Selinux under FC-4?
by Timothy Murphy
Will I be able to turn off selinux under FC-4?
Life is hard enough without inventing problems ...
--
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
18 years, 8 months
using tmpfs for /tmp and selinux
by dragoran
Is it possible to use tmpfs for /tmp with selinux (targeted) ...
I tried but got many AVCs (tmp_t becomes tmpfs_t) for all files in /tmp.
vmware/vmnet:
by Tom London
Running targeted/enforcing, latest rawhide.
Noticed the following AVC generated by the VMware init sequence:
Mar 30 06:33:35 localhost kernel: audit(1112193215.505:0): avc: denied { search } for pid=3690 exe=/sbin/ifconfig name=net dev=sysfs ino=225 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=dir
Mar 30 06:33:35 localhost kernel: vmnet8: failed sysfs registration (-13)
This seems to imply:
allow ifconfig_t sysfs_t:dir search;
ifconfig.te has
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
So, should ifconfig_t be allowed the same access to sysfs_t as initrc_t, such as
r_dir_file(ifconfig_t, sysfs_t)
thanks,
tom
--
Tom London
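The derivation Tom does by hand above (from the AVC record to `allow ifconfig_t sysfs_t:dir search;`) is what `audit2allow` from policycoreutils automates. The script below is an added example, not code from the post or from any Fedora package: it parses 2.6-era `avc: denied` records, re-joins records that a mail client wrapped across lines, and merges denials that share source type, target type and object class into one rule. Only `POST_AVC` is taken from the post; `EXTRA_AVC` is constructed for the example to show the merging. Whether the right fix is this minimal rule or the broader `r_dir_file(ifconfig_t, sysfs_t)` macro Tom proposes is a policy-design decision the tool does not make.

```python
import re
from collections import defaultdict

# A record starts at a syslog timestamp; any other non-empty line is treated
# as a continuation of the previous record (mail clients wrap long lines).
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s")

# 2.6-era kernel AVC format: "avc: denied { perm perm } for key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

# The AVC from the post, wrapped across lines, plus the vmnet8 line that
# followed it and is not an AVC at all.
POST_AVC = """\
Mar 30 06:33:35 localhost kernel: audit(1112193215.505:0): avc:
denied { search } for pid=3690 exe=/sbin/ifconfig name=net dev=sysfs
ino=225 scontext=user_u:system_r:ifconfig_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Mar 30 06:33:35 localhost kernel: vmnet8: failed sysfs registration (-13)
"""

# Two further denials, constructed for this example (not from the post), to
# show how denials against the same type pair and class are merged.
EXTRA_AVC = """\
Mar 30 06:33:36 localhost kernel: audit(1112193216.001:0): avc: denied { read } for pid=3690 exe=/sbin/ifconfig name=net dev=sysfs ino=225 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=dir
Mar 30 06:33:36 localhost kernel: audit(1112193216.002:0): avc: denied { getattr } for pid=3690 exe=/sbin/ifconfig name=vmnet8 dev=sysfs ino=230 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=file
"""


def _context_type(ctx):
    """Type component of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(text):
    """Yield (set_of_permissions, dict_of_fields) for each AVC denial in text."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    for rec in records:
        m = AVC_RE.search(rec)
        if not m:
            continue  # e.g. the "vmnet8: failed sysfs registration" line
        perms = set(m.group("perms").split())
        fields = dict(tok.split("=", 1)
                      for tok in m.group("fields").split() if "=" in tok)
        if all(k in fields for k in ("scontext", "tcontext", "tclass")):
            yield perms, fields


def avc_to_allow(text):
    """Collapse AVC denials into the minimal TE allow rules that permit them.

    Denials with the same (source type, target type, object class) are merged
    into one rule, as audit2allow does.  Returns a sorted list of rule strings.
    """
    merged = defaultdict(set)
    for perms, f in parse_avc(text):
        key = (_context_type(f["scontext"]),
               _context_type(f["tcontext"]), f["tclass"])
        merged[key] |= perms
    rules = []
    for (src, tgt, cls), perms in merged.items():
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return sorted(rules)


if __name__ == "__main__":
    import sys
    # usage: python avc2allow.py [LOGFILE]; without a file the samples are used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else POST_AVC + EXTRA_AVC
    print("\n".join(avc_to_allow(src)))
```

The rule text is the starting point for the policy discussion, not its conclusion: with the post's single record the output is exactly the `allow ifconfig_t sysfs_t:dir search;` Tom inferred, and the merged `{ read search }` form is what you get once more denials against the same pair accumulate.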
selinux-policy-targeted-1.17.30-2.90 troubles. (FC3)
by Omri Schwarz
A machine installed as FC3 got its update from up2date yesterday
and now will no longer allow logins on the console, nor the X console,
and will no longer allow the sudoers to sudo.
Touching /.autorelabel and rebooting has not fixed the problem.
The sudo problem only leaves this message to the console:
root:system_r:unconfined_t is not a valid context
And this in the logs:
Mar 29 18:19:55 HOST sudo: omri : TTY=pts/0 ; PWD=/nfs/newline/h1/omri ; USER=root ; COMMAND=/bin/su root
The attempt to log to the X console leaves this in the logs:
Mar 29 18:36:22 HOST gdm-binary[5538]: pam_krb5[5538]: authentication succeeds for 'omri' (omri@KRB5REALM)
Mar 29 18:36:22 HOST gdm(pam_unix)[5538]: session opened for user omri by (uid=0)
Mar 29 18:36:22 HOST gdm[5135]: gdm_cleanup_children: child 5538 crashed of signal 6
Mar 29 18:36:22 HOST gdm[5135]: gdm_cleanup_children: Slave crashed, killing its children
Logging in as root leaves what might be slightly more useful:
Mar 29 18:43:56 HOST gdm(pam_unix)[6206]: session opened for user root by (uid=0)
Mar 29 18:43:56 HOST dbus-daemon-1: avc: could not determine enforcing mode
Meanwhile, I can SSH in and su to root without a problem.
I am very much an SELinux newbie, and was hoping to learn about this system by
installing the targeted policy and seeing it in action, but here I am
mystified.
None of the messages are enough for me to figure out what needs chcon'ing.
So I would be much obliged for any help you could offer.
httpd controls ?
by Jeremy Ardley
Hi,
I am experimenting with cgi-bin perl scripts to set specific users'
passwords. The scripts correctly generate passwords when run from the
bash prompt but silently do nothing when invoked from the web page.
I assume this is a selinux issue and would like some pointers.
1. Is letting a cgi script change passwords a good idea?
2. If it is safe, how do I persuade selinux to let it happen?
Thanks
Jeremy
Everything got broken. selinux-policy-targeted-1.17.30-2.90
by Omri Schwarz
(Sorry if I break the threading, but my subscription has not kicked in.)
Stephen Smalley says:
On Wed, 2005-03-30 at 00:56 -0500, Omri Schwarz wrote:
>> Right now I have a machine that is using selinux-policy-targeted-1.17.30-2.90.noarch.rpm, and I suffer from the same errors:
>
>> # /usr/sbin/getenforce
>> getenforce: getenforce() failed
>
>> # /usr/sbin/getsebool -a
>> getsebool: booleans.c:48: security_get_boolean_names: Assertion `selinux_mnt' failed.
>> Aborted
>
>> # cat /selinux/enforce
>> 1
>What does 'id' show? What is in your /etc/selinux/config file?
% more /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=Enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
% id
uid=10204(omri) gid=101(cdrecording) groups=0(root),48(apache),101(cdrecording)
context=user_u:system_r:unconfined_t
>> Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search } for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t tclass=dir
>/etc certainly shouldn't be labeled home_root_t. /sbin/fixfiles restore?
Done.
Afterwards:
% ls -lZ /
drwxr-xr-x root root system_u:object_r:bin_t bin
drwxr-xr-x root root system_u:object_r:boot_t boot
drwxr-xr-x root root system_u:object_r:device_t dev
drwxr-xr-x root root system_u:object_r:home_root_t etc
drwxr-xr-x root root system_u:object_r:home_root_t home
drwxr-xr-x root root system_u:object_r:root_t initrd
drwxr-xr-x root root system_u:object_r:lib_t lib
drwx------ root root system_u:object_r:lost_found_t lost+found
drwxr-xr-x root root system_u:object_r:mnt_t media
drwxr-xr-x root root system_u:object_r:default_t misc
drwxr-xr-x root root system_u:object_r:mnt_t mnt
drwxr-xr-x root root nfs
drwxr-xr-x root root system_u:object_r:usr_t opt
dr-xr-xr-x root root proc
drwxr-x--- root root root:object_r:user_home_dir_t root
drwxr-xr-x root root system_u:object_r:sbin_t sbin
drwxr-xr-x root root selinux
drwxr-xr-x root root system_u:object_r:default_t srv
drwxr-xr-x root root sys
drwxr-xr-x root root system_u:object_r:default_t tftpboot
drwxrwxrwt root root system_u:object_r:tmp_t tmp
drwxr-xr-x root root system_u:object_r:usr_t usr
drwxr-xr-x root root system_u:object_r:var_t var
Everything got broken. selinux-policy-targeted-1.17.30-2.90
by Omri Schwarz
Hi, everyone.
Until two days ago, when I ran up2date, I had a machine running
FC3 with SELinux targeted, user homedirs coming in over NFS,
Apache running and segregated into httpd_t land, and so on and so forth.
I ran up2date.
And it all went to hell. The upgrade to selinux-policy-targeted-1.17.30-2.90
prevented console logins, use of sudo, and startups from messagebus and httpd.
It allowed, however, SSH logins and use of 'su'.
Right now I have a machine that is using selinux-policy-targeted-1.17.30-2.90.noarch.rpm, and I suffer from the same errors:
# /usr/sbin/getenforce
getenforce: getenforce() failed
# /usr/sbin/getsebool -a
getsebool: booleans.c:48: security_get_boolean_names: Assertion `selinux_mnt' failed.
Aborted
# cat /selinux/enforce
1
# cd /selinux/booleans
# ls
allow_ypbind mysqld_disable_trans squid_disable_trans
dhcpd_disable_trans named_disable_trans syslogd_disable_trans
httpd_disable_trans named_write_master_zones use_nfs_home_dirs
httpd_enable_cgi nscd_disable_trans use_samba_home_dirs
httpd_enable_homedirs ntpd_disable_trans use_syslogng
httpd_ssi_exec portmap_disable_trans winbind_disable_trans
httpd_tty_comm postgresql_disable_trans ypbind_disable_trans
httpd_unified snmpd_disable_trans
# cat *
1 10 00 01 11 11 10 01 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
# cat policyvers
18
Now, for the many multifarious weirdnesses that have sprung up on me:
I cannot log in to the console.
TTY logins fail silently and X logins leave this in the syslog:
Mar 29 18:43:42 HOST gdm(pam_unix)[5945]: session opened for user root by (uid=0)
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: child 5945 crashed of signal 6
Mar 29 18:43:42 HOST gdm[5135]: gdm_cleanup_children: Slave crashed, killing its children
Clearly something is denied a resource by selinux, causing a crash that
ends the login session.
I cannot sudo:
% sudo su root
Password:
root:system_r:unconfined_t is not a valid context
Doing a sudo leaves this in /var/log/secure:
Mar 30 00:47:29 HOST sudo: omri : TTY=pts/1 ; PWD=/nfs/newline/h1/omri ; USER=root ; COMMAND=/bin/su root
And this in /var/log/messages:
Mar 30 00:47:29 HOST sudo(pam_unix)[6028]: authentication failure; logname=omri uid=0 euid=0 tty=pts/1 ruser= rhost= user=omri
Mar 30 00:47:29 HOST sudo[6028]: pam_krb5[6028]: authentication succeeds for 'omri' (omri(a)SPACE.MIT.EDU)
I can SSH in, but this gets left in the logs:
Mar 30 00:43:48 HOST sshd[5941]: error: Failed to set exec security context omri:system_r:unconfined_t for omri. Continuing in permissive mode
I can su just fine, which is what lets me play around with these things.
The portmapper has its own difficulties:
Mar 30 00:55:15 HOST kernel: audit(1112162115.873:0): avc: denied { search } for pid=6178 exe=/sbin/portmap name=etc dev=hda3 ino=229377 scontext=root:system_r:portmap_t tcontext=system_u:object_r:home_root_t tclass=dir
Obviously, it's the console logins that I want to solve first and foremost.
Any help would be most appreciated.
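Two things in Omri's reports (this post and the "Everything got broken" reply above it) can be checked mechanically rather than by eye: the pasted `/etc/selinux/config`, whose own comments list `enforcing`, `permissive` and `disabled` as the three valid values while the file has `SELINUX=Enforcing`, and the `ls -lZ /` listing, in which `/etc` carries `home_root_t` even after `fixfiles restore`. The script below is an added example, not code from the thread or from policycoreutils. The `EXPECTED_TYPES` map is an assumption based on the conventional targeted-policy labels for those top-level directories, and the config checker deliberately insists on an exact, lowercase match for the values, so a capitalised spelling is reported instead of being silently accepted.

```python
VALID_MODES = ("enforcing", "permissive", "disabled")
VALID_TYPES = ("targeted", "strict")

# /etc/selinux/config exactly as pasted in the thread.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=Enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
"""

# `ls -lZ /` output as pasted in the thread.  The 2005 format is
# "mode user group context name", with no context column at all when the
# filesystem does not support the label.
SAMPLE_LS = """\
drwxr-xr-x root root system_u:object_r:bin_t bin
drwxr-xr-x root root system_u:object_r:boot_t boot
drwxr-xr-x root root system_u:object_r:device_t dev
drwxr-xr-x root root system_u:object_r:home_root_t etc
drwxr-xr-x root root system_u:object_r:home_root_t home
drwxr-xr-x root root system_u:object_r:root_t initrd
drwxr-xr-x root root system_u:object_r:lib_t lib
drwx------ root root system_u:object_r:lost_found_t lost+found
drwxr-xr-x root root system_u:object_r:mnt_t media
drwxr-xr-x root root system_u:object_r:default_t misc
drwxr-xr-x root root system_u:object_r:mnt_t mnt
drwxr-xr-x root root nfs
drwxr-xr-x root root system_u:object_r:usr_t opt
dr-xr-xr-x root root proc
drwxr-x--- root root root:object_r:user_home_dir_t root
drwxr-xr-x root root system_u:object_r:sbin_t sbin
drwxr-xr-x root root selinux
drwxr-xr-x root root system_u:object_r:default_t srv
drwxr-xr-x root root sys
drwxr-xr-x root root system_u:object_r:default_t tftpboot
drwxrwxrwt root root system_u:object_r:tmp_t tmp
drwxr-xr-x root root system_u:object_r:usr_t usr
drwxr-xr-x root root system_u:object_r:var_t var
"""

# Assumed expected types for top-level directories under the targeted
# policy.  This map is part of the example, not taken from the thread.
EXPECTED_TYPES = {
    "bin": "bin_t", "boot": "boot_t", "dev": "device_t", "etc": "etc_t",
    "home": "home_root_t", "lib": "lib_t", "mnt": "mnt_t", "sbin": "sbin_t",
    "tmp": "tmp_t", "usr": "usr_t", "var": "var_t",
}


def check_selinux_config(text):
    """Return a list of problems found in an /etc/selinux/config file.

    Comments are stripped, then SELINUX= and SELINUXTYPE= are compared
    exactly against the documented lowercase values.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        seen[key] = value
    problems = []
    for key, valid in (("SELINUX", VALID_MODES), ("SELINUXTYPE", VALID_TYPES)):
        value = seen.get(key)
        if value is None:
            problems.append("%s= is not set" % key)
        elif value not in valid:
            problems.append("%s=%s is not one of: %s"
                            % (key, value, ", ".join(valid)))
    return problems


def find_mislabels(ls_output, expected):
    """Parse `ls -lZ` lines and compare each entry's type with `expected`.

    Returns (mismatches, unlabeled): mismatches maps name -> (found, wanted)
    for entries whose type differs from the expected one; unlabeled lists the
    entries ls printed with no context at all (nfs, proc, selinux, sys here).
    """
    mismatches = {}
    unlabeled = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0][0] not in "d-lcbps":
            continue  # prompt lines, blank lines and the like
        name = fields[-1]
        if len(fields) >= 5 and fields[3].count(":") >= 2:
            found = fields[3].split(":")[2]
            wanted = expected.get(name)
            if wanted is not None and found != wanted:
                mismatches[name] = (found, wanted)
        else:
            unlabeled.append(name)
    return mismatches, sorted(unlabeled)


if __name__ == "__main__":
    for p in check_selinux_config(SAMPLE_CONFIG):
        print("config:", p)
    bad, none = find_mislabels(SAMPLE_LS, EXPECTED_TYPES)
    for name, (found, wanted) in sorted(bad.items()):
        print("/%s is labeled %s, expected %s" % (name, found, wanted))
    print("no context shown for:", " ".join(none))
```

On the pasted data the config check flags the `Enforcing` spelling and the label check flags only `/etc`; `/home` as `home_root_t` is what the map expects, and the four entries with no context are reported separately rather than treated as wrong, since `ls` prints nothing for a filesystem that does not carry the attribute (NFS being the obvious case here).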
Desktop apps interoperability
by Ivan Gyurdiev
Okay, mozilla's handling of saved files is a problem. Here's what it
does - files saved under ROLE_home_dir_t, or ROLE_home_t directories
turn to ROLE_mozilla_home_t via file_type_auto_trans.
Here's what gift does by default - it has a download folder where it
puts stuff. The downloaded files turn to ROLE_gift_home_t (context of
parent folder, which is ~/.giFT/completed or something).
Here's what mencoder does - it saves stuff as ROLE_mplayer_home_t
via file_type_auto_trans.
==============
This is bad for interoperability. Using the home_domain macro,
the user has access to the home_domain type of an application.
However one app has no access to the home_domain type of another app.
Basically I can never play (mplayer) a movie that I just downloaded,
whether or not it was via mozilla, or gift.
Alternatively, there could be a common data type - ROLE_home_t.
However none of those apps can save its data directly
under /home/username as ROLE_home_t, because all of them have a
home_domain, and that's where the file_type_auto_trans rule is used.
There can't be more than one file_type_auto_trans on the same folder
type (right?). Furthermore this seems to be explicitly avoided for
mozilla (it does not write to ROLE_home_t for security reasons -
overwriting .bashrc?).
============
Ok, here
Fundamentally, what I want to know is:
1) Do desktop apps need to be confined? Is it a good idea to confine
them?
2) If so, a shared data type is needed for interoperability.
Is ROLE_home_t acceptable for that purpose.
3)
0) No
1) Shared data type is needed for interoperability
2) Keeping both application settings, and user data in the same folder
is a problem
selinux with gosa
by Farkas Levente
hi,
is anyone trying to use gosa with selinux?
since gosa tries to write into the /var/spool/gosa directory, which has
the var_spool_t type, and by default it can write into this directory. what
is the preferred way to enable writes for gosa into this directory? should
I simply change /var/spool/gosa to httpd_sys_script_rw_t? it's working
but I don't know what the right solution is.
another question: how can I add this attribute to the gosa rpm for
/var/spool/gosa?
yours.
--
Levente "Si vis pacem para bellum!"
different md5sums for files on /dev/cdrom
by matousu@volny.cz
Hi,
I have encountered a strange problem while reading my files
from CDROM. I am still troubleshooting this, so I appreciate
any help or notes on the problem I am describing below.
HW:
ASUS Pundit-R with Intel Prescott, Seagate ST3200822AS as hdc and
hda: HL-DT-STDVDRRW GWA-4161B, ATAPI CD/DVD-ROM drive
hda: ATAPI 40X DVD-ROM DVD-R CD-R/RW drive, 2048kB Cache, UDMA(33)
SW:
# uname -a
Linux pundit 2.6.10-1.741_FC3smp #1 SMP Thu Jan 13 16:53:16 EST
2005 i686 i686 i386 GNU/Linux
-
W2k installed on another partition.
PROBLEM:
I have cdrom A with a file; let's say the file is named
file.cdrom-fc3 when mounted on fc3 linux.
On fc3 linux hdc6 I have a file, let's say file.w2k-to-fc3, which I
have previously read from cdrom A in Windows 2k, saved on the shared
vfat and transferred to hdc6 after my fc3 linux boot. There is
nothing wrong with this file.
I have another linux on another machine, a dell latitude with RH9 and
kernel 2.4.20.
Let's say the file on cdrom A, when I mount the cdrom in this linux box,
becomes file.rh9.
So now we have three files, all of them should have the same
md5sum, as the files are based on the same source,
and here they are:
0fed8b1345de558c18c5c9fa164b192a file.w2k-to-fc3 ---> OK
a1a4a1174be8579bee5c83caa5f696aa file.cdrom-fc3 !!!!! BAD
0fed8b1345de558c18c5c9fa164b192a file.rh9 ---> OK
So, the fc3 kernel driver handling the cdrom badly affects the
files. This is valid for any cdrom and any file.
The main effect is that mpeg or jpeg files are not or are badly
readable in fc3.
For instance mplayer gives messages like
[msmpeg4 @ 0x84e4bc8]Error at MB: 644
[msmpeg4 @ 0x84e4bc8]concealing 2147483647 errors.
with artefacts during the playback.
But the side effect within the app is not important now.
I have disabled selinux and the behavior of jpeg files is better
now, I can read most of them, but still not OK, as visible also
from md5sums.
I can say the cdrom drive is OK because it works well in w2k.
Also the file on cdrom is OK and healthy. It works in other OSes.
So I am suspecting these systems:
o kernel driver
o cdrom drive hdparameters - I am using default fc3 settings
o some another part of kernel sitting over devices, like selinux ?
I really need to solve this so I appreciate _ANY_ info.
At least, if I am writing to the wrong list, send me the e-mail addresses
of people who are able to help find the reason for this problem and
advise a solution.
Thanks in advance,
Petr
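The three md5sums above are the whole diagnostic so far. What they cannot tell you is whether the bad copy differs in a few scattered bytes or in whole 2048-byte sectors, nor whether two reads of the same file on the same FC3 box even agree with each other, which is the first thing to separate a transport problem (driver, DMA, drive) from a consistently wrong file. The script below is an added example, not part of the original post: `diff_sectors` reports which 2048-byte sectors (the ISO 9660 user-data size, an assumption that the disc is a plain data CD) of a suspect copy differ from a known-good copy, `runs` collapses those into ranges, and `read_stable` reads a file several times and returns the distinct digests seen, so a drive or driver that returns different bytes on each pass shows up as more than one digest. The sample bytes used to exercise it are constructed, not taken from the post.

```python
import hashlib
import sys

SECTOR = 2048  # ISO 9660 user-data bytes per sector (assumes a plain data CD)


def md5_hex(data):
    """Hex MD5 of a bytes object, matching what md5sum prints for a file."""
    return hashlib.md5(data).hexdigest()


def diff_sectors(good, bad, sector=SECTOR):
    """Indices of sector-sized blocks in which `bad` differs from `good`.

    Both arguments are bytes.  A length difference counts every sector past
    the end of the shorter copy as different, so a short read shows up as a
    run of trailing sectors instead of being hidden.
    """
    n = (max(len(good), len(bad)) + sector - 1) // sector
    return [i for i in range(n)
            if good[i * sector:(i + 1) * sector] != bad[i * sector:(i + 1) * sector]]


def runs(indices):
    """Collapse sorted sector indices into (first, last) ranges.

    [0, 1, 2, 7] -> [(0, 2), (7, 7)]; a long run points at a region of the
    disc, scattered singletons point at the transport.
    """
    out = []
    for i in indices:
        if out and out[-1][1] == i - 1:
            out[-1] = (out[-1][0], i)
        else:
            out.append((i, i))
    return out


def read_stable(path, times=3, chunk=64 * SECTOR):
    """Read `path` `times` times and return the set of distinct MD5 digests.

    One digest means the reads are repeatable (a consistently wrong file);
    more than one means the drive or driver returns different bytes on each
    pass, which no amount of relabeling or SELinux tuning will fix.
    """
    digests = set()
    for _ in range(times):
        h = hashlib.md5()
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
        digests.add(h.hexdigest())
    return digests


if __name__ == "__main__":
    # usage: python cdcheck.py KNOWN_GOOD SUSPECT
    # Both files are read into memory, which is fine for a diagnostic on a
    # single CD-sized file.
    if len(sys.argv) != 3:
        sys.exit("usage: %s KNOWN_GOOD SUSPECT" % sys.argv[0])
    good = open(sys.argv[1], "rb").read()
    bad = open(sys.argv[2], "rb").read()
    total = (max(len(good), len(bad)) + SECTOR - 1) // SECTOR
    print("md5 good    %s" % md5_hex(good))
    print("md5 suspect %s" % md5_hex(bad))
    bad_idx = diff_sectors(good, bad)
    print("%d of %d sectors differ: %s" % (len(bad_idx), total, runs(bad_idx)))
    print("distinct digests over 3 reads of suspect: %s"
          % sorted(read_stable(sys.argv[2])))
```

Run it with `file.w2k-to-fc3` as the known-good copy and `file.cdrom-fc3` as the suspect: if the second line shows more than one digest, the FC3 box is not reading the disc the same way twice, and the sector ranges tell you whether the damage is localised or spread across the whole file.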