Re: auditd fails to start on FC6 system, newer kernels effect?
by Steve G
> FC6 system, uptodate, kernel 2.6.24-rc3,
Where did this kernel come from & does it have the same config options that Fedora uses?
> but this has existed since I re-enabled
> selinux in permissive mode just to see what complained.
What happens when you boot a normal Fedora kernel?
> Connection refused sounds as if something else isn't running
> that should be, but no direct clue, so what else needs to
> run too, before auditd?
I have a feeling something is not right with the kernel if selinux is in permissive and it's failing to connect.
-Steve
16 years, 5 months
problems with /dev/slamr0, mknod/insmod
by Antonio Olivares
Dear all,
On a Fedora 8 machine with a clean install (I deleted Fedora 6 and started fresh), I get a warning about insmod as I did with Fedora 7. On Fedora 7 the problem went away, but on Fedora 8, setroubleshoot will warn me more than it did before, so I kindly ask for guidance as to how to generate policy to allow the /dev/slamr0 to run without problems with selinux.
avc: denied { setattr } for comm=chgrp dev=tmpfs egid=0 euid=0 exe=/bin/chgrp
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=slamr0 pid=1890
scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
I'll attach the selinux-alert that I got and ask for guidance to resolve this issue.
TIA,
Antonio
16 years, 5 months
home_dir default_t
by Per Sjoholm
I have some problems with alerts of default_t, and relabel does not solve
the problem.
Running FC7.
I have my machine-local home under /home_l; /home is used for nfs/autofs.
#> genhomedircon
#> touch /.autorelabel ; reboot
/home_l/*/* gets labeled with default_t
restorecon -v -R /home_l
labels with user_home_t
Why is there a difference between autorelabel and restorecon?
Why does autorelabel set /home and /home_l to default_t?
--
Per Sjöholm
Spanga, Stockholm, Sweden
16 years, 5 months
SELinux is preventing the ck-get-x11-serv from using potentially mislabeled files (<Unknown>).
by Antonio Olivares
Just as I sent out the other mail about the selinux denying X I have gotten this one, what should I do? Advice/comments/suggestions are welcome.
Regards,
Antonio
Summary
SELinux is preventing the ck-get-x11-serv from using potentially mislabeled
files (<Unknown>).
Detailed Description
SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s)
(<Unknown>). This means that SELinux will not allow ck-get-x11-serv to use
these files. It is common for users to edit files in their home directory
or tmp directories and then move (mv) them to system directories. The
problem is that the files end up with the wrong file context which confined
applications are not allowed to access.
Allowing Access
If you want ck-get-x11-serv to access this files, you need to relabel them
using restorecon -v <Unknown>. You might want to relabel the entire
directory using restorecon -R -v <Unknown>.
Additional Information
Source Context system_u:system_r:consolekit_t
Target Context system_u:object_r:user_home_t
Target Objects None [ file ]
Affected RPM Packages
Policy RPM selinux-policy-3.0.8-44.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.home_tmp_bad_labels
Host Name localhost
Platform Linux localhost 2.6.24-0.38.rc2.git6.fc9 #1 SMP
Fri Nov 16 17:20:39 EST 2007 i686 athlon
Alert Count 5
First Seen Sun 11 Nov 2007 09:40:02 AM CST
Last Seen Mon 19 Nov 2007 07:25:44 AM CST
Local ID fa84efec-ad7f-46d6-a356-d16d9235b774
Line Numbers
Raw Audit Messages
avc: denied { read } for comm=ck-get-x11-serv dev=dm-0 name=.Xauthority pid=2874
scontext=system_u:system_r:consolekit_t:s0 tclass=file
tcontext=system_u:object_r:user_home_t:s0
16 years, 5 months
auditd fails to start on FC6 system, newer kernels effect?
by Gene Heskett
Greetings;
FC6 system, uptodate, kernel 2.6.24-rc3, but this has existed since I
re-enabled selinux in permissive mode just to see what complained.
