Re: How to start up an unconfined service
by Daniel J Walsh
Orion Poplawski wrote:
> Daniel J Walsh wrote:
>> Orion Poplawski wrote:
>>> I'm running SGE (Sun Grid Engine) and the daemon is now starting up
>>> in the initrc_t domain. I really need it to be unconfined (I
>>> believe) as it can really do just about anything. How can I do this?
>>>
>> In targeted policy initrc_t is unconfined. I believe you could also
>> chcon -t unconfined_exec_t DAEMONPATH
>> to get the transition
>
> Okay, so the problem is with execmod then:
>
> audit(1144077767.717:1841): avc: denied { execmod } for pid=30457
> comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=hda3 ino=2913756
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
> and:
>
> audit(1144077181.455:932): avc: denied { execmod } for pid=27638
> comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=dm-2 ino=6300972
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=file
>
> I'm trying to build HDF5-1.7.52 and this is happening during the
> make-check phase. The first is doing an rpmbuild as a normal user.
> The second is with mock started by SGE.
>
You can turn off this check by setting the allow_execmod boolean:
setsebool -P allow_execmod=1
Or you can label these files with textrel_shlib_t:
chcon -t textrel_shlib_t libhdf5.so.1.2.1
18 years
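As an added example (not code from the thread or from the Fedora policy project), a small Python triage script that parses AVC records in the format Orion quoted and maps the execmod-on-a-file case to the two fixes Dan names; the regexes, function names and the rejoined sample lines are my own construction.

```python
import re

# Constructed for this page, not code from the thread: parse "avc: denied" records
# and map execmod denials to the boolean or relabel fix named in the reply above.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # Contexts look like user_u:system_r:unconfined_t:s0 (the :s0 part may be absent,
    # as in root:system_r:smbd_t further down the page); the type is the third field.
    for key in ('scontext', 'tcontext'):
        if key in fields:
            fields[key + '_type'] = fields[key].split(':')[2]
    return fields

def suggest(fields):
    """Shell commands that would resolve the denial. Only execmod on a file has a fix
    named in this thread; every other denial gets [] so a person decides what to grant."""
    if 'execmod' in fields['perms'] and fields.get('tclass') == 'file':
        return ['setsebool -P allow_execmod=1',
                'chcon -t textrel_shlib_t %s' % fields.get('name', '?')]
    return []

def summarise(fields):
    """One line per denial: source type, permissions, target type, class and name."""
    return '%s denied %s on %s (%s, %s)' % (fields['scontext_type'], ','.join(fields['perms']),
                                            fields['tcontext_type'], fields['tclass'],
                                            fields.get('name', '?'))

def triage(lines):
    """Pair every denial found in lines with its summary and suggested fixes."""
    return [(summarise(f), suggest(f)) for f in map(parse_avc, lines) if f]

# Constructed sample: the first execmod record above and the ping record further down
# the page, each rejoined onto one line, plus a non-AVC line that must be skipped.
SAMPLE = [
    'audit(1144077767.717:1841): avc: denied { execmod } for pid=30457 comm="lt-testhdf5" '
    'name="libhdf5.so.1.2.1" dev=hda3 ino=2913756 scontext=user_u:system_r:unconfined_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'Apr 3 09:41:20 vincent52 kernel: audit(1144071680.338:437): avc: denied { write } for '
    'pid=21467 comm="ping" name="foo" dev=dm-4 ino=2195784 scontext=user_u:system_r:ping_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'Apr 2 11:06:45 backup kernel: smbd[2773]: started',
]

if __name__ == '__main__':
    for summary, fixes in triage(SAMPLE):
        print(summary, *fixes, sep='\n    ')
```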
How to start up an unconfined service
by Orion Poplawski
I'm running SGE (Sun Grid Engine) and the daemon is now starting up in
the initrc_t domain. I really need it to be unconfined (I believe) as
it can really do just about anything. How can I do this?
Thanks!
- Orion
18 years
Re: Overriding default file contexts?
by Stephen Smalley
On Mon, 2006-04-03 at 10:11 -0500, Ian Pilcher wrote:
> So 'semanage fcontext ...' is simply an interface to modify the policy
> contexts/files/file_contexts? This is going to result in an rpmnew
> file whenever the policy is updated, right?
No. That file is no longer provided by the policy package directly; it
is generated by libsemanage each time upon updates, and even policy
updates go through libsemanage now. libsemanage merges local additions
(stored separately in the file_contexts.local file in the
modules/active/ subdirectory) with the policy-provided file into the
final file before installing it.
> It's just my opinion, but I think it would be very convenient for system
> administrators and packagers to have a simple mechanism to override the
> policy for specific files.
Yes, that's what semanage fcontext -a is for. Or under FC4, you could
manually create and edit a
/etc/selinux/targeted/contexts/file/file_contexts.local file.
--
Stephen Smalley
National Security Agency
18 years
fc5 useradd in rpm not working
by Ted Toth
A useradd that I have in an RPM I'm developing doesn't work. I can however
run it from the command line. Can anyone give me an idea of what the
difference is and how I can correct my RPM?
18 years
Overriding default file contexts?
by Ian Pilcher
Perhaps there's a way to do this, and I simply don't know it.
I just finished manually relabeling the Acrobat Reader libraries and
plug-ins. Of course, if I ever have to relabel my filesystem, I'll have
to do this again.
Wouldn't it be nice if I could put a file in a directory, .file_contexts
for example, give it a special context (file_context_t?) which would
never be changed, and specify contexts that would override the policy
default contexts?
It sure seems like this could save some pain.
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
18 years
ping redirect
by Matthew Saltzman
This was mentioned on fedora-list, but I don't think the OP is interested in
posting here. "ping <host> > foo" as a normal user produces AVC:
Apr 3 09:41:20 vincent52 kernel: audit(1144071680.338:437): avc: denied
{ write } for pid=21467 comm="ping" name="foo" dev=dm-4 ino=2195784
scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:user_home_t:s0
tclass=file
In a gterm, it just hangs. On a VC, ping exits with an error.
This is FC5 with selinux-policy-targeted-2.2.25-2.fc5.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
18 years
nfs avc messages with kernel-2.6.16-1.2069_FC4
by Antonio Olivares
Dear all,
I decided to install latest FC4 kernel
2.6.16-1.2069_FC4 or so. Upon booting I can no longer
surf the internet. I get some avc denied messages
from dmesg. How can I fix this issue?
I do not want to disable selinux.
TIA,
Antonio
18 years
Sharing partitions between FC4 and FC5
by Ron Yorston
I've installed FC5 alongside FC4. Initially I just gave FC5 its own
/, /var and /usr partitions but then edited /etc/fstab to add partitions
that I want to share between FC4 and FC5: things like /home and /opt.
For each OS I use a different login with separate home directories.
This avoids problems with GNOME configurations and the like.
Then I rebooted into FC5 and forced a relabel. FC5 works fine but I'm
now unable to login to the GNOME desktop in FC4 unless I set enforcing=0
on boot. When I do that the log rapidly fills up with lines like:
Apr 1 10:30:24 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352500
I'll attach the log messages I get when I try to login with SELinux
in enforcing mode.
Ron
---
Apr 1 10:20:43 random gdm(pam_unix)[2868]: session opened for user rmy by (uid=0)
Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_dir_t:s0) returned 22 for dev=dm-1 ino=352024
Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352336
Apr 1 10:20:52 random gdm[2868]: gdm_auth_user_add: Could not lock cookie file /home/rmyfc4/.Xauthority
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352894
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=353188
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352496
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352341
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352335
Apr 1 10:20:54 random gconfd (rmy-2984): starting (version 2.10.0), pid 2984 user 'rmy'
Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352349
Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readwrite:/home/rmyfc4/.gconf" to a read-only configuration source at position 1
Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Apr 1 10:20:54 random gconfd (rmy-2984): None of the resolved addresses are writable; saving configuration settings will not be possible
Apr 1 10:20:54 random gconfd (rmy-2984): No writable config sources successfully resolved, may not be able to save some configuration changes
Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352072
Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352350
[snip]
Apr 1 10:20:55 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352897
Apr 1 10:21:15 random gdm(pam_unix)[2868]: session closed for user rmy
Apr 1 10:21:15 random dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
Apr 1 10:21:24 random gconfd (rmy-2984): Could not open saved state file '/home/rmyfc4/.gconfd/saved_state.tmp' for writing: Permission denied
18 years
samba, kerberos, winbind and W2K3 avc messages
by Tom Diehl
Hi all,
I have a fully updated FC4 machine that I am trying to get samba and winbind
working with selinux in enforcing mode.
I would appreciate it if someone could look at the avc messages below and
help me understand what they mean and how to fix the machine.
When I start up samba and winbind I get the following avc messages:
Apr 2 11:06:45 backup kernel: audit(1143990405.799:54): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.807:55): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.811:56): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.815:57): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.819:58): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.823:59): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
...
When I try to browse the samba shares from the w2k3 server I get the following
messages:
==> messages <==
Apr 2 11:09:35 backup kernel: audit(1143990575.906:161): avc: denied { getattr } for pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:09:35 backup kernel: audit(1143990575.910:162): avc: denied { getattr } for pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
==> samba/sommer1.log <==
[2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code)
[2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code)
[2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
If I disable selinux everything works as it should.
Regards,
Tom Diehl tdiehl(a)rogueind.com Spamtrap address mtd123(a)rogueind.com
18 years