selinux June 2007

selinux@lists.fedoraproject.org

50 participants
63 discussions

Spamassassin + Procmail + Lockfile + SELinux = broken
by mothra 27 Jun '07

27 Jun '07

I'm rather green, and have had some trouble deciphering a lot of the SELinux stuff. Any help would be great. I'm using procmail to filter mail through spamassassin (SA), but SELinux appears to be interfering. I say this because if I turn off enforcing, mail gets through properly tagged by SA. With SELinux on, messages are not tagged by SA. The log looks like this: Jun 26 23:07:51 parsnip kernel: audit(1182917271.036:1779): enforcing=1 old_enforcing=0 auid=4294967295 Jun 26 23:07:51 parsnip dbus: avc: received setenforce notice (enforcing=1) Jun 26 23:08:04 parsnip kernel: audit(1182917284.795:1780): avc: denied { search } for pid=28116 comm="spamassassin" name="tmp" dev=sda3 ino=26738689 scontext=user_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir My (rather ignorant) read is that procmail_t and tmp_t are not matching (procmail does try to write a lockfile). And what I have gleaned is that I either need some sort of rule that somehow matches these two, or I need to change some tags (on my /tmp directory?) to allow this to proceed. Am I anywhere near the ballpark? I tried audit2why to decipher this, but it complained that it didn't understand policies outside of the range 15-20. Audit2allow returns allow procmail_t tmp_t:di search; But I'm not sure what to do with it... Thanks in advance for any help! - Lowell

3 3

Is there a simple way to allow execmem for a single binary?
by Bruno Wolff III 27 Jun '07

27 Jun '07

I have a propietary app (iHEAT) that is getting execmem denials. I would prefer to allow just this one app to be able to do that rather than disabling the check for everything. I am using the targeted policy in Fedora 7. I saw there was a context type unconfined_execmem, but that doesn't seem to permit execution. Is there some context I can use or perhaps I need to relabel a library and not the executable?

2 2

Pravinth has Tagged you! :)
by ganesan pravinth 26 Jun '07

26 Jun '07

1 0

ftpd and PAM
by Paul Howarth 26 Jun '07

26 Jun '07

The PAM config files for vsftpd and prpftpd look like this: #%PAM-1.0 session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include system-auth account include system-auth session include system-auth session required pam_loginuid.so So it makes sense for ftpd_t to be able to set the login uid and create a session keyring: logging_set_loginuid(ftpd_t) allow ftpd_t self:key { write search link }; Curiously, I've done this locally but still get this AVC when logging in on proftpd, with an open dovecot IMAP session on the same server: type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0 tcontext=root:system_r:dovecot_t:s0 tclass=key Paul.

2 5

Is there a way to set default MCS labels for file creation?
by Bruno Wolff III 23 Jun '07

23 Jun '07

Is there a way to set a default set of labels for newly created files based on file paths or role?

2 4

Turboprint and FC7
by piotreek 22 Jun '07

22 Jun '07

Hi guys im using turboprint drivers for my IP 1000 Canon. When i try to print from Open Office i get this below: sealert -l 26616fa9-ba9f-44fb-9cf2-d1940f15217f Summary SELinux is preventing /lib/ld-2.6.so (cupsd_t) "execmem" to <Nieznane> (cupsd_t). Detailed Description SELinux denied access requested by /lib/ld-2.6.so. It is not expected that this access is required by /lib/ld-2.6.so and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:cupsd_t:SystemLow-SystemHigh Target Context system_u:system_r:cupsd_t:SystemLow-SystemHigh Target Objects None [ process ] Affected RPM Packages glibc-2.6-3 [application] Policy RPM selinux-policy-2.6.4-13.fc7 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name plugins.catchall Host Name c79-70.icpnet.pl Platform Linux *.icpnet.pl 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon Alert Count 1 First Seen Sun Jun 10 19:48:42 2007 Last Seen Sun Jun 10 19:48:42 2007 Local ID 26616fa9-ba9f-44fb-9cf2-d1940f15217f Line Numbers Raw Audit Messages avc: denied { execmem } for comm="ld-linux.so.2" egid=7 euid=4 exe="/lib/ld-2.6.so" exit=0 fsgid=7 fsuid=4 gid=7 items=0 pid=3240 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=process tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tty=(none) uid=4 On Fc 6 turboprint was working fine.

