selinux December 2006

selinux@lists.fedoraproject.org

23 participants
38 discussions

Nagios Web Interface and SELinux
by Ryan Skadberg 12 Sep '07

12 Sep '07

I have been trying to get nagios up and running on 2 different machines. One running FC5 and one running FC6. Nagios itself starts up fine, but the web interface fails miserably. When looking at /var/log/messages, I see things like: Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file I noticed in the selinux-policy-targeted Changelog: * Wed Jul 26 2006 Dan Walsh <dwalsh(a)redhat.com> 2.3.3-13 - Add nagios policy This may have been for the program itself or maybe the web interface, but it sure doesn't seem to be working for me. Both systems are set to: SELINUX=enforcing SELINUXTYPE=targeted SETLOCALDEFS=0 Anyone have any advice on how to fix this? Thanks! Skadz

3 4

[ANN] Madison policy generation tools
by Karl MacMillan 09 Jan '07

09 Jan '07

The first public release of the Madison SELinux policy generation tools can be found at http://et.redhat.com/madison/. Madison is a new project to create command line and GUI policy generation tools that: * Create more readable and secure policy by leveraging the reference policy development environment. * Provide administrators with guidance and information to help them make good security decisions. This release focuses on the creation of a foundation library (in python). It only includes a single tool - audit2policy - that is a drop in replacement for audit2allow with better reference policy interface call generation (using the undocumented -R audit2allow flag). Contributions are very welcome. I'm looking for help with: * Testing (particularly interface call generation and module generation) * Documenation * Unit test creation * Code / tool development See the website for more details on contributing. To the authors of other policy generation tools: I would like to avoid duplication of effort where possible. The current release focuses on areas that other tools have not explored thoroughly. Moving forward I would to discuss how we can best work together. Please send any feedback to the selinux development list. Thanks - Karl

2 2

vmware beta....needs mount/unmount?
by Tom London 02 Jan '07

02 Jan '07

Running latest rawhide, targeted/enforcing. I'm testing the latest vmware beta (6?). Seems to want to mount on /proc/fs/vmware-block/mountPoint: none on /proc/fs/vmware-block/mountPoint type vmware-block (rw) This produces the following AVC during boot: type=AVC msg=audit(1167500297.368:6): avc: denied { mount } for pid=2225 comm="mount" name="/" dev=vmware-block ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem type=SYSCALL msg=audit(1167500297.368:6): arch=40000003 syscall=21 success=yes exit=0 a0=937cdd8 a1=937ce00 a2=937cde8 a3=c0ed0000 items=0 ppid=2212 pid=2225 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null) I believe this is the associated AVC from 'unmount' during shutdown: type=AVC msg=audit(1167502331.621:34): avc: denied { unmount } for pid=4269 comm="umount" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem type=SYSCALL msg=audit(1167502331.621:34): arch=40000003 syscall=22 success=yes exit=0 a0=9f20120 a1=bffc51f0 a2=9f20148 a3=9f20121 items=0 ppid=4268 pid=4269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null) This appears to be the script from /etc/init.d/vmware: # Start the file system blocking driver vmware_start_vmblock() { mkdir -p /tmp/VMwareDnD && chmod 777 /tmp/VMwareDnD vmware_exec 'Loading module' vmware_load_module $vmblock exitcode=`expr $exitcode + $?` mount -t vmware-block none /proc/fs/vmware-block/mountPoint } # Stop the file system blocking driver vmware_stop_vmblock() { umount /proc/fs/vmware-block/mountPoint vmware_unload_module $vmblock } Right way to fix? tom -- Tom London

