Procmail can't delete a tmp file but has free rein over regular files???
by Robert Nichols
A process running as procmail_t can do pretty much anything to files of
type user_home_t, but is restricted from the user_tmp_t file in /tmp
that I want to use as a semaphore. Where is the logic in that? It's
like granting free access to the vault, but locking up the
leave-a-penny-take-a-penny jar.
From selinux-policy-targeted-3.7.19-195.el6_4.3.noarch:
allow procmail_t user_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow application_domain_type user_tmp_t : file { getattr append } ;
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
11 years
MCS confusing questions
by bigclouds
hi,
1. URL: http://danwalsh.livejournal.com/63472.html
In one place, you said s0:c1,c2 can access 4 MCS, including s0:c1.
But after a while, you said
svirt_t:s0:c1,c2 would be able to read a svirt_tmp_t:s0:c1 file?
Why?
2. Why "svirt_t:s0:c1,c2 would be able to read a svirt_tmp_t:s0:c1 file"? Is it because s0:c1,c2 is a higher level than s0:c1?
Thanks
11 years
if MCS is not supported on NFS
by bigclouds
Hi all,
I mount NFS, but however I use the NFS files, those files' labels do not have MCS (cxxx,cxxx). Is MCS not supported on NFS?
Thanks.
11 years
First crack at argparse parser for semanage.
by David Quigley
I posted this yesterday but sent it from the wrong account so it's
probably in moderation.
Attached is my first crack at the argparse version of semanage. Right
now it just parses the command line and spits out the dictionary raw.
Please mess around with the command line and make sure that it behaves
how you would expect. Some of the names in the dictionary are a bit
weird and I'm having trouble getting sensible semantics for fcontext -e
but it should be parsing the command lines properly. Also not all of the
help text is in place yet. If you want to add some help text either send
it to me in an email or send me a patch and I'll apply it to my repo. I
still need to commit the latest changes to my github account but once I
do you should be able to get the same file from my semanage-argparse
repo on github. After we're sure that the parsing works as we'd like and
the help messages are sensible to people I'll work on gluing this
frontend back onto the seobject class that semanage uses to do the
actual policy store manipulations. Someone pointed out that I have some
spelling mistakes in there. I will make sure to address them in the next
version once I add more help text.
Dave
11 years
Re: 3Ware raid /dev/tw?? not label at boot
by David Highley
"Daniel J Walsh wrote:"
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/19/2013 11:36 PM, David Highley wrote:
> > We are seeing a previously fixed issue reoccurring that the device entries,
> > /dev/tw??, are not getting labeled at boot time so smartd is getting
> > blocked. Current policy is: selinux-policy-targeted-3.11.1-91.fc18.noarch
> >
> > Started with the previous version. -- selinux mailing list
> > selinux(a)lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> What exact devices? The way this works can be racy. The kernel creates a
> device and udev notices the device and relabels it. If smartd notices the
> device before udev fixes it, we can generate an AVC. We might be able to use
> named filetrans, but it can only handle exact matches. If the device number is
> big and random, we have to go back to the race condition where udev fixes the
> label. Currently we do not have named file trans for any tw devices.
They are /dev/tw0 to /dev/twa15. Since we are able to do a restorecon it
is more likely the race condition and that smartd is getting started too
early by systemd. We will submit a bug report against smartd as they
probably need to modify the smartd.service file to add some wait
coordination.
Boot and install times are great. Won't bore all of you with the multi
hour conference room login experience I had last week at work due to IT
management of systems and Windows :-)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlFybVwACgkQrlYvE4MpobMfEQCfa3NWbRg9Nxvo4/qF1PoTzHuB
> +F4AnA8cY+r4l45atlQ8yzNBWFKsUg5H
> =j4jD
> -----END PGP SIGNATURE-----
>
11 years
3Ware raid /dev/tw?? not label at boot
by David Highley
We are seeing a previously fixed issue reoccurring that the device
entries, /dev/tw??, are not getting labeled at boot time so smartd is
getting blocked. Current policy is:
selinux-policy-targeted-3.11.1-91.fc18.noarch
Started with the previous version.
11 years
allow guest_u to access screen
by Lakshmipathi.G
Hi -
I'm trying to allow the guest_u user to execute the 'screen' command. When guest_u
executes screen, access gets denied,
but I can't find any logs under /var/log/audit/audit.log. If SELinux is
disabled, guest_u can properly execute the screen command.
# grep screen /var/log/audit/audit.log | audit2allow -M screen
Nothing to do
How to provide screen command access to guest_u in a safe manner? Would such a
policy open up any other security issues?
Thanks for any pointers/help.
--
----
Cheers,
Lakshmipathi.G
FOSS Programmer.
www.giis.co.in
11 years
question about process power which has MCSx
by bigclouds
Hi all,
A qemu-kvm process and its disk (image file) have the same MCS (s0:c111,c555). This expresses that this process has access to this image.
I do not know whether the power to access its image file is the max or the min.
Does this process (domain) have any other power? How much?
I want to know the exact power a qemu-kvm process has besides access to its image file, other kinds of files, dirs etc.
My test case:
After starting a guest VM (its disk XML has cache='none' error_policy='stop'), make some modifications to its files and save them.
Then go to the hypervisor and modify the MCS of the guest VM's image file.
1. I can read those files (cache=none)? It should not be so. Why?
2. Then modify files and save; the guest VM hangs, it is paused on the UI. This is right, the qemu process can not write again. Why does this guest VM hang? And it can not be resumed.
3. Look at the audit info: denied { write } for pid=52162 comm="qemu-kvm".
That pid is 52162, which is not my qemu-kvm's pid? Why?
Thanks so much.
11 years
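Both MCS questions above (the "4 MCS" reachable from s0:c1,c2, and what happens to a qemu-kvm process once its image file's categories are changed underneath it) come down to the same rule: in the Fedora MCS constraints, a process may read or write a file only if the process's level dominates the file's level, i.e. same-or-higher sensitivity and a category set that is a superset of the file's. The following Python is an added example written for this page, not code from the posts or from the SELinux policy sources; it ignores policy exemptions such as the read-all and constrained-type attributes and models only the category comparison.

```python
"""MCS dominance checks (added example; not from the list posts or the policy)."""
from itertools import combinations


def parse_level(level):
    """Parse 's0:c1,c2' into (0, frozenset({1, 2})).

    A range such as 'c0.c1023' expands to every category between its ends,
    and a bare 's0' has an empty category set.
    """
    sens, _, cats = level.partition(":")
    if not sens.startswith("s"):
        raise ValueError(f"bad sensitivity in {level!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(categories)


def format_level(sens, cats):
    """Inverse of parse_level for a sensitivity number and category set."""
    if not cats:
        return f"s{sens}"
    return f"s{sens}:" + ",".join(f"c{c}" for c in sorted(cats))


def dominates(subject_level, object_level):
    """Subject dominates object: sensitivity >= and categories a superset."""
    s_sens, s_cats = parse_level(subject_level)
    o_sens, o_cats = parse_level(object_level)
    return s_sens >= o_sens and o_cats <= s_cats


def dominated_levels(level):
    """All levels at the same sensitivity that `level` dominates.

    For s0:c1,c2 that is the four subsets of {c1, c2}: s0, s0:c1, s0:c2, s0:c1,c2.
    """
    sens, cats = parse_level(level)
    ordered = sorted(cats)
    return [
        format_level(sens, combo)
        for n in range(len(ordered) + 1)
        for combo in combinations(ordered, n)
    ]


def mcs_file_access(process_level, file_level):
    """Model the MCS file constraint: read and write both need dominance.

    Relabelling a running guest's image so that the process no longer
    dominates it turns the next write into a denial (the audit line in the
    post) and a guest configured with error_policy='stop' pauses.
    """
    return "allowed" if dominates(process_level, file_level) else "denied"


if __name__ == "__main__":
    print(dominated_levels("s0:c1,c2"))
    print(mcs_file_access("s0:c111,c555", "s0:c111,c555"))  # image keeps its label
    print(mcs_file_access("s0:c111,c555", "s0:c111,c556"))  # image relabelled: denied
```

The list returned by `dominated_levels` is the "4 MCS" from the blog post, and `dominates("s0:c1,c2", "s0:c1")` being true while the reverse is false is why a svirt_t:s0:c1,c2 process can read a svirt_tmp_t:s0:c1 file but not the other way round.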
Re: First crack at argparse parser for semanage.
by mark
David Quigley wrote:
> On 04/18/2013 10:12, m.roth(a)5-cent.us wrote:
>> David Quigley wrote:
<snip>
>>> Attached is my first crack at the argparse version of semanage.
<snip>
>> Well, if you're screwing with semanage's syntax... can't the bizarre
>> syntax of wildcards be changed to something *normal*? Y'know, like make
>> semanage fcontext -a -t httpd_sys_content_t /web\*
>> ?
>> And why doesn't semanage have a way to set -t u?
>
> I'm not sure I understand your last question. Also I'm trying not to
> mess with the syntax so we don't obsolete all the documentation out
> there.
>
Maybe, but the semanage syntax for wildcards is *utterly* unlike any other
usage - any shell, or perl, or whatever, and I see absolutely no reason to
have it so different. I guarantee it confuses people - I had problems just
a bit ago.
And the second note - if there's a syntax for semanage that lets me change
user context, I don't see it - the -s doesn't seem to let me do, for
example, -s system_u.
mark
--
mark's standard complaint about the selinux list: NO OTHER LIST I'm on, or
have been on in the 22 years I've been on the 'Net, is configured to have
reply, rather than reply all, reply to the sender, rather than the list.
11 years