5:10 a.m.
Greetings fellow travellers.
Could someone please help me with the following errors:
*audit(1129788324.500:0): avc: denied { execute } for pid=3105
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc: denied { execute } for pid=3106
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.507:0): avc: denied { execute } for pid=3107
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.510:0): avc: denied { execute } for pid=3108
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.514:0): avc: denied { execute } for pid=3109
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.517:0): avc: denied { execute } for pid=3110
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.521:0): avc: denied { execute } for pid=3111
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.522:0): avc: denied { execute } for pid=3112
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.528:0): avc: denied { execute } for pid=3113
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.529:0): avc: denied { execute } for pid=3114
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file*
These errors are from dmesg, and occured after compiling and installing
squidclam from source.
Here is the output of selinuxconf:
[*root@shiva jay]# selinuxconfig
selinux state="enforcing"
policypath="/etc/selinux/targeted"
default_type_path="/etc/selinux/targeted/contexts/default_type"
default_context_path="/etc/selinux/targeted/contexts/default_contexts"
default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
binary_policy_path="/etc/selinux/targeted/policy/policy"
user_contexts_path="/etc/selinux/targeted/contexts/users/"
contexts_path="/etc/selinux/targeted/contexts"*
Output of uname -a:
*[root@shiva jay]# uname -a
Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686
i386 GNU/Linux*
Any help would be greatly appreciated.
God bless.
fedora-selinux-list-request(a)redhat.com wrote:
Send fedora-selinux-list mailing list submissions to
fedora-selinux-list(a)redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
fedora-selinux-list-request(a)redhat.com
You can reach the person managing the list at
fedora-selinux-list-owner(a)redhat.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."
Today's Topics:
1. Re: mailman cgi-bin denied search (Tim Fenn)
2. Preserving Context with tar (W. Scott wilburn)
3. Re: mailman cgi-bin denied search (Daniel J Walsh)
4. Re: Preserving Context with tar (Daniel J Walsh)
5. Re: mailman cgi-bin denied search (Tim Fenn)
6. Re: Preserving Context with tar (Stephen Smalley)
----------------------------------------------------------------------
Message: 1
Date: Wed, 19 Oct 2005 13:49:47 -0700
From: Tim Fenn <fenn(a)stanford.edu>
Subject: Re: mailman cgi-bin denied search
To: Daniel J Walsh <dwalsh(a)redhat.com>
Cc: fedora-selinux-list(a)redhat.com
Message-ID: <20051019204947.GC6466(a)stanford.edu>
Content-Type: text/plain; charset=us-ascii
On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>Tim Fenn wrote:
>
>
>>I recently installed mailman on my FC3 box (using the redhat based
>>RPMs), and it seems to be working just fine, except for the numerous
>>avc messages it cranks out whenever I run one of the cgi scripts
>>associated with mailman (e.g. via the web interface):
>>
>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>{ search } for pid=18761 comm="listinfo" name="run" dev=sda1
>>ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>u:object_r:var_run_t tclass=dir
>>
>>
>>
>Why would mailman listinfo be searching /var/log directory?
>
>
>
Well, I get the same errors with mailmanctl:
./mailmanctl status
yields no output, and the following errors:
Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
{ read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
ino=5 scontext=root:system_r:mailman_mail_t
tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
{ search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
ino=1294372 scontext=root:system_r:mailman_mail_t
tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
{ setgid } for pid=20837 comm="mailmanctl" capability=6
scontext=root:system_r:mailman_mail_t
tcontext=root:system_r:mailman_mail_t tclass=capability
However, if I comment out:
from Mailman.Logging.Syslog import syslog
in the mailmanctl script, all is well:
# ./mailmanctl status
mailman (pid 17677) is running...
and no error messages. I would assume the same is true with the
cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
Regards,
Tim
------------------------------
Message: 2
Date: Wed, 19 Oct 2005 15:56:06 -0600
From: "W. Scott wilburn" <wilburn(a)lanl.gov>
Subject: Preserving Context with tar
To: fedora-selinux-list(a)redhat.com
Message-ID: <20051019215606.GE4717(a)wilburn.lanl.gov>
Content-Type: text/plain; charset=us-ascii
Sorry to be asking such a simple question. Is it possible to preserve
file contexts using tar? I would have thought -p would do this, but
it appears no, atleast on RHEL4 and FC4.
The reason to do this is a use tar to install modified config files on
new machines. Having to relabel after doing this is somewhat slow.
Perhaps there is a better solution?
