November 2010 - selinux - Fedora Mailing-Lists

[[patch] Please review: Make a confined kernel boot.

by Dominick Grift

Can someone please have a look at the following. This works for me, but: https://bugzilla.redhat.com/show_bug.cgi?id=598475 I have removed the patch to dracut mentioned in the rhbz in my personal branch because it seems to no longer be needed. However this patch is still applied to Fedora as far as i know. Because maintainer wants proof that its no longer needed and he does not want to try it himself. So the change in this patch will not be enough to make a stock fedora 14 boot unless you remove: mount --bind /dev "$NEWROOT/dev" chroot "$NEWROOT" /sbin/restorecon -R /dev from selinux-loadpolicy.sh and regenerate a new initramfs. Signed-off-by: Dominick Grift <domg472(a)gmail.com> --- :100644 100644 c381190... cbd0d5c... M policy/modules/kernel/devices.if :100644 100644 806026c... 07eea83... M policy/modules/kernel/kernel.te :100644 100644 bde6daa... b2f68b8... M policy/modules/kernel/storage.if policy/modules/kernel/devices.if | 37 +++++++++++++++++++++++++++++++++++++ policy/modules/kernel/kernel.te | 30 ++++++++++++++++++++---------- policy/modules/kernel/storage.if | 38 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 95 insertions(+), 10 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index c381190..cbd0d5c 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -480,6 +480,24 @@ interface(`dev_dontaudit_setattr_generic_blk_files',` ######################################## ## <summary> +## Set attributes of generic block device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_generic_blk_files',` + gen_require(` + type device_t; + ') + + setattr_blk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> ## Create generic block device files. ## </summary> ## <param name="domain"> @@ -3996,6 +4014,25 @@ interface(`dev_write_urand',` ######################################## ## <summary> +## Delete USB character device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_generic_usb_dev',` + gen_require(` + type usb_device_t, device_t; + ') + + delete_chr_files_pattern($1, device_t, usb_device_t) + dev_remove_entry_generic_dirs($1) +') + +######################################## +## <summary> ## Getattr generic the USB devices. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 806026c..07eea83 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -185,6 +185,7 @@ allow kernel_t self:capability *; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; allow kernel_t self:sem create_sem_perms; +allow kernel_t self:system module_request; allow kernel_t self:msg { send receive }; allow kernel_t self:msgq create_msgq_perms; allow kernel_t self:unix_dgram_socket create_socket_perms; @@ -206,9 +207,9 @@ allow kernel_t proc_net_t:file read_file_perms; allow kernel_t proc_mdstat_t:file read_file_perms; -allow kernel_t proc_kcore_t:file getattr; +allow kernel_t proc_kcore_t:file getattr_file_perms; -allow kernel_t proc_kmsg_t:file getattr; +allow kernel_t proc_kmsg_t:file getattr_file_perms; allow kernel_t sysctl_kernel_t:dir list_dir_perms; allow kernel_t sysctl_kernel_t:file read_file_perms; @@ -242,10 +243,13 @@ dev_search_usbfs(kernel_t) # devtmpfs handling: dev_create_generic_dirs(kernel_t) dev_delete_generic_dirs(kernel_t) +dev_setattr_generic_blk_files(kernel_t) dev_create_generic_blk_files(kernel_t) dev_delete_generic_blk_files(kernel_t) dev_create_generic_chr_files(kernel_t) dev_delete_generic_chr_files(kernel_t) +dev_delete_generic_usb_dev(kernel_t) +dev_setattr_generic_usb_dev(kernel_t) dev_mounton(kernel_t) # Mount root file system. Used when loading a policy @@ -259,7 +263,6 @@ term_use_all_terms(kernel_t) term_use_ptmx(kernel_t) corecmd_exec_shell(kernel_t) -corecmd_list_bin(kernel_t) # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. corecmd_exec_bin(kernel_t) @@ -284,15 +287,13 @@ mls_file_read_all_levels(kernel_t) mls_socket_write_all_levels(kernel_t) mls_fd_share_all_levels(kernel_t) -logging_manage_generic_logs(kernel_t) +userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) ifdef(`distro_redhat',` # Bugzilla 222337 fs_rw_tmpfs_chr_files(kernel_t) ') -userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) - optional_policy(` hotplug_search_config(kernel_t) ') @@ -302,16 +303,16 @@ optional_policy(` ') optional_policy(` - libs_use_ld_so(kernel_t) - libs_use_shared_libs(kernel_t) + logging_manage_generic_logs(kernel_t) + logging_send_syslog_msg(kernel_t) ') optional_policy(` - logging_send_syslog_msg(kernel_t) + nis_use_ypbind(kernel_t) ') optional_policy(` - nis_use_ypbind(kernel_t) + plymouthd_manage_lib_files(kernel_t) ') optional_policy(` @@ -366,6 +367,15 @@ optional_policy(` ') optional_policy(` + storage_delete_scsi_generic_dev(kernel_t) + storage_setattr_scsi_generic_dev(kernel_t) + storage_delete_removable_dev(kernel_t) + storage_setattr_removable_dev(kernel_t) + storage_delete_fixed_disk_dev(kernel_t) + storage_setattr_fixed_disk_dev(kernel_t) +') + +optional_policy(` unconfined_domain_noaudit(kernel_t) ') diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index bde6daa..b2f68b8 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -388,6 +388,25 @@ interface(`storage_dontaudit_rw_fuse',` ######################################## ## <summary> +## Delete generic SCSI interface device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_delete_scsi_generic_dev',` + gen_require(` + type scsi_generic_device_t; + ') + + allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms; + dev_remove_entry_generic_dirs($1) +') + +######################################## +## <summary> ## Allow the caller to get the attributes of ## the generic SCSI interface device nodes. ## </summary> @@ -517,6 +536,25 @@ interface(`storage_dontaudit_rw_scsi_generic',` ######################################## ## <summary> +## Delete removable block device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_delete_removable_dev',` + gen_require(` + type removable_device_t; + ') + + allow $1 removable_device_t:blk_file delete_blk_file_perms; + dev_remove_entry_generic_dirs($1) +') + +######################################## +## <summary> ## Allow the caller to get the attributes of removable ## devices device nodes. ## </summary> -- 1.7.2.3