2 2

Basic GUI on strict policy
by mantaray_1 28 Dec '06

28 Dec '06

List members - I have recently been working on setting up a strict policy (using selinux-policy-2.4.6-1.fc6), and I thought I would make a post to share the module I made which allows logging in and entering the GUI. The module includes four user-defined types, which I use to limit program access to my home directories, but which do not need to be included. Some rules would need to be adapted for use without three of the four user-defined types (which are for ".gnome", ".gnome2", and ".gnome2_private" in the user's home directory). I have not taken the time to translate the "allow" statements into calls to "access interfaces", but the module could be a starting point for someone working on developing a personalized strict policy for their system. I had several problems with mls while working on the policy, and this is why the mls interfaces are included for "user_t" in the module. I did not take the time to see exactly which statements were necessary, since I am not particularly interested in using mls anyway. Without the additional types, the ".fc" file could be blank, and the ".if" file could simply contain a descriptive title such as: "## <summary>Rules added for GUI access</summary>". I have included this module in the "apps" folder on my system. To use the module, after placing the files in the "apps" folder, run "make conf" and "make load". I want to make it clear that I do not work with SELinux policy professionally, and I am not an expert on policy creation or Linux security. I may have included permissions that are not needed, and I may have omitted permissions that are needed. I am making this post because I want to share what I came up with while working on a policy for my own system. In short: It works for my system, and it took a bit of work for me to get to this point, so I want to share it. Developers - From my experience, I have a couple of comments I hope policy developers will find helpful: First, a strict policy without mls enabled that would function essentially the same as the "strict-mls" option might be useful to some users. I would have preferred to install "strict" rather than "strict-mls" but my system would not even boot with the non-mls version. I did not investigate this problem very carefully, but I found, for example, that there is no "netifcon lo ..." statement for "strict", while there is for "strict-mls". Second, I found some of the permissions needed to successfully enter the GUI were difficult to determine (without sorting through lots of extra "denied" statements that resulted from disabling "dontaudit" statements). Perhaps some time could be spent developing a policy somewhere between "strict" and "targeted" that allows more access and has less "dontaudit" statements written into the modules; or perhaps an optional module could be included with the "strict" policy that has been written by someone who knows exactly what is needed and what is not needed (rather than by someone like myself), and that allows basic access to the GUI. -Ken- ********************************* ********************************* policy_module(basic_use,1.0) ######### # # These rules are needed for basic operation using the strict policy. # require { class capability { fowner setgid setuid sys_tty_config }; class chr_file { getattr ioctl read write }; class dbus send_msg; class dir { add_name getattr read remove_name search setattr write }; class fd use; class fifo_file { getattr ioctl read write }; class file { create execute execute_no_trans getattr read setattr unlink write }; class filesystem { associate getattr }; class netif { tcp_recv tcp_send }; class process { execheap execmem execstack getpgid getsched signal }; class shm { associate create destroy getattr read unix_read unix_write write }; class sock_file { create unlink write }; class unix_stream_socket connectto; # role object_r; role sysadm_r; role system_r; role user_r; # type alsa_etc_rw_t; type apmd_t; type autofs_t; type bin_t; type binfmt_misc_fs_t; type boot_t; type cupsd_t; type cupsd_var_run_t; type default_t; type devpts_t; type etc_runtime_t; type fonts_t; type fs_t; type hostname_t; type ice_tmp_t; type initrc_t; type inotifyfs_t; type kernel_t; type lo_netif_t; type local_login_t; type lost_found_t; type lvm_control_t; type mono_exec_t; type net_conf_t; type nscd_var_run_t; type rpc_pipefs_t; type shell_exec_t; type sound_device_t; type sysadm_dbusd_t; type sysadm_gconf_tmp_t; type sysadm_gconfd_t; type sysadm_home_dir_t; type sysadm_home_t; type sysadm_t; type sysadm_tmp_t; type sysadm_tty_device_t; type sysadm_xauth_home_t; type sysadm_xserver_t; type sysadm_xserver_tmp_t; type sysctl_fs_t; type sysfs_t; type system_crond_t; type system_dbusd_t; type system_dbusd_var_run_t; type tmpfs_t; type usbfs_t; type user_dbusd_t; type user_gconf_tmp_t; type user_gconfd_t; type user_home_dir_t; type user_home_t; type user_t; type user_tmp_t; type user_tty_device_t; type user_xauth_home_t; type user_xserver_t; type user_xserver_tmp_t; type var_lib_nfs_t; type var_lib_t; type var_run_t; type var_t; type xdm_xserver_tmp_t; } # # Types: # type file_transfer_t; type gnome_t; type gnome2_private_t; type gnome2_t; # # mls: # mls_file_read_up(user_t) mls_file_write_down(user_t) mls_file_upgrade(user_t) mls_file_downgrade(user_t) mls_file_write_within_range(user_t) mls_socket_read_all_levels(user_t) mls_socket_read_to_clearance(user_t) mls_socket_write_all_levels(user_t) mls_net_receive_all_levels(user_t) mls_sysvipc_read_all_levels(user_t) mls_sysvipc_write_all_levels(user_t) mls_rangetrans_source(user_t) mls_rangetrans_target(user_t) mls_process_read_up(user_t) mls_process_write_down(user_t) mls_process_set_level(user_t) mls_xwin_read_all_levels(user_t) mls_xwin_write_all_levels(user_t) mls_colormap_read_all_levels(user_t) mls_colormap_write_all_levels(user_t) mls_trusted_object(user_t) mls_fd_use_all_levels(user_t) mls_fd_share_all_levels(user_t) mls_context_translate_all_levels(user_t) # # Ability to login and enter the GUI: # allow apmd_t kernel_t:file read; allow apmd_t user_tty_device_t:chr_file { getattr ioctl write }; allow gnome2_t fs_t:filesystem associate; allow hostname_t nscd_var_run_t:dir search; allow initrc_t lvm_control_t:chr_file write; allow initrc_t var_t:file { setattr write }; allow sysadm_dbusd_t autofs_t:dir getattr; allow sysadm_dbusd_t bin_t:file { execute execute_no_trans }; allow sysadm_dbusd_t binfmt_misc_fs_t:dir getattr; allow sysadm_dbusd_t boot_t:dir getattr; allow sysadm_dbusd_t devpts_t:dir getattr; allow sysadm_dbusd_t etc_runtime_t:file { getattr read }; allow sysadm_dbusd_t fonts_t:dir { getattr search }; allow sysadm_dbusd_t fonts_t:file { getattr read }; allow sysadm_dbusd_t fs_t:filesystem getattr; allow sysadm_dbusd_t inotifyfs_t:dir getattr; allow sysadm_dbusd_t local_login_t:fd use; allow sysadm_dbusd_t rpc_pipefs_t:dir getattr; allow sysadm_dbusd_t self:capability { setgid setuid }; allow sysadm_dbusd_t self:fifo_file { getattr ioctl read write }; allow sysadm_dbusd_t self:process { execmem execstack getsched }; allow sysadm_dbusd_t self:shm { create destroy read unix_read unix_write write }; allow sysadm_dbusd_t self:unix_stream_socket connectto; allow sysadm_dbusd_t