macros in old policy
by Joy Latten
I am converting the selinux testsuite policy to reference policy.
The old test policy used the macros can_setcon, can_setexec and
can_setfscreate. These macros do not exist in the source for the
current refpolicy. Will these macros be included in refpolicy, or are they
obsolete, or do I write them myself in the test module, or do they map
to something else now? Just wondering what the correct thing to do is.
Regards,
Joy Latten
18 years, 3 months
does selinux work with non-fedora package ?
by ody quraviharto
hi all,
I am a Fedora newbie interested in selinux. Here are some questions:
1. does selinux work well with reiserfs filesystem ?
2. does selinux work well with postgresql rpm packages I downloaded
from postgresql site ?
Thanks very much
18 years, 3 months
Re: MySQL 5.0 and Fedora
by Tiziano
I'm downloading it..and I'll try it...
Steven Ringwald wrote:
> Tiziano Demaria wrote:
>
>> Dear Friends
>>
>> I'm literally in the shit with FEDORA CORE 3 and MySQL 5.0.xxx from the MySQL
>> official website.
>>
>> Practically, MySQL works but doesn't work anymore with PHPADMIN... I've
>> also updated php to the latest version (from php.net)... but still the
>> problem...
>> Do you have any solution please ?
>>
>> Thank you in advance, best regards
>
>
>
> I would highly recommend Xampp... I have found that it works really
> well, and installs itself out-of-the-way, so it is easy to remove
> should you have need to.
>
> http://www.apachefriends.org/en/xampp.html
>
> Steve
>
18 years, 3 months
error in today's rawhide update....
by Tom London
Running targeted/enforcing.
Updating today via yum (updating from selinux-policy-targeted-2.2.6-2
to selinux-policy-targeted-2.2.8-1):
Updating : selinux-policy-targeted ####################### [33/92]
Traceback (most recent call last):
  File "/usr/sbin/genhomedircon", line 364, in ?
    selconf.write()
  File "/usr/sbin/genhomedircon", line 325, in write
    fd.write(self.genoutput())
  File "/usr/sbin/genhomedircon", line 316, in genoutput
    ret += self.genHomeDirContext()
  File "/usr/sbin/genhomedircon", line 265, in genHomeDirContext
    users = self.getUsers()
  File "/usr/sbin/genhomedircon", line 210, in getUsers
    (status, list, lsize) = semanage_seuser_list(self.semanageHandle)
NameError: global name 'semanage_seuser_list' is not defined
libsemanage.semanage_install_sandbox: genhomedircon returned error code 1.
/sbin/restorecon reset /usr/bin/rhgb context
system_u:object_r:bin_t->system_u:object_r:xdm_exec_t
Updating : NetworkManager-gnome ####################### [34/92]
Nothing obvious in /var/log/messages or in /var/log/audit/audit.log
--
Tom London
18 years, 3 months
NetworkManager in today's rawhide....
by Tom London
NetworkManager is now in /usr/sbin, so it is not getting labeled as
NetworkManager_exec_t.
After doing a 'chcon -t NetworkManager_exec_t /usr/sbin/NetworkManager':
----
type=SOCKETCALL msg=audit(01/28/2006 09:50:36.513:61) : nargs=3 a0=10
a1=b74f40f4 a2=0
type=SOCKADDR msg=audit(01/28/2006 09:50:36.513:61) : saddr=netlink pid:0
type=SYSCALL msg=audit(01/28/2006 09:50:36.513:61) : arch=i386
syscall=socketcall(sendmsg) success=yes exit=32 a0=10 a1=b74f4070
a2=249268 a3=0 items=0 pid=3122 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=NetworkManager exe=/usr/sbin/NetworkManager
type=AVC msg=audit(01/28/2006 09:50:36.513:61) : avc: denied {
nlmsg_write } for pid=3122 comm=NetworkManager
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0
tclass=netlink_route_socket
--
Tom London
18 years, 3 months
need help - new hard disk, messed up but uneditable fstab file
by Gökhan Fazlı Çelik
Hi,
I am looking for an answer to the trouble I have faced, any help will be
appreciated.
I have added a secondary hdd and edited /etc/fstab file, it seems it is
messed up. Selinux requires root password and this file remains read-only
against all the efforts I have tried.
chmod +w,
or "vi :x!" does not work, and I am stuck at the boot stage.
18 years, 3 months
avc denied gone after reboot
by Steve Brueckner
I'm creating an SELinux-enabled Xen VM on FC4. I create the file system for
the VM by copying the filesystem from the underlying host. For the very
first boot of the VM, I have it do a /.autorelabel. However, when I then try to
install an rpm inside the VM I get an avc denied, even though I can install
the same rpm on the underlying host just fine. Even stranger, if I reboot
the VM once, I then have no problem installing the rpm inside of it.
So there are two oddities:
1 - why does the rpm install fine on the host but not in the VM that clones
the host's file system?
2 - why does the rpm install correctly after a reboot, but not after the
initial boot?
Aside from upgrading my policy, how can I track down the problem here?
Here are some details:
# rpm -ivh jre:
error: unpacking of archive failed on file /usr/java/jre1.5.0_01/CHANGES:
cpio: lsetfilecon failed - Permission denied
/var/log/audit/audit.log:
type=AVC msg=audit(1138316170.719:32): avc: denied { relabelto } for
pid=1706 comm="rpm" name="CHANGES" dev=hda1 ino=16578
scontext=root:system_r:kernel_t tcontext=system_u:object_r:usr_t tclass=file
# rpm -qa | grep selinux:
libselinux-devel-1.23.10-2
libselinux-1.23.10-2
selinux-policy-targeted-sources-1.27.1-2.16
selinux-policy-targeted-1.27.1-2.16
I haven't altered the policy sources (yet).
Both host and VM are in enforcing mode.
Thanks,
- Steve
Stephen Brueckner, ATC-NY
18 years, 3 months
Resend: Error sending status request (Operation not permitted)
by Bruce Ecroyd
I recently switched from FC4 targeted (enforcing) to strict (permissive)
using selinux-policy-strict-1.27.1-2.16.noarch.rpm.
I did a touch /.autorelabel before rebooting.
I see this:
[bruce@BorgCube ~]$ su -
Password:
Error sending status request (Operation not permitted)
[root@BorgCube ~]#
The last part of the /var/log/audit/audit.log shows:
type=SYSCALL msg=audit(1138247001.111:13162965): arch=40000003 syscall=5
success=yes exit=3 a0=866125b a1=c2 a2=180 a3=3a8083 items=1 pid=8250
auid=4294967295 uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100
fsgid=100 comm="su" exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for
pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t
tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for
pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t
tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for
pid=8250 comm="su" name=root dev=dm-0 ino=11392129
scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t
tclass=dir
type=SYSCALL msg=audit(1138247001.111:13162967): arch=40000003 syscall=207
success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 pid=8250 auid=4294967295
uid=501 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su"
exe="/bin/su"
type=AVC msg=audit(1138247001.111:13162967): avc: denied { setattr } for
pid=8250 comm="su" name=.xauthVpNVFy dev=dm-0 ino=11392172
scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t
tclass=file
type=USER msg=audit(1138247001.325:13165423): user pid=8250 uid=501
auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?,
addr=?, terminal=pts/2 result=Success)'
Any ideas?
If I change to strict, enforcing, will this prevent me from su to root?
Bruce
18 years, 3 months
/usr/share - self inflicted issue
by Craig White
On my main desktop, I was trying to upgrade from FC-3 to FC-4.
I was a little short of space in the /usr partition so I moved /usr/share
to /home/share and symlinked it back.
This seemed all well and good but that does cause a cups issue.
The only clues I ever get are in /var/log/cups/error_log...
E [26/Jan/2006:07:02:22 -0700] LoadBanners: Unable to open banner
directory "/usr/share/cups/banners": Permission denied
E [26/Jan/2006:07:02:22 -0700] LoadPPDs: Unable to open PPD directory
"/usr/share/cups/model": Permission denied
but those directories **seem to be ok**
# ls -Zld /usr/share/cups/model /usr/share/cups/banners/
drwxr-xr-x 2 system_u:object_r:cupsd_etc_t root root 4096 Jan 16
18:29 /usr/share/cups/banners/
drwxr-xr-x 2 system_u:object_r:cupsd_etc_t root root 4096 Jan 16
18:29 /usr/share/cups/model
on my CentOS-4 system...they are different
# ls -Zld /usr/share/cups/model /usr/share/cups/banners/
drwxr-xr-x 2 system_u:object_r:usr_t root root 4096 Dec 27
07:12 /usr/share/cups/banners/
drwxr-xr-x 2 system_u:object_r:usr_t root root 4096 Dec 27
07:12 /usr/share/cups/model
The things I try to fix this aren't working...
# fixfiles -R cups restore
/sbin/restorecon: error while labeling files under /usr/share/cups
and on and on for every file/folder in the tree
# chcon -t system_u:object_r:usr_t /usr/share/cups/
chcon: couldn't compute security context from
system_u:object_r:cupsd_etc_t
and I am stumped...suggestions anyone?
Thanks
Craig
18 years, 3 months
/etc/blkid.tab, /etc/avahi/etc/localtime
by Tom London
Running targeted/enforcing, latest rawhide.
I get these with 'restorecon -v -R /etc':
restorecon reset /etc/avahi/etc/localtime context
system_u:object_r:locale_t->system_u:object_r:etc_t
restorecon reset /etc/blkid.tab context
user_u:object_r:etc_t->system_u:object_r:etc_runtime_t
First, I believe avahi chroots to /etc/avahi, so shouldn't its
'local copy' of localtime be locale_t?
Second, checking /var/log/messages, I get:
Jan 26 06:50:41 localhost kernel: audit(1138286986.121:2): avc:
denied { write } for pid=1554 comm="mount" name="blkid.tab" dev=dm-0
ino=1275806 scontext=system_u:system_r:mount_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
Jan 26 06:50:41 localhost kernel: floppy0: no floppy controllers found
Jan 26 06:50:41 localhost kernel: audit(1138286987.665:3): avc:
denied { write } for pid=1602 comm="swapon" name="blkid.tab"
dev=dm-0 ino=1275806 scontext=system_u:system_r:fsadm_t:s0
tcontext=user_u:object_r:etc_t:s0 tclass=file
Jan 26 06:50:41 localhost kernel: Adding 1048568k swap on
/dev/VolGroup00/LogVol01. Priority:-1 extents:1 across:1048568k
So it looks like blkid.tab's type is getting (periodically) wedged.
I'm guessing this occurs when I do a 'mount' (manual) or insert a usb
drive of some sort.
More needed here to figure out?
tom
--
Tom London
18 years, 3 months
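The AVC records quoted in the NetworkManager, Xen VM, su and blkid.tab posts above all have the same shape, whether they come from `ausearch -i`, raw /var/log/audit/audit.log, or the older kernel-prefixed syslog line. As an added example that is not from any of the posts and not from the audit or SELinux tools themselves, here is a small Python parser that pulls the denials out of a mixed log, groups them by (source type, target type, class) the way audit2allow does, and separately flags denials whose target carries a label restorecon would change, as with /etc/blkid.tab (etc_t where file_contexts say etc_runtime_t): those are fixed by relabeling, not by an allow rule. The sample log and restorecon output are constructed from the lines in the posts; the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from os.path import basename

# Constructed sample log in the three shapes the posts above show: `ausearch -i`
# interpreted output, raw /var/log/audit/audit.log records, and an older
# kernel-prefixed syslog line. Non-AVC lines are ignored by the parser.
SAMPLE_LOG = """\
type=AVC msg=audit(01/28/2006 09:50:36.513:61) : avc: denied { nlmsg_write } for pid=3122 comm=NetworkManager scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1138316170.719:32): avc: denied { relabelto } for pid=1706 comm="rpm" name="CHANGES" dev=hda1 ino=16578 scontext=root:system_r:kernel_t tcontext=system_u:object_r:usr_t tclass=file
type=AVC msg=audit(1138247001.111:13162965): avc: denied { create } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
type=AVC msg=audit(1138247001.111:13162965): avc: denied { add_name } for pid=8250 comm="su" name=.xauthVpNVFy scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162965): avc: denied { write } for pid=8250 comm="su" name=root dev=dm-0 ino=11392129 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_home_dir_t tclass=dir
type=AVC msg=audit(1138247001.111:13162967): avc: denied { setattr } for pid=8250 comm="su" name=.xauthVpNVFy dev=dm-0 ino=11392172 scontext=user_u:user_r:user_t tcontext=user_u:object_r:sysadm_home_dir_t tclass=file
Jan 26 06:50:41 localhost kernel: audit(1138286986.121:2): avc: denied { write } for pid=1554 comm="mount" name="blkid.tab" dev=dm-0 ino=1275806 scontext=system_u:system_r:mount_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
Jan 26 06:50:41 localhost kernel: floppy0: no floppy controllers found
Jan 26 06:50:41 localhost kernel: audit(1138286987.665:3): avc: denied { write } for pid=1602 comm="swapon" name="blkid.tab" dev=dm-0 ino=1275806 scontext=system_u:system_r:fsadm_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
"""

# Constructed `restorecon -v` output in the shape shown for /etc/blkid.tab.
SAMPLE_RESTORECON = """\
restorecon reset /etc/blkid.tab context user_u:object_r:etc_t->system_u:object_r:etc_runtime_t
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
SERIAL_RE = re.compile(r"audit\([^)]*:(\d+)\)")        # the event serial after the timestamp
RESET_RE = re.compile(r"restorecon reset (\S+) context (\S+)->(\S+)")


def context_type(ctx):
    """Return the type of user:role:type[:range]; the MLS range is optional (absent on FC4)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("fields")):
        key, quoted, bare = fm.groups()
        fields[key] = quoted if quoted is not None else bare
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated record: do not guess at it
    serial = SERIAL_RE.search(line)
    return {
        "serial": int(serial.group(1)) if serial else None,
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Group denials the way audit2allow does: (source type, target type, class) -> perms."""
    groups = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            groups[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def candidate_rules(records):
    """Render the grouped denials as allow rules. These are what audit2allow would
    propose; whether an allow rule is the right fix is a separate judgement."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summarize(records).items())]


def parse_restorecon(text):
    """Map path -> (type it has now, type the file_contexts say it should have)."""
    return {path: (context_type(old), context_type(new))
            for path, old, new in RESET_RE.findall(text)}


def mislabel_suspects(records, resets):
    """Denials whose target carries a type restorecon would change. The fix for
    these is the label (restorecon, or a semanage fcontext entry), not a rule
    that allows access to the wrong type."""
    by_name = {basename(p): (p, old, new) for p, (old, new) in resets.items()}
    out = []
    for r in records:
        hit = by_name.get(r["name"])
        if hit and r["ttype"] == hit[1]:
            out.append((r["comm"], hit[0], hit[1], hit[2]))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in candidate_rules(recs):
        print(rule)
    for comm, path, old, new in mislabel_suspects(recs, parse_restorecon(SAMPLE_RESTORECON)):
        print(f"# {comm}: {path} is {old} but should be {new}; relabel instead of allowing")
```

Every line it prints as a candidate rule still needs the judgement that the source domain should genuinely have that access. Two of the groups in the sample are warnings rather than missing rules: the blkid.tab denials disappear once the file carries etc_runtime_t, and a userland process whose scontext is kernel_t, as in the rpm denial, means the expected domain transition never happened, which no allow rule on usr_t should paper over.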