May 2008 - selinux - Fedora Mailing-Lists

by Eric Paris

So I'm still stumbling along in the dark trying to get livecd-creator to build me a nice new F10 image inside an F10 host. I've actually got an image that built and runs, but not without its issues. my kickstart file has: auth --enableshadow --enablemd5 rootpw redhat but the livecd always has x for the password in /etc/password and * for the password in /etc/shadow. No ideas here I must admit. I'm highly doubtful its selinux since it happens in permissive and enforcing. I have just been booting into single user, calling passwd, init 3, and logging in to play around in my live image.... 3 errors/issues/quirks in building/running my livecd 1) libsemanage.dbase_llist_query: could not query record value I'm told empty table, but I don't know what that means 2) /usr/sbin/semanage: Invalid prefix user This pops out when semanage calls: if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0: I assume this has to do with my bastardized /selinux inside the chroot. Should we just make it != 0 && != -ENOENT or whatever the error is we get there? 3) When booting I get 3 messages that say: inode_doinit_with_dentry: no dentry for dev=dm-0 ino=8345 The 3 inodes in question correspond to /etc/udev /etc/udev/rules.d /etc/udev/rules.d/50-udev-default.rules no clues where this is coming from. I don't see it when I booted my host system.... Anyway, at this point I want clues/help/suggestions on how to create my hacked up /selinux inside the chroot. Right now all I'm going is creating it on the host system and bind mounting it into the chroot. I really should be creating this inside creator.py. All that needs to be inside it is 3 files. copies of mls and policyvers from the host system and load is a chrfile of /dev/null. I could just create those in the livecd image and they will get mounted on top of when its running, but I don't want to waste the 50 bytes or whatever it would take. Any good suggests on how to build this temp? Or where I could clean it out later? -Eric

15 years, 11 months

5
13
0 / 0

livecd-creator and selinux, status at the end of week 1

by Eric Paris

I've spent pretty much all week flailing around try to get livecd-creator working with selinux enforcing with F10 as both the host and the image. Next week begins the journey of working on making old composes work on F10. Where do I stand? Well, it seems to work! I booted an image and logged in. Changes I've made so far (doesn't look like a whole lot for basically a week of work....) policycoreutils got some updates to allow users to be created in the chroot (already built and in koji) and to make relabeling a little better. libselinux has no changes with my current approach. I do not want rpm running inside the chroot to transition to rpm_t, nor do I want scriptlets to run as rpm_script_t as then those scriptlets can cause transitions to things like depmod_t which isn't going to have permissions necessary to run with the possibly screwy labels inside the chroot. I added one rule to policy to allow hal to respond back to chroot allow hald_t unconfined_notrans_t:dbus send_msg; Create a fake /selinux inside the chroot it contains: mls -> copy from host poliyver -> copy from host enforce -> 0 load -> /dev/null This means that from the point of view of the inside of the chroot selinux is "on" but not enforcing. The not enforcing part is important because some programs (passwd for example) try to determine if selinux is going to permit something before it actually tries it. If passwd realizes that selinux is enforcing but then it doesn't have a real /selinux to make those decisions it gets mad. So I'm lieing to the chroot. Changes to livecd-creator: diff -Naupr imgcreate/creator.py imgcreate.new/creator.py --- imgcreate/creator.py 2008-05-06 12:16:08.000000000 -0400 +++ imgcreate.new/creator.py 2008-05-16 13:01:05.000000000 -0400 @@ -22,6 +22,7 @@ import stat import sys import tempfile import shutil +import selinux import yum import rpm @@ -427,7 +428,7 @@ class ImageCreator(object): self._mount_instroot(base_on) - for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum"): + for d in ("/dev/pts", "/etc", "/boot", "/var/log", "/var/cache/yum", "/sys", "/proc"): makedirs(self._instroot + d) cachesrc = cachedir or (self.__builddir + "/yum-cache") @@ -439,10 +440,6 @@ class ImageCreator(object): (cachesrc, "/var/cache/yum")]: self.__bindmounts.append(BindChrootMount(f, self._instroot, dest)) - # /selinux should only be mounted if selinux is enabled (enforcing or permissive) - if kickstart.selinux_enabled(self.ks): - self.__bindmounts.append(BindChrootMount("/selinux", self._instroot, None)) - # Create minimum /dev origumask = os.umask(0000) devices = [('null', 1, 3, 0666), @@ -460,6 +457,20 @@ class ImageCreator(object): os.symlink('/proc/self/fd/2', self._instroot + "/dev/stderr") os.umask(origumask) + # selinux whoo hooo + if kickstart.selinux_enabled(self.ks): + makedirs(self._instroot + "/selinux") + # this should actually create our new fake /selinux, not bind from the host, though i haven't decided how + self.__bindmounts.append(BindChrootMount("/selinux1", self._instroot, "/selinux")) + + # label the fs like it is a root before the bind mounting + cmd = "/sbin/setfiles -F -r %s %s %s" % (self._instroot, selinux.selinux_file_context_path(), self._instroot) + os.system(cmd) + # these dumb things don't get magically fixed, so make the user generic + for f in ["/proc", "/sys", "/selinux"]: + cmd = "chcon -u system_u %s" % (self._instroot + f) + os.system(cmd) + self._do_bindmounts() os.symlink("../proc/mounts", self._instroot + "/etc/mtab") diff -Naupr imgcreate/kickstart.py imgcreate.new/kickstart.py --- imgcreate/kickstart.py 2008-05-06 12:16:08.000000000 -0400 +++ imgcreate.new/kickstart.py 2008-05-15 10:10:40.000000000 -0400 @@ -372,11 +372,11 @@ class SelinuxConfig(KickstartConfig): if ksselinux.selinux == ksconstants.SELINUX_DISABLED: return - if not os.path.exists(self.path("/sbin/restorecon")): + if os.path.exists(self.path("/sbin/restorecon")): + self.call(["/sbin/restorecon", "-l", "-v", "-r", "-F", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/"]) + else: return - self.call(["/sbin/restorecon", "-l", "-v", "-r", "/"]) - def apply(self, ksselinux): if os.path.exists(self.path("/usr/sbin/lokkit")): args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"]

