January 2008 - selinux - Fedora Mailing-Lists

Memory protection and system-config-securitylevel

by Kamil J. Dudek

Hello everybody Forgive me, if this subject has already been mentioned here, but I simply couldn't find answer anywhere. Few days ago I started system-config-securitylevel. I found something interesting in "Modify SELinux policies". A memory protection - there are four options in there. Two of them are enabled, with a description that if having this enabled is required by some program, it should be reported to bugzilla. I didn't do it, because of very strange effects after turning it off. Disabling "Allow all executable files to map memory areas as executable and readable, which is dangerous and such program should be reported to bugzilla" and "Allow all executable files to mark stack as executable.That shouldn't ever be required" option(translation from polish) made system act very strange. First thing I've observed was that Kobo game stopped working. GMPC stopped playing. Also stuff outside of Fedora like Java and NVidia drivers failed. So I should have "reported to bugzilla" to many application to make it have any sense. Such bug report would be only annoying but according to system-config-securitylevel... What is it with these two options? To make everything work properly they should be enabled, but their description that they should be disabled is confusing. Thank you and forgive me any mess I've done by this post -- Pozdrawiam - Kamil J. Dudek

14 years, 2 months

2
3
0 / 0

mount point labels

by Clarkson, Mike R (US SSA)

I'm attempting to create the labeled mount point with the following command: mount -t nfs -o context=system_u:object_r:import_file_t:s0 nas:/vol/home /home/SimulatedImport/output/home The mount point is created without any errors, but the label that I specify in the mount command is not used. Instead of system_u:object_r:import_file_t, the context of the /home/SimulatedImport/output/home is system_u:object_r:nfs_t:s0. ls -dZ /home/SimulatedImport/output/home drwxr-xr-x root root system_u:object_r:nfs_t:s0 /home/m252/SimulatedImport/output/home I'm running RHEL5 with a policy built as mls off of the targeted policy. Does anyone know why the context label is not taking? Thanks

14 years, 2 months

3
7
0 / 0

xinetd rsync --daemon problems

by Chuck Anderson

I'm using Fedora Core 6, and trying to start a rsync daemon via xinetd. The default configuration is: # default: off # description: The rsync server is a good addition to an ftp server, as it \ # allows crc checksumming etc. service rsync { disable = no socket_type = stream wait = no user = root server = /usr/bin/rsync server_args = --daemon log_on_failure += USERID } With this rsyncd.conf: motd file = /etc/rsyncd.motd pid file = /var/run/rsyncd.pid port = 873 uid = rsyncd gid = mirror use chroot = yes max connections = 10 log file = /var/log/rsyncd.log read only = yes hosts allow = 127.0.0.1, ::1, etc.... #hosts deny = 0.0.0.0/0, :: ignore nonreadable = yes transfer logging = yes timeout = 600 dont compress = * [fedora-linux-core] path = /srv/ftp/pub/fedora/linux/core comment = Fedora Linux Core [fedora-linux-core-updates] path = /srv/ftp/pub/fedora/linux/core/updates comment = Fedora Linux Core Updates [fedora-linux-extras] path = /srv/ftp/pub/fedora/linux/extras comment = Fedora Linux Extras [fedora-linux-core-test] path = /srv/ftp/pub/fedora/linux/core/test comment = Fedora Linux Core Test [fedora-linux-releases] path = /srv/ftp/pub/fedora/linux/releases comment = Fedora Linux Releases [fedora-linux-development] path = /srv/ftp/pub/fedora/linux/development comment = Fedora Linux Development [fedora-enchilada] path = /srv/ftp/pub/fedora comment = Fedora - The whole enchilada [fedora-linux-updates] path = /srv/ftp/pub/fedora/linux/updates comment = Fedora Linux Updates [fedora-web] path = /srv/ftp/pub/fedora/web comment = Web content for Fedora Linux mirrors I get these AVCs when running from xinetd and making a client connection that I don't get if I start the daemon directly via "rsync --daemon" as root: type=AVC msg=audit(1192132336.713:3464): avc: denied { lock } for pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435 scontext=user_u:system_r:rsync_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1192132336.713:3464): arch=40000003 syscall=221 success=no exit=-13 a0=4 a1=d a2=bff80730 a3=bff80730 items=0 ppid=8167 pid=8488 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null) type=AVC_PATH msg=audit(1192132336.713:3464): path="/var/run/rsyncd.lock" type=AVC msg=audit(1192132400.044:3465): avc: denied { bind } for pid=8499 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket type=SYSCALL msg=audit(1192132400.044:3465): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf8f4674 a2=4df50ff4 a3=3 items=0 ppid=8167 pid=8499 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null) I tried creating and loading a policy module: # grep "rsync" /var/log/audit/audit.log | audit2allow -M rsyncd # semodule -i rsyncd.pp Here is rsyncd.te: module rsyncd 1.0; require { type var_run_t; type rsync_t; class netlink_route_socket create; class file { read write }; } #============= rsync_t ============== allow rsync_t self:netlink_route_socket create; allow rsync_t var_run_t:file { read write }; But I still get these AVCs: type=AVC msg=audit(1192139751.238:3586): avc: denied { bind } for pid=9311 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket type=SYSCALL msg=audit(1192139751.238:3586): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfbb6144 a2=4df50ff4 a3=3 items=0 ppid=8732 pid=9311 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null) Additionally, when using xinetd I don't ever get any log messages in /var/log/rsyncd.log like I do when I run "rsync --daemon" directly: 2007/10/11 17:08:01 [8613] rsyncd version 2.6.9 starting, listening on port 873 2007/10/11 17:08:13 [8616] connect from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15) 2007/10/11 17:08:13 [8616] rsync on fedora-enchilada/linux/ from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15) 2007/10/11 21:08:13 [8616] building file list 2007/10/11 21:08:13 [8616] sent 1629 bytes received 106 bytes total size 19

