December 2005 - selinux - Fedora Mailing-Lists

by Steve G

Hi...from my logs: type=PATH msg=audit(12/23/2005 10:36:04.030:20507) : item=0 name=(null) inode=14909846 dev=03:07 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 type=SOCKADDR msg=audit(12/23/2005 10:36:04.030:20507) : saddr=local /var/run/acpid.socket type=SYSCALL msg=audit(12/23/2005 10:36:04.030:20507) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=4 a1=7fffffbf25c0 a2=6e a3=7fffffbf2428 items=1 pid=2242 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=hald-addon-acpi exe=/usr/libexec/hald-addon-acpi subj=system_u:system_r:hald_t:s0 type=AVC msg=audit(12/23/2005 10:36:04.030:20507) : avc: denied { write } for pid=2242 comm=hald-addon-acpi name=acpid.socket dev=hda7 ino=14909846 scontext=system_u:system_r:hald_t:s0 context=system_u:object_r:var_run_t:s0 tclass=sock_file This just scrolls for hours and hours... -Steve __________________________________________ Yahoo! DSL Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com

18 years, 4 months

3
4
0 / 0

sendmail+greylist-milter problem

by Alexey Tarasov

Greetings, Sorry, if same matters was discussed previously - I've not found any trails. If there is any FAQ with solution of my problem, please give me a link. Thanks for help. best regards, Alexey Tarasov --------------- Problem 1. Installed: sendmail-8.3.14, milter-greylist-2.0.2, selinux-policy-targeted-1.27.2-19 starting sendmail from init results in: maillog --- sendmail[1997]: NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 1674: Xgreylist: local socket name /var/milter-greylist/milter-greylist.sock unsafe: Permission denied --- audit.log: --- type=AVC msg=audit(1135060778.168:5): avc: denied { getattr } for pid=1994 comm="newaliases" name="milter-greylist.sock" dev=dm-0 ino=7831655 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file type=SYSCALL msg=audit(1135060778.168:5): arch=40000003 syscall=196 success=no exit=-13 a0=bfd5995c a1=bfd598ac a2=b7c60ff4 a3=bfd598ac items=1 pid=1994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 comm="newaliases" exe="/usr/sbin/sendmail.sendmail" type=AVC_PATH msg=audit(1135060778.168:5): path="/var/milter-greylist/milter-greylist.sock" type=PATH msg=audit(1135060778.168:5): item=0 name="/var/milter-greylist/milter-greylist.sock" flags=0 inode=7831655 dev=fd:00 mode=0140755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1135060778.260:6): avc: denied { getattr } for pid=1997 comm="sendmail" name="milter-greylist.sock" dev=dm-0 ino=7831655 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file type=SYSCALL msg=audit(1135060778.260:6): arch=40000003 syscall=196 success=no exit=-13 a0=bf89508c a1=bf894fdc a2=b7c9dff4 a3=bf894fdc items=1 pid=1997 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" type=AVC_PATH msg=audit(1135060778.260:6): path="/var/milter-greylist/milter-greylist.sock" type=PATH msg=audit(1135060778.260:6): item=0 name="/var/milter-greylist/milter-greylist.sock" flags=0 inode=7831655 dev=fd:00 mode=0140755 ouid=0 ogid=0 rdev=00:00 --- And this output is generated on system shutdown: --- type=AVC msg=audit(1135059155.814:79): avc: denied { getattr } for pid=3857 comm="K30sendmail" name="sendmail.pid" dev=dm-0 ino=7602305 scontext=system_u:system_r:sendmail_launch_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1135059155.814:79): arch=40000003 syscall=195 success=no exit=-13 a0=8113cf8 a1=bfe421c8 a2=aedff4 a3=8113828 items=1 pid=3857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="K30sendmail" exe="/bin/bash" type=AVC_PATH msg=audit(1135059155.814:79): path="/var/run/sendmail.pid" type=PATH msg=audit(1135059155.814:79): item=0 name="/var/run/sendmail.pid" flags=1 inode=7602305 dev=fd:00 mode=0100600 ouid=0 ogid=51 rdev=00:00 type=AVC msg=audit(1135059155.822:80): avc: denied { unlink } for pid=3864 comm="rm" name="sendmail.pid" dev=dm-0 ino=7602305 scontext=system_u:system_r:sendmail_launch_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1135059155.822:80): arch=40000003 syscall=10 success=no exit=-13 a0=bfdabf03 a1=1 a2=8050204 a3=bfdab9e0 items=1 pid=3864 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rm" exe="/bin/rm" type=PATH msg=audit(1135059155.822:80): item=0 name="/var/run/sendmail.pid" flags=10 inode=7602212 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1135059155.826:81): avc: denied { unlink } for pid=3865 comm="rm" name="sendmail" dev=dm-0 ino=7602307 scontext=system_u:system_r:sendmail_launch_t:s0 tcontext=root:object_r:var_lock_t:s0 tclass=file type=SYSCALL msg=audit(1135059155.826:81): arch=40000003 syscall=10 success=no exit=-13 a0=bff31eff a1=1 a2=8050204 a3=bff30f40 items=1 pid=3865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rm" exe="/bin/rm" type=PATH msg=audit(1135059155.826:81): item=0 name="/var/lock/subsys/sendmail" flags=10 inode=7602207 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1135059155.826:82): avc: denied { getattr } for pid=3857 comm="K30sendmail" name="sm-client.pid" dev=dm-0 ino=7602308 scontext=system_u:system_r:sendmail_launch_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1135059155.826:82): arch=40000003 syscall=195 success=no exit=-13 a0=8113cf8 a1=bfe448b8 a2=aedff4 a3=8110710 items=1 pid=3857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="K30sendmail" exe="/bin/bash" type=AVC_PATH msg=audit(1135059155.826:82): path="/var/run/sm-client.pid" type=PATH msg=audit(1135059155.826:82): item=0 name="/var/run/sm-client.pid" flags=1 inode=7602308 dev=fd:00 mode=0100644 ouid=51 ogid=51 rdev=00:00 --- #ls -lZ -rw------- root smmsp root:object_r:var_run_t sendmail.pid -rw-r--r-- smmsp smmsp root:object_r:var_run_t sm-client.pid -rw-r--r-- root root root:object_r:var_lock_t sendmail Problem 2. ping is called by bash script, executed by cron with root rights (comand line: ping -c 1 -w 5 > /dev/null ) --- type=AVC msg=audit(1133295301.930:2739): avc: denied { write } for pid=30341 comm="ping" name="[56893]" dev=pipefs ino=56893 scontext=root:system_r:ping_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=fifo_file type=AVC msg=audit(1133295301.930:2739): avc: denied { read } for pid=30341 comm="ping" name="[56892]" dev=pipefs ino=56892 scontext=root:system_r:ping_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=fifo_file --- Is any way to avoid such messages?

