fsck.ext3 on bootup
by Tom London
Get these very early during boot up. I'm guessing we're trying to check
the 'early root' and that this is harmless. If so,
dontaudit fsadm_t device_t:blk_file { getattr };
That sound right?
tom
Sep 16 10:50:36 fedora kernel: ACPI: Sleep Button (CM) [FUTS]
Sep 16 10:50:36 fedora kernel: audit(1095357002.303:0): avc: denied { getattr } for pid=1839 exe=/sbin/fsck.ext3 path=/dev/root dev=tmpfs ino=2028 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:device_t tclass=blk_file
Sep 16 10:50:36 fedora kernel: EXT3 FS on hda2, internal journal
Sep 16 10:50:36 fedora kernel: device-mapper: 4.1.0-ioctl (2003-12-10) initialised: dm(a)uk.sistina.com
Sep 16 10:50:36 fedora kernel: audit(1095357004.327:0): avc: denied { getattr } for pid=2074 exe=/sbin/fsck.ext3 path=/dev/root dev=tmpfs ino=2028 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:device_t tclass=blk_file
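As an added example (not code from any of the posts), the following Python turns the old-style kernel AVC lines quoted in this thread into merged allow or dontaudit rules, the way audit2allow does, so the `dontaudit fsadm_t device_t:blk_file { getattr };` suggestion above can be derived mechanically. The sample records are copied from the posts on this page; the regex assumes the 2004 `audit(...): avc:` message layout shown here.

```python
import re
from collections import defaultdict

# 2004-era kernel AVC format as quoted on this page:
# audit(<ts>:<serial>): avc: denied { perms } for pid=.. exe=.. scontext=.. tcontext=.. tclass=..
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Records copied from the posts (fsck.ext3, hald, setenforce), each joined onto one line.
SAMPLE = [
    "Sep 16 10:50:36 fedora kernel: audit(1095357002.303:0): avc: denied { getattr } for pid=1839 "
    "exe=/sbin/fsck.ext3 path=/dev/root dev=tmpfs ino=2028 scontext=system_u:system_r:fsadm_t "
    "tcontext=system_u:object_r:device_t tclass=blk_file",
    "Sep 16 10:50:36 fedora kernel: audit(1095357004.327:0): avc: denied { getattr } for pid=2074 "
    "exe=/sbin/fsck.ext3 path=/dev/root dev=tmpfs ino=2028 scontext=system_u:system_r:fsadm_t "
    "tcontext=system_u:object_r:device_t tclass=blk_file",
    "Sep 25 10:28:57 fedora kernel: audit(1096133337.944:0): avc: denied { read write } for pid=3187 "
    "exe=/usr/sbin/hald name=lp0 dev=tmpfs ino=5073 scontext=system_u:system_r:hald_t "
    "tcontext=system_u:object_r:printer_device_t tclass=chr_file",
    "Sep 25 10:29:54 fedora kernel: audit(1096133394.349:0): avc: granted { setenforce } for pid=4107 "
    "exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t "
    "tclass=security",
]

def parse_avc(line):
    """Return the verdict, permission set and key fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "path": fields.get("path") or fields.get("name"),  # old format carries one or the other
        "sdomain": fields["scontext"].split(":")[2],      # user:role:type -> type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def suggest_rules(lines, verb="allow"):
    """Merge denials by (source domain, target type, class) and emit one rule per triple.
    Use verb="dontaudit" only where the access is known to be harmless, as in the fsck case."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["verdict"] == "denied":
            merged[(avc["sdomain"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return [f"{verb} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

Granted records (such as the setenforce notice) are parsed but never turned into rules, and repeated denials of the same triple collapse into a single line.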
hald - r/w access to /dev/usb/lp0?
by Tom London
When haldaemon starts, and typically just after the text 'login:'
appears but before the graphical stuff takes over, I get:
Sep 25 10:28:57 fedora kernel: audit(1096133337.944:0): avc: denied
{ read write } for pid=3187 exe=/usr/sbin/hald name=lp0 dev=tmpfs
ino=5073 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:printer_device_t tclass=chr_file
referring to /dev/usb/lp0.
Does hald need read/write access to the printer_device?
Seems strange, but if so, we need to add to hald.te. If not,
any idea what's happening?
tom
--
Tom London
setenforce notice to dbus, 13 minute delay?
by Tom London
I notice that when I do 'setenforce', dbus is notified.
But there appears to be a significant delay, e.g., 13-15 minutes,
before dbus logs it.
Is this just log buffer 'flush buffer' timing? Is this to be expected?
thanks,
tom
Sep 25 10:29:54 fedora kernel: audit(1096133394.349:0): avc: granted
{ setenforce } for pid=4107 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
<SNIP>
Sep 25 10:43:21 fedora dbus: avc: received setenforce notice (enforcing=0)
--
Tom London
cups.te: ptal_t needs to read usbfs_t
by Tom London
When hpoj starts, it produces the following:
Sep 25 10:28:24 fedora kernel: audit(1096133304.072:0): avc: denied
{ read } for pid=2769 exe=/usr/sbin/ptal-mlcd dev=usbfs ino=2309
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=dir
ptal_t already has 'r_dir_file(ptal_t, usbdevfs_t)'.
Suggest adding 'r_dir_file(ptal_t, usbfs_t)'
[Are both still needed?]
tom
--- cups.te 2004-09-23 11:02:38.000000000 -0700
+++ /tmp/cups.te 2004-09-25 10:57:11.147771270 -0700
@@ -156,6 +156,7 @@
allow ptal_t printer_device_t:chr_file { ioctl read write };
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(ptal_t, usbdevfs_t)
+r_dir_file(ptal_t, usbfs_t)
allow cupsd_t ptal_var_run_t:sock_file { write setattr };
allow cupsd_t ptal_t:unix_stream_socket { connectto };
allow cupsd_t ptal_var_run_t:dir { search };
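Review bot: the added `r_dir_file(ptal_t, usbfs_t)` grants read on both directories and files of usbfs_t, while the AVC quoted above shows only a dir read by ptal-mlcd; that is fine if the daemon also reads device files there, but if only directory listing is needed, `allow ptal_t usbfs_t:dir r_dir_perms;` would be tighter. On the question in the post, the `r_dir_file(ptal_t, usbdevfs_t)` line directly above is only needed while kernels that still label the filesystem usbdevfs_t are supported, so a comment saying which kernels each line serves would help whoever removes it later.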
--
Tom London
firefox, gaim, /lib/ld-2.3.3.so ?
by Tom London
After being on the road for a bit, I did a 'yum update' to grab the new stuff.
After doing so (>300 packages), running strict/enforcing,
firefox and gaim fail to start:
Sep 23 20:10:29 fedora kernel: audit(1095995429.976:0): avc: denied
{ write } for pid=4755 path=/lib/ld-2.3.3.so dev=hda2 ino=3178536
scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:ld_so_t tclass=file
Sep 23 20:10:31 fedora kernel: audit(1095995431.164:0): avc: denied
{ unlink } for pid=4755 exe=/usr/lib/firefox-0.10.0/firefox-bin
name=.fonts.cache-1 dev=hda2 ino=2752979
scontext=user_u:user_r:user_mozilla_t
tcontext=user_u:object_r:user_home_t tclass=file
and
Sep 23 20:26:51 fedora kernel: audit(1095996411.010:0): avc: denied
{ write } for pid=4838 path=/lib/ld-2.3.3.so dev=hda2 ino=3178536
scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t
tclass=file
Running in permissive mode both start, and /lib/ld-2.3.3.so is not written to.
Write to /lib/ld-2.3.3.so ????? Did I do something stupid?
tom
--
Tom London
RE: What is SELinux targeted policy?
by Alex Ackerman
>-----Original Message-----
>From: fedora-selinux-list-bounces(a)redhat.com on behalf of Daniel J Walsh
>Sent: Mon 9/20/2004 5:35 PM
>To: For users of Fedora Core releases; Fedora SELinux support list for users & developers.; Development discussions related to Fedora Core
>Subject: What is SELinux targeted policy?
>Strict policy is still available but will not be installable
>directly, you can use selinux-config-securitylevel to turn it on
>and relabel the file system.
Does this mean the strict policy will not work on a Fedora Core system at all or that it will take some customization prior to working effectively? Also, are there plans to support te domains for either Sendmail or Postfix via the SELinux policy in the near future? What about PostgreSQL/MySQL?
Thanks!
Alex Ackerman
http://www.darkhonor.com
updated SELinux FAQ
by Karsten Wade
Fedora Core 3 test 2:
http://fedora.redhat.com/docs/selinux-faq-fc3test2/ (v. 1.3-1)
Fedora Core 2:
http://fedora.redhat.com/docs/selinux-faq-fc2/ (v. 1.2-8)
1. Notice the new URLs. These are permanent homes. Currently, the
copies on people.redhat.com are up-to-date, and I will work out some
form of redirect in the near future.
2. Content *should* be technically updated to match test2. If not, see 3.
3. If you have bugs or additional questions (and hopefully answers), use
the bugzilla form that is linked from the first Tip box "Making
changes/additions to the Fedora SELinux FAQ".
4. A few new questions in this version:
Q: What is the SELinux targeted policy?
Q: What daemons are protected by the targeted policy?
Q: Which daemons will you add to the targeted policy? How about
Sendmail, Postfix, MySQL, or PostgreSQL?
Q: What about the strict policy? Does it even work?
Q: How do I install/not install SELinux?
Q: How do I switch the policy I'm using?
Q: How do I enable/disable SELinux protection on specific daemons
under the targeted policy?
Q: Why does SELINUX=disabled not work for me?
5. Lifecycle comments: I'll maintain this FAQ as long as it is useful.
This FAQ is particular to each version of Fedora Core. Each version of
this FAQ will follow the version of Fedora to the Legacy Project, when
the time comes.
- Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
get the red and green back (really consoletype, rhgb)
by Tom London
Booting in strict/enforcing, 'Fedora' in the 'Welcome to Fedora Core'
message is no longer red, the subsequent 6 or so messages are formatted
differently (i.e., the '[OK]' is not nicely indented, and it is not in
green).
Also, rhgb doesn't start. (Yeah, I know, this is not a bug, it's a
feature ;) )
Anyway, the following patch puts the red and green back in the boot.
The change mimics the privileges given for console_device_t:chr_file
---
/etc/selinux/strict/src-1.17.16-3/policy/domains/program/consoletype.te
2004-09-16 07:14:24.000000000 -0700
+++ ./consoletype.te 2004-09-16 11:37:14.000000000 -0700
@@ -52,5 +52,5 @@
allow consoletype_t pam_var_run_t:file { getattr read };
')
ifdef(`distro_redhat', `
-dontaudit consoletype_t tmpfs_t:chr_file { read write };
+allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };
')
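Review bot: replacing the `dontaudit` with `allow consoletype_t tmpfs_t:chr_file { getattr ioctl read write };` opens read/write to every character device node still labeled tmpfs_t, not only the console, since any node on a tmpfs /dev that has not been relabeled yet carries that type. The narrower fix is to get the console node labeled console_device_t, which the existing rule the post mentions already covers, so this line can stay a dontaudit; if the allow is kept, a comment saying it exists for the early-boot console on tmpfs would help the next reader.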
The following makes rhgb work in strict/enforcing. The problem
is that it wants to mount /etc/rhgb, but it is currently labeled
'etc_t'. Labeling /etc/rhgb as 'root_t' makes it work. Not sure
if this is really 'proper'. I'd be more comfortable with it being
labeled something like 'etc_rhgb_t' or some such, or moving
the mount point....
---
/etc/selinux/strict/src-1.17.16-3/policy/file_contexts/program/rhgb.fc
2004-09-16 07:14:24.000000000 -0700
+++ ./rhgb.fc 2004-09-16 12:21:12.424588200 -0700
@@ -1,2 +1,3 @@
/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t
#/etc/dbus-1(/.*)? system_u:object_r:etc_dbusd_t
+/etc/rhgb -d system_u:object_r:root_t
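Review bot: `/etc/rhgb -d system_u:object_r:root_t` reuses the type of the filesystem root, so every domain allowed to search or mount on root_t gains the same on /etc/rhgb, and the directory stops being etc_t for anything that relies on that. The post already flags this; a dedicated type such as the suggested etc_rhgb_t, with only the mount-related permissions rhgb needs, is the cleaner change, and the entry should carry a comment explaining why the directory is a mount point.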
mount ?
by Tom London
Running strict/enforcing, with latest from Dan's tree.
The 'mount' command produces no output when run in enforcing mode.
Works fine in permissive mode.
No AVCs produced.....
tom
mailman...
by Tom London
Running strict/enforcing, latest packages from Dan's tree.
Argh... mailman again.
Here's the avc:
Sep 15 20:40:02 fedora kernel: audit(1095306002.105:0): avc: denied {
getattr } for pid=20117 exe=/usr/bin/python
path=/var/mailman/pythonlib/korean/__init__.pyc dev=hda2 ino=444330
scontext=system_u:system_r:mailman_queue_t
tcontext=system_u:object_r:var_t tclass=file
occurs every 5 minutes (so generates lots of errored emails). Mailman
requires python 'stuff' from /var/mailman/pythonlib and from /var/mailman/Mailman.
I can think of 2 possible fixes:
1. Explicitly allow mailman_queue_t to read var_t:
--- mailman.te 2004-09-15 12:53:30.000000000 -0700
+++
/etc/selinux/strict/src-1.17.14-1.patched/policy/domains/program/mailman.te2004-09-14
16:36:43.000000000 -0700
@@ -31,7 +31,7 @@
can_network(mailman_$1_t)
can_ypbind(mailman_$1_t)
allow mailman_$1_t self:unix_stream_socket create_socket_perms;
-allow mailman_$1_t var_t:dir r_dir_perms;
+r_dir_file(mailman_$1_t, var_t)
')
mailman_domain(queue, `, auth_chkpwd')
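Review bot: changing `allow mailman_$1_t var_t:dir r_dir_perms;` to `r_dir_file(mailman_$1_t, var_t)` lets every mailman domain the macro is instantiated for read every var_t file on the system, not just /var/mailman/pythonlib, because var_t is the catch-all for /var content without a more specific type. Option 2 in the post, labeling the Python modules with their own type, keeps the grant scoped to what mailman actually reads; a mailman-owned type would be more accurate than shlib_t, which other domains can read as well.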
or
2. by relabeling the .py, .pyc and .pyo files in /var/mailman/pythonlib
and /var/mailman/Mailman as shlib_t (or something else?)
i.e. adding this to mailman.fc:
/var/mailman/pythonlib(/.*)?/.*\.py([co])? -- system_u:object_r:shlib_t
/var/mailman/Mailman(/.*)?/.*\.py([co])? -- system_u:object_r:shlib_t
I'm not sure that shlib_t is correct. (Should it be mailman_queue_t?)
But I noticed an entry in types.fc for .so files in the pythonlib tree,
and copied that.
tom
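To check what the proposed mailman.fc entries (and the rhgb.fc entry from the earlier post) would actually label, here is an added Python sketch of file_contexts matching; it is not code from the posts or from setfiles itself. The entry text is copied from the page; the sketch assumes setfiles' behaviour of anchoring each regex at both ends and, when several entries match, taking the last one in file order.

```python
import re

# file_contexts lines copied from the posts on this page (rhgb.fc and the proposed mailman.fc).
# Column 2 is the optional object-type flag used by setfiles; the context is user:role:type.
FC_TEXT = r"""
/usr/bin/rhgb -- system_u:object_r:rhgb_exec_t
/etc/rhgb -d system_u:object_r:root_t
/var/mailman/pythonlib(/.*)?/.*\.py([co])? -- system_u:object_r:shlib_t
/var/mailman/Mailman(/.*)?/.*\.py([co])? -- system_u:object_r:shlib_t
"""

FLAGS = {"--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
         "-l": "lnk_file", "-s": "sock_file", "-p": "fifo_file"}

def parse_fc(text):
    """Compile each entry into (anchored regex, required object type or None, context)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, ctx = parts
            ftype = FLAGS[flag]
        else:
            regex, ctx = parts
            ftype = None  # no flag: the entry applies to any object type
        # setfiles matches the whole path, so anchor the regex at both ends
        entries.append((re.compile(r"^(?:" + regex + r")$"), ftype, ctx))
    return entries

def match_type(entries, path, ftype="file"):
    """Return the type an object at `path` of kind `ftype` would get, or None if no entry matches.
    Assumption (see lead-in): among several matching entries the last one in file order wins."""
    for rx, want, ctx in reversed(entries):
        if rx.match(path) and (want is None or want == ftype):
            return ctx.split(":")[2]
    return None

ENTRIES = parse_fc(FC_TEXT)
```

The .pyc from the mailman AVC above lands on shlib_t under these entries, while a .so in the same tree matches nothing and would keep whatever the surrounding /var entry gives it.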