Thanks,
Scott Wilburn
------------------------------
Message: 3
Date: Wed, 19 Oct 2005 22:31:36 -0400
From: Daniel J Walsh <dwalsh(a)redhat.com>
Subject: Re: mailman cgi-bin denied search
To: Daniel J Walsh <dwalsh(a)redhat.com>, fedora-selinux-list(a)redhat.com
Message-ID: <43570188.5060201(a)redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Tim Fenn wrote:
>On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>
>
>
>>Tim Fenn wrote:
>>
>>
>>
>>>I recently installed mailman on my FC3 box (using the redhat based
>>>RPMs), and it seems to be working just fine, except for the numerous
>>>avc messages it cranks out whenever I run one of the cgi scripts
>>>associated with mailman (e.g. via the web interface):
>>>
>>>Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>{ search } for pid=18761 comm="listinfo" name="run"
dev=sda1
>>>ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>u:object_r:var_run_t tclass=dir
>>>
>>>
>>>
>>>
>>Why would mailman listinfo be searching /var/log directory?
>>
>>
>>
>>
>Well, I get the same errors with mailmanctl:
>
>./mailmanctl status
>
>yields no output, and the following errors:
>Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>{ read write } for pid=20837 comm="mailmanctl" name="3"
dev=devpts
>ino=5 scontext=root:system_r:mailman_mail_t
>tcontext=root:object_r:devpts_t tclass=chr_file
>Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>{ search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
>ino=1294372 scontext=root:system_r:mailman_mail_t
>tcontext=system_u:object_r:var_run_t tclass=dir
>Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>{ setgid } for pid=20837 comm="mailmanctl" capability=6
>scontext=root:system_r:mailman_mail_t
>tcontext=root:system_r:mailman_mail_t tclass=capability
>
>However, if I comment out:
>
>from Mailman.Logging.Syslog import syslog
>
>in the mailmanctl script, all is well:
>
># ./mailmanctl status
>mailman (pid 17677) is running...
>
>and no error messages. I would assume the same is true with the
>cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>
>Regards,
>Tim
>
>
>
Yes. submit a bug. Although generating these in FC4 would be far more
interesting. Also do these AVC messages cause problems or are they just
being reported. No output from the script is fixed in FC4.
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za
11:43 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
Jayendren Anand Maduray wrote:
Greetings fellow travellers.
I would start by trying something like
chcon -t bin_t *`which squidclamav`
Btw where does squidclamav reside?
*
Could someone please help me with the following errors:
*audit(1129788324.500:0): avc: denied { execute } for pid=3105
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc: denied { execute } for pid=3106
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.507:0): avc: denied { execute } for pid=3107
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.510:0): avc: denied { execute } for pid=3108
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.514:0): avc: denied { execute } for pid=3109
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.517:0): avc: denied { execute } for pid=3110
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.521:0): avc: denied { execute } for pid=3111
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.522:0): avc: denied { execute } for pid=3112
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.528:0): avc: denied { execute } for pid=3113
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.529:0): avc: denied { execute } for pid=3114
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file*
These errors are from dmesg, and occured after compiling and
installing squidclam from source.
Here is the output of selinuxconf:
[*root@shiva jay]# selinuxconfig
selinux state="enforcing"
policypath="/etc/selinux/targeted"
default_type_path="/etc/selinux/targeted/contexts/default_type"
default_context_path="/etc/selinux/targeted/contexts/default_contexts"
default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
binary_policy_path="/etc/selinux/targeted/policy/policy"
user_contexts_path="/etc/selinux/targeted/contexts/users/"
contexts_path="/etc/selinux/targeted/contexts"*
Output of uname -a:
*[root@shiva jay]# uname -a
Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686
i686 i386 GNU/Linux*
Any help would be greatly appreciated.
God bless.
fedora-selinux-list-request(a)redhat.com wrote:
> Send fedora-selinux-list mailing list submissions to
> fedora-selinux-list(a)redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> or, via email, send a message with subject or body 'help' to
> fedora-selinux-list-request(a)redhat.com
>
> You can reach the person managing the list at
> fedora-selinux-list-owner(a)redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of fedora-selinux-list digest..."
>
>
> Today's Topics:
>
> 1. Re: mailman cgi-bin denied search (Tim Fenn)
> 2. Preserving Context with tar (W. Scott wilburn)
> 3. Re: mailman cgi-bin denied search (Daniel J Walsh)
> 4. Re: Preserving Context with tar (Daniel J Walsh)
> 5. Re: mailman cgi-bin denied search (Tim Fenn)
> 6. Re: Preserving Context with tar (Stephen Smalley)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 19 Oct 2005 13:49:47 -0700
> From: Tim Fenn <fenn(a)stanford.edu>
> Subject: Re: mailman cgi-bin denied search
> To: Daniel J Walsh <dwalsh(a)redhat.com>
> Cc: fedora-selinux-list(a)redhat.com
> Message-ID: <20051019204947.GC6466(a)stanford.edu>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>
>> Tim Fenn wrote:
>>
>>> I recently installed mailman on my FC3 box (using the redhat based
>>> RPMs), and it seems to be working just fine, except for the numerous
>>> avc messages it cranks out whenever I run one of the cgi scripts
>>> associated with mailman (e.g. via the web interface):
>>>
>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>> { search } for pid=18761 comm="listinfo" name="run"
dev=sda1
>>> ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>> u:object_r:var_run_t tclass=dir
>>>
>>>
>> Why would mailman listinfo be searching /var/log directory?
