List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
16 years, 7 months
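The question above asks for the list of classes and permissions. The file it mentions, flask/access_vectors, is built from three constructs: a `common` block of permissions shared by a family of classes, a `class` block that `inherits` one of those commons, and a plain `class` block. The following parser, added here as an example and not taken from the thread or from any SELinux tool, turns such a file into a per-class permission list so the table can be generated rather than hand-maintained. The SAMPLE string is a constructed excerpt in that syntax, not the real file, and the helper names are the example's own.

```python
"""Extract {class: [permissions]} from an SELinux flask/access_vectors file."""
import re

# Constructed excerpt in access_vectors syntax (assumption: the real file is
# far longer but is made of exactly these constructs; permissions are
# whitespace separated, normally one per line).
SAMPLE = """
# permissions shared by every file-like class
common file
{
	ioctl read write create getattr setattr lock
	relabelfrom relabelto append unlink link rename execute
}

class dir
inherits file
{
	add_name remove_name reparent search rmdir open
}

class file
inherits file
{
	execute_no_trans entrypoint execmod
}

class tcp_socket
{
	connect node_bind name_connect
}
"""

# One block: 'common NAME { ... }' or 'class NAME [inherits COMMON] { ... }'
_BLOCK = re.compile(
    r"(?P<kind>common|class)\s+(?P<name>\w+)"
    r"(?:\s+inherits\s+(?P<parent>\w+))?"
    r"\s*\{(?P<body>[^}]*)\}"
)


def strip_comments(text):
    """Drop '#' comments; the file uses them freely between blocks."""
    return re.sub(r"#.*", "", text)


def parse_access_vectors(text):
    """Return (commons, classes): name -> sorted permission names.

    Commons and classes are separate namespaces ('class file inherits file'
    is legal), so inherited permissions are resolved against commons only.
    """
    commons, classes = {}, {}
    for m in _BLOCK.finditer(strip_comments(text)):
        perms = set(m.group("body").split())
        if m.group("kind") == "common":
            commons[m.group("name")] = perms
            continue
        parent = m.group("parent")
        if parent is not None:
            if parent not in commons:
                raise ValueError(f"class {m.group('name')} inherits unknown common {parent}")
            perms |= commons[parent]
        classes[m.group("name")] = perms
    return ({k: sorted(v) for k, v in commons.items()},
            {k: sorted(v) for k, v in classes.items()})


def classes_with_permission(classes, perm):
    """Reverse lookup: which classes define this permission name."""
    return sorted(name for name, perms in classes.items() if perm in perms)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    commons, classes = parse_access_vectors(text)
    for name, perms in sorted(classes.items()):
        print(f"{name}: {' '.join(perms)}")
```

Run it against the real file (`python3 avparse.py /path/to/policy/flask/access_vectors`) to get the raw list; the one-sentence explanations the poster wants still have to come from the policy comments or the kernel's own documentation, which this parser cannot supply.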
2007 SELinux Symposium dates and call for papers
by Joshua Brindle
The Security Enhanced Linux (SELinux) Symposium announces that its third
annual Symposium is scheduled for March 12-16, 2007, at the Wyndham
Hotel, Baltimore, Maryland, USA. The Symposium also announces the
opening of its call for papers. The event is the only one of its kind to
examine SELinux and the power of the flexible mandatory access control
security it brings to Linux. The first two years of this annual event
were a tremendous success providing the SELinux development and user
community the opportunity to discuss related research results,
development plans, and applications.
The call for papers is open until October 9, 2006. Paper requirements
and topics of interest are available on the Symposium web site at
www.selinux-symposium.org.
16 years, 9 months
suggest an icon for selinux (e.g. setroubleshoot)
by John Dennis
We need an icon to be used on the desktop which is associated with
SELinux. The first intended use would be the icon associated with
setroubleshoot to indicate you have an SELinux issue to deal with.
In the interim we've been using Tux with a badge, but we can't use Tux
because of legal constraints (however, let's not go down that rathole in
this thread :-).
We can't use a police badge because that's very close to the icon used
for consolehelper root access.
So far we've come up with:
* Traffic Light (indicates stop/go).
* Crossed swords
* Bobby hat (English policeman)
We would like some suggestions, anybody have a good idea? Just remember
it has to be identifiable at small sizes. Images associated with the NSA
probably won't get warm feelings in a variety of places.
--
John Dennis <jdennis(a)redhat.com>
Red Hat Inc.
16 years, 9 months
Error with today's selinux-policy-targeted update
by Tom London
Running rawhide, targeted/enforcing.
During today's update of selinux-policy-targeted-2.3.10-3, I get:
Updating : selinux-policy-targeted ##################### [ 37/142]
libsepol.print_missing_requirements: oddjob's global requirements were
not met: type/attribute oddjob_mkhomedir_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
No obvious messages in /var/log/messages or /var/log/audit/audit.log
tom
--
Tom London
16 years, 9 months
Red Hat SELinux Application Development Guide?
by Benjamin Tsai
I googled for this document on writing SELinux-aware software
applications, but can't find any link to it from Red Hat.
Does this document exist? Besides, is there any tutorial for writing
SELinux-aware programs?
I have read "Red Hat SELinux Guide", NSA "Implementing SELinux as a
Linux Security Module," ... and some other documents about writing
selinux policy.
But I still don't get how to write such a program. Please give me some
directions. Thanks.
16 years, 9 months
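For the question above, a minimal SELinux-aware program, written for this page as an added example and not taken from any Red Hat guide or from libselinux. An SELinux-aware program mostly needs three things: to know whether SELinux is enabled and enforcing, to learn its own security context, and to read the context of files it handles. libselinux provides these as is_selinux_enabled(3), security_getenforce(3), getcon(3) and getfilecon(3); the example goes straight to the kernel interfaces those calls wrap, so it runs without the library. Assumptions: selinuxfs is mounted at /sys/fs/selinux (current kernels) or /selinux (the FC5-era location); on a host without SELinux every lookup returns None instead of raising, and the `Context` class and function names are the example's own.

```python
"""SELinux-aware program without libselinux: reads the kernel interfaces directly."""
import os
from dataclasses import dataclass
from typing import Optional

# Where selinuxfs may be mounted: modern kernels first, then the 2006 layout.
SELINUXFS_CANDIDATES = ("/sys/fs/selinux", "/selinux")


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range; None on a policy without MLS


def parse_context(raw):
    """Split 'user:role:type[:level]' into fields.

    The level may itself contain ':' (e.g. 's0-s0:c0.c1023'), so only the
    first three colons are separators.
    """
    parts = raw.strip("\0 \t\n").split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed security context: {raw!r}")
    level = parts[3] if len(parts) == 4 else None
    return Context(parts[0], parts[1], parts[2], level)


def selinuxfs_mount():
    """Path of the selinuxfs mount, or None (this is what is_selinux_enabled checks)."""
    for path in SELINUXFS_CANDIDATES:
        if os.path.isfile(os.path.join(path, "enforce")):
            return path
    return None


def is_selinux_enabled():
    return selinuxfs_mount() is not None


def getenforce():
    """1 = enforcing, 0 = permissive, None = SELinux not enabled."""
    fs = selinuxfs_mount()
    if fs is None:
        return None
    with open(os.path.join(fs, "enforce")) as f:
        return int(f.read().strip())


def getcon():
    """This process's context from /proc/self/attr/current, or None.

    The attribute is LSM specific: under AppArmor it holds a profile name
    with no colons, which parse_context rejects, so that also yields None.
    """
    try:
        with open("/proc/self/attr/current", "rb") as f:
            raw = f.read().decode("utf-8", "replace")
        return parse_context(raw) if raw.strip("\0\n") else None
    except (OSError, ValueError):
        return None


def getfilecon(path):
    """Context of a file from its security.selinux xattr, or None."""
    getxattr = getattr(os, "getxattr", None)  # Linux only
    if getxattr is None:
        return None
    try:
        return parse_context(getxattr(path, "security.selinux").decode("utf-8", "replace"))
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    mode = {None: "disabled", 0: "permissive", 1: "enforcing"}[getenforce()]
    print(f"SELinux: {mode}; my context: {getcon()}; context of /etc/passwd: {getfilecon('/etc/passwd')}")
```

The practical rule this illustrates: an SELinux-aware program must behave sensibly when any of these lookups returns nothing, because the same binary runs on kernels without SELinux, in permissive mode, and under other LSMs.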
Please review allow rules
by Charles A. Crayne
The following rules were created by audit2allow to enable my server to
operate without denial messages. If some kind soul would glance over them to see
if they raise any red flags, I would appreciate it.
allow fetchmail_t user_home_t:file { getattr ioctl read };
allow httpd_sys_script_t user_home_t:dir { getattr read remove_name rmdir search write };
allow httpd_sys_script_t user_home_t:file { append execute execute_no_trans getattr ioctl read unlink };
allow httpd_t snmpd_var_lib_t:file { getattr read };
allow httpd_t system_dbusd_var_run_t:dir { getattr read };
allow innd_t file_t:file { getattr ioctl read write };
allow innd_t home_root_t:dir search;
allow innd_t tmp_t:dir search;
allow innd_t user_home_t:file { getattr read };
allow procmail_t inaddr_any_node_t:tcp_socket node_bind;
allow procmail_t innd_etc_t:dir search;
allow procmail_t innd_etc_t:file read;
allow procmail_t innd_exec_t:file { execute execute_no_trans read };
allow procmail_t innd_port_t:tcp_socket name_connect;
allow procmail_t ls_exec_t:file { execute execute_no_trans getattr read };
allow procmail_t procmail_exec_t:file execute_no_trans;
allow procmail_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow procmail_t razor_port_t:tcp_socket name_connect;
allow procmail_t smtp_port_t:tcp_socket name_connect;
allow procmail_t tmp_t:dir { add_name create read remove_name rmdir search write };
allow procmail_t tmp_t:file { create getattr ioctl read unlink write };
allow procmail_t user_home_t:file { execute execute_no_trans };
allow spamd_t pyzor_exec_t:file { execute execute_no_trans getattr ioctl read };
allow spamd_t user_home_dir_t:dir read;
allow spamd_t user_home_dir_t:file { append getattr ioctl read };
allow xfs_t default_t:dir search;
allow xfs_t default_t:file { getattr read };
-- Chuck
16 years, 9 months
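A first-pass reviewer for a list like the one above, added here as an example; it is not audit2allow or any other Red Hat tool, and the red-flag heuristics are the example's own. They encode two general SELinux practices: a target of file_t (no label at all) or default_t (no file context matched) is a labeling problem to fix with restorecon or a file context entry, not something to allow; and a daemon that executes or modifies content under user_home_t or tmp_t in its own domain (execute_no_trans means no domain transition) gives a compromised mail or web process more reach than it needs. SAMPLE_RULES is a constructed subset of the posted rules, with one rule deliberately wrapped across two lines the way a mail client would, since audit2allow output pasted into mail usually arrives like that.

```python
"""Flag allow rules that a policy reviewer would normally push back on."""
import re

# Constructed subset of the posted audit2allow output; the second rule is
# wrapped across two lines on purpose to exercise the line joiner.
SAMPLE_RULES = """
allow fetchmail_t user_home_t:file { getattr ioctl read };
allow httpd_sys_script_t user_home_t:dir { getattr read remove_name rmdir
search write };
allow httpd_sys_script_t user_home_t:file { append execute execute_no_trans getattr ioctl read unlink };
allow httpd_t snmpd_var_lib_t:file { getattr read };
allow innd_t file_t:file { getattr ioctl read write };
allow innd_t tmp_t:dir search;
allow procmail_t user_home_t:file { execute execute_no_trans };
allow procmail_t tmp_t:dir { add_name create read remove_name rmdir search write };
allow xfs_t default_t:dir search;
"""

# 'allow SRC TGT:CLASS { p1 p2 };' or 'allow SRC TGT:CLASS p1;' (';' optional)
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;?\s*$"
)

# Heuristic vocabularies (the example's own, not from the policy sources)
EXEC = {"execute", "execute_no_trans", "entrypoint", "execmod"}
WRITE = {"write", "append", "create", "unlink", "rename", "add_name",
         "remove_name", "rmdir", "setattr"}
MISLABELED = {"file_t", "default_t"}          # fix labels instead of allowing
USER_CONTENT = {"user_home_t", "user_home_dir_t", "tmp_t"}


def parse_allow_rules(text):
    """Return [(src, tgt, cls, frozenset(perms))], joining wrapped lines first."""
    lines = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().startswith("allow") or not lines:
            lines.append(line)
        else:                       # continuation of the previous rule
            lines[-1] += " " + line.strip()
    rules = []
    for line in lines:
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"cannot parse rule: {line!r}")
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def review(rules):
    """Return [(severity, rule, reason)]; rules with no finding are silently fine."""
    findings = []
    for rule in rules:
        src, tgt, cls, perms = rule
        if tgt in MISLABELED:
            findings.append(("labeling", rule,
                             f"{tgt} means the object carries no proper label; relabel it "
                             f"(restorecon / file context) instead of allowing {src} access"))
        if tgt in USER_CONTENT and perms & EXEC:
            findings.append(("high", rule,
                             f"{src} executes content from {tgt} in its own domain: "
                             f"{' '.join(sorted(perms & EXEC))}"))
        if tgt in USER_CONTENT and perms & WRITE:
            findings.append(("medium", rule,
                             f"{src} can modify {tgt}: {' '.join(sorted(perms & WRITE))}"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for sev, (src, tgt, cls, perms), why in review(parse_allow_rules(text)):
        print(f"[{sev}] allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }}  -- {why}")
```

Read-only rules such as fetchmail_t reading user_home_t produce no finding; the tool is meant to narrow a long audit2allow list down to the handful of rules worth a human look, not to replace that look.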
selinux-policy-2.3.3-8.fc5
by Paul Howarth
... includes this changelog entry:
* Tue Jun 20 2006 Dan Walsh <dwalsh(a)redhat.com> 2.2.47-5
- Break out selinux-devel package
but sadly it's not true :-(
Paul.
16 years, 9 months
Using seaudit-report to send reports per e-mail or post to an Intranet page
by Paolo D.
Hello everybody,
in Red Hat SELinux Guide, paragraph 6.2.3, page 95 of 130, Kersten Wade
wrote about seaudit-report: "The command lets you specify the incoming log
source, either from files or STDIN, and output to a file or STDOUT as text or
styled HTML. By piping through seaudit-report using STDIN and STDOUT, you
can use this utility to generate automatic reports that can be sent via
email or posted on an Intranet page."
This solution is definitely interesting to me; do you have code to implement
it?
Paolo De Nictolis
16 years, 9 months
Fw: Icons Disapperd
by Pranav Vishnoi
I never found the relabel /. command. Do you have any other command?
Some SELinux denied messages are written below. Please check these denied messages
and give me some solution. I am attaching my local.te file.
I am using this file to create local.pp, then used semodule -i local.pp to
install this module.
Aug 26 11:40:39 remosecurity kernel: audit(1156572639.910:111): avc: denied { getattr } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 00:51:17 remosecurity kernel: cdrom: This disc doesn't have any tracks I recognize!
Aug 26 00:51:17 remosecurity kernel: audit(1156533677.305:112): avc: denied { getattr } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 02:11:02 remosecurity kernel: audit(1156538462.736:115): avc: denied { search } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 02:21:59 remosecurity kernel: audit(1156539119.081:116): avc: denied { getattr } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
1. Is there any other way to use this local.te? And when I change the permission
in /etc/selinux/config to enforcing, I have a session error when I want to
log in.
----- Original Message -----
From: "Rahul" <sundaram(a)fedoraproject.org>
> To: "Pranav Vishnoi" <pvishnoi(a)networkprograms.com>
> Cc: "Daniel J Walsh" <dwalsh(a)redhat.com>; <fedora-selinux-list(a)redhat.com>
> Sent: Saturday, August 26, 2006 1:45 AM
> Subject: Re: Icons Disapperd
>
>
> > Pranav Vishnoi wrote:
> > > Thanks Rahul
> > > For giving me the certification details.
> > > But my problem remains. I have some questions.
> > > 1. After setenforce 1 I am unable to login as root. Where do I make changes
> > > to give access permission to root? It gives the message wrong password, but
> > > when I do setenforce 0
> > > there is no problem to login as root.
> >
> > Then you need to look at AVC denied messages in /var/log/messages or
> > /var/log/audit (if audit service is enabled) and post the messages to
> > this list if you are unable to figure out and resolve it.
> >
> >
> > > 2. In live cd there is no procedure for auto relabel / structure. Any
> > > short command for relabel / ?
> >
> > relabel /. seems a rather short command to me.
> >
> > > 3. Can I replace policy.20 with policy.18 or use the fc3 policy?
> > >
> >
> > Usually a bad idea as newer policies tend to be better.
> >
> > Rahul
>
16 years, 9 months
A couple of mount AVCs
by Jason L Tibbitts III
I'm experimenting with turning on SELinux for my FC5 desktops. I took
a machine that was kickstarted with "selinux --disabled", fully
updated, edited /etc/sysconfig/selinux to change "disabled" to
"enforcing", rebooted and waited for the relabel.
Upon boot I get this twice:
audit(1155677507.814:309): avc: denied { mounton } for pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
/var/spool/mail is supposed to be NFS mounted, but this AVC causes
that mount to fail. (Yes, IMAP will be my savior, but some people
here still use /bin/mail. Really.) What's odd is that I can log in
as root and type "mount /var/spool/mail" and it mounts fine.
We also have NFS-mounted user home directories via autofs; the map is
in LDAP and nscd is running. Every attempt to access a user home
directory results in:
audit(1155738357.735:345): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1155738357.735:346): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
SELinux: initialized (dev 0:18, type nfs), uses genfs_contexts
and the mount actually succeeds.
On a whim I touched /.autorelabel and rebooted again; the AVCs are
unchanged.
Again, fully updated FC5:
selinux-policy-targeted-2.3.3-8.fc5.noarch
libselinux-1.30.3-4.fc5.i386
selinux-policy-2.3.3-8.fc5.noarch
kernel-2.6.17-1.2174_FC5.i586
- J<
16 years, 9 months
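Three of the threads above come together in one small tool: Paolo asks for code that pipes audit data through a report generator and mails or posts the result, and Pranav's hald denials and Jason's mount AVCs are the kind of input such a report digests. The script below is an added example written for this page; it is not seaudit-report, audit2allow or any code from the threads. It parses AVC denial lines, groups them by source type, target type and object class the way audit2allow does, emits the candidate allow rules with a warning where the target is file_t or default_t (an unlabeled or unmatched object, which calls for a relabel rather than a rule), and renders the same data as an HTML table inside a multipart/alternative mail message. Nothing is sent: the message is returned so the caller can hand it to sendmail or write the HTML to a web directory. SAMPLE_LOG is constructed from the denials posted above plus one non-AVC kernel line; the sender and recipient addresses in the usage are placeholders.

```python
"""Aggregate AVC denials from a log into allow rules and an HTML/email report."""
import re
import sys
from collections import defaultdict
from email.message import EmailMessage
from html import escape

# Constructed sample: denials from the threads above plus one non-AVC line,
# in the syslog form of the time (some lines with a syslog prefix, some bare).
SAMPLE_LOG = """\
Aug 26 11:40:39 remosecurity kernel: audit(1156572639.910:111): avc: denied { getattr } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Aug 26 00:51:17 remosecurity kernel: cdrom: This disc doesn't have any tracks I recognize!
Aug 26 02:11:02 remosecurity kernel: audit(1156538462.736:115): avc: denied { search } for pid=2041 comm="hald" name="/" dev=hda6 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1155677507.814:309): avc: denied { mounton } for pid=1566 comm="mount" name="mail" dev=dm-4 ino=393219 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
audit(1155738357.735:345): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1155738357.735:346): avc: denied { write } for pid=7344 comm="mount" name="socket" dev=dm-4 ino=131097 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNLABELED = {"file_t", "default_t"}   # target types that signal a labeling problem


def parse_avc(line):
    """Return the parts of one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    try:  # the type is the third field of user:role:type[:level]
        stype, ttype = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
        tclass = f["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": frozenset(m.group("perms").split()), "stype": stype,
            "ttype": ttype, "tclass": tclass, "comm": f.get("comm", "?")}


def aggregate(lines):
    """Group denials by (source type, target type, class), unioning permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for d in filter(None, map(parse_avc, lines)):
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["count"] += 1
        g["comms"].add(d["comm"])
    return dict(groups)


def allow_rules(groups):
    """Candidate allow rules, one per group, with a warning on unlabeled targets."""
    out = []
    for (s, t, c), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        if t in UNLABELED:
            out.append(f"# {t} target: relabel (restorecon / .autorelabel) rather than allow")
        out.append(f"allow {s} {t}:{c} {body};")
    return out


def html_report(groups, title="AVC denials"):
    """One table row per group; all fields escaped since comm= is attacker-influenced."""
    rows = "".join(
        f"<tr><td>{escape(s)}</td><td>{escape(t)}</td><td>{escape(c)}</td>"
        f"<td>{escape(' '.join(sorted(g['perms'])))}</td><td>{g['count']}</td>"
        f"<td>{escape(', '.join(sorted(g['comms'])))}</td></tr>"
        for (s, t, c), g in sorted(groups.items()))
    return (f"<html><body><h1>{escape(title)}</h1><table border=\"1\">"
            "<tr><th>source</th><th>target</th><th>class</th>"
            "<th>permissions</th><th>count</th><th>comm</th></tr>"
            f"{rows}</table></body></html>")


def build_mail(groups, sender, recipient):
    """multipart/alternative message: rules as text, the table as HTML; not sent."""
    msg = EmailMessage()
    msg["Subject"] = f"SELinux AVC report: {sum(g['count'] for g in groups.values())} denials"
    msg["From"], msg["To"] = sender, recipient
    msg.set_content("\n".join(allow_rules(groups)) or "no AVC denials")
    msg.add_alternative(html_report(groups), subtype="html")
    return msg


if __name__ == "__main__":
    # 'python3 avc_report.py - < /var/log/audit/audit.log | sendmail -t'; no
    # argument runs the constructed sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    groups = aggregate(text.splitlines())
    print(build_mail(groups, "root@localhost", "selinux-admin@localhost"))
```

Write `html_report(groups)` to a file under the web root for the intranet variant. The grouping also makes the two mount_t denials in Jason's post collapse into a single row with count 2, which is the view that matters when deciding whether a denial is a policy gap or a labeling problem.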