Re: How can I set label to symbolic link?
by Shintaro Fujiwara
Here it is, sir...
Well, actually I'm trying to write my segatex policy.
/usr/bin/segatex is actually a link to /usr/bin/consolehelper
In my INSTALL script I declared,
##################################
ln -s /usr/bin/consolehelper /usr/bin/segatex
##################################
I've been running my program in unconfined domain for several years,
but I want to confine it now.
So, I tried to label segatex_exec_t to /usr/bin/segatex.
Made it fine, installed all right.
I could find segatex module, you know...
But alas, I could not restorecon nor autorelabel.
Why?
# segatex executable will have:
# label: system_u:object_r:segatex_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
/usr/bin/segatex -- gen_context(system_u:object_r:segatex_exec_t,s0)
/usr/share/segatex(/.*)? -- gen_context(system_u:object_r:segatex_etc_t,s0)
2009/4/20 Daniel J Walsh <dwalsh(a)redhat.com>:
> On 04/20/2009 08:32 AM, Shintaro Fujiwara wrote:
>>
>> I wrote a policy which declares some label to symbolic link, and I
>> restoreconed, but failed?
>>
>> Am I stupid or what should I do to this?
>>
>> Thanks.
>>
> What does your fc file look like?
>
--
http://intrajp.no-ip.com/ Home Page
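As an added illustration of the symlink question above (not code from the post or from segatex): a small file_contexts matcher that applies the post's two entries to /usr/bin/segatex once as a symlink and once as a regular file. It assumes the file_contexts(5) file-type flags, simplifies matching to last-match-wins, and the "-l" entry is a hypothetical corrected line, not something the post contains.

```python
import re

# file_contexts(5) file-type flags: "--" matches regular files only, so it never
# matches a symlink; "-l" is the flag for symbolic links. No flag = any type.
FTYPE_FLAGS = {"--": "file", "-l": "symlink", "-d": "dir", "-c": "chr",
               "-b": "blk", "-s": "sock", "-p": "fifo"}

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-ldcbsp])\s+)?(.+?)\s*$")
GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),([^)]+)\)")

# The two entries from the post, joined back onto one line each; both carry "--".
POST_FC = """
/usr/bin/segatex -- gen_context(system_u:object_r:segatex_exec_t,s0)
/usr/share/segatex(/.*)? -- gen_context(system_u:object_r:segatex_etc_t,s0)
"""
# Hypothetical corrected entry (not from the post): "-l" labels the link itself.
FIXED_FC = """
/usr/bin/segatex -l gen_context(system_u:object_r:segatex_exec_t,s0)
"""

def parse_fc(text):
    """Parse file_contexts lines into (compiled regex, wanted type or None, context)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("bad file_contexts line: " + line)
        regex, flag, ctx = m.groups()
        g = GEN_CONTEXT.match(ctx)
        if g:  # expand gen_context(ctx, level) as refpolicy's m4 macro would
            ctx = "%s:%s" % (g.group(1).strip(), g.group(2).strip())
        entries.append((re.compile(regex), FTYPE_FLAGS.get(flag), ctx))
    return entries

def fc_lookup(entries, path, ftype):
    """Context restorecon would apply to `path` whose lstat() type is `ftype`
    ("file", "symlink", "dir", ...), or None when no entry matches.
    Simplification: last matching entry wins; libselinux also orders by specificity."""
    found = None
    for regex, want, ctx in entries:
        if regex.fullmatch(path) and (want is None or want == ftype):
            found = ctx
    return found

if __name__ == "__main__":
    # The post's /usr/bin/segatex is a symlink, so the "--" entry leaves it alone.
    print(fc_lookup(parse_fc(POST_FC), "/usr/bin/segatex", "symlink"))
    print(fc_lookup(parse_fc(FIXED_FC), "/usr/bin/segatex", "symlink"))
```

The kernel decides an exec domain transition from the inode actually executed, which for a symlink is its target (/usr/bin/consolehelper here), so labeling the link alone does not by itself produce a transition via segatex_exec_t.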
kde4 AVC
by John Griffiths
I occasionally get:
Summary:
SELinux prevented kde4-config from writing ./.kde.
Detailed Description:
SELinux prevented kde4-config from writing ./.kde. If ./.kde is a core
file, you
may want to allow this. If ./.kde is not a core file, this could signal a
intrusion attempt.
Allowing Access:
Changing the "allow_daemons_dump_core" boolean to true will allow this
access:
"setsebool -P allow_daemons_dump_core=1."
Fix Command:
setsebool -P allow_daemons_dump_core=1
Additional Information:
Source Context system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context system_u:object_r:root_t
Target Objects ./.kde [ dir ]
Source kde4-config
Source Path /usr/bin/kde4-config
Port <Unknown>
Host elijah.suretrak21.net
Source RPM Packages kdelibs-4.2.1-4.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-54.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_daemons_dump_core
Host Name elijah.suretrak21.net
Platform Linux elijah.suretrak21.net
2.6.27.21-170.2.56.fc10.i686 #1 SMP Mon Mar 23
23:37:54 EDT 2009 i686 i686
Alert Count 2
First Seen Wed 15 Apr 2009 11:56:28 AM EDT
Last Seen Wed 15 Apr 2009 01:11:24 PM EDT
Local ID 1391a7fb-e6fd-4c5f-b5bf-9c9354857f3a
Line Numbers
Raw Audit Messages
node=elijah.suretrak21.net type=AVC msg=audit(1239815484.398:11): avc: denied { create } for pid=3132 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=elijah.suretrak21.net type=SYSCALL msg=audit(1239815484.398:11): arch=40000003 syscall=39 success=no exit=-13 a0=8464158 a1=1c0 a2=279ce8c a3=1 items=0 ppid=3131 pid=3132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
SELinux is preventing kde4 from writing to my .kde directory in my home
directory. The suggestion to allow core dumps is obviously incorrect in
this situation.
I can build a local policy to correct this but would think it affects
far more users than I and may indicate a need for a policy fix.
Regards,
John
setroubleshootd[2488] general protection ip:3d96a99884 sp:7fff6ce7ef00 error:0 in libpython2.6.so.1.0[3d96a00000+1690
by Antonio Olivares
Seeing the following:
setroubleshootd[2488] general protection ip:3d96a99884 sp:7fff6ce7ef00 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2520] general protection ip:3d96a99884 sp:7fff6f406210 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2523] general protection ip:3d96a99884 sp:7fffd481a8a0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2536] general protection ip:3d96a99884 sp:7fffe9bcfc50 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2538] general protection ip:3d96a99884 sp:7fff183f0470 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2566] general protection ip:3d96a99884 sp:7fff000430c0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2584] general protection ip:3d96a99884 sp:7fffce3cd450 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2589] general protection ip:3d96a99884 sp:7fffb77a2820 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2591] general protection ip:3d96a99884 sp:7fff8bcdf2c0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2596] general protection ip:3d96a99884 sp:7fff941f1270 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
__ratelimit: 10 callbacks suppressed
setroubleshootd[2633] general protection ip:3d96a99884 sp:7fff7fa78af0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2637] general protection ip:3d96a99884 sp:7fffb3799560 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2642] general protection ip:3d96a99884 sp:7fff57bfdc80 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2649] general protection ip:3d96a99884 sp:7fff3329f320 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2653] general protection ip:3d96a99884 sp:7fffb5e04e80 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
eth0: no IPv6 routers present
setroubleshootd[2656] general protection ip:3d96a99884 sp:7fff0ccb48f0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2658] general protection ip:3d96a99884 sp:7ffff6c67ce0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2660] general protection ip:3d96a99884 sp:7fffb05495d0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2663] general protection ip:3d96a99884 sp:7ffffc783800 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
setroubleshootd[2704] general protection ip:3d96a99884 sp:7fff106486c0 error:0 in libpython2.6.so.1.0[3d96a00000+169000]
What is wrong? Or is it just me?
Regards,
Antonio
selinux and crontab one-more-time
by Antonio Olivares
Dear fellow SELinux experts,
I have encountered this before; apparently it has not gone away. Running Fedora 11 Beta. I have a small crontab file that will shut down the machine at 4:15 pm:
[students@antonio-fedora-x86-64 ~]$ crontab -l
# min hour day-of-month month day-of-week command
15 16 * * 1-5 /usr/bin/poweroff >/dev/null 2>&1
Setroubleshooter comes up and gives me the following:
On the other machine running rawhide I can't even access crontab -l; it tells me that I cannot do anything, I have no authorizations :(
Summary:
SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by crontab. It is not expected that this access
is required by crontab and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects socket [ unix_stream_socket ]
Source crontab
Source Path /usr/bin/crontab
Port <Unknown>
Host antonio-fedora-x86-64
Source RPM Packages cronie-1.2-7.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.12-3.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name antonio-fedora-x86-64
Platform Linux antonio-fedora-x86-64
2.6.29.1-68.fc11.x86_64 #1 SMP Sat Apr 11 02:20:46
EDT 2009 x86_64 x86_64
Alert Count 53
First Seen Tue 14 Apr 2009 03:58:24 PM CDT
Last Seen Tue 14 Apr 2009 04:06:56 PM CDT
Local ID 5b712474-909f-4775-a5d6-bf5a78404916
Line Numbers
Raw Audit Messages
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12989]" dev=sockfs ino=12989 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=SYSCALL msg=audit(1239743216.390:74): arch=c000003e syscall=59 success=yes exit=0 a0=acb200 a1=ac0d10 a2=adeda0 a3=7fff2149c340 items=0 ppid=19528 pid=19560 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
Thank you in Advance,
Antonio
levels in targeted mode
by Brian Ginn
I am using RHEL5 with SELINUXTYPE=targeted in enforcing mode.
If I ssh as root to that host, id -Z reports
root:system_r:unconfined_t:SystemLow-SystemHigh
which includes a level.
If I ssh as a user to that same host, id -Z reports
user_u:system_r:unconfined_t
which does not include a level.
As that user, if I su -, id -Z reports
user_u:system_r:unconfined_t
If I then execute:
newrole -l SystemLow-SystemHigh
I get an error:
Error: you are not allowed to change levels on a non secure terminal
I get the same behavior from sudo bash.
Questions:
1: Does root's SystemLow-SystemHigh level actually mean anything in targeted mode?
2: Why does newrole consider the ssh terminal insecure, when ssh as root will give me the "full level"?
3: Is there a way to get from not having a level to SystemLow-SystemHigh?
Thanks
Brian
MCS Levels and Ranges
by Brian Ginn
How should I interpret the following?
The MCS Level and Range are confusing me.
Or perhaps the difference between user and login is confusing me.
'semanage login -l' shows user_u has Range s0
'semanage user -l' shows user_u has Level s0 and Range SystemLow-SystemHigh
[root@rhel5 ~]# semanage login -l
Login Name      SELinux User    MLS/MCS Range
__default__     user_u          s0
root            root            SystemLow-SystemHigh
[root@rhel5 ~]# semanage user -l
                Labeling   MLS/        MLS/
SELinux User    Prefix     MCS Level   MCS Range              SELinux Roles
root            user       s0          SystemLow-SystemHigh   system_r sysadm_r user_r
system_u        user       s0          SystemLow-SystemHigh   system_r
user_u          user       s0          SystemLow-SystemHigh   system_r sysadm_r user_r
[root@rhel5 ~]#
indexcon errors on Fedora 9 64-bit
by Brian Ginn
Using lsof, I discovered that indexcon hung at my home directory.
Looking there, I saw a .gvfs directory with rwx------ perms
Even though indexcon was running as root unconfined, I thought this
might be a problem. I had to kill a few processes to change the
directory's permissions.
Then, indexcon got a lot further, but hung at /lib/modules/2.6.25-14.fc9.x86_64
There, I found a couple of symlinks that do not exist. I removed them.
Then, indexcon errors out with:
ERROR: Could not read SELinux file context for /proc/sys/kernel.
ls -Z /proc/sys/kernel shows all the files have a "?" for the context.
Any suggestions?
Thanks,
Brian
postfix fifo file
by Craig White
This is from a newly setup CentOS 5.3 server...and I definitely don't
understand what it's wanting to make it happy.
# sealert -l 6208be6e-3fb4-4748-80e8-769687066b83
Summary:
SELinux is preventing postfix-script (postfix_master_t) "ioctl" to pipe
(crond_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but
was permitted due to permissive mode.]
SELinux denied access requested by postfix-script. It is not expected
that this access is required by postfix-script and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context user_u:system_r:postfix_master_t
Target Context system_u:system_r:crond_t:SystemLow-SystemHigh
Target Objects pipe [ fifo_file ]
Source postfix-script
Source Path /bin/bash
Port <Unknown>
Host srv1.azapple.com
Source RPM Packages bash-3.2-24.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name srv1.azapple.com
Platform Linux srv1.azapple.com 2.6.18-128.1.1.el5
#1 SMP
Wed Mar 25 18:15:30 EDT 2009 i686 i686
Alert Count 8
First Seen Thu Apr 2 04:34:40 2009
Last Seen Thu Apr 9 04:17:20 2009
Local ID 6208be6e-3fb4-4748-80e8-769687066b83
Line Numbers
Raw Audit Messages
host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc: denied { ioctl } for pid=11778 comm="postfix-script" path="pipe:[1634010]" dev=pipefs ino=1634010 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152): arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40 a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)
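As an added triage helper, not code from any of the posts: a parser for the raw AVC records quoted in the kde4, crontab and postfix posts above, grouping denials by source type, target type, class and permissions the way audit2allow does, so repeated hits that differ only in pid or inode collapse into one line to review. The sample records are constructed copies of those posts' lines; the field names are the audit log's own.

```python
import re
from collections import Counter

# Constructed sample: AVC records from the kde4, crontab and postfix posts,
# each re-joined onto one line as the audit log writes them.
SAMPLE_AVC = """
node=elijah.suretrak21.net type=AVC msg=audit(1239815484.398:11): avc: denied { create } for pid=3132 comm="kde4-config" name=".kde" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12989]" dev=sockfs ino=12989 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=antonio-fedora-x86-64 type=AVC msg=audit(1239743216.390:74): avc: denied { read write } for pid=19560 comm="crontab" path="socket:[12791]" dev=sockfs ino=12791 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc: denied { ioctl } for pid=11778 comm="postfix-script" path="pipe:[1634010]" dev=pipefs ino=1634010 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: "
    r"(?P<verdict>denied|granted) \{ (?P<perms>[^}]+)\} for (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """One AVC record -> dict of its fields, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "serial", "verdict")}
    rec["perms"] = tuple(m.group("perms").split())
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("rest")))
    return rec

def ctx_type(ctx):
    """user:role:type[:range] -> type, the component policy rules name."""
    return ctx.split(":")[2]

def summarize(text):
    """Count denials per (source type, target type, class, perms)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec["verdict"] == "denied":
            counts[(ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]),
                    rec["tclass"], rec["perms"])] += 1
    return counts

def allow_rules(counts):
    """The allow rules audit2allow would derive; check each against what the
    program legitimately needs (see the kde4 post) before loading anything."""
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
                  for (s, t, c, p) in counts)

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE_AVC))))
```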
Policies for Devices?
by Robert Mykland
Folks,
Is there a way I can use policies to prevent a specific device, say a
USB key, from being written to except by one specific application? If
so, how would I go about writing that?
Thanks in Advance,
-- Robert.
--
Robert Mykland Voice: (831) 212-0622
Founder/CTO Ascenium Corporation
"A new world of computing fulfilling people's lives"