September 2007 - selinux - Fedora Mailing-Lists

by Antonio Olivares

Dear all, New avcs have appeared: Summary SELinux is preventing /sbin/ip (ifconfig_t) "write" to pipe (unconfined_t). Detailed Description SELinux denied access requested by /sbin/ip. It is not expected that this access is required by /sbin/ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:ifconfig_t Target Context system_u:system_r:unconfined_t Target Objects pipe [ fifo_file ] Affected RPM Packages iproute-2.6.22-2.fc8 [application] Policy RPM selinux-policy-3.0.8-13.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.23-0.202.rc8.fc8 #1 SMP Mon Sep 24 22:09:05 EDT 2007 i686 i686 Alert Count 3 First Seen Wed 26 Sep 2007 06:34:54 PM CDT Last Seen Wed 26 Sep 2007 06:34:54 PM CDT Local ID d0527712-8653-4588-9f61-e20604d839bf Line Numbers Raw Audit Messages avc: denied { write } for comm=ip dev=pipefs egid=0 euid=0 exe=/sbin/ip exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[11604] pid=3103 scontext=system_u:system_r:ifconfig_t:s0 sgid=0 subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0 Summary SELinux is preventing consoletype (consoletype_t) "read" to pipe (unconfined_t). Detailed Description SELinux denied access requested by consoletype. It is not expected that this access is required by consoletype and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:consoletype_t Target Context system_u:system_r:unconfined_t Target Objects pipe [ fifo_file ] Affected RPM Packages Policy RPM selinux-policy-3.0.8-13.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.23-0.202.rc8.fc8 #1 SMP Mon Sep 24 22:09:05 EDT 2007 i686 i686 Alert Count 2 First Seen Wed 26 Sep 2007 06:34:54 PM CDT Last Seen Wed 26 Sep 2007 06:34:54 PM CDT Local ID 8b0eaa38-b9e4-4472-9cd0-ddd5b686793e Line Numbers Raw Audit Messages avc: denied { read } for comm=consoletype dev=pipefs path=pipe:[11541] pid=3036 scontext=system_u:system_r:consoletype_t:s0 tclass=fifo_file tcontext=system_u:system_r:unconfined_t:s0 How do I deal with these. I am seeing this only on one of the machines. On the other two are fine. Crossing my fingers. Thanks, Antonio ____________________________________________________________________________________ Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online. http://smallbusiness.yahoo.com/webhosting

16 years, 9 months

1
0
0 / 0

selinux-policy man pages translation (Russian)

by Andrey Markelov

Hi all. I have opened a bug #306521. Another man pages translations to Russian after policycoreutils (bug #250741). I translated all man pages from selinux-policy (refpolicy) to Russian language. I hope it it will be useful for security specialists in my country and will take part in SELinux popularisation. -- Andrey Markelov, Plus Communications Phone: +7(495)777-0-111 ext.533

16 years, 9 months

1
0
0 / 0

postfix ldap selinux (centos5)

by Harry Hoffman

My apologies if this is the wrong list and there is a rhel/centos specific selinux list... Trying to run postfix-2.2.3 on centos5. I'm using LDAP for maps and authentication. Everytime I run postqueue -p (to show the mail queue) the command times out. The following messages are logged in /var/log/maillog: Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP serv er ldap://localhost/: Can't contact LDAP server Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP serv er ldap://localhost/: Can't contact LDAP server Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)... Sep 25 14:50:07 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP serv er ldap://localhost/: Can't contact LDAP server The following AVCs show up in /var/log/audit/audit.log: type=AVC msg=audit(1190746203.204:2162): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:po stfix_showq_t:s0 tclass=netlink_route_socket type=SYSCALL msg=audit(1190746203.204:2162): arch=40000003 syscall=102 success=n o exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 aui d=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm= "showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 k ey=(null) type=AVC msg=audit(1190746203.204:2163): avc: denied { name_connect } for pid =9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=s ystem_u:object_r:ldap_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1190746203.204:2163): arch=40000003 syscall=102 success=n o exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d6a0 items=0 ppid=9835 pid=9842 aui d=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm= "showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 k ey=(null) type=AVC msg=audit(1190746203.204:2164): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:po stfix_showq_t:s0 tclass=netlink_route_socket type=SYSCALL msg=audit(1190746203.204:2164): arch=40000003 syscall=102 success=n o exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 aui d=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm= "showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 k ey=(null) type=AVC msg=audit(1190746203.204:2165): avc: denied { name_connect } for pid =9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=s ystem_u:object_r:ldap_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1190746203.204:2165): arch=40000003 syscall=102 success=n o exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=9755b90 items=0 ppid=9835 pid=9842 aui d=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm= "showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 k ey=(null) type=AVC msg=audit(1190746207.205:2166): avc: denied { create } for pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:po stfix_showq_t:s0 tclass=netlink_route_socket type=SYSCALL msg=audit(1190746207.205:2166): arch=40000003 syscall=102 success=n o exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 aui d=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm= "showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 k ey=(null) type=AVC msg=audit(1190746207.205:2167): avc: denied { name_connect } for pid =9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=s ystem_u:object_r:ldap_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1190746207.205:2167): arch=40000003 syscall=102 success=n o exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d660 items=0 ppid=9835 pid=9842 aui d=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm= "showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 k ey=(null)

