Re: permitting execmod for a application
by Daniel J Walsh
Till Maas wrote:
> Daniel J Walsh wrote:
>
>
>> execmod should only be required for a shared library. You can get
>> selinux to allow this by executing
>>
>> chcon -t texrel_shlib_t PATHTOLIB
>>
>
> Thanks, this works.
>
>
>> If possible could you build the library to not require this type.
>>
>
> Is there a guide how to do this? I.e. what normally leads to this problem
> and to solve it without having to read a lot of selinux? I know, I should
> read more about it, but I absolutely do not have so much time for this
> right now :-(
>
> Regards,
> Till
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
http://people.redhat.com/~drepper/selinux-mem.html
explains the memory checks. I would advise you to install
setroubleshoot which should help you with other selinux errors.
17 years, 1 month
wondering ??
by Euman
Wondering when someone will fix the init issue for kernels past 1981.fc7
I cant figure it out, obviously. Would like to boot 2999.fc7 so its been
a boog for awhile.
--
Registered Linux User #380358
17 years, 1 month
selinux policy change yields unbootable initrd
by Will Woods
(See my other mail on the subject here:
http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html )
Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is
denying ldconfig permission to create symlinks in /tmp. mkinitrd uses
ldconfig to set up the symlinks in the initrd it creates (in a temp dir
under /tmp), so then nash won't load (missing ld-linux.so.2), so your
system won't boot.
Here's the relevant info, triggered when installing a new kernel (which
runs mkinitrd):
avc: denied { create } for comm="ldconfig" egid=0 euid=0
exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0
sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file
tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
Hope this helps,
-w
17 years, 1 month
logwatch AVCs
by Paul Howarth
FC6, on a system using LDAP auth:
type=AVC msg=audit(1174305023.309:160): avc: denied { create } for
pid=5320 comm="perl"
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tclass=netlink_route_socket
type=SYSCALL msg=audit(1174305023.309:160): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfafaf20 a2=4933dff4 a3=bfafb19d items=0
ppid=5318 pid=5320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="perl" exe="/usr/bin/perl"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1174305023.311:161): avc: denied { create } for
pid=5320 comm="perl"
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
tclass=unix_dgram_socket
type=SYSCALL msg=audit(1174305023.311:161): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfafb2a4 a2=4933dff4 a3=14 items=0 ppid=5318
pid=5320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="perl" exe="/usr/bin/perl"
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
I added rules:
# Allow logwatch to send syslog messages and read the routing table
allow logwatch_t self:netlink_route_socket { r_netlink_socket_perms };
logging_send_syslog_msg(logwatch_t)
The syslog messages being sent were along the lines of:
Mar 19 11:52:33 xy01m005 perl: nss_ldap: failed to bind to LDAP server
ldap://10.1.0.65: Can't contact LDAP server
Mar 19 11:52:33 xy01m005 perl: nss_ldap: could not search LDAP server -
Server is unavailable
Mar 19 11:52:34 xy01m005 perl: nss_ldap: failed to bind to LDAP server
ldap://10.1.0.65: Can't contact LDAP server
Mar 19 11:52:34 xy01m005 perl: nss_ldap: failed to bind to LDAP server
ldap://10.1.0.65: Can't contact LDAP server
Mar 19 11:52:34 xy01m005 perl: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
So these were valid messages that I needed to see...
Paul.
17 years, 1 month
Re: permitting execmod for a application
by Daniel J Walsh
Till Maas wrote:
> Hello,
>
> I am trying to package virtualbox for fedora and do not know enough to
> create the needed files for it. At the moment it contains executables
> in /opt/VirtualBox (this will change) that need execmod permissions.
>
> Can someone please give a example that create the context, labels the files
> and permits execmod?
>
>
execmod should only be required for a shared library. You can get
selinux to allow this by executing
chcon -t texrel_shlib_t PATHTOLIB
If possible could you build the library to not require this type.
> Regards,
> Till
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
17 years, 1 month
sysfs AVC from today's Rawhide...
by Tom London
targeted/enforcing. Seems to occur during gnome login....
type=AVC msg=audit(1173794972.786:18): avc: denied { write } for
pid=3358 comm="modprobe" name="config" dev=sysfs ino=8517
scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1173794972.786:18): arch=40000003 syscall=11
success=yes exit=0 a0=bfabe678 a1=bfabd638 a2=bfabf020 a3=400 items=0
ppid=3335 pid=3358 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=tty7 comm="modprobe" exe="/sbin/modprobe"
subj=system_u:system_r:insmod_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1173794972.786:18):
path="/sys/devices/pci0000:00/0000:00:02.0/config"
--
Tom London
17 years, 1 month
dovecot wants to access squid cache dir
by Vikram Goyal
hello,
I am using FC6. Running selinux in targeted mode.
selinux-policy-targeted-2.4.6-41
dovecot-1.0-1.1.rc15.fc6
Using dovecot I get the following audit messages.
