selinux March 2004

selinux@lists.fedoraproject.org

48 participants
73 discussions

nsupdate and netlink_socket AVCs
by Aleksey Nogin 06 Apr '04

06 Apr '04

If I attempt to use nsupdate from under an ordinary user (which shouldn't be a problem, should it?), then I see audit(1079022100.499:0): avc: denied { bind } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket audit(1079022100.499:0): avc: denied { getattr } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket audit(1079022100.499:0): avc: denied { write } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket audit(1079022100.500:0): avc: denied { read } for pid=18759 exe=/usr/bin/nsupdate scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=netlink_socket Not sure what this is all about. -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

4 7

Postfix and SELinux
by Rudi Chiarito 01 Apr '04

01 Apr '04

I successfully - or so it seems - convinced a box to work in enforcing mode, but as of today I still see these error messages whenever postfix is started: Mar 29 17:33:35 pizza kernel: audit(1080603215.577:0): avc: denied { write } for pid=5102 exe=/usr/sbin/postalias name=aliases.db dev=sda3 ino=245461 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:postfix_etc_t tclass=file Mar 29 17:33:36 pizza kernel: audit(1080603216.592:0): avc: denied { search } for pid=5103 exe=/bin/bash dev= ino=1 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:devpts_t tclass=dir Mar 29 17:33:36 pizza kernel: audit(1080603216.597:0): avc: denied { execute } for pid=5104 exe=/bin/bash name=master dev=sda3 ino=1407396 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:lib_t tclass=file Does this ring a bell? As far as I can tell, all contexts are properly set. To play safe, I even removed and reinstalled the postfix RPM. The system has all the latest Raw Hide packages. Rudi

