing-Lists

by Rodrigo Damazio

Hello. I started playing with SELinux on FC2, and recently moved to FC3, and I must say it's much better now, with the targeted policy. Congrats on this. I still had to change a few things in my policies, though. Following is a collection of the avc errors justifying my changes. I'm not experienced with SElinux yet, so I may be doing something wrong...please let me know if these changes are correct or not. Also, the unlink allow for httpd_t is because, for some reason, when I try to remove a file from within PHP, it uses httpd_t instead of httpd_sys_script_t . I would also like a rule(which I'm not sure how to write) to allow PHP programs to execute external programs, since I have a script which receives an uploaded file, does a lot of processing with it through external programs, and stores it in the database - when I run that, it gives me avc execute errors trying to run bash and the other utilities. Apache: Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied { connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t tclass=unix_stream_socket NTPd: Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { bind } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { getattr } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc: denied { write } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc: denied { nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc: denied { read } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket DHCPd: Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc: denied { create } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc: denied { bind } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc: denied { getattr } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc: denied { write } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc: denied { net_admin } for pid=10002 exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=capability Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc: denied { nlmsg_read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc: denied { read } for pid=10002 exe=/usr/sbin/dhcpd scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=netlink_route_socket Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file named: Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc: denied { create } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc: denied { bind } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc: denied { getattr } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc: denied { write } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc: denied { nlmsg_read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc: denied { read } for pid=10183 exe=/usr/sbin/named scontext=root:system_r:named_t tcontext=root:system_r:named_t tclass=netlink_route_socket Thanks, Rodrigo

19 years, 4 months

4
6
0 / 0

not relabeling "/dev/:0".

by Vinicius

Hello, Is the problem below a SELinux related issue, please? If so, how to resolve this, please? /var/log/messages: "... -:0[3004]: Warning! Could not get current context for /dev/:0, not relabeling. ..." TIA, Vinicius.

19 years, 4 months

5
4
0 / 0

avc: denied ... syslogd and others.

by Vinicius

Hello, How to resolve the problems below, please? "Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { read } for pid=2005 exe=/sbin/syslogd name=libc-2.3.3.so dev=hda7 ino=752988 sconte xt=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { geta ttr } for pid=2005 exe=/sbin/syslogd path=/lib/tls/libc-2.3.3.so dev=hda7 ino=7 52988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclas s=file Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { exec ute } for pid=2005 path=/lib/tls/libc-2.3.3.so dev=hda7 ino=752988 scontext=use r_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.463:0): avc: denied { appe nd } for pid=2006 exe=/sbin/syslogd name=messages dev=hda7 ino=115590 scontext= user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.463:0): avc: denied { ioct l } for pid=2006 exe=/sbin/syslogd path=/var/log/messages dev=hda7 ino=115590 s context=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { sear ch } for pid=2021 exe=/sbin/portmap name=/ dev=hda7 ino=2 scontext=user_u:syste m_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { read } for pid=2021 exe=/sbin/portmap name=libnsl-2.3.3.so dev=hda7 ino=753010 scon text=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { geta ttr } for pid=2021 exe=/sbin/portmap path=/lib/libnsl-2.3.3.so dev=hda7 ino=753 010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass= file Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { exec ute } for pid=2021 path=/lib/libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_ u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file" "# sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: error (Success) Policy version: 18 Policy from config file:targeted Policy booleans: ... syslogd_disable_trans inactive ..." TIA, Vinicius.

19 years, 4 months

2
4
0 / 0

Looking for a simple project

by W. Michael Petullo

I am looking for a simple project to use as an example of Java GNOME development. Because I am interested in SELinux, I thought that I could write a GNOME application that was SELinux-related. I am looking for an application that would take about one month to write (working on it part-time). Only the GUI needs to be written in Java. One idea I had was an application that would help parse AVC messages in a system's log files. The program would categorize AVC messages by criteria like scontext and present a expandable list of categories. The categories could be expanded to reveal AVC messages. This might help when debugging a SELinux policy. So, does anyone have any suggestions? As I mentioned, my goal is really to demonstrate the use of Java GNOME, but I would like to do something useful. I would like to hear if there is anything anyone wants to see. -- Mike

