SELinux is screwing me up!!!! Help!
by Dan Thurman
Folks,
I believe all of my problems started because I had backed up
and restored my filesystem and *somehow* all or some
of the selinux attributes may have been messed up. Reading
the selinux manual, it says that you can rebuild it by touching
a file: /.autorelabel and rebooting. I did that, and I still have
the same problem as before - nothing has changed. I checked some
of the file permissions such as /bin/su and note that they are
correct, as are other files and directories - so at first mini-check it
all appears to be correct. The restore appears correct throughout
on cursory checks.
The following are the problems I am having:
1) I cannot log in as a non-root user! I have 4 non-root user accounts
and yet I cannot log into any of them except as root!
I get the following message when attempting to log in:
==========================================
Your session lasted less than 10 seconds. If you have not
logged out yourself, this could mean that there is some
installation problem or that you may be out of diskspace.
Try logging in with one of the failsafe sessions to see if
you can fix this problem.
[] View details (~/.xsession-errors file)
==========================================
then I get kicked out of the login session.
2) As root user, when I `su - dant', I get this EVERY TIME:
==========================================
Your default context is: user_u:system_r:kernel_t.
Do you want to want to choose a different one? [n]
==========================================
Choosing the default lets me in as this user. Choosing 'n'
gives me a list of contexts and choosing one lets me in.
3) As root, I tried to create a non-root user:
# useradd joed
/var/log/messages says:
type=USER_CHAUTHTOK msg=audit(1134936930.895:3557): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=success'
type=USER_CHAUTHTOK msg=audit(1134936930.895:3558): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding home directory acct=joed res=success'
type=AVC msg=audit(1134936931.415:3559): avc: denied { create } for pid=19294 comm="useradd" name=".kde" scontext=root:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
type=SYSCALL msg=audit(1134936931.415:3559): arch=40000003 syscall=39 success=no exit=-13 a0=bfde8bf0 a1=1ed a2=92f92ef a3=ffffffff items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134936931.415:3559): cwd="/root"
type=PATH msg=audit(1134936931.415:3559): item=0 name="/home/joed/.kde" flags=10 inode=1245989 dev=03:02 mode=040755 ouid=511 ogid=512 rdev=00:00
type=AVC msg=audit(1134936931.419:3560): avc: denied { create } for pid=19294 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1134936931.419:3560): arch=40000003 syscall=5 success=no exit=-13 a0=bfde8f64 a1=8241 a2=1b6 a3=92f33b8 items=1 pid=19294 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
type=CWD msg=audit(1134936931.419:3560): cwd="/root"
type=PATH msg=audit(1134936931.419:3560): item=0 name="/etc/passwd+" flags=310 inode=1212417 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_CHAUTHTOK msg=audit(1134936931.419:3561): user pid=19294 uid=0 auid=4294967295 msg='useradd: op=adding user acct=joed res=failed'
4) I cannot 'yum update' successfully, and these are the errors I see:
Transaction Test Succeeded
Running Transaction
Installing: arts ####################### [ 1/26]
error: unpacking of archive failed on file /usr/bin/artscat: cpio: lsetfilecon
Installing: perl ####################### [ 2/26]
error: unpacking of archive failed on file /usr/bin/a2p: cpio: lsetfilecon
Installing: cups-libs ####################### [ 3/26]
error: unpacking of archive failed on file /usr/lib/libcups.so.2: cpio: lsetfilecon
error: %pre(kdelibs-3.5.0-0.1.fc4.i386) scriptlet failed, exit status 255
error: install: %pre scriptlet failed (2), skipping kdelibs-3.5.0-0.1.fc4
Installing: kdebase [ 5/26]
warning: /etc/X11/xdm/kdmrc saved as /etc/X11/xdm/kdmrc.rpmorig
Installing: kdebase ####################### [ 5/26]
error: unpacking of archive failed on file /etc/X11/xdm/kdmrc: cpio: lsetfilecon
Updating : kdenetwork ####################### [ 6/26]
error: unpacking of archive failed on file /etc/pam.d/kppp: cpio: lsetfilecon
Installing: kdebindings ####################### [ 7/26]
error: unpacking of archive failed on file /usr/bin/embedjs: cpio: lsetfilecon
Updating : kdemultimedia ####################### [ 8/26]
error: unpacking of archive failed on file /etc/xdg/menus/applications-merged/kde-multimedia-music.menu: cpio: lsetfilecon
Updating : kdegraphics ####################### [ 9/26]
error: unpacking of archive failed on file /usr/bin/kcolorchooser: cpio: lsetfilecon
Updating : kdegames ####################### [10/26]
error: unpacking of archive failed on file /usr/bin/atlantik: cpio: lsetfilecon
Installing: arts-devel ####################### [11/26]
error: unpacking of archive failed on file /usr/bin/artsc-config: cpio: lsetfilecon
Installing: kdelibs-devel ####################### [12/26]
error: unpacking of archive failed on file /usr/bin/dcopidl: cpio: lsetfilecon
Updating : kdeartwork ####################### [13/26]
error: unpacking of archive failed on file /usr/bin/kbanner.kss: cpio: lsetfilecon
Updating : cups ####################### [14/26]
error: unpacking of archive failed on file /etc/cron.daily/cups: cpio: lsetfilecon
Updating : system-config-nfs ####################### [15/26]
error: unpacking of archive failed on file /etc/pam.d/system-config-nfs: cpio: lsetfilecon
Updating : kdebindings-devel ####################### [16/26]
error: unpacking of archive failed on file /usr/include/kde/kjsembed: cpio: lsetfilecon
Updating : dhcp ####################### [17/26]
error: unpacking of archive failed on file /etc/dhcpd.conf: cpio: lsetfilecon
error: %preun(kdenetwork-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 255
Cleanup : kdeartwork ####################### [18/26]
error: %postun(kdeartwork-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
error: %trigger(cups-1.1.23-15.1.i386) scriptlet failed, exit status 255
Cleanup : kdemultimedia ####################### [19/26]
error: %postun(kdemultimedia-3.4.2-0.fc4.1.i386) scriptlet failed, exit status 255
error: %preun(system-config-nfs-1.3.11-0.fc4.1.noarch) scriptlet failed, exit status 255
Cleanup : kdebindings-devel ####################### [20/26]
Cleanup : kdegraphics ####################### [21/26]
error: %postun(kdegraphics-3.4.2-0.fc4.2.i386) scriptlet failed, exit status 25
I am at a loss as to why I see general "avc: denied {xxxxxxx}" messages
interspersed in the /var/log/messages and /var/log/audit/audit.log files such
as shown below:
/var/log/messages:
====================
===
No idea what these are:
Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
Dec 12 21:48:06 linux dbus: avc: 1 AV entries and 1/512 buckets used, longest chain length 1
Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
Dec 12 21:48:06 linux dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
Dec 12 21:48:06 linux dbus: avc: received policyload notice (seqno=3)
Dec 12 21:48:06 linux dbus: avc: 7 AV entries and 7/512 buckets used, longest chain length 1
===
Relabeling problems shown below...
Dec 17 18:35:50 linux kernel: SELinux: initialized (dev sdb1, type ext3), uses xattr
Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc: granted { setenforce } for pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="__db.001" dev=hda2 ino=904713 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc: denied { relabelto } for pid=1236 comm="setfiles" name="root" dev=hda2 ino=671745 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_dir_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134872412.547:5): avc: denied { relabelto } for pid=1236 comm="setfiles" name="bin" dev=hda2 ino=671746 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134872412.559:6): avc: denied { relabelto } for pid=1236 comm="setfiles" name="doCerts" dev=hda2 ino=671747 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134872412.951:7): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="khelpcenter" dev=hda2 ino=672118 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134872412.975:8): avc: denied { relabelto } for pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=672307 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_t tclass=lnk_file
Dec 17 18:35:50 linux kernel: audit(1134872413.031:9): avc: denied { relabelto } for pid=1236 comm="setfiles" name="libflashplayer.so" dev=hda2 ino=672362 scontext=system_u:system_r:kernel_t tcontext=root:object_r:lib_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134873060.784:10): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="xterm" dev=hda2 ino=1565515 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=lnk_file
Dec 17 18:35:50 linux kernel: audit(1134873187.416:11): avc: denied { relabelto } for pid=1236 comm="setfiles" name="dant" dev=hda2 ino=1245501 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134873187.416:12): avc: denied { relabelto } for pid=1236 comm="setfiles" name=".kde" dev=hda2 ino=1245502 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134873187.420:13): avc: denied { relabelto } for pid=1236 comm="setfiles" name="Autorun.desktop" dev=hda2 ino=1245504 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134873187.492:14): avc: denied { relabelto } for pid=1236 comm="setfiles" name="socket-linux.cdkkt.com" dev=hda2 ino=1245588 scontext=system_u:system_r:kernel_t tcontext=user_u:object_r:user_home_t tclass=lnk_file
Dec 17 18:35:50 linux kernel: audit(1134873191.264:15): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="verifyFS" dev=hdb1 ino=49063 scontext=system_u:system_r:kernel_t tcontext=root:object_r:samba_share_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134873191.340:16): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="DenyHosts-1.1.2-python2.4.noarch.rpm" dev=hdb1 ino=1651599 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=file
Dec 17 18:35:50 linux kernel: audit(1134873218.749:17): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="defaults" dev=hdb3 ino=1697393 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=dir
Dec 17 18:35:50 linux kernel: audit(1134873319.356:18): avc: granted { setenforce } for pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Dec 17 18:35:50 linux kernel: Adding 2289252k swap on /dev/hda3. Priority:-1 extents:1 across:2289252k
Any help would be appreciated!
Kind regards,
Dan
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.1/206 - Release Date: 12/16/2005
error installing selinux targeted policy
by Jason Dravet
I updated to today's rawhide and when yum was updating
selinux-policy-targeted I saw the following message:
Updating : selinux-policy-targeted ##################### [140/400]
libsemanage.parse_module_headers: Data did not represent a module.
Failed!
Things seem to work as they did yesterday.
FYI,
Jason
ProFTPD not showing all directories.
by Mark Evers
Well, SELinux handed me another problem. I've been reading into the http://fedora.redhat.com/docs/selinux-faq-fc3/ hoping I would get my answer,
without luck.
The problem is, when I connect to my FC4's Proftpd server I'm missing a lot of directories and files, and they do exist, I checked using SSH.
At first I could only see the "homes" directory, then I tried a fixfiles relabel, it brought back some dirs, but not the ones that are most important like public_html.
Then I tried to disable SELinux to see if it's really SELinux related, and like magic, there are the missing dirs.
What I want, but can't find, is a way for users to have full access to their home dir; they are chrooted so they can't look "beyond" their own home dir, and still use SELinux.
To be honest, I'm very new to SELinux and I'm still trying to figure this out. I like the idea of security a lot, but I find it hard to get information about it, like how to check what policies are enabled, and what policies can be added.
I've tried the system-config-security-level, and the only thing it showed me was the firewall.
I'm using Shorewall so that's not useful to me.
I hope someone can help out.
Thanks
Mark Evers
Non-root console login issue! (was: Problem with VNC and SELinux: FC4)
by Dan Thurman
>From: fedora-list-bounces(a)redhat.com
>[mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel B. Thurman
>Sent: Friday, December 16, 2005 6:11 PM
>To: For users of Fedora Core releases (E-mail)
>Cc: Fedora SELinux support list for users & developers.
>Subject: Problem with VNC and SELinux: FC4
>
>
>
>Folks,
>
>With the new SELinux updates, it appears that root,
>other than normal users, can log in to Fedora via VNC
>Server? My VNC Server is set up such that I am using
>xinetd for VNC Server requests.
>
>Another problem I noticed is that when I log into my
>Fedora system via VNC as root user, and open an xterm
>window and run a su - <normal-user>, I get back a
>SElinux message:
>
>================================================
># su - dan
>Your default context is: user_u:system_r:kernel_t.
>
>Do you want to want to choose a different one? [n]
>================================================
>
>It is *possible* that this problem came up when
>I had to make a copy of my filesystem to another
>hard-disk for the purpose of creating a /boot
>partition (my bad) and copied/restored the filesystem
>back over to the main drive. I don't think I made
>any copy/restore mistakes as I know the fs permissions
>are correct but I cannot speak for filesystem journaling
>or whatever that keeps track of the SELinux attributes.
>
>In any case, what can I do to resolve my VNC and/or su
>issue knowing that SElinux has something to do with it?
>
>Thanks!
>Dan Thurman
>
The problem is not related to SELinux and not really related
to VNC. It turns out that I cannot log into the console
as a non-root user and I get a message saying:
=======================================================
Your session lasted less than 10 seconds. If you have not
logged out yourself, this could mean that there is some
installation problem or that you may be out of diskspace.
Try logging in with one of the failsafe sessions to see if
you can fix this problem.
[] View details (~/.xsession-errors file)
=======================================================
The problem here is that the .xsession-errors file does
not exist. I also note from the /var/log/messages file:
=======================================================
Dec 17 12:45:31 linux gdm(pam_unix)[16480]: session opened for user dant by (uid=0)
Dec 17 12:45:32 linux gdm(pam_unix)[16480]: session closed for user dant
Dec 17 12:45:32 linux dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
=======================================================
And from /var/log/audit/audit.log
=======================================================
type=USER_AUTH msg=audit(1134858412.155:3929): user pid=3397 uid=0 auid=4294967295 msg='PAM authentication: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER_ACCT msg=audit(1134858412.159:3930): user pid=3397 uid=0 auid=4294967295 msg='PAM accounting: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
type=CRED_ACQ msg=audit(1134858412.247:3931): user pid=3397 uid=0 auid=4294967295 msg='PAM setcred: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER_START msg=audit(1134858412.307:3932): user pid=3397 uid=0 auid=4294967295 msg='PAM session open: user=dant exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=:0 result=Success)'
=======================================================
File:
# ls -l /usr/bin/gdm-binary
-rwxr-xr-x 1 root root 251668 May 23 2005 /usr/bin/gdm-binary
HALLLLLP! Please :-)
Dan
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.1/206 - Release Date: 12/16/2005
RE: Problem with VNC and SELinux: FC4
by Dan Thurman
>From: fedora-list-bounces(a)redhat.com
>[mailto:fedora-list-bounces@redhat.com]On Behalf Of Daniel B. Thurman
>Sent: Friday, December 16, 2005 6:11 PM
>To: For users of Fedora Core releases (E-mail)
>Cc: Fedora SELinux support list for users & developers.
>Subject: Problem with VNC and SELinux: FC4
>
>
>
>Folks,
>
>With the new SELinux updates, it appears that root,
>other than normal users, can log in to Fedora via VNC
>Server? My VNC Server is set up such that I am using
>xinetd for VNC Server requests.
>
>Another problem I noticed is that when I log into my
>Fedora system via VNC as root user, and open an xterm
>window and run a su - <normal-user>, I get back a
>SElinux message:
>
>================================================
># su - dan
>Your default context is: user_u:system_r:kernel_t.
>
>Do you want to want to choose a different one? [n]
>================================================
>
>It is *possible* that this problem came up when
>I had to make a copy of my filesystem to another
>hard-disk for the purpose of creating a /boot
>partition (my bad) and copied/restored the filesystem
>back over to the main drive. I don't think I made
>any copy/restore mistakes as I know the fs permissions
>are correct but I cannot speak for filesystem journaling
>or whatever that keeps track of the SELinux attributes.
>
>In any case, what can I do to resolve my VNC and/or su
>issue knowing that SElinux has something to do with it?
>
>Thanks!
>Dan Thurman
>
>--
>No virus found in this outgoing message.
>Checked by AVG Free Edition.
>Version: 7.1.371 / Virus Database: 267.14.1/204 - Release
>Date: 12/15/2005
>
>
Someone care to help me out here? I have been trying to
log in remotely as a non-root user and VNC is trying to let
me in, but for some reason is dropping the VNC client,
thus denying me. Login as root works. I suspect that
a selinux context is needed to allow remote non-root VNC
user access?
I had a private email sent to me saying that they had a
similar problem as well but did not offer any solution
for a fix.
Anything I can do or research to narrow down this issue?
Thanks,
Dan
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.1/206 - Release Date: 12/16/2005
Using spamassassin with selinux
by Nicolas Mailhot
Hi,
I'm still trying to get spamassassin to work properly with procmail and
selinux (this is bug #172088, which has been open almost 50 days and is still not
closed). I'm getting a bit tired of watching my spam system fail and
will probably revert to no selinux testing at all (selinux=0, like
almost everyone else) if this continues. 50 days is more than enough to
fix a reported problem.
I have the following entry in my procmail:
:0fw: .spamc.lock
* < 256000
| spamc
Now maildir logs show spamassassin is denied access to its own files
when selinux is enabled:
Dec 17 11:30:05 rousalka spamd[2681]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 50637
Dec 17 11:30:05 rousalka spamd[2681]: spamd: setuid to nim succeeded
(yes spamd does setuids)
Dec 17 11:30:05 rousalka spamd[2681]: spamd: creating default_prefs:
/home/nim/.spamassassin/user_prefs
(spamd didn't see the pref files already existed - probably because of
selinux - so it tries to create it)
Dec 17 11:30:05 rousalka spamd[2681]: mkdir /home/nim: Le fichier
existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 1467
(the system tells it to get lost, the file already exists)
Dec 17 11:30:05 rousalka spamd[2681]: config: cannot write to
/home/nim/.spamassassin/user_prefs: Permission non accordée
(and spamd is not allowed to write it)
Dec 17 11:30:05 rousalka spamd[2681]: spamd: failed to create readable
default_prefs: /home/nim/.spamassassin/user_prefs
Likewise, pyzor is dead:
Dec 17 11:30:05 rousalka spamd[2681]: internal error
Dec 17 11:30:05 rousalka spamd[2681]: pyzor: check failed: internal error
and the autowhitelist cannot be modified, because spamd cannot create
a lockfile:
Dec 17 11:30:05 rousalka spamd[2681]: locker: safe_lock: cannot create
tmp lockfile
/home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2681 for
/home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Dec 17 11:30:05 rousalka spamd[2681]: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile
/home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2681 for
/home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Dec 17 11:30:05 rousalka spamd[2681]: Can't call method "finish" on an
undefined value at
/usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/Plugin/AWL.pm line 397.
This is on a fully relabeled selinux-policy-targeted-2.1.6-8 rawhide system.
--
Nicolas Mailhot
selinux-policy-targeted-2.1.6-4: needs netif
by Tom London
Running today's policy, I have boot/network problems.
I fixed the boot problems by turning off hplip/cups.
It appears more 'netif' work is needed:
[root@tlondon ~]# ausearch -m avc,selinux_err -ts 12/16/2005 | audit2allow -l
allow avahi_t null_device_t:netif udp_send;
allow cupsd_t null_device_t:netif tcp_send;
allow hplip_t null_device_t:netif tcp_send;
allow kernel_t null_device_t:netif rawip_send;
allow ntpd_t null_device_t:netif udp_send;
allow ntpd_t policy_config_t:udp_socket node_bind;
allow ping_t null_device_t:netif rawip_recv;
allow ping_t policy_config_t:node rawip_recv;
allow unconfined_t null_device_t:netif tcp_recv;
allow unconfined_t policy_config_t:node udp_recv;
allow unconfined_t sysctl_t:tcp_socket recv_msg;
allow unconfined_t sysctl_t:udp_socket send_msg;
[root@tlondon ~]#
Here are a few AVCs:
----
time->Fri Dec 16 07:06:31 2005
type=AVC msg=audit(1134745591.755:5): avc: denied { tcp_send } for
pid=2686 comm="python" saddr=127.0.0.1 src=37866 daddr=127.0.0.1
dest=50000 netif=lo scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:06:34 2005
type=AVC msg=audit(1134745594.243:6): avc: denied { tcp_send } for
pid=2713 comm="hp" saddr=127.0.0.1 src=37867 daddr=127.0.0.1
dest=50000 netif=lo scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:06:34 2005
type=AVC msg=audit(1134745594.755:7): avc: denied { tcp_send } for
saddr=127.0.0.1 src=37866 daddr=127.0.0.1 dest=50000 netif=lo
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:null_device_t:s0 tclass=netif
-------
time->Fri Dec 16 07:16:44 2005
type=SOCKETCALL msg=audit(1134746204.111:5): nargs=4 a0=4 a1=bfbf3450 a2=20 a3=0
type=SYSCALL msg=audit(1134746204.111:5): arch=40000003
syscall=102 success=no exit=-1 a0=9 a1=bfbf30e4 a2=771ff4 a3=20
items=0 pid=2731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 comm="ntpdate" exe="/usr/sbin/ntpdate"
type=AVC msg=audit(1134746204.111:5): avc: denied { udp_send } for
pid=2731 comm="ntpdate" saddr=192.168.1.101 src=32768
daddr=68.87.76.178 dest=53 netif=eth0
scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
time->Fri Dec 16 07:16:57 2005
type=SOCKETCALL msg=audit(1134746217.580:190): nargs=3 a0=d a1=bfae85ec a2=0
type=SOCKADDR msg=audit(1134746217.580:190):
saddr=020014E9E00000FB0000000000000000
type=SYSCALL msg=audit(1134746217.580:190): arch=40000003 syscall=102
success=no exit=-1 a0=10 a1=bfae8590 a2=af5134 a3=d items=0 pid=2814
auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70
fsgid=70 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon"
type=AVC msg=audit(1134746217.580:190): avc: denied { udp_recv } for
pid=2814 comm="avahi-daemon" saddr=192.168.1.101 src=5353
daddr=224.0.0.251 dest=5353 netif=eth0
scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:null_device_t:s0 tclass=netif
type=AVC msg=audit(1134746217.580:190): avc: denied { udp_send } for
pid=2814 comm="avahi-daemon" saddr=192.168.1.101 src=5353
daddr=224.0.0.251 dest=5353 netif=eth0
scontext=system_u:system_r:avahi_t:s0
tcontext=system_u:object_r:null_device_t:s0 tclass=netif
----
<<<<<Many more>>>>>
tom
-
--
Tom London
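The AVC records in Dan Thurman's first post (setfiles and useradd denied while running as kernel_t, with targets labeled file_t) and the ausearch | audit2allow output above call for the same two-step triage: turn denials into candidate rules, but first set aside the ones whose labels say the machine needs relabeling rather than more policy. The script below is an added example written for this page; it is not code from any of the posts, from Fedora or from audit2allow. The sample records are copied from the posts above and rejoined onto single lines, and the two sets of type names (UNLABELED_TYPES, STUCK_SUBJECT_TYPES) are this example's own assumptions about the targeted policy of the period.

```python
"""Triage SELinux AVC denials from syslog or audit.log records.

Added example for this thread, not code from the posts, from Fedora or from
audit2allow. Denials whose labels point at a relabeling or boot-time
transition problem are set aside; the rest are merged into audit2allow-style
'allow' statements. UNLABELED_TYPES and STUCK_SUBJECT_TYPES are this
example's own assumptions about the targeted policy of the period.
"""
import re
from collections import defaultdict

# One pattern covers both record shapes seen on the page: the kernel/syslog
# form ("kernel: audit(...): avc: denied { relabelto } for ...") and the
# auditd form ("type=AVC msg=audit(...): avc: denied { create } for ...").
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "no usable label on this object": file_t (no label
# stored, e.g. xattrs lost in a backup/restore), default_t (no file_contexts
# entry matched), unlabeled_t. The fix is restorecon/fixfiles, not a rule.
UNLABELED_TYPES = {"file_t", "default_t", "unlabeled_t"}
# Only the kernel and very early boot belong in kernel_t. A shell, su,
# useradd or setfiles running there means init never left the kernel domain,
# usually because the files needed for that transition are mislabeled too.
STUCK_SUBJECT_TYPES = {"kernel_t"}


def type_of(context):
    """Type field of a user:role:type[:mls] context; MLS suffix is ignored."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass", "comm"}.issubset(fields):
        return None
    fields["perms"] = set(m.group("perms").split())
    return fields


def classify(record):
    """(problem code, offending type) for a labeling problem, else None."""
    ttype, stype = type_of(record["tcontext"]), type_of(record["scontext"])
    if ttype in UNLABELED_TYPES:
        return "unlabeled-target", ttype
    if stype in STUCK_SUBJECT_TYPES:
        return "subject-in-kernel_t", stype
    return None


def allow_rules(records):
    """Merge denials into 'allow src tgt:class perms;' lines, one per
    (source type, target type, class), the way audit2allow prints them."""
    merged = defaultdict(set)
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        merged[key] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules


def triage(lines):
    """Split log lines into (candidate allow rules, labeling problems)."""
    policy_gaps, problems = [], []
    for line in lines:
        r = parse_avc(line)
        if r is None:
            continue
        verdict = classify(r)
        if verdict:
            code, offending = verdict
            problems.append((r["comm"], r.get("name", r["tclass"]), code, offending))
        else:
            policy_gaps.append(r)
    return allow_rules(policy_gaps), problems


# Records copied from the posts above and rejoined onto single lines; the
# last two are not denials and the parser must ignore them.
SAMPLE_LOG = [
    'Dec 17 18:35:50 linux kernel: audit(1134872392.086:3): avc: denied { relabelfrom } for pid=1236 comm="setfiles" name="__db.001" dev=hda2 ino=904713 scontext=system_u:system_r:kernel_t tcontext=root:object_r:file_t tclass=file',
    'Dec 17 18:35:50 linux kernel: audit(1134872412.527:4): avc: denied { relabelto } for pid=1236 comm="setfiles" name="root" dev=hda2 ino=671745 scontext=system_u:system_r:kernel_t tcontext=root:object_r:user_home_dir_t tclass=dir',
    'type=AVC msg=audit(1134936931.419:3560): avc: denied { create } for pid=19294 comm="useradd" name="passwd+" scontext=root:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file',
    'type=AVC msg=audit(1134745591.755:5): avc: denied { tcp_send } for pid=2686 comm="python" saddr=127.0.0.1 src=37866 daddr=127.0.0.1 dest=50000 netif=lo scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif',
    'type=AVC msg=audit(1134746217.580:190): avc: denied { udp_recv } for pid=2814 comm="avahi-daemon" saddr=192.168.1.101 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif',
    'type=AVC msg=audit(1134746217.580:190): avc: denied { udp_send } for pid=2814 comm="avahi-daemon" saddr=192.168.1.101 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=netif',
    'type=CWD msg=audit(1134936931.419:3560): cwd="/root"',
    'Dec 17 18:35:50 linux kernel: audit(1134872391.398:2): avc: granted { setenforce } for pid=379 comm="rc.sysinit" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security',
]

if __name__ == "__main__":
    rules, problems = triage(SAMPLE_LOG)
    print("Candidate policy rules (review before loading):")
    for rule in rules:
        print("  " + rule)
    print("Labeling problems (fix by relabeling, not by policy):")
    for comm, name, code, offending in problems:
        print(f"  {comm} on {name}: {code} ({offending})")
```

Run against the sample, the netif denials from Tom's post collapse into two candidate rules, while all three kernel_t records from Dan's post land in the problems list; writing allow rules for those would grant kernel_t new permissions instead of repairing the labels that caused it.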
login shell running as rpm_script_t?
by Tom London
Running latest rawhide (selinux-policy-targeted-2.1.5-1):
My login shell appears to be running as rpm_script_t.
Did I do something funny?
tom
[tbl@tlondon ~]$ ps Z
LABEL PID TTY STAT TIME COMMAND
user_u:system_r:rpm_script_t:s0 3193 pts/1 Ss 0:00 bash
user_u:system_r:rpm_script_t:s0 3195 pts/2 Ss 0:00 bash
user_u:system_r:rpm_script_t:s0 3922 pts/2 R+ 0:00 ps Z
[tbl@tlondon ~]$
--
Tom London
Re: Still having problems with SELinux and Dovecot
by Mark Evers
----- Original Message -----
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Mark Evers" <beheer(a)net-care.nl>
Sent: Wednesday, December 14, 2005 11:14 PM
Subject: Re: Still having problems with SELinux and Dovecot
> Mark Evers wrote:
>> The file was created by a regular "yum install dovecot", and I altered it
>> later using nano.
>> The weird thing is, when it runs it keeps running; sometimes when I
>> reboot it isn't blocked by SELinux, but most times it is.
>>
>> I just did the "restorecon /etc/dovecot.conf" and rebooted and it started
>> fine
>>
>>> Basically its context is wrong, Should be dovecot_etc_t not
>>> etc_runtime_t.
>>
>> Errrr??
>>
>>
>> ----- Original Message ----- From: "Daniel J Walsh" <dwalsh(a)redhat.com>
>> To: "Mark Evers" <beheer(a)net-care.nl>
>> Cc: <fedora-selinux-list(a)redhat.com>
>> Sent: Wednesday, December 14, 2005 10:51 PM
>> Subject: Re: Still having problems with SELinux and Dovecot
>>
>>
>>> Mark Evers wrote:
>>>> Well, I still have problems with SELinux and Dovecot; when I do a
>>>> reboot I get an error
>>>> Starting Dovecot Imap: Fatal: Can't open configuration file
>>>> /etc/dovecot.conf: Permission denied
>>>> and in the audit.log I find this error
>>>> type=AVC msg=audit(1134595859.843:208): avc: denied { read } for
>>>> pid=26990 comm="dovecot" name="dovecot.conf" dev=dm-0 ino=197586
>>>> scontext=system_u:system_r:dovecot_t
>>>> tcontext=system_u:object_r:etc_runtime_t tclass=file
>>>> type=SYSCALL msg=audit(1134595859.843:208): arch=40000003 syscall=5
>>>> success=no exit=-13 a0=8058a3e a1=8000 a2=0 a3=8000 items=1 pid=26990
>>>> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>>>> comm="dovecot" exe="/usr/sbin/dovecot"
>>>> type=CWD msg=audit(1134595859.843:208):
>>>> cwd="/usr/libexec/webmin/dovecot"
>>>> type=PATH msg=audit(1134595859.843:208): item=0
>>>> name="/etc/dovecot.conf" flags=101 inode=197586 dev=fd:00 mode=0100644
>>>> ouid=0 ogid=0 rdev=00:00
>>>> I can only fix this by doing a "fixfiles relabel" and "touch
>>>> ./autorelabel" and then it works again, till the next reboot..
>>>> Is there a way to fix this? or is there a way to exclude dovecot from
>>>> SELinux??
>>>>
>>> restorecon /etc/dovecot.conf
>>>
>>> How does that file get created? Is it being created by an init script?
>>>
>>> Basically its context is wrong, Should be dovecot_etc_t not
>>> etc_runtime_t.
>>>
> Well watch that file context and make sure no init script is replacing
> that file.
I'll keep an eye on it, thanks.
>>>> Mark Evers
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list(a)redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Still having problems with SELinux and Dovecot
by Mark Evers
Well, I still have problems with SELinux and Dovecot; when I do a reboot I get an error
Starting Dovecot Imap: Fatal: Can't open configuration file /etc/dovecot.conf: Permission denied
and in the audit.log I find this error
type=AVC msg=audit(1134595859.843:208): avc: denied { read } for pid=26990 comm="dovecot" name="dovecot.conf" dev=dm-0 ino=197586 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1134595859.843:208): arch=40000003 syscall=5 success=no exit=-13 a0=8058a3e a1=8000 a2=0 a3=8000 items=1 pid=26990 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=CWD msg=audit(1134595859.843:208): cwd="/usr/libexec/webmin/dovecot"
type=PATH msg=audit(1134595859.843:208): item=0 name="/etc/dovecot.conf" flags=101 inode=197586 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
I can only fix this by doing a "fixfiles relabel" and "touch ./autorelabel" and then it works again, till the next reboot..
Is there a way to fix this? Or is there a way to exclude dovecot from SELinux??
Mark Evers