Re: need howto for SELinux config--ssh on non-standard port
On 01/06/2010 09:29 PM, John Poelstra wrote:
> I'm running sshd on a high (1024) port number and cannot find a clear step by step guide for configuring this correctly on Fedora 12. On google I've come across lots of random bugs and forum questions, but nothing that starts at the beginning of the process and goes through to the end.
>
> I'm a total SELinux newbie and usually just disable it altogether when things like this happen. I'm trying to change my ways :)
>
> Can anyone provide any URLs or the steps? If someone can provide the steps here I'll blog about it to get it documented so others do not have to suffer the same fate.
>
> Thanks,
> John

http://docs.fedoraproject.org/selinux-managing-confined-services-guide/en-US/F11/html/sect-Managing_Confined_Services-Configuration_examples-Changing_port_numbers.html

If the avc is for an undefined port (port_t) then you can do the command

# semanage port -a -t ssh_port_t -p tcp PORTNUM

If you are listening on a defined port (NAME_port_t), then you need to load a custom policy module

# grep ssh /var/log/audit/audit.log | audit2allow -M myssh
# semodule -i myssh.pp

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: SELinux is preventing /usr/sbin/cupsd ipc_lock access.
On 01/04/2010 12:52 PM, Paolo Galtieri wrote:
> I've started seeing this selinux alert
>
> SELinux is preventing /usr/sbin/cupsd ipc_lock access.
>
> [cupsd has a permissive type (cupsd_t). This access was not denied.]
>
> SELinux denied access requested by cupsd. It is not expected that this access is required by cupsd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access
>
> Is this something I should be concerned about?

This is something new and will be allowed in the next policy update. Not really something to be concerned about.

> I'm also seeing this alert
>
> SELinux is preventing /usr/bin/gok getattr access on /var/mail.
>
> SELinux denied access requested by gok. It is not expected that this access is required by gok and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> I don't use gok so I'm not sure why I'm getting these alerts.

gok is doing a getattr on all mounted file systems, which is probably causing this avc. It will also be allowed in the next release.

Fixed in selinux-policy-3.6.32-66.fc12.noarch

> Paolo
Re: SELinux security alert
On 12/19/2009 02:06 PM, vinny wrote:
> Hello,
> I installed F12 on 2 desktops, no problem, both working perfectly. Lately one has developed this security problem; it suggests renaming a file as a possible cure. I do not understand how a file can change name by itself. So before I make a mess of things I better ask for help.
> Vinny
>
> Summary:
>
> SELinux is preventing /bin/find getattr access to /var/lib/misc/prelink.full.
>
> Detailed Description:
>
> [find has a permissive type (prelink_cron_system_t). This access was not denied.]
>
> SELinux denied access requested by find. /var/lib/misc/prelink.full may be a mislabeled. /var/lib/misc/prelink.full default SELinux type is prelink_var_lib_t, but its current type is cron_var_lib_t. Changing this file back to the default type, may fix your problem.
>
> File contexts can be assigned to a file in the following ways.
>
> * Files created in a directory receive the file context of the parent directory by default.
> * The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
> * Users can change the file context on a file using tools such as chcon, or restorecon.
>
> This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain.
>
> However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.
>
> If you believe this is a bug, please file a bug report against this package.
>
> Allowing Access:
>
> You can restore the default system context to this file by executing the restorecon command. restorecon '/var/lib/misc/prelink.full', if this file is a directory, you can recursively restore using restorecon -R '/var/lib/misc/prelink.full'.
>
> Fix Command:
>
> /sbin/restorecon '/var/lib/misc/prelink.full'
>
> Additional Information:
>
> Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:cron_var_lib_t:s0
> Target Objects                /var/lib/misc/prelink.full [ file ]
> Source                        find
> Source Path                   /bin/find
> Port                          Unknown
> Host                          localhost.localdomain
> Source RPM Packages           findutils-4.4.2-4.fc12
> Target RPM Packages           prelink-0.4.2-4.fc12
> Policy RPM                    selinux-policy-3.6.32-55.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   restorecon
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.31.6-166.fc12.i686.PAE #1 SMP Wed Dec 9 11:00:30 EST 2009 i686 i686
> Alert Count                   4
> First Seen                    Sat 12 Dec 2009 07:32:14 AM EST
> Last Seen                     Sat 19 Dec 2009 01:45:15 PM EST
> Local ID                      e5732596-f308-439c-9920-c4a394f95061
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1261248315.138:22): avc: denied { getattr } for pid=2950 comm=find path=/var/lib/misc/prelink.full dev=dm-0 ino=2402 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
>
> node=localhost.localdomain type=SYSCALL msg=audit(1261248315.138:22): arch=4003 syscall=300 success=yes exit=0 a0=ff9c a1=8594704 a2=85946a4 a3=100 items=0 ppid=2949 pid=2950 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=find exe=/bin/find subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Fixed in selinux-policy-3.6.32-59.fc12.noarch

yum update selinux-policy-targeted --enablerepo=updates-testing

I believe this is now fixed in this release.
Re: Selinux message F-12 -
On 12/14/2009 06:01 AM, Bob Goodwin wrote:
> I keep seeing a star icon in the F-12 box which produces the message below. I wonder if it has anything to do with my ssh problems? What does it mean? What must I do to satisfy it?
>
> Bob
>
> Summary:
>
> SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 sys_tty_config access.
>
> Detailed Description:
>
> [polkit-agent-he has a permissive type (policykit_auth_t). This access was not denied.]
>
> SELinux denied access requested by polkit-agent-he. It is not expected that this access is required by polkit-agent-he and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.
>
> Additional Information:
>
> Source Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
> Target Objects                None [ capability ]
> Source                        polkit-agent-he
> Source Path                   /usr/libexec/polkit-1/polkit-agent-helper-1
> Port                          Unknown
> Host                          box6
> Source RPM Packages           polkit-0.95-0.git20090913.3.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.32-55.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     box6
> Platform                      Linux box6 2.6.31.6-166.fc12.i686.PAE #1 SMP Wed Dec 9 11:00:30 EST 2009 i686 i686
> Alert Count                   10
> First Seen                    Wed 09 Dec 2009 10:03:47 AM EST
> Last Seen                     Sun 13 Dec 2009 07:36:40 PM EST
> Local ID                      71279b6b-af71-4208-85fe-64503a292646
> Line Numbers
>
> Raw Audit Messages
>
> node=box6 type=AVC msg=audit(1260751000.112:20114): avc: denied { sys_tty_config } for pid=15535 comm=polkit-agent-he capability=26 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability
>
> node=box6 type=SYSCALL msg=audit(1260751000.112:20114): arch=4003 syscall=54 success=yes exit=0 a0=2 a1=5401 a2=bfa30888 a3=bfa3099c items=0 ppid=14661 pid=15535 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm=polkit-agent-he exe=/usr/libexec/polkit-1/polkit-agent-helper-1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)

I am not sure why policykit_auth_t would need to configure the tty and I am dontauditing it in the next update release, which I will push as soon as fedora infrastructure gets put back up.

Fixed in selinux-policy-3.6.32-59.fc12.noarch
Re: httpd with symbolic links and selinux enabled
On 12/01/2009 11:47 PM, Tim wrote:
> On Tue, 2009-12-01 at 12:04 -0500, Daniel J Walsh wrote:
>> You need to fix the context to match that in public_html
>>
>> chcon -R -t httpd_user_content_t foo
>>
>> Would do it.
>
> If that's the problem (just SELinux preventing serving), you'd also have to keep re-changing the contexts, every time there was a SELinux relabel, and every time you created new files in that location. Or, set a policy rule so that files automatically get suitable contexts for those file locations.

Yes that is true. I have also added a boolean to allow apache to read all files in the homedir, httpd_read_user_content

setsebool -P httpd_read_user_content 1
Re: httpd with symbolic links and selinux enabled
On 11/26/2009 03:54 AM, Justin Jereza wrote:
>> Have you configured Apache to follow symlinks?
>> http://localhost/manual/mod/core.html#options
>
> Yes, Apache follows symlinks. That's why http://localhost/~user/foo/ is accessible.
>
>> You also need appropriate file and directory permissions (world readable files and directories, and directories need to be world executable, too).
>
> All necessary permissions are set. Only directories inside ~/foo that contain symlinks are inaccessible. Remove the symlinks, and they become accessible. Also, http://localhost/~user/foo/bar/baz.html is accessible even though http://localhost/~user/foo/bar/ isn't. Finally, symlinks within ~/public_html itself work fine. So it seems that symlinks within symlinks are the only ones that give me trouble.
>
> Should have attached the following log messages earlier:
>
> Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11484): avc: denied { read } for pid=21208 comm=httpd name=index.html dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
> Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11485): avc: denied { getattr } for pid=21208 comm=httpd path=/home/justin/foo/bar/index.html dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

You need to fix the context to match that in public_html

chcon -R -t httpd_user_content_t foo

Would do it.
Re: Updating selinux-policy-targeted-3.6.32-46.fc12.noarch failed
On 11/29/2009 09:51 AM, Neal Becker wrote:
> Updating : selinux-policy-targeted-3.6.32-46.fc12.noarch 94/302
> libsepol.scope_copy_callback: audioentropy: Duplicate declaration in module: type/attribute entropyd_var_run_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
> semodule: Failed!

Try to remove the entropyd package

semodule -r audio_entropy
Re: Issue with F13 dracut/kernel/selinux
On 11/17/2009 04:12 AM, Bruno Wolff III wrote:
> I just went to rawhide over the last day and am not able to boot into kernel 2.6.32-0.48.rc7.git1.fc13 unless selinux is disabled (permissive isn't good enough). I can boot into my old kernel 2.6.31.5-127.fc12 which had a dracut generated image from before the upgrade.
>
> The error occurs when udev is trying to unlock my nonroot partitions. I get an error message referring to filesetcon not working on a /dev/mapper file. I get asked for passwords again (since all of the file systems have the same luks password I normally don't have to do this) and the correct password doesn't work.
>
> If I boot with selinux=0, the system boots with the 2.6.32-0.48.rc7.git1.fc13 kernel (but then I have to relabel the next time I boot without that option).
>
> I am using selinux-policy-targeted-3.6.33-1.fc13.

I have not made the leap yet to F13 to see what the problems are. I will look into this.

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
Re: trying to understand SELinux message
On 11/17/2009 03:05 AM, Ian Malone wrote:
> 2009/11/16 Tim ignored_mail...@yahoo.com.au:
>> On Mon, 2009-11-16 at 13:56 +0800, Mr. Teo En Ming (Zhang Enming) wrote:
>>> Well, for home or personal use systems, you don't really need SELinux. SELinux is for mission critical servers.
>>
>> Until you do something that SELinux would have protected you from... People do actually do things that need securing, on home computers (do their banking, etc.). Just browsing the internet and reading your mail are the two major points of breakdown in the Windows world, and I'd like it if that problem doesn't migrate over to Linux, as well.
>
> SELinux is not going to protect you from phishing or cross site scripting attacks. It's not going to offer much protection for just browsing the internet. On the other hand, disabling it is often part of my troubleshooting process and I've had times (even with F11) when that has been necessary just to get a working system. I'll aim to get things working 'properly' (i.e. with it on) again, but to see disabling SELinux equated with running as root elsewhere in this thread is a bit surprising.

I don't want to get embroiled in the debate. I would like to point out a little paper I wrote called "SELinux four things", where I try to describe the 4 things that can cause SELinux to complain, and how to remedy them.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

SELinux has many ways that can fairly easily be customized to reach your security goals, if you understand what SELinux is doing.
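The ssh port, prelink, httpd symlink and polkit threads above each start from an AVC line and end at one of the remedies this paper groups: relabel the port, restorecon a mislabeled file, chcon or set a boolean, or wait for a policy fix. The Python below is an added example, not code from the list or from the paper: it parses such AVC lines and maps each onto the remedy the threads applied. The DEFAULT_TYPES and PORT_TYPES tables are assumptions standing in for matchpathcon and the policy's port types, and the sshd sample line is constructed.

```python
import re

# Matches the AVC part of an audit.log or dmesg line, e.g.
#   ... avc: denied { getattr } for pid=2950 comm=find path=... tclass=file
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}

# ASSUMED stand-in for `matchpathcon PATH`: the default type the threads above
# state for each path. A real host would consult file_contexts instead.
DEFAULT_TYPES = {"/var/lib/misc/prelink.full": "prelink_var_lib_t", "/var/tmp": "tmp_t"}

# ASSUMED domain -> port type table; only the sshd case from the ssh thread.
PORT_TYPES = {"sshd_t": "ssh_port_t"}

# Sample input: the first three lines are copied from the threads above, the
# sshd line is CONSTRUCTED to show the undefined-port (port_t) case.
SAMPLE_LINES = [
    "type=AVC msg=audit(1261248315.138:22): avc: denied { getattr } for pid=2950 comm=find"
    " path=/var/lib/misc/prelink.full dev=dm-0 ino=2402 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023"
    " tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file",
    "Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11485): avc: denied { getattr } for pid=21208 comm=httpd"
    " path=/home/justin/foo/bar/index.html dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0"
    " tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file",
    "type=AVC msg=audit(1260751000.112:20114): avc: denied { sys_tty_config } for pid=15535 comm=polkit-agent-he capability=26"
    " scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023"
    " tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability",
    "type=AVC msg=audit(1262800000.000:1): avc: denied { name_bind } for pid=1234 comm=sshd src=2222"
    " scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket",
]


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC denial into a dict of its key=value fields plus the
    permission list and source/target types; None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = dict(KV_RE.findall(m.group("rest")))
    avc["perms"] = m.group("perms").split()
    avc["stype"] = context_type(avc.get("scontext", ""))
    avc["ttype"] = context_type(avc.get("tcontext", ""))
    return avc


def triage(avc):
    """Map a parsed denial onto the remedy used in the threads above.

    Returns (category, suggested_action) with category one of 'port',
    'label', 'boolean_or_label', 'policy' or 'unknown'."""
    tclass = avc.get("tclass", "")
    perms = set(avc["perms"])
    comm = avc.get("comm", "?")
    path = avc.get("path") or avc.get("name")

    # A daemon binding a port: port_t means the port is undefined, so label it;
    # any other NAME_port_t is already taken and needs a custom module instead.
    if tclass in ("tcp_socket", "udp_socket") and "name_bind" in perms:
        ptype = PORT_TYPES.get(avc["stype"], "<NAME>_port_t")  # placeholder if unknown
        if avc["ttype"] == "port_t":
            return ("port", f"semanage port -a -t {ptype} -p {tclass.split('_')[0]} {avc.get('src', 'PORTNUM')}")
        return ("port", f"grep {comm} /var/log/audit/audit.log | audit2allow -M my{comm} && semodule -i my{comm}.pp")

    # The target's type differs from its default: a mislabeled file.
    if tclass in FILE_CLASSES and path in DEFAULT_TYPES and DEFAULT_TYPES[path] != avc["ttype"]:
        return ("label", f"restorecon -v '{path}'  # {avc['ttype']} -> {DEFAULT_TYPES[path]}")

    # httpd reading plain home-directory content: relabel it as web content,
    # or turn on the boolean that lets apache read the whole home dir.
    if avc["stype"] == "httpd_t" and avc["ttype"] == "user_home_t" and tclass in FILE_CLASSES:
        return ("boolean_or_label",
                "chcon -R -t httpd_user_content_t <dir>  or  setsebool -P httpd_read_user_content 1")

    # A capability denial is not a labeling problem; the policy lacks the rule
    # (or dontaudits it in a newer build), so look for a policy update.
    if tclass == "capability":
        return ("policy", f"{comm} wants capability {avc.get('capability')}: update selinux-policy or file a bug")

    return ("unknown", "audit2why < /var/log/audit/audit.log  # ask the policy why it denied")


def triage_log(lines):
    """Triage every AVC record in `lines`, skipping SYSCALL and other records."""
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            results.append((avc.get("comm", "?"), triage(avc)[0]))
    return results
```

Feed it `grep avc /var/log/audit/audit.log` to get a first-pass sort of a noisy log; anything that lands in 'unknown' still needs audit2why and a reading of the four-things paper.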
Re: selinux and home dirs
On 11/17/2009 05:27 PM, Wolfgang S. Rupprecht wrote:
> How do I add a second /home tree to selinux so that both /home and /home2 have the same policies and restorecon correctly? There seems to be quite a bit of logic in /etc/selinux/targeted/contexts/files/file_contexts.homedirs to treat the files in the home directory specially, but I can't see where the /home/ string gets set.
>
> -wolfgang

Are you doing this in F12? If yes then please update the policycoreutils package in updates-testing. And look at

semanage fcontext --equiv
Re: trying to understand SELinux message
On 11/16/2009 12:09 AM, Paul Allen Newell wrote:
> Hello:
>
> I just upgraded two of my systems to the latest yum update (2.6.30.9-96.fc11.i686.PAE) with the hopes that the CD and DVD issues have been resolved (they have, almost, but that's a separate bugzilla report).
>
> What I am querying about in this email is a message that I am seeing when I log in as root (yes, I know the caveats and try to respect them, but I always make sure the ability is there if I need it). I log in from the start page GUI and there are no problems until, a couple of seconds later, a pop-up from the star icon in the upper right says I've got problems. I open it up and it says:
>
> SELinux is preventing the gdm-session-wor from using potentially mislabeled files (/root).
>
> Okay, that's nice to know, but I have no idea what it is trying to tell me needs to be fixed. I've got a couple files in the home directory but nothing looks funny about them (*.txt cut-and-paste of yum update/installs and an html of how-to-install f11 from scratch). I have edited both /etc/pam.d/gdm and /etc/pam.d/gdm-password per Fedora website instructions to allow root access.
>
> Closer inspection says that I first began getting this message on 20jun09 after a yum update (I did the original f11 install at the beginning of June). I just hadn't noticed it since I don't often log in as root, though I do remember seeing something in the summer and figuring it was a glitch that would get fixed in future updates.
>
> Any suggestions as to what I should be looking for to get rid of this message ... if I do indeed actually need to pay attention to it. If there is more info I can provide, please let me know what it is and how to get it and I will gladly post such.
>
> Thanks in advance,
> Paul

Paul, SELinux policy can not be written in such a way to allow you to run X Windows as root. The problem is too many applications require rights to write to the homedir and we want to treat /root differently than /home.

Allowing a confined application to write to /root would allow it to do evil stuff by replacing /root/.bashrc for example. And the next time an admin logged in the script would run.

If you require running X as root then you will need to put SELinux into permissive mode.

In F12 we are now preventing users from logging in as root from GDM because it is so dangerous from a security point of view. Imagine running firefox as root and what problems it can cause.
Re: cups-pdf and selinux
Don't worry about it, you are not alone... :^(
Re: cups-pdf and selinux
On 11/12/2009 01:24 PM, Henrique Koesjan wrote:
> Hi Daniel,
>
> Find attached the message.
>
> Thanks in advance.
> henri
>
> On Wed, Nov 11, 2009 at 12:41 PM, Daniel J Walsh dwa...@redhat.com wrote:
>> On 11/11/2009 09:08 AM, Henrique Koesjan wrote:
>>> Does anyone know how to make cups-pdf work with selinux? I've tried
>>>
>>> #setsebool -P cupsd_disable_trans 1
>>>
>>> but it does not seem to work.
>>>
>>> Sumário
>>>
>>> SELinux is preventing gs (cups_pdf_t) search to / (mount_tmp_t).
>>>
>>> Descrição detalhada
>>>
>>> SELinux denied access requested by gs. / may be a mislabeled. / default SELinux type is root_t, but its current type is mount_tmp_t. Changing this file back to the default type, may fix your problem.
>>>
>>> henri
>>
>> Could you attach the complete setroubleshoot message.

You have mislabeled your /var/tmp directory

chcon -R -t tmp_t /var/tmp

Will fix the problem
Re: cups-pdf and selinux
On 11/12/2009 02:29 PM, Henrique Koesjan wrote:
> Too many thanks Daniel, 3 seconds for solving troubles! Sincerely, this mailing list (the people in it) helps a lot less experienced users and all users, I believe.
>
> henri, many thanks again.

Henri, can you please go back and read the setroubleshoot, it told you what was wrong...

Sumário:

SELinux is preventing nm-system-setti (NetworkManager_t) getattr to /var/tmp (mount_tmp_t).

Descrição detalhada:

SELinux denied access requested by nm-system-setti. /var/tmp may be a mislabeled. /var/tmp default SELinux type is tmp_t, but its current type is mount_tmp_t. Changing this file back to the default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

* Files created in a directory receive the file context of the parent directory by default.
* The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creates a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or restorecon.

This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Permitindo acesso:

You can restore the default system context to this file by executing the restorecon command. restorecon '/var/tmp', if this file is a directory, you can recursively restore using restorecon -R '/var/tmp'.

Reparar comando:

restorecon '/var/tmp'
Re: cups-pdf and selinux
On 11/11/2009 09:08 AM, Henrique Koesjan wrote:
> Does anyone know how to make cups-pdf work with selinux? I've tried
>
> #setsebool -P cupsd_disable_trans 1
>
> but it does not seem to work.
>
> Sumário
>
> SELinux is preventing gs (cups_pdf_t) search to / (mount_tmp_t).
>
> Descrição detalhada
>
> SELinux denied access requested by gs. / may be a mislabeled. / default SELinux type is root_t, but its current type is mount_tmp_t. Changing this file back to the default type, may fix your problem.
>
> henri

Could you attach the complete setroubleshoot message.
Re: A question about allow_unconfined_mmap_low in f11 amd selinux
On 11/09/2009 03:15 PM, Justin wrote:
> On Mon, Nov 9, 2009 at 2:40 PM, Mike Cloaked mike.cloa...@gmail.com wrote:
>> Eric Paris eparis at redhat.com writes:
>>>> I have Crossover installed and not wine, and just checked:
>>>>
>>>> [mike at home1 ~]$ cat /proc/sys/vm/mmap_min_addr
>>>> 65536
>>>>
>>>> This is an f11 box. I also set the boolean by doing
>>>>
>>>> # setsebool -P allow_unconfined_mmap_low 1
>>>
>>> Bad news! For maximum protection you would want that bool off. You do not want to ALLOW unconfined to mmap low memory.
>>>
>>> -Eric
>>
>> Many thanks Eric - I just tried unsetting the boolean -
>>
>> # setsebool -P allow_unconfined_mmap_low 0
>>
>> Excel and Word 2003 still run in Crossover after resetting it without AVCs popping up - I will unset it in the other machines where I have this also - I guess selinux policy may have changed so that setting it as I did originally is no longer necessary.
>
> Really? For me there is no allow_unconfined_mmap_low at all and I'm definitely still getting the error with any Wine application with mmap_low_allowed set to 0.
>
> selinux-policy-3.6.32-41.fc12.noarch

The name has changed between RHEL5 (allow_unconfined_mmap_low) and F12 (mmap_low_allowed).

The meaning has also changed. In RHEL5 unconfined domains are allowed to mmap_low if the boolean is set; vbetool and wine are allowed whether or not the boolean is set.

In F12 no domains are allowed to mmap_low unless the boolean is set. If it is set, wine, vbetool and unconfined domains are allowed to mmap_zero.

One of you is running wine in RHEL5, which is allowed to mmap_zero without the boolean. We changed this in F12 so that wine will break without the boolean set.
Re: conflict between seedit - selinux-policy and qstat - torque-client
On 11/04/2009 01:38 PM, Bill Nottingham wrote:
>> Because seedit getting installed causes selinux-policy-targeted and friends to get screwed up.
>
> That sounds like a reason to not ship seedit. Am I missing something?
>
> Bill

I would not ship it.
Re: A question about allow_unconfined_mmap_low in f11 amd selinux
On 11/03/2009 04:35 PM, Adam Jackson wrote:
> On Tue, 2009-11-03 at 21:31 +, Mike Cloaked wrote:
>> For people running wine or Crossover and using MS Office 2003 and related codes it is necessary to do:
>>
>> # setsebool -P allow_unconfined_mmap_low 1
>>
>> To prevent AVC denials. However there is recent publicity at http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/ which highlights that there is still a vulnerability in the kernel if this is set.
>>
>> For people running f11 with this boolean set how can one run wine and still remain secure? i.e. what should an admin do to protect the system?
>
> You can't.
>
> If I'm being slightly less flip: run wine in a kvm instance with selinux disabled, forward X to the host.
>
> - ajax

You can run with SELinux in enforcement. mmap_low_allowed is the name of the boolean moving forward.
Re: conflict between seedit - selinux-policy and qstat - torque-client
On 11/04/2009 08:14 AM, Rudolf Kastl wrote:
> Why do those packages have to conflict with each other?
>
> 1. seedit and selinux-policy-{targeted,mls} - I don't see a single file conflicting, at least with the targeted policy...
> 2. qstat and torque-client both provide a qstat binary... is there anything done to get that resolved upstream? Or is it a conflicts and forget scenario?
>
> From my personal pov conflicts should be resolved instead of just marked so things can be properly installed in parallel. Everything else looks broken to me.
>
> kind regards,
> Rudolf Kastl

Because seedit getting installed causes selinux-policy-targeted and friends to get screwed up. People installing everything accidentally get seedit installed and start reporting weird bugs to the selinux-policy package and are shocked that they are not in the default install.
Re: A question about allow_unconfined_mmap_low in f11 amd selinux
On 11/04/2009 10:23 AM, mike cloaked wrote:
> Daniel J Walsh dwalsh at redhat.com writes:
>> You can run with SELinux in enforcement. mmap_low_allowed is the name of the boolean moving forward.
>
> By moving forward do you mean that one can, in f11, reset the original boolean and set boolean mmap_low_allowed instead, in a forthcoming policy update? Or is this a planned change coming for f12 but not yet policy in earlier versions?
>
> Thanks

The allow_unconfined_mmap_zero boolean was meant to allow unconfined_domains to mmap_zero. vbetool_exec_t and wine_exec_t have this capability without the boolean.

We have removed that altogether. Now out of the box NO apps will have the ability to mmap_zero. If you want to run wine or vbetool (hopefully fixed soon) you will have to set the boolean. All unconfined_domains will then also continue to have this access.

This access has proven to be a critical security feature, and several kernel/root vulnerabilities will be prevented by turning this boolean off, with the only down side being preventing old windows applications from running by default in wine (if vbetool is fixed).
Re: A question about allow_unconfined_mmap_low in f11 amd selinux
On 11/04/2009 10:23 AM, mike cloaked wrote:
> Daniel J Walsh dwalsh at redhat.com writes:
>> You can run with SELinux in enforcement. mmap_low_allowed is the name of the boolean moving forward.
>
> By moving forward do you mean that one can, in f11, reset the original boolean and set boolean mmap_low_allowed instead, in a forthcoming policy update? Or is this a planned change coming for f12 but not yet policy in earlier versions?
>
> Thanks

We have setroubleshoot plugins that explain exactly to the users what they need to do to make their wine apps run.
Re: Selinux Hates Samsung CLX3175FN Printer
On 10/21/2009 02:10 PM, Jim wrote:
> FC11/KDE
>
> Samsung has a very good printer in the CLX3175FN Laser; I picked up a $400.00 printer for $250.00 at OfficeMax. Anyhow, you can get the printer drivers for Linux on their Support Site. When installing the print drivers you have to do it from su - .
>
> Selinux won't let the printer print until you do a touch /.autorelabel and reboot the computer. Then you can print, but you still get Selinux complaining about a file here and there for the printer that requires a restorecon -R -v .
>
> Why doesn't Selinux do the proper relabeling when it does /.autorelabel ??

Please attach the AVC messages you are seeing from cups that are causing you a problem

/var/log/audit/audit.log
If you are building a dbus/PolicyKit mechanism please tell SELinux developers about it.
Remember, if you need to build a tool that will run partially as root, we would like to write policy to confine it. A badly written Dbus activation service can be just as dangerous as a badly written setuid application. We need to have SELinux confinement on the root portion of your application.

Dan
Re: Why SELinux is preventing /usr/lib64/nspluginwrapper/npviewer.bin execmem access on Unknown?
On 10/09/2009 01:41 PM, Petrus de Calguarium wrote:
> I have noticed that trying to play some videos on You Tube generates this selinux denial and the video refuses to play. However, other videos on You Tube don't generate this error and play just peachy. What makes the videos different to selinux?

Probably some code paths in flashplayer are causing execmem while others are not.

Which version of the OS/Policy are you seeing execmem problems at youtube with?
Re: Why SELinux is preventing /usr/lib64/nspluginwrapper/npviewer.bin execmem access on Unknown?
On 10/09/2009 02:53 PM, Petrus de Calguarium wrote:
> Daniel J Walsh wrote:
>> Which version of the OS/policy are you seeing the execmem problems at youtube with?
> selinux-policy-targeted-3.6.32-22.fc12.noarch
> Using f11.92, obviously :-)

Download the latest policy package from koji; it should fix your problems.
http://koji.fedoraproject.org/koji/buildinfo?buildID=135962
I just submitted a request to get this package into beta.
Re: Mock/Pungi and selinux for building re-spins in f11
On 10/07/2009 08:42 AM, Julian Aloofi wrote:
> On Tuesday, 06.10.2009, 12:57 -0700, Mike Cloaked wrote:
>> Does anyone know if it is still current practice to set SELinux to permissive before doing a spin re-build in mock/pungi in F11? Or has selinux policy now reached the point of refinement such that running a respin build works fine with selinux enforcing? Would be useful to know - I have not done respin builds since F10 so I am a little out of touch with current practice. Thanks in advance.
>> -- 
>> View this message in context: http://www.nabble.com/Mock-Pungi-and-selinux-for-building-re-spins-in-f11-tp25775562p25775562.html
>> Sent from the Fedora List mailing list archive at Nabble.com.
> Yes, that's still required to successfully build a re-spin in pungi and revisor, if I remember correctly.

Could someone send me a list of AVC's? Is this the same problem that livecd has? Building a different OS causes its policy to be loaded during the install. We should be able to convince the Mock environment that SELinux is disabled, and then allow mock the ability to put down the labels like we do with livecd.
Re: Mock/Pungi and selinux for building re-spins in f11
On 10/07/2009 01:51 PM, Mike Cloaked wrote:
> Daniel J Walsh wrote:
>> On 10/07/2009 08:42 AM, Julian Aloofi wrote:
>>> On Tuesday, 06.10.2009, 12:57 -0700, Mike Cloaked wrote:
>>>> Does anyone know if it is still current practice to set SELinux to permissive before doing a spin re-build in mock/pungi in F11? Or has selinux policy now reached the point of refinement such that running a respin build works fine with selinux enforcing? Would be useful to know - I have not done respin builds since F10 so I am a little out of touch with current practice. Thanks in advance.
>>> Yes, that's still required to successfully build a re-spin in pungi and revisor, if I remember correctly.
>> Could someone send me a list of AVC's? Is this the same problem that livecd has? Building a different OS causes its policy to be loaded during the install. We should be able to convince the Mock environment that SELinux is disabled, and then allow mock the ability to put down the labels like we do with livecd.
> Dan, I'll try and do a test build in the next couple of days, and post AVCs if they pop up - would it be best to do this in a BZ report, rather than to Fedora list? If so which component? selinux or mock/pungi?

Open up one bug on mock/pungi with me cc'd and we can fix it, since I think most of the changes have to be made in Mock to fake SELinux into thinking it is disabled, or a fake /selinux like livecd has.
Re: Selinux Problems
On 10/05/2009 05:27 PM, Paolo Galtieri wrote:
> On Mon, Oct 5, 2009 at 2:13 PM, Daniel J Walsh <dwa...@redhat.com> wrote:
>> On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
>>> On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh <dwa...@redhat.com> wrote:
>>>> On 10/05/2009 02:08 PM, Jim wrote:
>>>>> FC11/Kde
>>>>> Trying to print on a Samsung CLX-3175FN. SELinux is playing havoc with the printer drivers; these drivers are from Samsung and I'm getting many SELinux alerts, too many to keep running restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable SELinux, the printer will print normally. How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?
>>>> Please show me the AVC's you are seeing. Or send me a compressed /var/log/audit/audit.log
>>> I have seen the following SELinux alert:
>>> SELinux is preventing hp (hplip_t) name_bind howl_port_t.
>>> lpstat -t shows
>>> printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM MST - /usr/lib/cups/backend/hp failed
>>> If I change the URI associated with the printer config from
>>> hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet
>>> to
>>> hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71
>>> then the alerts go away. The printer is an HP printer and was configured using hp-setup.
>>> Paolo
>> Could you grep for howl_port_t and attach the output:
>> grep howl_port_t /var/log/audit/audit.log
> type=AVC msg=audit(1254414474.185:50294): avc: denied { name_bind } for pid=18462 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254414573.360:50295): avc: denied { name_bind } for pid=18499 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254414980.894:50346): avc: denied { name_bind } for pid=18699 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254415674.640:50382): avc: denied { name_bind } for pid=18942 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254415783.474:50425): avc: denied { name_bind } for pid=19012 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254415964.178:50441): avc: denied { name_bind } for pid=19154 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> Paolo

I guess the question is why does hplip want to listen on the Multicast DNS port. If this is supposed to happen, we need to add it to policy.

You can add it for now using audit2allow:

# grep hplip_t /var/log/audit/audit.log | audit2allow -M myhplip
# semodule -i myhplip.pp
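Before piping denials into audit2allow, it helps to see what is actually being denied: the same source domain, target type, object class and permission repeated six times is one question to answer ("should hplip bind the mDNS port?"), not six rules. The following is an added example, not code from the thread or from the SELinux tools; it reads raw audit.log lines on stdin and prints one summary line per distinct denial with a count. The sample input is the AVC output quoted in this thread plus a SYSCALL record, which the summary must ignore.

```shell
#!/bin/sh
# Summarize SELinux AVC denials from audit.log-style input.
# Added example for this thread; not part of audit2allow or setroubleshoot.
# Output: <count> <source type> <target type> <class> <permissions>

summarize_avcs() {
  # Field-based parsing rather than one big regex: tokens between "{" and "}"
  # are the denied permissions; scontext/tcontext are user:role:type:level, and
  # only the type (3rd component) is interesting for policy decisions.
  awk '
    /type=AVC/ {
      perms = ""; src = ""; tgt = ""; cls = ""; inperm = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }
        if ($i == "}") { inperm = 0; continue }
        if (inperm)   { perms = (perms == "" ? $i : perms "," $i); continue }
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "scontext")      { split(v, c, ":"); src = c[3] }
        else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
        else if (k == "tclass")   cls = v
      }
      if (src != "" && tgt != "" && cls != "")
        count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Sample input taken from the AVC lines quoted in this thread (three of the
# hplip denials, the dbus-daemon and exim denials, and one SYSCALL record).
SAMPLE_AVCS='type=AVC msg=audit(1254414474.185:50294): avc: denied { name_bind } for pid=18462 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254414573.360:50295): avc: denied { name_bind } for pid=18499 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254414980.894:50346): avc: denied { name_bind } for pid=18699 comm=hp src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
node=localhost.localdomain type=AVC msg=audit(1253383398.33:262): avc: denied { search } for pid=1472 comm=dbus-daemon name=9374 dev=proc ino=42807 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
node=localhost.localdomain type=AVC msg=audit(1253383398.33:262): avc: denied { read } for pid=1472 comm=dbus-daemon name=cmdline dev=proc ino=42818 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
node=flinux type=AVC msg=audit(1252166741.77:28): avc: denied { getattr } for pid=2279 comm=exim path=/boot dev=sda1 ino=2 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
node=flinux type=SYSCALL msg=audit(1252166741.77:28): arch=4003 syscall=195 success=no exit=-13 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)'

# Stand-alone demo. On a real box: summarize_avcs < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVCS" | summarize_avcs
```

The first output line reads "3 hplip_t howl_port_t udp_socket name_bind"; that single line is what you decide on (file a bug, or load a module via audit2allow as above), and the count tells you how noisy the denial will be until you do.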
Re: Selinux Problems
On 10/05/2009 02:08 PM, Jim wrote:
> FC11/Kde
> Trying to print on a Samsung CLX-3175FN. SELinux is playing havoc with the printer drivers; these drivers are from Samsung and I'm getting many SELinux alerts, too many to keep running restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable SELinux, the printer will print normally. How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?

Please show me the AVC's you are seeing. Or send me a compressed /var/log/audit/audit.log
Re: Selinux Problems
On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
> On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh <dwa...@redhat.com> wrote:
>> On 10/05/2009 02:08 PM, Jim wrote:
>>> FC11/Kde
>>> Trying to print on a Samsung CLX-3175FN. SELinux is playing havoc with the printer drivers; these drivers are from Samsung and I'm getting many SELinux alerts, too many to keep running restorecon. The printing is coming out with double columns with 1/8 white lines down through text or pictures. There are no GPL drivers for this printer, it's too new! If I disable SELinux, the printer will print normally. How do I relabel all the files on the computer? Do I relabel from telinit 3 or what?
>> Please show me the AVC's you are seeing. Or send me a compressed /var/log/audit/audit.log
> I have seen the following SELinux alert:
> SELinux is preventing hp (hplip_t) name_bind howl_port_t.
> lpstat -t shows
> printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM MST - /usr/lib/cups/backend/hp failed
> If I change the URI associated with the printer config from
> hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet
> to
> hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71
> then the alerts go away. The printer is an HP printer and was configured using hp-setup.
> Paolo

Could you grep for howl_port_t and attach the output:

grep howl_port_t /var/log/audit/audit.log
Re: latest selinux policy update errors
Mark Haney wrote:
> Is anyone else seeing these types of failures with the latest selinux updates?
> 
> libsemanage.semanage_direct_remove: Module dpkg was not found.
> semodule: Failed on dpkg!
> error: %trigger(selinux-policy-strict-2.6.4-21.fc7.noarch) scriptlet failed, exit status 1
> libsemanage.semanage_direct_remove: Module dpkg was not found.
> semodule: Failed on dpkg!
> error: %trigger(selinux-policy-strict-2.6.4-23.fc7.noarch) scriptlet failed, exit status 1
> 
> Should I file a bug report?

No, I think this is an isolated occurrence. If it happens on the next update, report it.
Re: Lots of SELinux denial messages.
On 09/19/2009 02:10 PM, Les wrote:
> I have upgraded to F11 using the upgrade from the update process, and it went smoothly. However, I am now getting a lot of SELinux messages (I had to set it to permissive to get anything done at all). I have submitted bugs on two of them, and will submit more bugs later. I have relabeled the system (extensive and took time) and used the restorecon command where it was recommended, but still there are messages, and I need to get those resolved prior to turning SELinux back on.
> 
> So I am including a few of the most predominant messages in this message. If you have had these and have a cure, or know some approach that is safe to turning these off so I can re-enable SELinux, please let me know. If I get no responses in a day or so I will submit bugzillas on these as well.
> 
> I should note that while the first shows a time of around 0300, my system was idle at that time. I went to bed at about 2:30 and rebooted at that time. Also I emptied the queue of alerts when I logged on, so these showed up today since about 9:30. There were four more of these all targeting different objects.
> 
> Regards,
> Les H
> 
> Summary:
> 
> SELinux is preventing dbus-daemon (system_dbusd_t) search unconfined_t.
> 
> Detailed Description:
> 
> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
> 
> SELinux denied access requested by dbus-daemon. It is not expected that this access is required by dbus-daemon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Objects                9374 [ dir ]
> Source                        dbus-daemon
> Source Path                   /bin/dbus-daemon
> Port                          Unknown
> Host                          localhost.localdomain
> Source RPM Packages           dbus-1.2.12-2.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.12-82.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.30.5-43.fc11.i586 #1 SMP Thu Aug 27 21:18:54 EDT 2009 i686 i686
> Alert Count                   2
> First Seen                    Sat 19 Sep 2009 11:03:18 AM PDT
> Last Seen                     Sat 19 Sep 2009 11:03:18 AM PDT
> Local ID                      136137e2-5f20-4d7d-88e5-a65c26b266a6
> Line Numbers
> 
> Raw Audit Messages
> 
> node=localhost.localdomain type=AVC msg=audit(1253383398.33:262): avc: denied { search } for pid=1472 comm=dbus-daemon name=9374 dev=proc ino=42807 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
> node=localhost.localdomain type=AVC msg=audit(1253383398.33:262): avc: denied { read } for pid=1472 comm=dbus-daemon name=cmdline dev=proc ino=42818 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
> node=localhost.localdomain type=SYSCALL msg=audit(1253383398.33:262): arch=4003 syscall=5 success=yes exit=41 a0=2bd1290 a1=0 a2=249e a3=bfca767c items=0 ppid=1 pid=1472 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm=dbus-daemon exe=/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
> 
> Summary:
> 
> SELinux is preventing dbus-daemon (system_dbusd_t) search unconfined_t.
> 
> Detailed Description:
> 
> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
> 
> SELinux denied access requested by dbus-daemon. It is not expected that this access is required by dbus-daemon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
> 
> Allowing
Re: selinux hasn't been running for over a week
On 09/18/2009 10:01 AM, Steve Grubb wrote:
> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
>> If the kernel has SELinux and it is not in permissive mode, it should execute load_policy. Yes, in permissive mode load_policy will return 2 if it can not load policy. I guess dracut should also look in /etc/selinux/config to see if the SELINUX environment variable is not set to enforcing.
> What about interaction with the kernel command line? What the kernel was given is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says enabled, shouldn't the kernel command line take priority?

Yes, kernel command line wins. Second is the /etc/selinux/config (SELINUX) line.

Execute the kernel command line to initialize the selinux and enforcing environment variables. cmdline options are (selinux=0 to disable SELinux) (enforcing=0 to put selinux in permissive mode).

Then dracut should execute:

. /etc/selinux/config
if [ $selinux != 0 && $enforcing != 0 && $SELINUX == enforcing ]; then
    load_policy
    if $? != 0; ReportError() blow up
elif [ $selinux != 0 && ($enforcing == 0 || $SELINUX == permissive) ]; then
    load_policy
    if $? != 0; ReportError()
    # Continue no matter what
elif [ $selinux == 0 || $enforcing == 0 || $SELINUX == disabled ]; then
    # Continue no matter what, although it would be nice to tell the kernel to drop SELinux support
elif
    Report_error() Blow Up
endif

> You mean if the machine is in permissive mode, it should load_policy, but not crash. But it should log the reason so it can be debugged.

load_policy will exit with 0 on success or 2 on failure with SELinux in permissive mode.

>> And if chroot fails, we need to handle it. This will probably crash anyways.
> In the code I looked at, only if it returned 3...
> 
> -Steve
Re: selinux hasn't been running for over a week
On 09/18/2009 10:05 AM, Stephen Smalley wrote:
> On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
>> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
>>> If the kernel has SELinux and it is not in permissive mode, it should execute load_policy. Yes, in permissive mode load_policy will return 2 if it can not load policy. I guess dracut should also look in /etc/selinux/config to see if the SELINUX environment variable is not set to enforcing.
>> What about interaction with the kernel command line? What the kernel was given is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says enabled, shouldn't the kernel command line take priority?
> That all gets taken care of inside of the libselinux selinux_init_load_policy() function, which is what load_policy calls.
>> You mean if the machine is in permissive mode, it should load_policy, but not crash. But it should log the reason so it can be debugged.
>>> load_policy will exit with 0 on success or 2 on failure with SELinux in permissive mode.
>>> And if chroot fails, we need to handle it. This will probably crash anyways.
>> In the code I looked at, only if it returned 3...
> load_policy exits with 3 if the load policy failed and the system was supposed to be in enforcing mode (based on the combination of kernel command line arguments, which do take precedence, and the /etc/selinux/config setting). It exits with 2 if the load policy failed and the system was supposed to be permissive.

Right, but what happens if load_policy is called with the wrong parameter? What happens if load_policy can not be called because of permission denied?
Re: selinux hasn't been running for over a week
On 09/18/2009 10:25 AM, Stephen Smalley wrote:
> On Fri, 2009-09-18 at 10:16 -0400, Daniel J Walsh wrote:
>> On 09/18/2009 10:05 AM, Stephen Smalley wrote:
>>> On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
>>>> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
>>>>> If the kernel has SELinux and it is not in permissive mode, it should execute load_policy. Yes, in permissive mode load_policy will return 2 if it can not load policy. I guess dracut should also look in /etc/selinux/config to see if the SELINUX environment variable is not set to enforcing.
>>>> What about interaction with the kernel command line? What the kernel was given is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says enabled, shouldn't the kernel command line take priority?
>>> That all gets taken care of inside of the libselinux selinux_init_load_policy() function, which is what load_policy calls.
>>>> You mean if the machine is in permissive mode, it should load_policy, but not crash. But it should log the reason so it can be debugged.
>>>>> load_policy will exit with 0 on success or 2 on failure with SELinux in permissive mode.
>>>>> And if chroot fails, we need to handle it. This will probably crash anyways.
>>>> In the code I looked at, only if it returned 3...
>>> load_policy exits with 3 if the load policy failed and the system was supposed to be in enforcing mode (based on the combination of kernel command line arguments, which do take precedence, and the /etc/selinux/config setting). It exits with 2 if the load policy failed and the system was supposed to be permissive.
>> Right, but what happens if load_policy is called with the wrong parameter? What happens if load_policy can not be called because of permission denied?
> I'm not entirely clear as to why you are asking, but:
> 
> $ load_policy --foo
> load_policy: invalid option -- '-'
> usage:  load_policy [-qi]
> $ echo $?
> 1
> $ runcon system_u:system_r:httpd_t:s0 load_policy
> runcon: load_policy: Permission denied
> $ echo $?
> 126
> 
> Are you just saying that dracut needs to fail closed (i.e. halt the system) if the exit code is anything other than 0 (success) or 2 (failed but permissive)?

Well, it is not that simple. If the kernel cmdline had selinux=0 or enforcing=0, or /etc/selinux/config had SELINUX=disabled or SELINUX=permissive, then it should continue; otherwise the machine has to be assumed to be in enforcing mode, so if it can not load policy it is a system failure. I would figure this is what the MLS crowd would want. You configured the machine to run in enforcing mode and the system can not load policy for some reason, you need to crash. This is what the old patches did.
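The decision sketched in this thread, written out as plain sh so it can be exercised on strings and a throwaway config file rather than a live initramfs. This is an added example, not dracut's or libselinux's actual code; the exit statuses it interprets (0, 2, 3, and the 1 and 126 shown for a bad option and a failed exec) are the ones quoted in the messages above, and the precedence (kernel command line over /etc/selinux/config, unknown config treated as enforcing) is the one Dan states.

```shell
#!/bin/sh
# Added example: how an initramfs could decide whether a failed policy load
# is fatal. Not dracut's code. All helpers print their result so they can be
# used in $(...) and tested without SELinux being present.

# read_config_mode FILE
#   Print the SELINUX= value from an /etc/selinux/config-style file (last
#   assignment wins), or nothing if the line is absent. SELINUXTYPE= does not
#   match because the pattern requires "=" directly after SELINUX.
read_config_mode() {
  sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*//p' "$1" | tail -n 1
}

# selinux_boot_mode CMDLINE CONFIG_VALUE
#   Print enforcing|permissive|disabled. The kernel command line wins:
#   selinux=0 disables, enforcing=0 turns an enforcing config into permissive.
#   Anything unrecognised (empty, typo, missing file) is treated as enforcing,
#   so a broken config fails closed instead of silently booting unconfined.
selinux_boot_mode() {
  mode=$2
  case "$mode" in
    enforcing|permissive|disabled) ;;
    *) mode=enforcing ;;
  esac
  case " $1 " in
    *" enforcing=0 "*) if [ "$mode" = enforcing ]; then mode=permissive; fi ;;
  esac
  case " $1 " in
    *" selinux=0 "*) mode=disabled ;;
  esac
  echo "$mode"
}

# load_policy_outcome MODE EXIT_STATUS
#   Map the intended mode and load_policy's exit status onto "continue" or
#   "fail" (halt: the system was configured to enforce and has no policy).
#   0 = policy loaded; 2 = load failed, permissive intended; 3 = load failed,
#   enforcing intended (load_policy's own verdict, so it is trusted even if
#   our computed mode disagrees). Any other status (1 = bad option, 126 =
#   could not execute) means load_policy never did its job, which is only
#   tolerable when enforcement was not wanted.
load_policy_outcome() {
  mode=$1
  rc=$2
  if [ "$mode" = disabled ]; then
    echo continue      # nothing to load; ideally tell the kernel to drop SELinux
    return 0
  fi
  case "$rc" in
    0) echo continue ;;
    3) echo fail ;;
    *) if [ "$mode" = permissive ]; then echo continue; else echo fail; fi ;;
  esac
}

# dracut_decision CMDLINE CONFIG_FILE EXIT_STATUS
#   Glue the pieces together the way the boot script would.
dracut_decision() {
  mode=$(selinux_boot_mode "$1" "$(read_config_mode "$2")")
  load_policy_outcome "$mode" "$3"
}

# Stand-alone demo with a constructed config file.
demo_cfg=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_cfg"
dracut_decision 'ro root=/dev/sda1' "$demo_cfg" 3              # fail
dracut_decision 'ro root=/dev/sda1 enforcing=0' "$demo_cfg" 2  # continue
dracut_decision 'ro root=/dev/sda1 selinux=0' "$demo_cfg" 126  # continue
rm -f "$demo_cfg"
```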
Re: selinux disabled in rawhide ?
On 09/14/2009 06:18 AM, Tomas Mraz wrote:
> On Sun, 2009-09-13 at 19:28 -0400, Daniel J Walsh wrote:
>> On 09/12/2009 12:13 PM, Dave Jones wrote:
>>> I did two installs yesterday, and both of them have ended up with SELINUX=disabled in /etc/selinux/config. I changed them back to 'enabled', rebooted, which caused a relabel, and all seems fine. What's happening here?
>>> Dave
>> I don't know; there was a bug in dracut that was causing selinux to be disabled.
> Dan, do you mean the https://bugzilla.redhat.com/show_bug.cgi?id=520753 ? But this one looks like a different bug, perhaps in anaconda? At least it seems to be worth reporting it to bz on anaconda.

Yes, open a bugzilla for it.
Re: selinux disabled in rawhide ?
On 09/12/2009 12:13 PM, Dave Jones wrote:
> I did two installs yesterday, and both of them have ended up with SELINUX=disabled in /etc/selinux/config. I changed them back to 'enabled', rebooted, which caused a relabel, and all seems fine. What's happening here?
> Dave

I don't know; there was a bug in dracut that was causing selinux to be disabled.
Re: Easy way to remove SELinux permissions?
On 09/10/2009 01:58 AM, Sean Carlos wrote:
> At one point I performed a new Fedora install and restored my personal files before disabling SELinux, which I don't need. As a result many files have permissions which include a dot at the end, e.g.: -rw-rw-r--. This causes havoc with many applications, i.e. gedit complains it cannot make a back-up file.

Open a bugzilla on this. Having an extended attribute should not cause gedit to fail.

> Q: How can I EASILY remove all SELinux attributes, e.g. perhaps with a single command?
> 
> Best regards,
> Sean Carlos
Re: Easy way to remove SELinux permissions?
On 09/10/2009 11:19 AM, Stephen Smalley wrote:
> On Thu, 2009-09-10 at 10:58 -0400, Daniel J Walsh wrote:
>> On 09/10/2009 01:58 AM, Sean Carlos wrote:
>>> At one point I performed a new Fedora install and restored my personal files before disabling SELinux, which I don't need. As a result many files have permissions which include a dot at the end, e.g.: -rw-rw-r--. This causes havoc with many applications, i.e. gedit complains it cannot make a back-up file.
>> Open a bugzilla on this. Having an extended attribute should not cause gedit to fail.
> I think what is happening is this: gedit has been instrumented to preserve the security.selinux attribute on files. This works fine when SELinux is enabled, as SELinux applies a set of permission checks on setting its attributes and does not require a Linux capability / superuser access in doing so. But when SELinux is disabled, setting any attribute in the security.* namespace is restricted to CAP_SYS_ADMIN, and thus non-root use of gedit will fail on the setxattr() call with EPERM.

I would say that gedit should check the SELinux enforcing mode and, if disabled, continue to work.
Re: Where are selinux workarounds/exceptions/hacks tracked?
On 09/05/2009 12:17 PM, nodata wrote:
> I remember ages and ages ago when selinux first came to Fedora that lots of apps (Java, flash, Mozilla/Firefox) didn't work because the apps did dodgy things with memory. I was wondering if these dodgy things still existed, and if they did, what effort was being put into making them go away? Is it tracked anywhere? Thanks.

Java/Mono/Wine all have to do the dodgy things in memory, since by their nature they write to a memory location and then execute the code. I believe firefox/Mozilla has been fixed. Also certain libflash instances have been fixed.
Re: SELinux Exim Problem
On 09/07/2009 04:34 AM, Didar Hossain wrote:
> On Sat, Sep 5, 2009 at 9:45 PM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
>> On F11 when exim attempts to retrieve mail from my ISP, I get the following:
> How are you pulling the mail from your ISP?
>> Summary:
>> 
>> SELinux is preventing exim (exim_t) getattr boot_t.
>> 
>> Detailed Description:
>> 
>> SELinux denied access requested by exim. It is not expected that this access is required by exim and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>> 
>> Allowing Access:
>> 
>> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>> 
>> Additional Information:
>> 
>> Source Context                system_u:system_r:exim_t:s0
>> Target Context                system_u:object_r:boot_t:s0
>> Target Objects                /boot [ dir ]
>> Source                        exim
>> Source Path                   /usr/sbin/exim
>> Port                          Unknown
>> Host                          flinux
>> Source RPM Packages           exim-4.69-10.fc11
>> Target RPM Packages           filesystem-2.4.21-1.fc11
>> Policy RPM                    selinux-policy-3.6.12-80.fc11
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     flinux
>> Platform                      Linux flinux 2.6.29.6-217.2.16.fc11.i686.PAE #1 SMP Mon Aug 24 17:16:21 EDT 2009 i686 athlon
>> Alert Count                   327
>> First Seen                    Sun 12 Jul 2009 05:09:10 PM PDT
>> Last Seen                     Sat 05 Sep 2009 09:05:41 AM PDT
>> Local ID                      c330c7e2-7fd7-45ae-8ebb-8de1def6e145
>> Line Numbers
>> 
>> Raw Audit Messages
>> 
>> node=flinux type=AVC msg=audit(1252166741.77:28): avc: denied { getattr } for pid=2279 comm=exim path=/boot dev=sda1 ino=2 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
>> node=flinux type=SYSCALL msg=audit(1252166741.77:28): arch=4003 syscall=195 success=no exit=-13 a0=bfbe1292 a1=bfbe1688 a2=756ff4 a3=0 items=0 ppid=1489 pid=2279 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
>> 
>> Other information:
>> 
>> RPMs:
>> exim-4.69-10.fc11.i586
>> selinux-policy-3.6.12-80.fc11.noarch
>> selinux-policy-targeted-3.6.12-80.fc11.noarch
>> 
>> The mail does get through, but I get an SELinux error for each message. I've looked for '/boot' in the exim config files but came up empty. I installed F11 but kept my home directory, which is on a different disk. Since I have not heard anyone else complaining about this, I figure that it's my configuration. I just don't know where else to look.
>> 
>> Frank

Probably some API that exim is calling is looking at the mounted file systems, which is causing it to look at /boot. I think we can allow this for now.
Re: F10 SElinux issues
On 08/04/2009 11:11 AM, Steve wrote:
> Daniel,
> 
> Daniel J Walsh <dwa...@redhat.com> wrote:
>> On 08/03/2009 10:50 AM, Steve Blackwell wrote:
>>> Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SELinux warnings. Here's one. I get it at seemingly random times, i.e. not when I log in.
>>> 
>>> Aug 3 09:06:50 steve setroubleshoot: SELinux is preventing polkit-read-aut (polkit_auth_t) write to /var/log/gdm/:0-greeter.log (xserver_log_t). For complete SELinux messages, run sealert -l a4a0ec72-1ae8-46af-a27c-441b4a5f1cdb
>> This looks like a redirection of stdout to the log file. You can add this rule using
>> 
>> # grep polkit-read-aut /var/log/audit/audit.log | audit2allow -M mypolkit
>> # semodule -i mypolkit.pp
>> 
>> I believe this is actually a bug in xdm, in that it should be passing append privs for its log versus write.
> I can, and will, try this but it seems to me I have a more fundamental problem. As I said, this is just one of many alerts. They come in bunches every half hour or so. The latest group were all "SELinux is preventing certwatch from..." 7 of them. Before that it was system-config-s and polkit, about 25 different ones of those, some with multiple instances. In F9, I would only occasionally get an alert. Also, if this is really a bug in xdm, can I really be the first one to find it? F10 has been out for 7 or 8 months.
>> If a relabel caused you to lose labels, then you need to add the labels via semanage fcontext instead of just executing a chcon. For example, if I had web content under /myweb
>> 
>> # semanage fcontext -a -t httpd_sys_content_t '/myweb(/.*)?'
>> # restorecon -R -v /myweb
>> 
>> would tell the SELinux system about my alternative labeling.
> I don't really have alternative labelling. I just fixed a few of the things that got flagged. I guess a relabel put everything back to the default. IIUC what you are suggesting is to make those changes permanent. Would an rpm update to policy override that?
> 
> Thanks,
> Steve

No, that is what permanent means.

RPM asks the SELinux libraries how to label the system. If you tell SELinux that /myweb needs to be labeled httpd_sys_content_t, then RPM will honor that. restorecon, udev, matchpathcon... and any other program that uses libselinux for labeling will also.

Please send me a compressed /var/log/audit/audit.log off list if you would like me to look at why SELinux is complaining on your box.
Re: F10 SElinux issues
On 08/03/2009 10:50 AM, Steve Blackwell wrote:
> Ever since I upgraded from F9 to F10 when F9 went EOL I've been having lots of SELinux warnings. Here's one. I get it at seemingly random times, i.e. not when I log in.
> 
> Aug 3 09:06:50 steve setroubleshoot: SELinux is preventing polkit-read-aut (polkit_auth_t) write to /var/log/gdm/:0-greeter.log (xserver_log_t). For complete SELinux messages, run sealert -l a4a0ec72-1ae8-46af-a27c-441b4a5f1cdb

This looks like a redirection of stdout to the log file. You can add this rule using

# grep polkit-read-aut /var/log/audit/audit.log | audit2allow -M mypolkit
# semodule -i mypolkit.pp

I believe this is actually a bug in xdm, in that it should be passing append privs for its log versus write.

If a relabel caused you to lose labels, then you need to add the labels via semanage fcontext instead of just executing a chcon. For example, if I had web content under /myweb

# semanage fcontext -a -t httpd_sys_content_t '/myweb(/.*)?'
# restorecon -R -v /myweb

would tell the SELinux system about my alternative labeling.

A blog I wrote about similar stuff:
http://danwalsh.livejournal.com/28027.html

> setroubleshoot suggests restorecon -v '/var/log/gdm/:0-greeter.log'
> 
> # ls -lZ /var/log/gdm/:0-greeter.log
> -rw-r--r-- gdm gdm system_u:object_r:xserver_log_t:s0 /var/log/gdm/:0-greeter.log
> # restorecon -v /var/log/gdm/:0-greeter.log
> # ls -lZ /var/log/gdm/:0-greeter.log
> -rw-r--r-- gdm gdm system_u:object_r:xserver_log_t:s0 /var/log/gdm/:0-greeter.log
> 
> i.e. no change
> 
> # tail /var/log/gdm/:0-greeter.log
> Warning: No symbols defined for I228 (keycode 228)
> Warning: No symbols defined for I230 (keycode 230)
> Warning: No symbols defined for I248 (keycode 248)
> Warning: No symbols defined for I249 (keycode 249)
> Warning: No symbols defined for I250 (keycode 250)
> Warning: No symbols defined for I251 (keycode 251)
> Warning: No symbols defined for I252 (keycode 252)
> Warning: No symbols defined for I253 (keycode 253)
> Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x1200022 (Login Wind)
> Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
> 
> This computer is on a 2 machine home network, the other machine being a Vista laptop, and I have them connected via Samba. Is some client trying to login from the laptop?
> 
> # rpm -qa | grep selinux
> selinux-policy-3.5.13-67.fc10.noarch
> libselinux-devel-2.0.78-1.fc10.i386
> selinux-policy-targeted-3.5.13-67.fc10.noarch
> libselinux-2.0.78-1.fc10.i386
> libselinux-utils-2.0.78-1.fc10.i386
> libselinux-python-2.0.78-1.fc10.i386
> 
> Any suggestions?
> 
> Thanks,
> Steve
Re: exim: SELinux
On 07/26/2009 05:45 PM, Frank Chiulli wrote:

Sorry for the delay in responding. I've been on the road and unable to access my Fedora box. So after a little grief with SELinux and permissions I have a log file of exim. I'd post it here but it's 724 lines long. I looked for boot in the file but came up empty. Is there some snippet of the file that I could post?

Frank

On Thu, Jul 16, 2009 at 1:37 AM, Gordon Messmer yiny...@eburg.com wrote:

On 07/14/2009 07:33 PM, Frank Chiulli wrote:

Here's what I did:
- as root, I ran '/etc/init.d/exim stop'
- as root, I ran 'exim -bd -d+all >/tmp/ex.file 2>&1'
- as a normal user, I ran 'fetchmail'

In the past, this would result in an AVC error; but not this time. BTW, there was one new message in my mail file as a result of this.

Sadly, starting exim in that way will not give it the same SELinux context as it would get when run by the init process. If you stop the service and "service exim start", it should get its old context, and the AVC messages should return. That'll get you back to where you can debug the problem.

Just compress the log file.
Re: exim: SELinux
On 07/13/2009 04:06 PM, Frank Chiulli wrote:

Here is the original post:

This is a recently installed/patched F11 system. It was a fresh install to one disk leaving my home directory untouched on another disk. Today, I installed exim and removed sendmail via yum at the command line. I am using the same exim.conf file that I had used with F10 after having compared it to the original one. I am now receiving the following message when I attempt to retrieve mail from my ISP:

Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim (exim_t) getattr boot_t. For complete SELinux messages. run sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad

sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad

Summary:

SELinux is preventing exim (exim_t) getattr boot_t.

Detailed Description:

SELinux denied access requested by exim. It is not expected that this access is required by exim and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:exim_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        exim
Source Path                   /usr/sbin/exim
Port                          Unknown
Host                          flinux
Source RPM Packages           exim-4.69-10.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     flinux
Platform                      Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 athlon
Alert Count                   289
First Seen                    Sun Jul 12 14:22:12 2009
Last Seen                     Sun Jul 12 14:23:53 2009
Local ID                      e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Line Numbers

Raw Audit Messages

node=flinux type=AVC msg=audit(1247433833.210:331): avc: denied { getattr } for pid=2508 comm=exim path=/boot dev=sda1 ino=2 scontext=unconfined_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=4003 syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4 a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm=exim exe=/usr/sbin/exim subj=unconfined_u:system_r:exim_t:s0 key=(null)

Frank

On Mon, Jul 13, 2009 at 8:02 AM, Daniel J Walsh dwa...@redhat.com wrote:

On 07/13/2009 08:24 AM, Frank Chiulli wrote:

I realized that just before I received your email and did post to fedora-list. My mistake and thanks for the heads up.

Frank

On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett m...@davidjmemmett.co.uk wrote:

Don't mean to be completely rude but doesn't this belong on a support forum?

On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:

Didar,

Mail is arriving. I just get one SELinux message for every mail message. I agree...exim should not be referencing /boot AFAIK. But I'm not an expert.

Frank

On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain didar.hoss...@gmail.com wrote:

On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli frankc.fed...@gmail.com wrote:

Thomas,

Thanks for the suggestion. Unfortunately it did not work. I'm still getting the same error.

Frank

Is Exim not executing its job as it is supposed to - as in delivery of mail is hampered by this error? I am no SELinux or Exim expert, but, AFAIK the /boot directory is not supposed to be related to the regular functioning of Exim.

Didar

___
Fedora-infrastructure-list mailing list
fedora-infrastructure-l...@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

I am missing the first email in this chain. What AVC are you seeing from exim when mail arrives?

I think these usually happen when the user is listing /. "ls -lZ /" could cause this type of AVC. Or if the confined application was started when its Current Working Directory was the /boot directory.
Re: SELinux warning about sendmail
On 07/10/2009 06:09 PM, Andras Simon wrote:

Sometimes I see the warning: SELinux is preventing the sendmail from using potentially mislabeled files (/root). sendmail is not installed, but according to sealert, this warning is really about ssmtp. Of course I'm not trying to mail any file from /root, in fact, I don't mail anything. Any idea what might be going on?

Andras

What is the AVC? It might be just doing a getattr of /root which could trigger an AVC. When an app starts with its homedir set to /root, it will getattr on the $HOME, which can cause this AVC. Usually these are dontaudited. So I would need to see the AVC to understand what it is complaining about.

grep avc /var/log/audit/audit.log
Re: httpd vs. avahi and SELinux in Fedora 11
On 07/11/2009 07:06 PM, Steven F. LeBrun wrote:

After doing a clean install of Fedora 11, the Apache webserver, httpd 2.2.11, is failing. The error log [see below] shows that all the httpd children are killing themselves with Segmentation faults. Httpd was working fine in Fedora 10, same laptop and I started with a fresh install of Apache's httpd using the RPM provided for Fedora 11.

At first I thought that maybe it is an SELinux problem. Then I noticed in the error_log the following line:

[error] avahi_entry_group_add_service_strlst(tardis) failed: Local name collision

The FQHN of my laptop where I am trying to run httpd is tardis.home.lebruns.com

Question 1: Are the segmentation faults due to an SELinux policy issue? I checked the files that should be displayed and their security context looks correct. Is there a problem displayed in the first error log line where it states:

SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0

Question 2: Any ideas of what is causing the avahi error message? What causes a Local name collision? None of the configuration files specify the host name that httpd is running on. [Setting ServiceName did not change anything.]

Error Log:

[Sat Jul 11 18:50:26 2009] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Sat Jul 11 18:50:26 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Jul 11 18:50:26 2009] [notice] Digest: generating secret for digest authentication ...
[Sat Jul 11 18:50:26 2009] [notice] Digest: done
[Sat Jul 11 18:50:26 2009] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Sat Jul 11 18:50:26 2009] [notice] mod_python: using mutex_directory /tmp
[Sat Jul 11 18:50:27 2009] [error] avahi_entry_group_add_service_strlst(tardis) failed: Local name collision
[Sat Jul 11 18:50:27 2009] [notice] Apache/2.2.11 (Unix) DAV/2 mod_mono/2.4 mod_nss/2.2.11 NSS/3.12.2.0 PHP/5.2.9 mod_python/3.3.1 Python/2.6 mod_ssl/2.2.11 OpenSSL/0.9.8k-fips mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations
[Sat Jul 11 18:50:27 2009] [notice] child pid 10956 exit signal Segmentation fault (11)
[Sat Jul 11 18:50:27 2009] [notice] child pid 10957 exit signal Segmentation fault (11)
...

The "exit signal Segmentation fault (11)" repeats ad nauseam until httpd is stopped.

Any help and/or suggestions will be appreciated.

Does this happen if SELinux is in permissive mode? Is selinux reporting errors in the /var/log/audit/audit.log?

# getsebool -a | grep avahi
httpd_dbus_avahi --> on

The only avahi/dbus boolean is defined above.
Re: F11 mrtg external scripts permission errors (selinux?)
On 07/12/2009 07:04 AM, Jurgen Kramer wrote:

I've just upgraded my server to Fedora 11 (clean install) and I am trying to get everything working again. I have some problems with my mrtg scripts, they seem not allowed to run. I guess this has something to do with selinux. I see the following errors in the log:

Can't exec /etc/mrtg/cpu_temp.sh: Permission denied at /usr/bin/mrtg line 2030.
2009-07-12 12:35:02: WARNING: Running '/etc/mrtg/cpu_temp.sh': Permission denied
2009-07-12 12:35:02: WARNING: Could not get any data from external command '/etc/mrtg/cpu_temp.sh'
Maybe the external command did not even start. (Permission denied)

I changed the security context for all files residing in /etc/mrtg to:

[kra...@nasng mrtg]$ ll -Z
-rwx--. root root system_u:object_r:mrtg_etc_t:s0 cpufan_speed.sh
-rwx--. root root system_u:object_r:mrtg_etc_t:s0 cpu_temp.sh
-rwx--. root root system_u:object_r:mrtg_etc_t:s0 fan_speed.sh
-rwx--. root root system_u:object_r:mrtg_etc_t:s0 hdd_temp.sh
-rwx--. root root system_u:object_r:mrtg_etc_t:s0 mb_temp.sh
-rw-r--r--. root root system_u:object_r:mrtg_etc_t:s0 mrtg.cfg
-rwx--. root root system_u:object_r:mrtg_etc_t:s0 nbfan_speed.sh

but I still get the permission denied errors. What should the correct security context for the scripts be? Or do they need to be moved to another location? BTW running the command as executed by the crontab by hand works without problems.

Jurgen

mrtg_t can read etc_t but not execute it, these should probably be labeled bin_t. Please attach the AVC messages that mrtg is complaining about, so I can try to write a better setroubleshoot plugin for this.
Re: exim: SELinux
On 07/13/2009 08:24 AM, Frank Chiulli wrote:

I realized that just before I received your email and did post to fedora-list. My mistake and thanks for the heads up.

Frank

On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett m...@davidjmemmett.co.uk wrote:

Don't mean to be completely rude but doesn't this belong on a support forum?

On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:

Didar,

Mail is arriving. I just get one SELinux message for every mail message. I agree...exim should not be referencing /boot AFAIK. But I'm not an expert.

Frank

On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain didar.hoss...@gmail.com wrote:

On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli frankc.fed...@gmail.com wrote:

Thomas,

Thanks for the suggestion. Unfortunately it did not work. I'm still getting the same error.

Frank

Is Exim not executing its job as it is supposed to - as in delivery of mail is hampered by this error? I am no SELinux or Exim expert, but, AFAIK the /boot directory is not supposed to be related to the regular functioning of Exim.

Didar

I am missing the first email in this chain. What AVC are you seeing from exim when mail arrives?
Re: mysql vs selinux
On 07/06/2009 10:08 PM, Amadeus W.M. wrote:

[r...@alm ~]# semanage fcontext -a -t mysqld_db_t '/data/mysql(/.*)?'
[r...@alm ~]# restorecon -R -v /data/mysql

Try

# semanage fcontext -a -t mysqld_db_t '/data(/.*)?'
# restorecon -R -v /data
Re: [F11, SELinux] What is mls?
On 07/07/2009 09:33 AM, Marko Vojinovic wrote:

On Tue, Jul 7, 2009 at 1:58 PM, Stephen Smalley s...@tycho.nsa.gov wrote:

You can ignore, and I think they are silenced by a policy update. A libselinux constructor probes for /selinux/mls to initialize internal state used later by the library functions, and unfortunately all of the net-tools are getting linked against libselinux now just because of netstat -Z support. No, you don't need selinux-policy-mls. There is a patch pending for libselinux that will make such probing happen lazily and thus avoid such denials.

Ok, so after the updates arrive, the alerts will simply go away, IIUC. Thanks!

Best, :-)
Marko

You can grab the updates now

yum upgrade selinux-policy-targeted --enablerepo=updates-testing

We had a request in to push to stable, for about a week, I do not know what is holding this up.
Re: mysql vs selinux
On 07/05/2009 11:57 PM, Amadeus W.M. wrote:

Trying to run mysqld with datadir=/data/mysql (i.e. different than the default datadir=/var/lib/mysql). When I start mysqld for the first time it fails:

[r...@alm ~]# /etc/rc.d/init.d/mysqld start
Initializing MySQL database: Installing MySQL system tables...
090705 23:01:52 [Warning] Can't create test file /data/mysql/alm.lower-test
090705 23:01:52 [Warning] Can't create test file /data/mysql/alm.lower-test
/usr/libexec/mysqld: Can't change dir to '/data/mysql/' (Errcode: 13)
090705 23:01:52 [ERROR] Aborting

and selinux pops up and says

Summary:

SELinux is preventing mysqld (mysqld_t) search to / (default_t).

Detailed Description:

SELinux denied access requested by mysqld. / may be a mislabeled. / default SELinux type is root_t, but its current type is default_t. Changing this file back to the default type, may fix your problem.

[more stuff]

Poking around on google I found this suggestion:

http://www.linuxforums.org/forum/servers/54215-moving-mysql-datafile-another-location-2.html

chcon -R -u system_u -r object_r -t mysqld_db_t /home/mysqldb
chcon -R -u system_u -r object_r -t mysqld_db_t /var/lib/mysql/
chcon -u system_u -r object_r -t mysqld_etc_t /etc/my.cnf

with /data/mysql instead of /home/mysqldb, of course. This was as of FC7. Would this still be the right thing to do in F11?

I'm really being patient here with selinux, trying to give it a 2nd chance (first chance was about F3 or F4). I'm trying to avoid the barbaric solution of disabling it altogether yet again.

Oh, by the way, I am able to run mysqld without a hitch even with selinux enabled provided that I use the default datadir=/var/lib/mysql. That's not acceptable though, as my /var is too small for the colossal amount of data I have.

I tried to keep this post relatively short, so I didn't include all selinux info. If more is necessary, I'll post it.

Please help!

Here is a new guide we are working on for setting up different confined services. There is a chapter on mysql.

http://sradvan.fedorapeople.org/SELinux_Managing_Confined_Services/en-US/html/

Specifically check out this page:

http://sradvan.fedorapeople.org/SELinux_Managing_Confined_Services/en-US/html/sect-Managing_Confined_Services-MySQL-Configuration_Examples.html
Re: SELinux advisory
On 06/26/2009 11:20 AM, Paolo Galtieri wrote:

I keep getting the following SELinux alert.

SELinux is preventing hostname (hostname_t) read security_t

The alert data is shown below. I'm not sure what I might have changed to cause this.

Paolo

Summary:

SELinux is preventing hostname (hostname_t) read security_t.

Detailed Description:

SELinux denied access requested by hostname. It is not expected that this access is required by hostname and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:hostname_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                mls [ file ]
Source                        hostname
Source Path                   /bin/hostname
Port                          Unknown
Host                          peglaptop10
Source RPM Packages           net-tools-1.60-92.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-50.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     peglaptop10
Platform                      Linux peglaptop10 2.6.29.5-191.fc11.x86_64 #1 SMP Tue Jun 16 23:23:21 EDT 2009 x86_64 x86_64
Alert Count                   108
First Seen                    Fri 19 Jun 2009 06:33:48 PM MST
Last Seen                     Fri 26 Jun 2009 07:31:49 AM MST
Local ID                      2bc187c8-f1ab-4a44-8c0b-cc092191743b
Line Numbers

Raw Audit Messages

node=peglaptop10 type=AVC msg=audit(1246026709.145:1331): avc: denied { read } for pid=14213 comm=hostname name=mls dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=peglaptop10 type=SYSCALL msg=audit(1246026709.145:1331): arch=c03e syscall=2 success=no exit=-13 a0=7fff3f294550 a1=0 a2=7fff3f29455c a3=fff8 items=0 ppid=14200 pid=14213 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

You can ignore this for now and update to selinux-policy-3.6.12-57.fc11.noarch, when it becomes available. Or you can grab it now at

https://admin.fedoraproject.org/updates/selinux-policy-3.6.12-57.fc11
Re: Selinux, cups, hplip
On 06/23/2009 08:09 PM, Richard Shaw wrote:

On Mon, Jun 22, 2009 at 3:48 PM, Daniel J Walsh dwa...@redhat.com wrote:

On 06/20/2009 01:50 PM, Steven Stern wrote:

On 06/20/2009 06:12 AM, Daniel J Walsh wrote:

On 06/19/2009 07:10 PM, Steven Stern wrote:

After installing hplip-gui, I got selinux errors when checking on the printer status. audit2allow generated the following policy

module cups20090619 1.0;

require {
    type hwdata_t;
    type xdm_t;
    class dir search;
    class file { read getattr open };
}

#============= xdm_t ==============
allow xdm_t hwdata_t:dir search;
allow xdm_t hwdata_t:file { read getattr open };

xdm is checking the printer status? This allow rule indicates the X Login program is checking the printer status. Could you attach the AVC's you used to generate this policy.

And here's another one related to hplip

type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for pid=25561 comm=python name=mls dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for pid=25561 comm=python name=mls dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

Could you report this as a bug to cups. Cups has some MLS awareness in it and maybe it is reading this file directly rather than through libselinux. CC me on the bug report dwa...@redhat.com

Just a me too here. I've got two separate issues, one has to do with this thread. Just after installing F11 everything seemed fine. I poked the necessary holes in my firewall and shared my printer queues and my wife could print from her F10 laptop. Now it seems just about every job gets stuck and I see the AVC denials about python. Here's the details for mine (just in case anything is different):

---
Summary:

SELinux is preventing python (hplip_t) read security_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by python. It is not expected that this access is required by python and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:hplip_t:s0
Target Context                system_u:object_r:security_t:s0
Target Objects                mls [ file ]
Source                        python
Source Path                   /usr/bin/python
Port                          Unknown
Host                          hobbes.localdomain
Source RPM Packages           python-2.6-9.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-50.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hobbes.localdomain
Platform                      Linux hobbes.localdomain 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   16
First Seen                    Sun 21 Jun 2009 02:29:26 PM CDT
Last Seen                     Tue 23 Jun 2009 06:58:21 PM CDT
Local ID                      0a0b19ce-a912-4305-9e4a-1e1369ea4f3f
Line Numbers

Raw Audit Messages

node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc: denied { read } for pid=11771 comm=python name=mls dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc: denied { open } for pid=11771 comm=python name=mls dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

node=hobbes.localdomain type=SYSCALL msg=audit(1245801501.788:374): arch=c03e syscall=2 success=yes exit=6 a0=7fffb58ba060 a1=0 a2=7fffb58ba06c a3=fff8 items=0 ppid=11764 pid=11771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=python exe=/usr/bin/python subj=system_u:system_r:hplip_t:s0 key=(null)
---

Thanks,
Richard

Those should not be blocking anything.
Re: F11 SELinux Squid port 2082
On 06/23/2009 01:37 AM, Mark Panen wrote:

Hi

It is impossible for me to reach a web page that uses port 2082 through squid as SELinux keeps blocking it. If i bypass squid i can reach the web page. How do i configure SELinux to allow port 2082?

Mark

One of two ways, you can either allow squid to connect to any port by turning on the squid_connect_any boolean

setsebool -P squid_connect_any 1

Or you can tell SELinux port 2082 is an http port

semanage port -a -t http_port_t -p tcp 2082
Re: Selinux, cups, hplip
On 06/20/2009 01:50 PM, Steven Stern wrote:

On 06/20/2009 06:12 AM, Daniel J Walsh wrote:

On 06/19/2009 07:10 PM, Steven Stern wrote:

After installing hplip-gui, I got selinux errors when checking on the printer status. audit2allow generated the following policy

module cups20090619 1.0;

require {
    type hwdata_t;
    type xdm_t;
    class dir search;
    class file { read getattr open };
}

#============= xdm_t ==============
allow xdm_t hwdata_t:dir search;
allow xdm_t hwdata_t:file { read getattr open };

xdm is checking the printer status? This allow rule indicates the X Login program is checking the printer status. Could you attach the AVC's you used to generate this policy.

And here's another one related to hplip

type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for pid=25561 comm=python name=mls dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for pid=25561 comm=python name=mls dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

Could you report this as a bug to cups. Cups has some MLS awareness in it and maybe it is reading this file directly rather than through libselinux. CC me on the bug report dwa...@redhat.com
Re: Selinux, cups, hplip
On 06/19/2009 07:10 PM, Steven Stern wrote:

After installing hplip-gui, I got selinux errors when checking on the printer status. audit2allow generated the following policy

module cups20090619 1.0;

require {
    type hwdata_t;
    type xdm_t;
    class dir search;
    class file { read getattr open };
}

#============= xdm_t ==============
allow xdm_t hwdata_t:dir search;
allow xdm_t hwdata_t:file { read getattr open };

xdm is checking the printer status? This allow rule indicates the X Login program is checking the printer status. Could you attach the AVC's you used to generate this policy.
Re: power mgmt, screen off, selinux - F11
On 06/17/2009 08:17 AM, Steven Stern wrote:

My screen no longer shuts off after 30 minutes. It had been fine, but on SYSTEM - PREFERENCES - POWER MANAGEMENT, I clicked the "Make Default" button. After entering the root password, there were several selinux errors regarding the labeling of %gconf.xml in ~/.gconf/apps. I put selinux into permissive mode and tried again.

Run restorecon -R -v ~/ to fix the labeling in your home dir. Should be able to run SELinux in enforcing mode.

My screensaver now kicks in at the desired time, but the monitor is no longer turned off. It looks like the file is set correctly in my home directories. Suggestions?

That I do not know.

$ cat .gconf/apps/gnome-power-manager/timeout/%gconf.xml
<?xml version="1.0"?>
<gconf>
    <entry name="sleep_display_ac" mtime="1245240339" type="int" value="1200"/>
</gconf>

$ cat .gconf/apps/gnome-power-manager/ui/%gconf.xml
<?xml version="1.0"?>
<gconf>
    <entry name="enable_sound" mtime="1245240540" type="bool" value="true"/>
</gconf>

$ cat .gconf/apps/gnome-power-manager/backlight/%gconf.xml
<?xml version="1.0"?>
<gconf>
    <entry name="idle_dim_ac" mtime="1245240540" type="bool" value="false"/>
</gconf>
Re: packaging web applications, SELinux
On 06/16/2009 11:34 AM, Chuck Anderson wrote:

Is there any pointer to best practices for packaging a web application that provides static content, cgi scripts, integrates with Apache configuration, and works with SELinux? How should I package the SELinux policy needed to make this work? The Packaging Guidelines mention Web Applications, but not how to make them work with SELinux:

https://fedoraproject.org/wiki/Packaging/Guidelines#Web_Applications

Thanks.

Good question. I would suggest we start writing this and if we could come up with standard locations for content we could make it work without the packages having to worry about it.

I would suggest that we store static content in a directory like /usr/share/MYAPP/html/...
Cgi scripts in /usr/share/MYAPP/cgi-bin/...
Writable directories from the Web in a directory named /var/lib/MYAPP or some subdir of this.

If your web app is a cgi, I would prefer that we write policy for it to confine it differently than the default. Writing policy for cgi scripts is surprisingly easy and I would be willing to help.

If we went with a standard I could set up the labeling for

/usr/share/[^/]*/html(/.*)? to be httpd_sys_content_t

and /usr/share/[^/]*/cgi-bin(/.*)? to be httpd_sys_script_exec_t

Labeling /var/lib/MYAPP would be more difficult unless we came up with a standard subdir. /var/lib/MYAPP/htmldata

Then if an app writes its own policy for handling we can override these default labels.

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
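The labeling advice in the mysql thread above (a rule for '/data(/.*)?' rather than '/data/mysql(/.*)?') and the standard web-app layout proposed here, as an added example that is not code from the list, from libselinux or from policycoreutils: a small matchpathcon-style evaluator over a constructed rule table, which also walks the datadir's parent directories to show why a rule covering only /data/mysql still leaves mysqld unable to search /data. The rule table, the MYSQLD_SEARCHABLE set, the default_t fallback and the longest-stem tie-break are assumptions made for the demo.

```python
import re

# Constructed rule table: the regexes are the ones written in the replies
# above (the proposed web-app layout, /myweb, /var/lib/mysql) with the types
# those replies assign. Real rules live in the policy's file_contexts files.
WEBAPP_RULES = [
    (r"/", "root_t"),
    (r"/myweb(/.*)?", "httpd_sys_content_t"),
    (r"/var/lib/mysql(/.*)?", "mysqld_db_t"),
    (r"/usr/share/[^/]*/html(/.*)?", "httpd_sys_content_t"),
    (r"/usr/share/[^/]*/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
]

# Constructed: directory types that mysqld_t is allowed to search in this demo.
MYSQLD_SEARCHABLE = {"root_t", "var_t", "var_lib_t", "mysqld_db_t"}


def literal_stem(regex):
    """Literal prefix of a rule before its first regex metacharacter."""
    return re.split(r"[.*?+\[\]()^$|\\]", regex, maxsplit=1)[0]


def label_for(path, rules, fallback="default_t"):
    """Type that restorecon would apply to path under these rules.

    Rules are anchored at both ends, as libselinux does. When several rules
    match, the demo keeps the one with the longest literal stem (assumption:
    a simplification of the ordering libselinux uses). Paths that no rule
    covers get default_t here, which is what the mysql thread reported for /.
    """
    best = None
    for regex, ftype in rules:
        if re.fullmatch(regex, path):
            stem_len = len(literal_stem(regex))
            if best is None or stem_len > best[0]:
                best = (stem_len, ftype)
    return best[1] if best is not None else fallback


def ancestors(path):
    """Yield /, then each directory on the way down to path itself."""
    parts = [p for p in path.split("/") if p]
    yield "/"
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])


def first_blocked_dir(datadir, rules, searchable):
    """Walk from / down to datadir the way a chdir is resolved and return
    (directory, type) for the first component the domain may not search,
    or None if the whole path is traversable.

    With only a /data/mysql rule, /data keeps the fallback type and the
    'Can't change dir' failure happens there even though the datadir itself
    is labeled mysqld_db_t; a /data rule labels the parent as well.
    """
    for d in ancestors(datadir):
        t = label_for(d, rules)
        if t not in searchable:
            return (d, t)
    return None


if __name__ == "__main__":
    narrow = WEBAPP_RULES + [(r"/data/mysql(/.*)?", "mysqld_db_t")]
    wide = WEBAPP_RULES + [(r"/data(/.*)?", "mysqld_db_t")]
    print(first_blocked_dir("/data/mysql", narrow, MYSQLD_SEARCHABLE))
    print(first_blocked_dir("/data/mysql", wide, MYSQLD_SEARCHABLE))
    for p in ("/usr/share/myapp/html/index.html",
              "/usr/share/myapp/cgi-bin/index.cgi",
              "/usr/share/myapp/README"):
        print(p, "->", label_for(p, WEBAPP_RULES))
```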
Re: Dbus/Selinux issue after upgrading to F11
On 06/13/2009 07:52 PM, NMONNET wrote:
> type=AVC msg=audit(1244936277.370:81): avc: denied { search } for pid=2394 comm=dbus-daemon name=3998 dev=proc ino=337975 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=dir
> type=AVC msg=audit(1244936277.370:81): avc: denied { read } for pid=2394 comm=dbus-daemon name=cmdline dev=proc ino=337976 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=file
> type=SYSCALL msg=audit(1244936277.370:81): arch=c03e syscall=2 success=yes exit=66 a0=7f02cc625660 a1=0 a2=7f02cc625672 a3=0 items=0 ppid=1 pid=2394 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm=dbus-daemon exe=/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1244936292.198:82): avc: denied { search } for pid=2394 comm=dbus-daemon name=3972 dev=proc ino=338174 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_mono_t:s0 tclass=dir
> type=SYSCALL msg=audit(1244936292.198:82): arch=c03e syscall=2 success=yes exit=67 a0=7f02cc639d70 a1=0 a2=7f02cc639d82 a3=0 items=0 ppid=1 pid=2394 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm=dbus-daemon exe=/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

Please upgrade to the latest selinux-policy in updates, or it might still be in updates-testing:

yum update selinux-policy-targeted

If you do not get an update, try

yum update selinux-policy-targeted --enablerepo=updates-testing
Re: Dbus/Selinux issue after upgrading to F11
On 06/15/2009 10:46 AM, Wander Boessenkool wrote:
> On Mon, Jun 15, 2009 at 10:34:32AM -0400, Daniel J Walsh wrote:
> > On 06/13/2009 07:52 PM, NMONNET wrote:
> > > type=AVC msg=audit(1244936277.370:81): avc: denied { search } for pid=2394 comm=dbus-daemon name=3998 dev=proc ino=337975
> >
> > Please upgrade to the latest selinux-policy in updates, or it might still be in updates-testing:
> >
> > yum update selinux-policy-targeted
> >
> > If you do not get an update, try
> >
> > yum update selinux-policy-targeted --enablerepo=updates-testing
>
> What fixed it for me was doing:
>
> setenforce 0; fixfiles -F restore; setenforce 1; reboot
>
> After doing f8 - f9 - f10 - f11 over the years, not all contexts were exactly as they should be.

Yes, upgrading continuously can leave you with mislabeled files.

The dbus issue was caused by it trying to read the /proc entries of running processes, probably executing killall or pidof commands.
Re: system-config-selinux error after updates
policycoreutils-2.0.62-12.5.fc11, currently in updates-testing, or policycoreutils-2.0.62-12.6.fc11 in Koji should fix this problem. I have asked for -5 to be pushed into F11 final.

Please grab one of these packages to see if it fixes your problem.
Re: SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running
On 05/21/2009 09:42 AM, Mike Fleetwood wrote:
> Daniel J Walsh wrote:
> > Are you seeing any avc's in /var/log/audit/audit.log?
>
> With SELinux in permissive mode ...
>
> [r...@mfleetwo3 ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> [r...@mfleetwo3 ~]# service messagebus status
> dbus-daemon (pid 2736 2055) is running...
>
> I get the following in /var/log/audit/audit.log:
>
> type=SELINUX_ERR msg=audit(1242912572.287:30134): security_compute_sid: invalid context unconfined_u:unconfined_r:initrc_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1242912572.287:30134): arch=4003 syscall=11 success=yes exit=0 a0=bf981981 a1=bf980194 a2=8fca858 a3=4 items=0 ppid=4082 pid=4087 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm=messagebus exe=/bin/bash subj=unconfined_u:unconfined_r:initrc_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(1242912572.294:30135): security_compute_sid: invalid context unconfined_u:unconfined_r:initrc_t:s0 for scontext=unconfined_u:unconfined_r:initrc_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1242912572.294:30135): arch=4003 syscall=11 success=yes exit=0 a0=8ec9e78 a1=8ec44b8 a2=8ec9c08 a3=0 items=0 ppid=4088 pid=4089 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm=consoletype exe=/sbin/consoletype subj=unconfined_u:unconfined_r:initrc_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(1242912572.310:30136): security_compute_sid: invalid context unconfined_u:unconfined_r:initrc_t:s0 for scontext=unconfined_u:unconfined_r:initrc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=process
> type=SYSCALL msg=audit(1242912572.310:30136): arch=4003 syscall=11 success=yes exit=0 a0=8ec8e80 a1=8ec48f8 a2=8ec8fd0 a3=0 items=0 ppid=4090 pid=4091 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm=pidof exe=/sbin/killall5 subj=unconfined_u:unconfined_r:initrc_t:s0 key=(null)
>
> I assume that there is a single SELinux related root cause which is preventing D-Bus starting ConsoleKit and preventing /sbin/service reporting status of daemon when SELinux is in enforcing mode.
>
> P.S. Sorry in advance if I don't reply for a week. I am away on holiday from Friday for a week with unknown Internet connectivity.
>
> Thanks,
> Mike

Your message bus is running as initrc_t, which indicates that you have a labeling problem.

fixfiles restore

Reboot and you should be all set. Your message bus should be running as system_dbusd_t. It is also running as unconfined_u:unconfined_r, which indicates you have stopped and started it.

If you run

restorecon -R -v /bin

I would figure you will see some mislabeled files.
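The records quoted in this thread and in the D-Bus thread above are the kind of thing a defender has to triage by hand: which domain was denied what on which type, which executable the event belongs to (the SYSCALL record with the same serial number), and whether the record points at missing policy or, as Dan diagnoses here, at mislabeled files. The script below is an added example for that triage, not a tool from the threads, from Fedora or from policycoreutils. The sample log is constructed from the records quoted in the two threads, trimmed to the fields used; real auditd output quotes comm/exe/name, and the thread's copies lost those quotes, so the parser accepts both forms. The labeling hints encode only the diagnosis given in this thread (a service running as initrc_t under unconfined_u:unconfined_r means a labeling problem or a service restarted by hand) and are heuristics, not policy semantics.

```python
"""Triage helper for SELinux audit records (AVC, SELINUX_ERR, SYSCALL)."""
import re
from collections import Counter

# Constructed sample, assembled from the records quoted in the two threads
# above (D-Bus denials and the messagebus SELINUX_ERR lines), trimmed to the
# fields this script uses. auditd quotes comm/exe/name; the thread's copies
# lost the quotes, so both forms appear here and both are parsed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1244936277.370:81): avc:  denied  { search } for  pid=2394 comm="dbus-daemon" name="3998" dev=proc ino=337975 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=dir
type=AVC msg=audit(1244936277.370:81): avc:  denied  { read } for  pid=2394 comm="dbus-daemon" name="cmdline" dev=proc ino=337976 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=file
type=SYSCALL msg=audit(1244936277.370:81): syscall=2 success=yes exit=66 ppid=1 pid=2394 uid=81 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1244936292.198:82): avc:  denied  { search } for  pid=2394 comm=dbus-daemon name=3972 dev=proc ino=338174 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_mono_t:s0 tclass=dir
type=SELINUX_ERR msg=audit(1242912572.287:30134): security_compute_sid:  invalid context unconfined_u:unconfined_r:initrc_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1242912572.287:30134): syscall=11 success=yes exit=0 ppid=4082 pid=4087 uid=0 comm="messagebus" exe="/bin/bash" subj=unconfined_u:unconfined_r:initrc_t:s0 key=(null)
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
ERR_RE = re.compile(r"security_compute_sid:\s+invalid context (\S+) for (.*)$")
# key=value pairs: quoted strings, parenthesised values like (null), or bare words
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_record(line):
    """Parse one audit record into a dict, or return None for unrelated lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, stamp, serial, body = m.groups()
    rec = {"type": rtype, "time": float(stamp), "serial": int(serial)}
    if rtype == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"] = a.group(1)
        rec["perms"] = tuple(sorted(a.group(2).split()))
        body = a.group(3)
    elif rtype == "SELINUX_ERR":
        e = ERR_RE.match(body)
        if not e:
            return None
        rec["invalid_context"] = e.group(1)
        body = e.group(2)
    for key, value in FIELD_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]


def denial_summary(records):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for r in records:
        if r["type"] == "AVC" and r["result"] == "denied":
            key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"], r["perms"])
            counts[key] += 1
    return counts


def exe_for(records, serial):
    """The executable from the SYSCALL record sharing an event serial number."""
    for r in records:
        if r["type"] == "SYSCALL" and r["serial"] == serial:
            return r.get("exe")
    return None


def labeling_hints(records):
    """Heuristics from the thread: flag records that point at mislabeled files
    (or a hand-restarted service) rather than at missing policy."""
    hints = []
    for r in records:
        if r["type"] == "SELINUX_ERR" and "invalid_context" in r:
            role = r["scontext"].split(":")[1]
            hints.append("event %d: policy has no valid context for a transition to %s "
                         "under role %s; check file labels (restorecon -R -v) before "
                         "writing allow rules" % (r["serial"], type_of(r["invalid_context"]), role))
        elif (r["type"] == "SYSCALL"
              and r.get("subj", "").startswith("unconfined_u:unconfined_r:")
              and type_of(r["subj"]) == "initrc_t"):
            hints.append("pid %s (%s) runs as initrc_t under unconfined_u:unconfined_r: "
                         "a system service started by hand from a user shell"
                         % (r["pid"], r.get("exe")))
    return hints


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for key, n in sorted(denial_summary(recs).items()):
        print("%dx %s -> %s:%s %s" % (n, key[0], key[1], key[2], " ".join(key[3])))
    for hint in labeling_hints(recs):
        print(hint)
```

Grouping by (source type, target type, class, permission) collapses the repeated dbus-daemon denials into a handful of distinct tuples, which is the granularity at which a policy update (the fix in the D-Bus thread) or a relabel (the fix in this thread) is decided; the SYSCALL join is what tells you the "messagebus" event was really a bash script running as initrc_t.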
Re: SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running
On 05/21/2009 11:27 AM, Mike Fleetwood wrote:
> Daniel J Walsh wrote:
> > Your message bus is running as initrc_t which indicates that you have a labeling problem.
> >
> > fixfiles restore
> >
> > Reboot and you should be all set. Your message bus should be running as system_dbusd_t. It is also running as unconfined_u:unconfined_r which indicates you have stopped and started it. If you run restorecon -R -v /bin I would figure you will see some mislabeled files.
>
> Logged in to X11 via GDM as my user mfleetwo, then in a terminal su -.
>
> [r...@mfleetwo3 ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          enforcing
> Policy version:                 23
> Policy from config file:        targeted
> [r...@mfleetwo3 ~]# fixfiles restore
> /sbin/setfiles: unable to stat file /home/mfleetwo/.gvfs: Permission denied
> /sbin/setfiles: error while labeling /: Permission denied
> /sbin/setfiles: error while labeling /boot: Permission denied
>
> And in /var/log/audit/audit.log:
>
> type=FS_RELABEL msg=audit(1242919396.655:30941): user pid=4985 uid=0 auid=500 ses=2 subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 msg='op=mass relabel: exe=/sbin/setfiles (hostname=?, addr=?, terminal=pts/1 res=failed)'
>
> Stopped at this point as to me it looks like 'fixfiles restore' didn't work.
>
> [r...@mfleetwo3 ~]# df -k
> Filesystem                      1K-blocks     Used Available Use% Mounted on
> /dev/mapper/VolGroup00-LogVol00  46884088 36970092   7504128  84% /
> /dev/sda1                          202219    28319    163573  15% /boot
> tmpfs                              772768       76    772692   1% /dev/shm
> [r...@mfleetwo3 ~]# ls -dZ / /boot
> drwxr-xr-x  root root system_u:object_r:root_t /
> drwxr-xr-x  root root system_u:object_r:boot_t /boot
>
> Thanks,
> Mike

What file system are you using?

Try

# restorecon -R -v / 2> /dev/null

You will get lots of errors.
Re: SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running
On 05/21/2009 03:26 PM, Mike Fleetwood wrote:
> Daniel J Walsh:
> > What file system are you using?
> >
> > Try
> >
> > # restorecon -R -v / 2> /dev/null
> >
> > You will get lots of errors.
>
> Ext3 file system.
>
> [r...@mfleetwo3 ~]# mount | egrep '/ |/boot'
> /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
> /dev/sda1 on /boot type ext3 (rw)
> [r...@mfleetwo3 ~]# restorecon -R -v / 2> /dev/null
> restorecon reset /dev/shm context system_u:object_r:tmpfs_t:s0->system_u:object_r:device_t:s0
> restorecon reset /dev/shm/pulse-shm-1549836239 context unconfined_u:object_r:unconfined_tmpfs_t:s0->system_u:object_r:device_t:s0
>
> I only got these 2 context corrections. About as I expected, as I performed a full relabel earlier by touching /.autorelabel and rebooting only a few days ago before I asked for help.
>
> Thanks,
> Mike

Mike, could you join me on irc #selinux on freenode and talk to me there (dwalsh)?
Re: SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running
On 05/20/2009 04:23 AM, Mike Fleetwood wrote:
> I wrote:
> > I can see that on my functioning desktops that before login, gdm has been granted read-write access, via ACLs, to the sound device files in /dev/snd/. After GDM login my user is granted read-write instead. On my broken desktop there are no ACLs granting extra permissions.
>
> I have now restored the original permissions on the /dev/snd/* files and added my user read-write access via ACLs. Still pulseaudio does not start.
>
> > I also noticed that on my broken desktop, console-kit-daemon is not running. So far I have only found that console-kit-daemon may have been started with /etc/rc.d/init.d/ConsoleKit circa Fedora 8. That ConsoleKit service script has been removed in Fedora 10 and I don't yet know how console-kit-daemon is meant to be started.
> >
> > Is console-kit-daemon running even relevant to GDM adding ACLs for the console user to access devices?
>
> Probably.
>
> > Is this relevant to why pulseaudio fails to start?
>
> Don't know, as even when standard file permissions, rather than ACLs, allowed access to /dev/snd/* pulseaudio died on startup.
>
> From my functional home desktop ...
>
> [m...@rockover ~]$ getfacl -p /dev/snd/controlC0
> # file: /dev/snd/controlC0
> # owner: root
> # group: root
> user::rw-
> user:mike:rw-
> group::rw-
> mask::rw-
> other::---
>
> (Same results of additional user mike ACL for all devices in /dev/snd/).
>
> [m...@rockover ~]$ ck-list-sessions
> Session4:
>         unix-user = '500'
>         realname = 'Mike Fleetwood'
>         seat = 'Seat1'
>         session-type = ''
>         active = TRUE
>         x11-display = ':0'
>         x11-display-device = '/dev/tty1'
>         display-device = ''
>         remote-host-name = ''
>         is-local = TRUE
>         on-since = '2009-04-08T19:06:01.429138Z'
>         login-session-id = '702'
> [m...@rockover ~]$ ps -ef | fgrep console-kit-daemon
> root      2477     1  0 Apr08 ?        00:00:00 /usr/sbin/console-kit-daemon
> mike     23954 19225  0 12:05 pts/0    00:00:00 fgrep console-kit-daemon
>
> From my broken work desktop ...
>
> [mflee...@mfleetwo3 ~]$ su -
> Password:
> [r...@mfleetwo3 ~]# chmod o= /dev/snd/*
> [r...@mfleetwo3 ~]# setfacl -m u:mfleetwo:rw /dev/snd/*
> [r...@mfleetwo3 ~]# ls -l /dev/snd/*
> crw-rw----+ 1 root root 116, 7 2009-04-22 13:13 /dev/snd/controlC0
> crw-rw----+ 1 root root 116, 6 2009-04-22 13:13 /dev/snd/hwC0D0
> crw-rw----+ 1 root root 116, 5 2009-05-06 12:15 /dev/snd/pcmC0D0c
> crw-rw----+ 1 root root 116, 4 2009-05-06 12:15 /dev/snd/pcmC0D0p
> crw-rw----+ 1 root root 116, 3 2009-04-22 13:13 /dev/snd/seq
> crw-rw----+ 1 root root 116, 2 2009-04-22 13:13 /dev/snd/timer
> [r...@mfleetwo3 ~]# getfacl -p /dev/snd/controlC0
> # file: /dev/snd/controlC0
> # owner: root
> # group: root
> user::rw-
> user:mfleetwo:rw-
> group::rw-
> mask::rw-
> other::---
> [r...@mfleetwo3 ~]# exit
> logout
> [mflee...@mfleetwo3 ~]$ pulseaudio --start --log-target=syslog
> I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
> I: caps.c: Dropping root privileges.
> I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
> [WARN 9224] polkit-session.c:144:polkit_session_set_uid(): session != NULL
> Not built with -rdynamic so unable to print a backtrace
> [mflee...@mfleetwo3 ~]$ echo $?
> 1
> [mflee...@mfleetwo3 ~]$ ps -ef | fgrep pulseaudio
> [mflee...@mfleetwo3 ~]$ ck-list-sessions
> ** (ck-list-sessions:9244): WARNING **: Failed to get list of seats: Cannot launch daemon, file not found or permissions invalid
> [mflee...@mfleetwo3 ~]$ ps -ef | fgrep console-kit-daemon
>
> I have identified that my issues are caused by SELinux. I have rebooted with enforcing=0 to switch SELinux into permissive mode, and ConsoleKit and Pulseaudio start correctly and audacious plays music. Even after performing a full relabelling of the SELinux security context of all files by touching /.autorelabel and rebooting, SELinux in enforcing is preventing D-Bus starting ConsoleKit and Pulseaudio starting. Investigation into SELinux continuing. E.g.
>
> SELinux in enforcing mode:
> [r...@mfleetwo3 ~]# id -Z
> unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
> [r...@mfleetwo3 ~]# service messagebus status
> env: /etc/init.d/messagebus: Permission denied
>
> and SELinux in permissive mode:
> [r...@mfleetwo3 ~]# service messagebus status
> dbus-daemon (pid 2736 2055) is running...
>
> Thanks,
> Mike

Are you fully yum updated on selinux policy?

yum -y upgrade selinux-policy-targeted
Re: Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]
On 05/05/2009 08:17 PM, David wrote:
> On Wed, May 6, 2009 at 8:58 AM, Eamon Walsh <ewa...@tycho.nsa.gov> wrote:
> > David wrote:
> > > I'm attempting to mount a loop device (a ro file) at boot using fstab. My fstab entry works fine from the command line, but it fails at boot time due to a selinux avc error. I assume this is due to incorrect file context. The file is under a nonstandard top level directory, so I need to specifically assign it the correct file context, which I would do if I could figure out what it ought to be.
> >
> > mount_loopback_t.
>
> Yes this works. Thank you to everyone who replied. Thanks Eamon for nurturing my understanding of selinux, which is what I hoped for when posting. I will explore your suggestions.
>
> Actually I did notice mount_loopback_t early in my exploration. But I naively ignored it due to my expectation that loopback refers to a network interface, not a loop device as used by mount. I did not realise how widespread it is to confuse these terms. The word loopback does not appear in 'man 8 mount'. It really surprises me that the selinux specification is not more precise on this usage. Surely mount_loopback_t is a mistake, it should be named mount_loop_t.

Some people are never happy!! ;-)

I will change the label to mount_loop_t in rawhide/F11 policy. And alias mount_loopback_t to it.
Re: Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]
On 05/04/2009 05:19 AM, David wrote:
> [da...@kablamm ~]$ cat /etc/selinux/targeted/contexts/files/file_contexts | grep mount
> /etc/rc.d/init.d/autofs -- system_u:object_r:automount_script_exec_t:s0
> /bin/mount.* -- system_u:object_r:mount_exec_t:s0
> /bin/umount.* -- system_u:object_r:mount_exec_t:s0
> /sbin/mount.* -- system_u:object_r:mount_exec_t:s0
> /sbin/umount.* -- system_u:object_r:mount_exec_t:s0
> /var/run/autofs.* system_u:object_r:automount_var_run_t:s0
> /var/run/pam_mount(/.*)? system_u:object_r:pam_var_run_t:s0
> /usr/bin/smbmnt -- system_u:object_r:smbmount_exec_t:s0
> /bin/fusermount -- system_u:object_r:mount_exec_t:s0
> /usr/bin/smbmount -- system_u:object_r:smbmount_exec_t:s0
> /usr/bin/fusermount -- system_u:object_r:mount_exec_t:s0
> /usr/sbin/automount -- system_u:object_r:automount_exec_t:s0
> /usr/sbin/rpc\.mountd -- system_u:object_r:nfsd_exec_t:s0
> /etc/apm/event\.d/autofs -- system_u:object_r:automount_exec_t:s0
>
> [r...@kablamm david]# chcon -t mount_exec_t /HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso
>
> Appears to be [SOLVED] ... off for a fizzy drink :-)
>
> If I got this wrong, please comment.

What OS are you running? What policy version?
Re: Setting up CVS repository and avoiding Selinux issues?
On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:
> I am trying to get my CVS repository set up. Apparently, it appears that the repository must be in the root directory, otherwise I get selinux permission denials.
>
> What I tried to do initially was to locate the repository on a NTFS filesystem for which the context is fusefs which could not be changed, no matter what I tried. I got selinux permission errors.
>
> Giving that up, I moved the repository to an ext3 filesystem located on a separate drive/partition, mounted on /f-App1, where the repository is located @ /f-App1/Develop/cvs, and did:
>
> cd /f-App1/Develop/
> chown -R cvs:cvs cvs
> chcon -R -t cvs_data_t cvs
> find cvs -type d -exec chmod 755 {} \;
> find cvs -type t -exec chmod 754 {} \;
> ln -s /f-App1/Develop/cvs /cvs
>
> and I got selinux complaining that the files are not /cvs rooted. So I did:
>
> cp -a /f-App1/Develop/cvs /cvs1
> rm -f /cvs
> ln -s /cvs1 /cvs
>
> And it worked.
>
> How can I place my repository in a non-rooted, non-standard repository location and avoid the selinux complaints?

I blogged on your email http://danwalsh.livejournal.com/28027.html
Re: Setting up CVS repository and avoiding Selinux issues?
On 04/29/2009 11:20 AM, Daniel B. Thurman wrote:
> Daniel J Walsh wrote:
> > On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:
> > > I am trying to get my CVS repository set up. Apparently, it appears that the repository must be in the root directory, otherwise I get selinux permission denials.
> > >
> > > What I tried to do initially was to locate the repository on a NTFS filesystem for which the context is fusefs which could not be changed, no matter what I tried. I got selinux permission errors.
> > >
> > > Giving that up, I moved the repository to an ext3 filesystem located on a separate drive/partition, mounted on /f-App1, where the repository is located @ /f-App1/Develop/cvs, and did:
> > >
> > > cd /f-App1/Develop/
> > > chown -R cvs:cvs cvs
> > > chcon -R -t cvs_data_t cvs
> > > find cvs -type d -exec chmod 755 {} \;
> > > find cvs -type t -exec chmod 754 {} \;
> > > ln -s /f-App1/Develop/cvs /cvs
> > >
> > > and I got selinux complaining that the files are not /cvs rooted. So I did:
> > >
> > > cp -a /f-App1/Develop/cvs /cvs1
> > > rm -f /cvs
> > > ln -s /cvs1 /cvs
> > >
> > > And it worked.
> > >
> > > How can I place my repository in a non-rooted, non-standard repository location and avoid the selinux complaints?
> >
> > I blogged on your email http://danwalsh.livejournal.com/28027.html
>
> Thanks a lot Dan! I will see what I can do to resolve my CVS issues.
>
> Please read my posting in reply to Todd Dennison. I was asking myself why the all or nothing proposition, and about using selinux context with more flexibility than what we have? I understand that security prevails over flexibility, but I was wondering if there was a way to gain more flexibility and yet still retain security?

Well, I would argue they are very flexible. I did give you a couple of solutions, but there are theoretically multiple others. And I am always willing to accept other solutions. svn and git seem to be using httpd_sys_content_t for their context, so I guess we could attempt to allow those domains access to cvs_data?

> For example, if multiple context / file was possible, then one could theoretically traverse from the top of the tree to allow passage to the leaf of the tree? Yes I can imagine it is a bit more complexity, but... if security is not compromised, then, perhaps it's worth it?

I guess maybe we should have had this conversation on the blog. There are many contexts that most confined services can traverse. For example usr_t, etc_t, var_t. I have added a comment to my blog.

> PS: For some reason or another, I am no longer receiving Fedora SeLinux mailing list postings. Is the Fedora SeLinux mailing list still active?

Yes. This list is still available. Last message is 4/28 from me. :^)

> Kind regards,
> Dan
Re: SELinux and named
On 03/29/2009 11:29 AM, Steven Stern wrote:
> Running named in a chroot, I've been getting these messages for about a week. Running restorecon, as suggested by the troubleshooter, doesn't help.
>
> Mar 26 05:08:55 sds-desk setroubleshoot: SELinux is preventing logrotate (logrotate_t) getattr to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l d0d5bc39-fa99-4238-be5c-480a54ed38ae
> Mar 27 05:08:55 sds-desk setroubleshoot: SELinux is preventing logrotate (logrotate_t) getattr to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l d0d5bc39-fa99-4238-be5c-480a54ed38ae
> Mar 28 05:08:53 sds-desk setroubleshoot: SELinux is preventing logrotate (logrotate_t) getattr to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l d0d5bc39-fa99-4238-be5c-480a54ed38ae
> Mar 29 05:08:54 sds-desk setroubleshoot: SELinux is preventing logrotate (logrotate_t) getattr to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l d0d5bc39-fa99-4238-be5c-480a54ed38ae
>
> --
> Steve

Is logrotate being set up specially to rotate files in /var/named/data/named.run? Or is this a standard configuration?
Re: SELinux and named
On 03/30/2009 12:54 PM, Steven Stern wrote:
> Daniel J Walsh wrote:
> > On 03/29/2009 11:29 AM, Steven Stern wrote:
> > > Running named in a chroot, I've been getting these messages for about a week. Running restorecon, as suggested by the troubleshooter, doesn't help.
> > >
> > > Mar 26 05:08:55 sds-desk setroubleshoot: SELinux is preventing logrotate (logrotate_t) getattr to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l d0d5bc39-fa99-4238-be5c-480a54ed38ae
> > > Mar 27 05:08:55 sds-desk setroubleshoot: SELinux is preventing logrotate (logrotate_t) getattr to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l d0d5bc39-fa99-4238-be5c-480a54ed38ae
> > > Mar 28 05:08:53 sds-desk setroubleshoot: SELinux is preventing logrotate (logrotate_t) getattr to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l d0d5bc39-fa99-4238-be5c-480a54ed38ae
> > > Mar 29 05:08:54 sds-desk setroubleshoot: SELinux is preventing logrotate (logrotate_t) getattr to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l d0d5bc39-fa99-4238-be5c-480a54ed38ae
> >
> > Is logrotate being set up specially to rotate files in /var/named/data/named.run? Or is this a standard configuration?
>
> This is the standard logrotate. I used audit2allow to create a policy permitting it.

Ok, I put a patch into Rawhide, and I believe the next F10 policy will have a fix for this.
Re: Anyone unable to run specific applications after recent selinux-policy?
On 03/24/2009 08:40 AM, Mike Cloaked wrote:
> Mike Cloaked wrote:
> > I just tried to run Okular in F10 (first time since recent selinux policy update) and nothing happens - used to work fine! Also Crossover no longer executes programmes - I wonder if anyone else is seeing this change of behaviour?
>
> I now have a programme failure that seems to indicate that it is possibly the java update that has broken something! Anyone have any further ideas or information about breakage after the latest updates?

What avc messages are you seeing?
Re: Anyone unable to run specific applications after recent selinux-policy?
On 03/24/2009 10:53 AM, Mike Cloaked wrote:
> Daniel J Walsh wrote:
> > What avc messages are you seeing?
>
> That is the problem - I am not seeing avc's, or log messages or anything - the programs just won't run! The gnome desktop seems normal other than that these few programs won't work. I am totally puzzled - I have changed the monitor from an analogue one to a DVI connected one as well as having yum updated, but that presumably is not relevant? I am wandering in the dark about this - not sure how to diagnose?

setenforce 0 and see if they run.
Re: Fedora/Linux Security Guide
Eric Christensen wrote:
> SELinux is addressed in a completely separate guide.

Then that should be SCREAMED from the first line of this guide. SELinux is a fundamental security attribute of Fedora, and your guide is the Fedora/Linux Security Guide. But your document treats it like it is an afterthought. If I pick up a Fedora/Linux Security Guide and do not see SELinux right away, I am very confused. I had to search the guide for the word SELinux, and it is first mentioned on page 33, as a footnote.

Page 33:
  3 This access is still subject to the restrictions imposed by SELinux, if it is enabled.

Next reference, page 145:
  15. restore default SELinux security contexts: /sbin/restorecon -v -R /home

Page 150:
  - use security-enhancing software and tools, for example, Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC), Netfilter iptables for packet filtering (firewall), and the GNU Privacy Guard (GnuPG) for encrypting files.

Then in Chapter 7, under references, you finally give information on SELinux, but the guide you refer to is buried under several semi-useful links.

  ... Community
  Fedora SELinux User Guide
  http://docs.fedoraproject.org/selinux-user-guide/

So why not in your Introduction to Security section explain what this guide will not cover? SELinux, and refer to the guides that do cover it there.

I

-- 
Fedora-security-list mailing list
Fedora-security-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-security-list
Re: Small SELinux issue with kdm and grub [solved]
dexter wrote:
> 2009/3/9 Daniel J Walsh <dwa...@redhat.com>:
> > All this for arguable value.
>
> You forgot to add in your opinion! Because I happen to like the option of selecting which kernel I boot from next before I restart.
>
> ...dex

Aren't you arguing with me. :^)

In my opinion.
Re: Small SELinux issue with kdm and grub [solved]
Marko Vojinovic wrote:
> On Sunday 08 March 2009 23:39, Kevin Kofler wrote:
> > Marko Vojinovic wrote:
> > > I don't understand the last point. What is the feature of KDM that you talk about? I don't remember enabling any specific feature of KDM other than autologin. Is that it?
> >
> > In the 5th tab of the KDM options, there's an option to set your boot loader, it should be set to None (which is what we set it to by default). If you set it to GRUB, KDM will try to talk to GRUB and SELinux will block it.
>
> Aha! I found it! It was indeed set to grub instead of none. I really don't remember ever touching that setting, but memory can be misleading. Anyway, it doesn't matter anymore. I have set it to none and SELinux stopped complaining.
>
> Thanks! :-)
> Marko

Reasoning for SELinux to deny this:

Login programs are becoming a lot larger; lots of software needs to be run in order to allow Assisted Technologies. Most of this software can be executed by a non logged in user, so a bug in the software could compromise the system. Allowing the login program to manipulate the boot environment might allow a slightly compromised login program to turn off security options like SELinux, or change other kernel options.

All this for arguable value.
Re: selinux-policy-3.5.13-46.fc10.noarch - slight hiccup!
Mike Cloaked wrote:
> Daniel J Walsh wrote:
> > This is very strange, I have no idea why SELinux update would do this, and suspect that something else might have gone wrong. Were there other packages in the update? I will update my F10 and see what is going on.
> >
> > Could be someone is doing a chcon -t usr_t in a post install script? selinux-policy should only be doing the equivalent of a restorecon -vR in its post install. Actually it executes fixfiles:
> >
> > fixfiles -C ${FILE_CONTEXT}.pre restore
> >
> > Which figures out what was different between the old file context and the new and runs restorecon on them.
>
> Dan, I had a problem this morning on another machine where there is a bind mounted /var/spool/mail directory (restorecon -vR /var/spool/mail seems to have fixed it). In all the cases where the user contexts had a problem were machines with bind mounted /home areas. I wonder if this could be the common factor?

Yes, if you bind mount a usr_t directory without telling the system about it, it could cause labeling problems.

For example, if you store your homedirs in /usr/myhome/dwalsh and bind mount this over /home/dwalsh, SELinux will label the directory usr_t since /usr/myhome/dwalsh defaults to a usr_t label. If you bind mount it over /home/dwalsh and run restorecon on /home/dwalsh it will label it properly. But depending on which directory has restorecon run on it you can get different results.

Usually we only have small relabels that happen on policy upgrades, so it probably never hit this directory. But this update seems to have triggered a larger relabel, something like

restorecon -R -v /usr

So the problem in SELinux is we do not have an easy way to say /usr/myhome == /home or /usr/myhome/dwalsh == /home/dwalsh. This is on my todo list.

Sorry about the inconvenience.
Re: selinux-policy-3.5.13-46.fc10.noarch - slight hiccup!
Mike Cloaked wrote:
> I have just updated some f10 boxes a few minutes ago. On logging on again after rebooting to the new kernel this evening, the main user directories have had their contexts changed to usr_t, so I presume some kind of relabelling has been done - but not correctly! After restorecon -vR /home/user the contexts have mostly reverted to where they should be - I initially noticed because ssh suddenly started demanding a passphrase when it should not need one - and then I noted avc denials. This is for selinux-policy-3.5.13-46.fc10.noarch and the related targeted policy.
>
> I have tested on several systems and so far all is well after doing
>
>     restorecon -vR /home
>
> as root to fix all user areas in one go. Any one user can fix their own user area by doing
>
>     restorecon -vR /home/user
>
> I presume that this will lose any chcon changes - but any contexts that were saved as a rule using semanage fcontext presumably should be restored - though I have not had time to explore all directories yet. This update was pushed to stable today so presumably it will take a while to sync to all mirrors.

This is very strange, I have no idea why an SELinux update would do this, and suspect that something else might have gone wrong. Were there other packages in the update? I will update my F10 and see what is going on. Could be someone is doing a chcon -t usr_t in a post install script? selinux-policy should only be doing the equivalent of a restorecon -vR in its post install. Actually it executes fixfiles:

    fixfiles -C ${FILE_CONTEXT}.pre restore

which figures out what was different between the old file context and the new and runs restorecon on them.
Re: network-scripts problem
Antonio Olivares wrote:
> --- On Tue, 2/17/09, Antonio Olivares olivares14...@yahoo.com wrote:
>
> From: Antonio Olivares olivares14...@yahoo.com
> Subject: network-scripts problem
> To: fedora-list@redhat.com
> Cc: fedora-selinux-l...@redhat.com
> Date: Tuesday, February 17, 2009, 7:43 AM
>
> Dear fellow testers,
>
> I encountered a network functions/network-scripts problem :(
>
>     [r...@localhost ~]# dhclient eth0
>     Missing /etc/sysconfig/network-scripts/network-functions, exiting.
>     Missing /etc/sysconfig/network-scripts/network-functions, exiting.
>     Missing /etc/sysconfig/network-scripts/network-functions, exiting.
>     ^C
>     [r...@localhost ~]# restorecon -v 'network-scripts'
>     restorecon: stat error on network-scripts: No such file or directory
>     [r...@localhost ~]# restorecon -v network-scripts
>     restorecon: stat error on network-scripts: No such file or directory
>     [r...@localhost ~]# dhclient eth0
>     Missing /etc/sysconfig/network-scripts/network-functions, exiting.
>     ^C
>     You have new mail in /var/spool/mail/root
>     [r...@localhost ~]# service network status
>     Configured devices:
>     lo eth0 eth1
>     Currently active devices:
>     lo eth1 eth0
>     [r...@localhost ~]# service network restart
>     Shutting down interface eth0:                    [ OK ]
>     Shutting down interface eth1:                    [ OK ]
>     Shutting down loopback interface:                [ OK ]
>     Disabling IPv4 packet forwarding: net.ipv4.ip_forward = 0 [ OK ]
>     Bringing up loopback interface:                  [ OK ]
>     Bringing up interface eth0: Determining IP information for eth0...Missing /etc/sysconfig/network-scripts/network-functions, exiting.
>     ^C
>
> Got also greeted by selinux alert:
>
> Summary:
>
> SELinux is preventing dhclient-script (dhcpc_t) search to network-scripts (net_conf_t).
>
> Detailed Description:
>
> SELinux denied access requested by dhclient-script. It is not expected that this access is required by dhclient-script and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for network-scripts, restorecon -v 'network-scripts' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context        unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
> Target Context        system_u:object_r:net_conf_t
> Target Objects        network-scripts [ dir ]
> Source                dhclient-script
> Source Path           /bin/bash
> Port                  Unknown
> Host                  localhost
> Source RPM Packages   bash-4.0-0.4.rc1.fc11
> Target RPM Packages
> Policy RPM            selinux-policy-3.6.6-1.fc11
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall_file
> Host Name             localhost
> Platform              Linux localhost 2.6.29-0.124.rc5.fc11.i586 #1 SMP Mon Feb 16 21:15:37 EST 2009 i686 athlon
> Alert Count           3
> First Seen            Tue 17 Feb 2009 09:32:55 AM CST
> Last Seen             Tue 17 Feb 2009 09:33:55 AM CST
> Local ID              878e2548-4687-45f0-8115-d40144370614
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost type=AVC msg=audit(1234884835.408:131): avc: denied { search } for pid=11969 comm=dhclient-script name=network-scripts dev=dm-0 ino=28344324 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir
> node=localhost type=SYSCALL msg=audit(1234884835.408:131): arch=4003 syscall=195 success=no exit=-13 a0=8463100 a1=bfb25c2c a2=b45ff4 a3=8463102 items=0 ppid=11968 pid=11969 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm=dhclient-script exe=/bin/bash
Re: Upgrade and SELinux messages
Les wrote:
> I upgraded from F8 to F10. It appeared to go smoothly, but then I received the following SELinux errors:
>
> // /** first
>
> Summary:
>
> SELinux is preventing dbus-daemon-lau (system_dbusd_t) execute to ./console-kit-daemon (consolekit_exec_t).
>
> Detailed Description:
>
> SELinux denied access requested by dbus-daemon-lau. It is not expected that this access is required by dbus-daemon-lau and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./console-kit-daemon, restorecon -v './console-kit-daemon'
>
> Additional Information:
>
> Source Context        system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> Target Context        system_u:object_r:consolekit_exec_t:s0
> Target Objects        ./console-kit-daemon [ file ]
> Source                dbus-daemon-lau
> Source Path           /lib/dbus-1/dbus-daemon-launch-helper
> Port                  Unknown
> Host                  localhost.localdomain
> Source RPM Packages   dbus-1.2.4-1.fc10
> Target RPM Packages
> Policy RPM            selinux-policy-3.5.13-18.fc10
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall_file
> Host Name             localhost.localdomain
> Platform              Linux localhost.localdomain 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count           35
> First Seen            Thu 15 Jan 2009 03:45:37 PM PST
> Last Seen             Thu 15 Jan 2009 03:47:19 PM PST
> Local ID              a0430578-0415-40c9-ac4e-b9f86d3b479c
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc: denied { execute } for pid=3010 comm=dbus-daemon-lau name=console-kit-daemon dev=dm-0 ino=54362144 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
> node=localhost.localdomain type=SYSCALL msg=audit(1232063239.982:58): arch=4003 syscall=11 success=no exit=-13 a0=8f08e48 a1=8f08dc8 a2=8f08008 a3=2d09bc items=0 ppid=3009 pid=3010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/lib/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
>
> ###
> ### The restorecon mentioned returned an error that the file doesn't
> ### exist.
>
> // /** second
>
> Summary:
>
> SELinux is preventing plymouthd from creating a file with a context of unlabeled_t on a filesystem.
>
> Detailed Description:
>
> SELinux is preventing plymouthd from creating a file with a context of unlabeled_t on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, cp -a for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. cp -P might be a better solution, as this will adopt the default file context for the destination.
>
> Allowing Access:
>
> Use a command like cp -P to preserve all permissions except SELinux context.
>
> Additional Information:
>
> Source Context        system_u:object_r:unlabeled_t:s0
> Target Context        system_u:object_r:fs_t:s0
> Target Objects        force-display-on-active-vt [ filesystem ]
> Source                plymouthd
> Source Path           Unknown
> Port                  Unknown
> Host                  localhost.localdomain
> Source RPM Packages
> Target RPM Packages
> Policy RPM            selinux-policy-3.5.13-18.fc10
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           filesystem_associate
> Host Name             localhost.localdomain
> Platform              Linux localhost.localdomain 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
> Alert Count           1
> First Seen            Thu 15 Jan 2009 03:45:42 PM PST
> Last Seen             Thu 15 Jan 2009 03:45:42 PM PST
> Local ID
Re: VMware Server 2.0, selinux, and F10
Christopher A. Williams wrote:
> I had promised to do this and post my results a week ago and got thoroughly tied up over the holidays - sorry about that. It was a good Christmas for us though! :)
>
> So - I did get around to loading up a server with the latest version of F10 (32-bit in this case) to run the 32-bit version of VMware Server 2.0 (build 122956) to try and answer the burning question: Does selinux need to be disabled for VMware Server to run properly on F10?
>
> I know the impatient out there can't wait to read the whole post, so here's the answer: Yes. According to our testing (a friend of mine who also frequents this list was here too), the current version of VMware Server DOES NOT RUN on F10 (32-bit) unless selinux is DISABLED. Permissive mode doesn't cut it - it still causes VMware Server to not run.
>
> Here are the details:
>
> Server: Whitebox Supermicro 1U chassis, dual 2.4GHz Pentium Xeon processors, 4GB RAM, Dual Gig-E NICs, dual 250GB IDE drives
> OS: F10 32-bit, with all patches as of 12-28-08
> Kernel: 2.6.27.9-159.fc10 (PAE version - required to see the full 4GB)
>
> We loaded a fresh copy of F10 with all of the required development tools and supporting stuff VMware Server needs to compile, and left selinux in its default (enforcing) mode and targeted policy. The system was intentionally updated with all of the latest available patches. After rebooting (kernel update that included a switch to the PAE kernel), we then installed VMware Server from the RPM via Package Kit. The initial RPM install went as expected with no errors or issues beyond the warning that the RPM is not signed (Request to VMware: Please, PLEASE make sure that you always sign your RPMs!). Next up was to configure the system. We fired up a terminal window, switched user to root, and then launched vmware-config.pl as normal.
>
> The script properly found everything it needed, set up the virtual networks, and compiled all of the modules against the PAE kernel with no errors at all. All of the services reported in as having started successfully when the script exited, which was when the trouble started. We immediately picked up a selinux error saying that one of the modules required the ability to use text relocation. No big deal here, which is why I don't remember off hand which module committed the offense. I'll go back and pull it up next chance - I'm on a different system right now. The selinux troubleshooter gave us the required command to address this issue, so we fixed the problem and off we went.
>
> ...Or so we thought. It seems that something else in selinux is interfering with a new VMware Server 2.0 service called VirtualMachines. I'm not sure what the problem is, how it happens, or why. What happens is that you can launch Firefox to talk to VMware server (http://localhost:8222 in this case) and get the VMware Server login page. However, from there you are unable to log in. The system times out with a message basically saying that communication with the back-end server processes has been lost. Further checking (service vmware status) shows that several VMware Server services are actually NOT running. Upon trying to restart the vmware services (service vmware restart), we see that the VirtualMachines service has failed. There are no errors I can see, and nothing in dmesg out of the ordinary.
>
> Next, we placed selinux into permissive mode to see if anything might pop up or change, and then rebooted the system. We saw exactly the same behavior from VMware Server as before when selinux was in enforcing mode. Finally, we disabled selinux altogether and rebooted once more. This time, VMware Server came up and ran flawlessly. In fact, it was impressively fast given the age of the hardware.
>
> Just for grins, we then completely erased VMware Server, rebooted, and double-checked to make sure everything about it was completely gone from the system. We then re-installed it using the exact same procedure as before. VMware Server installed and ran flawlessly. In fact, just to be sure again, we rebooted the server one more time. Again VMware Server came up and ran without issues.
>
> Thus, in our testing of this, it is clear there are multiple issues with VMware Server and selinux. One of the issues is that a specific module requires text relocation, which is easily solved. The other issue is going to be a little more difficult to troubleshoot, but clearly there is something that conflicts between selinux and one of the new VMware Server services, and the only way to get around it at this point is to disable selinux.
>
> I'll have the system handy for the next day or so to do some additional testing, but then I have to put it back into production. Let me know what specifics I should look for next to find the source of the problem.
>
> Cheers,
> Chris
>
> --
> == By all means
Re: Setting SELinux for vsftpd - SOLVED
Mark Haney wrote:
> Mark Haney wrote:
> > I've got a server that we use to do speed testing of our upstreams (and customers' links) using FTP. This is a fresh F10 install and I'm getting what seems to be a very common selinux ftp error (226 Failed to open directory). I've googled up a couple of forum posts on how to fix it, but most say just to disable selinux. That I'd not like to do. However, one of the options says to do this:
> >
> >     setsebool -P ftpd_disable_trans 1
> >
> > But I get an error:
> >
> >     [r...@noc5 speedtest]# setsebool -P ftpd_disable_trans 1
> >     libsemanage.dbase_llist_set: record not found in the database
> >     libsemanage.dbase_llist_set: could not set record value
> >     Could not change boolean ftpd_disable_trans
> >     Could not change policy booleans
> >
> > I have seen the GUI method of doing this, but since I don't run X on this server that's not much help. What's the correct method of setting selinux up for this?
>
> For anyone who wants to know. The correct option (which, btw, took me down deep into google to find) is this:
>
>     setsebool -P ftp_home_dir 1
>
> It's amazing to me that this isn't set up by default on a fresh install with ftp as one of the installed packages. man ftpd_selinux explains a lot of this.

The reason that this is not on by default is that most ftp sites are used to share anonymous ftp information, so there is no reason for ftp to read users' home directories. This allows us to protect the users' home directories even if ftp becomes compromised. You could also take the error output in /var/log/audit/audit.log and pipe it to audit2why and it should have told you which boolean to set. Finally, if you were running setroubleshoot it might also give you the right answer.
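The audit2why suggestion in this reply, and the raw AVC records quoted in the network-scripts and F8-to-F10 upgrade threads above, all start from the same parsing step. The following is an added example, not code from the thread or from the setroubleshoot/audit2allow/audit2why tools: it pulls the source type, target type, object class and denied permissions out of audit.log lines and folds identical denials into audit2allow-style rules. The sample records are constructed, modelled on the denials quoted above, with illustrative pids, inodes and timestamps.

```python
"""Parse SELinux AVC denials out of audit.log text and fold them into rules.

Added example for this thread, not code from the thread or from the
setroubleshoot/audit2allow/audit2why tools. It does the parsing step those
tools do with /var/log/audit/audit.log: pull the denied permissions, source
type, target type and object class out of each "avc: denied" record and merge
identical denials into one audit2allow-style allow statement. It does not read
the loaded policy, so unlike audit2why it cannot say whether a boolean such as
ftp_home_dir or a relabel would resolve a denial.
"""
import re
from collections import defaultdict

# "type=AVC msg=audit(<secs>.<ms>:<serial>): avc: denied { perms } for k=v ..."
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# Trailing fields are key=value pairs; values may be quoted on newer kernels.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records modelled on the denials quoted in this thread;
# pids, inodes and timestamps are illustrative, not from a real system.
SAMPLE_LOG = [
    'type=AVC msg=audit(1234884835.408:131): avc: denied { search } for pid=11969 '
    'comm="dhclient-script" name="network-scripts" dev=dm-0 ino=28344324 '
    'scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:net_conf_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1234884835.408:131): arch=4003 syscall=195 success=no '
    'exit=-13 comm="dhclient-script" exe="/bin/bash"',
    'type=AVC msg=audit(1234884836.101:132): avc: denied { read } for pid=11970 '
    'comm="dhclient-script" name="network-scripts" dev=dm-0 ino=28344324 '
    'scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:net_conf_t:s0 tclass=dir',
    'type=AVC msg=audit(1232063239.982:58): avc: denied { execute } for pid=3010 '
    'comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0 ino=54362144 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file',
]


def context_type(context):
    """Type component of an SELinux context written user:role:type[:range]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Dict describing the AVC record on `line`, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "serial": int(m.group("serial")),
            "action": m.group("action"),
            "perms": tuple(sorted(m.group("perms").split())),
            "comm": fields.get("comm"),
            "name": fields.get("name"),
            "stype": context_type(fields["scontext"]),
            "ttype": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        }
    except KeyError:
        return None  # truncated record without the mandatory context fields


def summarize(lines):
    """{(stype, ttype, tclass): set(perms)} over every denial in `lines`."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["action"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def allow_rules(lines):
    """Render the summary as TE allow statements in audit2allow's format."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ %s }" % " ".join(plist)
        out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return out


if __name__ == "__main__":
    # On a real box: grep AVC /var/log/audit/audit.log | python3 avc_summary.py
    import sys
    src = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for rule in allow_rules(src):
        print(rule)
```

A rule this produces is only a statement of what was denied; as Dan says, run the same records through audit2why (which does consult the policy) before deciding whether a boolean, a relabel or a local module is the right fix.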
Re: selinux policy updates - a question
Tim wrote:
> On Sun, 2009-01-04 at 12:36 -0800, Mike Cloaked wrote:
> > Fairly regularly there are selinux updates that come in during yum updates - I presume that nothing gets changed unless a relabel is done? Or am I wrong?
>
> A policy can set what can be done with certain types of file, i.e. the rules can change. That doesn't involve relabelling a file. Of course there are other things that can change in an update. As I understand it, if a relabel is required, the update will arrange it to happen.

Yes, updates involve changes to the policy; they almost always involve additional allow rules. I strive to never take away privs on updates within a release. Usually there are no new confined domains in an update. The update also does a diff between the current file context file and the new file context file and runs restorecon on all differences, so some relabeling can happen. An update will never change the enforcing mode or the policy type, so if you are permissive you stay permissive, if disabled you stay disabled, enforcing stays enforcing.
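An added illustration, not the fixfiles script itself, of the file-context diff Dan describes here and in the bind-mount thread above: it compares two constructed file_contexts fragments, returns the directories a restorecon would start from, and resolves the label the same bind-mounted directory gets when looked up as /usr/myhome/dwalsh versus /home/dwalsh. The entries, the added "update" rules and the /usr/myhome/dwalsh path are constructed to match that thread's example; match_context's last-match rule is a simplification of libselinux.

```python
"""Approximate what "fixfiles -C old_file_contexts restore" does after an update.

Added example for the mailing-list discussion, not the fixfiles script itself.
It diffs two constructed file_contexts fragments, works out the directories a
restorecon walk would start from, and resolves the context a path would get,
which shows why a home directory bind-mounted out of /usr is labeled usr_t when
relabeling starts at /usr but gets its home type when it starts at /home.
"""
import re

# Any of these characters starts the regular-expression part of a path spec.
REGEX_START = re.compile(r"[.^$?*+|\[\](){}\\]")

# Constructed fragments in file_contexts format: regex [file type] context.
OLD_FILE_CONTEXTS = r"""
/.*                         system_u:object_r:default_t:s0
/usr(/.*)?                  system_u:object_r:usr_t:s0
/home/[^/]+             -d  unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]+/.*              unconfined_u:object_r:user_home_t:s0
/home/[^/]+/\.ssh(/.*)?     unconfined_u:object_r:ssh_home_t:s0
/var/spool/mail(/.*)?       system_u:object_r:mail_spool_t:s0
"""
NEW_FILE_CONTEXTS = OLD_FILE_CONTEXTS + r"""
# two entries added by the constructed "policy update"
/usr/lib(64)?/vmware(/.*)?  system_u:object_r:lib_t:s0
/home/[^/]+/\.gvfs(/.*)?    <<none>>
"""


def parse_file_contexts(text):
    """Map (path regex, file type) to context; comments and blank lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2:
            (path, context), ftype = parts, ""
        elif len(parts) == 3:
            path, ftype, context = parts
        else:
            raise ValueError("unparseable file_contexts line: %r" % raw)
        entries[(path, ftype)] = context
    return entries


def literal_prefix(path_regex):
    """Leading literal directory of a spec: where a restorecon -R would start."""
    m = REGEX_START.search(path_regex)
    if m is None:
        return path_regex                      # plain path, no regex part
    literal, rest = path_regex[:m.start()], path_regex[m.start():]
    if literal.endswith("/"):
        literal = literal[:-1]                 # /home/[^/]+ -> /home
    elif not rest.startswith("(/"):
        literal = literal.rsplit("/", 1)[0]    # /usr/lib(64)? -> /usr, not /usr/lib
    return literal or "/"


def changed_entries(old_text, new_text):
    """Specs whose context is new or different in the new file_contexts."""
    old = parse_file_contexts(old_text)
    new = parse_file_contexts(new_text)
    return {key: ctx for key, ctx in new.items() if old.get(key) != ctx}


def relabel_roots(old_text, new_text):
    """Directories restorecon would be run on, with nested roots collapsed."""
    roots = sorted({literal_prefix(p) for p, _ftype in changed_entries(old_text, new_text)})
    kept = []
    for root in roots:
        if not any(root == k or root.startswith(k.rstrip("/") + "/") for k in kept):
            kept.append(root)
    return kept


def match_context(entries, path):
    """Context a path resolves to; the last matching spec wins (a simplification
    of libselinux, and the reason specific rules follow general ones in the file)."""
    result = None
    for (regex, _ftype), ctx in entries.items():
        if re.fullmatch(regex, path):
            result = ctx
    return result


if __name__ == "__main__":
    print("relabel roots:", relabel_roots(OLD_FILE_CONTEXTS, NEW_FILE_CONTEXTS))
    new = parse_file_contexts(NEW_FILE_CONTEXTS)
    # The same bind-mounted directory, resolved from each side of the mount.
    for p in ("/usr/myhome/dwalsh", "/home/dwalsh", "/home/dwalsh/.ssh/id_rsa"):
        print(p, "->", match_context(new, p))
```

Because the constructed update touches a /usr/lib rule, the walk starts at /usr and reaches /usr/myhome/dwalsh through the usr_t rule, which is the labeling surprise reported in the bind-mount thread.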
Re: How to deal with Selinux local packages?
Steven Stern wrote:
> Ran a yum update today that picked up these packages
>
>     selinux-policy            noarch  3.5.13-34.fc10  updates  613 k
>     selinux-policy-targeted   noarch  3.5.13-34.fc10  updates  2.0 M
>
> and saw this:
>
>     Updating : selinux-policy-targeted 28/104
>     libsepol.print_missing_requirements: policy20080911's global requirements were not met: type/attribute user_gnome_home_t
>     libsemanage.semanage_link_sandbox: Link packages failed
>     semodule: Failed!
>
> The policy 20080911 was something created with audit2allow to work around a problem with a prior default selinux policy. Is there a better way to manage needed local exceptions?

This looks like a bug; gnome_home_t is supposed to be an alias of user_gnome_home_t. Not sure why you would have gotten this error.
Re: Sound problems with SELinux ?
William Case wrote:
> Hi;
>
> This is probably more of a frustration question than an "eventually solving it myself" question. I couldn't get any sound -- I originally thought it was an Adobe Flash problem -- until I changed SELinux from enforcing to permissive. How do I make sound available to the user while still using SELinux enforcing?

Check the /var/log/audit/audit.log file for AVC messages. Is this F10?
Re: F10, VMware Server 2.0, and selinux
Christopher A. Williams wrote:
> On Sun, 2008-12-14 at 21:27 -0500, Claude Jones wrote:
> > On Sunday 14 December 2008 18:21:44 Christopher A. Williams wrote:
> > > As to how long this has gone on, it has since F8 and VMware Server 1.0.x. The only known work-around I am aware of is to disable selinux, after which it runs impressively well. It compiles and runs on F9 and F10 out of the box with no patches needed.
> >
> > Sorry, Christopher, but I am not posting these replies because I'm a VMWare booster. As I stated, my solution may not work for all, but you are simply misstating things, or not speaking clearly.
>
> I think you may have misunderstood my point here. As the OP on this thread, I asked a question and someone (not you) decided to use that as a platform to trash VMware. I thought that was inappropriate. I see the problem I'm having with selinux as an inconvenience at this point, but would like to know how to fix it.
>
> > To repeat, I am currently running VMWare Server version 1.0.7 build-108231; I've been running some version of VMWare server since it was first made available free, on several versions of Fedora including this machine, which is on F10; I have another machine right beside it that is running F9 and also runs VMWareServer; I do NOT disable selinux on any of my machines, ever, except for brief testing purposes; VMWare server has been running all day on this machine I'm typing on, and I have a WinXP vm running in it through which I run Outlook so I can connect to my company's Exchange 2008 mail server.
>
> I have been running VMware Server since it was originally GSX Server 1.0 and a for-pay product. I've also run VMware Workstation since the first public beta of version 1.0 - right up through the latest build of 6.5 on F10 on the laptop I'm using to write this. Unity, by the way, has a few minor flaws, but is otherwise very cool.
>
> I'm also a seasoned VMware Certified Professional (working on a VCDX), so I think I have a bit of qualified experience with these product lines. At least VMware seems to think so...
>
> I'm happy to see you have Server 1.0 working with selinux enabled. This has never worked for me, and if you follow the VMware community forums (maybe where I should have posted this to begin with), you would see that I'm not alone in that. With selinux enabled and using a targeted policy, VMware Server will refuse to start. Placing selinux in permissive mode to try and catch issues produces the same result. No errors that I could see/find on it either. If you follow the VMware Community threads on this, the acknowledged work-around remains disabling selinux. I occasionally try re-enabling selinux with no luck.
>
> I admit I have not yet tried that on the latest build of 2.0 on a recently patched F10 system. That build only came out a couple of weeks ago and I've been traveling heavily - there's only so much of me to go around.
>
> > I am merely posting this because I consider most of the information in this thread to be misleading, which could discourage others. It would be useful, if you really care, to attempt to run VMWare server on your machine, post the errors you get, and get some help - to assert that it won't run because you can't get it to run, without explaining your procedures, is not helpful.
>
> Sorry you feel that way. In light of what I have written above, your "It works for me, so it must be something you're doing" statement doesn't make the info I have reported misleading. It just means your experience has been different (along with your opinion). I have posted this issue here and elsewhere before. I also have used some of my connections with technical people I know inside of VMware to find more on the problem. The answer: disable selinux.
>
> As you saw with another post, there is also an anti-VMware crowd lurking who then cries foul on VMware rather than advocate investigating the problem further. I don't think I have written anything that would confuse or discourage someone from trying or using VMware products. I certainly have not done so intentionally.
>
> Since you seem to have VMware Server 1.0 working with selinux on F9 and F10, perhaps you should post your procedure for loading it. I might be able to duplicate that with a 2.0 installation. As also has been mentioned, you should seriously consider that VMware Server 1.x is reaching EOL, and you really should move to something else shortly.
>
> Outside of the issues with selinux, I repeat that my experiences with 2.0 have been very positive. It's a major step forward from 1.0 as a server based solution. I repeat that I would personally not recommend it as a _desktop_ solution - but VMware Server isn't intended for that, and there are better desktop alternatives.
>
> I'm planning to load up another server with F10 and VMware Server 2.0 this weekend. I'll try this with selinux enabled again and report back.
Re: F10, VMware Server 2.0, and selinux
Christopher A. Williams wrote:
> I'm just curious - has anyone made any progress on figuring out why VMware Server 2.0 does NOT run on F10 unless selinux is disabled? Even running selinux in permissive mode causes VMware Server fits.
>
> This has been this way at least since VMware Server 1.x running on F8. I know because I can recall having to fully disable selinux on my VMware Server systems for at least that long. It never seems to have been fixed to this day, and that's a long time for such an issue to exist. Is anyone working to resolve it?
>
> Cheers,
> Chris

Do you have a bugzilla on this? I am not aware of the problem.
Re: How to get rid of selinux
gab_v wrote:
> Dear all, I have a Fedora 9 distr. I've got lots of problems with SELinux, so I want to know how to get rid of it. In particular I am interested NOT in making the SELinux status Disabled but in uninstalling it. I am not sure how to do it, also because I just started working with Linux OS. How can I do it? I was thinking about doing rpm -qa | grep SELinux and then rpm -e ... But will it be enough? I want to do very safe commands since I need the computer at work. Thanks in advance
> p.s. I said not how to disable SELinux because I did it once and I did not solve the problem and, after that, I had a block at boot process.

libselinux is a core library of the Fedora system and some other Linux distributions; it can not be removed. policycoreutils includes the restorecon command, which is required by several other packages, so it can not be removed either. You should be able to remove other selinux packages.

yum remove selinux-policy

Should remove the policy package, which is the largest package.

We have not heard of SELinux-disabled problems in years, so if you say it caused you problems a while ago, it probably was a very old version of Fedora, or was not an SELinux problem in the first place, or you really did not have SELinux disabled.
Re: Selinux and Firefox
Matthew Saltzman wrote:
> On Sun, 2008-12-07 at 20:44 -0600, Mikkel L. Ellertson wrote:
> > Jim wrote:
> > > stan wrote:
> > > > I don't run KDE and SELinux is Greek to me, but what is the error message, and does SETroubleshooter (the yellow star) recommend a fix? That will probably help others respond.
> > > It was the /user/.macromedia directory that was causing Selinux to send errors. I ran the recommended command to correct selinux but that didn't help, so I just sent the .macromedia directory to the trashcan and it regenerated a new .macromedia directory and no more problems with Selinux.
> > One thing that can be a problem with the SELinux messages is that they usually do not provide the full path to the file you need to change the context of - it is usually something like ./file, which only works if you are in the correct directory when you try to change the context.
> It would be nice if the full path were reported, but one can often find the relevant file with just a 'locate' and a little common sense (your .sig quote notwithstanding).
> > Mikkel

Yes, sadly this is a kernel issue: the kernel only has an inode at the time of the AVC and is unable to regenerate the complete path. You can turn on full auditing but this hits you with a 5% hit on performance, not considered worth it.
Re: Openvpn and Selinux
Zoltan Kota wrote:
> Hi, In my F10 installation selinux seems to prevent openvpn from working. After connection openvpn wants to modify /etc/resolv.conf, which is not allowed I think. I start openvpn by the command
>
> [EMAIL PROTECTED] /etc/init.d/openvpn start
>
> and I get selinux messages like this:
>
> ---
> Summary:
> SELinux is preventing cp (openvpn_t) write to ./etc (etc_t).
>
> Detailed Description:
> SELinux is preventing cp (openvpn_t) write to ./etc (etc_t). The SELinux type etc_t, is a generic type for all files in the directory and very few processes (SELinux Domains) are allowed to write to this SELinux type. This type of denial usual indicates a mislabeled file. By default a file created in a directory has the gets the context of the parent directory, but SELinux policy has rules about the creation of directories, that say if a process running in one SELinux Domain (D1) creates a file in a directory with a particular SELinux File Context (F1) the file gets a different File Context (F2). The policy usually allows the SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for some reason a file (./etc) was created with the wrong context, this domain will be denied. The usual solution to this problem is to reset the file context on the target file, restorecon -v './etc'. If the file context does not change from etc_t, then this is probably a bug in policy. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package. If it does change, you can try your application again to see if it works. The file context could have been mislabeled by editing the file or moving the file from a different directory, if the file keeps getting mislabeled, check the init scripts to see if they are doing something to mislabel the file.
>
> Allowing Access:
> You can attempt to fix file context by executing restorecon -v './etc'
>
> Fix Command:
> restorecon './etc'
>
> Additional Information:
> Source Context    unconfined_u:system_r:openvpn_t:s0
> Target Context    system_u:object_r:etc_t:s0
> Target Objects    ./etc [ dir ]
> Source            cp
> Source Path       /bin/cp
> Port              Unknown
> ...
>
> -
> Summary:
> SELinux is preventing dns.up (openvpn_t) write to ./resolv.conf (net_conf_t).
>
> Detailed Description:
> SELinux denied access requested by dns.up. It is not expected that this access is required by dns.up and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./resolv.conf, restorecon -v './resolv.conf' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
> Source Context    unconfined_u:system_r:openvpn_t:s0
> Target Context    system_u:object_r:net_conf_t:s0
> Target Objects    ./resolv.conf [ file ]
> Source            dns.up
> Source Path       /bin/bash
> Port              Unknown
> ...
>
> -
> Summary:
> SELinux is preventing dns.up (openvpn_t) write openvpn_t.
>
> Detailed Description:
> SELinux denied access requested by dns.up. It is not expected that this access is required by dns.up and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
> Source Context    unconfined_u:system_r:openvpn_t:s0
> Target Context    unconfined_u:system_r:openvpn_t:s0
> Target Objects    pipe [ fifo_file ]
> Source            dns.up
> Source Path       /bin/bash
> Port              Unknown
> ...
>
> -
> Summary:
> SELinux is preventing cut (openvpn_t) getattr openvpn_t.
>
> Detailed Description:
> SELinux denied access requested by cut. It is not expected that this access is required by cut and this access may signal an intrusion attempt. It
Re: IcedTea Firefox and SELinux
insidepowe wrote:
> I have the java applet not initialized problem also and have solved it. I think there is a conflict between the jre java-plugin and the IcedTea plugin, so I removed IcedTea and the java applet is now working.
> 1. Download jre-6u1-linux-i586.bin
> 2. su--pwd--mv jre-6u1-linux-i586.bin to /usr/local
> 3. chmod a+x jre-6u1-linux-i586.bin
> 4. verify permissions: ls -l
> 5. ./jre-6u1-linux-i586.bin
> 6. Do you agree? Yes.--Done
> 7. It's installed under: /usr/local/jre1.6.0_01
> 8. cd ../lib/firefox-1.5.0.10/plugins/
> 9. ln -s /usr/local/jre1.6.0_01/plugin/i386/ns7/libjavaplugin_oji.so
> 10. Edit Preferences. Under Advanced category Select Enable Java --delete IcedTea plugin (having conflict with Java Plugin)
> I got this help from a forum but forget the source.
> p/s: use about:plugins to check what plugin has been loaded in firefox
> hope this helps :-)

If you update to the latest selinux-policy and run

restorecon -R -v /home

it should fix the labeling on the .icedteaplugin which is causing selinux problems. These problems are being caused by the defaulting of allow_unconfined_nsplugin_transition to on. This is confining the nsplugin to a limited number of directories in your homedir. If you do not want nsplugin confined, you can turn off the boolean by executing

# setsebool -P allow_unconfined_nsplugin_transition 0
Re: Problems with kdm in F10 (solved - SELinux issues)
Marcelo Magno T. Sales wrote:
> On Sun 30 Nov 2008, Rex Dieter wrote:
> > Marcelo Magno T. Sales wrote:
> > > On Sun 30 Nov 2008, Marcelo Magno T. Sales wrote:
> > > > People, I've just installed F10 and have fully updated the system. When I replace gdm with kdm, I can only log in to KDE using the root account. When I try to log in using a regular user account, I get the following error message: Cannot enter home directory. Using /. When I click ok, I get this other one: Could not start kstartupconfig4. Check your installation. If I revert to gdm, everything is fine again. What may be causing this problem? Also, user photos are not shown in kdm. The default image is displayed for every user, even though they all have had their photos configured since before F10 was installed. I did a fresh install of F10 (didn't upgrade from F9), but the /home file system was not modified. The user photos still appear in Kickoff. KDM was configured with System Configuration to show preferentially the user photos and use the default image only if users have not provided their own photos. Why aren't the user photos displayed in kdm?
> > > Both problems were solved when SELinux was disabled. Now I'm counting 5 weird problems solved by disabling SELinux.
> > That's not really a solution, just a workaround.
> Indeed, but that's the only way I could find to make it work.
> > Odd, I can't reproduce either problem with SELinux enabled. I'd venture it's either a genuine selinux issue (mislabelling) or a local configuration, or some combination of the 2.
> It's possible, I've been using these home directories since FC3. Maybe there's some old garbage in the users' dirs that is causing the problem.
> > Does setroubleshoot highlight anything out of the ordinary?
> I didn't get any warning. But would it function at the kdm login screen? Don't I have to be already logged in to get setroubleshoot warnings?
> []'s Marcelo

Try running

restorecon -R -v /home
Re: Kismet and SELinux
Mike Cloaked wrote:
> I am running an F9 system with SELinux enabled on a laptop. I recently installed kismet (yum install kismet) to check local wireless channels so I can ensure my AP does not conflict with other boxes nearby. I made the usual mods to the config files to set up sources etc and change the suiduser, but when I try to run kismet as root (in exactly the same way as previously on boxes with SElinux disabled), I get an avc denial and on the terminal I get:
> FATAL: Could not open SSID track file '/home/mike/ssid_map': permision denied.
> The SELinux denial contains a Summary: SELinux is preventing the kismet_server from using potentially mislabeled files (./ssid_map). It suggested using restorecon but this makes no difference. The context remains as previously: system_u:object_r:user_home_t:s0
> I removed the file and tried again but kismet won't start if the file is absent. I also tried to use chcon to set the context for this file - and this also makes no difference - at least with the contexts I tried for kismet_log_t and kismet_t is not permitted. Can anyone suggest how I might work around this?

kismet is not allowed to read files in the home directory, so you either need to move the ssid_map to a directory which kismet can read or modify policy to allow kismet to read the homedir. /var/lib/kismet is probably a better location. Or modify local policy with

# grep kismet /var/log/audit/audit.log | audit2allow -M mykismet
# semodule -i mykismet.pp
Re: F9 cannot boot without selinux=0
Vandaman wrote:
> My Fedora 9 box cannot boot without selinux=0. It was a nightmare doing a http install only to find it was referring to non-existent selinux policy files. I booted with selinux=0 and then a yum update solved some of the problems but now it cannot boot without selinux=0.
> [EMAIL PROTECTED] ~]$ rpm -qa | grep selinux
> libselinux-python-2.0.67-4.fc9.i386
> selinux-policy-devel-3.3.1-103.fc9.noarch
> libselinux-2.0.67-4.fc9.i386
> selinux-policy-3.3.1-103.fc9.noarch
> Regards, Vandaman.

You are missing the selinux-policy-targeted package:

yum install selinux-policy-targeted

Enable SELinux and reboot; it should relabel. You might need to do this in permissive mode.
PolicyKit Proliferation is a Security Disaster in the making.
Currently I am aware of at least 4 PolicyKit apps in Fedora 10 with a lot more on the way. I believe we are not treating these as the security vulnerability that they represent. Now I do NOT believe there is anything wrong with PolicyKit itself. The problem is in the apps that are using it.

Let's take a look at system-config-services. This service comes up and prompts me for the root password before I start and stop a service. That is good; it works just like it did when system-config-services used consolehelper. Except for one problem: it defaults to a clicked "Remember authorization", meaning the next time I run system-config-services it will NOT prompt for the password. Now there is a check box for "This session only", but it is defaulted to off also. So this means that I clicked Start A Service, entered the root password and took the default. Now any process on my desktop has the ability to start and stop any service on my machine without me even knowing about it. There also might be a bug in system-config-services communications with dbus that would allow me to spawn a root shell. This is the equivalent of, or worse than, a setuid app, and yet we do nothing to control the proliferation of these apps, while we shut down all apps that setuid.

All PolicyKit apps that require the admin password should default to "For this Session Only", and potentially for this action only. Consolekit only preserved the authentication for 5 minutes, by default; now we preserve it forever by default. The argument can be made that consolehelper used to be allowed to permanently save the user being allowed, but this involved an admin editing a file and probably a better understanding of what he is doing.

SELinux can help a little to mitigate the risk, but SELinux is not going to be running everywhere. And for something like system-config-services, SELinux can do almost nothing, since the tool needs to start and stop all services, which is a pretty high level of security.

Fedora Security team should be looking at all packages that get PolicyKit integration to make sure they are secure, have the correct PolicyKit authorization, and a security check should be put on the service side of the app. I think we should write lint apps to look at PolicyKit specifications and look for vulnerable xml policy. Rpmlint and RPMDiff should run this to make sure apps are secure by default.

--
Fedora-security-list mailing list
Fedora-security-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-security-list
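The lint idea in the post above, worked through as an added example (this is not code from the post, from Fedora or from PolicyKit): a Python script that parses a PolicyKit 0.9 style .policy file, the format Fedora 10 shipped, and flags action defaults that keep an admin authorization forever (auth_admin_keep_always / auth_self_keep_always, the defaults behind a pre-ticked "Remember authorization" with "This session only" off) or grant the action to any session without authentication. The element names and default values are PolicyKit's; the sample XML, the org.example action ids and their wording are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PolicyKit 0.9 style .policy file. The action ids,
# descriptions and defaults are invented for this example; only the element
# names and the default values come from PolicyKit itself.
SAMPLE_POLICY_XML = """\
<policyconfig>
  <action id="org.example.services.manage">
    <description>Start and stop system services</description>
    <message>System policy prevents managing services</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.status">
    <description>Read service status</description>
    <message>System policy prevents reading service status</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.reload">
    <description>Reload a service</description>
    <message>System policy prevents reloading services</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_admin_keep_session</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Defaults that remember a single password entry for good; this is what makes
# the dialog offer a permanent "Remember authorization".
KEEP_FOREVER = {"auth_admin_keep_always", "auth_self_keep_always"}
# The three session scopes a PolicyKit action declares defaults for.
SCOPES = ("allow_any", "allow_inactive", "allow_active")


def lint_policy(xml_text):
    """Return (action_id, scope, problem) tuples for defaults a reviewer should question."""
    findings = []
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        action_id = action.get("id", "<missing id>")
        defaults = action.find("defaults")
        if defaults is None:
            findings.append((action_id, "defaults", "no <defaults> element"))
            continue
        for scope in SCOPES:
            elem = defaults.find(scope)
            value = elem.text.strip() if elem is not None and elem.text else None
            if value is None:
                findings.append((action_id, scope, "no explicit default"))
            elif value in KEEP_FOREVER:
                findings.append((action_id, scope,
                                 f"{value} retains the authorization permanently after one "
                                 "password entry; use auth_admin_keep_session or auth_admin"))
            elif value == "yes" and scope != "allow_active":
                # Active local sessions may legitimately get read-only actions for
                # free; remote or inactive sessions getting them unauthenticated is
                # worth a second look.
                findings.append((action_id, scope,
                                 "granted without authentication to inactive or remote sessions"))
    return findings


def report(findings):
    """One human-readable line per finding, in rpmlint style."""
    return [f"{action_id}: <{scope}> {problem}" for action_id, scope, problem in findings]


if __name__ == "__main__":
    for line in report(lint_policy(SAMPLE_POLICY_XML)):
        print(line)
```

Run against the sample, the script flags the manage action's permanent admin authorization and the reload action's unauthenticated allow_any, and passes the read-only status action. Pointing it at the .policy files under a package's buildroot is the rpmlint-style check the post asks for; the classification of "yes" is a heuristic, so a human still decides whether a flagged action is harmless.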
Re: selinux question(s) (/home really = /n/home..)
Matt Nicholson wrote:
> The build from my kickstart is finishing updating right now (had to add oddjob/turn it on by default). Once it's done I'll send what info I can. Before I was getting a selinux alert/error, but I generated and loaded a local policy, which took care of the selinux alert, but still didn't fix xguest (it just bounces back out to GDM). More coming soon. Thanks for all the help!
> On Tue, Nov 4, 2008 at 1:54 PM, Daniel J Walsh [EMAIL PROTECTED] wrote:
> > Matt Nicholson wrote:
> > > Right, that did it (after I started the oddjobd service, that is). Now, the original reason I turned selinux back on was to use xguest... sadly, this isn't working still...
> > Why not? Are you fully up2date? xguest should be working on F9 and F10 right now.
> SNIP

I don't think you have all the packages that are in the final release of F10, since the AVC you are talking about is fixed and the libxcb package should be there also.

selinux-policy-3.5.13-11.fc10
libxcb-1.1.91-5.fc10
Re: selinux question(s) (/home really = /n/home..)
Matt Nicholson wrote:
> So, I have an environment where we pull user data/auth from ldap/kerberos for a bunch of fedora workstations. I would love to have selinux turned on on these, but right now it just doesn't work with our setup. See, your users' home directories are in a few different places. For the most part, LDAP thinks their home is at /n/home, or /n/data/home. So, I have /home bind mounted to those locations, and, with selinux off, it's all nice and happy. Another weird thing is that /home is local on these workstations, so when a user sits at a workstation for the first time, an empty homedir must be created. We hope to move to nfs /home soon, but not yet.

Can you look at using pam_oddjob_mkhomedir rather than pam_mkhomedir?

yum install oddjob\*

Should fix the problem.

> Once I turn it on, however, users cannot log in, and the home directories cannot be created. I get selinux messages like:
>
> Summary:
> SELinux is preventing sshd (sshd_t) create to ./nichols2 (home_root_t).
>
> Detailed Description:
> SELinux denied access requested by sshd. It is not expected that this access is required by sshd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./nichols2, restorecon -v './nichols2' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
> Source Context       system_u:system_r:sshd_t:s0-s0:c0.c1023
> Target Context       system_u:object_r:home_root_t:s0
> Target Objects       ./nichols2 [ dir ]
> Source               sshd
> Source Path          /usr/sbin/sshd
> Port                 Unknown
> Host                 dhcp-0016533596-c5-74
> Source RPM Packages  openssh-server-5.1p1-2.fc9
> Target RPM Packages
> Policy RPM           selinux-policy-3.3.1-103.fc9
> Selinux Enabled      True
> Policy Type          targeted
> MLS Enabled          True
> Enforcing Mode       Enforcing
> Plugin Name          catchall_file
> Host Name            dhcp-0016533596-c5-74
> Platform             Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
> Alert Count          1
> First Seen           Tue Nov 4 10:49:41 2008
> Last Seen            Tue Nov 4 10:49:41 2008
> Local ID             803e925f-1d6e-4473-9054-dbaf0c0f3abd
> Line Numbers
>
> Raw Audit Messages
> host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc: denied { create } for pid=4956 comm=sshd name=nichols2 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89): arch=4003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4 a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
>
> That's for an ssh login attempt. I get the same for one via GDM. I've tried adding context=system_r:object_r:home_root_t when I bind mount the /home on /n/home etc, and no luck so far. Do I need to relabel /n? What/how should I? Any help would be awesome.
> Thanks, Matt
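The audit2allow -M / semodule -i step Dan gives in the kismet thread above, and the raw AVC records in this thread and in the openvpn thread, are worth seeing side by side. What follows is an added example, not code from the list, from audit2allow or from the selinux-policy project: a Python script that parses AVC records from audit.log into the allow rules audit2allow would emit, renders them as a .te module, and flags any rule that would let a confined domain into home-directory types, so an administrator can read a generated module before loading it. The sshd record is the one quoted above; the kismet and openvpn records, the module name mylocal and the HOME_TYPES list are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt. The first two records are the sshd
# denial quoted in this thread; the kismet and openvpn records are made up to
# match the denials described elsewhere on this page.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1225813781.838:89): avc: denied { create } for pid=4956 comm="sshd" name="nichols2" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1225813781.838:89): arch=4003 syscall=39 success=no exit=-13 ppid=2341 pid=4956 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1226000000.100:90): avc: denied { read } for pid=5100 comm="kismet_server" name="ssid_map" scontext=unconfined_u:system_r:kismet_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1226000000.101:91): avc: denied { open } for pid=5100 comm="kismet_server" name="ssid_map" scontext=unconfined_u:system_r:kismet_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1226000000.200:92): avc: denied { write } for pid=5200 comm="dns.up" name="resolv.conf" scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
"""

# comm= may be quoted or, as in the setroubleshoot paste above, bare.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="?(?P<comm>[^"\s]+)"?'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Target types holding users' own data (constructed list). A rule against these
# usually means the file belongs elsewhere (the /var/lib/kismet advice above) or
# the label is wrong, not that the daemon should be let into home directories.
HOME_TYPES = {"home_root_t", "user_home_t", "user_home_dir_t"}


def context_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """One dict per AVC 'denied' record; SYSCALL and other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append({
            "comm": m.group("comm"),
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def build_allow_rules(denials):
    """Merge denials into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def format_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te_module(name, rules):
    """Render the rules as the .te source audit2allow -M writes before building the .pp."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {format_perms(perms)};")
    return "\n".join(lines) + "\n"


def review_rules(rules):
    """Point out rules that widen a confined domain into users' home data."""
    warnings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if ttype in HOME_TYPES:
            warnings.append(
                f"{stype} would gain {format_perms(perms)} on {ttype}:{tclass}; "
                "relocate the file or fix its label rather than loading this rule")
    return warnings


if __name__ == "__main__":
    rules = build_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG))
    print(render_te_module("mylocal", rules))
    for w in review_rules(rules):
        print("REVIEW:", w)
```

On the sample the module contains three allow rules, and the review step singles out the two that touch home-directory types (sshd_t creating under home_root_t, kismet_t reading user_home_t), which are exactly the cases where the threads above reach for pam_oddjob_mkhomedir or a move to /var/lib/kismet instead of a local policy module.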
Re: selinux question(s) (/home really = /n/home..)
Matt Nicholson wrote:
> Right, that did it (after I started the oddjobd service, that is). Now, the original reason I turned selinux back on was to use xguest... sadly, this isn't working still...

Why not? Are you fully up2date? xguest should be working on F9 and F10 right now.

SNIP