selinux-policy-targeted-1.23.12-4: /proc {search} failures ?
by Tom London
Running targeted/enforcing, latest rawhide.
Rebooting after today's updates (including .1261 and
selinux-policy-targeted-1.23.12-4), graphical logins fail.
Looks like search access to /proc/PROCESS-ID directories is failing.
(Also show an early hotplug attempt at writing to sysfs_t).
I worked around this by doing an 'ALT-CTL-F2', and logging in on the
text console, and doing a 'setenforce 0'. Reverting to graphical via
'ALT-CTL-F7' now allows login.
/var/log messages show a very large number of avcs, including many
that look like:
Apr 23 13:04:18 localhost dhclient: DHCPREQUEST on eth0 to
255.255.255.255 port 67
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc:
denied { write } for name=vcs7 dev=sysfs ino=6997
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc:
denied { write } for name=vcsa7 dev=sysfs ino=7003
scontext=system_u:system_r:hotplug_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 23 13:04:19 localhost NET[2301]: /sbin/dhclient-script : updated
/etc/resolv.conf
and
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:
denied { search } for name=2 dev=proc ino=131074
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:
denied { search } for name=3 dev=proc ino=196610
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc:
denied { search } for name=4 dev=proc ino=262146
scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t
tclass=dir
<<<<SNIP many, many >>>>
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:
denied { search } for name=2103 dev=proc ino=137822210
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:
denied { search } for name=2111 dev=proc ino=138346498
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:
denied { search } for name=2303 dev=proc ino=150929410
scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:
denied { search } for name=2476 dev=proc ino=162267138
scontext=system_u:system_r:init_t tcontext=system_u:system_r:initrc_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:
denied { search } for name=2530 dev=proc ino=165806082
scontext=system_u:system_r:init_t tcontext=system_u:system_r:portmap_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:
denied { search } for name=2548 dev=proc ino=166985730
scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t
tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc:
denied { search } for name=2575 dev=proc ino=168755202
scontext=system_u:system_r:init_t tcontext=system_u:system_r:rpcd_t
tclass=dir
<<<<SNIP many, many.... >>>>
etc. etc.
Is this a policy change, or did something else change? Or, did I just
botch it again?
thanks,
tom
--
Tom London
Experiences with SELinux enabled targeted on Fedora Core 3
by Richard E Miles
In order to become more familiar with the selinux capabilities I did the
following:
Started SELinux in permissive mode for targeted. I received warnings for the
following services:
portmap, ntpd, and ntpdate.
I then ran fixfiles check. After it ran for quite some time, it did not
report any problems.
So I enabled targeted and rebooted. I then received error warnings for the
same services. The following relevant messages from dmesg follow:
<snip>
EXT3-fs: mounted filesystem with ordered data mode.
security: 3 users, 4 roles, 319 types, 20 bools
security: 53 classes, 10805 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
<snip>
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (2047 buckets, 16376 max) - 360 bytes per conntrack
eth0: link up, 100Mbps, full-duplex, lpa 0x45E1
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts
<snip>
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.626:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.627:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.763:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.764:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.765:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.766:0): avc: denied { search } for pid=4180 exe=/usr/sbin/ntpd name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Obviously something is amiss. I do not know how to correct these messages for
the services. Does anyone know how to fix this dilemma? If not, should I
bugzilla it?
--
Richard E Miles
Federal Way WA. USA
registered linux user 46097
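Both posts above quote AVC denials in two layouts: the syslog-prefixed kernel lines in Tom's /var/log/messages and the bare dmesg lines (carrying pid= and exe=) in Richard's. As an added example, not code from either poster, here is a small Python parser that reads both, tallies denials by source type, target type, class and permission, renders each distinct denial as the allow rule audit2allow would propose, and flags the two patterns the threads show: a root directory labeled file_t (an unlabeled filesystem) and search denials on /proc/<pid>. The sample log is constructed from records quoted in the posts, with the wrapped lines rejoined.

```python
import re
from collections import Counter

# Constructed sample: records from both threads, each on a single line
# (Tom's syslog-wrapped lines rejoined; Richard's dmesg lines as-is).
SAMPLE_LOG = """\
Apr 23 13:05:15 localhost kernel: audit(1114286715.636:0): avc: denied { search } for name=2 dev=proc ino=131074 scontext=system_u:system_r:init_t tcontext=system_u:system_r:kernel_t tclass=dir
Apr 23 13:05:16 localhost kernel: audit(1114286715.638:0): avc: denied { search } for name=2303 dev=proc ino=150929410 scontext=system_u:system_r:init_t tcontext=system_u:system_r:dhcpc_t tclass=dir
Apr 23 13:04:18 localhost kernel: audit(1114286658.747:0): avc: denied { write } for name=vcs7 dev=sysfs ino=6997 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:sysfs_t tclass=dir
audit(1109009536.010:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009536.011:0): avc: denied { search } for pid=3541 exe=/sbin/portmap name=/ dev=hda2 ino=2 scontext=user_u:system_r:portmap_t tcontext=system_u:object_r:file_t tclass=dir
audit(1109009547.625:0): avc: denied { search } for pid=4176 exe=/usr/sbin/ntpdate name=/ dev=hda2 ino=2 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:file_t tclass=dir
Apr 23 13:04:18 localhost dhclient: DHCPACK from 10.10.192.1
"""

# "avc: denied { perm ... } for key=value ..." ; the syslog prefix is irrelevant.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return a dict of the record's key=value fields plus 'perms', or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group(2)))
    rec["perms"] = tuple(m.group(1).split())
    return rec

def type_of(context):
    """user:role:type -> type (third field of a security context)."""
    return context.split(":")[2]

def summarize(text):
    """Count denials by (source type, target type, object class, perms)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]),
                rec["tclass"], rec["perms"])] += 1
    return counts

def allow_rules(counts):
    """Render each distinct denial as an allow rule (audit2allow style)."""
    return sorted(f"allow {s} {t}:{cls} {{ {' '.join(p)} }};"
                  for (s, t, cls, p) in counts)

def diagnose(text):
    """Flag the two failure patterns seen in the threads."""
    notes = set()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec.get("name") == "/" and type_of(rec["tcontext"]) == "file_t":
            notes.add("filesystem root is file_t (unlabeled): relabel it, "
                      "and check that the filesystem supports xattrs")
        if rec.get("dev") == "proc" and "search" in rec["perms"]:
            notes.add("search denied on /proc/<pid>: compare policy versions "
                      "before relabeling, this is not a file label problem")
    return sorted(notes)
```

Feed it `/var/log/messages` or the output of `dmesg`; the allow rules are for reading, not for pasting into a local policy without review.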
Adding Raid 5 partition
by stuart
I have added 3 extra disks to my system, on which I have created a new
raid5 device on /dev/md0. I wish to use this device to serve webpages,
but when I change the document root directive in my httpd.conf, and
restart the httpd server, I get the error that this directory does not
exist. I have properly labeled md0 with "e2label" command and added the
appropriate stanza in my "/etc/fstab" to mount the directory
automatically on boot. I have SELinux running on targeted policy and I
have attempted to use "fixfiles" and "restorecon" so that SELinux
recognizes it. But I am yet to have success. I have also tried just
using a normal ext3 partition, that I created after installation, and I
get the same error.
Stuart James
Problems with Mailman under strict
by David Hampton
I just started having problems with mailman on my FC3/strict 1.23.10-2
system, but I believe the change is unrelated to policy changes. It
seems that the mailman init script now explicitly invokes
python mailmanctl -s -q start
instead of just
mailmanctl -s -q start
This prevents the domain_auto_trans rule in mailman.te from switching
domains from initrc_t to mailman_mail_t. Fixing the mailman init file
has solved my problem for now, but this will just reappear with every
upgrade to the mailman package. Any chance of fixing the mailman
package?
David
Serving a loopback mounted ISO with Apache
by Christofer C. Bell
I'm running Fedora Core 3 with selinux-policy-targeted-1.17.30-2.96
and I'd like to serve an ISO file I've mounted (the contents of the
ISO, I don't care about the ISO itself). I've mounted it thusly:
# mount -t iso9660 -o,loop PG2003-08.ISO gutenberg
And I show that it's mounted properly:
/var/www/html/PG2003-08.ISO on /var/www/html/gutenberg type iso9660
(rw,loop=/dev/loop0)
Trying to read this content using a web-browser (via apache) gives me
a 403 Forbidden. The reason is an avc denied:
Apr 22 19:48:43 circe kernel: audit(1114217323.877:0): avc: denied {
getattr } for pid=14889 exe=/usr/sbin/httpd
path=/var/www/html/gutenberg dev=loop0 ino=1792
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:iso9660_t
tclass=dir
Unfortunately, I'm unable to relabel this content because the iso9660
filesystem does not support extended attributes:
restorecon get context on
/var/www/html/gutenberg/etext03/vbgle11h/images/pl41.jpg failed:
'Operation not supported'
[ and so on ]
I have relabeled the mountpoint itself without the ISO mounted. Is
there a workaround or something I'm missing that I can do to make this
content readable by apache? Thanks!
--
Chris
() ASCII Ribbon Campaign!
/\ Say NO to HTML in Mail and News!
Tweaks to the amavis policy
by David Hampton
I've added support to the (unused) amavis policy to allow interaction
with additional mail filters, and added a new type specifically for
quarantined spam and viruses. I also tweaked the network access to
limit ports that can be used by amavisd. I'd appreciate any feedback on
these changes or tips on how to write better policies. Thanks.
David
P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm.
Tweaks to the clamav policy
by David Hampton
I've added support to the (unused) clamav policy to allow listening for
service requests on a TCP socket, and for interacting with amavis. I
also made some tweaks that tighten up the network access allowed by
freshclam, split the freshclam and spamd log files into two different
types, and make the clamd control socket a unique type. Thanks.
David
P.S. These diffs are based on the files from the selinux-policy-strict-sources-1.22.1-2 rpm.
Updates to amavisd [patch]
by David Hampton
The attached patch updates the (unused) amavisd policy to work with the
changes in the FC strict/1.23.10-2 policy. It also fixes the access
needed by tmpreaper to delete files from the caught spam/virus
directory.
David
Updates to clamav [patch]
by David Hampton
The attached patch updates the (unused) clamav policy to work with the
changes in the FC strict/1.23.10-2 policy. It also fixes an access
problem with the clamd socket.
David
Updates to dcc [patch]
by David Hampton
The attached patch updates the (unused) dcc policy to work with the
changes in the FC strict/1.23.10-2 policy. It also makes a couple of
tweaks to the policy.
David