15 years, 5 months

2
2
0 / 0

Sendmail milters in Fedora 8

by Paul Howarth

Since upgrading my mail server from Fedora 7 to Fedora 8, I've come across some problems with the sockets used for communication between sendmail and two of the "milter" plugins I'm using with it, namely milter-regex and spamass-milter. It's very likely that other milters will have similar issues. The sockets used are created when the milter starts, as follows: milter-regex: /var/spool/milter-regex/sock (var_spool_t, inherited from parent directory) spamass-milter: /var/run/spamass-milter/spamass-milter.sock (spamd_var_run_t, in policy) These are pretty well the upstream locations, though I'm open to moving the milter-regex socket from /var/spool to /var/run or elsewhere for consistency. Since moving to Fedora 8, I've had to add the following to local policy to get these milters working: allow sendmail_t spamd_var_run_t:dir { search getattr }; allow sendmail_t spamd_var_run_t:sock_file { getattr write }; allow sendmail_t var_spool_t:sock_file { getattr write }; allow sendmail_t initrc_t:unix_stream_socket { read write connectto }; The last of these is the strangest, and relates to Bug #425958 (https://bugzilla.redhat.com/show_bug.cgi?id=425958). Whilst the socket file itself has the context listed above, the unix domain socket that sendmail connects to is still initrc_t, as can be seen from the output of "netstat -lpZ": ... unix 2 [ ACC ] STREAM LISTENING 14142 5853/spamass-milter system_u:system_r:initrc_t:s0 /var/run/spamass-milter/spamass-milter.sock unix 2 [ ACC ] STREAM LISTENING 13794 5779/milter-regex system_u:system_r:initrc_t:s0 /var/spool/milter-regex/sock ... So, my questions are: 1. Why are the sockets still initrc_t? 2. Is this a kernel issue or a userspace issue that should be fixed in the milters? 3. Should there be a standard place for milter sockets to live, and if so, where? 4. How come this worked OK in Fedora 7 and previous releases? Paul.

15 years, 6 months

2
13
0 / 0

SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (consolekit_t) "execute" to <Unknown> (polkit_auth_exec_t).

