7:36 p.m.
I have a UPS that sends an SNMP trap when the main power goes out.
I wrote my snmptrapd.conf file to execute a script when the trap is
received. The script simply calls zenity to pop up a message.
Here's my problem. If I start snmptrapd from the command line
everything works beautifully but if I have the system start it at boot
time or via System->Administration->Services, the trap gets logged
in /var/log/messages but the zenity window doesn't get displayed and I
get these SELinux messages in /var/log/messages.
SELinux is preventing the zenity from using potentially mislabeled
files (XO)...
SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
<xserver_port_t>...
I've looked at the ouput of
# ps -ef | grep snmptrapd
and it is identical in both cases so I don't understand why one works
and the other doesn't. I tried
# cat /var/log/messages | audit2allow -m local
but that just produced a file that said:
module local 1.0;
and nothing else.
I'm running RHEL5.4 with SELinux in enforcing mode.
Any help would be appreciated.
Thanks,
Steve
3:11 a.m.
On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
I have a UPS that sends an SNMP trap when the main power goes out.
I wrote my snmptrapd.conf file to execute a script when the trap is
received. The script simply calls zenity to pop up a message.
Here's my problem. If I start snmptrapd from the command line
everything works beautifully but if I have the system start it at boot
time or via System->Administration->Services, the trap gets logged
Because when you start it manually it gets executed in the users environment which is
unrestricted/ unprotected in el5
in /var/log/messages but the zenity window doesn't get displayed
and I
get these SELinux messages in /var/log/messages.
SELinux is preventing the zenity from using potentially mislabeled
files (XO)...
SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
<xserver_port_t>...
I've looked at the ouput of
# ps -ef | grep snmptrapd
and it is identical in both cases so I don't understand why one works
and the other doesn't. I tried
# cat /var/log/messages | audit2allow -m local
The avc denial gets logged to /var/log/audit/audit.log:
ausearch -m avc -ts yesterday | grep snmpt_t | audit2allow -M mysnmp | semodule -i
mysnmp.pp
but that just produced a file that said:
module local 1.0;
and nothing else.
I'm running RHEL5.4 with SELinux in enforcing mode.
Any help would be appreciated.
Thanks,
Steve
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
8:25 p.m.
On Fri, 18 Dec 2009 10:11:53 +0100
Dominick Grift <domg472(a)gmail.com> wrote:
On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
> I have a UPS that sends an SNMP trap when the main power goes out.
> I wrote my snmptrapd.conf file to execute a script when the trap is
> received. The script simply calls zenity to pop up a message.
>
> Here's my problem. If I start snmptrapd from the command line
> everything works beautifully but if I have the system start it at
> boot time or via System->Administration->Services, the trap gets
> logged
Because when you start it manually it gets executed in the users
environment which is unrestricted/ unprotected in el5
OK, I see that now. I got a bit wrapped around the axel because
snmptrapd sometimes creates a file (I'm not quite sure
when) called /var/net-smpd/snmptrapd.conf and if I run
# /etc/rc.d/init.d/snmptrapd restart
as root it gets created with a snmpd_var_lib_t type but if I just
start snmptrapd from the command line as root it gets created with a
different type and then the system can't restart snmptrapd because it
doesn't have permission to write to that file. ... I think...
> in /var/log/messages but the zenity window doesn't get displayed
> and I get these SELinux messages in /var/log/messages.
>
> SELinux is preventing the zenity from using potentially mislabeled
> files (XO)...
>
> SELinux is preventing zenity (snmpd_t) "name_connect" to <Unknown>
> <xserver_port_t>...
>
> I've looked at the ouput of
>
> # ps -ef | grep snmptrapd
>
> and it is identical in both cases so I don't understand why one
> works and the other doesn't. I tried
>
> # cat /var/log/messages | audit2allow -m local
The avc denial gets logged to .:
ausearch -m avc -ts yesterday | grep snmpt_t | audit2allow -M mysnmp
| semodule -i mysnmp.pp
This was also confusing me because I had auditd turned off and so the
avc denials are supposed to go to /var/log/messages but it seems that
some still went to /var/log/audit/audit.log.
