June 2006 - selinux - Fedora Mailing-Lists

by Tim Fenn

I just finished installing FC5 on a machine along with samba, and for whatever reason I'm getting execstack errors when trying to start it (just using service smb start): kernel: audit(1151522284.161:13552): avc: denied { execstack } for pid=28158 comm="smbd" scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:system_r:smbd_t:s0 tclass=process although execstack reports otherwise: # execstack -q /usr/sbin/smbd - /usr/sbin/smbd setup: samba-3.0.22-1.fc5 selinux-policy-targeted-2.2.43-4.fc5 kernel 2.6.17-1.2139_FC5 Any hints/pointers as to whats going on here would be greatly appreciated. -Tim

17 years, 10 months

2
2
0 / 0

rpc.statd, ntpdate/ntpd avcs..

by Tom London

Running targeted/enforcing, latest rawhide. Noticed the following in /var/log/audit/audit.log: type=AVC msg=audit(1151339261.011:8): avc: denied { send } for pid=2087 comm="rpc.statd" saddr=127.0.0.1 src=32770 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet type=SYSCALL msg=audit(1151339261.011:8): arch=40000003 syscall=102 success=no exit=-1 a0=b a1=bfc68f34 a2=fefff4 a3=fad8c0 items=0 ppid=2086 pid=2087 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) comm="rpc.statd" exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 type=SOCKADDR msg=audit(1151339261.011:8): saddr=0200006F7F0000010000000000000000 type=SOCKETCALL msg=audit(1151339261.011:8): nargs=6 a0=7 a1=96281f8 a2=38 a3=0 a4=9628010 a5=10 type=AVC msg=audit(1151339261.123:9): avc: denied { send } for pid=2087 comm="rpc.statd" saddr=127.0.0.1 src=32770 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet type=AVC msg=audit(1151339277.372:11): avc: denied { send } for pid=2290 comm="ntpdate" saddr=10.10.4.52 src=32771 daddr=10.10.2.102 dest=53 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet type=SYSCALL msg=audit(1151339277.372:11): arch=40000003 syscall=102 success=no exit=-1 a0=9 a1=bfd21190 a2=3d1ff4 a3=5 items=0 ppid=2281 pid=2290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:ntpd_t:s0 type=SOCKETCALL msg=audit(1151339277.372:11): nargs=4 a0=4 a1=bfd214f0 a2=20 a3=4000 type=AVC msg=audit(1151339277.372:12): avc: denied { send } for pid=2290 comm="ntpdate" saddr=10.10.4.52 src=32771 daddr=10.10.2.11 dest=53 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet type=SYSCALL msg=audit(1151339277.372:12): arch=40000003 syscall=102 success=no exit=-1 a0=9 a1=bfd21190 a2=3d1ff4 a3=3 items=0 ppid=2281 pid=2290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate" subj=system_u:system_r:ntpd_t:s0 type=SOCKETCALL msg=audit(1151339277.372:12): nargs=4 a0=4 a1=bfd214f0 a2=20 a3=4000 <<<< similar for ntpd >>>>> type=SYSCALL msg=audit(1151339261.123:9): arch=40000003 syscall=102 success=no exit=-1 a0=b a1=bfc68ee4 a2=fefff4 a3=fad8c0 items=0 ppid=1 pid=2087 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) comm="rpc.statd" exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 type=SOCKADDR msg=audit(1151339261.123:9): saddr=0200006F7F0000010000000000000000 type=SOCKETCALL msg=audit(1151339261.123:9): nargs=6 a0=3 a1=9628f40 a2=38 a3=0 a4=9628d58 a5=10 type=AVC msg=audit(1151339261.163:10): avc: denied { send } for pid=2087 comm="rpc.statd" saddr=127.0.0.1 src=32771 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet type=SYSCALL msg=audit(1151339261.163:10): arch=40000003 syscall=102 success=no exit=-1 a0=b a1=bfc68ec0 a2=fefff4 a3=fad8c0 items=0 ppid=1 pid=2087 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) comm="rpc.statd" exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0 type=SOCKADDR msg=audit(1151339261.163:10): saddr=0200006F7F0000010000000000000000 type=SOCKETCALL msg=audit(1151339261.163:10): nargs=6 a0=7 a1=962cb38 a2=38 a3=0 a4=962c950 a5=10 tom -- Tom London

