selinux December 2007

selinux@lists.fedoraproject.org

38 participants
66 discussions

by Paul Howarth

Got this one on the server end when using sftp with key-based auth and using keychain: type=AVC msg=audit(1196678377.841:1040): avc: denied { setkeycreate } for pid=23895 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process type=SYSCALL msg=audit(1196678377.841:1040): arch=40000003 syscall=4 success=no exit=-13 a0=5 a1=b802c120 a2=22 a3=15a03a items=0 ppid=31470 pid=23895 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) What's actually being denied here? Everything still seemed to work. Paul.

16 years, 4 months

3
2
0 / 0

[Bug] some problems about setroubleshoot

by NZzi

hi all: in my F8(update) with setroubleshoot: setroubleshoot-1.10.7-1.fc8.noarch my setroubleshoot often close connect: connection lost on /var/run/setroubleshoot/setroubleshoot_server i found a error message in setroubleshoot log: 2007-11-29 10:02:41,561 [email.WARNING] 无法打开文件 /var/lib/setroubleshoot/email_alert_recipients, No such file or directory in english is: 2007-11-29 10:02:41,561 [email.WARNING] can not open file: /var/lib/setroubleshoot/email_alert_recipients, No such file or directory and after i restart setroubleshoot $ sudo service setroubleshoot restart 停止 setroubleshootd： [OK] 启动 setroubleshootd： [OK] i got: /var/lib/setroubleshoot/audit_listener_database.xml:570: parser error : Input is not proper UTF-8, indicate encoding ! Bytes: 0xDF 0x20 0xE8 0xAE 如果您想让 � 访问这个文件，您需要使用 restorecon -v <未知 in english is: /var/lib/setroubleshoot/audit_listener_database.xml:570: parser error : Input is not proper UTF-8, indicate encoding ! Bytes: 0xDF 0x20 0xE8 0xAE If you want to access this file，you should use restorecon -v < unknown above english error messages is translated by me, not setroubleshoot original error messages. because i doubt that the error is caused by chinese locale, so i keep the "chinese error message" from setroubleshoot. My system runs in LANG=zh_CN.UTF-8

16 years, 4 months

2
2
0 / 0

[ANN] segatex-4.00 RPM,SRPM released !!

by Shintaro Fujiwara

I released RPM,SRPM version of segatex-4.00.tgz. segatex is a program even if not knowing much about SELinux commands, can easily set SELinux commands by GUI. Written in C++. Requires Qt ( qt-devel package ). Thank you very much for your attention. p.s. I want to wrap semanage next. Any comments appreciated to me. -- Shintaro Fujiwara segatex project (SELinux policy tool) http://sourceforge.net/projects/segatex/ Home page http://intrajp.no-ip.com/ Blog http://intrajp.no-ip.com/nucleus/ CMS http://intrajp.no-ip.com/xoops/ Wiki http://intrajp.no-ip.com/pukiwiki/

16 years, 4 months

1
0
0 / 0

Re: selinux preventing clamd and amavisd even in Permissive

by John Griffiths

OK. I am baffled. I went out to do some shopping and when I came back, everything was working. And no one else was working on the system either. There are a couple of AVCs but they don't seem to affect anything. Oh well. I must remind myself; computers only do what they are programmed to do ... computers only do what they are programmed to do ... computers only do what they are programmed to do ... computers only do what they are programmed to do ... Sorry for the alarm. Regards, John

