Individual Domains for Particular PHP Scripts.
by Tobias
Hi SELinux users!
I've read:
http://fedora.redhat.com/docs/selinux-apache-fc3/sn-further-approaches.ht...
My Testbed: FC4 with selinux-policy-strict-sources-1.23.16-6.
My Steps:
#ls -laZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_php_script_a_t a.php
-rw-r--r-- root root system_u:object_r:httpd_php_script_b_t b.php
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t index.html
#cat a.php
<?php
// try to read a file labelled for the other PHP domain
$fp = fopen("b.php", "r");
if ($fp)
{
    echo "sorry, could access the another domain :-(";
    fclose($fp); // only close a handle that was actually opened
}
?>
#cat myphp.te
# file types httpd_php_script_x_t
type httpd_php_script_a_t, file_type, sysadmfile;
type httpd_php_script_b_t, file_type, sysadmfile;
# process domains httpd_php_domain_x_t
type httpd_php_domain_a_t, domain, privmail;
type httpd_php_domain_b_t, domain, privmail;
# allow apache access to the new types
allow httpd_t httpd_php_script_a_t:file { getattr read };
allow httpd_t httpd_php_script_b_t:file { getattr read };
# authorize system_r for httpd_php_domain_x_t
role system_r types httpd_php_domain_a_t;
role system_r types httpd_php_domain_b_t;
# domain auto transition: each script type into its own domain
domain_auto_trans(httpd_t, httpd_php_script_a_t, httpd_php_domain_a_t);
domain_auto_trans(httpd_t, httpd_php_script_b_t, httpd_php_domain_b_t);
# make reload
#cat /selinux/enforce
1
Now, I'd expect an error or access denied on browser access
to http://localhost/a.php, but a.php reports "sorry, could access
the another domain :-(". Neither AVC denied messages nor any other errors.
What's wrong in my policy? Doesn't the domain auto transition work
properly? How to separate PHP scripts into their own domains?
Any Help welcome! Thanks in Advance!
Toby
--
TobyD
ftp,smb and atalk stopped working in FC4
by pi
From FC4 ftp seems to be part of the selinux-policy. I have managed the
httpd part of it, getting different user/public_html to work, so I know
the syntax to make them ok. When it comes to ftp I cannot find anything
to read up on, and the same goes for smb, which I need for some PCs, and
atalk for Macs.
I installed proftpd in favor of vsftpd.
I know I can turn SELinux protection off for the specified services,
but I want it. Can anyone hint me in the right direction here, where I
can read up on it?
Regards
/pi
squirrelmail not working after policy update
by Bob Kashani
FC3 selinux-policy-targeted-1.17.30-3.9
Arrgh...squirrelmail is not working. I ran audit2allow and it told me to
add this:
allow httpd_t self:tcp_socket connect;
Which makes everything work now. Is this correct?
Here is the AVC error that I was getting:
Jun 17 18:32:26 sorcerer kernel: audit(1119058346.336:0): avc: denied { connect } for pid=3388 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Bob
--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
selinux can't auto load at system bootup.
by huang mingyou
Hello, all.
My system is trustix3.0. I use the 2.6.11.11 kernel and use
SELinux. I installed the SELinux package, but SELinux can't auto load
at system bootup. I can't find where the error is. Please help me.
problem with selinux-policy-targeted FC3
by Peter Magnusson
I run FC3 on a box. I have SELinux enabled. The last selinux-policy-targeted
fucked up so my webserver didn't start; I think it's very irresponsible of
the fedora team to fuck up a lot of people's httpds like this.
I have;
apt-get update &>/dev/null
apt-get upgrade -y
in cron.daily.
I have many vhosts. All are in /www, like /www/domain1.net, /www/domain2.net
and so on. If it matters, it's NFS exported to another computer running FC3.
No, I don't wanna move it to /var/www.
It would say;
Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
Jun 19 00:32:27 sysbabe kernel: audit(1119133946.359:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] does not exist
Jun 19 00:32:27 sysbabe kernel: audit(1119133946.361:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
on EACH subdir inside /www. I know nothing about SELinux, only restorecon.
I tried restorecon -R /www/ but it didn't help.
I got some help on irc (thanks again) and did
setsebool -P httpd_disable_trans 1 and now the webserver at least works. But
I guess the PROPER way would be to set system_r:httpd_t perms on all files
inside /www? But how do I do that without rebooting?
touch /.autorelabel and reboot... is a reboot.
fc4 samba errors { read write } { search } { remove_name } - second part
by lastic miles
Hello!
I found some things. With the command 'audit2allow'
and the log I've got these rules:
allow nmbd_t devpts_t:chr_file { read write };
allow smbd_t devpts_t:chr_file { read write };
allow smbd_t nscd_var_run_t:dir search;
allow smbd_t samba_log_t:dir remove_name;
How and where to apply them into the security policy
on my fc4?
Thanks!
--
L. Miles
problems with selinux and amsn
by Felipe Sánchez
Hi there, well I think I have a problem with the SELinux policy and amsn. It turns
out that after one upgrade amsn stopped working; then it says that I have to
download the TLS module, which I had before. I download it but it keeps doing
the same. Then I googled a little and some people had that problem and fixed
it by installing another TLS module; I installed tls1.5, nothing happened. I
use Fedora 3. Then I tried in Fedora 4 and I have the same problem. Really I
need some help, my sister is killing ME!!!! ;-) we only use linux...
NIS trouble after update of targeted policy
by Aleksandar Milivojevic
In continuation of my previous mail to this list (the subject was
"selinux-policy-targeted and logrotate", but it was really more about upgrading
from 1.17.30-2.88 to 1.17.30-3.6).
After I upgraded to selinux-policy-targeted-1.17.30-3.6 (Daniel's rhel4u2 RPM),
several applications controlled by the targeted policy started complaining about
something that looks like lookups to NIS maps being denied. The testing box in
question is in permissive mode, so there might be many more of those for boxes
running in enforcing mode.
The logs are in the attachment.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Jun 17 10:06:58 mybox kernel: audit(1119020818.412:0): avc: denied { search } for pid=2542 comm=ntpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:06:58 mybox kernel: audit(1119020818.415:0): avc: denied { read } for pid=2542 comm=ntpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:06:58 mybox kernel: audit(1119020818.419:0): avc: denied { name_bind } for pid=2542 comm=ntpd src=1022 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:06:58 mybox kernel: audit(1119020818.422:0): avc: denied { name_bind } for pid=2542 comm=ntpd src=1023 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 17 10:06:59 mybox kernel: audit(1119020819.077:0): avc: denied { search } for pid=2576 comm=postmaster name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:postgresql_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 17 10:07:07 mybox kernel: audit(1119020827.010:0): avc: denied { search } for pid=2642 comm=httpd name=nscd dev=dm-2 ino=464004 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc: denied { search } for pid=2827 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:07:12 mybox kernel: audit(1119020832.905:0): avc: denied { read } for pid=2827 comm=httpd name=milivojevic.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc: denied { name_bind } for pid=2827 comm=httpd src=883 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=udp_socket
Jun 17 10:07:12 mybox kernel: audit(1119020832.906:0): avc: denied { name_bind } for pid=2827 comm=httpd src=884 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
Jun 17 10:07:12 mybox kernel: audit(1119020832.907:0): avc: denied { connect } for pid=2827 comm=httpd lport=884 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Jun 17 10:07:13 mybox kernel: audit(1119020833.376:0): avc: denied { name_bind } for pid=2891 comm=httpd src=953 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:rndc_port_t tclass=tcp_socket
Jun 17 10:09:05 mybox kernel: audit(1119020945.663:0): avc: denied { search } for pid=2887 comm=httpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
selinux-policy-targeted and logrotate
by Aleksandar Milivojevic
I've installed selinux-policy-targeted-1.17.30-2.88 from RHEL4 U1 on my system.
It fixed a number of problems with /tmp mounted as tmpfs (and hence having the
context tmpfs_t instead of tmp_t). However, I'm still noticing one problem.
Logrotate postrotate scripts fail. Log files show it was SELinux blocking
them:
Jun 16 04:02:23 mybox kernel: audit(1118912543.190:0): avc: denied { associate } for pid=28151 comm=logrotate name=logrotate.8npXq2 scontext=system_u:object_r:var_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
Jun 17 04:02:18 mybox kernel: audit(1118998938.340:0): avc: denied { associate } for pid=6006 comm=logrotate name=logrotate.aNF9be scontext=system_u:object_r:var_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem
As I was typing this email, I noticed Daniel already has a SELinux/RHEL4/u2
directory, and the changelog indicated the problem with logrotate and tmpfs was
tackled after version 1.17.30-2.88 was released. So I downloaded
selinux-policy-targeted-1.17.30-3.6 and installed it on a test system. I noticed
a small problem with the postinstall script. It calls /sbin/restorecon, and it
seems to be relabeling all my file systems as I type this (taking a looong time).
Not sure if this would be a good idea on production systems that might have some
directories with custom labels. For example, I have a chrooted Apache on one of
my systems, and relabeling would destroy it since all the files in the chroot
jail would be reset to wrong labels. Also, if I used chcon to give some
application access to files in a non-default area, relabeling the entire file
system would trash those too.
Another problem I noticed was that the file_contexts and policy.18 files were
created as dot rpmnew, and then restorecon complains about "invalid labels" or
something like that (can't cut&paste it or look up the exact wording, it scrolled
off very fast, I hardly spotted that rpmnew thing). I guess there are some new
types defined in the updated policy, but since the policy file was created as
rpmnew, the script simply reloaded the old policy file, and the kernel didn't
know about the new types.
Anyhow, I believe I had the original policy.18 and file_contexts as installed by
the previous version of the package. Shouldn't RPM in this case install the new
files instead of creating them as rpmnew?
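Several posts in this digest (the squirrelmail, /www DocumentRoot, samba and NIS threads) paste AVC denials and ask what audit2allow makes of them. The script below is an added example written for this page; it is not code from any of the posters and not the audit2allow tool itself. It parses kernel AVC lines of the form quoted above, groups denied permissions by (source type, target type, object class) and renders candidate allow rules the way audit2allow does, with one addition audit2allow did not make in that era: denials whose target type is in the example's own MISLABEL_HINT set (default_t and friends) are reported as probable labelling problems rather than turned into rules, because an httpd_t denial against default_t, as in the /www thread, is fixed by relabelling, not by widening the policy. The sample log lines are constructed for this example and modelled on the denials in the thread.

```python
"""Turn SELinux AVC denial lines into audit2allow-style rules, with a
mislabel check. Added example: not from the mailing-list thread and not the
real audit2allow implementation."""
import re
from collections import defaultdict

# Matches the kernel AVC format quoted in the thread:
#   ... avc: denied { search read } for pid=... scontext=u:r:t tcontext=u:r:t tclass=dir
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Target types that usually mean the object is mislabelled rather than the
# policy being too strict (heuristic chosen for this example).
MISLABEL_HINT = {"default_t", "file_t", "unlabeled_t"}

# Constructed sample log (hostnames, pids and file names are made up).
SAMPLE_LOG = """\
Jun 19 00:32:27 host kernel: audit(1119133946.358:0): avc: denied { search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Jun 17 18:32:26 host kernel: audit(1119058346.336:0): avc: denied { connect } for pid=3388 exe=/usr/sbin/httpd scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=tcp_socket
Jun 17 10:06:58 host kernel: audit(1119020818.412:0): avc: denied { search } for pid=2542 comm=ntpd name=yp dev=dm-2 ino=112001 scontext=user_u:system_r:ntpd_t tcontext=system_u:object_r:var_yp_t tclass=dir
Jun 17 10:06:58 host kernel: audit(1119020818.415:0): avc: denied { read } for pid=2542 comm=ntpd name=example.org.2 dev=dm-2 ino=112005 scontext=user_u:system_r:ntpd_t tcontext=user_u:object_r:var_yp_t tclass=file
Jun 17 10:06:59 host sshd[123]: Accepted publickey for alice from 192.0.2.10
"""


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type[:mls]; the type is the third component.
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm") or fields.get("exe", "?"),
        "name": fields.get("name", "?"),
    }


def render_rules(rules):
    """Render grouped permissions as allow rules; 'self' when types coincide."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def triage(lines):
    """Return (allow_rules, warnings): rules for genuine policy gaps,
    warnings for denials that point at mislabelled objects."""
    rules = defaultdict(set)
    warnings = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        if d["ttype"] in MISLABEL_HINT:
            msg = (f"{d['comm']} ({d['stype']}) denied {' '.join(sorted(d['perms']))} on "
                   f"{d['tclass']} name={d['name']} labelled {d['ttype']}: probably a "
                   "mislabelled object; relabel it (restorecon/chcon) instead of adding a rule")
            if msg not in warnings:
                warnings.append(msg)
            continue
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return render_rules(rules), warnings


if __name__ == "__main__":
    allow_rules, label_warnings = triage(SAMPLE_LOG.splitlines())
    print("\n".join(allow_rules))
    for w in label_warnings:
        print("WARNING:", w)
```

Run against the constructed sample it emits `allow httpd_t self:tcp_socket connect;` for the squirrelmail-style denial and two `ntpd_t`/`var_yp_t` rules for the NIS-style ones, while the `default_t` search denial from the /www case becomes a relabel warning instead of a rule. Review every emitted rule before loading it: audit2allow-style output only describes what was denied, not whether granting it is safe.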