selinux June 2005

selinux@lists.fedoraproject.org

83 participants
93 discussions

Big brother and httpd
by Tom Diehl 27 Jun '05

27 Jun '05

Hi, I am trying to get Big Brother working on EL4. I have the following in the httpd.conf Alias /bb /home/bb/bb/www With SELinux enabled I get the following in the logs when I try to access the BB web page : Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { search } for pid=23158 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { getattr } for pid=23158 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir If I disable SELinux for apache, I can access the BB web pages just fine. I relabeled /home/bb/bb/www but I still get the errors. (pocono pts31) # ll -Z ~bb/bb/www -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-ack.sh -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-hist.sh -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-histlog.sh -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-hostsvc.sh -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-rep.sh -rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-replog.sh -rw-rw-r-- bb bb user_u:object_r:user_home_t bb.html -rw-rw-r-- bb bb user_u:object_r:user_home_t bb2.html drwxr-xr-x bb bb root:object_r:httpd_sys_content_t gifs drwxr-xr-x bb bb root:object_r:httpd_sys_content_t help drwxr-xr-x bb bb root:object_r:httpd_sys_content_t html -rw-r--r-- bb bb root:object_r:httpd_sys_content_t index.html drwxr-xr-x bb bb root:object_r:httpd_sys_content_t newbldg drwxr-xr-x bb bb root:object_r:httpd_sys_content_t notes drwxrwxr-x bb apache root:object_r:httpd_sys_content_t rep drwxr-xr-x bb bb root:object_r:httpd_sys_content_t reynolds drwxr-xr-x bb bb root:object_r:httpd_sys_content_t rogueind drwxr-xr-x bb bb root:object_r:httpd_sys_content_t routers drwxr-xr-x bb bb root:object_r:httpd_sys_content_t xo (pocono pts31) # I tried relabeling bb.html and bb2.html but they keep reverting to user_u:object_r:user_home_t. I suspect this is my problem but I am new to SELinux so I am not sure. Can someone suggest how to fix this?? Regards, Tom Diehl tdiehl(a)rogueind.com Spamtrap address mtd123(a)rogueind.com

5 12

hal+selinux problems
by dragoran 27 Jun '05

27 Jun '05

I have a very strange problem: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161781 in dmesg I see: kernel: audit(1119866301.866:4): avc: denied { write } for pid=3389 comm="hald" name=[25057] dev=pipefs ino=25057 scontext=root:system_r:hald_t tcontext=root:system_r:unconfined_t tclass=fifo_file I am running fc4+lastest policy target. I also tryed to relabel but nothing seems to help.

1 0

problem connecting to a sql server (httpd / php / freetds )
by Riccardo Penco 27 Jun '05

27 Jun '05

Hi all, It's the first time I write to this list, I'm absolutely not a SELinux expert, so I apologize if my question is poor (and for my english). I'm running a server with FC3 (fully updated). I wrote php scripts which connect to a MS-SQL Server 2k with FreeTDS (I installed the binary downloaded from http://phprpms.sf.net) They worked right. This morning (after a reboot of the Linux server), the scripts can no longer connect to the sql server; in /var/log/messages appear these avc lines when I try to connect: kernel: audit(1119598362.919:0): avc: denied { connect } for pid=3571 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket Can anybody help me understand where is the problem? Thank You very much Riki

4 6

dhcpd with selinux-policy-targeted-1.17.30-3.9 in FC3
by Alex Charrett 27 Jun '05

27 Jun '05

Hi All, Ever since I've upgraded to selinux-policy-targeted-1.17.30-3.9 in FC3, selinux seems to be preventing me starting dhcpd: audit(1119637866.872:0): avc: denied { name_bind } for pid=3842 exe=/usr/sbin/dhcpd src=67 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket Running audit2allow over this gives me the follwing: allow dhcpd_t reserved_port_t:udp_socket name_bind; But I can't work out what configuration file to put this in, any pointers would be much appreciated. Is there any reason updating the policy should prevent dhcpd from running, was that the intention? It certainly would seem like a funny thing do to do me. Cheers, Alex.

