selinux June 2007

selinux@lists.fedoraproject.org

50 participants
63 discussions

mknod still not working after suggested fix
by Antonio Olivares 05 Jun '07

05 Jun '07

selinux is still not allowing mknod to do its job. I have to manually create the device node every boot [root@localhost ~]# mknod -m 600 /dev/slamr0 c 242 0 [1]+ Done gedit /boot/grub/grub.conf [root@localhost ~]# modprobe ungrab-winmodem [root@localhost ~]# modprobe slamr [root@localhost ~]# slmodemd -c USA /dev/slamr0 & [1] 2709 [root@localhost ~]# SmartLink Soft Modem: version 2.9.11 Jun 4 2007 00:14:21 symbolic link `/dev/ttySL0' -> `/dev/pts/1' created. modem `slamr0' created. TTY is `/dev/pts/1' Use `/dev/ttySL0' as modem device, Ctrl+C for termination. audit(1181023411.825:4): avc: denied { mknod } for pid=673 comm="mknod" capability=27 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability [root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i myinsmod.pp [root@localhost ~]# semodule -i myinsmod.pp What should I try now? Regards, Antonio ____________________________________________________________________________________ Get the Yahoo! toolbar and be alerted to new email wherever you're surfing. http://new.toolbar.yahoo.com/toolbar/features/mail/index.php

2 1

Re: mknod denials, avcs from dmesg please help
by Antonio Olivares 05 Jun '07

05 Jun '07

----- Original Message ---- From: Daniel J Walsh <dwalsh(a)redhat.com> To: Antonio Olivares <olivares14031(a)yahoo.com> Cc: fedora-selinux-list(a)redhat.com Sent: Monday, June 4, 2007 3:52:18 PM Subject: Re: mknod denials, avcs from dmesg please help Antonio Olivares wrote: > ----- Original Message ---- > From: Daniel J Walsh <dwalsh(a)redhat.com> > To: Antonio Olivares <olivares14031(a)yahoo.com> > Cc: fedora-selinux-list(a)redhat.com > Sent: Monday, June 4, 2007 1:55:57 PM > Subject: Re: mknod denials, avcs from dmesg please help > > Ok the avc > > audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir > > Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root. > > What node is insmod trying to create in /dev? Do you have any idea what is going on here? > > This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7 > > Also > > > Thank you for responding. Indeed it is the mknod entry that is causing trouble. I use smartlink modem and thus I have added to /etc/modprobe.conf > > alias char-major-243 slusb > alias char-major-242 slamr > install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0) > > so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 everytime I start up the computer. This is for automation. As a result of this denied avc, automation of loading slamr module fails. > > This is the only one now causing trouble > > audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir > > How should I tackle this one, without disabling selinux, or setting it to permissive? > > Thanks, > > Antonio > > > # grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod # semodule -i myinsmod.pp will customize your policy to allow mknod to work. > > > > ____________________________________________________________________________________ > Be a PS3 game guru. > Get your game face on with the latest PS3 news and previews at Yahoo! Games. > http://videogames.yahoo.com/platform?platform=120121 > Thanks for the help, but [root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod compilation failed: sh: /usr/bin/checkmodule: No such file or directory [root@localhost ~]# semodule -i myinsmod.pp semodule: Could not read file 'myinsmod.pp': [root@localhost ~]# which packages should I have to install in order for this to work? Regards, Antonio ____________________________________________________________________________________ The fish are biting. Get more visitors on your site using Yahoo! Search Marketing. http://searchmarketing.yahoo.com/arp/sponsoredsearch_v2.php

2 1

Re: [redhat-lspp] Some enhancements for pam_namespace
by Tomas Mraz 05 Jun '07

05 Jun '07

On Mon, 2007-06-04 at 12:10 -0500, Klaus Weidner wrote: > On Fri, Jun 01, 2007 at 09:47:17AM +0200, Tomas Mraz wrote: > > I've implemented some enhancements for pam_namespace which can be used > > for temporary logons. These enhancements were proposed by Dan Walsh. > > Please review if you're interested. > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226 > > https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825 > > I like the functionality, but I'm starting to think that pam_namespace > may get too complex if too many special cases get added. Rather than > implementing a complex ad-hoc language for the namespace conf file, would > it make sense to provide the option of calling an external script, giving > it username and context etc. as arguments, and using its output as a list > of namespace configurations? > > That way, you could keep policy decisions in the script. That would help just with the ~xguest part of the enhancements but this change is really simple and doesn't affect much of the code. However the temp dir part must be handled in the module directly. The only change could be instead of calling 'rm -rf' directly to call something like namespace.remove script. But as the only logical thing is to remove the temporary directory anyway I don't think it is worth the hassle. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb

