selinux June 2005

selinux@lists.fedoraproject.org

83 participants
93 discussions

1105 fails to boot....
by Tom London 07 Nov '05

07 Nov '05

Running strict/enforcing, latest rawhide: After installing latest packages, relabeling /etc, /bin, /lib, .... and rebooting, the system produces lots of udev type errors (cannot remove /dev/.udev_tdb/classSTUFF) and hangs on 'adding hardware' Boots (with messages) in permissive mode. Here are the 'early' AVCs: Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied { read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs ino=17 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied { read } for pid=576 exe=/sbin/restorecon name=customizable_types dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:default_context_t tclass=file Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied { use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied { read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t tclass=file Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652, dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070 ptal-mlcd successfully initialized. Jan 21 07:24:30 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using /var/run/ptal-printd/mlc_usb_PSC_900_Series*. Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M I'll probe a bit, but any help is welcome! tom -- Tom London

4 7

Re: not installing SELinux with Fedora
by stewartetcie＠canada.com 12 Jul '05

12 Jul '05

On Sunday, 2005-06-19 at 16:08 (PDT) Steve G <linux_4ever(a)yahoo.com> wrote: >Its very easy to do, but you will be running your own >distro. :) Just get a RH9 build host and use the >rookery build system. It'll let you know which >packages need TLC. Beware of forks masquerading as subsystems. The offer of mandatory access control is seductive, but the SELinux implementation is flawed if it amounts to a fork in the Linux code base. >SE Linux does need some help in managing policy. ... >This what's missing from SE Linux. >A good configuration for the non-security expert. If that were the only problem, it would be enough to preclude the inclusion of SELinux from a general purpose Linux distribution until such time as good management tools are available. On Monday, 2005-06-20 at 07:10 (PDT) Stephen Smalley <sds(a)tycho.nsa.gov> wrote: >Most distributions don't want to have to ship >multiple variations of the kernel and userland, so >they naturally don't want to have ship a SELinux and >non-SELinux variant of kernel, coreutils, etc. Yikes, I should have anticipated this, given the forum and the topic, but, in the immortal words of Monte Python, "No-one ever expects the Spanish inquisition!" Let's be clear about one thing. I am neither a devil, nor am I a devil's advocate and I really can't find the time right now for an extended vacation at a U.S. resort in Cuba, or even an unscheduled layover in Syria. I know you guys listen to everything, all the time, everywhere, but when my girl friend said, "Oh, you devil," that was just a figure of speech. Really. Now, let's approach the topic under discussion one step at a time, as a Jesuit would. Connecting to the internet can be risky, because we don't know who else has an internet connection, or what malicious plans they may have. So intellectual property developers often disconnect clusters used as render farms for movie production, or compile farms used for code production, from external networks. This is as appropriate for protecting open source products from damage as it is for protecting proprietary products from theft. In fact, many private nets don't connect to the internet. SWIFT, the Society for Worldwide Interchange and Funds Transfer, is a case in point. Isolation provides strong security and we're not likely to stop doing it anytime soon, but it is inappropriate for all cases. That's why we use multi-homed firewalls to interconnect the internet to a DMZ for the servers that provide internet services and to the internal firewalls that protect local area networks. This works pretty well, even better since IP Tables came along, and the proof is that most of the systems compromised by intruders either lack such protection, or don't have it configured properly. Wouldn't it be nice to have a general purpose operating system that could be pruned and tuned for optimal performance on isolated systems, firewalls, servers, workstations, or laptops for road warriors? Oh, and it must be open source, because we can't validate system security unless we can audit the code. Certification requires certainty. A number of operating systems meet these criteria. One candidate is Linux (a. k. a. non-SELinux). If I have to roll my own distro from Fedora in order to optimize performance by removing unnecessary subsystems, such as mandatory access control on an isolated system, then Fedora is no longer a general purpose system and it is no longer Linux, now it is SELinux. These comments are offered in the spirit of constructive criticism. I'm grateful you declared your bias, for your spirited defence of your product and very grateful SELinux was contributed to the open source community, warts and all. However, SELinux isn't the only possible implementation of mandatory access control for Linux (cf. sHype). If my criticicms are valid, SELinux must either be improved, or it'll be replaced by a better implementation. Perhaps I'm wrong. Time will tell. Meanwhile, thanks for listening.

12 30

using selinux to control user access to files
by Hein Coulier 12 Jul '05

12 Jul '05

hi, newby speaking here (totally lost in the selinux labyrinth). What i want to accomplish with selinux is the following : i want to allow different end-users (with different roles) to do something with some files. I'll give you an example : fileA : may be read by roleA and roleB fileB : may only be read by roleB ; audited fileC : may be read and changed by roleB ; audited I read several pdf's, read the o'reilly book, but i seem to be unable to achieve my goal. Help would be appreciated. tia, hecou.