shell_exec_t:file { execute execute_no_trans getattr read }; allow sysadm_dbusd_t sound_device_t:chr_file { ioctl read write }; allow sysadm_dbusd_t sysadm_gconf_tmp_t:file { getattr read }; allow sysadm_dbusd_t sysadm_gconfd_t:unix_stream_socket connectto; allow sysadm_dbusd_t sysadm_home_dir_t:dir { getattr read search }; allow sysadm_dbusd_t sysadm_home_t:dir { getattr read search }; allow sysadm_dbusd_t sysadm_home_t:file { getattr read write }; allow sysadm_dbusd_t sysadm_t:dbus send_msg; allow sysadm_dbusd_t sysadm_tmp_t:dir { add_name getattr remove_name search setattr write }; allow sysadm_dbusd_t sysadm_tmp_t:sock_file { create write unlink }; allow sysadm_dbusd_t sysadm_tty_device_t:chr_file { read write }; allow sysadm_dbusd_t sysadm_xauth_home_t:file { getattr read }; allow sysadm_dbusd_t sysadm_xserver_t:unix_stream_socket connectto; allow sysadm_dbusd_t sysadm_xserver_tmp_t:dir search; allow sysadm_dbusd_t sysadm_xserver_tmp_t:sock_file write; allow sysadm_dbusd_t sysctl_fs_t:dir search; allow sysadm_dbusd_t sysfs_t:dir getattr; allow sysadm_dbusd_t system_dbusd_t:dbus send_msg; allow sysadm_dbusd_t system_dbusd_t:unix_stream_socket connectto; allow sysadm_dbusd_t system_dbusd_var_run_t:dir search; allow sysadm_dbusd_t system_dbusd_var_run_t:sock_file write; allow sysadm_dbusd_t tmpfs_t:dir getattr; allow sysadm_dbusd_t tmpfs_t:file { read write }; allow sysadm_dbusd_t usbfs_t:dir getattr; allow sysadm_dbusd_t user_xserver_tmp_t:dir search; allow sysadm_dbusd_t user_xserver_tmp_t:sock_file write; allow sysadm_dbusd_t var_lib_nfs_t:dir search; allow sysadm_dbusd_t var_lib_t:dir search; allow sysadm_dbusd_t var_t:file { getattr read }; allow sysadm_gconfd_t local_login_t:fd use; allow sysadm_gconfd_t sysadm_dbusd_t:unix_stream_socket connectto; allow sysadm_gconfd_t sysadm_tty_device_t:chr_file { read write }; allow sysadm_t cupsd_t:unix_stream_socket connectto; allow sysadm_t default_t:file execute; allow sysadm_t lost_found_t:dir { read write }; allow sysadm_t mono_exec_t:file { execute execute_no_trans }; allow sysadm_t self:process { execmem execstack }; allow sysadm_xserver_t self:process { execmem execstack }; allow sysadm_xserver_t sysadm_dbusd_t:fd use; allow sysadm_xserver_t sysadm_dbusd_t:shm { associate getattr read unix_read unix_write write }; allow sysadm_xserver_t sysadm_home_t:dir search; allow sysadm_xserver_t sysadm_home_t:file { getattr read }; allow sysadm_xserver_t sysadm_t:process getpgid; allow sysadm_xserver_t tmpfs_t:file { read write }; allow sysadm_xserver_t user_xserver_tmp_t:dir { add_name getattr remove_name search write }; allow sysadm_xserver_t user_xserver_tmp_t:sock_file { create unlink }; allow system_crond_t var_run_t:dir { add_name remove_name write }; allow system_crond_t var_run_t:file { create unlink write }; allow user_dbusd_t autofs_t:dir getattr; allow user_dbusd_t bin_t:file { execute execute_no_trans }; allow user_dbusd_t binfmt_misc_fs_t:dir getattr; allow user_dbusd_t boot_t:dir getattr; allow user_dbusd_t devpts_t:dir getattr; allow user_dbusd_t etc_runtime_t:file { getattr read }; allow user_dbusd_t fonts_t:dir { getattr search }; allow user_dbusd_t fonts_t:file { getattr read }; allow user_dbusd_t fs_t:filesystem getattr; allow user_dbusd_t gnome2_private_t:dir getattr; allow user_dbusd_t gnome2_t:dir { getattr read search }; allow user_dbusd_t gnome2_t:file { getattr read write }; allow user_dbusd_t inotifyfs_t:dir getattr; allow user_dbusd_t local_login_t:fd use; allow user_dbusd_t rpc_pipefs_t:dir getattr; allow user_dbusd_t self:fifo_file { getattr ioctl read write }; allow user_dbusd_t self:process