July 2008 - selinux - Fedora Mailing-Lists

rsyncd can't open log file, but there are no avc messages

by Johnny Tan

I'm stumped. I run a Java app called Solr, which does search indexing. My solr server creates the index, then I have a bunch of solr clients that rsync that index over. The rsync itself is fine, that works. The problem is it won't write to the appropriate logfile, which is: /opt/solr/logs/rsyncd.log /opt/solr/logs is a symlink to /var/log/store. Here's how it looks: == [root@solr:~]# ls -l /opt/solr/ lrwxrwxrwx 1 tomcat tomcat 14 Apr 29 13:52 logs -> /var/log/store [root@solr:~]# ls -ldZ /opt/solr/logs/ drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /opt/solr/logs/ [root@solr:~]# ls -ldZ /var/log/store drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /var/log/store [root@solr:~]# ls -Z /opt/solr/logs/rsyncd.log -rw-rw-rw- tomcat tomcat user_u:object_r:var_log_t /var/log/store/rsyncd.log == Note that the mode is 666 on the rsyncd.log. When a client tries to connect, though, I get, in /var/log/messages: Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open log-file /opt/solr/logs/rsyncd.log: Permission denied (13) But there are no avc denials (no, I don't have audit package installed, so all avc messages go to /var/log/messages -- I do get avc denials for other things). So, at first, I didn't think it was selinux-related, and tried to troubleshoot general unix permissions. But got nowhere. Then I noticed... when I put selinux in permissive mode, it works -- rsyncd properly logs to the above file. When I set it back to enforcing, I get the above error in /var/log/messages and nothing in the rsyncd.log, but no avc denials either. Any ideas? If it helps, here's how my rsyncd module looks like: == module solrrsync 1.0; require { type initrc_tmp_t; type port_t; type var_log_t; type restorecon_t; type rsync_t; type usr_t; class netlink_route_socket { read create bind getattr write nlmsg_read }; class lnk_file read; class file { read write getattr create append }; class tcp_socket { name_connect name_bind }; class dir { write add_name }; } #============= restorecon_t ============== allow restorecon_t initrc_tmp_t:file { read write }; allow restorecon_t usr_t:lnk_file read; allow restorecon_t var_log_t:lnk_file read; #============= rsync_t ============== allow rsync_t initrc_tmp_t:file { read write }; allow rsync_t port_t:tcp_socket { name_connect name_bind }; allow rsync_t self:netlink_route_socket { read create bind getattr write nlmsg_read }; allow rsync_t usr_t:lnk_file read; allow rsync_t usr_t:file { read getattr }; allow rsync_t var_log_t:lnk_file read; allow rsync_t var_log_t:dir { write add_name }; allow rsync_t var_log_t:file { read write getattr create append };

