Re: RHEL 7 consoletype_exec interface issue
by Douglas Brown
Hi,
In RHEL 7 when using the userdom_unpriv_user_template interface to create a new role, it in turn uses the consoletype_exec interface; but when I attempt to insert a policy compiled with this, it says the type consoletype_exec_t doesn’t exist.
N.B. This works on RHEL 6.
Thanks,
Doug
6 years, 8 months
Problems with enigmail, gnupg2, and thunderbird.
by Jean-David Beyer
I have all these programs:
enigmail 1.8.2,
thunderbird-38.4.0-1.el6_7.x86_64, and
gnupg2-2.0.14-8.el6.x86_64.
They all sort-of work. If I start up thunderbird and want to compose a
message, I can do that. If I say I want to sign or encrypt it, I can
sort of do that too. A pinentry dialog box comes up, and I enter my
passphrase, and it works.
Similarly for reading signed or encrypted messages.
But I get the pinentry dialog box _every time_, and I did not use to
with the 1.4 (I think it was) versions of these programs.
I have googled and stuff, and nothing I find seems to apply to RHEL
systems.
They have me enter stuff into .profile, and I have no such file.
They want me to put stuff into .xsession, .bashrc, and .bash_profile.
They all do stuff. But not usable.
I assume this is a configuration problem. But where do I find the
_authoritative documentation_ on how to configure these programs to work
together?
Some advice talks about a gnome keyring.
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
/( )\ Shrewsbury, New Jersey http://linuxcounter.net
^^-^^ 10:20:01 up 5 days, 10:53, 2 users, load average: 5.04, 4.69, 4.57
7 years, 11 months
acpid cannot run 'amixer' due to SELinux issue?
by John W
Hello,
I'm trying to control the system volume on my laptop using the special
volume keys on the keyboard.
Pressing the keys generates acpi events, so I am using acpid to handle them.
I have a script at /etc/acpid/actions that runs, no problem.
However, the script does not work when run via the acpid daemon. In
particular the "amixer" command it uses to alter the volume fails.
It works fine when run manually, and fine when run as root.
I suspect SELinux because:
1) Running 'setenforce 0' causes it to start working
2) I see denials in the audit.log:
type=AVC msg=audit(1450643943.351:1071): avc: denied { read } for pid=17124 comm="amixer" name="controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0
First question: Should I be opening a bug report about this? This page
indicates maybe so:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/...
Now, I have gone ahead trying to get this working using audit2allow.
Indeed, I have created a policy package, with these bits:
allow apmd_t sound_device_t:chr_file ioctl;
allow apmd_t sound_device_t:chr_file { read open };
I installed the .pp file with "semodule -i", and it shows up in "semodule -l".
Now, no audit.log entries are produced. But it still doesn't work!
It *does* work when I use "setenforce 0", but apparently my custom
policy package, while it does silence the audit log, does not fix the
issue.
So, my second question: What else could be going on?
Wouldn't any denials show up in the log?
I would like to solve this in a focused way, rather than turning off
SELinux entirely, but currently that seems to be the only thing that
works, and I can't see how to proceed...
My system info, if you want:
$ uname -a
Linux biglap.home.lan 3.18.9-200.fc21.x86_64 #1 SMP Mon Mar 9
15:10:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/fedora-release
Fedora release 21 (Twenty One)
Thanks
-John
7 years, 11 months
sddm cannot use unix_chkpwd and fails to log users in
by Andrej Podzimek
Hello!
This post is related to an already long thread I started on users@ -- https://lists.fedoraproject.org/pipermail/users/2015-December/467426.html However, I thought I'd better ask for a few debugging tips here as well. In a nutshell,
* text console login and startx work fine, so does KDE 5.
* when sddm is started from a root shell, users log in just fine.
* when sddm is started from systemd, it can't log users in.
There's something about the environment set up by systemd that sddm can't tolerate. And there are a few SELinux glitches in the logs. Here's an output from "journalctl -f" during an unsuccessful login attempt (sddm started by systemd): https://andrej.podzimek.org/loginjournal.txt It captures how sddm can't open the user's session for some reason, then it blips into a text console and back and restores its login console again.
With permissive mode or after setenforce 0, sddm just hangs with the password input field greyed out and stays that way forever. Which makes it unclear whether SELinux is indeed to blame here...
I've (of course) tried .autorelabel, a recursive restorecon on /home, new and empty user directories, setenforce 0, permissive mode etc., but that just doesn't help.
What's wrong here? Any ideas?
Cheers,
Andrej
7 years, 11 months
AVC for mdadm
by David Highley
Any idea what is causing these AVCs?
time->Wed Dec 16 03:27:02 2015
type=AVC msg=audit(1450265222.013:16754): avc: denied { read } for pid=10738 comm="mdadm" name="RstSataV-193dfefa-a445-4302-99d8-ef3aad1a04c6" dev="efivarfs" ino=1180 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
7 years, 11 months
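The two AVC records quoted in the acpid/amixer and mdadm posts above are the raw material that audit2allow works from. As an added example that is not from either poster, here is a small parser that turns such auditd lines into structured records, groups the denials by (source type, target type, object class) and renders the minimal allow rules covering them; the sample lines are the two records from the posts, re-joined onto one line each, and a third constructed line is used only in the usage note below.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the posts above,
# re-joined onto one line each, exactly as auditd writes them.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1450643943.351:1071): avc: denied { read } for '
    'pid=17124 comm="amixer" name="controlC0" dev="devtmpfs" ino=13431 '
    'scontext=system_u:system_r:apmd_t:s0 '
    'tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1450265222.013:16754): avc: denied { read } for '
    'pid=10738 comm="mdadm" name="RstSataV-193dfefa-a445-4302-99d8-ef3aad1a04c6" '
    'dev="efivarfs" ino=1180 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0',
]

# "avc: denied { perm perm } for <key=value fields>"
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; a value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one auditd AVC line into a dict; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    # permissive=0 means the access was actually blocked, not just logged
    rec["enforcing"] = rec.get("permissive") == "0"
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class) and merge the
    permissions, which is the aggregation audit2allow performs."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def allow_rules(lines):
    """Render the TE allow rules that cover exactly the observed denials."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summarize(lines).items())
    ]


if __name__ == "__main__":
    for rec in map(parse_avc, SAMPLE_AVCS):
        print(f"{rec['comm']}: {rec['stype']} -> {rec['ttype']} ({rec['tclass']}) "
              f"{rec['perms']} enforcing={rec['enforcing']}")
    print("\n".join(allow_rules(SAMPLE_AVCS)))
```

Running it prints `allow apmd_t sound_device_t:chr_file { read };` and `allow mdadm_t efivarfs_t:file { read };`, the same rules `audit2allow -M` would generate. Two caveats a reviewer of such a module would raise: the rule is only as narrow as the denials you have collected (a denial for `ioctl` or `open` on the same object merges into the same rule), and the absence of further AVC lines in enforcing mode does not prove the access is now allowed, because policy `dontaudit` rules suppress logging for some denials; `semodule -DB` rebuilds the policy with those rules disabled so that the hidden denials become visible, and `semodule -B` restores them.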
logrotate and unlabeled_t
by jason taylor
Hi All,
I am attempting to use logrotate to rotate a log file with the
unlabeled_t context; as it turns out, SELinux is not happy about this
and denies logrotate access to the log file.
What's the preferred method here to allow access? I used audit2allow
and installed the .pp but was reading some docs[0] and wanted to
double check my solution.
The points in the docs that I wanted to check on were "Missing TE
rules are usually caused by bugs in SELinux policy and should be
reported..." Should I report my particular instance as a bug?
"Modules created with audit2allow may allow more access than required.
It is recommended that policy created with audit2allow be posted to the
upstream SELinux list for review."
Thanks in advance!
JT
[0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
7 years, 11 months
SELinux and relocatable RPMs
by Marko Rauhamaa
When creating an SELinux policy to go with my package, I write a .fc
file. However, the .fc file format does not seem amenable to relocatable
RPMs.
Is there a recommendation for how to handle the relocation in policies?
I wouldn't like to mandate a dependency on selinux-policy-devel.
Marko
7 years, 12 months
Newbie question
by David Li
Hi,
I am about to start SELinux learning and development. I have a stock
CentOS 7.1 install and I am curious what's the difference between the
following two:
1. Enable SElinux and setenforce 1 on the stock install
vs.
2. Build a reference policy RPM and install it on the box. Then do
step 1 as above.
Are there any differences in terms of ref policy? Would step 1 also
have the ref policy enabled by default too?
Thanks.
David
7 years, 12 months
invalid security context, lpr_t
by Dr. Michael J. Chudobiak
Hi,
I've installed the Citrix Receiver rpm
(https://www.citrix.com/downloads/citrix-receiver/linux.html). The
citrix client runs, but doesn't see the local printers. The messages in
the audit log are not of the "normal" type, in my limited experience:
[root@daisy files]# audit2allow -a
libsepol.context_from_record: invalid security context:
"unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 to sid
libsepol.context_from_record: invalid security context:
"unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023"
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 to sid
It works fine in permissive mode.
Any pointers on how to fix this?
- Mike
7 years, 12 months
Re: Using interfaces with role statements fails to compile when used inside a tunable_policy block
by Douglas Brown
Hi,
It seems that if an interface has a role statement inside it, that interface can’t be used *inside* a tunable_policy block.
For example, the shutdown_run() interface causes this policy to fail compilation:
policy_module(test, 1.0.0)
require {
	type staff_t;
	role staff_r;
}
gen_tunable(staff_shutdown, false)
tunable_policy(`staff_shutdown', `
	shutdown_run(staff_t,staff_r)
')
This is the error given:
test.te":10:ERROR 'syntax error' at token 'role' on line 3360:
role staff_r types shutdown_t;
#line 10
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/test.mod] Error 1
If I manually put the rules that interface generates into the tunable_policy block but place the role statement outside, it compiles fine. The rpm_run() interface also fails to compile when inside a tunable_policy block (presumably for the same reason).
Thanks,
Doug
7 years, 12 months