fedora-selinux-list Digest, Vol 20, Issue 18

Jayendren Anand Maduray jayendren at hivsa.com
Mon Oct 24 06:24:31 UTC 2005


Thanks for your response, I really appreciate it.

Squid clam binary is located in:

/usr/local/squidclamav/bin


I issue:

[root at shiva jay]# chcon -t bin_t *`which /usr/local/squidclamav/bin/`

and get error:

/usr/bin/which: no  in (/usr/local/squidclamav/bin)


Then I try:

 chcon -t bin_t *`/usr/local/squidclamav/bin/squidclamav`
SquidClamav running as UID 0: writing logs to stderr
Mon Oct 24 08:23:18 2005:Reading Patterns from config 
/usr/local/squidclamav/etc/squidclamav.conf
Mon Oct 24 08:23:18 2005:SquidClamav (PID 4550) started

Does the original error mean that SELinux has not been configured to 
allow squidclamav?

Last night I ran a touch /.autorelabel
which relabelled my system, still the same problem. I have disabled 
SELinux support for squid, so at least squid is working now.

God bless.




Daniel J Walsh wrote:

> Jayendren Anand Maduray wrote:
>
>> Greetings fellow travellers.
>>
> I would start by trying something like
> chcon -t bin_t *`which squidclamav`
> Btw where does squidclamav reside?
>
> *
>
>>
>> Could someone please help me with the following errors:
>>
>> audit(1129788324.500:0): avc:  denied  { execute } for  pid=3105
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.501:0): avc:  denied  { execute } for  pid=3106
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.507:0): avc:  denied  { execute } for  pid=3107
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.510:0): avc:  denied  { execute } for  pid=3108
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.514:0): avc:  denied  { execute } for  pid=3109
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.517:0): avc:  denied  { execute } for  pid=3110
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.521:0): avc:  denied  { execute } for  pid=3111
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.522:0): avc:  denied  { execute } for  pid=3112
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.528:0): avc:  denied  { execute } for  pid=3113
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.529:0): avc:  denied  { execute } for  pid=3114
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
>>
>>
>> These errors are from dmesg, and occurred after compiling and 
>> installing squidclam from source.
>>
>> Here is the output of selinuxconf:
>>
>> [root at shiva jay]# selinuxconfig
>> selinux state="enforcing"
>> policypath="/etc/selinux/targeted"
>> default_type_path="/etc/selinux/targeted/contexts/default_type"
>> default_context_path="/etc/selinux/targeted/contexts/default_contexts"
>> default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
>> binary_policy_path="/etc/selinux/targeted/policy/policy"
>> user_contexts_path="/etc/selinux/targeted/contexts/users/"
>> contexts_path="/etc/selinux/targeted/contexts"
>>
>> Output of uname -a:
>> [root at shiva jay]# uname -a
>> Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 
>> i686 i386 GNU/Linux
>>
>> Any help would be greatly appreciated.
>>
>> God bless.
>>
>>
>> fedora-selinux-list-request at redhat.com wrote:
>>
>>> Today's Topics:
>>>
>>>    1. Re: mailman cgi-bin denied search (Tim Fenn)
>>>    2. Preserving Context with tar (W. Scott wilburn)
>>>    3. Re: mailman cgi-bin denied search (Daniel J Walsh)
>>>    4. Re: Preserving Context with tar (Daniel J Walsh)
>>>    5. Re: mailman cgi-bin denied search (Tim Fenn)
>>>    6. Re: Preserving Context with tar (Stephen Smalley)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Wed, 19 Oct 2005 13:49:47 -0700
>>> From: Tim Fenn <fenn at stanford.edu>
>>> Subject: Re: mailman cgi-bin denied search
>>> To: Daniel J Walsh <dwalsh at redhat.com>
>>> Cc: fedora-selinux-list at redhat.com
>>> Message-ID: <20051019204947.GC6466 at stanford.edu>
>>> Content-Type: text/plain; charset=us-ascii
>>>
>>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>>  
>>>
>>>> Tim Fenn wrote:
>>>>    
>>>>
>>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>>> associated with mailman (e.g. via the web interface):
>>>>>
>>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:  denied
>>>>> { search } for  pid=18761 comm="listinfo" name="run" dev=sda1
>>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t
>>>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>>>>
>>>>>       
>>>>
>>>> Why would mailman listinfo be searching /var/log directory?
>>>>
>>>>     
>>>
>>>
>>> Well, I get the same errors with mailmanctl:
>>>
>>> ./mailmanctl status
>>>
>>> yields no output, and the following errors:
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc:  denied
>>> { read write } for  pid=20837 comm="mailmanctl" name="3" dev=devpts
>>> ino=5 scontext=root:system_r:mailman_mail_t
>>> tcontext=root:object_r:devpts_t tclass=chr_file
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc:  denied
>>> { search } for  pid=20837 comm="mailmanctl" name="run" dev=sda1
>>> ino=1294372 scontext=root:system_r:mailman_mail_t
>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc:  denied
>>> { setgid } for  pid=20837 comm="mailmanctl" capability=6
>>> scontext=root:system_r:mailman_mail_t
>>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>>
>>> However, if I comment out:
>>>
>>> from Mailman.Logging.Syslog import syslog
>>>
>>> in the mailmanctl script, all is well:
>>>
>>> # ./mailmanctl status
>>> mailman (pid 17677) is running...
>>>
>>> and no error messages.  I would assume the same is true with the
>>> cgi-bin scripts, such as listinfo.  Should I file a bugzilla report?
>>>
>>> Regards,
>>> Tim
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Wed, 19 Oct 2005 15:56:06 -0600
>>> From: "W. Scott wilburn" <wilburn at lanl.gov>
>>> Subject: Preserving Context with tar
>>> To: fedora-selinux-list at redhat.com
>>> Message-ID: <20051019215606.GE4717 at wilburn.lanl.gov>
>>> Content-Type: text/plain; charset=us-ascii
>>>
>>> Sorry to be asking such a simple question. Is it possible to 
>>> preserve file contexts using tar? I would have thought -p would do 
>>> this, but it appears no, at least on RHEL4 and FC4.
>>>
>>> The reason to do this is I use tar to install modified config files 
>>> on new machines. Having to relabel after doing this is somewhat 
>>> slow. Perhaps there is a better solution?
>>>
>>> Thanks,
>>> Scott Wilburn
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Wed, 19 Oct 2005 22:31:36 -0400
>>> From: Daniel J Walsh <dwalsh at redhat.com>
>>> Subject: Re: mailman cgi-bin denied search
>>> To: Daniel J Walsh <dwalsh at redhat.com>, fedora-selinux-list at redhat.com
>>> Message-ID: <43570188.5060201 at redhat.com>
>>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>
>>> Tim Fenn wrote:
>>>  
>>>
>>>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>>>      
>>>>
>>>>> Tim Fenn wrote:
>>>>>          
>>>>>
>>>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>>>> associated with mailman (e.g. via the web interface):
>>>>>>
>>>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc:  denied
>>>>>> { search } for  pid=18761 comm="listinfo" name="run" dev=sda1
>>>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t
>>>>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>>>>>
>>>>>>               
>>>>>
>>>>> Why would mailman listinfo be searching /var/log directory?
>>>>>
>>>>>           
>>>>
>>>> Well, I get the same errors with mailmanctl:
>>>>
>>>> ./mailmanctl status
>>>>
>>>> yields no output, and the following errors:
>>>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc:  denied
>>>> { read write } for  pid=20837 comm="mailmanctl" name="3" dev=devpts
>>>> ino=5 scontext=root:system_r:mailman_mail_t
>>>> tcontext=root:object_r:devpts_t tclass=chr_file
>>>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc:  denied
>>>> { search } for  pid=20837 comm="mailmanctl" name="run" dev=sda1
>>>> ino=1294372 scontext=root:system_r:mailman_mail_t
>>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc:  denied
>>>> { setgid } for  pid=20837 comm="mailmanctl" capability=6
>>>> scontext=root:system_r:mailman_mail_t
>>>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>>>
>>>> However, if I comment out:
>>>>
>>>> from Mailman.Logging.Syslog import syslog
>>>>
>>>> in the mailmanctl script, all is well:
>>>>
>>>> # ./mailmanctl status
>>>> mailman (pid 17677) is running...
>>>>
>>>> and no error messages.  I would assume the same is true with the
>>>> cgi-bin scripts, such as listinfo.  Should I file a bugzilla report?
>>>>
>>>> Regards,
>>>> Tim
>>>>       
>>>
>>> Yes.  submit a bug.   Although generating these in FC4 would be far 
>>> more interesting.  Also do these AVC messages cause problems or are 
>>> they just being reported.  No output from the script is fixed in FC4.
>>>
>>>
>>>
>>>   
>>
>>
>
>
>

-- 
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator

Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa

Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94

Alternate email address: jayendren at mweb.co.za
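
Added example, not part of the original message or of any SELinux tool: a small Python parser that rejoins the mail-wrapped AVC records quoted in this thread and collapses repeats into distinct findings, which makes it plain that the squid denials are a single `{ execute }` by `squid_t` on a file typed `usr_t`. The sample input is constructed from two of the quoted records, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: two of the denials quoted in the thread, keeping the
# mail wrapping that split "tcontext" into "t" + newline + "context".
SAMPLE = """\
audit(1129788324.500:0): avc:  denied  { execute } for  pid=3105
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc:  denied  { execute } for  pid=3106
exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
scontext=user_u:system_r:squid_t t
context=root:object_r:usr_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def unwrap(text):
    """Rejoin wrapped lines into one string per 'audit(' record."""
    records = []
    for chunk in re.split(r"(?=audit\()", text):
        if "avc:" in chunk:
            flat = " ".join(chunk.split())
            records.append(re.sub(r"(?<= )t context=", "tcontext=", flat))
    return records

def parse(record):
    """Return (source type, permissions, target type, class, name) or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    f = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    stype = f["scontext"].split(":")[2]   # contexts are user:role:type
    ttype = f["tcontext"].split(":")[2]
    return (stype, tuple(m.group(1).split()), ttype, f["tclass"],
            f.get("name", "").strip('"'))

def summarize(text):
    """Count identical denials so repeated records collapse to one finding."""
    return Counter(p for p in map(parse, unwrap(text)) if p)

if __name__ == "__main__":
    for (stype, perms, ttype, tclass, name), n in summarize(SAMPLE).items():
        print(f"{n}x {stype} denied {{ {' '.join(perms)} }} on "
              f"{ttype}:{tclass} name={name}")
```

The target type in the summary (`usr_t`) is the label that the `chcon -t bin_t` suggested in the quoted reply would change on the binary.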



