httpd log rotation problem?
by Fred New
I am getting the following message once a week on a standard FC3 system.
Is this one of those denials that shouldn't be audited?:
Feb 6 04:02:26 nimeta01 kernel: audit(1107655346.258:0): avc: denied { ioctl } for pid=3587 exe=/usr/sbin/httpd path=/var/log/httpd/error_log.1 dev=hda3 ino=1174805 scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_runtime_t tclass=file
httpd-2.0.52-3.1
selinux-policy-targeted-1.17.30-2.75
logrotate-3.7.1-2
Fred New
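Every post in this thread turns on reading one of these AVC lines, so here is a small triage helper (an added example, not code from any of the posters or from the SELinux tools) that parses the FC3-era `audit(ts:serial): avc: denied { perms } for key=value ...` format and counts denials by the (source type, target type, class, permission) tuple that a policy decision would key on. The sample log is constructed from the lines quoted in this thread, re-joined onto one line each because syslog wrapped them.

```python
import re
from collections import Counter

# Constructed sample: AVC lines quoted in this thread, one record per line,
# plus one unrelated kernel message to show that non-AVC lines are skipped.
SAMPLE_LOG = """\
Feb 6 04:02:26 nimeta01 kernel: audit(1107655346.258:0): avc: denied { ioctl } for pid=3587 exe=/usr/sbin/httpd path=/var/log/httpd/error_log.1 dev=hda3 ino=1174805 scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_runtime_t tclass=file
Feb 16 09:07:25 pippo kernel: audit(1108566445.074:0): avc: denied { search } for pid=7899 exe=/bin/cat name=spool dev=hda3 ino=470497 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1108452395.149:0): avc: denied { read } for pid=3778 exe=/usr/sbin/squid name=00 dev=hdc2 ino=5 scontext=root:system_r:squid_t tcontext=root:object_r:nfs_t tclass=dir
Feb 6 04:02:27 nimeta01 kernel: some unrelated kernel message
"""

# The audit(...) prefix may or may not be preceded by a syslog header, so search() is used.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A denial may list several permissions inside the braces, e.g. { read write }.
    rec = {"ts": float(m.group("ts")), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    # Contexts are user:role:type; the type is what the policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {src} -> {tgt} ({cls}) {perm}")
```

Grouping on the type tuple rather than on the raw line makes it easy to see whether a denial is a one-off or a recurring pattern (like the weekly logrotate one above) before deciding whether it needs a policy change, a relabel, or a dontaudit.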
findutils-4.2.15
by Tim Waugh
Hi,
I just updated findutils to 4.2.15 in devel. Please check that I
didn't make any mistakes porting the findutils-selinux.patch.
Thanks,
Tim.
Can somebody help me?
by Hongwei Li
Hi,
I posted this question a few days ago, but I haven't seen any reply.
Maybe I missed some. Here I post it again and hope I can get some help.
My system:
os: RedHat FC3 linux, kernel-2.6.10-1.760_FC3, selinux
enforced, iptables enabled
selinux: selinux-policy-targeted-1.17.30-2.75
iptables: iptables-1.2.11-3.1.FC3
web server: httpd-2.0.52-3.1
sendmail: sendmail-8.13.1-2
squirrelmail: squirrelmail-1.4.3a-6.FC3
SELINUXTYPE=targeted
The problem is the SquirrelCheck in squirrelmail does not work when
selinux is enforced (targeted). If I click "Check Spelling" in
squirrelmail's Compose window, it does not do any spell checking and the
system log shows:
Feb 16 09:07:25 pippo kernel: audit(1108566445.074:0): avc: denied { search } for pid=7899 exe=/bin/cat name=spool dev=hda3 ino=470497 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
If selinux is disabled, then it works well. Does anybody run fc3 with
selinux enforced and run squirrelmail? If yes, please try "Check
Spelling". Does it work in your system? If yes, how did you make it
working? or how to fix this problem?
I appreciate all the help!
Hongwei Li
Re: Policies for apache httpd and snmp
by susan_geller@speakeasy.net
Sorry, I was mistaken. I'm still getting the original audit message:
Feb 16 11:06:50 grant kernel: audit(1108580810.311:0): avc: denied { write } for pid=4662 exe=/usr/sbin/httpd name=mibs dev=hda1 ino=833921 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir
I checked selinux-policy-targeted and it seems to be up to date:
[root@grant ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.75
[root@grant ~]# rpm --verify selinux-policy-targeted
Time to learn a little about snmp and selinux, I guess.
Thanks, Susan
Problems adding to targeted policy for a new cache directory for Squid
by Joe Cooper
Hi all,
I'm running into some issues adding policy to cover some extra
directories that we use on our systems. I'm using FC3 and the latest
errata targeted policy and kernel. For our Squid process, we devote one
or more partitions for cache storage, named /cache0, /cache1, and so on.
I've added the following line to file_contexts/program/squid.fc:
/cache.*(/.*)? system_u:object_r:squid_cache_t
Which matches the lines for /var/spool/squid(/.*)? and
/var/cache/squid(/.*)?. After running "restorecon -Rv /cache0", I have
the right label on /cache0:
[root@localhost /]# ls -ldZ /cache0
drwxr-xr-x squid squid system_u:object_r:squid_cache_t /cache0
[root@localhost /]# ls -ldZ /var/spool/squid
drwxr-x--- squid squid system_u:object_r:squid_cache_t /var/spool/squid
However, when I start Squid I get a lot of avc: denied errors (I'm in
permissive mode for testing), some of which don't even make any sense
to me, like this one:
audit(1108452395.149:0): avc: denied { read } for pid=3778 exe=/usr/sbin/squid name=00 dev=hdc2 ino=5 scontext=root:system_r:squid_t tcontext=root:object_r:nfs_t tclass=dir
This seems to indicate Squid needs to have nfs_t privileges, though I
don't see why this should be so in the targeted policy.
If I run restorecon again (after creating the directories), I get a
segfault and it stops before reaching the file(s) in the top level of
the directory (there are subdirectories which all get relabeled). i.e.:
[root@localhost /]# restorecon -Rv /cache0
...
restorecon reset context /cache0/0F/FF:->system_u:object_r:squid_cache_t
Segmentation fault
[root@localhost /]# ls -lZ /cache0
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 00
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 01
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 02
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 03
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 04
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 05
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 06
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 07
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 08
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 09
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0A
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0B
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0C
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0D
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0E
drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0F
-rw-r--r-- squid squid swap.state
So swap.state is still unlabeled, and starting Squid leads to more avc:
denied errors. If I restorecon on just swap.state, Squid starts
without errors, but after a reboot, the label is lost and Squid
generates errors again. I'll file an issue on the restorecon segfault,
but that still probably doesn't solve all of my problems.
So, I'm quite stumped... I thought I had done what I needed to make this
work, but clearly there are at least three things I don't understand:
1. Why does it lose the swap.state label on reboot? Does restorecon run
on every boot?
2. Why doesn't /var/spool/squid exhibit this same problem? restorecon
works without segfault, and doesn't lose the label on swap.state after a
reboot.
3. Where is nfs_t coming from on /cache0? It seems like some kind of
default that it falls back to when a file is unlabeled, but I don't see
anywhere that nfs_t is a generic label.
Thanks!
error: kernel: audit: avc: denied { write }
by Roger Skildum
I am running FC3 with a vanilla 2.6.10 kernel patched for Win4lin. I am
not sure what has happened but all of a sudden I started getting a whole
slew of the errors listed below each time I boot.
Jan 30 05:18:48 host kernel: audit(1107080328.663:0): avc: denied { write } for pid=3575 exe=/usr/sbin/ntpd name=log dev=tmpfs ino=6673 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:device_t tclass=sock_file
From what I understand they are related to selinux. They are not all
the same but all deal with kernel: audit. The system log shows me that
they happen while the system is running also. I have not noticed any
system degradation but something must be wrong. I do not think I have
done anything to cause this except update my system. When I run system
monitor, under the Resource Monitor tab I see a device listed as
/dev/shm with a type of tmpfs with a total of 125MB but 0% used. When I
look in the /dev directory there is no /dev/shm or /dev/tmpfs for that
matter. Is this related to the problem since the error lists
dev=tmpfs? Any ideas as to what is wrong or how to correct it?
Thanks
Roger
vmware: execmod for /lib/tls/libc-2.3.4.so, /lib/libnss_files-2.3.4.so, /lib/ld-2.3.4.so?
by Tom London
Running targeted, latest Rawhide.
VMware now produces the following:
Feb 15 07:31:38 localhost kernel: audit(1108481498.195:0): avc: denied { execmod } for pid=2911 comm=vmnet-bridge path=/lib/tls/libc-2.3.4.so dev=dm-0 ino=327780 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
Feb 15 07:31:38 localhost kernel: audit(1108481498.255:0): avc: denied { execmod } for pid=2915 comm=vmware-ping path=/lib/tls/libc-2.3.4.so dev=dm-0 ino=327780 scontext=user_u:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
Feb 15 07:31:38 localhost VMware[init]: /usr/bin/vmware-ping: error while loading shared libraries: /lib/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
<<<SNIP>>>
Feb 15 07:47:53 localhost kernel: audit(1108482473.711:0): avc: denied { execmod } for pid=6297 comm=vmnet-dhcpd path=/lib/libnss_files-2.3.4.so dev=dm-0 ino=556112 scontext=root:system_r:initrc_t tcontext=system_u:object_r:lib_t tclass=file
<<<SNIP>>>
Feb 15 08:45:20 localhost kernel: audit(1108485920.125:0): avc: denied { execmod } for pid=5004 comm=vmnet-bridge path=/lib/ld-2.3.4.so dev=dm-0 ino=327776 scontext=root:system_r:initrc_t tcontext=system_u:object_r:ld_so_t tclass=file
Could tag /lib/tls/libc* and /lib/libnss_files* as texrel_shlib_t, but
what about /lib/ld-*?
Separate domain for VMware?
I'm testing this on a targeted system; not sure of the impact on strict policy.
tom
[Minor point/question: The AVC shows the libraries as lib_t, even
though they are shlib_t. The symbolic links (e.g., /lib/tls/libc.so.6)
are lib_t, however.... Should the AVC have tcontext of the link or the
file?]
--
Tom London
mysql wont start with new kernel
by dragoran
I installed kernel 2.6.11-rc3-RT-V0.7.38-01 (compiled it from source). I
did make oldconfig and enabled PREEMPT_DESKTOP, CONFIG_MK7 and ntfs support.
After booting the kernel, mysql doesn't start.
It shows:
Timeout error occurred trying to start MySQL Daemon.
dmesg says:
audit(1107676996.424:0): avc: denied { execmem } for pid=4806 comm=mysqld scontext=root:system_r:mysqld_t tcontext=root:system_r:mysqld_t tclass=process
It works when I disable selinux for mysqld.
I am running the targeted policy.