Adding new .fc file for Fedora Extras package
by Jochen Schmitt
Hello,
I have created the suck package, which was available from the
Fedora Extras repository.
Because on FC3 SELinux is enabled by default, I think that I have
to write my own suck.fc file to put suck in the same domain as
inn.
Now I would like to ask what the best practice is to distribute a *.fc
file in a Fedora Extras package.
Best Regards:
Jochen Schmitt
18 years, 2 months
Head-banging targets, please
by David P. Hart
I need help understanding SELinux!
I've read just about every on-line SELinux article I can find, and I am
getting progressively more confused as I read more. Following along in
these articles on a Fedora Core 3 system, reading documents written for
Fedora Core 2 Test 3 and before, is confusing. The older the document,
the more my installation fails to match the documentation.
I need a starting place, some things to look at once I have my Fedora
Core 3 installation running. Some simple things, some that work
correctly, some that fail and I can learn how to track down and fix.
And, the answers to some basic questions:
1) Why does a Fedora Core 3 installation, with SELinux "Active" or
"Warn", not install selinux-policy-targeted-sources? I kept
pulling my hair out (little that there is) when trying to find:
/etc/selinux/targeted/src/policy
All the documents referred to this directory, and it was VERY
confusing not to find it. This directory should at least be
an empty directory after a fresh install.
2) Are the setools and setools-gui packages required to be used on an
SELinux-enabled system? If so, why are they not installed when
SELinux is installed? In particular, I am very confused about how
to create new users and new groups. It looks like I need to update
our in-house instructions to use seuseradd, seuserdel, etc. instead
of useradd and userdel?
3) Where the heck is the SELinux audit file? Try as I might,
I can't find it. Every document references it, but none I have
found actually refers to it by path/filename.
4) I know you guys discuss policy problems all the time, from the
viewpoint of their AVC log events, but I'd like to see what one of
these AVC log events looks like on my system. In particular, I
have a Fedora Core 3 Workstation installation running the targeted
policy in enforcing mode. I'd appreciate a simple test I could
perform that would generate an AVC log entry, some idea on how to
look for the log entry, and some idea about how to analyze the log
entry. I know, blasphemy. But there are three ways that adults
learn:
1. Visual: people who learn by seeing it done.
2. Auditory: people who learn by hearing.
3. Kinesthetic: people who learn by doing (touch and body
movement).
I'm a #3.
5) Does it make sense to have a Workstation installation with the
"strict" policy? Under what circumstances?
I am putting instructions together for people in my Lab on how to
install and use Fedora Core 3. One of the early lessons I want to
document is some simple instructions on how to use SELinux. Then, as
other instructions are written for other Lab-oriented tasks, I would
integrate SELinux into these instructions. The people in the Lab are
responsible for maintaining their various computers, so knowledge about
SELinux appears necessary. If I can't understand it and explain it to
them, things are going to get messy.
Thanks for the help.
--
David Hart <dhart275(a)offramp.com>
18 years, 2 months
pam & /etc/selinux/strict/contexts/files/media
by Tom London
Running strict/enforcing, latest Rawhide,
but reverted to kernel-2.6.10-1.1063_FC4.
Noticed the following AVCs from pam early
in boot:
Jan 8 10:33:17 fedora kernel: audit(1105180348.115:0): avc: denied
{ read } for pid=1562 exe=/sbin/pam_console_apply
path=/etc/selinux/strict/contexts/files/media dev=hda2 ino=4506184
scontext=system_u:system_r:pam_console_t
tcontext=system_u:object_r:file_context_t tclass=file
Jan 8 10:33:17 fedora kernel: audit(1105180348.145:0): avc: denied
{ read } for pid=1566 exe=/sbin/pam_console_apply
path=/etc/selinux/strict/contexts/files/media dev=hda2 ino=4506184
scontext=system_u:system_r:pam_console_t
tcontext=system_u:object_r:file_context_t tclass=file
allow pam_console_t file_context_t:file read;
dontallow?
tom
--
Tom London
18 years, 2 months
Samba file server
by Ivan Gyurdiev
Hi,
I have a fairly trivial setup (I think) that I'd like to get working
under SELinux.
I have a bunch of data on /data, which is its own LVM logical volume.
I have symlinks to the parts of the data in /data/smb that I'd like to
export via smb.
My server also exports user home directories and all printers.
The problem is:
Stuff on /data is labeled: system_u:object_r:default_t
Stuff on /home is labeled: system_u:object_r:user_home_dir_t
under system_u:object_r:home_root_t
I get:
audit(1105106751.784:0): avc: denied { search } for pid=32352
exe=/usr/sbin/smbd name=/ dev=dm-1 ino=2 scontext=user_u:system_r:smbd_t
tcontext=system_u:object_r:default_t tclass=dir
audit(1105107520.694:0): avc: denied { search } for pid=32629
exe=/usr/sbin/smbd name=/ dev=dm-2 ino=2 scontext=user_u:system_r:smbd_t
tcontext=system_u:object_r:home_root_t tclass=dir
- How can I address this situation?
- What if I wanted to share /data over httpd as well?
Thanks for any help,
--
Ivan Gyurdiev <ivg2(a)cornell.edu>
Cornell University
18 years, 2 months
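Both the pam_console post and the Samba post above paste raw AVC denials and then reason from them towards an allow rule (the pam_console post writes the rule out by hand). The following is an added example, not code from either poster or from the SELinux project: a small Python parser that turns such denial lines into a per-(source type, target type, class) summary and the corresponding candidate rules, using the same avc-to-allow mapping the pam_console post shows. The sample input is the four denials quoted in those two posts, re-joined onto one line each; the function names and the output format of the summary are my own choices.

```python
"""Parse SELinux AVC denial lines and derive candidate allow rules.

Added example for the AVC denials quoted in the pam_console and Samba
posts; not code from either poster. The rule text follows the format
used in the pam_console post ("allow src tgt:class perm;"). A generated
rule is a candidate to check against the intended policy (the "dontallow?"
question in that post), not an automatic answer.
"""
import re
from collections import defaultdict

# Input copied from the two posts above, one denial per line.
SAMPLE_AVC_LINES = """\
Jan 8 10:33:17 fedora kernel: audit(1105180348.115:0): avc: denied { read } for pid=1562 exe=/sbin/pam_console_apply path=/etc/selinux/strict/contexts/files/media dev=hda2 ino=4506184 scontext=system_u:system_r:pam_console_t tcontext=system_u:object_r:file_context_t tclass=file
Jan 8 10:33:17 fedora kernel: audit(1105180348.145:0): avc: denied { read } for pid=1566 exe=/sbin/pam_console_apply path=/etc/selinux/strict/contexts/files/media dev=hda2 ino=4506184 scontext=system_u:system_r:pam_console_t tcontext=system_u:object_r:file_context_t tclass=file
audit(1105106751.784:0): avc: denied { search } for pid=32352 exe=/usr/sbin/smbd name=/ dev=dm-1 ino=2 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1105107520.694:0): avc: denied { search } for pid=32629 exe=/usr/sbin/smbd name=/ dev=dm-2 ino=2 scontext=user_u:system_r:smbd_t tcontext=system_u:object_r:home_root_t tclass=dir
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def context_type(context):
    """Return the type component (user:role:type[:level]) of a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one syslog/audit line into a dict; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
        # File-class denials carry path=, directory searches carry name=.
        "target": fields.get("path") or fields.get("name"),
    }


def summarize_denials(lines):
    """Group denied AVCs by (source type, target type, class).

    Returns {key: (set of denied permissions, number of denials)} so that
    repeated denials (the two pam_console lines) collapse into one entry.
    """
    perms = defaultdict(set)
    counts = defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms[key].update(rec["perms"])
        counts[key] += 1
    return {key: (perms[key], counts[key]) for key in perms}


def candidate_rules(lines):
    """Render each summary entry as an allow rule in the pam_console post's format."""
    rules = []
    for (stype, ttype, tclass), (perms, _count) in sorted(summarize_denials(lines).items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    lines = SAMPLE_AVC_LINES.splitlines()
    for (stype, ttype, tclass), (perms, count) in summarize_denials(lines).items():
        print(f"{count}x {stype} -> {ttype} ({tclass}): {' '.join(sorted(perms))}")
    for rule in candidate_rules(lines):
        print(rule)
```

Run on the four quoted lines, the summary shows the pam_console denials as a single entry seen twice and the two smbd denials as separate entries, because each hits a different target type (default_t and home_root_t); the candidate rule for the first entry is exactly the one the pam_console post proposes. Whether a rule belongs in the policy is still a judgement about the target type: search on home_root_t from smbd_t is a different question from read on file_context_t from pam_console_t, and grouping by type is what makes that visible.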
SELinux error with yum --installroot
by Bob Kashani
When I run:
yum -y --installroot=/testroot groupinstall "Base"
I get all kinds of errors like this:
error: %post(libuser-0.52.5-1.i386) scriptlet failed, exit status 255
error: %post(gnupg-1.2.6-1.i386) scriptlet failed, exit status 255
If I turn SELinux off there are no errors. Any ideas why this is
happening?
FC3 fully updated.
yum-2.1.12-0.fc3
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-2.58
Bob
--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
18 years, 2 months
/etc/init.d/ script
by Bogdan Agica
Hi again, everybody.
I'm making quite a bit of progress in developing the policy source for
BitDefender, and I want to thank the list again for the tips given so
far.
I'm still running into this weird problem with the /etc/init.d/bd
script. This, in essence, is a very common start/stop script, but with
some functions like stats and info. These functions are trying to read
data from directories labeled bitdefender_etc_t and bitdefender_lib_t.
The problem is: should I want the script to do what it's supposed to do,
I have to either:
1. Relabel the script from initrd_exec_t to something else,
in which case I'll run into problems starting / stopping the programs.
2. Give read access to initrd_t in bitdefender_etc_t and _lib_t,
which I think is a stupid workaround, providing read access to all
scripts in /etc/init.d to this dir.
I know, the best idea would be to leave the /etc/init.d/ script for
starting and stopping the program, and to provide all the other
functionality via other means, but that is not feasible in the short
term.
Is there any way to "inherit" a type (C++-like inheritance), e.g. to
create a type (say bitdefender_initrc_exec_t) which inherits all the
attributes of its successor, but adds new functionality? (It would be a
nice idea if there isn't one yet.)
TIA,
--
Bogdan Agica
BitDefender Internal Testing Engineer
-------------------------------------
SOFTWIN
Data Security Division
-------------------------------------
email: bagica(a)bitdefender.com
phone: +(4021) 233 18 52; 233 07 80
fax: (+4021) 233.07.63
Bucharest, ROMANIA
http://www.bitdefender.com
http://www.softwin.ro
-------------------------------------
secure your every bit
-------------------------------------
--
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://www.bitdefender.com/
18 years, 2 months
Problems with sudo
by Bogdan Agica
Hi everybody.
First of all, let me introduce myself. My name is Bogdan Agica and I'm
in the Linux team for the BitDefender Antivirus.
I'm responsible for the SELinux integration of BitDefender and I seem
to have some issues with dropping privileges. The startup scripts rely
on sudo in order to drop privileges in a standard Linux system. I have
written the test policy for the postfix agent, which works fine if the
programs are started as root (not via the startup scripts); however the
final policy is supposed to integrate seamlessly with the product.
In the /etc/init.d script, the programs (5 of them) are started by
commands like:
# sudo -u bitdefender /opt/BitDefender/bin/bdcored start
I have looked at the files domains/program/sudo.te and
macros/program/sudo_macros.te. Unfortunately, the lack of documentation
for the sudo_domain() macro was a problem, so I have some questions:
1. What exactly does the sudo_domain() macro do?
2. Is this the tool that I need? (I have tried to integrate it with the
policy, but it resulted in errors.)
I'm using FC3, and the following packages:
# rpm -qa | grep -i selinux
selinux-policy-strict-1.19.10-2
selinux-policy-targeted-sources-1.17.30-2.51
selinux-doc-1.14.1-1
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-2.51
selinux-policy-strict-sources-1.19.10-2
Of course, should anyone want to look at the beta policy that I've
written, I can provide it, and the software itself is available on the
company's ftp site.
TIA,
--
Bogdan Agica
BitDefender Internal Testing Engineer
-------------------------------------
SOFTWIN
Data Security Division
-------------------------------------
email: bagica(a)bitdefender.com
phone: +(4021) 233 18 52; 233 07 80
fax: (+4021) 233.07.63
Bucharest, ROMANIA
http://www.bitdefender.com
http://www.softwin.ro
-------------------------------------
secure your every bit
-------------------------------------
18 years, 2 months
newbie question
by Jordan Morgan
Hi,
I'm currently running FC2 instead of FC3. Tried to enable SELinux by
running in /root
yum install policy policycoreutils
as instructed by the Fedora 2 SELinux FAQ page. However it failed. I got
error message of Package not found and all. Checked out another FAQ page
and they said something about modifying the yum.conf file to include the
ftp site managed by Dan Walsh, and then running the command of
yum install checkpolicy policy policycoreutils pam passwd vixie-cron
this time, pam, passwd, and vixie-cron were installed (even though I
don't know what they are and what they do), but got more error messages
saying the policy headers need some file(not included).
I tried to go through your archive and look for answers but got no luck
so far. I thought I might give this a try first while reading more of
the threads. I apologize in advance if this is a repeated question.
On the Red Hat site, they said SELinux is not functional in FC2 and
suggested users install FC3. So I guess my other question is: Should
I seek help in installing SELinux in the current FC2 or should I simply
install FC3 instead?
Your help on this is highly appreciated.
Thanks!
Jordan
18 years, 2 months
crontab
by Giuseppe Greco
Hi all,
I have the following script under /root/cron:
-rwxr-xr-x root root root:object_r:user_home_t checkconn
This script just checks whether or not pppd is running. If not,
checkconn restarts pppd by invoking a script named adsl-start.
adsl-start is located under /sbin:
-rwxr-xr-x root root system_u:object_r:sbin_t /sbin/adsl-start
I've added checkconn to crontab, but it doesn't work due to SELinux...
Could you tell me which security context I should set for
checkconn?
Thanks,
j3d.
--
----------------------------------------
Giuseppe Greco
::agamura::
phone: +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email: giuseppe.greco(a)agamura.com
web: www.agamura.com
----------------------------------------
18 years, 2 months