New SELinux User
by Linda Finch
I am trying to get up to speed with SELinux however as I am also a novice
Linux user (my OS knowledge has been with other systems) this is a very
steep learning curve! To ease the pain, I purchased the SELinux by example
book and have been trying to work through the example policy module for the
IRC daemon.
I set up a standard FC4 workstation with the required strict src policy, IRC
etc and proceeded to follow through the book however I cannot get it to
compile. When I enter the make && make install && make load command I get
the following error:
make && make install && make load
/usr/bin/checkpolicy -o policy.21 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/program/ircd.te:28:ERROR 'duplicate declaration of type/attribute'
at token ';' on line 290384:
type ircd_log_t, file_type, sysadmfile, logfile;
#line 28
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.21] Error 1
I've double checked the ircd.te file, looked at the policy.conf file and
can't see anything wrong. Is this error immediately obvious to anyone
(without knowing the example in the book of course!)? If so, please help!
Apologies if there is something simple that I've not done - as I say, I'm a
novice user! I've also had a go with the reference policy example in the
book for FC5 and couldn't get that to compile either. That gives an error
with the generated_definitions.conf file. I downloaded the most up-to-date
version of the refpolicy from Tresys' site but maybe there are other patches
I need? Again, this was a std FC5 install.
Thanks in advance
Linda
17 years, 5 months
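The checkpolicy error quoted in the post above means the same name is declared twice somewhere in the concatenated policy.conf. The following is an added example, not part of the original post or of the book's policy: a small scanner that lists every type or attribute name declared more than once, with line numbers. The sample policy text is constructed, and the scanner only looks at `type` and `attribute` statements that start a line.

```python
import re
from collections import defaultdict

# Constructed policy.conf fragment (not the poster's file): ircd_log_t is
# declared once by an existing module and again by the new ircd.te.
SAMPLE_POLICY = """\
attribute file_type;
attribute logfile;
type var_log_t, file_type, sysadmfile, logfile;
# type commented_out_t;
type ircd_log_t, file_type, sysadmfile, logfile;
type ircd_t, domain;
type ircd_log_t, file_type, sysadmfile, logfile;
"""

# "type NAME ..." or "attribute NAME;" at the start of a statement.
# Types and attributes share one namespace, so both are tracked together.
DECL_RE = re.compile(r'^\s*(type|attribute)\s+([A-Za-z_][\w.]*)')


def find_duplicate_declarations(text):
    """Map each name declared more than once to its [(line_no, kind), ...]."""
    seen = defaultdict(list)
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = line.split('#', 1)[0]  # ignore comments and '#line' markers
        m = DECL_RE.match(code)
        if m:
            seen[m.group(2)].append((line_no, m.group(1)))
    return {name: locs for name, locs in seen.items() if len(locs) > 1}


if __name__ == '__main__':
    for name, locs in find_duplicate_declarations(SAMPLE_POLICY).items():
        where = ', '.join(f'line {n} ({kind})' for n, kind in locs)
        print(f'{name}: declared at {where}')
```
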
APOL and Fake Attributes
by Leffler, Sean
(not sure if this is the best list to ask this, but here goes...)
Running FC5 and SeTools 3.0.
When I load any policy in apol, they always show up w/ fake attributes
because "names are not stored in binary format."
So how do I get these to show up like they do in the book & screenshots?
thanks,
Sean Leffler
NSTec
17 years, 5 months
dd whole disk within SElinux
by paul mullen
Hi,
I need to create a backup image of my system and was going to use dd
if=/dev/hda of=/dev/hdb.
With SElinux targeted policy enabled will this have any effect on the dd
working correctly?
New to SElinux so any advice is appreciated.
Many Thanks
Paul
17 years, 5 months
Setting up a samba share?
by Knute Johnson
I'm setting up a samba share on my new FC6 install that will be
public with no password required. Just like an unmolested Windows
share.
I found an article that said to put the selinux context description
in /etc/selinux/targeted/contexts/files/file_contexts.local.
My shared directory is /var/share. I put the line:
/var/share(/.*)? system_u:object_r:samba_share_t
in that file.
Is this the correct way to make this change and make it permanent?
Will this do what it is supposed to do?
This is selinux related but why does the directory have to be world
executable to make this work?
Thanks very much,
--
Knute Johnson
Molon Labe...
17 years, 5 months
gdm logout during selinux-policy-targeted update....?
by Tom London
Running rawhide, targeted/enforcing.
Running 'yum update' today again (second time) caused a gdm logout in
the middle of the update when updating selinux-policy-targeted.
Here are the only messages I see:
Nov 7 06:12:21 localhost Updated: pirut.noarch 1.2.7-1.fc7
Nov 7 06:12:30 localhost kernel: security: 3 users, 6 roles, 1562
types, 170 bools, 1 sens, 1024 cats
Nov 7 06:12:30 localhost kernel: security: 59 classes, 48605 rules
Nov 7 06:12:30 localhost dbus: Can't send to audit system: USER_AVC
avc: received policyload notice (seqno=2) : exe="?" (sauid=81,
hostname=?, addr=?, terminal=?)
Nov 7 06:12:30 localhost dbus: Can't send to audit system: USER_AVC
avc: received policyload notice (seqno=2) : exe="/bin/dbus-daemon"
(sauid=500, hostname=?, addr=?, terminal=?)
Nov 7 06:12:30 localhost Updated: selinux-policy-targeted.noarch 2.4.3-1
Nov 7 06:12:30 localhost gconfd (tbl-4169): starting (version
2.16.0), pid 4169 user 'tbl'
Logging in, I can run 'rpm -Uvh selinux-policy-targeted' in permissive
mode with no problem. Rebooting also seems fine.....
Anyone else seeing this?
Anyone have guesses on what is causing this?
tom
--
Tom London
17 years, 5 months
Re: Permission denied for public_html
by John Griffiths
> Subject: Re: Permission denied for public_html
> From: Volker Englisch <Volker(a)englisch.us>
> Date: Mon, 06 Nov 2006 09:18:42 -0500
> To: Paul Howarth <paul(a)city-fan.org>
> CC: fedora-selinux-list(a)redhat.com
>
> On 11/06/2006 04:05 AM Paul Howarth wrote:
>> Try these settings first:
>>
>> # setsebool -P httpd_enable_homedirs 1
>> # setsebool -P samba_enable_home_dirs 1
>>
>> Paul.
>>
>
> I had set these values in order to get samba to work. In fact, at
> some point I thought I did have both samba and http access to the
> public_html directory working but when I made additional changes
> trying to allow a cgi script to write to a directory I must have
> messed up the access to the user websites.
>
The context of the directory has to be public_content_rw_t for both
Samba and httpd to access it.
Regards,
John Griffiths
> By the way, access to the main website
> http://mydomain.us/
> works without problems.
>
> Thanks
>
> Volker Englisch
17 years, 5 months
Need help for midterm project/presentation (FC5 & SELinux)
by Leffler, Sean
So I volunteered (!?!?!) to give a presentation on SELinux for my
midterm project.
At the time I thought 'cool, how hard can this be.' (ok, you can stop
laughing now)
So now I'm a bit panicked. I picked up the O'Reilly book and the other
one SELinux by example.
The pickle I'm in is that the class is using FC5 and both books were
written for earlier versions and it's befuddling me.
So I thought I would beg on this list for a few examples I could present
to the class on how to do some basic policy stuff.
Like here is a new widget and this is how you modify permissions to make
it work, yada yada. Nothing major just simple stuff like that. (I will
touch on the targeted policy for the big daemons/services but I wanted
to show how you might tackle a problem that was not part of the targeted
list.)
I have been reading everything I can find on FC5/SELinux but I've just
run out of time.
So any help would be appreciated, and FWIW, I really dig this stuff. :)
Sean
17 years, 5 months
denied {search} pam_console_app
by Robin Bowes
Hi,
I'm seeing a whole raft of these msgs at boot:
audit(1162812576.696:158): avc: denied { search } for pid=523
comm="pam_console_app" name="var" dev=dm-0 ino=229377
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit2allow suggests this to fix:
allow pam_console_t file_t:dir search;
My question:
Is this the right fix? Or is there some chcon magic I can do?
R.
17 years, 5 months
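The denial quoted in the post above can be taken apart field by field. The following is an added example, not part of the original post: it parses an AVC denial, rebuilds the allow rule that audit2allow printed, and flags the case where the target type is file_t (the type files carry when they have never been given a label) or unlabeled_t. The function names are assumptions made for this example; the sample line is the one from the post, joined onto one line.

```python
import re

# The denial from the post, with the mail line-wrapping removed.
SAMPLE = ('audit(1162812576.696:158): avc: denied { search } for pid=523 '
          'comm="pam_console_app" name="var" dev=dm-0 ino=229377 '
          'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 '
          'tcontext=system_u:object_r:file_t:s0 tclass=dir')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial into its permissions and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(context):
    """Return the type: third field of user:role:type[:level]."""
    return context.split(':')[2]


def triage(line):
    """Return (allow_rule, note) for one denial."""
    f = parse_avc(line)
    src, tgt = context_type(f['scontext']), context_type(f['tcontext'])
    perms = f['perms']
    perm_txt = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    rule = f"allow {src} {tgt}:{f['tclass']} {perm_txt};"
    if tgt in ('file_t', 'unlabeled_t'):
        note = (f"target '{f['name']}' is {tgt}: the object has no proper "
                "label, so check its labeling (restorecon/chcon) before "
                "adding an allow rule")
    else:
        note = 'target is labeled; review whether the access is intended'
    return rule, note


if __name__ == '__main__':
    for text in triage(SAMPLE):
        print(text)
```
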
SELinux is preventing /usr/sbin/groupadd
by Norm
I am sure the explanation and information is clear enough in the
Setroubleshoot browser report but the catch is I don't understand it
nor can I seem to figure out what to do to stop the problem "SELinux is
preventing /usr/sbin/groupadd(useradd_t) "sys_tty_config" to <Unknown>
(groupadd_t)" I appreciate that it could be an intrusion attempt but
that is unlikely and as it occurred when I was not on the computer I
assume it is part of a cron process or similar.
How do I deal with it?
17 years, 5 months
setsebool sandbox error on FC6
by Arthur M. Kang
On a fresh install of FC6, I'm getting errors when trying to use the
setsebool command.
# setsebool httpd_disable_trans 1
libsemanage.semanage_commit_sandbox: Error while renaming
/etc/selinux/targeted/modules/active to
/etc/selinux/targeted/modules/previous.
Could not change policy booleans
Has anyone else experienced similar problems? Is there a problem on my
end? Is there a fix?
Although the error message is generated, the boolean does get set.
However, the -P switch doesn't work and the boolean won't stick across
reboots.
Is there an alternate method to remotely configure booleans that stick
across reboots?
Any help is appreciated.
Arthur
17 years, 5 months