>>
>>
>
> Well, I get the same errors with mailmanctl:
>
> ./mailmanctl status
>
> yields no output, and the following errors:
> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
> { read write } for pid=20837 comm="mailmanctl" name="3"
dev=devpts
> ino=5 scontext=root:system_r:mailman_mail_t
> tcontext=root:object_r:devpts_t tclass=chr_file
> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
> { search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
> ino=1294372 scontext=root:system_r:mailman_mail_t
> tcontext=system_u:object_r:var_run_t tclass=dir
> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
> { setgid } for pid=20837 comm="mailmanctl" capability=6
> scontext=root:system_r:mailman_mail_t
> tcontext=root:system_r:mailman_mail_t tclass=capability
>
> However, if I comment out:
>
> from Mailman.Logging.Syslog import syslog
>
> in the mailmanctl script, all is well:
>
> # ./mailmanctl status
> mailman (pid 17677) is running...
>
> and no error messages. I would assume the same is true with the
> cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>
> Regards,
> Tim
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 19 Oct 2005 15:56:06 -0600
> From: "W. Scott wilburn" <wilburn(a)lanl.gov>
> Subject: Preserving Context with tar
> To: fedora-selinux-list(a)redhat.com
> Message-ID: <20051019215606.GE4717(a)wilburn.lanl.gov>
> Content-Type: text/plain; charset=us-ascii
>
> Sorry to be asking such a simple question. Is it possible to preserve
> file contexts using tar? I would have thought -p would do this, but
> it appears no, atleast on RHEL4 and FC4.
>
> The reason to do this is a use tar to install modified config files on
> new machines. Having to relabel after doing this is somewhat slow.
> Perhaps there is a better solution?
>
> Thanks,
> Scott Wilburn
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 19 Oct 2005 22:31:36 -0400
> From: Daniel J Walsh <dwalsh(a)redhat.com>
> Subject: Re: mailman cgi-bin denied search
> To: Daniel J Walsh <dwalsh(a)redhat.com>, fedora-selinux-list(a)redhat.com
> Message-ID: <43570188.5060201(a)redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Tim Fenn wrote:
>
>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>
>>
>>> Tim Fenn wrote:
>>>
>>>
>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>> associated with mailman (e.g. via the web interface):
>>>>
>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>> { search } for pid=18761 comm="listinfo" name="run"
dev=sda1
>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>> u:object_r:var_run_t tclass=dir
>>>>
>>>>
>>>>
>>> Why would mailman listinfo be searching /var/log directory?
>>>
>>>
>>>
>> Well, I get the same errors with mailmanctl:
>>
>> ./mailmanctl status
>>
>> yields no output, and the following errors:
>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>> { read write } for pid=20837 comm="mailmanctl" name="3"
dev=devpts
>> ino=5 scontext=root:system_r:mailman_mail_t
>> tcontext=root:object_r:devpts_t tclass=chr_file
>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>> { search } for pid=20837 comm="mailmanctl" name="run"
dev=sda1
>> ino=1294372 scontext=root:system_r:mailman_mail_t
>> tcontext=system_u:object_r:var_run_t tclass=dir
>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>> { setgid } for pid=20837 comm="mailmanctl" capability=6
>> scontext=root:system_r:mailman_mail_t
>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>
>> However, if I comment out:
>>
>> from Mailman.Logging.Syslog import syslog
>>
>> in the mailmanctl script, all is well:
>>
>> # ./mailmanctl status
>> mailman (pid 17677) is running...
>>
>> and no error messages. I would assume the same is true with the
>> cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>>
>> Regards,
>> Tim
>>
>>
> Yes. submit a bug. Although generating these in FC4 would be far more
> interesting. Also do these AVC messages cause problems or are they just
> being reported. No output from the script is fixed in FC4.
>
>
>
>
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
1:24 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
Thank for your response, i really appreciate it.
Squid clam binary is located in:
/usr/local/squidclamav/bin
I isssue:
[root@shiva jay]# chcon -t bin_t *`which /usr/local/squidclamav/bin/`
and get error:
/usr/bin/which: no in (/usr/local/squidclamav/bin)
Then i try:
chcon -t bin_t *`/usr/local/squidclamav/bin/squidclamav`
SquidClamav running as UID 0: writing logs to stderr
Mon Oct 24 08:23:18 2005:Reading Patterns from config
/usr/local/squidclamav/etc/squidclamav.conf
Mon Oct 24 08:23:18 2005:SquidClamav (PID 4550) started
Does the original error mean the SELinux has not been configured to
allow squidclamav?
