selinux August 2006

selinux@lists.fedoraproject.org

41 participants
41 discussions

sharing a partition betweed FC3 and FC5
by D. Hugh Redelmeier 07 Aug '06

07 Aug '06

[I sent this to fedora-list(a)redhat.com a couple of minutes ago. I apologize for cross-posting.] I installed 32-bit Fedora Core 5 on an Athlon-64 box. I intended this installation to co-exist with a 64-bit Fedora Core 3 installation. The two installations share a /home ext3 partition and the swap partition. This is often how I do upgrades: a dual boot system with both old and new bootable. The problem is that the FC5 installation did something to the /home partition that prevents the FC3 from mounting it. When I manually try a mount of /home from FC3, the useless mount-failure message is preceded by these messages. I think that they are the key: inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2 (In dmesg, these two messages were preceded by these that might be relevant: kjournald starting. Commit interval 5 seconds EXT3 FS on hda5, internal journal EXT3-fs: mounted filesystem with ordered data mode. SELinux: initialized (dev hda5, type ext3), uses xattr ) (The useless mount failure message is: mount: wrong fs type, bad option, bad superblock on /dev/hda5 or too many mounted file systems This message is disgracefully non-specific.) I think that this is a problem with SELinux. The following thread looks relevant but unhelpful: http://www.redhat.com/archives/fedora-selinux-list/2006-April/msg00002.html It provides a solution (I hope) for FC4 but FC3 would not have such an update. I tried using enforcing=0 on the FC3 kernel command line, but nothing changed. I thought ext3 was compatible between Fedora releases. Unfortunately, SELinux seems to have made things a lot more brittle. ==> Is there something simple that I can do to allow the existing /home ext3 partition to be shared between FC3 and FC5? ==> What does the error message mean? inode 2 is the root of the filesystem. It appears that kernel routine inode_doinit_with_dentry is calling context_to_sid and context_to_sid is returning EINVAL (because the context was invalid). But even knowing that, I don't know what it actually means or is caused by. (By the way, if FC5 worked well, it might not matter. Unfortunately, there is some regression in xorg that prevents dual-head working properly on FC5 where it did on FC3.)

3 5

strict error message
by Richard Hally 06 Aug '06

06 Aug '06

I've been getting the following error message when updating with yum: > Updating : selinux-policy-strict ####################### [26/66] > /etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0). > /etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0). Do I need to bugzilla this? Richard

3 3

borkage during today's updates....
by Tom London 06 Aug '06

06 Aug '06

Running rawhide, targeted/enforcing. Updates today produced the following during 'yumex'. tom libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/netfilter_contexts to /etc/selinux/targeted/contexts/netfilter_contexts. libsemanage.semanage_install_active: Could not copy /etc/selinux/targeted/modules/active/netfilter_contexts to /etc/selinux/targeted/contexts/netfilter_contexts. semodule: Failed! type=AVC msg=audit(1154880996.523:64): avc: denied { write } for pid=7536 comm="semodule" name="contexts" dev=dm-0 ino=1081413 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir type=SYSCALL msg=audit(1154880996.523:64): arch=40000003 syscall=5 success=no exit=-13 a0=bf8f19e8 a1=241 a2=1a4 a3=1a4 items=0 ppid=7535 pid=7536 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null) type=AVC msg=audit(1154881005.684:65): avc: denied { getattr } for pid=7591 comm="python" name="__init__.py" dev=dm-0 ino=8587951 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file type=SYSCALL msg=audit(1154881005.684:65): arch=40000003 syscall=195 success=no exit=-13 a0=bff360b7 a1=bff35ba4 a2=4abd6ff4 a3=21 items=0 ppid=7590 pid=7591 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null) type=AVC_PATH msg=audit(1154881005.684:65): path="/usr/share/setroubleshoot/plugins/__init__.py" type=AVC msg=audit(1154881005.748:66): avc: denied { getattr } for pid=7591 comm="python" name="__init__.pyc" dev=dm-0 ino=8587952 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file type=SYSCALL msg=audit(1154881005.748:66): arch=40000003 syscall=195 success=no exit=-13 a0=bff360b7 a1=bff35ba4 a2=4abd6ff4 a3=21 items=0 ppid=1 pid=7591 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null) type=AVC_PATH msg=audit(1154881005.748:66): path="/usr/share/setroubleshoot/plugins/__init__.pyc" type=DAEMON_END msg=audit(1154881015.289:1851) auditd normal halt, sending auid=500 pid=7605 subj=system_u:system_, auditd pid=1898 type=DAEMON_START msg=audit(1154881017.336:6926) auditd start, ver=1.2.5, format=raw, auid=500 res=success, auditd pid=7620 type=CONFIG_CHANGE msg=audit(1154881017.468:69): audit_backlog_limit=256 old=256 by auid=500 subj=system_u:system_r:auditctl_t:s0 type=CONFIG_CHANGE msg=audit(1154881017.476:70): audit_enabled=1 old=1 by auid=500 subj=system_u:system_r:auditd_t:s0 type=AVC msg=audit(1154881024.357:71): avc: denied { use } for pid=7649 comm="restorecond" name="null" dev=tmpfs ino=1372 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=fd type=AVC msg=audit(1154881024.357:71): avc: denied { use } for pid=7649 comm="restorecond" name="null" dev=tmpfs ino=1372 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=fd type=SYSCALL msg=audit(1154881024.357:71): arch=40000003 syscall=11 success=yes exit=0 a0=83ae870 a1=83ae800 a2=83aea88 a3=83ae608 items=0 ppid=7648 pid=7649 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null) type=AVC_PATH msg=audit(1154881024.357:71): path="/dev/null" type=AVC_PATH msg=audit(1154881024.357:71): path="/dev/null" -- Tom London

