How to modify the policy?
by Hongwei Li
Hi,
I have a fc3 linux (kernel 2.6.10-1.770_FC3) with selinux enforced,
targeted policy 1.17.30-2.96. I try to use squirrelmail's plugin
change_passwd, but got denied. The system log shows:
Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied {
search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174
scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t
tclass=dir
Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied {
setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
I can use that plugin's command in ssh console, but just not from the web.
Should I change the targeted policy to make it work? If yes, how do I
modify the policy?
Thanks a lot!
Hongwei Li
19 years
targeted policy and apache(?)
by Ben
I'm seeing avc errors, and it's pretty unclear to me what's causing them.
What's being complained about, here?
1 Time(s): audit(1113980474.264:0): avc: denied { search } for pid=7148
exe=/bin/bash name=log dev=md0 ino=3260417
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_log_t tclass=dir
I would guess that some script is trying to list a log directory on
/dev/md0, but that's about all I can guess from this and it doesn't help
me track it down to a useful level anyway.
19 years
New policy for yam
by David Hampton
This is written on an FC3 base system using the
selinux-policy-strict-sources-1.22.1-2 policy from March 11th. These are
the first policies I've submitted so I'd appreciate any comments on how
to write better policies.
David
19 years
New policy for tripwire
by David Hampton
This is written on an FC3 base system using the
selinux-policy-strict-sources-1.22.1-2 policy from March 11th. These are
the first policies I've submitted so I'd appreciate any comments on how
to write better policies.
David
19 years
New policy for pyzor
by David Hampton
This is a new strict policy for the pyzor spam filter. It is based on
the selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy
requires the definition of a pyzor reserved port that was in the
net_contexts diff I sent last Wednesday. Please let me know if there
are any problems with or changes needed to this policy.
David
19 years
Sound difficulties.
by Seth Chambers
I am a new Linux user, having installed FC 3 one week ago. I'm having
difficulty getting my sound card to work. FC 3 comes with Alsa
pre-installed, and it does detect the card, and the driver, snd-emu10k1,
has been installed. The sound card is a Soundblaster Live 5.1 by Creative
Labs. The error message that I receive when I use aumix is "error: error
opening mixer". The error message I receive when I try using alsamixer
is "alsamixer: function snd_ctl_open failed for default: No such device".
Any help with this problem would be much appreciated. Also, the device
does work in XP. Thanks in advance.
19 years
Prelink fails under strict/enforcing
by David Hampton
I'm having problems with the prelink command on my system running the
latest FC3/strict/1.23.11-1 policy.
Running in enforcing mode, when I run 'prelink -a' after updating glibc,
I get a single "avc: denied { relabelto }" error message and prelink
bails out. Running tripwire immediately before and after the prelink
command shows no changes to any files on the system.
Running the same scenario in permissive mode, I get a series of 100 or
more relabelto denied error messages. The tripwire runs show over 1000
modified files, which is par for the course after updating glibc.
Here's one of the error messages in full:
Apr 15 10:36:08 starfury kernel: audit(1113575768.487:0): avc:
denied { relabelto } for pid=22291 exe=/usr/sbin/prelink
name=refer.#prelink#.SULAFf dev=dm-0 ino=13717061
scontext=root:system_r:prelink_t tcontext=system_u:object_r:bin_t
tclass=file
As far as I can tell from looking at the policy sources, I shouldn't be
getting any of these errors. There is a (long) line in prelink.te that
explicitly allows relabelto. Wrapped for clarity, it is:
allow prelink_t {
ifdef(`amanda.te', `amanda_usr_lib_t')
admin_passwd_exec_t
ifdef(`apache.te', `httpd_modules_t')
ifdef(`xserver.te', `xkb_var_lib_t')
ld_so_t su_exec_t texrel_shlib_t
shlib_t sbin_t bin_t lib_t exec_type
}:file { create_file_perms execute relabelto relabelfrom };
This line explicitly allows prelink the relabelto permission for bin_t
files, which is what the avc message I copied is complaining about.
I've spot checked some of the other 100 error messages. The majority of
them have a target context of xxx_exec_t and the declaration of the
xxx_exec_t type includes the exec_type attribute, which means the
operation should be allowed based on the policy line above.
Any suggestions on where to go from here to track down this problem?
David
19 years
cups: unconfined_t:dbus...
by Tom London
Running targeted/enforcing, 1.23.10-5, rawhide.
When I disconnected a USB printer, I got the following:
Apr 15 09:56:51 localhost kernel: usb 2-1: USB disconnect, address 2
Apr 15 09:56:51 localhost kernel: drivers/usb/class/usblp.c: usblp0: removed
Apr 15 09:56:55 localhost dbus: avc: denied { send_msg } for
msgtype=signal interface=com.redhat.PrinterSpooler
member=PrinterRemoved dest=org.freedesktop.DBus spid=2634 tpid=3592
scontext=user_u:system_r:cupsd_t tcontext=user_u:system_r:unconfined_t
tclass=dbus
Apr 15 09:56:55 localhost last message repeated 2 times
Apr 15 09:56:55 localhost dbus: avc: denied { send_msg } for
msgtype=signal interface=com.redhat.PrinterSpooler member=PrinterAdded
dest=org.freedesktop.DBus spid=2634 tpid=3592
scontext=user_u:system_r:cupsd_t tcontext=user_u:system_r:unconfined_t
tclass=dbus
Apr 15 09:56:55 localhost dbus: avc: denied { send_msg } for
msgtype=signal interface=com.redhat.PrinterSpooler member=PrinterAdded
dest=org.freedesktop.DBus spid=2634 tpid=3592
scontext=user_u:system_r:cupsd_t tcontext=user_u:system_r:unconfined_t
tclass=dbus
audit2allow says:
allow cupsd_t unconfined_t:dbus send_msg;
That right?
tom
--
Tom London
19 years
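A small parser for the AVC records quoted in the posts above, written here as an added example (it is not code from any of the posters, nor from audit2allow itself): it splits each "avc: denied" line into its fields and folds the denials into audit2allow-style allow rules keyed on source type, target type and object class. The sample log is constructed from the kernel and dbus records shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: two kernel AVC records and one dbus AVC record in the
# same shape as the denials quoted in the posts above.
SAMPLE_LOG = """\
Apr 14 09:42:59 pippo kernel: audit(1113489779.011:0): avc: denied { search } for pid=13211 exe=/bin/bash name=src dev=hda6 ino=425174 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:src_t tclass=dir
Apr 14 09:42:59 pippo kernel: audit(1113489779.012:0): avc: denied { setuid } for pid=13211 exe=/usr/bin/chpasswd capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Apr 15 09:56:55 localhost dbus: avc: denied { send_msg } for msgtype=signal interface=com.redhat.PrinterSpooler member=PrinterRemoved dest=org.freedesktop.DBus spid=2634 tpid=3592 scontext=user_u:system_r:cupsd_t tcontext=user_u:system_r:unconfined_t tclass=dbus
"""

# Permissions sit inside braces; everything after "for" is key=value pairs.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return a dict of the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    return fields

def type_of(context):
    """The third field of a security context (user:role:type[:level]) is the type."""
    return context.split(":")[2]

def suggest_rules(log_text):
    """Aggregate denials into audit2allow-style 'allow' rules, one per
    (source type, target type, class); returns a sorted list of rule strings."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms_by_key[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        # When the target type is the source itself (e.g. a capability check),
        # policy language writes the target as 'self'.
        tgt_name = "self" if tgt == src else tgt
        plist = sorted(perms)
        perm_text = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt_name}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

As the prelink post in this thread shows, a denial can appear even when a matching allow rule is already in the policy sources, so a generated rule is a starting point for checking what the loaded policy actually contains, not something to load unread.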