Re: need howto for SELinux config--ssh on non-standard port

2010-01-07 Thread Daniel J Walsh
On 01/06/2010 09:29 PM, John Poelstra wrote:
 I'm running sshd on a high (1024) port number and cannot find a clear
 step-by-step guide for configuring this correctly on Fedora 12. On
 google I've come across lots of random bugs and forum questions, but
 nothing that starts at the beginning of the process and goes through to the end.
 
 I'm a total SELinux newbie and usually just disable it altogether when
 things like this happen.  I'm trying to change my ways :)   Can anyone
 provide any URLs or the steps?
 
 If someone can provide the steps here I'll blog about it to get it
 documented so others do not have to suffer the same fate.
 
 Thanks,
 John
 

http://docs.fedoraproject.org/selinux-managing-confined-services-guide/en-US/F11/html/sect-Managing_Confined_Services-Configuration_examples-Changing_port_numbers.html

If the avc is for an undefined port (port_t) then you can do the command

# semanage port -a -t ssh_port_t -p tcp PORTNUM

If you are listening on a defined port (NAME_port_t), then you need to load a 
custom policy module

# grep ssh /var/log/audit/audit.log | audit2allow -M myssh
# semodule -i myssh.pp

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: SELinux is preventing /usr/sbin/cupsd ipc_lock access.

2010-01-04 Thread Daniel J Walsh
On 01/04/2010 12:52 PM, Paolo Galtieri wrote:
 I've started seeing this selinux alert
 
 SELinux is preventing /usr/sbin/cupsd ipc_lock access.
 
 [cupsd has a permissive type (cupsd_t). This access was not denied.]SELinux
 denied access requested by cupsd. It is not expected that this access is
 required by cupsd and this access may signal an intrusion attempt. It is
 also possible that the specific version or configuration of the application
 is causing it to require additional access
 
 Is this something I should be concerned about?
This is something new and will be allowed in the next policy update.  Not 
really something to be concerned about.
 
 I'm also seeing this alert
 
 SELinux is preventing /usr/bin/gok getattr access on /var/mail.
 
 SELinux denied access requested by gok. It is not expected that this access
 is required by gok and this access may signal an intrusion attempt. It is
 also possible that the specific version or configuration of the application
 is causing it to require additional access.
 
 I don't use gok so I'm not sure why I'm getting these alerts.
 
gok is doing a getattr on all mounted file systems, which is probably causing 
this avc.  It will also be allowed in next release.

Fixed in selinux-policy-3.6.32-66.fc12.noarch
 Paolo
 
 



Re: SELinux security alert

2009-12-21 Thread Daniel J Walsh
On 12/19/2009 02:06 PM, vinny wrote:
 Hello,
 I installed F12 on 2 desktops, no problem, both working perfectly.
 Lately one has developed this security problem; it suggests renaming a
 file as a possible cure. I do not understand how a file can change name
 by itself. So before I make a mess of things I had better ask for help.
 Vinny 
 
 Summary:
 
 SELinux is preventing /bin/find getattr access
 to /var/lib/misc/prelink.full.
 
 Detailed Description:
 
 [find has a permissive type (prelink_cron_system_t). This access was not
 denied.]
 
 SELinux denied access requested by find. /var/lib/misc/prelink.full may be a
 mislabeled. /var/lib/misc/prelink.full default SELinux type is prelink_var_lib_t,
 but its current type is cron_var_lib_t. Changing this file back to the default
 type, may fix your problem.
 
 File contexts can be assigned to a file in the following ways.
 
   * Files created in a directory receive the file context of the parent
     directory by default.
   * The SELinux policy might override the default label inherited from the
     parent directory by specifying a process running in context A which creates
     a file in a directory labeled B will instead create the file with label C.
     An example of this would be the dhcp client running with the dhclient_t type
     and creating a file in the directory /etc. This file would normally receive
     the etc_t type due to parental inheritance but instead the file is labeled
     with the net_conf_t type because the SELinux policy specifies this.
   * Users can change the file context on a file using tools such as chcon, or
     restorecon.
 
 This file could have been mislabeled either by user error, or if an normally
 confined application was run under the wrong domain.
 
 However, this might also indicate a bug in SELinux because the file should not
 have been labeled with this type.
 
 If you believe this is a bug, please file a bug report against this package.
 
 Allowing Access:
 
 You can restore the default system context to this file by executing the
 restorecon command. restorecon '/var/lib/misc/prelink.full', if this file is a
 directory, you can recursively restore using restorecon -R
 '/var/lib/misc/prelink.full'.
 
 Fix Command:
 
 /sbin/restorecon '/var/lib/misc/prelink.full'
 
 Additional Information:
 
 Source Context        system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
 Target Context        system_u:object_r:cron_var_lib_t:s0
 Target Objects        /var/lib/misc/prelink.full [ file ]
 Source                find
 Source Path           /bin/find
 Port                  Unknown
 Host                  localhost.localdomain
 Source RPM Packages   findutils-4.4.2-4.fc12
 Target RPM Packages   prelink-0.4.2-4.fc12
 Policy RPM            selinux-policy-3.6.32-55.fc12
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Enforcing
 Plugin Name           restorecon
 Host Name             localhost.localdomain
 Platform              Linux localhost.localdomain 2.6.31.6-166.fc12.i686.PAE #1 SMP Wed Dec 9 11:00:30 EST 2009 i686 i686
 Alert Count           4
 First Seen            Sat 12 Dec 2009 07:32:14 AM EST
 Last Seen             Sat 19 Dec 2009 01:45:15 PM EST
 Local ID              e5732596-f308-439c-9920-c4a394f95061
 Line Numbers          
 
 Raw Audit Messages
 
 node=localhost.localdomain type=AVC msg=audit(1261248315.138:22): avc:
 denied  { getattr } for  pid=2950 comm=find
 path=/var/lib/misc/prelink.full dev=dm-0 ino=2402
 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
 
 node=localhost.localdomain type=SYSCALL msg=audit(1261248315.138:22):
 arch=4003 syscall=300 success=yes exit=0 a0=ff9c a1=8594704
 a2=85946a4 a3=100 items=0 ppid=2949 pid=2950 auid=0 uid=0 gid=0 euid=0
 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=find
 exe=/bin/find
 subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
 
 
 
 

Fixed in selinux-policy-3.6.32-59.fc12.noarch
yum update selinux-policy-targeted --enablerepo=updates-testing

I believe this is now fixed in this release.



Re: Selinux message F-12 -

2009-12-14 Thread Daniel J Walsh
On 12/14/2009 06:01 AM, Bob Goodwin wrote:
 
 I keep seeing a star icon in the F-12 box which produces the message
 below. I wonder if it has anything to do with my ssh problems?
 
 What does it mean? What must I do to satisfy it?
 
 Bob
 
 #
 
 Summary:
 
 SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1
 sys_tty_config access.
 
 Detailed Description:
 
 [polkit-agent-he has a permissive type (policykit_auth_t). This access was not
 denied.]
 
 SELinux denied access requested by polkit-agent-he. It is not expected that this
 access is required by polkit-agent-he and this access may signal an intrusion
 attempt. It is also possible that the specific version or configuration of the
 application is causing it to require additional access.
 
 Allowing Access:
 
 You can generate a local policy module to allow this access - see FAQ
 (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
 report.
 
 Additional Information:
 
 Source Context        unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
 Target Context        unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
 Target Objects        None [ capability ]
 Source                polkit-agent-he
 Source Path           /usr/libexec/polkit-1/polkit-agent-helper-1
 Port                  Unknown
 Host                  box6
 Source RPM Packages   polkit-0.95-0.git20090913.3.fc12
 Target RPM Packages
 Policy RPM            selinux-policy-3.6.32-55.fc12
 Selinux Enabled       True
 Policy Type           targeted
 Enforcing Mode        Enforcing
 Plugin Name           catchall
 Host Name             box6
 Platform              Linux box6 2.6.31.6-166.fc12.i686.PAE #1 SMP Wed Dec 9 11:00:30 EST 2009 i686 i686
 Alert Count           10
 First Seen            Wed 09 Dec 2009 10:03:47 AM EST
 Last Seen             Sun 13 Dec 2009 07:36:40 PM EST
 Local ID              71279b6b-af71-4208-85fe-64503a292646
 Line Numbers
 
 Raw Audit Messages
 
 node=box6 type=AVC msg=audit(1260751000.112:20114): avc:  denied  {
 sys_tty_config } for  pid=15535 comm=polkit-agent-he capability=26
 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023
 tclass=capability
 
 node=box6 type=SYSCALL msg=audit(1260751000.112:20114): arch=4003
 syscall=54 success=yes exit=0 a0=2 a1=5401 a2=bfa30888 a3=bfa3099c
 items=0 ppid=14661 pid=15535 auid=501 uid=501 gid=501 euid=0 suid=0
 fsuid=0 egid=501 sgid=501 fsgid=501 tty=(none) ses=1
 comm=polkit-agent-he exe=/usr/libexec/polkit-1/polkit-agent-helper-1
 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
 
 
 
 
 
 
I am not sure why policykit_auth_t would need to configure the tty and I am 
dontauditing it in the next update release, which I will
push as soon as fedora infrastructure gets put back up.

Fixed in selinux-policy-3.6.32-59.fc12.noarch



Re: httpd with symbolic links and selinux enabled

2009-12-02 Thread Daniel J Walsh
On 12/01/2009 11:47 PM, Tim wrote:
 On Tue, 2009-12-01 at 12:04 -0500, Daniel J Walsh wrote:
 You need to fix the context to match that in public_html
  
 chcon -R -t httpd_user_content_t foo 
  
 Would do it.
 
 If that's the problem (just SELinux preventing serving), you'd also have
 to keep re-changing the contexts, every time there was a SELinux
 relabel, and every time you created new files in that location.  Or, set
 a policy rule so that files, automatically get suitable contexts for
 those file locations.
 
Yes that is true.

I have also added a boolean to allow apache to read all files in the homedir, 
httpd_read_user_content

setsebool -P httpd_read_user_content 1



Re: httpd with symbolic links and selinux enabled

2009-12-01 Thread Daniel J Walsh
On 11/26/2009 03:54 AM, Justin Jereza wrote:
 Have you configured Apache to follow symlinks?
 http://localhost/manual/mod/core.html#options
 
 Yes, Apache follows symlinks. That's why http://localhost/~user/foo/
 is accessible.
 
 You also need appropriate file and directory permissions (world readable
 files and directories, and directories need to be world executable,
 too).
 
 All necessary permissions are set. Only directories inside ~/foo that
 contain symlinks are inaccessible. Remove the symlinks, and they
 become accessible. Also, http://localhost/~user/foo/bar/baz.html is
 accessible even though http://localhost/~user/foo/bar/ isn't. Finally,
 symlinks within ~/public_html itself work fine. So it seems that
 symlinks within symlinks are the only ones that give me trouble.
 
 Should have attached the following log messages earlier:
 
 Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11484):
 avc:  denied  { read } for  pid=21208 comm=httpd name=index.html
 dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0
 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
 Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11485):
 avc:  denied  { getattr } for  pid=21208 comm=httpd
 path=/home/justin/foo/bar/index.html dev=dm-2 ino=5144788
 scontext=unconfined_u:system_r:httpd_t:s0
 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
 
You need to fix the context to match that in public_html

chcon -R -t httpd_user_content_t foo 

Would do it.

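A triage script added here as an editor's example (not code from the list, from Dan's tools or from the Fedora policy) that parses AVC lines like the ones quoted in the sshd-port, httpd symlink and prelink threads above and maps each to the remedy given there: semanage port or a custom module for a daemon binding a port, chcon or the httpd_read_user_content boolean for httpd reading home-directory content, and restorecon when the current label differs from the policy default. DOMAIN_PORT_TYPE and DEFAULT_TYPE are assumed stand-ins for the policy's port rules and for matchpathcon output; the sshd and NetworkManager log lines are constructed.

```python
"""Triage SELinux AVC denials into the remedies given in these threads.
Added example, not code from the list; DOMAIN_PORT_TYPE and DEFAULT_TYPE are
constructed stand-ins for the policy's port rules and for matchpathcon output.
"""
import os
import re

# Target types that mean "no service has claimed this port yet".
UNDEFINED_PORT_TYPES = {"port_t", "unreserved_port_t"}
# Port type each daemon domain is meant to bind (assumed mapping).
DOMAIN_PORT_TYPE = {"sshd_t": "ssh_port_t", "httpd_t": "http_port_t"}
# Policy default type for paths from the threads (stand-in for matchpathcon).
DEFAULT_TYPE = {"/var/lib/misc/prelink.full": "prelink_var_lib_t",
                "/var/tmp": "tmp_t"}
HOME_TYPES = {"user_home_t", "user_home_dir_t"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)")


def parse_avc(line):
    """Parse one audit.log/dmesg AVC line into a dict, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
    return {"perms": set(m.group(1).split()), "fields": f,
            "stype": f["scontext"].split(":")[2],   # type of the process
            "ttype": f["tcontext"].split(":")[2],   # type of the object
            "tclass": f["tclass"]}


def triage(avc, module="mylocal"):
    """Map one parsed denial to the fix discussed on the list: (kind, command)."""
    comm = avc["fields"].get("comm", avc["stype"]).strip('"')
    module_cmd = (f"grep {comm} /var/log/audit/audit.log | "
                  f"audit2allow -M {module} && semodule -i {module}.pp")
    # 1. A daemon binding a port (sshd on a non-standard port).
    if avc["tclass"] in ("tcp_socket", "udp_socket") and "name_bind" in avc["perms"]:
        proto, port = avc["tclass"][:3], int(avc["fields"]["src"])
        wanted = DOMAIN_PORT_TYPE.get(avc["stype"])
        if wanted and avc["ttype"] in UNDEFINED_PORT_TYPES:
            return "port", f"semanage port -a -t {wanted} -p {proto} {port}"
        return "module", module_cmd  # port already belongs to another service
    if avc["tclass"] in FILE_CLASSES:
        path = avc["fields"].get("path") or avc["fields"].get("name", "")
        is_dir = avc["tclass"] == "dir"
        # 2. httpd reading content under a home directory (symlink thread):
        #    relabel the containing tree, or flip the boolean instead.
        if avc["stype"] == "httpd_t" and avc["ttype"] in HOME_TYPES:
            tree = path if is_dir else (os.path.dirname(path) or path)
            return "label", (f"chcon -R -t httpd_user_content_t '{tree}'"
                             " # or: setsebool -P httpd_read_user_content 1")
        # 3. Current label differs from the policy default (prelink, /var/tmp).
        default = DEFAULT_TYPE.get(path)
        if default and default != avc["ttype"]:
            return "relabel", f"restorecon {'-R ' if is_dir else ''}'{path}'"
    # 4. Not a labeling problem: policy needs extending (or a dontaudit rule).
    return "module", module_cmd


def triage_log(lines):
    """Triage every AVC line in `lines`, skipping anything that is not one."""
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc:
            results.append((avc["stype"], avc["tclass"]) + triage(avc))
    return results


# Sample input: two denials quoted in the threads above, plus two constructed
# ones (sshd binding port 2222; NetworkManager stat'ing a mislabeled /var/tmp).
SAMPLE_LOG = [
    "type=AVC msg=audit(1261248315.138:22): avc:  denied  { getattr } for  "
    "pid=2950 comm=find path=/var/lib/misc/prelink.full dev=dm-0 ino=2402 "
    "scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file",
    "type=1400 audit(1259225366.816:11485): avc:  denied  { getattr } for  "
    "pid=21208 comm=httpd path=/home/justin/foo/bar/index.html dev=dm-2 "
    "ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0 "
    "tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file",
    "type=AVC msg=audit(1262900000.000:1): avc:  denied  { name_bind } for  "
    "pid=1200 comm=sshd src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket",
    "type=AVC msg=audit(1258000000.000:2): avc:  denied  { getattr } for  "
    "pid=900 comm=nm-system-setti path=/var/tmp dev=dm-0 ino=2 "
    "scontext=system_u:system_r:NetworkManager_t:s0 "
    "tcontext=system_u:object_r:mount_tmp_t:s0 tclass=dir",
]

if __name__ == "__main__":
    for stype, tclass, kind, cmd in triage_log(SAMPLE_LOG):
        print(f"{stype:26s} {tclass:10s} {kind:8s} {cmd}")
```

Feed it `grep avc /var/log/audit/audit.log` output; anything that comes out as "module" is the case where the setroubleshoot report, not a relabel, is the place to start.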


Re: Updating selinux-policy-targeted-3.6.32-46.fc12.noarch failed

2009-12-01 Thread Daniel J Walsh
On 11/29/2009 09:51 AM, Neal Becker wrote:
   Updating   : selinux-policy-targeted-3.6.32-46.fc12.noarch 
 94/302 
 libsepol.scope_copy_callback: audioentropy: Duplicate declaration in 
 module: type/attribute entropyd_var_run_t (No such file or directory).
 libsemanage.semanage_link_sandbox: Link packages failed (No such file or 
 directory).
 semodule:  Failed!
 
 

Try to remove the entropyd package

semodule -r audio_entropy



Re: Issue with F13 dracut/kernel/selinux

2009-11-17 Thread Daniel J Walsh
On 11/17/2009 04:12 AM, Bruno Wolff III wrote:
 I just went to rawhide over the last day and am not able to boot into
 kernel 2.6.32-0.48.rc7.git1.fc13 unless selinux is disabled. (permissive
 isn't good enough). I can boot into my old kernel 2.6.31.5-127.fc12 which
 had a dracut generated image from before the upgrade. The error occurs
 when udev is trying to unlock my nonroot partitions. I get an error
 message referring to filesetcon not working on a /dev/mapper file. I get
 asked for passwords again (since all of the file systems have the same
 luks password I normally don't have to do this) and the correct password
 doesn't work. If I boot with selinux=0, the system boots with the
 2.6.32-0.48.rc7.git1.fc13 kernel (but then I have to relabel the next
 time I boot without that option).
 I am using selinux-policy-targeted-3.6.33-1.fc13.
 
I have not made the leap yet to F13 to see what the problems are.  I will look 
into this.

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: trying to understand SELinux message

2009-11-17 Thread Daniel J Walsh
On 11/17/2009 03:05 AM, Ian Malone wrote:
 2009/11/16 Tim ignored_mail...@yahoo.com.au:
 On Mon, 2009-11-16 at 13:56 +0800, Mr. Teo En Ming (Zhang Enming) wrote:
 Well, for home or personal use systems, you don't really need SELinux.
 SELinux is for mission critical servers.

 Until you do something that SELinux would have protected you from...

 People do actually do things that need securing, on home computers (do
 their banking, etc.).  Just browsing the internet and reading your mail
 are the two major points of breakdown on the Windows world, and I'd like
 it if that problem doesn't migrate over to Linux, as well.

 
 SELinux is not going to protect you from phishing or cross site
 scripting attacks.  It's not going to offer much protection for just
 browsing the internet.
 
 On the other hand, disabling it is often part of my troubleshooting
 process and I've had times (even with F11) when that has been
 necessary just to get a working system.  I'll aim to get things
 working 'properly' (i.e. with it on) again, but to see disabling
 SELinux equated with running as root elsewhere in this thread is a bit
 surprising.
 

I don't want to get embroiled in the debate.  I would like to point out a 
little paper I wrote called "SELinux four things", where I try to describe the 
4 things that can cause SELinux to complain, and how to remedy them.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

SELinux has many ways that can fairly easily be customized to reach your 
security goals, if you understand what
SELinux is doing.



Re: selinux and home dirs

2009-11-17 Thread Daniel J Walsh
On 11/17/2009 05:27 PM, Wolfgang S. Rupprecht wrote:
 
 How do I add a second /home tree to selinux so that both /home and
 /home2 have the same policies and restorecon correctly?  There seems to
 be quite a bit of logic in
 /etc/selinux/targeted/contexts/files/file_contexts.homedirs to treat the
 files in the home directory specially, but I can't see where the /home/
 string gets set.
 
 -wolfgang
Are you doing this in F12?

If yes then please update the policycoreutils package in updates-testing.

And look at semanage fcontext --equiv




Re: trying to understand SELinux message

2009-11-16 Thread Daniel J Walsh
On 11/16/2009 12:09 AM, Paul Allen Newell wrote:
 Hello:
 
 I just upgraded two of my systems to latest yum update
 (2.6.30.9-96.fc11.i686.PAE) with the hopes that the CD and DVD issues
 have been resolved (they have, almost, but thats a separate bugzilla
 report).
 
 What I am querying about in this email is a message that I am seeing
 when I log in as root (yes, I know the caveats and try to respect, but I
 always make sure the ability is there if I need it). I log in from the
 start page GUI and there are no problems until, after a couple of
 seconds later, a pop-up from the star icon in the upper right says I
 got problems. I open it up and it says:
 
 SELinux is preventing the gdm-session-wor from using potentially
 mislabeled files (/root).
 
 Okay, that's nice to know, but I have no idea what it is trying to tell
 me needs to be fixed. I've got a couple files in the home directory but
 nothing looks funny about them (*.txt cut-and-paste of yum
 update/installs and an html of how-to-install f11 from scratch).
 
 I have edited both /etc/pam.d/gdm and /etc/pam.d/gdm-password per Fedora
 website instructions to allow root access.
 
 Closer inspection says that I first began getting this message on
 20jun09 after a yum update (I did original f11 install at the beginning
 of June). I just hadn't noticed it since I don't often log in as root,
 though I do remember seeing something in the summer and figuring it was
 a glip that would get fixed in future updates).
 
 Any suggestions as to what I should be looking for to get rid of this
 message ... if I do indeed actually need to pay attention to it. If
 there is more info I can provide, please let me know what it is and how
 to get it and I will gladly post such.
 
 Thanks in advance,
 Paul
 
 
Paul, SELinux policy cannot be written in such a way as to allow you to run X 
Windows as root.

The problem is too many applications require rights to write to the homedir and 
we want to treat /root differently than /home.
Allowing a confined application to write to /root would allow it to do evil stuff 
by replacing /root/.bashrc for example.

And the next time an admin logged in the script would run.  

If you require running X as root then you will need to put SELinux into 
permissive mode.  In F12 we are now preventing users from logging in as root 
from GDM because it is so dangerous from a security point of view.

Imagine running firefox as root and what problems it can cause.




Re: cups-pdf and selinux

2009-11-13 Thread Daniel J Walsh
Don't worry about it, you are not alone...  :^(



Re: cups-pdf and selinux

2009-11-12 Thread Daniel J Walsh
On 11/12/2009 01:24 PM, Henrique Koesjan wrote:
 Hi Daniel,
 
 Find attached the message. Thanks in advance.
 
 henri
 
 On Wed, Nov 11, 2009 at 12:41 PM, Daniel J Walsh dwa...@redhat.com wrote:
 On 11/11/2009 09:08 AM, Henrique Koesjan wrote:
 Does anyone know how to make cups-pdf work with selinux? I've tried
 #setsebool -P cupsd_disable_trans 1 but it does not seem to work.

 Sumário
 SELinux is preventing gs (cups_pdf_t) search to / (mount_tmp_t).

 Descrição detalhada
 SELinux denied access requested by gs. / may be a mislabeled. /
 default SELinux type is root_t, but its current type is mount_tmp_t.
 Changing this file back to the default type, may fix your problem.

 henri

 Could you attach the complete setroubleshoot message.


You have mislabeled your /var/tmp directory

chcon -R -t tmp_t /var/tmp 

Will fix the problem



Re: cups-pdf and selinux

2009-11-12 Thread Daniel J Walsh
On 11/12/2009 02:29 PM, Henrique Koesjan wrote:
 Too many thanks, Daniel.
 
 3 seconds for solving troubles! Sincerely, this mailing list (the
 people in it) helps less experienced users, and all users I
 believe, a lot.
 
 henri, many thanks again.
 
Henri, 

Can you please go back and read the setroubleshoot, it told you what was 
wrong...

 Sumário:
 
 SELinux is preventing nm-system-setti (NetworkManager_t) getattr to /var/tmp
 (mount_tmp_t).
 
 Descrição detalhada:
 
 SELinux denied access requested by nm-system-setti. /var/tmp may be a
 mislabeled. /var/tmp default SELinux type is tmp_t, but its current type is
 mount_tmp_t. Changing this file back to the default type, may fix your problem.
 
 File contexts can be assigned to a file in the following ways.
 
   * Files created in a directory receive the file context of the parent
     directory by default.
   * The SELinux policy might override the default label inherited from the
     parent directory by specifying a process running in context A which creates
     a file in a directory labeled B will instead create the file with label C.
     An example of this would be the dhcp client running with the dhclient_t type
     and creates a file in the directory /etc. This file would normally receive
     the etc_t type due to parental inheritance but instead the file is labeled
     with the net_conf_t type because the SELinux policy specifies this.
   * Users can change the file context on a file using tools such as chcon, or
     restorecon.
 
 This file could have been mislabeled either by user error, or if an normally
 confined application was run under the wrong domain.
 
 However, this might also indicate a bug in SELinux because the file should not
 have been labeled with this type.
 
 If you believe this is a bug, please file a bug report
 (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
 
 Permitindo acesso:
 
 You can restore the default system context to this file by executing the
 restorecon command. restorecon '/var/tmp', if this file is a directory, you can
 recursively restore using restorecon -R '/var/tmp'.
 
 Reparar comando:
 
 restorecon '/var/tmp'



Re: cups-pdf and selinux

2009-11-11 Thread Daniel J Walsh
On 11/11/2009 09:08 AM, Henrique Koesjan wrote:
 Does anyone know how to make cups-pdf work with selinux? I've tried
 #setsebool -P cupsd_disable_trans 1 but it does not seem to work.
 
 Sumário
 SELinux is preventing gs (cups_pdf_t) search to / (mount_tmp_t).
 
 Descrição detalhada
 SELinux denied access requested by gs. / may be a mislabeled. /
 default SELinux type is root_t, but its current type is mount_tmp_t.
 Changing this file back to the default type, may fix your problem.
 
 henri
 
Could you attach the complete setroubleshoot message.



Re: A question about allow_unconfined_mmap_low in f11 amd selinux

2009-11-09 Thread Daniel J Walsh
On 11/09/2009 03:15 PM, Justin wrote:
 On Mon, Nov 9, 2009 at 2:40 PM, Mike Cloaked mike.cloa...@gmail.com wrote:
 Eric Paris eparis at redhat.com writes:

 I have Crossover installed and not wine, and just checked:
 [mike at home1 ~]$ cat /proc/sys/vm/mmap_min_addr
 65536

 This is an f11 box.  I also set the boolean by doing
 # setsebool -P allow_unconfined_mmap_low 1

 Bad news!  For maximum protection would want that bool off.  You do not
 want to ALLOW unconfined to mmap low memory.

 -Eric

 Many thanks Eric - I just tried unsetting the boolean -
 # setsebool -P allow_unconfined_mmap_low 0

 Excel and Word 2003 still run in Crossover after resetting it without AVCs
 popping up - I will unset it in the other machines where I have this also -
 I guess selinux policy may have changed so that setting it as I did 
 originally
 is no longer necessary.
 
 Really? For me there is no allow_unconfined_mmap_low at all and I'm
 definitely still getting the error with any Wine application with
 mmap_low_allowed set to 0.
 
 selinux-policy-3.6.32-41.fc12.noarch
 
The name has changed between RHEL5 - allow_unconfined_mmap_low and F12 - 
mmap_low_allowed 

The meaning has also changed 

In RHEL5:

unconfined domains are allowed to mmap_low if the boolean is set.  vbetool and 
wine are allowed whether or not the boolean is set.

In F12:

No domains are allowed to mmap_low unless the boolean is set.  If it is set, 
wine, vbetool and unconfined domains are allowed to mmap_zero.

One of you is running wine in RHEL5 which is allowed to mmap_zero without the 
boolean.  We changed this in F12 so that wine will break without the boolean 
set.



Re: conflict between seedit - selinux-policy and qstat - torque-client

2009-11-09 Thread Daniel J Walsh
On 11/04/2009 01:38 PM, Bill Nottingham wrote:
 Because seedit getting installed causes selinux-policy-targeted and friends 
 to get screwed up.
 
 That sounds like a reason to not ship seedit. Am I missing something?
 
 Bill
 
I would not ship it.



Re: A question about allow_unconfined_mmap_low in f11 amd selinux

2009-11-04 Thread Daniel J Walsh
On 11/03/2009 04:35 PM, Adam Jackson wrote:
 On Tue, 2009-11-03 at 21:31 +, Mike Cloaked wrote:
 For people running wine or Crossover and using MS Office 2003 and related 
 codes
 it is necessary to do:
 # setsebool -P allow_unconfined_mmap_low 1
 To prevent AVC denials.

 However there is recent publicity at 
 http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability/
 which highlights that there is still a vulnerability in the kernel if this is
 set.

 For people running f11 with this boolean set how can one run wine and still
 remain secure? i.e. what should an admin do to protect the system?
 
 You can't.
 
 If I'm being slightly less flip: run wine in a kvm instance with selinux
 disabled, forward X to the host.
 
 - ajax
 

You can run with SELinux in enforcement.  

mmap_low_allowed is the name of the boolean moving forward.



Re: conflict between seedit - selinux-policy and qstat - torque-client

2009-11-04 Thread Daniel J Walsh
On 11/04/2009 08:14 AM, Rudolf Kastl wrote:
 Why do those packages have to conflict with each other?
 
 1. seedit and selinux-policy-{targeted,mls} - i dont see a single
 file conflicting atleast with the targeted policy...
 
 2. qstat and torque-client both provide a qstat binary... is there
 anything done to get that resolved upstream? or is it a conflicts and
 forget scenario?
 
 from my personal pov conflicts should be resolved instead of just
 marked so things can be properly installed in parallel. everything
 else looks broken to me.
 
 kind regards,
 Rudolf Kastl
 
Because seedit getting installed causes selinux-policy-targeted and friends to 
get screwed up. People doing install-everything installs accidentally get seedit 
installed, start reporting weird bugs to the selinux-policy package and are 
shocked that they are not in the default install.  




Re: A question about allow_unconfined_mmap_low in f11 amd selinux

2009-11-04 Thread Daniel J Walsh
On 11/04/2009 10:23 AM, mike cloaked wrote:
 Daniel J Walsh dwalsh at redhat.com writes:
 
 You can run with SELinux in enforcement.

 mmap_low_allowed is the name of the boolean moving forward.

 
 By moving forward do you mean that one can, in f11, reset the
 original boolean and set boolean mmap_low_allowed instead, in a
 forthcoming policy update?
 
 Or is this a planned change coming for f12 but not yet policy in
 earlier versions?
 
 Thanks
 
The allow_unconfined_mmap_zero boolean was meant to allow unconfined_domains to 
mmap_zero.
vbetool_exec_t and wine_exec_t have this capability without the boolean.

We have removed that altogether.  

Now out of the box NO apps will have the ability to mmap_zero.  If you want to 
run wine or vbetool (hopefully fixed soon) you will have to set the boolean.  
All unconfined_domains will then also continue to have this access.

This access has proven to be a critical security feature, and several 
kernel/root vulnerabilities will be prevented by turning this boolean off, with 
the only downside being that old windows applications are prevented from running 
by default in wine (if vbetool is fixed).



Re: A question about allow_unconfined_mmap_low in f11 amd selinux

2009-11-04 Thread Daniel J Walsh
On 11/04/2009 10:23 AM, mike cloaked wrote:
 Daniel J Walsh dwalsh at redhat.com writes:
 
 You can run with SELinux in enforcement.

 mmap_low_allowed is the name of the boolean moving forward.

 
 By moving forward do you mean that one can, in f11, reset the
 original boolean and set boolean mmap_low_allowed instead, in a
 forthcoming policy update?
 
 Or is this a planned change coming for f12 but not yet policy in
 earlier versions?
 
 Thanks
 
We have setroubleshoot plugins that explain exactly to the users what they need 
to do to make their wine apps run.



Re: Selinux Hates Samsung CLX3175FN Printer

2009-10-21 Thread Daniel J Walsh
On 10/21/2009 02:10 PM, Jim wrote:
 FC11/KDE
 
 Samsung has a very good printer in the CLX3175FN Lazer , I picked up for
 $250.00 at OfficeMax, a $400.00 printer.
 
 Anyhow You can get the printer drivers for Linux on their Support Site.
 When installing the print drivers you have to do it from su - .
 Selinux won't let the printer to print until you do a  touch
 /.autorelabel and reboot computer.
 
 Then you can print, but you still get Selinux complaining about a file
 here and there for the printer that requires a restorecon -R -v .
 
 Why doesn't Selinux do the proper relabeling when it does
 /.autorelabel  ??
 
Please attach the AVC messages you are seeing from cups that is causing you a 
problem

/var/log/audit/audit.log

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


If you are building a dbus/PolicyKit mechanism please tell SELinux developers about it.

2009-10-09 Thread Daniel J Walsh
Remember if you need to build a tool that will run partially as root, we would 
like to write policy to confine it.  A badly written Dbus activation service 
can be just as dangerous as a badly written setuid application.  We need to 
have SELinux confinement on the root portion of your application.

Dan

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: Why SELinux is preventing /usr/lib64/nspluginwrapper/npviewer.bin execmem access on Unknown?

2009-10-09 Thread Daniel J Walsh
On 10/09/2009 01:41 PM, Petrus de Calguarium wrote:
 I have noticed that trying to play some videos on You 
 Tube generates this selinux denial and the video refuses 
 to play.
 
 However, other videos on You Tube don't generate this 
 error and play just peachy.
 
 What makes the videos different to selinux?
 
 
Probably some code paths in flashplayer are causing execmem while others are not.


Which Version of the OS/Policy are you seeing execmem problems at youtube?

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: Why SELinux is preventing /usr/lib64/nspluginwrapper/npviewer.bin execmem access on Unknown?

2009-10-09 Thread Daniel J Walsh
On 10/09/2009 02:53 PM, Petrus de Calguarium wrote:
 Daniel J Walsh wrote:
 
 Which Version of the OS/Policy are you seeing execmem 
 problems at youtube?
 
 selinux-policy-targeted-3.6.32-22.fc12.noarch
 
 Using f11.92, obviously :-)
 
 
Download the latest policy package from koji; it should fix your problems.


http://koji.fedoraproject.org/koji/buildinfo?buildID=135962

I just submitted a request to get this package into beta.

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: Mock/Pungi and selinux for building re-spins in f11

2009-10-07 Thread Daniel J Walsh
On 10/07/2009 08:42 AM, Julian Aloofi wrote:
 Am Dienstag, den 06.10.2009, 12:57 -0700 schrieb Mike Cloaked:
 Does anyone know if it is still current practice to set SELinux to permissive
 before doing a spin re-build in mock/pungi in F11?

 Or has selinux policy now reached the point of refinement such that running
 a respin build works fine with selinux enforcing?

 Would be useful to know - I have not done respin builds since F10 so I am a
 little out of touch with current practice.

 Thanks in advance.
 -- 
 View this message in context: 
 http://www.nabble.com/Mock-Pungi-and-selinux-for-building-re-spins-in-f11-tp25775562p25775562.html
 Sent from the Fedora List mailing list archive at Nabble.com.

 Yes, that's still required to successfully build a re-spin in pungi and
 revisor if I remember correctly.
 
Could someone send me a list of AVCs.  Is this the same problem that livecd 
has?  Building a different OS causes its policy to be loaded during the 
install.  We should be able to convince the Mock environment that SELinux is 
disabled, and then allow mock the ability to put down the labels like we do 
with livecd.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: Mock/Pungi and selinux for building re-spins in f11

2009-10-07 Thread Daniel J Walsh
On 10/07/2009 01:51 PM, Mike Cloaked wrote:
 
 
 Daniel J Walsh wrote:

 On 10/07/2009 08:42 AM, Julian Aloofi wrote:
 Am Dienstag, den 06.10.2009, 12:57 -0700 schrieb Mike Cloaked:
 Does anyone know if it is still current practice to set SELinux to
 permissive
 before doing a spin re-build in mock/pungi in F11?

 Or has selinux policy now reached the point of refinement such that
 running
 a respin build works fine with selinux enforcing?

 Would be useful to know - I have not done respin builds since F10 so I
 am a
 little out of touch with current practice.

 Thanks in advance.
 -- 
 View this message in context:
 http://www.nabble.com/Mock-Pungi-and-selinux-for-building-re-spins-in-f11-tp25775562p25775562.html
 Sent from the Fedora List mailing list archive at Nabble.com.

 Yes, that's still required to successfully build a re-spin in pungi and
 revisor if I remember correctly.

 Could someone send me a list of AVCs.  Is this the same problem that
 livecd has?  Building a different OS causes its policy to be loaded
 during the install.  We should be able to convince the Mock environment
 that SELinux is disabled, and then allow mock the ability to put down the
 labels like we do with livecd.


 
 Dan, I'll try and do a test build in the next couple of days, and post AVCs
 if they pop up - would it be best to do this in a BZ report, rather than to
 Fedora list? If so which component? selinux or mock/pungi?
Open up one bug on mock/pungi with me cc'd and we can fix it, since I think 
most of the changes have to be made in Mock to fake SELinux into thinking it is 
disabled, or a fake /selinux like livecd has.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: Selinux Problems

2009-10-06 Thread Daniel J Walsh
On 10/05/2009 05:27 PM, Paolo Galtieri wrote:
 On Mon, Oct 5, 2009 at 2:13 PM, Daniel J Walsh dwa...@redhat.com wrote:
 
 On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
 On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh dwa...@redhat.com
 wrote:

 On 10/05/2009 02:08 PM, Jim wrote:
 FC11/Kde

 Trying to print on a Samsung CLX-3175FN.
 Selinux is playing havoc with printer drivers, these drivers are from
 Samsung and I'm getting many Selinux Alerts, too many to keep running
 Restorecon.
 The printing is coming out with double columns with 1/8 white lines
 down through text or pictures.
 There are no GPL drivers for this printer, it's too new!

 If I disable Selinux, the printer will print normal.

 How do I relabel all the files on the computer ?
 do I relabel from telinit 3 or what ?

 Please show me the AVC's you are seeing.  Or send me a compressed
 /var/log/audit/audit.log

 --
 fedora-list mailing list
 fedora-list@redhat.com
 To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 Guidelines:
 http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


 I have seen the following SELinux alert:

 SELinux is preventing hp (hplip_t) name_bind howl_port_t.

 lpstat -t shows

 printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23
 AM
 MST -
 /usr/lib/cups/backend/hp failed

 If I change the URI associated with the printer config from

 hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet

 to

 hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71

 then the alerts go away.

 The printer is an HP printer and was configured using hp-setup.

 Paolo


 Could you grep for howl_port_t and attach the output

 grep howl_port_t /var/log/audit/audit.log


 --
 fedora-list mailing list
 fedora-list@redhat.com
 To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 Guidelines:
 http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

 
 type=AVC msg=audit(1254414474.185:50294): avc:  denied  { name_bind } for
 pid=18462 comm=hp src=5353
 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
 type=AVC msg=audit(1254414573.360:50295): avc:  denied  { name_bind } for
 pid=18499 comm=hp src=5353
 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
 type=AVC msg=audit(1254414980.894:50346): avc:  denied  { name_bind } for
 pid=18699 comm=hp src=5353
 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
 type=AVC msg=audit(1254415674.640:50382): avc:  denied  { name_bind } for
 pid=18942 comm=hp src=5353
 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
 type=AVC msg=audit(1254415783.474:50425): avc:  denied  { name_bind } for
 pid=19012 comm=hp src=5353
 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
 type=AVC msg=audit(1254415964.178:50441): avc:  denied  { name_bind } for
 pid=19154 comm=hp src=5353
 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
 
 Paolo
 
 
I guess the question is why hplip wants to listen on the Multicast DNS 
port.  If this is supposed to happen, we need to add it to policy.

You can add it for now using audit2allow

# grep hplip_t /var/log/audit/audit.log | audit2allow -M myhplip
# semodule -i myhplip.pp

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
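To see what a grep like the one above actually pulls out of the audit log before it is handed to audit2allow, here is an added shell example that groups AVC denials by permission, source type, target type and object class. It is not from the thread and is not part of audit2allow or setroubleshoot. The two hplip records come from Paolo's log above, re-joined onto single lines; the third AVC record, the SYSCALL record and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread and not part of audit2allow: summarize
# AVC denials so a batch of records can be reviewed before it becomes policy.

# Sample input.  The first and third records are the hplip name_bind denials
# from the thread re-joined onto single lines; the SYSCALL record and the
# last AVC record are constructed so filtering and grouping are visible.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1254414474.185:50294): avc:  denied  { name_bind } for  pid=18462 comm="hp" src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1254414474.185:50294): arch=40000003 syscall=102 success=no exit=-13 comm="hp" exe="/usr/lib/cups/backend/hp" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1254414573.360:50295): avc:  denied  { name_bind } for  pid=18499 comm="hp" src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254416000.000:50500): avc:  denied  { read write } for  pid=19300 comm="hp" name="lp0" dev=tmpfs ino=1234 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
EOF
}

# avcs_for_type SOURCE_TYPE
#   Keep only records whose scontext type is SOURCE_TYPE.  This is the job
#   Dan's "grep hplip_t /var/log/audit/audit.log" does, but matched on the
#   scontext field instead of anywhere on the line.
avcs_for_type() {
    grep -E "scontext=[^ ]*:$1:"
}

# summarize_avcs
#   Read audit.log lines on stdin and print one line per distinct denial:
#   "COUNT PERMISSIONS SOURCE_TYPE TARGET_TYPE CLASS", most frequent first.
#   Non-AVC records (SYSCALL, PATH, ...) and granted AVCs are ignored.
summarize_avcs() {
    awk '
        # user:role:type[:range] -> type
        function type_of(ctx,    parts, n) {
            n = split(ctx, parts, ":")
            return n >= 3 ? parts[3] : ctx
        }
        /^type=AVC / && /avc: +denied +[{]/ {
            perms = ""; sctx = ""; tctx = ""; cls = ""
            # the permission set sits between the braces: "{ name_bind }"
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      sctx = type_of(substr($i, 10))
                else if ($i ~ /^tcontext=/) tctx = type_of(substr($i, 10))
                else if ($i ~ /^tclass=/)   cls  = substr($i, 8)
            }
            count[perms " " sctx " " tctx " " cls]++
        }
        END {
            for (k in count) printf "%d %s\n", count[k], k
        }
    ' | sort -rn
}

# Demo over the sample.  On a real box the equivalent is:
#   grep hplip_t /var/log/audit/audit.log | avcs_for_type hplip_t | summarize_avcs
sample_audit_log | avcs_for_type hplip_t | summarize_avcs
```

A summary line such as `2 name_bind hplip_t howl_port_t udp_socket` makes the question Dan raises concrete: one repeated bind to a single labelled port is something to understand (is hplip supposed to speak mDNS at all?) rather than a pile of unrelated denials to allow wholesale. If you do go on to build a module, `audit2allow -M myhplip` writes a readable `myhplip.te` next to the `.pp`, and that is the file to read before `semodule -i`.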


Re: Selinux Problems

2009-10-05 Thread Daniel J Walsh
On 10/05/2009 02:08 PM, Jim wrote:
 FC11/Kde
 
 Trying to print on a Samsung CLX-3175FN.
 Selinux is playing havoc with printer drivers, these drivers are from
 Samsung and I'm getting many Selinux Alerts, too many to keep running
 Restorecon.
 The printing is coming out with double columns with 1/8 white lines
 down through text or pictures.
 There are no GPL drivers for this printer, it's too new!
 
 If I disable Selinux, the printer will print normal.
 
 How do I relabel all the files on the computer ?
 do I relabel from telinit 3 or what ?
 
Please show me the AVC's you are seeing.  Or send me a compressed 
/var/log/audit/audit.log

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: Selinux Problems

2009-10-05 Thread Daniel J Walsh
On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
 On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh dwa...@redhat.com wrote:
 
 On 10/05/2009 02:08 PM, Jim wrote:
 FC11/Kde

 Trying to print on a Samsung CLX-3175FN.
 Selinux is playing havoc with printer drivers, these drivers are from
 Samsung and I'm getting many Selinux Alerts, too many to keep running
 Restorecon.
 The printing is coming out with double columns with 1/8 white lines
 down through text or pictures.
 There are no GPL drivers for this printer, it's too new!

 If I disable Selinux, the printer will print normal.

 How do I relabel all the files on the computer ?
 do I relabel from telinit 3 or what ?

 Please show me the AVC's you are seeing.  Or send me a compressed
 /var/log/audit/audit.log

 --
 fedora-list mailing list
 fedora-list@redhat.com
 To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 Guidelines:
 http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

 
 I have seen the following SELinux alert:
 
 SELinux is preventing hp (hplip_t) name_bind howl_port_t.
 
 lpstat -t shows
 
 printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM
 MST -
 /usr/lib/cups/backend/hp failed
 
 If I change the URI associated with the printer config from
 
 hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet
 
 to
 
 hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71
 
 then the alerts go away.
 
 The printer is an HP printer and was configured using hp-setup.
 
 Paolo
 
 
Could you grep for howl_port_t and attach the output

grep howl_port_t /var/log/audit/audit.log


-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: latest selinux policy update errors

2009-09-28 Thread Daniel J Walsh

Mark Haney wrote:

Is anyone else seeing these types of failures with the latest selinux
updates?

libsemanage.semanage_direct_remove: Module dpkg was not found.
semodule:  Failed on dpkg!
error: %trigger(selinux-policy-strict-2.6.4-21.fc7.noarch) scriptlet
failed, exit status 1
libsemanage.semanage_direct_remove: Module dpkg was not found.
semodule:  Failed on dpkg!
error: %trigger(selinux-policy-strict-2.6.4-23.fc7.noarch) scriptlet
failed, exit status 1


Should I file a bug report?

  
No I think this is an isolated occurrence.  If it happens on the next 
update, report it.


--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: Lots of SELinux denial messages.

2009-09-20 Thread Daniel J Walsh
On 09/19/2009 02:10 PM, Les wrote:
 I have upgraded to F11 using the upgrade from the update process.  And
 it went smoothly.  However, I am now getting a lot of SElinux messages
 (I had to set it to permissive to get anything done at all.)  I have
 submitted bugs on two of them, and will submit more bugs later.  I have
 relabeled the system (extensive and took time) and used the restorecon
 command where it was recommended, but still there are messages, and I
 need to get those resolved prior to turning SELinux back on.
 
   So I am including a few of the most predominant messages in this
 message.  If you have had these and have a cure, or know some approach
 that is safe to turning these off so I can re-enable SELinux, please let
 me know.  If I get no responses in a day or so I will submit bugzillas
 on these as well.
 
   I should note that while the first shows a time of around 0300, my
 system was idle at that time.  I went to bed at about 2:30 and rebooted
 at that time.  Also I emptied the queue of alerts when I logged on, so
 these showed up today since about 9:30.  There were four more of these
 all targeting different objects.
 
 Regards, 
 Les H
 
 
 
 
 Summary:
 
 SELinux is preventing dbus-daemon (system_dbusd_t) search
 unconfined_t.
 
 Detailed Description:
 
 [SELinux is in permissive mode, the operation would have been denied but
 was
 permitted due to permissive mode.]
 
 SELinux denied access requested by dbus-daemon. It is not expected that
 this
 access is required by dbus-daemon and this access may signal an
 intrusion
 attempt. It is also possible that the specific version or configuration
 of the
 application is causing it to require additional access.
 
 Allowing Access:
 
 You can generate a local policy module to allow this access - see FAQ
 (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
 disable
 SELinux protection altogether. Disabling SELinux protection is not
 recommended.
 Please file a bug report
 (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
 against this package.
 
 Additional Information:
 
 Source Context
 system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
 Target Context
 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
   023
 Target Objects9374 [ dir ]
 Sourcedbus-daemon
 Source Path   /bin/dbus-daemon
 Port  Unknown
 Host  localhost.localdomain
 Source RPM Packages   dbus-1.2.12-2.fc11
 Target RPM Packages   
 Policy RPMselinux-policy-3.6.12-82.fc11
 Selinux Enabled   True
 Policy Type   targeted
 MLS Enabled   True
 Enforcing ModePermissive
 Plugin Name   catchall
 Host Name localhost.localdomain
 Platform  Linux localhost.localdomain
 2.6.30.5-43.fc11.i586
   #1 SMP Thu Aug 27 21:18:54 EDT 2009 i686
 i686
 Alert Count   2
 First SeenSat 19 Sep 2009 11:03:18 AM PDT
 Last Seen Sat 19 Sep 2009 11:03:18 AM PDT
 Local ID  136137e2-5f20-4d7d-88e5-a65c26b266a6
 Line Numbers  
 
 Raw Audit Messages
 
 node=localhost.localdomain type=AVC msg=audit(1253383398.33:262): avc:
 denied  { search } for  pid=1472 comm=dbus-daemon name=9374 dev=proc
 ino=42807 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 tclass=dir
 
 node=localhost.localdomain type=AVC msg=audit(1253383398.33:262): avc:
 denied  { read } for  pid=1472 comm=dbus-daemon name=cmdline
 dev=proc ino=42818
 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 tclass=file
 
 node=localhost.localdomain type=SYSCALL msg=audit(1253383398.33:262):
 arch=4003 syscall=5 success=yes exit=41 a0=2bd1290 a1=0 a2=249e
 a3=bfca767c items=0 ppid=1 pid=1472 auid=4294967295 uid=81 gid=81
 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none)
 ses=4294967295 comm=dbus-daemon exe=/bin/dbus-daemon
 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
 
 
 
 Summary:
 
 SELinux is preventing dbus-daemon (system_dbusd_t) search
 unconfined_t.
 
 Detailed Description:
 
 [SELinux is in permissive mode, the operation would have been denied but
 was
 permitted due to permissive mode.]
 
 SELinux denied access requested by dbus-daemon. It is not expected that
 this
 access is required by dbus-daemon and this access may signal an
 intrusion
 attempt. It is also possible that the specific version or configuration
 of the
 application is causing it to require additional access.
 
 Allowing 

Re: selinux hasn't been running for over a week

2009-09-18 Thread Daniel J Walsh
On 09/18/2009 10:01 AM, Steve Grubb wrote:
 On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
 If the kernel has SELinux and it is not in permissive mode, it should
  execute load_policy

 Yes in permissive mode load_policy will return 2 if it can not load policy.
 I guess dracut should also look in /etc/selinux/config to see if the
  SELINUX  environment variable is not set to enforcing.
 
 What about interaction with the kernel command line? What the kernel was 
 given 
 is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says 
 enabled, shouldn't the kernel command line take priority?
 
 
Yes kernel command line wins.

Second is /etc/selinux/config (SELINUX) line

Execute the kernel command line to initialize the 
selinux and enforcing environment variables.  cmdline options are (selinux=0 to 
disable SELinux) (enforcing=0 to put selinux in permissive mode)


then dracut should execute
. /etc/selinux/config
if [ $selinux != 0 && $enforcing != 0 && $SELINUX == enforcing ]; then
    load_policy
    if $? != 0; ReportError() && blow up
elif [ $selinux != 0 && ($enforcing == 0 || $SELINUX == permissive) ]; then
    load_policy
    if $? != 0; ReportError()
    # Continue no matter what
elif [ $selinux == 0 || $enforcing == 0 || $SELINUX == disabled ]; then
    # Continue no matter what, although it would be nice to tell the kernel to
    # drop SELinux support
else
    Report_error()
    Blow Up
endif


 You mean if the machine is in permissive mode, it should load_policy, but
 not  crash. But it should log the reason so it can be debugged.

 Load_policy will exit with 0 on success or 2 on failure and SELinux in
  permissive mode.

 And if chroot fails, we need to handle it.

 This will probably crash anyways
 
 In the code I looked at, only if it returned 3...
 
 -Steve 

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: selinux hasn't been running for over a week

2009-09-18 Thread Daniel J Walsh
On 09/18/2009 10:05 AM, Stephen Smalley wrote:
 On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
 On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
 If the kernel has SELinux and it is not in permissive mode, it should
  execute load_policy

 Yes in permissive mode load_policy will return 2 if it can not load policy.
 I guess dracut should also look in /etc/selinux/config to see if the
  SELINUX  environment variable is not set to enforcing.

 What about interaction with the kernel command line? What the kernel was 
 given 
 is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config 
 says 
 enabled, shouldn't the kernel command line take priority?
 
 That all gets taken care of inside of libselinux
 selinux_init_load_policy() function, which is what load_policy calls.
 

 You mean if the machine is in permissive mode, it should load_policy, but
 not  crash. But it should log the reason so it can be debugged.

 Load_policy will exit with 0 on success or 2 on failure and SELinux in
  permissive mode.

 And if chroot fails, we need to handle it.

 This will probably crash anyways

 In the code I looked at, only if it returned 3...
 
 load_policy exits with 3 if the load policy failed and the system was
 supposed to be in enforcing mode (based on the combination of kernel
 command line arguments, which do take precedence, and
 the /etc/selinux/config setting).  It exits with 2 if the load policy
 failed and the system was supposed to be permissive.
  
Right but what happens if load_policy is called with the wrong parameter?
What happens if load_policy can not be called because of permission denied?

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: selinux hasn't been running for over a week

2009-09-18 Thread Daniel J Walsh
On 09/18/2009 10:25 AM, Stephen Smalley wrote:
 On Fri, 2009-09-18 at 10:16 -0400, Daniel J Walsh wrote:
 On 09/18/2009 10:05 AM, Stephen Smalley wrote:
 On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
 On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
 If the kernel has SELinux and it is not in permissive mode, it should
  execute load_policy

 Yes in permissive mode load_policy will return 2 if it can not load 
 policy.
 I guess dracut should also look in /etc/selinux/config to see if the
  SELINUX  environment variable is not set to enforcing.

 What about interaction with the kernel command line? What the kernel was 
 given 
 is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config 
 says 
 enabled, shouldn't the kernel command line take priority?

 That all gets taken care of inside of libselinux
 selinux_init_load_policy() function, which is what load_policy calls.


 You mean if the machine is in permissive mode, it should load_policy, but
 not  crash. But it should log the reason so it can be debugged.

 Load_policy will exit with 0 on success or 2 on failure and SELinux in
  permissive mode.

 And if chroot fails, we need to handle it.

 This will probably crash anyways

 In the code I looked at, only if it returned 3...

 load_policy exits with 3 if the load policy failed and the system was
 supposed to be in enforcing mode (based on the combination of kernel
 command line arguments, which do take precedence, and
 the /etc/selinux/config setting).  It exits with 2 if the load policy
 failed and the system was supposed to be permissive.
  
 Right but what happens if load_policy is called with the wrong parameter?
 What happens if load_policy can not be called because of permission denied?
 
 I'm not entirely clear as to why you are asking, but:
 $ load_policy --foo
 load_policy: invalid option -- '-'
 usage:  load_policy [-qi]
 $ echo $?
 1
 $ runcon system_u:system_r:httpd_t:s0 load_policy
 runcon: load_policy: Permission denied
 $ echo $?
 126
 
 Are you just saying that dracut needs to fail closed (i.e. halt the
 system) if the exit code is anything other than 0 (success) or 2 (failed
 but permissive)?
 
Well it is not that simple.

If the kernel cmdline had selinux=0 or enforcing=0 or /etc/selinux/config had 
SELINUX=disabled or SELINUX=permissive then it should continue, otherwise the 
machine has to be assumed to be in enforcing mode, so if it can not load policy 
it is a system failure.

I would figure this is what the MLS crowd would want.  You configured the 
machine to run in enforcing mode and the system can not load policy for some 
reason, you need to crash.  This is what the old patches did.

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
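The decision logic Dan sketches in pseudocode earlier in this thread, combined with the load_policy exit statuses Stephen lists (0 success, 2 failed but permissive, 3 failed and enforcing, and 1 or 126 when the program could not even run properly) and the precedence Dan describes (kernel command line over /etc/selinux/config, fail closed when the box was supposed to be enforcing), as an added POSIX sh example. It is not dracut's code and not anything posted in the thread; the function names, the "continue"/"halt" result words and the sample command lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not dracut's code: the initramfs decision after attempting
# to load SELinux policy, with the precedence discussed in the thread.
# Function names and the continue/halt vocabulary are this example's own.

# expected_mode CMDLINE SELINUX_CONFIG_VALUE
#   Print the mode the system is supposed to come up in: disabled, permissive
#   or enforcing.  CMDLINE is the text of /proc/cmdline, the second argument
#   the SELINUX= value from /etc/selinux/config.  Kernel command line options
#   take precedence over the config file, and selinux=0 outranks enforcing=0
#   when both are present.
expected_mode() {
    selinux_flag=1
    enforcing_flag=1
    for word in $1; do
        case $word in
            selinux=0)   selinux_flag=0 ;;
            enforcing=0) enforcing_flag=0 ;;
        esac
    done
    if [ "$selinux_flag" = 0 ]; then
        echo disabled
    elif [ "$enforcing_flag" = 0 ]; then
        echo permissive
    else
        case $2 in
            disabled)   echo disabled ;;
            permissive) echo permissive ;;
            *)          echo enforcing ;;   # unset or anything else: assume enforcing
        esac
    fi
}

# policy_action MODE LOAD_POLICY_STATUS
#   Print what the initramfs should do after load_policy exited with
#   LOAD_POLICY_STATUS (0 success, 2 failed but permissive, 3 failed and
#   enforcing, 1 bad option, 126 could not be executed): continue or halt.
policy_action() {
    mode=$1
    status=$2
    case $mode in
        disabled)
            # Nothing to load, so nothing can fail.
            echo continue ;;
        permissive)
            # Never halt, but leave a trace so the failure can be debugged.
            if [ "$status" -ne 0 ]; then
                echo "load_policy exited $status in permissive mode, continuing" >&2
            fi
            echo continue ;;
        *)
            # Configured enforcing: any failure to load policy is a system
            # failure.  That includes status 1 and 126, which mean policy was
            # never loaded at all, not only status 3.  Fail closed.
            if [ "$status" -eq 0 ]; then echo continue; else echo halt; fi ;;
    esac
}

# boot_decision CMDLINE SELINUX_CONFIG_VALUE LOAD_POLICY_STATUS
#   Both steps in one call.
boot_decision() {
    policy_action "$(expected_mode "$1" "$2")" "$3"
}

# Walk through the cases raised in the thread (constructed inputs).
for case_line in \
    "ro root=/dev/sda1|enforcing|0" \
    "ro root=/dev/sda1|enforcing|3" \
    "ro root=/dev/sda1|enforcing|126" \
    "ro root=/dev/sda1 enforcing=0|enforcing|2" \
    "ro root=/dev/sda1 selinux=0|enforcing|1" \
    "ro root=/dev/sda1|permissive|2" \
    "ro root=/dev/sda1|disabled|1"
do
    cmdline=${case_line%%|*}
    rest=${case_line#*|}
    config=${rest%%|*}
    status=${rest#*|}
    printf '%-32s SELINUX=%-10s rc=%-3s -> %s\n' "$cmdline" "$config" "$status" \
        "$(boot_decision "$cmdline" "$config" "$status")"
done
```

The enforcing branch is the part worth getting right: it treats every non-zero status as a halt, which is the fail-closed behaviour Dan argues for. A status of 1 or 126 means load_policy never got as far as loading anything, so it must not be lumped in with the permissive status 2, and a check that only halts on 3 would boot an unconfined system the administrator believed was enforcing.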


Re: selinux disabled in rawhide ?

2009-09-14 Thread Daniel J Walsh
On 09/14/2009 06:18 AM, Tomas Mraz wrote:
 On Sun, 2009-09-13 at 19:28 -0400, Daniel J Walsh wrote:
 On 09/12/2009 12:13 PM, Dave Jones wrote:
 I did two installs yesterday, and both of them have ended up with
 SELINUX=disabled in /etc/selinux/config

 I changed them back to 'enabled', rebooted, which caused a relabel,
 and all seems fine.

 What's happening here ?

 Dave

 I don't know there was a bug in dracut that was causing selinux to be 
 disabled.
 
 Dan, do you mean the
 https://bugzilla.redhat.com/show_bug.cgi?id=520753 ?
 
 But this one looks like a different bug perhaps in anaconda? At least it
 seems to be worth reporting it to bz on anaconda.
 
Yes open a bugzilla for it.

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: selinux disabled in rawhide ?

2009-09-13 Thread Daniel J Walsh
On 09/12/2009 12:13 PM, Dave Jones wrote:
 I did two installs yesterday, and both of them have ended up with
 SELINUX=disabled in /etc/selinux/config
 
 I changed them back to 'enabled', rebooted, which caused a relabel,
 and all seems fine.
 
 What's happening here ?
 
   Dave
 
I don't know there was a bug in dracut that was causing selinux to be disabled.

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: Easy way to remove SELinux permissions?

2009-09-10 Thread Daniel J Walsh
On 09/10/2009 01:58 AM, Sean Carlos wrote:
 
 At one point I performed a new Fedora install and restored my personal
 files before disabling SELinux which I don't need.
 
 As a result many files have permissions which include a dot at the end,
 e.g.:
 
 -rw-rw-r--.
 
 This causes havoc with many applications, i.e. gedit complains it cannot
 make a back-up file.
Open a bugzilla on this.  Having an extended attribute should not cause gedit 
to work to fail.
 
 Q: How can I EASILY remove all SELinux attributes, e.g. perhaps with a
 single command?
 
 Best regards,
 
 Sean Carlos

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: Easy way to remove SELinux permissions?

2009-09-10 Thread Daniel J Walsh
On 09/10/2009 11:19 AM, Stephen Smalley wrote:
 On Thu, 2009-09-10 at 10:58 -0400, Daniel J Walsh wrote:
 On 09/10/2009 01:58 AM, Sean Carlos wrote:

 At one point I performed a new Fedora install and restored my personal
 files before disabling SELinux which I don't need.

 As a result many files have permissions which include a dot at the end,
 e.g.:

 -rw-rw-r--.

 This causes havoc with many applications, i.e. gedit complains it cannot
 make a back-up file.
 Open a bugzilla on this.  Having an extended attribute should not cause 
 gedit to work to fail.
 
 I think what is happening is this:  gedit has been instrumented to
 preserve the security.selinux attribute on files.  This works fine when
 SELinux is enabled, as SELinux applies a set of permission checks on
 setting its attributes and does not require a Linux capability /
 superuser access in doing so.  But when SELinux is disabled, setting any
 attribute in the security.* namespace is restricted to CAP_SYS_ADMIN and
 thus non-root use of gedit will fail on the setxattr() call with EPERM.
 
I would say that gedit should check the SELinux enforcing mode and, if disabled, 
continue to work.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: Where are selinux workarounds/exceptions/hacks tracked?

2009-09-07 Thread Daniel J Walsh
On 09/05/2009 12:17 PM, nodata wrote:
 I remember ages and ages ago when selinux first came to Fedora that lots
 of apps (Java, flash, Mozilla/Firefox) didn't work because the apps did
 dodgy things with memory.
 
 I was wondering if these dodgy things still existed, and if they did,
 what effort was being put into making them go away? Is it tracked
 anywhere?
 
 Thanks.
 
Java/Mono/Wine all have to do the dodgy things in memory, since by their 
nature they write to a memory location and then execute the code.  I believe 
firefox/Mozilla has been fixed.  Also certain libflash instances have been 
fixed.

-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: SELinux Exim Problem

2009-09-07 Thread Daniel J Walsh
On 09/07/2009 04:34 AM, Didar Hossain wrote:
 On Sat, Sep 5, 2009 at 9:45 PM, Frank Chiullifrankc.fed...@gmail.com wrote:
 On F11 when exim attempts to retrieve mail from my ISP, I get the following:
 
 How are you pulling the mail from your ISP?
 
 
 Summary:
 SELinux is preventing exim (exim_t) getattr boot_t.

 Detailed Description:
 SELinux denied access requested by exim. It is not expected that this
 access is required by exim and this access may signal an intrusion
 attempt. It is also possible that the specific version or
 configuration of the application is causing it to require additional
 access.

 Allowing Access:
 You can generate a local policy module to allow this access - see FAQ
 (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
 disable SELinux protection altogether. Disabling SELinux protection is
 not recommended.  Please file a bug report
 (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
 package.

 Additional Information:
 Source Contextsystem_u:system_r:exim_t:s0
 Target Contextsystem_u:object_r:boot_t:s0
 Target Objects/boot [ dir ]
 Sourceexim
 Source Path   /usr/sbin/exim
 Port  Unknown
 Host  flinux
 Source RPM Packages   exim-4.69-10.fc11
 Target RPM Packages   filesystem-2.4.21-1.fc11
 Policy RPMselinux-policy-3.6.12-80.fc11
 Selinux Enabled   True
 Policy Type   targeted
 MLS Enabled   True
 Enforcing ModeEnforcing
 Plugin Name   catchall
 Host Name flinux
 Platform  Linux flinux 2.6.29.6-217.2.16.fc11.i686.PAE #1
  SMP Mon Aug 24 17:16:21 EDT 2009 i686 athlon
 Alert Count   327
 First SeenSun 12 Jul 2009 05:09:10 PM PDT
 Last Seen Sat 05 Sep 2009 09:05:41 AM PDT
 Local ID  c330c7e2-7fd7-45ae-8ebb-8de1def6e145
 Line Numbers

 Raw Audit Messages
 node=flinux type=AVC msg=audit(1252166741.77:28): avc:  denied  {
 getattr } for  pid=2279 comm=exim path=/boot dev=sda1 ino=2
 scontext=system_u:system_r:exim_t:s0
 tcontext=system_u:object_r:boot_t:s0 tclass=dir

 node=flinux type=SYSCALL msg=audit(1252166741.77:28): arch=4003
 syscall=195 success=no exit=-13 a0=bfbe1292 a1=bfbe1688 a2=756ff4 a3=0
 items=0 ppid=1489 pid=2279 auid=4294967295 uid=93 gid=93 euid=93
 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295
 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0
 key=(null)

 =

 Other information:
 RPMs:
 exim-4.69-10.fc11.i586
 selinux-policy-3.6.12-80.fc11.noarch
 selinux-policy-targeted-3.6.12-80.fc11.noarch

 The mail does get through but I get an SELinux error for each message.

 I've looked for '/boot' in exim config files but came up empty.

 I installed F11 but kept my home directory which is on a different disk.

 Since I have not heard anyone else complaining about this, I figure
 that it's my configuration.  I just don't know where else to look.

 Frank


 
Probably some API that exim is calling is looking at the mounted file systems, 
which is causing it to look at /boot.

I think we can allow this for now.



Re: F10 SElinux issues

2009-08-07 Thread Daniel J Walsh
On 08/04/2009 11:11 AM, Steve wrote:
 Daniel,
 
  Daniel J Walsh dwa...@redhat.com wrote: 
 On 08/03/2009 10:50 AM, Steve Blackwell wrote:
 Ever since I upgraded from F9 to F10 when F9 went EOL I've been having
 lots of SElinux warnings. Here's one. I get at seemingly random times,
 i.e. not when I log in.

 Aug  3 09:06:50 steve setroubleshoot: SELinux is preventing
 polkit-read-aut (polkit_auth_t) write to /var/log/gdm/:0-greeter.log
 (xserver_log_t). For complete SELinux messages. run sealert -l
 a4a0ec72-1ae8-46af-a27c-441b4a5f1cdb

 This looks like a redirection of stdout to the log file.  You can add this 
 rule using 

 # grep polkit-read-aut /var/log/audit/audit.log | audit2allow -M mypolkit
 # semodule -i mypolkit.pp
  
 I believe this is actually a bug in xdm, in that it should be passing append 
 privs for its log versus write.
 
 I can, and will, try this but it seems to me I have a more fundamental 
 problem. 
 As I said, this is just one of many alerts. They come in bunches every half 
 hour or so. The latest group were all SElinux is preventing certwatch 
 from. 7 of them. Before that it was system-config-s and polkit, about 25 
 different ones of those, some with multiple instances. In F9, I would only 
 occasionally get an alert. Also, if this is really a bug in xdm, can I really 
 be the first one to find it? F10 has been out for 7 or 8 months.
 
 If a relabel caused you to lose labels, then you need to add the labels via 
 semanage fcontext instead of just executing a chcon.

 For example, if I had web content under /myweb

 # semanage fcontext -a -t httpd_sys_content_t '/myweb(/.*)?'
 # restorecon -R -v /myweb

 Would tell the SELinux system about my alternative labeling.
 
 I don't really have alternative labelling. I just fixed a few of the things 
 that got flagged. I guess a relabel put everything back to the default. IIUC 
 what you are suggesting is to make those changes permanent. Would an rpm 
 update to policy override that?
 
 Thanks,
 Steve
 
 
 
No, that is what permanent means.  RPM asks the SELinux libraries how to label 
the system.  If you tell SELinux that /myweb needs to be labeled 
httpd_sys_content_t then RPM will honor that.  Restorecon, udev, 
matchpathcon... and any other program that uses libselinux for labeling will 
also.

Please send me a compressed /var/log/audit/audit.log off list if you would like 
me to look at why SELinux is complaining on your box.



Re: F10 SElinux issues

2009-08-04 Thread Daniel J Walsh
On 08/03/2009 10:50 AM, Steve Blackwell wrote:
 Ever since I upgraded from F9 to F10 when F9 went EOL I've been having
 lots of SElinux warnings. Here's one. I get at seemingly random times,
 i.e. not when I log in.
 
 Aug  3 09:06:50 steve setroubleshoot: SELinux is preventing
 polkit-read-aut (polkit_auth_t) write to /var/log/gdm/:0-greeter.log
 (xserver_log_t). For complete SELinux messages. run sealert -l
 a4a0ec72-1ae8-46af-a27c-441b4a5f1cdb
 
This looks like a redirection of stdout to the log file.  You can add this rule 
using 

# grep polkit-read-aut /var/log/audit/audit.log | audit2allow -M mypolkit
# semodule -i mypolkit.pp
 
I believe this is actually a bug in xdm, in that it should be passing append 
privs for its log versus write.

If a relabel caused you to lose labels, then you need to add the labels via 
semanage fcontext instead of just executing a chcon.

For example, if I had web content under /myweb

# semanage fcontext -a -t httpd_sys_content_t '/myweb(/.*)?'
# restorecon -R -v /myweb

Would tell the SELinux system about my alternative labeling.

A blog I wrote about similar stuff.

http://danwalsh.livejournal.com/28027.html
 setroubleshoot suggests restorecon -v '/var/log/gdm/:0-greeter.log'
 
 # ls -lZ /var/log/gdm/:0-greeter.log
 -rw-r--r--  gdm gdm
 system_u:object_r:xserver_log_t:s0 /var/log/gdm/:0-greeter.log
 
 # restorecon -v /var/log/gdm/:0-greeter.log
 
 # ls -lZ /var/log/gdm/:0-greeter.log
 -rw-r--r--  gdm gdm
 system_u:object_r:xserver_log_t:s0 /var/log/gdm/:0-greeter.log
 
 ie no change
 
 # tail /var/log/gdm/:0-greeter.log
 Warning:  No symbols defined for I228 (keycode 228)
 Warning:  No symbols defined for I230 (keycode 230)
 Warning:  No symbols defined for I248 (keycode 248)
 Warning:  No symbols defined for I249 (keycode 249)
 Warning:  No symbols defined for I250 (keycode 250)
 Warning:  No symbols defined for I251 (keycode 251)
 Warning:  No symbols defined for I252 (keycode 252)
 Warning:  No symbols defined for I253 (keycode 253)
 Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message
 with a timestamp of 0 for 0x1200022 (Login Wind) Window manager
 warning: meta_window_activate called by a pager with a 0 timestamp; the
 pager needs to be fixed.
 
 This computer is on a 2 machine home network, the other machine being a
 Vista laptop and I have them connected via Samba. Is some client trying
 to login from the laptop?
 
 # rpm -qa | grep selinux
 selinux-policy-3.5.13-67.fc10.noarch
 libselinux-devel-2.0.78-1.fc10.i386
 selinux-policy-targeted-3.5.13-67.fc10.noarch
 libselinux-2.0.78-1.fc10.i386
 libselinux-utils-2.0.78-1.fc10.i386
 libselinux-python-2.0.78-1.fc10.i386
 
 Any suggestions?
 
 Thanks,
 Steve
 



Re: exim: SELinux

2009-07-27 Thread Daniel J Walsh
On 07/26/2009 05:45 PM, Frank Chiulli wrote:
 Sorry for the delay in responding.  I've been on the road and unable
 to access my Fedora box.  So after a little grief with SELinux and
 permissions I have a log file of exim.  I'd post it here but it's 724
 lines long.  I looked for boot in the file but came up empty.  Is
 there some snippet of the file that I could post?
 
 Frank
 
 On Thu, Jul 16, 2009 at 1:37 AM, Gordon Messmer <yiny...@eburg.com> wrote:
 On 07/14/2009 07:33 PM, Frank Chiulli wrote:
 Here's what I did:
- as root, I ran '/etc/init.d/exim stop'
 - as root, I ran 'exim -bd -d+all >/tmp/ex.file 2>&1'

- as a normal user, I ran 'fetchmail'
  In the past, this would result in an AVC error; but not this time.
  BTW, there was one new message in my mail file as a result of this.
 Sadly, starting exim in that way will not give it the same SELinux context
 as it would get when run by the init process.  If you stop the service and
 service exim start, it should get its old context, and the AVC messages
 should return.  That'll get you back to where you can debug the problem.


 
Just compress the log file.  



Re: exim: SELinux

2009-07-14 Thread Daniel J Walsh

On 07/13/2009 04:06 PM, Frank Chiulli wrote:

Here is the original post:

This is a recently installed/patched F11 system.  It was a fresh
install to one disk leaving my home directory untouched on another
disk.  Today, I installed exim and removed sendmail via yum at the
command line.  I am using the same exim.conf file that I had used with
F10 after having compared it to the original one.  I am now receiving
the following message when I attempt to retrieve mail from my ISP:
Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim
(exim_t) getattr boot_t. For complete SELinux messages. run sealert
-l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad


sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Summary:

SELinux is preventing exim (exim_t) getattr boot_t.

Detailed Description:

SELinux denied access requested by exim. It is not expected that this access is
required by exim and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context        unconfined_u:system_r:exim_t:s0
Target Context        system_u:object_r:boot_t:s0
Target Objects        /boot [ dir ]
Source                exim
Source Path           /usr/sbin/exim
Port                  Unknown
Host                  flinux
Source RPM Packages   exim-4.69-10.fc11
Target RPM Packages   filesystem-2.4.21-1.fc11
Policy RPM            selinux-policy-3.6.12-62.fc11
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             flinux
Platform              Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue Jun 16 23:19:53 EDT 2009 i686 athlon
Alert Count           289
First Seen            Sun Jul 12 14:22:12 2009
Last Seen             Sun Jul 12 14:23:53 2009
Local ID              e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Line Numbers

Raw Audit Messages

node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  {
getattr } for  pid=2508 comm=exim path=/boot dev=sda1 ino=2
scontext=unconfined_u:system_r:exim_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=4003
syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4
a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93
fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm=exim
exe=/usr/sbin/exim subj=unconfined_u:system_r:exim_t:s0 key=(null)

Frank

On Mon, Jul 13, 2009 at 8:02 AM, Daniel J Walsh <dwa...@redhat.com> wrote:

On 07/13/2009 08:24 AM, Frank Chiulli wrote:

I realized that just before I received your email and did post to
fedora-list.  My mistake and thanks for the heads up.

Frank

On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett <m...@davidjmemmett.co.uk> wrote:

Don't mean to be completely rude but doesn't this belong on a support
forum?

On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:

Didar,
Mail is arriving.  I just get one SELinux message for every mail message.

I agree...exim should not be referencing /boot AFAIK.  But I'm not an expert.

Frank

On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain <didar.hoss...@gmail.com> wrote:

On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fed...@gmail.com> wrote:

Thomas,
Thanks for the suggestion.  Unfortunately it did not work.  I'm still
getting the same error.

Frank

Is Exim not executing its job as it is supposed to - as in delivery
of mail is hampered by this error?

I am no SELinux or Exim expert, but, AFAIK the /boot directory is
not supposed to be related to the regular functioning of Exim.

Didar


___
Fedora-infrastructure-list mailing list
fedora-infrastructure-l...@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

I am missing the first email in this chain.  What AVC are you seeing from exim 
when mail arrives?


I think these usually happen when the user is listing /
ls -lZ /

Could cause this type of AVC.

Or if the confined application was started when its Current Working 
Directory was the /boot directory.





Re: SELinux warning about sendmail

2009-07-13 Thread Daniel J Walsh
On 07/10/2009 06:09 PM, Andras Simon wrote:
 Sometimes I see the warning:
 
 SELinux is preventing the sendmail from using potentially mislabeled files
 (/root).
 
 sendmail is not installed, but according to sealert, this warning is
 really about ssmtp.
 Of course I'm not trying to mail any file from /root, in fact, I don't
 mail anything. Any idea what might be going on?
 
 Andras
 
What is the AVC?  It might be just doing a getattr of /root which could trigger 
an AVC.

When an app starts with its homedir set to /root, it will getattr on the 
$HOME, which can cause this AVC.  Usually these are dontaudited.  So I would 
need to see the AVC to understand what it is complaining about.

grep avc /var/log/audit/audit.log




Re: httpd vs. avahi and SELinux in Fedora 11

2009-07-13 Thread Daniel J Walsh
On 07/11/2009 07:06 PM, Steven F. LeBrun wrote:
 After doing a clean install of Fedora 11, the Apache webserver, httpd
 2.2.11, is failing.  The error log [see below] shows that all the httpd
 children are killing themselves with Segmentation faults.
 
 Httpd was working fine in Fedora 10, same laptop and I started with a
 fresh install of Apache's httpd using the RPM provided for Fedora 11. 
 At first I thought that maybe it is an SELinux problem.  Then I noticed
 in the error_log the following line:
 
 [error] avahi_entry_group_add_service_strlst(tardis) failed: Local
 name collision
 
 The FQHN of my laptop where I am trying to run httpd is
 tardis.home.lebruns.com
 
 Question 1:  Are the segmentation faults due to an SELinux policy issue? 
 I checked the files that should be displayed and their security context
 looks correct.  Is there a problem displayed in the first error log line
 where it states:
 
   SELinux policy enabled; httpd running as context
 unconfined_u:system_r:httpd_t:s0
 
 Question 2:  Any ideas of what is causing the avahi error message?  What
 causes a Local name collision?  None of the configuration files
 specify the host name that httpd is running on.  [Setting ServiceName
 did not change anything.]
 
 Error Log:
 [Sat Jul 11 18:50:26 2009] [notice] SELinux policy enabled; httpd
 running as context unconfined_u:system_r:httpd_t:s0
 [Sat Jul 11 18:50:26 2009] [notice] suEXEC mechanism enabled (wrapper:
 /usr/sbin/suexec)
 [Sat Jul 11 18:50:26 2009] [notice] Digest: generating secret for digest
 authentication ...
 [Sat Jul 11 18:50:26 2009] [notice] Digest: done
 [Sat Jul 11 18:50:26 2009] [notice] mod_python: Creating 4 session
 mutexes based on 256 max processes and 0 max threads.
 [Sat Jul 11 18:50:26 2009] [notice] mod_python: using mutex_directory /tmp
 [Sat Jul 11 18:50:27 2009] [error]
 avahi_entry_group_add_service_strlst(tardis) failed: Local name collision
 [Sat Jul 11 18:50:27 2009] [notice] Apache/2.2.11 (Unix) DAV/2
 mod_mono/2.4 mod_nss/2.2.11 NSS/3.12.2.0 PHP/5.2.9 mod_python/3.3.1
 Python/2.6 mod_ssl/2.2.11 OpenSSL/0.9.8k-fips mod_perl/2.0.4
 Perl/v5.10.0 configured -- resuming normal operations
 [Sat Jul 11 18:50:27 2009] [notice] child pid 10956 exit signal
 Segmentation fault (11)
 [Sat Jul 11 18:50:27 2009] [notice] child pid 10957 exit signal
 Segmentation fault (11)
 ...
 The exit signal Segmentation fault (11) repeats ad nauseam until httpd
 is stopped.
 
 Any help and/or suggestions will be appreciated.
 
Does this happen if SELinux is in permissive mode?  Is selinux reporting errors 
in the /var/log/audit/audit.log?

# getsebool -a | grep avahi
httpd_dbus_avahi -- on

The only avahi/dbus boolean is defined above.



Re: F11 mrtg external scripts permission errors (selinux?)

2009-07-13 Thread Daniel J Walsh
On 07/12/2009 07:04 AM, Jurgen Kramer wrote:
 I've just upgraded my server to Fedora 11 (clean install) and I am
 trying to get everything working again. I have some problems with my
 mrtg scripts, they seem not allowed to run. I guess this has something
 to do with selinux.
 
 I see the following errors in the log:
 
 Can't exec /etc/mrtg/cpu_temp.sh: Permission denied at /usr/bin/mrtg
 line 2030.
 2009-07-12 12:35:02: WARNING: Running '/etc/mrtg/cpu_temp.sh':
 Permission denied
 2009-07-12 12:35:02: WARNING: Could not get any data from external
 command '/etc/mrtg/cpu_temp.sh'
 Maybe the external command did not even start. (Permission denied)
 
 I changed the security context for all files residing in /etc/mrtg to:
 
 [kra...@nasng mrtg]$ ll -Z
 -rwx--. root root system_u:object_r:mrtg_etc_t:s0  cpufan_speed.sh
 -rwx--. root root system_u:object_r:mrtg_etc_t:s0  cpu_temp.sh
 -rwx--. root root system_u:object_r:mrtg_etc_t:s0  fan_speed.sh
 -rwx--. root root system_u:object_r:mrtg_etc_t:s0  hdd_temp.sh
 -rwx--. root root system_u:object_r:mrtg_etc_t:s0  mb_temp.sh
 -rw-r--r--. root root system_u:object_r:mrtg_etc_t:s0  mrtg.cfg
 -rwx--. root root system_u:object_r:mrtg_etc_t:s0  nbfan_speed.sh
 
 but I still get the permission denied errors.
 What should the correct security context for the scripts be? Or do they
 need to be moved to another location?
 
 BTW running the command as executed by the crontab by hand works without
 problems.
 
 
 Jurgen
 
mrtg_t can read etc_t but not execute it; these should probably be labeled 
bin_t.

Please attach the AVC messages that mrtg is complaining about, so I can try to 
write a better setroubleshoot plugin for this.




Re: exim: SELinux

2009-07-13 Thread Daniel J Walsh
On 07/13/2009 08:24 AM, Frank Chiulli wrote:
 I realized that just before I received your email and did post to
 fedora-list.  My mistake and thanks for the heads up.
 
 Frank
 
 On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett <m...@davidjmemmett.co.uk> wrote:
 Don't mean to be completely rude but doesn't this belong on a support
 forum?

 On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
 Didar,
 Mail is arriving.  I just get one SELinux message for every mail message.

 I agree...exim should not be referencing /boot AFAIK.  But I'm not an 
 expert.

 Frank

 On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain <didar.hoss...@gmail.com> wrote:
 On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
 Thomas,
 Thanks for the suggestion.  Unfortunately it did not work.  I'm still
 getting the same error.

 Frank
 Is Exim not executing its job as it is supposed to - as in delivery
 of mail is hampered by this error?

 I am no SELinux or Exim expert, but, AFAIK the /boot directory is
 not supposed to be related to the regular functioning of Exim.

 Didar


 
I am missing the first email in this chain.  What AVC are you seeing from exim 
when mail arrives?



Re: mysql vs selinux

2009-07-07 Thread Daniel J Walsh

On 07/06/2009 10:08 PM, Amadeus W.M. wrote:

[r...@alm ~]# semanage fcontext -a -t mysqld_db_t '/data/mysql(/.*)?'
[r...@alm ~]# restorecon -R -v /data/mysql



Try

# semanage fcontext -a -t mysqld_db_t '/data(/.*)?'
# restorecon -R -v /data
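The two rule sets in this exchange, run through a toy file_contexts matcher. This is an added example, not libselinux or anything from the thread; it assumes the last matching entry wins with local (semanage fcontext -a) rules appended after the base file, ignores the file-type column, and uses a constructed base-rule excerpt plus a constructed guess (MYSQLD_SEARCHABLE) at which directory types mysqld_t may search. It also covers the point from the F10 thread earlier on this page: a chcon-only label is exactly what restorecon reverts, while a semanage fcontext rule survives a relabel.

```python
"""Toy file_contexts matcher for the /data/mysql datadir case.
Not libselinux: last matching entry wins, local rules come after base
rules, and the -d/-- file-type column of real file_contexts is ignored."""
import re

# Constructed excerpt of the base file_contexts shipped with the policy.
BASE_FCONTEXTS = [
    ("/.*", "default_t"),            # catch-all for paths no other rule matches
    ("/", "root_t"),
    ("/var/lib/mysql(/.*)?", "mysqld_db_t"),
    ("/etc/my\\.cnf", "mysqld_etc_t"),
]

# Constructed simplification of the directory types mysqld_t may 'search'.
MYSQLD_SEARCHABLE = {"root_t", "var_t", "var_lib_t", "mysqld_db_t", "etc_t"}


def make_matcher(base, local=()):
    """Return expected_type(path) for base rules followed by local rules."""
    specs = [(re.compile(pat), t) for pat, t in list(base) + list(local)]

    def expected_type(path):
        for pat, t in reversed(specs):      # last matching entry wins
            if pat.fullmatch(path):
                return t
        return None
    return expected_type


def chain_types(expected_type, path):
    """(directory, expected type) for every directory from / down to path."""
    parts = path.rstrip("/").split("/")
    dirs = ["/"] + ["/".join(parts[:i]) for i in range(2, len(parts) + 1)]
    return [(d, expected_type(d)) for d in dirs]


def unreachable_dirs(expected_type, datadir, searchable):
    """Directories on the way to datadir whose type the daemon cannot
    search; each one produces a 'search' denial like the one on / (default_t)
    quoted in the thread."""
    return [(d, t) for d, t in chain_types(expected_type, datadir)
            if t not in searchable]


def restorecon_plan(expected_type, current_labels):
    """path -> (current type, expected type) for every path whose on-disk
    label disagrees with policy: what restorecon -v would change, and so
    what a chcon-only change loses on the next relabel."""
    return {p: (cur, expected_type(p)) for p, cur in current_labels.items()
            if expected_type(p) != cur}


if __name__ == "__main__":
    only_mysql = make_matcher(BASE_FCONTEXTS, [("/data/mysql(/.*)?", "mysqld_db_t")])
    dan_fix = make_matcher(BASE_FCONTEXTS, [("/data(/.*)?", "mysqld_db_t")])
    print("rule /data/mysql(/.*)? only:",
          unreachable_dirs(only_mysql, "/data/mysql", MYSQLD_SEARCHABLE))
    print("rule /data(/.*)?:           ",
          unreachable_dirs(dan_fix, "/data/mysql", MYSQLD_SEARCHABLE))
    # Constructed ls -Z state after `chcon -t mysqld_db_t /data/mysql` alone.
    after_chcon = {"/data": "default_t", "/data/mysql": "mysqld_db_t"}
    print("restorecon, no local rule:",
          restorecon_plan(make_matcher(BASE_FCONTEXTS), after_chcon))
    print("restorecon, local rule:   ", restorecon_plan(only_mysql, after_chcon))
```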





Re: [F11, SELinux] What is mls?

2009-07-07 Thread Daniel J Walsh

On 07/07/2009 09:33 AM, Marko Vojinovic wrote:

On Tue, Jul 7, 2009 at 1:58 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:

You can ignore, and I think they are silenced by a policy update.
A libselinux constructor probes for /selinux/mls to initialize internal
state used later by the library functions, and unfortunately all of the
net-tools are getting linked against libselinux now just because of
netstat -Z support.  No, you don't need selinux-policy-mls.

There is a patch pending for libselinux that will make such probing
happen lazily and thus avoid such denials.


Ok, so after the updates arrive, the alerts will simply go away, IIUC. Thanks!

Best, :-)
Marko


You can grab the updates now

yum upgrade selinux-policy-targeted --enablerepo=updates-testing

We have had a request in to push to stable for about a week; I do not know 
what is holding this up.




Re: mysql vs selinux

2009-07-06 Thread Daniel J Walsh

On 07/05/2009 11:57 PM, Amadeus W.M. wrote:

Trying to run mysqld with datadir=/data/mysql (i.e. different than the
default datadir=/var/lib/mysql). When I start mysqld for the first time it
fails:

[r...@alm ~]# /etc/rc.d/init.d/mysqld start
Initializing MySQL database:  Installing MySQL system tables...
090705 23:01:52 [Warning] Can't create test file /data/mysql/alm.lower-test
090705 23:01:52 [Warning] Can't create test file /data/mysql/alm.lower-test
/usr/libexec/mysqld: Can't change dir to '/data/mysql/' (Errcode: 13)
090705 23:01:52 [ERROR] Aborting



and selinux pops up and says

Summary:
SELinux is preventing mysqld (mysqld_t) search to / (default_t).

Detailed Description:
SELinux denied access requested by mysqld. / may be a mislabeled. /
default SELinux type is root_t, but its current type is default_t.
Changing this file back to the default type, may fix your problem.

more stuff


Poking around on google I found this suggestion:


http://www.linuxforums.org/forum/servers/54215-moving-mysql-datafile-another-location-2.html

chcon -R -u system_u -r object_r -t mysqld_db_t /home/mysqldb
chcon -R -u system_u -r object_r -t mysqld_db_t /var/lib/mysql/
chcon -u system_u -r object_r -t mysqld_etc_t /etc/my.cnf

with /data/mysql instead of /home/mysqldb, of course.

This was as of FC7. Would this still be the right thing to do in F11?
I'm really being patient here with selinux, trying to give it a 2nd chance
(first chance was about F3 or F4). I'm trying to avoid the barbaric
solution of disabling it altogether yet again.

Oh, by the way, I am able to run mysqld without a hitch even with selinux
enabled provided that I use the default datadir=/var/lib/mysql. That's not
acceptable though, as my /var is too small for the colossal amount of data
I have.


I tried to keep this post relatively short, so I didn't include all
selinux info. If more is necessary, I'll post it. Please help!






Here is a new guide we are working on for setting up different confined 
services.  There is a chapter on mysql.




http://sradvan.fedorapeople.org/SELinux_Managing_Confined_Services/en-US/html/

Specifically, check out the chapter at this page:

http://sradvan.fedorapeople.org/SELinux_Managing_Confined_Services/en-US/html/sect-Managing_Confined_Services-MySQL-Configuration_Examples.html



Re: SELinux advisory

2009-06-26 Thread Daniel J Walsh

On 06/26/2009 11:20 AM, Paolo Galtieri wrote:

I keep getting the following SELinux alert.
SELinux is preventing hostname (hostname_t) read security_t

The alert data is shown below. I'm not sure what I might have changed to
cause this.

Paolo

Summary:

SELinux is preventing hostname (hostname_t) read security_t.

Detailed Description:

SELinux denied access requested by hostname. It is not expected that
this access
is required by hostname and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:hostname_t:s0
Target Context system_u:object_r:security_t:s0
Target Objects mls [ file ]
Source hostname
Source Path /bin/hostname
Port Unknown
Host peglaptop10
Source RPM Packages net-tools-1.60-92.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.12-50.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name peglaptop10
Platform Linux peglaptop10 2.6.29.5-191.fc11.x86_64 #1 SMP
Tue Jun 16 23:23:21 EDT 2009 x86_64 x86_64
Alert Count 108
First Seen Fri 19 Jun 2009 06:33:48 PM MST
Last Seen Fri 26 Jun 2009 07:31:49 AM MST
Local ID 2bc187c8-f1ab-4a44-8c0b-cc092191743b
Line Numbers
Raw Audit Messages
node=peglaptop10 type=AVC msg=audit(1246026709.145:1331): avc: denied {
read } for pid=14213 comm=hostname name=mls dev=selinuxfs ino=12
scontext=system_u:system_r:hostname_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file

node=peglaptop10 type=SYSCALL msg=audit(1246026709.145:1331):
arch=c03e syscall=2 success=no exit=-13 a0=7fff3f294550 a1=0
a2=7fff3f29455c a3=fff8 items=0 ppid=14200 pid=14213 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm=hostname exe=/bin/hostname
subj=system_u:system_r:hostname_t:s0 key=(null)



You can ignore this for now and update to 
selinux-policy-3.6.12-57.fc11.noarch, when it becomes available.


Or you can grab it now at

https://admin.fedoraproject.org/updates/selinux-policy-3.6.12-57.fc11




Re: Selinux, cups, hplip

2009-06-24 Thread Daniel J Walsh

On 06/23/2009 08:09 PM, Richard Shaw wrote:

On Mon, Jun 22, 2009 at 3:48 PM, Daniel J Walsh <dwa...@redhat.com> wrote:


On 06/20/2009 01:50 PM, Steven Stern wrote:


On 06/20/2009 06:12 AM, Daniel J Walsh wrote:


On 06/19/2009 07:10 PM, Steven Stern wrote:


After installing hplip-gui, I got selinux errors when checking on the
printer status.

audit2allow generated the following policy

module cups20090619 1.0;

require {
type hwdata_t;
type xdm_t;
class dir search;
class file { read getattr open };
}

#= xdm_t ==
allow xdm_t hwdata_t:dir search;
allow xdm_t hwdata_t:file { read getattr open };


  xdm is checking the printer status? This allow rule indicates the X

Login program is checking the printer status. Could you attach the AVC's
you used to generate this policy.



And here's another one related to hplip

type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for
pid=25561 comm=python name=mls dev=selinuxfs ino=12
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file

type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for
pid=25561 comm=python name=mls dev=selinuxfs ino=12
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file



Could you report this as a bug to cups. Cups has some MLS awareness in
it and maybe it is reading this file directly rather than through
libselinux.  CC me on the bug report dwa...@redhat.com



Just a me too here. I've got two separate issues, one has to do with this
thread. Just after installing F11 everything seemed fine. I poked the
necessary holes in my firewall and shared my printer queues and my wife
could print from her F10 laptop. Now it seems just about every job gets
stuck and I see the AVC denials about python. Here's the details for mine
(just in case anything is different):

---
Summary:

SELinux is preventing python (hplip_t) read security_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by python. It is not expected that this
access
is required by python and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application
is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context        system_u:system_r:hplip_t:s0
Target Context        system_u:object_r:security_t:s0
Target Objects        mls [ file ]
Source                python
Source Path           /usr/bin/python
Port                  Unknown
Host                  hobbes.localdomain
Source RPM Packages   python-2.6-9.fc11
Target RPM Packages
Policy RPM            selinux-policy-3.6.12-50.fc11
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           catchall
Host Name             hobbes.localdomain
Platform              Linux hobbes.localdomain 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count           16
First Seen            Sun 21 Jun 2009 02:29:26 PM CDT
Last Seen             Tue 23 Jun 2009 06:58:21 PM CDT
Local ID              0a0b19ce-a912-4305-9e4a-1e1369ea4f3f
Line Numbers

Raw Audit Messages

node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
denied  { read } for  pid=11771 comm=python name=mls dev=selinuxfs
ino=12 scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file

node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
denied  { open } for  pid=11771 comm=python name=mls dev=selinuxfs
ino=12 scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file

node=hobbes.localdomain type=SYSCALL msg=audit(1245801501.788:374):
arch=c03e syscall=2 success=yes exit=6 a0=7fffb58ba060 a1=0
a2=7fffb58ba06c a3=fff8 items=0 ppid=11764 pid=11771 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm=python exe=/usr/bin/python
subj=system_u:system_r:hplip_t:s0 key=(null)
---

Thanks,
Richard



Those should not be blocking anything.



Re: F11 SELinux Squid port 2082

2009-06-23 Thread Daniel J Walsh

On 06/23/2009 01:37 AM, Mark Panen wrote:

Hi

It is impossible for me to reach a web page that uses port 2082
through squid as SELinux keeps blocking it. If i bypass squid i can
reach the web page.

How do i configure SELinux to allow port 2082 ?

Mark



One of two ways, you can either allow squid to connect to any port by 
turning on the squid_connect_any boolean


setsebool -P squid_connect_any 1

Or you can tell SELinux port 2082 is an http port

semanage port -a -t http_port_t 2082
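The two fixes above, as an added example that is not from the thread or from any Fedora tool: a small Python helper that reads output in the shape of `semanage port -l`, tells you whether a port already carries a type (including ranges such as `10001-10010`), and lists the narrower fix (labeling the one port) before the broader one (the boolean, which opens every port). The port listing below is constructed; the advice that an already-defined port needs a local module rather than `semanage port -a` follows Dan's earlier reply in this archive on sshd.

```python
# Constructed excerpt in the shape of `semanage port -l` output; the
# port lists are shortened and are not a real Fedora listing.
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010
ssh_port_t                     tcp      22
squid_port_t                   tcp      3128
"""


def parse_port_list(text):
    """Return [(type, proto, low, high)] for every port or range listed."""
    table = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("tcp", "udp"):
            continue  # header or blank line
        ptype, proto, numbers = parts
        for item in numbers.split(","):
            low, _, high = item.strip().partition("-")
            table.append((ptype, proto, int(low), int(high or low)))
    return table


def port_types(port, proto, table):
    """All SELinux port types that already cover port/proto (sorted)."""
    return sorted({t for t, p, lo, hi in table if p == proto and lo <= port <= hi})


def plan(port, proto, wanted_type, table, boolean=None):
    """Recommend how to make port/proto usable as wanted_type, narrowest
    option first. `boolean` is the service's connect-any boolean, if one
    exists (squid_connect_any in the thread above)."""
    owners = port_types(port, proto, table)
    if wanted_type in owners:
        return [f"port {port}/{proto} is already {wanted_type}; nothing to do"]
    steps = []
    if not owners:
        # Undefined port: just assign it the type the daemon may connect to.
        steps.append(f"semanage port -a -t {wanted_type} -p {proto} {port}")
    else:
        # Already owned by another type: semanage port -a refuses it, so the
        # denial has to be captured and allowed by a local module instead.
        steps.append(
            f"port {port}/{proto} is already {', '.join(owners)}: semanage port -a "
            "will refuse it; capture the denial and load a local module: "
            "grep avc /var/log/audit/audit.log | audit2allow -M localport && "
            "semodule -i localport.pp")
    if boolean:
        steps.append(f"setsebool -P {boolean} 1  # broader: any port, not just {port}")
    return steps


if __name__ == "__main__":
    table = parse_port_list(SAMPLE_PORT_LIST)
    for step in plan(2082, "tcp", "http_port_t", table, "squid_connect_any"):
        print(step)
```

Run it against real output with `semanage port -l | python3 portplan.py` style plumbing once you have replaced the constructed listing; the point of listing the port fix first is that it grants the daemon exactly one extra port, whereas the boolean removes the port restriction entirely.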




Re: Selinux, cups, hplip

2009-06-22 Thread Daniel J Walsh

On 06/20/2009 01:50 PM, Steven Stern wrote:

On 06/20/2009 06:12 AM, Daniel J Walsh wrote:

On 06/19/2009 07:10 PM, Steven Stern wrote:

After installing hplip-gui, I got selinux errors when checking on the
printer status.

audit2allow generated the following policy

module cups20090619 1.0;

require {
type hwdata_t;
type xdm_t;
class dir search;
class file { read getattr open };
}

#= xdm_t ==
allow xdm_t hwdata_t:dir search;
allow xdm_t hwdata_t:file { read getattr open };



xdm is checking the printer status? This allow rule indicates the X
Login program is checking the printer status. Could you attach the AVC's
you used to generate this policy.



And here's another one related to hplip

type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for
pid=25561 comm=python name=mls dev=selinuxfs ino=12
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file

type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for
pid=25561 comm=python name=mls dev=selinuxfs ino=12
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file



Could you report this as a bug to cups. Cups has some MLS awareness in 
it and maybe it is reading this file directly rather than through 
libselinux.  CC me on the bug report dwa...@redhat.com




Re: Selinux, cups, hplip

2009-06-20 Thread Daniel J Walsh

On 06/19/2009 07:10 PM, Steven Stern wrote:

After installing hplip-gui, I got selinux errors when checking on the
printer status.

audit2allow generated the following policy

module cups20090619 1.0;

require {
type hwdata_t;
type xdm_t;
class dir search;
class file { read getattr open };
}

#= xdm_t ==
allow xdm_t hwdata_t:dir search;
allow xdm_t hwdata_t:file { read getattr open };


xdm is checking the printer status?  This allow rule indicates the X 
Login program is checking the printer status.  Could you attach the 
AVC's you used to generate this policy.




Re: power mgmt, screen off, selinux - F11

2009-06-17 Thread Daniel J Walsh

On 06/17/2009 08:17 AM, Steven Stern wrote:

My screen no longer shuts off after 30 minutes.

It had been fine, but on SYSTEM - PREFERENCES - POWER MANAGEMENT, I
clicked the Make Default button. After entering the root password, the
were several selinux errors regarding the labeling of %gconf.xml in
~/.gconf/apps. I put selinux into permissive mode and tried again.

Run restorecon -R -v ~/
to fix the labeling in your home dir. You should then be able to run SELinux in 
enforcing mode.



My screensaver now kicks in at the desired time, but the monitor is no
longer turned off.

It looks like the file is set correctly in my home directories.
Suggestions?


That I do not know.

$ cat .gconf/apps/gnome-power-manager/timeout/%gconf.xml
<?xml version="1.0"?>
<gconf>
	<entry name="sleep_display_ac" mtime="1245240339" type="int" value="1200"/>
</gconf>

$ cat .gconf/apps/gnome-power-manager/ui/%gconf.xml
<?xml version="1.0"?>
<gconf>
	<entry name="enable_sound" mtime="1245240540" type="bool" value="true"/>
</gconf>

$ cat .gconf/apps/gnome-power-manager/backlight/%gconf.xml
<?xml version="1.0"?>
<gconf>
	<entry name="idle_dim_ac" mtime="1245240540" type="bool" value="false"/>
</gconf>







Re: packaging web applications, SELinux

2009-06-16 Thread Daniel J Walsh

On 06/16/2009 11:34 AM, Chuck Anderson wrote:

Is there any pointer to best practices for packing a web application
that provides static content, cgi scripts, integrates with Apache
configuration, and works with SELinux?  How should I package the
SELinux policy needed to make this work?

The Packaging Guidelines mention Web Applications, but not how to make
them work with SELinux:

https://fedoraproject.org/wiki/Packaging/Guidelines#Web_Applications

Thanks.

Good question.  I would suggest we start writing this and if we could 
come up with standard locations for content we could make it 
work without the packages having to worry about it.


I would suggest that we store static content in a directory like

/usr/share/MYAPP/html/...

Cgi scripts in

/usr/share/MYAPP/cgi-bin/...

Writable directories from the Web in a directory named

/var/lib/MYAPP or some subdir of this.

If your web app is a cgi, I would prefer that we write policy for it to 
confine it differently than the default.  Writing policy for cgi scripts 
is surprisingly easy and I would be willing to help.


If we went with a standard I could setup the labeling for

/usr/share/[^/]*/html(/.*)? to be httpd_sys_content_t

And

/usr/share/[^/]*/cgi-bin(/.*)? to be httpd_sys_script_exec_t

Labeling /var/lib/MYAPP would be more difficult unless we came up with a 
standard subdir.


/var/lib/MYAPP/htmldata 

Then if an app writes its own policy for handling we can override these 
default labels.
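A way to check such labeling rules before shipping them, as an added example that is not from the message above or from libselinux: a Python matcher for file_contexts entries that reports which type a path would receive. It models libselinux's rule that, when several entries match, the last one in the file wins, and it honours the optional file-type field (`--` regular file, `-d` directory, and so on) seen in the file_contexts excerpt elsewhere in this archive. The file_contexts fragment is constructed from the two patterns proposed above; the `httpd_sys_rw_content_t` type for `/var/lib/MYAPP/htmldata` and the extra `.conf` rule are assumptions, since the message names the directory but no type.

```python
import re

# Constructed file_contexts fragment: the patterns proposed above plus the
# generic rules they would override. The .conf line and the htmldata line
# (with httpd_sys_rw_content_t) are assumptions, not from the message.
SAMPLE_FILE_CONTEXTS = """\
/usr(/.*)?                              system_u:object_r:usr_t:s0
/var/lib(/.*)?                          system_u:object_r:var_lib_t:s0
/usr/share/[^/]*/html(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/usr/share/[^/]*/cgi-bin(/.*)?          system_u:object_r:httpd_sys_script_exec_t:s0
/usr/share/[^/]*/cgi-bin/.*\\.conf      --  system_u:object_r:httpd_sys_content_t:s0
/var/lib/[^/]*/htmldata(/.*)?           system_u:object_r:httpd_sys_rw_content_t:s0
"""

# file_contexts file-type codes: regular, dir, char, block, socket, link, pipe
FTYPE_FIELD = re.compile(r"^-[-dcbslp]$")


def parse_file_contexts(text):
    """Return [(compiled regex, file-type code or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3 and FTYPE_FIELD.match(parts[1]):
            pattern, ftype, context = parts
        elif len(parts) == 2:
            pattern, context = parts
            ftype = None
        else:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        specs.append((re.compile(pattern), ftype, context))
    return specs


def matchpathcon(path, specs, ftype="--"):
    """Context a file of kind `ftype` at `path` would get; the last matching
    entry wins (modelled on libselinux); None when no entry matches."""
    winner = None
    for regex, spec_ftype, context in specs:
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if regex.fullmatch(path):
            winner = context
    return winner


def label_type(path, specs, ftype="--"):
    """Just the type part (user:role:TYPE:range) of the matched context."""
    ctx = matchpathcon(path, specs, ftype)
    return None if ctx is None else ctx.split(":")[2]


def check_layout(app, specs):
    """Dry-run the proposed layout for a package named `app`."""
    paths = {
        f"/usr/share/{app}/html/index.html": "--",
        f"/usr/share/{app}/cgi-bin/run.cgi": "--",
        f"/usr/share/{app}/cgi-bin/app.conf": "--",
        f"/usr/share/{app}/README": "--",
        f"/var/lib/{app}/htmldata": "-d",
        f"/var/lib/{app}/state.db": "--",
    }
    return {p: label_type(p, specs, t) for p, t in paths.items()}


if __name__ == "__main__":
    for path, t in check_layout("myapp", parse_file_contexts(SAMPLE_FILE_CONTEXTS)).items():
        print(f"{path:40} {t}")
```

The `[^/]*` in the proposed patterns is what keeps `/usr/share/a/b/html/` from picking up the web-content label: only one path component is allowed between `/usr/share/` and `html`, so a nested directory falls back to the generic `usr_t` rule.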


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list


Re: Dbus/Selinux issue after upgrading to F11

2009-06-15 Thread Daniel J Walsh

On 06/13/2009 07:52 PM, NMONNET wrote:

ype=AVC msg=audit(1244936277.370:81): avc:  denied  { search } for
pid=2394 comm=dbus-daemon name=3998 dev=proc ino=337975
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=dir
type=AVC msg=audit(1244936277.370:81): avc:  denied  { read } for
pid=2394 comm=dbus-daemon name=cmdline dev=proc ino=337976
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=file
type=SYSCALL msg=audit(1244936277.370:81): arch=c03e syscall=2
success=yes exit=66 a0=7f02cc625660 a1=0 a2=7f02cc625672 a3=0 items=0
ppid=1 pid=2394 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81
egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm=dbus-daemon
exe=/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-
s0:c0.c1023 key=(null)
type=AVC msg=audit(1244936292.198:82): avc:  denied  { search } for
pid=2394 comm=dbus-daemon name=3972 dev=proc ino=338174
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_mono_t:s0 tclass=dir
type=SYSCALL msg=audit(1244936292.198:82): arch=c03e syscall=2
success=yes exit=67 a0=7f02cc639d70 a1=0 a2=7f02cc639d82 a3=0 items=0
ppid=1 pid=2394 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81
egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm=dbus-daemon
exe=/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-
s0:c0.c1023 key=(null)

Please upgrade to the latest selinux-policy in updates or it might still 
be in updates-testing


yum update selinux-policy-targeted

If you do not get an update try

yum update selinux-policy-targeted --enablerepo=updates-testing



Re: Dbus/Selinux issue after upgrading to F11

2009-06-15 Thread Daniel J Walsh

On 06/15/2009 10:46 AM, Wander Boessenkool wrote:

On Mon, Jun 15, 2009 at 10:34:32AM -0400, Daniel J Walsh wrote:

On 06/13/2009 07:52 PM, NMONNET wrote:

ype=AVC msg=audit(1244936277.370:81): avc:  denied  { search } for
pid=2394 comm=dbus-daemon name=3998 dev=proc ino=337975

Please upgrade to the latest selinux-policy in updates or it might still
be in updates-testing

yum update selinux-policy-targeted

If you do not get an update try

yum update selinux-policy-targeted --enablerepo=updates-testing


What fixed it for me was doing:
setenforce 0; fixfiles -F restore; setenforce 1; reboot

after doing f8 -> f9 -> f10 -> f11 over the years not all contexts were
exactly as they should be.


Yes upgrading continuously can leave you with mislabeled files.

The dbus issue was caused by it trying to read the /proc entries of 
running processes, probably executing killall or pidof commands.






Re: system-config-selinux error after updates

2009-05-25 Thread Daniel J Walsh

policycoreutils-2.0.62-12.5.fc11  Currently in Updates testing or
policycoreutils-2.0.62-12.6.fc11 in Koji should fix this problem.

I have asked for -5 to be pushed into F11 final.  Please grab one of 
these packages to see if it fixes your problem.




Re: SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running

2009-05-21 Thread Daniel J Walsh

On 05/21/2009 09:42 AM, Mike Fleetwood wrote:

Daniel J Walsh wrote:

Are you seeing any avc's in /var/log/audit/audit.log?


With SELinux in permissive mode ...
[r...@mfleetwo3 ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[r...@mfleetwo3 ~]# service messagebus status
dbus-daemon (pid 2736 2055) is running...

I get the following in /var/log/audit/audit.log:
type=SELINUX_ERR msg=audit(1242912572.287:30134):
security_compute_sid:  invalid context
unconfined_u:unconfined_r:initrc_t:s0 for
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1242912572.287:30134): arch=4003 syscall=11
success=yes exit=0 a0=bf981981 a1=bf980194 a2=8fca858 a3=4 items=0
ppid=4082 pid=4087 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=2 comm=messagebus exe=/bin/bash
subj=unconfined_u:unconfined_r:initrc_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1242912572.294:30135):
security_compute_sid:  invalid context
unconfined_u:unconfined_r:initrc_t:s0 for
scontext=unconfined_u:unconfined_r:initrc_t:s0
tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1242912572.294:30135): arch=4003 syscall=11
success=yes exit=0 a0=8ec9e78 a1=8ec44b8 a2=8ec9c08 a3=0 items=0
ppid=4088 pid=4089 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=2 comm=consoletype
exe=/sbin/consoletype subj=unconfined_u:unconfined_r:initrc_t:s0
key=(null)
type=SELINUX_ERR msg=audit(1242912572.310:30136):
security_compute_sid:  invalid context
unconfined_u:unconfined_r:initrc_t:s0 for
scontext=unconfined_u:unconfined_r:initrc_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=process
type=SYSCALL msg=audit(1242912572.310:30136): arch=4003 syscall=11
success=yes exit=0 a0=8ec8e80 a1=8ec48f8 a2=8ec8fd0 a3=0 items=0
ppid=4090 pid=4091 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=2 comm=pidof exe=/sbin/killall5
subj=unconfined_u:unconfined_r:initrc_t:s0 key=(null)


I assume that there is a single SELinux related root cause which is
preventing D-Bus starting ConsoleKit and preventing /sbin/service
reporting status of daemon when SELinux is in enforcing mode.

P.S. Sorry in advance if I don't replay for a week I am away on
holiday from Friday for a week with unknown Internet connectivity.

Thanks,
Mike

Your message bus is running as initrc_t which indicates that you have a 
labeling problem.


fixfiles restore

Reboot and you should be all set.

Your message bus should be running as system_dbusd_t.  It is also 
running as unconfined_u:unconfined_r which indicates you have stopped 
and started it.


If you run restorecon -R -v /bin I would figure you will see some 
mislabeled files.
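Across the hplip, dbus and messagebus threads above the same question recurs: is a denial a missing allow rule, a policy bug, or a labeling problem? The following added Python example, which is not code from the list or from the SELinux tools, parses AVC records into the (source type, target type, class, permissions) tuples that an allow rule or a bug report needs, and flags denials whose source domain is initrc_t or unconfined_t, which, as the reply above says, means the daemon was never transitioned into its own domain and relabeling rather than an allow rule is the fix. The sample records are constructed in the shape of the quoted ones; the initrc_t record is invented to show that case, and the `node=` prefix form matches the sealert output quoted earlier in this archive.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of the AVC messages quoted in
# these threads. pids and inodes are made up, and the initrc_t record is
# invented to exercise the labeling-problem branch.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1244936277.370:81): avc:  denied  { search } for  pid=2394 comm="dbus-daemon" name="3998" dev=proc ino=337975 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=dir
type=AVC msg=audit(1244936277.370:81): avc:  denied  { read } for  pid=2394 comm="dbus-daemon" name="cmdline" dev=proc ino=337976 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0 tclass=file
type=SYSCALL msg=audit(1244936277.370:81): arch=c000003e syscall=2 success=yes exit=66 ppid=1 pid=2394 comm="dbus-daemon"
type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for pid=25561 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc: denied { read } for pid=11771 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1242912572.300:30140): avc: denied { execute } for pid=4091 comm="messagebus" name="killall5" dev=sda2 ino=4242 scontext=unconfined_u:unconfined_r:initrc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"^(?:node=\S+\s+)?type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Source domains that mean the process never transitioned into its own
# domain: a denial from them points at mislabeled files or a service started
# by hand (the messagebus thread), not at a missing allow rule.
GENERIC_DOMAINS = {"initrc_t", "unconfined_t"}


def context_type(ctx):
    """Return the type field of user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse denied-AVC records; SYSCALL and other record types are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append({
            "serial": int(m.group("serial")),
            "perms": set(m.group("perms").split()),
            "comm": fields.get("comm", "?"),
            "name": fields.get("name", ""),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return records


def summarize(records):
    """Fold records into (source, target, class) -> permission set, which is
    the shape an allow rule, or a bug report, needs."""
    summary = defaultdict(set)
    for r in records:
        summary[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    return dict(summary)


def triage(records):
    """One line per (source, target, class) key: the rule audit2allow would
    emit, plus the recommendation a reviewer would attach to it."""
    notes = []
    for (src, tgt, cls), perms in sorted(summarize(records).items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if src in GENERIC_DOMAINS:
            notes.append(f"{rule}  # source runs as {src}: relabel (restorecon/fixfiles) "
                         "and restart the service instead of allowing this")
        else:
            notes.append(f"{rule}  # confined domain: report as a policy bug "
                         "or load a local module")
    return notes


if __name__ == "__main__":
    for note in triage(parse_avc(SAMPLE_AUDIT)):
        print(note)
```

Feed it `ausearch -m avc` or `grep avc /var/log/audit/audit.log` output instead of the constructed sample; the generic-domain check is the part audit2allow does not do for you, and it is exactly the case where an allow rule would paper over a labeling fault.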




Re: SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running

2009-05-21 Thread Daniel J Walsh

On 05/21/2009 11:27 AM, Mike Fleetwood wrote:

Daniel J Walsh wrote:

Your message bus is running as initrc_t which indicates that you have a
labeling problem.

fixfiles restore

Reboot and you should be all set.

Your message bus should be running as system_dbusd_t.  It is also running as
unconfined_u:unconfined_r which indicates you have stopped and started it.

If you run restorecon -R -v /bin  I would figure you will see some
mislabeled files.


Logged in to X11 via GDM as my user mfleetwo, then in a terminal su -.

[r...@mfleetwo3 ~]# sestatus
SELinux status: enabled
SELinuxfs mount:/selinux
Current mode:   permissive
Mode from config file:  enforcing
Policy version: 23
Policy from config file:targeted

[r...@mfleetwo3 ~]# fixfiles restore
/sbin/setfiles:  unable to
stat file /home/mfleetwo/.gvfs: Permission denied
/sbin/setfiles:  error while labeling /:  Permission denied
/sbin/setfiles:  error while labeling /boot:  Permission denied

And in /var/log/audit/audit.log:
type=FS_RELABEL msg=audit(1242919396.655:30941): user pid=4985 uid=0
auid=500 ses=2 subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
msg='op=mass relabel: exe=/sbin/setfiles (hostname=?, addr=?,
terminal=pts/1 res=failed)'

Stopped at this point as to me it looks like 'fixfiles restore' didn't work.

[r...@mfleetwo3 ~]# df -k
Filesystem   1K-blocks  Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
   46884088  36970092   7504128  84% /
/dev/sda1   202219 28319163573  15% /boot
tmpfs   77276876772692   1% /dev/shm

[r...@mfleetwo3 ~]# ls -dZ / /boot
drwxr-xr-x  root root system_u:object_r:root_t /
drwxr-xr-x  root root system_u:object_r:boot_t /boot

Thanks,
Mike


What file system are you using?

Try
# restorecon -R -v / 2> /dev/null

You will get lots of errors.



Re: SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running

2009-05-21 Thread Daniel J Walsh

On 05/21/2009 03:26 PM, Mike Fleetwood wrote:

Daniel J Walsh:

What file system are you using?

Try
# restorecon -R -v / 2> /dev/null

You will get lots of errors.


Ext3 file system.
[r...@mfleetwo3 ~]# mount | egrep '/ |/boot'
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
/dev/sda1 on /boot type ext3 (rw)

[r...@mfleetwo3 ~]# restorecon -R -v / 2> /dev/null
restorecon reset /dev/shm context
system_u:object_r:tmpfs_t:s0->system_u:object_r:device_t:s0
restorecon reset /dev/shm/pulse-shm-1549836239 context
unconfined_u:object_r:unconfined_tmpfs_t:s0->system_u:object_r:device_t:s0

I only got these 2 context corrections.  About as I expected as I
performed a full relabel earlier by touching /.autolabel and rebooting
only a few days ago before I asked for help.

Thanks,
Mike

Mike could you join me on irc #selinux on freenode and talk to me there 
(dwalsh)?




Re: SELinux preventing D-Bus starting ConsoleKit etc - Was: F10 - pulseaudio not running

2009-05-20 Thread Daniel J Walsh

On 05/20/2009 04:23 AM, Mike Fleetwood wrote:

I wrote:

I can see that on my functioning desktops that before login, gdm has
been granted read-write access, via ACLs, to the sound device files in
/dev/snd/.  After GDM login my user is granted read-write instead.

On my broken desktop there are no ACLs granting extra permissions.  I
have now restored the original permissions on the /dev/snd/* files and
added my user read-write access via ACLs.  Still pulseaudio does not
start.

I also noticed that on my broken desktop, console-kit-daemon is not
running.  So far I have only found that console-kit-daemon may have
been started with /etc/rc.d/init.d/ConsoleKit circa Fedora 8.  That
consoleKit service script been removed in Fedora 10 and I don't yet
know how console-kit-daemon is meant to be started.

Is console-kit-daemon running even relevant to GDM adding ACLs for the
console user to access devices?  Probably.  Is this relevant to why
pulseaudio fails to start?  Don't know as even when standard file
permissions, rather than ACLs, allowed access to /dev/snd/* pulseaudio
died on startup.

 From my functional home desktop ...
[m...@rockover ~]$ getfacl -p /dev/snd/controlC0
# file: /dev/snd/controlC0
# owner: root
# group: root
user::rw-
user:mike:rw-
group::rw-
mask::rw-
other::---
(Same results of additional user mike ACL for all devices in /dev/snd/).
[m...@rockover ~]$ ck-list-sessions
Session4:
unix-user = '500'
realname = 'Mike Fleetwood'
seat = 'Seat1'
session-type = ''
active = TRUE
x11-display = ':0'
x11-display-device = '/dev/tty1'
display-device = ''
remote-host-name = ''
is-local = TRUE
on-since = '2009-04-08T19:06:01.429138Z'
login-session-id = '702'
[m...@rockover ~]$ ps -ef | fgrep console-kit-daemon
root  2477 1  0 Apr08 ?00:00:00 /usr/sbin/console-kit-daemon
mike 23954 19225  0 12:05 pts/000:00:00 fgrep console-kit-daemon

 From my broken work desktop ...
[mflee...@mfleetwo3 ~]$ su -
Password:
[r...@mfleetwo3 ~]# chmod o= /dev/snd/*
[r...@mfleetwo3 ~]# setfacl -m u:mfleetwo:rw /dev/snd/*
[r...@mfleetwo3 ~]# ls -l /dev/snd/*
crw-rw+ 1 root root 116, 7 2009-04-22 13:13 /dev/snd/controlC0
crw-rw+ 1 root root 116, 6 2009-04-22 13:13 /dev/snd/hwC0D0
crw-rw+ 1 root root 116, 5 2009-05-06 12:15 /dev/snd/pcmC0D0c
crw-rw+ 1 root root 116, 4 2009-05-06 12:15 /dev/snd/pcmC0D0p
crw-rw+ 1 root root 116, 3 2009-04-22 13:13 /dev/snd/seq
crw-rw+ 1 root root 116, 2 2009-04-22 13:13 /dev/snd/timer
[r...@mfleetwo3 ~]# getfacl -p /dev/snd/controlC0
# file: /dev/snd/controlC0
# owner: root
# group: root
user::rw-
user:mfleetwo:rw-
group::rw-
mask::rw-
other::---
[r...@mfleetwo3 ~]# exit
logout
[mflee...@mfleetwo3 ~]$ pulseaudio --start --log-target=syslog
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
I: caps.c: Dropping root privileges.
I: caps.c: Limited capabilities successfully to CAP_SYS_NICE.
[WARN  9224] polkit-session.c:144:polkit_session_set_uid(): session != NULL
  Not built with -rdynamic so unable to print a backtrace
[mflee...@mfleetwo3 ~]$ echo $?
1
[mflee...@mfleetwo3 ~]$ ps -ef | fgrep pulseaudio
[mflee...@mfleetwo3 ~]$ ck-list-sessions

** (ck-list-sessions:9244): WARNING **: Failed to get list of seats:
Cannot launch daemon, file not found or permissions invalid
[mflee...@mfleetwo3 ~]$ ps -ef | fgrep console-kit-daemon


I have identified that my issues are caused by SELinux.  I have
rebooted with enforcing=0 to switch SELinux into permissive mode and
ConsoleKit and Pulseaudio start correctly and audacious plays music.
Even after performing a full relabelling of the SELinux security
context of all files by touching /.autorelabel and rebooting, SELinux
in enforcing is preventing D-Bus starting ConsoleKit and Pulseaudio
starting.  Investigation into SELinux continuing.

E.g. SELinux in enforcing mode:
[r...@mfleetwo3 ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[r...@mfleetwo3 ~]# service messagebus status
env: /etc/init.d/messagebus: Permission denied

and SELinux in permissive mode:
[r...@mfleetwo3 ~]# service messagebus status
dbus-daemon (pid 2736 2055) is running...

Thanks,
Mike


Are you fully yum updated on selinux policy?


yum -y upgrade selinux-policy-targeted




Re: Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]

2009-05-06 Thread Daniel J Walsh

On 05/05/2009 08:17 PM, David wrote:

On Wed, May 6, 2009 at 8:58 AM, Eamon Walsh <ewa...@tycho.nsa.gov> wrote:

David wrote:

I'm attempting to mount a loop device (a ro file) at boot using fstab.
My fstab entry works fine from the command line, but it fails at boot
time due to a selinux avc error. I assume this is due to incorrect
file context. The file is under a nonstandard top level directory, so
I need to specifically assign it the correct file context, which I
would do if I could figure out what it ought to be.

mount_loopback_t.


Yes this works. Thank you to everyone who replied. Thanks Eamon for
nurturing my understanding of selinux, which is what I hoped for when
posting. I will explore your suggestions.

Actually I did notice mount_loopback_t early in my exploration. But
I naively ignored it due to my expectation that loopback refers to a
network interface, not a loop device as used by mount.

I did not realise how widespread it is to confuse these terms. The
word loopback does not appear in 'man 8 mount'. It really surprises me
that the selinux specification is not more precise on this usage.

Surely mount_loopback_t is a mistake, it should be named mount_loop_t.

Some people are never happy!! ;-)



I will change the label to mount_loop_t in rawhide/F11 policy.  And 
alias mount_loopback_t to it.




Re: Selinux disallows read-only loop mount of a file, but only at boot [SOLVED]

2009-05-04 Thread Daniel J Walsh

On 05/04/2009 05:19 AM, David wrote:

[da...@kablamm ~]$ cat
/etc/selinux/targeted/contexts/files/file_contexts | grep mount
/etc/rc.d/init.d/autofs --  system_u:object_r:automount_script_exec_t:s0
/bin/mount.*--  system_u:object_r:mount_exec_t:s0
/bin/umount.*   --  system_u:object_r:mount_exec_t:s0
/sbin/mount.*   --  system_u:object_r:mount_exec_t:s0
/sbin/umount.*  --  system_u:object_r:mount_exec_t:s0
/var/run/autofs.*   system_u:object_r:automount_var_run_t:s0
/var/run/pam_mount(/.*)?system_u:object_r:pam_var_run_t:s0
/usr/bin/smbmnt --  system_u:object_r:smbmount_exec_t:s0
/bin/fusermount --  system_u:object_r:mount_exec_t:s0
/usr/bin/smbmount   --  system_u:object_r:smbmount_exec_t:s0
/usr/bin/fusermount --  system_u:object_r:mount_exec_t:s0
/usr/sbin/automount --  system_u:object_r:automount_exec_t:s0
/usr/sbin/rpc\.mountd   --  system_u:object_r:nfsd_exec_t:s0
/etc/apm/event\.d/autofs--  system_u:object_r:automount_exec_t:s0

[r...@kablamm david]# chcon -t mount_exec_t
/HUGE/get/iso/Fedora-09-i386-DVD/Fedora-09-i386-DVD.iso

Appears to be [SOLVED] ... off for a fizzy drink :-)

If I got this wrong, please comment.


What OS are you running?

What policy version?




Re: Setting up CVS repository and avoiding Selinux issues?

2009-04-29 Thread Daniel J Walsh

On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:



I am trying to get my CVS repository setup.  Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.

Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type t -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs

and I got selinux complaining that the files are not /cvs rooted.

So I did:

cp -a /f-App1/Develop/cvs  /cvs1
rm -f /cvs
ln -s /cvs1 /cvs

And it worked.

How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?


I blogged on your email

http://danwalsh.livejournal.com/28027.html



Re: Setting up CVS repository and avoiding Selinux issues?

2009-04-29 Thread Daniel J Walsh

On 04/29/2009 11:20 AM, Daniel B. Thurman wrote:

Daniel J Walsh wrote:

On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:



I am trying to get my CVS repository setup. Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.

Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type t -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs

and I got selinux complaining that the files are not /cvs rooted.

So I did:

cp -a /f-App1/Develop/cvs /cvs1
rm -f /cvs
ln -s /cvs1 /cvs

And it worked.

How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?


I blogged on your email

http://danwalsh.livejournal.com/28027.html


Thanks a lot Dan! I will see what I can do to resolve
my CVS issues. Please read my posting in reply to Todd
Dennison. I was asking myself why the all or nothing
proposition, and about using selinux context with more
flexibility than what we have? I understand that security
prevails over flexibility but I was wondering if there was
a way to gain more flexibility and yet still retain security?

Well I would argue they are very flexible.  I did give you a couple of 
solutions but there are theoretically multiple others.


And I am always willing to accept other solutions.

svn and git seem to be using http_sys_content_t for their context so I 
guess we could attempt to allow those domains access to cvs_data?

For example, if multiple context / file was possible, then
one could theoretically traverse from the top of the tree
to allow passage to the leaf of the tree? Yes I can imagine
it is a bit more complexity, but... if security is not compromised,
then, perhaps it's worth it?

I guess maybe we should have had this conversation on the blog.  There 
are many contexts that most confined services can traverse.  For example 
usr_t, etc_t, var_t


I have added a comment to my blog.

PS: For some reason or another, I am no longer receiving
Fedora SeLinux mailing list postings. Is the Fedora SeLinux
mailing list still active?


Yes.  This list is still available.

Last message is 4/28 from me.  :^)


Kind regards,
Dan





Re: SELinux and named

2009-03-30 Thread Daniel J Walsh

On 03/29/2009 11:29 AM, Steven Stern wrote:

Running named in a chroot, I've been getting these messages for about a
week. Running restorecon, as suggested by the troubleshooter, doesn't help.

Mar 26 05:08:55 sds-desk setroubleshoot: SELinux is preventing logrotate
(logrotate_t) getattr to /var/named/data/named.run (named_cache_t).
For complete SELinux messages. run sealert -l
d0d5bc39-fa99-4238-be5c-480a54ed38ae
Mar 27 05:08:55 sds-desk setroubleshoot: SELinux is preventing logrotate
(logrotate_t) getattr to /var/named/data/named.run (named_cache_t).
For complete SELinux messages. run sealert -l
d0d5bc39-fa99-4238-be5c-480a54ed38ae
Mar 28 05:08:53 sds-desk setroubleshoot: SELinux is preventing logrotate
(logrotate_t) getattr to /var/named/data/named.run (named_cache_t).
For complete SELinux messages. run sealert -l
d0d5bc39-fa99-4238-be5c-480a54ed38ae
Mar 29 05:08:54 sds-desk setroubleshoot: SELinux is preventing logrotate
(logrotate_t) getattr to /var/named/data/named.run (named_cache_t).
For complete SELinux messages. run sealert -l
d0d5bc39-fa99-4238-be5c-480a54ed38ae

- --

   Steve

Is logrotate being setup specially to rotate files in 
/var/named/data/named.run ?


Or is this a standard configuration?





Re: SELinux and named

2009-03-30 Thread Daniel J Walsh

On 03/30/2009 12:54 PM, Steven Stern wrote:

Daniel J Walsh wrote:

On 03/29/2009 11:29 AM, Steven Stern wrote:
Running named in a chroot, I've been getting these messages for about a
week. Running restorecon, as suggested by the troubleshooter, doesn't
help.

Mar 26 05:08:55 sds-desk setroubleshoot: SELinux is preventing logrotate
(logrotate_t) getattr to /var/named/data/named.run (named_cache_t).
For complete SELinux messages. run sealert -l
d0d5bc39-fa99-4238-be5c-480a54ed38ae
Mar 27 05:08:55 sds-desk setroubleshoot: SELinux is preventing logrotate
(logrotate_t) getattr to /var/named/data/named.run (named_cache_t).
For complete SELinux messages. run sealert -l
d0d5bc39-fa99-4238-be5c-480a54ed38ae
Mar 28 05:08:53 sds-desk setroubleshoot: SELinux is preventing logrotate
(logrotate_t) getattr to /var/named/data/named.run (named_cache_t).
For complete SELinux messages. run sealert -l
d0d5bc39-fa99-4238-be5c-480a54ed38ae
Mar 29 05:08:54 sds-desk setroubleshoot: SELinux is preventing logrotate
(logrotate_t) getattr to /var/named/data/named.run (named_cache_t).
For complete SELinux messages. run sealert -l
d0d5bc39-fa99-4238-be5c-480a54ed38ae

Is logrotate being setup specially to rotate files in
/var/named/data/named.run ?



Or is this a standard configuration?



This is the standard logrotate.  I used audit2allow to create a policy
permitting it.

Ok I put a patch into Rawhide, and I believe the next F10 policy will 
have a fix for this.




Re: Anyone unable to run specifc applications after recent selinux-policy?

2009-03-24 Thread Daniel J Walsh

On 03/24/2009 08:40 AM, Mike Cloaked wrote:



Mike Cloaked wrote:

I just tried to run Okular in F10 (first time since recent selinux policy
update) and nothing happens - used to work fine!

Also Crossover no longer executes programmes -

I wonder if anyone else is seeing this change of behaviour?



I now have a programme failure that seems to indicate that it is possibly
the java update that has broken something!
Anyone have any further ideas or information about breakage after the latest
updates?

What avc messages are you seeing?




Re: Anyone unable to run specifc applications after recent selinux-policy?

2009-03-24 Thread Daniel J Walsh

On 03/24/2009 10:53 AM, Mike Cloaked wrote:



Daniel J Walsh wrote:


What avc messages are you seeing?




That is the problem - I am not seeing avc's, or log messages or anything -
the programs just won't run! The gnome desktop seems normal other than that
these few programs won't work. I am totally puzzled - I have changed the
monitor from an analogue one to a DVI connected one as well as having yum
updated, but that presumably is not relevant? I am wandering in the dark
about this - not sure how to diagnose?



setenforce 0

and see if they run.




Re: Fedora/Linux Security Guide

2009-03-11 Thread Daniel J Walsh

Eric Christensen wrote:
 SELinux is addressed in a completely separate guide.

Then that should be SCREAMED from the first line of this guide.

SELinux is a fundamental security attribute of Fedora, and your guide is
the Fedora/Linux Security Guide.  But your document treats it like it is
an afterthought.

If I pick up a Fedora/Linux Security Guide and do not see SELinux right
away, I am very confused.

I had to search the guide for the word SELinux, and it is mentioned:

First mention of selinux is on Page 33, as a footnote.


Page 33:
.3  This access is still subject to the restrictions imposed by SELinux,
if it is enabled.

Next reference
Page 145:

15. restore default SELinux security contexts: /sbin/restorecon -v -R /home

Page 150:

* use security-enhancing software and tools, for example,
  Security-Enhanced Linux (SELinux) for Mandatory Access Control (MAC),
  Netfilter iptables for packet filtering (firewall), and the GNU
  Privacy Guard (GnuPG) for encrypting files.

Then Chapter 7 Under references you finally give information on SELinux,
but the guide you refer to is buried under several semi-useful links.

...

Community
Fedora SELinux User Guide
   http://docs.fedoraproject.org/selinux-user-guide/


So why not, in your Introduction to Security section, explain what this
guide will not cover (SELinux) and refer to the guides that do cover it
there?

I

--
Fedora-security-list mailing list
Fedora-security-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-security-list


Re: Small SELinux issue with kdm and grub [solved]

2009-03-10 Thread Daniel J Walsh

dexter wrote:
 2009/3/9 Daniel J Walsh dwa...@redhat.com:
 All this for arguable value.
 
 You forgot to add in your opinion!
 Because I happen to like the option of selecting which kernel I boot
 from next before I restart.
 
 ...dex
 
Aren't you arguing with me? :^)

In my opinion.



Re: Small SELinux issue with kdm and grub [solved]

2009-03-09 Thread Daniel J Walsh

Marko Vojinovic wrote:
 On Sunday 08 March 2009 23:39, Kevin Kofler wrote:
 Marko Vojinovic wrote:
 I don't understand the last point. What is the feature of KDM that you
 talk about? I don't remember enabling any specific feature of KDM other
 than autologin. Is that it?
 In the 5th tab of the KDM options, there's an option to set your boot
 loader, it should be set to None (which is what we set it to by default).
 If you set it to GRUB, KDM will try to talk to GRUB and SELinux will block
 it.
 
 Aha! I found it!
 
 It was indeed set to grub instead of none. I really don't remember ever 
 touching that setting, but memory can be misleading. Anyway, it doesn't 
 matter anymore. I have set it to none and SELinux stopped complaining.
 
 Thanks! :-)
 Marko
 
Reasoning for SELinux to deny this:

Login programs are becoming a lot larger; lots of software needs to be
run in order to allow Assisted Technologies.  Most of this software
can be executed by a non-logged-in user, so a bug in the software could
compromise the system.  Allowing the login program to manipulate the
boot environment might allow a slightly compromised login program to
turn off security options like SELinux, or change other kernel options.

All this for arguable value.





Re: selinux-policy-3.5.13-46.fc10.noarch - slight hiccup!

2009-03-03 Thread Daniel J Walsh

Mike Cloaked wrote:
 
 
 Daniel J Walsh wrote:

 This is very strange; I have no idea why an SELinux update would do this,
 and suspect that something else might have gone wrong.  Were there other
 packages in the update?

 I will update my F10 and see what is going on.

 Could be someone is doing a chcon -t usr_t in a post install script?

 selinux-policy should only be doing the equivalent of a restorecon -vR
 in its post install.  Actually it executes fixfiles:
 fixfiles -C ${FILE_CONTEXT}.pre restore

 This figures out what was different between the old file context and
 the new and runs restorecon on them.


 
 Dan, I had a problem this morning on another machine where there is a bind
 mounted /var/spool/mail directory (restorecon -vR /var/spool/mail seems to
 have fixed it). In all the cases where the user contexts had a problem were
 machines with bind mounted /home areas.  I wonder if this could be the
 common factor?
Yes, if you bind mount a usr_t directory without telling the system about
it, it could cause labeling problems.

For example, if you store your homedirs in /usr/myhome/dwalsh and bind
mount this over /home/dwalsh, SELinux will label the directory usr_t,
since /usr/myhome/dwalsh defaults to a usr_t label.  If you bind mount
it over /home/dwalsh and run restorecon on /home/dwalsh, it will label it
properly.  But depending on which directory has restorecon run on it,
you can get different results.  Usually we only have small relabels that
happen on policy upgrades, so it probably never hit this directory.  But
this update seems to have triggered a larger relabel, something like

restorecon -R -v /usr


So the problem in SELinux is we do not have an easy way to say
/usr/myhome == /home
or /usr/myhome/dwalsh == /home/dwalsh

This is on my todo list.

Sorry about the inconvenience.





Re: selinux-policy-3.5.13-46.fc10.noarch - slight hiccup!

2009-03-02 Thread Daniel J Walsh

Mike Cloaked wrote:
 I have just updated some f10 boxes a few minutes ago. On logging on again
 after rebooting to the new kernel this evening, the main user directories
 have had their contexts changed to usr_t so I presume some kind of
 relabelling has been done - but not correctly!  After restorecon -vR
 /home/user the contexts have mostly reverted to where they should be - I
 initially noticed because ssh suddenly started demanding a passphrase when
 it should not need one - and then I noted avc denials. 
 
 This is for selinux-policy-3.5.13-46.fc10.noarch and the related targeted
 policy.  
 
 I have tested on several systems and so far all is well after doing 
 restorecon -vR /home
 as root to fix all user areas in one go.  Any one user can fix their own
 user area by doing restorecon -vR /home/user 
 I presume that this will lose any chcon changes - but any contexts that were
 saved as a rule using semanage fcontext presumably should be restored -
 though I have not had time to explore all directories yet.  
 
 This update was pushed to stable today so presumably it will take a while to
 sync to all mirrors.
This is very strange; I have no idea why an SELinux update would do this,
and suspect that something else might have gone wrong.  Were there other
packages in the update?

I will update my F10 and see what is going on.

Could be someone is doing a chcon -t usr_t in a post install script?

selinux-policy should only be doing the equivalent of a restorecon -vR
in its post install.  Actually it executes fixfiles:
fixfiles -C ${FILE_CONTEXT}.pre restore

This figures out what was different between the old file context and
the new and runs restorecon on them.



Re: network-scripts problem

2009-02-20 Thread Daniel J Walsh

Antonio Olivares wrote:
 
 
 --- On Tue, 2/17/09, Antonio Olivares olivares14...@yahoo.com wrote:
 
 From: Antonio Olivares olivares14...@yahoo.com
 Subject: network-scripts problem
 To: fedora-list@redhat.com
 Cc: fedora-selinux-l...@redhat.com
 Date: Tuesday, February 17, 2009, 7:43 AM
 Dear fellow testers, 

 I encountered network functions/network-scripts problem :(

 [r...@localhost ~]# dhclient eth0
 Missing /etc/sysconfig/network-scripts/network-functions,
 exiting.
 Missing /etc/sysconfig/network-scripts/network-functions,
 exiting.
 Missing /etc/sysconfig/network-scripts/network-functions,
 exiting.
 ^C 
   
 [r...@localhost ~]# restorecon -v 'network-scripts'
   
 restorecon:  stat error on network-scripts:  No such file
 or directory
 [r...@localhost ~]# restorecon -v network-scripts
 restorecon:  stat error on network-scripts:  No such file
 or directory
 [r...@localhost ~]# dhclient eth0   
 Missing /etc/sysconfig/network-scripts/network-functions,
 exiting.
 ^C 
   
 You have new mail in /var/spool/mail/root  
   
 [r...@localhost ~]# service network status 
   
 Configured devices:
   
 lo eth0 eth1   
   
 Currently active devices:
 lo eth1 eth0
 [r...@localhost ~]# service network restart
 Shutting down interface eth0: 
 [  OK  ]
 Shutting down interface eth1: 
 [  OK  ]
 Shutting down loopback interface: 
 [  OK  ]
 Disabling IPv4 packet forwarding:  net.ipv4.ip_forward = 0
   
 [  OK  ]
 Bringing up loopback interface:   
 [  OK  ]
 Bringing up interface eth0:
 Determining IP information for eth0...Missing
 /etc/sysconfig/network-scripts/network-functions, exiting.
 ^C

 Got also greeted by selinux alert:


 Summary:

 SELinux is preventing dhclient-script (dhcpc_t)
 search to network-scripts
 (net_conf_t).

 Detailed Description:

 SELinux denied access requested by dhclient-script. It is
 not expected that this
 access is required by dhclient-script and this access may
 signal an intrusion
 attempt. It is also possible that the specific version or
 configuration of the
 application is causing it to require additional access.

 Allowing Access:

 Sometimes labeling problems can cause SELinux denials. You
 could try to restore
 the default system file context for network-scripts,

 restorecon -v 'network-scripts'

 If this does not work, there is currently no automatic way
 to allow this access.
 Instead, you can generate a local policy module to allow
 this access - see FAQ
 (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
 Or you can disable
 SELinux protection altogether. Disabling SELinux protection
 is not recommended.
 Please file a bug report
 (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
 against this package.

 Additional Information:

 Source Context   
 unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
 Target Contextsystem_u:object_r:net_conf_t
 Target Objectsnetwork-scripts [ dir ]
 Sourcedhclient-script
 Source Path   /bin/bash
 Port  Unknown
 Host  localhost
 Source RPM Packages   bash-4.0-0.4.rc1.fc11
 Target RPM Packages   
 Policy RPMselinux-policy-3.6.6-1.fc11
 Selinux Enabled   True
 Policy Type   targeted
 MLS Enabled   True
 Enforcing ModeEnforcing
 Plugin Name   catchall_file
 Host Name localhost
 Platform  Linux localhost
 2.6.29-0.124.rc5.fc11.i586 #1 SMP
   Mon Feb 16 21:15:37 EST 2009
 i686 athlon
 Alert Count   3
 First SeenTue 17 Feb 2009 09:32:55 AM
 CST
 Last Seen Tue 17 Feb 2009 09:33:55 AM
 CST
 Local ID 
 878e2548-4687-45f0-8115-d40144370614
 Line Numbers  

 Raw Audit Messages

 node=localhost type=AVC msg=audit(1234884835.408:131): avc:
  denied  { search } for  pid=11969
 comm=dhclient-script
 name=network-scripts dev=dm-0 ino=28344324
 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir

 node=localhost type=SYSCALL msg=audit(1234884835.408:131):
 arch=4003 syscall=195 success=no exit=-13 a0=8463100
 a1=bfb25c2c a2=b45ff4 a3=8463102 items=0 ppid=11968
 pid=11969 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
 sgid=0 fsgid=0 tty=pts1 ses=1
 comm=dhclient-script exe=/bin/bash
 

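The raw AVC record quoted above (dhcpc_t denied search on a net_conf_t directory) and the console-kit one in the next thread are the input that audit2allow and audit2why consume. The Python script below is an added example, not code from this list or from the policycoreutils tools: it parses AVC lines of that shape, separates denials whose target carries a catch-all type (unlabeled_t, default_t, file_t, which almost always mean a mislabeled file to fix with restorecon, as the troubleshooter suggests) from genuine policy gaps, and emits the .te module source that audit2allow -m would print for the rest. The sample log is constructed: the first AVC lines are the two records quoted on this page (the archive stripped auditd's quotes, which the parser tolerates), plus one extra console-kit denial so that permissions merge, plus an invented logrotate denial against unlabeled_t to drive the relabel branch. The caveat a practitioner wants here: an allow rule generated this way is only as safe as the denial that produced it, so read the rule before semodule -i, and prefer an existing boolean (audit2why names it) where one covers the access.

```python
import re
from collections import defaultdict

# Shape of a kernel AVC record; the optional "node=..." prefix is skipped by re.search.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; auditd quotes strings (comm="x"), list archives often strip them.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that say "this file is mislabeled", not "the policy lacks a rule".
LABELING_TYPES = {"unlabeled_t", "default_t", "file_t"}

# Constructed sample: the dhclient-script and console-kit records quoted on this page,
# one extra console-kit denial, and an invented logrotate denial against unlabeled_t.
SAMPLE_LOG = """\
node=localhost type=AVC msg=audit(1234884835.408:131): avc:  denied  { search } for  pid=11969 comm="dhclient-script" name="network-scripts" dev=dm-0 ino=28344324 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir
node=localhost type=SYSCALL msg=audit(1234884835.408:131): arch=40000003 syscall=195 success=no exit=-13 pid=11969 comm="dhclient-script" exe="/bin/bash"
node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc:  denied  { execute } for  pid=3010 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0 ino=54362144 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
node=localhost.localdomain type=AVC msg=audit(1232063240.101:59): avc:  denied  { read open } for  pid=3010 comm="dbus-daemon-lau" name="console-kit-daemon" dev=dm-0 ino=54362144 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
type=AVC msg=audit(1238396935.500:77): avc:  denied  { getattr } for  pid=4120 comm="logrotate" path="/var/named/data/named.run" dev=dm-0 ino=9021 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; TE rules are written in terms of the type.
    rec["stype"] = rec.get("scontext", "::?").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?").split(":")[2]
    return rec


def parse_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def triage(records):
    """Split denials into 'relabel first' (catch-all target type) and 'policy gap'."""
    relabel, policy = [], []
    for r in records:
        if r["verdict"] != "denied":
            continue
        (relabel if r["ttype"] in LABELING_TYPES else policy).append(r)
    return relabel, policy


def collapse(records):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return merged


def allow_rules(merged):
    rules = []
    for (s, t, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{cls} {p};" if len(perms) == 1
                     else f"allow {s} {t}:{cls} {{ {p} }};")
    return rules


def te_module(name, merged):
    """Module source in the form 'audit2allow -m NAME' prints (build it with checkmodule
    and semodule_package, then load with semodule -i)."""
    types = sorted({s for s, _, _ in merged} | {t for _, t, _ in merged})
    classes = defaultdict(set)
    for (_, _, cls), perms in merged.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};" for cls in sorted(classes)]
    lines += ["}", ""] + allow_rules(merged)
    return "\n".join(lines) + "\n"


def relabel_hints(records):
    """restorecon commands for the denials that look like labeling problems."""
    return [f"restorecon -v '{r.get('path') or r.get('name')}'  # {r['comm']} ({r['stype']}) hit {r['ttype']}"
            for r in records]


if __name__ == "__main__":
    relabel, policy = triage(parse_log(SAMPLE_LOG))
    print("\n".join(relabel_hints(relabel)))
    print(te_module("myfix", collapse(policy)))
```

Run against a real /var/log/audit/audit.log the script will also pick up denials from permissive domains (the "This access was not denied" case the troubleshooter reports); those still show up as verdict "denied" in the AVC line, so the triage is the same, only the urgency differs.
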
Re: Upgrade and SELinux messages

2009-01-16 Thread Daniel J Walsh

Les wrote:
 I upgraded from F8 to F10.  It appeared to go smoothly, but then I 
 received the following SELinux errors:
 
 //
 /** first 
 
 Summary:
 
 SELinux is preventing dbus-daemon-lau (system_dbusd_t) execute to
 ./console-kit-daemon (consolekit_exec_t).
 
 Detailed Description:
 
 SELinux denied access requested by dbus-daemon-lau. It is not expected
 that this access is required by dbus-daemon-lau and this access may
 signal an intrusion attempt. It is also possible that the specific
 version or configuration of the application is causing it to require
 additional access. 
 
 Allowing Access:
 
 Sometimes labeling problems can cause SELinux denials. You could try to
 restore
 the default system file context for ./console-kit-daemon,
 
 restorecon -v './console-kit-daemon'
 
 
 Additional Information:
 
 Source Context
 system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
 Target Contextsystem_u:object_r:consolekit_exec_t:s0
 Target Objects./console-kit-daemon [ file ]
 Sourcedbus-daemon-lau
 Source Path   /lib/dbus-1/dbus-daemon-launch-helper
 Port  Unknown
 Host  localhost.localdomain
 Source RPM Packages   dbus-1.2.4-1.fc10
 Target RPM Packages   
 Policy RPMselinux-policy-3.5.13-18.fc10
 Selinux Enabled   True
 Policy Type   targeted
 MLS Enabled   True
 Enforcing ModeEnforcing
 Plugin Name   catchall_file
 Host Name localhost.localdomain
 Platform  Linux localhost.localdomain
 2.6.27.5-117.fc10.i686
   #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
 i686
 Alert Count   35
 First SeenThu 15 Jan 2009 03:45:37 PM PST
 Last Seen Thu 15 Jan 2009 03:47:19 PM PST
 Local ID  a0430578-0415-40c9-ac4e-b9f86d3b479c
 Line Numbers  
 
 Raw Audit Messages
 
 node=localhost.localdomain type=AVC msg=audit(1232063239.982:58): avc:
 denied  { execute } for  pid=3010 comm=dbus-daemon-lau
 name=console-kit-daemon dev=dm-0 ino=54362144
 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:consolekit_exec_t:s0 tclass=file
 
 node=localhost.localdomain type=SYSCALL msg=audit(1232063239.982:58):
 arch=4003 syscall=11 success=no exit=-13 a0=8f08e48 a1=8f08dc8
 a2=8f08008 a3=2d09bc items=0 ppid=3009 pid=3010 auid=4294967295 uid=0
 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
 ses=4294967295 comm=dbus-daemon-lau
 exe=/lib/dbus-1/dbus-daemon-launch-helper
 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
 
 ###
 ### The restorecon mentioned returned an error that the file doesn't 
 ### exist.
 
 //
 /** second
 
 Summary:
 
 SELinux is preventing plymouthd from creating a file with a context of
 unlabeled_t on a filesystem.
 
 Detailed Description:
 
 SELinux is preventing plymouthd from creating a file with a context of
 unlabeled_t on a filesystem. Usually this happens when you ask the cp
 command to
 maintain the context of a file when copying between file systems, cp
 -a for
 example. Not all file contexts should be maintained between the file
 systems.
 For example, a read-only file type like iso9660_t should not be placed
 on a r/w
 system. cp -P might be a better solution, as this will adopt the
 default file
 context for the destination.
 
 Allowing Access:
 
 Use a command like cp -P to preserve all permissions except SELinux
 context.
 
 Additional Information:
 
 Source Contextsystem_u:object_r:unlabeled_t:s0
 Target Contextsystem_u:object_r:fs_t:s0
 Target Objectsforce-display-on-active-vt [ filesystem ]
 Sourceplymouthd
 Source Path   Unknown
 Port  Unknown
 Host  localhost.localdomain
 Source RPM Packages   
 Target RPM Packages   
 Policy RPMselinux-policy-3.5.13-18.fc10
 Selinux Enabled   True
 Policy Type   targeted
 MLS Enabled   True
 Enforcing ModeEnforcing
 Plugin Name   filesystem_associate
 Host Name localhost.localdomain
 Platform  Linux localhost.localdomain
 2.6.27.5-117.fc10.i686
   #1 SMP Tue Nov 18 12:19:59 EST 2008 i686
 i686
 Alert Count   1
 First SeenThu 15 Jan 2009 03:45:42 PM PST
 Last Seen Thu 15 Jan 2009 03:45:42 PM PST
 Local ID  

Re: VMware Server 2.0, selinux, and F10

2009-01-06 Thread Daniel J Walsh

Christopher A. Williams wrote:
 I had promised to do this and post my results a week ago and got
 thoroughly tied up over the holidays - sorry about that. It was a good
 Christmas for us though! :)
 
 So - I did get around to loading up a server with the latest version of
 F10 (32-bit in this case) to run the 32-bit version of VMware Server 2.0
 (build 122956) to try and answer the burning question: Does selinux need
 to be disabled for VMware Server to run properly on F10?
 
 I know the impatient out there can't wait to read the whole post, so
 here's the answer:
 
 Yes.
 
 According to our testing (a friend of mine who also frequents this list
 was here too), the current version of VMware Server DOES NOT RUN on F10
 (32-bit) unless selinux is DISABLED. Permissive mode doesn't cut it - it
 still causes VMware Server to not run.
 
 Here are the details:
 Server: Whitebox Supermicro 1U chassis, dual 2.4GHz Pentium Xeon
 processors, 4GB RAM, Dual Gig-E NICs, dual 250GB IDE drives
 
 OS: F10 32-bit, with all patches as of 12-28-08
 Kernel: 2.6.27.9-159.fc10 (PAE version - required to see the full 4GB)
 
 We loaded a fresh copy F10 with all of the required development tools
 and supporting stuff VMware Server needs to compile, and left selinux in
 its default (enforcing) mode and targeted policy. The system was
 intentionally updated with all of the latest available patches. After
 rebooting (kernel update that included a switch to the PAE kernel), we
 then installed VMware Server from the RPM via Package Kit. The initial
 RPM install went as expected with no errors or issues beyond the warning
 that the RPM is not signed (Request to VMware: Please, PLEASE make sure
 that you always sign your RPMs!).
 
 Next up was to configure the system. We fired up a terminal window,
 switched user to root, and then launched vmware-config.pl as normal. The
 script properly found everything it needed, set up the virtual networks,
 and compiled all of the modules against the PAE kernel with no errors at
 all. All of the services reported in as having started successfully when
 the script exited, which was when the trouble started.
 
 We immediately picked up an selinux error saying that one of the modules
 required the ability to use text relocation. No big deal here, which is
 why I don't remember off hand which module committed the offense. I'll
 go back and pull it up next chance - I'm on a different system right
 now. The selinux troubleshooter gave us the required command to address
 this issue, so we fixed the problem and off we went.
 
 ...Or so we thought.
 
 It seems that something else in selinux is interfering with a new VMware
 Server 2.0 service called VirtualMachines. I'm not sure what the problem
 is, how it happens, or why. What happens is that you can launch Firefox
 to talk to VMware server (http://localhost:8222 in this case) and get
 the VMware Server login page. However, from there you are unable to
 login. The system times out with a message basically saying that
 communication with the back-end server processes has been lost. Further
 checking (service vmware status) shows that several VMware Server
 services are actually NOT running.
 
 Upon trying to restart the vmware services (service vmware restart), we
 see that the VirtualMachines service has failed. There are no errors I
 can see, and nothing in dmesg out of the ordinary.
 
 Next, we placed selinux into permissive mode to see if anything might
 pop up or change, and then rebooted the system. We saw exactly the same
 behavior from VMware Server as before when selinux was in enforcing
 mode.
 
 Finally, we disabled selinux altogether and rebooted once more. This
 time, VMware Server came up and ran flawlessly. In fact, it was
 impressively fast given the age of the hardware.
 
 Just for grins, we then completely erased VMware Server, rebooted, and
 double-checked to make sure everything about it was completely gone from
 the system. We then re-installed it using the exact same procedure as
 before. VMware Server installed and ran flawlessly. In fact, just to be
 sure again, we rebooted the server one more time. Again VMware Server
 came up and ran without issues.
 
 Thus, in our testing of this, it is clear there are multiple issues with
 VMware Server and selinux. One of the issues is that a specific module
 requires text relocation, which is easily solved. The other issue is
 going to be a little more difficult to troubleshoot, but clearly there
 is something that conflicts between selinux and one of the new VMware
 Server services, and the only way to get around it at this point is to
 disable selinux.
 
 I'll have the system handy for the next day or so to do some additional
 testing, but then I have to put it back into production. Let me know
 what specifics I should look for next to find the source of the problem.
 
 Cheers,
 
 Chris
 
 
 
 --
 ==
 By all means 

Re: VMware Server 2.0, selinux, and F10

2009-01-06 Thread Daniel J Walsh

Re: Setting SELinux for vsftpd - SOLVED

2009-01-06 Thread Daniel J Walsh

Mark Haney wrote:
 Mark Haney wrote:
 I've got a server that we use to do speed testing of our upstreams (and
 customers links) using FTP.  This is a fresh F10 install and I'm getting
 what seems to be a very common selinux ftp error (226 Failed to open
 directory). I've googled up a couple of forum posts on how to fix it,
 but most say just to disable selinux.  That I'd not like to do.
 However, one of the options says to do this:

 setsebool -P ftpd_disable_trans 1

 But I get an error:

 [r...@noc5 speedtest]# setsebool -P ftpd_disable_trans 1
 libsemanage.dbase_llist_set: record not found in the database
 libsemanage.dbase_llist_set: could not set record value
 Could not change boolean ftpd_disable_trans
 Could not change policy booleans

 I have seen the GUI method of doing this, but since I don't run X on
 this server that's not much help.  What's the correct method of setting
 selinux up for this?


 
 For anyone who wants to know, the correct option (which, btw, took me
 down deep into google to find) is this:
 
 setsebool -P ftp_home_dir 1
 
 It's amazing to me that this isn't set up by default on a fresh install
 with ftp as one of the installed packages.
 
 
man ftpd_selinux

explains a lot of this.

The reason that this is not on by default is that most ftp sites are
used to share anonymous ftp information, so there is no reason for ftp
to read users' home directories.  This allows us to protect the users'
home directories even if ftp becomes compromised.

You could also take the error output in /var/log/audit/audit.log and
pipe it to audit2why and it should have told you which boolean to set.

Finally if you were running setroubleshoot it might also give you the
right answer.



Re: selinux policy updates - a question

2009-01-05 Thread Daniel J Walsh

Tim wrote:
 On Sun, 2009-01-04 at 12:36 -0800, Mike Cloaked wrote:
 Fairly regularly there are selinux updates that come in during yum
 updates - I presume that nothing gets changed unless a relabel is
 done?  Or am I wrong?
 
 A policy can set what can be done with certain types of file.  i.e. The
 rules can change.  That doesn't involve relabelling a file.
 
 Of course there are other things that can change in an update.  
 
 As I understand it, if a relabel is required, the update will arrange it
 to happen.
 
Yes, updates involve changes to the policy; they almost always involve
additional allow rules.  I strive to never take away privs on updates
within a release.  Usually there are no new confined domains in an update.

The update also does a diff between the current file context file and
the new file context file and runs restorecon on all differences, so
some relabeling can happen.

An update will never change the enforcing mode, or the policy type,  so
if you are permissive you stay permissive, if disabled you stay
disabled,  enforcing stays enforcing.



Re: How to deal with Selinux local packages?

2008-12-22 Thread Daniel J Walsh

Steven Stern wrote:
 Ran a yum update today  that  picked up these pages
 
  selinux-policy  noarch   3.5.13-34.fc10updates   613 k
  selinux-policy-targeted noarch   3.5.13-34.fc10 updates   2.0 M
 
 and saw this:
 
   Updating   : selinux-policy-targeted
  28/104
 libsepol.print_missing_requirements: policy20080911's global
 requirements were not met: type/attribute user_gnome_home_t
 libsemanage.semanage_link_sandbox: Link packages failed
 semodule:  Failed!
 
 The policy 20080911 was something created with audit2allow to work
 around a problem with a prior default selinux policy.
 
 Is there a better way to manage needed local exceptions?
 
This looks like a bug; gnome_home_t is supposed to be an alias of
user_gnome_home_t.  Not sure why you would have gotten this error.



Re: Sound problems with SELinux ?

2008-12-22 Thread Daniel J Walsh

William Case wrote:
 Hi;
 
 This probably more of a frustration question than an eventually solving
 it myself question.
 
 I couldn't get any sound -- I originally thought it was an Adobe Flash
 problem -- until I changed SELinux from enforcing to permissive.  How do
 I make sound available to the user while still using SELinux enforcing?
Check the /var/log/audit/audit.log file for AVC messages.

Is this F10?




Re: F10, VMware Server 2.0, and selinux

2008-12-15 Thread Daniel J Walsh

Christopher A. Williams wrote:
 On Sun, 2008-12-14 at 21:27 -0500, Claude Jones wrote:
 On Sunday 14 December 2008 18:21:44 Christopher A. Williams wrote:
 As to how long this has gone on, it has since F8 and VMware Server
 1.0.x. The only known work-around I am aware of is to disable selinux,
 after which it runs impressively well. It compiles and runs on F9 and
 F10 out of the box with no patches needed.
 Sorry, Christopher, but I am not posting these replies because I'm a VMWare 
 booster. As I stated, my solution may not work for all, but, you are simply 
 misstating things, or not speaking clearly. 
 
 I think you may have misunderstood my point here. As the OP on this
 thread, I asked a question and someone (not you) decided to use that as
 a platform to trash VMware. I thought that was inappropriate. I see the
 problem I'm having with selinux as an inconvenience at this point, but
 would like to know how to fix it.
 
 To repeat, I am currently running VMWare Server version 1.0.7 build-108231; 
 I've been running some version of VMWare server since it was first made 
 available free, on several versions of Fedora including this machine, which is
 on F10; I have another machine right beside it that is running F9 and also
 runs VMWareServer; I do NOT disable selinux on any of my machines, ever,
 except for brief testing purposes; VMWare server has been running all day on
 this machine I'm typing on, and I have a WinXP vm running in it through which
 I run Outlook so I can connect to my company's Exchange 2008 mail server.
 
 I have been running VMware Server since it was originally GSX Server 1.0
 and a for pay product. I've also run VMware Workstation since the
 first public beta of version 1.0 - right up through the latest build of
 6.5 on F10 on the laptop I'm using to write this. Unity, by the way, has
 a few minor flaws, but is otherwise very cool. I'm also a seasoned
 VMware Certified Professional (working on a VCDX), so I think I have a
 bit of qualified experience with these product lines. At least VMware
 seems to think so...
 
 I'm happy to see you have Server 1.0 working with selinux enabled. This
 has never worked for me, and if you follow the VMware community forums
 (maybe where I should have posted this to begin with), you would see
 that I'm not alone in that. With selinux enabled and using a targeted
 policy, VMware Server will refuse to start. Placing selinux in
 permissive mode to try and catch issues produces the same result. No
 errors that I could see/find on it either. If you follow the VMware
 Community threads on this, the acknowledged work-around remains
 disabling selinux.
 
 I occasionally try re-enabling selinux with no luck. I admit I have not
 yet tried that on the latest build of 2.0 on a recently patched F10
 system. That build only came out a couple of weeks ago and I've been
 traveling heavily - there's only so much of me to go around.
 
 I am merely posting this because I consider most of the information in this
 thread to be misleading, which could discourage others. It would be useful if
 you really care, to attempt to run VMWare server on your machine, post the
 errors you get, and get some help - to assert that it won't run because you
 can't get it to run, without explaining your procedures is not helpful.
 
 Sorry you feel that way. In light of what I have written above, your It
 works for me, so it must be something you're doing, statement doesn't
 make the info I have reported misleading. It just means your experience
 has been different (along with your opinion). I have posted this issue
 here and elsewhere before. I also have used some of my connections with
 technical people I know inside of VMware to find more on the problem.
 The answer: disable selinux. As you saw with another post, there is also
 an anti-VMware crowd lurking who then cries foul on VMware rather than
 advocate investigating the problem further. I don't think I have written
 anything that would confuse or discourage someone from trying or using
 VMware products. I certainly have not done so intentionally.
 
 Since you seem to have VMware Server 1.0 working with selinux on F9 and
 F10, perhaps you should post your procedure for loading it. I might be
 able to duplicate that with a 2.0 installation. As also has been
 mentioned, you should seriously consider that VMware Server 1.x is
 reaching EOL, and you really should move to something else shortly.
 
 Outside of the issues with selinux, I repeat that my experiences with
 2.0 have been very positive. It's a major step forward from 1.0 as a
 server based solution.
 
 I repeat that I would personally not recommend it as a _desktop_
 solution - but VMware Server isn't intended for that, and there are
 better desktop alternatives. I'm planning to load up another server with
 F10 and VMware Server 2.0 this weekend. I'll try this with selinux
 enabled again and report back.
 
 

Re: F10, VMware Server 2.0, and selinux

2008-12-12 Thread Daniel J Walsh

Christopher A. Williams wrote:
 I'm just curious - Has anyone made any progress on figuring out why
 VMware Server 2.0 does NOT run on F10 unless selinux is disabled? Even
 running selinux in permissive mode causes VMware Server fits.
 
 This has been this way at least since VMware Server 1.x running on F8. I
 know because I can recall having to fully disable selinux on my VMware
 Server systems for at least that long.
 
 It never seems to have been fixed to this day, and that's a long time
 for such an issue to exist. Is anyone working to resolve it?
 
 Cheers,
 
 Chris
 
Do you have a bugzilla on this?  I am not aware of the problem.


Re: How to get rid of selinux

2008-12-09 Thread Daniel J Walsh

gab_v wrote:
 Dear all,
 I have a Fedora 9 distr.
 
 I've lot of problem with SELinux, so I want to know how to get rid of it. In 
 particular I am interested NOT in make SELinux status Disabled but to 
 uninstall it. 
 
 I am not sure how to do it, also because I just started working with Linux OS.
 
 How can I do?
 
 I was thinking about 
 doing
 rpm -qa |grep SELinux
 and then 
 rpm -e ...
 
 But will it be enough?
 
 I want to do very safe commands since I need the computer at work.
 
 Thanks in advance
 
 p.s.  
 I said not how to disabled SELinux because I did it once and I did not solve 
 the problem and, after that, I had a block at boot process.
 
 

libselinux is a core library of the Fedora system and some other Linux
distributions; it cannot be removed.  policycoreutils includes the restorecon
command, which is required by several other packages, so it cannot
be removed either.  You should be able to remove the other selinux packages.

yum remove selinux-policy

should remove the policy package, which is the largest package.  We have
not heard of problems with SELinux disabled in years, so if it caused you
problems a while ago, it was probably a very old version of Fedora, or it was
not an SELinux problem in the first place, or you really did not have
SELinux disabled.


Re: Selinux and Firefox

2008-12-09 Thread Daniel J Walsh

Matthew Saltzman wrote:
 On Sun, 2008-12-07 at 20:44 -0600, Mikkel L. Ellertson wrote:
 Jim wrote:
 stan wrote:
 I don't run KDE and SELinux is Greek to me, but what is the error
 message, and does SETroubleshooter (the yellow star) recommend a fix? 
 That will probably help others respond.

 It was the /user/.macromedia directory that was causing Selinux to send
 errors. I ran the recommended command to correct selinux but that didn't
 help, so I just sent the .macromedia directory to the trashcan and it
 regenerated a new .macromedia directory and no more problems with Selinux.

 One thing that can be a problem with the SELinux messages is that
 they usually do not provide the full path to the file you need to
 change the context of - it is usually something like ./file, which
 only works if you are in the correct directory when you try to
 change the context.
 
 It would be nice if the full path were reported, but one can often find
 the relevant file with just a 'locate' and a little common sense
 (your .sig quote notwithstanding).
 
 Mikkel
Yes, sadly this is a kernel issue: the kernel only has an inode at the
time of the AVC and is unable to regenerate the complete path.  You can
turn on full auditing, but this hits you with a 5% performance penalty,
which is not considered worth it.




Re: Openvpn and Selinux

2008-12-03 Thread Daniel J Walsh

Zoltan Kota wrote:
 Hi,
 
 In my F10 installation selinux seems to prevent openvpn from working. After
 connecting, openvpn wants to modify /etc/resolv.conf, which is not
 allowed I think.
 
 I start openvpn by the command
 
 [EMAIL PROTECTED] /etc/init.d/openvpn start
 
 and I get selinux messages like this:
 
 ---
 Summary:
 SELinux is preventing cp (openvpn_t) write to ./etc (etc_t).
 Detailed Description:
 SELinux is preventing cp (openvpn_t) write to ./etc (etc_t). The SELinux type
 etc_t is a generic type for all files in the directory and very few processes
 (SELinux Domains) are allowed to write to this SELinux type. This type of denial
 usually indicates a mislabeled file. By default a file created in a directory
 gets the context of the parent directory, but SELinux policy has rules about
 the creation of directories, that say if a process running in one SELinux Domain
 (D1) creates a file in a directory with a particular SELinux File Context (F1)
 the file gets a different File Context (F2). The policy usually allows the
 SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for
 some reason a file (./etc) was created with the wrong context, this domain will
 be denied. The usual solution to this problem is to reset the file context on
 the target file, restorecon -v './etc'. If the file context does not change from
 etc_t, then this is probably a bug in policy. Please file a bug report
 (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
 package. If it does change, you can try your application again to see if it
 works. The file context could have been mislabeled by editing the file or moving
 the file from a different directory; if the file keeps getting mislabeled, check
 the init scripts to see if they are doing something to mislabel the file.
 
 Allowing Access:
 You can attempt to fix file context by executing restorecon -v './etc'
 Fix Command:
 restorecon './etc'
 Additional Information:
 Source Context                unconfined_u:system_r:openvpn_t:s0
 Target Context                system_u:object_r:etc_t:s0
 Target Objects                ./etc [ dir ]
 Source                        cp
 Source Path                   /bin/cp
 Port                          Unknown
 ...
 -
 Summary:
 SELinux is preventing dns.up (openvpn_t) write to ./resolv.conf 
 (net_conf_t).
 Detailed Description:
 SELinux denied access requested by dns.up. It is not expected that this access
 is required by dns.up and this access may signal an intrusion attempt. It is
 also possible that the specific version or configuration of the application is
 causing it to require additional access.
 
 Allowing Access:
 Sometimes labeling problems can cause SELinux denials. You could try to restore
 the default system file context for ./resolv.conf,
 
 restorecon -v './resolv.conf'
 
 If this does not work, there is currently no automatic way to allow this access.
 Instead, you can generate a local policy module to allow this access - see FAQ
 (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
 SELinux protection altogether. Disabling SELinux protection is not recommended.
 Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
 against this package.
 
 Additional Information:
 Source Context                unconfined_u:system_r:openvpn_t:s0
 Target Context                system_u:object_r:net_conf_t:s0
 Target Objects                ./resolv.conf [ file ]
 Source                        dns.up
 Source Path                   /bin/bash
 Port                          Unknown
 ...
 -
 Summary:
 SELinux is preventing dns.up (openvpn_t) write openvpn_t.
 
 Detailed Description:
 SELinux denied access requested by dns.up. It is not expected that this access
 is required by dns.up and this access may signal an intrusion attempt. It is
 also possible that the specific version or configuration of the application is
 causing it to require additional access.
 
 Allowing Access:
 You can generate a local policy module to allow this access - see FAQ
 (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
 SELinux protection altogether. Disabling SELinux protection is not 
 recommended.
 Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
 against this package.
 
 Additional Information:
 Source Context                unconfined_u:system_r:openvpn_t:s0
 Target Context                unconfined_u:system_r:openvpn_t:s0
 Target Objects                pipe [ fifo_file ]
 Source                        dns.up
 Source Path                   /bin/bash
 Port                          Unknown
 ...
 -
 Summary:
 SELinux is preventing cut (openvpn_t) getattr openvpn_t.
 
 Detailed Description:
 SELinux denied access requested by cut. It is not expected that this access is
 required by cut and this access may signal an intrusion attempt. It 

Re: IcedTea Firefox and SELinux

2008-12-02 Thread Daniel J Walsh

insidepowe wrote:
 I have the java applet not initialized problem also and have solved it.
 
 I think there is a conflict between jre java-plugin and IcedTea plugin. so I 
 removed IcedTea and java applet is now working. 
 
 1. Download jre-6u1-linux-i586.bin
 2. su--pwd--mv jre-6u1-linux-i586.bin to /usr/local
 3. chmod a+x jre-6u1-linux-i586.bin
 4. verify permissions: ls -l
 5. ./jre-6u1-linux-i586.bin
 6. Do you agree? Yes.--Done
 7. It's installed under: /usr/local/jre1.6.0_01
 8. cd ../lib/firefox-1.5.0.10/plugins/
 9. ln -s 
 /usr/local/jre1.6.0_01/plugin/i386/ns7/libjavaplugin_oji.so
 10.Edit  Preferences. Under Advanced category 
 Select Enable Java
 
 --delete ICedTea plugin (having conflict with Java Plugin)
 
 I got this help from a forum but forget the source. 
 
 p/s: use about :plugins to check what plugin has been loaded in firefox
 
 hope this help  :-)
 
 
If you update to the latest selinux-policy and run restorecon -R -v
/home, it should fix the labeling on .icedteaplugin,
which is causing the selinux problems.  These problems are being caused by
the defaulting of allow_unconfined_nsplugin_transition to on.

This is confining the nsplugin to a limited number of directories in
your homedir.  If you do not want nsplugin confined, you can turn off
the boolean by executing

# setsebool -P allow_unconfined_nsplugin_transition 0


Re: Problems with kdm in F10 (solved - SELinux issues)

2008-12-02 Thread Daniel J Walsh

Marcelo Magno T. Sales wrote:
 Em Dom 30 Nov 2008, Rex Dieter escreveu:
 Marcelo Magno T. Sales wrote:
 Em Dom 30 Nov 2008, Marcelo Magno T. Sales escreveu:
 People,

 I've just installed F10 and have fully updated the system.
 When I replace gdm with kdm, I can only log in to KDE using the
 root account. When I try to log in using a regular user account, I
 get the following error message:
 Cannot enter home directory. Using /.
 When I click ok, I get this other one:
 Could not start kstartupconfig4. Check your installation.

 If I revert to gdm, everything is fine again. What may be causing
 this problem?

 Also, user photos are not shown in kdm. The default image is
 displayed for every user, despite they all have their photos
 configured since before F10 was installed. I did a fresh install
 of F10 (didn't upgrade from F9), but the /home file system was not
 modified. The user photos still appear in Kickoff. KDM was
 configured with System Configuration to show preferentially the
 user photos and use the default image only if users have not
 provided their own photos. Why aren't the user photos displayed in
 kdm?
 Both problems were solved when SELinux was disabled. Now I'm
 counting 5 weird problems solved by disabling SELinux.
 That's not really a solution, just a workaround.
 
 Indeed, but that's the only way I could find to make it work.
 
 Odd, I can't reproduce either problem with SELinux enabled.  I'd
 venture it's either a geniuine selinux issue (mislabelling) or a
 local configuration, or some combination of the 2.
 
 It's possible, I've been using this home directories since FC3. Maybe 
 there's some old garbage in the users dirs that is causing the problem.
 
 Does setroubleshoot highlight anything out of the ordinary?
 
 I didn't get any warning. But would it function at the kdm login screen? 
 Don't I have to be already logged in to get setroubleshoot warnings?
 
 []'s
 Marcelo
 
Try running

restorecon -R -v /home



Re: Kismet and SELinux

2008-11-12 Thread Daniel J Walsh

Mike Cloaked wrote:
 I am running an F9 system with SELinux enabled on a laptop.
 I recently installed kismet (yum install kismet) to check local wireless
 channels so I can ensure my AP does not conflict with other boxes nearby.
 
 I made the usual mods to the config files to set up sources etc and change
 the suiduser but when I try to run kismet as root (in exactly the same way
 as previously on boxes with SElinux disabled), I get an avc denial and on
 the terminal I get:
 FATAL: Could not open SSID track file '/home/mike/ssid_map': permision
 denied.
 
 The SELinux denial contains a Summary:
 SELinux is preventing the kismet_server from using potentially mislabeled
 files (./ssid_map).
 
 It suggested using restorecon but this makes no difference. The context
 remains as previously:
 system_u:object_r:user_home_t:s0
 I removed the file and tried again but kismet won't start if the file is
 absent. 
 
 I also tried to use chcon to set the context for this file - and this also
 makes no difference - at least with the contexts I tried for kismet_log_t
 and kismet_t is not permitted.
 
 Can anyone suggest how I might work around this?
kismet is not allowed to read files in the home directory, so you
either need to move the ssid_map to a directory which kismet can read or
modify policy to allow kismet to read the homedir.

/var/lib/kismet is probably a better location.

Or modify local policy with

# grep kismet /var/log/audit/audit.log | audit2allow -M mykismet
# semodule -i mykismet.pp


Re: F9 cannot boot without selinux=0

2008-11-06 Thread Daniel J Walsh

Vandaman wrote:
 My Fedora 9 box cannot boot without selinux=0. It was a nightmare 
 doing a http install only to find it was referring to non-existent 
 selinux  policy files. I booted by selinux=0 and then a yum update 
 solved some of the problems but now it cannot boot without selinux=0.
 
 [EMAIL PROTECTED] ~]$ rpm -qa | grep selinux
 libselinux-python-2.0.67-4.fc9.i386
 selinux-policy-devel-3.3.1-103.fc9.noarch
 libselinux-2.0.67-4.fc9.i386
 selinux-policy-3.3.1-103.fc9.noarch
 
 Regards,
 Vandaman.
 
 
   
 
You are missing the selinux-policy-targeted package

yum install selinux-policy-targeted
Enable SELinux
reboot, it should relabel, you might need to do this in permissive mode.




PolicyKit Proliferation is a Security Disaster in the making.

2008-11-06 Thread Daniel J Walsh

Currently I am aware of at least 4 PolicyKit apps in Fedora 10 with a
lot more on the way.  I believe we are not treating these as the
security vulnerability that they represent.  Now I do NOT believe there
is anything wrong with PolicyKit itself.  The problem is in the apps
that are using it.

Let's take a look at system-config-services.  This service comes up and
prompts me for the root password before I start and stop a service. That
is good, works just like it did when system-config-services used
consolehelper.   Except for one problem: it defaults to a clicked
"Remember authorization", meaning the next time I run
system-config-services it will NOT prompt for the password.  Now there
is a check box for "This session only", but it is defaulted to off also.

So this means that I clicked "Start A service", entered the root
password and took the default.  Now any process on my desktop has the
ability to start and stop any service on my machine without me even
knowing about it.  There also might be a bug in
system-config-services' communications with dbus that would allow me to
spawn a root shell.

This is the equivalent of, or worse than, a setuid app, and yet we do nothing
to control the proliferation of these apps, while we shut down all apps
that setuid.

All PolicyKit apps that require the Admin Password should default to
"For this Session Only", and potentially for this action only.
Consolekit only preserved the authentication for 5 minutes, by default;
now we preserve it forever by default.  The argument can be made that
consolehelper used to be allowed to permanently save the user being
allowed, but this involved an admin editing a file and probably a better
understanding of what he is doing.

SELinux can help a little to mitigate the risk but SELinux is not going
to be running everywhere.   And for something like
system-config-services, SELinux can do almost nothing since the tool
needs to start and stop all services which is a pretty high level of
security.

Fedora Security team should be looking at all packages that get
PolicyKit integration to make sure they are secure, have the correct
PolicyKit authorization, and a security check should be put on the
service side of the app.   I think we should write lint apps to look at
PolicyKit specifications and look for vulnerable xml policy.  Rpmlint
and RPMDiff should run this to make sure apps are secure by default.



--
Fedora-security-list mailing list
Fedora-security-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-security-list
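The post asks for a lint that reads PolicyKit policy specifications and flags the "remember forever" defaults it complains about. The script below is an added example of such a lint, not code from Fedora, PolicyKit, rpmlint or RPMDiff. It assumes the PolicyKit 0.x .policy layout (a policyconfig root with action elements, each carrying a defaults element with allow_any, allow_inactive and allow_active children) and that version's authorization keywords (yes, no, auth_self, auth_admin and their _keep_session / _keep_always variants). The sample policy and its org.example action ids are constructed for the example.

```python
"""Lint PolicyKit .policy files for default authorizations that are too
permissive, and rewrite "keep forever" defaults to "this session only".

Added example of the kind of lint the post calls for; not part of Fedora,
PolicyKit, rpmlint or RPMDiff.  Assumes the PolicyKit 0.x file layout and
authorization keywords.  The action ids in SAMPLE_POLICY are made up.
"""
import sys
import xml.etree.ElementTree as ET

# Default-authorization keywords the lint objects to (assumed PolicyKit 0.x names).
WEAK_DEFAULTS = {
    "yes": "granted with no authentication at all",
    "auth_admin_keep_always": "admin password remembered forever (the post's complaint)",
    "auth_self_keep_always": "user password remembered forever",
}
SCOPES = ("allow_any", "allow_inactive", "allow_active")

# Constructed sample: a services tool whose admin authorization is kept forever,
# a read-only action that needs no authentication, and one with a sane default.
SAMPLE_POLICY = """\
<policyconfig>
  <action id="org.example.services.manage">
    <description>Start and stop system services</description>
    <message>Authentication is required to start or stop a service</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_always</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.list">
    <description>List system services</description>
    <message>Authentication is required to list services</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.services.restart">
    <description>Restart a system service</description>
    <message>Authentication is required to restart a service</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
</policyconfig>
"""


def lint_policy(xml_text):
    """Return (action_id, scope, value, reason) for every weak default found."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        action_id = action.get("id", "<no id>")
        defaults = action.find("defaults")
        if defaults is None:
            findings.append((action_id, "defaults", "", "no <defaults> element"))
            continue
        for scope in SCOPES:
            node = defaults.find(scope)
            # A missing element is treated as "no", the safe default.
            value = (node.text or "").strip() if node is not None else "no"
            if value in WEAK_DEFAULTS:
                findings.append((action_id, scope, value, WEAK_DEFAULTS[value]))
    return findings


def harden_policy(xml_text):
    """Rewrite *_keep_always defaults to *_keep_session ("this session only")."""
    root = ET.fromstring(xml_text)
    for defaults in root.iter("defaults"):
        for scope in SCOPES:
            node = defaults.find(scope)
            if node is not None and (node.text or "").strip().endswith("_keep_always"):
                node.text = node.text.strip().replace("_keep_always", "_keep_session")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: policykit_lint.py /usr/share/PolicyKit/policy/*.policy
    # With no arguments it lints the constructed sample above.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_POLICY)]
    bad = 0
    for name, text in sources:
        for action_id, scope, value, reason in lint_policy(text):
            print(f"{name}: {action_id}: {scope}={value}: {reason}")
            bad += 1
    sys.exit(1 if bad else 0)
```

On the sample, lint_policy reports the manage action's auth_admin_keep_always and the three "yes" defaults of the list action; the restart action's auth_admin_keep_session passes. A "yes" on a genuinely read-only action may be acceptable, so the lint reports it and leaves the decision to the reviewer rather than rewriting it, while harden_policy only downgrades the keep_always variants, which is the default change the post argues for.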


Re: selinux question(s) (/home really = /n/home..)

2008-11-05 Thread Daniel J Walsh
 build from my kickstart is finishing updating
 right now (had to add oddjob/turn it on by default). Once its done I'll send
 what info I can.

 Before i was getting an selinux alert/error, but i generated and loaded a
 local policy, which took care of the selinux alert, but still didn't fix
 xguest (it just bouces back out to GDM).

 More coming soon. Thanks for all the help!



 On Tue, Nov 4, 2008 at 1:54 PM, Daniel J Walsh [EMAIL PROTECTED] wrote:

 Matt Nicholson wrote:
 Right, that did it (after i started the oddjobd service, that is).

 Now, the original reason i turned selinux back on was to use
 xguest... sadly, this isn't working still...

 Why not?  Are you fully up2date?
 
 xguest should be working on F9 and F10 right now.
 
 SNIP




I don't think you have all the packages that are in the final release of
F10.  Since the AVC you are talking about is fixed and the libxcb
package should be there also.

selinux-policy-3.5.13-11.fc10
libxcb-1.1.91-5.fc10


Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Daniel J Walsh

Matt Nicholson wrote:
 So, I have an environment, where we pull user data/auth from ldap/kerberos
 for a bunch of fedora workstations. I would love to have selinux turned on
 on these, but, right now it just doesn't work with our setup.
 
 See, your users' home directories are in a few different places. for the most
 part, LDAP thinks their home is at /n/home, or /n/data/home. So, i have /home
 bind mounted to those locations, and, with selinux off, its all nice and
 happy. Another weird thing, is that /home is local on these workstations, so
 when a user sits at a workstation for the first time, an empty homedir must
 be created. We hope to move to nfs /home soon, but not yet.
 
Can you look at using pam_oddjob_mkhomedir rather than pam_mkhomedir

yum install oddjob\*

Should fix the problem.

 once i turn it on, however, users cannot log in, and the home directories
 cannot be created. I get selinux messages like:
 
 Summary:
 
 SELinux is preventing sshd (sshd_t) create to ./nichols2 (home_root_t).
 
 Detailed Description:
 
 SELinux denied access requested by sshd. It is not expected that this access is
 required by sshd and this access may signal an intrusion attempt. It is also
 possible that the specific version or configuration of the application is
 causing it to require additional access.
 
 Allowing Access:
 
 Sometimes labeling problems can cause SELinux denials. You could try to restore
 the default system file context for ./nichols2,
 
 restorecon -v './nichols2'
 
 If this does not work, there is currently no automatic way to allow this access.
 Instead, you can generate a local policy module to allow this access - see FAQ
 (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
 SELinux protection altogether. Disabling SELinux protection is not recommended.
 Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
 against this package.
 
 Additional Information:
 
 Source Context        system_u:system_r:sshd_t:s0-s0:c0.c1023
 Target Context        system_u:object_r:home_root_t:s0
 Target Objects        ./nichols2 [ dir ]
 Source                sshd
 Source Path           /usr/sbin/sshd
 Port                  Unknown
 Host                  dhcp-0016533596-c5-74
 Source RPM Packages   openssh-server-5.1p1-2.fc9
 Target RPM Packages
 Policy RPM            selinux-policy-3.3.1-103.fc9
 Selinux Enabled       True
 Policy Type           targeted
 MLS Enabled           True
 Enforcing Mode        Enforcing
 Plugin Name           catchall_file
 Host Name             dhcp-0016533596-c5-74
 Platform              Linux dhcp-0016533596-c5-74 2.6.26.6-79.fc9.i686
                       #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
 Alert Count           1
 First Seen            Tue Nov  4 10:49:41 2008
 Last Seen             Tue Nov  4 10:49:41 2008
 Local ID              803e925f-1d6e-4473-9054-dbaf0c0f3abd
 Line Numbers
 
 Raw Audit Messages
 
 host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:
 denied  { create } for  pid=4956 comm=sshd name=nichols2
 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
 
 host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89):
 arch=4003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4
 a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0
 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd
 exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
 
 That's for an ssh login attempt. I get the same for one via GDM. I've tried
 adding context=system_r:object_r:home_root_t when I bind mount the /home
 on /n/home etc., and no luck so far. Do I need to relabel /n? What/how
 should I? Any help would be awesome.
 
 Thanks,
 
 Matt
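As an added example for this thread (not code from the fedora-list posts, from Fedora or from setroubleshoot), the script below re-joins the wrapped "Raw Audit Messages" quoted above into whole records, pulls the source type, target type, object class and permissions out of each AVC, and flags the pattern Matt hit: a login daemon domain such as sshd_t trying to create a directory under home_root_t, which is a PAM mkhomedir running inside the daemon's own domain, the case Dan's pam_oddjob_mkhomedir suggestion addresses (oddjobd performs the mkdir in its own domain). The LOGIN_DAEMON_TYPES set and the wording returned by explain() are my assumptions for the example; the sample audit text is the thread's own two records, constructed here as pasted.

```python
"""Summarise raw SELinux AVC denials like the one pasted in the thread.

Added example (not the thread's, Fedora's or setroubleshoot's code).
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the two audit records from the thread, wrapped as pasted.
SAMPLE_AUDIT = """\
host=dhcp-0016533596-c5-74 type=AVC msg=audit(1225813781.838:89): avc:
denied  { create } for  pid=4956 comm=sshd name=nichols2
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:home_root_t:s0 tclass=dir

host=dhcp-0016533596-c5-74 type=SYSCALL msg=audit(1225813781.838:89):
arch=4003 syscall=39 success=no exit=-13 a0=b9b4f058 a1=1ed a2=8209e4
a3=b9b7d230 items=0 ppid=2341 pid=4956 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd
exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
"""

# Domains that handle interactive logins and so run the PAM session stack.
# Assumed set for this example; extend it to match the policy on the box.
LOGIN_DAEMON_TYPES = {"sshd_t", "xdm_t", "local_login_t"}

_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted (newer audit) or bare (as in the thread).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_records(text: str) -> List[str]:
    """Re-join records that were wrapped onto several lines when pasted.

    A record starts at a line beginning with 'host=' or 'type='; any other
    non-blank line is a continuation of the previous record.
    """
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("host=", "type=")) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def _type_of(context: Optional[str]) -> Optional[str]:
    """Return the type (third field) of a user:role:type[:level] context."""
    if context is None:
        return None
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(record: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record; returns None for non-AVC records (SYSCALL, ...)."""
    m = _AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": _type_of(fields.get("scontext")),
        "target_type": _type_of(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
    }


def parse_audit(text: str) -> List[Dict[str, object]]:
    """All AVC records found in a pasted audit excerpt."""
    return [a for a in map(parse_avc, join_records(text)) if a is not None]


def explain(avc: Dict[str, object]) -> str:
    """One-line diagnosis; the home_root_t case is the one from the thread."""
    if (avc["source_type"] in LOGIN_DAEMON_TYPES
            and "create" in avc["perms"]
            and avc["tclass"] == "dir"
            and avc["target_type"] == "home_root_t"):
        return ("login daemon is creating the home directory itself: "
                "use pam_oddjob_mkhomedir (and start oddjobd) instead of pam_mkhomedir")
    return "not a known pattern: check with sesearch/audit2allow before allowing"


if __name__ == "__main__":
    for avc in parse_audit(SAMPLE_AUDIT):
        print(f"{avc['source_type']} {avc['result']} {{ {' '.join(avc['perms'])} }} "
              f"on {avc['tclass']} {avc['name']!r} ({avc['target_type']}): {explain(avc)}")
```

The point of extracting the source type, target type, class and permission triple rather than feeding the whole log to audit2allow is that it lets you recognise "the wrong domain is doing the work" cases like this one, where the right fix is to move the work to a helper with its own domain, not to add an allow rule to sshd_t.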



Re: selinux question(s) (/home really = /n/home..)

2008-11-04 Thread Daniel J Walsh

Matt Nicholson wrote:
 Right, that did it (after I started the oddjobd service, that is).
 
 Now, the original reason I turned SELinux back on was to use
 xguest... sadly, this isn't working still...
 
Why not?  Are you fully up2date?

xguest should be working on F9 and F10 right now.

SNIP