1105 fails to boot....
by Tom London
Running strict/enforcing, latest rawhide:
After installing latest packages, relabeling /etc, /bin, /lib, ....
and rebooting, the system produces lots of udev type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'
Boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied { read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs ino=17 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied { read } for pid=576 exe=/sbin/restorecon name=customizable_types dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied { use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied { read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652, dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070 ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using /var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
17 years, 10 months
using selinux to control user access to files
by Hein Coulier
Hi, newbie speaking here (totally lost in the SELinux labyrinth).
What I want to accomplish with SELinux is the following: I want to allow
different end-users (with different roles) to do something with some files.
I'll give you an example:
fileA: may be read by roleA and roleB
fileB: may only be read by roleB; audited
fileC: may be read and changed by roleB; audited
I read several PDFs and the O'Reilly book, but I seem to be unable to
achieve my goal.
Help would be appreciated.
tia, hecou.
18 years, 2 months
how does rpm work under SELinux
by James Z. Li
Hi all,
I was wondering how rpm works with SELinux. Say I downloaded
a third-party rpm package and installed it with rpm -i. Will rpm
label the newly installed files properly, or do I have to relabel the filesystem
or run 'restorecon' manually?
Any webpages I could read on this problem? Thanks a lot.
James
18 years, 4 months
HELP: transition denied regardless of policy?
by Aleksander Adamowski
Hi!
I'm having a problem with FC3 strict policy. Basically, I've customised
the policy to cover all that I need on that system, but there's one last
denial that I'm unable to remedy:
May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc: denied { transition } for pid=11773 exe=/bin/bash path=/home/twiki/bin/mailnotify dev=hda1 ino=51463 scontext=root:sysadm_r:sysadm_crond_t tcontext=root:system_r:twiki_t tclass=process
(where /home/twiki/bin/mailnotify has a context of
system_u:object_r:twiki_exec_t.)
This is directly related to my twiki.te policy:
#BEGIN
daemon_domain(twiki)
var_lib_domain(twiki)
domain_auto_trans(httpd_t, twiki_exec_t, twiki_t)
# daemon_domain(twiki) gets this done anyway:
#role_transition sysadm_r twiki_exec_t system_r;
domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
# domain_auto_trans should do it, but duplicating it doesn't hurt:
role sysadm_r types twiki_t;
allow sysadm_crond_t twiki_t:process transition;
# exe=/usr/bin/perl path=/etc/ld.so.cache :
allow twiki_t etc_t:file { getattr read };
allow httpd_t twiki_exec_t:dir { getattr search };
allow httpd_t twiki_exec_t:file ioctl;
allow httpd_t twiki_var_lib_t:dir { getattr read search };
allow httpd_t twiki_var_lib_t:file { append getattr ioctl read };
allow twiki_t bin_t:dir { search };
allow twiki_t bin_t:file { getattr };
allow twiki_t crond_t:fifo_file { ioctl read write };
allow twiki_t home_root_t:dir { search };
allow twiki_t twiki_exec_t:dir { search };
allow twiki_t urandom_device_t:chr_file { read };
allow twiki_t unlabeled_t:dir { getattr read search };
allow httpd_sys_script_t httpd_runtime_t:file write;
allow httpd_sys_script_t httpd_t:tcp_socket ioctl;
allow httpd_sys_script_t twiki_var_lib_t:dir { add_name remove_name search write };
allow httpd_sys_script_t twiki_var_lib_t:file { create getattr read unlink };
allow httpd_t twiki_var_lib_t:dir { add_name remove_name write };
allow httpd_t twiki_var_lib_t:file { create rename setattr unlink write };
#END
The problem is, although the
domain_auto_trans(sysadm_crond_t, twiki_exec_t, twiki_t)
...allows for:
allow sysadm_crond_t twiki_t:process transition;
And I've even allowed that process transition (allow sysadm_crond_t
twiki_t:process transition;) explicitly a few rows later (actually
audit2allow has given me this).
But the transition to root:system_r:twiki_t is still denied.
Am I missing something?
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.ab.altkom.pl
18 years, 4 months
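The AVC records in Tom's and Aleksander's posts above can be triaged mechanically. The script below is an added example, not code from either post or from the SELinux tools: it parses kernel AVC lines (a constructed sample built from the records quoted above, rejoined onto one line each), derives the allow rule audit2allow would print for each, and flags two cases where that rule is not the whole fix. For the twiki denial the source and target contexts carry different roles (sysadm_r to system_r); the strict policy also constrains role and user changes across a process transition (the `constrain process transition` rules in the policy's constraints file), and the AVC record does not say whether a denial came from a missing allow rule or from a constraint. For the execmod denial the usual fix is labelling the object texrel_shlib_t (or building it without text relocations), not granting execmod on usr_t. The field names come from the posts; the triage heuristics are mine.

```python
import re
from collections import Counter

# Constructed sample: AVC records quoted in the posts above, one per line,
# plus one non-AVC kernel line to show it is skipped.
SAMPLE_LOG = """\
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file
May 26 03:26:01 machinename kernel: audit(1117070761.996:0): avc: denied { transition } for pid=11773 exe=/bin/bash path=/home/twiki/bin/mailnotify dev=hda1 ino=51463 scontext=root:sysadm_r:sysadm_crond_t tcontext=root:system_r:twiki_t tclass=process
May 30 17:35:53 localhost kernel: audit(1117499753.135:6): avc: denied { execmod } for pid=5026 comm="acroread" name=ADMPlugin.apl dev=dm-0 ino=2321999 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one syslog line. Returns a dict of AVC fields, or None when the
    line is not an AVC record. Contexts are split into user/role/type; the
    policies of this era carry no MLS field."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": sorted(m.group("perms").split())}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    for ctx in ("scontext", "tcontext"):
        user, role, type_ = rec[ctx].split(":")[:3]
        rec[ctx + "_user"], rec[ctx + "_role"], rec[ctx + "_type"] = user, role, type_
    return rec


def allow_rule(rec):
    """The rule audit2allow would derive: source type, target type, class, perms."""
    return "allow %s %s:%s { %s };" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], " ".join(rec["perms"]))


def triage(rec):
    """Return a caveat when the allow rule alone is unlikely to be the right
    fix, else None. The AVC record itself cannot tell a constraint denial from
    a missing allow rule, so these cases are recognised from the fields."""
    if rec["tclass"] == "process" and "transition" in rec["perms"]:
        if (rec["scontext_role"] != rec["tcontext_role"]
                or rec["scontext_user"] != rec["tcontext_user"]):
            return ("role/user change %s:%s -> %s:%s across the transition: the policy's "
                    "'constrain process transition' rules must permit it, not just an allow rule"
                    % (rec["scontext_user"], rec["scontext_role"],
                       rec["tcontext_user"], rec["tcontext_role"]))
    if rec["tclass"] == "file" and "execmod" in rec["perms"]:
        return ("execmod on %s: a shared object with text relocations; label it "
                "texrel_shlib_t in file_contexts (or rebuild it PIC) instead of "
                "allowing execmod on %s"
                % (rec.get("name") or rec.get("path"), rec["tcontext_type"]))
    return None


def summarize(log_text):
    """Group denials by the allow rule that would cover them (as audit2allow
    does) and collect the triage notes. Returns (Counter, list of notes)."""
    rules = Counter()
    notes = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        rules[allow_rule(rec)] += 1
        note = triage(rec)
        if note:
            notes.append(note)
    return rules, notes


if __name__ == "__main__":
    rules, notes = summarize(SAMPLE_LOG)
    for rule, count in sorted(rules.items()):
        print("%3d  %s" % (count, rule))
    for note in notes:
        print("NOTE:", note)
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; the counts show which rules would silence the most records, and the notes mark the records where adding that rule would either not work (constraint) or grant more than intended (execmod).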
Private user directory trees.
by George J. Jahchan
How can we set up a private user directory that is (recursively) off-limits to
anyone but the owner (including root), so long as the policy is being enforced?
These directory trees would be similarly named for all users:
"/home_dir_path/Private/" for instance.
18 years, 4 months
disabling selinux warnings
by Aleksandar Milivojevic
I have some NFS mounted file systems (from Solaris box). Whenever
moving files between them (mv shell command), users are getting
"security context not preserved" warning. I know what the warning is
about, and why it is being generated. Is it possible to disable it?
It's kind of confusing for the users (they think file isn't moved, so
they are calling administrators about non-existing problem), and in my
case really pointless. The source and destination are both mounted from
Solaris boxes, so there's really not anything that could have been
preserved. Not to mention how annoying it is to have hundreds or
thousands of them printed when moving a lot of files in one batch (and
basically, my users are rightfully asking for those warnings to be disabled).
18 years, 4 months
acroread needs one more file set to texrel...
by Tom London
Running targeted/enforcing, latest rawhide.
Running acroread, if you select File->Document Properties, acroread
dies. Here is the avc:
May 30 17:35:53 localhost kernel: audit(1117499753.135:6): avc: denied { execmod } for pid=5026 comm="acroread" name=ADMPlugin.apl dev=dm-0 ino=2321999 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
Points to /usr/local/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl
Sigh... Does this seem like an appropriate fix?:
--- distros.fc 2005-05-20 11:54:57.000000000 -0700
+++ /tmp/distros.fc 2005-05-30 17:46:08.000000000 -0700
@@ -156,6 +156,7 @@
/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api --
system_u:object_r:texrel_shlib_t
/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api --
system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl --
system_u:object_r:texrel_shlib_t
')
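Review bot: the added entry changes nothing for the file that is already on disk; the AVC shows ADMPlugin.apl still carrying usr_t, so the change needs to be followed by `restorecon /usr/local/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl` (or a relabel of the Reader tree) after the policy's file_contexts is rebuilt and installed, otherwise the same denial will keep appearing. It would also help to state why execmod is warranted here: texrel_shlib_t exists for libraries with text relocations, so confirm the object actually has one (`readelf -d ADMPlugin.apl | grep TEXTREL`) rather than inferring it from the denial alone. The pattern itself, `/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl --`, matches the path in the AVC, escapes the dot, and restricts itself to regular files, consistent with the neighbouring plug_ins entries.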
tom
--
Tom London
18 years, 4 months
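James's question earlier on this page (does rpm label new files, or is restorecon needed?) and Tom's distros.fc change above both come down to how file_contexts entries are matched against a path. rpm built with SELinux support labels the files it installs from the loaded policy's file_contexts at install time, whereas a file created by other means (an installer script, a tarball) gets the type of its parent directory, usr_t under /usr, until restorecon applies the matching entry; `restorecon -n -v` over the tree is the check that shows what would change. The following is an added example, not libselinux's code: a toy matchpathcon and a dry-run restorecon over the four entries from Tom's hunk plus a constructed generic /usr entry. It applies the rule libselinux uses on a sorted file_contexts, the last matching entry wins, so the sample must be ordered from general to specific (fc_sort does that for the real file at policy build time). The plug_ins/Search.api file and every on-disk label other than ADMPlugin.apl's usr_t are constructed for the demonstration.

```python
import re

# Constructed sample: the four entries from the distros.fc hunk above,
# preceded by a generic /usr entry so that precedence is exercised.
SAMPLE_FC = r"""
# regex                                              type  context
/usr(/.*)?                                                 system_u:object_r:usr_t
/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api         --   system_u:object_r:shlib_t
/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api   --   system_u:object_r:texrel_shlib_t
/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api    --   system_u:object_r:texrel_shlib_t
/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl --   system_u:object_r:texrel_shlib_t
"""

# Optional middle column of a file_contexts entry: the object type the entry
# applies to. An entry without it applies to any type.
FTYPE_CODES = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
               "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}


def parse_file_contexts(text):
    """Return a list of (compiled regex, object type or None, context) in
    file order. A context of <<none>> means 'leave this path alone'."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, context = fields
            ftype = FTYPE_CODES[ftype]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError("malformed file_contexts entry: %r" % raw)
        if context == "<<none>>":
            context = None
        specs.append((re.compile(pattern), ftype, context))
    return specs


def matchpathcon(specs, path, ftype="file"):
    """Label a path the way setfiles/matchpathcon do: the regex must match
    the whole path, the type column (if any) must fit, and among the
    entries that match, the last one in the file wins."""
    for pattern, spec_ftype, context in reversed(specs):
        if spec_ftype not in (None, ftype):
            continue
        if pattern.fullmatch(path):
            return context
    return None


def restorecon_dry_run(specs, current_labels):
    """Like 'restorecon -n -v': list (path, current, wanted) for every object
    whose on-disk label differs from what file_contexts says. current_labels
    maps path -> (object type, context)."""
    changes = []
    for path, (ftype, have) in sorted(current_labels.items()):
        want = matchpathcon(specs, path, ftype)
        if want is not None and want != have:
            changes.append((path, have, want))
    return changes


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FC)
    reader = "/usr/local/Adobe/Acrobat7.0/Reader/intellinux"
    # ADMPlugin.apl carries usr_t as in the AVC above; the rest is constructed.
    on_disk = {
        reader + "/SPPlugins/ADMPlugin.apl": ("file", "system_u:object_r:usr_t"),
        reader + "/plug_ins/AcroForm.api": ("file", "system_u:object_r:texrel_shlib_t"),
        reader + "/plug_ins/Search.api": ("file", "system_u:object_r:usr_t"),
        reader + "/plug_ins": ("dir", "system_u:object_r:usr_t"),
    }
    for path, have, want in restorecon_dry_run(specs, on_disk):
        print("%s: %s -> %s" % (path, have, want))
```

The generic `/usr(/.*)?` entry matches every one of these paths too; it loses only because it comes first. Put it after the Reader entries and everything under /usr collapses to usr_t, which is exactly the mislabelling the AVC showed and why order in a hand-edited .fc file matters.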
Re: mkfs.ext3: Permission denied while trying to determine filesystem size
by Justin Conover
On 5/29/05, Justin Conover <justin.conover(a)gmail.com> wrote:
> Can't create a logical volume, have no problems doing it on another
> rawhide box. Plenty of space, I've done this ++++ times and for some
> reason this box is just causing a problem. "permission denied"
>
> Could this be a dying HD? The box has 4x36GB scsi drives in it, in
> Raid0/lvm config.
>
>
> [root@trinity ~]# lvcreate -L2G -nLogVol08 VolGroup01
> Logical volume "LogVol08" created
> [root@trinity ~]# mke2fs -j /dev/VolGroup01/LogVol08
> mke2fs 1.37 (21-Mar-2005)
> Could not stat /dev/VolGroup01/LogVol08 --- Permission denied
> [root@trinity ~]# mkfs.ext3 -F -j /dev/VolGroup01/LogVol08
> mke2fs 1.37 (21-Mar-2005)
> mkfs.ext3: Permission denied while trying to determine filesystem size
> # mkfs.ext3 -F -j /dev/mapper/VolGroup01-LogVol08
> mke2fs 1.37 (21-Mar-2005)
> mkfs.ext3: Permission denied while trying to determine filesystem size
> ]# mkfs.ext3 -F -j /dev/mapper/VolGroup01-LogVol08
> mke2fs 1.37 (21-Mar-2005)
> mkfs.ext3: Permission denied while trying to determine filesystem size
> [root@trinity ~]# mke2fs -f /dev/mapper/VolGroup01-LogVol08
> mke2fs: bad fragment size - /dev/mapper/VolGroup01-LogVol08
>
> [root@trinity ~]# id -Z
> root:system_r:unconfined_t
> [root@trinity ~]# ls -la /sbin/ | grep mkfs
> -rwxr-xr-x 1 root root 7192 May 3 23:30 mkfs
> -rwxr-xr-x 1 root root 15872 May 3 23:30 mkfs.cramfs
> -rwxr-xr-x 3 root root 35888 May 10 04:17 mkfs.ext2
> -rwxr-xr-x 3 root root 35888 May 10 04:17 mkfs.ext3
> -rwxr-xr-x 3 root root 30180 Apr 28 09:31 mkfs.msdos
> -rwxr-xr-x 3 root root 30180 Apr 28 09:31 mkfs.vfat
> [root@trinity ~]# lsmod | grep ext3
> ext3 133193 8
> jbd 61785 1 ext3
>
> [root@trinity ~]# vgdisplay
> --- Volume group ---
> VG Name VolGroup01
> System ID
> Format lvm2
> Metadata Areas 1
> Metadata Sequence No 12
> VG Access read/write
> VG Status resizable
> MAX LV 0
> Cur LV 9
> Open LV 8
> Max PV 0
> Cur PV 1
> Act PV 1
> VG Size 101.28 GB
> PE Size 32.00 MB
> Total PE 3241
> Alloc PE / Size 672 / 21.00 GB
> Free PE / Size 2569 / 80.28 GB
> VG UUID 8A535T-TOpJ-Fzkg-BREJ-TJE7-E3Lp-nChZOg
>
>
> The differences between the box that works and the one that doesn't are the following:
>
> Works (x86_64/rawhide)
> # rpm -qa | grep lvm
> lvm2-2.01.08-1.0 <----- WHY 2?
> lvm2-2.01.08-2.1
> system-config-lvm-0.9.32-1.0
> # rpm -qa | grep e2fsprogs
> e2fsprogs-devel-1.37-4
> e2fsprogs-1.37-4.x86_64
> e2fsprogs-1.37-4.i386
>
>
>
> Doesn't work (x86/Rawhide)
> # rpm -qa | grep lvm
> lvm2-2.01.08-2.1
> system-config-lvm-0.9.32-1.0
> # rpm -qa | grep e2fsprogs
> e2fsprogs-devel-1.37-4
> e2fsprogs-1.37-4
> Both boxes are in a soft raid/lvm config. Not sure why the i386 box
> defaulted to VolGroup01, but it shouldn't matter in any case.
>
Well, it looks like the problem is between mkfs and selinux. The box
that works is set to
# sestatus
SELinux status: disabled
While the one that doesn't work is running selinux. So is this a bug?
Can anyone else mkfs on a selinux=1 box? I haven't run into this
before, and I know I have other boxes running selinux that I've created
new fs on.
18 years, 4 months
ptal, strict patch - thanks for the comments
by Tom London
Daniel, Ivan, thanks for the helpful comments.
Appears that ptal only needs 'server', so I changed to
'can_network_server_tcp(ptal_t)'.
I defined 'ptal_port_t' in network.te, and bound it to port 5703 in
network_contexts.
Hope this is better. Please correct....
tom
--
Tom London
18 years, 4 months