[Fwd: Re: Can't export samba share]
by max
That reply/reply all is a blessing and a curse :^)
-------- Original Message --------
Subject: Re: Can't export samba share
Date: Mon, 21 Jul 2008 11:26:12 -0400
From: max <maximilianbianco(a)gmail.com>
To: Steve Blackwell <zephod(a)cfl.rr.com>
References: <20080721105041.1fd67e05(a)steve.blackwell>
Steve Blackwell wrote:
> I have a dual boot F8/XP machine and I want to export, via samba, the
> NTFS partition so that I can use it to back up my wife's Vista machine.
> It seems that selinux is preventing this from happening. Here is the
> summary message from setroubleshoot:
>
> SELinux is preventing the samba daemon from serving r/o local files to
> remote clients.
>
> and the Allowing Access section says:
>
> If you want to export file systems using samba you need to turn on the
> samba_export_all_ro boolean: "setsebool -P samba_export_all_ro=1". The
> following command will allow this access:setsebool -P
> samba_export_all_ro=1
>
> There seems to be 2 problems here; 1) The filesystem that I'm trying to
> export is read-write not read-only and 2) I have already set
> samba_export_all_ro=1. In fact I also set samba_export_all_rw=1 and I
> even set samba_run_unconfined=1 and I still get the same messages.
I would try setting samba_export_all_ro=0, leave samba_export_all_rw=1
Those two settings will conflict and denials should always win out over
allows.
>
> Here is the filesystem I'm trying to export:
>
> # cat /etc/fstab | grep ntfs
> /dev/sdb1 /mnt/c_drive ntfs-3g rw,defaults,umask=0000 0 0
>
> # ls -lZ /mnt
> drwxrwxrwx root root system_u:object_r:fusefs_t:s0 c_drive
>
> Here is the /etc/samba/smb.conf stanza:
> [Kellie]
> comment = Winblows backup
> path = /mnt/c_drive
> writable = yes
> browseable = yes
> valid users = Kellie
>
> User Kellie can see the Kellie share from her Vista computer but
> whenever she tries to use it, I get an AVC.
>
> # rpm -qa | grep selinux
> libselinux-python-2.0.43-1.fc8
> selinux-policy-devel-3.0.8-109.fc8
> libselinux-devel-2.0.43-1.fc8
> selinux-policy-3.0.8-109.fc8
> libselinux-2.0.43-1.fc8
> selinux-policy-targeted-3.0.8-109.fc8
>
> # uname -sr
> Linux 2.6.25.10-47.fc8
>
> I suppose I could go back to permissive mode but I'd like to get this
> to work.
>
> Any suggestion?
> Thanks,
> Steve
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
15 years, 9 months
SELinux User Guide
by Murray McAllister
Hi,
Apologies if this doubles up for anyone.
My name is Murray McAllister and I am working as a content author for
Red Hat. I have recently started a new project -- an SELinux User Guide
-- with Daniel Walsh, Michael Smith, and a few other people from Red Hat.
There are a few SELinux books, but these are very technical. We want to
create a guide that people with no previous SELinux experience can use,
to allow them to do what they want without turning SELinux off.
I have started a rough information plan that includes the current
schedule, information sources, and some ideas for the content that may
be included. The information plan is located at
<https://fedoraproject.org/wiki/Docs/Drafts/SELinux_User_Guide/SELinux_Inf...>.
The main project page is located at
<https://fedoraproject.org/wiki/Docs/Drafts/SELinux_User_Guide>.
Among other things, we are going to try to cover the following topics
from the current SELinux project documentation todo list
(http://selinuxproject.org/page/Documentation_TODO):
* "Explain how to interpret an AVC message and how to get additional
information via SYSCALL audit, including how to add a simple syscall
audit filter to enable collection of PATH information".
* "Document Confined Users".
* "Update FC5 FAQ".
* "Document the use of the mount command for overriding file context".
* "Describe Audit2allow and how it can just Fix the machine".
* "Update and organize the Fedora SELinux FAQ".
If anyone has any ideas about what they would like to see in the guide,
or any corrections to the current topics we would like to include,
please let us know. As well, user feedback and comments can be left at
<https://fedoraproject.org/wiki/Docs/Drafts/SELinux_User_Guide/SELinux_Fee...>.
A Fedora account (https://admin.fedoraproject.org/accounts/) is required
to use the Wiki - if you do not have one, please do not hesitate to mail
me directly, or respond to this thread.
Thanks for your time,
Murray.
question on persistent security context storage
by Andy Warner
Hello,
I am currently developing an "SELinux aware" DBMS (primarily TE and MLS)
that is characterized by:
1. The need to store a security context (in some recoverable form) in
our persistent database (storage size of the context is an important factor)
2. The need to frequently perform a high number of security access
checks in a performance sensitive way
My question relates to the first characteristic from above. I am having
trouble deciding on the best way to store the security context in the
database. From my research I see (I think!) three different
representations for a security context: 1) string; 2) raw; 3) SID.
The string representation, generally, seems clear as this is what is
shown in all documentation as the context representation that exists in
user space. My only question regarding the string representation is: is
there any hard limit to the length of the security context string? Do
I need to allow for no theoretical size limit on a context string if I
choose to store it?
I am inferring that the raw representation exists from seeing *_raw
functions (e.g., security_compute_create_raw) referenced in selinux
header files. Other than seeing these functions declared I am having
trouble finding out much about a raw representation. Is there any
advantage to storing/manipulating a context in its raw representation?
That is, are they more suited for a fast security access check, are they
smaller in size, or do they have a fixed or maximum length?
The SID I have also seen mentioned in various documentations but can
determine little about them. My guess is that they are an integer value
that is used for fast internal access, particularly for the AVC. Are
SIDs indeed integer values? Are they persistent or are they meaningful
only for a particular OS session?
I have also considered maintaining my own internal, persistent mapping
between string based contexts and an integer representation, the mapping
being stored/indexed inside the DBMS. This gives me a small storage
overhead with a fixed size.
Any answers, pointers to documentation, or other help would be greatly
appreciated!
Andy Warner
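The third option in the question (a DBMS-local, persistent mapping from context strings to integers) is what the following added example implements; it is not code from the poster's DBMS, from the kernel or from libselinux. It relies on two things: a context string is user:role:type with an optional MLS range, and the range can itself contain colons (s0-s0:c0.c1023), so it has to be split on the first three colons only; and kernel SIDs are internal handles that are not stable across a reboot or policy reload, which is why the mapping lives in the database instead of being derived from them. The sqlite schema, the AccessCache class and the TE-only toy decision function are assumptions made for the example; in a real build the decision callback would ask the policy server (libselinux's security_compute_av on the two strings) and the cache would be flushed on policy reload.

```python
"""Persistent context-string <-> integer mapping plus an access-vector cache
keyed on those integers.
Added example for the "persistent security context storage" question above;
not code from the poster's DBMS, the kernel or libselinux. The sqlite schema,
AccessCache and TOY_RULES are assumptions made for the example."""
import sqlite3
from collections import OrderedDict
from typing import Callable, Dict, Optional, Set


def split_context(ctx: str) -> Dict[str, Optional[str]]:
    """user:role:type[:range]. The MLS range may contain ':' (s0-s0:c0.c1023),
    so split at most three times and never on the range."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or "" in parts:
        raise ValueError("malformed context: %r" % ctx)
    return dict(zip(("user", "role", "type", "range"), parts + [None] * (4 - len(parts))))


class ContextStore:
    """One row per distinct context string; rows never change, so the integer id
    is stable for the life of the database, unlike a kernel SID."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS context "
                        "(id INTEGER PRIMARY KEY, ctx TEXT UNIQUE NOT NULL)")
        self.db.commit()

    def intern(self, ctx: str) -> int:
        """Return the id for ctx, inserting it on first sight (idempotent)."""
        split_context(ctx)  # reject garbage before it reaches the table
        self.db.execute("INSERT OR IGNORE INTO context (ctx) VALUES (?)", (ctx,))
        self.db.commit()
        return self.db.execute("SELECT id FROM context WHERE ctx = ?", (ctx,)).fetchone()[0]

    def lookup(self, cid: int) -> str:
        row = self.db.execute("SELECT ctx FROM context WHERE id = ?", (cid,)).fetchone()
        if row is None:
            raise KeyError(cid)
        return row[0]


class AccessCache:
    """Caches (source id, target id, class) -> allowed permissions, the way the
    kernel AVC caches decisions per SID pair, so the hot path never re-resolves
    strings or re-asks the policy. `decide` stands in for the policy server
    (in a real build: libselinux security_compute_av on the two strings)."""

    def __init__(self, store: ContextStore,
                 decide: Callable[[str, str, str], Set[str]], capacity: int = 1024) -> None:
        self.store, self.decide, self.capacity = store, decide, capacity
        self.cache: "OrderedDict[tuple, frozenset]" = OrderedDict()
        self.misses = 0

    def check(self, sid: int, tid: int, tclass: str, perm: str) -> bool:
        key = (sid, tid, tclass)
        if key in self.cache:
            self.cache.move_to_end(key)
        else:
            self.misses += 1
            allowed = self.decide(self.store.lookup(sid), self.store.lookup(tid), tclass)
            self.cache[key] = frozenset(allowed)
            if len(self.cache) > self.capacity:
                self.cache.popitem(last=False)  # evict least recently used
        return perm in self.cache[key]

    def invalidate(self) -> None:
        """Call on policy reload: the ids stay valid, the cached decisions do not."""
        self.cache.clear()


# Constructed TE-only toy policy (no MLS), keyed by (source type, target type, class).
TOY_RULES = {
    ("db_admin_t", "db_table_t", "db_table"): {"select", "insert", "update", "delete"},
    ("db_user_t", "db_table_t", "db_table"): {"select"},
}


def toy_decide(sctx: str, tctx: str, tclass: str) -> Set[str]:
    key = (split_context(sctx)["type"], split_context(tctx)["type"], tclass)
    return TOY_RULES.get(key, set())


if __name__ == "__main__":
    store = ContextStore()  # pass a file path for a persistent store
    admin = store.intern("system_u:system_r:db_admin_t:s0")
    table = store.intern("system_u:object_r:db_table_t:s0")
    avc = AccessCache(store, toy_decide)
    print(avc.check(admin, table, "db_table", "delete"), avc.misses)
```

Row size in the database becomes a fixed-width integer regardless of how long the context string is, and the second check on the same (source, target, class) triple is a dictionary hit. The one thing the integer ids do not survive is a change of policy: keep the ids, but call invalidate() whenever the policy is reloaded.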
F9: gam_server
by Dan Thurman
Again, more issues. Suggested fix?
============================
Summary:
SELinux is preventing gam_server (gamin_t) "dac_override" to <Unknown> (gamin_t).
Detailed Description:
SELinux denied access requested by gam_server. It is not expected that this
access is required by gam_server and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:gamin_t:s0
Target Context system_u:system_r:gamin_t:s0
Target Objects None [ capability ]
Source gam_server
Source Path /usr/libexec/gam_server
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages gamin-0.1.9-5.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com
2.6.25.9-76.fc9.i686 #1 SMP
Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 20
First Seen Thu 10 Jul 2008 10:35:43 AM PDT
Last Seen Thu 10 Jul 2008 11:11:40 AM PDT
Local ID 5eb1bf77-5c10-4071-9892-bac42ca11adb
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1215713500.169:272): avc:
denied { dac_override } for pid=11637 comm="gam_server" capability=1
scontext=system_u:system_r:gamin_t:s0
tcontext=system_u:system_r:gamin_t:s0 tclass=capability
host=bronze.cdkkt.com type=AVC msg=audit(1215713500.169:272): avc:
denied { dac_read_search } for pid=11637 comm="gam_server"
capability=2 scontext=system_u:system_r:gamin_t:s0
tcontext=system_u:system_r:gamin_t:s0 tclass=capability
host=bronze.cdkkt.com type=SYSCALL msg=audit(1215713500.169:272):
arch=40000003 syscall=33 success=no exit=-13 a0=96ca580 a1=0 a2=4b9264
a3=10 items=0 ppid=1 pid=11637 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="gam_server" exe="/usr/libexec/gam_server"
subj=system_u:system_r:gamin_t:s0 key=(null)
ldap server + enforcing mode?
by Robert Story
I'm trying to get ldap (from openldap-servers-2.4.8-6) running in
enforcing mode on a F9 server. When I try in enforcing mode, it fails.
I've attached the AVCs from the audit log, for 'service ldap start' in
enforcing and permissive mode (with don't audit disabled), along with
the avcs after the first round were passed through audit2allow and
loaded. After those are added and loaded, it starts up fine with no
AVCs.
Should I file a bug report in bugzilla, or is this message sufficient?
--
Robert Story
SPARTA
Selinux & Apache
by Colly Murray
Hi there,
I'm having some problems with apache and selinux.
Yesterday in /var/log/httpd/error_log I had:
[Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as
context user_u:system_r:httpd_t
[Thu Jul 17 16:34:26 2008] [notice] suEXEC mechanism enabled (wrapper:
/usr/sbin/suexec)
[Thu Jul 17 16:34:26 2008] [notice] Digest: generating secret for digest
authentication ...
[Thu Jul 17 16:34:26 2008] [notice] Digest: done
[Thu Jul 17 16:34:26 2008] [warn] pid file /var/www/ditsite/logs/httpd.pid
overwritten -- Unclean shutdown of previous Apache run?
[Thu Jul 17 16:34:26 2008] [notice] Apache configured -- resuming normal
operations
It happened a couple of times on a production site, so I decided to try
disabling protection for httpd Daemon:
# setsebool -P httpd_disable_trans 1
# service httpd restart
Message in /var/log/messages
Jul 18 13:37:46 localhost dbus: avc: received policyload notice (seqno=3)
Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans policy boolean
was changed to 1 by root
Jul 18 13:37:48 localhost setroubleshoot: SELinux is preventing setsebool
(semanage_t) "sys_admin" to <Unknown> (semanage_t). For complete SELinux
messages. run sealert -l dbc64b3f-71be-48c7-aa07-03264440576c
Sealert says the following:
Summary:
SELinux is preventing httpd (httpd_t) "sys_admin" to <Unknown> (httpd_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux denied access requested by httpd. It is not expected that this access is
required by httpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context root:system_r:httpd_t
Target Context root:system_r:httpd_t
Target Objects None [ capability ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host OSTRAIS
Source RPM Packages httpd-2.2.3-11.el5_1.3
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5_2
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name OSTRAIS
Platform Linux OSTRAIS 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64
Alert Count 10
First Seen Thu Jul 17 17:20:02 2008
Last Seen Fri Jul 18 13:33:30 2008
Local ID b22d5d55-1982-4c69-820e-7df4dbd33842
Line Numbers
Raw Audit Messages
host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied {
sys_admin } for pid=24960 comm="httpd" capability=21
scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0
tclass=capability
1.) Why is selinux preventing me from changing this value?
2.) Am I taking the correct approach?
httpd-2.2.3-11.el5_1.3/
Linux 2.6.18-92.1.1.el5 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Thanks
Colly
mod_mono_server_global
by Dan Thurman
I get this consistently. What can I do to fix this?
=====================================
Summary:
SELinux is preventing the mono from using potentially mislabeled files
(mod_mono_server_global).
Detailed Description:
SELinux has denied mono access to potentially mislabeled file(s)
(mod_mono_server_global). This means that SELinux will not allow mono to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.
Allowing Access:
If you want mono to access these files, you need to relabel them using
restorecon -v 'mod_mono_server_global'. You might want to relabel the entire
directory using restorecon -R -v '<Unknown>'.
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:tmp_t:s0
Target Objects mod_mono_server_global [ sock_file ]
Source mono
Source Path /usr/bin/mono
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com
2.6.25.9-76.fc9.i686 #1 SMP
Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 4
First Seen Thu 10 Jul 2008 10:55:05 AM PDT
Last Seen Fri 11 Jul 2008 07:37:33 AM PDT
Local ID 96f5392e-305d-47db-8dc8-93a057a25b0e
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1215787053.571:36): avc:
denied { create } for pid=8865 comm="mono"
name="mod_mono_server_global" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
host=bronze.cdkkt.com type=SYSCALL msg=audit(1215787053.571:36):
arch=40000003 syscall=102 per=400000 success=no exit=-13 a0=2
a1=bfc83fe0 a2=823b524 a3=4 items=0 ppid=1 pid=8865 auid=4294967295
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono"
subj=system_u:system_r:httpd_t:s0 key=(null)
How can i create a new role in the targeted policy
by Cai Xianchao
Hi all,
I'm using RHEL 5.2GA and working in the targeted policy. There are only
two roles in the targeted policy: system_r and object_r. I want to create
a new role, how can I?
Best regards
Problems with logwatch, sagator and zope?
by Dan Thurman
My logs are reporting many errors, one which appears here:
Jul 14 20:15:41 bronze setroubleshoot: SELinux is preventing 0logwatch
(logwatch_t) "read" to sagator (var_log_t). For complete SELinux
messages. run sealert -l 623798e3-17ec-4751-ae16-e2d92c397e72
.... And more here:
Jul 14 20:20:06 bronze logrotate: ALERT exited abnormally with [1]
Jul 14 20:22:02 bronze setroubleshoot: SELinux is preventing updatedb
(locate_t) "getattr" to /usr/share/sagator (sagator_t). For complete
SELinux messages. run sealert -l 54affa1b-dd31-4c24-b021-3e5ce8da3fe4
Jul 14 20:27:49 bronze setroubleshoot: SELinux is preventing logrotate
(logrotate_t) "getattr" to /var/lib/zope/etc/logrotate.conf (var_lib_t).
For complete SELinux messages. run sealert -l
0851295f-58e7-43d8-940c-614514dcfdad
=================================================================
# sealert -l 623798e3-17ec-4751-ae16-e2d92c397e72
==========================================
Summary:
SELinux is preventing 0logwatch (logwatch_t) "read" to sagator (var_log_t).
Detailed Description:
SELinux denied access requested by 0logwatch. It is not expected that this
access is required by 0logwatch and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for sagator,
restorecon -v 'sagator'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logwatch_t:s0
Target Context system_u:object_r:var_log_t:s0
Target Objects sagator [ lnk_file ]
Source 0logwatch
Source Path /usr/bin/perl
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages perl-5.10.0-30.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com
2.6.25.9-76.fc9.i686 #1 SMP
Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 8
First Seen Mon Jul 14 20:15:41 2008
Last Seen Mon Jul 14 20:15:41 2008
Local ID 623798e3-17ec-4751-ae16-e2d92c397e72
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1216091741.414:1543): avc:
denied { read } for pid=19074 comm="0logwatch" name="sagator" dev=sda6
ino=86871 scontext=system_u:system_r:logwatch_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
host=bronze.cdkkt.com type=SYSCALL msg=audit(1216091741.414:1543):
arch=40000003 syscall=5 success=no exit=-13 a0=bf87c1c8 a1=98800
a2=8a67e30 a3=bf87c1c8 items=0 ppid=15038 pid=19074 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="0logwatch" exe="/usr/bin/perl"
subj=system_u:system_r:logwatch_t:s0 key=(null)
=================================================================
# sealert -l 0851295f-58e7-43d8-940c-614514dcfdad
# ls -lZ /var/lib/zope/etc/logrotate.conf
-rw-r--r-- root zope system_u:object_r:var_lib_t:s0
/var/lib/zope/etc/logrotate.conf
==========================================
Summary:
SELinux is preventing logrotate (logrotate_t) "getattr" to
/var/lib/zope/etc/logrotate.conf (var_lib_t).
Detailed Description:
SELinux denied access requested by logrotate. It is not expected that this
access is required by logrotate and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/lib/zope/etc/logrotate.conf,
restorecon -v '/var/lib/zope/etc/logrotate.conf'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:logrotate_t:s0
Target Context system_u:object_r:var_lib_t:s0
Target Objects /var/lib/zope/etc/logrotate.conf [ file ]
Source logrotate
Source Path /usr/sbin/logrotate
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages logrotate-3.7.6-5.fc9
Target RPM Packages compat-zope-2.10.5-3.lvn9
Policy RPM selinux-policy-3.3.1-74.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com
2.6.25.9-76.fc9.i686 #1 SMP
Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 1
First Seen Mon Jul 14 20:27:49 2008
Last Seen Mon Jul 14 20:27:49 2008
Local ID 0851295f-58e7-43d8-940c-614514dcfdad
Line Numbers
Raw Audit Messages
host=bronze.cdkkt.com type=AVC msg=audit(1216092469.664:1690): avc:
denied { getattr } for pid=6689 comm="logrotate"
path="/var/lib/zope/etc/logrotate.conf" dev=sda6 ino=2220768
scontext=system_u:system_r:logrotate_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
host=bronze.cdkkt.com type=SYSCALL msg=audit(1216092469.664:1690):
arch=40000003 syscall=195 success=no exit=-13 a0=bfb60ec5 a1=bfb5fa2c
a2=bcbff4 a3=bfb5fac4 items=0 ppid=6687 pid=6689 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate"
subj=system_u:system_r:logrotate_t:s0 key=(null)
=================================================================
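The raw AVC and SYSCALL records quoted in the gam_server, mod_mono_server_global and logwatch/logrotate posts above are exactly the material the proposed User Guide's todo item ("how to interpret an AVC message and how to get additional information via SYSCALL audit") is about. What follows is an added example, not code from any of the posts, from setroubleshoot or from the guide: it parses such records, groups them by audit serial (the number after the timestamp, shared by every record of one event) and reduces each event to the facts a practitioner checks first: source and target type, object class, the merged permission set, the named object if any, the syscall and errno, and whether the process was root with no login session. The two sample events are copied from the gam_server and logwatch posts and re-joined onto single lines; the syscall table covers only the i386 numbers that occur on this page, and the hint text is this example's rule of thumb, not setroubleshoot's.

```python
"""Parse SELinux AVC/SYSCALL audit records and summarize each denial event.
Added example for this list archive; not code from the posts, setroubleshoot
or the SELinux User Guide. SAMPLE_RECORDS are copied from the gam_server and
logwatch posts on this page and re-joined onto single lines."""
import errno
import re
from typing import Dict, List, Optional

# i386 syscall numbers (arch=40000003 is AUDIT_ARCH_I386); only those on this page.
I386_SYSCALLS = {5: "open", 33: "access", 102: "socketcall", 195: "stat64"}
RECORD_RE = re.compile(r"(?:host=\S+\s+)?type=(\w+)\s+msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx: str) -> Dict[str, Optional[str]]:
    """user:role:type[:range]; the range can contain ':' itself, so split at most 3 times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % ctx)
    return dict(zip(("user", "role", "type", "range"), parts + [None] * (4 - len(parts))))

def parse_record(line: str) -> Optional[Dict]:
    """One audit line -> dict of its fields; None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec: Dict = {"type": rtype, "timestamp": float(ts), "serial": int(serial)}
    if rtype == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"], rec["perms"], body = a.group(1), a.group(2).split(), a.group(3)
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec

def group_events(lines: List[str]) -> Dict[int, List[Dict]]:
    """Records of one event share the audit serial (the number after the timestamp)."""
    events: Dict[int, List[Dict]] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events

def summarize(records: List[Dict]) -> Dict:
    """Reduce one event (its AVCs plus the SYSCALL record) to the facts to check first."""
    avcs = [r for r in records if r["type"] == "AVC"]
    if not avcs:
        raise ValueError("event has no AVC record")
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    first = avcs[0]
    s: Dict = {
        "serial": first["serial"],
        "comm": first.get("comm"),
        "source_type": split_context(first["scontext"])["type"],
        "target_type": split_context(first["tcontext"])["type"],
        "tclass": first["tclass"],
        # one event may carry several AVCs with one permission each; merge them
        "perms": sorted({p for r in avcs for p in r["perms"]}),
        # capability AVCs name no object; file-class AVCs carry path= or name=
        "target": None if first["tclass"] == "capability" else first.get("path") or first.get("name"),
    }
    if sc is not None:
        nr = int(sc["syscall"])
        s["syscall"] = I386_SYSCALLS.get(nr, str(nr)) if sc.get("arch") == "40000003" else str(nr)
        s["errno"] = errno.errorcode.get(-int(sc["exit"]))
        s["euid"] = int(sc["euid"])
        # auid=4294967295 is (uid_t)-1: no login session, i.e. a daemon started at boot
        s["auid"] = None if int(sc["auid"]) == 0xFFFFFFFF else int(sc["auid"])
    s["hint"] = hint(s)
    return s

def hint(s: Dict) -> str:
    """Next-step rule of thumb (this example's, not setroubleshoot's)."""
    if s["tclass"] == "capability":
        if s.get("euid") == 0 and "dac_override" in s["perms"]:
            return ("root hit a DAC check the mode bits did not grant; find the path with a "
                    "SYSCALL audit rule (PATH records) before allowing dac_override")
        return "capability denial inside the domain; confirm the operation is needed first"
    if s["target"]:
        return ("compare `ls -Z` with `matchpathcon` for %s; relabel if they differ, "
                "otherwise the policy needs a rule or a boolean" % s["target"])
    return "no path in the AVC; add a SYSCALL audit filter to collect PATH records"

# Copied from the gam_server (serial 272) and logwatch (serial 1543) posts above.
SAMPLE_RECORDS = [
    'host=bronze.cdkkt.com type=AVC msg=audit(1215713500.169:272): avc: denied { dac_override } for pid=11637 comm="gam_server" capability=1 scontext=system_u:system_r:gamin_t:s0 tcontext=system_u:system_r:gamin_t:s0 tclass=capability',
    'host=bronze.cdkkt.com type=AVC msg=audit(1215713500.169:272): avc: denied { dac_read_search } for pid=11637 comm="gam_server" capability=2 scontext=system_u:system_r:gamin_t:s0 tcontext=system_u:system_r:gamin_t:s0 tclass=capability',
    'host=bronze.cdkkt.com type=SYSCALL msg=audit(1215713500.169:272): arch=40000003 syscall=33 success=no exit=-13 a0=96ca580 a1=0 a2=4b9264 a3=10 items=0 ppid=1 pid=11637 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:gamin_t:s0 key=(null)',
    'host=bronze.cdkkt.com type=AVC msg=audit(1216091741.414:1543): avc: denied { read } for pid=19074 comm="0logwatch" name="sagator" dev=sda6 ino=86871 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file',
    'host=bronze.cdkkt.com type=SYSCALL msg=audit(1216091741.414:1543): arch=40000003 syscall=5 success=no exit=-13 a0=bf87c1c8 a1=98800 a2=8a67e30 a3=bf87c1c8 items=0 ppid=15038 pid=19074 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="0logwatch" exe="/usr/bin/perl" subj=system_u:system_r:logwatch_t:s0 key=(null)',
]

if __name__ == "__main__":
    for serial, recs in sorted(group_events(SAMPLE_RECORDS).items()):
        print(summarize(recs))
```

Two things the summary makes visible that the setroubleshoot text hides: the gam_server event is a root process (euid=0, no audit session) whose access(2) call failed a DAC check, so the AVC cannot name the file and the next step is an audit rule that produces PATH records; the logwatch event does name its object (the sagator symlink, class lnk_file) and ends in EACCES from open(2), so the label can be compared against the policy default before any policy is written.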