1105 fails to boot....
by Tom London
Running strict/enforcing, latest rawhide:
After installing the latest packages, relabeling /etc, /bin, /lib, .... and
rebooting, the system produces lots of udev-type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'.
Boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied { read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs ino=17 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied { read } for pid=576 exe=/sbin/restorecon name=customizable_types dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied { use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied { read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652, dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070 ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using /var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
Experiences with selinux enabled targeted on Fedora Core 3
by Richard E Miles
In order to become more familiar with the selinux capabilities I did the
following:
Started selinux in permissive mode for targeted. I received warnings for the
following services:
portmap, ntpd, and ntpdate.
I then ran fixfiles check. After it ran for quite some time, it did not
report any problems.
So I enabled targeted and rebooted. I then received error warnings for the
same services. The relevant messages from dmesg follow:
<snip>
EXT3-fs: mounted filesystem with ordered data mode.
security: 3 users, 4 roles, 319 types, 20 bools
security: 53 classes, 10805 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
<snip>
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (2047 buckets, 16376 max) - 360 bytes per conntrack
eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
<snip>
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.763:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Obviously something is amiss. I do not know how to correct these messages for
the services. Does anyone know how to fix this dilemma? If not, should I
bugzilla it?
--
Richard E Miles
Federal Way WA. USA
registered linux user 46097
hello all, I just joined the list
by nanocurie
Hello all,
I just joined the list. I just downloaded and installed FC3, and
noticed that it had SE-Linux installed by default. I thought okay, so the
NSA now can/will take control of my secure computers. Good, if there's
anyone I'd want controlling them other than I. Then I saw the post about
setools, and saw how they can be used in an enterprise environment. Reminds
me of Active Directory. Cool. This is probably better.
Just kidding, bigbrother.
I look forward to learning with you all about SElinux
nc
ntpd drift.TEMP file
by mroselinux@eastgranby.k12.ct.us
I have just built an FC3 samba server using the K12LTSP ISOs and am
getting the following messages in the log.
Jan 21 01:55:14 admin ntpd[9988]: can't open /etc/ntp/drift.TEMP:
Permission denied
Jan 21 01:55:14 admin kernel: audit(1106290514.375:0): avc: denied { write } for pid=9988 exe=/usr/sbin/ntpd name=ntp dev=hda3 ino=3392705 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=dir
With SELinux enabled, the drift file could not be created. In permissive
mode, the drift file is properly created and updated. What have I done
wrong?
[root@admin ntp]# ls -dZ .
drwxr-xr-x ntp ntp system_u:object_r:etc_t
[root@admin ntp]# ls -lZ drift
-rw-r--r-- ntp ntp root:object_r:etc_t drift
Mark Orenstein
East Granby, CT School System
Re: fc3 - password change problem - syslog and portmapper
by Jayendren Anand Maduray
Hi!
Having problems with SELinux for syslog and portmapper. Also cannot change
password with SELinux enabled.
It is running in targeted mode.
I have been checking with the nsa-selinux forum, and some of the people recommend
that I ask this forum.
from nsa-linux:
On Tue, 2005-02-22 at 08:09 +0200, Jayendren Anand Maduray wrote:
> Got FC3 running SELINUX in enforcing mode.
>
> 1. however when I try to change my password, I get the following error:
> SystemError: couldn't get security context of `/etc/passwd': No data available
>
> 2. also, when I boot up, syslogd and portmap cannot start, so I disabled it
> in SELinux. I would like to get this to work, though.
>
> I am running kernel Linux shiva 2.6.10-1.741_FC3smp
The most likely scenario is that you never labeled your filesystems, or
that you ran with SELinux disabled for some period of time and thus
ended up with some files without security labels. Touch /.autorelabel
and reboot, or run /sbin/fixfiles relabel and reboot. BTW, this kind of
question belongs on fedora-selinux-list, not here, IMHO.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
Hi!
tried restorecon, here is the output:
[root@shiva jay]# restorecon /etc/passwd
[root@shiva jay]# passwd
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: Authentication failure
[root@shiva jay]#
here is dmesg:
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda5, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
For Syslogd:
syslogd: error while loading shared libraries: /lib/ld-linux.so.2: cannot
apply additional memory protection after relocation
For portmap:
error while loading shared libraries: libnsl.so.1:
cannot open shared object file: No such file or directory.
On Tuesday 22 February 2005 14:46, Russell Coker wrote:
> restorecon /etc/passwd
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
[ANN] Setools 2.0 released
by Karl MacMillan
A new version of Setools is available from http://www.tresys.com/selinux. This
release contains major new features including:
- Sediff: a new tool that allows a user to take two policies and find the
differences including added or removed types, users, roles, booleans and most
importantly type enforcement rules. The semantic difference of a policy is
different from the syntactic difference in that it shows the cumulative effect
of rules rather than doing a line-by-line comparison.
- File contexts database: major improvements were made to the file context
indexing and searching tools including conversion to an on-disk database for
reduced memory usage and integration into Apol.
- Direct file relabel analysis: a new analysis module was added to Apol for
analyzing direct object relabeling.
- Type relationship analysis: a new analysis module was added to Apol to
facilitate understanding the relationship between two types. This analysis
builds on the rule searching and other analysis in Apol to give the user
convenient access to many queries and analyses at once.
- Seaudit report: generation of reports was integrated into seaudit. Previously
this was only available as a command-line tool.
More details on the new features can be found at
http://www.tresys.com/selinux/setools_new_noteworthy.html.
---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134
make: ***[_modinst_post] Error 143
by KokHow Teh
Hi;
I ran into the above error when I `make modules_install` in FC2.
Could someone enlighten me on how I can find out more information about the
error please?
Regards,
TEH
squirrelmail / postfix mail lost policy 1.17.30-2.80
by Jeremy Ardley
Hi,
On Fedora Core 3, out of the box plus some upgrades. My current setup has
policycoreutils-1.18.1-2.9
selinux-policy-targeted-1.17.30-2.80
squirrelmail-1.4.3a-6.FC3
dovecot-0.99.11-1.FC3.4
I can send mail normally from my system except when I use squirrelmail.
The mail is quietly dropped without being sent and a copy is moved into
my sent items folder.
When I check the messages log I see the following avc entries:
Feb 24 17:14:46 mail kernel: audit(1109236486.039:0): avc: denied { read append } for pid=7589 exe=/bin/bash path=/var/lib/squirrelmail/prefs/jeremy.abook dev=dm-0 ino=6438914 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_var_lib_t tclass=file
Feb 24 17:14:46 mail kernel: audit(1109236486.128:0): avc: denied { create } for pid=7589 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Feb 24 17:14:46 mail kernel: audit(1109236486.136:0): avc: denied { search } for pid=7589 exe=/usr/sbin/sendmail.postfix name=spool dev=dm-0 ino=4030501 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb 24 17:14:46 mail kernel: audit(1109236486.137:0): avc: denied { create } for pid=7589 exe=/usr/sbin/sendmail.postfix scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
I have seen previous correspondence regarding similar faults but nothing
I have tried has improved things. Is there a definitive fix I can apply?
Thanks
Jeremy
NIS+ support for nscd in targeted policy
by Niki Waibel
Hi, I am new to SELinux.
I usually extend Red Hat/Fedora Linux by nis-utils-1.4.1
to access the NIS+ environment.
I've just found out that this is not configured in SELinux
on FC3 for nscd:
===
Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0): avc: denied { read } for pid=20078 exe=/usr/sbin/nscd name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t tcontext=root:object_r:var_t tclass=file
===
So I guess that the /var/nis/NIS_COLD_START file has to be made
available to the nscd command.
I tried the following (cheers Russell Coker):
===
cd /etc/selinux/targeted/src/policy
echo "allow nscd_t var_t:file { getattr read };" >> domains/misc/custom.te
make load
===
But now I get:
===
Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0): avc: denied { write } for pid=8888 exe=/usr/sbin/nscd name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t tcontext=user_u:object_r:var_run_t tclass=sock_file
===
I think that the /var/nis (NIS+) dir should be integrated
into the targeted policy like the /var/yp (NIS) dir...
I've tried to add
/var/nis(/.*)? system_u:object_r:var_nis_t
at several places, without success. (I am simply too new
to all this SELinux stuff...)
Anyway, using >>allow nscd_t var_t:file { getattr read };<< nscd now
seems to contact the keyserv program of the portmapper:
===
# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100029 1 udp 980 keyserv
100029 2 udp 980 keyserv
100024 1 udp 32772 status
100024 1 tcp 32776 status
100021 1 udp 32778 nlockmgr
100021 3 udp 32778 nlockmgr
100021 4 udp 32778 nlockmgr
100021 1 tcp 33060 nlockmgr
100021 3 tcp 33060 nlockmgr
100021 4 tcp 33060 nlockmgr
===
which seems to have an open socket at:
# ls -la /var/run/keyservsock
srw-rw-rw- 1 root root 0 Feb 24 04:58 /var/run/keyservsock
niki
--
niki w. waibel - system administrator @ newlogic technologies ag
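Added triage example for the AVC messages quoted in this digest (not code from any of the posters): it parses denial lines of the form shown by Richard Miles (portmap, ntpd) and Niki Waibel (nscd), collapses repeats into one candidate allow rule per source type, target type and class, and separates out denials whose target is file_t, the type an unlabeled file carries, since those call for the relabel Stephen Smalley's reply describes rather than a new rule. The sample log lines are constructed from the messages above.

```python
"""Triage SELinux AVC denials from syslog/dmesg output (added example).

Groups repeated denials into the allow rule they would need and flags those
whose target is file_t, the type an unlabeled file carries, since those want
a relabel rather than a policy change.  Sample lines below are constructed
from the messages quoted in this digest.
"""
import re
from collections import defaultdict

# One AVC message: "avc: denied { perms } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Target types that mean "this file has no usable label"; a denial against
# them is fixed by relabeling (fixfiles relabel / touch /.autorelabel).
UNLABELED_TYPES = frozenset({"file_t"})

# Constructed sample: lines modelled on the posts above, with one non-AVC line.
SAMPLE_LOG = """\
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.763:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Feb 23 18:35:14 pcxeon-1 kernel: audit(1109180114.178:0): avc: denied { read } for pid=20078 exe=/usr/sbin/nscd name=NIS_COLD_START dev=sda1 ino=737383 scontext=root:system_r:nscd_t tcontext=root:object_r:var_t tclass=file
Feb 24 18:03:14 pcxeon-1 kernel: audit(1109264594.241:0): avc: denied { write } for pid=8888 exe=/usr/sbin/nscd name=keyservsock dev=sda1 ino=737436 scontext=root:system_r:nscd_t tcontext=user_u:object_r:var_run_t tclass=sock_file
Feb 24 17:14:46 mail kernel: audit(1109236486.039:0): avc: denied { read append } for pid=7589 exe=/bin/bash path=/var/lib/squirrelmail/prefs/jeremy.abook dev=dm-0 ino=6438914 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_var_lib_t tclass=file
""".splitlines()


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    rec["perms"] = frozenset(m.group("perms").split())
    # Contexts are user:role:type[:level]; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(lines):
    """Collapse denials into {(stype, ttype, tclass): perms} plus a count per key."""
    rules, counts = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        rules[key] |= rec["perms"]
        counts[key] += 1
    return dict(rules), dict(counts)


def allow_rule(key, perms):
    """Render one grouped denial as a .te-style allow rule."""
    stype, ttype, tclass = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


def triage(lines):
    """Split denials into 'relabel' (unlabeled target) and 'review' (candidate rules)."""
    rules, counts = summarize(lines)
    relabel, review = [], []
    for key in sorted(rules):
        if key[1] in UNLABELED_TYPES:
            relabel.append(key + (counts[key],))
        else:
            review.append(allow_rule(key, rules[key]))
    return {"relabel": relabel, "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for stype, ttype, tclass, n in result["relabel"]:
        print("%d x %s -> %s:%s: target unlabeled, relabel the filesystem first"
              % (n, stype, ttype, tclass))
    for rule in result["review"]:
        print("candidate rule (review before loading):", rule)
```

The candidate rules are only a starting point for review: the nscd rule it derives matches what Niki added by hand, while a rule granting httpd_sys_script_t access to a user's address book is exactly the kind of grant that deserves a look before it goes into custom.te.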
Horde Application Suite and SELinux...
by Tom Lisjac
Hi folks!
I've just installed the php based Horde Application Suite
(http://horde.org) on a Fedora Core 3 system. Everything is working great
with the targeted policy and SELinux enabled except for a small
problem with spell checking in the Imp webmail app.
The spell checker passes the text to aspell using a temporary file in
/tmp. The targeted policy prohibits "http scripts" from using the /tmp
directory... so aspell runs but doesn't return any results. If I
disable SELinux, it works fine... but since this server will be
running in a hostile environment, I'd rather not. I could also add:
allow httpd_sys_script_t httpd_tmp_t:file { getattr read };
... to the targeted policy, but I'd prefer not to modify it or open this
directory up to other less trustworthy scripts that may eventually run
on the system.
I've thought about creating a separate directory and rule for this app
and operation... but I can't help but wonder if there's a better
approach for resolving this problem? Any suggestions would be greatly
appreciated!
Thanks,
-Tom