How do I create an initial policy for a new app?
by Brian Ginn
using the polgengui, i get an error that the type is unknown (see below).
I compared the generated files to /usr/share/selinux/devel/example.*
I can see that I need to add the initial type myapp2_t;
... there are some other differences. For example:
Polgengui's myapp2.te:
corecmd_executable_file(pbrun_exec_t)
example.te:
domain_type(myapp_t)
domain_entry_file(myapp_t, myapp_exec_t)
Do these accomplish essentially the same thing?
Thanks,
Brian
+ . ./myapp2.sh
++ set -x
++ make -f /usr/share/selinux/devel/Makefile
Compiling targeted myapp2 module
/usr/bin/checkmodule: loading policy configuration from tmp/myapp2.tmp
myapp2.te:22:ERROR 'unknown type myapp2_t' at token ';' on line 83532:
allow myapp2_t myapp2_rw_t:file { create getattr setattr read write append rename link unlink ioctl lock };
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/myapp2.mod] Error 1
++ /usr/sbin/semodule -i myapp2.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t system_chkpwd_t:process { transition };
libsepol.check_assertion_helper: assertion on line 0 violated by allow myapp2_t updpwd_t:process { transition };
libsepol.check_assertion_helper: assertion on line 0 violated by allow system_chkpwd_t myapp2_t:process { sigchld };
libsepol.check_assertion_helper: assertion on line 0 violated by allow updpwd_t myapp2_t:process { sigchld };
libsepol.check_assertions: 4 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule: Failed!
++ /sbin/restorecon -F -R -v /usr/local/bin/myapp2
/sbin/restorecon reset /usr/local/bin/myapp2 context system_u:object_r:bin_t:s0->system_u:object_r:bin_t:s0
++ /sbin/restorecon -F -R -v /etc/pb.settings
/sbin/restorecon reset /etc/pb.settings context system_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
++ /usr/sbin/semanage port -a -t myapp2_port_t -p tcp 23000
libsepol.context_from_record: type myapp2_port_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.port_from_record: could not create port structure for range 23000:23000 (tcp)
libsepol.sepol_port_modify: could not load port range 23000 - 23000 (tcp)
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local modifications into policy
/usr/sbin/semanage: Could not add port tcp/23000
++ echo -ne '\033]0;root@localhost:~'
[root@localhost ~]#
`
15 years, 1 month
cobbler selinux policy
by Per Sjoholm
Looked for a way of handling multi distro PXE setup on CentOS 5 and
found cobbler
It has a webinterface + cmd
cobblers wiki mention SELinux but only for allowing things
Cobbler needs to write and read critical files.
Does anyone have a a SELinux policy for cobbler?
Thanks
/Per
15 years, 2 months
kernel oops, dhclient, NetworkManager denials
by Antonio Olivares
Dear selinux experts,
I am running rawhide and I have encountered the following denied avc's. Thank you all for your help in anticipation :).
Summary:
SELinux is preventing kerneloops (kerneloops_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by kerneloops. It is not expected that this
access is required by kerneloops and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:kerneloops_t:s0-s0:c0.c1023
Target Context system_u:object_r:inotifyfs_t:s0
Target Objects inotify [ dir ]
Source kerneloops
Source Path /usr/sbin/kerneloops
Port <Unknown>
Host riohigh
Source RPM Packages kerneloops-0.12-3.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 2
First Seen Fri 06 Mar 2009 08:37:41 AM CST
Last Seen Fri 06 Mar 2009 04:13:48 PM CST
Local ID a255a610-ce27-4ae2-8583-5e79658a0022
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377628.970:206): avc: denied { read } for pid=14322 comm="kerneloops" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1236377628.970:206): arch=40000003 syscall=11 success=yes exit=0 a0=987de20 a1=987dde8 a2=987d008 a3=9880368 items=0 ppid=14321 pid=14322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kerneloops" exe="/usr/sbin/kerneloops" subj=system_u:system_r:kerneloops_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write"
unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port <Unknown>
Host riohigh
Source RPM Packages NetworkManager-0.7.0.99-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 5
First Seen Mon 23 Feb 2009 07:23:54 AM CST
Last Seen Fri 06 Mar 2009 04:15:00 PM CST
Local ID f192ed25-15af-43fd-aa2e-524cca16b88a
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
Summary:
SELinux is preventing consoletype (consoletype_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by consoletype. It is not expected that this
access is required by consoletype and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:consoletype_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source consoletype
Source Path /sbin/consoletype
Port <Unknown>
Host riohigh
Source RPM Packages initscripts-8.89-2
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 10
First Seen Mon 23 Feb 2009 07:23:51 AM CST
Last Seen Fri 06 Mar 2009 04:15:00 PM CST
