Proper local policy modifications - where?
by Fritz Elfert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I have some special scripts which need a modified policy
(/etc/dhclient-exit-hooks, for example). So I'm wondering where to define
local exceptions or additions without messing up the stuff from the
policy-sources rpm. Is there any convention for adding local policies on FC2?
If not, would it probably make sense to establish such a convention like
e.g. /etc/security/selinux/policy.local?
Thanks
-Fritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAtHV/boM4mAMyprARAh+iAKCGhtNJnmw8YAaYgMp/aZIQ3ArIOgCgiab2
DH+ItSMzlD56RS8HAE//vas=
=kAmY
-----END PGP SIGNATURE-----
OpenOffice.org fails to start
by Matthew East
This is a strange problem. I have recently enabled selinux on my system
and now I cannot start OpenOffice.org. Everything else is working fine.
When I start it, it doesn't even get to the splash screen. I have NO
MESSAGES in dmesg or /var/log/messages about this (how can this
be??!??!!), and yet if I set selinux to permissive it loads fine.
Can anyone help me with this??
While I'm here, can somebody give me the solution to this error message
(which seems not to cause any problems), which occurs when I do a "su"
in Gnome Terminal.
audit(1085481816.902:0): avc: denied { add_name } for pid=1981
exe=/bin/su name=.xauthdgXnvH scontext=user_u:user_r:user_su_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
thanks everyone.
Matt
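Matt's post above and Tom London's mailman/cron post further down each paste one avc denial. The parser below is an added example, not code from the list or from any tool the posts mention; it takes the 2004-era `audit(...): avc: denied { perm } for key=value ...` line shape shown in those posts (the two sample lines are constructed to match them, one with the syslog prefix a kernel log adds) and reduces each denial to the question an administrator actually asks: which source domain was refused which permission on which target type and object.

```python
import re

# Constructed sample input in the shape the list posts show. The second line
# carries a syslog prefix, so the parser searches for the audit(...) token
# instead of anchoring at the start of the line.
SAMPLE_AVC_LINES = [
    "audit(1085481816.902:0): avc: denied { add_name } for pid=1981 "
    "exe=/bin/su name=.xauthdgXnvH scontext=user_u:user_r:user_su_t "
    "tcontext=root:object_r:staff_home_dir_t tclass=dir",
    "May 21 12:00:00 dell kernel: audit(1085166000.890:0): avc: denied "
    "{ transition } for pid=7796 exe=/usr/sbin/crond path=/bin/bash "
    "dev=hdb3 ino=376840 scontext=system_u:system_r:crond_t "
    "tcontext=user_u:sysadm_r:sysadm_t tclass=process",
]

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def split_context(ctx):
    """Split 'user:role:type' into its parts (extra MLS fields are ignored)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2]}


def parse_avc(line):
    """Return a dict describing one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "fields": fields,
    }
    for key in ("scontext", "tcontext"):
        if key in fields:
            rec[key] = split_context(fields[key])
    return rec


def describe(rec):
    """One-line summary: source type, verdict, permissions, target type, class, object."""
    src = rec["scontext"]["type"]
    tgt = rec["tcontext"]["type"]
    obj = rec["fields"].get("path") or rec["fields"].get("name") or "?"
    return "%s %s { %s } on %s (%s, %s)" % (
        src, rec["result"], " ".join(rec["perms"]), tgt,
        rec["fields"].get("tclass", "?"), obj)


def parse_log(lines):
    """Parse every AVC line in an iterable of log lines, skipping the rest."""
    return [r for r in (parse_avc(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_AVC_LINES):
        print(describe(rec))
```

Run against the two sample lines it prints `user_su_t denied { add_name } on staff_home_dir_t (dir, .xauthdgXnvH)` and `crond_t denied { transition } on sysadm_t (process, /bin/bash)`; the second summary makes it obvious that the cron job's shell is being started in the interactive sysadm_t domain rather than a domain crond_t is allowed to transition to, which is the question Tom's post goes on to ask.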
Re: New user
by Bob Gustafson
Some added information
[root@hoho2 user1]# ls -lZ /etc/security/selinux/src/policy/policy.conf
-rw-r--r--+ root root system_u:object_r:policy_src_t /etc/security/selinux/src/policy/policy.conf
[root@hoho2 user1]# cat /proc/version
Linux version 2.6.6-1.377smp (bhcompile(a)tweety.build.redhat.com) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Sat May 22 15:16:37 EDT 2004
[root@hoho2 user1]# which seuser
/usr/bin/seuser
[root@hoho2 user1]# ls -lZ /usr/bin/seuser
-rwxr-xr-x+ root root system_u:object_r:bin_t /usr/bin/seuser
[root@hoho2 user1]#
------- previously sent a minute or so ago --
You are further along ..
I get
[root@hoho2 user1]# date
Mon May 24 13:16:52 CDT 2004
[root@hoho2 user1]# seuser show users
Could not open policy.conf file
[root@hoho2 user1]#
I have FC2 installed clean with all updates (incl. development) to this
moment (except for ppp, which is having a problem independent of selinux).
Booting with kernel boot parameter 'selinux=1 enforcing=0' (not enforce=0..)
The boot was done just after a run of '/sbin/fixfiles relabel' at init level 1.
BobG
On Mon, 24 May 2004 16:13:48 +0100, Anthony Pitt wrote:
>Hi there,
> I hope you can help. I've just installed 'Fedora Core2', with Selinux
>enabled.
>Using 'seuser' I created a new 'defined' selinux user, with user_r role
>only. I also created the user's /home/* directory under the same process.
>I'm using the 'gnome' window manager interface.
>Now when I try to log on with this new user, I get all sorts of errors to
>do with the users environment, eventually allowing me a blank interface,
>with 'right-click' functionality only.
>Any ideas?
>Tony.
>
>----------------------------------------------------------------------
>A D Pitt Ph:+44(0)1684 895757
>Rm B006 Woodward Building Fax:+44(0)1684 896660
>QinetiQ email:t.pitt@eris.qinetiq.com
>Malvern Technology Centre,
>St Andrews Road
>Malvern
>Worcs.
>WR14 3PS
>
>URL:http://www.qinetiq.com/home_enterprise_security.html
Re: firstbook new user creation?
by Tom London
yeah. firstboot appears to not be labeling home directory and files
correctly.
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123856)
Workaround:
boot single user
run 'fixfiles relabel'
boot up multiuser
You should then be able to login as usual.
------------------------------------------------------------------------
From: billy ball <bball tux org>
To: fedora-selinux-list redhat com
Subject: firstbook new user creation?
Date: Mon, 24 May 2004 15:26:33 -0400 (EDT)
------------------------------------------------------------------------
hi! cool distro! installed FC2 onto a dual-CPU P4 MPC box w/1GB RAM, 80GB
SATA drive, DVD/CDRW drive...
installed w/no problems (using selinux, enforced selection during
install)... however, creating a new user using firstboot dialog doesn't
work... my workaround was root login via Ctrl+Alt+F2, then role
selection...
known problem?
New user
by Anthony Pitt
Hi there,
I hope you can help. I've just installed 'Fedora Core2', with Selinux
enabled.
Using 'seuser' I created a new 'defined' selinux user, with user_r role
only. I also created the user's /home/* directory under the same process.
I'm using the 'gnome' window manager interface.
Now when I try to log on with this new user, I get all sorts of errors to
do with the users environment, eventually allowing me a blank interface,
with 'right-click' functionality only.
Any ideas?
Tony.
----------------------------------------------------------------------
A D Pitt Ph:+44(0)1684 895757
Rm B006 Woodward Building Fax:+44(0)1684 896660
QinetiQ email:t.pitt@eris.qinetiq.com
Malvern Technology Centre,
St Andrews Road
Malvern
Worcs.
WR14 3PS
URL:http://www.qinetiq.com/home_enterprise_security.html
firstbook new user creation?
by billy ball
hi! cool distro! installed FC2 onto a dual-CPU P4 MPC box w/1GB RAM, 80GB
SATA drive, DVD/CDRW drive...
installed w/no problems (using selinux, enforced selection during
install)... however, creating a new user using firstboot dialog doesn't
work... my workaround was root login via Ctrl+Alt+F2, then role
selection...
known problem?
FC2 install with 'selinux' fails....
by t l
I tried to install my shiny new FC2 CDs (verified!) 'on top of' an existing
FC2T3/selinux=enabled system. I entered 'selinux' at the install/boot prompt.
I tried both 'updating existing system' and a clean install on top of the
existing partitions. After selecting packages and writing the install image
to disk, both attempts produce an anaconda abort message saying
OSError: [Errno 17] File exists: '/mnt/sysimage/selinux'
I bugzilla'ed this against anaconda as the abort message requested
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123687), but
I'm guessing that I missed something quite basic. Do I need to
completely wipe the drive clean to proceed?
Suggestions warmly welcomed.
tom
Fedora Project Mailing Lists reminder
by Elliot Lee
This is a reminder of the mailing lists for the Fedora Project, and
the purpose of each list. You can view this information at
http://fedora.redhat.com/participate/communicate/
When you're using these mailing lists, please take the time to choose
the one that is most appropriate to your post. If you don't know the
right mailing list to use for a question or discussion, please contact
me. This will help you get the best possible answer for your question,
and keep other list subscribers happy!
Mailing Lists
Mailing lists are email addresses which send email to all users
subscribed to the mailing list. Sending an email to a mailing list
reaches all users interested in discussing a specific topic and users
available to help other users with the topic.
The following mailing lists are available. To subscribe, send email to <listname>-request(a)redhat.com
(replace <listname> with the desired mailing list name such as
fedora-list) with the word subscribe in the subject.
fedora-announce-list - Announcements of changes and events. To stay
aware of news, subscribe to this list.
fedora-list - For users of releases. If you want help with a problem
installing or using , this is the list for you.
fedora-test-list - For testers of test releases. If you would like to
discuss experiences using TEST releases, this is the list for you.
fedora-devel-list - For developers, developers, developers. If you are
interested in helping create releases, this is the list for you.
fedora-docs-list - For participants of the docs project
fedora-desktop-list - For discussions about desktop issues such as user
interfaces, artwork, and usability
fedora-config-list - For discussions about the development of
configuration tools
fedora-legacy-announce - For announcements about the Fedora Legacy
Project
fedora-legacy-list - For discussions about the Fedora Legacy Project
fedora-selinux-list - For discussions about the Fedora SELinux Project
fedora-de-list - For discussions about Fedora in the German language
fedora-ja-list - For discussions about Fedora in the Japanese language
fedora-i18n-list - For discussions about the internationalization of
Fedora Core
fedora-trans-list - For discussions about translating the software and
documentation associated with the Fedora Project
German: fedora-trans-de
French: fedora-trans-fr
Spanish: fedora-trans-es
Italian: fedora-trans-it
Brazilian Portuguese: fedora-trans-pt_br
Japanese: fedora-trans-ja
Korean: fedora-trans-ko
Simplified Chinese: fedora-trans-zh_cn
Traditional Chinese: fedora-trans-zh_tw
mailman, cron, /bin/sh (more on Re: restorecon vs. setfiles???)
by Tom London
I did a FC2 install 'everything' and that seems to have turned on mailman
cron entries. Unfortunately, the one that runs /var/mailman/cron/gate_news
(every 5 minutes!) fails and sends email to email with the report:
Subject: Cron <mailman@dell> /usr/bin/python -S
/var/mailman/cron/gate_news
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/mailman>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=mailman>
execl: couldn't exec `/bin/sh'
execl: Permission denied
The equivalent avc message is:
May 21 12:00:00 dell kernel: audit(1085166000.890:0): avc: denied
{ transition } for pid=7796 exe=/usr/sbin/crond path=/bin/bash
dev=hdb3 ino=376840 scontext=system_u:system_r:crond_t
tcontext=user_u:sysadm_r:sysadm_t tclass=process
The appropriate entry in crond.te (I think) is:
can_exec(crond_t, shell_exec_t)
The labels for /bin/bash and /bin/sh are as follows (from a clean FC2
install):
-rwxr-xr-x+ root root system_u:object_r:shell_exec_t bash
lrwxrwxrwx+ root root system_u:object_r:bin_t        sh -> bash
Is the label for /bin/sh causing this to fail?
tom
------------------------------------------------------------------------
From: Daniel J Walsh <dwalsh redhat com>
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
Subject: Re: restorecon vs. setfiles
Date: Wed, 19 May 2004 15:17:50 -0400
------------------------------------------------------------------------
Stephen Smalley wrote:
> On Tue, 2004-05-18 at 23:07, Daniel J Walsh wrote:
>> Looks like a bug in matchpathcon (which is used by restorecon).
>> It is returning the wrong security context. I will send this to
>> Stephen. Basically looks like it is ignoring file type.
>
> matchpathcon takes a pathname and optional file mode as input parameters
> for matching against the file contexts configuration. It doesn't
> attempt to stat the file itself to obtain the mode because it is
> sometimes used by programs that are creating new files (e.g. udev) and
> want to know the context for the file they are about to create, so it
> requires the caller to provide the mode. restorecon currently passes 0
> as the mode, so no mode matching is performed.
>
> So this is a bug in restorecon; it needs to be changed to stat the file
> and provide the mode.

policycoreutils-1.12-2 has two fixes for restorecon, it handles the
symbolic link problem and ignores <<none>>.
Dan