OpenLDAP PID and args files
by Paul Howarth
FC5 has file contexts for /var/run/slapd.pid and /var/run/slapd.args
# semanage fcontext -l | grep slapd
/var/lib/ldap(/.*)?            all files       system_u:object_r:slapd_db_t:s0
/etc/ldap/slapd\.conf          regular file    system_u:object_r:slapd_etc_t:s0
/usr/sbin/slapd                regular file    system_u:object_r:slapd_exec_t:s0
/var/run/slapd\.args           regular file    system_u:object_r:slapd_var_run_t:s0
/var/lib/ldap/replog(/.*)?     all files       system_u:object_r:slapd_replog_t:s0
/var/run/slapd\.pid            regular file    system_u:object_r:slapd_var_run_t:s0
However, in FC5 the default slapd.conf file puts these files in
/var/run/openldap, so the file contexts don't get set properly, at least
not for the args file:
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
I've fixed this for now using restorecon but it would be nice for policy
to be fixed. Not sure if it applies to FC4 or not.
Paul.
16 years, 10 months
webalizer/cron
by Paul Howarth
What's happening here?
type=AVC msg=audit(1148266965.669:78582): avc: denied { create } for
pid=17006 comm="webalizer" scontext=user_u:system_r:webalizer_t:s0
tcontext=user_u:system_r:webalizer_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148266965.669:78582): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bffea6b8 a2=7bdff4 a3=1 items=0 pid=17006
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="webalizer" exe="/usr/bin/webalizer"
type=SOCKETCALL msg=audit(1148266965.669:78582): nargs=3 a0=10 a1=3 a2=0
I'm getting *lots* of these with every night's webalizer cron job.
It doesn't seem to stop it working though.
Paul.
16 years, 10 months
cron does not run on strict policy-2.x
by shintaro_fujiwara
Hi,
I have a server with the newest strict-policy package,
but my cron fails.
When I look at /var/log/cron, I get an
ENTRYPOINT FAILED
line.
/etc/crontab has
system_u:object_r:system_cron_spool_t.
I have two FC5 strict-policy servers and
both fail on cron, although anacron runs
fairly fine.
16 years, 10 months
SELinux/nss_ldap tracking bug
by Ian Pilcher
For anyone who's interested, I have created a tracking bug for SELinux/
nss_ldap interactions. Thus far, I've entered subordinate bugs for the
dbus-daemon (messagebus), ntpd, and xfs.
You can find the bug at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192555
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
16 years, 10 months
unsubscribe
by Douglas.D.Hartman
unsubscribe
-----Original Message-----
From: fedora-selinux-list-bounces(a)redhat.com
[mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of
fedora-selinux-list-request(a)redhat.com
Sent: Saturday, May 20, 2006 12:00 PM
To: fedora-selinux-list(a)redhat.com
Subject: fedora-selinux-list Digest, Vol 27, Issue 19
Send fedora-selinux-list mailing list submissions to
fedora-selinux-list(a)redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
fedora-selinux-list-request(a)redhat.com
You can reach the person managing the list at
fedora-selinux-list-owner(a)redhat.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."
Today's Topics:
1. printer AVCs.... (Tom London)
2. Re: need help for local.te (Hongwei Li)
3. Re: need help for local.te (Kayvan A. Sylvan)
4. Re: need help for local.te (Hongwei Li)
5. Re: selinux prelink avc's (dragoran)
6. Trusted Solaris over SELinux (Justin Conover)
7. Re: Trusted Solaris over SELinux (Andy Green)
8. Re: Trusted Solaris over SELinux (Martin Ebourne)
9. Re: Trusted Solaris over SELinux (Justin Conover)
10. Re: Trusted Solaris over SELinux (Andy Green)
----------------------------------------------------------------------
Message: 1
Date: Fri, 19 May 2006 09:02:35 -0700
From: "Tom London" <selinux(a)gmail.com>
Subject: printer AVCs....
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Message-ID:
<4c4ba1530605190902q5c981798m31d36366654f159(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Running latest Rawhide, targeted/enforcing.
I get the following when 'deactivating/activating' a USB printer (and
printing fails):
type=AVC msg=audit(1148052935.119:30): avc: denied { create } for
pid=1902 comm="python" scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148052935.119:30): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bffa4878 a2=49ebaff4 a3=bffa4e69 items=0
pid=1902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0
type=SOCKETCALL msg=audit(1148052935.119:30): nargs=3 a0=10 a1=3 a2=0
type=USER_AVC msg=audit(1148053114.333:32): user pid=1735 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)'
The following messages were in /var/log/messages:
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc: denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc: denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=QueueChanged
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc: denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobStartedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:35 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623
May 19 08:35:35 localhost hpiod: unable to Device::Open
hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 io/hpiod/device.cpp 862
May 19 08:35:35 localhost hp_LaserJet_1300?serial=00CNCB954325: INFO:
open device failed; will retry in 30 seconds...
May 19 08:36:05 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623
tom
--
Tom London
------------------------------
Message: 2
Date: Fri, 19 May 2006 12:13:15 -0500 (CDT)
From: "Hongwei Li" <hongwei(a)wustl.edu>
Subject: Re: need help for local.te
To: fedora-selinux-list(a)redhat.com
Message-ID:
<1866.128.252.85.103.1148058795.squirrel(a)morpheus.wustl.edu>
Content-Type: text/plain;charset=iso-8859-1
> On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
>> Hi,
>>
>> I need help about local.te. My system:
>>
>> kernel: 2.6.16-1.2111_FC5smp
>> selinux-policy-targeted: 2.2.38-1.fc5
>> audit: 1.1.5-1
>> sendmail: 8.13.6-0.FC5.1
>> squirrelmail: 1.4.6-5.fc5
>>
>> When I try to create an email folder in squirrelmail, I got Error. So, I
>> run
>> the following to create my local.te and add my module. Here are what I run
>> and get:
>>
>> # audit2allow -M local < /var/log/audit/audit.log
>> Generating type enforcment file: local.te
>> Compiling policy
>> checkmodule -M -m -o local.mod local.te
>> semodule_package -o local.pp -m local.mod
>>
>> ******************** IMPORTANT ***********************
>>
>> In order to load this newly created policy package into the kernel,
>> you are required to execute
>>
>> semodule -i local.pp
>>
>> # ls -l
>> total 40
>> -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
>> -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
>> -rw-r--r-- 1 root root 733 May 19 09:46 local.te
>>
>> # semodule -i local.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow
>> httpd_t
>> shadow_t:file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> semodule: Failed!
>>
>> How to solve the problem?
>>
>> Thanks!
>
> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy. Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency
The problem is I need to re-do for local.te from time to time, and whenever I
run (after rebooting)
# audit2allow -M local < /var/log/audit/audit.log
the line
allow httpd_t shadow_t:file { getattr read write };
is automatically added to local.te -- this time, it added more, not just
read.
I believe that this is because I need to run change_password plugin in
squirrelmail. It is not a problem in fc4 selinux -- I run audit2allow to add
entry into local.te and run make load, then everything is working. But, in
fc5, it is a problem. If I remove that line, then whenever I run the above
command, it is automatically added.
How to fix the problem?
Thanks!
Hongwei
------------------------------
Message: 3
Date: Fri, 19 May 2006 18:30:37 -0700
From: "Kayvan A. Sylvan" <kayvan(a)sylvan.com>
Subject: Re: need help for local.te
To: Hongwei Li <hongwei(a)wustl.edu>
Cc: fedora-selinux-list(a)redhat.com
Message-ID: <20060520013037.GD2422(a)satyr.sylvan.com>
Content-Type: text/plain; charset=us-ascii
On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
>
> The problem is I need to re-do for local.te from time to time, and whenever I
> run (after rebooting)
> # audit2allow -M local < /var/log/audit/audit.log
> the line
>
> allow httpd_t shadow_t:file { getattr read write };
>
> is automatically added to local.te -- [...]
> How to fix the problem?
How about something like this?
audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
------------------------------
Message: 4
Date: Fri, 19 May 2006 22:16:44 -0500 (CDT)
From: "Hongwei Li" <hongwei(a)wustl.edu>
Subject: Re: need help for local.te
To: fedora-selinux-list(a)redhat.com
Message-ID:
<1808.70.230.152.93.1148095004.squirrel(a)morpheus.wustl.edu>
Content-Type: text/plain;charset=iso-8859-1
> On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
>>
>> The problem is I need to re-do for local.te from time to time, and whenever I
>> run (after rebooting)
>> # audit2allow -M local < /var/log/audit/audit.log
>> the line
>>
>> allow httpd_t shadow_t:file { getattr read write };
>>
>> is automatically added to local.te -- [...]
>> How to fix the problem?
>
> How about something like this?
>
> audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
>
> --
> Kayvan A. Sylvan | Proud husband of | Father to my kids:
> Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
I did and got:
# audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
(unknown source)::ERROR 'unknown type dovecot_auth_t' at token ';' on line 33:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule: error(s) encountered while parsing configuration
I manually edit local.te to add a line
type dovecot_auth_t;
and run it again, then got
# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
(unknown source)::ERROR 'unknown type initrc_var_run_t' at token ';' on line 34:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule: error(s) encountered while parsing configuration
The line 34 is:
allow dovecot_auth_t initrc_var_run_t:file { read write };
What to do next? Thanks!
Hongwei
------------------------------
Message: 5
Date: Sat, 20 May 2006 13:18:35 +0200
From: dragoran <dragoran(a)feuerpokemon.de>
Subject: Re: selinux prelink avc's
To: dragoran <dragoran(a)feuerpokemon.de>
Cc: fedora-selinux-list(a)redhat.com
Message-ID: <446EFB0B.8030508(a)feuerpokemon.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
dragoran wrote:
> audit(1147793154.831:353): avc: denied { execute_no_trans } for
> pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793154.831:354): avc: denied { execute_no_trans } for
> pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.019:355): avc: denied { execute_no_trans } for
> pid=5197 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.447:356): avc: denied { execute_no_trans } for
> pid=5198 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793156.255:357): avc: denied { execute_no_trans } for
> pid=5199 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> I am using FC5 with selinux-policy-targeted-2.2.36-2.fc5
> What's going on? Is a file mislabeled or is this a policy bug?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
hello?
any solution for this problem?
------------------------------
Message: 6
Date: Sat, 20 May 2006 08:22:57 -0500
From: "Justin Conover" <justin.conover(a)gmail.com>
Subject: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Message-ID:
<a36b7e2a0605200622v54259deale2e30cb73f6f7ab6(a)mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
I thought this was interesting. Yeah, I use Solaris too, so I read some Sun
blogs too. :)
16 years, 10 months
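The local.te exchange quoted in the digest above (Hongwei Li's `audit2allow -M local` run that semodule rejected, Kayvan Sylvan's `grep -v shadow` workaround, and the `unknown type dovecot_auth_t` error that followed) and the netlink_route_socket and execute_no_trans denials earlier on the page all come down to the same workflow: collapse AVC records into allow rules and decide which of them may be loaded. The Python below is an added example, not code posted in this thread and not audit2allow itself. It parses the AVC records (with or without the `type=AVC msg=` prefix), merges them into one rule per source/target/class, emits a complete module source with the `require` block a loadable module needs, and returns any rule targeting a neverallow-protected type separately instead of writing it into the module or silently filtering it away. The audit records embedded in it are constructed from the denials quoted on this page; the two httpd_t/shadow_t records are invented to reproduce the rule Hongwei's run kept producing.

```python
"""Turn AVC denials into a loadable .te module, quarantining rules the base
policy forbids.

Added example for this thread; it is not audit2allow and not code posted
by anyone here.  The audit records below are constructed from the denials
quoted on the page (webalizer, hplip, prelink); the two httpd_t/shadow_t
records are invented to reproduce the rule Hongwei's audit2allow run kept
emitting.
"""
import re
from collections import defaultdict

# Matches the kernel AVC record whether or not it carries the auditd
# "type=AVC msg=" prefix; the SYSCALL/SOCKETCALL companion records do not
# contain "avc:" and are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types guarded by neverallow assertions in the base policy.  A module
# granting access to them is rejected by semodule, so such rules are
# returned for review instead of being written into the module.
NEVER_ALLOW_TARGETS = {"shadow_t"}

# Constructed sample; the httpd_t/shadow_t records are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1148266965.669:78582): avc: denied { create } for pid=17006 comm="webalizer" scontext=user_u:system_r:webalizer_t:s0 tcontext=user_u:system_r:webalizer_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148266965.669:78582): arch=40000003 syscall=102 success=no exit=-13 pid=17006 comm="webalizer" exe="/usr/bin/webalizer"
type=AVC msg=audit(1148052935.119:30): avc: denied { create } for pid=1902 comm="python" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket
audit(1147793154.831:353): avc: denied { execute_no_trans } for pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1148058000.000:900): avc: denied { read } for pid=4242 comm="httpd" name="shadow" dev=hda3 ino=4711 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058000.000:901): avc: denied { getattr write } for pid=4242 comm="httpd" name="shadow" dev=hda3 ino=4711 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def collapse(text):
    """Merge all denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules[key] |= set(m["perms"].split())
    return rules


def format_rule(key, perms):
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


def render_module(name, text, forbidden=NEVER_ALLOW_TARGETS):
    """Return (te_source, quarantined_rules).

    te_source is a complete module: header, a require block declaring every
    type and class the rules reference (what `audit2allow -M` emits and bare
    `audit2allow -l` output lacks, hence the 'unknown type' checkmodule
    errors), and the allow rules.  Rules targeting a forbidden type are
    left out of the module and returned separately."""
    rules = collapse(text)
    ok = {k: v for k, v in rules.items() if k[1] not in forbidden}
    bad = {k: v for k, v in rules.items() if k[1] in forbidden}

    types = sorted({t for (src, tgt, _) in ok for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in ok.items():
        classes[cls] |= perms

    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [format_rule(k, ok[k]) for k in sorted(ok)]
    quarantined = [format_rule(k, bad[k]) for k in sorted(bad)]
    return "\n".join(lines) + "\n", quarantined


if __name__ == "__main__":
    te, bad = render_module("local", SAMPLE_AUDIT_LOG)
    print(te)
    for rule in bad:
        print("# NOT written to local.te, would violate a base-policy assertion:")
        print("#", rule)
```

The generated source still goes through the same `checkmodule -M -m`, `semodule_package` and `semodule -i` steps shown in the thread. Two points from the exchange fall out of it. The `unknown type dovecot_auth_t` error after `audit2allow -l ... >> local.te` is expected: a loadable module must declare every type and class it references in a `require` block, which `audit2allow -M` writes and bare `-l` output does not, so appending raw rules to a module source cannot compile. And a rule rejected by a neverallow assertion (httpd_t reading shadow_t here) is a finding about the application that needs solving another way, which is why the script hands it back rather than dropping it from view the way `grep -v shadow` does.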
Help unsubscribe
by Douglas.D.Hartman
Help
-----Original Message-----
From: fedora-selinux-list-request(a)redhat.com
To: fedora-selinux-list(a)redhat.com
Sent: 5/20/06 12:00 PM
Subject: fedora-selinux-list Digest, Vol 27, Issue 19
16 years, 10 months
mailman
by Maxim Britov
# rpm -q kernel mailman selinux-policy-strict
kernel-2.6.16-1.2111_FC5
mailman-2.1.8-1
selinux-policy-strict-2.2.38-1.fc5
SELINUX=permissive
SELINUXTYPE=targeted
kernel: audit(1148035969.958:832): avc: denied { search } for pid=23052 comm="smtpd" name="mailman" dev=hda3 ino=588209 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
kernel: audit(1148035969.958:833): avc: denied { read } for pid=23052 comm="smtpd" name="aliases.db" dev=hda3 ino=588256 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:mailman_data_t:s0 tclass=file
kernel: audit(1148035969.958:834): avc: denied { lock } for pid=23052 comm="smtpd" name="aliases.db" dev=hda3 ino=588256 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:mailman_data_t:s0 tclass=file
kernel: audit(1148035969.962:835): avc: denied { getattr } for pid=23052 comm="smtpd" name="aliases.db" dev=hda3 ino=588256 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:mailman_data_t:s0 tclass=file
# ps axZ|fgrep mailman
user_u:system_r:initrc_t 23331 ? Ss 0:00 /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s -q start
user_u:system_r:initrc_t 23334 ? S 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
user_u:system_r:initrc_t 23335 ? S 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
user_u:system_r:initrc_t 23336 ? S 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
user_u:system_r:initrc_t 23337 ? S 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
user_u:system_r:initrc_t 23338 ? S 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
user_u:system_r:initrc_t 23339 ? S 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
user_u:system_r:initrc_t 23340 ? S 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
user_u:system_r:initrc_t 23341 ? S 0:00 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
--
Maxim Britov
GnuPG KeyID 0x4580A6D66F3DB1FB xmpp:maxim@modum.by icq 198171258
Fingerprint: 4059 B5C5 8985 5A47 8F5A 8623 4580 A6D6 6F3D B1FB
GnuPG-ru Team (http://lists.gnupg.org/mailman/listinfo/gnupg-ru
xmpp:gnupg-ru@conference.jabber.ru)
16 years, 10 months
unconfined_execmem_t for /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java ?
by Tom London
I'm getting execmem AVCs with latest policy and with SUN Java:
type=AVC msg=audit(1147912677.425:256): avc: denied { execmem } for
pid=10059 comm="java" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1147912677.425:256): arch=40000003 syscall=192
per=400000 success=no exit=-1082810368 a0=bf75a000 a1=3000 a2=7 a3=32
items=0 pid=10059 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="java"
exe="/usr/lib/jvm/java-1.5.0-sun-1.5.0.06/jre/bin/java"
subj=user_u:system_r:unconfined_t:s0
Is it appropriate to label as unconfined_execmem_t?
tom
--
Tom London
16 years, 10 months
acroread again
by Joachim Selke
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
one or two weeks ago the Adobe Reader RPM from Adobe got a special
treatment in default policy (FC5). It looks like this:
| semanage fcontext -l | grep -Ei 'adobe|intellinux'
| /usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so     regular file    system_u:object_r:textrel_shlib_t:s0
| /usr/(local/)?Adobe/.*\.api                           regular file    system_u:object_r:textrel_shlib_t:s0
| /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*     regular file    system_u:object_r:textrel_shlib_t:s0
| /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl        regular file    system_u:object_r:textrel_shlib_t:s0
| /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so        regular file    system_u:object_r:textrel_shlib_t:s0
But there is a repackaged version of this RPM available from Dries RPM
Repository
(<http://dries.studentenweb.org/rpm/packages/acroread/info.html>), which
fixes some problems with the original RPM and changes the install path
from /usr/local/Adobe/Acrobat7.0 to /usr/lib/acroread.
But this change bypasses the rules for acroread in current default
policy. Can these rules be extended so that they cover the acroread RPM
from Dries RPM Repository?
Joachim
- --
B. Sc. Joachim Selke
Universität Hannover, Institut für Theoretische Informatik
Appelstraße 4, 30167 Hannover, Germany
<http://www.thi.uni-hannover.de/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEbFgVq7fYj4TsIUwRAvRCAJsFVzD+/5keLPbUuDLes3jkGhXZUQCglzHJ
/mCEUanWqbf66R7sELGp7Co=
=GeKx
-----END PGP SIGNATURE-----
16 years, 10 months
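Both Paul Howarth's OpenLDAP post at the top of the page and Joachim Selke's acroread post above describe the same failure: the policy's file-context regexes are written for one install path, and files living elsewhere (/var/run/openldap/slapd.args, /usr/lib/acroread/...) are not covered. The Python below is an added example, not code from either post and not libselinux; it re-implements the lookup that matchpathcon performs against `semanage fcontext -l` output, so the question "does any spec cover this path?" can be answered offline. The listing it parses is constructed from the entries quoted in the two posts (the `grep slapd` and `grep -Ei 'adobe|intellinux'` subsets), so a None result means "no slapd- or Adobe-specific spec matches", not "unlabeled": on a real system a more general spec such as `/var/run(/.*)?` would apply. The `/var/run/openldap(/.*)?` rule added at the end is a proposed fix assumed for the example, not a rule shipped by any policy.

```python
"""Which file-context spec covers a path?

Added example, not code from any post on this page and not libselinux:
a small re-implementation of the lookup matchpathcon performs against
`semanage fcontext -l` output.  The listing is constructed from the slapd
and Adobe entries quoted in the thread; the /var/run/openldap spec added
in __main__ is an assumed fix, not a shipped rule.
"""
import re

SPEC_RE = re.compile(
    r"^(?P<regex>\S+)\s+"
    r"(?P<ftype>all files|regular file|directory|symbolic link|character device"
    r"|block device|socket|named pipe)\s+"
    r"(?P<context>\S+)$"
)

# semanage's object-class words mapped to SELinux file classes; None means
# the spec applies to every class.
FTYPE_TO_CLASS = {
    "all files": None, "regular file": "file", "directory": "dir",
    "symbolic link": "lnk_file", "character device": "chr_file",
    "block device": "blk_file", "socket": "sock_file", "named pipe": "fifo_file",
}

# Constructed from the entries quoted on this page, header line included.
FCONTEXT_LISTING = r"""
SELinux fcontext                                    type               Context
/var/lib/ldap(/.*)?                                 all files          system_u:object_r:slapd_db_t:s0
/etc/ldap/slapd\.conf                               regular file       system_u:object_r:slapd_etc_t:s0
/usr/sbin/slapd                                     regular file       system_u:object_r:slapd_exec_t:s0
/var/run/slapd\.args                                regular file       system_u:object_r:slapd_var_run_t:s0
/var/lib/ldap/replog(/.*)?                          all files          system_u:object_r:slapd_replog_t:s0
/var/run/slapd\.pid                                 regular file       system_u:object_r:slapd_var_run_t:s0
/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so   regular file       system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/.*\.api                         regular file       system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*   regular file       system_u:object_r:textrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl      regular file       system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so      regular file       system_u:object_r:textrel_shlib_t:s0
"""


def parse_specs(listing):
    """Return [(compiled_regex, file_class_or_None, type)] in listing order.

    Header and blank lines do not match and are skipped.  file_contexts
    regexes are POSIX EREs anchored at both ends; Python's re handles the
    constructs these specs use, and fullmatch() supplies the anchoring."""
    specs = []
    for line in listing.splitlines():
        m = SPEC_RE.match(line.strip())
        if m:
            specs.append((re.compile(m["regex"]), FTYPE_TO_CLASS[m["ftype"]],
                          m["context"].split(":")[2]))
    return specs


def lookup(specs, path, cls="file"):
    """Type a path of the given class would receive, or None if no spec matches.

    libselinux scans the spec list from the end, so the last matching spec
    wins; that is what lets a later, more specific entry override an earlier
    general one, and lets local semanage additions override the policy's."""
    for rx, spec_cls, type_ in reversed(specs):
        if spec_cls in (None, cls) and rx.fullmatch(path):
            return type_
    return None


def add_spec(specs, regex, ftype, type_):
    """Model `semanage fcontext -a -t TYPE 'REGEX'`: local specs are
    consulted after the policy's own, so append to the end."""
    specs.append((re.compile(regex), FTYPE_TO_CLASS[ftype], type_))


if __name__ == "__main__":
    specs = parse_specs(FCONTEXT_LISTING)
    for p in ("/var/run/slapd.pid", "/var/run/openldap/slapd.args",
              "/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libextendscript.so",
              "/usr/lib/acroread/Reader/intellinux/lib/libextendscript.so",
              "/usr/lib/acroread/Reader/intellinux/SPPlugins/ADMPlugin.apl"):
        print(f"{p:72} {lookup(specs, p)}")
    # Assumed fix for the slapd case, not a rule from any shipped policy.
    add_spec(specs, r"/var/run/openldap(/.*)?", "all files", "slapd_var_run_t")
    print("after adding /var/run/openldap(/.*)?:",
          lookup(specs, "/var/run/openldap/slapd.args"))
```

Of the five Adobe specs, only `/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl` lacks the `Adobe/` path component, so under the Dries layout that one plugin still gets textrel_shlib_t while the shared libraries under `/usr/lib/acroread/.../lib/` do not. On the host itself the equivalent check is `matchpathcon -V <path>` or `restorecon -nv <path>`; since a path no specific spec covers falls through to the general `/var/run(/.*)?` entry, the durable fix for the slapd case is `semanage fcontext -a -t slapd_var_run_t '/var/run/openldap(/.*)?'` followed by `restorecon -R /var/run/openldap`, rather than a one-off relabel that the next relabel pass reverts.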