Nagios Web Interface and SELinux
by Ryan Skadberg
I have been trying to get nagios up and running on 2 different
machines. One running FC5 and one running FC6. Nagios itself starts
up fine, but the web interface fails miserably.
When looking at /var/log/messages, I see things like:
Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
{ execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
I noticed in the selinux-policy-targeted Changelog:
* Wed Jul 26 2006 Dan Walsh <dwalsh(a)redhat.com> 2.3.3-13
- Add nagios policy
This may have been for the program itself or maybe the web interface,
but it sure doesn't seem to be working for me.
Both systems are set to:
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
Anyone have any advice on how to fix this?
Thanks!
Skadz
16 years, 2 months
[ANN] Madison policy generation tools
by Karl MacMillan
The first public release of the Madison SELinux policy generation tools
can be found at http://et.redhat.com/madison/. Madison is a new project
to create command line and GUI policy generation tools that:
* Create more readable and secure policy by leveraging the reference
policy development environment.
* Provide administrators with guidance and information to help them
make good security decisions.
This release focuses on the creation of a foundation library (in
python). It only includes a single tool - audit2policy - that is a drop
in replacement for audit2allow with better reference policy interface
call generation (using the undocumented -R audit2allow flag).
Contributions are very welcome. I'm looking for help with:
* Testing (particularly interface call generation and module
generation)
* Documentation
* Unit test creation
* Code / tool development
See the website for more details on contributing.
To the authors of other policy generation tools: I would like to avoid
duplication of effort where possible. The current release focuses on
areas that other tools have not explored thoroughly. Moving forward I
would like to discuss how we can best work together.
Please send any feedback to the selinux development list.
Thanks - Karl
16 years, 11 months
vmware beta....needs mount/unmount?
by Tom London
Running latest rawhide, targeted/enforcing.
I'm testing the latest vmware beta (6?).
Seems to want to mount on /proc/fs/vmware-block/mountPoint:
none on /proc/fs/vmware-block/mountPoint type vmware-block (rw)
This produces the following AVC during boot:
type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for
pid=2225 comm="mount" name="/" dev=vmware-block ino=1
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21
success=yes exit=0 a0=937cdd8 a1=937ce00 a2=937cde8 a3=c0ed0000
items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount"
subj=system_u:system_r:mount_t:s0 key=(null)
I believe this is the associated AVC from 'unmount' during shutdown:
type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for
pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22
success=yes exit=0 a0=9f20120 a1=bffc51f0 a2=9f20148 a3=9f20121
items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount"
exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
This appears to be the script from /etc/init.d/vmware:
# Start the file system blocking driver
vmware_start_vmblock() {
mkdir -p /tmp/VMwareDnD && chmod 777 /tmp/VMwareDnD
vmware_exec 'Loading module' vmware_load_module $vmblock
exitcode=`expr $exitcode + $?`
mount -t vmware-block none /proc/fs/vmware-block/mountPoint
}
# Stop the file system blocking driver
vmware_stop_vmblock() {
umount /proc/fs/vmware-block/mountPoint
vmware_unload_module $vmblock
}
Right way to fix?
tom
--
Tom London
16 years, 11 months
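The three threads above (the Nagios "execute_no_trans" denial, the Madison/audit2allow announcement, and the vmware-block mount denials) all turn on the same workflow: turn raw AVC records into candidate allow rules, then decide whether an allow rule is actually the right fix. The following is an added example, not code from those posts, from audit2allow or from Madison. It re-implements audit2allow's core step (group denials by source type, target type and object class, union the permissions) and then applies two review heuristics of this example's own choosing: an execute denial on a file whose label is not an executable type suggests the file is mislabelled, and a denial against `unlabeled_t` suggests the object needs a label rather than a blanket allow. The set of "normal executable" labels (bin_t, sbin_t, anything ending in exec_t) is an assumption about the reference policy of that era, and the sample log is constructed from the denials quoted in the posts.

```python
"""Turn raw SELinux AVC denials into candidate allow rules, then review them.

Added example; see lead-in. EXEC_LABELS and the two review heuristics are
this example's assumptions, not policy from the posts or from audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample: the three denials quoted in the posts above, one per
# line (the /var/log/messages form and the auditd "type=AVC" form).
SAMPLE_LOG = """\
Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for pid=2225 comm="mount" name="/" dev=vmware-block ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXEC_LABELS = ("bin_t", "sbin_t")   # plus any *exec_t; assumption, see lead-in


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]   # user:role:type[:range]
    return rec


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def generate_rules(records):
    """audit2allow-style: one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["scontext_type"], r["tcontext_type"], r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        plist = " ".join(sorted(ps))
        if len(ps) > 1:
            plist = "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, plist))
    return rules


def review(records):
    """Flag denials where an allow rule is probably the wrong fix."""
    findings = []
    for r in records:
        tgt, perms = r["tcontext_type"], set(r["perms"])
        if (r["tclass"] == "file" and perms & {"execute", "execute_no_trans"}
                and not (tgt.endswith("exec_t") or tgt in EXEC_LABELS)):
            # e.g. a CGI labelled lib_t: relabel the file, do not widen httpd_t
            findings.append(("mislabelled", r["scontext_type"], r.get("name", "?"), tgt))
        if tgt == "unlabeled_t":
            # the object has no label at all; an allow on unlabeled_t is a blanket grant
            findings.append(("unlabeled", r["scontext_type"], r["tclass"], r.get("dev", "?")))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in generate_rules(recs):
        print(rule)
    for finding in review(recs):
        print("REVIEW:", finding)
```

Run against the sample, `generate_rules` produces exactly what `audit2allow` would suggest (`allow httpd_t lib_t:file execute_no_trans;` and `allow mount_t unlabeled_t:filesystem { mount unmount };`), while `review` flags both: the CGI is carrying a shared-library label, so the fix is to restore or define the file context (`restorecon`, `semanage fcontext`) rather than to let httpd_t execute lib_t, and the vmware-block filesystem has no label, so an allow on unlabeled_t would cover every unlabeled object on the system, not just that mount.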
Basic GUI on strict policy
by mantaray_1
List members -
I have recently been working on setting up a strict policy (using
selinux-policy-2.4.6-1.fc6), and I thought I would make a post to share
the module I made which allows logging in and entering the GUI. The
module includes four user-defined types, which I use to limit program
access to my home directories, but which do not need to be included.
Some rules would need to be adapted for use without three of the four
user-defined types (which are for ".gnome", ".gnome2", and
".gnome2_private" in the user's home directory). I have not taken the
time to translate the "allow" statements into calls to "access
interfaces", but the module could be a starting point for someone
working on developing a personalized strict policy for their system. I
had several problems with mls while working on the policy, and this is
why the mls interfaces are included for "user_t" in the module. I did
not take the time to see exactly which statements were necessary, since
I am not particularly interested in using mls anyway. Without the
additional types, the ".fc" file could be blank, and the ".if" file
could simply contain a descriptive title such as: "## <summary>Rules
added for GUI access</summary>". I have included this module in the
"apps" folder on my system. To use the module, after placing the files
in the "apps" folder, run "make conf" and "make load".
I want to make it clear that I do not work with SELinux policy
professionally, and I am not an expert on policy creation or Linux
security. I may have included permissions that are not needed, and I
may have omitted permissions that are needed. I am making this post
because I want to share what I came up with while working on a policy
for my own system. In short: It works for my system, and it took a bit
of work for me to get to this point, so I want to share it.
Developers -
From my experience, I have a couple of comments I hope policy
developers will find helpful:
First, a strict policy without mls enabled that would function
essentially the same as the "strict-mls" option might be useful to some
users. I would have preferred to install "strict" rather than
"strict-mls" but my system would not even boot with the non-mls version.
I did not investigate this problem very carefully, but I found, for
example, that there is no "netifcon lo ..." statement for "strict",
while there is for "strict-mls".
Second, I found some of the permissions needed to successfully enter the
GUI were difficult to determine (without sorting through lots of extra
"denied" statements that resulted from disabling "dontaudit"
statements). Perhaps some time could be spent developing a policy
somewhere between "strict" and "targeted" that allows more access and
has fewer "dontaudit" statements written into the modules; or perhaps an
optional module could be included with the "strict" policy that has been
written by someone who knows exactly what is needed and what is not
needed (rather than by someone like myself), and that allows basic
access to the GUI.
-Ken-
*********************************
*********************************
policy_module(basic_use,1.0)
#########
#
# These rules are needed for basic operation using the strict policy.
#
require
{
class capability { fowner setgid setuid sys_tty_config };
class chr_file { getattr ioctl read write };
class dbus send_msg;
class dir { add_name getattr read remove_name search setattr write };
class fd use;
class fifo_file { getattr ioctl read write };
class file { create execute execute_no_trans getattr read setattr
unlink write };
class filesystem { associate getattr };
class netif { tcp_recv tcp_send };
class process { execheap execmem execstack getpgid getsched signal };
class shm { associate create destroy getattr read unix_read unix_write
write };
class sock_file { create unlink write };
class unix_stream_socket connectto;
#
role object_r;
role sysadm_r;
role system_r;
role user_r;
#
type alsa_etc_rw_t;
type apmd_t;
type autofs_t;
type bin_t;
type binfmt_misc_fs_t;
type boot_t;
type cupsd_t;
type cupsd_var_run_t;
type default_t;
type devpts_t;
type etc_runtime_t;
type fonts_t;
type fs_t;
type hostname_t;
type ice_tmp_t;
type initrc_t;
type inotifyfs_t;
type kernel_t;
type lo_netif_t;
type local_login_t;
type lost_found_t;
type lvm_control_t;
type mono_exec_t;
type net_conf_t;
type nscd_var_run_t;
type rpc_pipefs_t;
type shell_exec_t;
type sound_device_t;
type sysadm_dbusd_t;
type sysadm_gconf_tmp_t;
type sysadm_gconfd_t;
type sysadm_home_dir_t;
type sysadm_home_t;
type sysadm_t;
type sysadm_tmp_t;
type sysadm_tty_device_t;
type sysadm_xauth_home_t;
type sysadm_xserver_t;
type sysadm_xserver_tmp_t;
type sysctl_fs_t;
type sysfs_t;
type system_crond_t;
type system_dbusd_t;
type system_dbusd_var_run_t;
type tmpfs_t;
type usbfs_t;
type user_dbusd_t;
type user_gconf_tmp_t;
type user_gconfd_t;
type user_home_dir_t;
type user_home_t;
type user_t;
type user_tmp_t;
type user_tty_device_t;
type user_xauth_home_t;
type user_xserver_t;
type user_xserver_tmp_t;
type var_lib_nfs_t;
type var_lib_t;
type var_run_t;
type var_t;
type xdm_xserver_tmp_t;
}
#
# Types:
#
type file_transfer_t;
type gnome_t;
type gnome2_private_t;
type gnome2_t;
#
# mls:
#
mls_file_read_up(user_t)
mls_file_write_down(user_t)
mls_file_upgrade(user_t)
mls_file_downgrade(user_t)
mls_file_write_within_range(user_t)
mls_socket_read_all_levels(user_t)
mls_socket_read_to_clearance(user_t)
mls_socket_write_all_levels(user_t)
mls_net_receive_all_levels(user_t)
mls_sysvipc_read_all_levels(user_t)
mls_sysvipc_write_all_levels(user_t)
mls_rangetrans_source(user_t)
mls_rangetrans_target(user_t)
mls_process_read_up(user_t)
mls_process_write_down(user_t)
mls_process_set_level(user_t)
mls_xwin_read_all_levels(user_t)
mls_xwin_write_all_levels(user_t)
mls_colormap_read_all_levels(user_t)
mls_colormap_write_all_levels(user_t)
mls_trusted_object(user_t)
mls_fd_use_all_levels(user_t)
mls_fd_share_all_levels(user_t)
mls_context_translate_all_levels(user_t)
#
# Ability to login and enter the GUI:
#
allow apmd_t kernel_t:file read;
allow apmd_t user_tty_device_t:chr_file { getattr ioctl write };
allow gnome2_t fs_t:filesystem associate;
allow hostname_t nscd_var_run_t:dir search;
allow initrc_t lvm_control_t:chr_file write;
allow initrc_t var_t:file { setattr write };
allow sysadm_dbusd_t autofs_t:dir getattr;
allow sysadm_dbusd_t bin_t:file { execute execute_no_trans };
allow sysadm_dbusd_t binfmt_misc_fs_t:dir getattr;
allow sysadm_dbusd_t boot_t:dir getattr;
allow sysadm_dbusd_t devpts_t:dir getattr;
allow sysadm_dbusd_t etc_runtime_t:file { getattr read };
allow sysadm_dbusd_t fonts_t:dir { getattr search };
allow sysadm_dbusd_t fonts_t:file { getattr read };
allow sysadm_dbusd_t fs_t:filesystem getattr;
allow sysadm_dbusd_t inotifyfs_t:dir getattr;
allow sysadm_dbusd_t local_login_t:fd use;
allow sysadm_dbusd_t rpc_pipefs_t:dir getattr;
allow sysadm_dbusd_t self:capability { setgid setuid };
allow sysadm_dbusd_t self:fifo_file { getattr ioctl read write };
allow sysadm_dbusd_t self:process { execmem execstack getsched };
allow sysadm_dbusd_t self:shm { create destroy read unix_read unix_write
write };
allow sysadm_dbusd_t self:unix_stream_socket connectto;
allow sysadm_dbusd_t shell_exec_t:file { execute execute_no_trans
getattr read };
allow sysadm_dbusd_t sound_device_t:chr_file { ioctl read write };
allow sysadm_dbusd_t sysadm_gconf_tmp_t:file { getattr read };
allow sysadm_dbusd_t sysadm_gconfd_t:unix_stream_socket connectto;
allow sysadm_dbusd_t sysadm_home_dir_t:dir { getattr read search };
allow sysadm_dbusd_t sysadm_home_t:dir { getattr read search };
allow sysadm_dbusd_t sysadm_home_t:file { getattr read write };
allow sysadm_dbusd_t sysadm_t:dbus send_msg;
allow sysadm_dbusd_t sysadm_tmp_t:dir { add_name getattr remove_name
search setattr write };
allow sysadm_dbusd_t sysadm_tmp_t:sock_file { create write unlink };
allow sysadm_dbusd_t sysadm_tty_device_t:chr_file { read write };
allow sysadm_dbusd_t sysadm_xauth_home_t:file { getattr read };
allow sysadm_dbusd_t sysadm_xserver_t:unix_stream_socket connectto;
allow sysadm_dbusd_t sysadm_xserver_tmp_t:dir search;
allow sysadm_dbusd_t sysadm_xserver_tmp_t:sock_file write;
allow sysadm_dbusd_t sysctl_fs_t:dir search;
allow sysadm_dbusd_t sysfs_t:dir getattr;
allow sysadm_dbusd_t system_dbusd_t:dbus send_msg;
allow sysadm_dbusd_t system_dbusd_t:unix_stream_socket connectto;
allow sysadm_dbusd_t system_dbusd_var_run_t:dir search;
allow sysadm_dbusd_t system_dbusd_var_run_t:sock_file write;
allow sysadm_dbusd_t tmpfs_t:dir getattr;
allow sysadm_dbusd_t tmpfs_t:file { read write };
allow sysadm_dbusd_t usbfs_t:dir getattr;
allow sysadm_dbusd_t user_xserver_tmp_t:dir search;
allow sysadm_dbusd_t user_xserver_tmp_t:sock_file write;
allow sysadm_dbusd_t var_lib_nfs_t:dir search;
allow sysadm_dbusd_t var_lib_t:dir search;
allow sysadm_dbusd_t var_t:file { getattr read };
allow sysadm_gconfd_t local_login_t:fd use;
allow sysadm_gconfd_t sysadm_dbusd_t:unix_stream_socket connectto;
allow sysadm_gconfd_t sysadm_tty_device_t:chr_file { read write };
allow sysadm_t cupsd_t:unix_stream_socket connectto;
allow sysadm_t default_t:file execute;
allow sysadm_t lost_found_t:dir { read write };
allow sysadm_t mono_exec_t:file { execute execute_no_trans };
allow sysadm_t self:process { execmem execstack };
allow sysadm_xserver_t self:process { execmem execstack };
allow sysadm_xserver_t sysadm_dbusd_t:fd use;
allow sysadm_xserver_t sysadm_dbusd_t:shm { associate getattr read
unix_read unix_write write };
allow sysadm_xserver_t sysadm_home_t:dir search;
allow sysadm_xserver_t sysadm_home_t:file { getattr read };
allow sysadm_xserver_t sysadm_t:process getpgid;
allow sysadm_xserver_t tmpfs_t:file { read write };
allow sysadm_xserver_t user_xserver_tmp_t:dir { add_name getattr
remove_name search write };
allow sysadm_xserver_t user_xserver_tmp_t:sock_file { create unlink };
allow system_crond_t var_run_t:dir { add_name remove_name write };
allow system_crond_t var_run_t:file { create unlink write };
allow user_dbusd_t autofs_t:dir getattr;
allow user_dbusd_t bin_t:file { execute execute_no_trans };
allow user_dbusd_t binfmt_misc_fs_t:dir getattr;
allow user_dbusd_t boot_t:dir getattr;
allow user_dbusd_t devpts_t:dir getattr;
allow user_dbusd_t etc_runtime_t:file { getattr read };
allow user_dbusd_t fonts_t:dir { getattr search };
allow user_dbusd_t fonts_t:file { getattr read };
allow user_dbusd_t fs_t:filesystem getattr;
allow user_dbusd_t gnome2_private_t:dir getattr;
allow user_dbusd_t gnome2_t:dir { getattr read search };
allow user_dbusd_t gnome2_t:file { getattr read write };
allow user_dbusd_t inotifyfs_t:dir getattr;
allow user_dbusd_t local_login_t:fd use;
allow user_dbusd_t rpc_pipefs_t:dir getattr;
allow user_dbusd_t self:fifo_file { getattr ioctl read write };
allow user_dbusd_t self:process getsched;
allow user_dbusd_t self:shm { create destroy read unix_read unix_write
write };
allow user_dbusd_t self:unix_stream_socket connectto;
allow user_dbusd_t shell_exec_t:file { execute execute_no_trans getattr
read };
allow user_dbusd_t sound_device_t:chr_file { ioctl read write };
allow user_dbusd_t sysadm_xserver_tmp_t:dir search;
allow user_dbusd_t sysadm_xserver_tmp_t:sock_file write;
allow user_dbusd_t sysctl_fs_t:dir search;
allow user_dbusd_t sysfs_t:dir getattr;
allow user_dbusd_t system_dbusd_t:dbus send_msg;
allow user_dbusd_t system_dbusd_t:unix_stream_socket connectto;
allow user_dbusd_t system_dbusd_var_run_t:dir search;
allow user_dbusd_t system_dbusd_var_run_t:sock_file write;
allow user_dbusd_t tmpfs_t:dir getattr;
allow user_dbusd_t tmpfs_t:file { read write };
allow user_dbusd_t usbfs_t:dir getattr;
allow user_dbusd_t user_gconf_tmp_t:dir { getattr search };
allow user_dbusd_t user_gconf_tmp_t:file { getattr read };
allow user_dbusd_t user_gconfd_t:unix_stream_socket connectto;
allow user_dbusd_t user_home_dir_t:dir { getattr read search };
allow user_dbusd_t user_home_t:dir { read search };
allow user_dbusd_t user_home_t:file { getattr read };
allow user_dbusd_t user_t:dbus send_msg;
allow user_dbusd_t user_tmp_t:dir { add_name getattr remove_name search
setattr write };
allow user_dbusd_t user_tmp_t:sock_file { create unlink write };
allow user_dbusd_t user_tty_device_t:chr_file { read write };
allow user_dbusd_t user_xauth_home_t:file { getattr read };
allow user_dbusd_t user_xserver_t:unix_stream_socket connectto;
allow user_dbusd_t user_xserver_tmp_t:dir search;
allow user_dbusd_t user_xserver_tmp_t:sock_file write;
allow user_dbusd_t var_lib_nfs_t:dir search;
allow user_dbusd_t var_lib_t:dir search;
allow user_dbusd_t var_t:file { getattr read };
allow user_gconfd_t local_login_t:fd use;
allow user_gconfd_t user_dbusd_t:unix_stream_socket connectto;
allow user_gconfd_t user_tty_device_t:chr_file { read write };
allow user_t alsa_etc_rw_t:file read;
allow user_t cupsd_t:unix_stream_socket connectto;
allow user_t cupsd_var_run_t:sock_file write;
allow user_t gnome_t:dir { getattr search };
allow user_t gnome_t:file { getattr read write };
allow user_t gnome2_private_t:dir getattr;
allow user_t gnome2_t:dir { add_name getattr read remove_name search
write };
allow user_t gnome2_t:file { create getattr read unlink };
allow user_t ice_tmp_t:dir { add_name getattr remove_name search write };
allow user_t ice_tmp_t:sock_file { create unlink write };
allow user_t net_conf_t:file read;
allow user_t self:process { execheap execmem execstack };
allow user_t sysadm_xserver_tmp_t:sock_file write;
allow user_t sysctl_fs_t:file read;
allow user_t user_gconfd_t:process signal;
allow user_t user_gconf_tmp_t:dir { getattr search };
allow user_t user_gconf_tmp_t:file { getattr read };
allow user_t user_xserver_t:dir { getattr search };
allow user_t user_xserver_t:file read;
allow user_xserver_t gnome2_t:dir search;
allow user_xserver_t gnome2_t:file { getattr read };
allow user_xserver_t lo_netif_t:netif { tcp_recv tcp_send };
allow user_xserver_t self:capability fowner;
allow user_xserver_t self:process { execmem execstack };
allow user_xserver_t sysadm_xserver_tmp_t:dir { add_name getattr
remove_name search write };
allow user_xserver_t sysadm_xserver_tmp_t:sock_file { create unlink };
allow user_xserver_t tmpfs_t:file { read write };
allow user_xserver_t user_dbusd_t:fd use;
allow user_xserver_t user_dbusd_t:shm { associate getattr read unix_read
unix_write write };
allow user_xserver_t user_t:process getpgid;
allow user_xserver_t xdm_xserver_tmp_t:file read;
# End
16 years, 11 months
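The poster says the module may contain permissions that are not needed and asks for review. A first pass a reviewer would make is mechanical: parse every `allow` statement and shortlist the ones that override memory protections (execmem, execstack, execheap), grant privilege-changing capabilities, or permit execution out of catch-all labels such as default_t. The following is an added example, not part of the basic_use module or the poster's work; the rules in SAMPLE_RULES are copied from the module above, and the RISKY and WEAK_TARGETS sets are this example's own checklist, not a statement about what the module does or does not need.

```python
"""Lint SELinux allow rules for permissions a reviewer should question.

Added example; see lead-in. The checklist sets are assumptions of this
example, not derived from the posted module.
"""
import re

# Constructed sample: a handful of rules copied from the basic_use module above.
SAMPLE_RULES = """\
allow sysadm_dbusd_t self:capability { setgid setuid };
allow sysadm_dbusd_t self:process { execmem execstack getsched };
allow sysadm_t default_t:file execute;
allow user_t self:process { execheap execmem execstack };
allow user_dbusd_t user_home_t:file { getattr read };
allow user_xserver_t self:capability fowner;
allow sysadm_dbusd_t shell_exec_t:file { execute execute_no_trans
    getattr read };
"""

# allow <src> <tgt>:<class> <perm | { perm ... }>;   (braces may span lines)
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+?)\s*;")

# Permissions that weaken memory protection or confinement (example checklist).
RISKY = {
    "process": {"execmem", "execstack", "execheap", "ptrace", "transition"},
    "capability": {"setuid", "setgid", "fowner", "dac_override",
                   "sys_admin", "sys_module", "sys_ptrace"},
    "file": {"execute", "execute_no_trans", "entrypoint"},
}
# Catch-all labels: executing out of these usually means a file is mislabelled.
WEAK_TARGETS = {"default_t", "unlabeled_t", "file_t"}


def parse_rules(text):
    """Return [{src, tgt, cls, perms}] for every allow statement in text."""
    rules = []
    for m in RULE_RE.finditer(text):
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"),
                      "perms": m.group("perms").strip("{}").split()})
    return rules


def lint(rules):
    """Return (src, tgt, cls, [risky perms]) for each rule worth a second look."""
    findings = []
    for r in rules:
        perms = set(r["perms"])
        hits = set()
        if r["cls"] in ("process", "capability"):
            hits = RISKY[r["cls"]] & perms
        elif r["cls"] == "file" and r["tgt"] in WEAK_TARGETS:
            hits = RISKY["file"] & perms
        if hits:
            findings.append((r["src"], r["tgt"], r["cls"], sorted(hits)))
    return findings


def lint_text(text):
    return lint(parse_rules(text))


if __name__ == "__main__":
    for src, tgt, cls, hits in lint_text(SAMPLE_RULES):
        print("allow %s %s:%s grants %s" % (src, tgt, cls, " ".join(hits)))
```

Point it at a whole `.te` file and the output is a shortlist, not a verdict: `execmem`/`execstack` on user_t is often unavoidable with the plugins and JITs of a desktop session, but each entry in the list is one the module author should be able to justify from a specific denial.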
execstack AVCs in Rawhide...?
by Tom London
Running latest Rawhide, targeted/enforcing.
I seem to be getting execstack AVCs from setroubleshootd, sealert,
gaim, mixer_applet2, and firefox-bin.
Firefox has flash and Sun java plugins; guessing that may be part of the issue.
tom
type=DAEMON_START msg=audit(1166807740.587:4053) auditd start,
ver=1.3.1, format=raw, auid=4294967295 pid=2084 res=success, auditd
pid=2084
type=CONFIG_CHANGE msg=audit(1166807740.687:5): audit_enabled=1 old=0
by auid=4294967295 subj=system_u:system_r:auditd_t:s0
type=CONFIG_CHANGE msg=audit(1166807740.893:6):
audit_backlog_limit=256 old=64 by auid=4294967295
subj=system_u:system_r:auditctl_t:s0
type=AVC msg=audit(1166807745.923:7): avc: denied { execstack } for
pid=2187 comm="setroubleshootd"
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=process
type=SYSCALL msg=audit(1166807745.923:7): arch=40000003 syscall=125
success=no exit=-13 a0=bfce1000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=1 pid=2187 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd"
exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0
key=(null)
type=LABEL_LEVEL_CHANGE msg=audit(1166807750.278:8): user pid=2517
uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0
banners=none,none range=unknown: exe="/usr/sbin/cupsd"
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=?
res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1166807750.429:9): user pid=2517
uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
msg='printer=hp_LaserJet_1300
uri=hal:///org/freedesktop/Hal/devices/usb_device_3f0_1017_00CNCB954325_if0_printer_noserial
banners=none,none range=unknown: exe="/usr/sbin/cupsd"
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=?
res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1166807750.494:10): user pid=2517
uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
msg='printer=Innopath uri=file:/dev/null banners=none,none
range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain,
addr=127.0.0.1, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1166807750.496:11): user pid=2517
uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
msg='printer=Local uri=file:/dev/null banners=none,none range=unknown:
exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1,
terminal=? res=success)'
type=USER_ERR msg=audit(1166807765.078:12): user pid=2960 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?,
terminal=? res=failed)'
type=USER_AUTH msg=audit(1166807777.433:13): user pid=3037 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
authentication acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?,
addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1166807777.435:14): user pid=3037 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
accounting acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?,
terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1166807777.436:15): user pid=3037 uid=0
auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
setcred acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?,
terminal=:0 res=success)'
type=LOGIN msg=audit(1166807777.440:16): login pid=3037 uid=0 old
auid=4294967295 new auid=500
type=USER_START msg=audit(1166807777.583:17): user pid=3037 uid=0
auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session
open acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?,
terminal=:0 res=success)'
type=USER_LOGIN msg=audit(1166807777.585:18): user pid=3037 uid=0
auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500:
exe="/usr/sbin/gdm-binary" (hostname=localhost.localdomain,
addr=127.0.0.1, terminal=:0 res=success)'
type=AVC msg=audit(1166807804.117:19): avc: denied { execstack } for
pid=3229 comm="sealert" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807804.117:19): arch=40000003 syscall=125
success=no exit=-13 a0=bf882000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=1 pid=3229 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="sealert"
exe="/usr/bin/python" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807804.624:20): avc: denied { execstack } for
pid=3240 comm="sealert" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807804.624:20): arch=40000003 syscall=125
success=no exit=-13 a0=bff2f000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=3239 pid=3240 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sealert"
exe="/usr/bin/python" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807809.849:21): avc: denied { execstack } for
pid=3283 comm="gaim" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807809.849:21): arch=40000003 syscall=125
success=no exit=-13 a0=bffd9000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=3193 pid=3283 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gaim"
exe="/usr/bin/gaim" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807821.317:22): avc: denied { execstack } for
pid=3419 comm="mixer_applet2"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807821.317:22): arch=40000003 syscall=125
success=no exit=-13 a0=bfa39000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=3408 pid=3419 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mixer_applet2"
exe="/usr/libexec/mixer_applet2" subj=user_u:system_r:unconfined_t:s0
key=(null)
type=USER_AUTH msg=audit(1166807845.960:23): user pid=3460 uid=500
auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication
acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0
res=success)'
type=USER_ACCT msg=audit(1166807845.961:24): user pid=3460 uid=500
auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: accounting
acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0
res=success)'
type=USER_START msg=audit(1166807847.381:25): user pid=3460 uid=500
auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open
acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0
res=success)'
type=CRED_ACQ msg=audit(1166807847.382:26): user pid=3460 uid=500
auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred
acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0
res=success)'
type=AVC msg=audit(1166807900.148:27): avc: denied { execstack } for
pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807900.148:27): arch=40000003 syscall=125
success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
exe="/usr/lib/firefox-2.0/firefox-bin"
subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807900.158:28): avc: denied { execstack } for
pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807900.158:28): arch=40000003 syscall=125
success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
exe="/usr/lib/firefox-2.0/firefox-bin"
subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807900.162:29): avc: denied { execstack } for
pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807900.162:29): arch=40000003 syscall=125
success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
exe="/usr/lib/firefox-2.0/firefox-bin"
subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1166807900.163:30): avc: denied { execstack } for
pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1166807900.163:30): arch=40000003 syscall=125
success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin"
exe="/usr/lib/firefox-2.0/firefox-bin"
subj=user_u:system_r:unconfined_t:s0 key=(null)
--
Tom London
16 years, 11 months
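The SYSCALL records paired with these AVCs show what is actually being asked for: syscall 125 on i386 is mprotect, and a2=1000007 is PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN applied to one page of the stack. That is the call glibc's loader makes when a shared object it has just mapped (typically a plugin loaded with dlopen) either carries a PT_GNU_STACK program header with PF_X set or has no PT_GNU_STACK at all, which the toolchains of that era treated as a request for an executable stack. So the way to confirm the poster's guess about the Flash and Java plugins is to inspect the program headers of the .so files involved. The following is an added example, not code from the post: `decode_prot` names the bits in the audit `a2=` field, `gnu_stack_flags` reads the PT_GNU_STACK header the way `execstack -q` would, and `make_elf32` builds minimal i386 ELF images for this example only (they are constructed sample data, not real libraries). Treating a missing PT_GNU_STACK as executable is the stated assumption about loader behaviour at the time.

```python
"""Decide whether an ELF shared object asks for an executable stack.

Added example; see lead-in. The sample ELF images are constructed here and
are not real libraries; the "missing PT_GNU_STACK means executable" rule is
an assumption about the loader of that era.
"""
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
              0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}


def decode_prot(a2_hex):
    """Names of the mprotect() prot bits in an audit SYSCALL 'a2=' field (hex)."""
    value = int(a2_hex, 16)
    return [name for bit, name in sorted(PROT_FLAGS.items()) if value & bit]


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the object has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 1:                           # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

        def phdr(off):                          # Elf32_Phdr: p_flags is the 7th word
            fields = struct.unpack_from(end + "8I", data, off)
            return fields[0], fields[6]
    elif ei_class == 2:                         # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)

        def phdr(off):                          # Elf64_Phdr: p_flags follows p_type
            return struct.unpack_from(end + "II", data, off)
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        p_type, p_flags = phdr(e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def wants_exec_stack(data):
    """True if loading this object would make the process stack executable."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)   # missing header: assumed executable


def make_elf32(phdrs):
    """Constructed sample: minimal little-endian i386 ET_DYN image containing only
    the given (p_type, p_flags) program headers."""
    ehdr = struct.pack("<4sBBBBB7xHHIIIIIHHHHHH",
                       b"\x7fELF", 1, 1, 1, 0, 0,     # ELFCLASS32, LSB, EV_CURRENT
                       3, 3, 1, 0, 52, 0, 0,         # ET_DYN, EM_386, e_phoff=52
                       52, 32, len(phdrs), 0, 0, 0)  # e_ehsize, e_phentsize, e_phnum
    body = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    return ehdr + body


SAMPLES = {
    "plugin_rwx.so": make_elf32([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)]),
    "plugin_rw.so":  make_elf32([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)]),
    "legacy.so":     make_elf32([(PT_LOAD, PF_R | PF_X)]),   # no PT_GNU_STACK at all
}


def audit(samples):
    """Map each object name to whether it requests an executable stack."""
    return {name: wants_exec_stack(data) for name, data in samples.items()}


if __name__ == "__main__":
    print("a2=1000007 ->", " | ".join(decode_prot("1000007")))
    for name, exec_stack in audit(SAMPLES).items():
        print("%-14s %s" % (name, "EXECSTACK" if exec_stack else "ok"))
```

To apply it to a real system, feed `open(path, "rb").read()` of each plugin .so into `wants_exec_stack`; any object that returns True is one that will trigger exactly this AVC when the host process loads it, and clearing the flag (`execstack -c`) on an object that does not really need it removes the denial without an allow rule.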
help! my wine has some errors!
by Kimia
I installed wine with yum; my system is FC6.
When I start winecfg, and all other programs such as notepad, I receive the
error:
*Failed to open the service control manager.
*Now, I did nothing, but it can run, and then the program died.
I must click the force quit button to kill it.
Please, what should I do to run wine?
Thanks for all ideas!
--
Kimia
16 years, 11 months
Re: Speakers for 3rd SELinux Symposium
by Paolo D.
Good evening Dr. Mayer,
I don't know about other countries, but in Italy people have been informed ;)
http://www.programmazione.it/index.php?entity=eitem&idItem=35011
A Merry Secure Christmas and a Happy Allowed New Year to everyone!
Paolo
------------------------------
Message: 2
Date: Mon, 11 Dec 2006 09:05:41 -0500
From: "Frank L. Mayer" <mayerf(a)tresys.com>
Subject: Speakers for 3rd SELinux Symposium (Registration opens)
To: <selinux(a)tycho.nsa.gov>, <fedora-selinux-list(a)redhat.com>
Message-ID:
<3F5870E81362A647A4DA1D0DF8F10268772053(a)exchange.columbia.tresys.com>
Content-Type: text/plain; charset="iso-8859-1"
All, we have announced the speakers for the 3rd SELinux Symposium, which
will be held in Baltimore, Maryland on 12-16 March 2007. You can see the
agenda, paper and tutorial abstracts, and registration information at the
web site: www.selinux-symposium.org. Below is the text from the press
release. Hope you can join us again at this conference. Thanks to all the
authors who submitted papers. You can still participate by submitting case
study and works-in-progress proposals (see web site). Frank
===============================================================
Speakers Confirmed for the
Third Annual Security Enhanced Linux Symposium and Developer Summit
Event Slated for March 12-16, 2007 in Baltimore, Maryland, USA
Baltimore, Maryland-December 11, 2006 - The Security Enhanced Linux
(SELinux) Symposium announces papers and speakers for its third annual
symposium. Experts from business, government, and academia will share and
discuss the latest SELinux application experience, research and development
results, and product plans. The event explores the popular SELinux
technology and the power of flexible mandatory access control in Linux.
Registration for the SELinux Symposium, scheduled for March 12-16, 2007 in
Baltimore, Maryland, is now open at www.selinux-symposium.org.
The Third SELinux Symposium features two full days of SELinux-related
tutorials followed by a two-day technical agenda that includes papers,
presentations, and case studies by experts and practitioners with SELinux.
Topics for the symposium include changes and extensions to the core SELinux
technology, advances in SELinux policy management and development, and the
use of SELinux to build secure system solutions. The symposium also includes
an invitation-only SELinux developer summit, where the core developers and
contributors of SELinux discuss upcoming technology changes, requirements,
and plans.
Papers for the symposium were selected via a community review process and
include authors from several organizations, including atsec,
Hewlett-Packard, IBM, Pennsylvania State University, Red Hat, SPARTA, Tresys
Technology, University of Maryland-Baltimore County, U.S. Joint Forces
Command, and the U.S. National Security Agency. The full agenda for the
symposium is available at www.selinux-symposium.org.
About the SELinux Symposium
The Security Enhanced Linux (SELinux) Symposium is an annual exchange of
ideas, technology, and research involving SELinux. SELinux is emerging
technology that adds flexible, strong mandatory access control security to
Linux. The third annual symposium is scheduled for March 12-16, 2007 in
Baltimore, Maryland, USA. This year's symposium is sponsored by
Hewlett-Packard, IBM, Red Hat, and Tresys Technology. The event brings
together experts from business, government, and academia to share research,
development, and application experiences using SELinux. For information on
registration and sponsorship opportunities, see www.selinux-symposium.org.
------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
End of fedora-selinux-list Digest, Vol 34, Issue 11
***************************************************
16 years, 11 months
sendmail attempting to read to /dev/hda
by Mike A. Harris
Using FC6, I get the following SELinux warnings in /var/log/messages
every time I reboot:
Dec 13 07:18:21 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Dec 13 07:18:22 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
My sendmail configuration is unmodified from Fedora Core 6 default
installation, and while sendmail is set to start at bootup, I am not
currently using sendmail for anything on this system.
Nonetheless the error is a bit alarming, and I didn't find anything
similar in a google search. My system is fully updated to the
current updates as of just prior to my reboot, which was about 15
minutes ago.
[root@shuttle ~]# rpm -qf /usr/sbin/sendmail.sendmail
sendmail-8.13.8-2
[root@shuttle ~]# ls -al /usr/sbin/sendmail.sendmail
-rwxr-sr-x 1 root smmsp 806460 Sep 5 09:27 /usr/sbin/sendmail.sendmail
[root@shuttle ~]# sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a
Summary
SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t).
Detailed Description
SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/hda, restorecon -v /dev/hda
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information:
Source Context: system_u:system_r:system_mail_t
Target Context: system_u:object_r:fixed_disk_device_t
Target Objects: /dev/hda [ blk_file ]
Affected RPM Packages: sendmail-8.13.8-2 [application]
Policy RPM: selinux-policy-2.4.6-1.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: shuttle
Platform: Linux shuttle 2.6.18-1.2849.fc6 #1 SMP Fri
Nov 10 12:45:28 EST 2006 i686 i686
Alert Count: 2
Line Numbers:
Raw Audit Messages:
avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0
exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0
name="hda" path="/dev/hda" pid=2509
scontext=system_u:system_r:system_mail_t:s0 sgid=51
subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=blk_file
tcontext=system_u:object_r:fixed_disk_device_t:s0 tty=(none) uid=0
16 years, 11 months
Re: fedora-selinux-list Digest, Vol 34, Issue 20
by stefano@proinco.net
This is an automatic message.
I will be away for the next few weeks. For any work-related communication, please contact the office. Regards,
stefano bagnasco
16 years, 11 months
Reg error in policy module
by baskar baskar
Hi,
I have written this module and saved it as twiki.te:
policy_module(twiki, 1.0)
require {
type httpd_sys_script_exec_t;
type sbin_t;
type tmp_t;
type ls_exec_t;
type httpd_tmp_t;
type httpd_sys_script_t;
}
allow httpd_sys_script_t httpd_sys_script_exec_t:dir read;
allow httpd_sys_script_t ls_exec_t:file getattr;
allow httpd_sys_script_t sbin_t:file getattr;
allow httpd_sys_script_t tmp_t:lnk_file read;
allow httpd_sys_script_t httpd_tmp_t:file { r_file_perms unlink write };
When I try to run
semodule -i twiki.pp
I am getting this error:
libsepol.permission_copy_callback: Module twiki depends on permission setkeycreate in class process, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Please, can anyone help me? I am configuring twiki now, and without this I can't move to the next step.
Please send me solutions.
Thanks in advance.
Regards
Baskar.N
16 years, 11 months
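As an added example (not code from either post, nor from any of the tools named on the list), the following Python does for the raw AVC records in the sendmail post what audit2allow does: it parses each "avc: denied" line down to source type, target type, object class and permissions, groups them, and renders a .te file in the same shape as the twiki.te module above. The sample log is constructed (the sendmail record re-joined onto one line plus two made-up httpd records using the twiki.te types), the module name "local" is arbitrary, and the output is a list of rules to review, not to load unread: sealert itself notes that an unexpected access may be an intrusion attempt.

```python
import re
from collections import defaultdict

# Constructed sample: the sendmail denial re-joined onto one line, plus two
# constructed httpd records that use the types named in twiki.te.
SAMPLE_LOG = """\
avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=0 name="hda" path="/dev/hda" pid=2509 scontext=system_u:system_r:system_mail_t:s0 tclass=blk_file tcontext=system_u:object_r:fixed_disk_device_t:s0
Dec 13 07:18:21 host kernel: audit(1165000000.000:290): avc: denied { getattr } for pid=4242 comm="httpd" name="ls" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:ls_exec_t:s0 tclass=file
avc: denied { read write } for pid=4243 comm="httpd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source type, target type, object class, [perms]) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('fields')))
    try:
        # A context is user:role:type[:level]; a rule needs only the type.
        src = fields['scontext'].split(':')[2]
        tgt = fields['tcontext'].split(':')[2]
        cls = fields['tclass']
    except (KeyError, IndexError):
        return None
    return src, tgt, cls, m.group('perms').split()

def collect_rules(log_text):
    """Group denied permissions by (source, target, class) across the log."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            rules[(src, tgt, cls)].update(perms)
    return rules

def render_te(name, rules):
    """Render a .te file shaped like twiki.te: header, require block, allow rules."""
    types = sorted({t for (src, tgt, _cls) in rules for t in (src, tgt)})
    out = [f'policy_module({name}, 1.0)', 'require {']
    out += [f'\ttype {t};' for t in types]
    out.append('}')
    for (src, tgt, cls), perms in sorted(rules.items()):
        body = ' '.join(sorted(perms))
        if len(perms) > 1:
            body = '{ ' + body + ' }'
        out.append(f'allow {src} {tgt}:{cls} {body};')
    return '\n'.join(out) + '\n'
```

A record that a mail client has wrapped mid-line (as in the sealert output above) loses its tcontext or tclass and is skipped rather than turned into a half-formed rule.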