List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
16 years, 11 months
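An added example, not from the post above and not part of any SELinux tool: a small Python parser for the flask/access_vectors format the poster mentions, which expands "inherits" so each class ends up with its full permission list. The sample text is a constructed excerpt in that format, not the real file.

```python
"""Build a class -> permissions table from a flask/access_vectors file."""
import re
from typing import Dict, List
# Constructed excerpt in access_vectors format: '#' starts a comment,
# 'inherits' pulls a common block into a class.
SAMPLE_ACCESS_VECTORS = """
common file            # permissions shared by all file-like classes
{
    ioctl
    read
    write
}
class file
inherits file
{
    execute_no_trans
    entrypoint
}
class blk_file
inherits file
class fd
{
    use
}
"""

def _tokens(text: str) -> List[str]:
    """Strip comments and split the text into words and braces."""
    return re.findall(r"\{|\}|[^\s{}]+", re.sub(r"#.*", "", text))
def parse_access_vectors(text: str) -> Dict[str, List[str]]:
    """Return {class: [permissions]} with 'inherits' expanded."""
    commons: Dict[str, List[str]] = {}
    classes: Dict[str, List[str]] = {}
    toks = _tokens(text)
    i = 0
    while i < len(toks):
        kind, name = toks[i], toks[i + 1]
        if kind not in ("common", "class"):
            raise ValueError(f"unexpected token {kind!r}")
        i += 2
        perms: List[str] = []
        if kind == "class" and toks[i:i + 1] == ["inherits"]:
            perms += commons[toks[i + 1]]       # KeyError if common undefined
            i += 2
        if toks[i:i + 1] == ["{"]:
            close = toks.index("}", i)
            perms += toks[i + 1:close]
            i = close + 1
        (commons if kind == "common" else classes)[name] = perms
    return classes
```

Run it over the real access_vectors from the policy sources to get the class/permission list the post asks for; the one-line explanations still have to come from elsewhere.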
SELinux AVCs with swap stored in LVM volume
by Felipe Alfaro Solana
Hello,
I'm running Fedora Core Rawhide and I'm seeing lots of SELinux AVCs
during boot, related to my swap stored in an LVM volume:
audit(1130670344.636:4): avc: denied { read } for pid=919
comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670345.668:5): avc: denied { use } for pid=932
comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=fd
audit(1130670345.952:6): avc: denied { read } for pid=940
comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670346.092:7): avc: denied { read } for pid=941
comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Attached to this message you will find "dmesg" which stores the dmesg
kernel ring which results after booting into runlevel 5.
Any ideas?
Thanks!
17 years, 10 months
1105 fails to boot....
by Tom London
Running strict/enforcing, latest rawhide:
After installing latest packages, relabeling /etc, /bin, /lib, ....
and rebooting, the system produces lots of udev type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'
Boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type
bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied
{ read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17
scontext=system_u:system_r:hostname_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type
usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs
ino=17 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon name=customizable_types
dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied
{ read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied
{ use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied
{ read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652,
dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070
ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd:
ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using
/var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
17 years, 10 months
SELinux errors: invalid context & inode_doinit_with_dentry: context_to_sid() returned 22
by Vladimir G. Ivanovic
I posted this message to the fedora-list mailing list, but I haven't
as of yet gotten any answer. Could someone here shed some light on the
errors I'm seeing?
Thanks.
--- Vladimir
To: fedora-list(a)redhat.com
Date: Wed, 26 Oct 2005 00:30:15 -0700
Subject: SELinux errors
I'm getting lots of errors like:
/etc/selinux/targeted/contexts/files/file_contexts: line 1851 has invalid context system_u:object_r:texrel_shlib_t
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 14 has invalid context user_u:object_r:user_home_dir_t
when I run "rpm -V selinux-policy-targeted". (As far as I can tell,
every non-null, non-comment line in /etc/..../files/* generates an
error.)
In my syslog I have thousands of errors like:
Oct 26 00:21:16 bach kernel: inode_doinit_with_dentry: context_to_sid(system_u:object_r:policy_src_t:s0) returned 22 for dev=sda4 ino=1145588
Oct 26 00:21:16 bach kernel: inode_doinit_with_dentry: context_to_sid(system_u:object_r:policy_src_t:s0) returned 22 for dev=sda4 ino=266929
which I assume are related.
I've tried reinstalling the RPMs selinux-policy-targeted and
selinux-policy-targeted-sources, and then booting with selinux=0,
running "fixfiles relabel" and then rebooting normally. No change.
I've tried googling, but I didn't find anything. Any advice (other
than turning SELinux off)?
Thanks.
--- Vladimir
kernel-smp-2.6.13-1.1532_FC4
checkpolicy-1.23.1-1
libselinux-1.26-1
libselinux-devel-1.26-1
policycoreutils-1.27.2-1.2
selinux-doc-1.19.5-1
selinux-policy-strict-1.27.1-2.6
selinux-policy-strict-sources-1.27.1-2.6
selinux-policy-targeted-1.27.1-2.6
selinux-policy-targeted-sources-1.27.1-2.6
setools-2.1.2-1.1
--
Vladimir G. Ivanovic
Palo Alto, CA 94306
+1 650 678 8014
17 years, 10 months
Rotate audit log?
by Matthew Saltzman
Is there a reason not to include /var/log/audit/audit.log in the logrotate
regime? If not, what would need to go in a logrotate script to get
selinux to start a new log file?
Thanks.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
17 years, 10 months
More MCS
by Gene Czarcinski
I tried setting a category on a directory in /tmp and then (with touch)
creating a file under that directory. So far so good.
I then ssh'ed into the system as another user which does not have those
categories defined in seusers. This user could access the file. This sounds
like a bug to me.
Also, is there a way that a category value can be propagated to all
files/directories below it?
Gene
17 years, 11 months
Webdav problems in enforcing mode in Raw Hide
by Nicolas Mailhot
Hi,
I've just tested webdav in enforcing mode on Fedora Devel and it
doesn't work:
- apache needs rw access on /srv (don't know where the default dav root
should be, I put it in srv since it seems the FHS wants this kind of
stuff there)
type=AVC msg=audit(1130749513.951:3772): avc: denied { read } for
pid=11759 comm="httpd" name="nim" dev=dm-0 ino=1048598
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0
tclass=dir
type=SYSCALL msg=audit(1130749513.951:3772): arch=c000003e syscall=2
success=no exit=-13 a0=5555558ca410 a1=10800 a2=5555558c7ff8
a3=5555558c58a7 items=1 pid=11759 auid=4294967295 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"
exe="/usr/sbin/httpd"
- it also needs rw access to its default /var/lib/dav/lockdb.dir
type=AVC msg=audit(1130749738.930:3777): avc: denied { write } for
pid=11766 comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524
scontext=root:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1130749738.930:3777): arch=c000003e syscall=2
success=no exit=-13 a0=5555558c7580 a1=42 a2=1b6 a3=3 items=1 pid=11766
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1130749738.930:3777): cwd="/"
type=PATH msg=audit(1130749738.930:3777): item=0
name="/var/lib/dav/lockdb.dir" flags=310 inode=2392223 dev=fd:00
mode=040700 ouid=48 ogid=48 rdev=00:00
On another topic I still have spamassassin procmail problems:
type=CWD msg=audit(1130749836.551:3779): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749836.551:3779): item=0 name="/usr/bin/spamc"
flags=1 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.979:3780): avc: denied { execute } for
pid=11852 comm="procmail" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.979:3780): arch=c000003e syscall=59
success=no exit=-13 a0=51c1d1 a1=51c170 a2=51bfc0 a3=51c1d1 items=1
pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
type=CWD msg=audit(1130749839.979:3780): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.979:3780): item=0 name="/usr/bin/spamc"
flags=101 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.983:3781): avc: denied { getattr } for
pid=11852 comm="sh" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.983:3781): arch=c000003e syscall=4 success=no
exit=-13 a0=6bf780 a1=7fffffefb5c0 a2=7fffffefb5c0 a3=2 items=1
pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1130749839.983:3781): path="/usr/bin/spamc"
type=CWD msg=audit(1130749839.983:3781): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.983:3781): item=0 name="/usr/bin/spamc"
flags=1 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
Package versions:
selinux-policy-targeted-1.27.2-10
libselinux-1.27.17-1
Regards,
--
Nicolas Mailhot
17 years, 11 months
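An added example, not from any of the posts and not from the audit tools: a Python parser for the three AVC line shapes that appear in the swap/LVM, "1105 fails to boot" and webdav posts above (bare kernel audit(), syslog-prefixed kernel, and auditd type=AVC), tallying denials by source type, target type, class and permission. The sample lines are constructed copies of records from this page, one record per line since the archive wraps them.

```python
"""Parse SELinux AVC denials (kernel-log and auditd formats) and tally them."""
import re
from collections import Counter
from typing import Iterable, Optional
# Constructed sample: one record per line (the archive above wraps them),
# covering the three line shapes seen in the posts on this page.
SAMPLE_LOG = [
    'audit(1130670344.636:4): avc: denied { read } for pid=919 comm="restorecon" '
    'name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    'Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for '
    'pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t '
    'tcontext=system_u:system_r:kernel_t tclass=fd',
    'type=AVC msg=audit(1130749738.930:3777): avc: denied { write } for pid=11766 '
    'comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524 scontext=root:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1130749738.930:3777): arch=c000003e syscall=2 success=no exit=-13',
]

_AVC = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse_avc(line: str) -> Optional[dict]:
    """Return the AVC record as a dict, or None if the line is not an AVC."""
    m = _AVC.search(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "serial": m.group("serial"),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in _FIELD.findall(m.group("fields")):
        rec[key] = val.strip('"')       # comm="httpd" -> httpd
    return rec
def context_type(ctx: str) -> str:
    """user:role:type[:level] -> type, the field policy rules are written on."""
    return ctx.split(":")[2]

def tally_denials(lines: Iterable[str]) -> Counter:
    """Count denials by (source type, target type, class, permission): the
    quadruple you need when deciding whether a rule or a label is wrong."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(context_type(rec["scontext"]), context_type(rec["tcontext"]),
                    rec["tclass"], perm)] += 1
    return counts
```

Feeding the tally output to a policy check is the quickest way to separate a genuine missing rule (httpd_t writing var_lib_t) from a mislabelled object (restorecon_t hitting a swap volume labelled fixed_disk_device_t).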
RE: More MCS
by chanson@TrustedCS.com
> Hmmm...the current MLS logic inherits from the process'
> effective/current/low level rather than from the parent directory.
That is correct for MLS :)
-Chad
17 years, 11 months
MCS
by Gene Czarcinski
OK, I am starting to work with MCS.
First I added some categories to setrans.conf:
s0:c1=moonbeam
s0:c2=test2
s0:c3=test3
Then I added a user to seusers:
gc:user_r:s0:c0.c15
Then I logged into that user.
All new (written to?) files get created with s0:c0.c15 like:
-rw-r--r-- gc gc user_u:object_r:user_home_t:s0:c0.c15
bookmarks1.html
including some in /tmp:
drwx------ gc gc user_u:object_r:tmp_t:s0:c0.c15 orbit-gc
drwx------ gc gc user_u:object_r:tmp_t:s0:c0.c15 gconfd-gc
Shouldn't they default to nothing and only get set if I do a chcat?
BTW, I seem to remember that there were some gripe messages during bootup
about the files in /tmp ... nothing in /var/log/* or dmesg.
Bug, feature, or what am I doing wrong?
Gene
17 years, 11 months
strict policy does not compile
by Richard Hally
Below is an error from updating strict policy sources from today's
rawhide. The same error occurs when doing a "make reload" in the policy
directory.
Updating : selinux-policy-strict-source ####################### [26/55]
initial_sid_contexts:9:ERROR 'unknown category s0' at token 'sid' on
line 427891:
sid kernel system_u:system_r:kernel_t:s0:s0
sid security system_u:object_r:security_t:s0:s0
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/strict/policy/policy.20] Error 1
Richard Hally
17 years, 11 months
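An added example, not from the posts and not from checkpolicy or mcstransd: a Python parser for MCS levels such as the s0:c0.c15 range in the "MCS" and "More MCS" posts above, with the category-dominance check those posts are exercising and an exact-match lookup against the setrans.conf names from the "MCS" post, and which rejects the s0:s0 form from the strict-policy error just above with the same "unknown category" complaint. The setrans table and the contexts in the checks are constructed from values on this page.

```python
"""Parse MCS levels such as s0:c0.c15 and apply the category-dominance rule."""
import re
from typing import Dict, Set, Tuple
_SENS = re.compile(r"^s(\d+)$")
_CAT = re.compile(r"^c(\d+)$")
# Constructed copy of the setrans.conf lines in the MCS post: level -> name.
SETRANS = {"s0:c1": "moonbeam", "s0:c2": "test2", "s0:c3": "test3"}

def parse_level(level: str) -> Tuple[int, Set[int]]:
    """'s0:c0.c15,c20' -> (0, {0, ..., 15, 20}). A range 'cA.cB' is inclusive;
    a malformed entry such as 's0:s0' is rejected with checkpolicy's wording."""
    sens, _, cats = level.partition(":")
    m = _SENS.match(sens)
    if not m:
        raise ValueError(f"unknown sensitivity {sens!r}")
    categories: Set[int] = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        mlo, mhi = _CAT.match(lo), _CAT.match(hi or lo)
        if not (mlo and mhi):
            raise ValueError(f"unknown category {part}")
        categories.update(range(int(mlo.group(1)), int(mhi.group(1)) + 1))
    return int(m.group(1)), categories

def level_of(context: str) -> str:
    """user:role:type:level -> level (the part after the third colon)."""
    parts = context.split(":", 3)
    if len(parts) < 4:
        raise ValueError(f"context has no MLS/MCS level: {context}")
    return parts[3]

def mcs_allows(process_ctx: str, file_ctx: str) -> bool:
    """MCS dominance: the process must hold every category the file carries
    (and at least its sensitivity). A process at plain s0 therefore may not
    touch a file at s0:c1, which is the outcome the 'More MCS' post expected."""
    psens, pcats = parse_level(level_of(process_ctx))
    fsens, fcats = parse_level(level_of(file_ctx))
    return psens >= fsens and fcats <= pcats

def translate(level: str, table: Dict[str, str] = SETRANS) -> str:
    """Map a level to its setrans.conf name by comparing parsed levels, so a
    different spelling of the same set (e.g. 'c1' vs 'c1.c1') still matches;
    levels without an entry are returned unchanged."""
    parsed = parse_level(level)
    for raw, name in table.items():
        if parse_level(raw) == parsed:
            return name
    return level
```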