List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
17 years, 1 month
Error sending status request (Operation not permitted)
by Bruce Ecroyd
I recently switched from FC4 targeted (enforcing) to strict (permissive)
using selinux-policy-strict-1.27.1-2.16.noarch.rpm.
I did a touch /.autorelabel before rebooting.
I see this:
[bruce@BorgCube ~]$ su -
Password:
Error sending status request (Operation not permitted)
[root@BorgCube ~]#
The last part of the /var/log/audit/audit.log shows:
type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5
success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250
auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100
fsgid=100 comm="su" exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for
pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t
tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for
pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t
tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for
pid=8250 comm="su" name=root dev=dm-0 ino=11392129
scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t
tclass=dir
type=SYSCALL msg=audit(1138247001.111:13162967): arch=40000003 syscall=207
success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=8250 auid=4294967295
uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su"
exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162967): avc: denied { setattr } for
pid=8250 comm="su" name=.xauthVpNVFy dev=dm-0 ino=11392172
scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t
tclass=file
type=USER msg=audit(1138247001.325:13165423): user pid=8250 uid=501
auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?,
addr=?, terminal=pts/2 result=Success)'
Any ideas?
If I change to strict, enforcing, will this prevent me from su to root?
Bruce
17 years, 9 months
Curious Behavior doing routine redirection of ping output to file...
by selinux.funchords@spameater.org
I'm not exactly a "newbie," but I'm diving a lot deeper than
I ever have. This one has me a little wrapped around the axle, and
if someone could help clear the fog, I'd appreciate it.
The short version:
I'm trying to redirect the output of ping to a file. I get a 0
byte file as a result.
Where I am now:
When selinux is permissive, it works as I expect it to.
When this started, I had no idea that selinux was running or even what
it was, exactly (I've been running this system for about two weeks).
I've learned a lot since then. But I haven't figured out how to do
anything other than flip bits on existing boolean rules and change
the sestatus mode. For example, how do I fix the above problem?
Current version: 2.6.14-1.1653_FC4 with selinux in targeted/enforced.
When this began, I posted a message to www.fedoraforum.org
( http://www.fedoraforum.org/forum/showthread.php?t=88238 )
with the title, "BASH: How to redirect ping output to file?"
Later, I found this in /var/log/audit/audit.log ...
type=AVC msg=audit(1134599953.748:32): avc: denied { write } for
pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895
scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11
success=yes exit=0 a0=8d64360 a1=8d56400 a2=8d51520 a3=1 items=2
pid=5503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="ping" exe="/bin/ping"
type=AVC_PATH msg=audit(1134599953.748:32): path="/root/pingoutput2"
type=CWD msg=audit(1134599953.748:32): cwd="/root"
type=PATH msg=audit(1134599953.748:32): item=0 name="/bin/ping"
flags=101 inode=5499653 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1134599953.748:32): item=1 flags=101 inode=5892482
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
... and I discovered the commands audit2why and audit2allow, which has
this example in the audit2allow man pages ...
$ cd /etc/selinux/$(SELINUXTYPE)/src/policy
$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te
<review domains/misc/local.te and customize as desired>
$ make load
... and that's where my zero-byte stack blows.
I have no src directory under /etc/selinux/targeted, nor do I have
anything at all on my system named domains. Still, I tried to follow
the advice by mkdir'ing the necessary directories and creating a
local.te file with the recommended "allow ping_t user_home_t:file write;"
line in it.
Then I typed 'make load' and I really think I actually heard something
laugh at me.
This is the way I learn best, and this isn't anything more than a
curiosity to me. But from what I've told you so far, can you point
me into the right direction?
I did search the archive for this list, as well as the FC3 (which
also seemed to point to these directories that I don't have).
Thanks!
Robb Topolski
robb(at)funchords(dot)com
http://www.funchords.com
17 years, 9 months
dbus error message
by Srinivasa Ds
Hi
I am getting a selinux dbus error message on my RHEL4 machine.
This is different from the earlier dbus error messages, which were
there before and which selinux-policy-targeted-1.17.30-2.117.noarch.rpm (from Daniel
Walsh) has fixed. This one looks different from that, and it doesn't
have the "denied send_msg" message, which has the security class fields and
helped in debugging.
The error messages look like this:
=================================================================
Jan 17 17:02:07 x330b dbus: Can't send to audit system: USER_AVC
pid=7704 uid=81 loginuid=0 message=avc: received policyload notice
(seqno=16)
Jan 17 17:02:07 x330b dbus: Can't send to audit system: USER_AVC
pid=7704 uid=81 loginuid=0 message=avc: 0 AV entries and 0/512 buckets
used, longest chain length 0
Jan 17 17:02:24 x330b dbus: Can't send to audit system: USER_AVC
pid=7704 uid=81 loginuid=0 message=avc: received setenforce notice
(enforcing=1)
===================================================================
I just wanted to know why this error message is getting generated and
how to fix it.
Is it due to lack of send_msg permission?
Looking for reply
Srinivasa DS
17 years, 10 months
Problem with interbase (firebird-1.5) on FC4 box, httpd-2.0.54, php-interbase-5.0.4-10.5
by Daniel Paul
Hello there,
because I need interbase (firebird) support in php, I recompiled the actual
php-5.0.4-10.5 package with interbase support (--with-interbase=shared). When
I start httpd there is the following message in error_log:
PHP Warning: PHP Startup: Unable to load dynamic library
'/usr/lib/php/modules/interbase.so' - object requires: cannot enable
executable stack as shared object requires: Permission denied in Unknown on
line 0
phpinfo() shows that php has read the interbase.ini file which contains a
reference to the interbase.so module, but interbase support is disabled
(nothing shows up regarding interbase). With selinux set to permissive mode
(instead of enforcing), there is no such message and phpinfo() shows me that
interbase support is enabled.
audit.log shows the following:
type=AVC msg=audit(1138630853.033:10): avc: denied { execstack } for
pid=1886 comm="httpd" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_t tclass=process
type=SYSCALL msg=audit(1138630853.033:10): arch=40000003 syscall=125
success=no exit=-13 a0=bf8a3000 a1=1000 a2=1000007 a3=d5a000 items=0 pid=1886
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd"
exe="/usr/sbin/httpd"
Any help would be truly appreciated.
Thanks in advance,
Daniel
17 years, 10 months
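The audit excerpts in the su, ping and httpd posts above all call for the same first step: pull the AVC records out of the log, draft the allow rules that audit2allow would draft, and then decide whether each rule is actually the right fix. The Python below is an example added to this page; it is not code from any of the posters or from audit2allow. It embeds those denial lines as sample input (copied from the posts, plus one SYSCALL record the parser must skip), merges them into allow rules the way audit2allow does, and attaches a short triage hint to each denial. The hints (checking the library with execstack -q, checking labels with ls -Z) are the editor's, not advice taken from the threads.

```python
"""Added example: parse SELinux AVC denials and draft allow rules for review."""
import re
from collections import defaultdict

# Matches the denial clause of audit.log "type=AVC ..." records and of the
# older "kernel: audit(...): avc: denied ..." lines in /var/log/messages.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input copied from the posts above; the SYSCALL record is there to be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for pid=8250 comm="su" name=root dev=dm-0 ino=11392129 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162967): avc: denied { setattr } for pid=8250 comm="su" name=.xauthVpNVFy dev=dm-0 ino=11392172 scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1134599953.748:32): avc: denied { write } for pid=5503 comm="ping" name="pingoutput2" dev=dm-0 ino=916895 scontext=root:system_r:ping_t tcontext=root:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1134599953.748:32): arch=40000003 syscall=11 success=yes exit=0 pid=5503 comm="ping" exe="/bin/ping"
type=AVC msg=audit(1138630853.033:10): avc: denied { execstack } for pid=1886 comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=process
"""


def context_type(ctx):
    """Third field of a security context user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict describing an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", ""),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def allow_rules(records):
    """Merge denials into one allow rule per (source type, target type, class),
    as audit2allow does; 'self' stands for the source domain itself."""
    wanted = defaultdict(set)
    for r in records:
        target = "self" if r["ttype"] == r["stype"] else r["ttype"]
        wanted[(r["stype"], target, r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def triage_hint(r):
    """Reviewer hint so a drafted rule is not loaded blindly (editor's heuristics)."""
    if (r["tclass"] == "process" and r["stype"] == r["ttype"]
            and {"execmem", "execstack", "execmod"} & set(r["perms"])):
        return ("memory-protection denial inside the domain itself: usually a shared "
                "library that asks for an executable stack (execstack -q shows it); "
                "fix the library rather than widen the policy")
    if "home" in r["ttype"]:
        return "domain writing into a home directory: check the file labels with ls -Z first"
    return "confirm the access is expected for this domain before loading the rule"


def rules_from_log(text):
    """Drafted allow rules for every AVC denial in an audit log text."""
    return allow_rules([r for r in map(parse_avc, text.splitlines()) if r])


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE_LOG.splitlines()) if r]
    for r in recs:
        print(f"{r['comm']:6} {r['stype']} -> {r['ttype']}:{r['tclass']} "
              f"{r['perms']}  # {triage_hint(r)}")
    print()
    print("\n".join(allow_rules(recs)))
```

Run without arguments it prints the hints and then the drafted rules; for a real log, pass the file contents to rules_from_log(). The rule it drafts for the ping case is the same "allow ping_t user_home_t:file write;" line Robb put in local.te, while the httpd one comes out as "allow httpd_t self:process execstack;", which is the kind of rule the hint tells you to resist.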
rawhide selinux-policy-strict whoopsage...
by Valdis.Kletnieks@vt.edu
Ran yum, it tried to install selinux-policy-strict-2.2.5-1 and died a horrid death:
Updating : selinux-policy-strict ####################### [13/24]
libsepol.verify_module_requirements: Module acct's global requirements were not met: type/attribute sysadm_home_dir_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module alsa's global requirements were not met: type/attribute devlog_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module amanda's global requirements were not met: type/attribute sysadm_home_dir_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
.... (skipping scads of similar errors..)
libsepol.verify_module_requirements: Module xserver's global requirements were not met: type/attribute logfile
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
libsepol.verify_module_requirements: Module zebra's global requirements were not met: type/attribute direct_init
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Running strict/permissive. Any suggestions?
17 years, 10 months
extras package that require changes in selinux-policy (initng)
by dragoran
Hello.
I am working on selinux support in initng, which is in review for extras
now [1].
But it seems that initng requires a policy to work (just tested in
targeted mode)
Using the default context (sbin_t) lets all apps that are started from
initng run as kernel_t.
Relabeling /sbin/initng to init_exec_t (same as init) fixes this and the
processes run as init_t and udev_t for udev, but some issues still remain.
hald, httpd, etc. also run as init_t, which is *wrong*; they have to get
into their own domain. How is this handled in sysvinit?
After reading the code I haven't found anything about it.
The patch I wrote can be found here:
http://bugzilla.initng.thinktux.net/show_bug.cgi?id=365
Did I do something wrong? Did I miss something?
After fixing this we will run into another problem. Every time the
filesystem gets relabeled, initng will become sbin_t, which will break it.
To fix this we need to modify the selinux-policy. What should be done if
a package in extras requires to change a core package?
Should I just file a bug against it and hope that it will be released as
an update for FC4, and gets into rawhide too?
Was unable to find anything about it in the wiki.
1: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=173459
17 years, 10 months
Re: Spamassassin emails have wrong perms -- CC'ed to selinux list
by Justin Willmert
Justin Willmert wrote:
> I am hoping somebody can help me solve a problem I am having with
> procmail and spamassassin (specifically spamd). When spamassassin has
> marked a message as spam, it gets sorted to a Junk folder, but the
> problem is that it is owned by root:mail when it should be owned by
> the user. When this happens, dovecot will not serve the email to the
> user. I sort other emails into folders with simple matching rules and
> those work fine. Spamassassin is the only rule that is piped out to a
> program.
>
> Here is the relevant portion my procmailrc file:
>
> DROPPRIV=yes # Make this run as a normal user. If you need
> # root privileges for something, do it before
> # this line.
> # Send mail through spamassassin
> :0fw
> | spamc -u $LOGNAME
>
> # Now that we've tagged the spam, put in the appropriate folder
> :0
> * ^X-Spam-Status: Yes
> .Junk/
>
> I've tried taking the -u $LOGNAME portion out too and that doesn't
> work. Following is a maillog sample.
>
> Jan 29 17:47:11 netserv sendmail[19847]: k0TNlAig019847: Milter add:
> header: X-Virus-Scanned: ClamAV 0.88/1257/Sun Jan 29 09:15:47 2006
> on mydomain.com
> Jan 29 17:47:11 netserv sendmail[19847]: k0TNlAig019847: Milter add:
> header: X-Virus-Status: Clean
> Jan 29 17:47:11 netserv spamd[19654]: connection from mydomain.com
> [127.0.0.1] at port 57905
> Jan 29 17:47:11 netserv spamd[19654]: handle_user: unable to find
> user 'justin'!
> Jan 29 17:47:11 netserv spamd[19654]: Still running as root: user
> not specified with -u, not found, or set to root. Fall back to
> nobody.
> Jan 29 17:47:11 netserv spamd[19654]: processing message
> <BAY107-F2792E57045186E9EED3A038A160(a)phx.gbl> for justin:99.
> Jan 29 17:47:11 netserv spamd[19654]: cannot write to
> /etc/mail/bayes/bayes_journal, Bayes db update ignored: Permission
> denied
> Jan 29 17:47:13 netserv spamd[19654]: clean message (1.7/5.0) for
> justin:99 in 1.5 seconds, 1076 bytes.
> Jan 29 17:47:13 netserv spamd[19654]: result: . 1 -
> BAYES_50,DNS_FROM_RFC_POST,MSGID_FROM_MTA_HEADER
>
> scantime=1.5,size=1076,mid=<BAY107-F2792E57045186E9EED3A038A160(a)phx.gbl>,bayes=0.499999999735837,autolearn=no
>
> Jan 29 17:47:13 netserv sendmail[19849]: k0TNlAig019847:
> to=<justin(a)mydomain.com>, delay=00:00:02, xdelay=00:00:02,
> mailer=local, pri=30995, dsn=2.0.0, stat=Sent
>
> As you can see, I've also got a problem with not being able to access
> the bayes_journal. I've put it in its own directory and made them
> owned by nobody:staff and still nothing. Anyway, here is my local.cf
> file:
>
> # These values can be overridden by editing
> ~/.spamassassin/user_prefs.cf
> # (see spamassassin(1) for details)
>
> # How many hits before a message is considered spam. The lower the number, the
> # more sensitive it is.
> required_hits 5
>
> # Encapsulate spam in an attachment (0=No, 1=Yes in message/rfc822,
> # 2=Yes in text/plain)
> report_safe 0
>
> # Text to prepend to subject of spam
> rewrite_header Subject [SPAM]
>
> # Enable the Bayes System
> use_bayes 1
>
> # Enable Bayes auto-learning
> bayes_auto_learn 1
>
> # Mail using languages used in these country codes will not be marked as being
> # possibly spam in a foreign language.
> ok_languages en
>
> I'd be happy to send along any other information you need. Thanks for
> help in advance.
>
> Justin Willmert
>
I'm cc-ing this to the fedora-selinux-list. I think some of the problems
may be applicable there.
OK, after some more testing, when I disable SELinux, many of the errors
go away. First of all, I get rid of the error message saying user can
not be found and with it the 'still running as root' error. Second, it
is able to access the bayes_journal file (as long as normal unix
permissions are right, which I've figured out). So I guess the problem
is an SELinux issue which I can't solve. I'd attach some avc error
messages, but I can't seem to find any. I've looked in maillog, secure,
and messages, but nothing.
17 years, 10 months
Problems with snmpd following update.
by J. David Rye of Roadtech
Have run into a problem on a couple of servers that I have updated in
the last week or so.
snmpd does not start after a reboot, the following log extract is from
/var/log/messages on server f4.
Jan 31 17:26:54 f4 acpid: acpid startup succeeded
Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc: denied { execmem } for pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=process
Jan 31 17:26:54 f4 snmpd: /usr/sbin/snmpd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
Jan 31 17:26:54 f4 snmpd: snmpd startup failed
Running
execstack -q /usr/lib/libbeecrypt.so.6
gives
X /usr/lib/libbeecrypt.so.6
So the library is explicitly marked as requiring an executable stack.
looking at the obvious rpms yields the following
kernel-2.6.12-1.1381_FC3 was kernel-2.6.11-1.14_FC3
net-snmp-5.2.1.2-FC3.1 unchanged
net-snmp-libs-5.2.1.2-FC3.1 unchanged
selinux-policy-targeted-1.17.30-3.19 was
selinux-policy-targeted-1.17.30-2.96
libselinux-1.19.1-8 unchanged
beecrypt-3.1.0-6 unchanged
Any suggestions appreciated.
--
J. David Rye
http://www.roadrunner.uk.com
http://www.rha.org.uk
mailto://d.rye@roadtech.co.uk
17 years, 10 months
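The snmpd failure here and the interbase.so failure in Daniel Paul's post show the same loader message, "cannot enable executable stack as shared object requires", beside an execmem or execstack denial in the process's own domain: a shared object carries a PT_GNU_STACK program header with the execute bit set, so at load time the dynamic linker tries to make the stack executable (in the httpd record, syscall=125 on arch=40000003 is i386 mprotect and a2=1000007 is PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) and SELinux refuses. execstack -q reads that header and prints X, - or ?. The script below is an example added to this page, not code from either poster or from the execstack tool; it performs the same check on ELF32 and ELF64 objects of either byte order, and, because it has to run offline, it constructs a minimal headers-only ELF64 image itself instead of opening a real library. Clearing the flag on the offending library (execstack -c) or rebuilding it without an executable stack keeps the policy unchanged.

```python
"""Added example: report whether an ELF object asks for an executable stack (like execstack -q)."""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551      # program header whose p_flags carry the stack protection
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_status(data):
    """'X' if the object requests an executable stack, '-' if it does not, and '?' if it
    has no PT_GNU_STACK header at all (the loader then uses the architecture default)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:                        # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                        # p_flags directly follows p_type in Elf64_Phdr
    else:                                    # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                       # p_flags is the seventh word in Elf32_Phdr
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
            return "X" if p_flags & PF_X else "-"
    return "?"


def build_elf64(stack_flags):
    """Constructed minimal x86-64 shared object (headers only, not loadable) with one
    PT_LOAD header and, unless stack_flags is None, one PT_GNU_STACK header."""
    phdrs = [(PT_LOAD, PF_R | PF_X)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # 64-bit, little-endian, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident,
                       3,                    # e_type ET_DYN
                       62,                   # e_machine EM_X86_64
                       1, 0,                 # e_version, e_entry
                       64,                   # e_phoff: program headers right after the 64-byte header
                       0, 0,                 # e_shoff, e_flags
                       64, 56, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
                       0, 0, 0)              # no section headers
    phdr_bytes = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ehdr + phdr_bytes


def check_file(path):
    """Status letter for an ELF file on disk."""
    with open(path, "rb") as fh:
        return gnu_stack_status(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # same output shape as execstack -q: flag, then path
        for path in sys.argv[1:]:
            print(check_file(path), path)
    else:                                    # demo on the constructed images
        for label, flags in (("requests executable stack", PF_R | PF_W | PF_X),
                             ("non-executable stack", PF_R | PF_W),
                             ("no PT_GNU_STACK header", None)):
            print(gnu_stack_status(build_elf64(flags)), label)
```

With no arguments it prints the three possible answers for the constructed images; with paths it behaves like execstack -q, so running it over the libraries a service links against shows which one is responsible for the denial before anyone touches the policy.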
SElinux and firestarter
by Jonathan Underwood
Hi,
There appear to be issues with SElinux and the firestarter package
available from fedora-extras. I have attached the errors from
/var/log/messages upon boot to this email. I suspect it may be related
to either dhcpd or kernel module loading upon boot, but I'm rather
clueless about SElinux. If someone could give me some pointers on how
to proceed with debugging this it would be really appreciated. I have
reported the bug here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179248
This is with kernel 2.6.14-1.1656_FC4, libselinux-1.23.10-2,
selinux-policy-targeted-1.27.1-2.16.
I realize that I have probably not given enough information to debug
this, but I am not sure what else would be useful.
Many thanks,
Jonathan
17 years, 10 months