15 years, 11 months

2
3
0 / 0

Re: livecd-creator and selinux, status at the end of week 1

by Eric Paris

On Mon, 2008-05-19 at 09:11 -0400, David Huff wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Eric Paris wrote: > | I've spent pretty much all week flailing around try to get > | livecd-creator working with selinux enforcing with F10 as both the host > | and the image. Next week begins the journey of working on making old > | composes work on F10. Where do I stand? Well, it seems to work! I > | booted an image and logged in. > | > > > I have seen similar issues with the appliance-tools Im working on > (thincrust.net). On thing I have noticed is that kickstart.py only > likes crypted passwds, so make sure you use the --iscrytped option in > the ks file. > > I have also noticed another problem, if you set selinux disabled via the > kickstart and try to set no root passwd, by excluding a rootpw > line in the ks, you get an error similar too: > > "only root can do that" > > I think this is due to selinux context on the host you are > building the image on. I saw this running a F9 client on a F9 host, > from your post on Friday, I will try generating a rwahide image on a > rawhide host and see if I have similar results. If you wouldn't mind opening a BZ, for now lets open it against libselinux assign it to me and let me know all of the problems you have run into involving passwd. I think I understand all of that cruft now. -Eric

15 years, 11 months

1
0
0 / 0

Differences between openssh and pam_selinux

by Tomas Mraz

There are some differences in how openssh and pam_selinux get the user's context. As I want to replace part of the openssh's SELinux code with pam_selinux I'd like to know which one is more correct. Here's the rough algorithm for both: OpenSSH ======= 1. get selinux user & default level with getseuserbyname() 2. obtain default ctx with get_default_context_with_level() 3. obtain requested ctx for requested level with get_default_context_with_level() 4. set requested role to the requested ctx 5. set type for the requested role to the requested ctx (obtained from get_default_type(requested role)) 6. copy the requested ctx and set the requested level in the copy 7. compare the requested ctx with the copy - if not equal -> fail 8. do the points 3. - 7. with the difference that the default level is used instead of requested level 9. do security_compute_av with CONTEXT__CONTAINS to check whether the context from 7. is allowed for context from 8. if not allowed -> fail 10. use the context from 7. as the user's context. pam_selinux =========== 1. get selinux user & default level with getseuserbyname() 2. use get_ordered_context_list_with_level() to obtain list of context for the user & level, as the default user's context is taken the first one on the list 3. if this fails: 3a. the level and role is obtained from user and combined into a context with default type for the role and the selinux user 3b. this ctx is checked with security_check_context() - if fails -> fail else we have the user's context -> end 4. if 2. succeeds and module is configured to allow asking user for role/level then user is asked for requested role and level 5. the requested ctx starts as copy of the default ctx 6. the requested role is set to requested ctx, requested level is set and the default type (get_default_type()) for the requested role is set 7. the requested ctx is checked with security_check_context() - if fails -> fail 8. do security_compute_av with CONTEXT__CONTAINS to check whether the context from 7. is allowed for default context if not allowed -> fail 9. use the context from 7. as the user's context. So which one is correct if any? -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb

15 years, 11 months

2
2
0 / 0

spamc not working from procmail in Fedora 9

by Daniel Fazekas

SELinux appears to stop spamc from being called from procmail: type=1401 audit(1210924808.115:14): security_compute_sid: invalid context system_u:system_r:spamc_t:s0 for scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=process procmail logs: /usr/bin/spamc: /usr/bin/spamc: cannot execute binary file procmail: Error while writing to "/usr/bin/spamc" procmail: Rescue of unfiltered data succeeded In my .procmailrc I have this line: INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc Used to work fine in previous releases of Fedora. Is there anything I could set to allow this? I have already tried a full touch ./autorelabel && reboot, it didn't help. SELinux is using selinux-policy-targeted-3.3.1-42.fc9.noarch selinux-policy-3.3.1-42.fc9.noarch

15 years, 11 months

2
1
0 / 0

tools that present a graphical abstraction of a SELinux policy

by Christian Lange

Hi, I'm a student of the university of Rostock, In the scope of my master thesis I want to get an overview about existing graphical tools (commercial or free), abstracting from underlying SELinux details, helping users to define and maintain SELinux policies (TE & MCS). So far, I found the following tools: - SLIDE - VIRGIL - Tresys Brickwall Security Suite They only use masks for data input and don't abstract from the policy to show a graph. My questions are: - Is there any tool that creates a abstract view of a policy as a graph or something like that? - Is there any demand for such a tool? Thanks in advance

