/etc/sysconfig/selinux
by Martin Schmiderer
Hello *,
I started the installation of fc2t2 with selinux in permissive mode. Later on,
after I got the newest updates, I tried to set selinux to enforcing
in /etc/sysconfig/selinux.
After reboot, dmesg | grep -i selinux tells me that selinux runs in permissive
mode. OK, what's happening... I appended enforcing=1 on the grub cmd. That works
fine.
So why does it do nothing if I try to set enforcing
in /etc/sysconfig/selinux???
Thanks for this good job in fc2t2 ;-) (and excuse me for my bad english).
greetz,
Martin
19 years, 5 months
avc denied messages from boot
by Richard Hally
When booting to runlevel 5 in enforcing mode with the latest policy
there were only a few AVC denied messages. They are copied below.
[root@localhost root]# rpm -q policy policy-sources
policy-1.9.2-10
policy-sources-1.9.2-10
[root@localhost root]#
Hope this helps,
Richard Hally
--------------------messages-----------------------------
Apr 5 22:37:25 localhost crond: crond startup succeeded
Apr 5 22:37:25 localhost kernel: audit(1081219045.889:0): avc: denied { read } for pid=1647 exe=/usr/sbin/crond name=mailman dev=hdc3 ino=539689 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Apr 5 22:37:27 localhost xfs: xfs startup succeeded
Apr 5 22:38:04 localhost gdm(pam_unix)[1814]: session opened for user richard by (uid=0)
Apr 5 22:38:19 localhost kernel: audit(1081219099.459:0): avc: denied { setattr } for pid=1886 exe=/usr/libexec/gnome-settings-daemon name=registry.xml dev=hdc3 ino=3009195 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:var_t tclass=file
Apr 5 22:38:20 localhost kernel: audit(1081219100.136:0): avc: denied { getattr } for pid=1901 exe=/usr/X11R6/bin/xscreensaver path=/home/richard/.xscreensaver dev=hdc3 ino=2469233 scontext=richard:staff_r:staff_screensaver_t tcontext=richard:object_r:staff_home_t tclass=file
Apr 5 22:38:29 localhost kernel: audit(1081219109.860:0): avc: denied { getattr } for pid=1955 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:30 localhost kernel: audit(1081219110.466:0): avc: denied { getattr } for pid=1966 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:30 localhost kernel: audit(1081219110.653:0): avc: denied { getattr } for pid=1967 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:37 localhost kernel: audit(1081219117.803:0): avc: denied { setattr } for pid=1976 exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hdc3 ino=3009195 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:var_t tclas:
19 years, 5 months
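The AVC messages in the post above are exactly the kind of input one triages after a boot in enforcing mode: for each denial, which source type tried which permission on which target type and object class. The following is an added example, not code from the post or from the policy packages; it parses the kernel's "avc: denied { perms } for key=value ..." format and groups the denials the way an "allow" rule in the old policy sources is shaped (source type, target type, class, permission set), together with a hit count per group. The sample input is the post's own messages with the mail wrapping re-joined; the parser only looks for the "avc: denied" token, so the syslog prefix in front of it does not matter.

```python
import re
from collections import defaultdict

# AVC lines copied from Richard Hally's post above, re-joined onto one line each.
# Two non-AVC syslog lines are kept to show that the parser skips them.
SAMPLE_MESSAGES = """\
Apr 5 22:37:25 localhost kernel: audit(1081219045.889:0): avc: denied { read } for pid=1647 exe=/usr/sbin/crond name=mailman dev=hdc3 ino=539689 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:file_t tclass=file
Apr 5 22:37:27 localhost xfs: xfs startup succeeded
Apr 5 22:38:04 localhost gdm(pam_unix)[1814]: session opened for user richard by (uid=0)
Apr 5 22:38:19 localhost kernel: audit(1081219099.459:0): avc: denied { setattr } for pid=1886 exe=/usr/libexec/gnome-settings-daemon name=registry.xml dev=hdc3 ino=3009195 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:var_t tclass=file
Apr 5 22:38:20 localhost kernel: audit(1081219100.136:0): avc: denied { getattr } for pid=1901 exe=/usr/X11R6/bin/xscreensaver path=/home/richard/.xscreensaver dev=hdc3 ino=2469233 scontext=richard:staff_r:staff_screensaver_t tcontext=richard:object_r:staff_home_t tclass=file
Apr 5 22:38:29 localhost kernel: audit(1081219109.860:0): avc: denied { getattr } for pid=1955 exe=/usr/libexec/gnome-vfs-daemon path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:30 localhost kernel: audit(1081219110.466:0): avc: denied { getattr } for pid=1966 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:30 localhost kernel: audit(1081219110.653:0): avc: denied { getattr } for pid=1967 exe=/usr/bin/nautilus path=/initrd dev=ram0 ino=2 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:file_t tclass=dir
Apr 5 22:38:37 localhost kernel: audit(1081219117.803:0): avc: denied { setattr } for pid=1976 exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hdc3 ino=3009195 scontext=richard:staff_r:staff_t tcontext=system_u:object_r:var_t tclass=file
"""

# "avc: denied { read write } for pid=... scontext=... tclass=file"
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    rec = {"verdict": verdict, "perms": perms.split()}
    rec.update(KV_RE.findall(rest))
    # A context is user:role:type; keep the type separately since rules are written on types.
    for key in ("scontext", "tcontext"):
        if key in rec:
            parts = rec[key].split(":")
            rec[key + "_type"] = parts[2] if len(parts) >= 3 else rec[key]
    return rec


def parse_log(text):
    """Parse every AVC line in a syslog excerpt, skipping unrelated lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Group denials by (source type, target type, class): union of perms plus a hit count."""
    perms = defaultdict(set)
    counts = defaultdict(int)
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (r["scontext_type"], r["tcontext_type"], r["tclass"])
        perms[key].update(r["perms"])
        counts[key] += 1
    return {k: {"perms": sorted(v), "count": counts[k]} for k, v in perms.items()}


def as_allow_rules(summary):
    """Render each group as an allow rule so it can be reviewed before anyone adds it."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(info['perms'])} }};"
        for (src, tgt, cls), info in sorted(summary.items())
    ]


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_MESSAGES))
    for (src, tgt, cls), info in sorted(summary.items()):
        print(f"{info['count']:3d}x  {src} -> {tgt}:{cls}  {info['perms']}")
    print()
    print("\n".join(as_allow_rules(summary)))
```

The rendered rules are a review aid, not something to paste into the policy. A target type of file_t, as on the /initrd and mailman denials above, is the type that files carry when nothing has labeled them, so those entries point at a labeling gap (relabel the object) rather than at a missing allow rule; only the staff_t -> var_t setattr and the screensaver -> staff_home_t getattr read like genuine policy questions.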
Not good
by Gene Czarcinski
OK, I updated with today's round of updates ... at least with respect to
selinux. This includes the kernel, policy, policy-sources, and
policycoreutils.
I then rebooted and ran "make reload" and "make relabel". They seemed to
complete OK. However, I cannot login from gdm as root (!), a regular user,
or a user with a sysadm role defined ... I get an indication that the home
directory could not be found (including for root).
BTW, what are the "right" circumstances for running "make relabel"? I have
sometimes gotten an error saying it could not handle "/dev/tty1". Should I
plan to do this from single-user-mode?
Gene
19 years, 5 months
Creating new users and roles
by Nico
Hello,
is there a different way to add new users and roles
than creating them in the
/etc/security/selinux/src/policy/users file and
recompiling the policy?
thanks
Nico.
19 years, 5 months
Success with Gaussian03
by Albert Strasheim
Hello all,
Not sure if this should go to fedora-test-list instead, but here goes...
I have successfully managed to get Gaussian03 (commercial software for
computational chemistry) going on FC2 test2.
Here's a quick HOWTO:
1. Extract the LI2-800N.taz file provided by Gaussian, Inc. to /opt/g03.
This is the x86 binary distribution of Gaussian03.
2. Gaussian03 won't run if its files are world readable, so create a
separate group for Gaussian03 users:
/usr/sbin/groupadd -r g03
/usr/bin/gpasswd -a myuser g03
3. Set up the permissions on the Gaussian03 files:
chown -R root.g03 /opt/g03
chmod -R a+rX /opt/g03
chmod -R o-rwx /opt/g03
4. Set the SELinux security context for the Gaussian03 files:
chcon -t bin_t `find /opt/g03 -perm +111 -type f`
(Modified command from the comment in bug 120140. Is this right?)
Now Gaussian03 can be run by any user in the g03 group (provided he/she
sets the g03root environment variable and sources the necessary file from
/opt/g03/bsd).
Cheers,
Albert Strasheim
19 years, 5 months
kernel panic after policy update failure
by J. Scott Farrow
I just updated (via yum) to policy-1.9.2-9 on kernel 2.6.4.1-300 and get the following on reboot:
Enforcing mode requested but no policy loaded. Halting now.
Kernel panic: Attempted to kill init!
I tried adding "selinux=0" to the kernel args, and also tried booting single user, but get the same result. I had to boot rescue mode off the iso disc and turn off selinux in /etc/sysconfig/selinux. Now I can boot again.
It turns out that the policy rpm upgrade failed. No biggie, but I am wondering whether it is expected behaviour that you get a kernel panic if you attempt to boot with selinux enabled, but without a policy file (or a damaged file)? As a sysadmin, that concerns me. Perhaps a gentler behaviour would be to dump you in single user mode?
- J. Scott Farrow
19 years, 5 months
missing policies?
by Ric Letson
Where are the user policies located?
Am I missing /etc/security/selinux/src/policy/users or has the user list
moved to another location? It may be somewhere else and I'm just not
finding it; my only experience with selinux was on gentoo.
Also, does anyone know of any good documentation on the Fedora Core 2
SELinux implementation? The Fedora website is pretty sparse as far as
any documentation goes, probably due to it not being written yet.
OS: Fedora Core 2 Test 2 (installed by ftp from redhat mirror)
Policy: policy-1.9-15
Coreutils: policycoreutils-1.9-12
--
Ric Letson, NB2E
digitalcontrol(a)myrealbox.com
============================
GPG Signed for Authenticity
19 years, 5 months
ssh -l root getting context staff_t is pointless
by Alexandre Oliva
I read previous discussions about it here. The argument IIRC is that
making the default context staff_t adds a little bit of security.
IMHO, it adds no security whatsoever, since
`ssh -l root hostname -t su -' gets you to sysadm_r without asking for
a password. So how about changing the default policy such that ssh
selects sysadm_r by default, which should minimize the inconvenience
without really losing anything in terms of security?
--
Alexandre Oliva http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer aoliva(a){redhat.com, gcc.gnu.org}
Free Software Evangelist oliva(a){lsd.ic.unicamp.br, gnu.org}
19 years, 5 months
Re: Advice for installing test2 if you are going to be saving files
by Alexandre Oliva
[Adding SELinux list]
On Apr 4, 2004, Russell Coker <russell(a)coker.com.au> wrote:
> using the context= mount option to label them as
> nfs_t might be an easy hack to solve this).
I've tried adding context=system_u:object_r:nfs_t to the mounts
containing the maze of soft links that my home dir is, but no luck.
First off, booting in enforcing mode, it wouldn't mount it, probably
because they're all in logical volumes (I think I heard that SELinux
is not compatible with LVM ATM :-( )
Oddly, if I'm in enforcing mode and attempt to mount them as
root_u:sysadm_r:sysadm_t, they fail to mount with the context= setting
in /etc/fstab, but mount succeeds without it. Is this a bug? If so,
same as above, or a different one? (it says the device is read only)
I tried labeling everything in these filesystems as
system_u:object_r:nfs_t, but I still couldn't ssh into the box in
enforcing mode. SSH key authentication failed to stat() the
authorized_keys file, so it demanded a password. Then, it failed to
chdir to my homedir, and finally xauth took a few seconds trying to
lock ~/.Xauthority before it timed out and gave up, and I was given a
prompt with $PWD=/. I could then cd to my home dir and use it
normally AFAICT, but this is quite inconvenient.
I guess I'll have to stay a bit longer without enforcing mode :-(
--
Alexandre Oliva http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer aoliva(a){redhat.com, gcc.gnu.org}
Free Software Evangelist oliva(a){lsd.ic.unicamp.br, gnu.org}
19 years, 5 months