Bootup error with Selinux +F15
by magina antimage
Hi,
I have tried disabling SELinux, because I didn't have the SELinux module
enabled in my kernel.
I have tried changing /etc/selinux/config
from SELINUX=permissive to SELINUX=disabled,
but I still get the error
"Failed to load SELinux policy." during bootup.
I have referred to "https://bugzilla.redhat.com/show_bug.cgi?id=692573"
and tried to solve this problem, but with no positive results.
Also, sometimes I get I/O errors on my hard disk (during boot) after
one or two boots.
I am not sure whether it's because of SELinux or not, but while
searching for this I/O error I came across a few cases where these I/O
errors were because of SELinux policies.
Other details:
arch: x86
selinux version: libselinux-2.0.99-4.fc15.i686
10 years, 8 months
AWStats Update-now link has permissions issues
by Dan Thurman
Did anyone get awstats "Update now" button to work?
For me, awstats does not have permissions to access /tmp
for locking (if enabled) and/or to open /var/log/httpd/access_log
file in attempts to update the awstats data.
I am running SELinux, but not certain it is an SELinux issue...
11 years, 5 months
Re: Bug 539519: selinux doesn't like httpd trying to read /var/run/pcscd.pid
by mark
-------- Original Message --------
From: Daniel J Walsh <dwalsh(a)redhat.com>
>On 10/19/2012 10:48 AM, m.roth(a)5-cent.us wrote:
> From: Daniel J Walsh <dwalsh(a)redhat.com> On 10/17/2012 01:22 PM,
> m.roth(a)5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 10/17/2012 11:48 AM, m.roth(a)5-cent.us wrote:
>>>
>>> Did you check the label on /var/run/pcscd.pid? What is the actual
>>> avc you are seeing?
>> -rw-r--r--. root root system_u:object_r:pcscd_var_run_t:s0
>> /var/run/pcscd.pid
>>
>> And the sealert shows just the catchall.
>>
>> SELinux is preventing /usr/sbin/httpd from read access on the file
>> /var/run/pcscd.pid.
>>
>> ***** Plugin catchall (100. confidence)
>> Can you execute
>> ausearch -m avc
I think this is a sample of what you were asking for:
time->Fri Oct 19 00:45:01 2012
type=SYSCALL msg=audit(1350621901.305:71913): arch=c000003e syscall=2 success=yes exit=18 a0=7f0ebf4a6e22 a1=0 a2=1b6 a3=0 items=0 ppid=6184 pid=6247 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350621901.305:71913): avc: denied { open } for pid=6247 comm="httpd" name="pcscd.pid" dev=sda3 ino=81412261 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
type=AVC msg=audit(1350621901.305:71913): avc: denied { read } for pid=6247 comm="httpd" name="pcscd.pid" dev=sda3 ino=81412261 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
mark
11 years, 5 months
pam_selinux(sshd:session): Error! Unable to set executable context
by Radha Venkatesh (radvenka)
We have an SELinux user specialuser_u defined. The output of the semanage command is as seen below:
semanage user -l
SELinux User     Prefix   MLS/MCS Level  MLS/MCS Range         SELinux Roles
admin_u          user     s0             SystemLow-SystemHigh  system_r sysadm_r
guest_u          guest    s0             s0                    guest_r
remotesupport_u  user     s0             SystemLow-SystemHigh  system_r sysadm_r
root             sysadm   s0             SystemLow-SystemHigh  system_r sysadm_r
specialuser_u    user     s0             s0                    system_r sysadm_r
staff_u          staff    s0             SystemLow-SystemHigh  sysadm_r staff_r
sysadm_u         sysadm   s0             SystemLow-SystemHigh  sysadm_r
system_u         user     s0             SystemLow-SystemHigh  system_r
Now, we see the following in our log files:
pam_selinux(sshd:session): Error! Unable to set executable context €‡\ ialuser_u:sysadm_r:sysadm_t.
…
…
…
pam_selinux(sshd:session): Error! Unable to set executable context €×ª_ialuser_u:sysadm_r:sysadm_t:s0.
…
…
…
pam_selinux(sshd:session): Error! Unable to set executable context €gb ialuser_u:sysadm_r:sysadm_t.
…
…
…
pam_selinux(sshd:session): Error! Unable to set executable context € ³_ialuser_u:sysadm_r:sysadm_t:s0.
/etc/pam.d/sshd looks as follows:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session required pam_selinux.so
Could anyone help us with why we are seeing these error messages and why the specialuser_u is corrupted with control chars?
11 years, 5 months
unlabeled_t types for files
by Anamitra Dutta Majumdar
We have recently been seeing some denials related to one of our files in ramfs.
The audit2allow output is as follows:
allow mount_t unlabeled_t:filesystem relabelfrom;
Our product is based on RHEL6. We did not see this in the RHEL5 version of our product.
Why would there be files of type unlabeled_t on the system with the move to RHEL6?
Thanks,
Anamitra
11 years, 5 months
Re: Bug 539519: selinux doesn't like httpd trying to read /var/run/pcscd.pid
by mark
From: Daniel J Walsh <dwalsh(a)redhat.com>
On 10/17/2012 01:22 PM, m.roth(a)5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 10/17/2012 11:48 AM, m.roth(a)5-cent.us wrote:
>>
>> Did you check the label on /var/run/pcscd.pid? What is the actual avc
>> you are seeing?
> -rw-r--r--. root root system_u:object_r:pcscd_var_run_t:s0
> /var/run/pcscd.pid
>
> And the sealert shows just the catchall.
>
> SELinux is preventing /usr/sbin/httpd from read access on the file
> /var/run/pcscd.pid.
>
> ***** Plugin catchall (100. confidence)
> Can you execute
> ausearch -m avc
> And get the AVC's that way.
I was out yesterday, which is why I didn't get back to you before.
Yup, and get a ton of
type=AVC msg=audit(1350608218.778:42990): avc: denied { read write } for
pid=27757 comm="iptables" path="socket:[20864]" dev=sockfs ino=20864
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
mark
11 years, 5 months
How to clear Samba through SELinux
by Temlakos
Everyone:
I go through this exercise with every update. I have two machines on my
network. One runs Windows; the other runs Fedora (now up to 17).
Right now, the Fedora box can "see" everything in the Windows box that
belongs to the default Windows user.
But: the Windows box can see that a share is available but may not visit
the share.
I cleared Samba through the firewall; otherwise I'd have no connection
at all.
Now: what Booleans or modules do I need to set or reset to clear Samba
through SELinux? I don't seem to have any configuration tool (not
graphical, anyway) to let me see where the problem is. The Windows box
doesn't say much, except "Windows cannot access this share; you need to
talk to the system admin in charge of the other system." Well, I /am/
the system admin. I'd like to clear each machine for full read-write
access to the other. But right now, I have to do all my sharing through
the Fedora machine.
(As to why I would even want a Windows machine around: I keep it around
for programs like TV tuning and DVD authoring that /just work out of the
box/. I also use that Windows box as a print server. That works.)
So in essence, my Fedora box is a good client but a bad server. I think
maybe SELinux is the one remaining obstacle. I need to know how to clear it.
Temlakos
11 years, 5 months
Bug 539519: selinux doesn't like httpd trying to read /var/run/pcscd.pid
by mark
Hi, folks - esp. Dan Walsh.
Started seeing this in a log:
setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on
the file /var/run/pcscd.pid. For complete SELinux messages. run sealert -l
7549ac41-0b77-49d5-9fd5-814506b6dbf5
I know that they're running subversion, and its webserver.
Googling around, before I created a local policy, I found this:
<https://bugzilla.redhat.com/show_bug.cgi?id=539519>
We're running the current (as in, I yum updated and rebooted) CentOS 6.3.
Could this have slipped back in, somehow?
mark
11 years, 5 months
sesearch output
by Moray Henderson
On CentOS 6 I'm trying to get logrotate to work on some web files. At the
moment they're httpd_sys_content_t and give
Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc:
denied { read write } for pid=1275 comm="logrotate" name="dnsview.html"
dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
I wanted to see what did have access to those files, so used
# sesearch --allow -t httpd_sys_content_t | less
I thought that would show me all the allow rules with a target of
httpd_sys_content_t, but it seems to show other stuff as well, which
confused me:
allow logwatch_t file_type : filesystem getattr ;
allow logwatch_t file_type : file getattr ;
allow logwatch_t file_type : dir { getattr search open } ;
allow logwatch_t file_type : lnk_file getattr ;
and so on. Is that supposed to show up? Does it mean that logwatch can
search all directories regardless of their context?
Is there a context that would be appropriate for my files or will I need
custom policy if I want to rotate them?
Moray.
"To err is human; to purr, feline."
11 years, 5 months
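The AVC records quoted in mark's two messages above and in Moray's message are the raw material for every question in this thread, and they arrive in two shapes: the `type=AVC msg=audit(...)` form from ausearch and the `kernel: type=1400 audit(...)` form from syslog. The following is an added example, not code from any of the posters or from the audit or setools projects: a small Python parser that extracts the event serial, the permissions and the key=value fields from both forms, then folds the denials into (source type, target type, class) groups the way audit2allow does. The sample log is built from the records quoted in this thread (the SYSCALL record is abridged); the function and class names are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample input: the records quoted in this thread, one per line
# (the SYSCALL record is abridged; it is here to show that non-AVC lines are skipped).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1350621901.305:71913): arch=c000003e syscall=2 success=yes exit=18 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1350621901.305:71913): avc: denied { open } for pid=6247 comm="httpd" name="pcscd.pid" dev=sda3 ino=81412261 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
type=AVC msg=audit(1350621901.305:71913): avc: denied { read } for pid=6247 comm="httpd" name="pcscd.pid" dev=sda3 ino=81412261 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pcscd_var_run_t:s0 tclass=file
type=AVC msg=audit(1350608218.778:42990): avc: denied { read write } for pid=27757 comm="iptables" path="socket:[20864]" dev=sockfs ino=20864 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc: denied { read write } for pid=1275 comm="logrotate" name="dnsview.html" dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Matches both "msg=audit(ts:serial): avc: denied { perms } for ..." (ausearch / audit.log)
# and "kernel: type=1400 audit(ts:serial): avc: ..." (syslog when auditd is not running).
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+(?P<verdict>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; quoted values may contain brackets or colons (path="socket:[20864]").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Type field of user:role:type[:range]; maxsplit=3 keeps an MLS range such as
    s0-s0:c0.c1023 from being mistaken for further fields."""
    return ctx.split(":", 3)[2]


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    verdict: str
    perms: FrozenSet[str]
    fields: Dict[str, str]

    @property
    def source_type(self) -> str:
        return context_type(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return context_type(self.fields["tcontext"])


def parse_avc_line(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC line, None for anything else (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")), m.group("verdict"),
                     frozenset(m.group("perms").split()), fields)


def parse_avc_log(text: str) -> List[AvcRecord]:
    return [r for r in map(parse_avc_line, text.splitlines()) if r is not None]


def summarise_denials(records: List[AvcRecord]) -> Dict[Tuple[str, str, str], FrozenSet[str]]:
    """Fold denials into (source type, target type, class) -> union of permissions,
    the grouping audit2allow uses; pid, inode and file name are dropped on purpose."""
    grouped: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for r in records:
        if r.verdict == "denied":
            grouped[(r.source_type, r.target_type, r.fields["tclass"])] |= r.perms
    return {key: frozenset(perms) for key, perms in grouped.items()}


def as_allow_rules(summary: Dict[Tuple[str, str, str], FrozenSet[str]]) -> List[str]:
    """Render each group in the 'allow src tgt:class { perms };' form audit2allow prints."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        plist = " ".join(sorted(perms))
        body = "{ %s }" % plist if len(perms) > 1 else plist
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules


if __name__ == "__main__":
    records = parse_avc_log(SAMPLE_LOG)
    for r in records:
        print(r.serial, r.fields.get("comm"), r.source_type, "->", r.target_type,
              r.fields["tclass"], sorted(r.perms))
    print("\n".join(as_allow_rules(summarise_denials(records))))
```

Grouping by type rather than by pid is what makes the summary useful: the two httpd records with serial 71913 collapse into one `{ open read }` line. The rendered allow rule only describes what was denied; as the replies in this thread point out, the right fix is often a label change on the object (a logfile-classified type for the files logrotate must touch) rather than a new rule for the domain.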
Re: sesearch output
by Dominick Grift
On Tue, 2012-10-16 at 15:39 +0100, Moray Henderson wrote:
> On CentOS 6 I'm trying to get logrotate to work on some web files. At the
> moment they're httpd_sys_content_t and give
>
> Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc:
> denied { read write } for pid=1275 comm="logrotate" name="dnsview.html"
> dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> I wanted to see what did have access to those files, so used
>
> # sesearch --allow -t httpd_sys_content_t | less
>
> I thought that would show me all the allow rules with a target of
> httpd_sys_content_t, but it seems to show other stuff as well, which
> confused me:
>
> allow logwatch_t file_type : filesystem getattr ;
> allow logwatch_t file_type : file getattr ;
> allow logwatch_t file_type : dir { getattr search open } ;
> allow logwatch_t file_type : lnk_file getattr ;
>
> and so on. Is that supposed to show up? Does it mean that logwatch can
> search all directories regardless of their context?
httpd_sys_content_t is classified a file_type, thus sesearch returning
these makes sense.
When you run:
sesearch --allow -t httpd_sys_content_t | less
you query the policy.db for all allow rules where httpd_sys_content_t is
a target, direct or indirect.
> Is there a context that would be appropriate for my files or will I need
> custom policy if I want to rotate them?
>
logrotate is for rotating logfiles. Types for log files are classified
"logfile".
So either classify your type logfile or use an existing type that is
classified logfile.
list all types that are classified logfile
seinfo -xalogfile
list all the classifications of the httpd_sys_content_t type
seinfo -xthttpd_sys_content_t
list all classifications
seinfo -a
list all types
seinfo -t
query the policy database for logrotate_t access allowed to logfile targets
sesearch --ASCT -s logrotate_t -t logfile
etc etc
When you understand the concept of classifying things with type and role
attributes and learn how to use semanage, seinfo and sesearch to query
the policy.db, then you can find solutions to any SELinux policy problem.
I look at attributes as being able to append metadata to a type.
It basically tells you, or allows you to specify, the property of a type.
By default a type is just a type.
To make a type, for example a type for files, you assign the existing
file_type type attribute to the type. Now it is classified a file type.
Then you can write rules that apply to groups of types.
So for example, instead of allowing "myapp_t" to write files with a
single file type of "myfile_t", you can allow it to write all types that
are types of files (classified file_type):
allow myapp_t myfile_t:file write;
versus
allow myapp_t file_type:file write;
There are many classifications (type attributes) and you can create your
own and assign them to types.
>
> Moray.
> "To err is human; to purr, feline."
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
11 years, 5 months