[sandbox] modifying the Xephyr window title (patch)
by Christoph A.
Hi,
If most of your windows are sandboxed applications, your bar looks like:
[Sandbox sandbo..] [Sandbox sandbo..] [Sandbox sandbo..]
and it is hard to find a specific application.
example of a current Xephyr title:
Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox
with the modification in the attached patch, titles will look like:
/usr/bin/firefox (sandbox_web_t)
and it should be easier to find a specific application.
In addition to the type, I would find it handy to also include the
DISPLAY in the title (needed when using xsel for copy and paste).
The second patch only adds '-nolisten tcp' to Xephyr, but if there are
use cases where one needs Xephyr to open a listener, this patch will
break things.
regards,
Christoph A.
btw: secon's manpage doesn't contain the '-l' option.
11 years, 9 months
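As an added example (not code from the post or from the attached patch), here is the title rewrite the post describes, in Python: the current "Sandbox <context> -- <command>" string is parsed and rebuilt as "<command> (<type>)", with an optional DISPLAY suffix for the xsel use case. The bracketed form for the display and the function names are this example's own choices.

```python
import re

# Constructed sample, modelled on the title format quoted in the post.
OLD_TITLE = "Sandbox sandbox_web_t:s0:c112,c991 -- /usr/bin/firefox"

# Current format: "Sandbox <context> -- <command line>"
_TITLE_RE = re.compile(r"^Sandbox (?P<ctx>\S+) -- (?P<cmd>.+)$")


def parse_sandbox_title(title):
    """Split the current Xephyr title into (security context, command)."""
    m = _TITLE_RE.match(title)
    if m is None:
        raise ValueError("not a sandbox window title: %r" % (title,))
    return m.group("ctx"), m.group("cmd")


def context_type(ctx):
    """Return the SELinux type from a context string.

    The title in the post carries only type:range
    (sandbox_web_t:s0:c112,c991); a full user:role:type:range context
    is accepted as well, so the first field ending in '_t' is the type.
    """
    for field in ctx.split(":"):
        if field.endswith("_t"):
            return field
    raise ValueError("no type in context %r" % (ctx,))


def new_title(old_title, display=None):
    """Rebuild the title as '<command> (<type>)', optionally with DISPLAY.

    The '[:N]' suffix for the display is this example's own choice; the
    post only asks for the DISPLAY to be included.
    """
    ctx, cmd = parse_sandbox_title(old_title)
    title = "%s (%s)" % (cmd, context_type(ctx))
    if display:
        title += " [%s]" % (display,)
    return title


if __name__ == "__main__":
    print(new_title(OLD_TITLE))        # /usr/bin/firefox (sandbox_web_t)
    print(new_title(OLD_TITLE, ":1"))  # /usr/bin/firefox (sandbox_web_t) [:1]
```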
software update & SELinux libraries
by Lowell
Hi!
Three times over the last few days, the Software Update program has
announced that it has 10 updates it wants to install. I okay this,
provide the password to approve it, the program gets the list of pkgs.
(a few SELinux libraries, a microcode reader, an ffmpeg lib, among
others) downloads, attempts to install, fails and closes; the details
say "Fail;fail".
This is Fedora 17 64-bit Gnome on a Toshiba Satellite A665.
Thought you might like to know of this.
thx
Lowell Premer
11 years, 9 months
Unable to activate SELinux (on RHEL 6.2)
by Simon Reber
Hi all,
I'm having trouble activating SELinux on our RHEL 6 Linux system.
We have some sort of special installation framework (cobbler and puppet)
and initially disabled SELinux (which is fine)
[output from Kickstart]
...
selinux --disabled
...
%packages --excludedocs --nobase
kernel
yum
openssh-server
openssh-clients
audit
logrotate
tmpwatch
vixie-cron
crontabs
ksh
ntp
perl
bind-utils
sudo
which
sendmail
wget
redhat-lsb
rsync
authconfig
lsof
unzip
sharutils
logwatch
libacl
nfs-utils
lcsetup
-firstboot
-tftp-server
-system-config-soundcard
-libselinux-python
-selinux-policy
-libselinux-utils
-selinux-policy-targeted
...
But for some high Security Risk systems, it's required to turn it on
anyway.
So I followed the guidance on:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html to enable SELinux again on these systems.
Unfortunately, the system does not initialize SELinux correctly, nor do I
see any hint where the problem is:
tgl90a-8401 root:/etc/init $ sestatus
SELinux status: disabled
tgl90a-8401 root:/etc/init $ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
The only thing I can see is:
tgl90a-8401 root:/etc/init $ cat /var/log/messages
Jun 13 13:41:30 tgl90a-8401 kernel: SELinux: Initializing.
Does anybody know if I need additional packages on the system or any
special setting set?
I tried "permissive" mode with /.autorelabel, which didn't work
either.
I also installed @Base Group to ensure nothing is missing - but
still the same result
I've tried it with the same setup on RHEL 5 which perfectly worked - but
not on RHEL 6!
So I'm really looking forward to getting some hints/tips.
Thanks and all the best,
Si
11 years, 9 months
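An added check for the situation above; it is not code from the post or from the Red Hat guide linked there. The Python below reads kickstart and /etc/selinux/config text and lists what would keep sestatus reporting "disabled" after a reboot: the %packages section quoted in the post removes selinux-policy-targeted and libselinux-utils with '-' lines, so after the install there is no compiled policy under /etc/selinux/targeted/policy for init to load, and a system installed with "selinux --disabled" carries no file labels until /.autorelabel has run. The sample kickstart and config are shortened copies of the ones in the post; the REQUIRED_PKGS list, the finding texts and the function names are this example's assumptions.

```python
import os
import re

# Packages an enabled SELinux needs on RHEL 6; without the policy package
# there is nothing for init to load (this list is the example's own).
REQUIRED_PKGS = ("selinux-policy", "selinux-policy-targeted",
                 "libselinux-utils", "policycoreutils")

# Shortened copy of the kickstart excerpt in the post (constructed).
SAMPLE_KS = """\
selinux --disabled
%packages --excludedocs --nobase
kernel
yum
audit
-firstboot
-libselinux-python
-selinux-policy
-libselinux-utils
-selinux-policy-targeted
%end
"""

# The /etc/selinux/config from the post, comments trimmed.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""


def kickstart_excluded_packages(ks_text):
    """Names removed with a leading '-' inside the %packages section."""
    excluded = set()
    in_packages = False
    for raw in ks_text.splitlines():
        line = raw.strip()
        if line.startswith("%packages"):
            in_packages = True
        elif line.startswith("%"):        # %pre, %post, %end close the section
            in_packages = False
        elif in_packages and line.startswith("-"):
            excluded.add(line[1:].strip())
    return excluded


def kickstart_selinux_directive(ks_text):
    """Mode from the 'selinux --<mode>' line, or None if absent."""
    m = re.search(r"^\s*selinux\s+--(\w+)", ks_text, re.MULTILINE)
    return m.group(1) if m else None


def parse_selinux_config(cfg_text):
    """KEY=value pairs from /etc/selinux/config, comments stripped."""
    settings = {}
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def selinux_enable_findings(ks_text, cfg_text, kernel_cmdline="", root="/"):
    """Reasons why SELinux would still report 'disabled' after a reboot.

    root is the tree inspected for the compiled policy; pass a chroot or a
    non-existent directory to exercise the logic away from the real host.
    """
    findings = []
    excluded = kickstart_excluded_packages(ks_text)
    missing = [p for p in REQUIRED_PKGS if p in excluded]
    if missing:
        findings.append("kickstart excludes " + ", ".join(missing)
                        + "; install them, then touch /.autorelabel")
    if kickstart_selinux_directive(ks_text) == "disabled":
        findings.append("installed with 'selinux --disabled': files carry "
                        "no labels until a relabel (/.autorelabel) runs")
    cfg = parse_selinux_config(cfg_text)
    mode = cfg.get("SELINUX", "")
    if mode not in ("enforcing", "permissive"):
        findings.append("SELINUX=%s in /etc/selinux/config keeps it off"
                        % (mode or "<unset>",))
    ptype = cfg.get("SELINUXTYPE", "targeted")
    policy_dir = os.path.join(root, "etc/selinux", ptype, "policy")
    compiled = (os.path.isdir(policy_dir) and
                any(n.startswith("policy.") for n in os.listdir(policy_dir)))
    if not compiled:
        findings.append("no compiled policy under %s (selinux-policy-%s "
                        "not installed?)" % (policy_dir, ptype))
    if re.search(r"(^|\s)selinux=0(\s|$)", kernel_cmdline):
        findings.append("kernel command line carries selinux=0")
    return findings


if __name__ == "__main__":
    for f in selinux_enable_findings(SAMPLE_KS, SAMPLE_CONFIG):
        print("-", f)
```

Run it against the real files with `open("/etc/selinux/config").read()`, the kickstart from /root/anaconda-ks.cfg and `open("/proc/cmdline").read()`; each finding names the step that has to happen before the reboot.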
Poor error when loading policy module
by Moray Henderson
I'm updating a custom policy from CentOS 5 to CentOS 6. The module builds
successfully, but fails to load:
# semodule -i mypolicy.pp
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
It took me some time to work out that the error should have read:
File context already exists for /var/run/passenger: mypolicy.fc line 5
Now that I know there is already policy for Passenger, I can adjust mine
accordingly. Any chance of getting a more helpful version of the error
included in semodule?
Moray.
"To err is human; to purr, feline."
11 years, 9 months
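An added example (Python; not part of semodule, libsemanage or the poster's module) of the pre-install check that would have produced the message the post wanted: parse the module's compiled .fc and the installed file_contexts, and report any module spec whose regex is already present. The two .fc samples are constructed, with the passenger spec placed on line 5 to match the post; the spec grammar handled is "regex [-flag] context" with contexts already expanded (as in the compiled file, not the gen_context() source form), and the "duplicate"/"conflicting" wording is this example's own.

```python
import re

# One spec per line: regex, optional file-type flag, context (or <<none>>).
# Comments start with '#'; a regex containing '#' is not handled here.
_FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>\S+)$")

# Constructed sample of the installed file_contexts (contexts expanded).
INSTALLED_FC = """\
/var/run/passenger(/.*)?\tsystem_u:object_r:passenger_var_run_t:s0
/usr/bin/passenger.*\t--\tsystem_u:object_r:passenger_exec_t:s0
"""

# Constructed stand-in for mypolicy.fc; the passenger spec sits on line 5.
MODULE_FC = """\
# mypolicy.fc (constructed example)
/opt/myapp(/.*)?\tsystem_u:object_r:myapp_var_t:s0
/opt/myapp/bin/myappd\t--\tsystem_u:object_r:myapp_exec_t:s0
/var/run/myapp(/.*)?\tsystem_u:object_r:myapp_var_run_t:s0
/var/run/passenger(/.*)?\tsystem_u:object_r:myapp_var_run_t:s0
"""


def parse_fc(text, name):
    """Map (regex, file-type flag) -> (context, line number).

    A spec without a flag applies to every file type; its flag is None.
    """
    specs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _FC_LINE.match(line)
        if m is None:
            raise ValueError("%s line %d: cannot parse %r" % (name, lineno, raw))
        specs[(m.group("regex"), m.group("ftype"))] = (m.group("ctx"), lineno)
    return specs


def find_collisions(module_specs, installed_specs, module_name):
    """Report module specs whose regex is already in the installed set.

    Two specs collide when the regex is identical and either flag is None
    (matches every type) or both flags are the same.  Same context means
    a duplicate; a different context is a conflict.
    """
    messages = []
    by_line = sorted(module_specs.items(), key=lambda kv: kv[1][1])
    for (regex, ftype), (ctx, lineno) in by_line:
        for (iregex, iftype), (ictx, _) in installed_specs.items():
            if regex != iregex:
                continue
            if ftype is not None and iftype is not None and ftype != iftype:
                continue
            kind = "duplicate" if ctx == ictx else "conflicting"
            messages.append(
                "File context already exists for %s: %s line %d "
                "(%s: installed %s, module %s)"
                % (regex, module_name, lineno, kind, ictx, ctx))
    return messages


if __name__ == "__main__":
    mod = parse_fc(MODULE_FC, "mypolicy.fc")
    inst = parse_fc(INSTALLED_FC, "file_contexts")
    for msg in find_collisions(mod, inst, "mypolicy.fc"):
        print(msg)
```

To run it for real, feed `open("/etc/selinux/targeted/contexts/files/file_contexts").read()` as the installed set and the module's .fc (after m4 expansion, e.g. from `tmp/` in the policy build tree) as the module set before calling semodule -i.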
#restorecon -R / ; operation not supported
by casinee app
Hi,
when I execute #restorecon -R /, all the output is "... Operation not
supported". I checked the source code, and in
linux/security/selinux/hooks.c:
...
sbsec = inode->i_sb->s_security;      /* per-superblock SELinux state */
if (!(sbsec->flags & SE_SBLABELSUPP)) /* fs/mount cannot store labels */
{
return -EOPNOTSUPP;                   /* "Operation not supported" in userland */
}
...
it returns. SE_SBLABELSUPP is defined as 0x40. I want to know what I can
do to make the filesystem support the SELinux security context.
Thanks.
11 years, 9 months
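The -EOPNOTSUPP in the hook above reaches userland as ENOTSUP from setxattr/getxattr on security.selinux, which is what restorecon prints. This added Python example (not from the kernel tree or the post) tells that case apart from a merely unlabeled file, and maps a path to its mount so the filesystem type and the "seclabel" mount option (reported by newer kernels) can be checked; the practical fix is to keep the files on a filesystem that stores extended attributes in the security namespace (ext3/ext4, xfs and similar) rather than vfat, iso9660 or unlabeled NFS. SAMPLE_MOUNTS and the NO_LABEL_FSTYPES set are constructed for the example.

```python
import errno
import os

# Filesystem types that do not store security.selinux; nfs is listed
# because only labeled NFSv4.2 carries labels (this set is the example's).
NO_LABEL_FSTYPES = {"vfat", "msdos", "iso9660", "nfs", "nfs4"}

# Constructed /proc/mounts-style input: device mountpoint fstype options.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,seclabel,relatime,barrier=1,data=ordered 0 0
/dev/sda1 /boot ext4 rw,seclabel,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,relatime,fmask=0022,dmask=0022 0 0
"""


def probe_label(path):
    """Ask the kernel for the label of one path (no symlink following).

    Returns ('labeled', context), ('unlabeled', None),
    ('unsupported', None) for the EOPNOTSUPP path shown in the post,
    or ('error', errno name) for anything else (missing path, EACCES...).
    """
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return ("unsupported", None)
        if exc.errno == errno.ENODATA:
            return ("unlabeled", None)
        return ("error", errno.errorcode.get(exc.errno, str(exc.errno)))
    return ("labeled", raw.rstrip(b"\0").decode("utf-8", "replace"))


def mount_for(path, mounts_text):
    """Longest mountpoint prefix of path: (mountpoint, fstype, [options])."""
    best = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mnt, fstype, opts = parts[1], parts[2], parts[3]
        mnt = mnt.replace("\\040", " ")       # /proc/mounts escapes spaces
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, fstype, opts.split(","))
    return best


def labels_expected(mount):
    """Whether restorecon can be expected to set labels under this mount."""
    _, fstype, opts = mount
    if "seclabel" in opts:           # kernels that report it make it explicit
        return True
    return fstype not in NO_LABEL_FSTYPES


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        mounts = fh.read()
    for p in ("/", "/etc/passwd", "/tmp"):
        print(p, probe_label(p), mount_for(p, mounts))
```

A path whose probe says "unsupported" while labels_expected() is True points at the mount options or at a kernel built without xattr support for that filesystem; "unsupported" on a vfat or NFS mount is the expected outcome and no restorecon invocation will change it.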
F17 systemd AVC
by Vadym Chepkov
Hi,
I just upgraded to Fedora 17.
I see these AVCs on the console and in the dmesg output during startup:
[ 10.617385] type=1400 audit(1338674944.983:4): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp0" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.618270] type=1400 audit(1338674944.984:5): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp1" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.619047] type=1400 audit(1338674944.985:6): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp2" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.619769] type=1400 audit(1338674944.985:7): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp3" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.648250] type=1400 audit(1338674945.014:8): avc: denied { read } for pid=472 comm="systemd-tmpfile" name="lock" dev="dm-3" ino=3764 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
[ 10.648824] type=1400 audit(1338674945.014:9): avc: denied { read } for pid=472 comm="systemd-tmpfile" name="lock" dev="dm-3" ino=3764 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
Is this something I should be concerned about, or can it be safely ignored?
Thanks,
Vadym
11 years, 9 months
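An added example (Python, not from the post) that groups AVC lines like the ones above by source type, target type, object class and permission, which is how one tells whether a boot-time burst is one policy gap or several: the six lines collapse to two denials, systemd_tmpfiles_t creating chr_file nodes lp0..lp3 under a device_t directory, and reading the "lock" symlink labeled var_t. The rules it emits are the shape audit2allow produces and are shown for comparison only; denials from the stock Fedora policy belong in a bug report against selinux-policy rather than in a local allow module. The sample lines are the post's own; the regexes and function names are this example's.

```python
import re
from collections import defaultdict

# The six lines from the post, embedded as sample input.
SAMPLE_AVCS = """\
[ 10.617385] type=1400 audit(1338674944.983:4): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp0" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.618270] type=1400 audit(1338674944.984:5): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp1" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.619047] type=1400 audit(1338674944.985:6): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp2" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.619769] type=1400 audit(1338674944.985:7): avc: denied { create } for pid=472 comm="systemd-tmpfile" name="lp3" scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
[ 10.648250] type=1400 audit(1338674945.014:8): avc: denied { read } for pid=472 comm="systemd-tmpfile" name="lock" dev="dm-3" ino=3764 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
[ 10.648824] type=1400 audit(1338674945.014:9): avc: denied { read } for pid=472 comm="systemd-tmpfile" name="lock" dev="dm-3" ino=3764 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
"""

# "avc: denied { perm ... } for key=value key="quoted value" ..."
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC line plus a 'perms' tuple,
    or None if the line is not an AVC denial."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = tuple(m.group("perms").split())
    return rec


def context_type(ctx):
    """Type field of a user:role:type:range context."""
    return ctx.split(":")[2]


def group_denials(lines):
    """Group denials by (source type, target type, class, perms);
    the value lists the object names seen for that signature."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"], rec["perms"])
        groups[key].append(rec.get("name") or rec.get("path", "?"))
    return dict(groups)


def as_allow_rules(groups):
    """One allow rule per signature, in the shape audit2allow would print."""
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
                  for (s, t, c, p) in groups)


if __name__ == "__main__":
    groups = group_denials(SAMPLE_AVCS.splitlines())
    for key, names in groups.items():
        print(key, "->", names)
    for rule in as_allow_rules(groups):
        print(rule)
```

Feeding it `dmesg` or /var/log/audit/audit.log lines works the same way; lines that are not AVC denials are skipped.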
SELinux policy installation error
by thomas cameron
Howdy All -
I just installed F17 i386 on my daughter's laptop and ran yum update. I
saw this:
Updating : selinux-policy-3.10.0-125.fc17.noarch 19/405
/usr/share/selinux/devel/include/services/jetty.if: Syntax error on line 180472 jetty_cache_t [type=IDENTIFIER]
It seems non-fatal, but I am not sure. Shall I BZ it, or do you already
know about it?
TC
11 years, 9 months