The manpage says to use the -f option for foreground troubleshooting, so here
goes:
[root@coyote linux-2.6.24-rc3]# man auditd
[root@coyote linux-2.6.24-rc3]# which auditd
/sbin/auditd
[root@coyote linux-2.6.24-rc3]# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
priority_boost_parser called with: 3
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 4
dispatch_parser called with: /sbin/audispd
qos_parser called with: lossy
max_log_size_parser called with: 5
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
Started dispatcher: /sbin/audispd pid: 7828
type=DAEMON_START msg=audit(1195291550.719:1106) auditd start, ver=1.4.2,
format=raw, auid=4294967295 pid=7824 res=success, auditd pid=7824
config_manager init complete
Error setting audit daemon pid (Connection refused)
type=DAEMON_ABORT msg=audit(1195291550.720:1107) auditd error halt,
auid=4294967295 pid=7824 res=failed, auditd pid=7824
Unable to set audit pid, exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
[root@coyote linux-2.6.24-rc3]#
Connection refused sounds as if something else isn't running that should be,
but no direct clue, so what else needs to run too, before auditd?
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
meeting, n.:
An assembly of people coming together to decide what person or
department not represented in the room must solve a problem.
16 years, 5 months
ANN: SELinux Policy Editor 2.2.0
by Yuichi Nakamura
Hi.
We've released SELinux Policy Editor(SEEdit) 2.2.0.
SEEdit is a tool to write policy easily.
Changes from 2.1.0.
1) Policy development for embedded device support.
You can develop policy for embedded devices by SEEdit.
2) Improved SPDL compiler.
seedit-converter (the program that converts SPDL to selinux policy)
does not use local file information; the labeling rule has been changed.
By that, you can cross-develop policy for embedded devices.
For non-embedded people,
speed to convert SPDL to SELinux policy has become faster.
3) Support Fedora 8.
For details, please look at
http://seedit.sourceforge.net/
Regards,
--
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/
SELinux Policy Editor: http://seedit.sourceforge.net/
16 years, 5 months
Re: selinux blocks lircmd
by kwhiskerz
I had hoped that selinux would finally work. When I installed f8 and saw that
it was set to enforcing and all but the lircmd mouse worked, I was
encouraged. Perhaps it will finally work after all, once that problem is
solved.
Then came a policy update this afternoon and I rebooted and when I looked, I
saw that the system had been put into permissive mode. Now everything works
just great. I was really hoping that everything would finally work great in
enforcing, but I guess there must be a reason for permissive.
So, what is the difference between enforcing and permissive (since permissive
is not disabled)? Does it block some things, but not everything?
16 years, 5 months
Fedora 8: SELinux doesn't allow to manually start sshd?
by Andrey Markelov
Hello!
My system:
Fedora 8, selinux-policy-3.0.8-44 in targeted mode.
I log in to the system as ordinary user and then do su -.
When I try to start sshd daemon in Fedora 8 by typing "service sshd start"
I receive "Permission denied" message and this entry in audit.log:
type=SELINUX_ERR msg=audit(1194792116.506:236): security_compute_sid: invalid context unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 for scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:sshd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1194792116.506:236): arch=40000003 syscall=11 success=yes exit=0 a0=8f58ab0 a1=8f58658 a2=8f451c0 a3=0 items=0 ppid=11059 pid=11068 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
When I try to start sshd my id -Z is:
unconfined_u:system_r:unconfined_t
I have some questions:
1) How can I explain that SELINUX_ERR message and "subj=..." in SYSCALL message?
2) Is it a normal situation? In RHEL5 the "su -; service sshd start" commands work fine.
3) How can I enable "service sshd start" in that situation?
____
Andrey Markelov
Plus Communications
Phone: +7(495)777-0-111 ext.533
16 years, 5 months
setroubleshoot, xdm AVCs
by Tom London
Just noticed the following. I'm running 'mostly Rawhide' (except for
f8 gdm, mesa-*--7.1-0.4.fc9 and selinux-policy-3.0.8-56.fc8).
Got them booting in permissive mode:
[root@localhost ~]# audit2allow -i log
#============= setroubleshootd_t ==============
allow setroubleshootd_t self:capability sys_nice;
allow setroubleshootd_t self:process setsched;
allow setroubleshootd_t sysctl_net_t:dir search;
allow setroubleshootd_t tmp_t:dir read;
#============= xdm_xserver_t ==============
allow xdm_xserver_t hwdata_t:dir search;
allow xdm_xserver_t hwdata_t:file { read getattr };
[root@localhost ~]#
I attach the complete /var/log/audit/audit.log.
tom
--
Tom London
16 years, 5 months