Anyhow running this command helped in that I don't get any more avc
denials logged but I still don't see my dialog popup. I'm going to try
this again starting with a clean log.
I have a few questions if you have the time to answer them.
I have been reading this:
http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index...
and this:
http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index...
which I found quite useful but they are way out of date. Is there
anything comparable that is current?
My understanding is that a .te is a policy configuration file, a text
file and that a .pp file is a policy package, a binary file. Does
the .te file get "compiled" into a .pp file and if so how does this
happen?
I read that the policy directory for Fedora systems is
/etc/security/selinux/src/policy
but neither the RHEL5.4 system at work nor my Fedora 11 system at home
has such a directory and the only .te file is in
/usr/share/selinux/devel.
Where is the accepted location to put .te files?
Is there a way to "see" what a .pp file is doing? A disassembly of
sorts. I'd like to look at some examples. There are plenty of .pp files
in /etc/selinux/targeted/modules/active/modules.
Thanks,
Steve
>
> but that just produced a file that said:
>
> module local 1.0;
>
> and nothing else.
>
> I'm running RHEL5.4 with SELinux in enforcing mode.
>
> Any help would be appreciated.
>
> Thanks,
> Steve
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
9:06 p.m.
On 21/12/09 02:25, Steve Blackwell wrote:
On Fri, 18 Dec 2009 10:11:53 +0100
Dominick Grift<domg472(a)gmail.com> wrote:
> On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
>
>> I have a UPS that sends an SNMP trap when the main power goes out.
>> I wrote my snmptrapd.conf file to execute a script when the trap is
>> received. The script simply calls zenity to pop up a message.
>>
>> Here's my problem. If I start snmptrapd from the command line
>> everything works beautifully but if I have the system start it at
>> boot time or via System->Administration->Services, the trap gets
>> logged
>>
> Because when you start it manually it gets executed in the users
> environment which is unrestricted/ unprotected in el5
>
OK, I see that now. I got a bit wrapped around the axel because
snmptrapd sometimes creates a file (I'm not quite sure
when) called /var/net-smpd/snmptrapd.conf and if I run
# /etc/rc.d/init.d/snmptrapd restart
as root it gets created with a snmpd_var_lib_t type but if I just
start snmptrapd from the command line as root it gets created with a
different type and then the system can't restart snmptrapd because it
doesn't have permission to write to that file. ... I think...
>
>> in /var/log/messages but the zenity window doesn't get displayed
>> and I get these SELinux messages in /var/log/messages.
>>
>> SELinux is preventing the zenity from using potentially mislabeled
>> files (XO)...
>>
>> SELinux is preventing zenity (snmpd_t) "name_connect"
to<Unknown>
>> <xserver_port_t>...
>>
>> I've looked at the ouput of
>>
>> # ps -ef | grep snmptrapd
>>
>> and it is identical in both cases so I don't understand why one
>> works and the other doesn't. I tried
>>
>> # cat /var/log/messages | audit2allow -m local
>>
> The avc denial gets logged to .:
>
> ausearch -m avc -ts yesterday | grep snmpt_t | audit2allow -M mysnmp
> | semodule -i mysnmp.pp
>
This was also confusing me because I had auditd turned off and so the
avc denials are supposed to go to /var/log/messages but it seems that
some still went to /var/log/audit/audit.log.
Anyhow running this command helped in that I don't get any more avc
denials logged but I still don't see my dialog popup. I'm going to try
this again starting with a clean log.
I have a few questions if you have the time to answer them.
I have been reading this:
http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index...
and this:
http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index...
which I found quite useful but they are way out of date. Is there
anything comparable that is current?
My understanding is that a .te is a policy configuration file, a text
file and that a .pp file is a policy package, a binary file. Does
the .te file get "compiled" into a .pp file and if so how does this
happen?
