new avcs from setroubleshoot browser
by Antonio Olivares
Dear all,
New avcs have appeared:
Summary
SELinux is preventing /sbin/ip (ifconfig_t) "write" to pipe (unconfined_t).
Detailed Description
SELinux denied access requested by /sbin/ip. It is not expected that this
access is required by /sbin/ip and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:ifconfig_t
Target Context system_u:system_r:unconfined_t
Target Objects pipe [ fifo_file ]
Affected RPM Packages iproute-2.6.22-2.fc8 [application]
Policy RPM selinux-policy-3.0.8-13.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.23-0.202.rc8.fc8
#1 SMP Mon Sep 24 22:09:05 EDT 2007 i686 i686
Alert Count 3
First Seen Wed 26 Sep 2007 06:34:54 PM CDT
Last Seen Wed 26 Sep 2007 06:34:54 PM CDT
Local ID d0527712-8653-4588-9f61-e20604d839bf
Line Numbers
Raw Audit Messages
avc: denied { write } for comm=ip dev=pipefs egid=0 euid=0 exe=/sbin/ip exit=0
fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[11604] pid=3103
scontext=system_u:system_r:ifconfig_t:s0 sgid=0
subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=fifo_file
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0
Summary
SELinux is preventing consoletype (consoletype_t) "read" to pipe
(unconfined_t).
Detailed Description
SELinux denied access requested by consoletype. It is not expected that this
access is required by consoletype and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:consoletype_t
Target Context system_u:system_r:unconfined_t
Target Objects pipe [ fifo_file ]
Affected RPM Packages
Policy RPM selinux-policy-3.0.8-13.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.23-0.202.rc8.fc8
#1 SMP Mon Sep 24 22:09:05 EDT 2007 i686 i686
Alert Count 2
First Seen Wed 26 Sep 2007 06:34:54 PM CDT
Last Seen Wed 26 Sep 2007 06:34:54 PM CDT
Local ID 8b0eaa38-b9e4-4472-9cd0-ddd5b686793e
Line Numbers
Raw Audit Messages
avc: denied { read } for comm=consoletype dev=pipefs path=pipe:[11541] pid=3036
scontext=system_u:system_r:consoletype_t:s0 tclass=fifo_file
tcontext=system_u:system_r:unconfined_t:s0
How do I deal with these? I am seeing this only on one of the machines. The other two are fine. Crossing my fingers.
Thanks,
Antonio
16 years, 9 months
selinux-policy man pages translation (Russian)
by Andrey Markelov
Hi all.
I have opened a bug #306521.
Another man page translation to Russian, after policycoreutils (bug #250741).
I translated all man pages from selinux-policy (refpolicy) into Russian. I hope it will be
useful for security specialists in my country and will take part in SELinux popularisation.
--
Andrey Markelov,
Plus Communications
Phone: +7(495)777-0-111 ext.533
16 years, 9 months
postfix ldap selinux (centos5)
by Harry Hoffman
My apologies if this is the wrong list and there is a rhel/centos
specific selinux list...
Trying to run postfix-2.2.3 on centos5. I'm using LDAP for maps and
authentication.
Every time I run postqueue -p (to show the mail queue) the command times out.
The following messages are logged in /var/log/maillog:
Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Sep 25 14:50:07 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
The following AVCs show up in /var/log/audit/audit.log:
type=AVC msg=audit(1190746203.204:2162): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1190746203.204:2162): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746203.204:2163): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190746203.204:2163): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d6a0 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746203.204:2164): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1190746203.204:2164): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746203.204:2165): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190746203.204:2165): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=9755b90 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746207.205:2166): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1190746207.205:2166): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
type=AVC msg=audit(1190746207.205:2167): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190746207.205:2167): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d660 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
16 years, 9 months
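Added example, not part of any post in this archive and not audit2allow's own code: a Python parser that reduces repeated AVC denials, such as the six in the postfix post above, to one line per (source type, target type, class), in the grouped `allow` layout seen in the NetworkManager post on this page. The sample records are constructed from the posts with line wraps rejoined, and all function names are this example's own; the output is a triage summary of what was denied, to be read against the intended policy.

```python
import re
from collections import defaultdict

# Constructed sample: records shaped like those in this archive, wraps rejoined.
SAMPLE = """\
type=AVC msg=audit(1190746203.204:2162): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1190746203.204:2162): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1190746203.204:2163): avc: denied { name_connect } for pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1190746207.205:2166): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
avc: denied { read, write } for comm=hp path=socket:[41030] pid=3214 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=unix_stream_socket tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
Sep 21 14:03:47 localhost kernel: audit(1190408616.016:4): avc: denied { search } for pid=1835 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type[:mls-range]; the type is the third field.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one denial into (source_type, target_type, class, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL records and unrelated log lines
    perms = {p for p in re.split(r"[,\s]+", m.group(1)) if p}
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    src = selinux_type(fields.get("scontext", ""))
    tgt = selinux_type(fields.get("tcontext", ""))
    tclass = fields.get("tclass")
    if not (perms and src and tgt and tclass):
        return None  # truncated or still-wrapped record: skip rather than guess
    return src, tgt, tclass, perms

def summarize(text):
    """Merge repeated denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        rules[rec[:3]] |= rec[3]
    return rules

def render(rules):
    """Format the merged denials in audit2allow's grouped layout, for review."""
    out, last = [], None
    for (src, tgt, tclass), perms in sorted(rules.items()):
        if src != last:
            out.append(f"#============= {src} ==============")
            last = src
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {'self' if tgt == src else tgt}:{tclass} {perm_txt};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(summarize(SAMPLE)))
```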
SELinux is preventing /usr/lib/cups/backend/hp (hplip_t) "read write" to socket:[41030] (cupsd_t).
by Antonio Olivares
Thanks for fixing the other issues :)
Now this one started as of today :(
Summary
SELinux is preventing /usr/lib/cups/backend/hp (hplip_t) "read write" to
socket:[41030] (cupsd_t).
Detailed Description
SELinux denied access requested by /usr/lib/cups/backend/hp. It is not
expected that this access is required by /usr/lib/cups/backend/hp and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:hplip_t:SystemLow-SystemHigh
Target Context system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Objects socket:[41030] [ unix_stream_socket ]
Affected RPM Packages hplip-2.7.7-4.fc8 [application]
Policy RPM selinux-policy-3.0.8-11.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name localhost
Platform Linux localhost 2.6.23-0.202.rc8.fc8 #1 SMP Mon
Sep 24 22:09:05 EDT 2007 i686 athlon
Alert Count 1
First Seen Tue 25 Sep 2007 08:54:39 AM CDT
Last Seen Tue 25 Sep 2007 08:54:39 AM CDT
Local ID 7cbc1a88-cda1-4ff4-b13b-218173d9ae7f
Line Numbers
Raw Audit Messages
avc: denied { read, write } for comm=hp dev=sockfs egid=7 euid=4
exe=/usr/lib/cups/backend/hp exit=0 fsgid=7 fsuid=4 gid=7 items=0
path=socket:[41030] pid=3214 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
sgid=7 subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 suid=4
tclass=unix_stream_socket tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tty=(none) uid=4
Thanks,
Antonio
16 years, 9 months
SELinux is preventing /sbin/setfiles (setfiles_t) "write" to pipe:[37965] (rpm_t)
by Antonio Olivares
Summary
SELinux is preventing /sbin/setfiles (setfiles_t) "write" to pipe:[37965]
(rpm_t).
Detailed Description
SELinux denied access requested by /sbin/setfiles. It is not expected that
this access is required by /sbin/setfiles and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:setfiles_t
Target Context system_u:system_r:rpm_t
Target Objects pipe:[37965] [ fifo_file ]
Affected RPM Packages policycoreutils-2.0.25-14.fc8 [application]
Policy RPM selinux-policy-3.0.8-3.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name localhost
Platform Linux localhost 2.6.23-0.189.rc6.git8.fc8 #1 SMP
Wed Sep 19 20:34:10 EDT 2007 i686 athlon
Alert Count 2
First Seen Mon 24 Sep 2007 06:33:12 AM CDT
Last Seen Mon 24 Sep 2007 06:33:13 AM CDT
Local ID 1bf48637-4571-49ee-b8e4-2d2952c9168a
Line Numbers
Raw Audit Messages
avc: denied { write } for comm=restorecon dev=pipefs egid=0 euid=0
exe=/sbin/setfiles exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[37965]
pid=3179 scontext=system_u:system_r:setfiles_t:s0 sgid=0
subj=system_u:system_r:setfiles_t:s0 suid=0 tclass=fifo_file
tcontext=system_u:system_r:rpm_t:s0 tty=(none) uid=0
16 years, 9 months
New NetworkManager, wireless, ....
by Tom London
Running latest Rawhide, targeted.
In enforcing mode, NetworkManager (i.e., nm-applet) doesn't 'see' my
wireless stuff.
Rebooting in permissive, NetworkManager now 'sees' the wireless networks.
In enforcing mode, I get this:
#============= system_dbusd_t ==============
allow system_dbusd_t lib_t:file execute_no_trans;
In permissive mode, I get the following AVCs:
#============= NetworkManager_t ==============
allow NetworkManager_t system_dbusd_t:netlink_selinux_socket { read write };
allow NetworkManager_t var_log_t:dir { write search add_name };
allow NetworkManager_t var_log_t:file { create getattr };
#============= system_dbusd_t ==============
allow system_dbusd_t lib_t:file execute_no_trans;
I attach both audit logs.
tom
--
Tom London
16 years, 9 months
many selinux alerts hard to keep up, this one unix_read unix_write to <Unknown> (wine_t). occurs most
by Antonio Olivares
SELinux is preventing python (cupsd_config_t) "read" to 002 (usb_device_t).
SELinux is preventing python (cupsd_config_t) "read write" to 002
(usb_device_t).
SELinux is preventing python (cupsd_config_t) "read" to 004 (usb_device_t).
SELinux is preventing python (cupsd_config_t) "read" to 001 (usb_device_t).
+ ..., +
This one does not want to go away ->
SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write"
to <Unknown> (wine_t).
http://www.geocities.com/olivares14031/selinux-20070921.txt
Not complaining, only making them aware so that these ills can be cured.
Antonio
16 years, 9 months
udev_t and alsa_var_lib_t....
by Tom London
Running latest Rawhide.
Get these in /var/log/messages before auditd starts:
Sep 21 14:03:47 localhost kernel: audit(1190408616.016:4): avc: denied { search } for pid=1835 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir
Sep 21 14:03:47 localhost kernel: audit(1190408616.016:5): avc: denied { search } for pid=1834 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir
Sep 21 14:03:47 localhost kernel: audit(1190408616.016:6): avc: denied { search } for pid=1837 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir
Sep 21 14:03:47 localhost kernel: audit(1190408616.016:7): avc: denied { search } for pid=1836 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir
Believe this is from /etc/udev/rules/90-alsa.rules:
SUBSYSTEM=="sound", KERNEL=="controlC*" RUN+="/sbin/salsa"
SUBSYSTEM=="sound", KERNEL=="pcm*" RUN+="/sbin/salsa"
Appears to be trying to read /var/lib/alsa/asound.state and restoring
audio state to previously set values.
tom
--
Tom London
16 years, 9 months
more fine grained access in /etc
by Torbjørn Lindahl
Hello, I am writing an application that I want to limit using selinux.
audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts -
which doesn't seem too unreasonable, however both these have types etc_t,
and allowing myapp_t to read etc_t would also give it access to for example
/etc/passwd, which I do not want.
Do I have to invent a new type for these two files to be able to keep my
application from the other etc_t files in /etc ?
--
mvh
Torbjørn Lindahl
16 years, 9 months
selinux errors on rawhide despite update
by Antonio Olivares
I have updated this machine running rawhide and I still see many of these. Did they not get fixed with the new selinux-policy?
Summary
SELinux is preventing python (cupsd_config_t) "read" to 003 (usb_device_t).
Detailed Description
SELinux denied access requested by python. It is not expected that this
access is required by python and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for 003, restorecon -v 003 If this
does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:cupsd_config_t
Target Context system_u:object_r:usb_device_t
Target Objects 003 [ chr_file ]
Affected RPM Packages
Policy RPM selinux-policy-3.0.8-3.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name localhost
Platform Linux localhost 2.6.23-0.189.rc6.git8.fc8 #1 SMP
Wed Sep 19 20:34:10 EDT 2007 i686 athlon
Alert Count 6
First Seen Mon 17 Sep 2007 07:07:18 PM CDT
Last Seen Thu 20 Sep 2007 07:16:40 PM CDT
Local ID cbf278e4-fbdc-4926-9daf-0eca08b62ddd
Line Numbers
Raw Audit Messages
avc: denied { read } for comm=python dev=tmpfs egid=0 euid=0 exe=/usr/bin/python
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=003 pid=2326
scontext=system_u:system_r:cupsd_config_t:s0 sgid=0
subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0
avc: denied { read } for comm=python dev=tmpfs egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=001 pid=2326 scontext=system_u:system_r:cupsd_config_t:s0 sgid=0 subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0
Might not the new policy have been updated?
Thanks,
Antonio
16 years, 9 months