Spamassassin + Procmail + Lockfile + SELinux = broken
by mothra
I'm rather green, and have had some trouble deciphering a lot of the
SELinux stuff. Any help would be great. I'm using procmail to filter
mail through spamassassin (SA), but SELinux appears to be interfering. I
say this because if I turn off enforcing, mail gets through properly
tagged by SA. With SELinux on, messages are not tagged by SA. The log
looks like this:
Jun 26 23:07:51 parsnip kernel: audit(1182917271.036:1779): enforcing=1
old_enforcing=0 auid=4294967295
Jun 26 23:07:51 parsnip dbus: avc: received setenforce notice (enforcing=1)
Jun 26 23:08:04 parsnip kernel: audit(1182917284.795:1780): avc: denied
{ search } for pid=28116 comm="spamassassin" name="tmp" dev=sda3
ino=26738689 scontext=user_u:system_r:procmail_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
My (rather ignorant) read is that procmail_t and tmp_t are not matching
(procmail does try to write a lockfile). And what I have gleaned is that
I either need some sort of rule that somehow matches these two, or I need
to change some tags (on my /tmp directory?) to allow this to proceed.
Am I anywhere near the ballpark? I tried audit2why to decipher this, but
it complained that it didn't understand policies outside of the range
15-20. Audit2allow returns
allow procmail_t tmp_t:di search;
But I'm not sure what to do with it...
Thanks in advance for any help!
- Lowell
16 years, 10 months
Is there a simple way to allow execmem for a single binary?
by Bruno Wolff III
I have a propietary app (iHEAT) that is getting execmem denials. I would
prefer to allow just this one app to be able to do that rather than disabling
the check for everything. I am using the targeted policy in Fedora 7.
I saw there was a context type unconfined_execmem, but that doesn't seem
to permit execution.
Is there some context I can use or perhaps I need to relabel a library and
not the executable?
16 years, 10 months
ftpd and PAM
by Paul Howarth
The PAM config files for vsftpd and prpftpd look like this:
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny
file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
So it makes sense for ftpd_t to be able to set the login uid and create
a session keyring:
logging_set_loginuid(ftpd_t)
allow ftpd_t self:key { write search link };
Curiously, I've done this locally but still get this AVC when logging in
on proftpd, with an open dovecot IMAP session on the same server:
type=AVC msg=audit(1182853960.377:103383): avc: denied { link } for
pid=24601 comm="proftpd" scontext=root:system_r:ftpd_t:s0
tcontext=root:system_r:dovecot_t:s0 tclass=key
Paul.
16 years, 10 months
Turboprint and FC7
by piotreek
Hi guys im using turboprint drivers for my IP 1000 Canon. When i try to
print from Open Office i get this below:
sealert -l 26616fa9-ba9f-44fb-9cf2-d1940f15217f
Summary
SELinux is preventing /lib/ld-2.6.so (cupsd_t) "execmem" to <Nieznane>
(cupsd_t).
Detailed Description
SELinux denied access requested by /lib/ld-2.6.so. It is not
expected that
this access is required by /lib/ld-2.6.so and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Objects None [ process ]
Affected RPM Packages glibc-2.6-3 [application]
Policy RPM selinux-policy-2.6.4-13.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.catchall
Host Name c79-70.icpnet.pl
Platform Linux *.icpnet.pl 2.6.21-1.3194.fc7 #1 SMP
Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count 1
First Seen Sun Jun 10 19:48:42 2007
Last Seen Sun Jun 10 19:48:42 2007
Local ID 26616fa9-ba9f-44fb-9cf2-d1940f15217f
Line Numbers
Raw Audit Messages
avc: denied { execmem } for comm="ld-linux.so.2" egid=7 euid=4
exe="/lib/ld-2.6.so" exit=0 fsgid=7 fsuid=4 gid=7 items=0 pid=3240
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=process
tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tty=(none) uid=4
On Fc 6 turboprint was working fine.
16 years, 10 months
dovecot_auth_t wants capability audit_write and netlink_audit_socket create
by John Lindgren
Hi,
New to this list, not totally new to selinux.
