September 2007 - selinux - Fedora Mailing-Lists

by Ryan Skadberg

I have been trying to get nagios up and running on 2 different machines. One running FC5 and one running FC6. Nagios itself starts up fine, but the web interface fails miserably. When looking at /var/log/messages, I see things like: Dec 3 11:38:17 xray kernel: audit(1165174697.348:289): avc: denied { execute_no_trans } for pid=22237 comm="httpd" name="tac.cgi" dev=dm-0 ino=11272226 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file I noticed in the selinux-policy-targeted Changelog: * Wed Jul 26 2006 Dan Walsh <dwalsh(a)redhat.com> 2.3.3-13 - Add nagios policy This may have been for the program itself or maybe the web interface, but it sure doesn't seem to be working for me. Both systems are set to: SELINUX=enforcing SELINUXTYPE=targeted SETLOCALDEFS=0 Anyone have any advice on how to fix this? Thanks! Skadz

16 years, 7 months

3
4
0 / 0

cups/snmpd_var_lib_t

by Tom London

Got this when printing: Summary SELinux is preventing /usr/lib/cups/backend/hp (cupsd_t) "getattr" to /usr/share/snmp/mibs/.index (snmpd_var_lib_t). Detailed Description SELinux denied access requested by /usr/lib/cups/backend/hp. It is not expected that this access is required by /usr/lib/cups/backend/hp and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/share/snmp/mibs/.index, restorecon -v /usr/share/snmp/mibs/.index If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:cupsd_t:SystemLow-SystemHigh Target Context system_u:object_r:snmpd_var_lib_t Target Objects /usr/share/snmp/mibs/.index [ file ] Affected RPM Packages hplip-2.7.7-4.fc8 [application] Policy RPM selinux-policy-3.0.7-10.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.23-0.174.rc6.fc8 #1 SMP Tue Sep 11 19:06:17 EDT 2007 i686 i686 Alert Count 4 First Seen Wed 12 Sep 2007 09:09:26 AM PDT Last Seen Wed 12 Sep 2007 09:11:38 AM PDT Local ID 147ebf61-d964-48b7-b572-befcad9e1411 Line Numbers Raw Audit Messages avc: denied { getattr } for comm=hp dev=dm-0 egid=7 euid=4 exe=/usr/lib/cups/backend/hp exit=-13 fsgid=7 fsuid=4 gid=7 items=0 path=/usr/share/snmp/mibs/.index pid=6246 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file tcontext=system_u:object_r:snmpd_var_lib_t:s0 tty=(none) uid=4 -- Tom London

16 years, 7 months

1
0
0 / 0

maxima fails to load because of selinux, other things happening

by Antonio Olivares

Dear all, I am having difficulties with maxima because of selinux. Other denied avcs have been corrected by following troubleshooters advice. avc: denied { create } for comm="newaliases" egid=51 euid=0 exe="/usr/sbin/sendmail.sendmail" exit=-13 fsgid=51 fsuid=0 gid=0 items=0 name="aliases.db" pid=7643 scontext=system_u:system_r:sendmail_t:s0 sgid=51 subj=system_u:system_r:sendmail_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_aliases_t:s0 tty=(none) uid=0 restorecon -v aliases.db [olivares@localhost ~]$ su - Password: [root@localhost ~]# restorecon -v aliases.db restorecon: stat error on aliases.db: No such file or directory [root@localhost ~]# avc: denied { execmem } for comm="mplayer" egid=500 euid=500 exe="/usr/local/bin/mplayer" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=3151 scontext=system_u:system_r:unconfined_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500 [root@localhost ~]# chcon -t unconfined_execmem_exec_t /usr/local/bin/mplayer [root@localhost ~]# semanage fcontext -a -t unconfined_execmem_exec_t /usr/local/bin/mplayer [root@localhost ~]# [olivares@localhost ~]$ maxima & [1] 3834 [olivares@localhost ~]$ xmaxima & [2] 3859 [1] Segmentation fault maxima [olivares@localhost ~]$ su - Password: [root@localhost ~]# chcon -t unconfined_execmem_exec_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root@localhost ~]# semanage fcontext -a -t unconfined_execmem_exec_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root@localhost ~]# chcon -t unconfined_execmem_exec_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root@localhost ~]# [root@localhost ~]# chcon -t textrel_shlib_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root@localhost ~]# semanage fcontext -a -t textrel_shlib_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root@localhost ~]# Did not work so I filed a bug report: https://bugzilla.redhat.com/show_bug.cgi?id=287761 Regards, Antonio ____________________________________________________________________________________ Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online. http://smallbusiness.yahoo.com/webhosting

