Big brother and httpd
by Tom Diehl
Hi,
I am trying to get Big Brother working on EL4. I have the following in
the httpd.conf
Alias /bb /home/bb/bb/www
With SELinux enabled I get the following in the logs when I try to access
the BB web page:
Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { search } for pid=23158 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { getattr } for pid=23158 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
If I disable SELinux for apache, I can access the BB web pages just fine.
I relabeled /home/bb/bb/www but I still get the errors.
(pocono pts31) # ll -Z ~bb/bb/www
-rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-ack.sh
-rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-hist.sh
-rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-histlog.sh
-rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-hostsvc.sh
-rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-rep.sh
-rwxr-xr-x bb bb root:object_r:httpd_sys_content_t bb-replog.sh
-rw-rw-r-- bb bb user_u:object_r:user_home_t bb.html
-rw-rw-r-- bb bb user_u:object_r:user_home_t bb2.html
drwxr-xr-x bb bb root:object_r:httpd_sys_content_t gifs
drwxr-xr-x bb bb root:object_r:httpd_sys_content_t help
drwxr-xr-x bb bb root:object_r:httpd_sys_content_t html
-rw-r--r-- bb bb root:object_r:httpd_sys_content_t index.html
drwxr-xr-x bb bb root:object_r:httpd_sys_content_t newbldg
drwxr-xr-x bb bb root:object_r:httpd_sys_content_t notes
drwxrwxr-x bb apache root:object_r:httpd_sys_content_t rep
drwxr-xr-x bb bb root:object_r:httpd_sys_content_t reynolds
drwxr-xr-x bb bb root:object_r:httpd_sys_content_t rogueind
drwxr-xr-x bb bb root:object_r:httpd_sys_content_t routers
drwxr-xr-x bb bb root:object_r:httpd_sys_content_t xo
(pocono pts31) #
I tried relabeling bb.html and bb2.html but they keep reverting to
user_u:object_r:user_home_t. I suspect this is my problem but I am new
to SELinux so I am not sure.
Can someone suggest how to fix this?
Regards,
Tom Diehl tdiehl(a)rogueind.com Spamtrap address mtd123(a)rogueind.com
17 years, 9 months
hal+selinux problems
by dragoran
I have a very strange problem:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161781
in dmesg I see:
kernel: audit(1119866301.866:4): avc: denied { write } for pid=3389 comm="hald" name=[25057] dev=pipefs ino=25057 scontext=root:system_r:hald_t tcontext=root:system_r:unconfined_t tclass=fifo_file
I am running FC4 + latest targeted policy.
I also tried to relabel but nothing seems to help.
17 years, 9 months
problem connecting to a sql server (httpd / php / freetds )
by Riccardo Penco
Hi all,
It's the first time I write to this list. I'm absolutely not an SELinux
expert, so I apologize if my question is poor (and for my English).
I'm running a server with FC3 (fully updated).
I wrote php scripts which connect to a MS-SQL Server 2k with FreeTDS (I
installed the binary downloaded from http://phprpms.sf.net).
They worked right.
This morning (after a reboot of the Linux server), the scripts can no
longer connect to the SQL server; these avc lines appear in
/var/log/messages when I try to connect:
kernel: audit(1119598362.919:0): avc: denied { connect } for pid=3571 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Can anybody help me understand where the problem is?
Thank You very much
Riki
17 years, 9 months
dhcpd with selinux-policy-targeted-1.17.30-3.9 in FC3
by Alex Charrett
Hi All,
Ever since I've upgraded to selinux-policy-targeted-1.17.30-3.9 in FC3,
selinux seems to be preventing me starting dhcpd:
audit(1119637866.872:0): avc: denied { name_bind } for pid=3842 exe=/usr/sbin/dhcpd src=67 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Running audit2allow over this gives me the following:
allow dhcpd_t reserved_port_t:udp_socket name_bind;
But I can't work out what configuration file to put this in, any pointers
would be much appreciated.
Is there any reason updating the policy should prevent dhcpd from running?
Was that the intention? It certainly would seem like a funny thing to do
to me.
Cheers,
Alex.
17 years, 9 months
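The audit2allow step Alex describes, and the httpd denials Tom posted in the first thread, both come down to the same transformation: pull the permission, scontext, tcontext and tclass out of each "avc: denied" record, take the type field of each context, and fold records with the same (source type, target type, class) into one allow rule. Below is an added example of that transformation in Python; it is not code from the thread and not audit2allow itself. The sample log lines are the ones quoted in the posts above, re-joined onto single lines (the archive wrapped them); the function and variable names are this example's own.

```python
import re

# Constructed sample input: the AVC records quoted in the threads above,
# each re-joined onto one line. The last entry is deliberate noise.
SAMPLE_AVC_LINES = [
    'Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir',
    'Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir',
    'audit(1119637866.872:0): avc: denied { name_bind } for pid=3842 exe=/usr/sbin/dhcpd src=67 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket',
    'kernel: audit(1119866301.866:4): avc: denied { write } for pid=3389 comm="hald" name=[25057] dev=pipefs ino=25057 scontext=root:system_r:hald_t tcontext=root:system_r:unconfined_t tclass=fifo_file',
    'kernel: audit(1119598362.919:0): avc: denied { connect } for pid=3571 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket',
    'Jun 25 18:44:24 pocono kernel: this line is not an AVC record and must be ignored',
]

# "avc: denied { perm [perm ...] } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# Values are bare tokens, "quoted" (comm="hald") or [bracketed] (name=[25057]).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\[[^\]]*\]|\S+)')


def context_type(ctx):
    """Return the type of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {ctx!r}')
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': m.group('perms').split(),
        'fields': fields,
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def avc_to_allow_rules(lines):
    """Fold denials into allow rules, one per (source, target, class)."""
    rules = {}  # insertion-ordered: rules come out in first-seen order
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        perms = rules.setdefault(key, [])
        for p in rec['perms']:
            if p not in perms:
                perms.append(p)
    out = []
    for (stype, ttype, tclass), perms in rules.items():
        # A domain denied access to its own type is written as "self".
        target = 'self' if stype == ttype else ttype
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return out


if __name__ == '__main__':
    for rule in avc_to_allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

The output for the sample is a rule per thread: the dhcpd line reproduces the `allow dhcpd_t reserved_port_t:udp_socket name_bind;` that audit2allow gave Alex, and the two httpd lines fold into `allow httpd_t user_home_t:dir { search getattr };`. That second rule is also why the generated rules need reading before loading: the target type `user_home_t` says the web content is mislabelled, and the fix is to get the files labelled `httpd_sys_content_t` so they stay that way, not to let httpd_t read home directories wholesale. The dhcpd case is the opposite, a genuine policy gap that has to be fixed in the policy itself (on the FC3/FC4 targeted policy of the time that meant the policy sources package and a rebuild, since loadable modules came later).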
FC4: losetup does not work anymore
by Stefan Hoelldampf
Hi,
after the FC3->FC4 upgrade losetup does not work anymore:
# losetup /dev/loop0 test.img
audit(1118949662.609:50): avc: denied { search } for pid=24032 comm="losetup" name=root dev=dm-0 ino=1775393 scontext=root:system_r:fsadm_t tcontext=root:object_r:user_home_dir_t tclass=dir
loop: can't open device test.img: Permission denied
Any hints?
TIA,
Stefan
17 years, 9 months
Problem encountered with x-windows in Fedora FC4
by Abe Drier
I'll begin by mentioning my system works fine under FC3. I currently
have a dual boot system with FC3 and FC4.
Trying to do the clean FC4 install using the windowing option resulted
in a white screen. Retried the installation in text mode and the
installation completed successfully. When the system booted, post
installation, the same white screen reappeared.
Rebooted with "init 3" to come up in text mode. Only one anomaly was
noted. About every fifth keyboard entry results in the appearance of
one white square character in the center of the screen that lasts for
one keystroke.
Tried "startx" and was confronted with the white screen. Switching to a
virtual console results in a confused mess of blue and gray box
characters. Can log in successfully after which the screen has a blue
border with a working screen within the border. The first few pixels of
the character that should be on the left edge are actually on the right
edge. That is the first character of the line is split on the right and
left edge.
The "xorg.conf" configuration file is the same in FC3 and FC4. So for
the moment I am perplexed. The hardware is the same and the
configuration file is the same. I have appended the configuration file.
Any suggestions would be most welcome.
(I have installed all the updates as of June 25 2005. I can't execute
system-config-display from the console in that I get a white screen.
Was unable to locate xorgcfg or xorgsetup in Fedora as mentioned on the
x.org site.)
=====================================================================
# XFree86 4 configuration created by pyxf86config
Section "ServerLayout"
Identifier "Default Layout"
Screen 0 "Screen0" 0 0
InputDevice "Mouse0" "CorePointer"
InputDevice "Keyboard0" "CoreKeyboard"
EndSection
Section "Files"
# RgbPath is the location of the RGB database. Note, this is the name of the
# file minus the extension (like ".txt" or ".db"). There is normally
# no need to change the default.
# Multiple FontPath entries are allowed (they are concatenated together)
# By default, Red Hat 6.0 and later now use a font server independent of
# the X server to render fonts.
RgbPath "/usr/X11R6/lib/X11/rgb"
FontPath "unix/:7100"
EndSection
Section "Module"
Load "dbe"
Load "extmod"
Load "fbdevhw"
Load "glx"
Load "record"
Load "freetype"
Load "type1"
Load "dri"
EndSection
Section "InputDevice"
# Specify which keyboard LEDs can be user-controlled (eg, with xset(1))
# Option "Xleds" "1 2 3"
# To disable the XKEYBOARD extension, uncomment XkbDisable.
# Option "XkbDisable"
# To customise the XKB settings to suit your keyboard, modify the
# lines below (which are the defaults). For example, for a non-U.S.
# keyboard, you will probably want to use:
# Option "XkbModel" "pc102"
# If you have a US Microsoft Natural keyboard, you can use:
# Option "XkbModel" "microsoft"
#
# Then to change the language, change the Layout setting.
# For example, a german layout can be obtained with:
# Option "XkbLayout" "de"
# or:
# Option "XkbLayout" "de"
# Option "XkbVariant" "nodeadkeys"
#
# If you'd like to switch the positions of your capslock and
# control keys, use:
# Option "XkbOptions" "ctrl:swapcaps"
# Or if you just want both to be control, use:
# Option "XkbOptions" "ctrl:nocaps"
#
Identifier "Keyboard0"
Driver "kbd"
Option "XkbModel" "pc105"
Option "XkbLayout" "us"
EndSection
Section "InputDevice"
Identifier "Mouse0"
Driver "mouse"
Option "Protocol" "IMPS/2"
Option "Device" "/dev/input/mice"
Option "ZAxisMapping" "4 5"
Option "Emulate3Buttons" "yes"
EndSection
Section "Monitor"
Identifier "Monitor0"
VendorName "Monitor Vendor"
ModelName "Sony CPD-200SF"
DisplaySize 330 240
HorizSync 30.0 - 80.0
VertRefresh 50.0 - 120.0
Option "dpms"
EndSection
Section "Device"
Identifier "Videocard0"
Driver "trident"
VendorName "Videocard vendor"
BoardName "Trident CyberBlade (generic)"
EndSection
Section "Screen"
Identifier "Screen0"
Device "Videocard0"
Monitor "Monitor0"
DefaultDepth 24
SubSection "Display"
Viewport 0 0
Depth 16
Modes "800x600" "640x480"
EndSubSection
SubSection "Display"
Viewport 0 0
Depth 24
Modes "1024x768" "800x600" "640x480"
EndSubSection
EndSection
Section "DRI"
Group 0
Mode 0666
EndSection
17 years, 9 months
where is ping.te in targeted policy FC4
by James Z. Li
Hi all,
I just installed FC4. In strict policy, both ping.te and ping.fc
exist. However, in targeted policy, I also find the ping.fc file,
which labels ping binary files as the type ping_exec_t. Since
there is no ping.te file, where is ping_exec_t defined?
Thanks,
James
17 years, 9 months
Weird denials at initialisation on FC4
by Bojan Smojver
First a bit of background. I have been experimenting on this system with
suspend2 patches, which caused my root filesystem (which sits
on /dev/hda2) to go nuts (probably not the fault of suspend2 patches,
but rather my unusual experiments with it). The file system check would
report "Resize inode invalid", which appears to be one of those
conditions where e2fsck doesn't know what to do and gives up. Anyway,
after a while and because I could still mount that file system, I
decided to copy all files to another file system (from the rescue mode),
recreate the file system and copy all the files back, while preserving
ownership, permissions, attributes etc. After that, I started my system
with selinux=0, which stuffed up (on purpose) some SELinux attributes,
which then forced relabelling on the next reboot. Just to be sure I'm
back on the baseline.
All right, one would think that I would have a fully working system and
no issues whatsoever after this with targeted policy. Well, everything I
do actually does work, it's just that I get the following strange stuff
happening at boot:
------------------------------------------------
security: 3 users, 6 roles, 775 types, 89 bools
security: 55 classes, 183262 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev hda2, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for labeling
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1119689719.414:2): avc: denied { search } for pid=465 comm="hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
audit(1119689719.420:3): avc: denied { search } for pid=468 comm="default.hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
audit(1119689719.427:4): avc: denied { search } for pid=466 comm="hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
audit(1119689719.434:5): avc: denied { search } for pid=470 comm="default.hotplug" name=proc dev=hda2 ino=439777 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:default_t tclass=dir
[... SNIP ...]
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
------------------------------------------------
The above denials actually go on for 40 lines. They all appear to be
referring to inode 439777 on /dev/hda2, which I could not locate with
find.
Does anyone have any ideas as to what's going on here?
--
Bojan
17 years, 9 months