5 5

install of kernel 2.6.4-1.298 does not work
by Richard Hally 31 Mar '04

31 Mar '04

when I ran up2date today it appeared to install kernel 2.6.4-1.298. There were no errors reported. But it did not update grub as usual, it did not put any files in /boot, and when I do rpm -q kernel it does not show 2.6.4-1.298 (It shows the other kernels 253 etc) [root@old1 boot]# rpm -q kernel kernel-2.6.3-2.1.242 kernel-2.6.3-2.1.253 kernel-2.6.3-2.1.246 kernel-2.6.3-2.1.253.2.1 Below are the messages in the up2date log file. [Tue Mar 30 20:50:28 2004] up2date installing packages: ['GConf2-2.6.0-1', 'GConf2-devel-2.6.0-1', 'Guppi-0.40.3-18', 'Guppi-devel-0.40.3-18', 'ImageMagick-5.5.7.15-1.3', 'ImageMagick-c++-5.5.7.15-1.3', 'ImageMagick-c++-devel-5.5.7.15-1.3', 'ImageMagick-devel-5.5.7.15-1.3', 'ImageMagick-perl-5.5.7.15-1.3', 'Maelstrom-3.0.6-3', 'a2ps-4.13b-37', 'amanda-2.4.4p2-3', 'amanda-client-2.4.4p2-3', 'amanda-devel-2.4.4p2-3', 'amanda-server-2.4.4p2-3', 'anaconda-9.92-0.20040323181753', 'anaconda-runtime-9.92-0.20040323181753', 'apr-0.9.4-11', 'apr-devel-0.9.4-11', 'apr-util-0.9.4-12', 'apr-util-devel-0.9.4-12', 'aumix-2.8-8', 'beecrypt-3.1.0-3', 'beecrypt-devel-3.1.0-3', 'beecrypt-python-3.1.0-3', 'bind-9.2.3-13', 'bind-chroot-9.2.3-13', 'bind-devel-9.2.3-13', 'bind-libs-9.2.3-13', 'bind-utils-9.2.3-13', 'binutils-2.15.90.0.1.1-2', 'busybox-1.00.pre8-2', 'busybox-anaconda-1.00.pre8-2', 'control-center-2.5.4-2', 'dhclient-3.0.1rc12-4', 'dhcp-3.0.1rc12-4', 'dhcp-devel-3.0.1rc12-4', 'esound-0.2.34-1', 'esound-devel-0.2.34-1', 'file-4.07-3', 'freeglut-2.2.0-11', 'freeglut-devel-2.2.0-11', 'gaim-0.75.99-20040328cvs', 'gedit-2.5.92-1', 'gedit-devel-2.5.92-1', 'glibc-2.3.3-20', 'glibc-common-2.3.3-20', 'glibc-devel-2.3.3-20', 'glibc-headers-2.3.3-20', 'glibc-profile-2.3.3-20', 'glibc-utils-2.3.3-20', 'gnome-mime-data-2.4.1-3', 'gnome-vfs2-2.6.0-1', 'gnome-vfs2-devel-2.6.0-1', 'gnome-vfs2-smb-2.6.0-1', 'gok-0.9.10-2', 'gpm-1.20.1-45', 'gpm-devel-1.20.1-45', 'hotplug-2004_03_11-1', 'htdig-3.2.0b5-7', 'htdig-web-3.2.0b5-7', 'httpd-2.0.49-1', 'httpd-devel-2.0.49-1', 'httpd-manual-2.0.49-1', 'hwdata-0.114-1', 'initscripts-7.49-1', 'ipxutils-2.2.4-1', 'kdebase-3.2.1-1.5', 'kdebase-devel-3.2.1-1.5', 'kdegames-3.2.1-2', 'kdegames-devel-3.2.1-2', 'kdenetwork-3.2.1-3', 'kdenetwork-devel-3.2.1-3', 'kdepim-3.2.1-4', 'kdepim-devel-3.2.1-4', 'kernel-2.6.4-1.298', 'kernel-doc-2.6.4-1.298', 'kernel-source-2.6.4-1.298', 'kernel-utils-2.4-9.1.126', 'kinput2-canna-wnn6-v3.1-17', 'less-382-3', 'libbonobo-2.6.0-2', 'libbonobo-devel-2.6.0-2', 'libselinux-1.6-5', 'libselinux-devel-1.6-5', 'libwnck-2.5.90-3', 'libwnck-devel-2.5.90-3', 'libxml2-2.6.8-1', 'libxml2-devel-2.6.8-1', 'libxml2-python-2.6.8-1', 'lm_sensors-2.8.3-5', 'lm_sensors-devel-2.8.3-5', 'man-1.5m2-5', 'mod_ssl-2.0.49-1', 'modutils-2.4.26-14', 'ncpfs-2.2.4-1', 'neon-0.24.4-4', 'neon-devel-0.24.4-4', 'net-snmp-5.1.1-1', 'net-snmp-devel-5.1.1-1', 'net-snmp-perl-5.1.1-1', 'net-snmp-utils-5.1.1-1', 'nptl-devel-2.3.3-20', 'nscd-2.3.3-20', 'nss_ldap-217-1', 'openssl-0.9.7a-35', 'openssl-devel-0.9.7a-35', 'openssl-perl-0.9.7a-35', 'pcre-4.5-2', 'pcre-devel-4.5-2', 'policy-1.9.1-2', 'policy-sources-1.9.1-2', 'policycoreutils-1.9-16', 'qt-3.3.1-0.7', 'qt-MySQL-3.3.1-0.7', 'qt-ODBC-3.3.1-0.7', 'qt-PostgreSQL-3.3.1-0.7', 'qt-designer-3.3.1-0.7', 'qt-devel-3.3.1-0.7', 'rhythmbox-0.7.1-2', 'rp-pppoe-3.5-12', 'rpmdb-fedora-1.91-0.20040330', 'samba-3.0.3-1.pre1', 'samba-client-3.0.3-1.pre1', 'samba-common-3.0.3-1.pre1', 'samba-swat-3.0.3-1.pre1', 'sash-3.7-3', 'setools-1.2.1-3', 'setools-devel-1.2.1-3', 'setools-gui-1.2.1-3', 'shared-mime-info-0.14-1', 'slocate-2.7-8', 'sylpheed-0.9.10-2', 'system-config-bind-2.0.2-4', 'system-config-date-1.7.3-1', 'system-config-display-1.0.12-1', 'system-config-netboot-0.1.3-4', 'system-config-printer-0.6.98-1', 'system-config-printer-gui-0.6.98-1', 'system-config-samba-1.2.9-1', 'system-config-securitylevel-1.3.9-1', 'system-config-securitylevel-tui-1.3.9-1', 'system-config-services-0.8.8-4', 'tetex-2.0.2-13', 'tetex-afm-2.0.2-13', 'tetex-doc-2.0.2-13', 'tetex-dvips-2.0.2-13', 'tetex-fonts-2.0.2-13', 'tetex-latex-2.0.2-13', 'tetex-xdvi-2.0.2-13', 'udev-023-1', 'util-linux-2.12-15', 'vim-X11-6.2.403-1', 'vim-common-6.2.403-1', 'vim-enhanced-6.2.403-1', 'vim-minimal-6.2.403-1', 'vnc-4.0-1.beta4.9', 'vnc-server-4.0-1.beta4.9', 'w3m-0.5-1', 'webalizer-2.01_10-22', 'xinitrc-3.38-1', 'zip-2.3-22'] [Tue Mar 30 22:05:51 2004] up2date Modifying bootloader config to include the new kernel info [Tue Mar 30 22:05:51 2004] up2date Adding 2.6.4-1.298 to bootloader config [Tue Mar 30 22:05:51 2004] up2date Adding 2.6.4-1.298 to bootloader config [Tue Mar 30 22:05:52 2004] up2date Running lilo with the new configuration [Tue Mar 30 22:05:53 2004] up2date Modifying bootloader config to include the new kernel info [Tue Mar 30 22:05:53 2004] up2date Adding 2.6.4-1.298 to bootloader config [Tue Mar 30 22:05:53 2004] up2date Running lilo with the new configuration [root@old1 boot]# This shows (supposedly) that all those packages were updated. If the kernel was not installed when the log says it was, how many others were not really updated? another problem is that I use grub! ( have never used lilo on this box) and it was not updated. the log shows that the kernel install tried to update lilo. btw I am running in enforcing mode as root (with role sysmgr_r): Where do I start with the bug reports? the kernel 'cause it did not install? up2date because it did not report any errors when something was very worng? selinux policy? there are hundreds of avc denied messages... please let me know how to proceed with getting my system updated in enforcing mode and if there is additional information I can provide. the messages file is 796261 bytes and I have saved a copy. thanks, Richard Hally Richard Hally

