December 2012 - selinux - Fedora Mailing-Lists

clarification on seliniux type enforcement

by sruthi mohan

Hi, I logged in as user having privileges system_u user. I tried changing the type of cheese application on ubuntu to userdefined type. The camera device is of v4l_device_t type. But i am still able to access camera. Please let me know how do i restrict the usage of camera. Thanks in advance

11 years, 4 months

2
1
0 / 0

change mls label on network resources

by Andy Ruch

Hello, Is there any way to change the sensitivity/category on a network resource (interface, node, port) on a system without recompiling the policy? It appears that semanage only supports the label option for the 'user' subcommand. Running RHEL 6.2 Thanks, Andy Ruch

11 years, 4 months

2
1
0 / 0

Cleaning up semanage

by David Quigley

I've given a few talks on SELinux over the past year and I've spoken to a bunch of people on google+ about SELinux and one topic keeps coming up. Many people find semanage to be large and convoluted with the help text being way to large to sort through. The latter part of the complaint is easy to address. The code for argument parsing in semanage (last time I checked) doesn't use things like argparse. If we switched it over to argparse we could get per sub-command help messages that would be more useful to people when they messed up a sub-command. Would anyone be opposed if I spent the time to migrate semanage argument parsing and help messages over to argparse or a similar library? The second problem some people have is that semanage is a multiplexed command. I'm not sure what the right way to approach this is. If we look at other applications which are multiplexers we get a few examples. Busybox is the first example and covers most of the discussion. The two ways of invoking busybox is either busybox command_name arguments or command_name arguments where command_name is a symlink to the busybox binary. If we chose the latter way of handling it we would need to decide on one of two ways of naming the sub-commands. The first method would be to come up with a naming convention for the subcommands to avoid collisions like selogin for semanage login or seusers for semanage users etc. The second method would be to do what git use to do which is prepend the tool name onto the subcommand. For example semanage-fcontext, semanage-login, semanage-users etc... If we chose this route then we'd need to investigate what git's reason for moving away from it was and decide if it applies to our situation as well. If we convert over to argparse for argument parsing it should be trivial to do some processing on argv[0] to extract out a subcommand from a name and use the correct routines. I'm not sure that solving the second problem gets us substantial gains or if having help messages that are specific to each subcommand will help users more. Does anyone have any thoughts about this?

11 years, 4 months

5
12
0 / 0

sealert

by mark

Current CentOS 6.3 I get this. / is only 54%. SELinux is preventing /usr/bin/perl from using the sys_resource capability. ***** Plugin sys_resource (91.4 confidence) suggests *********************** If you do not want to get this AVC any longer. These AVC's are caused by running out of resources, usually disk space on your / partition. Then you must cleanup diskspace or make sure you are not running too many processes. Do clear up your disk. <snip> Could someone at least FIX THE TEXT? I mean, it's junior high school, at most: sentence fragments, etc. Now, the real reason for the AVC is something I've yet to look into.... mark, grammar ninja

11 years, 4 months

3
5
0 / 0

Re: sealert

by mark

Matthew Miller wrote: > On Fri, Dec 14, 2012 at 09:25:04AM -0500, m.roth(a)5-cent.us wrote: >> However, I also see that a user was running R, and oom-killer was >> invoked. My suspicion is that it's *not* disk space that's run out, as the >> message suggests, but rather that the system ran out of memory, and the sealert >> gave the wrong information. > > Is this F18? It's not putting these on /tmp, is it? As I left at the top of my email, CentOS 6.3, fully updated. mark

11 years, 4 months

1
0
0 / 0

SELinux Google+ Community

by David Quigley

I set up a community page on Google+ for SELinux. All of the cool kids seems to be using google+ now for open source related projects so I figured it would be nice to have a community page where people could post questions ,tutorials ,articles, etc...

