current targeted policy errors
by Joe Orton
There are a bunch of avc messages on bootup with a current-ish Raw Hide
system; are these known about?
audit(1110459676.136:0): avc: denied { read } for pid=1696
exe=/sbin/ip path=/init dev=rootfs ino=23
scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:root_t
tclass=file
audit(1110459676.264:0): avc: denied { read } for pid=1700
exe=/sbin/iwconfig path=/init dev=rootfs ino=23
scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:root_t
tclass=file
audit(1110459676.343:0): avc: denied { read } for pid=1702
exe=/sbin/ethtool path=/init dev=rootfs ino=23
scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:root_t
tclass=file
(some repeated many times)
joe
19 years, 1 month
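As an added example (not part of Joe's post or of any Fedora tool), here is a small Python parser for the kernel AVC format shown above. It reads the denial records, keys them by source type, target type and object class, unions the permissions and counts how often each combination fired. That is the triage step a policy maintainer does before deciding whether a denial calls for a relabel, a boolean or a new allow rule; the standard tool for the same job is audit2allow. The sample input is constructed from the denials quoted in this thread (re-joined onto one line each, since the archive wrapped them) plus the mysqld denial from Roger's post further down, with a syslog prefix, to show the parser tolerates it.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the posts on this page, one record
# per line. The last line carries a syslog prefix, as it appears in /var/log/messages.
SAMPLE_LOG = """\
audit(1110459676.136:0): avc: denied { read } for pid=1696 exe=/sbin/ip path=/init dev=rootfs ino=23 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:root_t tclass=file
audit(1110459676.264:0): avc: denied { read } for pid=1700 exe=/sbin/iwconfig path=/init dev=rootfs ino=23 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:root_t tclass=file
audit(1110459676.343:0): avc: denied { read } for pid=1702 exe=/sbin/ethtool path=/init dev=rootfs ino=23 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:root_t tclass=file
Mar 9 08:31:16 link kernel: audit(1110353476.148:0): avc: denied { search } for pid=32084 exe=/usr/libexec/mysqld name=webmessenger dev=dm-0 ino=7488135 scontext=root:system_r:mysqld_t tcontext=root:object_r:user_home_t tclass=dir
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    rec.update(KV_RE.findall(m.group("rest")))  # pid, exe, path, scontext, ...
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class): union the permissions,
    count the events and remember which executables triggered them."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "exes": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["exes"].add(rec.get("exe", "?"))
    return dict(groups)


def format_summary(groups):
    """One line per (source, target, class) group, in a rule-like notation."""
    lines = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        exes = ", ".join(sorted(g["exes"]))
        lines.append(f"{g['count']:4d}x {src} -> {tgt}:{cls} {{ {perms} }}  via {exes}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(SAMPLE_LOG)))
```

Run against the sample, the three bootup denials collapse into a single ifconfig_t -> root_t:file { read } line with a count of 3, which makes clear that the issue is one policy gap (or one mislabeled file, /init on rootfs) hit by three programs rather than three separate problems, and the mysqld_t -> user_home_t:dir { search } line from Roger's report stands on its own.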
Access other disk partitions (fat32)
by Pedro Gonçalves
Hello,
I have Fedora Core 3 and Windows installed on my computer, but when I'm
using Fedora I can't access the other partitions where I have my documents.
Before, I had Mandrakelinux and I could access the other partitions easily.
So, I'd like to know what I have to do to solve this problem.
Thank you
Regards,
Pedro Goncalves
19 years, 1 month
RE: [newbie] setenforce 1 breaks ~user
by Peter George
touch /.autorelabel
reboot
Is the way forward then. Thank you.
:-)
P
--
Peter George CIW CI
Training Manager
Net Resources Ltd
26 Palmerston Place, Edinburgh, EH12 5AL
T: 0131 477 7127 F: 0131 477 7126
http://www.netresources.co.uk
-----Original Message-----
From: fedora-selinux-list-bounces(a)redhat.com on behalf of Eric Paris
Sent: Wed 09/03/2005 18:34
To: Fedora SELinux support list for users & developers.
Subject: Re: [newbie] setenforce 1 breaks ~user
I think I understand your problem to be that the home directories are
just left over from the old system and have absolutely no context. If
so you should be able to run
restorecon -R -v /home
to have everything under /home labeled correctly. I believe anything
in /home/[^/]+/public_html will get labeled with
system_u:object_r:httpd_user_content_t which should work.
If you want to relabel the whole system run
touch /.autorelabel
reboot
On Wed, 2005-03-09 at 18:18 +0000, Peter George wrote:
> I recently upgraded to FC3 + Apache 2.0. from RH7.3 + Apache 1.3. Currently running ext3 filesystem.
>
> /home/*/public_html/ files do not have SELinux extended attributes therefore I cannot change the security context on files.
>
> I cannot see www.domain/~user with # /usr/sbin/setenforce 1 it has to be /usr/sbin/setenforce 0
>
> I know I can force file relabelling to include extended attributes (forgotten the url with the helpful command just now) with a reboot, and then follow the '# chcon' directives at
> http://fedora.redhat.com/docs/selinux-apache-fc3/sn-user-homedir.html
>
> i.e.
>
> # chcon -Rt httpd_sys_content_t /home/*/public_html/
> # /usr/sbin/setenforce 1
>
> Any web references or advice appreciated.
>
> P
> --
> Peter George CIW CI
> Training Manager
> Net Resources Ltd
> 26 Palmerston Place, Edinburgh, EH12 5AL
> T: 0131 477 7127 F: 0131 477 7126
> http://www.netresources.co.uk
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
19 years, 1 month
Selinux symposium presentations
by Frank Mayer
FYI, soft copies of all the presentations from last week's SELinux Symposium
are now posted on the symposium's web site (www.selinux-symposium.org). In
general, I think the symposium was a great success, and the participation
was much greater than we originally expected. Hopefully signs of good things
to come with this technology. Stay tuned for the dates and call for next
year's event! Frank
19 years, 1 month
help required to create SELinux based LiveCD for Fedora core 3
by KLN Murthy
Please help me creating an SELinux based LiveCD for Fedora Core 3, with steps.
K L N Murthy
( System Administrator )
Network Programs ( India ) Ltd.
B-1-C, Sector 10
Noida - 201301
Tel: +91 120 2536622
Fax : +91 120 2536625
********************************************************************************
Network Programs is a SEI-CMM Level 5 & ISO 9001: 2000 Certified Company
********************************************************************************
The information contained in this communication (including any attachments) is
intended solely for the use of the individual or entity to whom it is addressed
and others authorized to receive it. It may contain confidential or legally
privileged information. If you are not the intended recipient you are hereby
notified that any disclosure, copying, distribution or taking any action in
reliance on the contents of this information is strictly prohibited and may be
unlawful. If you have received this communication in error, please notify us
immediately by responding to this email and delete it from your system.
Network Programs (India) Limited is neither liable for the proper and complete
transmission of the information contained in this communication nor for any
delay in its receipt.
********************************************************************************
19 years, 1 month
How to change rule for mysql
by Roger Grosswiler
Hi,
I have this in my log:
Mar 9 08:31:16 link kernel: audit(1110353476.148:0): avc: denied {
search } for pid=32084 exe=/usr/libexec/mysqld name=webmessenger
dev=dm-0 ino=7488135 scontext=root:system_r:mysqld_t
tcontext=root:object_r:user_home_t tclass=dir
So, I went to
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2825232
to see how I could make mysql work. I was looking for the apache.te (has
nothing to do with my problem) for the other example, assuming I could
change a value in something like mysql.te.
All I found was /selinux/booleans/mysqld_disable_trans where I think I
would have to set 1 1 in it.
1) Is this correct?
2) How can I do this with root (root hasn't rights to do that)?
Thanks
Roger
19 years, 1 month
shc - Generic shell script compiler ??
by Justin Conover
Does anyone see this as being a decent program? Do you think it
encrypts the script well enough, or is it easily crackable? If it is a
decent program, do you see a need for it in Fedora Extras or
something as an added security mechanism? Although I imagine with the
fine-grained control of SELinux this probably isn't really needed. Any
thoughts?
http://www.datsi.fi.upm.es/%7Efrosal/sources/shc.html
http://www.datsi.fi.upm.es/%7Efrosal/sources/CHANGES
http://www.datsi.fi.upm.es/%7Efrosal/sources/shc-3.7.tgz
http://www.linuxsecurity.com/content/view/117920/49/
" shc itself is not a compiler such as cc, it rather encodes
and encrypts a shell script and generates C source code with
the added expiration capability. It then uses the system
compiler to compile a stripped binary which behaves exactly
like the original script. Upon execution, the compiled
binary will decrypt and execute the code with the shell -c
option. Unfortunately, it will not give you any speed
improvement as a real C program would.
shc's main purpose is to protect your shell scripts from
modification or inspection. You can use it if you wish to
distribute your scripts but don't want them to be easily
readable by other people."
19 years, 1 month
/proc Q
by Holger Burde
Hi;
Filesystems with no support for persistent labels have no context, but I
found corresponding type declarations (rawhide.strict: types/procfs.te or
fc3:targeted types/procfs.te) and usage (domains/program zebra.te: allow
zebra_t proc_t:file { getattr read };). Is this dummy stuff or have I
missed something?
hb
--
Holger Burde <hburde(a)t-online.de>
19 years, 1 month
Re: selinux and ASP for Linux
by Jason Dravet
Thank you Karsten for the links, I will read them this afternoon.
Daniel,
I am using a fully patched FC3 install. I don't know why ASP for Linux is
trying to access the tty devices. My guess as to why it is executing locale
stuff is because of the ASP for Linux administration page. The locale
messages only pop up if I go to those pages. For the record, ASP for Linux was
formerly Chilisoft software.
Thanks,
Jason
19 years, 1 month
nis+ and selinux targeted (nscd/ntpd problems)
by Niki Waibel
If you run FC3 and nis-utils-1.4.1 it is necessary to
add the following in
/etc/selinux/targeted/src/policy/domains/misc/custom.te
to make nscd run properly:
===
allow nscd_t file_t:file { read write };
#EXE=/usr/sbin/nscd NAME=passwd : read write
allow nscd_t file_t:file getattr;
#EXE=/usr/sbin/nscd PATH=/var/db/nscd/passwd : getattr
#EXE=/usr/sbin/nscd PATH=/var/db/nscd/group : getattr
#EXE=/usr/sbin/nscd PATH=/var/db/nscd/hosts : getattr
allow nscd_t var_t:file { getattr read };
#EXE=/usr/sbin/nscd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/nscd PATH=/var/nis/NIS_COLD_START : getattr
allow nscd_t var_run_t:sock_file write;
#EXE=/usr/sbin/nscd NAME=keyservsock : write
allow nscd_t unconfined_t:unix_stream_socket connectto;
#EXE=/usr/sbin/nscd PATH=/var/run/keyservsock : connectto
===
I don't know if
===
allow nscd_t file_t:file { read write };
allow nscd_t file_t:file getattr;
allow nscd_t var_t:file { getattr read };
===
are really a good choice ...
nscd (if you have nisplus in /etc/nsswitch.conf) accesses
the files in /var/db/nscd (getattr, read, write) and /var/nis.
Maybe there should be something like var_nis_t and var_db_nscd_t?
I am not sure if /etc/{passwd,group,hosts} are accessed as well...
Using nis+ I've also figured out that ntpd needs some additional rules:
===
allow ntpd_t var_t:file { getattr read };
#EXE=/usr/sbin/ntpd NAME=NIS_COLD_START : read
#EXE=/usr/sbin/ntpd PATH=/var/nis/NIS_COLD_START : getattr
allow ntpd_t var_run_t:sock_file write;
#EXE=/usr/sbin/ntpd NAME=keyservsock : write
allow ntpd_t unconfined_t:unix_stream_socket connectto;
#EXE=/usr/sbin/ntpd PATH=/var/run/keyservsock : connectto
===
Can this be integrated into the standard targeted policy?
--
niki w. waibel - system administrator @ newlogic technologies ag
19 years, 1 month
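As an added example (not part of Niki's post or of the Fedora policy sources), here is a small Python helper that normalizes a batch of custom.te allow rules like the ones posted above. It parses the two forms the post uses (a single permission and a braced permission set), merges rules that share the same source type, target type and object class into one statement, and flags rules whose target is a type from a configurable suspect list. The list defaults to file_t, which is the type carried by files that have no label at all; a rule granting a daemon access to file_t usually papers over a labeling gap (a missing file_contexts entry or a relabel not yet run) rather than fixing it, which is exactly the doubt the post raises about its first two rules. The sample input is the nscd and ntpd rules from the post with the "#EXE=..." provenance comments removed.

```python
import re
from collections import OrderedDict

# Constructed sample: the allow rules posted above, verbatim, without the
# "#EXE=..." comment lines that explained where each one came from.
SAMPLE_TE = """\
allow nscd_t file_t:file { read write };
allow nscd_t file_t:file getattr;
allow nscd_t var_t:file { getattr read };
allow nscd_t var_run_t:sock_file write;
allow nscd_t unconfined_t:unix_stream_socket connectto;
allow ntpd_t var_t:file { getattr read };
allow ntpd_t var_run_t:sock_file write;
allow ntpd_t unconfined_t:unix_stream_socket connectto;
"""

# allow <src> <tgt>:<class> <perm>;   or   allow <src> <tgt>:<class> { perm perm };
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;\s*(?:#.*)?$"
)


def parse_allow(line):
    """Parse one allow statement. Returns (src, tgt, cls, set_of_perms),
    or None for comments, blank lines and anything that is not an allow rule."""
    m = ALLOW_RE.match(line)
    if not m:
        return None
    src, tgt, cls, braced, single = m.groups()
    perms = set(braced.split()) if braced is not None else {single}
    return src, tgt, cls, perms


def merge_rules(te_text):
    """Union the permissions of all rules sharing (source, target, class),
    keeping the order in which each triple was first seen."""
    merged = OrderedDict()
    for line in te_text.splitlines():
        parsed = parse_allow(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        merged.setdefault((src, tgt, cls), set()).update(perms)
    return merged


def render(merged):
    """Emit one allow statement per triple, permissions sorted for stable diffs."""
    out = []
    for (src, tgt, cls), perms in merged.items():
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return "\n".join(out)


def questionable_targets(merged, suspect_types=("file_t",)):
    """Return the (src, tgt, cls) triples whose target type is in suspect_types.
    file_t is the type of unlabeled files, so access to it is a labeling problem
    to investigate, not a permission to grant."""
    return [key for key in merged if key[1] in suspect_types]


if __name__ == "__main__":
    rules = merge_rules(SAMPLE_TE)
    print(render(rules))
    for key in questionable_targets(rules):
        print("# check labeling before keeping:", key)
```

On the sample the two nscd_t/file_t rules collapse into one statement with getattr, read and write, and that same triple is the only one reported as questionable; the var_t, var_run_t and unconfined_t rules pass through unchanged.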