selinux January 2010

selinux@lists.fedoraproject.org

45 participants
44 discussions

by Andy Warner

Got the following output from using the newrole command on Fedora 12. Not sure where to properly report such bugs. If it helps, the rubix_remote_client_r role transition should fail (as it does) as there are no role transition rules for it. The role is associated with the current SELinux user. I believe my system just updated to the newest newrole package. [warner@Fedora12-Dev ~]$ yum info policycoreutils Loaded plugins: presto, refresh-packagekit Installed Packages Name : policycoreutils Arch : i686 Version : 2.0.78 Release : 3.fc12 Size : 3.3 M Repo : installed >From repo : updates Error output from newrole follows: [warner@Fedora12-Dev ~]$ newrole -r rubix_remote_client_r Password: failed to exec shell : Permission denied *** glibc detected *** newrole: double free or corruption (out): 0x01726138 *** ======= Backtrace: ========= /lib/libc.so.6(-0xff836d9f)[0x233261] /lib/libselinux.so.1(freecon+0x1e)[0x9fd42e] newrole(main+0x6eb)[0x119d6b] /lib/libc.so.6(__libc_start_main+0xe6)[0x1dbbb6] newrole(+0x16f1)[0x1186f1] ======= Memory map: ======== 00117000-0011d000 r-xp 00000000 fd:00 126525 /usr/bin/newrole 0011d000-0011e000 r--p 00005000 fd:00 126525 /usr/bin/newrole 0011e000-0011f000 rw-p 00006000 fd:00 126525 /usr/bin/newrole 0011f000-00135000 r-xp 00000000 fd:00 56679 /lib/libpthread-2.11.so 00135000-00136000 r--p 00015000 fd:00 56679 /lib/libpthread-2.11.so 00136000-00137000 rw-p 00016000 fd:00 56679 /lib/libpthread-2.11.so 00137000-00139000 rw-p 00000000 00:00 0 001a5000-001c3000 r-xp 00000000 fd:00 56677 /lib/ld-2.11.so 001c3000-001c4000 r--p 0001d000 fd:00 56677 /lib/ld-2.11.so 001c4000-001c5000 rw-p 0001e000 fd:00 56677 /lib/ld-2.11.so 001c5000-00333000 r-xp 00000000 fd:00 56678 /lib/libc-2.11.so 00333000-00334000 ---p 0016e000 fd:00 56678 /lib/libc-2.11.so 00334000-00336000 r--p 0016e000 fd:00 56678 /lib/libc-2.11.so 00336000-00337000 rw-p 00170000 fd:00 56678 /lib/libc-2.11.so 00337000-0033a000 rw-p 00000000 00:00 0 0055f000-00560000 r-xp 00000000 00:00 0 [vdso] 005f6000-005fa000 r-xp 00000000 fd:00 1331 /lib/libattr.so.1.1.0 005fa000-005fb000 rw-p 00003000 fd:00 1331 /lib/libattr.so.1.1.0 0062d000-00638000 r-xp 00000000 fd:00 10441 /lib/libnss_files-2.11.so 00638000-00639000 r--p 0000a000 fd:00 10441 /lib/libnss_files-2.11.so 00639000-0063a000 rw-p 0000b000 fd:00 10441 /lib/libnss_files-2.11.so 008a3000-008a5000 r-xp 00000000 fd:00 15448 /lib/libpam_misc.so.0.82.0 008a5000-008a6000 rw-p 00001000 fd:00 15448 /lib/libpam_misc.so.0.82.0 00928000-0092c000 r-xp 00000000 fd:00 1332 /lib/libcap.so.2.16 0092c000-0092d000 rw-p 00003000 fd:00 1332 /lib/libcap.so.2.16 00992000-00995000 r-xp 00000000 fd:00 56684 /lib/libdl-2.11.so 00995000-00996000 r--p 00002000 fd:00 56684 /lib/libdl-2.11.so 00996000-00997000 rw-p 00003000 fd:00 56684 /lib/libdl-2.11.so 009f3000-00a0f000 r-xp 00000000 fd:00 56687 /lib/libselinux.so.1 00a0f000-00a10000 r--p 0001b000 fd:00 56687 /lib/libselinux.so.1 00a10000-00a11000 rw-p 0001c000 fd:00 56687 /lib/libselinux.so.1 00c8b000-00c97000 r-xp 00000000 fd:00 15447 /lib/libpam.so.0.82.1 00c97000-00c98000 rw-p 0000b000 fd:00 15447 /lib/libpam.so.0.82.1 00e6f000-00e85000 r-xp 00000000 fd:00 15446 /lib/libaudit.so.1.0.0 00e85000-00e86000 r--p 00015000 fd:00 15446 /lib/libaudit.so.1.0.0 00e86000-00e87000 rw-p 00016000 fd:00 15446 /lib/libaudit.so.1.0.0 00ea9000-00ec6000 r-xp 00000000 fd:00 51325 /lib/libgcc_s-4.4.2-20091027.so.1 00ec6000-00ec7000 rw-p 0001c000 fd:00 51325 /lib/libgcc_s-4.4.2-20091027.so.1 00f05000-00f0c000 r-xp 00000000 fd:00 56680 /lib/librt-2.11.so 00f0c000-00f0d000 r--p 00006000 fd:00 56680 /lib/librt-2.11.so 00f0d000-00f0e000 rw-p 00007000 fd:00 56680 /lib/librt-2.11.so 01724000-017a9000 rw-p 00000000 00:00 0 [heap] b7627000-b7827000 r--p 00000000 fd:00 12545 /usr/lib/locale/locale-archive b7827000-b782a000 rw-p 00000000 00:00 0 b783b000-b7842000 r--s 00000000 fd:00 10739 /usr/lib/gconv/gconv-modules.cache b7842000-b7843000 rw-p 00000000 00:00 0 bfcce000-bfce3000 rw-p 00000000 00:00 0 [stack] [warner@Fedora12-Dev ~]$

