sealert and setroubleshootd
by Eric Tanguy
The new setroubleshoot version solved the problem I had and I find it
very useful, helpful and efficient.
Thanks for this!
But two remarks:
The day is given in French format on my system but not the time, which is
given in Anglo-Saxon format but without am or pm. It's annoying. It would
be better if the time were given in the specified format (i.e. 24h format).
The system would be more helpful with a translation of all fields,
because sometimes the messages are subtle to understand.
Thank you again for this useful tool.
Eric
17 years, 5 months
Getting avc denied messages for mounting iso images on loopback device
by Srinivasa Ds
Hi all
I tried to mount an ISO image on a loopback device in FC6, and I am getting this error.
=======================
audit(1164321995.887:79): avc: denied { read } for pid=2969
comm="pam_console_app" name="/" dev=loop0 ino=1472
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
audit(1164321995.887:80): avc: denied { read } for pid=2966
comm="pam_console_app" name="/" dev=loop0 ino=1472
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
=======================================================
I was doing this operation through ssh. This works if SELinux is disabled.
Is there any fix for this??
Thanks
Srinivasa DS
17 years, 5 months
changing squid cache dir
by Michael Thomas
I reconfigured my squid to use a cache directory on a filesystem with
more space (/space/squid/cache), and relabeled /space/squid and all of
its subdirectories with system_u:object_r:squid_cache_t.
Now I'm getting AVC denied messages[1] because it seems that squid wants
to read from /.
setroubleshoot says that I can run "setsebool -P read_default_t=1" to
remove this denial, but I'd rather find out why squid wants to read from
/ and relabel files appropriately. Any ideas?
--Wart
[1] avc: denied { search } for comm='"squid"' dev='sdb5' egid='0'
euid='0' exe='"/usr/sbin/squid"' exit='-13' fsgid='0' fsuid='0' gid='0'
items='0' name='"/"' pid='3114' scontext=system_u:system_r:squid_t:s0
sgid='0' subj='system_u:system_r:squid_t:s0' suid='0' tclass='dir'
tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'
17 years, 5 months
AVC denied messages for openvpn and procmail
by Tony Molloy
Hi,
I'm trying to get up to speed on SELinux, so sorry for being so long.
I've managed to get rid of various AVC denied messages. However, I'm
getting the following two AVC denied messages from setroubleshoot. They
are not causing any problems, but I would like to know how to go about
getting rid of them. Would I need to have some sort of local policy?
I'll include the complete message here.
>Summary
>SELinux is preventing /sbin/ifconfig (ifconfig_t) "write"
>to /etc/openvpn/openvpn.log (openvpn_etc_t).
>Detailed Description
>SELinux denied access requested by /sbin/ifconfig. It is not expected
>that this access is required by /sbin/ifconfig and this access may
>signal an intrusion attempt. It is also possible that the specific
>version or configuration of the application is causing it to require
>additional access.
>Allowing Access
>Sometimes labeling problems can cause SELinux denials. You could try to
>restore the default system file context for /etc/openvpn/openvpn.log,
>restorecon -v /etc/openvpn/openvpn.log If this does not work, there is
>currently no automatic way to allow this access. Instead, you can
>generate a local policy module to allow this access - see FAQ Or you can
>disable SELinux protection altogether. Disabling SELinux protection is
>not recommended. Please file a bug report against this package.
>Additional Information
>Source Context system_u:system_r:ifconfig_t:s0
>Target Context system_u:object_r:openvpn_etc_t:s0
>Target Objects /etc/openvpn/openvpn.log [ file ]
>Affected RPM Packages net-tools-1.60-73 [application]
>Policy RPM selinux-policy-2.4.3-10.fc6
>Selinux Enabled True
>Policy Type targeted
>MLS Enabled True
>Enforcing Mode Enforcing
>Plugin Name plugins.catchall
>Host Name localhost
>Platform Linux localhost 2.6.18-1.8492.fc6 #1 SMP Fri Nov 10 12:45:28 EST
>2006 i686 i686
>Raw Audit Messages
>avc: denied { write } for comm='"ifconfig"' dev='sda10' egid='0' euid='0'
>exe='"/sbin/ifconfig"' exit='0' fsgid='0' fsuid='0' gid='0' items='0'
>name='"openvpn.log"' path='"/etc/openvpn/openvpn.log"' pid='2983'
>scontext=system_u:system_r:ifconfig_t:s0 sgid='0'
>subj='system_u:system_r:ifconfig_t:s0' suid='0' tclass='file'
>tcontext=system_u:object_r:openvpn_etc_t:s0 tty='(none)' uid='0'
This is on a laptop. I tried "restorecon -v /etc/openvpn/openvpn.log" but
since openvpn.log is recreated on each boot it's always going to
have the wrong label. How can I get rid of this?
>Summary
>SELinux is preventing access to files with the default label, default_t.
>Detailed Description
>These files have the default label on them. This can indicate a labeling
>problem, especially if the files being referred to are not top level
>directories. IE everything under /usr, /var. /dev, /tmp, ... should not
>be labeled with the default label. The default label is for files who do
>not have a label on a parent directory. So if you create a new directory
>in / you might legitimately get this label.
>Allowing Access
>If you want a confined domain to use these files you will probably need
>to relabel the file/directory with chcon. In some cases it is just
>easier to relabel the system, to relabel execute: "touch /.autorelabel;
>reboot"
>Additional Information
>Source Context system_u:system_r:procmail_t:s0
>Target Context system_u:object_r:default_t:s0
>Target Objects / [ dir ]
>Affected RPM Packages procmail-3.22-17.1 [application]filesystem-2.4.0-1
>[target]
>Policy RPM selinux-policy-2.4.3-10.fc6
>Selinux Enabled True
>Policy Type targeted
>MLS Enabled True
>Enforcing Mode Enforcing
>Plugin Name plugins.default
>Host Name localhost
>Platform Linux localhost 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST
>2006 i686 i686
>Raw Audit Messages
>avc: denied { search } for comm='"procmail"' dev='sda8' egid='12'
>euid='0' exe='"/usr/bin/procmail"' exit='-13' fsgid='12' fsuid='0'
>gid='12' items='0' name='"/"' pid='3112'
>scontext=system_u:system_r:procmail_t:s0 sgid='12'
>subj='system_u:system_r:procmail_t:s0' suid='0' tclass='dir'
>tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'
Again I tried "touch /.autorelabel; reboot" but I keep getting the AVC
denied message.
Regards,
Tony
--
Tony Molloy.
System Manager.
Dept. of Comp. Sci.
University of Limerick
17 years, 5 months
VMware update needs dbus sendmsg
by Tom London
Running latest rawhide, targeted enforcing.
I updated VMware from VMware-workstation-5.5.2-29772.i386.rpm to
VMware-workstation-5.5.3-34685.i386.rpm.
New VMware will not run in enforcing mode, but will in permissive
mode. Here is console output from enforcing mode:
[tbl@localhost ~]$ vmware
GTK Accessibility Module initialized
process 4409: Applications must not close shared connections - see
dbus_connection_close() docs. This is a bug in the application.
D-Bus not built with -rdynamic so unable to print a backtrace
GTK Accessibility Module initialized
/usr/lib/vmware/bin/vmware: symbol lookup error: /usr/lib/libspi.so.0:
undefined symbol: atk_hyperlink_impl_get_type
[tbl@localhost ~]$
In permissive mode:
[tbl@localhost ~]$ vmware
GTK Accessibility Module initialized
[tbl@localhost ~]$
In permissive mode, produces many (e.g., >1000) AVCs trying to access
DBUS. Here are 2 of them:
type=USER_AVC msg=audit(1164639327.028:1041): user pid=2165 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied { send_msg } for msgtype=method_call
interface=org.freedesktop.Hal.Device member=PropertyExists
dest=org.freedesktop.Hal spid=4488 tpid=2652
scontext=user_u:system_r:unconfined_execmem_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=dbus :
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=USER_AVC msg=audit(1164639327.028:1042): user pid=2165 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied { send_msg } for msgtype=method_return dest=:1.25 spid=2652
tpid=4488 scontext=system_u:system_r:hald_t:s0
tcontext=user_u:system_r:unconfined_execmem_t:s0 tclass=dbus :
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
or
allow hald_t unconfined_execmem_t:dbus send_msg;
allow unconfined_execmem_t hald_t:dbus send_msg;
Make sense to add?
tom
--
Tom London
17 years, 5 months
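The squid, procmail/ifconfig and VMware/D-Bus posts above all start from the same step: reading a raw AVC record, working out which source type, target type, object class and permission it names, and then deciding whether the right answer is an allow rule (what audit2allow would print) or a relabel (the default_t case that the setroubleshoot text in Tony Molloy's post describes). The following Python script is an added example, not code from this thread and not setroubleshoot's or audit2allow's own code: it parses the three record formats that appear in the posts above (kernel/dmesg style, setroubleshoot "Raw Audit Messages" style with quoted values, and auditd USER_AVC records for D-Bus), re-joins records that mail clients wrapped across lines, collapses them into allow rules, and separates out denials whose target type is default_t (or the other unlabeled-file types, file_t and unlabeled_t), where the fix is restorecon or a semanage fcontext rule rather than new policy. The sample records are copies of lines quoted in the posts above; the LABELING_TYPES set and the function names are my own.

```python
"""Parse SELinux AVC denials in the three textual forms seen in this thread,
collapse them into audit2allow-style allow rules, and flag the denials that
point at a labeling problem rather than a missing rule.
Added example; not code from the thread or from setroubleshoot/audit2allow.
"""
import re
from collections import defaultdict

PERMS_RE = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Target types that mean "this object never got a proper label".  default_t is
# the case discussed in the squid and procmail posts; file_t/unlabeled_t are the
# other standard unlabeled-file types (my own heuristic, not from the thread).
LABELING_TYPES = {"default_t", "file_t", "unlabeled_t"}

# Records copied from the posts above, re-wrapped the way mail clients do it.
SAMPLE = """\
audit(1164321995.887:79): avc: denied { read } for pid=2969
comm="pam_console_app" name="/" dev=loop0 ino=1472
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=system_u:object_r:iso9660_t:s0 tclass=dir
avc: denied { search } for comm='"squid"' dev='sdb5' egid='0'
euid='0' exe='"/usr/sbin/squid"' exit='-13' name='"/"' pid='3114'
scontext=system_u:system_r:squid_t:s0 tclass='dir'
tcontext=system_u:object_r:default_t:s0 tty='(none)' uid='0'
type=USER_AVC msg=audit(1164639327.028:1042): user pid=2165 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied { send_msg } for msgtype=method_return dest=:1.25 spid=2652
tpid=4488 scontext=system_u:system_r:hald_t:s0
tcontext=user_u:system_r:unconfined_execmem_t:s0 tclass=dbus :
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
"""


def split_records(text):
    """Re-join records wrapped across lines: a new record starts at a line
    beginning with 'type=', 'audit(' or 'avc:'; anything else continues it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"(type=|audit\(|avc:)", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Extract permissions, source/target types and class from one record.
    Returns None for non-AVC records (SYSCALL, AVC_PATH, ...)."""
    m = PERMS_RE.search(record)
    if not m:
        return None
    # Values may be bare (dev=loop0), single-quoted ('dir') or doubly quoted
    # ('"squid"'); strip both quote kinds.
    kv = {k: v.strip("'\"") for k, v in KV_RE.findall(record)}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {
        "perms": set(m.group(1).split()),
        "stype": kv["scontext"].split(":")[2],   # user:role:TYPE[:range]
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "comm": kv.get("comm", "?"),
        "name": kv.get("path") or kv.get("name", ""),
    }


def summarize(text):
    """Group denials by (source type, target type, class) -> permission set."""
    grouped = defaultdict(set)
    for rec in split_records(text):
        d = parse_avc(rec)
        if d:
            grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(grouped)


def allow_rules(grouped):
    """Render audit2allow-style rules, one per (source, target, class)."""
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = " ".join(sorted(perms))
        body = f"{{ {p} }}" if len(perms) > 1 else p
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


def labeling_problems(grouped):
    """Denials whose fix is restorecon / semanage fcontext, not an allow rule."""
    return [(s, t, c) for (s, t, c) in grouped if t in LABELING_TYPES]


if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    grouped = summarize(text)
    for rule in allow_rules(grouped):
        print(rule)
    for s, t, c in labeling_problems(grouped):
        print(f"# {s} -> {t}:{c}: target has an unlabeled-file type; "
              "relabel it instead of allowing the access")
```

Run on the sample it prints three rules and flags only the squid one. The hald_t/unconfined_execmem_t rule is exactly the kind of line Tom London's post asks about, which is the point of keeping the two outputs apart: a rule generator will happily emit `allow squid_t default_t:dir search;` too, and that rule would paper over a label that should have been fixed with restorecon or a `semanage fcontext` entry for /space/squid. The script does not attach AVC_PATH records to the AVC they belong to, so the name field is only whatever name= or path= the AVC line itself carried.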
rpm -V/prelink/exec{mem,stack,heap,mod}
by Tom London
Running rawhide, targeted/enforcing.
After some problems completing daily updates, I decided to do a brute
force winnowing of the installed packages on my system via:
for i in `rpm -qa`
do
rpm -V $i
done
This generated lots of chaff, but I did get a few complaints and AVCs
from prelink. Here are a few examples:
type=AVC msg=audit(1164207673.111:60): avc: denied { execmod } for
pid=14045 comm="ld-linux.so.2"
name="libSDL-1.2.so.0.7.3.#prelink#.KpNF6b" dev=dm-0 ino=5474274
scontext=user_u:system_r:rpm_t:s0 tcontext=user_u:object_r:lib_t:s0
tclass=file
type=SYSCALL msg=audit(1164207673.111:60): arch=40000003 syscall=125
success=no exit=-13 a0=aa4000 a1=7c000 a2=5 a3=bfe79f30 items=0
ppid=14035 pid=14045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so"
subj=user_u:system_r:rpm_t:s0 key=(null)
type=AVC_PATH msg=audit(1164207673.111:60):
path="/usr/lib/libSDL-1.2.so.0.7.3.#prelink#.KpNF6b"
type=AVC msg=audit(1164207351.971:48): avc: denied { execstack } for
pid=5126 comm="ld-linux.so.2" scontext=user_u:system_r:rpm_t:s0
tcontext=user_u:system_r:rpm_t:s0 tclass=process
type=SYSCALL msg=audit(1164207351.971:48): arch=40000003 syscall=125
success=no exit=-13 a0=bfa65000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=5125 pid=5126 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so"
subj=user_u:system_r:rpm_t:s0 key=(null)
type=AVC msg=audit(1164207446.818:49): avc: denied { execmem } for
pid=6730 comm="ld-linux.so.2" scontext=user_u:system_r:rpm_t:s0
tcontext=user_u:system_r:rpm_t:s0 tclass=process
type=SYSCALL msg=audit(1164207446.818:49): arch=40000003 syscall=192
success=no exit=-13 a0=8048000 a1=91b000 a2=7 a3=812 items=0 ppid=6729
pid=6730 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so"
subj=user_u:system_r:rpm_t:s0 key=(null)
type=AVC msg=audit(1164208640.223:66): avc: denied { execheap } for
pid=30931 comm="ld-linux.so.2" scontext=user_u:system_r:rpm_t:s0
tcontext=user_u:system_r:rpm_t:s0 tclass=process
type=SYSCALL msg=audit(1164208640.223:66): arch=40000003 syscall=125
success=yes exit=0 a0=4f40d000 a1=6a000 a2=5 a3=bfc234f0 items=0
ppid=30907 pid=30931 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 comm="ld-linux.so.2" exe="/lib/ld-2.5.90.so"
subj=user_u:system_r:rpm_t:s0 key=(null)
I'm guessing this is probably an (obscure?) edge case, but is there a
missing transition from rpm_t to something like prelink_t?
Here is a particular case (this one generated the last AVC (execheap) above):
[root@localhost ~]# rpm -V compiz
prelink: /usr/bin/compiz.#prelink#.bdtGdC Could not trace symbol resolving
S.?..... /usr/bin/compiz
[root@localhost ~]# setenforce 0
[root@localhost ~]# rpm -V compiz
[root@localhost ~]#
tom
--
Tom London
17 years, 5 months
denied avc's for hald how to fix
by Antonio Olivares
Dear all,
I keep getting these AVCs. I have updated to the latest
policies. I keep getting "hpiod Failed" when shutting
down.
audit(1164099425.079:4): avc: denied { name_bind }
for pid=2140 comm="hpiod" src=2208
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
eth0: no IPv6 routers present
audit(1164099426.320:5): avc: denied { name_bind }
for pid=2145 comm="python" src=2207
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
audit(1164099430.289:6): avc: denied { search } for
pid=2325 comm="hald" name="irq" dev=proc
ino=-268435212 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1164099430.290:7): avc: denied { search } for
pid=2325 comm="hald" name="irq" dev=proc
ino=-268435212 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1164099430.290:8): avc: denied { search } for
pid=2325 comm="hald" name="irq" dev=proc
ino=-268435212 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1164099430.290:9): avc: denied { search } for
pid=2325 comm="hald" name="irq" dev=proc
ino=-268435212 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1164099430.290:10): avc: denied { search } for
pid=2325 comm="hald" name="irq" dev=proc
ino=-268435212 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
Thanks for your help,
Antonio
17 years, 5 months
semodule error/question
by Leffler, Sean
The Setup:
In VMware (winders based) I created a FC5 barebones httpd server running
strict policy.
Couldn't start the init process before it hung.
I ran dmesg | audit2allow -M dmesg and got a nice big module to install.
Since this is only for learning on a test network I decided to add the
whole module.
When I ran semodule -i dmesg.pp I got this error:
libsemanage.semanage_link_sandbox: Could not access sandbox base file
/etc/selinux/strict/modules/tmp/base.pp.
semodule: Failed!
There is no /etc/selinux/strict/modules or
/etc/selinux/strict/modules/tmp/ directory.
Is this created only when using the policy src.rpm? I did read in a
January '06 post that there was some problems with the
module/module.conf, don't know if this is related.
Pertinent info:
Kernel 2.6.18-1.2239.fc5
Checkpolicy-1.32-1.fc5
selinux-policy-strict.noarch 2.3.7-2.fc5
libsemanage-1.6.17-1
Policycoreutils-1.33.1-1
Thanks guys,
Sean
17 years, 5 months
sealert and setroubleshootd
by Eric Tanguy
I have setroubleshootd running as a service but I can't run sealert.
When I try to run it nothing happens, so I tried to run it from a root
command line with -v:
Traceback (most recent call last):
File "/usr/bin/sealert", line 440, in ?
print s
NameError: name 's' is not defined
What's the problem ?
Thanks
Eric
17 years, 5 months
error running slimserver on FC6
by Robin Bowes
Hi,
I'm running slimserver (http://slimdevices.com) on a minimal FC6 system.
I have created a slimserver user with homedir /opt/slimserver, and the
main binary runs out of /opt/slimserver/trunk/server (I'm running the
latest dev version from svn).
When I fire it up I get an avc error. audit2allow produces this:
allow unconfined_t user_home_t:file execmod;
I know how to modify the policy to allow this but I'm wondering how I
might go about identifying what's causing the problem and fixing it more
specifically, i.e. using chcon or something?
This is the full text of the error in audit.log:
type=AVC msg=audit(1163892174.128:14): avc: denied { execmod } for
pid=1364 comm="slimserver.pl" name="mysql.so" dev=dm-2 ino=200014
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1163892174.128:14): arch=40000003 syscall=125
success=no exit=-13 a0=8d0000 a1=2a000 a2=5 a3=bfc37f10 items=0
ppid=1360 pid=1364 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 comm="slimserver.pl" exe="/usr/bin/perl"
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1163892174.128:14):
path="/opt/slimserver/trunk/server/CPAN/arch/5.8/i386-linux-thread-multi/auto/DBD/mysql/mysql.so"
Any idea how I can resolve this?
Thanks,
R.
17 years, 5 months
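Both the prelink post (execmod on a #prelink# temporary copy of libSDL) and the slimserver post just above (execmod on DBD::mysql's mysql.so under user_home_t) are execmod denials, and the slimserver question is how to find out what is causing the denial rather than just allowing it. An execmod denial on a shared library normally means ld.so had to write into the library's text at load time, i.e. the object was linked with text relocations; the labeling answer for such a library is textrel_shlib_t, and the real fix is rebuilding it as position-independent code. The following Python is an added example, not code from this thread or from slimserver: it reads the PT_DYNAMIC segment of a little-endian ELF32 or ELF64 object and reports whether it declares DT_TEXTREL or the DF_TEXTREL bit in DT_FLAGS. It includes a builder for minimal synthetic ELF images (constructed test input, not real libraries) so that it runs offline; the function names, including check_file, are mine.

```python
"""Report whether an ELF shared object carries text relocations (DT_TEXTREL or
DF_TEXTREL in DT_FLAGS).  A library that has them is patched in place by ld.so
at load time, which is the usual reason an 'execmod' AVC shows up for it.
Added example; not code from the thread or from slimserver.
"""
import struct

PT_DYNAMIC = 2
DT_NULL, DT_NEEDED, DT_TEXTREL, DT_FLAGS = 0, 1, 22, 30
DF_TEXTREL = 0x4

# (Ehdr, Phdr, Dyn) struct formats per ELF class, little-endian only.
FORMATS = {
    1: ("<16sHHIIIIIHHHHHH", "<IIIIIIII", "<iI"),  # ELFCLASS32
    2: ("<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"),  # ELFCLASS64
}


def _phdrs(data, cls, phoff, phentsize, phnum):
    """Yield (p_type, p_offset, p_filesz); the two classes order fields differently."""
    _, phdr_fmt, _ = FORMATS[cls]
    for i in range(phnum):
        fields = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if cls == 1:   # type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_offset, _, _, p_filesz = fields[:5]
        else:          # type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, _, p_offset, _, _, p_filesz = fields[:6]
        yield p_type, p_offset, p_filesz


def has_textrel(data):
    """True if the dynamic section declares text relocations."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls = data[4]
    if cls not in FORMATS or data[5] != 1:
        raise ValueError("only little-endian ELF32/ELF64 handled here")
    ehdr_fmt, _, dyn_fmt = FORMATS[cls]
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    dyn_size = struct.calcsize(dyn_fmt)
    for p_type, p_offset, p_filesz in _phdrs(data, cls, phoff, phentsize, phnum):
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, dyn_size):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False


def check_file(path):
    with open(path, "rb") as f:
        return has_textrel(f.read())


def build_fake_so(cls, textrel, via_flags=False):
    """Constructed test input: an ET_DYN image holding only a PT_DYNAMIC
    segment, optionally marked with DT_TEXTREL or DF_TEXTREL.  Not loadable."""
    ehdr_fmt, phdr_fmt, dyn_fmt = FORMATS[cls]
    ehsize, phentsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    dyn_off = ehsize + phentsize
    entries = [(DT_NEEDED, 0)]
    if textrel:
        entries.append((DT_FLAGS, DF_TEXTREL) if via_flags else (DT_TEXTREL, 0))
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack(dyn_fmt, t, v) for t, v in entries)
    ident = b"\x7fELF" + bytes([cls, 1, 1]) + bytes(9)
    ehdr = struct.pack(ehdr_fmt, ident, 3, 62 if cls == 2 else 3, 1, 0,
                       ehsize, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
    if cls == 1:
        phdr = struct.pack(phdr_fmt, PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 6, 8)
    else:
        phdr = struct.pack(phdr_fmt, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "TEXTREL" if check_file(path) else "no text relocations")
```

On a live system `readelf -d mysql.so | grep TEXTREL` or elfutils' `eu-findtextrel` gives the same answer; the value of spelling the logic out is seeing that the whole question reduces to one dynamic-section flag. A library with the flag set can be labeled textrel_shlib_t with chcon (or, persistently, a semanage fcontext entry plus restorecon) instead of granting execmod to the whole domain, and a library without the flag that still triggers execmod needs a different explanation, which is worth knowing before writing the rule audit2allow suggests.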