17 years, 10 months

1
1
0 / 0

FC6T1 avc denied messages

by Jay Cliburn

I installed FC6T1 in the last day or two, and I'm seeing lots of avc:denied messages when something tries to access the network. The common thread seems to be netif. SELinux is enforcing. I relabeled with: setfiles /etc/selinux/targeted/contexts/files/file_contexts / but the problem persists. [root@gadwall etc]# grep "avc: denied" /var/log/messages | more Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 04:26:44 gadwall kernel: audit(1151227604.199:29): avc: denied { send } for pid=28419 comm="smtp" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 04:26:47 gadwall kernel: audit(1151227607.199:30): avc: denied { send } for pid=28697 comm="makewhatis" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 04:26:53 gadwall kernel: audit(1151227613.199:31): avc: denied { send } for pid=29189 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 04:27:05 gadwall kernel: audit(1151227625.200:32): avc: denied { send } for pid=30221 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 05:00:03 gadwall kernel: audit(1151229603.556:33): avc: denied { send } for pid=22871 comm="smtp" saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 05:00:06 gadwall kernel: audit(1151229606.556:34): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 05:00:12 gadwall kernel: audit(1151229612.556:35): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 05:00:24 gadwall kernel: audit(1151229624.557:36): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 06:06:43 gadwall kernel: audit(1151233603.890:37): avc: denied { send } for pid=22984 comm="smtp" saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 06:06:46 gadwall kernel: audit(1151233606.890:38): avc: denied { send } for saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 06:06:52 gadwall kernel: audit(1151233612.890:39): avc: denied { send } for saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 06:07:04 gadwall kernel: audit(1151233624.891:40): avc: denied { send } for saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 07:30:04 gadwall kernel: audit(1151238604.282:41): avc: denied { send } for pid=23122 comm="smtp" saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 07:30:07 gadwall kernel: audit(1151238607.283:42): avc: denied { send } for saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 07:30:13 gadwall kernel: audit(1151238613.283:43): avc: denied { send } for saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 07:30:25 gadwall kernel: audit(1151238625.284:44): avc: denied { send } for saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 08:53:25 gadwall kernel: audit(1151243605.259:45): avc: denied { send } for pid=23349 comm="smtp" saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 08:53:28 gadwall kernel: audit(1151243608.259:46): avc: denied { send } for saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 08:53:34 gadwall kernel: audit(1151243614.259:47): avc: denied { send } for saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 08:53:46 gadwall kernel: audit(1151243626.260:48): avc: denied { send } for saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 10:16:44 gadwall kernel: audit(1151248604.735:49): avc: denied { send } for pid=23490 comm="smtp" saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 10:16:47 gadwall kernel: audit(1151248607.736:50): avc: denied { send } for saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 10:16:53 gadwall kernel: audit(1151248613.736:51): avc: denied { send } for saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 10:17:05 gadwall kernel: audit(1151248625.737:52): avc: denied { send } for saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:53): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:54): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.2 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:55): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet

17 years, 10 months

3
5
0 / 0

Polyinstantiated directory instance name bug?

by Joe Nall

I added the following line to the end of /etc/pam.d/[login,sshd,su] session required pam_namespace.so debug I added the following line to /etc/security/namespace.conf /var/polyinstantiated /var/polyinstantiated/polyinstantiated- inst/ context root,adm If I ssh to test@localhost and touch /var/polyinstantiated/foo I get cd /var [root@cipso var]# ls -lR polyinstantiated/ polyinstantiated/: total 20 d--------- 3 root root 4096 Jun 23 18:32 polyinstantiated-inst polyinstantiated/polyinstantiated-inst: total 8 drwxrwxrwx 2 root root 4096 Jun 23 18:41 test polyinstantiated/polyinstantiated-inst/test: total 8 -rw-rw-r-- 1 test test 0 Jun 23 18:41 bar -rw-rw-r-- 1 test test 0 Jun 23 18:35 foo Shouldn't the instance name be the context instead of the username (test)? joe

17 years, 10 months

2
3
0 / 0

Step-by-Step Guide To Creating SELinux Policy for Google Earth

by Benjy Grogan

Hello: Would it be possible for the SELinux team at Red Hat to create an SELinux policy module for Google Earth and to show the step by step process for confining the application? I think these kind of examples would be useful to developers attempting to create SELinux policies for other rpm packages out there. I'm not interested so much in the actual policy module, but in creating it myself from step-by-step instructions. IMHO, that would be the best way to educate developers on how to use SELinux. Thanks, Benjy

17 years, 10 months

4
13
0 / 0

firefox downloaded files are user_u:object_r:tmp_t

by dragoran

When I download a file using firefox it is saved as user_u:object_r:tmp_t it should be user_u:object_r:user_home_t I have a folder which is shared using samba and when I download a file into it I had to restorecon it in order to let the windows clients (and linux) see it. I am using FC5 x86_64 with selinux-policy-targeted-2.2.40-1.fc5 note: I am using a 32bit firefox build

