Fedora Project Mailing Lists reminder
by Elliot Lee
This is a reminder of the mailing lists for the Fedora Project, and
the purpose of each list. You can view this information at
http://fedora.redhat.com/participate/communicate/
When you're using these mailing lists, please take the time to choose
the one that is most appropriate to your post. If you don't know the
right mailing list to use for a question or discussion, please contact
me. This will help you get the best possible answer for your question,
and keep other list subscribers happy!
Mailing Lists
Mailing lists are email addresses which send email to all users
subscribed to the mailing list. Sending an email to a mailing list
reaches all users interested in discussing a specific topic and users
available to help other users with the topic.
The following mailing lists are available. To subscribe, send email to <listname>-request(a)redhat.com
(replace <listname> with the desired mailing list name such as
fedora-list) with the word subscribe in the subject.
fedora-announce-list - Announcements of changes and events
fedora-list - For users of releases
fedora-test-list - For testers of test releases
fedora-devel-list - For developers, developers, developers
fedora-docs-list - For participants of the docs project
fedora-desktop-list - For discussions about desktop issues such as user
interfaces, artwork, and usability
fedora-config-list - For discussions about the development of
configuration tools
fedora-legacy-list - For discussions about the Fedora Legacy Project
fedora-selinux-list - For discussions about the Fedora SELinux Project
fedora-de-list - For discussions about Fedora in the German language
fedora-ja-list - For discussions about Fedora in the Japanese language
fedora-i18n-list - For discussions about the internationalization of
Fedora Core
fedora-trans-list - For discussions about translating the software and
documentation associated with the Fedora Project
German: fedora-trans-de
French: fedora-trans-fr
Spanish: fedora-trans-es
Italian: fedora-trans-it
Brazilian Portuguese: fedora-trans-pt_br
Japanese: fedora-trans-ja
Korean: fedora-trans-ko
Simplified Chinese: fedora-trans-zh_cn
Traditional Chinese: fedora-trans-zh_tw
19 years, 5 months
Re: x.org DRI/Hardware accel (a SELinux problem)
by Dax Kelson
On Tue, 2004-04-20 at 15:50, Mike A. Harris wrote:
> On Tue, 20 Apr 2004, Dax Kelson wrote:
>
> >Should I bugzilla this, or is it a known issue?
> >
> >I did an install from Rawhide yesterday (also noted with test2), and on
> >my laptop with a Radeon Mobility M7 LW [Radeon Mobility 7500]. I have
> >no direct rendering.
> >
> >$ glxinfo | grep rendering:
> >direct rendering: No
> >
> >It did work with RHL8, RHL9, and FC1.
FYI, I have an 80GB hard disk in my laptop and I did two concurrent
Everything installs of FC2T3. One in SELinux enforcing mode and the
other with SELinux disabled (the default).
Without SELinux = Direct Rendering works
With Enforcing SELinux = Direct Rendering doesn't work
Curiously, I didn't see any avc messages that seem to be related.
Dax Kelson
Guru Labs
19 years, 5 months
Weird avc messages from udev
by Aleksey Nogin
I am getting a lot of messages of the form:
audit(1083104429.259:0): avc: denied { sendto } for pid=23780
exe=/sbin/udevsend path=@udevd scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:kernel_t tclass=unix_dgram_socket
audit(1083104431.054:0): avc: denied { sendto } for pid=23803
exe=/sbin/udevsend path=@udevd scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:kernel_t tclass=unix_dgram_socket
audit(1083104431.406:0): avc: denied { sendto } for pid=23815
exe=/sbin/udevsend path=@udevd scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:kernel_t tclass=unix_dgram_socket
audit(1083104432.080:0): avc: denied { sendto } for pid=23821
exe=/sbin/udevsend path=@udevd scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:kernel_t tclass=unix_dgram_socket
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
19 years, 5 months
Numerous problems with postfix's newaliases.
by Aleksey Nogin
When MTA is set to postfix, if I try to use newaliases in enforcing
mode, I get:
audit(1083135148.926:0): security_compute_sid: invalid context
root:system_r:sysadm_mail_t for scontext=root:sysadm_r:sysadm_mail_t
tcontext=system_u:object_r:postfix_master_exec_t tclass=process
and execution fails.
In permissive mode, I see:
audit(1083135243.731:0): security_compute_sid: invalid context
root:system_r:sysadm_mail_t for scontext=root:sysadm_r:sysadm_mail_t
tcontext=system_u:object_r:postfix_master_exec_t tclass=process
audit(1083135243.732:0): avc: denied { transition } for pid=29608
exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postalias dev=hda2
ino=392740 scontext=root:sysadm_r:sysadm_mail_t
tcontext=root:system_r:sysadm_mail_t tclass=process
audit(1083135243.732:0): avc: denied { entrypoint } for pid=29608
exe=/usr/sbin/sendmail.postfix path=/usr/sbin/postalias dev=hda2
ino=392740 scontext=root:system_r:sysadm_mail_t
tcontext=system_u:object_r:postfix_master_exec_t tclass=file
audit(1083135243.733:0): avc: denied { use } for pid=29608
exe=/usr/sbin/postalias path=/proc/net/if_inet6 dev= ino=-268434827
scontext=root:system_r:sysadm_mail_t
tcontext=root:sysadm_r:sysadm_mail_t tclass=fd
audit(1083135243.733:0): avc: denied { siginh } for pid=29608
exe=/usr/sbin/postalias scontext=root:sysadm_r:sysadm_mail_t
tcontext=root:system_r:sysadm_mail_t tclass=process
audit(1083135243.733:0): avc: denied { rlimitinh } for pid=29608
exe=/usr/sbin/postalias scontext=root:sysadm_r:sysadm_mail_t
tcontext=root:system_r:sysadm_mail_t tclass=process
audit(1083135243.733:0): avc: denied { noatsecure } for pid=29608
exe=/usr/sbin/postalias scontext=root:sysadm_r:sysadm_mail_t
tcontext=root:system_r:sysadm_mail_t tclass=process
audit(1083135243.757:0): avc: denied { write } for pid=29608
exe=/usr/sbin/postalias name=postfix dev=hda2 ino=4055697
scontext=root:system_r:sysadm_mail_t
tcontext=system_u:object_r:postfix_etc_t tclass=dir
audit(1083135243.757:0): avc: denied { add_name } for pid=29608
exe=/usr/sbin/postalias name=__db.aliases.db
scontext=root:system_r:sysadm_mail_t
tcontext=system_u:object_r:postfix_etc_t tclass=dir
audit(1083135243.757:0): avc: denied { create } for pid=29608
exe=/usr/sbin/postalias name=__db.aliases.db
scontext=root:system_r:sysadm_mail_t
tcontext=root:object_r:postfix_etc_t tclass=file
audit(1083135243.758:0): avc: denied { write } for pid=29608
exe=/usr/sbin/postalias path=/etc/postfix/__db.aliases.db dev=hda2
ino=4055330 scontext=root:system_r:sysadm_mail_t
tcontext=root:object_r:postfix_etc_t tclass=file
audit(1083135243.764:0): avc: denied { remove_name } for pid=29608
exe=/usr/sbin/postalias name=__db.aliases.db dev=hda2 ino=4055330
scontext=root:system_r:sysadm_mail_t
tcontext=system_u:object_r:postfix_etc_t tclass=dir
audit(1083135243.764:0): avc: denied { rename } for pid=29608
exe=/usr/sbin/postalias name=__db.aliases.db dev=hda2 ino=4055330
scontext=root:system_r:sysadm_mail_t
tcontext=root:object_r:postfix_etc_t tclass=file
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
19 years, 5 months
Core 2 Test 3
by Nick Gray
OK Dan, I am on the right list now!
I joined this morning and was reviewing the archives. First question is
about the way that we are the installation/selection of SELinux in Core
2 from the message titled 'Fedora Core 2 and SELinux'
> SELinux *will* be included in Fedora Core 2 test 3 and the final
> Fedora Core 2 release. However, SELinux will be disabled by default.
> To install with SELinux support, pass 'selinux' to the installer
> on the command line. (Or, configure it appropriately in kickstart).
Can someone justify using a command line option to the installation
process? I provided to the SEL list a comp.xml skeleton that I used to
add SEL to Core 1. I will add the same below.
19 years, 5 months
Current rawhide RHGB avc message
by Dax Kelson
The Red Hat graphical boot program "rhgb" generates this avc message at
bootup. It seems to run ok.
audit(1082997673.875:0): avc: denied { read } for pid=49 exe=/usr/bin/rhgb name=XF86Config dev=hda6 ino=408408 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:firstboot_rw_t tclass=file
An odd (non SELinux related) thing I noticed is that the files
/etc/X11/XF86Config and /etc/X11/xorg.conf both exist and have different
contents.
19 years, 5 months
SE Linux policy
by Krzysztof Mazurczyk
Hi all,
I have started playing with new SE Linux. I have it already running.
BTW minor question: There are messages in the log that /sbin/unix_verify
is denied to do something. The system seems to work well. Because
/sbin/unix_verify is from libpam-modules I'm not sure what to do -
ignore or add some rules to policy for /sbin/unix_verify.
I can run user-mode-linux from my shell but I need to run UML when the main
system boots. UML should generally run via the nohup program in background
mode. My main question is how to do that.
I'm generally looking for good solution from security point of view and
relatively easy to do.
I have thought about:
1) Leave UML running in initrc_t domain - now I have but it is bad. Isn't it?
2) Create special domain - is impossible for me yet.
3) Extend rights for existing domains.
4) Run UML via runcon program in init.d script in the same context like
when run from shell.
3) and 4) are similar somehow but 4) seems to be easier to do.
I can modify policy by adding 'allow' rules but I'm not sure if it is
the right way in this case.
I haven't found a document like, let's say, 'general advice' containing
advice like: 'what can be done safely', 'what should be avoided', 'if you
do ... remember about ...', 'be careful if you want ...', 'if you allow
... you weaken policy seriously'. I have a feeling that SE Linux policy has
its own deep philosophy so I'm afraid to make deeper changes in policy
and not to break policy seriously.
Any advice, help or comments are welcome.
Best regards,
Chris
19 years, 5 months
Re: .te files in packages
by Shahms King
(I just subscribed, so I'm replying from the list archive...)
Given that FC2 is no longer shipping with SELinux enabled by default, it
makes sense to have a separate policy package for individual packages,
IMHO. The policy package would depend on policy-sources and the parent
package and could easily do:
%post
# Rebuild and load the policy, then relabel the files owned by each
# installed package that this policy package covers.
cd /etc/security/selinux/src/policy
make load
PACKAGELIST="parent-package parent-package-devel"
for PACKAGE in $PACKAGELIST; do
    if /bin/rpm -q "$PACKAGE" > /dev/null 2>&1; then
        /bin/rpm -ql "$PACKAGE" | /usr/sbin/setfiles -s \
            /etc/security/selinux/file_contexts
    fi
done
================================================================
Of course all of this would be greatly enhanced by an rpm macro that
handled adding all other packages built from the same spec file as the
policy package. Heck, the macro could have options to exclude packages
or include separately compiled packages in the list.
--
Shahms King <shahms(a)shahms.com>
19 years, 5 months
Current rawhide "cardctl ident" problem
by Dax Kelson
In enforcing mode I can't run the cardctl program. Specifically, I tried
"cardctl ident" to get a list of PCMCIA/Cardbus devices.
It comes back with an error message, and this avc message:
audit(1082997955.593:0): avc: denied { ioctl } for pid=2076 exe=/sbin/cardctl path=/dev/tty1 dev=hda6 ino=678551 scontext=root:sysadm_r:cardmgr_t tcontext=root:object_r:sysadm_tty_device_t tclass=chr_file
19 years, 5 months
Current rawhide (test3??) Firstboot AVC messages
by Dax Kelson
I did an install from rawhide last night. It claims to be test3.
I started my install with "linux selinux" and run in enforcing mode.
After going through the FirstBoot app, I logged in as root at the text
terminal and ran "dmesg | grep avc".
Here is the output:
audit(1082992916.819:0): avc: denied { create } for pid=211 exe=/sbin/lvm.static name=archive scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:lvm_etc_t tclass=dir
audit(1082992944.637:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB0 dev=hda6 ino=700638 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB1 dev=hda6 ino=700639 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB2 dev=hda6 ino=700646 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB3 dev=hda6 ino=700647 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB4 dev=hda6 ino=700648 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB5 dev=hda6 ino=700649 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB6 dev=hda6 ino=700650 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB7 dev=hda6 ino=700651 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB8 dev=hda6 ino=700652 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB9 dev=hda6 ino=700653 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.639:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB10 dev=hda6 ino=700640 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.639:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB11 dev=hda6 ino=700641 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.639:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB12 dev=hda6 ino=700642 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.639:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB13 dev=hda6 ino=700643 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.639:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB14 dev=hda6 ino=700644 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.639:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB15 dev=hda6 ino=700645 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992952.663:0): avc: denied { transition } for pid=1663 exe=/bin/su path=/bin/bash dev=hda6 ino=977288 scontext=system_u:system_r:initrc_su_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
audit(1082992965.952:0): avc: denied { unix_read unix_write } for pid=51 exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:firstboot_t tclass=shm
audit(1082992972.074:0): avc: denied { read } for pid=1916 exe=/sbin/consoletype path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
audit(1082992972.074:0): avc: denied { write } for pid=1916 exe=/sbin/consoletype path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
audit(1082992972.161:0): avc: denied { read } for pid=1917 exe=/sbin/iptables path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:iptables_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
audit(1082992972.161:0): avc: denied { write } for pid=1917 exe=/sbin/iptables path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:iptables_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
audit(1082992987.095:0): avc: denied { read } for pid=1931 exe=/sbin/consoletype path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
audit(1082992987.095:0): avc: denied { write } for pid=1931 exe=/sbin/consoletype path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
audit(1082992987.106:0): avc: denied { read } for pid=1932 exe=/sbin/iptables path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:iptables_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
audit(1082992987.107:0): avc: denied { write } for pid=1932 exe=/sbin/iptables path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:iptables_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
audit(1082992996.944:0): avc: denied { unix_read unix_write } for pid=51 exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:firstboot_t tclass=shm
19 years, 5 months
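Added example (not part of any post in this archive): a Python triage script for the "audit(...): avc: denied" lines quoted in the posts above, collapsing repeats by source type, target type and class so that a flood such as the cupsd_t ttyUSB writes reads as one row. The function names are this example's own; the sample lines are copied from the posts, with the wrapped security_compute_sid line rejoined onto one line.

```python
import re
from collections import defaultdict

# Subset of the log lines quoted in the posts above; the wrapped
# security_compute_sid line is rejoined onto one line here.
SAMPLE = """\
audit(1083135148.926:0): security_compute_sid: invalid context root:system_r:sysadm_mail_t for scontext=root:sysadm_r:sysadm_mail_t tcontext=system_u:object_r:postfix_master_exec_t tclass=process
audit(1082992944.637:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB0 dev=hda6 ino=700638 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB1 dev=hda6 ino=700639 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992944.638:0): avc: denied { write } for pid=1495 exe=/usr/lib/cups/backend/serial name=ttyUSB2 dev=hda6 ino=700646 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082992965.952:0): avc: denied { unix_read unix_write } for pid=51 exe=/usr/X11R6/bin/Xorg key=0 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:system_r:firstboot_t tclass=shm
audit(1082992972.074:0): avc: denied { read } for pid=1916 exe=/sbin/consoletype path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
audit(1082992972.074:0): avc: denied { write } for pid=1916 exe=/sbin/consoletype path=pipe:[3710] dev= ino=3710 scontext=system_u:system_r:consoletype_t tcontext=system_u:system_r:firstboot_t tclass=fifo_file
"""

AVC_RE = re.compile(r"audit\(\d+\.\d+:\d+\):\s+avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")  # empty values such as "dev=" are skipped

def parse_avc(line):
    """Parse one denial line into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(KV_RE.findall(m.group(2)))
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated or wrapped line: do not guess
    rec["perms"] = set(m.group(1).split())
    return rec

def ctx_type(context):
    # Contexts are user:role:type[:level]; policy rules key on the type.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Collapse denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "objects": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        obj = rec.get("name") or rec.get("path")  # shm denials carry neither
        if obj:
            g["objects"].add(obj)
    return dict(groups)

def report(groups):
    rows = sorted(groups.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return ["%dx %s -> %s:%s { %s } objects=%s" % (
        g["count"], s, t, c, " ".join(sorted(g["perms"])),
        ",".join(sorted(g["objects"])) or "-") for (s, t, c), g in rows]
```

Running report(summarize(...)) over a saved "dmesg | grep avc" capture gives one row per policy question, with the permission set and the affected object names to review before deciding whether a rule, a relabel or a bug report is the right response.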