trying to use MCS
by Gene Czarcinski
OK, I have "current" development installed and now I want to start playing
with MCS.
I have figured out that running targeted is also running MCS ... good so far.
As root, I can change categories with chcon and chcat. Defining some "test"
categories in setrans.conf takes effect immediately and that works ... as
root.
BUT, as a "regular user", I cannot seem to do anything. How do I define what
users can use what categories?
Sorry if I am a bit dense but I could find nothing about this searching this
or other related mailing lists.
Gene
18 years, 6 months
procmail is not allowed to talk to spamassassin
by Nicolas Mailhot
Hi,
Looking at the audit logs I see several:
type=AVC msg=audit(1130513065.226:40): avc: denied { execute } for
pid=2935 comm="procmail" name="spamc" dev=dm-0 ino=3349141
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
Shouldn't procmail be allowed to talk to spamassassin? It's a common
enough usage pattern.
(system is up-to-date rawhide, selinux-policy-targeted-1.27.2-8)
Regards,
--
Nicolas Mailhot
18 years, 6 months
Getting "Inappropriate ioctl" :during initrd stage of booting.
by Aggarwal, VikasX
Hi,
Please tell me if there is a way to turn off selinux after full
installation but before first boot.
I have a daemon which needs to do ioctl during initrd.
daemon + related-driver is already inserted into a new-initrd.
Daemon can do ioctl during normal operation of a running machine, but
will get "Inappropriate ioctl for device /dev/iscsictl" if built into
initrd.
It's just a control interface to a software iscsi driver and the daemon
needs to pass some handler during the initrd stage.
I already tried passing selinux=0, enforcing=0, disable=1. But it looks
like the selinux policy disallowing ioctl during initrd is built into the kernel.
I have little knowledge in this area. I will appreciate any ideas for a
workaround.
thanks
-vikas
18 years, 6 months
Port to use in MTA when communicating with mail filter ?
by Nicolas Mailhot
Hi,
I'm using postfix with the amavisd-new spam/virus mail filter. In this
type of configuration the MTA sends every processed mail to the filter
daemon on one port, and receives the result of the filtering on another.
The online documentation is not too clear, but the commonly used ports
seem to be on the 10024-10026 range. In my setup the MTA listens on port
10026 and the filter on port 10025.
Unfortunately that means the selinux policy in Raw Hide blocks postfix
startup:
Oct 23 11:56:21 rousalka postfix/master[2076]: fatal: bind 127.0.0.1
port 10026: Permission denied
Therefore, I'd like to know:
1. if a port has already been allocated in the Fedora Devel targeted
policy for MTA <- filter communication
2. if yes which one is it so I make my installation conformant
3. if not would it be possible to add it? I'm ready to poll the
postfix/amavisd-new lists to find out what the canonical port to use
would be.
Regards,
--
Nicolas Mailhot
18 years, 6 months
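The first of Nicolas's three questions, whether a port is already allocated to some type in the policy, is one a practitioner can answer locally by reading `semanage port -l`. The following is an added example written for this page, not code from the post or from the Fedora policy: it parses that listing (type, protocol, then comma-separated ports and `low-high` ranges) and reports every type whose assignment covers a given port, most specific first. The listing embedded below is a constructed sample; `example_filter_port_t` is a placeholder name and the port sets are made up, although `http_port_t`, `smtp_port_t` and `unreserved_port_t` are real type names.

```python
"""Check whether a TCP/UDP port is already assigned to a type in the loaded
SELinux policy by parsing `semanage port -l` output.  Added example for this
page, not code from the post; the listing below is a constructed sample and
example_filter_port_t is a placeholder, not a real type."""
import re

# Constructed sample of `semanage port -l` output.  http_port_t, smtp_port_t and
# unreserved_port_t are real type names; the port sets and the
# example_filter_port_t line are made up for this example.
SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number

example_filter_port_t          tcp      10024-10025
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
smtp_port_t                    tcp      25, 465, 587
unreserved_port_t              tcp      1024-65535
unreserved_port_t              udp      1024-65535
"""

# One data line: type name, protocol, then the port list.  The header line
# ("SELinux Port Type  Proto  Port Number") fails the protocol alternation.
LINE_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<proto>tcp|udp|dccp|sctp)\s+(?P<ports>.+)$")


def parse_port_listing(text):
    """Return [(type, proto, low, high), ...]; a single port has low == high."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header, blank or unrecognised line
            continue
        for item in m.group("ports").split(","):
            low, _, high = item.strip().partition("-")
            entries.append((m.group("type"), m.group("proto"),
                            int(low), int(high or low)))
    return entries


def lookup_port(entries, proto, port):
    """All types whose assignment covers (proto, port), narrowest range first.

    A result of only a catch-all range such as unreserved_port_t means no
    specific type claims the port yet."""
    hits = [(high - low, typ) for typ, p, low, high in entries
            if p == proto and low <= port <= high]
    return [typ for _, typ in sorted(hits)]


if __name__ == "__main__":
    table = parse_port_listing(SAMPLE_LISTING)
    for port in (10025, 10026):
        print(port, "->", lookup_port(table, "tcp", port) or "unassigned")
```

On a live system the input comes from `semanage port -l` rather than the constructed string. In the sample, 10025 is covered by both the placeholder filter type and the `unreserved_port_t` range, while 10026 is covered only by the range, which is the "nothing specific allocated" case Nicolas is asking about; the usual follow-up for such a port is `semanage port -a -t <type> -p tcp <port>` once the right type is known.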
Re: fedora-selinux-list Digest, Vol 20, Issue 18
by Jayendren Anand Maduray
Greetings fellow travellers.
Could someone please help me with the following errors:
audit(1129788324.500:0): avc: denied { execute } for pid=3105
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc: denied { execute } for pid=3106
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.507:0): avc: denied { execute } for pid=3107
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.510:0): avc: denied { execute } for pid=3108
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.514:0): avc: denied { execute } for pid=3109
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.517:0): avc: denied { execute } for pid=3110
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.521:0): avc: denied { execute } for pid=3111
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.522:0): avc: denied { execute } for pid=3112
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.528:0): avc: denied { execute } for pid=3113
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.529:0): avc: denied { execute } for pid=3114
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
These errors are from dmesg, and occurred after compiling and installing
squidclam from source.
Here is the output of selinuxconf:
[root@shiva jay]# selinuxconfig
selinux state="enforcing"
policypath="/etc/selinux/targeted"
default_type_path="/etc/selinux/targeted/contexts/default_type"
default_context_path="/etc/selinux/targeted/contexts/default_contexts"
default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
binary_policy_path="/etc/selinux/targeted/policy/policy"
user_contexts_path="/etc/selinux/targeted/contexts/users/"
contexts_path="/etc/selinux/targeted/contexts"
Output of uname -a:
[root@shiva jay]# uname -a
Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686
i386 GNU/Linux
Any help would be greatly appreciated.
God bless.
fedora-selinux-list-request(a)redhat.com wrote:
>Send fedora-selinux-list mailing list submissions to
> fedora-selinux-list(a)redhat.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>or, via email, send a message with subject or body 'help' to
> fedora-selinux-list-request(a)redhat.com
>
>You can reach the person managing the list at
> fedora-selinux-list-owner(a)redhat.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of fedora-selinux-list digest..."
>
>
>Today's Topics:
>
> 1. Re: mailman cgi-bin denied search (Tim Fenn)
> 2. Preserving Context with tar (W. Scott wilburn)
> 3. Re: mailman cgi-bin denied search (Daniel J Walsh)
> 4. Re: Preserving Context with tar (Daniel J Walsh)
> 5. Re: mailman cgi-bin denied search (Tim Fenn)
> 6. Re: Preserving Context with tar (Stephen Smalley)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Wed, 19 Oct 2005 13:49:47 -0700
>From: Tim Fenn <fenn(a)stanford.edu>
>Subject: Re: mailman cgi-bin denied search
>To: Daniel J Walsh <dwalsh(a)redhat.com>
>Cc: fedora-selinux-list(a)redhat.com
>Message-ID: <20051019204947.GC6466(a)stanford.edu>
>Content-Type: text/plain; charset=us-ascii
>
>On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>
>
>>Tim Fenn wrote:
>>
>>
>>>I recently installed mailman on my FC3 box (using the redhat based
>>>RPMs), and it seems to be working just fine, except for the numerous
>>>avc messages it cranks out whenever I run one of the cgi scripts
>>>associated with mailman (e.g. via the web interface):
>>>
>>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>{ search } for pid=18761 comm="listinfo" name="run" dev=sda1
>>>ino=1294372 scontext=root:system_r:mailman_cgi_t
>>>tcontext=system_u:object_r:var_run_t tclass=dir
>>>
>>>
>>>
>>Why would mailman listinfo be searching /var/log directory?
>>
>>
>>
>
>Well, I get the same errors with mailmanctl:
>
>./mailmanctl status
>
>yields no output, and the following errors:
>Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>{ read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
>ino=5 scontext=root:system_r:mailman_mail_t
>tcontext=root:object_r:devpts_t tclass=chr_file
>Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>{ search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
>ino=1294372 scontext=root:system_r:mailman_mail_t
>tcontext=system_u:object_r:var_run_t tclass=dir
>Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>{ setgid } for pid=20837 comm="mailmanctl" capability=6
>scontext=root:system_r:mailman_mail_t
>tcontext=root:system_r:mailman_mail_t tclass=capability
>
>However, if I comment out:
>
>from Mailman.Logging.Syslog import syslog
>
>in the mailmanctl script, all is well:
>
># ./mailmanctl status
>mailman (pid 17677) is running...
>
>and no error messages. I would assume the same is true with the
>cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>
>Regards,
>Tim
>
>
>
>------------------------------
>
>Message: 2
>Date: Wed, 19 Oct 2005 15:56:06 -0600
>From: "W. Scott wilburn" <wilburn(a)lanl.gov>
>Subject: Preserving Context with tar
>To: fedora-selinux-list(a)redhat.com
>Message-ID: <20051019215606.GE4717(a)wilburn.lanl.gov>
>Content-Type: text/plain; charset=us-ascii
>
>Sorry to be asking such a simple question. Is it possible to preserve
>file contexts using tar? I would have thought -p would do this, but
>it appears not, at least on RHEL4 and FC4.
>
>The reason to do this is I use tar to install modified config files on
>new machines. Having to relabel after doing this is somewhat slow.
>Perhaps there is a better solution?
>
>Thanks,
>Scott Wilburn
>
>
>
>------------------------------
>
>Message: 3
>Date: Wed, 19 Oct 2005 22:31:36 -0400
>From: Daniel J Walsh <dwalsh(a)redhat.com>
>Subject: Re: mailman cgi-bin denied search
>To: Daniel J Walsh <dwalsh(a)redhat.com>, fedora-selinux-list(a)redhat.com
>Message-ID: <43570188.5060201(a)redhat.com>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Tim Fenn wrote:
>
>
>>On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>
>>
>>
>>>Tim Fenn wrote:
>>>
>>>
>>>
>>>>I recently installed mailman on my FC3 box (using the redhat based
>>>>RPMs), and it seems to be working just fine, except for the numerous
>>>>avc messages it cranks out whenever I run one of the cgi scripts
>>>>associated with mailman (e.g. via the web interface):
>>>>
>>>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>>{ search } for pid=18761 comm="listinfo" name="run" dev=sda1
>>>>ino=1294372 scontext=root:system_r:mailman_cgi_t
>>>>tcontext=system_u:object_r:var_run_t tclass=dir
>>>>
>>>>
>>>>
>>>>
>>>Why would mailman listinfo be searching /var/log directory?
>>>
>>>
>>>
>>>
>>Well, I get the same errors with mailmanctl:
>>
>>./mailmanctl status
>>
>>yields no output, and the following errors:
>>Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>>{ read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
>>ino=5 scontext=root:system_r:mailman_mail_t
>>tcontext=root:object_r:devpts_t tclass=chr_file
>>Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>>{ search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
>>ino=1294372 scontext=root:system_r:mailman_mail_t
>>tcontext=system_u:object_r:var_run_t tclass=dir
>>Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>>{ setgid } for pid=20837 comm="mailmanctl" capability=6
>>scontext=root:system_r:mailman_mail_t
>>tcontext=root:system_r:mailman_mail_t tclass=capability
>>
>>However, if I comment out:
>>
>>from Mailman.Logging.Syslog import syslog
>>
>>in the mailmanctl script, all is well:
>>
>># ./mailmanctl status
>>mailman (pid 17677) is running...
>>
>>and no error messages. I would assume the same is true with the
>>cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>>
>>Regards,
>>Tim
>>
>>
>>
>Yes, submit a bug. Although generating these in FC4 would be far more
>interesting. Also, do these AVC messages cause problems or are they just
>being reported? No output from the script is fixed in FC4.
>
>
>
>
>
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za
18 years, 6 months
avahi - needs transition?
by Tom London
Running targeted/enforcing, latest rawhide.
The avahi-daemon fails to start:
Oct 27 14:47:39 localhost avahi-daemon[2279]: Found user 'avahi' (UID
70) and group 'avahi' (GID 70).
Oct 27 14:47:39 localhost avahi-daemon[2279]: Successfully dropped
root privileges.
Oct 27 14:47:39 localhost avahi-daemon[2279]: avahi-daemon 0.5.2 starting up.
Oct 27 14:47:39 localhost avahi-daemon[2279]: dbus_bus_get(): Failed
to connect to socket /var/run/dbus/system_bus_socket: No such file or
directory
Works OK in permissive mode, but 'ps -Z' shows the daemon is running
in initrc_t. Shouldn't there be a transition to something like howl_t
or some such?
tom
--
Tom London
18 years, 6 months
AWStats
by Mickey Hill
Hi all,
I have installed awstats (an httpd log file analyzer) from Extras and am
having some SELinux issues. I've gotten the same results on FC4 and
Rawhide, using current packages and unchanged config files. Below are
the steps I went through to get it working. Could someone more
knowledgeable provide some feedback on this, or point me in the right
direction? Is there a better or more correct way to do this? Is this
something that could or should be added to the policy?
/usr/share/awstats/wwwroot/cgi-bin/awstats.pl is run as a CGI script by
httpd, but is denied.
# ls -Z /usr/share/awstats/wwwroot/cgi-bin/
-rwxr-xr-x root root system_u:object_r:usr_t
awredir.pl
-rwxr-xr-x root root system_u:object_r:usr_t
awstats.pl
Changing the type gets the script running:
# chcon -t httpd_sys_script_exec_t /usr/share/awstats/wwwroot/cgi-bin/*
# ls -Z /usr/share/awstats/wwwroot/cgi-bin/
-rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
awredir.pl
-rwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
awstats.pl
However, the script reports an error.
Error: AWStats database directory defined in config file by 'DirData'
parameter (/var/lib/awstats) does not exist or is not writable.
# ls -Z /var/lib
...
drwxr-xr-x root root system_u:object_r:var_lib_t awstats
...
Changing the type allows the script to run:
# chcon -t httpd_sys_script_rw_t /var/lib/awstats
# ls -Z /var/lib
...
drwxr-xr-x root root system_u:object_r:httpd_sys_script_rw_t
awstats
...
Any thoughts?
Thanks,
--
Mickey Hill <mickey(a)mickeyhill.com>
18 years, 6 months
Exporting NTFS filesystems over NFS
by Göran Uddeborg
The policy apparently does not allow exporting an NTFS filesystem over
NFS. I can't see any obvious reason for this choice, but maybe there
is something I miss. Is this intentional, or is it a mistake? Or in
other words, should I bugzilla or only figure out how to change it for
myself?
The error message I get trying to export an NTFS filesystem is included
below. (If I go into permissive mode everything works as expected.)
type=AVC msg=audit(1130008471.475:403): avc: denied { getattr } for pid=9034 comm="exportfs" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:dosfs_t tclass=dir
type=SYSCALL msg=audit(1130008471.475:403): arch=40000003 syscall=196 success=no exit=-13 a0=ffffb80b a1=ffffb76c a2=f7fc2ff4 a3=8052712 items=1 pid=9034 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="exportfs" exe="/usr/sbin/exportfs"
type=AVC_PATH msg=audit(1130008471.475:403): path="/mnt/remote/teddi"
type=CWD msg=audit(1130008471.475:403): cwd="/etc/selinux/strict/contexts/users"
type=PATH msg=audit(1130008471.475:403): item=0 name="/mnt/remote/teddi" flags=0 inode=5 dev=08:01 mode=040555 ouid=0 ogid=0 rdev=00:00
18 years, 6 months
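The procmail, squid and exportfs posts above all turn on the same three facts buried in an AVC record: which domain was running, which permission on which object class was refused, and which type the object carried. Reading those out by hand across ten near-identical squid lines is error-prone, and the target type is what separates a labelling problem (an executable under squid's feet still carrying the generic `usr_t`) from a question for the policy maintainers (`nfsd_t` versus `dosfs_t`). The following is an added example written for this page, not code from any of the posts or from the audit tools: it parses both the bare `audit(...)` form that FC3's dmesg produced and the `type=AVC msg=audit(...)` form of the newer posts, attaches `AVC_PATH` records to their denial by event id, and collapses repeats into one line each. The sample records are copied from the posts; the parser and summariser are mine.

```python
"""Parse Linux audit AVC denials like the ones quoted in this thread and
collapse repeated denials into one summary row per (process, source domain,
permissions, target type, object class).  Added example for this page, not
code from any of the posts; the sample records are copied from the posts."""
import re
from collections import Counter

# Sample audit records copied from the procmail, squid and exportfs posts on
# this page (only two of the ten squid lines are kept).  The SYSCALL record is
# included deliberately: it carries no AVC data and must be skipped.
SAMPLE_RECORDS = """
type=AVC msg=audit(1130513065.226:40): avc: denied { execute } for pid=2935 comm="procmail" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
audit(1129788324.500:0): avc: denied { execute } for pid=3105 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc: denied { execute } for pid=3106 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
type=AVC msg=audit(1130008471.475:403): avc: denied { getattr } for pid=9034 comm="exportfs" name="/" dev=sda1 ino=5 scontext=root:system_r:nfsd_t tcontext=system_u:object_r:dosfs_t tclass=dir
type=SYSCALL msg=audit(1130008471.475:403): arch=40000003 syscall=196 success=no exit=-13 pid=9034 uid=0 comm="exportfs" exe="/usr/sbin/exportfs"
type=AVC_PATH msg=audit(1130008471.475:403): path="/mnt/remote/teddi"
"""

# "audit(<secs>.<msecs>:<serial>)" identifies one event; the AVC, SYSCALL and
# AVC_PATH records of that event share it.  Old kernels logged serial 0 for
# everything (see the squid lines), so the timestamp stays part of the key.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
PATH_RE = re.compile(
    r'type=AVC_PATH\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'\s*path="(?P<path>[^"]*)"')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value maybe quoted


def type_of(context):
    """A context is user:role:type[:range]; the type is the third field."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(m.group("perms").split())
    rec["event"] = (m.group("ts"), m.group("serial"))
    return rec


def parse_audit(text):
    """Parse a block of audit lines; attach AVC_PATH paths to their denials."""
    denials, paths = [], {}
    for line in text.splitlines():
        line = line.strip()
        pm = PATH_RE.search(line)
        if pm:
            paths[(pm.group("ts"), pm.group("serial"))] = pm.group("path")
            continue
        rec = parse_avc(line)
        if rec:
            denials.append(rec)
    for rec in denials:
        rec["path"] = paths.get(rec["event"])  # None when no AVC_PATH logged
    return denials


def summarize(denials):
    """Collapse repeats: one row per distinct denial, most frequent first."""
    counts = Counter()
    for d in denials:
        process = d.get("comm") or d.get("exe", "?")  # FC3 lines carry exe= only
        key = (process, type_of(d["scontext"]), d["perms"],
               type_of(d["tcontext"]), d["tclass"])
        counts[key] += 1
    return [key + (n,) for key, n in counts.most_common()]


def describe(row):
    """Human-readable form of one summary row."""
    process, sdom, perms, ttype, tclass, n = row
    return (f"{n}x {process} running as {sdom} denied {{ {' '.join(perms)} }} "
            f"on {tclass} labelled {ttype}")


if __name__ == "__main__":
    for row in summarize(parse_audit(SAMPLE_RECORDS)):
        print(describe(row))
```

Run on the full dmesg or `/var/log/audit/audit.log` output instead of the constructed string, the summary reads as one line per distinct denial, which is also the form that is useful in a bug report: the reporter's ten squid lines become "2x /usr/sbin/squid running as squid_t denied { execute } on file labelled usr_t" (10x on the real log), and the path from `AVC_PATH`, when the kernel logged one, is kept on each denial for the cases where the object's current label needs checking with `ls -Z`.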
Red Hat Government Users Conference.
by Daniel J Walsh
FYI: James and I will be speaking on SELinux next week at the Red Hat
Government Users Conference in Washington DC.
http://www.dlt.com/rhguc/
I will be giving an SELinux overview talk, and James and I will be
running a BOF on SELinux.
If you are at the conference stop by and say hello.
Dan
--
18 years, 6 months
SElinux activation on FC3 to FC4 update
by Daniel Paul
Hello,
I recently upgraded one of our FC3 boxes to FC4 via the normal update
procedure. Unlike the FC3 installation wizard, the FC4 wizard didn't ask
me if I wanted to activate the SElinux feature. What is the preferred way to
activate the SElinux layer on a normal FC4 system? Do I simply install the
selinux-policy-targeted package?
Thank you in advance,
Daniel Paul
18 years, 6 months