unsubscribe

Douglas.D.Hartman Douglas.D.Hartman at cox.net
Sat May 20 17:21:09 UTC 2006


unsubscribe

-----Original Message-----
From: fedora-selinux-list-bounces at redhat.com
[mailto:fedora-selinux-list-bounces at redhat.com] On Behalf Of
fedora-selinux-list-request at redhat.com
Sent: Saturday, May 20, 2006 12:00 PM
To: fedora-selinux-list at redhat.com
Subject: fedora-selinux-list Digest, Vol 27, Issue 19

Send fedora-selinux-list mailing list submissions to
	fedora-selinux-list at redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
	fedora-selinux-list-request at redhat.com

You can reach the person managing the list at
	fedora-selinux-list-owner at redhat.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."


Today's Topics:

   1. printer AVCs.... (Tom London)
   2. Re: need help for local.te (Hongwei Li)
   3. Re: need help for local.te (Kayvan A. Sylvan)
   4. Re: need help for local.te (Hongwei Li)
   5. Re: selinux prelink avc's (dragoran)
   6. Trusted Solaris over SELinux (Justin Conover)
   7. Re: Trusted Solaris over SELinux (Andy Green)
   8. Re: Trusted Solaris over SELinux (Martin Ebourne)
   9. Re: Trusted Solaris over SELinux (Justin Conover)
  10. Re: Trusted Solaris over SELinux (Andy Green)


----------------------------------------------------------------------

Message: 1
Date: Fri, 19 May 2006 09:02:35 -0700
From: "Tom London" <selinux at gmail.com>
Subject: printer AVCs....
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list at redhat.com>
Message-ID:
	<4c4ba1530605190902q5c981798m31d36366654f159 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Running latest Rawhide, targeted/enforcing.

I get the following when 'deactivating/activating' a USB printer (and
printing fails):

type=AVC msg=audit(1148052935.119:30): avc:  denied  { create } for
pid=1902 comm="python" scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148052935.119:30): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bffa4878 a2=49ebaff4 a3=bffa4e69 items=0
pid=1902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0
type=SOCKETCALL msg=audit(1148052935.119:30): nargs=3 a0=10 a1=3 a2=0

type=USER_AVC msg=audit(1148053114.333:32): user pid=1735 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)'

The following messages were in /var/log/messages:

May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc:  denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc:  denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=QueueChanged
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc:  denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobStartedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:35 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623
May 19 08:35:35 localhost hpiod: unable to Device::Open
hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 io/hpiod/device.cpp 862
May 19 08:35:35 localhost hp_LaserJet_1300?serial=00CNCB954325: INFO:
open device failed; will retry in 30 seconds...
May 19 08:36:05 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623

tom
-- 
Tom London



------------------------------

Message: 2
Date: Fri, 19 May 2006 12:13:15 -0500 (CDT)
From: "Hongwei Li" <hongwei at wustl.edu>
Subject: Re: need help for local.te
To: fedora-selinux-list at redhat.com
Message-ID:
	<1866.128.252.85.103.1148058795.squirrel at morpheus.wustl.edu>
Content-Type: text/plain;charset=iso-8859-1

> On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
>> Hi,
>>
>> I need help about local.te.  My system:
>>
>> kernel:         2.6.16-1.2111_FC5smp
>> selinux-policy-targeted:     2.2.38-1.fc5
>> audit:          1.1.5-1
>> sendmail:       8.13.6-0.FC5.1
>> squirrelmail:   1.4.6-5.fc5
>>
>> When I try to create an email folder in squirrelmail, I got Error.  So, I
>> run the following to create my local.te and add my module.  Here are what I
>> run and get:
>>
>> # audit2allow -M local < /var/log/audit/audit.log
>> Generating type enforcment file: local.te
>> Compiling policy
>> checkmodule -M -m -o local.mod local.te
>> semodule_package -o local.pp -m local.mod
>>
>> ******************** IMPORTANT ***********************
>>
>> In order to load this newly created policy package into the kernel,
>> you are required to execute
>>
>> semodule -i local.pp
>>
>> # ls -l
>> total 40
>> -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
>> -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
>> -rw-r--r-- 1 root root  733 May 19 09:46 local.te
>>
>> # semodule -i local.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow
>> httpd_t
>> shadow_t:file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> semodule:  Failed!
>>
>> How to solve the problem?
>>
>> Thanks!
>
> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy.  Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency

The problem is I need to re-do local.te from time to time, and whenever I
run (after rebooting)
# audit2allow -M local < /var/log/audit/audit.log
the line

allow httpd_t shadow_t:file { getattr read write };

is automatically added to local.te -- this time, it added more, not just
read.  I believe that this is because I need to run the change_password plugin
in squirrelmail.  It is not a problem in fc4 selinux -- I run audit2allow to
add an entry into local.te and run make load, then everything is working.  But,
in fc5, it is a problem.  If I remove that line, then whenever I run the above
command, it is automatically added.

How to fix the problem?

Thanks!

Hongwei




------------------------------

Message: 3
Date: Fri, 19 May 2006 18:30:37 -0700
From: "Kayvan A. Sylvan" <kayvan at sylvan.com>
Subject: Re: need help for local.te
To: Hongwei Li <hongwei at wustl.edu>
Cc: fedora-selinux-list at redhat.com
Message-ID: <20060520013037.GD2422 at satyr.sylvan.com>
Content-Type: text/plain; charset=us-ascii

On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
> 
> The problem is I need to re-do local.te from time to time, and whenever I
> run (after rebooting)
> # audit2allow -M local < /var/log/audit/audit.log
> the line
> 
> allow httpd_t shadow_t:file { getattr read write };
> 
> is automatically added to local.te -- [...]
> How to fix the problem?

How about something like this?

audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te

-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)



------------------------------

Message: 4
Date: Fri, 19 May 2006 22:16:44 -0500 (CDT)
From: "Hongwei Li" <hongwei at wustl.edu>
Subject: Re: need help for local.te
To: fedora-selinux-list at redhat.com
Message-ID:
	<1808.70.230.152.93.1148095004.squirrel at morpheus.wustl.edu>
Content-Type: text/plain;charset=iso-8859-1

> On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
>>
>> The problem is I need to re-do local.te from time to time, and whenever I
>> run (after rebooting)
>> # audit2allow -M local < /var/log/audit/audit.log
>> the line
>>
>> allow httpd_t shadow_t:file { getattr read write };
>>
>> is automatically added to local.te -- [...]
>> How to fix the problem?
>
> How about something like this?
>
> audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
>
> --
> Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
> Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)

I did and got:

# audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
(unknown source)::ERROR 'unknown type dovecot_auth_t' at token ';' on line 33:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule:  error(s) encountered while parsing configuration

I manually edit local.te to add a line
        type dovecot_auth_t;
and run it again, then got

# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
(unknown source)::ERROR 'unknown type initrc_var_run_t' at token ';' on line 34:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule:  error(s) encountered while parsing configuration

The line 34 is:

allow dovecot_auth_t initrc_var_run_t:file { read write };

What to do next? Thanks!

Hongwei
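The recurring shadow_t rule in Message 2, the `grep -v shadow` filter in Message 3 and the "unknown type" errors above have one root cause: a loadable module must list every existing type and class it uses in a `require { ... }` block (a bare `type dovecot_auth_t;` declares a new type instead of referencing the existing one), and an `allow httpd_t shadow_t` rule trips a neverallow assertion in the base policy, which is what semodule reported. The script below is an added example, not code from the list or from audit2allow: it parses AVC records in the format quoted in this digest, turns the forbidden httpd_t/shadow_t access into a dontaudit rule as suggested in the thread, and emits a local.te with the require block; the audit lines and the NEVER_ALLOW table are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the list post), in the same
# shape as the AVC lines quoted in this digest.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1148058000.100:40): avc:  denied  { read } for  pid=2001 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058000.100:41): avc:  denied  { getattr write } for  pid=2001 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058001.200:42): avc:  denied  { read write } for  pid=2100 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1148058001.200:42): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
                    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)'
                    r'.*?tclass=(?P<tclass>\S+)')

# Source/target type pairs the base policy forbids with a neverallow; an
# allow rule for them makes semodule fail, so emit dontaudit instead.
# (Constructed table for the example; extend it for your own policy.)
NEVER_ALLOW = {('httpd_t', 'shadow_t')}


def parse_avcs(text):
    """Collect denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                       # SYSCALL and other record types
        stype = m.group('scontext').split(':')[2]   # user:role:type[:level]
        ttype = m.group('tcontext').split(':')[2]
        rules[(stype, ttype, m.group('tclass'))].update(m.group('perms').split())
    return dict(rules)


def build_module(rules, name='local', version='1.0'):
    """Render module source with the require block that checkmodule needs."""
    types, classes, body = set(), defaultdict(set), []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        types.update((stype, ttype))
        classes[tclass].update(perms)
        kind = 'dontaudit' if (stype, ttype) in NEVER_ALLOW else 'allow'
        body.append('%s %s %s:%s { %s };' % (kind, stype, ttype, tclass,
                                              ' '.join(sorted(perms))))
    req = ['\ttype %s;' % t for t in sorted(types)]
    req += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    return ('module %s %s;\n\nrequire {\n%s\n}\n\n%s\n'
            % (name, version, '\n'.join(req), '\n'.join(body)))


if __name__ == '__main__':
    # Save the output as local.te, then build and load it as in the thread:
    # checkmodule -M -m -o local.mod local.te; semodule_package -o local.pp
    # -m local.mod; semodule -i local.pp
    print(build_module(parse_avcs(SAMPLE_AUDIT)), end='')
```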



------------------------------

Message: 5
Date: Sat, 20 May 2006 13:18:35 +0200
From: dragoran <dragoran at feuerpokemon.de>
Subject: Re: selinux prelink avc's
To: dragoran <dragoran at feuerpokemon.de>
Cc: fedora-selinux-list at redhat.com
Message-ID: <446EFB0B.8030508 at feuerpokemon.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

dragoran wrote:
> audit(1147793154.831:353): avc:  denied  { execute_no_trans } for  
> pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793154.831:354): avc:  denied  { execute_no_trans } for  
> pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.019:355): avc:  denied  { execute_no_trans } for  
> pid=5197 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.447:356): avc:  denied  { execute_no_trans } for  
> pid=5198 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793156.255:357): avc:  denied  { execute_no_trans } for  
> pid=5199 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> I am using FC5 with selinux-policy-targeted-2.2.36-2.fc5
> what's going on? Is a file mislabeled or is this a policy bug?
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
hello?
any solution for this problem?



------------------------------

Message: 6
Date: Sat, 20 May 2006 08:22:57 -0500
From: "Justin Conover" <justin.conover at gmail.com>
Subject: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list at redhat.com>
Message-ID:
	<a36b7e2a0605200622v54259deale2e30cb73f6f7ab6 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted

I thought this was interesting.  Yeah, I use Solaris too, so I read some Sun
blogs too.  :)

------------------------------

Message: 7
Date: Sat, 20 May 2006 15:04:33 +0100
From: Andy Green <andy at warmcat.com>
Subject: Re: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list at redhat.com>
Message-ID: <446F21F1.5020607 at warmcat.com>
Content-Type: text/plain; charset="iso-8859-1"

Justin Conover wrote:

> http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> 
> I thought this was interesting.  Yeah, I use Solaris too, so I read some 
> Sun blogs too.  :)

Get thee to somewhere far away from the NHS...

http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE

...with yer $995 - $27K trusted Solaris junk.  Give me Linux+selinux at 
$0 per unit when I am flat on my back... or happy and healthy and paying 
my taxes.

-Andy

------------------------------

Message: 8
Date: Sat, 20 May 2006 15:15:12 +0100
From: Martin Ebourne <lists at ebourne.me.uk>
Subject: Re: Trusted Solaris over SELinux
To: fedora-selinux-list at redhat.com
Message-ID: <1148134512.6512.14.camel at avenin.ebourne.me.uk>
Content-Type: text/plain

On Sat, 2006-05-20 at 08:22 -0500, Justin Conover wrote:
> http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> 
> I thought this was interesting.  Yeah, I use Solaris too, so I read some
> Sun blogs too.  :)

High on opinion, low on fact.

Just how was that interesting? As a measure of desperation?

Martin.



------------------------------

Message: 9
Date: Sat, 20 May 2006 09:46:35 -0500
From: "Justin Conover" <justin.conover at gmail.com>
Subject: Re: Trusted Solaris over SELinux
To: "Andy Green" <andy at warmcat.com>
Cc: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list at redhat.com>
Message-ID:
	<a36b7e2a0605200746q123f5276sf7af83f00398c95e at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On 5/20/06, Andy Green <andy at warmcat.com> wrote:
>
> Justin Conover wrote:
>
> > http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> >
> > I thought this was interesting.  Yeah, I use Solaris too, so I read some
> > Sun blogs too.  :)
>
> Get thee to somewhere far away from the NHS...
>
>
> http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE
>
> ...with yer $995 - $27K trusted Solaris junk.  Give me Linux+selinux at
> $0 per unit when I am flat on my back... or happy and healthy and paying
> my taxes.
>
> -Andy


Actually Solaris 10 is integrating the bits of Trusted Solaris which will
make it FREE.  I'm not saying one is better than the other, simply wondering
what the SELinux developers thought.

To say that Trusted Solaris is junk seems a bit silly; if you're only talking
of price, OK, but if you're talking the OS, then you're just misinformed.

------------------------------

Message: 10
Date: Sat, 20 May 2006 16:35:32 +0100
From: Andy Green <andy at warmcat.com>
Subject: Re: Trusted Solaris over SELinux
To: Justin Conover <justin.conover at gmail.com>
Cc: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list at redhat.com>
Message-ID: <446F3744.3090509 at warmcat.com>
Content-Type: text/plain; charset="iso-8859-1"

Justin Conover wrote:

> http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE
> 
>     ...with yer $995 - $27K trusted Solaris junk.  Give me Linux+selinux at
>     $0 per unit when I am flat on my back... or happy and healthy and paying

> Actually Solaris 10 is integrating the bits of Trusted Solaris which 
> will make it FREE.  I'm not saying one is better than the other, simply 
> wondering what the SELinux developers thought.
> 
> To say that Trusted Solaris is junk seems a bit silly; if you're only 
> talking of price, OK, but if you're talking the OS, then you're just 
> misinformed.

I'm talking of the price.  I'm sure IBM take their cut for managing it, 
but at $995+ /cpu, $0 linux+selinux has to win out here even if Trusted 
Solaris poops golden eggs.  The benchmark is Windows level of security.

-Andy

------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

End of fedora-selinux-list Digest, Vol 27, Issue 19
***************************************************



