locking down a secure-file-area
by Security News
OK, what I'm trying to do now is to lock down a particular directory,
so that only people in a certain role may use the files in that
directory. The best way I can see to do this is to have a user log in
and then "newrole" their way into the new secure-area domain.
Here's what I have done thus far...
1) chcon -t securefiles_t /home/testuser/securefiles
2) I edited the policy/users file to allow certain users into a
"secureuser_r" role.
3) I edited policy/rbac to "allow user_r secureuser_r"
I created a file called policy/domains/misc/securefiles.te with the following:
<start .te file>
type secureuser_t, domain;
type securefiles_t, file_type;
role secureuser_r types secureuser_t;
allow secureuser_t securefiles_t:dir *;
allow secureuser_t securefiles_t:file *;
domain_auto_trans(user_t, newrole_exec_t, secureuser_t)
role_tty_type_change(user, secureuser)
allow newrole_t secureuser_t:process transition;
</end .te file>
I am able to compile and load the policy, but when I log in as
testuser and attempt to "newrole -r secureuser_r -t secureuser_t" my
terminal screen closes instantly.
My error log:
avc: denied {transition} for pid=4044 exe=/usr/bin/newrole path=bin/bash ... scontext=testuser:user_r:newrole_t tcontext=testuser:secureuser_r:secureuser_t tclass=process
Any thoughts?
17 years, 11 months
Change Password mysql for squirrelmail not working
by Roger Grosswiler
Hey,
I try to change my SquirrelMail passwords via MySQL, which no longer works on
FC4. Could this be an SELinux issue? audit.log unfortunately doesn't help.
Here my booleans for httpd:
httpd_builtin_scripting --> active
httpd_can_network_connect --> active
httpd_disable_trans --> active
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
Thanks for your help.
Roger
17 years, 11 months
fc4 samba errors { read write } { search } { remove_name }
by lastic miles
I'm using FC4 and my Samba gives me a hard time. I'm
getting the following errors in /var/log/messages:
Jun 16 13:11:47 moon kernel: audit(1118952707.301:6371): avc: denied { read write } for pid=23062 comm="smbd" name=0 dev=devpts ino=2 scontext=root:system_r:smbd_t tcontext=root:object_r:devpts_t tclass=chr_file
Jun 16 13:11:47 moon kernel: audit(1118952707.539:6375): avc: denied { search } for pid=23062 comm="smbd" name=nscd dev=sda2 ino=388653 scontext=root:system_r:smbd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 16 13:13:15 moon kernel: audit(1118952795.660:6385): avc: denied { remove_name } for pid=23072 comm="smbd" name=4dgw012.log dev=sda2 ino=389496 scontext=root:system_r:smbd_t tcontext=system_u:object_r:samba_log_t tclass=dir
I reloaded the policy from /etc/selinux/targeted/src/policy with the
command "make reload"; I also activated "samba_enable_home_dirs", and
"use_samba_home_dirs" and "smbd_disable_trans" are inactive.
Don't get me wrong, my Samba works, but I'm getting
these errors. I would like to know why these errors
are there and how to fix them.
Btw, I'm getting more of the errors above when I'm
starting the smb daemon. After it's started, only the
"{ remove_name }" error is present all the time.
Thanks in advance!
--
L. Miles
17 years, 11 months
Fixfiles path...
by Security News
Hey all,
Thank you for your replies to my first post.
As a side note to my issue about installing my own custom policy on
several remote machines...
I have just put my custom policy on a test box with the sources
included. I put the sources under /etc/selinux/dan_policy/
I still have the strict source files in the /etc/selinux directory,
but I have updated /etc/selinux/config to load the "dan_policy"
Now my problem is that when I update the source files and try "make
relabel" or "fixfiles", both programs use the file contexts from the
STRICT directory.
How do I get these programs to run my own file_context files under
/etc/selinux/dan_policy/...?
Thanks,
Dan
17 years, 11 months
help!
by Zafar
Your server has unexpectedly terminated the connection. Possible causes for
this include server problems, network problems, or a long period of
inactivity. Account: '192.168.0.203', Server: '192.168.0.203', Protocol:
POP3, Port: 110, Secure(SSL): No, Error Number: 0x800CCC0F
17 years, 11 months
Proper steps to enable /home/*/public_html on Fedora Core 3
by Medina, Agenol
Hello,
I'm Agenol Medina.
I recently installed FC3 and I can't get my /home/*/public_html directories available to their owners.
I can do it with FC2, but since SELinux is now in the picture, I don't know how to "activate" my /home/*/public_html directories.
I looked for some help in my local bookstores but I found nothing that I didn't already know (based on how to do the same for FC2). Can you indicate where to look or what instructions to execute?
Thank you for your help.
Agenol Medina
17 years, 11 months
distributing custom policy
by Security News
Anyone have any thoughts on the best way to install my own policy
files on a few machines.
I have to go out and find a way to install a policy file, install my
own file_context files, and then compile and load the new custom
policy and fc files.
These systems would be running standard FC3 with the targeted policy,
but without the targeted sources.
I would like to set them all up so that they then have my own version
of the strict policy, without having the source files installed.
Is rpm the best way to attack this, or are there better options out
there? As I see it I would have to include the
policy-strict-<version>.rpm as well as setools-<version>.rpm within my
own rpm file in order to load everything necessary to load the policy
and relabel the filesystem.
17 years, 11 months
Re: problems after selinux-policy-targeted-1.17.30-3.2 update
by Michael E Locasto
I have also experienced the error in the new version of the policy boolean
file. However, Colin's advice about setting the execmod boolean to 1
doesn't work for me.
[root@xoren ~]# /usr/sbin/setsebool -P allow_execmod=true
[root@xoren ~]# /usr/sbin/getsebool allow_execmod
allow_execmod --> active
[root@xoren targeted]# grep execmod booleans
allow_execmod=1
[root@xoren targeted]#
However, I still cannot start acroread. The Mozilla Flash plugin is also
still inoperable. I see messages in /var/log/messages of the form:
Jun 15 14:12:28 xoren kernel: audit(1118844748.131:0): avc: denied { execmod } for pid=6438 comm=acroread path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=hda5 ino=29374502 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
I appreciate any advice. Should I reboot or reinitialize the SELinux
framework? If so, how? I'm a complete newbie in regards to SELinux.
How do I go about disabling selinux (I'd rather not).
Version info:
[root@xoren ~]# uname -r
2.6.11-1.27_FC3
[root@xoren ~]# rpm -qa | grep selinux
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-3.2
libselinux-devel-1.19.1-8
[root@xoren ~]#
Please CC me, I'm not subscribed to the list.
Cheers,
Michael
17 years, 11 months
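The AVC denials quoted in the samba, newrole and acroread posts above all share one record format: a set of denied permissions in braces, then key=value fields, with the security contexts written as user:role:type. As an added illustration (my own code, not from any of the posters and not the real audit2allow tool), the Python below parses such lines, groups them by source type, target type and object class the way audit2allow does, and renders the corresponding "allow" rules. The log lines it runs on are constructed copies of the ones quoted on this page, rejoined onto one line each; the REVIEW_PERMS table of permissions that should not be blanket-allowed is my own heuristic, not anything the posts state.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in the samba, newrole and
# acroread posts on this page, rejoined onto one line each (the newrole line
# omits the part the poster elided with "..."), plus one non-AVC line.
SAMPLE_LOG = """\
Jun 16 13:11:47 moon kernel: audit(1118952707.301:6371): avc: denied { read write } for pid=23062 comm="smbd" name=0 dev=devpts ino=2 scontext=root:system_r:smbd_t tcontext=root:object_r:devpts_t tclass=chr_file
Jun 16 13:11:47 moon kernel: audit(1118952707.539:6375): avc: denied { search } for pid=23062 comm="smbd" name=nscd dev=sda2 ino=388653 scontext=root:system_r:smbd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 16 13:13:15 moon kernel: audit(1118952795.660:6385): avc: denied { remove_name } for pid=23072 comm="smbd" name=4dgw012.log dev=sda2 ino=389496 scontext=root:system_r:smbd_t tcontext=system_u:object_r:samba_log_t tclass=dir
Jun 15 14:12:28 xoren kernel: audit(1118844748.131:0): avc: denied { execmod } for pid=6438 comm=acroread path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=hda5 ino=29374502 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
avc: denied {transition} for pid=4044 exe=/usr/bin/newrole path=bin/bash scontext=testuser:user_r:newrole_t tcontext=testuser:secureuser_r:secureuser_t tclass=process
Jun 16 13:11:48 moon kernel: unrelated message with no avc record
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (my assumption, not from the posts): permissions that should not be
# allowed just because a denial asked for them; each points at something else
# (labelling, a boolean, the role/domain design) to look at first.
REVIEW_PERMS = {
    ("process", "transition"): "domain transition: check the role/type pairing and the entrypoint, not just this rule",
    ("file", "execmod"): "text relocation in a shared object: relabel or rebuild the library rather than allowing execmod",
    ("dir", "search"): "directory search: often a missing boolean or a path the daemon should not touch",
}


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one syslog/audit line. Returns None for lines carrying no AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def summarize(lines):
    """Group denials by (source type, target type, object class) and union their
    permissions, the same aggregation audit2allow does before emitting rules."""
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            groups[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    return dict(groups)


def allow_rules(groups):
    """Render each group as a policy 'allow' statement in audit2allow's output format."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def review_notes(groups):
    """Map each group whose denied permissions deserve investigation to the reason."""
    notes = {}
    for (src, tgt, cls), perms in groups.items():
        for perm in perms:
            reason = REVIEW_PERMS.get((cls, perm))
            if reason:
                notes[(src, tgt, cls)] = reason
    return notes


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG.splitlines())
    notes = review_notes(groups)
    for key, rule in zip(sorted(groups), allow_rules(groups)):
        flag = "  # REVIEW: " + notes[key] if key in notes else ""
        print(rule + flag)
```

The rules it prints are what the denials literally ask for, which is not the same as the right fix: a denial against a mislabelled file is fixed by relabelling, and a denial that a boolean already covers is fixed by setting the boolean. That is why the script only flags a "transition" into a new domain or an "execmod" on a library instead of silently adding them to the allow list.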
other problems after selinux-policy-targeted-1.17.30-3.2
by Markus Ralser
Dear all,
an old error seems to reappear after the update to
selinux-policy-targeted-1.17.30-3.2.
When I try to start my openoffice now, I get
/etc/openoffice.org-1.9/program/soffice.bin: error
while loading shared libraries:
/opt/openoffice.org1.9.104/program/libicudata.so.26:
cannot restore segment prot after reloc: Permission
denied
Can anybody help me quickly, please?
Thank you,
Markus
17 years, 11 months