15 years, 9 months

6
16
0 / 0

auditd went crazy

by Chuck Anderson

July 1st at 00:18:02, I started getting thousands of audit messages (hundreds per second). They didn't stop until I did "service auditd restart": I finally noticed the problem when logwatch told me this: audit: audit_backlog=262 > audit_backlog_limit=256 audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=256 audit: backlog limit exceeded audit: audit_backlog=262 > audit_backlog_limit=256 audit: audit_lost=2 audit_rate_limit=0 audit_backlog_limit=256 audit: backlog limit exceeded audit: audit_backlog=262 > audit_backlog_limit=256 audit: audit_lost=3 audit_rate_limit=0 audit_backlog_limit=256 audit: backlog limit exceeded audit: audit_backlog=262 > audit_backlog_limit=256 Here is the start of the messages, with a few normal audit messages before it: type=LOGIN msg=audit(07/01/2008 00:10:01.754:139884) : login pid=24775 uid=root old auid=unset new auid=root ---- type=USER_START msg=audit(07/01/2008 00:10:01.755:139885) : user pid=24775 uid=root auid=root subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=CRED_DISP msg=audit(07/01/2008 00:10:01.763:139886) : user pid=24773 uid=root auid=root subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=USER_END msg=audit(07/01/2008 00:10:01.763:139887) : user pid=24773 uid=root auid=root subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=CRED_DISP msg=audit(07/01/2008 00:10:01.770:139888) : user pid=24775 uid=root auid=root subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=USER_END msg=audit(07/01/2008 00:10:01.770:139889) : user pid=24775 uid=root auid=root subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=USER_ACCT msg=audit(07/01/2008 00:15:01.775:139890) : user pid=24781 uid=root auid=unset subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=CRED_ACQ msg=audit(07/01/2008 00:15:01.776:139891) : user pid=24781 uid=root auid=unset subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=LOGIN msg=audit(07/01/2008 00:15:01.776:139892) : login pid=24781 uid=root old auid=unset new auid=root ---- type=USER_START msg=audit(07/01/2008 00:15:01.777:139893) : user pid=24781 uid=root auid=root subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=CRED_DISP msg=audit(07/01/2008 00:15:01.791:139894) : user pid=24781 uid=root auid=root subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=USER_END msg=audit(07/01/2008 00:15:01.791:139895) : user pid=24781 uid=root auid=root subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)' ---- type=SYSCALL msg=audit(07/01/2008 00:18:02.766:139896) : arch=i386 syscall=execve success=yes exit=0 a0=9c0aa40 a1=9c069a8 a2=9c0ab08 a3=0 items=0 ppid=24821 pid=24826 auid=fs uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none$ type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13697886] dev=sockfs ino=13697886 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692415] dev=sockfs ino=13692415 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692404] dev=sockfs ino=13692404 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692402] dev=sockfs ino=13692402 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692400] dev=sockfs ino=13692400 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692398] dev=sockfs ino=13692398 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692396] dev=sockfs ino=13692396 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692394] dev=sockfs ino=13692394 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692392] dev=sockfs ino=13692392 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692390] dev=sockfs ino=13692390 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692388] dev=sockfs ino=13692388 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692386] dev=sockfs ino=13692386 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692380] dev=sockfs ino=13692380 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692377] dev=sockfs ino=13692377 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692375] dev=sockfs ino=13692375 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692326] dev=sockfs ino=13692326 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692301] dev=sockfs ino=13692301 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692299] dev=sockfs ino=13692299 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692297] dev=sockfs ino=13692297 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692226] dev=sockfs ino=13692226 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692219] dev=sockfs ino=13692219 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692217] dev=sockfs ino=13692217 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13648053] dev=sockfs ino=13648053 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692215] dev=sockfs ino=13692215 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692087] dev=sockfs ino=13692087 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13698044] dev=sockfs ino=13698044 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13698042] dev=sockfs ino=13698042 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13698039] dev=sockfs ino=13698039 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13698037] dev=sockfs ino=13698037 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13698035] dev=sockfs ino=13698035 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13698033] dev=sockfs ino=13698033 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13698029] dev=sockfs ino=13698029 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket ... type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830554] dev=sockfs ino=13830554 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830552] dev=sockfs ino=13830552 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830550] dev=sockfs ino=13830550 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830548] dev=sockfs ino=13830548 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830546] dev=sockfs ino=13830546 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830544] dev=sockfs ino=13830544 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830542] dev=sockfs ino=13830542 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830540] dev=sockfs ino=13830540 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830538] dev=sockfs ino=13830538 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830536] dev=sockfs ino=13830536 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830530] dev=sockfs ino=13830530 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830460] dev=sockfs ino=13830460 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830435] dev=sockfs ino=13830435 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830238] dev=sockfs ino=13830238 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830433] dev=sockfs ino=13830433 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830431] dev=sockfs ino=13830431 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied { read write } for pid=9726 comm=rndc path=socket:[13830360] dev=sockfs ino=13830360 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket Anyone know what happened?