18 years, 4 months

4
12
0 / 0

samba share avcs

by Steve G

Hi, This is a long standing problem that causes me to do "setenforce 0". I wished there was a boolean to just turn of checking of samba or a streamlined way for samba to relabel things on startup. In any event, I have a share, /src, which I want to access across the network. It fails. This is what I see in the logs: type=PATH msg=audit(12/23/2005 10:37:26.180:20524) : item=0 name=gtk+-2.8.9/gdk-pixbuf/pixops/pixops.c inode=1934832 dev=03:07 mode=dir,755 ouid=sgrubb ogid=sgrubb rdev=00:00 obj=user_u:object_r:user_home_t:s0 type=CWD msg=audit(12/23/2005 10:37:26.180:20524) : cwd=/src type=SYSCALL msg=audit(12/23/2005 10:37:26.180:20524) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=7fffffe1c720 a1=7fffffe1b120 a2=7fffffe1b120 a3=7fffffe1aaec items=1 pid=23380 auid=root uid=nobody gid=root euid=nobody suid=root fsuid=nobody egid=nobody sgid=nobody fsgid=nobody comm=smbd exe=/usr/sbin/smbd subj=root:system_r:smbd_t:s0 type=AVC msg=audit(12/23/2005 10:37:26.180:20524) : avc: denied { search } for pid=23380 comm=smbd name=gtk+-2.8.9 dev=hda7 ino=1934832 scontext=root:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir What is the correct solution for this? -Steve __________________________________ Yahoo! for Good - Make a difference this year. http://brand.yahoo.com/cybergivingweek2005/

18 years, 4 months

2
1
0 / 0

how does selinux get initialized durring bootup?

by dragoran

as you can see here: http://bugzilla.initng.thinktux.net/show_bug.cgi?id=365 there is a bug in initng that after booting selinux is not working. what needs to be done in the boot process to get selinux working ? have searched in the initscripts and have'nt found anything that helps.

