selinux November 2008

selinux@lists.fedoraproject.org

25 participants
36 discussions

by Antonio Olivares

Dear fellow testers and selinux experts, what is in line 1887, I have installed Fedora 10 Preview and I when I try to install a package, I get the following message: Running rpm_check_debug Running Transaction Test /etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping /etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping Finished Transaction Test Transaction Test Succeeded Running Transaction /etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping /etc/selinux/targeted/contexts/files/file_contexts: line 1887 is missing fields, skipping Smolt profile is here: http://www.smolts.org/client/show/pub_52cf9c16-aa07-4697-8df6-7b47eb9855f4 (public) TIA, Antonio

15 years, 5 months

1
1
0 / 0

SELinux is preventing perl (logwatch_t) "execute" to ./ifconfig (ifconfig_exec_t).

by Frank Murphy

restorecon\Full\fixfiles: relabel not removed avc. --------------------------- Summary: SELinux is preventing perl (logwatch_t) "execute" to ./ifconfig (ifconfig_exec_t). Detailed Description: SELinux denied access requested by perl. It is not expected that this access is required by perl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./ifconfig, restorecon -v './ifconfig' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:logwatch_t:s0 Target Context system_u:object_r:ifconfig_exec_t:s0 Target Objects ./ifconfig [ file ] Source perl Source Path /usr/bin/perl Port <Unknown> Host frank-01 Source RPM Packages perl-5.10.0-49.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-11.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name frank-01 Platform Linux frank-01 2.6.27.4-79.fc10.i686 #1 SMP Tue Nov 4 21:56:37 EST 2008 i686 i686 Alert Count 1 First Seen Sun 09 Nov 2008 10:10:33 GMT Last Seen Sun 09 Nov 2008 10:10:33 GMT Local ID e3112123-9c28-4417-ba5e-71236aa7b429 Line Numbers Raw Audit Messages node=frank-01 type=AVC msg=audit(1226225433.356:75): avc: denied { execute } for pid=24728 comm="perl" name="ifconfig" dev=dm-0 ino=4322 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file node=frank-01 type=SYSCALL msg=audit(1226225433.356:75): arch=40000003 syscall=11 success=no exit=-13 a0=9ed4ebc a1=9f7d2a4 a2=bfce9130 a3=bfce8ac8 items=0 ppid=24727 pid=24728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0 key=(null) -- gpg id EB547226 Revoked Forgot Password :( aMSN: Frankly3D http://www.frankly3d.com

15 years, 5 months

1
0
0 / 0

Generating policies for Nagios on Fedora9 - difficulties

by Dirk H. Schulz

Hi folks, I have compiled Nagios 3.05 on Fedora9 (all updates current) and now try to get it running together with SELinux. I have piped the AVC denials from audit.log to audit2allow and generated policies which I loaded using "semodule -i POLNAME.pp". Now I have the weird state that: - Nagios still cannot check postfix' mailqueue with check_mailq - Nagios still cannot write emails to the mailqueue but there is no AVC denials any more in audit.log and Nagios stopped logging to syslog (although it still works as seen on the web pages). There is also no SETroubleshoot messages in /var/log/messages any more. Setting "setenforce 0" makes Nagios run smoothly, so the problem is still related SELinux somehow, but since nothing shows up in the logs any more it is quite difficult to troubleshoot. Logging in general does work, e. g. I can find a "Error code 69 returned from /usr/bin/mailq" in /var/log/maillog every time Nagios runs the mailq check. Changing the setenforce value leads to an entry in audit.log, so even auditd logging partially works. I have even restarted rsyslog with no effect. How do I find out why SELinux is not logging completely any more? And by the way: I also had the phenomenon that auditd claimed lots of denials of ping while Nagios did not have any difficulty pinging - that does not look very trustworthy on the part of SELinux, does it? Any hint or help is appreciated. Dirk