13 years, 5 months

1
0
0 / 0

Selinux and pyzor issues Fedora 14

by David Highley

type=SYSCALL msg=audit(1289762432.625:42770): arch=c000003e syscall=59 success=no exit=-13 a0=4ae4910 a1=2c32330 a2=19e8140 a3=8 items=0 ppid=6912 pid=6913 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null) type=AVC msg=audit(1289762432.625:42770): avc: denied { execute_no_trans } for pid=6913 comm="spamassassin" path="/usr/bin/pyzor" dev=dm-0 ino=6052724 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

13 years, 5 months

2
2
0 / 0

node-specific rules

by Mr Dash Four

I have a bit of a conundrum for the more knowledgeable on here: I would like to define a block in the policy file (.te) - via tunable_policy statement perhaps - which is executed based on a particular value set from outside. For example: I would like to activate a block of the following statements: network_node(XXX, s0 - mls_systemhigh, YYY, ZZZ) corenet_tcp_sendrecv_XXX_if(my_t) corenet_udp_sendrecv_XXX_if(my_t) corenet_tcp_sendrecv_XXX_node(my_t) corenet_tcp_bind_XXX_node(my_t) corenet_udp_bind_XXX_node(my_t) depending on a particular value being set for XXX, YYY and ZZZ (being the actual interface name, its IP address and netmask) from the outside - possibly via the SELinux tools. Is that possible? The reason I am doing this is because I am writing a policy for a couple of domains/processes and want to restrict their access down to a particular node of particular number of interface which will be defined (i.e. the interface name, IP address and netmask) AFTER the policy has been built and once defined, the values may change. My SELinux knowledge is not that complete to figure out how to deal with this. Any help is, as always, appreciated. Thanks.