2 3

FC4: losetup does not work anymore
by Stefan Hoelldampf 26 Jun '05

26 Jun '05

Hi, after the FC3->FC4 upgrade losetup does not work anymore: # losetup /dev/loop0 test.img audit(1118949662.609:50): avc: denied { search } for pid=24032 comm="losetup" name=root dev=dm-0 ino=1775393 scontext=root:system_r:fsadm_t tcontext=root:object_r:user_home_dir_t tclass=dir loop: can't open device test.img: Permission denied Any hints? TIA, Stefan

2 1

Problem encountered with x-windows in Fedora FC4
by Abe Drier 26 Jun '05

26 Jun '05

I'll begin by mentioning my system works fine under FC3. I currently have a dual boot system with FC3 and FC4. Trying to do the clean FC4 install using the windowing option resulted in a white screen. Retried the installation in text mode and the installation completed successfully. When the system booted, post installation, the same white screen reappeared. Rebooted with "init 3" to come up in text mode. Only one anomaly was noted. About every fifth keyboard entry results in the appearance of one white square character in the center of the screen that lasts for one keystroke. Tried "startx" and was confronted with the white screen. Switching to a virtual console results in a confused mess of blue and gray box characters. Can log in successfully after which the screen has a blue border with a working screen within the border. The first few pixels of the character that should be on the left edge are actually on the right edge. That is the first character of the line is split on the right and left edge. The "xorg.conf" configuration file is the same in FC3 and FC4. So for the moment I am perplexed. The hardware is the same and the configuration file is the same. I have appended the configuration file. Any suggestions would be most welcome. (I have installed all the updates as of June 25 2005. I can't execute system-config-display from the console in that I get a white screen. Was unable to locate xorgcfg or xorgsetup in Fedora as mentioned on the x.org site.) ===================================================================== # XFree86 4 configuration created by pyxf86config Section "ServerLayout" Identifier "Default Layout" Screen 0 "Screen0" 0 0 InputDevice "Mouse0" "CorePointer" InputDevice "Keyboard0" "CoreKeyboard" EndSection Section "Files" # RgbPath is the location of the RGB database. Note, this is the name of the # file minus the extension (like ".txt" or ".db"). There is normally # no need to change the default. # Multiple FontPath entries are allowed (they are concatenated together) # By default, Red Hat 6.0 and later now use a font server independent of # the X server to render fonts. RgbPath "/usr/X11R6/lib/X11/rgb" FontPath "unix/:7100" EndSection Section "Module" Load "dbe" Load "extmod" Load "fbdevhw" Load "glx" Load "record" Load "freetype" Load "type1" Load "dri" EndSection Section "InputDevice" # Specify which keyboard LEDs can be user-controlled (eg, with xset(1)) # Option "Xleds" "1 2 3" # To disable the XKEYBOARD extension, uncomment XkbDisable. # Option "XkbDisable" # To customise the XKB settings to suit your keyboard, modify the # lines below (which are the defaults). For example, for a non-U.S. # keyboard, you will probably want to use: # Option "XkbModel" "pc102" # If you have a US Microsoft Natural keyboard, you can use: # Option "XkbModel" "microsoft" # # Then to change the language, change the Layout setting. # For example, a german layout can be obtained with: # Option "XkbLayout" "de" # or: # Option "XkbLayout" "de" # Option "XkbVariant" "nodeadkeys" # # If you'd like to switch the positions of your capslock and # control keys, use: # Option "XkbOptions" "ctrl:swapcaps" # Or if you just want both to be control, use: # Option "XkbOptions" "ctrl:nocaps" # Identifier "Keyboard0" Driver "kbd" Option "XkbModel" "pc105" Option "XkbLayout" "us" EndSection Section "InputDevice" Identifier "Mouse0" Driver "mouse" Option "Protocol" "IMPS/2" Option "Device" "/dev/input/mice" Option "ZAxisMapping" "4 5" Option "Emulate3Buttons" "yes" EndSection Section "Monitor" Identifier "Monitor0" VendorName "Monitor Vendor" ModelName "Sony CPD-200SF" DisplaySize 330 240 HorizSync 30.0 - 80.0 VertRefresh 50.0 - 120.0 Option "dpms" EndSection Section "Device" Identifier "Videocard0" Driver "trident" VendorName "Videocard vendor" BoardName "Trident CyberBlade (generic)" EndSection Section "Screen" Identifier "Screen0" Device "Videocard0" Monitor "Monitor0" DefaultDepth 24 SubSection "Display" Viewport 0 0 Depth 16 Modes "800x600" "640x480" EndSubSection SubSection "Display" Viewport 0 0 Depth 24 Modes "1024x768" "800x600" "640x480" EndSubSection EndSection Section "DRI" Group 0 Mode 0666 EndSection

