June 2004 - selinux - Fedora Mailing-Lists

Re: FC2 SELinux Installation issue (Newbie)

by Tom London

I believe you can boot in permissive mode (without editing the config file) by entering enforcing=0 as a boot parameter. So, this may be simpler.... 1. Boot with 'enforcing=0 single' to get to single-user mode/permissive. 2. 'fixfiles relabel' (or 'make relabel' if needed) 3. Reboot tom > ------------------------------------------------------------------------ > > * /From/: Valdis Kletnieks vt edu > > ------------------------------------------------------------------------ > >Probably a botched relabel. > >1) Boot with 'selinux=0' to disable it entirely. >2) Edit the selinux file and set to 'selinux=permissive'. >3) Reboot. >4) make relabel, then set 'selinux=enforcing' and reboot again. > >

19 years, 10 months

1
0
0 / 0

/u?dev/microcode ?

by Tom London

A previous posting indicated that /u?dev/microcode should be labeled as system_u:object_r:cpu_device_t. Is this still needed? Added to file_contexts/types.fc? tom

19 years, 10 months

3
3
0 / 0

lack of AVC denied messages

by Richard Hally

After recent updates Mozilla web browser will not start while in enforcing mode. The troubling thing is that it does not produce any avc denied messages. Further, after switching to permissive mode, starting Mozilla web browser, exiting, generating allow rules from the avc denied messages, incorporating them into the policy, doing a 'make reload' and trying Mozilla again in enforcing mode it still will not start and does not produce and avc denied messages. Considering that the recommended method for generating policy is to "debug it into existence" i.e. run things and look at the avc denied messages, this lack of avc denied message indicates there is something fundamentally wrong here and indicates a mode of failure we may not have considered before. Or is it just a bug? Thanks for any help, Richard Hally kernel 2.6.7.-1.448 selinux-policy-strict-sources-1.13.8-1 sysklogd-1.4.1-20

19 years, 10 months

3
2
0 / 0

typo in new fixifiles

by Tom London

New fixfiles has lines like: if [ $1 != "" ]; then These produce shell errors. I think they could be: if [ x$1 != "x" ]; then or some such..... tom

19 years, 10 months

2
1
0 / 0

mozilla not starting in enforcing mode

by Richard Hally

After the most recent update to the strict policy (selinux-policy-strict-1.13.7-1), Mozilla web browser will not start in enforcing mode. It does *not* produce *any* avc denied messages in enforcing mode. Below are the avc denied messages that are produced when it does start in permissive mode: Jun 20 20:31:30 new2 kernel: audit(1087777890.697:0): avc: denied { write } for pid=3471 exe=/usr/lib/mozilla-1.6/mozilla-xremote-client name=X0 dev=hda2 ino=1840568 scontext=richard:staff_r:staff_mozilla_t tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file Jun 20 20:31:34 new2 kernel: audit(1087777894.263:0): avc: denied { unlink } for pid=3457 exe=/usr/lib/mozilla-1.6/mozilla-bin name=.fonts.cache-1 dev=hda2 ino=1091707 scontext=richard:staff_r:staff_mozilla_t tcontext=richard:object_r:staff_home_t tclass=file Here is part of the output from fixfiles relabel prior to testing this problem : /usr/sbin/setfiles: read 1499 specifications /usr/sbin/setfiles: labeling files under / /usr/sbin/setfiles: relabeling /home/richard/.fonts.cache-1 from richard:object_r:staff_mozilla_rw_t to richard:object_r:staff_home_t /usr/sbin/setfiles: relabeling /.autofsck from system_u:object_r:root_t to system_u:object_r:default_t /usr/sbin/setfiles: hash table stats: 374956 elements, 62564/65536 buckets used, longest chain length 15 HTH Richard Hally

