problem booting a 2.6.13 kernel with selinux enabled
by Joy Latten
I have installed Fedora Core 4 on my machine with selinux enabled
and have followed the instructions to enable MLS. Both are working.
I have compiled a 2.6.13 kernel from kernel.org with selinux enabled in
my kernel. However, I am unable to boot into my 2.6.13 kernel.
When I disable selinux (selinux=0) or set (enforcing=0) my kernel
boots up ok. When I boot into my 2.6.13 kernel with selinux enabled, the
boot hangs after the SELinux initializations and at the point I believe
udev is supposed to get started.
When I tried booting into my 2.6.13 kernel with "enforcing=0 single"
and did a restorecon /etc/mtab, then did a setenforce 1 to switch to
enforcing mode and exited the single user shell to come up in multi-user
mode, it worked. I am sure I am stepping around something. :-)
(These steps are similar to those in README.mls instructions.) I did get
a bunch of the following messages from "dmesg"
though:
audit(1126300655.450:2839259): avc: denied { search } for pid=2199
comm="klogd" name="/" dev=tmpfs ino=1168
scontext=system_u:system_r:klogd_t:s0-s9:c0.c127
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
I do not understand but am very curious to know why I cannot boot
straight into my 2.6.13 kernel? Does 2.6.13 introduce some changes?
A colleague experienced similar problem. Has anyone else experienced
this problem or can explain to me what is happening?
Thanks!
Joy Latten
18 years, 2 months
unconfined_t
by Ma. Alejandra Castillo
Dear all,
I have a question for you. When I execute the command id -Z, for example:
id -Z for the user root, I obtain this output: root:system_r:unconfined_t
id -Z for the user mai: user_u:system_r:unconfined_t
and the same happens with all the users that I have created.
Why does it appear as unconfined_t??
How can I change this?
Regards
--
Ma. Alejandra Castillo M.
18 years, 3 months
selinux-policy-targeted 1.25.4-10 and dovecot
by Paul Howarth
I notice in the changelog that a recent change was:
* Wed Aug 17 2005 Dan Walsh <dwalsh(a)redhat.com> 1.25.4-4
- Add more access for amanda
- Allow dovecot to create files in mail_spool_t
Having installed the updated policy this morning, I found I had to add a
local rule:
allow dovecot_t mail_spool_t:file write;
This is needed to allow dovecot to delete mail from the mail spool file
(I use dovecot in pop3 mode). I'm surprised this wasn't the default - is
there a good reason why it isn't?
Cheers, Paul.
P.S. there is still a problem with pptp - in pppd.fc
# Fix pptp sockets
/var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t
should read:
# Fix pptp sockets
/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t
because /var/run/pptp is a directory and the items in that directory
should be sockets, not regular files.
18 years, 3 months
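The pppd.fc point above turns on what the middle field of a file_contexts entry means: `--` restricts the entry to regular files, `-d`, `-s`, `-l`, `-c`, `-b`, `-p` to directories, sockets, symlinks and device/pipe nodes, and no field at all to any file type. The following is an added example, not code from the post or from the policy package: a small Python model of the matching rule documented for file_contexts (regex must match the whole path, type flag must agree, and the last matching entry wins), run against the two pptp entries quoted above. It ignores the stem and literal-prefix optimisations libselinux applies internally; the socket path name is made up.

```python
"""Model of file_contexts matching, as an added example (not from the post)."""
import re

# Optional second field of a file_contexts entry -> what it restricts the entry to.
FC_FLAGS = {"--": "regular file", "-d": "directory", "-c": "char device",
            "-b": "block device", "-s": "socket", "-l": "symlink", "-p": "fifo"}


def parse_fc(text):
    """Parse file_contexts lines into (compiled regex, flag or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, ctx = fields
            if flag not in FC_FLAGS:
                raise ValueError("unknown file type flag %r in %r" % (flag, line))
        elif len(fields) == 2:
            (regex, ctx), flag = fields, None  # no flag: matches any file type
        else:
            raise ValueError("bad file_contexts line: %r" % line)
        specs.append((re.compile(regex), flag, ctx))
    return specs


def match_context(specs, path, ftype):
    """Context that setfiles/restorecon would pick for `path` of type `ftype`.

    `ftype` is given as the same flag string used in the .fc file ("--" for a
    regular file, "-s" for a socket, ...).  The regex is anchored at both ends,
    and when several entries match the last one in the file wins.
    """
    for regex, flag, ctx in reversed(specs):
        if regex.fullmatch(path) and flag in (None, ftype):
            return ctx
    return None


# The two pppd.fc variants quoted in the post.
PPTP_FC_BEFORE = "/var/run/pptp(/.*)?  --  system_u:object_r:pptp_var_run_t\n"
PPTP_FC_AFTER = "/var/run/pptp(/.*)?      system_u:object_r:pptp_var_run_t\n"
PPTP_CTX = "system_u:object_r:pptp_var_run_t"


def pptp_contexts(fc_text, path, ftype):
    """Convenience wrapper: context for one path under one .fc variant."""
    return match_context(parse_fc(fc_text), path, ftype)


if __name__ == "__main__":
    sock = "/var/run/pptp/pptp.sock"  # hypothetical socket name
    for name, fc in (("before", PPTP_FC_BEFORE), ("after", PPTP_FC_AFTER)):
        print(name, "socket:", pptp_contexts(fc, sock, "-s"),
              "dir:", pptp_contexts(fc, "/var/run/pptp", "-d"))
```

With the `--` entry, neither the /var/run/pptp directory nor a socket inside it gets pptp_var_run_t (a regular file would), so restorecon leaves them at the parent's default; dropping the flag labels all of them.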
Some errors
by Eric Tanguy
I see a lot of strange messages from audit when my PC stops; I think
this is related to this:
in /var/log/audit/audit.log I find these messages:
type=SELINUX_ERR msg=audit(1126197472.980:4): SELinux: unrecognized
netlink message type=1009 for sclass=49
type=SELINUX_ERR msg=audit(1126197473.080:5): SELinux: unrecognized
netlink message type=1009 for sclass=49
Is it not possible to add the date and the time to the audit.log lines?
Thanks
--
Eric Tanguy | Nantes, France
<eric.tanguy(a)univ-nantes.fr>
Key : A4B8368F | Key Server : subkeys.pgp.net
Fedora Core release 4 (Stentz) on athlon kernel 2.6.12-1.1447_FC4
18 years, 3 months
WebDAV
by Andrew Ziem
Is there a SELinux policy for use with WebDAV? I have the WebDAV
working correctly with Apache and Cadaver, but SELinux prevents writing.
I have noticed that there are at least two issues. First, SELinux
prevents Apache from writing to httpd_sys_content_t. Second, Apache
needs to update its locking database. I don't want to allow write
access to all httpd_sys_content_t.
type=AVC msg=audit(1126138296.843:56): avc: denied { write } for
pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_lib_t
tclass=file
type=SYSCALL msg=audit(1126138296.843:56): arch=40000003 syscall=5
success=yes exit=11 a0=8675e00 a1=42 a2=1b6 a3=886a6c0 items=1 pid=3525
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1126138296.843:56): cwd="/"
type=PATH msg=audit(1126138296.843:56): item=0
name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07
mode=040700 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1126138520.634:58): avc: denied { write } for
pid=3526 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_lib_t
tclass=file
type=SYSCALL msg=audit(1126138520.634:58): arch=40000003 syscall=5
success=yes exit=11 a0=867dc20 a1=42 a2=1b6 a3=867fbd8 items=1 pid=3526
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1126138520.634:58): cwd="/"
type=PATH msg=audit(1126138520.634:58): item=0
name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07
mode=040700 ouid=48 ogid=48 rdev=00:00
Andrew
18 years, 3 months
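Three of the posts above hinge on reading audit records: the klogd denial in the 2.6.13 boot thread (kernel-log form, with an MLS range on the source context), Eric's question about the `audit(1126197472.980:4)` stamp in audit.log, and the httpd `lockdb.dir` denials here. The block below is an added example, not code from any of the posts and not audit2allow itself. It parses both AVC forms, converts the epoch timestamp every audit record carries into a readable UTC time, strips the MLS range off a context before taking its type, and collapses the denials into audit2allow-style `allow` rules. The sample records are copied from the posts (rejoined where the mails wrapped them; the SYSCALL line is shortened).

```python
"""AVC denial and audit timestamp parsing, as an added example (not from the posts)."""
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Every audit record carries audit(<epoch seconds>.<ms>:<serial>).
AUDIT_RE = re.compile(r"audit\((?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\)")
# The denial itself looks the same in dmesg and in auditd's type=AVC records.
AVC_RE = re.compile(r"avc:\s*denied\s*\{\s*(?P<perms>[^}]+?)\s*\}\s*for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample records copied from the posts above (constructed joins of wrapped lines).
KLOGD_AVC = ('audit(1126300655.450:2839259): avc: denied { search } for pid=2199 '
             'comm="klogd" name="/" dev=tmpfs ino=1168 '
             'scontext=system_u:system_r:klogd_t:s0-s9:c0.c127 '
             'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir')
HTTPD_AVC = ('type=AVC msg=audit(1126138296.843:56): avc: denied { write } for '
             'pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 '
             'scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_lib_t '
             'tclass=file')
HTTPD_SYSCALL = ('type=SYSCALL msg=audit(1126138296.843:56): arch=40000003 syscall=5 '
                 'success=yes exit=11 pid=3525 uid=48 comm="httpd" exe="/usr/sbin/httpd"')
NETLINK_ERR = ('type=SELINUX_ERR msg=audit(1126197472.980:4): SELinux: unrecognized '
               'netlink message type=1009 for sclass=49')
SAMPLE_LINES = [KLOGD_AVC, HTTPD_AVC, HTTPD_SYSCALL, NETLINK_ERR]


def audit_time(line):
    """Readable UTC time of any audit record, or None if it has no audit() stamp."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    when = datetime.fromtimestamp(int(m.group("secs")), tz=timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S.") + m.group("ms") + " UTC"


def type_of(context):
    """user:role:type[:mls-range] -> type; the trailing range is ignored."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial (kernel-log or auditd form); None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "time": audit_time(line),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def allow_rules(lines):
    """One audit2allow-style rule per (source type, target type, class), in order seen."""
    wanted = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        wanted.setdefault(key, set()).update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in wanted.items()]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(audit_time(line), "|", line[:70])
    print("\n".join(allow_rules(SAMPLE_LINES)))
```

The generated rules are a starting point for a local policy, not an answer: the klogd denial in the first post carries an MLS range (`s0-s9:c0.c127` against `s0`) and the httpd one is really a mislabelled lock file under /var/lib/dav, so check the target's label and the MLS constraints before granting the type-level access the rule asks for.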
MCS
by Gene Czarcinski
I have been reviewing/following the MCS discussions on this mailing list, the
LSPP mailing list, and the NSA selinux mailing list and it appears (to me)
that MCS (Multiple Category System) capability may be sufficiently
implemented to do some testing.
While I am more interested in a MLS (Multiple Level System) capability with
selinux, MCS is pretty close since it is "simply" MLS (multi-levels,
multi-categories) with a single level and multi-categories.
However, I do have some questions --
1. Is most/all of the needed updates available for FC4 or should I plan to
use the FC5-development packages?
2. It appears that MCS is only available with targeted policy (not with the
strict policy). Are there plans to include it in strict at some future time?
3. To me, a key capability to make either MLS or MCS practical is to
implement polyinstantiation of /tmp and /home/<userid> directories so that
different levels and/or categories will really have different directories.
Has this been implemented? How does it work?
4. How do I enable MCS given that I am now running selinux-targeted in
enforcing mode?
Comment: While I understand that Red Hat folks would want to make a system
upgrade to MCS NOT require a system relabel, I (personally) do not consider
it a big deal to require full relabeling to transition to either MCS or MLS.
5. Is it the goal for MCS to make it fully implemented and an
installation/upgrade option for FC5?
6. Any tips on using MCS?
7. Is there anything the developers would especially like tested?
8. IIUC, "newrole -l" will be used to switch level & category on an MLS
system and "just" category on an MCS system. Is this correct?
9. IIUC, the implementation supports a large number of levels (currently 10
or s0-s9 but could be larger or smaller) and an even larger number of
categories (currently 128 or c0-c127 but could be larger or smaller). Is
this correct?
10. While the current implementation has levels specified as s0-s9 and
categories as c0-c127, there needs to be some way to relate these "internal"
specifications to something more meaningful to real people. For example, for
sensitivity levels specifying s0=unclassified, s1=confidential, s2=secret,
etc. In a similar manner, categories need something like c0=foo, c1=bar,
c2=CompanyPropin, etc. Has anything been done with this in mind? What are
the plans for this?
Comment: It sure would be nice to be able to do:
newrole -l unclassified:CompanyPropin
Any comments/info appreciated.
Gene
18 years, 3 months
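Questions 8 to 10 above are about the shape of an MLS/MCS label: a level is a sensitivity plus a category set (`s1:c0.c3,c7`), a range is a low and a high level (`s0-s9:c0.c127`, the form seen on the klogd context in the first post), and access decisions rest on dominance (higher-or-equal sensitivity and a superset of categories). The block below is an added example, not code from the post, from the kernel or from any policy tool: it parses and re-serialises levels and ranges, implements dominance, and does the human-readable translation Gene asks for using a made-up name table built from his own examples. Which of a subject's two levels a particular constraint compares (its current level or its clearance) is set by the policy's mlsconstrain rules, so the example only exposes the dominance test itself.

```python
"""MLS/MCS level parsing, dominance and name translation (added example)."""
import re

LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")

# Hypothetical name table taken from the post's wish list; a real one would be
# kept outside the policy and is not part of the original page.
NAMES = {"s0": "unclassified", "s1": "confidential", "s2": "secret",
         "c0": "foo", "c1": "bar", "c2": "CompanyPropin"}
RAW = {v: k for k, v in NAMES.items()}


def parse_level(text):
    """'s1:c0.c3,c7' -> (1, frozenset({0, 1, 2, 3, 7}))."""
    m = LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError("bad level: %r" % text)
    cats = set()
    for part in filter(None, (m.group(2) or "").split(",")):
        lo, _, hi = part.partition(".")        # 'c0.c3' is a run, 'c7' a single one
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo
        if lo > hi:
            raise ValueError("bad category run: %r" % part)
        cats.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(cats)


def dominates(a, b):
    """a dominates b: sensitivity at least b's, and every category b has."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(text):
    """'s0-s9:c0.c127' -> (low, high); a bare level is its own low and high."""
    low, _, high = text.partition("-")
    low = parse_level(low)
    high = parse_level(high) if high else low
    if not dominates(high, low):
        raise ValueError("high level must dominate low level: %r" % text)
    return low, high


def format_level(level):
    """Inverse of parse_level; consecutive categories are collapsed with '.'."""
    sens, cats = level
    cats, parts, i = sorted(cats), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        parts.append("c%d" % cats[i] if i == j else "c%d.c%d" % (cats[i], cats[j]))
        i = j + 1
    return "s%d" % sens + (":" + ",".join(parts) if parts else "")


def translate(level):
    """(0, {2}) -> 'unclassified:CompanyPropin'; unknown ids are passed through."""
    sens, cats = level
    name = NAMES.get("s%d" % sens, "s%d" % sens)
    catnames = [NAMES.get("c%d" % c, "c%d" % c) for c in sorted(cats)]
    return name + (":" + ",".join(catnames) if catnames else "")


def untranslate(text):
    """'unclassified:CompanyPropin' -> 's0:c2' (what newrole -l would need)."""
    name, _, rest = text.partition(":")
    raw = RAW.get(name, name)
    if rest:
        raw += ":" + ",".join(RAW.get(c, c) for c in rest.split(","))
    return format_level(parse_level(raw))


if __name__ == "__main__":
    low, high = parse_range("s0-s9:c0.c127")
    print(format_level(low), format_level(high), len(high[1]), "categories")
    print(dominates(parse_level("s0:c0.c127"), parse_level("s0:c5")))  # True
    print(dominates(parse_level("s0:c1"), parse_level("s0:c2")))       # False
    print(translate(parse_level("s0:c2")), untranslate("unclassified:CompanyPropin"))
```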
ANN: SELinux Policy Editor 1.2
by Yuichi Nakamura
Hi.
We've released SELinux Policy Editor 1.2.0.
How to download and install, see
http://seedit.sourceforge.net/doc/install/INSTALL.html
Documents are updated at
http://seedit.sourceforge.net/documents.html
Major Changes from 1.0
(1) Improved implementation to support different distributions
Now supports Fedora Core4, Turbo Linux 10 Server, Asianux 2.0.
(2) Added more sample policy
(3) Improved Simplified Policy Description language
See http://seedit.sourceforge.net/documents.html for
updated simplified policy description language.
(4) Developer's policy
For developers, a simplified policy that uses macros is prepared
in the seedit-policy-devel package.
# Documentation for the developer's policy is not prepared yet.
# Be careful when using it.
(5) policy without RBAC
Policy without RBAC(like targeted policy) can be installed
when installing from source.
For feedback, e-mail to seedit-admin(a)lists.sourceforge.net .
---
Yuichi Nakamura
Hitachi Software, The George Washington University
Japan SELinux Users Group(JSELUG)
Japan Open Source Advocacy Organization(JOSAO)
SELinux Policy Editor: http://seedit.sourceforge.net/
18 years, 3 months
selinux, httpd, and nfs
by Ben
I'm trying to use NFS to make a bunch of images available for apache.
SELinux on the apache server seems to be getting in the way, and this
time I think it really is SELinux, because apache can serve the
images just fine when I'm not enforcing. When I turn on enforcing, I
get permission denied messages.
Unfortunately, there are no avc messages being generated, even when I
follow the steps listed out here:
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#id2827008
I suspect the issue might have something to do with there being no
SELinux attributes on the files in my image directory.... but without
any avc messages, it's hard to tell.
Interestingly, even when I am enforcing, I can copy and read the
files.... just not with apache.
I'm using:
2.6.12-1.1447_FC4
libselinux-devel-1.23.10-2
libselinux-1.23.10-2
selinux-policy-targeted-sources-1.25.4-10
selinux-policy-targeted-1.25.4-10
18 years, 3 months
Can't use new users?
by Ben
So last night I installed FC3, added Fedora Extras, and did a yum
update. Now I can't use any new users. Behold:
[root@dumont ~]# adduser nagios
[root@dumont ~]# su - nagios
Your default context is user_u:system_r:unconfined_t.
Do you want to choose a different one? [n]
could not open session
/var/log/messages has this to say about it:
Sep 2 17:34:21 dumont su[6229]: Warning! Could not relabel /dev/pts/4
with user_u:object_r:devpts_t, not relabeling.Operation not permitted
Something doesn't seem quite right, but I'm not sure what I'm missing.
Here are the selinux packages I've got installed:
selinux-policy-targeted-1.17.30-3.16
libselinux-1.19.1-8
libselinux-devel-1.19.1-8
18 years, 3 months