selinux March 2006

selinux@lists.fedoraproject.org

40 participants
54 discussions

Postfix/mailman problem
by Eric Smith 11 Mar '06

11 Mar '06

I've got an FC4 x86_64 system with the targeted policy. I'm only just beginning to understand SELinux, after reading the O'Reilly book. I'm trying to use the Postfix MTA with GNU Mailman, using the postfix-to-mailman-2.1.py script. I put the script in /usr/lib/mailman/bin, but it fails. /var/log/maillog says: Mar 1 17:26:34 donnybrook pipe[10056]: fatal: pipe_comand: execvp /usr/lib/mailman/bin/postfix-to-mailman-2.1.py: Permission denied Mar 1 17:26:35 donnybrook postfix/pipe[10055]: 4D0F150087: to=<nonpareil-commits(a)lists.brouhaha.com>, relay=mailman, delay=1, status=bounced (Command died with status 1: "/usr/lib/mailman/bin/postfix-to-mailman-2.1.py") /var/log/audit/audit.log says: type=AVC msg=audit(1141262794.346:48506): avc: denied { execute } for pid=10056 comm="pipe" name="postfix-to-mailman-2.1.py" dev=dm-6 ino=786433 scontext=system_u:system_r:postfix_pipe_t tcontext=system_u:object_r:mailman_queue_exec_t tclass=file As root, I tried: % chcon -u system_u -r system_r -t postfix_pipe_t postfix-to-mailman-2.1.py chcon: failed to change context of postfix-to-mailman-2.1.py to system_u:system_r:postfix_pipe_t: Permission denied Why can't I do that, or what should I do instead to make this work? Thanks! Eric

3 11

How to allow vsftpd to listen on other ports?
by Dawid Gajownik 10 Mar '06

10 Mar '06

Hi! I wanted vsftpd to listen on 750 or 777 port. SELinux does not like this type=AVC msg=audit(1141840161.184:107): avc: denied { name_bind } for pid=5352 comm="vsftpd" src=777 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket type=AVC msg=audit(1141840470.444:114): avc: denied { name_bind } for pid=5495 comm="vsftpd" src=750 scontext=root:system_r:ftpd_t tcontext=system_u:object_r:kerberos_port_t tclass=tcp_socket I've downloaded selinux-policy-targeted-sources rpm and wanted to add this line: portcon tcp 750 system_u:object_r:ftp_port_t The problem is that I don't know where should it be placed. It does not work in domains/misc/local.te -- `make load' fails ;-) OS: FC4 selinux-policy-targeted-sources: 1.27.1-2.22 Regards, Dawid -- ^_*

2 6

enableaudit.pp ...
by Tom London 09 Mar '06

09 Mar '06

Running latest targeted policy. /usr/share/selinux/targeted/base.pp and enableaudit.pp appear to be identical. That right? If so, I must not understand on how to use. So, how do I load a policy with all the 'dontaudit' rules removed? tom [Sorry for the dumb question....] -- Tom London

2 2

Modifying local policy onn RHEL 4
by Florian Lengyel 08 Mar '06

08 Mar '06

Is this the appropriate list to ask about modifying local Selinux policies on Red Hate Enterprise Linux 4? If it is, can someone inform me what i need to download in order to modify the local Selinux policy? The source and tools to do this don't seem to be included in my installation (following the online Red Hat documentation); perhaps there are appropriate rpms to download in up2date--I don't know what they are, and they do not seem to be mentioned in the online documentation. If this is not the appropriate list, please let me know. Thanks, FL

