Problem with installing a new harddisk...
by jckyau@cs.hku.hk
Hi,
I am very new to SELinux, so, please bear with my ignorance.
I have installed a Fedora Core 3 with SELinux enabled. The system
has been running pretty stable until I tried to install a new harddisk
to my system. The system fails during the booting process if I have my
new harddisk installed. It stops booting whenever I reach the point of
setting up the ppp (I rely on a PPPoE line to connect to the Internet).
But it boots smoothly when I have the new harddisk removed. I think it
is a problem with SELinux (though I am not sure) as it gives me all
kinds of complaints regarding permissions.
I am pretty sure that it isn't a problem with the harddisk, as this
harddisk works fine when installed into another computer. I've also
tried to install another harddisk to my SELinux box, and got the same
result. Any clue??
Many thanx in advance!
--
Joe Yau.....The Natural Born Uncle!!!
+---------------------------------------------------------------------+
| Email: jckyau(a)cs.hku.hk WWW: http://www.cs.hku.hk/~jckyau |
| |
| First they ignore you... Then they ridicule at you... |
| Then they fight you... Then you win!!! |
| -- Mahatma Gandhi |
+---------------------------------------------------------------------+
RE: Adobe Reader 7
by Fred New
On Sat 4/9/2005 8:15 PM, Colin Walters wrote:
> On Sat, 2005-04-09 at 07:40 +0000, Fred New wrote:
>
> > Is this a correct and accepted way of dealing with this without
> > installing the policy sources?
>
> What denials were you getting? We don't presently confine user logins
> with SELinux, so Adobe Reader should not have been affected.
>
Unfortunately, this problem seems to be "dontaudited"; I don't
see anything in /var/log/messages. If I run it from a terminal,
I see
[fred@darth ~]$ /usr/local/Adobe/Acrobat7.0/bin/acroread
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread: error while loading shared libraries: /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so: cannot restore segment prot after reloc: Permission denied
[fred@darth ~]$
But Adobe Reader runs if I go into permissive mode or if I make the
context changes previously mentioned.
The restorecon command leaves everything with a type of usr_t.
I installed Adobe Reader by expanding the tar.gz file as a normal
user and running the INSTALL script as root.
Fred
genhomedircon flakiness
by Valdis.Kletnieks@vt.edu
Running fedora-devel tree as of last night, and I'm hitting an oddness.
Basic problem: I add a user to /etc/selinux/strict/users/local.users,
and at some later point I run 'make' in /etc/selinux/strict/src/policy.
After that, genhomedircon barfs because it sees lines like:
/home/valdis -d valdis:object_r:staff_home_dir_t
in contexts/files/file_contexts.homedirs. However, since it just built the
policy using the 'users' file from src/policy/users, that 'user valdis'
line isn't there, so the context is invalid....
Does src/policy/Makefile need a ruleset to regenerate its copy of the 'users' file?
users: $(USERPATH)/system.users $(USERPATH)/local.users
	cat $(USERPATH)/system.users $(USERPATH)/local.users > users
(Actually, that won't work, as $(USERPATH)/system.users has a dependency
on $(USER_FILES), so a more sophisticated solution is needed...
SELinux not enabled
by Sjoerd Mullender
I have a problem getting SELinux to work on my fully up-to-date FC3
system. Here is some relevant output:
# ls -l /etc/sysconfig/selinux
lrwxrwxrwx 1 root root 19 Apr 12 08:33 /etc/sysconfig/selinux -> /etc/selinux/config
# grep -v ^# /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=targeted
# rpm -qa '*policy*'
policycoreutils-1.18.1-2.10
selinux-policy-targeted-1.17.30-2.96
# rpm -q kernel
kernel-2.6.11-1.14_FC3
# sestatus
SELinux status: disabled
# dmesg | grep -i selinux
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
SELinux: Registering netfilter hooks
# setenforce Permissive
setenforce: SELinux is disabled
Note that there is a lot of stuff missing from the dmesg output (I
compared this with a system where it does work).
What I have understood from the FAQ and the config file, all I need to
do to get SELinux to work (initially in permissive mode) is set the two
values in /etc/selinux/config and then reboot. This I have done.
Is there any other file that might interfere?
The system was upgraded all the way from at least RedHat 9 via FC1 and
FC2 (and various FC1 tests). I have only recently installed the SELinux
stuff.
--
Sjoerd Mullender <sjoerd(a)acm.org>
cups avcs....
by Tom London
Running targeted/enforcing, latest rawhide.
Just noticed the following in the log:
Apr 11 17:40:22 localhost kernel: audit(1113266422.034:0): avc:
denied { search } for pid=2553 exe=/usr/sbin/cupsd name=dbus
dev=dm-0 ino=2142154 scontext=user_u:system_r:cupsd_t
tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
Apr 11 17:40:22 localhost kernel: audit(1113266422.291:0): avc:
denied { search } for pid=2553 exe=/usr/sbin/cupsd name=dbus
dev=dm-0 ino=2142154 scontext=user_u:system_r:cupsd_t
tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
Apr 11 17:40:22 localhost kernel: audit(1113266422.295:0): avc:
denied { search } for pid=2553 exe=/usr/sbin/cupsd name=dbus
dev=dm-0 ino=2142154 scontext=user_u:system_r:cupsd_t
tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
Apr 11 17:40:22 localhost kernel: audit(1113266422.709:0): avc:
denied { search } for pid=2561 exe=/usr/lib/cups/backend/hal
name=dbus dev=dm-0 ino=2142154 scontext=user_u:system_r:cupsd_t
tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
or
allow cupsd_t system_dbusd_var_run_t:dir search;
Did something change?
tom
--
Tom London
converting between strict and targeted
by Russell Coker
When I install FC4T2 and convert it to strict policy I get a huge number of
AVC messages related to setfiles running in domain initrc_t.
It seems that the solution to this problem when converting from targeted to
strict is to have the following in setfiles.te:
ifdef(`distro_redhat', `
domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
')
We already have can_setenforce(initrc_t) in initrc.te so this isn't really
granting any extra access.
In the targeted policy we need to have definitions of all the types that are
used before /.autorelabel is checked. I have attached an archive of the
policy necessary in targeted to make the conversion to strict run smoothly.
Note that it only adds 9 aliases and 46 lines of file context so it won't
have any noticeable overhead when using targeted policy, but it will make
things quite a bit nicer when converting from targeted to strict.
While the AVC messages don't really do any harm, it will give less annoyance
and confusion for users to have them gone. Incidentally for my testing I've
relabeled the system in enforcing mode and had it work fine. We can't do
this in production because in some situations a relabel operation will be
because of the configuration of the machine being badly messed up, enough so
that it may not be possible to relabel in enforcing mode.
Incidentally I've just filed a bugzilla requesting that there be a
"autorelabel" option for the kernel command line to give the same results as
a /.autorelabel file. That saves booting a messed up machine in permissive
mode for the purpose of creating the file.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154496
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
MySQL+Selinux problem
by Michael Calizo
Hi,
I have been banging my head to resolve this SELinux+MySQL problem on
fedora Core 3.
I followed these steps from this list:
https://www.redhat.com/archives/fedora-selinux-list/2004-November/ms...
* Install selinux-policy-targeted-sources.
* yum install selinux-policy-targeted-sources
* cd /etc/selinux/targeted/src/policy
* echo "allow httpd_t var_lib_t:sock_file rw_socket_perms;" > domains/program/httpd_socket.te
* make load
After make load I get this error:
yada yada yada ....
Compiling policy ...
/usr/bin/checkpolicy -o /etc/selinux/strict/policy/policy.19 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 3 users, 5 roles, 1304 types, 58 bools
security: 55 classes, 388377 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 19) to
/etc/selinux/strict/policy/policy.19
/usr/bin/checkpolicy -c 18 -o /etc/selinux/strict/policy/policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
security: 3 users, 5 roles, 1304 types, 58 bools
security: 55 classes, 388377 rules
/usr/bin/checkpolicy: policy configuration loaded
/usr/bin/checkpolicy: writing binary representation (version 18) to
/etc/selinux/strict/policy/policy.18
make: *** No rule to make target
`file_contexts/program/httpd_socket.fc', needed by
`file_contexts/file_contexts'. Stop.
I'm stuck with this error and I don't know what to do next. Any insights
are welcome and appreciated.
Thank you very much.
--
Mike Calizo
Registered Linux User # 365113
_________________________________________________
Even the longest journey has to start with a small first-step
mv hard drives with lvm/selinux ?
by Justin Conover
Just wondering if I'm going to move 2x160GB sata drives in raid 1 that
are on their own volume with SELinux turned on. Can I simply move
these to another box and be able to read them or does this become
really tricky?
Worst comes to worst I can mv the 80GB of data to another box, mv the
harddrives and then mv the data back; just wondering if it could be as
easy to do it the other way.
avc: denied, aMSN
by Sander Hoentjen
Hi,
I get the following error in my log:
audit(1113264360.332:0): avc: denied { execmod } for pid=3261
comm=wish
path=/home/tjikkun/programs/amsn-extras/plugins/tls1.4/libtls1.4.so
dev=hda2 ino=243257 scontext=user_u:system_r:unconfined_t
tcontext=user_u:object_r:user_home_t tclass=file
It happens when I try to use aMSN which in turn wants to use this lib. I
am a developer of aMSN and I would really like to know what is the best
way to fix it. I guess I could change my policy or something(?), but
when we distribute aMSN I would like to have it working
"out-of-the-box". Any ideas on how to make this happen?
Thanks in advance,
Sander Hoentjen
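Both Tom London's cups post and Sander's aMSN post above paste raw avc: denied lines and ask what to do with them. The script below is an added example, not code from either poster or from the SELinux project: it parses kernel AVC messages of the FC3-era format into records, aggregates identical denials into the allow rule they would map to (the same rule Tom wrote by hand for cupsd_t), and, for an execmod denial on a file, recommends the labeling fix the Adobe Reader thread points at (texrel_shlib_t for a library with text relocations) rather than a new allow rule, since granting execmod to a domain weakens the W^X protection for every file of that type. The sample log is constructed from the lines quoted in the two posts, re-joined onto one line each; the field names (scontext, tcontext, tclass, exe, comm, path, name) are the ones visible on the page.

```python
import re
from collections import Counter

# Constructed sample input: the AVC messages quoted in the cups and aMSN
# posts, each re-joined onto a single line as it appears in /var/log/messages.
SAMPLE_LOG = """\
Apr 11 17:40:22 localhost kernel: audit(1113266422.034:0): avc: denied { search } for pid=2553 exe=/usr/sbin/cupsd name=dbus dev=dm-0 ino=2142154 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
Apr 11 17:40:22 localhost kernel: audit(1113266422.291:0): avc: denied { search } for pid=2553 exe=/usr/sbin/cupsd name=dbus dev=dm-0 ino=2142154 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
Apr 11 17:40:22 localhost kernel: audit(1113266422.709:0): avc: denied { search } for pid=2561 exe=/usr/lib/cups/backend/hal name=dbus dev=dm-0 ino=2142154 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=dir
audit(1113264360.332:0): avc: denied { execmod } for pid=3261 comm=wish path=/home/tjikkun/programs/amsn-extras/plugins/tls1.4/libtls1.4.so dev=hda2 ino=243257 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file
Apr 11 17:41:00 localhost kernel: some unrelated kernel message
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Return the type component of a user:role:type[:level] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one log line into a denial record, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": tuple(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # Older kernels log exe=, newer ones comm=; keep whichever is present.
        "subject": fields.get("exe") or fields.get("comm", "?"),
        "path": fields.get("path") or fields.get("name", "?"),
    }


def allow_rule(rec):
    """The policy rule that would silence this denial (what audit2allow emits)."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perm_str)


def triage(rec):
    """Defender's reading: prefer a labeling fix over widening the policy."""
    if "execmod" in rec["perms"] and rec["tclass"] == "file":
        # execmod on a shared object means it carries text relocations; the
        # page's Adobe thread labels such libraries texrel_shlib_t instead of
        # letting the whole domain modify-and-execute files of type ttype.
        return ("relabel: %s has text relocations; label it texrel_shlib_t "
                "(or rebuild it PIC) rather than allowing execmod on %s"
                % (rec["path"], rec["ttype"]))
    return "policy: " + allow_rule(rec)


def summarize(log_text):
    """Aggregate a log into {allow_rule: count} plus one triage note per rule."""
    counts = Counter()
    advice = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rule = allow_rule(rec)
        counts[rule] += 1
        advice.setdefault(rule, triage(rec))
    return counts, advice


if __name__ == "__main__":
    counts, advice = summarize(SAMPLE_LOG)
    for rule, n in counts.most_common():
        print("%3d  %s\n     %s" % (n, rule, advice[rule]))
```

Collapsing the three cupsd_t lines into one rule with a count is what makes a denial storm readable; the execmod branch is deliberately separate because, unlike a missing dir search permission, it is almost always a labeling problem on the object rather than a gap in the subject domain's policy.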
RE: Adobe Reader 7
by Fred New
On Mon 4/11/2005 9:30 PM, Daniel J Walsh wrote:
> Ok we have policy for Acrobat but not Adobe.
>
> /usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api --
> system_u:object_r:shlib_t
> /usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api --
> system_u:object_r:texrel_shlib_t
> /usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/EScript\.api --
> system_u:object_r:texrel_shlib_t
>
> Could you do a find /usr/local/Adobe -print and attach it?
> I will try to fix the file context file for it.
Yeh, everything is under the /usr/local/Adobe/Acrobat7.0 directory.
See the attached.
Fred