smbd execstack error
by Tim Fenn
I just finished installing FC5 on a machine along with samba, and for
whatever reason I'm getting execstack errors when trying to start it
(just using service smb start):
kernel: audit(1151522284.161:13552): avc: denied { execstack } for pid=28158 comm="smbd" scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:system_r:smbd_t:s0 tclass=process
although execstack reports otherwise:
# execstack -q /usr/sbin/smbd
- /usr/sbin/smbd
setup:
samba-3.0.22-1.fc5
selinux-policy-targeted-2.2.43-4.fc5
kernel 2.6.17-1.2139_FC5
Any hints/pointers as to what's going on here would be greatly
appreciated.
-Tim
17 years, 10 months
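`execstack -q` reports one thing: the PF_X bit of the PT_GNU_STACK program header in the file it is handed. The kernel's execstack check, by contrast, fires when something in the running process asks for the stack to be mapped executable (glibc's dynamic loader does this on behalf of any shared object it loads that itself carries an executable-stack PT_GNU_STACK), so a clean verdict on /usr/sbin/smbd alone does not settle the question. The Python below is an added example, not code from the post or from the prelink/execstack tool: it parses the ELF program headers and prints the same X / - / ? marker, and can be pointed at every library the daemon maps. The `build_minimal_elf64` helper fabricates a tiny ELF image purely as offline test input; it is not a loadable binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header recording the requested stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header in an ELF image, or None if there is none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"  # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:  # ELFCLASS64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4    # Elf64_Phdr: p_type, then p_flags
    elif ei_class == 1:  # ELFCLASS32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24   # Elf32_Phdr: p_flags sits after p_memsz
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
            return p_flags
    return None


def execstack_marker(data):
    """The one-character verdict execstack -q prints: X executable, - not, ? no header."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "?"  # the default then depends on architecture and kernel, so report unknown
    return "X" if flags & PF_X else "-"


def build_minimal_elf64(stack_flags):
    """Constructed test input: an ELF64 image whose only program header is PT_GNU_STACK."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, v1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        3, 0x3E, 1,      # e_type ET_DYN, e_machine EM_X86_64, e_version
        0,               # e_entry
        64, 0, 0,        # e_phoff (directly after this header), e_shoff, e_flags
        64, 56, 1,       # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)        # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python execstack_check.py /usr/sbin/smbd /usr/lib/samba/*.so
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(execstack_marker(f.read()), path)
```

Run it over the daemon and the libraries listed in its /proc/PID/maps; a single X among them is enough to explain an execstack denial even when the main binary shows -.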
rpc.statd, ntpdate/ntpd avcs..
by Tom London
Running targeted/enforcing, latest rawhide.
Noticed the following in /var/log/audit/audit.log:
type=AVC msg=audit(1151339261.011:8): avc: denied { send } for
pid=2087 comm="rpc.statd" saddr=127.0.0.1 src=32770 daddr=127.0.0.1
dest=111 netif=lo scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1151339261.011:8): arch=40000003 syscall=102
success=no exit=-1 a0=b a1=bfc68f34 a2=fefff4 a3=fad8c0 items=0
ppid=2086 pid=2087 auid=4294967295 uid=29 gid=29 euid=29 suid=29
fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) comm="rpc.statd"
exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0
type=SOCKADDR msg=audit(1151339261.011:8):
saddr=0200006F7F0000010000000000000000
type=SOCKETCALL msg=audit(1151339261.011:8): nargs=6 a0=7 a1=96281f8
a2=38 a3=0 a4=9628010 a5=10
type=AVC msg=audit(1151339261.123:9): avc: denied { send } for
pid=2087 comm="rpc.statd" saddr=127.0.0.1 src=32770 daddr=127.0.0.1
dest=111 netif=lo scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=AVC msg=audit(1151339277.372:11): avc: denied { send } for
pid=2290 comm="ntpdate" saddr=10.10.4.52 src=32771 daddr=10.10.2.102
dest=53 netif=eth0 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1151339277.372:11): arch=40000003 syscall=102
success=no exit=-1 a0=9 a1=bfd21190 a2=3d1ff4 a3=5 items=0 ppid=2281
pid=2290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate"
subj=system_u:system_r:ntpd_t:s0
type=SOCKETCALL msg=audit(1151339277.372:11): nargs=4 a0=4 a1=bfd214f0
a2=20 a3=4000
type=AVC msg=audit(1151339277.372:12): avc: denied { send } for
pid=2290 comm="ntpdate" saddr=10.10.4.52 src=32771 daddr=10.10.2.11
dest=53 netif=eth0 scontext=system_u:system_r:ntpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1151339277.372:12): arch=40000003 syscall=102
success=no exit=-1 a0=9 a1=bfd21190 a2=3d1ff4 a3=3 items=0 ppid=2281
pid=2290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ntpdate" exe="/usr/sbin/ntpdate"
subj=system_u:system_r:ntpd_t:s0
type=SOCKETCALL msg=audit(1151339277.372:12): nargs=4 a0=4 a1=bfd214f0
a2=20 a3=4000
<<<< similar for ntpd >>>>>
type=SYSCALL msg=audit(1151339261.123:9): arch=40000003 syscall=102
success=no exit=-1 a0=b a1=bfc68ee4 a2=fefff4 a3=fad8c0 items=0 ppid=1
pid=2087 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29
egid=29 sgid=29 fsgid=29 tty=(none) comm="rpc.statd"
exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0
type=SOCKADDR msg=audit(1151339261.123:9):
saddr=0200006F7F0000010000000000000000
type=SOCKETCALL msg=audit(1151339261.123:9): nargs=6 a0=3 a1=9628f40
a2=38 a3=0 a4=9628d58 a5=10
type=AVC msg=audit(1151339261.163:10): avc: denied { send } for
pid=2087 comm="rpc.statd" saddr=127.0.0.1 src=32771 daddr=127.0.0.1
dest=111 netif=lo scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
type=SYSCALL msg=audit(1151339261.163:10): arch=40000003 syscall=102
success=no exit=-1 a0=b a1=bfc68ec0 a2=fefff4 a3=fad8c0 items=0 ppid=1
pid=2087 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29
egid=29 sgid=29 fsgid=29 tty=(none) comm="rpc.statd"
exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0
type=SOCKADDR msg=audit(1151339261.163:10):
saddr=0200006F7F0000010000000000000000
type=SOCKETCALL msg=audit(1151339261.163:10): nargs=6 a0=7 a1=962cb38
a2=38 a3=0 a4=962c950 a5=10
tom
--
Tom London
17 years, 10 months
FC6T1 avc denied messages
by Jay Cliburn
I installed FC6T1 in the last day or two, and I'm seeing lots of
avc:denied messages when something tries to access the network. The
common thread seems to be netif. SELinux is enforcing.
I relabeled with:
setfiles /etc/selinux/targeted/contexts/files/file_contexts /
but the problem persists.
[root@gadwall etc]# grep "avc: denied" /var/log/messages | more
Jun 25 04:12:39 gadwall kernel: audit(1151226759.322:28): avc: denied { send } for pid=4327 comm="local" saddr=127.0.0.1 src=32769 daddr=127.0.0.1 dest=512 netif=lo scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:44 gadwall kernel: audit(1151227604.199:29): avc: denied { send } for pid=28419 comm="smtp" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:47 gadwall kernel: audit(1151227607.199:30): avc: denied { send } for pid=28697 comm="makewhatis" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:53 gadwall kernel: audit(1151227613.199:31): avc: denied { send } for pid=29189 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:27:05 gadwall kernel: audit(1151227625.200:32): avc: denied { send } for pid=30221 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:03 gadwall kernel: audit(1151229603.556:33): avc: denied { send } for pid=22871 comm="smtp" saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:06 gadwall kernel: audit(1151229606.556:34): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:12 gadwall kernel: audit(1151229612.556:35): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 05:00:24 gadwall kernel: audit(1151229624.557:36): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 06:06:43 gadwall kernel: audit(1151233603.890:37): avc: denied { send } for pid=22984 comm="smtp" saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 06:06:46 gadwall kernel: audit(1151233606.890:38): avc: denied { send } for saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 06:06:52 gadwall kernel: audit(1151233612.890:39): avc: denied { send } for saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 06:07:04 gadwall kernel: audit(1151233624.891:40): avc: denied { send } for saddr=192.168.1.8 src=46089 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 07:30:04 gadwall kernel: audit(1151238604.282:41): avc: denied { send } for pid=23122 comm="smtp" saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 07:30:07 gadwall kernel: audit(1151238607.283:42): avc: denied { send } for saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 07:30:13 gadwall kernel: audit(1151238613.283:43): avc: denied { send } for saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 07:30:25 gadwall kernel: audit(1151238625.284:44): avc: denied { send } for saddr=192.168.1.8 src=34065 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 08:53:25 gadwall kernel: audit(1151243605.259:45): avc: denied { send } for pid=23349 comm="smtp" saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 08:53:28 gadwall kernel: audit(1151243608.259:46): avc: denied { send } for saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 08:53:34 gadwall kernel: audit(1151243614.259:47): avc: denied { send } for saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 08:53:46 gadwall kernel: audit(1151243626.260:48): avc: denied { send } for saddr=192.168.1.8 src=33208 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 10:16:44 gadwall kernel: audit(1151248604.735:49): avc: denied { send } for pid=23490 comm="smtp" saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 10:16:47 gadwall kernel: audit(1151248607.736:50): avc: denied { send } for saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 10:16:53 gadwall kernel: audit(1151248613.736:51): avc: denied { send } for saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 10:17:05 gadwall kernel: audit(1151248625.737:52): avc: denied { send } for saddr=192.168.1.8 src=47209 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:53): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:54): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.2 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:55): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
17 years, 10 months
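The three posts above each paste raw AVC records and ask what to make of them. As an added example, not code from the posts or from the policycoreutils tools, the Python below parses AVC denials in both forms seen here (the `type=AVC msg=audit(...)` records of /var/log/audit/audit.log and the `kernel: audit(...)` lines that land in /var/log/messages), skips the accompanying SYSCALL/SOCKADDR/SOCKETCALL records, groups denials by source type, target type and class the way audit2allow does, and singles out the pattern the network posts share: the target of the denial is the packet itself, labelled unlabeled_t, rather than any file or socket belonging to the daemon. The sample lines are quoted from the posts above (the smbd record has been re-joined onto one line). The generated allow rules are a reading aid, not something to load blindly: `allow smbd_t smbd_t:process execstack;` would switch off exactly the protection that produced the denial.

```python
import re
from collections import defaultdict

# The kernel's AVC message, common to the audit.log and syslog forms of the record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Lines quoted from the posts above (rpc.statd, ntpdate, postfix, ntpd, smbd).
SAMPLE_LINES = [
    'type=AVC msg=audit(1151339261.011:8): avc: denied { send } for pid=2087 comm="rpc.statd" saddr=127.0.0.1 src=32770 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
    'type=SYSCALL msg=audit(1151339261.011:8): arch=40000003 syscall=102 success=no exit=-1 a0=b a1=bfc68f34 a2=fefff4 a3=fad8c0 items=0 ppid=2086 pid=2087 auid=4294967295 uid=29 gid=29 euid=29 suid=29 fsuid=29 egid=29 sgid=29 fsgid=29 tty=(none) comm="rpc.statd" exe="/sbin/rpc.statd" subj=system_u:system_r:rpcd_t:s0',
    'type=AVC msg=audit(1151339277.372:11): avc: denied { send } for pid=2290 comm="ntpdate" saddr=10.10.4.52 src=32771 daddr=10.10.2.102 dest=53 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
    'Jun 25 04:26:44 gadwall kernel: audit(1151227604.199:29): avc: denied { send } for pid=28419 comm="smtp" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
    'Jun 25 05:00:06 gadwall kernel: audit(1151229606.556:34): avc: denied { send } for saddr=192.168.1.8 src=46979 daddr=192.168.1.3 dest=25 netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
    'Jun 25 11:25:07 gadwall kernel: audit(1151252707.572:53): avc: denied { send } for pid=23734 comm="ntpd" saddr=192.168.1.8 src=32771 daddr=4.2.2.1 dest=53 netif=eth0 scontext=user_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet',
    'kernel: audit(1151522284.161:13552): avc: denied { execstack } for pid=28158 comm="smbd" scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:system_r:smbd_t:s0 tclass=process',
]


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    stamp = STAMP_RE.search(line)
    if stamp:
        rec["time"], rec["serial"] = float(stamp.group(1)), int(stamp.group(2))
    return rec


def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(lines):
    """Group denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not all(k in rec for k in ("scontext", "tcontext", "tclass")):
            continue
        g = groups[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        if "comm" in rec:          # some records (the later postfix ones) carry no pid/comm
            g["comms"].add(rec["comm"])
    return dict(groups)


def allow_rules(groups):
    """Render each group as the allow rule that would silence it."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ " + perms + " }"
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perms))
    return rules


def unlabeled_packet_groups(groups):
    """Denials whose target is an unlabeled_t packet: the packet, not the daemon, lacks a label."""
    return {k: g for k, g in groups.items() if k[1] == "unlabeled_t" and k[2] == "packet"}


if __name__ == "__main__":
    groups = summarize(SAMPLE_LINES)
    for rule, (key, g) in zip(allow_rules(groups), sorted(groups.items())):
        print("%-55s # %d denials, comm: %s" % (rule, g["count"], ", ".join(sorted(g["comms"]))))
    print("unlabeled_t packet groups:", sorted(unlabeled_packet_groups(groups)))
```

To use it on a live box, replace SAMPLE_LINES with the lines of /var/log/audit/audit.log (or `grep "avc: denied" /var/log/messages`); the unlabeled_t packet groups tell you the denials concern packet labelling across several unrelated daemons, which points at the kernel/policy combination rather than at rpc.statd, ntpd or postfix individually.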
Polyinstantiated directory instance name bug?
by Joe Nall
I added the following line to the end of /etc/pam.d/[login,sshd,su]
session required pam_namespace.so debug
I added the following line to /etc/security/namespace.conf
/var/polyinstantiated /var/polyinstantiated/polyinstantiated-inst/ context root,adm
If I ssh to test@localhost and touch /var/polyinstantiated/foo I get
cd /var
[root@cipso var]# ls -lR polyinstantiated/
polyinstantiated/:
total 20
d--------- 3 root root 4096 Jun 23 18:32 polyinstantiated-inst
polyinstantiated/polyinstantiated-inst:
total 8
drwxrwxrwx 2 root root 4096 Jun 23 18:41 test
polyinstantiated/polyinstantiated-inst/test:
total 8
-rw-rw-r-- 1 test test 0 Jun 23 18:41 bar
-rw-rw-r-- 1 test test 0 Jun 23 18:35 foo
Shouldn't the instance name be the context instead of the username
(test)?
joe
17 years, 10 months
Step-by-Step Guide To Creating SELinux Policy for Google Earth
by Benjy Grogan
Hello:
Would it be possible for the SELinux team at Red Hat to create an
SELinux policy module for Google Earth and to show the step by step
process for confining the application? I think these kind of examples
would be useful to developers attempting to create SELinux policies
for other rpm packages out there. I'm not interested so much in the
actual policy module, but in creating it myself from step-by-step
instructions. IMHO, that would be the best way to educate developers
on how to use SELinux.
Thanks,
Benjy
17 years, 10 months
firefox downloaded files are user_u:object_r:tmp_t
by dragoran
When I download a file using firefox it is saved as
user_u:object_r:tmp_t; it should be user_u:object_r:user_home_t.
I have a folder which is shared using samba and when I download a file
into it I had to restorecon it in order to let the windows clients (and
linux) see it.
I am using FC5 x86_64 with selinux-policy-targeted-2.2.40-1.fc5
note: I am using a 32bit firefox build
17 years, 10 months
Re: Selinux Sources
by Paul Howarth
Miguel Fernandes wrote:
> Sorry, I'm not following you. I'm relatively new to linux and don't know
> what to do. Is an SRPM like an RPM? Does it install in the same way?
Not quite. The SRPM contains the source code, patches, and other files
for a package, plus the "recipe" in the form of a "spec" file for how to
build the regular RPM. When you install an SRPM, it's just extracted
into a few directories and not entered into your RPM database. You do
not have to be root to install an SRPM, and in fact you shouldn't build
packages as root anyway, for security reasons.
Here's what I'd do to look at the sources in FC5:
1. Set up an RPM build environment for your account:
http://www.city-fan.org/tips/CreateRPMBuildEnvironment
2. Get the selinux-policy SRPM:
# yum install yum-utils
(do that as root; you don't need to be root for anything else)
$ yumdownloader --source --enablerepo=updates-source selinux-policy
3. Install the SRPM:
$ rpm -Uvh selinux-policy-2.2.43-4.fc5.src.rpm
4. Unpack tarball and apply patches:
$ cd ~/rpmbuild/SPECS
$ rpmbuild -bp selinux-policy.spec
That should leave you with the patched policy sources corresponding to
the latest FC5 policy in ~/rpmbuild/BUILD/serefpolicy-2.2.43
Paul.
17 years, 10 months
Help, SELinux warnings on data-preserved partitions
by yaomaidongxi-fc3forum@yahoo.com.cn
Sincere apologies if you receive this multiple times.
Hi, everyone
I installed Fedora Core 5 on my desktop PC. Each time at the end of startup, I see the following errors on the screen, for each partition that was not formatted during the install (because they hold data and were in use before that install).
# Here come the errors
Jun 21 10:30:04 localhost avahi-daemon[2216]: Server startup complete. Host name is localhost.local. Local service cookie is 283868878.
Jun 21 10:30:05 localhost kernel: audit(1150857005.013:2): avc: denied { getattr } for pid=2236 comm="hald" name="/" dev=sda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Jun 21 10:30:05 localhost kernel: audit(1150857005.177:3): avc: denied { getattr } for pid=2236 comm="hald" name="/" dev=sda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
...
And many warnings like that. I also observed an "operation not supported" message when mounting at start-up, and a failure when stopping the bluetooth daemon. I asked in a forum and someone told me it is a problem with SELinux: "Hald daemon can't get attributes from this partition". I was advised to 1) disable SELinux; 2) ignore these warnings; 3) read the SELinux manual. But I am a newbie and not ready to look through the whole manual to find a solution. Is there a quick and easy way to fix it? Thanks.
---YAO
17 years, 10 months
Problem with run_init
by Roland Cruesemann
Hello,
this is a rather basic question concerning run_init.
I use the targeted policy.
If I start a daemon, for example postgresql, with run_init:
run_init /etc/init.d/postgresql start
postgresql ends up in the unconfined_t domain.
But during a reboot postgresql is transferred to the
correct postgresql_t domain.
The content of /etc/selinux/targeted/contexts/initrc_context is
user_u:system_r:unconfined_t
Best regards,
Roland Cruesemann
--
Roland Crüsemann
TC TrustCenter a company of GeoTrust
Sonninstr. 24 - 28
D-20097 Hamburg
Germany
Phone: +49 40 / 80 80 26 210
Fax: +49 40 / 80 80 26 126
mailto:roland.cruesemann@trustcenter.de
http://www.trustcenter.de
http://www.geotrust.com
This email may contain confidential and privileged material for the sole
use of the intended recipient. Any review or distribution by others is
strictly prohibited. If you are not the intended recipient please
contact the sender and delete all copies.
17 years, 10 months
runcon command
by Roland Cruesemann
Hello,
we use the targeted policy.
We would like to start the PostgreSQL database under the
user postgresql too.
But to do so using the runcon command, one needs an additional
allow unconfined_t postgresql_t:process transition;
statement.
This is of course not so nice.
Are there any other methods available?
Best regards,
Roland Cruesemann
17 years, 10 months