3 4

Unable to create swapfiles....
by Dan Thurman 08 Mar '06

08 Mar '06

Hi Daniel J Walsh, I have read the previous posts regarding creating swapfiles and SELinux refuses to allow it. The steps to create a swapfile is: 1) dd if=/dev/zero of=/swapfile bs=1024 count=<SWAP-SIZE> 1.5) New step: chcon -t swapfile_t /swapfile 2) mkswap /swapfile 3) swapon /swapfile 4) Add entry to fstab All of this is per Redhat's documention - which is old. But with the inclusion of SELinux, a new security context of swapfile_t was added, and supposedly added to mkswap as well - and I have have the latest YUM updates since I am testing with FC5-T3 and I have done (1.5) above but when doing (2) I get a "relabel" denial with the message: > mkswap /swapfile mkswap: unable to relabel /swapfile to swapfile_t: Permission denied /var/log/audit/audit.log shows: type=AVC msg=audit(1141837284.182:194): avc: denied { ioctl } for pid=3948 comm="mkswap" name="swapfile" dev=hda7 ino=107915 scontext=root:system_r:fsadm_t:s0-s0:c0.c255 tcontext=root:object_r:swapfile_t:s0 tclass=file type=SYSCALL msg=audit(1141837284.182:194): arch=40000003 syscall=54 success=no exit=-13 a0=3 a1=1260 a2=bf9c1ed0 a3=bf9c39fb items=0 pid=3948 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mkswap" exe="/sbin/mkswap" type=AVC_PATH msg=audit(1141837284.182:194): path="/swapfile" type=AVC msg=audit(1141837284.238:195): avc: denied { relabelfrom } for pid=3948 comm="mkswap" name="swapfile" dev=hda7 ino=107915 scontext=root:system_r:fsadm_t:s0-s0:c0.c255 tcontext=root:object_r:swapfile_t:s0 tclass=file type=SYSCALL msg=audit(1141837284.238:195): arch=40000003 syscall=228 success=no exit=-13 a0=3 a1=250f66f a2=804a434 a3=b items=0 pid=3948 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mkswap" exe="/sbin/mkswap" Please let me know what solution is needed! Kind regards, Dan

1 0

dontaudit for
by Tom London 07 Mar '06

07 Mar '06

Running targeted/enforcing, latest rawhide. I get this: ---- type=PATH msg=audit(03/07/2006 09:11:05.866:13) : item=0 name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03 mode=dir,555 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/07/2006 09:11:05.866:13) : cwd=/usr/share/hal/scripts type=SYSCALL msg=audit(03/07/2006 09:11:05.866:13) : arch=i386 syscall=access success=no exit=-13(Permission denied) a0=95213b8 a1=2 a2=2 a3=9520528 items=1 pid=2674 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=pm-powersave exe=/bin/bash type=AVC msg=audit(03/07/2006 09:11:05.866:13) : avc: denied { write } for pid=2674 comm=pm-powersave name=vm dev=proc ino=-268435366 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir ---- I think it comes from /usr/sbin/pm-powersave: if [ ! -w "/proc/sys/vm/" ] ; then # Use the raw kernel sysfs interface echo "You do not have write access to /proc/sys/vm/" exit 1 fi /proc/sys/vm appers to not want to be written: [tbl@localhost vm]$ ls -ldZ /proc/sys/vm dr-xr-xr-x root root system_u:object_r:sysctl_vm_t /proc/sys/vm [tbl@localhost vm]$ Should this be a 'dontaudit'? E.g.: dontaudit hald_t sysctl_vm_t:dir write; tom -- Tom London

1 0

selinux, httpd and sudo
by Tom Diehl 05 Mar '06

05 Mar '06

Hi all, I have an el4 machine that I am trying to get a shell script working from a php page with sudo. I can su to apache and execute the script using sudo but when I try to execute the script from the php page I get the following avc's: type=AVC msg=audit(1141573880.162:1935): avc: denied { setrlimit } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process type=SYSCALL msg=audit(1141573880.162:1935): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fbffff9a0 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo" type=AVC msg=audit(1141573880.164:1936): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file type=SYSCALL msg=audit(1141573880.164:1936): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=1 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo" type=CWD msg=audit(1141573880.164:1936): cwd="/var/www/adddomain" type=PATH msg=audit(1141573880.164:1936): name="/etc/shadow" flags=101 inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1141573880.165:1937): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file type=SYSCALL msg=audit(1141573880.165:1937): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=4 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo" type=CWD msg=audit(1141573880.165:1937): cwd="/var/www/adddomain" type=PATH msg=audit(1141573880.165:1937): name="/etc/shadow" flags=101 inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1141573880.165:1938): avc: denied { create } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=netlink_route_socket type=SYSCALL msg=audit(1141573880.165:1938): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=7fbfffe901 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo" type=AVC msg=audit(1141573880.166:1939): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability type=SYSCALL msg=audit(1141573880.166:1939): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffff a1=30 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo" type=AVC msg=audit(1141573880.167:1940): avc: denied { setuid } for pid=29788 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability type=SYSCALL msg=audit(1141573880.167:1940): arch=c000003e syscall=117 success=yes exit=0 a0=30 a1=30 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=48 suid=0 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo" type=AVC msg=audit(1141573880.167:1941): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability type=SYSCALL msg=audit(1141573880.167:1941): arch=c000003e syscall=119 success=no exit=-1 a0=ffffffff a1=0 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo" If I am reading these correctly, it appears that selinux is stopping sudo from executing the commands. Is there a way to get this to work without making the system insecure. The script is restricted to internal use but there are publicly accessible websites hosted on the machine. Regards, Tom

