install of dev-3.8.3-1.i386 fails w/ strict/enforcing
by Tom London
Attempting to 'yum update' to dev-3.8.3-1.i386
from dev-3.8.2-1 produces:
dev 100 % done 50/101
error: unpacking of archive failed: cpio: lstat
and the update fails. No avc's in log.
Rerunning 'yum update dev' in permissive mode
succeeds.
Avc's from permissive mode run:
Jul 31 10:56:04 fedora kernel: audit(1091296564.101:0): avc: denied { getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { search } for pid=9421 exe=/usr/sbin/groupadd name=selinux dev=hda2 ino=4509743 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied { read } for pid=9421 exe=/usr/sbin/groupadd name=config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:19 fedora kernel: audit(1091296579.902:0): avc: denied { getattr } for pid=9421 exe=/usr/sbin/groupadd path=/etc/selinux/config dev=hda2 ino=4509759 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 31 10:56:20 fedora kernel: audit(1091296580.078:0): avc: denied { search } for pid=9422 exe=/usr/sbin/useradd name=run dev=hda2 ino=4456484 scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:var_run_t tclass=dir
Jul 31 10:56:29 fedora kernel: audit(1091296589.978:0): avc: denied { relabelfrom } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:29 fedora kernel: audit(1091296589.979:0): avc: denied { relabelto } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.011:0): avc: denied { setattr } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.017:0): avc: denied { search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied { write } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.083:0): avc: denied { add_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:56:30 fedora kernel: audit(1091296590.136:0): avc: denied { remove_name } for pid=9419 exe=/usr/bin/python name=card0;410bdd3f dev=hda2 ino=2689465 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:57:49 fedora kernel: audit(1091296669.135:0): avc: denied { search } for pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Jul 31 10:57:49 fedora kernel: audit(1091296669.136:0): avc: denied { getattr } for pid=9419 exe=/usr/bin/python path=/dev/dri dev=hda2 ino=2689470 scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir
Audit2allow on the above produces:
allow groupadd_t selinux_config_t:dir { search };
allow groupadd_t selinux_config_t:file { getattr read };
allow rpm_t dri_device_t:dir { add_name getattr relabelfrom relabelto remove_name search setattr write };
allow useradd_t var_run_t:dir { search };
Hope this helps,
tom
19 years, 1 month
rhgb....still no graphical boot when strict/enforcing
by Tom London
I'm still getting only text-based boots when running with strict/enforcing,
but graphical boots if I set 'enforcing=0'
Here are entries from the log from a strict/enforcing boot:
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev proc, type proc), uses genfs_contexts
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Jul 31 11:16:23 fedora kernel: audit(1091272545.625:0): avc: denied { mounton } for pid=533 exe=/usr/bin/rhgb path=/initrd dev=ram0 ino=2 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:file_t tclass=dir
Jul 31 11:16:23 fedora kernel: audit(1091272545.625:0): avc: denied { sys_admin } for pid=533 exe=/usr/bin/rhgb capability=21 scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=capability
Here are log entries from an 'enforcing=0' boot:
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev proc, type proc), uses genfs_contexts
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Jul 29 20:40:38 fedora kernel: audit(1091133597.795:0): avc: denied { mounton } for pid=533 exe=/usr/bin/rhgb path=/initrd dev=ram0 ino=2 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:file_t tclass=dir
Jul 29 20:40:38 fedora kernel: SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
Jul 29 20:40:38 fedora kernel: audit(1091133597.795:0): avc: denied { mount } for pid=533 exe=/usr/bin/rhgb name=/ dev=ramfs ino=1291 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:ramfs_t tclass=filesystem
Jul 29 20:40:38 fedora kernel: audit(1091133598.713:0): avc: denied { search } for pid=534 exe=/usr/bin/rhgb name=run dev=hda2 ino=4456484 scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:var_run_t tclass=dir
tom
19 years, 1 month
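The two posts above show the two things a practitioner does with these logs: the first collapses the permissive-mode AVCs into audit2allow rules, and the rhgb post sets an enforcing boot (which stops at the first denial) beside an enforcing=0 boot (which records every access rhgb would have gone on to make). The following is an added example, not code from the list, from audit2allow or from Fedora, that does both for the old `audit(...): avc: denied { perm } for k=v ...` message format quoted here. The sample input is the posts' own AVC lines re-joined onto single lines; the `_avc` helper and its fixed timestamp prefix are constructed for the example, and the `self` rendering for a process acting on itself is an assumption about how the real tool prints such rules.

```python
"""Collapse SELinux AVC denials into audit2allow-style allow rules and diff an
enforcing-mode log against a permissive-mode one. Added example for the
2004-era "audit(...): avc: denied { perm } for k=v ..." format quoted in the
posts; not code from the list, from audit2allow or from Fedora."""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the k=v fields plus a 'perms' set for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """Type component of a user:role:type security context."""
    return context.split(":")[2]


def generate_rules(lines):
    """One allow rule per (source type, target type, class); permissions are
    merged across all denials with that key and sorted, as audit2allow does."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:          # not an AVC: an ordinary kernel/daemon log line
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged[key] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        if tgt == src:           # process acting on itself (e.g. capabilities); assumed 'self' form
            tgt = "self"
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def rules_only_in_permissive(permissive_lines, enforcing_lines):
    """Rules the permissive log implies that the enforcing log does not.
    Enforcing mode fails the program at its first denial, so later steps never
    appear; permissive mode logs the whole chain of accesses."""
    return sorted(set(generate_rules(permissive_lines)) - set(generate_rules(enforcing_lines)))


def _avc(perm, fields):
    """Build a log line in the posts' format; the timestamp prefix is a placeholder."""
    return f"Jul 31 10:56:19 fedora kernel: audit(1091296579.901:0): avc: denied {{ {perm} }} for {fields}"


# Sample input: AVCs from the 'yum update dev' post, re-joined onto one line each,
# plus one non-AVC kernel line to show that it is ignored.
_RPM_DRI = ("pid=9419 exe=/usr/bin/python name=dri dev=hda2 ino=2689470 "
            "scontext=root:sysadm_r:rpm_t tcontext=system_u:object_r:dri_device_t tclass=dir")
YUM_UPDATE_AVCS = [
    "Jul 31 11:16:23 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts",
    _avc("search", "pid=9421 exe=/usr/sbin/groupadd name=selinux dev=hda2 ino=4509743 "
                   "scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=dir"),
    _avc("read", "pid=9421 exe=/usr/sbin/groupadd name=config dev=hda2 ino=4509759 "
                 "scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file"),
    _avc("getattr", "pid=9421 exe=/usr/sbin/groupadd path=/etc/selinux/config dev=hda2 ino=4509759 "
                    "scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:selinux_config_t tclass=file"),
    _avc("search", "pid=9422 exe=/usr/sbin/useradd name=run dev=hda2 ino=4456484 "
                   "scontext=root:sysadm_r:useradd_t tcontext=system_u:object_r:var_run_t tclass=dir"),
] + [_avc(p, _RPM_DRI) for p in
     "getattr relabelfrom relabelto setattr search write add_name remove_name".split()]

# Sample input: the rhgb denials from the strict/enforcing and enforcing=0 boots.
_RHGB_MOUNTON = _avc("mounton", "pid=533 exe=/usr/bin/rhgb path=/initrd dev=ram0 ino=2 "
                     "scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:file_t tclass=dir")
ENFORCING_BOOT = [
    _RHGB_MOUNTON,
    _avc("sys_admin", "pid=533 exe=/usr/bin/rhgb capability=21 "
                      "scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=capability"),
]
PERMISSIVE_BOOT = [
    _RHGB_MOUNTON,
    _avc("mount", "pid=533 exe=/usr/bin/rhgb name=/ dev=ramfs ino=1291 "
                  "scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:ramfs_t tclass=filesystem"),
    _avc("search", "pid=534 exe=/usr/bin/rhgb name=run dev=hda2 ino=4456484 "
                   "scontext=system_u:system_r:rhgb_t tcontext=system_u:object_r:var_run_t tclass=dir"),
]

if __name__ == "__main__":
    print("\n".join(generate_rules(YUM_UPDATE_AVCS)))
    print("--- seen only with enforcing=0 ---")
    print("\n".join(rules_only_in_permissive(PERMISSIVE_BOOT, ENFORCING_BOOT)))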
macro ?
by İsmail İyigünler
hi
What is a macro, conceptually? I'm just a beginner in SELinux; I have just read your documents and am testing on my system, and I am usually getting lots of denied messages on the console. Is that normal? And what are the differences between the default user_r and staff_r roles? Can I group users by their authority with the user_r and staff_r roles, and can I assign "group"s to any roles? If not, how can I do it?
thanks for your help :-)
19 years, 1 month
RE: Can not access files in own home directory
by David Balazic
> From: Russell Coker[SMTP:russell@coker.com.au]
>
> On Wed, 9 Jun 2004 17:42, David Balazic <david.balazic(a)hermes.si> wrote:
> > Because I get a failure right 5 minutes after installation.
> >
> > I did a SELinux enabled install of FC2 ( Workstation type ).
> > In firstboot I created a user.
>
> This is a known bug, when firstboot creates a user it doesn't give the
> correct
> type to the home directory files. Running setfiles is the correct thing
> to
> do. But you don't have to label the entire file system, just the home
> directory for the new user.
>
setfiles requires some "policy" argument; what do I use?
Well, I just ran "fixfiles relabel" (not in runlevel 1, as suggested by Andrew Farris, but in level 5; is that a problem?).
Now login on VCx is OK, but login in X still does not work. Previously it reported that my home dir does not exist, but now, after the "fix", when I enter my username and password a blank blue screen with a mouse pointer (a pointer, not an hourglass) appears and nothing happens. I waited 30 seconds and switched to VC1 to check out what is happening, but then the screen started to blink. It went black for ~5 seconds, then back to VC1 for a second, then black again and so on. Maybe the X server was restarting.
Any clues?
David Balažic
19 years, 1 month
Kernel install errors w/ strict/enforcing
by Tom London
The following started about a week ago
(running rawhide and off of Dan's tree:
kernel-2.6.7-1.499, selinux-policy-strict-1.15.10-1, ...)
'yum install' for the kernel (.499 and .501) produces the following:
failed to stat ./build/include/asm: 13
above message repeated 9 times.
The install appears to be correct.
Here are the avc's from the log:
Jul 31 10:37:35 fedora kernel: audit(1091295455.845:0): avc: denied { getattr } for pid=4689 exe=/sbin/nash path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:38 fedora kernel: audit(1091295458.230:0): avc: denied { getattr } for pid=4695 exe=/sbin/nash path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:39 fedora kernel: audit(1091295459.276:0): avc: denied { getattr } for pid=4701 exe=/sbin/nash path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:39 fedora kernel: audit(1091295459.468:0): avc: denied { transition } for pid=4703 exe=/bin/bash path=/sbin/dmsetup dev=hda2 ino=2310342 scontext=root:sysadm_r:bootloader_t tcontext=root:system_r:lvm_t tclass=process
Jul 31 10:37:40 fedora kernel: audit(1091295460.731:0): avc: denied { getattr } for pid=4735 exe=/sbin/nash path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:41 fedora kernel: audit(1091295461.268:0): avc: denied { getattr } for pid=4739 exe=/sbin/nash path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:41 fedora kernel: audit(1091295461.764:0): avc: denied { getattr } for pid=4744 exe=/sbin/nash path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:42 fedora kernel: audit(1091295462.569:0): avc: denied { getattr } for pid=4751 exe=/sbin/nash path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:43 fedora kernel: audit(1091295463.091:0): avc: denied { getattr } for pid=4756 exe=/sbin/nash path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
Jul 31 10:37:43 fedora kernel: audit(1091295463.633:0): avc: denied { getattr } for pid=4761 exe=/sbin/nash path=/lib/modules/2.6.7-1.501/build/include/asm dev=hda2 ino=3637290 scontext=root:sysadm_r:bootloader_t tcontext=system_u:object_r:modules_object_t tclass=lnk_file
'audit2allow' on the above yields:
allow bootloader_t lvm_t:process { transition };
allow bootloader_t modules_object_t:lnk_file { getattr };
Do we need to make this (or some other) change?
thanks
tom
19 years, 1 month
Re: Caveat: Broken pam, also latest dev pgks: strict/enforcing boot hangs....
by Tom London
Stephen,
Thanks for this update.
Installing the new pam also fixed my booting problem,
where booting was hanging during/after starting cyrus.
(Thanks also to Dan for working on this with me).
tom
---------------------------------------------------------------------------
* From: Stephen Smalley <sds epoch ncsc mil>
* Date: Fri, 30 Jul 2004 08:10:54 -0400
Just as a warning, the pam package in rawhide is broken for SELinux;
non-root logins will fail under console login, gdm, or ssh when in
enforcing mode. I think that this is due to a bug in pam_unix related
to execution of the chkpwd helper program. In permissive mode, pam_unix
doesn't need to run the helper program, as it can directly read
/etc/shadow itself. Fixed pam is available from Dan's site
ftp://people.redhat.com/dwalsh/SELinux/Fedora.
--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
19 years, 2 months
Caveat: Broken pam
by Stephen Smalley
Just as a warning, the pam package in rawhide is broken for SELinux;
non-root logins will fail under console login, gdm, or ssh when in
enforcing mode. I think that this is due to a bug in pam_unix related
to execution of the chkpwd helper program. In permissive mode, pam_unix
doesn't need to run the helper program, as it can directly read
/etc/shadow itself. Fixed pam is available from Dan's site
ftp://people.redhat.com/dwalsh/SELinux/Fedora.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
19 years, 2 months
Re: latest dev pgks: strict/enforcing boot hangs....
by Tom London
Nope. That's all I get. When I added an allow rule
to search /var/lock, I got another one for 'getattr'
(so I did the r_dir_perms).
But that's all.
Should I do an 'enableaudit'?
tom
> ------------------------------------------------------------------------
>
> * /From/: Daniel J Walsh <dwalsh redhat com>
>
> ------------------------------------------------------------------------
> Tom London wrote:
>
>After installing the latest packages from the development tree,
>(including selinux-policy-strict-1.15.8-3, etc.), booting with
>strict/enforcing hangs (but it works with strict/permissive).
>
>
>
> Do you have any additional messages from strict/permissive?
>
> Dan
>
>[Same behavior with both 494 and 499 kernel. And I did
>a 'fixfiles relabel' to no avail.]
>
>
> Here are the last entries from the log:
>
> Jul 28 20:30:45 fedora ntpd[2203]: kernel time sync status 0040
> Jul 28 20:30:45 fedora xinetd[2179]: xinetd Version 2.3.13 started
> with libwrap loadavg options compiled in.
> Jul 28 20:30:45 fedora xinetd[2179]: Started working: 1 available
> service
> Jul 28 20:30:45 fedora ntpd[2203]: frequency initialized 70.900
> PPM from /var/lib/ntp/drift
> Jul 28 20:30:45 fedora ntpd[2203]: configure: keyword
> "authenticate" unknown, line ignored
> Jul 28 20:30:45 fedora kernel: Installing knfsd (copyright (C)
> 1996 okir monad swb de).
> Jul 28 20:30:45 fedora kernel: SELinux: initialized (dev nfsd,
> type nfsd), uses genfs_contexts
> Jul 28 20:30:45 fedora nfs: Starting NFS services: succeeded
> Jul 28 20:30:45 fedora nfs: rpc.rquotad startup succeeded
> Jul 28 20:30:45 fedora nfs: rpc.nfsd startup succeeded
> Jul 28 20:30:45 fedora nfs: rpc.mountd startup succeeded
> Jul 28 20:30:45 fedora rpcidmapd: rpc.idmapd -SIGHUP succeeded
> Jul 28 20:30:50 fedora udev[2271]: creating device node '/dev/lp0'
> Jul 28 20:30:50 fedora kernel: audit(1091071850.411:0): avc: denied { search } for pid=2279 exe=/bin/bash name=lock dev=hda2 ino=4456478 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_lock_t tclass=dir
>
> HANGS HERE.... ALT-CTL-DEL
>
>Jul 28 20:31:15 fedora shutdown: shutting down for system reboot
>Jul 28 20:31:15 fedora init: Switching to runlevel: 6
>
>
>I thought that perhaps the udev message was indicating something, so I
>added
> allow udev_t var_lock_t:dir r_dir_perms;
>but this seems to be a red herring,
>all that did was to remove the avc..... still hangs.
>
>
>Any ideas?
> tom
>--
>fedora-selinux-list mailing list
>fedora-selinux-list redhat com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
19 years, 2 months
latest dev pgks: strict/enforcing boot hangs....
by Tom London
After installing the latest packages from the development tree,
(including selinux-policy-strict-1.15.8-3, etc.), booting with
strict/enforcing hangs (but it works with strict/permissive).
[Same behavior with both 494 and 499 kernel. And I did
a 'fixfiles relabel' to no avail.]
Here are the last entries from the log:
Jul 28 20:30:45 fedora ntpd[2203]: kernel time sync status 0040
Jul 28 20:30:45 fedora xinetd[2179]: xinetd Version 2.3.13 started with libwrap loadavg options compiled in.
Jul 28 20:30:45 fedora xinetd[2179]: Started working: 1 available service
Jul 28 20:30:45 fedora ntpd[2203]: frequency initialized 70.900 PPM from /var/lib/ntp/drift
Jul 28 20:30:45 fedora ntpd[2203]: configure: keyword "authenticate" unknown, line ignored
Jul 28 20:30:45 fedora kernel: Installing knfsd (copyright (C) 1996 okir(a)monad.swb.de).
Jul 28 20:30:45 fedora kernel: SELinux: initialized (dev nfsd, type nfsd), uses genfs_contexts
Jul 28 20:30:45 fedora nfs: Starting NFS services: succeeded
Jul 28 20:30:45 fedora nfs: rpc.rquotad startup succeeded
Jul 28 20:30:45 fedora nfs: rpc.nfsd startup succeeded
Jul 28 20:30:45 fedora nfs: rpc.mountd startup succeeded
Jul 28 20:30:45 fedora rpcidmapd: rpc.idmapd -SIGHUP succeeded
Jul 28 20:30:50 fedora udev[2271]: creating device node '/dev/lp0'
Jul 28 20:30:50 fedora kernel: audit(1091071850.411:0): avc: denied { search } for pid=2279 exe=/bin/bash name=lock dev=hda2 ino=4456478 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:var_lock_t tclass=dir
HANGS HERE.... ALT-CTL-DEL
Jul 28 20:31:15 fedora shutdown: shutting down for system reboot
Jul 28 20:31:15 fedora init: Switching to runlevel: 6
I thought that perhaps the udev message was indicating something, so I
added
allow udev_t var_lock_t:dir r_dir_perms;
but this seems to be a red herring,
all that did was to remove the avc..... still hangs.
Any ideas?
tom
19 years, 2 months