mknod still not working after suggested fix
by Antonio Olivares
selinux is still not allowing mknod to do its job.
I have to manually create the device node every boot
[root@localhost ~]# mknod -m 600 /dev/slamr0 c 242 0
[1]+ Done gedit /boot/grub/grub.conf
[root@localhost ~]# modprobe ungrab-winmodem
[root@localhost ~]# modprobe slamr
[root@localhost ~]# slmodemd -c USA /dev/slamr0 &
[1] 2709
[root@localhost ~]# SmartLink Soft Modem: version 2.9.11 Jun 4 2007 00:14:21
symbolic link `/dev/ttySL0' -> `/dev/pts/1' created.
modem `slamr0' created. TTY is `/dev/pts/1'
Use `/dev/ttySL0' as modem device, Ctrl+C for termination.
audit(1181023411.825:4): avc: denied { mknod } for pid=673 comm="mknod" capability=27 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability
[root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i myinsmod.pp
[root@localhost ~]# semodule -i myinsmod.pp
What should I try now?
Regards,
Antonio
Re: mknod denials, avcs from dmesg please help
by Antonio Olivares
----- Original Message ----
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: Antonio Olivares <olivares14031(a)yahoo.com>
Cc: fedora-selinux-list(a)redhat.com
Sent: Monday, June 4, 2007 3:52:18 PM
Subject: Re: mknod denials, avcs from dmesg please help
Antonio Olivares wrote:
> ----- Original Message ----
> From: Daniel J Walsh <dwalsh(a)redhat.com>
> To: Antonio Olivares <olivares14031(a)yahoo.com>
> Cc: fedora-selinux-list(a)redhat.com
> Sent: Monday, June 4, 2007 1:55:57 PM
> Subject: Re: mknod denials, avcs from dmesg please help
>
> Ok the avc
>
> audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root.
>
> What node is insmod trying to create in /dev? Do you have any idea what is going on here?
>
> This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7
>
> Also
>
>
> Thank you for responding. Indeed it is the mknod entry that is causing trouble. I use smartlink modem and thus I have added to /etc/modprobe.conf
>
> alias char-major-243 slusb
> alias char-major-242 slamr
> install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
>
> so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 every time I start up the computer. This is for automation. As a result of this denied avc, automation of loading slamr module fails.
>
> This is the only one now causing trouble
>
> audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
>
> How should I tackle this one, without disabling selinux, or setting it to permissive?
>
> Thanks,
>
> Antonio
>
>
>
# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
# semodule -i myinsmod.pp
will customize your policy to allow mknod to work.
>
>
>
Thanks for the help, but
[root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory
[root@localhost ~]# semodule -i myinsmod.pp
semodule: Could not read file 'myinsmod.pp':
[root@localhost ~]#
which packages should I have to install in order for this to work?
Regards,
Antonio
Re: [redhat-lspp] Some enhancements for pam_namespace
by Tomas Mraz
On Mon, 2007-06-04 at 12:10 -0500, Klaus Weidner wrote:
> On Fri, Jun 01, 2007 at 09:47:17AM +0200, Tomas Mraz wrote:
> > I've implemented some enhancements for pam_namespace which can be used
> > for temporary logons. These enhancements were proposed by Dan Walsh.
> > Please review if you're interested.
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=241226
> > https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=155825
>
> I like the functionality, but I'm starting to think that pam_namespace
> may get too complex if too many special cases get added. Rather than
> implementing a complex ad-hoc language for the namespace conf file, would
> it make sense to provide the option of calling an external script, giving
> it username and context etc. as arguments, and using its output as a list
> of namespace configurations?
>
> That way, you could keep policy decisions in the script.
That would help just with the ~xguest part of the enhancements but this
change is really simple and doesn't affect much of the code.
However the temp dir part must be handled in the module directly. The
only change could be instead of calling 'rm -rf' directly to call
something like namespace.remove script. But as the only logical thing is
to remove the temporary directory anyway I don't think it is worth the
hassle.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
mknod issue, checkpolicy was missing, now loaded.
by Antonio Olivares
Daniel,
checkpolicy was the one that was missing. Sorry for not figuring it out. And thanks for helping me out with selinux.
[olivares@localhost ~]$ rpm -qa checkpolicy
[olivares@localhost ~]$ rpm -qa selinux*
selinux-policy-targeted-2.6.4-8.fc7
selinux-policy-2.6.4-8.fc7
[root@localhost ~]# yum install checkpolicy
Loading "installonlyn" plugin
Setting up Install Process
Parsing package install arguments
fedora 100% |=========================| 2.1 kB 00:00
primary.sqlite.bz2 100% |=========================| 3.8 MB 15:16
updates 100% |=========================| 1.9 kB 00:00
primary.sqlite.bz2 100% |=========================| 95 kB 00:20
Resolving Dependencies
--> Running transaction check
---> Package checkpolicy.i386 0:2.0.2-1.fc7 set to be updated
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
checkpolicy i386 2.0.2-1.fc7 fedora 256 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 256 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): checkpolicy-2.0.2- 100% |=========================| 256 kB 00:50
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 4f2a6fd2
Importing GPG key 0x4F2A6FD2 "Fedora Project <fedora(a)redhat.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
Is this ok [y/N]: y
Importing GPG key 0xDB42A60E "Red Hat, Inc <security(a)redhat.com>" from /etc/pki/rpm-gpg/RPM-GPG-KEY
Is this ok [y/N]: y
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: checkpolicy ######################### [1/1]
Installed: checkpolicy.i386 0:2.0.2-1.fc7
Complete!
[root@localhost ~]#
[root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i myinsmod.pp
[root@localhost ~]# semodule -i myinsmod.pp
Regards,
Antonio
Re: mknod denials, avcs from dmesg please help
by Antonio Olivares
----- Original Message ----
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: Antonio Olivares <olivares14031(a)yahoo.com>
Cc: fedora-selinux-list(a)redhat.com
Sent: Monday, June 4, 2007 1:55:57 PM
Subject: Re: mknod denials, avcs from dmesg please help
Ok the avc
audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
Looks like the interesting one. The rest were caused by you doing a restorecon -R -v /, or the original mislabeling of /root.
What node is insmod trying to create in /dev? Do you have any idea what is going on here?
This is very strange that you would get this avc since insmod_t is supposed to be unconfined in FC-7
Also
Thank you for responding. Indeed it is the mknod entry that is causing trouble. I use smartlink modem and thus I have added to /etc/modprobe.conf
alias char-major-243 slusb
alias char-major-242 slamr
install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
so that I do not have to type as root user (su -) modprobe ungrab-winmodem, modprobe slamr, slmodemd -c USA /dev/slamr0 every time I start up the computer. This is for automation. As a result of this denied avc, automation of loading slamr module fails.
This is the only one now causing trouble
audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
How should I tackle this one, without disabling selinux, or setting it to permissive?
Thanks,
Antonio
mknod denials, avcs from dmesg please help
by Antonio Olivares
Dear Selinux experts,
I have successfully loaded Fedora 7 on a machine that refused to boot it with a kernel panic. I am on track with it but selinux is getting in my way.
I have done
[root@localhost ~]# restorecon -v /
[root@localhost ~]# touch /.autorelabel; reboot
three times and still these avcs refuse to go away.
Summary
SELinux is preventing access to files with the default label, default_t.
Detailed Description
SELinux permission checks on files labeled default_t are being denied.
These files/directories have the default label on them. This can indicate a
labeling problem, especially if the files being referred to are not top
level directories. Any files/directories under standard system directories,
/usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
The default label is for files/directories which do not have a label on a
parent directory. So if you create a new directory in / you might
legitimately get this label.
Allowing Access
If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information
Source Context system_u:system_r:consolekit_t
Target Context system_u:object_r:default_t
Target Objects root [ dir ]
Affected RPM Packages ConsoleKit-x11-0.2.1-2.fc7
[application]filesystem-2.4.6-1.fc7 [target]
Policy RPM selinux-policy-2.6.4-8.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.default
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count 1
First Seen Sun 03 Jun 2007 11:10:16 PM CDT
Last Seen Sun 03 Jun 2007 11:10:16 PM CDT
Local ID 2ea0300c-de6c-4cb1-a4a7-edbca6d8fcf1
Line Numbers
Raw Audit Messages
avc: denied { search } for comm="ck-get-x11-serv" dev=dm-0 egid=0 euid=0
exe="/usr/libexec/ck-get-x11-server-pid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="root" pid=2512 scontext=system_u:system_r:consolekit_t:s0 sgid=0
subj=system_u:system_r:consolekit_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0
Summary
SELinux is preventing /bin/mknod (insmod_t) "write" to / (device_t).
Detailed Description
SELinux denied access requested by /bin/mknod. It is not expected that this
access is required by /bin/mknod and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /, restorecon -v / If this does
not work, there is currently no automatic way to allow this access. Instead,
you can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:insmod_t
Target Context system_u:object_r:device_t
Target Objects / [ dir ]
Affected RPM Packages coreutils-6.9-2.fc7
[application]filesystem-2.4.6-1.fc7 [target]
Policy RPM selinux-policy-2.6.4-8.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count 1
First Seen Sun 03 Jun 2007 11:52:01 PM CDT
Last Seen Sun 03 Jun 2007 11:52:01 PM CDT
Local ID 2f4ccd0d-5eab-4194-9ce2-9b424aed8163
Line Numbers
Raw Audit Messages
avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2893
scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
Here they are again from dmesg.
audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
and
SELinux: initialized (dev sda1, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
audit(1180944512.785:5): enforcing=0 old_enforcing=1 auid=4294967295
audit(1180944712.754:6): avc: denied { getattr } for pid=996 comm="setfiles" name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1180944712.754:7): avc: denied { getattr } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:8): avc: denied { read } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:9): avc: denied { search } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180944712.754:10): avc: denied { getattr } for pid=996 comm="setfiles" name="smp_affinity" dev=proc ino=-268435372 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=file
audit(1180944712.754:11): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
audit(1180944712.754:12): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
audit(1180944712.754:13): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
audit(1180944712.754:14): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
audit(1180944712.754:15): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1180944712.754:16): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
audit(1180944712.754:17): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
audit(1180944712.754:18): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=file
audit(1180944712.754:19): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_net_unix_t:s0 tclass=dir
audit(1180944712.754:20): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
audit(1180944712.754:21): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=file
audit(1180944712.754:22): avc: denied { read } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=file
audit(1180944712.754:23): avc: denied { search } for pid=996 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=dir
audit(1180944712.754:24): avc: denied { getattr } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:25): avc: denied { read } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:26): avc: denied { search } for pid=996 comm="setfiles" name="net" dev=proc ino=-268435431 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
audit(1180944712.754:27): avc: denied { getattr } for pid=996 comm="setfiles" name="packet" dev=proc ino=-268435293 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
audit(1180944712.754:28): avc: denied { getattr } for pid=996 comm="setfiles" name="kcore" dev=proc ino=-268435434 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kcore_t:s0 tclass=file
audit(1180944712.754:29): avc: denied { getattr } for pid=996 comm="setfiles" name="kmsg" dev=proc ino=-268435447 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_kmsg_t:s0 tclass=file
audit(1180944712.754:30): avc: denied { getattr } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:31): avc: denied { read } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:32): avc: denied { search } for pid=996 comm="setfiles" name="1" dev=proc ino=1288 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
audit(1180944712.754:33): avc: denied { getattr } for pid=996 comm="setfiles" name="10" dev=proc ino=7925 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
audit(1180944712.754:34): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=7905 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
audit(1180944712.754:35): avc: denied { getattr } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:36): avc: denied { read } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:37): avc: denied { search } for pid=996 comm="setfiles" name="2" dev=proc ino=1289 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
audit(1180944712.754:38): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=7962 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=file
audit(1180944712.754:39): avc: denied { getattr } for pid=996 comm="setfiles" name="cwd" dev=proc ino=7970 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lnk_file
audit(1180944716.754:40): avc: denied { getattr } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:41): avc: denied { read } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:42): avc: denied { search } for pid=996 comm="setfiles" name="292" dev=proc ino=1195 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
audit(1180944716.754:43): avc: denied { getattr } for pid=996 comm="setfiles" name="0" dev=proc ino=9478 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=lnk_file
audit(1180944716.754:44): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=9458 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=file
audit(1180944716.754:45): avc: denied { getattr } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:46): avc: denied { read } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:47): avc: denied { search } for pid=996 comm="setfiles" name="360" dev=proc ino=1549 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
audit(1180944716.754:48): avc: denied { getattr } for pid=996 comm="setfiles" name="0" dev=proc ino=9597 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=lnk_file
audit(1180944716.754:49): avc: denied { getattr } for pid=996 comm="setfiles" name="environ" dev=proc ino=9577 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
audit(1180944820.238:50): avc: denied { create } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:51): avc: denied { write } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:52): avc: denied { nlmsg_relay } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:53): avc: denied { audit_write } for pid=995 comm="setfiles" capability=29 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=capability
audit(1180944820.238:54): avc: denied { read } for pid=995 comm="setfiles" scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=netlink_audit_socket
audit(1180944820.238:55): enforcing=1 old_enforcing=0 auid=4294967295
Suggestions/advice as to how to fix this are greatly appreciated.
[olivares@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon i386 GNU/Linux
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora release 7 (Moonshine)
[olivares@localhost ~]$
Regards,
Antonio
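Dan Walsh's reply elsewhere in this thread singles out the insmod_t write to device_t as the interesting denial and treats the setfiles_t ones as fallout from the relabel. The following POSIX shell helper is an added example, not code from the thread: it summarises dmesg-format AVC lines by source type, permission, target type and object class, and can drop one source domain so relabel noise does not bury the denial that matters. The sample lines are copied from messages in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC denials in the dmesg
# format quoted above, keyed on source type / permission / target type /
# object class, optionally dropping one source domain.

# Constructed sample: five denial lines copied from this thread.
SAMPLE_AVCS='audit(1180944508.786:4): avc: denied { write } for pid=655 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
audit(1180944712.754:6): avc: denied { getattr } for pid=996 comm="setfiles" name="mdstat" dev=proc ino=-268435296 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file
audit(1180944712.754:8): avc: denied { read } for pid=996 comm="setfiles" name="irq" dev=proc ino=-268435418 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1180952201.602:4): avc: denied { write } for pid=675 comm="mknod" name="/" dev=tmpfs ino=752 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
audit(1181023411.825:4): avc: denied { mknod } for pid=673 comm="mknod" capability=27 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=capability'

# avc_summary [SOURCE_TYPE_TO_SKIP] < log
# Prints "<count> <source type> <permission> <target type> <tclass>", one
# line per distinct combination, sorted.  Denials whose source type equals
# the optional argument are left out (e.g. setfiles_t during a relabel).
avc_summary() {
    awk -v skip="${1:-}" '
    # user:role:type[:range] -> type
    function type_of(ctx,    parts) { split(ctx, parts, ":"); return parts[3] }
    /avc: +denied/ {
        perm = src = tgt = cls = ""
        # the permission name sits between "{" and "}"
        if (match($0, /[{] *[a-z_]+ *[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/ /, "", perm)
        }
        # walk the key=value tokens we care about
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            if (k == "scontext") src = type_of(v)
            else if (k == "tcontext") tgt = type_of(v)
            else if (k == "tclass") cls = v
        }
        if (skip != "" && src == skip) next
        count[src " " perm " " tgt " " cls]++
    }
    END { for (key in count) print count[key], key }
    ' | LC_ALL=C sort
}

# Everything, then with the relabel-time setfiles_t noise removed:
printf '%s\n' "$SAMPLE_AVCS" | avc_summary
echo '---'
printf '%s\n' "$SAMPLE_AVCS" | avc_summary setfiles_t
```

Feed it `dmesg` or `/var/log/audit/audit.log` and the surviving lines are the ones worth handing to audit2allow.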
Samba log files have wrong context?
by Bob Kashani
SELinux keeps complaining that the file contexts for log files
in /var/log/samba are wrong. All of the files are labeled samba_log_t
but it seems to want samba_share_t, is this correct?
This is what selinux troubleshooter reports:
Summary
SELinux is preventing samba (/usr/sbin/smbd) "append" to log.chaucer (samba_log_t).
Detailed Description
SELinux denied samba access to log.chaucer. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use log.chaucer as a samba repository it could indicate either a bug or it could signal a intrusion attempt.
Allowing Access
You can alter the file context by executing chcon -R -t samba_share_t log.chaucer
The following command will allow this access:
chcon -R -t samba_share_t log.chaucer
Additional Information
Source Context system_u:system_r:smbd_t
Target Context system_u:object_r:samba_log_t
Target Objects log.chaucer [ file ]
Affected RPM Packages samba-3.0.25-2.fc7 [application]
Policy RPM selinux-policy-2.6.4-8.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.samba_share
Host Name chaucer
Platform Linux chaucer 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count 3
First Seen Sun 03 Jun 2007 04:50:41 PM PDT
Last Seen Sun 03 Jun 2007 04:50:41 PM PDT
Local ID ef44bd9c-87aa-4898-9c3d-bb0a3def2ade
Line Numbers
Raw Audit Messages
avc: denied { append } for comm="smbd" dev=sda2 egid=0 euid=0
exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="log.chaucer"
pid=2945 scontext=system_u:system_r:smbd_t:s0 sgid=0
subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:samba_log_t:s0 tty=(none) uid=0
Udev AVC spawning a script
by Aurelien Bompard
Hi,
I comaintain synce (a framework to connect to PocketPC devices) in Fedora,
and since Fedora 7 it does not autoconnect the device when plugged in.
Autoconnection is done by a udev rule:
# cat /etc/udev/rules.d/60-synce.rules
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="0bb4", SYSFS{idProduct}=="0a06", SYMLINK+="ipaq", RUN+="/usr/bin/synce-serial-start"
synce-serial-start is a shell script that sources a
file: /usr/share/synce/synce-serial-common
On F7, I get AVC messages for getattr and read permissions from
synce-serial-start to this file:
type=AVC msg=audit(1180872169.345:3815): avc: denied { getattr } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC_PATH msg=audit(1180872169.345:3815): path="/usr/share/synce/synce-serial-common"
type=AVC msg=audit(1180872169.345:3816): avc: denied { read } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
How should I label /usr/share/synce/synce-serial-common to allow access from
udev_t?
And in general, how can I view which labels are allowed (and in which way)
for a given type?
Thanks!
Aurélien
--
http://aurelien.bompard.org ~~~~ Jabber : abompard(a)jabber.fr
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlbxq' | dc
AVC from dhclient on boot....
by Tom London
Seeing this for the last few days on Rawhide:
Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: NIC Link is Up 100 Mbps Full Duplex, Flow Control: RX/TX
Jun 2 12:24:36 localhost kernel: e1000: eth0: e1000_watchdog: 10/100 speed: disabling TSO
Jun 2 12:24:36 localhost kernel: audit(1180812265.018:8): avc: denied { getattr } for pid=2101 comm="dhclient-script" name="setfiles" dev=dm-0 ino=11337869 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
Not sure where this comes from.
There is a call to 'cp -fp', could that be it?
tom
--
Tom London
Fedora 7 nvidia issues
by Bob Kashani
Hi, folks. I'm having a few issues with nvidia on a fresh install of F7.
During startup I see messages that state that nvidia can't create:
/dev/nvidia0
/dev/nvidia1
/dev/nvidia2
/dev/nvidia3
/dev/nvidiactl
kmod-nvidia-96xx-1.0.9631-12.2.6.21_1.3194.fc7
xorg-x11-drv-nvidia-96xx-1.0.9631-11.lvn7
Here are the relevant avcs while running in permissive mode:
Jun 1 12:48:17 chaucer kernel: audit(1180702076.657:2): policy loaded auid=4294967295
Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:3): avc: denied { getattr } for pid=410 comm="cp" name="nvidia0" dev=sda2 ino=1944970 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file
Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:4): avc: denied { create } for pid=410 comm="cp" name="nvidia0" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file
Jun 1 12:48:17 chaucer kernel: audit(1180727282.123:5): avc: denied { setattr } for pid=410 comm="cp" name="nvidia0" dev=tmpfs ino=1644 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=chr_file
Thanks,
Bob