18 years, 4 months

1
0
0 / 0

Fwd: FW: Neophyte question re: httpd under SELinux

by Al Pacifico

> -----Original Message----- > From: Daniel J Walsh [mailto:dwalsh@redhat.com] > Sent: Thursday, December 22, 2005 12:33 PM > To: Al Pacifico > Cc: fedora-selinux-list(a)redhat.com > Subject: Re: Neophyte question re: httpd under > SELinux > > Al Pacifico wrote: > > Marcus- > > > > Thanks for your response. > > > > This helped some, I think, but I still have my > issues. > > > > The URL > > > http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizin > > g.html#sn-httpd-booleans didn't contribute much. > > > > Output of ls -Z showed directories of my .../test > directory as > > user_u:object_r:user_home_t. > > > > Changing context with chcon -Rv -t > httpd_sys_script_t ./test (as root) did > > not work... lot of permission denied messages. My > machine has a multidisk > > setup and /home is its own partition or disk; not > sure if that matters. > > > > Output of getsebool -a | grep httpd is: > > > > allow_httpd_anon_write --> inactive > > allow_httpd_sys_script_anon_write --> inactive > > httpd_builtin_scripting --> active > > httpd_can_network_connect --> inactive > > httpd_disable_trans --> active > > httpd_enable_cgi --> active > > httpd_enable_ftp_server --> inactive > > httpd_enable_homedirs --> active > > httpd_ssi_exec --> active > > httpd_suexec_disable_trans --> inactive > > httpd_tty_comm --> inactive > > httpd_unified --> active > > > > I totally agree with the comment about placing > files in the correct > places, > > on a production machine. However, numerous apache > modules come with > testing > > suites that use the system httpd executable > (appropriately) in other > > locations. > > > > I'm starting to believe that I should either use > setenforce 0 when > > developing. If I do that, and forget to turn it > back on, will there be > some > > ugly ramifications later? I have to halt httpd > from the console using > ctrl-C > > because of the -X option, so I can't just stick > setenforce 1 in my script. > > (Hmm.... how do I trap ctrl-C in a bash script?) I > could switch to testing > > with lighttpd for CGI and SCGI, but I do need to > test some apache modules > > for which that is not an option. > > > > Two things I still don't unmderstand: > > Why doesn't the "Disable SELinux protection for > httpd daemon" checkbox > just > > take care of the problem? > > My /var/log/messages didn't help me... doesn't > show all those permission > > denied messages when I tried to recusively change > the context in my > .../test > > directory. Should I be looking elsewhere? Do I > need to tell SELinux > > something? > > > > I'm sorry if my questions are pretty basic; I > definitely fall in the > > category of 80% just want to get the job done and > 20% want to know more. > > > > Thanks. > > -al > > > > -----Original Message----- > > From: fedora-selinux-list-bounces(a)redhat.com > > [mailto:fedora-selinux-list-bounces@redhat.com] On > Behalf Of Marcus O. > White > > Sent: Wednesday, December 21, 2005 2:20 AM > > To: fedora-selinux-list(a)redhat.com > > Subject: Re: Neophyte question re: httpd under > SELinux > > > > On Tue, 2005-12-20 at 22:26 -0800, Al Pacifico > wrote: > > > >> I'm working on a CGI program in C, but recently > SELinux seems to have > >> tripped me up. > >> > >> I started with Tom Boutell's cgic and an example > CGI program (provided in > >> his source tree) that generates a JPEG on the > fly. It ran fine months > back > >> with the following script: > >> > >> dir=$(dirname $0) > >> /usr/sbin/httpd -X -k start -d $dir -e debug > >> > >> on my FC4 machine. > >> > >> Now, it's time to start testing the program I > wrote, but my Apache > >> > > (version > > > >> 2.0.54, installed from Fedora RPM, if it matters) > won't start unless I > >> execute /usr/sbin/setenforce 0 before executing > my script. (it took me a > >> while to figure that one out!). In fact, > /usr/sbin/httpd -v won't even > >> > > work. > > > >> I'm sure the SELinux policy has updated via yum > since times when it > >> > > worked, > > > >> and that explains the change. I tried checking > "Disable SELinux > protection > >> for httpd daemon" in the > system-config-securitylevel dialog and > >> > > relabelling > > > >> my filesystems, but I still need to execute > /usr/sbin/setenforce 0 > >> beforehand to run my script that starts httpd > with my CGI