Last nite i ran a touch /.autorelabel
which relabelled my system, still the same problem. I have disabled
SELinux support for squid, so at least squid is working now.
God bless.
Daniel J Walsh wrote:
Jayendren Anand Maduray wrote:
> Greetings fellow travellers.
>
I would start by trying something like
chcon -t bin_t *`which squidclamav`
Btw where does squidclamav reside?
*
>
> Could someone please help me with the following errors:
>
> *audit(1129788324.500:0): avc: denied { execute } for pid=3105
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.501:0): avc: denied { execute } for pid=3106
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.507:0): avc: denied { execute } for pid=3107
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.510:0): avc: denied { execute } for pid=3108
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.514:0): avc: denied { execute } for pid=3109
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.517:0): avc: denied { execute } for pid=3110
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.521:0): avc: denied { execute } for pid=3111
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.522:0): avc: denied { execute } for pid=3112
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.528:0): avc: denied { execute } for pid=3113
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file
> audit(1129788324.529:0): avc: denied { execute } for pid=3114
> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
> scontext=user_u:system_r:squid_t t
> context=root:object_r:usr_t tclass=file*
>
>
> These errors are from dmesg, and occured after compiling and
> installing squidclam from source.
>
> Here is the output of selinuxconf:
>
> [*root@shiva jay]# selinuxconfig
> selinux state="enforcing"
> policypath="/etc/selinux/targeted"
> default_type_path="/etc/selinux/targeted/contexts/default_type"
> default_context_path="/etc/selinux/targeted/contexts/default_contexts"
>
default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
>
> binary_policy_path="/etc/selinux/targeted/policy/policy"
> user_contexts_path="/etc/selinux/targeted/contexts/users/"
> contexts_path="/etc/selinux/targeted/contexts"*
>
> Output of uname -a:
> *[root@shiva jay]# uname -a
> Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686
> i686 i386 GNU/Linux*
>
> Any help would be greatly appreciated.
>
> God bless.
>
>
> fedora-selinux-list-request(a)redhat.com wrote:
>
>> Send fedora-selinux-list mailing list submissions to
>> fedora-selinux-list(a)redhat.com
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> or, via email, send a message with subject or body 'help' to
>> fedora-selinux-list-request(a)redhat.com
>>
>> You can reach the person managing the list at
>> fedora-selinux-list-owner(a)redhat.com
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of fedora-selinux-list digest..."
>>
>>
>> Today's Topics:
>>
>> 1. Re: mailman cgi-bin denied search (Tim Fenn)
>> 2. Preserving Context with tar (W. Scott wilburn)
>> 3. Re: mailman cgi-bin denied search (Daniel J Walsh)
>> 4. Re: Preserving Context with tar (Daniel J Walsh)
>> 5. Re: mailman cgi-bin denied search (Tim Fenn)
>> 6. Re: Preserving Context with tar (Stephen Smalley)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 19 Oct 2005 13:49:47 -0700
>> From: Tim Fenn <fenn(a)stanford.edu>
>> Subject: Re: mailman cgi-bin denied search
>> To: Daniel J Walsh <dwalsh(a)redhat.com>
>> Cc: fedora-selinux-list(a)redhat.com
>> Message-ID: <20051019204947.GC6466(a)stanford.edu>
>> Content-Type: text/plain; charset=us-ascii
>>
>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>
>>
>>> Tim Fenn wrote:
>>>
>>>
>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>> associated with mailman (e.g. via the web interface):
>>>>
>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>> { search } for pid=18761 comm="listinfo" name="run"
dev=sda1
>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>> u:object_r:var_run_t tclass=dir
>>>>
>>>>
>>>
>>> Why would mailman listinfo be searching /var/log directory?
>>>
>>>
>>
>>
>> Well, I get the same errors with mailmanctl:
>>
>> ./mailmanctl status
>>
>> yields no output, and the following errors:
>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>> { read write } for pid=20837 comm="mailmanctl" name="3"
dev=devpts
>> ino=5 scontext=root:system_r:mailman_mail_t
>> tcontext=root:object_r:devpts_t tclass=chr_file
>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>> { search } for pid=20837 comm="mailmanctl" name="run"
dev=sda1
>> ino=1294372 scontext=root:system_r:mailman_mail_t
>> tcontext=system_u:object_r:var_run_t tclass=dir
>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>> { setgid } for pid=20837 comm="mailmanctl" capability=6
>> scontext=root:system_r:mailman_mail_t
>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>
>> However, if I comment out:
>>
>> from Mailman.Logging.Syslog import syslog
>>
>> in the mailmanctl script, all is well:
>>
>> # ./mailmanctl status
>> mailman (pid 17677) is running...
>>
>> and no error messages. I would assume the same is true with the
>> cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>>
>> Regards,
>> Tim
>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Wed, 19 Oct 2005 15:56:06 -0600
>> From: "W. Scott wilburn" <wilburn(a)lanl.gov>
>> Subject: Preserving Context with tar
>> To: fedora-selinux-list(a)redhat.com
>> Message-ID: <20051019215606.GE4717(a)wilburn.lanl.gov>
>> Content-Type: text/plain; charset=us-ascii
>>
>> Sorry to be asking such a simple question. Is it possible to
>> preserve file contexts using tar? I would have thought -p would do
>> this, but it appears no, atleast on RHEL4 and FC4.
>>
>> The reason to do this is a use tar to install modified config files
>> on new machines. Having to relabel after doing this is somewhat
>> slow. Perhaps there is a better solution?
>>
>> Thanks,
>> Scott Wilburn
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Wed, 19 Oct 2005 22:31:36 -0400
>> From: Daniel J Walsh <dwalsh(a)redhat.com>
>> Subject: Re: mailman cgi-bin denied search
>> To: Daniel J Walsh <dwalsh(a)redhat.com>, fedora-selinux-list(a)redhat.com
>> Message-ID: <43570188.5060201(a)redhat.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> Tim Fenn wrote:
>>
>>
>>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>>
>>>
>>>> Tim Fenn wrote:
>>>>
>>>>
>>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>>> associated with mailman (e.g. via the web interface):
>>>>>
>>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:
>>>>> denied
>>>>> { search } for pid=18761 comm="listinfo"
name="run" dev=sda1
>>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_
>>>>> u:object_r:var_run_t tclass=dir
>>>>>
>>>>>
>>>>
>>>> Why would mailman listinfo be searching /var/log directory?
>>>>
>>>>
>>>
>>> Well, I get the same errors with mailmanctl:
>>>
>>> ./mailmanctl status
>>>
>>> yields no output, and the following errors:
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>>> { read write } for pid=20837 comm="mailmanctl" name="3"
dev=devpts
>>> ino=5 scontext=root:system_r:mailman_mail_t
>>> tcontext=root:object_r:devpts_t tclass=chr_file
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>>> { search } for pid=20837 comm="mailmanctl" name="run"
dev=sda1
>>> ino=1294372 scontext=root:system_r:mailman_mail_t
>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>>> { setgid } for pid=20837 comm="mailmanctl" capability=6
>>> scontext=root:system_r:mailman_mail_t
>>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>>
>>> However, if I comment out:
>>>
>>> from Mailman.Logging.Syslog import syslog
>>>
>>> in the mailmanctl script, all is well:
>>>
>>> # ./mailmanctl status
>>> mailman (pid 17677) is running...
>>>
>>> and no error messages. I would assume the same is true with the
>>> cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>>>
>>> Regards,
>>> Tim
>>>
>>
>> Yes. submit a bug. Although generating these in FC4 would be far
>> more interesting. Also do these AVC messages cause problems or are
>> they just being reported. No output from the script is fixed in FC4.
>>
>>
>>
>>
>
>
> --
> Jayendren Anand Maduray
> Microsoft Certified Professional
> Network Plus
> IT Administrator
>
> Perinatal HIV Research Unit
> Old Potch Road
> Chris Hani Baragwanath Hospital
> Soweto
> South Africa
>
> Tel: +27 11 989 9776
> Tel: +27 11 989 9999
> Fax: +27 11 938 3973
> Cel: 082 22 774 94
>
> Alternate email address: jayendren(a)mweb.co.za
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za
9:12 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
Jayendren Anand Maduray wrote:
Thank for your response, i really appreciate it.
Squid clam binary is located in:
/usr/local/squidclamav/bin
I isssue:
[root@shiva jay]# chcon -t bin_t *`which /usr/local/squidclamav/bin/`
and get error:
Just enter
chcon -t bin_t /usr/local/squidclamav/bin/*
But the relabel should have done that for you.
ls -lZ /usr/local/squidclamav/bin
Should show files marked as bin_t. Now turn on squid (IE change the
boolean and restart the service).
What AVC messages are you seeing now?
Dan
No the
--
3:29 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
Thanks for you help, again!
Here is the output:
[root@shiva jay]# chcon -t bin_t /usr/local/squidclamav/bin/*
You have mail in /var/spool/mail/jay
[root@shiva jay]#
[root@shiva jay]# ls -lZ /usr/local/squidclamav/bin
-rwxr-xr-x root root system_u:object_r:bin_t squidclamav
I will reboot, and check the system as it starts up.
Currently, i use system-config-securitylevel to re-enable squid.
Which file can i edit to do this from the command line?
God bless.
Daniel J Walsh wrote:
Jayendren Anand Maduray wrote:
> Thank for your response, i really appreciate it.
>
> Squid clam binary is located in:
>
> /usr/local/squidclamav/bin
>
>
> I isssue:
>
> [root@shiva jay]# chcon -t bin_t *`which /usr/local/squidclamav/bin/`
>
> and get error:
Just enter
chcon -t bin_t /usr/local/squidclamav/bin/*
But the relabel should have done that for you.
ls -lZ /usr/local/squidclamav/bin
Should show files marked as bin_t. Now turn on squid (IE change the
boolean and restart the service).
What AVC messages are you seeing now?
Dan
No the
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za
9:55 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
Jayendren Anand Maduray wrote:
Thanks for you help, again!
Here is the output:
[root@shiva jay]# chcon -t bin_t /usr/local/squidclamav/bin/*
You have mail in /var/spool/mail/jay
[root@shiva jay]#
[root@shiva jay]# ls -lZ /usr/local/squidclamav/bin
-rwxr-xr-x root root system_u:object_r:bin_t
squidclamav
I will reboot, and check the system as it starts up.
Currently, i use system-config-securitylevel to re-enable squid.
Which file can i edit to do this from the command line?
setsebool and getsebool are
command line tools for manipulating booleans
setsebool -P squid_disable_trans=1
Enables SELinux enforcement and writes this to the defaults file
/etc/selinux/SELINUXTYPE/booleans.local
--
1:55 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
wow!
thanks.
SELinux rocks, still got a lot to learn though....
God bless.
Daniel J Walsh wrote:
Jayendren Anand Maduray wrote:
> Thanks for you help, again!
>
> Here is the output:
>
> [root@shiva jay]# chcon -t bin_t /usr/local/squidclamav/bin/*
> You have mail in /var/spool/mail/jay
> [root@shiva jay]#
> [root@shiva jay]# ls -lZ /usr/local/squidclamav/bin
> -rwxr-xr-x root root system_u:object_r:bin_t
> squidclamav
>
>
> I will reboot, and check the system as it starts up.
>
> Currently, i use system-config-securitylevel to re-enable squid.
>
> Which file can i edit to do this from the command line?
setsebool and getsebool are command line tools for manipulating booleans
setsebool -P squid_disable_trans=1
Enables SELinux enforcement and writes this to the defaults file
/etc/selinux/SELINUXTYPE/booleans.local
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za
1:20 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
Hi!
Just noticed more errors!
Here is the output:
audit(1130392269.590:0): avc: denied { append } for pid=3218
exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=hda8 ino=755115
scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t
tclass=file
audit(1130392269.590:0): avc: denied { append } for pid=3218
exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=hda8 ino=755115
scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t
tclass=file
audit(1130392270.019:0): avc: denied { getattr } for pid=3218
exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav dev=hda8
ino=185872 scontext=user_u:system_r:squid_t
tcontext=system_u:object_r:bin_t tclass=file
Also:
[root@shiva jay]# ls -lZ /var/log/squid/
-rw-r--r-- squid squid system_u:object_r:bin_t access.log
-rw-r--r-- squid squid system_u:object_r:bin_t cache.log
-rw-r--r-- squid squid system_u:object_r:bin_t squid.out
-rw-r--r-- squid squid system_u:object_r:bin_t store.log
[root@shiva jay]# service squid restart
Stopping squid: /etc/init.d/squid: line 82: 5108
Aborted $SQUID -k check >>/var/log/squid/squid.out 2>&1
[FAILED]
Starting squid: /etc/init.d/squid: line 53: 5109
Aborted $SQUID $SQUID_OPTS >>/var/log/squid/squid.out 2>&1
[FAILED]
Please note that i re-enabled SElinux for squid via
system-config-security in FC3.
Any help will be appreciated.
God bless.
Daniel J Walsh wrote:
Jayendren Anand Maduray wrote:
> Thanks for you help, again!
>
> Here is the output:
>
> [root@shiva jay]# chcon -t bin_t /usr/local/squidclamav/bin/*
> You have mail in /var/spool/mail/jay
> [root@shiva jay]#
> [root@shiva jay]# ls -lZ /usr/local/squidclamav/bin
> -rwxr-xr-x root root system_u:object_r:bin_t
> squidclamav
>
>
> I will reboot, and check the system as it starts up.
>
> Currently, i use system-config-securitylevel to re-enable squid.
>
> Which file can i edit to do this from the command line?
setsebool and getsebool are command line tools for manipulating booleans
setsebool -P squid_disable_trans=1
Enables SELinux enforcement and writes this to the defaults file
/etc/selinux/SELINUXTYPE/booleans.local
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za
8:31 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
Jayendren Anand Maduray wrote:
Hi!