1 0

can any one help me on SELinux plzzzz
by Suman B 05 Mar '06

05 Mar '06

Hi, i am doing M.Tech and I am doing my mini-project on SeLinux. My guide told me to modify the SeLinux code a bit and recompile the kernel. I have read some articles and working procedure of SeLinux but i am unable to decide the modification which i could do. Plz help me out from this problem. Thanks in advance Regrads, Suman.B NIT Calicut.

2 1

AVCs during suspend/resume (vbetool/hald/ntpd)
by Tom London 04 Mar '06

04 Mar '06

Running latest rawhide (2.6.15-1.2009.4.2_FC), targeted/enforcing, some AVCs are generated (I think during resume). Running in Permissive mode, I get: ---- type=PATH msg=audit(03/04/2006 14:39:51.707:29) : item=1 flags=follow,open inode=1045516 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 type=PATH msg=audit(03/04/2006 14:39:51.707:29) : item=0 name=/usr/sbin/vbetool flags=follow,open inode=5794873 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/04/2006 14:39:51.707:29) : cwd=/usr/share/hal/scripts type=AVC_PATH msg=audit(03/04/2006 14:39:51.707:29) : path=/var/run/vbestate type=SYSCALL msg=audit(03/04/2006 14:39:51.707:29) : arch=i386 syscall=execve success=yes exit=0 a0=8a49e98 a1=8a49eb0 a2=8a4f980 a3=8a4f528 items=2 pid=2933 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=vbetool exe=/usr/sbin/vbetool type=AVC msg=audit(03/04/2006 14:39:51.707:29) : avc: denied { write } for pid=2933 comm=vbetool name=vbestate dev=dm-0 ino=2777558 scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file ---- type=PATH msg=audit(03/04/2006 14:40:31.194:30) : item=1 flags=follow,open inode=1045516 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 type=PATH msg=audit(03/04/2006 14:40:31.194:30) : item=0 name=/usr/sbin/vbetool flags=follow,open inode=5794873 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/04/2006 14:40:31.194:30) : cwd=/usr/share/hal/scripts type=AVC_PATH msg=audit(03/04/2006 14:40:31.194:30) : path=/var/run/vbestate type=SYSCALL msg=audit(03/04/2006 14:40:31.194:30) : arch=i386 syscall=execve success=yes exit=0 a0=9268650 a1=927d070 a2=9268980 a3=9268518 items=2 pid=3115 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=vbetool exe=/usr/sbin/vbetool type=AVC msg=audit(03/04/2006 14:40:31.194:30) : avc: denied { read } for pid=3115 comm=vbetool name=vbestate dev=dm-0 ino=2777558 scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file ---- type=AVC_PATH msg=audit(03/04/2006 14:40:31.222:31) : path=/var/run/vbestate type=SYSCALL msg=audit(03/04/2006 14:40:31.222:31) : arch=i386 syscall=ioctl success=no exit=-25(Inappropriate ioctl for device) a0=0 a1=4b3a a2=0 a3=bfc59044 items=0 pid=3115 auid=unknown(1515870810) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=vbetool exe=/usr/sbin/vbetool type=AVC msg=audit(03/04/2006 14:40:31.222:31) : avc: denied { ioctl } for pid=3115 comm=vbetool name=vbestate dev=dm-0 ino=2777558 scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file ---- type=PATH msg=audit(03/04/2006 14:40:33.010:32) : item=0 name=/dev/tty8 flags=follow inode=681 dev=00:0f mode=char,660 ouid=root ogid=tty rdev=04:08 type=CWD msg=audit(03/04/2006 14:40:33.010:32) : cwd=/usr/share/hal/scripts type=SYSCALL msg=audit(03/04/2006 14:40:33.010:32) : arch=i386 syscall=chown32 success=yes exit=0 a0=bf97d207 a1=0 a2=0 a3=bf97d2c4 items=1 pid=3126 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=openvt