SELinux and third party installers
by Mike Hearn
Hi,
I have a couple of questions. The first is that in the FC3 targeted
policy, it appears that ldconfig cannot write to user_home_t directories.
Why is this? It appears to be a restriction with no purpose, and some
programs rely on this to work. In fact I see from the archives that
ldconfig not being able to write or search certain directories has come up
before.
The second question is what impact SELinux will have on third party
installers. It seems from the nVidia thread that currently if you copy
files onto the system using "cp", this is the wrong way to do it and it
will break people's SELinux setups. This surely cannot be correct: that'd
break pretty much every third party installer (e.g. Loki Setup,
etc.) out there!
If this is the case and this rather questionable decision is not reversed,
is using "install" the correct way to go about things on *every* SELinux
enabled distro, or is that a Fedora custom thing? It's a bit worrying how
much Fedora SELinux seems to differ from upstream; is this something that
will get better with time?
thanks -mike
18 years, 2 months
postgresql pg_dump won't run
by Dr. Michael J. Chudobiak
Hi,
I've just installed selinux on my FC3 server using the targeted policy,
and everything went well except that I can no longer run
/usr/bin/pg_dumpall as a root cron job for backing up postgresql
databases. I get this sort of log message, even if I run
pg_dump/pg_dumpall as the postgres user:
Dec 30 10:17:01 server2 kernel: audit(1104419821.285:0): avc: denied {
execute_no_trans } for pid=24740 exe=/bin/bash path=/usr/bin/pg_dump
dev=md0 ino=346137 scontext=user_u:system_r:postgresql_t
tcontext=system_u:object_r:postgresql_exec_t tclass=file
For now, I've disabled the postgres protection using
system-config-security-level, and it works fine - but postgresql is
unprotected of course.
Is there a way of running pg_dump and pg_dumpall under selinux, without
abandoning or rewriting the targeted policy?
- Mike
18 years, 2 months
no selinux tab with non-GUI system-config-securitylevel
by Greg Matheson
The FAQ says:
By default, SELinux enforcement for Apache HTTP is
enabled. To verify this, run system-config-securitylevel,
and view the SELinux tab.
But I don't see any SELinux stuff with my non-GUI install of FC3.
Is this right?
--
Greg Matheson, Taiwan
18 years, 2 months
cron/init leaking file descriptor?
by Tom London
Running strict/enforcing, latest Rawhide.
Started getting these avcs today.
Jan 4 08:21:28 fedora kernel: audit(1104855688.541:0): avc: denied
{ use } for pid=5131 exe=/usr/sbin/sendmail.sendmail path=/null
dev=selinuxfs ino=254 scontext=system_u:system_r:system_mail_t
tcontext=system_u:system_r:init_t tclass=fd
Jan 4 08:22:21 fedora kernel: audit(1104855741.192:0): avc: denied
{ use } for pid=5286 exe=/usr/sbin/logrotate path=/null dev=selinuxfs
ino=254 scontext=system_u:system_r:logrotate_t
tcontext=system_u:system_r:init_t tclass=fd
My naive reading of this indicates that someone is
leaving an open file descriptor (to /selinux/null ?)
tom
--
Tom London
18 years, 2 months
kudzu: needs 'allow kudzu_t self:unix_stream_socket connectto;' ?
by Tom London
Running strict/enforcing, today's rawhide.
Get this avc from the 'new' kudzu:
Jan 4 07:16:00 fedora kernel: microcode: CPU0 updated from revision
0x33 to 0x37, date = 06042003
Jan 4 07:16:00 fedora kernel: audit(1104851744.414:0): avc: denied
{ connectto } for pid=2336 exe=/usr/sbin/kudzu path=@kudzu_config_socket
scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kudzu_t
tclass=unix_stream_socket
Jan 4 07:16:00 fedora kernel: parport_pc: Ignoring new-style
parameters in presence of obsolete ones
tom
[Amazing.... this is the only avc with today's updates!!!!]
--
Tom London
18 years, 2 months
syslog-ng non-standard install generating AVC
by Steve Friedman
I recently installed FC3 on a machine (we had previously been using FC1),
so this is my first exposure to selinux. Consequently, we are running
the targeted policy in permissive mode. We use syslog-ng (rather than
sysklogd) and have updated the syslog-ng.conf to monitor/log/distribute
log events on a number of other ports beyond the standard syslog
distribution.
Among other things that we do in syslog-ng include:
- open non-standard UDP/TCP ports
- open non-standard files
- call non-standard routines
As a complete newbie to selinux, I don't know whether it is
easier/simpler/better/(or even how) to modify the syslog policy or the
attributes of the executables/files/directories that it touches. I would
appreciate some advice and guidance.
AVC log events:
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.142:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=kmsg dev=proc ino=-268435446 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { read } for pid=16202 exe=/bin/bash name=mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.145:0): avc: denied { getattr } for pid=16202 exe=/bin/bash path=/etc/mtab dev=dm-0 ino=7146016 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { write } for pid=16202 exe=_executable_1_ name=status dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 04:02:17 gsi10 kernel: audit(1104138137.150:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_1_ dev=dm-0 ino=166481 scontext=system_u:system_r:syslogd_t tcontext=user_u:object_r:usr_t tclass=file
Dec 27 10:47:27 gsi10 kernel: audit(1104162447.513:0): avc: denied { sys_admin } for pid=16201 exe=/sbin/syslog-ng capability=21 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=log dev=dm-0 ino=166417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { add_name } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { create } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { setattr } for pid=16201 exe=/sbin/syslog-ng name=e27.log dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { chown } for pid=16201 exe=/sbin/syslog-ng capability=0 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fowner } for pid=16201 exe=/sbin/syslog-ng capability=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { fsetid } for pid=16201 exe=/sbin/syslog-ng capability=4 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { append } for pid=16201 exe=/sbin/syslog-ng path=_file_2_ dev=dm-0 ino=166450 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { write } for pid=16202 exe=_executable_1_ path=_file_3_ dev=dm-0 ino=166444 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { getattr } for pid=16202 exe=_executable_1_ path=_file_4_ dev=dm-0 ino=166472 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.318:0): avc: denied { read } for pid=16202 exe=_executable_1_ path=_file_5_ dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { remove_name } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { unlink } for pid=16202 exe=_executable_1_ name=delete_next dev=dm-0 ino=166474 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { search } for pid=1633 exe=_executable_1_ name=bin dev=dm-0 ino=1245185 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { read } for pid=1633 exe=_executable_1_ name=sh dev=dm-0 ino=3850242 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.319:0): avc: denied { execute } for pid=1633 exe=_executable_1_ name=bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { execute_no_trans } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.320:0): avc: denied { read } for pid=1633 exe=_executable_1_ path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { read } for pid=1633 exe=/bin/bash name=meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.321:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/proc/meminfo dev=proc ino=-268435454 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:proc_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { search } for pid=1633 exe=/bin/bash name=sbin dev=dm-0 ino=7356417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:sbin_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.322:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/bash dev=dm-0 ino=1245248 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:shell_exec_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { getattr } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute } for pid=1633 exe=/bin/bash name=rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { execute_no_trans } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.323:0): avc: denied { read } for pid=1633 exe=/bin/bash path=/bin/rm dev=dm-0 ino=1245243 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:bin_t tclass=file
Steve Friedman
18 years, 2 months
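The AVC lines quoted in the posts above (syslog-ng, kudzu, pg_dump, squid) all share one format, and the kudzu subject line shows the allow-rule form such a denial maps to. As an added example (mine, not code from any poster or from the Fedora policy), here is a small parser that collapses denials into allow rules the way audit2allow does and flags the denials where relabeling the object is the usual fix rather than widening the domain, which is what the usr_t targets in the syslog-ng post suggest. The sample lines are constructed from the posts above, and the list of catch-all types is my own heuristic.

```python
import re
from collections import defaultdict
# Constructed sample: AVC lines modelled on those quoted in the posts above
# (syslog-ng writing under a usr_t directory, a capability denial, and kudzu).
SAMPLE_AVC = """\
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { write } for pid=16201 exe=/sbin/syslog-ng name=log dev=dm-0 ino=166417 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { add_name } for pid=16201 exe=/sbin/syslog-ng name=e27.log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:usr_t tclass=dir
Dec 27 16:16:35 gsi10 kernel: audit(1104182195.160:0): avc: denied { chown } for pid=16201 exe=/sbin/syslog-ng capability=0 scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=capability
Jan 4 07:16:00 fedora kernel: audit(1104851744.414:0): avc: denied { connectto } for pid=2336 exe=/usr/sbin/kudzu path=@kudzu_config_socket scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kudzu_t tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

# Heuristic (my assumption, not from the posts): a daemon denied write access to one of
# these catch-all types usually points at a mislabeled object; fix the label, not the domain.
GENERIC_TYPES = {"usr_t", "bin_t", "sbin_t", "etc_t", "var_t", "tmp_t"}
WRITE_PERMS = {"write", "append", "create", "add_name", "remove_name", "unlink", "setattr"}

def type_of(context):
    """user:role:type -> type (third field); a trailing MLS range is ignored."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, [perms]) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"], m["perms"].split()

def allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class), audit2allow-style."""
    perms = defaultdict(set)
    for src, tgt, cls, ps in parse_avc(text):
        perms[(src, tgt, cls)].update(ps)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        target = "self" if src == tgt else tgt  # same type on both sides -> self
        plist = " ".join(sorted(ps))
        if len(ps) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {target}:{cls} {plist};")
    return rules

def relabel_candidates(text):
    """Denials where relabeling the object is the usual fix rather than a new allow rule."""
    return sorted({(src, tgt, cls) for src, tgt, cls, ps in parse_avc(text)
                   if tgt in GENERIC_TYPES and WRITE_PERMS & set(ps)})
```

Rules it emits describe what was denied, not what should be allowed; review each one, and for a real audit log the audit2allow tool does the same collapsing over the full set of messages.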
Still avc: denied { getattr }...
by Giuseppe Greco
Hi all,
I've just updated my SELinux policies, but I still get the
following error messages when restarting squid:
audit(1104589130.341:0): avc: denied { getattr } for pid=2759
exe=/usr/sbin/squid path=/boot dev=hda1 ino=2
scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t
tclass=dir
audit(1104589130.342:0): avc: denied { getattr } for pid=2759
exe=/usr/sbin/squid path=/tmp dev=hda1 ino=2
scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t
tclass=dir
Shouldn't these rules already have been fixed? What can I do to get
squid finally working without complaining?
Thanks,
j3d.
--
----------------------------------------
Giuseppe Greco
::agamura::
phone: +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email: giuseppe.greco(a)agamura.com
web: www.agamura.com
----------------------------------------
18 years, 2 months
What to do after building a kernel.
by Justin Conover
After I built a new kernel based off of ck-overloaded, I rebooted and a
ton of SELinux errors/messages kept coming across the screen. What
do I need to do to make a home-grown kernel work with SELinux?
18 years, 3 months