getsched; allow user_dbusd_t self:shm { create destroy read unix_read unix_write write }; allow user_dbusd_t self:unix_stream_socket connectto; allow user_dbusd_t shell_exec_t:file { execute execute_no_trans getattr read }; allow user_dbusd_t sound_device_t:chr_file { ioctl read write }; allow user_dbusd_t sysadm_xserver_tmp_t:dir search; allow user_dbusd_t sysadm_xserver_tmp_t:sock_file write; allow user_dbusd_t sysctl_fs_t:dir search; allow user_dbusd_t sysfs_t:dir getattr; allow user_dbusd_t system_dbusd_t:dbus send_msg; allow user_dbusd_t system_dbusd_t:unix_stream_socket connectto; allow user_dbusd_t system_dbusd_var_run_t:dir search; allow user_dbusd_t system_dbusd_var_run_t:sock_file write; allow user_dbusd_t tmpfs_t:dir getattr; allow user_dbusd_t tmpfs_t:file { read write }; allow user_dbusd_t usbfs_t:dir getattr; allow user_dbusd_t user_gconf_tmp_t:dir { getattr search }; allow user_dbusd_t user_gconf_tmp_t:file { getattr read }; allow user_dbusd_t user_gconfd_t:unix_stream_socket connectto; allow user_dbusd_t user_home_dir_t:dir { getattr read search }; allow user_dbusd_t user_home_t:dir { read search }; allow user_dbusd_t user_home_t:file { getattr read }; allow user_dbusd_t user_t:dbus send_msg; allow user_dbusd_t user_tmp_t:dir { add_name getattr remove_name search setattr write }; allow user_dbusd_t user_tmp_t:sock_file { create unlink write }; allow user_dbusd_t user_tty_device_t:chr_file { read write }; allow user_dbusd_t user_xauth_home_t:file { getattr read }; allow user_dbusd_t user_xserver_t:unix_stream_socket connectto; allow user_dbusd_t user_xserver_tmp_t:dir search; allow user_dbusd_t user_xserver_tmp_t:sock_file write; allow user_dbusd_t var_lib_nfs_t:dir search; allow user_dbusd_t var_lib_t:dir search; allow user_dbusd_t var_t:file { getattr read }; allow user_gconfd_t local_login_t:fd use; allow user_gconfd_t user_dbusd_t:unix_stream_socket connectto; allow user_gconfd_t user_tty_device_t:chr_file { read write }; allow user_t alsa_etc_rw_t:file read; allow user_t cupsd_t:unix_stream_socket connectto; allow user_t cupsd_var_run_t:sock_file write; allow user_t gnome_t:dir { getattr search }; allow user_t gnome_t:file { getattr read write }; allow user_t gnome2_private_t:dir getattr; allow user_t gnome2_t:dir { add_name getattr read remove_name search write }; allow user_t gnome2_t:file { create getattr read unlink }; allow user_t ice_tmp_t:dir { add_name getattr remove_name search write }; allow user_t ice_tmp_t:sock_file { create unlink write }; allow user_t net_conf_t:file read; allow user_t self:process { execheap execmem execstack }; allow user_t sysadm_xserver_tmp_t:sock_file write; allow user_t sysctl_fs_t:file read; allow user_t user_gconfd_t:process signal; allow user_t user_gconf_tmp_t:dir { getattr search }; allow user_t user_gconf_tmp_t:file { getattr read }; allow user_t user_xserver_t:dir { getattr search }; allow user_t user_xserver_t:file read; allow user_xserver_t gnome2_t:dir search; allow user_xserver_t gnome2_t:file { getattr read }; allow user_xserver_t lo_netif_t:netif { tcp_recv tcp_send }; allow user_xserver_t self:capability fowner; allow user_xserver_t self:process { execmem execstack }; allow user_xserver_t sysadm_xserver_tmp_t:dir { add_name getattr remove_name search write }; allow user_xserver_t sysadm_xserver_tmp_t:sock_file { create unlink }; allow user_xserver_t tmpfs_t:file { read write }; allow user_xserver_t user_dbusd_t:fd use; allow user_xserver_t user_dbusd_t:shm { associate getattr read unix_read unix_write write }; allow user_xserver_t user_t:process getpgid; allow user_xserver_t xdm_xserver_tmp_t:file read; # End

