http startup problem
by Arthur Stephens
I do not know if this is a SELinux problem or an httpd problem.
Upgraded to the latest SELinux and now httpd fails with the following message
Dec 6 20:13:03 webmail kernel: audit(1102392783.654:0): avc: denied { unlink } for pid=2005 exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 ino=228205 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Dec 6 20:13:04 webmail httpd: httpd startup succeeded
Dec 6 20:13:04 webmail kernel: audit(1102392784.995:0): avc: denied { unlink } for pid=2006 exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 ino=228205 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
The httpd error log shows
[Mon Dec 06 20:13:04 2004] [error] (17)File exists: Cannot create SSLMutex with file `/etc/httpd/logs/ssl_mutex.2005'
Configuration Failed
ls -Z of the directory shows the ssl_mutex... is being created incorrectly?
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log.2
-rw-r--r-- root root root:object_r:httpd_log_t ssl_mutex.2005
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_request_log
I am confused on where to fix this.
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
Understanding SELinux
by Giuseppe Greco
Hi all,
I've lots of problems related to SELinux on FC3...
I get tonnes of messages like
...
audit(1102179993.228:0): avc: denied { append } for pid=2624
exe=/sbin/syslogd name=boot.log dev=md-6 ino=128104
scontex=root:system_r:syslogd_t tcontext=system_u:object_r:file_t
tclass=file
syslog: /var/log/boot.log: Permissin denied
...
Same problem with dhcpd, portmap, etc.
I've tried this
[root@murphy etc]# ls -alZ /var/log/boot.log
-rw------- root root /var/log/boot.log
... and then this
[root@murphy etc]# chcon -t var_log_t /var/log/boot.log
but I always get the error message
"chcon: can't apply partial context to unlabeled file boot.log"
What I'm trying to understand is why system files like this are
not already labeled as they should, and what I've to do to get
my boxes working without complaining...
Thanks for helping a poor novice,
j3d.
--
----------------------------------------
Giuseppe Greco
::agamura::
phone: +41 (0)91 604 67 65
mobile: +41 (0)76 390 60 32
email: giuseppe.greco(a)agamura.com
web: www.agamura.com
----------------------------------------
perl/cgi script problem
by Arthur Stephens
Ok I thought I had this SELinux thing figured out at least a little.
Finally got httpd to startup.
But now I have perl/cgi script problems.
When trying to access my Genesis WebAuthoring System the script works in the /cgi-bin/genesis/ directory displaying the login screen
but when I go to log in I get this error message.
Error: could not write to file '/var/www/pteraweb/cgi-bin/genesis/script_data/accounts/.webauth_tokens' - Permission denied - Permission denied
Plus these on the console
Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Oh I know what this means so I added this to my custom.fc
/var/www/.*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
which is what I saw in file_contexts for /var/www/cgi-bin
make load
fixfiles relabel
The log shows it relabeled everything.
But now I get...
Dec 3 13:42:38 webmail kernel: audit(1102110158.398:0): avc: denied { search } for pid=1873 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 3 13:42:47 webmail kernel: audit(1102110167.739:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Dec 3 13:42:47 webmail kernel: audit(1102110167.740:0): avc: denied { search } for pid=1874 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 3 13:42:47 webmail kernel: audit(1102110167.964:0): avc: denied { write } for pid=1874 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
So I ran out of what I know to do or maybe I messed things up.
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
rpm -V selinux-policy-targeted
by Joe Orton
Should I expect output like this from rpm -V from a fresh install, even
if I haven't touched the policy myself?
[root@blane ~]# rpm -V selinux-policy-targeted
.......TC c /etc/selinux/targeted/contexts/default_contexts
.......TC c /etc/selinux/targeted/contexts/default_type
.......TC c /etc/selinux/targeted/contexts/failsafe_context
..5....TC c /etc/selinux/targeted/contexts/files/file_contexts
.......TC c /etc/selinux/targeted/contexts/files/media
.......TC c /etc/selinux/targeted/contexts/initrc_context
.......TC c /etc/selinux/targeted/contexts/removable_context
.......TC c /etc/selinux/targeted/contexts/userhelper_context
.......TC c /etc/selinux/targeted/contexts/users/root
..5....T. c /etc/selinux/targeted/policy/policy.18
Since policy/policy.18 is marked %config(noreplace) the new policy.18
file is installed as policy.18.rpmnew and hence it seems manual
intervention is needed to load the new policy, it's not a simple rpm -U
or up2date run away - is this desirable?
joe
Bind and selinux
by Rogelio J. Baucells
Hi,
I have a server running FC3 + selinux (targeted) and I had some
problems with bind and dynamic DNS updates. This is how I fixed it.
The first thing I noticed is that the named server was not able to
create the Journal files for the zones I was trying to update
# ls -l /var/named/chroot/var
total 24
drwxr-x--- 4 root named 4096 Dec 1 14:42 named
drwxrwx--- 3 root named 4096 Nov 16 11:50 run
drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
because the user "named" (the one running the daemon) did not have
access to create new files inside the named folder. I think this is a
problem in the bind-chroot rpm package. I ran the following command to
give the user named access to create new files inside the named folder
# chmod 770 /var/named/chroot/var/named
# ls -l /var/named/chroot/var
total 24
drwxrwx--- 4 root named 4096 Dec 1 14:42 named
drwxrwx--- 3 root named 4096 Nov 16 11:50 run
drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
That fixed the problem. Now selinux!!!
When I try to update one of the zones I get the following error in
/var/log/messages
----------------------------------------------------------------------
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
zone 'example.com/IN': adding an RR
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
zone 'example.com/IN': adding an RR
Dec 1 14:56:01 server named[22580]: journal file example.com.zone.jnl
does not exist, creating it
Dec 1 14:56:01 server named[22580]: example.com.zone.jnl: create:
permission denied
Dec 1 14:56:01 server kernel: audit(1101930961.025:0): avc: denied {
write } for pid=22581 exe=/usr/sbin/named name=named dev=dm-0
ino=293768 scontext=root:system_r:named_t
tcontext=system_u:object_r:named_zone_t tclass=dir
Dec 1 14:56:01 server named[22580]: client 127.0.0.1#32867: updating
zone 'example.com/IN': error: journal open failed: unexpected error
----------------------------------------------------------------------
I ran the "Security Level Configuration" tool and enabled "Allow named
to overwrite master zone files" and that fixed the problem.
Without the ACL modifications of the folder /var/named/chroot/var/named
the setting in the "Security Level Configuration" is useless. I hope
this information helps somebody having the same problems...
RJB
Re: httpd avc denied problem
by Arthur Stephens
>> I am new to SELinux and Fedora 3 - setting up a replacement server for
>> the one that got hacked
>> I transferred our websites over and discovered I had to have them all
>> under /usr/www/
>>Who or what does tell you this should be this way? /usr/ is the wrong
>>place.
Ok I moved everything under /var/www..
ran fixfiles
changed everything under httpd.conf to point to /var/www/...
I got the same error messages just different directories
Being desperate to get this working I copied the error_log from a directory
that was working
ran fixfiles
and got avc: denied { append }
(13)Permission denied: httpd: could not open error log file
/var/www/spokanewines.com/logs/error_log.
Unable to open logs
[root@webmail ~]# cd /var/www/spokanewines.com/logs/
[root@webmail logs]# ls -alZ
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
I tried to run
system-config-securitylevel
but there are no references to Boolean options for Apache HTTP
just firewall options.
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
----- Original Message -----
From: "Alexander Dalloz" <ad+lists(a)uni-x.org>
To: "For users of Fedora Core releases" <fedora-list(a)redhat.com>
Sent: Monday, November 29, 2004 11:25 AM
Subject: Re: httpd avc denied problem
lpoptions, printing from firefox. mozilla_macros.te?
by Tom London
Running strict/enforcing, latest Rawhide.
Each time I boot, /etc/cups/lpoptions
appears to be created with the 'wrong'
type: cupsd_etc_t instead of
cupsd_rw_etc_t.
Printing from firefox produces the following
avc's complaining about accessing /etc/cups/lpoptions
in either case.
Does mozilla_macros.te need:
ifdef(`cups.te', `
allow $1_mozilla_t cupsd_etc_t:dir search;
+allow user_mozilla_t cupsd_rw_etc_t:file read;
')
I'm still working on figuring out why lpoptions
is getting the wrong type.....
tom
Dec 2 07:27:56 fedora kernel: audit(1102001276.342:0): avc: denied
{ read } for pid=3363 exe=/usr/lib/firefox-1.0/firefox-bin
name=lpoptions dev=hda2 ino=4474994
scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
Dec 2 07:27:56 fedora kernel: audit(1102001276.695:0): avc: denied
{ read } for pid=3363 exe=/usr/lib/firefox-1.0/firefox-bin
name=lpoptions dev=hda2 ino=4474994
scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
Dec 2 07:28:00 fedora kernel: audit(1102001280.378:0): avc: denied
{ read } for pid=3363 exe=/usr/lib/firefox-1.0/firefox-bin
name=lpoptions dev=hda2 ino=4474994
scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
--
Tom London
firefox and /usr/tmp
by Tom London
Running strict/enforcing, latest Rawhide,
selinux-policy-strict-1.19.8-4
Starting firefox produces:
Dec 1 18:49:33 fedora kernel: audit(1101955773.849:0): avc: denied
{ read } for pid=4652 exe=/usr/lib/firefox-1.0/firefox-bin name=tmp
dev=hda2 ino=4112455 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:tmp_t tclass=lnk_file
on attempted read of /usr/tmp (link to /var/tmp)
Should there be a
dontaudit user_mozilla_t tmp_t:lnk_file read;
in mozilla_macros.te ?
--
Tom London
use can_network_XXX() in inetd.te, ssh.te, rhgb.te, rpcd.te...?
by Tom London
Running strict/enforcing off of latest Rawhide
Several problems after latest update,
mostly like:
Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc: denied
{ accept } for pid=3656 exe=/usr/sbin/sshd lport=22
scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t
tclass=tcp_socket
or
Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc: denied
{ listen } for pid=2251 exe=/usr/sbin/xinetd lport=113
scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t
tclass=tcp_socket
Nov 30 19:17:04 fedora xinetd[2251]: service auth, accept: Permission
denied (errno = 13)
or
Nov 30 19:16:51 fedora kernel: audit(1101871006.547:0): avc: denied
{ listen } for pid=1959 exe=/sbin/rpc.statd lport=32768
scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t
tclass=tcp_socket
or
Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc: denied
{ connect } for pid=1198 exe=/usr/bin/rhgb
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=tcp_socket
Nov 30 19:42:36 fedora kernel: audit(1101843722.421:0): avc: denied
{ connect } for pid=1198 exe=/usr/bin/rhgb
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=tcp_socket
etc.
I added something like 'allow XXX self:tcp_socket {listen accept}'
or 'allow XXX self:tcp_socket {connect}'
to get the daemons up and running, but shouldn't
these guys use the can_network_tcp(), can_network_client(),
or can_network_server()?
Are patches needed, or is this in the works?
tom
--
Tom London
kernel fails to install
by Tom London
Running strict/enforcing off of Rawhide.
Doing yesterday's updates, the kernel failed to
install to /boot. That is, no files installed
under /boot, but worked OK installing
files to /lib/modules.
I did an rpm -e, setenforce 0; rpm -ivh, and got
the following:
Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied
{ read } for pid=3647 exe=/bin/bash name=.bashrc dev=hda2 ino=1196086
scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.328:0): avc: denied
{ getattr } for pid=3647 exe=/bin/bash path=/root/.bashrc dev=hda2
ino=1196086 scontext=root:sysadm_r:bootloader_t
tcontext=root:object_r:staff_home_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.337:0): avc: denied
{ read } for pid=3649 exe=/usr/bin/id name=config dev=hda2
ino=4509759 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.338:0): avc: denied
{ getattr } for pid=3649 exe=/usr/bin/id path=/etc/selinux/config
dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.501:0): avc: denied
{ execute } for pid=3647 exe=/bin/bash name=colorls.sh dev=hda2
ino=4474159 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:etc_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied
{ execute } for pid=3662 exe=/bin/bash name=consoletype dev=hda2
ino=2310212 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:consoletype_exec_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied
{ execute_no_trans } for pid=3662 exe=/bin/bash
path=/sbin/consoletype dev=hda2 ino=2310212
scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:consoletype_exec_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.530:0): avc: denied
{ read } for pid=3662 exe=/bin/bash path=/sbin/consoletype dev=hda2
ino=2310212 scontext=root:sysadm_r:bootloader_t
tcontext=system_u:object_r:consoletype_exec_t tclass=file
allow bootloader_t consoletype_exec_t:file { execute execute_no_trans read };
allow bootloader_t etc_t:file execute;
allow bootloader_t selinux_config_t:file { getattr read };
allow bootloader_t staff_home_t:file { getattr read };
--
Tom London
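Several posts above (the perl/cgi thread and the kernel-install thread in particular) do by hand what audit2allow automates: read the `avc: denied` lines, group them by source type, target type and object class, and write out the equivalent `allow` rule. The following is an added, simplified re-implementation of that triage step, not code from any poster or from the audit2allow tool; the sample log lines are constructed from the messages quoted on this page, and the output is only a diagnostic, since in the threads above the correct fix was a relabel or a boolean rather than a new allow rule.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the AVC lines quoted in the posts above.
SAMPLE_LOG = """\
Dec 2 21:04:55 webmail kernel: audit(1102050295.132:0): avc: denied { write } for pid=2360 exe=/usr/bin/perl name=.webauth_tokens dev=dm-0 ino=228251 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Dec 2 21:04:54 webmail kernel: audit(1102050294.906:0): avc: denied { search } for pid=2360 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Dec 2 21:04:37 webmail kernel: audit(1102050277.791:0): avc: denied { search } for pid=2359 exe=/usr/bin/perl name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Nov 30 19:36:32 fedora kernel: audit(1101872192.337:0): avc: denied { read } for pid=3649 exe=/usr/bin/id name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov 30 19:36:32 fedora kernel: audit(1101872192.338:0): avc: denied { getattr } for pid=3649 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:selinux_config_t tclass=file
Dec 6 20:13:04 webmail httpd: httpd startup succeeded
"""

# Matches the 2004-era kernel AVC format: 'avc: denied { perms } for key=value ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    # A context is user:role:type; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(groups)


def as_allow_rules(groups):
    """Render each group as the TE rule that would silence it, audit2allow-style."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ %s }" % p
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, p))
    return rules


if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE_LOG))))
```

A rule such as `allow httpd_sys_script_t httpd_sys_content_t:file write;` is a signal that the script's data directory carries a read-only content label, which is why the thread's answer was a file-context entry and relabel rather than loading that rule.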