List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
17 years, 1 month
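As an added example (not part of Göran's post, and not code from any SELinux project), here is a small Python parser for the flask/access_vectors syntax he mentions. It resolves `inherits` against the `common` blocks and keeps any same-line `#` comment as the permission's description, so the result is the per-class list he asks for, with whatever one-line explanations the file carries. The input is a constructed excerpt: the class and permission names are real SELinux ones, but the explanatory comments in it are ours, not from the policy sources.

```python
# Constructed excerpt in the syntax of policy/flask/access_vectors. The class and
# permission names are real SELinux ones; the '#' explanations are ours (assumption:
# a maintained copy of the file would carry comments like these).
SAMPLE_ACCESS_VECTORS = """\
#
# Define common prefixes for access vectors
#
common file
{
	ioctl
	read
	write
	create
	getattr
	setattr
	lock
	relabelfrom
	relabelto
	append
	unlink
	link
	rename
	execute
	swapon
	quotaon
	mounton
}

class dir
inherits file
{
	add_name      # link a new name into the directory
	remove_name   # unlink a name from the directory
	reparent
	search        # traverse the directory during path lookup
	rmdir
}

class lnk_file
inherits file

class process
{
	fork
	transition    # change domain on execve
	sigchld
	signal
	ptrace
}
"""


def _tokens(text):
    """Yield (token, same_line_comment) pairs; braces become their own tokens."""
    for line in text.splitlines():
        code, _, comment = line.partition("#")
        code = code.replace("{", " { ").replace("}", " } ")
        for tok in code.split():
            yield tok, comment.strip()


def parse_access_vectors(text):
    """Return {class_name: {permission: description}} with common perms folded in."""
    toks = list(_tokens(text))
    commons, classes = {}, {}

    def read_body(i):
        # toks[i] is '{'; collect permission names until the matching '}'
        perms = {}
        i += 1
        while toks[i][0] != "}":
            name, desc = toks[i]
            perms[name] = desc
            i += 1
        return perms, i + 1

    i = 0
    while i < len(toks):
        kw, _ = toks[i]
        if kw == "common":
            name = toks[i + 1][0]
            commons[name], i = read_body(i + 2)
        elif kw == "class":
            name = toks[i + 1][0]
            i += 2
            perms = {}
            if i < len(toks) and toks[i][0] == "inherits":
                perms.update(commons[toks[i + 1][0]])  # KeyError on an unknown common
                i += 2
            if i < len(toks) and toks[i][0] == "{":
                own, i = read_body(i)
                perms.update(own)
            classes[name] = perms
        else:
            raise ValueError("unexpected token %r" % kw)
    return classes


def describe(classes, cls):
    """One line per permission of cls, with the description where the file has one."""
    return ["%s %s%s" % (cls, p, "  # " + d if d else "")
            for p, d in sorted(classes[cls].items())]


if __name__ == "__main__":
    av = parse_access_vectors(SAMPLE_ACCESS_VECTORS)
    for line in describe(av, "dir"):
        print(line)
```

Run against a real access_vectors file, `describe(av, "dir")` lists every permission `dir` has, including the seventeen it inherits from `common file`; permissions without a comment in the file simply print without a description, which is exactly the gap the post is asking about.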
Re: Apache/PHP module boot restriction?
by Stephen Smalley
On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
> I've recently set up a Fedora Core 4 web server running Apache 2.2.0
> with PHP 5.1.2. I've managed to get Apache loading the module, after
> setting libphp5.so to shlib_t, however Apache seems to still be unable
> to access the module during boot. I'm getting a Cannot load libphp5
> cannot restore segment prot after reloc. Is this a known problem, and
> if so, how is it fixed?
cc'd fedora-selinux-list as well above, since you mentioned you were
using FC4.
This usually indicates a text relocation, which is undesirable if it can
be avoided. The stock FC4 php doesn't appear to have any text
relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL).
Possibly it has a patch to avoid the problem.
Ideally, it would be best if you could similarly patch or fix the build
for PHP 5.1.2. If you truly need to allow it, then you can label
the .so file with the texrel_shlib_t type (since you are using FC4, I
used the old type name).
Some discussion of the SELinux memory protection tests can be found in:
http://people.redhat.com/drepper/selinux-mem.html
--
Stephen Smalley
National Security Agency
17 years, 5 months
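The check Stephen mentions (`readelf -d libphp5.so.1 | grep TEXTREL`) reads the library's dynamic section for a text-relocation marker. As an added example, not from the post or from any distribution's tooling, here is a dependency-free Python reimplementation of that check: it walks the PT_DYNAMIC segment of an ELF32 or ELF64 file and reports both ways a text relocation can be declared, a `DT_TEXTREL` entry or `DF_TEXTREL` set in `DT_FLAGS`. The `build_elf64` helper is an assumption for offline testing: it assembles a minimal, non-loadable image with just a header, one program header and a dynamic section, so the checker can be exercised without a real library.

```python
import struct
import sys

# Dynamic-section tags and flags from the ELF specification
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4
PT_DYNAMIC = 2


def _dynamic_entries(data):
    """Yield (d_tag, d_val) from the PT_DYNAMIC segment of an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf64 = data[4] == 2                # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if elf64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, dyn_fmt, off_ix, size_ix = end + "IIQQQQQQ", end + "qQ", 2, 5
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, dyn_fmt, off_ix, size_ix = end + "IIIIIIII", end + "iI", 1, 4
    entry_size = struct.calcsize(dyn_fmt)
    for n in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + n * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        p_offset, p_filesz = ph[off_ix], ph[size_ix]
        for off in range(p_offset, p_offset + p_filesz, entry_size):
            d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
            if d_tag == DT_NULL:
                return
            yield d_tag, d_val


def text_relocation_flags(data):
    """Report both ways a text relocation is declared; readelf prints either as TEXTREL."""
    found = {"DT_TEXTREL": False, "DF_TEXTREL": False}
    for tag, val in _dynamic_entries(data):
        if tag == DT_TEXTREL:
            found["DT_TEXTREL"] = True
        elif tag == DT_FLAGS and val & DF_TEXTREL:
            found["DF_TEXTREL"] = True
    return found


def has_text_relocations(data):
    """True when the dynamic linker must write into the code segment while relocating,
    which is the condition behind the 'cannot restore segment prot after reloc' failure."""
    return any(text_relocation_flags(data).values())


def check_file(path):
    with open(path, "rb") as f:
        return has_text_relocations(f.read())


def build_elf64(dynamic):
    """Constructed, non-loadable ELF64 ET_DYN image used only as a test fixture:
    header, one PT_DYNAMIC program header, then the given dynamic entries."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dynamic + [(DT_NULL, 0)])
    ehsize, phentsize = 64, 56
    dyn_off = ehsize + phentsize
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, version 1, SysV ABI
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, 1, 64, 0, 0)       # ET_DYN, EM_X86_64
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print("%s: %s" % (path, "TEXTREL" if check_file(path) else "clean"))
```

Usage: `python3 textrel_check.py /path/to/libphp5.so` prints one line per file. A library that reports clean here is one the loader can map with a read-only code segment; one that reports TEXTREL is the case the post describes, where the fix of choice is rebuilding the library without text relocations and relabeling is the fallback.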
AVC when configuring printer.....
by Tom London
Running latest Rawhide, targeted/enforcing.
System->Administration->Printing, and hitting 'Apply' on the currently
configured printer produces the following:
----
type=PATH msg=audit(02/27/2006 08:04:15.126:101) : item=2
flags=follow,open inode=1045697 dev=fd:00 mode=file,755 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(02/27/2006 08:04:15.126:101) : item=1
flags=follow,open inode=5786615 dev=fd:00 mode=file,755 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(02/27/2006 08:04:15.126:101) : item=0
name=/usr/sbin/printconf-backend flags=follow,open inode=5790576
dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(02/27/2006 08:04:15.126:101) : cwd=/
type=AVC_PATH msg=audit(02/27/2006 08:04:15.126:101) : path=pipe:[21844]
type=AVC_PATH msg=audit(02/27/2006 08:04:15.126:101) :
path=/root/.rh-fontconfig/.fonts.cache-2
type=SYSCALL msg=audit(02/27/2006 08:04:15.126:101) : arch=i386
syscall=execve success=yes exit=0 a0=899cdc8 a1=899ce18 a2=899cf20
a3=8999d70 items=3 pid=5773 auid=tbl uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root
comm=printconf-backe exe=/usr/bin/python
type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { read
} for pid=5773 comm=printconf-backe name=.fonts.cache-2 dev=dm-0
ino=555510 scontext=system_u:system_r:cupsd_config_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied {
write } for pid=5773 comm=printconf-backe name=[21844] dev=pipefs
ino=21844 scontext=system_u:system_r:cupsd_config_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
----
tom
--
Tom London
17 years, 9 months
FC4 + samba + selinux
by Louis Garcia
I am setting up an FC4 samba server and can't get my shares accessed.
With selinux off samba works normally.
I have created a dir:
drwxrwsrwx root root
system_u:object_r:samba_share_t /data/public
This is the error I get:
type=AVC msg=audit(1140923608.645:86): avc: denied { search } for
pid=3338 comm="smbd" name="/" dev=hda5 ino=2
scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t
tclass=dir
type=SYSCALL msg=audit(1140923608.645:86): arch=40000003 syscall=195
success=no exit=-13 a0=88b85f8 a1=bff9aec4 a2=7fbff4 a3=bff9aec4 items=1
pid=3338 auid=500 uid=502 gid=0 euid=502 suid=0 fsuid=502 egid=100
sgid=100 fsgid=100 comm="smbd" exe="/usr/sbin/smbd"
type=CWD msg=audit(1140923608.645:86): cwd="/"
type=PATH msg=audit(1140923608.645:86): item=0 name="/data/public"
flags=1 inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
why does smbd_t want access to default_t when the dir is labeled
samba_share_t?
Does smbd_t have access to samba_share_t by default?
Any advice, --Louis
17 years, 9 months
ANN: CDS Framework IDE
by Kevin Carr
Tresys has completed an initial version of the CDS Framework IDE tool to
assist in developing cross domain solutions for SELinux. The tool consists
of an IDE with a new high-level language to specify CDS architectures
focused on the information flow goals of the particular project. The tool
generates the necessary SELinux policy from the higher-level specification.
It is available open source on the Tresys Technology website.
http://tresys.com/selinux/index.shtml
It is an Eclipse plug-in, so just extract the tarball in your plugins
directory.
Kevin Carr
Tresys Technology
410.290.1411 x137
17 years, 9 months
selinux and tmpfs message
by Jason Dravet
When I boot rawhide I see the following selinux messages. Why is tmpfs
listed twice?
SELinux: initialized (dev dm-0, type ext3), uses xattr
-->SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses
genfs_contexts
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
-->SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
Thanks,
Jason
17 years, 9 months
hid2hci AVCs
by Émeric Maschino
Hi,
For quite some time now, I've been getting AVCs similar to this one in
my /var/log/audit/audit.log file:
type=AVC msg=audit(1140723627.168:7): avc: denied { ioctl } for
pid=1866 comm="hid2hci" name="001" dev=tmpfs ino=3178
scontext=system_u:system_r:bluetooth_t:s0
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1140723627.168:7): arch=c0000032 syscall=1065
success=no
exit=13 a0=4 a1=40085511 a2=60000fffffa61954 a3=1001 items=0 pid=1866
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="hid2hci" exe="/usr/sbin/hid2hci"
type=AVC_PATH msg=audit(1140723627.168:7): path="/dev/bus/usb/001/001"
This is on an Itanium system. Is there something I can try to solve this
issue?
Many thanks,
Émeric
17 years, 9 months
Swap-related AVC
by Émeric Maschino
Hi,
With up-to-date Rawhide, I'm getting the following AVC in
my /var/log/messages file:
Feb 23 20:40:34 zx6000 kernel: audit(1140723618.608:3): avc: denied
{ write }
for pid=1340 comm="swapon" name="blkid.tab" dev=dm-0 ino=6253814
scontext=system_u:system_r:fsadm_t:s0 tcontext=user_u:object_r:etc_t:s0
tclass=file
Feb 23 20:40:34 zx6000 kernel: Adding 2031584k swap
on /dev/VolGroup00/LogVol01. Priority:-2 extents:1 across:2031584k
I don't know exactly when this problem first appeared. It should be noted
that, contrary to what's displayed, my swap partition isn't 2GB in
size, but 4GB.
Is this a general/64-bit specific/ia64 specific issue?
Many thanks,
Émeric
17 years, 9 months
Samba access for public_html.
by Christofer C. Bell
I'd like to be able to drag and drop files in ~/public_html on my FC4
machine running the stock targeted policy with Samba. I'm unable to
see that public_html even exists when browsing my share, let alone
manipulate files. Here's the avc log:
type=AVC msg=audit(1140775433.847:9264): avc: denied { getattr } for
pid=30827 comm="smbd" name="public_html" dev=md0 ino=8375104
scontext=system_u:system_r:smbd_t
tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
Is there a boolean that can be set or is this a job for audit2allow?
Thank you very much!
--
Chris
"I trust the Democrats to take away my money, which I can afford. I
trust the Republicans to take away my freedom, which I cannot."
17 years, 9 months
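Several of the posts above (Tom London's printer AVCs, Louis Garcia's samba share, Émeric's hid2hci and swapon denials, Christofer's public_html share) quote AVC records in three slightly different forms: raw audit.log lines, `ausearch -i` output with a human-readable timestamp, and the kernel/syslog form. As an added example, not taken from any of those posts or from the audit tools, here is a Python parser that reads all three, splits the security contexts into user/role/type/level, groups denials the way audit2allow does, and pairs an AVC with the PATH record of the same audit serial so the denied dev/ino can be tied to a pathname. The sample log is constructed from the records quoted in the posts, each re-joined onto a single line because the archive wrapped them.

```python
import re
from collections import defaultdict

# Constructed sample: the denial records quoted in the posts above, each re-joined
# onto one line (the archive wrapped them), plus the PATH record from the samba post.
SAMPLE_LOG = """\
type=AVC msg=audit(1140923608.645:86): avc: denied { search } for pid=3338 comm="smbd" name="/" dev=hda5 ino=2 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir
type=PATH msg=audit(1140923608.645:86): item=0 name="/data/public" flags=1 inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { read } for pid=5773 comm=printconf-backe name=.fonts.cache-2 dev=dm-0 ino=555510 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { write } for pid=5773 comm=printconf-backe name=[21844] dev=pipefs ino=21844 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file
type=AVC msg=audit(1140723627.168:7): avc: denied { ioctl } for pid=1866 comm="hid2hci" name="001" dev=tmpfs ino=3178 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
Feb 23 20:40:34 zx6000 kernel: audit(1140723618.608:3): avc: denied { write } for pid=1340 comm="swapon" name="blkid.tab" dev=dm-0 ino=6253814 scontext=system_u:system_r:fsadm_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1140775433.847:9264): avc: denied { getattr } for pid=30827 comm="smbd" name="public_html" dev=md0 ino=8375104 scontext=system_u:system_r:smbd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value possibly quoted
SERIAL_RE = re.compile(r"audit\(([^)]*)\)")   # raw or ausearch -i style timestamp:serial


def split_context(ctx):
    """user:role:type[:level] -> dict (the level, if any, keeps any ':' of an MLS range)."""
    return dict(zip(("user", "role", "type", "level"), ctx.split(":", 3)))


def parse_avc_line(line):
    """One AVC record (audit.log, ausearch -i or kernel/syslog form) -> dict, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    serial = SERIAL_RE.search(line)
    rec = {"serial": serial.group(1) if serial else None,
           "result": m.group("result"), "perms": m.group("perms").split(), **fields}
    rec["source"] = split_context(rec["scontext"])
    rec["target"] = split_context(rec["tcontext"])
    return rec


def parse_avc_log(text):
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def path_records(text):
    """PATH records keyed by audit serial, to match an AVC's dev/ino against a pathname."""
    out = defaultdict(list)
    for line in text.splitlines():
        if "type=PATH" in line:
            serial = SERIAL_RE.search(line).group(1)
            out[serial].append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return dict(out)


def summarize(records):
    """Group denials as audit2allow does: (source type, target type, class) -> perms."""
    groups = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            groups[(r["source"]["type"], r["target"]["type"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def as_allow_rules(summary):
    """The rule each group would need; whether to grant it is a separate decision."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_LOG)
    for rule in as_allow_rules(summarize(recs)):
        print(rule)
    paths = path_records(SAMPLE_LOG)
    for r in recs:
        for p in paths.get(r["serial"], []):
            print("%s: AVC name=%r dev=%s ino=%s  <->  PATH name=%r dev=%s inode=%s"
                  % (r["serial"], r["name"], r["dev"], r["ino"], p["name"], p["dev"], p["inode"]))
```

The `allow` lines are what each denial would need, which answers the "is this a job for audit2allow?" question only half way: they say nothing about whether the access is wanted, and a mislabeled object produces a denial that no rule should paper over. The PATH pairing is what makes that distinction visible. In the samba record the AVC names `"/"` on `dev=hda5 ino=2`, and the PATH record of the same serial reports `name="/data/public" inode=2 dev=03:05` (major 3, minor 5 is hda5), so the directory the kernel checked is the root inode of that filesystem and the label it consulted there is `default_t`; that points at how that filesystem root is labeled, not at a missing `smbd_t` rule.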