F10 Logwatch and avc(s) long post
by Frank Murphy
------------A snip from the logwatch included at end-----------------
Summary:
SELinux is preventing netstat (logwatch_t) "search" to <Unknown> (sysctl_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access
is required by netstat and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for <Unknown>,
restorecon -v '<Unknown>'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects None [ dir ]
Source ifconfig
Source Path /sbin/ifconfig
Port <Unknown>
Host frank-01
Source RPM Packages net-tools-1.60-91.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name frank-01
Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count 4
First Seen Sat 22 Nov 2008 09:17:13 GMT
Last Seen Sat 22 Nov 2008 09:17:13 GMT
Local ID 144ff94f-abf9-47ba-8ab6-bda6cceb41e8
Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied {
search } for pid=4085 comm="netstat"
scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
node=frank-01 type=SYSCALL msg=audit(1227345433.820:48): arch=40000003
syscall=33 success=no exit=-13 a0=805f195 a1=4 a2=ffffffff a3=8064020
items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat"
exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./unix (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access
is required by netstat and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./unix,
restorecon -v './unix'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:proc_net_t:s0
Target Objects ./unix [ file ]
Source ifconfig
Source Path /sbin/ifconfig
Port <Unknown>
Host frank-01
Source RPM Packages net-tools-1.60-91.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name frank-01
Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count 2
First Seen Sat 22 Nov 2008 09:17:13 GMT
Last Seen Sat 22 Nov 2008 09:17:13 GMT
Local ID c323266d-4b2a-4e47-9b13-eeb640939573
Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied {
read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984
scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:45): arch=40000003
syscall=33 success=no exit=-13 a0=805c8b9 a1=4 a2=ffffffff a3=8064360
items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat"
exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./if_inet6 (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access
is required by netstat and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./if_inet6,
restorecon -v './if_inet6'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:proc_net_t:s0
Target Objects ./if_inet6 [ file ]
Source ifconfig
Source Path /sbin/ifconfig
Port <Unknown>
Host frank-01
Source RPM Packages net-tools-1.60-91.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name frank-01
Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count 4
First Seen Sat 22 Nov 2008 09:17:13 GMT
Last Seen Sat 22 Nov 2008 09:17:13 GMT
Local ID 9de63b84-aff8-4a49-bc45-510abd4637b3
Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.820:46): avc: denied {
read } for pid=4085 comm="netstat" name="if_inet6" dev=proc
ino=4026532168 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.820:46): arch=40000003
syscall=33 success=no exit=-13 a0=805f29e a1=4 a2=ffffffff a3=8064180
items=0 ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat"
exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Summary:
SELinux is preventing netstat (logwatch_t) "read" to ./dev (proc_net_t).
Detailed Description:
SELinux denied access requested by netstat. It is not expected that this access
is required by netstat and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./dev,
restorecon -v './dev'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:proc_net_t:s0
Target Objects ./dev [ file ]
Source ifconfig
Source Path /sbin/ifconfig
Port <Unknown>
Host frank-01
Source RPM Packages net-tools-1.60-91.fc10
Target RPM Packages filesystem-2.4.19-1.fc10
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name frank-01
Platform Linux frank-01 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count 6
First Seen Sat 22 Nov 2008 09:17:13 GMT
Last Seen Sat 22 Nov 2008 09:17:13 GMT
Local ID 44eb7259-6162-4669-9b01-b5d48a63aaa5
Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied {
read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957
scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1227345433.855:51): arch=40000003
syscall=5 success=no exit=-13 a0=805ff47 a1=0 a2=1b6 a3=0 items=0
ppid=4084 pid=4085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat"
exe="/bin/netstat" subj=system_u:system_r:logwatch_t:s0 key=(null)
Logwatch:
--------------------- Network Report Begin ------------------------
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
------------- Network Interfaces ---------------
Ethernet : 1
Other : 1
Total : 2
------------- Ethernet -------------------------
eth1 Link encap:Ethernet HWaddr 00:19:E0:7A:40:4C
------------- Other ----------------------------
lo Link encap:Local Loopback
------------- Network Interfaces ---------------
------------- Network statistics ---------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 1000
link/ether 00:19:e0:7a:40:4c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1
inet6 fe80::219:e0ff:fe7a:404c/64 scope link
valid_lft forever preferred_lft forever
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Warning: cannot open /proc/net/dev (Permission denied). Limited output.
Iface MTU RX-ERR TX-ERR
eth1 1500 no BMRU
lo 16436 no LRU
------------- Network statistics ---------------
---------------------- Network Report End -------------------------
--
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com
selinux denies iptables
by Antonio Olivares
Dear all,
I am still having trouble setting up the dhcp server because selinux denies iptables
type=1400 audit(1227530280.458:4): avc: denied { write } for pid=1430 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Thanks in Advance,
Antonio
restorecon isn't restoring what matchpathcon shows
by Chuck Anderson
There are a bunch of files and directories in my F10 home dirs that
have type unconfined_u:object_r:user_home_t, but matchpathcon says
they are supposed to be system_u:object_r:user_home_t. I tried to run
restorecon but it isn't changing the type:
[root@l 9:06:49 /home/install]#matchpathcon /home/install/Templates
/home/install/Templates system_u:object_r:user_home_t:s0
[root@l 9:06:51 /home/install]#ls -lZd Templates
drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0
Templates/
[root@l 9:06:56 /home/install]#restorecon -R Templates
[root@l 9:07:07 /home/install]#ls -lZd Templates
drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0
Templates/
[root@l 9:07:10 /home/install]#su - install
[install@l ~]$ restorecon -R .
[install@l ~]$ restorecon -R Templates/
[install@l ~]$ logout
[root@l 9:08:23 /home/install]#ls -lZd Templates
drwxr-xr-x install install unconfined_u:object_r:user_home_t:s0
Templates/
Why does this happen?
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin"
by Antonio Olivares
Dear fellow selinux experts,
npviewer is causing lots of trouble. Firefox freezes and I have to kill it/terminate it and restart it just to post :(
What should I do, I have filed bugs on this several times :(
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.548:6): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.659:7): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.694:8): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.732:9): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.764:10): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.790:11): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.816:12): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.841:13): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:14:02 localhost kernel: __ratelimit: 42 callbacks suppressed
Nov 19 07:14:02 localhost kernel: type=1400 audit(1227100442.317:28): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Thanks,
Antonio
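The raw AVC records in the first three posts above arrive in three shapes (sealert's "node=... type=AVC" form, the bare "type=1400 audit(...)" form, and the syslog/kernel-prefixed form). The following is an added triage example, not code from any of the posts: it parses all three shapes, groups denials by source type, target type and object class, and renders each group in the allow-rule form that audit2allow would propose, so a reviewer can see at a glance which denials are one policy gap and which look like a labeling problem. The sample lines are copied from the posts and are labelled as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the raw audit lines in the posts above and
# covering the three shapes they arrive in: the sealert "node=... type=AVC" form,
# the bare "type=1400 audit(...)" form, and the syslog/kernel-prefixed form.
SAMPLE_AVCS = """\
node=frank-01 type=AVC msg=audit(1227345433.820:48): avc: denied { search } for pid=4085 comm="netstat" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
node=frank-01 type=AVC msg=audit(1227345433.820:45): avc: denied { read } for pid=4085 comm="netstat" name="unix" dev=proc ino=4026531984 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
node=frank-01 type=AVC msg=audit(1227345433.855:51): avc: denied { read } for pid=4085 comm="netstat" name="dev" dev=proc ino=4026531957 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=1400 audit(1227530280.458:4): avc: denied { write } for pid=1430 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
Nov 19 07:13:55 localhost kernel: type=1400 audit(1227100435.439:5): avc: denied { unix_read unix_write } for pid=3833 comm="npviewer.bin" key=5678293 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=sem
Nov 19 07:14:02 localhost kernel: __ratelimit: 42 callbacks suppressed
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of user:role:type[:range]; the range may contain colons, so split at most 3 times."""
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Return the fields of one AVC record, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "comm": kv.get("comm"),
        "stype": context_type(kv["scontext"]),
        "ttype": context_type(kv["tcontext"]),
        "tclass": kv["tclass"],
        # the kernel reports the object as "name" for files and "path" for sockets/devices
        "object": kv.get("path") or kv.get("name"),
    }


def summarize(lines):
    """Group denials by (source type, target type, object class): union of permissions,
    hit count, and the commands and objects involved. This is the triage view a reviewer
    needs before deciding whether a denial is a labeling problem, a policy gap or misuse."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set(), "objects": set()})
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        g = groups[(avc["stype"], avc["ttype"], avc["tclass"])]
        g["count"] += 1
        g["perms"] |= avc["perms"]
        g["comms"].add(avc["comm"])
        if avc["object"]:
            g["objects"].add(avc["object"])
    return dict(groups)


def as_allow_rules(summary):
    """Render each group as the allow rule audit2allow would propose, for human review only:
    a denial caused by a mislabeled file should be fixed with restorecon, not with policy."""
    rules = []
    for (stype, ttype, tclass), g in sorted(summary.items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ %s }" % perms
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perms))
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVCS.splitlines())
    for key, g in sorted(summary.items()):
        print("%-14s -> %-22s %-10s x%d %s" % (key[0], key[1], key[2], g["count"], sorted(g["perms"])))
    print("\n".join(as_allow_rules(summary)))
```

Feed it `grep avc: /var/log/audit/audit.log` (or /var/log/messages on hosts without auditd) to get the same grouping over a real day of denials.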
Installing MLS policy on Fedora 9
by Elihu Smails
I have installed Fedora 9 and wanted to install the MLS Policy. I
performed the following steps:
1. Install Fedora 9
2. Install Patches
3. Reboot
4. yum install -y selinux-policy-mls
5. Open /etc/selinux/config and change the following:
SELINUX=enforcing
SELINUXTYPE=targeted
to
SELINUX=permissive
SELINUXTYPE=mls
6. touch /.autorelabel
7. Reboot. The relabelling works fine
8. Set SELINUX to enforcing in /etc/selinux/config
9. Reboot. I get many error messages about the file system and it
drops me into a single user shell.
Can someone please tell me what the proper steps are.
Thank you.
Selinux issues in user-compiled code
by Jason L Tibbitts III
A while back I made the decision to enable selinux on all of my user
desktops. It hasn't really been all that painful; generally the
issues I have are with proprietary software, essentially all of which
it seems has one issue or another.
This morning I received the following question from a user:
-----
Can you explain why I often get a linker error:
"cannot restore segment prot after reloc: Permission denied"
running code I've built in my home directory. But then if I rerun once
or twice it will execute properly. It's not always the same library
that the linker complains about....
-----
Unfortunately I don't really know how to answer. I can handle selinux
at a system level, because if I know some program has an issue I can
just change a file context and things work. But I've no idea how to
deal with code that users might compile, or where to point them for
info in writing code that doesn't have these issues.
- J<
root vs system cron jobs (MLS_LEVEL)
by Nikolas Lam
Hi
On Fedora 9, we've got a symlink in /etc/cron.daily/
to /usr/local/bin/checkmailspool which ultimately tries to run
/usr/sbin/postqueue -p
It works if you call it via the root user's crontab, but not when you
put the script in /etc/cron.daily/. (I've included the sealert output
below).
When called by the "system" cron (in which the denial occurs) id -Z
output is
system_u:system_r:system_crond_t:s0-s0:c0.c1023
OTOH, the root cron (which works) shows
root:unconfined_r:unconfined_t:s0-s0:c0.c1023
I've just read crontab(5) which mentions setting MLS_LEVEL on the first
line of the crontab, but it seems to suggest that this would apply
(perhaps unnecessarily) to all the jobs run in that crontab.
What's the recommended method to get this one script working from
within /etc/cron.daily/ ?
Regards,
Nik Lam
Summary:
SELinux is preventing postqueue (postfix_postqueue_t) "connectto" to
/var/spool/postfix/public/showq (unconfined_t).
Detailed Description:
SELinux denied access requested by postqueue. It is not expected that this
access is required by postqueue and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects /var/spool/postfix/public/showq [ unix_stream_socket ]
Source postqueue
Source Path /usr/sbin/postqueue
Port <Unknown>
Host replaced.example.com
Source RPM Packages postfix-2.5.5-1.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-107.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name replaced.example.com
Platform Linux replaced.example.com 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count 38
First Seen Tue Nov 4 05:04:42 2008
Last Seen Thu Nov 20 05:04:42 2008
Local ID f5f4066b-d167-44ca-9c00-afd71f485225
Line Numbers
Raw Audit Messages
host=replaced.example.com type=AVC msg=audit(1227117882.675:17773): avc:
denied { connectto } for pid=15651 comm="postqueue"
path="/var/spool/postfix/public/showq"
scontext=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
host=replaced.example.com type=SYSCALL msg=audit(1227117882.675:17773):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa89e00
a2=b808eff4 a3=bfa89e6a items=0 ppid=15647 pid=15651 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=90 sgid=90 fsgid=90 tty=(none) ses=2419
comm="postqueue" exe="/usr/sbin/postqueue"
subj=system_u:system_r:postfix_postqueue_t:s0-s0:c0.c1023 key=(null)
selinux denying spamd write access to its own user home dir
by Gene Heskett
Greetings;
Just recovering from a drive failure, and just now managed to get enough perl
deps installed to run spamassassin.
I modified the spamassassin script in /etc/init.d to run it as the same user
that fetches the mail, also fixed the spamassassin in /etc/sysconfig to
match, and according to htop, the spamd's are running as that user.
But, selinux is still having a cow for every incoming message.
=========
Source Context: system_u:system_r:spamd_t:s0
Target Context: system_u:object_r:home_root_t:s0
Target Objects: ./user_prefs [ file ]
===temp end of snip
From that, here is that file:
[root@coyote .spamassassin]# ls -l user_prefs
-rw-r--r-- 1 gene gene 1164 2006-01-16 13:45 user_prefs
[root@coyote .spamassassin]# ls -l --context user_prefs
-rw-r--r-- gene gene system_u:object_r:home_root_t:s0 user_prefs
===back to troubleshooter output
host=coyote.coyote.den type=AVC msg=audit(1227116423.127:797): avc: denied {
write } for pid=7118 comm="spamd" name="user_prefs" dev=sda3 ino=74942440
scontext=system_u:system_r:spamd_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=file
host=coyote.coyote.den type=SYSCALL msg=audit(1227116423.127:797):
arch=40000003 syscall=5 success=no exit=-13 a0=9a83590 a1=8241 a2=1b6 a3=8241
items=0 ppid=7116 pid=7118 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501
egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="spamd" exe="/usr/bin/perl"
subj=system_u:system_r:spamd_t:s0 key=(null)
=========
Secondary Q: when are we going to be able to copy & paste from the
selinuxtroubleshooter screen and preserve the ^%$*^%$( formatting?
I have performed the troubleshooter recommended fix:
setsebool -P spamd_enable_home_dirs=1
and restarted spamassassin several times.
Perms or context problem with the /home dirs?
A bug?
Or I need to do an autorelabel?
The /home dirs, FWIW, were copied from another drive by mc & then 'chown -R
user:user' when the copy was finished which may not have been the correct
thing to do FAIK. But it was the only way I could preserve an email corpus
that is in the 10Gb area for size.
There are no entries for spamassassin or spamd in /etc/group that I could use
to make that file a member of.
Fix please?
Thanks.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"Truth never comes into the world but like a bastard, to the ignominy
of him that brought her birth."
-- Milton
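Chuck's session above (restorecon leaving unconfined_u in place) and Gene's user_prefs file (labelled home_root_t inside a home directory) are two sides of the same rule: restorecon compares only the type field of a file's context against the file_contexts default unless it is run with -F, which also resets user, role and range. The following is an added example, not code from either post, that models that decision over the contexts shown in the two sessions; the expected context for user_prefs is an assumption (matchpathcon output for it does not appear in the post).

```python
# Constructed from the two sessions above: Chuck's Templates directory (ls -Z vs
# matchpathcon) and Gene's user_prefs file, which ls --context showed as home_root_t.
TEMPLATES_ACTUAL = "unconfined_u:object_r:user_home_t:s0"
TEMPLATES_EXPECTED = "system_u:object_r:user_home_t:s0"
USER_PREFS_ACTUAL = "system_u:object_r:home_root_t:s0"
# Assumed: what matchpathcon would return for a regular file under a user's home dir.
USER_PREFS_EXPECTED = "system_u:object_r:user_home_t:s0"

FIELDS = ("user", "role", "type", "range")


def split_context(ctx):
    """Split user:role:type[:range] into its fields. The MLS/MCS range may itself contain
    a colon (s0-s0:c0.c1023), so split at most three times and keep the range whole."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    parts += [""] * (4 - len(parts))
    return dict(zip(FIELDS, parts))


def context_diff(actual, expected):
    """Return {field: (actual, expected)} for every field that differs."""
    a, e = split_context(actual), split_context(expected)
    return {f: (a[f], e[f]) for f in FIELDS if a[f] != e[f]}


def restorecon_would_relabel(actual, expected, force=False):
    """Model restorecon's decision: by default only the type field is compared, so a file
    whose type already matches is left alone even if user, role or range differ;
    with -F (force) the whole context is compared and any difference triggers a relabel."""
    diff = context_diff(actual, expected)
    return bool(diff) if force else "type" in diff


if __name__ == "__main__":
    for label, actual, expected in (("Templates", TEMPLATES_ACTUAL, TEMPLATES_EXPECTED),
                                    ("user_prefs", USER_PREFS_ACTUAL, USER_PREFS_EXPECTED)):
        print(label, context_diff(actual, expected),
              "restorecon:", restorecon_would_relabel(actual, expected),
              "restorecon -F:", restorecon_would_relabel(actual, expected, force=True))
```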
Further on SElinux and kismet
by mike cloaked
Some days ago I was trying to run kismet on a system with F9 running
SElinux and kismet failed to start and complained about being unable
to write to the file ssid_map which was in the normal user main dir.
There was an AVC denial indicating that kismet was not permitted to access
that file.
It was suggested that I make kismet look at /var/lib/kismet instead.
Having tried again this evening and changed kismet.conf so that
%h/ was changed to /var/lib/kismet/ then kismet still fails to start and the
terminal window gives:
Will attempt to put networkmanager to sleep...
Allowing clients to fetch WEP keys.
WARNING: Disabling GPS logging.
SSID cloak file did not exist, it will be created.
FATAL: Could not open SSID track file '/var/lib/kismet/ssid_map' for writing:
Permission denied
Sending termination request to channel control child 3538...
Waiting for channel control child 3538 to exit...
WARNING: Sometimes cards don't always come out of monitor mode
cleanly. If your card is not fully working, you may need to
restart or reconfigure it for normal operation.
Trying to wake networkmanager back up...
WARNING: Failed to connect to DBUS system, will not be able to control
networkmanager: Failed to connect to socket /var/run/dbus/system_bus_socket:
Permission denied
WARNING: Failed to send 'wake' command to networkmanager via DBUS, NM may still
be inactive. Kismet exiting.
Done.
I checked the contexts:
[root@lapmike2 kismet]# ll -Zld /var/lib/kismet
drwxrwx--- 2 system_u:object_r:kismet_var_lib_t:s0 root kismet 4096 2008-11-18
20:59 /var/lib/kismet
[root@lapmike2 kismet]# ll -Z /var/lib/kismet
-rw-rw-rw- root root unconfined_u:object_r:kismet_var_lib_t:s0 ssid_map
Any ideas how to fix this - in the above there is no AVC denial but I am
guessing that SElinux may still be involved?