Policy Constraint Violation
by Anamitra Dutta Majumdar
We are getting the following constraint violation on an RHEL6 based system
type=AVC msg=audit(1374251063.832:433289): avc: denied { relabelfrom } for pid=6499 comm="cp" name="ld.so.conf" dev=sda1 ino=1181947 scontext=admin_u:sysadm_r:ipsec_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
Was caused by:
Policy constraint violation.
May require adding a type attribute to the domain or type to satisfy the constraint.
Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
What would be the interface to address this?
Thanks,
Anamitra
10 years, 9 months
A bit of confusion over dkim_milter_t
by Erinn Looney-Triggs
As is my usual state with things SELinux I am a bit confused about a
problem I was trying to troubleshoot involving opendkim.
Essentially I was getting this:
node=host.example.com type=AVC msg=audit(1374091410.640:248952): avc: denied { name_bind } for pid=4528 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Ok simple enough I think, so I start to search the rules:
sesearch -s dkim_milter_t -t port_t --allow
Found 4 semantic av rules:
allow dkim_milter_t port_t : tcp_socket { name_bind name_connect } ;
allow dkim_milter_t port_t : udp_socket name_bind ;
allow dkim_milter_t port_type : tcp_socket { recv_msg send_msg } ;
allow dkim_milter_t port_type : udp_socket { recv_msg send_msg } ;
Umm, ok doesn't that pretty much list it as allowed there?
Anyway I pump the denial through audit2allow just for kicks:
#============= dkim_milter_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow dkim_milter_t port_t:tcp_socket name_bind;
Again still a little confused by why this rule is necessary when I can
find it in the policy. But I get even more confused why setting
allow_ypbind to 1 fixes the issue.
What am I missing here?
If you could please CC me I only get the digests.
-Erinn
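Added example, not from either poster: a small parser for AVC records like the two quoted above (the relabelfrom denial and the name_bind denial), which pulls out the source/target types, class and permissions for an sesearch query and flags when the MLS/MCS ranges of the two contexts differ, which is the kind of thing a constraint check looks at. The two sample records are constructed from the lines as posted, with the wrapped lines re-joined.

```python
import re

# Two AVC records constructed from the shapes quoted in the posts above (fields as
# posted, wrapped lines re-joined); they are sample input, not live audit data.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1374251063.832:433289): avc: denied { relabelfrom } for pid=6499 '
    'comm="cp" name="ld.so.conf" dev=sda1 ino=1181947 '
    'scontext=admin_u:sysadm_r:ipsec_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'node=host.example.com type=AVC msg=audit(1374091410.640:248952): avc: denied { name_bind } '
    'for pid=4528 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range is optional and may itself contain ':'."""
    parts = ctx.split(':', 3)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'range': parts[3] if len(parts) == 4 else None}

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'tclass': fields['tclass'],
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
        'object': fields.get('name') or fields.get('src'),   # file name or port number
    }

def sesearch_query(rec):
    """The sesearch call that checks whether a type-enforcement allow rule covers this denial."""
    return 'sesearch --allow -s {} -t {} -c {} -p {}'.format(
        rec['source']['type'], rec['target']['type'], rec['tclass'], ','.join(rec['perms']))

def range_mismatch(rec):
    """True when the source and target MLS/MCS ranges differ (as in the relabelfrom record); a denial that sesearch shows an allow rule for points at a constraint, not a missing rule."""
    return rec['source']['range'] != rec['target']['range']
```

When sesearch does list a matching rule and the ranges agree, look at whether the rule is conditional on a boolean (as with allow_ypbind in the second post) before writing a local module.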
10 years, 9 months
Re: semanage syntax
by mark
From: Daniel J Walsh <dwalsh(a)redhat.com>
On 07/12/2013 11:41 AM, m.roth(a)5-cent.us wrote:
> Something I have not yet found while googling: we have a package (bloody CA
> idiots) that has a directory with *both* executables and libraries. I want
> to change only the .so's to textrel_shlib_t; I do not want to change the
> directory, or the executables. Pardon my ignorance of what I consider to be
> an obscure wildcard usage, but how to do this? I've tried semanage fcontext
> -a -t textrel_shlib_t "/usr/local/opt/smwa/webagent/bin/*.so"
You need to use regular expressions.
# semanage fcontext -a -t textrel_shlib_t "/usr/local/opt/smwa/webagent/bin/.*\.so"
# restorecon -R -v /usr/local/opt/smwa
Should work.
> with and without parens around the asterisk, and around the last slash and
> the asterisk....
Well... after seeing errors in /var/log/messages concerning my previous
tries, I looked in
/etc/selinux/targeted/contexts/files/file_contexts.local, and saw all of
them entered; I noted it was autogenerated by semanage. I did something
I'm sure is not approved, I just deleted all the previous attempts from
that file. I then ran the command, as you have it, above, and that did
*not* work. One question: *will* it work if smwa is a symlink, not a hard
full path?
mark
10 years, 9 months
matchportcon?
by David Quigley
Do we have an equivalent of matchpathcon for ports? Where we can specify
a protocol and port and see what the policy thinks it labeled?
Dave
10 years, 9 months
A cgi issue
by mark
Before I create a local policy, could someone explain to me the reason
that the standard policy (CentOS 6.4,
selinux-policy-3.7.19-195.el6_4.12.noarch,
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch) does not allow a .cgi
script to read a configuration file?
grep ticket2 /var/log/audit/audit.log | audit2allow
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_config_t:file { read ioctl open getattr };
mark
10 years, 9 months
Suggestion for "setroubleshoot-server" package
by Jorge Fábregas
Hi,
I've got a couple of Minimal-installation servers (RHEL 6.4 fully
updated) and in order to receive the nice AVC messages on
/var/log/messages we all know you need the setroubleshoot-server
package. The problem is, once installed, you won't get any messages
there unless you:
# service auditd restart
(so that it can pick up the recently installed sedispatch plugin)
# service messagebus start
(as it is down, although chkconfig-wise it is on for the next reboot)
Shouldn't the above be part of the %post script on the
setroubleshoot-package? I'm pretty sure many people bump into this.
Should I open a bugzilla? Or am I being too picky? :)
Regards,
Jorge
10 years, 9 months
semanage syntax
by mark
Something I have not yet found while googling: we have a package (bloody
CA idiots) that has a directory with *both* executables and libraries. I
want to change only the .so's to textrel_shlib_t; I do not want to change
the directory, or the executables. Pardon my ignorance of what I consider
to be an obscure wildcard usage, but how to do this? I've tried
semanage fcontext -a -t textrel_shlib_t
"/usr/local/opt/smwa/webagent/bin/*.so"
with and without parens around the asterisk, and around the last slash and
the asterisk....
mark
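Added example, not part of this thread: how the shell-glob form mark tried and the regex form from Dan Walsh's reply above behave when matched the way libselinux matches file_contexts entries, against the whole path. The sample paths and the DIR_ONLY_SPEC variant are my assumptions, not something either poster wrote.

```python
import re

# Paths constructed for the example, modelled on the bin/ directory mark describes
# (executables and shared objects side by side); not taken from a real host.
BIN = "/usr/local/opt/smwa/webagent/bin"
SAMPLE_PATHS = [
    BIN,                          # the directory itself
    BIN + "/webagent",            # an executable
    BIN + "/libsmagent.so",       # a shared object
    BIN + "/libsmxml.so.1",       # a versioned shared object
    BIN + "/sub/libplugin.so",    # a shared object one level down
    BIN + "/notes.sox",           # ends in ".so" plus more
]

# The shell-glob form from the question, and the regex form from the reply.
GLOB_SPEC = BIN + "/*.so"
REGEX_SPEC = BIN + r"/.*\.so"
# Assumed variant (not from the thread): stay inside bin/ and accept lib.so.N suffixes.
DIR_ONLY_SPEC = BIN + r"/[^/]+\.so(\.[0-9]+)*"

def fcontext_matches(spec, path):
    """Match the way libselinux applies a file_contexts entry: the spec is a regex
    compiled with '^' in front and '$' behind, so it has to cover the whole path."""
    return re.fullmatch(spec, path) is not None

def select(spec, paths):
    """The paths that the given spec would label."""
    return [p for p in paths if fcontext_matches(spec, p)]
```

Read as a regex, `/*.so` quantifies the slash and matches none of the paths, which is why the glob attempts showed up as errors; `.*\.so` matches the shared objects (including ones in subdirectories) but not a versioned `.so.1`, because the whole path has to match.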
10 years, 9 months
NFS Labels
by Jorge Fábregas
Hi,
In the nfsd_selinux man page it mentions:
nfsd_ro_t
nfsd_rw_t
...which might give you the impression that those are the labels you
might use for your shares. I tried them and the client could mount the
shares read-write (regardless of the label on the server). Clearly they
don't work or perhaps I'm using them in an unintended way.
After searching the mailing list I found out that, since nfs mainly runs
as a kernel module, SELinux can't control it. Apparently that's also
the reason the read-only and read-write booleans were removed. I'm now
wondering:
Did NFS use to run as a daemon in the past?
Since NFS is practically unconfined, what are the nfsd_ro_t and rw_t
labels for?
Thanks!
--
Jorge
10 years, 9 months
Root user unable to change type
by Eric Chennells
Hello,
I must be missing something in my understanding of selinux but I'm having a
problem where the root user can not change the selinux type of a directory.
I am running in targeted mode.
I was experimenting and changed the type of /tmp/bah to "unconfined_t". I
am now unable to either delete the directory or to change the type back to
"tmp_t"
chcon -R -t tmp_t /tmp/bah/
Results in:
chcon: failed to change context of `/tmp/bah/' to `unconfined_u:object_r:tmp_t:s0': Permission denied
Audit2allow is suggesting "allow unconfined_t self:dir relabelfrom;" but I
don't want to apply that because it seems that would allow all unconfined
files/processes to relabel themselves, is that correct?
Thanks for any tips.
Eric
10 years, 9 months