19 years, 10 months

5
6
0 / 0

policy problem with netlink sockets

by Richard Hally

Attached in the 'spew' file is the last 200 lines from doing a make reload of the latest strict policy (selinux-policy-strict-sources-1.13.7-1). Below are some of the avc denied messages generated immediately after the newly made policy was loaded. Does this need to be put into bugzilla? Richard Hally Jun 22 23:37:38 new2 kernel: audit(1087961858.402:0): avc: granted { load_policy } for pid=13433 exe=/usr/sbin/load_policy scontext=root:sysadm_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security Jun 22 23:37:38 new2 kernel: security: 6 users, 7 roles, 1254 types, 1 bools Jun 22 23:37:38 new2 kernel: security: 51 classes, 340144 rules Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { create } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { bind } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { getattr } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { write } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { nlmsg_read } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket Jun 22 23:41:25 new2 kernel: audit(1087962085.540:0): avc: denied { read } for pid=3051 exe=/usr/bin/gnome-session scontext=richard:staff_r:staff_t tcontext=richard:staff_r:staff_t tclass=netlink_route_socket : domains/program/firstboot.te:124:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 107984: #line 124 allow firstboot_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux domains/program/hotplug.te:147:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 114418: #line 147 allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s domains/program/hotplug.te:147:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 114418: #line 147 allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s domains/program/hotplug.te:147:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 114418: #line 147 allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s domains/program/hotplug.te:147:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 114418: #line 147 allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s domains/program/hotplug.te:147:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 114418: #line 147 allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s domains/program/hotplug.te:147:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 114418: #line 147 allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s domains/program/hotplug.te:147:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 114418: #line 147 allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s domains/program/hotplug.te:147:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 114418: #line 147 allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s domains/program/hotplug.te:147:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 114418: #line 147 allow hotplug_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_s domains/program/ifconfig.te:27:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 116234: # for /sbin/ip allow ifconfig_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; domains/program/inetd.te:127:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 118626: #line 127 allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc domains/program/inetd.te:127:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 118626: #line 127 allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc domains/program/inetd.te:127:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 118626: #line 127 allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc domains/program/inetd.te:127:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 118626: #line 127 allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc domains/program/inetd.te:127:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 118626: #line 127 allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc domains/program/inetd.te:127:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 118626: #line 127 allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc domains/program/inetd.te:127:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 118626: #line 127 allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc domains/program/inetd.te:127:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 118626: #line 127 allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc domains/program/inetd.te:127:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 118626: #line 127 allow inetd_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_soc domains/program/initrc.te:312:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 120997: allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 312 domains/program/initrc.te:312:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 120997: allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 312 domains/program/initrc.te:312:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 120997: allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 312 domains/program/initrc.te:312:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 120997: allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 312 domains/program/initrc.te:312:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 120997: allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 312 domains/program/initrc.te:312:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 120997: allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 312 domains/program/initrc.te:312:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 120997: allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 312 domains/program/initrc.te:312:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 120997: allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 312 domains/program/initrc.te:312:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 120997: allow initrc_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 312 domains/program/modutil.te:79:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 136851: allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 79 domains/program/modutil.te:79:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 136851: allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 79 domains/program/modutil.te:79:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 136851: allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 79 domains/program/modutil.te:79:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 136851: allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 79 domains/program/modutil.te:79:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 136851: allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 79 domains/program/modutil.te:79:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 136851: allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 79 domains/program/modutil.te:79:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 136851: allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 79 domains/program/modutil.te:79:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 136851: allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 79 domains/program/modutil.te:79:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 136851: allow insmod_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_so #line 79 domains/program/named.te:136:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 143917: allow ndc_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; domains/program/netutils.te:34:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 145163: allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; # Create and use netlink sockets. domains/program/rpm.te:239:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 175440: #line 239 allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke domains/program/rpm.te:239:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 175440: #line 239 allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke domains/program/rpm.te:239:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 175440: #line 239 allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke domains/program/rpm.te:239:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 175440: #line 239 allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke domains/program/rpm.te:239:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 175440: #line 239 allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke domains/program/rpm.te:239:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 175440: #line 239 allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke domains/program/rpm.te:239:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 175440: #line 239 allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke domains/program/rpm.te:239:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 175440: #line 239 allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke domains/program/rpm.te:239:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 175440: #line 239 allow rpm_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socke domains/program/rpm.te:239:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 175576: #line 239 allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu domains/program/rpm.te:239:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 175576: #line 239 allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu domains/program/rpm.te:239:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 175576: #line 239 allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu domains/program/rpm.te:239:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 175576: #line 239 allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu domains/program/rpm.te:239:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 175576: #line 239 allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu domains/program/rpm.te:239:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 175576: #line 239 allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu domains/program/rpm.te:239:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 175576: #line 239 allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu domains/program/rpm.te:239:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 175576: #line 239 allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu domains/program/rpm.te:239:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 175576: #line 239 allow rpm_script_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu domains/program/snort.te:18:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 183684: # use iptable netlink allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; domains/program/snort.te:19:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 183685: allow snort_t self:netlink_firewall_socket { bind create getattr nlmsg_read read write }; allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; domains/program/traceroute.te:33:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 194591: allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow traceroute_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; domains/program/unconfined.te:15:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 197331: allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu #line 15 domains/program/unconfined.te:15:WARNING 'remapping class netlink_firewall_socket to netlink_socket for policy version 17' at token ';' on line 197331: allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu #line 15 domains/program/unconfined.te:15:WARNING 'remapping class netlink_tcpdiag_socket to netlink_socket for policy version 17' at token ';' on line 197331: allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu #line 15 domains/program/unconfined.te:15:WARNING 'remapping class netlink_nflog_socket to netlink_socket for policy version 17' at token ';' on line 197331: allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu #line 15 domains/program/unconfined.te:15:WARNING 'remapping class netlink_xfrm_socket to netlink_socket for policy version 17' at token ';' on line 197331: allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu #line 15 domains/program/unconfined.te:15:WARNING 'remapping class netlink_selinux_socket to netlink_socket for policy version 17' at token ';' on line 197331: allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu #line 15 domains/program/unconfined.te:15:WARNING 'remapping class netlink_audit_socket to netlink_socket for policy version 17' at token ';' on line 197331: allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu #line 15 domains/program/unconfined.te:15:WARNING 'remapping class netlink_ip6fw_socket to netlink_socket for policy version 17' at token ';' on line 197331: allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu #line 15 domains/program/unconfined.te:15:WARNING 'remapping class netlink_dnrt_socket to netlink_socket for policy version 17' at token ';' on line 197331: allow unconfined_t domain:{ { tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinu #line 15 domains/program/vmware.te:91:WARNING 'remapping class netlink_route_socket to netlink_socket for policy version 17' at token ';' on line 202339: allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; allow kernel_t self:capability { net_admin }; security: 6 users, 7 roles, 1254 types, 1 bools security: 51 classes, 309579 rules /usr/bin/checkpolicy: policy configuration loaded /usr/bin/checkpolicy: writing binary representation (version 17) to /etc/selinux/strict/policy/policy.17 Building file_contexts ... install -m 644 file_contexts/file_contexts /etc/selinux/strict/contexts/files/file_contexts /usr/sbin/load_policy /etc/selinux/strict/policy/policy.`cat /selinux/policyvers` touch tmp/load [root@new2 policy]#