15 years, 11 months

3
2
0 / 0

Re: lost gnome

by Antonio Olivares

--- "Clyde E. Kunkel" <clydekunkel7734(a)cox.net> wrote: > Antonio Olivares wrote: > > Dear all, > > > > After changing the repos to point back to rawhide. > I > > have lost gnome in the process. I cannot log into > > gnome. Thankfully KDE does work :), However, I > would > > like to have both functioning if possible. > > > > I'll attach a text file which shows messages that > > could be useful to fix this issue. > > > > Regards, > > > > Antonio > > > > > > > > > Earlier thread discussed this and response from Tom > London: > > "Reverting GConf2 packages "fixed this for me". (I > noticed some new > SELinux messages that may be causing this, and > reported to dwalsh > already.) > > I had other issues that reverting gnome-session and > gnome-settings-daemon fixed..... > > tom" > -- > --------------------------------- > Regards, > > Old Fart > > -- > fedora-test-list mailing list > fedora-test-list(a)redhat.com > To unsubscribe: > https://www.redhat.com/mailman/listinfo/fedora-test-list > Thank you very much Clyde, That is it! Selinux has its hands on it: I'll run KDE in the meantime, the cure looks a bit complicated :( Part of dmesg: [olivares@localhost ~]$ uname -a Linux localhost 2.6.25.2-5.fc10.i686 #1 SMP Wed May 7 18:06:55 EDT 2008 i686 athlon i386 GNU/Linux [olivares@localhost ~]$ cat /etc/fedora-release Fedora release 9.90 (Rawhide) [olivares@localhost ~]$ dmesg Initializing cgroup subsys cpuset Initializing cgroup subsys cpu Linux version 2.6.25.2-5.fc10.i686 (mockbuild@) (gcc version 4.3.0 20080428 (Red Hat 4.3.0-8) (GCC) ) #1 SMP Wed May 7 18:06:55 EDT 2008 BIOS-provided physical RAM map: BIOS-e820: 0000000000000000 - 000000000009fc00 (usable) BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved) BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved) BIOS-e820: 0000000000100000 - 000000002ffd0000 (usable) BIOS-e820: 000000002ffd0000 - 000000002ffdf000 (ACPI data) BIOS-e820: 000000002ffdf000 - 0000000030000000 (ACPI NVS) BIOS-e820: 00000000fec00000 - 00000000fec01000 (reserved) BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved) BIOS-e820: 00000000ff7c0000 - 0000000100000000 (reserved) ***** removed to show relevant parts ***** SELinux: initialized (dev rpc_pipefs, type rpc_pipefs), uses genfs_contexts SELinux: initialized (dev autofs, type autofs), uses genfs_contexts SELinux: initialized (dev autofs, type autofs), uses genfs_contexts SELinux: initialized (dev autofs, type autofs), uses genfs_contexts Bluetooth: Core ver 2.11 NET: Registered protocol family 31 Bluetooth: HCI device and connection manager initialized Bluetooth: HCI socket layer initialized Bluetooth: L2CAP ver 2.9 Bluetooth: L2CAP socket layer initialized Bluetooth: RFCOMM socket layer initialized Bluetooth: RFCOMM TTY layer initialized Bluetooth: RFCOMM ver 1.8 Bluetooth: BNEP (Ethernet Emulation) ver 1.2 Bluetooth: BNEP filters: protocol multicast Bridge firewalling registered pan0: Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature. serial8250: too much work for irq18 serial8250: too much work for irq18 type=1400 audit(1210890146.560:4): avc: denied { execute } for pid=2337 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890146.610:5): avc: denied { execute } for pid=2339 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890147.848:6): avc: denied { execute } for pid=2350 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890147.850:7): avc: denied { execute } for pid=2352 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890147.865:8): avc: denied { execute } for pid=2354 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890147.877:9): avc: denied { execute } for pid=2356 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890148.582:10): avc: denied { execute } for pid=2363 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890148.632:11): avc: denied { execute } for pid=2365 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890148.650:12): avc: denied { execute } for pid=2367 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890148.662:13): avc: denied { execute } for pid=2369 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file printk: 196 messages suppressed. type=1400 audit(1210890151.618:79): avc: denied { execute } for pid=2505 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file printk: 57 messages suppressed. type=1400 audit(1210890163.178:99): avc: denied { execute } for pid=2556 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890163.214:100): avc: denied { execute } for pid=2560 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file printk: 33 messages suppressed. gnome-session[2618]: segfault at 0 ip 00d36187 sp bfc554a4 error 4 in libglib-2.0.so.0.1600.3[cdc000+e0000] type=1400 audit(1210890178.407:112): avc: denied { execute } for pid=2831 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890178.421:113): avc: denied { execute } for pid=2834 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file printk: 250 messages suppressed. type=1400 audit(1210890187.515:197): avc: denied { execute } for pid=3058 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890187.562:198): avc: denied { execute } for pid=3063 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file printk: 33 messages suppressed. type=1400 audit(1210890240.289:210): avc: denied { read } for pid=3496 comm="nm-system-setti" name="PolicyKit.reload" dev=dm-0 ino=3244718 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_crond_var_lib_t:s0 tclass=file type=1400 audit(1210890240.432:211): avc: denied { getattr } for pid=3496 comm="nm-system-setti" path="/dev/root" dev=tmpfs ino=318 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file type=1400 audit(1210890242.221:212): avc: denied { execstack } for pid=3506 comm="nspluginscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process klauncher[3388]: segfault at 8048814 ip 001c8da8 sp bffe22c0 error 7 in libX11.so.6.2.0[1b3000+fd000] nepomukservices[3465] general protection ip:448adef sp:bfdc34f0 error:0 in libnepomuk.so.4.1.0[4460000+6d000] type=1400 audit(1210890272.055:213): avc: denied { execute } for pid=3593 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890272.069:214): avc: denied { execute } for pid=3596 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890272.314:215): avc: denied { execute } for pid=3622 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890272.317:216): avc: denied { execute } for pid=3624 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890272.319:217): avc: denied { execute } for pid=3626 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890272.321:218): avc: denied { execute } for pid=3628 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890272.396:219): avc: denied { execute } for pid=3637 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890272.411:220): avc: denied { execute } for pid=3640 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file printk: 226 messages suppressed. type=1400 audit(1210890280.758:296): avc: denied { execute } for pid=3818 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file type=1400 audit(1210890280.793:297): avc: denied { execute } for pid=3822 comm="dbus-daemon" name="gconfd-2" dev=dm-0 ino=32542974 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gconfd_exec_t:s0 tclass=file printk: 36 messages suppressed. type=1400 audit(1210890308.692:310): avc: denied { execstack } for pid=4157 comm="nspluginscan" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process [olivares@localhost ~]$ ccd: to fedora-selinux-list(a)redhat.com Regards, Antonio

