policy change adventure ..
by hb
hi;
I changed a SELinux system from the targeted policy to strict to do some
testing with strict & enforcing for a particular setup I plan. The system is
FC3 (all patches up to 01.02.2005) with a standard install up to that
point.
Policy change:
1 yum'ed the strict policy and policy sources
2 did a system-config-securelevel (changed targeted -> strict)
3 reboot (fingers crossed ..)
What happened was this:
Mass complaints (avc: denies)
mass out of memory errors .. (no way ..) // the system has 384MB RAM
rescue CD: mount and change to permissive in /etc/selinux/config
touch /.autorelabel
this time autorelabel worked
still many avc denies from std. system services
fixfiles check // everything ok .. surprise
still many, many avc denies from std. system services ..
So my question: is this normal (still no production quality)? Or a
bug / side effect of changing the policy (should work but does not)?
Since there are too many errors I can't track each individual problem
down. Any idea what to try?
----
Example /var/log/messages
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied
{ getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/mem dev=tmpfs
ino=485 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied
{ getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/net/tun
dev=tmpfs ino=1816 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied
{ getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/ppp dev=tmpfs
ino=1817 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ppp_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.343:0): avc: denied
{ getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/zero dev=tmpfs
ino=1820 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:zero_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.554:0): avc: denied
{ read } for pid=2183 exe=/sbin/lvm.static name=hdf dev=tmpfs ino=1063
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied
{ write } for pid=2183 exe=/sbin/lvm.static name=control dev=tmpfs
ino=4737 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied
{ ioctl } for pid=2183 exe=/sbin/lvm.static path=/dev/mapper/control
dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.557:0): avc: denied
{ write } for pid=2183 exe=/sbin/lvm.static name=.cache dev=hde1
ino=66753 scontext=system_u:system_r:initrc_t
tcontext=user_u:object_r:etc_t tclass=file
--
hb <hburde(a)t-online.de>
18 years, 10 months
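A small triage helper for the kind of flood described above, added here as an example and not part of hb's post or of any Fedora tool: it parses both AVC line shapes that appear in this digest (the FC3 `kernel: audit(...)` syslog form and the Rawhide `type=KERNEL msg=audit(...)` form), collapses the denials into (source domain, target type, class, permission) counts, and renders each group in the allow-rule notation audit2allow uses, so a few hundred lines reduce to a handful of tuples to reason about. The sample lines are copied from this page's posts plus one constructed non-AVC line.

```python
import re
from collections import Counter, defaultdict

# Sample input: AVC lines taken from the posts on this page (two log formats)
# plus one constructed non-AVC kernel line that the parser must skip.
SAMPLE_LOG = """\
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied { getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/mem dev=tmpfs ino=485 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:memory_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied { write } for pid=2183 exe=/sbin/lvm.static name=control dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied { ioctl } for pid=2183 exe=/sbin/lvm.static path=/dev/mapper/control dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:lvm_control_t tclass=chr_file
type=KERNEL msg=audit(1107189602.159:494563): avc: denied { transition } for pid=3596 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=1933320 scontext=user_u:system_r:crond_t tcontext=system_u:system_r:unconfined_t tclass=process
Feb 1 15:58:16 dragon kernel: constructed unrelated kernel message
"""

# The "avc: denied { perms } for key=value ..." tail is identical in both formats.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the AVC fields plus a 'perms' tuple, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["perms"] = tuple(m.group("perms").split())
    return rec


def summarize(log_text):
    """Count denials by (source domain, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # A context is user:role:type; the type (third field) is what policy rules name.
        sdom = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(sdom, ttype, rec["tclass"], perm)] += 1
    return counts


def render_rules(counts):
    """Render each (domain, type, class) group as one audit2allow-style allow rule."""
    groups = defaultdict(set)
    for (sdom, ttype, tclass, perm) in counts:
        groups[(sdom, ttype, tclass)].add(perm)
    rules = []
    for (sdom, ttype, tclass), perms in sorted(groups.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {sdom} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    for rule in render_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Each rendered rule is the question to answer before touching policy: whether the target file is mislabeled (a restorecon problem, as in the /dev/log thread below) or the domain genuinely needs the access.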
execmod avcs from today's policy
by Tom London
Running strict/enforcing, today's Rawhide.
Noticed the avcs below in the log.
I believe the java one may be from the sun JVM I have installed....
xscreensaver and helixplayer ones are new.
My understanding is that I need to set the boolean 'allow_execmod' to
allow this kind of thing (although nothing appears broken....)
Do I have that correct?
tom
Jan 28 07:54:36 fedora gdm(pam_unix)[3218]: session opened for user
tbl by (uid=0)
Jan 28 07:54:48 fedora kernel: audit(1106927688.744:0): avc: denied
{ execmod } for pid=3491 comm=xscreensaver-gl
path=/usr/X11R6/lib/libGL.so.1.2 dev=hda2 ino=4127021
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:54:57 fedora kernel: audit(1106927697.979:0): avc: denied
{ execmod } for pid=3549 comm=java path=/lib/libc-2.3.4.so dev=hda2
ino=3178539 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:shlib_t tclass=file
Jan 28 07:55:19 fedora kernel: audit(1106927719.841:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/swfrender.so dev=hda2 ino=4375247
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:55:21 fedora kernel: audit(1106927721.289:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/oggfformat.so dev=hda2 ino=4376641
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:55:21 fedora kernel: audit(1106927721.316:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/theorarend.so dev=hda2 ino=4376654
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:55:22 fedora kernel: audit(1106927722.757:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/vorbisrend.so dev=hda2 ino=4376655
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
18 years, 10 months
Re: error: kernel: audit: avc: denied { write }
by Roger Skildum
When I type the command this is what I get:
/sbin/restorecon reset context /dev/log user_u:object_r:device_t->system_u:object_r:devlog_t
>> slew of the errors listed below each time I boot.
>> Jan 30 05:18:48 host kernel: audit(1107080328.663:0): avc: denied {
>> write } for pid=3575 exe=/usr/sbin/ntpd name=log dev=tmpfs ino=6673
>> scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:device_t
>> tclass=sock_file
>What does /sbin/restorecon -v /dev/log show?
>--
>Stephen Smalley <sds epoch ncsc mil>
>National Security Agency
18 years, 10 months
other Raw Hide avc messages
by Joe Orton
selinux-policy-targeted-1.21.5-1
kernel-2.6.10-1.1115_FC4
one lot of:
type=KERNEL msg=audit(1107189317.896:165031): avc: denied { create }
for pid=3061 exe=/usr/sbin/htt_server name=.iiimp-unix
scontext=user_u:system_r:i18n_input_t
tcontext=user_u:object_r:i18n_input_var_run_t tclass=dir
and many times:
type=KERNEL msg=audit(1107189602.159:494563): avc: denied { transition }
for pid=3596 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=1933320
scontext=user_u:system_r:crond_t
tcontext=system_u:system_r:unconfined_t tclass=process
which seems to mean that all cron scripts are failing and I am getting a
execl: couldn't exec `/bin/sh'
execl: Permission denied
message from crond every couple of minutes.
joe
18 years, 10 months
selinux and mail() in php code
by Hongwei Li
Hi,
I posted this message a few days ago, but haven't seen any reply. Did I
miss some posts? Here, I include my test code and post it again. Hope
selinux experts can help me.
My system information --
os: RedHat FC3 linux, kernel-2.6.10-1.741_FC3, selinux
enforced, iptables enabled
selinux: selinux-policy-targeted-1.17.30-2.73 (the most up-to-date one)
iptables: iptables-1.2.11-3.1.FC3
web: httpd-2.0.52-3.1
sendmail: sendmail-8.13.1-2
php: php-4.3.10-3.2
SELINUXTYPE targeted
I have a testing feedback php code for my web site using
mail($toaddress, $subject, $feedback, $fromaddress);
If selinux is disabled, the code works well. The user ($toaddress)
receives the content ($mailcontent), etc. However, if selinux is
enforced, the user does not receive it and the system log shows:
Jan 28 14:19:46 pippo kernel: audit(1106943586.048:0): avc: denied {
read } for pid=6801 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=hda3 ino=470506 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Should I do something to make it work with selinux enforced?
Is there anybody out there who uses php's mail() function in the "feedback
form" in his web server? Below is my testing php code. The only line you
need to change is the first line where you can replace
"your-email-address" with your email address to see if you receive mail or
get error (system log, not from web or email) when selinux is enforced:
<?php
$toaddress = 'your-email-address';
$feedback = 'This is a test.';
$subject = 'Feedback from web';
$fromaddress = "From: webmaster(a)your.domain\r\n";
mail($toaddress, $subject, $feedback, $fromaddress);
?>
Selinux experts: please test this code on your web server and I appreciate
all help!
Hongwei Li
18 years, 10 months
Xchat file permissions
by Poohba
I copied my .xchat2 dir from fc1 and xchat works fine. I am, however,
unable to save. I'm getting a permission denied. I have the dir chmod
775 and I have it chown root.media and I am part of that media group. If
I do id I see media listed as one of my groups. Why am I unable to save
to the dir? It is the correct dir. Does SELinux have anything to do with
this? Is there a way to completely turn it off? I am able to create
files and directories in that directory if I just go to it.
18 years, 10 months
Re: selinux and mail() in php code
by Hongwei Li
> On Tue, Feb 01, 2005 at 09:27:16AM -0600, Hongwei Li wrote:
>> Hi,
>> I posted this message a few days ago, but haven't seen any reply. Did I
>> miss some posts? Here, I include my test code and post it again. Hope
>> selinux experts can help me.
>
> PHP mail() should be working if you are really running the latest
> policy, it works fine here. Do you have an
> /etc/selinux/targeted/policy.18.rpmnew file?
>
> joe
>
What I have are:
# ls -l /etc/selinux/targeted/
total 24
-rwx------ 1 root root 432 Jan 5 15:38 booleans
drwxr-xr-x 4 root root 4096 Jan 26 13:49 contexts
drwxr-xr-x 2 root root 4096 Jan 26 13:49 policy
# ls -l /etc/selinux/targeted/policy/
total 332
-rw-r--r-- 1 root root 328447 Jan 19 16:44 policy.18
and my /etc/selinux/config is
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=Enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
Did I miss something? I recently installed the new policy 1.17.30-2.73 on
Jan-26-2005, then did
# restorecon -R -v /var/lib /var/spool
# rpm -q -l mysql-server | restorecon -R -v -f -
Should I do something else after that, specifically for php or sendmail,
or...?
Thanks!
Hongwei
18 years, 10 months
Squirrelmail, MySQL-change password and SELinux
by Roger Grosswiler
Hi,
I successfully installed squirrelmail with mysql authentication.
After installing the change_mysql plugin, I got the following message
in /var/log/messages:
> Jan 31 22:21:53 frodo kernel: audit(1107206513.281:0): avc: denied { write } for pid=12823 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=360554 scontext=root:system_r:httpd_t tcontext=root:object_r:var_lib_t tclass=sock_file
> Jan 31 22:22:07 frodo kernel: audit(1107206527.169:0): avc: denied { write } for pid=12825 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=360554 scontext=root:system_r:httpd_t tcontext=root:object_r:var_lib_t tclass=sock_file
while squirrel's plugin said that the database is busy. If I
understand the above right, selinux didn't let the plugin write the new
password into the mysql database.
What can I do (except disabling selinux)?
Thanks,
Roger
18 years, 10 months