I read that the policy directory for Fedora systems is
/etc/security/selinux/src/policy
but neither the RHEL5.4 system at work nor my Fedora 11 system at home
has such a directory and the only .te file is in
/usr/share/selinux/devel.
Where is the accepted location to put .te files?
Is there a way to "see" what a .pp file is doing? A disassembly of
sorts. I'd like to look at some examples. There are plenty of .pp files
in /etc/selinux/targeted/modules/active/modules.
Thanks,
Steve
>> but that just produced a file that said:
>>
>> module local 1.0;
>>
>> and nothing else.
>>
>> I'm running RHEL5.4 with SELinux in enforcing mode.
>>
>> Any help would be appreciated.
>>
>> Thanks,
>> Steve
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Steve,
we have two selinux docs in the fedora docs at
http://docs.fedoraproject.org/
Also maybe Daniels Blog might be useful to you @
http://danwalsh.livejournal.com/
There are more, but I cant think of them at the moment. If you harass
fenris02 in #fedora, and ask him for the SElinux links,he has got a
script that
blahs them out.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Thawte Notary
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
10:36 p.m.
On Mon, 21 Dec 2009 03:06:55 +0000
Tristan Santore <tristan.santore(a)internexusconnect.net> wrote:
> I have been reading this:
> http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index...
> and this:
> http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index...
> which I found quite useful but they are way out of date. Is there
> anything comparable that is current?
Steve,
we have two selinux docs in the fedora docs at
http://docs.fedoraproject.org/
Also maybe Daniels Blog might be useful to you @
http://danwalsh.livejournal.com/
There are more, but I cant think of them at the moment. If you harass
fenris02 in #fedora, and ask him for the SElinux links,he has got a
script that
blahs them out.
Regards,
Tristan
Thanks, I'll check those out.
Steve
10:52 a.m.
On 12/20/2009 11:36 PM, Steve Blackwell wrote:
On Mon, 21 Dec 2009 03:06:55 +0000
Tristan Santore <tristan.santore(a)internexusconnect.net> wrote:
>
>> I have been reading this:
>> http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index...
>> and this:
>> http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index...
>> which I found quite useful but they are way out of date. Is there
>> anything comparable that is current?
> Steve,
> we have two selinux docs in the fedora docs at
> http://docs.fedoraproject.org/
> Also maybe Daniels Blog might be useful to you @
> http://danwalsh.livejournal.com/
>
> There are more, but I cant think of them at the moment. If you harass
> fenris02 in #fedora, and ask him for the SElinux links,he has got a
> script that
> blahs them out.
>
> Regards,
> Tristan
>
Thanks, I'll check those out.
Steve
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Steve are you all set now, or do you still need help?
3:32 a.m.
On Sun, Dec 20, 2009 at 09:25:58PM -0500, Steve Blackwell wrote:
On Fri, 18 Dec 2009 10:11:53 +0100
Dominick Grift <domg472(a)gmail.com> wrote:
> On Thu, Dec 17, 2009 at 08:36:00PM -0500, Steve Blackwell wrote:
> > I have a UPS that sends an SNMP trap when the main power goes out.
> > I wrote my snmptrapd.conf file to execute a script when the trap is
> > received. The script simply calls zenity to pop up a message.
> >
> > Here's my problem. If I start snmptrapd from the command line
> > everything works beautifully but if I have the system start it at
> > boot time or via System->Administration->Services, the trap gets
> > logged
>
> Because when you start it manually it gets executed in the users
> environment which is unrestricted/ unprotected in el5
OK, I see that now. I got a bit wrapped around the axel because
snmptrapd sometimes creates a file (I'm not quite sure
when) called /var/net-smpd/snmptrapd.conf and if I run
# /etc/rc.d/init.d/snmptrapd restart
as root it gets created with a snmpd_var_lib_t type but if I just
start snmptrapd from the command line as root it gets created with a
different type and then the system can't restart snmptrapd because it
doesn't have permission to write to that file. ... I think...
