selinux May 2005

selinux@lists.fedoraproject.org

47 participants
63 discussions

Is there a SELinux tutorial for ISVs ?
by Davide Bolcioni 09 May '05

09 May '05

Greetings, I was looking for directions about how would an ISV rool own policy for the packages it ships. A very basic and step-by-step tutorial, for tiny minds :-) Thank you for your consideration, Davide Bolcioni

8 18

Re: using tmpfs for /tmp and selinux
by Aleksandar Milivojevic 09 May '05

09 May '05

Sorry for posting this outside of corresponding thread for those using threading. I'm new to the list, and found thread in the archives, so couldn't simply hit reply in my mail reader. I've applied changes described to the rc.sysinit (restorecon /tmp), created local.te (allow tmpfile tmpfs_t:filesystem associate;) and reloaded policy. It seems to be working for me on both FC3 and RHEL4. The question I have is, will this patches (to both initscripts and selinux-policy-targeted) be present in U1 for RHEL4? Thanks, Aleksandar Milivojevic ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.

2 1

"service iptables stop" not working -- /proc/net unreadable
by Chuck Anderson 05 May '05

05 May '05

I had a problem disabling my iptables firewall today, and noticed that /proc/net being unreadable was the cause of "service iptables stop" not working. I have an avc: audit(1115326402.826:0): avc: denied { search } for pid=5818 exe=/bin/tcsh name=net dev=proc ino=-268435434 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:proc_net_t tclass=dir What happened to my /proc? #ls -lZ /proc/net ls: /proc/net: Permission denied #ls -lZd /proc/net ls: /proc/net: Permission denied #ls -lZ /proc|grep net ?--------- ? ? net #ls -l /proc|grep net ?--------- ? ? ? ? ? net This is FC3 with kernel-2.6.11-1.14_FC3 and selinux-policy-targeted-1.17.30-3.1.

2 1

MySQL 5.0.4 Beta AVC Denied Messages
by Robert L Cochran 04 May '05

04 May '05

I am getting the following messages while attempting to start the MySQL 5.0.4 server mysqld with SELinux running on Fedora Core 3, and with all current patches applied. I've already tried restorecon -R -v /usr/lib/mysql restorecon -R -v /var/lib/mysql restorecon -v /usr/sbin/mysqld I want to allow MySQL to run. Any suggestions? May 4 21:02:53 rclap kernel: audit(1115254973.641:0): avc: denied { setsched } for pid=3729exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process May 4 21:02:53 rclap kernel: audit(1115254973.641:0): avc: denied { setsched } for pid=3730exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process May 4 21:02:53 rclap kernel: audit(1115254973.641:0): avc: denied { setsched } for pid=3731exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process May 4 21:02:53 rclap kernel: audit(1115254973.642:0): avc: denied { setsched } for pid=3732exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process May 4 21:02:54 rclap kernel: audit(1115254974.758:0): avc: denied { setsched } for pid=3735exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process May 4 21:02:54 rclap kernel: audit(1115254974.758:0): avc: denied { setsched } for pid=3736exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process May 4 21:02:54 rclap kernel: audit(1115254974.758:0): avc: denied { setsched } for pid=3737exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process May 4 21:02:54 rclap kernel: audit(1115254974.759:0): avc: denied { setsched } for pid=3738exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process May 4 21:02:54 rclap kernel: audit(1115254974.801:0): avc: denied { setsched } for pid=3739exe=/usr/sbin/mysqld scontext=user_u:system_r:mysqld_t tcontext=user_u:system_r:mysqld_t tclass=process y