11 years, 4 months

2
2
0 / 0

New AVCs Fedora 17

by David Highley

There seems to be a slew of avcs again lately, many of which are over net_admin which we now have many custom modules for. Below are the yet new ones after rebooting a system today. By the way, I'm sure there is away to tell when you no longer need the customized modules. Some fixes come quickly and we know that we can remove a module. In general they hang around until the next system upgrade where we start from scratch. There are a couple that we have not fixed or thought we had fixed. We have the below rule in a custom module for rsyslod already but saw this on the reboot. #============= syslogd_t ============== allow syslogd_t proc_net_t:file read; The issue seems to be involved with Gnome, not quite what we customize to fix the issue. #============= xdm_t ============== allow xdm_t default_t:lnk_file read; module junk 1.0; require { type sendmail_t; type syslogd_t; type default_t; type xdm_t; type var_yp_t; type sshdfilter_t; type ypbind_t; type passwd_file_t; type proc_net_t; type httpd_t; class process execmem; class capability net_admin; class tcp_socket create; class file read; class lnk_file read; class dir search; } #============= httpd_t ============== #!!!! This avc can be allowed using the boolean 'httpd_execmem' allow httpd_t self:process execmem; #============= sendmail_t ============== allow sendmail_t self:capability net_admin; #============= sshdfilter_t ============== allow sshdfilter_t passwd_file_t:file read; allow sshdfilter_t self:tcp_socket create; allow sshdfilter_t var_yp_t:dir search; #============= syslogd_t ============== allow syslogd_t proc_net_t:file read; #============= xdm_t ============== allow xdm_t default_t:lnk_file read; #============= ypbind_t ============== allow ypbind_t proc_net_t:file read; ---- time->Thu Dec 6 06:10:34 2012 type=SYSCALL msg=audit(1354803034.037:18): arch=c000003e syscall=21 success=no exit=-13 a0=7fff6d855e60 a1=4 a2=7fff6d855e6e a3=1c items=0 ppid=1 pid=833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null) type=AVC msg=audit(1354803034.037:18): avc: denied { read } for pid=833 comm="rsyslogd" name="unix" dev="proc" ino=4026531999 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file ---- time->Thu Dec 6 06:10:41 2012 type=SYSCALL msg=audit(1354803041.423:50): arch=c000003e syscall=21 success=no exit=-13 a0=7ffff7f5b7d0 a1=4 a2=7ffff7f5b7de a3=1c items=0 ppid=1 pid=1068 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ypbind" exe="/usr/sbin/ypbind" subj=system_u:system_r:ypbind_t:s0 key=(null) type=AVC msg=audit(1354803041.423:50): avc: denied { read } for pid=1068 comm="ypbind" name="unix" dev="proc" ino=4026531999 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file ---- time->Thu Dec 6 06:10:44 2012 type=SYSCALL msg=audit(1354803044.071:94): arch=c000003e syscall=16 success=no exit=-19 a0=4 a1=8933 a2=7fff0638b000 a3=1c items=0 ppid=1 pid=1281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null) type=AVC msg=audit(1354803044.071:94): avc: denied { net_admin } for pid=1281 comm="sendmail" capability=12 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.200:57): arch=c000003e syscall=16 success=no exit=-19 a0=4 a1=8933 a2=7fff07197d80 a3=1c items=0 ppid=1 pid=1087 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null) type=AVC msg=audit(1354803042.200:57): avc: denied { net_admin } for pid=1087 comm="sendmail" capability=12 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=capability ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.424:59): arch=c000003e syscall=9 success=no exit=-13 a0=7fe5bd000000 a1=270000 a2=7 a3=32 items=0 ppid=1 pid=1107 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/bin/java" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1354803042.424:59): avc: denied { execmem } for pid=1107 comm="java" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.975:64): arch=c000003e syscall=2 success=no exit=-13 a0=7fb87ddd76ca a1=80000 a2=1b6 a3=238 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.975:64): avc: denied { read } for pid=1206 comm="sh" name="passwd" dev="dm-1" ino=140024 scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.975:65): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9cd586f8 a1=0 a2=7fff9cd58721 a3=7fff9cd58470 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.975:65): avc: denied { search } for pid=1206 