avc denied messages, miscellaneous
by Richard Hally
Attached is a log/messages file from running in enforcing mode. Some of
the messages are from running "yum update" to get today's updates and
some are from running Mozilla mail to send a message.
Apr 16 04:02:21 localhost syslogd 1.4.1: restart.
Apr 16 04:02:21 localhost logrotate: ALERT exited abnormally with [1]
Apr 16 04:09:16 localhost init: Trying to re-exec init
Apr 16 04:09:45 localhost su(pam_unix)[5574]: session opened for user news by (uid=0)
Apr 16 04:09:45 localhost kernel: audit(1082102985.943:0): avc: denied { append } for pid=5577 exe=/usr/bin/slrnpull name=log dev=hdc3 ino=311507 scontext=user_u:user_r:user_t tcontext=system_u:object_r:slrnpull_spool_t tclass=file
Apr 16 04:09:46 localhost kernel: audit(1082102986.034:0): avc: denied { read } for pid=5577 exe=/usr/bin/slrnpull name=slrnpull.conf dev=hdc3 ino=311050 scontext=user_u:user_r:user_t tcontext=system_u:object_r:slrnpull_spool_t tclass=file
Apr 16 04:09:46 localhost su(pam_unix)[5574]: session closed for user news
Apr 16 04:09:46 localhost kernel: audit(1082102986.479:0): avc: denied { getattr } for pid=5587 exe=/usr/sbin/tmpwatch path=/var/tmp/kdecache-root dev=hdc3 ino=1357905 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=dir
Apr 16 13:03:52 localhost kernel: audit(1082135032.752:0): avc: denied { getattr } for pid=6168 exe=/usr/lib/mozilla-1.6/mozilla-bin path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:file_t tclass=dir
Apr 16 13:21:22 localhost su(pam_unix)[6224]: session opened for user root by richard(uid=500)
Apr 16 16:22:27 localhost kernel: audit(1082146947.134:0): avc: denied { search } for pid=8246 exe=/sbin/ldconfig name=tmp dev=hdc3 ino=310689 scontext=root:sysadm_r:ldconfig_t tcontext=system_u:object_r:tmp_t tclass=dir
Apr 16 16:27:14 localhost kernel: audit(1082147234.089:0): avc: denied { execute } for pid=8952 exe=/bin/bash name=dmsetup dev=hdc3 ino=1046648 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 16 16:27:14 localhost kernel: audit(1082147234.089:0): avc: denied { read } for pid=8952 exe=/bin/bash name=dmsetup dev=hdc3 ino=1046648 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:lvm_exec_t tclass=file
Apr 16 16:27:18 localhost kernel: SELinux: initialized (dev loop0, type ext2), uses xattr
Apr 16 16:31:08 localhost kernel: audit(1082147468.765:0): avc: granted { load_policy } for pid=9107 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Apr 16 16:31:09 localhost kernel: security: 6 users, 7 roles, 1241 types, 1 bools
Apr 16 16:31:09 localhost kernel: security: 30 classes, 298679 rules
Apr 16 16:32:36 localhost kernel: audit(1082147555.936:0): avc: granted { load_policy } for pid=9163 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Apr 16 16:32:36 localhost kernel: security: 6 users, 7 roles, 1239 types, 1 bools
Apr 16 16:32:36 localhost kernel: security: 30 classes, 298241 rules
Apr 16 16:32:36 localhost kernel: security: invalidating context system_u:system_r:atd_t
Apr 16 16:32:36 localhost kernel: security: invalidating context system_u:object_r:atd_exec_t
Apr 16 16:32:36 localhost kernel: security: invalidating context system_u:object_r:atd_var_run_t
Apr 16 16:37:21 localhost kernel: audit(1082147841.882:0): avc: denied { search } for pid=1657 exe=/usr/sbin/atd name=at dev=hdc3 ino=2600030 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:at_spool_t tclass=dir
Apr 16 16:37:21 localhost kernel: audit(1082147841.955:0): avc: denied { search } for pid=1657 exe=/usr/sbin/atd dev=hdc3 ino=2 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:root_t tclass=dir
Apr 16 16:37:21 localhost kernel: audit(1082147841.966:0): avc: denied { create } for pid=1657 exe=/usr/sbin/atd scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:unlabeled_t tclass=unix_dgram_socket
Apr 16 16:41:35 localhost kernel: audit(1082148095.688:0): avc: denied { use } for pid=9492 exe=/usr/sbin/sendmail.sendmail path=pipe:[50959] dev= ino=50959 scontext=root:sysadm_r:system_mail_t tcontext=root:sysadm_r:rpm_t tclass=fd
Apr 16 16:42:47 localhost kernel: inode_doinit_with_dentry: context_to_sid(system_u:object_r:atd_exec_t) returned 22 for dev=hdc3 ino=752649
Apr 16 17:48:09 localhost IIim: htt shutdown succeeded
Apr 16 17:48:10 localhost su(pam_unix)[10916]: session opened for user htt by (uid=0)
Apr 16 17:48:11 localhost su(pam_unix)[10916]: session closed for user htt
Apr 16 17:48:11 localhost IIim: htt startup succeeded
Apr 16 17:49:34 localhost xfs: xfs -USR1 succeeded
Apr 16 17:49:34 localhost xfs[1628]: re-reading config file
Apr 16 17:49:35 localhost xfs[1628]: ignoring font path element /usr/lib/openoffice/share/fonts/truetype (unreadable)
Apr 16 17:57:50 localhost sendmail: sendmail shutdown succeeded
Apr 16 17:57:50 localhost sendmail: sm-client shutdown failed
Apr 16 17:57:51 localhost kernel: audit(1082152671.412:0): avc: denied { read } for pid=13082 exe=/bin/hostname path=pipe:[129472] dev= ino=129472 scontext=root:system_r:hostname_t tcontext=root:sysadm_r:rpm_t tclass=fifo_file
Apr 16 17:57:51 localhost kernel: audit(1082152671.412:0): avc: denied { read } for pid=13082 exe=/bin/hostname path=/etc/mail/submit.mc dev=hdc3 ino=2060428 scontext=root:system_r:hostname_t tcontext=system_u:object_r:etc_mail_t tclass=file
Apr 16 17:57:51 localhost kernel: audit(1082152671.412:0): avc: denied { read } for pid=13082 exe=/bin/hostname path=/usr/share/sendmail-cf/m4/cf.m4 dev=hdc3 ino=1635910 scontext=root:system_r:hostname_t tcontext=system_u:object_r:usr_t tclass=file
Apr 16 17:57:51 localhost kernel: audit(1082152671.412:0): avc: denied { read } for pid=13082 exe=/bin/hostname path=/usr/share/sendmail-cf/m4/cfhead.m4 dev=hdc3 ino=1635519 scontext=root:system_r:hostname_t tcontext=system_u:object_r:usr_t tclass=file
Apr 16 17:57:51 localhost kernel: audit(1082152671.792:0): avc: denied { read } for pid=13090 exe=/usr/sbin/sendmail.sendmail path=pipe:[129472] dev= ino=129472 scontext=root:system_r:sendmail_t tcontext=root:sysadm_r:rpm_t tclass=fifo_file
Apr 16 17:57:52 localhost kernel: audit(1082152672.581:0): avc: denied { read } for pid=13094 exe=/usr/sbin/sendmail.sendmail path=pipe:[129472] dev= ino=129472 scontext=root:system_r:sendmail_t tcontext=root:sysadm_r:rpm_t tclass=fifo_file
Apr 16 17:57:52 localhost sendmail: sendmail startup succeeded
Apr 16 17:57:53 localhost kernel: audit(1082152673.569:0): avc: denied { read } for pid=13104 exe=/usr/sbin/sendmail.sendmail path=pipe:[129472] dev= ino=129472 scontext=root:system_r:sendmail_t tcontext=root:sysadm_r:rpm_t tclass=fifo_file
Apr 16 17:57:53 localhost sendmail: sm-client startup succeeded
Apr 16 20:11:51 localhost kernel: audit(1082160711.345:0): avc: denied { getattr } for pid=13281 exe=/usr/lib/mozilla-1.6/mozilla-bin path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:file_t tclass=dir
19 years, 5 months
Pam_mount and SELinux
by W. Michael Petullo
As an exercise to help me learn the fundamentals of SELinux policies I
am trying to get pam_mount to work on an enforcing SELinux system.
Pam_mount is a module that allows password-protected volumes to be
mounted when a user logs in using the user's normal system password.
Pam_mount requires several special capabilities and I have modified my
su_macros.te to give them to the su command (it's a start).
1. Pam_mount needs to be able to work in /var/run/pam_mount:
allow $1_su_t var_run_t:dir { getattr add_name remove_name write };
allow $1_su_t var_run_t:file { create getattr setattr read write lock unlink };
2. Pam_mount needs to be able to read its configuration file:
allow $1_su_t etc_runtime_t:file { getattr read };
allow $1_su_t user_home_t:dir { getattr read };
3. Pam_mount needs to be able to execute some commands in /sbin:
allow $1_su_t sbin_t:file { read execute };
4. Pam_mount needs to be able to execute mount:
allow $1_su_t mount_exec_t:file { read execute };
allow $1_su_t $1_su_t:capability { fsetid };
domain_auto_trans($1_su_t, mount_exec_t, mount_t)
One problem I am having right now is that when pam_mount tries to execute
mount it fails with a "permission denied" error. But I get no related
AVC log from SELinux. If I disable SELinux's enforcing then I get no
error and everything works fine.
Other than that, I would like to hear any comments about the additional
requirements pam_mount has. I am giving more capabilities to su and
therefore increasing risk. Am I doing so in the right way? Does anyone
have a better model to propose to accomplish this?
--
Mike
:wq
19 years, 5 months
udev tries to execute files in /etc/dev.d
by Aleksey Nogin
I see a lot of messages of the form
audit(1082098131.912:0): avc: denied { execute } for pid=3700
exe=/sbin/udev name=dbus.dev dev=hda2 ino=229313
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1082098131.920:0): avc: denied { execute } for pid=3701
exe=/sbin/udev name=dbus.dev dev=hda2 ino=229313
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1082098131.921:0): avc: denied { execute } for pid=3702
exe=/sbin/udev name=pam_console.dev dev=hda2 ino=229315
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1082098131.921:0): avc: denied { execute } for pid=3703
exe=/sbin/udev name=selinux.dev dev=hda2 ino=229329
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1082098131.922:0): avc: denied { execute } for pid=3704
exe=/sbin/udev name=pam_console.dev dev=hda2 ino=229315
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1082098131.922:0): avc: denied { execute } for pid=3705
exe=/sbin/udev name=selinux.dev dev=hda2 ino=229329
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
Should the files in /etc/dev.d be labeled differently?
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
19 years, 5 months
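The two posts above (Richard Hally's messages file and Aleksey Nogin's udev report) are raw AVC output, and both writers are asking the same question: which denials need a policy change and which are really labeling problems? The following script is an added example, not code from either post and not audit2allow itself. It parses AVC records in both forms seen here (syslog-prefixed one-liners and bare "audit(...)" records that a mail client has wrapped across several lines), groups the denials into audit2allow-style allow rules, and puts any rule that involves the "no valid label" types file_t or unlabeled_t into a separate relabel bucket, since an allow rule against those types papers over a mislabeled file or a process whose context was invalidated by a policy reload (compare the "invalidating context system_u:system_r:atd_t" lines in the first post, followed by atd denials with scontext=system_u:object_r:unlabeled_t). The sample log is lifted verbatim from the two posts; the function names and the bucket names are this example's own.

```python
"""Parse SELinux AVC messages (syslog-prefixed or raw, possibly wrapped across
lines) and summarize denials as candidate allow rules, separating those that
point at labeling problems from those that point at missing policy."""
import re
from collections import defaultdict

# A logical message starts with a syslog timestamp ("Apr 16 04:09:45 ...") or a
# bare "audit(" record; any other non-empty line is a continuation of the
# previous message (mail clients wrap long AVC lines, as in the udev post).
MSG_START_RE = re.compile(r"^(?:\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s|audit\()")
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # values may be empty, e.g. "dev=" for a pipe

# Types meaning "no valid label": a denial involving them is fixed by relabeling
# (or restarting the mislabeled process), not by adding an allow rule.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def join_wrapped(lines):
    """Yield one complete message per item, re-joining wrapped continuation lines."""
    buf = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if MSG_START_RE.match(line):
            if buf is not None:
                yield buf
            buf = line
        elif buf is not None:
            buf += " " + line.strip()
    if buf is not None:
        yield buf


def parse_avc(msg):
    """Return a dict for an AVC record (verdict, perms, pid, exe, scontext, ...),
    or None if the message is not an AVC record at all."""
    m = AVC_RE.search(msg)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def type_of(context):
    """user:role:type -> type (third field); pass anything shorter through."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def triage(lines):
    """Group denials by (source type, target type, class) into audit2allow-style
    rules and split them into 'policy' (missing rule) and 'relabel' (bad label)."""
    groups = defaultdict(set)
    for msg in join_wrapped(lines):
        rec = parse_avc(msg)
        if rec is None or rec["verdict"] != "denied":
            continue  # "granted" records such as load_policy are not denials
        key = (type_of(rec.get("scontext", "")), type_of(rec.get("tcontext", "")),
               rec.get("tclass", ""))
        groups[key].update(rec["perms"])
    out = {"policy": [], "relabel": []}
    for (s, t, c), perms in sorted(groups.items()):
        rule = f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        bucket = "relabel" if s in UNLABELED_TYPES or t in UNLABELED_TYPES else "policy"
        out[bucket].append(rule)
    return out


# Sample taken verbatim from the posts above: six syslog lines from the
# messages file (one of them a "granted" record) and one wrapped udev record.
SAMPLE_LOG = """\
Apr 16 04:09:45 localhost kernel: audit(1082102985.943:0): avc: denied { append } for pid=5577 exe=/usr/bin/slrnpull name=log dev=hdc3 ino=311507 scontext=user_u:user_r:user_t tcontext=system_u:object_r:slrnpull_spool_t tclass=file
Apr 16 04:09:46 localhost kernel: audit(1082102986.034:0): avc: denied { read } for pid=5577 exe=/usr/bin/slrnpull name=slrnpull.conf dev=hdc3 ino=311050 scontext=user_u:user_r:user_t tcontext=system_u:object_r:slrnpull_spool_t tclass=file
Apr 16 04:09:46 localhost kernel: audit(1082102986.479:0): avc: denied { getattr } for pid=5587 exe=/usr/sbin/tmpwatch path=/var/tmp/kdecache-root dev=hdc3 ino=1357905 scontext=system_u:system_r:tmpreaper_t tcontext=system_u:object_r:file_t tclass=dir
Apr 16 16:31:08 localhost kernel: audit(1082147468.765:0): avc: granted { load_policy } for pid=9107 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Apr 16 16:37:21 localhost kernel: audit(1082147841.882:0): avc: denied { search } for pid=1657 exe=/usr/sbin/atd name=at dev=hdc3 ino=2600030 scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:at_spool_t tclass=dir
Apr 16 16:41:35 localhost kernel: audit(1082148095.688:0): avc: denied { use } for pid=9492 exe=/usr/sbin/sendmail.sendmail path=pipe:[50959] dev= ino=50959 scontext=root:sysadm_r:system_mail_t tcontext=root:sysadm_r:rpm_t tclass=fd
audit(1082098131.912:0): avc: denied { execute } for pid=3700
exe=/sbin/udev name=dbus.dev dev=hda2 ino=229313
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:etc_t
tclass=file
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for bucket in ("policy", "relabel"):
        print(f"# {bucket}")
        for rule in result[bucket]:
            print(rule)
```

Run it with `python3 avc_triage.py < /var/log/messages` style input by swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`. The "policy" bucket is what you would feed into a .te file after reading each rule; the "relabel" bucket is where a rule would be a mistake: the tmpwatch denial is a file_t directory that needs `setfiles`/`restorecon`, and the atd one is a daemon still running under a type the new policy no longer knows, which wants a restart (or a policy that keeps atd_t), not `allow unlabeled_t ...`.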
login default ... changed?
by Gene Czarcinski
Now things related to selinux, policy, etc. have been changing so rapidly that
my memory may be incorrect.
IIRC, it used to be that if I logged in from gdm as a sysadm_r user (staff_r
and sysadm_r) as defined in users, I would be logged in with sysadm_r. This
appears to have changed (or my memory is faulty). The default for a sysadm_r
user is to get staff_r and must use newrole -r sysadm_r to get that. Good!
That is the way I think it should work.
The same is true for root. As far as selinux is concerned, root is just
another sysadm_r user and the default role logging in from gdm is staff_r.
Is this what should be done? This will certainly be a change for most users.
When I login as root from gdm, I do not expect that I will be prompted for
root's password when I invoke system-config-users from the menu.
I also notice that doing an "su -" to root or another sysadm_r user will
default to sysadm_r role for that user. If it is from another sysadm_r user,
then I get a choice of sysadm_r (default) or staff_r. If it is from a user_r
user, then no choice, I just get sysadm_r.
Comments?? Is this how things should work??
This is not criticism, just wondering.
Gene
19 years, 5 months
bugs of the day
by Bill Nottingham
I can bugzilla if it's preferred.
policy-1.11.2-6
1) contexts aren't set correctly on install. Jeremy is looking at this.
2) lvm_t can't read sysfs_t. It needs to
3) udev spews all sorts of stuff
a) it can't run things in /etc/dev.d (etc_t, shell_exec_t ATM)
b) can't look in /bin
c) read symlinks in /bin
d) various other things because of this
4) init can't write to wtmp (var_log_t)
5) other bits
bootup log and audit2allow attached.
Bill
19 years, 5 months
Su from an unprivileged account
by Nico
Hi all.
Is there a way to easily configure the policy to allow
an unprivileged user to execute the su command?
By default, this is not allowed!
Nico.
19 years, 5 months
ANN: Tresys Setools 1.3
by Karl MacMillan
Setools version 1.3 has been released. It is available from
http://www.tresys.com/selinux/ and the selinux cvs repository on
SourceForge. This is a major new feature release that includes:
- Two new command-line tools for finding and replacing file contexts. The
tools findcon and replcon can recursively search for files with contexts
that match search strings. The search strings can specify complete contexts,
partial contexts, and shell globbing style wildcards. Replcon will then
replace the context or part of the context. These tools fill an important
gap for the administration of SELinux systems and for the analysis of
SELinux policies. These tools are different from restorecon and chcon
because they can recursively search directories and different from setfiles
because they can set arbitrary contexts.
- Seaudit now supports the creation of multiple views of the same audit log.
This allows the user to view the results from multiple audit log queries at
the same time. In addition, these queries can now be saved so that views can
be recreated later.
- Seaudit also has support for the new audit infrastructure included in the
current NSA release, Fedora Core 2 test 2, and recent Linux kernels. Also,
boolean change messages are supported.
- Apol has complete support for conditional policies, including the viewing
of conditional expressions, policy query and analysis results based on the
current boolean values, and changing the boolean values.
- The information flow analysis in Apol now supports assigning weights to
object class permissions. These weights are used to specify the importance,
or bandwidth, of object permissions so that the information flow analysis
can return flows that contain important permissions first. This will make it
easier for an analyst to find information flows in which they are interested
quickly.
- Seuser will now label newly created home directories.
- Support for version 17 policies is included in all of the tools.
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134
19 years, 5 months
adding /etc/roles
by Sean Middleditch
As was recommended to me, I'm sending this to the list. I was
recommended to go to -devel, but this list seems a heck of a lot more
appropriate, so here it is. Note that although I'm now subscribed I
have delivery turned off, so CC me if you want a response. I check the
web mail archives too, but I can't respond to messages posted there.
(I'd love to add that ability, tho; a form to respond to any list mail
using your subscribed mail address and account password... would be
sweet.)
Red Hat Bugzilla #120571
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120571)
I wrote a script and patch for adding /etc/roles support to SELinux. So,
instead of needing to hack in m4 macros and botch the ability to upgrade
sources with RPM, you can just edit /etc/roles and rebuild the policy
nice and clean like.
Still need to figure out how to tell the policy (or system utilities)
what the default login role should be. A user with user_r and sysadm_r
roles, for example, should not have sysadm_r as the default. The
default_contexts file does this, but I'm not comfortable modifying that
file with a script.
Also, some tools like addrole and delrole would be nice, for modifying
the /etc/roles file and automatically rebuilding/reloading the policy.
useradd/userdel should also support this functionality. The silly
seadduser command should also be fixed/removed; just make it so a flag
to useradd gives a default role, and if the default role is omitted,
don't add an /etc/roles entry. (Users not in /etc/roles wouldn't have
an SELinux user ID, unless manually added to the policy sources.) Makes
a heck of a lot more sense than a separate seuseradd command. I think
there was a bugzilla entry regarding that, not sure what bug# though.
Additionally, a command like "policy" or "selinux" for modifying various
SELinux attributes would be great (for example, pull in the
selinuxenabled command, and add something like "rebuild" or "load" as
well for rebuilding and reloading the policy). Would make
administration a lot easier and saner, which SELinux needs a lot of...
--
Sean Middleditch <elanthis(a)awesomeplay.com>
AwesomePlay Productions, Inc.
19 years, 5 months
some hits from latest set of updates
by Gene Czarcinski
The latest version of udev (024-3) may fix something but it breaks others --
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120956
My reason for this message is really another matter. When I saw the large
number of denied messages involving udev, I immediately reinstalled
udev-023-2 and, sure enough, they went away ... well mostly. My sound was
broken again ... not for root (I could run s-c-soundcard) but for the user.
OK, I knew how to fix that ... "telinit 1", "setfiles /etc/security... /dev",
"telinit 5" ... sound works again for the user.
Now, my question is how will this be handled in the future? With the large
number of updates during the release development cycle, the number of updates
(and sometimes reinstall oldpackage) has created situations where the
attributes on a file have gotten screwed up.
Through experience (I have done it enough times), I have come to know that
occasionally I will need to do a relabel (or if I am lucky and know the
general area, a setfiles). But how will this be handled once FC2 is released?
Will a general user be willing to run selinux=1, enforcing=1 if things get
screwed up when they update packages and suddenly things stop working
(because some file is mis-labeled)?
I want to run selinux and plan to run enforcing=1 regardless of what FC2 ships
by default. But, will that be true of most users?
Gene
19 years, 5 months
rawhide install aborts on setools-1.2.1-7 install
by Dax Kelson
I tried to install the 04/14/04 rawhide twice. I did an "Everything"
install and everything was good until right near the end I got a fatal
message that the setools RPM couldn't be installed.
Plenty of diskspace (12GB) was available.
Out on a text terminal (F4??) there was a cpio error message.
Dax Kelson
Guru Labs
19 years, 5 months