Local ID 2797c459-0038-4c1e-a419-d4bc54691e3a
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.541:235): avc: denied { read write } for pid=14459 comm="consoletype" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.541:235): arch=40000003 syscall=11 success=yes exit=0 a0=8fe0470 a1=8fe0078 a2=8fe01c8 a3=8fe0078 items=0 ppid=14458 pid=14459 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source dhclient
Source Path /sbin/dhclient
Port <Unknown>
Host riohigh
Source RPM Packages dhclient-4.1.0-9.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 3
First Seen Fri 06 Mar 2009 04:16:01 PM CST
Last Seen Fri 06 Mar 2009 04:16:01 PM CST
Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377761.743:243): avc: denied { read write } for pid=14537 comm="dhclient" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377761.743:243): arch=40000003 syscall=11 success=yes exit=0 a0=8d98e40 a1=8da51d0 a2=8d891b8 a3=8da51d0 items=0 ppid=14469 pid=14537 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=10 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
I first started the system, then I saw that there was no connection, so I did a service NetworkManager stop, followed by a start and then the denied avc. I did not get a working internet connection, so I then went to call dhclient, the command worked, but selinux kicked in. Thank you for your help. Will get back to work on Monday :)
Regards,
Antonio
15 years, 2 months
Moving /etc/fonts/ to fonts_t?
by Jan Kasprzak
In my Fedora 10 system, all fonts under /usr/share/fonts
are of the fonts_t type, while the fontconfig files under /etc/fonts
are of the default etc_t type. I think it would make sense to move
the whole /etc/fonts directory under the fonts_t type, so that user
can easily say "this domain can use fonts" and be done without allowing
the domain to read the whole /etc directory and files.
What do you think about it? Does it make sense to modify the default
Fedora policy according to these lines?
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
15 years, 2 months
Environment variables over exec()?
by Jan Kasprzak
Hello,
I am probably overlooking something, but it seems that SELinux prevents
the environment variables to be inherited to the new program over exec():
I have a daemon (running in its own domain mydaemon_t) which tries
to fork() and then exec() a program which has domain_auto_trans()
to a new domain myprogram_t. Now I want to pass a TMPDIR environment
variable from the daemon to the program. It does not work - I get
AVCs about myprogram_t trying to read the tmp_t directory (which means
it still tries to use /tmp, not whatever is written in TMPDIR.
I have created my own directory /var/myprogram/tmp which I also
put into the TMPDIR variable. When I add "sleep(100)" to the daemon
just before the exec() of myprogram, I can see the TMPDIR variable correctly
set in /proc/<pid>/environ.
When I do "setenforce 0", running the program from the daemon
causes the /var/myprogram/tmp mtime to be updated and no AVCs are logged,
so the program gets the TMPDIR variable correctly set up.
Does SELinux prevent the environment variables to be inherited
over exec()? If so, how can I enable it?
Thanks,
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
15 years, 2 months
Rebooted, permissive, setroubleshooter going nuts.
by Gene Heskett
Greetings;
And a portion of this lists archive on this box has gone missing to boot.
So I can't look up the command to extract all these hits, about once every 2
minutes or so, to a logfile I can post. And when I click on the star, it
tells me the connection has been lost to
/var/run/setroubleshoot/setroubleshoot_server. But there is a zero length
file there, generated when I rebooted to 2.6.29-rc7 5:18 ago WTH?
And I just found a very short setroubleshooter.log which I will attach. It
looks like it got a tummy ache just a few minutes ago.
I think I will follow what I did with 29-rc7, and not build any sound modules
for anything except the audigy2, cuz now I have sound, akonadi even starts!
Help?
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Your motives for doing whatever good deed you may have in mind will be
misinterpreted by somebody.
15 years, 2 months
TCP server howto
by Jan Kasprzak
Hello,
what is a recommended way of allowing a domain to act as a generic TCP
server. I.e. to create a stream socket, bind(2) it to a single defined
port with INADDR_ANY, listen(2) on it, accept(2) connections on it,
and communicate (read/write/send*/recv*) on it.
So far I am using audit2allow, and it has led me to the following
setup (actual reading/writing not verified yet, more rules would probably
be needed):
allow $1 hi_reserved_port_t:tcp_socket name_bind;
allow $1 inaddr_any_node_t:tcp_socket node_bind;
allow $1 self:capability net_bind_service;
However, I guess hi_reserver_port_t is not a _single_ port. I have
seen the network_port() macro in corenetwork.if, but using
network_port($1, tcp,654,s0);
gives a syntax error.
