selinux April 2006

selinux@lists.fedoraproject.org

69 participants
97 discussions

Re: fc5: several troubles at my first attempt
by Ron Yorston 06 Apr '06

06 Apr '06

Stephen Smalley wrote: >On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote: >> I have installed current fc5 by http about week or two ago. It updated from rawhide. >> It currently installed on hda2 and it ran from qemu. >> >> I see many avc denied messages in dmesg (repeated 210 times with different pids): >> audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir >> hda2 here is / > >Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t. >Need to relabel? I'm seeing these too. My /var is on a separate partition. Could this be the cause of the problem? Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal Mar 31 20:04:18 random kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs Mar 31 20:04:18 random kernel: kjournald starting. Commit interval 5 seconds Mar 31 20:04:18 random kernel: EXT3 FS on hde8, internal journal Mar 31 20:04:18 random kernel: EXT3-fs: mounted filesystem with ordered data mode. Mar 31 20:04:18 random kernel: SELinux: initialized (dev hde8, type ext3), uses xattr # df Filesystem 1K-blocks Used Available Use% Mounted on /dev/hde3 972564 353452 568912 39% / /dev/hde8 972532 290180 632152 32% /var # ls -Zd /var drwxr-xr-x root root system_u:object_r:var_t /var # ls -id /var 2 /var Ron

3 2

Re: Sharing partitions between FC4 and FC5
by Ron Yorston 05 Apr '06

05 Apr '06

Stephen Smalley wrote: >A MLS compatibility patch went into Linux 2.6.15 and was back ported to >one of the FC4 kernel updates. Is your FC4 kernel updated? I think I'm entirely up to date: # uname -r 2.6.16-1.2069_FC4 # rpm -qa | grep selinux selinux-policy-targeted-1.27.1-2.22 libselinux-devel-1.23.11-1.1 libselinux-1.23.11-1.1 Ron

2 2

VMware Workstation in FC5
by Matthew Saltzman 05 Apr '06

05 Apr '06

Running vmware workstation in FC5 with selinux-policy-targeted-2.2.25-2.fc5 produces the error: $ vmware /usr/lib/vmware/bin/vmware: error while loading shared libraries: /usr/lib/vmware/lib/libgdk-x11-2.0.so.0/libgdk-x11-2.0.so.0: cannot restore segment prot after reloc: Permission denied and the AVC: Apr 3 09:38:05 kernel: audit(1144071485.547:433): avc: denied { execmod } for pid=21419 comm="vmware" name="libgdk-x11-2.0.so.0" dev=dm-0 ino=1343530 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file -- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu http://www.math.clemson.edu/~mjs

4 6

gstreamer plugin problem
by Louis Garcia 05 Apr '06

05 Apr '06

pitfdll is a gstreamer plugin that loads win32 binary codecs. Which works if selinux=0. $ ls -Z /usr/lib/gstreamer-0.10/libpitfdll.so -rwxr-xr-x root root system_u:object_r:lib_t libpitfdll.so ls -Z -d /usr/lib/win32 drwxr-xr-x root root system_u:object_r:lib_t /usr/lib/win32 under selinux it can't. I get this error: type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for pid=2360 comm="totem" name="libpitfdll.so" dev=hda3 ino=815199 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file I put this through audit2allow: allow unconfined_t lib_t:file execmod; I don't want to have all unconfined_t access to lib_t just libpitfdll.so. how can I only allow libpitfdll.so access to lib_t? --Louis

2 1

-Wunused-param in kernel compiles?
by Tom London 04 Apr '06

04 Apr '06

The last few kernels appear to be compiled with '-Wunused-param'. That right? Is this a 'going forward' feature? Appears to break vmware. Just want to know if I need work on this, or if it will revert at some future point... tom -- Tom London

1 1

Re: fc5: several troubles at my first attempt
by Ron Yorston 04 Apr '06

04 Apr '06

I wrote: [snip lots of stuff] >>> Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir OK, I booted into single user mode, unmounted /var and ran chcon -t var_t /var on the mount point. Now when I boot I don't get 450 messages like the above. The underlying problem is that pam_console_apply is trying to access /var before it's mounted. We just happened to see it because the SELinux context on the mount point won't allow it. Ron

1 0

Small bug in apache.fc
by Harry Hoffman 04 Apr '06

04 Apr '06

Hi, apache.fc allows for webroot location to be under /srv but selinux currently stops apache from searching under /srv (at least this seems to be the case to me, but I'm fairly new to selinux). From: file_contexts/program/apache.fc /srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t a ls -lZ of / shows: drwxr-xr-x root root system_u:object_r:default_t srv running audit2allow -i /var/log/messages shows: allow httpd_t default_t:dir search; adding a local.te policy with: allow httpd_t default_t:dir search; fixes the problem and allows httpd to start without issue. Cheers, Harry -- Harry Hoffman Integrated Portable Solutions, LLC 877.846.5927 ext 1000 http://www.ip-solutions.net/