19 years, 10 months

2
1
0 / 0

Re: FC2 Startup Errors

by Ed Warner

Message: 10 Date: Tue, 22 Jun 2004 09:07:12 -0400 From: Stephen Smalley <sds(a)epoch.ncsc.mil> Subject: Re: FC2 Startup Errors To: "Fedora SELinux support list for users & developers." <fedora-selinux-list(a)redhat.com> Message-ID: <1087909632.6237.26.camel(a)moss-spartans.epoch.ncsc.mil> Content-Type: text/plain On Tue, 2004-06-22 at 08:54, edwarner99(a)yahoo.com wrote: > I am getting these errors when I reboot FC2. > I don't know what they mean. I have more, but this is > the jist of the errors. > > I can log in as a user, but I have root privileges. > > audit(1087859536.934:0): avc: denied { getattr } for > pid=1 exe=/sbin/init path=/dev/initctl dev=hda2 > ino=73143 scontext=system_u:system_r:kernel_t > tcontext=system_u:object_r:file_t tclass=fifo_file <snip> <snip> Do you want SELinux to be enabled? If so, then run fixfiles relabel to label your filesystems. If not, then edit /etc/sysconfig/selinux accordingly to disable it. I don't have a /etc/sysconfig/selinux, but I do have a /etc/security/selinux What do I have to do to disable? I placed selinux=0 in grub.conf on the kernel line. That seemed to kill everything. Was this the right way? __________________________________ Do you Yahoo!? New and Improved Yahoo! Mail - 100MB free storage! http://promotions.yahoo.com/new_mail

19 years, 10 months

1
0
0 / 0

Strange AVC from privoxy write

by Tom London

Running the latest packages from the development tree. I configured mozilla to connect to privoxy (through the usual port 8118). All works OK until I try to 'add a URL pattern' to one of privoxy's config files through the browser. I get the following AVC (notice the blank space/empty fields): Jun 21 14:20:30 dell kernel: audit(1087852830.344:0): avc: denied { write } for pid=13411 exe=/usr/sbin/privoxy and a privoxy err page reporting the write error. Retrying after 'setenforce 0' produces the same AVC (but the 'write' succeeds). Haven't seen an AVC like this before..... is this the expected behavior? tom

