Re: FC2 SELinux Installation issue (Newbie)
by Tom London
I believe you can boot in permissive mode (without editing the config
file) by entering enforcing=0 as a boot parameter. So, this may be simpler....
1. Boot with 'enforcing=0 single' to get to single-user mode/permissive.
2. 'fixfiles relabel' (or 'make relabel' if needed)
3. Reboot
tom
> From: Valdis Kletnieks vt edu
>
>Probably a botched relabel.
>
>1) Boot with 'selinux=0' to disable it entirely.
>2) Edit the selinux file and set to 'selinux=permissive'.
>3) Reboot.
>4) make relabel, then set 'selinux=enforcing' and reboot again.
>
>
19 years, 10 months
/u?dev/microcode ?
by Tom London
A previous posting indicated that /u?dev/microcode should be labeled as
system_u:object_r:cpu_device_t.
Is this still needed? Added to file_contexts/types.fc?
tom
19 years, 10 months
lack of AVC denied messages
by Richard Hally
After recent updates Mozilla web browser will not start while in
enforcing mode. The troubling thing is that it does not produce any avc
denied messages. Further, after switching to permissive mode, starting
Mozilla web browser, exiting, generating allow rules from the avc denied
messages, incorporating them into the policy, doing a 'make reload' and
trying Mozilla again in enforcing mode it still will not start and
does not produce any avc denied messages.
Considering that the recommended method for generating policy is to
"debug it into existence" i.e. run things and look at the avc denied
messages, this lack of avc denied messages indicates there is something
fundamentally wrong here and indicates a mode of failure we may not have
considered before.
Or is it just a bug?
Thanks for any help,
Richard Hally
kernel 2.6.7.-1.448
selinux-policy-strict-sources-1.13.8-1
sysklogd-1.4.1-20
19 years, 10 months
typo in new fixfiles
by Tom London
New fixfiles has lines like:
if [ $1 != "" ]; then
These produce shell errors. I think they could be:
if [ x$1 != "x" ]; then
or some such.....
tom
19 years, 10 months
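The shell error described in the post above, reproduced as an added example (not part of the original post and not code from fixfiles). It goes slightly beyond the post by also testing an argument that contains a space and by adding a fully quoted form for comparison; the function names and sample arguments are made up for this illustration.

```shell
#!/bin/sh
# Each test_* function returns the exit status of the `[` command itself:
#   0  -> argument treated as non-empty
#   1  -> argument treated as empty
#   >1 -> `[` could not parse its arguments (the "shell error" in the post)

# Form reported in the new fixfiles: $1 is unquoted, so an empty value
# disappears and the test becomes `[ != "" ]`.
test_unquoted() {
    [ $1 != "" ] 2>/dev/null
}

# Form suggested in the post: the x prefix keeps the left operand from
# vanishing, but $1 is still subject to word splitting.
test_x_prefix() {
    [ x$1 != "x" ] 2>/dev/null
}

# Fully quoted form (added for comparison, not from the post).
test_quoted() {
    [ "$1" != "" ]
}

# Run a test function and print its exit status. The && / || list keeps a
# non-zero status from aborting a caller that runs under `set -e`.
status_of() {
    "$@" && rc=0 || rc=$?
    echo "$rc"
}

# Constructed sample arguments: empty, a plain word, a value with a space.
for arg in "" "relabel" "two words"; do
    printf "%-12s unquoted=%s x-prefix=%s quoted=%s\n" "[$arg]" \
        "$(status_of test_unquoted "$arg")" \
        "$(status_of test_x_prefix "$arg")" \
        "$(status_of test_quoted "$arg")"
done
```

A status above 1 in the output means the test never evaluated the argument at all, so the `if` silently takes its else branch after printing an error.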
mozilla not starting in enforcing mode
by Richard Hally
After the most recent update to the strict policy
(selinux-policy-strict-1.13.7-1), Mozilla web browser will not start in
enforcing mode. It does *not* produce *any* avc denied messages in
enforcing mode. Below are the avc denied messages that are produced when
it does start in permissive mode:
Jun 20 20:31:30 new2 kernel: audit(1087777890.697:0): avc: denied {
write } for pid=3471 exe=/usr/lib/mozilla-1.6/mozilla-xremote-client
name=X0 dev=hda2 ino=1840568 scontext=richard:staff_r:staff_mozilla_t
tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file
Jun 20 20:31:34 new2 kernel: audit(1087777894.263:0): avc: denied {
unlink } for pid=3457 exe=/usr/lib/mozilla-1.6/mozilla-bin
name=.fonts.cache-1 dev=hda2 ino=1091707
scontext=richard:staff_r:staff_mozilla_t
tcontext=richard:object_r:staff_home_t tclass=file
Here is part of the output from fixfiles relabel prior to testing this
problem:
/usr/sbin/setfiles: read 1499 specifications
/usr/sbin/setfiles: labeling files under /
/usr/sbin/setfiles: relabeling /home/richard/.fonts.cache-1 from
richard:object_r:staff_mozilla_rw_t to richard:object_r:staff_home_t
/usr/sbin/setfiles: relabeling /.autofsck from system_u:object_r:root_t
to system_u:object_r:default_t
/usr/sbin/setfiles: hash table stats: 374956 elements, 62564/65536
buckets used, longest chain length 15
HTH
Richard Hally
19 years, 10 months
policy problem with netlink sockets
by Richard Hally
Attached in the 'spew' file is the last 200 lines from doing a make
reload of the latest strict policy
(selinux-policy-strict-sources-1.13.7-1). Below are some of the avc
denied messages generated immediately after the newly made policy was
loaded. Does this need to be put into bugzilla?
Richard Hally
Jun 22 23:37:38 new2 kernel: audit(1087961858.402:0): avc: granted {
load_policy } for pid=13433 exe=/usr/sbin/load_policy
scontext=root:sysadm_r:load_policy_t
tcontext=system_u:object_r:security_t tclass=security
Jun 22 23:37:38 new2 kernel: security: 6 users, 7 roles, 1254 types, 1
bools
Jun 22 23:37:38 new2 kernel: security: 51 classes, 340144 rules
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied {
create } for pid=3051 exe=/usr/bin/gnome-session
scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t
tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied {
bind } for pid=3051 exe=/usr/bin/gnome-session
scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t
tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied {
getattr }
for pid=3051 exe=/usr/bin/gnome-session
scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t
tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied {
write } for pid=3051 exe=/usr/bin/gnome-session
scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t
tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied {
nlmsg_read } for pid=3051 exe=/usr/bin/gnome-session
scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t
tclass=netlink_route_socket
Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied {
read } for pid=3051 exe=/usr/bin/gnome-session
scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t
tclass=netlink_route_socket
:
domains/program/firstboot.te:124:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 107984:
#line 124
allow firstboot_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux
domains/program/hotplug.te:147:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 114418:
#line 147
allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s
domains/program/hotplug.te:147:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 114418:
#line 147
allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s
domains/program/hotplug.te:147:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 114418:
#line 147
allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s
domains/program/hotplug.te:147:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 114418:
#line 147
allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s
domains/program/hotplug.te:147:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 114418:
#line 147
allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s
domains/program/hotplug.te:147:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 114418:
#line 147
allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s
domains/program/hotplug.te:147:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 114418:
#line 147
allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s
domains/program/hotplug.te:147:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 114418:
#line 147
allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s
domains/program/hotplug.te:147:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 114418:
#line 147
allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s
domains/program/ifconfig.te:27:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 116234:
# for /sbin/ip
allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
domains/program/inetd.te:127:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 118626:
#line 127
allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc
domains/program/inetd.te:127:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 118626:
#line 127
allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc
domains/program/inetd.te:127:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 118626:
#line 127
allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc
domains/program/inetd.te:127:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 118626:
#line 127
allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc
domains/program/inetd.te:127:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 118626:
#line 127
allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc
domains/program/inetd.te:127:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 118626:
#line 127
allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc
domains/program/inetd.te:127:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 118626:
#line 127
allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc
domains/program/inetd.te:127:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 118626:
#line 127
allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc
domains/program/inetd.te:127:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 118626:
#line 127
allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc
domains/program/initrc.te:312:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 120997:
allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 312
domains/program/initrc.te:312:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 120997:
allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 312
domains/program/initrc.te:312:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 120997:
allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 312
domains/program/initrc.te:312:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 120997:
allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 312
domains/program/initrc.te:312:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 120997:
allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 312
domains/program/initrc.te:312:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 120997:
allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 312
domains/program/initrc.te:312:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 120997:
allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 312
domains/program/initrc.te:312:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 120997:
allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 312
domains/program/initrc.te:312:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 120997:
allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 312
domains/program/modutil.te:79:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 136851:
allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 79
domains/program/modutil.te:79:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 136851:
allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 79
domains/program/modutil.te:79:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 136851:
allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 79
domains/program/modutil.te:79:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 136851:
allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 79
domains/program/modutil.te:79:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 136851:
allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 79
domains/program/modutil.te:79:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 136851:
allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 79
domains/program/modutil.te:79:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 136851:
allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 79
domains/program/modutil.te:79:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 136851:
allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 79
domains/program/modutil.te:79:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 136851:
allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so
#line 79
domains/program/named.te:136:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 143917:
allow ndc_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
domains/program/netutils.te:34:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 145163:
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
# Create and use netlink sockets.
domains/program/rpm.te:239:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 175440:
#line 239
allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke
domains/program/rpm.te:239:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 175440:
#line 239
allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke
domains/program/rpm.te:239:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 175440:
#line 239
allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke
domains/program/rpm.te:239:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 175440:
#line 239
allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke
domains/program/rpm.te:239:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 175440:
#line 239
allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke
domains/program/rpm.te:239:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 175440:
#line 239
allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke
domains/program/rpm.te:239:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 175440:
#line 239
allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke
domains/program/rpm.te:239:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 175440:
#line 239
allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke
domains/program/rpm.te:239:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 175440:
#line 239
allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke
domains/program/rpm.te:239:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 175576:
#line 239
allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
domains/program/rpm.te:239:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 175576:
#line 239
allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
domains/program/rpm.te:239:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 175576:
#line 239
allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
domains/program/rpm.te:239:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 175576:
#line 239
allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
domains/program/rpm.te:239:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 175576:
#line 239
allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
domains/program/rpm.te:239:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 175576:
#line 239
allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
domains/program/rpm.te:239:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 175576:
#line 239
allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
domains/program/rpm.te:239:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 175576:
#line 239
allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
domains/program/rpm.te:239:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 175576:
#line 239
allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
domains/program/snort.te:18:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 183684:
# use iptable netlink
allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
domains/program/snort.te:19:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 183685:
allow snort_t self:netlink_firewall_socket { bind create getattr nlmsg_read read write };
allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
domains/program/traceroute.te:33:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 194591:
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow traceroute_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
domains/program/unconfined.te:15:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 197331:
allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
#line 15
domains/program/unconfined.te:15:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 197331:
allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
#line 15
domains/program/unconfined.te:15:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 197331:
allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
#line 15
domains/program/unconfined.te:15:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 197331:
allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
#line 15
domains/program/unconfined.te:15:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 197331:
allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
#line 15
domains/program/unconfined.te:15:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 197331:
allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
#line 15
domains/program/unconfined.te:15:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 197331:
allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
#line 15
domains/program/unconfined.te:15:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 197331:
allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
#line 15
domains/program/unconfined.te:15:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 197331:
allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu
#line 15
domains/program/vmware.te:91:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 202339:
allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow kernel_t self:capability { net_admin };
security: 6 users, 7 roles, 1254 types, 1 bools
security: 51 classes, 309579 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 17) to /etc/selinux/strict/policy/policy.17
Building file_contexts ...
install -m 644 file_contexts/file_contexts /etc/selinux/strict/contexts/files/file_contexts
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat /selinux/policyvers`
touch tmp/load
[root@new2 policy]#
19 years, 10 months
Re: FC2 Startup Errors
by Ed Warner
Message: 10
Date: Tue, 22 Jun 2004 09:07:12 -0400
From: Stephen Smalley <sds(a)epoch.ncsc.mil>
Subject: Re: FC2 Startup Errors
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list(a)redhat.com>
Message-ID: <1087909632.6237.26.camel(a)moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain
On Tue, 2004-06-22 at 08:54, edwarner99(a)yahoo.com wrote:
> I am getting these errors when I reboot FC2.
> I don't know what they mean. I have more, but this is
> the gist of the errors.
>
> I can log in as a user, but I have root privileges.
>
> audit(1087859536.934:0): avc: denied { getattr } for
> pid=1 exe=/sbin/init path=/dev/initctl dev=hda2
> ino=73143 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=fifo_file
<snip>
<snip> Do you want SELinux to be enabled? If so,
then run fixfiles relabel to label your filesystems.
If not, then edit /etc/sysconfig/selinux accordingly
to disable it.
I don't have a /etc/sysconfig/selinux, but I do have a
/etc/security/selinux
What do I have to do to disable?
I placed selinux=0 in grub.conf on the kernel line.
That seemed to kill everything.
Was this the right way?
19 years, 10 months
Strange AVC from privoxy write
by Tom London
Running the latest packages from the development tree.
I configured mozilla to connect to privoxy (through the usual port
8118). All works OK until I try to 'add a URL pattern' to one of
privoxy's config files through the browser.
I get the following AVC (notice the blank space/empty fields):
Jun 21 14:20:30 dell
kernel:
audit(1087852830.344:0): avc: denied { write } for pid=13411
exe=/usr/sbin/privoxy
and a privoxy err page reporting the write error.
Retrying after 'setenforce 0' produces the same AVC (but the 'write'
succeeds).
Haven't seen an AVC like this before..... is this the expected behavior?
tom
19 years, 10 months
Re: FC2 Startup Errors
by Ed Warner
> Message: 10
> Date: Tue, 22 Jun 2004 09:07:12 -0400
> From: Stephen Smalley <sds(a)epoch.ncsc.mil>
> Subject: Re: FC2 Startup Errors
> To: "Fedora SELinux support list for users & developers." <fedora-selinux-list(a)redhat.com>
> Message-ID: <1087909632.6237.26.camel(a)moss-spartans.epoch.ncsc.mil>
> Content-Type: text/plain
>
> On Tue, 2004-06-22 at 08:54, edwarner99(a)yahoo.com wrote:
> > I am getting these errors when I reboot FC2.
> > I don't know what they mean. I have more, but this is
> > the gist of the errors.
> >
> > I can log in as a user, but I have root privileges.
> >
> > audit(1087859536.934:0): avc: denied { getattr } for
> > pid=1 exe=/sbin/init path=/dev/initctl dev=hda2
> > ino=73143 scontext=system_u:system_r:kernel_t
> > tcontext=system_u:object_r:file_t tclass=fifo_file
> <snip>
>
> The audit message indicates that you are running with SELinux enabled,
> but have not labeled your filesystem. I'm not sure what you mean by
> your statement about root privileges. Do you want SELinux to be
> enabled? If so, then run fixfiles relabel to label your filesystems.
> If not, then edit /etc/sysconfig/selinux accordingly to disable it.
>
> --
> Stephen Smalley <sds(a)epoch.ncsc.mil>
> National Security Agency
After I rebooted, I can run as a user with root
privileges. In the logs, it states there is an unknown
user -u.
I'm a little confused about selinux to begin with. I
have read the documents. I run a small lan, so do you
suggest I turn off selinux?
Thanks,
19 years, 10 months
FC2 Startup Errors
by Ed Warner
I am getting these errors when I reboot FC2.
I don't know what they mean. I have more, but this is
the gist of the errors.
I can log in as a user, but I have root privileges.
audit(1087859536.934:0): avc: denied { getattr } for
pid=1 exe=/sbin/init path=/dev/initctl dev=hda2
ino=73143 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=fifo_file
audit(1087859536.934:0): avc: denied { read write }
for pid=1 exe=/sbin/init name=initctl dev=hda2
ino=73143 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=fifo_file
audit(1087859538.846:0): avc: denied { getattr } for
pid=278 exe=/sbin/initlog path=/dev/log dev=hda2
ino=65553 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=sock_file
audit(1087859538.846:0): avc: denied { write } for
pid=278 exe=/sbin/initlog name=log dev=hda2 ino=65553
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:file_t tclass=sock_file
audit(1087859538.925:0): avc: denied {
syslog_console } for pid=446 exe=/bin/dmesg
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:kernel_t tclass=system
audit(1087859539.090:0): avc: denied { search } for
pid=450 exe=/sbin/sysctl name=net dev= ino=-268435354
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_net_t tclass=dir
audit(1087859539.090:0): avc: denied { write } for
pid=450 exe=/sbin/sysctl name=ip_forward dev=
ino=-268435331 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_net_t tclass=file
audit(1087859539.090:0): avc: denied { getattr } for
pid=450 exe=/sbin/sysctl
path=/proc/sys/net/ipv4/ip_forward dev= ino=-268435331
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_net_t tclass=file
audit(1087859539.092:0): avc: denied { search } for
pid=450 exe=/sbin/sysctl name=unix dev= ino=-268435042
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_net_unix_t
tclass=dir
audit(1087859539.093:0): avc: denied { write } for
pid=450 exe=/sbin/sysctl name=max_dgram_qlen dev=
ino=-268435041 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_net_unix_t
tclass=file
audit(1087859539.093:0): avc: denied { getattr } for
pid=450 exe=/sbin/sysctl
path=/proc/sys/net/unix/max_dgram_qlen dev=
ino=-268435041 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_net_unix_t
tclass=file
audit(1087859539.093:0): avc: denied { search } for
pid=450 exe=/sbin/sysctl name=vm dev= ino=-268435370
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_vm_t tclass=dir
audit(1087859539.093:0): avc: denied { write } for
pid=450 exe=/sbin/sysctl name=overcommit_memory dev=
ino=-268435369 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
audit(1087859539.093:0): avc: denied { getattr } for
pid=450 exe=/sbin/sysctl
path=/proc/sys/vm/overcommit_memory dev=
ino=-268435369 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_vm_t tclass=file
audit(1087859539.093:0): avc: denied { search } for
pid=450 exe=/sbin/sysctl name=dev dev= ino=-268435240
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_dev_t tclass=dir
audit(1087859539.094:0): avc: denied { write } for
pid=450 exe=/sbin/sysctl name=speed_limit_min dev=
ino=-268435120 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_dev_t tclass=file
audit(1087859539.094:0): avc: denied { getattr } for
pid=450 exe=/sbin/sysctl
path=/proc/sys/dev/raid/speed_limit_min dev=
ino=-268435120 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:sysctl_dev_t tclass=file
19 years, 10 months
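Stephen Smalley's diagnosis in the "FC2 Startup Errors" thread (denials against objects typed file_t mean the filesystem was never labeled) can be checked mechanically over a log. The following is an added example, not code from any poster or from the SELinux project; the function names are this example's own, and the sample records are copied from the posts on this page with the mail client's line wraps rejoined, including the privoxy record that carries no target context.

```python
import re
from collections import Counter

# Records copied from the posts on this page, one per line (wraps rejoined).
SAMPLE_LOG = """\
audit(1087859536.934:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=hda2 ino=73143 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
audit(1087859538.846:0): avc: denied { write } for pid=278 exe=/sbin/initlog name=log dev=hda2 ino=65553 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=sock_file
audit(1087859538.925:0): avc: denied { syslog_console } for pid=446 exe=/bin/dmesg scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system
audit(1087859539.090:0): avc: denied { search } for pid=450 exe=/sbin/sysctl name=net dev= ino=-268435354 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=dir
audit(1087852830.344:0): avc: denied { write } for pid=13411 exe=/usr/sbin/privoxy
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:                      # keep empty values such as "dev="
            rec[key] = value
    return rec

def context_type(context):
    """Third field of user:role:type; None when the context is absent."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(log_text):
    """Count denials per target type and list the objects still typed file_t."""
    by_type, unlabeled, incomplete = Counter(), [], 0
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        ttype = context_type(rec.get("tcontext"))
        if ttype is None:
            incomplete += 1          # record has no tcontext to classify
            continue
        by_type[ttype] += 1
        if ttype == "file_t":
            unlabeled.append(rec.get("path") or rec.get("name"))
    return {"by_type": by_type, "unlabeled": unlabeled,
            "incomplete": incomplete, "needs_relabel": bool(unlabeled)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On this input the on-disk objects (/dev/initctl, /dev/log) come back as file_t while the /proc/sys entry already carries sysctl_net_t, which is the pattern that points at a missing relabel rather than a policy gap.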