Fw: had no X on rawhide, got X submitted bunch of reports due to selinux denials
by Antonio Olivares
--- On Thu, 6/25/09, Antonio Olivares <olivares14031(a)yahoo.com> wrote:
> From: Antonio Olivares <olivares14031(a)yahoo.com>
> Subject: had no X on rawhide, got X submitted bunch of reports due to selinux denials
> To: fedora-test-list(a)redhat.com
> Cc: fedora-selinux-list(a)redhat.com, olivares14031(a)yahoo.com
> Date: Thursday, June 25, 2009, 1:45 PM
> Dear fellow testers and selinux experts,
>
> On rawhide, on my last day at work for the summer, I got to report a
> great deal of bug reports on selinux complaints; I have
> gotten the mails separately. I had no X for a good part
> of last week and this week. I got updated and finally
> got X, but the new kernel could not install because
>
> grubby fatal error: unable to find a suitable
> template
>
> only the -24 kernel boots; the -28.rc12.fc12 kernel does not
> even get created because of the above error. Also, a great
> deal of selinux denials (avcs are shown in the attachment, which I hope
> goes through). Also one/two/several kernel oopses are
> here also.
>
> This might be the last chance to send these bugs; I will not get
> back to rawhide till mid to late August when I come back to
> work. So I will send what I can and I hope it is not
> in vain.
>
> Regards,
>
> Antonio
>
>
>
The text file was very big :(, so I uploaded it to a website in case you want to see the kernel oops and stuff that happened. Since I could not get X, I logged in via runlevel 3 and used enforcing=0, since I got a great bunch of selinux denials, something with /var/tmp/rpm??? or something like that. The file is here:
http://www.geocities.com/olivares14031/session.html
Hope it helps in some way; otherwise I'll be back in August. I'll receive mail, but probably can't do much unless I get internet from somewhere else; then I can get back and reply when needed.
Regards,
Antonio
14 years, 10 months
Fail2Ban
by Arthur Dent
Hello all,
Following a spate of unsuccessful but irritating attempts to brute-force my
home Fedora 9 server I decided to install fail2ban (using yum).
Starting it up gave me several AVCs of two types. One example of each type is
pasted below.
Running audit2allow gave me the following policy. I have implemented the
policy, and it works, but should it be necessary? I have googled a bit and
found a couple of old bug reports but I'm not sure they're relevant and I
think they have been incorporated into more recent policies anyway...
policy_module(myfail2ban, 9.1.0)
require {
type iptables_t;
type system_mail_t;
type fail2ban_t;
class unix_stream_socket { read write };
}
#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_stream_socket { read write };
#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_stream_socket { read write };
Does that look OK? Is there a bool I could have set?
Thanks for your help...
Mark
2 x AVCs
========
From SELinux_Troubleshoot(a)mydomain.com Thu Jun 25 19:19:30 2009
Subject: [SELinux AVC Alert] SELinux is preventing iptables (iptables_t) "read write" fail2ban_t.
From: SELinux_Troubleshoot(a)mydomain.com
To: root(a)mydomain.com
Date: Thu, 25 Jun 2009 18:19:30 -0000
Summary:
SELinux is preventing iptables (iptables_t) "read write" fail2ban_t.
Detailed Description:
SELinux denied access requested by iptables. It is not expected that this access
is required by iptables and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:iptables_t:s0
Target Context unconfined_u:system_r:fail2ban_t:s0
Target Objects socket [ unix_stream_socket ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host mydomain.com
Source RPM Packages iptables-1.4.1.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-133.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name mydomain.com
Platform Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP
Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count 9
First Seen Tue Jun 23 14:12:58 2009
Last Seen Thu Jun 25 19:19:20 2009
Local ID 8291512a-d501-4af1-9e24-25d2052bf649
Line Numbers
Raw Audit Messages
node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[22072]" dev=sockfs ino=22072 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=SYSCALL msg=audit(1245953960.354:478): arch=40000003 syscall=11 success=yes exit=0 a0=8cd7978 a1=8cd7cb8 a2=8cd7e38 a3=0 items=0 ppid=3969 pid=3974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
From SELinux_Troubleshoot(a)mydomain.com Thu Jun 25 19:19:31 2009
Subject: [SELinux AVC Alert] SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.
From: SELinux_Troubleshoot(a)mydomain.com
To: root(a)mydomain.com
Date: Thu, 25 Jun 2009 18:19:31 -0000
Summary:
SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.
Detailed Description:
SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:system_mail_t:s0
Target Context unconfined_u:system_r:fail2ban_t:s0
Target Objects socket [ unix_stream_socket ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host mydomain.com
Source RPM Packages sendmail-8.14.2-4.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-133.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name mydomain.com
Platform Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP
Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count 3
First Seen Tue Jun 23 14:12:59 2009
Last Seen Thu Jun 25 19:19:20 2009
Local ID 18e4bfc0-cbb2-41a6-af2c-8b271450ed73
Line Numbers
Raw Audit Messages
node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc: denied { read write } for pid=3980 comm="sendmail" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc: denied { read write } for pid=3980 comm="sendmail" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=SYSCALL msg=audit(1245953960.510:479): arch=40000003 syscall=11 success=yes exit=0 a0=8908a90 a1=8908aa8 a2=8908d88 a3=0 items=0 ppid=3978 pid=3980 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0 key=(null)
14 years, 10 months
"cannot restore segment prot after reloc"
by John Oliver
[root@ucore-web ~]# service httpd configtest
httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc: Permission denied
[root@ucore-web ~]# ls -lZ /etc/httpd/modules/vcapache.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t /etc/httpd/modules/vcapache.so
I used chcon to make vcapache.so have the same attributes as other
Apache modules...
-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_userdir.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_usertrack.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_version.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_vhost_alias.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapache.so
How to fix? Googling results in a thousand suggestions to disable
SELinux and a couple to "chcon -t texrel_shlib_t" which did not work for
me.
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
14 years, 10 months
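Editor's note with example code for the thread above; this is not code from John's post, from Apache or from the vendor module. The loader prints "cannot restore segment prot after reloc" when a shared object needs text relocations, that is, when its dynamic section carries DT_TEXTREL or the DF_TEXTREL bit in DT_FLAGS. ld.so then has to make the text segment writable, patch it, and mprotect it back to executable, and that last step is the execmod access SELinux checks against the library's file type. Before relabelling anything it is worth confirming the module really has text relocations, because that is what puts it on the execmod path at all; a PIC build needs none. The script below reads the program headers and dynamic section itself (no elfutils dependency); build_elf is a constructed test fixture, not a real module.

```python
"""Does this ELF shared object carry text relocations?

Added example for the "cannot restore segment prot after reloc" thread; not
code from the post. has_textrel() parses the ELF headers directly so it runs
anywhere; build_elf() is a constructed fixture used only to exercise it.
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def has_textrel(data):
    """True if the image has DT_TEXTREL, or DF_TEXTREL set in DT_FLAGS."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 2 = ELFCLASS64
    e = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian
    if is64:
        (e_phoff,) = struct.unpack_from(e + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
        phdr_fmt, dyn_fmt = e + "IIQQQQQQ", e + "qQ"
        off_idx, size_idx = 2, 5        # p_offset, p_filesz in Elf64_Phdr
    else:
        (e_phoff,) = struct.unpack_from(e + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
        phdr_fmt, dyn_fmt = e + "IIIIIIII", e + "iI"
        off_idx, size_idx = 1, 4        # p_offset, p_filesz in Elf32_Phdr
    dyn_size = struct.calcsize(dyn_fmt)
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        p_offset, p_filesz = ph[off_idx], ph[size_idx]
        for off in range(p_offset, p_offset + p_filesz, dyn_size):
            d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    # No PT_DYNAMIC at all means there is nothing for ld.so to relocate.
    return False


def build_elf(dynamic_entries, is64=True):
    """Constructed fixture: a minimal little-endian ELF with one PT_DYNAMIC segment."""
    entries = list(dynamic_entries) + [(DT_NULL, 0)]
    if is64:
        dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
        dyn_off = 64 + 56               # header + one program header
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                           3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                           len(dyn), len(dyn), 8)
    else:
        dyn = b"".join(struct.pack("<iI", t, v) for t, v in entries)
        dyn_off = 52 + 32
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                           3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, dyn_off, dyn_off,
                           len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "TEXTREL" if has_textrel(f.read()) else "no text relocations")
```

Run it as `python3 textrel.py /etc/httpd/modules/vcapache.so`; `readelf -d` on the same file shows the TEXTREL tag, and elfutils' `eu-findtextrel` names the functions responsible. If the answer is True, rebuilding the module with -fPIC removes the relocations and the execmod check with them; if the vendor cannot do that, the file needs a type the policy allows execmod on, which is what textrel_shlib_t exists for, and `ls -lZ` after the chcon should show that label actually stuck.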
su or sudo from unconfined user to confined user
by Mohamed Aburowais
Hello,
I have a requirement to use a system as root, but I need to switch very often to other users and be able to move to their default SELinux user and roles.
As it appears, it is not a common thing to do, but is it possible without implementing a new policy?
Regards
14 years, 10 months
[ANN] CDS Framework 3.6
by David Sugar
Version 3.6 of the CDS Framework Toolkit from Tresys Technology is now
available for download from the Tresys Open Source website at
http://oss.tresys.com/projects/cdsframework
The CDS Framework Toolkit is an Eclipse plug-in that allows engineers to
graphically design a system's security architecture, targeting
information flow security goals. The toolkit uses the security
architecture diagram to generate SELinux policy based on the Reference
Policy or CLIP policy. It integrates with SLIDE to provide additional
SELinux policy development capabilities.
CDS Framework version 3.6 - highlights:
* Adds a feature to hide secondary information flows.
* Adds quick-fix support to the audit view to fix denials by
modifying the security architecture diagram.
Dave Sugar
Tresys Technology, LLC
14 years, 10 months
F-11 miscellany
by Paul Howarth
Get this on every reboot:
type=AVC msg=audit(1245652935.723:12): avc: denied { write } for pid=4130 comm="rm" name="/" dev=dm-18 ino=2 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1245652935.723:12): avc: denied { remove_name } for pid=4130 comm="rm" name="mysql.sock" dev=dm-18 ino=49156 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1245652935.723:12): avc: denied { unlink } for pid=4130 comm="rm" name="mysql.sock" dev=dm-18 ino=49156 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1245652935.723:12): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=7fff0d7d5ece a2=0 a3=7fff0d7d5060 items=0 ppid=4044 pid=4130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
I have /var/lib/mysql as a separate filesystem, hence the "/".
Curiously, setroubleshoot misinterprets this as a mislabelled root
directory, saying it should be "root_t" (the root directory *is*
root_t).
Also had this one this morning:
type=AVC msg=audit(1245652948.769:13): avc: denied { search } for pid=4510 comm="gnome-settings-" name="hwdata" dev=dm-2 ino=24065 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir
type=SYSCALL msg=audit(1245652948.769:13): arch=c000003e syscall=2 success=no exit=-13 a0=31e6e1fb0e a1=0 a2=0 a3=1a items=0 ppid=4508 pid=4510 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-settings-" exe="/usr/libexec/gnome-settings-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Paul.
14 years, 10 months
Re: daemons and policy update
by Vadym Chepkov
By the way, I would prefer if crond would just die in cases like this.
Sincerely yours,
Vadym Chepkov
--- On Sat, 6/20/09, Vadym Chepkov <chepkov(a)yahoo.com> wrote:
> From: Vadym Chepkov <chepkov(a)yahoo.com>
> Subject: daemons and policy update
> To: "Fedora SELinux" <fedora-selinux-list(a)redhat.com>
> Date: Saturday, June 20, 2009, 6:28 AM
> All,
>
> This is not the very first time I have experienced this and I
> wonder what the common-sense approach to solving this kind of
> issue is.
>
> I installed this policy update:
>
> selinux-policy-targeted-3.6.12-45.fc11
> Tue 16 Jun 2009 06:29:13 AM EDT
>
> Only today I realised it had made crond completely
> inoperational for several days.
>
> /var/log/cron:
> Jun 20 06:08:02 hut crond[7705]: (*system*) ERROR (Could
> not set exec or keycreate context to
> system_u:system_r:system_cronjob_t:SystemLow-SystemHigh for
> user)
> Jun 20 06:08:02 hut crond[7705]: (root) ERROR (failed to
> change SELinux context)
>
> So every single crontab job was missed. A simple service
> crond restart fixes the problem. Do I need to reboot the
> system every time a new policy is installed; is this the
> "recommended" approach? Thank you.
>
> Sincerely yours,
> Vadym Chepkov
>
14 years, 10 months
daemons and policy update
by Vadym Chepkov
All,
This is not the very first time I have experienced this and I wonder what the common-sense approach to solving this kind of issue is.
I installed this policy update:
selinux-policy-targeted-3.6.12-45.fc11 Tue 16 Jun 2009 06:29:13 AM EDT
Only today I realised it had made crond completely inoperational for several days.
/var/log/cron:
Jun 20 06:08:02 hut crond[7705]: (*system*) ERROR (Could not set exec or keycreate context to system_u:system_r:system_cronjob_t:SystemLow-SystemHigh for user)
Jun 20 06:08:02 hut crond[7705]: (root) ERROR (failed to change SELinux context)
So every single crontab job was missed. A simple service crond restart fixes the problem. Do I need to reboot the system every time a new policy is installed; is this the "recommended" approach? Thank you.
Sincerely yours,
Vadym Chepkov
14 years, 10 months
gpsd on F11-64
by rick
I have a shiny new F11 install and am getting the following in the syslog:
Jun 18 15:41:16 calvin setroubleshoot: SELinux prevented gpsd from using the terminal 0. For complete SELinux messages. run sealert -l d33b557f-d1a4-4bde-add4-93b93ce91cc6
Fedora seems to be gpsd-challenged but the alert suggests trying
restorecon which does not seem to do anything...
Summary:
SELinux is preventing gpsd (gpsd_t) "write" to run (var_run_t).
and fyi:
# ls -Z gpsd
-rwxr-xr-x. root root system_u:object_r:gpsd_exec_t:s0 gpsd
...so does this warrant a bug report on the policy or is it possible
to change the context of the daemon's file so that it will work?
fyi, the audit msg is below, and the gpsd init script looks for the
file in the wrong place, so perhaps the policy expects it to be in
/usr/bin instead of /usr/sbin also...
any help appreciated,
rick
------------
Raw Audit Messages
node=calvin.rikm.net type=AVC msg=audit(1245353432.700:34699): avc: denied { write } for pid=12148 comm="gpsd" name="run" dev=sda7 ino=1654 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
node=calvin.rikm.net type=SYSCALL msg=audit(1245353432.700:34699): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffd13b8d40 a2=6e a3=3db7168fcc items=0 ppid=12147 pid=12148 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)
-------------
--
. . . this space intentionally left blank . . .
14 years, 10 months
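Editor's note with example code, serving the three threads above that paste raw audit records (Fail2Ban, "F-11 miscellany" and "gpsd on F11-64"); it is written for this page and is not code from any poster, from setroubleshoot or from audit2allow. What audit2allow does not tell you is whether a denial was actually enforced, and the SYSCALL record that shares an event id with each AVC does. The iptables record is an execve (syscall 11 on arch 40000003, i386) that succeeded, and a read/write denial on a unix_stream_socket at exec time is the kernel revoking a descriptor that fail2ban left open across the fork/exec; the exec goes ahead with that fd closed. An allow rule for iptables_t on fail2ban_t sockets would hand the child real access to the parent's socket, which is more than it needs, so closing the fd in the parent or a dontaudit rule is the better answer to that particular AVC. The rm records show three denials inside one unlinkat (263 on x86_64) that still returned success=yes, which is what a permissive domain (or enforcing=0) looks like: logged, not enforced. gpsd's bind (49) really failed with EACCES, so that one is the kind where labels and booleans matter. The sample lines are copied from the posts; the syscall table and the three verdicts are this example's own rules.

```python
"""Pair each SELinux AVC with its SYSCALL record and say whether it was enforced.

Added example for the fail2ban, "F-11 miscellany" and gpsd threads; not code
from any poster or from setroubleshoot/audit2allow. SAMPLE holds audit lines
copied from those posts; the syscall table and verdict rules are this example's.
"""
import errno
import re
from collections import defaultdict

SAMPLE = """
node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=SYSCALL msg=audit(1245953960.354:478): arch=40000003 syscall=11 success=yes exit=0 a0=8cd7978 a1=8cd7cb8 a2=8cd7e38 a3=0 items=0 ppid=3969 pid=3974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1245652935.723:12): avc: denied { unlink } for pid=4130 comm="rm" name="mysql.sock" dev=dm-18 ino=49156 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1245652935.723:12): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=7fff0d7d5ece a2=0 a3=7fff0d7d5060 items=0 ppid=4044 pid=4130 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:mysqld_safe_t:s0 key=(null)
node=calvin.rikm.net type=AVC msg=audit(1245353432.700:34699): avc: denied { write } for pid=12148 comm="gpsd" name="run" dev=sda7 ino=1654 scontext=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
node=calvin.rikm.net type=SYSCALL msg=audit(1245353432.700:34699): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffd13b8d40 a2=6e a3=3db7168fcc items=0 ppid=12147 pid=12148 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="gpsd" exe="/usr/sbin/gpsd" subj=unconfined_u:unconfined_r:gpsd_t:s0-s0:c0.c1023 key=(null)
"""

# Syscall numbers by audit arch: 40000003 is i386, c000003e is x86_64.
SYSCALLS = {
    "40000003": {5: "open", 10: "unlink", 11: "execve", 102: "socketcall"},
    "c000003e": {2: "open", 49: "bind", 59: "execve", 87: "unlink",
                 257: "openat", 263: "unlinkat"},
}
# Object classes a freshly exec'd image can only hold through an inherited fd.
FD_CLASSES = {"file", "sock_file", "fifo_file", "chr_file", "unix_stream_socket",
              "unix_dgram_socket", "tcp_socket", "udp_socket"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
PERMS_RE = re.compile(r'denied\s*\{\s*([^}]*)\}')


def parse_record(line):
    """One audit line to a dict; 'event' is the (timestamp, serial) shared by related records."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts, serial = MSG_RE.search(line).groups()
    rec["event"] = (ts, int(serial))
    perms = PERMS_RE.search(line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec


def group_events(text):
    """Collect the AVC records and the SYSCALL record that share an event id."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["type"] == "AVC":
            events[rec["event"]]["avc"].append(rec)
        elif rec["type"] == "SYSCALL":
            events[rec["event"]]["syscall"] = rec
    return events


def classify(event):
    """Return (verdict, details) for one grouped event."""
    sc = event["syscall"]
    if sc is None:
        return "no-syscall-record", {}
    name = SYSCALLS.get(sc["arch"], {}).get(int(sc["syscall"]), "syscall " + sc["syscall"])
    classes = {a["tclass"] for a in event["avc"]}
    perms = {p for a in event["avc"] for p in a.get("perms", [])}
    info = {"comm": sc["comm"], "syscall": name, "classes": sorted(classes), "perms": sorted(perms)}
    if sc["success"] == "yes" and name == "execve" and classes <= FD_CLASSES \
            and perms <= {"read", "write", "append"}:
        # Denied during exec on an object the new image could only hold as an
        # inherited fd: the kernel closes that fd and lets the exec proceed. An
        # allow rule would give the child real access to the parent's object;
        # closing the fd in the parent (CLOEXEC) or a dontaudit rule is the fix.
        return "leaked-fd", info
    if sc["success"] == "yes":
        # Denied, yet the syscall succeeded: logged but not enforced, which is
        # what a permissive domain (or enforcing=0) looks like.
        return "permissive", info
    # Enforced: the process really got the error, so labels and booleans matter.
    info["errno"] = errno.errorcode.get(-int(sc["exit"]), sc["exit"])
    return "enforced", info


def analyze(text):
    """Map comm -> (verdict, details) for every event in the audit text."""
    return {ev["syscall"]["comm"] if ev["syscall"] else str(key): classify(ev)
            for key, ev in group_events(text).items()}


if __name__ == "__main__":
    for comm, (verdict, info) in analyze(SAMPLE).items():
        print(f"{comm:<10} {verdict:<10} {info}")
```

Feed it `ausearch -m AVC,SYSCALL --raw` output instead of SAMPLE to run it over a real log; records from different hosts that reuse a serial would need the node field added to the event key. The "permissive" verdict is a heuristic: it assumes every AVC denial inside a syscall is fatal to that syscall in enforcing mode, which holds for the file, directory and socket permissions seen here.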