daemons running as initrc_t
by Tom London
[root@localhost ~]# ps agxZ | grep initrc_t
system_u:system_r:initrc_t 2818 ? S 0:00 nasd -b -local
system_u:system_r:initrc_t 3174 ? Ss 0:00 NetworkManagerDispatcher --pid-file=/var/run/NetworkManager/NetworkManagerDispatcher.pid
system_u:system_r:unconfined_t 3802 pts/0 S+ 0:00 grep initrc_t
[root@localhost ~]#
So, nasd and Network run in initrc_t.
Should nasd have its own domain (e.g., nasd_exec_t -> nasd_t)?
What about NetworkManagerDispatcher (e.g., also NetworkManager_exec_t, other?)?
tom
--
Tom London
16 years, 9 months
syslog is now rsyslog.....
by Tom London
Believe some changes (e.g., /etc/rsyslog.conf, /sbin/rsyslogd,...) are in order?
[root@localhost ~]# ps agxZ | grep syslog
system_u:system_r:initrc_t 2511 ? Ssl 0:00 rsyslogd -m 0
system_u:system_r:unconfined_t 4154 pts/0 S+ 0:00 grep syslog
[root@localhost ~]#
tom
--
Tom London
16 years, 9 months
Issues after today's Rawhide update...
by Tom London
After today's update (targeted/enforcing), I get a bunch of AVCs.
audit.log file attached.
tom
[root@localhost ~]# audit2allow -i log
#============= NetworkManager_t ==============
allow NetworkManager_t device_t:sock_file write;
#============= auditd_t ==============
allow auditd_t device_t:sock_file write;
#============= avahi_t ==============
allow avahi_t device_t:sock_file write;
#============= crond_t ==============
allow crond_t device_t:sock_file write;
#============= cupsd_t ==============
allow cupsd_t unlabeled_t:file ioctl;
#============= dhcpc_t ==============
allow dhcpc_t device_t:sock_file write;
#============= entropyd_t ==============
allow entropyd_t device_t:sock_file write;
#============= fsdaemon_t ==============
allow fsdaemon_t device_t:sock_file write;
#============= gpm_t ==============
allow gpm_t device_t:sock_file write;
#============= ntpd_t ==============
allow ntpd_t device_t:sock_file write;
#============= rpcbind_t ==============
allow rpcbind_t self:capability sys_tty_config;
allow rpcbind_t self:udp_socket listen;
#============= sendmail_t ==============
allow sendmail_t device_t:sock_file write;
#============= setroubleshootd_t ==============
allow setroubleshootd_t device_t:sock_file write;
#============= sshd_t ==============
allow sshd_t device_t:sock_file write;
#============= system_chkpwd_t ==============
allow system_chkpwd_t device_t:sock_file write;
#============= system_dbusd_t ==============
allow system_dbusd_t device_t:sock_file write;
#============= xdm_t ==============
allow xdm_t device_t:sock_file write;
--
Tom London
16 years, 9 months
does selinux policy have an avc denied for "zedeyen fate" <zedeyen_fate13@hotmail.com>?
by Antonio Olivares
From: "zedeyen fate" <zedeyen_fate13(a)hotmail.com>
To: sanor(a)yahoo.com, olivares14031(a)yahoo.com, fedora-selinux-list(a)redhat.com, fhuddles(a)yahoo.com, marketsq(a)ci.sat.tx.us, suzanaeckermann(a)yahoo.com, sandyacrestx(a)yahoo.com, creeksidemom(a)yahoo.com, stevenv_us(a)yahoo.com, tazzy694me(a)yahoo.com, lisitalk(a)yahoo.com, erbowen2020(a)yahoo.com, lolitapg(a)yahoo.com, neferuaten11(a)yahoo.com, myprivateemailacct(a)yahoo.com, avilamyra888(a)yahoo.com, a_texan_abroad(a)yahoo.com, skinnykoffeekupsa(a)yahoo.com, michelle_leatherbury(a)yahoo.com, mycahzcreationz(a)yahoo.com, pagedegffg5(a)yahoo.com, peterjon93(a)yahoo.com, theazsundvltch(a)yahoo.com, burkenancyb(a)yahoo.com, tamir(a)yahoo-inc.com, eshel_tamir(a)yahoo.com, akdrlaura(a)yahoo.com, assemblytjonz42(a)yahoo.com, occasional(a)madriver.com, rarebirdfinds(a)yahoo.com, yawdraob(a)yahoo.com, tx4ks(a)yahoo.com, pincheshhh(a)yahoo.com, s1l1l1(a)yahoo.com, energyspinalcenters(a)yahoo.com, mariachi823(a)yahoo.com, metromusic(a)yahoo.com
Subject: I HAVE DECIDED TO CONTACT YOU
Date: Tue, 17 Jul 2007 17:51:28 +0000
Seriously,
Did anyone else also get this mail on fedora-selinux-list(a)redhat.com?
He apparently addressed it to the list, as it is the third address in the To: section. This person loves Yahoo, but also likes fedora-selinux-list.
Regards,
Antonio
16 years, 9 months
Containing vmware player 2.0.0 with SELINUX
by Louis Lam
Hi all,
At this point I'm still trying to use SELinux to "contain" vmware player, making it run in targeted mode.
I'm still rather new to this, but through the help of Ken I've been able to manipulate modules and get it to "affect" the vmware player, but at this point my vmware player is still "broken".
Would anyone be able to share their configuration files (.te, .fc, .if) if you've managed to get it to work with vmware player or vmware-workstation 6? Currently I'm working with Fedora 7 but intend to port it back to RHEL 5.
I've downloaded the latest reference policy from oss and examined the vmware-relevant files. From examining vmware.fc and "/etc/selinux/targeted/modules/active/file_context", it seems like the vmware.fc file could have been written for an older/different version of vmware where the vmnet devices are at /dev/vmnet.* instead of the /dev/vmnet* found in vmplayer 2/workstation 6. Which version was it written for?
I went on to modify the vmware.fc file and managed to compile and load the vmware.pp module. But currently this affected the vmware services at startup, e.g. vmnet-dhcpd. For vmware, when something fails to start, it asks me to run vmware-config.pl again when I restart it. Doing this recreates the /dev/vmnet* files over again, but they will not have the right context, defaulting to "device_t" instead of the "vmware_device_t" that I have modified. The lines in my vmware.fc look like this:
/dev/vmnet0 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1 -- gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8 -- gen_context(system_u:object_r:vmware_device_t,s0)
I was thinking that if the script created a new /dev/vmnet file it would automatically use the vmware_device_t context, but it didn't. Did I miss anything?
What do the two "--" on the line mean? Are they significant?
Sorry about the long post; any help or advice? Thanks.
Louis
16 years, 9 months
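The post above hinges on what the optional middle field of a file_contexts entry does, so here is a small file_contexts matcher written for this page (it is an added example, not code from the refpolicy or from the poster). In file_contexts syntax the field after the regex restricts the entry to one kind of inode: `--` is a regular file, `-c` a character device, `-d` a directory, `-b`, `-s`, `-l`, `-p` block device, socket, symlink and named pipe; no field means any kind. An entry written `/dev/vmnet0 --` therefore never applies to the character device /dev/vmnet0, and a relabel falls through to the generic /dev entry, which is device_t. The spec strings below are constructed: POSTED_FC repeats the three lines from the post behind an assumed generic `/dev(/.*)?` entry, and FIXED_FC is a hypothetical corrected entry, not the refpolicy's own. Two caveats the code comments repeat: the matcher models the classic "last matching entry wins" rule of setfiles/matchpathcon (recent libselinux sorts entries by specificity first, which is not modelled), and file_contexts is only consulted when something relabels (restorecon, setfiles, a package install); a node that vmware-config.pl creates at runtime on a tmpfs /dev gets its label from the creating domain's transition rules or the filesystem default, so it needs a restorecon (or a type_transition in policy) whatever the .fc says.

```python
import os
import re
import stat

# Optional third field of a file_contexts entry: it restricts the entry to
# one kind of inode, named here by its SELinux object class. No field means
# the entry applies to every kind.
FC_FILE_TYPES = {
    '--': 'file',       # regular file only
    '-d': 'dir',
    '-c': 'chr_file',   # character device
    '-b': 'blk_file',
    '-s': 'sock_file',
    '-l': 'lnk_file',
    '-p': 'fifo_file',
}

FC_LINE_RE = re.compile(
    r'^(?P<regex>\S+)\s+(?:(?P<ftype>-[-dcbslp])\s+)?(?P<ctx>\S+)\s*$')

# The entries as posted, placed after a generic /dev entry (constructed here,
# assumed to mirror the one in the compiled file_contexts). The "--" makes
# each vmnet entry apply to regular files only.
POSTED_FC = """\
/dev(/.*)?          system_u:object_r:device_t:s0
/dev/vmnet0  --     gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet1  --     gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet8  --     gen_context(system_u:object_r:vmware_device_t,s0)
"""

# Hypothetical corrected spec: one regex for the whole vmnet family, marked
# -c because /dev/vmnet* are character devices. Not the refpolicy's entry.
FIXED_FC = """\
/dev(/.*)?              system_u:object_r:device_t:s0
/dev/vmnet[0-9]+  -c    gen_context(system_u:object_r:vmware_device_t,s0)
"""


def parse_fc(text):
    """Parse .fc / file_contexts lines into (compiled regex, tclass, context)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = FC_LINE_RE.match(line)
        if m is None:
            raise ValueError(f'unparseable file_contexts line: {raw!r}')
        ctx = m.group('ctx')
        if ctx.startswith('gen_context(') and ctx.endswith(')'):
            # source form gen_context(user:role:type,mls) -> user:role:type:mls
            ctx = ':'.join(p.strip() for p in ctx[len('gen_context('):-1].split(','))
        ftype = m.group('ftype')
        entries.append((re.compile(m.group('regex')), ftype and FC_FILE_TYPES[ftype], ctx))
    return entries


def match_context(entries, path, tclass):
    """Context the spec assigns to `path`, whose inode kind is `tclass`.

    Classic setfiles/matchpathcon rule: the last matching entry wins. (Recent
    libselinux first sorts entries by how specific they are; that refinement
    is not modelled here.) Returns None when nothing matches or the winning
    entry is <<none>>.
    """
    winner = None
    for regex, ftype, ctx in entries:
        if ftype is not None and ftype != tclass:
            continue                      # e.g. a "--" entry skipped for a chr_file
        if regex.fullmatch(path):         # file_contexts regexes are anchored
            winner = ctx
    return None if winner == '<<none>>' else winner


def tclass_of(path):
    """SELinux object class of an existing inode (for use on a live system)."""
    mode = os.lstat(path).st_mode
    for code, test in (('-d', stat.S_ISDIR), ('-c', stat.S_ISCHR), ('-b', stat.S_ISBLK),
                       ('-s', stat.S_ISSOCK), ('-l', stat.S_ISLNK), ('-p', stat.S_ISFIFO)):
        if test(mode):
            return FC_FILE_TYPES[code]
    return 'file'


def check_labels(entries, observed):
    """Compare observed (path, tclass, current context) triples with the spec.

    Returns (path, current, expected) per mismatch: the condition that
    restorecon -nv reports and that rpm -V flags with 'C'.
    """
    mismatches = []
    for path, tclass, current in observed:
        expected = match_context(entries, path, tclass)
        if expected is not None and expected != current:
            mismatches.append((path, current, expected))
    return mismatches


# Constructed observation: the node as vmware-config.pl recreated it.
OBSERVED = [('/dev/vmnet0', 'chr_file', 'system_u:object_r:device_t:s0')]

if __name__ == '__main__':
    for name, spec in (('posted', POSTED_FC), ('fixed', FIXED_FC)):
        ctx = match_context(parse_fc(spec), '/dev/vmnet0', 'chr_file')
        print(f'{name} spec: /dev/vmnet0 as a char device -> {ctx}')
    print('mismatches under fixed spec:', check_labels(parse_fc(FIXED_FC), OBSERVED))
```

Run it and the posted spec resolves the character device /dev/vmnet0 to device_t while the `-c` spec resolves it to vmware_device_t; `check_labels` then reports the recreated node as mislabeled under the fixed spec, which is the state a `restorecon -Rv /dev` would repair.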
AVC Denied Dhcp and Iptables.
by piotreek
Hi guys, I found some strange messages in my logs. It seems that SELinux is blocking dhcp and iptables.
I found a similar post on the group about DHCP, but my messages are different. I am using FC7; the latest policy update didn't resolve the problem.
P.S. I am using Firestarter as my firewall.
Have a look
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc: denied { execute } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:6): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc: denied { execute } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:8): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:9): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:10): avc: denied { execute } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:11): avc: denied { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:12): avc: denied { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.975:13): audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
Greetings, Peter
16 years, 9 months
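Two posts on this page turn on the same step: reading raw AVC records off the kernel log and folding them into the per-domain allow rules that audit2allow prints (Tom's audit2allow listing after the Rawhide update, and Peter's dhcpc_t / iptables_exec_t denials just above). The script below is an added example written for this page, not audit2allow's own code. It parses both record shapes that appear here (the syslog-wrapped `kernel: audit(...)` form and the `type=AVC msg=audit(...)` form of audit.log, including the `{ read, write }` comma-separated permission list from the vmware report further down), groups denials by source type, target type and class, and then does the one thing audit2allow deliberately does not: it flags rules whose target is a generic fallback type (device_t, unlabeled_t, default_t, file_t) as probable mislabeling to fix with restorecon rather than policy to write. Every allow rule on Tom's list against device_t:sock_file is that kind; the dhcpc_t rule is a genuine policy question. The log text is constructed from the records on this page with a couple of added lines; it is sample data, not a real audit.log.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the kernel-format records quoted on this
# page (syslog-wrapped form and raw audit.log form) plus a non-AVC audit
# record the parser must skip. Not real log data.
SAMPLE_LOG = """\
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc: denied { execute } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc: denied { execute } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1181196600.100:21): avc: denied { write } for pid=2100 comm="ntpd" name="log" dev=tmpfs ino=1234 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1181196600.200:22): avc: denied { read, write } for pid=22164 comm="vmnet-bridge" name="vmnet0" dev=tmpfs ino=230929 scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.975:13): audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object types that are generic fallbacks rather than a daemon's own type.
# A denial against one of these usually means the object is mislabeled
# (fix with restorecon / a file_contexts entry), not that policy is missing.
GENERIC_TYPES = {'device_t', 'unlabeled_t', 'default_t', 'file_t'}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    perms = [p for p in re.split(r'[\s,]+', m.group('perms')) if p]
    try:
        return {
            'action': m.group('action'),
            'perms': perms,
            'stype': fields['scontext'].split(':')[2],   # user:role:TYPE[:mls]
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'comm': fields.get('comm'),
        }
    except (KeyError, IndexError):
        return None            # malformed or truncated record


def collect_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec['action'] == 'denied':
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return rules


def format_rules(rules):
    """Render the groups as allow rules, the way audit2allow prints them."""
    out = []
    for stype, ttype, tclass in sorted(rules):
        perms = sorted(rules[(stype, ttype, tclass)])
        target = 'self' if stype == ttype else ttype
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return out


def triage(rules):
    """Split rule keys into likely labeling problems and likely policy gaps."""
    relabel, policy = [], []
    for key in sorted(rules):
        (relabel if key[1] in GENERIC_TYPES else policy).append(key)
    return relabel, policy


if __name__ == '__main__':
    rules = collect_rules(SAMPLE_LOG)
    for rule in format_rules(rules):
        print(rule)
    relabel, policy = triage(rules)
    print('\nlikely mislabeling (run restorecon first):', relabel)
    print('likely policy gaps (local module or bug report):', policy)
```

The triage split is the practitioner's check before pasting audit2allow output into a local module: an `allow ntpd_t device_t:sock_file write;` rule would permanently widen ntpd's access to every unlabeled node under /dev, when the real defect is that the socket it wanted (here /dev/log) is carrying the generic label.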
update of selinux-policy-targeted: failed?
by Tom London
yum failure with today's rawhide:
Updating : selinux-policy-targeted ##################### [ 31/126]
libsepol.permission_copy_callback: Module evolution depends on
permission flow_out in class packet, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
tom
--
Tom London
16 years, 9 months
vmware and eclipse avc denied in selinux-policy-targeted-3.0.2-3.fc8.noarch
by NZzi
Hi,
I am on F8 rawhide with selinux-policy-targeted-3.0.2-3.fc8.noarch.
There are some AVC denials about vmware and eclipse:
1 vmware config
After I updated to selinux-policy-targeted-3.0.2-3.fc8.noarch,
I find my vmware must be reconfigured every time I run it.
But when I run vmware-config.pl, some AVC denied messages occurred:
avc: denied { read, write } for comm="vmnet-bridge" cwd="/usr/bin" dev=00:10 egid=0 euid=0 exe="/usr/bin/vmnet-bridge" exit=-13 fsgid=0 fsuid=0 gid=0 inode=230929 item=0 items=1 mode=020600 name="vmnet0" obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 path="/dev/vmnet0" pid=22164 rdev=77:00 scontext=system_u:system_r:vmware_host_t:s0 sgid=0 subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
......
The other AVC errors are similar; it seems that /dev/vmnet* are mislabeled:
they were all labeled device_t, not vmware_device_t.
IIRC, I installed and configured vmware 6 fine before the merge of
the targeted and strict policy, i.e. < selinux-policy-targeted-3.0. I have
compared the vmware* files between these two versions of the policy and
have not found any changes which would result in these errors.
I also find that /dev on my system is tmpfs, so files on this fs
should be labeled using fs_use_trans.
I want to add type_transition rules to verify my guess, but I don't know
the type of /usr/bin/vmware-config.pl, which is "bin_t" on my system now.
Is there something I missed?
2 Eclipse AVC error
When I launch eclipse (SLIDE), I get an AVC error:
avc: denied { unix_read, unix_write } for comm="X" egid=0 euid=0 exe="/usr/bin/Xorg" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2880 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm tcontext=system_u:system_r:java_t:s0 tty=tty7 uid=0
I think this should be added to the policy as "dontaudit", because it seems
that it doesn't affect my use of eclipse.
16 years, 9 months
rpmverify vs selinux problem
by Emanuele Maiarelli
I'm running rpmverify and it returns the following output:
rpmverify -a|grep bin
........C /usr/share/locale/en_GB/LC_MESSAGES/kgreet_winbind.mo
........C /usr/share/locale/fi/LC_MESSAGES/kabcformat_binary.mo
........C /usr/share/locale/fi/LC_MESSAGES/kbinaryclock.mo
........C /usr/share/locale/fi/LC_MESSAGES/kgreet_winbind.mo
........C /usr/share/locale/ja/LC_MESSAGES/kabcformat_binary.mo
........C /usr/share/locale/ja/LC_MESSAGES/kbinaryclock.mo
........C /usr/share/locale/ja/LC_MESSAGES/kgreet_winbind.mo
........C /usr/share/locale/sk/LC_MESSAGES/kabcformat_binary.mo
........C /usr/share/locale/sk/LC_MESSAGES/kbinaryclock.mo
........C /usr/share/locale/sk/LC_MESSAGES/kgreet_winbind.mo
........C /usr/bin/firefox
........C /usr/lib/firefox-1.0.7/components/libinspector.so
........C /usr/lib/firefox-1.0.7/firefox-bin
........C /usr/lib/firefox-1.0.7/libgtkxtbin.so
........C /usr/lib/firefox-1.0.7/res/html/gopher-binary.gif
........C /usr/bin/viewfax
........C /usr/sbin/openldap/back_sql-2.2.so.7
........C /usr/sbin/openldap/back_sql-2.2.so.7.0.22
........C /usr/sbin/openldap/back_sql.la
........C /usr/bin/amstex
........C /usr/bin/bamstex
........C /usr/bin/bplain
........C /usr/bin/lambda
It means "C selinux Context differs".
Considering the /etc/sysconfig/selinux
------------ /etc/sysconfig/selinux ------------
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
------------------------------------------------
Can this be caused by the SELINUXTYPE=targeted?
I've tried
'touch /.autorelabel' and reboot
'fixfiles -Ra> restore'
'fixfiles relabel'
but this doesn't solve the problem.
any hints?
Thanks in advance,
PS: I have already posted the problem on fedora-security-list
(
https://www.redhat.com/archives/fedora-security-list/2007-July/thread.html
thread 'rpmverify output')
they helped me and finally suggested to post it on fedora-selinux-list :)
16 years, 9 months
Kernel caching
by Laura Crawley
We have a problem: when all the cache is used, it goes
straight to swap which terminates our program. Has
anyone seen this? Also, is there a way to configure
the cache size for the kernel?
Thank you,
Laura
16 years, 9 months