Re: security_bounded_transition

2017-11-06 Thread Stephen Smalley
ms=2 ppid=20592 pid=20593 auid=0 uid=109 gid=65534 euid=109 > suid=109 fsuid=109 egid=65534 sg > id=65534 fsgid=65534 tty=pts1 ses=1 comm="dpkg" exe="/usr/bin/dpkg" > subj=root:sysadm_r:apt_t:s0-s0:c0.c1023 key=(null) > type=SELINUX_ERR msg=audit(1509791421.220:2221

Re: security_bounded_transition

2017-11-04 Thread Christian Göttsche via Selinux
0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(1509791421.220:2221): op=security_bounded_transition seresult=denied oldcontext=root:sysadm_r:apt_t:s0-s0:c0.c1023 newcontext=root:sysadm_r:dpkg_t:s0-s0:c0.c1023 type=AVC msg=audit(1509791421.220:2221): avc: denied { nnp_transition } for pid=205

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Stephen Smalley
ausearch -m SELINUX_ERR,AVC -ts recent > > time->Mon May 22 15:03:56 2017 > > type=PROCTITLE msg=audit(1495479836.876:5483): > > proctitle=2F62696E2F7368002F7661722F772F6367692D62696E2F666F6F2 > > E6 > > 36 > > 769 > > type=PATH msg=audit(14954798

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Stephen Smalley
tem=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin" type=EXECVE msg=audit(1495479836.876:5483): a

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Stephen Smalley
On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote: > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift com> wrote: > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote: > > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote: > > > > Hi, running latest

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Chris O'Neil
# >> > ### >> > # With enforcement enabled ... CGI script fails, all you find is a >> > # single deny in /var/log/audit/audit.log >> > # >> > ### >> > >> > # sete

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Dominick Grift
url localhost/cgi-bin/ok.cgi > > > OK > > > > > > > > > # > > > ### > > > # With enforcement enabled ... CGI script fails, all you find is a > > > # single deny in /var/log/audit/au

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Stephen Smalley
On Mon, 2017-05-22 at 20:23 +0200, Dominick Grift wrote: > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote: > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote: > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue > > > related > > > to Apache httpd that I

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Dominick Grift
# > > ### > > > > # setenforce 1 > > # systemctl restart httpd.service > > > > # getenforce > > Enforcing > > > > $ curl localhost/cgi-bin/ok.cgi > > 500 Server ErrorServer > > Er

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Stephen Smalley
> # > ### > > # setenforce 1 > # systemctl restart httpd.service > > # getenforce > Enforcing > > $ curl localhost/cgi-bin/ok.cgi > 500 Server ErrorServer > Error > > # tail /v

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Dominick Grift
be safe ... no luck ... same problem as before, same > message in /var/log/audit/audit.log. Also tried changing the value from > "Yes" to "No" and rebooting, that didn't help. Yes that only applies to systemd-importd (which I suppose no one uses at least not w

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Chris O'Neil
. $ curl localhost/cgi-bin/ok.cgi 500 Server ErrorServer Error # tail /var/log/audit/audit.log | grep denied type=SELINUX_ERR msg=audit(1495473331.188:183): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0 Confirmed I do

Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Dominick Grift
## > # With enforcement enabled ... CGI script fails, all you find is a > # single deny in /var/log/audit/audit.log > > > # setenforce 1 > # systemctl restart httpd.service > > # getenforce > Enforcing > > $ curl localhost/cgi-bin/ok.cgi >

RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied

2017-05-22 Thread Chris O'Neil
/audit.log # setenforce 1 # systemctl restart httpd.service # getenforce Enforcing $ curl localhost/cgi-bin/ok.cgi 500 Server ErrorServer Error # tail /var/log/audit/audit.log | grep denied type=SELINUX_ERR msg=audit(1495468154.591:121695): op=security_bounded_

Re: security_bounded_transition

2017-04-05 Thread Dominick Grift
On Wed, Apr 05, 2017 at 10:54:08AM -0400, Stephen Smalley wrote: > On Wed, 2017-04-05 at 14:58 +0200, cgzones wrote: > > Hi list, > > > > when running `apt update` I'm getting a bunch of the following > > security_bounded_transition audits: > > > > type=PR

Re: security_bounded_transition

2017-04-05 Thread Stephen Smalley
On Wed, 2017-04-05 at 14:58 +0200, cgzones wrote: > Hi list, > > when running `apt update` I'm getting a bunch of the following > security_bounded_transition audits: > > type=PROCTITLE msg=audit(05/04/17 14:47:20.268:219) : > proctitle=/usr/bin/dpkg --print-foreign-architec

security_bounded_transition

2017-04-05 Thread cgzones
Hi list, when running `apt update` I'm getting a bunch of the following security_bounded_transition audits: type=PROCTITLE msg=audit(05/04/17 14:47:20.268:219) : proctitle=/usr/bin/dpkg --print-foreign-architectures type=PATH msg=audit(05/04/17 14:47:20.268:219) : item=1 name=/lib64/ld-linux-x86

Re: security_bounded_transition fails

2015-12-18 Thread Dominick Grift
> > However the transition fails with audit message > > "op=security_bounded_transition result=denied oldcontext=old_context > > newcontext=new_context". > > > > Is there any policy rule that could be used to fix this or is this just not > > suppor

Re: security_bounded_transition fails

2015-12-18 Thread Dominick Grift
ge- > From: Dominick Grift [mailto:dac.overr...@gmail.com] > Sent: 18 December, 2015 12:45 > To: Hannu Savolainen; selinux@tycho.nsa.gov > Subject: Re: security_bounded_transition fails > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On Fri, Dec 18, 2015 at 1

Re: security_bounded_transition fails

2015-12-18 Thread Stephen Smalley
that it will create a chrooted container and join all threads to a new SELinux context. However the transition fails with audit message "op=security_bounded_transition result=denied oldcontext=old_context newcontext=new_context". Is there any policy rule that could be used to fix this or is

Re: security_bounded_transition fails

2015-12-18 Thread Stephen Smalley
On 12/18/2015 10:05 AM, Dominick Grift wrote: On Fri, Dec 18, 2015 at 11:27:13AM +, Hannu Savolainen wrote: Many thanks, Adding the allow rules seems to be enough (have to verify that one more time next week). Fortunately the typebounds rule doesn't seem to be necessary since it