19 years, 4 months

2
1
0 / 0

cups wants to write to /usr/lib/python2.4/.../printconf_tui.pyo, etc

by Tom London

Running strict/enforcing, latest Rawhide. When logging in, cups, running in cupsd_config_t wants to write /usr/lib/python/site-packages/printconf_tui.pyo, and /usr/share/printconf/util/printconf_tui.pyo. Strict and Permissive avc's shown below. Two things: 1. Didn't these files get moved to /var under an earlier bugzilla? 2. Can we add a 'dontaudit' to cups.te for this: dontaudit cupsd_config_t lib_t:dir write; dontaudit cupsd_config_t usr_t:dir write; tom Strict avcs: Dec 4 10:20:41 fedora kernel: audit(1102184441.369:0): avc: denied { write } for pid=2844 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir Dec 4 10:20:41 fedora kernel: audit(1102184441.619:0): avc: denied { write } for pid=2844 exe=/usr/bin/python name=site-packages dev=hda2 ino=4525331 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:lib_t tclass=dir Permissive avc: Dec 4 10:35:08 fedora kernel: audit(1102185308.369:0): avc: denied { write } for pid=3591 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir Dec 4 10:35:08 fedora kernel: audit(1102185308.370:0): avc: denied { remove_name } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo dev=hda2 ino=4309180 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir Dec 4 10:35:08 fedora kernel: audit(1102185308.370:0): avc: denied { unlink } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo dev=hda2 ino=4309180 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:printconf_t tclass=file Dec 4 10:35:08 fedora kernel: audit(1102185308.606:0): avc: denied { add_name } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir Dec 4 10:35:08 fedora kernel: audit(1102185308.606:0): avc: denied { create } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=file Dec 4 10:35:08 fedora kernel: audit(1102185308.606:0): avc: denied { write } for pid=3591 exe=/usr/bin/python path=/usr/share/printconf/util/printconf_tui.pyo dev=hda2 ino=4309025 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=file -- Tom London

19 years, 4 months

3
3
0 / 0

Request

by Mark Stier

Hello! Could someone please take the strict policy and set a permissive default for unconfigured processes like in the targeted policy? That would be really great. Thanks in advance, Mark -- Signed PGP public key available on key servers.

19 years, 4 months

3
2
0 / 0

Maximum Hardisk for Fedora Core 3

by Foryanto J. Wiguna

Hello all i just want to know Maximum Hardisk for Fedora Core 3 regards, -Foryanto-

19 years, 4 months

2
1
0 / 0

OpenMosix

by Chak

Someone had installed OpenMosix on Fedora Core 3??? I cant!!! Any kind of help will be apreciated.

19 years, 4 months

1
0
0 / 0

yum/bootloader avcs?

by Tom London

Running strict, latest Rawhide. I happened to do today's updates in permissive mode, and got the following avcs: Dec 7 07:40:23 fedora kernel: loop: loaded (max 8 devices) Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied { read } for pid=3863 exe=/bin/bash name=.bashrc dev=hda2 ino=1130588 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied { getattr } for pid=3863 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=1130588 scontext=root:sysadm_r:bootloader_t tcontext=root:object_r:staff_home_t tclass=file Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied { read } for pid=3865 exe=/usr/bin/id name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied { getattr } for pid=3865 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file The first two of these (ref to /root/.basrc, I believe) is not new, but I don't remember seeing the others. tom -- Tom London

19 years, 4 months

2
1
0 / 0

avc denied from /.autorelabel

by Richard Hally

Included below are the avc denied messages from trying to do an autorelabel while in enforcing mode with the strict policy. there are also messages about line 64 of rc.sysinit: permission denied. Looks like sysinit(initrc_t) is trying to write to /selinux/enforce with out being allowed to do so. Thus setfiles can not read file_contexts. HTH Richard Hally Dec 6 05:53:56 new2 kernel: audit(1102330419.769:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file Dec 6 05:53:56 new2 kernel: audit(1102330419.769:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file Dec 6 05:53:56 new2 kernel: audit(1102330420.005:0): avc: denied { read } for pid=1279 exe=/usr/sbin/setfiles name=file_contexts dev=dm-0 ino=3998097 scontext=system_u:system_r:initrc_t tcontext=root:object_r:file_context_t tclass=file Dec 6 05:53:56 new2 kernel: audit(1102330420.026:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file Dec 6 05:53:56 new2 kernel: audit(1102330420.026:0): avc: denied { write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:security_t tclass=file

19 years, 4 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2004