program. > >> > >> If it helps, the example CGI program (not the one > I've written, but Tom > >> Boutell's that formerly ran) is in the directory > >> > >> > /home/myuser/Development/myproject/imageFromCGI_test/test > > >> > >> and > >> > >> ls -l > /home/myuser/Development/myproject/imageFromCGI_test/test > outputs > >> > >> total 52 > >> drwxrwxr-x 2 myuser apache 4096 Sep 9 10:03 > cgi-bin > >> drwxrwxr-x 2 myuser apache 4096 Sep 9 13:07 > conf > >> -rwxr-xr-x 1 root root 63 Dec 20 14:38 > debug_CGI > >> drwxrwxr-x 2 myuser apache 4096 Sep 9 12:08 > htdocs > >> drwxrwxr-x 2 myuser apache 4096 Sep 9 12:04 > logs > >> lrwxrwxrwx 1 root root 18 Sep 9 09:52 > modules -> /etc/httpd/modules > >> drwxrwxr-x 2 myuser apache 4096 Sep 9 12:04 run > >> > >> (probably only makes sense if you're accustomed > to configuring apache; > >> > > this > > > >> directory is essentially the argument to the > Apache ServerRoot > directive). > >> > >> I inferred that the directory might be important > since /sbin/service > httpd > >> start works fine, regardless of state of > aforementioned checkbox. > >> > >> What bugs me is that I don't get any kind of > warning... apache just never > >> starts. > >> Q: How do I get warnings? (grep avc > /var/log/messages was of no help to > my > >> pea-brain) > >> Q: What else do I need to change to alter this > behavior? > >> > >> I understand that for a production machine, > SELinux is a good thing. I > >> hadn't installed it when I used FC2 and hadn't > had much problem with FC3 > >> > > or > > > >> with FC4 until yesterday. I have to believe there > is a better way than > >> > > just > > > >> turning it off. > >> > >> Thanks. > >> -al > >> > >> Al Pacifico > >> Seattle, WA > >> > >> > >> > >> > >> -- > >> fedora-selinux-list mailing list > >> fedora-selinux-list(a)redhat.com > >> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >> > > > > >From RHEL list: > > > > Gavin Young wrote: > > > >> Hey guys, hopefully someone out there can help me > with this because > >> > > I'm > > > >> an SELinux virgin so to speak. > >> > >> We have a RHEL v4 box running apache amongst > other things. No changes > >> have been made to the standard Redhat policies. > >> > > > > I'm no expert but I am trying to wade through > Apache/selinux issues as > > well. > > You might find the following "beta" document > helpful: > > > > > <http://fedora.redhat.com/docs/selinux-apache-fc3/sn-debugging-and-customizi > > ng.html#sn-httpd-booleans> > > > > ------------------- > > On Fri, 4 Mar 2005, Gavin Young wrote: > > > > > >> Hey guys, hopefully someone out there can help me > with this because > >> > > I'm > > > >> an SELinux virgin so to speak. > >> > >> We have a RHEL v4 box running apache amongst > other things. No changes > >> have been made to the standard Redhat policies. > >> > >> We are wanting to run a perl based web app > (Sql-Ledger) > >> from /usr/local/sql-ledger but SELinux is > stopping us. > >> > >> With SELinux disabled it works correctly. When > SELinux protection of > >> > > the > > > >> HTTPD daemon is switched on the browser displays: > Internal Server > >> > > Error > > > >> and /var/log/messages reports > >> > >> Mar 3 15:13:23 zorb1 kernel: > audit(1109816003.103:0): avc: denied > >> { execute } for pid=24711 exe=/usr/sbin/httpd > name=login.pl dev=dm-0 > >> ino=9228595 scontext=root:system_r:httpd_t > >> > > tcontext=root:object_r:usr_t > > > >> tclass=file > >> > >> > >>> From what I can tell SELinux is stopping scripts > being run from any > >>> > >> other directory apart from /var/www/cgi-bin. I > have tried moving the > >> sql-ledger directory into cgi-bin but that > doesn't appear to help > >> because it is still a sub-directory of cgi-bin. > >> > > > > The release notes give a hint to the right > direction but doesn't > > directly > > talk about cgi - you need to set the file contexts > of the sql-ledger > > stuff > > as cgi-content, something like this: > > "chcon -R -h -t httpd_sys_script_exec_t <path to > slq-ledger directory>" > > > > - Panu - > > > > ---------------------- > > > > What are the HTTPD Booleans set to? > > > > getsebool -a | grep httpd > > > > httpd_enable_cgi needs to be active, if it is not. > That wouldn't > > generate the denial you have, so think of this as > a "is it plugged in?" > > type of question. > > > > > >> We are wanting to run a perl based web app > (Sql-Ledger) > >> from /usr/local/sql-ledger but SELinux is > stopping us. > >> > > > > This is where someone could correct me for best > practices advise. > > > > You want to seriously consider moving the CGI > program to the appropriate > > directory. Otherwise, you are trying to give > Apache execute access to > > something inside of /usr/local/ ... > > > > To do this in /usr/local/, you will need to change > policy or > > relabel /usr/local/ to make this happen, which > will serve to reduce > > security on the system. > > > > > >> With SELinux disabled it works correctly. When > SELinux protection of > >> > > the > > > >> HTTPD daemon is switched on the browser displays: > Internal Server > >> > > Error > > > >> and /var/log/messages reports > >> > >> Mar 3 15:13:23 zorb1 kernel: > audit(1109816003.103:0): avc: denied > >> { execute } for pid=24711 exe=/usr/sbin/httpd > name=login.pl dev=dm-0 > >> ino=9228595 scontext=root:system_r:httpd_t > >> > > tcontext=root:object_r:usr_t > > > >> tclass=file > >> > >> >From what I can tell SELinux is stopping scripts > being run from any > >> other directory apart from /var/www/cgi-bin. I > have tried moving the > >> sql-ledger directory into cgi-bin but that > doesn't appear to help > >> because it is still a sub-directory of cgi-bin. > >> > > > > That shouldn't be a problem. You just need to > relabel the directory > > recursively. This should work, and is a good > practice since it refers > > to the mapping of labels to directories/files as > defined by the policy: > > > > restorecon -Rv /var/www/cgi-bin/sql-ledger/ > > > > If ls -Z doesn't show that the type is > httpd_sys_script_t, do this: > > > > chcon -Rv -t httpd_sys_script_t > /var/www/cgi-bin/sql-ledger/ > > > > > >> This problem must have come up before... Any help > would be much > >> appreciated. > >> > > > > Yeah, almost qualifies for a FAQ. > > > > Future updates to the Red Hat SELinux Guide[1] > will likely address > > Apache more thoroughly. > > > > - Karsten > > [1] > > > http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/in > > dex.html > > > > HTH > > > > Marcus O. > > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list(a)redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > > > > > > > > -- > > fedora-selinux-list mailing list > > fedora-selinux-list(a)redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > > What avc messages are you seeing. With > httpd_enable_homedirs turned on > apache should be able to read your homedirs. > If you are seeing file_t in your > /var/log/audit/audit.log then you > probably need to relabel your system. > > touch /.autorelabel > reboot > > -- > > > > > Thanks, Daniel! Still stumped. I've reduced this to a simple case that can be executed on any FC4 box (updated via yum) that has the httpd RPM and SELinux, so that you might be able to look on your machine. [root@powell imageFromCGI_test]# /usr/sbin/httpd -V <expected to see server version, etc, but no response> [root@powell imageFromCGI_test]# /usr/sbin/setenforce 0 <try again with SELinux off> [root@powell imageFromCGI_test]# /usr/sbin/httpd -V Server version: Apache/2.0.54 Server built: Sep 2 2005 11:54:18 <snip> [root@powell imageFromCGI_test]# /usr/sbin/setenforce 1 <SELinux back on> [root@powell imageFromCGI_test]# /usr/sbin/httpd -V [root@powell imageFromCGI_test]# Output of grep AVC /var/log/audit/audit.log now ends with: type=AVC msg=audit(1135317046.340:535): avc: granted { setenforce } for pid=8452 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security type=AVC msg=audit(1135317060.595:536): avc: granted { setenforce } for pid=8454 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security Shouldn't there have been a message following the last line saying my execution of /usr/sbin/httpd -V was denied? Output of getsebool -a | grep httpd is still: allow_httpd_anon_write --> inactive allow_httpd_sys_script_anon_write --> inactive httpd_builtin_scripting --> active httpd_can_network_connect --> inactive httpd_disable_trans --> active httpd_enable_cgi --> active httpd_enable_ftp_server --> inactive httpd_enable_homedirs --> active httpd_ssi_exec --> active httpd_suexec_disable_trans --> inactive httpd_tty_comm --> inactive httpd_unified --> active Any ideas? Clearly, I'm missing something, here. -al __________________________________ Yahoo! for Good - Make a difference this year. http://brand.yahoo.com/cybergivingweek2005/

