Re: logwatch does not show disk usage of partitions mounted in /mnt
by Ron Yorston
Daniel J Walsh wrote:
>Well I am a developer of SELinux policy. The policy I put out yesterday
>will dontaudit this, but now I am thinking it should be allowed.
Please, allow it. What was the rationale for preventing logwatch showing
disk usage of partitions mounted in /mnt anyway?
Ron
18 years, 1 month
Need testers for Modules policy on RHEL4
by Daniel J Walsh
I have back ported the entire selinux tool chain to RHEL4. I have also
attempted to create a modular policy to match RHEL4 policy as closely as
possible.
These packages are out on
ftp://people.redhat.com/dwalsh/SELinux/RHEL4_MODULAR
If anyone wants to play with these and do some testing that would be great.
There is no commitment from Red Hat to ever ship this. But if it is
ever going to ship,
we need to find problems with it now.
So if you have a spare RHEL4 box and want to play with modular policy,
this is your chance.
Thanks,
Dan
18 years, 1 month
Re: rawhide report: 20060330 changes
by Justin Conover
On 3/30/06, Build System <buildsys(a)redhat.com> wrote:
>
> New package xorg-x11-drv-vmmouse
> Xorg X11 vmmouse input driver
>
>
>
> Updated Packages:
>
> bind-30:9.3.2-14.FC6
> --------------------
> * Wed Mar 29 2006 Jason Vas Dias <jvdias(a)redhat.com> - 30:9.3.2-14
> - fix bug 186577: remove -L/usr/lib from libbind.pc and more .spec file
> cleanup
> - add '%doc' sample configuration files in /usr/share/doc/bind*/sample
> - rebuild with new gcc and glibc
>
> ethereal-0.10.14-4.svn.1
> ------------------------
> * Wed Mar 29 2006 Radek Vokál <rvokal(a)redhat.com> 0.10.14-4.svn.1
> - update to latest svn version
> - dumpcap
>
> fedora-release-5.89-rawhide
> ---------------------------
>
> gcc-4.1.0-4
> -----------
> * Tue Mar 28 2006 Jakub Jelinek <jakub(a)redhat.com> 4.1.0-4
> - update from gcc-4_1-branch (-r111697:112431)
> - PRs ada/25885, c/26004, fortran/17298, fortran/20935, fortran/20938,
> fortran/23092, fortran/24519, fortran/24557, fortran/25045,
> fortran/25054, fortran/25075, fortran/25089, fortran/25378,
> fortran/25395, fortran/26041, fortran/26054, fortran/26064,
> fortran/26107, fortran/26277, fortran/26393, fortran/26716,
> fortran/26741, libfortran/21303, libfortran/24903, libgcj/24461,
> libgcj/25713, libgcj/26103, libgcj/26688, libgcj/26706,
> libgfortran/26499, libgfortran/26509, libgfortran/26554,
> libgfortran/26661, libgfortran/26880, libstdc++/26132,
> middle-end/18859, middle-end/19543, middle-end/26557,
> middle-end/26630, other/26489, target/25917, target/26347,
> target/26459, target/26532, target/26607, tree-optimization/26524,
> tree-optimization/26587, tree-optimization/26672
> - fix visibility and builtins interaction (Jason Merrill,
> PR middle-end/20297, #175442)
> - merge gomp changes from trunk (-r112022:112023, -r112250:112251,
> -r112252:112253, -r112350:112351 and -r112282:112283)
> - PRs c++/26691, middle-end/26084, middle-end/26611, c++/26690,
> middle-end/25989
> - support visibility attribute on namespaces (Jason Merrill, PR c++/21764,
> PR c++/19238)
> - use hidden visibility for anonymous namespaces by default (Jason Merrill,
> PR c++/21581)
>
> gnome-pilot-2.0.13-8
> --------------------
> * Wed Mar 29 2006 Than Ngo <than(a)redhat.com> 2.0.13-8
> - rebuilt against pilot-link-0.11.8
>
> gnome-pilot-conduits-2.0.13-4
> -----------------------------
> * Wed Mar 29 2006 Than Ngo <than(a)redhat.com> 2.0.13-4
> - rebuilt against pilot-link-0.11.8
> - don't apply gnome-pilot-conduits-2.0.13-port-to-pilot-link-0.12.patch
>
> iputils-20020927-37
> -------------------
> * Wed Mar 29 2006 Radek Vokál <rvokal(a)redhat.com> - 20020927-37
> - fix ifenslave, shows interface addresses
> - add RPM_OPT_FLAGS to ifenslave
>
> * Sun Mar 12 2006 Radek Vokál <rvokal(a)redhat.com> - 20020927-36
> - fix ifenslave man page (#185223)
>
> jpilot-0.99.8-4
> ---------------
> * Wed Mar 29 2006 Than Ngo <than(a)redhat.com> 0.99.8-4
> - rebuilt against pilot-link-0.11.8
>
> kernel-2.6.16-1.2104_FC6
> ------------------------
> * Wed Mar 29 2006 Dave Jones <davej(a)redhat.com>
> - 2.6.16-git16 & git17
>
> libsepol-1.12.4-1
> -----------------
> * Wed Mar 29 2006 Dan Walsh <dwalsh(a)redhat.com> 1.12.4-1
> - Upgrade to latest from NSA
> * Generalize test for bitmap overflow in ebitmap_set_bit.
>
> logrotate-3.7.3-3
> -----------------
> * Tue Mar 28 2006 Peter Vrabec <pvrabec(a)redhat.com> 3.7.3-3
> - correct man page "extension" option description (#185318)
>
> ncpfs-2.2.6-2
> -------------
> * Wed Mar 29 2006 Martin Stransky <stransky(a)redhat.com> 2.2.6-2
> - removed opt flags (#186683)
>
> openoffice.org-1:2.0.2-5.7.3
> ----------------------------
> * Wed Mar 29 2006 Caolan McNamara <caolanm(a)redhat.com> - 1:2.0.2-5.7
> - rh#186747# TTF fonts converted to Type 1 in print to file ps
>
> * Tue Mar 28 2006 Caolan McNamara <caolanm(a)redhat.com> - 1:2.0.2-5.6
> - more rh#186215#/ooo#63583# accessibility fixes
> - better fallback to english if help is missing
>
> pam_krb5-2.2.8-1
> ----------------
> * Wed Mar 29 2006 Nalin Dahyabhai <nalin(a)redhat.com> - 2.2.8-1
> - don't try to validate creds in a password-changing situation, because the
> attempt will always fail unless the matching key is in the keytab, which
> should never be the case for the password-changing service (#187303,
> rbasch)
> - if v4 has been disabled completely, go ahead and try to set 2b tokens
> because we're going to end up having to do that anyway (#182378)
>
> * Fri Mar 10 2006 Nalin Dahyabhai <nalin(a)redhat.com> - 2.2.7-2
> - fixup man page conflicts in %install
>
> * Wed Mar 08 2006 Bill Nottingham <notting(a)redhat.com> - 2.2.6-2.2
> - don't use paths in man pages - avoids multilib conflicts
>
> pilot-link-2:0.11.8-14
> ----------------------
> * Wed Mar 29 2006 Than Ngo <than(a)redhat.com> 2:0.11.8-14
> - rebuild to get rid of libpisock.so.9
>
> * Wed Mar 29 2006 Than Ngo <than(a)redhat.com> 2:0.11.8-13
> - downgrade to stable release 0.11.8
>
> policycoreutils-1.30.4-1
> ------------------------
> * Wed Mar 29 2006 Dan Walsh <dwalsh(a)redhat.com> 1.30.4-1
> - Update from upstream
> * Merged audit2allow fixes for refpolicy from Dan Walsh.
> * Merged fixfiles patch from Dan Walsh.
> * Merged restorecond daemon from Dan Walsh.
> * Merged semanage non-MLS fixes from Chris PeBenito.
> * Merged semanage and semodule man page examples from Thomas Bleher.
>
> * Tue Mar 28 2006 Dan Walsh <dwalsh(a)redhat.com> 1.30.1-4
> - Clean up reference policy generation in audit2allow
>
> scim-1.4.4-9.1.fc5
> ------------------
> * Wed Mar 29 2006 Jens Petersen <petersen(a)redhat.com> - 1.4.4-9.1.fc5
> - make scim-libs prereq libstdc++so7 to avoid update-gtk-immodules error when
> installing on i386 (#186365)
> - setup xinput.d for some more locale (as_IN, or_IN, si_LK, vi_VN, and
> zh_HK)
>
> * Thu Mar 02 2006 Jens Petersen <petersen(a)redhat.com> - 1.4.4-9
> - make scim-libs prereq gtk2 > 2.8 to avoid update-gtk-immodules error
> when upgrading from FC4 (#183636)
>
> * Wed Mar 01 2006 Jens Petersen <petersen(a)redhat.com> - 1.4.4-8
> - add scim-system-default-config.patch
> - add Zenkaku_Hankaku as trigger hotkey for Japanese users
> - use static XIM event flow so deadkeys work under XIM in off state
> (#169975)
> - add alternatives as prereq for %post and %postun (pknirsch, #182853)
>
> scim-hangul-0.2.2-1.fc6
> -----------------------
> * Thu Mar 30 2006 Akira TAGOH <tagoh(a)redhat.com> - 0.2.2-1
> - New upstream release.
>
> selinux-policy-2.2.28-1
> -----------------------
> * Mon Mar 27 2006 Dan Walsh <dwalsh(a)redhat.com> 2.2.28-1
> - Update to upstream
>
> * Wed Mar 22 2006 Dan Walsh <dwalsh(a)redhat.com> 2.2.27-1
> - Update to upstream
>
> * Wed Mar 22 2006 Dan Walsh <dwalsh(a)redhat.com> 2.2.25-3
> - Fix policyhelp
>
> squid-7:2.5.STABLE13-3
> ----------------------
> * Wed Mar 29 2006 Martin Stransky <stransky(a)redhat.com> - 7:2.5.STABLE13-3
> - improved pre script (#187217) - added group switch
>
> sysreport-1.4.3-5
> -----------------
> * Tue Mar 28 2006 Than Ngo <than(a)redhat.com> 1.4.3-5
> - use LANG=C
>
> * Tue Mar 14 2006 Than Ngo <than(a)redhat.com> 1.4.3-4
> - add the correct option to collect iptables information (mangle) #181299
> - collect shared memory Segments info #181681
>
> system-config-samba-1.2.35-1
> ----------------------------
> * Wed Mar 29 2006 Nils Philippsen <nphilipp(a)redhat.com> - 1.2.35
> - don't require gnome module (#187200)
> - don't wrap text in About dialog
>
> xscreensaver-1:4.24-2
> ---------------------
> * Fri Mar 24 2006 Ray Strode <rstrode(a)redhat.com> - 1:4.24-2
> - add patch from jwz to reap zombie processes (bug 185833)
>
> xterm-211-4.FC6
> ---------------
> * Wed Mar 29 2006 Jason Vas Dias <jvdias(a)redhat.com> - 211-4
> - fix bug 186935: cursor GCs must be freed with XtReleaseGC
I know the fedora-release/repo stuff doesn't matter, but what about the
other errors I'm seeing in today's update?
Updating : libgcj ################ [ 6/100]warning: /usr/lib/security/libgcj.security created as /usr/lib/security/libgcj.security.rpmnew
<SNIP>
Updating : selinux-policy-strict ##################### [ 25/100]
libsepol.scope_copy_callback: authlogin: Duplicate declaration in module:
type/attribute system_chkpwd_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
Updating : fedora-release [ 26/100]warning: /etc/yum.repos.d/fedora-core.repo created as /etc/yum.repos.d/fedora-core.repo.rpmnew
Updating : fedora-release [ 26/100]warning: /etc/yum.repos.d/fedora-development.repo created as /etc/yum.repos.d/fedora-development.repo.rpmnew
Updating : fedora-release [ 26/100]warning: /etc/yum.repos.d/fedora-extras-development.repo created as /etc/yum.repos.d/fedora-extras-development.repo.rpmnew
Updating : fedora-release [ 26/100]warning: /etc/yum.repos.d/fedora-extras.repo created as /etc/yum.repos.d/fedora-extras.repo.rpmnew
Updating : fedora-release [ 26/100]warning: /etc/yum.repos.d/fedora-updates-testing.repo created as /etc/yum.repos.d/fedora-updates-testing.repo.rpmnew
Updating : fedora-release [ 26/100]warning: /etc/yum.repos.d/fedora-updates.repo created as /etc/yum.repos.d/fedora-updates.repo.rpmnew
Updating : fedora-release ##################### [ 26/100]
<SNIP>
Updating : selinux-policy-targeted ##################### [ 30/100]
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
/sbin/restorecon reset /usr/bin/hidd context
system_u:object_r:bluetooth_exec_t->system_u:object_r:bin_t
Updating : openoffice.org-base ##################### [ 31/100]
18 years, 1 month
autorelabel and changed security contexts
by Florin Andrei
I've a FC4 server that's slightly customized:
- /var/lib/imap and /var/spool/imap are moved to /home/cyrus (and /home
is a separate partition)
- /var/spool/squid is moved to another place (separate partition)
- /var/lib/mysql is moved to another place (separate partition)
- /var/log is on its own partition
I customized the policy so that Cyrus IMAPd can access /home/cyrus
properly. But then I did "touch /.autorelabel; reboot" and Cyrus broke
completely. Upon investigation, I noticed that the security contexts of
the Cyrus folders in /home/cyrus were altered, from e.g.
system_u:object_r:cyrus_var_lib_t to... I forgot to what - something
else anyway.
Questions:
Why does autorelabel change the security contexts?
How can I tell autorelabel to leave alone /home/cyrus (or give it the
security contexts that I want those files to have)?
I am asking these questions because I want to upgrade the server to FC5,
keep the partitioning scheme, but avoid the multiple and annoying
SELinux issues I had when I installed FC4 on that machine.
So I guess the questions are at the same time for FC4 and FC5.
--
Florin Andrei
http://florin.myip.org/
18 years, 1 month
semanage / file_contexts.local
by Paul Howarth
On my FC4 system, I created a file
/etc/selinux/targeted/contexts/files/file_contexts.local that contained
the following lines:
/srv/backup(/.*)? system_u:object_r:ftpd_anon_rw_t
/srv/softlib(/.*)? system_u:object_r:ftpd_anon_rw_t
This was to ensure that files created in these areas got the right
context, and that it would survive a relabel. Having since learned about
customizable types, I probably didn't need to do that in this case, but
the principle applies anyway.
My understanding is that in FC5, the equivalent thing to do for this
would be to use semanage to add additional fcontext objects. Is that
right (I think the semanage manpage could do with an example or two btw,
hint, hint)?
My first question is: if I use semanage, is there a convenient way to
check, on a running system, which objects are there as part of the base
policy and which have been added later, like a file context equivalent
of "semodule -l"?
My second question is: I have lots of log messages like this:
Mar 26 04:24:39 badby kernel: inode_doinit_with_dentry:
context_to_sid(system_u:object_r:ftpd_anon_rw_t) returned 22 for
dev=sdb6 ino=96769
Google suggests that this is a hangover from FC4 that shouldn't be
there, and I suspect it has to do with the presence of my
/etc/selinux/targeted/contexts/files/file_contexts.local file. I'm
thinking of changing this to:
/srv/backup(/.*)? system_u:object_r:public_content_rw_t:s0
/srv/softlib(/.*)? system_u:object_r:public_content_rw_t:s0
or even deleting it entirely and doing the equivalent with semanage.
When I do one of these things, when will it take effect? Will I need to
reboot, or rebuild policy somehow?
Paul.
18 years, 1 month
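An added example that is not part of either post: Florin's relabel problem above and Paul's question here have the same answer, which is to record the custom path-to-type mapping where setfiles and restorecon look for it. The /.autorelabel pass relabels from the policy's file_contexts (together with file_contexts.local, which libselinux reads alongside it), so a tree whose contexts were set by hand reverts to whatever the stock spec says for /home unless a local entry for the subtree exists. On FC5 the entry goes into the module store with `semanage fcontext -a`; it takes effect for restorecon as soon as semanage returns, with no reboot or policy rebuild, while files already on disk still need `restorecon -R`. The POSIX sh function below converts file_contexts.local lines of the kind Paul posted into those semanage commands and checks each context's type against a list of types the loaded policy defines (a constructed list here; on a real box `seinfo -t` from setools produces it). A context whose type the policy does not define is what the kernel's `context_to_sid(...) returned 22` message reports: 22 is EINVAL, the context string cannot be mapped under the running policy.

```shell
# fc_local_to_semanage FILE TYPES
#   FILE:  file_contexts.local-style lines "PATHREGEX USER:ROLE:TYPE[:RANGE]"
#   TYPES: one type name per line, the types the loaded policy defines
#          (constructed here; on a real box: seinfo -t > types)
# Prints one "semanage fcontext -a -t TYPE PATHREGEX" per usable entry.
# Entries whose type the policy does not define are reported on stderr and
# skipped: that is the condition the kernel logs as
# "context_to_sid(...) returned 22" (22 == EINVAL).
# Returns 1 if anything was skipped, 0 otherwise.
fc_local_to_semanage() {
    fc_file=$1
    known_types=$2
    rc=0
    while read -r path ctx; do
        # blank lines and comments
        case $path in ''|'#'*) continue ;; esac
        # a file-type column ("--", "-d", ...) would leave a space in $ctx;
        # this example only handles the two-column form from the post
        case $ctx in
            *' '*) printf 'SKIP %s: file-type column not handled\n' "$path" >&2
                   rc=1; continue ;;
        esac
        # user:role:type[:range] -> the type is the third field
        type=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if ! grep -qx "$type" "$known_types"; then
            printf 'SKIP %s: type %s is not defined in the loaded policy\n' \
                "$path" "$type" >&2
            rc=1
            continue
        fi
        printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$path"
    done < "$fc_file"
    return $rc
}

# make_sample: constructed input mirroring the two entries from the post,
# plus a constructed type list in which ftpd_anon_rw_t is absent, which is
# what the "returned 22" message indicates on the poster's system.
# Prints the directory holding both files.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/file_contexts.local" <<'EOF'
# constructed sample
/srv/backup(/.*)?  system_u:object_r:ftpd_anon_rw_t
/srv/softlib(/.*)? system_u:object_r:public_content_rw_t:s0
EOF
    printf '%s\n' public_content_rw_t public_content_t user_home_t > "$dir/types"
    printf '%s\n' "$dir"
}

dir=$(make_sample)
fc_local_to_semanage "$dir/file_contexts.local" "$dir/types" \
    || echo "some entries were skipped, see messages above" >&2
```

Run against the constructed sample, the softlib entry becomes a semanage command and the backup entry is reported as using an undefined type. After the commands have been applied, `restorecon -R -v` on each tree relabels what is already there; for Florin's case the same mechanism, with an entry for /home/cyrus(/.*)?, is what keeps the Cyrus directories from reverting at the next /.autorelabel.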
SELinux FAQ problem
by Florin Andrei
I am following the instructions found here to customize the policy:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2784794
But I get this:
######################################################
# audit2allow -i audit.txt -M local -l
Generating type enforcment file: local.te
Compiling policy
checkmodule -M -m -o local.mod local.te
/usr/bin/audit2allow: sh: checkmodule: command not found
######################################################
The problem is, I have no idea what is "checkmodule".
######################################################
# which checkmodule
/usr/bin/which: no checkmodule in
(/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
# yum provides checkmodule
Loading "installonlyn" plugin
Searching Packages:
Setting up repositories
macromedia [1/5]
livna [2/5]
core [3/5]
updates [4/5]
extras [5/5]
Reading repository metadata in from local files
Importing additional filelist information
No Matches found
######################################################
--
Florin Andrei
http://florin.myip.org/
18 years, 1 month
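An added example, not the FAQ's script and not part of the post: on Fedora, `checkmodule` is shipped by the checkpolicy package, which is not pulled in by selinux-policy or policycoreutils, so `audit2allow -M` fails exactly as shown when only the runtime tools are installed. The function below runs the three steps that `audit2allow -M local` wraps (checkmodule, semodule_package, semodule -i) with an explicit check for each tool and the package that provides it. The tool names can be overridden through the CHECKMODULE, SEMODULE_PACKAGE and SEMODULE variables, which are an assumption of this example, so the error path can be exercised on a box without the SELinux tool chain.

```shell
# build_local_module NAME
#   compiles NAME.te -> NAME.mod -> NAME.pp and loads it, i.e. the steps
#   that "audit2allow -M NAME" runs, with a check for each tool and the
#   Fedora package that ships it. Added example, not the FAQ's code.
#   Return codes: 1 missing .te, 2 missing tool, 3 compile/package failure,
#   otherwise the exit status of "semodule -i".
CHECKMODULE=${CHECKMODULE:-checkmodule}
SEMODULE_PACKAGE=${SEMODULE_PACKAGE:-semodule_package}
SEMODULE=${SEMODULE:-semodule}

require_tool() {
    # require_tool COMMAND PACKAGE
    if command -v "$1" >/dev/null 2>&1; then
        return 0
    fi
    printf '%s: command not found; it is in the %s package (yum install %s)\n' \
        "$1" "$2" "$2" >&2
    return 2
}

build_local_module() {
    name=$1
    if [ ! -f "$name.te" ]; then
        printf '%s.te: no such file\n' "$name" >&2
        return 1
    fi
    require_tool "$CHECKMODULE" checkpolicy || return 2
    require_tool "$SEMODULE_PACKAGE" policycoreutils || return 2
    require_tool "$SEMODULE" policycoreutils || return 2
    # -M: MLS/MCS-aware, -m: build a loadable module rather than a base policy
    "$CHECKMODULE" -M -m -o "$name.mod" "$name.te" || return 3
    "$SEMODULE_PACKAGE" -o "$name.pp" -m "$name.mod" || return 3
    "$SEMODULE" -i "$name.pp"
}

# usage: build_local_module local   (expects local.te, as written by
#        "audit2allow -i audit.txt -M local", in the current directory)
```

With checkpolicy missing, the function stops at the first step and names the package to install instead of leaving a half-built module behind; once the tool chain is present it loads the module and `semodule -l` lists it.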
selinux-policy-targeted-2.2.26-1 policy was bad.
by Daniel J Walsh
I have pulled it out of rawhide. If you have updated and want to get
your machine working again with SELinux
you need to install selinux-policy-targeted-2.2.25-*. You can do this
with the following command:
rpm -Uhv --oldpackage selinux-policy-targeted-2.2.25-2
This will report an error but the correct files will have been placed on
disk.
Now execute
semodule -n -b /usr/share/selinux/targeted/base.pp; touch /.autorelabel; reboot
When this finishes, your system should be back up and running with SELinux
enabled.
Policy was broken by a change to the policy tool chain that we are
working to fix.
Sorry about the problems this has caused.
Dan
18 years, 1 month
adduser rights on FC5
by Ben
I have a fresh FC5 install that I tried to add the heartbeat package
to, and saw this:
Mar 25 12:04:28 johnny kernel: audit(1143317068.339:75): avc:
denied { read write } for pid=19283 comm="useradd" name="lastlog"
dev=dm-0 ino=880549 scontext=root:system_r:useradd_t:s0-s0:c0.c255
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Mar 25 12:05:28 johnny yum: Installed: heartbeat.x86_64 2.0.3-9.fc5
I'm running the most recent targeted config, 2.2.23-15. Should I be
worried that heartbeat didn't install properly?
18 years, 1 month
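The denial Ben posted, reduced to the fields audit2allow works from, as an added example that is not part of the thread. The AVC carries only the file's name and inode, not its path, so the file has to be located before its label can be compared with the one policy assigns to that path (`matchpathcon`). In reference policy /var/log/lastlog carries its own type, lastlog_t (general refpolicy knowledge, not something this thread states), so a denial against the generic var_log_t is the pattern of a mislabeled file, where `restorecon` rather than a new allow rule is the fix. The sample line is the posted denial joined onto one line.

```shell
# avc_summary LINE
#   reduces a kernel AVC denial to the fields needed for triage and prints
#   "SRC_TYPE TGT_TYPE CLASS {PERMS} comm=... name=... dev=... ino=...".
#   Returns 1 for lines that are not AVC denials. Added example, not from
#   the post; the field layout is that of the audit(...) message shown.
avc_field() {
    # avc_field KEY LINE -> value of KEY=value, surrounding quotes removed
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\([^ ]*\).*/\1/p" | tr -d '"'
}

avc_summary() {
    line=$1
    case $line in
        *avc:*denied*) ;;
        *) printf 'not an AVC denial\n' >&2; return 1 ;;
    esac
    # permissions are the words between the braces
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    # user:role:type[:range] -> the type is the third field
    stype=$(avc_field scontext "$line" | cut -d: -f3)
    ttype=$(avc_field tcontext "$line" | cut -d: -f3)
    printf '%s %s %s {%s} comm=%s name=%s dev=%s ino=%s\n' \
        "$stype" "$ttype" "$(avc_field tclass "$line")" "$perms" \
        "$(avc_field comm "$line")" "$(avc_field name "$line")" \
        "$(avc_field dev "$line")" "$(avc_field ino "$line")"
}

# avc_triage NAME INO
#   prints the checks to run before writing an allow rule: locate the file
#   (the AVC has only name and inode), then compare its on-disk label with
#   the label policy assigns to that path. FILE stands for the path found.
avc_triage() {
    cat <<EOF
find / -xdev -inum $2 -name '$1'   # locate the file named in the AVC
ls -Z FILE; matchpathcon FILE      # label on disk vs. label policy expects
restorecon -v FILE                 # only if the two differ: mislabeled file
EOF
}

# the posted denial, joined onto one line
sample='Mar 25 12:04:28 johnny kernel: audit(1143317068.339:75): avc:  denied  { read write } for pid=19283 comm="useradd" name="lastlog" dev=dm-0 ino=880549 scontext=root:system_r:useradd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_log_t:s0 tclass=file'
avc_summary "$sample"
avc_triage lastlog 880549
```

For the posted line the summary is `useradd_t var_log_t file {read write} comm=useradd name=lastlog dev=dm-0 ino=880549`; the yum line that follows it in the log is rejected as not being a denial. Whether heartbeat itself installed correctly is a separate question from this AVC, which concerns useradd's access to lastlog during the package's %pre scriptlet.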
M4 processing for SELinux module
by W. Michael Petullo
I've found some good documentation on building SELinux modules at
http://sepolicy-server.sourceforge.net/index.php?page=module-overview.
However, this article states, "Note that the syslog.te file must already
be preprocessed by m4 if it contains macros." I can't find any clear
documentation that describes how to perform this step.
How does one process a policy source file using m4 and what package
provides the required macro definitions (i.e.: domain_auto_trans?)
--
Mike
:wq
18 years, 1 month