16 years, 9 months

2
1
0 / 0

SELinux is preventing /usr/lib/cups/backend/hp (hplip_t) "read write" to socket:[41030] (cupsd_t).

by Antonio Olivares

Thanks for fixing the other issues :) Now this one started as of today :( Summary SELinux is preventing /usr/lib/cups/backend/hp (hplip_t) "read write" to socket:[41030] (cupsd_t). Detailed Description SELinux denied access requested by /usr/lib/cups/backend/hp. It is not expected that this access is required by /usr/lib/cups/backend/hp and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:hplip_t:SystemLow-SystemHigh Target Context system_u:system_r:cupsd_t:SystemLow-SystemHigh Target Objects socket:[41030] [ unix_stream_socket ] Affected RPM Packages hplip-2.7.7-4.fc8 [application] Policy RPM selinux-policy-3.0.8-11.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall Host Name localhost Platform Linux localhost 2.6.23-0.202.rc8.fc8 #1 SMP Mon Sep 24 22:09:05 EDT 2007 i686 athlon Alert Count 1 First Seen Tue 25 Sep 2007 08:54:39 AM CDT Last Seen Tue 25 Sep 2007 08:54:39 AM CDT Local ID 7cbc1a88-cda1-4ff4-b13b-218173d9ae7f Line Numbers Raw Audit Messages avc: denied { read, write } for comm=hp dev=sockfs egid=7 euid=4 exe=/usr/lib/cups/backend/hp exit=0 fsgid=7 fsuid=4 gid=7 items=0 path=socket:[41030] pid=3214 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 suid=4 tclass=unix_stream_socket tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tty=(none) uid=4 Thanks, Antonio ____________________________________________________________________________________ Pinpoint customers who are looking for what you sell. http://searchmarketing.yahoo.com/

16 years, 9 months

2
1
0 / 0

SELinux is preventing /sbin/setfiles (setfiles_t) "write" to pipe:[37965] (rpm_t)

by Antonio Olivares

Summary SELinux is preventing /sbin/setfiles (setfiles_t) "write" to pipe:[37965] (rpm_t). Detailed Description SELinux denied access requested by /sbin/setfiles. It is not expected that this access is required by /sbin/setfiles and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:setfiles_t Target Context system_u:system_r:rpm_t Target Objects pipe:[37965] [ fifo_file ] Affected RPM Packages policycoreutils-2.0.25-14.fc8 [application] Policy RPM selinux-policy-3.0.8-3.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall Host Name localhost Platform Linux localhost 2.6.23-0.189.rc6.git8.fc8 #1 SMP Wed Sep 19 20:34:10 EDT 2007 i686 athlon Alert Count 2 First Seen Mon 24 Sep 2007 06:33:12 AM CDT Last Seen Mon 24 Sep 2007 06:33:13 AM CDT Local ID 1bf48637-4571-49ee-b8e4-2d2952c9168a Line Numbers Raw Audit Messages avc: denied { write } for comm=restorecon dev=pipefs egid=0 euid=0 exe=/sbin/setfiles exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[37965] pid=3179 scontext=system_u:system_r:setfiles_t:s0 sgid=0 subj=system_u:system_r:setfiles_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:rpm_t:s0 tty=(none) uid=0 ____________________________________________________________________________________ Pinpoint customers who are looking for what you sell. http://searchmarketing.yahoo.com/

16 years, 9 months

1
0
0 / 0

New NetworkManager, wireless, ....

by Tom London

Running latest Rawhide, targeted. In enforcing mode, NetworkManager (i.e., nm-applet) doesn't 'see' my wireless stuff. Rebooting in permissive, NetworkManager now 'sees' the wireless networks. In enforcing mode, I get this: #============= system_dbusd_t ============== allow system_dbusd_t lib_t:file execute_no_trans; In permissive mode, I get the following AVCs: #============= NetworkManager_t ============== allow NetworkManager_t system_dbusd_t:netlink_selinux_socket { read write }; allow NetworkManager_t var_log_t:dir { write search add_name }; allow NetworkManager_t var_log_t:file { create getattr }; #============= system_dbusd_t ============== allow system_dbusd_t lib_t:file execute_no_trans; I attach both audit logs. tom -- Tom London