17 years, 10 months

3
7
0 / 0

Re: Selinux Sources

by Paul Howarth

Miguel Fernandes wrote: > Sorry, I'm not following you. I'm relatively new to linux and don't know > what to do. Is SRPM like an RPM? it installs in the same way? Not quite. The SRPM contains the source code, patches, and other files for a package, plus the "recipe" in the form of a "spec" file for how to build the regular RPM. When you install an SRPM, it's just extracted into a few directories and not entered into your RPM database. You do not have to be root to install an SRPM, and in fact you shouldn't build packages as root anyway, for security reasons. Here's what I'd do to look at the sources in FC5: 1. Set up an RPM build environment for your account: http://www.city-fan.org/tips/CreateRPMBuildEnvironment 2. Get the selinux-policy SRPM: # yum install yum-utils (do that as root; you don't need to be root for anything else) $ yumdownloader --source --enablerepo=updates-source selinux-policy 3. Install the SRPM: $ rpm -Uvh selinux-policy-2.2.43-4.fc5.src.rpm 4. Unpack tarball and apply patches: $ cd ~/rpmbuild/SPECS $ rpmbuild -bp selinux-policy.spec That should leave you with the patched policy sources corresponding to the latest FC5 policy in ~/rpmbuild/BUILD/serefpolicy-2.2.43 Paul.

17 years, 10 months

2
1
0 / 0

Help, SELinux warnings on data-preserved partitions

by yaomaidongxi-fc3forum＠yahoo.com.cn

Sincere apologies if you receive this multiple times. Hi, everyone I installed a Fedora Core 5 on my desktop PC. Each time by the end of a startup, I can see the following errors on the screen, for each patitions that not formatted on installing (because they have data and used before that install). # Here come the errors Jun 21 10:30:04 localhost avahi-daemon[2216]: Server startup complete. Host name is localhost.local. Local service cookie is 283868878. Jun 21 10:30:05 localhost kernel: audit(1150857005.013:2): avc: denied { getattr } for pid=2236 comm="hald" name="/" dev=sda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir Jun 21 10:30:05 localhost kernel: audit(1150857005.177:3): avc: denied { getattr } for pid=2236 comm="hald" name="/" dev=sda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir ... And many warnings like that. I also observed that there is a "operation not supported" message when mounting on start-up and a failure on stopping bluetooth daemon. I asked in a forum and someone told me it is a problem of SELinux that "Hald daemon can't get attributes from this partition". I am suggested 1) disable SELinux; 2) ignore these warnings; 3) read SELinux's mannual. But I am a newbie and not ready to look though the whole mannal to find out a solution. Is there a quick and easy way to fix it? Thanks. ---YAO --------------------------------- Mp3疯狂搜-新歌热歌高速下

17 years, 10 months

2
1
0 / 0

Problem with run_init

by Roland Cruesemann

Hello, this is a rather basic question concerning run_init. I use the targeted policy. If I start a daemon, for example postgresql, with run_init: run_init /etc/init.d/postgresql start postgresql ends up in the unconfined_t domain. But during a reboot postgresql is transferred to the correct postgresql_t domain. The content of /etc/selinux/targeted/contexts/initrc_context is user_u:system_r:unconfined_t Best regards, Roland Cruesemann -- Roland Crüsemann TC TrustCenter a company of GeoTrust Sonninstr. 24 - 28 D-20097 Hamburg Germany Phone: +49 40 / 80 80 26 210 Fax: +49 40 / 80 80 26 126 mailto:roland.cruesemann@trustcenter.de http://www.trustcenter.de http://www.geotrust.com This email may contain confidential and privileged material for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient please contact the sender and delete all copies.

17 years, 10 months

3
2
0 / 0

runcon command

by Roland Cruesemann

Hello, we use the targeted policy. We would like to start the PostgreSQL database under the user postgresql too. But doing so using the command runcon one needs an additional allow unconfined_t postgresql_t:process transition; statement. This is of course not so nice. Are there any other methods available? Best regards, Roland Cruesemann -- Roland Crüsemann TC TrustCenter a company of GeoTrust Sonninstr. 24 - 28 D-20097 Hamburg Germany Phone: +49 40 / 80 80 26 210 Fax: +49 40 / 80 80 26 126 mailto:roland.cruesemann@trustcenter.de http://www.trustcenter.de http://www.geotrust.com This email may contain confidential and privileged material for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient please contact the sender and delete all copies.

17 years, 10 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2006