>
> > in /var/log/messages but the zenity window doesn't get displayed
> > and I get these SELinux messages in /var/log/messages.
> >
> > SELinux is preventing the zenity from using potentially mislabeled
> > files (XO)...
> >
> > SELinux is preventing zenity (snmpd_t) "name_connect" to
<Unknown>
> > <xserver_port_t>...
> >
> > I've looked at the ouput of
> >
> > # ps -ef | grep snmptrapd
> >
> > and it is identical in both cases so I don't understand why one
> > works and the other doesn't. I tried
> >
> > # cat /var/log/messages | audit2allow -m local
>
> The avc denial gets logged to .:
>
> ausearch -m avc -ts yesterday | grep snmpt_t | audit2allow -M mysnmp
> | semodule -i mysnmp.pp
This was also confusing me because I had auditd turned off and so the
avc denials are supposed to go to /var/log/messages but it seems that
some still went to /var/log/audit/audit.log.
Anyhow running this command helped in that I don't get any more avc
denials logged but I still don't see my dialog popup. I'm going to try
this again starting with a clean log.
I have a few questions if you have the time to answer them.
I have been reading this:
http://www.linuxtopia.org/online_books/getting_started_with_SELinux/index...
and this:
http://www.linuxtopia.org/online_books/writing_SELinux_policy_guide/index...
which I found quite useful but they are way out of date. Is there
anything comparable that is current?
I recently wrote a bit about the policy structure in Fedora 12 , that also applies to 11
and to some degree el5.
its here:
http://82.197.205.60/~dgrift/stuff/Managing_a_SELinux_environment_with_Fe...
its not detailed though.
My understanding is that a .te is a policy configuration file, a text
file and that a .pp file is a policy package, a binary file. Does
the .te file get "compiled" into a .pp file and if so how does this
happen?
the .te , .fc and .if files make a complete source policy module. yes. A binary
representation of this (.pp) is what gets loaded "into the kernel"
This is done via the checkmodule and semodule_package commands. We usually use the
installed /usr/share/selinux/devel/Makefile to do this (requires selinux-policy-devel on
el5)
I read that the policy directory for Fedora systems is
/etc/security/selinux/src/policy
but neither the RHEL5.4 system at work nor my Fedora 11 system at home
I think that is old (el4/fc4/5?)
has such a directory and the only .te file is in
/usr/share/selinux/devel.
Where is the accepted location to put .te files?
.te files is source policy. It should not get installed. The only source policy file that
can get installed is the .if source policy file. This file is kind of like a header file.
It has shared policy that can be used by other modules to interact with that modules'
type.
Is there a way to "see" what a .pp file is doing? A
disassembly of
sorts. I'd like to look at some examples. There are plenty of .pp files
in /etc/selinux/targeted/modules/active/modules.
The is not pp disassembler but the sesearch command can be used to query the installed
policy. (part of setools)
Thanks,
Steve
> >
> > but that just produced a file that said:
> >
> > module local 1.0;
> >
> > and nothing else.
> >
> > I'm running RHEL5.4 with SELinux in enforcing mode.
> >
> > Any help would be appreciated.
> >
> > Thanks,
> > Steve
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
3:48 a.m.
Steve Blackwell wrote:
SELinux is preventing zenity (snmpd_t) "name_connect" to
<Unknown>
<xserver_port_t>...
I've looked at the ouput of
# ps -ef | grep snmptrapd
and it is identical in both cases so I don't understand why one works
and the other doesn't. I tried
# ps -Zef | grep snmptrapd
should show you the context of the running process.
Moray.
"To err is human. To purr, feline"
5248
days inactive
5251
days old
selinux@lists.fedoraproject.org
7 comments
5 participants
participants (5)
-
Daniel J Walsh -
Dominick Grift -
Moray Henderson -
Steve Blackwell -
Tristan Santore