16 years, 9 months

1
0
0 / 0

many selinux alerts hard to keep up, this one unix_read unix_write to <Unknown> (wine_t). occurs most

by Antonio Olivares

SELinux is preventing python (cupsd_config_t) "read" to 002 (usb_device_t). SELinux is preventing python (cupsd_config_t) "read write" to 002 (usb_device_t). SELinux is preventing python (cupsd_config_t) "read" to 004 (usb_device_t). SELinux is preventing python (cupsd_config_t) "read" to 001 (usb_device_t). + ..., + This one does not want to go away -> SELinux is preventing /usr/bin/Xorg (xdm_xserver_t) "unix_read unix_write" to <Unknown> (wine_t). http://www.geocities.com/olivares14031/selinux-20070921.txt Not complaining, only making them aware so that these ills can be cured. Antonio ____________________________________________________________________________________ Tonight's top picks. What will you watch tonight? Preview the hottest shows on Yahoo! TV. http://tv.yahoo.com/

16 years, 9 months

1
0
0 / 0

udev_t and alsa_var_lib_t....

by Tom London

Running latest Rawhide. Get these in /var/log/messages before auditd starts: Sep 21 14:03:47 localhost kernel: audit(1190408616.016:4): avc: denied { search } for pid=1835 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir Sep 21 14:03:47 localhost kernel: audit(1190408616.016:5): avc: denied { search } for pid=1834 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir Sep 21 14:03:47 localhost kernel: audit(1190408616.016:6): avc: denied { search } for pid=1837 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir Sep 21 14:03:47 localhost kernel: audit(1190408616.016:7): avc: denied { search } for pid=1836 comm="salsa" name="alsa" dev=dm-0 ino=688427 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir Believe this is from /etc/udev/rules/90-alsa.rules: SUBSYSTEM=="sound", KERNEL=="controlC*" RUN+="/sbin/salsa" SUBSYSTEM=="sound", KERNEL=="pcm*" RUN+="/sbin/salsa" Appears to be trying to read /var/lib/alsa/asound.state and restoring audio state to previously set values. tom -- Tom London

16 years, 9 months

1
0
0 / 0

more fine grained access in /etc

by Torbjørn Lindahl

Hello, I am writing an application that I want to limit using selinux. audit.log shows that it wants access to /etc/nsswitch.conf and /etc/hosts - which doesn't seem to unreasonable, however both these have types etc_t , and allowing myapp_t to read etc_t would also give it access to for example /etc/passwd, which i do not want. Do I have to invent a new type for these two files to be able to keep my application from the other etc_t files in /etc ? -- mvh Torbjørn Lindahl

16 years, 9 months

4
8
0 / 0

selinux errors on rawhide despite update

by Antonio Olivares

I have updated this machine running rawhide and I still see many of these. Did they not get fixed with the new selinux-policy? Summary SELinux is preventing python (cupsd_config_t) "read" to 003 (usb_device_t). Detailed Description SELinux denied access requested by python. It is not expected that this access is required by python and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for 003, restorecon -v 003 If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:cupsd_config_t Target Context system_u:object_r:usb_device_t Target Objects 003 [ chr_file ] Affected RPM Packages Policy RPM selinux-policy-3.0.8-3.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name localhost Platform Linux localhost 2.6.23-0.189.rc6.git8.fc8 #1 SMP Wed Sep 19 20:34:10 EDT 2007 i686 athlon Alert Count 6 First Seen Mon 17 Sep 2007 07:07:18 PM CDT Last Seen Thu 20 Sep 2007 07:16:40 PM CDT Local ID cbf278e4-fbdc-4926-9daf-0eca08b62ddd Line Numbers Raw Audit Messages avc: denied { read } for comm=python dev=tmpfs egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=003 pid=2326 scontext=system_u:system_r:cupsd_config_t:s0 sgid=0 subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0 avc: denied { read } for comm=python dev=tmpfs egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=001 pid=2326 scontext=system_u:system_r:cupsd_config_t:s0 sgid=0 subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0 Might not the new policy have been updated? Thanks, Antonio ____________________________________________________________________________________ Looking for a deal? Find great prices on flights and hotels with Yahoo! FareChase. http://farechase.yahoo.com/

16 years, 9 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux September 2007