18 years, 4 months

1
0
0 / 0

Neophyte question re: httpd under SELinux

by Al Pacifico

I'm working on a CGI program in C, but recently SELinux seems to have tripped me up. I started with Tom Boutell's cgic and an example CGI program (provided in his source tree) that generates a JPEG on the fly. It ran fine months back with the following script: dir=$(dirname $0) /usr/sbin/httpd -X -k start -d $dir -e debug on my FC4 machine. Now, it's time to start testing the program I wrote, but my Apache (version 2.0.54, installed from Fedora RPM, if it matters) won't start unless I execute /usr/sbin/setenforce 0 before executing my script. (it took me a while to figure that one out!). In fact, /usr/sbin/httpd -v won't even work. I'm sure the SELinux policy has updated via yum since times when it worked, and that explains the change. I tried checking "Disable SELinux protection for httpd daemon" in the system-config-securitylevel dialog and relabelling my filesystems, but I still need to execute /usr/sbin/setenforce 0 beforehand to run my script that starts httpd with my CGI program. If it helps, the example CGI program (not the one I've written, but Tom Boutell's that formerly ran) is in the directory /home/myuser/Development/myproject/imageFromCGI_test/test and ls -l /home/myuser/Development/myproject/imageFromCGI_test/test outputs total 52 drwxrwxr-x 2 myuser apache 4096 Sep 9 10:03 cgi-bin drwxrwxr-x 2 myuser apache 4096 Sep 9 13:07 conf -rwxr-xr-x 1 root root 63 Dec 20 14:38 debug_CGI drwxrwxr-x 2 myuser apache 4096 Sep 9 12:08 htdocs drwxrwxr-x 2 myuser apache 4096 Sep 9 12:04 logs lrwxrwxrwx 1 root root 18 Sep 9 09:52 modules -> /etc/httpd/modules drwxrwxr-x 2 myuser apache 4096 Sep 9 12:04 run (probably only makes sense if you're accustomed to configuring apache; this directory is essentially the argument to the Apache ServerRoot directive). I inferred that the directory might be important since /sbin/service httpd start works fine, regardless of state of aforementioned checkbox. What bugs me is that I don't get any kind of warning... apache just never starts. Q: How do I get warnings? (grep avc /var/log/messages was of no help to my pea-brain) Q: What else do I need to change to alter this behavior? I understand that for a production machine, SELinux is a good thing. I hadn't installed it when I used FC2 and hadn't had much problem with FC3 or with FC4 until yesterday. I have to believe there is a better way than just turning it off. Thanks. -al Al Pacifico Seattle, WA

18 years, 4 months

3
3
0 / 0

java failure

by Tom London

Running targeted/enforcing, latest rawhide(selinux-policy-targeted-2.1.6-11): executing 'java' produces "error spawning gij" audit.log shows: type=SELINUX_ERR msg=audit(1135117790.324:65): security_compute_sid: invalid context user_u:system_r:java_t:s0 for scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:java_exec_t:s0 tclass=process type=SYSCALL msg=audit(1135117790.324:65): arch=40000003 syscall=11 success=no exit=-13 a0=804877a a1=bff00d94 a2=9149040 a3=320cc0 items=1 pid=6726 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="java" exe="/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre/bin/java" type=CWD msg=audit(1135117790.324:65): cwd="/home/tbl/Downloads/azureus" type=PATH msg=audit(1135117790.324:65): item=0 name="/usr/bin/gij" flags=101 inode=137573 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 This known? tom -- Tom London

18 years, 4 months

2
2
0 / 0

RE: Problem with VNC and SELinux: FC4

by chanson＠TrustedCS.com

>Folks, > >With the new SELinux updates, it appears that root, >other than normal users can login to Fedora via VNC >Server? My VNC Server is setup such that I am using >xinitd for VNC Server requests. > A problem I noticed on FC4 with updates is that running VNC from initscripts will cause user sessions to have a system_u:system_r:initrc_t context. If you start a VNC server as the user from a shell, you get get the expected behavior of unconfined_t session. >Another problem I noticed is that when I log into my >Fedora system via VNC as root user, and open a xterm >window and run a su - <normal-user>, I get back a >SElinux message: > >================================================ ># su - dan >Your default context is: user_u:system_r:kernel_t. > >Do you want to want to choose a different one? [n] >================================================

