List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list of the available classes
and operations (permissions)?
Other concepts, like types and roles, are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
16 years, 11 months
1105 fails to boot....
by Tom London
Running strict/enforcing, latest rawhide:
After installing the latest packages, relabeling /etc, /bin, /lib, ....
and rebooting, the system produces lots of udev-type errors
(cannot remove /dev/.udev_tdb/classSTUFF) and hangs
on 'adding hardware'.
It boots (with messages) in permissive mode.
Here are the 'early' AVCs:
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev bdev, type
bdev), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev rootfs, type
rootfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev sysfs, type
sysfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292231.919:0): avc: denied
{ read } for pid=478 exe=/bin/hostname path=/init dev=rootfs ino=17
scontext=system_u:system_r:hostname_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: SELinux: initialized (dev usbfs, type
usbfs), uses genfs_contexts
Jan 21 07:24:30 fedora kernel: audit(1106292233.809:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon path=/init dev=rootfs
ino=17 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:root_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292234.081:0): avc: denied
{ read } for pid=576 exe=/sbin/restorecon name=customizable_types
dev=hda2 ino=4506184 scontext=system_u:system_r:restorecon_t
tcontext=system_u:object_r:default_context_t tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ use } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292235.062:0): avc: denied
{ read } for pid=702 exe=/bin/dmesg path=/init dev=rootfs ino=17
scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292235.086:0): avc: denied
{ read } for pid=703 exe=/bin/bash path=/init dev=rootfs ino=17
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora kernel: audit(1106292239.427:0): avc: denied
{ use } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:system_r:kernel_t
tclass=fd
Jan 21 07:24:30 fedora kernel: audit(1106292239.428:0): avc: denied
{ read } for pid=1233 exe=/sbin/kmodule path=/init dev=rootfs ino=17
scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:root_t
tclass=file
Jan 21 07:24:30 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652,
dev=<mlc:usb:PSC_900_Series>, pid=2629, e=2, t=1106321070
ptal-mlcd successfully initialized.
Jan 21 07:24:30 fedora ptal-printd:
ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using
/var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jan 21 07:24:30 fedora kernel: Floppy drive(s): fd0 is 1.44M
I'll probe a bit, but any help is welcome!
tom
--
Tom London
17 years, 10 months
can't create dirs from vsftpd
by Peter Magnusson
selinux-policy-targeted-1.25.3-9 in FC4 surely isn't perfect. Can't create
dirs when I log in over ftp:
type=CWD msg=audit(1123375603.524:11258814): cwd="/home/iocc"
type=PATH msg=audit(1123375603.524:11258814): item=0 name="mp3" flags=10
inode=5046274 dev=03:01 mode=040755 ouid=636 ogid=636 rdev=00:00
type=AVC msg=audit(1123375603.539:11258878): avc: denied { getattr } for
pid=10556 comm="vsftpd" name="/" dev=0:10 ino=49161
scontext=root:system_r:ftpd_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1123375603.539:11258878): arch=40000003 syscall=196
success=no exit=-13 a0=9527930 a1=9523328 a2=3a3ff4 a3=797eec items=1
pid=10556 auid=636 uid=636 gid=636 euid=636 suid=636 fsuid=636 egid=636
sgid=636 fsgid=636 comm="vsftpd" exe="/usr/sbin/vsftpd"
Can't find what I should turn off in /etc/selinux/targeted/booleans to make
it work. So I need a little help. Later, I want to upload files in that dir
also.
Also, I'm not so sure that I like that I can't see a lot of dirs when I'm
logged in over ftp.
17 years, 11 months
selinux-policy-targeted 1.25.4-10 and dovecot
by Paul Howarth
I notice in the changelog that a recent change was:
* Wed Aug 17 2005 Dan Walsh <dwalsh(a)redhat.com> 1.25.4-4
- Add more access for amanda
- Allow dovecot to create files in mail_spool_t
Having installed the updated policy this morning, I found I had to add a
local rule:
allow dovecot_t mail_spool_t:file write;
This is needed to allow dovecot to delete mail from the mail spool file
(I use dovecot in pop3 mode). I'm surprised this wasn't the default - is
there a good reason why it isn't?
Cheers, Paul.
P.S. There is still a problem with pptp - in pppd.fc
# Fix pptp sockets
/var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t
should read:
# Fix pptp sockets
/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t
because /var/run/pptp is a directory and the items in that directory
should be sockets, not regular files.
18 years
NeedHelp: Issue on change apache DocumentRoot location on FC3
by KevinKW
Hi,
I've changed the DocumentRoot directory of the httpd 2.0.52 server from
/var/www/html to /data/www/html, which is mounted from the disk /dev/hda8.
But when I try to start the httpd service, it reports the warning "Warning:
DocumentRoot [/data/www/html/] does not exist".
I've changed its security context with the command "chcon -R -t
httpd_user_content_t /data/www" but it still did not work.
The following is the output of the command "ls -Z /data/www":
=============
drwxr-xr-x kevinkw kevinkw user_u:object_r:httpd_user_content_t cgi-bin
drwxr-xr-x kevinkw kevinkw user_u:object_r:httpd_user_content_t error
drwxr-xr-x kevinkw kevinkw user_u:object_r:httpd_user_content_t html
drwxr-xr-x kevinkw kevinkw user_u:object_r:httpd_user_content_t icons
=============
How can I solve this problem? Any more information needed, please let me
know. Thanks very much!
Best wishes,
Kevin
18 years
ANN: New Release of Setools
by Kevin Carr
Tresys is proud to announce the release of Setools-2.1.2. This minor
release provides support for loading the new version 20 binary policy
format. We have provided updated permission maps for version 19 and 20 as
well. Also included in this release is the ability for seaudit to parse avc
messages in logs generated by auditd.
You can download this new release from the Tresys website by clicking the
link on our main page -
http://www.tresys.com
Kevin Carr
Tresys Technology
410.290.1411 x137
18 years
ifconfig/pipefs avc messages.
by dragoran
I have found these messages in /var/log/audit/audit.log:
> type=AVC msg=audit(1120371250.432:658540): avc: denied { write }
> for pid=3342 comm="ifconfig" name=[11205] dev=pipefs ino=11205
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371250.432:658540): avc: denied { read } for
> pid=3342 comm="ifconfig" name=[11205] dev=pipefs ino=11205
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371250.432:658540): avc: denied { write }
> for pid=3342 comm="ifconfig" name=[11203] dev=pipefs ino=11203
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371250.432:658540): avc: denied { read } for
> pid=3342 comm="ifconfig" name=[11203] dev=pipefs ino=11203
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371250.432:658540): avc: denied { write }
> for pid=3342 comm="ifconfig" name=[11202] dev=pipefs ino=11202
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371250.432:658540): avc: denied { read } for
> pid=3342 comm="ifconfig" name=[11202] dev=pipefs ino=11202
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371250.432:658540): avc: denied { write }
> for pid=3342 comm="ifconfig" name=[11201] dev=pipefs ino=11201
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371250.432:658540): avc: denied { read } for
> pid=3342 comm="ifconfig" name=[11201] dev=pipefs ino=11201
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371250.432:658540): avc: denied { write }
> for pid=3342 comm="ifconfig" name=[11687] dev=pipefs ino=11687
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371250.432:658540): avc: denied { write }
> for pid=3342 comm="ifconfig" name=[11687] dev=pipefs ino=11687
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=PATH msg=audit(1120371251.502:661490): item=1 inode=2127845
> dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1120371251.502:661490): item=0
> name="/sbin/ifconfig" inode=9297060 dev=08:05 mode=0100755 ouid=0
> ogid=0 rdev=00:00
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11687]"
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11687]"
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11201]"
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11201]"
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11202]"
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11202]"
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11203]"
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11203]"
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11205]"
> type=AVC_PATH msg=audit(1120371251.502:661490): path="pipe:[11205]"
> type=SYSCALL msg=audit(1120371251.502:661490): arch=c000003e
> syscall=59 success=yes exit=0 a0=627990 a1=627cb0 a2=608440
> a3=2aaaaaac5000 items=2 pid=3370 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ifconfig" exe="/sbin/ifconfig"
> type=AVC msg=audit(1120371251.502:661490): avc: denied { write }
> for pid=3370 comm="ifconfig" name=[11205] dev=pipefs ino=11205
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371251.502:661490): avc: denied { read } for
> pid=3370 comm="ifconfig" name=[11205] dev=pipefs ino=11205
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371251.502:661490): avc: denied { write }
> for pid=3370 comm="ifconfig" name=[11203] dev=pipefs ino=11203
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371251.502:661490): avc: denied { read } for
> pid=3370 comm="ifconfig" name=[11203] dev=pipefs ino=11203
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371251.502:661490): avc: denied { write }
> for pid=3370 comm="ifconfig" name=[11202] dev=pipefs ino=11202
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371251.502:661490): avc: denied { read } for
> pid=3370 comm="ifconfig" name=[11202] dev=pipefs ino=11202
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371251.502:661490): avc: denied { write }
> for pid=3370 comm="ifconfig" name=[11201] dev=pipefs ino=11201
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371251.502:661490): avc: denied { read } for
> pid=3370 comm="ifconfig" name=[11201] dev=pipefs ino=11201
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371251.502:661490): avc: denied { write }
> for pid=3370 comm="ifconfig" name=[11687] dev=pipefs ino=11687
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=AVC msg=audit(1120371251.502:661490): avc: denied { write }
> for pid=3370 comm="ifconfig" name=[11687] dev=pipefs ino=11687
> scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t
> tclass=fifo_file
> type=PATH msg=audit(1120371251.510:662032): item=1 inode=2127845
> dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1120371251.510:662032): item=0 name="/sbin/ip"
> inode=9297052 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
I did fixfiles relabel but it hasn't fixed them.
What's the problem?
A bug in the policy? (using FC4 and selinux-policy-targeted-1.25.3-12)
18 years
policy version problem
by Wen-Fu Shih
I used yum to install the file
selinux-policy-targeted-sources-1.25.4-11.noarch.rpm
and I enabled SELinux on FC4 with kernel 2.6.13-1.
The original policyvers is 19.
After installing the policy-sources and making the policy,
relabeling and rebooting,
the policyvers is still 19 (using 'sestatus'),
but the directory /etc/selinux/targeted/policy has
both policy.19 and policy.20.
I'm confused about the policyvers.
Could I change the policyvers?
Or have I already done it?
Thanks a lot
18 years
rsync and nscd broken in selinux-policy-targeted-1.25.3-12
by TC Wan
Hi,
I'm kind of new to SELinux, but have read enough info from the various FAQs
etc. to try and follow what is going on.
I recently upgraded to selinux-policy-targeted-1.25.3-12 on my server (and
rebooted), and discovered subsequently that it broke nscd and rsyncd.
I'm not sure what exact problem nscd is having. rsyncd requires
chroot rights.
$ rsync rsync://localhost/Mirror/
@ERROR: chroot failed
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(420)
Output from sestatus:
---------------------
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 19
Policy from config file: targeted
dmesg|fgrep audit (edited):
-----------------
audit(1125305372.102:2): avc: denied { create } for pid=1400
comm="nscd" scontext=system_u:system_r:nscd_t
tcontext=system_u:system_r:nscd_t tclass=netlink_audit_socket
audit(1125371048.190:11): avc: denied { sys_chroot } for pid=2479
comm="rsync" capability=18 scontext=system_u:system_r:rsync_t
tcontext=system_u:system_r:rsync_t tclass=capability
dmesg|audit2allow:
-----------------
allow nscd_t self:netlink_audit_socket create;
allow rsync_t self:capability sys_chroot;
Should I wait for a new targeted policy release to address these problems
(if so, how soon?), or should I try to create a custom policy?
T.C.
--
Wan Tat Chee (Senior Lecturer)
School of Computer Sciences, Univ. of Science Malaysia,
11800 USM, Penang, Malaysia. Rm.625 Ofc Ph: +604 653-3888 x 3617
NRG Lab Admin: +604 659-4757 Rm.601-F Ofc Ph: +604 653-4396
Internet: tcwan(a)cs.usm.my Web: http://nrg.cs.usm.my/~tcwan
GPG Key : http://nrg.cs.usm.my/~tcwan/tcwan-nrg-20040805.asc
F'print : 4B2E F0BF AAD7 2F51 CB41 4386 F72B 7859 8278 BDC4
18 years
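The denials quoted in the vsftpd, ifconfig and rsync/nscd posts above are what audit2allow turns into allow rules; the following Python example is added here (it is not code from the list posts or from the audit2allow tool itself) and shows how both record shapes on this page, the kernel/dmesg form and the auditd "type=AVC" form, are parsed and collapsed into such rules, merging permissions per source/target/class and writing "self" when the two types match. The sample records are copied from the posts above and rejoined onto single lines.

```python
import re

# Matches both record shapes quoted in the posts: the kernel/dmesg form
# "audit(...): avc: denied { perm } for ..." and the auditd form
# "type=AVC msg=audit(...): avc: denied { perm } for ...".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Denial records taken from the posts above, each rejoined onto a single line.
SAMPLE_LOG = [
    'audit(1125305372.102:2): avc: denied { create } for pid=1400 comm="nscd" '
    'scontext=system_u:system_r:nscd_t tcontext=system_u:system_r:nscd_t tclass=netlink_audit_socket',
    'audit(1125371048.190:11): avc: denied { sys_chroot } for pid=2479 comm="rsync" capability=18 '
    'scontext=system_u:system_r:rsync_t tcontext=system_u:system_r:rsync_t tclass=capability',
    'type=AVC msg=audit(1120371250.432:658540): avc: denied { write } for pid=3342 comm="ifconfig" '
    'name=[11205] dev=pipefs ino=11205 scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t tclass=fifo_file',
    'type=AVC msg=audit(1120371250.432:658540): avc: denied { read } for pid=3342 comm="ifconfig" '
    'name=[11205] dev=pipefs ino=11205 scontext=root:system_r:ifconfig_t tcontext=root:system_r:unconfined_t tclass=fifo_file',
    'type=SYSCALL msg=audit(1120371251.502:661490): arch=c000003e syscall=59 success=yes exit=0',
]


def parse_avc(line):
    """Return (perms, source type, target type, class) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type[:range]; a TE rule only needs the type.
        return (m.group('perms').split(), fields['scontext'].split(':')[2],
                fields['tcontext'].split(':')[2], fields['tclass'])
    except (KeyError, IndexError):
        return None


def denials_to_rules(lines):
    """Collapse denials into allow rules the way audit2allow prints them: one
    rule per (source, target, class) triple, permissions merged in the order
    first seen, and a target equal to the source written as 'self'."""
    merged = {}  # insertion-ordered on Python 3.7+
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL, PATH, CWD and other non-AVC records are skipped
        perms, src, tgt, cls = parsed
        seen = merged.setdefault((src, tgt, cls), [])
        seen.extend(p for p in perms if p not in seen)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('allow %s %s:%s %s;' % (src, 'self' if tgt == src else tgt, cls, perm_str))
    return rules
```

The first two rules it produces are exactly the two lines of audit2allow output in T.C.'s post; the ifconfig pair collapses into a single fifo_file rule with both permissions.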