7 18

RE: the labeling procedure
by Steve Brueckner 08 Jul '05

08 Jul '05

> restorecon doesn't rely on having policy sources > (selinux-policy-targeted-sources) installed. It uses the installed > file_contexts configuration created by the policy > (selinux-policy-targeted) package. That lives > under /etc/selinux/targeted/contexts/files. Aha, I think the O'Reilly book is just out of date. Not surprising considering the moving target that is SELinux. > SELinux utilities don't rely on having the policy sources available, > as you likely don't want them on production systems. make relabel is > really only for developers, and hardly used at all anymore (it > predates having fixfiles and restorecon). Actually I am developing here. My problem is that I have a huge chroot directory (basically a full duplicate of the whole system) and I want to get everything in there labeled as if it was outside chroot. To do this I duplicated file_contexts/types.fc and used sed to prepend the chroot directory to every line. It seems to work pretty well, but I'm still having trouble getting the user home directories inside chroot labeled properly. The homedirs macros and files are apparently throwing me. I'd appreciate any suggestions on a better way to label the chroot filesystem. And any ideas on how to get those chrooted homedirs labeled correctly. Stephen Brueckner, ATC-NY

3 2

Bug 160292 (cups-lpd) - back in 1.23.18-16?
by Ian Pilcher 07 Jul '05

07 Jul '05

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160292 says that this bug is fixed in selinux-policy-targeted-1.23.18-12. I'm running 1.23.18-16 (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161383) and this bug is definitely present. I've tried futzing with cupsd_lpd_disable_trans and cupsd_config_disable_trans to no avail. (Are these documented anywhere?) Am I nuts? -- ======================================================================== Ian Pilcher i.pilcher(a)comcast.net ========================================================================

2 3

avc denied about hwclock.
by Vinicius 05 Jul '05

05 Jul '05

Hello, I'm getting the following on FC4: "audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=s ystem_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file audit(1119989359.942:3): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=s ystem_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file" How to resolve this problem, please? TIA, Vinicius.

4 6

How do I tell if SELinux is working?
by Jon August 04 Jul '05

04 Jul '05

I updated the policy after I found that there was a bug with starting DHCP and since then I haven't had any issues getting things to work. Things like a CGI script running sendmail to send an email - which used to show up in the audit log, now work fine. What can I do to see if SELinux is still paying attention? -Jon

4 7

more latest selinux policy change problems
by Peter Magnusson 04 Jul '05

04 Jul '05

A little script that runs in cron complained about stuff after I turned on selinux for apache again; mv: cannot set setfscreatecon `user_u:object_r:httpd_sys_script_rw_t': Permission denied so I changed the selinux perms on these files. Hope it will work next time I turn on selinux for apache. Because now its off again because of this: Tested what gallery (http://gallery.sourceforge.net/) would think about selinux. It didnt like it at all. It said that it has no rights to write in the userfile. And how would I know what I should set the perms to get it working? Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file is what is says. Same problem on an other vhost with an counter, just other name= of course. This is thing above is just the mainpage. It must be able to write dirs also, when creating new albums. It must also be able to execute /usr/bin/convert and maybe other programs also. Hmm, and it stores tmp files in /tmp also. httpd_sys_content_execute_tmpfiles_t on /tmp maybe? :) I have no idea how many fixes that are needed to get everything working. Is it any *generic* for apache-can-write-whatever-it wants in selinux? As long that apache cant write in *system files* or execute anything as root Im quite happy. Did the fedora team expect problems like this to be created with the latest selinux policy change or is it a suprise for you? Its fine to have it by default in new release of fedora but not CHANGE it in a update.

6 8

selinux fedora 3 selinux-policy-targeted-1.17.30-3.15 update breaks some programs
by alberto passariello 03 Jul '05

03 Jul '05

while this update fixes some problems there are some still open. Jun 30 17:14:58 tiger kernel: audit(1120144498.202:0): avc: denied { execmod } for pid=6950 comm=python path=/usr/lib/wingide2.0/bin/2.3/external/pyscintilla2/_scintilla.so dev=sda2 ino=8555070 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file this was caught while starting wing IDE ( a python RAD software ) ---------------------------------------- Alberto Passariello Byte Works Sistemi S.r.l. Cisco Systems partner Premier certified Viale Liegi 44, 00198 Roma Tel: +39 6 863.863.22 Fax: +39 6 863.863.23 Email: apassariello(a)byworks.com -----------------------------------------------

2 1

What's the proper way to set context on locally installed files?
by Jason L Tibbitts III 30 Jun '05

30 Jun '05

Matlab, it seems, puts shared libs and binaries in the same directory. I will freely admit that Matlab is a piece of crap, but I have no choice but to support it. Until recent policy updates the location of the libraries was not an issue, but under selinux-policy-targeted-1.17.30-3.15 Matlab fails to start at all because it can't load its libraries. On my system they live under /usr/lib/matlab-14.2/bin/glnx86, and I suppose due to that they end up with system_u:object_r:bin_t context. If I do chcon system_u:object_r:shlib_t /usr/lib/matlab-14.2/bin/glnx86/*.so everything is happy. I'm going to see if I can hack Matlab to look for its libraries elsewhere, but if I can't I wonder if there's any way for me to include local file context overrides for things like this. - J<

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2005