List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
16 years, 11 months
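The post above asks for a readable list of object classes and their permissions; the one place they are defined is the flask/access_vectors file, and its syntax is small enough to parse directly. The following is an added example, not code from the post or from the SELinux project: it reads access_vectors-style text (a `common NAME { ... }` block defines a reusable permission set; `class NAME [inherits COMMON] [{ ... }]` defines a class whose permissions are the inherited set followed by its own) and produces a class-to-permissions table. SAMPLE is a constructed excerpt written in that syntax, not the real file; point `parse_access_vectors` at the actual file to get the complete list.

```python
"""Extract SELinux object classes and their permissions from an
access_vectors-style definition (added example, constructed sample)."""
import re

SAMPLE = """\
# constructed excerpt in access_vectors syntax (not the real file)
common file
{
    ioctl
    read
    write
    create
    getattr
    setattr
    lock
    relabelfrom
    relabelto
    append
    unlink
    link
    rename
    execute
}

class dir
inherits file
{
    add_name
    remove_name
    reparent
    search
    rmdir
}

# a class may inherit a common set and add nothing of its own
class fifo_file
inherits file

class tcp_socket
{
    name_bind
    name_connect
}
"""

TOKEN_RE = re.compile(r"[{}]|[A-Za-z_][A-Za-z0-9_]*")


def tokenize(text):
    """Drop '#' comments and split the rest into braces and identifiers."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(TOKEN_RE.findall(line.split("#", 1)[0]))
    return tokens


def _read_block(tokens, i):
    """Read a '{ perm perm ... }' block starting at tokens[i].
    Returns (perms, index of the token after the closing brace)."""
    if tokens[i] != "{":
        raise ValueError(f"expected '{{' at token {i}, got {tokens[i]!r}")
    i += 1
    perms = []
    while tokens[i] != "}":
        perms.append(tokens[i])
        i += 1
    return perms, i + 1


def parse_access_vectors(text):
    """Return (commons, classes).  commons maps a common name to its permission
    list; classes maps each class to its full permission list, inherited
    permissions first, in file order."""
    tokens = tokenize(text)
    commons, classes = {}, {}
    i = 0
    while i < len(tokens):
        keyword = tokens[i]
        if keyword == "common":
            name = tokens[i + 1]
            commons[name], i = _read_block(tokens, i + 2)
        elif keyword == "class":
            name = tokens[i + 1]
            i += 2
            perms = []
            if i < len(tokens) and tokens[i] == "inherits":
                perms = list(commons[tokens[i + 1]])  # unknown common -> KeyError
                i += 2
            if i < len(tokens) and tokens[i] == "{":
                own, i = _read_block(tokens, i)
                perms += own
            classes[name] = perms
        else:
            raise ValueError(f"unexpected token {keyword!r}")
    return commons, classes


def classes_granting(classes, permission):
    """Classes whose permission set includes `permission`, e.g. the 'search'
    named in an AVC 'denied { search }' message."""
    return sorted(cls for cls, perms in classes.items() if permission in perms)


if __name__ == "__main__":
    commons, classes = parse_access_vectors(SAMPLE)
    for cls, perms in classes.items():
        print(f"{cls}: {' '.join(perms)}")
    print("classes with 'search':", classes_granting(classes, "search"))
```

The same permission name can mean different things per class (a `dir` `search` is not a `tcp_socket` `name_bind`), which is why the table is keyed by class; `classes_granting` answers the reverse question a denial message raises.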
RE: Problems with httpd and SElinux.
by Dan Thurman
>From: fedora-selinux-list-bounces(a)redhat.com
>[mailto:fedora-selinux-list-bounces@redhat.com]On Behalf Of Daniel B.
>Thurman
>Sent: Tuesday, November 08, 2005 3:43 PM
>To: Robert Cahn; Daniel J Walsh
>Cc: fedora-list(a)redhat.com; fedora-selinux-list(a)redhat.com
>Subject: RE: Problems with httpd and SElinux.
>
>
>>From: Daniel J Walsh [mailto:dwalsh@redhat.com]
>>Sent: Monday, November 07, 2005 9:30 AM
>>To: Daniel B. Thurman
>>Cc: fedora-selinux-list(a)redhat.com
>>Subject: Re: Problems with httpd and SElinux.
>>
>>
>>Daniel B. Thurman wrote:
>>> Folks,
>>>
>>> I was asked to post this information here. To explain things,
>>> I have installed FrontPage extensions on FC4 but not realizing
>>> that I had to disable SElinux for httpd first, but to make
>>> a long story short, I was able to install FP and then restore
>>> SElinux protections for httpd, but on reboot, SElinux refused
>>> to allow httpd to start and I suspect it had something to do
>>> with the FrontPage additions to the /etc/httpd/conf/httpd.conf
>>> file. I currently have SElinux protections turned off for
>>> https. Below is the audit file, hope it helps show the problem.
>>>
>>> type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for pid=4946 comm="httpd" src=8090
>>> scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
>>> type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218
>>> a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
>>> type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
>>> type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
>>>
>>> Kind regards,
>>> Dan
>>>
>>>
>>We do not currently allow apache to listen on port 8090,
>>but this looks legitimate, so I will add to policy.
>>You can install policy (selinux-policy-targeted-sources
>>for now and add a line to:
>>/etc/selinux/targeted/src/policy/domains/misc/local.te
>>portcon tcp 8090 system_u:object_r:http_port_t
>>
>>Then execute make -c /etc/selinux/targeted/src/policy load
>>
>>and you should be able to use that port.
>>
>
>The information you gave me above does not work. I got all
>sorts of compile errors. BTW, the make should be "make -C".
>
>From Paul Howarth, I tried:
>=============================================
>If you want httpd to be able to listen on port 8090, and you have the
>policy sources installed, you can do this by adding the following line
>to /etc/selinux/targeted/src/policy/net_contexts:
>
>portcon tcp 8090 system_u:object_r:http_port_t
>
>Then you need to compile and reload the security contexts:
># make -C /etc/selinux/targeted/src/policy reload
>=============================================
>
>This all compiles fine now.
>
>Testing to see if httpd can now restart with the new policies:
>1) setsebool -P httpd_disable_trans 0
>2) Restart httpd for this to take effect: service httpd restart
>
>Httpd can restart with no failure messages. The httpd server
>now runs fine.
>
>HOWEVER - Testing FrontPage client against my FC4 box FAILS to
>connect and the reason revealed in /var/log/httpd/error_log:
>
>[Tue Nov 08 15:25:40 2005] [error] (13)Permission denied:
>Could not create key file
>"/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in
>FrontPageInit(). Until this problem is fixed, the FrontPage
>security patch is disabled and the FrontPage extensions may
>not work correctly.
>
>I suspect that there is a SElinux policy that is preventing the FP
>client program from creating and deleting the suidkey file it needs
>in order to startup and begin listening for FP Client requests. Please
>note that the process number is created and destroyed for the suidkey
>file and this is happening from within the httpd service file and has
>nothing to do with the FP client connection attempts. SELinux policy
>is preventing the service file from creating and destroying this file.
>
>So - in order to get back the successful FP client connections as
>before, performing these steps:
>
>1) setsebool -P httpd_disable_trans 1
>2) Restart httpd for this to take effect: service httpd restart
>
>The httpd/error_log error message does not appear and I can now
>connect to the FC4 with the FP client.
>
>Dan Thurman.
>
>--
Huh? Who resent this? This one was sent 11/7/2005...
I replied back to Daniel J Walsh with an attachment with
the output of /var/log/audit/audit_log file that showed
why *many* denials were occurring, with SElinux preventing
the FrontPage process from working within httpd.
In case Daniel did not get it, I am attaching the file again.
==============================================
Daniel J. Walsh:
================
>>What did you see for AVC messages in /var/log/messages or
>>/var/log/audit/audit.log?
>>
>
>Please see the attached file. It is the /var/log/audit/audit.log
>file and is 13k compressed. I tried best as I could to truncate to
>relevant logs pertaining to httpd/fp issues. Please let me know if
>you need anything else.
==============================================
Kind regards,
Dan
17 years, 9 months
Spamassassin Problem
by W. Scott Wilburn
Hi,
Since upgrading from spamassassin.i386 3.0.4-2.fc4 to
spamassassin.i386 3.0.4-1.fc4, I get avc denied messages:
Nov 20 04:05:44 scooby kernel: audit(1132484744.807:45387): avc: denied
{ search } for pid=25548 comm="spamd" name=".spamassassin" dev=md0
ino=2197675 scontext=root:system_r:spamd_t
tcontext=user_u:object_r:user_home_t tclass=dir
FC4, targeted policy enforcing mode
selinux-policy-targeted-sources.noarch 1.27.1-2.11
Since the problem occurred with a spamassassin update, not selinux, I
assume something in the behavior of spamassassin has changed.
Any help appreciated.
Scott Wilburn
--
17 years, 10 months
selinux and udev ?
by Tom London
There are reports in fedora-test about the 2.X policy slowing down
udev. (Appears that folks are comparing booting with selinux=1 with
selinux=0).
I have to admit that udev is running slower (targeted/enforcing).
Any validity to this? Known issue? How to track down?
tom
--
Tom London
17 years, 10 months
'install' command goes "oink!" after recent updates.
by Valdis.Kletnieks@vt.edu
coreutils-5.93-4
libsepol-1.9.41-1
libsemanage-1.3.59-1
libsetrans-0.1.8-1
Not sure if this is a coreutils bug or an selinux bug. Recently, I noticed
that a 'make install' that called /usr/bin/install ran *very* slowly:
% time cp hello.c /tmp/hello.c
real 0m0.040s
user 0m0.008s
sys 0m0.016s
% time /usr/bin/install -c -m 644 hello.c /tmp/hello.c
real 0m4.641s
user 0m1.608s
sys 0m0.388s
Literally 100 times slower. Gaak.
A bit of playing with strace showed why:
strace install -c -m 644 hello.c /tmp/hello.c
7,745 system calls. Of those, only 297 were *not* part of the 1,862 times
that 'install' did an open/write/read/close of /selinux/context - once for every
single file context type it found, whether or not it had anything to do with
the file that was actually being installed.
This is a show-stopper guys - when something like this bloats a 'make install'
from something that takes 2 minutes into something that you don't bother checking
until you get back from lunch, it *will* add dramatically to the "security takes
waaaay too much resources" bandwagon.
Almost-full strace follows.
execve("/usr/bin/install", ["install", "-c", "-m", "644", "hello.c", "/tmp/hello.c"], [/* 56 vars */]) = 0
brk(0) = 0x805a000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f16000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=72776, ...}) = 0
mmap2(NULL, 72776, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f04000
close(3) = 0
open("/usr/lib/libacl.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\23"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=24996, ...}) = 0
mmap2(NULL, 27832, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7efd000
mmap2(0xb7f03000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5) = 0xb7f03000
close(3) = 0
open("/lib/libselinux.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`2\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=83848, ...}) = 0
mmap2(NULL, 85008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ee8000
mmap2(0xb7efc000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb7efc000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0ZW\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1460028, ...}) = 0
mmap2(NULL, 1227740, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7dbc000
mmap2(0xb7ee2000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x125) = 0xb7ee2000
mmap2(0xb7ee6000, 7132, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ee6000
close(3) = 0
open("/usr/lib/libattr.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\v\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=32990, ...}) = 0
mmap2(NULL, 15376, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db8000
mmap2(0xb7dbb000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7dbb000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\f\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=13892, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7db7000
mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db3000
mmap2(0xb7db5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7db5000
close(3) = 0
open("/lib/libsepol.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200#\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=204168, ...}) = 0
mmap2(NULL, 249380, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d76000
mmap2(0xb7da8000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x31) = 0xb7da8000
mmap2(0xb7da9000, 40484, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7da9000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d75000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d756b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7db5000, 4096, PROT_READ) = 0
mprotect(0xb7ee2000, 8192, PROT_READ) = 0
mprotect(0xb7f30000, 4096, PROT_READ) = 0
munmap(0xb7f04000, 72776) = 0
access("/etc/selinux/", F_OK) = 0
brk(0) = 0x805a000
brk(0x807b000) = 0x807b000
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000
read(3, "# Stray comment\nSELINUX=permissi"..., 4096) = 71
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb7f15000, 4096) = 0
open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000
read(3, "rootfs / rootfs rw 0 0\n/dev/root"..., 1024) = 1024
close(3) = 0
munmap(0xb7f15000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=72776, ...}) = 0
mmap2(NULL, 72776, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f04000
close(3) = 0
open("/lib/libsetrans.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=6804, ...}) = 0
mmap2(NULL, 9680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d72000
mmap2(0xb7d74000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7d74000
close(3) = 0
munmap(0xb7f04000, 72776) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3
read(3, "1", 19) = 1
close(3) = 0
open("/etc/selinux/strict/setrans.conf", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=594, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000
read(3, "#\n# Multi-Category Security tran"..., 4096) = 594
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb7f15000, 4096) = 0
open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 305
open("/proc/self/attr/current", O_RDONLY|O_LARGEFILE) = 4
read(4, "valdis:staff_r:staff_t:s0-s0:c0."..., 4095) = 37
close(4) = 0
close(3) = 0
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=54054656, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7b72000
mmap2(NULL, 204800, PROT_READ, MAP_PRIVATE, 3, 0x121f) = 0xb7b40000
mmap2(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0x2b89) = 0xb7b3f000
close(3) = 0
geteuid32() = 967
umask(0) = 022
stat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0
stat64("hello.c", {st_mode=S_IFREG|0664, st_size=35, ...}) = 0
stat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0
unlink("/tmp/hello.c") = 0
open("hello.c", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0664, st_size=35, ...}) = 0
open("/tmp/hello.c", O_WRONLY|O_CREAT|O_LARGEFILE, 0100664) = 4
fstat64(4, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0664, st_size=35, ...}) = 0
read(3, "main() {printf(\"Hello world!\\n\")"..., 4096) = 35
write(4, "main() {printf(\"Hello world!\\n\")"..., 35) = 35
read(3, "", 4096) = 0
close(4) = 0
close(3) = 0
setxattr("/tmp/hello.c", "system.posix_acl_access", "\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x04\x00\x00\x00\xff\xff\xff\xff \x00\x00\x00\xff\xff\xff\xff", 28, 0) = -1 EOPNOTSUPP (Operation not supported)
chmod("/tmp/hello.c", 0600) = 0
chown32("/tmp/hello.c", -1, -1) = 0
chmod("/tmp/hello.c", 0644) = 0
lstat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3
read(3, "1", 19) = 1
close(3) = 0
open("/etc/selinux/strict/contexts/files/file_contexts", O_RDONLY|O_LARGEFILE) = 3
open("/etc/selinux/strict/contexts/files/file_contexts.homedirs", O_RDONLY|O_LARGEFILE) = 4
open("/etc/selinux/strict/contexts/files/file_contexts.local", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
fstat64(3, {st_mode=S_IFREG|0644, st_size=114044, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7b3e000
read(3, "# Distro-specific customizations"..., 4096) = 4096
read(3, "b[^/]*\\.so(\\.[^/]*)* --\tsystem_u"..., 4096) = 4096
read(3, "ovable device...\n/dev/pd[a-d][^/"..., 4096) = 4096
read(3, "r:bin_t:s0\n/opt(/.*)?/sbin(/.*)?"..., 4096) = 4096
read(3, "*)?\tsystem_u:object_r:man_t:s0\n/"..., 4096) = 4096
read(3, "/usr/sbin/accton\t--\tsystem_u:obj"..., 4096) = 4096
read(3, "-\tsystem_u:object_r:amanda_user_"..., 4096) = 4096
read(3, "\n/var/run/\\.?acpid\\.socket\t-s\tsy"..., 4096) = 4096
read(3, "ject_r:comsat_exec_t:s0\n# consol"..., 4096) = 4096
read(3, "r:bin_t:s0\n/usr/lib(64)?/cups/cg"..., 4096) = 4096
read(3, "larm-notify.*\t--\tsystem_u:object"..., 4096) = 4096
read(3, "object_r:xferlog_t:s0\n/var/log/x"..., 4096) = 4096
read(3, "usr/lib/gnupg/.*\t--\tsystem_u:obj"..., 4096) = 4096
read(3, "_t:s0\n/etc/init\\.d/.*\t\t--\tsystem"..., 4096) = 4096
read(3, "tem_u:object_r:innd_exec_t:s0\n# "..., 4096) = 4096
read(3, "--\tsystem_u:object_r:load_policy"..., 4096) = 4096
read(3, "ct_r:lvm_exec_t:s0\n/sbin/vgscan\t"..., 4096) = 4096
read(3, "luggerrc system_u:object_r:mozil"..., 4096) = 4096
read(3, "\t\tsystem_u:object_r:ntpd_log_t:s"..., 4096) = 4096
read(3, "\n/usr/sbin/postqueue\t--\tsystem_u"..., 4096) = 4096
read(3, "voxy(/.*)?\t\tsystem_u:object_r:pr"..., 4096) = 4096
read(3, "_u:object_r:samba_log_t:s0\n/var/"..., 4096) = 4096
read(3, "var_run_t:s0\n/var/run/snmpd\t\t-d\t"..., 4096) = 4096
read(3, "ct_r:traceroute_exec_t:s0\n/usr/b"..., 4096) = 4096
read(3, ":s0\n#/usr/local/vmware/[^/]*/.*\\"..., 4096) = 4096
read(3, "on\n/usr/sbin/zebra\t\t--\tsystem_u:"..., 4096) = 4096
read(3, "tem_u:object_r:bin_t:s0\n/emul/ia"..., 4096) = 4096
read(3, "r:texrel_shlib_t:s0\n/usr/lib/lad"..., 4096) = 3452
read(3, "", 4096) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=9381, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7b3d000
read(4, "\n#\n#\n# User-specific file contex"..., 4096) = 4096
read(4, "onts.cache-.*\t--\troot:object_r:s"..., 4096) = 4096
read(4, "me_t:s0\n/home/valdis/\\.screenrc\t"..., 4096) = 1189
read(4, "", 4096) = 0
_llseek(3, 0, [0], SEEK_SET) = 0
_llseek(4, 0, [0], SEEK_SET) = 0
read(3, "# Distro-specific customizations"..., 4096) = 4096
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "system_u:object_r:default_t:s0\0", 31) = 31
read(5, "system_u:object_r:default_t:s0\0", 4095) = 31
close(5) = 0
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "system_u:object_r:root_t:s0\0", 28) = 28
read(5, "system_u:object_r:root_t:s0\0", 4095) = 28
close(5) = 0
(1,858 iterations of open/write/read/close deleted)
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "valdis:object_r:staff_orbit_tmp_"..., 37) = 37
read(5, "valdis:object_r:staff_orbit_tmp_"..., 4095) = 37
close(5) = 0
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "valdis:object_r:staff_orbit_tmp_"..., 37) = 37
read(5, "valdis:object_r:staff_orbit_tmp_"..., 4095) = 37
close(5) = 0
close(3) = 0
munmap(0xb7b3e000, 4096) = 0
close(4) = 0
munmap(0xb7b3d000, 4096) = 0
brk(0x863e000) = 0x863e000
close(1) = 0
munmap(0xb7d72000, 9680) = 0
exit_group(0) = ?
Process 17917 detached
17 years, 10 months
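The diagnosis in the post above is a counting exercise over strace output: how many syscalls in total, and how many of them are the open/write/read/close cycles on /selinux/context. The following is an added example, not code from the post or from coreutils: it parses strace lines and, by remembering the descriptor each successful `open()` returned, charges the later `read`/`write`/`close` calls on that descriptor to the opened path, so a path's share of the trace can be reported rather than just its open count. SAMPLE_STRACE is a constructed excerpt in the shape of the trace above (same call pattern, far fewer lines); `FD_CALLS` is this example's own list of descriptor-based calls to attribute.

```python
"""Summarise an strace log and charge fd-based calls to the file they touch
(added example; SAMPLE_STRACE is a constructed excerpt, not the full trace)."""
import re
from collections import Counter

SAMPLE_STRACE = r'''open("/etc/selinux/strict/contexts/files/file_contexts", O_RDONLY|O_LARGEFILE) = 3
read(3, "# Distro-specific customizations"..., 4096) = 4096
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "system_u:object_r:default_t:s0\0", 31) = 31
read(5, "system_u:object_r:default_t:s0\0", 4095) = 31
close(5) = 0
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "system_u:object_r:root_t:s0\0", 28) = 28
read(5, "system_u:object_r:root_t:s0\0", 4095) = 28
close(5) = 0
open("/etc/selinux/strict/contexts/files/file_contexts.local", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/tmp/hello.c", O_WRONLY|O_CREAT|O_LARGEFILE, 0100664) = 4
write(4, "main() {printf(\"Hello world!\\n\")"..., 35) = 35
close(4) = 0
exit_group(0) = ?
Process 17917 detached
'''

# one strace line: optional "[pid N]" prefix, name(args) = retval
LINE_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>.*)$")
# descriptor-based calls whose first argument is an fd (this example's list)
FD_CALLS = {"read", "write", "close", "fstat64", "fstat", "_llseek", "lseek", "pread64"}


def parse_strace(text):
    """Return a list of (syscall, args, retval); non-syscall lines such as
    'Process N detached' are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append((m.group("name"), m.group("args"), m.group("ret")))
    return calls


def calls_by_name(calls):
    """Syscall name -> count."""
    return Counter(name for name, _, _ in calls)


def calls_by_path(calls):
    """Charge each open() and every later fd-based call on the fd it returned
    to the opened path, until that fd is closed.  A failed open (non-numeric
    return) is counted against the path but maps no fd."""
    fd_path = {}
    per_path = Counter()
    for name, args, ret in calls:
        if name in ("open", "openat"):
            m = re.search(r'"([^"]*)"', args)
            path = m.group(1) if m else "?"
            per_path[path] += 1
            if ret.isdigit():
                fd_path[int(ret)] = path
        elif name in FD_CALLS:
            fd = args.split(",", 1)[0].strip()
            if fd.isdigit() and int(fd) in fd_path:
                per_path[fd_path[int(fd)]] += 1
                if name == "close":
                    del fd_path[int(fd)]
    return per_path


def hottest_path(calls):
    """(path, calls charged to it, share of all syscalls) for the busiest path."""
    path, count = calls_by_path(calls).most_common(1)[0]
    return path, count, count / len(calls)


if __name__ == "__main__":
    calls = parse_strace(SAMPLE_STRACE)
    print(f"{len(calls)} syscalls")
    for name, n in calls_by_name(calls).most_common():
        print(f"  {name:12} {n}")
    path, count, share = hottest_path(calls)
    print(f"hottest path: {path} ({count} calls, {share:.0%} of total)")
```

To run it against a real trace, capture with `strace -o trace.log install ...` and pass the file contents to `parse_strace`; on the trace above the busiest path would be /selinux/context by a wide margin, which is the post's point.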
help with the SELinux FAQ
by Karsten Wade
If you would like to help write or update the Fedora SELinux FAQ[1],
please follow up to this thread on fedora-docs-list(a)redhat.com (reply-to
set).
I've been unable to maintain the FAQ in a proper state for a while now,
and we need the content to be significantly updated for FC5.
Changes made now can be included in the FC5 testing process.
To fill this role, you need to know what is going on in the Fedora
SELinux project. We can take care of the rest with you, from access to
the content and tools to make the changes.
Thanks - Karsten, lazy FAQ maintainer
[1] http://fedora.redhat.com/docs/selinux-faq/
--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Content Services Fedora Documentation Project
http://www.redhat.com/docs http://fedoraproject.org/wiki/DocsProject
17 years, 10 months
printer creation in RPM scriptlet
by Matthew Saltzman
I tried installing
http://remi.collet.free.fr/rpms/fc4.i386/cups-pdf-2.0.0-0.1.fc4.remi.i386....
The RPM has the following post-install scriptlet:
if [ "$1" -eq "1" ]; then
    /etc/init.d/cups restart
    ( /usr/sbin/lpadmin -p Cups-PDF -v cups-pdf:/ -m PostscriptColor.ppd -E &&
      echo Cups-PDF printer created
    ) || true
fi
With selinux-policy-targeted-1.27.1-2.11 in enforcing mode, the lpadmin
command fails with error:
lpadmin: add-printer (set device) failed: client-error-not-possible
In permissive mode, the install proceeds without problem.
The relevant audit.log entries are:
type=AVC msg=audit(1133045911.757:788): avc: denied { ioctl } for
pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936
scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t
tclass=fifo_file
type=SYSCALL msg=audit(1133045911.757:788): arch=40000003 syscall=54
success=no exit=-13 a0=0 a1=5401 a2=bfd10098 a3=bfd100d8 items=0 pid=20774
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="printconf-backe" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1133045911.757:788): path="pipe:[7217936]"
type=AVC msg=audit(1133045911.757:789): avc: denied { getattr } for
pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936
scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t
tclass=fifo_file
type=SYSCALL msg=audit(1133045911.757:789): arch=40000003 syscall=197
success=no exit=-13 a0=0 a1=bfd0fffc a2=960ff4 a3=b7ec4020 items=0
pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="printconf-backe" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1133045911.757:789): path="pipe:[7217936]"
type=AVC msg=audit(1133045911.781:790): avc: denied { ioctl } for
pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936
scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t
tclass=fifo_file
type=SYSCALL msg=audit(1133045911.781:790): arch=40000003 syscall=54
success=no exit=-13 a0=0 a1=5401 a2=bfd0ffb8 a3=bfd0fff8 items=0 pid=20774
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="printconf-backe" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1133045911.781:790): path="pipe:[7217936]"
type=AVC msg=audit(1133045912.273:791): avc: denied { getattr } for
pid=20787 comm="cups-pdf" name="SPOOL" dev=dm-0 ino=737988
scontext=root:system_r:cupsd_t tcontext=system_u:object_r:var_spool_t
tclass=dir
type=SYSCALL msg=audit(1133045912.273:791): arch=40000003 syscall=195
success=no exit=-13 a0=8057f20 a1=bf9c9a6c a2=960ff4 a3=bf9c9a6c items=1
pid=20787 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7
fsgid=7 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1133045912.273:791):
path="/var/spool/cups-pdf/SPOOL"
type=CWD msg=audit(1133045912.273:791): cwd="/"
type=PATH msg=audit(1133045912.273:791): item=0
name="/var/spool/cups-pdf/SPOOL" flags=1 inode=737988 dev=fd:00
mode=040755 ouid=0 ogid=0 rdev=00:00
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
17 years, 10 months
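Three of the threads above (httpd on port 8090, spamd and .spamassassin, the cups-pdf scriptlet) turn on reading AVC denial records: which source type was denied which permissions on which target type and class. The following is an added example, not code from any of the posts or from the SELinux tools: it parses the denial lines quoted in those posts (each record joined back onto one line; the SYSCALL and AVC_PATH records are included to show they are skipped), groups them by (source type, target type, class) and renders each group in allow-rule form, which is what audit2allow does, and decodes the `saddr=` field of the httpd SOCKADDR record to confirm that the denied bind was for port 8090. The rule text is a starting point for analysis, not something to load as-is: for the httpd case the thread's own fix, labelling the port `http_port_t` with a `portcon` line, is narrower than allowing `httpd_t` to bind generic `port_t`.

```python
"""Triage SELinux AVC denials from audit.log / syslog lines and decode a
SOCKADDR saddr= field (added example; sample records are the ones quoted
in the posts above)."""
import re
import socket
import struct
from collections import defaultdict

SAMPLE_LINES = [
    'type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket',
    'type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"',
    'Nov 20 04:05:44 scooby kernel: audit(1132484744.807:45387): avc: denied { search } for pid=25548 comm="spamd" name=".spamassassin" dev=md0 ino=2197675 scontext=root:system_r:spamd_t tcontext=user_u:object_r:user_home_t tclass=dir',
    'type=AVC msg=audit(1133045911.757:788): avc: denied { ioctl } for pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t tclass=fifo_file',
    'type=AVC_PATH msg=audit(1133045911.757:788): path="pipe:[7217936]"',
    'type=AVC msg=audit(1133045911.757:789): avc: denied { getattr } for pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t tclass=fifo_file',
    'type=AVC msg=audit(1133045912.273:791): avc: denied { getattr } for pid=20787 comm="cups-pdf" name="SPOOL" dev=dm-0 ino=737988 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:var_spool_t tclass=dir',
]

# saddr= from the SOCKADDR record of the httpd denial (same audit serial 251);
# its 28 bytes match a2=1c in the SOCKETCALL record, sizeof(struct sockaddr_in6)
HTTPD_SADDR = "0A001F9A000000000000000000000000000000000000000000000000"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # a context is user:role:type[:range]; TE rules are written on the type
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def group_denials(lines):
    """(source type, target type, object class) -> set of denied permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(groups)


def allow_rules(groups):
    """Render each group as a TE allow rule (audit2allow style): the minimum
    the denials ask for, to be reviewed before anything is granted."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(groups.items())
    ]


def decode_saddr(hexstr):
    """Decode a SOCKADDR saddr= field (raw struct sockaddr as hex).
    sa_family is in the audited machine's host byte order (little-endian
    here: arch=40000003 is i386); the port is in network byte order.
    Linux AF_INET=2 / AF_INET6=10 are compared as literals so this also
    works on a non-Linux analysis host."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == 2 and len(raw) >= 8:
        port = struct.unpack("!H", raw[2:4])[0]
        return "AF_INET", port, socket.inet_ntop(socket.AF_INET, raw[4:8])
    if family == 10 and len(raw) >= 24:
        port = struct.unpack("!H", raw[2:4])[0]
        return "AF_INET6", port, socket.inet_ntop(socket.AF_INET6, raw[8:24])
    return f"family {family}", None, None


if __name__ == "__main__":
    for rule in allow_rules(group_denials(SAMPLE_LINES)):
        print(rule)
    print("httpd bind target:", decode_saddr(HTTPD_SADDR))
```

The decoded address (`AF_INET6`, port 8090, `::`) is the wildcard listen that the `src=8090` field in the AVC record already hints at; the grouped rules show the cups-pdf post is really two separate problems, a pipe inherited from `unconfined_t` by `cupsd_config_t` and a spool directory `cupsd_t` cannot stat, which is why they need separate treatment.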
SELINUX problem and SPAMASSASSIN
by SternData
I just built a new FC4 machine and am migrating my mail server to it. I
got an error each time I started spamassassin until I put selinux into
permissive mode.
How can I configure selinux to allow this?
Nov 8 17:23:19 mooch spamd[4899]: Error creating a DNS resolver socket:
Permission denied at
/usr/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin/DnsResolver.pm line
202, <GEN36> line 44.
--
Steve
17 years, 10 months
Re: newest(-3.19) selinux?
by SternData
Ian Malone wrote:
> I see there's an updated selinux-policy-targeted.
> I'm currently 1.17.30-3.16, newest is 1.17.30-3.19
> Has anyone had any trouble with this? (i.e. can
> I install now or should I wait till the weekend?)
>
Problems.
After installation, I get this when running yum, between the download
and the installation:
Transaction Test Succeeded
Running Transaction
/etc/selinux/targeted/contexts/files/file_contexts: line 825 has
invalid context system_u:object_r:lvm_exec_t
/etc/selinux/targeted/contexts/files/file_contexts: line 1572 has
invalid context system_u:object_r:slapd_lock_t
/etc/selinux/targeted/contexts/files/file_contexts: line 1579 has
invalid context system_u:object_r:slapd_cert_t
--
Steve
17 years, 10 months