15 years, 9 months

3
4
0 / 0

Mislabeled files

by Frank Murphy

I have no idea which dir to relabel? and wouldl this dir relabel hold, after a full relabel? #locate comes up empty even after #updatedb $ rpm -qa | grep selinux selinux-policy-3.3.1-69.fc9.noarch libselinux-2.0.64-2.fc9.i386 libselinux-python-2.0.64-2.fc9.i386 selinux-policy-targeted-3.3.1-69.fc9.noarch ----------------------------------------------------------------------- Summary: SELinux is preventing the sendmail from using potentially mislabeled files (2F746D702F52734B6B436E774F202864656C6574656429). Detailed Description: SELinux has denied sendmail access to potentially mislabeled file(s) (2F746D702F52734B6B436E774F202864656C6574656429). This means that SELinux will not allow sendmail to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want sendmail to access this files, you need to relabel them using restorecon -v '2F746D702F52734B6B436E774F202864656C6574656429'. You might want to relabel the entire directory using restorecon -R -v ''. Additional Information: Source Context system_u:system_r:exim_t:s0 Target Context system_u:object_r:system_mail_tmp_t:s0 Target Objects 2F746D702F52734B6B436E774F202864656C6574656429 [ file ] Source sendmail Source Path /usr/sbin/exim Port <Unknown> Host frank-01 Source RPM Packages exim-4.69-4.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-69.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name home_tmp_bad_labels Host Name frank-01 Platform Linux frank-01 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686 Alert Count 1 First Seen Tue 01 Jul 2008 15:22:49 IST Last Seen Tue 01 Jul 2008 15:22:49 IST Local ID baefd44f-8e96-4353-8db7-badf98ef6335 Line Numbers Raw Audit Messages host=frank-01 type=AVC msg=audit(1214922169.332:32): avc: denied { read } for pid=11248 comm="sendmail" path=2F746D702F52734B6B436E774F202864656C6574656429 dev=dm-0 ino=34537 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:system_mail_tmp_t:s0 tclass=file host=frank-01 type=SYSCALL msg=audit(1214922169.332:32): arch=40000003 syscall=11 success=yes exit=0 a0=8058e0b a1=9eb060c a2=bf93c6e8 a3=9eb060c items=0 ppid=11247 pid=11248 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0 key=(null) -- skype: Frankly3D http://www.frankly3d.com

15 years, 9 months

3
6
0 / 0

audit2allow -M local < /tmp/avcs ?

by Frank Murphy

[root@frank-01 ~]# audit2allow -M local < /tmp/avcs -bash: /tmp/avcs: No such file or directory Where to go next. The logs are mailed to "root@localhost" by exim. What and where need to be allowed. Have already done a /sbin/fixfiles relabel. (mislabelled stuff) To allow for future logs? Frank

15 years, 9 months

3
6
0 / 0

fixfiles -relabel error (frrank-01)

by Frank Murphy

[frank@frank-01 ~]$ su - root Password: [root@frank-01 ~]# fixfiles relabel Files in the /tmp directory may be labeled incorrectly, this command can remove all files in /tmp. If you choose to remove files from /tmp, a reboot will be required after completion. Do you wish to clean out the /tmp directory [N]? y Cleaning out /tmp /sbin/setfiles: unable to stat file /home/frank/.gvfs: Permission denied /sbin/setfiles: error while labeling /home: Permission denied /sbin/setfiles: error while labeling /boot: Permission denied I'm guess /home has to be done as su - frank? /boot no idea.

15 years, 9 months

2
1
0 / 0

Packets are unlabeled over a labeled network interface

by Christian Kuester

Hi List, I'm trying to use network interface labeling with Fedora 8. But it doesn't behave like I would assume, so it seems that I'm doing something wrong. Here's the way I did it: I added a type blacknic_netifcon_t in a local module by type blacknic_netifcon_t; and # semanage interface -a -t blacknic_netifcon_t eth1 results of this command seem correct since: # seinfo --netif Netifcon: 2 netifcon eth1 system_u:object_r:blacknic_netifcon_t:s0 system_u:object_r:blacknic_netifcon_t:s0 netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c1023 system_u:object_r:unlabeled_t:s0 - s15:c0.c1023 But packets over this interface are still unlabeled: type=AVC msg=audit(1215170990.011:689777822): avc: denied { send } for pid=30988 comm="socat" saddr=192.168.100.54 src=3 daddr=78.xx.xx.xx dest=1024 netif=eth1 scontext=user_u:user_r:exe_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=packet Christian

