1105 fails to boot....
by Tom London
Running strict/enforcing, latest rawhide:
After installing latest packages, relabeling /etc, /bin, /lib, ....
and rebooting, the system produces lots of udev type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'
Boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type
bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied
{ read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17
scontext=system_u:system_r:hostname_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type
usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs
ino=17 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon name=customizable_types
dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied
{ read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied
{ use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied
{ read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652,
dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070
ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd:
ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using
/var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
17 years, 7 months
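Added example (editor's note, not code from the thread): the kernel AVC lines quoted in this and the following posts all share one format, and the first thing a practitioner does is pull them apart into source type, target type, object class and permission, then collapse duplicates into candidate allow rules the way audit2allow does. The parser below handles both the "kernel: audit(...)" syslog form and the later "type=KERNEL msg=audit(...)" form; the sample lines are copied from posts on this page, with one non-AVC kernel line to show it is skipped.

```python
import re
from collections import defaultdict

# Sample input: AVC lines copied from the posts on this page (including one
# later-format "type=KERNEL msg=audit(...)" line and one "granted" line), plus
# a non-AVC kernel line that the parser must skip.
SAMPLE_LOG = """\
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file
type=KERNEL msg=audit(1107189317.896:165031): avc: denied { create } for pid=3061 exe=/usr/sbin/htt_server name=.iiimp-unix scontext=user_u:system_r:i18n_input_t tcontext=user_u:object_r:i18n_input_var_run_t tclass=dir
Jan 8 21:38:23 chaucer kernel: audit(1105249103.605:0): avc: granted { load_policy } for pid=4233 exe=/usr/sbin/load_policy scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<verdict>denied|granted)\s*\{(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one syslog/audit line into a dict, or return None if it is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
    }
    rec.update(KV_RE.findall(m.group("rest")))
    # Break the contexts into user/role/type so rules can be keyed on types.
    for key in ("scontext", "tcontext"):
        user, role, typ = rec[key].split(":")[:3]  # an MLS range, if present, is dropped
        rec[key[0] + "user"], rec[key[0] + "role"], rec[key[0] + "type"] = user, role, typ
    return rec


def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def allow_rules(records):
    """Merge denials into candidate allow rules, one per (source type, target type, class)."""
    merged = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['verdict']:7} {r.get('exe', '?'):24} "
              f"{r['stype']} -> {r['ttype']}:{r['tclass']} {sorted(r['perms'])}")
    print("\n".join(allow_rules(recs)))
```

The generated rules are for reading, not for pasting into the policy: a denial whose target type is clearly wrong for the object (a socket or config file carrying a generic type, for instance) is a labelling problem to be fixed with restorecon or a file_contexts entry, and writing an allow rule for it would only widen the policy.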
ntpd drift.TEMP file
by mroselinux@eastgranby.k12.ct.us
I have just built an FC3 Samba server using the K12LTSP ISOs and am
getting the following messages in the log.
Jan 21 01:55:14 admin ntpd[9988]: can't open /etc/ntp/drift.TEMP:
Permission denied
Jan 21 01:55:14 admin kernel: audit(1106290514.375:0): avc: denied {
write } for pid=9988 exe=/usr/sbin/ntpd name=ntp dev=hda3 ino=3392705
scontext=root:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=dir
With SELinux enabled, the drift file could not be created. In permissive
mode, the drift file is properly created and updated. What have I done
wrong?
[root@admin ntp]# ls -dZ .
drwxr-xr-x ntp ntp system_u:object_r:etc_t
[root@admin ntp]# ls -lZ drift
-rw-r--r-- ntp ntp root:object_r:etc_t drift
Mark Orenstein
East Granby, CT School System
18 years, 3 months
load_policy in chroot question
by Bob Kashani
When I install the selinux-policy-targeted rpm in a chroot it seems that
load_policy is executed and loads the policy that's installed in the
chroot into the running kernel (I'm assuming via %post). Should
installing the selinux-policy-targeted rpm in a chroot allow this to
happen? What if you're installing a policy into the chroot that's
different than the one you have installed on your system? Is there a way
to not allow load_policy to execute in a chroot?
Here are the AVC messages I'm getting:
Jan 8 21:38:23 chaucer kernel: audit(1105249103.605:0): avc: granted
{ load_policy } for pid=4233 exe=/usr/sbin/load_policy
scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Jan 8 21:38:23 chaucer kernel: security: 3 users, 4 roles, 316 types,
20 bools
Jan 8 21:38:23 chaucer kernel: security: 53 classes, 7962 rules
Bob
--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
18 years, 3 months
New user/role transition error
by Steve Brueckner
I'm trying to add a new role and test it by adding a user with access to
that role. I can su to the new user, but then when I try to newrole I get
"... is not a valid context". Here are my steps so far; I'm starting from
the default strict policy:
#useradd engineer
Added the following to .../strict/src/policy/users
user engineer roles { user_r developer_r };
Added the following to .../strict/src/policy/domains/user.te
full_user_role(developer)
allow system_r developer_r
allow sysadm_r developer_r
allow user_r developer_r
allow staff_r developer_r
Added the following to the in_user_role macro in
.../strict/src/policy/macros/user_macros.te
role developer_r types $1;
Added the following to .../strict/src/policy/appconfig/default_type
developer_r:user_t
#make load
steve$ id -Z
user_u:user_r:user_t
steve$ su engineer
engineer$ id -Z
engineer:user_r:user_t
engineer$ newrole -r developer_r
engineer:developer_r:user_t is not a valid context
Any ideas what I've neglected in setting this up? Thanks!
18 years, 3 months
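Added example (editor's note, not code from the thread): "is not a valid context" from newrole means the kernel refused the user:role:type triple itself, before any role-transition rule is consulted. Two authorizations must both hold: the user must be declared with that role, and the role must be declared for that type (role R types T). The toy model below encodes the declarations quoted in the post and the two checks. Assumptions, not taken from the post: full_user_role(developer) declares developer_t and authorizes developer_r for it (as the macro does for user_r/user_t), and the "role developer_r types $1;" line added to in_user_role only reaches the types that macro is applied to, which in this model does not include user_t.

```python
# Toy model of the parts of a strict policy that decide whether a
# user:role:type context is valid and whether newrole may move into it.
# Assumption (see lead-in): developer_r is authorized for developer_t via
# full_user_role(developer), and is not authorized for user_t.
POLICY = {
    # user declarations: user X roles { ... };
    "user_roles": {
        "system_u": {"system_r"},
        "user_u": {"user_r"},
        "engineer": {"user_r", "developer_r"},
    },
    # role declarations: role R types T;
    "role_types": {
        "user_r": {"user_t"},
        "developer_r": {"developer_t"},
    },
    # role allow rules from the post: allow R1 R2;
    "role_allow": {
        ("system_r", "developer_r"), ("sysadm_r", "developer_r"),
        ("user_r", "developer_r"), ("staff_r", "developer_r"),
    },
}

# appconfig/default_type as quoted in the post: the type newrole -r uses
# when no type is given on the command line.
DEFAULT_TYPE = {"user_r": "user_t", "developer_r": "user_t"}


def context_valid(policy, ctx):
    """The two checks the kernel applies to a user:role:type context (no MLS here)."""
    user, role, typ = ctx.split(":")
    if role not in policy["user_roles"].get(user, set()):
        return False, f"user {user} is not authorized for role {role}"
    if typ not in policy["role_types"].get(role, set()):
        return False, f"role {role} is not authorized for type {typ}"
    return True, "valid"


def newrole(policy, default_type, current_ctx, new_role):
    """Model newrole -r ROLE: keep the user, take the type from default_type,
    validate the context, then check the role change is permitted from here."""
    user, cur_role, _ = current_ctx.split(":")
    target = f"{user}:{new_role}:{default_type[new_role]}"
    ok, why = context_valid(policy, target)
    if not ok:
        return target, False, f"{target} is not a valid context ({why})"
    if (cur_role, new_role) not in policy["role_allow"]:
        return target, False, f"{cur_role} may not change to {new_role}"
    return target, True, "ok"


if __name__ == "__main__":
    print(newrole(POLICY, DEFAULT_TYPE, "engineer:user_r:user_t", "developer_r")[2])
    # With default_type pointing at the role's own type the same command goes through.
    fixed = dict(DEFAULT_TYPE, developer_r="developer_t")
    print(newrole(POLICY, fixed, "engineer:user_r:user_t", "developer_r")[2])
```

Under these assumptions the model reproduces the error in the post: engineer is authorized for developer_r, but developer_r is not authorized for user_t, so engineer:developer_r:user_t fails the second check regardless of the role allow rules. On a real system the same question is answered by the policy source (grep the compiled policy.conf for "role developer_r types") rather than by a model.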
findutils-4.2.15
by Tim Waugh
Hi,
I just updated findutils to 4.2.15 in devel. Please check that I
didn't make any mistakes porting the findutils-selinux.patch.
Thanks,
Tim.
18 years, 3 months
Request Tracker 3
by Kanwar Ranbir Sandhu
Hello Everyone,
Has anyone attempted to run RT3 (3.2.2) on a FC3 system? I'm running
into a bunch of selinux errors, and I'm having problems resolving the
issue: I'm just not very familiar with selinux.
Here's the error in /var/log/httpd/error_log:
---start---
[Sun Jan 30 19:42:14 2005] [notice] suEXEC mechanism enabled
(wrapper: /usr/sbin/suexec)
[Sun Jan 30 19:42:17 2005] [notice] Digest: generating secret for digest
authentication ...
[Sun Jan 30 19:42:17 2005] [notice] Digest: done
[Sun Jan 30 19:42:17 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Jan 30 19:42:17 2005] [notice] LDAP: SSL support unavailable
[Sun Jan 30 19:42:17 2005] [notice] FastCGI: process manager initialized
(pid 669)
[Sun Jan 30 19:42:17 2005] [warn] FastCGI: server
"/var/www/rt/bin/mason_handler.fcgi" started (pid 670)
[Sun Jan 30 19:42:17 2005] [notice] mod_python: Creating 4 session
mutexes based on 256 max processes and 0 max threads.
[Sun Jan 30 19:42:19 2005] [notice] Apache/2.0.52 (Fedora) configured --
resuming normal operations
[Sun Jan 30 19:42:22 2005] [warn] FastCGI: server
"/var/www/rt/bin/mason_handler.fcgi" started (pid 679)
[Sun Jan 30 19:42:27 2005] [warn] FastCGI: server
"/var/www/rt/bin/mason_handler.fcgi" started (pid 681)
[Sun Jan 30 19:42:32 2005] [warn] FastCGI: server
"/var/www/rt/bin/mason_handler.fcgi" started (pid 682)
Log file /var/log/rt.log couldn't be written or created.
RT can't run. at /var/www/rt/lib/RT.pm line 204.
---end---
And here's what's output to /var/log/messages while that's going on:
---start--
avc: denied { getattr } for pid=681 exe=/usr/bin/perl path=/var/log
dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_log_t tclass=dir
avc: denied { ioctl } for pid=693 exe=/usr/bin/perl
path=/var/log/httpd/error_log dev=dm-5 ino=129070
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_log_t tclass=file
avc: denied { read } for pid=693 exe=/usr/bin/perl name=tmp dev=dm-3
ino=12 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:tmp_t tclass=lnk_file
---end---
Ummm... not quite sure how to interpret that. But it looks like SELinux
doesn't like the context of /var/log/rt.log, which currently is:
-rw-r--r-- root rt system_u:object_r:httpd_log_t /var/log/rt.log
And for /var/log/http (as well as for all files within):
drwx------ root root system_u:object_r:httpd_log_t
I could just turn off selinux, but seeing as how I've managed to run
SugarCRM and Mambo on the same box, RT3 should work as well.
Thanks in advance.
Regards,
Ranbir
--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
18 years, 4 months
execmod avcs from today's policy
by Tom London
Running strict/enforcing, today's Rawhide.
Noticed the avcs below in the log.
I believe the java one may be from the sun JVM I have installed....
xscreensaver and helixplayer ones are new.
My understanding is that I need to set the boolean 'allow_execmod' to
allow this kind of thing (although nothing appears broken....)
Do I have that correct?
tom
Jan 28 07:54:36 fedora gdm(pam_unix)[3218]: session opened for user
tbl by (uid=0)
Jan 28 07:54:48 fedora kernel: audit(1106927688.744:0): avc: denied
{ execmod } for pid=3491 comm=xscreensaver-gl
path=/usr/X11R6/lib/libGL.so.1.2 dev=hda2 ino=4127021
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:54:57 fedora kernel: audit(1106927697.979:0): avc: denied
{ execmod } for pid=3549 comm=java path=/lib/libc-2.3.4.so dev=hda2
ino=3178539 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:shlib_t tclass=file
Jan 28 07:55:19 fedora kernel: audit(1106927719.841:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/swfrender.so dev=hda2 ino=4375247
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:55:21 fedora kernel: audit(1106927721.289:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/oggfformat.so dev=hda2 ino=4376641
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:55:21 fedora kernel: audit(1106927721.316:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/theorarend.so dev=hda2 ino=4376654
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:55:22 fedora kernel: audit(1106927722.757:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/vorbisrend.so dev=hda2 ino=4376655
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
18 years, 4 months
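Added example (editor's note, not code from the thread): an execmod denial is raised when a process asks for PROT_EXEC on a private file-backed mapping it has already written to. For shared libraries the usual cause is text relocations (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS), which make ld.so patch the code pages at load time; the checker below reads the dynamic segment of an ELF file and reports whether that flag is set, for ELF32/ELF64 and either byte order. The build_toy_elf() helper is a constructed, non-loadable stub so the detector can be exercised offline; on a real box you would point check_file() at the paths from the AVCs, e.g. /usr/X11R6/lib/libGL.so.1.2, or use readelf -d and look for TEXTREL.

```python
import struct

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4

# (EI_CLASS, EI_DATA) -> struct formats for the ELF header after e_ident,
# one program header, and one dynamic entry.
FORMATS = {
    (1, 1): ("<HHIIIIIHHHHHH", "<IIIIIIII", "<iI"),   # ELF32 little-endian
    (2, 1): ("<HHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"),   # ELF64 little-endian
    (1, 2): (">HHIIIIIHHHHHH", ">IIIIIIII", ">iI"),   # ELF32 big-endian
    (2, 2): (">HHIQQQIHHHHHH", ">IIQQQQQQ", ">qQ"),   # ELF64 big-endian
}


def has_textrel(data):
    """True if the dynamic section carries DT_TEXTREL or DF_TEXTREL, i.e. ld.so
    will write into pages mapped from the file and then need them executable,
    which is what SELinux reports as execmod on the library."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ehdr_fmt, phdr_fmt, dyn_fmt = FORMATS[(data[4], data[5])]
    fields = struct.unpack_from(ehdr_fmt, data, 16)
    phoff, phentsize, phnum = fields[4], fields[8], fields[9]
    is64 = data[4] == 2
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        # Elf64_Phdr has p_flags second; Elf32_Phdr has p_offset second.
        p_type, p_offset, p_filesz = (ph[0], ph[2], ph[5]) if is64 else (ph[0], ph[1], ph[4])
        if p_type != PT_DYNAMIC:
            continue
        step = struct.calcsize(dyn_fmt)
        for pos in range(p_offset, p_offset + p_filesz, step):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
        return False
    return False  # no PT_DYNAMIC: nothing for the dynamic loader to relocate


def check_file(path):
    with open(path, "rb") as f:
        return has_textrel(f.read())


def build_toy_elf(textrel, is64=True, via_tag=False):
    """Constructed minimal ELF (header + one PT_DYNAMIC segment) for offline
    testing of has_textrel(); it is not a loadable object."""
    ehdr_fmt, phdr_fmt, dyn_fmt = FORMATS[(2 if is64 else 1, 1)]
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1, 0]) + b"\x00" * 8
    ehsize = 16 + struct.calcsize(ehdr_fmt)
    phentsize = struct.calcsize(phdr_fmt)
    dyn_off = ehsize + phentsize
    if textrel and via_tag:
        dyn = struct.pack(dyn_fmt, DT_TEXTREL, 0)          # old-style marker
    else:
        dyn = struct.pack(dyn_fmt, DT_FLAGS, DF_TEXTREL if textrel else 0)
    dyn += struct.pack(dyn_fmt, DT_NULL, 0)
    # e_type=ET_DYN, e_machine x86-64 or i386, one program header, no sections.
    ehdr = ident + struct.pack(ehdr_fmt, 3, 62 if is64 else 3, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, 1, 0, 0, 0)
    if is64:
        phdr = struct.pack(phdr_fmt, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    else:
        phdr = struct.pack(phdr_fmt, PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(f"{path}: {'TEXTREL' if check_file(path) else 'clean'}")
    print("toy with textrel:", has_textrel(build_toy_elf(True)))
    print("toy without:", has_textrel(build_toy_elf(False)))
```

A library that reports TEXTREL is the one to fix (rebuild with -fPIC, or take it up with the vendor for binary-only code like the JVM or Helix plugins); flipping allow_execmod for the whole system removes the protection for every domain, so when the library cannot be rebuilt, relabelling just that file to a type the policy permits execmod on is the narrower alternative, where the policy in use provides one.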
other Raw Hide avc messages
by Joe Orton
selinux-policy-targeted-1.21.5-1
kernel-2.6.10-1.1115_FC4
one lot of:
type=KERNEL msg=audit(1107189317.896:165031): avc: denied { create }
for pid=3061 exe=/usr/sbin/htt_server name=.iiimp-unix
scontext=user_u:system_r:i18n_input_t
tcontext=user_u:object_r:i18n_input_var_run_t tclass=dir
and many times:
type=KERNEL msg=audit(1107189602.159:494563): avc: denied { transition
} for pid=3596 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=1933320
scontext=user_u:system_r:crond_t
tcontext=system_u:system_r:unconfined_t tclass=process
which seems to mean that all cron scripts are failing and I am getting a
execl: couldn't exec `/bin/sh'
execl: Permission denied
message from crond every couple of minutes.
joe
18 years, 4 months
Squirrelmail, MySQL-change password and SELinux
by Roger Grosswiler
Hi,
I successfully installed SquirrelMail with MySQL authentication.
After installing the change_mysql plugin, I got the following message
in /var/log/messages:
> Jan 31 22:21:53 frodo kernel: audit(1107206513.281:0): avc: denied { write } for pid=12823 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=360554 scontext=root:system_r:httpd_t tcontext=root:object_r:var_lib_t tclass=sock_file
> Jan 31 22:22:07 frodo kernel: audit(1107206527.169:0): avc: denied { write } for pid=12825 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=360554 scontext=root:system_r:httpd_t tcontext=root:object_r:var_lib_t tclass=sock_file
while SquirrelMail's plugin said that the database is busy. If I
understand the above right, SELinux didn't let the plugin write the new
password to the MySQL database.
What can I do (except disabling SELinux)?
Thanks,
Roger
18 years, 4 months
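Added example (editor's note, not code from the thread), covering the ntpd drift, Request Tracker and SquirrelMail posts above: in all three the denial names a target type that may simply be the wrong label for the object, and the first split to make is "mislabel (restorecon fixes it)" versus "the label is what the policy wants, so a rule is genuinely missing". That is what matchpathcon does against file_contexts, where the last matching entry in file order wins and a type flag such as -s restricts an entry to sockets. The file_contexts excerpt below is constructed and only approximates the Fedora Core 3 policies of the time (in particular that /etc/ntp is ntp_drift_t and /var/lib/mysql/mysql.sock is mysqld_var_run_t); on a real box read /etc/selinux/<policy>/contexts/files/file_contexts instead.

```python
import re

# Constructed file_contexts excerpt (assumption: approximates the FC3 policies;
# the real file lives under /etc/selinux/<policy>/contexts/files/).
FILE_CONTEXTS = r"""
/.*                            system_u:object_r:default_t
/etc(/.*)?                     system_u:object_r:etc_t
/etc/ntp(/.*)?                 system_u:object_r:ntp_drift_t
/var/lib(/.*)?                 system_u:object_r:var_lib_t
/var/lib/mysql(/.*)?           system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql\.sock  -s system_u:object_r:mysqld_var_run_t
/var/log(/.*)?                 system_u:object_r:var_log_t
/var/log/httpd(/.*)?           system_u:object_r:httpd_log_t
"""

# file_contexts type flags -> the object class an AVC message reports.
FLAG_TO_CLASS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
                 "-b": "blk_file", "-c": "chr_file", "-p": "fifo_file"}


def load_specs(text):
    """Parse file_contexts lines into (compiled regex, class-or-None, context)."""
    specs = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, flag, ctx = fields
            cls = FLAG_TO_CLASS[flag]
        else:
            regex, ctx = fields
            cls = None          # entry applies to every object class
        specs.append((re.compile("^" + regex + "$"), cls, ctx))
    return specs


def matchpathcon(specs, path, cls="file"):
    """Context the policy wants for path: the last matching spec in file order
    wins, as setfiles/restorecon/matchpathcon implement it."""
    for regex, spec_cls, ctx in reversed(specs):
        if spec_cls is not None and spec_cls != cls:
            continue
        if regex.match(path):
            return ctx
    return None


def triage(specs, path, cls, observed):
    """Classify a denial on path: mislabel (restorecon fixes it) or policy gap."""
    expected = matchpathcon(specs, path, cls)
    if expected is None:
        return "no_spec", None
    # Compare types only: restorecon without -F also ignores the user field,
    # so root:object_r:etc_t vs system_u:object_r:etc_t is not a mislabel.
    if expected.split(":")[2] != observed.split(":")[2]:
        return "mislabel", expected
    return "policy_gap", expected


if __name__ == "__main__":
    specs = load_specs(FILE_CONTEXTS)
    # (path, class, label as shown by ls -Z or the AVC tcontext in the posts)
    cases = [
        ("/etc/ntp", "dir", "system_u:object_r:etc_t"),                        # ntpd drift post
        ("/var/lib/mysql/mysql.sock", "sock_file", "root:object_r:var_lib_t"), # SquirrelMail post
        ("/var/log", "dir", "system_u:object_r:var_log_t"),                    # RT3 getattr denial
        ("/var/log/rt.log", "file", "system_u:object_r:httpd_log_t"),          # RT3 log file
    ]
    for path, cls, observed in cases:
        verdict, expected = triage(specs, path, cls, observed)
        print(f"{path:28} {verdict:10} expected={expected}")
```

Read "mislabel" as "not the label file_contexts would assign", which has two possible fixes: restorecon -v on the object when the label is an accident (a socket created while the daemon ran unconfined, a directory never relabelled after a policy update), or a new file_contexts entry when the label was set on purpose, as with a hand-labelled /var/log/rt.log. "policy_gap" means relabelling will not help and the domain really lacks the permission, which is where the allow-rule candidates from the AVC parser, or a boolean the policy already provides, come in.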