policy change adventure ..
by hb
hi;
I changed a SE linux system from a targeted policy to strict to do some
testing with strict & enforcing for a particular setup i plan. System is
FC3 (all patches up to 01.02.2005) with standard install up to that
point.
Policy change :
1 yum'ed the strict policy and policy sources
2 did a system-config-securelevel (changed targeted -> strict)
3 reboot (fingers crossed ..)
What happend was this :
Mass complains (avc: denies )
mass out of Memory errors .. (no way .. )// the system has 384MB RAM
rescue CD : mount and change to permissive /etc/selinux/config
touch /.autorelabel
this time autorelabel worked
still many avc denies from std. system services
fixfiles check // everything ok .. surprise
still many many avc denies from std system services ..
So my Question : is this normal (still no production quality) ? or a
bug / side effect from changing the policy (should work but does not) ?
Since there are to many errors i can't track each individual problem
down. any idea what to try?
----
Example /var/log/messages
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied
{ getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/mem dev=tmpfs
ino=485 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:memory_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied
{ getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/net/tun
dev=tmpfs ino=1816 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:tun_tap_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.339:0): avc: denied
{ getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/ppp dev=tmpfs
ino=1817 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:ppp_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.343:0): avc: denied
{ getattr } for pid=2183 exe=/sbin/lvm.static path=/dev/zero dev=tmpfs
ino=1820 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:zero_device_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.554:0): avc: denied
{ read } for pid=2183 exe=/sbin/lvm.static name=hdf dev=tmpfs ino=1063
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:removable_device_t tclass=blk_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied
{ write } for pid=2183 exe=/sbin/lvm.static name=control dev=tmpfs
ino=4737 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.556:0): avc: denied
{ ioctl } for pid=2183 exe=/sbin/lvm.static path=/dev/mapper/control
dev=tmpfs ino=4737 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:lvm_control_t tclass=chr_file
Feb 1 15:58:15 dragon kernel: audit(1107269508.557:0): avc: denied
{ write } for pid=2183 exe=/sbin/lvm.static name=.cache dev=hde1
ino=66753 scontext=system_u:system_r:initrc_t
tcontext=user_u:object_r:etc_t tclass=file
--
hb <hburde(a)t-online.de>
19 years, 2 months
execmod avcs from today's policy
by Tom London
Running strict/enforcing, today's Rawhide.
Noticed the avcs below in the log.
I believe the java one may be from the sun JVM I have installed....
xscreensaver and helixplayer ones are new.
My understanding is that I need to set the boolean 'allow_execmod' to
allow this kind of thing (although nothing appears broken....)
Do I have that correct?
tom
Jan 28 07:54:36 fedora gdm(pam_unix)[3218]: session opened for user
tbl by (uid=0)
Jan 28 07:54:48 fedora kernel: audit(1106927688.744:0): avc: denied
{ execmod } for pid=3491 comm=xscreensaver-gl
path=/usr/X11R6/lib/libGL.so.1.2 dev=hda2 ino=4127021
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:54:57 fedora kernel: audit(1106927697.979:0): avc: denied
{ execmod } for pid=3549 comm=java path=/lib/libc-2.3.4.so dev=hda2
ino=3178539 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:shlib_t tclass=file
Jan 28 07:55:19 fedora kernel: audit(1106927719.841:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/swfrender.so dev=hda2 ino=4375247
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:55:21 fedora kernel: audit(1106927721.289:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/oggfformat.so dev=hda2 ino=4376641
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:55:21 fedora kernel: audit(1106927721.316:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/theorarend.so dev=hda2 ino=4376654
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
Jan 28 07:55:22 fedora kernel: audit(1106927722.757:0): avc: denied
{ execmod } for pid=3650 comm=hxplay.bin
path=/usr/lib/helix/plugins/vorbisrend.so dev=hda2 ino=4376655
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shlib_t
tclass=file
19 years, 2 months
Re: error: kernel: audit: avc: denied { write }
by Roger Skildum
When I type the command this is what i get:
/sbin/restorecon reset context /dev/log user_u:object_r:device_t->system_u:object_r:devlog_t
>> slew of the errors listed below each time I boot.
>> Jan 30 05:18:48 host kernel: audit(1107080328.663:0): avc: denied {
>> write } for pid=3575 exe=/usr/sbin/ntpd name=log dev=tmpfs ino=6673
>> scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:device_t
>> tclass=sock_file
>What does /sbin/restorecon -v /dev/log show?