by Antonio Olivares

Unknown, what is happening with console-kit-daemon? Summary: SELinux is preventing console-kit-dae(/usr/sbin/console-kit-daemon) (consolekit_t) "execute" to <Unknown> (polkit_auth_exec_t). Detailed Description: SELinux denied access requested by console-kit-dae(/usr/sbin/console-kit-daemon). It is not expected that this access is required by console-kit-dae(/usr/sbin/console-kit-daemon) and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:consolekit_t Target Context system_u:object_r:polkit_auth_exec_t Target Objects None [ file ] Source console-kit-dae(/usr/sbin/console-kit-daemon) Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.2.5-20.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.24-9.fc9 #1 SMP Tue Jan 29 18:08:15 EST 2008 i686 i686 Alert Count 1 First Seen Wed 30 Jan 2008 06:58:11 PM CST Last Seen Wed 30 Jan 2008 06:58:11 PM CST Local ID f1411c87-1b39-4d5a-bec3-67e1feb8ec07 Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1201741091.457:30): avc: denied { execute } for pid=2897 comm="console-kit-dae" name="polkit-read-auth-helper" dev=dm-0 ino=116712 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:polkit_auth_exec_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1201741091.457:30): arch=40000003 syscall=11 success=no exit=-13 a0=77097c a1=bff98da0 a2=bff9962c a3=0 items=0 ppid=2264 pid=2897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0 key=(null) ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

15 years, 10 months

3
2
0 / 0

AVC from smartd

by Paul Howarth

One of the drives in my RAID1 array failed this evening, so smartd let me know about it by email. Along the way, it generated an AVC (F8): type=AVC msg=audit(1201808872.737:2426): avc: denied { read } for pid=27830 comm="sh" name="urandom" dev=tmpfs ino=2374 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1201808872.737:2426): arch=c000003e syscall=2 success=no exit=-13 a0=48cb94 a1=0 a2=6cb6 a3=3324f529f0 items=0 ppid=27829 pid=27830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sh" exe="/bin/bash" subj=system_u:system_r:fsdaemon_t:s0 key=(null) Not quite sure why it needed to access /dev/urandom, and it doesn't appear to have stopped the mail being sent, so maybe this is one to be dontaudit-ed? Paul.

15 years, 10 months

1
0
0 / 0

How to modify port by semanage

by Shintaro Fujiwara

Hi, please tell me modifying port by semanage. I could add and delete port ok, but don't know how to modify it. I read man but -m example was not there. Thanks in advance. -- http://intrajp.no-ip.com/ Home Page

15 years, 10 months

2
2
0 / 0

mounting of samba shares via fstab in F8 (and recently updated F7)

by Eric Anderson

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All, ~ I have run into a problem with reading a credentials file from fstab at startup. I have been working with Dan Walsh and have at least a temporary resolution. Details of our e-mail conversation are below: The problem: I get Error 13 talking about access denied to the credentials file. If SELinux is sent to permissive, this is not an issue. I have tried 20 different searches on google, samba.org and several fedora sites to try to get the context required for the credentials file to be accessible to the startup scripts that process fstab. current SELinux context of credentials file: # ls -lZ /root/.smb/yyy - -rw-r----- root root system_u:object_r:user_home_t:s0 /root/.smb/yyy fstab entry: //mtc1-server/progs /media/mtc1-server/progs cifs ip=xxx.xxx.xxx.xxx,credentials=/root/.smb/yyy,uid=aaaa,gid=aaaa,file_mode=0664,dir_mode=0775 0 0 ~ If I use "su -" and manually mount the share, passing only the directory to the mount command, it completes with no errors. This is only an issue at startup. The Resolution: You should execute # grep mount_t /var/log/audit/audit.log | audit2allow -M mysamba # semodule -i mysamba.pp This will add the new rule. If anybody wants/needs more details, feel free to contact me. - -- Eric Anderson Communication Systems Engineer PLEXSYS Interface Products, Inc. E-mail: eric.anderson(a)plexsysipi.com Phone: (405) 734-6090 Fax: (405) 734-6153 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFHoLLuZqXKXmrU3HIRAid1AJ0ZDQN3RnJSFQrEDlvhRsv89ZGfkQCeIiLa 4oJhf2TRRfM3T2xAToc+H0k= =0gZ4 -----END PGP SIGNATURE-----

15 years, 10 months

2
2
0 / 0

module install during make not working correctly

by Clarkson, Mike R (US SSA)

