Re: /var/tmp/host_0 context getting set to initrc_tmp_t
by Jason L Tibbitts III
>You don't want to leave daemons running in initrc_t. So you want to put kpropd into a domain, whether an existing one (if something similar in purpose and required accesses exists) or a new one, and then you can
>ensure that the file will get the right type when created.
Well, I understand what you're saying, but I'm just using the stock F8 policy. Is this bugzilla-worthy?
16 years, 1 month
Partitions Mounted by fstab
by Arthur Dent
Hello Chaps,
I'm running SELinux in permissive mode on F8. I was thinking of switching to
enforcing mode and took a peek inside /var/log/messages to see what denials
SELinux is currently reporting. I was *horrified* - there must be thousands
there! Doing "cat /var/log/audit/audit.log" is even worse - it takes about a minute to
scroll through!
They mainly relate to procmail, clamd and samba but I get many reports of
incorrectly labelled files (file_t).
I want to tackle these one step at a time and I think the first place to start
is with the incorrectly labelled files.
I have tried the "touch ./autorelabel; reboot" trick (several times!) but I
still get the same errors.
As a matter of interest, I have a procmail recipe which writes a copy of every
mail I receive to a backup area on my /dev/sda8 partition, mounted as
/mnt/backup/ by fstab. (It is an ext3 partition).
I have tried doing:
"restorecon -v -R /mnt/backup"
and even:
"fixfiles relabel"
on this partition, but I gather this will not work. I think that I must
somehow define a policy for this (and probably other) partition(s), but I am
unclear as to how to go about this.
I am reasonably familiar with Linux generally, but am a complete SELinux
virgin (and frankly scared silly of it). I normally turn off SELinux as my
first action after installing a distro, but I think it's about time I got to
grips with its security benefits.
I would be very grateful therefore if someone could hold my hand through this
learning process!
I have to run this particular box headless and access via ssh so I have to do
everything with command-line tools.
Thanks in advance...
Mark
16 years, 1 month
Please help getting a policy to compile with mta_send_mail()
by Edward Kuns
I know I must be doing something wrong, but hours and hours of googling
have not turned up any help. The following is in myclamav.te:
module myclamav 1.0;
require {
type shell_exec_t;
type sendmail_exec_t;
type bin_t;
type clamd_t;
class dir search;
class file { execute getattr };
}
mta_send_mail(clamd_t);
#============= clamd_t ==============
allow clamd_t bin_t:dir search;
allow clamd_t sendmail_exec_t:file { execute getattr };
allow clamd_t shell_exec_t:file getattr;
As root, I run:
checkmodule -m myclamav.te
which if I understand things will compile the TE file into a PP file
which I can load. However, it complains about a syntax error on the
mta_send_mail line. I've tried a lot of variations, but I cannot make
this file compile.
Looking for examples, I look in /etc/selinux/targeted/src, but the "src"
directory does not exist. I believe I have all RPMs installed that I
need:
# rpm -qa 'selinux*' 'setroubleshoot*' 'setools*'
selinux-policy-targeted-3.0.8-87.fc8
setools-console-3.3.1-7.fc8
selinux-policy-devel-3.0.8-87.fc8
selinux-doc-1.26-1.1
selinux-policy-3.0.8-87.fc8
setroubleshoot-server-2.0.5-2.fc8
setroubleshoot-2.0.5-2.fc8
setroubleshoot-plugins-2.0.4-3.fc8
setools-3.3.1-7.fc8
setools-libs-tcl-3.3.1-7.fc8
setools-libs-3.3.1-7.fc8
setools-gui-3.3.1-7.fc8
I know I must be missing something obvious, but I am out of clues.
Thanks
Eddie
16 years, 1 month
qemu-kvm AVCs for tmp_t with -smb
by Tom London
Running rawhide, targeted/permissive:
Get the following when I run "qemu-kvm .... -smb ~/dir":
type=AVC msg=audit(1204759184.650:46): avc: denied { write } for
pid=12188 comm="qemu-kvm" name="tmp" dev=dm-0 ino=2686977
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:46): avc: denied { add_name } for
pid=12188 comm="qemu-kvm" name="qemu-smb.12188"
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:46): avc: denied { create } for
pid=12188 comm="qemu-kvm" name="qemu-smb.12188"
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1204759184.650:46): arch=40000003 syscall=39
success=yes exit=0 a0=82cb740 a1=1c0 a2=8177c24 a3=bfd0e6fd items=0
ppid=12187 pid=12188 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:qemu_t:s0
key=(null)
type=AVC msg=audit(1204759184.650:47): avc: denied { write } for
pid=12188 comm="qemu-kvm" name="qemu-smb.12188" dev=dm-0 ino=2687085
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:47): avc: denied { add_name } for
pid=12188 comm="qemu-kvm" name="smb.conf"
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:47): avc: denied { create } for
pid=12188 comm="qemu-kvm" name="smb.conf"
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1204759184.650:47): avc: denied { write } for
pid=12188 comm="qemu-kvm" name="smb.conf" dev=dm-0 ino=2687118
scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1204759184.650:47): arch=40000003 syscall=5
success=yes exit=3 a0=bfd0b150 a1=8241 a2=1b6 a3=240 items=0
ppid=12187 pid=12188 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:qemu_t:s0
key=(null)
type=AVC msg=audit(1204759184.651:48): avc: denied { getattr } for
pid=12188 comm="qemu-kvm" path="/tmp/qemu-smb.12188/smb.conf" dev=dm-0
ino=2687118 scontext=unconfined_u:unconfined_r:qemu_t:s0
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1204759184.651:48): arch=40000003 syscall=197
success=yes exit=0 a0=3 a1=bfd09fa4 a2=2aaff4 a3=a3c6d60 items=0
ppid=12187 pid=12188 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="qemu-kvm"
exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:qemu_t:s0
key=(null)
or
#============= qemu_t ==============
allow qemu_t tmp_t:dir { write create add_name };
allow qemu_t tmp_t:file { write create getattr };
Is this a problem caused by me running the shell commands instead of
virt-manager?
tom
--
Tom London
16 years, 1 month
gvfs-fuse-daemon throws read/write AVC for /dev/fuse
by Tom London
Running rawhide, targeted/enforcing (selinux-policy-3.3.1-10.fc9.noarch)
Notice this in /var/log/audit/audit.log:
type=AVC msg=audit(1204736621.705:13): avc: denied { read write }
for pid=2823 comm="gvfs-fuse-daemo" name="fuse" dev=tmpfs ino=2019
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1204736621.705:13): arch=40000003 syscall=5
success=no exit=-13 a0=9d9118 a1=8002 a2=0 a3=8002 items=0 ppid=1
pid=2823 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295
comm="gvfs-fuse-daemo" exe="/usr/libexec/gvfs-fuse-daemon"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
But gvfs-fuse-daemon appears to be running in unconfined_t, so why xdm_t?
[root@localhost ~]# ps agxZ | grep gvfs
unconfined_u:unconfined_r:unconfined_t 3130 ? S 0:00 /usr/libexec/gvfsd
unconfined_u:unconfined_r:unconfined_t 3137 ? Ssl 0:00
/usr/libexec//gvfs-fuse-daemon /home/tbl/.gvfs
unconfined_u:unconfined_r:unconfined_t 3144 ? S 0:00
/usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
unconfined_u:unconfined_r:unconfined_t 3155 ? S 0:00
/usr/libexec/gvfsd-burn --spawner :1.8 /org/gtk/gvfs/exec_spaw/1
unconfined_u:unconfined_r:unconfined_t 3673 pts/0 S+ 0:00 grep gvfs
[root@localhost ~]#
The AVC appears to occur after the CUPS LABEL_LEVEL_CHANGES audit
messages, but before the USER_AUTH from gdm-greeter.
Is this some sort of transition/timing issue?
tom
--
Tom London
16 years, 1 month
Support for xorg-x11-drv-ivtv
by Nicolas Chauvet
Hello !
I maintain xorg-x11-drv-ivtv within fedora. This is a Xorg driver for
the PVR-350 video device.
Quote of the developer:
-------------------
One thing I did notice in testing is that SELinux blocks X from
accessing /dev/video48. This cripples the ivtv X driver, since it requires
the video device (video48->video55) to add Xv overlay support to X. Without
Xv support, video playback in programs such as mplayer, xine, mythtv, etc.
won't work very well. I've attached the actual report from SELinux regarding
the device access.
------------------
I wonder if this special context should be handled with a
selinux-policy-'any' package and if something with udev device
creation would be required.
This driver remains in updates-testing for now (with F-7 F-8) and will
hit Rawhide as soon as I have backported the required libpciaccess
patch.
Nicolas (kwizart)
16 years, 1 month
Trying SELinux again on CentOS 5.1 - local script problems
by Robert Nichols
Being masochistic by nature, I decided to take another crack at getting
SELinux running on my system, and ran into a couple of problems with
some important local scripts. First, some system information:
System: CentOS 5.1 on an Intel Pentium 4 CPU
kernel-2.6.18-53.1.13.el5
selinux-policy-targeted-2.4.6-106.el5_1.3
setools-3.0-3.el5
Problem 1:
Here, my dhclient-exit-hooks script is examining the 'named' configuration
file to verify that the local DNS server will be forwarding queries to the
servers assigned by DHCP. The script will reconfigure and restart 'named'
if necessary, and that would undoubtedly result in more AVCs. Testing every
combination of things that might happen is impractical, so just running
audit2allow on these AVCs is almost certainly insufficient. Operation of
this script absolutely must not be blocked. How can I open the door wide
enough to ensure that?
avc: denied { search } for pid=2551 comm="dhclient-script" name="named" dev=hda6 ino=267649
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
avc: denied { search } for pid=2551 comm="dhclient-script" name="chroot" dev=hda6 ino=267651
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
avc: denied { getattr } for pid=2551 comm="dhclient-script" path="/var/named/chroot/etc/named.conf" dev=hda6
ino=267674 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
avc: denied { read } for pid=2599 comm="grep" name="named.conf" dev=hda6 ino=267674
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
Problem 2:
Here, my ifup-local script is starting a tcpdump capture on eth1. It is
important to me that this capture begin automatically when the eth1 link
is started. The actual directory where the capture files are stored has
been given a context system_u:object_r:netutils_tmp_t, and that works
without complaint (and does not appear below). Is there a way to make
this work other than blindly running audit2allow on all these AVCs?
Other than perhaps the stderr file (/root/eth1-cap.out), I don't see any
possibility of adjusting target contexts. (Why system_u:system_r:netutils_t
should be denied search and read permission in /proc is puzzling.)
avc: denied { write } for pid=2670 comm="tcpdump" path="/root/eth1-cap.out" dev=hda2 ino=43920
scontext=system_u:system_r:netutils_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
avc: denied { search } for pid=2670 comm="tcpdump" name="nscd" dev=hda6 ino=283420
scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
avc: denied { search } for pid=2670 comm="tcpdump" name="sys" dev=proc ino=-268435428
scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir
avc: denied { search } for pid=2670 comm="tcpdump" name="kernel" dev=proc ino=-268435416
scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
avc: denied { read } for pid=2670 comm="tcpdump" name="ngroups_max" dev=proc ino=-268435369
scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
avc: denied { search } for pid=2670 comm="tcpdump" name="/" dev=hdb1 ino=2 scontext=system_u:system_r:netutils_t:s0
tcontext=system_u:object_r:default_t:s0 tclass=dir
That last AVC is puzzling, because the root directory ("/") is not located
on hdb1. That device holds the directory where the capture files are
being stored. Inode 2 on /dev/hdb1 is on mount point "/x" in the
filesystem.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
16 years, 1 month
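The three posts above (Edward's hand-written myclamav.te, the audit2allow rules in the qemu-kvm -smb post, and Robert's question about "blindly running audit2allow") all revolve around the same step: turning a batch of AVC records into allow rules you can read before you load them. The script below is an added example, not code from any of the posts or from audit2allow itself; it merges denials per (source type, target type, class), emits a .te skeleton in the require-block form that checkmodule compiles directly, and flags target types such as default_t or file_t that point at a labelling problem rather than at missing policy. The module name and the LABELING_TYPES set are my choices; the sample records are copied from the qemu-kvm and tcpdump posts and embedded inline.

```python
import re
# One pattern covers raw audit.log records ("type=AVC msg=audit(...): avc: denied")
# and the syslog-style "avc: denied" lines of the dhclient/tcpdump post; records
# wrapped over several lines still match because DOTALL lets ".*?" cross newlines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)",
    re.DOTALL,
)
# Target types meaning "this object never got a proper label": a denial against
# them calls for restorecon/fcontext work, not for an allow rule (my choice of set).
LABELING_TYPES = {"file_t", "default_t", "unlabeled_t"}

def type_of(ctx):
    """user:role:type[:range] -> type (works for s0 and s0-s0:c0.c1023 ranges)."""
    return ctx.split(":")[2]

def aggregate(text):
    """{(source_type, target_type, tclass): sorted perms}, merging duplicates as audit2allow does."""
    rules = {}
    for m in AVC_RE.finditer(text):
        key = (type_of(m["sctx"]), type_of(m["tctx"]), m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return {k: sorted(v) for k, v in rules.items()}

def labeling_problems(rules):
    """Rules whose target type points at mislabelling rather than missing policy."""
    return [k for k in rules if k[1] in LABELING_TYPES]

def render_module(name, rules):
    """A .te skeleton with the require block checkmodule needs, in the myclamav.te layout."""
    types, classes = set(), {}
    for (s, t, cls), perms in rules.items():
        types.update((s, t))
        classes.setdefault(cls, set()).update(perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += ["allow %s %s:%s { %s };" % (s, t, cls, " ".join(p)) for (s, t, cls), p in rules.items()]
    return "\n".join(out) + "\n"

# Sample input copied from the qemu-kvm post (events 46-48, re-wrapped one record per
# line; the SYSCALL record is kept to show it is ignored) and from the tcpdump post.
QEMU_LOG = """\
type=AVC msg=audit(1204759184.650:46): avc: denied { write } for pid=12188 comm="qemu-kvm" name="tmp" dev=dm-0 ino=2686977 scontext=unconfined_u:unconfined_r:qemu_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:46): avc: denied { add_name } for pid=12188 comm="qemu-kvm" name="qemu-smb.12188" scontext=unconfined_u:unconfined_r:qemu_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1204759184.650:46): avc: denied { create } for pid=12188 comm="qemu-kvm" name="qemu-smb.12188" scontext=unconfined_u:unconfined_r:qemu_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1204759184.650:46): arch=40000003 syscall=39 success=yes exit=0 a0=82cb740 a1=1c0 a2=8177c24 a3=bfd0e6fd items=0 ppid=12187 pid=12188 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:qemu_t:s0 key=(null)
type=AVC msg=audit(1204759184.650:47): avc: denied { create } for pid=12188 comm="qemu-kvm" name="smb.conf" scontext=unconfined_u:unconfined_r:qemu_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1204759184.650:47): avc: denied { write } for pid=12188 comm="qemu-kvm" name="smb.conf" dev=dm-0 ino=2687118 scontext=unconfined_u:unconfined_r:qemu_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1204759184.651:48): avc: denied { getattr } for pid=12188 comm="qemu-kvm" path="/tmp/qemu-smb.12188/smb.conf" dev=dm-0 ino=2687118 scontext=unconfined_u:unconfined_r:qemu_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
"""
TCPDUMP_LOG = 'avc: denied { search } for pid=2670 comm="tcpdump" name="/" dev=hdb1 ino=2 scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'

if __name__ == "__main__":
    print(render_module("myqemu", aggregate(QEMU_LOG)))
    for s, t, cls in labeling_problems(aggregate(TCPDUMP_LOG)):
        print("# %s -> %s:%s: relabel the target before writing an allow rule" % (s, t, cls))
```

The generated file contains only raw rules, which is the form checkmodule -m compiles; interface calls such as mta_send_mail() are m4 macros that the Makefile shipped in selinux-policy-devel (/usr/share/selinux/devel/Makefile) expands before compilation.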
SELinux prevented dbus-daemon from using the terminal /dev/tty1.
by Antonio Olivares
At one point, these were cured and now they reappear.
How can I make them go away for good?
Thanks,
Antonio
Summary:
SELinux prevented dbus-daemon from using the terminal /dev/tty1.
Detailed Description:
SELinux prevented dbus-daemon from using the terminal /dev/tty1. In most cases
daemons do not need to interact with the terminal, usually these avc messages
can be ignored. All of the confined daemons should have dontaudit rules around
using the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.
Allowing Access:
Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."
Fix Command:
setsebool -P allow_daemons_use_tty=1
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_dbusd_t:SystemLow-SystemHigh
Target Context unconfined_u:object_r:unconfined_tty_device_t
Target Objects /dev/tty1 [ chr_file ]
Source dbus-daemon
Source Path /bin/dbus-daemon
Port <Unknown>
Host localhost
Source RPM Packages dbus-1.1.20-1.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-9.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_daemons_use_tty
Host Name localhost
Platform Linux localhost 2.6.25-0.80.rc3.git2.fc9 #1 SMP Fri Feb 29 18:17:34 EST 2008 i686 athlon
Alert Count 14
First Seen Fri 01 Feb 2008 05:06:20 PM CST
Last Seen Mon 03 Mar 2008 03:57:07 PM CST
Local ID c0a79310-b4d4-41fc-a712-a4db505290d5
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1204581427.951:2778): avc: denied { read write } for pid=1306 comm="dbus-daemon" path="/dev/tty1" dev=tmpfs ino=1857 scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_tty_device_t:s0 tclass=chr_file
host=localhost type=SYSCALL msg=audit(1204581427.951:2778): arch=40000003 syscall=11 success=yes exit=0 a0=804c908 a1=bf92fc8c a2=bf9310b4 a3=7 items=0 ppid=1305 pid=1306 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 key=(null)
16 years, 1 month
SELinux is preventing npviewer.bin (nsplugin_t) "read" to controlC0 (sound_device_t).
by Antonio Olivares
Dear all,
I am getting to see the following errors that slow
down my machine and take CPU to 100%
Thanks,
Antonio
Summary:
SELinux is preventing npviewer.bin (nsplugin_t) "read" to controlC0 (sound_device_t).
Detailed Description:
SELinux denied access requested by npviewer.bin. It is not expected that this
access is required by npviewer.bin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for controlC0,
restorecon -v 'controlC0'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:nsplugin_t:SystemLow-SystemHigh
Target Context system_u:object_r:sound_device_t
Target Objects controlC0 [ chr_file ]
Source npviewer.bin
Source Path /usr/lib/nspluginwrapper/npviewer.bin
Port <Unknown>
Host localhost
Source RPM Packages nspluginwrapper-0.9.91.5-23.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-9.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost
Platform Linux localhost 2.6.25-0.80.rc3.git2.fc9 #1 SMP Fri Feb 29 18:17:34 EST 2008 i686 athlon
Alert Count 2689
First Seen Tue 26 Feb 2008 03:24:34 PM CST
Last Seen Mon 03 Mar 2008 03:54:56 PM CST
Local ID 469b1532-4ab3-4757-be58-2248cc0f9f05
Line Numbers
Raw Audit Messages
host=localhost type=AVC msg=audit(1204581296.416:2216): avc: denied { read } for pid=1218 comm="npviewer.bin" name="controlC0" dev=tmpfs ino=5312 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file
host=localhost type=SYSCALL msg=audit(1204581296.416:2216): arch=40000003 syscall=5 success=no exit=-13 a0=bfe497f2 a1=0 a2=1e a3=bfe497f2 items=0 ppid=32748 pid=1218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
16 years, 1 month
F8 samba AVCs
by Paul Howarth
I seem to have started getting some strange samba AVCs recently.
time->Tue Mar 4 09:19:23 2008
type=SYSCALL msg=audit(1204622363.345:5098): arch=c000003e syscall=4
success=no exit=-13 a0=7fff884950d0 a1=7fff88494800 a2=7fff88494800
a3=7fff88494cd0 items=0 ppid=6593 pid=1987 auid=500 uid=500 gid=0
euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none)
comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0
key=(null)
type=AVC msg=audit(1204622363.345:5098): avc: denied { getattr } for
pid=1987 comm="smbd" path="/home/paul/.recently-used.xbel" dev=dm-16
ino=2442050 scontext=unconfined_u:system_r:smbd_t:s0
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
This is despite having samba_enable_home_dirs set:
# getsebool -a | grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> on
samba_share_nfs --> off
use_samba_home_dirs --> off
# rpm -qa --last selinux\*
selinux-policy-devel-3.0.8-87.fc8 Fri 29 Feb 2008 11:23:47 AM GMT
selinux-policy-targeted-3.0.8-87.fc8 Fri 29 Feb 2008 11:23:32 AM GMT
selinux-policy-3.0.8-87.fc8 Fri 29 Feb 2008 11:23:28 AM GMT
BTW, what does samba_run_unconfined do?
What's the difference between user_home_t and unconfined_home_t? This
box is a fresh install of F8 but with /home preserved from F7.
Paul.
16 years, 1 month