crond/mailman, .... Rawhide issues....
by Tom London
Latest stuff from Rawhide: crond/mailman issues again....
Here is the email (I got lots of these!):
Subject: Cron <mailman@fedora> /usr/bin/python -S
/var/mailman/cron/gate_news
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/var/mailman>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=mailman>
X-Cron-Env: <USER=mailman>
Traceback (most recent call last):
File "/var/mailman/cron/gate_news", line 284, in ?
main()
File "/var/mailman/cron/gate_news", line 259, in main
lock.lock(timeout=0.5)
File "/var/mailman/Mailman/LockFile.py", line 243, in lock
self.__write()
File "/var/mailman/Mailman/LockFile.py", line 422, in __write
fp = open(self.__tmpfname, 'w')
IOError: [Errno 13] Permission denied:
'/var/mailman/locks/gate_news.lock.fedora.XXX.3986.0'
Here are the AVCs:
Aug 13 08:35:01 fedora crond(pam_unix)[4065]: session opened for user
mailman by (uid=0)
Aug 13 08:35:01 fedora crond(pam_unix)[4068]: session opened for user
root by (uid=0)
Aug 13 08:35:02 fedora kernel: audit(1092411302.395:0): avc: denied {
read append } for pid=4067 exe=/usr/bin/python name=error dev=hda2
ino=442471 scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:mailman_log_t tclass=file
Aug 13 08:35:02 fedora kernel: audit(1092411302.397:0): avc: denied {
write } for pid=4067 exe=/usr/bin/python name=locks dev=hda2 ino=442718
scontext=system_u:system_r:system_crond_t
tcontext=system_u:object_r:mailman_lock_t tclass=dir
Aug 13 08:35:02 fedora crond(pam_unix)[4068]: session closed for user root
Aug 13 08:35:04 fedora crond(pam_unix)[4065]: session closed for user
mailman
audit2allow produces:
allow system_crond_t mailman_lock_t:dir { write };
allow system_crond_t mailman_log_t:file { append read };
Is that right (or have I broken something else)?
tom
[BTW, booleans now get loaded. Neat!]
19 years, 8 months
Re: Braces in path field breaks audit2allow (PROPOSED FIX)
by Tom London
Thanks.
I figured the script was doing more with some of the fields, and
reordering the code would break something ....
If the 'we only need to consider braces at the start' assumption
is wrong, I think a more complicated regular expression that
just excludes braces after '=' would work too.
tom
> From: Stephen Smalley <sds epoch ncsc mil>
>
>On Thu, 2004-08-12 at 17:47, t l wrote:
>> Sorry to make the first mod so complicated.
>>
>> After looking at the Perl a bit, this is simpler, but
>> depends on 'important brace fields' starting with the
>> brace character. Is that correct?
>
>I think so (I didn't write this script, and am not a perl expert
>either). The script is just trying to extract the list of permissions,
>which starts with a { by itself after the avc: denied prefix. With
>regard to your original diff, note that audit2allow captures auxiliary
>audit information like path and exe for the -v option; the exceptions
>for pid, dev, and ino are just to omit that information, as it was
>viewed as too ephemeral to likely be useful when reviewing audit2allow
>output.
>
>--
>Stephen Smalley <sds epoch ncsc mil>
>National Security Agency
19 years, 8 months
Re: Braces in path field breaks audit2allow (PROPOSED FIX)
by t l
Sorry to make the first mod so complicated.
After looking at the Perl a bit, this is simpler, but
depends on 'important brace fields' starting with the
brace character. Is that correct?
If so, a patch follows.
tom
--- /usr/bin/audit2allow 2004-08-11 14:29:39.000000000 -0700
+++ a2a 2004-08-12 14:42:33.812606852 -0700
@@ -65,7 +65,7 @@
$command="";
foreach $i(0..$#types){
next if($types[$i]!~/[=\{]/);
- if($types[$i]=~/\{/){
+ if($types[$i]=~/^\{/){
$j=$i+1;
while($types[$j]!~/\}/){
$command.=" $types[$j]";
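Review bot: anchoring the test as `/^\{/` does stop a `{` buried inside a `path=` value from being taken as the start of the permission list, but the inner loop `while($types[$j]!~/\}/){` still has no bound on `$j`; if a line ever lacks a closing `}` after the opening one (a truncated or re-wrapped log line, for instance), `$types[$j]` runs off the end of the array, the undefined value never matches `\}`, and the script loops exactly as it did with the braces in the path. Suggest `while($j <= $#types && $types[$j]!~/\}/){` so the scan stops at the last field regardless of input. The question the post asks, whether the permission list is the only token that begins with a brace, is the right one to settle before relying on the anchor; the retained `next if($types[$i]!~/[=\{]/);` already skips the bare permission words, so the anchored match only has to be unique for that first token.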
19 years, 8 months
Braces in path field breaks audit2allow
by t l
The following AVC makes audit2allow loop:
Aug 12 09:08:02 fedora kernel: audit(1092326882.229:0): avc: denied { read } for pid=4477 exe=/bin/bash path=/home/tbl/.thunderbird/default/7hvcq9as.slt/extensions/{847b3a00-7ab1-11d4-8f02-006008948af5}/chrome/enigmail-skin-tbird.jar dev=hda2 ino=3769282 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:user_home_t tclass=file
Notice the brace characters in the 'path=' field.
Deleting the brace characters, or replacing them with some other characters
makes audit2allow work again.
I can fix the problem by moving the code in audit2allow that checks for
various '=' fields before the parsing of the brace field,
and putting in an extra case for 'path='.
I don't think this is the right fix. What about other fields
that may have braces, like 'exe=', etc.?
Someone with better Perl skills: please help!
tom
[Please notice that I didn't choose the filename ;) ]
--- /usr/bin/audit2allow 2004-08-11 14:29:39.000000000 -0700
+++ audit2allow 2004-08-12 13:42:32.605241853 -0700
@@ -65,6 +65,13 @@
$command="";
foreach $i(0..$#types){
next if($types[$i]!~/[=\{]/);
+ my($a,$b) = split /=/,$types[$i];
+
+ next if($a eq "pid");
+ next if($a eq "dev");
+ next if($a eq "ino");
+ next if($a eq "path");
+
if($types[$i]=~/\{/){
$j=$i+1;
while($types[$j]!~/\}/){
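Review bot: the added `next if($a eq "path");` discards the path field outright, which loses information the script otherwise keeps for `-v` output (the reply in this thread says path and exe are captured for that purpose, and only pid, dev and ino were meant to be dropped as ephemeral). It also leaves `exe=` and any other field whose value contains a `{` free to reach the unchanged `if($types[$i]=~/\{/){` and start the runaway scan, which is the weakness the message itself points out. Testing for a token that begins with the brace (`/^\{/`) instead of one that merely contains it would remove the need to special-case path at all. Minor: running `split /=/` on every token now includes the `{`, `read` and `}` tokens, which is harmless since only `$a` is used, but a path containing `=` would also split into more than two parts; again harmless here for the same reason.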
@@ -73,11 +80,6 @@
}
next;
}
- my($a,$b) = split /=/,$types[$i];
-
- next if($a eq "pid");
- next if($a eq "dev");
- next if($a eq "ino");
if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){
if($a ne "tclass"){
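Review bot: after this removal, the `$a` tested on the retained line `if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){` is the one declared by the `my($a,$b)` moved to the top of the loop body in the previous hunk; that is the same block scope, so the comparison still sees the current field name. A style point while the declaration is being moved: `$a` and `$b` are Perl's `sort` comparison variables, and lexically shadowing them with `my` works but reads oddly; a name such as `$key` and `$value` would make the relocated split self-explanatory.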
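The two audit2allow threads above and the crond/mailman denials at the top of the page all come down to the same parsing job: pull the permission list and the context fields out of an `avc: denied` line without being derailed by braces inside a `path=` value. What follows is an added example, not the page's audit2allow script: a small Python parser that anchors the permission list immediately after `avc: denied` (so a later `{...}` inside a path can never be mistaken for it), reads each `key=value` field up to the next key, and aggregates the result into allow rules in the same shape as the audit2allow output quoted in the first post. The log lines it runs on are constructed for the example, reassembled onto single lines from the wrapped messages quoted in the posts; it also handles the dbus userspace denial from the same page (no pid or exe) and skips non-AVC lines instead of looping on them.

```python
import re
from collections import defaultdict

# Constructed sample input for this example: the crond/mailman denials and the
# braces-in-path denial quoted in the posts (reassembled onto single lines as
# the kernel logs them), the dbus userspace denial, and one non-AVC line.
SAMPLE_LOG = """\
Aug 13 08:35:02 fedora kernel: audit(1092411302.395:0): avc: denied { read append } for pid=4067 exe=/usr/bin/python name=error dev=hda2 ino=442471 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:mailman_log_t tclass=file
Aug 13 08:35:02 fedora kernel: audit(1092411302.397:0): avc: denied { write } for pid=4067 exe=/usr/bin/python name=locks dev=hda2 ino=442718 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:mailman_lock_t tclass=dir
Aug 12 09:08:02 fedora kernel: audit(1092326882.229:0): avc: denied { read } for pid=4477 exe=/bin/bash path=/home/tbl/.thunderbird/default/7hvcq9as.slt/extensions/{847b3a00-7ab1-11d4-8f02-006008948af5}/chrome/enigmail-skin-tbird.jar dev=hda2 ino=3769282 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:user_home_t tclass=file
Aug 11 07:43:28 darth dbus: avc: denied { send_msg } for scontext=user_u:system_r:unconfined_t tcontext=user_u:system_r:unconfined_t tclass=dbus
Aug 13 08:35:01 fedora crond(pam_unix)[4065]: session opened for user mailman by (uid=0)
"""

# The permission list is the brace group that immediately follows
# "avc: denied", so a "{...}" further along inside path= or exe= is never
# treated as permissions, which is what tripped the Perl audit2allow.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")

# key=value fields; a value extends to just before the next " key=" (or the
# end of the line), so braces, colons and slashes inside it are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_avc(line):
    """Return {"perms": [...], "fields": {...}} for an AVC line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": m.group("perms").split(),
            "fields": dict(FIELD_RE.findall(m.group("rest")))}


def type_of(context):
    """Third component of user:role:type[:range] is the type (domain)."""
    return context.split(":")[2]


def audit2allow(lines):
    """Aggregate AVC lines into allow rules, one per (source, target, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        f = rec["fields"]
        try:
            key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        except (KeyError, IndexError):
            continue  # malformed or truncated record: skip rather than loop
        rules[key].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    for rule in audit2allow(SAMPLE_LOG.splitlines()):
        print(rule)
```

Run on the sample it prints the two `system_crond_t` rules from the first post, followed by the dbus and the `user_mozilla_t` rules; the point of the two regular expressions is that the braces in the thunderbird path are simply part of the `path` value and never consulted when looking for permissions.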
19 years, 8 months
glibc updates and sshd
by Stephen Smalley
Hi,
rpm runs a helper after glibc updates that does a /sbin/service sshd
condrestart. The present policy doesn't properly transition domains for
this restarting of sshd by rpm, so if you have updated your glibc, your
sshd may be running in the wrong domain. ps -eZ | grep sshd should show
a context of system_u:system_r:sshd_t. If it does not, then do a
/sbin/service sshd condrestart. Policy patch below.
Index: policy/domains/program/unused/rpm.te
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/policy/domains/program/unused/rpm.te,v
retrieving revision 1.24
diff -u -r1.24 rpm.te
--- policy/domains/program/unused/rpm.te 12 Jul 2004 16:41:48 -0000 1.24
+++ policy/domains/program/unused/rpm.te 12 Aug 2004 18:42:44 -0000
@@ -59,6 +59,7 @@
allow rpm_t devtty_t:chr_file rw_file_perms;
domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
+domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
ifdef(`cups.te', `
r_dir_file(cupsd_t, rpm_var_lib_t)
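Review bot: `domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)` is unconditional, so every init script rpm executes from a scriptlet now transitions to initrc_t, not only the `/sbin/service sshd condrestart` from the glibc helper that the message describes; that is the right scope for the bug (any service restarted by rpm would otherwise end up in the wrong domain), but it widens what rpm-driven scriptlets can do in initrc_t, which is worth noting in the commit. Also worth confirming that initrc_t is allowed to use the file descriptors and pipes it inherits when entered from rpm_t rather than from init, since this hunk adds only the transition itself. The verification the message gives, `ps -eZ | grep sshd` showing `system_u:system_r:sshd_t`, is the right check after applying it.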
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
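The check Stephen gives, `ps -eZ | grep sshd` showing `system_u:system_r:sshd_t`, is easy to script so it reports any sshd running somewhere else. The following is an added example, not code from the post or the policy tree. The `ps -eZ` sample it parses is constructed; the `rpm_t` domain shown for the second sshd is an assumed illustration of a process left in a wrong domain, not a claim about where the un-transitioned sshd actually landed. `check_live()` runs the real `ps -eZ` on an SELinux host and prints the remediation step from the post.

```python
import re
import subprocess

EXPECTED_DOMAIN = "sshd_t"

# Constructed sample of `ps -eZ` output for this example. The sshd shown in
# rpm_t is an assumed illustration of a process left in the wrong domain;
# the post does not say which domain the un-transitioned sshd ran in.
SAMPLE_PS = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t            1 ?        00:00:01 init
system_u:system_r:sshd_t          812 ?        00:00:00 sshd
system_u:system_r:rpm_t          4102 ?        00:00:00 sshd
user_u:user_r:user_t             5310 pts/0    00:00:00 grep
"""

# Columns are LABEL PID TTY TIME CMD; a context label contains no whitespace.
PS_RE = re.compile(r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>\S+)")


def domain_of(label):
    """Type (domain) component of a user:role:type[:range] context."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else label


def find_mislabelled(ps_output, cmd="sshd", expected=EXPECTED_DOMAIN):
    """Return (pid, domain) for every `cmd` process not running in `expected`."""
    bad = []
    for line in ps_output.splitlines():
        m = PS_RE.match(line)
        if m is None or m.group("cmd") != cmd:
            continue  # header line or some other command
        domain = domain_of(m.group("label"))
        if domain != expected:
            bad.append((int(m.group("pid")), domain))
    return bad


def check_live():
    """Run the real `ps -eZ`, report offenders, and return them."""
    out = subprocess.run(["ps", "-eZ"], capture_output=True, text=True,
                         check=True).stdout
    bad = find_mislabelled(out)
    for pid, domain in bad:
        print("sshd pid %d runs in %s, expected %s" % (pid, domain, EXPECTED_DOMAIN))
    if bad:
        print("remediation from the post: /sbin/service sshd condrestart")
    else:
        print("all sshd processes run in %s" % EXPECTED_DOMAIN)
    return bad


if __name__ == "__main__":
    check_live()
```

The same function works for any daemon whose expected domain you know (`find_mislabelled(out, cmd="httpd", expected="httpd_t")`), which makes it a cheap post-update check to run after any package whose scriptlets restart services.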
19 years, 8 months
dbus send_msg denials
by Fred New
I've got an FC3T1 system with all the latest Rawhide updates using the
targeted policy and I've noticed the following messages in
/var/log/messages:
Aug 11 07:43:28 darth dbus: avc: denied { send_msg } for
scontext=user_u:system_r:unconfined_t
tcontext=user_u:system_r:unconfined_t tclass=dbus
Aug 11 07:44:03 darth last message repeated 7 times
Aug 11 07:45:08 darth last message repeated 13 times
Is anyone else getting these?
Fred
19 years, 8 months
Re: selinux-policy-strict-sources: syntax error in Rawhide
by Tom London
Stephen,
Thanks.
This particular system is running 'stock' selinux-policy-strict files
(i.e., selinux-policy-strict-sources is installed, but not modified).
From your response (and from my reading of the developments on
selinux(a)tycho.nsa.gov), I'm guessing that the best thing to do is just
wait for the other rpm's to 'catch up'.
It appears that the 'yum' process left me with my current policy.18
file (dated Aug-1) and a policy.18.rpmnew (dated Aug-8) (from
the selinux-policy-strict package, I believe), so I'm guessing
I have 'valid' policy files for the 'current' (i.e., selinux-policy-strict-1.15.11)
and the 'new' (i.e., selinux-policy-strict-1.15.13) environments.
I should have enough to 'keep running' until the new packages
come (Thanks Dan!).
thanks again,
tom
> From: Stephen Smalley <sds epoch ncsc mil>
>
>On Mon, 2004-08-09 at 11:46, Tom London wrote:
>> Seems to be an error in the latest selinux-policy-strict-sources from
>> Rawhide:
>> tom
>>
>> selinux-policy-strict-sources 100 % done 67/459
>> make: Entering directory `/etc/selinux/strict/src/policy'
>> mkdir -p /etc/selinux/strict/policy
>> /usr/bin/checkpolicy -o /etc/selinux/strict/policy/policy.18 policy.conf
>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>> domains/user.te:70:ERROR 'syntax error' at token ')' on line 43573:
>> #line 70
>> if () {
>> /usr/bin/checkpolicy: error(s) encountered while parsing configuration
>> make: *** [/etc/selinux/strict/policy/policy.18] Error 1
>> make: Leaving directory `/etc/selinux/strict/src/policy'
>
>Side effect of converting many of the compile-time tunables to runtime
>booleans - if you have a customized tunables.tun file, then it is left
>intact by rpm, and m4 ends up defining away the boolean in the policy
>sources. If you have customized your tunables, then move aside your
>tunable.tun file and replace it with the .rpmnew file and then customize
>it again. You'll also need a /etc/selinux/$SELINUXTYPE/booleans file to
>customize the booleans (but I don't think Dan has built a
>policycoreutils yet that includes the updated load_policy to pull
>boolean settings from it).
>
>--
>Stephen Smalley <sds epoch ncsc mil>
>National Security Agency
19 years, 8 months
selinux-policy-strict-sources: syntax error in Rawhide
by Tom London
Seems to be an error in the latest selinux-policy-strict-sources from
Rawhide:
tom
selinux-policy-strict-sources 100 % done 67/459
make: Entering directory `/etc/selinux/strict/src/policy'
mkdir -p /etc/selinux/strict/policy
/usr/bin/checkpolicy -o /etc/selinux/strict/policy/policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/user.te:70:ERROR 'syntax error' at token ')' on line 43573:
#line 70
if () {
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/strict/policy/policy.18] Error 1
make: Leaving directory `/etc/selinux/strict/src/policy'
19 years, 8 months
booting fedora core 2
by Vineet Billorey
Respected Sir,
I recently installed Fedora Core 2 on my
machine (Celeron 1.7, 128 MB RAM). It installed
completely, but afterwards it simply shows a grub
prompt which does not do anything. Also, the grub.conf file
is not available. Kindly guide me immediately.
vineetbillorey(a)yahoo.com
19 years, 8 months
SELinux policies
by Ma. Alejandra Castillo M.
Hello, I will be doing my thesis project on SELinux, where I would create a policy
that is not yet defined for some service. For that reason I am looking for a lot of information on
the subject. What are the policies already defined? Where could I find them?
I await your answers; greetings and thanks.
--
Ma. Alejandra Castillo M.
Chile
19 years, 8 months