I got a mess when both policy and policy sources got upgraded.
by Aleksey Nogin
Just filed https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118604 :
1) I installed policy-sources (which required installing the policy
package as well).
2) I modified /etc/security/selinux/src/policy/users (to include myself
with appropriate staff roles) and started using the locally augmented
policy.
3) After a while, I ran "up2date -u" which picked up that both policy
and policy-sources need to be updated.
4) up2date -u upgraded the policy package.
!!! At this point, the default policy got installed and loaded,
!!! overriding the local changes. All the processes that were running in
!!! context aleksey:staff_r:staff_t became system_u:object_r:unlabeled_t
5) Later in the up2date -u, the policy-source package was upgraded, the
new locally-augmented policy got rebuilt and loaded and things got back
to normal. But the mis-labeled processes stayed mislabeled (which caused
some files to become mislabeled too).
P.S. At a minimum, the policy files in the policy package should be
%config(noreplace). But the best solution would be to have _only_ one package
that would include all the source files and would always do the
make-and-install-and-reload on upgrade.
P.P.S Sticking with just one (source-based) policy package would also
make it easier to implement the RFE in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118571 .
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
dmesg errors
by Jim Cornette
Attached is the dmesg errors grepped to output avc errors.
Also, I am having trouble with logging out of gnome. Instead of poweroff
command, I get an unknown user error dialog message. Poweroff does
nothing. I have to run this from root to get it to poweroff.
Sorry for the alias.
Jim
audit(1079481254.697:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86 name=console dev=hdb2 ino=752210 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:xdm_var_run_t tclass=dir
audit(1079481256.567:0): avc: denied { read } for pid=3310 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481256.567:0): avc: denied { getattr } for pid=3310 exe=/bin/bash path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481260.180:0): avc: denied { search } for pid=3312 exe=/usr/bin/ssh-agent name=home dev=hdb2 ino=1030177 scontext=user_u:user_r:user_ssh_agent_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481273.536:0): avc: denied { search } for pid=3307 exe=/usr/X11R6/bin/XFree86 name=.gnome2 dev=hdb2 ino=33285 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481273.536:0): avc: denied { read } for pid=3307 exe=/usr/X11R6/bin/XFree86 name=fonts.dir dev=hdb2 ino=801265 scontext=user_u:user_r:user_xserver_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1079481273.536:0): avc: denied { getattr } for pid=3307 exe=/usr/X11R6/bin/XFree86 path=/home/jim/.gnome2/share/cursor-fonts/fonts.dir dev=hdb2 ino=801265 scontext=user_u:user_r:user_xserver_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1079481275.105:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1079481275.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam path=/tmp/.fam_socket scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.173:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079481275.175:0): avc: denied { write } for pid=3335 exe=/usr/libexec/gnome-settings-daemon name=.famjOWPcN dev=hdb2 ino=278074 scontext=user_u:user_r:user_t tcontext=system_u:object_r:inetd_child_tmp_t tclass=sock_file
audit(1079481275.175:0): avc: denied { connectto } for pid=3335 exe=/usr/libexec/gnome-settings-daemon path=/tmp/.famjOWPcN scontext=user_u:user_r:user_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.178:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam path=/tmp/.famjOWPcN scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079481275.180:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mtab dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481275.180:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/etc/mtab dev=hdb2 ino=294773 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079481275.181:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342 dev= ino=219021314 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=dir
audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481275.181:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481275.276:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/usr/share/mime-info/gnome-vfs.keys dev=hdb2 ino=229748 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481275.727:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=.gnome dev=hdb2 ino=2224863 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.729:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.gnome/mime-info dev=hdb2 ino=1112366 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.730:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mime-info dev=hdb2 ino=1112366 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079481275.766:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.gnome/mime-info/user.mime dev=hdb2 ino=1111959 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=file
audit(1079481279.834:0): avc: denied { write } for pid=3366 exe=/usr/bin/magicdev name=fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
audit(1079481279.835:0): avc: denied { ioctl } for pid=3366 exe=/usr/bin/magicdev path=/dev/fd0 dev=hdb2 ino=65586 scontext=user_u:user_r:user_t tcontext=system_u:object_r:removable_device_t tclass=blk_file
audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079481282.526:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481282.526:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079481286.686:0): avc: denied { use } for pid=3416 exe=/sbin/pam_timestamp_check path=/dev/tty2 dev=hdb2 ino=71750 scontext=user_u:user_r:pam_t tcontext=system_u:system_r:local_login_t tclass=fd
audit(1079481286.688:0): avc: denied { sys_tty_config } for pid=3416 exe=/sbin/pam_timestamp_check capability=26 scontext=user_u:user_r:pam_t tcontext=user_u:user_r:pam_t tclass=capability
audit(1079481292.262:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481300.966:0): avc: denied { read } for pid=3425 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481305.741:0): avc: denied { setattr } for pid=3433 exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hdb2 ino=2175537 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file
audit(1079481306.919:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079481306.930:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079481318.752:0): avc: denied { read } for pid=3439 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481318.753:0): avc: denied { getattr } for pid=3439 exe=/bin/bash path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=home dev=hdb2 ino=1030177 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1079481321.152:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079482042.883:0): avc: denied { search } for pid=3501 exe=/bin/su name=root dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { write } for pid=3501 exe=/bin/su name=root dev=hdb2 ino=359745 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { add_name } for pid=3501 exe=/bin/su name=.xauthtZDJwx scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
audit(1079482042.898:0): avc: denied { create } for pid=3501 exe=/bin/su name=.xauthtZDJwx scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
audit(1079482042.923:0): avc: denied { setattr } for pid=3501 exe=/bin/su name=.xauthtZDJwx dev=hdb2 ino=360078 scontext=user_u:user_r:user_su_t tcontext=user_u:object_r:staff_home_dir_t tclass=file
audit(1079482500.573:0): avc: denied { read } for pid=3539 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:file_t tclass=file
audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079482629.580:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=3342 dev= ino=219021314 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=dir
audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/proc/3342/mounts dev= ino=219021328 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=file
audit(1079482629.581:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim dev=hdb2 ino=1848978 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
audit(1079482650.058:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1079482650.109:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079482650.109:0): avc: denied { listen } for pid=3342 exe=/usr/bin/fam path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.115:0): avc: denied { write } for pid=3554 exe=/usr/bin/kdeinit name=.famrrGRJP dev=hdb2 ino=278715 scontext=user_u:user_r:user_t tcontext=system_u:object_r:inetd_child_tmp_t tclass=sock_file
audit(1079482650.115:0): avc: denied { connectto } for pid=3554 exe=/usr/bin/kdeinit path=/tmp/.famrrGRJP scontext=user_u:user_r:user_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.116:0): avc: denied { accept } for pid=3342 exe=/usr/bin/fam path=/tmp/.famrrGRJP scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=unix_stream_socket
audit(1079482650.287:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482650.288:0): avc: denied { search } for pid=3555 exe=/usr/bin/kdeinit name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482650.334:0): avc: denied { read } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482650.335:0): avc: denied { getattr } for pid=3555 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-jim/ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.439:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.441:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit name=kdecache-jim dev=hdb2 ino=376975 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482651.441:0): avc: denied { add_name } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482651.441:0): avc: denied { create } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482651.442:0): avc: denied { setattr } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.017:0): avc: denied { remove_name } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=dir
audit(1079482660.017:0): avc: denied { rename } for pid=3555 exe=/usr/bin/kdeinit name=ksycocaO5zZ9b.new dev=hdb2 ino=376480 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.017:0): avc: denied { unlink } for pid=3555 exe=/usr/bin/kdeinit name=ksycoca dev=hdb2 ino=376415 scontext=user_u:user_r:user_t tcontext=user_u:object_r:file_t tclass=file
audit(1079482660.024:0): avc: denied { write } for pid=3555 exe=/usr/bin/kdeinit name=ksycocastamp dev=hdb2 ino=376977 scontext=user_u:user_r:user_t tcontext=system_u:object_r:file_t tclass=file
audit(1079482660.175:0): avc: denied { search } for pid=3342 exe=/usr/bin/fam name=.kde dev=hdb2 ino=737042 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.176:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/home/jim/.kde/share/servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.177:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=servicetypes dev=hdb2 ino=801647 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:user_home_t tclass=dir
audit(1079482660.179:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/usr/share/servicetypes/kcomprfilter.desktop dev=hdb2 ino=196659 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=file
audit(1079482660.787:0): avc: denied { getattr } for pid=3342 exe=/usr/bin/fam path=/usr/share/applications/redhat-web.desktop dev=hdb2 ino=1717246 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:usr_t tclass=lnk_file
audit(1079482810.277:0): avc: denied { setattr } for pid=3567 exe=/usr/bin/gnome-volume-control name=registry.xml dev=hdb2 ino=2175537 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file
The abc of SELinux
by Barry Yu
To understand the whole idea of SELinux from the very beginning - the abc of it, where could I find the docs and info?
message on fedora-test-list
by Richard Hally
The messages below were on the fedora-test-list and I was wondering if
someone on this list would be interested in them?
----------------------------------------------------------------------------
------------------------------------------------------
I have tracked this down further and discovered that it is the SE Linux
stuff that is messing up pump. I have found a newer version of pump now and
I'm going to try it.
However, I have to say that the way it fails is not intuitive to me. When
pump (dhcp client) sends out the discover packet (with a SE Linux enabled
kernel), the packet actually goes out, it just fails because the UDP
checksum is bad. This is not what I would expect out of SE Linux. I would
have thought that it would have returned some no-privilege error to the
program (pump) indicating that it failed. Instead to just send out a broken
packet seems pretty weird.
-Scott
-----Original Message-----
From: fedora-test-list-admin(a)redhat.com On Behalf Of Edwards,
Scott (MED, Kelly IT Resources)
Sent: Monday, March 08, 2004 1:12 PM
To: 'fedora-test-list(a)redhat.com'
Subject: Pump on FC2T1?
I have been trying to use pump (dhcp client) on FC2T1 and can't seem to get
it to work. I have tried it on FC1 and FC1 with a 2.6 Kernel and it seems
to work fine on them. When I'm running pump on FC2T1 I get several messages
from the dhcpd server that "5 bad udp checksums in 5 packets". I am going
to keep digging into it, but I wanted to ask if there is something that is a
known problem that I'm unaware of? Any pointers would be welcome.
Thanks
* Scott
--
fedora-test-list mailing list
errors with labels after running for a while
by Bill Nottingham
This is after running for a while, occasionally flipping
enforcing on and off. Might be interesting to look at.
Bill
/usr/sbin/setfiles -v -n file_contexts/file_contexts `mount | awk '/(ext[23]| xfs).*rw/{print $3}'`
/usr/sbin/setfiles: unable to stat file /dev/tty1
/usr/sbin/setfiles: unable to stat file /dev/tty2
/usr/sbin/setfiles: error while labeling files under /
/usr/sbin/setfiles: read 1272 specifications
/usr/sbin/setfiles: labeling files under /
/usr/sbin/setfiles: relabeling /etc/modules.conf from system_u:object_r:etc_t to system_u:object_r:modules_conf_t
/usr/sbin/setfiles: relabeling /etc/auto.master from root:object_r:etc_t to system_u:object_r:etc_t
/usr/sbin/setfiles: relabeling /etc/ptal/ptal-printd-like from system_u:object_r:etc_runtime_t to system_u:object_r:etc_t
/usr/sbin/setfiles: relabeling /etc/hotplug/usb.usermap from system_u:object_r:etc_t to system_u:object_r:hotplug_etc_t
/usr/sbin/setfiles: relabeling /etc/mtab from root:object_r:etc_runtime_t to system_u:object_r:etc_runtime_t
/usr/sbin/setfiles: relabeling /etc/.pwd.lock from system_u:object_r:shadow_t to system_u:object_r:etc_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/file_contexts/misc from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/policy.conf from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/tmp/load from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy/tmp/program_used_flags.te from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/src/policy.conf from root:object_r:policy_src_t to system_u:object_r:policy_src_t
/usr/sbin/setfiles: relabeling /etc/security/selinux/file_contexts from root:object_r:policy_config_t to system_u:object_r:policy_config_t
/usr/sbin/setfiles: relabeling /etc/rndc.key from system_u:object_r:etc_t to system_u:object_r:rndc_conf_t
make: *** [checklabels] Error 1
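The setfiles run above mixes two kinds of drift that deserve different attention: entries where only the user field moved (root: versus system_u:) leave the type, and therefore the type-enforcement decisions, untouched, while entries where the type itself changed (for example /etc/.pwd.lock going from shadow_t to etc_t, or /etc/rndc.key from etc_t to rndc_conf_t) alter what may access the file and are worth checking against the file_contexts entries. The following script, added here as an illustration and not part of Bill's post or the policy package, parses "setfiles -v -n" output and separates the two; the regexes and function names are this example's own, and the sample lines are taken from the output above.

```python
import re

# Matches the verbose relabel lines printed by "setfiles -v -n" as shown in the post:
#   /usr/sbin/setfiles: relabeling PATH from USER:ROLE:TYPE to USER:ROLE:TYPE
RELABEL_RE = re.compile(
    r"setfiles: relabeling (?P<path>\S+) from (?P<old>\S+) to (?P<new>\S+)\s*$"
)
# Paths setfiles could not stat (often transient device nodes such as /dev/ttyN)
STAT_ERR_RE = re.compile(r"setfiles: unable to stat file (?P<path>\S+)")


def split_context(ctx):
    """Split a user:role:type context string into its three fields."""
    user, role, type_ = ctx.split(":", 2)
    return user, role, type_


def classify_relabels(lines):
    """Sort setfiles output into the buckets a policy maintainer needs to review.

    Returns a dict with three lists:
      identity_only - only the user (or role) differs; the type, which drives
                      type-enforcement decisions, is unchanged
      type_changes  - the type differs, so the file's access rules changed
      stat_errors   - paths setfiles could not stat
    Each relabel entry is (path, old_context, new_context).
    """
    out = {"identity_only": [], "type_changes": [], "stat_errors": []}
    for line in lines:
        m = STAT_ERR_RE.search(line)
        if m:
            out["stat_errors"].append(m.group("path"))
            continue
        m = RELABEL_RE.search(line)
        if not m:
            continue  # "read N specifications", "labeling files under /", make noise, etc.
        entry = (m.group("path"), m.group("old"), m.group("new"))
        if split_context(m.group("old"))[2] == split_context(m.group("new"))[2]:
            out["identity_only"].append(entry)
        else:
            out["type_changes"].append(entry)
    return out


# Sample input: lines taken from the setfiles output in the post above.
SAMPLE = """\
/usr/sbin/setfiles: unable to stat file /dev/tty1
/usr/sbin/setfiles: read 1272 specifications
/usr/sbin/setfiles: relabeling /etc/auto.master from root:object_r:etc_t to system_u:object_r:etc_t
/usr/sbin/setfiles: relabeling /etc/.pwd.lock from system_u:object_r:shadow_t to system_u:object_r:etc_t
/usr/sbin/setfiles: relabeling /etc/mtab from root:object_r:etc_runtime_t to system_u:object_r:etc_runtime_t
/usr/sbin/setfiles: relabeling /etc/rndc.key from system_u:object_r:etc_t to system_u:object_r:rndc_conf_t
""".splitlines()

if __name__ == "__main__":
    result = classify_relabels(SAMPLE)
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)}")
        for e in entries:
            print("   ", e)
```

Feeding it the real output (`make -n checklabels` piped into the script, or the saved log) gives a short list of type changes to read before deciding whether to relabel or to fix a file_contexts entry, instead of scanning every line by eye.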
[policy-sources-1.8-10] tmpwatch ACLs.
by Aleksey Nogin
audit(1079205620.091:0): avc: denied { getattr } for pid=4269 exe=/usr/sbin/tmpwatch path=/tmp/foo dev=hda2 ino=212920 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file
audit(1079205620.271:0): avc: denied { unlink } for pid=4269 exe=/usr/sbin/tmpwatch name=before.new dev=hda2 ino=1357435 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
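Both Jim's dmesg dump and the tmpwatch denials above are raw kernel AVC messages, and the useful first step with a dump like that is to collapse the repeats (fam polling /proc/3342/mounts every few seconds, for instance) into one line per source type, target type and object class. The script below, added here as an example and not code from either post or from the policy tools, parses the 2004-era "audit(...): avc: denied { perm } for key=value ..." format and prints an audit2allow-style summary; the regexes and function names are this example's own, and the sample lines are taken from the two posts. It is a review aid, not something to load blindly: several of the denials above (mtab labeled file_t, cache files under /var/tmp labeled file_t) point at mislabeled objects that a relabel fixes, not at a missing allow rule.

```python
import re
from collections import defaultdict

# Regex for the kernel AVC message format seen in the dmesg dump above
# (the pre-audit-daemon form from early 2004):
#   audit(<secs>.<msec>:<serial>): avc: denied { perm [perm ...] } for pid=N exe=... key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; the value may be empty ("dev= ino=4120" for procfs entries)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC message."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(KV_RE.findall(m.group("fields")))
    return rec


def context_type(ctx):
    """Return the type component of a user:role:type security context."""
    return ctx.split(":")[2]


def summarize(lines):
    """Group denials by (source type, target type, object class).

    Returns {(stype, ttype, tclass): {"perms": set, "count": int, "exes": set}}.
    Repeated denials (e.g. fam re-reading /proc/<pid>/mounts) collapse into one entry.
    """
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "exes": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        if "exe" in rec:
            g["exes"].add(rec["exe"])
    return dict(groups)


def candidate_rules(groups):
    """Render each group as an audit2allow-style rule string for human review."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        exes = ", ".join(sorted(g["exes"]))
        rules.append(
            f"allow {stype} {ttype}:{tclass} {{ {perms} }};"
            f"  # {g['count']} denial(s), exe: {exes}"
        )
    return rules


# Sample input: lines taken from Jim's dmesg dump and Aleksey's tmpwatch report above.
SAMPLE = """\
audit(1079481256.567:0): avc: denied { read } for pid=3310 exe=/bin/bash name=mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481256.567:0): avc: denied { getattr } for pid=3310 exe=/bin/bash path=/etc/mtab dev=hdb2 ino=294773 scontext=user_u:user_r:user_xserver_t tcontext=system_u:object_r:file_t tclass=file
audit(1079481275.181:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079482629.580:0): avc: denied { read } for pid=3342 exe=/usr/bin/fam name=mounts dev= ino=4105 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:proc_t tclass=lnk_file
audit(1079481275.173:0): avc: denied { chown } for pid=3342 exe=/usr/bin/fam capability=0 scontext=system_u:system_r:inetd_child_t tcontext=system_u:system_r:inetd_child_t tclass=capability
audit(1079205620.091:0): avc: denied { getattr } for pid=4269 exe=/usr/sbin/tmpwatch path=/tmp/foo dev=hda2 ino=212920 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file
audit(1079205620.271:0): avc: denied { unlink } for pid=4269 exe=/usr/sbin/tmpwatch name=before.new dev=hda2 ino=1357435 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=file
""".splitlines()

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE)):
        print(rule)
```

Reading the summary rather than the raw lines makes the mislabel cases stand out: a target type of file_t on /etc/mtab or /tmp/foo means the object carries no real label, and the right fix is a relabel (Bill's setfiles output in this same digest shows /etc/mtab moving to etc_runtime_t), whereas a denial with a properly typed target is the policy question to take to the list.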
Re: SELinux Documentation
by Faye Coker
On Sat, 13 Mar 2004 00:25, Doug Nicholson <djnichol(a)scc.net> wrote:
> Is there documentation on SELinux other than the various papers, HOWTOs,
> and FAQs? In particular, is anyone specifically working on the guidance
> documents listed on the to do page at the NSA site?
>
> Doug Nicholson
> djnichol(a)scc.net
I have an introduction to policy writing HOWTO just about finished (I will put
it up on Sourceforge when complete).
I have also started work on documenting stuff listed on the NSA's to do page.
After that, I hope to start work on a book.
faye
--
Faye Coker
faye(a)lurking-grue.org
dumb question
by Tim McGaha (Comcast)
I am running FC2 Test 1 and have SELinux installed and running.
Services control panel won't open. I'm a newbie and it's probably
something simple. Here is from the CLI
[root@TimsFC2 root]# system-config-services
(system-config-services:3329): libglade-WARNING **: could not find glade file 'serviceconf.glade'
(system-config-services:3329): GLib-GObject-CRITICAL **: file gobject.c: line 1222 (g_object_get): assertion `G_IS_OBJECT (object)' failed
(system-config-services:3329): GLib-GObject-CRITICAL **: file gobject.c: line 1222 (g_object_get): assertion `G_IS_OBJECT (object)' failed
Segmentation fault
Re: ntp.... was Re: Fresh rawhide install / AVC messages
by Tom Mitchell
On Thu, Mar 11, 2004 at 11:50:18AM -0500, Steven Bonneville wrote:
> Tom Mitchell <mitch48(a)yahoo.com> wrote:
>
> > I might trust my dhcp server to give me an IP address but do I also
> > want it to set the time of day. Then what else do I trust it to do?
> > How do I manage the list of things that dhcp might update?
> >
> > For example if I have a well crafted /etc/ntp.conf file will that file
> > be lost if I move to a different DHCP served net.
>
> I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you can
> set the following options in /etc/sysconfig/network-scripts/ifcfg-* files:
>
> PEERDNS=no (/etc/resolv.conf)
> PEERNTP=no (/etc/ntp.conf, /etc/ntp/step-tickers)
> PEERNIS=no (/etc/yp.conf)
>
> If set to no, then those files won't get modified even if appropriate
> DHCP options are sent. See /sbin/dhclient-script for details.
I missed the PEER*=no flags when I first glanced at the script.
This looks like the correct place to manage the long list of
DHCP-able config items.
This permits a default "policy" configuration for the expected common
situation of a responsible ISP or IT department. Individual DHCP
decisions can be made and set without the complexity of editing
policy. -- Cool --
My concern was the cyber cafe or hotel that a traveling businessman
encounters. There have already been rumors of bad boys snooping bits
and doing naughty things in the cyber cafes. DHCP smelled like a
potential problem where time of day, DNS, SMTP and a list of other
"important" administrative decisions could be silently co-opted.
Since all these issues exist regardless of SELinux, the common and correct
place to address this is via /sbin/dhclient-script and the associated
config tools. -- Excellent --
--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
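The PEERDNS/PEERNTP/PEERNIS flags quoted in this thread are the knob that decides which local files an untrusted DHCP server (the cyber cafe case above) may rewrite, and the failure mode is an ifcfg file that simply omits them. The following script, added here as an example and not part of the thread or of the Red Hat network scripts, parses an ifcfg-* file and lists the files a DHCP server could still overwrite. It assumes, per Steven's reply, that PEERDNS guards /etc/resolv.conf, PEERNTP guards /etc/ntp.conf and /etc/ntp/step-tickers, and PEERNIS guards /etc/yp.conf; it further assumes that an absent flag means the server's options are honoured, and it compares against the exact string "no" (the form a shell test like `[ "$PEERDNS" != "no" ]` in dhclient-script would use), so a capitalised "No" is reported as unprotected, which is the safe direction for an audit. The ifcfg texts are constructed for the example.

```python
import re
import shlex

# Which DHCP-supplied settings each PEER* flag controls, per Steven Bonneville's
# reply quoted in the thread (RHEL 3 era /sbin/dhclient-script).
PEER_FLAGS = {
    "PEERDNS": ["/etc/resolv.conf"],
    "PEERNTP": ["/etc/ntp.conf", "/etc/ntp/step-tickers"],
    "PEERNIS": ["/etc/yp.conf"],
}

# BOOTPROTO values that mean "addresses come from a DHCP/BOOTP server" (assumption
# based on the ifup scripts of that era, which treat both the same way).
DYNAMIC_BOOTPROTOS = ("dhcp", "bootp")

SHELL_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_ifcfg(text):
    """Parse the KEY=value lines of an ifcfg-* file into a dict.

    The file is sourced by shell scripts, so quoting ('DEVICE="eth0"') and
    trailing '# comments' are handled the way the shell would see them.
    Keys are kept case-sensitive, because shell variable names are.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if not SHELL_NAME_RE.fullmatch(key):
            continue  # not a plain assignment; ignore
        parts = shlex.split(value, comments=True)
        settings[key] = parts[0] if parts else ""
    return settings


def dhcp_overridable_files(settings):
    """Return the local files a DHCP server could rewrite for this interface.

    Static interfaces are not exposed. For dynamic ones, a PEER* flag protects
    its files only when set to exactly "no"; anything else (absent, "yes", "No")
    is treated as honouring the server's options.
    """
    if settings.get("BOOTPROTO", "").lower() not in DYNAMIC_BOOTPROTOS:
        return []
    exposed = []
    for flag, files in PEER_FLAGS.items():
        if settings.get(flag) != "no":
            exposed.extend(files)
    return exposed


def audit_ifcfg(text):
    """Convenience wrapper: parse one ifcfg file's text and audit it."""
    return dhcp_overridable_files(parse_ifcfg(text))


# Constructed sample files: a typical laptop config that omits the flags, and
# the hardened version of the same interface.
WEAK = """\
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
"""

HARDENED = """\
DEVICE="eth0"
BOOTPROTO=dhcp
ONBOOT=yes
PEERDNS=no   # keep our own resolv.conf
PEERNTP=no   # keep our well-crafted ntp.conf
PEERNIS=no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: DHCP may rewrite {audit_ifcfg(text) or 'nothing'}")
```

Run over every /etc/sysconfig/network-scripts/ifcfg-* file on a machine that moves between networks, this gives the "PEERDNS=no" checklist the thread arrives at, and flags the interfaces where a hotel or cafe DHCP server still gets to choose your resolvers and time sources.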