[[patch] Please review: Make a confined kernel boot.
by Dominick Grift
Can someone please have a look at the following. This works for me, but:
https://bugzilla.redhat.com/show_bug.cgi?id=598475
I have removed the patch to dracut mentioned in the rhbz from my personal branch because it seems to no longer be needed. However, as far as I know, this patch is still applied in Fedora, because the maintainer wants proof that it is no longer needed and does not want to try it himself.
So the change in this patch will not be enough to make a stock fedora 14 boot unless you remove:
mount --bind /dev "$NEWROOT/dev"
chroot "$NEWROOT" /sbin/restorecon -R /dev
from selinux-loadpolicy.sh and regenerate a new initramfs.
Signed-off-by: Dominick Grift <domg472(a)gmail.com>
---
:100644 100644 c381190... cbd0d5c... M policy/modules/kernel/devices.if
:100644 100644 806026c... 07eea83... M policy/modules/kernel/kernel.te
:100644 100644 bde6daa... b2f68b8... M policy/modules/kernel/storage.if
policy/modules/kernel/devices.if | 37 +++++++++++++++++++++++++++++++++++++
policy/modules/kernel/kernel.te | 30 ++++++++++++++++++++----------
policy/modules/kernel/storage.if | 38 ++++++++++++++++++++++++++++++++++++++
3 files changed, 95 insertions(+), 10 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c381190..cbd0d5c 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -480,6 +480,24 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
########################################
## <summary>
+## Set attributes of generic block device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_generic_blk_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ setattr_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## Create generic block device files.
## </summary>
## <param name="domain">
@@ -3996,6 +4014,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
+## Delete USB character device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_generic_usb_dev',`
+ gen_require(`
+ type usb_device_t, device_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, usb_device_t)
+ dev_remove_entry_generic_dirs($1)
+')
+
+########################################
+## <summary>
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
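Review bot: `dev_remove_entry_generic_dirs($1)` in the new `dev_delete_generic_usb_dev` interface looks redundant if `delete_chr_files_pattern` is the standard refpolicy pattern macro, since that macro already grants the del_entry directory permissions on its second argument (device_t) together with delete_chr_file_perms on usb_device_t; the body could then be just `delete_chr_files_pattern($1, device_t, usb_device_t)`. The two storage.if interfaces in this patch use an explicit `allow` on the chr_file/blk_file plus `dev_remove_entry_generic_dirs($1)` instead, which is why they do need the extra call; using one form for all three new interfaces would make the granted access easier to audit. The interface itself is complete within the hunk.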
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 806026c..07eea83 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -185,6 +185,7 @@ allow kernel_t self:capability *;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
+allow kernel_t self:system module_request;
allow kernel_t self:msg { send receive };
allow kernel_t self:msgq create_msgq_perms;
allow kernel_t self:unix_dgram_socket create_socket_perms;
@@ -206,9 +207,9 @@ allow kernel_t proc_net_t:file read_file_perms;
allow kernel_t proc_mdstat_t:file read_file_perms;
-allow kernel_t proc_kcore_t:file getattr;
+allow kernel_t proc_kcore_t:file getattr_file_perms;
-allow kernel_t proc_kmsg_t:file getattr;
+allow kernel_t proc_kmsg_t:file getattr_file_perms;
allow kernel_t sysctl_kernel_t:dir list_dir_perms;
allow kernel_t sysctl_kernel_t:file read_file_perms;
@@ -242,10 +243,13 @@ dev_search_usbfs(kernel_t)
# devtmpfs handling:
dev_create_generic_dirs(kernel_t)
dev_delete_generic_dirs(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
dev_create_generic_blk_files(kernel_t)
dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
+dev_delete_generic_usb_dev(kernel_t)
+dev_setattr_generic_usb_dev(kernel_t)
dev_mounton(kernel_t)
# Mount root file system. Used when loading a policy
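Review bot: `dev_setattr_generic_usb_dev(kernel_t)` is called here but no interface of that name is added in this patch, and the diffstat lists only devices.if, kernel.te and storage.if. The same applies to `storage_setattr_scsi_generic_dev`, `storage_setattr_removable_dev`, `storage_setattr_fixed_disk_dev` and `storage_delete_fixed_disk_dev` in the later kernel.te hunk, since the 38 lines added to storage.if are exactly the two delete interfaces shown. Presumably these already exist in the tree; if any does not, the build fails on an undefined interface, so it is worth stating in the commit message that they are pre-existing rather than part of this change.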
@@ -259,7 +263,6 @@ term_use_all_terms(kernel_t)
term_use_ptmx(kernel_t)
corecmd_exec_shell(kernel_t)
-corecmd_list_bin(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
corecmd_exec_bin(kernel_t)
@@ -284,15 +287,13 @@ mls_file_read_all_levels(kernel_t)
mls_socket_write_all_levels(kernel_t)
mls_fd_share_all_levels(kernel_t)
-logging_manage_generic_logs(kernel_t)
+userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
')
-userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
-
optional_policy(`
hotplug_search_config(kernel_t)
')
@@ -302,16 +303,16 @@ optional_policy(`
')
optional_policy(`
- libs_use_ld_so(kernel_t)
- libs_use_shared_libs(kernel_t)
+ logging_manage_generic_logs(kernel_t)
+ logging_send_syslog_msg(kernel_t)
')
optional_policy(`
- logging_send_syslog_msg(kernel_t)
+ nis_use_ypbind(kernel_t)
')
optional_policy(`
- nis_use_ypbind(kernel_t)
+ plymouthd_manage_lib_files(kernel_t)
')
optional_policy(`
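Review bot: The removal of `libs_use_ld_so(kernel_t)` and `libs_use_shared_libs(kernel_t)` is not explained, while kernel_t keeps `corecmd_exec_shell` and `corecmd_exec_bin` (context in the earlier kernel.te hunk), both of which run dynamically linked programs from the kernel domain; if those two interfaces are deprecated no-ops in this tree the removal is harmless, otherwise the shell and /sbin/modprobe would lose ld.so and shared-library access, and the commit message should say which case applies. `plymouthd_manage_lib_files(kernel_t)` grants create, write and delete over plymouth's lib files to the kernel domain with no comment on what triggers it; a why-comment on that line, such as `# initramfs: plymouthd state is written while still in kernel_t` — if that is indeed the cause — keeps the grant auditable. Moving the two `logging_*` calls into their own optional_policy block changes nothing if the logging module is always present, which seems to be the intent.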
@@ -366,6 +367,15 @@ optional_policy(`
')
optional_policy(`
+ storage_delete_scsi_generic_dev(kernel_t)
+ storage_setattr_scsi_generic_dev(kernel_t)
+ storage_delete_removable_dev(kernel_t)
+ storage_setattr_removable_dev(kernel_t)
+ storage_delete_fixed_disk_dev(kernel_t)
+ storage_setattr_fixed_disk_dev(kernel_t)
+')
+
+optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index bde6daa..b2f68b8 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -388,6 +388,25 @@ interface(`storage_dontaudit_rw_fuse',`
########################################
## <summary>
+## Delete generic SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_delete_scsi_generic_dev',`
+ gen_require(`
+ type scsi_generic_device_t;
+ ')
+
+ allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms;
+ dev_remove_entry_generic_dirs($1)
+')
+
+########################################
+## <summary>
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
## </summary>
@@ -517,6 +536,25 @@ interface(`storage_dontaudit_rw_scsi_generic',`
########################################
## <summary>
+## Delete removable block device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_delete_removable_dev',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ allow $1 removable_device_t:blk_file delete_blk_file_perms;
+ dev_remove_entry_generic_dirs($1)
+')
+
+########################################
+## <summary>
## Allow the caller to get the attributes of removable
## devices device nodes.
## </summary>
--
1.7.2.3
Selinux and pyzor issues Fedora 14
by David Highley
type=SYSCALL msg=audit(1289762432.625:42770): arch=c000003e syscall=59 success=no exit=-13 a0=4ae4910 a1=2c32330 a2=19e8140 a3=8 items=0 ppid=6912 pid=6913 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
type=AVC msg=audit(1289762432.625:42770): avc: denied { execute_no_trans } for pid=6913 comm="spamassassin" path="/usr/bin/pyzor" dev=dm-0 ino=6052724 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
node-specific rules
by Mr Dash Four
I have a bit of a conundrum for the more knowledgeable on here: I would
like to define a block in the policy file (.te) - via tunable_policy
statement perhaps - which is executed based on a particular value set
from outside. For example:
I would like to activate a block of the following statements:
network_node(XXX, s0 - mls_systemhigh, YYY, ZZZ)
corenet_tcp_sendrecv_XXX_if(my_t)
corenet_udp_sendrecv_XXX_if(my_t)
corenet_tcp_sendrecv_XXX_node(my_t)
corenet_tcp_bind_XXX_node(my_t)
corenet_udp_bind_XXX_node(my_t)
depending on a particular value being set for XXX, YYY and ZZZ (being
the actual interface name, its IP address and netmask) from the outside
- possibly via the SELinux tools. Is that possible?
The reason I am doing this is that I am writing a policy for a couple
of domains/processes and want to restrict their access to a
particular node on a particular set of interfaces, which will be defined
(i.e. the interface name, IP address and netmask) AFTER the policy has
been built; and once defined, the values may change.
is not that complete to figure out how to deal with this. Any help is,
as always, appreciated. Thanks.
What is missing with this policy
by David Highley
When I install the following policy I see these warnings, what is
missing?
libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.
libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.
sshdfilter.fc:
/etc/rc\.d/init\.d/sshdfilter --
gen_context(system_u:object_r:sshdfilter_initrc_exec_t, s0)
/etc/sshdfilterrc.* -- gen_context(system_u:object_r:sshdfilter_etc_t, s0)
/usr/sbin/sshdfilter -- gen_context(system_u:object_r:sshdfilter_exec_t, s0)
#/var/run/sshdfilter.fifo -- gen_context(system_u:object_r:sshdfilter_syslog_t, s0)
sshdfilter.if:
## <summary></summary>
sshdfilter.te:
policy_module(sshdfilter, 1.0.7)
type sshdfilter_t;
type sshdfilter_exec_t;
init_daemon_domain(sshdfilter_t, sshdfilter_exec_t)
type sshdfilter_initrc_exec_t;
init_script_file(sshdfilter_initrc_exec_t)
type sshdfilter_etc_t;
files_config_file(sshdfilter_etc_t)
dev_read_urand(sshdfilter_t)
corecmd_search_bin(sshdfilter_t)
miscfiles_read_localization(sshdfilter_t)
require {
type var_run_t;
type usr_t;
type syslogd_t;
type etc_t;
type shell_exec_t;
type sshdfilter_t;
type bin_t;
type devlog_t;
type sshdfilter_etc_t;
type proc_t;
type net_conf_t;
class sock_file { write getattr };
class lnk_file read;
class unix_dgram_socket { write create connect ioctl sendto };
class file { execute read ioctl execute_no_trans getattr open create };
class fifo_file { write ioctl read open getattr };
class dir { write add_name remove_name };
}
#============= sshdfilter_t ==============
allow sshdfilter_t bin_t:file { read getattr open execute execute_no_trans };
allow sshdfilter_t bin_t:lnk_file read;
allow sshdfilter_t devlog_t:sock_file { write getattr };
allow sshdfilter_t etc_t:file { read getattr open };
allow sshdfilter_t proc_t:file { read getattr open };
allow sshdfilter_t self:fifo_file { read write ioctl getattr };
allow sshdfilter_t self:unix_dgram_socket { write create ioctl connect };
allow sshdfilter_t shell_exec_t:file { read execute open getattr execute_no_trans };
allow sshdfilter_t sshdfilter_etc_t:file { read ioctl open getattr };
allow sshdfilter_t syslogd_t:unix_dgram_socket sendto;
allow sshdfilter_t usr_t:file { read getattr open ioctl };
allow sshdfilter_t var_run_t:dir { write add_name remove_name };
allow sshdfilter_t var_run_t:file { write getattr unlink open create ioctl };
allow sshdfilter_t var_run_t:fifo_file { read open ioctl getattr };
allow sshdfilter_t net_conf_t:file { read getattr open };
optional_policy(`
iptables_domtrans(sshdfilter_t)
')
iptables AVC
by Tony Molloy
Hi,
I'm running SELinux in enforcing mode on fully updated CentOS-5 servers.
selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
After an upgrade of selinux-policy-targeted last night I'm seeing the
following AVC on several of the servers.
[root@garryowen ~]# sealert -l badcaefe-41c9-4fcc-a264-24bff72bcfd7
Summary:
SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).
Detailed Description:
SELinux denied access requested by iptables. It is not expected that this
access
is required by iptables and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:iptables_t
Target Context system_u:system_r:initrc_t
Target Objects socket [ unix_dgram_socket ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host garryowen.x.y.z
Source RPM Packages iptables-1.3.5-5.3.el5_4.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name garryowen.x.y.z
Platform Linux garryowen.x.y.z 2.6.18-194.17.4.el5
#1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64
x86_64
Alert Count 4
First Seen Fri Nov 12 07:58:02 2010
Last Seen Fri Nov 12 08:08:32 2010
Local ID badcaefe-41c9-4fcc-a264-24bff72bcfd7
Line Numbers
Raw Audit Messages
host=garryowen.x.y.z type=AVC msg=audit(1289549312.375:38126): avc: denied {
read write } for pid=12864 comm="iptables" path="socket:[14188]" dev=sockfs
ino=14188 scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket
host=garryowen.x.y.z type=SYSCALL msg=audit(1289549312.375:38126):
arch=c000003e syscall=59 success=yes exit=0 a0=b88cd30 a1=b88d5e0 a2=b883c40
a3=8 items=0 ppid=12849 pid=12864 auid=4294967295 uid=0 gid=997 euid=0 suid=0
fsuid=0 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="iptables"
exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
I can generate a local policy to allow this.
Regards,
Tony
Named and /dev/random Fedora 14
by David Highley
Anyone else seeing this issue with a new install of Fedora 14? Attempted
to get around issue with audit2allow, but was not successful.
time->Wed Nov 10 21:28:20 2010
type=SYSCALL msg=audit(1289453300.241:33869): arch=c000003e syscall=4
success=no exit=-13 a0=7f482c177050 a1=7f4826a61590 a2=7f4826a61590
a3=7f482960e150 items=0 ppid=4267 pid=4272 auid=1000 uid=25 gid=25
euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=1
comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0
key=(null)
type=AVC msg=audit(1289453300.241:33869): avc: denied { getattr } for
pid=4272 comm="named" path="/dev/random" dev=dm-0 ino=2361331
scontext=unconfined_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Wed Nov 10 21:45:00 2010
type=SYSCALL msg=audit(1289454300.409:5): arch=c000003e syscall=2
success=no exit=-13 a0=7f41edbc8050 a1=800 a2=0 a3=7f41eb05f150 items=0
ppid=1168 pid=1172 auid=4294967295 uid=25 gid=25 euid=25 suid=25
fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named"
exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1289454300.409:5): avc: denied { read } for
pid=1172 comm="named" name="random" dev=dm-0 ino=2361331
scontext=system_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Thu Nov 11 09:45:29 2010
type=SYSCALL msg=audit(1289497529.277:177): arch=c000003e syscall=2
success=no exit=-13 a0=7f3f6554f050 a1=800 a2=0 a3=7f3f629e6150 items=0
ppid=5581 pid=5585 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25
egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named"
exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1289497529.277:177): avc: denied { read } for
pid=5585 comm="named" name="random" dev=dm-0 ino=2361331
scontext=unconfined_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Thu Nov 11 09:48:34 2010
type=SYSCALL msg=audit(1289497714.136:178): arch=c000003e syscall=2
success=no exit=-13 a0=7f6e92cdc050 a1=800 a2=0 a3=7f6e90173150 items=0
ppid=5704 pid=5706 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25
egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named"
exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1289497714.136:178): avc: denied { read } for
pid=5706 comm="named" name="random" dev=dm-0 ino=2361331
scontext=unconfined_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Thu Nov 11 09:55:11 2010
type=SYSCALL msg=audit(1289498111.595:193): arch=c000003e syscall=4
success=no exit=-13 a0=7f90a3eb2050 a1=7f909e79c590 a2=7f909e79c590
a3=7f90a1349150 items=0 ppid=5916 pid=5921 auid=1000 uid=25 gid=25
euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=19
comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0
key=(null)
type=AVC msg=audit(1289498111.595:193): avc: denied { getattr } for
pid=5921 comm="named" path="/dev/random" dev=dm-0 ino=2361331
scontext=unconfined_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Thu Nov 11 09:56:26 2010
type=SYSCALL msg=audit(1289498186.109:195): arch=c000003e syscall=2
success=no exit=-13 a0=7f6e01308050 a1=800 a2=0 a3=7f6dfe79f150 items=0
ppid=6042 pid=6046 auid=1000 uid=25 gid=25 euid=25 suid=25 fsuid=25
egid=25 sgid=25 fsgid=25 tty=(none) ses=19 comm="named"
exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1289498186.109:195): avc: denied { read } for
pid=6046 comm="named" name="random" dev=dm-0 ino=2361331
scontext=unconfined_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
----
time->Thu Nov 11 10:01:50 2010
type=SYSCALL msg=audit(1289498510.975:204): arch=c000003e syscall=4
success=no exit=-13 a0=7f7313ba9050 a1=7f730f495590 a2=7f730f495590
a3=7f7311040150 items=0 ppid=6199 pid=6202 auid=1000 uid=25 gid=25
euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=19
comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0
key=(null)
type=AVC msg=audit(1289498510.975:204): avc: denied { getattr } for
pid=6202 comm="named" path="/dev/random" dev=dm-0 ino=2361331
scontext=unconfined_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file
sandbox in X11 root window on RHEL6
by Luc de Louw
Dear all,
I'm involved in a project which involves some hardened Linux clients. I
plan to realize them with RHEL6 desktops.
Recently I stumbled upon Dan Walsh's SELinux sandbox, which looks to fit
and surpasses the security requirements and it is part of RHEL6.
The goal is to run exactly one application in the X11 root window without
a separate login/authentication step; authentication is handled by the application itself.
So no gdm, kdm or xdm should run, and no GNOME, KDE or other desktop apps
and panels should be visible or accessible.
Any hints on this?
TIA for any advice,
Luc
sealerts upon updating to rawhide from F14
by Antonio Olivares
Dear fellow testers,
I see several sealerts aside from dracut error:
I tried to send in report via bugzilla, but forgot my password :(
I got this:
browser.py:277:row_activated:TypeError: GtkTreeSelection.get_selected can not be used when selection mode is gtk.SELECTION_MULTIPLE
Traceback (most recent call last):
File "/usr/lib64/python2.7/site-packages/setroubleshoot/browser.py", line 277, in row_activated
store, iter = x.get_selection().get_selected()
TypeError: GtkTreeSelection.get_selected can not be used when selection mode is gtk.SELECTION_MULTIPLE
Local variables in innermost frame:
y: (0,)
x: <gtk.TreeView object at 0x4d64050 (GtkTreeView at 0x2a4e260)>
self: <setroubleshoot.browser.BrowserApplet instance at 0x29d55a8>
z: <gtk.TreeViewColumn object at 0x4d647d0 (GtkTreeViewColumn at 0x4e4d260)>
newer F15 kernel dies quickly and drops to a shell, see semodule report
[olivares@localhost ~]$ rpm -qa kernel*
kernel-2.6.35.6-48.fc14.x86_64
kernel-devel-2.6.35.6-45.fc14.x86_64
kernel-2.6.35.6-46.fc14.x86_64
kernel-headers-2.6.36-1.fc15.x86_64
kernel-devel-2.6.35.6-48.fc14.x86_64
kernel-devel-2.6.36-1.fc15.x86_64
kernel-2.6.36-1.fc15.x86_64
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora release 15 (Rawhide)
[olivares@localhost ~]$ sealert
[olivares@localhost ~]$ cd Documents/
[olivares@localhost Documents]$ script report1.txt
Script started, file is report1.txt
[olivares@localhost Documents]$ su -
Password:
[root@localhost ~]# grep /usr/bin/xauth /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mypol.te
[root@localhost ~]# semodule -i mypol.pp
semodule: Failed on mypol.pp!
[root@localhost ~]# grep /bin/mount /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mypol.te
[root@localhost ~]# semodule -i mypol.pp
semodule: Failed on mypol.pp!
[root@localhost ~]# grep /usr/bin/nspluginscan /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mypol.te
[root@localhost ~]# semodule -i mypol.ppsemodule: Failed on mypol.pp!
Thanks in Advance,
Antonio
httpd_sys_content_t
by mark
In the process of trying to get rid of irritating messages, I'm still
trying to find and change the context from default_t. Well, I looked at
/public/htdocs, and notice that's default_t. So, looking at another
server, I see that one has them as httpd_sys_content_t. I try chcon
httpd_sys_content_t /public/htdocs... and chcon: invalid context:
httpd_sys_content_t
CentOS 5.5, current
rpm -qa | grep policy:
selinux-policy-targeted-2.4.6-279.el5_5.1
checkpolicy-1.33.1-6.el5
selinux-policy-2.4.6-279.el5_5.1
policycoreutils-1.33.12-14.8.el5
The other server is the same. Clues for the poor?
mark
26 alerts as of updating to rawhide now that Fedora 14 is out :(
by Antonio Olivares
Dear folks,
I have updated two working Fedora 14 machines to rawhide and have encountered several issues. On the only box that I can get X
http://www.smolts.org/client/show/pub_5ac3cf00-431e-4f01-bec4-8ee7abe1c644, I see 26 alerts: I have reported only 1(to bugzilla), for the rest I cannot since I don't get report link :(
/bin/mount file /proc/<pid>/mounts
if you want to allow mount to have read access on the mounts file by default
/sbin/killall5 getattr file /usr/sbin/sendmail.sendmail
If you want to allow killall5 to have getattr access on the sendmail.sendmail
file by default
nm-dispatcher.action
/usr/bin/hald
/usr/sbin/pcscd
rpc.idmapd
dhclient
wpa_supplicant
cupsd
polkitd
modem-manager
mdadm
udevd
atd
mingetty
acpid
abrtd
rpcbind
irqbalance
rsyslogd
audispd
auditd
If you want to fix the label, plymouthd(deleted) does not have the default
system label.
If you want to allow killall5 to have getattr access on the plymouthd (deleted)
file by default.
nspluginscan
.Xauthority
Dracut is broken, I can only boot Fedora 14 kernel, and not
[students@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux
[students@localhost ~]$ rpm -qa kernel-2.6.36
[students@localhost ~]$ rpm -qa kernel*
kernel-2.6.35.6-48.fc14.x86_64
kernel-devel-2.6.35.6-45.fc14.x86_64
kernel-2.6.35.6-46.fc14.x86_64
kernel-headers-2.6.36-1.fc15.x86_64
kernel-devel-2.6.35.6-48.fc14.x86_64
kernel-devel-2.6.36-1.fc15.x86_64
kernel-2.6.36-1.fc15.x86_64
I tried booting with enforcing=0 in the new 2.6.36-1.fc15.x86_64 kernel but it does not do anything :( Suggestions and advice welcome.
Thanks,
Antonio