June 2007 - selinux - Fedora Mailing-Lists

Re: kdebase: selinux preventing appending to /var/log/kdm.log ?

by Daniel J Walsh

Rex Dieter wrote: > Daniel J Walsh wrote: >> Rex Dieter wrote: >>> See also: >>> http://bugzilla.redhat.com/243505 >>> >>> Raw Audit Messages >>> >>> avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500 >>> euid=0 >>> exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0 >>> name="kdm.log" path="/var/log/kdm.log" pid=3804 >>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500 >>> subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file >>> tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0 >>> >>> >> Well you have a few of choices. >> >> 1. Ignore it for now, since I doubt it causes any problem. >> >> 2. Write custom policy for it. >> >> # grep pam_console_t /var/log/audit/audit.log | audit2allow -M >> mypamconsole >> # semodule -i mypamconsole.pp >> >> 3. Wait for the next policy update which will write a rule to >> dontaudit this. > > Would it be-better/help if kdm.log was in /var/log/kdm/ dir instead of > /var/log/ directly? > > -- Rex Ordinarily yes, but in this case it does not matter. The problem is a redirection of stdout to the log file and pam_console_t does not have permission to write there. So it generates an avc when it starts pam_console. pam_console runs anyways and completes.

16 years, 10 months

1
0
0 / 0

kdebase: selinux preventing appending to /var/log/kdm.log ?

by Rex Dieter

See also: http://bugzilla.redhat.com/243505 Raw Audit Messages avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500 euid=0 exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0 name="kdm.log" path="/var/log/kdm.log" pid=3804 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0 Any advice on how best to address this? -- Rex

16 years, 10 months

2
1
0 / 0

mknod problem still present denied avc's

by Antonio Olivares

dmesg returns audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir After I did this again [olivares@localhost ~]$ su - Password: [root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i myinsmod.pp [root@localhost ~]# semodule -i myinsmod.pp [root@localhost ~]# Selinux troubleshooter returned this: avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0 Policy RPM: selinux-policy-2.6.4-8.fc7 Affected RPM Packages: coreutils-6.9-2.fc7 [application]Policy RPM: selinux-policy-2.6.4-12.fc7 How can I effectively fix this? This is my /etc/modprobe.conf [root@localhost Download]# cat /etc/modprobe.conf alias eth0 8139too alias scsi_hostadapter sata_via alias scsi_hostadapter1 pata_via alias snd-card-0 snd-via82xx options snd-card-0 index=0 options snd-via82xx index=0 install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0) [root@localhost Download]# Thanks, Antonio ____________________________________________________________________________________ Yahoo! oneSearch: Finally, mobile search that gives answers, not web links. http://mobile.yahoo.com/mobileweb/onesearch?refer=1ONXIC

16 years, 10 months

2
1
0 / 0

apcupsd problems on FC7

by Number Cruncher

I have an APC UPS supporting one of our web servers and would like to keep SELinux enabled, but the apcupsd is unable to run its support script /etc/apcupsd/apccontrol when a power out even occurs. This script is needed to gracefully inform users and power off the machine cleanly. Jun 12 12:51:40 web kernel: audit(1181649100.560:15): avc: denied { execute } for pid=4129 comm="apcupsd" name="apccontrol" dev=dm-0 ino=1870532 sconte xt=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file Jun 12 12:51:40 web kernel: audit(1181649100.560:16): avc: denied { execute } for pid=4130 comm="apcupsd" name="apccontrol" dev=dm-0 ino=1870532 sconte xt=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file I've tried writing a local policy, but just seem to propagate the problem: module local 1.0; require { type bin_t; type apcupsd_t; type net_conf_t; type etc_t; type shell_exec_t; type hostname_exec_t; type proc_t; class file { read execute getattr execute_no_trans }; class dir search; class lnk_file read; } #============= apcupsd_t ============== allow apcupsd_t etc_t:file execute; allow apcupsd_t etc_t:file execute_no_trans; allow apcupsd_t net_conf_t:file read; allow apcupsd_t bin_t:dir search; allow apcupsd_t bin_t:lnk_file read; allow apcupsd_t shell_exec_t:file execute; allow apcupsd_t shell_exec_t:file read; allow apcupsd_t bin_t:file { read getattr execute execute_no_trans }; allow apcupsd_t hostname_exec_t:file { read execute getattr }; allow apcupsd_t proc_t:file {read getattr}; type=AVC msg=audit(1181656523.928:210): avc: denied { read write } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd _t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file type=SYSCALL msg=audit(1181656523.928:210): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8002 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294 967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null) type=AVC msg=audit(1181656523.928:211): avc: denied { read } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file type=SYSCALL msg=audit(1181656523.928:211): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8000 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294 967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null) type=AVC msg=audit(1181656523.928:212): avc: denied { read write } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd _t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file type=SYSCALL msg=audit(1181656523.928:212): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8002 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294 967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null) type=AVC msg=audit(1181656523.928:213): avc: denied { read } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file type=SYSCALL msg=audit(1181656523.928:213): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8000 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294 967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null) type=USER_AVC msg=audit(1181656637.910:214): user pid=1869 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload noti ce (seqno=14) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)' System: kernel-2.6.21-1.3226.fc7 selinux-policy-2.6.4-13.fc7 Any help appreciated, Simon

