SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write" to <Unknown> (wine_t).
by Antonio Olivares
Are any of the testers still seeing this after the updates?
Summary
SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write"
to <Unknown> (wine_t).
Detailed Description
SELinux denied access requested by /usr/bin/Xorg. It is not expected that
this access is required by /usr/bin/Xorg and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
Target Context system_u:system_r:wine_t:s0
Target Objects None [ shm ]
Affected RPM Packages xorg-x11-server-Xorg-1.3.0.0-24.fc8 [application]
Policy RPM selinux-policy-3.0.8-2.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.23-0.187.rc6.git7.fc8 #1 SMP Tue Sep 18
18:05:52 EDT 2007 i686 i686
Alert Count 122
First Seen Fri 21 Sep 2007 08:05:30 AM CDT
Last Seen Fri 21 Sep 2007 08:06:41 AM CDT
Local ID 0ccdd94f-6b5d-4d1c-a03c-90f450f7d265
Line Numbers
Raw Audit Messages
avc: denied { unix_read, unix_write } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2484
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm
tcontext=system_u:system_r:wine_t:s0 tty=tty7 uid=0
Regards,
Antonio
unconfined_execmem_t and dbus,avahi
by Tom London
Running latest Rawhide, targeted/enforcing.
I run rhythmbox in 'unconfined_execmem_t' to allow it to load an MP3
library (allows me to play stuff from my iPod).
I get the following AVCs (the first from /var/log/messages). (I'm
guessing the second is from rhythmbox too).
Sep 19 07:17:25 localhost dbus: avc: denied { acquire_svc } for
service=org.gnome.Rhythmbox spid=5080
scontext=system_u:system_r:unconfined_execmem_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=dbus
type=USER_AVC msg=audit(1190211461.162:23): user pid=3090 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied { send_msg } for msgtype=method_call
interface=org.freedesktop.Avahi.Server member=GetAPIVersion
dest=org.freedesktop.Avahi spid=5080 tpid=4092
scontext=system_u:system_r:unconfined_execmem_t:s0
tcontext=system_u:system_r:avahi_t:s0 tclass=dbus :
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
Issues to allow such?
tom
--
Tom London
hald denied avcs for Fedora Core 6
by Antonio Olivares
Dear all,
I am getting the following denied AVCs for hald upon startup/shutdown. The SELinux policy is up to date; how can I fix this? There is no troubleshooter like in Fedora 7 that suggests a fix.
audit(1189722647.486:4): avc: denied { use } for pid=3098 comm="hald" name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
audit(1189722647.487:5): avc: denied { use } for pid=3098 comm="hald" name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
audit(1189722647.488:6): avc: denied { use } for pid=3098 comm="hald" name="console" dev=tmpfs ino=1083 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
[olivares@localhost ~]$ rpm -qa selinux*
selinux-policy-2.4.6-80.fc6
selinux-policy-targeted-2.4.6-80.fc6
[olivares@localhost ~]$
Thanks,
Antonio
Squirrelmail_disk_quota_plugin
by Ludman Tamás
Hi all,
Sorry for my bad English, I hope you understand my problem.
I would like to use Squirrelmail's plugin quota_check, but SELinux
doesn't allow this...
"...disk quota plugin: Uses the *nix quota binary as wwwquota to get
information about and show the disk quota usage of the user logged in.
It incorporates Flash movies to display more attractive and interactive
information. ..."
I tried these:
[root@modules]# cat /var/log/audit/audit.log | audit2allow -m local > local
[root@modules]# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 6) to local.mod
[root@modules]# semodule_package -o local.pp -m local.mod
[root@modules]# semodule -i local.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
httpd_t s
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
and I tried another way, but the result is the same as above:
# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp
______________________________________________
in my audit.log:
....
type=AVC msg=audit(1189681628.573:13563): avc: denied { read } for
pid=31798 comm="sudo" name="shadow" dev=md8 ino=1949004
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681628.573:13564): avc: denied { write } for
pid=31798 comm="sudo" name="log" dev=tmpfs ino=11165
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1189681697.332:13578): avc: denied { read } for
pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.332:13579): avc: denied { getattr } for
pid=31845 comm="sudo" name="shadow" dev=md8 ino=1949004
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681697.334:13580): avc: denied { write } for
pid=31845 comm="sudo" name="log" dev=tmpfs ino=11165
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=AVC msg=audit(1189681697.334:13580): avc: denied { sendto } for
pid=31845 comm="sudo" name="log" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1189681704.450:13587): avc: denied { read } for
pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681704.450:13588): avc: denied { getattr } for
pid=31858 comm="sudo" name="shadow" dev=md8 ino=1949004
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1189681776.487:13607): avc: denied { search } for
pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1189681776.489:13608): avc: denied { getattr } for
pid=31945 comm="wwwquota" name="md6" dev=tmpfs ino=7380
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1189681776.490:13609): avc: denied { quotaget }
for pid=31945 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1189681826.629:13630): avc: denied { search } for
pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1189681826.631:13631): avc: denied { getattr } for
pid=31975 comm="wwwquota" name="md6" dev=tmpfs ino=7380
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1189681826.632:13632): avc: denied { quotaget }
for pid=31975 comm="wwwquota" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
.....
______________________________________________
in my /etc/sudoers:
...
apache ALL=NOPASSWD: /usr/bin/wwwquota -v [A-z]*
...
______________________________________________
in my /etc/selinux/config:
SELINUX=enforcing
SELINUXTYPE=targeted
SETLOCALDEFS=0
______________________________________________
My system is:
Fedora Core 6, kernel 2.6.22.2-42.fc6
libselinux.i386 1.33.4-2.fc6
libselinux-devel.i386 1.33.4-2.fc6
selinux-policy.noarch 2.4.6-80.fc6
selinux-policy-devel.noarch 2.4.6-80.fc6
selinux-policy-mls.noarch 2.4.6-80.fc6
selinux-policy-strict.noarch 2.4.6-80.fc6
selinux-policy-targeted.noarch 2.4.6-80.fc6
What can I do?
Thanx a lot, everybody.
LT
Re: selinux denies wine and xorg
by Daniel J Walsh
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Adam Jackson wrote:
> On Wed, 2007-09-12 at 16:32 -0700, Antonio Olivares wrote:
>> https://bugzilla.redhat.com/show_bug.cgi?id=288671
>>
>> Just following the advice given here:
>> Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>>
>> against this package.
>>
>> Summary
>> SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write"
>> to <Unknown> (wine_t).
>>
>> Detailed Description
>> SELinux denied access requested by /usr/bin/Xorg. It is not expected that
>> this access is required by /usr/bin/Xorg and this access may signal an
>> intrusion attempt. It is also possible that the specific version or
>> configuration of the application is causing it to require additional access.
>>
>> Allowing Access
>> You can generate a local policy module to allow this access - see
>> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>> SELinux protection altogether. Disabling SELinux protection is not
>> recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>> against this package.
>>
>> Additional Information
>>
>> Source Context system_u:system_r:xdm_xserver_t:SystemLow-
>> SystemHigh
>> Target Context system_u:system_r:wine_t
>> Target Objects None [ shm ]
>
> That's... quite odd. Whatever shm objects X wants to talk to should be
> fine, but it's not clear what kind of object it is from this report.
>
> - ajax
>
Fixed in selinux-policy-3.0.8-1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFG8AEGrlYvE4MpobMRAkidAJ4huVxe/B0n5N4JOkDPP5i0S7KN8wCfVOLl
bRs/0rnjIRVkG6Fv/QE/hjA=
=CQ93
-----END PGP SIGNATURE-----
funny AVC from virt-manager
by Tom London
Running latest rawhide.
If I try to 'run/open' a kvm virtual machine using virt-manager, I get
the following AVC:
type=AVC msg=audit(1189626420.012:34): avc: denied { execmem } for
pid=8603 comm="/usr/share/virt"
scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1189626420.012:34): arch=40000003 syscall=192
success=no exit=-13 a0=0 a1=1000000 a2=7 a3=121 items=0 ppid=8602
pid=8603 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=(none) comm="/usr/share/virt"
exe="/usr/bin/python" subj=system_u:system_r:unconfined_t:s0
key=(null)
Notice the reference to '/usr/share/virt'. This doesn't exist (but
/usr/share/virt-manager does exist).
Ignoring the evident problem with virt-manager, any idea why the
'audit trail' would appear to be messed up?
tom
--
Tom London
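The denials quoted in the Squirrelmail post above (where the audit2allow-generated module is rejected because httpd_t reading shadow_t violates a policy assertion) and the truncated comm="/usr/share/virt" in this virt-manager post both come down to reading AVC records carefully before acting on them. The script below is an added example, not code from any of the list posts or from the SELinux tools; it parses kernel AVC and dbus USER_AVC lines, summarises them by source domain, target type, class and permission, flags denials against a watchlist of sensitive target types (the watchlist is a constructed assumption; shadow_t is the only entry the thread supports), and marks comm values that are exactly 15 characters, the limit imposed by the kernel's 16-byte TASK_COMM_LEN buffer. The sample records are copied from the messages in this thread.

```python
"""Triage SELinux AVC denials from audit.log / syslog lines (added example)."""
import re
from collections import Counter

# The kernel keeps a task's name in a TASK_COMM_LEN (16) byte buffer, so the
# comm= field of an audit record never exceeds 15 characters; a comm that is
# exactly 15 long, such as "/usr/share/virt", is most likely a cut-off name.
TASK_COMM_LEN = 16

# Constructed watchlist (assumption, not from the thread): target types whose
# denials should be investigated rather than silenced with an allow rule.
# The reference policy guards shadow_t with neverallow assertions, which is
# what makes a generated "allow httpd_t shadow_t" module fail to install.
SENSITIVE_TARGET_TYPES = {"shadow_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample records copied from the thread: kernel AVC lines, one SYSCALL line the
# parser must ignore, and one dbus USER_AVC line whose fields sit inside msg='...'.
SAMPLE_LINES = [
    'avc: denied { unix_read, unix_write } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2484 '
    'scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 '
    'subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm '
    'tcontext=system_u:system_r:wine_t:s0 tty=tty7 uid=0',
    'type=AVC msg=audit(1189681628.573:13563): avc: denied { read } for pid=31798 '
    'comm="sudo" name="shadow" dev=md8 ino=1949004 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1189681776.490:13609): avc: denied { quotaget } for pid=31945 '
    'comm="wwwquota" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1189626420.012:34): avc: denied { execmem } for pid=8603 '
    'comm="/usr/share/virt" scontext=system_u:system_r:unconfined_t:s0 '
    'tcontext=system_u:system_r:unconfined_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1189626420.012:34): arch=40000003 syscall=192 success=no '
    'exit=-13 pid=8603 comm="/usr/share/virt" exe="/usr/bin/python"',
    "type=USER_AVC msg=audit(1190211461.162:23): user pid=3090 uid=81 auid=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for "
    "msgtype=method_call interface=org.freedesktop.Avahi.Server member=GetAPIVersion "
    "dest=org.freedesktop.Avahi spid=5080 tpid=4092 "
    "scontext=system_u:system_r:unconfined_execmem_t:s0 "
    "tcontext=system_u:system_r:avahi_t:s0 tclass=dbus : exe=\"/bin/dbus-daemon\" "
    "(sauid=81, hostname=?, addr=?, terminal=?)'",
]


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one kernel AVC or dbus USER_AVC denial; return None for other records."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value.strip('"'))  # keep first occurrence of a key
    comm = fields.get("comm", "")
    rec = {
        "record": fields.get("type", "AVC"),
        "perms": [p.rstrip(",") for p in match.group("perms").split()],
        # dbus reports its own pid; the sender that was denied is spid
        "pid": fields.get("spid") or fields.get("pid"),
        "comm": comm,
        "sdomain": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "flags": [],
    }
    if rec["ttype"] in SENSITIVE_TARGET_TYPES:
        rec["flags"].append("sensitive-target")
    if len(comm) >= TASK_COMM_LEN - 1:
        rec["flags"].append("comm-truncated")
    return rec


def triage(lines):
    """Parse every denial in an iterable of log lines, skipping other records."""
    return [r for r in map(parse_avc, lines) if r is not None]


def summarize(records):
    """Count (source domain, target type, class, permission) tuples."""
    counts = Counter()
    for rec in records:
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    recs = triage(SAMPLE_LINES)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} ({key[2]}: {key[3]})")
    for rec in recs:
        if rec["flags"]:
            print(f"flag {rec['flags']} pid={rec['pid']} comm={rec['comm']!r}")
```

Run it over `grep avc /var/log/audit/audit.log` (or the dbus lines in /var/log/messages) instead of the embedded samples; a tuple that appears hundreds of times against a benign target is a candidate for a local module or a bug report, while any tuple carrying the sensitive-target flag is the one not to feed to audit2allow.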
Error: setroubleshootd dead but subsys locked
by Steven Stromer
Had a strange, and as yet unexplained, 'event' (I wasn't in front of the
machine when things went weird) that took place while a system was left
running a large rsync over ssh. On returning, a majority of the
directories under /var vanished, and a number of services refused to
start after a reboot, including auditd, nfsd, system message bus, hpiod,
hpssd, mysql, syslogd, httpd, sm-client, and setroubleshootd.
In the cases of most of these services, there seemed to be problems
either with orphaned /var/run/*.pid files, or with orphaned
/var/lock/subsys/* lock files. Also, many services were reporting
'subsys locked'. Deleting orphaned files, followed by relabeling the
filesystem selinux permissions did the trick, with relabeling being the
key to getting things going again. Debugging was made more challenging
by the fact that I had no logs to refer to.
Now, almost all seems well, but I can't get setroubleshootd to start
unless I select 'setroubleshootd_disable_trans'. Without this checked,
setroubleshootd seems to start, but then fails:
[root@file1 subsys]# rm setroubleshootd
rm: remove regular empty file `setroubleshootd'? y
[root@file1 subsys]# service setroubleshoot status
setroubleshootd is stopped
[root@file1 subsys]# service setroubleshoot start
Starting setroubleshootd: [ OK ]
[root@file1 subsys]# service setroubleshoot status
setroubleshootd dead but subsys locked
Attempting to run setroubleshoot generates the error:
'attempt to open server connection failed: (2, 'No such file or directory')
Since someone might ask about permissions:
[root@file1 subsys]# ls -laRZ /var/log | grep setroubleshoot
drwxr-xr-x root root system_u:object_r:setroubleshoot_var_log_t
setroubleshoot
/var/log/setroubleshoot:
drwxr-xr-x root root system_u:object_r:setroubleshoot_var_log_t .
-rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t
setroubleshootd.log
-rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t
setroubleshootd.log.1
-rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t
setroubleshootd.log.2
Can anyone explain why setroubleshootd_disable_trans should need to be
selected? Also, since this entire event seems to have close ties to
selinux, would anyone have an idea what might have happened to this system?
Thanks for any ideas; it's been a long day...
Steven Stromer
Write denied, but no write attempted!?!
by Göran Uddeborg
I'm using xdm rather than gdm. SELinux prevents
/sbin/pam_console_apply (pam_console_t) "write" to /var/log/xdm.log
(var_log_t). It happens once every time someone logs in or out. See
the attached mail from SETroubleshoot for an example.
To understand what is going on, I tried to strace the processes. But
pam_console_apply doesn't attempt to write anything at all! See the
attached (compressed) strace from pid 4480, the process mentioned in
the SETroubleshoot mail.
Xdm has stderr pointing to /var/log/xdm.log, so it's not unlikely that
the open fd is inherited by pam_console_apply. But if the inheritance
itself was disallowed, wouldn't it be a "use" that would be denied by
SELinux rather than a "write"?
What am I missing?
(The system is not up-to-date. It is possible this message would go
away with an upgrade. I'm not looking for a way to get rid of the
message here, I'm trying to understand what is going on.)
selinux denies wine and xorg
by Antonio Olivares
https://bugzilla.redhat.com/show_bug.cgi?id=288671
Just following the advice given here:
Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Summary
SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write"
to <Unknown> (wine_t).
Detailed Description
SELinux denied access requested by /usr/bin/Xorg. It is not expected that
this access is required by /usr/bin/Xorg and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:xdm_xserver_t:SystemLow-
SystemHigh
Target Context system_u:system_r:wine_t
Target Objects None [ shm ]
Affected RPM Packages xorg-x11-server-Xorg-1.3.0.0-23.fc8 [application]
Policy RPM selinux-policy-3.0.7-10.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name localhost
Platform Linux localhost 2.6.23-0.174.rc6.fc8 #1 SMP Tue
Sep 11 19:06:17 EDT 2007 i686 athlon
Alert Count 4
First Seen Wed 12 Sep 2007 08:10:49 AM CDT
Last Seen Wed 12 Sep 2007 06:23:24 PM CDT
Local ID 8b5115b9-d7d8-40de-8f2b-5ffb7e7ecfb7
Line Numbers
Raw Audit Messages
avc: denied { unix_read, unix_write } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2447
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm
tcontext=system_u:system_r:wine_t:s0 tty=tty7 uid=0