Re: SELinux smolt stats
by James Morris
On Mon, 18 Feb 2008, Yaakov Nemoy wrote:
> > where the percentage enabled is actually thus at least 74%?
>
> We probably need more detailed reporting for this sort of thing. I'll
> put it on a TODO, for after FOSDEM. I wanted to get this draft out,
> so we can decide what reporting we need on a more evolutionary basis.
> (Or by intelligent design if you hold by that sort of thing.)
Ok, can we simply get an answer on how the numbers are arrived at for
cases prior to when SELinux reporting started? i.e. if not reporting
SELinux (F7 etc), is the default to present it on the site as "Disabled" ?
Knowing that, we can simply derive the correct value.
Also, could a note be added to that page so that people don't assume it is
fully correct as stated?
We've had enough problems historically with people adopting one benchmark
result from a range of results as being the overall result, for example.
- James
--
James Morris
<jmorris(a)namei.org>
16 years, 2 months
SELinux smolt stats
by James Morris
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled
False 185085 53.3 %
True 162262 46.7 %
for 347347 registered hosts.
Now, the "OS" column includes several distros and versions, including FC5 and
CentOS 5 through to current rawhide, with the same number of total hosts.
As the SELinux figures have only been collected since F8, does this mean
that we should calculate "total SELinux enabled" only for:
OS Hosts
F8 130282
F7.x (rawhide) 5517
F8.x (rawhide) 920
----------------------------
136719 (actually providing SELinux stats)
----------------------------
where the percentage enabled is actually thus at least 74%?
- James
--
James Morris
<jmorris(a)namei.org>
Selinux config to get linuxprinter working under Fedora 8
by Edward Kuns
I added the following configuration (via system-config-selinux)
to /etc/selinux/targeted/contexts/files/file_contexts.local and this
appears sufficient to get printing working for my Samsung CLP-500
printer using the drivers provided by the manufacturer. These drivers
install partially under /opt/Samsung/mfp/ and partially
under /usr/local/linuxprinter/ (including -- under the bin directory
listed below -- a file "lpr" and a file "llpr").
I notice that settings already exist for Brother printers, so how do I
get these settings added to file_contexts officially for those printers
that use the linuxprinter framework?
/usr/local/linuxprinter/ppd/.* -- system_u:object_r:cupsd_rw_etc_t:s0
/usr/local/linuxprinter/bin/l?lpr -- system_u:object_r:lpr_exec_t:s0
/usr/local/linuxprinter/filters(/.*)? -- system_u:object_r:bin_t:s0
Thanks
Eddie
--
Edward Kuns <ekuns(a)kilroy.chi.il.us>
[ANN]segatex-4.90 released
by Shintaro Fujiwara
I released segatex-4.90.
Incorporated policygentool.
It generates files, but when you do not set a path, the modules will fail when
you try to install them.
I will fix this problem in segatex-5.0.
Please wait.
But you can edit the files, so if you are interested, please try and have some
fun.
--
http://intrajp.no-ip.com/ Home Page
SELinux module to allow a single network port?
by Chris Adams
I originally posted this to the RHEL5 list, but someone pointed me to
this list (I didn't realize there was an SELinux list).
I have done some minor SELinux customizations with a module, and now I'm
trying to do something a little more complicated.
I want to allow a CGI to do a "whois" lookup. It is a perl script that
is attempting to open a TCP socket to port 43. I ran audit2allow, but I
think the generated rule allows CGIs to open outbound sockets to any
port. I'd rather just allow TCP to port 43.
I don't see a defined whois port type, and I don't know quite how to
define it myself in a module.
Help?
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
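One way to do what the post asks, as an added example that is not from the list or the poster: a local policy module that declares its own port type, labels TCP port 43 with it, and grants only the CGI domain `name_connect` to that type, instead of the any-port rule that audit2allow proposed. The new type name `whois_port_t`, the CGI domain `httpd_sys_script_t`, and the build and install commands assume a refpolicy-based Fedora system with selinux-policy-devel installed.

```shell
#!/bin/sh
# Added example: restrict an outbound whois lookup from a CGI script to TCP port 43.
# Assumes a refpolicy-based Fedora with selinux-policy-devel; the type names
# whois_port_t (new) and httpd_sys_script_t (the CGI domain) are assumptions.

# Write the type-enforcement source for the local module into directory $1.
write_whois_te() {
    cat > "$1/whois_cgi.te" <<'EOF'
policy_module(whois_cgi, 1.0)

require {
    type httpd_sys_script_t;
}

# A dedicated port type, so the rule below cannot widen to other ports.
type whois_port_t;
corenet_port(whois_port_t)

# The CGI domain may create a TCP socket and connect only to whois_port_t.
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t whois_port_t:tcp_socket name_connect;
EOF
}

# Build, load, then label the port (the module must be loaded before semanage
# can reference whois_port_t). Requires root; not run by the self-test.
# If port 43 is already labelled with another type, use "semanage port -m".
install_whois_module() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile whois_cgi.pp ) || return 1
    semodule -i "$dir/whois_cgi.pp" || return 1
    semanage port -a -t whois_port_t -p tcp 43
}

# Confirm the generated source grants name_connect to whois_port_t only and
# contains no any-port grant (the port_type attribute or connect_all_ports).
check_whois_te() {
    te="$1/whois_cgi.te"
    grep -q 'whois_port_t:tcp_socket name_connect' "$te" || return 1
    ! grep -Eq 'corenet_tcp_connect_all_ports|port_type:' "$te"
}
```

Any further denials the script triggers (interface or node sendrecv, for instance) belong in this same module, read from audit.log, rather than being papered over with the httpd_can_network_connect boolean.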
RE: CVS Servers [SOLVED]
by Dan Thurman
Daniel J Walsh wrote:
>Paul Howarth wrote:
>> Daniel B. Thurman wrote:
>>>>>> Bind mount:
>>>>>> ========
>>>
>>> Ok, the issue is solved. What I did not know is, you
>>> need to make sure that when you create an empty directory,
>>> you also need to make sure that the ownership of that
>>> directory is: cvs:cvs before bind mounting. So:
>>>
>>> 1) mkdir /cvs
>>> 2) chown cvs:cvs /cvs
>>>
>>> then
>>>
>>> 3) mount --bind /var/cvs /cvs
>>>
>>> it all works now!
>>>
>>>>>> mount --bind /var/cvs /cvs
>>>>>>
[snip!]
One more issue: How do I make the bind-mount permanent,
i.e. do I need to add this to fstab and if so, how?
Dan: As far as LVM, I do not use it. I haven't yet learned of
its benefits so I have not applied it to my current filesystems
for fear of blowing up my current installation.
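An added example, not from the thread, covering the follow-up question: the bind mount of /var/cvs on /cvs is made persistent with an fstab entry, written idempotently so the script can be re-run, and the mounted tree is then shown to carry the cvs_data_t label of /var/cvs (unlike the symlink, which SELinux labelled separately). The fstab path is passed as an argument so the edit can be tried on a copy first; the cvs:cvs ownership step is the one the thread found necessary.

```shell
#!/bin/sh
# Added example (not from the thread): persist the /var/cvs -> /cvs bind mount
# in fstab and verify the label of the mounted tree. Paths follow the thread.

# Append a bind-mount entry to the fstab file $1 for source $2 on mount point
# $3, unless an uncommented entry for that mount point already exists.
add_bind_entry() {
    fstab="$1"; src="$2"; dst="$3"
    if awk -v d="$dst" '/^#/ { next } $2 == d { found=1 } END { exit !found }' "$fstab"; then
        return 0
    fi
    printf '%s\t%s\tnone\tbind\t0 0\n' "$src" "$dst" >> "$fstab"
}

# Number of uncommented fstab entries for mount point $2 (proves idempotence).
count_entries() {
    awk -v d="$2" '/^#/ { next } $2 == d { n++ } END { print n+0 }' "$1"
}

# Mount the entry now and print the labels of source and mount point.
# Requires root and a live fstab; not run by the self-test.
activate_bind_mount() {
    dst="$1"
    mkdir -p "$dst" && chown cvs:cvs "$dst" && mount "$dst" || return 1
    ls -dZ /var/cvs "$dst"
}
```

After `mount /cvs`, `ls -dZ` shows /cvs with the same cvs_data_t context as /var/cvs, which is why the pserver --allow-root=/cvs path works without any chcon.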
CVS Servers
by Dan Thurman
In one of the Fedora CVS server setup, it says that if the
administrator wants to use a simple pserver remote string
such as:
export CVSROOT=':pserver:<username>@<systemname>:/cvs'
Then one has to:
1) /etc/xinetd.d/cvs:
server_args = -f --allow-root=/cvs pserver
2) ln -s /var/cvs /cvs
But the problem here is that SELinux has no context for
the symbolic link /cvs, and therefore denies access.
I tried setting context for /cvs by:
1) chcon -t cvs_data_t
No dice. Does not work.
To see if I can cvs login bypassing Selinux, I tried:
1) setenforce 0
2) cvs login (successfully)
3) setenforce 1
So, what can I do to get SELinux to authorize the /cvs symbolic link
access to /var/cvs?
Thanks-
Dan
qemu-kvm AVC
by Tom London
Hadn't run qemu-kvm for a bit.
Now get this AVC (both enforcing/targeted):
type=AVC msg=audit(1202932089.281:48): avc: denied { execmem } for
pid=10351 comm="qemu-kvm"
scontext=unconfined_u:unconfined_r:unconfined_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1202932089.281:48): arch=40000003 syscall=125
success=no exit=-13 a0=8df0000 a1=1001000 a2=7 a3=a7d5358 items=0
ppid=3049 pid=10351 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:unconfined_t:s0
key=(null)
Not sure if it interferes with anything....
tom
--
Tom London
problems with sending emails from Apache
by "Stanisław T. Findeisen"
Hello, I am using Fedora 7 x86_64, have these packages installed:
selinux-policy-2.6.4-70.fc7
selinux-policy-targeted-2.6.4-70.fc7
and get these errors:
syslog:
Feb 13 18:18:12 srv-1 kernel: audit(1202923092.221:5): avc: denied {
search } for pid=8423 comm="sendmail" name="postfix" dev=sda1
ino=4935485 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
Apache error log:
[Wed Feb 13 18:15:02 2008] [error] [client 84.10.17.54] File does not
exist: /var/www/html/gnu-linux/favicon.ico
sendmail: fatal: open /etc/postfix/main.cf: Permission denied
[Wed Feb 13 20:27:16 2008] [info] [client 84.10.17.54] (70007)The
timeout specified has expired: core_output_filter: writing data to the
network
I think that occurred when the PHP application tried to send email from
within the Apache HTTP server.
STF
named avc (Fedora 8)
by Paul Howarth
Got this one today:
type=AVC msg=audit(1202724149.875:1426): avc: denied { name_bind } for
pid=2468 comm="named" src=2605 scontext=system_u:system_r:named_t:s0
tcontext=system_u:object_r:bgp_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1202724149.875:1426): arch=c000003e syscall=49
success=no exit=-13 a0=38 a1=41400d70 a2=1c a3=41400b6c items=0 ppid=1
pid=2468 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25
sgid=25 fsgid=25 tty=(none) comm="named" exe="/usr/sbin/named"
subj=system_u:system_r:named_t:s0 key=(null)
I suspect that this snippet from the logwatch report is related:
could not update an IPv6 random query port: permission denied: 1 Time(s)
I guess I need to specify the query-source and query-source-v6 bind
options to tie this down?
Paul.