7 7

Is arbitrary access to rpm_t by sysadm_r a security problem?
by Aleksey Nogin 31 Mar '04

31 Mar '04

I would imagine sysadm_r can do a lot anyway, but just in case it is a problem, here it is: % id uid=500(aleksey) gid=500(aleksey) groups=500(aleksey) context=aleksey:sysadm_r:sysadm_t % rpm -q rpm --pipe id uid=500(aleksey) gid=500(aleksey) groups=500(aleksey) context=aleksey:sysadm_r:rpm_t Basically, the --pipe option to rpm seems to be giving sysadm_r full access to sysadm_r:rpm_t -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

3 3

udev and SELinux.
by Aleksey Nogin 30 Mar '04

30 Mar '04

I briefly tried installing udev and it seems that it was creating devices with the default device_t type instead of the one dictated by SELinux policies. Is this a known issue? Should I file a Bugzilla report? -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

2 1

Should Yum and up2date understand SELinux roles
by Tom Mitchell 30 Mar '04

30 Mar '04

Should yum check "id" for sysadm_r role? Since %pre and %post actions are problematic a partial install could result that may not be simple to fix. Here is a yum session that shows the interaction that is prompting my question. Note the scriptlet error followed by "Transaction(s) Complete". # yum install xorg-x11-100dpi-fonts Gathering header information file(s) from server(s) Server: Fedora Core 1.91 - Development Tree Finding updated packages Downloading needed headers Resolving dependencies Dependencies resolved I will do the following: [install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386] Is this ok [y/N]: y Downloading Packages Getting xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9.i386.rpm xorg-x11-100dpi-fonts-0.0 100% |=========================| 4.2 MB 05:26 Running test transaction: Test transaction complete, Success! xorg-x11-100dpi-fonts 100 % done 1/1 error: setexeccon(root:staff_r:rpm_script_t) fails from context "root:staff_r:staff_t": Invalid argument error: %post(xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9) scriptlet failed, exit status 255 Installed: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386 Transaction(s) Complete # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:staff_r:staff_t # newrole -r sysadm_r Authenticating root. Password: # rpm -e xorg-x11-100dpi-fonts # yum install xorg-x11-100dpi-fonts Gathering header information file(s) from server(s) Server: Fedora Core 1.91 - Development Tree Finding updated packages Downloading needed headers Resolving dependencies Dependencies resolved I will do the following: [install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386] Is this ok [y/N]: y Downloading Packages Running test transaction: Test transaction complete, Success! xorg-x11-100dpi-fonts 100 % done 1/1 Installed: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386 Transaction(s) Complete -- T o m M i t c h e l l /dev/null the ultimate in secure storage.

