selinux April 2006

selinux@lists.fedoraproject.org

69 participants
97 discussions

Start a nNew thread

SELinux overview on line.
by Daniel J Walsh 03 Apr '06

03 Apr '06

http://www.redhat.com/v/swf/SELinux/ Dan

4 5

Re: How to start up an unconfined service
by Daniel J Walsh 03 Apr '06

03 Apr '06

Orion Poplawski wrote: > Daniel J Walsh wrote: >> Orion Poplawski wrote: >>> I'm running SGE (Sun Grid Engine) and the daemon is now starting up >>> in the initrc_t domain. I really need it to be unconfined (I >>> believe) as it can really do just about anything. How can I do this? >>> >> In targeted policy initrc_t is unconfined. I believe you could also >> chcon -t unconfined_exec_t DAEMONPATH >> to get the transition > > Okay, so the problem is with execmod then: > > audit(1144077767.717:1841): avc: denied { execmod } for pid=30457 > comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=hda3 ino=2913756 > scontext=user_u:system_r:unconfined_t:s0 > tcontext=user_u:object_r:user_home_t:s0 tclass=file > > and: > > audit(1144077181.455:932): avc: denied { execmod } for pid=27638 > comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=dm-2 ino=6300972 > scontext=system_u:system_r:initrc_t:s0 > tcontext=system_u:object_r:default_t:s0 tclass=file > > I'm trying to build HDF5-1.7.52 and this is happening during the > make-check phase. The first is doing an rpmbuild as a normal user. > The second is with mock started by SGE. > You can turn off this check by setting allow_execmod boolean. setsebool -P allow_execmod=1 Or you can label these files with textrel_shlib_t chcon -t textrel_shlib_t libhdf5.so.1.2.1

1 0

How to start up an unconfined service
by Orion Poplawski 03 Apr '06

03 Apr '06

I'm running SGE (Sun Grid Engine) and the daemon is now starting up in the initrc_t domain. I really need it to be unconfined (I believe) as it can really do just about anything. How can I do this? Thanks! - Orion

2 1

Re: Overriding default file contexts?
by Stephen Smalley 03 Apr '06

03 Apr '06

On Mon, 2006-04-03 at 10:11 -0500, Ian Pilcher wrote: > So 'semanage fcontext ...' is simply an interface to modify the policy > contexts/files/file_contexts? This is going to result in an rpmnew > file whenever the policy is updated, right? No. That file is no longer provided by the policy package directly; it is generated by libsemanage each time upon updates, and even policy updates go through libsemanage now. libsemanage merges local additions (stored separately in the file_contexts.local file in the modules/active/ subdirectory) with the policy-provided file into the final file before installing it. > It's just my opinion, but I think it would be very convenient for system > administrators and packagers to have a simple mechanism to override the > policy for specific files. Yes, that's what semanage fcontext -a is for. Or under FC4, you could manually create and edit a /etc/selinux/targeted/contexts/file/file_contexts.local file. -- Stephen Smalley National Security Agency

1 0

fc5 useradd in rpm not working
by Ted Toth 03 Apr '06

03 Apr '06

A useradd that I have in an RPM I'm developing doesn't work. I can however run it from the command line. Can anyone give me an idea of what the difference is and how I can correct my RPM?

2 1

Overriding default file contexts?
by Ian Pilcher 03 Apr '06

03 Apr '06

Perhaps there's a way to do this, and I simply don't know it. I just finished manually relabeling the Acrobat Reader libraries and plug-ins. Of course, if I ever have to relabel my filesystem, I'll have to do this again. Wouldn't it be nice if I could put file in a directory, .file_contexts for example, give it a special context (file_context_t?) which would never be changed, and specify contexts that would override the policy default contexts. It sure seems like this could save some pain. -- ======================================================================== Ian Pilcher i.pilcher(a)comcast.net ========================================================================

3 3

ping redirect
by Matthew Saltzman 03 Apr '06

03 Apr '06

This was mentioned on fedora-list, but I don't think the OP is interested in posting here. "ping <host> > foo" as a normal user produces AVC: Apr 3 09:41:20 vincent52 kernel: audit(1144071680.338:437): avc: denied { write } for pid=21467 comm="ping" name="foo" dev=dm-4 ino=2195784 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file In a gterm, it just hangs. On a VC, ping exits with an error. This is FC5 with selinux-policy-targeted-2.2.25-2.fc5. -- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu http://www.math.clemson.edu/~mjs