1 0

mknod issue, checkpolicy wa missing now loaded.
by Antonio Olivares 04 Jun '07

04 Jun '07

Daniel, checkpolicy was the one that was missing. Sorry for not figuring it out. And thanks for helping me out with selinux. [olivares@localhost ~]$ rpm -qa checkpolicy [olivares@localhost ~]$ rpm -qa selinux* selinux-policy-targeted-2.6.4-8.fc7 selinux-policy-2.6.4-8.fc7 [root@localhost ~]# yum install checkpolicy Loading "installonlyn" plugin Setting up Install Process Parsing package install arguments fedora 100% |=========================| 2.1 kB 00:00 primary.sqlite.bz2 100% |=========================| 3.8 MB 15:16 updates 100% |=========================| 1.9 kB 00:00 primary.sqlite.bz2 100% |=========================| 95 kB 00:20 Resolving Dependencies --> Running transaction check ---> Package checkpolicy.i386 0:2.0.2-1.fc7 set to be updated Dependencies Resolved ============================================================================= Package Arch Version Repository Size ============================================================================= Installing: checkpolicy i386 2.0.2-1.fc7 fedora 256 k Transaction Summary ============================================================================= Install 1 Package(s) Update 0 Package(s) Remove 0 Package(s) Total download size: 256 k Is this ok [y/N]: y Downloading Packages: (1/1): checkpolicy-2.0.2- 100% |=========================| 256 kB 00:50 warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2 Importing GPG key 0x4F2A6FD2 "Fedora Project <fedora(a)redhat.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora Is this ok [y/N]: y Importing GPG key 0xDB42A60E "Red Hat, Inc <security(a)redhat.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY Is this ok [y/N]: y Running Transaction Test Finished Transaction Test Transaction Test Succeeded Running Transaction Installing: checkpolicy ######################### [1/1] Installed: checkpolicy.i386 0:2.0.2-1.fc7 Complete! [root@localhost ~]# [root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i myinsmod.pp [root@localhost ~]# semodule -i myinsmod.pp Regards, Antonio ____________________________________________________________________________________ Sucker-punch spam with award-winning protection. Try the free Yahoo! Mail Beta. http://advision.webevents.yahoo.com/mailbeta/features_spam.html

1 0

Re: mknod denials, avcs from dmesg please help
by Antonio Olivares 04 Jun '07

04 Jun '07

----- Original Message ---- From: Daniel J Walsh <dwalsh(a)redhat.com> To: Antonio Olivares <olivares14031(a)yahoo.com> Cc: fedora-selinux-list(a)redhat.com Sent: Monday, June 4, 2007 1:55:57 PM Subject: Re: mknod denials, avcs from dmesg please help Ok the avc audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root. What node is insmod trying to create in /dev? Do you have any idea what is going on here? This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7 Also Thank you for responding. Indeed it is the mknod entry that is causing trouble. I use smartlink modem and thus I have added to /etc/modprobe.conf alias char-major-243 slusb alias char-major-242 slamr install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0) so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 everytime I start up the computer. This is for automation. As a result of this denied avc, automation of loading slamr module fails. This is the only one now causing trouble audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir How should I tackle this one, without disabling selinux, or setting it to permissive? Thanks, Antonio ____________________________________________________________________________________ Be a PS3 game guru. Get your game face on with the latest PS3 news and previews at Yahoo! Games. http://videogames.yahoo.com/platform?platform=120121