Just noticed more errors!
Here is the output:
audit(1130392269.590:0): avc: denied { append } for pid=3218
exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=hda8 ino=755115
scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t
tclass=file
audit(1130392269.590:0): avc: denied { append } for pid=3218
exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=hda8 ino=755115
scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t
tclass=file
audit(1130392270.019:0): avc: denied { getattr } for pid=3218
exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav
dev=hda8 ino=185872 scontext=user_u:system_r:squid_t
tcontext=system_u:object_r:bin_t tclass=file
Looks like you labeled /var/log/squid
incorrectly. restorecon -R -v
/var/log
Also:
[root@shiva jay]# ls -lZ /var/log/squid/
-rw-r--r-- squid squid system_u:object_r:bin_t access.log
-rw-r--r-- squid squid system_u:object_r:bin_t cache.log
-rw-r--r-- squid squid system_u:object_r:bin_t squid.out
-rw-r--r-- squid squid system_u:object_r:bin_t store.log
[root@shiva jay]# service squid restart
Stopping squid: /etc/init.d/squid: line 82: 5108
Aborted $SQUID -k check >>/var/log/squid/squid.out 2>&1
[FAILED]
Starting squid: /etc/init.d/squid: line 53: 5109
Aborted $SQUID $SQUID_OPTS >>/var/log/squid/squid.out
2>&1
[FAILED]
Please note that i re-enabled SElinux for squid via
system-config-security in FC3.
Any help will be appreciated.
God bless.
Daniel J Walsh wrote:
> Jayendren Anand Maduray wrote:
>
>> Thanks for you help, again!
>>
>> Here is the output:
>>
>> [root@shiva jay]# chcon -t bin_t /usr/local/squidclamav/bin/*
>> You have mail in /var/spool/mail/jay
>> [root@shiva jay]#
>> [root@shiva jay]# ls -lZ /usr/local/squidclamav/bin
>> -rwxr-xr-x root root system_u:object_r:bin_t
>> squidclamav
>>
>>
>> I will reboot, and check the system as it starts up.
>>
>> Currently, i use system-config-securitylevel to re-enable squid.
>>
>> Which file can i edit to do this from the command line?
>
> setsebool and getsebool are command line tools for manipulating booleans
>
> setsebool -P squid_disable_trans=1
>
> Enables SELinux enforcement and writes this to the defaults file
>
> /etc/selinux/SELINUXTYPE/booleans.local
>
>
--
8:48 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
Hi!
The relabeling was done by touching a /.autorelabel
Followed advice, and ran:
[root@shiva music]# restorecon -R -v /var/log
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context
/var/log/samba/#######.log->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context
/var/log/Xorg.0.log.old->system_u:object_r:var_log_t
restorecon reset context /var/log/Xorg.0.log->system_u:object_r:var_log_t
restorecon reset context
/var/log/squid/store.log->system_u:object_r:squid_log_t
restorecon reset context
/var/log/squid/access.log->system_u:object_r:squid_log_t
restorecon reset context
/var/log/squid/cache.log->system_u:object_r:squid_log_t
restorecon reset context
/var/log/squid/squid.out->system_u:object_r:squid_log_t
restorecon reset context /var/log/gdm/:0.log->system_u:object_r:var_log_t
restorecon reset context /var/log/gdm/:0.log.3->system_u:object_r:var_log_t
restorecon reset context /var/log/gdm/:0.log.1->system_u:object_r:var_log_t
restorecon reset context /var/log/gdm/:0.log.2->system_u:object_r:var_log_t
restorecon reset context /var/log/gdm/:0.log.4->system_u:object_r:var_log_t
[root@shiva music]# ls -lZ /var/log/squid/
-rw-r--r-- squid squid system_u:object_r:squid_log_t access.log
-rw-r--r-- squid squid system_u:object_r:squid_log_t cache.log
-rw-r--r-- squid squid system_u:object_r:squid_log_t squid.out
-rw-r--r-- squid squid system_u:object_r:squid_log_t store.log
[root@shiva music]# service squid restart
Stopping squid: /etc/init.d/squid: line 82: 8548
Aborted $SQUID -k check >>/var/log/squid/squid.out 2>&1
[FAILED]
Starting squid: /etc/init.d/squid: line 53: 8549
Aborted $SQUID $SQUID_OPTS >>/var/log/squid/squid.out 2>&1
[FAILED]
[root@shiva music]# dmesg | tail
audit(1130420511.344:0): avc: denied { getattr } for pid=8548
exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav dev=hda8
ino=185872 scontext=root:system_r:squid_t
tcontext=system_u:object_r:bin_t tclass=file
audit(1130420511.595:0): avc: denied { getattr } for pid=8549
exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav dev=hda8
ino=185872 scontext=root:system_r:squid_t
tcontext=system_u:object_r:bin_t tclass=file
Some values were hashed out for obvious reasons.