16 years, 7 months

1
0
0 / 0

Error: setroubleshootd dead but subsys locked (Repost)

by Steven Stromer

Had a strange, and as yet unexplained, 'event' (I wasn't in front of the machine when things went weird) that took place while a system was left running a large rsync over ssh. On returning, a majority of the directories under /var vanished, and a number of services refused to start after a reboot, including auditd, nfsd, system message bus, hpiod, hpssd, mysql, syslogd, httpd, sm-client, and setroubleshootd. In the cases of most of these services, there seemed to be problems either with orphaned /var/run/*.pid files, or with orphaned /var/lock/subsys/* lock files. Also, many services were reporting 'subsys locked'. Deleting orphaned files, followed by relabeling the filesystem selinux permissions did the trick, with relabeling being the key to getting things going again. Debugging was made more challenging by the fact that I had no logs to refer to. Now, almost all seems well, but I can't get setroubleshootd to start unless I select 'setroubleshootd_disable_trans'. Without this checked, setroubleshootd seems to start, but then fails: [root@file1 subsys]# rm setroubleshootd rm: remove regular empty file `setroubleshootd'? y [root@file1 subsys]# service setroubleshoot status setroubleshootd is stopped [root@file1 subsys]# service setroubleshoot start Starting setroubleshootd: [ OK ] [root@file1 subsys]# service setroubleshoot status setroubleshootd dead but subsys locked Attempting to run setroubleshoot generates the error: 'attempt to open server connection failed: (2, 'No such file or directory') Since someone might ask about permissions: [root@file1 subsys]# ls -laRZ /var/log | grep setroubleshoot drwxr-xr-x root root system_u:object_r:setroubleshoot_var_log_t setroubleshoot /var/log/setroubleshoot: drwxr-xr-x root root system_u:object_r:setroubleshoot_var_log_t . -rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log -rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.1 -rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.2 Can anyone explain why setroubleshootd_disable_trans should need to be selected? Also, since this entire event seems to have close ties to selinux, would anyone have an idea what might have happened to this system? Thanks for any ideas; it's been a long day... Steven Stromer

16 years, 7 months

1
0
0 / 0

denied avc for wine

by Antonio Olivares

Finally, the denied avc for wine appeared. Wine started working yesterday and it is running now and here is the avc denial for it. Summary SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write" to <Unknown> (wine_t). Detailed Description SELinux denied access requested by /usr/bin/Xorg. It is not expected that this access is required by /usr/bin/Xorg and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:xdm_xserver_t:SystemLow- SystemHigh Target Context system_u:system_r:wine_t Target Objects None [ shm ] Affected RPM Packages xorg-x11-server-Xorg-1.3.0.0-23.fc8 [application] Policy RPM selinux-policy-3.0.7-10.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall Host Name localhost Platform Linux localhost 2.6.23-0.174.rc6.fc8 #1 SMP Tue Sep 11 19:06:17 EDT 2007 i686 athlon Alert Count 2 First Seen Wed 12 Sep 2007 08:10:49 AM CDT Last Seen Wed 12 Sep 2007 08:10:49 AM CDT Local ID 8b5115b9-d7d8-40de-8f2b-5ffb7e7ecfb7 Line Numbers Raw Audit Messages avc: denied { unix_read, unix_write } for comm=X egid=0 euid=0 exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2440 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=shm tcontext=system_u:system_r:wine_t:s0 tty=tty7 uid=0 Please advice on how to deal with this. I was quiet and using another computer but now since wine started working I came back to it and I saw this. Thanks, Antonio ____________________________________________________________________________________ Yahoo! oneSearch: Finally, mobile search that gives answers, not web links. http://mobile.yahoo.com/mobileweb/onesearch?refer=1ONXIC