16 years, 4 months

1
0
0 / 0

selinux preventing clamd and amavisd even in Permissive

by John Griffiths

I am getting numerous AVCs from selinixtrobleshoot when clamd and amavisd try to operate even with selinux in Permissive mode the actions are still prevented. I did a touch /.autorelabel before reporting this. The problem still occurs. An example: Summary SELinux is preventing /usr/bin/clamscan (clamscan_t) "read" to <Unknown> (amavis_spool_t). Detailed Description SELinux denied access requested by /usr/bin/clamscan. It is not expected that this access is required by /usr/bin/clamscan and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:clamscan_t Target Context system_u:object_r:amavis_spool_t Target Objects None [ dir ] Affected RPM Packages clamav-0.91.2-3.fc8 [application] Policy RPM selinux-policy-3.0.8-56.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name plugins.catchall_file Host Name joe Platform Linux joe 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686 Alert Count 7 First Seen Sat 01 Dec 2007 02:13:33 AM EST Last Seen Sat 01 Dec 2007 02:23:33 AM EST Local ID d41e6d82-4a90-48ee-a554-3c557f6cfe61 Line Numbers Raw Audit Messages avc: denied { read } for comm=clamscan dev=dm-0 egid=490 euid=495 exe=/usr/bin/clamscan exit=6 fsgid=490 fsuid=495 gid=490 items=0 name=clamav- f1269664cac0bef43a67b3a6dbae41b8 pid=2785 scontext=system_u:system_r:clamscan_t:s0 sgid=490 subj=system_u:system_r:clamscan_t:s0 suid=495 tclass=dir tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=495 There are others, but selinux should only log the AVCs in Permissive. Right? But the selinux system is actually doing denials. The email system will not work since the emails cannot be virus checked. Glad this is a test installation. There was a problem in Fedora Core 6 with Postfix, amavisd, and clamd as I remember it, but it would run in Permissive. I will post all the the AVCs later, but I thought this was important. Regards, John

16 years, 4 months

2
2
0 / 0

CGI can't read public_html files

by Alexander Slesarev

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello! I want to access public_html files from CGI script, but can't do it - got AVC error during reading README file from public_html dir: - ----------------------------------------------------------------------- [root@elc6002s nuald]# tail /var/log/messages | grep setroubleshoot -m 1 Nov 29 13:42:51 elc6002s setroubleshoot: #012 SELinux is preventing the format.cgi from using potentially mislabeled files <Unknown> (unconfined_home_dir_t).#012 For complete SELinux messages. run sealert -l 69519bd7-3e77-46d9-b845-7f066c4515e6 - ----------------------------------------------------------------------- I have only one item with unconfined_home_dir_t type in the path to README file: - ----------------------------------------------------------------------- [nuald@elc6002s public_html]$ ls -Z `pwd`/README && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null - -rw-rw-r-- nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/README drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home - ----------------------------------------------------------------------- So, only my home dir have unconfined_home_dir_t type. But I do not want to change it to httpd_sys_content_t type and I don't like this solution. The CGI script itself works fine either it have httpd_user_content_t type now: - ----------------------------------------------------------------------- [nuald@elc6002s cgi-bin]$ ls -Z `pwd`/format.cgi && pushd . > /dev/null && while [[ `pwd` != '/' ]]; do ls -Zd `pwd` && cd ..; done && popd > /dev/null - -rwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin/format.cgi drwxr-xr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html/cgi-bin drwxrwxr-x nuald nuald system_u:object_r:httpd_user_content_t:s0 /home/nuald/public_html drwx--x--x nuald nuald unconfined_u:object_r:unconfined_home_dir_t:s0 /home/nuald drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home - ----------------------------------------------------------------------- So the script only can't read files in public_html folder. What is right way to fix it? The script itself is below and used as http://localhost/~nuald/cgi-bin/format.cgi?file=README - ----------------------------------------------------------------------- [nuald@elc6002s cgi-bin]$ cat format.cgi #!/usr/bin/perl -wT use strict; use CGI qw/:standard/; use IO::File; use File::Spec; use Cwd 'realpath'; print header; my $filename = param('file') or die "Can be executed only as CGI"; my $updir = File::Spec->updir(); my $rel_path = File::Spec->catfile($updir, $filename); my $path = realpath($rel_path) ; my $file = IO::File->new($path,"<") or die "Can't open file $path"; my $text = join "", <$file>; $file->close or die "Can't close file"; print $text; - ----------------------------------------------------------------------- Thanks in advance. - -- Best regards, Alex Slesarev. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHULe0NLNdFA8Hg1cRCBUOAJ9LhblT0DTYN5hs4HqDYzfNpt66MACgitJO hR0isSJ+FDxHy7C8Izc+y7k= =MDzY -----END PGP SIGNATURE-----

16 years, 4 months

1
0
0 / 0

← Newer
1
2
3
4
5
6
7
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2007