2 1

mknod denials, avcs from dmesg please help
by Antonio Olivares 04 Jun '07

04 Jun '07

Dear Selinux experts, I have successfully loaded Fedora 7 on a machine that refused to boot it with a kernel panic. I am on track with it but selinux is getting in my way. I have done [root@localhost ~]# restorecon -v / [root@localhost ~]# touch /.autorelabel; reboot three times and still these avcs refuse to go away. Summary SELinux is preventing access to files with the default label, default_t. Detailed Description SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label. Allowing Access If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot" Additional Information Source Context system_u:system_r:consolekit_t Target Context system_u:object_r:default_t Target Objects root [ dir ] Affected RPM Packages ConsoleKit-x11-0.2.1-2.fc7 [application]filesystem-2.4.6-1.fc7 [target] Policy RPM selinux-policy-2.6.4-8.fc7 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.default Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon Alert Count 1 First Seen Sun 03 Jun 2007 11:10:16 PM CDT Last Seen Sun 03 Jun 2007 11:10:16 PM CDT Local ID 2ea0300c-de6c-4cb1-a4a7-edbca6d8fcf1 Line Numbers Raw Audit Messages avc: denied { search } for comm="ck-get-x11-serv" dev=dm-0 egid=0 euid=0 exe="/usr/libexec/ck-get-x11-server-pid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="root" pid=2512 scontext=system_u:system_r:consolekit_t:s0 sgid=0 subj=system_u:system_r:consolekit_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0 Summary SELinux is preventing /bin/mknod (insmod_t) "write" to / (device_t). Detailed Description SELinux denied access requested by /bin/mknod. It is not expected that this access is required by /bin/mknod and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /, restorecon -v / If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:insmod_t Target Context system_u:object_r:device_t Target Objects / [ dir ] Affected RPM Packages coreutils-6.9-2.fc7 [application]filesystem-2.4.6-1.fc7 [target] Policy RPM selinux-policy-2.6.4-8.fc7 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon Alert Count 1 First Seen Sun 03 Jun 2007 11:52:01 PM CDT Last Seen Sun 03 Jun 2007 11:52:01 PM CDT Local ID 2f4ccd0d-5eab-4194-9ce2-9b424aed8163 Line Numbers Raw Audit Messages avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2893 scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 Here are them again from dmesg. audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir and SELinux: initialized (dev sda1, type ext3), uses xattr SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs audit(1180944512.785:5): enforcing=0 old_enforcing=1 auid=4294967295 audit(1180944712.754:6): avc: denied { getattr } for pid=996 comm="setfiles" name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file audit(1180944712.754:7): avc: denied { getattr } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1180944712.754:8): avc: denied { read } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1180944712.754:9): avc: denied { search } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir audit(1180944712.754:10): avc: denied { getattr } for pid=996 comm="setfiles" name="smp_affinity" dev=proc ino=-268435372 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file audit(1180944712.754:11): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file audit(1180944712.754:12): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir audit(1180944712.754:13): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file audit(1180944712.754:14): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir audit(1180944712.754:15): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file audit(1180944712.754:16): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir audit(1180944712.754:17): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file audit(1180944712.754:18): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file audit(1180944712.754:19): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=dir audit(1180944712.754:20): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file audit(1180944712.754:21): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file audit(1180944712.754:22): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=file audit(1180944712.754:23): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=dir audit(1180944712.754:24): avc: denied { getattr } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir audit(1180944712.754:25): avc: denied { read } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir audit(1180944712.754:26): avc: denied { search } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir audit(1180944712.754:27): avc: denied { getattr } for pid=996 comm="setfiles" name="packet" dev=proc ino=-268435293 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file audit(1180944712.754:28): avc: denied { getattr } for pid=996 comm="setfiles" name="kcore" dev=proc ino=-268435434 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file audit(1180944712.754:29): avc: denied { getattr } for pid=996 comm="setfiles" name="kmsg" dev=proc ino=-268435447 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file audit(1180944712.754:30): avc: denied { getattr } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir audit(1180944712.754:31): avc: denied { read } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir audit(1180944712.754:32): avc: denied { search } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir audit(1180944712.754:33): avc: denied { getattr } for pid=996 comm="setfiles" name="10" dev=proc ino=7925 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file audit(1180944712.754:34): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=7905 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file audit(1180944712.754:35): avc: denied { getattr } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir audit(1180944712.754:36): avc: denied { read } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir audit(1180944712.754:37): avc: denied { search } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir audit(1180944712.754:38): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=7962 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file audit(1180944712.754:39): avc: denied { getattr } for pid=996 comm="setfiles" name="cwd" dev=proc ino=7970 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file audit(1180944716.754:40): avc: denied { getattr } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir audit(1180944716.754:41): avc: denied { read } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir audit(1180944716.754:42): avc: denied { search } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir audit(1180944716.754:43): avc: denied { getattr } for pid=996 comm="setfiles" name="0" dev=proc ino=9478 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file audit(1180944716.754:44): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=9458 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file audit(1180944716.754:45): avc: denied { getattr } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir audit(1180944716.754:46): avc: denied { read } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir audit(1180944716.754:47): avc: denied { search } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir audit(1180944716.754:48): avc: denied { getattr } for pid=996 comm="setfiles" name="0" dev=proc ino=9597 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lnk_file audit(1180944716.754:49): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=9577 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file audit(1180944820.238:50): avc: denied { create } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket audit(1180944820.238:51): avc: denied { write } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket audit(1180944820.238:52): avc: denied { nlmsg_relay } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket audit(1180944820.238:53): avc: denied { audit_write } for pid=995 comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability audit(1180944820.238:54): avc: denied { read } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket audit(1180944820.238:55): enforcing=1 old_enforcing=0 auid=4294967295 Suggestions/advice as to how to fix this are greatly appreciated. [olivares@localhost ~]$ uname -a Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon i386 GNU/Linux [olivares@localhost ~]$ cat /etc/fedora-release Fedora release 7 (Moonshine) [olivares@localhost ~]$ Regards, Antonio ____________________________________________________________________________________ We won't tell. Get more on shows you hate to love (and love to hate): Yahoo! TV's Guilty Pleasures list. http://tv.yahoo.com/collections/265

