List of operations
by Göran Uddeborg
Maybe this is a FAQ, but I haven't found it answered in any of the
FAQs I've looked through:
Is there some kind of documentation list over the available classes
and operations (permissions)?
Other concepts, like types and roles are defined in the policy, with
some luck together with a comment. In some cases there are even
manual pages, like httpd_selinux.
But the list of available classes and operations must be defined by
the kernel module if I understand things correctly. I could extract a
list from the flask/access_vectors file. But I would have liked
something with a sentence or so of explanation. Some names may be
self-explanatory, but many are not obvious. I'm imagining some kind
of list like the appendices of the O'Reilly book, but updated for the
current version. Does such a list exist somewhere? Or is it just in
my imagination? :-)
17 years, 1 month
Mounting the news spool
by Davide Bolcioni
Greetings,
while attempting to set up leafnode <http://leafnode.sourceforge.net> I
had a problem with mounting its spool, /var/spool/news:
Sep 14 00:36:11 camelot kernel: audit(1158186712.955:375): avc: denied
{ mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:news_spool_t:s0 tclass=dir
Using audit2why and then audit2allow I was able to come up with the
following .te policy:
module news 1.0;

require {
	class dir mounton;
	type mount_t;
	type news_spool_t;
	role system_r;
};

# Let the mount domain use a news_spool_t directory as a mount point.
allow mount_t news_spool_t:dir mounton;
which to my untrained eye looked good. Researching the archives before
writing this, however, I came upon the answer for a similar problem:
https://www.redhat.com/archives/fedora-selinux-list/2006-August/msg00096....
and found out that it would probably have been enough to label the
mount point mnt_t (haven't tried it yet). Assuming it works, how should
I have found out about it? I tried rpm -qd and found out about the
selinux-policy documentation, but nothing showed up for the targeted
policy. In this context, isn't audit2allow somewhat ... dangerous?
Or was it just a shortcoming in the leafnode RPM, so I should be looking
at what INN is doing instead?
Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.
17 years, 2 months
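As an added illustration (not from the list, and not the audit2allow tool's own code), here is a small Python parser that reads AVC records as they appear wrapped in mail, and re-derives the allow rules and the .te skeleton audit2allow would produce from them. The sample records are the mount denial from this post and one postfix denial from the FC5 thread below; the field handling is a simplification of the real tool, and whether the generated rule is the right fix (rather than relabeling the target, as suggested above) is still the reviewer's call.

```python
import re
from collections import defaultdict

# Constructed sample: the mount and postfix denials quoted in the posts above, wrapped as the mail client left them.
SAMPLE_LOG = """\
Sep 14 00:36:11 camelot kernel: audit(1158186712.955:375): avc: denied
{ mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:news_spool_t:s0 tclass=dir
type=AVC msg=audit(1159574724.622:397): avc: denied { read write }
for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870
scontext=system_u:system_r:postfix_local_t:s0
tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
"""
# A record runs from "avc: denied" to its tclass= field, even across wrapped lines.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
                    r"(?P<fields>.*?tclass=\S+)", re.DOTALL)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avcs(text):
    """Return one dict per denial: permissions, source type, target type, class."""
    denials = []
    for m in AVC_RE.finditer(text):
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({"perms": set(m.group("perms").split()),
                        "stype": f["scontext"].split(":")[2],  # user:role:type[:range]
                        "ttype": f["tcontext"].split(":")[2],
                        "tclass": f["tclass"]})
    return denials

def allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules, as audit2allow does."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append(f"allow {s} {t}:{c} {perm};")
    return rules

def render_module(name, version, denials):
    """Wrap the rules in a loadable .te skeleton with the require block they depend on."""
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]] |= d["perms"]
    req = [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    req += [f"\ttype {t};" for t in sorted({x for d in denials for x in (d["stype"], d["ttype"])})]
    return "\n".join([f"module {name} {version};", "", "require {", *req, "};", ""] + allow_rules(denials))
```

Running `render_module("news", "1.0", parse_avcs(SAMPLE_LOG)[:1])` reproduces the module shown in the post above, minus the `role system_r;` line that audit2allow also emitted.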
People running Postfix in FC5 not running Selinux?
by Stephen John Smoogen
I installed a system from the original FC5 disks and updated to latest
versions in yum repos. I changed over to postfix and found that it
wasn't working for some reason.. no errors to /var/log/messages or
/var/log/secure.. and I completely forgot for a day to look at audit.
When my brain turned back on I found that postfix didn't start because
it was trying to use a pam entry that I had put pam_tally.so in.
Woops. Fixed that.. but postfix still wouldn't start up.
This also showed me that my /etc/services file needed a relabel as I
had put in a more verbose one. So I did a complete system relabel in
case I missed something else.
postfix was able to start email but could not do a mailq
doing a mailq showed me things like
allow postfix_local_t initrc_var_run_t:file { read write };
allow postfix_showq_t initrc_var_run_t:file { read write };
type=AVC msg=audit(1159574724.622:397): avc: denied { read write }
for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870
scontext=system_u:system_r:postfix_local_t:s0
tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean
settings; check boolean settings.
You can see the necessary allow rules by running
audit2allow with this audit message as input.
type=AVC msg=audit(1159574753.636:398): avc: denied { read write }
for pid=2625 comm="showq" name="unix.showq" dev=dm-3 ino=163871
scontext=system_u:system_r:postfix_showq_t:s0
tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean
settings; check boolean settings.
You can see the necessary allow rules by running
audit2allow with this audit message as input.
Not sure what I should do next. Turning off the selinux
selinux-policy-targeted-2.3.7-2.fc5
selinux-policy-2.3.7-2.fc5
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
17 years, 2 months
question about semodule
by Sandra Rueda
Hello,
I was playing with semodule (trying to understand how it works) so I added
a module. Later I also played with refpolicy and monolithic building
(again trying to understand how it works).
Now I want to delete the module I loaded before and this is the message I
am getting from the system:
# semodule -v -r KnockServer
Attempting to remove module 'KnockServer':
Ok: return value of 0.
Committing changes:
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
semodule -l works fine (apparently) and one of the items in the list is
KnockServer and its version.
Is there any way to know why semodule -r is failing? What argument is
invalid?
I have other questions about modules: what is the relationship between the
modules and the binary policy file installed at
/etc/selinux/(strict|targeted)/policy? Does this file include just base
modules? If so, where are the files for non-base modules stored? Is it
another binary file?
Thanks in advance,
Sandra
17 years, 2 months
prelink_t AVC
by Tom London
Running latest Rawhide, targeted/enforcing.
Got this today:
type=AVC msg=audit(1159549607.591:47): avc: denied { read } for
pid=7982 comm="prelink" name="spamc" dev=dm-0 ino=5488531
scontext=system_u:system_r:prelink_t:s0
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1159549607.591:47): arch=40000003 syscall=5
success=no exit=-13 a0=93651a0 a1=8000 a2=0 a3=0 items=0 ppid=7973
pid=7982 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink"
subj=system_u:system_r:prelink_t:s0 key=(null)
tom
--
Tom London
17 years, 2 months
setroubleshoot messages/TypeError
by Tom London
Running latest rawhide, targeted/enforcing.
I see this in both /var/log/messages and
/var/log/setroubleshoot/setroubleshoot.log:
2006-09-28 10:25:45,359 [plugin.ERROR] failed to retrieve rpm info for [unknown]
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/setroubleshoot/util.py", line 117, in get_rpm_nvr_by_file_path
mi = ts.dbMatch(rpm.RPMTAG_BASENAMES, path)
TypeError: unknown key type
The following is added in /var/log/messages:
Sep 28 10:25:45 localhost setroubleshoot: SELinux is preventing
/usr/bin/vmnet-natd (unconfined_t) "node_bind" to [unknown]
(inaddr_any_node_t). See audit.log for complete SELinux messages.
id = 9503dabe-b132-4703-b7b5-7f7294aa5034
Here is the AVC from /var/log/audit/audit.log:
type=AVC msg=audit(1159464342.472:22): avc: denied { node_bind } for
pid=3523 comm="vmnet-natd" scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1159464342.472:22): arch=40000003 syscall=102
per=400000 success=no exit=-13 a0=2 a1=bfaf24f0 a2=8a98158 a3=7
items=0 ppid=3457 pid=3523 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="vmnet-natd"
exe="/usr/bin/vmnet-natd" subj=user_u:system_r:unconfined_t:s0
key=(null)
This is an AVC I get when the VMWare modules start up (I did a
'service vmware start' this time). [I leave the policy unmodified to
catch this as one of my 'testing' cases.]
tom
--
Tom London
17 years, 2 months
cupsd_t/hplip_etc_t AVCs configuring w/ browser interface
by Tom London
Running Rawhide, targeted/enforcing:
Get the following when attempting to 'add/modify' cups classes using
the browser interface (http://localhost:631). I'm guessing it's trying
to access /etc/hp:
[tbl@localhost hp]$ ls -lZ /etc/hp
-rw-r--r-- root root system_u:object_r:hplip_etc_t hplip.conf
[tbl@localhost hp]$
type=AVC msg=audit(1159399431.862:77): avc: denied { search } for
pid=4914 comm="hp" name="hp" dev=dm-0 ino=11108479
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1159399431.862:77): arch=40000003 syscall=5
success=no exit=-13 a0=804c305 a1=0 a2=1b6 a3=9518008 items=0
ppid=4913 pid=4914 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Putting it in permissive mode and browsing to 'Administration' page produces:
type=AVC msg=audit(1159400309.010:111): avc: denied { search } for
pid=5019 comm="hp" name="hp" dev=dm-0 ino=11108479
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=AVC msg=audit(1159400309.010:111): avc: denied { read } for
pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400309.010:111): arch=40000003 syscall=5
success=yes exit=4 a0=804c305 a1=0 a2=1b6 a3=806a008 items=0 ppid=5018
pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7
sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1159400309.014:112): avc: denied { getattr } for
pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400309.014:112): arch=40000003 syscall=197
success=yes exit=0 a0=4 a1=bf866cd8 a2=49872ff4 a3=806a008 items=0
ppid=5018 pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1159400309.014:112): path="/etc/hp/hplip.conf"
type=AVC msg=audit(1159400310.474:113): avc: denied { search } for
pid=5039 comm="python" name="hp" dev=dm-0 ino=11108479
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=AVC msg=audit(1159400310.474:113): avc: denied { getattr } for
pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400310.474:113): arch=40000003 syscall=195
success=yes exit=0 a0=99b4a98 a1=bfb26f88 a2=49872ff4 a3=99601b0
items=0 ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0
fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) comm="python"
exe="/usr/bin/python" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
key=(null)
type=AVC_PATH msg=audit(1159400310.474:113): path="/etc/hp/hplip.conf"
type=AVC msg=audit(1159400310.474:114): avc: denied { read } for
pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400310.474:114): arch=40000003 syscall=5
success=yes exit=4 a0=99b4a98 a1=8000 a2=1b6 a3=99d2070 items=0
ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
egid=7 sgid=7 fsgid=7 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
tom
--
Tom London
17 years, 2 months
Two issues
by Richard Irving
Hi,
I am having two issues with FC5 (x86_64) and selinux....
First, it appears the system is having a problem logging AVC's:
===================================================================
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC
avc: received policyload notice (seqno=4) : exe="?" (sauid=81,
hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC
avc: 2 AV entries and 2/512 buckets used, longest chain length 1 :
exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC
avc: received policyload notice (seqno=4) : exe="/bin/dbus-daemon"
(sauid=500, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC
avc: 0 AV entries and 0/512 buckets used, longest chain length 0 :
exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
================================================================
And second, I was working on a hand edited local.te, as selinux is
preventing vsftpd from creating files in users home directories...
When running the policy compiler, I get.....
========================================================================
(unknown source)::ERROR 'permission write is not defined for class dir'
at token ';' on line 22:
allow ftpd_t user_home_dir_t:dir { getattr read search write };
allow ftpd_t user_home_t:dir { getattr read search write };
===============================================================
And it appears "write" is no longer a valid attribute for directories?
What is its replacement? The AVC is calling it a "write" problem...
and audit2allow says the correcting line should be:
allow ftpd_t user_home_dir_t:dir write;
Am I missing something?
TIA!
17 years, 2 months
allow_domains_use_tty message in today's update
by Tom London
Running latest Rawhide, targeted/enforcing.
Get the following message during today's update:
libsepol.sepol_genbools_array: boolean allow_domains_use_tty no longer in policy
tom
--
Tom London
17 years, 2 months