F8 ssh avc
by Paul Howarth
Got this one on the server end when using sftp with key-based auth and
using keychain:
type=AVC msg=audit(1196678377.841:1040): avc: denied { setkeycreate }
for pid=23895 comm="sshd"
scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1196678377.841:1040): arch=40000003 syscall=4
success=no exit=-13 a0=5 a1=b802c120 a2=22 a3=15a03a items=0 ppid=31470
pid=23895 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
What's actually being denied here? Everything still seemed to work.
Paul.
16 years, 4 months
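Added example (not from Paul's post, and not code from audit or setroubleshoot): a small Python parser for the two records quoted above. It pairs the AVC record with its SYSCALL record through the shared audit serial (1196678377.841:1040) and decodes the fields a reader needs to answer the question: the permission and object class from the AVC, and from the SYSCALL record the architecture (arch=40000003 is i386), the syscall number (4 is write(2) on i386), the result (exit=-13 is EACCES; success=no means the call really failed rather than being only logged, as it would be in permissive mode) and the file descriptor in a0. The syscall and errno tables are deliberately tiny and cover only what this example needs. The sample lines are the post's own records, re-joined onto one line each.

```python
import re

# Constructed sample: the two audit records quoted in the post, each joined
# back onto a single line (the mail client had wrapped them).
AUDIT_LINES = [
    'type=AVC msg=audit(1196678377.841:1040): avc: denied { setkeycreate } '
    'for pid=23895 comm="sshd" '
    'scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process',
    'type=SYSCALL msg=audit(1196678377.841:1040): arch=40000003 syscall=4 '
    'success=no exit=-13 a0=5 a1=b802c120 a2=22 a3=15a03a items=0 ppid=31470 '
    'pid=23895 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" '
    'subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)',
]

# Minimal lookup tables: i386 syscall numbers (arch 0x40000003) and errno values.
I386_SYSCALLS = {3: "read", 4: "write", 5: "open", 6: "close", 11: "execve"}
ERRNO = {-1: "EPERM", -2: "ENOENT", -13: "EACCES"}

# key=value tokens; values may be quoted, parenthesised like (none), or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Turn one audit record into a dict of its fields."""
    rec = {}
    m = re.search(r'msg=audit\(([\d.]+):(\d+)\)', line)
    if m:
        rec['timestamp'], rec['serial'] = m.group(1), int(m.group(2))
    d = DECISION_RE.search(line)
    if d:
        rec['decision'] = d.group(1)
        rec['permissions'] = d.group(2).split()
    for key, value in FIELD_RE.findall(line):
        if key == 'msg':            # already handled above
            continue
        rec[key] = value.strip('"')
    return rec


def correlate(lines):
    """Group records by audit serial so an AVC can be read next to its SYSCALL."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec.get('serial'), {})[rec['type']] = rec
    return events


def explain(event):
    """Summarise what was denied and how the syscall actually ended."""
    avc, sc = event.get('AVC'), event.get('SYSCALL')
    out = {}
    if avc:
        out['denied'] = ' '.join(avc['permissions'])
        out['tclass'] = avc['tclass']
        out['source_type'] = avc['scontext'].split(':')[2]
        out['target_type'] = avc['tcontext'].split(':')[2]
    if sc:
        num = int(sc['syscall'])
        out['arch'] = 'i386' if sc['arch'] == '40000003' else sc['arch']
        out['syscall'] = I386_SYSCALLS.get(num, str(num)) if out['arch'] == 'i386' else str(num)
        out['errno'] = ERRNO.get(int(sc['exit']), sc['exit'])
        out['fd'] = int(sc['a0'], 16)          # a0 is the first syscall argument, in hex
        out['enforced'] = sc['success'] == 'no'  # the call failed: this was not permissive mode
    return out


if __name__ == '__main__':
    for serial, event in correlate(AUDIT_LINES).items():
        print(serial, explain(event))
```

Read together, the records say that a write() by sshd on descriptor 5 was refused with EACCES because sshd_t lacks the setkeycreate permission on itself (tclass=process, source and target type both sshd_t). setkeycreate is the process permission SELinux checks when a process writes a security context into its keycreate attribute under /proc/self/attr/, which a program does to label the kernel keyrings it is about to create. The descriptor's target is not in the record (only a0=5), so that link is inferred from the permission name, not shown by the log.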
[Bug] some problems about setroubleshoot
by NZzi
hi all:
in my F8(update) with setroubleshoot:
setroubleshoot-1.10.7-1.fc8.noarch
my setroubleshoot often closes the connection:
connection lost on /var/run/setroubleshoot/setroubleshoot_server
I found an error message in the setroubleshoot log:
2007-11-29 10:02:41,561 [email.WARNING] 无法打开文件
/var/lib/setroubleshoot/email_alert_recipients, No such file or directory
in English it is:
2007-11-29 10:02:41,561 [email.WARNING] can not open file:
/var/lib/setroubleshoot/email_alert_recipients, No such file or directory
and after I restart setroubleshoot
$ sudo service setroubleshoot restart
停止 setroubleshootd: [OK]
启动 setroubleshootd: [OK]
I got:
/var/lib/setroubleshoot/audit_listener_database.xml:570: parser error :
Input is not proper UTF-8, indicate encoding !
Bytes: 0xDF 0x20 0xE8 0xAE
如果您想让 � 访问这个文件,您需要使用 restorecon -v <未知
in English it is:
/var/lib/setroubleshoot/audit_listener_database.xml:570: parser error :
Input is not proper UTF-8, indicate encoding !
Bytes: 0xDF 0x20 0xE8 0xAE
If you want to access this file, you should use restorecon -v < unknown
The English error messages above were translated by me; they are not
setroubleshoot's original error messages.
Because I suspect that the error is caused by the Chinese locale, I kept
the "Chinese error message" from setroubleshoot. My system runs in
LANG=zh_CN.UTF-8
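Added example (not from NZzi's post and not setroubleshoot's own code): a Python check for the second failure, the libxml2 "Input is not proper UTF-8" error on audit_listener_database.xml. It locates every undecodable byte sequence in a file, reports the line number and the next four bytes in the same form as the parser message, and offers a lenient decode that substitutes U+FFFD so the XML can be parsed again. The sample input is constructed: 0xDF is a two-byte UTF-8 lead byte, and the 0x20 that follows it is not a continuation byte, which is exactly the "Bytes: 0xDF 0x20 ..." pattern in the post.

```python
# Constructed stand-in for /var/lib/setroubleshoot/audit_listener_database.xml
# with an invalid sequence on line 4: a 0xDF lead byte followed by a space.
SAMPLE = (b'<?xml version="1.0"?>\n'
          b'<db>\n'
          b'<entry>ok</entry>\n'
          b'<entry>bad\xdf \xe8\xae\xbf</entry>\n'
          b'</db>\n')


def hex_bytes(chunk):
    """Render bytes the way libxml2 does: 0xDF 0x20 0xE8 0xAE."""
    return ' '.join('0x%02X' % b for b in chunk)


def find_invalid_utf8(data, window=4):
    """Return (line_number, byte_offset, following_bytes) for each bad sequence."""
    problems = []
    pos = 0
    while pos < len(data):
        try:
            data[pos:].decode('utf-8')
            break                       # the rest of the file decodes cleanly
        except UnicodeDecodeError as err:
            start = pos + err.start
            line = data.count(b'\n', 0, start) + 1
            problems.append((line, start, data[start:start + window]))
            pos += err.end              # skip the whole rejected sequence, not one byte
    return problems


def report(path, data):
    """Produce parser-style messages for every bad sequence in data."""
    return ['%s:%d: parser error : Input is not proper UTF-8, indicate encoding !\nBytes: %s'
            % (path, line, hex_bytes(chunk))
            for line, _, chunk in find_invalid_utf8(data)]


def repair(data):
    """Lenient decode: each undecodable byte becomes U+FFFD; returns text and count."""
    text = data.decode('utf-8', errors='replace')
    return text, text.count('\ufffd')


if __name__ == '__main__':
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else '<constructed sample>'
    data = open(path, 'rb').read() if len(sys.argv) > 1 else SAMPLE
    for msg in report(path, data):
        print(msg)
    text, replaced = repair(data)
    print('%d byte sequence(s) would be replaced' % replaced)
```

Run it against the real database path to see which line holds the bad bytes; a lenient decode is a diagnostic aid, since the database is setroubleshoot's own state file and the replaced characters are lost from the record.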
Re: selinux preventing clamd and amavisd even in Permissive
by John Griffiths
OK. I am baffled. I went out to do some shopping and when I came back,
everything was working. And no one else was working on the system
either. There are a couple of AVCs but they don't seem to affect anything.
Oh well. I must remind myself; computers only do what they are
programmed to do ... computers only do what they are programmed to do
... computers only do what they are programmed to do ... computers only
do what they are programmed to do ...
Sorry for the alarm.
Regards,
John
selinux preventing clamd and amavisd even in Permissive
by John Griffiths
I am getting numerous AVCs from setroubleshoot when clamd and
amavisd try to operate. Even with selinux in Permissive mode the actions
are still prevented.
I did a touch /.autorelabel before reporting this. The problem still occurs.
An example:
Summary
SELinux is preventing /usr/bin/clamscan (clamscan_t) "read" to <Unknown>
(amavis_spool_t).
Detailed Description
SELinux denied access requested by /usr/bin/clamscan. It is not expected
that this access is required by /usr/bin/clamscan and this access
may signal
an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown> If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module
to allow
this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context system_u:system_r:clamscan_t
Target Context system_u:object_r:amavis_spool_t
Target Objects None [ dir ]
Affected RPM Packages clamav-0.91.2-3.fc8 [application]
Policy RPM selinux-policy-3.0.8-56.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall_file
Host Name joe
Platform Linux joe 2.6.23.1-49.fc8 #1
SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count 7
First Seen Sat 01 Dec 2007 02:13:33 AM EST
Last Seen Sat 01 Dec 2007 02:23:33 AM EST
Local ID d41e6d82-4a90-48ee-a554-3c557f6cfe61
Line Numbers
Raw Audit Messages
avc: denied { read } for comm=clamscan dev=dm-0 egid=490 euid=495
exe=/usr/bin/clamscan exit=6 fsgid=490 fsuid=495 gid=490 items=0
name=clamav-
f1269664cac0bef43a67b3a6dbae41b8 pid=2785
scontext=system_u:system_r:clamscan_t:s0 sgid=490
subj=system_u:system_r:clamscan_t:s0 suid=495 tclass=dir
tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=495
There are others, but selinux should only log the AVCs in Permissive.
Right? But the selinux system is actually doing denials. The email
system will not work since the emails cannot be virus checked. Glad this
is a test installation.
There was a problem in Fedora Core 6 with Postfix, amavisd, and clamd as
I remember it, but it would run in Permissive.
I will post all the AVCs later, but I thought this was important.
Regards,
John
CGI can't read public_html files
by Alexander Slesarev
Hello!
I want to access public_html files from a CGI script, but can't do it;
I get an AVC error when reading the README file from the public_html dir:
-----------------------------------------------------------------------
[root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1
Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing
the format.cgi from using potentially mislabeled files <Unknown>
(unconfined_home_dir_t).#012 For complete SELinux messages. run
sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6
-----------------------------------------------------------------------
I have only one item with the unconfined_home_dir_t type in the path to
the README file:
-----------------------------------------------------------------------
[nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null
&& while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd >
/dev/null
-rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html/README
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
/home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------
So, only my home dir has the unconfined_home_dir_t type. But I do not want
to change it to the httpd_sys_content_t type, and I don't like this solution.
The CGI script itself works fine; it has the httpd_user_content_t
type now:
-----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null
&& while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd >
/dev/null
-rwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html/cgi-bin/format.cgi
drwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html/cgi-bin
drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0
/home/nuald/public_html
drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0
/home/nuald
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
-----------------------------------------------------------------------
So the script just can't read files in the public_html folder. What is the
right way to fix it?
The script itself is below and is used as
http://localhost/~nuald/cgi-bin/format.cgi?file=README
-----------------------------------------------------------------------
[nuald@elc6002s cgi-bin]$ cat format.cgi
#!/usr/bin/perl -wT
use strict;
use CGI qw/:standard/;
use IO::File;
use File::Spec;
use Cwd 'realpath';

print header;

# The file name comes from the query string (?file=README).
my $filename = param('file') or die "Can be executed only as CGI";

# Files are served from the directory above cgi-bin, i.e. public_html.
my $updir = File::Spec->updir();
my $base  = realpath($updir) or die "Can't resolve base directory";
my $rel_path = File::Spec->catfile($updir, $filename);
my $path = realpath($rel_path) or die "No such file $rel_path";

# Only serve regular files whose resolved path stays under public_html;
# without this check a name containing ".." could reach any readable file.
die "Access denied: $path" unless index($path, "$base/") == 0 && -f $path;

my $file = IO::File->new($path, "<") or die "Can't open file $path";
my $text = join "", <$file>;
$file->close or die "Can't close file";
print $text;
-----------------------------------------------------------------------
Thanks in advance.
--
Best regards, Alex Slesarev.
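Labeling aside, the script above opens whatever name arrives in the file= parameter relative to the directory above cgi-bin, so anyone reviewing it would also want that lookup confined to public_html. Added Python example (not from the post; the Perl script is the poster's, this is a separate illustration of the same check in general form): resolve the requested name to its real path and accept it only if it is a regular file that stays under the base directory, which rejects ".." components, absolute names, and symlinks that point outside the tree. The directory layout is a constructed stand-in for /home/nuald/public_html built in a temporary directory, with one symlink ("escape") that leads out of it.

```python
import os
import tempfile


def safe_resolve(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or None if it
    escapes the base, is not a regular file, or is malformed."""
    if not requested or '\0' in requested:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join would discard base for an absolute name, so strip leading slashes.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip('/')))
    # Compare with a trailing separator so "public_html2" is not mistaken for
    # a child of "public_html".
    inside = candidate == base or candidate.startswith(base + os.sep)
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def build_fixture():
    """Constructed stand-in for /home/nuald/public_html: a README, a cgi-bin
    directory, and a symlink that points at a file outside the tree."""
    root = tempfile.mkdtemp()
    public_html = os.path.join(root, 'public_html')
    os.makedirs(os.path.join(public_html, 'cgi-bin'))
    with open(os.path.join(public_html, 'README'), 'w') as fh:
        fh.write('hello\n')
    outside = os.path.join(root, 'private.txt')
    with open(outside, 'w') as fh:
        fh.write('not for the web server\n')
    os.symlink(outside, os.path.join(public_html, 'escape'))
    return public_html


def run_checks(public_html):
    """Map each candidate file= value to whether safe_resolve accepts it."""
    cases = ['README', 'cgi-bin/../README', '../private.txt', 'escape',
             '/etc/hostname', 'missing', 'cgi-bin']
    return {name: safe_resolve(public_html, name) is not None for name in cases}


if __name__ == '__main__':
    for name, ok in run_checks(build_fixture()).items():
        print('%-18s %s' % (name, 'served' if ok else 'refused'))
```

The same rule carries over to the Perl script: resolve the base directory once with realpath, resolve the request, and require the result to begin with the base path plus a separator before opening it.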