13 years, 5 months

1
1
0 / 0

What is missing with this policy

by David Highley

When I install the following policy I see these warnings, what is missing? libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context. libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context. sshdfilter.fc: /etc/rc\.d/init\.d/sshdfilter -- gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0) /etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0) /usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0) #/var/run/sshdfilter.fifo -- gen_context(system_u:object_r:sshdfilter_syslog_t, s0) sshdfilter.if: ## <summary></summary> sshdfilter.te: policy_module(sshdfilter, 1.0.7) type sshdfilter_t; type sshdfilter_exec_t; init_daemon_domain(sshdfilter_t, sshdfilter_exec_t) type sshdfilter_initrc_exec_t; init_script_file(sshdfilter_initrc_exec_t) type sshdfilter_etc_t; files_config_file(sshdfilter_etc_t) dev_read_urand(sshdfilter_t) corecmd_search_bin(sshdfilter_t) miscfiles_read_localization(sshdfilter_t) require { type var_run_t; type usr_t; type syslogd_t; type etc_t; type shell_exec_t; type sshdfilter_t; type bin_t; type devlog_t; type sshdfilter_etc_t; type proc_t; type net_conf_t; class sock_file { write getattr }; class lnk_file read; class unix_dgram_socket { write create connect ioctl sendto }; class file { execute read ioctl execute_no_trans getattr open create }; class fifo_file { write ioctl read open getattr }; class dir { write add_name remove_name }; } #============= sshdfilter_t ============== allow sshdfilter_t bin_t:file { read getattr open execute execute_no_trans }; allow sshdfilter_t bin_t:lnk_file read; allow sshdfilter_t devlog_t:sock_file { write getattr }; allow sshdfilter_t etc_t:file { read getattr open }; allow sshdfilter_t proc_t:file { read getattr open }; allow sshdfilter_t self:fifo_file { read write ioctl getattr }; allow sshdfilter_t self:unix_dgram_socket { write create ioctl connect }; allow sshdfilter_t shell_exec_t:file { read execute open getattr execute_no_trans }; allow sshdfilter_t sshdfilter_etc_t:file { read ioctl open getattr }; allow sshdfilter_t syslogd_t:unix_dgram_socket sendto; allow sshdfilter_t usr_t:file { read getattr open ioctl }; allow sshdfilter_t var_run_t:dir { write add_name remove_name }; allow sshdfilter_t var_run_t:file { write getattr unlink open create ioctl }; allow sshdfilter_t var_run_t:fifo_file { read open ioctl getattr }; allow sshdfilter_t net_conf_t:file { read getattr open }; optional_policy(` iptables_domtrans(sshdfilter_t) ')

13 years, 5 months

3
5
0 / 0

iptables AVC

by Tony Molloy

Hi, I'm running SELinux in enforcing mode on fully updated CentOS-5 servers. selinux-policy-targeted-2.4.6-279.el5_5.2.noarch After an upgrade of selinux-policy-targeted last night I'm seeing the following AVC on several of the servers. [root@garryowen ~]# sealert -l badcaefe-41c9-4fcc-a264-24bff72bcfd7 Summary: SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t). Detailed Description: SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:iptables_t Target Context system_u:system_r:initrc_t Target Objects socket [ unix_dgram_socket ] Source iptables Source Path /sbin/iptables Port <Unknown> Host garryowen.x.y.z Source RPM Packages iptables-1.3.5-5.3.el5_4.1 Target RPM Packages Policy RPM selinux-policy-2.4.6-279.el5_5.2 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name garryowen.x.y.z Platform Linux garryowen.x.y.z 2.6.18-194.17.4.el5 #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64 x86_64 Alert Count 4 First Seen Fri Nov 12 07:58:02 2010 Last Seen Fri Nov 12 08:08:32 2010 Local ID badcaefe-41c9-4fcc-a264-24bff72bcfd7 Line Numbers Raw Audit Messages host=garryowen.x.y.z type=AVC msg=audit(1289549312.375:38126): avc: denied { read write } for pid=12864 comm="iptables" path="socket:[14188]" dev=sockfs ino=14188 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket host=garryowen.x.y.z type=SYSCALL msg=audit(1289549312.375:38126): arch=c000003e syscall=59 success=yes exit=0 a0=b88cd30 a1=b88d5e0 a2=b883c40 a3=8 items=0 ppid=12849 pid=12864 auid=4294967295 uid=0 gid=997 euid=0 suid=0 fsuid=0 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null) I can generate a local policy to allow this. Regards, Tony

