Re: permitting execmod for an application
by Daniel J Walsh
Till Maas wrote:
> Daniel J Walsh wrote:
>
>
>> execmod should only be required for a shared library. You can get
>> selinux to allow this by executing
>>
>> chcon -t texrel_shlib_t PATHTOLIB
>>
>
> Thanks, this works.
>
>
>> If possible could you build the library to not require this type.
>>
>
> Is there a guide how to do this? I.e. what normally leads to this problem
> and to solve it without having to read a lot of selinux? I know, I should
> read more about it, but I absolutely do not have so much time for this
> right now :-(
>
> Regards,
> Till
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
http://people.redhat.com/~drepper/selinux-mem.html
explains the memory checks. I would advise you to install
setroubleshoot which should help you with other selinux errors.
16 years
wondering ??
by Euman
Wondering when someone will fix the init issue for kernels past 1981.fc7.
I can't figure it out, obviously. Would like to boot 2999.fc7, so it's been
a bug for a while.
--
Registered Linux User #380358
selinux policy change yields unbootable initrd
by Will Woods
(See my other mail on the subject here:
http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html )
Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is
denying ldconfig permission to create symlinks in /tmp. mkinitrd uses
ldconfig to set up the symlinks in the initrd it creates (in a temp dir
under /tmp), so then nash won't load (missing ld-linux.so.2), so your
system won't boot.
Here's the relevant info, triggered when installing a new kernel (which
runs mkinitrd):
avc: denied { create } for comm="ldconfig" egid=0 euid=0
exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0
sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file
tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
Hope this helps,
-w
logwatch AVCs
by Paul Howarth
FC6, on a system using LDAP auth:
type=AVC msg=audit(1174305023.309:160): avc: denied { create } for
pid=5320 comm="perl"
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tclass=netlink_route_socket
type=SYSCALL msg=audit(1174305023.309:160): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfafaf20 a2=4933dff4 a3=bfafb19d items=0
ppid=5318 pid=5320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="perl" exe="/usr/bin/perl"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1174305023.311:161): avc: denied { create } for
pid=5320 comm="perl"
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tclass=unix_dgram_socket
type=SYSCALL msg=audit(1174305023.311:161): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfafb2a4 a2=4933dff4 a3=14 items=0 ppid=5318
pid=5320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="perl" exe="/usr/bin/perl"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
I added rules:
# Allow logwatch to send syslog messages and read the routing table
allow logwatch_t self:netlink_route_socket { r_netlink_socket_perms };
logging_send_syslog_msg(logwatch_t)
The syslog messages being sent were along the lines of:
Mar 19 11:52:33 xy01m005 perl: nss_ldap: failed to bind to LDAP server
ldap://10.1.0.65: Can't contact LDAP server
Mar 19 11:52:33 xy01m005 perl: nss_ldap: could not search LDAP server -
Server is unavailable
Mar 19 11:52:34 xy01m005 perl: nss_ldap: failed to bind to LDAP server
ldap://10.1.0.65: Can't contact LDAP server
Mar 19 11:52:34 xy01m005 perl: nss_ldap: failed to bind to LDAP server
ldap://10.1.0.65: Can't contact LDAP server
Mar 19 11:52:34 xy01m005 perl: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
So these were valid messages that I needed to see...
Paul.
Re: permitting execmod for an application
by Daniel J Walsh
Till Maas wrote:
> Hello,
>
> I am trying to package virtualbox for fedora and do not know enough to
> create the needed files for it. At the moment it contains executables
> in /opt/VirtualBox (this will change) that need execmod permissions.
>
> Can someone please give a example that create the context, labels the files
> and permits execmod?
>
>
execmod should only be required for a shared library. You can get
selinux to allow this by executing
chcon -t texrel_shlib_t PATHTOLIB
If possible could you build the library to not require this type.
> Regards,
> Till
>
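Both of Dan Walsh's replies above come down to the same point: a library needs execmod because it carries text relocations, and texrel_shlib_t is the label that tolerates that. The following is an added example, not code from the thread or from the SELinux project. It parses the dynamic section of an ELF object for DT_TEXTREL or the DF_TEXTREL flag so the diagnosis can be confirmed before relabelling, and returns the chcon/semanage/restorecon commands for the relabel. The library path and the constructed sample image are assumptions of the example.

```python
"""Check a shared object for text relocations, the usual cause of an execmod AVC.

Added example, not code from the thread or from the SELinux project.  A library
built with text relocations makes the loader write into its code pages and then
execute them, which is exactly the execmod permission.  A library that is clean
here but still trips execmod needs a different fix (a JIT or an executable
stack, not a relabel).  Only the ELF pieces needed for this check are parsed:
the ELF header, the program headers, and the PT_DYNAMIC segment.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def _program_header_table(data):
    """Return (struct endianness prefix, is64, e_phoff, e_phentsize, e_phnum)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    return end, is64, phoff, phentsize, phnum


def dynamic_entries(data):
    """Yield (d_tag, d_val) from the PT_DYNAMIC segment, stopping at DT_NULL."""
    end, is64, phoff, phentsize, phnum = _program_header_table(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:   # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz ...
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, base)
            entsize, fmt = 16, end + "qQ"
        else:      # Elf32_Phdr: p_type p_offset p_vaddr p_paddr p_filesz ...
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIIII", data, base)
            entsize, fmt = 8, end + "iI"
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, entsize):
            tag, val = struct.unpack_from(fmt, data, off)
            if tag == DT_NULL:
                return
            yield tag, val
        return


def has_textrel(data):
    """True if the object declares text relocations (DT_TEXTREL or DF_TEXTREL)."""
    return any(tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL)
               for tag, val in dynamic_entries(data))


def relabel_commands(path, textrel):
    """Commands that let SELinux load a TEXTREL library at `path` (a hypothetical
    path supplied by the caller).  An empty list means: do not relabel, the
    execmod denial has another cause.  semanage makes the label survive a
    relabel of the filesystem; chcon alone does not."""
    if not textrel:
        return []
    return [
        f"chcon -t texrel_shlib_t {path}",
        f"semanage fcontext -a -t texrel_shlib_t '{path}'",
        f"restorecon -v {path}",
    ]


def build_sample_elf64(textrel):
    """Constructed test input: a minimal little-endian ELF64 ET_DYN image holding
    one PT_DYNAMIC segment with a DT_FLAGS entry.  Not a real library."""
    dyn_off = 64 + 56                                   # ELF header + one program header
    dyn = struct.pack("<qQ", DT_FLAGS, DF_TEXTREL if textrel else 0) + struct.pack("<qQ", DT_NULL, 0)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1, SYSV ABI
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return header + phdr + dyn


if __name__ == "__main__":
    # Usage: python3 textrel_check.py /path/to/lib.so
    # With no argument the constructed sample image is checked instead.
    if len(sys.argv) > 1:
        path, image = sys.argv[1], open(sys.argv[1], "rb").read()
    else:
        path, image = "<constructed sample>", build_sample_elf64(True)
    flagged = has_textrel(image)
    print(f"{path}: TEXTREL={'yes' if flagged else 'no'}")
    for cmd in relabel_commands(path, flagged):
        print("  " + cmd)
```

A clean result together with a persisting execmod denial means the relabel is the wrong fix. Where TEXTREL is present, relabelling only silences the check; the fix Drepper's page asks for is to rebuild the library as position-independent code (-fPIC) so the loader never has to write into its text.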
sysfs AVC from today's Rawhide...
by Tom London
targeted/enforcing. Seems to occur during gnome login....
type=AVC msg=audit(1173794972.786:18): avc: denied { write } for
pid=3358 comm="modprobe" name="config" dev=sysfs ino=8517
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1173794972.786:18): arch=40000003 syscall=11
success=yes exit=0 a0=bfabe678 a1=bfabd638 a2=bfabf020 a3=400 items=0
ppid=3335 pid=3358 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=tty7 comm="modprobe" exe="/sbin/modprobe"
subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1173794972.786:18):
path="/sys/devices/pci0000:00/0000:00:02.0/config"
--
Tom London
dovecot wants to access squid cache dir
by Vikram Goyal
hello,
I am using FC6. Running selinux in targeted mode.
selinux-policy-targeted-2.4.6-41
dovecot-1.0-1.1.rc15.fc6
Using dovecot I get the following audit messages.
----------------------------------------------------------------
type=USER_AUTH msg=audit(1173532461.741:31): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1173532461.753:32): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=AVC msg=audit(1173532461.781:33): avc: denied { getattr } for pid=14124 comm="dovecot" name="/" dev=sda6 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1173532461.781:33): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a942 a1=bfff2068 a2=a5bff4 a3=8f6a94d items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null)
type=AVC_PATH msg=audit(1173532461.781:33): path="/usr/sbin"
type=AVC msg=audit(1173532461.785:34): avc: denied { getattr } for pid=14124 comm="dovecot" name="/" dev=sda11 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1173532461.785:34): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a943 a1=bfff2068 a2=a5bff4 a3=8f6a955 items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null)
type=AVC_PATH msg=audit(1173532461.785:34): path="/var/spool/squid"
----------------------------------------------------------------
The advice audit2allow gives me:
[root@fc6host ~]# audit2allow
allow dovecot_t sbin_t:dir getattr;
allow dovecot_t squid_cache_t:dir getattr;
I have allowed it for now but I'm not sure.
Please advise.
Thanks!
--
vikram...
||||||||
||||||||
^^'''''^^||root||^^^'''''''^^
// \\ ))
//(( \\// \\
// /\\ || \\
|| / )) (( \\
--
DISCLAIMER:
Use of this advanced computing technology does not imply an endorsement
of Western industrial civilization.
--
.
-
~|~
=
Registered Linux User #285795
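Several posts in this thread paste raw AVC records and ask what rule would satisfy them; Vikram's audit2allow output and Paul's hand-written logwatch rule show the two usual answers. The following added example is my code, not audit2allow's and not from any poster. It parses the records quoted in these posts into candidate allow rules the same way, merging permissions per source/target/class and writing `self` when source and target type match, as Paul's rule does. The log lines are copied from the posts above, with the wrapped ldconfig record joined onto one line; everything else is an assumption of the example.

```python
"""Turn SELinux AVC denials into candidate allow rules, audit2allow-style.

Added example for the denials quoted in these posts; not audit2allow itself
and not code from the thread.  The sample records below are copied from the
posts (the ldconfig one re-joined onto a single line).  Both the older
syslog-style record and the auditd type=AVC record are handled; SYSCALL,
AVC_PATH and USER_* records are ignored.
"""
import re
import sys
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [
    # Will Woods, mkinitrd/ldconfig (wrapped over five lines in the mail, joined here)
    'avc: denied { create } for comm="ldconfig" egid=0 euid=0 exe="/sbin/ldconfig" exit=-13 '
    'fsgid=0 fsuid=0 gid=0 items=0 name="ld-linux.so.2" pid=4613 '
    'scontext=user_u:system_r:ldconfig_t:s0 sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 '
    'tclass=lnk_file tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0',
    # Paul Howarth, logwatch (the SYSCALL record in between is skipped by the parser)
    'type=AVC msg=audit(1174305023.309:160): avc: denied { create } for pid=5320 comm="perl" '
    'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=netlink_route_socket',
    'type=SYSCALL msg=audit(1174305023.309:160): arch=40000003 syscall=102 success=no exit=-13',
    'type=AVC msg=audit(1174305023.311:161): avc: denied { create } for pid=5320 comm="perl" '
    'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=unix_dgram_socket',
    # Tom London, modprobe writing to sysfs
    'type=AVC msg=audit(1173794972.786:18): avc: denied { write } for pid=3358 comm="modprobe" '
    'name="config" dev=sysfs ino=8517 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    # Vikram Goyal, dovecot
    'type=AVC msg=audit(1173532461.781:33): avc: denied { getattr } for pid=14124 comm="dovecot" '
    'name="/" dev=sda6 ino=2 scontext=user_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:object_r:sbin_t:s0 tclass=dir',
    'type=AVC msg=audit(1173532461.785:34): avc: denied { getattr } for pid=14124 comm="dovecot" '
    'name="/" dev=sda11 ino=2 scontext=user_u:system_r:dovecot_t:s0 '
    'tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir',
    # Tom London, hald/userhelper and ConsoleKit
    'type=AVC msg=audit(1173069472.190:85): avc: denied { setexec } for pid=10486 comm="userhelper" '
    'scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=process',
    'type=AVC msg=audit(1172877528.598:13): avc: denied { write } for pid=2896 comm="console-kit-dae" '
    'name="run" dev=dm-0 ino=65576 scontext=system_u:system_r:consolekit_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=dir',
]


def parse_avc(line):
    """Parse one AVC denial into source type, target type, class and permissions.

    Returns None for anything that is not a denial.  Contexts have the form
    user:role:type[:range]; only the type field matters for the rule.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("rest")):
        fields[key] = value[1:-1] if value.startswith('"') else value
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def candidate_rules(lines):
    """Merge denials into one allow rule per (source type, target type, class).

    When source and target type are the same (the logwatch sockets, hald's
    setexec) the target is written as `self`, as the policy sources do.  The
    result is a starting point for review, not a policy to load blindly.
    """
    perms = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        perms[(d["stype"], target, d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        body = " ".join(sorted(p))
        if len(p) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


if __name__ == "__main__":
    # Usage: python3 avc_rules.py < /var/log/audit/audit.log
    # With no piped input the records quoted in the thread are used.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for rule in candidate_rules(source):
        print(rule)
```

The output is something to read, not to load as-is. Paul's rule uses the r_netlink_socket_perms macro rather than the bare create the log shows, because allowing only the permission that was denied tends to produce a fresh denial for the next one on the following run. And a rule such as allow dovecot_t squid_cache_t:dir getattr is a prompt to check labels before permissions: run matchpathcon and restorecon -Rv on the path from the AVC_PATH record, since a mail daemon has no business in a proxy cache even if a getattr on a mount point is harmless in itself.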
Making a python/shell script run in httpd_t (or some other domain)
by Forrest Taylor
I am trying to make a python script run in the httpd_t domain on RHEL5
RC4. I have assigned the script the httpd_exec_t type. I searched the
archives, and I saw an earlier post that stated that I should use the -E
option to python:
#!/usr/bin/python -E
I see the same entry in python scripts like setroubleshootd. However,
when I try to run my script (or setroubleshootd, for that matter)
directly, it runs in unconfined_t. I have the same problem with shell
executables. Any tips?
run_init will run as expected, but it does also ask for the root
password. I know that I could change the pam.d/ entry, but I don't want
to do that at this point.
I created an init script that simply calls the executable. This works
as expected, as long as the script starts with the interpreter (e.g.,
#!/bin/bash). If I leave out that line, it does not transition. Any
idea why?
Thanks,
Forrest
AVC from gnome 'eject'
by Tom London
Running latest Rawhide, targeted/enforcing.
Trying to unmount/eject CD by right-clicking on its icon and selecting
'eject' does the unmount, but fails to eject (produces an error
popup).
Found this in /var/log/audit/audit.log:
type=AVC msg=audit(1173069472.190:85): avc: denied { setexec } for
pid=10486 comm="userhelper" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=process
type=SYSCALL msg=audit(1173069472.190:85): arch=40000003 syscall=4
success=no exit=-13 a0=4 a1=8cefa48 a2=1c a3=43469be9 items=0
ppid=10485 pid=10486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="userhelper"
exe="/usr/sbin/userhelper" subj=system_u:system_r:hald_t:s0 key=(null)
tom
--
Tom London
ConsoleKit AVC
by Tom London
One more AVC from ConsoleKit:
type=AVC msg=audit(1172877528.598:13): avc: denied { write } for
pid=2896 comm="console-kit-dae" name="run" dev=dm-0 ino=65576
scontext=system_u:system_r:consolekit_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1172877528.598:13): arch=40000003 syscall=5
success=no exit=-13 a0=805280c a1=2c1 a2=1a4 a3=bfffb6b0 items=0
ppid=2895 pid=2896 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="console-kit-dae"
exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0 key=(null)
tom
--
Tom London