F12: SeLinux denials on older Fedora version mounted filesystems
by Dan Thurman
I reported this before, but got no response - perhaps because
I bundled several issues into one posting? If so, here is a separate
posting.
It appears that SELinux examines all mounted filesystems, but in this
case SELinux sees other Fedora versions and starts to complain even
though they are not related to the OS that is currently running. As you
can see below, running F12, it complains about F11 (and in several
places in the mounted F11 filesystem). Many other complaints are
similar for mounted Fedora versions BELOW the current running OS (F12),
such as F11, 10, 9, 8, ...
How does one get around this issue?
=============================================
Summary:
SELinux is preventing /usr/bin/updatedb "getattr" access to
/md/RF11D1/etc/poker-network.
Detailed Description:
SELinux denied access requested by updatedb.
/md/RF11D1/etc/poker-network may be a mislabeled. /md/RF11D1/etc/poker-network
default SELinux type is default_t, but its current type is unlabeled_t.
Changing this file back to the default type, may fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the dhclient_t type
and creating a file in the directory /etc. This file would normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain. However, this might
also indicate a bug in SELinux because the file should not have been
labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/md/RF11D1/etc/poker-network', if this file
is a directory, you can recursively restore using restorecon -R
'/md/RF11D1/etc/poker-network'.
Fix Command:
/sbin/restorecon '/md/RF11D1/etc/poker-network'
Additional Information:
Source Context system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /md/RF11D1/etc/poker-network [ dir ]
Source updatedb
Source Path /usr/bin/updatedb
Port <Unknown>
Host gold.cdkkt.com
Source RPM Packages mlocate-0.22.2-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-92.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restorecon
Host Name gold.cdkkt.com
Platform Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count 4
First Seen Tue 02 Mar 2010 03:14:22 AM PST
Last Seen Fri 05 Mar 2010 03:15:44 AM PST
Local ID 98ffff35-e41b-4d4e-b3d3-d286a4916baf
Line Numbers
Raw Audit Messages
node=gold.cdkkt.com type=AVC msg=audit(1267787744.981:42770): avc:
denied { getattr } for pid=15175 comm="updatedb"
path="/md/RF11D1/etc/poker-network" dev=sda10 ino=413
scontext=system_u:system_r:locate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
node=gold.cdkkt.com type=SYSCALL msg=audit(1267787744.981:42770):
arch=40000003 syscall=196 success=no exit=-13 a0=a02bea9 a1=bfb343b0
a2=4c5ff4 a3=a02bea9 items=0 ppid=15169 pid=15175 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=246
comm="updatedb" exe="/usr/bin/updatedb"
subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)
14 years, 1 month
F12: Selinux 'sendmail' denials on /var/log/message logfile
by Dan Thurman
Problems with sendmail:
======================================
Summary:
SELinux is preventing /usr/sbin/sendmail.sendmail "read" access on
/var/log/messages.
Detailed Description:
[sendmail has a permissive type (system_mail_t). This access was not
denied.]
SELinux denied access requested by sendmail. It is not expected that this
access is required by sendmail and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_log_t:s0
Target Objects /var/log/messages [ file ]
Source sendmail
Source Path /usr/sbin/sendmail.sendmail
Port <Unknown>
Host host.domain.com
Source RPM Packages sendmail-8.14.3-8.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-92.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall
Host Name host.domain.com
Platform Linux host.domain.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count 12
First Seen Tue 02 Mar 2010 03:12:05 AM PST
Last Seen Fri 05 Mar 2010 03:13:28 AM PST
Local ID 420ceb87-17a4-4e9b-ae71-356723aa6b9f
Line Numbers
Raw Audit Messages
node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
denied { read } for pid=14919 comm="sendmail" path="/var/log/messages"
dev=sdb8 ino=20167
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
denied { read } for pid=14919 comm="sendmail" path="/var/log/secure"
dev=sdb8 ino=20415
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc:
denied { read } for pid=14919 comm="sendmail" path="/var/log/maillog"
dev=sdb8 ino=21877
scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=host.domain.com type=SYSCALL msg=audit(1267787608.324:42763):
arch=40000003 syscall=11 success=yes exit=0 a0=85088a0 a1=8508928
a2=8507eb0 a3=8508928 items=0 ppid=14865 pid=14919 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=486 sgid=486 fsgid=486 tty=(none) ses=246
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
14 years, 1 month
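As an added example that is not part of either report above (the sample records are the raw audit lines from the two reports; the triage rules are this example's own, not sealert's), a small POSIX shell script that pulls the fields out of raw AVC records and sorts them into the two situations the reports show: an unlabeled_t target, which is a labelling problem on the mounted F11 tree and needs no policy change, and a denial from a domain the policy already runs permissive, which is logged but not enforced (the bracketed "This access was not denied" line in the sendmail report). The list of permissive domains is passed in; on a live box it comes from `semanage permissive -l` (or `seinfo --permissive` from setools).

```shell
#!/bin/sh
# Added example: triage raw SELinux AVC records. Not from the original posts;
# the sample records below are copied from them, the rules are the example's.

# avc_field RECORD KEY : print the value of KEY=... (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perms RECORD : the permission set between the braces, e.g. "getattr".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT : the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage AVC_RECORD [PERMISSIVE_TYPES] : one word for the case.
#   mislabeled  - target is unlabeled_t: the on-disk label is missing or names
#                 a type the loaded policy does not know (typical for another
#                 release's root mounted under /md). Fix labels or keep the
#                 scanner out; no allow rule is needed.
#   permissive  - the source domain is in PERMISSIVE_TYPES (space separated):
#                 the access was logged, not blocked.
#   policy      - an enforcing denial; read it before writing a module.
avc_triage() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$ttype" = unlabeled_t ]; then
        echo mislabeled
    else
        for p in ${2:-}; do
            if [ "$p" = "$stype" ]; then echo permissive; return 0; fi
        done
        echo policy
    fi
}

# avc_summary AVC_RECORD : "source_type perms target_type tclass path"
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" path)"
}

# Sample records, copied from the two reports above.
UPDATEDB_AVC='node=gold.cdkkt.com type=AVC msg=audit(1267787744.981:42770): avc: denied { getattr } for pid=15175 comm="updatedb" path="/md/RF11D1/etc/poker-network" dev=sda10 ino=413 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir'
SENDMAIL_AVC='node=host.domain.com type=AVC msg=audit(1267787608.324:42763): avc: denied { read } for pid=14919 comm="sendmail" path="/var/log/messages" dev=sdb8 ino=20167 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file'
# Constructed: the one permissive domain sealert named in the sendmail report.
PERMISSIVE_TYPES='system_mail_t'

# Demonstration on the sample records.
for rec in "$UPDATEDB_AVC" "$SENDMAIL_AVC"; do
    printf '%s -> %s\n' "$(avc_summary "$rec")" "$(avc_triage "$rec" "$PERMISSIVE_TYPES")"
done
```

On a live box the same records sit in /var/log/audit/audit.log (`ausearch -m avc -ts recent` prints them). For the first report the "mislabeled" verdict points at fixes that touch no policy: `restorecon -R` on the mounted tree (with the caveat that F12's file contexts may not match what F11's own policy expects when you boot back into it), mounting the old root with `-o context=...` so the whole tree carries one known label, or adding the mount point to PRUNEPATHS in /etc/updatedb.conf so updatedb never walks another release's filesystem at all, which is the least invasive of the three.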
SELinux Admin newbie question
by Temlakos
Where do I find the logs to tell me what permissions a certain new
application will need to operate?
I'm using Fedora 12 on an HP Pavilion machine with a dual-core
processor. Several times I have tried to install an application called
TweetDeck. And each time I do, I am told that TweetDeck is having
trouble accessing some secure passwords that are stored on the machine.
I am convinced that SELinux is doing it. But I don't know how to get
SELinux to play nice, because I can't see where the problem is.
Temlakos
14 years, 1 month
Got things working, but not sure how
by Scott Salley
I'd like to thank the mailing list inhabitants for all the help you've
given me. So, Thanks!
I modified the targeted policy for Fedora 12 and got Likewise Open to
install, join Active Directory, and allow users to authenticate without
any problems! The problem is, I'm not quite sure what some of the rules
do and whether they are necessary.
For example, I patched the authentication daemon (lsassd) to properly
set up the user's home directory and I'm using matchpathcon(3) and
setfilecon(3). At first, matchpathcon would fail but I could find *no*
messages indicating a problem. I finally copied a block of rules from
another policy and that worked.
The rules I copied are:
selinux_get_fs_mount(lsassd_t)
selinux_validate_context(lsassd_t)
selinux_compute_access_vector(lsassd_t)
selinux_compute_create_context(lsassd_t)
selinux_compute_relabel_context(lsassd_t)
selinux_compute_user_contexts(lsassd_t)
Now I could try things one by one and see what works and what doesn't,
but I have some other rule blocks where I have the same type of problem
and then a combinatorial explosion gets involved. I have also tried
looking things up online, but pages like this
(http://www.softeh.ro/doc/selinux-policy-2.2.23/html/kernel_selinux.html)
did not really help me for many of the rules.
What have I missed? Is there another level of logging I could turn on
somewhere?
14 years, 1 month
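An added example, not from the post and not Likewise code, for the two things asked here: why a failing libselinux call can leave no message, and how to read what a copied interface grants. The reference policy covers a lot of probing (looking at /selinux, validating and computing contexts) with dontaudit rules, so the denial never reaches the audit log; `semodule -DB` rebuilds the policy with those rules disabled so the denials show up, and `audit2allow -R` maps what you then see to interface calls. The header directory used by `show_interface` is the selinux-policy-devel install path and is an assumption.

```shell
#!/bin/sh
# Added example, not from the post: surface hidden (dontaudited) denials and
# print the definition behind an interface name. Root and policycoreutils
# are needed for the first three functions; show_interface only needs the
# policy headers (path assumed below).

# show_hidden_denials : rebuild the policy with dontaudit rules disabled,
# then reproduce the failing call (matchpathcon, setfilecon, ...).
show_hidden_denials() { semodule -DB; }

# hide_denials_again : back to the normal policy once the investigation is done.
hide_denials_again()  { semodule -B; }

# suggest_interfaces COMM SINCE : map the AVCs logged for a process name
# since SINCE (ausearch -ts syntax: recent, today, 10:30, ...) to
# reference-policy interface calls. Treat the output as a reading list,
# not a patch: a denial on a mislabeled file needs restorecon, not a rule.
suggest_interfaces() {
    ausearch -m avc -c "$1" -ts "$2" | audit2allow -R
}

# show_interface NAME [INCLUDE_DIR] : print the definition of an interface
# or template from the installed policy headers, e.g.
#   show_interface selinux_compute_access_vector
# so a copied line like selinux_compute_access_vector(lsassd_t) can be read
# as the allow rules it expands to.
show_interface() {
    inc=${2:-/usr/share/selinux/devel/include}
    grep -rl "(\`$1'," "$inc" 2>/dev/null | while read -r f; do
        awk -v name="$1" '
            BEGIN { head = "(`" name "\047," }
            index($0, "interface" head) == 1 || index($0, "template" head) == 1 { on = 1 }
            on { print }
            on && $0 == "\047)" { exit }
        ' "$f"
    done
}

# Typical session (as root):
#   show_hidden_denials
#   ... reproduce the failing matchpathcon call ...
#   suggest_interfaces lsassd recent
#   hide_denials_again
```

Each of the six selinux_* lines in the post expands to a narrow permission on the security class of selinuxfs (security_t); `show_interface` shows exactly which, which is the "one by one" information without the combinatorial trial runs.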
Using httpd and vsftpd together
by Dirk H. Schulz
Hi folks,
I want my web users to use vsftpd for populating their web space.
And I want SElinux to have an eye on everything there. But my problem is:
For vsftpd to work I need the following context on the web directories:
system_u:public_content_rw_t
For httpd to work I need the following context on the web directories:
object_r:httpd_sys_content_t
How can I get SELinux to let both daemons work on the same web
directory?
I am not very deep into SElinux by now, so please bear with me. I have
googled for this particular problem, but found nothing.
Any hint or help or url of a howto is appreciated.
Dirk
14 years, 1 month
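One way to do this on the Fedora 12 targeted policy, as an added example that is not from the thread: label the shared tree public_content_rw_t, which httpd already reads, and turn on the allow_ftpd_anon_write boolean so vsftpd may write it. The directory /var/www/html/users is a placeholder; the type and boolean are the ones that policy ships. A side benefit of this choice is that httpd never runs anything in public_content_rw_t as CGI, so whatever users upload stays static content.

```shell
#!/bin/sh
# Added example, not from the thread: give one web tree a label that vsftpd
# may write and httpd may read. /var/www/html/users is a placeholder path.
# Set SELINUX_DRY_RUN=1 to print the commands instead of running them (the
# real run needs root).

run() {
    if [ "${SELINUX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fcontext_regex DIR : the pattern semanage expects for DIR and everything
# below it. Trailing slashes go; dots are escaped so a directory such as
# /srv/www.example does not turn into a wildcard.
fcontext_regex() {
    d=$(printf '%s\n' "$1" | sed 's#/*$##; s/[.]/\\./g')
    printf '%s(/.*)?\n' "$d"
}

# share_webtree DIR : record the labelling so relabels keep it, apply it to
# what is on disk now, and let vsftpd write to public_content_rw_t.
share_webtree() {
    dir=$1
    if [ ! -d "$dir" ] && [ "${SELINUX_DRY_RUN:-0}" != 1 ]; then
        echo "share_webtree: no such directory: $dir" >&2
        return 1
    fi
    run semanage fcontext -a -t public_content_rw_t "$(fcontext_regex "$dir")"
    run restorecon -R -v "$dir"
    run setsebool -P allow_ftpd_anon_write on
}

# check_webtree DIR : what the policy says the tree should carry, and what
# the directory carries now; the two must agree before blaming a daemon.
check_webtree() {
    run matchpathcon "$1"
    run ls -dZ "$1"
}

# Demonstration without touching the system:
SELINUX_DRY_RUN=1
share_webtree /var/www/html/users
check_webtree /var/www/html/users
```

Ordinary DAC still applies on top of this: the apache user must be able to read what the FTP users write, so the usual group and umask arrangement for the tree is needed as well.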
error rebuilding source rpm selinux-policy-3.6.32-89.fc12.src.rpm
by yersinia
I do
rpmbuild --rebuild selinux-policy-3.6.32-89.fc12.src.rpm
(as described here http://danwalsh.livejournal.com/26428.html)
and have this result
......................
echo '</policy>' >> doc/policy.xml
if test -x /usr/bin/xmllint && test -f doc/policy.dtd; then \
/usr/bin/xmllint --noout --path doc/ --dtdvalid
doc/policy.dtd doc/policy.xml ;\
fi
Updating policy/modules.conf and policy/booleans.conf
python -E support/sedoctool.py -b policy/booleans.conf -m
policy/modules.conf -x doc/policy.xml
Updating policy/modules.conf and policy/booleans.conf
python -E support/sedoctool.py -b policy/booleans.conf -m
policy/modules.conf -x doc/policy.xml
+ cp -f selinux_config/modules-targeted.conf ./policy/modules.conf
+ cp -f selinux_config/booleans-targeted.conf ./policy/booleans.conf
+ cp -f selinux_config/users-targeted ./policy/users
+ make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n
DIRECT_INITRC=n MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 base.pp
make: *** No rule to make target `base.pp'. Stop.
error: Bad exit status from /home/machbuild/rpmbuild/tmp/rpm-tmp.kuOKrS
(%install)
Perhaps I am missing something?
Thanks in advance
14 years, 1 month
Policy redundancy and layout
by Scott Salley
I have a project with multiple daemons (around 6) which share many
common features (they access the network, create and maintain daemon
specific files, access random numbers, etc...), though they each deal
with a different set of tasks (monitoring network resources, providing
network file sharing services, providing network authentication
services, etc).
Is it okay to use the interface file to define a set of common
properties for these daemons to avoid listing everything out for each
daemon? If not the interface file, then how should a common set of
patterns for these daemons be defined?
I found listing the rules for each daemon to be bug prone and tedious.
14 years, 1 month
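An added example, not from the post and not the project's policy, of how the reference policy itself answers this question: the shared rules go on an attribute, written once, and the per-daemon types come out of a template in the module's .if file (the same mechanism as apache's content template and the userdom templates). The script writes a minimal module with two daemons and builds it with the selinux-policy-devel Makefile; myproj, lsassd, netlogond and the /usr/sbin paths are placeholders, and the Makefile path is assumed.

```shell
#!/bin/sh
# Added example, not from the post: factor the rules several daemon domains
# share into an attribute plus a template. All names are placeholders.

# write_myproj_policy DIR : emit myproj.te, myproj.if and myproj.fc.
write_myproj_policy() {
    out=$1
    mkdir -p "$out"

    cat > "$out/myproj.if" <<'EOF'
## <summary>Daemons of the myproj project.</summary>

########################################
## <summary>
##	Declare one daemon of the project: its domain, entry point, pid file
##	and log file, and membership in the myproj_daemon attribute.
## </summary>
## <param name="prefix">
##	<summary>Prefix for the types, e.g. lsassd.</summary>
## </param>
#
template(`myproj_daemon_template',`
	gen_require(`
		attribute myproj_daemon;
	')

	type $1_t, myproj_daemon;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	type $1_var_run_t;
	files_pid_file($1_var_run_t)
	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t, $1_var_run_t, file)

	type $1_log_t;
	logging_log_file($1_log_t)
	manage_files_pattern($1_t, $1_log_t, $1_log_t)
	logging_log_filetrans($1_t, $1_log_t, file)
')
EOF

    cat > "$out/myproj.te" <<'EOF'
policy_module(myproj, 1.0.0)

# Rules written once against the attribute apply to every daemon domain
# the template adds to it.
attribute myproj_daemon;

corenet_all_recvfrom_unlabeled(myproj_daemon)
corenet_tcp_sendrecv_generic_if(myproj_daemon)
corenet_tcp_sendrecv_generic_node(myproj_daemon)
dev_read_rand(myproj_daemon)
dev_read_urand(myproj_daemon)
logging_send_syslog_msg(myproj_daemon)
miscfiles_read_localization(myproj_daemon)

# Per-daemon declarations; each daemon's own rules follow its call.
myproj_daemon_template(lsassd)
myproj_daemon_template(netlogond)
EOF

    cat > "$out/myproj.fc" <<'EOF'
/usr/sbin/lsassd      --  gen_context(system_u:object_r:lsassd_exec_t,s0)
/usr/sbin/netlogond   --  gen_context(system_u:object_r:netlogond_exec_t,s0)
EOF
}

# build_myproj_policy DIR : compile with the devel Makefile and load (root).
build_myproj_policy() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile myproj.pp ) \
        && semodule -i "$1/myproj.pp"
}

# Usage: write_myproj_policy ./myproj && build_myproj_policy ./myproj
```

The attribute carries what every daemon needs (network, random numbers, syslog); the template carries what every daemon has but under its own name (domain, entry point, pid and log types). Anything one daemon alone needs stays in the .te after its template call, so a rule only ever appears in one place.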