[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
Example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy'n paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 3 months
Poor error when loading policy module
by Moray Henderson
I'm updating a custom policy from CentOS 5 to CentOS 6. The module builds
successfully, but fails to load:
# semodule -i mypolicy.pp
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
It took me some time to work out that the error should have read:
File context already exists for /var/run/passenger: mypolicy.fc line 5
Now that I know there is already policy for Passenger, I can adjust mine
accordingly. Any chance of getting a more helpful version of the error
included in semodule?
Moray.
"To err is human; to purr, feline."
11 years, 3 months
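An added example, not part of the thread, of the duplicate-specification check Moray is asking semodule to report: it parses a module's .fc file and the installed file_contexts and flags any regex/file-type pair that the module maps to a different context than the one already installed (the case setfiles rejects with EINVAL, which is the "Invalid argument" in the post). The sample data is constructed; only the /var/run/passenger path comes from the post, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# File type flags that may sit between the regex and the context in an .fc line.
FTYPE_FLAGS = {"--", "-d", "-l", "-c", "-b", "-s", "-p"}
GEN_CONTEXT_RE = re.compile(r"gen_context\(([^,)]+)(?:,([^,)]+))?(?:,([^)]+))?\)")

Key = Tuple[str, str]  # (path regex, file type flag or "" for any type)

def parse_fc_line(line: str) -> Optional[Tuple[Key, str]]:
    """Parse one file_contexts/.fc line into ((regex, ftype), context).
    Returns None for blank and comment lines.  gen_context(ctx, level) macro
    calls are expanded to the plain ctx:level form found in file_contexts."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"unparseable file context line: {line!r}")
    regex = parts[0]
    ftype = ""
    if len(parts) >= 3 and parts[1] in FTYPE_FLAGS:
        ftype, ctx = parts[1], " ".join(parts[2:])
    else:
        ctx = " ".join(parts[1:])
    m = GEN_CONTEXT_RE.fullmatch(ctx)
    if m:
        ctx = m.group(1).strip() + (":" + m.group(2).strip() if m.group(2) else "")
    return (regex, ftype), ctx

def load_specs(text: str) -> Dict[Key, Tuple[int, str]]:
    """Map each (regex, ftype) to (line number, context)."""
    specs: Dict[Key, Tuple[int, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_fc_line(raw)
        if parsed:
            specs[parsed[0]] = (lineno, parsed[1])
    return specs

def find_conflicts(installed_text: str, module_text: str, module_name: str) -> List[str]:
    """Report module specs that re-map a regex/ftype already present in the
    installed file_contexts to a *different* context, the case setfiles
    rejects.  An identical duplicate is harmless and is not reported."""
    installed = load_specs(installed_text)
    messages = []
    for key, (lineno, ctx) in load_specs(module_text).items():
        if key in installed and installed[key][1] != ctx:
            messages.append(f"File context already exists for {key[0]}"
                            f" ({installed[key][1]}): {module_name} line {lineno}")
    return messages

# Constructed sample data.  The /var/run/passenger path is the one named in
# the thread; the type names and the other lines are made up for the demo.
INSTALLED_FILE_CONTEXTS = """\
/var/run(/.*)?\tsystem_u:object_r:var_run_t:s0
/var/run/passenger(/.*)?\tsystem_u:object_r:passenger_var_run_t:s0
/usr/bin/passenger.*\t--\tsystem_u:object_r:passenger_exec_t:s0
"""

MYPOLICY_FC = """\
# mypolicy.fc (constructed)
/etc/mypolicy(/.*)?\t\tgen_context(system_u:object_r:mypolicy_etc_t,s0)
/usr/sbin/mypolicyd\t--\tgen_context(system_u:object_r:mypolicy_exec_t,s0)
/var/log/mypolicy(/.*)?\t\tgen_context(system_u:object_r:mypolicy_log_t,s0)
/var/run/passenger(/.*)?\tgen_context(system_u:object_r:mypolicy_var_run_t,s0)
"""

if __name__ == "__main__":
    for msg in find_conflicts(INSTALLED_FILE_CONTEXTS, MYPOLICY_FC, "mypolicy.fc"):
        print(msg)
```

On a real system the installed text would be read from /etc/selinux/targeted/contexts/files/file_contexts, as in the error message above.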
3.9 -> 3.10 policy language syntax changes
by Mr Dash Four
I've noticed that in the new SELinux policy there are some (very welcome) additions to the language syntax, like if .. else statements. I also noticed that the gen_tunable has been replaced with gen_bool and so on.
Is there a definite guide (or even a changelog) where I could educate myself on these changes? Thanks!
11 years, 3 months
Add another one: the same sealert problem
by mark
I hadn't paid attention when one or two folks recently posted this (that
may have been on the CentOS list), but it's hit us, also:
$ sealert -l d1655210-f43c-4737-98dc-86b6aac82bb6
Entity: line 53: parser error : Input is not proper UTF-8, indicate
encoding !
Bytes: 0x99 0x3C 0x2F 0x74
<tpath>`</tpath>
^
failed to connect to server: xmlParseDoc() failed
I tried reinstalling sealert-server, but no joy. I can't really reboot
this server on a blind hope that doing so would fix it. Anyone have a clue
for a way to solve this?
Here's the report from the abrt full crash report:
analyze.py:426:lookup_signature:ProgramError: [Errno 1001] signature not
found
Traceback (most recent call last):
File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py",
line 401, in auto_save_callback
self.save()
File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py",
line 377, in save
self.prune()
File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py",
line 340, in prune
self.delete_signature(sig, prune=True)
File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py",
line 471, in delete_signature
siginfo = self.lookup_signature(sig)
File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py",
line 426, in lookup_signature
raise ProgramError(ERR_NO_SIGNATURE_MATCH)
ProgramError: [Errno 1001] signature not found
Local variables in innermost frame:
matches: []
siginfo: None
self: <setroubleshoot.analyze.SETroubleshootDatabase object at 0x1de8350>
sig: <setroubleshoot.signature.SEFaultSignature object at 0x6386950>
What signature is it looking for, and where?
mark
11 years, 3 months
Segfault while compiling refpolicy 2.20120215
by Johannes Segitz
Hi,
I'm currently experimenting with SELinux on Fedora 16. When I try to
compile refpolicy 2.20120215 I get this:
# make load
<snip>
/usr/sbin/semodule -s refpolicy -b
/usr/share/selinux/refpolicy/base.pp -i
/usr/share/selinux/refpolicy/abrt.pp -i
/usr/share/selinux/refpolicy/accountsd.pp -i
/usr/share/selinux/refpolicy/acct.pp -i
/usr/share/selinux/refpolicy/ada.pp -i
/usr/share/selinux/refpolicy/afs.pp -i
/usr/share/selinux/refpolicy/aiccu.pp -i
/usr/share/selinux/refpolicy/aide.pp -i
/usr/share/selinux/refpolicy/aisexec.pp -i
/usr/share/selinux/refpolicy/alsa.pp -i
/usr/share/selinux/refpolicy/amanda.pp -i
/usr/share/selinux/refpolicy/amavis.pp -i
/usr/share/selinux/refpolicy/amtu.pp -i
/usr/share/selinux/refpolicy/anaconda.pp -i
/usr/share/selinux/refpolicy/apache.pp -i
/usr/share/selinux/refpolicy/apcupsd.pp -i
/usr/share/selinux/refpolicy/apm.pp -i
/usr/share/selinux/refpolicy/application.pp -i
/usr/share/selinux/refpolicy/apt.pp -i
/usr/share/selinux/refpolicy/arpwatch.pp -i
/usr/share/selinux/refpolicy/asterisk.pp -i
/usr/share/selinux/refpolicy/auditadm.pp -i
/usr/share/selinux/refpolicy/authbind.pp -i
/usr/share/selinux/refpolicy/authlogin.pp -i
/usr/share/selinux/refpolicy/automount.pp -i
/usr/share/selinux/refpolicy/avahi.pp -i
/usr/share/selinux/refpolicy/awstats.pp -i
/usr/share/selinux/refpolicy/backup.pp -i
/usr/share/selinux/refpolicy/bind.pp -i
/usr/share/selinux/refpolicy/bitlbee.pp -i
/usr/share/selinux/refpolicy/bluetooth.pp -i
/usr/share/selinux/refpolicy/bootloader.pp -i
/usr/share/selinux/refpolicy/brctl.pp -i
/usr/share/selinux/refpolicy/bugzilla.pp -i
/usr/share/selinux/refpolicy/calamaris.pp -i
/usr/share/selinux/refpolicy/canna.pp -i
/usr/share/selinux/refpolicy/ccs.pp -i
/usr/share/selinux/refpolicy/cdrecord.pp -i
/usr/share/selinux/refpolicy/certmaster.pp -i
/usr/share/selinux/refpolicy/certmonger.pp -i
/usr/share/selinux/refpolicy/certwatch.pp -i
/usr/share/selinux/refpolicy/cgroup.pp -i
/usr/share/selinux/refpolicy/chronyd.pp -i
/usr/share/selinux/refpolicy/cipe.pp -i
/usr/share/selinux/refpolicy/clamav.pp -i
/usr/share/selinux/refpolicy/clock.pp -i
/usr/share/selinux/refpolicy/clockspeed.pp -i
/usr/share/selinux/refpolicy/clogd.pp -i
/usr/share/selinux/refpolicy/cmirrord.pp -i
/usr/share/selinux/refpolicy/cobbler.pp -i
/usr/share/selinux/refpolicy/colord.pp -i
/usr/share/selinux/refpolicy/comsat.pp -i
/usr/share/selinux/refpolicy/consolekit.pp -i
/usr/share/selinux/refpolicy/consoletype.pp -i
/usr/share/selinux/refpolicy/corosync.pp -i
/usr/share/selinux/refpolicy/courier.pp -i
/usr/share/selinux/refpolicy/cpucontrol.pp -i
/usr/share/selinux/refpolicy/cpufreqselector.pp -i
/usr/share/selinux/refpolicy/cron.pp -i
/usr/share/selinux/refpolicy/cups.pp -i
/usr/share/selinux/refpolicy/cvs.pp -i
/usr/share/selinux/refpolicy/cyphesis.pp -i
/usr/share/selinux/refpolicy/cyrus.pp -i
/usr/share/selinux/refpolicy/daemontools.pp -i
/usr/share/selinux/refpolicy/dante.pp -i
/usr/share/selinux/refpolicy/dbadm.pp -i
/usr/share/selinux/refpolicy/dbskk.pp -i
/usr/share/selinux/refpolicy/dbus.pp -i
/usr/share/selinux/refpolicy/dcc.pp -i
/usr/share/selinux/refpolicy/ddclient.pp -i
/usr/share/selinux/refpolicy/ddcprobe.pp -i
/usr/share/selinux/refpolicy/denyhosts.pp -i
/usr/share/selinux/refpolicy/devicekit.pp -i
/usr/share/selinux/refpolicy/dhcp.pp -i
/usr/share/selinux/refpolicy/dictd.pp -i
/usr/share/selinux/refpolicy/distcc.pp -i
/usr/share/selinux/refpolicy/djbdns.pp -i
/usr/share/selinux/refpolicy/dkim.pp -i
/usr/share/selinux/refpolicy/dmesg.pp -i
/usr/share/selinux/refpolicy/dmidecode.pp -i
/usr/share/selinux/refpolicy/dnsmasq.pp -i
/usr/share/selinux/refpolicy/dovecot.pp -i
/usr/share/selinux/refpolicy/dpkg.pp -i
/usr/share/selinux/refpolicy/entropyd.pp -i
/usr/share/selinux/refpolicy/evolution.pp -i
/usr/share/selinux/refpolicy/exim.pp -i
/usr/share/selinux/refpolicy/fail2ban.pp -i
/usr/share/selinux/refpolicy/fetchmail.pp -i
/usr/share/selinux/refpolicy/finger.pp -i
/usr/share/selinux/refpolicy/firstboot.pp -i
/usr/share/selinux/refpolicy/fprintd.pp -i
/usr/share/selinux/refpolicy/fstools.pp -i
/usr/share/selinux/refpolicy/ftp.pp -i
/usr/share/selinux/refpolicy/games.pp -i
/usr/share/selinux/refpolicy/gatekeeper.pp -i
/usr/share/selinux/refpolicy/getty.pp -i
/usr/share/selinux/refpolicy/gift.pp -i
/usr/share/selinux/refpolicy/git.pp -i
/usr/share/selinux/refpolicy/gitosis.pp -i
/usr/share/selinux/refpolicy/glance.pp -i
/usr/share/selinux/refpolicy/gnome.pp -i
/usr/share/selinux/refpolicy/gnomeclock.pp -i
/usr/share/selinux/refpolicy/gpg.pp -i
/usr/share/selinux/refpolicy/gpm.pp -i
/usr/share/selinux/refpolicy/gpsd.pp -i
/usr/share/selinux/refpolicy/guest.pp -i
/usr/share/selinux/refpolicy/hadoop.pp -i
/usr/share/selinux/refpolicy/hal.pp -i
/usr/share/selinux/refpolicy/hddtemp.pp -i
/usr/share/selinux/refpolicy/hostname.pp -i
/usr/share/selinux/refpolicy/hotplug.pp -i
/usr/share/selinux/refpolicy/howl.pp -i
/usr/share/selinux/refpolicy/i18n_input.pp -i
/usr/share/selinux/refpolicy/icecast.pp -i
/usr/share/selinux/refpolicy/ifplugd.pp -i
/usr/share/selinux/refpolicy/imaze.pp -i
/usr/share/selinux/refpolicy/inetd.pp -i
/usr/share/selinux/refpolicy/init.pp -i
/usr/share/selinux/refpolicy/inn.pp -i
/usr/share/selinux/refpolicy/ipsec.pp -i
/usr/share/selinux/refpolicy/iptables.pp -i
/usr/share/selinux/refpolicy/irc.pp -i
/usr/share/selinux/refpolicy/ircd.pp -i
/usr/share/selinux/refpolicy/irqbalance.pp -i
/usr/share/selinux/refpolicy/iscsi.pp -i
/usr/share/selinux/refpolicy/jabber.pp -i
/usr/share/selinux/refpolicy/java.pp -i
/usr/share/selinux/refpolicy/kdump.pp -i
/usr/share/selinux/refpolicy/kdumpgui.pp -i
/usr/share/selinux/refpolicy/kerberos.pp -i
/usr/share/selinux/refpolicy/kerneloops.pp -i
/usr/share/selinux/refpolicy/kismet.pp -i
/usr/share/selinux/refpolicy/ksmtuned.pp -i
/usr/share/selinux/refpolicy/ktalk.pp -i
/usr/share/selinux/refpolicy/kudzu.pp -i
/usr/share/selinux/refpolicy/ldap.pp -i
/usr/share/selinux/refpolicy/libraries.pp -i
/usr/share/selinux/refpolicy/likewise.pp -i
/usr/share/selinux/refpolicy/lircd.pp -i
/usr/share/selinux/refpolicy/livecd.pp -i
/usr/share/selinux/refpolicy/loadkeys.pp -i
/usr/share/selinux/refpolicy/locallogin.pp -i
/usr/share/selinux/refpolicy/lockdev.pp -i
/usr/share/selinux/refpolicy/logadm.pp -i
/usr/share/selinux/refpolicy/logging.pp -i
/usr/share/selinux/refpolicy/logrotate.pp -i
/usr/share/selinux/refpolicy/logwatch.pp -i
/usr/share/selinux/refpolicy/lpd.pp -i
/usr/share/selinux/refpolicy/lvm.pp -i
/usr/share/selinux/refpolicy/mailman.pp -i
/usr/share/selinux/refpolicy/mcelog.pp -i
/usr/share/selinux/refpolicy/mediawiki.pp -i
/usr/share/selinux/refpolicy/memcached.pp -i
/usr/share/selinux/refpolicy/milter.pp -i
/usr/share/selinux/refpolicy/miscfiles.pp -i
/usr/share/selinux/refpolicy/modemmanager.pp -i
/usr/share/selinux/refpolicy/modutils.pp -i
/usr/share/selinux/refpolicy/mojomojo.pp -i
/usr/share/selinux/refpolicy/mono.pp -i
/usr/share/selinux/refpolicy/monop.pp -i
/usr/share/selinux/refpolicy/mount.pp -i
/usr/share/selinux/refpolicy/mozilla.pp -i
/usr/share/selinux/refpolicy/mpd.pp -i
/usr/share/selinux/refpolicy/mplayer.pp -i
/usr/share/selinux/refpolicy/mrtg.pp -i
/usr/share/selinux/refpolicy/mta.pp -i
/usr/share/selinux/refpolicy/munin.pp -i
/usr/share/selinux/refpolicy/mysql.pp -i
/usr/share/selinux/refpolicy/nagios.pp -i
/usr/share/selinux/refpolicy/ncftool.pp -i
/usr/share/selinux/refpolicy/nessus.pp -i
/usr/share/selinux/refpolicy/netlabel.pp -i
/usr/share/selinux/refpolicy/netutils.pp -i
/usr/share/selinux/refpolicy/networkmanager.pp -i
/usr/share/selinux/refpolicy/nis.pp -i
/usr/share/selinux/refpolicy/nscd.pp -i
/usr/share/selinux/refpolicy/nsd.pp -i
/usr/share/selinux/refpolicy/nslcd.pp -i
/usr/share/selinux/refpolicy/ntop.pp -i
/usr/share/selinux/refpolicy/ntp.pp -i
/usr/share/selinux/refpolicy/nut.pp -i
/usr/share/selinux/refpolicy/nx.pp -i
/usr/share/selinux/refpolicy/oav.pp -i
/usr/share/selinux/refpolicy/oddjob.pp -i
/usr/share/selinux/refpolicy/oident.pp -i
/usr/share/selinux/refpolicy/openca.pp -i
/usr/share/selinux/refpolicy/openct.pp -i
/usr/share/selinux/refpolicy/openvpn.pp -i
/usr/share/selinux/refpolicy/pads.pp -i
/usr/share/selinux/refpolicy/passenger.pp -i
/usr/share/selinux/refpolicy/pcmcia.pp -i
/usr/share/selinux/refpolicy/pcscd.pp -i
/usr/share/selinux/refpolicy/pegasus.pp -i
/usr/share/selinux/refpolicy/perdition.pp -i
/usr/share/selinux/refpolicy/pingd.pp -i
/usr/share/selinux/refpolicy/plymouthd.pp -i
/usr/share/selinux/refpolicy/podsleuth.pp -i
/usr/share/selinux/refpolicy/policykit.pp -i
/usr/share/selinux/refpolicy/portage.pp -i
/usr/share/selinux/refpolicy/portmap.pp -i
/usr/share/selinux/refpolicy/portreserve.pp -i
/usr/share/selinux/refpolicy/portslave.pp -i
/usr/share/selinux/refpolicy/postfix.pp -i
/usr/share/selinux/refpolicy/postfixpolicyd.pp -i
/usr/share/selinux/refpolicy/postgresql.pp -i
/usr/share/selinux/refpolicy/postgrey.pp -i
/usr/share/selinux/refpolicy/ppp.pp -i
/usr/share/selinux/refpolicy/prelink.pp -i
/usr/share/selinux/refpolicy/prelude.pp -i
/usr/share/selinux/refpolicy/privoxy.pp -i
/usr/share/selinux/refpolicy/procmail.pp -i
/usr/share/selinux/refpolicy/psad.pp -i
/usr/share/selinux/refpolicy/ptchown.pp -i
/usr/share/selinux/refpolicy/publicfile.pp -i
/usr/share/selinux/refpolicy/pulseaudio.pp -i
/usr/share/selinux/refpolicy/puppet.pp -i
/usr/share/selinux/refpolicy/pxe.pp -i
/usr/share/selinux/refpolicy/pyicqt.pp -i
/usr/share/selinux/refpolicy/pyzor.pp -i
/usr/share/selinux/refpolicy/qemu.pp -i
/usr/share/selinux/refpolicy/qmail.pp -i
/usr/share/selinux/refpolicy/qpid.pp -i
/usr/share/selinux/refpolicy/quota.pp -i
/usr/share/selinux/refpolicy/radius.pp -i
/usr/share/selinux/refpolicy/radvd.pp -i
/usr/share/selinux/refpolicy/raid.pp -i
/usr/share/selinux/refpolicy/razor.pp -i
/usr/share/selinux/refpolicy/rdisc.pp -i
/usr/share/selinux/refpolicy/readahead.pp -i
/usr/share/selinux/refpolicy/remotelogin.pp -i
/usr/share/selinux/refpolicy/resmgr.pp -i
/usr/share/selinux/refpolicy/rgmanager.pp -i
/usr/share/selinux/refpolicy/rhcs.pp -i
/usr/share/selinux/refpolicy/rhgb.pp -i
/usr/share/selinux/refpolicy/rhsmcertd.pp -i
/usr/share/selinux/refpolicy/ricci.pp -i
/usr/share/selinux/refpolicy/rlogin.pp -i
/usr/share/selinux/refpolicy/roundup.pp -i
/usr/share/selinux/refpolicy/rpc.pp -i
/usr/share/selinux/refpolicy/rpcbind.pp -i
/usr/share/selinux/refpolicy/rpm.pp -i
/usr/share/selinux/refpolicy/rshd.pp -i
/usr/share/selinux/refpolicy/rssh.pp -i
/usr/share/selinux/refpolicy/rsync.pp -i
/usr/share/selinux/refpolicy/rtkit.pp -i
/usr/share/selinux/refpolicy/rwho.pp -i
/usr/share/selinux/refpolicy/samba.pp -i
/usr/share/selinux/refpolicy/sambagui.pp -i
/usr/share/selinux/refpolicy/samhain.pp -i
/usr/share/selinux/refpolicy/sanlock.pp -i
/usr/share/selinux/refpolicy/sasl.pp -i
/usr/share/selinux/refpolicy/sblim.pp -i
/usr/share/selinux/refpolicy/screen.pp -i
/usr/share/selinux/refpolicy/secadm.pp -i
/usr/share/selinux/refpolicy/sectoolm.pp -i
/usr/share/selinux/refpolicy/selinuxutil.pp -i
/usr/share/selinux/refpolicy/sendmail.pp -i
/usr/share/selinux/refpolicy/setrans.pp -i
/usr/share/selinux/refpolicy/setroubleshoot.pp -i
/usr/share/selinux/refpolicy/seunshare.pp -i
/usr/share/selinux/refpolicy/shorewall.pp -i
/usr/share/selinux/refpolicy/shutdown.pp -i
/usr/share/selinux/refpolicy/slocate.pp -i
/usr/share/selinux/refpolicy/slrnpull.pp -i
/usr/share/selinux/refpolicy/smartmon.pp -i
/usr/share/selinux/refpolicy/smokeping.pp -i
/usr/share/selinux/refpolicy/smoltclient.pp -i
/usr/share/selinux/refpolicy/snmp.pp -i
/usr/share/selinux/refpolicy/snort.pp -i
/usr/share/selinux/refpolicy/sosreport.pp -i
/usr/share/selinux/refpolicy/soundserver.pp -i
/usr/share/selinux/refpolicy/spamassassin.pp -i
/usr/share/selinux/refpolicy/speedtouch.pp -i
/usr/share/selinux/refpolicy/squid.pp -i
/usr/share/selinux/refpolicy/ssh.pp -i
/usr/share/selinux/refpolicy/sssd.pp -i
/usr/share/selinux/refpolicy/staff.pp -i
/usr/share/selinux/refpolicy/storage.pp -i
/usr/share/selinux/refpolicy/stunnel.pp -i
/usr/share/selinux/refpolicy/su.pp -i
/usr/share/selinux/refpolicy/sudo.pp -i
/usr/share/selinux/refpolicy/sxid.pp -i
/usr/share/selinux/refpolicy/sysadm.pp -i
/usr/share/selinux/refpolicy/sysnetwork.pp -i
/usr/share/selinux/refpolicy/sysstat.pp -i
/usr/share/selinux/refpolicy/tcpd.pp -i
/usr/share/selinux/refpolicy/tcsd.pp -i
/usr/share/selinux/refpolicy/telepathy.pp -i
/usr/share/selinux/refpolicy/telnet.pp -i
/usr/share/selinux/refpolicy/tftp.pp -i
/usr/share/selinux/refpolicy/tgtd.pp -i
/usr/share/selinux/refpolicy/thunderbird.pp -i
/usr/share/selinux/refpolicy/timidity.pp -i
/usr/share/selinux/refpolicy/tmpreaper.pp -i
/usr/share/selinux/refpolicy/tor.pp -i
/usr/share/selinux/refpolicy/transproxy.pp -i
/usr/share/selinux/refpolicy/tripwire.pp -i
/usr/share/selinux/refpolicy/tuned.pp -i
/usr/share/selinux/refpolicy/tvtime.pp -i
/usr/share/selinux/refpolicy/tzdata.pp -i
/usr/share/selinux/refpolicy/ucspitcp.pp -i
/usr/share/selinux/refpolicy/udev.pp -i
/usr/share/selinux/refpolicy/ulogd.pp -i
/usr/share/selinux/refpolicy/uml.pp -i
/usr/share/selinux/refpolicy/unconfined.pp -i
/usr/share/selinux/refpolicy/unprivuser.pp -i
/usr/share/selinux/refpolicy/updfstab.pp -i
/usr/share/selinux/refpolicy/uptime.pp -i
/usr/share/selinux/refpolicy/usbmodules.pp -i
/usr/share/selinux/refpolicy/usbmuxd.pp -i
/usr/share/selinux/refpolicy/userdomain.pp -i
/usr/share/selinux/refpolicy/userhelper.pp -i
/usr/share/selinux/refpolicy/usermanage.pp -i
/usr/share/selinux/refpolicy/usernetctl.pp -i
/usr/share/selinux/refpolicy/uucp.pp -i
/usr/share/selinux/refpolicy/uuidd.pp -i
/usr/share/selinux/refpolicy/uwimap.pp -i
/usr/share/selinux/refpolicy/varnishd.pp -i
/usr/share/selinux/refpolicy/vbetool.pp -i
/usr/share/selinux/refpolicy/vdagent.pp -i
/usr/share/selinux/refpolicy/vhostmd.pp -i
/usr/share/selinux/refpolicy/virt.pp -i
/usr/share/selinux/refpolicy/vlock.pp -i
/usr/share/selinux/refpolicy/vmware.pp -i
/usr/share/selinux/refpolicy/vnstatd.pp -i
/usr/share/selinux/refpolicy/vpn.pp -i
/usr/share/selinux/refpolicy/w3c.pp -i
/usr/share/selinux/refpolicy/watchdog.pp -i
/usr/share/selinux/refpolicy/webadm.pp -i
/usr/share/selinux/refpolicy/webalizer.pp -i
/usr/share/selinux/refpolicy/wine.pp -i
/usr/share/selinux/refpolicy/wireshark.pp -i
/usr/share/selinux/refpolicy/wm.pp -i
/usr/share/selinux/refpolicy/xen.pp -i
/usr/share/selinux/refpolicy/xfs.pp -i
/usr/share/selinux/refpolicy/xguest.pp -i
/usr/share/selinux/refpolicy/xprint.pp -i
/usr/share/selinux/refpolicy/xscreensaver.pp -i
/usr/share/selinux/refpolicy/xserver.pp -i
/usr/share/selinux/refpolicy/yam.pp -i
/usr/share/selinux/refpolicy/zabbix.pp -i
/usr/share/selinux/refpolicy/zarafa.pp -i
/usr/share/selinux/refpolicy/zebra.pp -i
/usr/share/selinux/refpolicy/zosremote.pp
make: *** [load] Segmentation fault (core dumped)
Abrt data is available at http://www.segitz.de/abrt.tar.bz2. Any hints?
Johannes
11 years, 3 months
VirtualGL/TurboVNC and selinux
by Mark Dalton
I was not able to get VirtualGL and selinux to work together.
It is something during boot time it seems. I have tried generating
rules based on audit/audit.log.
The VirtualGL web http://www.virtualgl.org/Documentation/RHEL6
states they don't know how to make it work either.
I have tried in permissive mode after boot and that did not work either,
which is why I think it is something during boot time. Like the device
setup. My guess is related to: /dev/dri as it sets up these and then
access to the /dev/nvidia0 and /dev/nvidiactl are restricted to vglusers
group (in my case it can be configured with/without group restriction).
From the VirtualGL website they also have:
vglgenkey Issues
Currently, the only known way to make vglgenkey work (vglgenkey is used
to grant 3D X Server access to members of the vglusers group) is to
disable SELinux. With SELinux enabled, the /usr/bin/xauth file is
hidden within the context of the GDM startup scripts, so vglgenkey has
no way of generating or importing an xauth key
to /etc/opt/VirtualGL/vgl_xauth_key (and, for that matter, access is
denied to /etc/opt/VirtualGL/ as well.)
Perhaps someone with a greater knowledge of SELinux can explain how to
disable enforcement only for GDM and not the whole system.
I had reinstalled that previous machine and don't
have the other rules I applied.
I repeated this on another machine, and did not run any audit2allow.
Also there are 2 problems:
1. Boot time problem with the VirtualGL which seems to generate a
avc message. (Fails if the machine is not booted in permissive or
disabled mode)
2. A problem with xauth when setenforce is enforcing.
(This works if setenforce is permissive or disabled regardless
of the boot time settings).
The machine policy is set to targeted.
Attached is the longer data with strace. The xauth does not seem
to generate any audit.log messages even with semodule -DB, but if
I turn selinux to permissive the xauth commands succeed.
To clarify:
- It works if the system is booted with /etc/selinux/config
SELINUX=permissive
or
SELINUX=disable
- It fails if the system is booted with /etc/selinux/config
SELINUX=enforcing
* Even if after the boot 'setenforce 0' is run
- My
I do get avc message, note this is running in permissive mode.
[root@amelie mdalton]# grep -i avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28
auid=0 ses=3756 subj=system_u:system_r:nscd_t:s0 msg='avc: received
policyload notice (seqno=4) : exe="?" sauid=28 hostname=? addr=?
terminal=?'
[root@amelie mdalton]# ls -Z /dev/dri /dev/nvidia*
ls: cannot access /dev/dri: No such file or directory
crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidia0
crw-rw----. root vglusers system_u:object_r:device_t:s0 /dev/nvidiactl
Mark
11 years, 3 months
Policy version mismatch
by Moray Henderson
I've got a policy module which works fine when I build and load it on CentOS
5. When I build and try to load it on CentOS 6 it complains:
SELinux: Could not downgrade policy file
/etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux: Could not open policy file <=
/etc/selinux/targeted/policy/policy.24: No such file or directory
There's nothing in the policy source specifying version so I would have
expected the module automatically to build for the correct policy version
when built on CentOS 6. Any pointers where to look or what to do next?
Moray.
"To err is human; to purr, feline."
11 years, 3 months
dovecot and allow_ypbind
by lejeczek
Hi everybody,
I wonder why dovecot, when run with the spool in users' homes,
would need allow_ypbind=1.
Would you know?
thanks!
11 years, 3 months
ImportError: No module named selinux
by Mr Dash Four
I am trying to compile and build version 3.10.0-86 of the selinux policy, but during compilation I get the following:
/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
/usr/bin/sepolgen-ifgen -p tmp/policy.bin -i policy -o tmp/output
Traceback (most recent call last):
File "/usr/bin/sepolgen-ifgen", line 34, in <module>
import selinux
ImportError: No module named selinux
make: *** [validate] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)
What could be the cause for this?
11 years, 4 months
EL6: procmail vs. /home/*/bin/shellscript.sh
by Chuck Anderson
I'm using EL 6.2 with sendmail & procmail. I'm having trouble with
calling custom scripts in my home directory from .procmailrc such as
this recipe:
######################################################
#
# BACKUP INCOMING MAIL
#
# Stores the last 16 messages in a backup folder.
# "Just in Case"
#
# Create a folder in your $MAILDIR called "backup"
# BEFORE you execute this procmail recipe.
#
:0 c
backup
:0 ic
| /home/cra/bin/procmail-prune-backup-msg
The script is labeled with home_bin_t:
-rwxr-xr-x. cra cra system_u:object_r:home_bin_t:s0 /home/cra/bin/procmail-prune-backup-msg
which is a Bourne Shell script similar to this:
#!/bin/sh
cd /home/cra/mail/backup
/bin/ls -t | /bin/grep ^msg\. | /bin/sed -e 1,256d | /usr/bin/xargs -n 256 /bin/rm -f
In my procmail log I get:
/bin/sh: /home/cra/bin/procmail-prune-backup-msg: Permission denied
It works if I "setenforce 0".
With Enforcing, here is the AVC I get (after enabling dontaudit rules
with semodule -DB):
# ausearch -i -m AVC
type=SYSCALL msg=audit(05/17/2012 19:17:15.773:273) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=1c8d460 a1=0 a2=1c8d487 a3=28 items=0 ppid=5252 pid=5257 auid=root uid=cra gid=cra euid=cra suid=cra fsuid=cra egid=cra sgid=cra fsgid=cra tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc: denied { search } for pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=dir
I did a bunch of research on this and found this old changelog entry
and the discussions/bugzillas leading up to it:
#rpm -q selinux-policy
selinux-policy-3.7.19-126.el6_2.10.noarch
#rpm -q --changelog selinux-policy
...
* Tue May 25 2010 Dan Walsh <dwalsh(a)redhat.com> 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
Was there a recent regression that broke this functionality or did it
not really make it into Enterprise Linux despite this changelog? Any
ideas on how to fix this cleanly without having to disable Enforcing
mode?
Thanks.
11 years, 4 months
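An added example, not from either thread, of the parsing a reader of these AVC messages ends up doing by hand: it takes audit records like the procmail denial above and the USER_AVC notice from the VirtualGL thread, extracts the source and target contexts, class and permissions, and builds the allow rule audit2allow would propose so it can be judged before anything is loaded. The sample records are re-typed from the page; the function and class names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records: the AVC line re-types the denial quoted in the
# procmail thread, the USER_AVC line the policyload notice from the VirtualGL
# thread.  Real input would be `ausearch -i -m AVC` or /var/log/audit/audit.log.
SAMPLE_RECORDS = [
    "type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc: denied { search } "
    "for pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 "
    "scontext=unconfined_u:system_r:procmail_t:s0 "
    "tcontext=user_u:object_r:home_bin_t:s0 tclass=dir",
    "type=USER_AVC msg=audit(1331199802.711:70545): user pid=4970 uid=28 "
    "subj=system_u:system_r:nscd_t:s0 msg='avc: received policyload notice "
    "(seqno=4) : exe=\"?\" sauid=28 hostname=? addr=? terminal=?'",
]

@dataclass
class SEContext:
    user: str
    role: str
    setype: str
    level: Optional[str]  # MLS/MCS range; absent on non-MLS policies

def parse_context(ctx: str) -> SEContext:
    """Split user:role:type[:range]; the range part may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return SEContext(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)

@dataclass
class AvcDenial:
    perms: List[str]
    scontext: SEContext
    tcontext: SEContext
    tclass: str
    fields: Dict[str, str]  # every key=value after "for" (pid, comm, name, ...)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_denial(line: str) -> Optional[AvcDenial]:
    """Return the denial carried by an AVC record, or None for SYSCALL,
    USER_AVC, granted and other records that describe no denial."""
    if not line.startswith("type=AVC "):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    if missing:
        raise ValueError(f"AVC record lacks {missing}: {line!r}")
    return AvcDenial(perms=m.group("perms").split(),
                     scontext=parse_context(fields["scontext"]),
                     tcontext=parse_context(fields["tcontext"]),
                     tclass=fields["tclass"], fields=fields)

def proposed_rule(d: AvcDenial) -> str:
    """The allow rule audit2allow would propose for this denial, shown so a
    policy writer can decide whether the access is intended before adding it."""
    return (f"allow {d.scontext.setype} {d.tcontext.setype}:{d.tclass} "
            f"{{ {' '.join(d.perms)} }};")

def summarize(lines: List[str]) -> Counter:
    """Count denials by (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for d in filter(None, map(parse_avc_denial, lines)):
        for perm in d.perms:
            counts[(d.scontext.setype, d.tcontext.setype, d.tclass, perm)] += 1
    return counts
```

For the procmail denial the proposed rule is `allow procmail_t home_bin_t:dir { search };`, which is exactly the access the 3.7.19-22 changelog entry claims is already granted, so the summary is what to compare against `sesearch` output before deciding it is a regression.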