1 0

Problems with today's rawhide (.1284, etc.)
by Tom London 04 May '05

04 May '05

Running targeted/enforcing, today's rawhide. After installing today's packages, system fails to boot. Hangs just after starting init, after producing a message like MAKEDEV:mkdir: file exists System will boot with 'enforcing=0'. The log shows many avc denials to tmpfs (below). Did I mess up? tom -------------------------------------------------------- May 4 07:33:23 localhost kernel: audit(1115191953.487:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:kudzu_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:23 localhost kernel: audit(1115191970.159:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:hwclock_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:23 localhost kernel: audit(1115217172.838:0): avc: denied { getattr } for path=/dev/mapper/VolGroup00-LogVol00 dev=tmpfs ino=6442 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file May 4 07:33:23 localhost kernel: audit(1115217172.839:0): avc: denied { read write } for name=VolGroup00-LogVol00 dev=tmpfs ino=6442 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file May 4 07:33:23 localhost kernel: audit(1115217172.839:0): avc: denied { ioctl } for path=/dev/mapper/VolGroup00-LogVol00 dev=tmpfs ino=6442 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc: denied { write } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc: denied { add_name } for name=log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc: denied { create } for name=log scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file May 4 07:33:23 localhost kernel: audit(1115217177.481:0): avc: denied { setattr } for name=log dev=tmpfs ino=6865 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file May 4 07:33:23 localhost kernel: audit(1115217178.127:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:23 localhost kernel: audit(1115217178.127:0): avc: denied { write } for name=log dev=tmpfs ino=6865 scontext=system_u:system_r:klogd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file May 4 07:33:23 localhost kernel: audit(1115217198.206:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:23 localhost kernel: audit(1115217198.206:0): avc: denied { write } for name=log dev=tmpfs ino=6865 scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file May 4 07:33:23 localhost kernel: audit(1115217200.530:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:23 localhost kernel: audit(1115217200.530:0): avc: denied { write } for name=log dev=tmpfs ino=6865 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file May 4 07:33:23 localhost kernel: audit(1115217200.821:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:23 localhost kernel: audit(1115217202.856:0): avc: denied { read } for name=config dev=dm-0 ino=1275872 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file May 4 07:33:23 localhost kernel: audit(1115217202.856:0): avc: denied { getattr } for path=/etc/selinux/config dev=dm-0 ino=1275872 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:selinux_config_t tclass=file May 4 07:33:29 localhost kernel: audit(1115217209.362:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:portmap_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:29 localhost kernel: audit(1115217209.580:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:29 localhost kernel: audit(1115217209.581:0): avc: denied { write } for name=log dev=tmpfs ino=6865 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file May 4 07:33:31 localhost kernel: audit(1115217211.468:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:howl_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:36 localhost kernel: audit(1115217216.843:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:39 localhost kernel: audit(1115217219.784:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:33:39 localhost kernel: audit(1115217219.784:0): avc: denied { write } for name=log dev=tmpfs ino=6865 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file May 4 07:33:41 localhost kernel: audit(1115217221.632:0): avc: denied { read } for name=fd dev=tmpfs ino=2839 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tmpfs_t tclass=lnk_file May 4 07:34:00 localhost kernel: audit(1115217240.363:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:34:01 localhost kernel: audit(1115217241.339:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:34:02 localhost kernel: audit(1115217242.433:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:34:04 localhost kernel: audit(1115217244.727:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:updfstab_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:34:04 localhost kernel: audit(1115217244.727:0): avc: denied { write } for name=log dev=tmpfs ino=6865 scontext=system_u:system_r:updfstab_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file May 4 07:34:09 localhost kernel: audit(1115217249.960:0): avc: denied { read } for name=mapper dev=tmpfs ino=3919 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:34:09 localhost kernel: audit(1115217249.960:0): avc: denied { getattr } for path=/dev/mapper dev=tmpfs ino=3919 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:34:09 localhost kernel: audit(1115217249.960:0): avc: denied { getattr } for path=/dev/mapper/VolGroup00-LogVol01 dev=tmpfs ino=6444 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tmpfs_t tclass=blk_file May 4 07:34:10 localhost kernel: audit(1115217250.223:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:34:12 localhost kernel: audit(1115217252.745:0): avc: denied { search } for name=rhgb dev=dm-0 ino=1277513 scontext=system_u:system_r:init_t tcontext=system_u:object_r:mnt_t tclass=dir May 4 07:34:39 localhost kernel: audit(1115217279.531:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:hald_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:35:00 localhost dbus: avc: denied { send_msg } for msgtype=method_call interface=com.redhat.CupsDriverConfig member=MatchDriver dest=com.redhat.CupsDriverConfig spid=3570 tpid=3058 scontext=user_u:system_r:unconfined_t tcontext=system_u:system_r:cupsd_config_t tclass=dbus May 4 07:35:00 localhost kernel: audit(1115217300.770:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:35:00 localhost kernel: audit(1115217300.770:0): avc: denied { write } for name=log dev=tmpfs ino=6865 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file May 4 07:35:00 localhost kernel: audit(1115217300.771:0): avc: denied { search } for name=/ dev=tmpfs ino=2832 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:tmpfs_t tclass=dir May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc: denied { write } for name=cache dev=dm-0 ino=2142136 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t tclass=dir May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc: denied { add_name } for name=foomatic scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t tclass=dir May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc: denied { create } for name=foomatic scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t tclass=dir May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc: denied { create } for name=printconf.pickle scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t tclass=file May 4 07:35:34 localhost kernel: audit(1115217334.071:0): avc: denied { getattr } for path=/var/cache/foomatic/printconf.pickle dev=dm-0 ino=2158741 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t tclass=file May 4 07:35:34 localhost kernel: audit(1115217334.072:0): avc: denied { write } for path=/var/cache/foomatic/printconf.pickle dev=dm-0 ino=2158741 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:var_t tclass=file May 4 07:35:34 localhost dbus: avc: denied { send_msg } for msgtype=method_return dest=:1.5 spid=3058 tpid=3570 scontext=system_u:system_r:cupsd_config_t tcontext=user_u:system_r:unconfined_t tclass=dbus -- Tom London

