umount SELinux alert in Fedora 11
by Rahul Sundaram
Hi,
Summary:
SELinux prevented umount from mounting on the file or directory "mtab" (type
"etc_t").
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1244693043.30:19491): avc:
denied { unlink } for pid=10969 comm="umount" name="mtab" dev=dm-1
ino=87534 scontext=system_u:system_r:mount_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1244693043.30:19491):
arch=40000003 syscall=38 success=yes exit=0 a0=a1043b a1=a1040a
a2=a12b88 a3=4 items=0 ppid=1886 pid=10969 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="umount" exe="/bin/umount"
subj=system_u:system_r:mount_t:s0-s0:c0.c1023 key=(null)
---
Rahul
14 years, 10 months
secure mode for sudo
by Dominick Grift
Why does sudo not have a secure_mode boolean like su has?
if(secure_mode) {
# Only allow transitions to unprivileged user domains.
userdom_spec_domtrans_unpriv_users($1_sudo_t)
} else {
# Allow transitions to all user domains
userdom_spec_domtrans_all_users($1_sudo_t)
}
14 years, 10 months
selinux local policy from F10 to F11?
by mike cloaked
If you have generated local selinux policy using semanage fcontext for
specific files or directories in F10, is there now a recommended way
to automate retrieval of these and then create the same rule set for
F11 after a clean F11 install?
I know that you can do
# semanage fcontext -C -l and send the output to a file.
This will generate lines such as
SELinux fcontext                                                   type       Context
/home/mike/.cxoffice(/.*)?                                         all files  system_u:object_r:textrel_shlib_t:s0
/home/mike/.cxoffice/dotwine/drive_c/Windows/System/SHLWAPI.DLL    all files  system_u:object_r:textrel_shlib_t:s0
/home/mike/.cxoffice/dotwine/drive_c/Windows/System/ole32.dll      all files  system_u:object_r:textrel_shlib_t:s0
/home/mike/.wine(/.*)?                                             all files  system_u:object_r:textrel_shlib_t:s0
However I guess that saving this will still not allow these rules to
be written back to the new system in an automated way unless a script
is written to parse the lines and create a set of new selinux fcontext
lines that will create each local
rule with something like:
semanage fcontext -a -t textrel_shlib_t /home/mike/.cxoffice(/.*)?
with one for each original line in the output generated from the old
system before it was replaced?
If there is a cleaner way to achieve this, I would like to hear about it.
--
mike
14 years, 10 months
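A script for the regeneration step Mike describes, added here as an example and not part of the original thread: it parses a `semanage fcontext -C -l` listing (a constructed sample, modelled on the lines quoted in the post) and emits one `semanage fcontext -a` command per rule, shell-quoting each spec so that `(/.*)?` survives the shell. It assumes current semanage's single-letter `-f` file-type codes (older releases spelled them differently), and it reports rather than replays entries whose context is `<<None>>`.

```python
import re
import shlex

# Listing column "type" -> semanage fcontext -f code (assumed: current
# semanage accepts these single letters; "all files" is the default, so no -f).
FTYPE_FLAGS = {
    "all files": "a", "regular file": "f", "directory": "d",
    "character device": "c", "block device": "b", "socket": "s",
    "symbolic link": "l", "named pipe": "p",
}

# spec  <type column>  user:role:type[:level]; the spec may contain spaces and
# regex metacharacters, so anchor on the file-type phrase and the context.
_FTYPES = "|".join(re.escape(k) for k in FTYPE_FLAGS)
LINE_RE = re.compile(
    r"^(?P<spec>.+?)\s+(?P<ftype>" + _FTYPES + r")\s+"
    r"(?P<ctx>[^\s:]+:[^\s:]+:[^\s:]+(?::\S+)?)$"
)

# Constructed sample of 'semanage fcontext -C -l' output (local changes only).
# The first three specs are the ones quoted in the post; the last two are made
# up to exercise a directory-only rule and a <<None>> entry.
SAMPLE_LISTING = """\
SELinux fcontext                                                   type           Context
/home/mike/.cxoffice(/.*)?                                         all files      system_u:object_r:textrel_shlib_t:s0
/home/mike/.cxoffice/dotwine/drive_c/Windows/System/SHLWAPI.DLL    regular file   system_u:object_r:textrel_shlib_t:s0
/home/mike/.wine(/.*)?                                             all files      system_u:object_r:textrel_shlib_t:s0
/srv/ftp/logs(/.*)?                                                directory      system_u:object_r:xferlog_t:s0
/home/mike/.cxoffice/tmp(/.*)?                                     all files      <<None>>
"""


def parse_fcontext_listing(text):
    """Return ([(spec, ftype_code, setype)], [lines that were not parsed])."""
    rules, skipped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("SELinux fcontext"):
            continue  # header line
        m = LINE_RE.match(line)
        if not m:
            skipped.append(line)  # e.g. <<None>> contexts: review by hand
            continue
        setype = m.group("ctx").split(":")[2]  # user:role:TYPE[:level]
        rules.append((m.group("spec"), FTYPE_FLAGS[m.group("ftype")], setype))
    return rules, skipped


def to_semanage_commands(rules):
    """One 'semanage fcontext -a' line per rule, safe to paste into a shell."""
    cmds = []
    for spec, code, setype in rules:
        argv = ["semanage", "fcontext", "-a", "-t", setype]
        if code != "a":          # "all files" is semanage's default
            argv += ["-f", code]
        argv.append(spec)        # quoted, or the shell would glob (/.*)?
        cmds.append(" ".join(shlex.quote(a) for a in argv))
    return cmds


if __name__ == "__main__":
    rules, skipped = parse_fcontext_listing(SAMPLE_LISTING)
    print("\n".join(to_semanage_commands(rules)))
    for line in skipped:
        print("# not replayed: " + line)
```

After replaying the commands on the new install, `restorecon -Rv` on the affected paths applies the labels; newer policycoreutils also ship `semanage export` and `semanage import`, which make this script unnecessary.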
bizarre packet labelings
by brian retford
We have a fairly customized centos 5.3 distribution, but I know of nothing
that would cause the behavior I'm seeing. We don't use iptables or ipsec,
secmark is enabled in the kernel. I get avc denied messages for packets that
almost certainly do exist, but the targets almost never make sense (at least
to me), things like ls_exec_t, lib_t, and other seemingly random types.
Thoughts?
avc: denied { send } for pid=3202 comm="sshd" saddr=172.27.13.41 src=22
daddr=172.27.134.1 dest=40428 netif=eth0
scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lib_t:s0 tclass=packet
-b
14 years, 10 months
squid denial on F11 for var_run_t
by Scott Radvan
Hi list,
As many of you know I am working on a Managing Confined Services guide
for Fedora.
Having set up a simple squid environment on Fedora 11, with minimal
and default settings in squid.conf (http_port 3128 as allowed by
semanage, and a default cache_dir), I was able to create the cache
directory structure, but I got a denial when actually starting squid for
the first time (I assume this happens as it attempts to create its pid
in /var/run):
--
SELinux is preventing squid (squid_t) "read" var_run_t.
node=localhost.localdomain type=AVC msg=audit(1244690560.923:31): avc:
denied { read } for pid=2413 comm="squid" name="squid.pid" dev=dm-0
ino=364 scontext=unconfined_u:system_r:squid_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1244690560.923:31):
arch=40000003 syscall=5 success=no exit=-13 a0=b7ec8340 a1=8000 a2=1b6
a3=0 items=0 ppid=2404 pid=2413 auid=500 uid=23 gid=23 euid=0 suid=0
fsuid=0 egid=23 sgid=23 fsgid=23 tty=pts0 ses=1 comm="squid"
exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
--
I followed the FAQ as was linked in the denial text:
http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
Using audit2allow, which gave me a type enforcement file, the contents
of which are:
--
module local 1.0;
require {
type var_run_t;
type squid_t;
class file read;
}
#============= squid_t ==============
allow squid_t var_run_t:file read;
--
and after creating and injecting a module from this as described in
that FAQ entry, I am now able to start squid and get it working fine.
Should this be filed as a bug? Is there a better way to fix it? I
figured it was worth mentioning as this happened out-of-the-box on F11
with default settings.
I am happy to provide any further details or output should you require
it.
selinux 3.6.12-39.fc11
linux 2.6.29.4-167.fc11
squid 3.0.STABLE13-1.fc11
Thanks,
--
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com
14 years, 10 months
selinux denying dev-kit, and others
by Antonio Olivares
Summary:
SELinux is preventing gnome-clock-app (gnomeclock_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by gnome-clock-app. It is not expected that this
access is required by gnome-clock-app and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:gnomeclock_t:SystemLow-SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source gnome-clock-app
Source Path /usr/libexec/gnome-clock-applet-mechanism
Port <Unknown>
Host localhost.localdomain
Source RPM Packages gnome-panel-2.26.2-3.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 1
First Seen Tue 16 Jun 2009 08:36:10 AM CDT
Last Seen Tue 16 Jun 2009 08:36:10 AM CDT
Local ID b01fae6b-cc0e-42cb-bea3-2c84383966e0
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159370.605:31): avc: denied { read } for pid=2250 comm="gnome-clock-app" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159370.605:31): arch=40000003 syscall=11 success=yes exit=0 a0=9a9fe28 a1=9a9fce8 a2=9a9f008 a3=9aa22a8 items=0 ppid=2249 pid=2250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-disks-da (devicekit_disk_t) "getattr" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-disks-da. It is not expected that this
access is required by devkit-disks-da and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_disk_t:SystemLow-SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-disks-da
Source Path /usr/libexec/devkit-disks-daemon
Port <Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-disks-004-3.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 1
First Seen Tue 16 Jun 2009 08:35:52 AM CDT
Last Seen Tue 16 Jun 2009 08:35:52 AM CDT
Local ID 8b03ae67-6d8b-49ea-821b-c78a2b4e715e
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159352.360:30): avc: denied { getattr } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159352.360:30): arch=40000003 syscall=197 success=yes exit=0 a0=7 a1=bfd94d00 a2=5ddff4 a3=95f8510 items=0 ppid=1 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-disks-da (devicekit_disk_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-disks-da. It is not expected that this
access is required by devkit-disks-da and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_disk_t:SystemLow-SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-disks-da
Source Path /usr/libexec/devkit-disks-daemon
Port <Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-disks-004-3.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 8
First Seen Tue 16 Jun 2009 07:21:24 AM CDT
Last Seen Tue 16 Jun 2009 08:35:51 AM CDT
Local ID 0ecb0348-2ba7-401d-a917-9c0f74a7f61d
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159351.885:29): avc: denied { read } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159351.885:29): arch=40000003 syscall=11 success=yes exit=0 a0=87bbe50 a1=87be290 a2=87bb008 a3=87bbd90 items=0 ppid=2213 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-power-da (devicekit_power_t) "getattr" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-power-da. It is not expected that this
access is required by devkit-power-da and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_power_t:SystemLow-SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-power-da
Source Path /usr/libexec/devkit-power-daemon
Port <Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-power-008-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 1
First Seen Tue 16 Jun 2009 08:35:45 AM CDT
Last Seen Tue 16 Jun 2009 08:35:45 AM CDT
Local ID 48abf8a4-c9fb-4129-abd3-35ed578349eb
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159345.55:27): avc: denied { getattr } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159345.55:27): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfeb5e40 a2=5ddff4 a3=90cc030 items=0 ppid=1 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-daemon (devicekit_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-daemon. It is not expected that this
access is required by devkit-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_t:SystemLow-SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-daemon
Source Path /usr/libexec/devkit-daemon
Port <Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-003-1
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 1
First Seen Tue 16 Jun 2009 08:35:45 AM CDT
Last Seen Tue 16 Jun 2009 08:35:45 AM CDT
Local ID a1417ce4-b120-4778-9802-f21888673601
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159345.63:28): avc: denied { read } for pid=2178 comm="devkit-daemon" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159345.63:28): arch=40000003 syscall=11 success=yes exit=0 a0=8fe4e10 a1=8fe4d98 a2=8fe4008 a3=8fe7358 items=0 ppid=2177 pid=2178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-daemon" exe="/usr/libexec/devkit-daemon" subj=system_u:system_r:devicekit_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-power-da (devicekit_power_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-power-da. It is not expected that this
access is required by devkit-power-da and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_power_t:SystemLow-SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-power-da
Source Path /usr/libexec/devkit-power-daemon
Port <Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-power-008-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 9
First Seen Tue 16 Jun 2009 07:21:24 AM CDT
Last Seen Tue 16 Jun 2009 08:35:44 AM CDT
Local ID a3306212-15db-4b4b-a00a-d2c310e28d4f
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159344.629:26): avc: denied { read } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159344.629:26): arch=40000003 syscall=11 success=yes exit=0 a0=9147e50 a1=914a290 a2=9147008 a3=9147d90 items=0 ppid=2173 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)
14 years, 10 months
F-11: proftpd can't create /var/log/proftpd/controls.log
by Paul Howarth
I needed to add this policy to allow proftpd to start in F-11:
# Proftpd needs to create /var/log/proftpd/controls.log
allow ftpd_t xferlog_t:dir { write add_name };
/var/log/proftpd is xferlog_t and it seems ftpd_t can't create new
files in directories of that type.
Paul.
14 years, 10 months
Re: semodule
by Vadym Chepkov
authconfig --updateall fixed the issue. I think this step should be added to YumUpgradeFaq wiki page.
Sincerely yours,
Vadym Chepkov
14 years, 10 months
SELinux/dbus issues since upgrading to F11 (from F10)
by NMONNET
I get shitloads of AVC from dbus since I upgraded; and in fact, I can't
even log in in enforcing mode anymore. I tried relabelling, same
difference.
Example:
type=AVC msg=audit(1244936277.370:81): avc: denied { search } for
pid=2394 comm="dbus-daemon" name="3998" dev=proc ino=337975
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=dir
type=AVC msg=audit(1244936277.370:81): avc: denied { read } for pid=2394
comm="dbus-daemon" name="cmdline" dev=proc ino=337976
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=file
type=SYSCALL msg=audit(1244936277.370:81): arch=c000003e syscall=2
success=yes exit=66 a0=7f02cc625660 a1=0 a2=7f02cc625672 a3=0 items=0
ppid=1 pid=2394 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81
egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon"
exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1244936292.198:82): avc: denied { search } for
pid=2394 comm="dbus-daemon" name="3972" dev=proc ino=338174
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_mono_t:s0 tclass=dir
type=SYSCALL msg=audit(1244936292.198:82): arch=c000003e syscall=2
success=yes exit=67 a0=7f02cc639d70 a1=0 a2=7f02cc639d82 a3=0 items=0
ppid=1 pid=2394 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81
egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon"
exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
Your help much appreciated!
14 years, 10 months