Bootup error with Selinux +F15
by magina antimage
Hi,
I have tried disabling SELinux, because I didn't have the selinux module
enabled in my kernel.
I have tried changing /etc/selinux/config
from SELINUX=permissive to SELINUX=disabled,
but I still get the error
"Failed to load SELinux policy." during bootup.
I have referred to "https://bugzilla.redhat.com/show_bug.cgi?id=692573"
and tried to solve this problem, but with no positive results.
Also, sometimes I get I/O errors on my hard disk (during boot) after
one or two boots.
I am not sure whether it's because of SELinux or not, but while
searching for this I/O error I came across a few cases where these I/O
errors were because of SELinux policies.
other details:
arch:x86
selinux version:libselinux-2.0.99-4.fc15.i686
10 years, 4 months
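The config-file change in the post is only one of three things that decide which state SELinux ends up in at boot: whether the kernel was built with SELinux at all, the kernel command line (selinux=0 / enforcing=0), and /etc/selinux/config. The following is an added example, not code from the post or from Fedora: a small checker that applies that precedence to constructed inputs. The precedence order it encodes is a simplification of what init does and is an assumption of this example, as is the sample config text.

```python
"""Decide which SELinux state a machine will actually boot into.

Added example (not from the original post). Inputs are the contents of
/etc/selinux/config, the kernel command line (/proc/cmdline) and whether
the kernel has SELinux support (on a real box: is /sys/fs/selinux there?).
The precedence used below is an assumption of this example:
kernel support -> selinux=0 -> SELINUX=disabled -> enforcing=0 -> SELINUX=.
"""


def parse_selinux_config(text):
    """Parse /etc/selinux/config-style KEY=value lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_cmdline(cmdline):
    """Turn 'ro root=/dev/sda1 selinux=0' into a dict; bare flags map to None."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def effective_state(config_text, cmdline, kernel_has_selinux):
    """Return (state, reason); state is one of
    'unavailable', 'disabled', 'permissive', 'enforcing'."""
    if not kernel_has_selinux:
        # Without kernel support nothing can load a policy, whatever the config says.
        return ("unavailable",
                "kernel has no SELinux support; config file is ignored")
    params = parse_cmdline(cmdline)
    if params.get("selinux") == "0":
        return ("disabled", "selinux=0 on the kernel command line")
    cfg = parse_selinux_config(config_text)
    mode = cfg.get("SELINUX", "enforcing").lower()
    if mode == "disabled":
        return ("disabled", "SELINUX=disabled in /etc/selinux/config")
    if params.get("enforcing") == "0":
        return ("permissive",
                "enforcing=0 on the kernel command line overrides the config file")
    if mode not in ("permissive", "enforcing"):
        raise ValueError(f"unrecognised SELINUX={mode!r} in config")
    return (mode, f"SELINUX={mode} in /etc/selinux/config")


# Constructed sample config, shaped like the one the post edited.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
"""

if __name__ == "__main__":
    for kernel_ok, cmdline in ((True, "ro root=/dev/sda1"),
                               (True, "ro root=/dev/sda1 enforcing=0"),
                               (False, "ro root=/dev/sda1")):
        print(kernel_ok, cmdline, "->", effective_state(SAMPLE_CONFIG, cmdline, kernel_ok))
```

On a live system you would feed it `open("/etc/selinux/config").read()`, `open("/proc/cmdline").read()` and `os.path.isdir("/sys/fs/selinux")`; the point of the first branch is that with a kernel lacking SELinux, editing the config file cannot change anything.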
NFS Home Directory Files Mis-Labelled
by Mike Pinkerton
[Note: I sent this message yesterday without first subscribing to
the list -- intending to check the web archive for responses.
Because my message has not yet shown up in the web archive, I
subscribed in order to re-send this. My apologies if both messages
make it out of the moderation queue.]
Last summer, I set up a network with about a dozen stationary boxes
and 15-20 moveable users. All users are authenticating via FreeIPA,
and have their home directories NFS-mounted from a central file
server. Both the desktop boxes and the file server were running
Fedora 16.
+ User home directories were mounted from "/srv/exports/<user_name>".
+ The desktop boxes had SELinux boolean "use_nfs_home_dirs=1".
+ The file server had "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
/srv system_u:object_r:home_root_t:s0
All was working well.
In March, I upgraded all of the desktop boxes, as well as the file
server and the FreeIPA server to Fedora 18.
+ User home directories are still mounted from "/srv/exports/<user_name>".
+ The desktop boxes still have SELinux boolean "use_nfs_home_dirs=1".
+ The file server still has "/etc/selinux/targeted/contexts/files/file_contexts.local" with:
/srv system_u:object_r:home_root_t:s0
The problem is that, as some users create files, they are being
created with context:
"system_u:object_r:user_home_t:s0"
rather than:
"unconfined_u:object_r:user_home_t:s0"
If I run "restorecon -FR /srv", then the files are re-labelled to
the "unconfined_u".
I don't know how frequently files are created with the wrong context.
Any ideas as to what is happening?
Thanks.
--
Mike
10 years, 7 months
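Before relabelling a whole export tree it helps to know which files are affected and for which users. The following is an added example, not code from the post: it parses `ls -Z`-style lines into the four fields of a security context (user:role:type:level), lists the files under the export root whose user field is not the expected one, and counts the user fields per home directory. The listing is constructed to mirror the symptom in the post; the export root and expected user are taken from it.

```python
"""Find files under an NFS-exported home tree whose SELinux user field does
not match what the clients expect. Added example, not from the original
post. The ls -Z style listing is constructed; "/srv/exports/" and
"unconfined_u" come from the post itself."""
from collections import Counter, namedtuple

Context = namedtuple("Context", "user role type level")


def parse_context(text):
    """Split 'user:role:type[:level]' into its fields (level may be empty).

    The level is taken as everything after the third colon, so MLS ranges
    such as s0-s0:c0.c1023 stay intact."""
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {text!r}")
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)


# Constructed listing in "context path" form, e.g. from: find /srv -exec ls -dZ {} +
SAMPLE_LISTING = """\
system_u:object_r:home_root_t:s0 /srv
system_u:object_r:home_root_t:s0 /srv/exports
unconfined_u:object_r:user_home_dir_t:s0 /srv/exports/alice
unconfined_u:object_r:user_home_t:s0 /srv/exports/alice/.bashrc
system_u:object_r:user_home_t:s0 /srv/exports/alice/report.odt
unconfined_u:object_r:user_home_dir_t:s0 /srv/exports/bob
unconfined_u:object_r:user_home_t:s0 /srv/exports/bob/notes.txt
system_u:object_r:user_home_t:s0 /srv/exports/bob/cache/index
"""


def parse_listing(listing):
    """Yield (path, Context) pairs from 'context path' lines."""
    entries = []
    for line in listing.splitlines():
        ctx_text, _, path = line.strip().partition(" ")
        if path:
            entries.append((path, parse_context(ctx_text)))
    return entries


def find_mislabelled(listing, export_root="/srv/exports/",
                     expected_user="unconfined_u"):
    """Paths below export_root whose SELinux user differs from expected_user."""
    return [(path, ctx.user) for path, ctx in parse_listing(listing)
            if path.startswith(export_root) and ctx.user != expected_user]


def per_home_summary(listing, export_root="/srv/exports/"):
    """Count the user field of every entry, grouped by home directory name."""
    counts = {}
    for path, ctx in parse_listing(listing):
        if not path.startswith(export_root):
            continue
        home = path[len(export_root):].split("/", 1)[0]
        counts.setdefault(home, Counter())[ctx.user] += 1
    return counts


if __name__ == "__main__":
    for path, user in find_mislabelled(SAMPLE_LISTING):
        print(f"{user:14} {path}")
    print(per_home_summary(SAMPLE_LISTING))
```

Note that `restorecon` without `-F` only resets the type field of a context, so a plain `restorecon -R` would leave the user field as it is; that is why the post needed `-FR` to get the files back to `unconfined_u`.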
I need a script invoked from procmail_t to run unconfined.
by Robert Nichols
I have a script invoked from a procmail recipe that needs to perform
actions involving searching for processes by name, playing sound through
pulseaudio, sending mail, plus a few others. When I run with enforcing=0
I get 385 AVC denials (103KB, not attached), and that's _without_
disabling the "dontaudit" rules, which would yield over 100 more
denials. The target contexts are not something I can change without
totally destroying the current policy.
Any suggestions other than the 120 "allow" rules that audit2allow would
suggest (and that's without considering the "dontaudit" denials)?
I'm getting _really_ tired of this. I'm spending more time trying to
get things to work under SELinux than it would take me to recover from a
(highly unlikely) intrusion. Sometimes the cost of insurance is just
too high.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
10 years, 7 months
Disable policy module?
by Moray Henderson
Is there a way to disable a particular module in
selinux-policy-targeted-3.7.19-195.el6_4.1.noarch.rpm without having to
modify and rebuild the whole RPM?
Our versions of Ruby and Passenger put things in different places than the
ones expected by the SELinux passenger module so we've had to remove it and
make our own. That meant we missed a RHEL 6.4 selinux-policy update and
ended up with a broken Samba 3.6. If there's a way we can go back to using
the standard selinux-policy rpms but disable the passenger module, it would
be very useful.
Thanks,
Moray.
"To err is human; to purr, feline."
10 years, 7 months
Issue on a new system
by mark
We've just built a new machine, running CentOS 6.4. I built, then my
manager pulled stuff off the machine that it's replacing, installing as
necessary. I'm seeing a ton of complaints of "SELinux is preventing
/usr/libexec/dovecot/imap from search access on the directory indexes.".
Now, ps -Z | grep dove shows that dovecot's running as
unconfined_u:system_r:dovecot_t:s0, while a typical index it's trying to
read shows ll -Z as system_u:object_r:dovecot_t. As a side note, it's
owned by user, with group of nobody.
I see the same file on the old server as being system_u:object_r:var_spool_t.
Why would selinux be complaining? Is what was on the old system the
correct context?
mark
10 years, 7 months
Re: Issue on a new system
by mark
From: Miroslav Grepl <mgrepl(a)redhat.com>
On 04/23/2013 04:37 PM, m.roth(a)5-cent.us wrote:
> m.roth(a)5-cent.us wrote:
>>
> This is very frustrating. My manager rebooted this morning, so now I'm not
> sure about which avc I wrote about yesterday. However, I see various
> things:
<snip>
> 3. This one makes *zero* sense to me: SELinux is preventing
> /lib64/security/pam_krb5/pam_krb5_storetmp from execute access on the
> file /lib64/security/pam_krb5/pam_krb5_storetmp. ll -Z
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0
> /lib64/security/pam_krb5/pam_krb5_storetmp*
<snip>
> And last one would need
> corecmd_exec_bin() for a source type from AVC msg which we don't have.
Not sure how to use that, but I'm at work for a few more minutes, and it's
telling me, from sealert,
SELinux is preventing /lib64/security/pam_krb5/pam_krb5_storetmp from
execute access on the file /lib64/security/pam_krb5/pam_krb5_storetmp.
And one of the raw avcs is:
type=AVC msg=audit(1367010914.610:143690): avc: denied {
execute_no_trans } for pid=1310 comm="auth"
path="/lib64/security/pam_krb5/pam_krb5_storetmp" dev=sda3 ino=15343658
scontext=system_u:system_r:dovecot_auth_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=file
Thanks.
mark
10 years, 7 months
question on patch files in selinux source package
by John Emrich
I am running Fedora-18 and have the SELinux policy release 86.fc18.
Installed Packages
>Name : selinux-policy
>Arch : noarch
>Version : 3.11.1
>Release : 86.fc18
>Size : 62
>Repo : installed
>From repo : updates
>Summary : SELinux policy configuration
>URL : http://oss.tresys.com/repos/refpolicy/
>License : GPLv2+
>Description : SELinux Reference Policy - modular.
> : Based off of reference policy: Checked out revision 2.20091117
I downloaded the matching source selinux-policy-3.11.1-86.fc18.src.rpm
When installing this I noticed patch files (but no related documentation)
rpmbuild/SOURCES/policy-f18-base.patch
rpmbuild/SOURCES/policy_contrib-rawhide-roleattribute.patch
rpmbuild/SOURCES/policy-f18-contrib.patch
rpmbuild/SOURCES/policy-rawhide-roleattribute.patch
Are these patches just there for reference or do they also need to be applied on top of the 86.fc18.src installation?
Thank You
John Emrich
847-312-1244 (cell)
10 years, 7 months
Re: Disable policy module?
by Dominick Grift
On Fri, 2013-04-26 at 10:16 +0100, Moray Henderson wrote:
> Is there a way to disable a particular module in
> selinux-policy-targeted-3.7.19-195.el6_4.1.noarch.rpm without having to
> modify and rebuild the whole RPM?
>
sudo semodule -d passenger
disables the passenger module
> Our versions of Ruby and Passenger put things in different places than the
> ones expected by the SELinux passenger module so we've had to remove it and
> make our own. That meant we missed a RHEL 6.4 selinux-policy update and
> ended up with a broken Samba 3.6. If there's a way we can go back to using
> the standard selinux-policy rpms but disable the passenger module, it would
> be very useful.
>
> Thanks,
>
> Moray.
> "To err is human; to purr, feline."
>
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
10 years, 7 months
selinux problems connecting with a chroot user to a RHEL6 system
by Garey Mills
Hello -
I am experiencing the following problem with SELinux on a RHEL6
system:
I am trying to set up a chrooted user. I edited sshd_config to
contain the lines
Match User physics
ChrootDirectory /chrootAccounts/physics
X11Forwarding no
AllowTcpForwarding no
I created a user named 'physics' with the home directory of
/chrootAccounts/physics and constructed a chroot jail consisting of the
directory /chrootAccounts and the requisite bin, dev and lib directories.
If I disable selinux, I can log in.
I enabled SELinux and then tried to log in. This generated a
number of 'avc' errors, which I dealt with using the 'audit2allow' utility.
At the end of this process I ended up with the following error message
that will not clear:
Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143):
avc: denied { transition } for pid=4852 comm="sshd" path="/bin/sh"
dev=sda3 ino=524299
scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process
Trying to solve this by going to Google, I found that this problem (that
'chroot_user_t' cannot 'transition' to the sh process) had been solved
and patches submitted on a Debian SELinux list, but apparently not in
RHEL6.
Does anyone know a solution to this that could be applied by
someone who knows how to use audit2allow but not much else about SELinux?
--
Garey Mills
Library Systems Office
UC Berkeley
10 years, 7 months
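Three of the threads above (Robert Nichols' 385 procmail denials, mark's dovecot_auth_t raw AVC, and this chroot_user_t transition denial) come down to the same task: reading a pile of AVC records and seeing what audit2allow would ask you to allow, before deciding whether that is acceptable. The following is an added example, not code from any of the posts or from the audit2allow tool: it parses both record shapes that appear on this page (the raw audit.log form with `type=AVC msg=audit(...)` and the syslog/kernel form with `type=1400 audit(...)`), groups denials by source type, target type and object class, renders each group as the allow rule audit2allow would propose, and flags the groups that would let a domain enter the unconfined type, which is the case the chroot post runs into. The two real records are copied from the posts; the second dovecot_auth_t record is constructed.

```python
"""Summarise SELinux AVC denials the way audit2allow does, and flag the
high-impact ones, before deciding what to allow.

Added example, not from the posts above and not audit2allow itself.
Handles the raw audit.log form and the syslog/kernel (type=1400) form."""
import re
from collections import defaultdict

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with 'perms' (list) plus every key=value field, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated record; do not guess
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type (the part type-enforcement rules use)."""
    return ctx.split(":")[2]


def summarise(lines):
    """Group denials by (source type, target type, class); merge permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["comms"].add(rec.get("comm", "?"))
    return dict(groups)


def as_allow_rules(groups):
    """Render each group as the allow rule audit2allow would propose."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};  # {g['count']} denial(s)")
    return rules


def high_impact(groups):
    """Groups whose rule would let the source domain transition into, or act
    on, the unconfined type: allowing these effectively unconfines the domain."""
    return [key for key, g in sorted(groups.items())
            if key[1] == "unconfined_t"
            or (key[2] == "process" and "transition" in g["perms"])]


# Records 1 and 3 are the two real ones quoted on this page; record 2 is constructed.
SAMPLE_LOG = [
    'type=AVC msg=audit(1367010914.610:143690): avc:  denied  { execute_no_trans } for  '
    'pid=1310 comm="auth" path="/lib64/security/pam_krb5/pam_krb5_storetmp" dev=sda3 '
    'ino=15343658 scontext=system_u:system_r:dovecot_auth_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file',
    'type=AVC msg=audit(1367010920.101:143702): avc:  denied  { execute } for  '
    'pid=1310 comm="auth" path="/lib64/security/pam_krb5/pam_krb5_storetmp" dev=sda3 '
    'ino=15343658 scontext=system_u:system_r:dovecot_auth_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file',
    'Apr 22 15:10:44 srblib3 kernel: type=1400 audit(1366668644.309:100143): avc:  denied  '
    '{ transition } for  pid=4852 comm="sshd" path="/bin/sh" dev=sda3 ino=524299 '
    'scontext=system_u:system_r:chroot_user_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
]

if __name__ == "__main__":
    groups = summarise(SAMPLE_LOG)
    print("\n".join(as_allow_rules(groups)))
    print("high impact:", high_impact(groups))
```

Feeding it the 385 denials from the procmail thread (`grep 'avc: *denied' /var/log/audit/log` or the syslog equivalent) collapses them into one line per source/target/class, which is the list you actually have to reason about; the `high_impact` output is the subset where the answer is usually a different domain or a policy fix rather than an allow rule.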