unpriv user domain <--> SE-PostgreSQL
by KaiGai Kohei
Dan,
At the selinux-policy-3.4.2, you pulled the latest upstreamed
refpolicy which contains a set of SE-PostgreSQL policies,
but it neglected to merge an interface invocation at
userdom_unpriv_user_template(), as follows:
optional_policy(`
postgresql_userdom_template($1,$1_t,$1_r)
')
It prevents user_t, staff_t, ... from accessing SE-PostgreSQL.
Could you update it?
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
15 years, 10 months
simple question with home serving ruby on rails web site
by Craig White
I'm running in permissive mode so all I'm getting is warnings but I'm
wondering the best way to solve this...
error every time httpd starts...
SELinux has denied httpd access to potentially mislabeled file(s)
(./svn-new). This means that SELinux will not allow httpd to use these
files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The
problem is that the files end up with the wrong file context which
confined applications are not allowed to access.
Allowing Access
If you want httpd to access this files, you need to relabel them using
restorecon -v './svn-new'. You might want to relabel the entire
directory using restorecon -R -v './svn-new'.
Additional Information
Source Context: system_u:system_r:httpd_t:SystemLow-SystemHigh
Target Context: user_u:object_r:user_home_t
Target Objects: ./svn-new [ dir ]
Source: httpd
Source Path: /usr/sbin/httpd
/home/craig/svn-new is an svn checkout and is the 'RAILS ROOT' directory
for the web server.
$ ls -ldZ /home/craig/svn-new/
drwxrwxr-x craig craig
user_u:object_r:user_home_t /home/craig/svn-new/
This is on Fedora 9. In the past, I could have used
system-config-security and set selinux to allow web page serving from
user home directories but I don't see that tool any more.
What's the best way to handle this?
Craig
15 years, 10 months
chcon in %post
by Jason L Tibbitts III
I just came across a package that does this:
%post
/usr/bin/chcon -t unconfined_execmem_exec_t %{_libexecdir}/haddock.bin >/dev/null 2>&1 || :
rpmlint complains bitterly about it, and honestly I'm really not sure
what's supposed to happen here. This is a ghc-compiled binary. (ghc
is a Haskell compiler.)
So, if you have a binary in a package that really needs this context,
is running chcon in %post the right way to do it?
- J<
15 years, 10 months
polyinstantiation and removable media
by Stefan Schulze Frielinghaus
Something strange happens when /tmp and /var/tmp are polyinstantiated
for all of my users except root and adm.
/etc/security/namespace.conf:
/tmp tmpfs tmpfs root,adm
/var/tmp tmpfs tmpfs root,adm
When the user logs into a GDM session using GNOME and plugs in a
USB-Stick, DVD or whatever the device is _not_ mounted. Everything else
works fine. The directory in /media is created and everything is setup
correctly but the final mount command is not issued.
The logfiles don't speak that much but maybe this is a little hint.
Jun 21 19:20:19 test kernel: sd 0:0:0:0: [sda] Attached SCSI removable
disk
Jun 21 19:20:19 test console-kit-daemon[1629]: WARNING: Couldn't
read /proc/2766/environ: Error reading file '/proc/2766/environ': No
such process
Jun 21 19:20:20 test hald: mounted /dev/sda1 on behalf of uid 500
Jun 21 19:20:20 test gnome-keyring-daemon[2647]: adding removable
location: volume_uuid_47DB_BAD8 at /media/blub
And here is a logfile without polyinstantiation:
Jun 21 19:25:00 test kernel: sd 1:0:0:0: [sda] Attached SCSI removable
disk
Jun 21 19:25:00 test kernel: sd 1:0:0:0: Attached scsi generic sg0 type
0
Jun 21 19:25:01 test gnome-keyring-daemon[3746]: adding removable
location: volume_uuid_47DB_BAD8 at /media/blub
Jun 21 19:25:01 test hald: mounted /dev/sda1 on behalf of uid 500
Both logs say that the media was mounted but that's not true if
polyinstantiated. Maybe something related to the console-kit-daemon
warning message?
Does someone have an idea or can confirm this?
Best regards
Stefan
15 years, 10 months
What to do about "invalid context"
by Göran Uddeborg
Could anyone explain what is wrong when I get the error below?
The problem:
I get error messages when I try to run crontab.
mimmi> env LANG=en_US.utf8 crontab -l
Authentication service cannot retrieve authentication info
You (göran) are not allowed to access to (crontab) because of pam configuration.
What I have found out:
In the audit log there is this entry:
mimmi> sudo ausearch -a 3208
----
time->Sat Jun 14 11:17:09 2008
type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 a0=7f7c49c10238 a1=7fff57b9d760 a2=7f7c49e11f50 a3=7f7c4f562a70 items=0 ppid=5234 pid=5236 auid=503 uid=0 gid=503 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process
Using strace I see that crontab tries to exec /sbin/unix_update and
fails, which I suppose is what this message is about:
4826 execve("/sbin/unix_update", ["/sbin/unix_update", "g\303\266ran", "verify"], [/* 0 vars */]) = -1 EACCES (Permission denied)
My first thought was that maybe the label on unix_update had not been
correctly updated in some upgrade or so. But doing a restorecon on
it didn't change its context (system_u:object_r:updpwd_exec_t:s0).
I assume there is something broken in the host configurations, rather
than some bug in the policy. But I don't understand what it is or
what to do about it. I'm usually able to figure out
"type=AVC"/"avc: denied" issues, but what do I do about a
"type=SELINUX_ERR"/"invalid context"?
15 years, 10 months
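The distinction the question turns on, worked through as an added example (my code, not from the post or the list): a small parser that groups audit records by serial and tells an AVC denial apart from a SELINUX_ERR "invalid context" record. The sample log is constructed from the two records quoted above plus one AVC denial taken from the .hal-mtab-lock thread on this page, for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the SYSCALL/SELINUX_ERR pair from the crontab post plus
# an AVC denial from another thread on this page, for contrast.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1213435029.953:3208): arch=c000003e syscall=59 success=no exit=-13 items=0 ppid=5234 pid=5236 auid=503 uid=0 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(1213435029.953:3208): security_compute_sid: invalid context unconfined_u:unconfined_r:updpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=process
type=AVC msg=audit(1213418588.58:32): avc: denied { write } for pid=3290 comm="umount" path="/media/.hal-mtab-lock" dev=dm-0 ino=1785859 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file
"""

HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value pairs, quoted or bare
PERM_RE = re.compile(r'avc: +(denied|granted) +\{ ([^}]*) \}')
INVALID_RE = re.compile(r'invalid context (\S+) for ')


def split_context(ctx):
    """user:role:type[:range]; the MLS range itself may contain ':'."""
    user, role, typ, *rest = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'range': rest[0] if rest else ''}


def parse_record(line):
    """One audit line -> dict, or None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m['type'], 'serial': int(m['serial']),
           'fields': {k: v.strip('"') for k, v in KV_RE.findall(m['body'])}}
    perm = PERM_RE.search(m['body'])
    if perm:
        rec['decision'], rec['perms'] = perm.group(1), perm.group(2).split()
    inv = INVALID_RE.search(m['body'])
    if inv:
        rec['invalid_context'] = split_context(inv.group(1))
    return rec


def diagnose(log_text):
    """Group records by audit serial and classify each event.

    AVC: a permission was checked and refused (fix a label, boolean or rule).
    SELINUX_ERR 'invalid context': the kernel computed a transition whose
    user/role/type/range combination is not defined in the loaded policy; in
    enforcing mode the exec then fails with EACCES and no AVC is logged, so
    only the SYSCALL record (success=no exit=-13) betrays the failure.
    """
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec['serial']].append(rec)
    findings = {}
    for serial, recs in by_serial.items():
        comm = next((r['fields']['comm'] for r in recs if 'comm' in r['fields']), None)
        for r in recs:
            if 'invalid_context' in r:
                ic = r['invalid_context']
                findings[serial] = {'kind': 'invalid_context', 'comm': comm, 'context': ic,
                                    'hint': f"{ic['user']}:{ic['role']}:{ic['type']} is not a valid "
                                            "combination in the loaded policy (compare the role's "
                                            "types and the user's roles, e.g. with seinfo)"}
            elif r['type'] == 'AVC':
                f = r['fields']
                findings[serial] = {'kind': 'avc', 'comm': comm, 'perms': r.get('perms', []),
                                    'source': split_context(f['scontext'])['type'],
                                    'target': split_context(f['tcontext'])['type'],
                                    'tclass': f.get('tclass')}
    return findings
```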
What is the proper context for .strigi?
by Dan Thurman
I have run into a problem of limited space for .strigi
which was located in my home directory, so I decided
to move ~/.strigi to another partition with ample space
and created a symbolic link from ~/.strigi to the new
location on a different partition.
Selinux is reporting:
SELinux is preventing strigidaemon (unconfined_t) "mmap_zero" to
<Unknown> (unconfined_t).
So, what is the proper context for .strigi and all of the files/directories
contained within?
Thanks!
Dan
15 years, 10 months
Fwd: [MLS Policy]:- Problem for mapping between the Linux user to SELinux user for fedora 8
by prakash hallalli
Hi...
Now I am trying to configure RBAC using the MLS (Multilevel Security) Policy
for Fedora 8.
Because I have read Dan Walsh's journal, where he said the MLS policy is more useful for
RBAC:
http://danwalsh.livejournal.com/?skip=40
"Using RBAC In FC5/MLS Policy"
So I am using the MLS policy for RBAC. Here I have installed the MLS packages and
changed from the targeted policy to the mls policy.
Then I have configured the roles for users, but I couldn't set the roles
because when I set the roles it displays the error message below.
Steps to reproduce:
1) Adding the SELinux audit user using the semanage command.
# semanage user -a -R staff_r -R auditadm_r -P staff audit_u
2) Here I am checking the SELinux users.
[root@turtle2 ~]# semanage user -l
                Labeling   MLS/         MLS/
SELinux User    Prefix     MCS Level    MCS Range                        SELinux Roles
audit_u         staff      SystemLow    SystemLow                        staff_r auditadm_r
root            sysadm     SystemLow    SystemLow:SystemLow-SystemHigh   system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow    SystemLow:SystemLow-SystemHigh   sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow    SystemLow:SystemLow-SystemHigh   sysadm_r
system_u        user       SystemLow    SystemLow:SystemLow-SystemHigh   system_r
user_u          user       SystemLow    SystemLow                        system_r user_r
[root@turtle2 ~]#
3) Now I am mapping the Linux user to a SELinux user; when I set the
SELinux user it throws the following error message.
[root@turtle2 ~]# semanage login -a -s audit -r SystemLow-SystemHigh prakash
libsemanage.validate_handler: selinux user audit does not exist No such file
or directory.
libsemanage.validate_handler: seuser mapping [prakash -> (audit,
s0-s15:c0.c1023)] is invalid No such file or directory.
libsemanage.dbase_llist_iterate: could not iterate over records No such file
or directory.
/usr/sbin/semanage: Could not add login mapping for prakash
[root@turtle2 ~]#
4) I am using sysadm_r; root's information is as follows
[root@turtle2 ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=root:sysadm_r:sysadm_t:SystemLow:SystemLow-SystemHigh
[root@turtle2 ~]#
5) This is the audit log message I am getting using the ausearch command.
[root@turtle2 ~]# ausearch -i -m AVC -sv no
type=SYSCALL msg=audit(06/02/2008 22:09:05.165:6877768) : arch=i386
syscall=read success=no exit=-13(Permission denied) a0=3 a1=9098808 a2=400
a3=400 items=0 ppid=1 pid=2060 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
comm=gam_server exe=/usr/libexec/gam_server
subj=system_u:system_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(06/02/2008 22:09:05.165:6877768) : avc: denied { read }
for pid=2060 comm=gam_server path=inotify dev=inotifyfs ino=1
scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
I don't know why it's throwing this error. I have searched on Google but I
couldn't find anything.
Please help me; what should I do?
Thanks,
Prakash
15 years, 10 months
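Added example (my code, not from the post): a pre-check for a `semanage login -a` request that mirrors the two libsemanage validations whose failure is shown in the thread above, that the SELinux user exists and that the requested range lies inside that user's range. The user listing is a constructed copy of the `semanage user -l` output above with ranges written in plain SystemLow-SystemHigh form, and the SystemLow/SystemHigh translations to s0 and s15:c0.c1023 are assumed from the s0-s15:c0.c1023 shown in the error.

```python
from difflib import get_close_matches

# Constructed sample in the shape of `semanage user -l` on the MLS policy
# (one row per user, ranges written in plain SystemLow-SystemHigh form).
USER_LIST = """\
SELinux User  Prefix  MLS/MCS Level  MLS/MCS Range         SELinux Roles
audit_u       staff   SystemLow      SystemLow             staff_r auditadm_r
root          sysadm  SystemLow      SystemLow-SystemHigh  system_r sysadm_r staff_r secadm_r auditadm_r
staff_u       staff   SystemLow      SystemLow-SystemHigh  sysadm_r staff_r secadm_r auditadm_r
sysadm_u      sysadm  SystemLow      SystemLow-SystemHigh  sysadm_r
system_u      user    SystemLow      SystemLow-SystemHigh  system_r
user_u        user    SystemLow      SystemLow             system_r user_r
"""

# Assumed level translations (the libsemanage error in the post shows
# SystemLow-SystemHigh being expanded to s0-s15:c0.c1023 on this policy).
TRANSLATIONS = {'SystemLow': 's0', 'SystemHigh': 's15:c0.c1023'}


def parse_users(text):
    """{seuser: {'prefix', 'level', 'range', 'roles'}} from the listing (header skipped)."""
    users = {}
    for line in text.splitlines()[1:]:
        name, prefix, level, rng, *roles = line.split()
        users[name] = {'prefix': prefix, 'level': level, 'range': rng, 'roles': roles}
    return users

def parse_level(level):
    """'s15:c0.c1023' -> (15, {0..1023}); categories may be single, listed or ranged."""
    for name, raw in TRANSLATIONS.items():
        level = level.replace(name, raw)
    sens, _, cats = level.partition(':')
    catset = set()
    for part in filter(None, cats.split(',')):
        lo, _, hi = part.partition('.')
        catset.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), catset

def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories include b's."""
    return a[0] >= b[0] and b[1] <= a[1]

def parse_range(rng):
    """'low-high' (or a single level) -> (low, high) as parsed levels."""
    low, _, high = rng.partition('-')
    return parse_level(low), parse_level(high or low)

def validate_mapping(user_list_text, login, seuser, rng):
    """Pre-check `semanage login -a -s SEUSER -r RANGE LOGIN` against the listing.

    Mirrors the two libsemanage checks whose failure is shown in the post: the
    SELinux user must exist, and the requested range must lie inside that
    user's own range.  Returns a list of problems; empty means it should pass.
    """
    users = parse_users(user_list_text)
    if seuser not in users:
        close = get_close_matches(seuser, users, n=1)
        hint = f" (did you mean {close[0]}?)" if close else ""
        return [f"selinux user {seuser} does not exist{hint}"]
    (lo, hi), (ulo, uhi) = parse_range(rng), parse_range(users[seuser]['range'])
    if not (dominates(lo, ulo) and dominates(uhi, hi)):
        return [f"range {rng} for {login} is outside {seuser}'s range {users[seuser]['range']}"]
    return []
```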
Re: f9 selinux complaint opening dvd reader .hal-mtab-lock
by Antonio Olivares
--- On Fri, 6/13/08, Skunk Worx <skunkworx(a)verizon.net> wrote:
> From: Skunk Worx <skunkworx(a)verizon.net>
> Subject: f9 selinux complaint opening dvd reader .hal-mtab-lock
> To: "For users of Fedora Core releases" <fedora-list(a)redhat.com>
> Date: Friday, June 13, 2008, 9:33 PM
> When I open my DVD reader by pushing the button I get a
> sheriff badge.
>
> Should I just apply the "Fix Command"?
> ---
> John
>
> Summary
> SELinux prevented umount from mounting on the file or
> directory
> "/media/.hal-mtab-lock" (type "mnt_t").
>
> Detailed Description
> SELinux prevented umount from mounting a filesystem on the
> file or
> directory "/media/.hal-mtab-lock" of type
> "mnt_t". By default SELinux
> limits the mounting of filesystems to only some files or
> directories
> (those with types that have the mountpoint attribute). The
> type "mnt_t"
> does not have this attribute. You can either relabel the
> file or
> directory or set the boolean
> "allow_mount_anyfile" to true to allow
> mounting on any file or directory.
>
> Allowing Access
> Changing the "allow_mount_anyfile" boolean to
> true will allow this
> access: "setsebool -P allow_mount_anyfile=1."
>
> Fix Command
> setsebool -P allow_mount_anyfile=1
>
> Additional Information
> Source Context: system_u:system_r:mount_t:s0
> Target Context: system_u:object_r:mnt_t:s0
> Target Objects: /media/.hal-mtab-lock [ file ]
> Source: umount
> Source Path: /bin/umount
> Port: <Unknown>
> Host: localhost.localdomain
> Source RPM Packages: util-linux-ng-2.13.1-6.fc9
> Target RPM Packages:
> Policy RPM: selinux-policy-3.3.1-64.fc9
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Enforcing
> Plugin Name: allow_mount_anyfile
> Host Name: localhost.localdomain
> Platform: Linux localhost.localdomain
> 2.6.25.6-55.fc9.x86_64 #1 SMP Tue
> Jun 10 16:05:21 EDT 2008 x86_64 x86_64
> Alert Count: 7
> First Seen: Sun 25 May 2008 01:45:46 AM PDT
> Last Seen: Fri 13 Jun 2008 09:20:53 PM PDT
> Local ID: eb563b96-3949-4532-8792-f239a145eef7
> Line Numbers:
>
> Raw Audit Messages :
> host=localhost.localdomain type=AVC
> msg=audit(1213417253.89:56): avc:
> denied { read write } for pid=3267 comm="umount"
> path="/media/.hal-mtab-lock" dev=dm-0 ino=4505604
>
> scontext=system_u:system_r:mount_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=file
>
> host=localhost.localdomain type=SYSCALL
> msg=audit(1213417253.89:56):
> arch=c000003e syscall=59 success=yes exit=0 a0=403665
> a1=7fff5c756200
> a2=7fff5c756888 a3=0 items=0 ppid=3266 pid=3267
> auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none)
> ses=4294967295 comm="umount"
> exe="/bin/umount"
> subj=system_u:system_r:mount_t:s0 key=(null)
>
> --
> fedora-list mailing list
> fedora-list(a)redhat.com
> To unsubscribe:
> https://www.redhat.com/mailman/listinfo/fedora-list
I get the same thing :(
I applied the suggested fix, but still see the same
CCD: fedora-selinux-list(a)redhat.com
Summary:
SELinux prevented umount from mounting on the file or directory
"/media/.hal-mtab-lock" (type "mnt_t").
Detailed Description:
SELinux prevented umount from mounting a filesystem on the file or directory
"/media/.hal-mtab-lock" of type "mnt_t". By default SELinux limits the mounting
of filesystems to only some files or directories (those with types that have the
mountpoint attribute). The type "mnt_t" does not have this attribute. You can
either relabel the file or directory or set the boolean "allow_mount_anyfile" to
true to allow mounting on any file or directory.
Allowing Access:
Changing the "allow_mount_anyfile" boolean to true will allow this access:
"setsebool -P allow_mount_anyfile=1."
Fix Command:
setsebool -P allow_mount_anyfile=1
Additional Information:
Source Context system_u:system_r:mount_t:s0
Target Context system_u:object_r:mnt_t:s0
Target Objects /media/.hal-mtab-lock [ file ]
Source umount
Source Path /bin/umount
Port <Unknown>
Host localhost.localdomain
Source RPM Packages util-linux-ng-2.13.1-6.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-51.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_mount_anyfile
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25.6-55.fc9.x86_64
#1 SMP Tue Jun 10 16:05:21 EDT 2008 x86_64 x86_64
Alert Count 3
First Seen Wed 11 Jun 2008 09:10:49 PM CDT
Last Seen Fri 13 Jun 2008 11:43:08 PM CDT
Local ID 035edd4c-51d5-49fb-b01f-6468353b5b2d
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1213418588.58:32): avc: denied { write } for pid=3290 comm="umount" path="/media/.hal-mtab-lock" dev=dm-0 ino=1785859 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1213418588.58:32): arch=c000003e syscall=59 success=yes exit=0 a0=403665 a1=7fffd7da1770 a2=7fffd7da1df8 a3=0 items=0 ppid=3289 pid=3290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" subj=system_u:system_r:mount_t:s0 key=(null)
I manually ejected a data cd.
Thanks,
Antonio
15 years, 11 months
Fwd: [MLS Policy]:- MLS policy problem when manually restarting the servers.
by prakash hallalli
Hi
I have followed the same steps you gave to change the libc.so.6 file
label. Now the user is able to log in to the system; it is not showing any
error message at login time. But still I am not able to restart system
services. Now the error message it shows is "unrecognized service".
I have received the following error messages.
[root@turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls
[root@turtle11 ~]# service nfs restart
Shutting down NFS mountd: [ OK ]
Shutting down NFS daemon: [ OK ]
Shutting down NFS quotas: [ OK ]
Shutting down NFS services: [ OK ]
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
[root@turtle11 ~]# setenforce 1
[root@turtle11 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls
[root@turtle11 ~]# service nfs restart
nfs: unrecognized service
[root@turtle11 ~]# service ldap restart
ldap: unrecognized service
[root@turtle11 ~]# service samba restart
samba: unrecognized service
[root@turtle11 ~]# service named restart
named: unrecognized service
[root@turtle11 ~]#
Please help me; what should I do?
Thanks,
prakash
On Tue, Jun 10, 2008 at 5:37 PM, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
>
> On Tue, 2008-06-10 at 17:14 +0530, prakash hallalli wrote:
> > Hi All
> >
> > I have configured SELinux on CentOS 5.1. I have configured the RBAC
> > using MLS (Multilevel Security) Policy.
> > Now I am trying to restart the system services and they are not
> > restarting; it is throwing an error message.
> > I have a question here: with the MLS policy enabled, will I be able to
> > restart the system services? If yes, then what should I do, and if no, what is
> > the reason?
> >
> > Steps to reproduce:
> >
> > 1) MLS Policy configuration.
> >
> > 1. Install selinux-policy-mls
> > 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> > 3. touch ./autorelabel; on root's home directory, and reboot the
> > machine.
> > 4. While machine is rebooting, change the GRUB parameter.
> > enforcing=0
> >
> > 2) Now system is in permissive mode and SELinux status is as follows.
> >
> > # sestatus
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: permissive
> > Mode from config file: enforcing
> > Policy version: 21
> > policy from config file: mls
> >
> > 3) Restart the system services and they restart successfully.
> >
> > [root@turtle11 ~]# service nfs restart
> > Shutting down NFS mountd: [FAILED]
> > Shutting down NFS daemon: [FAILED]
> > Shutting down NFS quotas: [FAILED]
> > Shutting down NFS services: [FAILED]
> > Starting NFS services: [ OK ]
> > Starting NFS quotas: [ OK ]
> > Starting NFS daemon: [ OK ]
> > Starting NFS mountd: [ OK ]
> >
> > 4) Now I am setting enforcing mode using the setenforce command.
> >
> > root@turtle11 ~]#setenforce 1
> > root@turtle11 ~]# sestatus
> > SELinux status: enabled
> > SELinuxfs mount: /selinux
> > Current mode: enforcing
> > Mode from config file: enforcing
> > Policy version: 21
> > Policy from config file: mls
> >
> > 5) a) Now the system is in enforcing mode and I am trying to restart the
> > system service. The restart results in an error message.
> >
> > root@turtle11 ~]#service nfs restart
> > /sbin/consoletype: error while loading shared libraries: libc.so.6:
> > cannot open shared object file: No such file or directory
> > /sbin/consoletype: error while loading shared libraries: libc.so.6:
> > cannot open shared object file: No such file or directory
>
> This suggests that libc.so.6 has the wrong label. In older versions of
> the policy, this was a difference between targeted and strict/mls
> policies. Boot in single-user mode and run fixfiles -F relabel.
>
> > nfs: unrecognized service
> >
> > b) When I try to log in it shows the following error.
> >
> > turtle login: smbldap3
> > /bin/login:error while loading shared libraries: libcrypt.so.1:failed
> > to map segment from shared object: Permission denied
> > /sbin/mingetty: error while loading shared libraries: libc.so.6:
> > failed to map segment from shared object: Permission denied
> >
> > c) When using the su command.
> >
> > root@turtle11 ~]# su smbldap3
> > su: error while loading shared libraries: libpam.so.0: failed to map
> > segment from shared object: Permission denied
> >
> > I am not sure what is going on. I referred to many websites and PDFs
> > but couldn't get the proper solution.
> >
> > please help me.
> >
> > Thanks
> > Prakash.
> >
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> --
> Stephen Smalley
> National Security Agency
>
>
15 years, 11 months
F9: su and sudo don't work as user
by Chuck Anderson
Ok, I thought this was a known issue but I can't seem to find it
mentioned anywhere. I have an F9 system that "su" and "sudo" don't
work on. I noticed that my context was user_u rather than
unconfined_u:
Login on the console as cra:
[cra@system 20:25:34 /home/cra]>id
uid=10002(cra) gid=10002(cra) groups=1000(netops),2011(mirror),10002(cra) context=user_u:user_r:user_t:s0
[cra@system 20:25:36 /home/cra]>su
/bin/su: Permission denied.
[cra@system 20:25:37 /home/cra]>sudo
sudo: setresuid(ROOT_UID, 1, ROOT_UID): Operation not permitted
So I tried to go in as root and fix the context like this:
Login on the console as root:
[root@system ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 22
Policy from config file: targeted
[root@system ~]# setenforce 0
[root@system ~]# semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0
root root s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
[root@system ~]# semanage login -m -s unconfined_u root
libsemanage.validate_handler: selinux user unconfined_u does not exist (No such file or directory).
libsemanage.validate_handler: seuser mapping [root -> (unconfined_u, s0-s0:c0.c1023)] is invalid (No such file or directory).
libsemanage.dbase_llist_iterate: could not iterate over records (No such file or directory).
/usr/sbin/semanage: Could not modify login mapping for root
[root@system ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 22
Policy from config file: targeted
[root@system ~]# setenforce 1
[root@system ~]# exit
But it didn't work as you can see. I'm running these versions:
kernel-2.6.25.4-30.fc9.x86_64
selinux-policy-targeted-3.3.1-64.fc9.noarch
Can someone please help?
Thanks.
15 years, 11 months