Domains, interpreted languages, and Cron scripts
by Bill McCarty
Hi all,
I've run into an architectural headache that someone else must already have
visited, and perhaps solved. But I find no mention of the problem in the list
archives or elsewhere.
I have several Python scripts that run under Cron. Some of these scripts
access or modify sensitive data, and so I'd like to define one or more
domains by means of which to limit their privileges. However, the exe name
associated with such scripts is /usr/bin/python2.3, rather than the name of
the script. Consistent with the principle of least privilege, I'd prefer to
define distinct domains for each script, rather than an overly broad
python_t domain, for instance.
Has anyone else been here already? What techniques are useful for
constraining the privileges given to scripts?
One idea: Would it be a good thing to modify run-parts to transition to a
domain named for the Cron script it launches? Doing so would seem to solve
my problem, but it might create others <g>.
Thanks,
--
Bill McCarty, Ph.D.
Professor of Information Technology
Azusa Pacific University
19 years, 4 months
checkinstall on Fc3T2
by aq
hello,
I am compiling openbox-3.2 from source code (yes, FC3T2 is a test
edition, so nobody makes packages for it). I run "./configure", then
"make". But when I run checkinstall to make an rpm package of openbox,
I get various errors (for example, "Segmentation fault mkdir data 2 & >
/dev/null"). I guess the problem is that "checkinstall" has
insufficient privilege.
What should I do to fix this problem?
thank you a lot,
AQ
19 years, 5 months
FC2 Selinux boot failure
by deff
My Fedora Core 2 SELinux ceased to function.
dmesg:
Security Scaffold v1.0.0 initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
There is already a security framework initialized, register_security failed.
selinux_register_security: Registering secondary module capability
Capability LSM initialized as secondary
sestatus -v:
SELinux status: disabled
What's wrong? I can't even get it to boot into permissive mode. The only thing I've
messed with recently was NSS authentication via LDAP.
deff
19 years, 5 months
Conflicting types message
by Stephen John Smoogen
/etc/cron.daily/fixfiles.cron:
logging to /dev/null
/usr/sbin/setfiles: conflicting specifications for
/lib/tls/i486/libdb-4.2.so and /lib/tls/i586/libdb-4.2.so, using
system_u:object_r:shlib_t.
Null message body; hope that's ok
I got this this morning from the badcontexts file. I do not know enough about
SELinux to figure out what is causing this...
--
Stephen J Smoogen.
Professional System Administrator
19 years, 5 months
/var/tmp/badcontext
by Stephen John Smoogen
What should users do with the files listed in /var/tmp/badcontext?
For the last 3 days I have had over 10000 files listed since I
installed it. I was wondering if I should be running some command
after a yum upgrade that I didn't know about ;).
17287 /var/tmp/badcontext.HNjBUG2517
52272 /var/tmp/badcontext.XzqEZB4859
22518 /var/tmp/badcontext.YGZFP27816
--
Stephen J Smoogen.
Professional System Administrator
19 years, 5 months
/lib/tls/i[456]86/libdb-4.2.so - patch to types.fc
by Tom London
Running 'setfiles -vv $FC /lib' produces:
setfiles: labeling files under /lib
setfiles: relabeling /lib/tls/i586/libdb-4.2.so from
system_u:object_r:shlib_t to system_u:object_r:lib_t
setfiles: conflicting specifications for /lib/tls/i486/libdb-4.2.so
and /lib/tls/i586/libdb-4.2.so, using system_u:object_r:shlib_t.
setfiles: relabeling /lib/tls/i486/libdb-4.2.so from
system_u:object_r:lib_t to system_u:object_r:shlib_t
Suggest this patch:
--- types.fc 2004-09-23 11:02:38.000000000 -0700
+++ /tmp/types.fc 2004-09-24 22:35:40.913346939 -0700
@@ -302,7 +302,7 @@
/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/lib(64)?/security/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/lib(64)?/tls/i486/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/lib(64)?/tls/i[456]86/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
#
# /sbin
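Review bot: the widened alternation on the `+` line, `/lib(64)?/tls/i[456]86/[^/]*\.so(\.[^/]*)*`, also pulls every `.so` sitting directly under /lib/tls/i686/ into shlib_t, which the removed `i486`-only line did not; the setfiles output above only shows the i486 and i586 copies of libdb-4.2.so conflicting (the two paths resolve to one file, so their specifications must agree), so please confirm the i686 widening is intended, and add a `#` comment above the new line saying that the per-arch copies under /lib/tls must carry the same context so setfiles stops flipping them between lib_t and shlib_t on each run. The separate `/lib(64)?/tls/i686/cmov/` entry is unaffected, since `[^/]*` does not cross the `cmov/` path component.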
tom
--
Tom London
19 years, 5 months
reconnecting USB printer
by Tom London
Running strict/enforcing, w/USB printer.
Reconnecting printer (after pulling the plug) yields the following:
Sep 25 18:46:47 fedora kernel: audit(1096163207.182:0): avc: denied
{ search } for pid=7592 exe=/usr/sbin/hal_lpadmin name=cups dev=hda2
ino=4474131 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:cupsd_etc_t tclass=dir
Sep 25 18:46:48 fedora kernel: audit(1096163208.050:0): avc: denied
{ read } for pid=7593 exe=/usr/bin/python name=printconf_tui.py
dev=hda2 ino=4309021 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:printconf_t tclass=file
Sep 25 18:46:48 fedora kernel: audit(1096163208.050:0): avc: denied
{ getattr } for pid=7593 exe=/usr/bin/python
path=/usr/share/printconf/util/printconf_tui.py dev=hda2 ino=4309021
scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:printconf_t tclass=file
Sep 25 18:46:49 fedora kernel: audit(1096163209.538:0): avc: denied
{ read } for pid=7595 exe=/usr/bin/perl name=urandom dev=tmpfs
ino=965 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Attached patch to cups.te adds allow rules for these.
Please correct/edit/etc.
tom
--
Tom London
19 years, 5 months
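The denials above are the input to the allow rules Tom's attached cups.te patch adds. As an added example (not Tom's patch or any part of the reference policy), the following Python parses the AVC lines quoted in the post, groups them by source type, target type and object class, and prints the minimal allow rules they imply, which is the same reduction audit2allow performs and a useful way to review a denial set before granting anything:

```python
import re
from collections import defaultdict

# Sample input: the four AVC denials quoted in the post, re-joined onto one line each.
AVC_LINES = [
    "Sep 25 18:46:47 fedora kernel: audit(1096163207.182:0): avc: denied { search } for pid=7592 "
    "exe=/usr/sbin/hal_lpadmin name=cups dev=hda2 ino=4474131 scontext=system_u:system_r:hald_t "
    "tcontext=system_u:object_r:cupsd_etc_t tclass=dir",
    "Sep 25 18:46:48 fedora kernel: audit(1096163208.050:0): avc: denied { read } for pid=7593 "
    "exe=/usr/bin/python name=printconf_tui.py dev=hda2 ino=4309021 scontext=system_u:system_r:hald_t "
    "tcontext=system_u:object_r:printconf_t tclass=file",
    "Sep 25 18:46:48 fedora kernel: audit(1096163208.050:0): avc: denied { getattr } for pid=7593 "
    "exe=/usr/bin/python path=/usr/share/printconf/util/printconf_tui.py dev=hda2 ino=4309021 "
    "scontext=system_u:system_r:hald_t tcontext=system_u:object_r:printconf_t tclass=file",
    "Sep 25 18:46:49 fedora kernel: audit(1096163209.538:0): avc: denied { read } for pid=7595 "
    "exe=/usr/bin/perl name=urandom dev=tmpfs ino=965 scontext=system_u:system_r:hald_t "
    "tcontext=system_u:object_r:urandom_device_t tclass=chr_file",
]

# "avc: denied { perm [perm ...] } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    return fields


def type_of(context):
    """Third field of user:role:type[:level] is the type the policy rules reference."""
    return context.split(":")[2]


def summarize(lines):
    """Map (source type, target type, class) to the union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
            rules[key].update(d["perms"])
    return dict(rules)


def to_allow_rules(rules):
    """Render each grouped denial as a policy allow statement, in stable order."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    print("\n".join(to_allow_rules(summarize(AVC_LINES))))
```

The two printconf_t denials (read and getattr on the same inode) collapse into a single rule, which is the form a reviewer wants to see before deciding whether hald_t should really read that file.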