sharing a partition between FC3 and FC5
by D. Hugh Redelmeier
[I sent this to fedora-list(a)redhat.com a couple of minutes ago. I
apologize for cross-posting.]
I installed 32-bit Fedora Core 5 on an Athlon-64 box. I intended this
installation to co-exist with a 64-bit Fedora Core 3 installation.
The two installations share a /home ext3 partition and the swap partition.
This is often how I do upgrades: a dual boot system with both old and
new bootable.
The problem is that the FC5 installation did something to
the /home partition that prevents the FC3 from mounting it.
When I manually try a mount of /home from FC3, the useless
mount-failure message is preceded by these messages. I think that
they are the key:
inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
(In dmesg, these two messages were preceded by these that might be relevant:
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda5, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda5, type ext3), uses xattr
)
(The useless mount failure message is:
mount: wrong fs type, bad option, bad superblock on /dev/hda5
or too many mounted file systems
This message is disgracefully non-specific.)
I think that this is a problem with SELinux. The following thread
looks relevant but unhelpful:
http://www.redhat.com/archives/fedora-selinux-list/2006-April/msg00002.html
It provides a solution (I hope) for FC4 but FC3 would not have such an update.
I tried using enforcing=0 on the FC3 kernel command line, but nothing changed.
I thought ext3 was compatible between Fedora releases. Unfortunately,
SELinux seems to have made things a lot more brittle.
==> Is there something simple that I can do to allow the existing
/home ext3 partition to be shared between FC3 and FC5?
==> What does the error message mean?
inode 2 is the root of the filesystem.
It appears that kernel routine inode_doinit_with_dentry is calling context_to_sid
and context_to_sid is returning EINVAL (because the context was invalid).
But even knowing that, I don't know what it actually means or is caused by.
(By the way, if FC5 worked well, it might not matter. Unfortunately,
there is some regression in xorg that prevents dual-head working
properly on FC5 where it did on FC3.)
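As an added example that is not part of the original post, the script below parses the two dmesg lines quoted above, decodes the errno the kernel reports (22 is EINVAL on Linux), and splits the rejected label into its fields. The fourth field, `s0`, is an MLS level. The assumption made here, which the post does not state, is that the FC3 kernel and policy predate MLS support and therefore cannot parse a label that carries a level, which is why only the older release fails; `policy_has_mls` is a hypothetical flag standing in for what the running kernel supports, and the sample input is constructed from the post's own lines.

```python
"""Decode 'context_to_sid(...) returned N' messages from dmesg.

Added example, not part of the original post. The running policy's MLS
support is passed in as a flag because the script cannot ask a different
kernel what it accepts.
"""
import errno
import re

# Constructed sample: the dmesg lines quoted in the post above.
SAMPLE_DMESG = """\
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda5, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: initialized (dev hda5, type ext3), uses xattr
inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
"""

LINE_RE = re.compile(
    r"context_to_sid\((?P<context>[^)]*)\) returned (?P<err>\d+) "
    r"for dev=(?P<dev>\S+) ino=(?P<ino>\d+)"
)

ROOT_INODE = 2  # ext2/ext3 keep the root directory in inode 2


def parse_context(context):
    """Split 'user:role:type[:level]' into fields; level is None when absent."""
    # split at most 3 times: an MLS level can itself contain ':' (s0:c0.c255)
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_line(line):
    """Extract context, errno, device and inode from one kernel message."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    err = int(m.group("err"))
    return {"context": m.group("context"), "errno": err,
            "errname": errno.errorcode.get(err, "E%d" % err),
            "dev": m.group("dev"), "ino": int(m.group("ino"))}


def diagnose(text, policy_has_mls=False):
    """One finding per distinct (dev, ino, context) the kernel rejected.

    policy_has_mls (assumed flag): whether the kernel that printed these
    lines runs an MLS-capable policy. A label with a level field cannot be
    parsed by a policy without MLS support, which surfaces as EINVAL here.
    """
    seen, findings = set(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["dev"], rec["ino"], rec["context"])
        if key in seen:          # the kernel repeats the message; report once
            continue
        seen.add(key)
        fields = parse_context(rec["context"])
        reasons = []
        if fields["level"] is not None and not policy_has_mls:
            reasons.append("label carries MLS level %r but the running policy "
                           "has no MLS support" % fields["level"])
        if rec["ino"] == ROOT_INODE:
            reasons.append("inode %d is the filesystem root, so the whole mount "
                           "is affected" % ROOT_INODE)
        findings.append(dict(rec, reasons=reasons, **fields))
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_DMESG):
        print("%s ino=%d %s on %r: %s" % (f["dev"], f["ino"], f["errname"],
                                           f["context"], "; ".join(f["reasons"])))
```

The script only explains why the label was rejected; it changes nothing on disk. Run it over `dmesg` output on the release that refuses the mount, with `policy_has_mls` set to what that kernel actually supports.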
strict error message
by Richard Hally
I've been getting the following error message when updating with yum:
> Updating : selinux-policy-strict ####################### [26/66]
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).
> /etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0).
Do I need to bugzilla this?
Richard
borkage during today's updates....
by Tom London
Running rawhide, targeted/enforcing.
Updates today produced the following during 'yumex'.
tom
libsemanage.semanage_install_active: Could not copy
/etc/selinux/targeted/modules/active/netfilter_contexts to
/etc/selinux/targeted/contexts/netfilter_contexts.
libsemanage.semanage_install_active: Could not copy
/etc/selinux/targeted/modules/active/netfilter_contexts to
/etc/selinux/targeted/contexts/netfilter_contexts.
semodule: Failed!
type=AVC msg=audit(1154880996.523:64): avc: denied { write } for
pid=7536 comm="semodule" name="contexts" dev=dm-0 ino=1081413
scontext=system_u:system_r:semanage_t:s0
tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1154880996.523:64): arch=40000003 syscall=5
success=no exit=-13 a0=bf8f19e8 a1=241 a2=1a4 a3=1a4 items=0 ppid=7535
pid=7536 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="semodule" exe="/usr/sbin/semodule"
subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1154881005.684:65): avc: denied { getattr } for
pid=7591 comm="python" name="__init__.py" dev=dm-0 ino=8587951
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1154881005.684:65): arch=40000003 syscall=195
success=no exit=-13 a0=bff360b7 a1=bff35ba4 a2=4abd6ff4 a3=21 items=0
ppid=7590 pid=7591 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1154881005.684:65):
path="/usr/share/setroubleshoot/plugins/__init__.py"
type=AVC msg=audit(1154881005.748:66): avc: denied { getattr } for
pid=7591 comm="python" name="__init__.pyc" dev=dm-0 ino=8587952
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1154881005.748:66): arch=40000003 syscall=195
success=no exit=-13 a0=bff360b7 a1=bff35ba4 a2=4abd6ff4 a3=21 items=0
ppid=1 pid=7591 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1154881005.748:66):
path="/usr/share/setroubleshoot/plugins/__init__.pyc"
type=DAEMON_END msg=audit(1154881015.289:1851) auditd normal halt,
sending auid=500 pid=7605 subj=system_u:system_, auditd pid=1898
type=DAEMON_START msg=audit(1154881017.336:6926) auditd start,
ver=1.2.5, format=raw, auid=500 res=success, auditd pid=7620
type=CONFIG_CHANGE msg=audit(1154881017.468:69):
audit_backlog_limit=256 old=256 by auid=500
subj=system_u:system_r:auditctl_t:s0
type=CONFIG_CHANGE msg=audit(1154881017.476:70): audit_enabled=1 old=1
by auid=500 subj=system_u:system_r:auditd_t:s0
type=AVC msg=audit(1154881024.357:71): avc: denied { use } for
pid=7649 comm="restorecond" name="null" dev=tmpfs ino=1372
scontext=system_u:system_r:restorecond_t:s0
tcontext=system_u:system_r:rpm_script_t:s0 tclass=fd
type=AVC msg=audit(1154881024.357:71): avc: denied { use } for
pid=7649 comm="restorecond" name="null" dev=tmpfs ino=1372
scontext=system_u:system_r:restorecond_t:s0
tcontext=system_u:system_r:rpm_script_t:s0 tclass=fd
type=SYSCALL msg=audit(1154881024.357:71): arch=40000003 syscall=11
success=yes exit=0 a0=83ae870 a1=83ae800 a2=83aea88 a3=83ae608 items=0
ppid=7648 pid=7649 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="restorecond"
exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0
key=(null)
type=AVC_PATH msg=audit(1154881024.357:71): path="/dev/null"
type=AVC_PATH msg=audit(1154881024.357:71): path="/dev/null"
--
Tom London
Logrotate and Selinux
by Ian Marks
I am trying to set logrotate to rotate specific syslogged files outside
of /var/log. My application is logging under /opt/app_name/log/. To
allow syslog to be able to log/write to this file, I had to set the
appropriate context of the file to user_u:object_r:var_log_t. Since the
file isn't under /var/log, I don't think the context will be preserved
once it's been rotated, thus preventing syslog from writing to the
file. What is the best fix for this in RHEL4?
Thanks,
Ian
Audit logging
by Stuart James
Hi,
For the purpose of PCI auditing, I am looking into doing a proper
security trail particularly of users who su / sudo to root/system_r.
From PCI standards
10.5 Secure audit trails so they cannot be altered, including the
following:
10.5.1 Limit viewing of audit trails to those with a
job-related need.
10.5.2 Protect audit trail files from unauthorized
modifications.
10.5.3 Promptly back-up audit trail files to a
centralized log server or media that is difficult to alter
To begin, I have ventured into using Auditctl and defining a
few rules to start with.
Would it be best to write a custom selinux policy to log all system_r
commands / syscalls so someone could not just turn off the auditd?
Currently we already use Syslog-ng, which hopefully we can incorporate
auditd to log to the central syslog servers.
The rules I have played with by adding to /etc/audit.rules (among
others)
(we use auid 999 for testing)
-a entry,always -F uid=0 -F auid=999 -S open -S exit
-a task,always -F uid=0 -F auid=999
The problem is, I get tons of syscalls for applications such as sshd
and tail
type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2
success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418
auid=XXX uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
Would it be possible to use the "exclude" for auditctl, but I am
unsure of how to not log sshd and tail without using a pid which can
obviously change.
Is auditctl the appropriate way to go about logging, or is it better to
modify the selinux policy in some way?
Thanks in advance,
--
Stuart James
System Administrator
DDI - (44) 0 1765 643354
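The following script is an added example, not code from Tom London's or Stuart James's posts. It takes raw auditd lines such as those quoted in the two posts, groups the AVC, SYSCALL and AVC_PATH records that share one `audit(timestamp:serial)` event id, and emits one summary per event. That serves both posts: for a denial it reports which process and executable hit it and against which target type, role and object class (the semodule denial above shows the target directory carried `default_context_t`, a type semanage_t was not allowed to write), and for a syscall trail it counts records per program so that chatty sources such as sshd can be dropped by an exclude list after the fact. The sample records are constructed from this page (cut to one line each, plus one AVC in the bare kernel-log form that also appears on the page); the auid redacted as XXX is set to 999 because that post names 999 as its test auid. Grouping by serial number and the object_r role test are the only assumptions beyond the audit record format itself.

```python
"""Correlate raw auditd records into events and filter noisy sources.

Added example; not code from the posts above. Handles the raw audit.log
format (type=... msg=audit(ts:serial): ...) and the bare kernel-log form
(audit(ts:serial): avc: ...), but not the interpreted output of ausearch -i.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, cut down from records quoted on this page. The auid that
# one post redacts as XXX is set to 999 here, the test auid that post mentions.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1154880996.523:64): avc: denied { write } for pid=7536 comm="semodule" name="contexts" dev=dm-0 ino=1081413 scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1154880996.523:64): arch=40000003 syscall=5 success=no exit=-13 a0=bf8f19e8 a1=241 a2=1a4 a3=1a4 items=0 ppid=7535 pid=7536 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="semodule" exe="/usr/sbin/semodule" subj=system_u:system_r:semanage_t:s0 key=(null)
type=AVC msg=audit(1154881005.684:65): avc: denied { getattr } for pid=7591 comm="python" name="__init__.py" dev=dm-0 ino=8587951 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1154881005.684:65): arch=40000003 syscall=195 success=no exit=-13 a0=bff360b7 a1=bff35ba4 a2=4abd6ff4 a3=21 items=0 ppid=7590 pid=7591 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC_PATH msg=audit(1154881005.684:65): path="/usr/share/setroubleshoot/plugins/__init__.py"
type=SYSCALL msg=audit(1154617455.081:67195): arch=c000003e syscall=2 success=yes exit=4 a0=2aaaabf9b375 a1=0 a2=1b6 a3=0 items=1 pid=25418 auid=999 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
audit(1154611448.959:6): avc: denied { read } for pid=5341 comm="sh" name="[7359]" dev=eventpollfs ino=7359 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
"""

HEAD_RE = re.compile(
    r"^(?:type=(?P<type>\w+) msg=)?audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")


def parse_record(line):
    """Turn one audit line into a dict of its key=value fields, or None."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rec = {"type": m.group("type") or ("AVC" if body.startswith("avc:") else "UNKNOWN"),
           "event": (m.group("ts"), int(m.group("serial")))}
    pm = PERM_RE.search(body)
    if pm:
        rec["perms"] = pm.group(1).split()
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def group_events(text):
    """Group records by their audit(ts:serial) id, the glue between AVC and SYSCALL."""
    events = defaultdict(lambda: {"avc": [], "syscall": None, "paths": []})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["event"]]
        if rec["type"] == "AVC":
            ev["avc"].append(rec)
        elif rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "AVC_PATH" and "path" in rec:
            ev["paths"].append(rec["path"])
    return dict(events)


def split_context(ctx):
    """user:role:type[:level] -> dict (the level, if any, is left out)."""
    user, role, stype = ctx.split(":", 3)[:3]
    return {"user": user, "role": role, "type": stype}


def summarize(events, exclude_comm=()):
    """One row per event in time order, skipping processes named in exclude_comm."""
    rows = []
    for event_id in sorted(events):
        ev = events[event_id]
        sc = ev["syscall"] or {}
        comm = sc.get("comm") or (ev["avc"][0].get("comm") if ev["avc"] else None)
        if comm in exclude_comm:
            continue
        row = {"serial": event_id[1], "comm": comm, "exe": sc.get("exe"),
               "success": sc.get("success"), "paths": ev["paths"], "denials": []}
        for avc in ev["avc"]:
            tgt = split_context(avc["tcontext"])
            row["denials"].append({
                "perms": avc.get("perms", []),
                "source": split_context(avc["scontext"])["type"],
                "target": tgt["type"],
                "tclass": avc["tclass"],
                # object_r marks a labelled file or directory, so a denial there
                # may be a labelling problem; any other role means the target is
                # another process's resource (an inherited fd, for instance)
                "target_is_object": tgt["role"] == "object_r",
            })
        rows.append(row)
    return rows


def count_by_comm(events):
    """How many SYSCALL records each program produced: the noise ranking."""
    return Counter(ev["syscall"]["comm"] for ev in events.values() if ev["syscall"])


if __name__ == "__main__":
    evs = group_events(SAMPLE_AUDIT)
    print("syscall records by comm:", dict(count_by_comm(evs)))
    for row in summarize(evs, exclude_comm={"sshd"}):
        for d in row["denials"]:
            print("%s %s: %s -> %s (%s) denied %s object=%s paths=%s" % (
                row["serial"], row["comm"], d["source"], d["target"], d["tclass"],
                " ".join(d["perms"]), d["target_is_object"], row["paths"]))
```

Filtering after the fact keeps the rule set simple and the raw trail complete, which is what PCI 10.5 asks for; `count_by_comm` tells you which programs dominate the volume before you decide what to exclude in reporting. On the question of someone simply turning auditd off, `auditctl -e 2` locks the audit configuration until the next reboot, so the rule set cannot be changed or disabled by a running process.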
new httpd related avcs
by dragoran
hello
today I found this in my logs running FC5 with targeted-policy:
audit(1154611448.959:6): avc: denied { read } for pid=5341 comm="sh"
name="[7359]" dev=eventpollfs ino=7359
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611449.099:7): avc: denied { read } for pid=5342 comm="sh"
name="[7359]" dev=eventpollfs ino=7359
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611464.112:8): avc: denied { read } for pid=5345 comm="sh"
name="[7361]" dev=eventpollfs ino=7361
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611464.164:9): avc: denied { read } for pid=5346 comm="sh"
name="[7361]" dev=eventpollfs ino=7361
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611506.527:10): avc: denied { read } for pid=5351 comm="sh"
name="[7365]" dev=eventpollfs ino=7365
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611506.571:11): avc: denied { read } for pid=5352 comm="sh"
name="[7365]" dev=eventpollfs ino=7365
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611507.831:12): avc: denied { read } for pid=5354 comm="sh"
name="[7358]" dev=eventpollfs ino=7358
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611507.919:13): avc: denied { read } for pid=5355 comm="sh"
name="[7358]" dev=eventpollfs ino=7358
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611508.475:14): avc: denied { read } for pid=5357 comm="sh"
name="[7362]" dev=eventpollfs ino=7362
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611508.531:15): avc: denied { read } for pid=5358 comm="sh"
name="[7362]" dev=eventpollfs ino=7362
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611888.403:16): avc: denied { read } for pid=5392 comm="sh"
name="[7361]" dev=eventpollfs ino=7361
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
audit(1154611888.447:17): avc: denied { read } for pid=5393 comm="sh"
name="[7361]" dev=eventpollfs ino=7361
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=file
what is causing them?
bug or something mislabeled?
httpd-2.2.2-1.2
selinux-policy-targeted-2.3.3-8.fc5
hotplug_t?
by Axel Thimm
Hi,
after upgrading FC4 to FC5 and enabling selinux/targeted/permissive I
see lots of hotplug_t domains. Most prominently every bash login and
the default ssh -l root domains (before newrole) are such. This
doesn't look right, did the upgrade go wrong somewhere?
Thanks!
--
Axel.Thimm at ATrpms.net
smb can't access its own logfiles?
by dragoran
I got these errors:
audit(1154259027.504:4): avc: denied { create } for pid=2610
comm="smbd" name="cores" scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
audit(1154259027.996:5): avc: denied { create } for pid=2613
comm="nmbd" name="cores" scontext=system_u:system_r:nmbd_t:s0
tcontext=system_u:object_r:samba_log_t:s0 tclass=dir
on a FC5 system running
selinux-policy-targeted-2.3.2-1.fc5 and samba-3.0.23a-1.fc5.1
is this a known bug/regression or should I file a bug report?
AVC on install of libutempter ?
by Tom London
After installing today's rawhide (selinux-policy-2.3.3-14), I 'yum
install libutempter'. I believe the following occurred then:
type=USER_CHAUTHTOK msg=audit(07/29/2006 09:51:16.038:68) : user
pid=4163 uid=root auid=tbl subj=user_u:system_r:groupadd_t:s0
msg='op=adding group acct=utempter exe=(hostname=?, addr=?,
terminal=pts/0 res=success)'
----
type=PATH msg=audit(07/29/2006 09:51:16.042:69) : item=1
name=inode=7798798 dev=fd:00 mode=file,755 ouid=root ogid=root
rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(07/29/2006 09:51:16.042:69) : item=0
name=inode=8303056 dev=fd:00 mode=file,755 ouid=root ogid=root
rdev=00:00 obj=system_u:object_r:nscd_exec_t:s0
type=CWD msg=audit(07/29/2006 09:51:16.042:69) : cwd=
type=EXECVE msg=audit(07/29/2006 09:51:16.042:69) :
a0="/usr/sbin/nscd" a1="nscd" a2="-i" a3="group"
type=AVC_PATH msg=audit(07/29/2006 09:51:16.042:69) : path=
type=AVC_PATH msg=audit(07/29/2006 09:51:16.042:69) : path=
type=SYSCALL msg=audit(07/29/2006 09:51:16.042:69) : arch=i386
syscall=execve success=yes exit=0 a0=804de0d a1=bf8131a4 a2=bf8131b8
a3=1 items=2 ppid=4163 pid=4164 auid=tbl uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
comm=exe=subj=user_u:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(07/29/2006 09:51:16.042:69) : avc: denied { read
write } for pid=4164 comm=name=dev=dm-0 ino=853755
scontext=user_u:system_r:nscd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(07/29/2006 09:51:16.042:69) : avc: denied { write
} for pid=4164 comm=name=dev=dm-0 ino=854746
scontext=user_u:system_r:nscd_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file
tom
--
Tom London