rhel selinux question
by Barry Allard
If someone would be so kind as to answer a noob question. When installing an
apache authentication extension called WebAuth (3.5.4), it works great with
selinux disabled (setenforce 0), but turn on enforcement (setenforce 1),
bam, can't read/write the necessary files. To selinux, perhaps it looks like
rogue code trying to modify configuration files.
Files:
/etc/httpd/conf/webauth/keytab
/etc/httpd/conf/webauth/keyring
/etc/httpd/conf/webauth/service_token_cache
Messages:
audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd"
name="webauth" dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_config_t:s0 tclass=dir
audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd"
name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.415:39): avc: denied { read } for pid=2229 comm="httpd"
name="keytab" dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd"
name="service_token_cache" dev=dm-0 ino=66426
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0
tclass=file
audit2allow says
"allow httpd_t httpd_config_t:dir write;
allow httpd_t httpd_config_t:file write;
allow httpd_t user_home_t:file read;"
but this seems arbitrarily permissive.
What would give only read/write access to these three files? Sorry if
this is off-topic.
Running RHEL 5 ("ES", 32-bit) patched. RTFM'ed already:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
not much help.
Kind Regards,
Barry Allard
Systems Administrator
Stanford Medical Informatics
+1.650.723.7270
15 years, 7 months
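The narrowing asked for above, as an added example (not code from the original post and not part of WebAuth): instead of taking audit2allow's blanket `allow httpd_t httpd_config_t:file write`, which lets the web server rewrite its own configuration, the script groups the quoted denials the way audit2allow does, then retargets the dir/file rules onto one dedicated type that labels only the WebAuth directory. The parser also accepts the syslog-prefixed `kernel: audit(...):avc:denied` form seen in Ali Nebi's message further down the page. The type name `httpd_webauth_rw_t`, the module name and the `.fc` path regex are assumptions for the example.

```python
"""Group AVC denials and emit a policy module narrowed to a dedicated type.

Added example for this thread, not code from the original post or from
WebAuth. The type name httpd_webauth_rw_t, the module name and the
path regex below are assumptions for the example.
"""
import re
from collections import defaultdict

# Matches the RHEL 5 kernel-log form ("audit(...): avc: denied { write } for ..."),
# the auditd form ("type=AVC msg=audit(...): avc: denied { read write } for ...")
# and syslog-prefixed "kernel: audit(...):avc:denied { ... } for ..." lines.
AVC_RE = re.compile(r"avc:\s*denied\s*\{\s*(?P<perms>[^}]*)\}\s*for\s*(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields (perms as a set, source/target types split out) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    d["perms"] = set(m.group("perms").split())
    d["sdomain"] = d["scontext"].split(":")[2]   # user:role:TYPE[:range]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d


def group_rules(lines):
    """{(source domain, target type, class): perms}, the grouping audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return rules


def narrow_to_type(rules, new_type, broad_types, classes=("dir", "file")):
    """Retarget dir/file rules that hit the broad types onto one dedicated type."""
    out = defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        key = (src, new_type, cls) if cls in classes and tgt in broad_types else (src, tgt, cls)
        out[key] |= perms
    return out


def render_module(name, rules, new_type, paths):
    """Return (te, fc) text for the refpolicy-style build (selinux-policy-devel on RHEL 5)."""
    external = set()
    for src, tgt, _cls in rules:
        external.update((src, tgt))
    external.discard(new_type)
    te = ["policy_module(%s, 1.0)" % name, "", "require {"]
    te += ["\ttype %s;" % t for t in sorted(external)]
    te += ["}", "",
           "# Dedicated type for the WebAuth state files; files_type() makes it an",
           "# ordinary file type that setfiles/restorecon may apply.",
           "type %s;" % new_type, "files_type(%s)" % new_type, ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        te.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    fc = ["%s\tgen_context(system_u:object_r:%s,s0)" % (p, new_type) for p in paths]
    return "\n".join(te) + "\n", "\n".join(fc) + "\n"


# Sample input: the denials quoted in the post above.
SAMPLE = [
    'audit(1187726388.800:5): avc: denied { write } for pid=2030 comm="httpd" name="webauth" '
    'dev=dm-0 ino=66396 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=dir',
    'audit(1187727527.410:38): avc: denied { read } for pid=2229 comm="httpd" name="keytab" '
    'dev=dm-0 ino=196626 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file',
    'audit(1187727527.420:40): avc: denied { write } for pid=2229 comm="httpd" name="service_token_cache" '
    'dev=dm-0 ino=66426 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_config_t:s0 tclass=file',
]
WEBAUTH_DIR = "/etc/httpd/conf/webauth(/.*)?"   # assumed fcontext regex covering the three files

if __name__ == "__main__":
    rules = group_rules(SAMPLE)
    narrowed = narrow_to_type(rules, "httpd_webauth_rw_t", {"httpd_config_t", "user_home_t"})
    te, fc = render_module("webauth_local", narrowed, "httpd_webauth_rw_t", [WEBAUTH_DIR])
    print(te)
    print(fc)
```

Write the two outputs to `webauth_local.te` and `webauth_local.fc`, then build and load with `make -f /usr/share/selinux/devel/Makefile webauth_local.pp`, `semodule -i webauth_local.pp` and `restorecon -Rv /etc/httpd/conf/webauth`. Two caveats: the `user_home_t` label on `keytab` says the file was moved in from a home directory (mv keeps the old label), which the relabel fixes; and an AVC only records the first permission refused, so creating `service_token_cache` will also need `dir { add_name }` and `file { create }` at least. Run one pass in permissive mode after relabeling, feed all of the resulting denials through `group_rules`, and rebuild.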
A tool to generate missing requires for a SELinux module?
by Aleksander Adamowski
Hi!
I often find myself in a need for a tool that would scan a module's .te
file and generate the missing requires.
It should determine all the missing requires, for which there are rules
in that module, in one pass, and present either the missing requires
only, or the full contents of the require {} section (in the second
case, it could merge the missing class permissions with any existing
permissions for given pre-existing classes).
I know that I can use audit2allow to generate the requires for me with
-r switch, but it has 3 shortcomings:
1. It dumbly generates requires for all the classes/types/attributes
it sees - and since it doesn't know anything about the intended module
where the rules will go, it will probably generate requires for
types/attributes that are defined in that module. Such require
output, when blindly pasted into the module's source, will generate
duplicate definition errors.
2. It knows nothing about preexisting requires in the target module,
so it will spit out all of them and one has to remove duplicates
by hand (e.g. using vi: "'a,'b!sort", then "'a'b!uniq")
3. It won't help me if I write some rules by hand, not based on AVC
messages.
I think the problem is widespread enough that someone could have written
a tool for that already - I'd like to know about that before I start
writing one myself :)
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
--
Aleksander Adamowski
Corporate systems administrator; instructor
Altkom Akademia S.A. http://www.altkom.pl
Warszawa, ul. Chłodna 51
mobile: 0-601-318-080
District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register,
KRS: 0000120139, NIP 118-00-08-391, share capital: 1,000,000 PLN. Registered address of the company: ul. Stawki 2, 00-193 Warszawa.
This message contains proprietary information and trade secrets of Altkom Akademia S.A.
Unauthorized use or disclosure of this information to any third party is prohibited.
If you received this message by mistake, please contact the sender immediately and delete all copies of this message.
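The tool described in the post above, as an added example (not an existing tool and not code from the original message): it scans a `.te` file, collects every type and class/permission referenced by its AV rules, subtracts what the module declares itself and what its existing `require {}` block already lists, and prints either just the missing entries or the full merged block. Only `allow`/`dontaudit`/`auditallow`/`neverallow` rules are scanned. Whether a bare identifier is a type or an attribute cannot be told from a rule alone, so names passed in `known_attributes` (for instance the output of `seinfo -a`) are emitted as attributes and everything else as a type. The sample module is constructed for the example.

```python
"""Generate the missing require {} entries for a SELinux .te module.

Added example for this thread, not an existing tool. Only AV rules are
scanned; the sample module at the bottom is constructed for the example.
"""
import re

AV_RE = re.compile(
    r"\b(?:allow|dontaudit|auditallow|neverallow)\s+"
    r"(?P<src>~?\{[^}]*\}|\S+)\s+(?P<tgt>~?\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|\w+)\s+(?P<perms>~?\{[^}]*\}|\S+?)\s*;")


def _names(token):
    """'{ a b }', '~{ a }' or 'a' -> ['a', 'b'] / ['a'] / ['a']."""
    return token.lstrip("~").strip("{}").split()


def split_requires(text):
    """Return (text with require blocks cut out, list of the blocks' bodies)."""
    bodies, pieces, pos = [], [], 0
    for m in re.finditer(r"\brequire\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):          # brace matching: class { perms } nests
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[m.end():i - 1])
        pieces.append(text[pos:m.start()])
        pos = i
    pieces.append(text[pos:])
    return "".join(pieces), bodies


def parse_require(bodies):
    """Parse existing require bodies into {type, attribute, class: {cls: perms}, other}."""
    req = {"type": set(), "attribute": set(), "class": {}, "other": []}
    for body in bodies:
        for stmt in body.split(";"):
            parts = stmt.strip().split(None, 1)
            if not parts:
                continue
            kind, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            if kind in ("type", "attribute"):
                req[kind].update(n.strip() for n in rest.split(","))
            elif kind == "class":
                cls, perms = rest.split(None, 1)
                req["class"].setdefault(cls, set()).update(_names(perms))
            else:                                 # role, bool, ...: kept verbatim on merge
                req["other"].append(" ".join(parts) + ";")
    return req


def scan_module(text):
    """(declared names, types used by AV rules, {class: perms used}, existing requires)."""
    body, bodies = split_requires(text)
    declared = set(re.findall(r"^\s*(?:type|attribute)\s+(\w+)", body, re.M))
    used_types, used_classes = set(), {}
    for m in AV_RE.finditer(body):
        used_types.update(_names(m.group("src")) + _names(m.group("tgt")))
        perms = set() if m.group("perms") == "*" else set(_names(m.group("perms")))
        for cls in _names(m.group("cls")):
            used_classes.setdefault(cls, set()).update(perms)
    used_types.discard("self")
    return declared, used_types, used_classes, parse_require(bodies)


def missing_requires(text, known_attributes=frozenset()):
    """Entries the module references but neither declares nor already requires."""
    declared, used_types, used_classes, existing = scan_module(text)
    need = used_types - declared - existing["type"] - existing["attribute"]
    attrs = need & set(known_attributes)
    classes = {}
    for cls, perms in used_classes.items():
        missing = perms - existing["class"].get(cls, set())
        if missing:
            classes[cls] = missing
    return {"type": need - attrs, "attribute": attrs, "class": classes}


def render_require(missing, existing=None):
    """Render only the missing entries, or the merged block when existing is given."""
    types, attrs = set(missing["type"]), set(missing["attribute"])
    classes = {c: set(p) for c, p in missing["class"].items()}
    other = []
    if existing:
        types |= existing["type"]
        attrs |= existing["attribute"]
        for c, p in existing["class"].items():
            classes.setdefault(c, set()).update(p)
        other = existing["other"]
    lines = ["require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tattribute %s;" % a for a in sorted(attrs)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["\t" + o for o in other]
    return "\n".join(lines + ["}"])


# Constructed sample: declares one type, already requires httpd_t and file { read }.
SAMPLE_TE = """\
policy_module(webauth_local, 1.0)

require {
\ttype httpd_t;
\tclass file { read };
}

type httpd_webauth_rw_t;
files_type(httpd_webauth_rw_t)

allow httpd_t httpd_webauth_rw_t:dir { write add_name };
allow httpd_t httpd_webauth_rw_t:file { read write create };
allow httpd_t { httpd_config_t file_type }:file getattr;
"""

if __name__ == "__main__":
    missing = missing_requires(SAMPLE_TE, known_attributes={"file_type"})
    print(render_require(missing))                               # only what is missing
    print(render_require(missing, scan_module(SAMPLE_TE)[3]))    # full merged block
```

On the sample the first form lists `httpd_config_t` as a type, `file_type` as an attribute, and only the permissions not yet required (`dir { add_name write }`, `file { create getattr write }`); `httpd_t` and `httpd_webauth_rw_t` are left out because one is already required and the other is declared by the module, which is exactly the duplicate-definition trap the post describes.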
gnome-keyring-daemon and ~/keyrings
by Tom London
Running latest Rawhide, targeted enforcing.
Notice this:
type=AVC msg=audit(1187879289.771:16): avc: denied { write } for
pid=3165 comm="gnome-keyring-d" name="keyrings" dev=dm-0 ino=131089
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_gnome_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1187879289.771:16): arch=40000003 syscall=5
success=no exit=-13 a0=9c7ea68 a1=80c2 a2=180 a3=80c2 items=0 ppid=1
pid=3165 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-keyring-d"
exe="/usr/bin/gnome-keyring-daemon"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
But 'ps agxZ | grep key' shows:
[root@localhost lib]# ps agxZ | grep key
system_u:system_r:unconfined_t 3150 ? S 0:00
/usr/bin/gnome-keyring-daemon
system_u:system_r:unconfined_t 3971 pts/0 S+ 0:00 grep key
[root@localhost lib]#
pid in AVC says '3165', not 3150, so .....
What could this be? Leaked fd?
tom
--
Tom London
mixer_applet2 and execmod ?!
by Tom London
Running latest Rawhide, targeted/enforcing.
This just started (at least, I didn't notice this before):
type=AVC msg=audit(1187881774.893:26): avc: denied { execmod } for
pid=3407 comm="mixer_applet2" path="/usr/lib/libtheora.so.0.2.0"
dev=dm-0 ino=5474587 scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187881774.893:26): arch=40000003 syscall=125
success=no exit=-13 a0=e87000 a1=48000 a2=5 a3=bf8f9200 items=0
ppid=3395 pid=3407 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mixer_applet2"
exe="/usr/libexec/mixer_applet2"
subj=system_u:system_r:unconfined_t:s0 key=(null)
tom
--
Tom London
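A decoder for the SYSCALL records in the two posts above, as an added example (not a tool from the original messages): it turns the raw `syscall=`, `exit=` and `a0..a3` fields into the syscall name, errno and decoded arguments, which is what settles the "leaked fd?" question from the record itself. With `arch=40000003` (i386) syscall 5 is `open(2)`, so the denial was a fresh open by pid 3165, and `a1=80c2` decodes to `O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE` with mode `0600`: a new file being created, not an inherited descriptor being reused. For the second record, syscall 125 is `mprotect(2)` with `a2=5` = `PROT_READ|PROT_EXEC`, the request that `execmod` on a `lib_t` file denies. The syscall numbers and flag values are the i386 ones; the sample records are the two quoted above.

```python
"""Decode the SYSCALL record that follows an AVC, for i386 (arch=40000003).

Added example for this thread, not a tool from the original posts.
Syscall numbers and flag values are the i386 ones; the two sample
records are the ones quoted in the posts.
"""
import re

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# i386 syscall numbers (arch=40000003 is AUDIT_ARCH_I386).
I386_SYSCALLS = {5: "open", 33: "access", 90: "mmap", 125: "mprotect", 192: "mmap2"}
ACCESS_MODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = [(0x40, "O_CREAT"), (0x80, "O_EXCL"), (0x100, "O_NOCTTY"), (0x200, "O_TRUNC"),
              (0x400, "O_APPEND"), (0x800, "O_NONBLOCK"), (0x8000, "O_LARGEFILE"),
              (0x10000, "O_DIRECTORY"), (0x20000, "O_NOFOLLOW"), (0x80000, "O_CLOEXEC")]
PROT_FLAGS = [(1, "PROT_READ"), (2, "PROT_WRITE"), (4, "PROT_EXEC")]
ERRNO = {-1: "EPERM", -13: "EACCES"}


def decode(record):
    """Return a dict describing the denied call; raises on non-i386 records."""
    f = {k: v.strip('"') for k, v in KV_RE.findall(record)}
    if f.get("arch") != "40000003":
        raise ValueError("only i386 (arch=40000003) records are decoded here")
    nr = int(f["syscall"])
    args = [int(f[a], 16) for a in ("a0", "a1", "a2", "a3")]
    out = {
        "syscall": I386_SYSCALLS.get(nr, "sys_%d" % nr),
        "pid": int(f["pid"]), "ppid": int(f["ppid"]), "comm": f["comm"], "subj": f["subj"],
        "errno": ERRNO.get(int(f["exit"]), f["exit"]),
        # auid 4294967295 (-1) means the process has no login session behind it;
        # ppid=1 means its parent has already exited and init adopted it.
        "auid_unset": f["auid"] == "4294967295",
    }
    if out["syscall"] == "open":
        flags = [ACCESS_MODE[args[1] & 3]] + [name for bit, name in OPEN_FLAGS if args[1] & bit]
        out["flags"] = flags
        out["mode"] = "0%o" % args[2] if "O_CREAT" in flags else None
        # A denied open(2) is the caller's own new open. A leaked descriptor shows
        # up as a denial on an already-open object, not as an open() in the record.
        out["creates_descriptor"] = True
    elif out["syscall"] == "mprotect":
        out["addr"], out["len"] = hex(args[0]), hex(args[1])
        out["prot"] = [name for bit, name in PROT_FLAGS if args[2] & bit]
    return out


# The two SYSCALL records quoted in the posts above.
OPEN_RECORD = (
    'type=SYSCALL msg=audit(1187879289.771:16): arch=40000003 syscall=5 '
    'success=no exit=-13 a0=9c7ea68 a1=80c2 a2=180 a3=80c2 items=0 ppid=1 '
    'pid=3165 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 '
    'egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-keyring-d" '
    'exe="/usr/bin/gnome-keyring-daemon" '
    'subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)')
MPROTECT_RECORD = (
    'type=SYSCALL msg=audit(1187881774.893:26): arch=40000003 syscall=125 '
    'success=no exit=-13 a0=e87000 a1=48000 a2=5 a3=bf8f9200 items=0 '
    'ppid=3395 pid=3407 auid=500 uid=500 gid=500 euid=500 suid=500 '
    'fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="mixer_applet2" '
    'exe="/usr/libexec/mixer_applet2" subj=system_u:system_r:unconfined_t:s0 key=(null)')

if __name__ == "__main__":
    for rec in (OPEN_RECORD, MPROTECT_RECORD):
        print(decode(rec))
```

For the first record the decoded fields (a real `open(O_CREAT|O_EXCL)` from pid 3165, no login session, parent already gone, subject `xdm_t`) describe a second `gnome-keyring-daemon` started outside the user's session rather than a descriptor leaked into pid 3150. For the second, `mprotect(0xe87000, 0x48000, PROT_READ|PROT_EXEC)` over a region backed by `libtheora.so.0.2.0` is a private, already-modified mapping of the library being made executable; `eu-findtextrel /usr/lib/libtheora.so.0.2.0` (elfutils) reports whether that library carries text relocations, the usual cause of `execmod`.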
[ANN] SETools 3.3.1 Release
by Christopher J. PeBenito
A new release of SETools is now available on the Tresys OSS site, from
http://oss.tresys.com. This is a minor release, to fix a few minor
issues seen in the 3.3 release. The complete change log for this
release follows.
SETools 3.3.1:
* Fix to configure when Tcl is not found on build system; fix when
compiling with --disable-gui option.
* Fix to uninstall targets of Java wrappers.
* Fix to libapol where transitive flows could return results that
were supposed to be excluded; fixed memory leaks in infoflow graph
generation.
* Fix to libsefs when running MLS query on non-MLS fclists.
* Fix to apol when reading older .apol files; fix copy and select
all on certain tabs; fix to filter by attribute on some advanced
dialogs.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
too many selinux alerts, after touch ./ autorelabel reboot
by Antonio Olivares
Dear all,
selinux on rawhide is cranking out many denials. These do not show up in dmesg. What is happening? I do not know enough to help myself fix them.
Here's one of them
Summary
SELinux is preventing dhclient-script (dhcpc_t) "getattr" to /sbin/setfiles
(setfiles_exec_t).
Detailed Description
SELinux denied access requested by dhclient-script. It is not expected that
this access is required by dhclient-script and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /sbin/setfiles, restorecon -v
/sbin/setfiles If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context user_u:system_r:dhcpc_t
Target Context system_u:object_r:setfiles_exec_t
Target Objects /sbin/setfiles [ file ]
Affected RPM Packages policycoreutils-2.0.19-1.fc8 [target]
Policy RPM selinux-policy-2.6.5-2.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name localhost
Platform Linux localhost 2.6.21-1.3194.fc7 #1 SMP Wed May
23 22:35:01 EDT 2007 i686 athlon
Alert Count 1
First Seen Tue 21 Aug 2007 07:41:12 AM CDT
Last Seen Tue 21 Aug 2007 07:41:12 AM CDT
Local ID 73dc2e0c-fc2c-496f-8f0e-87e72cfd3ce5
Line Numbers
Raw Audit Messages
avc: denied { getattr } for comm="dhclient-script" dev=dm-0 egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="setfiles"
path="/sbin/setfiles" pid=3563 scontext=user_u:system_r:dhcpc_t:s0 sgid=0
subj=user_u:system_r:dhcpc_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:setfiles_exec_t:s0 tty=(none) uid=0
SELinux is preventing /usr/bin/uptime (logwatch_t) "read write" to utmp (initrc_var_run_t).
SELinux is preventing /usr/bin/uptime (logwatch_t) "read" to utmp (initrc_var_run_t).
SELinux is preventing /usr/sbin/useradd (useradd_t) "read write" to faillog (var_log_t).
SELinux is preventing /sbin/rpc.statd (rpcd_t) "search" to sbin (bin_t).
This one is a major one:
SELinux prevented /sbin/ldconfig from using the terminal /dev/pts/0.
Changing the "allow_daemons_use_tty" boolean to true will allow this access: "setsebool -P allow_daemons_use_tty=1".
The following command will allow this access: setsebool -P allow_daemons_use_tty=1
There are some more, but in reality, I cannot understand why they do not show up in a regular dmesg. How can I cure all these selinux denials? This is reminiscent of the installation of Fedora 7, with too many problems with selinux.
Sorry to complain, but I need some help. I hope that I am not the only one with these kinds of errors.
Regards,
Antonio
several problems after successful update, wine, texlive and selinux
by Antonio Olivares
Dear all,
I have successfully updated the machine I asked for help updating; the advice was quickly given and resolved it. However, after updating I find the following problems:
1) wine does not work. Is it because of selinux? dmesg does not show this :(
[olivares@localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
[1] 3004
[olivares@localhost ~]$ bash: /usr/bin/wine: Permission denied
[1]+ Exit 126 wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
[olivares@localhost ~]$ wine --help
bash: /usr/bin/wine: Permission denied
[olivares@localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
[1] 3007
[olivares@localhost ~]$ bash: /usr/bin/wine: Permission denied
[1]+ Exit 126 wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
[olivares@localhost ~]$ rpm -qa wine*
wine-capi-0.9.43-2.fc8
wine-twain-0.9.43-2.fc8
wine-nas-0.9.43-2.fc8
wine-jack-0.9.43-2.fc8
wine-0.9.43-2.fc8
wine-cms-0.9.43-2.fc8
wine-tools-0.9.43-2.fc8
wine-core-0.9.43-2.fc8
wine-esd-0.9.43-2.fc8
wine-ldap-0.9.43-2.fc8
2) The texlive install was almost successful all the way, except for tetex-xdvi, which has no equivalent texlive package. I am surprised that f8 test 1 still had tetex instead of texlive, but here I installed it using the instructions on the Wiki.
[root@localhost Downloads]# yum install texlive texlive-latex
Setting up Install Process
Parsing package install arguments
development 100% |=========================| 2.1 kB 00:00
primary.sqlite.bz2 100% |=========================| 4.2 MB 00:03
texlive 100% |=========================| 951 B 00:00
primary.xml.gz 100% |=========================| 7.2 kB 00:00
texlive : ################################################## 23/23
Resolving Dependencies
--> Running transaction check
---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
--> Processing Dependency: texlive-texmf = 2007 for package: texlive
--> Processing Dependency: libt1.so.5 for package: texlive
--> Processing Dependency: libTECkit.so.0 for package: texlive
--> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive-latex
--> Processing Dependency: texlive-dvips = 2007 for package: texlive-latex
--> Processing Dependency: texlive-texmf-latex = 2007 for package: texlive-latex
--> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive
--> Processing Dependency: texlive-fonts = 2007-0.10.fc7 for package: texlive
--> Processing Dependency: libkpathsea.so.4 for package: texlive
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
--> Processing Dependency: texlive-texmf-fonts >= 2007 for package: texlive-fonts
--> Processing Dependency: texlive-texmf-errata-latex = 2007 for package: texlive-texmf-latex
--> Processing Dependency: texlive-texmf-common = 2007 for package: texlive-texmf-latex
--> Processing Dependency: texlive-texmf-dvips = 2007 for package: texlive-dvips
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
--> Processing Dependency: texlive-texmf-errata-common = 2007-0.9.fc7 for package: texlive-texmf-errata-latex
--> Processing Dependency: texlive-texmf-errata-fonts = 2007 for package: texlive-texmf-fonts
--> Processing Dependency: texlive-texmf-errata-dvips = 2007 for package: texlive-texmf-dvips
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
texlive i386 2007-0.10.fc7 texlive 5.8 M
texlive-latex i386 2007-0.10.fc7 texlive 74 k
Installing for dependencies:
kpathsea i386 2007-0.10.fc7 texlive 148 k
t1lib i386 5.1.1-1.fc8 development 316 k
teckit i386 2.2.1-1.fc8 development 322 k
texlive-dvips i386 2007-0.10.fc7 texlive 176 k
texlive-fonts i386 2007-0.10.fc7 texlive 509 k
texlive-texmf noarch 2007-0.10.fc7 texlive 8.2 M
texlive-texmf-common noarch 2007-0.10.fc7 texlive 7.4 k
texlive-texmf-dvips noarch 2007-0.10.fc7 texlive 826 k
texlive-texmf-errata noarch 2007-0.9.fc7 texlive 3.3 k
texlive-texmf-errata-common noarch 2007-0.9.fc7 texlive 3.4 k
texlive-texmf-errata-dvips noarch 2007-0.9.fc7 texlive 3.3 k
texlive-texmf-errata-fonts noarch 2007-0.9.fc7 texlive 3.2 k
texlive-texmf-errata-latex noarch 2007-0.9.fc7 texlive 3.3 k
texlive-texmf-fonts noarch 2007-0.10.fc7 texlive 55 M
texlive-texmf-latex noarch 2007-0.10.fc7 texlive 3.1 M
Transaction Summary
=============================================================================
Install 17 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 74 M
Is this ok [y/N]: y
Downloading Packages:
(1/17): kpathsea-2007-0.1 100% |=========================| 148 kB 00:00
(2/17): teckit-2.2.1-1.fc 100% |=========================| 322 kB 00:00
(3/17): texlive-texmf-dvi 100% |=========================| 826 kB 00:00
(4/17): texlive-texmf-err 100% |=========================| 3.3 kB 00:00
(5/17): t1lib-5.1.1-1.fc8 100% |=========================| 316 kB 00:00
(6/17): texlive-texmf-com 100% |=========================| 7.4 kB 00:00
(7/17): texlive-texmf-200 100% |=========================| 8.2 MB 00:05
(8/17): texlive-texmf-err 100% |=========================| 3.3 kB 00:00
(9/17): texlive-texmf-err 100% |=========================| 3.3 kB 00:00
(10/17): texlive-latex-20 100% |=========================| 74 kB 00:00
(11/17): texlive-texmf-fo 100% |=========================| 55 MB 00:37
(12/17): texlive-texmf-er 100% |=========================| 3.2 kB 00:00
(13/17): texlive-2007-0.1 100% |=========================| 5.8 MB 00:04
(14/17): texlive-dvips-20 100% |=========================| 176 kB 00:00
(15/17): texlive-fonts-20 100% |=========================| 509 kB 00:00
(16/17): texlive-texmf-er 100% |=========================| 3.4 kB 00:00
(17/17): texlive-texmf-la 100% |=========================| 3.1 MB 00:02
Running rpm_check_debug
--> Populating transaction set with selected packages. Please wait.
---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
ERROR with rpm_check_debug vs depsolve:
Package tetex-xdvi needs tetex-dvips = 3.0, this is not available.
Complete!
and selinux is causing too much trouble. Here's an example. Sorry for all the text in the selinux alert.
Summary
SELinux is preventing /usr/lib/firefox-2.0.0.6/firefox-bin from making the
program stack executable.
Detailed Description
The /usr/lib/firefox-2.0.0.6/firefox-bin application attempted to make
its stack executable. This is a potential security problem. This should
never ever be necessary. stack memory is not executable on most OSes these
days and this will not change. Executable stack memory is one of the biggest
security problems. An execstack error might in fact be most likely raised by
malicious code. Applications are sometimes coded incorrectly and request
this permission. The http://people.redhat.com/drepper/selinux-mem.html web
page explains how to remove this requirement. If /usr/lib/firefox-2.0.0.6
/firefox-bin does not work and you need it to work, you can configure
SELinux temporarily to allow this access until the application is fixed.
Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
package.
Allowing Access
Sometimes a library is accidentally marked with the execstack flag, if you
find a library with this flag you can clear it with the execstack -c
LIBRARY_PATH. Then retry your application. If the app continues to not
work, you can turn the flag back on with execstack -s LIBRARY_PATH.
Otherwise, if you trust /usr/lib/firefox-2.0.0.6/firefox-bin to run
correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
/usr/lib/firefox-2.0.0.6/firefox-bin" You must also change the default file
context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
/usr/lib/firefox-2.0.0.6/firefox-bin"
The following command will allow this access:
chcon -t unconfined_execmem_exec_t /usr/lib/firefox-2.0.0.6/firefox-bin
Additional Information
Source Context system_u:system_r:unconfined_t
Target Context system_u:system_r:unconfined_t
Target Objects None [ process ]
Affected RPM Packages firefox-2.0.0.6-3.fc8 [application]
Policy RPM selinux-policy-3.0.5-8.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_execstack
Host Name localhost
Platform Linux localhost 2.6.23-0.115.rc3.git1.fc8 #1 SMP
Fri Aug 17 20:58:14 EDT 2007 i686 athlon
Alert Count 6
First Seen Tue 21 Aug 2007 04:17:07 PM CDT
Last Seen Tue 21 Aug 2007 04:54:17 PM CDT
Local ID bbd222d8-abbe-4dd8-b54b-46c7d29b434c
Line Numbers
Raw Audit Messages
avc: denied { execstack } for comm="firefox-bin" egid=500 euid=500
exe="/usr/lib/firefox-2.0.0.6/firefox-bin" exit=-13 fsgid=500 fsuid=500 gid=500
items=0 pid=3011 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500
SELinux is preventing /usr/sbin/hald (hald_t) "read" to reload (var_lib_t).
SELinux prevented /usr/sbin/ntpd from using the terminal 0
avc: denied { read, write } for comm="ntpd" dev=devpts egid=0 euid=0 exe="/usr/sbin/ntpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="0" pid=17348 scontext=user_u:system_r:ntpd_t:s0 sgid=0 subj=user_u:system_r:ntpd_t:s0 suid=0 tclass=chr_file tcontext=user_u:object_r:devpts_t:s0 tty=(none) uid=0
SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "create" to (unlabeled_t).
SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "append" to /var/log/cups/error_log (cupsd_log_t).
SELinux prevented /sbin/rpc.statd from using the terminal /dev/pts/0.
......, there are a bunch of them. Sorry for not posting them.
dmesg does not show any of these when running dmesg from the terminal.
see
http://www.geocities.com/olivares14031//20070821164505-dmesg.htm
for details. Will do an
# touch /.autorelabel
# reboot
and hope that it cures many of these issues.
Regards,
Antonio
Questions about some selinux audit messages
by Ali Nebi
Hi everyone,
I get these audit messages on all servers:
Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:356):avc:denied
{ append } for pid=9416 comm="sendmail" name="error.log" dev=dm-0
ino=16416800 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.515:357):avc:denied
{ read write } for pid=9416 comm="sendmail" name="[eventpoll]"
dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.599:358):avc:denied
{ append } for pid=9417 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 14:17:34 casamerica kernel: audit(1187698654.603:359):avc:denied
{ getattr } for pid=9417 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:360):avc:denied
{ append } for pid=9448 comm="sendmail" name="error.log" dev=dm-0
ino=16416800 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
Aug 21 14:26:58 casamerica kernel: audit(1187699218.244:361):avc:denied
{ read write } for pid=9448 comm="sendmail" name="[eventpoll]"
dev=anon_inodefs ino=393 scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
Aug 21 14:26:58 casamerica kernel: audit(1187699218.253:362):avc:denied
{ append } for pid=9449 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 14:26:58 casamerica kernel: audit(1187699218.256:363):avc:denied
{ getattr } for pid=9449 comm="postdrop" name="error_log" dev=dm-0
ino=15631250 scontext=system_u:system_r:postfix_postdrop_t:s0
tcontext=root:object_r:httpd_log_t:s0 tclass=file
Aug 21 15:36:34 w3host kernel: audit(1187703394.426:423): avc:denied
{ name_connect } for pid=32151 comm="httpd" dest=5432
scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
so, these are the messages.
We have installed Fedora 6, x86_64
My questions are these:
1. Why does postdrop try to read, append to and get attributes of the apache logs? Can it be because we have installed the Logwatch program? We get these on all servers.
2. Do I have to allow postdrop to do what is needed with the logs? Is this secure, and will it not be a problem for something?
3. For the last one, httpd tries to connect to the postgresql socket. Why does this happen, and is it secure?
4. I have to give httpd this permission to connect to postgresql. We have set postgresql to work on localhost and not to execute queries from remote hosts and sites.
I will wait for your opinions, thanks in advance.
Regards, Ali Nebi!
Data access to two daemon
by Arthur Pemberton
I have a personal server setup with SELinux in targeted mode.
I would like to allow rw access to these files for Samba, and ro
access to these files for httpd.
In my current setup, SELinux requires the security context of the
respective daemon to allow access to them.
Since I gave Samba access more priority, the current context is:
root:object_r:samba_share_t
The files are not owned by root, they are currently chowned pembo13:comrades.
Please advise on the best method to arrange for the access that I seem
to require.
Thank you.
--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )