"setenforce 0",seytem complain command not found
by zhangyanxv
Hello,
I want to run matlab704 on my FC4 box, and I know before running I
should disable SELinux with "setenforce 0", and it does work
sometimes, but not always, and hints that command not found! Very weird and
the system seemed not reasonable. Please help me.
Thanks a lot!
Aladin
18 years, 8 months
gdm failures? compiler or policy problems?
by Tom London
Running strict/enforcing, today's rawhide.
gdm fails to start (many initrc_t/xserver_t type failures).
I would normally guess a missing transition, but there are some reports of
problems with gcc4/-Os.
Regardless, gdm starts fine in permissive mode.
tom
--
Tom London
18 years, 8 months
kernel Oops from policy
by Russell Coker
r_dir_file(insmod_t, debugfs_t)
The above needs to be added to the strict policy to prevent a kernel Oops on
boot with the usb_uhci driver. Below is the kernel message log from before I
added the above to one of my systems. I only really needed to allow search
access to the directory, but I decided to allow full read access to the
directory and any files under it just in case.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166327
Above is a bugzilla entry.
USB Universal Host Controller Interface driver v2.2
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
audit(1124441960.362:2): avc: denied { search } for pid=958 comm="modprobe"
name="/" dev=debugfs ino=3962 scontext=system_u:system_r:insmod_t
tcontext=system_u:object_r:debugfs_t tclass=dir
Unable to handle kernel NULL pointer dereference at virtual address 00000013
printing eip:
c01e1d48
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: uhci_hcd i2c_i801 i2c_core snd_intel8x0 snd_ac97_codec
snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc e100
mii floppy dm_snapshot dm_zero dm_mirror ext3 jbd dm_mod
CPU: 0
EIP: 0060:[<c01e1d48>] Not tainted VLI
EFLAGS: 00010286 (2.6.12-1.1398_FC4)
EIP is at debugfs_mknod+0x1b/0x47
eax: ffffffef ebx: fffffff3 ecx: 00006468 edx: d72ac578
esi: d591ecb0 edi: d6939f6c ebp: d89e6aca esp: d6939f3c
ds: 007b es: 007b ss: 0068
Process modprobe (pid: 958, threadinfo=d6939000 task=d6cf4000)
Stack: d72ac71c c01e1d8f 00000000 d72ac71c c01e1ecf 41ed001c 00000000 000041ed
00000000 d89e6aca c01e1f4c d6939f6c fffffff3 ffffffed c0000000 d89e9700
d6939000 c01e1fc4 00000000 00000000 d883603c d89e7108 d6939000 c0000000
Call Trace:
[<c01e1d8f>] debugfs_mkdir+0x1b/0x28
[<c01e1ecf>] debugfs_create_by_name+0x91/0xbe
[<c01e1f4c>] debugfs_create_file+0x50/0xaa
[<c01e1fc4>] debugfs_create_dir+0x1e/0x22
[<d883603c>] uhci_hcd_init+0x3c/0xea [uhci_hcd]
[<c014844c>] sys_init_module+0xca/0x1c4
[<c0103a51>] syscall_call+0x7/0xb
Code: 00 00 60 12 3d c0 89 d8 83 c4 08 5b 5e 5f 5d c3 53 89 d3 89 ca 8b 4c 24
08 8b 80 dc 00 00 00 e8 2f ff ff ff 89 c2 b8 ef ff ff ff <8b> 4b 20 85 c9 74
02 5b c3 b0 ff 85 d2 74 f8 89 d8 e8 a7 84 fb
<6>ACPI: Power Button (FF) [PWRF]
18 years, 8 months
object classes and permissions list updated
by Christopher J. PeBenito
There were some questions as to the meaning of some of the newer
permissions not too long ago. I've updated the overview of SELinux
object classes and permissions, available here:
http://www.tresys.com/selinux. It contains all of the classes and
permissions, including the netlink_kobject_uevent_socket class and
execstack and execheap process permissions added in 2.6.12.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
18 years, 8 months
s-c-securitylevel and permissive?
by Richard Hally
Running rawhide with the strict policy, when I start up
system-config-securitylevel from the menu and simply exit by clicking on
OK (without changing anything) the system is switched from enforcing to
permissive.
Anyone else seeing this?
Thanks,
Richard Hally
18 years, 8 months
viewcvs problem with SELinux
by ankush grover
hey friends,
I have configured cvs and viewcvs on FC3 but I am not able to access
viewcvs when SELinux is on.
The /var/log/messages contains these entries
avc: denied { execute } for pid=5233 exe=/usr/sbin/httpd
name=viewcvs.cgi dev=hda5 ino=198687 scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:usr_t tclass=file
When I switch off SELinux I am able to access the viewcvs through the browser.
ls -lZ /usr/local/viewcvs
drwxr-xr-x root root system_u:object_r:usr_t cgi
-rwxr-xr-x root root system_u:object_r:usr_t cvsdbadmin
-rw-r--r-- root root system_u:object_r:usr_t cvsgraph.conf
drwxr-xr-x root root system_u:object_r:usr_t doc
drwxr-xr-x root root system_u:object_r:lib_t lib
-rwxr-xr-x root root system_u:object_r:usr_t loginfo-handler
-rwxr-xr-x root root system_u:object_r:usr_t make-database
-rwxr-xr-x root root system_u:object_r:usr_t standalone.py
drwxr-xr-x root root system_u:object_r:usr_t templates
-rw-r--r-- root root system_u:object_r:usr_t viewcvs.conf
I also did this:
make -C /etc/selinux/targeted/src/policy reload
restorecon -R /usr/local/viewcvs
But still the problem is persisting.
Thanks & Regards
Ankush Grover
18 years, 8 months
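Added example (not part of any post on this list, and not project code): a small Python parser that turns the two AVC denials quoted in the "kernel Oops from policy" and "viewcvs problem with SELinux" posts into the narrowest matching allow rules, as one would when reviewing denials by hand. The function names are hypothetical, and the log lines are the ones from those posts with their wrapped lines joined.

```python
import re
from collections import defaultdict

# AVC denials quoted in the two posts above (wrapped lines joined).
SAMPLE_LOG = """\
audit(1124441960.362:2): avc: denied { search } for pid=958 comm="modprobe" name="/" dev=debugfs ino=3962 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:debugfs_t tclass=dir
avc: denied { execute } for pid=5233 exe=/usr/sbin/httpd name=viewcvs.cgi dev=hda5 ino=198687 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None (hypothetical helper)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: do not guess at the missing parts
    fields["perms"] = m.group("perms").split()
    # The type is the third field of user:role:type[:level].
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields


def candidate_rules(log_text):
    """Merge denials into one minimal allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            merged[key].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

For the viewcvs denial the generated rule would let httpd_t execute every file labelled usr_t, which is why a denial like that is normally resolved by giving the CGI script a narrower label rather than by loading the rule.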
FC4, imap, sasl problems ...
by Thomas.Binder
Hi folks!
I don't know whether this has already been fixed, but there seems to be a typo
in version 1.25.3-12 of selinux-policy-targeted-sources in file
/etc/selinux/targeted/src/policy/domains/program/cyrus.te:
--- cyrus.te.old 2005-08-17 17:44:01.000000000 +0200
+++ cyrus.te 2005-08-17 17:11:22.000000000 +0200
@@ -42,7 +42,7 @@
create_dir_file(cyrus_t, mail_spool_t)
allow cyrus_t var_spool_t:dir search;
-ifdef(`saslaudthd.te', `
+ifdef(`saslauthd.te', `
allow cyrus_t saslauthd_var_run_t:dir search;
allow cyrus_t saslauthd_var_run_t:sock_file { read write };
allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
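Review bot: The corrected guard on the `ifdef(` line turns on the three `allow cyrus_t saslauthd_*` rules beneath it, which presumably never matched while the name was misspelled as `saslaudthd.te`, so the change is more than cosmetic and the description should say so. Please confirm the newly active rules against a running cyrus and saslauthd pair, in particular `connectto` on `saslauthd_t:unix_stream_socket`, and search the other .te files for the same `saslaudthd` misspelling. The closing of the `ifdef` block is outside the visible context, so it cannot be checked from this hunk.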
best regards,
Tom
18 years, 8 months
dhcpd in FC4
by jirkat@atlas.cz
Hi,
I've installed dhcpd server on FC4, but it could not be started from init
(when in 'enforce' mode)
It seems that rc script with type initrc_exec_t (running under related domain)
cannot exec the dhcpd program with file type dhcpd_exec_t.
What confuses me is that I cannot find any AVC messages in syslog, console nor dmesg.
How can I enable the avc: messages?
What shall I do to get dhcpd working?
Thanks
Tom
18 years, 8 months
fc3 ntpd shm policy rule
by gnu not unix
Hi folks--
I've been running fc3 / ccrma selinux and needed to add a
policy to allow ntpd shm access:
allow ntpd_t self:shm { associate create read unix_read unix_write write };
allow ntpd_t tmpfs_t:file { read write };
I put this in my domains/misc/local.te and make reload
and I was in business.
I'm not sure if this would be something you'd want to always
enable, as a typical ntpd uses third party clocks, on the internet
or corporate wan, etc.
Perhaps a ntpd.client policy for generic, default use,
and an ntpd.refclock policy for all the device and other access
needed to talk to refclocks?
../Steven
trying to get a feel for selinux
18 years, 8 months