Re: Possible bug..
by Mark Evers
Well, after a lot of trying I did a fixfiles relabel and right after that a touch /.autorelabel and rebooted the machine, and dovecot works again.
I still don't know what went wrong, but it works again.
Mark Evers
----- Original Message -----
From: Net-Care Beheer
To: fedora-selinux-list(a)redhat.com
Sent: Saturday, December 10, 2005 1:43 AM
Subject: Possible bug..
First of all, I'm hoping I'm posting this the right way, but I've tried everything that I know.
I'm having problems with Dovecot, and I've asked for help in #fedora on freenode.net, without success, and they advised me to post it here.
This is the error I get in /var/log/audit/audit.log when I start dovecot using webmin:
type=AVC msg=audit(1134174789.681:11): avc: denied { read } for pid=2908 comm="dovecot" name="dovecot" dev=dm-0 ino=67858 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:bin_t tclass=dir
type=SYSCALL msg=audit(1134174789.681:11): arch=40000003 syscall=5 success=no exit=-13 a0=8059310 a1=8000 a2=0 a3=8000 items=1 pid=2908 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=CWD msg=audit(1134174789.681:11): cwd="/usr/libexec/webmin/dovecot"
type=PATH msg=audit(1134174789.681:11): item=0 name="." flags=101 inode=67858 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
On my screen I get "Starting Dovecot Imap: Fatal: unlink_directory() failed for /var/run/dovecot-login: Permission denied"
When I try to start dovecot using "service dovecot start" or /etc/rc.d/init.d/dovecot start I get "Starting Dovecot Imap: [FAILED]"
I've already tried a fixfiles and even a touch /.autorelabel without luck.
The system is fully updated with yum, and removing/adding dovecot doesn't make a difference.
I hope someone can help.
Thanks
Mark Evers
Netherlands.
Spamassassin Problem
by Jose H. REMY
For inf.
My Spamassassin install works fine (3.0.4-2.fc4)
With spamass-milter-0.3.0-8.fc4 and also mimedefang-2.54-1.2.fc4
With policy version 2.0 and selinux-policy-targeted-1.27.1-2.11
Except
Razor2 plugin and
custom header rewritings
Jose H. REMY
mysqld_disable_trans leaves mysqld running as initrc_t?
by Chuck Anderson
I've disabled SELinux protection of mysqld since it was causing major
performance problems. This broke CGI scripts since httpd_script_t
couldn't connect to the mysql unix domain socket. audit2allow created
these rules which I put into local.te:
allow httpd_sys_script_t var_t:dir getattr;
allow httpd_sys_script_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_t:unix_stream_socket connectto;
This fixed the problem. However, is mysqld supposed to be running as
initrc_t instead of unconfined_t when mysqld_disable_trans is set?
Allow apache to send mail?
by Robin Bowes
Hi,
Can anyone tell me how to allow apache (httpd) to send mail, i.e. to use
the smtp port?
I'm trying to enable notifications in Trac and am seeing this in the
audit log:
type=AVC msg=audit(1133985478.317:38): avc: denied { name_connect }
for pid=2175 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1133985478.317:38): arch=c000003e syscall=42
success=no exit=-13 a0=11 a1=2aaab21569f0 a2=10 a3=0 items=0 pid=2175
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1133985478.317:38):
saddr=020000195433A04E0000000000000000
How do I modify my policy to allow this?
Thanks,
R.
Spamassassin Problem
by W. Scott Wilburn
Hi,
Since upgrading from spamassassin.i386 3.0.4-2.fc4 to
spamassassin.i386 3.0.4-1.fc4, I get avc denied messages:
Nov 20 04:05:44 scooby kernel: audit(1132484744.807:45387): avc: denied
{ search } for pid=25548 comm="spamd" name=".spamassassin" dev=md0
ino=2197675 scontext=root:system_r:spamd_t
tcontext=user_u:object_r:user_home_t tclass=dir
FC4, targeted policy enforcing mode
selinux-policy-targeted-sources.noarch 1.27.1-2.11
Since the problem occurred with a spamassassin update, not selinux, I
assume something in the behavior of spamassassin has changed.
Any help appreciated.
Scott Wilburn
--
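An added worked example, written for this page and not taken from any of the posters above: a small Python parser that reads AVC denial records in both formats seen on this list (the `type=AVC msg=audit(...)` lines from /var/log/audit/audit.log in the Dovecot, httpd and hald posts, and the `kernel: audit(...)` syslog form in the spamd post) and aggregates them into the kind of allow rules audit2allow proposes, as in the mysqld post. The first four sample records are copied from the posts on this page, each joined onto a single line; the fifth, a `getattr` denial for dovecot, is constructed to show several denials against the same type pair collapsing into one rule.

```python
import re
from collections import defaultdict

# Constructed sample log. The first four records are copied from the posts on
# this page (each joined onto a single line); the fifth, a getattr denial for
# dovecot, is constructed to show several denials collapsing into one rule.
SAMPLE_LOG = """\
type=AVC msg=audit(1134174789.681:11): avc: denied { read } for pid=2908 comm="dovecot" name="dovecot" dev=dm-0 ino=67858 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:bin_t tclass=dir
type=AVC msg=audit(1133985478.317:38): avc: denied { name_connect } for pid=2175 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:smtp_port_t tclass=tcp_socket
Nov 20 04:05:44 scooby kernel: audit(1132484744.807:45387): avc: denied { search } for pid=25548 comm="spamd" name=".spamassassin" dev=md0 ino=2197675 scontext=root:system_r:spamd_t tcontext=user_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1133639900.242:1387): avc: denied { write } for pid=2805 comm="hald-addon-acpi" name="acpid.socket" dev=dm-0 ino=2142284 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1134174790.100:12): avc: denied { getattr } for pid=2908 comm="dovecot" name="dovecot" dev=dm-0 ino=67858 scontext=system_u:system_r:dovecot_t tcontext=system_u:object_r:bin_t tclass=dir
"""

# Matches the "avc: denied { perms } for ... scontext= tcontext= tclass=" core
# that both the audit.log and the kernel/syslog formats share.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<detail>.*?)"
    r"\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type field of a user:role:type[:level] security context (drops any MLS level)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The free-form detail section is key=value pairs (pid, comm, name, dest, ...).
    detail = dict(kv.split("=", 1) for kv in m.group("detail").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": detail.get("comm", "").strip('"'),
        "name": detail.get("name", "").strip('"'),
    }


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return rules


def allow_rules(log_text):
    """Render the grouped denials as audit2allow-style allow rules, sorted."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summarize(log_text).items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return out


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The generated rules are a starting point for review, not a fix to paste in: on this page the dovecot denial (its own directory labelled bin_t) and the hald denial (acpid.socket labelled var_run_t) were resolved by relabeling with fixfiles/restorecon rather than by adding rules, and a denial like httpd_t to smtp_port_t is worth checking against the policy's existing booleans (`getsebool -a`) before a raw allow rule is written into local.te.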
SELinux Symposium Agenda released
by Frank Mayer
All, FYI, the agenda for the 2nd SELinux Symposium has been released. Below
is a copy of the press release. Frank
Speakers Confirmed for the Second
Security-Enhanced Linux Symposium and Developer Summit
Baltimore, Md. - (December 7, 2005) - The Security-Enhanced Linux (SELinux)
Symposium announces papers and speakers for its second annual symposium.
Experts from business, government, and academia will share and discuss the
latest SELinux research and development results, application experience, and
product plans. The event explores the emerging SELinux technology and the
power of flexible mandatory access control in Linux. Registration for the
SELinux Symposium, scheduled for February 27-March 3, 2006 in Baltimore,
Maryland, will open soon at www.selinux-symposium.org.
The Second SELinux Symposium features two full days of SELinux-related
tutorials followed by a two-day technical agenda that includes papers,
presentations, and case studies by experts and practitioners with SELinux.
Topics for the symposium include in-depth discussions of the core SELinux
technology, emerging SELinux policy management and development tools,
experiences using SELinux to build secure system solutions, and the status
of SELinux within Linux. New this year is an invitation-only SELinux
developer summit, where the core developers and contributors of SELinux
discuss upcoming technology changes, requirements, and plans.
Papers for the symposium were selected via a community review process, and
include authors from several organizations including IBM, MITRE Corporation,
Pennsylvania State University, Purdue University, Red Hat, Tresys
Technology, Trusted Computer Solutions, University of Illinois, University
of Tulsa, University of Wisconsin, and the U.S. National Security Agency.
The full agenda for the symposium is available at www.selinux-symposium.org.
About the SELinux Symposium
The Security-Enhanced Linux (SELinux) Symposium is an annual exchange of
ideas, technology, and research involving SELinux. SELinux is technology
that adds flexible, strong mandatory access control security to Linux. The
Second Symposium is scheduled for February 27-March 3, 2006 in Baltimore,
Maryland and is sponsored by Hewlett-Packard, IBM, Red Hat, Tresys
Technology, and Trusted Computer Solutions. The event brings together
experts from business, government, and academia to share research,
development, and application experiences using SELinux. For information on
registration and sponsorship opportunities, see www.selinux-symposium.org or
info(a)selinux-symposium.org.
Selinux and RPM packaging (trac)
by Nicklas Norling
Hi,
Been looking around for quite some time and have found very little about how one is supposed to create rpm packages with selinux content.
Specifically I'm trying to create an rpm package of trac
http://projects.edgewall.com/trac/.
The Wiki there suggests .fc and .te files for it
http://projects.edgewall.com/trac/wiki/TracWithSeLinux.
How would you recommend I go about this project? Does selinux contain a system for plugging in .te and .fc files so contexts are recognized during the package install, or should I submit these files for inclusion in the normal policy packages and wait for it to hit the fans?
Does anyone have any pointers to best practice in these situations? What can the .spec file do in order to keep track of selinux permissions etc.?
Thankful for any help,
/Nicke
--
JID nicke(a)im.exinor.net
udev slowness and selinux
by Jason Dravet
Hello,
I am running today's rawhide and udev is still slow, but it is better than it
was. Here are some numbers:
booting with selinux disabled: udev starts in 5 seconds
booting with selinux enabled (libselinux-1.27.28-1): udev starts in 26
seconds.
booting with selinux enabled (older than libselinux-1.27.28-1): udev started
in 50-60 seconds.
I am running udev-075-4, kernel-2.6.14-1-1740, libselinux-1.27.28-1, and
selinux-policy-targeted-2.0.9-1. I am running selinux in targeted enforcing
mode.
Thanks,
Jason
AVCs when inserting USB hard drive, etc.
by Tom London
Running Rawhide, targeted/enforcing.
running selinux-policy-targeted-2.0.8-1, got the following in
/var/log/messages when I inserted a USB hard drive:
Dec 3 11:58:18 localhost kernel: sda: sda1 sda2 sda3
Dec 3 11:58:18 localhost kernel: sd 0:0:0:0: Attached scsi disk sda
Dec 3 11:58:20 localhost dbus: Can't send to audit system: USER_AVC
pid=2759 uid=81 loginuid=-1 message=avc: denied { send_msg } for
msgtype=method_call interface=org.freedesktop.Hal.Device
member=SetPropertyBoolean dest=org.freedesktop.Hal spid=25942
tpid=2799 scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:hald_t tclass=dbus
Dec 3 11:58:20 localhost fstab-sync[25943]: added mount point
/media/usbdisk for /dev/sda1
Dec 3 11:58:20 localhost dbus: Can't send to audit system: USER_AVC
pid=2759 uid=81 loginuid=-1 message=avc: denied { send_msg } for
msgtype=method_call interface=org.freedesktop.Hal.Device
member=SetPropertyBoolean dest=org.freedesktop.Hal spid=25949
tpid=2799 scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:hald_t tclass=dbus
Dec 3 11:58:20 localhost fstab-sync[25950]: added mount point
/media/usbdisk1 for /dev/sda2
Many of the following in /var/log/audit/audit.log:
time->Sat Dec 3 11:58:20 2005
type=PATH msg=audit(1133639900.242:1387): item=0 flags=1
inode=2142284 dev=fd:00 mode=0140666 ouid=0 ogid=0 rdev=00:00
type=SOCKETCALL msg=audit(1133639900.242:1387): nargs=3 a0=4 a1=bfd17f6a a2=6e
type=SOCKADDR msg=audit(1133639900.242:1387):
saddr=01002F7661722F72756E2F61637069642E736F636B6574000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1133639900.242:1387): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfd17f20 a2=4 a3=8b31030 items=1 pid=2805
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="hald-addon-acpi" exe="/usr/libexec/hald-addon-acpi"
type=AVC msg=audit(1133639900.242:1387): avc: denied { write } for
pid=2805 comm="hald-addon-acpi" name="acpid.socket" dev=dm-0
ino=2142284 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Sat Dec 3 11:58:25 2005
type=PATH msg=audit(1133639905.246:1388): item=0 flags=1
inode=2142284 dev=fd:00 mode=0140666 ouid=0 ogid=0 rdev=00:00
type=SOCKETCALL msg=audit(1133639905.246:1388): nargs=3 a0=4 a1=bfd17f6a a2=6e
type=SOCKADDR msg=audit(1133639905.246:1388):
saddr=01002F7661722F72756E2F61637069642E736F636B6574000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1133639905.246:1388): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfd17f20 a2=4 a3=8b31030 items=1 pid=2805
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="hald-addon-acpi" exe="/usr/libexec/hald-addon-acpi"
type=AVC msg=audit(1133639905.246:1388): avc: denied { write } for
pid=2805 comm="hald-addon-acpi" name="acpid.socket" dev=dm-0
ino=2142284 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Sat Dec 3 11:58:30 2005
type=PATH msg=audit(1133639910.250:1389): item=0 flags=1
inode=2142284 dev=fd:00 mode=0140666 ouid=0 ogid=0 rdev=00:00
type=SOCKETCALL msg=audit(1133639910.250:1389): nargs=3 a0=4 a1=bfd17f6a a2=6e
type=SOCKADDR msg=audit(1133639910.250:1389):
saddr=01002F7661722F72756E2F61637069642E736F636B6574000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1133639910.250:1389): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfd17f20 a2=4 a3=8b31030 items=1 pid=2805
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="hald-addon-acpi" exe="/usr/libexec/hald-addon-acpi"
type=AVC msg=audit(1133639910.250:1389): avc: denied { write } for
pid=2805 comm="hald-addon-acpi" name="acpid.socket" dev=dm-0
ino=2142284 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
Did a manual 'restorecon -v -R /var/run' and got:
[root@tlondon ~]# restorecon -v -R /var/run
restorecon reset /var/run/vmnet-natd-8.mac context
system_u:object_r:initrc_var_run_t->system_u:object_r:var_run_t
restorecon reset /var/run/acpid.socket context
system_u:object_r:var_run_t->system_u:object_r:apmd_var_run_t
tom
--
Tom London
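An added example, written for this page and not part of Robin Bowes' or Tom London's posts: decoding the raw `saddr=` hex dumps from the SOCKADDR records in the httpd post (the smtp name_connect denial) and the hald post above. The two values are the ones quoted on the page; the AF_UNIX one has its zero padding written as `"00" * 87` so that the value is 110 (0x6e) bytes, the length the SOCKETCALL record gives for the connect() address argument. The decoder also handles AF_INET6 and abstract unix sockets, which go beyond the two cases on the page.

```python
import socket
import struct

# Linux address-family numbers. The records come from Linux, so these are used
# directly rather than whatever the host's socket module defines.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# saddr values quoted in the posts above. The AF_UNIX one is written with its
# zero padding as "00" * 87 so that the value is 110 (0x6e) bytes, the length
# the SOCKETCALL record reports for the connect() address argument.
SADDR_HTTPD_SMTP = "020000195433A04E0000000000000000"
SADDR_HALD_ACPID = "01002F7661722F72756E2F61637069642E736F636B6574" + "00" * 87


def decode_saddr(hexstr):
    """Decode an audit SOCKADDR saddr= hex dump into a dict."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family_t")
    # sa_family is in host byte order; the x86 machines in these posts are little-endian.
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_UNIX:
        body = raw[2:]
        if body[:1] == b"\0" and len(body) > 1:
            # Abstract socket: leading NUL, then the name (not NUL-terminated).
            name = body[1:].rstrip(b"\0").decode(errors="replace")
            return {"family": "AF_UNIX", "path": "@" + name}
        path = body.split(b"\0", 1)[0]  # sun_path is NUL-terminated inside the padding
        return {"family": "AF_UNIX", "path": path.decode(errors="replace")}
    if family == AF_INET:
        port = struct.unpack("!H", raw[2:4])[0]  # sin_port is network byte order
        return {"family": "AF_INET", "addr": socket.inet_ntoa(raw[4:8]), "port": port}
    if family == AF_INET6:
        port = struct.unpack("!H", raw[2:4])[0]
        addr = socket.inet_ntop(socket.AF_INET6, raw[8:24])  # sin6_addr follows sin6_flowinfo
        return {"family": "AF_INET6", "addr": addr, "port": port}
    return {"family": family}


def describe(hexstr):
    """One-line human-readable form, e.g. 'AF_INET 84.51.160.78:25'."""
    d = decode_saddr(hexstr)
    if d["family"] == "AF_UNIX":
        return f"AF_UNIX {d['path']}"
    if d["family"] in ("AF_INET", "AF_INET6"):
        return f"{d['family']} {d['addr']}:{d['port']}"
    return f"family {d['family']}"


if __name__ == "__main__":
    print(describe(SADDR_HTTPD_SMTP))  # AF_INET 84.51.160.78:25
    print(describe(SADDR_HALD_ACPID))  # AF_UNIX /var/run/acpid.socket
```

The decoded values cross-check the AVC records they accompany: the httpd dump resolves to port 25, matching `dest=25` and the smtp_port_t target type, and the hald dump resolves to /var/run/acpid.socket, the sock_file that the restorecon run above relabels from var_run_t to apmd_var_run_t, which points at a labeling problem rather than a missing hald_t rule.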