March 2004 - selinux - Fedora Mailing-Lists

I got a mess when both policy and policy sources got upgraded.

by Aleksey Nogin

Just filed https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118604 : 1) I installed policy-sources (which required installing the policy package as well). 2) I modified /etc/security/selinux/src/policy/users (to include myself with appropriate staff roles) and started using the locally augmented policy. 3) After a while, I ran "up2date -u" which picked up that both policy and policy-sources need to be updated. 4) up2date -u upgraded the policy package. !!! At this point, the default policy got installed and loaded, !!! overriding the local changes. All the processes that were running in !!! context aleksey:staff_r:staff_t became system_u:object_r:unlabeled_t 5) Later in the up2date -u, the policy-source package was upgraded, the new locally-augmented policy got rebuilt and loaded and things got back to normal. But the mis-labeled processes stayed mislabeled (which caused some files to become mislabeled too). P.S. At a minimum, the policy files in the policy package should be %config(noreplace). But the best solution would be to _only_ one package that would include all the source files and would always do the make-and-install-and-reload on upgrade. P.P.S Sticking with just one (source-based) policy package would also make it easier to implement the RFE in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118571 . -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

20 years, 1 month

1
0
0 / 0

dmesg errors

by Jim Cornette

Attached is the dmesg errors grepped to output avc errors. Also, I am having trouble with logging out of gnome. Instead of poweroff command, I get an unkmown user error dialog message. Poweroff does nothing. I have to run this from root to get it to poweroff. Sorry for the alias. Jim audit(1079481254.697:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86 name=console dev=hdb2 ino=752210 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:xdm_var_run_t tclass=dir audit(1079481256.567:0): avc: denied { read } for pid=3310 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:file_t tclass=file audit(1079481256.567:0): avc: denied { getattr } for pid=3310 exe=/bin/bash path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:file_t tclass=file audit(1079481260.180:0): avc: denied { search } for pid=3312 exe=/usr/bin/ssh-agent name=home dev=hdb2 ino=1030177 scontext=user_u:user_r:user_ssh_agent_t tcontext=system_u:object_r:home_root_t tclass=dir audit(1079481273.536:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86 name=.gnome2 dev=hdb2 ino=33285 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:user_home_t tclass=dir audit(1079481273.536:0): avc: denied { read } for pid=3307 exe=/usr/X11R6/bin/XFree86 name=fonts.dir dev=hdb2 ino=801265 scontext=user_u:user_r:user_xserver_t tcontext=user_u:object_r:user_home_t tclass=file audit(1079481273.536:0): avc: denied { getattr } for pid=3307 exe=/usr/X11R6/bin/XFree86 path=/home/jim/.gnome2/share/cursor-fonts/fonts.dir dev=hdb2 ino=801265 scontext=user_u:user_r:user_xserver_t tcontext=user_u:object_r:user_home_t tclass=file audit(1079481275.105:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1079481275.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam path=/tmp/.fam_socket scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket audit(1079481275.173:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability audit(1079481275.175:0): avc: denied { write } for pid=3335 exe=/usr/libexec/gnome-settings-daemon name=.famjOWPcN dev=hdb2 ino=278074 scontext=user_u:user_r:user_t tcontext=system_u:object_r:inetd_child_tmp_t tclass=sock_file audit(1079481275.175:0): avc: denied { connectto } for pid=3335 exe=/usr/libexec/gnome-settings-daemon path=/tmp/.famjOWPcN scontext=user_u:user_r:user_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket audit(1079481275.178:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam path=/tmp/.famjOWPcN scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket audit(1079481275.180:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mtab dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:file_t tclass=file audit(1079481275.180:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/etc/mtab dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:file_t tclass=file audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file audit(1079481275.181:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342 dev= ino=219021314 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=dir audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file audit(1079481275.181:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file audit(1079481275.276:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/usr/share/mime-info/gnome-vfs.keys dev=hdb2 ino=229748 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:home_root_t tclass=dir audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=.gnome dev=hdb2 ino=2224863 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir audit(1079481275.729:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.gnome/mime-info dev=hdb2 ino=1112366 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir audit(1079481275.730:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mime-info dev=hdb2 ino=1112366 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir audit(1079481275.766:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.gnome/mime-info/user.mime dev=hdb2 ino=1111959 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=file audit(1079481279.834:0): avc: denied { write } for pid=3366 exe=/usr/bin/magicdev name=fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t tcontext=system_u:object_r:removable_device_t tclass=blk_file audit(1079481279.835:0): avc: denied { ioctl } for pid=3366 exe=/usr/bin/magicdev