I have a simple helloworld example and policy module with the following line in the helloworldfile.fc file: /usr/local/test/HelloWorldFile -- gen_context(root:object_r:helloworld_exec_t,__SYSTEMLOW__) When I make the policy using "make load", it appears to install the helloworldfile.pp in /usr/share/selinux/mls and then install it using semodule. After doing this if I use restorecon to set the file context of /usr/local/test/HelloWorldFile, the context is incorrect. It has the type usr_t, which is the type for the /usr/local/test directory. If I then manually install the module using "/usr/sbin/semodule -i /usr/share/selinux/mls/helloworldfile.pp", and again use restorecon to reset the file context, it has the correct context. I have no idea why the module install during the "make" process is not working correctly. I'd appreciate any help in figuring out what is going on. I'm using RHEL5.1 with the mls policy. Below I have captured the sequence of commands described above, along with the output. Thanks [clarkson@m2ut5 test]# make load Compliling mls helloworldfile.mod module echo "ifdef(\`""helloworldfile""_per_role_template',\`" > tmp/helloworldfile.mod.role m4 -D strict_policy -D enable_mls -D mls_num_sens=5 -D mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms policy/rolemap | gawk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1 ";)\nhelloworldfile_per_role_template(" $2 "," $3 "," $1 ")" }' >> tmp/helloworldfile.mod.role echo "')" >> tmp/helloworldfile.mod.role echo "ifdef(\`""helloworldfile""_per_userdomain_template',\`" >> tmp/helloworldfile.mod.role echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""helloworldfile""_per_userdomain_template)'__endline__)" >> tmp/helloworldfile.mod.role m4 -D strict_policy -D enable_mls -D mls_num_sens=5 -D mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms policy/rolemap | gawk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $3 "; role " $1 ";)\nhelloworldfile_per_userdomain_template(" $2 "," $3 "," $1 ")" }' >> tmp/helloworldfile.mod.role echo "')" >> tmp/helloworldfile.mod.role m4 -D strict_policy -D enable_mls -D mls_num_sens=5 -D mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms -s policy/support/fc_dir_variables.spt policy/support/file_patterns.spt policy/support/loadable_module.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt tmp/generated_definitions.conf tmp/all_interfaces.conf policy/modules/apps/helloworldfile.te tmp/helloworldfile.mod.role > tmp/helloworldfile.tmp /usr/bin/checkmodule -M -m tmp/helloworldfile.tmp -o tmp/helloworldfile.mod /usr/bin/checkmodule: loading policy configuration from tmp/helloworldfile.tmp /usr/bin/checkmodule: policy configuration loaded /usr/bin/checkmodule: writing binary representation (version 6) to tmp/helloworldfile.mod m4 -D strict_policy -D enable_mls -D mls_num_sens=5 -D mls_num_cats=256 -D mcs_num_cats=256 -D hide_broken_symptoms policy/support/fc_dir_variables.spt policy/support/file_patterns.spt policy/support/loadable_module.