SELinux is preventing rsyslogd (syslogd_t) "read" to ./System.map-2.6.25-0.95.rc4.fc9 (system_map_t).
by Antonio Olivares
Dear all,

Upon installing the updates of rawhide Report 20080308, I got the following from setroubleshooter. Suggestions/Comments are welcome.

Regards,
Antonio
Summary:

SELinux is preventing rsyslogd (syslogd_t) "read" to ./System.map-2.6.25-0.95.rc4.fc9 (system_map_t).

Detailed Description:

SELinux denied access requested by rsyslogd. It is not expected that this access is required by rsyslogd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./System.map-2.6.25-0.95.rc4.fc9,
restorecon -v './System.map-2.6.25-0.95.rc4.fc9'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                unconfined_u:system_r:syslogd_t
Target Context                system_u:object_r:system_map_t
Target Objects                ./System.map-2.6.25-0.95.rc4.fc9 [ file ]
Source                        rsyslogd
Source Path                   /sbin/rsyslogd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           rsyslog-2.0.2-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-12.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.25-0.95.rc4.fc9 #1 SMP Thu Mar 6 01:17:49 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Sat 08 Mar 2008 07:58:10 AM CST
Last Seen                     Sat 08 Mar 2008 07:58:10 AM CST
Local ID                      b9ac46d0-bfde-485c-8cec-2547c11a4daf
Line Numbers
Raw Audit Messages

host=localhost type=AVC msg=audit(1204984690.594:21): avc: denied { read } for pid=2913 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.fc9" dev=sda3 ino=6052 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file

host=localhost type=SYSCALL msg=audit(1204984690.594:21): arch=40000003 syscall=5 success=no exit=-13 a0=1357c0 a1=0 a2=1b6 a3=0 items=0 ppid=2912 pid=2913 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="rsyslogd" exe="/sbin/rsyslogd" subj=unconfined_u:system_r:syslogd_t:s0 key=(null)
New AVCs with today's rawhide.... (mostly xdm related)
by Tom London
Running rawhide, targeted.
Had problems after today's rawhide update.
Booting in permissive mode produced:
module localxdm 1.0;

require {
        type unconfined_t;
        type security_t;
        type xdm_var_lib_t;
        type syslogd_t;
        type unconfined_execmem_t;
        type xdm_xserver_t;
        type system_map_t;
        type mono_t;
        type xdm_t;
        type mount_t;
        class unix_stream_socket { read write };
        class x_property read;
        class security { check_context compute_create compute_av };
        class file { read write getattr };
        class dir { write read mounton };
}

#============= mono_t ==============
allow mono_t unconfined_t:x_property read;

#============= mount_t ==============
allow mount_t xdm_t:unix_stream_socket { read write };
allow mount_t xdm_var_lib_t:dir { write read mounton };

#============= syslogd_t ==============
allow syslogd_t system_map_t:file { read getattr };

#============= unconfined_execmem_t ==============
allow unconfined_execmem_t unconfined_t:x_property read;
allow unconfined_execmem_t xdm_t:x_property read;

#============= xdm_t ==============
allow xdm_t xdm_var_lib_t:dir mounton;

#============= xdm_xserver_t ==============
allow xdm_xserver_t security_t:dir read;
allow xdm_xserver_t security_t:file { write read };
allow xdm_xserver_t security_t:security { check_context compute_create compute_av };
I'll attach the raw audit file below.
In addition, there were two avcs produced in /var/log/messages before
the start of audit:
Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:3): avc: denied { read } for pid=2257 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file

Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc: denied { getattr } for pid=2257 comm="rsyslogd" path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file

Not sure all of these need to be "allow", but "semodule -i localxdm.pp" makes the system boot and run in enforcing mode.
tom
--
Tom London
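A triage helper for raw records like the ones quoted in this and the previous report (an added example, not code from any poster or from setroubleshoot; the sample records are constructed from the messages above, re-joined onto single lines and trimmed). It pairs each AVC with its SYSCALL record by audit serial, reads off whether the syscall actually failed, and derives the rule audit2allow would emit, so a denial can be assessed before any module is built.

```python
import re
from collections import defaultdict
# Constructed sample: records quoted in this thread, re-joined onto one string
# each (the archive wrapped them) and trimmed. Kernel-log lines use type=1400.
SAMPLE = [
    'host=localhost type=AVC msg=audit(1204984690.594:21): avc: denied { read } '
    'for pid=2913 comm="rsyslogd" name="System.map-2.6.25-0.95.rc4.fc9" '
    'scontext=unconfined_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:system_map_t:s0 tclass=file',
    'host=localhost type=SYSCALL msg=audit(1204984690.594:21): syscall=5 '
    'success=no exit=-13 pid=2913 comm="rsyslogd" exe="/sbin/rsyslogd" key=(null)',
    'Mar 8 09:49:52 localhost kernel: type=1400 audit(1204998591.798:4): avc: '
    'denied { getattr } for pid=2257 comm="rsyslogd" '
    'path="/boot/System.map-2.6.25-0.95.rc4.local2.fc9" dev=sda3 ino=6064 '
    'scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:system_map_t:s0 tclass=file',
]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value, value maybe quoted
SERIAL = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # audit(timestamp:serial)
PERMS = re.compile(r'denied\s*\{([^}]*)\}')        # denied { perm perm ... }

def parse_record(line):
    """Return key=value fields plus 'ts', 'serial' and (for AVC) 'perms'."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = SERIAL.search(line)
    rec['ts'], rec['serial'] = float(m.group(1)), int(m.group(2))
    m = PERMS.search(line)
    if m:
        rec['perms'] = set(m.group(1).split())
    return rec

def allow_rule(avc):
    """The rule audit2allow would emit; keeps only the type of each context."""
    s, t = (avc[k].split(':')[2] for k in ('scontext', 'tcontext'))
    return 'allow %s %s:%s { %s };' % (s, t, avc['tclass'], ' '.join(sorted(avc['perms'])))

def triage(lines):
    """Pair AVC records with their SYSCALL record via (timestamp, serial)."""
    events = defaultdict(lambda: {'avcs': [], 'syscall': None})
    for line in lines:
        rec = parse_record(line)
        ev = events[(rec['ts'], rec['serial'])]
        if rec['type'] in ('AVC', '1400'):
            ev['avcs'].append(rec)
        elif rec['type'] == 'SYSCALL':
            ev['syscall'] = rec
    out = []
    for (ts, serial), ev in sorted(events.items()):
        sc = ev['syscall']
        # exit=-13 is EACCES: success=no means the denial was enforced; success=yes
        # beside a denial points at permissive mode. No SYSCALL record -> None.
        enforced = None if sc is None else sc['success'] == 'no'
        for avc in ev['avcs']:
            out.append({'serial': serial, 'rule': allow_rule(avc),
                        'object': avc.get('path') or avc.get('name'),
                        'exe': sc['exe'] if sc else None, 'enforced': enforced})
    return out
```

The kernel-log form (type=1400, as in /var/log/messages above) carries no SYSCALL record, so the outcome is reported as unknown rather than guessed.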
getting denials when run from init script but not from command-line
by Johnny Tan
I took the Fedora-8 SRPM for rsyslog 2.0.2 and rebuilt it for CentOS-5 x86_64. After doing:

# semanage fcontext -a -t syslogd_exec_t /sbin/rsyslogd
# semanage fcontext -a -t klogd_exec_t /sbin/rklogd

I can do "service rsyslog start" and it works.

Then, I did the rebuild for rsyslog version 3.11.6. Had to tweak the spec and conf files a bit, but got it packaged and installed. And made sure the above contexts were retained (they were).

However, when I go to run it "service rsyslog start" using the same init script that worked with the 2.0.2 version, I get this:
==
type=SYSCALL msg=audit(03/05/2008 17:43:26.966:224) : arch=x86_64 syscall=bind success=yes exit=0 a0=1 a1=51b2ae0 a2=10 a3=7fffa9e3f63c items=0 ppid=29717 pid=29718 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=rsyslogd exe=/sbin/rsyslogd subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(03/05/2008 17:43:26.966:224) : avc: denied { node_bind } for pid=29718 comm=rsyslogd src=61514 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
==
BUT, when I run it directly from the command-line:

/sbin/rsyslogd

I do NOT get those denials.

I know how to create the module to allow the above, but what I'm more interested in is what allows me to run it from the command-line but not from the init script.

The line that starts the rsyslogd in the init script is:

daemon rsyslogd $SYSLOGD_OPTIONS

("daemon" being a function sourced from /etc/init.d/functions)

But even if I replace that line with a simple:

/sbin/rsyslogd

it still gives me the denials.

Anyone have ideas why? I don't want to just create the module and sweep this under the rug.

Here's the full start() function section of the /etc/init.d/rsyslog:
start() {
        [ -x /sbin/rsyslogd ] || exit 5

        # Source config
        if [ -f /etc/sysconfig/rsyslog ] ; then
                . /etc/sysconfig/rsyslog
        else
                KLOGD_OPTIONS="-2"
        fi

        if [ -z "$SYSLOG_UMASK" ] ; then
                SYSLOG_UMASK=077;
        fi
        umask $SYSLOG_UMASK

        echo -n $"Starting system logger: "
        daemon rsyslogd $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/rsyslog
        return $RETVAL
}
Thanks,
johnn
SELinux is preventing npviewer.bin (nsplugin_t) "write" to controlC0 (sound_device_t)
by Antonio Olivares
npviewer again; how to fix this?

Thanks in Advance (TIA)

Regards,
Antonio
Summary:

SELinux is preventing npviewer.bin (nsplugin_t) "write" to controlC0 (sound_device_t).

Detailed Description:

SELinux denied access requested by npviewer.bin. It is not expected that this access is required by npviewer.bin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for controlC0,
restorecon -v 'controlC0'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                unconfined_u:unconfined_r:nsplugin_t:SystemLow-SystemHigh
Target Context                system_u:object_r:sound_device_t
Target Objects                controlC0 [ chr_file ]
Source                        npviewer.bin
Source Path                   /usr/lib/nspluginwrapper/npviewer.bin
Port                          <Unknown>
Host                          localhost
Source RPM Packages           nspluginwrapper-0.9.91.5-24.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-12.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.25-0.95.rc4.fc9 #1 SMP Thu Mar 6 01:17:49 EST 2008 i686 athlon
Alert Count                   38
First Seen                    Sat 08 Mar 2008 01:14:52 PM CST
Last Seen                     Sat 08 Mar 2008 01:14:53 PM CST
Local ID                      9114420d-3aef-41ef-beec-bea0499d79df
Line Numbers
Raw Audit Messages

host=localhost type=AVC msg=audit(1205003693.102:60): avc: denied { write } for pid=2954 comm="npviewer.bin" name="controlC0" dev=tmpfs ino=5307 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file

host=localhost type=SYSCALL msg=audit(1205003693.102:60): arch=40000003 syscall=5 success=no exit=-13 a0=bfe512ea a1=2 a2=1e a3=2 items=0 ppid=2870 pid=2954 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
SELinux is preventing gnome-clock-app (gnomeclock_t) "sys_nice" to <Unknown> (gnomeclock_t).
by Antonio Olivares
Dear all,

System time is behind 5 hours. When booting the livecd the time is correct, and in Windows also, but in Fedora it is behind 5 hours. I had ntpd to keep the time correct, but somehow it did not correct the time. Upon trying to change the date via the panel, I was greeted with
Summary:

SELinux is preventing gnome-clock-app (gnomeclock_t) "sys_nice" to <Unknown> (gnomeclock_t).

Detailed Description:

SELinux denied access requested by gnome-clock-app. It is not expected that this access is required by gnome-clock-app and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:gnomeclock_t:SystemLow-SystemHigh
Target Context                system_u:system_r:gnomeclock_t:SystemLow-SystemHigh
Target Objects                None [ capability ]
Source                        gnome-clock-app
Source Path                   /usr/libexec/gnome-clock-applet-mechanism
Port                          <Unknown>
Host                          localhost
Source RPM Packages           gnome-panel-2.21.92-5.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-12.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost
Platform                      Linux localhost 2.6.25-0.95.rc4.fc9 #1 SMP Thu Mar 6 01:17:49 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Sat 08 Mar 2008 01:12:37 PM CST
Last Seen                     Sat 08 Mar 2008 01:12:37 PM CST
Local ID                      d97e2362-cf08-4c53-a387-56e7c332aaf9
Line Numbers
Raw Audit Messages

host=localhost type=AVC msg=audit(1205003557.746:18): avc: denied { sys_nice } for pid=2839 comm="gnome-clock-app" capability=23 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability

host=localhost type=SYSCALL msg=audit(1205003557.746:18): arch=40000003 syscall=3 success=yes exit=198 a0=9 a1=bf952768 a2=1000 a3=0 items=0 ppid=1 pid=2839 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Thanks in advance

Regards,
Antonio
rawhide, upstart, mls, telinit and udp
by Joe Nall
In rawhide (upstart) mls, I'm seeing avcs like

allow initrc_t init_t:unix_dgram_socket sendto;
allow init_t staff_t:unix_dgram_socket sendto;
allow init_t user_t:unix_dgram_socket sendto;

Reading the init.if file there is an empty, deprecated udp interface for init.

Adding the following to the init_telinit interface fixes the avc, but it looks like the new interface may be the old udp ...
--- serefpolicy-3.3.1/policy/modules/system/init.if.orig 2008-03-08
14:57:10.000000000 -0600
+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-03-08
14:58:08.000000000 -0600
@@ -470,10 +470,12 @@ interface(`init_write_initctl',`
interface(`init_telinit',`
gen_require(`
type initctl_t;
+ type init_t;
')
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
init_exec($1)
')
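Review bot: the added `allow $1 init_t:unix_dgram_socket sendto;` gives every caller of init_telinit datagram access to init next to the existing `allow $1 initctl_t:fifo_file rw_fifo_file_perms;`, but nothing in the hunk records why both paths are kept; the interface's description block above the hunk should state which init implementation needs which channel (the post attributes the new denials to upstart). Since the same post notes that init.if already carries an empty, deprecated udp interface for init, either retire that interface in this change or document in it that init_telinit now covers the access, so the two do not drift apart. The `type init_t;` addition to gen_require is correct and required by the new rule.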
joe
how to allow one program to mount to /tmp?
by Johnny Tan
I use puppet to do config management. It writes to
/tmp/puppet.$$ files to capture the output of commands, then
reads in from those tmp files after.
It seems that when puppet attempts to do a mount command to
/tmp, selinux is denying it.
When I do audit2allow, it comes up with this:
==
require {
type initrc_tmp_t;
type mount_t;
class file { read write };
}
#============= mount_t ==============
allow mount_t initrc_tmp_t:file { read write };
==
To me, this seems a bit broad. The above allows any program
to mount to /tmp, right?
How can I modify it such that only my puppet program is
allowed, but continued to deny all others?
johnn
/var/tmp/host_0 context getting set to initrc_tmp_t
by Jason L Tibbitts III
I'm trying to track down a situation where the context of /var/tmp/host_0 somehow gets set to initrc_tmp_t instead of krb5_host_rcache_t. When this happens, I get the following denial:

audit(1204783558.948:68): avc: denied { getattr } for pid=11121 comm="sshd" path="/var/tmp/host_0" dev=dm-3 ino=753668 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file

and ssh gssapi authentication stops working.

This machine is a kerberos slave server, and my best guess is that kpropd (which runs as initrc_t) is rewriting (i.e. deleting and recreating) that file at some point. Unfortunately I can't cause it to happen so I'm not sure that's what's going on.

This is probably a corner case among corner cases, but has anyone seen anything like this?
- J<
Rawhide mls avcs on boot
by Joe Nall
rawhide mls (selinux-policy-3.3.1-11) has a number of these avcs in /var/log/messages on boot

Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:5): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.560:6): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
Mar 6 10:00:01 xw4100 kernel: type=1400 audit(1204819180.561:7): avc: denied { unmount } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem

is adding

allow kernel_t proc_t:filesystem unmount;
allow kernel_t sysfs_t:filesystem unmount;
allow kernel_t tmpfs_t:filesystem unmount;

to kernel.te the correct fix for this?
joe
gvfs AVC mounting /var/lib/gdm/.gvfs
by Tom London
See this after today's rawhide update (targeted/enforcing):
type=LABEL_LEVEL_CHANGE msg=audit(1204827382.645:12): user pid=2409 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Local uri=file:/dev/null banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=127.0.0.1, terminal=? res=success)'
type=AVC msg=audit(1204827439.066:13): avc: denied { mounton } for pid=2827 comm="gvfs-fuse-daemo" path="/var/lib/gdm/.gvfs" dev=dm-0 ino=66829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1204827439.066:13): arch=40000003 syscall=21 success=no exit=-13 a0=9fa94d0 a1=9fa89e8 a2=9fa9510 a3=6 items=0 ppid=1 pid=2827 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gvfs-fuse-daemo" exe="/usr/libexec/gvfs-fuse-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1204827505.624:14): user pid=2815 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=tbl exe="/usr/libexec/gdm-session-worker" (hostname=?, addr=?, terminal=:0 res=failed)'
--
Tom London