path=/dev/fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t tcontext=system_u:object_r:removable_device_t tclass=blk_file audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file audit(1079481282.526:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file audit(1079481286.686:0): avc: denied { use } for pid=3416 exe=/sbin/pam_timestamp_check path=/dev/tty2 dev=hdb2 ino=71750 scontext=user_u:user_r:pam_t tcontext=system_u:system_r:local_login_t tclass=fd audit(1079481286.688:0): avc: denied { sys_tty_config } for pid=3416 exe=/sbin/pam_timestamp_check capability=26 scontext=user_u:user_r:pam_t tcontext=user_u:user_r:pam_t tclass=capability audit(1079481292.262:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir audit(1079481300.966:0): avc: denied { read } for pid=3425 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:file_t tclass=file audit(1079481305.741:0): avc: denied { setattr } for pid=3433 exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hdb2 ino=2175537 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file audit(1079481306.919:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability audit(1079481306.930:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir audit(1079481318.752:0): avc: denied { read } for pid=3439 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:file_t tclass=file audit(1079481318.753:0): avc: denied { getattr } for pid=3439 exe=/bin/bash path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:file_t tclass=file audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:home_root_t tclass=dir audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir audit(1079482042.883:0): avc: denied { search } for pid=3501 exe=/bin/su name=root dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir audit(1079482042.898:0): avc: denied { write } for pid=3501 exe=/bin/su name=root dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir audit(1079482042.898:0): avc: denied { add_name } for pid=3501 exe=/bin/su name=.xauthtZDJwx scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir audit(1079482042.898:0): avc: denied { create } for pid=3501 exe=/bin/su name=.xauthtZDJwx scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file audit(1079482042.923:0): avc: denied { setattr } for pid=3501 exe=/bin/su name=.xauthtZDJwx dev=hdb2 ino=360078 scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file audit(1079482500.573:0): avc: denied { read } for pid=3539 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:file_t tclass=file audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file audit(1079482629.580:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342 dev= ino=219021314 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=dir audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir audit(1079482650.058:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir audit(1079482650.109:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability audit(1079482650.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket audit(1079482650.115:0): avc: denied { write } for pid=3554 exe=/usr/bin/kdeinit name=.famrrGRJP dev=hdb2 ino=278715 scontext=user_u:user_r:user_t tcontext=system_u:object_r:inetd_child_tmp_t tclass=sock_file audit(1079482650.115:0): avc: denied { connectto } for pid=3554 exe=/usr/bin/kdeinit path=/tmp/.famrrGRJP scontext=user_u:user_r:user_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket audit(1079482650.116:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket audit(1079482650.287:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir audit(1079482650.288:0): avc: denied { search } for pid=3555 exe=/usr/bin/kdeinit name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir audit(1079482650.334:0): avc: denied { read } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file audit(1079482650.335:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-jim/ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file audit(1079482651.439:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file audit(1079482651.441:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir audit(1079482651.441:0): avc: denied { add_name } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir audit(1079482651.441:0): avc: denied { create } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file audit(1079482651.442:0): avc: denied { setattr } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file audit(1079482660.017:0): avc: denied { remove_name } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir audit(1079482660.017:0): avc: denied { rename } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file audit(1079482660.017:0): avc: denied { unlink } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file audit(1079482660.024:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit name=ksycocastamp dev=hdb2 ino=376977 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=file audit(1079482660.175:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=.kde dev=hdb2 ino=737042 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir audit(1079482660.176:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.kde/share/servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir audit(1079482660.177:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir audit(1079482660.179:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/usr/share/servicetypes/kcomprfilter.desktop dev=hdb2 ino=196659 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file audit(1079482660.787:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/usr/share/applications/redhat-web.desktop dev=hdb2 ino=1717246 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=lnk_file audit(1079482810.277:0): avc: denied { setattr } for pid=3567 exe=/usr/bin/gnome-volume-control name=registry.xml dev=hdb2 ino=2175537 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file