exe=/usr/bin/openvt type=AVC msg=audit(03/04/2006 14:40:33.010:32) : avc: denied { setattr } for pid=3126 comm=openvt name=tty8 dev=tmpfs ino=681 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file ---- type=PATH msg=audit(03/04/2006 14:40:51.308:33) : item=1 flags=follow,open inode=1045516 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 type=PATH msg=audit(03/04/2006 14:40:51.308:33) : item=0 name=/usr/sbin/ntpdate flags=follow,open inode=5802324 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/04/2006 14:40:51.308:33) : cwd=/ type=AVC_PATH msg=audit(03/04/2006 14:40:51.308:33) : path=/dev/null type=SYSCALL msg=audit(03/04/2006 14:40:51.308:33) : arch=i386 syscall=execve success=yes exit=0 a0=9aa9458 a1=9aaa320 a2=9aab1b0 a3=9aaa838 items=2 pid=3182 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=ntpdate exe=/usr/sbin/ntpdate type=AVC msg=audit(03/04/2006 14:40:51.308:33) : avc: denied { use } for pid=3182 comm=ntpdate name=null dev=tmpfs ino=1151 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fd ---- <<<<<<REBOOT HERE, in Enforcing mode>>>>>>>> ---- type=PATH msg=audit(03/04/2006 14:46:19.552:13) : item=0 name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03 mode=dir,555 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/04/2006 14:46:19.552:13) : cwd=/usr/share/hal/scripts type=SYSCALL msg=audit(03/04/2006 14:46:19.552:13) : arch=i386 syscall=access success=no exit=-13(Permission denied) a0=9c3a3c8 a1=2 a2=2 a3=9c39538 items=1 pid=2695 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=pm-powersave exe=/bin/bash type=AVC msg=audit(03/04/2006 14:46:19.552:13) : avc: denied { write } for pid=2695 comm=pm-powersave name=vm dev=proc ino=-268435366 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir ---- type=PATH msg=audit(03/04/2006 14:46:22.004:14) : item=0 name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03 mode=dir,555 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/04/2006 14:46:22.004:14) : cwd=/usr/share/hal/scripts type=SYSCALL msg=audit(03/04/2006 14:46:22.004:14) : arch=i386 syscall=access success=no exit=-13(Permission denied) a0=8e403c8 a1=2 a2=2 a3=8e3f538 items=1 pid=2733 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=pm-powersave exe=/bin/bash type=AVC msg=audit(03/04/2006 14:46:22.004:14) : avc: denied { write } for pid=2733 comm=pm-powersave name=vm dev=proc ino=-268435366 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir ---- -- Tom London

1 0

RE: ANN: CDS Framework IDE
by Kevin Carr 03 Mar '06

03 Mar '06

> I was very happy to see these announcements :) > > However, when I try to create a new project with either of these > plugins, I get the following errors: > > com.tresys.slide.plugin.wizards.NewProjectWizard > com.tresys.framework.plugin.wizards.NewProjectWizard > > Never used eclipse before... dunno if this is user error. It looks like these errors are because of an older version of eclipse. Both tools require Eclipse 3.1. On another note, I updated the Tresys Technology website to include some installation instructions for the CDS Framework IDE. Also I posted a newer tarball for the CDS tool that fixes some issues we found yesterday. Please get the newer release and try that one. http://tresys.com/selinux Kevin Carr Tresys Technology 410.290.1411 x137

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux March 2006