selinux December 2015

selinux@lists.fedoraproject.org

12 participants
14 discussions

Re: RHEL 7 consoletype_exec interface issue
by Douglas Brown 27 Mar '17

27 Mar '17

Hi, In RHEL 7 when using the userdom_unpriv_user_template interface to create a new role, it in turn uses the consoletype_exec interface; but when I attempt to insert a policy compiled with this, it says the type consoletype_exec_t doesn’t exist. N.B. This works on RHEL 6. Thanks, Doug

3 2

Problems with enigmail, gnupg2, and thunderbird.
by Jean-David Beyer 30 Dec '15

30 Dec '15

I have all these programs: enigmail 1.8.2 , thunderbird-38.4.0-1.el6_7.x86_64 , and gnupg2-2.0.14-8.el6.x86_64 . They all sort-of work. If I start up thunderbird and want to compose a message, I can do that. If I say I want to sign or encrypt it, I can sort of do that too. A pinentry dialog box comes up, and I enter my passphrase, and it works. Similarly for reading signed or encrypted messages. But I get the pinentry dialog box _every time_, and I did not used to with the 1.4 (I think it was ) versions of these programs. I have googled and stuff, and nothing I find seems to apply to RHEL systems. They have me enter stuff into .profile, and I have no such file. They want me to put stuff into .xsession, .bashrc, and .bash_profile. They all do stuff. But not useable. I assume this is a configuration problem. But where do I find the _authoritative documentation_ on how to configure these programs to work together. Some advice talks about a gnome keyring. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jersey http://linuxcounter.net ^^-^^ 10:20:01 up 5 days, 10:53, 2 users, load average: 5.04, 4.69, 4.57

1 0

acpid cannot run 'amixer' due to SELinux issue?
by John W 24 Dec '15

24 Dec '15

Hello, I'm trying to control the system volume on my laptop using the special volume keys on the keyboard. Pressing the keys generates acpi events, so I am using acpid to handle them. I have a script at /etc/acpid/actions that runs, no problem. However, the script does not work when run via the acpid daemon. In particular the "amixer" command it uses to alter the volume fails. It works fine when run manually, and fine when run as root. I suspect SELinux because: 1) Running 'setenforce 0' causes it to start working 2) I see denials in the audit.log: type=AVC msg=audit(1450643943.351:1071): avc: denied { read } for pid=17124 comm="amixer" name="controlC0" dev="devtmpfs" ino=13431 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=0 First question: Should I be opening a bug report about this? This page indicates maybe so: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/ht… Now, I have gone ahead trying to get this working using audit2allow. Indeed, I have created a policy package, with these bits: allow apmd_t sound_device_t:chr_file ioctl; allow apmd_t sound_device_t:chr_file { read open }; I installed the .pp file with "semodule -i", and it shows up in "semodule -l". Now, no audit.log entries are produced. But it still doesn't work! It *does* work when I use "setenforce 0", but apparently my custom policy package, while it does silence the audit log, does not fix the issue. So, my second question: What else could be going on? Wouldn't any denials show up in the log? I would like to solve this in a focused way, rather than turning off SELinux entirely, but currently that seems to be the only thing that works, and I can't see how to proceed... My system info, if you want: $ uname -a Linux biglap.home.lan 3.18.9-200.fc21.x86_64 #1 SMP Mon Mar 9 15:10:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux $ cat /etc/fedora-release Fedora release 21 (Twenty One) Thanks -John

3 6

sddm cannot use unix_chkpwd and fails to log users in
by Andrej Podzimek 21 Dec '15

