selinux April 2014

selinux@lists.fedoraproject.org

14 participants
15 discussions

Start a nNew thread

setsebool returns word Killed
by Shintaro Fujiwara 30 Apr '14

30 Apr '14

Hi, I want to send mail from php script so, I typed, # setsebool -P httpd_can_sendmail on Killed What's wrong?

2 2

fcontext for perl modules (.pm)
by mark 24 Apr '14

24 Apr '14

I know these are being used by perl cgi... .so's, I know, are textrel_shlib_t; is there something similar for .pm's? googling (and binging) is finding me not very much of nothing.... mark

2 1

the right way to delete a mistake in file contexts
by mark 24 Apr '14

24 Apr '14

What's the *correct* way to delete a mistake. I just did an semanage fcontext, and in the wildcard, had *., rather than .*. I seem to have made selinux stop complaining by deleting the line from /etc/selinux/targeted/contexts/files/file_contexts.local and /etc/selinux/targeted/modules/active/file_contexts.local, but I doubt that's the recommended method.... mark

2 1

Dovecot ldap cert access
by William 24 Apr '14

24 Apr '14

Hi, I run a dovecot instance that looks up users from ldap. Of course, this is done via SSL/TLS. As a result, I get a number of denials that dovecot can't read the slapd_cert type. Would it be worth adding an optional policy to dovecot.te such as: optional_policy(` ldap_read_certs(dovecot_auth_t) ') PS: What is optional_policy for? Is that just so that if that interface / type isn't available, it doesn't cause an error in the policy build? -- William Brown <william(a)firstyear.id.au>

2 1

journald bypassing MAC checks?
by Florian Weimer 24 Apr '14

24 Apr '14

systemd-journald has a facility where it accepts file descriptors from unprivileged local users and reads the log message from them. This is done to bypass size restrictions on UNIX domain socket datagram messages. The code is here in server_process_native_file: http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-nativ… Does this bypass MAC checks because the journald process has different privileges than the user who opened the file descriptor? -- Florian Weimer / Red Hat Product Security Team

3 3

dovecot issues
by mark 22 Apr '14

22 Apr '14

CentOS 6.5, selinux-policy-targeted 3.7.19-231. We have many years of /var/spool/indexes/<user>/... They're currently all dovecot_t. grep imap /var/log/audit/audit.log | audit2allow tells me "The source type 'dovecot_t' can write to a 'dir' of the following types: # dovecot_tmp_t, user_home_t, dovecot_spool_t, mail_home_rw_t, dovecot_var_log_t, dovecot_var_run_t, mail_spool_t, cluster_conf_t, nfs_t So, is this trying to tell me that I need to relabel *everything* down there as something else - dovecot_spool_t, or what? mark

2 1

In case you do not follow me on Twitter @rhatdan
by Daniel J Walsh 21 Apr '14

21 Apr '14

SELinux Coloring Book was a huge hit at the Red Hat Summit last week in San Francisco. We gave out around 1000 coloring books, and people seemed to enjoy them and actually learn some stuff. Máirín Duffy has setup a git hub site where you can download the source and do translations. https://github.com/mairin/selinux-coloring-book Or you can print it directly from http://blog.linuxgrrl.com/2014/04/16/the-selinux-coloring-book/ These books are based on the article in opensource.com http://opensource.com/business/13/11/selinux-policy-guide which won a Readers Choice Award on opensource.com. I find it an easy way to explain Type Enforcement, MCS and MLS Separation.

1 0

How to check if semodule -l is correct
by Bruno Wolff III 14 Apr '14

14 Apr '14

I have been seeing something that looks like my add on policies aren't being used after selinux updates in some cases. The modules show up in output of semodule -l, but I get audit warnings for things allowed by them and some services don't work as expected. (And the audit2allow output even notes that they should be allowed by current policy.) Is there a way I can check to see if semodule -l is telling me what's really loaded into whatever is doing the enforcing?

1 0

semanage error when upgrading to RHEL 6.5
by Andy Ruch 07 Apr '14

07 Apr '14

Hello, I have a policy that was originally written for RHEL 6.2. I’m now trying to upgrade to RHEL 6.5 and I’m having problems with semanage. I can install a fresh RHEL 6.5 system with the targeted policy and everything works fine. I then uninstall the targeted policy and install my policy and I can’t link the linux user and selinux user. >> semanage user –a -R sysadm_r -R staff_r -r s0-s0:c0.c1023 testuser_u >> useradd -G wheel testuser >> semanage login -a -r s0-s0:c0.c1023 -s testuser_u testuser libsemanage.dbase_llist_query: could not query record value /usr/sbin/semanage: Could not query user for testuser I have the RHEL 6.5 source code for libsemanage and the targeted policy but so far I haven't been able to find differences that would affect this problem. Could someone please point me in the right direction as far as what semanage is expecting? What would prevent libsemanage from querying for the user? Thanks, Andy

3 15

SELinux Coloring Book will be at the Red Hat Summit.
by Daniel J Walsh 04 Apr '14

04 Apr '14

https://twitter.com/rhatdan/status/451845033063632898/photo/1 Color while you learn :^) If you are going to the Summit (http://red.ht/1o0WbsI) Make sure you stop by and pick one up. We will make the PDF available after the Summit.

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux April 2014