13 years, 5 months

2
1
0 / 0

Named and /dev/random Fedora 14

by David Highley

Anyone else seeing this issue with a new install of Fedora 14? Attempted to get around issue with audit2allow, but was not successful. time->Wed Nov 10 21:28:20 2010 type=SYSCALL msg=audit(1289453300.241:33869): arch=c000003e syscall=4 success=no exit=-13 a0=7f482c177050 a1=7f4826a61590 a2=7f4826a61590 a3=7f482960e150 items=0 ppid=4267 pid=4272 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1289453300.241:33869): avc: denied { getattr } for pid=4272 comm="named" path="/dev/random" dev=dm-0 ino=2361331 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file ---- time->Wed Nov 10 21:45:00 2010 type=SYSCALL msg=audit(1289454300.409:5): arch=c000003e syscall=2 success=no exit=-13 a0=7f41edbc8050 a1=800 a2=0 a3=7f41eb05f150 items=0 ppid=1168 pid=1172 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1289454300.409:5): avc: denied { read } for pid=1172 comm="named" name="random" dev=dm-0 ino=2361331 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file ---- time->Thu Nov 11 09:45:29 2010 type=SYSCALL msg=audit(1289497529.277:177): arch=c000003e syscall=2 success=no exit=-13 a0=7f3f6554f050 a1=800 a2=0 a3=7f3f629e6150 items=0 ppid=5581 pid=5585 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1289497529.277:177): avc: denied { read } for pid=5585 comm="named" name="random" dev=dm-0 ino=2361331 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file ---- time->Thu Nov 11 09:48:34 2010 type=SYSCALL msg=audit(1289497714.136:178): arch=c000003e syscall=2 success=no exit=-13 a0=7f6e92cdc050 a1=800 a2=0 a3=7f6e90173150 items=0 ppid=5704 pid=5706 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1289497714.136:178): avc: denied { read } for pid=5706 comm="named" name="random" dev=dm-0 ino=2361331 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file ---- time->Thu Nov 11 09:55:11 2010 type=SYSCALL msg=audit(1289498111.595:193): arch=c000003e syscall=4 success=no exit=-13 a0=7f90a3eb2050 a1=7f909e79c590 a2=7f909e79c590 a3=7f90a1349150 items=0 ppid=5916 pid=5921 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1289498111.595:193): avc: denied { getattr } for pid=5921 comm="named" path="/dev/random" dev=dm-0 ino=2361331 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file ---- time->Thu Nov 11 09:56:26 2010 type=SYSCALL msg=audit(1289498186.109:195): arch=c000003e syscall=2 success=no exit=-13 a0=7f6e01308050 a1=800 a2=0 a3=7f6dfe79f150 items=0 ppid=6042 pid=6046 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1289498186.109:195): avc: denied { read } for pid=6046 comm="named" name="random" dev=dm-0 ino=2361331 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file ---- time->Thu Nov 11 10:01:50 2010 type=SYSCALL msg=audit(1289498510.975:204): arch=c000003e syscall=4 success=no exit=-13 a0=7f7313ba9050 a1=7f730f495590 a2=7f730f495590 a3=7f7311040150 items=0 ppid=6199 pid=6202 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1289498510.975:204): avc: denied { getattr } for pid=6202 comm="named" path="/dev/random" dev=dm-0 ino=2361331 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file

13 years, 5 months

2
4
0 / 0

sandbox in X11 root window on RHEL6

by Luc de Louw

Dear all, I'm involved in a project which involves some hardened Linux clients. I plan to realize them with RHEL6 desktops. Recently I stumbled upon Dan Walsh's SELinux sandbox, which looks to fit and surpasses the security requirements and it is part of RHEL6. The goal is to run exactly one application in the X11 root window w/o authentication, this is done by the application. So, not gdm, kdm, xdm should run, no gnome-,kde- whatever-desktops apps and panels should be visible/accessible. Any hints on this? TIA for any advice, Luc