21 Dec '15

Hello! This post is related to an already long thread I started on users@ -- https://lists.fedoraproject.org/pipermail/users/2015-December/467426.html However, I thought I'd better ask for a few debugging tips here as well. In a nutshell, * text console login and startx work fine, so does KDE 5. * when sddm is started from a root shell, users log in just fine. * when sddm is started from systemd, it can't log users in. There's something about the environment set up by systemd that sddm can't tolerate. And there are a few SELinux glitches in the logs. Here's an output from "journalctl -f" during an unsuccessful login attempt (sddm started by systemd): https://andrej.podzimek.org/loginjournal.txt It captures how sddm can't open the user's session for some reason, then it blips into a text console and back and restores its login console again. With permissive mode or after setenforce 0, sddm just hangs with the password input field greyed out and stays that way forever. Which makes it unclear whether SELinux is indeed to blame here... I've (of course) tried .autorelabel, a recursive restorecon on /home, new and empty user directories, setenforce 0, permissive mode etc., but that just doesn't help. What's wrong here? Any ideas? Cheers, Andrej

1 1

AVC for mdadm
by David Highley 17 Dec '15

17 Dec '15

Any idea what is causing these AVCs? time->Wed Dec 16 03:27:02 2015 type=AVC msg=audit(1450265222.013:16754): avc: denied { read } for pid=10738 comm="mdadm" name="RstSataV-193dfefa-a445-4302-99d8-ef3aad1a04c6" dev="efivarfs" ino=1180 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

2 3

logrotate and unlabeled_t
by jason taylor 15 Dec '15

15 Dec '15

Hi All, I am attempting to use logrotate to rotate a log file with the unlabeled_t context, as it turns out SELinux is not happy about this and denies logrotate access to the log file. What's the preferred method here to allow access? I used audit2allow and installed the .pp but but was reading some docs[0] and wanted to double check my solution. The points in the docs were that I wanted to check on were "Missing TE rules are usually caused by bugs in SELinux policy and should be reports.." Should I report my particular instance as a bug? "Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to the upstream SELinux list for review." Thanks in advance! JT [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Li nux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security- Enhanced_Linux-Troubleshooting-Fixing_Problems.html

4 6

SELinux and relocatable RPMs
by Marko Rauhamaa 08 Dec '15

08 Dec '15

When creating an SELinux policy to go with my package, I write a .fc file. However, the .fc file format does not seem amenable to relocatable RPMs. Is there a recommendation for how to handle the relocation in policies? I wouldn't like to mandate a dependency on selinux-policy-devel. Marko

3 4

Newbie question
by David Li 08 Dec '15

08 Dec '15

Hi, I am about to start SELinux learning and development. I have a stock Cento 7.1 install and I am curious what''s difference between the following two: 1. Enable SElinux and setenforce 1 on the stock install vs. 2. Build a reference policy RPM and install it on the box. Then do step 1 as above. Are there any differences in terms of ref policy? Would step 1 also have the ref policy enabled by default too? Thanks. David

3 2

invalid security context, lpr_t
by Dr. Michael J. Chudobiak 08 Dec '15

08 Dec '15

Hi, I've installed the Citrix Receiver rpm (https://www.citrix.com/downloads/citrix-receiver/linux.html) The citrix client runs, but doesn't see the local printers. The messages in the audit log are not of the "normal" type, in my limited experience: [root@daisy files]# audit2allow -a libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023" libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 to sid libsepol.context_from_record: invalid security context: "unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023" libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 to sid It works fine in permissive mode. Any pointers on how to fix this? - Mike

3 3

Re: Using interfaces with role statements fails to compile when used inside a tunable_policy block
by Douglas Brown 08 Dec '15

08 Dec '15

Hi, It seems that if an interface has a role statement inside it, that interface can’t be used *inside* a tunable_policy block. For example, the shutdown_run() interface causes this policy to fail compilation: policy_module(test, 1.0.0) require { type staff_t; role staff_r; } gen_tunable(staff_shutdown, false) tunable_policy(`staff_shutdown', ` shutdown_run(staff_t,staff_r) ') This is the error given: test.te":10:ERROR 'syntax error' at token 'role' on line 3360: role staff_r types shutdown_t; #line 10 /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/test.mod] Error 1 If I manually put the rules that interface generates into the tunable_policy block but place the role statement outside, it compiles fine. The rpm_run() interface also fails to compile when inside a tunable_policy block (presumably for the same reason). Thanks, Doug

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux December 2015