1105 fails to boot....
by Tom London
Running strict/enforcing, latest rawhide:
After installing latest packages, relabeling /etc, /bin, /lib, ....
and rebooting, the system produces lots of udev type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'
Boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied { read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs ino=17 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied { read } for pid=576 exe=/sbin/restorecon name=customizable_types dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied { use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied { read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652, dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070 ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using /var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
17 years, 7 months
Re: not installing SELinux with Fedora
by stewartetcie@canada.com
On Sunday, 2005-06-19 at 16:08 (PDT)
Steve G <linux_4ever(a)yahoo.com> wrote:
>It's very easy to do, but you will be running your own
>distro. :) Just get a RH9 build host and use the
>rookery build system. It'll let you know which
>packages need TLC.
Beware of forks masquerading as subsystems. The offer
of mandatory access control is seductive, but the
SELinux implementation is flawed if it amounts to a
fork in the Linux code base.
>SE Linux does need some help in managing policy.
...
>This what's missing from SE Linux.
>A good configuration for the non-security expert.
If that were the only problem, it would be enough to
preclude the inclusion of SELinux from a general
purpose Linux distribution until such time as good
management tools are available.
On Monday, 2005-06-20 at 07:10 (PDT)
Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
>Most distributions don't want to have to ship
>multiple variations of the kernel and userland, so
>they naturally don't want to have to ship a SELinux and
>non-SELinux variant of kernel, coreutils, etc.
Yikes, I should have anticipated this, given the forum
and the topic, but, in the immortal words of Monty
Python, "No-one ever expects the Spanish inquisition!"
Let's be clear about one thing. I am neither a devil,
nor am I a devil's advocate and I really can't find the
time right now for an extended vacation at a U.S.
resort in Cuba, or even an unscheduled layover in
Syria. I know you guys listen to everything, all the
time, everywhere, but when my girlfriend said, "Oh,
you devil," that was just a figure of speech. Really.
Now, let's approach the topic under discussion one step
at a time, as a Jesuit would.
Connecting to the internet can be risky, because we
don't know who else has an internet connection, or what
malicious plans they may have. So intellectual property
developers often disconnect clusters used as render
farms for movie production, or compile farms used for
code production, from external networks. This is as
appropriate for protecting open source products from
damage as it is for protecting proprietary products
from theft. In fact, many private nets don't connect to
the internet. SWIFT, the Society for Worldwide
Interchange and Funds Transfer, is a case in point.
Isolation provides strong security and we're not likely
to stop doing it anytime soon, but it is inappropriate
for all cases. That's why we use multi-homed firewalls
to interconnect the internet to a DMZ for the servers
that provide internet services and to the internal
firewalls that protect local area networks. This works
pretty well, even better since IP Tables came along,
and the proof is that most of the systems compromised
by intruders either lack such protection, or don't have
it configured properly.
Wouldn't it be nice to have a general purpose operating
system that could be pruned and tuned for optimal
performance on isolated systems, firewalls, servers,
workstations, or laptops for road warriors? Oh, and it
must be open source, because we can't validate system
security unless we can audit the code. Certification
requires certainty. A number of operating systems meet
these criteria.
One candidate is Linux (a.k.a. non-SELinux). If I
have to roll my own distro from Fedora in order to
optimize performance by removing unnecessary
subsystems, such as mandatory access control on an
isolated system, then Fedora is no longer a general
purpose system and it is no longer Linux, now it is
SELinux.
These comments are offered in the spirit of
constructive criticism. I'm grateful you declared your
bias, for your spirited defence of your product and
very grateful SELinux was contributed to the open
source community, warts and all. However, SELinux isn't
the only possible implementation of mandatory access
control for Linux (cf. sHype). If my criticisms are
valid, SELinux must either be improved, or it'll be
replaced by a better implementation. Perhaps I'm wrong.
Time will tell. Meanwhile, thanks for listening.
17 years, 11 months
using selinux to control user access to files
by Hein Coulier
Hi, newbie speaking here (totally lost in the SELinux labyrinth).
What I want to accomplish with SELinux is the following: I want to allow
different end-users (with different roles) to do something with some files.
I'll give you an example:
fileA : may be read by roleA and roleB
fileB : may only be read by roleB ; audited
fileC : may be read and changed by roleB ; audited
I read several PDFs and read the O'Reilly book, but I seem to be unable to
achieve my goal.
Help would be appreciated.
tia, hecou.
17 years, 11 months
RE: the labeling procedure
by Steve Brueckner
> restorecon doesn't rely on having policy sources
> (selinux-policy-targeted-sources) installed. It uses the installed
> file_contexts configuration created by the policy
> (selinux-policy-targeted) package. That lives
> under /etc/selinux/targeted/contexts/files.
Aha, I think the O'Reilly book is just out of date. Not surprising
considering the moving target that is SELinux.
> SELinux utilities don't rely on having the policy sources available,
> as you likely don't want them on production systems. make relabel is
> really only for developers, and hardly used at all anymore (it
> predates having fixfiles and restorecon).
Actually I am developing here. My problem is that I have a huge chroot
directory (basically a full duplicate of the whole system) and I want to get
everything in there labeled as if it was outside chroot. To do this I
duplicated file_contexts/types.fc and used sed to prepend the chroot
directory to every line. It seems to work pretty well, but I'm still having
trouble getting the user home directories inside chroot labeled properly.
The homedirs macros and files are apparently throwing me.
I'd appreciate any suggestions on a better way to label the chroot
filesystem. And any ideas on how to get those chrooted homedirs labeled
correctly.
Stephen Brueckner, ATC-NY
17 years, 11 months
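One way to do the chroot relabel described in the post above with the regex and homedir details handled, added here as an example and not the poster's own sed approach: it rewrites each path regex of a file_contexts spec to sit under the chroot (escaping the chroot path, since setfiles treats the first column as an anchored regex) and expands the HOME_ROOT/HOME_DIR/USER placeholders of a homedir template under the chroot, in a simplified form of what genhomedircon does. The sample spec lines, the user name and the chroot path /srv/chroot are constructed.

```python
import re

# Constructed miniature of file_contexts and the homedir template (not the
# poster's real files); columns are: path regex, optional file type, context.
FILE_CONTEXTS = """\
# comment lines and blank lines are preserved

/\t-d\tsystem_u:object_r:root_t
/.*\tsystem_u:object_r:default_t
/etc(/.*)?\tsystem_u:object_r:etc_t
/usr/lib(64)?/.*\\.so(\\.[^/]*)*\t--\tsystem_u:object_r:shlib_t
"""
HOMEDIR_TEMPLATE = """\
HOME_ROOT/[^/]*\t-d\tsystem_u:object_r:user_home_dir_t
HOME_DIR/.*\tsystem_u:object_r:user_home_t
"""

LINE_RE = re.compile(r"^(?P<regex>\S+)(?P<rest>\s+.*)$")

def _prefixed(path_regex, chroot):
    # setfiles anchors the path column as a regex at both ends, so the chroot
    # path is regex-escaped and prepended; the root entry "/" becomes the chroot itself.
    root = re.escape(chroot.rstrip("/"))
    return root if path_regex == "/" else root + path_regex

def relabel_spec_for_chroot(file_contexts, chroot):
    """Return file_contexts with every path regex moved under chroot."""
    out = []
    for line in file_contexts.splitlines():
        m = LINE_RE.match(line)
        if not line.strip() or line.lstrip().startswith("#") or m is None:
            out.append(line)  # comments, blank and unparseable lines pass through
            continue
        out.append(_prefixed(m.group("regex"), chroot) + m.group("rest"))
    return "\n".join(out) + "\n"

def expand_homedir_template(template, chroot, home_root="/home", users=()):
    """Expand HOME_ROOT / HOME_DIR / USER under chroot: one generic entry per
    HOME_DIR line plus one per named user (a simplified genhomedircon)."""
    root = _prefixed(home_root, chroot)
    out = []
    for line in template.splitlines():
        if "HOME_DIR" in line or "USER" in line:
            targets = [(root + "/[^/]*", "[^/]*")]
            targets += [(root + "/" + re.escape(u), u) for u in users]
            for home, user in targets:
                out.append(line.replace("HOME_DIR", home).replace("USER", user))
        else:
            out.append(line.replace("HOME_ROOT", root))
    return "\n".join(out) + "\n"
```

The rewritten spec (with the expanded homedir lines appended) can be given to setfiles as its spec file argument in place of the default file_contexts.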
avc denied about hwclock.
by Vinicius
Hello,
I'm getting the following on FC4:
"audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file
audit(1119989359.942:3): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file"
How do I resolve this problem, please?
TIA,
Vinicius.
17 years, 11 months
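A triage helper for the AVC lines quoted in this post and in Tom London's "1105 fails to boot" post above, added here as an example and not code from either poster: it parses both the kernel-logged exe= format and the audit comm= format, groups denials by source type, target type and object class, and renders each group in allow-rule syntax so it can be reviewed against the installed policy. The sample lines are constructed from the formats shown on the page.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted in the posts above
# (kernel-logged "exe=" style and audit "comm=" style); not the real logs.
SAMPLE_LOG = """\
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file
audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial (perms as a list), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields

def type_of(context):
    # user:role:type[:range] -> the type component is what policy rules key on
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class), collecting permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
        rules[key].update(avc["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def as_allow_rules(summary):
    """Render each group in allow-rule syntax, as audit2allow does, for review
    (a denial can mean a mislabeled file rather than a missing rule)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]
```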
How do I tell if SELinux is working?
by Jon August
I updated the policy after I found that there was a bug with starting
DHCP and since then I haven't had any issues getting things to work.
Things like a CGI script running sendmail to send an email - which
used to show up in the audit log, now work fine.
What can I do to see if SELinux is still paying attention?
-Jon
17 years, 11 months
more latest selinux policy change problems
by Peter Magnusson
A little script that runs in cron complained about stuff after I turned on
SELinux for Apache again:
mv: cannot set setfscreatecon `user_u:object_r:httpd_sys_script_rw_t': Permission denied
so I changed the SELinux perms on these files. Hope it will work next time
I turn on SELinux for Apache. Because now it's off again because of this:
Tested what gallery (http://gallery.sourceforge.net/) would think about
SELinux. It didn't like it at all. It said that it has no rights to write in
the userfile.
And how would I know what I should set the perms to, to get it working?
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.441:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Jun 21 06:27:25 sysbabe kernel: audit(1119328045.442:0): avc: denied { write } for pid=29609 exe=/usr/sbin/httpd name=userdb.dat dev=hda2 ino=688180 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
is what it says. Same problem on another vhost with a counter, just another
name= of course.
The thing above is just the main page. It must be able to write dirs
also, when creating new albums. It must also be able to execute
/usr/bin/convert and maybe other programs also. Hmm, and it stores tmp
files in /tmp also. httpd_sys_content_execute_tmpfiles_t on /tmp maybe? :)
I have no idea how many fixes are needed to get everything working.
Is there anything *generic* for apache-can-write-whatever-it-wants in SELinux?
As long as Apache can't write to *system files* or execute anything as
root I'm quite happy.
Did the Fedora team expect problems like this to be created by the latest
SELinux policy change, or is it a surprise for you? It's fine to have it by
default in a new release of Fedora but not to CHANGE it in an update.
17 years, 11 months
selinux fedora 3 selinux-policy-targeted-1.17.30-3.15 update breaks some programs
by alberto passariello
While this update fixes some problems, there are some still open.
Jun 30 17:14:58 tiger kernel: audit(1120144498.202:0): avc: denied { execmod } for pid=6950 comm=python path=/usr/lib/wingide2.0/bin/2.3/external/pyscintilla2/_scintilla.so dev=sda2 ino=8555070 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t tclass=file
This was caught while starting Wing IDE (Python RAD software).
----------------------------------------
Alberto Passariello
Byte Works Sistemi S.r.l.
Cisco Systems partner Premier certified
Viale Liegi 44,
00198 Roma
Tel: +39 6 863.863.22
Fax: +39 6 863.863.23
Email: apassariello(a)byworks.com
-----------------------------------------------
17 years, 11 months
What's the proper way to set context on locally installed files?
by Jason L Tibbitts III
Matlab, it seems, puts shared libs and binaries in the same
directory. I will freely admit that Matlab is a piece of crap, but I
have no choice but to support it.
Until recent policy updates the location of the libraries was not an
issue, but under selinux-policy-targeted-1.17.30-3.15 Matlab fails to
start at all because it can't load its libraries. On my system they
live under /usr/lib/matlab-14.2/bin/glnx86, and I suppose due to that
they end up with system_u:object_r:bin_t context. If I do
chcon system_u:object_r:shlib_t /usr/lib/matlab-14.2/bin/glnx86/*.so
everything is happy.
I'm going to see if I can hack Matlab to look for its libraries
elsewhere, but if I can't I wonder if there's any way for me to
include local file context overrides for things like this.
- J<
17 years, 11 months