nagios_log_t missing
by Farkas Levente
Hi,
there is a nagios_log_t used in nagios.fc but it is never defined
(missing), so when we try to apply it we get these errors:
---------------------------------------------
# chcon -R -t nagios_log_t /var/log/nagios
chcon: failed to change context of /var/log/nagios to
system_u:object_r:nagios_log_t: Invalid argument
chcon: failed to change context of /var/log/nagios/rw to
system_u:object_r:nagios_log_t: Invalid argument
chcon: failed to change context of /var/log/nagios/archives to
system_u:object_r:nagios_log_t: Invalid argument
chcon: failed to change context of /var/log/nagios/.bash_history to
user_u:object_r:nagios_log_t: Invalid argument
---------------------------------------------
How can I fix it?
Dan, could you create updated RPMs which fix it in
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/ ? :-)
yours.
--
Levente "Si vis pacem para bellum!"
18 years, 7 months
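The chcon failures quoted above are what you get when a file-contexts entry names a type the loaded policy does not define: the kernel rejects the label with EINVAL. As an added example (not from the post, and not the Fedora policy sources), here is a Python check that reads a nagios.fc-style file-contexts excerpt and its .te and reports every type the .fc references but nothing declares. Both excerpts are constructed, and the MACRO_TYPES table is an assumption about what the old monolithic policy macros expand to.

```python
import re

# Constructed samples in the monolithic-policy-source style of the era
# (hypothetical excerpts, not the real nagios.fc / nagios.te files).
SAMPLE_FC = """\
/usr/sbin/nagios             --  system_u:object_r:nagios_exec_t
/etc/nagios(/.*)?                system_u:object_r:nagios_etc_t
/var/log/nagios(/.*)?            system_u:object_r:nagios_log_t
/usr/lib/nagios/plugins/.*   --  system_u:object_r:bin_t
"""
SAMPLE_TE = """\
daemon_domain(nagios)
type nagios_etc_t, file_type, sysadmfile;
"""

# Types the old policy macros declare for their argument; an assumption about
# the macro expansions, kept as a table so it can be corrected or extended.
MACRO_TYPES = {"daemon_domain": ["{n}_t", "{n}_exec_t"],
               "log_domain": ["{n}_log_t"], "etcdir_domain": ["{n}_etc_t"]}

FC_LINE = re.compile(r"^(\S+)\s+(?:-[-dlpscb]\s+)?(\S+)$")  # path [ftype] context
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)", re.M)           # type foo_t, attr...;
MACRO_CALL = re.compile(r"^\s*(\w+)\((\w+)\)", re.M)        # macro(foo)

def fc_types(fc_text):
    """Map each file-context regex to the type it labels (user:role:type[:mls])."""
    out = {}
    for line in fc_text.splitlines():
        m = FC_LINE.match(line.strip())
        if m and not line.lstrip().startswith("#") and m.group(2) != "<<none>>":
            out[m.group(1)] = m.group(2).split(":")[2]
    return out

def te_types(te_text):
    """Types a .te file declares, directly or through a macro in MACRO_TYPES."""
    declared = set(TYPE_DECL.findall(te_text))
    for macro, name in MACRO_CALL.findall(te_text):
        declared.update(t.format(n=name) for t in MACRO_TYPES.get(macro, []))
    return declared

def undefined_types(fc_text, te_text, base_types=("bin_t",)):
    """Types the .fc uses that neither the .te nor the base policy defines."""
    known = te_types(te_text) | set(base_types)
    return {t for t in fc_types(fc_text).values() if t not in known}

if __name__ == "__main__":
    for t in sorted(undefined_types(SAMPLE_FC, SAMPLE_TE)):
        print(f"{t}: used in file contexts but never declared")
```

Running it on the samples reports nagios_log_t, which is exactly the label chcon could not apply; on a real tree, pass the types from the installed base policy as base_types.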
snmpd proc monitoring problem
by Carlos Pastorino
Hello,
I've inserted the following line in my /etc/snmpd.conf file:
proc sshd
Then I executed the following command:
snmpwalk -On -v2c -c public localhost .1.3.6.1.4.1.2021.2.1
and got the answer:
.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.101.1 = STRING: No sshd process running.
.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
But, if I execute the command below:
setenforce 0
I get the correct answer:
.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.101.1 = STRING:
.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
The problem is, nothing shows up in /var/log/messages to allow me to
figure out how to tweak the
/etc/selinux/targeted/src/policy/domains/program/snmpd.te file.
Any hints?
Regards,
Carlos
18 years, 7 months
selinux-policy-strict-1.23.13-4: suggestions?
by Tom London
Running strict/enforcing, latest rawhide.
I finally got around to 'blowing the dust off' of my strict PC. I
updated to latest rawhide, did a 'fixfiles relabel', and rebooted.
Graphical login failed. It appears that xdm is failing to create a sem:
Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc: denied
{ create } for key=1417649221 scontext=system_u:system_r:xdm_t
tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc: denied
{ unix_read unix_write } for key=199061348
scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t
tclass=sem
Adding:
allow xdm_t self:sem { create unix_read unix_write };
to xdm.te seems to fix this. That OK?
Also, running firefox proxied through privoxy generates:
Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc: denied
{ name_connect } for dest=8118 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
or
allow user_mozilla_t port_t:tcp_socket name_connect;
That right?
Going through /var/log/messages:
Early on, I get this:
Apr 30 13:27:05 fedora kernel: SELinux: Completing initialization.
Apr 30 13:27:05 fedora kernel: SELinux: Setting up existing superblocks.
Apr 30 13:27:05 fedora kernel: audit(1114867589.097:0): avc: denied
{ write } for path=pipe:[1886] dev=pipefs ino=1886
scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
Apr 30 13:27:05 fedora kernel: SELinux: initialized (dev hda2, type
ext3), uses xattr
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev tmpfs, type
tmpfs), uses transition SIDs
and
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: audit(1114867589.937:0): avc: denied
{ read } for name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867589.939:0): avc: denied
{ read } for name=class@vc@vcs1 dev=tmpfs ino=1830
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: SELinux: initialized (dev usbfs, type
usbfs), uses genfs_contexts
Apr 30 13:27:06 fedora kernel: audit(1114867590.492:0): avc: denied
{ create } for name=input scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867590.494:0): avc: denied
{ create } for name=input scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:tmpfs_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867591.604:0): avc: denied
{ write } for name=class@vc@vcs1 dev=tmpfs ino=1830
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.627:0): avc: denied
{ write } for name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.754:0): avc: denied
{ read } for name=class@vc@vcs1 dev=tmpfs ino=1830
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867591.764:0): avc: denied
{ read } for name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
Apr 30 13:27:06 fedora kernel: audit(1114867592.051:0): avc: denied
{ write } for name=class@vc@vcsa1 dev=tmpfs ino=1836
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:tmpfs_t
tclass=file
<<<<SNIP>>>>
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied
{ search } for name=485 dev=proc ino=31784962
scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t
tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied
{ search } for name=494 dev=proc ino=32374786
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:initrc_t tclass=dir
Apr 30 13:27:06 fedora kernel: audit(1114867595.180:0): avc: denied
{ search } for name=545 dev=proc ino=35717122
scontext=system_u:system_r:kernel_t
tcontext=system_u:system_r:hotplug_t tclass=dir
and
Apr 30 13:27:08 fedora kernel: ohci1394: fw-host0: OHCI-1394 1.0
(PCI): IRQ=[11] MMIO=[ed100000-ed1007ff] Max Packet=[2048]
Apr 30 13:27:08 fedora kernel: audit(1114867609.739:0): avc: denied
{ getattr } for path=/etc/hotplug dev=hda2 ino=4472955
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir
Apr 30 13:27:09 fedora kernel: audit(1114867609.739:0): avc: denied
{ search } for name=hotplug dev=hda2 ino=4472955
scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:hotplug_etc_t tclass=dir
and
Apr 30 13:27:10 fedora kernel: audit(1114892828.091:0): avc: denied
{ execute } for name=auto.net dev=hda2 ino=4474546
scontext=system_u:system_r:initrc_t
tcontext=system_u:object_r:automount_etc_t tclass=file
Apr 30 13:27:10 fedora kernel: audit(1114892828.595:0): avc: denied
{ write } for name=/ dev=hda2 ino=2
scontext=system_u:system_r:automount_t
tcontext=system_u:object_r:root_t tclass=dir
Apr 30 13:27:10 fedora kernel: audit(1114892828.677:0): avc: denied
{ dac_override } for capability=1
scontext=system_u:system_r:automount_t
tcontext=system_u:system_r:automount_t tclass=capability
Apr 30 13:27:10 fedora kernel: audit(1114892828.787:0): avc: denied
{ write } for name=/ dev=hda2 ino=2
scontext=system_u:system_r:automount_t
tcontext=system_u:object_r:root_t tclass=dir
Sorry if these are already fixed.
tom
--
Tom London
18 years, 7 months
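The two allow rules Tom wrote by hand above are what an audit2allow-style pass over the quoted denials produces. As an added example (not from the post, and not Fedora's audit2allow), here is a small Python parser that re-joins the mail-wrapped kernel records, groups denials by source type, target type and object class, and renders one allow rule per group; the log text is a constructed sample built from the xdm and mozilla denials quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the post, in the wrapped form the
# mail archive shows (one kernel record split over several lines).
SAMPLE_LOG = """\
Apr 30 13:20:44 fedora kernel: audit(1114892386.776:0): avc: denied
{ create } for key=1417649221 scontext=system_u:system_r:xdm_t
tcontext=system_u:system_r:xdm_t tclass=sem
Apr 30 13:25:35 fedora kernel: audit(1114892735.514:0): avc: denied
{ unix_read unix_write } for key=199061348
scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t
tclass=sem
Apr 30 13:48:23 fedora kernel: audit(1114894103.357:0): avc: denied
{ name_connect } for dest=8118 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    # user:role:type[:mls] -> type
    return context.split(":")[2]

def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    joined = " ".join(line.strip() for line in text.splitlines())  # undo wrapping
    denials = defaultdict(set)
    for m in AVC_RE.finditer(joined):
        key = (_type_of(m["scon"]), _type_of(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def allow_rules(text):
    """Render one allow rule per (source, target, class), 'self' when they match."""
    rules = []
    for (src, tgt, cls), perms in sorted(parse_avc(text).items()):
        target = "self" if src == tgt else tgt
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Each generated rule is only a candidate: a policy reviewer still has to decide whether the access is legitimate (xdm_t creating semaphores, user_mozilla_t connecting to a generic port_t) before it goes into a .te file.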