F7 mls enforcing failed login and recursive fault
by Joe Nall
I built and fully updated a F7/MLS system today and was unable to
log in in MLS enforcing from the console or ssh (no X, init level 2 or
3). I rebooted with a clean audit.log in permissive mode, logged in
and found two login-related denials:
type=AVC msg=audit(1187740851.272:22): avc: denied
{ audit_control } for pid=2299 comm="login" capability=30
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tclass=capability
and a second dbus related one that I was unable to replicate for this
email
I created a quick policy to see if I could log in in enforcing mode.
policy_module(f7fix,1.0.0)
gen_require(`
	type local_login_t, initrc_t;
	class dbus send_msg;
')
# the dbus denial
allow local_login_t initrc_t:dbus send_msg;
# the audit_control capability denial logged for login
allow local_login_t self:capability audit_control;
and got this nasty result
Aug 21 18:19:12 f7 kernel: ds: 007b es: 007b fs: 00d8 gs: 0000
ss: 0068
Aug 21 18:19:12 f7 kernel: Process login (pid: 2310, ti=f7f98000
task=f70de2b0 task.ti=f7f98000)
Aug 21 18:19:12 f7 kernel: Stack: c06ab7d9 fffffff3 00000000 c06f27ac
fffffff3 fffffff3 00000000 c04ad93d
Aug 21 18:19:12 f7 kernel: c06f27a0 f77b8878 c04ad987 f77b8800
f77b8800 f77b8878 c0555fae f7c8df00
Aug 21 18:19:12 f7 kernel: c05509ee f77b8800 f773e938 00000000
00000000 c0550a20 f70aa800 c053660d
Aug 21 18:19:12 f7 kernel: Call Trace:
Aug 21 18:19:12 f7 kernel: [<c04ad93d>] remove_files+0x15/0x1e
Aug 21 18:19:12 f7 kernel: [<c04ad987>] sysfs_remove_group+0x41/0x57
Aug 21 18:19:12 f7 kernel: [<c0555fae>] device_pm_remove+0x32/0x70
Aug 21 18:19:12 f7 kernel: [<c05509ee>] device_del+0x183/0x1ad
Aug 21 18:19:12 f7 kernel: [<c0550a20>] device_unregister+0x8/0x10
Aug 21 18:19:12 f7 kernel: [<c053660d>] vcs_remove_sysfs+0x17/0x31
Aug 21 18:19:12 f7 kernel: [<c053b24a>] con_close+0x49/0x5b
Aug 21 18:19:12 f7 kernel: [<c052fec7>] release_dev+0x1df/0x5e3
Aug 21 18:19:12 f7 kernel: [<c045d35e>] free_pages_bulk+0x100/0x16e
Aug 21 18:19:12 f7 kernel: [<c045d585>] __pagevec_free+0x14/0x1a
Aug 21 18:19:12 f7 kernel: [<c045f7a5>] release_pages+0x10a/0x112
Aug 21 18:19:12 f7 kernel: [<c05302da>] tty_release+0xf/0x18
Aug 21 18:19:12 f7 kernel: [<c04765eb>] __fput+0xb4/0x16a
Aug 21 18:19:12 f7 kernel: [<c04740f9>] filp_close+0x51/0x58
Aug 21 18:19:12 f7 kernel: [<c0428683>] put_files_struct+0x5f/0xa7
Aug 21 18:19:12 f7 kernel: [<c04296be>] do_exit+0x21f/0x6d3
Aug 21 18:19:12 f7 kernel: [<c0429bdf>] sys_exit_group+0x0/0xd
Aug 21 18:19:12 f7 kernel: [<c0404f70>] syscall_call+0x7/0xb
Aug 21 18:19:12 f7 kernel: [<c0600000>] __sched_text_start+0x6e8/0x89e
Aug 21 18:19:12 f7 kernel: =======================
Aug 21 18:19:12 f7 kernel: Code: 8b 40 24 8b 40 24 c3 8b 40 14 8b 00
c3 8b 40 14 8b 00 c3 55 57 56 53 83 ec 0c 85 c0 89 44 24 04 89 14 24
0f 84 ed 00 00 00 89 c2 <8b> 40 0c 85 c0 0f 84 e0 00 00 00 8b 52 54
83 c0 74 89 54 24 08
Aug 21 18:19:12 f7 kernel: EIP: [<c04ab620>] sysfs_hash_and_remove
+0x18/0x110 SS:ESP 0068:f7f98e04
Aug 21 18:19:12 f7 kernel: Fixing recursive fault but reboot is needed!
potentially relevant rpm versions
kernel-2.6.21-1.3194.fc7
audit-1.5.3-1.fc7
util-linux-2.13-0.52.fc7
checkpolicy-2.0.3-1.fc7
policycoreutils-2.0.16-11.fc7
policycoreutils-gui-2.0.16-11.fc7
policycoreutils-newrole-2.0.16-11.fc7
seedit-policy-2.1.1-2.fc7.2
selinux-policy-2.6.4-33.fc7
selinux-policy-devel-2.6.4-33.fc7
selinux-policy-mls-2.6.4-33.fc7
selinux-policy-targeted-2.6.4-33.fc7
joe
15 years, 7 months
SElinux beginner
by jihene tanneche
I want to compile SELinux under kernel 2.6 independently of the Linux
distribution, because later I will port SELinux to an embedded system.
Any help?
Thanks
15 years, 7 months
cups AVC...
by Tom London
Running latest Rawhide, I get the following when configuring a printer
inside of Cups web interface (localhost:631):
type=AVC msg=audit(1187113075.195:823): avc: denied { getattr } for
pid=20531 comm="hp" path="/usr/share/snmp/mibs/.index" dev=dm-0
ino=9240602 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187113075.195:823): arch=40000003 syscall=195
success=yes exit=0 a0=bfef1ab8 a1=bfef179c a2=9e0ff4 a3=3a items=0
ppid=14556 pid=20531 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7
sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1187113075.195:824): avc: denied { read } for
pid=20531 comm="hp" name=".index" dev=dm-0 ino=9240602
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1187113075.195:824): arch=40000003 syscall=5
success=yes exit=5 a0=bfef1ab8 a1=8000 a2=1b6 a3=87f6f30 items=0
ppid=14556 pid=20531 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7
sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
--
Tom London
15 years, 7 months
Fwd: SElinux beginner
by jihene tanneche
I want to compile SELinux under kernel 2.6 independently of the Linux
distribution, because later I will port SELinux to an embedded system with ARM9.
Any help?
Thanks
15 years, 7 months
xdm_server_t wants urandom_device_t
by Tom London
Latest Rawhide, targeted/enforcing.
Get this early (right after cups 'label change' start up messages):
type=AVC msg=audit(1187373560.608:18): avc: denied { read } for
pid=3111 comm="sh" name="urandom" dev=tmpfs ino=2350
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1187373560.608:18): arch=40000003 syscall=5
success=no exit=-13 a0=80d2bc0 a1=8000 a2=0 a3=8000 items=0 ppid=3075
pid=3111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty7 comm="sh" exe="/bin/bash"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
--
Tom London
15 years, 7 months
ldconfig denials on F7
by Jason L Tibbitts III
I'm seeing a ton of the following denials when installing packages:
audit(1187332559.271:77): avc: denied { use } for pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
My specific situation may be odd. I kickstart a small system from a
fully updated repo. Then when that system boots, /etc/rc.local calls
a script which calls yum to install the rest of the system. Is it
possible that this arrangement misses some essential domain
transition?
The selinux packages installed are:
selinux-policy-2.6.4-33.fc7.noarch
selinux-policy-targeted-2.6.4-33.fc7.noarch
- J<
15 years, 7 months
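An added example, not part of any post in this archive: a small Python parser that turns AVC denials like the ones quoted in the login, cups and ldconfig posts above into candidate allow rules for review, merging permissions per source/target/class and writing `self` when both contexts carry the same type. The function names are illustrative, and the sample input is the page's own records re-joined onto single lines.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: records quoted in the posts on this page, each re-joined onto
# one line; the SYSCALL record is trimmed to its first fields.
SAMPLE_LOG = [
    'type=AVC msg=audit(1187740851.272:22): avc: denied { audit_control } for pid=2299 comm="login" capability=30 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1187113075.195:823): avc: denied { getattr } for pid=20531 comm="hp" path="/usr/share/snmp/mibs/.index" dev=dm-0 ino=9240602 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1187113075.195:823): arch=40000003 syscall=195 success=yes exit=0',
    'type=AVC msg=audit(1187113075.195:824): avc: denied { read } for pid=20531 comm="hp" name=".index" dev=dm-0 ino=9240602 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file',
    'audit(1187332559.271:77): avc: denied { use } for pid=3692 comm="ldconfig" name="console" dev=tmpfs ino=1143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd',
]


def context_type(ctx):
    """Type field of user:role:type[:level]; an MLS level may itself contain ':'."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return parts[2]


def parse_avc(line):
    """Return (source_type, target_type, class, [perms]) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL and other record types
    fields = dict(KV_RE.findall(m.group(2)))
    try:
        return (context_type(fields['scontext']), context_type(fields['tcontext']),
                fields['tclass'], m.group(1).split())
    except (KeyError, ValueError):
        return None  # truncated or malformed record


def candidate_rules(lines):
    """Merge denials per (source, target, class) and render them as allow rules."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        src, tgt, cls, perms = rec
        merged[(src, 'self' if tgt == src else tgt, cls)].update(perms)
    return ['allow %s %s:%s %s;' % (src, tgt, cls, p[0] if len(p) == 1 else '{ %s }' % ' '.join(p))
            for (src, tgt, cls), p in sorted((k, sorted(v)) for k, v in merged.items())]
```

On a real system audit2allow does this job; the output only restates what was denied, so each rule still needs a decision on whether the access should be granted or the labeling or domain transition corrected instead.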
[RFC] policy about nas sound server
by NZzi
Hi all,
I wrote a module for Network Audio System (NAS) in Fedora
rawhide.
At first I thought there was no policy for NAS, so I wrote one
from scratch, but after finishing I found there is a
soundserver module in the policy, so I ported my NAS policy
into this module.
I am not familiar with NAS, so I just made some tests for the
new soundserver policy, especially some tools in the nas package,
including:
audemo, audial, auinfo, aupanel, auplay......
IMHO, it seems to work well, and there were no errors
about nas in the audit messages.
-(:16:13:$)-> rpm -q nas
nas-1.9-2.fc7.i386
-(yangshao@Nerazzurri:pts/2)--------------------------------------(~/workBench/selinux/soundserver)-(5/5)-
-(:16:13:$)-> ps axZ|grep nas
system_u:system_r:soundd_t 2322 ? S 0:00 nasd -b -local
system_u:system_r:unconfined_t 4329 pts/2 S+ 0:00 egrep --color
-r --exclude=*.svn* nas
-(yangshao@Nerazzurri:pts/2)--------------------------------------(~/workBench/selinux/soundserver)-(5/5)-
-(:16:13:$)-> rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.4-1.fc8.noarch
please review this patch.
15 years, 7 months
where can i find selinux policy sourcecode
by dee kitty
I want to learn how to configure the SELinux policy, and I have installed Fedora 7, but I don't find the TE configuration files mentioned in the paper "configuring the selinux policy" in /etc/selinux. Then I found many SELinux policies, such as the SELinux reference policy, and installed it. But I still don't find many of the files mentioned in the paper "configuring the selinux policy". What can I do?
Thank you very much
15 years, 7 months