1 1

Logrotate and Selinux
by Ian Marks 04 Aug '06

04 Aug '06

I am trying to set logrotate to rotate specific syslogged files outside of /var/log. My application is logging under /opt/app_name/log/. To allow syslog to be able to log/wite to this file, I had to set the appropriate context of the file to user_u:object_r:var_log_t. Since the file isn't under /var/log, I don't think the context will be preserved once it's been rotated, thus preventing syslog from writing to the file. What is the best fix for this in RHEL4. Thanks, Ian

1 0

Policy Module Packaging Guidelines (first draft)
by Paul Howarth 04 Aug '06

04 Aug '06

I've written up my thoughts on packaging policy modules with applications: http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules Fire away! Paul.

4 7

Audit logging
by Stuart James 04 Aug '06

04 Aug '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, For the purpose of PCI auditing, I am looking into doing a proper security trail particularly of users who su / sudo to root/system_r. - From PCI standards 10.5 Secure audit trails so they cannot be altered, including the following: 10.5.1 Limit viewing of audit trails to those with a job-related need. 10.5.2 Protect audit trail files from unauthorized modifications. 10.5.3 Promptly back-up audit trail files to a centralized log server or media that is difficult to alter To begin i have ventured into using Auditctl and defining a few rules to start with. Would it be best to write a custom selinux policy to log all system_r commands / syscalls so someone could not just turn off the auditd. Currently we already use Syslog-ng, which hopefully we can incorporate auditd to log to the central syslog servers. The rules I have played with by adding to /etc/audit.rules (among others) (we use auid 999 for testing) - -a entry,always -F uid=0 -F auid=999 -S open -S exit - -a task,always -F uid=0 -F auid=999 The problem is, i get tons of syscalls for applications such as sshd and tail type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2 success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418 auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255 Would it be possible to use the "exclude" for auditctl, but i am unsure of how to not log sshd and tail without using a pid which can obviously change. Is auditctl the appropriate way to go about logging, or is it better to modify the selinux policy in some way. Thanks in advance, - -- Stuart James System Administrator DDI - (44) 0 1765 643354 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFE0g93r8LwOCpshrYRAiUHAJ9CyVFsNq7XLX7xHl0k4h5OUJ4YSwCgjtUb OJO2NkkAn8f1In6TsXTNF6Y= =zxA3 -----END PGP SIGNATURE-----

3 6

new httpd related avcs
by dragoran 03 Aug '06

03 Aug '06

hello today I found this in my logs running FC5 with targeted-policy: audit(1154611448.959:6): avc: denied { read } for pid=5341 comm="sh" name="[7359]" dev=eventpollfs ino=7359 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611449.099:7): avc: denied { read } for pid=5342 comm="sh" name="[7359]" dev=eventpollfs ino=7359 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611464.112:8): avc: denied { read } for pid=5345 comm="sh" name="[7361]" dev=eventpollfs ino=7361 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611464.164:9): avc: denied { read } for pid=5346 comm="sh" name="[7361]" dev=eventpollfs ino=7361 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611506.527:10): avc: denied { read } for pid=5351 comm="sh" name="[7365]" dev=eventpollfs ino=7365 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611506.571:11): avc: denied { read } for pid=5352 comm="sh" name="[7365]" dev=eventpollfs ino=7365 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611507.831:12): avc: denied { read } for pid=5354 comm="sh" name="[7358]" dev=eventpollfs ino=7358 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611507.919:13): avc: denied { read } for pid=5355 comm="sh" name="[7358]" dev=eventpollfs ino=7358 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611508.475:14): avc: denied { read } for pid=5357 comm="sh" name="[7362]" dev=eventpollfs ino=7362 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611508.531:15): avc: denied { read } for pid=5358 comm="sh" name="[7362]" dev=eventpollfs ino=7362 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611888.403:16): avc: denied { read } for pid=5392 comm="sh" name="[7361]" dev=eventpollfs ino=7361 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file audit(1154611888.447:17): avc: denied { read } for pid=5393 comm="sh" name="[7361]" dev=eventpollfs ino=7361 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file what is causing them? bug or something mislabled? httpd-2.2.2-1.2 selinux-policy-targeted-2.3.3-8.fc5

1 0

hotplug_t?
by Axel Thimm 02 Aug '06

02 Aug '06

Hi, after upgrading FC4 to FC5 and enabling selinux/targeted/permissive I see lot's of hotplug_t domains. Most prominently every bash login and the default ssh -l root domains (before newrole) are such. This doesn't look right, did the upgrade go wrong somewhere? Thanks! -- Axel.Thimm at ATrpms.net

4 16

smb can't access its own logfiles?
by dragoran 01 Aug '06

01 Aug '06

I got this erros: audit(1154259027.504:4): avc: denied { create } for pid=2610 comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir audit(1154259027.996:5): avc: denied { create } for pid=2613 comm="nmbd" name="cores" scontext=system_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:samba_log_t:s0 tclass=dir on a FC5 system running selinux-policy-targeted-2.3.2-1.fc5 and samba-3.0.23a-1.fc5.1 is this a known bug/regression or should I fill a bug report?

2 4

AVC on install of libutempter ?
by Tom London 01 Aug '06

01 Aug '06

After installing today's rawhide (selinux-policy-2.3.3-14), I 'yum install libutempter'. I believe the following occured then: type=USER_CHAUTHTOK msg=audit(07/29/2006 09:51:16.038:68) : user pid=4163 uid=root auid=tbl subj=user_u:system_r:groupadd_t:s0 msg='op=adding group acct=utempter exe=(hostname=?, addr=?, terminal=pts/0 res=success)' ---- type=PATH msg=audit(07/29/2006 09:51:16.042:69) : item=1 name=inode=7798798 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 type=PATH msg=audit(07/29/2006 09:51:16.042:69) : item=0 name=inode=8303056 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nscd_exec_t:s0 type=CWD msg=audit(07/29/2006 09:51:16.042:69) : cwd= type=EXECVE msg=audit(07/29/2006 09:51:16.042:69) : a0="/usr/sbin/nscd" a1="nscd" a2="-i" a3="group" type=AVC_PATH msg=audit(07/29/2006 09:51:16.042:69) : path= type=AVC_PATH msg=audit(07/29/2006 09:51:16.042:69) : path= type=SYSCALL msg=audit(07/29/2006 09:51:16.042:69) : arch=i386 syscall=execve success=yes exit=0 a0=804de0d a1=bf8131a4 a2=bf8131b8 a3=1 items=2 ppid=4163 pid=4164 auid=tbl uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=exe=subj=user_u:system_r:nscd_t:s0 key=(null) type=AVC msg=audit(07/29/2006 09:51:16.042:69) : avc: denied { read write } for pid=4164 comm=name=dev=dm-0 ino=853755 scontext=user_u:system_r:nscd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file type=AVC msg=audit(07/29/2006 09:51:16.042:69) : avc: denied { write } for pid=4164 comm=name=dev=dm-0 ino=854746 scontext=user_u:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file tom -- Tom London

3 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux August 2006