19 years, 10 months

3
6
0 / 0

Re: FC2 Startup Errors

by Ed Warner

> Message: 10 > Date: Tue, 22 Jun 2004 09:07:12 -0400 > From: Stephen Smalley <sds(a)epoch.ncsc.mil> > Subject: Re: FC2 Startup Errors > To: "Fedora SELinux support list for users & > developers." > <fedora-selinux-list(a)redhat.com> > Message-ID: > <1087909632.6237.26.camel(a)moss-spartans.epoch.ncsc.mil> > Content-Type: text/plain > > On Tue, 2004-06-22 at 08:54, edwarner99(a)yahoo.com > wrote: > > I am getting these errors when I reboot FC2. > > I don't know what they mean. I have more, but this > is > > the jist of the errors. > > > > I can log in as a user, but I have root > privileges. > > > > audit(1087859536.934:0): avc: denied { getattr } > for > > pid=1 exe=/sbin/init path=/dev/initctl dev=hda2 > > ino=73143 scontext=system_u:system_r:kernel_t > > tcontext=system_u:object_r:file_t tclass=fifo_file > <snip> > > The audit message indicates that you are running > with SELinux enabled, > but have not labeled your filesystem. I'm not sure > what you mean by > your statement about root privileges. Do you want > SELinux to be > enabled? If so, then run fixfiles relabel to label > your filesystems. > If not, then edit /etc/sysconfig/selinux accordingly > to disable it. > > -- > Stephen Smalley <sds(a)epoch.ncsc.mil> > National Security Agency After I rebooted, I can run as a user with root privileges. In the logs, it states there is an unknown user -u. I'm a little confused about selinux to begin with. I have read the documents. I run a small lan, so do you suggest I turn off selinux? Thanks, __________________________________ Do you Yahoo!? New and Improved Yahoo! Mail - Send 10MB messages! http://promotions.yahoo.com/new_mail

19 years, 10 months

3
2
0 / 0

FC2 Startup Errors

by Ed Warner

I am getting these errors when I reboot FC2. I don't know what they mean. I have more, but this is the jist of the errors. I can log in as a user, but I have root privileges. audit(1087859536.934:0): avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=hda2 ino=73143 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file audit(1087859536.934:0): avc: denied { read write } for pid=1 exe=/sbin/init name=initctl dev=hda2 ino=73143 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file audit(1087859538.846:0): avc: denied { getattr } for pid=278 exe=/sbin/initlog path=/dev/log dev=hda2 ino=65553 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=sock_file audit(1087859538.846:0): avc: denied { write } for pid=278 exe=/sbin/initlog name=log dev=hda2 ino=65553 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=sock_file audit(1087859538.925:0): avc: denied { syslog_console } for pid=446 exe=/bin/dmesg scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system audit(1087859539.090:0): avc: denied { search } for pid=450 exe=/sbin/sysctl name=net dev= ino=-268435354 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=dir audit(1087859539.090:0): avc: denied { write } for pid=450 exe=/sbin/sysctl name=ip_forward dev= ino=-268435331 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=file audit(1087859539.090:0): avc: denied { getattr } for pid=450 exe=/sbin/sysctl path=/proc/sys/net/ipv4/ip_forward dev= ino=-268435331 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=file audit(1087859539.092:0): avc: denied { search } for pid=450 exe=/sbin/sysctl name=unix dev= ino=-268435042 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_unix_t tclass=dir audit(1087859539.093:0): avc: denied { write } for pid=450 exe=/sbin/sysctl name=max_dgram_qlen dev= ino=-268435041 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_unix_t tclass=file audit(1087859539.093:0): avc: denied { getattr } for pid=450 exe=/sbin/sysctl path=/proc/sys/net/unix/max_dgram_qlen dev= ino=-268435041 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_unix_t tclass=file audit(1087859539.093:0): avc: denied { search } for pid=450 exe=/sbin/sysctl name=vm dev= ino=-268435370 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_vm_t tclass=dir audit(1087859539.093:0): avc: denied { write } for pid=450 exe=/sbin/sysctl name=overcommit_memory dev= ino=-268435369 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_vm_t tclass=file audit(1087859539.093:0): avc: denied { getattr } for pid=450 exe=/sbin/sysctl path=/proc/sys/vm/overcommit_memory dev= ino=-268435369 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_vm_t tclass=file audit(1087859539.093:0): avc: denied { search } for pid=450 exe=/sbin/sysctl name=dev dev= ino=-268435240 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_dev_t tclass=dir audit(1087859539.094:0): avc: denied { write } for pid=450 exe=/sbin/sysctl name=speed_limit_min dev= ino=-268435120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_dev_t tclass=file audit(1087859539.094:0): avc: denied { getattr } for pid=450 exe=/sbin/sysctl path=/proc/sys/dev/raid/speed_limit_min dev= ino=-268435120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_dev_t tclass=file __________________________________ Do you Yahoo!? New and Improved Yahoo! Mail - Send 10MB messages! http://promotions.yahoo.com/new_mail

19 years, 10 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2004