Hi, I am having two issues with FC5 (x86_64) and selinux....
First, it appears the system is having a problem logging AVC's:
===================================================================
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=4) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: 2 AV entries and 2/512 buckets used, longest chain length 1 : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=4) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: 0 AV entries and 0/512 buckets used, longest chain length 0 : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
================================================================
And second, I was working on a hand edited local.te, as selinux is preventing vsftpd from creating files in users home directories... When running the policy compiler, I get.....
========================================================================
(unknown source)::ERROR 'permission write is not defined for class dir' at token ';' on line 22:
allow ftpd_t user_home_dir_t:dir { getattr read search write };
allow ftpd_t user_home_t:dir { getattr read search write };
===============================================================
And it appears "write" is no longer a valid attribute for directories ? What is its replacement ? The AVC is calling it a "write" problem... and audit2allow says the correcting line should be:
allow ftpd_t user_home_dir_t:dir write;
Am I missing something ?
TIA!
On Wed, 2006-09-27 at 13:32 -0400, Richard Irving wrote:
Hi, I am having two issues with FC5 (x86_64) and selinux....
First, it appears the system is having a problem logging AVC's:
===================================================================
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=4) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: 2 AV entries and 2/512 buckets used, longest chain length 1 : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=4) : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
Sep 27 13:09:16 localhost dbus: Can't send to audit system: USER_AVC avc: 0 AV entries and 0/512 buckets used, longest chain length 0 : exe="/bin/dbus-daemon" (sauid=500, hostname=?, addr=?, terminal=?)
Not certain about this one, although I recall issues with the session dbus (which runs with the user's identity, not as root) not being able to generate audit messages in the past. Steve?
================================================================
And second, I was working on a hand edited local.te, as selinux is preventing vsftpd from creating files in users home directories... When running the policy compiler, I get.....
========================================================================
(unknown source)::ERROR 'permission write is not defined for class dir' at token ';' on line 22:
allow ftpd_t user_home_dir_t:dir { getattr read search write };
allow ftpd_t user_home_t:dir { getattr read search write };
===============================================================
And it appears "write" is no longer a valid attribute for directories ? What is its replacement ? The AVC is calling it a "write" problem... and audit2allow says the correcting line should be:
allow ftpd_t user_home_dir_t:dir write;
Am I missing something ?
TIA!
How was that local.te file generated? In any event, assuming you are trying to build it as a module, it needs to declare any required permissions in its require block, which can either be done explicitly or by using the policy_module() macro. Otherwise, the compiler doesn't know that it is an external dependency.
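An added example, not code from the thread or from the SELinux tool chain: a small pre-flight check for a hand-edited .te module that lists every type and every class permission an allow rule uses without a matching require entry, which is exactly the gap behind the "permission write is not defined for class dir" error above. The sample .te texts are constructed from the rules posted in the thread; the parser handles only plain allow rules, require blocks and type declarations, not m4 macros.

```python
import re

# Constructed from the thread: the hand-edited rules with no require block,
# which is what makes checkmodule reject "write" for class dir.
BROKEN_TE = """module local 1.0;
allow ftpd_t user_home_dir_t:dir { getattr read search write };
allow ftpd_t user_home_t:dir { getattr read search write };
"""

# Same rules with every external type and class permission declared explicitly.
FIXED_TE = """module local 1.0;
require {
    type ftpd_t;
    type user_home_dir_t;
    type user_home_t;
    class dir { getattr read search write };
}
allow ftpd_t user_home_dir_t:dir { getattr read search write };
allow ftpd_t user_home_t:dir { getattr read search write };
"""

REQUIRE_RE = re.compile(r"require\s*\{(.*?)^\}", re.S | re.M)  # block ends at a '}' on its own line
TYPE_RE = re.compile(r"\btype\s+([\w,\s]+?);")                   # 'type a, b;' (required or declared)
CLASS_RE = re.compile(r"\bclass\s+(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
ALLOW_RE = re.compile(r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def _perm_list(m, brace_group, single_group):
    """Permissions from either a '{ a b }' set or a single bare permission."""
    return (m.group(brace_group) if m.group(brace_group) is not None else m.group(single_group)).split()

def declared(te):
    """Types known to the module (required or self-declared) and class perms from require blocks."""
    types = {t.strip() for m in TYPE_RE.finditer(te) for t in m.group(1).split(",")}
    classes = {}
    for block in REQUIRE_RE.findall(te):
        for m in CLASS_RE.finditer(block):
            classes.setdefault(m.group(1), set()).update(_perm_list(m, 2, 3))
    return types, classes

def undeclared(te):
    """Types and (class, perm) pairs that allow rules use but no require block provides."""
    types, classes = declared(te)
    missing_types, missing_perms = set(), set()
    for m in ALLOW_RE.finditer(te):
        src, tgt, cls = m.group(1), m.group(2), m.group(3)
        missing_types.update(t for t in (src, tgt) if t != "self" and t not in types)
        missing_perms.update((cls, p) for p in _perm_list(m, 4, 5) if p not in classes.get(cls, ()))
    return missing_types, missing_perms

if __name__ == "__main__":
    for name, te in (("broken", BROKEN_TE), ("fixed", FIXED_TE)):
        types, perms = undeclared(te)
        print(f"{name}: undeclared types={sorted(types)} perms={sorted(perms)}")
```

A clean result only means the declarations are present; checkmodule -M -m remains the authority on whether the module compiles, and the alternative route is to let the policy_module() macro and the reference policy Makefile supply the require block for you.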
Not certain about this one, although I recall issues with the session dbus (which runs with the user's identity, not as root) not being able to generate audit messages in the past. Steve?
Yes, true. This was fixed in rawhide/fc6. Not sure if it'll be backported. In theory, it could be.
-Steve
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Well, this is a near virgin install of FC5.....
(Actually, it *is* virgin)
It is a bit cumbersome to hand audit, and create policy without audit2allow to predigest it...
Worse, without the AVC's making it to actual logging, it is a silent death, in terms of knowing *what* has failed, and why...
Any known work around ?
Carnac, I am not....
TIA!
Steve G wrote:
Not certain about this one, although I recall issues with the session dbus (which runs with the user's identity, not as root) not being able to generate audit messages in the past. Steve?
Yes, true. This was fixed in rawhide/fc6. Not sure if it'll be backported. In theory, it could be.
-Steve
Richard Irving wrote:
Well, this is a near virgin install of FC5.....
Please yum update to get to the latest SELinux tool chain and policy. Lots of bug fixes have gone in. There is a boolean to allow ftp to access users' home directories which you could set
setsebool -P ftp_home_dir=1
(Actually, it *is* virgin)
It is a bit cumbersome to hand audit, and create policy without audit2allow to predigest it...
Worse, without the AVC's making it to actual logging, it is a silent death, in terms of knowing *what* has failed, and why...
The dbus avc message is not that important. It is basically saying userspace dbus can not send audit messages. The fix is to stop trying, in userspace.
Regular avc messages should be going to /var/log/messages or /var/log/audit/audit.log
Any known work around ?
Carnac, I am not....
TIA!
Steve G wrote:
Not certain about this one, although I recall issues with the session dbus (which runs with the user's identity, not as root) not being able to generate audit messages in the past. Steve?
Yes, true. This was fixed in rawhide/fc6. Not sure if it'll be backported. In theory, it could be.
-Steve
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
allow ftpd_t user_home_dir_t:dir write;
Am I missing something ?
TIA!
How was that local.te file generated? In any event, assuming you are trying to build it as a module, it needs to declare any required permissions in its require block, which can either be done explicitly or by using the policy_module() macro. Otherwise, the compiler doesn't know that it is an external dependency.
That was what I needed !
As you can tell, I am a "newbie" to this modular version.
A fixfiles run to help the DBUS issue "fixed" me all right: the vsftpd daemon is (*was*) kaput. (It worked fine *before* the fixfiles.) I have created a working policy to resurrect the service. Being as I had not changed anything, besides running "yum update" on a virgin install, I suspect FC5 users are currently one "fixfiles" away from replicating my dilemma. (I replicated this on another virgin system, as a sanity test.)
So, just a FYI, heads up, and a Thank You!
PPS: Any suggestions on recovering those DBUS messages, would be *greatly* appreciated... it is kind of hard to audit, without an audit trail.
<humor> Say, the person who did that work didn't previously work for Diebold, did they ? :-P </humor>
selinux@lists.fedoraproject.org