selinux command line
by Fred J.
Hi
while following the steps to install JRE as per
http://stanton-finley.net/fedora_core_5_installation_notes.html
the instruction which says:
If you have not already done so go to "System" > "Administration" > "Security Level and Firewall". Enter your root password and click "ok". On the "SELinux" tab click on "Modify SELinux Policy", click on "Compatibility" to open it and tick the check box next to "Allow the use of shared libraries with Text Relocation". Click "ok". Reboot your machine to implement the new SELinux policy.
I don't have kde or gnome and neither of the following seems to match what the article is talking about.
# system-config-securitylevel
# system-config-securitylevel-tui
17 years, 7 months
How to build a local (unionfs) policy module for Fedora Core 5 (kernel 2.6.17)?
by Andreas Sachs
Hello,
I'm trying to build a local unionfs policy module for Fedora Core 5 (kernel
2.6.17). SELinux is set to enforcing and the policy type is targeted.
After I mount a union, I get the following in my /var/log/messages
Nov 6 13:34:41 localhost kernel: SELinux: initialized (dev unionfs, type
unionfs), not configured for labeling
I have written a local unionfs policy module:
policy_module(unionfs, 1.0)
require {
type fs_t;
};
fs_use_xattr unionfs system_u:object_r:fs_t;
But I get a syntax error:
Compiling targeted unionfs module
/usr/bin/checkmodule: loading policy configuration from tmp/unionfs.tmp
unionfs.te:8:ERROR 'syntax error' at token 'fs_use_xattr' on line 59102:
fs_use_xattr unionfs system_u:object_r:fs_t;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/unionfs.mod] Fehler 1
How can I do it right?
Thanks
Andreas Sachs
Mounting the news spool
by Davide Bolcioni
Greetings,
while attempting to set up leafnode <http://leafnode.sourceforge.net> I
had a problem with mounting its spool, /var/spool/news:
Sep 14 00:36:11 camelot kernel: audit(1158186712.955:375): avc: denied
{ mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600
scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:news_spool_t:s0 tclass=dir
Using audit2why and then audit2allow I was able to come up with the
following .te policy:
module news 1.0;
require {
class dir mounton;
type mount_t;
type news_spool_t;
role system_r;
};
allow mount_t news_spool_t:dir mounton;
which to my untrained eye looked good. Researching the archives before
writing this, however, I came upon the answer for a similar problem:
https://www.redhat.com/archives/fedora-selinux-list/2006-August/msg00096....
and found out that it would probably have been enough to label the
mount point mnt_t (haven't tried it yet). Assuming it works, how should
I have found out about it ? I tried rpm -qd and found out about the
selinux-policy documentation, but nothing showed up for the targeted
policy. In this context, isn't audit2allow somewhat ... dangerous ?
Or was it just a shortcoming in the leafnode RPM, so I should be looking
at what INN is doing instead ?
Thank you for your consideration,
Davide Bolcioni
--
There is no place like /home.
People running Postfix in FC5 not running Selinux?
by Stephen John Smoogen
I installed a system from the original FC5 disks and updated to latest
versions in yum repos. I changed over to postfix and found that it
wasn't working for some reason.. no errors to /var/log/messages or
/var/log/secure.. and I completely forgot for a day to look at audit.
When my brain turned back on I found that postfix didn't start because
it was trying to use a pam entry that I had put pam_tally.so in.
Whoops. Fixed that.. but postfix still wouldn't start up.
This also showed me that my /etc/services file needed a relabel as I
had put in a more verbose one. So I did a complete system relabel in
case I missed something else.
postfix was able to start email but could not do a mailq
doing a mailq showed me things like
allow postfix_local_t initrc_var_run_t:file { read write };
allow postfix_showq_t initrc_var_run_t:file { read write };
type=AVC msg=audit(1159574724.622:397): avc: denied { read write }
for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870
scontext=system_u:system_r:postfix_local_t:s0
tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean
settings; check boolean settings.
You can see the necessary allow rules by running
audit2allow with this audit message as input.
type=AVC msg=audit(1159574753.636:398): avc: denied { read write }
for pid=2625 comm="showq" name="unix.showq" dev=dm-3 ino=163871
scontext=system_u:system_r:postfix_showq_t:s0
tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean
settings; check boolean settings.
You can see the necessary allow rules by running
audit2allow with this audit message as input.
Not sure what I should do next. Turning off the selinux
selinux-policy-targeted-2.3.7-2.fc5
selinux-policy-2.3.7-2.fc5
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
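Davide's mounton denial above and the two postfix denials in this post both end at the same place: an AVC message, a rule that audit2allow would happily emit, and the question whether that rule is the right fix. As an added example that is not part of either post (and not a Fedora or SELinux tool), the Python script below merges AVC denials into audit2allow-style allow rules and attaches a verdict to each: a denial against a generic target type such as initrc_var_run_t is reported as a probable mislabel (the fix is a relabel, as this post found for /etc/services, not a new rule), and a permission such as mounton or execute is marked for review before anyone commits it. The sample lines are constructed from the denials quoted in the thread, joined onto single lines; the lists of generic types and risky permissions are the example's own assumptions.

```python
"""Triage SELinux AVC denials before turning them into allow rules.

Added example (not from the mailing-list posts): merges denials into
audit2allow-style rules and flags the ones that usually mean "fix the
label" or "think twice" rather than "allow it".
"""
import re
from collections import defaultdict

# Constructed sample input, assembled from the denials quoted in the
# thread (each multi-line syslog record joined onto one line).
SAMPLE_AVCS = [
    'Sep 14 00:36:11 camelot kernel: audit(1158186712.955:375): avc: denied '
    '{ mounton } for pid=1353 comm="mount" name="news" dev=dm-3 ino=65600 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:news_spool_t:s0 tclass=dir',
    'type=AVC msg=audit(1159574724.622:397): avc: denied { read write } '
    'for pid=2621 comm="local" name="unix.local" dev=dm-3 ino=163870 '
    'scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1159574753.636:398): avc: denied { read write } '
    'for pid=2625 comm="showq" name="unix.showq" dev=dm-3 ino=163871 '
    'scontext=system_u:system_r:postfix_showq_t:s0 '
    'tcontext=user_u:object_r:initrc_var_run_t:s0 tclass=file',
    'audit(1159872008.506:10): avc: denied { getattr } for pid=2908 '
    'comm="sendmail" name="root" dev=dm-0 ino=9066497 '
    'scontext=system_u:system_r:system_mail_t:s0 '
    'tcontext=root:object_r:user_home_dir_t:s0 tclass=dir',
    'eth0: no IPv6 routers present',  # not an AVC; must be ignored
]

# Target types that are rarely the right label for a service's own files;
# a denial against them usually means the object was created or left with
# a stale context. Assumed list for this example, not from any SELinux tool.
GENERIC_TARGETS = {"initrc_var_run_t", "var_run_t", "var_t", "var_lib_t",
                   "file_t", "unlabeled_t", "default_t", "tmp_t"}

# Permissions that widen a domain's reach enough to deserve a human look
# before an allow rule is committed. Assumed list for this example.
RISKY_PERMS = {
    "dir": {"mounton", "relabelto", "relabelfrom"},
    "file": {"execute", "execmod", "entrypoint", "relabelto", "relabelfrom"},
    "process": {"ptrace", "execmem", "execstack", "transition"},
    "capability": {"sys_admin", "sys_module", "dac_override", "setuid"},
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """user:role:type[:range] -> type; MLS ranges add colons but the type stays third."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return the pieces of one AVC denial, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "source_type": type_of(fields.get("scontext", "")),
        "target_type": type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
    }


def format_rule(source, target, tclass, perms):
    """audit2allow-style rule text: a single perm bare, several in braces."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{tclass} {body};"


def classify(target_type, tclass, perms):
    """'mislabel' (relabel instead), 'review' (risky perm), or 'ok'."""
    if target_type in GENERIC_TARGETS:
        return "mislabel"
    if perms & RISKY_PERMS.get(tclass, set()):
        return "review"
    return "ok"


def suggest_rules(lines):
    """Merge denials sharing (source, target, class) and attach a verdict to each."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    return [{"rule": format_rule(s, t, c, p), "verdict": classify(t, c, p)}
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for r in suggest_rules(SAMPLE_AVCS):
        print(f"{r['verdict']:9} {r['rule']}")
```

Run against the sample, the mount_t rule comes back as "review" and both postfix rules as "mislabel", which matches what the posts themselves concluded: the news spool case was really a labeling question, and the postfix sockets were carrying a context left over from the init script rather than lacking a rule. Feeding real denials in is a matter of passing the lines of /var/log/audit/audit.log (or /var/log/messages on boxes without auditd) to suggest_rules.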
errors on fedora core 6-test3 updated as of 20061002
by Antonio Olivares
Dear all,
I get the following message(s) when I do a dmesg. I lost connection to the network and I am looking for a solution. Here are the AVCs that I get
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
SELinux: initialized (dev autofs, type autofs), uses genfs_contexts
audit(1159868098.257:4): avc: denied { name_bind } for pid=1890 comm="hpiod" src=2208 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
audit(1159868103.789:5): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1159868103.789:6): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1159868103.789:7): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1159868103.789:8): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
audit(1159868103.789:9): avc: denied { search } for pid=2048 comm="hald" name="irq" dev=proc ino=-268435211 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir
eth0: no IPv6 routers present
audit(1159872008.506:10): avc: denied { getattr } for pid=2908 comm="sendmail" name="root" dev=dm-0 ino=9066497 scontext=system_u:system_r:system_mail_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir
Thanks,
Antonio
prelink, still?
by Tom London
Running latest rawhide, targeted/enforcing.
Policy: selinux-policy-2.3.16-9
I'm still getting:
type=AVC msg=audit(1159700653.385:150): avc: denied { execute } for
pid=7605 comm="ld-linux.so.2" name="spamc" dev=dm-0 ino=5488531
scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023
tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1159700653.385:150): arch=40000003 syscall=192
success=no exit=-13 a0=8048000 a1=7000 a2=5 a3=812 items=0 ppid=7526
pid=7605 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="ld-linux.so.2" exe="/lib/ld-2.4.90.so"
subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1159700653.385:150): path="/usr/bin/spamc"
That expected?
tom
--
Tom London
AVC from Hibernate?
by Tom London
Running today's rawhide, targeted/enforcing.
I believe I got the following attempting to do a 'hibernate'. Does
this make sense (e.g., grub trying to write stage2)?
type=AVC msg=audit(1159816717.165:22): avc: denied { write } for
pid=3422 comm="grub" name="stage2" dev=sda3 ino=10087
scontext=system_u:system_r:bootloader_t:s0
tcontext=system_u:object_r:boot_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1159816717.165:22): arch=40000003 syscall=5
success=no exit=-13 a0=807b747 a1=2 a2=1b6 a3=8c8dc38 items=0
ppid=3405 pid=3422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="grub" exe="/sbin/grub"
subj=system_u:system_r:bootloader_t:s0 key=(null)
tom
--
Tom London
Squid wants to access port 3008
by Darwin H. Webb
Squid is denied access to port 3008 (may be a printer?)
Is this a missing rule or a mis-label or is someone really trying to
dump out ads on the printer?
I run squid with the default conf.
Darwin
question about semodule
by Sandra Rueda
Hello,
I was playing with semodule (trying to understand how it works) so I added
a module. Later I also played with refpolicy and monolithic building
(again trying to understand how it works).
Now I want to delete the module I loaded before and this is the message I
am getting from the system:
# semodule -v -r KnockServer
Attempting to remove module 'KnockServer':
Ok: return value of 0.
Committing changes:
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
semodule -l works fine (apparently) and one of the items in the list is
KnockServer and its version.
Is there any way to know why semodule -r is failing? What argument is
invalid?
I have other questions about modules: what is the relationship between the
modules and the binary policy file installed at
/etc/selinux/(strict|targeted)/policy? Does this file include just base
modules? If so, where are the files for non-base modules stored? Is it
another binary file?
Thanks in advance,
Sandra