comm="sh" name="yp" dev="dm-1" ino=346 scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.975:66): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.975:66): avc: denied { create } for pid=1206 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.975:67): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.975:67): avc: denied { create } for pid=1206 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.975:68): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.975:68): avc: denied { create } for pid=1206 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.975:69): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1206 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.975:69): avc: denied { create } for pid=1206 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.978:70): arch=c000003e syscall=2 success=no exit=-13 a0=7fab786b76ca a1=80000 a2=1b6 a3=238 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.978:70): avc: denied { read } for pid=1210 comm="sh" name="passwd" dev="dm-1" ino=140024 scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.978:71): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3d234438 a1=0 a2=7fff3d234461 a3=7fff3d2341b0 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.978:71): avc: denied { search } for pid=1210 comm="sh" name="yp" dev="dm-1" ino=346 scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.978:72): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.978:72): avc: denied { create } for pid=1210 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.978:73): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.978:73): avc: denied { create } for pid=1210 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.978:74): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.978:74): avc: denied { create } for pid=1210 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket ---- time->Thu Dec 6 06:10:42 2012 type=SYSCALL msg=audit(1354803042.978:75): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=1 a2=6 a3=98 items=0 ppid=1205 pid=1210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:sshdfilter_t:s0 key=(null) type=AVC msg=audit(1354803042.978:75): avc: denied { create } for pid=1210 comm="sh" scontext=system_u:system_r:sshdfilter_t:s0 tcontext=system_u:system_r:sshdfilter_t:s0 tclass=tcp_socket ---- time->Thu Dec 6 06:10:58 2012 type=SYSCALL msg=audit(1354803058.098:114): arch=c000003e syscall=21 success=no exit=-13 a0=1a99c70 a1=0 a2=1dfb770 a3=7fff939317d0 items=0 ppid=1656 pid=1739 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=1 comm="gnome-shell" exe="/usr/bin/gnome-shell" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1354803058.098:114): avc: denied { read } for pid=1739 comm="gnome-shell" name="dhighley" dev="dm-1" ino=3014658 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file ---- time->Thu Dec 6 06:10:58 2012 type=SYSCALL msg=audit(1354803058.110:115): arch=c000003e syscall=21 success=no exit=-13 a0=2049b20 a1=0 a2=7f749c002b20 a3=7fff939317d0 items=0 ppid=1656 pid=1739 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=1 comm="gnome-shell" exe="/usr/bin/gnome-shell" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1354803058.110:115): avc: denied { read } for pid=1739 comm="gnome-shell" name="mhighley" dev="dm-1" ino=3014659 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file ---- time->Thu Dec 6 06:10:58 2012 type=SYSCALL msg=audit(1354803058.111:116): arch=c000003e syscall=21 success=no exit=-13 a0=2075400 a1=0 a2=7f749c002b20 a3=7fff93933c60 items=0 ppid=1656 pid=1739 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=1 comm="gnome-shell" exe="/usr/bin/gnome-shell" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1354803058.111:116): avc: denied { read } for pid=1739 comm="gnome-shell" name="mhighley" dev="dm-1" ino=3014659 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file

11 years, 4 months

1
0
0 / 0

semanage input file

by Andy Ruch

Hello, I'm trying to pass an input file to semanage as recommended in http://danwalsh.livejournal.com/41593.html. I'm using RHEL 6. I get the error "/usr/sbin/semanage: Could not start semanage transaction" when I execute the following: semanage -i - << _EOF user -l _EOF However, "semanage user -l" works just fine. Any suggestions? *Note that I'm just listing the users as an example of the concept. Thanks, Andy

11 years, 4 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2012