1105 fails to boot....
by Tom London
Running strict/enforcing, latest rawhide:
After installing latest packages, relabeling /etc, /bin, /lib, ....
and rebooting, the system produces lots of udev type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'
Boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type
bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied
{ read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17
scontext=system_u:system_r:hostname_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type
usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs
ino=17 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon name=customizable_types
dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied
{ read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied
{ use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied
{ read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652,
dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070
ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd:
ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using
/var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
18 years, 4 months
Is there a SELinux tutorial for ISVs ?
by Davide Bolcioni
Greetings,
I was looking for directions about how an ISV would roll its own policy for
the packages it ships. A very basic and step-by-step tutorial, for tiny
minds :-)
Thank you for your consideration,
Davide Bolcioni
18 years, 10 months
awstats
by Farkas Levente
hi,
we use http://awstats.sourceforge.net/ to generate http web statistics.
in order to generate data there is an hourly cron job which collects the
statistics from the webserver's log file. but this script uses the same
collection of perl scripts which generates the web pages.
how can i solve it?
i found this description:
http://yanbaru.dyndns.org/linux/fedora2awstats.html
although i don't really like local.te.
are there any 'default' settings for awstats?
i wish we had some kind of default policy which includes rules for
awstats too :-0
yours.
--
Levente "Si vis pacem para bellum!"
18 years, 10 months
nagios_log_t missing
by Farkas Levente
hi,
there is a nagios_log_t used in nagios.fc but it is never defined
(missing). so when we try to apply it we get these errors:
---------------------------------------------
# chcon -R -t nagios_log_t /var/log/nagios
chcon: failed to change context of /var/log/nagios to
system_u:object_r:nagios_log_t: Invalid argument
chcon: failed to change context of /var/log/nagios/rw to
system_u:object_r:nagios_log_t: Invalid argument
chcon: failed to change context of /var/log/nagios/archives to
system_u:object_r:nagios_log_t: Invalid argument
chcon: failed to change context of /var/log/nagios/.bash_history to
user_u:object_r:nagios_log_t: Invalid argument
---------------------------------------------
how can i fix it?
dan could you create updated rpms which fix it in
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/ ?:-)
yours.
--
Levente "Si vis pacem para bellum!"
18 years, 10 months
snmpd proc monitoring problem
by Carlos Pastorino
Hello,
I've inserted the following line in my /etc/snmpd.conf file:
proc sshd
Then I executed the following command:
snmpwalk -On -v2c -c public localhost .1.3.6.1.4.1.2021.2.1
and got the answer:
.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.101.1 = STRING: No sshd process running.
.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
But, if I execute the command below:
setenforce 0
I get the correct answer:
.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.101.1 = STRING:
.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
The problem is, nothing shows up on /var/log/messages to allow me to
figure out how to tweak the
/etc/selinux/targeted/src/policy/domains/program/snmpd.te file.
Any hints?
Regards,
Carlos
18 years, 10 months
selinux-policy-strict-1.23.13-4: suggestions?
by Tom London
Running strict/enforcing, latest rawhide.
I finally got around to 'blowing the dust off' of my strict PC. I
updated to latest rawhide, did a 'fixfiles relabel', and rebooted.
Graphical login failed. Appears that xdm is failing on creating a sem:
Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc: denied
{ create } for key=1417649221 scontext=system_u:system_r:xdm_t
tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc: denied
{ unix_read unix_write } for key=199061348
scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t
tclass=sem
Adding:
allow xdm_t self:sem { create unix_read unix_write };
to xdm.te seems to fix this. That OK?
Also, running firefox proxied through privoxy generates:
Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc: denied
{ name_connect } for dest=8118 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
or
allow user_mozilla_t port_t:tcp_socket name_connect;
That right?
Going through /var/log/messages:
Early on, I get this:
Apr 30 13:27:05 fedora kernel: SELinux: Completing initialization.
Apr 30 13:27:05 fedora kernel: SELinux: Setting up existing superblocks.
Apr 30 13:27:05 fedora kernel: audit(1114867589.097:0): avc: denied
{ write } for path=pipe:[1886] dev=pipefs ino=1886
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Apr 30 13:27:05 fedora kernel: SELinux: initialized (dev hda2, type
ext3), uses xattr
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev tmpfs, type
tmpfs), uses transition SIDs
and
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: audit(1114867589.937:0): avc: denied
{ read } for name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867589.939:0): avc: denied
{ read } for name=class@vc@vcs1 dev=tmpfs ino=1830
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev usbfs, type
usbfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: audit(1114867590.492:0): avc: denied
{ create } for name=input scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867590.494:0): avc: denied
{ create } for name=input scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867591.604:0): avc: denied
{ write } for name=class@vc@vcs1 dev=tmpfs ino=1830
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.627:0): avc: denied
{ write } for name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.754:0): avc: denied
{ read } for name=class@vc@vcs1 dev=tmpfs ino=1830
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.764:0): avc: denied
{ read } for name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867592.051:0): avc: denied
{ write } for name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
<<<<SNIP>>>>
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied
{ search } for name=485 dev=proc ino=31784962
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied
{ search } for name=494 dev=proc ino=32374786
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:initrc_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied
{ search } for name=545 dev=proc ino=35717122
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:hotplug_t tclass=dir
and
Apr 30 13:27:08 fedora kernel: ohci1394: fw-host0: OHCI-1394 1.0
(PCI): IRQ=[11] MMIO=[ed100000-ed1007ff] Max Packet=[2048]
Apr 30 13:27:08 fedora kernel: audit(1114867609.739:0): avc: denied
{ getattr } for path=/etc/hotplug dev=hda2 ino=4472955
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 30 13:27:09 fedora kernel: audit(1114867609.739:0): avc: denied
{ search } for name=hotplug dev=hda2 ino=4472955
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir
and
Apr 30 13:27:10 fedora kernel: audit(1114892828.091:0): avc: denied
{ execute } for name=auto.net dev=hda2 ino=4474546
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:automount_etc_t tclass=file
Apr 30 13:27:10 fedora kernel: audit(1114892828.595:0): avc: denied
{ write } for name=/ dev=hda2 ino=2
scontext=system_u:system_r:automount_t
tcontext=system_u:object_r:root_t tclass=dir
Apr 30 13:27:10 fedora kernel: audit(1114892828.677:0): avc: denied
{ dac_override } for capability=1
scontext=system_u:system_r:automount_t
tcontext=system_u:system_r:automount_t tclass=capability
Apr 30 13:27:10 fedora kernel: audit(1114892828.787:0): avc: denied
{ write } for name=/ dev=hda2 ino=2
scontext=system_u:system_r:automount_t
tcontext=system_u:object_r:root_t tclass=dir
Sorry if these are already fixed.
tom
--
Tom London
18 years, 10 months
gpg through apache and php?
by brett
Hi,
I had to disable SELinux on my apache httpd in order to get my php scripts
to work. They proc_open() gpg and SELinux didn't like that. Is there
any way to allow gpg to get through proc_open() so i can still have SELinux
checking up on my webserver?
Thanks in advance,
-brett
18 years, 10 months
apache + mod_perl + sendmail - FC3 SELinux
by Joe Roback
FC3 2.6.11-1.14_FC3
SELinux related rpms:
libselinux-1.19.1-8
libselinux-devel-1.19.1-8
selinux-policy-targeted-1.17.30-2.96
perl-5.8.5-9
sendmail-8.13.1-2
httpd-2.0.52-3.1
I am using software from http://software.eprints.org, a web application
that uses mod_perl. It sends emails for registering users and forgotten
passwords. Any time an email is fired off, syslog shows this:
Apr 28 21:48:23 dlist kernel: audit(1114750103.574:0): avc: denied {
read } for pid=25276 exe=/usr/sbin/httpd name=sendmail dev=dm-0
ino=368559 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:sbin_t tclass=lnk_file
I have also tried sending email with PHP's mail() call and it resulted in:
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc: denied {
write } for pid=25276 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=dm-0 ino=2310265 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc: denied {
add_name } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=dfj3T4mNH8025276 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.679:0): avc: denied {
create } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=dfj3T4mNH8025276 scontext=root:system_r:system_mail_t
tcontext=root:object_r:var_spool_t tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.680:0): avc: denied {
getattr } for pid=25276 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfj3T4mNH8025276 dev=dm-0 ino=2311458
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.680:0): avc: denied {
lock } for pid=25276 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfj3T4mNH8025276 dev=dm-0 ino=2311458
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.680:0): avc: denied {
write } for pid=25276 exe=/usr/sbin/sendmail.sendmail
path=/var/spool/clientmqueue/dfj3T4mNH8025276 dev=dm-0 ino=2311458
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.687:0): avc: denied {
read } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=dfj3T4mNH8025276 dev=dm-0 ino=2311458
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc: denied {
remove_name } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=tfj3T4mNH8025276 dev=dm-0 ino=2311462
scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc: denied {
rename } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=tfj3T4mNH8025276 dev=dm-0 ino=2311462
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc: denied {
unlink } for pid=25276 exe=/usr/sbin/sendmail.sendmail
name=qfj3T4mNH8025276 dev=dm-0 ino=2311461
scontext=root:system_r:system_mail_t tcontext=root:object_r:var_spool_t
tclass=file
Apr 28 21:48:23 dlist kernel: audit(1114750103.696:0): avc: denied {
read } for pid=25276 exe=/usr/sbin/sendmail.sendmail name=clientmqueue
dev=dm-0 ino=2310265 scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 28 21:48:23 dlist kernel: audit(1114750103.901:0): avc: denied {
sigchld } for pid=1 exe=/sbin/init scontext=root:system_r:system_mail_t
tcontext=user_u:system_r:unconfined_t tclass=process
This is really troubling, since sending email through a CGI application
is probably the most basic web application there is. Any help would be
greatly appreciated. This is my first time dealing with SELinux, so I am
newbie here. :)
sestatus:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: disabled
Policy version: 18
Policy from config file:targeted
Policy booleans:
allow_ypbind active
dhcpd_disable_trans inactive
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified active
mysqld_disable_trans inactive
named_disable_trans inactive
named_write_master_zones inactive
nscd_disable_trans inactive
ntpd_disable_trans inactive
portmap_disable_trans inactive
postgresql_disable_trans inactive
snmpd_disable_trans inactive
squid_disable_trans inactive
syslogd_disable_trans inactive
use_nfs_home_dirs inactive
use_samba_home_dirs inactive
use_syslogng inactive
winbind_disable_trans inactive
ypbind_disable_trans inactive
I am not sure what other information might be helpful, but ask and you
shall receive. :)
cheers,
Joe Roback
<robackja(a)cs.arizona.edu>
18 years, 10 months
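An added example in Python (not from any post in this thread): it re-joins the AVC records that the archive wraps across lines, merges the denied permissions per source type, target type and object class, and renders them as allow rules; run on the three denials from the xdm/privoxy post it reproduces the two rules Tom London wrote by hand. It assumes the field order scontext=, tcontext=, tclass= seen in these logs.

```python
import re
from collections import defaultdict

# Constructed sample: three denials copied from the xdm/privoxy post above, wrapped as the archive renders them.
SAMPLE_LOG = """\
Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc: denied
{ create } for key=1417649221 scontext=system_u:system_r:xdm_t
tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc: denied
{ unix_read unix_write } for key=199061348
scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t
tclass=sem
Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc: denied
{ name_connect } for dest=8118 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

# A record starts at a syslog timestamp; any other line is a wrapped continuation.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
# Assumes the field order these kernels log: ... scontext= tcontext= tclass=
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def unwrap(text):
    """Re-join log records that the archive split across several lines."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_avcs(text):
    """Return (perms, source_type, target_type, tclass) for every denial."""
    found = []
    for m in filter(None, map(AVC_RE.search, unwrap(text))):
        # the type is the third field of a security context
        stype, ttype = m["scon"].split(":")[2], m["tcon"].split(":")[2]
        found.append((frozenset(m["perms"].split()), stype, ttype, m["tclass"]))
    return found

def allow_rules(text):
    """Merge permissions per (source, target, class) into allow rules; 'self' when target == source."""
    needed = defaultdict(set)
    for perms, stype, ttype, tclass in parse_avcs(text):
        needed[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        target = "self" if ttype == stype else ttype
        plist = sorted(perms)
        shown = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {shown};")
    return rules
```

Treat the output as candidates to review rather than rules to apply as-is: a denial caused by a mislabelled file (compare the nagios_log_t thread above) is fixed by correcting the label, not by widening the policy.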
MLS permission map
by Frank Mayer
I've been working through the new MLS implementation (a nice improvement by
the way). I see how the old method of mapping permissions to read or write
is changed and instead these ideas are implemented in the constraints
definitions. I like that too since a policy writer can tweak their notion of
reads and writes (which given the volume of covert channels that will be
present, will allow one to change how strict they want to be).
My question is: although the mapping is not explicit, it is still there. In
the current sample policy, has someone captured the justification for which
permissions are restricted and which are not? Which are being treated as
reads, writes, both or neither? Ultimately for any certifiable security
policy we'll need to justify this mapping. I especially ask both to see if
the model we have built into apol's permmap is consistent with the MLS
mappings, as well as for the reference policy work we're doing that Karl
mentioned earlier.
Thanks,
Frank
18 years, 10 months
Starting Linux in Single mode with selinux=enforcing
by Ronny
Hi all, I have enabled selinux in enforcing mode, but when I rebooted I
get a Kernel Panic. I know I made a mistake: I didn't create policies. So how
do I boot in single mode to edit the line back to its original?
I am using Fedora Core 3 with grub but can't go to single mode.
Thanks in advance
Ronny
--
***************************************************************************
/ ''We can't become what we need to be by remaining what we are''\
\ ,, ,,/
***************************************************************************
18 years, 10 months