hald_t needs access to hwdata_t?
by Tom London
Running targeted/enforcing, rawhide.
Does the following make sense?
tom
--- hald.te.save 2005-09-26 07:35:02.000000000 -0700
+++ hald.te 2005-09-26 07:35:34.000000000 -0700
@@ -79,6 +79,7 @@
tmp_domain(hald)
allow hald_t mnt_t:dir search;
r_dir_file(hald_t, proc_net_t)
+r_dir_file(hald_t, hwdata_t)
# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
ifdef(`apmd.te', `
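Review bot: r_dir_file(hald_t, hwdata_t) on the added line is the right granularity, rather than a bare `allow hald_t hwdata_t:dir search;` lifted from the AVC: the two denials only record { search } on the hwdata directory, but the PATH records show the operation is an open() (syscall=5) of /usr/share/hwdata/pci.ids and usb.ids, so granting search alone would just move the denial to the file read. The line would also benefit from a comment like the one two lines below it saying why hald needs it (reading pci.ids/usb.ids), so the grant is not mistaken for a stray permission later.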
Here are the AVCs:
type=AVC msg=audit(1127744849.852:7): avc: denied { search } for
pid=2462 comm="hald" name="hwdata" dev=dm-0 ino=130882
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:hwdata_t:s0 tclass=dir
type=SYSCALL msg=audit(1127744849.852:7): arch=40000003 syscall=5
success=no exit=-13 a0=8077d98 a1=8000 a2=1b6 a3=9759c88 items=1
pid=2462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 comm="hald" exe="/usr/sbin/hald"
type=CWD msg=audit(1127744849.852:7): cwd="/"
type=PATH msg=audit(1127744849.852:7): item=0
name="/usr/share/hwdata/pci.ids" flags=101 inode=130882 dev=fd:00
mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127744849.852:8): avc: denied { search } for
pid=2462 comm="hald" name="hwdata" dev=dm-0 ino=130882
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:hwdata_t:s0 tclass=dir
type=SYSCALL msg=audit(1127744849.852:8): arch=40000003 syscall=5
success=no exit=-13 a0=8077db8 a1=8000 a2=1b6 a3=9759c88 items=1
pid=2462 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 comm="hald" exe="/usr/sbin/hald"
type=CWD msg=audit(1127744849.852:8): cwd="/"
type=PATH msg=audit(1127744849.852:8): item=0
name="/usr/share/hwdata/usb.ids" flags=101 inode=130882 dev=fd:00
mode=040755 ouid=0 ogid=0 rdev=00:00
--
Tom London
17 years, 6 months
Inserting USB printer: hald_t cupsd_config_t:dbus
by Tom London
Running targeted/enforcing, latest rawhide.
Inserting a USB printer produces the following AVCs in
/var/log/messages (not audit.log):
Sep 26 06:37:55 localhost kernel: usb 2-1: new full speed USB device
using uhci_hcd and address 5
Sep 26 06:37:55 localhost kernel: drivers/usb/class/usblp.c: usblp0:
USB Bidirectional printer dev 5 if 0 alt 1 proto 2 vid 0x03F0 pid
0x1E11
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC
pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for
msgtype=signal interface=org.freedesktop.Hal.Manager
member=DeviceRemoved dest=org.freedesktop.DBus spid=2517 tpid=4585
scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC
pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for
msgtype=signal interface=org.freedesktop.Hal.Manager
member=DeviceRemoved dest=org.freedesktop.DBus spid=2517 tpid=4585
scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC
pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for
msgtype=signal interface=org.freedesktop.Hal.Manager
member=DeviceRemoved dest=org.freedesktop.DBus spid=2517 tpid=4585
scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC
pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for
msgtype=signal interface=org.freedesktop.Hal.Manager
member=DeviceAdded dest=org.freedesktop.DBus spid=2517 tpid=4585
scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC
pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for
msgtype=signal interface=org.freedesktop.Hal.Manager
member=DeviceAdded dest=org.freedesktop.DBus spid=2517 tpid=4585
scontext=system_u:system_r:hald_t
tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Does this patch make sense?
tom
--- cups.te.save 2005-09-26 06:47:18.000000000 -0700
+++ cups.te 2005-09-26 06:47:44.000000000 -0700
@@ -263,7 +263,7 @@
ifdef(`dbusd.te', `
allow cupsd_t hald_t:dbus send_msg;
allow cupsd_config_t hald_t:dbus send_msg;
-allow hald_t cupsd_t:dbus send_msg;
+allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
')dnl end if dbusd.te
allow hald_t cupsd_config_t:process signal;
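Review bot: the replacement line matches the logged denials exactly (scontext hald_t, tcontext cupsd_config_t, tclass dbus, permission send_msg) and keeps the existing grant to cupsd_t, so folding both targets into one set loses nothing. The reverse direction, `allow cupsd_config_t hald_t:dbus send_msg;`, already sits two lines above, so after this change the hald_t/cupsd_config_t pair is symmetric for dbus, consistent with the existing `allow hald_t cupsd_config_t:process signal;` below the block. The new rule stays inside the ifdef(`dbusd.te') guard like the other dbus-class rules, which is correct; a short comment naming the triggering case (Hal.Manager DeviceAdded/DeviceRemoved signals on printer hotplug) would help the next reader of this block.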
--
Tom London
17 years, 6 months
Postfix email program
by John Griffiths
We use the Postfix email system and not sendmail. When selinux is in
permissive mode, postfix will start. When selinux is enforcing with
selinux-policy-targeted-1.27.1-2.1, it does not start.
These are the entries to audit.log when trying to start postfix with
selinux enforcing.
type=AVC msg=audit(1127679357.877:29): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.877:29): arch=40000003 syscall=195 success=no exit=-13 a0=9498cc0 a1=bfbdd26c a2=496ff4 a3=64 items=1 pid=4929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127679357.877:29): cwd="/var/log/audit"
type=PATH msg=audit(1127679357.877:29): item=0 name="DB_CONFIG" flags=1 inode=1721482 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127679357.878:30): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.878:30): arch=40000003 syscall=5 success=no exit=-13 a0=9498cc0 a1=8000 a2=1b6 a3=9498ce8 items=1 pid=4929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127679357.878:30): cwd="/var/log/audit"
type=PATH msg=audit(1127679357.878:30): item=0 name="DB_CONFIG" flags=101 inode=1721482 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127679357.878:31): avc: denied { search } for pid=4929 comm="postalias" name="audit" dev=dm-0 ino=1721482 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:auditd_log_t tclass=dir
type=SYSCALL msg=audit(1127679357.878:31): arch=40000003 syscall=195 success=no exit=-13 a0=9498f08 a1=bfbdd2fc a2=496ff4 a3=64 items=1 pid=4929 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127679357.878:31): cwd="/var/log/audit"
type=PATH msg=audit(1127679357.878:31): item=0 name="__db.002" flags=1 inode=1721482 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127679358.558:32): avc: denied { name_bind } for pid=4975 comm="master" src=10025 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:amavisd_send_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1127679358.558:32): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfe36550 a2=8065228 a3=bfe365c4 items=0 pid=4975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="master" exe="/usr/libexec/postfix/master"
type=SOCKADDR msg=audit(1127679358.558:32): saddr=020027297F0000010000000000000000
type=SOCKETCALL msg=audit(1127679358.558:32): nargs=3 a0=50 a1=923c3b8 a2=10
I still do not know enough about selinux to know if I can relabel
something or if this needs a new policy.
Thanks in advance for all help.
John
17 years, 6 months
"avc denied" on mounted ISO image for HTTP install
by Matt Arnilo S. Baluyos (Mailing Lists)
Hello everyone,
I'm trying to do a network installation via HTTP install. To save
space on my HTTP server, I mounted my ISO images into a
publicly-accessible directory under my DocumentRoot.
mount -o loop /backup/iso/centos-4.1/CentOS-4.1-i386-bin1of4.iso
/var/www/html/centos-4.1/disc1
mount -o loop /backup/iso/centos-4.1/CentOS-4.1-i386-bin2of4.iso
/var/www/html/centos-4.1/disc2
mount -o loop /backup/iso/centos-4.1/CentOS-4.1-i386-bin3of4.iso
/var/www/html/centos-4.1/disc3
mount -o loop /backup/iso/centos-4.1/CentOS-4.1-i386-bin4of4.iso
/var/www/html/centos-4.1/disc4
Trying to test the installation on a client machine, I get a "403
Forbidden" error whenever I browse http://server/centos-4.1/disc1
So I checked my /var/log/messages and I found these SELinux error logs:
Sep 25 07:47:46 localhost kernel: audit(1127605666.816:0): avc:
denied { getattr } for pid=2638 comm=httpd
path=/var/www/html/centos-4.1/disc1 dev=loop0 ino=1856
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:iso9660_t
tclass=dir
Any ideas on how to solve this? I am admittedly a SELinux newbie.
Best regards,
Matt
--
Stand before it and there is no beginning.
Follow it and there is no end.
Stay with the ancient Tao,
Move with the present.
17 years, 6 months
kickstart install of rawhide with SE Linux MCS policy
by Russell Coker
As you have probably noticed there are kudzu dependencies that make upgrading
a machine to rawhide a PITA.
As an easy method of installing an MCS machine I've created a kick-start config
for it. Firstly you have to have a kickstart server (have copied all FC4
files to the server and made suitable configuration to the DHCP server or
whatever - neither of these lists is appropriate for the details of
kick-start configuration so I won't try to explain).
The file ks.cfg refers to "SERV" which should be replaced by the IP address of
the NFS and web server used. The file archive.tgz (attached) needs to be on
the web server (modifying ks.cfg to have it use an NFS server instead is easy
enough). The file rpms.tar referenced in the ks.cfg file needs to contain
the following packages from rawhide (or newer versions if available).
checkpolicy-1.27.1-1.i386.rpm
glibc-2.3.90-12.i686.rpm
glibc-common-2.3.90-12.i386.rpm
glibc-devel-2.3.90-12.i386.rpm
glibc-headers-2.3.90-12.i386.rpm
hwdata-0.169-1.noarch.rpm
iptables-1.3.2-1.i386.rpm
kernel-2.6.13-1.1567_FC5.i686.rpm
kudzu-1.2.7-1.i386.rpm
libselinux-1.26-6.i386.rpm
libselinux-devel-1.26-6.i386.rpm
libsemanage-1.3.2-1.i386.rpm
libsepol-1.9.4-1.i386.rpm
libsetrans-0.1.7-1.i386.rpm
mkinitrd-4.2.21-1.i386.rpm
module-init-tools-3.2-0.pre7.3.i386.rpm
policycoreutils-1.27.1-1.i386.rpm
procps-3.2.5-7.i386.rpm
selinux-policy-strict-1.27.1-5.noarch.rpm
selinux-policy-strict-sources-1.27.1-5.noarch.rpm
selinux-policy-targeted-1.27.1-4.noarch.rpm
selinux-policy-targeted-sources-1.27.1-4.noarch.rpm
udev-069-3.i386.rpm
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
17 years, 6 months
Selinux is denying webalizer
by Tomas Larsson
Selinux is denying webalizer one logfile.
I want webalizer to make a report of vsftpd.log, but selinux is denying
webalizer access to the file, what to do?
Webalizer is run as a cronjob as root.
A snip from auth.log
type=PATH msg=audit(1127509217.604:11185427): item=0 name="webalizer.conf"
flags=401 inode=32641 dev=fd:00 mode=042777 ouid=0 ogid=0 rdev=00:00
type=CRED_DISP msg=audit(1127509222.415:11193091): user pid=29417 uid=0
auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1127509222.416:11193110): user pid=29417 uid=0
auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=AVC msg=audit(1127509223.373:11195697): avc: denied { search } for
pid=29635 comm="webalizer" name="root" dev=dm-0 ino=32641
scontext=root:system_r:webalizer_t tcontext=root:object_r:user_home_dir_t
tclass=dir
type=SYSCALL msg=audit(1127509223.373:11195697): arch=40000003 syscall=33
success=no exit=-13 a0=8060468 a1=0 a2=4a3ff4 a3=80617f0 items=1 pid=29635
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="webalizer" exe="/usr/bin/webalizer"
type=CWD msg=audit(1127509223.373:11195697): cwd="/root"
type=PATH msg=audit(1127509223.373:11195697): item=0 name="webalizer.conf"
flags=401 inode=32641 dev=fd:00 mode=042777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127509223.410:11195998): avc: denied { search } for
pid=29637 comm="webalizer" name="root" dev=dm-0 ino=32641
scontext=root:system_r:webalizer_t tcontext=root:object_r:user_home_dir_t
tclass=dir
type=SYSCALL msg=audit(1127509223.410:11195998): arch=40000003 syscall=33
success=no exit=-13 a0=8060468 a1=0 a2=2fcff4 a3=80617f0 items=1 pid=29637
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="webalizer" exe="/usr/bin/webalizer"
type=CWD msg=audit(1127509223.410:11195998): cwd="/root"
type=PATH msg=audit(1127509223.410:11195998): item=0 name="webalizer.conf"
flags=401 inode=32641 dev=fd:00 mode=042777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127509223.413:11196024): avc: denied { read } for
pid=29637 comm="webalizer" name="vsftpd.log" dev=dm-0 ino=1143800
scontext=root:system_r:webalizer_t tcontext=system_u:object_r:xferlog_t
tclass=file
type=SYSCALL msg=audit(1127509223.413:11196024): arch=40000003 syscall=5
success=no exit=-13 a0=8f6ff78 a1=8000 a2=1b6 a3=8f6f060 items=1 pid=29637
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="webalizer" exe="/usr/bin/webalizer"
type=CWD msg=audit(1127509223.413:11196024): cwd="/root"
type=PATH msg=audit(1127509223.413:11196024): item=0
name="/var/log/vsftpd.log" flags=101 inode=1143800 dev=fd:00 mode=0100600
ouid=0 ogid=0 rdev=00:00
type=CRED_DISP msg=audit(1127509224.298:11197719): user pid=29420 uid=0
auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1127509224.299:11197742): user pid=29420 uid=0
auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=USER_ACCT msg=audit(1127509261.312:11221084): user pid=29715 uid=0
auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
type=LOGIN msg=audit(1127509261.314:11221153): login pid=29715 uid=0 old
auid=4294967295 new auid=0
type=USER_START msg=audit(1127509261.314:11221159): user pid=29715 uid=0
auid=0 msg='PAM session open: user=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=CRED_ACQ msg=audit(1127509261.314:11221168): user pid=29715 uid=0
auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=CRED_DISP msg=audit(1127509261.328:11221481): user pid=29715 uid=0
auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1127509261.329:11221500): user pid=29715 uid=0
auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
With best regards
Tomas Larsson
Sweden
Verus Amicus Est Tamquam Alter Idem
17 years, 6 months
Problem after installing selinux-policy-targeted-1.27.1-2.1.noarch.rpm
by Matthew Saltzman
I ran up2date to get selinux-policy-targeted-1.27.1-2.1.noarch.rpm.
up2date hung for a very long time at the end of the installation, so
finally, I killed it. At that point, I had two versions of
selinux-policy-targeted installed. Verifying each showed that all the
files were correct for the new version. But just to be safe (oops), I
deleted both and tried to reinstall
selinux-policy-targeted-1.27.1-2.1.noarch.rpm.
Running up2date now produces:
# up2date
Could not set exec context to root:sysadm_r:rpm_t.
and fails to run. After setenforce 0, I still get the message and up2date
runs.
Forcing a reinstall of selinux-policy-targeted-1.27.1-2.1.noarch.rpm has
no effect. Rebooting has no effect. Relabeling on reboot has no effect.
(Actually, after relabeling, rpm --verify produces
# rpm --verify selinux-policy-targeted
S.5....T. /etc/selinux/targeted/contexts/files/file_contexts.homedirs
)
So far, other things appear to work normally, but up2date does not work.
How can I fix this?
Thanks.
Messages in audit.log are:
type=USER_AUTH msg=audit(1127508331.874:1624469): user pid=3328 uid=0
auid=4294967295 msg='PAM authentication: user=root
exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=?
result=Success)'
type=USER_ACCT msg=audit(1127508331.874:1624478): user pid=3328 uid=0
auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/userhelper"
(hostname=?, addr=?, terminal=? result=Success)'
type=USER_START msg=audit(1127508331.884:1626823): user pid=3328 uid=0
auid=4294967295 msg='PAM session open: user=root
exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=?
result=Success)'
type=USER_END msg=audit(1127508331.901:1627077): user pid=3328 uid=0
auid=4294967295 msg='PAM session close: user=root
exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=?
result=Success)'
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
17 years, 6 months
changing of sulogin for SELinux roles?
by Bill Nottingham
There's an open bug for changing sulogin to handle multiple
accounts with uid 0. Wouldn't it also be useful to change
it to check roles as well (for strict policy)?
Bill
17 years, 6 months
Selinux and vsftp
by Tomas Larsson
I am getting 500 OOPS: failed to open xferlog log file:/var/log/vsftpd.log,
so I'm guessing that it's something wrong in the selinux setup
ls -Z looks like this
-rw-r--r-- root root system_u:object_r:var_log_t vsftpd.log
And in audit log
type=AVC msg=audit(1127260722.483:14084097): avc: denied { append } for
pid=622 comm="vsftpd" name="vsftpd.log" dev=dm-0 ino=1143798
scontext=system_u:system_r:ftpd_t tcontext=system_u:object_r:var_log_t
tclass=file
I'm guessing that I've got something wrong, but can't find what to do
With best regards
Tomas Larsson
Sweden
Verus Amicus Est Tamquam Alter Idem
17 years, 6 months
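As an added example (not code from any of the posts above), here is a small Python script that does by hand what several posters in this thread are doing: it pulls each denial out of the three log formats quoted here (auditd type=AVC records, the dbus USER_AVC lines that land in /var/log/messages, and the older kernel audit(...) line from the ISO-mount post) and collapses them into allow rules, the way audit2allow would. The sample records are copied from the posts above and the regex and helper names are the example's own; the output is a starting point for deciding whether a policy rule or a relabel is the right fix (vsftpd.log appears under two different labels in this thread), not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: one line per format seen in this thread, values copied
# from the posts (hald/hwdata, hald/cups dbus, postfix, httpd/iso9660, webalizer).
# Non-AVC records (SYSCALL, PATH, CRED_DISP, ...) are included so the parser
# has to skip them, and the dbus signal is repeated to show merging.
SAMPLE = """\
type=AVC msg=audit(1127744849.852:7): avc: denied { search } for pid=2462 comm="hald" name="hwdata" dev=dm-0 ino=130882 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir
type=SYSCALL msg=audit(1127744849.852:7): arch=40000003 syscall=5 success=no exit=-13 a0=8077d98 a1=8000 a2=1b6 a3=9759c88 items=1
type=PATH msg=audit(1127744849.852:7): item=0 name="/usr/share/hwdata/pci.ids" flags=101 inode=130882 dev=fd:00
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Manager member=DeviceRemoved dest=org.freedesktop.DBus spid=2517 tpid=4585 scontext=system_u:system_r:hald_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus
Sep 26 06:37:56 localhost dbus: Can't send to audit system: USER_AVC pid=2499 uid=81 loginuid=-1 message=avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Manager member=DeviceAdded dest=org.freedesktop.DBus spid=2517 tpid=4585 scontext=system_u:system_r:hald_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus
type=AVC msg=audit(1127679358.558:32): avc: denied { name_bind } for pid=4975 comm="master" src=10025 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:amavisd_send_port_t tclass=tcp_socket
Sep 25 07:47:46 localhost kernel: audit(1127605666.816:0): avc: denied { getattr } for pid=2638 comm=httpd path=/var/www/html/centos-4.1/disc1 dev=loop0 ino=1856 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:iso9660_t tclass=dir
type=CRED_DISP msg=audit(1127509222.415:11193091): user pid=29417 uid=0 auid=0 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=AVC msg=audit(1127509223.373:11195697): avc: denied { search } for pid=29635 comm="webalizer" name="root" dev=dm-0 ino=32641 scontext=root:system_r:webalizer_t tcontext=root:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1127509223.413:11196024): avc: denied { read } for pid=29637 comm="webalizer" name="vsftpd.log" dev=dm-0 ino=1143800 scontext=root:system_r:webalizer_t tcontext=system_u:object_r:xferlog_t tclass=file
"""

# Matches the common core of all three formats: the permission set in braces,
# then scontext/tcontext/tclass further along the same line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of user:role:type[:level] (the :s0 suffix is ignored)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # SYSCALL, PATH, PAM records etc. carry no denial
            continue
        perms = frozenset(m.group("perms").split())
        yield type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"), perms

def allow_rules(text):
    """Aggregate denials into one allow rule per (source, target, class),
    merging permission sets so repeated records collapse into a single rule."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ %s }" % plist
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE):
        print(rule)
```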