2 1

Samba log files have wrong context?
by Bob Kashani 04 Jun '07

04 Jun '07

SELinux keeps complaining that the file contexts for log files in /var/log/samba are wrong. All of the files are labeled samba_log_t but it seems to want samba_share_t, is this correct? This is what selinux troubleshooter reports: Summary SELinux is preventing samba (/usr/sbin/smbd) "append" to log.chaucer (samba_log_t). Detailed Description SELinux denied samba access to log.chaucer. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use log.chaucer as a samba repository it could indicate either a bug or it could signal a intrusion attempt. Allowing Access You can alter the file context by executing chcon -R -t samba_share_t log.chaucer The following command will allow this access: chcon -R -t samba_share_t log.chaucer Additional Information Source Context system_u:system_r:smbd_t Target Context system_u:object_r:samba_log_t Target Objects log.chaucer [ file ] Affected RPM Packages samba-3.0.25-2.fc7 [application] Policy RPM selinux-policy-2.6.4-8.fc7 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.samba_share Host Name chaucer Platform Linux chaucer 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon Alert Count 3 First Seen Sun 03 Jun 2007 04:50:41 PM PDT Last Seen Sun 03 Jun 2007 04:50:41 PM PDT Local ID ef44bd9c-87aa-4898-9c3d-bb0a3def2ade Line Numbers Raw Audit Messages avc: denied { append } for comm="smbd" dev=sda2 egid=0 euid=0 exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="log.chaucer" pid=2945 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0

2 1

Udev AVC spawning a script
by Aurelien Bompard 04 Jun '07

04 Jun '07

Hi, I comaintain synce (a framework to connect to PocketPC devices) in Fedora, and since Fedora 7 it does not autoconnect the device when plugged in. Autoconnection is done by an Udev rule : # cat /etc/udev/rules.d/60-synce.rules ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="0bb4", SYSFS{idProduct}=="0a06", SYMLINK+="ipaq", RUN+="/usr/bin/synce-serial-start" synce-serial-start is a shell script that sources a file: /usr/share/synce/synce-serial-common On F7, I get AVC messages for getattr and read permissions from synce-serial-start to this file: type=AVC msg=audit(1180872169.345:3815): avc: denied { getattr } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file type=AVC_PATH msg=audit(1180872169.345:3815): path="/usr/share/synce/synce-serial-common" type=AVC msg=audit(1180872169.345:3816): avc: denied { read } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file How should I label /usr/share/synce/synce-serial-common to allow access from udev_t ? And in general, how can I view which labels are allowed (and in which way) for a given type ? Thanks ! Aurélien -- http://aurelien.bompard.org ~~~~ Jabber : abompard(a)jabber.fr echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlbxq' | dc

2 1

AVC from dhclient on boot....
by Tom London 04 Jun '07

04 Jun '07

Seeing this for the last few days on Rawhide: Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX/TX Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: 10/100 speed: disabling TSO Jun 2 12:24:36 localhost kernel: audit(1180812265.018:8): avc: denied { getattr } for pid=2101 comm="dhclient-script" name="setfiles" dev=dm-0 ino=11337869 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file Not sure where this comes from. There is a call to 'cp -fp', could that be it? tom -- Tom London

2 2

Fedora 7 nvidia issues
by Bob Kashani 03 Jun '07

03 Jun '07

Hi, folks. I'm having a few issues with nvidia on a fresh install of F7. During startup I see messages that state that nvidia can't create: /dev/nvidia0 /dev/nvidia1 /dev/nvidia2 /dev/nvidia3 /dev/nvidiactl kmod-nvidia-96xx-1.0.9631-12.2.6.21_1.3194.fc7 xorg-x11-drv-nvidia-96xx-1.0.9631-11.lvn7 Here are the relevant avcs while running in permissive mode: Jun 1 12:48:17 chaucer kernel: audit(1180702076.657:2): policy loaded auid=4294967295 Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:3): avc: denied { getattr } for pid=410 comm="cp" name="nvidia0" dev =sda2 ino=1944970 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:4): avc: denied { create } for pid=410 comm="cp" name="nvidia0" scon text=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:5): avc: denied { setattr } for pid=410 comm="cp" name="nvidia0" dev =tmpfs ino=1644 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file Thanks, Bob

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2007