1 0

awstats
by Farkas Levente 03 May '05

03 May '05

hi, we use http://awstats.sourceforge.net/ to generate http web statistics. in order to generate date there is a hourly cron job which collect the statistics from the webserver's log file. but this scripts use the same collection of perl scripts which generates the web pages. how can i solve it? i found this description: http://yanbaru.dyndns.org/linux/fedora2awstats.html although i don't realy like local.te. is there any 'default' settings for awstats? i wish we has some kind of default policy which include rules for awstats too:-0 yours. -- Levente "Si vis pacem para bellum!"

2 1

RE: make relabel > restorecon
by Steve Brueckner 03 May '05

03 May '05

Daniel J Walsh wrote: > Steve Brueckner wrote: >> Daniel J Walsh wrote: >>> Steve Brueckner wrote: >>>> I have a file >>>> /etc/selinux/targeted/src/policy/file_contexts/programs/tspi_dillo.fc >>>> that contains the following line only: >>>> >>>> /tspi/usr/local/bin/dillo -- system_u:object_r:tspi_dillo_exec_t >>>> >>>> When I do # make reload and then # make relabel the system >>>> correctly labels the file and adds the above line to the master >>>> file_contexts file. >>>> >>>> However, if I then run # /sbin/restorecon /tspi/usr/local/bin/dillo >>>> the file's type reverts to default_t >>>> >>>> Any ideas on why this is happening? >>>> >>> I take it you have a domains/program/tspi_dillo.te file? >>> >>> grep dillo /etc/selinux/targeted/context/files/* >>> >> Yes, I have >> /etc/selinux/targeted/src/policy/domains/program/tspi_dillo.te >> which declares the tspi_dillo_exec_t. >> >> However, I think your grep showed me where the problem lies. There >> are two file_contexts files: >> /etc/selinux/targeted/src/policy/file_contexts/file_contexts >> /etc/selinux/targeted/context/files/file_contexts >> >> And a diff shows that the former has the context for dillo and the >> latter does not. I was apparently mistaken earlier when I said that >> the "master" file_contexts file contains the line in question. >> >> So my question now becomes how does the former get updated? I've >> done make reload and make relabel but it seems that neither is >> updating /etc/selinux/targeted/context/files/file_contexts. >> > That is strange. Make reload should have copied the your > file_context over. > > Try make -W users load > See if the file_context gets replaced. Any chance of clock skew on > your machine. Fooling make into thinking users had been updated did the trick, thanks. My clock, logs, and file times all look fine, so I don't think clock skew is the problem. I am, however, running (last week's) rawhide SELinux and rawhide kernel on an othewise FC3 install, so maybe there's something not meshing in there. Am I correct in thinking that the rawhide SELinux packages are currently being written and tested on FC4? Anyway, I appreciate the assist. - Steve Brueckner, ATC-NY