16 years, 10 months

2
1
0 / 0

audio-entropd needs some help....

by Tom London

Running latest Rawhide, targeted. Running in enforcing mode, audio-entropyd fails to start. Flipping to permissive mode and restarting, I get these: type=AVC msg=audit(1181506748.052:78): avc: denied { read write } for pid=8712 comm="audio-entropyd" name="random" dev=tmpfs ino=3167 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1181506748.052:78): arch=40000003 syscall=5 success=yes exit=4 a0=804a2b3 a1=2 a2=0 a3=bfbbdef0 items=0 ppid=1 pid=8712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="audio-entropyd" exe="/usr/sbin/audio-entropyd" subj=system_u:system_r:entropyd_t:s0 key=(null) type=AVC msg=audit(1181506748.052:79): avc: denied { dac_override } for pid=8712 comm="audio-entropyd" capability=1 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:system_r:entropyd_t:s0 tclass=capability type=SYSCALL msg=audit(1181506748.052:79): arch=40000003 syscall=5 success=yes exit=5 a0=804a268 a1=0 a2=45ef7fc0 a3=804a268 items=0 ppid=1 pid=8712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="audio-entropyd" exe="/usr/sbin/audio-entropyd" subj=system_u:system_r:entropyd_t:s0 key=(null) Looks like it wants read/write access to /dev/random plus dac_override. tom -- Tom London

16 years, 10 months

4
5
0 / 0

udev file access

by Michael Thomas

I installed a custom udev rule in /etc/udev/rules.d/ that invokes a shell script to backup my usb thumb drive whenever it's plugged in. The script makes use of 'mkdir', 'find', and 'dd' to create the backup. The backups are created in a /images/backups directory, that has the default label 'user_u:object_r:file_t'. When udev launches the script, I get avcs because udev isn't allowed to write to file_t (not surprising): avc: denied { read } for comm="find" dev=sda3 egid=0 euid=0 exe="/usr/bin/find" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=4539 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0 How should this backup directory get labeled so that udev can write to it? Or should I create a custom file context for backup files and then give udev_t permission to write to the backup file context? --Mike

16 years, 10 months

2
1
0 / 0

openvpn on fedora 7

by Matthew Gillen

I had to add the following module before openvpn would work. The first issue was that openvpn didn't have permission to write a .pid file to /var/run/openvpn. The other problem seemed to be that a TCP socket could not be created (the name_connect part). The dac_override is something that I don't get. Why would openvpn need that? Unix permissions problems? Here's the additional policy: ----------------------------- require { type openvpn_t; type openvpn_port_t; type openvpn_var_run_t; class capability dac_override; class tcp_socket name_connect; class dir { write search add_name }; } #============= openvpn_t ============== allow openvpn_t openvpn_port_t:tcp_socket name_connect; allow openvpn_t openvpn_var_run_t:dir { write search add_name }; allow openvpn_t self:capability dac_override; ----------------------------- Thanks, Matt

16 years, 10 months

4
5
0 / 0

Re: AVC Denied Dhcp and Iptables.

by piotreek

2007/6/11, piotreek <piotreek23(a)gmail.com>: > > 2007/6/11, Daniel J Walsh <dwalsh(a)redhat.com>: > > > > piotreek wrote: > > > Hi guys i found some strange messages in my logs. It seams that > > > selinux is blocking a dhcp an Iptables. > > > I found similar post on group about DHCP but my messages are > > > different.I am using FC7 latest policy update didn't resolve the > > problem. > > > P.S I am using firestater as my firewall. > > I believe you will need to write custom policy to make this work. You > > can simply add these rules using audit2allow. > > > > # grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc > > > > # semodule -i mydhcpc.pp > > > > Having dhcpc allowed to turn on/off firewall rules is of debatable > > security risk. > > > THX but i found what causing problem. Firestarter was causing this > messages. After uninstall i i have writ-ed my own Iptables script. And > strange messages disappeared. > > >

16 years, 10 months

1
0
0 / 0

Swat (samba configurator) working with SELinux

by Fox 2000

Hello, I have a problem with Swat Samba configurator module and SElinux: SELinux=permissive => Swat works. SELinux= enforcing => can't login to swat. I've alread searched the internet for support, but it looks like SELinux is something people still do not understand well. I include myself in this situation. All the answers I get is turn SELinux off. I believe there must be a better idea than that! Thanks for your time reading/answering this. All the Best, Fochi ____________________________________________________________________________________ Park yourself in front of a world of choices in alternative vehicles. Visit the Yahoo! Auto Green Center. http://autos.yahoo.com/green_center/

16 years, 10 months

3
2
0 / 0

checkpolicy

by Nitish Dutt

Hi everybody actually i am newbie to this open source world and just working on SElinux as my project.I had started studying source code of checkpolicy component of Selinux but im not getting from where to start and wats d function of each file in the checkpolicy package.culd any body pls help me out wid dat.........

16 years, 10 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux June 2007