15 years, 11 months

2
1
0 / 0

Fedora buildsys and SELinux

by Karsten Wade

As announced on fedora-devel-list[1], we'd like to come to a resolution (consensus, actions) on the challenges we have with SELinux in the Fedora build system. I expect the following: * All the parties are here now needed to figure this out * Someone better than me is going to reply with specifics about what is not working in the buildsys * We all agree it's pretty important to get this figured out in a good way One example of a project blocking on this work is the Fedora spin server. We would have to put a non-SELinux secured server in the loop somewhere for the actual spin building, and any way we do that is going to be hacky and whacky. The main problem I see outside of the technical issues is a marketing one. Fedora's infrastructure is a set of open tools that anyone can download and make work themselves. We know that people do that. Fedora Infrastructure is a feature producer; just as Fedora Docs supplies a full-course documentation toolchain, so does Infrastructure supply a full-course FLOSS project toolset.[2] We do *not* want to be explaining that a new feature doesn't work with SELinux. At the very minimum, we have been consistent about the value of SELinux in Fedora, and to ship something as a Fedora feature that cannot run under SELinux ... well, that would be bad. This is why other Fedora folks are asking the Fedora SELinux team to take this off the backburner. Thanks - Karsten [1] https://www.redhat.com/archives/fedora-devel-list/2008-April/msg01064.html [2] Yep, that's right; Fedora Infrastructure is a feature of Fedora. For example, the new grid project 'Fedora Sleepwalker' is looking to get integrated into firstboot or some kind of JoinBuddy. When that happens, adding your install to the Fedora Sleepwalker grid is going to be touted as a major feature for that release. -- Karsten Wade, Sr. Developer Community Mgr. Dev Fu : http://developer.redhatmagazine.com Fedora : http://quaid.fedorapeople.org gpg key : AD0E0C41

15 years, 11 months

13
50
0 / 0

polyinstantiation of the /tmp dir

by Clarkson, Mike R (US SSA)

I'm having a problem setting up polyinstantiation for the /tmp dir. I'm using RHEL5.1 and I've set it up to create instance directories under the /tmp-inst directory based on level when using newrole. It works, but the instance directory has ownership/permissions (dac permissions) set so that the user can not write to the polyinstantiated directory #ls -l /tmp-inst/ total 24 drwxr-xr-x 2 root root 4096 May 14 20:17 system_u:object_r:tmp_t:s0-s4:c0.c255_clarkson drwxr-xr-x 2 root root 4096 May 14 18:40 system_u:object_r:tmp_t:s4:c0.c255_clarkson Either the directories need to be created with the user as the owner (clarkson in this case), or the permissions need to be 777. I've set this up before on other boxes and had it work. Not sure what the difference is now. Any ideas?

15 years, 11 months

2
1
0 / 0

RE: Samba shares...

by Dan Thurman

Daniel J Walsh wrote: |Daniel B. Thurman wrote: || Stephen Smalley || |Daniel B. Thurman wrote: || |> |You can certainly generate a local policy module that gives || |> |access to fusefs_t, but it would be better if we could get || |> |the context mount option to work. || |> || |> I will try anything you suggest. Let me know if you can || |> resolve this issue, otherwise let me know (in detail) how || |> to write a policy as a last resort? || | || |To generate local policy for this issue, you'd do something |like this: || | || |$ su - || |# ausearch -m AVC | grep fuse | audit2allow -M myfuse || |# semodule -i myfuse.pp || | || |Then the fuse-related denials should be allowed. || || Uh, almost. It still will not allow me to chmod or chgrp || the mounted filesystem which means that I cannot write to || the shared NTFS filesystem without assigning the proper || permissions. I have set samba properties to allow writes || but apparently this problem resides with fuse again. Grr. || || What can I do to allow samba shared writes? |Look for additional AVC's with ausearch | |You can run the above command another time. | |You can put the machine into permissive mode and gather all of the AVC |messages | |setenforce 0 |Run your test |ausearch -m AVC | grep fuse | audit2allow -M myfuse |semodule -i myfuse.pp |setenforce 1 Yup! That worked! Thanks, Dan! Dan

15 years, 11 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux May 2008