2 1

dovecot_auth_t wants capability audit_write and netlink_audit_socket create
by John Lindgren 22 Jun '07

22 Jun '07

Hi, New to this list, not totally new to selinux. Running F7 with everything current (06/04/2007), policy is selinux-policy-targeted-2.6.4-8.fc7. cat /var/log/audit/audit.log: type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write } for pid=13774 comm="dovecot-auth" capability=29 scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0 tcontext=root:sys tem_r:dovecot_auth_t:s0 tclass=netlink_audit_socket cat /var/log/audit/audit.log | audit2allow -M local: cat local.te: module local 1.0; require { type dovecot_auth_t; class capability audit_write; class netlink_audit_socket { write nlmsg_relay create read }; } #============= dovecot_auth_t ============== allow dovecot_auth_t self:capability audit_write; allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay create read }; semodule -i local.pp: libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay }; libsepol.check_assertion_helper: assertion on line 0 violated by allow dovecot_auth_t dovecot_auth_t:capability { audit_write }; libsepol.check_assertions: 2 assertion violations occured libsemanage.semanage_expand_sandbox: Expand module failed semodule: Failed! Should I add something magical (what, I'm not sure) to the .te to allow this anyway? Or is there something missing from the distribution targeted policy? Or edit the base policy and recompile the whole thing? Or... Anyone else having this problem? John

7 14

RPM with seperate selinux package
by Jan-Frode Myklebust 20 Jun '07

20 Jun '07

I've been building syslog-ng RPMs, with the needed selinux module as a separate sub-package following the instructions at: http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules but there's a problem with the logics of having the selinux package "Requires: main package", as then the main package will get installed and started before there is a working policy installed. So, is there any way of re-ordering this, without having the main package depend on the selinux package? i.e. I want to allow someone to install only the syslog-ng-2.0.4-12.i386.rpm if they don't want the selinux module, but I want the selinux module to be installed first if both are installed in the same operation. My current srpm --> http://tanso.net/yum/packages/syslog-ng-2.0.4-12.src.rpm -jf

2 1

Vanilla F7 install + Xen: selinux problems on guest creation.
by Mike Carney 20 Jun '07

20 Jun '07

Greetings, Just installed F7 from DVD, and installed Xen/Xen kernel. Then ran yum to pick up the latest updates. When attempting to create a F7 guest using virt-install, I see the following errors in the audit.log, and the creation fails: type=AVC msg=audit(1181917818.119:37): avc: denied { write } for pid=3032 comm="block" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5 success=no exit=-13 a0=9aba538 a1=8441 a2=1b6 a3=8441 items=0 ppid=3029 pid=3032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="block" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1181917818.139:38): avc: denied { write } for pid=3041 comm="vif-bridge" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir type=SYSCALL msg=audit(1181917818.139:38): arch=40000003 syscall=5 success=no exit=-13 a0=9947ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3035 pid=3041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1181917918.741:55): avc: denied { write } for pid=3269 comm="vif-bridge" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir type=SYSCALL msg=audit(1181917918.741:55): arch=40000003 syscall=5 success=no exit=-13 a0=84f7ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3266 pid=3269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1181917918.853:56): avc: denied { write } for pid=3290 comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir type=SYSCALL msg=audit(1181917918.853:56): arch=40000003 syscall=5 success=no exit=-13 a0=850db58 a1=8441 a2=1b6 a3=8441 items=0 ppid=3275 pid=3290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1181917918.893:57): avc: denied { write } for pid=3289 comm="block" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir type=SYSCALL msg=audit(1181917918.893:57): arch=40000003 syscall=5 success=no exit=-13 a0=9b4d548 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268 pid=3289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="block" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1181917918.941:58): avc: denied { write } for pid=3300 comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir type=SYSCALL msg=audit(1181917918.941:58): arch=40000003 syscall=5 success=no exit=-13 a0=930fb68 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268 pid=3300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) audit2allow recommends the following policy rule: audit2allow < audit.log #============= udev_t ============== allow udev_t xend_var_log_t:dir write; Has this fix already been made, or do I need to load this change into the policy db myself? Thanks!

2 1

crond_t avc messages with selinux-policy-targeted-2.6.4-17.fc7
by Will Woods 19 Jun '07

19 Jun '07

This is happening once per minute - every time cron runs. urgh. Using vixie-cron-4.1-82.fc7. avc: denied { audit_control } for comm="crond" egid=0 euid=0 exe="/usr/sbin/crond" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=4230 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 suid=0 tclass=capability tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=0 -w

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2007