Bootup error with Selinux +F15
by magina antimage
Hi,
I have tried disabling SELinux, because I didn't have the SELinux module
enabled in my kernel.
I have tried changing /etc/selinux/config
from SELINUX=permissive to SELINUX=disabled
but I still get the error
"Failed to load SELinux policy." during bootup.
I have referred to "https://bugzilla.redhat.com/show_bug.cgi?id=692573"
and tried to solve this problem, but with no positive results.
Also, sometimes I get I/O errors on my hard disk (during boot) after
one or two boots.
I am not sure whether it's because of SELinux or not, but while
searching for this I/O error I came across a few cases where these I/O
errors were because of SELinux policies.
Other details:
arch: x86
selinux version: libselinux-2.0.99-4.fc15.i686
9 years, 10 months
dovecot 2.2
by Paul Howarth
dovecot 2.2 has landed (or will very soon land) in Rawhide, and I found its
auth process worked slightly differently.
It now creates a file /var/run/dovecot/auth-token-secret.dat.tmp, opens
and writes to it, then renames it
to /var/run/dovecot/auth-token-secret.dat.
I added the following to local policy to make it work:
manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
Paul.
10 years, 3 months
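Paul's one-liner as a complete local module, with the macro's expansion spelled out so the connection to the create/write/rename sequence is visible. This is an added example, not part of his post; it assumes the reference-policy support macros (manage_files_pattern, rw_dir_perms, manage_file_perms) shipped in the selinux-policy devel headers, and the module name localdovecot is made up here.

```selinux
policy_module(localdovecot, 1.0)

# Both types already exist in the base dovecot policy; a local module
# only has to require them, not declare them.
gen_require(`
	type dovecot_auth_t;
	type dovecot_var_run_t;
')

# manage_files_pattern(domain, dir_type, file_type) expands to
#   allow dovecot_auth_t dovecot_var_run_t:dir  rw_dir_perms;
#   allow dovecot_auth_t dovecot_var_run_t:file manage_file_perms;
#
# rw_dir_perms includes add_name and remove_name on the directory, which
# creating the .tmp entry and renaming it within /var/run/dovecot need;
# manage_file_perms includes create, write and rename on the file itself.
# Together they cover exactly the create -> write -> rename sequence the
# new auth process performs on auth-token-secret.dat.tmp.
manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
```

Build it with `make -f /usr/share/selinux/devel/Makefile localdovecot.pp` and load it with `semodule -i localdovecot.pp`; the same macro is what the upstream dovecot policy would use, so the rule can be dropped once the distribution policy catches up.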
List of domains & types
by Alain Williams
My exim config needs to speak to MySQL (for greylisting).
To allow this to work I needed to run:
setsebool -P exim_can_connect_db 1
And that seems to do the trick.
Now sealert tells me:
SELinux is preventing /usr/sbin/exim from getattr access on the file /usr/share/mysql/charsets/Index.xml.
If you want to allow exim to have getattr access on the Index.xml file
Then you need to change the label on /usr/share/mysql/charsets/Index.xml
Do
# semanage fcontext -a -t FILE_TYPE '/usr/share/mysql/charsets/Index.xml'
It then lists a whole set of suggested types.
The label on /usr/share/mysql/charsets/Index.xml is system_u:object_r:usr_t:s0
I picked exim_t (which seemed reasonable - just on the name). But when I try I
get permission denied; a bit of digging tells me that exim_t is a domain for a
process rather than a type for a file.
Questions:
a) How do I work out what type to set the file to?
b) I would presumably need to do so for every file in /usr/share/mysql/charsets/
c) Is changing the type on a file so that the MTA can access it the right thing
anyway? Should I not be allowing exim access to usr_t instead ... but would
that not open things up too wide?
d) More generally: where do I look to get a list of all the XXX_t, what they
are, what they are supposed to be used for, ... so that I can work out what
the best choice is?
Regards
PS I am using CentOS 6.3.
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
10 years, 3 months
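An added example (not from this thread) of the alternative raised in question c): rather than relabelling a shared MySQL data file to an exim-specific type, grant the exim_t process domain read access to usr_t with a small local policy module. It assumes the reference-policy interface files_read_usr_files() and the selinux-policy devel headers (make -f /usr/share/selinux/devel/Makefile) available on CentOS 6; the module name localexim is made up here.

```selinux
policy_module(localexim, 1.0)

########################################
#
# Declarations: exim_t already exists in the base policy, so it is
# required here, not declared.
#
gen_require(`
	type exim_t;
')

########################################
#
# Local policy
#
# exim_t is a process domain (what /usr/sbin/exim runs as), not a file
# label, which is why using it with semanage fcontext fails.  The file in
# the AVC, /usr/share/mysql/charsets/Index.xml, carries usr_t, the default
# type for read-only data under /usr.  Relabelling it would affect every
# domain that reads the MySQL charsets; granting exim_t read access to
# usr_t instead only widens what exim may read, and only to data that was
# already world-readable under ordinary file permissions.
#
# files_read_usr_files(exim_t) expands to roughly:
#   allow exim_t usr_t:dir      list_dir_perms;
#   allow exim_t usr_t:file     read_file_perms;   (getattr open read ...)
#   allow exim_t usr_t:lnk_file read_lnk_file_perms;
files_read_usr_files(exim_t)
```

To see whether the loaded policy already grants this before adding a module, `sesearch -A -s exim_t -t usr_t -c file` (from setools) lists the existing allow rules, and `seinfo -t` lists every type the policy knows about, which answers question d) for the installed policy.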
SELinux Blocking Ping
by Erik Boyer
Good Morning,
I have a website written in PHP installed on a 64 bit Fedora 16 server that I am trying to have ping a host to monitor its availability.
Because using sockets requires root access I wrote a simple shell script to handle the ping, returning simply "up" or "down" back to PHP.
The problem is that SELinux seems to be stopping Ping from working correctly. The PHP page takes a long time to load (around 30 seconds or so) and even if the host is up, the shell script still reports it as down because of the exit status of ping. In the error log for PHP there are thousands of lines of:
ping: sendmsg: Permission denied
To the point where if you ping just one host once it grows to over 200 MB. I have tried Google extensively and it seems others have this problem but there is no real answer. I have tried setting the setuid and setgid for the ping executable with chmod g+s and u+s, even giving the apache user ownership permission but to no avail. The only thing that has worked thus far is to turn off SELinux and then the scripts work fine without issue. I should also note that I can run the shell script on the shell without a problem, and the PHP exec() function can run something like "whoami" without issue.
I have looked at the available binary switches for SELinux but none of them seem to do what I need. I really don't want to have to turn off SELinux for this server, as it is a webserver and I want as much protection on it as possible.
Does anyone have any suggestions? Any help is appreciated.
Here is the contents of the shell script:
#!/bin/bash
/bin/ping -c 1 -W 0.2 "$1"
rc=$?
if [[ $rc -eq 0 ]] ; then
    echo "up"
else
    echo "down"
fi
Here is how I am calling this through PHP ($i is predetermined earlier in the script):
$ping = exec("/var/www/html/ips/ping.sh 10.0.1.".$i);
if ($ping == "up")
{
    echo "Response time: ";
    echo exec("/usr/bin/perl /var/lib/cacti/scripts/ping.pl 10.0.1.".$i);
    echo " ms.";
}
The perl script is taken from Cacti (installed separately via yum) but does not run from my scripts with SELinux enabled. Again, with SELinux disabled it returns values as expected, and run directly from a shell it works without issue.
Could anyone shed some light on this for me?
Thank you,
Erik Boyer
Production / IT System Support
KUKA Toledo Production Operations, LLC
Tel. +1 419 727-5549, Fax +1 419 729-7085, Cell 419-438-5350
erik.boyer(a)ktpo.com
www.ktpo.com
10 years, 3 months
problem with hostnamectl
by Ed Greshko
Hi,
I just installed a F18 system from the DVD choosing only to install the KDE desktop. I then did a "yum update" and updated everything.
I want to change the host name so I tried using hostnamectl. It fails and issues the following message.
Failed to issue method call: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
In the audit.log I find:
type=USER_AVC msg=audit(1361418023.172:331): pid=618 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.70 spid=2188 tpid=2214 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
What needs to be done to correct the problem? A known issue?
--
Don't be bullied by the judgmental grammar and spelling police.
10 years, 3 months
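The USER_AVC record above can be expressed as a local policy module; the following is an added example, not something from the thread, that shows how the record's fields map onto a rule. D-Bus enforces SELinux as a userspace object manager, which is why dbus-daemon (exe="/usr/bin/dbus-daemon") reports the denial rather than the kernel. The module name localhostnamed is made up here.

```selinux
policy_module(localhostnamed, 1.0)

gen_require(`
	type systemd_hostnamed_t;
	type unconfined_t;
	class dbus send_msg;
')

# Field by field from the audit record:
#   scontext = system_u:system_r:systemd_hostnamed_t:s0  -> source type (the sender)
#   tcontext = unconfined_u:unconfined_r:unconfined_t:... -> target type (the receiver,
#                                                             the session that ran hostnamectl)
#   tclass=dbus, denied { send_msg }                      -> object class and permission
#   msgtype=method_return                                 -> it is the reply being blocked,
#                                                             hence "Did not receive a reply"
allow systemd_hostnamed_t unconfined_t:dbus send_msg;
```

Build with `make -f /usr/share/selinux/devel/Makefile localhostnamed.pp` and load with `semodule -i localhostnamed.pp`. Whether a denial like this is better allowed locally or reported as a bug in the distribution policy is a judgement the module cannot make for you; a local module at least records exactly what was opened up and can be removed with `semodule -r` once the packaged policy is fixed.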
httpd permission problem
by Gergely Buday
Hi there,
I got the advice on the Apache mailing list that this might be an
SELinux problem.
I have a directory under my home dir, and I would like Apache to
serve it. It says 403 Forbidden. I have created a web group that
includes my user and apache. It is set in the httpd.conf file. After
using chcon, ls -Z tells me
drwxr-x---. gergoe web system_u:object_r:httpd_sys_content_t:s0 wordpress
and the same for all the files under it. Still, I cannot access the
content in that dir.
What else should I set?
- Gergely
10 years, 3 months
RE: SELinux Blocking Ping
by Ted Rule
I've had something similar work with this sort of extra policy.
$ cat localhttpping.te
##############################################
module localhttpping 1.0.4;
require {
	type httpd_sys_script_t;
	type ping_t;
	type ping_exec_t;
	class process { transition };
}
allow httpd_sys_script_t ping_t:process transition;
domain_auto_trans(httpd_sys_script_t,ping_exec_t,ping_t);
$
This was from a CGI shell script, so if it's coming via PHP it might be
in httpd_t rather than httpd_sys_script_t.
--
Ted Rule
Director, Layer3 Systems Ltd
Layer3 Systems Limited is registered in England. Company no 3130393
43 Pendle Road, Streatham, London, SW16 6RT
Tel: 020-8769-4484
Mob: 07946-908914
GPG Fingerprint = 9227:3434:b51d:c7a1:eea6:21e2:418a:8997:c104:7566
E: ejtr(a)layer3.co.uk
W: http://www.layer3.co.uk/
10 years, 3 months
Question about "exec-shield"
by Maurizio Pagani
Hi there,
I have a question about "exec-shield". Practically, on some servers SELinux
is disabled, but I see that "exec-shield" is enabled:
******************************************
[root@app12trnr TSCM]# sysctl -a|grep -i exec
kernel.exec-shield = 1
[root@app12trnr TSCM]# sestatus
SELinux status: disabled
******************************************
- Now, the question is: even if SELinux is disabled, does exec-shield
work normally? And if the answer is "yes", by which criteria does
exec-shield block an application from writing to memory?
- Because I think that only SELinux can manage "exec-shield", to
decide by which criteria it can block something from writing to memory. Because I
saw that there is a "process object class" with some permissions that specify
"execheap, execstack, and so on" to manage allow/deny.
I hope I was clear with the question.
Thanks in advance,
Maurizio Pagani
10 years, 3 months
type_transition and sigchild
by Maurizio Pagani
Hi there,
I'm a beginner with SELinux and I'm trying to implement "type_transition"
(process mode); these are my rules:
###### TYPE TRANSITION FOR lvm_t ############################
role diskadm_role_r types lvm_t;
type_transition diskadm_role_t lvm_exec_t : process lvm_t;
allow diskadm_role_t lvm_exec_t : file { getattr read open execute };
allow diskadm_role_t lvm_t : process transition;
#########################################################
But when I launch lvm commands, for example "lvdisplay", I receive this
message:
###############################################################
bash-4.1# lvdisplay
lvdisplay: error while loading shared libraries:
/lib64/ld-linux-x86-64.so.2: cannot apply additional memory protection after
relocation: Permission denied
###############################################################
I went to look in audit.log, and I have these AVC denials:
###############################################################
type=AVC msg=audit(1361254531.179:7044668): avc: denied { sigchld } for
pid=3968 comm="bash" scontext=ssh_role_u:diskadm_role_r:lvm_t:s0
tcontext=ssh_role_u:diskadm_role_r:diskadm_role_t:s0 tclass=process
###############################################################
I could just create a new rule for "allow lvm_t diskadm_role_t: process
sigchld", but is there a good reason why I must allow this? I'm
reading/studying a guide to "type_transition" in the "SELinux By Example" book
and at this link: http://selinuxproject.org/page/TypeRules but I don't see
anything about "sigchld" and it's not highlighted anywhere as a requirement
for the "type_transition" rule.
Thanks in advance,
Maurizio Pagani
10 years, 3 months
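Ted's domain_auto_trans() in the ping thread above and the hand-written rules in this post describe the same thing, a domain transition, and the sigchld denial here is what the macro form takes care of silently. What follows is an added example, not from either post, spelling out essentially the rule set the reference-policy domain_auto_transition_pattern() macro expands to, written with the type names used here (diskadm_role_t, lvm_exec_t, lvm_t) and the role diskadm_role_r. It assumes those types and that role already exist in the loaded policy; the module name localdiskadm is made up.

```selinux
policy_module(localdiskadm, 1.0)

gen_require(`
	type diskadm_role_t;
	type lvm_t;
	type lvm_exec_t;
	role diskadm_role_r;
')

# The role must be permitted to run processes in the new domain.
role diskadm_role_r types lvm_t;

########################################
#
# The transition itself (what the original post already had)
#
# 1. the caller may execute the entrypoint binary
allow diskadm_role_t lvm_exec_t:file { getattr open read execute };
# 2. the caller may change its domain to lvm_t
allow diskadm_role_t lvm_t:process transition;
# 3. lvm_exec_t is a valid entrypoint into lvm_t (usually already present
#    in the base lvm policy; no transition into a domain works without it)
allow lvm_t lvm_exec_t:file entrypoint;
# 4. and the change happens automatically on exec
type_transition diskadm_role_t lvm_exec_t:process lvm_t;

########################################
#
# What a transition needs in practice but type_transition does not imply
#
# The child now runs as lvm_t while its parent shell is still
# diskadm_role_t.  When the child exits, the kernel sends SIGCHLD to the
# parent, and SELinux checks that as the child (source) signalling the
# parent (target): exactly the AVC in the post, scontext lvm_t, tcontext
# diskadm_role_t, tclass process, permission sigchld.
allow lvm_t diskadm_role_t:process sigchld;
# The child inherits the shell's open descriptors (stdin/stdout/stderr)
# and may sit on either end of a shell pipeline.
allow lvm_t diskadm_role_t:fd use;
allow lvm_t diskadm_role_t:fifo_file rw_fifo_file_perms;
# Inheriting resource limits, pending signals and AT_SECURE handling are
# checked as well; the reference policy silences these rather than
# granting them.
dontaudit lvm_t diskadm_role_t:process { noatsecure siginh rlimitinh };
```

None of the second group is listed under type_transition in the TypeRules page because they are not part of the transition rule; they are ordinary access checks between parent and child that any transition into a separate domain triggers, which is why the pattern macros bundle them.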
httpd permission problem
by mark
Hi there,
I got the advice on the Apache mailing list that this might be an
SELinux problem.
I have a directory under my home dir, and I would like Apache to
serve it. It says 403 Forbidden. I have created a web group that
includes my user and apache. It is set in the httpd.conf file. After
using chcon, ls -Z tells me
drwxr-x---. gergoe web system_u:object_r:httpd_sys_content_t:s0 wordpress
and the same for all the files under it. Still, I cannot access the
content in that dir.
What else should I set?
#0 (before 1): running a website out of your home directory is
completely and totally a no-no. You might as well open your system up to
the 'Net with a sign "Crackers Welcome!"
Move it to somewhere like, say, /var/www/html.
#1: SELinux may be preventing it because the *directory* context doesn't
allow it.
mark
10 years, 3 months