Apache/PHP mail function SELinux permissions
by Ted Rule
I've had a "problem" recently with SELinux permissions related to PHP's
mail functions. These appear to give rise to two different classes of error,
one for read permissions on the httpd_t domain itself, and one for
read/write permission on a file in the httpd_tmp_t domain.
aureport gives this:
$ sudo aureport -a |grep system_mail |head
6. 25/10/09 13:12:48 sendmail user_u:system_r:system_mail_t:s0 11 file read user_u:system_r:httpd_t:s0 denied 116101
7. 25/10/09 13:15:57 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116102
17. 25/10/09 13:39:46 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116124
23. 25/10/09 13:43:04 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116136
24. 25/10/09 13:43:04 sendmail user_u:system_r:system_mail_t:s0 11 file read user_u:system_r:httpd_t:s0 denied 116136
30. 25/10/09 13:52:57 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116148
31. 25/10/09 13:52:57 sendmail user_u:system_r:system_mail_t:s0 11 file read user_u:system_r:httpd_t:s0 denied 116148
39. 25/10/09 14:01:18 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116168
40. 25/10/09 14:01:18 sendmail user_u:system_r:system_mail_t:s0 11 file read user_u:system_r:httpd_t:s0 denied 116168
48. 25/10/09 14:11:50 sendmail user_u:system_r:system_mail_t:s0 11 file read write user_u:object_r:httpd_tmp_t:s0 denied 116181
Policy on the Apache hosts currently uses selinux-policy-2.4.6-203.el5
Looking in more detail at ausearch we see that the httpd_t related avc
is apparently related to an "eventpoll" file descriptor, whilst the
httpd_tmp_t avc is probably for a file created by php in /tmp.
Looking at the php source code itself, I see that it is simply opening a
temporary file containing the body of the Email and pouring it via a
pipe into an instance of sendmail via popen().
As such, it seems likely that both classes of AVCs are simply file
descriptors "leaking" into the popen'ed child process running in the
system_mail_t domain.
Sadly, for other reasons, the Apache hosts are still in permissive, so
it's currently unclear to me whether the PHP mail function would fail
completely if either of these permissions were denied in enforcing mode,
but it makes me wonder whether there would be any sense in a wider
solution to leaky descriptors which caused popen() itself to close all
file descriptors other than STDIN/STDOUT/STDERR if the popen'ed
executable implies a domain transition. Alternatively, one might
envisage a set of selinux booleans which allowed a more granular control
of leaked descriptors outside of STDIN/STDOUT/STDERR.
The other potential policy improvement would be for system_mail_t to
simply "dontaudit" denials relating to eventpoll class file descriptors
and temporary files in context *_tmp_t.
time->Sun Oct 25 13:12:48 2009
type=SYSCALL msg=audit(1256476368.217:116101): arch=40000003 syscall=11 success=yes exit=0 a0=97e5ff0 a1=97e5798 a2=97e5600 a3=40 items=0 ppid=20809 pid=22040 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256476368.217:116101): avc: denied { read } for pid=22040 comm="sendmail" path="eventpoll:[129640960]" dev=eventpollfs ino=129640960 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
----
time->Sun Oct 25 13:15:57 2009
type=SYSCALL msg=audit(1256476557.234:116102): arch=40000003 syscall=11 success=yes exit=0 a0=9ab7ff0 a1=9ab7798 a2=9ab7600 a3=40 items=0 ppid=21767 pid=22099 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256476557.234:116102): avc: denied { read write } for pid=22099 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Sun Oct 25 13:39:46 2009
type=SYSCALL msg=audit(1256477986.012:116124): arch=40000003 syscall=11 success=yes exit=0 a0=97f1ff0 a1=97f1798 a2=97f1600 a3=40 items=0 ppid=23457 pid=23560 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256477986.012:116124): avc: denied { read write } for pid=23560 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Sun Oct 25 13:43:04 2009
type=SYSCALL msg=audit(1256478184.954:116136): arch=40000003 syscall=11 success=yes exit=0 a0=8f48ff0 a1=8f48798 a2=8f48600 a3=40 items=0 ppid=23048 pid=23802 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256478184.954:116136): avc: denied { read } for pid=23802 comm="sendmail" path="eventpoll:[129701955]" dev=eventpollfs ino=129701955 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1256478184.954:116136): avc: denied { read write } for pid=23802 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Sun Oct 25 13:52:57 2009
type=SYSCALL msg=audit(1256478777.377:116148): arch=40000003 syscall=11 success=yes exit=0 a0=945bff0 a1=945b798 a2=945b600 a3=40 items=0 ppid=24396 pid=24439 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=11966 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=user_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1256478777.377:116148): avc: denied { read } for pid=24439 comm="sendmail" path="eventpoll:[129734033]" dev=eventpollfs ino=129734033 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1256478777.377:116148): avc: denied { read write } for pid=24439 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
----
--
Ted Rule
Director, Layer3 Systems Ltd
Layer3 Systems Limited is registered in England. Company no 3130393
W: http://www.layer3.co.uk/
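As an added example (not code from Ted's post), a small Python parser that reads the ausearch AVC records quoted above, decodes the hex-encoded path= field (auditd hex-encodes a path that contains a space, quote or control byte, which is why the httpd_tmp_t record's path looks like a blob), groups denials by source type, target type, class and permissions, and flags file-class denials whose target is a process context rather than object_r, which is what a descriptor inherited across the popen() domain transition looks like. It assumes one record per line, as ausearch prints them.

```python
"""Summarise SELinux AVC records such as the ausearch output quoted above.

Added example; not code from the original post.  Assumes one record per
line, as ausearch prints them.
"""
import re
from collections import Counter

# Two AVC records copied from the post: one eventpoll descriptor inherited
# from httpd_t, and one PHP temp file in /tmp (httpd_tmp_t).  auditd emits the
# second path as hex because it contains a space.
SAMPLE = """\
type=AVC msg=audit(1256476368.217:116101): avc: denied { read } for pid=22040 comm="sendmail" path="eventpoll:[129640960]" dev=eventpollfs ino=129640960 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1256476557.234:116102): avc: denied { read write } for pid=22099 comm="sendmail" path=2F746D702F2E7863616368652E302E302E313032353230323336322E6C6F636B202864656C6574656429 dev=dm-3 ino=97922 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:httpd_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): *avc: +denied +'
    r'\{ *(?P<perms>[^}]*?) *\} +for +(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
# Only these string fields are hex-encoded by auditd when they hold unsafe bytes;
# numeric fields such as ino= must never be hex-decoded.
HEX_FIELDS = {'path', 'name', 'comm', 'exe'}


def decode_field(key, value):
    """Strip the quotes auditd puts around safe strings; hex-decode unsafe ones."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and HEX_RE.match(value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'serial': int(m.group('serial')), 'perms': tuple(m.group('perms').split())}
    for key, raw in FIELD_RE.findall(m.group('rest')):
        rec[key] = decode_field(key, raw)
    return rec


def context_type(ctx):
    """Type component of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def is_inherited_fd(rec):
    """True when a file-class denial names a process context as its target.

    A file on disk carries object_r.  A target such as user_u:system_r:httpd_t
    is the label of an object created by, and labelled after, the httpd
    process (eventpoll, pipe, socketpair, ...), so the child running in
    system_mail_t can only hold it through an inherited descriptor.
    """
    return rec.get('tclass') == 'file' and rec['tcontext'].split(':')[1] != 'object_r'


def summarise(text):
    """Count denials per (source type, target type, class, perms) and list the
    paths of descriptors that look inherited across the domain transition."""
    counts = Counter()
    inherited = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']),
               rec['tclass'], ' '.join(rec['perms']))
        counts[key] += 1
        if is_inherited_fd(rec):
            inherited.append(rec.get('path', rec.get('name', '?')))
    return counts, inherited


if __name__ == '__main__':
    counts, inherited = summarise(SAMPLE)
    for (src, tgt, cls, perms), n in sorted(counts.items()):
        print(f'{n:3d}  {src} -> {tgt}:{cls} {{ {perms} }}')
    for path in inherited:
        print('inherited descriptor:', path)
    print('decoded tmp path:', parse_avc(SAMPLE.splitlines()[1])['path'])
```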
13 years, 2 months
selinux and oracle instantclient
by Arian
Hello all,
I am using Oracle 11.2 instant client on CentOS (which I heard is based on a
version of Fedora/RedHat), and I was trying to use php's PDO and oci8
modules to test connections to Oracle.
I had originally gotten a php error about pdo_oci.so/oci8.so data execution
on a dynamic link library, libclsh. I asked selinux boards and they said to
try 'setsebool -P allow_execstack on'... I think after that change, I still
had issues, so they suggested to turn it off temporarily to see if it
works...
So I went into /etc/sysconfig/selinux and set:
SELINUX=disabled
and my script connected and read some rows from the oracle db.
I'm not sure if anyone has had issues with oracle client to work with
selinux, without turning it off.
I saw a blog stating to run these, but I have no idea if it will work for my
version of oracle, or what it does:
"tail -f /var/log/audit/audit.log | tee oracle.log
audit2allow -M oracle < oracle.log
semodule -i oracle.pp"
Thanks!
Ari
13 years, 5 months
dovecot 2.0
by Paul Howarth
dovecot 2.0 renames some files from 1.x and needs some additional policy:
File contexts:
/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
Rules:
type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
allow dovecot_t self:capability kill;
allow dovecot_t dovecot_auth_t:process signal;
With those additions, I've got dovecot 2.0 running in my simple
PAM-based environment, leaving just the following AVC:
type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
scontext=unconfined_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
I haven't figured out where that's coming from yet but it looks far too
suspicious to allow, and doesn't seem to break anything when it's not
allowed.
Paul.
13 years, 6 months
at a loss with a problem: munin-node df
by pbdlists@pinboard.com
Hi all,
I'm quite at a loss with this one and would be thankful if somebody
could point out where my thinking is wrong and possibly what would be
the most appropriate way to fix the issue.
I've got a F12 machine with httpd, git and munin (server and node)
installed. Things work fine except that munin-node gets an avc denied
when running df.
Running 'munin-run df' on the command line works fine, but telnetting to
port 4949 and issuing the command 'fetch df', which should basically do
the same, returns a '# Bad exit' message and the following selinux logs:
type=AVC msg=audit(1269984513.464:737891): avc: denied { search } for pid=29383 comm="df" name="git" dev=vdb1 ino=918433 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:httpd_git_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1269984513.464:737891): arch=c000003e syscall=137 success=yes exit=128 a0=b32df0 a1=7fffc9958bf0 a2=7fffc9959490 a3=3237e7ea20 items=0 ppid=29382 pid=29383 auid=0 uid=801 gid=801 euid=801 suid=801 fsuid=801 egid=801 sgid=801 fsgid=801 tty=(none) ses=13057 comm="df" exe="/bin/df" subj=unconfined_u:system_r:munin_t:s0 key=(null)
user and group 801 are the munin user:
# getent passwd 801
munin:x:801:801:Munin user:/var/lib/munin:/sbin/nologin
# getent group 801
munin:x:801:
inode 918433 is the directory /var/www/git on /dev/vdb1:
# ls -ldi /var/www/git
918433 drwxr-xr-x. 3 root root 4096 2010-03-27 20:12 /var/www/git
# df -h /var/www /var/www/git/repos
Filesystem Size Used Avail Use% Mounted on
/dev/vdb1 20G 12G 6.8G 64% /var/www
/dev/vde1 20G 4.4G 15G 24% /var/www/git/repos
As can be seen above, /var/www/git/repos is a mountpoint. It does have
the same context as /var/www/git, as well as a few more items:
# find /var/www -context "system_u:object_r:httpd_git_content_t:s0" -ls
918433 4 drwxr-xr-x 3 root root 4096 Mar 27 20:12 /var/www/git
919158 4 -rw-r--r-- 1 root root 115 Dec 24 00:00 /var/www/git/git-favicon.png
919159 4 -rw-r--r-- 1 root root 207 Dec 24 00:00 /var/www/git/git-logo.png
919161 12 -rw-r--r-- 1 root root 8379 Dec 24 00:00 /var/www/git/gitweb.css
2 4 dr-xr-xr-x 21 autocheckout autocheckout 4096 Feb 23 22:06 /var/www/git/repos
11 16 drwx------ 2 root root 16384 Feb 8 20:00 /var/www/git/repos/lost+found
The port, which munin-node is listening on, is labelled with
munin_port_t, which is, I believe, the reason things work from the
command line but not via the network:
# semanage port -l | grep 4949
munin_port_t tcp 4949
munin_port_t udp 4949
Up to here I still understand things, by connecting to port 4949 my
connection gets the context munin_t and somehow that is not allowed
to do a search on httpd_git_content_t. The following test-policy in
fact would take care of this problem (tested):
policy_module(kktest,0.0.1)
require {
type munin_t;
type httpd_git_content_t;
};
bool allow_kktest false;
if (allow_kktest) {
allow munin_t httpd_git_content_t : dir { search } ;
} else {
};
But what I simply cannot understand is why I do not get any avc
denials, even without my test policy module, in the following two
cases:
1) By changing the type of /var/www/git to something else,
like httpd_sys_content_t:
chcon -t httpd_sys_content_t /var/www/git
I still have other directories with the same type /var/www/git
previously had and they don't cause any problem.
2) By leaving /var/www/git at type httpd_git_content_t, which normally
causes the problems, but umounting the filesystem below it:
umount /var/www/git/repos
What the heck am I missing? And would my test module not merely be a
working but also a correct solution? (Guess I could answer the second
question myself, once I get the first mystery solved.)
Thanks a lot,
Kurt
--
----------------------------------------------------------------------
: Kurt(a)pinboard.com http://www.pinboard.com/ business :
: http://kurt.www.pinboard.com/ private :
----------------------------------------------------------------------
: Unix and Internet Specialist :
: PGP fingerprint 7D6F 672A D30C CB86 30F3 88E4 194C 9BCB C382 DC4A :
----------------------------------------------------------------------
13 years, 6 months
F12: /var/run/utmp
by Dan Thurman
I am not sure what to make of this, so how can I fix it:
===================================
Summary:
SELinux is preventing /usr/bin/uptime from using potentially mislabeled
files /var/run/utmp.
Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux has denied the uptime access to potentially mislabeled files
/var/run/utmp. This means that SELinux will not allow httpd to use these
files.
If httpd should be allowed this access to these files you should change
the file context to one of the following types, abrt_helper_exec_t,
httpd_helper_exec_t,
dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t,
httpd_nagios_htaccess_t,
textrel_shlib_t, rpm_script_tmp_t, samba_var_t, ld_so_t, net_conf_t,
public_content_t, sysctl_kernel_t, httpd_modules_t, rpm_tmp_t,
httpd_suexec_exec_t, application_exec_type, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, gitosis_var_lib_t, httpd_squid_htaccess_t,
httpd_munin_htaccess_t, etc_runtime_t, mailman_archive_t, httpd_var_lib_t,
httpd_var_run_t, bin_t, cert_t, ld_so_cache_t, httpd_t, fail2ban_var_lib_t,
lib_t, httpd_awstats_htaccess_t, httpd_user_htaccess_t, usr_t,
chroot_exec_t,
httpd_rotatelogs_exec_t, public_content_rw_t, httpd_bugzilla_htaccess_t,
httpd_cobbler_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t,
mailman_data_t, httpd_keytab_t, httpd_apcupsd_cgi_htaccess_t,
system_dbusd_var_lib_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t,
httpd_sys_htaccess_t, squirrelmail_spool_t, cluster_conf_t,
httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t,
httpd_log_t, logfile, httpd_rw_content, krb5_conf_t, locale_t,
httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content,
proc_t, src_t,
sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile,
udev_tbl_t,
abrt_t, httpd_tmp_t, lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
httpd_nagios_content_ra_t, httpd_nagios_content_rw_t,
httpd_nagios_content_t,
httpd_w3c_validator_content_t, httpd_sys_content_ra_t,
httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_apcupsd_cgi_content_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t,
httpd_cvs_content_t,
httpd_sys_content_t, httpd_sys_content_t, root_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
httpd_prewikka_content_rw_t, httpd_user_script_exec_t,
httpd_bugzilla_content_t,
httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
httpd_awstats_content_t, httpd_sys_script_exec_t, httpd_user_content_ra_t,
httpd_user_content_rw_t, httpd_git_script_exec_t,
httpd_cobbler_content_ra_t,
httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
httpd_munin_content_rw_t. Many third party apps install html files in
directories that SELinux policy cannot predict. These directories have to be
labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /var/run/utmp so that the
httpd daemon can access it, you need to execute it using semanage
fcontext -a -t FILE_TYPE '/var/run/utmp'.
where FILE_TYPE is one of the following: abrt_helper_exec_t,
httpd_helper_exec_t, dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, textrel_shlib_t, rpm_script_tmp_t, samba_var_t,
ld_so_t, net_conf_t, public_content_t, sysctl_kernel_t, httpd_modules_t,
rpm_tmp_t, httpd_suexec_exec_t, application_exec_type,
httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
httpd_squid_htaccess_t, httpd_munin_htaccess_t, etc_runtime_t,
mailman_archive_t, httpd_var_lib_t, httpd_var_run_t, bin_t, cert_t,
ld_so_cache_t, httpd_t, fail2ban_var_lib_t, lib_t, httpd_awstats_htaccess_t,
httpd_user_htaccess_t, usr_t, chroot_exec_t, httpd_rotatelogs_exec_t,
public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, mailman_data_t, httpd_keytab_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, httpd_cvs_htaccess_t,
httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t,
cluster_conf_t, httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t,
httpd_lock_t, httpd_log_t, logfile, httpd_rw_content, krb5_conf_t, locale_t,
httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content,
proc_t, src_t,
sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile,
udev_tbl_t,
abrt_t, httpd_tmp_t, lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
httpd_nagios_content_ra_t, httpd_nagios_content_rw_t,
httpd_nagios_content_t,
httpd_w3c_validator_content_t, httpd_sys_content_ra_t,
httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_apcupsd_cgi_content_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t,
httpd_cvs_content_t,
httpd_sys_content_t, httpd_sys_content_t, root_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
httpd_prewikka_content_rw_t, httpd_user_script_exec_t,
httpd_bugzilla_content_t,
httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
httpd_awstats_content_t, httpd_sys_script_exec_t, httpd_user_content_ra_t,
httpd_user_content_rw_t, httpd_git_script_exec_t,
httpd_cobbler_content_ra_t,
httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
httpd_munin_content_rw_t. You can look at the httpd_selinux man page for
additional information.
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:initrc_var_run_t:s0
Target Objects /var/run/utmp [ file ]
Source uptime
Source Path /usr/bin/uptime
Port <Unknown>
Host host.domain.com
Source RPM Packages procps-3.2.8-3.fc12
Target RPM Packages initscripts-9.02.1-1
Policy RPM selinux-policy-3.6.32-103.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name httpd_bad_labels
Host Name host.domain.com
Platform Linux host.domain.com 2.6.32.9-70.fc12.i686 #1 SMP Wed Mar 3 05:14:32 UTC 2010 i686 i686
Alert Count 2
First Seen Sun 28 Mar 2010 12:04:45 PM PDT
Last Seen Sun 28 Mar 2010 12:09:52 PM PDT
Local ID 5f9c855c-31e3-42c9-83fd-9c9b6262cd00
Line Numbers
Raw Audit Messages
node=host.domain.com type=AVC msg=audit(1269803392.422:30): avc:
denied { open } for pid=4900 comm="uptime" name="utmp" dev=sdb10
ino=206 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
node=host.domain.com type=SYSCALL msg=audit(1269803392.422:30):
arch=40000003 syscall=5 success=yes exit=4 a0=3f5cb5 a1=88000 a2=430680
a3=3f5cbb items=0 ppid=2613 pid=4900 auid=4294967295 uid=48 gid=489
euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
ses=4294967295 comm="uptime" exe="/usr/bin/uptime"
subj=system_u:system_r:httpd_t:s0 key=(null)
13 years, 6 months
SELinux on a cluster
by Jan Kasprzak
Hello, SELinux list!
Is there anybody who uses SELinux on a cluster of computers? If so,
I have two questions:
- how do you synchronize the policy between the nodes? (Especially when
there are local modifications and parts of a policy)? Can I
simply rsync /etc/selinux/policy/targeted from a host I have just
modified to the other node, and then run something (what?) to make
the changes visible on the other node as well?
- are SELinux file contexts in ext3/4 xattrs portable between
hosts? My cluster has a shared filesystem on top of drbd,
mounted on a primary node. Will it work also after a failover
to the secondary node (and remounting the FS there), or would
it be necessary to do a restorecon on that filesystem first?
Thanks,
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your
mail or we'll all soon be using bittorrent to read the list. --Alan Cox
13 years, 6 months
F12: setroubleshoot: [dbus.proxies.ERROR] Introspect...
by Dan Thurman
On rebooting, this showed up and I have no clue what it is:
====================================
Mar 28 12:05:41 <host> setroubleshoot: [dbus.proxies.ERROR] Introspect
error on :1.191:/org/fedoraproject/Setroubleshootd:
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did
not receive a reply. Possible causes include: the remote application did
not send a reply, the message bus security policy blocked the reply, the
reply timeout expired, or the network connection was broken.
13 years, 6 months
selinux broke httpd: libxml2.so.2: failed to map segment from shared object: Permission denied
by Aleksey Tsalolikhin
Hi. httpd used to work but now does not start up.
Error message:
Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
Cannot load /etc/httpd/modules/libphp5.so into server:
libxml2.so.2: failed to map segment from shared object: Permission
denied
I can start httpd if I turn off SELinux, but I want to figure this out
and re-enable SELinux.
SELinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
and "restorecon -n libxml.so.2.6.26" does not return anything so the
labels match default. (libxml.so.2 is a symlink to 2.6.26)
No recent AVC denied entries in /var/log/audit/audit.log or
/var/log/messages. (One did not get logged when I tried to start httpd
and failed.)
I googled the above error message but all I could find were web pages in Chinese
advising to run restorecon on the libxml2.so file or turn off SELinux.
Any suggestions on how to investigate this?
Thanks,
Aleksey
13 years, 6 months
On what schedule is selinux-policy updated?
by Scott Salley
I'm excitedly awaiting a set of patches I submitted to the selinux reference policy to be picked up by Fedora. I've noticed that the selinux-policy* has frequent updates available and expect to see these updates soon (fingers crossed).
Is there a published schedule for pushing out new selinux-policy* rpms and picking up changes from the reference policy?
13 years, 6 months
userdom_unpriv_user_template use errors and creating new roles
by Andy Warner
Using FC12, fully updated. I have two basic, but possibly related
questions. The first is regarding a change to the targeted policy that
resulted in an install error for our Trusted RUBIX policy when using the
userdom_unpriv_user_template interface, as of the last targeted policy
update. The second concerns denials I now receive after changing our policy
to use a different interface.
First issue:
Our policy had been declaring a custom role (rubix_dbadm_r in this case)
using the following:
userdom_unpriv_user_template(rubix_dbadm)
corecmd_exec_shell(rubix_dbadm_t)
Originally, this worked for its intended purposes with no selinux
denials. As of installing policy update:
Name : selinux-policy-targeted
Arch : noarch
Version : 3.6.32
Release : 103.fc12
When we build our policy we received the following errors:
rubix-dev.te:175: Warning: xserver_user_client() has been deprecated,
please use xserver_user_x_domain_template instead.
Installing rubix-dev-targeted policy
libsepol.print_missing_requirements: rubix-dev's global requirements
were not met: type/attribute xdrawable_type (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule: Failed!
I had been receiving the deprecation warning for a while (ignoring it at my
own peril); the link error was new to this targeted policy version. I also
received errors while installing the selinux-policy-targeted rpm itself,
stating a different requirement not being met in the then installed
rubix-dev policy. I do not recall the exact error message, but remember
it was an X related type that was missing.
Noting the X connection between the deprecated function and the link
error, I traced the reference to the deprecated 'xserver_user_client'
interface to 'userdom_unpriv_user_template'. I did not call
'xserver_user_client' directly. I replaced the call to
'userdom_unpriv_user_template' with a call to
'userdom_restricted_user_template' and my policy then installed properly.
But using the 'userdom_restricted_user_template' interface, I now
notice some selinux denials during a call to newrole, which is my second
question below. I am not sure that the change to the new interface is
the cause of the denials; I am just now noticing them.
Should the 'userdom_unpriv_user_template' interface either be fixed or
removed from the userdom *.if file?
Second issue:
The rubix_dbadm_r role is now created with:
userdom_restricted_user_template(rubix_dbadm)
corecmd_exec_shell(rubix_dbadm_t)
When I perform a newrole, I receive denials as follows (note, I am in
permissive mode so the newrole succeeds):
$ id -Z
rxdev_u:staff_r:staff_t:s0-s0:c0.c1023
$ ls -Z `tty`
crw--w----. warner tty rxdev_u:object_r:user_devpts_t:s0 /dev/pts/4
$ newrole -r rubix_dbadm_r
Password:
$
Note: I am a bit surprised that the tty type is user_devpts_t and not
staff_devpts_t, though I am very unfamiliar with this.
Mar 22 11:04:03 localhost setroubleshoot: SELinux is preventing
/usr/bin/newrole "write" access on /var/run/dbus/system_bus_socket. For
complete SELinux messages. run sealert -l
95fc56ee-8711-460c-874b-6ddb91cc9add
Mar 22 11:04:03 localhost setroubleshoot: SELinux is preventing
/usr/bin/newrole "write" access on /var/run/dbus/system_bus_socket. For
complete SELinux messages. run sealert -l
95fc56ee-8711-460c-874b-6ddb91cc9add
# more securetty_types
sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t
user_devpts_t
devpts_t
#
Are these denials related to how I create the rubix_dbadm_r role? Is
there a proper way to create a role suitable for a user to transition
into and as a potential default logon user role?
I fully admit my choice of creating a role was through observation of
other policy code and trial and error. It would be nice to have a
definitive word on it.
Thanks,
Andy
13 years, 6 months