Re: kdebase: selinux preventing appending to /var/log/kdm.log ?
by Daniel J Walsh
Rex Dieter wrote:
> Daniel J Walsh wrote:
>> Rex Dieter wrote:
>>> See also:
>>> http://bugzilla.redhat.com/243505
>>>
>>> Raw Audit Messages
>>>
>>> avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500
>>> euid=0
>>> exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0
>>> name="kdm.log" path="/var/log/kdm.log" pid=3804
>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500
>>> subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file
>>> tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0
>>>
>>>
>> Well, you have a few choices.
>>
>> 1. Ignore it for now, since I doubt it causes any problem.
>>
>> 2. Write custom policy for it.
>>
>> # grep pam_console_t /var/log/audit/audit.log | audit2allow -M mypamconsole
>> # semodule -i mypamconsole.pp
>>
>> 3. Wait for the next policy update which will write a rule to
>> dontaudit this.
>
> Would it be-better/help if kdm.log was in /var/log/kdm/ dir instead of
> /var/log/ directly?
>
> -- Rex
Ordinarily yes, but in this case it does not matter. The problem is a
redirection of stdout to the log file and pam_console_t does not have
permission to write there. So it generates an avc when it starts
pam_console. pam_console runs anyway and completes.
16 years, 10 months
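Daniel's option 2 above is the audit2allow route. As an added illustration (this is not audit2allow itself and not code from any post in this thread), the script below does the core of what `audit2allow -M` does: parse AVC denial records, group them by source type, target type and object class, and emit the `require` block and `allow` rules of a .te module. The sample log is constructed from the denials quoted in this digest; the `source_type` filter plays the role of the `grep` in Daniel's command. Note that the generated rules are a record of what was denied, not a judgement of whether it should be allowed, so read each rule before `semodule -i`.

```python
"""Derive SELinux allow rules from AVC denial records, in the manner of audit2allow.
Added example; not the real audit2allow and not code from the mailing-list posts."""
import re
from collections import defaultdict

# Constructed sample: denials quoted in this digest (kdm.log, mknod, audio-entropyd),
# trimmed to the fields the rule derivation needs.
SAMPLE_AUDIT_LOG = """\
avc: denied { append } for comm="pam_console_app" name="kdm.log" path="/var/log/kdm.log" pid=3804 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:xserver_log_t:s0
audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
avc: denied { write } for comm="mknod" name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=dir
type=AVC msg=audit(1181506748.052:79): avc: denied { dac_override } for pid=8712 comm="audio-entropyd" capability=1 scontext=system_u:system_r:entropyd_t:s0 tcontext=system_u:system_r:entropyd_t:s0 tclass=capability
type=SYSCALL msg=audit(1181506748.052:79): arch=40000003 syscall=5 success=yes exit=5
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")


def field(line, key):
    """Return the value of key=value in an audit record; field order varies between records."""
    m = re.search(rf"\b{key}=(\S+)", line)
    return m.group(1) if m else None


def type_of(context):
    """user:role:type[:mls] -> type (the third colon-separated component)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the (perms, source type, target type, class) of one denial, or None."""
    m = PERMS_RE.search(line)
    scontext, tcontext, tclass = field(line, "scontext"), field(line, "tcontext"), field(line, "tclass")
    if not (m and scontext and tcontext and tclass):
        return None
    return {
        "perms": set(m.group(1).split()),
        "stype": type_of(scontext),
        "ttype": type_of(tcontext),
        "tclass": tclass,
    }


def derive_rules(log_text, source_type=None):
    """Group denials by (source, target, class) and merge the permissions, as audit2allow does.
    Returns {(stype, ttype, tclass): set(perms)}; a target equal to the source becomes 'self'."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None or not d["perms"]:
            continue
        if source_type and d["stype"] != source_type:
            continue
        ttype = "self" if d["ttype"] == d["stype"] else d["ttype"]
        rules[(d["stype"], ttype, d["tclass"])] |= d["perms"]
    return dict(rules)


def _permset(perms):
    return " ".join(sorted(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"


def render_module(rules, name):
    """Render a .te module: header, require block (types and classes), then allow rules."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in rules.items():
        types.add(s)
        if t != "self":
            types.add(t)
        classes[c] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_permset(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_permset(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Equivalent of: grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
    print(render_module(derive_rules(SAMPLE_AUDIT_LOG, "insmod_t"), "myinsmod"))
```

The real tool additionally resolves names against the loaded policy and can emit `dontaudit` rules instead of `allow` (option 3 in Daniel's list is exactly that, done upstream), but the grouping shown here is where its output comes from.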
kdebase: selinux preventing appending to /var/log/kdm.log ?
by Rex Dieter
See also:
http://bugzilla.redhat.com/243505
Raw Audit Messages
avc: denied { append } for comm="pam_console_app" dev=sda6 egid=500 euid=0
exe="/sbin/pam_console_apply" exit=0 fsgid=500 fsuid=0 gid=500 items=0
name="kdm.log" path="/var/log/kdm.log" pid=3804
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500
subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:xserver_log_t:s0 tty=(none) uid=0
Any advice on how best to address this?
-- Rex
16 years, 10 months
mknod problem still present denied avc's
by Antonio Olivares
dmesg returns
audit(1181681041.681:4): avc: denied { add_name } for pid=739 comm="mknod" name="slamr0" scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=dir
After I did this again
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# grep insmod /var/log/audit/audit.log | audit2allow -M myinsmod
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i myinsmod.pp
[root@localhost ~]# semodule -i myinsmod.pp
[root@localhost ~]#
Selinux troubleshooter returned this:
avc: denied { write } for comm="mknod" dev=tmpfs egid=0 euid=0 exe="/bin/mknod" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=2766 scontext=user_u:system_r:insmod_t:s0 sgid=0 subj=user_u:system_r:insmod_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:device_t:s0 tty=pts0 uid=0
Policy RPM: selinux-policy-2.6.4-8.fc7
Affected RPM Packages: coreutils-6.9-2.fc7 [application]
Policy RPM: selinux-policy-2.6.4-12.fc7
How can I effectively fix this?
This is my /etc/modprobe.conf
[root@localhost Download]# cat /etc/modprobe.conf
alias eth0 8139too
alias scsi_hostadapter sata_via
alias scsi_hostadapter1 pata_via
alias snd-card-0 snd-via82xx
options snd-card-0 index=0
options snd-via82xx index=0
install slamr modprobe --ignore-install ungrab-winmodem ; modprobe --ignore-install slamr; test -e /dev/slamr0 || (/bin/mknod -m 660 /dev/slamr0 c 242 0 2>/dev/null && chgrp dialout /dev/slamr0)
[root@localhost Download]#
Thanks,
Antonio
16 years, 10 months
apcupsd problems on FC7
by Number Cruncher
I have an APC UPS supporting one of our web servers and would like to
keep SELinux enabled, but the apcupsd is unable to run its support
script /etc/apcupsd/apccontrol when a power out even occurs. This script
is needed to gracefully inform users and power off the machine cleanly.
Jun 12 12:51:40 web kernel: audit(1181649100.560:15): avc: denied { execute } for pid=4129 comm="apcupsd" name="apccontrol" dev=dm-0 ino=1870532 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jun 12 12:51:40 web kernel: audit(1181649100.560:16): avc: denied { execute } for pid=4130 comm="apcupsd" name="apccontrol" dev=dm-0 ino=1870532 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
I've tried writing a local policy, but it just seems to propagate the problem:
module local 1.0;
require {
type bin_t;
type apcupsd_t;
type net_conf_t;
type etc_t;
type shell_exec_t;
type hostname_exec_t;
type proc_t;
class file { read execute getattr execute_no_trans };
class dir search;
class lnk_file read;
}
#============= apcupsd_t ==============
allow apcupsd_t etc_t:file execute;
allow apcupsd_t etc_t:file execute_no_trans;
allow apcupsd_t net_conf_t:file read;
allow apcupsd_t bin_t:dir search;
allow apcupsd_t bin_t:lnk_file read;
allow apcupsd_t shell_exec_t:file execute;
allow apcupsd_t shell_exec_t:file read;
allow apcupsd_t bin_t:file { read getattr execute execute_no_trans };
allow apcupsd_t hostname_exec_t:file { read execute getattr };
allow apcupsd_t proc_t:file {read getattr};
type=AVC msg=audit(1181656523.928:210): avc: denied { read write } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:210): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8002 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1181656523.928:211): avc: denied { read } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:211): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8000 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1181656523.928:212): avc: denied { read write } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:212): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8002 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1181656523.928:213): avc: denied { read } for pid=7520 comm="wall" name="utmp" dev=dm-2 ino=8060933 scontext=root:system_r:apcupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1181656523.928:213): arch=40000003 syscall=5 success=no exit=-13 a0=4997c08b a1=8000 a2=0 a3=4997c091 items=0 ppid=1 pid=7520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=5 sgid=5 fsgid=5 tty=(none) comm="wall" exe="/usr/bin/wall" subj=root:system_r:apcupsd_t:s0 key=(null)
type=USER_AVC msg=audit(1181656637.910:214): user pid=1869 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload notice (seqno=14) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
System:
kernel-2.6.21-1.3226.fc7
selinux-policy-2.6.4-13.fc7
Any help appreciated,
Simon
16 years, 10 months
audio-entropyd needs some help....
by Tom London
Running latest Rawhide, targeted.
Running in enforcing mode, audio-entropyd fails to start.
Flipping to permissive mode and restarting, I get these:
type=AVC msg=audit(1181506748.052:78): avc: denied { read write }
for pid=8712 comm="audio-entropyd" name="random" dev=tmpfs ino=3167
scontext=system_u:system_r:entropyd_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1181506748.052:78): arch=40000003 syscall=5
success=yes exit=4 a0=804a2b3 a1=2 a2=0 a3=bfbbdef0 items=0 ppid=1
pid=8712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="audio-entropyd"
exe="/usr/sbin/audio-entropyd" subj=system_u:system_r:entropyd_t:s0
key=(null)
type=AVC msg=audit(1181506748.052:79): avc: denied { dac_override }
for pid=8712 comm="audio-entropyd" capability=1
scontext=system_u:system_r:entropyd_t:s0
tcontext=system_u:system_r:entropyd_t:s0 tclass=capability
type=SYSCALL msg=audit(1181506748.052:79): arch=40000003 syscall=5
success=yes exit=5 a0=804a268 a1=0 a2=45ef7fc0 a3=804a268 items=0
ppid=1 pid=8712 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="audio-entropyd"
exe="/usr/sbin/audio-entropyd" subj=system_u:system_r:entropyd_t:s0
key=(null)
Looks like it wants read/write access to /dev/random plus dac_override.
tom
--
Tom London
16 years, 10 months
udev file access
by Michael Thomas
I installed a custom udev rule in /etc/udev/rules.d/ that invokes a
shell script to back up my USB thumb drive whenever it's plugged in. The
script makes use of 'mkdir', 'find', and 'dd' to create the backup. The
backups are created in a /images/backups directory, that has the default
label 'user_u:object_r:file_t'.
When udev launches the script, I get avcs because udev isn't allowed to
write to file_t (not surprising):
avc: denied { read } for comm="find" dev=sda3 egid=0 euid=0
exe="/usr/bin/find" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
pid=4539 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0
How should this backup directory get labeled so that udev can write to
it? Or should I create a custom file context for backup files and then
give udev_t permission to write to the backup file context?
--Mike
16 years, 10 months
openvpn on fedora 7
by Matthew Gillen
I had to add the following module before openvpn would work. The first issue
was that openvpn didn't have permission to write a .pid file to
/var/run/openvpn. The other problem seemed to be that a TCP socket could not
be created (the name_connect part).
The dac_override is something that I don't get. Why would openvpn need that?
Unix permissions problems?
Here's the additional policy:
-----------------------------
require {
type openvpn_t;
type openvpn_port_t;
type openvpn_var_run_t;
class capability dac_override;
class tcp_socket name_connect;
class dir { write search add_name };
}
#============= openvpn_t ==============
allow openvpn_t openvpn_port_t:tcp_socket name_connect;
allow openvpn_t openvpn_var_run_t:dir { write search add_name };
allow openvpn_t self:capability dac_override;
-----------------------------
Thanks,
Matt
16 years, 10 months
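Matt asks above why openvpn would need dac_override, and Tom's audio-entropyd output shows the same capability being requested. The answer is in how the kernel orders its checks: `generic_permission()` first evaluates the owner/group/other mode bits for the process's fsuid/fsgid, and only when those bits deny the access does it ask `capable(CAP_DAC_OVERRIDE)`, which is the point at which SELinux is consulted for `self:capability dac_override` and logs the AVC. So a dac_override denial for a uid 0 daemon means it touched something whose mode bits would have refused root, for example a 0600 file owned by an unprivileged service account; an access that the mode bits already allow never reaches the capability check. The model below is an added illustration, not code from openvpn, audio-entropyd or the policy; the file owners and modes in the scenarios are constructed and hypothetical.

```python
"""Model of the Unix DAC check and the CAP_DAC_OVERRIDE fallback behind it, to show when
SELinux sees a dac_override request.  Added illustration; not code from any daemon or policy."""

R, W, X = 4, 2, 1  # permission bits of one rwx triplet


def dac_allows(fsuid, fsgid, groups, file_uid, file_gid, mode, want):
    """Owner/group/other mode bits only; uid 0 gets no special treatment here."""
    if fsuid == file_uid:
        bits = (mode >> 6) & 7
    elif fsgid == file_gid or file_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def override_can_rescue(mode, want, is_dir=False):
    """CAP_DAC_OVERRIDE bypasses read/write bits unconditionally, but bypasses a missing
    exec bit only for directories or files that have at least one exec bit set."""
    if not (want & X):
        return True
    return is_dir or bool(mode & 0o111)


def access_outcome(fsuid, fsgid, groups, file_uid, file_gid, mode, want,
                   has_cap_dac_override, is_dir=False):
    """'dac'          : mode bits allow it; no capability is consulted
       'dac_override' : mode bits deny it and CAP_DAC_OVERRIDE is used instead; this is
                        the moment SELinux checks self:capability dac_override
       'denied'       : EACCES"""
    if dac_allows(fsuid, fsgid, groups, file_uid, file_gid, mode, want):
        return "dac"
    if has_cap_dac_override and override_can_rescue(mode, want, is_dir):
        return "dac_override"
    return "denied"


ROOT = dict(fsuid=0, fsgid=0, groups=set(), has_cap_dac_override=True)

# Constructed scenarios; ownerships and modes are hypothetical, not taken from the posts.
SCENARIOS = {
    # root daemon reads a 0600 file owned by an unprivileged service account
    "root reads other user's 0600 file": dict(ROOT, file_uid=1001, file_gid=1001, mode=0o600, want=R),
    # root opens a world-rw device node (the usual mode of /dev/random is 0666)
    "root rw on 0666 device node": dict(ROOT, file_uid=0, file_gid=0, mode=0o666, want=R | W),
    # root execs a file with no exec bit at all: the capability does not help
    "root exec of 0644 file": dict(ROOT, file_uid=0, file_gid=0, mode=0o644, want=X),
    # unprivileged process without the capability writes a root-owned 0644 file
    "uid 1001 writes root 0644 file": dict(fsuid=1001, fsgid=1001, groups=set(), has_cap_dac_override=False,
                                           file_uid=0, file_gid=0, mode=0o644, want=W),
    # supplementary-group member writes a 0660 file: group branch, no capability needed
    "group member writes 0660 file": dict(fsuid=1001, fsgid=1001, groups={5}, has_cap_dac_override=False,
                                          file_uid=0, file_gid=5, mode=0o660, want=W),
}


def run_scenarios():
    """Evaluate every scenario; returns {name: outcome}."""
    return {name: access_outcome(**kw) for name, kw in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:36s} -> {result}")
```

The practical consequence for a denial like Matt's: before granting `self:capability dac_override`, look at which file the daemon was opening (the matching SYSCALL/PATH records give it) and fix its ownership or mode so the DAC check passes on its own; the capability is then never requested and the rule is unnecessary.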
Re: AVC Denied Dhcp and Iptables.
by piotreek
2007/6/11, piotreek <piotreek23(a)gmail.com>:
>
> 2007/6/11, Daniel J Walsh <dwalsh(a)redhat.com>:
> >
> > piotreek wrote:
> > > Hi guys, I found some strange messages in my logs. It seems that
> > > SELinux is blocking DHCP and iptables.
> > > I found a similar post on the group about DHCP but my messages are
> > > different. I am using FC7; the latest policy update didn't resolve the
> > > problem.
> > > P.S. I am using Firestarter as my firewall.
> > I believe you will need to write custom policy to make this work. You
> > can simply add these rules using audit2allow.
> >
> > # grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
> >
> > # semodule -i mydhcpc.pp
> >
> > Having dhcpc allowed to turn on/off firewall rules is of debatable
> > security risk.
>
>
> Thanks, but I found what was causing the problem. Firestarter was causing
> these messages. After uninstalling it I wrote my own iptables script, and
> the strange messages disappeared.
16 years, 10 months
Swat (samba configurator) working with SELinux
by Fox 2000
Hello,
I have a problem with Swat Samba configurator module
and SElinux:
SELinux=permissive => Swat works.
SELinux= enforcing => can't login to swat.
I've already searched the internet for support, but it
looks like SELinux is something people still do not
understand well. I include myself in this situation.
All the answers I get are "turn SELinux off". I believe
there must be a better idea than that!
Thanks for your time reading/answering this.
All the Best,
Fochi
16 years, 10 months
checkpolicy
by Nitish Dutt
Hi everybody
Actually I am a newbie to this open source world and am just working on SELinux
as my project. I had started studying the source code of the checkpolicy component of
SELinux, but I am not getting where to start and what the function of each
file in the checkpolicy package is. Could anybody please help me out with that?
16 years, 10 months