FC5: Problem with acroread and CISCO VPN
by Klaus Steinberger
Hello,
in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well as
acroread:
[klaus.steinberger@noname ~]$ acroread
/usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading shared
libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore
segment prot after reloc: Permission denied
[klaus.steinberger@noname ~]$
type=AVC msg=audit(1146115808.601:23): avc: denied { execmod } for pid=3366
comm="acroread" name="libJP2K.so" dev=hda2 ino=2680495
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
type=SYSCALL msg=audit(1146115808.601:23): arch=40000003 syscall=125
success=no exit=-13 a0=2d4000 a1=aa000 a2=5 a3=bfb2dfd0 items=0 pid=3366
auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100
sgid=100 fsgid=100 comm="acroread"
exe="/usr/lib/acroread/Reader/intellinux/bin/acroread"
type=AVC_PATH msg=audit(1146115808.601:23):
path="/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so"
[klaus.steinberger@noname ~]$ vpnclient connect lrz
vpnclient: error while loading shared
libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot
after reloc: Permission denied
[klaus.steinberger@noname ~]$
type=AVC msg=audit(1146115819.449:24): avc: denied { execmod } for pid=3437
comm="vpnclient" name="libvpnapi.so" dev=hda2 ino=2676482
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
type=SYSCALL msg=audit(1146115819.449:24): arch=40000003 syscall=125
success=no exit=-13 a0=5ce000 a1=43000 a2=5 a3=bfa87450 items=0 pid=3437
auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100
sgid=100 fsgid=100 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
type=AVC_PATH msg=audit(1146115819.449:24):
path="/opt/cisco-vpnclient/lib/libvpnapi.so"
My system is up2date:
[klaus.steinberger@noname ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.2.34-3.fc5
[klaus.steinberger@noname ~]$ rpm -q acroread
acroread-7.0.5-2.2
[klaus.steinberger@noname ~]$
I'm currently not too familiar with selinux, so the only workaround I know is
to "setenforce 0".
Sincerely,
Klaus
--
Klaus Steinberger Maier-Leibnitz Labor
Phone: (+49 89)289 14287 Am Coulombwall 6, D-85748 Garching, Germany
FAX: (+49 89)289 14280 EMail: Klaus.Steinberger(a)Physik.Uni-Muenchen.DE
URL: http://www.physik.uni-muenchen.de/~k2/
In a world without Walls and Fences, who needs Windows and Gates
prelink and ssh_keysign_exec_t
by Tom London
Running latest rawhide, targeted/enforcing (selinux-policy-targeted-2.2.38-1):
Prelink produces the following AVC:
type=AVC msg=audit(1147186351.884:41): avc: denied { read } for
pid=4803 comm="prelink" name="ssh-keysign" dev=dm-0 ino=9242507
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:ssh_keysign_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1147186351.884:41): arch=40000003 syscall=5
success=no exit=-13 a0=8de2b68 a1=8000 a2=0 a3=0 items=1 pid=4803
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink"
subj=system_u:system_r:prelink_t:s0
type=CWD msg=audit(1147186351.884:41): cwd="/"
type=PATH msg=audit(1147186351.884:41): item=0
name="/usr/libexec/openssh/ssh-keysign" inode=9242507 dev=fd:00
mode=0104711 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ssh_keysign_exec_t:s0
tom
--
Tom London
NFS sharing is blocked
by Aurelien Bompard
Hi all,
Since the last policy upgrade, I can't share my NFS dir. Since this
directory is also available through apache, I had to set its type to
httpd_sys_content_t.
I'm getting this type of message:
type=AVC msg=audit(1146845517.056:16545): avc: denied { getattr } for
pid=8729 comm="rpc.mountd" name="musique" dev=md0 ino=17039419
scontext=user_u:system_r:nfsd_t:s0
tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=dir
Which type should it be labeled to be seen from NFS and from Apache (and
from FTP by the way)?
Which leads me to another question: is there a tool to view which
file_contexts a program is allowed to access? If there isn't, do you think
it wouldn't be hard to write one (can the python bindings do that)?
Thanks
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard(a)jabber.fr
"Millions long for immortality who do not know what to do with themselves
on a rainy Sunday afternoon." -- Susan Ertz
Re: Disable for java?
by Fred Harris
Thanks for replying.
Bruno, I tried doing what you said, but had to use
setsebool -P allow_execmem true ('true' instead of 'on')
is that the same thing? I think it was already enabled anyway.
The problem I'm getting is with message logging, not with
enabling.
Paul, the messages I'm getting are the following.
>>>
May 4 16:50:32 bd1 kernel: audit(1146786631.723:22): avc: granted { execmem } for pid=2159 comm="java" scontext=root:system_r:initrc_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
<<<
Why would installing in other than /opt make a difference? I used to install in
/usr/java, but Fedora says that /opt is where you should install a comprehensive
package like the JDK. I purposely don't install the GNU JDK because there
are lots of bugs in it I've found.
How do you update to the latest policy for SELinux? I yumed to the latest Kernel. I can't find a package for SELinux, though.
I think I'm not getting some very basic stuff about working with SELinux. It's pretty confusing to me. I've searched most of the FAQs and explanations
I can find on Google. Is there a simple, good link that explains it all? For instance I have this basic question about whether or not you can turn off
monitoring for a specific application like java_home/bin/java. It seems to me that something like that would be absolutely necessary while apps get up to speed with SELinux.
Thanks.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Re: Disable for java?
by Fred Harris
BTW, sorry, I'm not sure if I made this clear. The reason execmem message logging is a problem is that they're flooding my logs and are making log reading very difficult. It seems to be about a couple of hundred messages at Tomcat startup and another couple hundred every hour, so it's a big pain to deal with them.
Thanks
targeted policy will not let hostname write to pgstartup.log
by John Griffiths
When postgreSQL starts, hostname is denied write to the pgstartup.log.
May 4 23:13:12 gei kernel: audit(1146798787.850:59): avc: denied {
append } for pid=2479 comm="hostname" name="pgstartup.log" dev=dm-0
ino=1333032 scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:object_r:postgresql_log_t:s0 tclass=file
Using selinux-policy-targeted-2.2.34-3.fc5
Regards,
John
Disable for java?
by Fred Harris
Is there any way to disable selinux for java? I tried
chcon -t java_exec_t /opt/java
which I found searching around, and that didn't work.
The problem I'm having is that I'm getting a million messages
complaining about "execmem", I guess having something to
do with accessing shared memory. I'm trying to run Tomcat
and get about 100 messages per minute, so I'm faced
with either turning off selinux completely, turning off
the error logging on selinux, or turning off selinux
for java specifically.
I'm running the latest Sun Java version.
Thanks.
Re: lame/libxvidcore & execstack
by Ted Rule
Erm. Doesn't that break "rpm -V" file consistency checking?
Shouldn't it rather be done at the end of the rpm SPEC %install phase
during the RPM build rather than during RPM install itself?
Daniel J Walsh wrote:
> Date: Wed, 03 May 2006 14:10:27 -0400
> From: Daniel J Walsh <dwalsh(a)redhat.com>
> Subject: Re: lame/libxvidcore & execstack
> To: fedora-selinux-list(a)redhat.com
> Message-ID: <4458F213.4040505(a)redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Axel Thimm wrote:
> > On Tue, May 02, 2006 at 03:09:03PM -0400, Daniel J Walsh wrote:
> >
> >> Axel Thimm wrote:
> >>
> >>> On Tue, May 02, 2006 at 02:27:24PM -0400, John Griffiths wrote:
> >>>
> >>>
> >>>> Axel Thimm wrote:
> >>>>
> >>>>
> >>>>> On Tue, May 02, 2006 at 02:07:37PM -0400, John Griffiths wrote:
> >>>>>
> >>>>>
> >>>>>> Daniel J Walsh wrote:
> >>>>>>
> >>>>>>
> >>>>>>> John Griffiths wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>> fedora-selinux-list-request(a)redhat.com wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> Subject:
> >>>>>>>>> Error running ffmpeg due to permission denied on library
> >>>>>>>>> From:
> >>>>>>>>> "Robert Foster" <rfoster(a)mountainvisions.com.au>
> >>>>>>>>> Date:
> >>>>>>>>> Thu, 27 Apr 2006 12:41:09 +1000
> >>>>>>>>> To:
> >>>>>>>>> <fedora-selinux-list(a)redhat.com>
> >>>>>>>>>
> >>>>>>>>> To:
> >>>>>>>>> <fedora-selinux-list(a)redhat.com>
> >>>>>>>>> I'm trying to get ffmpeg working for Gallery2 on FC5, and
> getting
> >>>>>>>>> the following error (from the debug message via Gallery):
> >>>>>>>>>
> >>>>>>>>>
> >>>
> >>>
> >>>>>>>> I had the same problem when using Kino which also uses
> ffmpeg. Here
> >>>>>>>> is what I did and it works.
> >>>>>>>>
> >>>>>>>> execstack -c /usr/lib/libmp3lame.so.0
> >>>>>>>> execstack -c /usr/lib/libxvidcore.so.4
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>> Please submit bugs on these to Kino and ffmpeg.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> Actually /usr/lib/libmp3lame.so.0 is part of
> lame-3.96.1-10.rhfc5.at
> >>>>>> and libxvidcore4-1.1.0-8.rhfc5.at both from ATRpms.net.
> >>>>>>
> >>>>>> I'll let the people at ATRpm know.
> >>>>>>
> >>>>>>
> >>>>> Is this considered a packaging or upstream issue?
> >>>>>
> >>>>> If packaging: What is the recommended way to fix it
> specfile-wise?
> >>>>>
> >>>>>
> >>>>>
> >>> From this, I find the folks at ATRpms know.
> >>>
> >>>>
> >>>>
> >>> I'm very sure they'll be just as confused as I am ;)
> >>>
> >>>
> >> Point them at
> >>
> >
> > ^^^^
> >
> > Them is largely myself, that's why I can tell how confused "they"
> will
> > be. ;)
> >
> >
> >> http://people.redhat.com/~drepper/selinux-mem.html
> >>
> >> and
> >>
> >> http://people.redhat.com/drepper/nonselsec.pdf
> >>
> >
> > But these reference upstream fixing, not packaging ones. Do idioms
> > exist to circumvent this at the packaging level (other than fixing
> the
> > source and Patch0: the fix), or is the recommendation to report to
> > upstream and wait for a fix while disabling selinux in the
> meantime?
>
> How about executing
>
> execstack -c /usr/lib/libmp3lame.so.0
>
> execstack -c /usr/lib/libxvidcore.so.4
>
>
> In the postinstall? If it does not break anything.
>
Erm. Doesn't that break "rpm -V" file checking?
Shouldn't it be done at the end of the rpm SPEC %install phase during
the build?
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
failed to customize policy, SELinux won't let me
by Florin Andrei
Fresh FC5 install (not an update) on an Intel 32bit CPU.
Applied all updates, reboot, let anacron do its job, reboot.
Installed Postfix and Cyrus-IMAPd
While testing Postfix with Cyrus I got this:
May 3 09:38:25 stantz kernel: audit(1146674305.211:305): avc: denied
{ search } for pid=3441 comm="lmtp" name="lib" dev=hda2 ino=2293761
scontext=user_u:system_r:postfix_master_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
OK, fine, I go here and follow the steps (all the time working in
the /root/selinux directory):
http://fedora.redhat.com/docs/selinux-faq-fc5/#faq-entry-local.te
However, I can't seem to load the local module:
# /usr/sbin/semodule -i local.pp
/usr/sbin/semodule: Could not read file 'local.pp':
# ls
local.fc local.if local.pp local.te tmp
# cat local.te
policy_module(local, 1.0)
require {
type postfix_master_t;
type var_lib_t;
}
allow postfix_master_t var_lib_t:dir search;
In the logs I get this:
audit(1146674668.001:307): avc: denied { search } for pid=3569
comm="semodule" name="selinux" dev=hda4 ino=6501763
scontext=user_u:system_r:semanage_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=dir
What is going on?
--
Florin Andrei
http://florin.myip.org/
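Worked example (added here; not code from any of the posts or from the Fedora project): a small POSIX sh script in the spirit of audit2allow that reads AVC records like the ones in Klaus's acroread/vpnclient report and Florin's lmtp report above and turns each into the action a local administrator would take. It assumes two things the threads do not spell out: that an execmod denial on a plain lib_t library is the text-relocation case, for which the reference-policy answer is the textrel_shlib_t file type rather than an allow rule, and that a local module uses the policy_module/require/allow layout from the FC5 FAQ Florin followed. The sample AVC lines are constructed copies of the ones above, the /PATH/TO/ prefix stands in for the path carried in the matching AVC_PATH record, and the function names are the script's own.

```sh
#!/bin/sh
# Added example, not code from any of the posts above: a miniature audit2allow
# that turns AVC lines into either a relabel suggestion or a local.te rule.
# Assumptions: execmod on a lib_t library means text relocations, handled by
# the textrel_shlib_t type (FC5 reference policy); local.te follows the FC5
# SELinux FAQ layout. Needs neither root nor an SELinux-enabled host.

# Constructed sample AVC records (shortened from the acroread and lmtp posts).
SAMPLE_AVCS='type=AVC msg=audit(1146115808.601:23): avc: denied { execmod } for pid=3366 comm="acroread" name="libJP2K.so" dev=hda2 ino=2680495 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1146674305.211:305): avc: denied { search } for pid=3441 comm="lmtp" name="lib" dev=hda2 ino=2293761 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the denied permission between the braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p'
}

# avc_advice LINE: one line of advice for a single denial.
#   execmod on a plain lib_t library -> relabel the library (text relocations)
#                                       instead of granting execmod to the domain
#   anything else                     -> TE allow rule for a local.te module
avc_advice() {
    perm=$(avc_perm "$1")
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    tclass=$(avc_field "$1" tclass)
    name=$(avc_field "$1" name)
    if [ "$perm" = execmod ] && [ "$ttype" = lib_t ]; then
        # The real path is in the matching AVC_PATH record; placeholder here.
        printf 'chcon -t textrel_shlib_t /PATH/TO/%s\n' "$name"
    else
        printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perm"
    fi
}

# build_local_te: read AVC lines on stdin and emit a complete local.te with a
# require block that lists every type once and one allow rule per denial.
build_local_te() {
    rules=$(while IFS= read -r l; do avc_advice "$l"; done | grep '^allow ' || true)
    printf 'policy_module(local, 1.0)\n\n'
    if [ -z "$rules" ]; then
        printf '# no rules: every denial above needs a relabel, not an allow\n'
        return 0
    fi
    printf 'require {\n'
    # types appear as "allow <stype> <ttype>:<class> <perm>;"
    printf '%s\n' "$rules" | awk '{ sub(/:.*/, "", $3); print $2; print $3 }' \
        | sort -u | sed 's/.*/    type &;/'
    printf '}\n\n%s\n' "$rules"
}

# Stand-alone run: per-denial advice first, then the generated module source.
printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r l; do avc_advice "$l"; done
echo
printf '%s\n' "$SAMPLE_AVCS" | build_local_te
```

Running it prints one advice line per denial and then a complete local.te. Two practitioner notes: a chcon change lasts only until the next relabel, so the persistent form is a semanage fcontext entry for the library path; and Florin's second AVC (semanage_t denied search on a user_home_t directory) shows semodule being refused access to the home directory the module was built in, so the resulting local.pp has to be loaded from a directory whose label semodule's domain is allowed to read.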