September 2006 - selinux - Fedora Mailing-Lists

by Tom London

Running latest Rawhide, targeted/permissive. Got this after burning a DVD with gnome-DVD-Creator (e.g., Places->DVD Creator), and pressing the "Eject" button (running in Permissive mode): type=AVC msg=audit(1159390121.634:37): avc: denied { setexec } for pid=4152 comm="userhelper" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process type=SYSCALL msg=audit(1159390121.634:37): arch=40000003 syscall=4 success=yes exit=34 a0=4 a1=84329d8 a2=22 a3=48de06a9 items=0 ppid=4151 pid=4152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="userhelper" exe="/usr/sbin/userhelper" subj=system_u:system_r:hald_t:s0 key=(null) type=AVC msg=audit(1159390121.634:38): avc: denied { transition } for pid=4152 comm="userhelper" name="eject" dev=dm-0 ino=5481735 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process type=AVC msg=audit(1159390121.634:38): avc: denied { siginh } for pid=4152 comm="eject" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process type=AVC msg=audit(1159390121.634:38): avc: denied { rlimitinh } for pid=4152 comm="eject" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process type=AVC msg=audit(1159390121.634:38): avc: denied { noatsecure } for pid=4152 comm="eject" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process type=SYSCALL msg=audit(1159390121.634:38): arch=40000003 syscall=11 success=yes exit=0 a0=84320e0 a1=bfef3550 a2=8432930 a3=2 items=0 ppid=4151 pid=4152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="eject" exe="/usr/sbin/eject" subj=system_u:system_r:unconfined_t:s0 key=(null) type=AVC_PATH msg=audit(1159390121.634:38): path="/usr/sbin/eject" tom -- Tom London

17 years, 7 months

1
0
0 / 0

MLS and Biba

by Salvo Giuffrida

Good morning, is it possible to configure the MLS policy, using mlsconstraint, to enforce a Biba integrity model of security (no read down, no write up), instead of the Bell-LaPadula (no read up, no write down)? I'm reading the book "SELinux by example", and there there's written that the MLS facility in the Security Server is not very flexible, and allows only to enforce the rules "no read up, no write down". But, if I'm the one configuring the policy in the file "mls", shouldn't I be able to change the rules to the opposite? Thanks a lot... _________________________________________________________________ Blocca le pop-up pubblicitarie con MSN Toolbar! http://toolbar.msn.it/

17 years, 7 months

2
1
0 / 0

How to get unionfs work with SELinux on Fedora 5?

by Andreas Sachs

Hello I'm running Fedora Core 5 Server with unionfs file system to merge some directories and export them through nfs. SELinux is in enforcing mode and the targeted-policy is selected. Unionfs is build with extended attributes support (EXTRACFLAGS=-DUNIONFS_XATTR). When I try to mount the union from a client I get a permission denied error from server. The following is in my /var/log/messages on the server: Nov 1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs, type unionfs), not configured for labeling Nov 1 10:32:43 localhost kernel: audit(1162373563.375:109): avc: denied { getattr } for pid=2021 comm="hald" name="/" dev=unionfs ino=744 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir Nov 1 10:50:57 localhost kernel: audit(1162374657.604:110): avc: denied { getattr } for pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir Nov 1 10:50:57 localhost mountd[1810]: authenticated mount request from 192.168.1.13:1011 for /test (/test) Nov 1 10:50:57 localhost kernel: audit(1162374657.632:111): avc: denied { getattr } for pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir Nov 1 10:50:57 localhost mountd[1810]: can't stat exported dir /test: Permission denied For the Red Hat Enterprise Linux there is a workaround: 1. Install strict/targetted selinux policy sources 2. Open /etc/selinux/<policy_type>/src/policy/fs_use 3. Append "fs_use_xattr unionfs system_u:object_r:fs_t;" 4. Compile, install, and reload the selinux policy How can I adopt the workaround to work on Fedora 5, because there are no policy sources available? How can I define "fs_use_xattr unionfs system_u:object_r:fs_t;" on Fedora Core 5? Thanks! Andreas Sachs

17 years, 7 months

2
1
0 / 0

cupsd accessing afick.log clamd.log freshclam.log

by Vikram Goyal

Hello, I am getting these avc denied messages. I am not sure if these should be incorporated in local policy. type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="afick.log" dev=sda12 ino=643989 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_log_t:s0 tclass=file type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="clamd.log" dev=sda12 ino=643867 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:clamd_var_log_t:s0 tclass=file type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="freshclam.log" dev=sda12 ino=643915 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_log_t:s0 tclass=file audit2allow produces - allow cupsd_t clamd_var_log_t:file { read write }; allow cupsd_t var_log_t:file { read write }; The installed versions are: cups-1.2.3-1.6 clamav-0.88.4-21.fc5.at afick-2.2-2.2.fc5.rf Thanks! -- vikram... |||||||| |||||||| ^^'''''^^||root||^^^'''''''^^ // \\ )) //(( \\// \\ // /\\ || \\ || / )) (( \\ -- If in any problem you find yourself doing an immense amount of work, the answer can be obtained by simple inspection. -- ~|~ = Registered Linux User #285795

17 years, 7 months

3
3
0 / 0

segatex RPM version released

by shintaro_fujiwara

Hi. I'm writing a SELinux tool named segatex. Mainly for beginners using targeted policy. I released RPM version a few minutes ago. You can download from http://sourceforge.net/projects/segatex/ Thanks.

