selinux September 2013

selinux@lists.fedoraproject.org

11 participants
15 discussions

Announcement the se-sandbox-runner
by Alex Roithman 03 Sep '13

03 Sep '13

Hi, i wrote the simple Qt-wrap for SELinux Sandbox (sandbox utility) and created the ReviewRequest: https://bugzilla.redhat.com/show_bug.cgi?id=999366 I hope that you are interested in it. Maybe someone wish to complete the review or advice about his work. Fl@sh.

3 14

Back to FC 19 AVCs
by mark 03 Sep '13

03 Sep '13

I did a full relabel of the system. getsebool reports use_nfs_home_dirs --> on The dated subdirectory is in motion's home directory, owned by motion, and NFS mounted. And yet I get this from sealert: SELinux is preventing /usr/bin/mplayer from read access on the directory 2013-08-14. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that mplayer should be allowed read access on the 2013-08-14 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep mplayer /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:zoneminder_t:s0 Target Context system_u:object_r:nfs_t:s0 Target Objects 2013-08-14 [ dir ] Source mplayer Source Path /usr/bin/mplayer Port <Unknown> <snip> Platform Linux argo 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64 Alert Count 62 First Seen 2013-01-02 11:26:28 EST Last Seen 2013-08-14 14:09:34 EDT Local ID a01e1306-2704-45c0-813d-9bffa97c7bd1 Raw Audit Messages type=AVC msg=audit(1376503774.334:31452): avc: denied { read } for pid=17414 comm="mplayer" name="2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir type=AVC msg=audit(1376503774.334:31452): avc: denied { open } for pid=17414 comm="mplayer" path="/home/motion/camera/2013-08-14" dev="0:38" ino=29229148 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir type=SYSCALL msg=audit(1376503774.334:31452): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=7f3f37f3d540 a2=90800 a3=0 items=0 ppid=17413 pid=17414 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mplayer exe=/usr/bin/mplayer subj=system_u:system_r:zoneminder_t:s0 key=(null) Hash: mplayer,zoneminder_t,nfs_t,dir,read