16 years, 7 months

1
0
0 / 0

Error: setroubleshootd dead but subsys locked

by Steven Stromer

Had a strange, and as yet unexplained, 'event' (I wasn't in front of the machine when things went weird) that took place while a system was left running a large rsync over ssh. On returning, a majority of the directories under /var vanished, and a number of services refused to start after a reboot, including auditd, nfsd, system message bus, hpiod, hpssd, mysql, syslogd, httpd, sm-client, and setroubleshootd. In the cases of most of these services, there seemed to be problems either with orphaned /var/run/*.pid files, or with orphaned /var/lock/subsys/* lock files. Also, many services were reporting 'subsys locked'. Deleting orphaned files, followed by relabeling the filesystem selinux permissions did the trick, with relabeling being the key to getting things going again. Debugging was made more challenging by the fact that I had no logs to refer to. Now, almost all seems well, but I can't get setroubleshootd to start unless I select 'setroubleshootd_disable_trans'. Without this checked, setroubleshootd seems to start, but then fails: [root@file1 subsys]# rm setroubleshootd rm: remove regular empty file `setroubleshootd'? y [root@file1 subsys]# service setroubleshoot status setroubleshootd is stopped [root@file1 subsys]# service setroubleshoot start Starting setroubleshootd: [ OK ] [root@file1 subsys]# service setroubleshoot status setroubleshootd dead but subsys locked Attempting to run setroubleshoot generates the error: 'attempt to open server connection failed: (2, 'No such file or directory') Since someone might ask about permissions: [root@file1 subsys]# ls -laRZ /var/log | grep setroubleshoot drwxr-xr-x root root system_u:object_r:setroubleshoot_var_log_t setroubleshoot /var/log/setroubleshoot: drwxr-xr-x root root system_u:object_r:setroubleshoot_var_log_t . -rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log -rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.1 -rw-r--r-- root root system_u:object_r:setroubleshoot_var_log_t setroubleshootd.log.2 Can anyone explain why setroubleshootd_disable_trans should need to be selected? Also, since this entire event seems to have close ties to selinux, would anyone have an idea what might have happened to this system? Thanks for any ideas; it's been a long day... Steven Stromer

16 years, 7 months

1
0
0 / 0

Labelling a new port

by Konstantin Ryabitsev

Hello, all: I'm trying to write a policy for memcached, but I'm not sure how I'd declare a new memcached_port_t (11211/tcp). Any pointers? TIA! Cheers, -- Konstantin Ryabitsev Montréal, Québec

16 years, 7 months

4
6
0 / 0

anybody running backup and virus scanner solution on SELinux

by bala

Hi All, We would like to know, anybody using commercial [OR] open source based backup and virus scanner products on SELinux environement. pls share and suggest some products that runs and tested on SELinux environment. thanks in advance, -bala- ____________________________________________________________________________________ Sick sense of humor? Visit Yahoo! TV's Comedy with an Edge to see what's on, when. http://tv.yahoo.com/collections/222

16 years, 7 months

1
0
0 / 0

setroubleshootd: write access to "system_bus_socket" ....?

by Tom London

Running latest rawhide, targeted/enforcing. Just started noticing this: type=AVC msg=audit(1189383749.641:16): avc: denied { write } for pid=3307 comm="setroubleshootd" name="system_bus_socket" dev=dm-0 ino=65933 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file type=SYSCALL msg=audit(1189383749.641:16): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf980f90 a2=8c5474 a3=0 items=0 ppid=1 pid=3307 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null) [tbl@localhost ~]$ ls -lZ /var/run/dbus/system* srwxrwxrwx root root system_u:object_r:system_dbusd_var_run_t /var/run/dbus/system_bus_socket [tbl@localhost ~]$ tom -- Tom London

16 years, 7 months

1
0
0 / 0

order of rules?

by "Stanisław T. Findeisen"

Please tell me if the following is correct about resource access in SELinux: (1) everything is denied by default (2) administrator can add "allow" rules (3) SO, there is nothing about "rule chains", like in iptables. There is just rule SET. In other words, order of rules is not significant. True or false? Thanks. -- "Serce medrcow jest w domu zaloby, a serce glupcow w domu wesela." (Koh 7:4)

16 years, 7 months

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux September 2007