March 2005 - selinux - Fedora Mailing-Lists

by Tom London

Running strict/enforcing, latest rawhide: After installing latest packages, relabeling /etc, /bin, /lib, .... and rebooting, the system produces lots of udev type errors (cannot remove /dev/.udev_tdb/classSTUFF) and hangs on 'adding hardware' Boots (with messages) in permissive mode. Here are the 'early' AVCs: Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied { read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs ino=17 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied { read } for pid=576 exe=/sbin/restorecon name=customizable_types dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:default_context_t tclass=file Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied { use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied { read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652, dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070 ptal-mlcd successfully initialized. Jan 21 07:24:30 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using /var/run/ptal-printd/mlc_usb_PSC_900_Series*. Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M I'll probe a bit, but any help is welcome! tom -- Tom London

17 years, 10 months

4
7
0 / 0

New policy for DCC

by David Hampton

This is a new strict policy for the DCC spam filter. It is based on the selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy requires the definition of dcc reserved ports that were in the net_contexts diff I sent last Wednesday. Please let me know if there are any problems with or changes needed to this policy. David

18 years, 5 months

3
4
0 / 0

Experiences with selinux enabled targetted on Fedora Core 3

by Richard E Miles

In order to become more familiar with the selinux capabilities I did the following: Started selinux in permissive mode for targetted. I recieved warnings for the following services: portmap, ntpd, and ntpdate. I then ran fixfiles check. After it ran for quite some time. It did not report any problems. So I enabled targetted and rebooted. I then received error warnings for the same services. The following relevent messages from dmesg follow: <snip> EXT3-fs: mounted filesystem with ordered data mode. security: 3 users, 4 roles, 319 types, 20 bools security: 53 classes, 10805 rules SELinux: Completing initialization. SELinux: Setting up existing superblocks. SELinux: initialized (dev hda2, type ext3), uses xattr SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts SELinux: initialized (dev mqueue, type mqueue), not configured for labeling SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling SELinux: initialized (dev devpts, type devpts), uses transition SIDs SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts SELinux: initialized (dev pipefs, type pipefs), uses task SIDs SELinux: initialized (dev sockfs, type sockfs), uses task SIDs SELinux: initialized (dev proc, type proc), uses genfs_contexts SELinux: initialized (dev bdev, type bdev), uses genfs_contexts SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts <snip> ip_tables: (C) 2000-2002 Netfilter core team ip_conntrack version 2.1 (2047 buckets, 16376 max) - 360 bytes per conntrack eth0: link up, 100Mbps, full-duplex, lpa 0x45E1 audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts <snip> IPv6 over IPv4 tunneling driver divert: not allocating divert_blk for non-ethernet device sit0 audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.763:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir Obviously something is amiss. I do not know how to correct these messages for the services. Does anyone know how the fix this delemma? If not should I bugzilla it? -- Richard E Miles Federal Way WA. USA registered linux user 46097

18 years, 5 months

10
22
0 / 0

Tweaks to the amavis policy

by David Hampton

I've added support to the (unused) amavis policy to allow interaction with additional mail filters, and added a new type specifically for quarantined spam and viruses. I also tweaked the network access to limit ports that can be used by amavisd. I'd appreciate any feedback on these changes or tips on how to write better policies. Thanks. David P.S. These diffs are based on the files from the selinux-policy-strict- sources-1.22.1-2 rpm.

18 years, 5 months

4
4
0 / 0

Tweaks to the clamav policy

by David Hampton

I've added support to the (unused) clamav policy to allow listening for service requests on a TCP socket, and for interacting with amavis. I also made some tweaks that tighten up the network access allowed by freshclam, split the freshclam and spamd log files into two different types, and make the clamd control socket a unique type. Thanks. David P.S. These diffs are based on the files from the selinux-policy-strict- sources-1.22.1-2 rpm.

18 years, 5 months

4
4
0 / 0

New policy for yam

by David Hampton

This is written on an FC3 base system using the selinux-policy-strict- sources-1.22.1-2 policy from March 11th. These are the first policies I've submitted so I'd appreciate any comments on how to write better policies. David

18 years, 5 months

3
4
0 / 0

New policy for tripwire

by David Hampton

This is written on an FC3 base system using the selinux-policy-strict- sources-1.22.1-2 policy from March 11th. These are the first policies I've submitted so I'd appreciate any comments on how to write better policies. David

18 years, 5 months

2
1
0 / 0

New policy for pyzor

by David Hampton

This is a new strict policy for the pyzor spam filter. It is based on the selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy requires the definition of a pyzor reserved port that was in the net_contexts diff I sent last Wednesday. Please let me know if there are any problems with or changes needed to this policy. David

18 years, 5 months

4
6
0 / 0

New policy for Pop-before-smtp daemon

by David Hampton

Here's a new policy to support the pop-before-smtp daemon from http://people.FreeBSD.org/~sheldonh/popb4smtp-nodb.tar.gz . I'd appreciate any feedback on these files or tips on how to write better policies. Thanks. David P.S. This policy is based on the selinux-policy-strict-sources-1.22.1-2 rpm on my FC3 system.

18 years, 5 months

2
1
0 / 0

hello all, I just joined the list

by nanocurie

Hello all, I just joined the list. I just downloaded and installed FC3, and noticed that it had SE-Linux installed by default. I thought okay, so the NSA now can/will take control of my secure computers. Good, if there's anyone I'd want controlling them other than I. Then I saw the post about setools, and saw how they can be used in an enterprise environment. Reminds me of Active Directory. Cool. This is probably better. Just kidding bigbrother. I look forward to learning with you all about SElinux nc

18 years, 5 months

5
7
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux March 2005