Thanks again for your input. It is appreciated.
God bless.
Daniel J Walsh wrote:
Jayendren Anand Maduray wrote:
> Hi!
>
> Just noticed more errors!
>
> Here is the output:
>
> audit(1130392269.590:0): avc: denied { append } for pid=3218
> exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=hda8 ino=755115
> scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t
> tclass=file
> audit(1130392269.590:0): avc: denied { append } for pid=3218
> exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=hda8 ino=755115
> scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t
> tclass=file
> audit(1130392270.019:0): avc: denied { getattr } for pid=3218
> exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav
> dev=hda8 ino=185872 scontext=user_u:system_r:squid_t
> tcontext=system_u:object_r:bin_t tclass=file
Looks like you labeled /var/log/squid incorrectly. restorecon -R -v
/var/log
>
>
> Also:
>
> [root@shiva jay]# ls -lZ /var/log/squid/
> -rw-r--r-- squid squid system_u:object_r:bin_t
> access.log
> -rw-r--r-- squid squid system_u:object_r:bin_t cache.log
> -rw-r--r-- squid squid system_u:object_r:bin_t squid.out
> -rw-r--r-- squid squid system_u:object_r:bin_t store.log
>
> [root@shiva jay]# service squid restart
>
> Stopping squid: /etc/init.d/squid: line 82: 5108
> Aborted $SQUID -k check >>/var/log/squid/squid.out 2>&1
> [FAILED]
> Starting squid: /etc/init.d/squid: line 53: 5109
> Aborted $SQUID $SQUID_OPTS >>/var/log/squid/squid.out
> 2>&1
> [FAILED]
>
> Please note that i re-enabled SElinux for squid via
> system-config-security in FC3.
>
> Any help will be appreciated.
>
> God bless.
>
>
> Daniel J Walsh wrote:
>
>> Jayendren Anand Maduray wrote:
>>
>>> Thanks for you help, again!
>>>
>>> Here is the output:
>>>
>>> [root@shiva jay]# chcon -t bin_t /usr/local/squidclamav/bin/*
>>> You have mail in /var/spool/mail/jay
>>> [root@shiva jay]#
>>> [root@shiva jay]# ls -lZ /usr/local/squidclamav/bin
>>> -rwxr-xr-x root root system_u:object_r:bin_t
>>> squidclamav
>>>
>>>
>>> I will reboot, and check the system as it starts up.
>>>
>>> Currently, i use system-config-securitylevel to re-enable squid.
>>>
>>> Which file can i edit to do this from the command line?
>>
>>
>> setsebool and getsebool are command line tools for manipulating
>> booleans
>>
>> setsebool -P squid_disable_trans=1
>>
>> Enables SELinux enforcement and writes this to the defaults file
>>
>> /etc/selinux/SELINUXTYPE/booleans.local
>>
>>
>
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za
9:15 a.m.
New subject: fedora-selinux-list Digest, Vol 20, Issue 18
What version of policy are you using?
rpm -q selinux-policy-targeted
The avc you are reporting is allowed in current policy
grep -r squid_t.*bin_t policy.conf
allow squid_t { lib_t squid_exec_t bin_t sbin_t shell_exec_t } :file { {
read getattr lock execute ioctl } execute_no_trans };
--
1:53 a.m.
New subject: SquidClamAV - SElinux enabled
Good day, sir
version:
[root@shiva jay]# rpm -qi selinux-policy-targeted
Name : selinux-policy-targeted Relocations: /usr
Version : 1.17.30 Vendor: Red Hat, Inc.
Release : 2.19 Build Date: Mon 01 Nov 2004
23:36:23 SAST
Install Date: Thu 21 Apr 2005 20:05:09 SAST Build Host:
tweety.build.redhat.com
Group : System Environment/Base Source RPM:
selinux-policy-targeted-1.17.30-2.19.src.rpm
Size : 222858 License: GPL
Signature : DSA/SHA1, Tue 02 Nov 2004 18:06:52 SAST, Key ID
b44269d04f2a6fd2
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary : SELinux targeted policy configuration
This may sound dumb, but what is avc?
God bless.
Daniel J Walsh wrote:
What version of policy are you using?
rpm -q selinux-policy-targeted
The avc you are reporting is allowed in current policy
grep -r squid_t.*bin_t policy.conf
allow squid_t { lib_t squid_exec_t bin_t sbin_t shell_exec_t } :file {
{ read getattr lock execute ioctl } execute_no_trans };
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren(a)mweb.co.za
6754
days inactive
6761
days old
selinux@lists.fedoraproject.org
11 comments
2 participants
participants (2)
-
Daniel J Walsh -
Jayendren Anand Maduray