selinux prelink avc's
by dragoran
audit(1147793154.831:353): avc: denied { execute_no_trans } for
pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1147793154.831:354): avc: denied { execute_no_trans } for
pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1147793155.019:355): avc: denied { execute_no_trans } for
pid=5197 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1147793155.447:356): avc: denied { execute_no_trans } for
pid=5198 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
audit(1147793156.255:357): avc: denied { execute_no_trans } for
pid=5199 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
I am using FC5 with selinux-policy-targeted-2.2.36-2.fc5.
What's going on? Is a file mislabeled, or is this a policy bug?
16 years, 10 months
printer AVCs....
by Tom London
Running latest Rawhide, targeted/enforcing.
I get the following when 'deactivating/activating' a USB printer (and
printing fails):
type=AVC msg=audit(1148052935.119:30): avc: denied { create } for
pid=1902 comm="python" scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148052935.119:30): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bffa4878 a2=49ebaff4 a3=bffa4e69 items=0
pid=1902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0
type=SOCKETCALL msg=audit(1148052935.119:30): nargs=3 a0=10 a1=3 a2=0
type=USER_AVC msg=audit(1148053114.333:32): user pid=1735 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)'
The following messages were in /var/log/messages:
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc: denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc: denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=QueueChanged
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc: denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobStartedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:35 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623
May 19 08:35:35 localhost hpiod: unable to Device::Open
hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 io/hpiod/device.cpp 862
May 19 08:35:35 localhost hp_LaserJet_1300?serial=00CNCB954325: INFO:
open device failed; will retry in 30 seconds...
May 19 08:36:05 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623
tom
--
Tom London
16 years, 10 months
CGI Script permissions
by Jochen Wiedmann
Hi,
I have a CGI script which ought to have some special permissions. In
particular, it ought to invoke a certain command as a certain user. To
achieve that, I have created an entry in the sudoers file, which allows
the httpd user to invoke the command without a password. Now my CGI
script does a
sudo -u mp /u2/mp/mpbin/mpfak 001
where mp is the special user, mpfak is the necessary command and the
remaining part is the mp program's argument.
However, when the program is invoked, then I see the following message
in syslog:
May 26 07:49:21 fibudbserver kernel: audit(1148622561.696:14): avc:
denied { setrlimit } for pid=31749 comm="sudo"
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:15): avc:
denied { setgid } for pid=31749 comm="sudo" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:16): avc:
denied { setuid } for pid=31749 comm="sudo" capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:17): avc:
denied { search } for pid=31749 comm="sudo" name="/" dev=sda5 ino=2
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:file_t tclass=dir
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:18): avc:
denied { setgid } for pid=31749 comm="sudo" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:19): avc:
denied { setuid } for pid=31749 comm="sudo" capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
I must admit that I do not even understand whether I ought to change my
script's permissions or the "sudo" program's. I do hesitate to do either.
Can anyone please advise me how to continue? For example, I might as
well invoke sudo from a wrapper script and change that script's
permissions. Question is: How would I do that?
Regards,
Jochen
16 years, 10 months
failed update a module
by shintaro_fujiwara
I did a yum update lately.
I edited the .te file and made apache.pp.
When I tried to update apache.pp:
[root@intrajp devel]# semodule -u apache.pp
libsepol.class_copy_callback: apache: Modules may not yet declare new
classes.
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Why, and what should I do?
Thanks.
16 years, 10 months
denied execheap, for httpd with zend optimizer (fc5)
by Jaak Simm
Hi all,
I'm installing Zend Optimizer 3.0 for httpd in FC5. After giving the correct
security context with chcon and removing the execstack requirement from its
.so files, I'm still stuck with a "denied {execheap}" error in
/var/log/messages when httpd starts:
May 20 21:33:26 web2 kernel: audit(1148150006.772:751): avc: denied {
execheap } for pid=2584 comm="httpd" scontext=root:system_r:httpd_t:s0
tcontext=root:system_r:httpd_t:s0 tclass=process
I have enabled allow_execheap:
# getsebool allow_execheap
allow_execheap --> on
Also restarted the computer, but "denied {execheap}" message is present
and Zend Optimizer does not work.
