Re: Nagios Web Interface and SELinux
by Ali Nebi
On Thu, 2007-08-30 at 12:00 -0400,
fedora-selinux-list-request(a)redhat.com wrote:
> Message: 1
> Date: Wed, 29 Aug 2007 15:37:18 -0700
> From: Michael Thomas <wart(a)kobold.org>
> Subject: Re: Nagios Web Interface and SELinux
> To: Daniel J Walsh <dwalsh(a)redhat.com>
> Cc: fedora-selinux-list(a)redhat.com
> Message-ID: <46D5F51E.20206(a)kobold.org>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Daniel J Walsh wrote:
> > Ryan Skadberg wrote:
> >> I have been trying to get nagios up and running on 2 different
> >> machines. One running FC5 and one running FC6. Nagios itself starts
> >> up fine, but the web interface fails miserably.
> >>
> >> When looking at /var/log/messages, I see things like:
> >> Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied
> >> { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi"
> >> dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0
> >> tcontext=system_u:object_r:lib_t:s0 tclass=file
> >>
> > Where is this file located? Looks like this needs a context like
> > httpd_sys_content_t or httpd_sys_script_t.
> >
> >
> > chcon -R -t httpd_sys_content_t PATH_TO_DIR
>
> I just ran into the same problem on EPEL-5. It appears that the path
> for the nagios cgi scripts is wrong in
> /etc/selinux/targeted/contexts/files/file_contexts:
>
> # grep nagios /etc/selinux/targeted/contexts/files/file_contexts
> /usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0
> [...]
>
> This should be:
>
> /usr/lib(64)?/nagios/cgi-bin/.+ --
>
> --Wart
Hi, I have installed nagios on Fedora 6, and I have no problems with
SELinux there.
I can tell you the SELinux contexts for some needed files; it looks to
work fine. I don't get audit messages.
1. /etc/nagios - system_u:object_r:nagios_etc_t
2. [anebi@asgard ~]$ ls -Z /etc/nagios/
-rw-rw-r-- root root system_u:object_r:nagios_etc_t cgi.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t commands.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t contactgroups.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t contacts.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t hostgroups.cfg
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t hosts.cfg
-rw-r--r-- apache apache system_u:object_r:nagios_etc_t htpasswd.users
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t nagios.cfg
-rw-r--r-- nagios nagios system_u:object_r:nrpe_etc_t nrpe.cfg
drwxr-x--- root nagios system_u:object_r:nagios_etc_t private
drw-r--r-- nagios nagios system_u:object_r:nagios_etc_t sample
drwxr-xr-x nagios nagios system_u:object_r:nagios_etc_t services
-rw-r--r-- nagios nagios system_u:object_r:nagios_etc_t timeperiods.cfg
3. [anebi@asgard ~]$ ls -Zd /usr/share/nagios/
drwxr-xr-x root root system_u:object_r:usr_t /usr/share/nagios/
4. [anebi@asgard ~]$ ls -Z /usr/share/nagios/
drwxr-xr-x root root system_u:object_r:usr_t html
5. [anebi@asgard ~]$ ls -Z /usr/share/nagios/html/
drwxr-xr-x root root system_u:object_r:usr_t contexthelp
drwxr-xr-x root root system_u:object_r:usr_t docs
drwxr-xr-x root root system_u:object_r:usr_t images
-rw-r--r-- root root system_u:object_r:usr_t index.html
-rw-r--r-- root root system_u:object_r:usr_t main.html
drwxr-xr-x root root system_u:object_r:usr_t media
-rw-r--r-- root root system_u:object_r:usr_t robots.txt
-rw-r--r-- root root system_u:object_r:usr_t side.html
drwxr-xr-x root root system_u:object_r:usr_t ssi
drwxr-xr-x root root system_u:object_r:usr_t stylesheets
6. [anebi@asgard ~]$ ls -Zd /usr/lib64/nagios/
drwxr-xr-x root root system_u:object_r:lib_t /usr/lib64/nagios/
7. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/
drwxr-xr-x root root system_u:object_r:lib_t cgi-bin
drwxr-xr-x root root system_u:object_r:bin_t plugins
8. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/cgi-bin/
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t avail.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t cmd.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t config.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t extinfo.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t histogram.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t history.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t notifications.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t outages.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t showlog.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t status.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t statusmap.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t statuswml.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t statuswrl.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t summary.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t tac.cgi
-rwxr-xr-x root root system_u:object_r:nagios_cgi_exec_t trends.cgi
9. [anebi@asgard ~]$ ls -Z /usr/lib64/nagios/plugins/
-rwxr-xr-x root root system_u:object_r:bin_t check_ackpoller
lrwxrwxrwx root root system_u:object_r:bin_t check_clamd -> check_tcp
-rwsr-x--- root nagios system_u:object_r:bin_t check_dhcp
-rwxr-xr-x root root system_u:object_r:bin_t check_disk
lrwxrwxrwx root root system_u:object_r:bin_t check_ftp -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_http
-rwsr-xr-x root root system_u:object_r:bin_t check_ide_smart
lrwxrwxrwx root root system_u:object_r:bin_t check_imap -> check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_jabber -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_linux_raid
-rwxr-xr-x root root system_u:object_r:bin_t check_load
-rwxr-xr-x root root system_u:object_r:bin_t check_nagios
lrwxrwxrwx root root system_u:object_r:bin_t check_nntp -> check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_nntps -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_nrpe
-rwxr-xr-x root root system_u:object_r:bin_t check_ping
lrwxrwxrwx root root system_u:object_r:bin_t check_pop -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_sensors
lrwxrwxrwx root root system_u:object_r:bin_t check_simap -> check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_spop -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_ssh
lrwxrwxrwx root root system_u:object_r:bin_t check_ssmtp -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_tcp
lrwxrwxrwx root root system_u:object_r:bin_t check_udp -> check_tcp
-rwxr-xr-x root root system_u:object_r:bin_t check_users
drwxr-xr-x root root system_u:object_r:bin_t eventhandlers
-rwxr-xr-x root root system_u:object_r:bin_t negate
-rwxr-xr-x root root system_u:object_r:bin_t notify_by_reliable
-rwxr-xr-x root root system_u:object_r:bin_t urlize
-rw-r--r-- root root system_u:object_r:bin_t utils.pm
-rwxr-xr-x root root system_u:object_r:bin_t utils.sh
10. [anebi@asgard ~]$ ls -Z /var/log/nagios/
drwxr-xr-x nagios nagios system_u:object_r:nagios_log_t archives
-rw-rw-r-- nagios nagios system_u:object_r:nagios_log_t comments.dat
-rw-rw-r-- nagios nagios system_u:object_r:nagios_log_t downtime.dat
-rw-r--r-- nagios nagios system_u:object_r:nagios_log_t nagios.log
-rw-r--r-- nagios nagios system_u:object_r:nagios_log_t objects.cache
-rw------- nagios nagios system_u:object_r:nagios_log_t retention.dat
-rw-rw-r-- nagios nagios system_u:object_r:nagios_log_t status.dat
11. [anebi@asgard ~]$ ls -Z /var/run/nagios.pid
-rw-r--r-- nagios nagios system_u:object_r:initrc_var_run_t /var/run/nagios.pid
I'm not sure about this; I think I had messages for this.
Now our systems are running in permissive mode.
I hope this info can help you.
Regards, Ali Nebi!
sendmail, /etc/aliases.db ....
by Tom London
Running Rawhide, targeted/enforcing.
Notice this in /var/log/audit/audit.log:
type=AVC msg=audit(1188316403.485:16): avc: denied { create } for pid=2704 comm="newaliases" name="aliases.db" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
type=SYSCALL msg=audit(1188316403.485:16): arch=40000003 syscall=5 success=no exit=-13 a0=bfa8ddd8 a1=c2 a2=1a0 a3=c2 items=0 ppid=2691 pid=2704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="newaliases" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
Looks like it is occurring when sendmail gets started during boot.
Running /usr/bin/newaliases manually at the root console works with no
AVCs, but leaves /etc/aliases.db with the 'wrong' label:
[root@localhost ~]# ls -Zl /etc/alia*
-rw-r--r-- 1 system_u:object_r:etc_aliases_t root root 1512 2005-04-25 09:48 /etc/aliases
-rw-r----- 1 system_u:object_r:etc_t root smmsp 12288 2007-08-28 10:27 /etc/aliases.db
[root@localhost ~]# restorecon -v /etc/alias*
restorecon reset /etc/aliases.db context system_u:object_r:etc_t:s0->system_u:object_r:etc_aliases_t:s0
[root@localhost ~]#
Should /etc/init.d/sendmail fix the label after running newaliases?
tom
--
Tom London
Some questions about /dev/twe* and selinux context
by Ali Nebi
Hi all,
I have some problems with the SELinux context for /dev/twe*.
I get these messages:
Aug 28 08:41:19 w3host kernel: audit(1188283279.352:167): avc: denied { getattr } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Aug 28 08:41:19 w3host kernel: audit(1188283279.388:168): avc: denied { read } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Aug 28 08:41:19 w3host kernel: audit(1188283279.445:169): avc: denied { ioctl } for pid=2512 comm="smartd" name="twe0" dev=tmpfs ino=10268 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
I know that /dev/twe* must have the fixed_disk_device_t context.
When I fix it with chcon -t fixed_disk_device_t /dev/twe*, the AVC denials
for this stop. Everything works OK. When I restarted the system, the
context changed to device_t again. I put the command to change the
context in rc.local, but it returned "no such file or directory". I know
that twe* devices are created automatically on boot, so let's say that
this is no problem. I decided to use semanage to add a rule for /dev/twe*
like this:
/usr/sbin/semanage fcontext -a -f -c -t fixed_disk_device_t "/dev/twe*"
After reboot, the result was the same: the context is device_t :(
When I used the restorecon command:
/sbin/restorecon /dev/twe*
it changed the context to fixed_disk_device_t.
So the questions are:
1. Where am I making a mistake?
2. What can I do to fix this problem?
Regards, Ali Nebi!
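As an added example (not code from this thread or from the SELinux tools), the following Python models how file_contexts entries are matched: each pattern is a regular expression anchored at both ends, an optional middle field restricts the file type, and the last matching entry wins, which is why entries added with semanage (kept in file_contexts.local, after the base policy) take precedence. It shows why the shipped "/usr/lib(64)?/nagios/cgi/.+" entry from the Nagios thread above leaves tac.cgi under cgi-bin labelled lib_t (the tcontext in that AVC), and why an entry written as the shell glob "/dev/twe*" matches "/dev/twe" and "/dev/twee" but not "/dev/twe0". The three base rules and the "/dev/twe[0-9]+" form are constructed for the example, not taken from any real policy.

```python
import re
from typing import List, NamedTuple, Optional

class Spec(NamedTuple):
    regex: str             # file_contexts patterns are regular expressions, not shell globs
    ftype: Optional[str]   # "--" regular file, "-c" char device, "-d" directory, None = any
    context: str

def parse_file_contexts(text: str) -> List[Spec]:
    """Parse lines of the form REGEX [FILETYPE] CONTEXT; '#' lines and blanks are skipped."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            specs.append(Spec(fields[0], fields[1], fields[2]))
        elif len(fields) == 2:
            specs.append(Spec(fields[0], None, fields[1]))
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
    return specs

def lookup(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Outline of how restorecon/matchpathcon label a path: each regex is anchored at both
    ends and the LAST matching entry wins (semanage appends to file_contexts.local)."""
    winner = None
    for s in specs:
        if s.ftype is None or s.ftype == ftype:   # honour the file-type field if present
            if re.fullmatch(s.regex, path):
                winner = s.context
    return winner

BASE = """# constructed base rules: a much-shortened stand-in for the real file_contexts
/.*              system_u:object_r:default_t:s0
/usr/lib(64)?/.* system_u:object_r:lib_t:s0
/dev/.*          system_u:object_r:device_t:s0
"""
SHIPPED_NAGIOS = "/usr/lib(64)?/nagios/cgi/.+ -- system_u:object_r:nagios_cgi_exec_t:s0\n"
FIXED_NAGIOS = "/usr/lib(64)?/nagios/cgi-bin/.+ -- system_u:object_r:nagios_cgi_exec_t:s0\n"
GLOB_TWE = "/dev/twe* -c system_u:object_r:fixed_disk_device_t:s0\n"       # as given to semanage
REGEX_TWE = "/dev/twe[0-9]+ -c system_u:object_r:fixed_disk_device_t:s0\n"  # regex form (constructed)

def label(extra_rules: str, path: str, ftype: str = "--") -> Optional[str]:
    return lookup(parse_file_contexts(BASE + extra_rules), path, ftype)

if __name__ == "__main__":
    for rule, path, ft in [(SHIPPED_NAGIOS, "/usr/lib64/nagios/cgi-bin/tac.cgi", "--"),
                           (GLOB_TWE, "/dev/twe0", "-c"), (REGEX_TWE, "/dev/twe0", "-c")]:
        print(rule.split()[0], path, "->", label(rule, path, ft))
```

label() appends the thread's entry after the base rules, so it wins whenever it matches; the cgi-bin directory itself stays lib_t under the corrected entry because ".+" needs something after the slash, which agrees with the ls -Z listing above.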
RE: rhel selinux question
by Barry Allard
Follow-up: went with this and it works now:
/etc/httpd/conf/webauth/keytab -> /etc/webauth/
/etc/httpd/conf/webauth/keyring -> /var/lib/webauth/
/etc/httpd/conf/webauth/service_token_cache -> /var/lib/webauth/
/etc/httpd/conf/webauth/krb5cc_ldap -> /var/lib/webauth/
chcon -R -t httpd_sys_script_rw_t /var/lib/webauth/
Installer script source available upon request. Much thanks to Daniel Walsh
and Ken Yang for pointing me in the right direction.
Barry
ps not showing contexts?
by Michael Thomas
After a month's worth of rawhide updates, I noticed that ps is no longer
reporting the contexts for processes:
[root@localhost audit]# selinuxenabled && echo $?
0
[root@localhost audit]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.5-11.fc8
[root@localhost ~]# ps auwxZ | tail
- gdm 2422 0.2 5.7 80604 29540 ? Ss 21:58 0:03 /usr/libexec/gdmgreeter --gtk-module=gail:atk-bridge:/usr/lib/gtk-2.0/modules/libkeymouselistener
- gdm 2424 0.4 0.7 13272 3956 ? S 21:58 0:05 /usr/libexec/at-spi-registryd
- gdm 2426 0.0 0.5 38748 2700 ? Ssl 21:58 0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=13
Any ideas what may have caused this to stop working?
--Wart
/dev/shm - tmpfs_t or device_t ?
by Tom London
Running latest Rawhide, targeted/enforcing.
I notice that if I run 'restorecon -v -R -n /dev' I get:
[root@localhost ~]# restorecon -v -R -n /dev
restorecon reset /dev/shm context system_u:object_r:tmpfs_t:s0->system_u:object_r:device_t:s0
[root@localhost ~]#
but
[root@localhost ~]# ls -ldZ /dev/shm
drwxrwxrwt root root system_u:object_r:tmpfs_t /dev/shm
[root@localhost ~]#
Seems funny to me.... Is that right?
tom
--
Tom London
sendmail->nscd log noise?
by Jason L Tibbitts III
These keep appearing in my logs and logwatch spams me about it daily.
Does it actually indicate any type of problem? If not, I guess this
merits a ticket against logwatch.
audit(1187812814.448:127): user pid=2725 uid=28 auid=4294967295 subj=system_u:system_r:nscd_t:s0 msg='avc: granted null for scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=nscd
- J<
ANN: SELinux Policy IDE (SLIDE) version 1.2
by David Sugar
Version 1.2 of the SELinux Policy IDE (SLIDE) from Tresys Technology is
now available for download from the Tresys Open source website at
http://oss.tresys.com.
SLIDE is an Eclipse plug-in that integrates with the SELinux Reference
Policy to provide a development environment for building SELinux policy.
SLIDE Features:
* A graphical user interface for policy development, including policy
syntax highlighting, context suggestions, and integrated compilation.
* Integration with SELinux Reference Policy, including quick lookup and
documentation for interfaces and macros.
* Wizards and easy-to-use templates to automate common tasks, from
creating a new SELinux policy to adding an interface into an existing
module.
* Integrated remote policy installation and audit log monitoring, to
facilitate policy testing.
* Seamless integration with the power of standard Eclipse.
Version 1.2 highlights:
* Graphical interface for network configuration via corenetwork.
* Added auto completion, context help, and tool tip descriptions for
Reference Policy macros, as well as including macros in the interface
view and showing their definitions in the declaration view.
* Improved documentation on the open source web site.
* Updates to work with SETools version 3.3.
* Fixed problems with the Console output.
* Bugs fixed with undo/redo when toggling commenting on numerous lines
of policy.
If you would like to contribute, currently the best help would be to
test and provide feedback on the SLIDE plugin and SLIDE Remote.
Dave Sugar
Tresys Technology, LLC