selinux and oracle instantclient
by Arian
Hello all,
I am using Oracle 11.2 instant client on CentOS (which I heard is based on a
version of Fedora/RedHat), and I was trying to use php's PDO and oci8
modules to test connections to Oracle.
I had originally gotten a php error about pdo_oci.so/oci8.so data execution
on a dynamic link library, libclsh. I asked selinux boards and they said to
try 'setsebool -P allow_execstack on'... I think after that change, I still
had issues, so they suggested to turn it off temporarily to see if it
works...
So I went into /etc/sysconfig/selinux and set:
SELINUX=disabled
and my script connected and read some rows from the oracle db.
I'm not sure if anyone has had issues getting the oracle client to work with
selinux without turning it off.
I saw a blog stating to run these, but I have no idea if it will work for my
version of oracle, or what it does:
"tail -f /var/log/audit/audit.log | tee oracle.log
audit2allow -M oracle < oracle.log
semodule -i oracle.pp"
Thanks!
Ari
14 years, 1 month
relabel fails
by Vadym Chepkov
Hi,
I am trying to enable SELinux on a server where it was disabled before, but the autorelabel process fails. I have set SELinux in permissive mode and when I try to use fixfiles to do it manually I get these errors:
# fixfiles restore
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 19 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 20 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 21 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 22 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 24 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 44 has invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 45 has invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 46 has invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs: line 47 has invalid context root:object_r:user_mozilla_home_t:s0
Exiting after 10 errors.
selinux-policy-targeted-2.4.6-255.el5_4.4
Thanks
Sincerely yours,
Vadym Chepkov
14 years, 1 month
execstack and execmem
by Shintaro Fujiwara
Hi, I'm recently working on an F12 web server and I got httpd_t execstack
and execmem.
Can I allow those?
The server I'm working on right now is a test server which has copied
all the contents from an FC6 server which I have run in permissive mode for
half a year.
I have not read a log at all on FC6 server.
I'm trying to move all the contents that I have now on F12.
I already succeeded with another web server which has no script stuff, so
the problem may be caused by the script which I have written for certain
web-pages.
The server I'm working on I can't touch for a couple of days, but some script I
wrote wants to do that, I guess.
The script has a type httpd_sys_content_t still, so that may be a problem.
Yes, it's in the documentroot of Apache.
Maybe I should put the script outside of the documentroot or label it as other
than httpd stuff with local.pp.
I could not find time to read that thoroughly, but I can report on Monday.
I will report on this matter until I get the right answer and I run the
server right.
Thanks in advance.
-------------------------------------------
segatex--SELinux tool
http://sourceforge.net/projects/segatex/
14 years, 1 month
dbadm.pp is not available in selinux-policy package
by KaiGai Kohei
It seems to me the latest selinux-policy package forgot to build the
dbadm package, although its interface file is distributed.
[kaigai@saba ~]$ rpm -q selinux-policy
selinux-policy-3.7.15-4.fc13.noarch
[kaigai@saba ~]$ rpm -ql selinux-policy | grep dbadm
/usr/share/selinux/devel/include/roles/dbadm.if
However,
[kaigai@saba ~]$ rpm -ql selinux-policy-targeted | grep dbadm
Perhaps modules-targeted.conf of the selinux-policy spec was not
updated when it was upgraded to the upstream policy which contains
dbadm.*.
Could you fix it?
Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
14 years, 1 month
Steps to login with non-traditional selinux roles
by KaiGai Kohei
I'm trying to set up a certain user to login with non-traditional
selinux roles (such as dbadm_u), but it does not work well.
Am I missing something?
[root@saba ~]# rpm -q selinux-policy
selinux-policy-3.7.15-4.fc13.noarch
[root@saba ~]# semanage user -a -R webadm_r webadm_u
[root@saba ~]# semanage user -l
SELinux User  Prefix  MLS/MCS Level  MLS/MCS Range  SELinux Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
webadm_u user s0 s0 webadm_r
xguest_u user s0 s0 xguest_r
[root@saba ~]# semanage login -a -s webadm_u ymj
[root@saba ~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
ymj webadm_u s0
[root@saba ~]# cd /etc/selinux/targeted/contexts/users/
[root@saba users]# cat user_u | sed 's/user_/webadm_/g' > webadm_u
[root@saba users]# cat webadm_u
system_r:local_login_t:s0 webadm_r:webadm_t:s0
system_r:remote_login_t:s0 webadm_r:webadm_t:s0
system_r:sshd_t:s0 webadm_r:webadm_t:s0
system_r:crond_t:s0 webadm_r:webadm_t:s0
system_r:xdm_t:s0 webadm_r:webadm_t:s0
webadm_r:webadm_su_t:s0 webadm_r:webadm_t:s0
webadm_r:webadm_sudo_t:s0 webadm_r:webadm_t:s0
system_r:initrc_su_t:s0 webadm_r:webadm_t:s0
webadm_r:webadm_t:s0 webadm_r:webadm_t:s0
[root@saba users]# ssh ymj@localhost
ymj@localhost's password:
Last login: Thu Apr 8 09:12:43 2010 from localhost
Connection to localhost closed.
[root@saba users]# setenforce 0
[root@saba users]# ssh ymj@localhost
ymj@localhost's password:
Last login: Thu Apr 8 09:12:56 2010 from localhost
[ymj@saba ~]$ id -Z
system_u:system_r:unconfined_t:s0-s0:c0.c1023
With "semanage -BD", I could find the following AVC denial audit logs
during the above command execution, but it does not seem to me that these
violations prevent ymj's login directly.
type=AVC msg=audit(1270685681.731:24535): avc: denied { rlimitinh } for pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc: denied { siginh } for pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.731:24535): avc: denied { noatsecure } for pid=17257 comm="unix_chkpwd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { rlimitinh } for pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { siginh } for pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.748:24537): avc: denied { noatsecure } for pid=17259 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc: denied { siginh } for pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.770:24544): avc: denied { noatsecure } for pid=17262 comm="bash" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1270685681.925:24545): avc: denied { write } for pid=17259 comm="setroubleshootd" name="rpm" dev=sda3 ino=180226 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1270685681.926:24546): avc: denied { write } for pid=17259 comm="setroubleshootd" name="__db.001" dev=sda3 ino=180240 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
I guess pam_selinux.so kills the connection due to the lack of something that
needs to be configured in enforcing mode.
Do you have any suggestion?
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
14 years, 1 month
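The post above goes through three separate tables (semanage login -l, semanage user -l, and the contexts/users/<seuser> file) that pam_selinux chains together at login time. The following is an added example, not code from the post or from libselinux: it walks that chain for one login name and reports where it breaks. The three tables are copied from the post; the "bob" and "carol" logins and the user_u contexts file are constructed so that failing checks are visible. It simplifies the real get_default_context logic (which also validates each candidate context against the loaded policy) to one rule: the first candidate whose role the SELinux user actually holds wins.

```python
# Added example: follow login -> SELinux user -> roles -> default context and
# report inconsistencies. Tables are from the post; bob, carol and the user_u
# contexts file are constructed to demonstrate findings.

SEMANAGE_USER_L = """\
guest_u      user  s0  s0               guest_r
root         user  s0  s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u      user  s0  s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u     user  s0  s0-s0:c0.c1023   sysadm_r
system_u     user  s0  s0-s0:c0.c1023   system_r unconfined_r
unconfined_u user  s0  s0-s0:c0.c1023   system_r unconfined_r
user_u       user  s0  s0               user_r
webadm_u     user  s0  s0               webadm_r
xguest_u     user  s0  s0               xguest_r
"""

SEMANAGE_LOGIN_L = """\
__default__  unconfined_u  s0-s0:c0.c1023
root         unconfined_u  s0-s0:c0.c1023
system_u     system_u      s0-s0:c0.c1023
ymj          webadm_u      s0
bob          dbadm_u       s0
carol        user_u        s0
"""

# Constructed contexts/users/<seuser> contents: webadm_u mirrors the sed-generated
# file in the post; user_u carries a deliberately wrong role to trip the check.
USER_CONTEXT_FILES = {
    "webadm_u": "system_r:local_login_t:s0 webadm_r:webadm_t:s0\n"
                "system_r:sshd_t:s0 webadm_r:webadm_t:s0\n"
                "system_r:crond_t:s0 webadm_r:webadm_t:s0\n",
    "user_u": "system_r:sshd_t:s0 staff_r:staff_t:s0 user_r:user_t:s0\n",
}

def parse_semanage_users(text):
    """semanage user -l rows -> {seuser: set of roles}"""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _prefix, _level, _range, *roles = line.split()
            users[name] = set(roles)
    return users

def parse_semanage_logins(text):
    """semanage login -l rows -> {login name: SELinux user}"""
    return {row.split()[0]: row.split()[1] for row in text.splitlines() if row.strip()}

def parse_user_contexts(text):
    """contexts/users/<seuser> -> {source context: [candidate target contexts]}"""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            table[parts[0]] = parts[1:]
    return table

def resolve_login_context(login, logins, users, context_files, source="system_r:sshd_t:s0"):
    """Return (chosen context or None, list of findings) for `login` arriving via `source`."""
    findings = []
    seuser = logins.get(login)
    if seuser is None:  # unmapped logins use the __default__ entry
        seuser = logins.get("__default__")
        findings.append(f"{login}: no explicit mapping, falling back to __default__ -> {seuser}")
    roles = users.get(seuser)
    if roles is None:
        findings.append(f"{login}: SELinux user {seuser} is not defined (semanage user -l)")
        return None, findings
    text = context_files.get(seuser)
    if text is None:
        findings.append(f"{login}: no contexts/users/{seuser}; default_contexts would be consulted instead")
        return None, findings
    candidates = parse_user_contexts(text).get(source)
    if not candidates:
        findings.append(f"{login}: no entry for {source} in contexts/users/{seuser}")
        return None, findings
    chosen = None
    for cand in candidates:
        role = cand.split(":")[0]
        if role in roles:
            chosen = chosen or cand  # first valid candidate wins
        else:
            findings.append(f"{login}: candidate {cand} uses role {role}, not granted to {seuser}")
    return chosen, findings
```

With the post's data, resolve_login_context("ymj", ...) returns webadm_r:webadm_t:s0 with no findings, so the three tables are consistent with each other; the example only confirms that the static configuration lines up, it cannot tell whether the loaded policy accepts that context.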
file_contexts.homedirs and new users
by Klaus Lichtenwalder
Hi,
I just stumbled upon the effect that adding a new user and creating a
.ssh directory does not automatically fix its context, though it's listed
in file_contexts.homedirs (this was done via unattended package
installs). It is fixed by an explicit restorecon, though.
I searched google up and down and did not find how/when the
homedirs file gets applied. Restorecon, explicitly used, sets the context
to home_ssh_t and everything is fine. So sorry if I missed something
obvious, but I just don't get how and when the policy from
file_contexts.homedirs gets applied
(it's on an up-to-date F12 system)
Klaus
--
------------------------------------------------------------------------
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/
PGP Key fingerprint: BF52 72FA 1F5A 1E29 C0F8 498C C4C6 633C 2821 97DA
14 years, 1 month
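Both the relabel post ("line N has invalid context ...") and the question above about file_contexts.homedirs come down to how file_contexts files are read and applied, so here is one added example covering both; it is not code from either post or from libselinux. The point for the .ssh question: file_contexts and file_contexts.homedirs are only consulted by relabeling tools (setfiles, restorecon, fixfiles, the autorelabel boot pass, and restorecond for the paths it watches). When a file is created, the kernel labels it from a type_transition rule or, failing that, by inheriting the parent directory's type; a package script that does mkdir ~/.ssh therefore gets the parent's label until something runs restorecon. The example parses a constructed excerpt in the homedirs format (the real file is generated by genhomedircon from a template with HOME_DIR and USER substituted), reports entries whose type is absent from a constructed list of known types the way fixfiles does, and resolves the label a relabel would assign to a path. It assumes the traditional "last matching entry wins" ordering with the optional file-type column (-d, --, ...) as a filter.

```python
import re

# Constructed excerpt in file_contexts.homedirs style (after HOME_DIR substitution).
# Line 4 deliberately uses a type that is not in KNOWN_TYPES, reproducing the
# "invalid context" condition from the relabel post.
HOMEDIRS_EXCERPT = r"""/home/[^/]+/.*                system_u:object_r:user_home_t:s0
/home/[^/]+               -d  system_u:object_r:user_home_dir_t:s0
/home/[^/]+/\.ssh(/.*)?       system_u:object_r:home_ssh_t:s0
/home/[^/]+/\.mozilla(/.*)?   user_u:object_r:user_mozilla_home_t:s0
/root(/.*)?                   system_u:object_r:admin_home_t:s0
"""

# Constructed stand-in for the types the loaded policy knows (cf. `seinfo -t`).
KNOWN_TYPES = {"user_home_t", "user_home_dir_t", "home_ssh_t", "admin_home_t"}

# file-type column of file_contexts -> single-letter mode used by match_context
FTYPE_CODES = {"-b": "b", "-c": "c", "-d": "d", "-p": "p", "-l": "l", "-s": "s", "--": "-"}

def parse_file_contexts(text):
    """Return [(lineno, regex, ftype or None, context)] for each non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        entries.append((lineno, regex, ftype, ctx))
    return entries

def invalid_contexts(entries, known_types):
    """Entries whose context is malformed or names a type the policy lacks,
    i.e. what fixfiles/setfiles reports as 'line N has invalid context'."""
    bad = []
    for lineno, _regex, _ftype, ctx in entries:
        if ctx == "<<none>>":  # explicit 'do not relabel' marker is always valid
            continue
        fields = ctx.split(":")
        if len(fields) < 3 or fields[2] not in known_types:
            bad.append((lineno, ctx))
    return bad

def match_context(entries, path, mode="-"):
    """Context a relabel would assign to `path` (mode: 'd' dir, '-' regular file, ...),
    or None when no entry matches. Assumption: last matching entry wins."""
    chosen = None
    for _lineno, regex, ftype, ctx in entries:
        if ftype is not None and FTYPE_CODES.get(ftype) != mode:
            continue
        if re.fullmatch(regex, path):
            chosen = None if ctx == "<<none>>" else ctx
    return chosen
```

Running invalid_contexts over the excerpt flags only line 4, which is the shape of the errors in the relabel post: the file_contexts.homedirs on disk references a type that the currently loaded policy no longer defines, so the file needs to be regenerated against the installed policy rather than patched by hand. match_context("/home/alice/.ssh/authorized_keys") resolves to home_ssh_t, the label the question above sees after an explicit restorecon.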
Root not allowed to use procmail??????
by Robert Nichols
Summary:
SELinux is preventing /usr/bin/procmail "read" access on /root/.procmailrc.
Additional Information:
Source Context system_u:system_r:procmail_t:s0
Target Context unconfined_u:object_r:admin_home_t:s0
Target Objects /root/.procmailrc [ file ]
Source procmail
Source Path /usr/bin/procmail
Port <Unknown>
Host omega-3a.local
Source RPM Packages procmail-3.22-25.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-106.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name catchall
Host Name omega-3a.local
Platform Linux omega-3a.local 2.6.32.10-90.fc12.x86_64 #1
SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Sun 04 Apr 2010 12:40:06 PM CDT
Last Seen Sun 04 Apr 2010 12:40:06 PM CDT
Local ID 3c358dab-c665-4cd2-83e1-f53bde028ed6
Line Numbers
Raw Audit Messages
node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
read } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
scontext=system_u:system_r:procmail_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=omega-3a.local type=AVC msg=audit(1270402806.932:37129): avc: denied {
open } for pid=13981 comm="procmail" name=".procmailrc" dev=sda2 ino=838
scontext=system_u:system_r:procmail_t:s0
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
node=omega-3a.local type=SYSCALL msg=audit(1270402806.932:37129): arch=c000003e
syscall=2 success=yes exit=4 a0=23ef320 a1=0 a2=0 a3=3a358800f0 items=0
ppid=13980 pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_r:procmail_t:s0 key=(null)
Summary:
SELinux is preventing /usr/bin/procmail "open" access on
/root/mail/procmail.log.
Additional Information:
Source Context system_u:system_r:procmail_t:s0
Target Context system_u:object_r:admin_home_t:s0
Target Objects /root/mail/procmail.log [ file ]
Source procmail
Source Path /usr/bin/procmail
Port <Unknown>
Host omega-3a.local
Source RPM Packages procmail-3.22-25.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-106.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name catchall
Host Name omega-3a.local
Platform Linux omega-3a.local 2.6.32.10-90.fc12.x86_64 #1
SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Alert Count 1
First Seen Sun 04 Apr 2010 12:40:06 PM CDT
Last Seen Sun 04 Apr 2010 12:40:06 PM CDT
Local ID b8607748-23c6-4ca1-a82f-2ad2ee1c5ac6
Line Numbers
Raw Audit Messages
node=omega-3a.local type=AVC msg=audit(1270402806.966:37130): avc: denied {
open } for pid=13981 comm="procmail" name="procmail.log" dev=sda2 ino=27007
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=file
node=omega-3a.local type=SYSCALL msg=audit(1270402806.966:37130): arch=c000003e
syscall=2 success=yes exit=6 a0=23f1200 a1=441 a2=1b7 a3=28 items=0 ppid=13980
pid=13981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="procmail" exe="/usr/bin/procmail"
subj=system_u:system_r:procmail_t:s0 key=(null)
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
14 years, 1 month
httpd mod_auth_pam winbind
by Vadym Chepkov
Hi,
I have selinux-policy-targeted-2.4.6-255.el5_4.4
allow_httpd_mod_auth_pam --> on
httpd_can_network_connect --> on
httpd with mod_auth_pam via winbind
gets the following avc when in "permissive" mode:
type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
audit2allow suggests simply:
allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };
Is something missing in the policy, or did I miss some other boolean?
Thank you.
Sincerely yours,
Vadym Chepkov
14 years, 1 month
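Three posts on this page lean on audit2allow: the Oracle instant client post asks what the "audit2allow -M oracle" recipe actually does, the execstack/execmem post asks whether those permissions can simply be allowed, and the httpd/mod_auth_pam post shows its one-line output. The following added example, which is not code from any of those posts or from the audit2allow tool itself, shows the core of what audit2allow does with AVC lines: extract the source type, target type, object class and permission set, and merge them into one allow rule per (source, target, class). The input is the four AVC lines from the httpd post plus one constructed execmem denial; flag_risky separates permissions that weaken memory protections (execmem, execstack, execheap, execmod), where a denial usually points at the binary or library rather than at a gap in policy. For a library that merely carries an executable-stack flag without needing it, clearing that flag with execstack -c is preferable to loosening the policy with allow_execstack.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC lines from the httpd/mod_auth_pam post (SYSCALL
# line abridged), plus one constructed execmem denial to exercise flag_risky.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 comm="httpd"
type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270000000.000:40): avc: denied { execmem } for pid=2040 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

# Permissions whose allow rule weakens W^X memory protection for the domain.
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Return [(source_type, target_type, tclass, perms)] for every AVC denial line."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types are skipped
            denials.append((type_of(m.group("scontext")), type_of(m.group("tcontext")),
                            m.group("tclass"), frozenset(m.group("perms").split())))
    return denials

def generate_allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class), as audit2allow does;
    a target equal to the source is written as 'self'."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

def flag_risky(denials):
    """(source_type, permission) pairs that deserve investigation rather than an allow rule."""
    return sorted({(stype, p) for stype, _, _, perms in denials for p in perms & RISKY_PERMS})
```

For the httpd lines the generated rule is exactly the one the post quotes, allow httpd_t self:netlink_audit_socket { create nlmsg_relay read write };, which is how the "tail -f audit.log | tee, audit2allow -M, semodule -i" recipe from the Oracle post ends up as a loadable module. The merge step is also why that recipe should be run on a short, targeted capture: every denial in the captured window, including the execmem one here, becomes an allow rule unless it is filtered out first.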
dovecot 2.0
by Paul Howarth
dovecot 2.0 renames some files from 1.x and needs some additional policy:
File contexts:
/etc/dovecot(/.*)?                  gen_context(system_u:object_r:dovecot_etc_t,s0)
/usr/libexec/dovecot/auth        -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
Rules:
type dovecot_tmp_t;
files_tmp_file(dovecot_tmp_t)
manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
allow dovecot_t self:capability kill;
allow dovecot_t dovecot_auth_t:process signal;
With those additions, I've got dovecot 2.0 running in my simple
PAM-based environment, leaving just the following AVC:
type=AVC msg=audit(1269955050.887:91063): avc: denied { write } for
pid=15315 comm="dovecot" name="dovecot.conf" dev=dm-6 ino=11454
scontext=unconfined_u:system_r:dovecot_t:s0
tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1269955050.887:91063): arch=c000003e syscall=42
success=no exit=-13 a0=4 a1=7fffa5620390 a2=6e a3=7fffa5620220 items=0
ppid=15314 pid=15315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts2 ses=2219 comm="dovecot" exe="/usr/sbin/dovecot"
subj=unconfined_u:system_r:dovecot_t:s0 key=(null)
I haven't figured out where that's coming from yet but it looks far too
suspicious to allow, and doesn't seem to break anything when it's not
allowed.
Paul.
14 years, 1 month