hald, udev ...
by Tom London
Running strict/enforcing off of Rawhide, kernel-2.6.10-1.1087_FC4.
After applying today's updates, but booting the above kernel (1089 has problems....),
I get the following AVCs:
Jan 15 11:38:33 fedora kernel: audit(1105789089.441:0): avc: denied { search } for pid=1501 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789091.037:0): avc: denied { search } for pid=1659 exe=/bin/bash name=usb dev=hda2 ino=4456490 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_var_run_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789091.040:0): avc: denied { search } for pid=1659 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789091.055:0): avc: denied { search } for pid=1691 exe=/bin/bash name=usb dev=hda2 ino=4456490 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_var_run_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789091.057:0): avc: denied { search } for pid=1691 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789091.869:0): avc: denied { search } for pid=1688 exe=/bin/bash name=usb dev=hda2 ino=4456490 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_var_run_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789091.872:0): avc: denied { search } for pid=1688 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789092.598:0): avc: denied { search } for pid=1724 exe=/bin/bash name=usb dev=hda2 ino=4456490 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_var_run_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789092.601:0): avc: denied { search } for pid=1724 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789093.046:0): avc: denied { search } for pid=1735 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789093.091:0): avc: denied { search } for pid=1772 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jan 15 11:38:33 fedora kernel: audit(1105789093.120:0): avc: denied { search } for pid=1779 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir
Jan 15 11:39:02 fedora kernel: audit(1105817942.699:0): avc: denied { search } for pid=2766 exe=/usr/sbin/hald name=net dev=proc ino=-268435434 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:proc_net_t tclass=dir
Jan 15 11:39:02 fedora kernel: audit(1105817942.924:0): avc: denied { search } for pid=2766 exe=/usr/sbin/hald name=net dev=proc ino=-268435434 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:proc_net_t tclass=dir
suggesting:
r_dir_file(hald_t, proc_net_t)
r_dir_file(udev_t, { hotplug_var_run_t modules_object_t })
tom
--
Tom London
18 years, 2 months
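Turning a batch of denials like the ones above into candidate allow rules is the job of audit2allow. The following added example is not part of Tom's post or of the Fedora policy tooling; it reimplements the core of that step in Python so the grouping by (source type, target type, class) is visible. The sample records are AVC lines from this post plus the execmem record from the firefox post further down this page, re-joined onto single lines; the function names are the example's own.

```python
import re
from collections import defaultdict

# Sample AVC records: udev/hald denials from this post plus one execmem record
# from the firefox post on this page, each re-joined onto one line.
SAMPLE_AVCS = [
    "Jan 15 11:38:33 fedora kernel: audit(1105789089.441:0): avc: denied { search } for pid=1501 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir",
    "Jan 15 11:38:33 fedora kernel: audit(1105789091.037:0): avc: denied { search } for pid=1659 exe=/bin/bash name=usb dev=hda2 ino=4456490 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:hotplug_var_run_t tclass=dir",
    "Jan 15 11:38:33 fedora kernel: audit(1105789093.120:0): avc: denied { search } for pid=1779 exe=/bin/bash name=modules dev=hda2 ino=3178500 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:modules_object_t tclass=dir",
    "Jan 15 11:39:02 fedora kernel: audit(1105817942.699:0): avc: denied { search } for pid=2766 exe=/usr/sbin/hald name=net dev=proc ino=-268435434 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:proc_net_t tclass=dir",
    "Jan 8 10:28:01 fedora kernel: audit(1105208881.831:0): avc: denied { execmem } for pid=4266 comm=firefox-bin scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the permissions, context types and class of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    try:
        return {
            "perms": set(m.group("perms").split()),
            "stype": fields["scontext"].split(":")[2],   # user:role:type
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "subject": fields.get("comm") or fields.get("exe", "?"),
        }
    except (KeyError, IndexError):
        return None   # truncated record or a non-AVC audit message


def collect_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # Like audit2allow, write 'self' when a domain acts on its own context.
        target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
        wanted[(rec["stype"], target, rec["tclass"])].update(rec["perms"])
    return dict(wanted)


def generate_rules(lines):
    """Emit one minimal allow rule per (source, target, class) triple."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(lines).items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {plist};")
    return rules


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_AVCS):
        print(rule)
```

The generated rules are the minimum the log asked for (a single `search` on each directory), which is narrower than the `r_dir_file` macro suggested in the post; the macro also grants read and getattr on the directory and its files, and whether that is warranted depends on what udev and hald go on to do after the search succeeds. The output is a starting point for review, not something to load as is: an `execmem` or `execmod` rule in it (as in the firefox and kgpg posts on this page) is a reason to look at the binary, not to copy the rule.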
kgpg, execmod...
by Tom London
running strict/enforcing, latest rawhide.
Trying to start kgpg results in:
[tbl@fedora mozExtensions]$ kgpg
gpg: error while loading shared libraries: cannot restore segment prot
after reloc: Permission denied
gpg: error while loading shared libraries: cannot restore segment prot
after reloc: Permission denied
[tbl@fedora mozExtensions]$
Here are the AVCs. Notice the execmod denial:
Jan 15 12:15:02 fedora crond(pam_unix)[3567]: session closed for user root
Jan 15 12:19:06 fedora kernel: audit(1105820346.545:0): avc: denied { read } for pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2 ino=3802156 scontext=user_u:user_r:user_t tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.033:0): avc: denied { execmod } for pid=3597 comm=gpg path=/usr/bin/gpg dev=hda2 ino=4127070 scontext=user_u:user_r:user_gpg_t tcontext=system_u:object_r:gpg_exec_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.035:0): avc: denied { read } for pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2 ino=3802156 scontext=user_u:user_r:user_t tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.043:0): avc: denied { execmod } for pid=3598 comm=gpg path=/usr/bin/gpg dev=hda2 ino=4127070 scontext=user_u:user_r:user_gpg_t tcontext=system_u:object_r:gpg_exec_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.074:0): avc: denied { read } for pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2 ino=3802156 scontext=user_u:user_r:user_t tcontext=system_u:object_r:user_gpg_secret_t tclass=file
Jan 15 12:19:07 fedora kernel: audit(1105820347.143:0): avc: denied { read } for pid=3583 exe=/usr/bin/kgpg name=gpg.conf dev=hda2 ino=3802156 scontext=user_u:user_r:user_t tcontext=system_u:object_r:user_gpg_secret_t tclass=file
allow user_gpg_t gpg_exec_t:file execmod;
I'm gun-shy about sprinkling these around. Any thoughts/help?
tom
--
Tom London
18 years, 2 months
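The loader message in the post, "cannot restore segment prot after reloc", is what ld.so prints when it has applied text relocations to a writable copy of a segment and is then refused permission to make that segment executable again; under SELinux that refusal is the execmod denial. So the check a practitioner wants before adding `allow user_gpg_t gpg_exec_t:file execmod;` is whether the binary actually carries text relocations (`readelf -d /usr/bin/gpg | grep TEXTREL` on a live system), because a PIC rebuild removes the need for the rule altogether. The following added example is not from the post or from any Fedora tool: it reads an ELF image's dynamic section directly and reports whether it declares text relocations via a DT_TEXTREL entry or the DF_TEXTREL bit of DT_FLAGS. `build_elf64` is a constructed fixture that produces a bare synthetic image for offline testing, not a real executable.

```python
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4


def _layout(data):
    """Pick struct formats from e_ident: ELF class (32/64) and byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:      # ELFCLASS64
        return endian + "16sHHIQQQIHHHHHH", endian + "IIQQQQQQ", endian + "qQ", True
    if data[4] == 1:      # ELFCLASS32
        return endian + "16sHHIIIIIHHHHHH", endian + "IIIIIIII", endian + "iI", False
    raise ValueError("unknown ELF class")


def dynamic_entries(data):
    """Return the (d_tag, d_val) pairs of the PT_DYNAMIC segment, if any."""
    ehdr_fmt, phdr_fmt, dyn_fmt, is64 = _layout(data)
    ehdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    entries = []
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        # Elf64_Phdr puts p_flags second; Elf32_Phdr puts it seventh.
        p_offset, p_filesz = (ph[2], ph[5]) if is64 else (ph[1], ph[4])
        step = struct.calcsize(dyn_fmt)
        for off in range(p_offset, p_offset + p_filesz, step):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            entries.append((tag, val))
    return entries


def has_textrel(data):
    """True if the image declares text relocations (old-style DT_TEXTREL or DF_TEXTREL)."""
    return any(tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL)
               for tag, val in dynamic_entries(data))


def check_file(path):
    with open(path, "rb") as f:
        return has_textrel(f.read())


def build_elf64(dyn):
    """Constructed fixture: a bare little-endian ELF64 image with one PT_DYNAMIC segment."""
    ehdr_size, phdr_size = 64, 56
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    dyn_bytes += struct.pack("<qQ", DT_NULL, 0)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class 64, LSB, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, 3, 62, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, 1, 0, 0, 0)   # ET_DYN, x86-64, one phdr
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, ehdr_size + phdr_size, 0, 0,
                       len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdr + dyn_bytes


if __name__ == "__main__":
    print("synthetic with DT_TEXTREL:", has_textrel(build_elf64([(DT_TEXTREL, 0)])))
    print("synthetic PIC image:", has_textrel(build_elf64([(DT_FLAGS, 0x8)])))
    for path in sys.argv[1:]:
        print(path, "has TEXTREL" if check_file(path) else "no TEXTREL")
```

Run it against the files named in the AVCs (`python3 textrel.py /usr/bin/gpg /lib/ld-2.3.4.so`). A binary that reports TEXTREL is the thing to fix, by building with -fPIC or with PIC assembly; if the file has none, the execmod denial comes from something else, such as the program rewriting its own mapped code, and deserves a different investigation.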
/selinux/null being labeled as root_t?
by Colin Walters
Hi,
I'm seeing an odd denial on my FC2 server after the latest kernel
updates.
Jan 14 11:38:15 monk kernel: audit(1105720695.913:0): avc: denied { getattr } for pid=6661 exe=/usr/sbin/sendmail.postfix path=/null dev=selinuxfs ino=189 scontext=zosima:staff_r:staff_mail_t tcontext=system_u:object_r:root_t tclass=chr_file
So this is the /selinux/null file, which should be labeled with
security_t, correct? My genfscon file just has:
# selinuxfs
genfscon selinuxfs / system_u:object_r:security_t
I'm pretty sure this is a kernel problem since I haven't changed my
policy in some time.
(Yes, I plan to upgrade to FC3 soon :))
18 years, 2 months
RE: Creating new roles
by Steve Brueckner
I spent my first couple of days in SELinux tinkering with FC2, and only
installed FC3 today. It's possible I may not yet fully appreciate the
differences in working with the targeted policy. I see now that even though
multiple roles are defined, they're all assigned to the unconfined_t domain.
The targeted policy appeals to me for the obvious reasons: I'd like most of
the system to run without the complications introduced by SELinux. I'd
rather not go back to the strict policy unless I have to.
My goal, however, is to do some fairly serious policy writing to lock down a
few applications, but leave most of the system alone. I think I'll need to
make new domains, new roles, and new transitions to do this.
From my limited understanding, it looks like even though the default
targeted policy is role-blind, I should be able to modify it to add my own
custom roles that aren't of type unconfined_t. After all, it's still
SELinux under the hood, isn't it? Or am I missing something fundamental?
Will I have no choice but to use the strict policy as my starting point?
- Steve
-----Original Message-----
From: Stephen Smalley [mailto:sds@epoch.ncsc.mil]
Sent: Thursday, January 13, 2005 4:51 PM
To: Fedora SELinux support list for users & developers.
Subject: Re: Creating new roles
On Thu, 2005-01-13 at 16:47, Steve Brueckner wrote:
> I'm just getting started with SELinux. I've read a bunch and just installed
> FC3.
>
> I'm trying to add a new role, but can't figure out where roles are defined.
> The O'Reilly book says they're "scattered around the policy tree" and Debian
> references say they're in users.te, which doesn't appear to exist in FC3.
>
> If I can find where the few extant roles are defined, I can probably figure
> out how to define my own. Or should I be trying to do it from scratch by
> making a new file? In which case I could use some hints on how to do it.
By default, FC3 uses the "targeted" policy, which only confines specific
network services and does not have any real notion of user roles and
domains. You can switch to the "strict" policy by installing it (e.g.
yum install selinux-policy-strict*) and then using
system-config-securitylevel GUI to set the active policy to it and
rebooting, at which point it should automatically relabel. Or manually,
you can just edit /etc/selinux/config to set the SELINUXTYPE to strict,
reboot single user, and run fixfiles relabel by hand, then bring the
system up the rest of the way. Have you read the Fedora SELinux FAQ?
http://fedora.redhat.com/docs/selinux-faq-fc3/
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
18 years, 2 months
Creating new roles
by Steve Brueckner
I'm just getting started with SELinux. I've read a bunch and just installed
FC3.
I'm trying to add a new role, but can't figure out where roles are defined.
The O'Reilly book says they're "scattered around the policy tree" and Debian
references say they're in users.te, which doesn't appear to exist in FC3.
If I can find where the few extant roles are defined, I can probably figure
out how to define my own. Or should I be trying to do it from scratch by
making a new file? In which case I could use some hints on how to do it.
- Steve
18 years, 2 months
kernel-2.6.10-1.1074_FC4 breaks firefox?
by Tom London
Running strict/enforcing, latest Rawhide.
After downloading today's updates, including kernel-2.6.10-1.1074_FC4, and
rebooting (and before the kernel oops with a kernel page fault), firefox
refuses to start in enforcing mode. Here are the AVCs:
Jan 8 10:28:01 fedora kernel: audit(1105208881.086:0): avc: denied { execmod } for pid=4242 comm=java path=/lib/ld-2.3.4.so dev=hda2 ino=3178514 scontext=user_u:user_r:user_t tcontext=system_u:object_r:ld_so_t tclass=file
Jan 8 10:28:01 fedora kernel: audit(1105208881.831:0): avc: denied { execmem } for pid=4266 comm=firefox-bin scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
Jan 8 10:28:01 fedora kernel: audit(1105208881.928:0): avc: denied { execmem } for pid=4266 comm=firefox-bin scontext=user_u:user_r:user_mozilla_t tcontext=user_u:user_r:user_mozilla_t tclass=process
Policy needs fixing for new kernel mods?
tom
--
Tom London
18 years, 2 months
Re: Is there any IPsec-Tools policy available in FC2?
by Park Lee
On Wed, 12 Jan 2005 at 21:08, Petre Rodan wrote:
> latest Gentoo policies can be found here:
>
>
http://dev.gentoo.org/~kaiowas/policy/gentoo/domains/program/ipsec.te
>
http://dev.gentoo.org/~kaiowas/policy/gentoo/file_contexts/program/ipsec.fc
>
> net_contexts should also contain:
> ifdef(`ipsec.te', `portcon udp 500
system_u:object_r:isakmp_port_t')
I've made some modifications to the ipsec.te and ipsec.fc you mentioned
above, and put them into the proper location in Fedora Core 2.
When I ran 'make load' in the src/policy directory, I got the following
WARNING:
... ...
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/program/ipsec.te:63:WARNING 'conflicting rule for (sysadm_locate_t, setkey_exec_t:process): default was setkey_t, is now sysadm_setkey_t' at token ';' on line 120846:
#line 63
type_transition sysadm_t setkey_exec_t:process sysadm_setkey_t;
... ...
Why did it produce such a WARNING?
Is there a way to fix it?
Thank you.
=====
Best Regards,
Park Lee
18 years, 2 months
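The warning means that two type_transition rules with the same key (source type, target type, object class) name different default types; checkpolicy keeps the later one, which is what "default was setkey_t, is now sysadm_setkey_t" says. In a hand-merged policy that usually happens when two macro invocations expand to the same key, and the cure is to find the earlier rule and decide which of the two should stay. The added example below is not from the post or from checkpolicy: it scans policy.conf-style text for such pairs, expanding `{ a b }` sets the way the compiler does. The snippet it runs on is constructed to mirror the warning and is not the poster's actual ipsec.te (the odd source name in the real warning is not reproduced).

```python
import re

# Constructed policy.conf-style snippet mirroring the warning in the post;
# the real file is ~120k lines, only the relevant expanded rules are shown.
SAMPLE_POLICY = """\
type_transition sysadm_t setkey_exec_t:process setkey_t;
type_transition sysadm_t racoon_exec_t:process racoon_t;
type_transition sysadm_t setkey_exec_t:process sysadm_setkey_t;
type_transition { sysadm_t staff_t } setkey_exec_t:process setkey_t;
"""

RULE_RE = re.compile(
    r"^\s*type_transition\s+"
    r"(\{[^}]*\}|[^\s{}:]+)\s+"       # source type or { set }
    r"(\{[^}]*\}|[^\s{}:]+)\s*:\s*"   # target type or { set }
    r"(\{[^}]*\}|[^\s{}:]+)\s+"       # object class or { set }
    r"([^\s;]+)\s*;")                 # default type


def _expand(tok):
    """'{ a b }' -> ['a', 'b'];  'a' -> ['a']."""
    return tok.strip("{}").split() if tok.startswith("{") else [tok]


def find_conflicts(policy_text):
    """Return (conflicts, defaults).

    conflicts: (lineno, src, tgt, cls, old_default, new_default) in policy order.
    defaults:  the winning default type per (src, tgt, cls) key, i.e. the last
               one seen, which is what checkpolicy keeps after warning.
    """
    defaults = {}
    conflicts = []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        src_set, tgt_set, cls_set, new = m.groups()
        for src in _expand(src_set):
            for tgt in _expand(tgt_set):
                for cls in _expand(cls_set):
                    key = (src, tgt, cls)
                    old = defaults.get(key)
                    if old is not None and old != new:
                        conflicts.append((lineno, src, tgt, cls, old, new))
                    defaults[key] = new
    return conflicts, defaults


def report(policy_text):
    """Format each conflict the way checkpolicy's warning phrases it."""
    return [f"line {n}: conflicting rule for ({s}, {t}:{c}): default was {o}, is now {w}"
            for n, s, t, c, o, w in find_conflicts(policy_text)[0]]


if __name__ == "__main__":
    for msg in report(SAMPLE_POLICY):
        print(msg)
```

On a real tree the earlier rule can be located by searching the generated policy.conf for the key (here `setkey_exec_t:process`) and reading the `#line` marker above each hit, which names the .te file and line the rule came from. Which of the two defaults is the intended one is a policy decision the checker cannot make.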
dhcpd targeted policy
by Rogelio J. Baucells
Hi,
I am running a FC3 computer with the latest targeted policy
(selinux-policy-targeted-1.17.30-2.68) and I am getting the following
messages at the time dhcpd starts:
-----------------------------------------------------------------
audit(1105547723.050:0): avc: denied { net_admin } for pid=6247 exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=capability
audit(1105547723.244:0): avc: denied { read } for pid=6247 exe=/usr/sbin/dhcpd name=cacert.org.pem dev=hdc2 ino=230129 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:usr_t tclass=file
-----------------------------------------------------------------
I looked at the configuration file (dhcpd.conf) and I do not see any
place where I am referencing the cacert.org cert file. I use that file
for other services and it is located at (/usr/share/ssl/certs).
Is there any information on how to resolve these errors?
Thanks
RJB
18 years, 2 months