4 5

Sosreport Fedora 19
by David Highley 03 Sep '13

03 Sep '13

Lots of avc for sosreport in Fedora 19. type=SYSCALL msg=audit(1376177902.497:110): arch=c000003e syscall=16 success=no exit=-65 a0=3 a1=8940 a2=7fff72ed5bf0 a3=7fff72ed59a0 items=0 ppid=3710 pid=3736 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376177902.497:110): avc: denied { module_request } for pid=3736 comm="brctl" kmod="bridge" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system type=SYSCALL msg=audit(1376177902.968:111): arch=c000003e syscall=6 success=no exit=-13 a0=7fff425f9af0 a1=1dcd140 a2=1dcd140 a3=fffff800 items=0 ppid=3710 pid=3764 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ls" exe="/usr/bin/ls" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376177902.968:111): avc: denied { getattr } for pid=3764 comm="ls" path="/dev/initctl" dev="devtmpfs" ino=8906 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file type=SYSCALL msg=audit(1376177902.980:112): arch=c000003e syscall=6 success=no exit=-13 a0=7fff425f9af0 a1=1ddbb30 a2=1ddbb30 a3=fffffff8 items=0 ppid=3710 pid=3764 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ls" exe="/usr/bin/ls" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376177902.980:112): avc: denied { getattr } for pid=3764 comm="ls" path="/dev/pts/ptmx" dev="devpts" ino=2 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file type=SYSCALL msg=audit(1376177903.375:113): arch=c000003e syscall=4 success=no exit=-13 a0=2051cb0 a1=7fff82adf0c0 a2=7fff82adf0c0 a3=0 items=0 ppid=3710 pid=3772 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="df" exe="/usr/bin/df" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376177903.375:113): avc: denied { getattr } for pid=3772 comm="df" path="/sys/fs/pstore" dev="pstore" ino=9238 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pstorefs_t:s0 tclass=dir type=SYSCALL msg=audit(1376177903.408:114): arch=c000003e syscall=4 success=no exit=-13 a0=2052470 a1=7fff82adf0c0 a2=7fff82adf0c0 a3=0 items=0 ppid=3710 pid=3772 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="df" exe="/usr/bin/df" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376177903.408:114): avc: denied { getattr } for pid=3772 comm="df" path="/sys/kernel/config" dev="configfs" ino=15409 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir type=SYSCALL msg=audit(1376177904.575:115): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80803 a2=f a3=d2be50 items=0 ppid=3710 pid=3803 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="lsusb" exe="/usr/bin/lsusb" subj=system_u:system_r:sosreport_t:s0-s0:c 0.c1023 key=(null) type=AVC msg=audit(1376177904.575:115): avc: denied { create } for pid=3803 comm="lsusb" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=netlink_kobject_uevent_socket type=SYSCALL msg=audit(1376177904.650:116): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80803 a2=f a3=1697e50 items=0 ppid=3710 pid=3804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="lsusb" exe="/usr/bin/lsusb" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376177904.650:116): avc: denied { create } for pid=3804 comm="lsusb" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=netlink_kobject_uevent_socket type=SYSCALL msg=audit(1376180405.316:271): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=7fffde20a870 items=0 ppid=3710 pid=6315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376180405.316:271): avc: denied { create } for pid=6315 comm="iptables" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=rawip_socket type=SYSCALL msg=audit(1376180405.317:272): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=7fffde20a810 items=0 ppid=3710 pid=6315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=( none) comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376180405.317:272): avc: denied { create } for pid=6315 comm="iptables" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=rawip_socket type=SYSCALL msg=audit(1376180405.323:273): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=7fffec93d130 items=0 ppid=3710 pid=6316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376180405.323:273): avc: denied { create } for pid=6316 comm="iptables" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=rawip_socket type=SYSCALL msg=audit(1376180405.323:274): arch=c000003e syscall=41 success=no exit=-13 a0=2 a1=3 a2=ff a3=7fffec93d0d0 items=0 ppid=3710 pid=6316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1376180405.323:274): avc: denied { create } for pid=6316 comm="iptables" scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=rawip_socket type=SYSCALL msg=audit(1376180405.697:281): arch=c000003e syscall=89 success=no exit=-13 a0=7fffa26e89e0 a1=7fffa26e87c0 a2=1d a3=3 items=0 ppid=3710 pid=6324 a

3 2

FC19, AVC mailx
by mark 03 Sep '13

03 Sep '13

SELinux is preventing /usr/bin/mailx from ioctl access on the unix_stream_socket unix_stream_socket. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that mailx should be allowed ioctl access on the unix_stream_socket unix_stream_socket by default. <snip> Additional Information: Source Context system_u:system_r:system_mail_t:s0 Target Context system_u:system_r:init_t:s0 Target Objects unix_stream_socket [ unix_stream_socket ] Source mail Source Path /usr/bin/mailx Port <Unknown> <snip> Source RPM Packages mailx-12.5-8.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-69.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive <snip> Platform Linux <...> 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64 Alert Count 53 First Seen 2013-07-31 09:17:16 EDT Last Seen 2013-08-20 09:06:53 EDT Local ID c515e3ea-2126-47ac-9d89-5295777101e7 Raw Audit Messages type=AVC msg=audit(1377004013.420:62309): avc: denied { ioctl } for pid=31047 comm="mail" path="socket:[12915]" dev="sockfs" ino=12915 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1377004013.420:62309): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=1 a1=5401 a2=7fff8006f380 a3=7fff8006f1d0 items=0 ppid=31031 pid=31047 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=mail exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0 key=(null) Hash: mail,system_mail_t,init_t,unix_stream_socket,ioctl mark "call me befuddled"

2 1

Nonstandard Homedir Label
by Robert Gabriel 03 Sep '13

03 Sep '13

Hi, If I have in /etc/passwd splunk:x:101:101:Splunk User:/opt/splunkdashboards/var/lib/splunk:/sbin/ nologin and in splunkdashboards.fc: /opt/splunkdashboards/var/lib(/.*)? gen_context(system_u:object_r: splunkdashboards_var_lib_t,s0) then following label: guest_u:object_r:usr_home_dir_t. If in /etc/passwd splunk:x:101:101:Splunk User:/nonexistant:/sbin/nologin then label as expected. I see Apache and Postfix have homedirs in various directories and are labelled correctly. Please why? Thank you.

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux September 2013