rsyncd can't open log file, but there are no avc messages
by Johnny Tan
I'm stumped.
I run a Java app called Solr, which does search indexing. My
solr server creates the index, then I have a bunch of solr
clients that rsync that index over.
The rsync itself is fine, that works. The problem is it
won't write to the appropriate logfile, which is:
/opt/solr/logs/rsyncd.log
/opt/solr/logs is a symlink to /var/log/store.
Here's how it looks:
==
[root@solr:~]# ls -l /opt/solr/
lrwxrwxrwx 1 tomcat tomcat 14 Apr 29 13:52 logs -> /var/log/store
[root@solr:~]# ls -ldZ /opt/solr/logs/
drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /opt/solr/logs/
[root@solr:~]# ls -ldZ /var/log/store
drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /var/log/store
[root@solr:~]# ls -Z /opt/solr/logs/rsyncd.log
-rw-rw-rw- tomcat tomcat user_u:object_r:var_log_t /var/log/store/rsyncd.log
==
Note that the mode is 666 on the rsyncd.log. When a client
tries to connect, though, I get, in /var/log/messages:
Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open log-file /opt/solr/logs/rsyncd.log: Permission denied (13)
But there are no avc denials (no, I don't have audit package
installed, so all avc messages go to /var/log/messages -- I
do get avc denials for other things).
So, at first, I didn't think it was selinux-related, and
tried to troubleshoot general unix permissions. But got nowhere.
Then I noticed... when I put selinux in permissive mode, it
works -- rsyncd properly logs to the above file. When I set
it back to enforcing, I get the above error in
/var/log/messages and nothing in the rsyncd.log, but no avc
denials either.
Any ideas?
If it helps, here's how my rsyncd module looks:
==
module solrrsync 1.0;

require {
	type initrc_tmp_t;
	type port_t;
	type var_log_t;
	type restorecon_t;
	type rsync_t;
	type usr_t;
	class netlink_route_socket { read create bind getattr write nlmsg_read };
	class lnk_file read;
	class file { read write getattr create append };
	class tcp_socket { name_connect name_bind };
	class dir { write add_name };
}

#============= restorecon_t ==============
allow restorecon_t initrc_tmp_t:file { read write };
allow restorecon_t usr_t:lnk_file read;
allow restorecon_t var_log_t:lnk_file read;

#============= rsync_t ==============
allow rsync_t initrc_tmp_t:file { read write };
allow rsync_t port_t:tcp_socket { name_connect name_bind };
allow rsync_t self:netlink_route_socket { read create bind getattr write nlmsg_read };
allow rsync_t usr_t:lnk_file read;
allow rsync_t usr_t:file { read getattr };
allow rsync_t var_log_t:lnk_file read;
allow rsync_t var_log_t:dir { write add_name };
allow rsync_t var_log_t:file { read write getattr create append };
==
15 years, 9 months
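A denial that produces no AVC under enforcing but disappears in permissive is the signature of a dontaudit rule hiding it; on policycoreutils versions that support it, `semodule -DB` rebuilds the policy with dontaudit rules disabled so the denial becomes visible, and `semodule -B` puts them back. Before going there, the thing a practitioner wants for a path like /opt/solr/logs/rsyncd.log is the exact list of objects the confined domain touches on the way to the file: every directory it searches, the symlink it reads, and the file it appends to, each with its label. The script below is an added example, not code from the post or from rsync. It resolves a path component by component the way the kernel does, reads the `security.selinux` xattr where the filesystem has one (None otherwise), and lists the class and permissions each step needs, using the reference policy's names. `demo_walk()` rebuilds the post's layout (an absolute `logs -> .../var/log/store` symlink with `rsyncd.log` inside) under a temporary directory, so it runs on any host; the function names and the `<unknown_t>` placeholder for unlabeled objects are this example's own.

```python
"""Walk a path the way the kernel resolves it and list, per object, the SELinux
class and permissions a confined domain needs to open it for appending.
Added example; not code from the post or from rsync."""
import os
import shutil
import stat
import tempfile
from typing import List, Optional, Tuple

Step = Tuple[str, str, str, Optional[str]]   # (object path, class, perms, label)

FILE_PERMS = {
    "append": "append open getattr",   # O_WRONLY|O_APPEND on an existing file
    "write": "write open getattr",
    "read": "read open getattr",
}


def selinux_label(path: str) -> Optional[str]:
    """security.selinux of the object itself (symlinks are not followed);
    None where the host or filesystem carries no SELinux xattr."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b"\0").decode(errors="replace")


def walk_access_path(path: str, mode: str = "append") -> List[Step]:
    """Every object a process touches opening `path`: search on each directory,
    read on each symlink (its target is then resolved in place, as the kernel
    does), and the open permissions on the final file. A missing final
    component turns into create rights on the parent plus the new file."""
    steps: List[Step] = [("/", "dir", "search", selinux_label("/"))]
    cur = "/"
    pending = [c for c in os.path.normpath(path).split("/") if c]
    hops = 0
    while pending:
        name = pending.pop(0)
        obj = os.path.normpath(os.path.join(cur, name))
        try:
            st = os.lstat(obj)
        except FileNotFoundError:
            if pending:
                raise
            steps.append((cur, "dir", "search write add_name", selinux_label(cur)))
            steps.append((obj, "file", "create " + FILE_PERMS[mode], None))
            break
        if stat.S_ISLNK(st.st_mode):
            hops += 1
            if hops > 40:
                raise OSError("too many levels of symbolic links: " + path)
            steps.append((obj, "lnk_file", "read", selinux_label(obj)))
            target = os.readlink(obj)
            if os.path.isabs(target):
                cur = "/"
            pending = [c for c in target.split("/") if c] + pending
        elif stat.S_ISDIR(st.st_mode):
            steps.append((obj, "dir", "search", selinux_label(obj)))
            cur = obj
        else:
            if pending:
                raise NotADirectoryError(obj)
            steps.append((obj, "file", FILE_PERMS[mode], selinux_label(obj)))
    return steps


def needed_rules(domain: str, steps: List[Step]) -> List[str]:
    """Collapse a walk into .te allow rules keyed on the target type;
    objects without a label get the placeholder <unknown_t>."""
    merged: dict = {}
    for _, cls, perms, label in steps:
        parts = (label or "").split(":")
        ttype = parts[2] if len(parts) > 2 else "<unknown_t>"
        merged.setdefault((ttype, cls), set()).update(perms.split())
    return [f"allow {domain} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (t, c), p in sorted(merged.items())]


def demo_walk() -> List[Step]:
    """Constructed sample: the post's layout under a temp dir. /opt/solr/logs is
    an absolute symlink to /var/log/store, which holds rsyncd.log."""
    root = tempfile.mkdtemp(prefix="solr-walk-")
    try:
        store = os.path.join(root, "var", "log", "store")
        os.makedirs(store)
        os.makedirs(os.path.join(root, "opt", "solr"))
        open(os.path.join(store, "rsyncd.log"), "w").close()
        os.symlink(store, os.path.join(root, "opt", "solr", "logs"))
        return walk_access_path(os.path.join(root, "opt", "solr", "logs", "rsyncd.log"))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    steps = demo_walk()
    for obj, cls, perms, label in steps:
        print(f"{cls:9s} {{ {perms} }}  {label or '<no label>'}  {obj}")
    print("\n".join(needed_rules("rsync_t", steps)))
```

Run it against the real path on the affected host (`walk_access_path("/opt/solr/logs/rsyncd.log")`) and compare the emitted rules with the module above: any (type, class, permission) the walk needs that the module and the base policy do not grant is the candidate, and if every step is already allowed, the denial is coming from somewhere the walk does not model and the dontaudit check is the next step.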
auditd went crazy
by Chuck Anderson
July 1st at 00:18:02, I started getting thousands of audit messages
(hundreds per second). They didn't stop until I did "service auditd
restart":
I finally noticed the problem when logwatch told me this:
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=2 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
audit: audit_backlog=262 > audit_backlog_limit=256
audit: audit_lost=3 audit_rate_limit=0 audit_backlog_limit=256
audit: backlog limit exceeded
audit: audit_backlog=262 > audit_backlog_limit=256
Here is the start of the messages, with a few normal audit messages
before it:
type=LOGIN msg=audit(07/01/2008 00:10:01.754:139884) : login pid=24775
uid=root old auid=unset new auid=root
----
type=USER_START msg=audit(07/01/2008 00:10:01.755:139885) : user
pid=24775 uid=root auid=root
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron
res=success)'
----
type=CRED_DISP msg=audit(07/01/2008 00:10:01.763:139886) : user
pid=24773 uid=root auid=root
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron
res=success)'
----
type=USER_END msg=audit(07/01/2008 00:10:01.763:139887) : user
pid=24773 uid=root auid=root
subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_close acct=root exe=/usr/sbin/crond (hostname=?,
addr=?, terminal=cron res=success)'
----
type=CRED_DISP msg=audit(07/01/2008 00:10:01.770:139888) : user
pid=24775 uid=root auid=root
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron
res=success)'
----
type=USER_END msg=audit(07/01/2008 00:10:01.770:139889) : user
pid=24775 uid=root auid=root
subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_close acct=root exe=/usr/sbin/crond (hostname=?,
addr=?, terminal=cron res=success)'
----
type=USER_ACCT msg=audit(07/01/2008 00:15:01.775:139890) : user
pid=24781 uid=root auid=unset
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron
res=success)'
----
type=CRED_ACQ msg=audit(07/01/2008 00:15:01.776:139891) : user
pid=24781 uid=root auid=unset
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron
res=success)'
----
type=LOGIN msg=audit(07/01/2008 00:15:01.776:139892) : login pid=24781
uid=root old auid=unset new auid=root
----
type=USER_START msg=audit(07/01/2008 00:15:01.777:139893) : user
pid=24781 uid=root auid=root
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron
res=success)'
----
type=CRED_DISP msg=audit(07/01/2008 00:15:01.791:139894) : user
pid=24781 uid=root auid=root
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron
res=success)'
----
type=USER_END msg=audit(07/01/2008 00:15:01.791:139895) : user
pid=24781 uid=root auid=root
subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_close acct=root exe=/usr/sbin/crond (hostname=?,
addr=?, terminal=cron res=success)'
----
type=SYSCALL msg=audit(07/01/2008 00:18:02.766:139896) : arch=i386
syscall=execve success=yes exit=0 a0=9c0aa40 a1=9c069a8 a2=9c0ab08
a3=0 items=0 ppid=24821 pid=24826 auid=fs uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none$
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13697886]
dev=sockfs ino=13697886 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692415]
dev=sockfs ino=13692415 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692404]
dev=sockfs ino=13692404 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692402]
dev=sockfs ino=13692402 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692400]
dev=sockfs ino=13692400 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692398]
dev=sockfs ino=13692398 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692396]
dev=sockfs ino=13692396 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692394]
dev=sockfs ino=13692394 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692392]
dev=sockfs ino=13692392 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692390]
dev=sockfs ino=13692390 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692388]
dev=sockfs ino=13692388 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692386]
dev=sockfs ino=13692386 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692380]
dev=sockfs ino=13692380 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692377]
dev=sockfs ino=13692377 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692375]
dev=sockfs ino=13692375 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692326]
dev=sockfs ino=13692326 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692301]
dev=sockfs ino=13692301 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692299]
dev=sockfs ino=13692299 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692297]
dev=sockfs ino=13692297 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692226]
dev=sockfs ino=13692226 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692219]
dev=sockfs ino=13692219 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692217]
dev=sockfs ino=13692217 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13648053]
dev=sockfs ino=13648053 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692215]
dev=sockfs ino=13692215 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13692087]
dev=sockfs ino=13692087 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13698044]
dev=sockfs ino=13698044 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13698042]
dev=sockfs ino=13698042 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13698039]
dev=sockfs ino=13698039 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13698037]
dev=sockfs ino=13698037 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13698035]
dev=sockfs ino=13698035 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13698033]
dev=sockfs ino=13698033 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied {
read write } for pid=24826 comm=rndc path=socket:[13698029]
dev=sockfs ino=13698029 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
...
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830554] dev=sockfs
ino=13830554 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830552] dev=sockfs
ino=13830552 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830550] dev=sockfs
ino=13830550 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830548] dev=sockfs
ino=13830548 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830546] dev=sockfs
ino=13830546 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830544] dev=sockfs
ino=13830544 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830542] dev=sockfs
ino=13830542 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830540] dev=sockfs
ino=13830540 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830538] dev=sockfs
ino=13830538 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830536] dev=sockfs
ino=13830536 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830530] dev=sockfs
ino=13830530 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830460] dev=sockfs
ino=13830460 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830435] dev=sockfs
ino=13830435 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830238] dev=sockfs
ino=13830238 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830433] dev=sockfs
ino=13830433 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830431] dev=sockfs
ino=13830431 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(07/02/2008 10:54:46.348:144433) : avc: denied {
read write } for pid=9726 comm=rndc path=socket:[13830360] dev=sockfs
ino=13830360 scontext=unconfined_u:system_r:ndc_t:s0
tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket
Anyone know what happened?
15 years, 9 months
Mislabeled files
by Frank Murphy
I have no idea which dir to relabel,
and would this dir relabel hold after a full relabel?
#locate comes up empty even after #updatedb
$ rpm -qa | grep selinux
selinux-policy-3.3.1-69.fc9.noarch
libselinux-2.0.64-2.fc9.i386
libselinux-python-2.0.64-2.fc9.i386
selinux-policy-targeted-3.3.1-69.fc9.noarch
-----------------------------------------------------------------------
Summary:
SELinux is preventing the sendmail from using potentially mislabeled files
(2F746D702F52734B6B436E774F202864656C6574656429).
Detailed Description:
SELinux has denied sendmail access to potentially mislabeled file(s)
(2F746D702F52734B6B436E774F202864656C6574656429). This means that SELinux will
not allow sendmail to use these files. It is common for users to edit files in
their home directory or tmp directories and then move (mv) them to system
directories. The problem is that the files end up with the wrong file context
which confined applications are not allowed to access.
Allowing Access:
If you want sendmail to access these files, you need to relabel them using
restorecon -v '2F746D702F52734B6B436E774F202864656C6574656429'. You might want
to relabel the entire directory using restorecon -R -v ''.
Additional Information:
Source Context system_u:system_r:exim_t:s0
Target Context system_u:object_r:system_mail_tmp_t:s0
Target Objects 2F746D702F52734B6B436E774F202864656C6574656429 [ file ]
Source sendmail
Source Path /usr/sbin/exim
Port <Unknown>
Host frank-01
Source RPM Packages exim-4.69-4.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-69.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name frank-01
Platform Linux frank-01 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686
Alert Count 1
First Seen Tue 01 Jul 2008 15:22:49 IST
Last Seen Tue 01 Jul 2008 15:22:49 IST
Local ID baefd44f-8e96-4353-8db7-badf98ef6335
Line Numbers
Raw Audit Messages
host=frank-01 type=AVC msg=audit(1214922169.332:32): avc: denied
{ read } for pid=11248 comm="sendmail"
path=2F746D702F52734B6B436E774F202864656C6574656429 dev=dm-0 ino=34537
scontext=system_u:system_r:exim_t:s0
tcontext=system_u:object_r:system_mail_tmp_t:s0 tclass=file
host=frank-01 type=SYSCALL msg=audit(1214922169.332:32): arch=40000003
syscall=11 success=yes exit=0 a0=8058e0b a1=9eb060c a2=bf93c6e8
a3=9eb060c items=0 ppid=11247 pid=11248 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="sendmail" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0
key=(null)
--
skype: Frankly3D
http://www.frankly3d.com
15 years, 9 months
audit2allow -M local < /tmp/avcs ?
by Frank Murphy
[root@frank-01 ~]# audit2allow -M local < /tmp/avcs
-bash: /tmp/avcs: No such file or directory
Where to go next.
The logs are mailed to "root@localhost" by exim.
What and where need to be allowed.
Have already done a /sbin/fixfiles relabel. (mislabelled stuff)
To allow for future logs?
Frank
15 years, 9 months
fixfiles -relabel error (frank-01)
by Frank Murphy
[frank@frank-01 ~]$ su - root
Password:
[root@frank-01 ~]# fixfiles relabel
Files in the /tmp directory may be labeled incorrectly, this command
can remove all files in /tmp. If you choose to remove files from /tmp,
a reboot will be required after completion.
Do you wish to clean out the /tmp directory [N]? y
Cleaning out /tmp
/sbin/setfiles: unable to stat file /home/frank/.gvfs: Permission denied
/sbin/setfiles: error while labeling /home: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
I'm guessing /home has to be done as su - frank?
/boot no idea.
15 years, 9 months
Packets are unlabeled over a labeled network interface
by Christian Kuester
Hi List,
I'm trying to use network interface labeling with Fedora 8. But it
doesn't behave like I would assume, so it seems that I'm doing something
wrong. Here's the way I did it:
I added a type blacknic_netifcon_t in a local module by
type blacknic_netifcon_t;
and
# semanage interface -a -t blacknic_netifcon_t eth1
results of this command seem correct since:
# seinfo --netif
Netifcon: 2
   netifcon eth1 system_u:object_r:blacknic_netifcon_t:s0 system_u:object_r:blacknic_netifcon_t:s0
   netifcon lo system_u:object_r:lo_netif_t:s0 - s15:c0.c1023 system_u:object_r:unlabeled_t:s0 - s15:c0.c1023
But packets over this interface are still unlabeled:
type=AVC msg=audit(1215170990.011:689777822): avc: denied { send } for
pid=30988 comm="socat" saddr=192.168.100.54 src=3 daddr=78.xx.xx.xx
dest=1024 netif=eth1 scontext=user_u:user_r:exe_t:s0
tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=packet
Christian
15 years, 9 months
Upstream status of spamc_t local policy?
by Paul Howarth
The Fedora 9 spamassassin module has an interface
`spamassassin_domtrans_spamc' and an extensive set of rules labelled as
"spamc_t local policy". This is an interface/ruleset that I need to get
policy for spamass-milter working again (Bug #447247), and to that end
I've created a "milters" policy module
(http://www.city-fan.org/~paul/spamass-milter/) that works very well for me.
However, I can't really progress this upstream because the
`spamassassin_domtrans_spamc' interface and "spamc_t local policy"
aren't in upstream refpolicy svn yet. Strangely though, I see comments
in the policy labelled "cjp:", which suggests that it's seen upstream
review at some point. What's the status of this?
For the moment I've encapsulated the non-upstream bits of policy that I
need in a "my-sa" module (again at
http://www.city-fan.org/~paul/spamass-milter/) and this works fine with
my milters module on CentOS 5.2.
Paul.
15 years, 9 months
gconf-2 creating > unlabelled_t files
by Frank Murphy
Do I run "cp -P /usr/libexec/gconfd-2"
-----------------------------------------------------
Summary:
SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem.
Detailed Description:
SELinux is preventing gconfd-2 from creating a file with a context of
unlabeled_t on a filesystem. Usually this happens when you ask the cp command to
maintain the context of a file when copying between file systems, "cp -a" for
example. Not all file contexts should be maintained between the file systems.
For example, a read-only file type like iso9660_t should not be placed on a r/w
system. "cp -P" might be a better solution, as this will adopt the default file
context for the destination.
Allowing Access:
Use a command like "cp -P" to preserve all permissions except SELinux context.
Additional Information:
Source Context unconfined_u:object_r:unlabeled_t:s0
Target Context system_u:object_r:fs_t:s0
Target Objects .testing.writeability [ filesystem ]
Source gconfd-2
Source Path /usr/libexec/gconfd-2
Port <Unknown>
Host frank-03
Source RPM Packages GConf2-2.22.0-1.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-72.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name filesystem_associate
Host Name frank-03
Platform Linux frank-03 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686
Alert Count 1
First Seen Wed 02 Jul 2008 12:06:53 IST
Last Seen Wed 02 Jul 2008 12:06:53 IST
Local ID 9af5a524-6e39-40da-a8f0-146b28ebee10
Line Numbers
Raw Audit Messages
host=frank-03 type=AVC msg=audit(1214996813.541:52): avc: denied {
associate } for pid=9827 comm="gconfd-2" name=".testing.writeability"
scontext=unconfined_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=frank-03 type=SYSCALL msg=audit(1214996813.541:52): arch=40000003
syscall=5 success=no exit=-13 a0=8652d18 a1=41 a2=1c0 a3=8652d18
items=0 ppid=1 pid=9827 auid=500 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gconfd-2"
exe="/usr/libexec/gconfd-2"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
15 years, 10 months
Creating a custom user role
by Jonathan Stott
Hi
I'm on FC9, and I would like to create a user based on guest_u who is almost as unprivileged as that role, but is allowed to ssh out.
So I opened up the polgengui tool kit and selected 'minimal terminal user role'
I then also allowed it access to the guest role as an additional role. (I'm not sure if this step is required)
I then allowed the role to connect to port 22
And then made the policy files.
On running the script, I got the message '/usr/sbin/semanage: You must specify a prefix',
which led me to look a little closer at the generated file. One thing I noticed was that
amongst the roles to be assigned to the new role was 'system_r', which I believe is the
system administration role, so removing that and adding a prefix of user, I could then
run the script and install the role.
Adding it as the role for the user I want to allow ssh access out to, I then tried to login, which got me the message
Unable to get valid context for username
Setting the user to guest_u or user_u works fine, though. What did I do wrong?
Regards,
Jonathan.
15 years, 10 months
xinetd rsync --daemon problems
by Chuck Anderson
I'm using Fedora Core 6, and trying to start a rsync daemon via
xinetd. The default configuration is:
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
# allows crc checksumming etc.
service rsync
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}
With this rsyncd.conf:
motd file = /etc/rsyncd.motd
pid file = /var/run/rsyncd.pid
port = 873
uid = rsyncd
gid = mirror
use chroot = yes
max connections = 10
log file = /var/log/rsyncd.log
read only = yes
hosts allow = 127.0.0.1, ::1, etc....
#hosts deny = 0.0.0.0/0, ::
ignore nonreadable = yes
transfer logging = yes
timeout = 600
dont compress = *
[fedora-linux-core]
path = /srv/ftp/pub/fedora/linux/core
comment = Fedora Linux Core
[fedora-linux-core-updates]
path = /srv/ftp/pub/fedora/linux/core/updates
comment = Fedora Linux Core Updates
[fedora-linux-extras]
path = /srv/ftp/pub/fedora/linux/extras
comment = Fedora Linux Extras
[fedora-linux-core-test]
path = /srv/ftp/pub/fedora/linux/core/test
comment = Fedora Linux Core Test
[fedora-linux-releases]
path = /srv/ftp/pub/fedora/linux/releases
comment = Fedora Linux Releases
[fedora-linux-development]
path = /srv/ftp/pub/fedora/linux/development
comment = Fedora Linux Development
[fedora-enchilada]
path = /srv/ftp/pub/fedora
comment = Fedora - The whole enchilada
[fedora-linux-updates]
path = /srv/ftp/pub/fedora/linux/updates
comment = Fedora Linux Updates
[fedora-web]
path = /srv/ftp/pub/fedora/web
comment = Web content for Fedora Linux mirrors
I get these AVCs when running from xinetd and making a client
connection that I don't get if I start the daemon directly via "rsync
--daemon" as root:
type=AVC msg=audit(1192132336.713:3464): avc: denied { lock } for
pid=8488 comm="rsync" name="rsyncd.lock" dev=dm-4 ino=2064435
scontext=user_u:system_r:rsync_t:s0
tcontext=root:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1192132336.713:3464): arch=40000003 syscall=221
success=no exit=-13 a0=4 a1=d a2=bff80730 a3=bff80730 items=0
ppid=8167 pid=8488 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync"
subj=user_u:system_r:rsync_t:s0 key=(null)
type=AVC_PATH msg=audit(1192132336.713:3464):
path="/var/run/rsyncd.lock"
type=AVC msg=audit(1192132400.044:3465): avc: denied { bind } for
pid=8499 comm="rsync" scontext=user_u:system_r:rsync_t:s0
tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1192132400.044:3465): arch=40000003 syscall=102
success=no exit=-13 a0=2 a1=bf8f4674 a2=4df50ff4 a3=3 items=0
ppid=8167 pid=8499 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync"
subj=user_u:system_r:rsync_t:s0 key=(null)
I tried creating and loading a policy module:
# grep "rsync" /var/log/audit/audit.log | audit2allow -M rsyncd
# semodule -i rsyncd.pp
Here is rsyncd.te:
module rsyncd 1.0;
require {
type var_run_t;
type rsync_t;
class netlink_route_socket create;
class file { read write };
}
#============= rsync_t ==============
allow rsync_t self:netlink_route_socket create;
allow rsync_t var_run_t:file { read write };
But I still get these AVCs:
type=AVC msg=audit(1192139751.238:3586): avc: denied { bind } for
pid=9311 comm="rsync" scontext=user_u:system_r:rsync_t:s0
tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1192139751.238:3586): arch=40000003 syscall=102
success=no exit=-13 a0=2 a1=bfbb6144 a2=4df50ff4 a3=3 items=0
ppid=8732 pid=9311 auid=10002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="rsync" exe="/usr/bin/rsync"
subj=user_u:system_r:rsync_t:s0 key=(null)
Additionally, when using xinetd I don't ever get any log messages in
/var/log/rsyncd.log like I do when I run "rsync --daemon" directly:
2007/10/11 17:08:01 [8613] rsyncd version 2.6.9 starting, listening on port 873
2007/10/11 17:08:13 [8616] connect from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 17:08:13 [8616] rsync on fedora-enchilada/linux/ from dustpuppy.wpi.edu (2001:468:616:8c9:213:72ff:fe74:da15)
2007/10/11 21:08:13 [8616] building file list
2007/10/11 21:08:13 [8616] sent 1629 bytes received 106 bytes total size 19
15 years, 10 months
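Four of the posts above come down to the same chore: the AVC flood in "auditd went crazy", the hex-named file in "Mislabeled files", the `audit2allow -M local < /tmp/avcs` question, and the rsync_t denials in this xinetd thread all need AVC records read in whatever form they arrived (raw audit.log, syslog, or `ausearch -i` output), the repeats collapsed, and the result turned into a module. The parser below is an added example, not code from any of the posts or from audit2allow. Two details matter for these threads. The audit subsystem hex-encodes any string field that contains a space, quote or control character, which is why sealert printed `2F746D70...` as the file name; decoded it is `/tmp/RsKkCnwO (deleted)`, a temporary file that had already been unlinked, so the suggested `restorecon -v` on that name could not have done anything. And the "auditd went crazy" dump is one denial per socket descriptor (`path=socket:[...]`) held by the same pid at the same timestamp; collapsed on (source type, target type, class, permissions) it is a single rule, and counting by (comm, pid) names the process that filled the backlog. The sample lines are copied from the posts, plus one constructed syslog line that carries no AVC and must be skipped; all function names are this example's own.

```python
"""Parse SELinux AVC denials from raw audit.log, syslog or `ausearch -i` output,
decode hex-encoded strings, collapse repeats and emit an audit2allow-style .te
module. Added example; not from the posts or from audit2allow itself."""
import re
from collections import Counter
from typing import Any, Dict, Optional, Tuple

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Fields the kernel emits as strings; only these are ever hex-encoded.
STRING_FIELDS = {"path", "name", "comm", "exe", "cwd", "proctitle", "key"}


def decode_audit_string(value: str) -> str:
    """Raw records quote plain strings and hex-encode strings that contain
    spaces, quotes or control characters. `ausearch -i` output is already
    decoded, so an unquoted value is treated as hex only when it parses as
    whole bytes (a bare name like 'dead' would be ambiguous; real comm/path
    values almost never are)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if HEX_RE.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """One AVC line -> {'perms': [...], 'pid': ..., 'scontext': ..., ...};
    None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, Any] = {"perms": sorted(m.group("perms").split())}
    for key, raw in FIELD_RE.findall(m.group("rest")):
        rec[key] = decode_audit_string(raw) if key in STRING_FIELDS else raw
    return rec


def type_of(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def summarize(lines) -> Counter:
    """Collapse repeats: (source type, target type, class, perms) -> count."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_avc(line)
        if not rec or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue
        counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]),
                rec["tclass"], tuple(rec["perms"]))] += 1
    return counts


def by_process(lines) -> Counter:
    """Who produced the flood: denials per (comm, pid)."""
    c: Counter = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            c[(rec.get("comm"), rec.get("pid"))] += 1
    return c


def _fmt(perms) -> str:
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def to_te(counts: Counter, module: str = "local", version: str = "1.0") -> str:
    """audit2allow-style module: permissions merged per (src, tgt, class), and
    a target equal to the source written as 'self' as audit2allow does."""
    merged: Dict[Tuple[str, str, str], set] = {}
    for (src, tgt, cls, perms) in counts:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    types = sorted({t for (s, g, _) in merged for t in (s, g)})
    classes: Dict[str, set] = {}
    for (_, _, cls), perms in merged.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(merged.items()):
        out.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {_fmt(perms)};")
    return "\n".join(out)


# Sample input copied from the posts above, plus one constructed syslog line
# (the last one) that carries no AVC and must be skipped.
SAMPLE = [
    "type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13697886] dev=sockfs ino=13697886 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket",
    "type=AVC msg=audit(07/01/2008 00:18:02.766:139896) : avc: denied { read write } for pid=24826 comm=rndc path=socket:[13692415] dev=sockfs ino=13692415 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=tcp_socket",
    'host=frank-01 type=AVC msg=audit(1214922169.332:32): avc: denied { read } for pid=11248 comm="sendmail" path=2F746D702F52734B6B436E774F202864656C6574656429 dev=dm-0 ino=34537 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:system_mail_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1192132400.044:3465): avc: denied { bind } for pid=8499 comm="rsync" scontext=user_u:system_r:rsync_t:s0 tcontext=user_u:system_r:rsync_t:s0 tclass=netlink_route_socket',
    "Jul  1 00:18:02 solr kernel: audit: backlog limit exceeded",
]

if __name__ == "__main__":
    for (comm, pid), n in by_process(SAMPLE).most_common():
        print(f"{n:5d}  {comm} pid={pid}")
    print(parse_avc(SAMPLE[2])["path"])
    print(to_te(summarize(SAMPLE), module="local"))
```

Feed it `grep avc: /var/log/messages` on a box without auditd, or `ausearch -m avc -i` where auditd is running, and read the counts before loading anything: a rule generated from a denial is still only a description of what was refused, and a flood of thousands of identical denials from one pid, as in the "auditd went crazy" dump, is a reason to look at the process first, not to allow it.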