13 years, 5 months

2
1
0 / 0

sealerts upon updating to rawhide from F14

by Antonio Olivares

Dear fellow tests, I see several sealerts aside from dracut error: I tried to send in report via bugzilla, but forgot my password :( I got this: browser.py:277:row_activated:TypeError: GtkTreeSelection.get_selected can not be used when selection mode is gtk.SELECTION_MULTIPLE Traceback (most recent call last): File "/usr/lib64/python2.7/site-packages/setroubleshoot/browser.py", line 277, in row_activated store, iter = x.get_selection().get_selected() TypeError: GtkTreeSelection.get_selected can not be used when selection mode is gtk.SELECTION_MULTIPLE Local variables in innermost frame: y: (0,) x: <gtk.TreeView object at 0x4d64050 (GtkTreeView at 0x2a4e260)> self: <setroubleshoot.browser.BrowserApplet instance at 0x29d55a8> z: <gtk.TreeViewColumn object at 0x4d647d0 (GtkTreeViewColumn at 0x4e4d260)> newer F15 kernel dies quickly and drops to a shell, see semodule report [olivares@localhost ~]$ rpm -qa kernel* kernel-2.6.35.6-48.fc14.x86_64 kernel-devel-2.6.35.6-45.fc14.x86_64 kernel-2.6.35.6-46.fc14.x86_64 kernel-headers-2.6.36-1.fc15.x86_64 kernel-devel-2.6.35.6-48.fc14.x86_64 kernel-devel-2.6.36-1.fc15.x86_64 kernel-2.6.36-1.fc15.x86_64 [olivares@localhost ~]$ cat /etc/fedora-release Fedora release 15 (Rawhide) [olivares@localhost ~]$ sealert [olivares@localhost ~]$ cd Documents/ [olivares@localhost Documents]$ script report1.txt Script started, file is report1.txt [olivares@localhost Documents]$ su - Password: [root@localhost ~]# grep /usr/bin/xauth /var/log/audit/audit.log | audit2allow -M mypol compilation failed: mypol.te:6:ERROR 'syntax error' at token '' on line 6: /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from mypol.te [root@localhost ~]# semodule -i mypol.pp semodule: Failed on mypol.pp! [root@localhost ~]# grep /bin/mount /var/log/audit/audit.log | audit2allow -M mypol compilation failed: mypol.te:6:ERROR 'syntax error' at token '' on line 6: /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from mypol.te [root@localhost ~]# semodule -i mypol.pp semodule: Failed on mypol.pp! [root@localhost ~]# grep /usr/bin/nspluginscan /var/log/audit/audit.log | audit2allow -M mypol compilation failed: mypol.te:6:ERROR 'syntax error' at token '' on line 6: /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from mypol.te [root@localhost ~]# semodule -i mypol.ppsemodule: Failed on mypol.pp! Thanks in Advance, Antonio

13 years, 5 months

2
1
0 / 0

httpd_sys_content_t

by mark

In the process of trying to get rid of irritating messages, I'm still trying to find and change the context from default_t. Well, I looked at /public/htdocs, and notice that's default_t. So, looking at another server, I see that one has them as httpd_sys_content_t. I try chcon httpd_sys_content_t /public/htdocs... and chcon: invalid context: httpd_sys_content_t CentOS 5.5, current rpm -qa | grep policy: selinux-policy-targeted-2.4.6-279.el5_5.1 checkpolicy-1.33.1-6.el5 selinux-policy-2.4.6-279.el5_5.1 policycoreutils-1.33.12-14.8.el5 The other server is the same. Clues for the poor? mark

13 years, 5 months

2
1
0 / 0

26 alerts as of updating to rawhide now that Fedora 14 is out :(

by Antonio Olivares

Dear folks, I have updated two working Fedora 14 machines to rawhide and have encountered several issues. On the only box that I can get X http://www.smolts.org/client/show/pub_5ac3cf00-431e-4f01-bec4-8ee7abe1c644, I see 26 alerts: I have reported only 1(to bugzilla), for the rest I cannot since I don't get report link :( /bin/mount file /proc/<pid>/mounts if you want to allow mount to have read access on the mounts file by default /sbin/killall5 getattr file /usr/sbin/sendmail.sendmail If you want to allow killall5 to have getattr access on the sendmail.sendmail file by default nm-dispatcher.action /usr/bin/hald /usr/sbin/pcscd rpc.idmapd dhclient wpa_supplicant cupsd polkitd modem-manager mdadm udevd atd mingetty acpid abrtd rpcbind irqbalance rsyslogd audispd auditd If you want to fix the label, plymouthd(deleted) does not have the default system label. If you want to allow killall5 to have getattr access on the plymouthd (deleted) file by default. nspluginscan .Xauthority Dracut is broken, I can only boot Fedora 14 kernel, and not [students@localhost ~]$ uname -a Linux localhost.localdomain 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux [students@localhost ~]$ rpm -qa kernel-2.6.36 [students@localhost ~]$ rpm -qa kernel* kernel-2.6.35.6-48.fc14.x86_64 kernel-devel-2.6.35.6-45.fc14.x86_64 kernel-2.6.35.6-46.fc14.x86_64 kernel-headers-2.6.36-1.fc15.x86_64 kernel-devel-2.6.35.6-48.fc14.x86_64 kernel-devel-2.6.36-1.fc15.x86_64 kernel-2.6.36-1.fc15.x86_64 I tried booting with enforcing=0 in the new 2.6.36-1.fc15.x86_64 kernel but it does not do anything :( suggestions/advice/ welcome. Thanks, Antonio

13 years, 5 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux November 2010