15 years, 9 months

2
1
0 / 0

Upstream status of spamc_t local policy?

by Paul Howarth

The Fedora 9 spamassassin module has an interface `spamassassin_domtrans_spamc' and an extensive set of rules labelled as "spamc_t local policy". This is an interface/ruleset that I need to get policy for spamass-milter working again (Bug #447247), and to that end I've created a "milters" policy module (http://www.city-fan.org/~paul/spamass-milter/) that works very well for me. However, I can't really progress this upstream because the `spamassassin_domtrans_spamc' interface and "spamc_t local policy" aren't in upstream refpolicy svn yet. Strangely though, I see comments in the policy labelled "cjp:", which suggests that it's seen upstream review at some point. What's the status of this? For the moment I've encapsulated the non-upstream bits of policy that I need in a "my-sa" module (again at http://www.city-fan.org/~paul/spamass-milter/) and this works fine with my milters module on CentOS 5.2. Paul.

15 years, 9 months

1
0
0 / 0

gconf-2 creating > unlabelled_t files

by Frank Murphy

Do I run "cp -P /usr/libexec/gconfd-2" ----------------------------------------------------- Summary: SELinux is preventing gconfd-2 from creating a file with a context of unlabeled_t on a filesystem. Detailed Description: SELinux is preventing gconfd-2 from creating a file with a context of unlabeled_t on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. "cp -P" might be a better solution, as this will adopt the default file context for the destination. Allowing Access: Use a command like "cp -P" to preserve all permissions except SELinux context. Additional Information: Source Context unconfined_u:object_r:unlabeled_t:s0 Target Context system_u:object_r:fs_t:s0 Target Objects .testing.writeability [ filesystem ] Source gconfd-2 Source Path /usr/libexec/gconfd-2 Port <Unknown> Host frank-03 Source RPM Packages GConf2-2.22.0-1.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-72.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name filesystem_associate Host Name frank-03 Platform Linux frank-03 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686 Alert Count 1 First Seen Wed 02 Jul 2008 12:06:53 IST Last Seen Wed 02 Jul 2008 12:06:53 IST Local ID 9af5a524-6e39-40da-a8f0-146b28ebee10 Line Numbers Raw Audit Messages host=frank-03 type=AVC msg=audit(1214996813.541:52): avc: denied { associate } for pid=9827 comm="gconfd-2" name=".testing.writeability" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem host=frank-03 type=SYSCALL msg=audit(1214996813.541:52): arch=40000003 syscall=5 success=no exit=-13 a0=8652d18 a1=41 a2=1c0 a3=8652d18 items=0 ppid=1 pid=9827 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

15 years, 10 months

2
1
0 / 0

Creating a custom user role

by Jonathan Stott

Hi I'm on FC9, and I would like to create a user based on guest_u who is almost as unprivileged as that role, but is allowed to ssh out. So I opened up the polgengui tool kit and selected 'minimal terminal user role' I then also allowed it access to the guest role as an additional role. (I'm not sure if this step is required) I then allowed the role to connect to port 22 And then made the policy files. On running the script, I got the message '/usr/sbin/semanage: You must specify a prefix', which lead me to look a little closer at the generated file. One thing I noticed was that amongst the roles to be assigned to the new role was 'system_r', which I believe is the system administration role, so removing that and adding a prefix of user, I could then run the script and install the role. Adding it as the role for the user I want to allow ssh access out to, I then tried to login, which got me the message Unable to get valid context for username Setting the user to guest_u or user_u works fine, though. What did I do wrong? Regards, Jonathan.