3 2

selinux-policy-strict-1.23.14-2 - glitches...
by Tom London 03 May '05

03 May '05

Running strict/enforcing, latest rawhide. The following crop up with today's updates: 0. Early boot denials: May 3 06:42:12 fedora kernel: security: 3 users, 6 roles, 1333 types, 63 boolsMay 3 06:42:12 fedora kernel: security: 55 classes, 342123 rules May 3 06:42:12 fedora kernel: SELinux: Completing initialization. May 3 06:42:12 fedora kernel: SELinux: Setting up existing superblocks. May 3 06:42:12 fedora kernel: audit(1115102485.415:0): avc: denied { read } for name=proc dev=hda2 ino=3407873 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir May 3 06:42:12 fedora kernel: audit(1115102485.416:0): avc: denied { search } for name=/ dev=hda2 ino=2 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir May 3 06:42:12 fedora last message repeated 3 times May 3 06:42:12 fedora kernel: SELinux: initialized (dev hda2, type ext3), uses xattr Also, init seems to be doing a PID scan: May 3 06:42:13 fedora kernel: audit(1115102490.729:0): avc: denied { read } for name=stat dev=proc ino=65550 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=file May 3 06:42:13 fedora kernel: audit(1115102490.730:0): avc: denied { read } for name=stat dev=proc ino=31916046 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:init_t tclass=file May 3 06:42:13 fedora kernel: audit(1115102490.730:0): avc: denied { read } for name=stat dev=proc ino=32505870 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:initrc_t tclass=file May 3 06:42:13 fedora kernel: audit(1115102490.730:0): avc: denied { read } for name=stat dev=proc ino=36175886 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:hotplug_t tclass=file <<<SNIP>>> 1. privoxy is non functional: May 3 06:42:53 fedora kernel: audit(1115127773.695:0): avc: denied { name_bind } for src=8118 scontext=system_u:system_r:privoxy_t tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket so suggest adding allow privoxy_t http_cache_port_t:tcp_socket name_bind; to privoxy.te 2. trouble starting ptal. I can't tell if this is a missing transition to ptal_t, or just a missing entry in net_contexts. Help? May 3 06:42:21 fedora kernel: audit(1115127741.848:0): avc: denied { name_bind } for src=5703 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5704 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5705 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5706 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5707 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5708 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5709 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5710 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5711 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5712 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5713 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5714 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora kernel: audit(1115127741.849:0): avc: denied { name_bind } for src=5715 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:port_t tclass=tcp_socket May 3 06:42:21 fedora ptal-photod: ptal-photod(mlc:usb:PSC_900_Series): bind(tcpPort=5729) failed, errno=13! Also: May 3 06:42:22 fedora kernel: audit(1115127741.921:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file May 3 06:42:25 fedora ptal-mlcd: ERROR at ExMgr.cpp:2525, dev=<mlc:usb:PSC_900_Series>, pid=2372, e=1, t=1115127745 Couldn't find device! May 3 06:42:25 fedora kernel: audit(1115127745.660:0): avc: denied { write } for name=001 dev=usbfs ino=4489 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t tclass=file May 3 06:42:25 fedora kernel: audit(1115127745.660:0): avc: denied { write } for name=001 dev=usbfs ino=4489 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t tclass=file May 3 06:42:25 fedora kernel: audit(1115127745.660:0): avc: denied { write } for name=001 dev=usbfs ino=4473 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t tclass=file May 3 06:42:25 fedora kernel: audit(1115127745.661:0): avc: denied { write } for name=001 dev=usbfs ino=4473 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t tclass=file May 3 06:42:25 fedora kernel: audit(1115127745.661:0): avc: denied { write } for name=001 dev=usbfs ino=4457 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t tclass=file May 3 06:42:25 fedora kernel: audit(1115127745.661:0): avc: denied { write } for name=001 dev=usbfs ino=4457 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbfs_t tclass=file 3. issues with fifo files: May 3 06:42:14 fedora kernel: IPv6 over IPv4 tunneling driver May 3 06:42:14 fedora kernel: audit(1115127718.038:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file May 3 06:42:14 fedora kernel: audit(1115127718.041:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file May 3 06:42:14 fedora kernel: audit(1115127718.256:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file May 3 06:42:14 fedora kernel: audit(1115127718.260:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file May 3 06:42:14 fedora kernel: ACPI: Power Button (FF) [PWRF] <<<SNIP>>> May 3 06:42:50 fedora ntpd[2472]: kernel time sync status 0040 May 3 06:42:50 fedora kernel: audit(1115127770.407:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file May 3 06:42:50 fedora ntpd[2472]: frequency initialized 67.355 PPM from /var/lib/ntp/drift May 3 06:42:50 fedora ntpd[2472]: configure: keyword "authenticate" unknown, line ignored May 3 06:42:51 fedora kernel: audit(1115127771.070:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file <<<SNIP>>> May 3 06:42:59 fedora kernel: audit(1115127779.773:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file May 3 06:42:59 fedora kernel: audit(1115127779.800:0): avc: denied { write } for name=rhgb-console dev=ramfs ino=5658 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:ramfs_t tclass=fifo_file 4. ddclient (fix to support http_port_t): May 3 06:42:52 fedora kernel: audit(1115127772.664:0): avc: denied { name_connect } for dest=80 scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket or allow ddclient_t http_port_t:tcp_socket name_connect; 5. su denial: May 3 06:44:04 fedora su(pam_unix)[3241]: session opened for user root by tbl(uid=500) May 3 06:44:17 fedora kernel: audit(1115127857.306:0): avc: denied { unix_read unix_write } for key=1592234044 scontext=user_u:user_r:user_t tcontext=system_u:system_r:xdm_t tclass=sem Does allow user_t xdm_t:sem { unix_read unix_write }; make sense? Thanks! tom -- Tom London