2 3

selinux and NFS?
by Dave Alden 30 Mar '04

30 Mar '04

Hi, I'm wondering how selinux is going to interact with non-FC2 machines? My mail server and "home" server are both running RedHat 8.0 for now and this summer I'm planning on taking them to RHEL 3. My users login to 3 different systems (Mac OS X, Solaris and RedHat/Fedora linux) and get the same home directory. Am I going to have to disable selinux? ...thnx, ...dave

2 1

SELinux vs. sudo and usermode
by Matthew Miller 30 Mar '04

30 Mar '04

In many ways, the sudo and usermode programs are kludgy attempts to achieve what SE Linux does for real -- separate out root powers. Certain users can be delegated to run only certain programs with root privileges. Sudo also acts as the sysadmin's swiss army knife. Common practice here is to have all sysadmins use sudo for _anything_ that needs to be run as root. This has the advantage of documenting all actions (by agreement, not enforced, of course), and the convenience of not needing to actually know the root password. Likewise, the usermode program allows any user to provide the root password in order to run the various system-config-* programs. I have a patch (see <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=86188>) which allows members of a given group ("wheel", typically) to authenticate with their *own* credentials to gain access to these programs. (Other users are prompted for the root password.) There's an obvious security tradeoff, here: instead of needing to know two passwords, one only needs one's own. On the other hand, it removes the need to manage root passwords for desktop users or for large numbers of machines, and is an undeniable convenience. So, since I'm just diving into SE Linux -- how does this _work_ in the Brave New World? Is sudo obsolete? Is my usermode patch now pointless? Can this be accomplished another way? *Should* it be accomplished at all? Thanks! -- Matthew Miller mattdm(a)mattdm.org <http://www.mattdm.org/> Boston University Linux ------> <http://linux.bu.edu/>

1 0

Pb installing Policy
by Nic¤ 30 Mar '04

30 Mar '04

Hi all, Im getting trouble installing policy on my Fedora Core 1. I have upgraded the list of packages present on Daniel Walsh ftp server (ftp://people.redhat.com/dwalsh/SELinux/) using the selUpgrade script. When I try to load the policy here is what I get : root]# make -C /etc/security/selinux/src/policy relabel make: Entre dans le rÃ©pertoire `/etc/security/selinux/src/policy' /usr/sbin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'` /usr/sbin/setfiles: read 423 specifications /usr/sbin/setfiles: invalid context system_u:object_r:default_t on line number 39 /usr/sbin/setfiles: invalid context system_u:object_r:root_t on line number 44 /usr/sbin/setfiles: invalid context system_u:object_r:home_root_t on line number 53 /usr/sbin/setfiles: invalid context system_u:object_r:user_home_dir_t on line number 54 /usr/sbin/setfiles: invalid context system_u:object_r:user_home_t on line number 55 /usr/sbin/setfiles: invalid context system_u:object_r:mnt_t on line number 59 /usr/sbin/setfiles: invalid context system_u:object_r:var_t on line number 64 /usr/sbin/setfiles: invalid context system_u:object_r:catman_t on line number 65 /usr/sbin/setfiles: invalid context system_u:object_r:catman_t on line number 66 /usr/sbin/setfiles: invalid context system_u:object_r:var_yp_t on line number 67 Nico __________________________________________________________ Lèche-vitrine ou lèche-écran ? magasinage.yahoo.ca

2 3

How do I make sure programs have write access to their own tty?
by Aleksey Nogin 29 Mar '04

29 Mar '04

When I run (from staff_r) things via sudo, then sometimes it turns out that the programs I run end up not being able to communicate back to me as they are denied access to the tty they are running on (see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119209 for details). Is there some way within the SELinux framework to give programs write access to the tty they are running on w/o giving them write access to all the ttys of the same type? -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux March 2004