fedora-selinux-list Digest, Vol 20, Issue 18
Jayendren Anand Maduray
jayendren at hivsa.com
Mon Oct 24 06:24:31 UTC 2005
Thanks for your response, I really appreciate it.
Squid clam binary is located in:
/usr/local/squidclamav/bin
I issue:
[root@shiva jay]# chcon -t bin_t *`which /usr/local/squidclamav/bin/`
and get error:
/usr/bin/which: no in (/usr/local/squidclamav/bin)
Then I try:
chcon -t bin_t *`/usr/local/squidclamav/bin/squidclamav`
SquidClamav running as UID 0: writing logs to stderr
Mon Oct 24 08:23:18 2005:Reading Patterns from config
/usr/local/squidclamav/etc/squidclamav.conf
Mon Oct 24 08:23:18 2005:SquidClamav (PID 4550) started
Does the original error mean that SELinux has not been configured to
allow squidclamav?
Last night I ran a touch /.autorelabel
which relabelled my system, still the same problem. I have disabled
SELinux support for squid, so at least squid is working now.
God bless.
Daniel J Walsh wrote:
> Jayendren Anand Maduray wrote:
>
>> Greetings fellow travellers.
>>
> I would start by trying something like
> chcon -t bin_t `which squidclamav`
> Btw where does squidclamav reside?
>
>>
>> Could someone please help me with the following errors:
>>
>> audit(1129788324.500:0): avc: denied { execute } for pid=3105
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.501:0): avc: denied { execute } for pid=3106
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.507:0): avc: denied { execute } for pid=3107
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.510:0): avc: denied { execute } for pid=3108
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.514:0): avc: denied { execute } for pid=3109
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.517:0): avc: denied { execute } for pid=3110
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.521:0): avc: denied { execute } for pid=3111
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.522:0): avc: denied { execute } for pid=3112
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.528:0): avc: denied { execute } for pid=3113
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>> audit(1129788324.529:0): avc: denied { execute } for pid=3114
>> exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872
>> scontext=user_u:system_r:squid_t
>> tcontext=root:object_r:usr_t tclass=file
>>
>>
>> These errors are from dmesg, and occurred after compiling and
>> installing squidclam from source.
>>
>> Here is the output of selinuxconfig:
>>
>> [root@shiva jay]# selinuxconfig
>> selinux state="enforcing"
>> policypath="/etc/selinux/targeted"
>> default_type_path="/etc/selinux/targeted/contexts/default_type"
>> default_context_path="/etc/selinux/targeted/contexts/default_contexts"
>> default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
>> binary_policy_path="/etc/selinux/targeted/policy/policy"
>> user_contexts_path="/etc/selinux/targeted/contexts/users/"
>> contexts_path="/etc/selinux/targeted/contexts"
>>
>> Output of uname -a:
>> [root@shiva jay]# uname -a
>> Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686
>> i686 i386 GNU/Linux
>>
>> Any help would be greatly appreciated.
>>
>> God bless.
>>
>>
>> fedora-selinux-list-request at redhat.com wrote:
>>
>>> Today's Topics:
>>>
>>> 1. Re: mailman cgi-bin denied search (Tim Fenn)
>>> 2. Preserving Context with tar (W. Scott wilburn)
>>> 3. Re: mailman cgi-bin denied search (Daniel J Walsh)
>>> 4. Re: Preserving Context with tar (Daniel J Walsh)
>>> 5. Re: mailman cgi-bin denied search (Tim Fenn)
>>> 6. Re: Preserving Context with tar (Stephen Smalley)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Wed, 19 Oct 2005 13:49:47 -0700
>>> From: Tim Fenn <fenn at stanford.edu>
>>> Subject: Re: mailman cgi-bin denied search
>>> To: Daniel J Walsh <dwalsh at redhat.com>
>>> Cc: fedora-selinux-list at redhat.com
>>> Message-ID: <20051019204947.GC6466 at stanford.edu>
>>> Content-Type: text/plain; charset=us-ascii
>>>
>>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>>
>>>
>>>> Tim Fenn wrote:
>>>>
>>>>
>>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>>> associated with mailman (e.g. via the web interface):
>>>>>
>>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>>> { search } for pid=18761 comm="listinfo" name="run" dev=sda1
>>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t
>>>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>>>>
>>>>>
>>>>
>>>> Why would mailman listinfo be searching /var/log directory?
>>>>
>>>>
>>>
>>>
>>> Well, I get the same errors with mailmanctl:
>>>
>>> ./mailmanctl status
>>>
>>> yields no output, and the following errors:
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>>> { read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
>>> ino=5 scontext=root:system_r:mailman_mail_t
>>> tcontext=root:object_r:devpts_t tclass=chr_file
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>>> { search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
>>> ino=1294372 scontext=root:system_r:mailman_mail_t
>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>>> { setgid } for pid=20837 comm="mailmanctl" capability=6
>>> scontext=root:system_r:mailman_mail_t
>>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>>
>>> However, if I comment out:
>>>
>>> from Mailman.Logging.Syslog import syslog
>>>
>>> in the mailmanctl script, all is well:
>>>
>>> # ./mailmanctl status
>>> mailman (pid 17677) is running...
>>>
>>> and no error messages. I would assume the same is true with the
>>> cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>>>
>>> Regards,
>>> Tim
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Wed, 19 Oct 2005 15:56:06 -0600
>>> From: "W. Scott wilburn" <wilburn at lanl.gov>
>>> Subject: Preserving Context with tar
>>> To: fedora-selinux-list at redhat.com
>>> Message-ID: <20051019215606.GE4717 at wilburn.lanl.gov>
>>> Content-Type: text/plain; charset=us-ascii
>>>
>>> Sorry to be asking such a simple question. Is it possible to
>>> preserve file contexts using tar? I would have thought -p would do
>>> this, but it appears no, at least on RHEL4 and FC4.
>>>
>>> The reason to do this is I use tar to install modified config files
>>> on new machines. Having to relabel after doing this is somewhat
>>> slow. Perhaps there is a better solution?
>>>
>>> Thanks,
>>> Scott Wilburn
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Wed, 19 Oct 2005 22:31:36 -0400
>>> From: Daniel J Walsh <dwalsh at redhat.com>
>>> Subject: Re: mailman cgi-bin denied search
>>> To: Daniel J Walsh <dwalsh at redhat.com>, fedora-selinux-list at redhat.com
>>> Message-ID: <43570188.5060201 at redhat.com>
>>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>>
>>> Tim Fenn wrote:
>>>
>>>
>>>> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>>>>
>>>>
>>>>> Tim Fenn wrote:
>>>>>
>>>>>
>>>>>> I recently installed mailman on my FC3 box (using the redhat based
>>>>>> RPMs), and it seems to be working just fine, except for the numerous
>>>>>> avc messages it cranks out whenever I run one of the cgi scripts
>>>>>> associated with mailman (e.g. via the web interface):
>>>>>>
>>>>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied
>>>>>> { search } for pid=18761 comm="listinfo" name="run" dev=sda1
>>>>>> ino=1294372 scontext=root:system_r:mailman_cgi_t
>>>>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>>>>>
>>>>>>
>>>>>
>>>>> Why would mailman listinfo be searching /var/log directory?
>>>>>
>>>>>
>>>>
>>>> Well, I get the same errors with mailmanctl:
>>>>
>>>> ./mailmanctl status
>>>>
>>>> yields no output, and the following errors:
>>>> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied
>>>> { read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts
>>>> ino=5 scontext=root:system_r:mailman_mail_t
>>>> tcontext=root:object_r:devpts_t tclass=chr_file
>>>> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied
>>>> { search } for pid=20837 comm="mailmanctl" name="run" dev=sda1
>>>> ino=1294372 scontext=root:system_r:mailman_mail_t
>>>> tcontext=system_u:object_r:var_run_t tclass=dir
>>>> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied
>>>> { setgid } for pid=20837 comm="mailmanctl" capability=6
>>>> scontext=root:system_r:mailman_mail_t
>>>> tcontext=root:system_r:mailman_mail_t tclass=capability
>>>>
>>>> However, if I comment out:
>>>>
>>>> from Mailman.Logging.Syslog import syslog
>>>>
>>>> in the mailmanctl script, all is well:
>>>>
>>>> # ./mailmanctl status
>>>> mailman (pid 17677) is running...
>>>>
>>>> and no error messages. I would assume the same is true with the
>>>> cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>>>>
>>>> Regards,
>>>> Tim
>>>>
>>>
>>> Yes, submit a bug. Although generating these in FC4 would be far
>>> more interesting. Also, do these AVC messages cause problems or are
>>> they just being reported? No output from the script is fixed in FC4.
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Jayendren Anand Maduray
>> Microsoft Certified Professional
>> Network Plus
>> IT Administrator
>>
>> Perinatal HIV Research Unit
>> Old Potch Road
>> Chris Hani Baragwanath Hospital
>> Soweto
>> South Africa
>>
>> Tel: +27 11 989 9776
>> Tel: +27 11 989 9999
>> Fax: +27 11 938 3973
>> Cel: 082 22 774 94
>>
>> Alternate email address: jayendren at mweb.co.za
>>
>
>
>
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren at mweb.co.za
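
Added example, not part of the original message or of any SELinux tool: a small Python parser for the dmesg-style AVC lines quoted in this thread. It collapses repeated denials into one row per source type, target type, class and permission, which shows that the squid denials are all the same `squid_t` to `usr_t` file-execute check that the suggested `chcon -t bin_t` relabel is aimed at. The function names and the embedded sample (lines from the thread rejoined onto single lines) are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: denials quoted in the thread, each rejoined onto one line.
SAMPLE = """\
audit(1129788324.500:0): avc: denied { execute } for pid=3105 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc: denied { execute } for pid=3106 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129753359.694:318): avc: denied { search } for pid=20837 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1129753359.802:322): avc: denied { setgid } for pid=20837 comm="mailmanctl" capability=6 scontext=root:system_r:mailman_mail_t tcontext=root:system_r:mailman_mail_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not a complete one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # wrapped or truncated record: do not guess the missing part
    src, tgt = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None  # a context is user:role:type; anything shorter is damaged
    rec["perms"] = tuple(m.group("perms").split())
    rec["stype"], rec["ttype"] = src[2], tgt[2]  # the type is what policy keys on
    return rec


def summarize(text):
    """Count denials per (source type, target type, class, perms, object name)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"], rec.get("name"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (stype, ttype, tclass, perms, name), n in summarize(SAMPLE).items():
        print(f"{n:3d}x {stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }} name={name}")
```

Records that were wrapped by a mail client, so that `tcontext=` is split across lines, are skipped rather than guessed at; rejoin them before feeding them in.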