15 years, 10 months

2
1
0 / 0

xinetd rsync --daemon problems

by Chuck Anderson

I'm using Fedora Core 6, and trying to start a rsync daemon via xinetd. The default configuration is: # default: off # description: The rsync server is a good addition to an ftp server, as it \ # allows crc checksumming etc. service rsync { disable = no socket_type = stream wait = no user = root server = /usr/bin/rsync server_args = --daemon log_on_failure += USERID } With this rsyncd.conf: motd file = /etc/rsyncd.motd pid file = /var/run/rsyncd.pid port = 873 uid = rsyncd gid = mirror use chroot = yes max connections = 10 log file = /var/log/rsyncd.log read only = yes hosts allow = 127.0.0.1, ::1, etc.... #hosts deny = 0.0.0.0/0, :: ignore nonreadable = yes transfer logging = yes timeout = 600 dont compress = * [fedora-linux-core] path = /srv/ftp/pub/fedora/linux/core comment = Fedora Linux Core [fedora-linux-core-updates] path = /srv/ftp/pub/fedora/linux/core/updates comment = Fedora Linux Core Updates [fedora-linux-extras] path = /srv/ftp/pub/fedora/linux/extras comment = Fedora Linux Extras [fedora-linux-core-test] path = /srv/ftp/pub/fedora/linux/core/test comment = Fedora Linux Core Test [fedora-linux-releases] path = /srv/ftp/pub/fedora/linux/releases comment = Fedora Linux Releases [fedora-linux-development] path = /srv/ftp/pub/fedora/linux/development comment = Fedora Linux Development [fedora-enchilada] path = /srv/ftp/pub/fedora comment = Fedora - The whole enchilada [fedora-linux-updates] path = /srv/ftp/pub/fedora/linux/updates comment = Fedora Linux Updates [fedora-web] path = /srv/ftp/pub/fedora/web comment = Web content for Fedora Linux mirrors I get these AVCs when running from xinetd and making a client connection that I don't get if I start the daemon directly via "rsync --daemon" as root: type=AVC msg=audit(1192132336.713:3464): avc: denied { lock } for pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435 scontext=user_u:system_r:rsync_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file type=SYSCALL msg=audit(1192132336.713:3464): arch=40000003 syscall=221 success=no exit=-13 a0=4 a1=d a2=bff80730 a3=bff80730 items=0 ppid=8167 pid=8488 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null) type=AVC_PATH msg=audit(1192132336.713:3464): path="/var/run/rsyncd.lock" type=AVC msg=audit(1192132400.044:3465): avc: denied { bind } for pid=8499 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket type=SYSCALL msg=audit(1192132400.044:3465): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf8f4674 a2=4df50ff4 a3=3 items=0 ppid=8167 pid=8499 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null) I tried creating and loading a policy module: # grep "rsync" /var/log/audit/audit.log | audit2allow -M rsyncd # semodule -i rsyncd.pp Here is rsyncd.te: module rsyncd 1.0; require { type var_run_t; type rsync_t; class netlink_route_socket create; class file { read write }; } #============= rsync_t ============== allow rsync_t self:netlink_route_socket create; allow rsync_t var_run_t:file { read write }; But I still get these AVCs: type=AVC msg=audit(1192139751.238:3586): avc: denied { bind } for pid=9311 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket type=SYSCALL msg=audit(1192139751.238:3586): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfbb6144 a2=4df50ff4 a3=3 items=0 ppid=8732 pid=9311 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync" subj=user_u:system_r:rsync_t:s0 key=(null) Additionally, when using xinetd I don't ever get any log messages in /var/log/rsyncd.log like I do when I run "rsync --daemon" directly: 2007/10/11 17:08:01 [8613] rsyncd version 2.6.9 starting, listening on port 873 2007/10/11 17:08:13 [8616] connect from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15) 2007/10/11 17:08:13 [8616] rsync on fedora-enchilada/linux/ from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15) 2007/10/11 21:08:13 [8616] building file list 2007/10/11 21:08:13 [8616] sent 1629 bytes received 106 bytes total size 19

15 years, 10 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux July 2008