SELinux and RPM Packaging
by Aurelien Bompard
Hi *,
I've put up a page on the Fedora wiki to help packagers deal with SELinux
support from FC5 onwards: http://fedoraproject.org/wiki/Packaging/SELinux
It gathers solutions I've read on this list and in the FAQs.
Please have a look at it, check it for mistakes, and add new use cases when
you find some.
And since I'm not a native English speaker, there probably are mistakes all
over the page, so feel free to edit to your heart's content (even when it
is grammatically correct but "sounds weird").
I hope this page can become a reference for RPM packagers in the future.
Thanks,
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard(a)jabber.fr
"Never test for an error condition you don't know how to
handle." -- Steinbach's Guideline for Systems Programming
16 years, 11 months
Oracle-XE on FC5
by Jean-Christophe Choisy
Hello,
I've been trying to install and use Oracle-XE (express edition) on
Fedora Core 5. I failed at it. The rpm installs fine of course, but
the initial configuration fails. The script invoked fails to create
some directories, the database is never created and so on...
I tried to fix it myself and found some 'execmod' AVCs in audit.log,
then chcon'd the respective .so files. Still, after fixing all of the
reported ones, it still doesn't work and leaves me rather clueless as
to why. Switching to permissive mode indeed solves it all.
I would really like to keep selinux in enforcing mode, and I guess
I'm missing something rather simple here... Has anyone got oracle-xe
running in fc5 with selinux enforcing? (targeted policy).
Thanks.
postmap command avc: denied messages
by J. K. Cliburn
First, should I file a bugzilla for this?
Second, is there a workaround? Oddly, it didn't seem to impede the
completion of the postmap command.
Apr 10 12:17:10 osprey kernel: audit(1144689430.970:8): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
Apr 10 12:17:10 osprey kernel: audit(1144689430.970:9): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
Apr 10 12:17:10 osprey kernel: audit(1144689430.970:10): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
Apr 10 12:17:10 osprey kernel: audit(1144689430.970:11): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
Apr 10 12:17:10 osprey kernel: audit(1144689430.982:12): avc: denied { read } for pid=4617 comm="postmap" name="stat" dev=proc ino=4026531853 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_t:s0 tclass=file
Apr 10 12:17:10 osprey kernel: audit(1144689430.982:13): avc: denied { read } for pid=4617 comm="postmap" name="cpuinfo" dev=proc ino=4026531851 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_t:s0 tclass=file
Thanks,
Jay
prelink and java_exec_t
by Tom London
Get this from latest rawhide policy:
type=AVC msg=audit(1144938632.660:3574): avc: denied { read } for
pid=4722 comm="prelink" name="gij" dev=dm-0 ino=5795535
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:java_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1144938632.660:3574): arch=40000003 syscall=5
success=no exit=-13 a0=8e9f9a0 a1=8000 a2=0 a3=0 items=1 pid=4722
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink"
subj=system_u:system_r:prelink_t:s0
type=CWD msg=audit(1144938632.660:3574): cwd="/"
type=PATH msg=audit(1144938632.660:3574): item=0 name="/usr/bin/gij"
inode=5795535 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:java_exec_t:s0
type=AVC msg=audit(1144938638.996:3575): avc: denied { read } for
pid=4722 comm="prelink" name="gcj-dbtool" dev=dm-0 ino=5801815
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:java_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1144938638.996:3575): arch=40000003 syscall=5
success=no exit=-13 a0=8e9f9a0 a1=8000 a2=0 a3=0 items=1 pid=4722
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink"
subj=system_u:system_r:prelink_t:s0
type=CWD msg=audit(1144938638.996:3575): cwd="/"
type=PATH msg=audit(1144938638.996:3575): item=0
name="/usr/bin/gcj-dbtool" inode=5801815 dev=fd:00 mode=0100755 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:java_exec_t:s0
tom
--
Tom London
Support for the NX client
by Aurelien Bompard
Hi all,
To have the (proprietary) NX client from http://nomachine.com work on FC5
with SELinux on, I had to run "setsebool allow_execmod 1"
Then the NX client works, and I turn it back off afterwards. It works, but
there should be a better way.
The lib causing the problem is /usr/NX/lib/libXcomp.so.1, and I found today
in the wiki a possible cleaner way to do it. From:
http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions#head-fe350791...
I should be able to run "chcon -t testrel_shlib_t /usr/NX/lib/libXcomp.so.1"
and make it work. Except this command gives me:
chcon: failed to change context of /usr/NX/lib/libXcomp.so.1 to
system_u:object_r:testrel_shlib_t: Invalid argument
Is this type not valid on FC5? Which leads me to: how can I list the
available types on the system?
Thanks
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard(a)jabber.fr
"Backups are for wimps. Real men upload their work to an ftp server
and have everybody mirror it." -- Linus Torvalds
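"Invalid argument" from chcon is what you get when the requested type is not declared in the policy that is currently loaded, and the list of declared types comes from `seinfo -t` (setools). What follows is an added example, not code from the post above or from NoMachine: a small Python check that parses `seinfo -t` output, verifies a requested type before building the chcon command, and lists near matches when it is not declared. The `SAMPLE_SEINFO_TYPES` text is a constructed stand-in for real `seinfo -t` output (a real run lists several hundred types); `textrel_shlib_t` is the type the reference policy declares for shared libraries that need execmod, which is the persistent alternative to toggling `allow_execmod`.

```python
import difflib
import subprocess

# Constructed stand-in for `seinfo -t` output: a "Types: N" header followed by
# one indented type name per line. Only a handful of types are listed here.
SAMPLE_SEINFO_TYPES = """\
Types: 5
   lib_t
   textrel_shlib_t
   shlib_t
   bin_t
   sbin_t
"""


def parse_seinfo_types(text):
    """Return the set of type names from `seinfo -t` output."""
    types = set()
    for line in text.splitlines():
        if line.startswith("Types:"):
            continue
        name = line.strip()
        if name:
            types.add(name)
    return types


def declared_types():
    """Types declared in the loaded policy via `seinfo -t`, or an empty set
    when setools is not installed or seinfo fails."""
    try:
        proc = subprocess.run(["seinfo", "-t"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return set()
    return parse_seinfo_types(proc.stdout)


def resolve_type(requested, types, n=3):
    """Return (True, []) when `requested` is declared, otherwise
    (False, [closest declared names]) so a typo can be spotted."""
    if requested in types:
        return True, []
    return False, difflib.get_close_matches(requested, sorted(types),
                                            n=n, cutoff=0.8)


def chcon_command(path, requested, types):
    """Build the chcon argv only when the type exists in the policy;
    otherwise raise with the closest declared names as a hint."""
    ok, hints = resolve_type(requested, types)
    if not ok:
        hint = ", ".join(hints) if hints else "no close match"
        raise ValueError(
            f"type {requested!r} is not declared in the loaded policy "
            f"(did you mean: {hint})")
    return ["chcon", "-t", requested, path]


if __name__ == "__main__":
    # Prefer the live policy; fall back to the constructed list offline.
    types = declared_types() or parse_seinfo_types(SAMPLE_SEINFO_TYPES)
    for wanted in ("textrel_shlib_t", "testrel_shlib_t"):
        try:
            print(" ".join(chcon_command("/usr/NX/lib/libXcomp.so.1", wanted, types)))
        except ValueError as err:
            print(err)
```

A chcon label set this way is still only a runtime label: a `restorecon` or a relabel will reset it to whatever file_contexts says for that path, so for a permanent fix the path should also be recorded with `semanage fcontext -a -t textrel_shlib_t`.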
rawhide update errors
by Richard Hally
Do the following errors need to be bugzilled?
Updating : selinux-policy-targeted ####################### [18/54]
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
Updating : mesa-libGLw-devel ####################### [19/54]
Updating : libselinux-devel ####################### [20/54]
Updating : postfix ####################### [21/54]
Updating : vim-minimal ######################
[22/54]warning: /etc/vimrc created as /etc/vimrc.rpmnew
Updating : vim-minimal ####################### [22/54]
Updating : vim-X11 ####################### [23/54]
Updating : synaptics ####################### [24/54]
Updating : selinux-policy-strict ####################### [25/54]
libsepol.scope_copy_callback: authlogin: Duplicate declaration in
module: type/attribute system_chkpwd_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Updating : gnupg ###################
AVCs from selinux-targeted
by Tom London
Below is a dump of the AVC after applying today's
selinux-policy-targeted and rebooting in permissive mode.
tom
[gdm greeter fails, but not sure yet if it is related....
The first AVC is from vmware...]
[root@localhost ~]# ausearch -i -if log
----
type=DAEMON_START msg=audit(04/12/2006 08:49:21.597:3214) auditd
start, ver=1.2, format=raw, auid=unknown(4294967295) res=success,
auditd pid=1987
----
type=CONFIG_CHANGE msg=audit(04/12/2006 08:49:21.597:4) :
audit_enabled=1 old=0 by auid=unknown(4294967295)
----
type=CONFIG_CHANGE msg=audit(04/12/2006 08:49:21.645:5) :
audit_backlog_limit=256 old=64 by auid=unknown(4294967295)
----
type=SOCKETCALL msg=audit(04/12/2006 08:49:30.234:6) : nargs=3 a0=4
a1=bfbacca0 a2=10
type=SOCKADDR msg=audit(04/12/2006 08:49:30.234:6) : saddr=inet
host:0.0.0.0 serv:0
type=SYSCALL msg=audit(04/12/2006 08:49:30.234:6) : arch=i386
syscall=socketcall(bind) success=yes exit=0 a0=2 a1=bfbacc70
a2=82a0158 a3=7 items=0 pid=2143 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=(none) comm=vmnet-natd exe=/usr/bin/vmnet-natd
subj=system_u:system_r:initrc_t:s0
type=AVC msg=audit(04/12/2006 08:49:30.234:6) : avc: denied {
node_bind } for pid=2143 comm=vmnet-natd
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket
----
type=USER_ERR msg=audit(04/12/2006 08:50:06.277:7) : user pid=2639
uid=root auid=unknown(4294967295) msg='PAM: bad_ident acct=? :
exe=/usr/sbin/gdm-binary (hostname=?, addr=?, terminal=console
res=failed)'
----
type=AVC_PATH msg=audit(04/12/2006 08:50:14.705:8) :
path=/usr/lib/dri/i915_dri.so
type=SYSCALL msg=audit(04/12/2006 08:50:14.705:8) : arch=i386
syscall=mprotect success=yes exit=0 a0=e48000 a1=2af000 a2=5
a3=bfbcb770 items=0 pid=2672 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
tty=tty7 comm=Xorg exe=/usr/bin/Xorg
subj=system_u:system_r:xdm_t:s0-s0:c0.c255
type=AVC msg=audit(04/12/2006 08:50:14.705:8) : avc: denied {
execmod } for pid=2672 comm=Xorg name=i915_dri.so dev=dm-0
ino=5880987 scontext=system_u:system_r:xdm_t:s0-s0:c0.c255
tcontext=system_u:object_r:lib_t:s0 tclass=file
----
type=USER_AUTH msg=audit(04/12/2006 08:50:57.884:9) : user pid=2669
uid=root auid=unknown(4294967295) msg='PAM: authentication acct=tbl :
exe=/usr/sbin/gdm-binary (hostname=?, addr=?, terminal=:0
res=success)'
----
type=USER_ACCT msg=audit(04/12/2006 08:50:57.884:10) : user pid=2669
uid=root auid=unknown(4294967295) msg='PAM: accounting acct=tbl :
exe=/usr/sbin/gdm-binary (hostname=?, addr=?, terminal=:0
res=success)'
----
type=CRED_ACQ msg=audit(04/12/2006 08:50:57.888:11) : user pid=2669
uid=root auid=unknown(4294967295) msg='PAM: setcred acct=tbl :
exe=/usr/sbin/gdm-binary (hostname=?, addr=?, terminal=:0
res=success)'
----
type=LOGIN msg=audit(04/12/2006 08:50:57.888:12) : login pid=2669
uid=root old auid=unknown(4294967295) new auid=tbl
----
type=USER_START msg=audit(04/12/2006 08:50:58.072:13) : user pid=2669
uid=root auid=tbl msg='PAM: session open acct=tbl :
exe=/usr/sbin/gdm-binary (hostname=?, addr=?, terminal=:0
res=success)'
----
type=USER_LOGIN msg=audit(04/12/2006 08:50:58.076:14) : user pid=2669
uid=root auid=tbl msg='uid=tbl exe=/usr/sbin/gdm-binary
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=:0
res=success)'
----
type=PATH msg=audit(04/12/2006 08:51:04.840:15) : item=0
name=/proc/sys/vm/ inode=4026531931 dev=00:03 mode=dir,555 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0
type=CWD msg=audit(04/12/2006 08:51:04.840:15) : cwd=/usr/share/hal/scripts
type=SYSCALL msg=audit(04/12/2006 08:51:04.840:15) : arch=i386
syscall=access success=yes exit=0 a0=9b243b8 a1=2 a2=2 a3=9b23528
items=1 pid=2841 auid=unknown(4294967295) uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
comm=pm-powersave exe=/bin/bash subj=system_u:system_r:hald_t:s0
type=AVC msg=audit(04/12/2006 08:51:04.840:15) : avc: denied { write
} for pid=2841 comm=pm-powersave name=vm dev=proc ino=-268435365
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
----
type=PATH msg=audit(04/12/2006 08:51:06.697:16) : item=1 name=(null)
inode=1045685 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(04/12/2006 08:51:06.697:16) : item=0
name=/usr/bin/bluez-pin inode=5799749 dev=fd:00 mode=file,755
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:bluetooth_helper_exec_t:s0
type=CWD msg=audit(04/12/2006 08:51:06.697:16) : cwd=/home/tbl
type=AVC_PATH msg=audit(04/12/2006 08:51:06.697:16) : path=pipe:[9329]
type=AVC_PATH msg=audit(04/12/2006 08:51:06.697:16) : path=pipe:[9329]
type=SYSCALL msg=audit(04/12/2006 08:51:06.697:16) : arch=i386
syscall=execve success=yes exit=0 a0=9b760b3 a1=bffcc5e0 a2=9b31078
a3=bffcdddf items=2 pid=2854 auid=tbl uid=tbl gid=tbl euid=tbl
suid=tbl fsuid=tbl egid=tbl sgid=tbl fsgid=tbl tty=(none)
comm=bluez-pin exe=/usr/bin/bluez-pin
subj=user_u:system_r:bluetooth_helper_t:s0
type=AVC msg=audit(04/12/2006 08:51:06.697:16) : avc: denied { write
} for pid=2854 comm=bluez-pin name=[9329] dev=pipefs ino=9329
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(04/12/2006 08:51:06.697:16) : avc: denied { use }
for pid=2854 comm=bluez-pin name=[9329] dev=pipefs ino=9329
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
----
type=AVC_PATH msg=audit(04/12/2006 08:51:18.709:17) :
path=/usr/lib/libSDL-1.2.so.0.7.2
type=SYSCALL msg=audit(04/12/2006 08:51:18.709:17) : arch=i386
syscall=mprotect success=yes exit=0 a0=32c7000 a1=71000 a2=5
a3=bf8935c0 items=0 pid=2848 auid=tbl uid=tbl gid=tbl euid=tbl
suid=tbl fsuid=tbl egid=tbl sgid=tbl fsgid=tbl tty=(none) comm=ekiga
exe=/usr/bin/ekiga subj=user_u:system_r:unconfined_t:s0
type=AVC msg=audit(04/12/2006 08:51:18.709:17) : avc: denied {
execmod } for pid=2848 comm=ekiga name=libSDL-1.2.so.0.7.2 dev=dm-0
ino=5803884 scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
----
type=USER_AUTH msg=audit(04/12/2006 08:51:33.050:18) : user pid=2951
uid=tbl auid=tbl msg='PAM: authentication acct=root : exe=/bin/su
(hostname=?, addr=?, terminal=pts/1 res=success)'
----
type=USER_ACCT msg=audit(04/12/2006 08:51:33.050:19) : user pid=2951
uid=tbl auid=tbl msg='PAM: accounting acct=root : exe=/bin/su
(hostname=?, addr=?, terminal=pts/1 res=success)'
----
type=USER_START msg=audit(04/12/2006 08:51:34.530:20) : user pid=2951
uid=tbl auid=tbl msg='PAM: session open acct=root : exe=/bin/su
(hostname=?, addr=?, terminal=pts/1 res=success)'
----
type=CRED_ACQ msg=audit(04/12/2006 08:51:35.178:21) : user pid=2951
uid=tbl auid=tbl msg='PAM: setcred acct=root : exe=/bin/su
(hostname=?, addr=?, terminal=pts/1 res=success)'
[root@localhost ~]#
--
Tom London
SELinux support in awstats RPM
by Aurelien Bompard
Hi you SELinux gurus :)
I'm trying to add SELinux support to my rpm of awstats in Extras.
Awstats is a perl CGI script which analyses the webserver's logs (and other
logs). It stores its (text-based) databases in /var/lib/awstats, and the
cgi itself is in /usr/share/awstats/wwwroot/cgi-bin/awstats.pl. I use an
alias in an httpd conf file to make it visible from /awstats/ from the web.
For the FC5 package, I've added two semanage calls in %pre to set the
correct types on the cgi and the databases dir.
Before committing and requesting a build, I'd like to make sure with you
that I'm not doing something dangerous, since I'm rather new to SELinux.
Here's the diff:
--- awstats.spec 23 Feb 2006 10:17:11 -0000 1.10
+++ awstats.spec 9 Apr 2006 13:50:38 -0000
@@ -13,6 +13,7 @@
Requires: perl
Requires(post): perl
Requires(postun): /sbin/service
+Requires(pre): policycoreutils
%description
Advanced Web Statistics is a powerful and featureful tool that generates
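Review bot: `Requires(pre): policycoreutils` covers the semanage calls in %pre, but the patch adds nothing that removes the two fcontext entries again when the package is uninstalled; once a %postun running `semanage fcontext -d` is added, it needs `Requires(postun): policycoreutils` here as well, in the same style as the existing `Requires(postun): /sbin/service`.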
@@ -112,6 +113,14 @@
%clean
rm -rf $RPM_BUILD_ROOT
+
+%pre
+# Set SELinux types
+semanage fcontext -a -t httpd_sys_script_exec_t \
+ '/usr/share/awstats/wwwroot/cgi-bin(/.*)?' 2>/dev/null || :
+semanage fcontext -a -t httpd_sys_script_rw_t '/var/lib/awstats(/.*)?'
2>/dev/null || :
+
+
%post
if [ $1 -eq 1 ]; then
if [ ! -f %{_sysconfdir}/%{name}/%{name}.`hostname`.conf ]; then
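Review bot: `semanage fcontext -a` only records the two specifications in the local file_contexts; it relabels nothing already on disk, so on an upgrade /var/lib/awstats and the cgi-bin directory keep whatever label the previous install gave them, and a `restorecon -R /usr/share/awstats/wwwroot/cgi-bin /var/lib/awstats` in %post is still needed. `-a` also fails with an "already defined" error once the entry exists (every upgrade after the first), and `2>/dev/null || :` swallows that together with every real failure (semanage missing, no policy loaded); there is no %postun deleting the entries with `semanage fcontext -d` on uninstall. As pasted, the `2>/dev/null || :` for the /var/lib/awstats call sits on its own line with no trailing backslash on the line before it; if that line break is really in the spec, the redirection runs as a separate no-op command and the semanage failure is not suppressed at all.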
Does it look correct to you? If I run semanage in %pre, I should not need
to run restorecon on /var/lib/awstats and
on /usr/share/awstats/wwwroot/cgi-bin in %post, do I ?
Is there a better/cleaner way to do it ?
This is a rather common case IMHO, so if we all agree I think it would be
worth having as an example on the Fedora wiki.
Thanks.
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard(a)jabber.fr
"You do not really understand something unless you can
explain it to your grandmother." -- Albert Einstein
[FC5] Wrong default context for hping2
by Charles-Edouard Ruault
Hi All,
I've noticed that hping2 ( hping2-2.0.0-0.5.rc3 ) is not labeled with
the correct security context.
The binary is labeled with context ping_exec_t:
-rwxr-xr-x root root system_u:object_r:ping_exec_t
/usr/sbin/hping2
But the ping_exec_t domain does not allow the creation of packet socket.
Here's the audit log :
type=AVC msg=audit(1144338231.596:1933): avc: denied { create } for
pid=17334 comm="hping2" scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=user_u:system_r:ping_t:s0-s0:c0.c255 tclass=packet_socket
To work around this issue, I simply changed the context of hping2 to
sbin_t and it works fine.
The other option is to modify the ping_t domain to allow the creation of
packet socket.
audit2allow yields the following rule:
allow ping_t self:packet_socket create;
I'll leave the decision up to the package maintainer !
--
Charles-Edouard Ruault
GPG key Id E4D2B80C
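The denials quoted in the postmap, prelink, ausearch and hping2 posts above all have the same shape, and the audit2allow output at the end of the hping2 post (`allow ping_t self:packet_socket create;`) is just those fields regrouped: source type and target type from the third field of each context, the object class, and the permission set. The following is an added example, not code from any of the posts or from audit2allow itself: a parser that re-joins audit records a mailer wrapped across lines, extracts those fields from each `avc: denied` record in both the raw audit.log form (quoted values, `comm="postmap"`) and the `ausearch -i` form (bare values, `comm=vmnet-natd`), and aggregates them into audit2allow-style rules. The sample records are constructed from the ones quoted on this page, put back onto one line where the archive wrapped them mid-token.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records quoted in the posts above. The kernel-syslog
# ones are re-joined onto one line each; the type=AVC ones are left wrapped at
# field boundaries as a mailer would leave them, to exercise join_records().
SAMPLE_LOG = """\
Apr 10 12:17:10 osprey kernel: audit(1144689430.970:8): avc: denied { read write } for pid=4617 comm="postmap" name="0" dev=devpts ino=2 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
Apr 10 12:17:10 osprey kernel: audit(1144689430.982:12): avc: denied { read } for pid=4617 comm="postmap" name="stat" dev=proc ino=4026531853 scontext=user_u:system_r:postfix_map_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1144938632.660:3574): avc: denied { read } for
pid=4722 comm="prelink" name="gij" dev=dm-0 ino=5795535
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:java_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1144938632.660:3574): arch=40000003 syscall=5
success=no exit=-13 a0=8e9f9a0 a1=8000 a2=0 a3=0 items=1 pid=4722
----
type=AVC msg=audit(04/12/2006 08:49:30.234:6) : avc: denied {
node_bind } for pid=2143 comm=vmnet-natd
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket
----
type=AVC msg=audit(1144338231.596:1933): avc: denied { create } for
pid=17334 comm="hping2" scontext=user_u:system_r:ping_t:s0-s0:c0.c255
tcontext=user_u:system_r:ping_t:s0-s0:c0.c255 tclass=packet_socket
"""

# A record starts with "type=" (audit.log, ausearch) or a syslog timestamp
# (kernel messages); any other line continues the previous record.
RECORD_START = re.compile(r"^(type=|[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d )")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_records(text):
    """Re-join records that a mailer or terminal wrapped across lines."""
    records = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("----"):   # ausearch separators
            continue
        if RECORD_START.match(line) or not records:
            records.append(stripped)
        else:
            records[-1] += " " + stripped
    return records


def parse_avc(record):
    """Fields of one avc: denied record, or None for any other record."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    perms = set(m.group(1).split())
    # Raw logs quote values (comm="postmap"), ausearch -i does not; strip quotes.
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {"perms": perms, **fields}


def context_type(ctx):
    """user:role:type[:mls] -> type (the MLS range may itself contain ':')."""
    return ctx.split(":")[2]


def summarize(text):
    """Aggregate denials into {(source_type, target_type, class): perms}."""
    rules = defaultdict(set)
    for record in join_records(text):
        avc = parse_avc(record)
        if avc is None:
            continue
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]),
               avc["tclass"])
        rules[key] |= avc["perms"]
    return dict(rules)


def format_rules(rules):
    """Render the aggregate the way audit2allow prints it."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt   # same type on both sides: self
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {target}:{cls} {perm_str};")
    return out


if __name__ == "__main__":
    for rule in format_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

The generated rule describes what was denied; it is not a recommendation. A domain reading and writing a devpts_t terminal, as postmap does above, is usually an inherited file descriptor and a candidate for a dontaudit rule rather than an allow, and an execmod denial on a library is normally fixed by labelling that library textrel_shlib_t rather than by granting execmod to the domain.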