avc denied from logrotate
by Richard Hally
Here are the avc denied messages from doing a logrotate.
I get an error message when I try to do the logrotate in enforcing mode. I changed to permissive mode, did the logrotate and the resulting messages are attached:
Richard Hally
20 years, 1 month
up2date does not work under sudo.
by Aleksey Nogin
This seems to be new. With policy-sources-1.9-15 if I try running
up2date from sudo -r sysadm_r (from a staff user), it fails to actually
install the packages:
Name Version Rel Channel
----------------------------------------------------------------------
xorg-x11-xdm 0.0.6.6 0.0.2004_03_11.9rawhide
xorg-x11-xfs 0.0.6.6 0.0.2004_03_11.9rawhide
Testing package set / solving RPM inter-dependencies...
########################################
xorg-x11-xdm-0.0.6.6-0.0.20 ########################## Done.
xorg-x11-xfs-0.0.6.6-0.0.20 ########################## Done.
xorg-x11-0.0.6.6-0.0.2004_0 ########################## Done.
Preparing ########################################### [100%]
The following Packages were marked to be skipped by your configuration:
Name Version Rel Reason
-------------------------------------------------------------------------------
ocaml 3.07 0.fdr.5.1.90 Pkg name/pattern
The following packages were added to your selection to satisfy dependencies:
Name Version Release
--------------------------------------------------------------
xorg-x11 0.0.6.6 0.0.2004_03_11.9
dmesg shows:
audit(1080298058.273:0): avc: denied { transition } for pid=3821 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.306:0): avc: denied { transition } for pid=3822 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.333:0): avc: denied { transition } for pid=3823 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.431:0): avc: denied { transition } for pid=3824 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
20 years, 1 month
FW: How to start using selinux?
by Richard Hally
-----Original Message-----
From: fedora-selinux-list-bounces(a)redhat.com
[mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Gene
Czarcinski
Sent: Thursday, March 25, 2004 5:13 PM
To: fedora-selinux-list(a)redhat.com
Subject: Re: How to start using selinux?
On Thursday 25 March 2004 14:09, Richard Hally wrote:
> > Here are a couple of links to HOWTOs
> >
> >
https://sourceforge.net/docman/display_doc.php?docid=20372&group_id=21266
> >
> >
https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266
>Thanks. They are good but ..
>What I am looking for is something a bit more "cook bookish". Since the
>default (current snapshot of FC2 development) is to install with selinux set
>to enforcing, I am expecting the system to come up (it does not) and then
>some "cook book" instructions on setting things up so I can begin playing with
>things. Right now if I bootup with selinux set to enforcing, I cannot do
>anything .. even login.
The recommended way to start off is in permissive mode. Kernel ...253.2.1
does not start in enforcing mode automatically by default.
>I was hoping to see something with selinux running where I could then work
>(play) with the system to understand selinux configuration and usage.
One thing you can do is duplicate the lines in grub for a particular kernel
and add ENFORCING to the title and enforcing=1 to the end of the kernel
line. That way you can start off in either mode.
The way to see which mode you are in is "cat /selinux/enforce"; 0 is permissive. To
change to enforcing while running, "echo 1 > /selinux/enforce".
>Right now, booting up in single user mode is my most useful tool since that is
>the only way I have found to get out of enforcing mode.
<snip>
Richard Hally
20 years, 1 month
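Gene's suggestion of keeping two grub entries per kernel (one plain, one with "ENFORCING" in the title and enforcing=1 on the kernel line) is easy to get subtly wrong by hand, for instance by appending the parameter to the initrd line or by duplicating the entry a second time on the next edit. The following script is an added example and not code from this thread; the grub.conf sample is constructed, the kernel name in it is a placeholder, and the function names are my own. It duplicates every stanza whose title starts with a given prefix, tags the copy, appends enforcing=1 only to the kernel line, and is idempotent so re-running it does not create a third entry.

```python
# Duplicate grub.conf stanzas into an "ENFORCING" twin that boots with enforcing=1.
# Constructed sample; "vmlinuz-example" is a placeholder, not a real kernel name.
SAMPLE_GRUB = """\
default=0
timeout=5
title Fedora Core (example kernel)
\troot (hd0,0)
\tkernel /vmlinuz-example ro root=LABEL=/
\tinitrd /initrd-example.img
"""


def split_stanzas(lines):
    """Split grub.conf into the global header and a list of 'title' stanzas.

    Each stanza is a list of lines starting with its 'title' line.
    """
    header, stanzas, current = [], [], None
    for line in lines:
        if line.startswith("title "):
            current = [line]
            stanzas.append(current)
        elif current is None:
            header.append(line)
        else:
            current.append(line)
    return header, stanzas


def add_enforcing_entry(conf, title_prefix, tag=" ENFORCING", param=" enforcing=1"):
    """Return conf with an enforcing twin after every matching stanza.

    Only the 'kernel' line receives the boot parameter; root/initrd lines are
    copied unchanged. Stanzas that already carry the tag, or that already have
    a tagged twin, are left alone, so the function can be run repeatedly.
    """
    header, stanzas = split_stanzas(conf.splitlines())
    existing_titles = {s[0] for s in stanzas}
    ordered = []
    for stanza in stanzas:
        ordered.append(stanza)
        title = stanza[0]
        if not title.startswith("title " + title_prefix) or title.endswith(tag):
            continue
        if title + tag in existing_titles:
            continue  # twin already present from an earlier run
        twin = [title + tag]
        for line in stanza[1:]:
            # Match the kernel line regardless of tab/space indentation.
            if line.lstrip().startswith("kernel ") and param.strip() not in line.split():
                line = line + param
            twin.append(line)
        ordered.append(twin)
    out_lines = header + [line for stanza in ordered for line in stanza]
    return "\n".join(out_lines) + "\n"


if __name__ == "__main__":
    print(add_enforcing_entry(SAMPLE_GRUB, "Fedora Core"))
```

In practice you would read /boot/grub/grub.conf, write the result to a temporary file, diff it against the original, and only then move it into place; the sample above keeps everything in memory so it can be checked offline.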
[policy-1.9-11] ssh-agent takes all the CPU in enforcing mode.
by Aleksey Nogin
What I see in the logs is
audit(1080124752.283:0): avc: denied { write } for pid=2885 exe=/usr/bin/ssh-agent path=/home/aleksey/.xsession-errors dev=hda2 ino=310712 scontext=aleksey:staff_r:staff_ssh_agent_t tcontext=aleksey:object_r:staff_home_t tclass=file
and strace shows
getpid() = 2886
rt_sigaction(SIGPIPE, {0x1b9cc8, [], SA_RESTORER, 0x137478}, {SIG_IGN}, 8) = 0
socket(PF_UNIX, SOCK_DGRAM, 0) = 3
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
connect(3, {sa_family=AF_UNIX, path="/dev/log"}, 16) = 0
send(3, "<35>Mar 24 02:48:10 ssh-agent[2886]: error: accept from AUTH_SOCKET: Socket operation on non-socket", 99, 0) = 99
rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
close(3) = 0
select(2, [1], [], NULL, NULL) = 1 (in [1])
accept(1, 0xfeee0800, [110]) = -1 ENOTSOCK (Socket operation on non-socket)
time([1080125290]) = 1080125290
getpid() = 2886
going in circles.
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
20 years, 1 month
MRTG errors with SELinux on
by Jim Cornette
When I was running this computer yesterday with selinux=1, I got this
mail message every few minutes. I am running with selinux=0 now and this
message does not show.
Also, kmail reported that there was file corruption when launching
without having selinux active.
I was also set off with a message that I got with usermount when selinux
was active. It asked for me to contact my administrator for access to
any usually user visible mounts. It works normally with selinux off.
There was also a problem with system-config-display. Posted below the
mail for the perl or mrtg error is an excerpt from the userland programs
that I had errors with.
Use of uninitialized value in string at /usr/bin/mrtg line 72.
Empty compile time value given to use lib at /usr/bin/mrtg line 72
Use of uninitialized value in concatenation (.) or string at
/usr/bin/mrtg line 73.
Can't locate MRTG_lib.pm in @INC (@INC contains: /../lib/mrtg2
/usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2
/usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0
/usr/lib/perl5/vendor_perl .) at /usr/bin/mrtg line 78.
BEGIN failed--compilation aborted at /usr/bin/mrtg line 78.
excerpt from previous mail. <rant>
------------------------
The real distraction with SELinux is that everything seems to error out
with "you don't have permission to perform this task, contact your
administrator". The simple task was to mount drives.
Message in pop-up states:
There are no filesystems which you are allowed to mount or unmount.
Contact your administrator.
OK! This used to work fine without SELinux. This limitation or
additional setup step will cause a lot of grief for users.
Now for trying to configure the display. Between running the command
from either a regular user's terminal or launching from hat >> system
settings >> display, the trouble is more obvious that SELinux is getting
in the way. Running it from a root shell allows the program to work
correctly.
gnome-terminal as regular user shows below:
system-config-display
Could not set exec context to user_u:sysadm_r:sysadm_t.
</rant>
--------------------------
Jim
20 years, 1 month
receiving bug reports
by Karsten Wade
I'm wondering if this list is interested in receiving the bug reports
against the Fedora SELinux FAQ.
The Fedora SELinux FAQ is focused on answering Fedora specific SELinux
questions, and pointing people to other sources of information. This
will come out with FC2 test2. Additions and changes to the FAQ will be
handled through bugzilla.redhat.com, which is the pattern for the
Fedora docs project.
For fedora-selinux-list to receive the bug reports, we need to create a
bugzilla account, then we cc: the list on additions to the FAQ via
bugzilla. This would be a good way to keep everyone aware of new and
useful FAQ items. It also keeps us in the discussion about the
additions and changes.
This same method could be used for any SELinux bugs the list wishes to
track. For developers and writers, bugzilla is a handy tool for keeping
track of tasks and the discussion around them.
However, getting bugzilla traffic may increase the noise on the list for
some people[1]. So, I respectfully ask for the opinion and permission
of this list.
Thanks - Karsten
[1] FWIW, proper mail filtering would take care of this noise.
--
Karsten Wade, Sr. Tech Writer
this is not the .signature you are looking for
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
20 years, 1 month
[policy-1.9-5] VNC module in X AVC
by Aleksey Nogin
If I have
Load "vnc"
in my XF86Config, then by default the vnc module will listen on port
5900+display. In policy-1.9-5 this does not seem to be allowed:
audit(1079814805.625:0): avc: denied { name_bind } for pid=2025 exe=/usr/X11R6/bin/XFree86 src=5900 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:port_t tclass=tcp_socket
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
20 years, 1 month
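Three posts in this digest (up2date under sudo, ssh-agent in enforcing mode, and the VNC module in X) each paste raw "avc: denied" records from dmesg, wrapped across lines by the mailer, and the reader is left to eyeball which source type, target type, object class and permission each one is about. The parser below is an added example rather than code from any of the posters or from the Fedora tools; it reassembles the wrapped records, extracts the fields, and groups denials by (source type, target type, class, permissions) so a set of repeated denials such as the four rpm_script_t transitions collapses to one line with a count. The sample log is made of the records quoted in those three posts; the function names are my own.

```python
import re
from collections import Counter

# Records quoted in the up2date, ssh-agent and VNC posts above, kept with the
# line wrapping the mailer introduced so the rejoin logic is exercised.
SAMPLE_LOG = """\
audit(1080298058.273:0): avc: denied { transition } for pid=3821
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.306:0): avc: denied { transition } for pid=3822
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080124752.283:0): avc: denied { write } for pid=2885
exe=/usr/bin/ssh-agent path=/home/aleksey/.xsession-errors dev=hda2
ino=310712 scontext=aleksey:staff_r:staff_ssh_agent_t
tcontext=aleksey:object_r:staff_home_t tclass=file
audit(1079814805.625:0): avc: denied { name_bind } for pid=2025
exe=/usr/X11R6/bin/XFree86 src=5900
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

# Header of one record: timestamp:serial, verdict, and the permission set.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: (?P<verdict>denied|granted) "
    r"\{ (?P<perms>[^}]*) \} for (?P<rest>.*)"
)
# key=value pairs after "for"; values may be quoted (paths with spaces).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_records(text):
    """Yield one string per record, rejoining lines wrapped by dmesg or mail."""
    buf = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit(") and buf:
            yield " ".join(buf)
            buf = []
        buf.append(line)
    if buf:
        yield " ".join(buf)


def parse_avc(record):
    """Return a dict of the interesting fields, or None if not an AVC record."""
    m = AVC_RE.match(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "ts": float(m.group("ts")),
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        "path": fields.get("path"),
        "src": fields.get("src"),  # port number for name_bind denials
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def type_of(context):
    """user:role:type[:range] -> type."""
    parts = context.split(":") if context else []
    return parts[2] if len(parts) >= 3 else context


def summarize(text):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for record in join_records(text):
        d = parse_avc(record)
        if d is None or d["verdict"] != "denied":
            continue
        counts[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"], d["perms"])] += 1
    return counts


if __name__ == "__main__":
    for (stype, ttype, tclass, perms), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {stype} -> {ttype} ({tclass}) {' '.join(perms)}")
```

Feeding it `dmesg` output gives a quick triage view: a single tuple with a high count usually means one missing policy rule (or one mislabelled file), while many distinct tuples from the same source type point at a process running in the wrong domain, which is the kind of pattern that led to the sudo/up2date and usermount reports here.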
/1 and /2 ?
by Chuck Anderson
What the heck are the /1 and /2 files for?
[root@foo /]# ls -l /[12]
-rw-r--r-- 1 root root 161 Mar 21 22:28 /1
-rw-r--r-- 1 root root 0 Mar 21 22:28 /2
[root@foo /]# cat 1
make: Entering directory `/etc/security/selinux/src/policy'
make: Nothing to be done for `/dev/null'.
make: Leaving directory `/etc/security/selinux/src/policy'
Looks like temp files leftover from something in the install
process, since the timestamp is before that of install.log:
[root@foo root]# ls -l install.log
-rw-r--r-- 1 root root 62700 Mar 21 22:47 install.log
and this was a fresh format + everything install.
20 years, 1 month
relabel home directory?
by Chuck Anderson
I installed a fresh copy of FC 1.91 200403191323, formatting all
partitions except /home. My home directory is not properly labelled,
so I cannot log in. A new user created with "useradd" can log in.
How do I fix the contexts on my home directory?
[root@foo home]# ls --lcontext
total 32
drwx------ 18 root:object_r:file_t cra cra 4096 Mar 18 00:35 cra
drwx------ 2 (null) root root 16384 Feb 16 16:01 lost+found
drwx------ 16 root:object_r:user_home_dir_t test test 4096 Mar 22 01:18 test
[root@foo cra]# ls --lcontext
....
-rw-r--r-- 1 (null) cra cra 738 Feb 16 23:21 .complete
drwxr-x--- 2 (null) cra cra 4096 Mar 18 00:30 Desktop
-rw-r--r-- 1 (null) cra cra 2323 Feb 16 23:21 .dircolors
-rw-r--r-- 1 (null) cra cra 26 Mar 18 00:30 .dmrc
....
20 years, 1 month
where to get the packages for FC2-t1
by Rusinsky Stanislas Herman W. A.
Hello,
I've searched for the SELinux RPMs for FC2-t1 but couldn't find them.
Is there any link to a site with them? Any link to a HOWTO? I haven't
found information on the Fedora site's SELinux page either.
Are Dan Walsh's packages suitable for this version?
Thanks,
Stanislas.
--
"Many are the plans in a man's heart, but
is the Lord's purpose that prevails"
Prov. 19.21
20 years, 1 month