ANN: 2008 SELinux Developer Summit CFP
by James Morris
---------------------------------------------------------------------------
2008 SELinux Developer Summit Call For Participation (CFP)
---------------------------------------------------------------------------
The call for participation for the 2008 SELinux Developer Summit is now
open. The summit will be held July 22nd in Ottawa. See the original
announcement[1] for the summit and the summit wiki page[2] for background
about the summit and summaries of prior summits. Note that all attendees of
the mini-summit must be registered as attendees of the Linux Symposium [3].
The focus of this year's summit will be usability and infrastructure.
Usability topics of interest include (but are not limited to) policy
development, administration, and desktop integration. Infrastructure topics
of interest include (but are not limited to) embedded systems, label
translation, userspace object managers, network filesystems, and labeled
networking.
Other topics relating to SELinux technology, flexible mandatory access
control, and its application to real-world problems are also of interest for
this symposium. Such topics might include:
* Updates on the various Linux distributions using SELinux
* Flexible MAC in other operating systems
* Case studies and application experience with flexible MAC
* User and customer concerns and needs
Forms of participation include:
* Technical presentations (20-30 minutes each, papers are optional)
* Discussions (submitter acts as facilitator)
* Panels (submitter acts as moderator)
* Lightning talks (work-in-progress reports)
No marketing pitches will be accepted.
Proposals may be sent to the organizing team at:
selinux-summit-team AT namei.org
In your proposal, please identify the form of participation, the amount of
time you expect to need, and a title and abstract describing the topic you
wish to cover.
If you wish to attend the summit without presenting, please also send a
notification of your intent to attend to the organizing team at the above
alias.
** Whether presenting or just attending, you must register for the Linux
Symposium[3] in order to attend the SELinux Developer Summit. **
This CFP will end on April 18. Participants will be notified by April 25,
and the schedule will be published on April 02.
[1] SELinux Summit announcement, http://marc.info/?l=selinux&m=120716549912011&w=2
[2] SELinux Summit wiki page, http://selinuxproject.org/page/Developer_Summit_2008
[3] Linux Symposium, http://www.linuxsymposium.org/2008/
----------------------------------------------------------------------------
--
James Morris
<jmorris(a)namei.org>
Re: enabling selinux
by Rahul Sundaram
Nesser, Phil wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - From your email below:
>
>
> # cat /etc/selinux/config
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=enabled
> ^^^^^^^^^^^^^^^
>
> Change to: SELINUX=enforcing
>
> SELINUX=enabled gets you permissive mode.
Duh. Thanks.
Rahul
Re: enabling selinux
by Andrew Farris
Andrew Farris wrote:
> Rahul Sundaram wrote:
>> # rpm -qa | grep -i selinux
>>
>> libselinux-2.0.61-1.fc9.i386
>> selinux-policy-targeted-3.3.1-26.fc9.noarch
>
> You're missing the main policy rpm:
> yum install selinux-policy
Sorry, first reply went off-list. You need the policy as well as sub-policy, so
you'd want selinux-policy and selinux-policy-targeted or selinux-policy and
selinux-policy-mls for instance.
--
Andrew Farris <lordmorgul(a)gmail.com> www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer
enabling selinux
by Rahul Sundaram
Hi,
I did a yum upgrade from Fedora 8 to Rawhide and disabled SELinux during
the upgrade just to avoid issues. Now that I finished upgrading, I tried
setting it to on and in enforcing mode.
Relabeling proceeded as expected though seemed slower than usual. After
bootup, I noticed that it says it is in permissive mode. Lots of things
have changed including the init system and I am not sure what to check.
Can someone help me out?
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
----
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: error (Success)
Policy version: 22
Policy from config file: targeted
# rpm -qa | grep -i selinux
libselinux-2.0.61-1.fc9.i386
selinux-policy-targeted-3.3.1-26.fc9.noarch
Rahul
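Added example, not from anyone in this thread: a small check for /etc/selinux/config that catches exactly the value in the file above (SELINUX=enabled is not a recognised mode, so the box boots permissive and sestatus reports "Mode from config file: error"), and a rewrite helper that refuses to write such a value. The function names and the embedded copy of the config are my own; VALID_MODES is the set of values the file's own comment block lists.

```python
import re

VALID_MODES = {"enforcing", "permissive", "disabled"}

# Constructed copy of the file quoted in the thread, so the check runs offline.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
SELINUX=enabled
# SELINUXTYPE= type of policy in use.
SELINUXTYPE=targeted
SETLOCALDEFS=0
"""

def parse_selinux_config(text):
    """Return the active KEY=value pairs, ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def check_selinux_config(text):
    """List problems; an empty list means the requested mode will really be applied."""
    settings = parse_selinux_config(text)
    problems = []
    mode = settings.get("SELINUX")
    if mode is None:
        problems.append("SELINUX= is not set")
    elif mode not in VALID_MODES:
        # The trap in the thread: an unknown value is not rejected at boot; the system
        # simply comes up permissive and sestatus shows 'Mode from config file: error'.
        problems.append(f"SELINUX={mode} is not one of {sorted(VALID_MODES)}; "
                        "the system will boot permissive")
    if not settings.get("SELINUXTYPE"):
        problems.append("SELINUXTYPE= is not set, so no policy is selected")
    return problems

def set_selinux_mode(text, mode):
    """Rewrite only the active SELINUX= line; comments and other keys are kept."""
    if mode not in VALID_MODES:
        raise ValueError(f"refusing to write invalid mode {mode!r}")
    pattern = re.compile(r"^[ \t]*SELINUX[ \t]*=.*$", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(f"SELINUX={mode}", text, count=1)
    return text.rstrip("\n") + f"\nSELINUX={mode}\n"
```

On the file above, check_selinux_config reports the bad SELINUX= value and set_selinux_mode(text, "enforcing") returns the corrected file with every comment line intact.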
php and oci8 issues
by Pad Hosmane
Hi,
I am compiling PHP 5.2.5 with OCI8 on CentOS 5. I have installed the
following from Oracle:
oracle-instantclient-basic-10.2.0.3-1
oracle-instantclient-sqlplus-10.2.0.3-1
oracle-instantclient-devel-10.2.0.3-1
These were the configure options used when building PHP:
'./configure' '--prefix=/usr/local/php-5.2.5'
'--cache-file=../config.cache' '--with-libdir=lib'
'--with-config-file-path=/usr/local/php-5.2.5/etc'
'--with-config-file-scan-dir=/usr/local/php-5.2.5/etc/php.d'
'--disable-debug' '--with-pic' '--disable-rpath' '--with-pear'
'--with-bz2' '--with-curl' '--with-exec-dir=/usr/bin'
'--with-freetype-dir=/usr' '--with-png-dir=/usr'
'--enable-gd-native-ttf' '--with-gettext' '--with-gmp' '--with-iconv'
'--with-jpeg-dir=/usr' '--with-openssl' '--with-pspell'
'--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif'
'--enable-ftp' '--enable-magic-quotes' '--enable-sockets'
'--enable-sysvsem' '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx'
'--with-kerberos' '--enable-ucd-snmp-hack' '--with-snmp=shared,/usr'
'--with-unixODBC=shared,/usr' '--enable-shmop' '--enable-calendar'
'--with-mime-magic=/etc/httpd/conf/magic' '--without-sqlite'
'--with-libxml-dir=/usr' '--enable-dom=shared' '--with-pgsql=shared'
'--disable-dba' '--disable-xmlreader' '--disable-xmlwriter'
'--without-gdbm' '--with-gd=shared' '--with-imap=shared'
'--with-imap-ssl' '--with-mysql=shared,/usr'
'--with-mysqli=shared,/usr/bin/mysql_config' '--enable-mbstring=shared'
'--enable-mbregex' '--with-libmbfl'
'--with-pdo-mysql=shared,/usr/bin/mysql_config' '--enable-pdo=shared'
'--with-pdo-odbc=shared,unixODBC,/usr' '--with-xmlrpc=shared'
'--with-ncurses=shared' '--with-ldap=shared'
'--with-pdo-pgsql=shared,/usr' '--without-pdo-sqlite' '--with-db4=/usr'
'--enable-force-cgi-redirect' '--enable-pcntl' '--with-xsl=shared,/usr'
'--enable-xmlreader=shared' '--enable-xmlwriter=shared'
'--enable-fastcgi' '--enable-cgi' '--with-apxs2=/usr/sbin/apxs'
'--with-oci8=shared,instantclient,/usr/lib/oracle/10.2.0.3/client/lib'
'--enable-sigchild'
Compile and install were successful. Apache was not working, and these are
the sealert messages. I am putting here only the summary, raw audit message
and suggestions, which I followed in the same order below to make Apache
work.
1. Summary
SELinux is preventing /usr/local/php-5.2.5/bin/php from loading
/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so which requires text
relocation.
Raw Audit Messages
avc: denied { execmod } for comm="php" dev=dm-0 egid=0 euid=0
exe="/usr/local/php-5.2.5/bin/php" exit=-13 fsgid=0 fsuid=0 gid=0
items=0
path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" pid=27356
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=0
chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.3/client/lib/*.so
2. Summary
SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to
<Unknown> (httpd_t).
Raw Audit Messages
avc: denied { execstack } for comm="httpd" egid=0 euid=0
exe="/usr/sbin/httpd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27907
scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
suid=0
tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
setsebool -P httpd_disable_trans=1
3. Summary
SELinux is preventing /usr/sbin/httpd from changing the access protection of
memory on the heap.
Raw Audit Messages
avc: denied { execheap } for comm="httpd" egid=0 euid=0
exe="/usr/sbin/httpd"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3913
scontext=root:system_r:initrc_t:s0
sgid=0 subj=root:system_r:initrc_t:s0 suid=0 tclass=process
tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0
setsebool -P allow_execheap=1
Has anybody compiled PHP 5 with the Oracle client on Red Hat or CentOS 5
without any SELinux issues? Is this a known issue, or are my procedures
wrong? I tried compiling a couple of weeks back with Red Hat ent5 PHP
source RPMs and got the same SELinux errors. Any possible help to put
back allow_execheap=0 and httpd_disable_trans=0.
Thanks.
samba ro filesystems bool not effective
by Andrew Farris
This denial is preventing access to a filesystem I have shared via
samba. Whenever a system connects to the samba share the denial
occurs several times, and the share is empty when viewed from the
client. My home dir can be shared fine through samba but not
/media/archive (see below).
Filesystem is mounted by:
LABEL=archive /media/archive vfat auto,rw,async,users,group,nosuid,noexec,shortname=lower,fmask=0013,dmask=0002,gid=555
0 0
> ls -alFshnZ
drwxrwxr-x 0 555 system_u:object_r:dosfs_t:s0 archive/
I have already setsebool -P samba_export_all_ro=1 and verified it is
set in system-config-selinux. It seems not to have any effect here.
I set (true):
samba_export_all_ro, samba_export_all_rw, samba_export_fusefs
I set (false):
samba_enable_home_dirs, use_samba_home_dirs, samba_run_unconfined
With those settings... my home dir is shared and accessible via samba,
but the ro share is not. What is going on here?
SELinux is preventing the samba daemon from serving r/o local files to remote
clients.
Detailed Description:
SELinux has preventing the samba daemon (smbd) from reading files on the local
system. If you have not exported these file systems, this could signals an
intrusion.
Allowing Access:
If you want to export file systems using samba you need to turn on the
samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1".
Fix Command:
setsebool -P samba_export_all_ro=1
Additional Information:
Source Context unconfined_u:system_r:smbd_t:s0
Target Context system_u:object_r:dosfs_t:s0
Target Objects / [ dir ]
Source smbd
Source Path /usr/sbin/smbd
Port <Unknown>
Host cirithungol
Source RPM Packages samba-3.2.0-1.pre2.8.fc9
Target RPM Packages filesystem-2.4.12-1.fc9
Policy RPM selinux-policy-3.3.1-26.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name samba_export_all_ro
Host Name cirithungol
Platform Linux cirithungol 2.6.25-0.172.rc7.git4.fc9.i686
#1 SMP Fri Mar 28 21:46:59 EDT 2008 i686 i686
Alert Count 40
First Seen Mon 31 Mar 2008 11:18:08 PM PDT
Last Seen Tue 01 Apr 2008 02:30:29 PM PDT
Local ID 431fbfb7-e677-45d9-98b9-0a23ea0ab572
Line Numbers
Raw Audit Messages
host=cirithungol type=AVC msg=audit(1207085429.4:3307): avc: denied
{ read } for pid=10886 comm="smbd" name="/" dev=sdc3 ino=1
scontext=unconfined_u:system_r:smbd_t:s0
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
host=cirithungol type=SYSCALL msg=audit(1207085429.4:3307):
arch=40000003 syscall=5 success=no exit=-13 a0=b9157d60 a1=98800 a2=2f
a3=b9157d10 items=0 ppid=6064 pid=10886 auid=500 uid=500 gid=0
euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=1
comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0
key=(null)
--
Andrew Farris <lordmorgul(a)gmail.com> www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer
preventing console-kit-dae (consolekit_t) "read" to (polkit_var_lib_t) on restart
by Andrew Farris
This occurs on Rawhide when trying to 'Restart' from Gnome System
menu. My user does have policykit authorization to restart the system
(others logged in or not) and to shutdown the system, but neither
work. At the moment I have to logout, then switch to VT1 and reboot.
GDM cannot restart either.
SELinux is preventing console-kit-dae (consolekit_t) "read" to
./org.freedesktop.hal.device-access.sound.override (polkit_var_lib_t).
Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:polkit_var_lib_t:s0
Target Objects ./org.freedesktop.hal.device-access.sound.override
[ file ]
Source console-kit-dae
Source Path /usr/sbin/console-kit-daemon
Port <Unknown>
Host cirithungol
Source RPM Packages ConsoleKit-0.2.10-1.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-26.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name cirithungol
Platform Linux cirithungol 2.6.25-0.172.rc7.git4.fc9.i686
#1 SMP Fri Mar 28 21:46:59 EDT 2008 i686 i686
Alert Count 1
First Seen Wed 02 Apr 2008 12:00:41 AM PDT
Last Seen Wed 02 Apr 2008 12:00:41 AM PDT
Local ID bade6013-09c9-4ca8-afba-3632172a3fc9
Line Numbers
Raw Audit Messages
host=cirithungol type=AVC msg=audit(1207119641.661:3387): avc: denied
{ read } for pid=2192 comm="console-kit-dae"
name="org.freedesktop.hal.device-access.sound.override" dev=dm-0
ino=727047 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:polkit_var_lib_t:s0 tclass=file
host=cirithungol type=SYSCALL msg=audit(1207119641.661:3387):
arch=40000003 syscall=5 success=no exit=-13 a0=98d1918 a1=8000 a2=0
a3=8000 items=0 ppid=1 pid=2192 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
--
Andrew Farris <lordmorgul(a)gmail.com> www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer
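Added example, not from any of these posts: a parser for the raw "avc: denied" lines quoted in the php/oci8, samba and ConsoleKit messages above, plus a triage heuristic of my own that prefers the per-file relabel the first sealert suggested (textrel_shlib_t on the Oracle library) over the allow_execheap and httpd_disable_trans booleans the PHP poster later wanted to undo. The function names are mine; the sample records are this page's own denials joined back onto single lines.

```python
import re

# The three denials quoted on this page, joined back onto single lines (the archive wrapped them).
SAMPLE_AVCS = [
    'avc: denied { execmod } for comm="php" exe="/usr/local/php-5.2.5/bin/php" exit=-13 '
    'path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" pid=27356 '
    'scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:lib_t:s0',
    'avc: denied { execstack } for comm="httpd" exe="/usr/sbin/httpd" pid=27907 '
    'scontext=root:system_r:httpd_t:s0 tclass=process tcontext=root:system_r:httpd_t:s0',
    'type=AVC msg=audit(1207085429.4:3307): avc: denied { read } for pid=10886 comm="smbd" name="/" '
    'dev=sdc3 ino=1 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')   # key=value or key="quoted value"
MEMORY_PERMS = {"execmod", "execstack", "execheap", "execmem"}

def split_context(ctx):
    """user:role:type:level -> dict (the MLS level itself may contain ':')."""
    parts = ctx.split(":", 3)
    return dict(zip(("user", "role", "type", "level"), parts + [""] * (4 - len(parts))))

def parse_avc(line):
    """Return the structured denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, whole, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if whole.startswith('"') else bare
    return {
        "perms": set(m.group("perms").split()),
        "source": split_context(fields.get("scontext", "")),
        "target": split_context(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        "object": fields.get("path") or fields.get("name"),
    }

def triage(avc):
    """One-line least-privilege reading of a denial (my heuristic, not sealert's logic)."""
    src, tgt = avc["source"]["type"], avc["target"]["type"]
    head = f'{src} -> {tgt} {avc["tclass"]} {{ {" ".join(sorted(avc["perms"]))} }}'
    if "execmod" in avc["perms"] and tgt == "lib_t" and avc["object"]:
        # A library with text relocations: relabel that one file, do not loosen the domain.
        return f"{head}: relabel the library (chcon -t textrel_shlib_t {avc['object']})"
    if avc["perms"] & MEMORY_PERMS:
        # execstack/execheap guard the process itself; booleans like allow_execheap switch that guard off wholesale.
        return f"{head}: memory-protection denial; fix the build or library, not the boolean"
    return f"{head}: ordinary access denial; check the target label and which boolean covers it"
```

Feeding each line of SAMPLE_AVCS through parse_avc and triage gives the source and target types, the object class and the permission set, which is the triple you need before deciding whether a label, a boolean or a local policy module is the right answer.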
ANN: SELinux Developer Summit 2008, Ottawa
by James Morris
----------------------------------------------------------------------------
SELinux Developer Summit 2008, Ottawa
----------------------------------------------------------------------------
This is to announce the 2008 SELinux Developer Summit, which is to be held
in Ottawa on the 22nd of July, as an OLS mini-summit.
The SELinux Developer Summit will be a one day summit intended to provide
a forum for focused technical discussion regarding current and future
development plans for SELinux and related Flask/TE projects.
The intended audience will consist of current SELinux developers,
system/security administrators, distribution organizers/packagers, and power
users. The format will be a mix of presentations and moderated discussion,
including a panel where attendees will be invited to submit questions and
feedback.
** This will be an open event, although, to attend, you will be required to be
registered for the 2008 Linux Symposium. **
A Call for Participation (CFP) will be issued on 7th April, 2008. If you wish
to submit a presentation or panel topic, please do so then.
To contact the organizing team, send email to:
selinux-summit-team AT namei.org
Also refer to the resources below for more information.
[1] SELinux Developer Summit:
http://selinuxproject.org/page/Developer_Summit_2008
[2] OLS mini-summits:
http://www.linuxsymposium.org/2008/minisummits.php
----------------------------------------------------------------------------
--
James Morris
<jmorris(a)namei.org>