ldconfig denials during mock builds
by Todd Zullinger
Hi,
I recently noticed some problems when building packages for rawhide
with mock. The mock logs have a lot of these:
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
error: %postun(glibc-2.6-4.i686) scriptlet failed, exit status 1
The audit messages look like this:
avc: denied { read } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="lib" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
avc: denied { write } for comm="ldconfig" dev=sda2 egid=502 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=502 fsuid=0 gid=502 items=0 name="etc" pid=4247 scontext=user_u:system_r:ldconfig_t:s0 sgid=502 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=dir tcontext=user_u:object_r:var_lib_t:s0 tty=(none) uid=0
I'm guessing this has to do with the contexts on etc:
$ ll -dZ /etc/ /var/lib/mock/fedora-development-i386/root/etc/
drwxr-xr-x root root system_u:object_r:etc_t /etc/
drwxrwsr-x build mock user_u:object_r:var_lib_t /var/lib/mock/fedora-development-i386/root/etc/
Is this something that needs to be fixed in mock or in the selinux
policy?
Thanks,
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When I think about all the crap I learned in high school ... it's a
wonder I can think at all.
-- Paul Simon
15 years, 10 months
selinux-policy-targeted no src directory ?
by MARK ROWE
Hi All,
Please can someone suggest a solution to the following? I am not that familiar with Linux and have been tasked to re-configure 2 existing servers that cannot be upgraded due to company policy etc:
I have 2 servers running MySQL on Fedora Core 4 and need to set them up for master/slave replication. This I have done but have found that SELinux is stopping the mysqld on the slave from making a network connection to the master.
I downloaded selinux-policy-targeted-1.23.16-6.noarch.rpm and installed it with no errors reported but it failed to create the /etc/selinux/targeted/src directory. I tried several times at installing the package but each time it failed to create the right directories.
Can anyone suggest how I can get this installed correctly or how I can get SELinux to allow mysqld network connection without it?
Regards,
Mark.
Re: Need help with SELinux and SGE/ssh
by Daniel J Walsh
Orion Poplawski wrote:
> Daniel J Walsh wrote:
>> What context is your sshd running under?
>> Normal sshd runs under
>>
>> system_u:system_r:sshd_t:SystemLow-SystemHigh
>>
>> I think you might be having a problem if your sshd is only running at
>> s0 and trying to log people in at
>> SystemLow-SystemHigh.
>
> Well, in permissive mode it ends up like:
>
> root:system_r:unconfined_t:SystemLow-SystemHigh orion 7737 7732 0
> 13:45 ? 00:00:00 sshd: orion@notty
>
> But this is after login. I'm not sure there's a good way to tell what
> it is before the login completes though - unless the error messages
> indicate that it is running in s0.
>
> How can I make sure that it is running at SystemLow-SystemHigh to
> start with? Get the SGE daemons running in that mode so that children
> inherit that?
>
Or set up a transition from the SGE daemons to sshd_t:s0-SystemHigh
Need help with SELinux and SGE/ssh
by Orion Poplawski
I'm running Sun Grid Engine on a CentOS 5 cluster and am having trouble
with SELinux preventing the proper setup of parallel environments.
Turning SELinux off allows everything to work properly.
The problem seems to be when SGE tries to use ssh to login to a remote
machine. As part of this process, it starts up a private sshd daemon to
handle the connection. The relevant error appears to be:
type=USER_LOGIN msg=audit(1186001097.981:19489): user pid=12066 uid=0
auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct=steph:
exe="/usr/sbin/sshd" (hostname=?, addr=192.168.0.120, terminal=sshd
res=failed)'
type=USER_ROLE_CHANGE msg=audit(1186001098.201:19491): user pid=12066
uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='sshd:
default-context=user_u:system_r:unconfined_t:s0
selected-context=user_u:system_r:unconfined_t:s0-s0:c0.c1023:
exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=? res=failed)'
sshd reports:
Aug 1 14:44:58 coop00 sshd[12066]: error: deny MLS level
SystemLow-SystemHigh (user range s0). Continuing in permissive mode
I'm at a loss here. Can anyone explain what is going on and what is
failing? How can I make it work without running in permissive mode?
Thanks!
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
hald wants more ....
by Tom London
Today's rawhide. Problems with hal starting.
In enforcing mode get this:
type=AVC msg=audit(1186156132.596:13): avc: denied { read } for
pid=2994 comm="hald" name="reload" dev=dm-0 ino=67152
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1186156132.596:13): arch=40000003 syscall=292
success=no exit=-13 a0=d a1=5379f4 a2=106 a3=8c50d88 items=0 ppid=2993
pid=2994 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="hald" exe="/usr/sbin/hald"
subj=system_u:system_r:hald_t:s0 key=(null)
Believe the reference is to /var/lib/PolicyKit/reload. Bad things
seem to happen with this reject.
Rebooting in permissive mode:
type=AVC msg=audit(1186158594.486:18): avc: denied { read } for
pid=2920 comm="hald" name="reload" dev=dm-0 ino=67152
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1186158594.486:18): arch=40000003 syscall=292
success=yes exit=1 a0=d a1=5379f4 a2=106 a3=9ae4d88 items=0 ppid=2919
pid=2920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="hald" exe="/usr/sbin/hald"
subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1186158599.790:19): avc: denied { signal } for
pid=2934 comm="hal-acl-tool" scontext=system_u:system_r:hald_acl_t:s0
tcontext=system_u:system_r:hald_acl_t:s0 tclass=process
type=SYSCALL msg=audit(1186158599.790:19): arch=40000003 syscall=270
success=yes exit=0 a0=b76 a1=b76 a2=6 a3=bf81ad5c items=0 ppid=2921
pid=2934 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="hal-acl-tool"
exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0
key=(null)
type=ANOM_ABEND msg=audit(1186158599.791:20): auid=4294967295 uid=0
gid=0 subj=system_u:system_r:hald_acl_t:s0 pid=2934
comm="hal-acl-tool" sig=6
System is happier (NetworkManager seems to work, etc.)
tom
--
Tom London
ldconfig AVCs ..... needs /var
by Tom London
Today's Rawhide: targeted/enforcing/permissive.
Today's 'yum update' of library packages that run 'ldconfig' produces:
type=AVC msg=audit(1186149388.713:55): avc: denied { write } for
pid=6019 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1186149388.713:55): arch=40000003 syscall=5
success=no exit=-13 a0=97443e0 a1=20241 a2=180 a3=97443e0 items=0
ppid=4587 pid=6019 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
Running in permissive mode:
type=AVC msg=audit(1186149533.240:59): avc: denied { write } for
pid=6055 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1186149533.240:59): avc: denied { add_name } for
pid=6055 comm="ldconfig" name="aux-cache~"
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1186149533.240:59): avc: denied { create } for
pid=6055 comm="ldconfig" name="aux-cache~"
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1186149533.240:59): arch=40000003 syscall=5
success=yes exit=3 a0=82c43e0 a1=20241 a2=180 a3=82c43e0 items=0
ppid=6051 pid=6055 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186149533.240:60): avc: denied { write } for
pid=6055 comm="ldconfig" path="/var/cache/ldconfig/aux-cache~"
dev=dm-0 ino=66583 scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1186149533.240:60): arch=40000003 syscall=4
success=yes exit=48749 a0=3 a1=82e5a48 a2=be6d a3=82c43e0 items=0
ppid=6051 pid=6055 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1186149533.241:61): avc: denied { remove_name }
for pid=6055 comm="ldconfig" name="aux-cache~" dev=dm-0 ino=66583
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1186149533.241:61): avc: denied { rename } for
pid=6055 comm="ldconfig" name="aux-cache~" dev=dm-0 ino=66583
scontext=system_u:system_r:ldconfig_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1186149533.241:61): arch=40000003 syscall=38
success=yes exit=0 a0=82c43e0 a1=80c5ef2 a2=3 a3=82c43e0 items=0
ppid=6051 pid=6055 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="ldconfig" exe="/sbin/ldconfig"
subj=system_u:system_r:ldconfig_t:s0 key=(null)
tom
--
Tom London
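A small parser for the AVC records in the hald and ldconfig posts above (it also handles the bare "avc: denied" lines in the mock thread), written here as an added example and not code from the posts, from audit2allow or from the policy project: it groups denied permissions by source type, target type and object class the way audit2allow does, and marks groups whose target is a generic type such as var_t or var_lib_t, which in these threads point at a directory carrying the wrong label rather than at a missing policy rule. The sample records are the page's own, re-joined onto one line each; the set of generic types is a heuristic chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC records copied from the posts above and
# re-joined onto one line each (mail clients wrap them).
SAMPLE = """\
type=AVC msg=audit(1186149388.713:55): avc: denied { write } for pid=6019 comm="ldconfig" name="ldconfig" dev=dm-0 ino=67143 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1186149533.240:59): avc: denied { add_name } for pid=6055 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1186149533.240:59): avc: denied { create } for pid=6055 comm="ldconfig" name="aux-cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1186156132.596:13): avc: denied { read } for pid=2994 comm="hald" name="reload" dev=dm-0 ino=67152 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# Heuristic (assumption of this example): a denial whose target carries one of
# these catch-all types usually means a mislabeled file, not a missing rule.
GENERIC_TYPES = {"var_t", "var_lib_t", "etc_t"}


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Extract permissions, source type, target type and class from one record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": m.group("perms").split(),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass")}


def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def report(text):
    """One audit2allow-style line per group; generic targets get a label-check note."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(summarize(text).items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        if ttype in GENERIC_TYPES:
            rule += "  # generic target type: check labels with ls -Z before allowing"
        lines.append(rule)
    return lines
```

Run `report(SAMPLE)` to see the three grouped rules; every one here is flagged, which matches the threads' conclusion that the labels, not the policy, are at fault.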
[ANN] SETools 3.3 Release
by Christopher J. PeBenito
A new release of SETools is now available on the Tresys OSS site, from
http://oss.tresys.com. The primary changes this release are performance
enhancements, especially for source policies, the ability to select
which AV rules are compared (allow and dontaudit only, for example) in
sediff and sediffx, and a rewrite of libsefs with C++. The complete
change log for this release follows.
SETools 3.3:
SETools:
* SETools now has an external dependency upon libsqlite3 >= 3.2. The
supplied configure script will enforce this dependency.
* pkg-config scripts are installed with the SETools libraries.
libsefs:
* Rewrite of library to have proper namespaces and much more usable
object-oriented design.
* SWIG wrappers generated for this library if the appropriate
configure flags are set.
findcon, searchcon:
* Merge searchcon's functionality into findcon. The searchcon tool
has been removed from SETools.
indexcon, replcon:
* Updated to use new libsefs design.
apol:
* Updated to use new libsefs design.
* Modified to use the SWIG Tcl interface rather than a custom C
library. apol is now a combination of a Tcl script (simply called
'apol') and associated packages that are required at runtime.
* Neverallow rules are only loaded and expanded when the user
performs a search for them. This will dramatically speed up
initial policy load time.
awish:
* awish is no longer needed and thus has been removed from SETools.
sediff, sediffx:
* Instead of differentiating "AV rules" or "TE rules", the user now
specifies which particular rule type to compare (allow, dontaudit,
type_transition, etc.).
* Neverallow rules are only loaded and expanded when the user
performs a diff upon them. This will dramatically speed up
initial policy load time.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
Policycoreutils man pages translation to Russian language
by Andrey Markelov
Hello,
I translated all 20 man pages from policycoreutils into Russian. Before that work I had some experience with translation (for example, translating the RHEL4 docs into Russian at A.B.A. Inventa - http://www.rhd.ru/docs/). So, I hope that my translation is OK. Also, the translation was checked by my colleague, an RHCX. Is it possible to include the translated pages in the policycoreutils package?
Also, I opened ticket #250741 in Bugzilla.
____
Andrey Markelov
Plus Communications
Phone: +7(495)777-0-111 ext.533
newrole?
by bradley
I recently have decided I was going to play with selinux. Before I set
the selinux value to enforcing I read up on it online and saw that to
change my privileges I need to use the newrole command. It seemed
simple enough, but I don't seem to have this command and there's also no
man page on it. When I checked the Fedora forums someone had the same
problem, and the only reply to it was to send an email here. Does
anyone have any information that can help me out? I am using fedora 7
on a thinkpad T60 by the way.
--Brad