20 years, 1 month

4
6
0 / 0

Should system-config-users be made SELinux-aware?

by Aleksey Nogin

I have filed an RFE - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118571 asking for system-config-users to allow editing user roles. Do people think it's a good idea? -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

20 years, 1 month

1
0
0 / 0

The abc of SELinux

by Barry Yu

To understand the who idea of SELinx from the very beginning - The abc of it, where could I find the doc and infos?

20 years, 1 month

2
1
0 / 0

message on fedore-test-list

by Richard Hally

The messages below were on the fedora-test-list and I was wondering if someone on this list would be interested in them? ---------------------------------------------------------------------------- ------------------------------------------------------ I have tracked this down further and discovered that it is the SE Linux stuff that is messing up pump. I have found a newer version of pump now and I'm going to try it. However, I have to say that the way it fails is not intuitive to me. When pump (dhcp client) sends out the discover packet (with a SE Linux enabled kernel), the packet actually goes out, it just fails because the UDP checksum is bad. This is not what I would expect out of SE Linux. I would have thought that it would have returned some no-priviledge error to the program (pump) indicating that it failed. Instead to just send out a broken packet seems pretty weird. -Scott -----Original Message----- From: fedora-test-list-admin(a)redhat.com <mailto:fedora-test-list-admin@redhat.com> [mailto:fedora-test-list-admin@redhat.com] <mailto:[mailto:fedora-test-list-admin@redhat.com]> On Behalf Of Edwards, Scott (MED, Kelly IT Resouces) Sent: Monday, March 08, 2004 1:12 PM To: 'fedora-test-list(a)redhat.com' Subject: Pump on FC2T1? I have been trying to use pump (dhcp client) on FC2T1 and can't seem to get it to work. I have tried it on FC1 and FC1 with a 2.6 Kernel and it seems to work fine on them. When I'm running pump on FC2T1 I get several messages from the dhcpd server that "5 bad udp checksums in 5 packets". I am going to keep digging into it, but I wanted to ask if there is something that is a known problem that I'm unaware of? Any pointers would be welcome. Thanks * Scott -- fedora-test-list mailing list

20 years, 1 month

1
0
0 / 0

errors with labels after running for a while

by Bill Nottingham

This is after running for a while, occasionally flipping enforcing on and off. Might be interesting to look at. Bill /usr/sbin/setfiles -v -n file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'` /usr/sbin/setfiles: unable to stat file /dev/tty1 /usr/sbin/setfiles: unable to stat file /dev/tty2 /usr/sbin/setfiles: error while labeling files under / /usr/sbin/setfiles: read 1272 specifications /usr/sbin/setfiles: labeling files under / /usr/sbin/setfiles: relabeling /etc/modules.conf from system_u:object_r:etc_t to system_u:object_r:modules_conf_t /usr/sbin/setfiles: relabeling /etc/auto.master from root:object_r:etc_t to system_u:object_r:etc_t /usr/sbin/setfiles: relabeling /etc/ptal/ptal-printd-like from system_u:object_r:etc_runtime_t to system_u:object_r:etc_t /usr/sbin/setfiles: relabeling /etc/hotplug/usb.usermap from system_u:object_r:etc_t to system_u:object_r:hotplug_etc_t /usr/sbin/setfiles: relabeling /etc/mtab from root:object_r:etc_runtime_t to system_u:object_r:etc_runtime_t /usr/sbin/setfiles: relabeling /etc/.pwd.lock from system_u:object_r:shadow_t to system_u:object_r:etc_t /usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/file_contexts/misc from root:object_r:policy_src_t to system_u:object_r:policy_src_t /usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/policy.conf from root:object_r:policy_src_t to system_u:object_r:policy_src_t /usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/tmp/load from root:object_r:policy_src_t to system_u:object_r:policy_src_t /usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/tmp/program_used_flags.te from root:object_r:policy_src_t to system_u:object_r:policy_src_t /usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy.conf from root:object_r:policy_src_t to system_u:object_r:policy_src_t /usr/sbin/setfiles: relabeling /etc/security/selinux/file_contexts from root:object_r:policy_config_t to system_u:object_r:policy_config_t /usr/sbin/setfiles: relabeling /etc/rndc.key from system_u:object_r:etc_t to system_u:object_r:rndc_conf_t make: *** [checklabels] Error 1

20 years, 1 month

5
9
0 / 0

[policy-sources-1.8-10] tmpwatch ACLs.

by Aleksey Nogin

audit(1079205620.091:0): avc: denied { getattr } for pid=4269 exe=/usr/sbin/tmpwatch path=/tmp/foo dev=hda2 ino=212920 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file audit(1079205620.271:0): avc: denied { unlink } for pid=4269 exe=/usr/sbin/tmpwatch name=before.new dev=hda2 ino=1357435 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907

20 years, 1 month

2
4
0 / 0

Re: SELinux Documentation

by Faye Coker

On Sat, 13 Mar 2004 00:25, Doug Nicholson <djnichol(a)scc.net> wrote: > Is there documentation on SELinux other than the various papers, HOWTOs, > and FAQs? In particular, is anyone specifically working on the guidance > documents listed on the to do page at the NSA site? > > Doug Nicholson > djnichol(a)scc.net I have an introduction to policy writing HOWTO just about finished (I will put it up on Sourceforge when complete). I have also started work on documenting stuff listed on the NSA's to do page. After that, I hope to start work on a book. faye -- Faye Coker faye(a)lurking-grue.org

20 years, 1 month

1
0
0 / 0

dumb question

by Tim McGaha (Comcast)

I am running FC2 Test 1 and have SELinux installed and running. Services control panel won't open. I'm a newbie and it's probably something simple. Here is from the CLI [root@TimsFC2 root]# system-config-services (system-config-services:3329): libglade-WARNING **: could not find glade file 's erviceconf.glade' (system-config-services:3329): GLib-GObject-CRITICAL **: file gobject.c: line 12 22 (g_object_get): assertion `G_IS_OBJECT (object)' failed (system-config-services:3329): GLib-GObject-CRITICAL **: file gobject.c: line 12 22 (g_object_get): assertion `G_IS_OBJECT (object)' failed Segmentation fault

20 years, 1 month

3
3
0 / 0

Re: ntp.... was Re: Fresh rawhide install / AVC messages

by Tom Mitchell

On Thu, Mar 11, 2004 at 11:50:18AM -0500, Steven Bonneville wrote: > Tom Mitchell <mitch48(a)yahoo.com> wrote: > > > I might trust my dhcp server to give me an IP address but do I also > > want it to set the time of day. Then what else do I trust it to do? > > How do I manage the list of things that dhcp might update? > > > > For example if I have a well crafted /etc/ntp.conf file will that file > > be lost if I move to a different DHCP served net. > > I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you can > set the following options in /etc/sysconfig/network-scripts/ifcfg-* files: > > PEERDNS=no (/etc/resolv.conf) > PEERNTP=no (/etc/ntp.conf, /etc/ntp/step-tickers) > PEERNIS=no (/etc/yp.conf) > > If set to no, then those files won't get modified even if appropriate > DHCP options are sent. See /sbin/dhclient-script for details. I missed the PEER*=no flags when I first glanced at the script. This looks like the the correct place to manage the long list of DHCP-able config items. This permits a default "policy" configuration for the expected common situation of a responsible ISP or IT department. Individual DHCP decisions can be made and set without the complexity of editing policy. -- Cool -- My concern was the cyber cafe or hotel that a traveling businessman encounters. There have already been rumors of bad boys snooping bits and doing naughty things in the cyber cafes. DHCP smelled like a potential problem where time of day, DNS, SMTP and a list of other "important" administrative decisions could be silently co-opted. Since all these issues exist regardless of SELinux the common and correct place do address this is via /sbin/dhclient-scrip and the associated config tools. -- Excellent -- -- T o m M i t c h e l l /dev/null the ultimate in secure storage.

20 years, 1 month

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux March 2004