Logrotate on mounted partition
by Arthur Dent
I have a procmail recipe which writes a copy of every mail I receive
(just because I'm paranoid it doesn't mean they aren't out to get me!)
to a backup area on my /dev/sda9 partition, mounted as
/mnt/backup/ by fstab. (It is an ext3 partition).
Back in March 2008 when I was on F8 Stephen Smalley kindly helped me to
prevent the hundreds of avcs by suggesting the following:
semanage fcontext -a -t mail_spool_t "/mnt/backup(/.*)?"
restorecon -v -R /mnt/backup
This worked perfectly. It also held true throughout my time with F9. I
have now upgraded to F11 (I skipped F10) and it still kind of works. I
get an avc when logrotate tries to access these files.
The strange thing is this didn't happen under F8 or F9.
Is there an elegant solution to this problem or should I write a policy
module?
This is what audit2allow proposes:
module rawmail 1.0;

require {
	type mail_spool_t;
	type logrotate_t;
	class file getattr;
}

#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file getattr;
The full avc is below.
Many thanks for all your help....
Mark
Summary
SELinux is preventing logrotate (logrotate_t) "getattr" mail_spool_t.
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]
SELinux denied access requested by logrotate. It is not expected that
this access is required by logrotate and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.
Allowing Access
You can generate a local policy module to allow this access - see FAQ Or
you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.
Additional Information
Source Context: system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context: system_u:object_r:mail_spool_t:s0
Target Objects: /mnt/backup/mail/rawmail [ file ]
Source: logrotate
Source Path: /usr/sbin/logrotate
Port: <Unknown>
Host: troodos.org.uk
Source RPM Packages: logrotate-3.7.8-2.fc11
Target RPM Packages:
Policy RPM: selinux-policy-3.6.12-72.fc11
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall
Host Name: mydomain
Platform: Linux mydomain 2.6.29.6-217.2.3.fc11.i686.PAE #1 SMP Wed Jul 29 16:05:22 EDT 2009 i686 i686
Alert Count: 3
First Seen: Thu Aug 13 03:45:40 2009
Last Seen: Sat Aug 15 03:26:41 2009
Local ID: 3a8c20b3-ff25-43ea-8214-bd926c28215b
Line Numbers:
Raw Audit Messages :
node=mydomain type=AVC msg=audit(1250303201.472:2436): avc: denied
{ getattr } for pid=15100 comm="logrotate"
path="/mnt/backup/mail/rawmail" dev=sda9 ino=2490369
scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1250303201.472:2436):
arch=40000003 syscall=196 success=yes exit=0 a0=8a7d598 a1=bfe1faa4
a2=77cff4 a3=1 items=0 ppid=15098 pid=15100 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=513 comm="logrotate"
exe="/usr/sbin/logrotate"
subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
14 years, 8 months
xguest: firefox - execmem
by Christoph A.
Hi,
I wanted to try the xguest user, but firefox always crashed on startup.
This AVC appears many times in the logs:
type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for
pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0
tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process
execmem is not allowed:
getsebool -a|grep execmem
allow_execmem --> off
Allowing execmem resolves the problem, but is there a better solution
for this?
Another question:
I would like to make some permanent changes to the xguest account
(keyboard layout, safe passphrase for wifi access, set keyring pw,
remove some icons,...)
How can I as admin do that?
thanks,
Christoph
14 years, 8 months
setroubleshooter not filing bugs, is there another way
by Antonio Olivares
Dear fellow selinux experts,
I am encountering a problem with setroubleshooter and avc denials for wine. It gives me a fatal error report, but I can't copy + paste like I used to. I tried to file a bugzilla report, but the process hangs and it is not being sent. Is there another way to capture the report so I can send in the avc denials?
I am running xfce fully updated in rawhide. I try to dmesg but get no avcs and I can't run windows programs under wine without seeing the setroubleshoot(er) go crazy :(
Thanks,
Antonio
14 years, 8 months
rsync as backup from f11 to F10 - issues
by mike cloaked
I have been running backups using rsync from various machines on my LAN onto
a main (F10) machine into which is plugged a usb external drive that takes
the backup files.
This year the machine into which the backup drive is plugged has been
running F10 fully up to date, and with SELinux fully enforcing.
Machines on the LAN have been running backups across the network using an
rsync command within a script which essentially does:
rsync --delete -aXH --exclude blah /opt
home1:/media/usbdrive/BACKUPS/myhostname
and similar for other directories.
This has worked fine until I installed F11 on some of the machines in the
LAN, with ext4 filesystems on them.
Trying the same thing in this case gave AVC denials on the machine (running
F10) to which the external usb drive was attached (and with an ext3
filesystem to take the backups).
The AVC contained:
Summary
SELinux is preventing rsync (unconfined_t) "mac_admin" unconfined_t.
Detailed Description
SELinux denied access requested by rsync. It is not expected that this
access is required by rsync and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you
can disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report against this package.
Additional Information
Source Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects: None [ capability2 ]
Source: rsync
Source Path: /usr/bin/rsync
Port: <Unknown>
Host: home1.xxxxxxxxx
Source RPM Packages: rsync-3.0.6-0.fc10
Target RPM Packages:
Policy RPM: selinux-policy-3.5.13-67.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: home1.xxxxxxxxx
Platform: Linux home1.xxxxxxxxxx 2.6.27.29-170.2.78.fc10.i686 #1 SMP Fri
Jul 31 04:40:15 EDT 2009 i686 i686
Alert Count: 72
First Seen: Tue 11 Aug 2009 08:45:24 PM BST
Last Seen: Tue 11 Aug 2009 08:57:08 PM BST
Local ID: 2f39a50c-7f62-4e03-aa28-5826d349f52a
Line Numbers:
Raw Audit Messages :
node=home1.xxxxxxxxxxxxxx type=AVC msg=audit(1250020628.16:1141): avc:
denied { mac_admin } for pid=18683 comm="rsync" capability=33
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=capability2
node=home1.xxxxxxxxxxxxxx type=SYSCALL msg=audit(1250020628.16:1141):
arch=40000003 syscall=227 success=no exit=-22 a0=bfc81358 a1=9e3808c
a2=9e38068 a3=24 items=0 ppid=18663 pid=18683 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=145 comm="rsync"
exe="/usr/bin/rsync"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
This seems to stem from a context incompatibility between F10 and F11.
My work-around is as follows:
I have made a new ext4 filesystem on the external drive using mke2fs -t ext4
and labelling it using e2label, and then running the backup with the drive
attached to a machine running F11 with SElinux enforcing and which has an
ext4 filesystem for / and /opt.
Now I am currently running a backup from one of the other machines on the
LAN which is also running F11 with SElinux enforcing and so far I am not
seeing AVC denials.
My question is whether there is a workaround for the original scenario:
backing up files from the F11 machines onto an external drive with ext3
connected to an F10 machine with ext3 filesystem. Or is the filesystem a red
herring and the problem stemming from selinux alone?
You may ask why I need to copy the extended attributes - it surely makes
life easier if I restore files later.
--
View this message in context: http://www.nabble.com/rsync-as-backup-from-f11-to-F10---issues-tp24925988...
Sent from the Fedora SELinux List mailing list archive at Nabble.com.
14 years, 8 months
F11 Relabel problem
by Arthur Dent
Hello all,
I have just upgraded from F9 to F11 and, still having one or two selinux
related problems, decided to do a /.autorelabel.
Knowing how long this can take on my ageing hardware I went off for a
cup of tea...
On the screen when I returned (the job had not finished) was:
SELinux: Context system_u:object_r:gamin_??? is not valid (left
unmapped)
The question marks are mine. I just reached for a pen when another load
of messages flashed by and the job finished.
Here is what I found in /var/log/messages:
Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid
(left unmapped).
Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:squid_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:dovecot_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:fail2ban_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid
(left unmapped).
Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:samba_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left
unmapped).
Context system_u:object_r:squid_var_t:s0 is not valid (left unmapped).
Context unconfined_u:object_r:squid_var_t:s0 is not valid (left
unmapped).
My question(s):
1) Should I be worried?
2) Should I do anything?
Note: I don't know if this is relevant because there is not much
additional information to go on in the logs, but I have in
my /etc/fstab mappings to other partitions, one of which contains the
former F9 system (so that I can refer to previous system configs while I
tune my F11 system). /home is on its own partition.
Thanks for any help / suggestions....
Mark
14 years, 8 months
kvm/qemu problems
by Dr. Michael J. Chudobiak
Hi all,
My kvm/qemu instance of WindowsXP on Fedora stopped functioning in the
past week or two, due to some change in selinux policies. This is the
problem:
[root@xena ~]# audit2allow -a
#============= svirt_t ==============
allow svirt_t devpts_t:chr_file setattr;
allow svirt_t self:capability { chown fsetid };
allow svirt_t self:process setrlimit;
Is there a handy just-make-it-work boolean for this? Should this be a bug?
selinux-policy-targeted-3.6.12-72.fc11.noarch
- Mike
14 years, 8 months
Apache crashing in F-11
by Rob Crittenden
I'm having a problem where Apache is segfaulting when SELinux is enabled
because of an AVC. I'm using freeIPA which defines a mod_python handler.
The AVCs are:
type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for
pid=7849 comm="httpd"
path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1
ino=442585 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for
pid=7850 comm="httpd"
path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs
ino=33960 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
audit2allow generated this:
module test 1.0;

require {
	type httpd_tmp_t;
	type httpd_t;
	type httpd_tmpfs_t;
	class file execute;
}

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_tmpfs_t:file execute;
I'm a bit stumped. What should I look for, something doing an exec,
something messing in /tmp, both?
thanks
rob
14 years, 8 months
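The AVC records quoted in the posts on this page (Apache/mod_python, xguest/firefox, samba, logrotate) share one format, and the Apache ones carry hex-encoded paths, which audit uses when a path contains spaces, quotes or control characters. The parser below is an added example, not code from the list or from any poster: it decodes those fields, splits the source and target types out of the contexts, and returns the rule audit2allow would propose, so a denial can be read and reviewed (here the decoded path turns out to be a deleted temp file) before anyone loads a module. The sample records are copied from the posts above, joined onto one line each.

```python
import re

# Constructed sample: two AVC records quoted in the posts on this page
# (Apache/mod_python and xguest/firefox), joined onto single lines.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for '
    'pid=7849 comm="httpd" path=2F746D702F6666696A7435517772202864656C6574656429 '
    'dev=sda1 ino=442585 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1250580934.287:24730): avc: denied { execmem } for '
    'pid=4845 comm="firefox" scontext=xguest_u:xguest_r:mozilla_t:s0 '
    'tcontext=xguest_u:xguest_r:mozilla_t:s0 tclass=process',
]

AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String fields audit hex-encodes when unsafe chars are present; a quoted value is plain text.
HEX_FIELDS = {"path", "name", "comm", "exe"}

def decode_value(key, raw):
    """Strip quotes, or decode the hex form audit uses for 'untrusted' strings."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_avc(line):
    """Return the AVC as a dict: decision, perms, key=value fields, and the source/target types."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: " + line)
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, raw in KV_RE.findall(m.group("rest")):
        rec[key] = decode_value(key, raw)
    for side in ("scontext", "tcontext"):
        # user:role:type:range -- the range itself may contain ':' (s0-s0:c0.c1023)
        rec[side + "_type"] = rec[side].split(":", 3)[2]
    return rec

def allow_rule(rec):
    """The TE rule audit2allow would emit for this record; 'self' when the types coincide."""
    src, tgt = rec["scontext_type"], rec["tcontext_type"]
    target = "self" if src == tgt else tgt
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{rec['tclass']} {perm_str};"
```

Run `parse_avc` over lines grepped from /var/log/audit/audit.log with `type=AVC`; the generated rule is a starting point for review, and a deleted temp file being executed is exactly the kind of access worth understanding before allowing.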
samba and system users home
by Vadym Chepkov
Hi,
Each time anybody tries to access a samba share I get denials like this:
type=AVC msg=audit(1250191256.756:26956): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/www" dev=dm-5 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1250191256.756:26955): avc: denied { getattr } for pid=20508 comm="smbd" path="/var/mysql" dev=dm-4 ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
I am not sure why samba is trying to access these directories; it's no one's home, just a mount point. dovecot generates the same AVCs, but only when it starts. What is the best way to suppress these? Thanks.
Sincerely yours,
Vadym Chepkov
14 years, 8 months
Can SELinux log all file access?
by Bai Shuwei
Hi, ALL:
I cannot find any log tools to log all file access, including
delete/remove/read/write operations, so I want to know whether SELinux
supports this function. Thanks for your response!
Best Regards!
Bai Shuwei
--
Love other people, as same as love yourself!
Don't think all the time, do it by your hands!
Personal URL: http://dslab.lzu.edu.cn:8080/members/baishw/
E-Mail: baishuwei(a)gmail.com or baishuwei(a)dslab.lzu.edu.cn
14 years, 8 months
two denials one for ck-get-x11-serv and one for wine
by Antonio Olivares
Dear fellow selinux experts and users,
I had problems updating a rawhide machine and I used xfce spin to get back in the saddle. I encountered two denials and I post them here for guidance.
Thanks in Advance,
Antonio
Summary:
SELinux is preventing the ck-get-x11-serv from using potentially mislabeled
files (.Xauthority).
Detailed Description:
SELinux has denied ck-get-x11-serv access to potentially mislabeled file(s)
(.Xauthority). This means that SELinux will not allow ck-get-x11-serv to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.
Allowing Access:
If you want ck-get-x11-serv to access this files, you need to relabel them using
restorecon -v '.Xauthority'. You might want to relabel the entire directory
using restorecon -R -v ''.
Additional Information:
Source Context system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:admin_home_t:s0
Target Objects .Xauthority [ file ]
Source ck-get-x11-serv
Source Path /usr/libexec/ck-get-x11-server-pid
Port <Unknown>
Host (removed)
Source RPM Packages ConsoleKit-x11-0.3.1-2.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.26-8.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name (removed)
Platform Linux localhost.localdomain
2.6.31-0.125.rc5.git2.fc12.i686 #1 SMP Tue Aug 4
03:18:57 EDT 2009 i686 i686
Alert Count 1
First Seen Wed 12 Aug 2009 02:42:54 AM CDT
Last Seen Wed 12 Aug 2009 02:42:54 AM CDT
Local ID ffd20bb6-e1cf-466f-b51e-9de4c94b4991
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1250062974.438:22): avc: denied { read } for pid=1325 comm="ck-get-x11-serv" name=".Xauthority" dev=dm-0 ino=78946 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1250062974.438:22): arch=40000003 syscall=33 success=no exit=-13 a0=bffedfbc a1=4 a2=18ab18 a3=bffedfbc items=0 ppid=1324 pid=1325 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
Can't copy the wine one and can't submit the above one to bugzilla. The wine one looks serious as I try to run some windows programs that worked before without problems. Will see how I can capture them.
14 years, 8 months