AVCs from cron.daily (F9)
by Paul Howarth
On my work box, which is an up-to-date F9 install, I get a set of AVCs
from cron.daily every day, which I don't get on my home boxes. I suspect
it's because we use LDAP auth at work. It boils down to this when passed
through audit2allow -R:
require {
type logwatch_t;
type locate_t;
type tmpreaper_t;
type logrotate_t;
}
#============= locate_t ==============
cron_rw_tcp_sockets(locate_t)
#============= logrotate_t ==============
cron_rw_tcp_sockets(logrotate_t)
#============= logwatch_t ==============
cron_rw_tcp_sockets(logwatch_t)
#============= tmpreaper_t ==============
cron_rw_tcp_sockets(tmpreaper_t)
Sample AVC:
time->Tue Jun 3 05:05:05 2008
type=SYSCALL msg=audit(1212465905.734:5714): arch=c000003e syscall=59
success=yes exit=0 a0=25545d0 a1=2551360 a2=25539a0 a3=8 items=0
ppid=12101 pid=12134 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=605 comm="tmpwatch"
exe="/usr/sbin/tmpwatch"
subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1212465905.734:5714): avc: denied { read write }
for pid=12134 comm="tmpwatch" path="socket:[24785059]" dev=sockfs
ino=24785059 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket
Paul.
15 years, 10 months
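The AVCs above show the classic leaked-descriptor pattern: the object is an anonymous socket (path="socket:[...]") labelled crond_t, i.e. it was opened by crond and inherited across exec by tmpwatch, logrotate and friends, which then trip over it in their own domains. The following is an added example, not code from Paul's post or from any Fedora package; it reproduces the mechanism with an unbound AF_UNIX socket and a child Python process (the child program is constructed for the demo) and shows that the parent-side fix is the close-on-exec flag, whereas cron_rw_tcp_sockets() only tolerates the leak in policy.

```python
"""Added example (not from the original post): a minimal reproduction of the
descriptor leak behind the cron.daily AVCs. A parent keeps a socket open and
execs a job without close-on-exec, so the child starts life holding a socket
labelled with the parent's domain."""
import os
import socket
import stat
import subprocess
import sys

# Child program (constructed for this demo): report whether the inherited
# descriptor number still refers to a socket after exec().
CHILD = r"""
import os, stat, sys
try:
    st = os.fstat(int(sys.argv[1]))
except OSError:          # EBADF: the descriptor was closed on exec
    sys.exit(1)
sys.exit(0 if stat.S_ISSOCK(st.st_mode) else 1)
"""


def fd_survives_exec(inheritable: bool) -> bool:
    """Open an unbound AF_UNIX socket (no network needed), set or clear its
    inheritable flag, exec a child and return True if the child still holds it."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    fd = sock.fileno()
    # PEP 446: Python creates descriptors close-on-exec by default, so flip
    # the flag explicitly to show both behaviours.
    os.set_inheritable(fd, inheritable)
    # close_fds=False is the crond-like behaviour: nothing is closed for us,
    # only the kernel's close-on-exec flag decides what the child inherits.
    proc = subprocess.run([sys.executable, "-c", CHILD, str(fd)],
                          close_fds=False, check=False)
    sock.close()
    return proc.returncode == 0


def leak_report() -> dict:
    """Map each parent behaviour to whether the socket leaked into the child."""
    return {"inheritable": fd_survives_exec(True),
            "close_on_exec": fd_survives_exec(False)}


if __name__ == "__main__":
    for mode, leaked in leak_report().items():
        print(f"{mode:13s} -> child still holds the socket: {leaked}")
```

Run it on any Linux box: the "inheritable" case is what the audit log above records (the job holds a socket it never opened), the "close_on_exec" case is what a fixed parent produces, and no allow rule is needed for the latter.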
strange messages while installing selinux-policy-targeted
by Dr. Michael J. Chudobiak
I can't seem to make selinux run on one of my systems. Can anyone make
sense of these odd installation messages:
Running Transaction
Installing : selinux-policy-targeted [1/1]
libsemanage.dbase_llist_query: could not query record value (No such
file or directory).
/usr/sbin/semanage: range not supported on Non MLS machines
/usr/sbin/semanage: range not supported on Non MLS machines
/usr/sbin/semanage: range not supported on Non MLS machines
libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was
defined for user guest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy
/usr/sbin/semanage: Could not add SELinux user guest_u
libsepol.sepol_user_modify: MLS is enabled, but no MLS default level was
defined for user xguest_u
libsepol.sepol_user_modify: could not load (null) into policy
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy
/usr/sbin/semanage: Could not add SELinux user xguest_u
Installed: selinux-policy-targeted.noarch 0:3.3.1-55.fc9
Complete!
- Mike
15 years, 10 months
Sendmail milters in Fedora 8
by Paul Howarth
Since upgrading my mail server from Fedora 7 to Fedora 8, I've come
across some problems with the sockets used for communication between
sendmail and two of the "milter" plugins I'm using with it, namely
milter-regex and spamass-milter. It's very likely that other milters
will have similar issues.
The sockets used are created when the milter starts, as follows:
milter-regex:
/var/spool/milter-regex/sock (var_spool_t, inherited from parent directory)
spamass-milter:
/var/run/spamass-milter/spamass-milter.sock (spamd_var_run_t, in policy)
These are pretty well the upstream locations, though I'm open to moving
the milter-regex socket from /var/spool to /var/run or elsewhere for
consistency.
Since moving to Fedora 8, I've had to add the following to local policy
to get these milters working:
allow sendmail_t spamd_var_run_t:dir { search getattr };
allow sendmail_t spamd_var_run_t:sock_file { getattr write };
allow sendmail_t var_spool_t:sock_file { getattr write };
allow sendmail_t initrc_t:unix_stream_socket { read write connectto };
The last of these is the strangest, and relates to Bug #425958
(https://bugzilla.redhat.com/show_bug.cgi?id=425958). Whilst the socket
file itself has the context listed above, the unix domain socket that
sendmail connects to is still initrc_t, as can be seen from the output
of "netstat -lpZ":
...
unix 2 [ ACC ] STREAM LISTENING 14142
5853/spamass-milter system_u:system_r:initrc_t:s0
/var/run/spamass-milter/spamass-milter.sock
unix 2 [ ACC ] STREAM LISTENING 13794
5779/milter-regex system_u:system_r:initrc_t:s0
/var/spool/milter-regex/sock
...
So, my questions are:
1. Why are the sockets still initrc_t?
2. Is this a kernel issue or a userspace issue that should be fixed in
the milters?
3. Should there be a standard place for milter sockets to live, and if
so, where?
4. How come this worked OK in Fedora 7 and previous releases?
Paul.
15 years, 11 months
Issues setting up a 2nd Private DNS server
by Dan Thurman
I am trying to set up a 2nd private DNS server in my private
network, behind the firewall (with DNS access enabled) and
I am able to resolve all of my local systems. However, I have
some problems. One involves SELinux and the other involves
forwarding as shown below:
1) SELinux errors are reported only when starting/stopping/restarting
named.
++++++++++++++++++++++++++++++++++++++++++++++
Source Context system_u:system_r:named_t:s0
Target Context system_u:system_r:unconfined_t:s0
Target Objects socket [ unix_stream_socket ]
Source named-checkconf
Source Path /usr/sbin/named-checkconf
Port <Unknown>
Host gold.cdkkt.com
Source RPM Packages bind-9.5.0-26.b3.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-101.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
Alert Count 4
First Seen Mon 02 Jun 2008 10:00:25 AM PDT
Last Seen Mon 02 Jun 2008 10:01:43 AM PDT
Local ID 7faef252-f1ea-4e36-8f51-167799fcb429
Line Numbers
Raw Audit Messages
host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc:
denied { read write } for pid=7037 comm="named" path="socket:[874313]"
dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122):
arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38
a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named"
exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
++++++++++++++++++++++++++++++++++++++++++++++
Source Context system_u:system_r:ndc_t:s0
Target Context system_u:system_r:unconfined_t:s0
Target Objects socket [ unix_stream_socket ]
Source rndc
Source Path /usr/sbin/rndc
Port <Unknown>
Host gold.cdkkt.com
Source RPM Packages bind-9.5.0-26.b3.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-101.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
Alert Count 4
First Seen Mon 02 Jun 2008 10:00:23 AM PDT
Last Seen Mon 02 Jun 2008 10:01:43 AM PDT
Local ID cc0e5f4b-aa41-4543-9569-df7d65f83f1c
Line Numbers
Raw Audit Messages
host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc:
denied { read write } for pid=7064 comm="rndc" path="socket:[874313]"
dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123):
arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078
a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc"
exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
++++++++++++++++++++++++++++++++++++++++++++++
Source Context system_u:system_r:mount_t:s0
Target Context system_u:system_r:unconfined_t:s0
Target Objects socket [ unix_stream_socket ]
Source umount
Source Path /bin/umount
Port <Unknown>
Host gold.cdkkt.com
Source RPM Packages util-linux-ng-2.13.1-2.fc8
Target RPM Packages
Policy RPM selinux-policy-3.0.8-101.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
Alert Count 4
First Seen Mon 02 Jun 2008 10:00:25 AM PDT
Last Seen Mon 02 Jun 2008 10:01:43 AM PDT
Local ID 439fbb1b-17d2-40b4-9242-744d5d69e303
Line Numbers
Raw Audit Messages
host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc:
denied { read write } for pid=7034 comm="mount" path="socket:[874313]"
dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120):
arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8
a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount"
exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
++++++++++++++++++++++++++++++++++++++++++++++
2) Forwarders do not work:
++++++++++++++++++++++++++++++++++++++++++++++
** server can't find msn.com: NXDOMAIN
++++++++++++++++++++++++++++++++++++++++++++++
Please advise,
Dan
15 years, 11 months
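Dan's three alerts and Paul's cron.daily AVCs earlier on this page are the same shape: a confined program (named, rndc, mount, tmpwatch) is denied read/write on an anonymous socket whose label is another process domain (unconfined_t, crond_t), which is the fingerprint of a descriptor inherited across exec rather than something the program opened itself. The script below is an added example, not code from either post or from the audit2allow tool; it parses raw AVC records, groups them by source type, target type and class the way audit2allow does, and flags groups that carry that leaked-descriptor signature so they are not turned into allow rules by reflex. The sample input re-uses AVC lines from this page plus one constructed sendmail_t/spamd_var_run_t denial modelled on the allow rule in Paul's milter post.

```python
"""Added example (not from any post above): triage raw AVC records, group
them audit2allow-style and flag the leaked-descriptor pattern."""
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Object classes whose instances are descriptors rather than on-disk inodes.
SOCKET_CLASSES = {"tcp_socket", "udp_socket", "unix_stream_socket",
                  "unix_dgram_socket", "rawip_socket", "netlink_socket"}

# Sample input: three AVC lines copied from this page (re-joined onto one line
# each) plus one constructed sock_file denial for the sendmail milter case.
SAMPLE = [
    'type=AVC msg=audit(1212465905.734:5714): avc: denied { read write } for pid=12134 '
    'comm="tmpwatch" path="socket:[24785059]" dev=sockfs ino=24785059 '
    'scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 tclass=tcp_socket',
    'host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc: denied { read write } '
    'for pid=7037 comm="named" path="socket:[874313]" dev=sockfs ino=874313 '
    'scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:unconfined_t:s0 '
    'tclass=unix_stream_socket',
    'host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc: denied { read write } '
    'for pid=7064 comm="rndc" path="socket:[874313]" dev=sockfs ino=874313 '
    'scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 '
    'tclass=unix_stream_socket',
    # constructed, not from the page:
    'type=AVC msg=audit(1212400000.000:1): avc: denied { write } for pid=4242 '
    'comm="sendmail" name="spamass-milter.sock" dev=sda1 ino=1234 '
    'scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 '
    'tclass=sock_file',
]


def type_of(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the key=value fields of one AVC record, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = tuple(sorted(m.group("perms").split()))
    return fields


def is_leaked_fd(avc):
    """Anonymous socket object labelled with some other process domain."""
    return (avc.get("tclass") in SOCKET_CLASSES
            and avc.get("path", "").startswith("socket:[")
            and type_of(avc["tcontext"]) != type_of(avc["scontext"]))


def triage(lines):
    """Group denials by (source type, target type, class) like audit2allow."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(),
                                  "count": 0, "leaked_fd": False})
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
        g = groups[key]
        g["perms"].update(avc["perms"])
        g["comms"].add(avc.get("comm", "?"))
        g["count"] += 1
        g["leaked_fd"] = g["leaked_fd"] or is_leaked_fd(avc)
    return dict(groups)


def report(lines):
    """One audit2allow-style line per group, annotated where the object was
    inherited from another domain (fix the leak or dontaudit, don't allow)."""
    out = []
    for (s, t, c), g in sorted(triage(lines).items()):
        perms = " ".join(sorted(g["perms"]))
        note = (f"  # descriptor leaked from {t}: fix the leak or dontaudit"
                if g["leaked_fd"] else "")
        out.append(f"allow {s} {t}:{c} {{ {perms} }};{note}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Feed it `ausearch -m avc --raw` output instead of SAMPLE and the groups marked as leaked are the ones where the right answer is to make the parent (crond, the init script, the shell that started named) set close-on-exec on its sockets, or to dontaudit the noise, rather than to grant the confined domain access to sockets it should never have received.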