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt policy/support/fc_dir_variables.spt policy/support/file_patterns.spt policy/support/loadable_module.spt policy/support/misc_macros.spt policy/support/mls_mcs_macros.spt policy/support/obj_perm_sets.spt policy/modules/apps/helloworldfile.fc > tmp/helloworldfile.mod.fc Creating mls helloworldfile.pp policy package /usr/bin/semodule_package -o helloworldfile.pp -m tmp/helloworldfile.mod -f tmp/helloworldfile.mod.fc Installing mls helloworldfile.pp policy package. install -m 0644 helloworldfile.pp /usr/share/selinux/mls Loading configured modules. /usr/sbin/semodule -s mls -b /usr/share/selinux/mls/base.pp -i /usr/share/selinux/mls/acct.pp -i /usr/share/selinux/mls/ada.pp -i /usr/share/selinux/mls/afs.pp -i /usr/share/selinux/mls/aide.pp -i /usr/share/selinux/mls/alsa.pp -i /usr/share/selinux/mls/amanda.pp -i /usr/share/selinux/mls/amavis.pp -i /usr/share/selinux/mls/amtu.pp -i /usr/share/selinux/mls/anaconda.pp -i /usr/share/selinux/mls/apache.pp -i /usr/share/selinux/mls/apm.pp -i /usr/share/selinux/mls/apt.pp -i /usr/share/selinux/mls/arpwatch.pp -i /usr/share/selinux/mls/asterisk.pp -i /usr/share/selinux/mls/audioentropy.pp -i /usr/share/selinux/mls/audit.pp -i /usr/share/selinux/mls/authbind.pp -i /usr/share/selinux/mls/authlogin.pp -i /usr/share/selinux/mls/automount.pp -i /usr/share/selinux/mls/avahi.pp -i /usr/share/selinux/mls/backup.pp -i /usr/share/selinux/mls/bind.pp -i /usr/share/selinux/mls/bluetooth.pp -i /usr/share/selinux/mls/bootloader.pp -i /usr/share/selinux/mls/calamaris.pp -i /usr/share/selinux/mls/canna.pp -i /usr/share/selinux/mls/ccs.pp -i /usr/share/selinux/mls/cdrecord.pp -i /usr/share/selinux/mls/certwatch.pp -i /usr/share/selinux/mls/cipe.pp -i /usr/share/selinux/mls/clamav.pp -i /usr/share/selinux/mls/clock.pp -i /usr/share/selinux/mls/clockspeed.pp -i /usr/share/selinux/mls/comsat.pp -i /usr/share/selinux/mls/consoletype.pp -i /usr/share/selinux/mls/courier.pp -i /usr/share/selinux/mls/cpucontrol.pp -i /usr/share/selinux/mls/cron.pp -i /usr/share/selinux/mls/cups.pp -i /usr/share/selinux/mls/cvs.pp -i /usr/share/selinux/mls/cyrus.pp -i /usr/share/selinux/mls/daemontools.pp -i /usr/share/selinux/mls/dante.pp -i /usr/share/selinux/mls/dbskk.pp -i /usr/share/selinux/mls/dbus.pp -i /usr/share/selinux/mls/dcc.pp -i /usr/share/selinux/mls/ddclient.pp -i /usr/share/selinux/mls/ddcprobe.pp -i /usr/share/selinux/mls/dhcp.pp -i /usr/share/selinux/mls/dictd.pp -i /usr/share/selinux/mls/distcc.pp -i /usr/share/selinux/mls/djbdns.pp -i /usr/share/selinux/mls/dmesg.pp -i /usr/share/selinux/mls/dmidecode.pp -i /usr/share/selinux/mls/dnsmasq.pp -i /usr/share/selinux/mls/dovecot.pp -i /usr/share/selinux/mls/dpkg.pp -i /usr/share/selinux/mls/ethereal.pp -i /usr/share/selinux/mls/evolution.pp -i /usr/share/selinux/mls/export.pp -i /usr/share/selinux/mls/fail2ban.pp -i /usr/share/selinux/mls/fetchmail.pp -i /usr/share/selinux/mls/finger.pp -i /usr/share/selinux/mls/firstboot.pp -i /usr/share/selinux/mls/frontgate.pp -i /usr/share/selinux/mls/fstools.pp -i /usr/share/selinux/mls/ftp.pp -i /usr/share/selinux/mls/ftp_trans.pp -i /usr/share/selinux/mls/games.pp -i /usr/share/selinux/mls/gatekeeper.pp -i /usr/share/selinux/mls/getty.pp -i /usr/share/selinux/mls/gift.pp -i /usr/share/selinux/mls/gnome.pp -i /usr/share/selinux/mls/gpg.pp -i /usr/share/selinux/mls/gpm.pp -i /usr/share/selinux/mls/hal.pp -i /usr/share/selinux/mls/helloworldfile.pp -i /usr/share/selinux/mls/hostname.pp -i /usr/share/selinux/mls/hotplug.pp -i /usr/share/selinux/mls/howl.pp -i /usr/share/selinux/mls/i18n_input.pp -i /usr/share/selinux/mls/imaze.pp -i /usr/share/selinux/mls/import.pp -i /usr/share/selinux/mls/inetd.pp -i /usr/share/selinux/mls/init.pp -i /usr/share/selinux/mls/inn.pp -i /usr/share/selinux/mls/ipsec.pp -i /usr/share/selinux/mls/iptables.pp -i /usr/share/selinux/mls/irc.pp -i /usr/share/selinux/mls/ircd.pp -i /usr/share/selinux/mls/irqbalance.pp -i /usr/share/selinux/mls/iscsi.pp -i /usr/share/selinux/mls/jabber.pp -i /usr/share/selinux/mls/java.pp -i /usr/share/selinux/mls/kerberos.pp -i /usr/share/selinux/mls/ktalk.pp -i /usr/share/selinux/mls/kudzu.pp -i /usr/share/selinux/mls/ldap.pp -i /usr/share/selinux/mls/libraries.pp -i /usr/share/selinux/mls/loadkeys.pp -i /usr/share/selinux/mls/locallogin.pp -i /usr/share/selinux/mls/lockdev.pp -i /usr/share/selinux/mls/logging.pp -i /usr/share/selinux/mls/logrotate.pp -i /usr/share/selinux/mls/logwatch.pp -i /usr/share/selinux/mls/lpd.pp -i /usr/share/selinux/mls/lvm.pp -i /usr/share/selinux/mls/mailman.pp -i /usr/share/selinux/mls/miscfiles.pp -i /usr/share/selinux/mls/modutils.pp -i /usr/share/selinux/mls/mono.pp -i /usr/share/selinux/mls/monop.pp -i /usr/share/selinux/mls/mount.pp -i /usr/share/selinux/mls/mozilla.pp -i /usr/share/selinux/mls/mplayer.pp -i /usr/share/selinux/mls/mrtg.pp -i /usr/share/selinux/mls/mta.pp -i /usr/share/selinux/mls/munin.pp -i /usr/share/selinux/mls/mysql.pp -i /usr/share/selinux/mls/nagios.pp -i /usr/share/selinux/mls/nessus.pp -i /usr/share/selinux/mls/netlabel.pp -i /usr/share/selinux/mls/netutils.pp -i /usr/share/selinux/mls/networkmanager.pp -i /usr/share/selinux/mls/nis.pp -i /usr/share/selinux/mls/nscd.pp -i /usr/share/selinux/mls/nsd.pp -i /usr/share/selinux/mls/ntop.pp -i /usr/share/selinux/mls/ntp.pp -i /usr/share/selinux/mls/nx.pp -i /usr/share/selinux/mls/oav.pp -i /usr/share/selinux/mls/oddjob.pp -i /usr/share/selinux/mls/openca.pp -i /usr/share/selinux/mls/openct.pp -i /usr/share/selinux/mls/openvpn.pp -i /usr/share/selinux/mls/oracle_db.pp -i /usr/share/selinux/mls/oracle_sp.pp -i /usr/share/selinux/mls/pcmcia.pp -i /usr/share/selinux/mls/pcs.pp -i /usr/share/selinux/mls/pcscd.pp -i /usr/share/selinux/mls/pegasus.pp -i /usr/share/selinux/mls/perdition.pp -i /usr/share/selinux/mls/portage.pp -i /usr/share/selinux/mls/portmap.pp -i /usr/share/selinux/mls/portslave.pp -i /usr/share/selinux/mls/postfix.pp -i /usr/share/selinux/mls/postgresql.pp -i /usr/share/selinux/mls/postgrey.pp -i /usr/share/selinux/mls/ppp.pp -i /usr/share/selinux/mls/prelink.pp -i /usr/share/selinux/mls/privoxy.pp -i /usr/share/selinux/mls/procmail.pp -i /usr/share/selinux/mls/publicfile.pp -i /usr/share/selinux/mls/pxe.pp -i /usr/share/selinux/mls/pyzor.pp -i /usr/share/selinux/mls/qmail.pp -i /usr/share/selinux/mls/query.pp -i /usr/share/selinux/mls/quota.pp -i /usr/share/selinux/mls/radius.pp -i /usr/share/selinux/mls/radvd.pp -i /usr/share/selinux/mls/raid.pp -i /usr/share/selinux/mls/razor.pp -i /usr/share/selinux/mls/rdisc.pp -i /usr/share/selinux/mls/readahead.pp -i /usr/share/selinux/mls/remotelogin.pp -i /usr/share/selinux/mls/resmgr.pp -i /usr/share/selinux/mls/rhgb.pp -i /usr/share/selinux/mls/ricci.pp -i /usr/share/selinux/mls/rlogin.pp -i /usr/share/selinux/mls/roundup.pp -i /usr/share/selinux/mls/rpc.pp -i /usr/share/selinux/mls/rpm.pp -i /usr/share/selinux/mls/rshd.pp -i /usr/share/selinux/mls/rssh.pp -i /usr/share/selinux/mls/rsync.pp -i /usr/share/selinux/mls/samba.pp -i /usr/share/selinux/mls/sasl.pp -i /usr/share/selinux/mls/screen.pp -i /usr/share/selinux/mls/selinuxutil.pp -i /usr/share/selinux/mls/sendmail.pp -i /usr/share/selinux/mls/setcontest.pp -i /usr/share/selinux/mls/setrans.pp -i /usr/share/selinux/mls/setroubleshoot.pp -i /usr/share/selinux/mls/slocate.pp -i /usr/share/selinux/mls/slrnpull.pp -i /usr/share/selinux/mls/smartmon.pp -i /usr/share/selinux/mls/snmp.pp -i /usr/share/selinux/mls/snort.pp -i /usr/share/selinux/mls/soundserver.pp -i /usr/share/selinux/mls/spamassassin.pp -i /usr/share/selinux/mls/speedtouch.pp -i /usr/share/selinux/mls/squid.pp -i /usr/share/selinux/mls/ssh.pp -i /usr/share/selinux/mls/storage.pp -i /usr/share/selinux/mls/stunnel.pp -i /usr/share/selinux/mls/su.pp -i /usr/share/selinux/mls/sudo.pp -i /usr/share/selinux/mls/sxid.pp -i /usr/share/selinux/mls/sysnetwork.pp -i /usr/share/selinux/mls/sysstat.pp -i /usr/share/selinux/mls/tcpd.pp -i /usr/share/selinux/mls/telnet.pp -i /usr/share/selinux/mls/tftp.pp -i /usr/share/selinux/mls/thunderbird.pp -i /usr/share/selinux/mls/timidity.pp -i /usr/share/selinux/mls/tmpreaper.pp -i /usr/share/selinux/mls/tor.pp -i /usr/share/selinux/mls/transproxy.pp -i /usr/share/selinux/mls/tripwire.pp -i /usr/share/selinux/mls/tvtime.pp -i /usr/share/selinux/mls/tzdata.pp -i /usr/share/selinux/mls/ucspitcp.pp -i /usr/share/selinux/mls/udev.pp -i /usr/share/selinux/mls/uml.pp -i /usr/share/selinux/mls/unconfined.pp -i /usr/share/selinux/mls/updfstab.pp -i /usr/share/selinux/mls/uptime.pp -i /usr/share/selinux/mls/usbmodules.pp -i /usr/share/selinux/mls/userdomain.pp -i /usr/share/selinux/mls/userhelper.pp -i /usr/share/selinux/mls/usermanage.pp -i /usr/share/selinux/mls/usernetctl.pp -i /usr/share/selinux/mls/uucp.pp -i /usr/share/selinux/mls/uwimap.pp -i /usr/share/selinux/mls/vbetool.pp -i /usr/share/selinux/mls/vmware.pp -i /usr/share/selinux/mls/vpn.pp -i /usr/share/selinux/mls/watchdog.pp -i /usr/share/selinux/mls/webalizer.pp -i /usr/share/selinux/mls/weblogic.pp -i /usr/share/selinux/mls/wine.pp -i /usr/share/selinux/mls/xen.pp -i /usr/share/selinux/mls/xfs.pp -i /usr/share/selinux/mls/xprint.pp -i /usr/share/selinux/mls/xserver.pp -i /usr/share/selinux/mls/yam.pp -i /usr/share/selinux/mls/zebra.pp rm tmp/helloworldfile.mod.fc tmp/helloworldfile.mod [clarkson@m2ut5 policy]# cd /usr/local/test [clarkson@m2ut5 test]# /sbin/restorecon HelloWorldFile [clarkson@m2ut5 test]# ls -Z HelloWorldFile -rwxr-xr-x clarkson m2 system_u:object_r:usr_t:SystemLow HelloWorldFile [clarkson@m2ut5 test]# /usr/sbin/semodule -i /usr/share/selinux/mls/helloworldfile.pp [clarkson@m2ut5 test]# /sbin/restorecon HelloWorldFile [clarkson@m2ut5 test]# ls -Z HelloWorldFile -rwxr-xr-x clarkson m2 root:object_r:helloworld_exec_t:SystemLow HelloWorldFile

15 years, 10 months

1
1
0 / 0

Re: [RFC] security: add iptables "security" table for MAC rules

by James Morris

On Tue, 29 Jan 2008, Paul Moore wrote: > That seems reasonable. By the way, this isn't really related, but is it > possible to change the NF_IP_PRI_SELINUX_* constants to NF_IP_PRI_SECURITY_* > for the sake of consistency or are those values already visible to userspace? They are visible to userspace, and included in glibc headers, but I don't see any userland use of them via google codesearch or know of a possible valid use. > I suppose we could always rename them anyway and just add a #define for > compatibility ... Yep, if you want to. - James -- James Morris <jmorris(a)namei.org>

15 years, 10 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux January 2008