New to this list, and new to SELinux.
by Jean-David Beyer
I have been running Red Hat Enterprise Linux since 2004, starting with
RHEL 3. Later I upgraded to RHEL 5. When I needed a new computer, I got
RHEL 6 to run on it.
RHEL 6 runs with SELinux turned on by default and it is presenting me
with one problem, but my /var/log/messages file indicates I have _a lot_
of others.
Now according to Red Hat's documentation, I should report these as bugs,
but that seems a bit extreme if it is just a misconfiguration problem.
> Missing Type Enforcement rules are usually caused by bugs in SELinux
> policy, and should be reported in Red Hat Bugzilla. For Red Hat
> Enterprise Linux, create bugs against the Red Hat Enterprise Linux
> product, and select the selinux-policy component. Include the output
> of the audit2allow -w -a and audit2allow -a commands in such bug
> reports.
Should I really do that? And if so, just how? How do I specify the
problem in a way to be useful?
One problem is that I have a shell script, run by cron that sends an
email with mailx to me (on the same machine). That means it is run by
root. And the mail fails when cron runs it. It is adding an attachment
and SELinux says it is denied. Now when I run it myself, but logged in
as root, the e-mail works. I do not specifically want to solve that
problem here, but I do need to know how to change the system policy file,
wherever it is, so I do not need to continually make little ones, say by
running stuff like this:
# grep boinc_client /var/log/audit/audit.log | audit2allow -M myboinc
# semodule -i myboinc.pp
I also wish to make the change, if they are really required, permanent.
Any advice?
11 years, 3 months
Backups with rsync totally broken in Fedora 18
by David Highley
Upgraded a test box to Fedora 18 and have tried to get rsync backups to
it working. Looked at many discussions about backing up in a selinux
environment and all discussions seemed to be incomplete.
Most indicate you should not keep selinux labels, but none of those
discussions indicate what options to change. After working on a thousand
line policy file I'm beginning to think you just want to completely turn
off any audit of the rsync domain.
Is this how we should approach backups? If you do not preserve selinux
labels what should the backup location get labeled to?
I'm surprised as long as selinux has been in use that a template with
details has not been defined for this. By the way I had just submitted
an enhancement bug report for rsync with examples of getting it to
function with systemd control.
11 years, 3 months
SELinux: avc: denied { associate }
by Napoleon Quashie
This has been "doing my head in" as the British will say. I've been
battling it for days now. A post to Fedora forums and irc hasn't helped.
You guys are my last resort. It goes like so:
type=AVC msg=audit(1358529889.481:315): avc: denied { associate } for pid=1522 comm="httpd" name="access.log" scontext=system_u:object_r:httpd_sys_rw_content_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=filesystem

Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one
under which the audit message was generated.

Possible mismatch between current in-memory boolean
settings vs. permanent ones.

------------------------------------------------------------------------------------------------

<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName lab.dev

DocumentRoot /shared/www/lab/public

<Directory /shared/www/lab/public/>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>

# Custom log file locations
LogLevel warn
ErrorLog /shared/www/lab/logs/error.log
CustomLog /shared/www/lab/access.log combined

</VirtualHost>

------------------------------------------------------------------------------------------
/etc/fstab
----------
#
# /etc/fstab
# Created by anaconda on Tue Jan 15 21:01:00 2013
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/fedora-root / ext4 defaults 1 1
UUID=f92ec976-f49c-496d-be24-2bd7391eec2e /boot ext4 defaults 1 2
/dev/mapper/fedora-home /home ext4 defaults 1 2
/dev/mapper/fedora-swap swap swap defaults 0 0
/dev/disk/by-uuid/E0D8317FD83154CE /windows auto nosuid,nodev,nofail,x-gvfs-show,x-gvfs-name=Windows 0 0
/dev/disk/by-uuid/D0D6BF93D6BF7874 /shared auto context="system_u:object_r:httpd_sys_content_t:s0" 0 0

=======================================================================================================

/shared is an ntfs partition and /shared/www/public is the root of the site lab.dev
Thanks for any assistance.
11 years, 3 months
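The two questions above (how to turn denials into a permanent local module, and what the associate denial is saying) both come down to reading the AVC record. The following is an added C example, not code from either poster and not the audit2allow tool itself: it parses one AVC line into source type, target type, class and permissions, emits the same allow rule shape that audit2allow -M packages into a .te/.pp module for semodule -i, and decodes the hex-encoded path form that audit uses for values containing non-printable bytes (the abstract unix socket name in the Xvnc post further down). It also flags associate denials on tclass=filesystem, because that check is between a file's type and the type carried by the filesystem itself (here set by the context= mount option), so it points at how the mount is labeled rather than at a missing access rule. Function names are this example's own; the two sample records are the associate denial from this post and the connectto denial from the Xvnc post, each re-joined onto one line.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the whitespace-delimited value following `key` (e.g. "tclass=") into out.
 * Returns 1 if the key was present, 0 otherwise. */
static int avc_field(const char *line, const char *key, char *out, size_t n)
{
    const char *p = strstr(line, key);
    size_t i = 0;
    if (!p) return 0;
    for (p += strlen(key); *p && !isspace((unsigned char)*p) && i + 1 < n; p++)
        out[i++] = *p;
    out[i] = '\0';
    return 1;
}

/* Copy the permission list between "denied { " and " }" into out
 * (one or two spaces after "denied" both occur in real logs). */
static int avc_perms(const char *line, char *out, size_t n)
{
    const char *p = strstr(line, "denied");
    size_t i = 0;
    if (!p) return 0;
    p += strlen("denied");
    while (*p == ' ') p++;
    if (*p++ != '{') return 0;
    while (*p == ' ') p++;
    while (*p && *p != '}' && i + 1 < n) out[i++] = *p++;
    while (i > 0 && out[i - 1] == ' ') i--;
    out[i] = '\0';
    return *p == '}' && i > 0;
}

/* Point at the type (third field) of user:role:type[:range] and cut it out in place. */
static char *context_type(char *ctx)
{
    char *t = strchr(ctx, ':');
    if (!t || !(t = strchr(t + 1, ':'))) return NULL;
    t++;
    char *end = strchr(t, ':');
    if (end) *end = '\0';
    return t;
}

/* Turn one AVC denial into the allow rule audit2allow would emit. Returns 1 for
 * an ordinary rule, 2 when the denial is `associate` on a filesystem (a file type
 * being placed on a filesystem of another type: a labeling question that an allow
 * rule would only paper over), and 0 if the line is not a parseable denial. */
int avc_to_allow(const char *line, char *rule, size_t n)
{
    char sctx[128], tctx[128], tclass[64], perms[128], *stype, *ttype;
    if (!avc_perms(line, perms, sizeof perms) ||
        !avc_field(line, "scontext=", sctx, sizeof sctx) ||
        !avc_field(line, "tcontext=", tctx, sizeof tctx) ||
        !avc_field(line, "tclass=", tclass, sizeof tclass))
        return 0;
    stype = context_type(sctx);
    ttype = context_type(tctx);
    if (!stype || !ttype) return 0;
    snprintf(rule, n, "allow %s %s:%s { %s };", stype, ttype, tclass, perms);
    return (strcmp(tclass, "filesystem") == 0 && strstr(perms, "associate")) ? 2 : 1;
}

/* audit writes a value containing non-printable bytes (e.g. the leading NUL of an
 * abstract unix socket name) as unquoted upper-case hex. Decode it into out;
 * returns the byte count, or -1 if the value is not well-formed hex. */
int audit_hex_decode(const char *hex, unsigned char *out, size_t n)
{
    size_t len = strlen(hex), i;
    if (len == 0 || len % 2 || len / 2 > n) return -1;
    for (i = 0; i < len; i += 2) {
        unsigned int byte;
        if (!isxdigit((unsigned char)hex[i]) || !isxdigit((unsigned char)hex[i + 1]))
            return -1;
        sscanf(hex + i, "%2x", &byte);
        out[i / 2] = (unsigned char)byte;
    }
    return (int)(len / 2);
}

int main(void)
{
    /* Sample records taken from this page (see the lead-in), each on one line. */
    const char *samples[] = {
        "type=AVC msg=audit(1358529889.481:315): avc:  denied  { associate } for  pid=1522 comm=\"httpd\" name=\"access.log\" scontext=system_u:object_r:httpd_sys_rw_content_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=filesystem",
        "type=AVC msg=audit(1357179264.974:426): avc:  denied  { connectto } for  pid=11481 comm=\"kdm_greet\" path=002F746D702F2E5831312D756E69782F583130 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket",
    };
    char rule[256], path[128];
    unsigned char raw[64];
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int kind = avc_to_allow(samples[k], rule, sizeof rule);
        if (!kind) { puts("not an AVC denial"); continue; }
        printf("%s%s\n", rule, kind == 2 ? "   # review: filesystem labeling, not a missing rule" : "");
        if (avc_field(samples[k], "path=", path, sizeof path)) {
            int len = audit_hex_decode(path, raw, sizeof raw);
            for (int j = 0; j < len; j++) putchar(raw[j] ? raw[j] : '@');  /* '@' marks NUL */
            if (len > 0) putchar('\n');
        }
    }
    return 0;
}
```

Rules produced this way are the contents of the myboinc.te that `audit2allow -M myboinc` writes before compiling it; reading them first is the step that matters, since a denial caused by a wrong file label (the Xvnc post's bin_t versus xserver_exec_t) or a mount option should be fixed at the label, not by installing a module that allows the mislabeled access.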
[ANN] segatex-7.840 released. (segatex is a third party SELinux GUI tool)
by Shintaro Fujiwara
segatex-7.840 released !
http://sourceforge.net/projects/segatex/?source=navbar
I have fixed the refpolicy analyzer, but it's not completed yet so I will
fix it in the near future.
Interfaces and macros are mixed in the name of interface.
But, you can understand little by little refpolicy just hitting the buttons.
Those who want to understand how interfaces work, please see
/usr/share/segatex/raw_if_files/*.if_raw
It's already there, but you can break down .if files pushing breakif.sh.
It will take a long time to break all the interfaces down especially
in contrib directory.
///////////////////////////////////////////////////////////////////////////////////////
segatex is a SELinux third-party GUI tool.
See tresys page here.
http://userspace.selinuxproject.org/trac/wiki/SelinuxTools
///////////////////////////////////////////////////////////////////////////////////////
Enjoy !
11 years, 3 months
Context for Xvnc?
by Ian Pilcher
I just went through the process of setting up Xvnc with XDMCP on F18,
and I ran into an SELinux-related issue.
I have configured KDM to accept XDMCP queries from localhost, and I'm
starting Xvnc with the following systemd unit file:
/etc/systemd/system/xvnc@.service:
[Unit]
Description=VNC remote display %I
After=syslog.target
[Service]
Type=simple
User=nobody
ExecStart=/usr/bin/Xvnc -SecurityTypes None -query 127.0.0.1 %i
[Install]
WantedBy=multi-user.target
When I first did this, KDM was unable to talk to Xvnc:
/var/log/kdm.log:
/usr/bin/xrdb: Permission denied
/usr/bin/xrdb: Can't open display ':10'
kdmgreet: cannot connect to X server :10
/var/log/audit/audit.log:
type=AVC msg=audit(1357179264.974:426): avc: denied { connectto } for pid=11481 comm="kdm_greet" path=002F746D702F2E5831312D756E69782F583130 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
The problem was that Xvnc was running as initrc_t, because /usr/bin/Xvnc
was labeled as bin_t. Changing the label to xserver_exec_t makes the
process run as xserver_t, KDM is able to connect to the server, and
everything appears to be working.
Is there a reason I'm not seeing that the context of /usr/bin/Xvnc
should *not* be changed to xserver_exec_t? If not, I'll go ahead and
BZ this.
Thanks!
--
========================================================================
Ian Pilcher arequipeno(a)gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================
11 years, 3 months
Invalid security context messages
by Anamitra Dutta Majumdar
We have removed the unconfined domain from our system based on RHEL6.
After that when we run audit2allow we see the following messages
[root@vos-cm148 ~]# audit2allow -a
libsepol.context_from_record: invalid security context: "sysadm_u:system_r:useradd_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert sysadm_u:system_r:useradd_t:s0-s0:c0.c1023 to sid
Are these harmful? What do they mean and how can we get rid of them?
Thanks,
Anamitra
11 years, 3 months
sechecker tool not working
by Anamitra Dutta Majumdar
We are trying to run the sechecker tool on one of our boxes based on RHEL6 and get the following error:
[root@vos-cm142 ~]# sechecker -m types_wo_allow -v
Using policy: /etc/selinux/targeted/policy/policy.24
Using file contexts: /etc/selinux/targeted/contexts/files/file_contexts
ERROR: Cannot get avrules: Neverallow rules requested but not available
ERROR: Cannot get avrules: Neverallow rules requested but not available
ERROR: Cannot get avrules: Neverallow rules requested but not available
ERROR: Cannot get avrules: Neverallow rules requested but not available
Is this a known issue?
Thanks,
Anamitra
11 years, 3 months
sendmail and server.lock
by mark
We have a server in permissive, thank you, so this is just an annoyance,
but I want to make it go away.
Centos 6.3, current
torque 2.5.7-9.el6
It's the head node of a torque cluster. I found someone, while googling,
who describes the same error, and presumably the same action resulting in
the same result. He writes:
Excerpt:
We're running Torque 2.3.7 on a central Torque server running RHEL6.3 OS
(this old version of Torque is *required* for stable use with the Maui
scheduler, see an older thread in this list).
We're seeing the following syslog message every time a job completes and
sends an E-mail message to the user:
setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from
write access on the file /var/spool/torque/server_priv/server.lock.
SELinux is enabled in permissive mode, so this is not a severe problem,
but it's still a nuisance to have extraneous syslog messages. I prefer
having SELinux enabled in order to log security related events.
I looked at the Torque code server/svr_mail.c which opens a pipe to
execute Sendmail, writes some data and then closes the pipe. The
pbs_server's lockfile filename is never written to the Sendmail pipe, so
why on earth would SELinux complain about Sendmail trying to write to
that lockfile?? Could it be because svr_mail.c closes the pipe by
fclose(outmail) instead of pclose(outmail) as is done in the Torque 2.5
code?
--- end excerpt ---
So, what can I do to make selinux shut up about this? server.lock is in
/var/lib/torque/server_priv, and shows as
ll -Z /var/lib/torque/server_priv/
drwxr-x---. root root system_u:object_r:var_lib_t:s0 ./
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ../
<...>
-rw-------. root root system_u:object_r:var_lib_t:s0 server.lock
mark
11 years, 3 months
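An added C example, not from this thread and not the Torque source, showing the mechanism that produces a denial of this shape: a descriptor a daemon holds open without the close-on-exec flag is inherited by every child it starts, popen() children included, and when the child execs into another SELinux domain the kernel checks whether that domain may use each inherited descriptor. A lock file the mailer's domain cannot write then shows up as a write denial against that file even though the mailer never names it. The daemon-side fix is to open such files with O_CLOEXEC (or set FD_CLOEXEC), which is what the example contrasts; the fclose/pclose difference in the excerpt only changes whether the child gets reaped, not which descriptors it inherits. The temporary lock path and the /proc/self/fd probe are this example's own assumptions (Linux only).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a lock file the way a long-running daemon might. With close_on_exec set
 * the descriptor carries FD_CLOEXEC, so a child that execs does not inherit it. */
int open_lock(const char *path, int close_on_exec)
{
    int flags = O_RDWR | O_CREAT;
    if (close_on_exec)
        flags |= O_CLOEXEC;
    return open(path, flags, 0600);
}

/* Fork, exec /bin/sh, and have it report whether descriptor `fd` is still open
 * after the exec. Returns 1 if inherited, 0 if not, -1 on error. */
int child_inherits_fd(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);   /* assumption: /proc mounted */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Create a throwaway lock file (constructed path), open it with or without
 * O_CLOEXEC, and report whether an exec'd child can still see it. */
int lock_leaks_to_child(int close_on_exec)
{
    char path[] = "/tmp/server.lock.XXXXXX";
    int tmp = mkstemp(path), fd, leaked;
    if (tmp < 0) return -1;
    close(tmp);
    fd = open_lock(path, close_on_exec);
    if (fd < 0) { unlink(path); return -1; }
    leaked = child_inherits_fd(fd);
    close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("without O_CLOEXEC: child inherits lock fd = %d\n", lock_leaks_to_child(0));
    printf("with    O_CLOEXEC: child inherits lock fd = %d\n", lock_leaks_to_child(1));
    return 0;
}
```

On the SELinux side the same observation is the detection hint: a denial naming a file the denied program has no reason to open is worth checking against the parent process's open descriptors (ls -l /proc/PID/fd) before any policy is changed, since the access being reported is the inherited descriptor, not a new open.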
zoneminder & nfs, redux
by mark
Hi. I've tried relabelling the entire system after a reboot, and I'm still
getting the AVCs when motion is trying to do things with files it's
creating/removing on an NFS-mounted directory.
Fedora 17, fully updated, kernel 3.6.10-2.fc17.x86_6
selinux-policy 3.10.0-161.fc17
selinux-policy-targeted 3.10.0-161.fc17
mark
11 years, 3 months
No default labels, is it intentional?
by Göran Uddeborg
I'm running a "restorecon -n -R -v /" from cron once a month, just to
be careful and know what is happening. Last night when it ran, I got
a lot of error messages like these:
restorecon: Warning no default label for /dev/pts/3
and
restorecon: Warning no default label for /tmp/efs0YYVa79.html
There were a couple for things in /dev, and lots of them for things in
/tmp.
I have lately been upgrading bit by bit to Fedora 18 (the beta,
strictly speaking, since the final release isn't officially out at the
time of this writing), so I assume the new message is related to these
upgrades. But why? When I list file contexts, I see rules like this:
/dev/pts(/.*)? all files <<None>>
So I guess it is not a simple mistake. But what is the reason? Why
don't some /dev entries, and almost the entire /tmp directory, have
any default context any more?
11 years, 3 months