checkpolicy bombing on Fedora devel...
by Valdis.Kletnieks@vt.edu
Something is causing checkpolicy to segfault. I ended up building
it from the .src.rpm so it was compiled with -g and not stripped.
checkpolicy-1.27.1-1, libselinux-1.26-6, updated to -devel tree as of this morning.
gdb then says:
(gdb) run -M -o policy.20 policy.conf
Starting program: /usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy -M -o policy.20 policy.conf
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xffffe000
/usr/src/redhat/BUILD/checkpolicy-1.27.1/checkpolicy: loading policy configuration from policy.conf
Program received signal SIGSEGV, Segmentation fault.
parse_categories (id=0x8bbff28 "s0", levdatum=0x80a75b8, cats=0x80a00bc)
at policy_parse.y:3569
3569 range_start = range_end = cdatum->value - 1;
(gdb) where
#0 parse_categories (id=0x8bbff28 "s0", levdatum=0x80a75b8, cats=0x80a00bc)
at policy_parse.y:3569
#1 0x0804f340 in parse_security_context (c=0x80a00ac) at policy_parse.y:3850
#2 0x080534f2 in yyparse () at policy_parse.y:3925
#3 0x0804a743 in main (argc=5, argv=0xbfeecd74) at checkpolicy.c:549
Does this ring any bells? Have I dorked up a file ('users' most likely) during the
conversion to MCS in a way that didn't flag a syntax error but causes a crash?
Hints, etc. accepted.
17 years, 6 months
selinux and squirrelmail in FC4
by Hongwei Li
Hello,
I have a FC4 system, kernel: 2.6.12-1.1447_FC4, selinux targeted, enforced,
installed: selinux-policy-targeted-1.25.4-10.1,
selinux-policy-targeted-sources-1.25.4-10.1
squirrelmail-1.4.4-2
If I setenforce 0, then users can log in to squirrelmail and read/send emails w/o
problems. If I setenforce 1, then users cannot log in to sm. The error message
is:
Error connecting to IMAP server: localhost.
13 : Permission denied
However, the system log does not show an error message about it. So, if I run
the selinux command, I get:
# audit2allow -l -i /var/log/messages -o /etc/selinux/targeted/src/policy/domains/program/apache.te
# make load
make: Nothing to be done for `load'.
BTW, users can still run pine to read/send emails. I tried to set
squirrelmail's server setting using sendmail or smtp, but that did not help.
Can somebody tell me how to solve the problem?
Thanks!
Hongwei Li
17 years, 6 months
Call for papers deadline extended
by SELinux Symposium Chair
By popular request, the deadline for paper submissions for the 2006
SELinux Symposium has been extended to October 1, 2005. See the
symposium web site (www.selinux-symposium.org) for the call for papers
and submissions requirements.
Thank you,
SELinux Symposium Chair
17 years, 6 months
disable setenforce
by Todd Merritt
I can't find where I read this now, but could somebody please tell me what I
need to add to or remove from the strict policy to disallow running the
setenforce command (but still allow changing the enforcement mode by
rebooting)?
Thanks,
Todd
17 years, 6 months
sshd Selinux v/s sshd Selinux disabled .......
by Ma. Alejandra Castillo
Dear All,
A question for you: what are the benefits/advantages of running these
specific services (sshd, samba, postgres and vsftpd) on an SELinux-enabled
system platform, instead of running those same services on a platform with
SELinux disabled?
Thanks and Rgds.
--
Ma. Alejandra Castillo M.
17 years, 6 months
NetworkManager wants security_t:file read...
by Tom London
Running targeted/enforcing, latest rawhide.
I get the following from NetworkManager:
type=AVC msg=audit(1126796883.544:9): avc: denied { read } for
pid=2309 comm="ls" name="mls" dev=selinuxfs ino=12
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1126796883.544:9): arch=40000003 syscall=5
success=no exit=-13 a0=bfac4cf4 a1=8000 a2=0 a3=8000 items=1 pid=2309
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="ls" exe="/bin/ls"
type=CWD msg=audit(1126796883.544:9): cwd="/etc/sysconfig/network-scripts"
type=PATH msg=audit(1126796883.544:9): item=0 name="/selinux/mls"
flags=101 inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126796887.764:10): avc: denied { read } for
pid=2578 comm="killall" name="mls" dev=selinuxfs ino=12
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1126796887.764:10): arch=40000003 syscall=5
success=no exit=-13 a0=bfd0c884 a1=8000 a2=0 a3=8000 items=1 pid=2578
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="killall" exe="/usr/bin/killall"
type=CWD msg=audit(1126796887.764:10): cwd="/"
type=PATH msg=audit(1126796887.764:10): item=0 name="/selinux/mls"
flags=101 inode=12 dev=00:0d mode=0100444 ouid=0 ogid=0 rdev=00:00
allow NetworkManager_t security_t:file read;
Is that right?
tom
--
Tom London
17 years, 6 months
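The allow rule at the end of the post is what audit2allow derives from records like these. As an added example (not code from the post, from NetworkManager or from the SELinux tools), here is a small Python parser that reads "avc: denied" records, takes the type field of scontext/tcontext by position so that an MCS range such as :s0 after the type does not matter, and collapses repeated denials into one rule per source type, target type and object class. The sample records are the two quoted above plus the cupsd_config_t denial from the cupsd thread on this page, each joined onto one line as auditd writes them; the function names are mine.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in the post above (MCS-style
# contexts ending in :s0), the cupsd_config_t record from the cupsd thread on
# this page (pre-MCS contexts, no suffix) and one CWD record that a parser must
# skip. Each record is on a single line, as auditd writes it.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1126796883.544:9): avc: denied { read } for pid=2309 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=CWD msg=audit(1126796883.544:9): cwd="/etc/sysconfig/network-scripts"
type=AVC msg=audit(1126796887.764:10): avc: denied { read } for pid=2578 comm="killall" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1126301390.416:17): avc: denied { create } for pid=3106 comm="printconf-tui" name="foomatic" scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of user:role:type[:range].

    The range may itself contain ':' (for example s0:c0.c3), so the type is
    always the third field counted from the front, never from the back."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict.

    Returns None for every other record (SYSCALL, CWD, PATH, granted AVCs)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if any(key not in fields for key in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        "name": fields.get("name"),
    }


def build_allow_rules(lines):
    """Collapse denials into one allow rule per (source type, target type,
    class), merging the permission sets, the way audit2allow does."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        wanted[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for stype, ttype, tclass in sorted(wanted):
        perms = sorted(wanted[(stype, ttype, tclass)])
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return rules


if __name__ == "__main__":
    for rule in build_allow_rules(SAMPLE_AUDIT.splitlines()):
        print(rule)
```

Run on the sample, the first rule printed is the one proposed above, and the second is the rule the cupsd denial would call for. A rule generated this way is exactly as wide as the denial that triggered it; whether NetworkManager_t should be reading security_t files at all is a policy question the generator cannot answer, so each rule still wants a look before it is loaded.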
Introducing Multi-Category Security (MCS) SELinux policy in Rawhide
by Daniel J Walsh
Tonight's rawhide update for selinux-policy-targeted and selinux-policy-strict includes MCS.
What is MCS?
Multi-category Security (MCS) is a discretionary labeling mechanism for
SELinux. It allows users to add meaningful security labels to their own
files. Only domains with access to these labels will then be able to
access the files. Examples of category labels are "Company Confidential",
"Intranet Only" and "Patient Records".
MCS can only further restrict access to files, after Unix DAC rules and
SELinux MAC Type Enforcement rules have been applied. MCS uses much of the
Multi-level Security (MLS) technology present in SELinux, but is designed
to be simpler and map more readily to general use.
The general idea is to provide end users with more control over the
security of their own files and help make SELinux more user-oriented. In
the future, we expect to make use of category labels in areas such as
labeled printing, where the category label is printed on each page.
A reboot is required to turn on the MLS/MCS field in policy. The goal was to allow everything
to continue working without the reboot. A relabel should not be necessary.
Dan
--
17 years, 6 months
libselinux should not require libsetrans
by Stephen Smalley
Hi,
In the current Fedora spec file, libselinux has libsetrans as a prereq,
thereby pulling it in on libselinux updates for all users regardless of
policy. However, libsetrans presumes that MCS is enabled and always
appends :s0 to contexts when converting to raw format if they lack it.
This breaks (for example) a system running strict policy, as libselinux
then starts using the MCS-specific libsetrans and it starts
appending :s0 to raw contexts, but the kernel then rejects those
contexts since it does not have a MLS-enabled policy.
libsetrans is supposed to be optional, with libselinux gracefully
falling back to no translation if it is absent. I can possibly see
making it a dependency of MCS-enabled targeted policy packages, but not
of libselinux. Yes?
--
Stephen Smalley
National Security Agency
17 years, 6 months
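This thread and the checkpolicy backtrace at the top of the page both come down to how an MLS/MCS range is attached to, parsed from and validated in a security context. The Python below is an added example, not code from libselinux, libsetrans or checkpolicy. It expands a category list such as c0.c3,c5 and rejects unknown names instead of dereferencing a failed lookup, adds the default :s0 to a translated context only when the policy actually has MLS/MCS enabled, and emulates the kernel-side acceptance check that rejects a four-field context under a non-MLS policy. The sensitivity and category tables (s0, c0..c7), the function names and the simplified acceptance rules are assumptions made for the example.

```python
# Hypothetical policy tables, constructed for this example. A real MCS policy
# declares s0 and a much longer c0..cN list; the function bodies do not depend
# on these particular values.
SENSITIVITIES = {"s0": 0}
CATEGORIES = {"c%d" % i: i for i in range(8)}   # c0 .. c7


class ContextError(ValueError):
    """Raised for any context, level or category list the tables reject."""


def parse_categories(spec, categories=CATEGORIES):
    """Expand 'c0.c3,c5' into {0, 1, 2, 3, 5}.

    An unknown name (including a sensitivity such as 's0' used where a
    category is expected) raises instead of being dereferenced as if the
    lookup had succeeded. Ranges must run low to high."""
    result = set()
    if not spec:
        return result
    for item in spec.split(","):
        lo, _, hi = item.partition(".")
        hi = hi or lo
        for name in (lo, hi):
            if name not in categories:
                raise ContextError("unknown category %r in %r" % (name, spec))
        lo_v, hi_v = categories[lo], categories[hi]
        if lo_v > hi_v:
            raise ContextError("category range %r runs backwards" % item)
        result.update(range(lo_v, hi_v + 1))
    return result


def parse_level(level, sensitivities=SENSITIVITIES, categories=CATEGORIES):
    """'s0:c0.c3,c5' -> (0, {0, 1, 2, 3, 5}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    if sens not in sensitivities:
        raise ContextError("unknown sensitivity %r" % sens)
    return sensitivities[sens], parse_categories(cats, categories)


def level_error(level):
    """Return None when the level parses, otherwise the error text."""
    try:
        parse_level(level)
    except ContextError as exc:
        return str(exc)
    return None


def split_context(ctx):
    """user:role:type[:range]; split on at most three ':' so that a category
    list (which contains ':') stays inside the range field."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or any(p == "" for p in parts):
        raise ContextError("malformed context %r" % ctx)
    return parts


def trans_to_raw(ctx, mls_enabled):
    """What a translation layer should do: supply the default ':s0' only when
    the loaded policy has MLS/MCS enabled. Appending it unconditionally is the
    behaviour the post above describes as breaking strict policy."""
    parts = split_context(ctx)
    if mls_enabled and len(parts) == 3:
        parts.append("s0")
    return ":".join(parts)


def kernel_accepts(ctx, mls_enabled):
    """Simplified emulation of the kernel's context check: exactly three
    fields without MLS; exactly four, with a parseable low[-high] range,
    when MLS is on. (Assumption: real dominance checks are omitted.)"""
    parts = split_context(ctx)
    if not mls_enabled:
        return len(parts) == 3
    if len(parts) != 4:
        return False
    low, _, high = parts[3].partition("-")
    return level_error(low) is None and (not high or level_error(high) is None)
```

Handing a context that went through the MLS-enabled translation to the non-MLS acceptance check reproduces the failure described above: kernel_accepts(trans_to_raw(ctx, True), False) is False, while the untranslated three-field context is accepted. Feeding 's0', the id shown in the checkpolicy backtrace, to parse_categories as a category name produces a ContextError rather than a crash.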
Latest rawhide: lots of 'type' errors. No graphical login
by Tom London
Running targeted/enforcing, latest rawhide.
Today's updates broke lots. Booting hangs with many messages about
'invalid type' from file-contexts, etc.
Anyone seeing this or did I break something?
tom
--
Tom London
17 years, 6 months
cupsd: minor nit
by Tom London
Running targeted/enforcing, latest rawhide.
If I 'remove' a USB printer (via 'rmmod usblp') and then reboot,
printconf-tui tries to create the directory /var/cache/foomatic. This fails
with:
type=AVC msg=audit(1126301390.416:17): avc: denied { create } for pid=3106
comm="printconf-tui" name="foomatic"
scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t
tclass=dir
type=SYSCALL msg=audit(1126301390.416:17): arch=40000003 syscall=39
success=no exit=-13 a0=9aefe10 a1=1ed a2=778468 a3=b7345a2c items=1 pid=3106
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="printconf-tui" exe="/usr/bin/python"
type=CWD msg=audit(1126301390.416:17): cwd="/"
type=PATH msg=audit(1126301390.416:17): item=0 name="/var/cache/foomatic"
flags=10 inode=2142136 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
[This seems 'harmless', since printing appears to work, but ...]
Does this seem correct?
tom
--- /tmp/cups.te 2005-09-09 15:38:31.000000000 -0700
+++ ./cups.te 2005-09-09 14:56:26.000000000 -0700
@@ -240,7 +240,7 @@
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
+file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, { file dir })
allow cupsd_config_t var_t:lnk_file read;
can_network_tcp(cupsd_config_t)
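Review bot: adding `dir` to `file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, { file dir })` applies to every directory cupsd_config_t creates directly under any var_t directory, not only /var/cache/foomatic, and it labels a cache directory with an etc-style type; consider whether a narrower parent type than var_t, or a cache-specific type, fits the denial better. Whatever type is chosen, a matching file_contexts entry for /var/cache/foomatic is needed so that a relabel does not reset the directory to var_t and leave the transition rule as the only thing holding the label.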
--
Tom London
17 years, 6 months