1 0

execstack AVCs in Rawhide...?
by Tom London 25 Dec '06

25 Dec '06

Running latest Rawhide, targeted/enforcing. I seem to be getting execstack AVCs from setroubleshootd, sealert, gaim, mixer_applet2, and firefox-bin. Firefox has flash and Sun java plugins; guessing that may be part of the issue. tom type=DAEMON_START msg=audit(1166807740.587:4053) auditd start, ver=1.3.1, format=raw, auid=4294967295 pid=2084 res=success, auditd pid=2084 type=CONFIG_CHANGE msg=audit(1166807740.687:5): audit_enabled=1 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 type=CONFIG_CHANGE msg=audit(1166807740.893:6): audit_backlog_limit=256 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 type=AVC msg=audit(1166807745.923:7): avc: denied { execstack } for pid=2187 comm="setroubleshootd" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0 tclass=process type=SYSCALL msg=audit(1166807745.923:7): arch=40000003 syscall=125 success=no exit=-13 a0=bfce1000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2187 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null) type=LABEL_LEVEL_CHANGE msg=audit(1166807750.278:8): user pid=2517 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=HP5MP uri=hp:/par/HP_LaserJet_5MP?device=/dev/parport0 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)' type=LABEL_LEVEL_CHANGE msg=audit(1166807750.429:9): user pid=2517 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=hp_LaserJet_1300 uri=hal:///org/freedesktop/Hal/devices/usb_device_3f0_1017_00CNCB954325_if0_printer_noserial banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)' type=LABEL_LEVEL_CHANGE msg=audit(1166807750.494:10): user pid=2517 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Innopath uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)' type=LABEL_LEVEL_CHANGE msg=audit(1166807750.496:11): user pid=2517 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Local uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)' type=USER_ERR msg=audit(1166807765.078:12): user pid=2960 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=? res=failed)' type=USER_AUTH msg=audit(1166807777.433:13): user pid=3037 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: authentication acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)' type=USER_ACCT msg=audit(1166807777.435:14): user pid=3037 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: accounting acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)' type=CRED_ACQ msg=audit(1166807777.436:15): user pid=3037 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: setcred acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)' type=LOGIN msg=audit(1166807777.440:16): login pid=3037 uid=0 old auid=4294967295 new auid=500 type=USER_START msg=audit(1166807777.583:17): user pid=3037 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session open acct=tbl : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)' type=USER_LOGIN msg=audit(1166807777.585:18): user pid=3037 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=:0 res=success)' type=AVC msg=audit(1166807804.117:19): avc: denied { execstack } for pid=3229 comm="sealert" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1166807804.117:19): arch=40000003 syscall=125 success=no exit=-13 a0=bf882000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3229 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sealert" exe="/usr/bin/python" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1166807804.624:20): avc: denied { execstack } for pid=3240 comm="sealert" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1166807804.624:20): arch=40000003 syscall=125 success=no exit=-13 a0=bff2f000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3239 pid=3240 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="sealert" exe="/usr/bin/python" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1166807809.849:21): avc: denied { execstack } for pid=3283 comm="gaim" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1166807809.849:21): arch=40000003 syscall=125 success=no exit=-13 a0=bffd9000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3193 pid=3283 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gaim" exe="/usr/bin/gaim" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1166807821.317:22): avc: denied { execstack } for pid=3419 comm="mixer_applet2" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1166807821.317:22): arch=40000003 syscall=125 success=no exit=-13 a0=bfa39000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3408 pid=3419 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mixer_applet2" exe="/usr/libexec/mixer_applet2" subj=user_u:system_r:unconfined_t:s0 key=(null) type=USER_AUTH msg=audit(1166807845.960:23): user pid=3460 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' type=USER_ACCT msg=audit(1166807845.961:24): user pid=3460 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: accounting acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' type=USER_START msg=audit(1166807847.381:25): user pid=3460 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' type=CRED_ACQ msg=audit(1166807847.382:26): user pid=3460 uid=500 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)' type=AVC msg=audit(1166807900.148:27): avc: denied { execstack } for pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1166807900.148:27): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1166807900.158:28): avc: denied { execstack } for pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1166807900.158:28): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1166807900.162:29): avc: denied { execstack } for pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1166807900.162:29): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1166807900.163:30): avc: denied { execstack } for pid=3441 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1166807900.163:30): arch=40000003 syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=3441 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-2.0/firefox-bin" subj=user_u:system_r:unconfined_t:s0 key=(null) -- Tom London

