getting nfsd to export /mnt/whatever and /l/x
by Alexandre Oliva
So I have some filesystems in /mnt/whatever, /l/x, /l/y/z that are
exported over nfs. FC3 used to be able to export them fine, but in
yesterday's rawhide tree, mountd fails to stat the exported mount
points, so everything falls apart. bug 118946 seems to imply this
should be fixed, but it doesn't work for me. Should I reopen that
bug, or create a new one?
--
Alexandre Oliva http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer aoliva(a){redhat.com, gcc.gnu.org}
Free Software Evangelist oliva(a){lsd.ic.unicamp.br, gnu.org}
18 years, 2 months
Permissive mode on individual services
by Sitsofe Wheeler
Hello,
In a similar way to the way that selinux can be turned on or off for a
single service like apache, is there any way to selectively have
permissive mode on just one service and enforcing on all the rest?
--
Sitsofe | http://sucs.org/~sits/
18 years, 2 months
selinux and feedback from web
by Hongwei Li
Hi,
My system information --
os: RedHat FC3 linux, kernel-2.6.10-1.741_FC3, selinux
enforced, iptables enabled
selinux: selinux-policy-targeted-1.17.30-2.73 (the most up-to-date one)
iptables: iptables-1.2.11-3.1.FC3
web: httpd-2.0.52-3.1
sendmail: sendmail-8.13.1-2
php: php-4.3.10-3.2
SELINUXTYPE targeted
I have a testing feedback php code for my web site using
mail($toaddress, $subject, $mailcontent, $fromaddress);
If selinux is disabled, the code works well. The user ($toaddress)
receives the content ($mailcontent), etc. However, if selinux is
enforced, the user does not receive it and the system log shows:
Jan 28 14:19:46 pippo kernel: audit(1106943586.048:0): avc: denied {
read } for pid=6801 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=hda3 ino=470506 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Should I do something to make it work with selinux enforced?
Thanks!
Hongwei
18 years, 2 months
[OT] SELinux symposium BoFs and WiPs
by Karl MacMillan
This message is for those attending or considering attending the SELinux
Symposium.
I have been asked to organize Birds-of-a-Feather sessions (BoFs) and
Work-in-progress Reports (WiPs) for the upcoming SELinux symposium
(http://www.selinux-symposium.net/). These sessions will be a less formal time
to present new work or discuss topics of mutual interest. Hopefully this will
provide an opportunity for community building and collaboration. The conference
organizers are currently planning to have a reception with food and drinks on
the evening of the first day of the conference. At the beginning of the
reception there will be 30 - 45 minutes of WiPs. During the rest of the
reception there will be small breakout groups for BoFs. If you are attending the
symposium and interested in organizing a BoF or presenting a WiP please submit a
proposal. The number of slots for each will be limited, so the sooner you submit
your proposal the more likely it will be included. Details on the submission
process are included below.
Thanks,
Karl
Work-in-Progress Reports (WiPs)
WiPs are an opportunity to present emerging projects and technologies to the
community in short presentations. The presentations usually cover
works-in-progress, new results, or timely topics. Speakers should submit the
title of the presentation, a few sentences describing the topic, and a brief bio
by Feb 14 to chair(a)selinux-symposium.org. Accepted presenters will be notified
by email and the final schedule will be placed on the website and posted at the
conference.
Birds-of-a-Feather Sessions (BoFs)
BoFs are an opportunity to have an informal gathering of community members
interested in a particular topic. BoFs often include brief introductory remarks
or a demonstration followed by discussion. Interested parties can submit
suggestions for BoFs by Feb 14 to chair(a)selinux-symposium.org. Please include a
title, brief description of the topic, and contact information for the
organizer. Organizers will be notified of the acceptance of their BoF by email
and the final schedule will be placed on the website and posted at the
conference.
---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134
18 years, 2 months
Running httpd scripts from nfs mounts?
by John W. Lockhart
I'm trying to run scripts via httpd from a trusted nfs server,
but selinux is preventing me:
kernel: audit(1106703013.728:0): avc: denied { execute } for pid=28425
exe=/usr/sbin/httpd name=sanity_server.pl dev=0:12 ino=32407792
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t
tclass=file
So I umounted the nfs volume, and added the following to the
mount options in /etc/fstab:
context=system_u:object_r:httpd_sys_content_t
I mounted the volume again, and re-tried. That failed with:
kernel: audit(1106705663.904:0): avc: denied { execute_no_trans } for
pid=28573 exe=/usr/sbin/httpd
path=/mnt/myserver/testing-scripts/sanity_server.pl dev=0:12
ino=32407792 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Now, there's a lot of miscellaneous stuff on /mnt/myserver,
not just the web scripts. I need to figure out how to get the
scripts working again (preferably without breaking anything else)...
they worked fine under RHEL3, but are failing as above under the
current RHEL4 candidate.
kernel is: 2.6.9-5.EL #1 SMP Wed Jan 5 19:23:24 EST 2005 ia64 ia64 ia64
GNU/Linux
(The script fails on other architectures, as well; I just happened to be
using the ia64 box tonight.)
Any/all words of wisdom appreciated,
-- John
18 years, 2 months
Enormous local.users (849MB!!!)
by Tom London
Running strict/enforcing, latest rawhide.
After installing today's updates, here is 'ls -l /etc/selinux/strict/users':
[root@fedora users]# ls -l
total 830620
-rw-r--r-- 1 root root 849689211 Jan 27 07:18 local.users
-rw-r--r-- 1 root root 1062 Jan 26 15:17 local.users.rpmnew
-rw-r--r-- 1 root root 511 Jan 27 07:12 system.users
-rw-r--r-- 1 root root 509 Jan 26 07:08 system.users.rpmsave
I did 'mv local.users foobar', and did a 'make reload':
[root@fedora policy]# make reload
m4 tunables/distro.tun tunables/tunable.tun tmp/program_used_flags.te
/etc/selinux/strict/users/local.users | sed 's/^user/#user/g' >>
tmp/local.users
m4: /etc/selinux/strict/users/local.users: No such file or directory
install -m 644 tmp/local.users /etc/selinux/strict/users/local.users
Validating file_contexts ...
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.18
/etc/selinux/strict/contexts/files/file_contexts
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.18
touch tmp/load
[root@fedora policy]#
Here's the results:
[root@fedora users]# ls -l
total 1661216
-rw-r--r-- 1 root root 849689211 Jan 27 07:18 foobar
-rw-r--r-- 1 root root 849690274 Jan 27 10:53 local.users
-rw-r--r-- 1 root root 1062 Jan 26 15:17 local.users.rpmnew
-rw-r--r-- 1 root root 511 Jan 27 07:12 system.users
-rw-r--r-- 1 root root 509 Jan 26 07:08 system.users.rpmsave
[root@fedora users]#
[root@fedora policy]# ls -l tmp
total 830636
-rw-r--r-- 1 root root 371 Jan 12 08:23 configurable_types
-rw-r--r-- 1 root root 371 Jan 27 07:12 customizable_types
-rw-r--r-- 1 root root 0 Jan 27 10:53 load
-rw-r--r-- 1 root root 849690274 Jan 27 10:52 local.users
-rw-r--r-- 1 root root 3354 Jan 27 07:12 program_used_flags.te
-rw-r--r-- 1 root root 511 Jan 27 07:12 system.users
-rw-r--r-- 1 root root 0 Jan 27 10:53 valid_fc
[root@fedora policy]#
What did I do wrong? 849MB tmp/local.users??????
Should the command be '>/tmp/local.users' instead of
'>>/tmp/local.users'????
Can I clear this out?
tom
--
Tom London
18 years, 2 months
Hi, I forgot my username, and also it does not allow me to log in.
by abdul ayub
Hi,
My name is abdul ayub. I forgot my username but I know my password, but when I went there to log in, I could not log in because I forgot my username. Can you please tell me my username so that I will be able to log in and participate in the Forum. Thanks, abdul ayub.
18 years, 2 months
Help with domain transitions
by David Hampton
I'm having trouble getting exim to consistently transition domains so I
can work on a new policy. I'm probably overlooking something simple
here, but I can't figure out what.
I started with the targeted policy on an up to date FC3 system. In my
new exim.te file, I have a daemon_domain(exim, ...) declaration, which
yields (among other things) the following in the policy.conf file when I
run make:
type exim_exec_t, file_type, sysadmfile, exec_type;
allow initrc_t exim_exec_t:file { { read getattr lock execute ioctl }
execute_no_trans };
allow sysadm_t exim_exec_t:file { { read getattr lock execute ioctl }
execute_no_trans };
allow initrc_t exim_exec_t:file { read { getattr execute } };
allow exim_t exim_exec_t:file { read getattr lock execute ioctl };
allow exim_t exim_exec_t:file entrypoint;
type_transition initrc_t exim_exec_t:process exim_t;
The executable is correctly labeled:
-rwsr-xr-x root root system_u:object_r:exim_exec_t /usr/sbin/exim
I have run 'make reload', and /var/log/messages shows that the new
policy file was loaded. However, when I run exim it still always ends
up in the unconfined_t domain. It doesn't matter if I use 'service exim
restart', 'run_init service exim restart', or start exim by hand.
If I do a 'make fixfiles' then everything starts working as expected,
and all three ways of starting exim cause the transition to occur into
the exim_t domain.
Perhaps this is because I forcefully (rpm -U --force) reinstalled the
selinux-policy-targeted RPM the other night after I finished testing
things? Something's definitely fubar on my system.
David
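The four things an automatic domain transition needs (the source domain may execute the file, the new domain has entrypoint on that file type, the source domain may transition to the new domain, and a type_transition rule names the new domain) can be checked mechanically against policy.conf rules. This is an added example, not David's policy or any SELinux tool; POLICY_CONF repeats only the rules quoted in the post, so the process-transition permission, which the post leaves among "other things", is reported as absent from the excerpt.

```python
import re

# Constructed policy.conf excerpt, copied from the rules quoted in the post above.
POLICY_CONF = """
type exim_exec_t, file_type, sysadmfile, exec_type;
allow initrc_t exim_exec_t:file { { read getattr lock execute ioctl }
execute_no_trans };
allow initrc_t exim_exec_t:file { read { getattr execute } };
allow exim_t exim_exec_t:file { read getattr lock execute ioctl };
allow exim_t exim_exec_t:file entrypoint;
type_transition initrc_t exim_exec_t:process exim_t;
"""

RULE_RE = re.compile(r"(allow|type_transition) (\S+) (\S+):(\S+) (.+)")

def parse_rules(text):
    """Collect allow and type_transition rules; nested permission sets are flattened."""
    allows, transitions = {}, {}
    for stmt in re.sub(r"\s+", " ", text).split(";"):
        m = RULE_RE.match(stmt.strip())
        if not m:
            continue  # type declarations and anything else are not needed here
        kind, src, tgt, cls, rest = m.groups()
        if kind == "allow":
            perms = set(rest.replace("{", " ").replace("}", " ").split())
            allows.setdefault((src, tgt, cls), set()).update(perms)
        else:
            transitions[(src, tgt, cls)] = rest
    return allows, transitions

def check_transition(allows, transitions, src, exec_type, new_domain):
    """Which of the four requirements for src -> new_domain via exec_type are present."""
    return {
        "source_executes_file": "execute" in allows.get((src, exec_type, "file"), set()),
        "new_domain_entrypoint": "entrypoint" in allows.get((new_domain, exec_type, "file"), set()),
        "process_transition": "transition" in allows.get((src, new_domain, "process"), set()),
        "type_transition_rule": transitions.get((src, exec_type, "process")) == new_domain,
    }

def missing_requirements(text, src, exec_type, new_domain):
    """Names of the requirements that the given policy text does not satisfy."""
    allows, transitions = parse_rules(text)
    status = check_transition(allows, transitions, src, exec_type, new_domain)
    return sorted(name for name, ok in status.items() if not ok)
```

Note that even with all four rules in place the transition only happens when the file on disk really carries exec_type, which is why 'make fixfiles' (relabeling) changed the outcome in the post.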
18 years, 2 months
targeted policy: crond_t now invalid for initrc_t ?
by Tom London
Running targeted/enforcing, latest Rawhide:
Get the following on boot with latest policy (selinux-policy-targeted-1.21.2-6):
Jan 22 12:57:54 localhost kernel: audit(1106427474.075:0):
security_compute_sid: invalid context user_u:system_r:crond_t for
scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
Jan 22 12:57:54 localhost gpm[2789]: *** info [mice.c(1766)]:
Jan 22 12:57:54 localhost gpm[2789]: imps2: Auto-detected intellimouse PS/2
Jan 22 12:57:55 localhost kernel: audit(1106427475.435:0):
security_compute_sid: invalid context user_u:system_r:crond_t for
scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:anacron_exec_t tclass=process
Jan 22 12:57:55 localhost xfs[2826]: ignoring font path element
/usr/X11R6/lib/X11/fonts/Speedo (unreadable)
Jan 22 12:57:55 localhost kernel: audit(1106427475.634:0):
security_compute_sid: invalid context user_u:system_r:crond_t for
scontext=user_u:system_r:initrc_t
tcontext=system_u:object_r:crond_exec_t tclass=process
18 years, 2 months
selinux in fc3 and squirrelmail
by Hongwei Li
Hi,
I have some problems with squirrelmail 1.4.3a in a redhat fc3 linux system
where selinux is enforced. My system:
os: RedHat FC3 linux, kernel 2.6.9, selinux enforced, iptables enabled
web: httpd-2.0.52-3.1 (apache)
sendmail: 8.13.1-2
squirrelmail: 1.4.3a-6.FC3 configured with smtp, not sendmail
php: 4.3.10-3.2
mysql: 3.23.58-13
I have found 2 major problems of squirrelmail so far when selinux is
enforced:
1. cannot connect to the mysql database for any purpose (addressbook, pref, etc.)
-- always "Error initializing addressbook database" etc.;
The system log shows:
Jan 23 10:21:18 pippo kernel: audit(1105978878.395:0): avc: denied {
write } for pid=21651 exe=/usr/sbin/httpd name=mysql.sock dev=hda3
ino=455088 scontext=root:system_r:httpd_t
tcontext=user_u:object_r:var_lib_t tclass=sock_file
2. cannot attach any file to send -- always denied.
The system log shows:
...
Jan 25 15:09:25 pippo kernel: audit(1106687365.076:0): avc: denied {
write } for pid=23123 exe=/usr/sbin/httpd name=attach dev=hda3 ino=470516
scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_spool_t
tclass=dir
...
The sm attachment dir is set by default as in config.php:
$attachment_dir = '/var/spool/squirrelmail/attach/';
and its mode is:
# ls -lZ /var/spool/squirrelmail/
drwx------ apache apache system_u:object_r:var_spool_t attach
There might be more problems in sm when selinux is enforced, but I just
haven't found them yet.
If I disable selinux while iptables is still enabled and the required
ports are opened, everything in squirrelmail works well, no problem at
all.
Is there anybody using sm 1.4.3a in fc3 with selinux enforced? Do you
have any problem with mysql database initialization and attaching files to
send? If you find a way to solve the problem, please share it with me.
I'd greatly appreciate all help!
Thanks!
Hongwei Li
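A small parser for the wrapped kernel audit lines quoted in this post and in the earlier php mail() and httpd-on-NFS posts, as an added example that is not from any of the posters: it rejoins the e-mail-wrapped syslog lines into one record per AVC message, extracts the permission, contexts and object class, and counts denials per source type, target type, class and permission, so that a relabel or policy change can be scoped to exactly what was denied. SAMPLE_LOG is constructed from two of the denials quoted above.

```python
import re

# Constructed sample: two denials quoted in the posts above, e-mail wrapping kept.
SAMPLE_LOG = """\
Jan 23 10:21:18 pippo kernel: audit(1105978878.395:0): avc: denied {
write } for pid=21651 exe=/usr/sbin/httpd name=mysql.sock dev=hda3
ino=455088 scontext=root:system_r:httpd_t
tcontext=user_u:object_r:var_lib_t tclass=sock_file
Jan 28 14:19:46 pippo kernel: audit(1106943586.048:0): avc: denied {
read } for pid=6801 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=hda3 ino=470506 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir
"""

RECORD_START = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: audit\(")
AVC_RE = re.compile(r"avc: +(denied|granted) +\{ *([^}]*?) *\} +for +(.*)$")

def unwrap(text):
    """Rejoin syslog lines the mail client wrapped: one record per audit message."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_avc(record):
    """Return the AVC fields of one unwrapped record, or None if it is not an AVC line."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    fields["result"], fields["perms"] = m.group(1), m.group(2).split()
    for ctx in ("scontext", "tcontext"):  # user:role:type -> keep only the type
        fields[ctx + "_type"] = fields.get(ctx, "::").split(":")[2]
    return fields

def summarize(text):
    """Count denials per (source type, target type, object class, permission)."""
    counts = {}
    for f in map(parse_avc, unwrap(text)):
        if f is None or f["result"] != "denied":
            continue
        for perm in f["perms"]:
            key = (f["scontext_type"], f["tcontext_type"], f["tclass"], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts
```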
18 years, 2 months