14 years, 4 months

4
15
0 / 0

need help in contributing to se-linux policy development

by sai ganesh

hi, my name is sai. i am a fedora-ambassador<https://fedoraproject.org/wiki/user:ganesai>.i want to contribute to the development of se-linux policies.i am a Redhat certified se-linux policy administrator.i want to contribute to the development of se-linux policies.how can i contribute ? whom should i contact? i have already tried contacting the owners of the se-linux packages.i didn't get any response. -- s.saiganesh “The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it

14 years, 4 months

2
1
0 / 0

policy for vino server (based on current rawhide policy)

by Dominick Grift

I create policy for vino server today. I tested it a few times and it works. You can either use it by enabling remote desktop or via empathy. It requires many patches etc though. I attached what i think is related. I might have missed some. Its also on my git repository ( i maintain it there ) git clone git://82.197.205.60/selinux-modules.git You will have to some vnc tube ports (vnc_port_t) there is a comment about it in vino.te.

14 years, 4 months

1
0
0 / 0

New Years Resolution

by Steve Blackwell

OK, here is one of my New Year's resolutions: Get a better understanding of SELinux. I'm running a F11 box in permissive mode and I get hundreds of AVCs. Let start with this one. SELinux is preventing dbus-daemon (system_dbusd_t) "search" unconfined_t. node=steve.blackwell type=AVC msg=audit(1262408462.863:1162): avc: denied { search } for pid=1613 comm="dbus-daemon" name="23667" dev=proc ino=584443 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=dir Now, if I'm reading this correctly, the dbus-daemon process tried to search a directory called 23667 but didn't have permission to do so. The problem with that is that I don't have a directory called 23667. At least there isn't one now but I suppose it could have existed at the time the AVC was generated which was just after midnight. I'm getting one of these every hour with different numbers for the target directory. I thought that it might be related to a cron job but it seems that the hourly crom job just calls anacron to check to see if the daily, weekly or monthly cron job needs to be run. The other possibility is that it has something to do with BackupPC. One thing I don't understand is why SELinux is flagging this in the first place. Since the target context is unconfined_t, should anything be able to search it? Steve.

14 years, 4 months

2
3
0 / 0

← Newer
1
2
3
4
5
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux January 2010