Today's targeted policy...
by Tom London
Running targeted/enforcing, latest rawhide.
After installing today's policy files and rebooting, had X/execmem
problems. Solved by 'setsebool -P allow_execmem 1'.
Rebooting produces scads of use and sigchild denials. Attached is
/var/log/messages.
In the past, use/fd denials were usually due to leaky file descriptors
across execs. Is that likely the case here? Not sure about sigchild....
tom
--
Tom London
19 years, 2 months
Default permissions and security context of new user?
by R. Jensen
Moderator: I didn't realize I had sent this message from
a different address than the one I used to subscribe to the list.
Sorry.
------------------------------------------------------
Hi. I'm wondering about the permissions new users get
when they are created. Before SELinux I had to add users
to 'wheel' to enable them to su to root.
I did an adduser and it seems to be unrestricted:
[testse@lankhmar ~]$ id -Z
user_u:system_r:unconfined_t
and the user is able to su to root. Is this normal?
How would I keep the user from being able to su?
I added:
user testse roles { user_r };
to /etc/selinux/targeted/src/policy/users
and did: make load
This didn't seem to make any difference.
This is on FC3 (2.6.10-1.760_FC3)
selinux-policy-targeted-1.17.30-2.75
[root@lankhmar ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file: targeted
I'm not sure if this is clear, or enough information.
I tried searching the archives but didn't find anything.
[I may be searching incorrectly].
Thanks,
Richard.
19 years, 2 months
CORE 3
by Kutzler, Paul
I am having problems getting the syslog to write to something outside
the /var/log directory.....
I have this working on FC2 and I believe I have all the configs changed
over.... Maybe I am missing a file?
Any help appreciated.
Thanks
Paul
Paul E. Kutzler II, CISSP,RHCE
Senior Systems Administrator
Arrow International, Inc
www.arrowintl.com
Corporate Offices
2400 Bernville Road, Reading, PA 19605
Voice: 610 - 378 - 0131, ext. 3458
Fax: 610 - 374 - 5360
19 years, 2 months
Fedora Core 2: initrd failed to mount ext3 root fs.
by KokHow Teh
Hi list;
I just installed Fedora Core 2 in the last 2 days. The binaries from the
installation CDs work fine: I have no problem installing the full system
and booting up the machine (i686 P4). However, when I build the kernel from
the source with the default configuration for arch/i386, booting up the
machine fails because initrd fails to mount the ext3 root file system. It
fails when linuxrc is trying to mount the root fs with pivot_root(). Please
advise. Thanks.
Regards,
TEH
19 years, 2 months
Are these settings correct?
by Hongwei Li
While I am checking the possible reason that the php mail() does not work
in my fc3 system, I found the following settings:
# ls -lZ /usr/sbin/send*
lrwxrwxrwx root root user_u:object_r:sbin_t /usr/sbin/sendmail -> /etc/alternatives/mta
-rwxr-sr-x root smmsp system_u:object_r:sbin_t /usr/sbin/sendmail.sendmail
and all files in /etc/alternatives/ show either user_u:object_r:etc_t or
root:object_r:etc_t
Are these settings correct? Do I need to run restorecon on them? or on
all folders in the system?
Thanks!
Hongwei Li
19 years, 2 months
portmap
by Andrzej Kąkolewski
Hello
I'm getting this avc message in /var/log/messages:
audit(1107361904.516:0): avc: denied { read } for pid=3588
exe=/sbin/portmap name=libnsl.so.1 dev=dm-0 ino=8700082
scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t
tclass=lnk_file
How can I fix it?
--
Regards
Andrzej Kąkolewski
Mail: k_andrzej_85(a)o2.pl
JID: gnr(a)jabber.atman.pl
19 years, 2 months
Request Tracker 3
by Kanwar Ranbir Sandhu
Hello Everyone,
Has anyone attempted to run RT3 (3.2.2) on a FC3 system? I'm running
into a bunch of selinux errors, and I'm having problems resolving the
issue: I'm just not very familiar with selinux.
Here's the error in /var/log/httpd/error_log:
---start---
[Sun Jan 30 19:42:14 2005] [notice] suEXEC mechanism enabled
(wrapper: /usr/sbin/suexec)
[Sun Jan 30 19:42:17 2005] [notice] Digest: generating secret for digest
authentication ...
[Sun Jan 30 19:42:17 2005] [notice] Digest: done
[Sun Jan 30 19:42:17 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Sun Jan 30 19:42:17 2005] [notice] LDAP: SSL support unavailable
[Sun Jan 30 19:42:17 2005] [notice] FastCGI: process manager initialized
(pid 669)
[Sun Jan 30 19:42:17 2005] [warn] FastCGI: server
"/var/www/rt/bin/mason_handler.fcgi" started (pid 670)
[Sun Jan 30 19:42:17 2005] [notice] mod_python: Creating 4 session
mutexes based on 256 max processes and 0 max threads.
[Sun Jan 30 19:42:19 2005] [notice] Apache/2.0.52 (Fedora) configured --
resuming normal operations
[Sun Jan 30 19:42:22 2005] [warn] FastCGI: server
"/var/www/rt/bin/mason_handler.fcgi" started (pid 679)
[Sun Jan 30 19:42:27 2005] [warn] FastCGI: server
"/var/www/rt/bin/mason_handler.fcgi" started (pid 681)
[Sun Jan 30 19:42:32 2005] [warn] FastCGI: server
"/var/www/rt/bin/mason_handler.fcgi" started (pid 682)
Log file /var/log/rt.log couldn't be written or created.
RT can't run. at /var/www/rt/lib/RT.pm line 204.
---end---
And here's what's output to /var/log/messages while that's going on:
---start---
avc: denied { getattr } for pid=681 exe=/usr/bin/perl path=/var/log
dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_log_t tclass=dir
avc: denied { ioctl } for pid=693 exe=/usr/bin/perl
path=/var/log/httpd/error_log dev=dm-5 ino=129070
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_log_t tclass=file
avc: denied { read } for pid=693 exe=/usr/bin/perl name=tmp dev=dm-3
ino=12 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:tmp_t tclass=lnk_file
---end---
Ummm... not quite sure how to interpret that. But it looks like selinux
doesn't like the context of /var/log/rt.log, which currently is:
-rw-r--r-- root rt system_u:object_r:httpd_log_t /var/log/rt.log
And for /var/log/http (as well as for all files within):
drwx------ root root system_u:object_r:httpd_log_t
I could just turn off selinux, but seeing as how I've managed to run
SugarCRM and Mambo on the same box, RT3 should work as well.
Thanks in advance.
Regards,
Ranbir
--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
19 years, 2 months
Re: policy change adventure ..
by hb
Hi,
Thx for the hint - looks a lot better now.
In order to get that working I had to replace the policycoreutils with
the rawhide version.
Besides 2 warnings it seems ok:
Preparing... ###########################################
[100%]
Warnung: setexeccon(root:staff_r:rpm_script_t) fails from context
"root:staff_r:staff_t": Das Argument ist ungültig (= invalid argument)
Continuing ...
1:selinux-policy-strict ###########################################
[100%]
Warnung: setexeccon(root:staff_r:rpm_script_t) fails from context
"root:staff_r:staff_t": Das Argument ist ungültig
Continuing ...
I have to install the source to make some custom changes later on and
got a 'wrong checkpolicy version' error (rpm -Uvh strict-sources...).
Any idea? (checkpolicy should be in policycoreutils, which was already
replaced with the latest rawhide version!)
--
Holger Burde <hburde(a)t-online.de>
19 years, 2 months
installing webapp via install.php in webroot
by Roger Grosswiler
Hi,
Was trying to install Linpha in webroot. Untarred everything,
afterwards was pointing the browser to:
http://frodo/linpha/install/install.php and got the following:
Feb 1 13:19:37 frodo kernel: audit(1107260377.190:0): avc: denied {
search } for pid=22391 exe=/usr/sbin/httpd name=linpha dev=dm-0
ino=771968 scontext=root:system_r:httpd_t
tcontext=root:object_r:user_home_t tclass=dir
Feb 1 13:19:37 frodo kernel: audit(1107260377.190:0): avc: denied {
getattr } for pid=22391 exe=/usr/sbin/httpd path=/var/www/html/linpha
dev=dm-0 ino=771968 scontext=root:system_r:httpd_t
tcontext=root:object_r:user_home_t tclass=dir
What can I do to get this running?
Roger
19 years, 2 months
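As an added example (not part of any message above, and not a tool from the list), here is a small Python triage of the AVC records quoted in the portmap, RT3 and Linpha threads: it parses each record into its fields and applies two labelling heuristics that are assumptions of this example, not statements by the posters: a target of type `file_t` is an unlabeled file, and content under /var/www whose type is not an `httpd_` type has usually been moved there with its old label, both of which call for restorecon rather than a policy change.

```python
import re

# Constructed sample: the AVC records quoted in the threads above, each joined
# back onto one line as syslog writes them (the archive wrapped them).
SAMPLE_AVCS = [
    "audit(1107361904.516:0): avc: denied { read } for pid=3588 exe=/sbin/portmap "
    "name=libnsl.so.1 dev=dm-0 ino=8700082 scontext=user_u:system_r:portmap_t "
    "tcontext=system_u:object_r:file_t tclass=lnk_file",
    "avc: denied { getattr } for pid=681 exe=/usr/bin/perl path=/var/log dev=dm-5 "
    "ino=129025 scontext=root:system_r:httpd_sys_script_t "
    "tcontext=system_u:object_r:var_log_t tclass=dir",
    "Feb 1 13:19:37 frodo kernel: audit(1107260377.190:0): avc: denied { getattr } "
    "for pid=22391 exe=/usr/sbin/httpd path=/var/www/html/linpha dev=dm-0 "
    "ino=771968 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t "
    "tclass=dir",
]

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
                    r"\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict of the record's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    # Split user:role:type so the type (what policy rules are written on) is handy.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def classify(rec):
    """Heuristic verdict (assumption of this example): relabel or policy change?"""
    ttype = rec.get("tcontext_type", "")
    path = rec.get("path") or rec.get("name", "")
    if ttype == "file_t":            # file_t = never labeled; fix with restorecon
        return "relabel-unlabeled"
    if path.startswith("/var/www") and not ttype.startswith("httpd_"):
        return "relabel-webroot"     # moved in with its old (e.g. home) label
    return "policy"                  # label is plausible; look at policy/booleans


def triage(lines):
    """(source type, target type, class, verdict) for every AVC record in lines."""
    recs = [r for r in map(parse_avc, lines) if r]
    return [(r["scontext_type"], r["tcontext_type"], r["tclass"], classify(r)) for r in recs]


if __name__ == "__main__":
    for row in triage(SAMPLE_AVCS):
        print(row)
```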