>--
>Stephen Smalley <sds epoch ncsc mil>
>National Security Agency
19 years, 2 months
other Raw Hide avc messages
by Joe Orton
selinux-policy-targeted-1.21.5-1
kernel-2.6.10-1.1115_FC4
one lot of:
type=KERNEL msg=audit(1107189317.896:165031): avc: denied { create }
for pid= 3061 exe=/usr/sbin/htt_server name=.iiimp-unix
scontext=user_u:system_r:i18n_inp ut_t
tcontext=user_u:object_r:i18n_input_var_run_t tclass=dir
and many times:
type=KERNEL msg=audit(1107189602.159:494563): avc: denied { transition
} for pid=3596 exe=/usr/sbin/crond path=/bin/bash dev=hda3 ino=1933320
scontext=user_u :system_r:crond_t
tcontext=system_u:system_r:unconfined_t tclass=process
which seems to mean that all cron scripts are failing and I am getting a
execl: couldn't exec `/bin/sh'
execl: Permission denied
message from crond every couple of minutes.
joe
19 years, 2 months
selinux and mail() in php code
by Hongwei Li
Hi,
I posted this message a few days ago, but haven't seen any reply. Did I
miss some posts? Here, I include my test code and post it again. Hope
selinux experts can help me.
My system information --
os: RedHat FC3 linux, kernel-2.6.10-1.741_FC3, selinux
enforced, iptables enabled
selinux: selinux-policy-targeted-1.17.30-2.73 (the most update one)
iptables: iptables-1.2.11-3.1.FC3
web: httpd-2.0.52-3.1
sendmail: sendmail-8.13.1-2
php: php-4.3.10-3.2
SELINUXTYPE targeted
I have a testing feedback php code for my web site using
mail($toaddress, $subject, $feedback, $fromaddress);
If selinux is disabled, the code works well. The user ($toaddress)
receives the content ($mailcontent), etc. However, if selinux is
enforced, the user does not receive it and the system log shows:
Jan 28 14:19:46 pippo kernel: audit(1106943586.048:0): avc: denied {
read } for pid=6801 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=hda3 ino=470506 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:mqueue_spool_t tclass=dir
Should I do something to make it working with selinux enforced?
Is there anybody out there who uses php's mail() function in the "feedback
form" in his web server? Below is my testing php code. The only line you
need to change is the first line where you can replace
"your-email-address" with your email address to see if you receive mail or
get error (system log, not from web or email) when selinux is enforced:
<?php
$toaddress = 'your-email-address';
$feedback = 'This is a test.';
$subject = 'Feedback from web';
$fromaddress = "From: webmaster(a)your.domain\r\n";
mail($toaddress, $subject, $feedback, $fromaddress);
?>
Selinux experts: please test this code on your web server and I appreciate
all help!
Hongwei Li
19 years, 2 months
Xchat file permissions
by Poohba
I copied my .xchat2 dir from fc1 and xchat works fine. I am however
unable to save. I'm getting a permission denied. I have the dir chmod
775 and i have it chown root.media and i am part of that media group. if
I do id I see media listed as one of my groups. Why am I unable to save
to the dir. It is the correct dir. Does SELinux have anything to do with
this? Is there a way to completely turn it off. I am able to create
files and directories in that directory if i were to just go to it.
19 years, 2 months
Re: selinux and mail() in php code
by Hongwei Li
> On Tue, Feb 01, 2005 at 09:27:16AM -0600, Hongwei Li wrote:
>> Hi,
>> I posted this message a few days ago, but haven't seen any reply. Did
I
>> miss some posts? Here, I include my test code and post it again. Hope
selinux experts can help me.
>
> PHP mail() should be working if you are really running the latest
policy, it works fine here. Do you have an
> /etc/selinux/targeted/policy.18.rpmnew file?
>
> joe
>
What I have are:
# ls -l /etc/selinux/targeted/
total 24
-rwx------ 1 root root 432 Jan 5 15:38 booleans
drwxr-xr-x 4 root root 4096 Jan 26 13:49 contexts
drwxr-xr-x 2 root root 4096 Jan 26 13:49 policy
# ls -l /etc/selinux/targeted/policy/
total 332
-rw-r--r-- 1 root root 328447 Jan 19 16:44 policy.18
and my /etc/selinux/config is
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing. #
disabled - SELinux is fully disabled.
SELINUX=Enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
Did I miss something? I recently installed the new policy 1.17.30-2.73 on
Jan-26-2005, then did
# restorecon -R -v /var/lib /var/spool
# rpm -q -l mysql-server | restorecon -R -v -f -
Should I do something else after that, specifically for php or sendmail,
or...?
Thanks!
Hongwei
19 years, 2 months
Squirrelmail, MySQL-change password and SELinux
by Roger Grosswiler
Hi,
tried successfully installing squirrelmail with mysql authentication.
After installting the change_mysql-plugin, i got the following message
in /var/log/messages:
> Jan 31 22:21:53 frodo kernel: audit(1107206513.281:0): avc: denied { write } for pid=12823 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=360554 scontext=root:system_r:httpd_t tcontext=root:object_r:var_lib_t tclass=sock_file
> Jan 31 22:22:07 frodo kernel: audit(1107206527.169:0): avc: denied { write } for pid=12825 exe=/usr/sbin/httpd name=mysql.sock dev=dm-0 ino=360554 scontext=root:system_r:httpd_t tcontext=root:object_r:var_lib_t tclass=sock_file
while squirrel's plugin meant, that the database is busy. If i
understand the above right, selinux didn't let the plugin write the new
password in the mysql-database.
What can i do (except disabling selinux)?
Thanks,
Roger
19 years, 2 months
