Re: knotify4, NetworkManager (NetworkManager_t) "read write" unconfined_t., ..
by Antonio Olivares
--- On Fri, 10/24/08, Rex Dieter <rdieter(a)math.unl.edu> wrote:
> From: Rex Dieter <rdieter(a)math.unl.edu>
> Subject: Re: knotify4, NetworkManager (NetworkManager_t) "read write" unconfined_t., ..
> To: fedora-test-list(a)redhat.com
> Cc: fedora-selinux-list(a)redhat.com
> Date: Friday, October 24, 2008, 2:48 PM
> Antonio Olivares wrote:
>
>
> > First one knotify is a bug that I have reported:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=467210
> >
> > but was closed because it was not an selinux bug, who
> has the hot potato
> > now? I keep seeing this on two of my three machines
> :( Has someone else
> > seen this?
>
> Not reproducible. Are you *sure* you have no 3rd-party
> software installed?
>
> I ask, because I've seen quite a few spurious similar
> reports, and they *all* were due to various 3rd-party crud
> (usually nvidia binary X drivers).
>
Absolutely, positively sure I have no third-party stuff on both machines. How can I prove it, if there is a way to prove it?
It is strange that one of the three machines on which I run rawhide works perfectly well and has no complaints about knotify.
Thanks,
Antonio
>
> -- Rex
>
>
> --
> fedora-test-list mailing list
> fedora-test-list(a)redhat.com
> To unsubscribe:
> https://www.redhat.com/mailman/listinfo/fedora-test-list
Re: Question on SELinux
by Paul Howarth
On Sat, 18 Oct 2008 12:34:53 +0000
lionel ong <odin743(a)hotmail.com> wrote:
>
> > Date: Sat, 18 Oct 2008 13:25:59 +0100
> > From: paul(a)city-fan.org
> > To: odin743(a)hotmail.com
> > CC: fedora-selinux-list(a)redhat.com
> > Subject: Re: Question on SELinux
> >
> > On Sat, 18 Oct 2008 09:55:26 +0000
> > lionel ong <odin743(a)hotmail.com> wrote:
> >
> > Port 80 is the port that the websites firefox connects to use; if you
> > prevent firefox from connecting to websites on port 80 it's just not
> > going to work at all, unless you're trying to force it through a proxy
> > on a different port perhaps?
> >
> > Paul.
> Hi, yes, I understand that Firefox will fail to work, but I am
> just trying out the things policies can do; it's OK if Firefox fails.
> Do you know how I could stop Firefox from using port 80 and use some
> other port? Regards, Lionel
I've never done anything like that but I guess a good starting point
would be xguest (see http://danwalsh.livejournal.com/14778.html) and
tweaking policy from there.
Paul.
Permissive domain how-to?
by Shintaro Fujiwara
Hi, I want to set some domain permissive, as Mr Walsh hinted to us,
but when I tried to do that:
[root@notepc ~]# semanage permissive -a zabbix_t
/usr/sbin/semanage: Permission denied
Another one gave the same result.
Why?
--
http://intrajp.no-ip.com/ Home Page
Policy module building on rawhide
by Paul Howarth
My module builds are failing on rawhide:
$ /usr/bin/make NAME=mls -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
Compiling mls fastcgi module
m4: tmp/fastcgi.mod.role: No such file or directory
make: *** [tmp/fastcgi.mod] Error 1
The commands being run, according to "make -n" are:
$ make -n NAME=mls -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
echo "Compiling mls fastcgi module"
test -d tmp || mkdir -p tmp
m4 -D enable_mls -D distro_redhat -D hide_broken_symptoms -D
mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s
/usr/share/selinux/devel/include/support/all_perms.spt
/usr/share/selinux/devel/include/support/file_patterns.spt
/usr/share/selinux/devel/include/support/ipc_patterns.spt
/usr/share/selinux/devel/include/support/loadable_module.spt
/usr/share/selinux/devel/include/support/misc_macros.spt
/usr/share/selinux/devel/include/support/misc_patterns.spt
/usr/share/selinux/devel/include/support/mls_mcs_macros.spt
/usr/share/selinux/devel/include/support/obj_perm_sets.spt
tmp/all_interfaces.conf fastcgi.te tmp/fastcgi.mod.role > tmp/fastcgi.tmp
/usr/bin/checkmodule -M -m tmp/fastcgi.tmp -o tmp/fastcgi.mod
m4 -D enable_mls -D distro_redhat -D hide_broken_symptoms -D
mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024
/usr/share/selinux/devel/include/support/all_perms.spt
/usr/share/selinux/devel/include/support/file_patterns.spt
/usr/share/selinux/devel/include/support/ipc_patterns.spt
/usr/share/selinux/devel/include/support/loadable_module.spt
/usr/share/selinux/devel/include/support/misc_macros.spt
/usr/share/selinux/devel/include/support/misc_patterns.spt
/usr/share/selinux/devel/include/support/mls_mcs_macros.spt
/usr/share/selinux/devel/include/support/obj_perm_sets.spt fastcgi.fc >
tmp/fastcgi.mod.fc
echo "Creating mls fastcgi.pp policy package"
/usr/bin/semodule_package -o fastcgi.pp -m tmp/fastcgi.mod -f
tmp/fastcgi.mod.fc
rm tmp/fastcgi.mod.fc tmp/fastcgi.mod
I'm guessing the missing .mod.role file would have been created by the
commented-out rule in /usr/share/selinux/devel/include/Makefile:
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
	@test -d $(@D) || mkdir -p $(@D)
#	$(call peruser-expansion,$(basename $(@F)),$@.role)
	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
Do I need to do something different for F10, or is this a bug?
Paul.
Re: Contents of fedora-selinux-list Digest, Vol 56, Issue 19
by Antonio Olivares
--- On Tue, 10/21/08, fedora-selinux-list-request(a)redhat.com <fedora-selinux-list-request(a)redhat.com> wrote:
> From: fedora-selinux-list-request(a)redhat.com <fedora-selinux-list-request(a)redhat.com>
> Subject: fedora-selinux-list Digest, Vol 56, Issue 19
> To: fedora-selinux-list(a)redhat.com
> Date: Tuesday, October 21, 2008, 9:00 AM
> Message: 2
> Date: Mon, 20 Oct 2008 13:57:08 -0400
> From: Daniel J Walsh <dwalsh(a)redhat.com>
> Subject: Re: selinux is denying consolekit, hal?, ...,
> To: olivares14031(a)yahoo.com
> Cc: fedora-selinux-list(a)redhat.com
> Message-ID: <48FCC674.9010209(a)redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> These should be filed against the kernel. These tools
> should not
> suddenly need sys_resource. I believe this is a kernel
> bug.
I will wait then, because we just got a new kernel, and it would be a waste of time and resources to file against a kernel that is no longer there :( I hope that you and others won't get upset; unless the new kernel behaves the same way, then absolutely, like the absolute value of x, |x| :)
Thanks,
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 20 Oct 2008 14:31:53 -0500
> From: Rex Dieter <rdieter(a)math.unl.edu>
> Subject: Re: selinux is denying consolekit, hal?, ...,
> To: fedora-selinux-list(a)redhat.com
> Message-ID: <gdimb9$jio$1(a)ger.gmane.org>
> Content-Type: text/plain; charset=us-ascii
>
> Antonio Olivares wrote:
>
> > Dear fellow selinux experts,
> >
> > selinux is at it again, this time, setroubleshoot shot
> out the warnings:
>
> Any 3rd-party software installed? Say, like a binary
> X/kernel driver? :)
Nope! Regular nv driver, as comes by default. I used to like testing nvidia drivers before, but not anymore, as it is a hassle to have to build them every time a new kernel comes out (yes, I have heard of livna, freshrpms and now rpmfusion); I do not want to go there yet.
Thanks,
Antonio
>
> -- Rex
selinux is denying consolekit, hal?, ...,
by Antonio Olivares
Dear fellow selinux experts,
selinux is at it again, this time, setroubleshoot shot out the warnings:
Summary:
SELinux is preventing hal-acl-tool (hald_acl_t) "sys_resource" hald_acl_t.
Detailed Description:
SELinux denied access requested by hal-acl-tool. It is not expected that this
access is required by hal-acl-tool and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:hald_acl_t:s0
Target Context system_u:system_r:hald_acl_t:s0
Target Objects None [ capability ]
Source hal-acl-tool
Source Path /usr/libexec/hal-acl-tool
Port <Unknown>
Host riohigh
Source RPM Packages hal-0.5.12-3.20081013git.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-1.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon
Alert Count 25
First Seen Thu 16 Oct 2008 05:21:21 PM CDT
Last Seen Mon 20 Oct 2008 07:22:37 AM CDT
Local ID 2dda3b9b-7240-47c2-9865-4e1c1971771c
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224505357.902:104): avc: denied { sys_resource } for pid=3200 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224505357.902:104): arch=40000003 syscall=4 success=yes exit=2132 a0=4 a1=b7f94000 a2=854 a3=854 items=0 ppid=1873 pid=3200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)
Summary:
SELinux is preventing knotify4 from making the program stack executable.
Detailed Description:
The knotify4 application attempted to make its stack executable. This is a
potential security problem. This should never ever be necessary. Stack memory is
not executable on most OSes these days and this will not change. Executable
stack memory is one of the biggest security problems. An execstack error might
in fact be most likely raised by malicious code. Applications are sometimes
coded incorrectly and request this permission. The SELinux Memory Protection
Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how
to remove this requirement. If knotify4 does not work and you need it to work,
you can configure SELinux temporarily to allow this access until the application
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust knotify4 to
run correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/bin/knotify4'" You must also change the default file context files on the
system in order to preserve them even on a full relabel. "semanage fcontext -a
-t unconfined_execmem_exec_t '/usr/bin/knotify4'"
Fix Command:
chcon -t unconfined_execmem_exec_t '/usr/bin/knotify4'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects None [ process ]
Source knotify4
Source Path /usr/bin/knotify4
Port <Unknown>
Host riohigh
Source RPM Packages kdebase-runtime-4.1.2-5.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-1.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execstack
Host Name riohigh
Platform Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon
Alert Count 2
First Seen Mon 20 Oct 2008 07:21:30 AM CDT
Last Seen Mon 20 Oct 2008 07:21:30 AM CDT
Local ID eebb1d00-400c-4898-888b-ae7a132cd800
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224505290.544:95): avc: denied { execstack } for pid=2883 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=riohigh type=SYSCALL msg=audit(1224505290.544:95): arch=40000003 syscall=125 success=no exit=-13 a0=bf983000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=2883 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing console-kit-dae (consolekit_t) "sys_resource"
consolekit_t.
Detailed Description:
SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects None [ capability ]
Source console-kit-dae
Source Path /usr/sbin/console-kit-daemon
Port <Unknown>
Host riohigh
Source RPM Packages ConsoleKit-0.3.0-2.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-1.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.27.3-27.rc1.fc10.i686 #1 SMP Sat Oct 18 20:35:56 EDT 2008 i686 athlon
Alert Count 23
First Seen Thu 16 Oct 2008 04:27:59 PM CDT
Last Seen Mon 20 Oct 2008 07:20:39 AM CDT
Local ID 18c02e39-31cf-4b70-b999-fa910c61d822
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224505239.547:88): avc: denied { sys_resource } for pid=1810 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224505239.547:88): arch=40000003 syscall=4 success=yes exit=672 a0=1a a1=9fb1758 a2=2a0 a3=9fb1758 items=0 ppid=1 pid=1810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing sm-notify (rpcd_t) "sys_resource" rpcd_t.
Detailed Description:
SELinux denied access requested by sm-notify. It is not expected that this
access is required by sm-notify and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:rpcd_t:s0
Target Context unconfined_u:system_r:rpcd_t:s0
Target Objects None [ capability ]
Source rpc.statd
Source Path /sbin/rpc.statd
Port <Unknown>
Host riohigh
Source RPM Packages nfs-utils-1.1.3-6.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.12-2.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.27-3.fc10.i686 #1 SMP Fri Oct 10 01:26:26 EDT 2008 i686 athlon
Alert Count 2
First Seen Thu 16 Oct 2008 05:15:06 PM CDT
Last Seen Thu 16 Oct 2008 05:15:06 PM CDT
Local ID cc9a1241-41d6-4b07-aa8c-4d2701763004
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1224195306.728:103): avc: denied { sys_resource } for pid=7184 comm="sm-notify" capability=24 scontext=unconfined_u:system_r:rpcd_t:s0 tcontext=unconfined_u:system_r:rpcd_t:s0 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224195306.728:103): arch=40000003 syscall=4 success=yes exit=5 a0=5 a1=bffbd700 a2=5 a3=5 items=0 ppid=7183 pid=7184 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sm-notify" exe="/usr/sbin/sm-notify" subj=unconfined_u:system_r:rpcd_t:s0 key=(null)
Which ones should I file bugs against, if there are any to file?
I have seen knotify and selinux again, this one is filed. Do I need more info?
Thanks,
Antonio
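As an added example (not part of the thread's mail, and not a Fedora tool), a small Python triage script for raw audit lines of the kind quoted in this thread: it parses each AVC denial record into fields and maps it to the handling the thread describes, i.e. sys_resource capability denials as suspected kernel bugs per Dan Walsh's reply, execstack as the library flag check and execmod as the text-relocation case from the setroubleshoot text. The sample lines are constructed from the ones quoted above (one repeated to mimic a recurring alert), and the triage labels are the script's own.

```python
import re
from collections import Counter

# Constructed sample input: AVC lines of the shape quoted in this thread, one of them
# repeated with a different serial/pid, plus an abridged SYSCALL record to be skipped.
SAMPLE_AUDIT = """\
node=riohigh type=AVC msg=audit(1224505357.902:104): avc: denied { sys_resource } for pid=3200 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
node=riohigh type=SYSCALL msg=audit(1224505357.902:104): arch=40000003 syscall=4 success=yes exit=2132 comm="hal-acl-tool"
node=riohigh type=AVC msg=audit(1224505290.544:95): avc: denied { execstack } for pid=2883 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=sundaram type=AVC msg=audit(1224298087.506:271): avc: denied { execmod } for pid=25126 comm="vlc" path="/usr/lib/vlc/codec/librealvideo_plugin.so" dev=dm-0 ino=246161 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=riohigh type=AVC msg=audit(1224505999.000:120): avc: denied { sys_resource } for pid=3311 comm="hal-acl-tool" capability=24 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=capability
"""

# "avc: denied { perm ... } for key=value ..."; real audit logs put two spaces
# before "denied" while the mail quotes one, so any run of spaces is accepted.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +"
    r"\{ (?P<perms>[^}]+)\} +for (?P<fields>.*)$"
)
# key=value pairs; quoted values (comm, path) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    scontext = fields.get("scontext", "")
    tcontext = fields.get("tcontext", "")
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "scontext": scontext,
        "tcontext": tcontext,
        # third field of a context is the type: user:role:type[:range]
        "sdomain": scontext.split(":")[2] if scontext.count(":") >= 2 else None,
        "ttype": tcontext.split(":")[2] if tcontext.count(":") >= 2 else None,
    }


def triage(rec):
    """Map a denial to the handling the thread describes for that kind of alert."""
    perms = set(rec["perms"])
    if rec["tclass"] == "capability" and "sys_resource" in perms:
        # Dan Walsh's reply: these tools should not suddenly need sys_resource;
        # file against the kernel rather than adding a local policy module.
        return "kernel-bug-suspect"
    if rec["tclass"] == "process" and "execstack" in perms:
        # setroubleshoot advice: look for a library wrongly flagged with execstack
        # (execstack -c LIBRARY_PATH clears it) before relabelling the binary.
        return "execstack"
    if rec["tclass"] == "file" and "execmod" in perms:
        # text relocation in a shared object; the alert's workaround is the
        # textrel_shlib_t label, and the library itself should be fixed.
        return "textrel"
    return "unclassified"


def summarize(audit_text):
    """Group denials by (source domain, class, perms, triage), like setroubleshoot's alert count."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["sdomain"], rec["tclass"], " ".join(rec["perms"]), triage(rec))] += 1
    return dict(counts)
```

Feeding `summarize` the output of `ausearch -m avc` on a live box gives one row per distinct denial, which is the grouping to use before deciding what to file a bug against.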
SELinux troubleshooter
by Rahul Sundaram
Hi,
It would be nice if I could just tell the SELinux troubleshooter not to show
me alerts at all, or to filter out a particular set of alerts, so I don't get
repeated popups, say when building a live CD or for known issues. It is
otherwise quite annoying at times and I have to kill it to get it to
shut up.
Rahul
libavfilter SELinux policy issue
by Rahul Sundaram
Hi.
This makes Firefox crash if SELinux is in enforcing mode.
Summary:
SELinux is preventing ld-linux.so.2 from loading /usr/lib/libavfilter.so.0.1.0
which requires text relocation.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
The ld-linux.so.2 application attempted to load /usr/lib/libavfilter.so.0.1.0
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libavfilter.so.0.1.0 to use relocation as a workaround, until the
library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust /usr/lib/libavfilter.so.0.1.0 to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/libavfilter.so.0.1.0'" You must also change the default file context
files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t '/usr/lib/libavfilter.so.0.1.0'"
Fix Command:
chcon -t textrel_shlib_t '/usr/lib/libavfilter.so.0.1.0'
Additional Information:
Source Context system_u:system_r:prelink_t:s0-s0:c0.c1023
Target Context system_u:object_r:lib_t:s0
Target Objects /usr/lib/libavfilter.so.0.1.0 [ file ]
Source ld-linux.so.2
Source Path /lib/ld-2.8.90.so
Port <Unknown>
Host sundaram
Source RPM Packages glibc-2.8.90-13
Target RPM Packages ffmpeg-libs-0.4.9-0.50.20080908.fc10
Policy RPM selinux-policy-3.5.10-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name allow_execmod
Host Name sundaram
Platform Linux sundaram 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count 1
First Seen Fri 17 Oct 2008 04:05:58 AM IST
Last Seen Fri 17 Oct 2008 04:05:58 AM IST
Local ID 5bf00553-84ae-49ea-a793-7977855b9541
Line Numbers
Raw Audit Messages
node=sundaram type=AVC msg=audit(1224196558.619:111): avc: denied { execmod } for pid=27387 comm="ld-linux.so.2" path="/usr/lib/libavfilter.so.0.1.0" dev=dm-0 ino=68753 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=sundaram type=SYSCALL msg=audit(1224196558.619:111): arch=40000003 syscall=125 success=yes exit=0 a0=111000 a1=3000 a2=5 a3=bfbedde0 items=0 ppid=27136 pid=27387 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="ld-linux.so.2" exe="/lib/ld-2.8.90.so" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
Rahul
Question on SELinux
by lionel ong
Hi!
I am currently exploring the SELinux policy management GUI tool (polgengui) and trying to create a policy to stop Firefox from using its default port 80, so that when I run a netstat command on the terminal, the Firefox application will not be shown using TCP port 80 but some other TCP port instead.
Are there any commands on the terminal, or ways to use the tool, that I could use to accomplish the above? Thanks for your time!
Regards,
Lionel
SELinux, VLC and text relocation
by Rahul Sundaram
Hi
Summary:
SELinux is preventing vlc from loading /usr/lib/vlc/codec/librealvideo_plugin.so
which requires text relocation.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
The vlc application attempted to load /usr/lib/vlc/codec/librealvideo_plugin.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/vlc/codec/librealvideo_plugin.so to use relocation as a workaround,
until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust /usr/lib/vlc/codec/librealvideo_plugin.so to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/vlc/codec/librealvideo_plugin.so'" You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/lib/vlc/codec/librealvideo_plugin.so'"
Fix Command:
chcon -t textrel_shlib_t '/usr/lib/vlc/codec/librealvideo_plugin.so'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context system_u:object_r:lib_t:s0
Target Objects /usr/lib/vlc/codec/librealvideo_plugin.so [ file ]
Source vlc
Source Path /usr/bin/vlc
Port <Unknown>
Host sundaram
Source RPM Packages vlc-core-0.9.4-1.fc10
Target RPM Packages vlc-core-0.9.4-1.fc10
Policy RPM selinux-policy-3.5.12-3.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name allow_execmod
Host Name sundaram
Platform Linux sundaram 2.6.27-13.fc10.i686 #1 SMP Wed Oct 15 02:06:26 EDT 2008 i686 i686
Alert Count 1
First Seen Sat 18 Oct 2008 08:18:07 AM IST
Last Seen Sat 18 Oct 2008 08:18:07 AM IST
Local ID 046cbf7a-5c30-4f56-8e3a-01169befcb34
Line Numbers
Raw Audit Messages
node=sundaram type=AVC msg=audit(1224298087.506:271): avc: denied { execmod } for pid=25126 comm="vlc" path="/usr/lib/vlc/codec/librealvideo_plugin.so" dev=dm-0 ino=246161 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=sundaram type=SYSCALL msg=audit(1224298087.506:271): arch=40000003 syscall=125 success=yes exit=0 a0=7859000 a1=19000 a2=5 a3=bf8a3690 items=0 ppid=1 pid=25126 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="vlc" exe="/usr/bin/vlc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Rahul