acpid, killing processes or accessing ttys with selinux on fc4
by Vincenzo Ciancia
Hi all, I was addressed here from the fedora-general list.
When I try to kill kwin (workaround I am trying for a bug) which is not
owned by root, from an acpid event handler, I see
==============
type=PATH msg=audit(1120137170.131:15862051): item=0 name="/home/vincenzo"
inode=2 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1120137170.131:15862051): arch=40000003 syscall=195
success=no exit=-13 a0=8608218 a1=bfaec42c a2=236ff4 a3=bfaec42c items=1
pid=2381 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="sh" exe="/bin/bash"
type=AVC msg=audit(1120137170.131:15862051): avc: denied { search } for
pid=2381 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t
tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1120137170.138:15862566): arch=40000003 syscall=37
success=no exit=-1 a0=b97 a1=9 a2=0 a3=b97 items=0 pid=2381 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="killall"
exe="/usr/bin/killall"
type=AVC msg=audit(1120137170.138:15862566): avc: denied { kill } for
pid=2381 comm="killall" capability=5 scontext=root:system_r:apmd_t
tcontext=root:system_r:apmd_t tclass=capability
===============
in audit.log
Also, if I try to use
action=chvt 1 < /dev/tty10
(because chvt needs a tty to operate)
I find
========
type=PATH msg=audit(1120137360.814:62404): item=0 name="/home/vincenzo"
inode=2 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1120137360.814:62404): arch=40000003 syscall=195
success=no exit=-13 a0=957e218 a1=bfb7578c a2=987ff4 a3=bfb7578c items=1
pid=2450 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="sh" exe="/bin/bash"
type=AVC msg=audit(1120137360.814:62404): avc: denied { search } for
pid=2450 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t
tcontext=system_u:object_r:home_root_t tclass=dir
========
even if /dev/tty10 is owned by root.
How do I allow both operations? I can't find any reference to acpid in the
selinux configuration tool.
Bye and thanks
Vincenzo Ciancia
--
Please note that I do not read the e-mail address used in the from field but
I read vincenzo_ml at yahoo dot it
Attention: I do not read the e-mail address used in the from field, but I read
vincenzo_ml at yahoo dot it
Re: [FC3] kernel panic after selinux-policy-targeted update
by Stephen Smalley
On Mon, 2005-06-27 at 15:22 +0100, D. D. Brierton wrote:
> I ran sudo yum update today and selinux-policy-targeted was updated
> (along with another selinux related package whose name I can't remember)
> and immediately my system became unresponsive and I had to do a hard reboot.
>
> Now I cannot boot into FC3 at all (I'm posting this from Windows). This
> is the error I get:
>
> audit(1119882959.657:0): avc: denied { execmod } for pid=1 comm=init
> path=/lib/tls/libc-2.3.5.so dev=hda3 ino=2638668
> scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:shlib_t
> tclass=file
> /sbin/init: error while loading shared libraries : /lib/tls/libc.so.6:
> cannot apply additional memory protection after relocation: Permission
> denied
> Kernel panic - not syncing: Attempted to kill init!
>
> Any suggestions on what to do?
>
> I know I can boot with selinux=0. After that, what? Attempt to reinstall
> selinux?
What is your hardware? ppc32 by any chance? execmod has to be allowed
to all file types on that platform (or, as in kernel 2.6.12, the check
has to be disabled completely for ppc32).
/usr/sbin/getsebool allow_execmod shows what?
--
Stephen Smalley
National Security Agency
Avc denied about python and hplip.
by Vinicius
Hello,
I'm trying to install HPLIP driver
(http://sourceforge.net/projects/hpinkjet/), but I'm getting this:
"type=AVC msg=audit(1120103235.648:24617): avc: denied { write } for
pid=2062 comm="python" name=base dev=dm-0 ino=1440034
scontext=system_u:system_r:hplip_t tcontext=root:object_r:usr_t tclass=dir
type=PATH msg=audit(1120103235.687:24702): item=0
name="/usr/share/hplip/base/status.pyc" inode=1440034 dev=fd:00 mode=040755
ouid=0 ogid=0 rdev=00:00"
How to solve this problem, please?
TIA,
Vinicius.
Re: SELinux Blocking LDAP Connections
by Justin Willmert
Stephen Smalley wrote:
>On Tue, 2005-06-28 at 18:22 -0500, Justin Willmert wrote:
>
>
>>Does anybody know of any problems with the new SELinux installed in
>>Fedora Core 4? I have OpenLDAP 2.2.23-5 installed and use it for my user
>>accounts. Fedora (through the system-auth PAM module and nsswitch) will
>>log in correctly, but dovecot (version 0.99.14-4.fc4) and apache
>>(version 2.0.54-10) cannot connect to the ldap server when SELinux is
>>enabled. I use dovecot-ldap.conf for dovecot to get the users and their
>>home directories. In Apache, I use basic authentication through LDAP to
>>protect a WebDAV accessible folder. For a long time, I thought Dovecot
>>wasn't working correctly, but after I set up Apache and it too didn't
>>work with OpenLDAP, I came to think that SELinux is blocking something.
>>Now the problem is I am not well enough informed about SELinux to be
>>able to debug where the problem may reside.
>>
>>This is the message I get in /var/log/maillog when SELinux is enabled:
>> Jun 28 17:21:14 netserv dovecot-auth: LDAP: ldap_result() failed:
>>Can't contact LDAP server
>>
>>And this is the error I get in /etc/httpd/logs/mydomain.com-error_log
>> [Tue Jun 28 17:21:37 2005] [warn] [client 192.168.1.1] [5962]
>>auth_ldap authenticate: user myuser authentication failed; URI
>>/calendars/ [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
>>
>>I can get you SELinux contexts for certain files if you need them, but I
>>don't have a clue on which ones to include.
>>
>>
>
>Look in /var/log/audit/audit.log, particularly for messages with the
>type=AVC prefix. SELinux permission denials are now logged there by the
>audit daemon (previously they would go to /var/log/messages). And
>report them to fedora-selinux-list.
>
>
>
Ok. I've been told (as you can see above) to report this problem to this
list instead of fedora-list (Just used a mailing list for the first time
yesterday, so I'm still learning about them). As you can see above, I'm
having a problem with SELinux and Dovecot and Apache. After looking
through my audit.log file, these are the lines I thought were most
important.
This is what I found concerning apache:
type=AVC msg=audit(1119048563.037:3670666): avc: denied {
name_connect } for pid=6051 comm="httpd" dest=389
scontext=root:system_r:httpd_t
tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SOCKETCALL msg=audit(1119048563.054:3670776): nargs=3 a0=19
a1=8347e80 a2=10
type=SOCKADDR msg=audit(1119048563.054:3670776):
saddr=02000185C0A801940000000000000000
type=SYSCALL msg=audit(1119048563.054:3670776): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bfcf1ad0 a2=3c94cb8 a3=19
items=0 pid=6052 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0
egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
And this is what I found concerning Dovecot:
type=AVC msg=audit(1119053800.290:1566630): avc: denied { read }
for pid=7472 comm="dovecot" name=stderr dev=tmpfs ino=2345
scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t
tclass=lnk_file
type=PATH msg=audit(1119053800.291:1566631): item=0 name="/dev"
inode=534 dev=00:0d mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1119053800.291:1566631): arch=40000003
syscall=33 success=no exit=-13 a0=94e8100 a1=2 a2=94e8100 a3=739ca0
items=1 pid=7472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 comm="dovecot" exe="/usr/sbin/dovecot"
type=AVC msg=audit(1119053800.291:1566631): avc: denied { write }
for pid=7472 comm="dovecot" name=/ dev=tmpfs ino=534
scontext=root:system_r:dovecot_t tcontext=system_u:object_r:device_t
tclass=dir
type=PATH msg=audit(1119053900.137:1641147): item=0
name="/dev/stderr" inode=534 dev=00:0d mode=040755 ouid=0 ogid=0
rdev=00:00
Both of these sets were repeated multiple times throughout the log.
Justin Willmert
selinux fedora 3 last update breaks some programs
by alberto passariello
i just upgraded my fedora core to
selinux-policy-targeted-1.17.30-3.13
and a java application I use now produces this message ...
Jun 27 10:23:43 tiger kernel: audit(1119860623.918:0): avc: denied
{ execmod } for pid=6218 comm=java path=/lib64/tls/libc-2.3.5.so
dev=sda2 ino=16780747 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:lib_t tclass=file
acrobat reader 7 produces this error
Jun 27 11:22:17 tiger kernel: audit(1119864137.180:0): avc: denied
{ execmod } for pid=18874 comm=acroread path=/lib/tls/libc-2.3.5.so
dev=sda2 ino=41946582 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:shlib_t tclass=file
how can I solve the problem?
----------------------------------------
Alberto Passariello
Byte Works Sistemi S.r.l.
Cisco Systems partner Premier certified
Viale Liegi 44,
00198 Roma
Tel: +39 6 863.863.22
Fax: +39 6 863.863.23
Email: apassariello(a)byworks.com
-----------------------------------------------
permission denied on shared library
by rich turner
i have installed a 3rd party application that worked with fc3 but no longer
works with fc4. i am getting the following error:
stio: error while loading shared libraries: /usr/lib/libstorix.so: cannot
restore segment prot after reloc: Permission denied.
when i run the command "setenforce 0" it works so my thoughts are that it is
not setup properly with selinux.
# ls -l /usr/lib/libstorix.so
lrwxrwxrwx 1 root root 28 Jun 26 05:14 /usr/lib/libstorix.so
-> /opt/storix/lib/libstorix.so
# ls -lZ /usr/lib/libstorix.so
lrwxrwxrwx root root
system_u:object_r:lib_t /usr/lib/libstorix.so
# ls -lZ /opt/storix/lib/libstorix.so
-rw-r--r-- root root
system_u:object_r:shlib_t /opt/storix/lib/libstorix.so
i have seen this error in a number of searches, and the most common solution
is to turn selinux off. there must be a better way to get this to work.
gssftp server on FC4
by Darrel Adams
I'm just trying to get my feet wet using Fedora Core. I want to set up a
test server for http, ftp, and possibly mail services. Any tips or guidance
would be great. I was able to get the httpd running but am having some
difficulty connecting to the ftp server. I get the following error:
Connected to 192.168.4.95
220 test06.rentawheel.us FTP server (Version 5.60) ready.
User (192.168.4.95:(none)): dadams
530 Must perform authentication before identifying USER.
Thanks,
Darrel
Cannot load shared library
by Davide Bolcioni
Greetings,
I have the following in /var/log/messages:
kernel: audit(...): avc: denied { execmod } for pid=14208 comm=hicgi
path=/opt/highway/bin/hssock.so dev=dm-2 ino=4177
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:bin_t
tclass=file
where "hicgi" is an executable attempting to load the shared library
"/opt/highway/bin/hssock.so" ... and failing. The contexts are:
# ls -Z hicgi
-rwx------ highway highway system_u:object_r:bin_t hicgi
# ls -Z hssock.so
-rwxr-xr-x highway highway system_u:object_r:bin_t hssock.so
Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.
Re: FC4 dhcp, firestarter and SE Linux permission denied messages
by Stephen Smalley
On Wed, 2005-06-29 at 09:38 -0400, David Niemi wrote:
> I appear to be having audit problems with some of the things that
> firestarter wants to do when starting up and SE Linux. Initially dhcpd
> was giving errors and I found that dhcpd.conf contained some really
> strange IP addresses (136.54.10.8, whois -> Ford motor company???) as
> the subnet, netmask, etc. Got that straightened out and firestarter
> appears to be starting though I haven't plugged my home network into it
> yet to check.
>
> I am still getting errors when in the graphical part of the boot when
> services are starting (sorry, don't know the proper name) from
> firestarter about cp and "resolv.conf.predhclient" and some output from
> the dhcpd.
>
> Checking /var/log/messages I have found ~57 lines like:
>
> Jun 29 08:55:24 localhost kernel: audit(1120049722.072:2): avc: denied
> { write } for pid=1791 comm="cp" name=resolv.conf.predhclient dev=hda3
> ino=680749 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:object_r:etc_runtime_t tclass=file
> Jun 29 08:55:24 localhost kernel: audit(1120049722.072:3): avc: denied
> { unlink } for pid=1791 comm="cp" name=resolv.conf.predhclient dev=hda3
> ino=680749 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:object_r:etc_runtime_t tclass=file
> Jun 29 08:55:24 localhost kernel: audit(1120049722.164:4): avc: denied
> { execute } for pid=1831 comm="sh" name=modprobe dev=hda3 ino=129716
> scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:object_r:insmod_exec_t tclass=file
>
> about modprobe and iptables also.
>
> I've read the messages about "Re: Can't bind to dhcp address: Permission
> denied??" and tried Alexander's disable and reenable the protection on
> dhcpd and it didn't work.
>
> All of the messages that I've kept from the past couple of weeks on dhcp
> haven't really helped, nor the messages about the policies.
>
> I've got VERY little knowledge of SE Linux policies, messages, and
> commands, so any help would be GREATLY appreciated
fedora-selinux-list is typically a better place to ask about SELinux
issues. cc'd.
--
Stephen Smalley
National Security Agency
seaudit crashes with segmentation fault
by john bray
i'm posting this per stephen's request:
On Mon, 2005-06-27 at 14:32 -0400, Stephen Smalley wrote:
> On Mon, 2005-06-27 at 13:15 -0500, John Bray wrote:
> > every time i try to run seaudit, it immediately crashes with a
> > segmentation fault. the following errors appear, with or without any
> > arguments on the commandline:
> >
> > [root@junior setools-2.1.0]# seaudit -l /var/log/messages
> > -p /etc/selinux/targeted/src/policy/policy.conf
> <snip>
> >
> > wonder if anyone has any ideas or suggestions?
>
> - Post to fedora-selinux-list for SELinux questions.
> - What is your base system, FC3 or FC4?
> - In FC4, unless you disable auditd, audit messages are sent by the
> kernel to auditd and are written by auditd to /var/log/audit/audit.log.
> - Not sure that seaudit has been updated for the associated changes.
>
thanks stephen. i didn't even know that there was such a list. :-)
it's FC4. clean install. auditd is running.
i guess i'd misunderstood. i'd thought that with it running, the
audit.log as well as to messages.
however, if i point at audit.log instead, it does NOT segfault, but
finds no messages either. :-)
thanks for your help. i will see about getting to the selinux list.
hope your day is going well.
john
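An added example, not code from any of the posts above, that does by hand what Stephen Smalley suggests and what seaudit apparently could not on FC4: pick the AVC records out of either the FC4 auditd format in /var/log/audit/audit.log or the FC3 kernel/syslog format in /var/log/messages, collapse them to the (source type, target type, class, permission) tuples a policy change would have to cover, and decode the hex saddr= of the type=SOCKADDR record Justin posted. The sample records are constructed here from lines quoted in this thread, re-joined onto single lines as they appear in the real log files.

```python
import re
from collections import Counter

# Matches both log styles quoted in this thread (the avc: part is identical in both):
#   FC4 auditd:  type=AVC msg=audit(1120137170.131:15862051): avc: denied { search } for pid=2381 comm="sh" ...
#   FC3 syslog:  Jun 27 10:23:43 tiger kernel: audit(1119860623.918:0): avc: denied { execmod } for pid=6218 comm=java ...
AVC_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
                    r"(?P<verdict>denied|granted)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Dict for one AVC record (its key=value fields plus ts/serial/verdict/perms), else None."""
    m = AVC_RE.search(line)
    if m is None:                      # SYSCALL, PATH, SOCKADDR and plain syslog lines
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')      # comm="sh" (FC4) and comm=java (FC3) both normalise
    return rec

def summarize_denials(lines):
    """Count denials per (source type, target type, class, permission): the tuple a rule or boolean must cover."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        stype, ttype = (c.split(":")[2] for c in (rec["scontext"], rec["tcontext"]))  # user:role:type
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm)] += 1
    return counts

def decode_saddr(hexstr):
    """Decode the saddr= hex of a type=SOCKADDR record (raw struct sockaddr).
    Only AF_INET (sa_family == 2) is handled; returns (ip, port) or None."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8 or int.from_bytes(raw[0:2], "little") != 2:  # sa_family is host order (x86)
        return None
    port = int.from_bytes(raw[2:4], "big")                        # sin_port is network order
    return ".".join(str(b) for b in raw[4:8]), port

# Constructed sample: single-line versions of records quoted in the posts above.
SAMPLE_LOG = [
    'type=AVC msg=audit(1120137170.131:15862051): avc: denied { search } for pid=2381 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t tcontext=system_u:object_r:home_root_t tclass=dir',
    'type=AVC msg=audit(1120137170.138:15862566): avc: denied { kill } for pid=2381 comm="killall" capability=5 scontext=root:system_r:apmd_t tcontext=root:system_r:apmd_t tclass=capability',
    'type=AVC msg=audit(1120137360.814:62404): avc: denied { search } for pid=2450 comm="sh" name=/ dev=hda3 ino=2 scontext=root:system_r:apmd_t tcontext=system_u:object_r:home_root_t tclass=dir',
    'Jun 27 10:23:43 tiger kernel: audit(1119860623.918:0): avc: denied { execmod } for pid=6218 comm=java path=/lib64/tls/libc-2.3.5.so dev=sda2 ino=16780747 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file',
    'type=AVC msg=audit(1119048563.037:3670666): avc: denied { name_connect } for pid=6051 comm="httpd" dest=389 scontext=root:system_r:httpd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket',
]
```

Running `summarize_denials` over a real audit.log turns thousands of repeated records into a handful of distinct tuples, which is the input you want before deciding whether a boolean, a file relabel, or a policy change is the right fix.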