Re: Cron mail problem with FC6/strict
by Ted Rule
Since my previous posting on this matter, I've performed a few more
tests, slightly amended policy, and found a somewhat surprising result.
Because earlier tests indicated that individual jobs could initiate mail
themselves from system_crond_t, but NOT crond itself, I reasoned that
maybe there was something in one or all of policy / crond /
libselinux / kernel which prevented crond - which had already performed
a setexeccon - from executing another process which directly required a
domain transition.
Therefore, I made use of crond's "-m" option to provide a shell wrapper
to sendmail itself employing the same command line params as crond
invokes, as in:
[root@topaz ~]# cat /usr/sbin/sendmail.sendmail.crond
#!/bin/sh
/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t
[root@topaz ~]#
I also labelled the wrapper as sendmail_exec_t:
[root@topaz ~]# ls -lZ /usr/sbin/sendmail.sendmail*
-rwxr-sr-x root smmsp
system_u:object_r:sendmail_exec_t /usr/sbin/sendmail.sendmail
-rwxr-xr-x root root
staff_u:object_r:sendmail_exec_t /usr/sbin/sendmail.sendmail.crond
[root@topaz ~]#
Because of findings from previous tests, I added an entrypoint to
SELinux policy which appears to be required:
domain_entry_file(system_crond_t, sendmail_exec_t)
And then I invoked the wrapper via /etc/sysconfig/crond:
[root@topaz ~]# cat /etc/sysconfig/crond
# Settings for the CRON daemon.
# CRONDARGS= : any extra command-line startup arguments for crond
# CRON_VALIDATE_MAILRCPTS=1:a non-empty value of this variable will
# enable vixie-cron-4.1's validation of
# mail recipient names, which would then be
# restricted to contain only the chars
# from this tr(1) set : [@!:%-_.,:alnum:]
# otherwise mailing is not attempted.
#CRONDARGS=
CRONDARGS="-m/usr/sbin/sendmail.sendmail.crond"
[root@topaz ~]#
With all this in place, I found that Crond COULD launch the wrapper
script, which in turn launched sendmail itself, and Cron mail WAS
delivered.
If I simply comment out the CRONDARGS setting to revert crond to
"normal" operation, it succeeds in executing /usr/sbin/sendmail, but
fails to transition to system_mail_t and no mail is delivered.
As a next test, I further emulated /usr/sbin/sendmail itself by adding
group membership, setgid flags and selinux ownership:
[root@topaz ~]# ls -lZ /usr/sbin/sendmail.*
-rwxr-sr-x root smmsp
system_u:object_r:sendmail_exec_t /usr/sbin/sendmail.sendmail
-rwxr-sr-x root smmsp
system_u:object_r:sendmail_exec_t /usr/sbin/sendmail.sendmail.crond
[root@topaz ~]#
This still appears to work Ok.
All in all, I appear to have a workaround for the problem. It DOES seem
to require one tweak to the existing policy - the extra
domain_entry_file setting. However, I'm still very much in the dark as
to why the wrapper script works and the binary copy of sendmail doesn't.
Ted
On Wed, 2007-01-24 at 10:19 +0000, Ted Rule wrote:
> Quoting "Christopher J. PeBenito" <cpebenito(a)tresys.com>:
>
> > On Sun, 2007-01-21 at 23:05 +0000, Ted Rule wrote:
> >> A little while ago, I found that anacron wasn't running correctly under
> >> FC6/strict, which led me to add a temporary fixup .te for its operation.
> >> Once I had that in place, I finally received the cron.daily and logwatch
> >> Emails every day shortly after bootup.
> >>
> >> With that in place, I recently took to leaving the machine powered
> >> overnight, which of course led to all the Cron jobs running via crond
> >> instead of anacron.
> >>
> >> Oddly, I noticed that the logwatch Email arrived, but NOT the cron.daily
> >> summary Email.
> >>
> >> Looking further, I found this odd avc:
> >>
> >> Jan 21 21:29:51 topaz kernel: audit(1169414991.423:988): avc: denied
> >> { entrypoint } for pid=4891 comm="crond" name="sendmail.sendmail"
> >> dev=hda6 ino=1313020
> >> scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
> >> tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
> >>
> >> i.e. the crond child process running in system_crond_t was apparently
> >> unable to run sendmail.
> >
> > Is this supposed to be cron emailing the output of the cron jobs or the
> > cron job itself emailing something?
>
> The former: as mentioned above, my tests indicate that the latter seems
> to work
> Ok.
>
> As far as I can tell, what happens is that crond starts in crond_t,
> forks a crond child, setexeccon's to system_crond_t to run the Job, and
> then forks a sendmail process to pick up the stdout/stderr from the
> Job. Hence I think you end up with something like this:
>
> 101 crond_t crond
> 102 system_crond_t \ crond
> 103 system_crond_t \ cron-job-script
> 104 system_mail_t \ sendmail
>
> where stdout/stderr from the cron-job-script is routed into the
> sendmail stdin, with email subject line and similar parameters injected
> from pid 102. I also believe that pid 104 is not created at all until
> some output is generated by pid 103 - hence silent Cron Jobs don't
> create the avc denials for sendmail.
>
> sendmail directly or indirectly launched by pid 103 is Ok according to
> my tests, but seemingly sendmail launched by pid 102 itself gronks.
>
>
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > (410) 290-1411 x150
> >
> >
>
--
Ted Rule
Director, Layer3 Systems Ltd
W: http://www.layer3.co.uk/
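The three outcomes reported in this thread (entrypoint denied; sendmail executed but left in system_crond_t once domain_entry_file is added; mail delivered through the wrapper) fall out of how the kernel picks a new domain at exec time. The model below is an added example, not code from the post or from the cron/mta policy: it encodes the exec-time decision in simplified form (execute on the file, then an exec context set by setexeccon replacing the type_transition lookup, then process:transition plus file:entrypoint for a changed domain) and runs it against a hypothetical policy fragment holding the rules an FC6-era reference policy is assumed to carry for crond_t, system_crond_t and system_mail_t. The rule names, the `Policy` class and the scenario functions are this example's own; the `crond_t` execute rule on `sendmail_exec_t` is assumed because no execute denial was logged. The point it demonstrates is that the exec context set before the job is still in force when crond forks sendmail, so the entrypoint check is made for system_crond_t and sendmail never reaches system_mail_t, whereas the wrapper's own exec of /usr/sbin/sendmail runs with that context already consumed and takes the normal type_transition.

```python
"""Simplified model of SELinux's exec-time domain decision (added example).

Not the kernel's code and not part of the original post: roles, MLS and
the share/siginh/noatsecure checks are ignored. Policy rules below are a
hypothetical FC6-style fragment, labelled where assumed.
"""


class Policy:
    def __init__(self):
        self.allow = set()      # (source, target, tclass, perm)
        self.transitions = {}   # (source_domain, file_type) -> new_domain

    def allow_rule(self, src, tgt, tclass, *perms):
        for perm in perms:
            self.allow.add((src, tgt, tclass, perm))

    def type_transition(self, src, file_type, new_domain):
        self.transitions[(src, file_type)] = new_domain

    def permits(self, src, tgt, tclass, perm):
        return (src, tgt, tclass, perm) in self.allow


def exec_domain(policy, old, file_type, exec_ctx=None):
    """Return ("ok", new_domain) or ("denied", (scontext, tcontext, tclass, perm)).

    Order mirrors the kernel: the caller needs file:execute; an exec
    context set by setexeccon replaces the type_transition lookup; a
    changed domain needs process:transition and file:entrypoint, an
    unchanged one needs file:execute_no_trans.
    """
    if not policy.permits(old, file_type, "file", "execute"):
        return "denied", (old, file_type, "file", "execute")
    if exec_ctx is not None:
        new = exec_ctx                        # setexeccon wins over type_transition
    else:
        new = policy.transitions.get((old, file_type), old)
    if new == old:
        if not policy.permits(old, file_type, "file", "execute_no_trans"):
            return "denied", (old, file_type, "file", "execute_no_trans")
        return "ok", old
    if not policy.permits(old, new, "process", "transition"):
        return "denied", (old, new, "process", "transition")
    if not policy.permits(new, file_type, "file", "entrypoint"):
        # the check that produced the entrypoint AVC quoted in the thread
        return "denied", (new, file_type, "file", "entrypoint")
    return "ok", new


def fc6_cron_mail_policy(with_entry_file):
    """Hypothetical rules for crond_t / system_crond_t / system_mail_t."""
    p = Policy()
    # crond's job-running child setexeccon's to system_crond_t
    p.allow_rule("crond_t", "system_crond_t", "process", "transition")
    # assumed: no execute denial was logged, so crond_t may execute sendmail
    p.allow_rule("crond_t", "sendmail_exec_t", "file", "execute")
    # mta_send_mail(system_crond_t): jobs run sendmail and become system_mail_t
    p.allow_rule("system_crond_t", "sendmail_exec_t", "file", "execute")
    p.allow_rule("system_crond_t", "system_mail_t", "process", "transition")
    p.allow_rule("system_mail_t", "sendmail_exec_t", "file", "entrypoint")
    p.type_transition("system_crond_t", "sendmail_exec_t", "system_mail_t")
    if with_entry_file:  # domain_entry_file(system_crond_t, sendmail_exec_t)
        p.allow_rule("system_crond_t", "sendmail_exec_t", "file", "entrypoint")
    return p


def crond_mails_directly(with_entry_file):
    """crond child in crond_t, exec context already set, execs sendmail itself."""
    return exec_domain(fc6_cron_mail_policy(with_entry_file),
                       "crond_t", "sendmail_exec_t", exec_ctx="system_crond_t")


def crond_mails_via_wrapper():
    """crond execs the sendmail_exec_t-labelled wrapper, which execs sendmail."""
    p = fc6_cron_mail_policy(with_entry_file=True)
    status, shell_domain = exec_domain(p, "crond_t", "sendmail_exec_t",
                                       exec_ctx="system_crond_t")
    if status != "ok":
        return status, shell_domain
    # the exec context was consumed by the first exec; the wrapper's own
    # exec of /usr/sbin/sendmail therefore uses the type_transition rule
    return exec_domain(p, shell_domain, "sendmail_exec_t")


if __name__ == "__main__":
    print("direct, no entry_file :", crond_mails_directly(False))
    print("direct, with entry_file:", crond_mails_directly(True))
    print("via wrapper            :", crond_mails_via_wrapper())
```

Run as a script it prints the denial tuple for the first case, `("ok", "system_crond_t")` for the second and `("ok", "system_mail_t")` for the wrapper; sesearch against the real policy is the way to confirm the assumed rules on a given system.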
re-configuring PHP
by Bruce Therrien
Hi,
Go-daddy insists that I re-configure PHP to use GD.
Can someone tell me where PHP is located on my server?
All I can find is php.ini........
I'm running core 6, with PHP 5.0.4, but I need the GD support.
I have the configure text ready to execute, but where?
I use Putty for access.
Here's the text:
./configure --build=i386-redhat-linux --host=i386-redhat-linux
--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
--sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include
--libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var
--sharedstatedir=/usr/com --mandir=/usr/share/man
--infodir=/usr/share/info --cache-file=../config.cache --with-libdir=lib
--with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d
--disable-debug --with-pic --disable-rpath --with-bz2 --with-curl
--with-exec-dir=/usr/bin --with-freetype-dir=/usr --with-png-dir=/usr
--enable-gd-native-ttf --with-gdbm --with-gd --with-gettext --with-gmp
--with-iconv --with-jpeg-dir=/usr --with-openssl --with-png
--with-pspell --with-expat-dir=/usr --with-pcre-regex=/usr --with-zlib
--with-layout=GNU --enable-exif --enable-ftp --enable-magic-quotes
--enable-sockets --enable-sysvsem --enable-sysvshm --enable-sysvmsg
--enable-track-vars --enable-trans-sid --enable-yp --enable-wddx
--with-pear=/usr/share/pear --with-kerberos --enable-ucd-snmp-hack
--with-unixODBC=shared,/usr --enable-memory-limit --enable-shmop
--enable-calendar --enable-dbx --enable-dio
--with-mime-magic=/etc/httpd/conf/magic --without-sqlite
--without-mysql --without-gd --without-odbc --disable-dom --disable-dba
Together,
Bruce Therrien <bruce.therrien(a)wm-mw.org>
Vice-president, Online systems
WebMusic-MusiqueWeb
The only on line international music network owned by all of its Affiliates...
Together International Foundation
146 ch du Tour-du-Lac
Lac-Beauport, Quebec G3B 0T3
Canada
Quebec City Phone : 1.418.694.9700
New-York City Phone : 1.646.808.0236
Hartford IP Phone : 1.860.819.3723
Office IP Phone : 1.747.668.5625
Michel's Pager : 1.418.650.8494
Skype : musicweb
http://wm-mw.org
http://t-i-f.org
"We are sharing a vision, and determined to share that vision with all
who wish to be a part of it. Dedicated to promote and enhance the concept,
and will do whatever it takes to ensure that people from around the world
will no longer be taken in by false promises of security." - SID '98
This is the end of the internet.
Please turn around and go back.
Re: Mail problems...
by melaina@libero.it
Hello,
a follow-up to my last e-mail. I fear part of the problem may be caused by the policy shipping with Plesk, contained in the file plesk.te. Could this transition be causing the issue?
# qmail permissions
# always enabled
allow system_mail_t system_mail_t:fifo_file rw_file_perms;
can_exec(system_mail_t, sendmail_exec_t)
r_dir_file(system_mail_t, sendmail_exec_t)
ifdef(`mta.te', `
domain_auto_trans(httpd_sys_script_t, sendmail_exec_t, system_mail_t)
')
an easy way to edit security policies in fc6
by selinux@lucullo.it
Hi,
I'm new to SELinux and I need to know how I can easily modify
a SELinux targeted policy rule in FC6.
My Apache can't write in a /var subdir.
My idea is to start by looking into the logs and then edit the
policy (or the file attributes) to avoid problems.
Is there an easy tool for editing policy source?
Is there a complete how-to (for FC6 targeted SELinux)?
Excuse my bad English.
Thank you in advance.
Selinux error help - continued
by Dan Track
On Wed, 2007-02-07 at 16:34 +0000, Dan Track wrote:
> Hi Stephen
>
> Firstly apologies for sending to the wrong list.
Ok, then take follow-ups to fedora-selinux-list please.
> Thanks for the advice, it was really an eye opener. I trawled through
> the assert.te file in my selinux src directory, however I can't tell
> which rule to remove; could you please guide me to which rule it is.
> Currently my file looks like this:
>
> neverallow { domain -unrestricted -snmpd_t -pegasus_t }
> unconfined_t:process ~sigchld;
The rule above. Rather than removing it entirely, you could adjust it
to make a specific exception for this case. What do you truly need your
process to be able to do?
> # Confined domains must never see unconfined domain's /proc/pid entries.
> neverallow { domain -unrestricted -snmpd_t -pegasus_t }
> unconfined_t:dir { getattr search };
This one will also get in your process' way if it truly needs to operate
on unconfined processes.
Naturally, if you go too far in this direction, you are effectively
removing any real restriction on httpd and might as well just disable
its protection altogether (via the corresponding boolean).
Hi Stephen.
I've moved the conversation over to the selinux list. My program is
actually Beltane, which is a web front end for managing samhain (a
filesystem integrity checker). The point at which the problem arises
is when a setuid binary (beltane_cp) wants to write to a file it
creates in the /tmp directory and then wants to move that file to
the /var/lib/yule/profiles directory. It's at this point I get the
selinux error:
Feb 7 14:26:10 jupiter kernel: audit(1170858370.177:2547): avc:
denied { getsession } for pid=555 comm="httpd"
scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
tclass=process
Feb 7 14:26:27 jupiter kernel: audit(1170858387.985:2548): avc:
denied { getattr } for pid=14295 comm="beltane_cp"
name="TMPFILIyEqoa" dev=sda3 ino=147699
scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:httpd_var_lib_t tclass=file
This beltane_cp file is called by apache.
Hope this helps in making clear what I'm trying to do.
Thanks again
Dan
ANN: SETools Release
by Christopher J. PeBenito
A new release of SETools is now available on the Tresys OSS site, from
http://oss.tresys.com. The primary change in this release is the
addition of support for loading sets of policy modules in all of the
tools. This enables analysis of the policy with nearly all of the
information available from the original source policy, such as original
attribute names. The complete change log for this release follows.
SETools 3.1:
SETools:
* All tools that open a policy now support loadable policy modules.
Command line tools expect the first module to be a base module
followed optionally by any other modules. Graphical tools have
a new open policy dialog to select a base module and any number of
additional modules.
* Release of RPM packages that are compatible with Fedora Core 5 and
6. The spec and support files are in packages/rpm.
libapol:
* New class apol_policy_path_t to represent a base policy and any
number of modules. Use this whenever referring to the file or
files constituting a policy.
libqpol:
* Policy features such as attribute names or MLS can now be queried
individually via qpol_policy_has_capability() rather than inferred
by policy type and version.
* New class qpol_module_t to represent a particular policy module
prior to it being linked into a base policy (qpol_policy_t).
libseaudit:
* Rewrite of library to have proper namespaces. libseaudit is now
fully documented and suitable for third-party users.
seaudit:
* Rewrite to use new libseaudit.
* Numerous tweaks to the interface to be more user friendly.
seaudit-report:
* Rewrite to use new libseaudit.
sediffx:
* Numerous tweaks to the interface to be more user friendly.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
ANN: NSA Director of Information Assurance to be Keynote Speaker at SELinux Symposium
by Frank Mayer
All, we just announced that Richard Schaeffer, NSA Director of Information
Assurance, will be a keynote speaker at the SELinux symposium this March
(I've attached the press release below). He joins Daniel Frye of IBM as our
two keynote speakers this year.
As a reminder early registration ends February 23. After that date the
conference rate goes up some, but as important, the block of reserved hotel
rooms for the conference are no longer assured. So if you are planning to
come to the symposium this year, I recommend you register by that date.
Regards, Frank
-=-=-=-=-=-=-=-=-=-=-=-=-=-
FOR IMMEDIATE RELEASE
CONTACT: info(a)selinux-symposium.org
National Security Agency Director of Information Assurance to be
Keynote Speaker at Third Security Enhanced Linux Symposium
Baltimore, Maryland, February 7, 2007. Richard Schaeffer, Director of
Information Assurance for the National Security Agency (NSA), will be a
keynote speaker for the third annual Security Enhanced Linux (SELinux)
Symposium (www.selinux-symposium.org), scheduled for March 12-16, 2007 in
Baltimore, Maryland.
The Information Assurance Directorate (IAD) is the NSA mission element
charged with providing products and services critical to protecting the
United States' national security systems. IAD is also responsible for
defining and implementing the Information Assurance Strategy to protect the
Department of Defense's (DoD) Global Information Grid (GIG). Moreover, IAD
supports ongoing military operations against terrorism by delivering
solutions that allow the secure and dynamic sharing of information across
security domains at multiple classification levels in today's net-centric
environment.
Consistent with its national security mission, NSA originally developed and
publicly released SELinux as a demonstration that high-end security access
control features could be successfully integrated into mainstream open
source technology. At this year's symposium, Mr. Schaeffer will present a
keynote address entitled "SELinux: An Example of a Better Path to
Information Assurance through Partnership." In this address, Mr. Schaeffer
will discuss the benefits to both Government and business organizations that
can be gained by working with the open source community.
About the SELinux Symposium
The Security Enhanced Linux (SELinux) Symposium is an annual exchange of
ideas, technology, and research involving SELinux. SELinux is emerging
technology that adds flexible, strong mandatory access control security to
Linux. The third annual symposium is scheduled for March 12-16, 2007 in
Baltimore, Maryland, USA. This year's symposium is sponsored by
Hewlett-Packard, IBM, Red Hat, and Tresys Technology. The event brings
together experts from business, government, and academia to share research,
development, and application experiences using SELinux. For information on
registration and sponsorship opportunities, see www.selinux-symposium.org.
Mail problems...
by melaina@libero.it
Hello!
I have just started playing a bit with SELinux in permissive mode on my system. I have qmail with spamassassin installed; the only AVC denied messages I get (after I relabeled the system and fixed domains on a couple of log files) are the following:
Jan 30 20:23:13 drake kernel: audit(1170210193.998:8): avc: denied { read } for pid=11862 comm="sendmail" name="RsmVLSTr" dev=loop0 ino=20 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:httpd_sys_script_rw_t tclass=file
Jan 30 20:23:13 drake kernel: audit(1170210193.998:9): avc: denied { read write } for pid=11862 comm="sendmail" name="jk-runtime-status" dev=hda5 ino=4982749 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tclass=file
Jan 30 20:23:14 drake kernel: audit(1170210194.019:10): avc: denied { ioctl } for pid=11863 comm="qmail-scanner-q" name="error_log" dev=hda5 ino=4984894 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:httpd_log_t tclass=file
Jan 30 20:23:14 drake kernel: audit(1170210194.026:11): avc: denied { read } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 scontext=user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=file
Jan 30 20:23:14 drake kernel: audit(1170210194.026:12): avc: denied { getattr } for pid=11863 comm="sperl5.8.5" name="mounts" dev=proc ino=777453584 scontext=user_u:system_r:system_mail_t tcontext=user_u:system_r:system_mail_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.204:13): avc: denied { append } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.204:14): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.205:15): avc: denied { getattr } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.206:16): avc: denied { read } for pid=11863 comm="perl5.8.5" name="qmail-scanner-queue-version.txt" dev=hda5 ino=5130273 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.208:17): avc: denied { write } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=5195094 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.208:18): avc: denied { add_name } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.208:19): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.409:20): avc: denied { create } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.410:21): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.410:22): avc: denied { getattr } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.414:23): avc: denied { write } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.418:24): avc: denied { link } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.419:25): avc: denied { remove_name } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.419:26): avc: denied { unlink } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.424:27): avc: denied { read write } for pid=11864 comm="sh" name="tty" dev=tmpfs ino=1804 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:devtty_t tclass=chr_file
Jan 30 20:23:15 drake kernel: audit(1170210195.431:28): avc: denied { read } for pid=11865 comm="sh" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5276868 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.434:29): avc: denied { write } for pid=11865 comm="reformime" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.434:30): avc: denied { add_name } for pid=11865 comm="reformime" name="1170210195.11865-0.drake.mydomain.com" scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.739:31): avc: denied { read } for pid=11863 comm="perl5.8.5" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.755:32): avc: denied { read } for pid=11863 comm="perl5.8.5" name="tmp" dev=hda5 ino=4980740 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_t tclass=lnk_file
Jan 30 20:23:15 drake kernel: audit(1170210195.795:33): avc: denied { execute } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.796:34): avc: denied { execute_no_trans } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.796:35): avc: denied { read } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.798:36): avc: denied { search } for pid=11867 comm="find" name="selinux" dev=hda5 ino=557257 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.798:37): avc: denied { read } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.798:38): avc: denied { getattr } for pid=11867 comm="find" name="config" dev=hda5 ino=557274 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:selinux_config_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.860:39): avc: denied { read } for pid=11871 comm="rm" name="qscan" dev=hda5 ino=5130256 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.860:40): avc: denied { remove_name } for pid=11871 comm="rm" name="1170210195.11865-0.drake.mydomain.com" dev=hda5 ino=5408222 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.861:41): avc: denied { rmdir } for pid=11871 comm="rm" name="drake.mydomain.com117021019577211863" dev=hda5 ino=5408221 scontext=user_u:system_r:system_mail_t tcontext=user_u:object_r:var_spool_t tclass=dir
Jan 30 20:23:15 drake kernel: audit(1170210195.873:42): avc: denied { sigchld } for pid=1 comm="init" scontext=user_u:system_r:system_mail_t tcontext=user_u:system_r:unconfined_t tclass=process
Any directions to fix this?
Thanks!
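The AVC lines in this post, like the ones in Ted Rule's, Dan Track's and Tom London's posts on this page, are what audit2allow is fed to get a first cut at a local policy module. As an added example that is not part of any post and is not audit2allow itself, the Python below does the same grouping: it joins records that a mail client has wrapped across lines, extracts the permissions, source type, target type and object class, merges them into one `allow` line per (source, target, class), and flags targets labelled `file_t`, where the right fix is a relabel with restorecon rather than a new allow rule. The sample log is constructed from lines adapted from the posts above; the names `summarise`, `render` and `join_wrapped` are this example's own. Treat the output as a starting point for review, not a module to load blindly: an allow rule silences a denial, it does not tell you whether the access was intended.

```python
"""Group SELinux AVC denials into candidate allow rules (added example).

Not audit2allow and not code from any post on this page; a compact
re-implementation of the same grouping, with a check for unlabeled targets.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # pid=123 comm="crond" ...
RECORD_START = re.compile(r"^(?:[A-Z][a-z]{2}\s+\d+\s|type=)")  # syslog date or type=
UNLABELED = {"file_t", "unlabeled_t"}                    # relabel, do not allow

# Constructed sample: lines adapted from the AVCs quoted on this page,
# two of them wrapped the way a mail client wraps long lines.
SAMPLE_LOG = """\
Jan 21 21:29:51 topaz kernel: audit(1169414991.423:988): avc: denied
{ entrypoint } for pid=4891 comm="crond" name="sendmail.sendmail"
dev=hda6 ino=1313020
scontext=system_u:system_r:system_crond_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
Feb 7 14:26:10 jupiter kernel: audit(1170858370.177:2547): avc:
denied { getsession } for pid=555 comm="httpd"
scontext=root:system_r:httpd_t tcontext=root:system_r:unconfined_t
tclass=process
Jan 30 20:23:15 drake kernel: audit(1170210195.204:13): avc: denied { append } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.204:14): avc: denied { ioctl } for pid=11863 comm="perl5.8.5" name="qmail-queue.log" dev=hda5 ino=5130271 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.795:33): avc: denied { execute } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
Jan 30 20:23:15 drake kernel: audit(1170210195.796:34): avc: denied { execute_no_trans } for pid=11867 comm="perl5.8.5" name="find" dev=hda5 ino=5297451 scontext=user_u:system_r:system_mail_t tcontext=system_u:object_r:file_t tclass=file
"""


def join_wrapped(text):
    """Re-join records that were wrapped: a line that does not start a
    new syslog/auditd record is appended to the previous one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if records and not RECORD_START.match(line):
            records[-1] += " " + line
        else:
            records.append(line)
    return records


def type_of(context):
    """user:role:type[:mls] -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(record):
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarise(text):
    """Merge denials into {(stype, ttype, tclass): set(perms)} plus the comms seen."""
    rules, comms = defaultdict(set), defaultdict(set)
    for record in join_wrapped(text):
        avc = parse_avc(record)
        if avc is None:
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        rules[key].update(avc["perms"])
        if avc["comm"]:
            comms[key].add(avc["comm"])
    return rules, comms


def render(rules, comms):
    """One allow line per key, or a relabel note when the target is unlabeled."""
    out = []
    for key in sorted(rules):
        stype, ttype, tclass = key
        who = ",".join(sorted(comms[key]))
        if ttype in UNLABELED:
            out.append(f"# {stype} -> {ttype}:{tclass} ({who}): target is unlabeled; "
                       "relabel it with restorecon instead of adding an allow rule")
        else:
            perms = " ".join(sorted(rules[key]))
            out.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};  # {who}")
    return out


if __name__ == "__main__":
    print("\n".join(render(*summarise(SAMPLE_LOG))))
```

Pipe `grep avc: /var/log/messages` or `ausearch -m avc` output into `summarise` on a real system; the `comm` annotation on each rule is what tells you which program to look at before deciding whether an allow rule, a boolean, or a relabel is the right answer.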
prelink AVC
by Tom London
Latest rawhide, targeted/enforcing:
type=AVC msg=audit(1170548651.391:53): avc: denied { read } for
pid=7741 comm="prelink" name="ssh-agent" dev=dm-0 ino=5479875
scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ssh_agent_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1170548651.391:53): arch=40000003 syscall=5
success=no exit=-13 a0=9022ce8 a1=8000 a2=0 a3=0 items=0 ppid=7732
pid=7741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="prelink" exe="/usr/sbin/prelink"
subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
tom
--
Tom London
Crossover
by Göran Uddeborg
Crossover installs under /opt/cxoffice by default. The rules for
wine-style programs do not seem to cover that hierarchy, and just
trying to run things gives a lot of denied execmods.
I assume just mirroring the settings for regular wine is fine for
Crossover too:
/opt/cxoffice/lib/wine/.+\.so system_u:object_r:textrel_shlib_t:s0
/opt/cxoffice/bin/wine system_u:object_r:wine_exec_t:s0
I changed the files (only directly with chcon) and it appears to work.
At least so far, we have not used this too much yet.
Does this make sense? Do you want a bugzilla about it?