Re: fc5: several troubles at my first attempt
by Ron Yorston
Stephen Smalley wrote:
>On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote:
>> I have installed current fc5 by http about a week or two ago. It updated from rawhide.
>> It is currently installed on hda2 and it ran from qemu.
>>
>> I see many avc denied messages in dmesg (repeated 210 times with different pids):
>> audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>> hda2 here is /
>
>Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
>Need to relabel?
I'm seeing these too. My /var is on a separate partition. Could this be
the cause of the problem?
Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal
Mar 31 20:04:18 random kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
Mar 31 20:04:18 random kernel: kjournald starting. Commit interval 5 seconds
Mar 31 20:04:18 random kernel: EXT3 FS on hde8, internal journal
Mar 31 20:04:18 random kernel: EXT3-fs: mounted filesystem with ordered data mode.
Mar 31 20:04:18 random kernel: SELinux: initialized (dev hde8, type ext3), uses xattr
# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hde3 972564 353452 568912 39% /
/dev/hde8 972532 290180 632152 32% /var
# ls -Zd /var
drwxr-xr-x root root system_u:object_r:var_t /var
# ls -id /var
2 /var
Ron
16 years, 11 months
Re: Sharing partitions between FC4 and FC5
by Ron Yorston
Stephen Smalley wrote:
>An MLS compatibility patch went into Linux 2.6.15 and was backported to
>one of the FC4 kernel updates. Is your FC4 kernel updated?
I think I'm entirely up to date:
# uname -r
2.6.16-1.2069_FC4
# rpm -qa | grep selinux
selinux-policy-targeted-1.27.1-2.22
libselinux-devel-1.23.11-1.1
libselinux-1.23.11-1.1
Ron
16 years, 12 months
VMware Workstation in FC5
by Matthew Saltzman
Running vmware workstation in FC5 with selinux-policy-targeted-2.2.25-2.fc5
produces the error:
$ vmware
/usr/lib/vmware/bin/vmware: error while loading shared libraries: /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0: cannot restore segment prot after reloc: Permission denied
and the AVC:
Apr 3 09:38:05 kernel: audit(1144071485.547:433): avc: denied { execmod } for pid=21419 comm="vmware" name="libgdk-x11-2.0.so.0" dev=dm-0 ino=1343530 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
16 years, 12 months
gstreamer plugin problem
by Louis Garcia
pitfdll is a gstreamer plugin that loads win32 binary codecs, which works if selinux=0.
$ ls -Z /usr/lib/gstreamer-0.10/libpitfdll.so
-rwxr-xr-x root root system_u:object_r:lib_t libpitfdll.so
$ ls -Z -d /usr/lib/win32
drwxr-xr-x root root system_u:object_r:lib_t /usr/lib/win32
Under selinux it can't. I get this error:
type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for pid=2360 comm="totem" name="libpitfdll.so" dev=hda3 ino=815199 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
I put this through audit2allow:
allow unconfined_t lib_t:file execmod;
I don't want to have all unconfined_t access to lib_t just
libpitfdll.so.
How can I only allow libpitfdll.so access to lib_t?
--Louis
16 years, 12 months
-Wunused-param in kernel compiles?
by Tom London
The last few kernels appear to be compiled with '-Wunused-param'. That right?
Is this a 'going forward' feature?
Appears to break vmware.
Just want to know if I need work on this, or if it will revert at some
future point...
tom
--
Tom London
16 years, 12 months
Re: fc5: several troubles at my first attempt
by Ron Yorston
I wrote:
[snip lots of stuff]
>>> Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
OK, I booted into single user mode, unmounted /var and ran
chcon -t var_t /var
on the mount point. Now when I boot I don't get 450 messages like the
above.
The underlying problem is that pam_console_apply is trying to access /var
before it's mounted. We just happened to see it because the SELinux
context on the mount point won't allow it.
Ron
16 years, 12 months
Small bug in apache.fc
by Harry Hoffman
Hi,
apache.fc allows for webroot location to be under /srv but selinux
currently stops apache from searching under /srv (at least this seems to
be the case to me, but I'm fairly new to selinux).
From: file_contexts/program/apache.fc
/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
An ls -lZ of / shows:
drwxr-xr-x root root system_u:object_r:default_t srv
Running audit2allow -i /var/log/messages shows:
allow httpd_t default_t:dir search;
Adding a local.te policy with:
allow httpd_t default_t:dir search;
fixes the problem and allows httpd to start without issue.
Cheers,
Harry
--
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/
16 years, 12 months
Problem while writing the new policy
by Suman B
Hi,
I am a newbie to selinux. I would like to write a new policy and want to
ensure that the policy is working.
I saw on some web pages that I have to write a policy file and keep it in
/etc/selinux/src/, but there is no such directory.
What are the steps I have to follow for writing the policy, and can you give me a
small example with which I can create a new policy?
Thanks in advance.
Regards,
Suman.B
16 years, 12 months
Re: fc5: several troubles at my first attempt
by Ron Yorston
Daniel J Walsh wrote:
>Ron Yorston wrote:
>> Stephen Smalley wrote:
>>
>>> On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote:
>>>
>>>> I have installed current fc5 by http about a week or two ago. It updated from rawhide.
>>>> It is currently installed on hda2 and it ran from qemu.
>>>>
>>>> I see many avc denied messages in dmesg (repeated 210 times with different pids):
>>>> audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>>>> hda2 here is /
>>>>
>>> Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t.
>>> Need to relabel?
>>>
>>
>> I'm seeing these too. My /var is on a separate partition. Could this be
>> the cause of the problem?
>>
>> Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
>> Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal
>> Mar 31 20:04:18 random kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
>> Mar 31 20:04:18 random kernel: kjournald starting. Commit interval 5 seconds
>> Mar 31 20:04:18 random kernel: EXT3 FS on hde8, internal journal
>> Mar 31 20:04:18 random kernel: EXT3-fs: mounted filesystem with ordered data mode.
>> Mar 31 20:04:18 random kernel: SELinux: initialized (dev hde8, type ext3), uses xattr
>>
>> # df
>> Filesystem 1K-blocks Used Available Use% Mounted on
>> /dev/hde3 972564 353452 568912 39% /
>> /dev/hde8 972532 290180 632152 32% /var
>> # ls -Zd /var
>> drwxr-xr-x root root system_u:object_r:var_t /var
>> # ls -id /var
>> 2 /var
>>
>> Ron
>>
>What happens when you
>
>restorecon -R -v /var
>
Nothing much.
# ls -Zd /var
drwxr-xr-x root root system_u:object_r:var_t /var
# restorecon -R -v /var
restorecon reset /var/log/Xorg.0.log context system_u:object_r:var_log_t->system_u:object_r:xserver_log_t
restorecon reset /var/log/xen-hotplug.log context system_u:object_r:var_log_t->system_u:object_r:xend_var_log_t
restorecon reset /var/log/Xorg.0.log.old context system_u:object_r:var_log_t->system_u:object_r:xserver_log_t
lstat(/var/lib/nfs/rpc_pipefs) failed: Permission denied
restorecon reset /var/run/sendmail.pid context system_u:object_r:var_run_t->system_u:object_r:sendmail_var_run_t
# ls -Zd /var
drwxr-xr-x root root system_u:object_r:var_t /var
And rebooting still results in 450 messages like:
Apr 3 20:25:04 random kernel: audit(1144092277.317:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
I've tried booting with the FC5 rescue CD. This shows that the /var
mount point on hde3 still has the wrong context:
sh-3.1# ls -id var
62785 var
sh-3.1# ls -Zd var
drwxr-xr-x root root system_u:object_r:file_t:s0 var
There doesn't seem to be a copy of restorecon on the rescue CD so I
wasn't able to change the context of the mount point.
Why's pam_console_app trying to access /var before it's been mounted
anyway?
Ron
16 years, 12 months
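A small log-triage helper, added here as an example and not code from any of these posts: it parses the AVC lines quoted in this thread (Ron's pam_console_app search denial on the /var mount point, Louis's execmod denial on libpitfdll.so, and a sample I constructed to match the "allow httpd_t default_t:dir search;" that audit2allow printed for Harry's /srv case), shows the blanket rule audit2allow would emit for each, and flags the ones where the right fix is a label change rather than an allow rule. The httpd sample line, the advice strings and the function names are my own assumptions.

```python
import re

# Pull the permission, source type, target type and object class out of one AVC line.
# Matches both the dmesg form and the auditd "type=AVC msg=audit(...)" form.
AVC_RE = re.compile(
    r"avc: +denied +\{ *(?P<perm>[\w ]+?) *\} +for .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+).*?tcontext=\w+:\w+:(?P<ttype>\w+).*?tclass=(?P<tclass>\w+)"
)

# Denials quoted in the thread, joined onto single lines.
PAM_CONSOLE = ('audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" '
               'name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 '
               'tcontext=system_u:object_r:file_t:s0 tclass=dir')
TOTEM = ('type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for pid=2360 comm="totem" '
         'name="libpitfdll.so" dev=hda3 ino=815199 scontext=user_u:system_r:unconfined_t:s0 '
         'tcontext=system_u:object_r:lib_t:s0 tclass=file')
# Constructed sample (not from the thread) shaped like the httpd_t -> default_t denial on /srv.
HTTPD = ('audit(1144000000.000:1): avc: denied { search } for pid=1 comm="httpd" name="srv" '
         'dev=dm-0 ino=1 scontext=system_u:system_r:httpd_t:s0 '
         'tcontext=system_u:object_r:default_t:s0 tclass=dir')

def parse_avc(line):
    """Return perm/stype/ttype/tclass for an AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    return m.groupdict() if m else None

def audit2allow_rule(avc):
    """The blanket rule audit2allow prints: it opens every object of the target type, not one file."""
    return "allow %s %s:%s %s;" % (avc["stype"], avc["ttype"], avc["tclass"], avc["perm"])

def diagnose(line):
    """Decide whether a denial is really a labeling problem before anyone loads an allow rule."""
    avc = parse_avc(line)
    if avc is None:
        return None
    if avc["ttype"] == "file_t":
        advice = "unlabeled target: relabel the underlying path (restorecon/chcon), e.g. an unmounted mount point"
    elif avc["ttype"] == "default_t":
        advice = "target has no file-context rule: add one (semanage fcontext) and restorecon, do not allow default_t"
    elif avc["perm"] == "execmod" and avc["ttype"] == "lib_t":
        advice = "library needs text relocation: label only that file textrel_shlib_t instead of allowing execmod on all lib_t"
    else:
        advice = "no labeling cause visible: review the rule by hand before loading it"
    return {"fields": avc, "rule": audit2allow_rule(avc), "advice": advice}

if __name__ == "__main__":
    for line in (PAM_CONSOLE, TOTEM, HTTPD, "Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal"):
        print(diagnose(line))
```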
Packaging hotfixes
by Axel Thimm
Hi,
is there a way to have policy enhancements per package? I'm asking
this because both Fedora's and upstream's handling of new selinux rules
works great, but the upgraded selinux-policy packages still need some time
to hit the users, and while they wait for their nvidia, avidemux,
whatever fix, they always seem to need it instantaneously and prefer
to turn off selinux altogether instead of waiting for a fix.
If there is a way to locally add rules from packages, then the
problematic app foo could carry a selinux snippet with itself and
install it until the policy package catches up.
Or would such a mechanism allow any package to overthrow selinux
altogether, thus making this more of a security risk than a feature?
--
Axel.Thimm at ATrpms.net
16 years, 12 months