An interesting restorecon mislabel from selinux-policy-strict...
by Valdis.Kletnieks@vt.edu
Now watching a 'restorecon -v -R /' run to fix everything that got borked while
strict was broken...
We have these file context entries:
/usr/src(/.*)? system_u:object_r:src_t:s0
/usr(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t:s0
Guess what just happened to all the files under /usr/src/linux-2.6.16-foo/lib/
(Yes, moving the /usr/src/ entry lower in the file_contexts file should fix it,
but I haven't got my head wrapped around the new package scheme enough to figure
out how to accomplish that feat....)
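The collision comes from both regexes matching the same path. As an added illustration (not code from the post or from selinux-policy), this Python simulator parses the two quoted entries, reports which paths match more than one entry, and applies the last-match-wins rule the post relies on; how libselinux actually orders entries is not modelled beyond that rule.

```python
import re

# Constructed excerpt of file_contexts: the two entries quoted in the post, in the
# order the post says they currently appear.
FILE_CONTEXTS = """\
/usr/src(/.*)?                  system_u:object_r:src_t:s0
/usr(/.*)?/lib(64)?(/.*)?       system_u:object_r:lib_t:s0
"""

def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, optional file type, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:            # regex context
            regex, context = fields
            ftype = None
        elif len(fields) == 3:          # regex -type context
            regex, ftype, context = fields
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        specs.append((re.compile(regex), ftype, context))
    return specs

def matching_contexts(specs, path):
    """Contexts of every entry whose regex (anchored at both ends, as libselinux does) matches path, in file order."""
    return [ctx for regex, _ftype, ctx in specs if regex.fullmatch(path)]

def label_for(specs, path):
    """The label the post's rule yields: the last matching entry wins."""
    matches = matching_contexts(specs, path)
    return matches[-1] if matches else None

def shadowed_paths(specs, paths):
    """Paths matched by more than one entry: the candidates for a surprise relabel."""
    return [p for p in paths if len(matching_contexts(specs, p)) > 1]

def move_entry_last(text, regex_prefix):
    """Constructed helper: move the entry whose regex starts with regex_prefix to the end,
    the reordering the post proposes for the /usr/src entry."""
    lines = [l for l in text.splitlines() if l.strip()]
    moved = [l for l in lines if l.split()[0].startswith(regex_prefix)]
    kept = [l for l in lines if l not in moved]
    return "\n".join(kept + moved) + "\n"
```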
NetworkManager.....
by Tom London
Running today's rawhide:
Looks like NetworkManager is having problems with wpa_ctrl and
/var/run/wpa_supplicant-global:
----
type=PATH msg=audit(02/10/2006 20:05:28.832:15) : item=0 flags=follow
inode=2777642 dev=fd:00 mode=socket,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(02/10/2006 20:05:28.832:15) : nargs=3 a0=12
a1=95ee772 a2=6e
type=SOCKADDR msg=audit(02/10/2006 20:05:28.832:15) : saddr=local
/var/run/wpa_supplicant-global
type=AVC_PATH msg=audit(02/10/2006 20:05:28.832:15) :
path=/var/run/wpa_supplicant-global
type=SYSCALL msg=audit(02/10/2006 20:05:28.832:15) : arch=i386
syscall=socketcall(connect) success=no exit=-13(Permission denied)
a0=3 a1=b759c220 a2=0 a3=0 items=1 pid=2457 auid=unknown(4294967295)
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root comm=NetworkManager exe=/usr/sbin/NetworkManager
type=AVC msg=audit(02/10/2006 20:05:28.832:15) : avc: denied {
sendto } for pid=2457 comm=NetworkManager name=wpa_supplicant-global
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0
tclass=unix_dgram_socket
----
type=PATH msg=audit(02/10/2006 20:06:19.019:23) : item=0 flags=follow
inode=2777642 dev=fd:00 mode=socket,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(02/10/2006 20:06:19.019:23) : nargs=3 a0=12
a1=95eecca a2=6e
type=SOCKADDR msg=audit(02/10/2006 20:06:19.019:23) : saddr=local
/var/run/wpa_supplicant-global
type=AVC_PATH msg=audit(02/10/2006 20:06:19.019:23) :
path=/var/run/wpa_supplicant-global
type=SYSCALL msg=audit(02/10/2006 20:06:19.019:23) : arch=i386
syscall=socketcall(connect) success=yes exit=0 a0=3 a1=b759c220 a2=2
a3=0 items=1 pid=2457 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=NetworkManager exe=/usr/sbin/NetworkManager
type=AVC msg=audit(02/10/2006 20:06:19.019:23) : avc: denied {
sendto } for pid=2457 comm=NetworkManager name=wpa_supplicant-global
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0
tclass=unix_dgram_socket
----
type=PATH msg=audit(02/10/2006 20:31:01.616:36) : item=0 flags=follow
inode=3626597 dev=fd:00 mode=socket,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(02/10/2006 20:31:01.616:36) : nargs=3 a0=7
a1=bfe73ff4 a2=0
type=SOCKADDR msg=audit(02/10/2006 20:31:01.616:36) : saddr=local
/var/run/NetworkManager/wpa_ctrl_2448-3
type=SYSCALL msg=audit(02/10/2006 20:31:01.616:36) : arch=i386
syscall=socketcall(sendmsg) success=yes exit=46 a0=10 a1=bfe73fd0 a2=0
a3=9219180 items=1 pid=2908 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant
type=AVC msg=audit(02/10/2006 20:31:01.616:36) : avc: denied { write
} for pid=2908 comm=wpa_supplicant name=wpa_ctrl_2448-3 dev=dm-0
ino=3626597 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
type=PATH msg=audit(02/10/2006 20:31:01.632:37) : item=0
name=/var/run/NetworkManager/wpa_ctrl_2448-3 flags=parent
inode=3628150 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(02/10/2006 20:31:01.632:37) : cwd=/
type=SYSCALL msg=audit(02/10/2006 20:31:01.632:37) : arch=i386
syscall=unlink success=yes exit=0 a0=95eec5e a1=0 a2=95eec58
a3=95ec128 items=1 pid=2448 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=NetworkManager exe=/usr/sbin/NetworkManager
type=AVC msg=audit(02/10/2006 20:31:01.632:37) : avc: denied {
unlink } for pid=2448 comm=NetworkManager name=wpa_ctrl_2448-3
dev=dm-0 ino=3626597 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
--
Tom London
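To triage records like the ones above, the usual first step is to collapse the AVC lines into (source type, target type, class) groups and see which commands hit each one, the way audit2allow summarizes a log. The following Python is an added example, not code from the post or from NetworkManager; its input is the three AVC records above, re-joined onto one line each, and the allow rules it prints describe what the records asked for, not what should be granted.

```python
import re
from collections import defaultdict

# The three AVC records from the post, each re-joined onto one line (ausearch -i style).
AVC_RECORDS = """\
type=AVC msg=audit(02/10/2006 20:05:28.832:15) : avc: denied { sendto } for pid=2457 comm=NetworkManager name=wpa_supplicant-global scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(02/10/2006 20:31:01.616:36) : avc: denied { write } for pid=2908 comm=wpa_supplicant name=wpa_ctrl_2448-3 dev=dm-0 ino=3626597 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(02/10/2006 20:31:01.632:37) : avc: denied { unlink } for pid=2448 comm=NetworkManager name=wpa_ctrl_2448-3 dev=dm-0 ino=3626597 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line carries no avc: decision."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group("rest")))
    return rec

def type_of(context):
    """Type field of a security context (user:role:type[:range])."""
    return context.split(":")[2]

def summarize_denials(text):
    """Group denied perms and the comm= values that hit them by (src type, tgt type, class); tgt is 'self' when both match."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
        g = groups[(src, "self" if src == tgt else tgt, rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec.get("comm", "?"))
    return dict(groups)

def as_allow_rules(groups):
    """Render the groups as TE allow rules in the style audit2allow prints them."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm};")
    return rules
```

The comms set is what makes the grouping useful here: it shows which programs were running in each source domain when the denial fired.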
Nautilus Naughtiness
by Ted Rule
I've been having several problems recently with Nautilus and Gnome. This
started ever since I adjusted my Gnome settings to save session and
restore on login; I was simply too lazy to manually launch Firefox and
Evolution on login.
Consequently, on login, I potentially had multiple copies of Nautilus
starting up, depending on how I'd left the desktop at logout. (That's
multiple windows, which Gnome collapses onto a single process, but I was
seeing multiple processes under the fault conditions.) Invariably, at
least one of them crashed.
This became unworkable recently when I found I could make entire
directories disappear from Nautilus, even though they really still
existed. I drilled to a given "dangerous" directory's parent
within /home, then attempted to drill one step further, only to find
that the child directory started to display, and then Nautilus
completely crashed. If I tried opening the directory in a new window,
the child window crashed, and the parent window removed the directory
from its top level listing. It seemed that the "vulnerable" directories
were those which had been recently modified.
Experimenting further, this seems to relate to "gam_server", as numerous
denial messages appear in SELinux logs referencing this process.
"gam_server" is part of gamin, as in:
$ rpm -qf --queryformat="%{name}: %{summary}\n" /usr/libexec/gam_server
gamin: Library providing the FAM File Alteration Monitor API
The SELinux AVCs only related to gam_server running under the
"user_gnome_vfs_t" domain.
Based on what I've seen so far, my suspicion is that the
user_gnome_vfs_t domain needs read access to every directory which
user_t has access to, and that if user_t can get to a directory, but
user_gnome_vfs_t can't, the overall Nautilus system gets very very
confused for some reason.
For the present, I've added some extras to my local SELinux policy which
cover most directories which Nautilus is likely to want to see, and this
DOES appear to stop Nautilus crashing on login for the first time in
several months. I don't think this is the complete solution, though. I
suspect the proper solution is for Nautilus itself to gracefully recover
from a permission denial in either the user_t OR the user_gnome_vfs_t
components; or perhaps just simply abandon the user_gnome_vfs_t domain
itself?
Bring back CLI, all is forgiven.
Extra SELinux policy:
.....
# Another attempt to stop Nautilus crashing oddly.... seems to be
related to the gam_server process...
allow user_gnome_vfs_t { user_home_dir_t user_home_t user_fonts_t
user_mozilla_home_t }:dir { search getattr read };
allow user_gnome_vfs_t { user_spamassassin_home_t user_evolution_home_t
user_home_ssh_t user_gconfd_home_t }:dir { search getattr read };
allow user_gnome_vfs_t { mnt_t removable_t bin_t sbin_t var_t }:dir
{ search getattr read };
allow user_gnome_vfs_t { user_home_t user_untrusted_content_t
user_xauth_home_t user_tmp_t }:file { getattr };
allow user_gnome_vfs_t { user_home_t }:lnk_file { read };
.....
Pertinent RPM Versions:
$ rpm -q selinux-policy-strict-sources
selinux-policy-strict-sources-1.27.1-2.16
$ rpm -qf /usr/bin/nautilus
nautilus-2.10.0-4
$ rpm -q gamin
gamin-0.1.1-3.FC4
$ rpm -qf /usr/libexec/gnome-vfs-daemon
gnome-vfs2-2.10.0-5
$ rpm -qf /usr/libexec/gam_server
gamin-0.1.1-3.FC4
$
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
shared lib problem
by Junji Kanemaru
Hi,
I'm having a problem with fc5-test2: my app fails to load its
own shared library. The error I'm getting is:
"cannot restore segment prot after reloc: Permission denied"
It only happens when /selinux/enforce is true. I changed the
security context of the shared library, but it's the same... Any clue?
If more info is needed then let me know what kind of info is
needed.
Thanks,
-- Junji
--
Junji Kanemaru
Linuon Inc.
Tokyo Japan
RE: auditing support for FC2 w/ kernel 2.6.10-1.771_FC2
by Verbeeck Derek
Steve,
I've had zero success with any of the releases on that page. Machine is running the stock gcc that shipped w/ FC2 and the updated 2.6.10 kernel, and I also tried it on a replica of this machine running 2.6.15.1. The make fails out on a bunch of calls to some functions. The site mentions needing updated glibc-kernel headers, but can these even be safely updated without hosing the system?
Trying to find the least painful way to get auditing support on these systems. Neither laus, the built-in kernel auditing support with these user space packages, nor SNARE seems to work.
-Derek
-----Original Message-----
From: Steve G [mailto:linux_4ever@yahoo.com]
Sent: Wednesday, February 08, 2006 3:56 PM
To: Verbeeck Derek; fedora-selinux-list(a)redhat.com
Subject: Re: auditing support for FC2 w/ kernel 2.6.10-1.771_FC2
>Does anyone have experience with a similar scenario? Am I going about this the
>wrong way?
Yep. What you are talking about is laus - which is a Suse audit system. The 2.6
kernel has a native audit system that works completely differently from Laus. The
user space package can be found at http://people.redhat.com/sgrubb/audit. The
latest stable version is 1.0.14.
I want to think that you need a 2.6.14 kernel to have most problems solved. You can
try the older kernel and if you run into problems you should look for something
newer.
-Steve
dbus error message
by Srinivasa Ds
Hi
I am getting an SELinux dbus error message on my RHEL4 machine.
This is different from the earlier dbus error messages, which
selinux-policy-targeted-1.17.30-2.117.noarch.rpm (from Daniel
Walsh) fixed. This one looks different from that, and it doesn't
have the "denied send_msg" message which has the security class fields and
helped in debugging.
The error messages look like this:
=================================================================
Jan 17 17:02:07 x330b dbus: Can't send to audit system: USER_AVC
pid=7704 uid=81 loginuid=0 message=avc: received policyload notice
(seqno=16)
Jan 17 17:02:07 x330b dbus: Can't send to audit system: USER_AVC
pid=7704 uid=81 loginuid=0 message=avc: 0 AV entries and 0/512 buckets
used, longest chain length 0
Jan 17 17:02:24 x330b dbus: Can't send to audit system: USER_AVC
pid=7704 uid=81 loginuid=0 message=avc: received setenforce notice
(enforcing=1)
===================================================================
I just wanted to know why this error message is getting generated and
how to fix it.
Is it due to lack of send_msg permission?
Looking for a reply
Srinivasa DS
Good morning from Greece
by Achilles Myrmidon
I am a new user in the Linux environment. I bought a new computer and was
about to install Fedora Core 4. I inserted the first CD and
chose the option "graphical installation". When I pressed the
"enter" button, I saw a screen with many numbers and some error messages that I
didn't write down.
My computer is new with EIDE and SATA II hard disks, with MSI GeForce
graphical card and Intel CPU.
Can you advise me please what could be wrong?
Best Regards
John
auditing support for FC2 w/ kernel 2.6.10-1.771_FC2
by Verbeeck Derek
Greetings,
I'm trying to get audit support working w/ FC2 and kernel 2.6.10
(provided from a yum repository and recompiled from that source). The
issue is that even when both audit support and syscall auditing are
flagged on in .config, when the system is booting with a rebuilt kernel,
I am not seeing a /dev/audit device file, so the audit software I'm
trying to use fails. I'm trying to use laus, a third party application
written by Novell, which builds fine from source, but fails due to lack
of /dev/audit. I have tried to mknod the device file myself with no
success; it still complains about not having the audit device.
Does anyone have experience with a similar scenario? Am I going
about this the wrong way?
Thanks for your time!
Derek Verbeeck
System Administrator
Advanced Acoustic Concepts
631-273-5700 ext 2305
What makes contexts different for audit.log and ls -Z?
by Göran Uddeborg
What could cause the context shown with "ls" and the context reported
for a denied AVC check to differ?
After a recent upgrade, Samba stopped working for us. Trying
smbclient, user adb is not allowed to access its home directory. From
an strace of smbd I see that a stat() call fails:
8307 stat64("/home/adb", 0xbff08334) = -1 EACCES (Permission denied)
I believe I found the reason in audit.log:
type=AVC msg=audit(1139403413.095:1782): avc: denied { search } for pid=8647 comm="smbd" name="home" dev=hda2 ino=966657 scontext=root:system_r:smbd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1139403413.095:1782): arch=40000003 syscall=195 success=no exit=-13 a0=90f7110 a1=bff08334 a2=5baff4 a3=bff08334 items=1 pid=8647 auid=504 uid=734 gid=0 euid=734 suid=0 fsuid=734 egid=734 sgid=734 fsgid=734 comm="smbd" exe="/usr/sbin/smbd"
type=CWD msg=audit(1139403413.095:1782): cwd="/"
type=PATH msg=audit(1139403413.095:1782): item=0 name="/home/adb" flags=1 inode=966657 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
"home_root_t" for /home/adb seems incorrect to me. But when I do
ls -ldZ on /home/adb, it has a different context:
server2# ls -lZd /home/adb
drwx------ adb adb user_u:object_r:user_home_dir_t /home/adb
"user_home_dir_t" makes a lot more sense.
The context of the smbd daemon looks right with ps.
server2$ ps -ZC smbd
LABEL PID TTY TIME CMD
root:system_r:smbd_t 7737 ? 00:00:00 smbd
root:system_r:smbd_t 7735 ? 00:00:00 smbd
Somewhat blindly, I have done a "fixfiles -F relabel", and I've done
an extra "load_policy policy.19", and neither makes any difference.
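The AVC record above carries name="home" while the PATH record carries name="/home/adb", and a search check is made on each directory component a lookup traverses. This added Python (not from the post) lists the components a lookup of /home/adb passes through, maps the AVC's name= field to the component it refers to, and reads each component's on-disk label (the same security.selinux xattr ls -Z shows) so the audit record and the ls -Z output can be compared component by component; the label lookup is injectable so the walk also runs on a host without SELinux.

```python
import os
import re

def ancestors(path):
    """Every directory component a lookup of path must search, root first: /, /home, /home/adb."""
    path = os.path.normpath(path)
    parts = [p for p in path.split("/") if p]
    out = ["/"]
    for i in range(len(parts)):
        out.append("/" + "/".join(parts[: i + 1]))
    return out

def avc_object_name(avc_line):
    """The name= field of an AVC record: the single path component the check was made on."""
    m = re.search(r'\bname="?([^"\s]+)"?', avc_line)
    return m.group(1) if m else None

def component_for_avc(avc_line, path):
    """Which ancestor of path the AVC's name= refers to, or None if no component matches."""
    name = avc_object_name(avc_line)
    for comp in ancestors(path):
        base = os.path.basename(comp) or "/"
        if base == name:
            return comp
    return None

def selinux_label(path):
    """Read the on-disk label (what ls -Z shows) from the security.selinux xattr; None if unavailable."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):
        return None

def label_walk(path, lookup=selinux_label):
    """(component, label) for every ancestor of path; lookup defaults to the real xattr read."""
    return [(comp, lookup(comp)) for comp in ancestors(path)]

def report(avc_line, path, lookup=selinux_label):
    """One line per component, marking the one the AVC record names."""
    hit = component_for_avc(avc_line, path)
    return [f"{'*' if comp == hit else ' '} {comp}\t{label}" for comp, label in label_walk(path, lookup)]
```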