Is there any high-level macro for setting up a single port and allowing
it to be bound, listened, read and written?
[ my system is Fedora 10 with the targeted policy ]
Thanks,
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
>> If you find yourself arguing with Alan Cox, you’re _probably_ wrong. <<
>> --James Morris in "How and Why You Should Become a Kernel Hacker" <<
15 years, 2 months
dbus and kerneloops with selinux avc
by Antonio Olivares
Dear all,
after applying the updates, I encountered the following avc courtesy of setroubleshooter:
Summary:
SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute"
kerneloops_exec_t.
Detailed Description:
SELinux denied access requested by dbus-daemon-lau. It is not expected that this
access is required by dbus-daemon-lau and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:kerneloops_exec_t:s0
Target Objects kerneloops [ file ]
Source dbus-daemon-lau
Source Path /lib/dbus-1/dbus-daemon-launch-helper
Port <Unknown>
Host riohigh
Source RPM Packages dbus-1.2.4.4permissive-4.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-1.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.197.rc7.fc11.i586 #1 SMP
Tue Mar 3 23:01:11 EST 2009 i686 athlon
Alert Count 1
First Seen Wed 04 Mar 2009 07:46:21 PM CST
Last Seen Wed 04 Mar 2009 07:46:21 PM CST
Local ID 71016152-e696-4ba1-af79-497748fd156b
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236217581.391:21): avc: denied { execute } for pid=3241 comm="dbus-daemon-lau" name="kerneloops" dev=sda5 ino=8699 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kerneloops_exec_t:s0 tclass=file
node=riohigh type=SYSCALL msg=audit(1236217581.391:21): arch=40000003 syscall=11 success=no exit=-13 a0=9c95e20 a1=9c95de8 a2=9c95008 a3=9c98368 items=0 ppid=3240 pid=3241 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
Thanks,
Antonio
15 years, 2 months
Fedora 10 sendmail/smrsh denied
by Bob Richmond
Files in /etc/smrsh used to get a type of "etc_smrsh_t" that allowed
files in there to be executed by smrsh on behalf of sendmail. That went
away, and now sendmail can't execute mail processing programs under
/etc/smrsh. Did the standard location for mail processing programs change?
15 years, 2 months
avcs on rawhide new and old one
by Antonio Olivares
Summary:
SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by crontab. It is not expected that this access
is required by crontab and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0
.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source crontab
Source Path /usr/bin/crontab
Port <Unknown>
Host riohigh
Source RPM Packages cronie-1.2-6.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.6-8.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1
SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
Alert Count 16
First Seen Mon 02 Mar 2009 07:11:37 PM CST
Last Seen Mon 02 Mar 2009 07:11:39 PM CST
Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15740]" dev=sockfs ino=15740 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236042699.560:325): avc: denied { read write } for pid=7023 comm="crontab" path="socket:[15509]" dev=sockfs ino=15509 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236042699.560:325): arch=40000003 syscall=11 success=yes exit=0 a0=9756cc8 a1=9765140 a2=9750a18 a3=9765140 items=0 ppid=6988 pid=7023 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux prevented kde4-config from writing .kde.
Detailed Description:
SELinux prevented kde4-config from writing .kde. If .kde is a core file, you may
want to allow this. If .kde is not a core file, this could signal a intrusion
attempt.
Allowing Access:
Changing the "allow_daemons_dump_core" boolean to true will allow this access:
"setsebool -P allow_daemons_dump_core=1."
Fix Command:
setsebool -P allow_daemons_dump_core=1
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:root_t:s0
Target Objects .kde [ dir ]
Source kde4-config
Source Path /usr/bin/kde4-config
Port <Unknown>
Host riohigh
Source RPM Packages kdelibs-4.2.1-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.6-8.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_daemons_dump_core
Host Name riohigh
Platform Linux riohigh 2.6.29-0.176.rc6.git5.fc11.i586 #1
SMP Sat Feb 28 20:51:15 EST 2009 i686 athlon
Alert Count 16
First Seen Tue 17 Feb 2009 08:36:03 AM CST
Last Seen Mon 02 Mar 2009 03:49:11 PM CST
Local ID 6d47417b-4b4b-4c4f-9c12-6210059fc418
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236030551.278:7): avc: denied { create } for pid=2361 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1236030551.278:7): arch=40000003 syscall=39 success=no exit=-13 a0=9e843f8 a1=1c0 a2=60cf8c a3=0 items=0 ppid=2360 pid=2361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Thanks,
Antonio
15 years, 2 months
