SELinux is preventing avahi-daemon (avahi_t) "getcap" to <Unknown> (avahi_t).
by Antonio Olivares
Dear all,
I am running rawhide. I see the following:
Is avahi-daemon doing something that it shouldn't?
Thanks,
Antonio
Summary:
SELinux is preventing avahi-daemon (avahi_t) "getcap" to <Unknown> (avahi_t).
Detailed Description:
SELinux denied access requested by avahi-daemon. It is not expected that this access is required by avahi-daemon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context system_u:system_r:avahi_t
Target Context system_u:system_r:avahi_t
Target Objects None [ process ]
Source avahi-daemon
Source Path /usr/sbin/avahi-daemon
Port <Unknown>
Host localhost
Source RPM Packages avahi-0.6.17-1.fc7
Target RPM Packages
Policy RPM selinux-policy-3.3.0-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost
Platform Linux localhost 2.6.25-0.65.rc2.git7.fc9 #1 SMP Sat Feb 23 23:06:09 EST 2008 i686 athlon
Alert Count 12
First Seen Sat 23 Feb 2008 01:04:44 PM CST
Last Seen Mon 25 Feb 2008 07:19:57 AM CST
Local ID e83550c8-f8d8-4109-9f8f-215e82dbb99c
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1203945597.443:10): avc: denied { getcap } for pid=2159 comm="avahi-daemon" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=process
host=localhost type=SYSCALL msg=audit(1203945597.443:10): arch=40000003 syscall=184 success=no exit=-13 a0=8c60e3c a1=0 a2=9df0f0 a3=8c60e38 items=0 ppid=1 pid=2159 auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70 fsgid=70 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=system_u:system_r:avahi_t:s0 key=(null)
16 years, 2 months
avahi wants getcap
by Tom London
Running rawhide: avahi-0.6.22-7.fc9.i386, selinux-policy-3.3.0-1.fc9.noarch
Appears avahi needs getcap:
type=AVC msg=audit(1203904427.662:13): avc: denied { getcap } for pid=2255 comm="avahi-daemon" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=process
type=SYSCALL msg=audit(1203904427.662:13): arch=40000003 syscall=184 success=no exit=-13 a0=8a1a78c a1=0 a2=4cb0f0 a3=8a1a788 items=0 ppid=1 pid=2255 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=system_u:system_r:avahi_t:s0 key=(null)
type=AVC msg=audit(1203904427.665:14): avc: denied { getcap } for pid=2255 comm="avahi-daemon" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=process
type=SYSCALL msg=audit(1203904427.665:14): arch=40000003 syscall=184 success=no exit=-13 a0=8a1b454 a1=0 a2=4cb0f0 a3=8a1b450 items=0 ppid=1 pid=2255 auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70 fsgid=70 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=system_u:system_r:avahi_t:s0 key=(null)
--
Tom London
16 years, 2 months
periodic policy audits
by Bill Nottingham
Again, looking through the policy I see sections for policy
to confine cardmgr, /etc/hotplug scripts, updfstab, etc. Do
we do any routine policy updates to purge obsolete policy?
If not, should we?
Bill
16 years, 2 months
SELinux is preventing ntpd (ntpd_t) "getcap" to <Unknown> (ntpd_t)
by Antonio Olivares
Summary:
SELinux is preventing ntpd (ntpd_t) "getcap" to <Unknown> (ntpd_t).
Detailed Description:
SELinux denied access requested by ntpd. It is not expected that this access is required by ntpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:ntpd_t
Target Context unconfined_u:system_r:ntpd_t
Target Objects None [ process ]
Source ntpdate
Source Path /usr/sbin/ntpdate
Port <Unknown>
Host localhost
Source RPM Packages ntp-4.2.4p4-3.fc9
Target RPM Packages
Policy RPM selinux-policy-3.2.9-1.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost
Platform Linux localhost 2.6.25-0.40.rc1.git2.fc9 #1 SMP Wed Feb 13 17:55:35 EST 2008 i686 athlon
Alert Count 2
First Seen Thu 21 Feb 2008 10:58:12 AM CST
Last Seen Thu 21 Feb 2008 10:58:20 AM CST
Local ID ad5db6a3-d94d-4ee7-87ca-e8ea7b0196ea
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1203613100.285:81): avc: denied { getcap } for pid=14697 comm="ntpd" scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=unconfined_u:system_r:ntpd_t:s0 tclass=process
host=localhost type=SYSCALL msg=audit(1203613100.285:81): arch=40000003 syscall=184 success=no exit=-13 a0=b8e93444 a1=0 a2=2ad0f0 a3=b8e93440 items=0 ppid=1 pid=14697 auid=500 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=2 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
16 years, 2 months
"getcap" AVCs ....
by Tom London
Running selinux-policy-targeted-3.2.9-1.fc9.noarch
type=AVC msg=audit(1203608392.877:5): avc: denied { getcap } for pid=2231 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
type=SYSCALL msg=audit(1203608392.877:5): arch=40000003 syscall=184 success=no exit=-14 a0=b93db7f4 a1=0 a2=1a20f0 a3=b93db7f0 items=0 ppid=1 pid=2231 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
and
type=AVC msg=audit(1203608414.575:14): avc: denied { getcap } for pid=2295 comm="ntpd" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=process
type=SYSCALL msg=audit(1203608414.575:14): arch=40000003 syscall=184 success=no exit=-14 a0=b8ab14cc a1=0 a2=2ad0f0 a3=b8ab14c8 items=0 ppid=1 pid=2295 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key=(null)
tom
--
Tom London
16 years, 2 months
Re: SELinux smolt stats
by James Morris
On Wed, 20 Feb 2008, Valent Turkovic wrote:
> James Morris wrote:
> > It seems that the SELinux enablement stats are now online -- thanks!
> >
> > I have a question about what the numbers mean. The current values are:
> >
> > SELinux Enabled
> > False 185085 53.3 %
> > True 162262 46.7 %
>
> If these arguments are true for Fedora 8, then it looks like more people
> dislike selinux than like it, right?
Why did you delete the rest of the email, which queried these numbers and
suggested that the real figure for enablement was much higher?
btw, I asked off-list for a raw SQL query for just F8 systems (which have
been reporting SELinux stats all along), and the "Enabled=True" value is
currently 94%.
It's not clear to me what these numbers really mean, and I think it may be
some time before we are able to really see what's happening (e.g. between
smolt changes, initial reports, re-reporting, different distro versions
with different levels of usability, permissive vs. enforcing etc.).
- James
--
James Morris
<jmorris(a)namei.org>
16 years, 2 months
Relocate directories (e.g. tmp): how?
by S P Arif Sahari Wibowo
Hi!
Is there any generic and straightforward way to adjust SELinux to
allow functional directories to be replaced by a symlink to another
location?
For example, I have always relocated the tmp and var directories
to one separate volume (rapidly changing content). Usually the
volume is mounted on /var and /tmp is a symlink to var/tmp. This
arrangement has been working well for me until RHEL / CentOS 4.
Then when I tried Fedora 8, this setup stopped working: SELinux
stops some programs - e.g. Xorg and the dhcp client - from working
with this tmp symlink.
Is there a mechanism to tell SELinux to treat everything under
/var/tmp the same as under /tmp?
Thanks!
--
(stephan paul) Arif Sahari Wibowo
_____ _____ _____ _____
/____ /____/ /____/ /____
_____/ / / / _____/ http://www.arifsaha.com/
Xinnian Kuaile! 新年快樂 Gongxi Facai 恭喜發財
16 years, 2 months
mailman doesn't receive messages from sendmail on fresh F8 install
by Edward Kuns
I freshly installed F8 on a new box, then copied the mailman and
sendmail configuration over from the old box. I made sure everything
was labeled correctly with "restorecon -r -v /etc" and the same for /var
where mailman lives.
The web pages work, but if I try to send a message to any list, I get
SELinux alerts that prevent the message from going through. I don't
believe I was using selinux on the old machine. I know I could just set
selinux to permissive mode and this would probably work, but I'd rather
understand what the problem is and fix it.
Below are the selinux complaints generated from trying to send to the
mailman test list on my server:
Any ideas on what I can do to fix this? I've been googling for a couple
hours and haven't found anything that fits this situation exactly.
Thanks
Eddie
Summary
SELinux is preventing python (sendmail_t) "search" to <Unknown> (mailman_log_t).
Detailed Description
SELinux denied access requested by python. It is not expected that this access is required by python and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context system_u:system_r:sendmail_t:s0
Target Context system_u:object_r:mailman_log_t:s0
Target Objects None [ dir ]
Affected RPM Packages
Policy RPM selinux-policy-3.0.8-84.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name kilroy.chi.il.us
Platform Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count 15
First Seen Mon 18 Feb 2008 09:18:28 AM CST
Last Seen Mon 18 Feb 2008 01:06:39 PM CST
Local ID 78d260f8-f1d3-49b3-bea6-bc0cc400735c
Line Numbers
Raw Audit Messages
avc: denied { search } for comm=python dev=dm-2 egid=41 euid=8 exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0 name=mailman pid=12198 scontext=system_u:system_r:sendmail_t:s0 sgid=41 subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=dir tcontext=system_u:object_r:mailman_log_t:s0 tty=(none) uid=8
Summary
SELinux is preventing python (sendmail_t) "getattr" to /var/lib/mailman/lists/mailman/config.pck (mailman_data_t).
Detailed Description
SELinux denied access requested by python. It is not expected that this access is required by python and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/mailman/lists/mailman/config.pck, restorecon -v /var/lib/mailman/lists/mailman/config.pck If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context system_u:system_r:sendmail_t:s0
Target Context system_u:object_r:mailman_data_t:s0
Target Objects /var/lib/mailman/lists/mailman/config.pck [ file ]
Affected RPM Packages
Policy RPM selinux-policy-3.0.8-84.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name kilroy.chi.il.us
Platform Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count 1
First Seen Mon 18 Feb 2008 01:06:39 PM CST
Last Seen Mon 18 Feb 2008 01:06:39 PM CST
Local ID 5d954998-3826-4af2-9569-0295ae134c27
Line Numbers
Raw Audit Messages
avc: denied { getattr } for comm=python dev=dm-2 egid=41 euid=8 exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0 path=/var/lib/mailman/lists/mailman/config.pck pid=12198 scontext=system_u:system_r:sendmail_t:s0 sgid=41 subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=file tcontext=system_u:object_r:mailman_data_t:s0 tty=(none) uid=8
Summary
SELinux is preventing python (sendmail_t) "getattr" to /var/lib/mailman/lists/mailman/config.pck.last (mailman_data_t).
Detailed Description
SELinux denied access requested by python. It is not expected that this access is required by python and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/mailman/lists/mailman/config.pck.last, restorecon -v /var/lib/mailman/lists/mailman/config.pck.last If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context system_u:system_r:sendmail_t:s0
Target Context system_u:object_r:mailman_data_t:s0
Target Objects /var/lib/mailman/lists/mailman/config.pck.last [ file ]
Affected RPM Packages
Policy RPM selinux-policy-3.0.8-84.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name kilroy.chi.il.us
Platform Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count 1
First Seen Mon 18 Feb 2008 01:06:39 PM CST
Last Seen Mon 18 Feb 2008 01:06:39 PM CST
Local ID 37d2b949-06bf-4cb0-845e-6aa41a16076c
Line Numbers
Raw Audit Messages
avc: denied { getattr } for comm=python dev=dm-2 egid=41 euid=8 exe=/usr/bin/python exit=-13 fsgid=41 fsuid=8 gid=41 items=0 path=/var/lib/mailman/lists/mailman/config.pck.last pid=12198 scontext=system_u:system_r:sendmail_t:s0 sgid=41 subj=system_u:system_r:sendmail_t:s0 suid=8 tclass=file tcontext=system_u:object_r:mailman_data_t:s0 tty=(none) uid=8
16 years, 2 months
Problem with apache accessing files outside of /var/www/html directory
by David Bartmess
I'm trying to get apache to serve up via a CGI script the formatted contents
of a directory outside of the DocumentRoot directory structure, and SELinux
is giving me a "Permissions Denied" error.
How can I modify the SELinux context on the files being shown to fix this?
The current files/dirs have the following context:
drwxr-xr-x apache apache system_u:object_r:default_t v1x3x3_R3-6
drwxr-xr-x apache apache system_u:object_r:default_t v1x3x4-R1-0
drwxr-xr-x apache apache system_u:object_r:default_t v1x3x4-R2-0
-rwxr-xr-x apache apache system_u:object_r:default_t ASUCTests_v1-2-3_b1x3x4.R2_JUnitReport.zip
-rwxr-xr-x apache apache system_u:object_r:default_t Emma_Acquisition_Configuration_v2-3-0.zip
I'm a newbie at this SELinux stuff, so please speak clearly <grin>
David Bartmess. Configuration Manager
Cell: +1 (303) 883-9117
Office:+1 (303) 256-5123
16 years, 2 months
[F8] (Re)Starting httpd reveals php pdf.so stack permission errors...
by Dan Thurman
# setenforce 1 (If set to 0, no following errors are generated)
# service httpd restart
<Generates the following errors>
/etc/log/httpd/errors_log:
=================
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/modules/pdf.so' - libpdf.so.6: cannot enable executable stack as shared object requires: Permission denied in Unknown on line 0
# ls -lZ /usr/lib/php/modules/pdf.so
-rwxr-xr-x root root
system_u:object_r:textrel_shlib_t:s0 /usr/lib/php/modules/pdf.so
# find / -xdev -name libpdf.so.6
<does not exist>
/etc/log/audit/audit_log:
===============
type=AVC msg=audit(1203285527.123:3893): avc: denied { execstack } for pid=21241 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1203285527.123:3893): arch=40000003 syscall=125 success=no exit=-13 a0=bfca1000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=21241 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
SEAlert:
=================================================
Summary
SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" to <Unknown> (httpd_t).
Detailed Description
SELinux denied access requested by /usr/sbin/httpd. It is not expected that this access is required by /usr/sbin/httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects None [ process ]
Affected RPM Packages httpd-2.2.8-1.fc8 [application]
Policy RPM selinux-policy-3.0.8-84.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
Alert Count 10
First Seen Sun 17 Feb 2008 04:50:41 AM PST
Last Seen Sun 17 Feb 2008 01:46:21 PM PST
Local ID b2d0de85-f78b-4945-8d01-1ef26660fe47
Line Numbers
Raw Audit Messages
avc: denied { execstack } for comm=httpd egid=0 euid=0 exe=/usr/sbin/httpd exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20396 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=process tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0
16 years, 2 months
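The denials quoted in the threads above (the avahi, ntpd and dbus "getcap" AVCs, the httpd "execstack" AVC, and the mailman and apache file denials) all share one record format. As an added example, not code from the list or from any of the posters, here is a small parser that reduces each record to source type, permission, object class and target type, decodes the i386 syscall numbers that appear on this page (184 is capget, 125 is mprotect; arch=40000003 is i386) and the errno carried in exit=, and applies the triage a defender would: a target labeled default_t means the files were never given a proper label and need relabeling rather than an allow rule, while a domain denied a permission on its own process is a policy gap to report. The last sample record is constructed from the ls output in the apache thread, not taken from a log.

```python
import errno
import re
from collections import Counter

# Syscall numbers that appear in the records above; arch=40000003 is i386.
I386_SYSCALLS = {125: "mprotect", 184: "capget"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")

def parse_avc(line):
    """Parse one 'avc: denied' record, in the kernel form (type=AVC ...
    comm="x") or the setroubleshoot form (no type=, unquoted values)."""
    m = _DENIED.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in _KV.findall(m.group(2))}
    f["perms"] = tuple(m.group(1).split())
    f["stype"] = f["scontext"].split(":")[2]  # user:role:type[:level]
    f["ttype"] = f["tcontext"].split(":")[2]
    return f

def parse_syscall(line):
    """Decode the SYSCALL record paired with an AVC: syscall name and errno."""
    f = dict(_KV.findall(line))
    if f.get("type") != "SYSCALL":
        return None
    code = -int(f["exit"])
    return {"syscall": I386_SYSCALLS.get(int(f["syscall"]), f["syscall"]),
            "errno": errno.errorcode.get(code, str(code))}

def classify(avc):
    """Triage: default_t means the target was never labeled (relabel it);
    a domain denied a process permission on itself is a policy gap."""
    if avc["ttype"] == "default_t":
        return "unlabeled target (default_t): fix file contexts, do not allow"
    if avc["tclass"] == "process" and avc["stype"] == avc["ttype"]:
        return "domain acting on itself: policy gap, report it"
    return "labeled target: verify labels with restorecon -nv, then policy gap"

def summarise(lines):
    """Count distinct (source type, perms, class, target type) denials."""
    c = Counter()
    for avc in filter(None, map(parse_avc, lines)):
        c[(avc["stype"], avc["perms"], avc["tclass"], avc["ttype"])] += 1
    return c

# Records transcribed from the posts above, joined onto single lines; the
# last one is constructed from David Bartmess's ls output, not from a log.
SAMPLE = [
    'type=AVC msg=audit(1203904427.662:13): avc: denied { getcap } for pid=2255 comm="avahi-daemon" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1203904427.662:13): arch=40000003 syscall=184 success=no exit=-13 a0=8a1a78c a1=0 a2=4cb0f0 a3=8a1a788 items=0 ppid=1 pid=2255 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=system_u:system_r:avahi_t:s0 key=(null)',
    'type=AVC msg=audit(1203608392.877:5): avc: denied { getcap } for pid=2231 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process',
    'avc: denied { search } for comm=python dev=dm-2 egid=41 euid=8 exe=/usr/bin/python exit=-13 name=mailman pid=12198 scontext=system_u:system_r:sendmail_t:s0 tclass=dir tcontext=system_u:object_r:mailman_log_t:s0 uid=8',
    'type=AVC msg=audit(1203285527.123:3893): avc: denied { execstack } for pid=21241 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1203285527.123:3893): arch=40000003 syscall=125 success=no exit=-13 a0=bfca1000 a1=1000 a2=1000007 a3=fffff000 comm="httpd" exe="/usr/sbin/httpd"',
    'avc: denied { read } for comm=httpd name=v1x3x3_R3-6 scontext=system_u:system_r:httpd_t:s0 tclass=dir tcontext=system_u:object_r:default_t:s0',
]
```

Run `summarise(SAMPLE)` for the grouped counts, or `classify(parse_avc(line))` and `parse_syscall(line)` on an AVC/SYSCALL pair pulled from `ausearch -m AVC,SYSCALL` output.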