selinux March 2006

selinux@lists.fedoraproject.org

40 participants
54 discussions

by Tom London

Running today's rawhide, targeted/enforcing. Noticed the following. ---- type=PATH msg=audit(03/03/2006 07:07:50.170:13) : item=0 name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03 mode=dir,555 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/03/2006 07:07:50.170:13) : cwd=/usr/share/hal/scripts type=SYSCALL msg=audit(03/03/2006 07:07:50.170:13) : arch=i386 syscall=access success=no exit=-13(Permission denied) a0=8566400 a1=2 a2=2 a3=8565878 items=1 pid=2489 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=pm-powersave exe=/bin/bash type=AVC msg=audit(03/03/2006 07:07:50.170:13) : avc: denied { write } for pid=2489 comm=pm-powersave name=vm dev=proc ino=-268435366 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir ---- type=PATH msg=audit(03/03/2006 07:07:51.358:14) : item=0 name=/proc/sys/vm/ flags=follow,access inode=4026531930 dev=00:03 mode=dir,555 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(03/03/2006 07:07:51.358:14) : cwd=/usr/share/hal/scripts type=SYSCALL msg=audit(03/03/2006 07:07:51.358:14) : arch=i386 syscall=access success=no exit=-13(Permission denied) a0=9d16400 a1=2 a2=2 a3=9d15878 items=1 pid=2520 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=pm-powersave exe=/bin/bash type=AVC msg=audit(03/03/2006 07:07:51.358:14) : avc: denied { write } for pid=2520 comm=pm-powersave name=vm dev=proc ino=-268435366 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir ---- tom -- Tom London

18 years, 1 month

1
0
0 / 0

AVC when configuring printer.....

by Tom London

Running latest Rawhide, targeted/enforcing. System->Administration->Printing, and hitting 'Apply' on the currently configured printer produces the following: ---- type=PATH msg=audit(02/27/2006 08:04:15.126:101) : item=2 flags=follow,open inode=1045697 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 type=PATH msg=audit(02/27/2006 08:04:15.126:101) : item=1 flags=follow,open inode=5786615 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 type=PATH msg=audit(02/27/2006 08:04:15.126:101) : item=0 name=/usr/sbin/printconf-backend flags=follow,open inode=5790576 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 type=CWD msg=audit(02/27/2006 08:04:15.126:101) : cwd=/ type=AVC_PATH msg=audit(02/27/2006 08:04:15.126:101) : path=pipe:[21844] type=AVC_PATH msg=audit(02/27/2006 08:04:15.126:101) : path=/root/.rh-fontconfig/.fonts.cache-2 type=SYSCALL msg=audit(02/27/2006 08:04:15.126:101) : arch=i386 syscall=execve success=yes exit=0 a0=899cdc8 a1=899ce18 a2=899cf20 a3=8999d70 items=3 pid=5773 auid=tbl uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root comm=printconf-backe exe=/usr/bin/python type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { read } for pid=5773 comm=printconf-backe name=.fonts.cache-2 dev=dm-0 ino=555510 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { write } for pid=5773 comm=printconf-backe name=[21844] dev=pipefs ino=21844 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file ---- tom -- Tom London

18 years, 1 month

2
4
0 / 0

Re: FC4 + samba + selinux

by Ivan Gyurdiev

> >> I think we should allow smbd to search all directories if this is the >> case. Alternatively we can have system-config-samba generate policy for >> this on the fly, and alert the user, but that will be a pain, and seems >> unnecessary. >> >> > Maybe have system-config-samba make sure the directory is properly > labeled with mnt_t or samba_share_t? I think Eric's point was that smbd needs directory search access on the entire path to the directory. I haven't verified that this is correct, but from past experience I suspect it's true. Labeling everything on the path as samba_share_t or mnt_t is usually not possible.

18 years, 1 month

1
0
0 / 0

FC4 + samba + selinux

by Louis Garcia

I am setting up an FC4 samba server and can't get my shares accessed. With selinux off samba works normally. I have created a dir: drwxrwsrwx root root system_u:object_r:samba_share_t /data/public The is the error I get: type=AVC msg=audit(1140923608.645:86): avc: denied { search } for pid=3338 comm="smbd" name="/" dev=hda5 ino=2 scontext=root:system_r:smbd_t tcontext=system_u:object_r:default_t tclass=dir type=SYSCALL msg=audit(1140923608.645:86): arch=40000003 syscall=195 success=no exit=-13 a0=88b85f8 a1=bff9aec4 a2=7fbff4 a3=bff9aec4 items=1 pid=3338 auid=500 uid=502 gid=0 euid=502 suid=0 fsuid=502 egid=100 sgid=100 fsgid=100 comm="smbd" exe="/usr/sbin/smbd" type=CWD msg=audit(1140923608.645:86): cwd="/" type=PATH msg=audit(1140923608.645:86): item=0 name="/data/public" flags=1 inode=2 dev=03:05 mode=040755 ouid=0 ogid=0 rdev=00:00 why does smbd_t want access to default_t when the dir is labeled samba_share_t? Does smbd_t have access to samba_share_t by default? Any advise, --Louis

18 years, 1 month

3
3
0 / 0

← Newer
1
2
3
4
5
6
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux March 2006