Re: How to start up an unconfined service
by Daniel J Walsh
Orion Poplawski wrote:
> Daniel J Walsh wrote:
>> Orion Poplawski wrote:
>>> I'm running SGE (Sun Grid Engine) and the daemon is now starting up
>>> in the initrc_t domain. I really need it to be unconfined (I
>>> believe) as it can really do just about anything. How can I do this?
>>>
>> In targeted policy initrc_t is unconfined. I believe you could also
>> chcon -t unconfined_exec_t DAEMONPATH
>> to get the transition
>
> Okay, so the problem is with execmod then:
>
> audit(1144077767.717:1841): avc: denied { execmod } for pid=30457
> comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=hda3 ino=2913756
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
> and:
>
> audit(1144077181.455:932): avc: denied { execmod } for pid=27638
> comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=dm-2 ino=6300972
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=file
>
> I'm trying to build HDF5-1.7.52 and this is happening during the
> make-check phase. The first is doing an rpmbuild as a normal user.
> The second is with mock started by SGE.
>
You can turn off this check by setting allow_execmod boolean.
setsebool -P allow_execmod=1
Or you can label these files with textrel_shlib_t
chcon -t textrel_shlib_t libhdf5.so.1.2.1
16 years, 11 months
How to start up an unconfined service
by Orion Poplawski
I'm running SGE (Sun Grid Engine) and the daemon is now starting up in
the initrc_t domain. I really need it to be unconfined (I believe) as
it can really do just about anything. How can I do this?
Thanks!
- Orion
16 years, 11 months
Re: Overriding default file contexts?
by Stephen Smalley
On Mon, 2006-04-03 at 10:11 -0500, Ian Pilcher wrote:
> So 'semanage fcontext ...' is simply an interface to modify the policy
> contexts/files/file_contexts? This is going to result in an rpmnew
> file whenever the policy is updated, right?
No. That file is no longer provided by the policy package directly; it
is generated by libsemanage each time upon updates, and even policy
updates go through libsemanage now. libsemanage merges local additions
(stored separately in the file_contexts.local file in the
modules/active/ subdirectory) with the policy-provided file into the
final file before installing it.
> It's just my opinion, but I think it would be very convenient for system
> administrators and packagers to have a simple mechanism to override the
> policy for specific files.
Yes, that's what semanage fcontext -a is for. Or under FC4, you could
manually create and edit
a /etc/selinux/targeted/contexts/file/file_contexts.local file.
--
Stephen Smalley
National Security Agency
16 years, 11 months
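Added example (not from either reply above, nor from the selinux-policy project): a small POSIX sh script that pulls the fields out of an AVC denial line and, for the execmod-on-a-shared-library case Dan describes, prints the persistent fix. It combines the two threads: Dan's two options (the global allow_execmod boolean, or chcon with textrel_shlib_t) and Stephen's point that only semanage fcontext survives a relabel, since chcon is lost on the next restorecon and the boolean switches the check off for every domain. The AVC lines are constructed from the ones quoted on this page; the library path is a made-up placeholder, because an AVC record only carries the basename and inode, so the caller has to supply where the file really lives.

```shell
#!/bin/sh
# Map an SELinux AVC denial to a remediation that survives a relabel.
# Example code written for this page; not part of the thread or of policycoreutils.

# Two AVC lines constructed from the ones quoted on this page.
AVC_EXECMOD='audit(1144077767.717:1841): avc: denied { execmod } for pid=30457 comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=hda3 ino=2913756 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'
AVC_WRITE='audit(1144071680.338:437): avc: denied { write } for pid=21467 comm="ping" name="foo" dev=dm-4 ino=2195784 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=... (surrounding quotes stripped), empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the denied permission named inside the braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^} ]*\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT: the type (third colon-separated field) of a context.
# Works for FC5-style user_u:object_r:user_home_t:s0 and FC4-style root:object_r:samba_net_tmp_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE PATH: print the command that fixes the denial persistently.
# PATH is the real location of the file named in the AVC (supplied by the caller);
# it is used literally as the fcontext spec, so escape regex characters if needed.
suggest_fix() {
    line=$1; path=$2
    perm=$(avc_perm "$line")
    tclass=$(avc_field "$line" tclass)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    case "$perm:$tclass" in
    execmod:file)
        # Relabel the one library rather than set allow_execmod, which would
        # disable the text-relocation check for every domain on the box.
        printf "semanage fcontext -a -t textrel_shlib_t '%s' && restorecon -v '%s'\n" "$path" "$path"
        ;;
    *)
        printf '# no canned fix for %s on %s (%s); inspect with audit2allow -w\n' "$perm" "$tclass" "$ttype"
        ;;
    esac
}

# Usage with the constructed input; the path is a placeholder.
suggest_fix "$AVC_EXECMOD" /home/orion/lib/libhdf5.so.1.2.1
suggest_fix "$AVC_WRITE" /home/mjs/foo
```

The execmod case is the only one given a canned answer on purpose: a library that needs text relocations is a known, narrow exception, whereas a write denial (like the ping one later on this page) usually means the policy or the tool needs attention, not a label change.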
fc5 useradd in rpm not working
by Ted Toth
A useradd that I have in an RPM I'm developing doesn't work. I can however
run it from the command line. Can anyone give me an idea of what the
difference is and how I can correct my RPM?
16 years, 11 months
Overriding default file contexts?
by Ian Pilcher
Perhaps there's a way to do this, and I simply don't know it.
I just finished manually relabeling the Acrobat Reader libraries and
plug-ins. Of course, if I ever have to relabel my filesystem, I'll have
to do this again.
Wouldn't it be nice if I could put a file in a directory, .file_contexts
for example, give it a special context (file_context_t?) which would
never be changed, and specify contexts that would override the policy
default contexts.
It sure seems like this could save some pain.
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
16 years, 11 months
ping redirect
by Matthew Saltzman
This was mentioned on fedora-list, but I don't think the OP is interested in
posting here. "ping <host> > foo" as a normal user produces AVC:
Apr 3 09:41:20 vincent52 kernel: audit(1144071680.338:437): avc: denied { write } for pid=21467 comm="ping" name="foo" dev=dm-4 ino=2195784 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
In a gterm, it just hangs. On a VC, ping exits with an error.
This is FC5 with selinux-policy-targeted-2.2.25-2.fc5.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
16 years, 11 months
nfs avc messages with kernel-2.6.16-1.2069_FC4
by Antonio Olivares
Dear all,
I decided to install the latest FC4 kernel,
2.6.16-1.2069_FC4 or so. Upon booting I can no longer
surf the internet. I get some avc denied messages
from dmesg. How can I fix this issue?
I do not want to disable selinux.
TIA,
Antonio
16 years, 11 months
Sharing partitions between FC4 and FC5
by Ron Yorston
I've installed FC5 alongside FC4. Initially I just gave FC5 its own
/, /var and /usr partitions but then edited /etc/fstab to add partitions
that I want to share between FC4 and FC5: things like /home and /opt.
For each OS I use a different login with separate home directories.
This avoids problems with GNOME configurations and the like.
Then I rebooted into FC5 and forced a relabel. FC5 works fine but I'm
now unable to login to the GNOME desktop in FC4 unless I set enforcing=0
on boot. When I do that the log rapidly fills up with lines like:
Apr 1 10:30:24 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352500
I'll attach the log messages I get when I try to login with SELinux
in enforcing mode.
Ron
---
Apr 1 10:20:43 random gdm(pam_unix)[2868]: session opened for user rmy by (uid=0)
Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_dir_t:s0) returned 22 for dev=dm-1 ino=352024
Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352336
Apr 1 10:20:52 random gdm[2868]: gdm_auth_user_add: Could not lock cookie file /home/rmyfc4/.Xauthority
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352894
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=353188
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352496
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352341
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352335
Apr 1 10:20:54 random gconfd (rmy-2984): starting (version 2.10.0), pid 2984 user 'rmy'
Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352349
Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readwrite:/home/rmyfc4/.gconf" to a read-only configuration source at position 1
Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Apr 1 10:20:54 random gconfd (rmy-2984): None of the resolved addresses are writable; saving configuration settings will not be possible
Apr 1 10:20:54 random gconfd (rmy-2984): No writable config sources successfully resolved, may not be able to save some configuration changes
Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352072
Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352350
[snip]
Apr 1 10:20:55 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352897
Apr 1 10:21:15 random gdm(pam_unix)[2868]: session closed for user rmy
Apr 1 10:21:15 random dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0
Apr 1 10:21:24 random gconfd (rmy-2984): Could not open saved state file '/home/rmyfc4/.gconfd/saved_state.tmp' for writing: Permission denied
16 years, 11 months
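Added example (not part of Ron's post): a POSIX sh script that summarises the inode_doinit_with_dentry lines from a kernel log, counting each distinct rejected context and decoding the errno. Value 22 is EINVAL, which here means the context string stored on the inode could not be validated against the policy currently loaded. The last function flags a fourth (MLS/MCS) field such as s0; the inference that an FC4 targeted policy without MCS rejects the :s0 labels an FC5 relabel wrote is mine, suggested by the FC4 AVC lines elsewhere on this page carrying no such field, and not something the thread states. The log excerpt is constructed from the lines Ron attached.

```shell
#!/bin/sh
# Summarise context_to_sid failures from a kernel log and decode the errno.
# Example code written for this page; not from the thread.

# Constructed excerpt of the attached log (a non-kernel line is included to show it is skipped).
LOG='Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_dir_t:s0) returned 22 for dev=dm-1 ino=352024
Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352336
Apr 1 10:20:52 random gdm[2868]: gdm_auth_user_add: Could not lock cookie file /home/rmyfc4/.Xauthority
Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352894'

# errno_name N: symbolic name for the errno values seen in these messages.
errno_name() {
    case "$1" in
    22) echo EINVAL ;;   # context not valid under the loaded policy
    12) echo ENOMEM ;;
    *)  echo "errno $1" ;;
    esac
}

# rejected_contexts LOG: one line per distinct rejected context, "count context errno-name".
rejected_contexts() {
    printf '%s\n' "$1" \
    | sed -n 's/.*context_to_sid(\([^)]*\)) returned \([0-9]*\).*/\1 \2/p' \
    | sort | uniq -c \
    | while read -r count ctx err; do
        printf '%s %s %s\n' "$count" "$ctx" "$(errno_name "$err")"
      done
}

# has_mls_suffix CONTEXT: succeeds if the context carries a fourth (MLS/MCS) field.
# A policy built without MLS/MCS support cannot accept such a context.
has_mls_suffix() {
    case "$1" in
    *:*:*:*) return 0 ;;
    *)       return 1 ;;
    esac
}

# Usage with the constructed log.
rejected_contexts "$LOG"
```

Running this over the full log on the FC4 side shows at a glance which labels the FC4 policy cannot parse; relabeling from whichever release has the stricter label format, or keeping /home off the shared list, is then a deliberate choice rather than a guess.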
samba, kerberos, winbind and W2K3 avc messages
by Tom Diehl
Hi all,
I have a fully updated FC4 machine that I am trying to get samba and winbind
working with selinux in enforcing mode.
I would appreciate it if someone could look at the avc messages below and
help me understand what they mean and how to fix the machine.
When I start up samba and winbind I get the following avc messages:
Apr 2 11:06:45 backup kernel: audit(1143990405.799:54): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.807:55): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.811:56): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.815:57): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.819:58): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:06:45 backup kernel: audit(1143990405.823:59): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
...
When I try to browse the samba shares from the w2k3 server I get the following
messages:
==> messages <==
Apr 2 11:09:35 backup kernel: audit(1143990575.906:161): avc: denied { getattr } for pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr 2 11:09:35 backup kernel: audit(1143990575.910:162): avc: denied { getattr } for pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
==> samba/sommer1.log <==
[2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code)
[2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code)
[2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
If I disable selinux everything works as it should.
Regards,
Tom Diehl tdiehl(a)rogueind.com Spamtrap address mtd123(a)rogueind.com
16 years, 11 months