1 1

where is ping.te in targeted policy FC4
by James Z. Li 26 Jun '05

26 Jun '05

Hi all, I just installed FC4. In strict policy, both ping.te and ping.fc exist. However, in targeted policy, I also find ping.fc file, which label ping binary files as the type ping_exec_t. Since there is no ping.te file, where is ping_exec_t defined? Thanks, James

1 0

SELINUX with APACHE and PHPBB
by Tiziano 25 Jun '05

25 Jun '05

2 1

Weird denials at initialisation on FC4
by Bojan Smojver 25 Jun '05

25 Jun '05

First a bit of background. I have been experimenting on this system with suspend2 patches, which caused my root filesystem (which sits on /dev/hda2) to go nuts (probably not the fault of suspend2 patches, but rather my unusual experiments with it). The file system check would report "Resize inode invalid", which appears to be one of those conditions where e2fsck doesn't know what to do and gives up. Anyway, after a while and because I could still mount that file system, I decided to copy all files to another file system (from the rescue mode), recreate the file system and copy all the files back, while preserving ownership, permissions, attributes etc. After that, I stared my system with selinux=0, which stuffed up (on purpose) some SELinux attributes, which then forced relabelling on the next reboot. Just to be sure I'm back on the baseline. All right, one would think that I would have a fully working system and no issues whatsoever after this with targeted policy. Well, everything I do actually does work, it's just that I get the following strange stuff happening at boot: ------------------------------------------------ security: 3 users, 6 roles, 775 types, 89 bools security: 55 classes, 183262 rules SELinux: Completing initialization. SELinux: Setting up existing superblocks. SELinux: initialized (dev hda2, type ext3), uses xattr SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts SELinux: initialized (dev mqueue, type mqueue), not configured for labeling SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labelin g SELinux: initialized (dev devpts, type devpts), uses transition SIDs SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts SELinux: initialized (dev pipefs, type pipefs), uses task SIDs SELinux: initialized (dev sockfs, type sockfs), uses task SIDs SELinux: initialized (dev proc, type proc), uses genfs_contexts SELinux: initialized (dev bdev, type bdev), uses genfs_contexts SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts audit(1119689719.414:2): avc: denied { search } for pid=465 comm="hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir audit(1119689719.420:3): avc: denied { search } for pid=468 comm="default.hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir audit(1119689719.427:4): avc: denied { search } for pid=466 comm="hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir audit(1119689719.434:5): avc: denied { search } for pid=470 comm="default.hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir [... SNIP ...] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts ------------------------------------------------ The above denials actually go on for 40 lines. They all appear to be referring to inode 439777 on /dev/hda2, which I could not locate with find. Anyone has any ideas as to what's going on here? -- Bojan

2 2

dhcpd with selinux-policy-targeted-1.17.30-3.9 in FC3
by Alex Charrett 24 Jun '05

24 Jun '05

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2005