A few policy changes I had to make
by Rodrigo Damazio
Hello. I started playing with SELinux on FC2, and recently moved
to FC3, and I must say it's much better now, with the targeted policy.
Congrats on this.
I still had to change a few things in my policies, though.
Following is a collection of the avc errors justifying my changes. I'm
not experienced with SELinux yet, so I may be doing something
wrong...please let me know if these changes are correct or not. Also,
the unlink allow for httpd_t is because, for some reason, when I try to
remove a file from within PHP, it uses httpd_t instead of
httpd_sys_script_t. I would also like a rule (which I'm not sure how to
write) to allow PHP programs to execute external programs, since I have
a script which receives an uploaded file, does a lot of processing with
it through external programs, and stores it in the database - when I run
that, it gives me avc execute errors trying to run bash and the other
utilities.
Apache:
Nov 12 16:50:46 fireball kernel: audit(1100285446.637:0): avc: denied
{ connectto } for pid=2522 exe=/usr/sbin/httpd path=/tmp/.s.PGSQL.5432
scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:unconfined_t
tclass=unix_stream_socket
NTPd:
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied
{ create } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied
{ bind } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied
{ getattr } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.747:0): avc: denied
{ write } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied
{ net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=capability
Nov 11 19:51:49 fireball kernel: audit(1100209909.750:0): avc: denied
{ nlmsg_read } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.752:0): avc: denied
{ read } for pid=2293 exe=/usr/sbin/ntpd
scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t
tclass=netlink_route_socket
DHCPd:
Nov 12 23:37:25 fireball kernel: audit(1100309845.314:0): avc: denied
{ create } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.317:0): avc: denied
{ bind } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.320:0): avc: denied
{ getattr } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.323:0): avc: denied
{ write } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.325:0): avc: denied
{ net_admin } for pid=10002 exe=/usr/sbin/dhcpd capability=12
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=capability
Nov 12 23:37:25 fireball kernel: audit(1100309845.326:0): avc: denied
{ nlmsg_read } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.327:0): avc: denied
{ read } for pid=10002 exe=/usr/sbin/dhcpd
scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t
tclass=netlink_route_socket
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied
{ unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~
dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t
tcontext=system_u:object_r:file_t tclass=file
named:
Nov 12 23:41:25 fireball kernel: audit(1100310085.797:0): avc: denied
{ create } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.798:0): avc: denied
{ bind } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.799:0): avc: denied
{ getattr } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.803:0): avc: denied
{ write } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.806:0): avc: denied
{ nlmsg_read } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Nov 12 23:41:25 fireball kernel: audit(1100310085.809:0): avc: denied
{ read } for pid=10183 exe=/usr/sbin/named
scontext=root:system_r:named_t tcontext=root:system_r:named_t
tclass=netlink_route_socket
Thanks,
Rodrigo
19 years, 4 months
not relabeling "/dev/:0".
by Vinicius
Hello,
Is the problem below an SELinux-related issue, please? If so, how do I
resolve this, please?
/var/log/messages:
"...
-:0[3004]: Warning! Could not get current context for /dev/:0, not
relabeling.
..."
TIA, Vinicius.
19 years, 4 months
avc: denied ... syslogd and others.
by Vinicius
Hello,
How to resolve the problems below, please?
"Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { read } for pid=2005 exe=/sbin/syslogd name=libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { getattr } for pid=2005 exe=/sbin/syslogd path=/lib/tls/libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.432:0): avc: denied { execute } for pid=2005 path=/lib/tls/libc-2.3.3.so dev=hda7 ino=752988 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.463:0): avc: denied { append } for pid=2006 exe=/sbin/syslogd name=messages dev=hda7 ino=115590 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.463:0): avc: denied { ioctl } for pid=2006 exe=/sbin/syslogd path=/var/log/messages dev=hda7 ino=115590 scontext=user_u:system_r:syslogd_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { search } for pid=2021 exe=/sbin/portmap name=/ dev=hda7 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { read } for pid=2021 exe=/sbin/portmap name=libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { getattr } for pid=2021 exe=/sbin/portmap path=/lib/libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file
Dec 8 15:36:59 cviniciusm kernel: audit(1102527416.576:0): avc: denied { execute } for pid=2021 path=/lib/libnsl-2.3.3.so dev=hda7 ino=753010 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=file"
"# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: error (Success)
Policy version: 18
Policy from config file:targeted
Policy booleans:
...
syslogd_disable_trans inactive
..."
TIA, Vinicius.
19 years, 4 months
Looking for a simple project
by W. Michael Petullo
I am looking for a simple project to use as an example of Java GNOME
development. Because I am interested in SELinux, I thought that I could
write a GNOME application that was SELinux-related. I am looking for an
application that would take about one month to write (working on it
part-time). Only the GUI needs to be written in Java.
One idea I had was an application that would help parse AVC messages in a
system's log files. The program would categorize AVC messages by criteria
like scontext and present an expandable list of categories. The categories
could be expanded to reveal AVC messages. This might help when debugging
a SELinux policy.
So, does anyone have any suggestions? As I mentioned, my goal is really
to demonstrate the use of Java GNOME, but I would like to do something
useful. I would like to hear if there is anything anyone wants to see.
--
Mike
19 years, 4 months
cups wants to write to /usr/lib/python2.4/.../printconf_tui.pyo, etc
by Tom London
Running strict/enforcing, latest Rawhide.
When logging in, cups, running in cupsd_config_t
wants to write /usr/lib/python/site-packages/printconf_tui.pyo,
and /usr/share/printconf/util/printconf_tui.pyo.
Strict and Permissive avc's shown below.
Two things:
1. Didn't these files get moved to /var under an
earlier bugzilla?
2. Can we add a 'dontaudit' to cups.te for this:
dontaudit cupsd_config_t lib_t:dir write;
dontaudit cupsd_config_t usr_t:dir write;
tom
Strict avcs:
Dec 4 10:20:41 fedora kernel: audit(1102184441.369:0): avc: denied
{ write } for pid=2844 exe=/usr/bin/python name=util dev=hda2
ino=4309019 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=dir
Dec 4 10:20:41 fedora kernel: audit(1102184441.619:0): avc: denied
{ write } for pid=2844 exe=/usr/bin/python name=site-packages
dev=hda2 ino=4525331 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:lib_t tclass=dir
Permissive avc:
Dec 4 10:35:08 fedora kernel: audit(1102185308.369:0): avc: denied
{ write } for pid=3591 exe=/usr/bin/python name=util dev=hda2
ino=4309019 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=dir
Dec 4 10:35:08 fedora kernel: audit(1102185308.370:0): avc: denied
{ remove_name } for pid=3591 exe=/usr/bin/python
name=printconf_tui.pyo dev=hda2 ino=4309180
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=dir
Dec 4 10:35:08 fedora kernel: audit(1102185308.370:0): avc: denied
{ unlink } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo
dev=hda2 ino=4309180 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:printconf_t tclass=file
Dec 4 10:35:08 fedora kernel: audit(1102185308.606:0): avc: denied
{ add_name } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=dir
Dec 4 10:35:08 fedora kernel: audit(1102185308.606:0): avc: denied
{ create } for pid=3591 exe=/usr/bin/python name=printconf_tui.pyo
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=file
Dec 4 10:35:08 fedora kernel: audit(1102185308.606:0): avc: denied
{ write } for pid=3591 exe=/usr/bin/python
path=/usr/share/printconf/util/printconf_tui.pyo dev=hda2 ino=4309025
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=file
--
Tom London
19 years, 4 months
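The three things asked for in this thread so far (Rodrigo's "how do I write the rule for this denial", Mike's "group AVC messages by scontext", and Tom's "can we add a dontaudit for this") all start from the same step: parsing the `avc: denied { ... } for ...` lines the kernel logs. The following is an added example, not code from any of the posts above and not the audit2allow tool; it parses that 2004-era AVC line format, groups denials by a chosen field, flags targets of type `file_t` (unlabeled files, which want a relabel rather than an allow rule), and drafts merged `allow` or `dontaudit` rules in Type Enforcement syntax. The sample input is AVC lines taken from the posts above and re-joined onto single lines; all function names are this example's own.

```python
"""Parse kernel AVC denials, group them, flag unlabeled targets and draft rules.

Added example for this thread; it is not code from any of the posts above and
not audit2allow. It understands the "audit(...): avc: denied { perms } for
key=value ..." line format the posts quote.
"""
import re
from collections import defaultdict

# Sample input: AVC lines taken from the posts above, re-joined onto single
# lines, plus one non-AVC kernel line to show that it is skipped.
SAMPLE_LOG = """\
Nov 11 19:51:49 fireball kernel: audit(1100209909.743:0): avc: denied { create } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.745:0): avc: denied { bind } for pid=2293 exe=/usr/sbin/ntpd scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=netlink_route_socket
Nov 11 19:51:49 fireball kernel: audit(1100209909.749:0): avc: denied { net_admin } for pid=2293 exe=/usr/sbin/ntpd capability=12 scontext=user_u:system_r:ntpd_t tcontext=user_u:system_r:ntpd_t tclass=capability
Nov 12 23:37:25 fireball kernel: audit(1100309845.909:0): avc: denied { unlink } for pid=10008 exe=/usr/sbin/dhcpd name=dhcpd.leases~ dev=hda1 ino=425472 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:file_t tclass=file
Dec 4 10:20:41 fedora kernel: audit(1102184441.369:0): avc: denied { write } for pid=2844 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 7 07:40:23 fedora kernel: loop: loaded (max 8 devices)
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return one denial as a dict (perms list plus key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def parse_log(text):
    """Parse every AVC denial in a block of syslog text, skipping other lines."""
    return [r for r in map(parse_avc, text.splitlines()) if r]


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def group_by(records, key="scontext"):
    """Bucket denials by one field (scontext by default), as Mike's GUI idea proposes."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get(key, "?")].append(r)
    return dict(groups)


def unlabeled_targets(records):
    """Denials whose target type is file_t.

    file_t is the type of a file that carries no label at all, so such a
    denial usually means the filesystem needs relabeling (touch /.autorelabel
    and reboot, or run setfiles/restorecon), not a new allow rule.
    """
    return [r for r in records if type_of(r["tcontext"]) == "file_t"]


def draft_rules(records, dontaudit=False):
    """Merge denials sharing (source type, target type, class) into one rule each.

    Output is Type Enforcement syntax as used in the .te files the thread edits.
    A denial is evidence that a program tried something, not that it should be
    allowed to, so each drafted rule still needs a human decision.
    """
    merged = defaultdict(set)
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        merged[key].update(r["perms"])
    keyword = "dontaudit" if dontaudit else "allow"
    return [
        f"{keyword} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ctx, group in group_by(recs).items():
        print(f"{ctx}: {len(group)} denial(s)")
    for r in unlabeled_targets(recs):
        print("unlabeled target, relabel instead of allowing:", r.get("name") or r.get("path"))
    print("\n".join(draft_rules(recs)))
```

Run against the sample, the dhcpd `dhcpd.leases~` denial is singled out as an unlabeled target (its tcontext type is `file_t`), the three ntpd denials collapse into two rules (one for `netlink_route_socket`, one for the `net_admin` capability), and `draft_rules(..., dontaudit=True)` on the cups record yields the same `dontaudit cupsd_config_t usr_t:dir` rule Tom proposes, in braced form. The same `file_t` check applies to the syslogd and portmap denials quoted earlier: every one of them targets `file_t`, which points at an unlabeled filesystem rather than a policy gap.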
Request
by Mark Stier
Hello!
Could someone please take the strict policy and set a permissive
default for unconfigured processes like in the targeted policy? That
would be really great.
Thanks in advance,
Mark
--
Signed PGP public key available on key servers.
19 years, 4 months
OpenMosix
by Chak
Has someone installed OpenMosix on Fedora Core 3??? I can't!!! Any kind of
help will be appreciated.
19 years, 4 months
yum/bootloader avcs?
by Tom London
Running strict, latest Rawhide.
I happened to do today's updates in permissive
mode, and got the following avcs:
Dec 7 07:40:23 fedora kernel: loop: loaded (max 8 devices)
Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied
{ read } for pid=3863 exe=/bin/bash name=.bashrc dev=hda2 ino=1130588
scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.867:0): avc: denied
{ getattr } for pid=3863 exe=/bin/bash path=/root/.bashrc dev=hda2
ino=1130588 scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied
{ read } for pid=3865 exe=/usr/bin/id name=config dev=hda2
ino=4509759 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Dec 7 07:41:29 fedora kernel: audit(1102434089.957:0): avc: denied
{ getattr } for pid=3865 exe=/usr/bin/id path=/etc/selinux/config
dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:selinux_config_t tclass=file
The first two of these (ref to /root/.bashrc, I believe) are not new, but
I don't remember seeing the others.
tom
--
Tom London
19 years, 4 months
avc denied from /.autorelabel
by Richard Hally
Included below are the avc denied messages from trying to do an
autorelabel while in enforcing mode with the strict policy.
There are also messages about line 64 of rc.sysinit: permission denied.
Looks like sysinit (initrc_t) is trying to write to /selinux/enforce without
being allowed to do so.
Thus setfiles cannot read file_contexts.
HTH
Richard Hally
Dec 6 05:53:56 new2 kernel: audit(1102330419.769:0): avc: denied {
write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:security_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330419.769:0): avc: denied {
write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:security_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330420.005:0): avc: denied {
read } for pid=1279 exe=/usr/sbin/setfiles name=file_contexts dev=dm-0
ino=3998097 scontext=system_u:system_r:initrc_t
tcontext=root:object_r:file_context_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330420.026:0): avc: denied {
write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:security_t tclass=file
Dec 6 05:53:56 new2 kernel: audit(1102330420.026:0): avc: denied {
write } for pid=213 exe=/bin/bash name=enforce dev=selinuxfs ino=4
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:security_t tclass=file
19 years, 4 months