18 years, 4 months

2
1
0 / 0

rawhide policy error messages

by Steve G

Hi, I updated selinux targeted policy in rawhide and got this: Running Transaction Installing: selinux-policy ######################### [1/3] Updating : selinux-policy-targeted ######################### [2/3] security: invalidating context system_u:object_r:hostname_exec_t:s0 security: invalidating context system_u:system_r:hostname_t:s0 libsemanage.parse_module_headers: Data did not represent a module. Failed! /sbin/restorecon reset /bin/hostname context system_u:object_r:unlabeled_t->system_u:object_r:bin_t /sbin/restorecon reset /usr/lib/dri/radeon_dri.so context system_u:object_r:lib_t->system_u:object_r:textrel_shlib_t Cleanup : selinux-policy-targeted ######################### [3/3] Anything to worry about? Does the message from libsemanage actually give enough information to fix the problem? -Steve __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

18 years, 4 months

3
2
0 / 0

RE: Non-root console login issue! (was: Problem with VNC ... SELinux:FC4)

by Dan Thurman

>From: fedora-list-bounces(a)redhat.com >[mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel J Walsh >Sent: Tuesday, December 20, 2005 11:20 AM >To: For users of Fedora Core releases >Cc: Fedora SELinux support list for users & developers. >Subject: Re: Non-root console login issue! (was: Problem with VNCand >SELinux:FC4) > > >Daniel B. Thurman wrote: >>> From: fedora-list-bounces(a)redhat.com >>> [mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel >B. Thurman >>> Sent: Saturday, December 17, 2005 2:30 PM >>> To: For users of Fedora Core releases >>> Cc: Fedora SELinux support list for users & developers. >>> Subject: Non-root console login issue! (was: Problem with VNC and >>> SELinux:FC4) >>> >>> >>> >>>> From: fedora-list-bounces(a)redhat.com >>>> [mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel >B. Thurman >>>> Sent: Friday, December 16, 2005 6:11 PM >>>> To: For users of Fedora Core releases (E-mail) >>>> Cc: Fedora SELinux support list for users & developers. >>>> Subject: Problem with VNC and SELinux: FC4 >>>> >>>> >>>> >>>> Folks, >>>> >>>> With the new SELinux updates, it appears that root, >>>> other than normal users can login to Fedora via VNC >>>> Server? My VNC Server is setup such that I am using >>>> xinitd for VNC Server requests. >>>> >>>> Another problem I noticed is that when I log into my >>>> Fedora system via VNC as root user, and open a xterm >>>> window and run a su - <normal-user>, I get back a >>>> SElinux message: >>>> >>>> ================================================ >>>> # su - dan >>>> Your default context is: user_u:system_r:kernel_t. >>>> >>>> Do you want to want to choose a different one? [n] >>>> ================================================ >>>> >>>> It is *possible* that this problem came up when >>>> I had to make a copy of my filesystem to another >>>> hard-disk for the purpose of creating a /boot >>>> partition (my bad) and copied/restored the filesystem >>>> back over to the main drive. I don't think I made >>>> any copy/restore mistakes as I know the fs permissions >>>> are correct but I cannot speak for filesystem journaling >>>> or whatever that keeps track of the SELinux attributes. >>>> >>>> In any case, what can I do to resolve my VNC and/or su >>>> issue knowing that SElinux has something to do with it? >>>> >>>> Thanks! >>>> Dan Thurman >>>> >>>> >>> Problem is not related to SELinux and not really related >>> to VNC. It turns out that I cannot log into the console >>> as a non-root user and I get a message saying: >>> >>> ======================================================= >>> Your session lasted less than 10 seconds. If you have not >>> logged out yourself, this could mean that there is some >>> installation problem or that you may be out of diskspace. >>> Try logging in with one of the failsafe sessions to see if >>> you can fix this problem. >>> >>> [] View details (~/.xsession-errors file) >>> ======================================================= >>> >>> The problem here is that the .xsession-errors file does >>> not exist. I also note from /var/log/message file: >>> >>> ======================================================= >>> Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for >>> user dant by (uid=0) >>> Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for >>> user dant >>> Dec 17 12:45:32 linux dbus: avc: 0 AV entries and 0/512 >>> buckets used, longest chain length 0 >>> ======================================================= >>> >>> And