Any comments and hints from selinux gurus, besides disabling selinux?
Thanks,
Jaak
16 years, 10 months
need help for local.te
by Hongwei Li
Hi,
I need help about local.te. My system:
kernel: 2.6.16-1.2111_FC5smp
selinux-policy-targeted: 2.2.38-1.fc5
audit: 1.1.5-1
sendmail: 8.13.6-0.FC5.1
squirrelmail: 1.4.6-5.fc5
When I try to create an email folder in squirrelmail, I get an error. So I ran
the following to create my local.te and add my module. Here is what I ran
and got:
# audit2allow -M local < /var/log/audit/audit.log
Generating type enforcment file: local.te
Compiling policy
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
******************** IMPORTANT ***********************
In order to load this newly created policy package into the kernel,
you are required to execute
semodule -i local.pp
# ls -l
total 40
-rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
-rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
-rw-r--r-- 1 root root 733 May 19 09:46 local.te
# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t
shadow_t:file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
How to solve the problem?
Thanks!
Hongwei
16 years, 10 months
httpd can't execute bash?
by Ben
Is it a new thing that httpd can't execute bash? After a recent
policy upgrade, I'm seeing a lot of these:
audit(1147792088.616:148): avc: denied { execute } for pid=1262
comm="httpd" name="bash" dev=dm-0 ino=3267269
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
16 years, 10 months
Mailman/Postfix execute_no_trans denial
by Todd Zullinger
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I installed an FC5 system a few days ago and was testing mailman with
postfix. I've run into a problem when trying to send messages to any
I've created. SELinux is running in Enforcing mode. Setting it to
permissive allows list posts to go through.
Here's the avc denial I get:
audit(1148242843.454:41): avc: denied { execute_no_trans } for pid=27763 comm="local" name="mailman" dev=sda2 ino=163878 scontext=user_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
I read a thread from a month or so back where another fellow was using
mailman and postfix, but he was using the postfix-to-mailman-2.1.py
script for integration.
I am using mailman's builtin postfix integration by specifying
MTA='Postfix' in /etc/mailman/mm_cfg.py. This lets mailman create the
proper list aliases automatically on list creation. In
/etc/postfix/main.cf, hash:/etc/mailman/aliases is added to the
alias_maps parameter.
I'm not very familiar with selinux, so I'm unsure whether this is a
problem requiring a change in file context(s), a policy tweak, or
both. Could someone tap me in the right direction with the cluestick?
$ rpm -qa mailman postfix selinux-policy\*
selinux-policy-targeted-2.2.38-1.fc5
selinux-policy-2.2.38-1.fc5
postfix-2.2.8-1.2
mailman-2.1.7-1.2
Thanks,
- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Honesty is the best policy, but insanity is a better defense.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
iGwEARECAC0FAkRw1GkmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1qDmgCY9oSS1Uj/9dj6yMEftzCljdLZOACfcX1SDI5E
dhxBfD88LYbgA4vEX2A=
=/+Fu
-----END PGP SIGNATURE-----
16 years, 10 months
Audit messages to console
by Steve Brueckner
Can anyone think of a reason my avc messages are being printed to the
console as well as /var/log/messages? This is in an FC5 xenU (guest
domain), with no auditd running.
Steve Brueckner, ATC-NY
16 years, 10 months
ftp and home directories?
by Knute Johnson
I'm running a stock FC5 box for a mail server and web server. I
configured vsftp to use home directories so I had a place to send my
files to. I used /usr/sbin/setsebool ftp_home_dir 1 so I could
upload files. The next time I went to upload files it was 0 and I
had to set it again. Does this get reset when new SELinux stuff is
installed? Is it possible to make this permanent and if so how?
Thanks,
--
Knute Johnson
Molon Labe...
16 years, 10 months