Re: semodule
by Vadym Chepkov
--- On Tue, 5/26/09, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> Do you have a file in
> /etc/selinux/targeted/contexts/users/unconfined_u
>
-rw-r--r-- 1 root root 578 2009-05-07 07:30 /etc/selinux/targeted/contexts/users/unconfined_u
14 years, 11 months
Re: semodule
by Vadym Chepkov
I made sure all labels are correct via 'fixfiles check'.
restarted sshd via 'service sshd restart'
$ ps -efZ|grep sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh root 30757 1 0 15:39 ? 00:00:00 /usr/sbin/sshd
system_u:system_r:sshd_t:SystemLow-SystemHigh root 30765 30757 0 15:39 ? 00:00:00 sshd: vvc [priv]
system_u:system_r:sshd_t:SystemLow-SystemHigh vvc 30769 30765 0 15:39 ? 00:00:00 sshd: vvc@pts/0
system_u:system_r:unconfined_t:SystemLow-SystemHigh vvc 30806 30770 0 15:39 pts/0 00:00:00
[vvc@pegasus ~]$ id -Z
system_u:system_r:unconfined_t:SystemLow-SystemHigh
Sincerely yours,
Vadym Chepkov
14 years, 11 months
Re: semodule
by Vadym Chepkov
> Yes execute
>
> semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
> semanage login -m -s unconfined_u -r s0-s0:c0.c1023 root
>
> You might have to add the unconfined_u user
>
> # semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
>
> Upgrade from F8-F10 did not work properly.
Ok
# semanage login -l
Login Name    SELinux User    MLS/MCS Range
__default__   unconfined_u    SystemLow-SystemHigh
root          unconfined_u    SystemLow-SystemHigh
system_u      system_u        SystemLow-SystemHigh
# semanage user -l|grep unconfined_u
unconfined_u user s0 SystemLow-SystemHigh system_r unconfined_r
But, when I login, I still have
id -Z
system_u:system_r:unconfined_t:SystemLow-SystemHigh
Do I have to reboot??
14 years, 11 months
Re: semodule
by Vadym Chepkov
> Ok While you are there please do
>
> ls -lZ `tty`
>
ls -lZ `tty`
crw--w---- vvc tty system_u:object_r:sshd_devpts_t /dev/pts/1
> What OS Version are you using?
>
It's Fedora 10, but it was brought to this level by a series of yum upgrades since Fedora 5. I probably found why I am having this problem.
This is the system that has the issue:
semanage login -l
Login Name    SELinux User    MLS/MCS Range
__default__   user_u          s0
root          root            s0-s0:c0.c1023
system_u      system_u        s0-s0:c0.c1023
This is Fedora 10 installed from DVD
semanage login -l
Login Name    SELinux User    MLS/MCS Range
__default__   unconfined_u    s0-s0:c0.c1023
root          unconfined_u    s0-s0:c0.c1023
system_u      system_u        s0-s0:c0.c1023
I guess somewhere along the way login entries were not upgraded properly. I will try to change this first and see if it will solve the problem.
Thank you,
Vadym
14 years, 11 months
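As an added example that is not part of the original thread (and not a Fedora or Red Hat tool), here is a small POSIX shell script that checks for the two symptoms discussed above: a `semanage login -l` listing in which logins are still mapped to user_u/root instead of unconfined_u with the full s0-s0:c0.c1023 range (the mismatch Vadym found between the upgraded box and the DVD install), and an `id -Z` that still shows system_u:system_r after the remap. For any login that does not match it prints the `semanage login -m` command from Dan Walsh's reply. The sample listing is constructed, the function names are my own, and the expectation that a correct unconfined_u mapping yields a shell context beginning unconfined_u:unconfined_r is the targeted-policy default, not something the thread states explicitly.

```shell
#!/bin/sh
# Added example, not code from the thread: check a `semanage login -l`
# listing and an `id -Z` context against the values Dan Walsh's reply
# expects (every login mapped to unconfined_u with range s0-s0:c0.c1023,
# shown as SystemLow-SystemHigh when mcstransd is running) and print the
# remap commands from the thread for any login that does not match.

# Constructed sample, modeled on the upgraded box in the thread (not a
# capture from the original poster's system).
SAMPLE_LOGIN_LIST='Login Name SELinux User MLS/MCS Range
__default__ user_u s0
root root s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023'

# find_bad_logins: read a `semanage login -l` listing on stdin, skip the
# header and the system_u entry, and print the name of every login whose
# SELinux user is not unconfined_u or whose range is neither the raw nor
# the translated form of s0-s0:c0.c1023.
find_bad_logins() {
    awk 'NF >= 3 && $1 != "Login" && $1 != "system_u" {
             if ($2 != "unconfined_u" ||
                 ($3 != "s0-s0:c0.c1023" && $3 != "SystemLow-SystemHigh"))
                 print $1
         }'
}

# repair_commands: for each login name on stdin, print the remap command
# given in the thread. Pipe the output to sh only after reviewing it.
repair_commands() {
    while read -r login; do
        printf 'semanage login -m -s unconfined_u -r s0-s0:c0.c1023 %s\n' "$login"
    done
}

# shell_context_ok: succeed if an `id -Z` string has SELinux user
# unconfined_u and role unconfined_r, which is what an unconfined_u login
# mapping yields on the targeted policy (assumption stated in the lead-in).
# The thread's system_u:system_r:unconfined_t:... context fails this check.
shell_context_ok() {
    case "$1" in
        unconfined_u:unconfined_r:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed sample.
bad=$(printf '%s\n' "$SAMPLE_LOGIN_LIST" | find_bad_logins)
if [ -n "$bad" ]; then
    echo "logins needing a remap:"
    printf '%s\n' "$bad" | repair_commands
fi
if shell_context_ok "system_u:system_r:unconfined_t:SystemLow-SystemHigh"; then
    echo "shell context ok"
else
    echo "shell context still system_u: log out and back in after remapping"
fi
```

On a real machine, source the script and run `semanage login -l | find_bad_logins | repair_commands` as root; the remap only affects new logins, so check `id -Z` from a fresh ssh session rather than the one that ran semanage.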
Re: semodule
by Vadym Chepkov
I ssh to the host, sudo to root and issue the semodule -i local.pp command
id -Z
system_u:system_r:unconfined_t:SystemLow-SystemHigh
Sincerely yours,
Vadym Chepkov
--- On Tue, 5/26/09, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> Setroubleshoot is mistaken. Are you ssh into a box
> and the running
> load_policy or are you running ssh remotehost load_policy?
>
> If you ssh into a box and execute id -Z what does it show?
>
14 years, 11 months
semodule
by Vadym Chepkov
Hello,
I have this AVC denial when I try to load my local policy module:
time->Sun May 24 08:31:57 2009
type=SYSCALL msg=audit(1243168317.542:724332): arch=40000003 syscall=11 success=yes exit=0 a0=1056700 a1=1563f60 a2=0 a3=0 items=0 ppid=17011 pid=17266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1243168317.542:724332): avc: denied { read write } for pid=17266 comm="load_policy" name="1" dev=devpts ino=3 scontext=system_u:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sshd_devpts_t:s0 tclass=chr_file
SETroubleshoot suggests setsebool -P allow_daemons_use_tty=1, but I have it on already. What gives? Thank you.
selinux-policy-targeted-3.5.13-59.fc10.noarch
Sincerely yours,
Vadym Chepkov
14 years, 11 months
Why can not user_t link var_lib_t files?
by Göran Uddeborg
Is there some reason user_t is denied to link a file with type
var_lib_t (among others)? Or did it just happen that way? I don't
see any security advantage.
(It doesn't matter for the question, but I suspect somebody will ask
why I want this. The particular use case where we were hit by this is
non-standard. We have a digital TV receiver box that saves recordings
via NFS under /var/lib/TV on a server. A user wanted to edit out the
commercials from one recording using the m2vmp2cut tool. The tool is
most easy to use when the original recording is in the working
directory. She could copy the file from /var/lib/TV/... to her home
directory, but to save a lot of time and space she tried to make a
(hard) link instead. SELinux denied her that. Obviously
non-standard, and the regular policy doesn't know anything about these
files. And I know various ways to work around it, including adding a
module. But I was a bit surprised over the denial. I would have
expected user_t to be allowed to do this. Thus my question, is this
by design or by mistake?)
14 years, 11 months
selinux and sctp
by Nigel Rumens
Hi,
Does selinux understand sctp?
When I run (for example)
sctp_darn -H 0 -P 9876 -l
It results in an avc denial message which tells me the target object is
of type None[rawip_socket]
Also semanage port -l shows only udp and tcp
Machine tested on was F11 (fully updated) - I also tried it F10 with the
same results
Thanks
wooky
14 years, 11 months
Selinux, Fail2ban problems
by Jim
FC10/KDE
Has anyone run across this problem while running fail2ban-0.8.3-18.fc10.noarch?
There are two Red Hat bug reports on this same problem and they seem to think it's fixed, but it isn't.
Bug #499674
Bug #491444
14 years, 11 months