Postfix/mailman problem
by Eric Smith
I've got an FC4 x86_64 system with the targeted policy. I'm only
just beginning to understand SELinux, after reading the O'Reilly book.
I'm trying to use the Postfix MTA with GNU Mailman, using the
postfix-to-mailman-2.1.py script. I put the script in
/usr/lib/mailman/bin, but it fails. /var/log/maillog says:
Mar 1 17:26:34 donnybrook pipe[10056]: fatal: pipe_comand: execvp
/usr/lib/mailman/bin/postfix-to-mailman-2.1.py: Permission denied
Mar 1 17:26:35 donnybrook postfix/pipe[10055]: 4D0F150087:
to=<nonpareil-commits(a)lists.brouhaha.com>, relay=mailman, delay=1,
status=bounced (Command died with status 1:
"/usr/lib/mailman/bin/postfix-to-mailman-2.1.py")
/var/log/audit/audit.log says:
type=AVC msg=audit(1141262794.346:48506): avc: denied { execute } for
pid=10056 comm="pipe" name="postfix-to-mailman-2.1.py" dev=dm-6 ino=786433
scontext=system_u:system_r:postfix_pipe_t
tcontext=system_u:object_r:mailman_queue_exec_t tclass=file
As root, I tried:
% chcon -u system_u -r system_r -t postfix_pipe_t postfix-to-mailman-2.1.py
chcon: failed to change context of postfix-to-mailman-2.1.py to
system_u:system_r:postfix_pipe_t: Permission denied
Why can't I do that, or what should I do instead to make this work?
Thanks!
Eric
18 years, 1 month
How to allow vsftpd to listen on other ports?
by Dawid Gajownik
Hi!
I wanted vsftpd to listen on port 750 or 777. SELinux does not like this:
type=AVC msg=audit(1141840161.184:107): avc: denied { name_bind } for
pid=5352 comm="vsftpd" src=777 scontext=root:system_r:ftpd_t
tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(1141840470.444:114): avc: denied { name_bind } for
pid=5495 comm="vsftpd" src=750 scontext=root:system_r:ftpd_t
tcontext=system_u:object_r:kerberos_port_t tclass=tcp_socket
I've downloaded selinux-policy-targeted-sources rpm and wanted to add
this line:
portcon tcp 750 system_u:object_r:ftp_port_t
The problem is that I don't know where it should be placed. It does not
work in domains/misc/local.te -- `make load' fails ;-)
OS: FC4
selinux-policy-targeted-sources: 1.27.1-2.22
Regards,
Dawid
--
^_*
18 years, 1 month
enableaudit.pp ...
by Tom London
Running latest targeted policy.
/usr/share/selinux/targeted/base.pp and enableaudit.pp appear to be identical.
That right? If so, I must not understand how to use it.
So, how do I load a policy with all the 'dontaudit' rules removed?
tom
[Sorry for the dumb question....]
--
Tom London
18 years, 1 month
Modifying local policy on RHEL 4
by Florian Lengyel
Is this the appropriate list to ask about modifying local SELinux policies
on Red Hat Enterprise Linux 4? If it is, can someone inform me what I need
to download in order to modify the local SELinux policy? The source and
tools to do this don't seem to be included in my installation (following the
online Red Hat documentation); perhaps there are appropriate rpms to
download in up2date--I don't know what they are, and they do not seem to be
mentioned in the online documentation.
If this is not the appropriate list, please let me know.
Thanks,
FL
18 years, 1 month
Unable to create swapfiles....
by Dan Thurman
Hi Daniel J Walsh,
I have read the previous posts regarding creating swapfiles
and SELinux refuses to allow it.
The steps to create a swapfile are:
1) dd if=/dev/zero of=/swapfile bs=1024 count=<SWAP-SIZE>
1.5) New step: chcon -t swapfile_t /swapfile
2) mkswap /swapfile
3) swapon /swapfile
4) Add entry to fstab
All of this is per Red Hat's documentation - which is old.
But with the inclusion of SELinux, a new security context
of swapfile_t was added, and supposedly added to mkswap
as well - and I have the latest YUM updates since I am
testing with FC5-T3 and I have done (1.5) above but when doing
(2) I get a "relabel" denial with the message:
> mkswap /swapfile
mkswap: unable to relabel /swapfile to swapfile_t: Permission denied
/var/log/audit/audit.log shows:
type=AVC msg=audit(1141837284.182:194): avc: denied { ioctl } for pid=3948 comm="mkswap" name="swapfile" dev=hda7 ino=107915 scontext=root:system_r:fsadm_t:s0-s0:c0.c255 tcontext=root:object_r:swapfile_t:s0 tclass=file
type=SYSCALL msg=audit(1141837284.182:194): arch=40000003 syscall=54 success=no exit=-13 a0=3 a1=1260 a2=bf9c1ed0 a3=bf9c39fb items=0 pid=3948 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mkswap" exe="/sbin/mkswap"
type=AVC_PATH msg=audit(1141837284.182:194): path="/swapfile"
type=AVC msg=audit(1141837284.238:195): avc: denied { relabelfrom } for pid=3948 comm="mkswap" name="swapfile" dev=hda7 ino=107915 scontext=root:system_r:fsadm_t:s0-s0:c0.c255 tcontext=root:object_r:swapfile_t:s0 tclass=file
type=SYSCALL msg=audit(1141837284.238:195): arch=40000003 syscall=228 success=no exit=-13 a0=3 a1=250f66f a2=804a434 a3=b items=0 pid=3948 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mkswap" exe="/sbin/mkswap"
Please let me know what solution is needed!
Kind regards,
Dan
18 years, 1 month
dontaudit for
by Tom London
Running targeted/enforcing, latest rawhide.
I get this:
----
type=PATH msg=audit(03/07/2006 09:11:05.866:13) : item=0
name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03
mode=dir,555 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/07/2006 09:11:05.866:13) : cwd=/usr/share/hal/scripts
type=SYSCALL msg=audit(03/07/2006 09:11:05.866:13) : arch=i386
syscall=access success=no exit=-13(Permission denied) a0=95213b8 a1=2
a2=2 a3=9520528 items=1 pid=2674 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=pm-powersave exe=/bin/bash
type=AVC msg=audit(03/07/2006 09:11:05.866:13) : avc: denied { write
} for pid=2674 comm=pm-powersave name=vm dev=proc ino=-268435366
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
----
I think it comes from /usr/sbin/pm-powersave:
if [ ! -w "/proc/sys/vm/" ] ; then
# Use the raw kernel sysfs interface
echo "You do not have write access to /proc/sys/vm/"
exit 1
fi
/proc/sys/vm appears to not want to be written:
[tbl@localhost vm]$ ls -ldZ /proc/sys/vm
dr-xr-xr-x root root system_u:object_r:sysctl_vm_t /proc/sys/vm
[tbl@localhost vm]$
Should this be a 'dontaudit'? E.g.:
dontaudit hald_t sysctl_vm_t:dir write;
tom
--
Tom London
18 years, 1 month
selinux, httpd and sudo
by Tom Diehl
Hi all,
I have an el4 machine that I am trying to get a shell script working from a
php page with sudo. I can su to apache and execute the script using sudo but
when I try to execute the script from the php page I get the following avc's:
type=AVC msg=audit(1141573880.162:1935): avc: denied { setrlimit } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
type=SYSCALL msg=audit(1141573880.162:1935): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fbffff9a0 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.164:1936): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.164:1936): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=1 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=CWD msg=audit(1141573880.164:1936): cwd="/var/www/adddomain"
type=PATH msg=audit(1141573880.164:1936): name="/etc/shadow" flags=101 inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141573880.165:1937): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.165:1937): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=4 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=CWD msg=audit(1141573880.165:1937): cwd="/var/www/adddomain"
type=PATH msg=audit(1141573880.165:1937): name="/etc/shadow" flags=101 inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141573880.165:1938): avc: denied { create } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1141573880.165:1938): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=7fbfffe901 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.166:1939): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.166:1939): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffff a1=30 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.167:1940): avc: denied { setuid } for pid=29788 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.167:1940): arch=c000003e syscall=117 success=yes exit=0 a0=30 a1=30 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=48 suid=0 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.167:1941): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.167:1941): arch=c000003e syscall=119 success=no exit=-1 a0=ffffffff a1=0 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
If I am reading these correctly, it appears that selinux is stopping sudo from
executing the commands. Is there a way to get this to work without making the
system insecure. The script is restricted to internal use but there are
publicly accessible websites hosted on the machine.
Regards,
Tom
18 years, 1 month
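The AVC records quoted in this thread, and in the vsftpd and pm-powersave threads above, all share one record shape, and the tempting fix for each is to feed them to audit2allow. The following is an added example (not code from any poster) that parses such records, shows the audit2allow-style rule each one would turn into, and flags the ones a defender should not silence that way: a web CGI domain reading shadow_t or gaining setuid/setgid is a policy hole, not a bug in the policy. The HIGH_RISK table is an assumed, illustrative triage list.

```python
import re

# Sample input: four AVC records quoted from the posts above (sudo run from a
# PHP page, vsftpd binding port 777, hald's pm-powersave probing /proc/sys/vm)
# plus one SYSCALL record the parser must skip. The hald line is in the
# `ausearch -i` format; the others are raw /var/log/audit/audit.log lines.
SAMPLE_LOG = """\
type=AVC msg=audit(1141573880.164:1936): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.164:1936): arch=c000003e syscall=2 success=no exit=-13 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.167:1940): avc: denied { setuid } for pid=29788 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=AVC msg=audit(1141840161.184:107): avc: denied { name_bind } for pid=5352 comm="vsftpd" src=777 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=AVC msg=audit(03/07/2006 09:11:05.866:13) : avc:  denied  { write } for  pid=2674 comm=pm-powersave name=vm dev=proc ino=-268435366 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) ?: '
                    r'avc: +denied +\{ *(?P<perms>[^}]+)\} +for +(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target type / object class pairs where silencing the denial with an allow
# rule is the wrong fix. An assumed, illustrative triage list, not policy.
HIGH_RISK = {('shadow_t', 'file'): 'access to password hashes',
             (None, 'capability'): 'a root capability for the source domain'}

def parse_avc(line):
    """Return the fields of one type=AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:mls]; the type is always the third field.
    return {'serial': int(m.group('serial')), 'comm': kv.get('comm', '?'),
            'perms': m.group('perms').split(),
            'stype': kv['scontext'].split(':')[2],
            'ttype': kv['tcontext'].split(':')[2], 'tclass': kv['tclass']}

def to_allow_rule(rec):
    """The audit2allow-style rule that would silence exactly this denial."""
    perms = ' '.join(rec['perms'])
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};"

def risk_of(rec):
    """Why that rule should not be added, or None if it only needs review."""
    return (HIGH_RISK.get((rec['ttype'], rec['tclass']))
            or HIGH_RISK.get((None, rec['tclass'])))

def triage(log_text):
    """Pair every AVC record with its candidate rule and its risk verdict."""
    recs = filter(None, map(parse_avc, log_text.splitlines()))
    return [(r, to_allow_rule(r), risk_of(r)) for r in recs]

if __name__ == '__main__':
    for rec, rule, risk in triage(SAMPLE_LOG):
        print(f"{rec['serial']:>5} {rec['comm']:<13} {rule}"
              + (f"   # DO NOT ALLOW: {risk}" if risk else ''))
```

Run against a real audit.log the unflagged rules still need review; the flagged ones point at the design (a web script invoking sudo) rather than at the policy.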
can any one help me on SELinux plzzzz
by Suman B
Hi,
I am doing M.Tech and I am doing my mini-project on SELinux. My guide told
me to modify the SELinux code a bit and recompile the kernel. I have read
some articles and working procedure of SELinux but I am unable to decide the
modification which I could do. Please help me out from this problem.
Thanks in advance
Regards,
Suman.B
NIT Calicut.
18 years, 1 month
AVCs during suspend/resume (vbetool/hald/ntpd)
by Tom London
Running latest rawhide (2.6.15-1.2009.4.2_FC), targeted/enforcing,
some AVCs are generated (I think during resume).
Running in Permissive mode, I get:
----
type=PATH msg=audit(03/04/2006 14:39:51.707:29) : item=1
flags=follow,open inode=1045516 dev=fd:00 mode=file,755 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(03/04/2006 14:39:51.707:29) : item=0
name=/usr/sbin/vbetool flags=follow,open inode=5794873 dev=fd:00
mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/04/2006 14:39:51.707:29) : cwd=/usr/share/hal/scripts
type=AVC_PATH msg=audit(03/04/2006 14:39:51.707:29) : path=/var/run/vbestate
type=SYSCALL msg=audit(03/04/2006 14:39:51.707:29) : arch=i386
syscall=execve success=yes exit=0 a0=8a49e98 a1=8a49eb0 a2=8a4f980
a3=8a4f528 items=2 pid=2933 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=vbetool exe=/usr/sbin/vbetool
type=AVC msg=audit(03/04/2006 14:39:51.707:29) : avc: denied { write
} for pid=2933 comm=vbetool name=vbestate dev=dm-0 ino=2777558
scontext=system_u:system_r:vbetool_t:s0
tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file
----
type=PATH msg=audit(03/04/2006 14:40:31.194:30) : item=1
flags=follow,open inode=1045516 dev=fd:00 mode=file,755 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(03/04/2006 14:40:31.194:30) : item=0
name=/usr/sbin/vbetool flags=follow,open inode=5794873 dev=fd:00
mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/04/2006 14:40:31.194:30) : cwd=/usr/share/hal/scripts
type=AVC_PATH msg=audit(03/04/2006 14:40:31.194:30) : path=/var/run/vbestate
type=SYSCALL msg=audit(03/04/2006 14:40:31.194:30) : arch=i386
syscall=execve success=yes exit=0 a0=9268650 a1=927d070 a2=9268980
a3=9268518 items=2 pid=3115 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=vbetool exe=/usr/sbin/vbetool
type=AVC msg=audit(03/04/2006 14:40:31.194:30) : avc: denied { read
} for pid=3115 comm=vbetool name=vbestate dev=dm-0 ino=2777558
scontext=system_u:system_r:vbetool_t:s0
tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file
----
type=AVC_PATH msg=audit(03/04/2006 14:40:31.222:31) : path=/var/run/vbestate
type=SYSCALL msg=audit(03/04/2006 14:40:31.222:31) : arch=i386
syscall=ioctl success=no exit=-25(Inappropriate ioctl for device) a0=0
a1=4b3a a2=0 a3=bfc59044 items=0 pid=3115 auid=unknown(1515870810)
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root comm=vbetool exe=/usr/sbin/vbetool
type=AVC msg=audit(03/04/2006 14:40:31.222:31) : avc: denied { ioctl
} for pid=3115 comm=vbetool name=vbestate dev=dm-0 ino=2777558
scontext=system_u:system_r:vbetool_t:s0
tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file
----
type=PATH msg=audit(03/04/2006 14:40:33.010:32) : item=0
name=/dev/tty8 flags=follow inode=681 dev=00:0f mode=char,660
ouid=root ogid=tty rdev=04:08
type=CWD msg=audit(03/04/2006 14:40:33.010:32) : cwd=/usr/share/hal/scripts
type=SYSCALL msg=audit(03/04/2006 14:40:33.010:32) : arch=i386
syscall=chown32 success=yes exit=0 a0=bf97d207 a1=0 a2=0 a3=bf97d2c4
items=1 pid=3126 auid=unknown(4294967295) uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root comm=openvt
exe=/usr/bin/openvt
type=AVC msg=audit(03/04/2006 14:40:33.010:32) : avc: denied {
setattr } for pid=3126 comm=openvt name=tty8 dev=tmpfs ino=681
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
----
type=PATH msg=audit(03/04/2006 14:40:51.308:33) : item=1
flags=follow,open inode=1045516 dev=fd:00 mode=file,755 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(03/04/2006 14:40:51.308:33) : item=0
name=/usr/sbin/ntpdate flags=follow,open inode=5802324 dev=fd:00
mode=file,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/04/2006 14:40:51.308:33) : cwd=/
type=AVC_PATH msg=audit(03/04/2006 14:40:51.308:33) : path=/dev/null
type=SYSCALL msg=audit(03/04/2006 14:40:51.308:33) : arch=i386
syscall=execve success=yes exit=0 a0=9aa9458 a1=9aaa320 a2=9aab1b0
a3=9aaa838 items=2 pid=3182 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=ntpdate exe=/usr/sbin/ntpdate
type=AVC msg=audit(03/04/2006 14:40:51.308:33) : avc: denied { use }
for pid=3182 comm=ntpdate name=null dev=tmpfs ino=1151
scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=fd
----
<<<<<<REBOOT HERE, in Enforcing mode>>>>>>>>
----
type=PATH msg=audit(03/04/2006 14:46:19.552:13) : item=0
name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03
mode=dir,555 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/04/2006 14:46:19.552:13) : cwd=/usr/share/hal/scripts
type=SYSCALL msg=audit(03/04/2006 14:46:19.552:13) : arch=i386
syscall=access success=no exit=-13(Permission denied) a0=9c3a3c8 a1=2
a2=2 a3=9c39538 items=1 pid=2695 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=pm-powersave exe=/bin/bash
type=AVC msg=audit(03/04/2006 14:46:19.552:13) : avc: denied { write
} for pid=2695 comm=pm-powersave name=vm dev=proc ino=-268435366
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
----
type=PATH msg=audit(03/04/2006 14:46:22.004:14) : item=0
name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03
mode=dir,555 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(03/04/2006 14:46:22.004:14) : cwd=/usr/share/hal/scripts
type=SYSCALL msg=audit(03/04/2006 14:46:22.004:14) : arch=i386
syscall=access success=no exit=-13(Permission denied) a0=8e403c8 a1=2
a2=2 a3=8e3f538 items=1 pid=2733 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=pm-powersave exe=/bin/bash
type=AVC msg=audit(03/04/2006 14:46:22.004:14) : avc: denied { write
} for pid=2733 comm=pm-powersave name=vm dev=proc ino=-268435366
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
----
--
Tom London
18 years, 1 month
RE: ANN: CDS Framework IDE
by Kevin Carr
> I was very happy to see these announcements :)
>
> However, when I try to create a new project with either of these
> plugins, I get the following errors:
>
> com.tresys.slide.plugin.wizards.NewProjectWizard
> com.tresys.framework.plugin.wizards.NewProjectWizard
>
> Never used eclipse before... dunno if this is user error.
It looks like these errors are because of an older version of eclipse. Both
tools require Eclipse 3.1.
On another note, I updated the Tresys Technology website to include some
installation instructions for the CDS Framework IDE. Also I posted a newer
tarball for the CDS tool that fixes some issues we found yesterday. Please
get the newer release and try that one.
http://tresys.com/selinux
Kevin Carr
Tresys Technology
410.290.1411 x137
18 years, 1 month