April 2005 - selinux - Fedora Mailing-Lists

selinux-policy-targeted-1.23.12-4: /proc {search} failures ?

by Tom London

Running targeted/enforcing, latest rawhide. Rebooting after today's updates (including .1261 and selinux-policy-targeted-1.23.12-4), graphical logins fail. Looks like search access to /proc/PROCESS-ID directories are failing. (Also show an early hotplug attempt at writing to sysfs_t). I worked around this by doing an 'ALT-CTL-F2', and logging in on the text console, and doing a 'setenforce 0'. Reverting to graphical via 'ALT-CTL-F7' now allows login. /var/log messages show a very large number of avcs, including many that look like: Apr 23 13:04:18 localhost dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67 Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1 Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcsa7 dev=sysfs ino=7003 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir Apr 23 13:04:19 localhost NET[2301]: /sbin/dhclient-script : updated /etc/resolv.conf and Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=3 dev=proc ino=196610 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=4 dev=proc ino=262146 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir <<<<SNIP many, many >>>> Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2103 dev=proc ino=137822210 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2111 dev=proc ino=138346498 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2476 dev=proc ino=162267138 scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t tclass=dir Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2530 dev=proc ino=165806082 scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t tclass=dir Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2548 dev=proc ino=166985730 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2575 dev=proc ino=168755202 scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t tclass=dir <<<<SNIP many, many.... >>>> etc. etc. Is this a policy change, or did something else change? Or, did I just botch it again? thanks, tom -- Tom London

18 years, 12 months

2
2
0 / 0

Experiences with selinux enabled targetted on Fedora Core 3

by Richard E Miles

In order to become more familiar with the selinux capabilities I did the following: Started selinux in permissive mode for targetted. I recieved warnings for the following services: portmap, ntpd, and ntpdate. I then ran fixfiles check. After it ran for quite some time. It did not report any problems. So I enabled targetted and rebooted. I then received error warnings for the same services. The following relevent messages from dmesg follow: <snip> EXT3-fs: mounted filesystem with ordered data mode. security: 3 users, 4 roles, 319 types, 20 bools security: 53 classes, 10805 rules SELinux: Completing initialization. SELinux: Setting up existing superblocks. SELinux: initialized (dev hda2, type ext3), uses xattr SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts SELinux: initialized (dev mqueue, type mqueue), not configured for labeling SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling SELinux: initialized (dev devpts, type devpts), uses transition SIDs SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts SELinux: initialized (dev pipefs, type pipefs), uses task SIDs SELinux: initialized (dev sockfs, type sockfs), uses task SIDs SELinux: initialized (dev proc, type proc), uses genfs_contexts SELinux: initialized (dev bdev, type bdev), uses genfs_contexts SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts <snip> ip_tables: (C) 2000-2002 Netfilter core team ip_conntrack version 2.1 (2047 buckets, 16376 max) - 360 bytes per conntrack eth0: link up, 100Mbps, full-duplex, lpa 0x45E1 audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts <snip> IPv6 over IPv4 tunneling driver divert: not allocating divert_blk for non-ethernet device sit0 audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.763:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir Obviously something is amiss. I do not know how to correct these messages for the services. Does anyone know how the fix this delemma? If not should I bugzilla it? -- Richard E Miles Federal Way WA. USA registered linux user 46097

18 years, 12 months

10
22
0 / 0

Adding Raid 5 partition

by stuart

I have added 3 extra disks to my system, which i have created a new raid5 device on /dev/md0. I wish to use this device to serve webpages, but when i change the document root directive in my httpd.conf, and restart the httpd server, i get the error that this directory does not exist. I have properly labeled md0 with "e2label" command and added the approriate stanza in my "/etc/fstab" to mount the directory automatically on boot. I have Selinux running on targeted policy and i have attempted to use "fixfiles" and "restorecon" so that Selinux recoginizes it.. But i am yet to have success. I have also tried just using a normal ext3 partition, that i created after installation, and i get the same error. Stuart James

19 years

2
3
0 / 0

Problems with Mailman under strict

by David Hampton

I just started having problem with mailman on my FC3/strict 1.23.10-2 system, but I believe the change is unrelated to policy changes. It seems that the mailman init script now explicitly invokes python mailmanctl -s -q start instead of just mailmanctl -s -q start This prevents the domain_auto_trans rule in mailman.te from switching domains from initrc_t to mailman_mail_t. Fixing the mailman init file has solved my problem for now, but this will just reappear with every upgrade to the mailman package. Any chance of fixing the mailman package? David

19 years

2
1
0 / 0

Serving a loopback mounted ISO with Apache

by Christofer C. Bell

I'm running Fedora Core 3 with selinux-policy-targeted-1.17.30-2.96 and I'd like to serve an ISO file I've mounted (the contents of the ISO, I don't care about the ISO itself). I've mounted it thusly: # mount -t iso9660 -o,loop PG2003-08.ISO gutenberg And I show that it's mounted properly: /var/www/html/PG2003-08.ISO on /var/www/html/gutenberg type iso9660 (rw,loop=/dev/loop0) Trying to read this content using a web-browser (via apache) gives me a 403 Forbidden. The reason is an avc denied: Apr 22 19:48:43 circe kernel: audit(1114217323.877:0): avc: denied { getattr } for pid=14889 exe=/usr/sbin/httpd path=/var/www/html/gutenberg dev=loop0 ino=1792 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:iso9660_t tclass=dir Unfortunately, I'm unable to relabel this content because the iso9660 filesystem does not support extended attributes: restorecon get context on /var/www/html/gutenberg/etext03/vbgle11h/images/pl41.jpg failed: 'Operation not supported' [ and so on ] I have relabeled the mountpoint itself without the ISO mounted. Is there a workaround or something I'm missing that I can do to make this content readable by apache? Thanks! -- Chris () ASCII Ribbon Campaign! /\ Say NO to HTML in Mail and News!

19 years

2
1
0 / 0

Tweaks to the amavis policy

by David Hampton

I've added support to the (unused) amavis policy to allow interaction with additional mail filters, and added a new type specifically for quarantined spam and viruses. I also tweaked the network access to limit ports that can be used by amavisd. I'd appreciate any feedback on these changes or tips on how to write better policies. Thanks. David P.S. These diffs are based on the files from the selinux-policy-strict- sources-1.22.1-2 rpm.

19 years

4
4
0 / 0

Tweaks to the clamav policy

by David Hampton

I've added support to the (unused) clamav policy to allow listening for service requests on a TCP socket, and for interacting with amavis. I also made some tweaks that tighten up the network access allowed by freshclam, split the freshclam and spamd log files into two different types, and make the clamd control socket a unique type. Thanks. David P.S. These diffs are based on the files from the selinux-policy-strict- sources-1.22.1-2 rpm.

19 years

4
4
0 / 0

Updates to amavisd [patch]

by David Hampton

The attached patch updates the (unused) amavisd policy to work with the changes in the FC strict/1.23.10-2 policy. It also fixes the access needed by tmpreaper to delete files from the caught spam/virus directory. David

19 years

2
1
0 / 0

Updates to clamav [patch]

by David Hampton

The attached patch updates the (unused) clamav policy to work with the changes in the FC strict/1.23.10-2 policy. It also fixes an access problem with the clamd socket. David

19 years

2
1
0 / 0

Updates to dcc [patch]

by David Hampton

The attached patch updates the (unused) dcc policy to work with the changes in the FC strict/1.23.10-2 policy. It also makes a couple of tweaks to the policy David

19 years

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux April 2005