15 years, 5 months

4
5
0 / 0

g-p-m SELinux policy denials

by Rahul Sundaram

Hi, I have the copied the copy of g-p-m related denials below: --- Summary: SELinux is preventing gnome-power-man (xdm_t) "create" to 10357b34dbb443572a67020848c54ed9:runtime (xdm_var_lib_t). Detailed Description: SELinux denied access requested by gnome-power-man. It is not expected that this access is required by gnome-power-man and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for 10357b34dbb443572a67020848c54ed9:runtime, restorecon -v '10357b34dbb443572a67020848c54ed9:runtime' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:xdm_var_lib_t:s0 Target Objects 10357b34dbb443572a67020848c54ed9:runtime [ lnk_file ] Source gnome-power-man Source Path /usr/bin/gnome-power-manager Port <Unknown> Host sundaram.pnq.redhat.com Source RPM Packages gnome-power-manager-2.24.1-3.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-11.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name sundaram.pnq.redhat.com Platform Linux sundaram.pnq.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686 Alert Count 1 First Seen Wed 05 Nov 2008 10:17:25 PM IST Last Seen Wed 05 Nov 2008 10:17:25 PM IST Local ID 5bed64ed-4506-4f5e-aea2-22bef1bd3d82 Line Numbers Raw Audit Messages node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.809:25): avc: denied { create } for pid=8176 comm="gnome-power-man" name="10357b34dbb443572a67020848c54ed9:runtime" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=lnk_file node=sundaram.pnq.redhat.com type=SYSCALL msg=audit(1225903645.809:25): arch=40000003 syscall=83 success=no exit=-13 a0=8f31138 a1=8f31040 a2=6d9b660 a3=8f311e0 items=0 ppid=1 pid=8176 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-power-man" exe="/usr/bin/gnome-power-manager" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) --------------- Summary: SELinux is preventing gnome-power-man (xdm_t) "sendto" xdm_t. Detailed Description: SELinux denied access requested by gnome-power-man. It is not expected that this access is required by gnome-power-man and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Objects None [ unix_dgram_socket ] Source gnome-power-man Source Path /usr/bin/gnome-power-manager Port <Unknown> Host sundaram.pnq.redhat.com Source RPM Packages gnome-power-manager-2.24.1-3.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.13-11.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name sundaram.pnq.redhat.com Platform Linux sundaram.pnq.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686 Alert Count 1 First Seen Wed 05 Nov 2008 10:17:25 PM IST Last Seen Wed 05 Nov 2008 10:17:25 PM IST Local ID 288d421c-cab3-49b2-9b6b-ac5398816f4d Line Numbers Raw Audit Messages node=sundaram.pnq.redhat.com type=AVC msg=audit(1225903645.846:26): avc: denied { sendto } for pid=8176 comm="gnome-power-man" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket node=sundaram.pnq.redhat.com type=SYSCALL msg=audit(1225903645.846:26): arch=40000003 syscall=102 success=no exit=-13 a0=9 a1=b7127670 a2=a0b234 a3=0 items=0 ppid=1 pid=8176 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-power-man" exe="/usr/bin/gnome-power-manager" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) --- Rahul

15 years, 5 months

2
1
0 / 0

libavformat and SELinux policy issue

by Rahul Sundaram

Hi, When using mplayer for the past few days, I am getting the following SELinux policy issue: ---- Summary: SELinux is preventing totem-video-thu from loading /usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation. Detailed Description: The totem-video-thu application attempted to load /usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/sse2/libavformat.so.52.22.1 to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: If you trust /usr/lib/sse2/libavformat.so.52.22.1 to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/sse2/libavformat.so.52.22.1'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib/sse2/libavformat.so.52.22.1'" Fix Command: chcon -t textrel_shlib_t '/usr/lib/sse2/libavformat.so.52.22.1' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context system_u:object_r:lib_t:s0 Target Objects /usr/lib/sse2/libavformat.so.52.22.1 [ file ] Source totem-video-thu Source Path /usr/bin/totem-video-thumbnailer Port <Unknown> Host sundaram.redhat.com Source RPM Packages totem-2.24.3-1.fc10 Target RPM Packages ffmpeg-libs-0.4.9-0.51.20080908.fc10 Policy RPM selinux-policy-3.5.13-11.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execmod Host Name sundaram.redhat.com Platform Linux sundaram.redhat.com 2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42 EDT 2008 i686 i686 Alert Count 719 First Seen Thu 06 Nov 2008 12:51:21 AM IST Last Seen Thu 06 Nov 2008 01:05:40 AM IST Local ID 7e3f9978-5247-4568-9b3b-f14b7db6643c Line Numbers Raw Audit Messages node=sundaram.redhat.com type=AVC msg=audit(1225913740.104:764): avc: denied { execmod } for pid=16396 comm="totem-video-thu" path="/usr/lib/sse2/libavformat.so.52.22.1" dev=dm-0 ino=70735 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file node=sundaram.redhat.com type=SYSCALL msg=audit(1225913740.104:764): arch=40000003 syscall=125 success=no exit=-13 a0=15e2000 a1=ac000 a2=5 a3=b735a350 items=0 ppid=2638 pid=16396 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) --- Rahul

15 years, 5 months

2
1
0 / 0

Unneeded inbuilt *.pp modules

by Frank Murphy

Is it ok to backup and remove to usb stick, and inbuilt policy modules *.pp not required. ie qemu apache. Things which basically will *definitely* be running on this server. If I click booleans on selinux management, the check marks reappear immediately Frank -- gpg id EB547226 Revoked Forgot Password :( aMSN: Frankly3D http://www.frankly3d.com

15 years, 5 months

2
2
0 / 0

← Newer
1
2
3
4
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux November 2008