line 1887 is missing
by Antonio Olivares
Dear fellow testers and selinux experts,
What is in line 1887? I have installed Fedora 10 Preview and when I try to install a package, I get the following message:
Running rpm_check_debug
Running Transaction Test
/etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping
/etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
/etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping
/etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping
Smolt profile is here:
http://www.smolts.org/client/show/pub_52cf9c16-aa07-4697-8df6-7b47eb9855f4 (public)
TIA,
Antonio
15 years, 5 months
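The warning quoted in this post names a line of file_contexts that has too few fields. As an added example (not part of the original post and not libselinux code), the Python below flags non-comment entries with fewer than two whitespace-separated fields, plus two related format problems; the sample entries and the function name are constructed for illustration.

```python
import re
import sys

# File-type specifiers accepted in the optional middle field of an entry.
FILE_TYPES = {"--", "-b", "-c", "-d", "-p", "-l", "-s"}
# A context is user:role:type with an optional :range, or the literal <<none>>.
CONTEXT_RE = re.compile(r"^(<<none>>|[^:\s]+:[^:\s]+:[^:\s]+(:\S+)?)$")

# Constructed sample entries, not the poster's file.
SAMPLE = """\
# comment lines and blank lines are ignored
/etc/passwd      --   system_u:object_r:etc_t:s0
/var/run(/.*)?        system_u:object_r:var_run_t:s0

/usr/sbin/ifconfig
/dev/null        -c   system_u:object_r:null_device_t:s0
/tmp/x           -z   system_u:object_r:tmp_t:s0
/opt/y           --   system_u:object_r
/mnt(/.*)?            <<none>>
"""

def check_file_contexts(text):
    """Return [(lineno, problem)] for entries that are not 'regex [type] context'."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:            # the case the warning reports
            problems.append((lineno, "missing fields"))
        elif len(fields) > 3:
            problems.append((lineno, "too many fields"))
        elif len(fields) == 3 and fields[1] not in FILE_TYPES:
            problems.append((lineno, f"unknown file type {fields[1]}"))
        elif not CONTEXT_RE.match(fields[-1]):
            problems.append((lineno, f"malformed context {fields[-1]}"))
    return problems

if __name__ == "__main__":
    # Pass the path from the warning as the first argument to check a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, problem in check_file_contexts(text):
        print(f"line {lineno}: {problem}")
```

Run against /etc/selinux/targeted/contexts/files/file_contexts, the reported line number shows which entry is truncated.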
SELinux is preventing perl (logwatch_t) "execute" to ./ifconfig (ifconfig_exec_t).
by Frank Murphy
restorecon\Full\fixfiles: relabel not removed avc.
---------------------------
Summary:
SELinux is preventing perl (logwatch_t) "execute" to ./ifconfig
(ifconfig_exec_t).
Detailed Description:
SELinux denied access requested by perl. It is not expected that this
access is
required by perl and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for ./ifconfig,
restorecon -v './ifconfig'
If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:ifconfig_exec_t:s0
Target Objects ./ifconfig [ file ]
Source perl
Source Path /usr/bin/perl
Port <Unknown>
Host frank-01
Source RPM Packages perl-5.10.0-49.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-11.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name frank-01
Platform Linux frank-01 2.6.27.4-79.fc10.i686 #1 SMP Tue Nov 4 21:56:37 EST 2008 i686 i686
Alert Count 1
First Seen Sun 09 Nov 2008 10:10:33 GMT
Last Seen Sun 09 Nov 2008 10:10:33 GMT
Local ID e3112123-9c28-4417-ba5e-71236aa7b429
Line Numbers
Raw Audit Messages
node=frank-01 type=AVC msg=audit(1226225433.356:75): avc: denied {
execute } for pid=24728 comm="perl" name="ifconfig" dev=dm-0 ino=4322
scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1226225433.356:75): arch=40000003
syscall=11 success=no exit=-13 a0=9ed4ebc a1=9f7d2a4 a2=bfce9130
a3=bfce8ac8 items=0 ppid=24727 pid=24728 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0
key=(null)
--
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com
15 years, 5 months
Generating policies for Nagios on Fedora9 - difficulties
by Dirk H. Schulz
Hi folks,
I have compiled Nagios 3.05 on Fedora9 (all updates current) and now try to
get it running together with SELinux.
I have piped the AVC denials from audit.log to audit2allow and generated
policies which I loaded using "semodule -i POLNAME.pp".
Now I have the weird state that:
- Nagios still cannot check postfix' mailqueue with check_mailq
- Nagios still cannot write emails to the mailqueue
but there are no AVC denials any more in audit.log and Nagios stopped
logging to syslog (although it still works as seen on the web pages). There
are also no SETroubleshoot messages in /var/log/messages any more.
Setting "setenforce 0" makes Nagios run smoothly, so the problem is still
related to SELinux somehow, but since nothing shows up in the logs any more it
is quite difficult to troubleshoot.
Logging in general does work, e. g. I can find an "Error code 69 returned
from /usr/bin/mailq" in /var/log/maillog every time Nagios runs the mailq
check. Changing the setenforce value leads to an entry in audit.log, so
even auditd logging partially works.
I have even restarted rsyslog with no effect.
How do I find out why SELinux is not logging completely any more?
And by the way: I also had the phenomenon that auditd claimed lots of
denials of ping while Nagios did not have any difficulty pinging - that
does not look very trustworthy on the part of SELinux, does it?
Any hint or help is appreciated.
Dirk
15 years, 5 months
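The workflow in this post turns AVC denials into allow rules and loads them. As an added example (not part of the original post and not audit2allow's own code), the Python below parses AVC records and prints the allow rule each group of denials would become, so the grants can be read before a module is loaded; the sample records are the AVC lines quoted in other posts on this page with e-mail wrapping removed, and REVIEW_PERMS is an assumed list of permissions to look at twice.

```python
import re
from collections import defaultdict

# AVC records quoted on this page, rejoined; the SYSCALL record is abridged.
SAMPLE_LOG = """\
node=frank-01 type=AVC msg=audit(1226225433.356:75): avc: denied { execute } for pid=24728 comm="perl" name="ifconfig" dev=dm-0 ino=4322 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
node=frank-01 type=SYSCALL msg=audit(1226225433.356:75): arch=40000003 syscall=11 success=no exit=-13 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0 key=(null)
node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.809:25): avc: denied { create } for pid=8176 comm="gnome-power-man" name="10357b34dbb443572a67020848c54ed9:runtime" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=lnk_file
node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.846:26): avc: denied { sendto } for pid=8176 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Assumption of this example: permissions that deserve a second look.
REVIEW_PERMS = {"execute", "execmod", "execmem", "execstack", "transition"}

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) per denied AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            # A context is user:role:type[:range]; the type is the third field.
            src, tgt = (m[k].split(":")[2] for k in ("scon", "tcon"))
            yield src, tgt, m["tclass"], set(m["perms"].split())

def candidate_rules(text):
    """Return [(rule, needs_review)], one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perms in parse_avc(text):
        grouped[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append((f"allow {src} {target}:{tclass} {perm_text};",
                      bool(perms & REVIEW_PERMS)))
    return rules

if __name__ == "__main__":
    for rule, review in candidate_rules(SAMPLE_LOG):
        print(("REVIEW  " if review else "        ") + rule)
```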
g-p-m SELinux policy denials
by Rahul Sundaram
Hi,
I have copied the g-p-m related denials below:
---
Summary:
SELinux is preventing gnome-power-man (xdm_t) "create" to
10357b34dbb443572a67020848c54ed9:runtime (xdm_var_lib_t).
Detailed Description:
SELinux denied access requested by gnome-power-man. It is not expected
that this
access is required by gnome-power-man and this access may signal an
intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for
10357b34dbb443572a67020848c54ed9:runtime,
restorecon -v '10357b34dbb443572a67020848c54ed9:runtime'
If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:xdm_var_lib_t:s0
Target Objects 10357b34dbb443572a67020848c54ed9:runtime [ lnk_file ]
Source gnome-power-man
Source Path /usr/bin/gnome-power-manager
Port <Unknown>
Host sundaram.pnq.redhat.com
Source RPM Packages gnome-power-manager-2.24.1-3.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-11.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name sundaram.pnq.redhat.com
Platform Linux sundaram.pnq.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686
Alert Count 1
First Seen Wed 05 Nov 2008 10:17:25 PM IST
Last Seen Wed 05 Nov 2008 10:17:25 PM IST
Local ID 5bed64ed-4506-4f5e-aea2-22bef1bd3d82
Line Numbers
Raw Audit Messages
node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.809:25): avc:
denied { create } for pid=8176 comm="gnome-power-man"
name="10357b34dbb443572a67020848c54ed9:runtime"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=lnk_file
node=sundaram.pnq.redhat.com type=SYSCALL msg=audit(1225903645.809:25):
arch=40000003 syscall=83 success=no exit=-13 a0=8f31138 a1=8f31040
a2=6d9b660 a3=8f311e0 items=0 ppid=1 pid=8176 auid=4294967295 uid=42
gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none)
ses=4294967295 comm="gnome-power-man" exe="/usr/bin/gnome-power-manager"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
---------------
Summary:
SELinux is preventing gnome-power-man (xdm_t) "sendto" xdm_t.
Detailed Description:
SELinux denied access requested by gnome-power-man. It is not expected
that this
access is required by gnome-power-man and this access may signal an
intrusion
attempt. It is also possible that the specific version or configuration
of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects None [ unix_dgram_socket ]
Source gnome-power-man
Source Path /usr/bin/gnome-power-manager
Port <Unknown>
Host sundaram.pnq.redhat.com
Source RPM Packages gnome-power-manager-2.24.1-3.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-11.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name sundaram.pnq.redhat.com
Platform Linux sundaram.pnq.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686
Alert Count 1
First Seen Wed 05 Nov 2008 10:17:25 PM IST
Last Seen Wed 05 Nov 2008 10:17:25 PM IST
Local ID 288d421c-cab3-49b2-9b6b-ac5398816f4d
Line Numbers
Raw Audit Messages
node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.846:26): avc:
denied { sendto } for pid=8176 comm="gnome-power-man"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
node=sundaram.pnq.redhat.com type=SYSCALL msg=audit(1225903645.846:26):
arch=40000003 syscall=102 success=no exit=-13 a0=9 a1=b7127670 a2=a0b234
a3=0 items=0 ppid=1 pid=8176 auid=4294967295 uid=42 gid=42 euid=42
suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295
comm="gnome-power-man" exe="/usr/bin/gnome-power-manager"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
---
Rahul
15 years, 5 months
libavformat and SELinux policy issue
by Rahul Sundaram
Hi,
When using mplayer for the past few days, I am getting the following
SELinux policy issue:
----
Summary:
SELinux is preventing totem-video-thu from loading
/usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation.
Detailed Description:
The totem-video-thu application attempted to load
/usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation.
This is a
potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. The
SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/sse2/libavformat.so.52.22.1 to use relocation as a workaround,
until
the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust /usr/lib/sse2/libavformat.so.52.22.1 to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/sse2/libavformat.so.52.22.1'" You must also change the default
file
context files on the system in order to preserve them even on a full
relabel.
"semanage fcontext -a -t textrel_shlib_t
'/usr/lib/sse2/libavformat.so.52.22.1'"
Fix Command:
chcon -t textrel_shlib_t '/usr/lib/sse2/libavformat.so.52.22.1'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context system_u:object_r:lib_t:s0
Target Objects /usr/lib/sse2/libavformat.so.52.22.1 [ file ]
Source totem-video-thu
Source Path /usr/bin/totem-video-thumbnailer
Port <Unknown>
Host sundaram.redhat.com
Source RPM Packages totem-2.24.3-1.fc10
Target RPM Packages ffmpeg-libs-0.4.9-0.51.20080908.fc10
Policy RPM selinux-policy-3.5.13-11.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execmod
Host Name sundaram.redhat.com
Platform Linux sundaram.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686
Alert Count 719
First Seen Thu 06 Nov 2008 12:51:21 AM IST
Last Seen Thu 06 Nov 2008 01:05:40 AM IST
Local ID 7e3f9978-5247-4568-9b3b-f14b7db6643c
Line Numbers
Raw Audit Messages
node=sundaram.redhat.com type=AVC msg=audit(1225913740.104:764): avc:
denied { execmod } for pid=16396 comm="totem-video-thu"
path="/usr/lib/sse2/libavformat.so.52.22.1" dev=dm-0 ino=70735
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lib_t:s0 tclass=file
node=sundaram.redhat.com type=SYSCALL msg=audit(1225913740.104:764):
arch=40000003 syscall=125 success=no exit=-13 a0=15e2000 a1=ac000 a2=5
a3=b735a350 items=0 ppid=2638 pid=16396 auid=500 uid=500 gid=500
euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
---
Rahul
15 years, 5 months
Unneeded inbuilt *.pp modules
by Frank Murphy
Is it OK to back up and remove to a USB stick
any inbuilt policy modules (*.pp) that are not required,
i.e. qemu, apache?
Things which basically will *definitely* be running on this server.
If I click booleans on selinux management,
the check marks reappear immediately
Frank
--
gpg id EB547226 Revoked Forgot Password :(
aMSN: Frankly3D
http://www.frankly3d.com
15 years, 5 months