AVC Denied for thunderbird-bin and firefox-bin.
by Vinicius
Hello,
The /var/log/messages is showing the messages:
"Jun 12 09:23:49 mycomputer kernel: audit(1118579029.860:0): avc: denied { execmod } for pid=26414 comm=thunderbird-bin path=/usr/local/thunderbird/components/libqfaservices.so dev=dm-0 ino=2093301 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:user_home_t tclass=file
Jun 12 09:33:43 mycomputer kernel: audit(1118579623.351:0): avc: denied { execmod } for pid=26948 comm=firefox-bin path=/home/cassius/.mozilla/plugins/libflashplayer.so dev=dm-0 ino=2112839 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file"
How to resolve these problems, please?
TIA,
Vinicius.
17 years, 12 months
mozilla flashplayer plugin
by Bob Kashani
The mozilla flashplayer plugin no longer works with the latest policy
update.
Here is the avc:
Jun 10 21:18:51 chaucer kernel: audit(1118463531.297:0): avc: denied
{ execmod } for pid=20428 comm=firefox-bin
path=/home/medieval/.mozilla/plugins/libflashplayer.so dev=hda3
ino=8536070 scontext=user_u:system_r:unconfined_t
tcontext=user_u:object_r:user_home_t tclass=file
It seems related to the other error that I'm getting about loading
shared libraries.
Bob
--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome
17 years, 12 months
full_user_role macro not working as expected
by Jeremy Utley
Greetings everyone!
I'm trying to set up a demonstration of SELinux functionality for a
few people, and have been hitting my head against a brick wall on it
for 2 days, was hoping that maybe you guys could give me some
advice...
Background:
System:
Fedora Core 3, updated to latest packages via "yum update"
Strict policy, version 1.19.10-2, and the strict policy sources installed.
The Goal:
To demonstrate locking down access to a file to only a certain role,
privileged_r. User account should have to access that role via the
newrole command.
The current problem:
According to the policy writing docs, a role should be created via the
full_user_role() macro. So, in domains/misc/custom_policy.te, I
placed the following line (along with other custom rules that have
already been compiled successfully and work):
full_user_role(privileged)
The docs also say that new user roles should be added to the
in_user_role macro within macros/user_macros.te, so I did that as
well, making that macro look like this:
undefine(`in_user_role')
define(`in_user_role', `
role user_r types $1;
role staff_r types $1;
role privileged_r type $1;
')
Now, when trying to compile the policy after that, I get the following error:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/misc/custom_policy.te:13:ERROR 'unknown type
privileged_userhelper_t' at token ';' on line 115000:
#line 13
allow privileged_mozilla_t privileged_userhelper_t:process transition;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/strict/policy/policy.18] Error 1
I've been banging my head against the wall on this one for a day and a
half - have searched the web, read numerous docs on creating policy,
looked at how the full_user_role macro is used elsewhere in the
policy, and I simply can't figure out what I'm doing wrong.
Anyone have any ideas?
Jeremy
17 years, 12 months
question policy
by Ma. Alejandra Castillo
Sirs, I need a little help. I want to realize a policy (targeted) with Samba
or ssh. At this moment I am realizing my thesis and I have already documented
in Spanish a lot about SELinux. But now is the time to realize the policy
and I only have two months for this.
Can you give an idea to realize this in a short time? The idea is to create
a final product well done.
Regards
--
Ma. Alejandra Castillo
17 years, 12 months
Unable to create files when using "context" option for NFS
by Robert Bottomley
In FC3 (running kernel 2.6.11-1.27_FC3smp and
selinux-policy-targeted-1.17.30-2.96), I am mounting an NFS filesystem for use
by Apache. In /etc/fstab, I have:
ozone:/usr/local/svn /svn nfs rw,context=system_u:object_r:httpd_sys_script_rw_t,intr,bg,hard,rsize=8192,wsize=8192 0 0
Any attempts to create a file in /svn are met with (here I was attempting a
"touch x"):
audit(1117233333.027:0): avc: denied { associate } for pid=12795
exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t
tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
It does not matter what context I specify, I cannot create a file -- even
though my shell is running as unconfined_t. (If a file already exists, I can
edit it.)
So the questions are:
1. Is this a bug? Should I not be able to create a file when running in the
unconfined_t context?
2. Audit2allow tells me that I need to add:
allow httpd_sys_script_rw_t self:filesystem associate;
but if unconfined_t context cannot write, then will something in
httpd_sys_script_rw_t be able to?
sestatus
========
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file: targeted
Policy booleans:
allow_ypbind active
dhcpd_disable_trans inactive
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified inactive
mysqld_disable_trans inactive
named_disable_trans inactive
named_write_master_zones inactive
nscd_disable_trans inactive
ntpd_disable_trans inactive
portmap_disable_trans inactive
postgresql_disable_trans inactive
snmpd_disable_trans inactive
squid_disable_trans inactive
syslogd_disable_trans inactive
use_nfs_home_dirs inactive
use_samba_home_dirs inactive
use_syslogng inactive
winbind_disable_trans inactive
ypbind_disable_trans inactive
--
Robert Bottomley | E-mail: bob(a)cert.ucr.edu
System Administrator | Tel: 951-781-5788
College of Engineering | It is dangerous to be right
Center for Environmental | CE-CERT when the government is wrong.
Research and Technology | UC Riverside --Voltaire
17 years, 12 months
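Added example (not part of any post in this archive): a small Python parser for the kernel AVC records quoted in the posts above, which groups denials by source type, target type, object class and permission so the execmod and associate denials can be read at a glance. The function names are hypothetical; the sample records are copied from the posts, re-joined to one line each, plus one constructed non-AVC line.

```python
import re
from collections import Counter

# Sample input: two records copied from the posts above (one line each)
# and one constructed line that is not an AVC record.
SAMPLE = """\
Jun 10 21:18:51 chaucer kernel: audit(1118463531.297:0): avc: denied { execmod } for pid=20428 comm=firefox-bin path=/home/medieval/.mozilla/plugins/libflashplayer.so dev=hda3 ino=8536070 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1117233333.027:0): avc: denied { associate } for pid=12795 exe=/bin/touch name=x scontext=root:object_r:httpd_sys_script_rw_t tcontext=system_u:object_r:httpd_sys_script_rw_t tclass=filesystem
Jun 12 09:23:49 mycomputer kernel: some unrelated kernel message
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)"
    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(" ".join(line.split()))  # normalize runs of whitespace
    if not m:
        return None
    rec = {"timestamp": float(m["ts"]), "result": m["result"],
           "perms": m["perms"].split()}
    # Remaining fields are key=value tokens (values with spaces are not handled).
    for token in m["fields"].split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    for side in ("scontext", "tcontext"):
        # Context layout is user:role:type in these records; keep the type.
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def summarize(text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                key = (rec["scontext_type"], rec["tcontext_type"],
                       rec.get("tclass"), perm)
                counts[key] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(SAMPLE).items():
        print(f"{n}x {src} -> {tgt} : {cls} {{ {perm} }}")
```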
policy for samba or ssh?
by Ma. Alejandra Castillo
Sirs, I need a little help. I want to realize a policy (targeted) with Samba
or ssh. At this moment I am realizing my thesis and I have already documented
in Spanish a lot about SELinux. But now is the time to realize the policy
and I only have two months for this.
Can you give an idea to realize this in a short time? The idea is to create
a final product well done.
Regards
--
Mai
17 years, 12 months
web-controlled system
by Florin Andrei
Any guidelines for changing the SELinux config for a system that's
controlled over a web interface running in Apache? The interface is
supposed to do things like: stop/start services, change network
settings, etc.
--
Florin Andrei
http://florin.myip.org/
17 years, 12 months
question policy!
by Ma. Alejandra Castillo
Sirs, I need a little help. I want to realize a policy (targeted) with Samba
or ssh. At this moment I am realizing my thesis and I have already documented
in Spanish a lot about SELinux. But now is the time to realize the policy
and I only have two months for this.
Can you give an idea to realize this in a short time? The idea is to create
a final product well done.
Regards
18 years
booting fedora 3
by Darrel Adams
I downloaded the 4 FC3 ISO files on my Windows XP machine and burned them to
CDs using Sonic Record Now but when I put disk 1 in my other machine and
set it to boot from CD, I get the message "No boot device available-". I can
start the machine with a Win98 disk in it and it starts the install of Win98
ok so I don't see it as a hardware setting issue. I'm a rookie with Fedora
so be easy on me.
Thanks,
Darrel
18 years
how does rpm work under Selinux
by James Z. Li
Hi all,
I was wondering how rpm works with SELinux. Say I downloaded
a third-party rpm package and installed it with rpm -i. Will rpm
label the newly installed file properly, or do I have to relabel the filesystem
or do 'restorecon' manually?
Any webpages I could read on this problem? Thanks a lot.
James
18 years