3 8

help! my wine has some errors!
by Kimia 22 Dec '06

22 Dec '06

i install wine with yum, my system is fc6. when i start winecfg and all other program such as notepad i recived the error: *Failed to open the service control manager. *now,i did nothing,but it can ran,and then the program died. i must click the force quit button to kill it. please,what shoud do to run wine? thanks all ideas! -- Kimia

2 1

Re: Speakers for 3rd SELinux Symposium
by Paolo D. 20 Dec '06

20 Dec '06

Good evening Dr. Mayer, I don't know in other countries, but in Italy people has been informed ;) http://www.programmazione.it/index.php?entity=eitem&idItem=35011 A Merry Secure Christmas and an Happy Allowed New Year to everyone! Paolo ------------------------------ Message: 2 Date: Mon, 11 Dec 2006 09:05:41 -0500 From: "Frank L. Mayer" <mayerf(a)tresys.com> Subject: Speakers for 3rd SELinux Symposium (Registration opens) To: <selinux(a)tycho.nsa.gov>, <fedora-selinux-list(a)redhat.com> Message-ID: <3F5870E81362A647A4DA1D0DF8F10268772053(a)exchange.columbia.tresys.com> Content-Type: text/plain; charset="iso-8859-1" All, we have announced the speakers for the 3rd SELinux Symposium, which will be held in Baltimore, Maryland on 12-16 March 2007. You can see the agenda, paper and tutorial abstracts, and registration information at the web site: www.selinux-symposium.org. Below is the text from the press release. Hope you can join us again at this conference. Thanks to all the authors who submitted papers. You can still participate by submitting case study and works-in-progress proposals (see web site). Frank =============================================================== Speakers Confirmed for the Third Annual Security Enhanced Linux Symposium and Developer Summit Event Slated for March 12-16, 2007 in Baltimore, Maryland, USA Baltimore, Maryland-December 11, 2006 - The Security Enhanced Linux (SELinux) Symposium announces papers and speakers for its third annual symposium. Experts from business, government, and academia will share and discuss the latest SELinux application experience, research and development results, and product plans. The event explores the popular SELinux technology and the power of flexible mandatory access control in Linux. Registration for the SELinux Symposium, scheduled for March 12-16, 2007 in Baltimore, Maryland, is now open at www.selinux-symposium.org. The Third SELinux Symposium features two full days of SELinux-related tutorials followed by a two-day technical agenda that includes papers, presentations, and case studies by experts and practitioners with SELinux. Topics for the symposium include changes and extensions to the core SELinux technology, advances in SELinux policy management and development, and the use of SELinux to build secure system solutions. The symposium also includes an invitation-only SELinux developer summit, where the core developers and contributors of SELinux discuss upcoming technology changes, requirements, and plans. Papers for the symposium were selected via a community review process and include authors from several organizations, including atsec, Hewlett-Packard, IBM, Pennsylvania State University, Red Hat, SPARTA, Tresys Technology, University of Maryland-Baltimore County, U.S. Joint Forces Command, and the U.S. National Security Agency. The full agenda for the symposium is available at www.selinux-symposium.org. About the SELinux Symposium The Security Enhanced Linux (SELinux) Symposium is an annual exchange of ideas, technology, and research involving SELinux. SELinux is emerging technology that adds flexible, strong mandatory access control security to Linux. The third annual symposium is scheduled for March 12-16, 2007 in Baltimore, Maryland, USA. This year's symposium is sponsored by Hewlett-Packard, IBM, Red Hat, and Tresys Technology. The event brings together experts from business, government, and academia to share research, development, and application experiences using SELinux. For information on registration and sponsorship opportunities, see www.selinux-symposium.org. ------------------------------ -- fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list End of fedora-selinux-list Digest, Vol 34, Issue 11 *************************************************** __________ Informazione NOD32 1880 (20061123) __________ Questo messaggio h stato controllato dal Sistema Antivirus NOD32 http://www.nod32.it

