Help
-----Original Message-----
From: fedora-selinux-list-request(a)redhat.com
To: fedora-selinux-list(a)redhat.com
Sent: 5/20/06 12:00 PM
Subject: fedora-selinux-list Digest, Vol 27, Issue 19
Send fedora-selinux-list mailing list submissions to
fedora-selinux-list(a)redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
fedora-selinux-list-request(a)redhat.com
You can reach the person managing the list at
fedora-selinux-list-owner(a)redhat.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."
Today's Topics:
1. printer AVCs.... (Tom London)
2. Re: need help for local.te (Hongwei Li)
3. Re: need help for local.te (Kayvan A. Sylvan)
4. Re: need help for local.te (Hongwei Li)
5. Re: selinux prelink avc's (dragoran)
6. Trusted Solaris over SELinux (Justin Conover)
7. Re: Trusted Solaris over SELinux (Andy Green)
8. Re: Trusted Solaris over SELinux (Martin Ebourne)
9. Re: Trusted Solaris over SELinux (Justin Conover)
10. Re: Trusted Solaris over SELinux (Andy Green)
----------------------------------------------------------------------
Message: 1
Date: Fri, 19 May 2006 09:02:35 -0700
From: "Tom London" <selinux(a)gmail.com>
Subject: printer AVCs....
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Message-ID:
<4c4ba1530605190902q5c981798m31d36366654f159(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Running latest Rawhide, targeted/enforcing.
I get the following when 'deactivating/activating' a USB printer (and
printing fails):
type=AVC msg=audit(1148052935.119:30): avc: denied { create } for
pid=1902 comm="python" scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148052935.119:30): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bffa4878 a2=49ebaff4 a3=bffa4e69 items=0
pid=1902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0
type=SOCKETCALL msg=audit(1148052935.119:30): nargs=3 a0=10 a1=3 a2=0
type=USER_AVC msg=audit(1148053114.333:32): user pid=1735 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)'
The following messages were in /var/log/messages:
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc: denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc: denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=QueueChanged
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc: denied { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobStartedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:35 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623
May 19 08:35:35 localhost hpiod: unable to Device::Open
hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 io/hpiod/device.cpp 862
May 19 08:35:35 localhost hp_LaserJet_1300?serial=00CNCB954325: INFO:
open device failed; will retry in 30 seconds...
May 19 08:36:05 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623
tom
--
Tom London
------------------------------
Message: 2
Date: Fri, 19 May 2006 12:13:15 -0500 (CDT)
From: "Hongwei Li" <hongwei(a)wustl.edu>
Subject: Re: need help for local.te
To: fedora-selinux-list(a)redhat.com
Message-ID:
<1866.128.252.85.103.1148058795.squirrel(a)morpheus.wustl.edu>
Content-Type: text/plain;charset=iso-8859-1
> On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
> > Hi,
> >
> > I need help about local.te. My system:
> >
> > kernel: 2.6.16-1.2111_FC5smp
> > selinux-policy-targeted: 2.2.38-1.fc5
> > audit: 1.1.5-1
> > sendmail: 8.13.6-0.FC5.1
> > squirrelmail: 1.4.6-5.fc5
> >
> > When I try to create an email folder in squirrelmail, I got Error. So, I run
> > the following to create my local.te and add my module. Here are what I run
> > and get:
> >
> > # audit2allow -M local < /var/log/audit/audit.log
> > Generating type enforcment file: local.te
> > Compiling policy
> > checkmodule -M -m -o local.mod local.te
> > semodule_package -o local.pp -m local.mod
> >
> > ******************** IMPORTANT ***********************
> >
> > In order to load this newly created policy package into the kernel,
> > you are required to execute
> >
> > semodule -i local.pp
> >
> > # ls -l
> > total 40
> > -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
> > -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
> > -rw-r--r-- 1 root root 733 May 19 09:46 local.te
> >
> > # semodule -i local.pp
> > libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
> > libsepol.check_assertions: 1 assertion violations occured
> > libsemanage.semanage_expand_sandbox: Expand module failed
> > semodule: Failed!
> >
> > How to solve the problem?
> >
> > Thanks!
> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy. Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
> --
> Stephen Smalley
> National Security Agency
The problem is I need to redo local.te from time to time, and whenever I
run (after rebooting)
# audit2allow -M local < /var/log/audit/audit.log
the line
allow httpd_t shadow_t:file { getattr read write };
is automatically added to local.te -- this time, it added more, not just read.
I believe that this is because I need to run the change_password plugin in
squirrelmail. It was not a problem in fc4 selinux -- I ran audit2allow to add an
entry into local.te and ran make load, then everything was working. But, in
fc5, it is a problem. If I remove that line, then whenever I run the above
command, it is automatically added.
How to fix the problem?
Thanks!
Hongwei
------------------------------
Message: 3
Date: Fri, 19 May 2006 18:30:37 -0700
From: "Kayvan A. Sylvan" <kayvan(a)sylvan.com>
Subject: Re: need help for local.te
To: Hongwei Li <hongwei(a)wustl.edu>
Cc: fedora-selinux-list(a)redhat.com
Message-ID: <20060520013037.GD2422(a)satyr.sylvan.com>
Content-Type: text/plain; charset=us-ascii
On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
> The problem is I need to re-do for local.te from time to time, and whenever I
> run (after rebooting)
> # audit2allow -M local < /var/log/audit/audit.log
> the line
> allow httpd_t shadow_t:file { getattr read write };
> is automatically added to local.te -- [...]
> How to fix the problem?
How about something like this?
audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
------------------------------
Message: 4
Date: Fri, 19 May 2006 22:16:44 -0500 (CDT)
From: "Hongwei Li" <hongwei(a)wustl.edu>
Subject: Re: need help for local.te
To: fedora-selinux-list(a)redhat.com
Message-ID:
<1808.70.230.152.93.1148095004.squirrel(a)morpheus.wustl.edu>
Content-Type: text/plain;charset=iso-8859-1
> On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
> >
> > The problem is I need to re-do for local.te from time to time, and whenever I
> > run (after rebooting)
> > # audit2allow -M local < /var/log/audit/audit.log
> > the line
> >
> > allow httpd_t shadow_t:file { getattr read write };
> >
> > is automatically added to local.te -- [...]
> > How to fix the problem?
> How about something like this?
> audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
> --
> Kayvan A. Sylvan | Proud husband of | Father to my kids:
> Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
I did and got:
# audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
(unknown source)::ERROR 'unknown type dovecot_auth_t' at token ';' on line 33:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule: error(s) encountered while parsing configuration
I manually edited local.te to add the line
type dovecot_auth_t;
and ran it again, then got
# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
(unknown source)::ERROR 'unknown type initrc_var_run_t' at token ';' on line 34:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule: error(s) encountered while parsing configuration
Line 34 is:
allow dovecot_auth_t initrc_var_run_t:file { read write };
What to do next? Thanks!
Hongwei
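An added example, not code from this thread and not audit2allow itself: a small Python script that does in one place what the three messages above are doing by hand. It parses kernel AVC records (the sample lines are constructed, modelled on the records quoted in this digest), groups the denials into allow rules the way audit2allow does, keeps any rule that would violate a base-policy assertion out of the module instead of writing it to local.te, and emits the `require { ... }` block that a loadable module needs for every type and class it references but does not declare. The ASSERTIONS set is an assumption that lists only the one neverallow this thread runs into; the real base policy has many more.

```python
"""Minimal audit2allow-style rule generator for AVC denial records.

Added example, not part of the list thread or of the audit2allow tool.
It shows: grouping denials into allow rules, refusing to emit a rule that
violates a base-policy assertion (httpd_t reading shadow_t), and emitting
the require block a loadable module needs for types it does not declare.
"""
import re
from collections import defaultdict

# Constructed sample records, modelled on the records quoted in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1148052935.119:30): avc: denied { create } for pid=1902 comm="python" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148052935.119:30): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1148058000.001:40): avc: denied { read } for pid=2100 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058000.002:41): avc: denied { getattr } for pid=2100 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058001.000:42): avc: denied { search } for pid=2200 comm="procmail" name="tmp" dev=sda2 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1148058001.100:43): avc: denied { write } for pid=2200 comm="procmail" name="tmp" dev=sda2 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1148058002.000:44): avc: denied { read write } for pid=2300 comm="dovecot-auth" name="dovecot.pid" dev=sda2 ino=999 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
"""

# Matches the denial part of a kernel AVC record: permissions, source and
# target security contexts, and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# (source type, target type, class) triples the base policy forbids by
# assertion (neverallow).  Assumption: only the one the thread hits is
# listed; the real base policy carries many more.
ASSERTIONS = {("httpd_t", "shadow_t", "file")}


def type_of(context):
    """Extract the type field from a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, class, perms) for each AVC record."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        yield (type_of(m["scontext"]), type_of(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def build_rules(log_text):
    """Group denials into allow rules.

    Returns (rules, rejected): both map (src, tgt, class) -> permission set;
    rejected holds the rules that would violate a known assertion.
    """
    grouped = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        grouped[(src, tgt, cls)] |= perms
    rules, rejected = {}, {}
    for key, perms in grouped.items():
        (rejected if key in ASSERTIONS else rules)[key] = perms
    return rules, rejected


def render_module(name, rules):
    """Render a local.te, including the require block the module needs."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt  # audit2allow's convention
        lines.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules, rejected = build_rules(SAMPLE_AUDIT_LOG)
    for key, perms in rejected.items():
        print(f"# skipped (violates base-policy assertion): {key} {sorted(perms)}")
    print(render_module("local", rules))
```

The rendered text is what would go into local.te before the checkmodule / semodule_package / semodule steps shown earlier in the thread; because the require block names every type the rules use, checkmodule has no undeclared types to complain about, and because the httpd_t/shadow_t rule is dropped at generation time rather than edited out afterwards, regenerating the module from a fresh audit log does not bring it back.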
------------------------------
Message: 5
Date: Sat, 20 May 2006 13:18:35 +0200
From: dragoran <dragoran(a)feuerpokemon.de>
Subject: Re: selinux prelink avc's
To: dragoran <dragoran(a)feuerpokemon.de>
Cc: fedora-selinux-list(a)redhat.com
Message-ID: <446EFB0B.8030508(a)feuerpokemon.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
dragoran wrote:
> audit(1147793154.831:353): avc: denied { execute_no_trans } for
> pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793154.831:354): avc: denied { execute_no_trans } for
> pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.019:355): avc: denied { execute_no_trans } for
> pid=5197 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.447:356): avc: denied { execute_no_trans } for
> pid=5198 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793156.255:357): avc: denied { execute_no_trans } for
> pid=5199 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> I am using FC5 with selinux-policy-targeted-2.2.36-2.fc5
> What's going on? Is a file mislabeled or is this a policy bug?
hello?
any solution for this problem?
------------------------------
Message: 6
Date: Sat, 20 May 2006 08:22:57 -0500
From: "Justin Conover" <justin.conover(a)gmail.com>
Subject: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Message-ID:
<a36b7e2a0605200622v54259deale2e30cb73f6f7ab6(a)mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_tr...
I thought this was interesting. Yeah, I use Solaris too, so I read some Sun
blogs too. :)