from /var/log/audit/audit.log >>> ======================================================= >>> type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397 >>> uid=0 auid=4294967295 msg='PAM authentication: user=dant >>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 >>> result=Success)' >>> type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397 >>> uid=0 auid=4294967295 msg='PAM accounting: user=dant >>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 >>> result=Success)' >>> type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397 >>> uid=0 auid=4294967295 msg='PAM setcred: user=dant >>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 >>> result=Success)' >>> type=USER_START msg=audit(1134858412.307:3932): user pid=3397 >>> uid=0 auid=4294967295 msg='PAM session open: user=dant >>> exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 >>> result=Success)' >>> ======================================================= >>> >>> File: >>> # ls -l /usr/bin/gdm-binary >>> -rwxr-xr-x 1 root root 251668 May 23 2005 /usr/bin/gdm-binary >>> >>> HALLLLLP! Please :-) >>> >>> Dan >>> >>> >> >> Sorry - had to add this tidbit.... seems that SElinux may be >> involved or maybe my file journaling is messed up after a "restore"? >> >> I tried to create a new user account to see if by doing this >> I would get a correct security context and be able to log >> into the console but WHOA!!! What is going on here!?!?!? >> >> ======================================================= >> [root@linux ~]# useradd dant2 >> useradd: cannot rewrite password file >> [root@linux ~]# >> ======================================================= >> File: /var/log/audit/audit.log: >> >> 94967295 msg='useradd: op=adding home directory acct=dant2 >res=success' >> type=AVC msg=audit(1134859204.879:4004): avc: denied { >create } for pid=19177 comm="useradd" name=".kde" >scontext=root:system_r:kernel_t >tcontext=user_u:object_r:user_home_t tclass=dir >> type=SYSCALL msg=audit(1134859204.879:4004): arch=40000003 >syscall=39 success=no exit=-13 a0=bfd81470 a1=1ed a2=98fd2ef >a3=ffffffff items=1 pid=19177 auid=4294967295 uid=0 gid=0 >euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" >exe="/usr/sbin/useradd" >> type=CWD msg=audit(1134859204.879:4004): cwd="/root" >> type=PATH msg=audit(1134859204.879:4004): item=0 >name="/home/dant2/.kde" flags=10 inode=1245989 dev=03:02 >mode=040755 ouid=511 ogid=512 rdev=00:00 >> type=AVC msg=audit(1134859204.883:4005): avc: denied { >create } for pid=19177 comm="useradd" name="passwd+" >scontext=root:system_r:kernel_t >tcontext=system_u:object_r:file_t tclass=file >> type=SYSCALL msg=audit(1134859204.883:4005): arch=40000003 >syscall=5 success=no exit=-13 a0=bfd817e4 a1=8241 a2=1b6 >a3=98f6f38 items=1 pid=19177 auid=4294967295 uid=0 gid=0 >euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" >exe="/usr/sbin/useradd" >> type=CWD msg=audit(1134859204.883:4005): cwd="/root" >> type=PATH msg=audit(1134859204.883:4005): item=0 >name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 >mode=040755 ouid=0 ogid=0 rdev=00:00 >> type=USER_CHAUTHTOK msg=audit(1134859204.883:4006): user >pid=19177 uid=0 auid=4294967295 msg='useradd: op=adding user >acct=dant2 res=failed' >> ======================================================= >> >> Dan >> >> >Looks like you have a labeling problem. file_t files should not exist >if your system is properly labeled. This either indicates you booted >with selinux=0 or you added additional disks. > >You can relabel by executing > >touch /.autorelabel >reboot From: RE: [mostly solved] SELinux is screwing me up!!!! Help! Date: Mon 12/19/2005 8:21AM I did try the autorelabel as it did not work. It wasn't until I tried the following that seemed to steer clear of permissions problems encountered with the autorelabel method. ========================================== I think that I solved this problem by: 1) Booting in selinux=0 single 2) /sbin/fixfiles -F -R -a -F relabel 3) reboot ========================================== Sorry that you did not see this later thread. Dan > > >-- > > >-- >fedora-list mailing list >fedora-list(a)redhat.com >To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list > >-- >No virus found in this incoming message. >Checked by AVG Free Edition. >Version: 7.1.371 / Virus Database: 267.14.1/207 - Release >Date: 12/19/2005 > > -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.371 / Virus Database: 267.14.1/207 - Release Date: 12/19/2005

18 years, 4 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2005