AVCs on eject from DVD creator
by Tom London
Running latest Rawhide, targeted/permissive.
Got this after burning a DVD with gnome-DVD-Creator (e.g., Places->DVD
Creator), and pressing the "Eject" button (running in Permissive
mode):
type=AVC msg=audit(1159390121.634:37): avc: denied { setexec } for
pid=4152 comm="userhelper" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=process
type=SYSCALL msg=audit(1159390121.634:37): arch=40000003 syscall=4
success=yes exit=34 a0=4 a1=84329d8 a2=22 a3=48de06a9 items=0
ppid=4151 pid=4152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="userhelper"
exe="/usr/sbin/userhelper" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1159390121.634:38): avc: denied { transition }
for pid=4152 comm="userhelper" name="eject" dev=dm-0 ino=5481735
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1159390121.634:38): avc: denied { siginh } for
pid=4152 comm="eject" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1159390121.634:38): avc: denied { rlimitinh } for
pid=4152 comm="eject" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1159390121.634:38): avc: denied { noatsecure }
for pid=4152 comm="eject" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1159390121.634:38): arch=40000003 syscall=11
success=yes exit=0 a0=84320e0 a1=bfef3550 a2=8432930 a3=2 items=0
ppid=4151 pid=4152 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="eject" exe="/usr/sbin/eject"
subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC_PATH msg=audit(1159390121.634:38): path="/usr/sbin/eject"
tom
--
Tom London
17 years, 7 months
MLS and Biba
by Salvo Giuffrida
Good morning, is it possible to configure the MLS policy, using
mlsconstraint, to enforce a Biba integrity model of security (no read down,
no write up), instead of the Bell-LaPadula (no read up, no write down)? I'm
reading the book "SELinux by Example", and there it's written that the
MLS facility in the Security Server is not very flexible, and only allows
enforcing the rules "no read up, no write down". But, if I'm the one
configuring the policy in the file "mls", shouldn't I be able to change the
rules to the opposite?
Thanks a lot...
17 years, 7 months
How to get unionfs work with SELinux on Fedora 5?
by Andreas Sachs
Hello
I'm running Fedora Core 5 Server with unionfs file system to merge some
directories and export them through nfs. SELinux is in enforcing mode and
the targeted-policy is selected. Unionfs is built with extended attributes
support (EXTRACFLAGS=-DUNIONFS_XATTR).
When I try to mount the union from a client I get a permission denied error
from the server.
The following is in my /var/log/messages on the server:
Nov 1 10:32:43 localhost kernel: SELinux: initialized (dev unionfs, type
unionfs), not configured for labeling
Nov 1 10:32:43 localhost kernel: audit(1162373563.375:109): avc: denied {
getattr } for pid=2021 comm="hald" name="/" dev=unionfs ino=744
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov 1 10:50:57 localhost kernel: audit(1162374657.604:110): avc: denied {
getattr } for pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov 1 10:50:57 localhost mountd[1810]: authenticated mount request from
192.168.1.13:1011 for /test (/test)
Nov 1 10:50:57 localhost kernel: audit(1162374657.632:111): avc: denied {
getattr } for pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744
scontext=system_u:system_r:nfsd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
Nov 1 10:50:57 localhost mountd[1810]: can't stat exported dir /test:
Permission denied
For Red Hat Enterprise Linux there is a workaround:
1. Install strict/targeted selinux policy sources
2. Open /etc/selinux/<policy_type>/src/policy/fs_use
3. Append "fs_use_xattr unionfs system_u:object_r:fs_t;"
4. Compile, install, and reload the selinux policy
How can I adapt the workaround to work on Fedora 5, because there are no
policy sources available?
How can I define "fs_use_xattr unionfs system_u:object_r:fs_t;" on Fedora
Core 5?
Thanks!
Andreas Sachs
17 years, 7 months
cupsd accessing afick.log clamd.log freshclam.log
by Vikram Goyal
Hello,
I am getting these avc denied messages. I am not sure if these should be
incorporated in local policy.
type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for
pid=14645 comm="cupsd" name="afick.log" dev=sda12 ino=643989
scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for
pid=14645 comm="cupsd" name="clamd.log" dev=sda12 ino=643867
scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=root:object_r:clamd_var_log_t:s0 tclass=file
type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for
pid=14645 comm="cupsd" name="freshclam.log" dev=sda12 ino=643915
scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=root:object_r:var_log_t:s0 tclass=file
audit2allow produces -
allow cupsd_t clamd_var_log_t:file { read write };
allow cupsd_t var_log_t:file { read write };
The installed versions are:
cups-1.2.3-1.6
clamav-0.88.4-21.fc5.at
afick-2.2-2.2.fc5.rf
Thanks!
--
vikram...
--
If in any problem you find yourself doing an immense amount of work, the
answer can be obtained by simple inspection.
Registered Linux User #285795
17 years, 7 months
selinux-policy.src
by Salvo Giuffrida
I installed the selinux-policy.src.rpm package, and I have the sources of
the reference policy in /usr/src/redhat/SOURCES/refpolicy. What is it? A
"base" policy on top of which all the others are developed? Where are the
sources of the targeted/strict policy?
Thanks a lot for the answers
17 years, 7 months
A few questions
by Salvo Giuffrida
Good morning, I have some questions regarding aspects of SELinux I don't
understand:
- The format of the file default_context in /etc/selinux/strict/contexts:
why are there some lines for cron? From what I know, this file is intended
to assign a default initial context to logged-in users. So, why there's also
cron? Because it starts processes (jobs)?
- What about the "identity" part of the security context? How is it filled?
- What makes the access control of SELinux "mandatory"? The fact that normal
users can't change the security policy?
- From what I understood, the root user in SELinux is partitioned into a lot
of domains, so, even if a program which runs as "sysadm_r:some_domain_t" is
compromised, the damage is limited to the domain, right? But, can't the
attacker transition to another domain using newrole, and do other damages,
and continue on?
- Why isn't there a "staff_r" role in Fedora?
Thanks a lot for the answers
17 years, 7 months
RE: How to apply new policy exactly?
by Benjamin Tsai
Thank you for the clarification. I have reconfigured selinux/config and
recompiled the policy the way I did it yesterday, but now I got another
error like this
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not copy
/etc/selinux/refpolicy/modules/active/policy.kern to
/etc/selinux/refpolicy/policy/policy.20.
/usr/sbin/semodule: Failed!
after make load.
In fact, I cannot find this file "policy.kern", nor any helpful
information on Google.
Please help me out, Thx. :)
Best Regards,
Benjamin Tsai
17 years, 7 months
.pp files
by Salvo Giuffrida
What is the function of the .pp files in
/etc/selinux/targeted/modules/active/modules?
I read a book from O'Reilly (SELinux - NSA's Open Source Security Enhanced
Linux) and there's no mention of their function...
Thanks a lot
17 years, 7 months
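Added example, not from any of the posts: the .pp files Salvo asks about are compiled policy packages (loadable modules), and the two audit2allow lines from Vikram's cupsd post are what such a module's source (.te) would contain. The script below writes that source and, where checkmodule and semodule_package are installed, compiles it to a .pp that semodule -i could load; the module name local_cupsd and the work directory are placeholders. One caveat a reviewer would raise before loading it: the rules give a print daemon write access to other services' logs, and read/write denials on files a process has no reason to open often come from descriptors inherited from a parent, so the cause is worth finding before the rules are allowed.

```shell
#!/bin/sh
# Added example: build a loadable SELinux policy package (.te -> .mod -> .pp)
# from audit2allow-style rules. Module name "local_cupsd" is a placeholder.
set -e

# write_te DIR: write DIR/local_cupsd.te with a require block for every type
# and class the rules reference (a module must declare what it uses), then
# the two rules from the cupsd post. Prints the path of the .te file.
write_te() {
    te="$1/local_cupsd.te"
    cat > "$te" <<'EOF'
module local_cupsd 1.0;

require {
    type cupsd_t;
    type var_log_t;
    type clamd_var_log_t;
    class file { read write };
}

# Rules exactly as printed by audit2allow; review them before loading.
allow cupsd_t clamd_var_log_t:file { read write };
allow cupsd_t var_log_t:file { read write };
EOF
    echo "$te"
}

# build_pp TE: compile the source with the policy toolchain. Prints the .pp
# path and returns 0, or returns 2 when the toolchain is not installed.
build_pp() {
    te="$1"
    base="${te%.te}"
    if ! command -v checkmodule >/dev/null 2>&1 ||
       ! command -v semodule_package >/dev/null 2>&1; then
        echo "checkmodule/semodule_package not found (packages checkpolicy, policycoreutils)" >&2
        return 2
    fi
    # -M: MLS/MCS-aware policy (needed for the s0 / c0.c255 contexts in the
    # denials), -m: build a loadable module rather than a base policy.
    checkmodule -M -m -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    echo "$base.pp"
}

work="$(mktemp -d)"
src="$(write_te "$work")"
echo "wrote policy source: $src"
if pp="$(build_pp "$src")"; then
    # Loading installs it under /etc/selinux/<policy>/modules/active/modules:
    echo "built $pp; load with: semodule -i $pp"
else
    echo "source written but not compiled (toolchain missing)"
fi
```

The require block is the part audit2allow -M generates for you and the part people most often get wrong when writing a .te by hand: every type and every class/permission pair the rules mention must be declared there, or checkmodule rejects the module.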
setrans_t *:dir search .....
by Tom London
Running latest rawhide, targeted/enforcing.
mcstransd wants to access the 'processID' directories in /proc, and
this is failing, e.g.:
type=AVC msg=audit(1158434177.034:15): avc: denied { search } for
pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530
scontext=system_u:system_r:setrans_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158434177.034:15): arch=40000003 syscall=5
success=no exit=-13 a0=9828568 a1=8000 a2=0 a3=8000 items=0 ppid=1
pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd"
subj=system_u:system_r:setrans_t:s0 key=(null)
type=AVC msg=audit(1158434177.038:16): avc: denied { search } for
pid=1914 comm="mcstransd" name="2348" dev=proc ino=153878530
scontext=system_u:system_r:setrans_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=dir
type=SYSCALL msg=audit(1158434177.038:16): arch=40000003 syscall=5
success=no exit=-13 a0=9828678 a1=8000 a2=0 a3=8000 items=0 ppid=1
pid=1914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="mcstransd" exe="/sbin/mcstransd"
subj=system_u:system_r:setrans_t:s0 key=(null)
Seems to be failing for crond_t, cupsd_t, udev_t, xdm_t
Also, 'ls -ldZ /proc/2348' fails in enforcing mode now:
[root@localhost proc]# ls -ldZ 2348
ls: 2348: Permission denied
[root@localhost proc]# getenforce
Enforcing
[root@localhost proc]# setenforce 0
[root@localhost proc]#
[root@localhost proc]# ls -ldZ 2348
dr-xr-xr-x root root system_u:system_r:crond_t:SystemLow-SystemHigh 2348
[root@localhost proc]#
[root@localhost proc]# setenforce 1
[root@localhost proc]#
tom
--
Tom London
17 years, 7 months
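Added example, not code from any of the posters: a small parser for the AVC denials quoted throughout this page (Tom's hald/userhelper and mcstransd records, Andreas's unionfs records in syslog form, Vikram's cupsd records), which collapses them into audit2allow-style rules the way the tool does and then flags the denials where an allow rule would be the wrong fix. The sample records are copied from the posts and rejoined onto one line each (the archive wraps them); the triage heuristics are this example's own, not part of audit2allow.

```python
import re
from collections import defaultdict

# Constructed sample built from the denials quoted in the posts, one record per
# line, in both the audit.log form ("type=AVC msg=audit(...)") and the syslog
# form ("kernel: audit(...)"). The SYSCALL record is there to show it is skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="afick.log" dev=sda12 ino=643989 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1159051843.723:565): avc: denied { read write } for pid=14645 comm="cupsd" name="clamd.log" dev=sda12 ino=643867 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:clamd_var_log_t:s0 tclass=file
Nov 1 10:50:57 localhost kernel: audit(1162374657.604:110): avc: denied { getattr } for pid=1810 comm="rpc.mountd" name="/" dev=unionfs ino=744 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1159390121.634:38): avc: denied { transition } for pid=4152 comm="userhelper" name="eject" dev=dm-0 ino=5481735 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1159390121.634:38): arch=40000003 syscall=11 success=yes exit=0 pid=4152 comm="eject"
"""

# "audit(<time>:<serial>): avc: denied { perms } for key=value ..."
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<rest>.*)"
)
# key=value pairs; values are either quoted ("cupsd") or bare (sda12, a context)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm", "?"),
        "name": kv.get("name", ""),
        "scontext": kv["scontext"],
        "tcontext": kv["tcontext"],
        "tclass": kv["tclass"],
    }


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def type_of(context):
    """user:role:type[:range] -> type, the field policy rules are written against."""
    return context.split(":")[2]


def to_allow_rules(records):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        perms[key].update(r["perms"])
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        body = " ".join(sorted(ps))
        if len(ps) > 1:
            body = "{ %s }" % body          # audit2allow braces multi-permission sets
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, body))
    return rules


def triage(records):
    """Flag denials where a plain allow rule would hide the real problem (heuristics)."""
    notes = []
    for r in records:
        stype, ttype = type_of(r["scontext"]), type_of(r["tcontext"])
        prefix = stype[:-2] if stype.endswith("_t") else stype   # cupsd_t -> cupsd
        where = "%s on %s (serial %d)" % (r["comm"], r["name"] or r["tclass"], r["serial"])
        if ttype == "unlabeled_t":
            notes.append("%s: target has no label; fix filesystem labeling "
                         "(fs_use / relabel), not the policy" % where)
        elif r["tclass"] == "process" and "transition" in r["perms"]:
            notes.append("%s: domain transition to %s denied; decide which domain "
                         "the child should run in before allowing it" % (where, ttype))
        elif "write" in r["perms"] and ttype.endswith("_log_t") and not ttype.startswith(prefix):
            notes.append("%s: write access to %s, a log type not owned by %s; confirm the "
                         "open is intended (e.g. an inherited descriptor)" % (where, ttype, stype))
    return notes


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("\n".join(to_allow_rules(recs)))
    print("\n".join(triage(recs)))
```

Two of the four sample rules are ones a practitioner would not load as printed: the unlabeled_t denial on the unionfs root is a labeling problem (the kernel message on the same page says the filesystem is "not configured for labeling"), and the cupsd rules grant write access to log files of unrelated services.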