RE: Network drop out problem
by Brad Douglas
Found the problem. Someone had set up a Maxtor network storage device on
the same IP addr I was getting through DHCP.
Many thanks to those who responded.
>From: Brad Douglas
>Sent: Thursday, 21 July 2005 4:32 PM
>To: 'fedora-selinux-list(a)redhat.com'
>Subject: Network drop out problem
>Hi,
>This is my first post here - please be gentle 8).
>Yesterday I installed FC4 on a HP ML110 proliant server. The plan is to
>use it as our file server, so I've got samba running on it, along with vnc.
>The problem I've run into is that the box appears to be running fine, but
>every now and then _all_ the network connections to my laptop (running XP)
>disappear and cannot reconnect for a few seconds: ssh, samba, vnc -
>everything. A few seconds later everything is fine again (till the next
>time). The weirdest thing is that I don't see any disruption pinging the
>box.
>I've gone through the samba, message and secure logs and can't see anything
>obviously wrong.
>If anyone has an idea what's going on, or even where I could look to
>diagnose the cause I'd be very grateful.
>Thanks,
>B
18 years, 4 months
A few permission problems
by Nicklas Norling
Hi.
I've got a system updated from old redhat releases to FC2-3 and now 4.
I've just downloaded selinux-policy-targeted and have been able to fix
most of my problems with setsebool etc. while in permissive mode. However a
few more difficult issues still intrigue me and I'd love it if someone would
offer some help.
First:
[root@spock ~]# audit2allow -i /var/log/messages -l
allow dovecot_auth_t selinux_config_t:file { getattr read };
allow httpd_sys_script_t var_t:dir getattr;
allow named_t unconfined_t:fifo_file read;
allow smbd_t selinux_config_t:dir search;
allow smbd_t selinux_config_t:file { getattr read };
allow webalizer_t home_root_t:dir search;
allow webalizer_t user_home_dir_t:dir search;
The dovecot-auth problem seems to occur with every new connection to
dovecot:
Jul 16 14:00:16 spock kernel: audit(1121515216.305:122): avc: denied {
read } for pid=21686 comm="dovecot-auth" name="config" dev=hda3
ino=394549 scontext=root:system_r:dovecot_auth_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 16 14:00:16 spock kernel: audit(1121515216.305:123): avc: denied {
getattr } for pid=21686 comm="dovecot-auth" name="config" dev=hda3
ino=394549 scontext=root:system_r:dovecot_auth_t
tcontext=system_u:object_r:selinux_config_t tclass=file
The httpd problem appears to be python related. Not sure which of my web
applications is triggering it
(if any). Maybe MoinMoin Wiki but I can't seem to trigger it myself,
maybe a search spider is triggering it.
Jul 16 02:00:54 spock kernel: audit(1121472054.557:119): avc: denied {
getattr } for pid=20378 comm="python" name="var" dev=hda3 ino=163841
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_t tclass=dir
named is denied some fun?
Jul 14 15:39:10 spock named[1771]: exiting
Jul 14 15:39:12 spock kernel: audit(1121348352.535:98): avc: denied {
read } for pid=16108 comm="named-checkconf" name="[196624]" dev=pipefs
ino=196624 scontext=root:system_r:named_t
tcontext=root:system_r:unconfined_t tclass=fifo_file
Jul 14 15:39:12 spock named[16110]: starting BIND 9.3.1 -u named
Samba appears to want to read the selinux config file? Every access
to a home directory triggers this despite the correct sebool being set.
Jul 15 02:43:18 spock kernel: audit(1121388198.077:104): avc: denied {
search } for pid=17122 comm="smbd" name="selinux" dev=hda3 ino=394114
scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 15 02:43:18 spock kernel: audit(1121388198.077:105): avc: denied {
read } for pid=17122 comm="smbd" name="config"
dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 15 02:43:18 spock kernel: audit(1121388198.078:106): avc: denied {
getattr } for pid=17122 comm="smbd" name="config" dev=hda3 ino=394549
scontext=system_u:system_r:smbd_t
tcontext=system_u:object_r:selinux_config_t tclass=file
webalizer is being asked to put its resulting webpages into a local
user's web directory in support of per-user usage stats. The user's
webfolder has the correct objects set for httpd security.
Jul 11 04:02:17 spock kernel: audit(1121047337.762:57): avc: denied {
search } for pid=3409 comm="webalizer" name="home" dev=hda3 ino=819203
scontext=system_u:system_r:webalizer_t
tcontext=system_u:object_r:home_root_t tclass=dir
Jul 11 04:02:17 spock kernel: audit(1121047337.762:58): avc: denied {
search } for pid=3409 comm="webalizer" name="joakim" dev=hda3
ino=458781 scontext=system_u:system_r:webalizer_t
tcontext=user_u:object_r:user_home_dir_t tclass=dir
In addition to this I have a shared folder with 'public' material, files
that I offer for download/upload. This folder is shared to my users
with ftp as well as samba. Is this even possible to do with selinux?
Jul 16 15:24:31 spock kernel: audit(1121520271.993:127): avc: denied {
search } for pid=21818 comm="smbd" name="/" dev=hdc1 ino=2
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t
tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.060:128): avc: denied {
getattr } for pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t
tclass=dir
Jul 16 15:24:32 spock kernel: audit(1121520272.156:129): avc: denied {
read } for pid=21818 comm="smbd" name="pub" dev=hdc1 ino=32769
scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:ftpd_anon_t
tclass=dir
audit2allow suggests:
allow smbd_t ftpd_anon_t:dir { getattr read search };
Grateful for any tips, hoping to enforce soon!
/Nicke
18 years, 4 months
ainit
by Russell Coker
The attached patch is needed for correct functionality of ainit with the
latest strict policy when running reasonably recent rawhide packages.
Is this really what we want? Having a system process allocate shared memory
that can be used by any user processes? Also it seems likely that other
sound programs will need to access the shared memory in question.
There are three possible assumptions that we could make:
1) Anyone who is serious about security doesn't use ALSA so such access
doesn't matter that much.
2) Sound devices are a channel for communication anyway so it doesn't really
grant any new access. NB I don't know enough about sound programming to
know whether this assumption is correct. Does ALSA require that a shared
memory segment be available to all programs that are accessing the sound
device? If so the assumption holds for ALSA. Can an application stuff some
data into the sound hardware without using the user-space code from ALSA in
such a way that another application can read it?
3) We need to have pam_console launch programs such as ainit in a context
determined by the user role.
Option 3 might be the best one long-term.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
18 years, 4 months
Network drop out problem
by Brad Douglas
Hi,
This is my first post here - please be gentle 8).
Yesterday I installed FC4 on a HP ML110 proliant server. The plan is to use
it as our file server, so I've got samba running on it, along with vnc.
The problem I've run into is that the box appears to be running fine, but
every now and then _all_ the network connections to my laptop (running XP)
disappear and cannot reconnect for a few seconds: ssh, samba, vnc -
everything. A few seconds later everything is fine again (till the next
time). The weirdest thing is that I don't see any disruption pinging the
box.
I've gone through the samba, message and secure logs and can't see anything
obviously wrong.
If anyone has an idea what's going on, or even where I could look to
diagnose the cause I'd be very grateful.
Thanks,
B
18 years, 4 months
apache mod_jk
by marko bauhardt
Hello all,
I have a question about selinux and apache/mod_jk.
I use Fedora Core 3.
The apache runs flawlessly (the files in /var/www/html are available).
But the connection to the tomcat doesn't work. The debug output in
/var/log/messages:
audit(1121888291.180:0): avc: denied { connect } for pid=3388
exe=/usr/sbin/httpd scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_t tclass=tcp_socket
If I turn off selinux with "setenforce 0", the jsps in the tomcat
are available. But I think this is a bad workaround to set the enforce
to 0. If I execute "setenforce 1" the connection to the tomcat fails.
Is there another solution to connect the apache with the tomcat?
Must I use the command chcon for the files in my tomcat?
18 years, 4 months
Problems with selinux-policy-targeted-1.25.2-4 (user_ping boolean)
by dragoran
During boot I get an error:
error reading /etc/selinux/targeted/booleans because there is no
user_ping bool
I had allowed user_ping in the older policy in
system-config-securitylevel but now it has disappeared?
Is this a bug or a feature? (ping still works)
If it is a feature, how can I get rid of this message?
18 years, 4 months
Call for Paper - 2nd SELinux Symposium
by Frank Mayer
SECOND SECURITY ENHANCED LINUX SYMPOSIUM (www.selinux-symposium.org)
Call for Papers
The call for papers for the Second Security Enhanced Linux (SELinux)
Symposium is now open. The Symposium is scheduled for February 28-March
2, 2006, at the Wyndham Hotel, Baltimore, Maryland, USA. The event is
the only one of its kind to examine SELinux and the power of the flexible
mandatory access control security it brings to Linux. Last year's
inaugural symposium was a tremendous success, providing the SELinux
development and user community the opportunity to discuss related
research results, development plans, and applications.
Any topics relating to SELinux technology, flexible mandatory access
control, and its application to real-world problems are of interest for
this symposium. Such topics include:
+ Innovations and advancement in SELinux technology
+ Use and application of SELinux and Type Enforcement
+ SELinux development experiences and tools
+ Use and Configuration of MLS and RBAC in securing systems
+ Updates on the various Linux distributions using SELinux
+ Practical "root"-less system administration policies
+ Case studies and application experience with SELinux
+ Related research and development activities
+ Tools and products supporting/using SELinux
+ Security evaluation and certification issues
+ User and customer concerns and needs
+ Tutorials
No marketing pitches will be accepted.
The call for papers is open until September 19, 2005. For additional
information and submittal requirements, see www.selinux-symposium.org.
Technical Committee:
Joshua Brindle, Tresys
Russell Coker, Red Hat
Chad Hanson, TCS
Trent Jaeger, IBM
Pete Loscocco, NSA
Karl MacMillan, Tresys
Frank Mayer (Chair), Tresys
James Morris, Red Hat
Doc Shankar, IBM
Stephen Smalley, NSA
Daniel Walsh, Red Hat
18 years, 4 months
call for FAQs
by Karsten Wade
Better late than never, eh?
If you have an FAQ about Fedora and SELinux:
* Something not covered in the FAQ already
* An FAQ in FC3 is different or not needed for FC4
* An entry that needs to be expanded
Here is the best (and only) way to get in the queue.
1. Use this easy-to-fill-out bug: http://tinyurl.com/7p9mt
* Make the Summary meaningful
* Fill out the description
* _Do not_ remove the blocking bug 118757
Okay, wait, there is another way. If you send me an email with a
collection of pointers to specific messages/threads in online archives
on this or other mailing lists, I'll make the bug report myself.
Thanks,
Karsten
--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Red Hat SELinux Guide
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
18 years, 4 months
sysadm_r role
by Preeti Malakar
Sir,
Can anyone explain the following result: why does root have to change
the type along with the sysadm_r role? Why does it say "Couldn't get
default type" in the first case?
[root@pryber ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:system_r:unconfined_t
[root@pryber ~]# id -Z
root:system_r:unconfined_t
[root@pryber ~]# grep ^role /etc/selinux/targeted/src/policy/policy.conf | cut -f2 "-d " | sort -u
sysadm_r
system_r
user_r
[root@pryber ~]# newrole -r sysadm_r
Couldn't get default type.
[root@pryber ~]# newrole -r sysadm_r -t sysadm_t
Authenticating root.
Password:
[root@pryber ~]# id -Z
root:sysadm_r:unconfined_t
--
Thanks in advance
Regards
Preeti Malakar
MTech CSE
IIT Guwahati
18 years, 4 months
a few more problem with the latest policy
by Farkas Levente
hi,
a few problems with the latest policy file.
------------------------------------------
# audit2allow -i /var/log/messages -l
allow apmd_t proc_t:file ioctl;
allow dhcpc_t etc_t:file { unlink write };
allow ifconfig_t initrc_t:udp_socket { read write };
------------------------------------------
and here is the relevant part of the log file
------------------------------------------
audit(1121423510.841:2): avc: denied { read write } for pid=2215
comm="ip" name="[6542]" dev=sockfs ino=6542
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:initrc_t tclass=udp_socket
audit(1121423510.846:3): avc: denied { read write } for pid=2218
comm="ip" name="[6542]" dev=sockfs ino=6542
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:initrc_t tclass=udp_socket
audit(1121423655.473:4): avc: denied { write } for pid=2888 comm="cp"
name="resolv.conf.predhclient" dev=hda2 ino=3997781
scontext=root:system_r:dhcpc_t tcontext=root:object_r:etc_t tclass=file
audit(1121423655.473:5): avc: denied { unlink } for pid=2888
comm="cp" name="resolv.conf.predhclient" dev=hda2 ino=3997781
scontext=root:system_r:dhcpc_t tcontext=root:object_r:etc_t tclass=file
audit(1121423736.907:6): avc: denied { ioctl } for pid=2982
comm="awk" name="state" dev=proc ino=-268434831
scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:proc_t
tclass=file
------------------------------------------
yours.
--
Levente "Si vis pacem para bellum!"
18 years, 4 months
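As an added example (not part of either post), here is a small Python script that parses AVC records like the ones quoted in Nicklas Norling's and Farkas Levente's posts and folds them into candidate allow rules the way audit2allow -l does, so the denials behind each suggested rule stay visible while deciding whether a boolean or a relabel is the real fix rather than a new rule. The sample records are constructed from the quoted ones, re-joined onto single lines; nothing beyond the Python standard library is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: denials from the two posts, re-joined onto one line each
# (the archive wrapped them); the field values are as quoted there.
SAMPLE_AVCS = """\
Jul 15 02:43:18 spock kernel: audit(1121388198.077:104): avc: denied { search } for pid=17122 comm="smbd" name="selinux" dev=hda3 ino=394114 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 15 02:43:18 spock kernel: audit(1121388198.077:105): avc: denied { read } for pid=17122 comm="smbd" name="config" dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 15 02:43:18 spock kernel: audit(1121388198.078:106): avc: denied { getattr } for pid=17122 comm="smbd" name="config" dev=hda3 ino=394549 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1121423510.841:2): avc: denied { read write } for pid=2215 comm="ip" name="[6542]" dev=sockfs ino=6542 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:initrc_t tclass=udp_socket
"""

# Pull the permission set and the three context fields out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def type_of(context):
    """user:role:type[:range] -> the type field, which is what allow rules name."""
    return context.split(':')[2]

def parse_avc(line):
    """Return {'perms', 'stype', 'ttype', 'tclass'} for an AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {'perms': set(m.group('perms').split()), 'tclass': m.group('tclass'),
            'stype': type_of(m.group('scontext')), 'ttype': type_of(m.group('tcontext'))}

def group_denials(lines):
    """Fold denials into {(stype, ttype, tclass): perms}, the way audit2allow -l does."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        groups[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return groups

def format_allow(stype, ttype, tclass, perms):
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (stype, ttype, tclass, body)

def allow_rules(text):
    """Sorted allow rules for every denial in text (a candidate list, not a fix)."""
    return sorted(format_allow(*key, perms)
                  for key, perms in group_denials(text.splitlines()).items())

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

Run against a real /var/log/messages the grouping is the same as the posts' audit2allow output; a rule whose target is selinux_config_t or etc_t is a signal to look for a boolean or a mislabelled file before loading it.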