problems with tmpfs and relabeling
by Bill Nottingham
I'm currently working with the stateless code, which mounts the root
filesystem read-only, moving various things that need to be read-write
to tmpfs bind-mounted in the appropriate location.
This initially runs afoul of policy, and I need to write my own
policy that allows you to mount on top of /etc/resolv.conf (standard
targeted policy doesn't like that for some reason. :) )
However, relabeling the files then fails - for each type that I'm
putting on tmpfs, I need to add:
allow <type> tmpfs_t:filesystem associate;
before relabelling works.
This seems strange - is this something that should be fixed in
the stock policy, or should I just carry this in my own module?
Bill
16 years, 11 months
bluetooth on FC5
by Charles-Edouard Ruault
Hi All,
I've compiled and installed kdebluetooth on my Fedora ppc distro. I'm
trying to get the stuff working and I'm getting the following problems
related to SELinux:
When I want to browse a device which is not yet paired with the laptop
I'm getting errors, because hcid is denied a few filesystem operations:
audit(1146044994.917:786): avc: denied { create } for pid=1836
comm="hcid" name="bluetooth" scontext=system_u:system_r:bluetooth_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
I've then straced hcid and found out that it's trying to create a
directory /var/lib/bluetooth and that this operation is being denied
(thus the above log).
I've manually created the directory:
mkdir -p /var/lib/bluetooth/
and then
chcon system_u:object_r:bluetooth_var_lib_t bluetooth
and now everything's fine.
So I guess two things could be done in order to fix this:
1) allow hcid to create a dir in /var/lib (i.e. add this to the policy:
allow bluetooth_t var_lib_t:dir create; )
2) during installation of the bluetooth packages, create the
/var/lib/bluetooth directory and tag it properly.
--
Charles-Edouard Ruault
GPG key Id E4D2B80C
securing home directories and using public_html
by Steve Strong
Sorry if this has already been asked and answered, but I'm a newbie!
Maybe there's an archive I can search...
I run a lab of fedora 5 clients and a RHEL 4.0 server (that means that
the version of SELinux running on the server is the same as the version
running on fedora core 3, right?) in a high school CS department. I'm
teaching a unit on web programming using php and mysql. I've given
students a world-readable public_html directory and a database, user and
password. All works well until I notice students copying code from each
other's public_html directories.
Is there a way to allow httpd to access these directories and not allow
users to get to them from their console?
thanks in advance!
steve
--
Steve Strong
Math and Computer Science
Washington High School
2205 Forest Dr. SE
Cedar Rapids, IA 52403
http://crwash.org
mailto:strong.s@crwash.org
texrel_shlib_t
by Paul Howarth
texrel_shlib_t is I believe an alias for textrel_shlib_t. Is it just
there for historical reasons to support a typo someone made whilst
developing policy?
There are still some instances of texrel_shlib_t in the policy:
# semanage fcontext -l | grep texrel
/usr(/.*)?/intellinux/plug_ins/.*\.api    regular file    system_u:object_r:texrel_shlib_t:s0
/usr(/.*)?/intellinux/nppdf\.so           regular file    system_u:object_r:texrel_shlib_t:s0
/usr/lib(64)?/libsipphoneapi\.so.*        regular file    system_u:object_r:texrel_shlib_t:s0
/usr(/.*)?/intellinux/lib/\.so            regular file    system_u:object_r:texrel_shlib_t:s0
Should these really be textrel_shlib_t or am I missing something subtle?
Paul.
Trouble with dump / restore
by Tony Nelson
This is probably only marginally related to SELinux. I'm trying to learn
how to use dump and restore (via DVD+/-R), and I've gotten it working to
the point where the files seem to be OK but the SELinux Extended Attributes
are not. I used the commands (as root, with / being LogVol02):
# mount -r /dev/VolGroup00/LogVol00 /mnt/lv00
# dump -0 -L xxx -B 4590208 -f /tmp/dumpdvd /dev/VolGroup00/LogVol00
[cdrecord used once per tape, from another terminal]
# cdrecord -v -sao dev=dvd -data /tmp/dumpdvd
# restore -C -f /dev/dvd
OK, some of that is superstition, but it works except for about one of
these messages for each file, and no other errors (according to grep -v):
./path/to/file: EA foo_x:object_r:bar_y value changed
What am I doing wrong?
____________________________________________________________________
TonyN.:' <mailto:tonynelson@georgeanelson.com>
' <http://www.georgeanelson.com/>
[FW: Re: dump/restore and SElinux security context problem]
by Kayvan A. Sylvan
Anyone on the fedora-selinux-list have any clues for how to proceed with
this problem?
In a nutshell: I cannot get dump to restore the xattr file attributes
when booted into the FC5 rescue DVD.
Thanks for any answers or ideas!
----- Forwarded message from "Kayvan A. Sylvan" <kayvan(a)sylvan.com> -----
Date: Sun, 23 Apr 2006 18:44:37 -0700
From: "Kayvan A. Sylvan" <kayvan(a)sylvan.com>
To: For users of Fedora Core releases <fedora-list(a)redhat.com>
Subject: Re: dump/restore and SElinux security context problem
On Sun, Apr 23, 2006 at 02:39:43PM -0400, Tony Nelson wrote:
> At 8:06 PM -0700 4/22/06, Kayvan A. Sylvan wrote:
> >I used "dump" to create a snapshot of a filesystem, then, using
> >the FC5 DVD to boot into rescue mode, used "restore" to recreate it.
> >
> >The problem: during the restore, for every file, I get messages like this:
> >
> > restore: lsetxattr ./System.map-2.6.15-1.1833_FC4 failed: Invalid argument
>
> When booting the rescue CD, use the kernel command line:
>
> linux rescue enforcing=0
>
> along with any other options you need (when I remember, I use "hda=noprobe
> hdb=noprobe").
This seemed to produce no different effect.
The portion of the dmesg output (when booting the rescue CD) follows:
security: 3 users, 6 roles, 1161 types, 135 bools, 1 sens, 256 cats
security: 55 classes, 38679 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev loop0, type squashfs), not configured for labeling
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
SELinux: initialized (dev ramfs, type ramfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev cpuset, type cpuset), not configured for labeling
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1145840702.919:2): avc: denied { transition } for pid=651 comm="loader" name="bash" dev=loop0 ino=1500 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:anaconda_t:s0 tclass=process
[...]
SELinux: initialized (dev sda1, type ext2), uses xattr
kjournald starting. Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev sda1, type ext3), uses xattr
After the restore, the "ls -lZ" output, while still booted in the rescue
mode, shows this (it's identical for all files):
-rw-r--r-- root root system_u:object_r:file_t:s0 vmlinuz-2.6.16-1.2069_FC4smp
Once booted back up in the FC4 system, the same file shows up as:
-rw-r--r-- root root system_u:object_r:unlabeled_t vmlinuz-2.6.16-1.2069_FC4smp
I am wondering if I have to have the same SELinux policy loaded while
in the rescue mode in order to avoid the "lsetxattr: invalid argument"
error? How would I go about doing that?
---Kayvan
----- End forwarded message -----
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
dump/restore and SElinux security context problem
by Kayvan A. Sylvan
[This was originally posted on fedora-list, and despite some helpful
answers, the problem still remains. --Kayvan]
Hi everyone.
I was trying to upgrade from FC4 to FC5, but my root partition was too small
to accommodate the DVD image. So, I had to resize some partitions. GNU parted
was useless in that task (see Redhat Bugzilla Bug 90894).
Finally, I used "dump" to create a snapshot of a filesystem, then, using
the FC5 DVD to boot into rescue mode, used "restore" to recreate it.
The problem: during the restore, for every file, I get messages like this:
restore: lsetxattr ./System.map-2.6.15-1.1833_FC4 failed: Invalid argument
This feels like it's related to SELinux. In fact, looking at
the restored files with "ls -Z", I see that they are all unlabeled.
If I don't use the rescue CD, and instead, on a running system where SELinux
is enabled, do the following:
1) setenforce 0
2) restore from the dump.
3) setenforce 1
Then, the restored files are in their correct security context.
How do I get this same result (files completely restored, along with
their extended attributes) while using the rescue CD?
My end goal is to be able to do a dump, boot into a rescue mode,
resize partitions, format new filesystems and restore the dump, and have
all files retain all their attributes (including their SELinux context
information).
Thanks for any answers.
---Kayvan
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
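The two dump/restore threads above (Tony's `restore -C` output of `EA ... value changed` and Kayvan's files coming back as `file_t` / `unlabeled_t`) both come down to the same check: does each restored inode carry the same `security.selinux` value as the original? The script below is an added example written for this page, not code from either poster or from the dump/restore package. It reads that xattr from two trees (for instance the read-only mount of the source volume and the freshly restored filesystem) and reports the differences the way `restore -C` phrases them; the `EXPECTED_SNAPSHOT` / `RESTORED_SNAPSHOT` dictionaries are constructed test data, and the `boot_t` labels in them are an assumption about how the kernel files were labeled.

```python
"""Compare SELinux labels between an original tree and a restored copy.

Added example for the dump/restore threads on this page; not code from the
posts or from dump/restore. Sample snapshots below are constructed.
"""
import errno
import os
import sys
from typing import Dict, List, Optional

SELINUX_XATTR = "security.selinux"

# Types that mean "no usable label": on an xattr-labelled filesystem an inode
# with no security.selinux attribute is reported as file_t, and a stored context
# that the loaded policy cannot interpret is reported as unlabeled_t.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

Labels = Dict[str, Optional[str]]


def read_label(path: str) -> Optional[str]:
    """Return the security.selinux value of path, or None if it has none."""
    try:
        raw = os.getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP, errno.EOPNOTSUPP):
            return None
        raise
    # The kernel stores the context NUL-terminated; strip it for comparison.
    return raw.decode("ascii", "replace").rstrip("\x00")


def collect_labels(root: str) -> Labels:
    """Map every path under root (relative to root) to its label."""
    labels: Labels = {".": read_label(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            labels[os.path.relpath(full, root)] = read_label(full)
    return labels


def label_type(label: str) -> Optional[str]:
    """user:role:type[:range] -> type, or None if the string is not a context."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else None


def is_unlabeled(label: Optional[str]) -> bool:
    return label is None or label_type(label) in UNLABELED_TYPES


def compare_labels(expected: Labels, actual: Labels) -> List[str]:
    """One report line per path whose restored label differs (restore -C style)."""
    reports: List[str] = []
    for rel in sorted(expected):
        want = expected[rel]
        if rel not in actual:
            reports.append(f"./{rel}: missing from restored tree")
            continue
        got = actual[rel]
        if got is None and want is not None:
            reports.append(f"./{rel}: EA {want} not set")
        elif got != want:
            reports.append(f"./{rel}: EA {want} value changed")
    return reports


def unlabeled_paths(labels: Labels) -> List[str]:
    """Paths that would need restorecon/fixfiles because they carry no real label."""
    return sorted(rel for rel, label in labels.items() if is_unlabeled(label))


# Constructed snapshots: what the source /boot looked like versus what a
# restore that could not set xattrs leaves behind (labels are an assumption).
EXPECTED_SNAPSHOT: Labels = {
    ".": "system_u:object_r:boot_t:s0",
    "vmlinuz-2.6.16-1.2069_FC4smp": "system_u:object_r:boot_t:s0",
    "System.map-2.6.15-1.1833_FC4": "system_u:object_r:boot_t:s0",
}
RESTORED_SNAPSHOT: Labels = {
    ".": "system_u:object_r:boot_t:s0",
    "vmlinuz-2.6.16-1.2069_FC4smp": "system_u:object_r:file_t:s0",
    "System.map-2.6.15-1.1833_FC4": None,
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        expected, actual = collect_labels(sys.argv[1]), collect_labels(sys.argv[2])
    else:
        expected, actual = EXPECTED_SNAPSHOT, RESTORED_SNAPSHOT
    for line in compare_labels(expected, actual):
        print(line)
    print("unlabeled:", unlabeled_paths(actual))
```

Run it as `python3 cmplabels.py /mnt/lv00 /mnt/restored` after the restore and before rebooting into the real system; any path listed under `unlabeled:` is one that a relabel (`restorecon -R`, `fixfiles`, or `/.autorelabel`) will have to fix, and a non-empty `compare_labels` output with an empty `unlabeled:` list means the labels were written but differ from the source, which is worth investigating rather than relabeling over.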
samba and apache shared directories on FC5
by Robert Foster
Hi,
I have a directory structure that contains multiple web sites that I also
want shared out using samba to restricted users. I've just upgraded to FC5
and worked most of the kinks out (including trying to get Samba's net
getlocalsid to talk to ldap properly, but that's another story).
current configuration:
# ls -alZ /MV
gives:
drwsrws--- apache apache system_u:object_r:httpd_sys_content_t webs
however the samba shared directory is readonly for users browsing.
If I set the type to samba_share_t, apache can no longer read the
directory.
This also has other implications. I have a directory in another share
(Archives/Repository) that is soft linked to a directory under a web site so
that users can copy files into it from a windows client and have them
available for download.
I found a post by Stephen Smalley back in June last year that talks a little
about this issue:
http://www.redhat.com/archives/fedora-selinux-list/2005-June/msg00264.html
that suggested a possible fix by defining a new type allowing both httpd and
samba to access the files - with samba having permission to write.
Any ideas on whether this is likely to be added to a policy for FC5 in the
near future, and how can I fix this in the interim? I'd rather not disable
selinux if I can avoid it :)
Thanks in advance,
Robert Foster
General Manager
Mountain Visions P/L http://mountainvisions.com.au
<http://mountainvisions.com.au/>
Mobile: 0418 131 065
SELINUX=disabled in latest rawhide?
by Tom London
Running latest rawhide, targeted/enforcing (selinux-policy-targeted-2.2.34-3):
After installing the latest rawhide packages today, on reboot, I noticed:
Apr 23 10:44:36 localhost kernel: SELinux: Disabled at runtime.
Apr 23 10:44:36 localhost kernel: SELinux: Unregistering netfilter hooks
Checking /etc/selinux/config, SELINUX was set to disabled.
I reset SELINUX to enforcing, rebooted in permissive to single, but
the reboot automagically detected a relabel was needed. It succeeded
and enforcing reboot works just fine.
tom
--
Tom London
SELinux avcs in permissive mode
by Felipe Alfaro Solana
Hi, folks.
I'm running Fedora Core Devel (RawHide) with SELinux enabled in
permissive mode in a Xen domain 0. After booting into runlevel 3 I see
these avcs:
audit(1145694295.644:3): avc: denied { read write } for pid=1490
comm="xenstored" name="console" dev=tmpfs ino=812
scontext=system_u:system_r:xenstored_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
audit(1145694295.788:4): avc: denied { read write } for pid=1493
comm="xenconsoled" name="console" dev=tmpfs ino=812
scontext=system_u:system_r:xenconsoled_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
audit(1145694299.076:5): SELinux: unrecognized netlink message
type=28265 for sclass=43
audit(1145694302.696:8): avc: denied { read write } for pid=1621
comm="mingetty" name="utmp" dev=dm-0 ino=1310727
scontext=system_u:system_r:getty_t:s0
tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
audit(1145694302.696:9): avc: denied { lock } for pid=1621
comm="mingetty" name="utmp" dev=dm-0 ino=1310727
scontext=system_u:system_r:getty_t:s0
tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
Any comments on this?
Thanks!
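Several posts on this page (the bluetooth `hcid` denial, the Xen `xenstored`/`xenconsoled` and `mingetty` denials above, and the `kernel_t` to `anaconda_t` transition denial in the rescue-mode dmesg) quote raw `avc: denied` records and then hand-derive an `allow` rule from them. The script below is an added example, not code from any of the posters and not audit2allow itself (whose output it only approximates): it re-joins records that a mail client has wrapped across lines, extracts the source type, target type, object class and permission set, and merges denials that share the same (source, target, class) into one rule. The `SAMPLE_LOG` is a constructed excerpt assembled from the AVC lines quoted in the posts.

```python
"""Turn SELinux AVC denial records into candidate allow rules.

Added example for this page, not code from the posts and not audit2allow.
SAMPLE_LOG is a constructed excerpt built from the AVC messages quoted above.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Mail clients wrap long audit records; treat any line that does not start a
# new 'audit(...)' record as a continuation of the previous one.
def join_wrapped(lines: Iterable[str]) -> List[str]:
    records: List[str] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit(") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(context: str) -> str:
    """user:role:type[:range] -> type (the third colon-separated field)."""
    return context.split(":")[2]


def parse_avc(record: str) -> Optional[Tuple[str, str, str, Set[str]]]:
    """(source type, target type, class, permissions), or None if the record
    is not an AVC denial (e.g. 'SELinux: unrecognized netlink message')."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        set(m.group("perms").split()),
    )


def allow_rules(lines: Iterable[str]) -> List[str]:
    """Merge denials with the same (source, target, class) into one allow rule."""
    grouped: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for record in join_wrapped(lines):
        parsed = parse_avc(record)
        if parsed is None:
            continue
        source, target, tclass, perms = parsed
        grouped[(source, target, tclass)] |= perms
    rules: List[str] = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


# Constructed log excerpt: the AVC lines quoted in the bluetooth and Xen posts,
# including the wrapped continuation lines and one non-AVC audit record.
SAMPLE_LOG = """\
audit(1146044994.917:786): avc: denied { create } for pid=1836
comm="hcid" name="bluetooth" scontext=system_u:system_r:bluetooth_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
audit(1145694295.644:3): avc: denied { read write } for pid=1490
comm="xenstored" name="console" dev=tmpfs ino=812
scontext=system_u:system_r:xenstored_t:s0
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
audit(1145694299.076:5): SELinux: unrecognized netlink message
type=28265 for sclass=43
audit(1145694302.696:8): avc: denied { read write } for pid=1621
comm="mingetty" name="utmp" dev=dm-0 ino=1310727
scontext=system_u:system_r:getty_t:s0
tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
audit(1145694302.696:9): avc: denied { lock } for pid=1621
comm="mingetty" name="utmp" dev=dm-0 ino=1310727
scontext=system_u:system_r:getty_t:s0
tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
"""

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG.splitlines()):
        print(rule)
```

Treat the output as review input rather than a fix to paste into a module. The bluetooth post shows why: `allow bluetooth_t var_lib_t:dir create;` grants hcid write access into generic `var_lib_t`, whereas the poster's second option (shipping `/var/lib/bluetooth` pre-created and labelled `bluetooth_var_lib_t`) needs no new rule at all. Likewise the transition denial from the rescue-mode dmesg would come out as `allow kernel_t anaconda_t:process transition;`, a domain-transition rule that deserves a second look before it goes anywhere near a policy. In permissive mode, as in Felipe's Xen dom0, these rules describe what would have been blocked under enforcing, which is exactly the information needed to decide whether the policy or the program is at fault.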