MLS Security Levels
by Jeronimo Zucco
What is the actual maximum number of sensitivity levels and maximum number of capabilities in
an MLS security context?
In Fedora 5 it was s0-s15 and c0-c255. Are the values the same today? Where can I get
this information?
--
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Núcleo de Processamento de Dados
Universidade de Caxias do Sul
http://jczucco.blogspot.com
16 years, 5 months
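The level and range syntax the question is about, as an added example that is not part of the thread or of libselinux: a parser for the strings `semanage login -l`, `ls -Z` and audit records print (`s0`, `s0:c0.c1023`, `s0-s0:c0.c1023`, and the `SystemLow`/`SystemHigh` aliases), with dominance checks so a range can be validated and a level tested against a login range. The bounds `MAX_SENS` and `MAX_CAT` are assumptions, taken from the s15 in the question and the `c0.c1023` visible in this page's own audit records; the real values come from the policy you run, so read them from there rather than trusting these constants.

```python
"""Parse and validate SELinux MLS/MCS levels and ranges ("s0-s0:c0.c1023").

Added example, not from the thread or from libselinux.  Level syntax
follows the form semanage and ls -Z print:
  s<sens>[:c<a>[.c<b>][,c<c>...]]   one level
  <low>-<high>                      a range (high must dominate low)
MAX_SENS and MAX_CAT are assumptions (s15 from the question, c1023 from
this thread's audit records); your policy defines the real bounds.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Tuple

MAX_SENS = 15    # assumption
MAX_CAT = 1023   # assumption

# semanage prints these aliases for the lowest and highest possible levels
ALIASES = {"SystemLow": "s0", "SystemHigh": f"s{MAX_SENS}:c0.c{MAX_CAT}"}

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")
_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


@dataclass(frozen=True)
class Level:
    sens: int
    cats: FrozenSet[int]

    def dominates(self, other: "Level") -> bool:
        """MLS dominance: sensitivity >= and category set a superset."""
        return self.sens >= other.sens and self.cats >= other.cats


def parse_level(text: str) -> Level:
    text = ALIASES.get(text, text)
    m = _LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"malformed level {text!r}")
    sens = int(m.group(1))
    if sens > MAX_SENS:
        raise ValueError(f"s{sens} exceeds the maximum sensitivity s{MAX_SENS}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            cm = _CAT_RE.match(part)
            if not cm:
                raise ValueError(f"malformed category {part!r}")
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) else lo
            if hi < lo or hi > MAX_CAT:
                raise ValueError(f"category span {part!r} is out of order or above c{MAX_CAT}")
            cats.update(range(lo, hi + 1))
    return Level(sens, frozenset(cats))


def parse_range(text: str) -> Tuple[Level, Level]:
    """Return (low, high); a bare level is a range whose ends are equal."""
    low_s, _, high_s = text.partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    if not high.dominates(low):
        raise ValueError(f"high level does not dominate low level in {text!r}")
    return low, high


def is_valid_range(text: str) -> bool:
    try:
        parse_range(text)
        return True
    except ValueError:
        return False


def level_within_range(level: str, rng: str) -> bool:
    """True if a level lies inside a range in dominance order (low <= level <= high),
    which is what a `semanage login` range permits for a login level."""
    low, high = parse_range(rng)
    lv = parse_level(level)
    return lv.dominates(low) and high.dominates(lv)


if __name__ == "__main__":
    for r in ("s0-s0:c0.c1023", "SystemLow-SystemHigh", "s2-s0", "s0:c1024"):
        print(f"{r:22} valid={is_valid_range(r)}")
```

Note the `SystemHigh` alias is itself derived from the two bounds, so if your policy uses different maxima the alias changes with them; that is the only place the bounds are baked in.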
hald_acl_t AVC
by Tom London
Seeing this after some updates today (enforcing):
#============= hald_acl_t ==============
allow hald_acl_t self:fifo_file write;
type=AVC msg=audit(1197057157.993:94): avc: denied { write } for
pid=11138 comm="polkit-read-aut" path="pipe:[79635]" dev=pipefs
ino=79635 scontext=system_u:system_r:hald_acl_t:s0
tcontext=system_u:system_r:hald_acl_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1197057157.993:94): arch=40000003 syscall=4
success=no exit=-13 a0=1 a1=bfea83c8 a2=9 a3=9 items=0 ppid=11123
pid=11138 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=87
sgid=87 fsgid=87 tty=(none) comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:hald_acl_t:s0 key=(null)
type=USER_ACCT msg=audit(1197057661.316:95): user pid=11508 uid=0
auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:accounting acct=root exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
--
Tom London
16 years, 5 months
Good Primer
by Max
No offense to Google, but I prefer to consult with my
fellow humans sometimes. Where can I find a good
intro or primer on SELinux? All opinions welcome.
Thanks
Max
16 years, 5 months
AVC with today's rawhide
by Tom London
I think today's policykit update needs some more love....
Graphical login failed with 'respawn too fast' messages.
Here are the AVCs:
type=AVC msg=audit(1196960817.504:18): avc: denied { read } for
pid=2324 comm="hald" name="PolicyKit.reload" dev=dm-0 ino=67633
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:system_crond_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1196960817.504:18): arch=40000003 syscall=292
success=no exit=-13 a0=d a1=923400 a2=106 a3=9b25d88 items=0 ppid=2323
pid=2324 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="hald" exe="/usr/sbin/hald"
subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1196961900.294:38): avc: denied { getattr } for
pid=3308 comm="polkit-read-aut" scontext=root:system_r:hald_t:s0
tcontext=root:system_r:hald_t:s0 tclass=process
type=SYSCALL msg=audit(1196961900.294:38): arch=40000003 syscall=3
success=yes exit=24 a0=4 a1=945f538 a2=fff a3=fff items=0 ppid=2833
pid=3308 auid=0 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=87 sgid=87
fsgid=87 tty=(none) comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=root:system_r:hald_t:s0 key=(null)
'audit2allow -M'/etc. fixes:
#============= hald_t ==============
allow hald_t self:process getattr;
allow hald_t system_crond_var_lib_t:file read;
tom
--
Tom London
16 years, 5 months
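What `audit2allow` is doing with the records in this post and in the hald_acl_t post above, as an added example (not the thread's code and not audit2allow itself): parse the AVC records, reduce each security context to its type, merge denied permissions per (source type, target type, class), and render `allow` rules, writing `self` when source and target types match. The sample input is the four records posted in these two threads, joined onto single lines; nothing else about them is invented. The caveat a practitioner would add before adopting such a rule: check with `ls -Z` whether the target is simply mislabelled (then `restorecon` is the fix, not a new allow rule).

```python
"""Turn raw AVC denials into candidate allow rules, audit2allow-style.

Added example; not code from the thread or from audit2allow.  SAMPLE is
the records posted in this thread, each joined onto one line.  Fields are
taken from the audit record format: the { perms } set, scontext,
tcontext and tclass.  The SYSCALL record carries no AVC and is skipped.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

SAMPLE = """\
type=AVC msg=audit(1197057157.993:94): avc: denied { write } for pid=11138 comm="polkit-read-aut" path="pipe:[79635]" dev=pipefs ino=79635 scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1197057157.993:94): arch=40000003 syscall=4 success=no exit=-13 a0=1 a1=bfea83c8 a2=9 a3=9 items=0 ppid=11123 pid=11138 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:hald_acl_t:s0 key=(null)
type=AVC msg=audit(1196960817.504:18): avc: denied { read } for pid=2324 comm="hald" name="PolicyKit.reload" dev=dm-0 ino=67633 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:system_crond_var_lib_t:s0 tclass=file
type=AVC msg=audit(1196961900.294:38): avc: denied { getattr } for pid=3308 comm="polkit-read-aut" scontext=root:system_r:hald_t:s0 tcontext=root:system_r:hald_t:s0 tclass=process
"""

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """user:role:type[:range] -> type, the component allow rules are written in."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[Tuple[str, str, str, FrozenSet[str]]]:
    """(source type, target type, class, perms) for an AVC denial, else None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    perms = frozenset(m.group("perms").split())
    return (type_of(m.group("scontext")), type_of(m.group("tcontext")),
            m.group("tclass"), perms)


def merge_denials(lines: Iterable[str]) -> Dict[Tuple[str, str, str], FrozenSet[str]]:
    """Union the denied permissions per (source, target, class) triple."""
    merged: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return {k: frozenset(v) for k, v in merged.items()}


def allow_rules(lines: Iterable[str]) -> List[str]:
    """Render one allow rule per merged triple, using `self` where types match."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merge_denials(lines).items()):
        target = "self" if stype == ttype else ttype
        perm_str = (next(iter(perms)) if len(perms) == 1
                    else "{ " + " ".join(sorted(perms)) + " }")
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE.splitlines())))
```

On the thread's records this yields exactly the three rules Tom quotes from `audit2allow -M`; the merging matters once the same pair is denied several permissions across records, which collapses into one `{ ... }` rule.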
Re: home directory problems with Fedora 8
by John Griffiths
My reply is not SELinux related, but it will keep you from bashing /home.
Put /home on a separate file system. When you install Fedora 9 or
whatever comes down the pike, install and use the advanced options for
the disk layout. Do not change the layout, and make sure you know which
partition belongs to which file system. Lay them out the same way and
choose not to format the partitions you want to keep. Depending on what
options you choose, you may have to just not do anything with the /home
file system at install and add the mount after the installation over the
/home directory.
Works for me.
Regards,
John
>
> Subject: home directory problems with Fedora 8
> From: Chris Howard <chris(a)yipyap.com>
> Date: Wed, 05 Dec 2007 22:51:59 -0700
> To: fedora-selinux-list(a)redhat.com
>
> I have previously existing home directories under /u01/home.
> I did this because upgrading from FC6 to Fedora 7 caused me trouble
> and I want to avoid having to recreate my home directory. So I copied
> the whole system into /u01 before doing a fresh Fedora 8 install. I
> do not have a separate home-only partition.
>
> SELinux prevents me from making a symbolic link like this:
>
> /home--> /u01/home or like this
>
> /home/chris--> /u01/home/chris.
>
> If I setup a dummy user with home at /home/chris, then
> edit /etc/passwd to change the home to /u01/home/chris... that doesn't
> work either.
>
> nor if I create a new user like so:
>
> useradd -d /u01/home/pete pete
>
> Is there something magic about the string '/home' ?
> that keeps me from creating home directories anywhere else?
>
> I'd really love to keep from smashing /home on every OS reload.
>
> For now I have SELinux in Permissive mode so I can at least use the
> system.
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
16 years, 5 months
[Bug] about the bug with semanage
by NZzi
Hi selinuxers:
Several days ago, I remember someone reported a bug about
semanage in a non-English locale:
-(:11:30:$)-> locale
LANG=zh_CN.UTF-8
LC_CTYPE="zh_CN.UTF-8"
LC_NUMERIC="zh_CN.UTF-8"
LC_TIME="zh_CN.UTF-8"
LC_COLLATE="zh_CN.UTF-8"
LC_MONETARY="zh_CN.UTF-8"
LC_MESSAGES="zh_CN.UTF-8"
LC_PAPER="zh_CN.UTF-8"
LC_NAME="zh_CN.UTF-8"
LC_ADDRESS="zh_CN.UTF-8"
LC_TELEPHONE="zh_CN.UTF-8"
LC_MEASUREMENT="zh_CN.UTF-8"
LC_IDENTIFICATION="zh_CN.UTF-8"
LC_ALL=
-(yangshao@NZzi:pts/4)--------------------(~)-(3/133)-
-(:13:17:$)-> sudo semanage login -l
/usr/sbin/semanage: ascii
-(:11:02:$)-> LANG=C sudo semanage login -l
Login Name     SELinux User    MLS/MCS Range
__default__    system_u        s0
root           root            -s0:c0.c255
system_u       system_u        SystemLow-SystemHigh
I notice this bug is fixed in F9 rawhide, but F8 has not been.
16 years, 5 months
Re: pulseaudio, policykit - works in permissive, fails in enforcing
by Tom London
On Dec 3, 2007 3:50 PM, Tom London <selinux(a)gmail.com> wrote:
> Forgot to attach the AVCs......
>
> Does this one look suspicious?
>
> type=AVC msg=audit(1196722543.811:703): avc: denied { search } for
> pid=2746 comm="ck-get-x11-disp" name="2719" dev=proc ino=9484
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=dir
> type=SYSCALL msg=audit(1196722543.811:703): arch=40000003 syscall=5
> success=no exit=-13 a0=8299418 a1=8000 a2=0 a3=8000 items=0 ppid=2715
> pid=2746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="ck-get-x11-disp"
> exe="/usr/libexec/ck-get-x11-display-device"
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
Attached compressed....sigh
tom
--
Tom London
16 years, 5 months
Re: RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context"
by Harald Beugler-Bell
I got a similar problem when trying to run cron as root. It looks like SELinux is unable to get the correct user context of the crond process:
crond[5587]: (*system*) NULL security context for user ()
crond[5587]: CRON (root) ERROR: failed to change SELinux context
crond[5587]: CRON (root) ERROR: cannot set security context
The file context of the cron file is set according to default context:
$ ls -lZ /etc/cron.d/testing-cron
-rw-r--r-- root root system_u:object_r:system_cron_spool_t:s0 /etc/cron.d/testing-cron
$ ps -efZ | grep crond
staff_u:system_r:crond_t:s0 root 14922 1 0 00:19 ? 00:00:00 /usr/sbin/crond start
$ /usr/sbin/semanage login -l | egrep "root|system"
root root s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
bash-3.1# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5 (Tikanga)
vixie-cron-4.1-66.1.el5
libselinux-1.33.4-2.el5
libselinux-python-1.33.4-2.el5
selinux-policy-strict-2.4.6-79.el5
selinux-policy-2.4.6-79.el5
any help is welcome.
thanks
Hari
----- Original Message ----
From: Aleksander Adamowski <aleksander.adamowski.fedora(a)altkom.pl>
To: fedora-selinux-list(a)redhat.com
Sent: Wednesday, 28 November 2007, 16:10:58
Subject: Re: RHEL5 + strict policy: Unprivileged user cron - "Unauthorized SELinux context"
Stephen Smalley writes:
> On Wed, 2007-11-28 at 21:16 +0100, Aleksander Adamowski wrote:
>
>> crond[27249]: (apache) Unauthorized SELinux context, but SELinux in
>> permissive mode, continuing (cron/apache)
>> crond[29358]: (apache) NULL security context for user, but SELinux in
>> permissive mode, continuing ()
>>
>
> Sounds like it just stayed in crond's context since it failed the check
> and the system was permissive. Naturally, in enforcing mode, it would
> have not executed the job at all.
>
> crond computes a context for the user's cron job in the usual manner,
> then applies an entrypoint permission check between that context and the
> file context on the crontab file (which gets picked up from a
> combination of its creator and the parent directory). If that check
> fails, then crond refuses to execute the crontab commands in that
> process context. The check is intended to prevent injection of commands
> from one context into another via crontab, unless authorized by policy
> of course.
>
That's reasonable.
> I'd have expected it to try to run the cron job in user_u:user_r:
> user_crond_t:s0 since apache wouldn't have a specific entry in seusers.
> So it would have wanted the crontab file to have user_cron_spool_t on
> it, which would have happened if a user_t process created it. If
> instead an admin created it and it got sysadm_cron_spool_t or
> staff_cron_spool_t, that might explain it. So you could relabel it or
> allow that permission. First though check the current label on the
> crontab file.
>
Yes, you're right. That was precisely the cause.
I've used "crontab -e -u apache" as root.
The files in /var/spool/cron got sysadm_cron_spool_t type (the full
context was root:object_r:sysadm_cron_spool_t).
After running "fixfiles relabel /var/spool/cron/", the apache crontab
got system_u:object_r:user_cron_spool_t.
Now cron runs fine and doesn't log anything suspicious.
IMHO crontab should be modified to relabel crontab files that are edited
using the "-u" option, but this is a question to Dan - should I file a
new bug to bugzilla.redhat.com on this?
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
16 years, 5 months
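The mechanism Stephen Smalley describes in the quoted reply, as an added example that is neither crond's code nor the thread's: crond derives a job context from the crontab owner's SELinux user, then requires the crontab file's type to be an entrypoint for that job domain; on failure it refuses the job in enforcing mode and, as the quoted log lines show, carries on in its own crond_t context in permissive mode. The three tables (`SEUSERS`, `CRON_DOMAIN`, `ENTRYPOINT`) are assumptions standing in for the real seusers file, default contexts and strict-policy entrypoint rules; the `apache` case walks through the thread's own failure (a file labelled `sysadm_cron_spool_t` because root ran `crontab -e -u apache`) and the relabel that fixed it.

```python
"""Model of crond's per-job SELinux entrypoint check, as described in the thread.

Added example; not crond's code.  SEUSERS, CRON_DOMAIN and ENTRYPOINT are
assumed stand-ins for seusers, the per-user default contexts and the
strict policy's `allow <domain> <type>:file entrypoint;` rules.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

CROND_CONTEXT = "system_u:system_r:crond_t:s0"   # crond's own context (from the thread's ps -efZ)

# assumed seusers map: named users first, then the __default__ fallback
SEUSERS: Dict[str, str] = {"root": "root", "__default__": "user_u"}

# assumed SELinux user -> (role, cron job domain), strict-policy style
CRON_DOMAIN: Dict[str, Tuple[str, str]] = {
    "user_u": ("user_r", "user_crond_t"),
    "staff_u": ("staff_r", "staff_crond_t"),
    "root": ("sysadm_r", "sysadm_crond_t"),
}

# assumed entrypoint rules: which crontab file types may enter which job domain
ENTRYPOINT: Dict[str, Set[str]] = {
    "user_crond_t": {"user_cron_spool_t"},
    "staff_crond_t": {"staff_cron_spool_t"},
    "sysadm_crond_t": {"sysadm_cron_spool_t"},
}


@dataclass(frozen=True)
class Decision:
    run_context: Optional[str]   # context the job executes in; None if refused
    reason: str


def job_context(linux_user: str) -> str:
    """Context crond computes for a user's jobs: seuser, role, domain, level s0."""
    seuser = SEUSERS.get(linux_user, SEUSERS["__default__"])
    role, domain = CRON_DOMAIN[seuser]
    return f"{seuser}:{role}:{domain}:s0"


def expected_spool_type(linux_user: str) -> str:
    """Type the crontab must carry to be a valid entrypoint for the user's job domain
    (what a relabel of /var/spool/cron should give it)."""
    domain = job_context(linux_user).split(":")[2]
    return sorted(ENTRYPOINT[domain])[0]


def decide(linux_user: str, crontab_type: str, enforcing: bool) -> Decision:
    """Apply the entrypoint check between the computed job context and the file type."""
    ctx = job_context(linux_user)
    domain = ctx.split(":")[2]
    if crontab_type in ENTRYPOINT.get(domain, set()):
        return Decision(ctx, "entrypoint check passed")
    why = f"{crontab_type} is not an entrypoint for {domain}"
    if enforcing:
        return Decision(None, f"refused: {why}")
    # permissive: the failed check is logged and the job stays in crond's context
    return Decision(CROND_CONTEXT, f"permissive, continuing in crond's context: {why}")


if __name__ == "__main__":
    # the thread's case: root edited apache's crontab, so it got sysadm_cron_spool_t
    for enforcing in (False, True):
        print("enforcing" if enforcing else "permissive",
              decide("apache", "sysadm_cron_spool_t", enforcing))
    print("after relabel to", expected_spool_type("apache"),
          decide("apache", expected_spool_type("apache"), True))
```

The permissive branch is the security-relevant one: a job that fails the check does not run as the intended user domain but in crond's own, which is why the thread's messages about "NULL security context" in permissive mode deserve attention rather than being waved through.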
pulseaudio, policykit - works in permissive, fails in enforcing
by Tom London
Running latest Rawhide.
I've noticed the following problem that I cannot track down fully.
Pulseaudio seems to have stopped working when in enforcing mode,
unless I manually change the permissions to the numerous /dev/ files
to 666 (e.g., /dev/*dsp*, /dev/audio* /dev/snd/*, ....)
I get no AVCs. Below are snippets from /var/log/messages.
My (simpleminded) interpretation is that in permissive mode, policykit
is running but not when in enforcing.
Any suggestions on how to track this down further?
tom
Permissive:
Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: Failed to show
grant dialog: Unable to lookup exe for caller
Dec 3 09:48:10 localhost pulseaudio[2947]: polkit.c: PolicyKit
responded with 'auth_admin_keep_always'
Dec 3 09:48:10 localhost pulseaudio[2947]: pid.c: Stale PID file, overwriting.
Dec 3 09:48:10 localhost pulseaudio[2947]: main.c:
setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
Dec 3 09:48:12 localhost pulseaudio[2947]: module.c: Failed to load
module "module-rtp-recv" (argument: ""): initialization failed.
Dec 3 09:48:12 localhost pulseaudio[2947]: module-gconf.c:
pa_module_load() failed
Enforcing:
Dec 3 10:59:27 localhost pulseaudio[3995]: pid.c: Stale PID file, overwriting.
Dec 3 10:59:27 localhost pulseaudio[3995]: main.c:
setrlimit(RLIMIT_NICE, (31, 31)) failed: Operation not permitted
Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening
PCM device hw:0: No such device
Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load
module "module-alsa-sink" (argument: "device_id=0
sink_name=alsa_output.pci_8086_27d8_alsa_playback_0"): initialization
failed.
Dec 3 10:59:28 localhost pulseaudio[3995]: alsa-util.c: Error opening
PCM device hw:0: No such device
Dec 3 10:59:28 localhost pulseaudio[3995]: module.c: Failed to load
module "module-alsa-source" (argument: "device_id=0
source_name=alsa_input.pci_8086_27d8_alsa_capture_0"): initialization
failed.
Dec 3 10:59:29 localhost pulseaudio[3995]: module.c: Failed to load
module "module-rtp-recv" (argument: ""): initialization failed.
Dec 3 10:59:29 localhost pulseaudio[3995]: module-gconf.c:
pa_module_load() failed
--
Tom London
16 years, 5 months
rpm_script_t AVC with today's openoffice.org-writer2latex
by Tom London
Yum update today stalled in enforcing mode.
In permissive mode, worked, but got this:
type=AVC msg=audit(1196693534.458:415): avc: denied { execstack }
for pid=12928 comm="uno.bin"
scontext=system_u:system_r:rpm_script_t:s0
tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=AVC msg=audit(1196693534.458:415): avc: denied { execmem } for
pid=12928 comm="uno.bin" scontext=system_u:system_r:rpm_script_t:s0
tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=SYSCALL msg=audit(1196693534.458:415): arch=40000003 syscall=125
success=yes exit=0 a0=bfa83000 a1=1000 a2=1000007 a3=fffff000 items=0
ppid=12906 pid=12928 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="uno.bin"
exe="/usr/lib/openoffice.org/program/uno.bin"
subj=system_u:system_r:rpm_script_t:s0 key=(null)
Not sure where to file this.... openoffice.org?
tom
--
Tom London
16 years, 5 months