selinux February 2009

selinux@lists.fedoraproject.org

43 participants
57 discussions

selinux issue
by John Oliver 10 Feb '09

10 Feb '09

I know jack-diddly about selinux. Up until now, I've simply disabled it each time I ran into a headache like this. I'm having this issue on a RHEL5.3 machine. The problem does not show up on several existing RHEL5.2 machines... I don't know if that's because my predecessor knew the magic recipe, or because of a some difference between 5.2 and 5.3 [root@localhost ~]# service httpd start Starting httpd: httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot enable executable stack as shared object requires: Permission denied [FAILED] [root@localhost ~]# tail -2 /var/log/messages Feb 9 12:59:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l d41f81b1-555f-4992-be21-4e4ac141f620 Feb 9 13:03:10 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 072e94cc-778b-44a7-b407-ea6616385489 [root@localhost ~]# sealert -l 072e94cc-778b-44a7-b407-ea6616385489 Summary: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). Detailed Description: SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context root:system_r:httpd_t Target Context root:system_r:httpd_t Target Objects None [ process ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host localhost.localdomain Source RPM Packages httpd-2.2.3-22.el5 Target RPM Packages Policy RPM selinux-policy-2.4.6-203.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686 Alert Count 1 First Seen Mon Feb 9 13:03:09 2009 Last Seen Mon Feb 9 13:03:09 2009 Local ID 072e94cc-778b-44a7-b407-ea6616385489 Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31): arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null) How do I make this particular module work? If I do an "ls -Z" on /etc/httpd/modules/ it has the same permissions as every other module... -rwxr-xr-x root root system_ubject_r:httpd_modules_t mod_vhost_alias.so -rwxr-xr-x root root system_ubject_r:httpd_modules_t vcapache.so -- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * ***********************************************************************

3 4

vsftpd using mysql
by Maria Iano 10 Feb '09

10 Feb '09

My vsftpd server needs to talk to my mysql server, and is being denied. Before I use audit2allow to make special rules I wanted to ask whether there is a boolean out there that I am missing. Here is what audit2allow gives me: allow ftpd_t mysqld_db_t:dir search; allow ftpd_t mysqld_t:unix_stream_socket connectto; allow ftpd_t mysqld_var_run_t:sock_file write; I notice there is a boolean for httpd to talk to mysql, which makes me think there might be one for vsftpd. Does anyone know if such a one exists? Thanks, Maria

5 12

awstats AVC denial
by Vadym Chepkov 10 Feb '09

10 Feb '09

Hi, I can't figure out why do I get denies in my Redhat installation. This is what I have: selinux-policy-targeted-2.4.6-203.el5 httpd_enable_cgi --> on httpd_unified --> off system_u:object_r:httpd_sys_content_t:s0 /var/www/awstats system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/awstats/awstats.pl system_u:object_r:httpd_sys_content_t:s0 /var/www/awstats/awstats022009.txt And this is what I get: type=AVC msg=audit(1234014919.167:40376): avc: denied { read } for pid=32656 comm="awstats.pl" name="awstats" dev=sda1 ino=704533 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir type=AVC msg=audit(1234014919.167:40377): avc: denied { getattr } for pid=32656 comm="awstats.pl" path="/var/www/awstats/awstats022009.txt" dev=sda1 ino=706623 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file The question is, why? Thank you. Sincerely yours, Vadym Chepkov

3 11

Help with squid / squidGuard
by Arthur Dent 10 Feb '09

10 Feb '09

Hello all, Still on my mission to clean up any unnecessary local policies I might have mistakenly created I have now turned my attention to my squid web proxy. I have a nightly script which downloads updated blacklists to be fed to squidGuard. They are held in a variety of directories under /var/squidGuard/blacklists/ and without my local policy I get avcs when something tries to access one of these blacklist databases. The proposed remedy of: restorecon -v '/var/squidGuard/blacklists/blacklists/porn/domains.db' made no difference. When I do a ls -laZ on these directories I get a mizture of: squid squid system_u:object_r:var_t:s0 and squid squid unconfined_u:object_r:var_t:s0 Which should it be? Should I build a chcon statement into the download script? Audit2why said that the denial was caused by a "Missing type enforcement (TE) allow rule." and audit2allow produced this (which is the same as I had in my local policy): require { type squid_t; } #============= squid_t ============== files_rw_var_files(squid_t) Should I just stick with my local policy, or fix something else? Thanks Mark p.s. Happy to post the whole avc(s) if required...