----------------------------------------------------------------
type=USER_AUTH msg=audit(1173532461.741:31): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1173532461.753:32): user pid=14121 uid=0 auid=500 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct=vikram : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=AVC msg=audit(1173532461.781:33): avc: denied { getattr } for pid=14124 comm="dovecot" name="/" dev=sda6 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1173532461.781:33): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a942 a1=bfff2068 a2=a5bff4 a3=8f6a94d items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null)
type=AVC_PATH msg=audit(1173532461.781:33): path="/usr/sbin"
type=AVC msg=audit(1173532461.785:34): avc: denied { getattr } for pid=14124 comm="dovecot" name="/" dev=sda11 ino=2 scontext=user_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:squid_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1173532461.785:34): arch=40000003 syscall=195 success=no exit=-13 a0=8f6a943 a1=bfff2068 a2=a5bff4 a3=8f6a955 items=0 ppid=14104 pid=14124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=500 sgid=0 fsgid=500 tty=(none) comm="dovecot" exe="/usr/sbin/dovecot" subj=user_u:system_r:dovecot_t:s0 key=(null)
type=AVC_PATH msg=audit(1173532461.785:34): path="/var/spool/squid"
----------------------------------------------------------------
The advice audit2allow gives me:
root@fc6host ~]# audit2allow
allow dovecot_t sbin_t:dir getattr;
allow dovecot_t squid_cache_t:dir getattr;
I have allowed it for now but I'm not sure.
please advice.
Thanks!
--
vikram...
||||||||
||||||||
^^'''''^^||root||^^^'''''''^^
// \\ ))
//(( \\// \\
// /\\ || \\
|| / )) (( \\
--
DISCLAIMER:
Use of this advanced computing technology does not imply an endorsement
of Western industrial civilization.
--
.
-
~|~
=
Registered Linux User #285795
17 years, 1 month
Making a python/shell script run in httpd_t (or some other domain)
by Forrest Taylor
I am trying to make a python script run in the httpd_t domain on RHEL5
RC4. I have assigned the script the httpd_exec_t type. I searched the
archives, and I saw an earlier post that stated that I should use the -E
option to python:
#!/usr/bin/python -E
I see the same entry in python scripts like setroubleshootd. However,
when I try to run my script (or setroubleshootd, for that matter)
directly, it runs in unconfined_t. I have the same problem with shell
executables. Any tips?
run_init will run as expected, but it does also ask for the root
password. I know that I could change the pam.d/ entry, but I don't want
to do that at this point.
I created an init script that simply calls the executable. This works
as expected, as long as the script starts with the interpreter (e.g.,
#!/bin/bash). If I leave out that line, it does not transition. Any
idea why?
Thanks,
Forrest
17 years, 1 month
AVC from gnome 'eject'
by Tom London
Running latest Rawhide, targeted/enforcing.
Trying to unmount/eject CD by right-clicking on its icon and selecting
'eject' does the unmount, but fails to eject (produces an error
popup).
Found this in /var/log/audit/audit.log:
type=AVC msg=audit(1173069472.190:85): avc: denied { setexec } for
pid=10486 comm="userhelper" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=process
type=SYSCALL msg=audit(1173069472.190:85): arch=40000003 syscall=4
success=no exit=-13 a0=4 a1=8cefa48 a2=1c a3=43469be9 items=0
ppid=10485 pid=10486 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="userhelper"
exe="/usr/sbin/userhelper" subj=system_u:system_r:hald_t:s0 key=(null)
tom
--
Tom London
17 years, 1 month
ConsoleKit AVC
by Tom London
One more AVC from ConsoleKit:
type=AVC msg=audit(1172877528.598:13): avc: denied { write } for
pid=2896 comm="console-kit-dae" name="run" dev=dm-0 ino=65576
scontext=system_u:system_r:consolekit_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1172877528.598:13): arch=40000003 syscall=5
success=no exit=-13 a0=805280c a1=2c1 a2=1a4 a3=bfffb6b0 items=0
ppid=2895 pid=2896 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="console-kit-dae"
exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0 key=(null)
tom
--
Tom London
17 years, 1 month