17 years, 7 months

1
0
0 / 0

selinux-policy.src

by Salvo Giuffrida

I installed the selinux-policy.src.rpm package, and I have the sources of the reference policy in /usr/src/redhat/SOURCES/refpolicy. What is it? A "base" policy on top of which all the other are developed? Where are the sources of the targeted/strict policy? Thanks a lot for the answers _________________________________________________________________ Scarica gratuitamente MSN Toolbar! http://toolbar.msn.it/

17 years, 7 months

2
1
0 / 0

A few questions

by Salvo Giuffrida

Good morning, I have some questions regarding aspects of SELinux I don't understand: - The format of the file default_context in /etc/selinux/strict/contexts: why are there some lines for cron? From what I know, this file is intended to assign a default initial context to logged-in users. So, why there's also cron? Because it starts processes (jobs)? - What about the "identity" part of the security context? How is filled? - What makes the access control of SELinux "mandatory"? The fact that normal users can't change the security policy? - From what I understood, the root user in SELinux is partitioned into a lot of domains, so, even if I program which runs as "sysadm_r:some_domain_t" is compromised, the damage is limited to the domain, right? But, can't the attacker transition to another domain using newrole, and do other damages, and continue on? - Why in the Fedora there isn't the "staff_r" role? Thanks a lot for the answers _________________________________________________________________ Blocca le pop-up pubblicitarie con MSN Toolbar! http://toolbar.msn.it/

17 years, 7 months

5
10
0 / 0

RE: How to apply new policy exactly?

by Benjamin Tsai

Thank you for the clarification. I have reconfigured selinux/config and recompile policy as the way I did it yesterday, but now I got another error like this /usr/sbin/load_policy: Can't load policy: Invalid argument libsemanage.semanage_reload_policy: load_policy returned error code 2. libsemanage.semanage_install_active: Could not copy /etc/selinux/refpolicy/modules/active/policy.kern to /etc/selinux/refpolicy/policy/policy.20. /usr/sbin/semodule: Failed! after make load. In fact, I cannot find this file "policy.kern", neither some helpful information on Google. Please help me out, Thx. :) Best Regards, Benjamin Tsai

17 years, 7 months

4
11
0 / 0

.pp files

by Salvo Giuffrida

What is the function of the .pp files in /etc/selinux/targeted/modules/active/modules? I read a book from O'Reilly (SELinux - NSA's Open Source Security Enhanced Linux) and there's no mention of their function... Thanks a lot _________________________________________________________________ Ricerche online più semplici e veloci con MSN Toolbar! http://toolbar.msn.it/

17 years, 7 months

4
6
0 / 0

setrans_t *:dir search .....

by Tom London

Running latest rawhide, targeted/enforcing. mctransd wants to access the 'processID' directories in /proc, and this is failing, e.g.: type=AVC msg=audit(1158434177.034:15): avc: denied { search } for pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530 scontext=system_u:system_r:setrans_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir type=SYSCALL msg=audit(1158434177.034:15): arch=40000003 syscall=5 success=no exit=-13 a0=9828568 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" subj=system_u:system_r:setrans_t:s0 key=(null) type=AVC msg=audit(1158434177.038:16): avc: denied { search } for pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530 scontext=system_u:system_r:setrans_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir type=SYSCALL msg=audit(1158434177.038:16): arch=40000003 syscall=5 success=no exit=-13 a0=9828678 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd" subj=system_u:system_r:setrans_t:s0 key=(null) Seems to be failing for crond_t, cupd_t, udev_t, xdm_t Also, 'ls -ldZ /proc/2348' fails in enforcing mode now: [root@localhost proc]# ls -ldZ 2348 ls: 2348: Permission denied [root@localhost proc]# getenforce Enforcing [root@localhost proc]# setenforce 0 [root@localhost proc]# [root@localhost proc]# ls -ldZ 2348 dr-xr-xr-x root root system_u:system_r:crond_t:SystemLow-SystemHigh 2348 [root@localhost proc]# [root@localhost proc]# setenforce 1 [root@localhost proc]# tom -- Tom London

17 years, 7 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux September 2006