3 12

Re: on machine with CPU -> 100%, lots of avc's
by Antonio Olivares 10 Feb '09

10 Feb '09

--- On Wed, 2/4/09, Christopher Beland <beland(a)alum.mit.edu> wrote: > From: Christopher Beland <beland(a)alum.mit.edu> > Subject: Re: on machine with CPU -> 100%, lots of avc's > To: olivares14031(a)yahoo.com > Cc: "For testers of Fedora Core development releases" <fedora-test-list(a)redhat.com> > Date: Wednesday, February 4, 2009, 7:45 PM > Try (as root): > > service auditd restart > > and see if auditd returns OK or FAIL? It might spit out > some errors, or > put something in /var/log/messages. If it complains about > the log not > being writable by owner, then "chmod u+w > /var/log/audit/*" is what > fixed it for me. > > It could also be an SELinux problem, but only if you have > SELINUX=enforcing in /etc/selinux/config. On my test > machine, I > generally set SELINUX=permissive there so I see avc > denials, but > everything continues working even if there is an SELinux > misconfiguration. > > > Disable SELinux and AVCs will be gone. Forever. > > I agree SELinux can be quite frustrating once you start > customizing > services, and I have been known to turn it off entirely for > that reason. > But for testing purpose, it's extremely useful to have > people like us > stumble across avc denials so the general public > doesn't have to, and > they can enjoy the security benefits. > > -B. Thank you for your help, I am now seeing setroubleshooter kick in :) [olivares@localhost ~]$ su - Password: [root@localhost ~]# service auditd restart Stopping auditd: [FAILED] Starting auditd: [FAILED] [root@localhost ~]# tail -f /var/log/messages Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:5): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket Feb 5 11:00:39 localhost kernel: type=1400 audit(1233853239.594:6): avc: denied { read write } for pid=3871 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:7): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.081:8): avc: denied { read write } for pid=3881 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:9): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.122:10): avc: denied { read write } for pid=3885 comm="auditd" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket Feb 5 11:00:40 localhost auditd: audit log is not writable by owner Feb 5 11:00:40 localhost auditd: The audit daemon is exiting. Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:11): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket Feb 5 11:00:40 localhost kernel: type=1400 audit(1233853240.159:12): avc: denied { read write } for pid=3887 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket ^C [root@localhost ~]# chmod u+w /var/log/audit/* You have new mail in /var/spool/mail/root [root@localhost ~]# service auditd restart Stopping auditd: [FAILED] Starting auditd: [ OK ] [root@localhost ~]# service auditd status auditd (pid 3930) is running... [root@localhost ~]# Now I get to see the alerts: Summary: SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t. Detailed Description: SELinux denied access requested by consoletype. It is not expected that this access is required by consoletype and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:system_r:consoletype_t Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Objects socket [ unix_stream_socket ] Source consoletype Source Path /sbin/consoletype Port <Unknown> Host localhost Source RPM Packages initscripts-8.89-1 Target RPM Packages Policy RPM selinux-policy-3.6.4-2.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name localhost Platform Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1 SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon Alert Count 2 First Seen Thu 05 Feb 2009 11:02:08 AM CST Last Seen Thu 05 Feb 2009 11:02:08 AM CST Local ID f1514423-f554-4573-bbbc-be7e2ea49653 Line Numbers Raw Audit Messages node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost type=AVC msg=audit(1233853328.116:21): avc: denied { read write } for pid=3961 comm="consoletype" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost type=SYSCALL msg=audit(1233853328.116:21): arch=40000003 syscall=11 success=yes exit=0 a0=8401580 a1=84015e0 a2=84012e8 a3=84015e0 items=0 ppid=3960 pid=3961 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null) Summary: SELinux is preventing auditctl (auditctl_t) "read write" unconfined_t. Detailed Description: SELinux denied access requested by auditctl. It is not expected that this access is required by auditctl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:system_r:auditctl_t Target Context unconfined_u:unconfined_r:unconfined_t:SystemLow- SystemHigh Target Objects socket [ unix_stream_socket ] Source auditctl Source Path /sbin/auditctl Port <Unknown> Host localhost Source RPM Packages audit-1.7.11-2.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.4-2.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name localhost Platform Linux localhost 2.6.29-0.78.rc3.git5.fc11.i686 #1 SMP Tue Feb 3 16:45:12 EST 2009 i686 athlon Alert Count 2 First Seen Thu 05 Feb 2009 11:01:56 AM CST Last Seen Thu 05 Feb 2009 11:01:56 AM CST Local ID 57e3c37f-6698-456e-9d2f-86ad2b68220a Line Numbers Raw Audit Messages node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost type=AVC msg=audit(1233853316.292:19): avc: denied { read write } for pid=3936 comm="auditctl" path="socket:[12370]" dev=sockfs ino=12370 scontext=unconfined_u:system_r:auditctl_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket node=localhost type=SYSCALL msg=audit(1233853316.292:19): arch=40000003 syscall=11 success=yes exit=0 a0=83a4c40 a1=83a4e38 a2=83a8350 a3=83a4e38 items=0 ppid=3913 pid=3936 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="auditctl" exe="/sbin/auditctl" subj=unconfined_u:system_r:auditctl_t:s0 key=(null) I will now check my other two machines to see if auditd is running or not and apply the same fix. Thank you for helping out again with this problem. Regards, Antonio

