Is there a SELinux tutorial for ISVs ?
by Davide Bolcioni
Greetings,
I was looking for directions about how an ISV would roll its own policy for
the packages it ships. A very basic and step-by-step tutorial, for tiny
minds :-)
Thank you for your consideration,
Davide Bolcioni
18 years, 11 months
Re: using tmpfs for /tmp and selinux
by Aleksandar Milivojevic
Sorry for posting this outside of the corresponding thread for those using
threading. I'm new to the list, and found the thread in the archives, so I couldn't
simply hit reply in my mail reader.
I've applied the changes described to rc.sysinit (restorecon /tmp), created
local.te (allow tmpfile tmpfs_t:filesystem associate;) and reloaded the policy. It
seems to be working for me on both FC3 and RHEL4. The question I have is, will
these patches (to both initscripts and selinux-policy-targeted) be present in U1
for RHEL4?
Thanks,
Aleksandar Milivojevic
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
18 years, 11 months
"service iptables stop" not working -- /proc/net unreadable
by Chuck Anderson
I had a problem disabling my iptables firewall today, and noticed that
/proc/net being unreadable was the cause of "service iptables stop"
not working. I have an avc:
audit(1115326402.826:0): avc: denied { search } for pid=5818
exe=/bin/tcsh name=net dev=proc ino=-268435434
scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:proc_net_t tclass=dir
What happened to my /proc?
#ls -lZ /proc/net
ls: /proc/net: Permission denied
#ls -lZd /proc/net
ls: /proc/net: Permission denied
#ls -lZ /proc|grep net
?--------- ? ? net
#ls -l /proc|grep net
?--------- ? ? ? ? ? net
This is FC3 with kernel-2.6.11-1.14_FC3 and
selinux-policy-targeted-1.17.30-3.1.
18 years, 12 months
MySQL 5.0.4 Beta AVC Denied Messages
by Robert L Cochran
I am getting the following messages while attempting to start the MySQL
5.0.4 server mysqld with SELinux running on Fedora Core 3, and with all
current patches applied. I've already tried
restorecon -R -v /usr/lib/mysql
restorecon -R -v /var/lib/mysql
restorecon -v /usr/sbin/mysqld
I want to allow MySQL to run. Any suggestions?
May 4 21:02:53 rclap kernel: audit(1115254973.641:0): avc: denied {
setsched } for pid=3729 exe=/usr/sbin/mysqld
scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t
tclass=process
May 4 21:02:53 rclap kernel: audit(1115254973.641:0): avc: denied {
setsched } for pid=3730 exe=/usr/sbin/mysqld
scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t
tclass=process
May 4 21:02:53 rclap kernel: audit(1115254973.641:0): avc: denied {
setsched } for pid=3731 exe=/usr/sbin/mysqld
scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t
tclass=process
May 4 21:02:53 rclap kernel: audit(1115254973.642:0): avc: denied {
setsched } for pid=3732 exe=/usr/sbin/mysqld
scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t
tclass=process
May 4 21:02:54 rclap kernel: audit(1115254974.758:0): avc: denied {
setsched } for pid=3735 exe=/usr/sbin/mysqld
scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t
tclass=process
May 4 21:02:54 rclap kernel: audit(1115254974.758:0): avc: denied {
setsched } for pid=3736 exe=/usr/sbin/mysqld
scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t
tclass=process
May 4 21:02:54 rclap kernel: audit(1115254974.758:0): avc: denied {
setsched } for pid=3737 exe=/usr/sbin/mysqld
scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t
tclass=process
May 4 21:02:54 rclap kernel: audit(1115254974.759:0): avc: denied {
setsched } for pid=3738 exe=/usr/sbin/mysqld
scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t
tclass=process
May 4 21:02:54 rclap kernel: audit(1115254974.801:0): avc: denied {
setsched } for pid=3739 exe=/usr/sbin/mysqld
scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t
tclass=process
18 years, 12 months
Problems with today's rawhide (.1284, etc.)
by Tom London
Running targeted/enforcing, today's rawhide.
After installing today's packages, system fails to boot.
Hangs just after starting init, after producing a message like
MAKEDEV:mkdir: file exists
System will boot with 'enforcing=0'.
The log shows many avc denials to tmpfs (below).
Did I mess up?
tom
--------------------------------------------------------
May 4 07:33:23 localhost kernel: audit(1115191953.487:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:33:23 localhost kernel: audit(1115191970.159:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:hwclock_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:33:23 localhost kernel: audit(1115217172.838:0): avc:
denied { getattr } for path=/dev/mapper/VolGroup00-LogVol00
dev=tmpfs ino=6442 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:tmpfs_t tclass=blk_file
May 4 07:33:23 localhost kernel: audit(1115217172.839:0): avc:
denied { read write } for name=VolGroup00-LogVol00 dev=tmpfs
ino=6442 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:tmpfs_t tclass=blk_file
May 4 07:33:23 localhost kernel: audit(1115217172.839:0): avc:
denied { ioctl } for path=/dev/mapper/VolGroup00-LogVol00 dev=tmpfs
ino=6442 scontext=system_u:system_r:fsadm_t
tcontext=system_u:object_r:tmpfs_t tclass=blk_file
May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc:
denied { write } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc:
denied { add_name } for name=log
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc:
denied { create } for name=log scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tmpfs_t tclass=sock_file
May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc:
denied { setattr } for name=log dev=tmpfs ino=6865
scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:tmpfs_t tclass=sock_file
May 4 07:33:23 localhost kernel: audit(1115217178.127:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:33:23 localhost kernel: audit(1115217178.127:0): avc:
denied { write } for name=log dev=tmpfs ino=6865
scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:tmpfs_t
tclass=sock_file
May 4 07:33:23 localhost kernel: audit(1115217198.206:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:cardmgr_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:33:23 localhost kernel: audit(1115217198.206:0): avc:
denied { write } for name=log dev=tmpfs ino=6865
scontext=system_u:system_r:cardmgr_t
tcontext=system_u:object_r:tmpfs_t tclass=sock_file
May 4 07:33:23 localhost kernel: audit(1115217200.530:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:33:23 localhost kernel: audit(1115217200.530:0): avc:
denied { write } for name=log dev=tmpfs ino=6865
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t
tclass=sock_file
May 4 07:33:23 localhost kernel: audit(1115217200.821:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:33:23 localhost kernel: audit(1115217202.856:0): avc:
denied { read } for name=config dev=dm-0 ino=1275872
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
May 4 07:33:23 localhost kernel: audit(1115217202.856:0): avc:
denied { getattr } for path=/etc/selinux/config dev=dm-0 ino=1275872
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file
May 4 07:33:29 localhost kernel: audit(1115217209.362:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:portmap_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:33:29 localhost kernel: audit(1115217209.580:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:33:29 localhost kernel: audit(1115217209.581:0): avc:
denied { write } for name=log dev=tmpfs ino=6865
scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:tmpfs_t
tclass=sock_file
May 4 07:33:31 localhost kernel: audit(1115217211.468:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:howl_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:33:36 localhost kernel: audit(1115217216.843:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:33:39 localhost kernel: audit(1115217219.784:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:33:39 localhost kernel: audit(1115217219.784:0): avc:
denied { write } for name=log dev=tmpfs ino=6865
scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:tmpfs_t
tclass=sock_file
May 4 07:33:41 localhost kernel: audit(1115217221.632:0): avc:
denied { read } for name=fd dev=tmpfs ino=2839
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tmpfs_t
tclass=lnk_file
May 4 07:34:00 localhost kernel: audit(1115217240.363:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:34:01 localhost kernel: audit(1115217241.339:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:34:02 localhost kernel: audit(1115217242.433:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:34:04 localhost kernel: audit(1115217244.727:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:updfstab_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:34:04 localhost kernel: audit(1115217244.727:0): avc:
denied { write } for name=log dev=tmpfs ino=6865
scontext=system_u:system_r:updfstab_t
tcontext=system_u:object_r:tmpfs_t tclass=sock_file
May 4 07:34:09 localhost kernel: audit(1115217249.960:0): avc:
denied { read } for name=mapper dev=tmpfs ino=3919
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:34:09 localhost kernel: audit(1115217249.960:0): avc:
denied { getattr } for path=/dev/mapper dev=tmpfs ino=3919
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:34:09 localhost kernel: audit(1115217249.960:0): avc:
denied { getattr } for path=/dev/mapper/VolGroup00-LogVol01
dev=tmpfs ino=6444 scontext=system_u:system_r:hald_t
tcontext=system_u:object_r:tmpfs_t tclass=blk_file
May 4 07:34:10 localhost kernel: audit(1115217250.223:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:34:12 localhost kernel: audit(1115217252.745:0): avc:
denied { search } for name=rhgb dev=dm-0 ino=1277513
scontext=system_u:system_r:init_t tcontext=system_u:object_r:mnt_t
tclass=dir
May 4 07:34:39 localhost kernel: audit(1115217279.531:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
May 4 07:35:00 localhost dbus: avc: denied { send_msg } for
msgtype=method_call interface=com.redhat.CupsDriverConfig
member=MatchDriver dest=com.redhat.CupsDriverConfig spid=3570
tpid=3058 scontext=user_u:system_r:unconfined_t
tcontext=system_u:system_r:cupsd_config_t tclass=dbus
May 4 07:35:00 localhost kernel: audit(1115217300.770:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:35:00 localhost kernel: audit(1115217300.770:0): avc:
denied { write } for name=log dev=tmpfs ino=6865
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:tmpfs_t tclass=sock_file
May 4 07:35:00 localhost kernel: audit(1115217300.771:0): avc:
denied { search } for name=/ dev=tmpfs ino=2832
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc:
denied { write } for name=cache dev=dm-0 ino=2142136
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:var_t tclass=dir
May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc:
denied { add_name } for name=foomatic
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:var_t tclass=dir
May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc:
denied { create } for name=foomatic
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:var_t tclass=dir
May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc:
denied { create } for name=printconf.pickle
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:var_t tclass=file
May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc:
denied { getattr } for path=/var/cache/foomatic/printconf.pickle
dev=dm-0 ino=2158741 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:var_t tclass=file
May 4 07:35:34 localhost kernel: audit(1115217334.072:0): avc:
denied { write } for path=/var/cache/foomatic/printconf.pickle
dev=dm-0 ino=2158741 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:var_t tclass=file
May 4 07:35:34 localhost dbus: avc: denied { send_msg } for
msgtype=method_return dest=:1.5 spid=3058 tpid=3570
scontext=system_u:system_r:cupsd_config_t
tcontext=user_u:system_r:unconfined_t tclass=dbus
--
Tom London
18 years, 12 months
awstats
by Farkas Levente
hi,
We use http://awstats.sourceforge.net/ to generate http web statistics.
In order to generate data there is an hourly cron job which collects the
statistics from the webserver's log file. But these scripts use the same
collection of perl scripts which generate the web pages.
How can I solve it?
I found this description:
http://yanbaru.dyndns.org/linux/fedora2awstats.html
although I don't really like local.te.
Are there any 'default' settings for awstats?
I wish we had some kind of default policy which includes rules for
awstats too :-0
yours.
--
Levente "Si vis pacem para bellum!"
18 years, 12 months
RE: make relabel > restorecon
by Steve Brueckner
Daniel J Walsh wrote:
> Steve Brueckner wrote:
>> Daniel J Walsh wrote:
>>> Steve Brueckner wrote:
>>>> I have a file
>>>> /etc/selinux/targeted/src/policy/file_contexts/programs/tspi_dillo.fc
>>>> that contains the following line only:
>>>>
>>>> /tspi/usr/local/bin/dillo -- system_u:object_r:tspi_dillo_exec_t
>>>>
>>>> When I do # make reload and then # make relabel the system
>>>> correctly labels the file and adds the above line to the master
>>>> file_contexts file.
>>>>
>>>> However, if I then run # /sbin/restorecon /tspi/usr/local/bin/dillo
>>>> the file's type reverts to default_t
>>>>
>>>> Any ideas on why this is happening?
>>>>
>>> I take it you have a domains/program/tspi_dillo.te file?
>>>
>>> grep dillo /etc/selinux/targeted/context/files/*
>>>
>> Yes, I have
>> /etc/selinux/targeted/src/policy/domains/program/tspi_dillo.te
>> which declares the tspi_dillo_exec_t.
>>
>> However, I think your grep showed me where the problem lies. There
>> are two file_contexts files:
>> /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>> /etc/selinux/targeted/context/files/file_contexts
>>
>> And a diff shows that the former has the context for dillo and the
>> latter does not. I was apparently mistaken earlier when I said that
>> the "master" file_contexts file contains the line in question.
>>
>> So my question now becomes how does the former get updated? I've
>> done make reload and make relabel but it seems that neither is
>> updating /etc/selinux/targeted/context/files/file_contexts.
>>
> That is strange. Make reload should have copied your
> file_context over.
>
> Try make -W users load
> See if the file_context gets replaced. Any chance of clock skew on
> your machine?
Fooling make into thinking users had been updated did the trick, thanks. My
clock, logs, and file times all look fine, so I don't think clock skew is
the problem.
I am, however, running (last week's) rawhide SELinux and rawhide kernel on
an otherwise FC3 install, so maybe there's something not meshing in there.
Am I correct in thinking that the rawhide SELinux packages are currently
being written and tested on FC4?
Anyway, I appreciate the assist.
- Steve Brueckner, ATC-NY
18 years, 12 months
selinux-policy-strict-1.23.14-2 - glitches...
by Tom London
Running strict/enforcing, latest rawhide.
The following crop up with today's updates:
0. Early boot denials:
May 3 06:42:12 fedora kernel: security: 3 users, 6 roles, 1333 types, 63 bools
May 3 06:42:12 fedora kernel: security: 55 classes, 342123 rules
May 3 06:42:12 fedora kernel: SELinux: Completing initialization.
May 3 06:42:12 fedora kernel: SELinux: Setting up existing superblocks.
May 3 06:42:12 fedora kernel: audit(1115102485.415:0): avc: denied
{ read } for name=proc dev=hda2 ino=3407873
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
May 3 06:42:12 fedora kernel: audit(1115102485.416:0): avc: denied
{ search } for name=/ dev=hda2 ino=2
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=dir
May 3 06:42:12 fedora last message repeated 3 times
May 3 06:42:12 fedora kernel: SELinux: initialized (dev hda2, type
ext3), uses xattr
Also, init seems to be doing a PID scan:
May 3 06:42:13 fedora kernel: audit(1115102490.729:0): avc: denied
{ read } for name=stat dev=proc ino=65550
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
tclass=file
May 3 06:42:13 fedora kernel: audit(1115102490.730:0): avc: denied
{ read } for name=stat dev=proc ino=31916046
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
tclass=file
May 3 06:42:13 fedora kernel: audit(1115102490.730:0): avc: denied
{ read } for name=stat dev=proc ino=32505870
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:initrc_t tclass=file
May 3 06:42:13 fedora kernel: audit(1115102490.730:0): avc: denied
{ read } for name=stat dev=proc ino=36175886
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:hotplug_t tclass=file
<<<SNIP>>>
1. privoxy is non-functional:
May 3 06:42:53 fedora kernel: audit(1115127773.695:0): avc: denied
{ name_bind } for src=8118 scontext=system_u:system_r:privoxy_t
tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket
so suggest adding
allow privoxy_t http_cache_port_t:tcp_socket name_bind;
to privoxy.te
2. trouble starting ptal. I can't tell if this is a missing
transition to ptal_t, or just a missing entry in net_contexts.
Help?
May 3 06:42:21 fedora kernel: audit(1115127741.848:0): avc: denied
{ name_bind } for src=5703 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5704 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5705 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5706 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5707 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5708 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5709 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5710 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5711 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5712 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5713 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5714 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied
{ name_bind } for src=5715 scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
May 3 06:42:21 fedora ptal-photod:
ptal-photod(mlc:usb:PSC_900_Series): bind(tcpPort=5729) failed,
errno=13!
Also:
May 3 06:42:22 fedora kernel: audit(1115127741.921:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:25 fedora ptal-mlcd: ERROR at ExMgr.cpp:2525,
dev=<mlc:usb:PSC_900_Series>, pid=2372, e=1, t=1115127745
Couldn't find device!
May 3 06:42:25 fedora kernel: audit(1115127745.660:0): avc: denied
{ write } for name=001 dev=usbfs ino=4489
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.660:0): avc: denied
{ write } for name=001 dev=usbfs ino=4489
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.660:0): avc: denied
{ write } for name=001 dev=usbfs ino=4473
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.661:0): avc: denied
{ write } for name=001 dev=usbfs ino=4473
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.661:0): avc: denied
{ write } for name=001 dev=usbfs ino=4457
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
May 3 06:42:25 fedora kernel: audit(1115127745.661:0): avc: denied
{ write } for name=001 dev=usbfs ino=4457
scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t
tclass=file
3. issues with fifo files:
May 3 06:42:14 fedora kernel: IPv6 over IPv4 tunneling driver
May 3 06:42:14 fedora kernel: audit(1115127718.038:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:14 fedora kernel: audit(1115127718.041:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:14 fedora kernel: audit(1115127718.256:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:14 fedora kernel: audit(1115127718.260:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:14 fedora kernel: ACPI: Power Button (FF) [PWRF]
<<<SNIP>>>
May 3 06:42:50 fedora ntpd[2472]: kernel time sync status 0040
May 3 06:42:50 fedora kernel: audit(1115127770.407:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:50 fedora ntpd[2472]: frequency initialized 67.355 PPM
from /var/lib/ntp/drift
May 3 06:42:50 fedora ntpd[2472]: configure: keyword "authenticate"
unknown, line ignored
May 3 06:42:51 fedora kernel: audit(1115127771.070:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
<<<SNIP>>>
May 3 06:42:59 fedora kernel: audit(1115127779.773:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
May 3 06:42:59 fedora kernel: audit(1115127779.800:0): avc: denied
{ write } for name=rhgb-console dev=ramfs ino=5658
scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t
tclass=fifo_file
4. ddclient (fix to support http_port_t):
May 3 06:42:52 fedora kernel: audit(1115127772.664:0): avc: denied
{ name_connect } for dest=80 scontext=system_u:system_r:ddclient_t
tcontext=system_u:object_r:http_port_t tclass=tcp_socket
or
allow ddclient_t http_port_t:tcp_socket name_connect;
5. su denial:
May 3 06:44:04 fedora su(pam_unix)[3241]: session opened for user
root by tbl(uid=500)
May 3 06:44:17 fedora kernel: audit(1115127857.306:0): avc: denied
{ unix_read unix_write } for key=1592234044
scontext=user_u:user_r:user_t tcontext=system_u:system_r:xdm_t
tclass=sem
Does
allow user_t xdm_t:sem { unix_read unix_write };
make sense?
Thanks!
tom
--
Tom London
18 years, 12 months
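The denials quoted in this post, and in the MySQL and rawhide posts above, all share the same pre-auditd kernel AVC format, and the `allow` lines Tom proposes are exactly what one derives from them. The following is an added example, not code from the list thread or from the audit2allow tool: a small Python parser that turns such lines into candidate allow rules, merging permissions for the same source type, target type and class, and flagging rules whose target is a catch-all label (the set `GENERIC_TYPES` is a heuristic chosen for this example). The sample log lines are copied from this page with their line wrapping undone; the last one is a non-AVC line to show it is skipped.

```python
import re
from collections import OrderedDict

# Constructed sample: denial lines copied from this page (kernel AVC lines in
# the pre-auditd syslog format plus one dbus userspace AVC), re-joined onto
# single lines where the archive had wrapped them.
SAMPLE_LOG = """\
May 3 06:42:53 fedora kernel: audit(1115127773.695:0): avc: denied { name_bind } for src=8118 scontext=system_u:system_r:privoxy_t tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket
May 3 06:42:52 fedora kernel: audit(1115127772.664:0): avc: denied { name_connect } for dest=80 scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket
May 3 06:44:17 fedora kernel: audit(1115127857.306:0): avc: denied { unix_read unix_write } for key=1592234044 scontext=user_u:user_r:user_t tcontext=system_u:system_r:xdm_t tclass=sem
May 4 21:02:53 rclap kernel: audit(1115254973.641:0): avc: denied { setsched } for pid=3729 exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process
May 4 21:02:53 rclap kernel: audit(1115254973.641:0): avc: denied { setsched } for pid=3730 exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process
May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc: denied { write } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc: denied { add_name } for name=log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
May 4 07:35:00 localhost dbus: avc: denied { send_msg } for msgtype=method_call interface=com.redhat.CupsDriverConfig member=MatchDriver dest=com.redhat.CupsDriverConfig spid=3570 tpid=3058 scontext=user_u:system_r:unconfined_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus
May 3 06:42:12 fedora kernel: SELinux: Completing initialization.
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Heuristic for this example: a denial against one of these target types
# usually means the object is mislabeled (tmpfs not relabeled, a file that
# fell through to default_t), not that the domain needs a new permission.
GENERIC_TYPES = {"tmpfs_t", "unlabeled_t", "default_t", "file_t", "var_t"}

def parse_avc(line):
    """Return the source type, target type, class and permissions of one
    AVC denial line, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"stype": stype, "ttype": ttype, "tclass": tclass,
            "perms": set(m.group("perms").split()), "fields": fields}

def collect_rules(log_text):
    """Group denials by (source type, target type, class), merging the
    permission sets so repeated denials (one per mysqld thread) collapse."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    return rules

def format_rule(key, perms):
    """Render one allow rule in policy syntax; a domain acting on its own
    type is written with the 'self' keyword."""
    stype, ttype, tclass = key
    target = "self" if ttype == stype else ttype
    names = " ".join(sorted(perms))
    perm_text = names if len(perms) == 1 else "{ " + names + " }"
    return "allow %s %s:%s %s;" % (stype, target, tclass, perm_text)

def suggest(log_text):
    """Return (rule, note) pairs; the note is non-empty when the target
    type suggests a labeling fix is the right response instead."""
    out = []
    for key, perms in collect_rules(log_text).items():
        note = ""
        if key[1] in GENERIC_TYPES:
            note = ("target type is a catch-all label: check labeling "
                    "(restorecon / file_contexts) before adding a rule")
        out.append((format_rule(key, perms), note))
    return out

if __name__ == "__main__":
    for rule, note in suggest(SAMPLE_LOG):
        print(rule + ("   # " + note if note else ""))
```

Run as a script it prints one candidate rule per (source, target, class) triple; the privoxy, ddclient and user_t/xdm_t lines reproduce the rules proposed in the post, while the syslogd_t/tmpfs_t entry is flagged, which matches the rawhide thread above where the fix was relabeling tmpfs rather than granting every daemon write access to tmpfs_t.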
RE: make relabel > restorecon
by Steve Brueckner
Daniel J Walsh wrote:
> Steve Brueckner wrote:
>
>> I have a file
>> /etc/selinux/targeted/src/policy/file_contexts/programs/tspi_dillo.fc
>> that contains the following line only:
>>
>> /tspi/usr/local/bin/dillo -- system_u:object_r:tspi_dillo_exec_t
>>
>> When I do # make reload and then # make relabel the system correctly
>> labels the file and adds the above line to the master file_contexts
>> file.
>>
>> However, if I then run # /sbin/restorecon /tspi/usr/local/bin/dillo
>> the file's type reverts to default_t
>>
>> Any ideas on why this is happening?
>>
>>
> I take it you have a domains/program/tspi_dillo.te file?
>
> grep dillo /etc/selinux/targeted/context/files/*
>
Yes, I have /etc/selinux/targeted/src/policy/domains/program/tspi_dillo.te
which declares the tspi_dillo_exec_t.
However, I think your grep showed me where the problem lies. There are two
file_contexts files:
/etc/selinux/targeted/src/policy/file_contexts/file_contexts
/etc/selinux/targeted/context/files/file_contexts
And a diff shows that the former has the context for dillo and the latter
does not. I was apparently mistaken earlier when I said that the "master"
file_contexts file contains the line in question.
So my question now becomes how does the former get updated? I've done make
reload and make relabel but it seems that neither is updating
/etc/selinux/targeted/context/files/file_contexts.
Thanks,
- Steve Brueckner, ATC-NY
18 years, 12 months
make relabel > restorecon
by Steve Brueckner
I have a file
/etc/selinux/targeted/src/policy/file_contexts/programs/tspi_dillo.fc that
contains the following line only:
/tspi/usr/local/bin/dillo -- system_u:object_r:tspi_dillo_exec_t
When I do # make reload and then # make relabel the system correctly labels
the file and adds the above line to the master file_contexts file.
However, if I then run # /sbin/restorecon /tspi/usr/local/bin/dillo the
file's type reverts to default_t
Any ideas on why this is happening?
Thanks,
- Steve Brueckner, ATC-NY
18 years, 12 months
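The thread above comes down to two file_contexts files: the policy-source copy under src/policy/file_contexts, which `make relabel` used and which carries the tspi_dillo spec, and the installed copy under context/files, which restorecon reads and which did not, so the binary fell through to the catch-all default_t. As an added example that is not code from the thread or from libselinux, here is a Python model of that lookup: it parses file_contexts specs (regex, optional file-type column, context), anchors each regex the way the real matcher does, and takes the last matching spec, which is how libselinux scans a file ordered by fc_sort (most specific entries last). The two file_contexts texts are constructed miniatures, not the full files from the box.

```python
import re

# Constructed miniature of the policy-source file_contexts: ends with the
# tspi_dillo spec from the thread, after the usual catch-all entries.
SRC_FILE_CONTEXTS = """\
/.*                             system_u:object_r:default_t
/usr(/.*)?                      system_u:object_r:usr_t
/usr/local/bin(/.*)?            system_u:object_r:bin_t
/tspi/usr/local/bin/dillo  --   system_u:object_r:tspi_dillo_exec_t
"""

# Constructed miniature of the installed copy that restorecon reads: the
# same entries minus the tspi_dillo line that "make reload" failed to copy.
INSTALLED_FILE_CONTEXTS = """\
/.*                             system_u:object_r:default_t
/usr(/.*)?                      system_u:object_r:usr_t
/usr/local/bin(/.*)?            system_u:object_r:bin_t
"""

# regex  [-X]  user:role:type      where -X is the optional file-type column
SPEC_RE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<context>\S+)$")

# file_contexts type column -> kind of object it applies to
FTYPE_FOR_KIND = {"file": "--", "dir": "-d", "symlink": "-l", "socket": "-s",
                  "fifo": "-p", "blockdev": "-b", "chardev": "-c"}

def parse_file_contexts(text):
    """Return a list of (compiled anchored regex, ftype or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if m is None:
            raise ValueError("bad file_contexts line: %r" % line)
        # libselinux anchors the spec with ^ and $ before compiling it
        regex = re.compile("^" + m.group("regex") + "$")
        specs.append((regex, m.group("ftype"), m.group("context")))
    return specs

def lookup_context(specs, path, kind="file"):
    """Return the context a path would be assigned. The last matching spec
    wins: libselinux walks the specs from the end, relying on fc_sort to
    have placed the most specific entries last."""
    want = FTYPE_FOR_KIND[kind]
    for regex, ftype, context in reversed(specs):
        if ftype is not None and ftype != want:
            continue      # e.g. a "--" spec never applies to a directory
        if regex.match(path):
            return context
    return None           # real file_contexts always has a /.* catch-all

def context_type(context):
    """Pull the type field out of user:role:type, or None."""
    return context.split(":")[2] if context else None

def explain_restorecon(path, src_text, installed_text, kind="file"):
    """Compare what the source copy and the installed copy would label a
    path; a disagreement is the 'make relabel vs restorecon' symptom."""
    from_src = context_type(lookup_context(parse_file_contexts(src_text), path, kind))
    from_installed = context_type(lookup_context(parse_file_contexts(installed_text), path, kind))
    return {"path": path, "src_policy": from_src, "installed": from_installed,
            "agree": from_src == from_installed}

if __name__ == "__main__":
    print(explain_restorecon("/tspi/usr/local/bin/dillo",
                             SRC_FILE_CONTEXTS, INSTALLED_FILE_CONTEXTS))
```

The report for `/tspi/usr/local/bin/dillo` says `tspi_dillo_exec_t` from the source copy and `default_t` from the installed copy, which is the exact behaviour Steve saw; the check to run on a real box is to diff the two file_contexts files for the spec in question, and the remedy is to get the installed copy regenerated (what forcing the `load` target did in the thread), not to add permissions for default_t.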