1 0

nfs avc messages with kernel-2.6.16-1.2069_FC4
by Antonio Olivares 03 Apr '06

03 Apr '06

Dear all, I decided to install latest FC4 kernel 2.6.16-1.2069_FC4 or so. Upon booting I can no longer surf the internet. I get some avc denied messages from dmesg. How can I fix this issue? I do not want to disable selinux. TIA, Antonio __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

2 2

Sharing partitions between FC4 and FC5
by Ron Yorston 03 Apr '06

03 Apr '06

I've installed FC5 alongside FC4. Initially I just gave FC5 its own /, /var and /usr partitions but then edited /etc/fstab to add partitions that I want to share between FC4 and FC5: things like /home and /opt. For each OS I use a different login with separate home directories. This avoids problems with GNOME configurations and the like. Then I rebooted into FC5 and forced a relabel. FC5 works fine but I'm now unable to login to the GNOME desktop in FC4 unless I set enforcing=0 on boot. When I do that the log rapidly fills up with lines like: Apr 1 10:30:24 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352500 I'll attach the log messages I get when I try to login with SELinux in enforcing mode. Ron --- Apr 1 10:20:43 random gdm(pam_unix)[2868]: session opened for user rmy by (uid=0) Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_dir_t:s0) returned 22 for dev=dm-1 ino=352024 Apr 1 10:20:43 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352336 Apr 1 10:20:52 random gdm[2868]: gdm_auth_user_add: Could not lock cookie file /home/rmyfc4/.Xauthority Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352894 Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=353188 Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352496 Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352341 Apr 1 10:20:53 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352335 Apr 1 10:20:54 random gconfd (rmy-2984): starting (version 2.10.0), pid 2984 user 'rmy' Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352349 Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0 Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readwrite:/home/rmyfc4/.gconf" to a read-only configuration source at position 1 Apr 1 10:20:54 random gconfd (rmy-2984): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2 Apr 1 10:20:54 random gconfd (rmy-2984): None of the resolved addresses are writable; saving configuration settings will not be possible Apr 1 10:20:54 random gconfd (rmy-2984): No writable config sources successfully resolved, may not be able to save some configuration changes Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352072 Apr 1 10:20:54 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352350 [snip] Apr 1 10:20:55 random kernel: inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0) returned 22 for dev=dm-1 ino=352897 Apr 1 10:21:15 random gdm(pam_unix)[2868]: session closed for user rmy Apr 1 10:21:15 random dbus: avc: 0 AV entries and 0/512 buckets used, longest chain length 0 Apr 1 10:21:24 random gconfd (rmy-2984): Could not open saved state file '/home/rmyfc4/.gconfd/saved_state.tmp' for writing: Permission denied

2 1

samba, kerberos, winbind and W2K3 avc messages
by Tom Diehl 02 Apr '06

02 Apr '06

Hi all, I have a fully updated FC4 machine that I am trying to get samba and winbind working with selinux in enforcing mode. I would appreciate it if someone could look at the avc messages below and help me understand what they mean and how to fix the machine. When I start up samba and winbind I get the following avc messages: Apr 2 11:06:45 backup kernel: audit(1143990405.799:54): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file Apr 2 11:06:45 backup kernel: audit(1143990405.807:55): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file Apr 2 11:06:45 backup kernel: audit(1143990405.811:56): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file Apr 2 11:06:45 backup kernel: audit(1143990405.815:57): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file Apr 2 11:06:45 backup kernel: audit(1143990405.819:58): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file Apr 2 11:06:45 backup kernel: audit(1143990405.823:59): avc: denied { getattr } for pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file ... When I try to browse the samba shares from the w2k3 server I get the following messages: ==> messages <== Apr 2 11:09:35 backup kernel: audit(1143990575.906:161): avc: denied { getattr } for pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file Apr 2 11:09:35 backup kernel: audit(1143990575.910:162): avc: denied { getattr } for pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file ==> samba/sommer1.log <== [2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324) ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code) [2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket! [2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324) ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code) [2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming ticket! If I disable selinux everything works as it should. Regards, Tom Diehl tdiehl(a)rogueind.com Spamtrap address mtd123(a)rogueind.com

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux April 2006