AVCs from restarting httpd but only when in permissive mode
by Edward Kuns
I had to reboot earlier this week because X crashed in a way that took
out my keyboard, requiring a reboot to get the keyboard to work again.
And when I temporarily set to permissive some time ago to do some
testing, then set back to enforcing, somehow my "default" mode got left
in permissive. That's now fixed and I'm back in enforcing mode.
Anyway, after the reboot I came up in permissive mode, which is how I
discovered this.
If I restart httpd while in permissive mode, I get two AVCs. If I
restart httpd while in enforcing mode, I get none. Is this normal or
expected? Since I only get these AVCs while in permissive mode, there's
no error in httpd logs to look for. (And when I look anyway, all I see
is normal "starting up" sorts of messages.)
type=AVC msg=audit(1208684921.858:22475): avc: denied { read write }
for pid=2956 comm="httpd" name="context" dev=selinuxfs ino=5
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1208684921.858:22475): arch=40000003 syscall=5
success=yes exit=14 a0=bfc89488 a1=8002 a2=0 a3=8002 items=0 ppid=1
pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1208684921.858:22476): avc: denied
{ check_context } for pid=2956 comm="httpd"
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1208684921.858:22476): arch=40000003 syscall=4
success=yes exit=33 a0=e a1=b931e310 a2=21 a3=b931e310 items=0 ppid=1
pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)
Eddie
--
Eddie Kuns | Home: ekuns(a)kilroy.chi.il.us
--------------/ URL: http://kilroy.chi.il.us/
"Ah, savory cheese puffs, made inedible by time and fate." -- The Tick
Denials when installing from updates-testing
by Adam Huffman
This morning I used yum to install the latest packages from the
updates-testing repository for F8. Some SELinux denials meant that
problems were reported with a lot of these updates e.g.
Updating : libxml2 ##################### [ 1/145]
error: %post(libxml2-2.6.32-1.fc8.x86_64) scriptlet failed, exit status 255
Updating : gtk2 ##################### [ 2/145]
error: %post(gtk2-2.12.8-2.fc8.x86_64) scriptlet failed, exit status 255
Updating : libxslt ##################### [ 3/145]
error: %post(libxslt-1.1.23-1.fc8.x86_64) scriptlet failed, exit status 255
Updating : evolution-data-server ##################### [ 4/145]
error: %post(evolution-data-server-1.12.3-5.fc8.x86_64) scriptlet failed, exit status 255
and here are excerpts of the sealert messages:
Summary:
SELinux is preventing yum (mono_t) "transition" to /sbin/ldconfig
(rpm_script_t).
Source Context unconfined_u:system_r:mono_t:SystemLow-SystemHigh
Target Context unconfined_u:system_r:rpm_script_t:SystemLow-SystemHigh
Target Objects /sbin/ldconfig [ process ]
Source yum
Source Path /usr/bin/python
Port <Unknown>
Source RPM Packages python-2.5.1-15.fc8
Target RPM Packages glibc-2.7-2
Policy RPM selinux-policy-3.0.8-95.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Raw Audit Messages
type=AVC msg=audit(1208774766.511:30956): avc: denied { transition }
for pid=4487 comm="yum" path="/sbin/ldconfig" dev=dm-0 ino=852080
scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
tclass=process
type=SYSCALL msg=audit(1208774766.511:30956): arch=c000003e syscall=59
success=no exit=-13 a0=1637234f a1=7fff43a32a40 a2=947ac50
a3=3d4fc13bb2 items=0 ppid=4089 pid=4487 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 comm="yum"
exe="/usr/bin/python" subj=unconfined_u:system_r:mono_t:s0-s0:c0.c1023
key=(null)
and
Summary:
SELinux is preventing yum (mono_t) "transition" to /bin/bash (rpm_script_t).
Additional Information:
Source Context unconfined_u:system_r:mono_t:SystemLow-SystemHigh
Target Context unconfined_u:system_r:rpm_script_t:SystemLow-SystemHigh
Target Objects /bin/bash [ process ]
Source yum
Source Path /usr/bin/python
Port <Unknown>
Source RPM Packages python-2.5.1-15.fc8
Target RPM Packages bash-3.2-20.fc8
Policy RPM selinux-policy-3.0.8-95.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Alert Count 69
First Seen Mon 07 Apr 2008 13:02:19 BST
Last Seen Mon 21 Apr 2008 11:46:06 BST
Local ID e148a133-5374-43a6-953b-45076d5c667b
Line Numbers
Raw Audit Messages
type=AVC msg=audit(1208774766.470:30955): avc: denied { transition }
for pid=4486 comm="yum" path="/bin/bash" dev=dm-0 ino=65580
scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
tclass=process
type=SYSCALL msg=audit(1208774766.470:30955): arch=c000003e syscall=59
success=no exit=-13 a0=1658931a a1=7fff43a32a40 a2=947ac50
a3=3d4fc13bb2 items=0 ppid=4089 pid=4486 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 comm="yum"
exe="/usr/bin/python" subj=unconfined_u:system_r:mono_t:s0-s0:c0.c1023
key=(null)
Does this look like a local problem and relabelling is needed?
Adam
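The two threads above show the same kind of record with one decisive difference: in Eddie's httpd case the SYSCALL record says success=yes (the denial was only logged, which is why httpd's own logs show nothing), while in Adam's yum case it says success=no exit=-13 (EACCES, the kernel really refused the execve). The following parser is added here and is not from either post; it groups AVC and SYSCALL records by their audit event id and uses that field to separate enforced denials from permissive-mode noise. The sample records are copied from the two posts.

```python
import re
from collections import defaultdict

# Constructed sample: the httpd AVC/SYSCALL pair from the permissive-mode restart
# and the yum/bash pair from the updates-testing post (enforcing, exit=-13 is -EACCES).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1208684921.858:22475): avc: denied { read write } for pid=2956 comm="httpd" name="context" dev=selinuxfs ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1208684921.858:22475): arch=40000003 syscall=5 success=yes exit=14 a0=bfc89488 a1=8002 a2=0 a3=8002 items=0 ppid=1 pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1208774766.470:30955): avc: denied { transition } for pid=4486 comm="yum" path="/bin/bash" dev=dm-0 ino=65580 scontext=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1208774766.470:30955): arch=c000003e syscall=59 success=no exit=-13 a0=1658931a a1=7fff43a32a40 a2=947ac50 a3=3d4fc13bb2 items=0 ppid=4089 pid=4486 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 comm="yum" exe="/usr/bin/python" subj=unconfined_u:system_r:mono_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")  # timestamp:serial is the event id
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(text):
    """Group AVC and SYSCALL records by event id. The AVC says what policy
    denied; the SYSCALL with the same id says whether the kernel refused it."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events[m.group(1)]
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            ev["perms"] = PERMS_RE.search(line).group(1).split()
            ev["comm"] = fields.get("comm")
            ev["stype"] = fields["scontext"].split(":")[2]  # source domain
            ev["ttype"] = fields["tcontext"].split(":")[2]  # target type
            ev["tclass"] = fields["tclass"]
        elif fields.get("type") == "SYSCALL":
            ev["success"] = fields["success"] == "yes"
            ev["exit"] = int(fields["exit"])
    return dict(events)

def classify(ev):
    """'permissive': policy denied it but the syscall succeeded (global permissive
    mode or a permissive domain), so the program never saw an error and logs
    nothing. 'enforced': the kernel refused it. 'unknown': no SYSCALL record."""
    if "success" not in ev:
        return "unknown"
    return "permissive" if ev["success"] else "enforced"

def report(text):
    """One (comm, source type, target type, tclass, perms, verdict) per event."""
    return [(ev["comm"], ev["stype"], ev["ttype"], ev["tclass"], ev["perms"], classify(ev))
            for ev in parse_audit(text).values()]
```

Run it over the output of `ausearch -m AVC,SYSCALL` to see at a glance which denials would actually bite once you go back to enforcing.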
Re: selinux denies X, but can get in via permissive mode
by Antonio Olivares
--- Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> Antonio Olivares wrote:
> > --- Dennis Jacobfeuerborn
> > <d.jacobfeuerborn(a)conversis.de> wrote:
> >
> >> Antonio Olivares wrote:
> >>> No, I tried
> >>> # touch ./autorelabel
> >> That should be "touch /.autorelabel"
> >>
> >> Regards,
> >> Dennis
> >>
> >> --
> >> fedora-test-list mailing list
> >> fedora-test-list(a)redhat.com
> >> To unsubscribe:
> >> https://www.redhat.com/mailman/listinfo/fedora-test-list
> >
> > I did it the right way as you write it correctly. But
> > still get a bunch of errors. I have to still boot
> > with enforcing=0 because the selinux denials are too
> > much to handle. The setroubleshooter utility fires
> > like the fastest guns in the west. It will need to
> > wait for a bigger fix than the ones in the avcs
> > message to fix.
> >
> > Regards,
> >
> > Antonio
> >
> I would try the following commands, they should have
> executed during the upgrade.
>
> # semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
> # semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 __default__
> # semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 root
Dan,
Thank you very much. The above commands cured the
illness, along with the su - errors as well.
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]#
Regards,
Antonio
selinux mini-summit sub-policy topic
by Serge E. Hallyn
Hi,
It appears many of us have a related policy issue.
The Fedora folks want to be able to create distro images under a chroot
or namespace with selinux enforcing, but with the distro images having
different policy from the host. I don't know whether they want to be
able to run tests under that image, or only be able to write down
potentially unknown labels so as to be able to lay the image down on
disk.
The fmac (opensolaris) folks may want to be able to load different
policies in different zones.
The linux containers folks (and I) want basically the same thing as the
zones folks, that is, to support container administrators loading their
own policy. My plan had been to pull together what I can to propose a
LISA paper, so I was hoping to really get geared up this week after
finishing other papers. (This is free time stuff, and has been on
the back burner for a year now.) In the containers case, I am
starting to use the type namespace (container1.subtype1) to confine
a container policy, where subtype1 in container1 is known to the
host as container1.subtype1. This leaves MLS and MCS unsupported ATM.
Dan Walsh is working on policy for xen/qemu images, however that is
not really related as the vm has its own OS. I'm mentioning it here
in case I'm wrong.
Are there other projects needing similar support? There used to be
a problem with rpms being able to create files with not-yet-defined
types, which may be more similar to the fedora problem above, and I
have no idea whether/how that ended up being resolved.
Is it worth proposing a joint topic for discussion at the selinux
mini-summit? It could take several formats, from a meeting amongst
ourselves followed by a panel discussion, to a set of lightning talks, to
a 30 minute joint presentation where we present what we talk about in
emails before OLS.
thanks,
-serge
mrtg selinux denials in default configuration
by Development discussions related to Fedora
I'm getting selinux denials with a default install of mrtg. I found a
bug that was opened and closed as NOTABUG:
https://bugzilla.redhat.com/show_bug.cgi?id=439953
However, that relates to a custom user config that calls a script, and
the response was that matching policy needs to be built.
In my case mrtg is running completely default {which may well be fully
useless - I haven't learnt enough about it yet}.
Should there be selinux denials on a default install of a package?
DaveT.
selinux denies X, but can get in via permissive mode
by Antonio Olivares
Dear all,
*** fedora 7 ==> Fedora rawhide machine.
booting with enforcing=0 parameter. Could not su -
before, but with enforcing=0 can now. The following
warning comes up.
How can I fix this to boot normally?
Thanks,
Antonio
Summary:
SELinux prevented X from using the terminal /dev/tty7.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux prevented X from using the terminal /dev/tty7. In most cases daemons do
not need to interact with the terminal, usually these avc messages can be
ignored. All of the confined daemons should have dontaudit rules around using
the terminal. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy.
If you would like to allow all daemons to interact with the terminal, you can
turn on the allow_daemons_use_tty boolean.
Allowing Access:
Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."
Fix Command:
setsebool -P allow_daemons_use_tty=1
Additional Information:
Source Context user_u:user_r:user_t
Target Context system_u:object_r:tty_device_t
Target Objects /dev/tty7 [ chr_file ]
Source X
Source Path /usr/bin/Xorg
Port <Unknown>
Host localhost.localdomain
Source RPM Packages xorg-x11-server-Xorg-1.4.99.901-21.20080407.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-33.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name allow_daemons_use_tty
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25-0.218.rc8.git7.fc9.i686 #1 SMP Wed Apr 9 20:35:56 EDT 2008 i686 i686
Alert Count 1
First Seen Wed 16 Apr 2008 06:51:08 PM CDT
Last Seen Wed 16 Apr 2008 06:51:08 PM CDT
Local ID 08f38222-ea43-4584-b095-04504b198679
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1208389868.367:37): avc: denied { ioctl } for pid=2431 comm="X" path="/dev/tty7" dev=tmpfs ino=237 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
host=localhost.localdomain type=SYSCALL msg=audit(1208389868.367:37): arch=40000003 syscall=54 success=yes exit=0 a0=7 a1=4b30 a2=640ba6 a3=51eb851f items=0 ppid=2430 pid=2431 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=tty7 ses=1 comm="X" exe="/usr/bin/Xorg" subj=user_u:user_r:user_t:s0 key=(null)
Fail2ban and SELinux
by max
I recently installed fail2ban on my F8 box. I don't allow remote
access to my box but it had been mentioned recently so I decided to
test it out. I installed it a few days ago but didn't do anything with
it till last night. I had forgotten about it but I was perusing log
files and saw 21 AVCs related to it. I pulled up my services gui
and sure enough it wasn't running. I tried to start it and got
denied (it wouldn't start from a terminal at all, complaining that the
service is unrecognized). No problem, I expected as much when I saw
the AVCs in my log files but I always try things more than once so I
tried to start it a second time and this time and every time after it
started without generating a denial. Is this because I manually
started the service? That doesn't make sense because then it would
have worked the first time as well but it didn't. I see that there is
a policy module for fail2ban but if the module is in place then
shouldn't it have run without issues? Why 21 AVCs and then it's
working? I am learning my way around SELinux but I don't feel
comfortable enough to troubleshoot this problem correctly, so where do
I start?
Max
Samba access to /var/www/html and webalizer
by Leonid Zeitlin
Hi all,
I want to export my /var/www/html directory via Samba. Man samba_selinux
suggests: "If you want to share files with multiple domains (Apache, FTP,
rsync, Samba), you can set a file context of public_content_t and
public_content_rw_t." Ok, I did just that and relabeled /var/www/html as
public_content_rw_t. I found that Samba still cannot access /var/www/html,
because /var/www was still labelled httpd_sys_content_t. Ok, I relabeled
/var/www as well.
Now I see that webalizer can't work. It can't enter its directory
/var/www/usage, because /var/www is labelled public_content_t and webalizer
can't search this directory.
Short of setting samba_export_all_rw, is there a way to get both Samba and
Webalizer to work? Perhaps webalizer should be allowed to read/search
public_content_t and public_content_rw_t?
Thanks,
Leonid