SpamAssassin Problem
by W. Scott Wilburn
Hi,
I'm resending this as it seems to have been lost.
Scott Wilburn
--
18 years
findutils-selinux.patch critique (was Re: [patch] Recent findutils test suite failures)
by Tim Waugh
Forwarding this to a wider SELinux-knowledgeable audience. James had
asked me what patches we apply to findutils, so I mentioned SELinux
and pointed him to the patch for an initial review.
Tim.
----- Forwarded message from James Youngman <jay(a)gnu.org> -----
Date: Fri, 25 Nov 2005 08:42:56 +0000
From: James Youngman <jay(a)gnu.org>
To: Tim Waugh <twaugh(a)redhat.com>
Cc: bug-findutils(a)gnu.org
Subject: Re: [patch] Recent findutils test suite failures
On Thu, Nov 24, 2005 at 11:12:19PM +0000, Tim Waugh wrote:
> 2. add support for SELinux.
>
> At the moment, it isn't autoconf-ed up, but it would be great if you
> wanted to take a look. SELinux is on by default in Fedora Core.
>
> http://cvs.fedora.redhat.com/viewcvs/devel/findutils/findutils-selinux.pa...
I'd certainly consider it. However, I have some comments/questions.
1. I notice that SELinux-enablement creates two new tests, "-context"
and "--context". I would eliminate "--context", leaving only
"-context". Find predicates aren't GNU-style long options. Find
is confusing enough with options as well as predicates, and so I
definitely don't want to further blur that line.
2. I see that if you use "find -context" on an SELinux-enabled version
of find on a system where SELinux is not enabled, find will
immediately perform a fatal exit with an explanatory message. I
won't say that that is definitely the wrong behaviour, but why did
you choose not to have -context simply always return false (and
perhaps issue one warning message)?
3. Security contexts are long multi-part strings. Matching with glob
patterns is a reasonable approach. Nevertheless, does the use of
glob patterns to match them reflect practice on other systems?
4. I notice that your patch slips in a definition for FNM_CASEFOLD.
That looks wrong to me. gl_FUNC_FNMATCH_GNU should call
AC_GNU_SOURCE to ensure that <fnmatch.h> #defines FNM_CASEFOLD for
you. This should be called by gl_INIT. Is this (a) not working
correctly on some of your build systems, (b) not working on any of
your build systems, implying a findutils bug, or (c) there for
'historical reasons'?
5. Findutils should probably default to compiling with SELinux support
on systems where <selinux/selinux.h> exists or --with-selinux is
specified to configure, and compile without such support
otherwise.
6. Is there a reason you turn off Automake gnits rules checking in the
SELinux patch?
7. The configure magic for selinux can be fully generic and
self-contained I think: we could just have an selinux.m4 file.
That would also make it much easier to reuse it.
8. Are the DejaGnu test cases for the SELinux patch in another patch
file somewhere else? Perhaps it's in the same patch file as the
update to the Texinfo documentation. :)
Regards,
James.
----- End forwarded message -----
18 years
su after disk reorganization.
by Matthew Saltzman
I rebuilt my system disk to change the partitioning arrangement. This
involved copying everything off, repartitioning, copying everything
back, and creating a new initrd.
Almost everything seems to work now except that when I su, after the
password prompt, I get the following prompt:
$ su
Password:
Your default context is root:system_r:kernel_t.
Do you want to choose a different one? [n]
That didn't happen before. I tried autorelabel, but it had no effect.
What did the copy fail to preserve, and how can I fix it?
Thanks.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
18 years
Auditing file access below a directory
by Mont Rothstein
I am trying to determine if it is possible to audit all file access under a
directory for all users.
I've been looking at auditd/auditctl and it seems like only individual files
or directories can be watched, but not directory trees.
My current work around is to audit the gid of the default group for all of
the users I care about (accessing the server as a file server via samba).
This is obviously not ideal.
Does anyone know if there is a way to do this?
Thanks,
-Mont
P.S. This seemed to be the appropriate list for this. If it isn't I
apologize.
18 years
How do I make a text file writable?
by pine oil
The file listed below is a simple text file containing an integer number
to denote the number of visits to a web page.
A php script (counter.php) is supposed to increase the number by 1 every
time the page is accessed. It appears that everything happens as it is
supposed to, except for the incremental number of the visits. I think the
counter.txt file is not writable.
How do I make it writable? Do I need to change httpd_sys_content_t to
something else?
-----------------------------------------------------------------------------------------------
-rw-rw-r-- web web system_u:object_r:httpd_sys_content_t counter.txt
18 years
Another boring question .1.19 targeted
by Richard Irving
Hello, This is concerning FC3....
I recently updated a laptop, it had FC3 installed,
and targeted...
It recently updated the selinux libraries to 1.19.xxx,
and the *strict* policy sources... for targeted
it stopped at a 1.17.xxx version.
The problem appears to be when all the selinux libs
are synced to 1.19, the 1.17 *targeted* src/policy doesn't compile.
(at least on my system)
Does anyone have a pointer to 1.19 targeted policy,
*and* source ?
FWIW, I have trashed the targeted tree, and started from scratch..
and it didn't help.
TIA!
18 years
RE: [patch] CUPS 1.2 SELinux policy changes...
by chanson@TrustedCS.com
I am positive there are customer requirements for this. The example could be
multiple classified networks, instead of unclass/class as well. This can
provide printer reduction in these cases with a multilevel print server.
> -----Original Message-----
> From: Matt Anderson [mailto:mra@hp.com]
> Michael Sweet wrote:
> > Our government customers do not support both secure and non-secure
> > resources from a single server - it violates the policies they have in
> > place. Assuming that, at some point, they trust selinux enough to
> > change those policies and run classified and unclassified processing
> > on the same system image, you will need to make extensive changes at
> > both the client and server levels in order to securely pass and
> > authenticate the document classification data.
> >
18 years
SELinux AVCs with swap stored in LVM volume
by Felipe Alfaro Solana
Hello,
I'm running Fedora Core Rawhide and I'm seeing lots of SELinux AVCs
during boot, related to my swap stored in a LVM volume:
audit(1130670344.636:4): avc: denied { read } for pid=919
comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670345.668:5): avc: denied { use } for pid=932
comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:fsadm_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=fd
audit(1130670345.952:6): avc: denied { read } for pid=940
comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
audit(1130670346.092:7): avc: denied { read } for pid=941
comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653
scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Attached to this message you will find "dmesg" which stores the dmesg
kernel ring which results after booting into runlevel 5.
Any ideas?
Thanks!
18 years
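A small parser for the AVC messages quoted in the post above, written as an added example (it is not part of Felipe's message or of any SELinux tool): it pulls the source type, target type, object class and permission out of each denial, tallies them, and renders the candidate allow rules that audit2allow would derive from the same input. The four messages are embedded as constructed sample input, re-joined onto single lines as the kernel prints them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the four denials from the post, one per line.
AVC_LINES = [
    'audit(1130670344.636:4): avc: denied { read } for pid=919 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    'audit(1130670345.668:5): avc: denied { use } for pid=932 comm="fsck" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd',
    'audit(1130670345.952:6): avc: denied { read } for pid=940 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    'audit(1130670346.092:7): avc: denied { read } for pid=941 comm="restorecon" name="VolGroup00-Swap" dev=tmpfs ino=653 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
]

# Header: audit(<seconds>.<millis>:<serial>): avc: denied { perm ... } for <key=value ...>
# \s+ tolerates the double spaces the kernel actually emits around "denied".
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC message."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:range]; the type is what policy rules are keyed on.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":", 3)
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def summarize(lines):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for rec in map(parse_avc, lines):
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)] += 1
    return counts


def to_allow_rules(counts):
    """Render the tallied denials as TE allow rules, merging permissions per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for (stype, ttype, tclass, perm) in counts:
        perms_by_key[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in perms_by_key.items():
        body = next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, body))
    return sorted(rules)
```

Tallying first, then rendering, is the same two-step view audit2allow gives: three identical restorecon_t denials collapse into a single candidate rule rather than three.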
[patch] CUPS 1.2 SELinux policy changes...
by Michael Sweet
[Posting here for lack of a better place...]
Attached is a patch against the current selinux.sourceforge.net repo,
along with an archive of additional files that contain the policies
for non-CUPS software.
The patch fixes incompatibilities with the current CUPS 1.2 software
and removes the non-CUPS software rules from the CUPS policy files.
The CUPS 1.2 changes involve adding domain socket support and adding
the new files and directories introduced in 1.2...
I removed the non-CUPS rules because the mix of software makes
debugging and validating the CUPS policies that much harder, and it
makes sense to maintain the policies for separate projects
separately...
Anyways, comments welcome!
--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
Internet Printing and Publishing Software http://www.easysw.com
18 years