more on udev.te
by Tom London
Russell,
Get many avc's like:
Aug 29 12:45:06 fedora kernel: audit(1093808656.624:0): avc: denied {
search } for pid=1354 exe=/bin/bash name=console dev=hda2 ino=4456494
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:pam_var_console_t tclass=dir
Aug 29 12:45:06 fedora kernel: audit(1093808656.757:0): avc: denied {
search } for pid=1357 exe=/bin/bash name=console dev=hda2 ino=4456494
scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:pam_var_console_t tclass=dir
indicating that udev.te needs either
allow udev_t pam_var_console_t:dir { search };
or dontaudit udev_t pam_var_console_t:dir { search };
Either of those correct?
tom
19 years, 7 months
Disable SELinux question
by Park Lee
Hi,
In Fedora Core 2, if we add selinux=0 to the kernel boot line, SELinux will be disabled completely.
By adding SELINUX=disabled to /etc/sysconfig/selinux, we can "disable" the SELinux kernel. Surely disabled here doesn't fully disable the SELinux kernel but simply boots into permissive mode and skips loading the policy.
Then, if we do this (i.e. adding SELINUX=disabled to /etc/sysconfig/selinux), will new files be created without security context information? Need we relabel the entire filesystem again?
Thanks,
--
Best Regards,
Park Lee <parklee_sel(a)yahoo.com>
19 years, 7 months
rpc.mountd failure...
by Tom London
Noticed the following, running .524 kernel and latest policy from Rawhide.
tom
> Aug 23 08:20:18 fedora nfs: Starting NFS services: succeeded
> Aug 23 08:20:18 fedora nfs: rpc.rquotad startup succeeded
> Aug 23 08:20:18 fedora nfs: rpc.nfsd startup succeeded
> Aug 23 08:20:18 fedora kernel: audit(1093274418.647:0): avc: denied
> { name_bind } for pid=2564 exe=/usr/sbin/rpc.mountd
> scontext=system_u:system_r:nfsd_t
> tcontext=system_u:object_r:ipp_port_t tclass=udp_socket
> Aug 23 08:20:18 fedora portmap[2565]: connect from 127.0.0.1 to
> set(mountd): request from unprivileged port
> Aug 23 08:20:18 fedora rpc.mountd: unable to register (mountd, 3, udp).
> Aug 23 08:20:18 fedora nfs: rpc.mountd startup failed
> Aug 23 08:20:18 fedora rpcidmapd: rpc.idmapd -SIGHUP succeeded
19 years, 7 months
fstab-sync - relabeling /etc/fstab?
by Tom London
With latest from Rawhide, running strict/permissive:
Each boot, something is relabeling /etc/fstab from etc_t to tmp_t.
I suspect fstab-sync, which seems to be run just after hald is started
(from hald? /etc/hal/device.d/50-fstab-sync.hal ?)
Of course, if you forget to restore it before rebooting in strict/enforcing
mode, the boot fails trying to read /etc/fstab, and puts you into
'disk doctor' mode.
This doesn't happen if you boot in strict/enforcing mode, since
the policy prevents this from running and doing damage.
I noticed a bugzilla against hal:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131187
Anyone else seeing this?
Does this happen in targeted policy?
tom
19 years, 7 months
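Park Lee's question above (do files created with the policy not loaded end up with no context?) and the /etc/fstab case in this post come down to the same check: read the security.selinux xattr of a file, compare its type with what it should be, and relabel only what is wrong. The script below is an added example, not code from either poster or from the SELinux tools. It assumes Python 3 on Linux (os.getxattr is Linux-only); the expected type etc_t for /etc/fstab is from the post, while the /etc/passwd entry and the sample readings in the usage note are constructed for the example. The reader function is injectable so the comparison logic can be exercised on a machine without SELinux.

```python
import errno
import os

# Expected types for files discussed on this page: /etc/fstab -> etc_t is from
# Tom's post; /etc/passwd -> etc_t is an illustrative entry assumed for this example.
EXPECTED_TYPES = {
    "/etc/fstab": "etc_t",
    "/etc/passwd": "etc_t",
}


def type_from_context(context):
    """'system_u:object_r:etc_t' -> 'etc_t' (any MLS field after the type is ignored)."""
    return context.split(":")[2]


def read_selinux_type(path):
    """Type of `path` from its security.selinux xattr, or None if the file has no
    label at all (a file created while no policy was loaded, the case Park Lee
    asks about). Other errors, e.g. a missing file, are raised to the caller."""
    if not hasattr(os, "getxattr"):  # os.getxattr exists only on Linux
        raise OSError("extended attributes are not available on this platform")
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError as err:
        if err.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return type_from_context(raw.rstrip(b"\0").decode())


def check_labels(expected, read_type=read_selinux_type):
    """Return (path, expected_type, actual_type) for every mismatch, sorted by
    path; actual_type is None for an unlabeled file. `read_type` is injectable
    so the comparison can run without an SELinux kernel."""
    problems = []
    for path, want in sorted(expected.items()):
        have = read_type(path)
        if have != want:
            problems.append((path, want, have))
    return problems


def restorecon_command(problems):
    """Argument list for restorecon that relabels just the mismatched paths from
    their file_contexts entries (cheaper than a full fixfiles relabel); None
    when there is nothing to fix."""
    if not problems:
        return None
    return ["restorecon", "-v"] + [path for path, _, _ in problems]


if __name__ == "__main__":
    found = check_labels(EXPECTED_TYPES)
    for path, want, have in found:
        print(f"{path}: expected {want}, got {have or 'no label'}")
    cmd = restorecon_command(found)
    print(" ".join(cmd) if cmd else "all labels as expected")
```

Run as root on the affected machine it reports, for the fstab case, "/etc/fstab: expected etc_t, got tmp_t" and prints the restorecon command for that one path. A file that returns no label at all is reported the same way, which answers Park Lee's question for a given file directly rather than by guessing.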
dbus-daemon-1 running as user_u:user_r:user_t.... that right?
by Tom London
Running Rawhide, strict/permissive, 'ps aZx' yields (some lines snipped):
system_u:system_r:saslauthd_t 3438 ? S 0:00
/usr/sbin/saslauthd
system_u:system_r:dbusd_t 3455 ? Ss 0:00 dbus-daemon-1
syste
system_u:system_r:hald_t 3468 ? Ss 0:00 hald
system_u:system_r:mdadm_t 3488 ? Ss 0:00 mdadm --monitor
system_u:system_r:xdm_t 3675 ? Ss 0:00
/usr/bin/gdm-binary
system_u:system_r:xdm_t 3939 ? S 0:00
/usr/bin/gdm-binary
system_u:system_r:xdm_xserver_t 3952 ? S 40:14
/usr/X11R6/bin/X :0
user_u:user_r:user_t 4026 ? Ss 0:01
/usr/bin/gnome-sessio
user_u:user_r:user_ssh_agent_t 4076 ? Ss 0:00
/usr/bin/ssh-agent /u
user_u:user_r:user_t 4080 ? Ss 0:00 dbus-daemon-1
--fork
user_u:user_r:user_t 4084 ? S 0:01
/usr/libexec/gconfd-2
As shown, gnome-session, ssh-agent, dbus-daemon-1 (the second one),
and gconfd-2 are running in user_u:user_r:user_t. That right?
thanks,
tom
19 years, 7 months
dot directory - .mozilla, .gqview, ETC:
by Jim Cornette
After finally getting SELinux working, I had a message related to the
.whatever configuration directories in the /home/user directories. The
local email to root is attached. The mail is not long and seems to be
fairly minor. The other errors are obvious within the attachment.
(kernel modules, etc)
I don't know if this is helpful or just a "not again", but here it is.
Jim
--
There's a fine line between courage and foolishness. Too bad it's not a fence.
From root(a)localhost.localdomain Sat Aug 28 04:50:28 2004
Return-Path: <root(a)localhost.localdomain>
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by localhost.localdomain (8.13.1/8.13.1) with ESMTP id i7S8oS16004506
for <root(a)localhost.localdomain>; Sat, 28 Aug 2004 04:50:28 -0400
Received: (from root@localhost)
by localhost.localdomain (8.13.1/8.13.1/Submit) id i7S8oSYZ004504
for root; Sat, 28 Aug 2004 04:50:28 -0400
Date: Sat, 28 Aug 2004 04:50:28 -0400
From: root <root(a)localhost.localdomain>
Message-Id: <200408280850.i7S8oSYZ004504(a)localhost.localdomain>
To: root(a)localhost.localdomain
Subject: Invalid File Contexts
Status: RO
Content-Length: 3617
Lines: 72
/lib/modules/2.6.8-1.526/modules.ieee1394map
/lib/modules/2.6.8-1.526/modules.symbols
/lib/modules/2.6.8-1.526/modules.inputmap
/lib/modules/2.6.8-1.526/modules.usbmap
/lib/modules/2.6.8-1.526/modules.isapnpmap
/lib/modules/2.6.8-1.526/modules.pcimap
/lib/modules/2.6.8-1.526/modules.ccwmap
/lib/modules/2.6.8-1.526/modules.dep
/lib/modules/2.6.8-1.526/modules.alias
/home/jim/.gconfd/saved_state
/home/jim/.mozilla/default/hsqrrxyg.slt/Mail/pop-server.insight.r-3.com/Trash
/home/jim/.mozilla/default/hsqrrxyg.slt/Mail/pop-server.insight.r-3.com/Trash.msf
/home/jim/.mozilla/default/hsqrrxyg.slt/Mail/pop-server.insight.r-1.com/Trash
/home/jim/.mozilla/default/hsqrrxyg.slt/Mail/pop-server.insight.r-1.com/Trash.msf
/home/jim/.mozilla/default/hsqrrxyg.slt/bookmarks.html
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/02F196D5d01
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/F79B8089d01
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/_CACHE_001_
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/50C50E21d01
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/19BEEB51d01
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/_CACHE_002_
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/EEB988C5d01
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/044687A3d01
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/7990DEA6d01
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/_CACHE_003_
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/_CACHE_MAP_
/home/jim/.mozilla/default/hsqrrxyg.slt/Cache/F790F05Ed01
/home/jim/.mozilla/default/hsqrrxyg.slt/prefs.js
/home/jim/avc-kernel-reinstall.txt
/home/jim/.metacity/sessions/1093641023-3580-728131614.ms
/home/jim/.metacity/sessions/1093663696-3622-1576427724.ms
/home/jim/.metacity/sessions/1093604839-4145-3534460300.ms
/home/jim/fixfiles-cron
/home/jim/.gqview/history
/home/jim/.gqview/collections
/home/jim/relabeled.targeted.permissive.txt
/home/jim/.gconf/desktop/gnome/peripherals/keyboard/xkb.sysbackup/%gconf.xml
/home/jim/.gconf/desktop/gnome/applications/window_manager/%gconf.xml
/home/jim/.gconf/apps/panel/profiles/default/applets/mixer/prefs/%gconf.xml
/home/jim/.gconf/apps/panel/profiles/default/applets/clock/prefs/%gconf.xml
/home/jim/.gconf/apps/panel/profiles/default/applets/window_list/prefs/%gconf.xml
/home/jim/.gconf/apps/panel/profiles/default/applets/workspace_switcher/prefs/%gconf.xml
/home/jim/.gconf/apps/panel/profiles/default/toplevels/bottom_panel/%gconf.xml
/home/jim/.gconf/apps/nautilus/%gconf.xml
/var/lib/slocate/slocate.db
/var/lib/rpm/__db.003
/var/lib/rpm/__db.001
/var/lib/rpm/__db.002
/var/log/Xorg.0.log
/var/run/utmp
/var/run/console/console.lock
/var/run/console/jim
/.autofsck
/usr/share/applications/mimeinfo.cache
/etc/fstab
/etc/hotplug/usb.usermap
/etc/prelink.cache
/etc/cups/certs/0
/etc/gconf/gconf.xml.defaults/schemas/apps/nautilus/icon_view/%gconf.xml
/etc/gconf/gconf.xml.defaults/schemas/apps/nautilus/list_view/%gconf.xml
/etc/gconf/gconf.xml.defaults/schemas/apps/nautilus/desktop/%gconf.xml
/etc/gconf/gconf.xml.defaults/schemas/apps/nautilus/preferences/%gconf.xml
/etc/gconf/gconf.xml.defaults/schemas/apps/nautilus/sidebar_panels/tree/%gconf.xml
/etc/gconf/gconf.xml.defaults/desktop/gnome/file_views/%gconf.xml
/etc/gconf/gconf.xml.defaults/apps/nautilus/icon_view/%gconf.xml
/etc/gconf/gconf.xml.defaults/apps/nautilus/list_view/%gconf.xml
/etc/gconf/gconf.xml.defaults/apps/nautilus/desktop/%gconf.xml
/etc/gconf/gconf.xml.defaults/apps/nautilus/preferences/%gconf.xml
/etc/gconf/gconf.xml.defaults/apps/nautilus/sidebar_panels/tree/%gconf.xml
/boot/grub/grub.conf
/boot/initrd-2.6.8-1.526.img
19 years, 7 months
Thanks! - Now able to test SELinux in enforcing.
by Jim Cornette
Earlier on in the list, I mentioned problems getting SELinux to even
boot so I could test it out.
I'd like to thank those for the guidance on getting the problems
straightened out on my end with advice.
I can now run SELinux in enforcing mode using the targeted policy.
Thanks!
Jim
--
What a strange game. The only winning move is not to play.
-- WOP, "War Games"
19 years, 7 months
xfs socket startup fails with strict policy
by Leonard den Ottolander
Hi,
I'm seeing the following at startup. I have to boot to runlevel 3
because X won't start since it "could not open default font 'fixed'".
There is no socket for xfs (7100) although service xfs is reported
running.
Aug 25 23:27:36 k6-joy xfs: xfs startup succeeded
Aug 25 23:27:36 k6-joy kernel: audit(1093469256.744:0): avc: denied {
getattr } for pid=2171 exe=/usr/X11R6/bin/xfs path=/tmp/.font-unix
dev=hda6 ino=425186 scontext=system_u:system_r:xfs_t
tcontext=system_u:object_r:initrc_tmp_t tclass=dir
Aug 25 23:27:36 k6-joy xfs[2171]: cannot establish any listening sockets
Aug 25 23:27:37 k6-joy xfs[2171]: ignoring font path element
/usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Running a fixfiles relabel did not fix this issue.
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
19 years, 7 months
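The AVC denials in Tom's udev.te post, the rpc.mountd post and Leonard's xfs post above all have the same shape, and each poster's next step is the same: pull the source type, target type, object class and permission out of the record and decide what to do about it. The following is an added example, not code from any of the posters or from the SELinux tools. It is a small Python 3 script in the spirit of audit2allow that rejoins records a mail client wrapped across lines, strips "> " quoting, and prints the candidate rule in the form Tom wrote by hand. The sample lines are copied from the three posts. The labeling_hints heuristics are my own assumptions: a name_bind denial against a port type usually means the port is labeled wrong (compare Stephen Smalley's note about reserved ports being remapped), and a daemon denied access to a *_tmp_t object usually points at how the object was created rather than at a missing rule.

```python
import re
from collections import defaultdict

# Syslog prefix of the 2004-era kernel AVC lines quoted on this page, e.g.
# "Aug 29 12:45:06 fedora kernel: audit(1093808656.624:0): avc: denied { search } for pid=..."
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Sample input copied from the udev, rpc.mountd and xfs posts, including the
# mail client's line wrapping and the "> " quoting.
SAMPLE_LOG = [
    "Aug 29 12:45:06 fedora kernel: audit(1093808656.624:0): avc: denied {",
    "search } for pid=1354 exe=/bin/bash name=console dev=hda2 ino=4456494",
    "scontext=system_u:system_r:udev_t",
    "tcontext=system_u:object_r:pam_var_console_t tclass=dir",
    "> Aug 23 08:20:18 fedora nfs: rpc.nfsd startup succeeded",
    "> Aug 23 08:20:18 fedora kernel: audit(1093274418.647:0): avc: denied",
    "> { name_bind } for pid=2564 exe=/usr/sbin/rpc.mountd",
    "> scontext=system_u:system_r:nfsd_t",
    "> tcontext=system_u:object_r:ipp_port_t tclass=udp_socket",
    "> Aug 23 08:20:18 fedora rpc.mountd: unable to register (mountd, 3, udp).",
    "Aug 25 23:27:36 k6-joy kernel: audit(1093469256.744:0): avc: denied {",
    "getattr } for pid=2171 exe=/usr/X11R6/bin/xfs path=/tmp/.font-unix",
    "dev=hda6 ino=425186 scontext=system_u:system_r:xfs_t",
    "tcontext=system_u:object_r:initrc_tmp_t tclass=dir",
]


def join_wrapped(lines):
    """Rejoin records wrapped onto several lines: a line that starts with a syslog
    timestamp and host begins a record, anything else (after dropping '>'
    quoting) continues the previous one."""
    records = []
    for raw in lines:
        line = raw.strip()
        while line.startswith(">"):
            line = line[1:].lstrip()
        if not line:
            continue
        if SYSLOG_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def type_of(context):
    """Type field of a 'user:role:type[:...]' security context."""
    return context.split(":")[2]


def parse_avc(record):
    """Perms, exe, object and the type/class fields of one AVC denial, or None
    for records that are not denials (startup messages pass straight through)."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": m.group("perms").split(),
        "exe": fields.get("exe"),
        "object": fields.get("path") or fields.get("name"),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def suggest_rules(lines):
    """One 'allow' rule per (source, target, class) with permissions merged.
    This is only the syntactic shape; allow vs. dontaudit vs. a label fix is a
    policy decision the denial text alone cannot settle."""
    wanted = defaultdict(set)
    for record in join_wrapped(lines):
        avc = parse_avc(record)
        if avc:
            wanted[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(wanted.items())]


def labeling_hints(lines):
    """Heuristics (assumed for this example, not stated by the posters) for
    denials whose usual cure is a label fix rather than a new rule."""
    hints = []
    for record in join_wrapped(lines):
        avc = parse_avc(record)
        if not avc:
            continue
        if "name_bind" in avc["perms"] and avc["tclass"].endswith("_socket"):
            hints.append(f"{avc['exe']}: port labeled {avc['target']}; "
                         "check port contexts before adding an allow rule")
        elif avc["target"].endswith("_tmp_t"):
            hints.append(f"{avc['exe']}: {avc['object']} labeled {avc['target']}; "
                         "check how it was created before adding an allow rule")
    return hints


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
    for hint in labeling_hints(SAMPLE_LOG):
        print("#", hint)
```

On the sample input this prints the three candidate rules (nfsd_t/ipp_port_t, udev_t/pam_var_console_t, xfs_t/initrc_tmp_t) followed by two hints, one for rpc.mountd and one for xfs; the udev search denial gets no hint, which leaves it as exactly the allow-or-dontaudit question Tom raised. To run it on a live system, replace SAMPLE_LOG with the lines of /var/log/messages.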
Caveat: checkpolicy broken with respect to policy
by Stephen Smalley
Hi,
policy 1.17.3 and later are not being handled properly by checkpolicy,
because the update that was supposed to go out with checkpolicy-1.16.2
was not built properly due to a packaging mistake. End result: All
reserved ports are remapped to reserved_port_t, and most daemons will
fail during startup due to a lack of name_bind permission, at least with
strict policy. Fixed checkpolicy should be available soon.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
19 years, 7 months