Hi,
just tried receiving a fax with mgetty (and notifying me via email with the attached fax). Watching all the denials flowing by (permissive mode, selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether someone has already started preparing a policy or whether I should try to start it myself? Does anyone know? Google does not find much of value.
Klaus
On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
Hi,
just tried receiving a fax with mgetty (and notifying me via email with the attached fax). Watching all the denials flowing by (permissive mode, selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether someone has already started preparing a policy or whether I should try to start it myself? Does anyone know? Google does not find much of value.
Can you show us the AVC denials?
Klaus
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/ PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Tuesday, 29.12.2009, 12:16 +0100, Dominick Grift wrote:
On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
Hi,
just tried receiving a fax with mgetty (and notifying me via email with the attached fax). Watching all the denials flowing by (permissive mode, selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether someone has already started preparing a policy or whether I should try to start it myself? Does anyone know? Google does not find much of value.
Can you show us the AVC denials?
Sure, no problem. One thing: as a first step I put new_fax into bin_t, as this was a suggestion from the sealert output. I do think this probably does not belong in the getty policy, as mgetty, when receiving a fax, does far more than a standard getty, imho.
Klaus
On Tue, Dec 29, 2009 at 12:27:56PM +0100, Klaus Lichtenwalder wrote:
On Tuesday, 29.12.2009, 12:16 +0100, Dominick Grift wrote:
On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
Hi,
just tried receiving a fax with mgetty (and notifying me via email with the attached fax). Watching all the denials flowing by (permissive mode, selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether someone has already started preparing a policy or whether I should try to start it myself? Does anyone know? Google does not find much of value.
Can you show us the AVC denials?
Sure, no problem. One thing: as a first step I put new_fax into bin_t, as this was a suggestion from the sealert output. I do think this probably does not belong in the getty policy, as mgetty, when receiving a fax, does far more than a standard getty, imho.
# Write the module source with a quoted heredoc: the m4 quote characters (` and ')
# pass through unchanged, which they would not inside a double-quoted echo string.
cat > mygetty.te <<'EOF'
policy_module(mygetty, 1.0.0)

optional_policy(`
    gen_require(`
        type getty_t;
    ')

    corecmd_exec_shell(getty_t)
')
EOF
# Build the package and load it.
make -f /usr/share/selinux/devel/Makefile mygetty.pp
sudo semodule -i mygetty.pp
See if this solves your issue.
Klaus
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/ PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.657:57496): arch=c000003e syscall=59 success=yes exit=0 a0=3273d3ace3 a1=7fffef415d60 a2=7fffef418a30 a3=7f0863d089d0 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.657:57496): avc: denied { execute_no_trans } for pid=1283 comm="mgetty" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.657:57496): avc: denied { read open } for pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.657:57496): avc: denied { execute } for pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.659:57497): arch=c000003e syscall=2 success=yes exit=3 a0=3273d3c1f2 a1=0 a2=1b6 a3=2 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.659:57497): avc: denied { open } for pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1262016758.659:57497): avc: denied { read } for pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.661:57498): arch=c000003e syscall=5 success=yes exit=128 a0=3 a1=7fff05edb290 a2=7fff05edb290 a3=2 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.661:57498): avc: denied { getattr } for pid=1283 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.662:57499): arch=c000003e syscall=4 success=yes exit=128 a0=1090ab0 a1=7fff05edd2e0 a2=7fff05edd2e0 a3=8 items=0 ppid=31795 pid=1283 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.662:57499): avc: denied { getattr } for pid=1283 comm="sh" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.664:57500): arch=c000003e syscall=59 success=yes exit=0 a0=1093a10 a1=1093b30 a2=1092b20 a3=18 items=0 ppid=1283 pid=1286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1262016758.664:57500): avc: denied { read write } for pid=1286 comm="sendmail" name="ttyS0" dev=tmpfs ino=2217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.806:57501): arch=c000003e syscall=2 success=yes exit=0 a0=3273d3c1f2 a1=0 a2=1b6 a3=2 items=0 ppid=1288 pid=1289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.806:57501): avc: denied { open } for pid=1289 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1262016758.806:57501): avc: denied { read } for pid=1289 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.807:57502): arch=c000003e syscall=5 success=yes exit=128 a0=0 a1=7fff44b52830 a2=7fff44b52830 a3=2 items=0 ppid=1288 pid=1289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.807:57502): avc: denied { getattr } for pid=1289 comm="sh" path="/proc/meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.809:57503): arch=c000003e syscall=59 success=yes exit=0 a0=eb55b0 a1=eb5480 a2=eb3e50 a3=30 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.809:57503): avc: denied { execute_no_trans } for pid=1291 comm="sh" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1262016758.809:57503): avc: denied { read open } for pid=1291 comm="sh" name="new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1262016758.809:57503): avc: denied { execute } for pid=1291 comm="sh" name="new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.817:57504): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffcdc622a0 a3=2 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.817:57504): avc: denied { ioctl } for pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
time->Mon Dec 28 17:12:38 2009
type=SYSCALL msg=audit(1262016758.817:57505): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7fffcdc62370 a2=7fffcdc62370 a3=0 items=0 ppid=1289 pid=1291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=4294967295 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.817:57505): avc: denied { getattr } for pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
On Tue, Dec 29, 2009 at 12:27:56PM +0100, Klaus Lichtenwalder wrote:
On Tuesday, 29.12.2009, 12:16 +0100, Dominick Grift wrote:
On Tue, Dec 29, 2009 at 10:17:36AM +0100, Klaus Lichtenwalder wrote:
Hi,
just tried receiving a fax with mgetty (and notifying me via email with the attached fax). Watching all the denials flowing by (permissive mode, selinux-policy-targeted-3.6.32-59.fc12.noarch), I'm wondering whether someone has already started preparing a policy or whether I should try to start it myself? Does anyone know? Google does not find much of value.
Can you show us the AVC denials?
Sure, no problem. One thing: as a first step I put new_fax into bin_t, as this was a suggestion from the sealert output. I do think this probably does not belong in the getty policy, as mgetty, when receiving a fax, does far more than a standard getty, imho.
Whoops, I forgot some policy:
# Quoted heredoc so the m4 quote characters (` and ') survive; a backtick inside
# a double-quoted echo string would start a command substitution instead.
cat > mygetty.te <<'EOF'
policy_module(mygetty, 1.0.0)

optional_policy(`
    gen_require(`
        type getty_t;
    ')

    corecmd_exec_bin(getty_t)
    corecmd_exec_shell(getty_t)
    kernel_read_system_state(getty_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile mygetty.pp
sudo semodule -i mygetty.pp
As for system_mail_t:
cat > mymail.te <<'EOF'
policy_module(mymail, 1.0.0)

optional_policy(`
    gen_require(`
        type system_mail_t;
    ')

    term_use_unallocated_ttys(system_mail_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile mymail.pp
sudo semodule -i mymail.pp
That should help.
Klaus
Klaus Lichtenwalder, Dipl. Inform., http://lklaus.homelinux.org/Klaus/ PGP Key fingerprint: A5C0 F73A 2C83 96EE 766B 9C62 DB6D 1258 0E9B B6D1
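As an added example (not code from this thread or from the selinux-policy project), the script below does mechanically what Dominick did by hand with the AVC records Klaus posted: it parses the AVC lines, merges the denied permissions per (source domain, target type, object class), and drafts a .te module in the optional_policy/gen_require layout of the replies above, using the refpolicy interfaces those replies chose (corecmd_exec_shell, corecmd_exec_bin, kernel_read_system_state, term_use_unallocated_ttys). The sample records are constructed, trimmed copies of the ausearch output in the thread; the INTERFACES table and the placeholder rule for unknown target types are this example's own assumptions, not a complete interface catalogue. It also separates the permissive-mode signature Klaus described (SYSCALL success=yes despite a denial) from the one record whose failure is not SELinux's doing.

```python
"""Summarise ausearch AVC records and draft a refpolicy module (added example)."""
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the records posted in this thread, each
# SYSCALL record followed by the AVC record(s) that share its serial number.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1262016758.657:57496): arch=c000003e syscall=59 success=yes exit=0 pid=1283 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.657:57496): avc:  denied  { execute_no_trans } for  pid=1283 comm="mgetty" path="/bin/bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1262016758.657:57496): avc:  denied  { read open } for  pid=1283 comm="mgetty" name="bash" dev=dm-6 ino=12628 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1262016758.659:57497): arch=c000003e syscall=2 success=yes exit=3 pid=1283 comm="sh" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.659:57497): avc:  denied  { open } for  pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1262016758.659:57497): avc:  denied  { read } for  pid=1283 comm="sh" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1262016758.664:57500): arch=c000003e syscall=59 success=yes exit=0 pid=1286 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(1262016758.664:57500): avc:  denied  { read write } for  pid=1286 comm="sendmail" name="ttyS0" dev=tmpfs ino=2217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1262016758.809:57503): arch=c000003e syscall=59 success=yes exit=0 pid=1291 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.809:57503): avc:  denied  { execute_no_trans } for  pid=1291 comm="sh" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1262016758.809:57503): avc:  denied  { read open } for  pid=1291 comm="sh" name="new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1262016758.817:57504): arch=c000003e syscall=16 success=no exit=-25 pid=1291 comm="new_fax" exe="/bin/bash" subj=system_u:system_r:getty_t:s0 key=(null)
type=AVC msg=audit(1262016758.817:57504): avc:  denied  { ioctl } for  pid=1291 comm="new_fax" path="/etc/mgetty+sendfax/new_fax" dev=dm-6 ino=51 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) "
    r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>\w+)"
)

# Refpolicy interfaces the replies in this thread used for exactly these target
# types (assumption of this example: any other pair gets a placeholder rule).
INTERFACES = {
    ("shell_exec_t", "file"): "corecmd_exec_shell",
    ("bin_t", "file"): "corecmd_exec_bin",
    ("proc_t", "file"): "kernel_read_system_state",
    # Workaround only, as the thread notes: the tty itself should be labeled properly.
    ("tty_device_t", "chr_file"): "term_use_unallocated_ttys",
}


def parse_denials(text):
    """One dict per AVC record: serial, source domain, target type, class, perms."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "serial": int(m.group("serial")),
                "sdom": m.group("scontext").split(":")[2],   # user:role:TYPE:level
                "ttype": m.group("tcontext").split(":")[2],
                "tclass": m.group("tclass"),
                "perms": set(m.group("perms").split()),
            })
    return denials


def syscall_outcomes(text):
    """Map audit serial -> True when the SYSCALL record says the call succeeded."""
    outcomes = {}
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            outcomes[int(m.group("serial"))] = m.group("success") == "yes"
    return outcomes


def denied_but_succeeded(text):
    """Serials with a denial whose syscall still succeeded: the signature of
    permissive mode.  Enforcing mode would have failed the first exec, so the
    later records of the chain (meminfo, sendmail, new_fax) would never appear.
    The ioctl record drops out here: its exit=-25 (ENOTTY) is the kernel's answer
    to a script file, not an SELinux refusal."""
    outcomes = syscall_outcomes(text)
    return sorted({d["serial"] for d in parse_denials(text) if outcomes.get(d["serial"])})


def aggregate(denials):
    """Merge permissions per (source domain, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["sdom"], d["ttype"], d["tclass"])] |= d["perms"]
    return {key: sorted(perms) for key, perms in rules.items()}


def render_module(name, rules, version="1.0.0"):
    """Draft a .te file: one optional_policy block per source domain, with a
    gen_require for the types it names, then interface calls or placeholder rules."""
    by_domain = defaultdict(list)
    for (sdom, ttype, tclass), perms in sorted(rules.items()):
        by_domain[sdom].append((ttype, tclass, perms))
    out = [f"policy_module({name}, {version})", ""]
    for sdom, entries in by_domain.items():
        body, needed = [], [sdom]
        for ttype, tclass, perms in entries:
            iface = INTERFACES.get((ttype, tclass))
            if iface:
                call = f"\t{iface}({sdom})"
                if call not in body:          # two target types may share one interface
                    body.append(call)
            else:                             # raw rule only as a marker to replace
                needed.append(ttype)
                body.append(f"\t# no interface known for {ttype}: replace before keeping")
                body.append(f"\tallow {sdom} {ttype}:{tclass} {{ {' '.join(perms)} }};")
        out += ["optional_policy(`", "\tgen_require(`"]
        out += [f"\t\ttype {t};" for t in dict.fromkeys(needed)]
        out += ["\t')", ""] + body + ["')", ""]
    return "\n".join(out)


if __name__ == "__main__":
    rules = aggregate(parse_denials(SAMPLE_AUDIT))
    print("denied but allowed through (permissive mode):", denied_but_succeeded(SAMPLE_AUDIT))
    print(render_module("mygetty", rules))
```

Run it as a script to print the draft for the sample; feed it real `ausearch -m avc` output to see your own. The draft is a starting point for the bug report Dominick suggests, not a finished module: `audit2allow -R` performs the same interface lookup against the full reference policy, and a placeholder `allow` line in the output is the cue to look for the right interface rather than to ship the raw rule.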
Dominick,
On Tuesday, 29.12.2009, 13:02 +0100, Dominick Grift wrote:
Whoops, I forgot some policy:
Ok, I was already wondering whether that could be it, trying to understand :-)
# Quoted heredoc so the m4 quote characters (` and ') survive; a backtick inside
# a double-quoted echo string would start a command substitution instead.
cat > mygetty.te <<'EOF'
policy_module(mygetty, 1.0.0)

optional_policy(`
    gen_require(`
        type getty_t;
    ')

    corecmd_exec_bin(getty_t)
    corecmd_exec_shell(getty_t)
    kernel_read_system_state(getty_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile mygetty.pp
sudo semodule -i mygetty.pp
As for system_mail_t:
cat > mymail.te <<'EOF'
policy_module(mymail, 1.0.0)

optional_policy(`
    gen_require(`
        type system_mail_t;
    ')

    term_use_unallocated_ttys(system_mail_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile mymail.pp
sudo semodule -i mymail.pp
That should help.
This helps a lot, as fax receiving (and notifying) now works without AVC denials showing up. Now I'm off trying to understand everything. With all those macros, one gets a lot done with little code :-)
Thanks again, Klaus
On 12/29/2009 01:52 PM, Klaus Lichtenwalder wrote:
Dominick,
On Tuesday, 29.12.2009, 13:02 +0100, Dominick Grift wrote:
Whoops, I forgot some policy:
Ok, I was already wondering whether that could be it, trying to understand :-)
# Quoted heredoc so the m4 quote characters (` and ') survive; a backtick inside
# a double-quoted echo string would start a command substitution instead.
cat > mygetty.te <<'EOF'
policy_module(mygetty, 1.0.0)

optional_policy(`
    gen_require(`
        type getty_t;
    ')

    corecmd_exec_bin(getty_t)
    corecmd_exec_shell(getty_t)
    kernel_read_system_state(getty_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile mygetty.pp
sudo semodule -i mygetty.pp
As for system_mail_t:
cat > mymail.te <<'EOF'
policy_module(mymail, 1.0.0)

optional_policy(`
    gen_require(`
        type system_mail_t;
    ')

    term_use_unallocated_ttys(system_mail_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile mymail.pp
sudo semodule -i mymail.pp
That should help.
This helps a lot, as fax receiving (and notifying) now works without AVC denials showing up. Now I'm off trying to understand everything. With all those macros, one gets a lot done with little code :-)
Well, there was already policy for getty present, but it seems not to be sufficient for your configuration (or it may signal a misconfiguration on your part).
With regard to system_mail_t, this is likely due to a (known) bug where the tty device does not get properly labeled. My fix makes it work, but it is not a good fix (user tty devices need to get labeled properly).
If you are certain that you are using getty properly, then consider reporting the AVC denials and my policy for getty_t to bugzilla/selinux-policy so that getty's policy can be extended to support your configuration.
Thanks again, Klaus
On Tuesday, 29.12.2009, 14:06 +0100, Dominick Grift wrote: [...]
Well, there was already policy for getty present, but it seems not to be sufficient for your configuration (or it may signal a misconfiguration on your part).
Yes, but mgetty does lots more than getty (which can be used for serial devices, too). It is always possible I made a mistake configuring mgetty, but I have been using it for ca. 15 years now (starting with some 0.x release, if I remember correctly), so I'm fairly confident I did not...
The extensions needed for the policy are for the mechanisms after the successful receipt of a fax, and as this is nothing needed in the getty policy, I guess mgetty does need its own policy.
With regard to system_mail_t, this is likely due to a (known) bug where the tty device does not get properly labeled. My fix makes it work, but it is not a good fix (user tty devices need to get labeled properly).
If you are certain that you are using getty properly, then consider reporting the AVC denials and my policy for getty_t to bugzilla/selinux-policy so that getty's policy can be extended to support your configuration.
Yes, I forgot to ask in my last mail; I will check and try to understand, possibly help weed out the (possible) bugs, and then go ahead.
Thanks, Klaus