
Help unsubscribe



Help

-----Original Message-----
From: fedora-selinux-list-request redhat com
To: fedora-selinux-list redhat com
Sent: 5/20/06 12:00 PM
Subject: fedora-selinux-list Digest, Vol 27, Issue 19

Send fedora-selinux-list mailing list submissions to
	fedora-selinux-list redhat com

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
	fedora-selinux-list-request redhat com

You can reach the person managing the list at
	fedora-selinux-list-owner redhat com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."


Today's Topics:

   1. printer AVCs.... (Tom London)
   2. Re: need help for local.te (Hongwei Li)
   3. Re: need help for local.te (Kayvan A. Sylvan)
   4. Re: need help for local.te (Hongwei Li)
   5. Re: selinux prelink avc's (dragoran)
   6. Trusted Solaris over SELinux (Justin Conover)
   7. Re: Trusted Solaris over SELinux (Andy Green)
   8. Re: Trusted Solaris over SELinux (Martin Ebourne)
   9. Re: Trusted Solaris over SELinux (Justin Conover)
  10. Re: Trusted Solaris over SELinux (Andy Green)


----------------------------------------------------------------------

Message: 1
Date: Fri, 19 May 2006 09:02:35 -0700
From: "Tom London" <selinux gmail com>
Subject: printer AVCs....
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list redhat com>
Message-ID:
	<4c4ba1530605190902q5c981798m31d36366654f159 mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Running latest Rawhide, targeted/enforcing.

I get the following when 'deactivating/activating' a USB printer (and
printing fails):

type=AVC msg=audit(1148052935.119:30): avc:  denied  { create } for
pid=1902 comm="python" scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148052935.119:30): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bffa4878 a2=49ebaff4 a3=bffa4e69 items=0
pid=1902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0
type=SOCKETCALL msg=audit(1148052935.119:30): nargs=3 a0=10 a1=3 a2=0

type=USER_AVC msg=audit(1148053114.333:32): user pid=1735 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)'

The following messages were in /var/log/messages:

May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc:  denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc:  denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=QueueChanged
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc:  denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobStartedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:35 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623
May 19 08:35:35 localhost hpiod: unable to Device::Open
hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 io/hpiod/device.cpp 862
May 19 08:35:35 localhost hp_LaserJet_1300?serial=00CNCB954325: INFO:
open device failed; will retry in 30 seconds...
May 19 08:36:05 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623

tom
-- 
Tom London



------------------------------

Message: 2
Date: Fri, 19 May 2006 12:13:15 -0500 (CDT)
From: "Hongwei Li" <hongwei wustl edu>
Subject: Re: need help for local.te
To: fedora-selinux-list redhat com
Message-ID:
	<1866 128 252 85 103 1148058795 squirrel morpheus wustl edu>
Content-Type: text/plain;charset=iso-8859-1

> On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
>> Hi,
>>
>> I need help about local.te.  My system:
>>
>> kernel:         2.6.16-1.2111_FC5smp
>> selinux-policy-targeted:     2.2.38-1.fc5
>> audit:          1.1.5-1
>> sendmail:       8.13.6-0.FC5.1
>> squirrelmail:   1.4.6-5.fc5
>>
>> When I try to create an email folder in squirrelmail, I got Error.  So, I
>> run
>> the following to create my local.te and add my module.  Here are what I run
>> and get:
>>
>> # audit2allow -M local < /var/log/audit/audit.log
>> Generating type enforcment file: local.te
>> Compiling policy
>> checkmodule -M -m -o local.mod local.te
>> semodule_package -o local.pp -m local.mod
>>
>> ******************** IMPORTANT ***********************
>>
>> In order to load this newly created policy package into the kernel,
>> you are required to execute
>>
>> semodule -i local.pp
>>
>> # ls -l
>> total 40
>> -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
>> -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
>> -rw-r--r-- 1 root root  733 May 19 09:46 local.te
>>
>> # semodule -i local.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow
>> httpd_t
>> shadow_t:file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> semodule:  Failed!
>>
>> How to solve the problem?
>>
>> Thanks!
>
> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy.  Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency

The problem is I need to re-do for local.te from time to time, and whenever I
run (after rebooting)
# audit2allow -M local < /var/log/audit/audit.log
the line

allow httpd_t shadow_t:file { getattr read write };

is automatically added to local.te -- this time, it added more, not just read.
 I believe that this is because I need to run change_password plugin in
squirrelmail.  It is not a problem in fc4 selinux -- I run audit2allow to add
entry into local.te and run make load, then everything is working.  But, in
fc5, it is a problem.  If I remove that line, then whenever I run the above
command, it is automatically added.

How to fix the problem?

Thanks!

Hongwei




------------------------------

Message: 3
Date: Fri, 19 May 2006 18:30:37 -0700
From: "Kayvan A. Sylvan" <kayvan sylvan com>
Subject: Re: need help for local.te
To: Hongwei Li <hongwei wustl edu>
Cc: fedora-selinux-list redhat com
Message-ID: <20060520013037 GD2422 satyr sylvan com>
Content-Type: text/plain; charset=us-ascii

On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
> 
> The problem is I need to re-do for local.te from time to time, and whenever I
> run (after rebooting)
> # audit2allow -M local < /var/log/audit/audit.log
> the line
> 
> allow httpd_t shadow_t:file { getattr read write };
> 
> is automatically added to local.te -- [...]
> How to fix the problem?

How about something like this?

audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te

-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)



------------------------------

Message: 4
Date: Fri, 19 May 2006 22:16:44 -0500 (CDT)
From: "Hongwei Li" <hongwei wustl edu>
Subject: Re: need help for local.te
To: fedora-selinux-list redhat com
Message-ID:
	<1808 70 230 152 93 1148095004 squirrel morpheus wustl edu>
Content-Type: text/plain;charset=iso-8859-1

> On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
>>
>> The problem is I need to re-do for local.te from time to time, and whenever I
>> run (after rebooting)
>> # audit2allow -M local < /var/log/audit/audit.log
>> the line
>>
>> allow httpd_t shadow_t:file { getattr read write };
>>
>> is automatically added to local.te -- [...]
>> How to fix the problem?
>
> How about something like this?
>
> audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
>
> --
> Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
> Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)

I did and got:

# audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
(unknown source)::ERROR 'unknown type dovecot_auth_t' at token ';' on line 33:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule:  error(s) encountered while parsing configuration

I manually edit local.te to add a line
        type dovecot_auth_t;
and run it again, then got

# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
(unknown source)::ERROR 'unknown type initrc_var_run_t' at token ';' on line 34:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule:  error(s) encountered while parsing configuration

The line 34 is:

allow dovecot_auth_t initrc_var_run_t:file { read write };

What to do next? Thanks!

Hongwei

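Added example, not code from this thread, from audit2allow or from the Fedora
policy tree: a small audit2allow-style generator in POSIX sh and awk that turns
AVC denial lines into a loadable-module .te source. It addresses the two
failures in Messages 2 and 4 above. First, a rule whose target type is in a
blocked list (shadow_t by default) is written as dontaudit instead of allow, so
the base policy's neverallow assertion on httpd_t reading shadow_t is not
violated and the denial is no longer logged, which is why it stops reappearing
in local.te on the next run. Second, every type and every class/permission the
rules use is declared in a require { } block, which is exactly what the
"unknown type dovecot_auth_t" error from checkmodule says is missing when rules
are appended to a .te file by hand. The sample denials are constructed in FC5
audit.log shape, not copied from the posted logs, and the function and variable
names are this example's own; checkmodule and semodule are not invoked here.

```sh
#!/bin/sh
# Added example (not from the thread): minimal audit2allow-style .te generator.
# Assumes only POSIX sh and awk. Differences from plain audit2allow output:
#   * targets listed in BLOCKED (default shadow_t) get dontaudit, not allow,
#     so no neverallow assertion is violated and the denial stops being logged;
#   * all types and class permissions used are declared in a require { } block.

# Constructed sample denials in FC5 audit.log shape (not copied from the post).
SAMPLE_AVC='type=AVC msg=audit(1148058700.101:40): avc:  denied  { getattr read write } for  pid=2201 comm="httpd" name="shadow" dev=sda2 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058701.202:41): avc:  denied  { search write } for  pid=2210 comm="procmail" name="tmp" dev=sda2 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1148058702.303:42): avc:  denied  { read write } for  pid=2220 comm="dovecot-auth" name="dovecot.pid" dev=sda2 ino=77 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1148058703.404:43): avc:  denied  { create } for  pid=2230 comm="python" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket'

# avc_to_te MODULE_NAME [BLOCKED_TARGET_TYPES] < audit.log   (writes .te to stdout)
avc_to_te() {
    awk -v modname="$1" -v blocked="${2:-shadow_t}" '
    function sortkeys(arr, out,   n, k, i, j, t) {   # deterministic require block
        n = 0
        for (k in arr) out[++n] = k
        for (i = 2; i <= n; i++) {
            t = out[i]
            for (j = i - 1; j >= 1 && out[j] > t; j--) out[j + 1] = out[j]
            out[j + 1] = t
        }
        return n
    }
    BEGIN { nb = split(blocked, b, " "); for (i = 1; i <= nb; i++) isblocked[b[i]] = 1 }
    /avc: +denied/ {
        perms = $0                                    # keep only the { ... } part
        sub(/^.*denied +[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {                   # third ":" field of a context is the type
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        if (tgt in isblocked) kind = "dontaudit"; else kind = "allow"
        types[src] = 1
        if (tgt == src) tgt = "self"; else types[tgt] = 1   # self needs no require entry
        key = kind " " src " " tgt ":" cls
        if (!(key in order)) { order[key] = ++nrules; rulekeys[nrules] = key }
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++) {                   # merge perms per rule and per class
            if (!((key, p[i]) in seen)) { seen[key, p[i]] = 1; ruleperms[key] = ruleperms[key] " " p[i] }
            if (!((cls, p[i]) in cseen)) { cseen[cls, p[i]] = 1; classperms[cls] = classperms[cls] " " p[i] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", modname
        n = sortkeys(types, tlist)
        for (i = 1; i <= n; i++) print "\ttype " tlist[i] ";"
        n = sortkeys(classperms, clist)
        for (i = 1; i <= n; i++) print "\tclass " clist[i] " {" classperms[clist[i]] " };"
        print "}\n"
        for (i = 1; i <= nrules; i++) print rulekeys[i] " {" ruleperms[rulekeys[i]] " };"
    }'
}

# Run the constructed sample through the generator.
demo() { printf '%s\n' "$SAMPLE_AVC" | avc_to_te local shadow_t; }

demo
```

The generated file compiles with the same three commands the thread already
uses (checkmodule -M -m -o local.mod local.te; semodule_package -o local.pp -m
local.mod; semodule -i local.pp). Note what the dontaudit buys and what it does
not: it silences the httpd_t -> shadow_t denial so audit2allow stops proposing
it, but it grants nothing, so anything that needs httpd to read /etc/shadow
still fails. That neverallow is there on purpose, and a local module is the
wrong place to fight it.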


------------------------------

Message: 5
Date: Sat, 20 May 2006 13:18:35 +0200
From: dragoran <dragoran feuerpokemon de>
Subject: Re: selinux prelink avc's
To: dragoran <dragoran feuerpokemon de>
Cc: fedora-selinux-list redhat com
Message-ID: <446EFB0B 8030508 feuerpokemon de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

dragoran wrote:
> audit(1147793154.831:353): avc:  denied  { execute_no_trans } for  
> pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793154.831:354): avc:  denied  { execute_no_trans } for  
> pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.019:355): avc:  denied  { execute_no_trans } for  
> pid=5197 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.447:356): avc:  denied  { execute_no_trans } for  
> pid=5198 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793156.255:357): avc:  denied  { execute_no_trans } for  
> pid=5199 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> I am using FC5 with selinux-policy-targeted-2.2.36-2.fc5
> what's going on? Is a file mislabeled or is this a policy bug?
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
hello?
any solution for this problem?



------------------------------

Message: 6
Date: Sat, 20 May 2006 08:22:57 -0500
From: "Justin Conover" <justin conover gmail com>
Subject: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list redhat com>
Message-ID:
	<a36b7e2a0605200622v54259deale2e30cb73f6f7ab6 mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted

I thought this was interesting.  Yeah, I use Solaris too, so I read some Sun
blogs too.  :)

------------------------------

Message: 7
Date: Sat, 20 May 2006 15:04:33 +0100
From: Andy Green <andy warmcat com>
Subject: Re: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list redhat com>
Message-ID: <446F21F1 5020607 warmcat com>
Content-Type: text/plain; charset="iso-8859-1"

Justin Conover wrote:

> http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> 
> I thought this was interesting.  Yeah, I use Solaris too, so I read some 
> Sun blogs too.  :)

Get thee to somewhere far away from the NHS...

http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE

...with yer $995 - $27K trusted Solaris junk.  Give me Linux+selinux at 
$0 per unit when I am flat on my back... or happy and healthy and paying 
my taxes.

-Andy

------------------------------

Message: 8
Date: Sat, 20 May 2006 15:15:12 +0100
From: Martin Ebourne <lists ebourne me uk>
Subject: Re: Trusted Solaris over SELinux
To: fedora-selinux-list redhat com
Message-ID: <1148134512 6512 14 camel avenin ebourne me uk>
Content-Type: text/plain

On Sat, 2006-05-20 at 08:22 -0500, Justin Conover wrote:
> http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> 
> I thought this was interesting.  Yeah, I use Solaris too, so I read some
> Sun blogs too.  :)

High on opinion, low on fact.

Just how was that interesting? As a measure of desperation?

Martin.



------------------------------

Message: 9
Date: Sat, 20 May 2006 09:46:35 -0500
From: "Justin Conover" <justin conover gmail com>
Subject: Re: Trusted Solaris over SELinux
To: "Andy Green" <andy warmcat com>
Cc: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list redhat com>
Message-ID:
	<a36b7e2a0605200746q123f5276sf7af83f00398c95e mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

On 5/20/06, Andy Green <andy warmcat com> wrote:
>
> Justin Conover wrote:
>
> >
> http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> >
> > I thought this was interesting.  Yeah, I use Solaris too, so I read some
> > Sun blogs too.  :)
>
> Get thee to somewhere far away from the NHS...
>
>
> http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE
>
> ...with yer $995 - $27K trusted Solaris junk.  Give me Linux+selinux at
> $0 per unit when I am flat on my back... or happy and healthy and paying
> my taxes.
>
> -Andy


Actually Solaris 10 is integrating the bits of Trusted Solaris which will
make it FREE.  I'm not saying one is better than the other, simply wondering
what the SELinux developers thought.

To say that Trusted Solaris is junk seems a bit silly. If you're only talking
of price, OK, but if you're talking about the OS, then you're just misinformed.

------------------------------

Message: 10
Date: Sat, 20 May 2006 16:35:32 +0100
From: Andy Green <andy warmcat com>
Subject: Re: Trusted Solaris over SELinux
To: Justin Conover <justin conover gmail com>
Cc: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list redhat com>
Message-ID: <446F3744 3090509 warmcat com>
Content-Type: text/plain; charset="iso-8859-1"

Justin Conover wrote:

>     http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE
> 
>     ...with yer $995 - $27K trusted Solaris junk.  Give me Linux+selinux at
>     $0 per unit when I am flat on my back... or happy and healthy and paying

> Actually Solaris 10 is integrating the bits of Trusted Solaris which 
> will make it FREE.  I'm not saying one is better than the other, simply 
> wondering what the SELinux developers thought.
> 
> To say that Trusted Solaris is junk seems a bit silly. If you're only 
> talking of price, OK, but if you're talking about the OS, then you're just 
> misinformed.

I'm talking of the price.  I'm sure IBM take their cut for managing it, 
but at $995+ /cpu, $0 linux+selinux has to win out here even if Trusted 
Solaris poops golden eggs.  The benchmark is Windows level of security.

-Andy

------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

End of fedora-selinux-list Digest, Vol 27, Issue 19
***************************************************


