selinux and smagent
by mark
Apologies if this has been covered a million times; if so, please point me
to the post or thread that answers this.
selinux has an error-handling problem. It complains (we're running it in
permissive mode, or it would be real grief):
host=<hostname> type=AVC msg=audit(1259003353.282:46730): avc: denied {
write } for pid=27369 comm="LLAWP" path="/var/log/httpd/smagent.log"
dev=sda3 ino=46107891 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
host=<hostname> type=SYSCALL msg=audit(1259003353.282:46730):
arch=c000003e syscall=1 per=400000 success=yes exit=124 a0=15
a1=2aaaab249000 a2=7c a3=7473657571655273 items=0 ppid=1 pid=27369
auid=32870 uid=48 gid=0 euid=48 suid=48 fsuid=48 egid=0 sgid=0 fsgid=0
tty=(none) ses=4473 comm="LLAWP"
exe="/usr/local/opt/smwa-6qmr5-cr013-rhas30-x86-64/webagent/bin/LLAWP"
subj=user_u:system_r:httpd_t:s0 key=(null)
Now, running sealert tells me to set httpd_unified to 1. I've done this,
several times, and no joy, so obviously it is *not* the actual error.
I've also tried restorecon.
So, what's the actual error? I'm really tired of this, on more than one
server, cluttering my logs....
Thanks in advance.
mark
14 years, 5 months
Denial Msg - apache, mogrify, perl, cgi, postgres, setenforce delay
by Jonathan Hoover
Hello all,
One of our developers has a fairly simple script that uploads an image to a server, via a cgi perl script. The box is Fedora 11, all up to date. He is using the CGI and the File::Basename perl modules. He is also using mogrify from the ImageMagick package to change the width of the uploaded file, and save it as a thumbnail. This is called in perl via system("mogrify $args"). This seems to succeed, as the thumbnail file is created and valid. Finally, a record is added to a postgresql database.
What's puzzling is that with SELinux in permissive mode, all goes as expected, with the following messages logged. With it set to enforcing, though, we get an error from postgresql about more expressions than target columns, with what appears to be the filehandle to the image.
From /var/log/messages:
Nov 22 10:16:02 kilby setroubleshoot: SELinux is preventing mogrify (httpd_sys_script_t) "getsched" httpd_sys_script_t. For complete SELinux messages. run sealert -l 201e87d5-7250-4a96-a3ab-6b148b40f206
From /var/log/audit/audit.log, these two:
type=AVC msg=audit(1258906560.216:220051): avc: denied { getsched } for pid=31641 comm="mogrify" scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1258906560.216:220051): arch=40000003 syscall=242 success=no exit=-13 a0=7b99 a1=80 a2=bfe5a490 a3=80 items=0 ppid=31638 pid=31641 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=433 comm="mogrify" exe="/usr/bin/mogrify" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
From my apache.err.log, only when SELinux is set to enforcing:
[Sat Nov 21 17:08:27 2009] [error] [client 64.198.x.x] DBD::Pg::st execute failed: ERROR: INSERT has more expressions than target columns at /www/website/htdocs/modules//dbfunc.pl line 23, <fh00001testpicture.jpg> line 192., referer: http://64.198.x.x/add-listing.cgi
So, a few questions:
1. I notice a somewhat random delay of 10 to 30 minutes before the script works after a "setenforce 0". Likewise, it takes some amount of time after a "setenforce 1" before the script breaks. Is there supposed to be a delay? This makes troubleshooting very difficult, because you don't really know if it's enforcing yet or not. I noticed this message in /var/log/messages, and thought it might be related to the delay: Nov 22 09:57:33 kilby dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=1)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
2. What is the "getsched" action that mogrify is attempting?
3. Why the httpd_sys_script_t context?
4. Should the file upload and mogrify be creating files with a httpd_sys_content_rw_t context? The "rw" read/write part I was a little concerned by.
5. Any idea why this is throwing a postgres error? I would have expected the mogrify to not work given the error messages in /var/log/messages and /var/log/audit/audit.log - but that works just fine. Plus, the INSERT seems to be just fine actually, as I have the developer spitting that out in the page that is returned.
Thanks in advance,
Jon
14 years, 5 months
List of all alert types
by Zaina AFOULKI
Hello,
I'm quite new to using SELinux, I noticed that each alert in
/var/log/audit/audit.log starts with the type, examples :
type=USER_ROLE_CHANGE
type=USER_START
type=USER_AUTH
I'm trying to develop a graphical interface for SELinux alerts...
Is there a way I can get the list of all types ?
I searched for a while and couldn't find it, your help will be greatly
appreciated.
Thanks in advance,
--
Zaina AFOULKI
Student at the Ecole Nationale Supérieure d'Ingénieurs de Bourges.
First year, Security and Computer Technology (Sécurité et Technologies Informatiques)
14 years, 5 months
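The three posts above all come down to reading raw audit.log records by hand: the AVC record carries the denied permission and the source and target contexts, the SYSCALL record that shares the same msg=audit(timestamp:serial) id carries success= and exit=, and the type= field is what Zaina's interface would have to enumerate. The parser below is an added example, not code from any of the posters or from the audit tooling. It is fed the four records quoted in the first two posts (re-joined onto one line each) plus one constructed USER_AUTH record, groups records into events by serial, lists the distinct types seen (the log itself is not a complete list; the canonical AUDIT_* names are in the kernel's include/uapi/linux/audit.h), and reduces each AVC event to the facts you act on, including whether the kernel actually refused the call. The allow rule it derives is the same thing audit2allow would print; it is there to read the denial, not to load.

```python
import re
from collections import defaultdict

# Sample input. The AVC/SYSCALL pairs are the records quoted in the first two
# posts, re-joined onto one line each; the USER_AUTH record is constructed so
# the type listing has something other than denial records to show.
SAMPLE_LOG = """\
host=<hostname> type=AVC msg=audit(1259003353.282:46730): avc: denied { write } for pid=27369 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=46107891 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
host=<hostname> type=SYSCALL msg=audit(1259003353.282:46730): arch=c000003e syscall=1 per=400000 success=yes exit=124 a0=15 a1=2aaaab249000 a2=7c a3=7473657571655273 items=0 ppid=1 pid=27369 auid=32870 uid=48 gid=0 euid=48 suid=48 fsuid=48 egid=0 sgid=0 fsgid=0 tty=(none) ses=4473 comm="LLAWP" exe="/usr/local/opt/smwa-6qmr5-cr013-rhas30-x86-64/webagent/bin/LLAWP" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1258906560.216:220051): avc: denied { getsched } for pid=31641 comm="mogrify" scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1258906560.216:220051): arch=40000003 syscall=242 success=no exit=-13 a0=7b99 a1=80 a2=bfe5a490 a3=80 items=0 ppid=31638 pid=31641 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=433 comm="mogrify" exe="/usr/bin/mogrify" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
type=USER_AUTH msg=audit(1258906600.000:220052): pid=31700 uid=0 auid=0 ses=434 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:authentication acct="jon" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
"""

# Optional "host=..." prefix (added by some log shippers), then type= and the
# audit(timestamp:serial) event id that ties the records of one event together.
HEADER_RE = re.compile(
    r"^(?:host=\S+\s+)?type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value tokens; values may be double- or single-quoted and contain spaces.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# AVC-specific prefix: decision, the permission set in braces, then the fields.
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def parse_record(line):
    """Parse one audit.log line into a dict, or return None for non-audit lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    body = m.group("body")
    avc = AVC_RE.match(body)
    if avc:
        rec["decision"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
        body = avc.group(3)
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip("\"'")
    return rec


def group_events(text):
    """Group records by serial number: one event is one AVC plus its SYSCALL."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def record_types(text):
    """Distinct type= values present in this log (only what the log shows)."""
    return sorted({rec["type"] for rec in map(parse_record, text.splitlines()) if rec})


def context_type(ctx):
    """Third field of user:role:type[:level]."""
    return ctx.split(":")[2]


def summarize_denial(records):
    """Reduce one event to the facts you act on. success/exit come from the
    SYSCALL record: an enforced denial shows success=no and a negative errno
    (-13 is EACCES); in permissive mode the AVC is logged but the call goes
    through, so success=yes and exit is the call's normal return value."""
    avc = next((r for r in records if r["type"] == "AVC"), None)
    if avc is None:
        return None
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    return {
        "comm": avc.get("comm"),
        "exe": sc.get("exe") if sc else None,
        "perms": avc["perms"],
        "tclass": avc["tclass"],
        "source": context_type(avc["scontext"]),
        "target": context_type(avc["tcontext"]),
        "enforced": bool(sc) and sc.get("success") == "no",
        "exit": int(sc["exit"]) if sc and "exit" in sc else None,
    }


def allow_rule(summary):
    """The allow rule audit2allow would derive from this denial (target written
    as 'self' when source and target types are the same, as audit2allow does).
    Loading it unread is how over-broad modules get written."""
    perms = summary["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    target = "self" if summary["target"] == summary["source"] else summary["target"]
    return f"allow {summary['source']} {target}:{summary['tclass']} {perm_str};"


if __name__ == "__main__":
    print("types seen:", ", ".join(record_types(SAMPLE_LOG)))
    for serial, recs in sorted(group_events(SAMPLE_LOG).items()):
        s = summarize_denial(recs)
        if s:
            state = "ENFORCED" if s["enforced"] else "permissive (call succeeded)"
            print(f"{serial}: {s['comm']} {s['perms']} {s['source']} -> "
                  f"{s['target']}:{s['tclass']} [{state}]  {allow_rule(s)}")
```

Run against a real /var/log/audit/audit.log (root-readable) the same functions work unchanged; the enforced flag is the quickest way to tell, per event, whether a denial you are looking at was only logged or actually blocked the process.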
Selinux + qemu + lvm issues
by Michael Schenck
I'm running CentOS 5.4 and am trying to allow qemu to use LVM LV's for
storage. I created this file from audit2allow:
module kvm 1.0;

require {
	type qemu_t;
	type fixed_disk_device_t;
	class blk_file read;
	class blk_file getattr;
}

allow qemu_t fixed_disk_device_t:blk_file { read getattr };
I use this script to load it:
#!/bin/sh
# Puppet Template
# Serial: 2008120401
# Stop at the first failing step so a failed build or load does not
# silently fall through to the cleanup below.
set -e
SE_LOCAL=/etc/selinux/local
# Compile the type-enforcement source into a binary module, wrap it in a
# policy package, load it, then remove the intermediate files.
/usr/bin/checkmodule -M -m -o "${SE_LOCAL}/kvm.mod" "${SE_LOCAL}/kvm.te"
/usr/bin/semodule_package -o "${SE_LOCAL}/kvm.pp" -m "${SE_LOCAL}/kvm.mod"
/usr/sbin/semodule -i "${SE_LOCAL}/kvm.pp"
/bin/rm -f "${SE_LOCAL}/kvm.mod" "${SE_LOCAL}/kvm.pp"
When I try to load it, it fails with the following error:
[root@HostKVM2:/etc/selinux/local]# ./kvm-setup.sh
/usr/bin/checkmodule: loading policy configuration from /etc/selinux/local/kvm.te
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to /etc/selinux/local/kvm.mod
libsepol.check_assertion_helper: assertion on line 0 violated by allow qemu_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule: Failed!
Can someone tell me what I'm doing wrong?
Best regards,
Michael Schenck
--
Michael Schenck - Senior Systems Administrator - LimeWire LLC
Phone: 212-775-3046
E-mail: mschenck(a)limewire.com
14 years, 5 months
BZ 533427
by Gene Czarcinski
https://bugzilla.redhat.com/show_bug.cgi?id=533427 was first reported 6 November, and on 6 November you reported that the problem was fixed in selinux-policy-3.6.32-42.fc12.noarch.
WHERE IS selinux-policy-3.6.32-42.fc12.noarch ????
Today is 17 November. This update (or a later/more-recent version) has not
appeared in either updates or updates-testing for F12.
This impacts the abrt package's ability to report meaningful bugs!
Gene
14 years, 5 months
equivalent contexts in f12 - has the command changed?
by mike cloaked
I just tried to do
semanage fcontext -a -e /home /opt/Local/home
but it failed saying:
-e not valid for fcontext objects
Can't create lock file '/var/cache/abrt/pyhook-1258493827-2356.lock':
Permission denied
Traceback (most recent call last):
File "/usr/sbin/semanage", line 501, in <module>
process_args(sys.argv[1:])
File "/usr/sbin/semanage", line 392, in process_args
OBJECT.add_equal(target, equal)
AttributeError: fcontextRecords instance has no attribute 'add_equal'
Has this command become obsolete in f12? If so, what is the equivalent that I
should use? It used to work fine in f11.
--
View this message in context: http://old.nabble.com/equivalent-contexts-in-f12---has-the-command-change...
Sent from the Fedora SELinux List mailing list archive at Nabble.com.
14 years, 5 months
file contexts labelling - possible bug?
by Matthew Ife
This might just be me being daft in some sense but I have come across
the following situation and was hoping someone could shed light on it.
Part of setting up kerberos involves creating a principal database with
the kdb5_util command.
When you set up the database (typically as unconfined_t on a default
installation) it puts various files in
/var/kerberos/krb5kdc
which include the principal database itself and various controls such
as a lock file.
This folder gets the context krb5kdc_conf_t and a few file contexts
exist in the fcontext database to manage the additional creation of
files inside, one of which is the principal.ok file, which is used as a
lock file.
When creating the lock file with the command above it should get the
label (according to fcontexts) of krb5kdc_lock_t as a regex exists such
as:
/var/kerberos/krb5kdc/principal.*\.ok system_u:object_r:krb5kdc_lock_t
But, the file gets the parent directory context of conf_t. Likewise,
removing the lock file manually and touching the file again also
demonstrates the same behavior. If you then run restorecon/fixfiles on
the directory it will correctly reset the file to the right location.
I've checked with strace to see if something strange happens (if the
principal.ok file gets created as a temp name then moved) but there is
no such behaviour. Thus I'm stuck in understanding what's going on. Why
does default filesystem labelling give the file conf_t and restorecon
give it the (correct) lock_t?
14 years, 5 months
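The two labelling paths the post above is comparing, as an added simulation (not code from the poster or from SELinux itself). At create time the kernel has no notion of the file's path: it takes the new type from a type_transition rule keyed on the creating domain, the parent directory's type and the object class, and if no rule matches it inherits the parent directory's type. The regexes in file_contexts are consulted only by restorecon, setfiles and matchpathcon, which match the whole path and, in libselinux, check the entries in reverse order so the last matching entry wins. The file_contexts table and the single type_transition rule below are assumed for the simulation; the principal.*\.ok entry is the one quoted in the post, the directory entry is assumed to be what gives the parent its krb5kdc_conf_t label, and the httpd_t/tmp_t transition is only there to show what a matching rule does.

```python
import re

# Assumed policy fragments for the simulation (not the installed policy).
# Second entry: the file_contexts line quoted in the post. First entry: the
# directory's own entry, assumed to be what labels the parent krb5kdc_conf_t.
FILE_CONTEXTS = [
    (r"/var/kerberos/krb5kdc(/.*)?", "system_u:object_r:krb5kdc_conf_t"),
    (r"/var/kerberos/krb5kdc/principal.*\.ok", "system_u:object_r:krb5kdc_lock_t"),
]

# type_transition rules: (creating domain, parent dir type, class) -> new type.
# Illustrative entry in the shape refpolicy's *_filetrans interfaces produce;
# note that nothing here covers unconfined_t creating a file in krb5kdc_conf_t.
TYPE_TRANSITIONS = {
    ("httpd_t", "tmp_t", "file"): "httpd_tmp_t",
}


def context_type(ctx):
    """Third field of user:role:type[:level]."""
    return ctx.split(":")[2]


def kernel_label_new_file(creator_ctx, parent_ctx, obj_class, transitions=TYPE_TRANSITIONS):
    """Label assigned by the kernel at create time. file_contexts is never
    consulted here: the user comes from the creating process, the role is
    object_r, the type is the type_transition result if a rule matches and
    otherwise the parent directory's type, the level is the creator's."""
    user, _role, creator_type, level = creator_ctx.split(":", 3)
    parent_type = context_type(parent_ctx)
    new_type = transitions.get((creator_type, parent_type, obj_class), parent_type)
    return f"{user}:object_r:{new_type}:{level}"


def restorecon_label(path, file_contexts=FILE_CONTEXTS):
    """Label restorecon/setfiles would apply: each regex is matched against the
    whole path, and entries are checked in reverse order so the last matching
    (later, more specific) entry wins. None means no entry covers the path."""
    for regex, ctx in reversed(file_contexts):
        if re.fullmatch(regex, path):
            return ctx
    return None


def creation_vs_restorecon(path, creator_ctx, parent_ctx, obj_class="file"):
    """Return (label at creation, label after restorecon, relabel needed).
    The two disagree exactly when file_contexts has a specific entry for the
    path but the policy has no type_transition for this creator/parent pair."""
    created = kernel_label_new_file(creator_ctx, parent_ctx, obj_class)
    restored = restorecon_label(path)
    needs_relabel = restored is not None and context_type(created) != context_type(restored)
    return created, restored, needs_relabel


if __name__ == "__main__":
    # The post's scenario: kdb5_util run from unconfined_t creating the lock
    # file in a directory labelled krb5kdc_conf_t.
    path = "/var/kerberos/krb5kdc/principal.ok"
    created, restored, relabel = creation_vs_restorecon(
        path, "unconfined_u:unconfined_r:unconfined_t:s0", "system_u:object_r:krb5kdc_conf_t:s0"
    )
    print(f"{path}\n  at creation : {created}\n  restorecon  : {restored}\n  relabel needed: {relabel}")
```

The practical consequence for a policy writer: a file_contexts entry alone only describes what restorecon should produce; if a confined domain is expected to create the file with that type, the policy also needs a matching type_transition (a filetrans rule), otherwise the file carries the directory's type until something relabels it.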
idea: customizable_types.local
by Dominick Grift
Now we have restorecond -u running and it can be a pain, especially for
people that write their own custom modules.
For example, I have a backup script that can write anywhere in
user_home_t, be it ~ or ~/Downloads.
It writes the backups with a special type, but restorecond -u resets it
to user_home_t even before it's finished writing ;)
This is where customizable_types comes in. It can be used to add the type to it
so that restorecond -u doesn't try to reset it.
That's cool, but what if you update your selinux policy? Will
customizable_types be overwritten? Maybe it would be good to have a
customizable_types.local so that you can add your customizable types
there and not have to worry about policy updates or restorecond -u.
What do you think about this idea?
14 years, 5 months
semodule: Failed!
by John Oliver
[root@mda-services4 ~]# grep nagios /var/log/audit/audit.log | audit2allow
#============= nagios_t ==============
allow nagios_t var_t:dir read;
[root@mda-services4 ~]# grep nagios /var/log/audit/audit.log | audit2allow -M nagios
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i nagios.pp
[root@mda-services4 ~]# semodule -i nagios.pp
libsepol.print_missing_requirements: nagios's global requirements were
not met: type/attribute nagios_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
What on Earth does that mean???
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
14 years, 5 months
Oopps, sealert hit an error! :(
by Antonio Olivares
I see the following
Opps, sealert hit an error!
Traceback (most recent call last):
File "/usr/bin/sealert", line 970, in <module>
run_as_dbus_service(username)
File "/usr/bin/sealert", line 97, in run_as_dbus_service
app = SEAlert(user, dbus_service.presentation_manager, watch_setroubleshootd=True)
File "/usr/bin/sealert", line 616, in __init__
self.browser = BrowserApplet(self.username, self.alert_client)
File "/usr/lib/python2.6/site-packages/setroubleshoot/browser.py", line 404, in __init__
self.check_policy()
File "/usr/lib/python2.6/site-packages/setroubleshoot/browser.py", line 448, in check_policy
pl = yb.doPackageLists(patterns=['selinux-policy'])
File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 1759, in doPackageLists
avail = self.pkgSack.returnNewestByNameArch(patterns=patterns,
File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 720, in <lambda>
pkgSack = property(fget=lambda self: self._getSacks(),
File "/usr/lib/python2.6/site-packages/yum/__init__.py", line 549, in _getSacks
self.repos.populateSack(which=repos)
File "/usr/lib/python2.6/site-packages/yum/repos.py", line 277, in populateSack
sack.populate(repo, mdtype, callback, cacheonly)
File "/usr/lib/python2.6/site-packages/yum/yumRepo.py", line 187, in populate
dobj = repo_cache_function(xml, csum)
File "/usr/lib/python2.6/site-packages/sqlitecachec.py", line 46, in getPrimary
self.repoid))
TypeError: Can not open SQL database: unable to open database file
Thanks,
Antonio
14 years, 5 months