Procmail, Spamassassin, and /etc/shadow
by Charles A. Crayne
With a fully updated FC5 targeted policy, in permissive mode, while sorting
incoming mail, procmail invokes spamassassin, which wants read and getattr
permission for file /etc/shadow. I used audit2allow to create an allow
rule for these cases, but the resulting local.pp module will not load,
because it triggers an assert rule.
What is the recommended resolution to this issue?
-- Chuck
16 years, 7 months
Can't set context of VFAT filesystem
by Ian Pilcher
I am unable to use the context, fscontext, or defcontext options when
mounting a VFAT filesystem:
type=AVC msg=audit(1155867673.190:23): avc: denied { relabelto } for pid=2641 comm="mount" scontext=root:system_r:unconfined_mount_t:s0-s0:c0.c255 tcontext=system_u:object_r:bootloader_t:s0 tclass=filesystem
Anyone know if this is a bug or expected behavior?
Thanks!
--
========================================================================
Ian Pilcher i.pilcher(a)comcast.net
========================================================================
R: RHEL4 Strict Policy Question
by Paolo D.
----------------------------------------------------------------------
Message: 1
Date: Fri, 18 Aug 2006 19:26:43 -0400
From: "Ricardo Neves" <jrmneves(a)hotmail.com>
Subject: RHEL4 Strict Policy Question
To: <fedora-selinux-list(a)redhat.com>
Message-ID: <BAY102-DAV85D0E1040B268C8A9EE74D1420(a)phx.gbl>
Content-Type: text/plain; format=flowed; charset="Windows-1252";
reply-type=original
I'm new to SELinux and I have a basic doubt to which I can't find any conclusive
answer. I'm building a prototype using Red Hat Enterprise Linux 4 and I
want to consider using a strict policy for this project. The base strict
policy does not come with Red Hat, so I've been searching and reading
conflicting information about it, which would be (1) downloading it from Red Hat
(I can't find it anywhere) or (2) getting it from Fedora Core 4 and making
some tweaks in the policy.
Can anybody tell me if any of these options apply? If I need to download
from Red Hat, is it charged and, if I should get from FC4, is it usable at
all when applied to RHEL4?
Thanks in advance, I apologize if this has been asked before in this
list...
------------------------------
Hello Ricardo,
Did you take in consideration using Tresys' Reference Policy
(http://oss.tresys.com/projects/refpolicy)?
As you can see if you click "Download Release"
(http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease) and look at
the end of the page, there are RPMs for RHEL 4 as well.
Paolo De Nictolis
RHEL4 Strict Policy Question
by Ricardo Neves
I'm new to SELinux and I have a basic doubt to which I can't find any conclusive
answer. I'm building a prototype using Red Hat Enterprise Linux 4 and I
want to consider using a strict policy for this project. The base strict
policy does not come with Red Hat, so I've been searching and reading
conflicting information about it, which would be (1) downloading it from Red Hat
(I can't find it anywhere) or (2) getting it from Fedora Core 4 and making
some tweaks in the policy.
Can anybody tell me if any of these options apply? If I need to download
from Red Hat, is it charged and, if I should get from FC4, is it usable at
all when applied to RHEL4?
Thanks in advance, I apologize if this has been asked before in this
list...
wireless
by steve westfall
All...
I have just purchased a new notebook to upgrade my antique.
It has a wireless mini PCI card (I believe it is an Intel card). I have the
regular Ethernet up and running; however, the wireless is not. Every time
I try to set it up (via network add under the wireless section) it comes
back and tells me that the card was not found and, hence, could not be set up.
Any ideas?
{a|min}getty/wtmp AVCs
by Émeric Maschino
Hi,
I'm getting the following AVCs on my Itanium system
(selinux-policy-targeted-2.3.6-1). Are they also noticeable on other
architectures?
audit(1155148758.991:4): avc: denied { write } for pid=2382 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148758.991:5): avc: denied { write } for pid=2383 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148759.411:6): avc: denied { write } for pid=2384 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148759.627:7): avc: denied { write } for pid=2385 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148759.627:8): avc: denied { write } for pid=2381 comm="agetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148760.063:9): avc: denied { write } for pid=2386 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
audit(1155148760.199:10): avc: denied { write } for pid=2387 comm="mingetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
Cheers,
Émeric
A question about root user and SELinux
by Paolo D.
Hello everybody,
perhaps a newbie question; should that be the case, I beg your pardon.
Let's imagine a user acquires root rights. Especially on Fedora Core, which
modifies the su command to automatically map it to the sysadm_r role, couldn't he/she
simply disable SELinux, delete logs, and so on?
Hope to hear from you soon,
Paolo De Nictolis, Eng.
Re: postfix, procmail and SELinux - No Go
by Paul Howarth
On Tue, 2006-06-06 at 21:34 -0500, Marc Schwartz wrote:
> Paul,
>
> OK...seemingly back up and running. Here are the present avc messages
> since re-loading everything and confirming that the file contexts are
> back to the changes that we made.
>
> I note that the /proc/meminfo messages are back, but now for
> clamassassin. I am sure that I have reloaded the new modules that we
> created, so not sure what is up here, unless there was some conflict
> when the two versions of the policies we seemingly loaded earlier today.
>
> Let me know on these and if perhaps I missed something:
You forgot that we reverted the clamassassin context change yesterday.
# restorecon -v /usr/local/bin/clamassassin
> type=AVC msg=audit(1149646922.456:801): avc: denied { read } for pid=23273 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=SYSCALL msg=audit(1149646922.456:801): arch=40000003 syscall=5 success=yes exit=3 a0=489093ef a1=0 a2=1b6 a3=a021240 items=1 pid=23273 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> type=CWD msg=audit(1149646922.456:801): cwd="/home/marcs"
> type=PATH msg=audit(1149646922.456:801): item=0 name="/proc/meminfo" flags=101 inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149646922.456:802): avc: denied { getattr } for pid=23273 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=SYSCALL msg=audit(1149646922.456:802): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bf8d7f28 a2=4891eff4 a3=3 items=0 pid=23273 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> type=AVC_PATH msg=audit(1149646922.456:802): path="/proc/meminfo"
> type=AVC msg=audit(1149646922.456:803): avc: denied { search } for pid=23273 comm="clamassassin" name="bin" dev=hdc7 ino=3112982 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
> type=SYSCALL msg=audit(1149646922.456:803): arch=40000003 syscall=5 success=yes exit=3 a0=a023018 a1=8000 a2=0 a3=8000 items=1 pid=23273 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamassassin" exe="/bin/bash"
> type=CWD msg=audit(1149646922.456:803): cwd="/home/marcs"
> type=PATH msg=audit(1149646922.456:803): item=0 name="/usr/local/bin/clamassassin" flags=101 inode=3115337 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149646922.460:804): avc: denied { execute } for pid=23274 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1149646922.460:804): avc: denied { execute_no_trans } for pid=23274 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=AVC msg=audit(1149646922.460:804): avc: denied { read } for pid=23274 comm="clamassassin" name="mktemp" dev=hdc7 ino=1966111 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> type=SYSCALL msg=audit(1149646922.460:804): arch=40000003 syscall=11 success=yes exit=0 a0=a0232c0 a1=a023500 a2=a026dd0 a3=a023228 items=2 pid=23274 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="mktemp" exe="/bin/mktemp"
> type=AVC_PATH msg=audit(1149646922.460:804): path="/bin/mktemp"
> type=AVC_PATH msg=audit(1149646922.460:804): path="/bin/mktemp"
> type=CWD msg=audit(1149646922.460:804): cwd="/home/marcs"
> type=PATH msg=audit(1149646922.460:804): item=0 name="/bin/mktemp" flags=101 inode=1966111 dev=16:07 mode=0100555 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1149646922.460:804): item=1 flags=101 inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1149646922.460:805): avc: denied { read } for pid=23274 comm="mktemp" name="urandom" dev=tmpfs ino=1719 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
> type=SYSCALL msg=audit(1149646922.460:805): arch=40000003 syscall=5 success=yes exit=3 a0=80494d8 a1=0 a2=48920120 a3=8f5f008 items=1 pid=23274 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="mktemp" exe="/bin/mktemp"
> type=CWD msg=audit(1149646922.460:805): cwd="/home/marcs"
> type=PATH msg=audit(1149646922.460:805): item=0 name="/dev/urandom" flags=101 inode=1719 dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09
> type=AVC msg=audit(1149646922.468:806): avc: denied { execute_no_trans } for pid=23277 comm="clamassassin" name="clamscan" dev=hdc7 ino=3123838 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:clamscan_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1149646922.468:806): arch=40000003 syscall=11 success=yes exit=0 a0=a026c00 a1=a026210 a2=a026dd0 a3=a026d90 items=2 pid=23277 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="clamscan" exe="/usr/bin/clamscan"
> type=AVC_PATH msg=audit(1149646922.468:806): path="/usr/bin/clamscan"
> type=CWD msg=audit(1149646922.468:806): cwd="/home/marcs"
> type=PATH msg=audit(1149646922.468:806): item=0 name="/usr/bin/clamscan" flags=101 inode=3123838 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1149646922.468:806): item=1 flags=101 inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
The context change should fix all of the above.
> type=AVC msg=audit(1149646926.516:807): avc: denied { recv_msg } for saddr=66.250.40.33 src=24441 daddr=192.168.1.2 dest=32875 netif=eth0 scontext=user_u:system_r:pyzor_t:s0 tcontext=system_u:object_r:pyzor_port_t:s0 tclass=udp_socket
Hmm, pyzor needs to receive messages as well as send them...
> type=AVC msg=audit(1149646926.528:808): avc: denied { create } for pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:808): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfb89868 a2=4891eff4 a3=8069fbf items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1149646926.528:808): nargs=3 a0=10 a1=3 a2=0
> type=AVC msg=audit(1149646926.528:809): avc: denied { bind } for pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:809): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfb89868 a2=4891eff4 a3=3 items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKADDR msg=audit(1149646926.528:809): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1149646926.528:809): nargs=3 a0=3 a1=bfb89874 a2=c
> type=AVC msg=audit(1149646926.528:810): avc: denied { getattr } for pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:810): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfb89868 a2=4891eff4 a3=3 items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1149646926.528:810): nargs=3 a0=3 a1=bfb89874 a2=bfb89880
> type=AVC msg=audit(1149646926.528:811): avc: denied { write } for pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=AVC msg=audit(1149646926.528:811): avc: denied { nlmsg_read } for pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:811): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfb887b4 a2=4891eff4 a3=ffffffcc items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKADDR msg=audit(1149646926.528:811): saddr=100000000000000000000000
> type=SOCKETCALL msg=audit(1149646926.528:811): nargs=6 a0=3 a1=bfb8982c a2=14 a3=0 a4=bfb89840 a5=c
> type=AVC msg=audit(1149646926.528:812): avc: denied { read } for pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:812): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfb887b4 a2=4891eff4 a3=ffffffcc items=0 pid=23325 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=0 sgid=500 fsgid=0 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=SOCKETCALL msg=audit(1149646926.528:812): nargs=3 a0=3 a1=bfb89810 a2=0
I've seen a lot of these recently. I think dcc is trying to read the
routing table. We'll allow that.
(snip)
The rest seem to be duplicates.
Updated policy modules:
####### mydcc.te #######
policy_module(mydcc, 0.1.3)
require {
type spamd_t;
}
type dcc_var_t;
files_type(dcc_var_t)
type dcc_client_map_t;
files_type(dcc_client_map_t)
# Allow spamd to behave as a dcc client
allow spamd_t dcc_client_map_t:file rw_file_perms;
allow spamd_t dcc_var_t:dir search;
# Allow spamd to read the routing table (needed by dcc)
allow spamd_t self:netlink_route_socket { r_netlink_socket_perms };
####### mypyzor.te #######
policy_module(mypyzor, 0.1.3)
require {
type pyzor_t;
type pyzor_port_t;
type spamd_t;
};
# temp files
type pyzor_tmp_t;
files_tmp_file(pyzor_tmp_t)
# Allow pyzor to create and use temp files and dirs
allow pyzor_t pyzor_tmp_t:dir create_dir_perms;
allow pyzor_t pyzor_tmp_t:file create_file_perms;
files_type(pyzor_tmp_t)
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
# Allow pyzor to read config (and any other file...)
# from user home directories
userdom_read_unpriv_users_home_content_files(pyzor_t)
# Allow pyzor to read /dev/urandom
dev_read_urand(pyzor_t)
# Allow pyzor to send and receive pyzor messages!
allow pyzor_t pyzor_port_t:udp_socket send_msg;
allow pyzor_t pyzor_port_t:udp_socket recv_msg;
# Allow spamd to signal pyzor (kill/hup ?)
allow spamd_t pyzor_t:process signal;
# Allow pyzor to ...?
corecmd_search_bin(pyzor_t)
kernel_read_kernel_sysctls(pyzor_t)
# It does a getattr on /usr/bin/time for reasons unknown...
allow pyzor_t bin_t:dir getattr;
allow pyzor_t bin_t:file getattr;
# Pyzor/python probably doesn't need to be able to read /proc/meminfo
kernel_dontaudit_list_proc(pyzor_t)
kernel_dontaudit_read_system_state(pyzor_t)
Paul.
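The AVC records in the {a|min}getty/wtmp post and the ones Paul works through above (a run of dccproc netlink denials collapsed into a single `allow spamd_t self:netlink_route_socket { ... }` rule) are the raw material that audit2allow turns into policy. The script below is an added example written for this page, not code from any of the posts and not audit2allow itself. It re-joins records that a mail client wrapped at column 80, groups each audit event's AVC, SYSCALL and PATH records by serial number so the denial can be tied to an executable and a path, aggregates the denied permissions per (source type, target type, class) into audit2allow-style allow rules, and flags denials whose target carries a generic tree label (such as `var_log_t` on `wtmp`), where checking the label with matchpathcon and restorecon is usually the right first step rather than a new rule. The sample audit text is constructed from records quoted in the thread, and the GENERIC_TARGETS list is a heuristic chosen for this example, not a set SELinux defines.

```python
"""AVC denial triage (added example): parse audit AVC records, re-join mail-wrapped
lines, group an event's AVC/SYSCALL/PATH records by serial, and aggregate the
denied permissions into audit2allow-style allow rules."""
import re
from collections import defaultdict

# Constructed sample assembled from records quoted in the thread: a getty denial
# wrapped at column 80 by a mail client, a same-domain netlink denial, and an
# AVC with its SYSCALL / PATH companion record. Not a capture from a real host.
SAMPLE_AUDIT = """\
audit(1155148758.991:4): avc: denied { write } for pid=2382 comm="mingetty" n
ame="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=sy
stem_u:object_r:var_log_t:s0 tclass=file
audit(1155148759.627:8): avc: denied { write } for pid=2381 comm="agetty" name="wtmp" dev=dm-0 ino=360636 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> type=AVC msg=audit(1149646926.528:811): avc: denied { write } for pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=AVC msg=audit(1149646926.528:811): avc: denied { nlmsg_read } for pid=23325 comm="dccproc" scontext=user_u:system_r:spamd_t:s0 tcontext=user_u:system_r:spamd_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1149646926.528:811): arch=40000003 syscall=102 success=yes exit=20 pid=23325 auid=500 uid=500 comm="dccproc" exe="/usr/local/bin/dccproc"
> type=AVC msg=audit(1149646922.456:801): avc: denied { read } for pid=23273 comm="clamassassin" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
> type=PATH msg=audit(1149646922.456:801): item=0 name="/proc/meminfo" flags=101 inode=4026531842 dev=00:03 mode=0100444 ouid=0 ogid=0
"""

SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic labels of whole trees (var_log_t for /var/log, bin_t for /bin, ...). A
# denial against one of these often means the object itself is mislabelled and
# restorecon, not a new allow rule, is the fix. Heuristic list chosen for this
# example, not a set SELinux defines.
GENERIC_TARGETS = {"var_log_t", "var_t", "usr_t", "bin_t", "etc_t", "tmp_t",
                   "default_t", "file_t", "unlabeled_t"}


def unwrap(text):
    """Re-join records wrapped at a fixed column; continuation lines are glued on
    with no separator because the wrap may fall inside a token."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> ")                 # drop mail quoting
        if not line:
            continue
        if line.startswith(("audit(", "type=")) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records


def parse_events(text):
    """{serial: {'avcs': [field dicts], 'exe': str|None, 'paths': [str]}}"""
    events = defaultdict(lambda: {"avcs": [], "exe": None, "paths": []})
    for rec in unwrap(text):
        sm = SERIAL_RE.search(rec)
        if not sm:
            continue
        ev = events[sm.group("serial")]
        am = AVC_RE.search(rec)
        if am:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(am.group("rest"))}
            fields["perms"] = am.group("perms").split()
            ev["avcs"].append(fields)
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rec)}
        if fields.get("type") == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
        if "exe" in fields:
            ev["exe"] = fields["exe"]
    return dict(events)


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def allow_rules(events):
    """Aggregate perms per (source type, target type, class), as audit2allow -m does."""
    perms, evidence = defaultdict(set), defaultdict(set)
    for ev in events.values():
        for avc in ev["avcs"]:
            src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
            if tgt == src:                       # policy language spells this 'self'
                tgt = "self"
            key = (src, tgt, avc["tclass"])
            perms[key].update(avc["perms"])
            evidence[key].add(avc.get("comm", "?"))
            if ev["exe"]:
                evidence[key].add(ev["exe"])
            evidence[key].update(ev["paths"])
    out = []
    for key in sorted(perms):
        src, tgt, cls = key
        out.append("# seen: " + ", ".join(sorted(evidence[key])))
        out.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms[key]))))
    return out


def labeling_hints(events):
    """Denials against a generic target type: check the label before allowing."""
    hints = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        for avc in ev["avcs"]:
            tgt = type_of(avc["tcontext"])
            if tgt in GENERIC_TARGETS:
                hints.append("event %s: %s denied %s on %r labelled %s; run matchpathcon "
                             "and restorecon on it before writing an allow rule"
                             % (serial, avc.get("comm", "?"), " ".join(avc["perms"]),
                                avc.get("name", "?"), tgt))
    return hints


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT)
    print("\n".join(allow_rules(evs) + labeling_hints(evs)))
```

Run on the constructed sample it emits `allow getty_t var_log_t:file { write };`, `allow spamd_t self:netlink_route_socket { nlmsg_read write };` and `allow clamscan_t proc_t:file { read };`, each preceded by the comm, exe and path evidence, and two hints pointing at `wtmp` being labelled `var_log_t`. Feed it `ausearch -m avc` output or a pasted mail and the same aggregation applies; the rules are candidates to review, not something to load blindly, which is exactly the point of the `/etc/shadow` assert failure in the first post on this page.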