Running F7 with everything current (06/04/2007), policy is
selinux-policy-targeted-2.6.4-8.fc7.
cat /var/log/audit/audit.log:
type=AVC msg=audit(1181003986.020:18662): avc: denied { audit_write }
for pid=13774 comm="dovecot-auth" capability=29
scontext=root:system_r:dovecot_auth_t:s0
tcontext=root:system_r:dovecot_auth_t:s0 tclass=capability
type=AVC msg=audit(1181003859.499:18627): avc: denied { create } for
pid=1352 0 comm="dovecot-auth" scontext=root:system_r:dovecot_auth_t:s0
tcontext=root:sys tem_r:dovecot_auth_t:s0 tclass=netlink_audit_socket
cat /var/log/audit/audit.log | audit2allow -M local:
cat local.te:
module local 1.0;
require {
type dovecot_auth_t;
class capability audit_write;
class netlink_audit_socket { write nlmsg_relay create read };
}
#============= dovecot_auth_t ==============
allow dovecot_auth_t self:capability audit_write;
allow dovecot_auth_t self:netlink_audit_socket { write nlmsg_relay
create read };
semodule -i local.pp:
libsepol.check_assertion_helper: assertion on line 0 violated by allow
dovecot_auth_t dovecot_auth_t:netlink_audit_socket { nlmsg_relay };
libsepol.check_assertion_helper: assertion on line 0 violated by allow
dovecot_auth_t dovecot_auth_t:capability { audit_write };
libsepol.check_assertions: 2 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Should I add something magical (what, I'm not sure) to the .te to allow
this anyway? Or is there something missing from the distribution
targeted policy? Or edit the base policy and recompile the whole thing?
Or...
Anyone else having this problem?
John
16 years, 10 months
RPM with seperate selinux package
by Jan-Frode Myklebust
I've been building syslog-ng RPMs, with the needed selinux module
as a separate sub-package following the instructions at:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
but there's a problem with the logics of having the selinux package
"Requires: main package", as then the main package will get installed
and started before there is a working policy installed.
So, is there any way of re-ordering this, without having the main
package depend on the selinux package? i.e. I want to allow someone
to install only the syslog-ng-2.0.4-12.i386.rpm if they don't want
the selinux module, but I want the selinux module to be installed
first if both are installed in the same operation.
My current srpm --> http://tanso.net/yum/packages/syslog-ng-2.0.4-12.src.rpm
-jf
16 years, 10 months
Vanilla F7 install + Xen: selinux problems on guest creation.
by Mike Carney
Greetings,
Just installed F7 from DVD, and installed Xen/Xen kernel. Then ran yum to
pick up the latest updates. When attempting to create a F7 guest using
virt-install, I see the following errors in the audit.log, and the creation
fails:
type=AVC msg=audit(1181917818.119:37): avc: denied { write } for pid=3032
comm="block" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5
success=no exit=-13 a0=9aba538 a1=8441 a2=1b6 a3=8441 items=0 ppid=3029
pid=3032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="block" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917818.139:38): avc: denied { write } for pid=3041
comm="vif-bridge" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.139:38): arch=40000003 syscall=5
success=no exit=-13 a0=9947ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3035
pid=3041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.741:55): avc: denied { write } for pid=3269
comm="vif-bridge" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.741:55): arch=40000003 syscall=5
success=no exit=-13 a0=84f7ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3266
pid=3269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.853:56): avc: denied { write } for pid=3290
comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.853:56): arch=40000003 syscall=5
success=no exit=-13 a0=850db58 a1=8441 a2=1b6 a3=8441 items=0 ppid=3275
pid=3290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.893:57): avc: denied { write } for pid=3289
comm="block" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.893:57): arch=40000003 syscall=5
success=no exit=-13 a0=9b4d548 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268
pid=3289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="block" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.941:58): avc: denied { write } for pid=3300
comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.941:58): arch=40000003 syscall=5
success=no exit=-13 a0=930fb68 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268
pid=3300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
audit2allow recommends the following policy rule:
audit2allow < audit.log
#============= udev_t ==============
allow udev_t xend_var_log_t:dir write;
Has this fix already been made, or do I need to load this change into the
policy db myself?
Thanks!
16 years, 10 months
crond_t avc messages with selinux-policy-targeted-2.6.4-17.fc7
by Will Woods
This is happening once per minute - every time cron runs. urgh. Using
vixie-cron-4.1-82.fc7.
avc: denied { audit_control } for comm="crond" egid=0 euid=0
exe="/usr/sbin/crond" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=4230
scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 suid=0 tclass=capability
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tty=(none) uid=0
-w
16 years, 10 months