Warren Togami wrote:
This is my first time running with selinux enforcement enabled and
this system has been apt upgraded from FC2test1 to latest rawhide, so
please forgive me that some of these will be duplicates and others may
be errors. Please let me know which are not duplicates, and if you
want me to bugzilla them.
To be clear, I did the following in order to ensure that my labels are
correct during runtime. I hope this was correct.
setenforce off
fixfiles relabel
setenforce 1
1) Infinite Loop of these messages when using "/sbin/ifup eth0" as
non-root user. This is allowed when enforcement is disabled. CTRL-C
is able to stop the looping.
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc:
denied { setuid } for pid=2463 exe=/bin/bash capability=7
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc:
denied { setuid } for pid=2463 exe=/usr/sbin/usernetctl capability=7
scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
tclass=capability
I am not sure how you set this up to work. I execute /sbin/ifup eth0
and I get
Users cannot control this device.
If we want to allow this we will need policy to allow it. Any want to
take a try at it?
2) "su -" from my non-root user caused this error. I was however
allowed to work as root.
Apr 5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user
root by warren(uid=500)
Apr 5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating
temporary file `/root/.xauthsDAz4e': Permission denied
Apr 5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc:
denied { write } for pid=12399 exe=/bin/su name=root dev=hda2
ino=1291809 scontext=user_u:user_r:user_su_t
tcontext=root:object_r:staff_home_dir_t tclass=dir
This should be fixed in latest policy 1.9.2-12
3) Then as root, I used "ifup eth0" which succeeded, but with the
following in /var/log/messages.
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:
denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:
denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop dhclient: can't create
/var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address
type 776
Apr 5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to
255.255.255.255 port 67 interval 4
Apr 5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to
255.255.255.255 port 67
Apr 5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: can't create
/var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal
in 356918 seconds.
Apr 5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc:
denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
Added policy to allow this, but not sure what it is trying to do. Could
you try it in non-enforcing mode and grab the avc messages.
4) GNOME mixer_applet2 is unable to reach the device. Strangely this
began failing in permissive mode too, but it works when selinux is
totally disabled and not loaded.
Apr 5 21:07:10 ibmlaptop kernel: audit(1081235230.797:0): avc:
denied { setattr } for pid=2435 exe=/usr/libexec/mixer_applet2
name=registry.xml dev=hda2 ino=1425367 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:var_t tclass=file
This needs more investigation if it fails in permissive mode.
5) This is vmware from the VMWare WS 4.5.1 service startup. The
issues are ... complicated, numerous, and scary looking.
Apr 5 21:06:08 ibmlaptop kernel: vmmon: module license 'unspecified'
taints kernel.
Apr 5 21:06:08 ibmlaptop kernel: vmnet: module license 'unspecified'
taints kernel.
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc:
denied { search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net
dev= ino=344 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc:
denied { search } for pid=1910 exe=/usr/bin/vmnet-netifup name=net
dev= ino=344 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc:
denied { node_bind } for pid=1931 exe=/usr/bin/vmnet-natd
scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc:
denied { create } for pid=1931 exe=/usr/bin/vmnet-natd
name=vmnat.1931 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:var_run_t tclass=sock_file
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium
DHCP Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997,
1998, 1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find
this software useful.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit
http://www.isc.org/dhcp-contrib.html
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium
DHCP Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997,
1998, 1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium
DHCP Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997,
1998, 1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.18.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find
this software useful.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address:
173.31.18.254
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit
http://www.isc.org/dhcp-contrib.html
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Recving on VNet/vmnet1/173.31.18.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:10 ibmlaptop vmnet-dhcpd: Sending on VNet/vmnet1/173.31.18.0
Apr 5 21:06:11 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.17.0
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address:
173.31.17.254
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Recving on VNet/vmnet8/173.31.17.0
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Sending on VNet/vmnet8/173.31.17.0
Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc:
denied { create } for pid=2253 exe=/usr/bin/vmware-nmbd
scontext=system_u:system_r:vmware_t
tcontext=system_u:system_r:vmware_t tclass=udp_socket
Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc:
denied { create } for pid=2253 exe=/usr/bin/vmware-nmbd
scontext=system_u:system_r:vmware_t
tcontext=system_u:system_r:vmware_t tclass=udp_socket
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.460:0): avc:
denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=urandom
dev=hda2 ino=1270748 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc: denied {
read } for pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2
ino=1963867 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:shadow_t tclass=file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc:
denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
scontext=system_u:system_r:vmware_t
tcontext=system_u:system_r:vmware_t tclass=capability
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc:
denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
scontext=system_u:system_r:vmware_t
tcontext=system_u:system_r:vmware_t tclass=capability
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.805:0): avc:
denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6
scontext=system_u:system_r:vmware_t
tcontext=system_u:system_r:vmware_t tclass=capability
Apr 5 21:06:16 ibmlaptop last message repeated 2 times
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc:
denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=printcap
dev=hda2 ino=1962265 scontext=system_u:system_r:vmware_t
tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc:
denied { create } for pid=2254 exe=/usr/bin/vmware-smbd
scontext=system_u:system_r:vmware_t
tcontext=system_u:system_r:vmware_t tclass=udp_socket
Apr 5 21:06:17 ibmlaptop kernel: audit(1081235177.041:0): avc: denied {
sys_resource } for pid=2254 exe=/usr/bin/vmware-smbd capability=24
scontext=system_u:system_r:vmware_t
tcontext=system_u:system_r:vmware_t tclass=capability
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
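Much of the back-and-forth in this thread is about reading raw `avc: denied` records out of /var/log/messages and deciding whether a policy rule should allow them. The script below is an added example, not part of the thread and not Fedora's own tooling (audit2allow does the real job). It parses a constructed sample in the same syslog shape as the report above, including two records run together on one line and a `{ read }` that wrapped across lines, collapses the denials into audit2allow-style `allow` rules keyed by (source type, target type, class), and flags denials against a constructed set of sensitive target types that must never be granted just because they were logged. The sample log, the `SENSITIVE_TYPES` set and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the syslog excerpts in the report above,
# including two records run together on one line (as happens when a log is
# pasted into a mail) and one record whose "{ read }" wrapped across lines.
SAMPLE_LOG = (
    "Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied { setuid } "
    "for pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t "
    "tcontext=user_u:user_r:user_t tclass=capability\n"
    "Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc: denied { setuid } "
    "for pid=2463 exe=/usr/sbin/usernetctl capability=7 scontext=user_u:user_r:user_t "
    "tcontext=user_u:user_r:user_t tclass=capability\n"
    "Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } "
    "for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 "
    "scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir\n"
    "Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.460:0): avc: denied { read } "
    "for pid=2254 exe=/usr/bin/vmware-smbd name=urandom dev=hda2 ino=1270748 "
    "scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:urandom_device_t "
    "tclass=chr_fileApr 5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc: denied {\n"
    "read } for pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2 ino=1963867 "
    "scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:shadow_t tclass=file\n"
)

# One AVC record. The pattern is applied to the whole text rather than line by
# line so that records fused onto one line are still found. Object class names
# are lowercase, so [a-z0-9_]+ stops at the capitalised month of a fused record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>[a-z0-9_]+)",
    re.S,
)
# key=value pairs between "for" and "scontext=" (pid, exe, name, dev, ino, capability)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per denial found in text, in log order."""
    records = []
    for m in AVC_RE.finditer(text):
        fields = dict(FIELD_RE.findall(m.group("fields")))
        records.append({
            "perms": tuple(m.group("perms").split()),
            "pid": fields.get("pid"),
            "exe": fields.get("exe"),
            "name": fields.get("name"),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def allow_rules(records):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for r in records:
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(ps))} }};")
    return rules


# Target types that should never be granted merely because a denial was logged.
# This set is constructed for the example, not taken from any shipped policy.
SENSITIVE_TYPES = {"shadow_t"}


def needs_review(records):
    """Denials a generated rule would silently allow but that a human must vet."""
    return [r for r in records if r["ttype"] in SENSITIVE_TYPES]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_LOG)
    for rule in allow_rules(recs):
        print(rule)
    for r in needs_review(recs):
        print(f"REVIEW: {r['exe']} (pid {r['pid']}) wanted {r['perms']} "
              f"on {r['ttype']}:{r['tclass']}")
```

Run against the sample it produces four candidate rules and one REVIEW line for the vmware-smbd read of shadow_t. The point of the REVIEW step is the one the thread keeps circling: a denial tells you what a domain tried, not whether it should be allowed, so rules generated this way are a starting point for the "not sure what it is trying to do" question, not something to load as-is.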