1 0

RE: make relabel > restorecon
by Steve Brueckner 03 May '05

03 May '05

Daniel J Walsh wrote: > Steve Brueckner wrote: > >> I have a file >> /etc/selinux/targeted/src/policy/file_contexts/programs/tspi_dillo.fc >> that contains the following line only: >> >> /tspi/usr/local/bin/dillo -- system_u:object_r:tspi_dillo_exec_t >> >> When I do # make reload and then # make relabel the system correctly >> labels the file and adds the above line to the master file_contexts >> file. >> >> However, if I then run # /sbin/restorecon /tspi/usr/local/bin/dillo >> the file's type reverts to default_t >> >> Any ideas on why this is happening? >> >> > I take it you have a domains/program/tspi_dillo.te file? > > grep dillo /etc/selinux/targeted/context/files/* > Yes, I have /etc/selinux/targeted/src/policy/domains/program/tspi_dillo.te which declares the tspi_dillo_exec_t. However, I think your grep showed me where the problem lies. There are two file_contexts files: /etc/selinux/targeted/src/policy/file_contexts/file_contexts /etc/selinux/targeted/context/files/file_contexts And a diff shows that the former has the context for dillo and the latter does not. I was apparently mistaken earlier when I said that the "master" file_contexts file contains the line in question. So my question now becomes how does the former get updated? I've done make reload and make relabel but it seems that neither is updating /etc/selinux/targeted/context/files/file_contexts. Thanks, - Steve Brueckner, ATC-NY

2 1

make relabel > restorecon
by Steve Brueckner 02 May '05

02 May '05

I have a file /etc/selinux/targeted/src/policy/file_contexts/programs/tspi_dillo.fc that contains the following line only: /tspi/usr/local/bin/dillo -- system_u:object_r:tspi_dillo_exec_t When I do # make reload and then # make relabel the system correctly labels the file and adds the above line to the master file_contexts file. However, if I then run # /sbin/restorecon /tspi/usr/local/bin/dillo the file's type reverts to default_t Any ideas on why this is happening? Thanks, - Steve Brueckner, ATC-NY

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux May 2005