1 0

sendmail attempting to read to /dev/hda
by Mike A. Harris 20 Dec '06

20 Dec '06

Using FC6, I get the following SELinux warnings in /var/log/messages every time I reboot: Dec 13 07:18:21 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c49 90df4a Dec 13 07:18:22 localhost setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). For complete SELinux messages. run sealert -l 334bcb59-54ff-414f-bd52-f32c49 90df4a My sendmail configuration is unmodified from Fedora Core 6 default installation, and while sendmail is set to start at bootup, I am not currently using sendmail for anything on this system. Nonetheless the error is a bit alarming, and I didn't find anything similar in a google search. My system is fully updated to the current updates as of just prior to my reboot, which was about 15 minutes ago. [root@shuttle ~]# rpm -qf /usr/sbin/sendmail.sendmail sendmail-8.13.8-2 [root@shuttle ~]# ls -al /usr/sbin/sendmail.sendmail -rwxr-sr-x 1 root smmsp 806460 Sep 5 09:27 /usr/sbin/sendmail.sendmail [root@shuttle ~]# sealert -l 334bcb59-54ff-414f-bd52-f32c4990df4a Summary SELinux is preventing /usr/sbin/sendmail.sendmail (system_mail_t) "read" to /dev/hda (fixed_disk_device_t). Detailed Description SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not expected that this access is required by /usr/sbin/sendmail.sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/hda, restorecon -v /dev/hda If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information: Source Context: system_u:system_r:system_mail_t Target Context: system_u:object_r:fixed_disk_device_t Target Objects: /dev/hda [ blk_file ] Affected RPM Packages: sendmail-8.13.8-2 [application] Policy RPM: selinux-policy-2.4.6-1.fc6 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: plugins.catchall_file Host Name: shuttle Platform: Linux shuttle 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:45:28 EST 2006 i686 i686 Alert Count: 2 Line Numbers: Raw Audit Messages: avc: denied { read } for comm="sendmail" dev=tmpfs egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=0 fsgid=51 fsuid=0 gid=0 items=0 name="hda" path="/dev/hda" pid=2509 scontext=system_u:system_r:system_mail_t:s0 sgid=51 subj=system_u:system_r:system_mail_t:s0 suid=0 tclass=blk_file tcontext=system_u:object_r:fixed_disk_device_t:s0 tty=(none) uid=0

2 2

Re: fedora-selinux-list Digest, Vol 34, Issue 20
by stefano＠proinco.net 20 Dec '06

20 Dec '06

esto es un mensaje automatico. al momento estare ausente en las proximas semanas. por qualquiera comunicacion de trabajo comuniquense a la oficina. saludos stefano bagnasco

1 0

Reg error in policy module
by baskar baskar 19 Dec '06

19 Dec '06

Hi, I have written this module and saved as twiki.te policy_module(twiki, 1.0) require { type httpd_sys_script_exec_t; type sbin_t; type tmp_t; type ls_exec_t; type httpd_tmp_t; type httpd_sys_script_t; } allow httpd_sys_script_t httpd_sys_script_exec_t:dir read; allow httpd_sys_script_t ls_exec_t:file getattr; allow httpd_sys_script_t sbin_t:file getattr; allow httpd_sys_script_t tmp_t:lnk_file read; allow httpd_sys_script_t httpd_tmp_t:file { r_file_perms unlink write }; when i try to run semodule -i twiki.pp i am getting libsepol.permission_copy_callback: Module twiki depends on permission setkeycreate in class process, not satisfied libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed! this error. please anyone help me i am configuring twiki now without this i cant move to next step please send me solutions thanks in advance Regards Baskar.N Send free SMS to your Friends on Mobile from your Yahoo! Messenger. Download Now! http://messenger.yahoo.com/download.php

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2006