reiser4 +selinux
by Justin Conover
Does anyone know if reiser4 has the XATTRs added to handle selinux now?
"data did not represent a module" error
by Benjamin Youngdahl
Hello. I saw some previous discussions on this list regarding the message:
"libsemanage.parse_module_headers: Data did not represent a module."
when upgrading a policy RPM.
Did I miss how to resolve this issue, and also what perhaps I'd manage to do
to get things into this state? I'd appreciate any help you can give
pointing me in the right direction.
Best regards,
Ben
....
Here's my e.g.
Downloading Packages:
(1/1): selinux-policy-tar 100% |=========================| 443 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : selinux-policy-targeted ######################### [1/2]
libsemanage.parse_module_headers: Data did not represent a module.
Failed!
/sbin/restorecon reset /usr/share/logwatch/scripts/logwatch.pl context
system_u:object_r:bin_t->system_u:object_r:logwatch_exec_t
/sbin/restorecon reset /var/cache/logwatch context
system_u:object_r:var_t->system_u:object_r:logwatch_cache_t
Cleanup : selinux-policy-targeted ######################### [2/2]
missing tmpfs_t in latest?
by Tom London
Running targeted, latest rawhide (e.g., selinux-policy-targeted-2.1.6-22).
Reboot in enforcing mode fails: system goes into 'disk repair' mode.
'enforcing=0' works, but many messages.
First, 'id -Z' in gnome terminal:
[tbl@tlondon ~]$ id -Z
system_u:system_r:xdm_t:SystemLow-SystemHigh
[tbl@tlondon ~]$
'audit2allow -d' shows...
[root@tlondon ~]# audit2allow -d
allow auditctl_t tmpfs_t:chr_file write;
allow auditd_t tmpfs_t:chr_file getattr;
allow auditd_t tmpfs_t:dir search;
allow cpucontrol_t tmpfs_t:chr_file write;
allow cpucontrol_t tmpfs_t:dir search;
allow cpuspeed_t tmpfs_t:chr_file getattr;
allow cpuspeed_t tmpfs_t:dir search;
allow dhcpc_t tmpfs_t:chr_file { read write };
allow dhcpc_t tmpfs_t:dir search;
allow fsadm_t tmpfs_t:blk_file ioctl;
allow fsadm_t tmpfs_t:chr_file ioctl;
allow hwclock_t tmpfs_t:chr_file getattr;
allow hwclock_t tmpfs_t:dir search;
allow ifconfig_t tmpfs_t:chr_file write;
allow klogd_t tmpfs_t:dir search;
allow klogd_t tmpfs_t:sock_file write;
allow mount_t tmpfs_t:blk_file getattr;
allow netutils_t tmpfs_t:chr_file write;
allow pam_console_t tmpfs_t:blk_file setattr;
allow pam_console_t tmpfs_t:chr_file setattr;
allow pam_console_t tmpfs_t:dir search;
allow pam_console_t tmpfs_t:lnk_file getattr;
allow portmap_t tmpfs_t:chr_file getattr;
allow portmap_t tmpfs_t:dir search;
allow syslogd_t tmpfs_t:dir add_name;
allow syslogd_t tmpfs_t:sock_file setattr;
[root@tlondon ~]#
Relabeling is borked:
[root@tlondon ~]# restorecon -v -R /tmp
file_contexts: invalid context system_u:object_r:tmp_t
matchpathcon(/tmp) failed Invalid argument
file_contexts: invalid context system_u:object_r:xdm_xserver_tmp_t
matchpathcon(/tmp/.X0-lock) failed Invalid argument
file_contexts: invalid context system_u:object_r:xfs_tmp_t
matchpathcon(/tmp/.font-unix) failed Invalid argument
file_contexts: invalid context system_u:object_r:xfs_tmp_t
matchpathcon(/tmp/.font-unix/fs7100) failed Invalid argument
[root@tlondon ~]#
tom
--
Tom London
Selinux warning?
by Tom Diehl
Hi all,
I have an EL4 box that every time I do su - vmail I get the following warnings
in the log:
Dec 31 12:25:22 roger su(pam_unix)[2055]: session opened for user vmail by root(uid=0)
Dec 31 12:25:22 roger su[2055]: Warning! Could not relabel /dev/pts/3 with user_u:object_r:initrc_devpts_t, not relabeling.Operation not permitted
This started after I changed the UID in /etc/passwd and the gid in /etc/group.
(roger pts4) # ll -Z /dev/pts/3
crw------- root tty root:object_r:initrc_devpts_t /dev/pts/3
(roger pts4) #
Is there something that needs to be done for selinux when I change a u/gid??
Regards,
Tom Diehl tdiehl(a)rogueind.com Spamtrap address mtd123(a)rogueind.com
selinux kills SM
by Nicolas Mailhot
Hi,
I don't really have the time to do a proper bug report, but today's
selinux update in rawhide killed squirrelmail+dovecot.
Regards,
--
Nicolas Mailhot
selinux policy upgrade avcs
by Steve G
Hi,
When yum updates my rawhide policy, I get these avcs:
type=PATH msg=audit(12/29/2005 08:26:52.659:120) : item=0 name=/etc/mtab
inode=11403372 dev=03:07 mode=file,644 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:etc_runtime_t:s0
type=CWD msg=audit(12/29/2005 08:26:52.659:120) : cwd=/
type=SYSCALL msg=audit(12/29/2005 08:26:52.659:120) : arch=x86_64 syscall=open
success=no exit=-13(Permission denied) a0=3446313756 a1=0 a2=1b6 a3=0 items=1
pid=2472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=tty1 comm=load_policy exe=/usr/sbin/load_policy
subj=root:system_r:load_policy_t:s0-s0:c0.c255
type=AVC msg=audit(12/29/2005 08:26:52.659:120) : avc: denied { read } for
pid=2472 comm=load_policy name=mtab dev=hda7 ino=11403372
scontext=root:system_r:load_policy_t:s0-s0:c0.c255
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
-Steve
top avcs
by Steve G
Hi,
I was running top as a normal user on my rawhide machine. It scrolls avcs for
various pids like this:
type=PATH msg=audit(01/01/2006 08:55:21.980:306) : item=0 name=/proc/425/stat
inode=27852814 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00
obj=system_u:system_r:udev_t:s0-s0:c0.c255
type=CWD msg=audit(01/01/2006 08:55:21.980:306) :
cwd=/home/sgrubb/working/BUILD
type=SYSCALL msg=audit(01/01/2006 08:55:21.980:306) : arch=x86_64 syscall=open
success=no exit=-13(Permission denied) a0=3446610680 a1=0 a2=0 a3=0 items=1
pid=3497 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb
egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=tty2 comm=top exe=/usr/bin/top
subj=user_u:system_r:unconfined_t:s0
type=AVC msg=audit(01/01/2006 08:55:21.980:306) : avc: denied { read } for
pid=3497 comm=top name=stat dev=proc ino=27852814
scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c255 tclass=file
pid 425 is udevd. I am wondering if this is just something that needs correcting
in policy or if this is a case where polyinstantiation is needed for the proc
file system.
-Steve
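An added example, not code from any of the posts above: a small Python parser that reads AVC records in the ausearch -i format quoted by Steve G and folds them into the allow-rule form seen in Tom London's audit2allow -d output, so denials can be triaged per source type, target type and object class before deciding whether policy or labeling is at fault. The sample log is constructed from the records in the posts; the rules it prints are for reading, not for loading unchecked.

```python
import re
from collections import defaultdict

# Constructed sample in the ausearch -i style of the posts above (load_policy
# reading /etc/mtab, and top reading /proc/<pid>/stat of udevd).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(12/29/2005 08:26:52.659:120) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) pid=2472 comm=load_policy exe=/usr/sbin/load_policy subj=root:system_r:load_policy_t:s0-s0:c0.c255
type=AVC msg=audit(12/29/2005 08:26:52.659:120) : avc: denied { read } for pid=2472 comm=load_policy name=mtab dev=hda7 ino=11403372 scontext=root:system_r:load_policy_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(01/01/2006 08:55:21.980:306) : avc: denied { read } for pid=3497 comm=top name=stat dev=proc ino=27852814 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c255 tclass=file
type=AVC msg=audit(01/01/2006 08:55:22.100:307) : avc: denied { getattr } for pid=3497 comm=top name=stat dev=proc ino=27852815 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c255 tclass=file
"""

# Only AVC records carry the denial itself; SYSCALL/CWD/PATH records share the
# audit(...) id and add context but are skipped here.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<stamp>[^)]*)\) : avc: denied \{ (?P<perms>[^}]*) \} for "
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field (third colon-separated element) of an SELinux context."""
    return ctx.split(":")[2]

def parse_avc_denials(log_text):
    """Yield (source type, target type, class, frozenset of perms) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))

def summarize_denials(log_text):
    """Merge denials per (source, target, class) into audit2allow-style allow rules."""
    perms_by_key = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(log_text):
        perms_by_key[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in summarize_denials(SAMPLE_LOG):
        print(rule)
```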