2 2

denying group of users from r/w/x files
by Ali Hamad 10 Feb '09

10 Feb '09

Hello : I really do not know how to do this, but I really need it. Here is what I want to do : remove all the Selinux rules ( targeted ) since I really do not need them. I only need selinux to do only the following : a) create a rule for file that can not be accessed from known group of users. i.e group A can not read/write/execute this file. However, the file permission is 666 and that file permission can not be changed. b) directory that has permission of 777. However, group A of users can not write/read/execute it. Here is what I came up with : /usr/sbin/semanage fcontext -a -t ?? /var/file.txt I did not know what type I should put in there. would you please guide me how to achieve my goal ? Any suggestion is highly appreciated. Ali.

3 2

Fedora 9 can't use apache's mod_auth_shadow
by Kevin White 10 Feb '09

10 Feb '09

I'm trying to set an out-of-the-box httpd to use mod_auth_shadow to authenticate users. Selinux won't let me. mod_auth_shadow runs /usr/sbin/validate (which is chrooted) to actually check against /etc/shadow: [root@localhost selinux]# ls -lrtZ /usr/sbin/validate -rwsr-xr-x root root system_u:object_r:chkpwd_exec_t:s0 /usr/sbin/validate Validate appears to be labeled correctly, so, apparently the problem is that httpd can't make the domain transistion. I really don't know how to allow it to. I'd like to. Help! Thanks, Kevin selinux-policy-devel-3.3.1-118.fc9.noarch selinux-policy-3.3.1-118.fc9.noarch selinux-policy-targeted-3.3.1-118.fc9.noarch httpd-2.2.9-1.fc9.i386 mod_auth_shadow-2.2-4.fc9.i386

3 5

[ANN]SELinux tool : segatex-7.20 released
by Shintaro Fujiwara 09 Feb '09

09 Feb '09

Hi, I released segatex-7.20 which had been written using qt4 classes. Because Fedora10's default qt version is 4, I ported code for it. http://sourceforge.net/projects/segatex/ ###########segatex###################################################################### You can setenforce 0 or 1 by pushing button. Any action will set statusBar label anew. You can see status pushing state menu, too. Yum install/update SELinux related RPMs, including seedit. Options are not yet implied. You can audit2allow. It's a combination of audit2allow -m local -i logname -o filename.te with other options, -l -R -v -e, and you can rename module name changing local to whatever you want. You can see denied audit.log. You can generate interface macroed policy (require brace not included yet). You can semodule -l -i -u -r. Of course you can make new module. You can install,update,remove modules. All you have to do is just pushing button. You can semanage -l. It's "boolean login user port interface fcontext translation". But it's different order.Login and user comes first. You can semanage login -a -m -d. You can semanage fcontext -a -m -d. You can semanage port -a -m -d. You can semanage translation -a -m -d. You can setsebool [-P] boolean value You can generate brand-new policy module. You can aureport. You can ausearch. You can add/delete Linux user. You can grep process. You can relabel the whole system. You can restorcon the whole directory wherever you want. You can ftp download. ########segatex_editor################################################################## Push break .te button. You will see raw .te files in raw_te_files/layer directory. ########################## Push break .if button. You will see raw .if files in raw_if_files/layer directory. But interfaces which reside inside itselves are stay as is. Refer those already broken in the file. -- http://intrajp.no-ip.com/ Home Page

1 0

Re: system_u
by Konrad Azzopardi 09 Feb '09

09 Feb '09

Dear all Is there any reason why by default system_u in Fedora 10 is not allowed to have system_r role ? Tnx Konrad

3 3

Re: selinux-polgengui
by Konrad Azzopardi 09 Feb '09

09 Feb '09

Hi all, I am experiencing a problem in selinux-polgengui. I have policycoreutils-gui-2.0.57-14.fc10.i386 installed and I am using selinux-policy-targeted-3.5.13-41.fc10.noarch While generating a policy, the GUI is erraneously (in my opinion) using the init_script_domtrans_spec() macro that seemed to exist in init.if in previous policy but not anymore. Tnx Konrad

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux February 2009