1105 fails to boot....
by Tom London
Running strict/enforcing, latest rawhide:
After installing the latest packages, relabeling /etc, /bin, /lib, ... and rebooting, the system produces lots of udev-type errors (cannot remove /dev/.udev_tdb/classSTUFF) and hangs on 'adding hardware'.
Boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied { read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs ino=17 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied { read } for pid=576 exe=/sbin/restorecon name=customizable_types dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied { use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied { read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652, dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070 ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using /var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
17 years, 10 months
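As an added example (my code, not part of Tom's post and not a Fedora tool), the script below does by hand what audit2allow does with a log like the one above: it parses each kernel-format AVC line, groups denials by (source type, target type, object class), merges the permissions, and prints candidate allow rules. The sample log is a constructed copy of the AVC lines quoted above plus one extra constructed udev_t line so that permission merging is visible; the function names and the "shared target" heuristic are my own. The heuristic is the practitioner's check: when one target type is denied to many unrelated domains (here root_t:file for /init, denied to five domains), the right fix is normally a labeling or base-policy change rather than five allow rules.

```python
import re
from collections import defaultdict

# Constructed sample: copies of the AVC lines quoted in the post above, one record per
# line, plus one extra constructed line (the last udev_t one) so that merging of
# permissions for the same triple is exercised. Non-AVC lines are ignored.
SAMPLE_LOG = """\
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied { read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17 scontext=system_u:system_r:hostname_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied { read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs ino=17 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied { read } for pid=576 exe=/sbin/restorecon name=customizable_types dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied { read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied { read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied { use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied { read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
Jan 21 07:24:31 fedora kernel: audit(1106292240.000:0): avc: denied { getattr } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..." is common to the kernel-log
# and audit.log formats, so the same regex serves both.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': frozenset, 'fields': dict} for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": frozenset(m.group("perms").split()), "fields": fields}


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions.
    Each group records how many denials it saw and which objects were named."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        f = rec["fields"]
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        g = groups.setdefault(key, {"perms": set(), "count": 0, "objects": set()})
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["objects"].add(f.get("path") or f.get("name") or f.get("exe", "?"))
    return groups


def allow_rules(groups):
    """Render the groups as candidate TE allow rules, sorted, in audit2allow style."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return rules


def targets_shared_by(groups, min_domains=2):
    """Target/class pairs denied to at least min_domains distinct source domains.
    These usually point at a labeling problem rather than per-domain policy gaps."""
    by_target = defaultdict(set)
    for src, tgt, cls in groups:
        by_target[(tgt, cls)].add(src)
    return {k: v for k, v in by_target.items() if len(v) >= min_domains}


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for rule in allow_rules(groups):
        print(rule)
    for (tgt, cls), srcs in sorted(targets_shared_by(groups).items()):
        print(f"# {tgt}:{cls} denied to {len(srcs)} domains: {', '.join(sorted(srcs))}")
```

Run it as-is and it prints eight rules followed by the two targets that more than one domain tripped over (root_t:file and kernel_t:fd). Treat the rules as a reading aid, not as something to paste into local.te: on a strict-policy boot that many domains would not normally need to read /init.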
update from fc3 -> fc4: cyrus/sasl-errors
by Roger Grosswiler
Hi,
I recently updated from FC3 to FC4. I use this machine as a mail server with Cyrus. The first problem was the database; that issue is fixed. Now, on authentication, I get errors; that is, with SELinux enforcing I cannot authenticate at all.
From the fc-list I got some help, with a few commands that should help me understand this better. What can I do to have this box running with SELinux enforcing enabled? Ah, yes, in permissive mode it works fine.
Here is a snippet of my logs:
> [root@link ~]# ausearch -i -a 9657218
> ----
> type=PATH msg=audit(07/30/05 16:21:20.281:9657218) : item=0 flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
> type=SOCKETCALL msg=audit(07/30/05 16:21:20.281:9657218) : nargs=3 a0=b a1=bfd308fa a2=6e
> type=SOCKADDR msg=audit(07/30/05 16:21:20.281:9657218) : saddr=local /var/run/saslauthd/mux
> type=SYSCALL msg=audit(07/30/05 16:21:20.281:9657218) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
> type=AVC msg=audit(07/30/05 16:21:20.281:9657218) : avc: denied { search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
>
>> ausearch -i -a 9659874
>>
>>
> [root@link ~]# ausearch -i -a 9659874
> ----
> type=PATH msg=audit(07/30/05 16:21:24.635:9659874) : item=0 flags=follow inode=262199 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
> type=SOCKETCALL msg=audit(07/30/05 16:21:24.635:9659874) : nargs=3 a0=b a1=bfd308fa a2=6e
> type=SOCKADDR msg=audit(07/30/05 16:21:24.635:9659874) : saddr=local /var/run/saslauthd/mux
> type=SYSCALL msg=audit(07/30/05 16:21:24.635:9659874) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfd2e4b0 a2=dd0228 a3=bfd2e513 items=1 pid=28898 auid=root uid=cyrus gid=mail euid=cyrus suid=cyrus fsuid=cyrus egid=mail sgid=mail fsgid=mail comm=imapd exe=/usr/lib/cyrus-imapd/imapd
> type=AVC msg=audit(07/30/05 16:21:24.635:9659874) : avc: denied { search } for pid=28898 comm=imapd name=saslauthd dev=dm-0 ino=262199 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
I hope you can help.
Thanks a lot,
Roger
18 years, 1 month
Selinux Apache avc denied
by Alain Reguera Delgado
Hi, this is my first message. I am completely new to SELinux.
I can't make my web application able to send emails. SELinux blocks it and returns an AVC denial in /var/log/messages.
---
...
Jul 27 15:41:38 hostname kernel: audit(1122493298.486:0): avc: denied { execute } for pid=4011 comm=httpd name=bash dev=hda5 ino=844138 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t tclass=file
...
---
Do you have any comments about this?
I've been reading the FAQs and Red Hat's manual, but it gets confusing for me. I keep reading, and I'm writing to you hoping you can light my SELinux way and help me take the first steps in understanding the technology.
I've stopped the web development. I feel SELinux is a brilliant technology that I'd like to implement on my web server.
Thanks for your reading time... :)
-- alain
18 years, 1 month
SElinux policy for pine
by James Z. Li
Hi all,
First, sorry for my English.
I wrote a set of SELinux policy rules for pine (pine-4.63-1.i386.rpm) on FC4 (targeted).
It works well IF no email attachments are involved. As root, you are able to browse the whole filesystem: get a file from anywhere as an attachment, or save an attachment anywhere you like. Does this make the security policy totally broken?
At the same time, I was also evaluating LIDS (lids.org). As for pine under LIDS, it has the same problem: it requires WRITE (including READ) permission to "/" (the inode number of "/"). For SELinux, since the policy is based on domain/type, it is even worse in the sense of policy writing: it requires one rw_dir_file rule for each of the several hundred types on the whole filesystem, so several hundred rules would be added.
I was thinking of a chroot mode for pine, but I could not find any useful info.
Another potential way to solve this problem is to create a directory under the user's (root's) home directory which is only used to store email attachments: you need to copy files from everywhere else to this directory before you can upload them as outgoing attachments, and all incoming attachments will be saved to this directory first; then you can copy or move them somewhere else. By doing this, we can write the corresponding policy to label this directory and grant permissions.
Any suggestions?
James
Enclosed please find my pine.fc and pine.te files.
################################
#/etc/selinux/targeted/src/policy/file_contexts/program/pine.fc
# pine.fc
# Authors: james.zheng.li(a)gmail.com
################################
/usr/bin/mailutil -- system_u:object_r:pine_exec_t
/usr/bin/pico -- system_u:object_r:pine_exec_t
/usr/bin/pilot -- system_u:object_r:pine_exec_t
/usr/bin/pine -- system_u:object_r:pine_exec_t
/usr/bin/rpdump -- system_u:object_r:pine_exec_t
/usr/bin/rpload -- system_u:object_r:pine_exec_t
/usr/sbin/mlock -- system_u:object_r:pine_exec_t
/etc/pine\.info -- system_u:object_r:pine_etc_t
/etc/pine\.conf -- system_u:object_r:pine_etc_t
/etc/pine\.conf\.fixed -- system_u:object_r:pine_etc_t
HOME_DIR/mail(/.*)? system_u:object_r:pine_user_home_t
HOME_DIR/\.addressbook(\.lu)? -- system_u:object_r:pine_user_home_t
HOME_DIR/\.pine-debug[1-4] -- system_u:object_r:pine_user_home_t
HOME_DIR/\.pinerc -- system_u:object_r:pine_user_home_t
HOME_DIR/\.newsrc -- system_u:object_r:pine_user_home_t
HOME_DIR/\.signature -- system_u:object_r:pine_user_home_t
HOME_DIR/\.mailcap -- system_u:object_r:pine_user_home_t
HOME_DIR/\.mime\.types -- system_u:object_r:pine_user_home_t
HOME_DIR/\.pine-interrupted-mail -- system_u:object_r:pine_user_home_t
HOME_DIR/dead\.letter -- system_u:object_r:pine_user_home_t
#################################
#/etc/selinux/targeted/src/policy/domains/program/pine.te
# pine.te
# Authors: james.zheng.li(a)gmail.com
#################################
#
# Rules for the pine domain.
#
# pine_t is the domain for the pine program
# pine_exec_t is the type of the corresponding program.
#
type pine_t, domain,privmail,nscd_client_domain;
type pine_exec_t, file_type, sysadmfile, exec_type;
type pine_user_home_t, file_type, sysadmfile, customizable;
type pine_etc_t, file_type, sysadmfile;
role sysadm_r types pine_t;
role system_r types pine_t;
#role user_r types pine_t;
domain_auto_trans(sysadm_t, pine_exec_t, pine_t)
#domain_auto_trans(initrc_t, pine_exec_t, pine_t)
file_type_auto_trans(pine_t,user_home_dir_t,pine_user_home_t,dir_file_class_set)
general_domain_access(pine_t)
tmp_domain(pine)
can_exec(pine_t, pine_exec_t)
read_sysctl(pine_t)
uses_shlib(pine_t)
allow pine_t devpts_t:chr_file create_file_perms;
allow pine_t devpts_t:dir search;
allow pine_t etc_t:file { getattr read };
allow pine_t etc_t:lnk_file read;
read_locale(pine_t)
allow pine_t mail_spool_t:dir rw_dir_perms;
allow pine_t mail_spool_t:file create_file_perms;
allow pine_t proc_t:dir search;
allow pine_t proc_t:lnk_file read;
allow pine_t urandom_device_t:chr_file getattr;
allow pine_t usr_t:file read;
allow pine_t var_spool_t:dir search;
allow pine_t fs_t:filesystem getattr;
allow pine_t net_conf_t:file r_file_perms;
allow pine_t sbin_t:dir search;
allow pine_t sbin_t:lnk_file read;
allow system_mail_t pine_tmp_t:file { read write };
allow system_mail_t pine_user_home_t:file { read write };
allow pine_t home_root_t:dir { getattr search };
allow pine_t self:capability { fsetid fowner};
18 years, 2 months
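As an added example (my code, not James's and not libselinux), the loader below applies the pine.fc entries above the way setfiles/matchpathcon do, so a candidate .fc file can be checked against the paths it is meant to label before running restorecon: each pattern is anchored at both ends, the optional `--`/`-d` column restricts the object type, and when several entries match the last one in file order wins. Two things are assumptions: HOME_DIR is expanded here to /root and /home/<user> (the real genhomedircon derives the list from the login database), and the extra entry for an attachments directory, with the hypothetical type pine_attach_t, is only there to illustrate the dedicated-directory idea from the post and the last-match-wins rule.

```python
import re

# Constructed input: a copy of the pine.fc entries posted above.
PINE_FC = r"""
/usr/bin/mailutil -- system_u:object_r:pine_exec_t
/usr/bin/pico -- system_u:object_r:pine_exec_t
/usr/bin/pilot -- system_u:object_r:pine_exec_t
/usr/bin/pine -- system_u:object_r:pine_exec_t
/usr/bin/rpdump -- system_u:object_r:pine_exec_t
/usr/bin/rpload -- system_u:object_r:pine_exec_t
/usr/sbin/mlock -- system_u:object_r:pine_exec_t
/etc/pine\.info -- system_u:object_r:pine_etc_t
/etc/pine\.conf -- system_u:object_r:pine_etc_t
/etc/pine\.conf\.fixed -- system_u:object_r:pine_etc_t
HOME_DIR/mail(/.*)? system_u:object_r:pine_user_home_t
HOME_DIR/\.addressbook(\.lu)? -- system_u:object_r:pine_user_home_t
HOME_DIR/\.pine-debug[1-4] -- system_u:object_r:pine_user_home_t
HOME_DIR/\.pinerc -- system_u:object_r:pine_user_home_t
HOME_DIR/\.newsrc -- system_u:object_r:pine_user_home_t
HOME_DIR/\.signature -- system_u:object_r:pine_user_home_t
HOME_DIR/\.mailcap -- system_u:object_r:pine_user_home_t
HOME_DIR/\.mime\.types -- system_u:object_r:pine_user_home_t
HOME_DIR/\.pine-interrupted-mail -- system_u:object_r:pine_user_home_t
HOME_DIR/dead\.letter -- system_u:object_r:pine_user_home_t
"""

# Hypothetical extra entry (pine_attach_t is not a real type): a dedicated
# attachments directory, placed after the HOME_DIR/mail entry so it wins for its subtree.
EXTRA_FC = "HOME_DIR/mail/attachments(/.*)? system_u:object_r:pine_attach_t\n"

# Object-type column of a file_contexts entry; a missing column means "any type".
FILE_TYPES = {"--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
              "-s": "sock_file", "-l": "lnk_file", "-p": "fifo_file"}

# Assumption: what genhomedircon would substitute for HOME_DIR on this box.
HOME_DIRS = [r"/root", r"/home/[^/]+"]


def load_fc(text):
    """Parse file_contexts text into [(compiled anchored regex, object type or None, context)]."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            pattern, ftype, ctx = parts
            ftype = FILE_TYPES[ftype]
        else:
            pattern, ctx = parts
            ftype = None
        if pattern.startswith("HOME_DIR"):
            patterns = [home + pattern[len("HOME_DIR"):] for home in HOME_DIRS]
        else:
            patterns = [pattern]
        for p in patterns:
            specs.append((re.compile("^" + p + "$"), ftype, ctx))
    return specs


def matchpathcon(specs, path, ftype="file"):
    """Context for path, or None. Like libselinux: anchored match, object-type
    column must agree, and the last matching entry in file order wins."""
    for regex, want_type, ctx in reversed(specs):
        if want_type not in (None, ftype):
            continue
        if regex.match(path):
            return ctx
    return None


if __name__ == "__main__":
    specs = load_fc(PINE_FC + EXTRA_FC)
    for p, t in [("/usr/bin/pine", "file"), ("/root/.pinerc", "file"), ("/root/.pinerc", "dir"),
                 ("/root/mail", "dir"), ("/root/mail/inbox", "file"),
                 ("/root/mail/attachments/report.pdf", "file"), ("/etc/pineXconf", "file")]:
        print(f"{p:40} {t:5} -> {matchpathcon(specs, p, t)}")
```

The two None results in the printed run are the instructive ones: `/root/.pinerc` as a directory is not matched because the entry carries `--`, and `/etc/pineXconf` is not matched because the dot in the .fc entry is escaped. Both are exactly the checks to make by hand on a new .fc before trusting restorecon with it.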
Problem with saslauthd and winbind
by Tom Lisjac
Cyrus-imap authentication fails when using saslauthd with PAM and winbind in Active Directory mode. I'm running FC4 with selinux-policy-targeted-1.25.3-6. The following in local.te fixes it:
allow saslauthd_t samba_var_t:dir search;
allow saslauthd_t selinux_config_t:dir search;
allow saslauthd_t selinux_config_t:file { getattr read };
allow saslauthd_t winbind_t:unix_stream_socket connectto;
allow saslauthd_t winbind_var_run_t:sock_file { getattr write };
My question is: should this be reported as a bug? There are a large
number of possible configurations with saslauthd, pam and winbind. Is
the ultimate goal to support them all?
-Tom
18 years, 2 months
FC4, selinux, cyrus-imapd, saslauthd
by Harry Hoffman
Hi All,
Running FC4 with targeted policy and getting AVC messages when cyrus-imapd
tries to connect to the saslauthd socket. Here are the pertinent msgs:
type=AVC msg=audit(1122586257.404:286451): avc: denied { search } for pid=2727 comm="imapd" name="saslauthd" dev=dm-3 ino=157128 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
type=SYSCALL msg=audit(1122586257.404:286451): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf8b13d0 a2=804228 a3=bf8b1437 items=1 pid=2727 auid=0 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=SOCKADDR msg=audit(1122586257.404:286451): saddr=01002F7661722F72756E2F7361736C61757468642F6D75780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Thanks,
Harry
18 years, 2 months
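Roger's post earlier on this page shows what `ausearch -i` makes of this same denial; Harry's shows the raw records. As an added example (my code, not from either post and not ausearch), the script below does the interpretation step itself: it groups the records by audit serial, decodes the hex saddr of the SOCKADDR record as the raw sockaddr it is (AF_UNIX path, or AF_INET/AF_INET6 address and port), names the syscall from its number and arch, and turns exit=-13 back into EACCES. The sample is a constructed copy of Harry's three lines; the syscall table only covers the socket calls seen on this page (i386 socketcall, x86_64 socket/connect, the latter matching the hwclock record further down), and host byte order is assumed little-endian, as on i386 and x86_64. The point to take away is that the SOCKADDR record, not the AVC, is what tells you which socket path imapd was reaching for.

```python
import errno
import re
import socket
import struct

# Constructed sample: the three records quoted above, one per line as written to
# /var/log/audit/audit.log. No other records are included.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1122586257.404:286451): avc: denied { search } for pid=2727 comm="imapd" name="saslauthd" dev=dm-3 ino=157128 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:saslauthd_var_run_t tclass=dir
type=SYSCALL msg=audit(1122586257.404:286451): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf8b13d0 a2=804228 a3=bf8b1437 items=1 pid=2727 auid=0 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=SOCKADDR msg=audit(1122586257.404:286451): saddr=01002F7661722F72756E2F7361736C61757468642F6D75780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")

# Only the socket-related numbers seen on this page: i386 (arch=40000003) multiplexes
# everything through socketcall; x86_64 (arch=c000003e) has separate syscalls.
SYSCALL_NAMES = {0x40000003: {102: "socketcall"}, 0xC000003E: {41: "socket", 42: "connect"}}


def decode_saddr(hex_saddr):
    """Decode the raw sockaddr the kernel hex-dumps into a SOCKADDR record."""
    if len(hex_saddr) % 2:            # tolerate a trailing nibble lost to line wrapping
        hex_saddr += "0"
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack("<H", raw[:2])[0]   # sa_family is host order; assumes little-endian host
    if family == getattr(socket, "AF_UNIX", 1):
        path = raw[2:]                           # sockaddr_un.sun_path, NUL-terminated
        if path[:1] == b"\0":                    # Linux abstract-namespace socket
            return {"family": "AF_UNIX", "path": "@" + path[1:].split(b"\0", 1)[0].decode(errors="replace")}
        return {"family": "AF_UNIX", "path": path.split(b"\0", 1)[0].decode(errors="replace")}
    if family == socket.AF_INET:                 # sockaddr_in: port (network order), then 4-byte address
        return {"family": "AF_INET", "port": struct.unpack("!H", raw[2:4])[0],
                "addr": socket.inet_ntop(socket.AF_INET, raw[4:8])}
    if family == socket.AF_INET6:                # sockaddr_in6: port, flowinfo, then 16-byte address
        return {"family": "AF_INET6", "port": struct.unpack("!H", raw[2:4])[0],
                "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24])}
    return {"family": str(family)}


def parse_events(text):
    """Group records by audit serial, as `ausearch -a <serial>` does: {serial: {ts, records}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        p = PERMS_RE.search(m.group("body"))
        if p:
            fields["perms"] = p.group(1).split()
        ev = events.setdefault(int(m.group("serial")), {"ts": float(m.group("ts")), "records": {}})
        ev["records"].setdefault(m.group("type"), []).append(fields)
    return events


def explain(event):
    """One-line summary in the spirit of `ausearch -i`: who, which syscall, to where, what was denied."""
    recs = event["records"]
    parts = []
    for sc in recs.get("SYSCALL", []):
        name = SYSCALL_NAMES.get(int(sc["arch"], 16), {}).get(int(sc["syscall"]), sc["syscall"])
        err = errno.errorcode.get(-int(sc["exit"]), sc["exit"])
        parts.append(f"{sc['comm']} uid={sc['uid']} {name}() -> {err}")
    for sa in recs.get("SOCKADDR", []):
        d = decode_saddr(sa["saddr"])
        parts.append("to " + (d.get("path") or f"{d.get('addr')}:{d.get('port')}"))
    for avc in recs.get("AVC", []):
        parts.append(f"denied {{ {' '.join(avc['perms'])} }} {avc['scontext'].split(':')[2]} -> "
                     f"{avc['tcontext'].split(':')[2]}:{avc['tclass']}")
    return "; ".join(parts)


if __name__ == "__main__":
    for serial, ev in sorted(parse_events(SAMPLE_AUDIT).items()):
        print(serial, explain(ev))
```

Run on the sample it prints one line for serial 286451: imapd, uid 76, socketcall() failing with EACCES while connecting to /var/run/saslauthd/mux, with cyrus_t denied search on saslauthd_var_run_t:dir. Feed it a whole audit.log and each serial comes out the same way.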
Abnormal Apache behavior.
by Stefan Held
Hi guys.
I don't know whether this is new to you, but I am experiencing strange behavior from Apache in FC4 with SELinux enabled.
OK. What have I done?
First I wrote some PHP stuff and was wondering why the server did not allow getting some files in /css and did not allow connecting via a network socket to the PostgreSQL server.
Then I restarted the server with apachectl stop and apachectl start. From then on everything worked fine and as expected.
Then I did a kernel update, rebooted the machine, and my site was not reachable again. So I did some investigation and saw in the audit.log that SELinux is disabling some stuff.
Then I restarted again with apachectl stop and start. And as expected the httpd started working again.
Is this an issue? I think this behavior is not normal :-)
--
Stefan Held VI has only 2 Modes:
obi(a)unixkiste.org The first one is for beeping all the time,
IRCNet: Obi_Wan the second destroys the text.
---------------------------------------------------------------------------
perl -e'map{print pack c,($|++?1:13)+ord,select$,,$,,$,,$|}split//,ESEL.$/'
---------------------------------------------------------------------------
GPG-Keyprint = EAF2 6A65 D102 F2DB 4970 2A67 455B 98F2 572C 3FA9
18 years, 2 months
audit update breaks hwclock
by dragoran
After updating audit today I get an error after udev is started that says it can't connect to the audit system.
I found this in the audit logs:
> type=AVC msg=audit(1122549673.001:7418105): avc: denied { create } for pid=3419 comm="hwclock" scontext=root:system_r:hwclock_t tcontext=root:system_r:hwclock_t tclass=netlink_audit_socket
> type=SYSCALL msg=audit(1122549673.001:7418105): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=42e8bfa9 items=0 pid=3419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hwclock" exe="/sbin/hwclock"
This results in an incorrect clock (+2h).
I am not using ntpd.
Timezone settings are correct and it worked fine after the update.
18 years, 2 months