
Re: List of selinux issues



Warren Togami wrote:

This is my first time running with selinux enforcement enabled and this system has been apt upgraded from FC2test1 to latest rawhide, so please forgive me that some of these will be duplicates and others may be errors. Please let me know which are not duplicates, and if you want me to bugzilla them.

To be clear, I did the following in order to ensure that my labels are correct during runtime. I hope this was correct.

setenforce 0      # permissive: denials are logged but not blocked during the relabel
fixfiles relabel
setenforce 1      # back to enforcing



1) Infinite Loop of these messages when using "/sbin/ifup eth0" as non-root user. This is allowed when enforcement is disabled. CTRL-C is able to stop the looping.

Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied { setuid } for pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc: denied { setuid } for pid=2463 exe=/usr/sbin/usernetctl capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability



I am not sure how you set this up to work. I execute /sbin/ifup eth0 and I get
Users cannot control this device.


If we want to allow this we will need policy to allow it. Anyone want to take a try at it?

2) "su -" from my non-root user caused this error. I was however allowed to work as root.

Apr 5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user root by warren(uid=500)
Apr 5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating temporary file `/root/.xauthsDAz4e': Permission denied
Apr 5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc: denied { write } for pid=12399 exe=/bin/su name=root dev=hda2 ino=1291809 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir



This should be fixed in latest policy 1.9.2-12.

3) Then as root, I used "ifup eth0" which succeeded, but with the following in /var/log/messages.

Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop dhclient: can't create /var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address type 776
Apr 5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
Apr 5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Apr 5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: can't create /var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal in 356918 seconds.
Apr 5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir


Added policy to allow this, but not sure what it is trying to do. Could you try it in non-enforcing mode and grab the avc messages?


4) GNOME mixer_applet2 is unable to reach the device. Strangely this began failing in permissive mode too, but it works when selinux is totally disabled and not loaded.


Apr 5 21:07:10 ibmlaptop kernel: audit(1081235230.797:0): avc: denied { setattr } for pid=2435 exe=/usr/libexec/mixer_applet2 name=registry.xml dev=hda2 ino=1425367 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_t tclass=file


This needs more investigation if it fails in permissive mode.

5) This is vmware from the VMWare WS 4.5.1 service startup. The issues are ... complicated, numerous, and scary looking.

Apr 5 21:06:08 ibmlaptop kernel: vmmon: module license 'unspecified' taints kernel.
Apr 5 21:06:08 ibmlaptop kernel: vmnet: module license 'unspecified' taints kernel.
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.858:0): avc: denied { search } for pid=1909 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:08 ibmlaptop kernel: audit(1081235168.867:0): avc: denied { search } for pid=1910 exe=/usr/bin/vmnet-netifup name=net dev= ino=344 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:sysfs_t tclass=dir
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.047:0): avc: denied { node_bind } for pid=1931 exe=/usr/bin/vmnet-natd scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:node_inaddr_any_t tclass=rawip_socket
Apr 5 21:06:09 ibmlaptop kernel: audit(1081235169.048:0): avc: denied { create } for pid=1931 exe=/usr/bin/vmnet-natd name=vmnat.1931 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:var_run_t tclass=sock_file
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find this software useful.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit http://www.isc.org/dhcp-contrib.html
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.


Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Internet Software Consortium DHCP Server 2.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Copyright 1995, 1996, 1997, 1998, 1999 The Internet Software Consortium.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: All rights reserved.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.18.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Please contribute if you find this software useful.
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address: 173.31.18.254
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: For info, please visit http://www.isc.org/dhcp-contrib.html
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd: Recving on VNet/vmnet1/173.31.18.0
Apr 5 21:06:09 ibmlaptop vmnet-dhcpd:
Apr 5 21:06:10 ibmlaptop vmnet-dhcpd: Sending on VNet/vmnet1/173.31.18.0
Apr 5 21:06:11 ibmlaptop vmnet-dhcpd: Configured subnet: 173.31.17.0
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Setting vmnet-dhcp IP address: 173.31.17.254
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Recving on VNet/vmnet8/173.31.17.0
Apr 5 21:06:12 ibmlaptop vmnet-dhcpd: Sending on VNet/vmnet8/173.31.17.0
Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc: denied { create } for pid=2253 exe=/usr/bin/vmware-nmbd scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t tclass=udp_socket
Apr 5 21:06:15 ibmlaptop kernel: audit(1081235175.873:0): avc: denied { create } for pid=2253 exe=/usr/bin/vmware-nmbd scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t tclass=udp_socket
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.460:0): avc: denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=urandom dev=hda2 ino=1270748 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc: denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2 ino=1963867 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:shadow_t tclass=file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc: denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6 scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t tclass=capability
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.804:0): avc: denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6 scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t tclass=capability
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.805:0): avc: denied { setgid } for pid=2254 exe=/usr/bin/vmware-smbd capability=6 scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t tclass=capability
Apr 5 21:06:16 ibmlaptop last message repeated 2 times
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc: denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=printcap dev=hda2 ino=1962265 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.899:0): avc: denied { create } for pid=2254 exe=/usr/bin/vmware-smbd scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t tclass=udp_socket
Apr 5 21:06:17 ibmlaptop kernel: audit(1081235177.041:0): avc: denied { sys_resource } for pid=2254 exe=/usr/bin/vmware-smbd capability=24 scontext=system_u:system_r:vmware_t tcontext=system_u:system_r:vmware_t tclass=capability
--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
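The reply above asks for the avc messages from permissive mode so that policy can be written from them. As an added illustration (not code from the thread or from the Fedora policy tools), the script below parses AVC denial lines of the format quoted in the thread, groups them by source type, target type and object class the way a policy author would before writing allow rules, and flags groups whose target type is a constructed watch list (here only shadow_t, matching the vmware-smbd denial above) so they are reviewed rather than allowed blindly. The sample log is constructed from lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC lines quoted in the thread plus one non-AVC line.
SAMPLE_LOG = """\
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied { setuid } for pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:06:16 ibmlaptop kernel: audit(1081235176.461:0): avc: denied { read } for pid=2254 exe=/usr/bin/vmware-smbd name=shadow dev=hda2 ino=1963867 scontext=system_u:system_r:vmware_t tcontext=system_u:object_r:shadow_t tclass=file
Apr 5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal in 356918 seconds.
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Assumed watch list: target types a policy author should never allow from a log alone.
SENSITIVE_TARGETS = {"shadow_t"}

def parse_avc(line):
    """Return the fields of one AVC denial line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    # A context is user:role:type; allow rules are written against the type.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    fields["perms"] = set(m.group("perms").split())
    return fields

def summarize(log_text):
    """Group denials by (source type, target type, class) with merged perms and a count."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "exes": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["count"] += 1
        g["exes"].add(d.get("exe", "?"))
    return groups

def candidate_rules(groups):
    """Render each group as an allow rule for review; sensitive targets are marked REVIEW."""
    out = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        tag = "REVIEW" if ttype in SENSITIVE_TARGETS else "ok"
        out.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};  "
                   f"# {tag}, {g['count']} denial(s) from {', '.join(sorted(g['exes']))}")
    return out

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(SAMPLE_LOG))))
```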

