java processbuilder and SELinux
by Christoph Höger
Hi,
I found that (somehow quite old googling brought up fc3) issue on my f10
desktop:
I have a self compiled (proprietary - so no SELinux policy available)
program in my home dir. Running it via a terminal works fine. But
running from a java process (in that case eclipse) using a
ProcessBuilder returned:
cannot restore segment prot after reloc: Permission denied
I already thought that this was something SELinux related and I know
that the developers of that certain tool had no security in mind and I
stumbled upon textrel_shlib_t and allow_execmod, and indeed
allow_execmod fixed that issue (I'll need to relabel soon). But two
things seem really weird to me:
1. From a normal terminal using bash I can start that prog. Why?
2. There is no audit message in audit.log (and I had no "SELinux
prevented..." popup). Is that a bug?
Any suggestions on that? Bugzilla?
Christoph
14 years, 8 months
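Added example, not part of Christoph's post: the loader message quoted above is what ld.so prints when it has patched a text segment for relocations and the mprotect() that restores the executable protection fails; on SELinux that mprotect() is the `execmod` check, and the objects that need it are those built with text relocations (a `DT_TEXTREL` entry or `DF_TEXTREL` flag in the dynamic section, which `-fPIC` avoids). The script below reads that flag straight out of an ELF64 file, which is what `readelf -d` or `eu-findtextrel` would also tell you, so that a single offending binary can be labelled textrel_shlib_t instead of flipping allow_execmod for the whole system. The minimal ELF it builds for the demo is constructed and not loadable; `build_sample` and `scan` are names chosen here.

```python
"""Detect ELF text relocations (the property behind the execmod denial).
Added example; handles little-endian ELF64 only."""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 16, 30
DF_TEXTREL = 0x4


def has_textrel(elf: bytes) -> bool:
    """True if the image carries DT_TEXTREL or DF_TEXTREL in its dynamic
    section. ld.so must then write into a text segment and mprotect() it
    back to executable; failing that gives
    "cannot restore segment prot after reloc"."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        for j in range(p_filesz // 16):
            # Elf64_Dyn: d_tag (signed 64-bit), d_val (unsigned 64-bit)
            d_tag, d_val = struct.unpack_from("<qQ", elf, p_offset + j * 16)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    return False


def build_sample(textrel: bool) -> bytes:
    """Constructed minimal ELF64: header, one PT_DYNAMIC program header and
    a dynamic section. Enough for has_textrel(), not a loadable object."""
    entries = [(DT_FLAGS, DF_TEXTREL if textrel else 0)]
    if textrel:
        entries.append((DT_TEXTREL, 0))
    entries.append((DT_NULL, 0))
    dynamic = b"".join(struct.pack("<qQ", tag, val) for tag, val in entries)
    dyn_off = 64 + 56                      # after ELF header and one phdr
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                       len(dynamic), len(dynamic), 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LSB
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 62, 1, 0, 64, 0, 0,       # ET_DYN, x86-64
                               64, 56, 1, 0, 0, 0)          # phentsize, phnum
    return ehdr + phdr + dynamic


def scan(paths):
    """Map each path to True (TEXTREL), False (clean) or None (unreadable
    or not a little-endian ELF64 file)."""
    result = {}
    for path in paths:
        try:
            with open(path, "rb") as f:
                result[path] = has_textrel(f.read())
        except (OSError, ValueError):
            result[path] = None
    return result


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        # No files given: show the result on the two constructed samples.
        print("constructed textrel sample:", has_textrel(build_sample(True)))
        print("constructed clean sample:  ", has_textrel(build_sample(False)))
    for path, flag in scan(targets).items():
        state = "TEXTREL" if flag else ("ok" if flag is False else "skipped")
        print(f"{path}: {state}")
```

Run it as `python3 textrel.py /path/to/prog /path/to/lib*.so` on the binary and the libraries it loads; a `TEXTREL` hit is the object to label (or to rebuild with `-fPIC`), and a clean result means the denial should be looked for elsewhere.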
relabel after policy update
by Vadym Chepkov
Hi,
I wonder whether I have to relabel the system after each policy update; it seems rpm doesn't do a good job:
# restorecon -vR /usr
restorecon reset /usr/bin/pyzord context system_u:object_r:spamd_exec_t:s0->system_u:object_r:pyzord_exec_t:s0
restorecon reset /usr/bin/razor-report context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/razor-admin context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/razor-check context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/razor-client context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/razor-revoke context system_u:object_r:spamc_exec_t:s0->system_u:object_r:razor_exec_t:s0
restorecon reset /usr/bin/pyzor context system_u:object_r:spamc_exec_t:s0->system_u:object_r:pyzor_exec_t:s0
Sincerely yours,
Vadym Chepkov
14 years, 8 months
add a transition rule
by Vadym Chepkov
Hi,
I have a script, executed by apache, which is running in the httpd_svn_script_t domain. This script calls svn-mailer (bin_t), which in turn calls /usr/sbin/sendmail.sendmail (sendmail_exec_t), and since there is no transition defined, sendmail still runs in httpd_svn_script_t and I get a humongous number of AVCs. What would be the proper rule to add to the local policy to make sendmail run in the proper domain, sendmail_t?
And for that matter if httpd_can_sendmail --> on, shouldn't it be happening automatically? Thank you.
Sincerely yours,
Vadym Chepkov
14 years, 9 months
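Added example covering both Vadym's relabel question and his transition question; it is not code from either post and not from the Fedora policy. The domain a program ends up in after exec() is decided by the caller's domain and the label of the file being executed: a `type_transition` rule names the new domain, and the caller needs `execute` on the file type, the new domain needs `entrypoint` on it, and the caller needs `transition` to the new domain (the refpolicy macro `domain_auto_trans(src, exec_type, dst)` writes all four). With no `type_transition` the child simply keeps the caller's domain, which is why sendmail stays in httpd_svn_script_t; and with a mislabelled file (razor-check carrying spamc_exec_t) the lookup matches the wrong rule, which is why a relabel after a policy update matters. The model below reproduces that lookup on a constructed rule set; the real rules are read with `sesearch -T -s httpd_svn_script_t -t sendmail_exec_t -c process`. `Policy`, `exec_domain` and `build_policy` are names chosen for this example.

```python
"""Toy model of SELinux exec-time domain selection. Added example; the rules
in build_policy() are constructed to illustrate the thread, not real policy."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # allow rules: (source, target, class) -> set of permissions
    allow: dict = field(default_factory=dict)
    # type_transition rules for class process: (source, exec_type) -> new domain
    trans: dict = field(default_factory=dict)

    def permit(self, src, tgt, cls, *perms):
        self.allow.setdefault((src, tgt, cls), set()).update(perms)

    def allowed(self, src, tgt, cls, perm):
        return perm in self.allow.get((src, tgt, cls), set())

    def domtrans(self, src, exec_type, new_domain):
        """What domain_auto_trans(src, exec_type, new_domain) expands to."""
        self.permit(src, exec_type, "file", "execute")
        self.permit(new_domain, exec_type, "file", "entrypoint")
        self.permit(src, new_domain, "process", "transition")
        self.trans[(src, exec_type)] = new_domain


def exec_domain(policy: Policy, caller: str, file_type: str) -> str:
    """Domain the new process runs in; raises PermissionError on a denial."""
    if not policy.allowed(caller, file_type, "file", "execute"):
        raise PermissionError(f"denied {{ execute }} {caller} -> {file_type}")
    new = policy.trans.get((caller, file_type))
    if new is None:
        # No type_transition: the child keeps the caller's domain. This is
        # the sendmail-in-httpd_svn_script_t case from the post.
        return caller
    for src, tgt, cls, perm in ((caller, new, "process", "transition"),
                                (new, file_type, "file", "entrypoint")):
        if not policy.allowed(src, tgt, cls, perm):
            raise PermissionError(f"denied {{ {perm} }} {src} -> {tgt} ({cls})")
    return new


def build_policy(with_sendmail_transition: bool) -> Policy:
    """Constructed rule set: a CGI domain that may run bin_t and sendmail,
    and a spamd domain that may run razor and spamc helpers."""
    p = Policy()
    p.permit("httpd_svn_script_t", "bin_t", "file", "execute")
    p.permit("httpd_svn_script_t", "sendmail_exec_t", "file", "execute")
    p.domtrans("spamd_t", "razor_exec_t", "razor_t")
    # spamc_exec_t is executable by spamd_t here but has no transition, so a
    # razor binary wrongly labelled spamc_exec_t runs as spamd_t itself.
    p.permit("spamd_t", "spamc_exec_t", "file", "execute")
    if with_sendmail_transition:
        # The fix being asked for: domain_auto_trans for sendmail.
        p.domtrans("httpd_svn_script_t", "sendmail_exec_t", "sendmail_t")
    return p


if __name__ == "__main__":
    for fixed in (False, True):
        p = build_policy(fixed)
        print(f"sendmail transition rule present: {fixed}")
        print("  sendmail runs as:", exec_domain(p, "httpd_svn_script_t", "sendmail_exec_t"))
        print("  razor (razor_exec_t) runs as:", exec_domain(p, "spamd_t", "razor_exec_t"))
        print("  razor mislabelled spamc_exec_t runs as:", exec_domain(p, "spamd_t", "spamc_exec_t"))
```

The two outputs for sendmail (`httpd_svn_script_t` without the rule, `sendmail_t` with it) are the whole point: the AVCs seen in the thread are sendmail doing sendmail things while still carrying the CGI domain, and the cure is the transition, not allow rules for httpd_svn_script_t. In a local policy module the `domtrans` call corresponds to `domain_auto_trans(httpd_svn_script_t, sendmail_exec_t, sendmail_t)` or the equivalent sendmail interface from the base policy.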
Many SELinux complaints about ps after video card failure caused nouveau to fill /var
by Edward Kuns
I don't know if selinux was misbehaving or was just doing the best it
could on a crippled system. Apparently, my video card failed this
morning, causing nouveau to write 3.5 Gig of logs to /var/log/messages
in a matter of minutes -- the same text over and over and over. This
filled /var. I came upon the computer many hours later. The hard drive
light was flickering, so the computer was busy, but the computer was
basically crashed. Unreachable from the keyboard, unreachable from the
network.
To make a long story short, after I replaced the video card and moved an
enormous /var/log/messages to another partition for later review, then
rebooted, everything came up fine. And the tail end of the logs (when I
started cleaning things up) is full of selinux denials, almost all to
ps. I look at setroubleshoot and it has 50/50 complaints, almost all
about ps running in the context mysqld_safe_t, complaints such as:
SELinux is preventing ps (mysqld_safe_t) "getattr" hald_t.
SELinux is preventing ps (mysqld_safe_t) "getattr" initrc_t.
SELinux is preventing ps (mysqld_safe_t) "getattr" crond_t.
Is it worth my sending the full details for these AVCs to this list, or
is this an expected or understood misbehavior during /var-full
situations? (Or some 3rd option)
Thanks
Eddie
14 years, 9 months
ausearch and terminal
by Vadym Chepkov
Hi,
I observe a very strange behavior of the ausearch utility.
audit-1.7.7-6.el5_3.3
# cat /root/bin/autest.sh
/sbin/ausearch -m avc| wc -l
If I run it, I get expected results:
# /root/bin/autest.sh
1563
But if I run it from cron, I get this in e-mail:
<no matches>
0
Why??
Sincerely yours,
Vadym Chepkov
14 years, 9 months
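Added example for the two preceding posts (Eddie's pile of ps denials and Vadym's ausearch-in-cron puzzle); it is not code from either post. It reads the raw audit log from a path given explicitly, so it behaves the same from a terminal and from cron; ausearch, by contrast, reads stdin when stdin is not a terminal unless the log is named with `-if` or `--input-logs`. It counts AVC denials and groups them by command, source type, target type, class and permission, which turns fifty setroubleshoot alerts into a handful of lines that show the one real pattern (here, ps in mysqld_safe_t doing getattr on other domains' /proc entries). The log lines embedded below are constructed to mirror the denials described in the thread and are not real records. `summarize`, `parse_avc_lines` and `SAMPLE_LOG` are names chosen for this example.

```python
"""Aggregate AVC denials from a raw audit.log without relying on ausearch.
Added example; SAMPLE_LOG is constructed, not a real audit log."""
import re
import sys
from collections import Counter

SAMPLE_LOG = """\
type=AVC msg=audit(1250000000.123:101): avc:  denied  { getattr } for  pid=2000 comm="ps" path="/proc/1234" dev=proc ino=1 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dir
type=SYSCALL msg=audit(1250000000.123:101): arch=40000003 syscall=195 success=no exit=-13
type=AVC msg=audit(1250000000.456:102): avc:  denied  { getattr } for  pid=2000 comm="ps" path="/proc/1" dev=proc ino=2 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dir
type=AVC msg=audit(1250000001.000:103): avc:  denied  { getattr } for  pid=2000 comm="ps" path="/proc/1500" dev=proc ino=3 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=dir
type=AVC msg=audit(1250000002.000:104): avc:  denied  { getattr } for  pid=2001 comm="ps" path="/proc/1234" dev=proc ino=1 scontext=system_u:system_r:mysqld_safe_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dir
type=AVC msg=audit(1250000003.000:105): avc:  denied  { read } for  pid=3000 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Field order follows the kernel's AVC record format: decision, permissions,
# then pid/comm/..., then scontext, tcontext and tclass.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context: str) -> str:
    """user:role:type[:mls] -> type"""
    return context.split(":")[2]


def parse_avc_lines(text: str):
    """Yield one dict per AVC record; other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text: str):
    """Return (number of denials, Counter keyed by
    (comm, source type, target type, tclass, permissions))."""
    counts = Counter()
    for rec in parse_avc_lines(text):
        if rec["decision"] != "denied":
            continue
        key = (rec["comm"], type_of(rec["scon"]), type_of(rec["tcon"]),
               rec["tclass"], rec["perms"])
        counts[key] += 1
    return sum(counts.values()), counts


def report(text: str, top: int = 10) -> str:
    total, counts = summarize(text)
    lines = [f"{total} AVC denials"]
    for (comm, stype, ttype, tclass, perms), n in counts.most_common(top):
        lines.append(f"{n:6d}  {comm:<12} {stype:<22} -> {ttype:<22} {tclass}:{perms}")
    return "\n".join(lines)


if __name__ == "__main__":
    # With a path, read that log (cron-safe); without one, use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as f:
            print(report(f.read()))
    else:
        print(report(SAMPLE_LOG))
```

From cron this would be `/usr/bin/python3 avcsum.py /var/log/audit/audit.log`; the equivalent with ausearch itself is `ausearch -m avc -if /var/log/audit/audit.log | wc -l`, where the explicit `-if` removes the stdin dependency.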
semodule returns "cannot allocate memory" --
by Edward Kuns
A module previously loaded disappeared when I had to totally reload
policy from scratch on a Fedora 8 -> 11 upgrade. By "totally reload" I
mean:
# cd /etc/selinux/targeted
# mv modules modules.old
# yum erase selinux-policy selinux-policy-targeted
# yum install selinux-policy selinux-policy-targeted
The above fixed my corrupted policy that nothing else appeared to be
able to fix, but I forgot to reload some custom modules that I have
locally, only one of which seems to be needed today (for mailman).
Today I tried to reload this custom module and I got:
So I tried to reload it:
[root@kilroy policy]# semodule -i mymailman.pp
SELinux: Could not load policy
file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
/usr/sbin/load_policy: Can't load policy: Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux: Could not load policy
file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
/usr/sbin/load_policy: Can't load policy: Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
I rebooted and tried again to the same result.
I currently have selinux-policy (and -targeted) 3.6.12-69.fc11. Well, I
tried the above again (move and reinstall of policy) and got the
following failure on the reinstall:
Installing : selinux-policy-3.6.12-69.fc11.noarch 1/4
Installing : selinux-policy-targeted-3.6.12-69.fc11.noarch 2/4
SELinux: Could not load policy
file /etc/selinux/targeted/policy/policy.24: Cannot allocate memory
/usr/sbin/load_policy: Can't load policy: Cannot allocate memory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
libsemanage.semanage_install_active: Could not
copy /etc/selinux/targeted/modules/active/policy.kern
to /etc/selinux/targeted/policy/policy.24. (No such file or directory).
semodule: Failed!
Installing : setroubleshoot-2.1.14-2.fc11.i586 3/4
Installing : policycoreutils-gui-2.0.62-12.12.fc11.i586 4/4
So now I think I'm worse off than before. How do I fix this? By the
way, this server has 4 GB memory, so it's hard to believe I'm truly out
of memory. Also, swap is not being used. But if I look
in /var/log/messages, I see the following:
vmap allocation for size 3801088 failed: use vmalloc=<size> to increase size.
How do I fix this, and just how bad is my selinux messed up?
Thanks
Eddie
14 years, 9 months
Did cert_t go away for /var/named/chroot/etc/pki?
by Edward Kuns
Due to the problems I've described recently, I fully reloaded my selinux
policy and finally did a full relabel. During this relabel, I saw
things such as the following:
restorecon reset /var/named/chroot/etc/pki/dnssec-keys/harvest/time.gov.conf context system_u:object_r:cert_t:s0->system_u:object_r:etc_t:s0
and when I run system-config-selinux and go to "File labeling" and
search for pki, indeed I only see pki in the two following file specs:
/etc/pki(/.*)?
/etc/pki/dovecot(/.*)?
The policy currently installed is:
selinux-policy-3.6.12-69.fc11.noarch
selinux-policy-targeted-3.6.12-69.fc11.noarch
Am I missing something? Is this an expected change?
Thanks
Eddie
14 years, 9 months