vsftpd and ~/public_html
by Dawid Gajownik
Hi!
I have a silly problem: I'm not able to enter the ~/public_html directory
using an ftp client. I found these AVC messages in /var/log/audit/audit.log:
type=AVC msg=audit(1125243640.479:279): avc: denied { search } for
pid=10731 comm="vsftpd" name="public_html" dev=hda6 ino=229557
scontext=root:system_r:ftpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1125243640.479:279): arch=40000003 syscall=12
success=no exit=-13 a0=8927908 a1=0 a2=fd2524 a3=bfbfa5bc items=1
pid=10731 auid=4294967295 uid=500 gid=100 euid=500 suid=500 fsuid=500
egid=100 sgid=100 fsgid=100 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=CWD msg=audit(1125243640.479:279): cwd="/home/y4kk0"
type=PATH msg=audit(1125243640.479:279): item=0 name="public_html"
flags=3 inode=229557 dev=03:06 mode=040777 ouid=500 ogid=100 rdev=00:00
[y4kk0@X ~]$ ls -Zd public_html/
drwxrwxrwx y4kk0 users system_u:object_r:httpd_user_content_t public_html/
[y4kk0@X ~]$
selinux-policy-targeted-1.25.4-10
system: Fedora Core 4
Maybe the default policy should allow the ftp server to enter this directory, so
users would be able to upload their WWW stuff via ftp?
Regards,
Dawid Gajownik
--
^_*
18 years, 8 months
cgiirc
by Eric Tanguy
I am trying to make cgiirc work on my system. Apache works fine and the selinux
"Allow HTTPD scripts to connect to the network" option is enabled. So I can use
cgiirc to connect to an irc server. I can see what is said on the channel but I
can't perform any action. If I disable selinux all works fine. If I enable
selinux I have this in /var/log/audit/audit.log:
type=AVC msg=audit(1124298167.251:3778508): avc: denied { read } for
pid=3907 comm="irc.cgi" name="formats" dev=dm-0 ino=8323109
scontext=system_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=dir
type=SYSCALL msg=audit(1124298167.251:3778508): arch=40000003 syscall=5
success=no exit=-13 a0=94586b8 a1=18800 a2=94586b8 a3=9430fe0 items=1
pid=3907 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 comm="irc.cgi" exe="/usr/bin/perl"
type=CWD msg=audit(1124298167.251:3778508):
cwd="/var/www/cgi-bin/cgiirc"
type=PATH msg=audit(1124298167.251:3778508): item=0 name="formats"
flags=103 inode=8323109 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1124298171.144:3812320): avc: denied { connectto }
for pid=3922 comm="client-perl.cgi" name="sock"
scontext=system_u:system_r:httpd_sys_script_t
tcontext=system_u:system_r:httpd_sys_script_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1124298171.144:3812320): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bfc86690 a2=45b3bc0 a3=6e
items=1 pid=3922 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 comm="client-perl.cgi" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1124298171.144:3812320):
path="/tmp/cgiirc-0coinr388dt/sock"
type=SOCKADDR msg=audit(1124298171.144:3812320):
saddr=01002F746D702F6367696972632D30636F696E7233383864742F736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
But it's very difficult to understand where the problem is.
Could someone help me?
Thanks
--
Eric Tanguy | Nantes, France
<eric.tanguy(a)univ-nantes.fr>
Key : A4B8368F | Key Server : subkeys.pgp.net
Fedora Core release 4 (Stentz) on athlon kernel 2.6.12-1.1398_FC4
seaudit working?
by john bray
I'd thought that seaudit was currently working again, but when I just
ran it, it core dumped.
This seaudit: setools-gui-2.1.1-2
So, do we think it's working now? Or was I just imagining things?
john
thus:
[root@junior ~]# seaudit
*** glibc detected *** seaudit: realloc(): invalid next size: 0x0ca74d50 ***
======= Backtrace: =========
/lib/libc.so.6[0x166045]
/lib/libc.so.6(__libc_realloc+0x101)[0x166a30]
seaudit(add_cond_expr_item+0x5e)[0x8072bfe]
seaudit[0x808449d]
seaudit(ap_read_binpol_file+0xdd0)[0x8086b9c]
seaudit(open_partial_policy+0x1b1)[0x80753e1]
seaudit(seaudit_open_policy+0x13e)[0x80572d2]
seaudit(delayed_main+0x53)[0x805773f]
/usr/lib/libglib-2.0.so.0[0x4c5650]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x1dc)[0x4c33ee]
/usr/lib/libglib-2.0.so.0[0x4c63f6]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1a1)[0x4c66e3]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0x24691b5]
seaudit(main+0x2fc)[0x8057af4]
/lib/libc.so.6(__libc_start_main+0xdf)[0x115d5f]
seaudit[0x8052f15]
Aborted
[root@junior ~]#
differences between setfiles and restorecon? repeat of old thread?
by Tom London
Running targeted/enforcing, latest rawhide.
I created a 'backup' of my root lvm2 partition, mounted the new partition as
/mnt, and copied the files via 'cp -dpR / /mnt'.
The copied files were all incorrectly labeled. (same result with 'cp
--preserve=all').
I tried 'chroot /mnt; restorecon -v -R /', but it had no effect (returned
immediately), as did any other restorecon attempted in the chroot'ed shell.
'setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /' did the
right thing.
[It's almost as if restorecon is using the 'real' full pathname (with leading
/mnt), and setfiles is using the 'chroot'ed' pathname (without the leading
/mnt).]
First, should the 'preserve' on cp have failed to copy the contexts? Second,
why the difference in behavior between setfiles and restorecon in this
context?
Still curious,
tom
--
Tom London
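An added example, not Tom's and not from any tool in the thread: a Python walker that compares the security.selinux xattr of every entry under one tree with the same relative path under its copy, which is the check for whether 'cp --preserve=all' actually kept the contexts. The get_label parameter and the dict-backed fixture are my additions so that it runs on a box without SELinux; on a real host call label_mismatches("/", "/mnt").

```python
import errno
import os
import tempfile

MISSING = "<missing>"

def selinux_label(path):
    """The security.selinux xattr that ls -Z prints; None if the inode has none."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\x00").decode()

def label_mismatches(src_root, dst_root, get_label=selinux_label,
                     prune=("/proc", "/sys", "/dev")):
    """Compare the label of every entry under src_root with the same relative
    path under dst_root (e.g. "/" against "/mnt" after cp -dpR / /mnt) and
    return the sorted (relpath, src_label, dst_label) triples that differ."""
    skip = {os.path.abspath(dst_root)} | {os.path.abspath(p) for p in prune}
    out = []
    for dirpath, dirnames, filenames in os.walk(src_root):
        # never descend into the copy itself or into pseudo-filesystems
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in dirnames + filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            src_label = get_label(src)
            dst_label = get_label(dst) if os.path.lexists(dst) else MISSING
            if src_label != dst_label:
                out.append((rel, src_label, dst_label))
    return sorted(out)

def make_fixture():
    """Constructed source and copy trees whose labels live in a dict, so the
    comparison runs on a box without SELinux (the labels are assumed, not read)."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "root"), os.path.join(base, "mnt")
    for d in ("root/etc", "root/home/tom", "mnt/etc", "mnt/home"):
        os.makedirs(os.path.join(base, d))
    for root in (src, dst):
        open(os.path.join(root, "etc", "passwd"), "w").close()
    labels = {os.path.join(src, "etc"): "system_u:object_r:etc_t",
              os.path.join(dst, "etc"): "system_u:object_r:etc_t",
              os.path.join(src, "etc", "passwd"): "system_u:object_r:etc_t",
              os.path.join(dst, "etc", "passwd"): "root:object_r:default_t",
              os.path.join(src, "home"): "system_u:object_r:home_root_t",
              os.path.join(dst, "home"): "system_u:object_r:home_root_t",
              os.path.join(src, "home", "tom"): "root:object_r:user_home_dir_t"}
    return src, dst, labels.get  # dst/home/tom was never copied
```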
targeted boot AVC: dbus ...
by Tom London
Running targeted/enforcing, latest rawhide:
I get the following AVC on boot up:
type=AVC msg=audit(1125167566.309:8): avc: denied { create } for pid=2538
comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:system_dbusd_t tclass=netlink_audit_socket
type=SYSCALL msg=audit(1125167566.309:8): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfa37400 a2=e770f8 a3=86b7698 items=0 pid=2538
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
type=SOCKETCALL msg=audit(1125167566.309:8): nargs=3 a0=10 a1=3 a2=9
Make sense to add
allow system_dbusd_t self:netlink_audit_socket create_socket_perms;
tom
--
Tom London
targeted boot AVC: ntpd
by Tom London
Running targeted/enforcing, latest rawhide:
On boot, ntpd produces the following:
type=AVC msg=audit(1125168808.672:7): avc: denied { sys_resource } for
pid=2431 comm="ntpd" capability=24 scontext=system_u:system_r:ntpd_t
tcontext=system_u:system_r:ntpd_t tclass=capability
type=SYSCALL msg=audit(1125168808.672:7): arch=40000003 syscall=75
success=no exit=-1 a0=8 a1=bfab4b18 a2=25cff4 a3=bfab4b18 items=0 pid=2431
auid=4294967295 uid=0 gid=0 euid=0
I can't figure if this should be an 'allow' or 'dontallow'.
Help?
tom
[Otherwise, targeted boot on my system is completely clean.]
--
Tom London
how to make sure that selinux work properly??
by Wen-Fu Shih
Dear all:
I have installed SELinux on Fedora Core 4,
but I can't seem to feel any changes.
If I have the boolean httpd_disable_trans=0
and I exec "service httpd restart" as root,
if SELinux works well, will it be denied?
And how could I be sure that SELinux is working?
Thx.
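An added example, not from the post or from Fedora's own tools: a Python check for the question above that reads selinuxfs directly (the enforce flag and the httpd_disable_trans boolean) and /proc/<pid>/attr/current to confirm that httpd is running in httpd_t. The make_fixture tree and its values are constructed by me; on an FC4 host call httpd_confined("/selinux", "/proc").

```python
import os
import tempfile

def read_text(path):
    with open(path) as f:
        return f.read().strip("\x00\n ")

def enforcing(selinuxfs):
    # FC4 mounts selinuxfs at /selinux, current kernels at /sys/fs/selinux
    path = os.path.join(selinuxfs, "enforce")
    return read_text(path) == "1" if os.path.exists(path) else None

def get_bool(selinuxfs, name):
    # each boolean file holds "<current> <pending>"
    return read_text(os.path.join(selinuxfs, "booleans", name)).split()[0] == "1"

def process_domains(proc, comm):
    # domain (type) of every process named comm, from /proc/<pid>/attr/current (ps -eZ)
    domains = set()
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            name = read_text(os.path.join(proc, pid, "status")).split("\n")[0]
            if name.split("\t", 1)[1] == comm:
                domains.add(read_text(os.path.join(proc, pid, "attr", "current")).split(":")[2])
        except (OSError, IndexError):
            pass  # process exited, or no SELinux attribute
    return domains

def httpd_confined(selinuxfs, proc):
    """Root is never denied 'service httpd restart'; with httpd_disable_trans=0
    the daemon transitions into httpd_t, and that transition is what to check."""
    mode = enforcing(selinuxfs)
    if mode is None:
        return "selinux disabled or selinuxfs not mounted"
    if get_bool(selinuxfs, "httpd_disable_trans"):
        return "httpd_disable_trans=1: httpd runs unconfined"
    domains = process_domains(proc, "httpd")
    status = "enforcing" if mode else "permissive"
    if domains == {"httpd_t"}:
        return status + ": httpd confined in httpd_t"
    return status + ": httpd running in " + (",".join(sorted(domains)) or "<no process>")

def make_fixture():
    """Constructed selinuxfs and /proc trees standing in for a real FC4 box."""
    base = tempfile.mkdtemp()
    files = {"selinux/enforce": "1\n", "selinux/booleans/httpd_disable_trans": "0 0\n",
             "proc/2231/status": "Name:\thttpd\nState:\tS (sleeping)\n",
             "proc/2231/attr/current": "root:system_r:httpd_t\x00"}
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w") as f:
            f.write(text)
    return os.path.join(base, "selinux"), os.path.join(base, "proc")
```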
NetworkManager: minor nit
by Tom London
Running targeted/enforcing, latest rawhide.
I get the following AVC during boot:
type=AVC msg=audit(1124890934.835:9): avc: denied { read } for pid=2734
comm="dhcdbd" name="dhclient-eth0.conf" dev=dm-0 ino=1276472
scontext=system_u:system_r:NetworkManager_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
type=SYSCALL msg=audit(1124890934.835:9): arch=40000003 syscall=33
success=no exit=-13 a0=bf9c1d48 a1=4 a2=bf9c21c8 a3=bf9c1d48 items=1
pid=2734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="dhcdbd" exe="/sbin/dhcdbd"
type=CWD msg=audit(1124890934.835:9): cwd="/"
type=PATH msg=audit(1124890934.835:9): item=0 name="/etc/dhclient-eth0.conf"
flags=401 inode=1276472 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
I have 2 files in /etc: /etc/dhclient-eth[01].conf, both are zero length,
and both are labeled dhcp_etc_t.
Changing the label for /sbin/dhcdbd from sbin_t -> dhcpc_exec_t makes this
AVC vanish.
Would it be 'better' to just add:
allow NetworkManager_t dhcp_etc_t:file read;
?
tom
--
Tom London
Questions on the targeted policy
by Søren Nøhr Christensen
Hi all!
Would it be possible to deny all but one subject access to a certain
directory? And can this be done using the targeted policy as a base?
I hope for some answers, possibly containing examples.
Best regards,
Soren Nohr Christensen
winbindd.log & snmpd not playing well with selinux
by Craig
The other day I rebooted my pc to check on the new configuration
(adding/removing) of services. Although the reboot wasn't _necessary_, I
wanted to see what effect the changes in booted services would have on the
bootup time. Unfortunately, I forgot about an earlier selinux problem I
had that required an ".autolabel" reboot of the system & have had some
interesting issues with winbind & snmpd. I am running the following
selinux packages:
libselinux-1.19.1-8.i386.rpm
libselinux-devel-1.19.1-8.i386.rpm
selinux-doc-1.14.1-1.noarch.rpm
selinux-policy-targeted-1.17.30-3.16.noarch.rpm
I have looked at the bugzilla logs and these issues are entirely
separate from those mentioned (or at least they seem to be different to
me). First, the snmpd service will not start because it is being denied
by selinux:
Aug 13 07:22:13 wowway kernel: audit(1123932133.514:20): avc: denied {
execmem } for pid=8352 comm="snmpd" scontext=root:system_r:snmpd_t
tcontext=root:system_r:snmpd_t tclass=process
Aug 13 18:18:35 wowway kernel: audit(1123971515.257:21): avc: denied {
execmem } for pid=10368 comm="snmpd" scontext=root:system_r:snmpd_t
tcontext=root:system_r:snmpd_t tclass=process
It was only after searching the system log for avc denials that I
came across the winbind problem which, to my knowledge, has not
affected my ability to access shared mounts or the printer connected
to my linux box. Apparently, selinux is not allowing winbind to append
or write to winbindd.log:
Aug 12 19:46:12 wowway kernel: audit(1123890372.244:2): avc: denied {
execmem } for pid=3873 comm="snmpd" scontext=user_u:system_r:snmpd_t
tcontext=user_u:system_r:snmpd_t tclass=process
Aug 12 19:46:25 wowway kernel: audit(1123890385.354:3): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:4): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:5): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:6): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:7): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:8): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:9): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:10): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:11): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.392:12): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.392:13): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.392:14): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.414:15): avc: denied {
write } for pid=4120 comm="winbindd" name="secrets.tdb" dev=dm-2
ino=345283 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:etc_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.415:16): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.415:17): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.415:18): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.415:19): avc: denied {
append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2
ino=1641389 scontext=user_u:system_r:winbind_t
tcontext=root:object_r:var_log_t tclass=file
I admit that I have not had time to delve into selinux context
structures and rules, but these denials seem to be different, at least
so far as I can tell, from what has been reported. Please let me know if
there is any further information that I can / need to provide.
Craig
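An added example, not from any of the posts: a Python script that parses AVC records in the two formats seen on this page (the audit.log "type=AVC" records in the vsftpd, cgiirc, dbus, ntpd and NetworkManager posts, and the syslog "kernel: audit(...)" records in Craig's post) and collapses them into allow rules the way audit2allow does, reproducing from the raw record the kind of rule Tom proposed for dbus. The sample records are copied from the posts above.

```python
import re
from collections import defaultdict

# Constructed sample, one record per line, copied from the posts above: the
# audit.log "type=AVC" format and the syslog "kernel: audit(...)" format, plus
# a SYSCALL record to show that non-AVC records are ignored.
SAMPLE = """\
type=AVC msg=audit(1125243640.479:279): avc: denied { search } for pid=10731 comm="vsftpd" name="public_html" dev=hda6 ino=229557 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=SYSCALL msg=audit(1125243640.479:279): arch=40000003 syscall=12 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd"
type=AVC msg=audit(1125167566.309:8): avc: denied { create } for pid=2538 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:system_dbusd_t tclass=netlink_audit_socket
Aug 12 19:46:25 wowway kernel: audit(1123890385.354:3): avc: denied { append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2 ino=1641389 scontext=user_u:system_r:winbind_t tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.355:4): avc: denied { append } for pid=4120 comm="winbindd" name="winbindd.log" dev=dm-2 ino=1641389 scontext=user_u:system_r:winbind_t tcontext=root:object_r:var_log_t tclass=file
Aug 12 19:46:25 wowway kernel: audit(1123890385.414:15): avc: denied { write } for pid=4120 comm="winbindd" name="secrets.tdb" dev=dm-2 ino=345283 scontext=user_u:system_r:winbind_t tcontext=root:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"perms": m.group("perms").split(), "comm": f.get("comm", "?"),
            "name": f.get("name", ""), "scontext": f["scontext"],
            "tcontext": f["tcontext"], "tclass": f["tclass"]}

def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def allow_rules(lines):
    """One allow rule per (source type, target type, class), permissions merged,
    the way audit2allow does; the repeated winbindd appends collapse to one."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
        # a domain acting on its own type is written as 'self' in policy
        perms[(src, "self" if src == tgt else tgt, rec["tclass"])].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE.splitlines()):
        print(rule)
```

A generated rule is only the right fix when the denial is a genuine policy gap; a denial on a type that belongs to another service, such as ftpd_t searching httpd content or winbind_t writing a file labeled etc_t, is first a question of file labelling (restorecon) or of an existing boolean.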