3 4

Problem while writing the new policy
by Suman B 03 Apr '06

03 Apr '06

Hi, I am a newbie to selinux. I would like to write a new policy and want to ensure that the policy is working. I saw in some web pages, that i have to write a policy file and to keep in /etc/selinux/src/ , but there is no such directory. What are the steps i have to follow for writing the policy. and give me a small exampl with which i can create a new policy. Thanks in advance. Regards, Suman.B

2 1

Re: fc5: several troubles at my first attempt
by Ron Yorston 03 Apr '06

03 Apr '06

Daniel J Walsh wrote: >Ron Yorston wrote: >> Stephen Smalley wrote: >> >>> On Wed, 2006-03-15 at 19:08 +0200, Maxim Britov wrote: >>> >>>> I have installed current fc5 by http about week or two ago. It updated from rawhide. >>>> It currently installed on hda2 and it ran from qemu. >>>> >>>> I see many avc denied messages in dmesg (repeated 210 times with different pids): >>>> audit(1142439027.188:2): avc: denied { search } for pid=349 comm="pam_console_app" name="var" dev=hda2 ino=210081 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir >>>> hda2 here is / >>>> >>> Hmmm.../var should be labeled with system_u:object_r:var_t, not file_t. >>> Need to relabel? >>> >> >> I'm seeing these too. My /var is on a separate partition. Could this be >> the cause of the problem? >> >> Mar 31 20:04:18 random kernel: audit(1143831757.360:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir >> Mar 31 20:04:18 random kernel: EXT3 FS on hde3, internal journal >> Mar 31 20:04:18 random kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs >> Mar 31 20:04:18 random kernel: kjournald starting. Commit interval 5 seconds >> Mar 31 20:04:18 random kernel: EXT3 FS on hde8, internal journal >> Mar 31 20:04:18 random kernel: EXT3-fs: mounted filesystem with ordered data mode. >> Mar 31 20:04:18 random kernel: SELinux: initialized (dev hde8, type ext3), uses xattr >> >> # df >> Filesystem 1K-blocks Used Available Use% Mounted on >> /dev/hde3 972564 353452 568912 39% / >> /dev/hde8 972532 290180 632152 32% /var >> # ls -Zd /var >> drwxr-xr-x root root system_u:object_r:var_t /var >> # ls -id /var >> 2 /var >> >> Ron >> >What happens when you > >restorecon -R -v /var > Nothing much. # ls -Zd /var drwxr-xr-x root root system_u:object_r:var_t /var # restorecon -R -v /var restorecon reset /var/log/Xorg.0.log context system_u:object_r:var_log_t->system_u:object_r:xserver_log_t restorecon reset /var/log/xen-hotplug.log context system_u:object_r:var_log_t->system_u:object_r:xend_var_log_t restorecon reset /var/log/Xorg.0.log.old context system_u:object_r:var_log_t->system_u:object_r:xserver_log_t lstat(/var/lib/nfs/rpc_pipefs) failed: Permission denied restorecon reset /var/run/sendmail.pid context system_u:object_r:var_run_t->system_u:object_r:sendmail_var_run_t # ls -Zd /var drwxr-xr-x root root system_u:object_r:var_t /var And rebooting still results in 450 messages like: Apr 3 20:25:04 random kernel: audit(1144092277.317:451): avc: denied { search } for pid=1384 comm="pam_console_app" name="var" dev=hde3 ino=62785 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir I've tried booting with the FC5 rescue CD. This shows that the /var mount point on hde3 still has the wrong context: sh-3.1# ls -id var 62785 var sh-3.1# ls -Zd var drwxr-xr-x root root system_u:object_r:file_t:s0 var There doesn't seem to be a copy of restorecon on the rescue CD so I wasn't able to change the context of the mount point. Why's pan_console_app trying to access /var before it's been mounted anyway? Ron

1 0

Packaging hotfixes
by Axel Thimm 03 Apr '06

03 Apr '06

Hi, is there a way to have policy enhancements per packages? I'm asking this because both fedora's and upstream handling of new selinux rules works great, still the upgraded selinux-policy packages need some time to hit the users and while they wait for their nvidia, avidemux, whatever fix, they always seem to need it instantaneously and prefer to turn off selinx altogether instead of waiting for a fix. If there is a way to locally add rules from packages, then the problematic app foo could carry an selinux snippet with itself and install it until the policy package catches up. Or would such a mechanism allow any package to overthrow selinux altogether thus making this more of a security risk than a feature? -- Axel.Thimm at ATrpms.net

2 2

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux April 2006