Problem with SELinux and NIS
by Tony Molloy
Hi,
My test system runs FC4 updated to the latest rpms as of today. I'm
trying to get SELinux working and am having a slight problem.
I've gotten nfs, samba and ntpd working OK, but I have a problem with NIS
running yppasswd to set passwords.
With SELinux disabled it works; with SELinux enabled, in enforcing mode
and targeted policy, it doesn't.
The errors I get are as follows:
/var/log/messages ( edited )
beta rpc.yppasswdd[1778]: update testacc1 (uid=9001) from host
10.220.1.151 failed
beta rpc.yppasswdd[1778]: password file locked
^^^^^^^^^^^^^^^^^^^^
/var/log/audit/audit.log
type=PATH msg=audit(1120732794.982:341722): item=0 name="/etc/.pwd.lock"
flags=310 inode=62249 dev=03:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=Unknown msg=audit(1120732794.982:341722): cwd="/"
type=SYSCALL msg=audit(1120732794.982:341722): arch=40000003 syscall=5
success=no exit=-13 a0=acf181 a1=41 a2=180 a3=ffffffff items=1 pid=1778
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="rpc.yppasswdd" exe="/usr/sbin/rpc.yppasswdd"
type=AVC msg=audit(1120732794.982:341722): avc: denied { write } for
pid=1778 comm="rpc.yppasswdd" name=".pwd.lock" dev=hda1 ino=62391
scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:shadow_t
tclass=file
So it seems that SELinux is denying rpc.yppasswdd writing
to /etc/.pwd.lock.
How do I allow it to write to that file?
Thanks in advance
Tony
--
Tony Molloy.
Dept. of Comp. Sci.
University of Limerick
Fedora 3 and SELinux
by Preeti Malakar
Sir,
I installed Fedora core 3 with firewall enabled
and selinux active option during installation but
there is no source code anywhere in the system tree.
The /usr/src directory contains redhat directory but
no linux-2.6.5-1.358 which is there in fedora 2.
Some SELinux commands are also missing like
change_bool, setsebool -P option.
Can anyone tell me what I am missing?
Thanking you
Preeti
MTech (CSE)
IITGuwahati
ANN: Dates set for Second SELinux Symposium
by Frank Mayer
The Second Security Enhanced Linux Symposium is scheduled for 28 February -
2 March 2006 in Baltimore, Maryland, USA. Last year's inaugural symposium was
a tremendous success providing the SELinux development and user community the
opportunity to discuss related research results, development plans, and
applications. In the second Symposium, we will build upon that success with
a special focus on applications of SELinux to solve real-world security
challenges. The Symposium is an opportunity to learn about SELinux and share
technical and application experiences.
The Symposium is a 3-day conference, with one day for tutorials and two days
for technical presentations and interchange. The call for papers will be
released in the coming days. For additional information see the Symposium's
web site at www.selinux-symposium.org or e-mail at info(a)selinux-symposium.org.
Technical Committee:
Joshua Brindle, Tresys
Russell Coker, Red Hat
Chad Hanson, TCS
Trent Jaeger, IBM
Pete Loscocco, NSA
Karl MacMillan, Tresys
Frank Mayer (Chair), Tresys
James Morris, Red Hat
Doc Shankar, IBM
Stephen Smalley, NSA
Daniel Walsh, Red Hat
FC4 cyrus-imapd socket issues...
by Tom Lisjac
I'm getting the following avc's on FC4 when starting cyrus-imapd with
selinux-policy-targeted-1.23.18-17. As a result, it can't listen on
ports 110, 143 and 993. Do I need to toggle cyrus_disable_trans to
make this daemon work?
Best regards,
-Tom
---------------------------------
From /var/log/audit/audit.log. In addition to 993, an avc is also
generated for ports 110 and 143:
type=AVC msg=audit(1120506529.586:145746): avc: denied { name_bind }
for pid=2919 comm="cyrus-master" src=993
scontext=system_u:system_r:cyrus_t tcontext=system_u:
type=SOCKETCALL msg=audit(1120506529.662:145983): nargs=3 a0=7 a1=9e18aa8 a2=10
type=SOCKADDR msg=audit(1120506529.662:145983):
saddr=0200006E000000000000000000000000
type=SYSCALL msg=audit(1120506529.662:145983): arch=40000003
syscall=102 success=no exit=-13 a0=2 a1=bfc61440 a2=8054164 a3=9e18c40
items=0 pid=2919 auid=4294967295 u
... which causes the following in /var/log/messages
Jul 4 15:54:13 test master[6295]: unable to create imap listener
socket: Address family not supported by protocol
Jul 4 15:54:13 test master[6295]: unable to create imaps listener
socket: Address family not supported by protocol
Jul 4 15:54:13 test master[6295]: unable to create pop3 listener
socket: Address family not supported by protocol
Jul 4 15:54:13 test master[6295]: unable to create pop3s listener
socket: Address family not supported by protocol
Shorewall startup issues on FC4...
by Tom Lisjac
Getting back to selinux... :)
When using nat and multiple ISP providers on Shorewall 2.4.0, the
following error is produced on boot with FC4:
Cannot open "/proc/sys/net/ipv4/route/flush
The box is running the latest update: selinux-policy-targeted-1.23.18-17.
Adding the following to local.te will fix it... but I don't want to
have to install policy sources on my servers like I did with FC3:
allow ifconfig_t initrc_tmp_t:file read;
allow ifconfig_t sysctl_net_t:file write;
allow ifconfig_t var_lib_t:file read;
Best regards,
-Tom
-----------------------------------------------------------------------------
From /var/log/audit/audit.log:
type=PATH msg=audit(1120675555.415:78677): item=0 name="/sbin/ip"
type=AVC_PATH msg=audit(1120675555.415:78677): path="/var/lib/shorewall/nat"
type=AVC msg=audit(1120675555.415:78677): avc: denied { read } for pid=2430
comm="ip" name="nat" dev=hda2 ino=4406613
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:var_lib_t tclass=file
type=AVC msg=audit(1120675556.084:95462): avc: denied { write } for
pid=2641 comm="ip" name="flush" dev=proc ino=-268435296
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:sysctl_net_t tclass=file
type=PATH msg=audit(1120675555.879:90329): item=0 name="/sbin/ip"
type=AVC_PATH msg=audit(1120675555.879:90329):
path="/tmp/shorewall.Gh1879/providers"
type=AVC msg=audit(1120675555.879:90329): avc: denied { read } for pid=2588
comm="ip" name="providers" dev=hda2 ino=3068205
scontext=system_u:system_r:ifconfig_t
tcontext=system_u:object_r:initrc_tmp_t tclass=file
Re: NSA motives
by stewartetcie@canada.com
Waiting for the other shoe to drop?
On 5 Jul 07:11 (CEST) Peter Magnusson
<iocc(a)fedora-selinux.lists.flashdance.cx> wrote:
>I'll have my tinfoil hat on for the rest of the day
On 5 Jul 04:39 (PDT) Angela Kahealani
<angela(a)kahealani.com> wrote:
>I doubt it... you probably meant aluminum foil.
>If you've got actual tin foil, where do I get some?
So the real conspiracy is about who has replaced all
the tin foil with aluminum foil? I don't think so.
This belief appears to have arisen as a result of a
simple misunderstanding. Many people who've heard the
same voices you two claim to hear have been diagnosed
with tinnitus. Whether or not these diagnoses are
accurate, tin probably won't help.
It sure is funny about all that aluminum foil though...
On 4 Jul 23:05 (PDT) Valdis Kletnieks
<Valdis.Kletnieks(a)vt.edu> wrote:
>The back door is elsewhere, where you'll never find
>it, especially if you're busy looking at the SELinux
>code looking for backdoors.
Interesting, if true, but I'm more concerned that the
mandatory access control of SE Linux, combined with a
digital rights management policy, provides a strategy
to control the flow of information on the internet.
Digital rights management policies require a unique ID
for information access that can also provide the
"internet DNA" to track users online.
Distributing software that's used to restrict access to
information under non-restrictive licenses like the
GPL seems to be counter-productive. It is inappropriate
for the open source community to be co-opted by a
strategy that runs counter to their motives. Now that
SE Linux has been merged into Linux 2.6, without
digital rights management policies, are we waiting for
the other shoe to drop?
The thing to remember about SE Linux is just because it
is merged with the Linux 2.6 kernel does not mean that
it is mandatory. It can be removed with some effort,
just like those tin foil hats.
SELinux and Thinkpad ACPI (part 1: screen blank)
by Matthew Saltzman
The ACPI scripts that I use to turn off the screen and suspend to RAM no
longer function in FC4 (worked fine in FC3). The screen blank script is
invoked on Fn-F3 and contains:
#!/bin/sh
# Toggle the backlight; a marker file in /var/tmp remembers the current state.
if [ -f /var/tmp/acpi-lightoff ]; then
    /usr/sbin/radeontool light on
    /bin/rm /var/tmp/acpi-lightoff
else
    /usr/sbin/radeontool light off
    /bin/touch /var/tmp/acpi-lightoff
fi
When the script is invoked, the following messages are generated in /var/log/acpid:
[Sun Jul 3 16:15:50 2005] received event "ibm/hotkey HKEY 00000080 00001003"
[Sun Jul 3 16:15:50 2005] notifying client 2531[0:0]
[Sun Jul 3 16:15:50 2005] notifying client 3068[500:500]
[Sun Jul 3 16:15:50 2005] executing action "/etc/acpi/actions/Fn-F3.sh"
[Sun Jul 3 16:15:50 2005] BEGIN HANDLER MESSAGES
Radeon hardware not found in lspci output.
/bin/touch: cannot touch `/var/tmp/acpi-lightoff': Permission denied
[Sun Jul 3 16:15:50 2005] END HANDLER MESSAGES
[Sun Jul 3 16:15:50 2005] action exited with status 1
[Sun Jul 3 16:15:50 2005] completed event "ibm/hotkey HKEY 00000080 00001003"
And the following are generated in /var/log/audit/audit.log:
type=PATH msg=audit(1120421750.387:2653913): item=0 name="/var/tmp/acpi-lightoff" flags=1 inode=906756 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=Unknown msg=audit(1120421750.387:2653913): cwd="/"
type=SYSCALL msg=audit(1120421750.387:2653913): arch=40000003 syscall=195 success=no exit=-13 a0=9a02228 a1=bfef4278 a2=4bfff4 a3=9a022b8 items=1 pid=27793 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="Fn-F3.sh" exe="/bin/bash"
type=AVC msg=audit(1120421750.387:2653913): avc: denied { search } for pid=27793 comm="Fn-F3.sh" name="tmp" dev=dm-0 ino=906756 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=PATH msg=audit(1120421750.466:2654723): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=809685 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=Unknown msg=audit(1120421750.466:2654723): cwd="/"
type=SYSCALL msg=audit(1120421750.466:2654723): arch=40000003 syscall=5 success=no exit=-13 a0=8054e5c a1=0 a2=fbad8001 a3=0 items=1 pid=27795 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="lspci" exe="/sbin/lspci"
type=AVC msg=audit(1120421750.466:2654723): avc: denied { read } for pid=27795 comm="lspci" name="pci.ids" dev=dm-0 ino=809685 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:usr_t tclass=file
type=PATH msg=audit(1120421750.481:2654836): item=0 name="/var/tmp/acpi-lightoff" flags=310 inode=906756 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=Unknown msg=audit(1120421750.481:2654836): cwd="/"
type=SYSCALL msg=audit(1120421750.481:2654836): arch=40000003 syscall=5 success=no exit=-13 a0=bfefdeef a1=8941 a2=1b6 a3=8941 items=1 pid=27796 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"
type=AVC msg=audit(1120421750.481:2654836): avc: denied { search } for pid=27796 comm="touch" name="tmp" dev=dm-0 ino=906756 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=PATH msg=audit(1120421750.481:2654837): item=0 name="/var/tmp/acpi-lightoff" flags=1 inode=906756 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=Unknown msg=audit(1120421750.481:2654837): cwd="/"
type=SYSCALL msg=audit(1120421750.481:2654837): arch=40000003 syscall=30 success=no exit=-13 a0=bfefdeef a1=0 a2=804f8bc a3=bfefdeef items=1 pid=27796 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"
type=AVC msg=audit(1120421750.481:2654837): avc: denied { search } for pid=27796 comm="touch" name="tmp" dev=dm-0 ino=906756 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
I'll post the suspend script results separately.
Thanks.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
avc denied about hwclock.
by Vinicius
Hello,
I'm getting the following on FC4:
"audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file
audit(1119989359.942:3): avc: denied { read } for pid=1427 comm="hwclock" name=localtime dev=dm-0 ino=1502961 scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file"
How to resolve this problem, please?
TIA,
Vinicius.
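The yppasswdd, Shorewall, acpid and hwclock posts above all ask the same question: which allow rule would satisfy a given AVC denial. The script below is an added example, not code from any of the posters or from the SELinux project; it parses the AVC records quoted above (embedded as a constructed sample, with pid/dev/ino fields trimmed), merges them by source type, target type and object class the way audit2allow does, renders the candidate allow rules, and flags targets such as shadow_t that a reviewer should not grant without thought. The SENSITIVE_TARGETS list is an assumed shortlist for the example.

```python
import re

# Constructed sample: AVC records copied from the posts above (yppasswdd, Shorewall,
# acpid and hwclock), with the dev/ino fields trimmed for brevity.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1120732794.982:341722): avc: denied { write } for pid=1778 comm="rpc.yppasswdd" name=".pwd.lock" scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1120732794.982:341722): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1120675555.415:78677): avc: denied { read } for pid=2430 comm="ip" name="nat" scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lib_t tclass=file
type=AVC msg=audit(1120675556.084:95462): avc: denied { write } for pid=2641 comm="ip" name="flush" scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:sysctl_net_t tclass=file
type=AVC msg=audit(1120675555.879:90329): avc: denied { read } for pid=2588 comm="ip" name="providers" scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:initrc_tmp_t tclass=file
type=AVC msg=audit(1120421750.481:2654836): avc: denied { search } for pid=27796 comm="touch" name="tmp" scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
type=AVC msg=audit(1120421750.481:2654837): avc: denied { search } for pid=27796 comm="touch" name="tmp" scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1119989359.942:2): avc: denied { read } for pid=1427 comm="hwclock" name=localtime scontext=system_u:system_r:hwclock_t tcontext=root:object_r:etc_t tclass=file
"""

# One AVC record: the permission set in braces, then source/target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc_denials(log_text):
    """Yield (source type, target type, class, perms) for every AVC denial in the log."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # SYSCALL/PATH records and plain syslog lines carry no AVC
            continue
        # A context is user:role:type[:level]; the type is what an allow rule names.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())

def summarize_denials(log_text):
    """Merge repeated denials by (source, target, class), as audit2allow does."""
    rules = {}
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules

def render_allow_rules(rules):
    """Render the merged denials as TE allow rules for review, one per line."""
    return [f"allow {s} {t}:{c} {' '.join(sorted(p))};" for (s, t, c), p in sorted(rules.items())]

# Assumed shortlist for this example: shadow_t labels /etc/shadow (and, per the post, .pwd.lock).
SENSITIVE_TARGETS = {"shadow_t"}

def flag_sensitive(rules):
    """Return the merged rules whose target type deserves a second look before granting."""
    return [key for key in rules if key[1] in SENSITIVE_TARGETS]
```

Running `render_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG))` reproduces the three ifconfig_t rules from the Shorewall post and shows that the two acpid search denials collapse into a single rule, while `flag_sensitive` singles out the rpcd_t write to shadow_t.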
How do I tell if SELinux is working?
by Jon August
I updated the policy after I found that there was a bug with starting
DHCP and since then I haven't had any issues getting things to work.
Things like a CGI script running sendmail to send an email - which
used to show up in the audit log, now work fine.
What can I do to see if SELinux is still paying attention?
-Jon