List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
16 years, 7 months
Re: Apache/PHP module boot restriction?
by Stephen Smalley
On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
> I've recently set up a Fedora Core 4 web server running Apache 2.2.0
> with PHP 5.1.2. I've managed to get Apache loading the module, after
> setting libphp5.so to shlib_t, however Apache seems to still be unable
> to access the module during boot. I'm getting a Cannot load libphp5
> cannot restore segment prot after reloc. Is this a known problem, and
> if so, how is it fixed?
cc'd fedora-selinux-list as well above, since you mentioned you were
using FC4.
This usually indicates a text relocation, which is undesirable if it can
be avoided. The stock FC4 php doesn't appear to have any text
relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL).
Possibly it has a patch to avoid the problem.
Ideally, it would be best if you could similarly patch or fix the build
for PHP 5.1.2. If you truly need to allow it, then you can label
the .so file with the texrel_shlib_t type (since you are using FC4, I
used the old type name).
Some discussion of the SELinux memory protection tests can be found in:
http://people.redhat.com/drepper/selinux-mem.html
--
Stephen Smalley
National Security Agency
16 years, 11 months
SELinux Module Packaging in FC5
by Paul Howarth
Is there any documentation anywhere on including SELinux Policy Modules
in packages (e.g. for Extras) in FC5? For instance, is there a directory
where modules can be dropped into so that they get picked up
automatically? Where should they live?
Consider an example. I have an LDAP-backed addressbook frontend written
in PHP that runs on apache. So I install the files in /var/www/someplace
in my package and I need to provide an SELinux module that:
* Includes the appropriate file contexts for the application's cache
directory, which needs to be writable by httpd
* Gives httpd permission to contact LDAP servers over the network (i.e.
ports 389 and 636)
Is it possible to turn on the httpd_builtin_scripting boolean from a
module (the app is written in PHP and needs this)? Is it even sensible
to try to do this, or should there just be a README.SELinux telling people they
need to do this themselves?
Should the module be loaded in a %post script?
Some guidelines would no doubt be appreciated by many people.
Paul.
16 years, 11 months
Another mount issue
by Paul Howarth
On my file/web/samba/nfs server I have a software archive, which I serve
out using both samba and httpd. So the whole thing is
public_content_rw_t, and the appropriate boolean set so that samba can
write to it.
On the software archive I have DVD ISO images of FC4 and FC5. I have
fstab entries for these to loopback mount them as follows:
/srv/softlib/fedora/stentz/FC4-i386-DVD.iso /srv/softlib/fedora/stentz/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
/srv/softlib/fedora/bordeaux/FC-5-i386-DVD.iso /srv/softlib/fedora/bordeaux/dvd iso9660 ro,loop,fscontext=system_u:object_r:public_content_t 0 0
Unfortunately the mount won't work at boot time because mount is
confined to the mount_t domain, which can't read public_content_rw_t:
Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc: denied
{ read } for pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5
ino=1032205 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
Apr 21 08:40:21 badby kernel: audit(1145605218.564:332): avc: denied
{ read } for pid=1469 comm="mount" name="FC-5-i386-DVD.iso" dev=dm-5
ino=606259 scontext=system_u:system_r:mount_t:s0
tcontext=root:object_r:public_content_rw_t:s0 tclass=file
A "mount -a" after booting works fine as it then runs unconfined.
Is this something that should be generally allowed or should I just
write local policy to fix this?
Paul.
17 years
procmail
by Paul Howarth
I use procmail as my local delivery agent from sendmail. In FC5 this
appears to be running as procmail_t.
Procmail offers the ability to pipe mail through programs (filters), and
I use this facility from time to time. I'm getting quite a lot of
denials when doing this and wonder what the right approach to fixing
them is.
Case 1: a locally-written shell script called "spamdomain"
This is in my ~/bin directory and of type user_home_t
Procmail recipe:
SPAMDOMAIN=`spamdomain`
Result:
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc:
denied { execute } for pid=16622 comm="procmail" name="spamdomain"
dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc:
denied { execute_no_trans } for pid=16622 comm="procmail"
name="spamdomain" dev=dm-1 ino=1399071
scontext=system_u:system_r:procmail_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
Case 2: piping mail through "sa-learn"
I run spamass-milter to reject mail in-protocol and then my own local
filter using procmail on anything that gets through. If I'm sure
something's spam, I like spamassassin to learn about it so I might
reject it earlier in future. So I pipe it through sa-learn (spamd_exec_t):
Procmail recipe:
:0c
| sa-learn --username=paul(a)city-fan.org --spam >/dev/null 2>&1
Result:
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.743:8008): avc:
denied { getattr } for pid=16718 comm="bash" name="sa-learn" dev=dm-3
ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8009): avc:
denied { execute } for pid=16718 comm="bash" name="sa-learn" dev=dm-3
ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8010): avc:
denied { read } for pid=16718 comm="bash" name="sa-learn" dev=dm-3
ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8011): avc:
denied { execute_no_trans } for pid=16719 comm="bash" name="sa-learn"
dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.799:8012): avc:
denied { ioctl } for pid=16719 comm="sa-learn" name="sa-learn"
dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
The "bash" denials will be due to procmail forking a shell to handle the
redirects.
What *should* I be doing here to fix this? I know I could just add local
policy to fix the denials, but is there a way to do it that's supported
by existing policy?
Paul.
17 years
selinux breaks nfs
by dragoran
hello
I tried to share a partition using nfs (using system-config-nfs), but
selinux prevents it from being mounted:
audit(1145781795.498:64): avc: denied { dac_override } for pid=26228
comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:65): avc: denied { dac_read_search } for
pid=26228 comm="rpc.mountd" capability=2
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:66): avc: denied { dac_override } for pid=26228
comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:67): avc: denied { dac_read_search } for
pid=26228 comm="rpc.mountd" capability=2
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:68): avc: denied { dac_override } for pid=26228
comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:69): avc: denied { dac_read_search } for
pid=26228 comm="rpc.mountd" capability=2
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:70): avc: denied { dac_override } for pid=26228
comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:71): avc: denied { dac_read_search } for
pid=26228 comm="rpc.mountd" capability=2
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
All booleans for nfs are set to true; if I do setenforce 0 it works.
I am using selinux-policy-targeted-2.2.34-3.fc5 (from updates testing)
on FC x86_64.
17 years
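The mount, procmail and nfs posts above all end in the same question: what local policy would the denials translate into, and is that the right fix? As an added example (not code from any poster), the block below performs the aggregation step that audit2allow does, over the denials quoted in those posts, and turns the scontext/tcontext/tclass fields into TE allow rules; the comment on to_te explains why the procmail/spamd_exec_t line in particular needs a human look before it is loaded.

```python
import re
from collections import defaultdict

# Constructed excerpt: denials copied from the mount, procmail and nfs posts
# in this digest, left line-wrapped exactly as the kernel logged them.
SAMPLE_LOG = """\
Apr 21 08:40:21 badby kernel: audit(1145605218.512:331): avc: denied
{ read } for pid=1469 comm="mount" name="FC4-i386-DVD.iso" dev=dm-5
ino=1032205 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc:
denied { execute } for pid=16622 comm="procmail" name="spamdomain"
dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.743:8008): avc:
denied { getattr } for pid=16718 comm="bash" name="sa-learn" dev=dm-3
ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
audit(1145781795.498:64): avc: denied { dac_override } for pid=26228
comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:65): avc: denied { dac_read_search } for
pid=26228 comm="rpc.mountd" capability=2
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
"""

# re.S lets the lazy match cross the line wraps inside one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)",
    re.S)

def parse_avc(log):
    """Group denials by (source type, target type, class), the aggregation
    audit2allow performs. A context is user:role:type[:level]; the type is
    the third field, so the MLS level and the user/role are dropped."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(log):
        src = m.group("scon").split(":")[2]
        tgt = m.group("tcon").split(":")[2]
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return rules

def to_te(rules):
    """Render the groups as TE allow rules for a local module. An execute
    denial against another domain's entrypoint type (spamd_exec_t here)
    usually means a domain transition is missing; the blanket allow emitted
    for it runs the helper in the caller's domain, so review before loading."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        lines.append("allow %s %s:%s { %s };" % (src, target, cls, " ".join(sorted(perms))))
    return lines
```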
FC5: Problem with acroread and CISCO VPN
by Klaus Steinberger
Hello,
in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well as
acroread:
[klaus.steinberger@noname ~]$ acroread
/usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading shared
libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore
segment prot after reloc: Permission denied
[klaus.steinberger@noname ~]$
type=AVC msg=audit(1146115808.601:23): avc: denied { execmod } for pid=3366
comm="acroread" name="libJP2K.so" dev=hda2 ino=2680495
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
type=SYSCALL msg=audit(1146115808.601:23): arch=40000003 syscall=125
success=no exit=-13 a0=2d4000 a1=aa000 a2=5 a3=bfb2dfd0 items=0 pid=3366
auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100
sgid=100 fsgid=100 comm="acroread"
exe="/usr/lib/acroread/Reader/intellinux/bin/acroread"
type=AVC_PATH msg=audit(1146115808.601:23):
path="/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so"
[klaus.steinberger@noname ~]$ vpnclient connect lrz
vpnclient: error while loading shared
libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot
after reloc: Permission denied
[klaus.steinberger@noname ~]$
type=AVC msg=audit(1146115819.449:24): avc: denied { execmod } for pid=3437
comm="vpnclient" name="libvpnapi.so" dev=hda2 ino=2676482
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
type=SYSCALL msg=audit(1146115819.449:24): arch=40000003 syscall=125
success=no exit=-13 a0=5ce000 a1=43000 a2=5 a3=bfa87450 items=0 pid=3437
auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100
sgid=100 fsgid=100 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
type=AVC_PATH msg=audit(1146115819.449:24):
path="/opt/cisco-vpnclient/lib/libvpnapi.so"
My system is up2date:
[klaus.steinberger@noname ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.2.34-3.fc5
[klaus.steinberger@noname ~]$ rpm -q acroread
acroread-7.0.5-2.2
[klaus.steinberger@noname ~]$
I'm currently not too familiar with selinux, so the only workaround I know is
to "setenforce 0".
Sincerely,
Klaus
--
Klaus Steinberger Maier-Leibnitz Labor
Phone: (+49 89)289 14287 Am Coulombwall 6, D-85748 Garching, Germany
FAX: (+49 89)289 14280 EMail: Klaus.Steinberger(a)Physik.Uni-Muenchen.DE
URL: http://www.physik.uni-muenchen.de/~k2/
In a world without Walls and Fences, who needs Windows and Gates
17 years, 1 month
Re: fedora-selinux-list Digest, Vol 26, Issue 32
by John Griffiths
fedora-selinux-list-request(a)redhat.com wrote:
>
> Subject:
> Error running ffmpeg due to permission denied on library
> From:
> "Robert Foster" <rfoster(a)mountainvisions.com.au>
> Date:
> Thu, 27 Apr 2006 12:41:09 +1000
> To:
> <fedora-selinux-list(a)redhat.com>
>
> Hi,
> I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the
> following error (from the debug message via Gallery):
>
> Executing: ( "/usr/bin/ffmpeg" "-h" )
> 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC
> file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fclose(Resource id #108)
> unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> Regular Output:
> Error Output:
> /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51:
> cannot enable executable stack as shared object requires: Permission
> denied
> Status: 127 (expected 0)
> A quick look in /usr/lib reveals:
>
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/lib/libavcodec-CVS.so
> lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libavcodec.so -> libavcodec-CVS.so
> lrwxrwxrwx root root system_u:object_r:lib_t /usr/lib/libavcodec.so.51 -> libavcodec-CVS.so
>
>
> /var/log/audit/audit.log shows:
>
> type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003
> syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.141:45164): avc: denied { execstack }
> for pid=25007 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003
> syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.213:45165): avc: denied { execstack }
> for pid=25009 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003
> syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.221:45166): avc: denied { execstack }
> for pid=25011 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003
> syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> when I run the page producing the error output.
>
> I tried to set the allow_execstack boolean but it didn't make any
> difference.
>
> I'm out of ideas on this one - any help appreciated :)
>
> Robert Foster
> General Manager
> Mountain Visions P/L http://mountainvisions.com.au
> Mobile: 0418 131 065
>
I had the same problem when using Kino which also uses ffmpeg. Here is
what I did and it works.
execstack -c /usr/lib/libmp3lame.so.0
execstack -c /usr/lib/libxvidcore.so.4
chcon -t textrel_shlib_t /usr/lib/libavformat.so.50
chcon -t textrel_shlib_t /usr/lib/libavutil.so.49
chcon -t textrel_shlib_t /usr/lib/libavcodec.so.51
This also takes care of the problem with lame-3.96.1-10.rhfc5.at,
libxvidcore4-1.1.0-8.rhfc5.at,
libavformat50-0.4.9-14_cvs20060301.rhfc5.at,
libavutil49-0.4.9-14_cvs20060301.rhfc5.at, and
libavcodec51-0.4.9-14_cvs20060301.rhfc5.at.
Regards,
John
17 years, 1 month
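Stephen Smalley's reply (readelf -d ... | grep TEXTREL), the acroread/vpnclient execmod denials and the ffmpeg execstack denials above all come down to two flags recorded in the shared object itself: a DT_TEXTREL dynamic tag and an executable PT_GNU_STACK program header. As an added example (not code from any poster), the block below reads exactly those flags from a little-endian ELF64 image, maps them to the remedies the threads discuss, and builds a constructed minimal image to exercise the check offline; build_elf, inspect_elf and advise are names chosen here.

```python
import struct

# ELF constants needed for the two checks (from the ELF specification).
PT_DYNAMIC, PT_GNU_STACK = 2, 0x6474E551
PF_X = 1
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 4

def inspect_elf(data):
    """Report the two properties SELinux refuses by default for a library:
    text relocations (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS), behind the
    'cannot restore segment prot after reloc' / execmod denial, and an
    executable PT_GNU_STACK, behind the 'cannot enable executable stack'
    / execstack denial. Little-endian ELF64 only."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    (phoff,) = struct.unpack_from("<Q", data, 32)          # e_phoff
    phentsize, phnum = struct.unpack_from("<HH", data, 54)  # e_phentsize, e_phnum
    found = {"textrel": False, "execstack": False}
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            found["execstack"] = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            for off in range(p_off, p_off + p_filesz, 16):  # Elf64_Dyn is 16 bytes
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    found["textrel"] = True
    return found

def advise(data):
    """Turn the findings into the remedies the threads discuss."""
    found, advice = inspect_elf(data), []
    if found["textrel"]:
        advice.append("text relocations: rebuild as PIC; label textrel_shlib_t only if unavoidable")
    if found["execstack"]:
        advice.append("executable stack: clear it with execstack -c rather than allow_execstack")
    return advice

def build_elf(textrel, execstack):
    """Constructed test input (not a real library): a minimal ELF64 image with
    one PT_GNU_STACK and one PT_DYNAMIC segment carrying the requested flags."""
    phoff, phnum = 64, 2
    dyn = (struct.pack("<qQ", DT_TEXTREL, 0) if textrel else b"") + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = phoff + 56 * phnum  # dynamic array sits right after the program headers
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 | (PF_X if execstack else 0), 0, 0, 0, 0, 0, 16)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + stack + dynamic + dyn
```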
mock and SELinux
by Paul Howarth
I've written up my workaround for getting mock to work under SELinux at:
http://fedoraproject.org/wiki/Extras/MockTricks (the bottom half of the
page). It'd be nice if some people more knowledgeable than myself would
give it a once-over to make sure I'm not talking complete nonsense... :-)
Cheers, Paul.
17 years, 1 month
Problem with SELinux and Postfix (sending from Python scripts)
by Jeff Coffler
Hi folks,
I found this link that had a similar (but not identical) problem:
http://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033...
O/S: Fedora Core 5
Mail server: Postfix
SELinux: Enabled.
Basically, the problem is this. When I try to send E-Mail from a Python
script, Postfix fails. In the maillog file, I see:
Apr 24 13:53:57 miffy postfix/pickup[29094]: warning: maildrop/2104D276B2A:
Permission denied
In messages, I see:
Apr 24 13:57:58 miffy kernel: audit(1145912278.348:688): avc: denied {
getattr } for pid=29094 comm="pickup" name="2104D276B2A" dev=sda3
ino=2583338 scontext=root:system_r:postfix_pickup_t:s0
tcontext=root:object_r:postfix_spool_t:s0 tclass=file
If I set SELinux to permissive mode, it works fine.
Is this an SELinux policy problem? How can I go about fixing this? I'd
prefer to run with SELinux enabled ...
Thanks!
-- Jeff
17 years, 1 month