selinux May 2011

selinux@lists.fedoraproject.org

17 participants
15 discussions

Start a nNew thread

None

by Steve G

What about achieving strong erection?... http://spsp2.free.fr/friends_links.php?oksiteid=23u4

13 years, 1 month

1
0
0 / 0

SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown.

by Francis Shim

SELinux is preventing /usr/bin/skype from mmap_zero access on the memprotect Unknown. ***** Plugin mmap_zero (53.1 confidence) suggests ************************** If you do not think /usr/bin/skype should need to mmap low memory in the kernel. Then you may be under attack by a hacker, this is a very dangerous access. Do contact your security administrator and report this issue. ***** Plugin catchall_boolean (42.6 confidence) suggests ******************* If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr. Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. Do setsebool -P mmap_low_allowed 1 ***** Plugin catchall (5.76 confidence) suggests *************************** If you believe that skype should be allowed mmap_zero access on the Unknown memprotect by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep skype /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_execmem_t:s0- s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_execmem_t:s0- s0:c0.c1023 Target Objects Unknown [ memprotect ] Source skype Source Path /usr/bin/skype Port <Unknown> Host mobile-pc.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.7-40.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name mobile-pc.localdomain Platform Linux mobile-pc.localdomain 2.6.35.13-91.fc14.i686.PAE #1 SMP Tue May 3 13:29:55 UTC 2011 i686 i686 Alert Count 100 First Seen Mon 16 May 2011 03:37:35 PM EDT Last Seen Mon 16 May 2011 03:37:35 PM EDT Local ID 162a1493-50dc-4231-ad0f-808d6fe5330b Raw Audit Messages type=AVC msg=audit(1305574655.789:127): avc: denied { mmap_zero } for pid=2784 comm="skype" scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tclass=memprotect Hash: skype,unconfined_execmem_t,unconfined_execmem_t,memprotect,mmap_zero audit2allow #============= unconfined_execmem_t ============== #!!!! This avc is allowed in the current policy allow unconfined_execmem_t self:memprotect mmap_zero; audit2allow -R #============= unconfined_execmem_t ============== #!!!! This avc is allowed in the current policy allow unconfined_execmem_t self:memprotect mmap_zero;

13 years, 1 month

1
0
0 / 0

Fedora 14 does not respect /etc/sysconfig/selinux?

by Eric Warnke

I have a number of testing systems installed with Fedora 14. They were installed with the minimal profile, have no 3rd party repositories or rpm's installed, are fully up-to-date, and were exhibiting some strange behavior with the corosync/pacemaker packages. The problems with corosync are a direct result of the system not respecting the /etc/sysconfog/selinux directives. I have attached some sessions below to show the errant behavior. Boot 1: [root@tiny ~]# uptime 08:30:43 up 0 min, 1 user, load average: 0.15, 0.06, 0.02 [root@tiny ~]# getenforce Enforcing [root@tiny ~]# more /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=permissive # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted Boot 2: [root@tiny ~]# uptime 08:33:01 up 0 min, 1 user, load average: 0.30, 0.06, 0.02 [root@tiny ~]# getenforce Enforcing [root@tiny ~]# cat /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted After a call to setenforce 0 [root@tiny ~]# getenforce Permissive As you can clearly see the SELINUX directive is being ignored during boot. I have had to move startup of the affected packages to /etc/rc.local after a call to setenforce 0. Cheers, Eric Warnke Research IT Group SUNY at Albany

13 years, 1 month

3
3
0 / 0

During startup, many failed to set security context msgs

by Clyde E. Kunkel

Permissive mode, Fedora rawhide up-to-date as of 20110503. Expected or a bug? [ 56.268826] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.283356] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.285470] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.287470] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.289540] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.295823] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied [ 56.299256] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied [ 56.301278] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied [ 56.303297] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.305212] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.307129] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.308964] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.310833] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.312721] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.314588] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.316392] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.318191] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.320056] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.321812] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.323502] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.325167] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.326805] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied [ 56.328488] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.330128] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_t:s0 for /var: Permission denied [ 56.341490] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:var_run_t:s0 for /run: Permission denied [ 56.343236] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied [ 56.344736] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied [ 56.346391] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied [ 56.348053] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied [ 56.349674] systemd-tmpfiles[1308]: Failed to set security context system_u:object_r:tmp_t:s0 for /tmp: Permission denied -- Regards, OldFart

13 years, 1 month

1
0
0 / 0

F13" SeLinux Troubleshooter no longer starts

by Dan Thurman

With the last couple of updates, somehow SeLinux Troubleshooter no longer comes up. It just spins the Busy spinner and quits. Is this a bug being worked on?

13 years, 1 month

1
0
0 / 0

← Newer
1
2
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux May 2011