tools... LOG
by Ma. Alejandra Castillo
Dear all, besides seaudit, aureport and ausearch, do other tools exist to
review the LOG?
Regards
--
Ma. Alejandra Castillo M.
procmail
by Paul Howarth
I use procmail as my local delivery agent from sendmail. In FC5 this
appears to be running as procmail_t.
Procmail offers the ability to pipe mail through programs (filters), and
I use this facility from time to time. I'm getting quite a lot of
denials when doing this and wonder what the right approach to fixing
them is.
Case 1: a locally-written shell script called "spamdomain"
This is in my ~/bin directory and of type user_home_t
Procmail recipe:
SPAMDOMAIN=`spamdomain`
Result:
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc:
denied { execute } for pid=16622 comm="procmail" name="spamdomain"
dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc:
denied { execute_no_trans } for pid=16622 comm="procmail"
name="spamdomain" dev=dm-1 ino=1399071
scontext=system_u:system_r:procmail_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
Case 2: piping mail through "sa-learn"
I run spamass-milter to reject mail in-protocol and then my own local
filter using procmail on anything that gets through. If I'm sure
something's spam, I like spamassassin to learn about it so I might
reject it earlier in future. So I pipe it through sa-learn (spamd_exec_t):
Procmail recipe:
:0c
| sa-learn --username=paul(a)city-fan.org --spam >/dev/null 2>&1
Result:
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.743:8008): avc:
denied { getattr } for pid=16718 comm="bash" name="sa-learn" dev=dm-3
ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8009): avc:
denied { execute } for pid=16718 comm="bash" name="sa-learn" dev=dm-3
ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8010): avc:
denied { read } for pid=16718 comm="bash" name="sa-learn" dev=dm-3
ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.747:8011): avc:
denied { execute_no_trans } for pid=16719 comm="bash" name="sa-learn"
dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
Apr 11 16:14:41 goalkeeper kernel: audit(1144768481.799:8012): avc:
denied { ioctl } for pid=16719 comm="sa-learn" name="sa-learn"
dev=dm-3 ino=852750 scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:spamd_exec_t:s0 tclass=file
The "bash" denials will be due to procmail forking a shell to handle the
redirects.
What *should* I be doing here to fix this? I know I could just add local
policy to fix the denials, but is there a way to do it that's supported
by existing policy?
Paul.
selinux in fc5
by Hongwei Li
Hi,
I have a question about selinux in fc5. My system:
kernel: 2.6.16-1.2111_FC5smp
selinux-policy-targeted: 2.2.38-1.fc5
I need to modify the policy to meet our requests. But, when I search
targeted-sources, I could not find anything.
Is the targeted-sources excluded from fc5 selinux?
If yes, how do I modify the policy? Where do I put my local.te and where do I run
"make load" as in fc4, or should I do it in a completely different way, and how?
Thanks!
Hongwei Li
FastCGI applications
by Paul Howarth
I've just moved my personal moin wiki from mod_python to FastCGI for
performance reasons (it's well worth it!). For people who don't know,
FastCGI works by starting up one or more copies of a CGI application and
then keeping them running, passing requests from server to application
over a socket. This avoids the startup overhead of the CGI application
for each request that is necessary with regular CGI.
I needed the policy module below to get it working. I'm not sure what
exactly all of the "allows" are allowing, so advice would be welcome
(sample AVCs included).
Regarding support for FastCGI in the standard policy, perhaps
appropriate rules could be added under a boolean httpd_enable_fastcgi or
even added to the features enabled with httpd_enable_cgi?
policy_module(apache, 0.1.0)
require {
	type httpd_sys_script_t;
	type httpd_log_t;
	type httpd_t;
	type devpts_t;
	type var_run_t;
};
# ==========================================================
# Needed for mod_fcgid
# ==========================================================
# This is the FastCGI application doing something to the httpd error log
# ----------------------------------------------------------------------
#type=AVC msg=audit(1147697748.197:15226): avc: denied { ioctl } for pid=15684 comm="python" name="error_log" dev=dm-4 ino=851988 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
#type=SYSCALL msg=audit(1147697748.197:15226): arch=40000003 syscall=54 success=no exit=-25 a0=1 a1=5401 a2=bffd4cf8 a3=bffd4d38 items=0 pid=15684 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
#type=AVC_PATH msg=audit(1147697748.197:15226): path="/var/log/httpd/error_log"
allow httpd_sys_script_t httpd_log_t:file ioctl;
# This is the FastCGI application listening for FastCGI requests on its socket
allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr ioctl listen };
# Not sure what this is doing
# ---------------------------
#type=AVC msg=audit(1147699050.131:15341): avc: denied { ioctl } for pid=16705 comm="httpd" name="2" dev=devpts ino=4 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
#type=SYSCALL msg=audit(1147699050.131:15341): arch=40000003 syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bff4ee38 a3=bff4ee78 items=0 pid=16705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
#type=AVC_PATH msg=audit(1147699050.131:15341): path="/dev/pts/2"
allow httpd_t devpts_t:chr_file ioctl;
# perhaps it should be term_ioctl_generic_ptys(httpd_t)
# mod_fcgid setting attr of its socket dir
# ----------------------------------------
# type=AVC msg=audit(1147697688.037:15216): avc: denied { setattr } for pid=15656 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
# type=SYSCALL msg=audit(1147697688.037:15216): arch=40000003 syscall=212 success=yes exit=0 a0=91aa148 a1=30 a2=ffffffff a3=30 items=1 pid=15656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
# type=CWD msg=audit(1147697688.037:15216): cwd="/"
# type=PATH msg=audit(1147697688.037:15216): item=0 name="/etc/httpd/run/mod_fcgid" flags=1 inode=458818 dev=fd:04 mode=040755 ouid=48 ogid=48 rdev=00:00
allow httpd_t var_run_t:dir setattr;
Paul.
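The procmail and FastCGI posts above both turn kernel AVC denials into candidate allow rules by hand. The following is an added example, not code from any poster on this list, that does the same mechanically: it re-joins denial records that the mail client wrapped across lines, extracts permission, source type, target type and object class, and groups them the way audit2allow does. The sample log is the two procmail "spamdomain" denials quoted above, embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: the two procmail "spamdomain" denials, wrapped as mailed.
SAMPLE_LOG = """\
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8006): avc:
denied { execute } for pid=16622 comm="procmail" name="spamdomain"
dev=dm-1 ino=1399071 scontext=system_u:system_r:procmail_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
Apr 11 16:14:29 goalkeeper kernel: audit(1144768469.242:8007): avc:
denied { execute_no_trans } for pid=16622 comm="procmail"
name="spamdomain" dev=dm-1 ino=1399071
scontext=system_u:system_r:procmail_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""
# A record starts at "audit(", optionally preceded by a syslog or auditd prefix.
RECORD_START = re.compile(r"^(?:.*?kernel: |type=\w+ msg=)?audit\(")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def join_wrapped(text):
    """Re-join records that were wrapped onto several lines."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records

def parse_avc(record):
    """Extract permissions, contexts and object class; None if not an AVC."""
    m = AVC_RE.search(record)
    return m and {"perms": set(m["perms"].split()), "sctx": m["sctx"],
                  "tctx": m["tctx"], "tclass": m["tclass"]}

def summarise(text):
    """Group denials by (source type, target type, class), merging the perms."""
    grouped = defaultdict(set)
    for avc in filter(None, map(parse_avc, join_wrapped(text))):
        key = (avc["sctx"].split(":")[2], avc["tctx"].split(":")[2], avc["tclass"])
        grouped[key] |= avc["perms"]
    return {k: sorted(v) for k, v in grouped.items()}

def allow_rules(text):
    """Render the summary as candidate rules to review, not to load blindly."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summarise(text).items())]
```

Each rule it prints is a starting point for deciding whether a file-context change, an existing boolean or interface, or a local module is the right fix; the grouping makes it obvious when one mislabelled object accounts for many denials.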
selinux breaks nfs
by dragoran
hello
I tried to share a partition using nfs (using system-config-nfs), but
selinux prevents it from being mounted:
audit(1145781795.498:64): avc: denied { dac_override } for pid=26228
comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:65): avc: denied { dac_read_search } for
pid=26228 comm="rpc.mountd" capability=2
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:66): avc: denied { dac_override } for pid=26228
comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781795.498:67): avc: denied { dac_read_search } for
pid=26228 comm="rpc.mountd" capability=2
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:68): avc: denied { dac_override } for pid=26228
comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:69): avc: denied { dac_read_search } for
pid=26228 comm="rpc.mountd" capability=2
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:70): avc: denied { dac_override } for pid=26228
comm="rpc.mountd" capability=1 scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
audit(1145781817.496:71): avc: denied { dac_read_search } for
pid=26228 comm="rpc.mountd" capability=2
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:system_r:nfsd_t:s0 tclass=capability
All booleans for nfs are set to true; if I do setenforce 0 it works.
I am using selinux-policy-targeted-2.2.34-3.fc5 (from updates testing)
on FC x86_64.
Where are targeted policy sources for FC5?
by James Garrison
Many references exist to an RPM package called
selinux-policy-targeted-sources in FC4, but this
package doesn't seem to exist in FC5. Anyone know
where the corresponding package for FC5 is located?
--
James Garrison Athens Group, Inc.
mailto:jhg@athensgroup.com 5608 Parkcrest Dr
http://www.athensgroup.com Austin, TX 78731
SKYPE callto:jhg-athensgroup (512) 345-0600 x150
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C
Dovecot quota support
by Paul Howarth
Dovecot now has quota support and it uses getmntent() to find the
mountpoints. However, it's not allowed to read /etc/mtab:
May 12 12:52:51 goalkeeper kernel: audit(1147434771.028:15131): avc:
denied { read } for pid=15788 comm="dovecot" name="mtab" dev=dm-0
ino=381458 scontext=user_u:system_r:dovecot_t:s0
tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
May 12 12:52:51 goalkeeper kernel: audit(1147434771.028:15132): avc:
denied { getattr } for pid=15788 comm="dovecot" name="mtab" dev=dm-0
ino=381458 scontext=user_u:system_r:dovecot_t:s0
tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
These getattr denials are for the three non-LVM partitions I have
(/dev/shm being the tmpfs one). The 6 LVM volumes didn't generate these:
May 12 12:52:51 goalkeeper kernel: audit(1147434771.048:15133): avc:
denied { getattr } for pid=15788 comm="dovecot" name="/" dev=hda2
ino=2 scontext=user_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
May 12 12:52:51 goalkeeper kernel: audit(1147434771.048:15134): avc:
denied { getattr } for pid=15788 comm="dovecot" name="/" dev=hda1
ino=2 scontext=user_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir
May 12 12:52:51 goalkeeper kernel: audit(1147434771.048:15135): avc:
denied { getattr } for pid=15788 comm="dovecot" name="/" dev=tmpfs
ino=4523 scontext=user_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
No big deal for me as I don't use quotas but someone will complain about
it eventually...
Paul.
Allowing vsftpd access for user's home directory
by Ketut Mahaindra
Hello all,
I have installation of FC5.
I want to make vsftpd run with chroot environment of user home directory.
So far it does not work because SELinux prevents vsftpd from accessing the
home directory.
What's the best way to configure SELinux for this purpose?
I don't want to disable it.
I have been googling around but so far have not come up with any easy
solution.
Any help will be appreciated.
P.S.
- I have the following AVC error messages:
avc: denied { dac_override } for pid=9099 comm="vsftpd" capability=1
scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
tclass=capability
avc: denied { dac_read_search } for pid=9099 comm="vsftpd" capability=2
scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:system_r:ftpd_t:s0
tclass=capability
--
Best regards,
Ketut Mahaindra (Ito)
rndc and chroot
by Paul Howarth
It appears that rndc and chroot named don't mix nicely.
I got these denials:
May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc:
denied { read } for pid=19767 comm="rndc" name="rndc.conf" dev=dm-0
ino=381773 scontext=root:system_r:ndc_t:s0
tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file
May 10 15:07:08 goalkeeper kernel: audit(1147270028.272:15089): avc:
denied { read } for pid=19767 comm="rndc" name="rndc.key" dev=dm-0
ino=381783 scontext=root:system_r:ndc_t:s0
tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file
because rndc isn't allowed to follow symlinks into the chroot named
environment:
$ ls -lZ /etc/rndc.*
lrwxrwxrwx root named system_u:object_r:named_conf_t
/etc/rndc.conf -> /var/named/chroot//etc/rndc.conf
lrwxrwxrwx root named system_u:object_r:dnssec_t
/etc/rndc.key -> /var/named/chroot/etc/rndc.key
$ ls -lZL /etc/rndc.*
-rw-r----- root named system_u:object_r:named_conf_t
/etc/rndc.conf
-rw-r----- root named system_u:object_r:dnssec_t /etc/rndc.key
I think ndc_t should be able to follow these links.
Paul.
selinux-policy.spec weirdness?
by Valdis.Kletnieks@vt.edu
I am looking at selinux-policy-2.2.38-1.src.rpm. Does anybody know
why there isn't a %build section in the .SPEC file? I was *hoping*
to do a 'rpmbuild -bc' to assist in debugging an outstanding problem
I'm having with strict policy, but apparently all the building gets
done in the %install. Blech.