Greetings fellow travellers.

Could someone please help me with the following errors:

audit(1129788324.500:0): avc: denied { execute } for pid=3105 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc: denied { execute } for pid=3106 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.507:0): avc: denied { execute } for pid=3107 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.510:0): avc: denied { execute } for pid=3108 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.514:0): avc: denied { execute } for pid=3109 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.517:0): avc: denied { execute } for pid=3110 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.521:0): avc: denied { execute } for pid=3111 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.522:0): avc: denied { execute } for pid=3112 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.528:0): avc: denied { execute } for pid=3113 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.529:0): avc: denied { execute } for pid=3114 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file

These errors are from dmesg, and occurred after compiling and installing squidclam from source.

Here is the output of selinuxconfig:

[root@shiva jay]# selinuxconfig
selinux state="enforcing"
policypath="/etc/selinux/targeted"
default_type_path="/etc/selinux/targeted/contexts/default_type"
default_context_path="/etc/selinux/targeted/contexts/default_contexts"
default_failsafe_context_path="/etc/selinux/targeted/contexts/failsafe_context"
binary_policy_path="/etc/selinux/targeted/policy/policy"
user_contexts_path="/etc/selinux/targeted/contexts/users/"
contexts_path="/etc/selinux/targeted/contexts"

Output of uname -a:

[root@shiva jay]# uname -a
Linux shiva 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686 i386 GNU/Linux

Any help would be greatly appreciated.
God bless.

fedora-selinux-list-request@xxxxxxxxxx wrote:

Send fedora-selinux-list mailing list submissions to
    fedora-selinux-list@xxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
    https://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
    fedora-selinux-list-request@xxxxxxxxxx

You can reach the person managing the list at
    fedora-selinux-list-owner@xxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."

Today's Topics:

   1. Re: mailman cgi-bin denied search (Tim Fenn)
   2. Preserving Context with tar (W. Scott wilburn)
   3. Re: mailman cgi-bin denied search (Daniel J Walsh)
   4. Re: Preserving Context with tar (Daniel J Walsh)
   5. Re: mailman cgi-bin denied search (Tim Fenn)
   6. Re: Preserving Context with tar (Stephen Smalley)

----------------------------------------------------------------------

Message: 1
Date: Wed, 19 Oct 2005 13:49:47 -0700
From: Tim Fenn <fenn@xxxxxxxxxxxx>
Subject: Re: mailman cgi-bin denied search
To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
Cc: fedora-selinux-list@xxxxxxxxxx
Message-ID: <20051019204947.GC6466@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
> Tim Fenn wrote:
>> I recently installed mailman on my FC3 box (using the redhat based
>> RPMs), and it seems to be working just fine, except for the numerous
>> avc messages it cranks out whenever I run one of the cgi scripts
>> associated with mailman (e.g. via the web interface):
>>
>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied { search } for pid=18761 comm="listinfo" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:var_run_t tclass=dir
>
> Why would mailman listinfo be searching /var/log directory?

Well, I get the same errors with mailmanctl:

./mailmanctl status

yields no output, and the following errors:

Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied { read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied { search } for pid=20837 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied { setgid } for pid=20837 comm="mailmanctl" capability=6 scontext=root:system_r:mailman_mail_t tcontext=root:system_r:mailman_mail_t tclass=capability

However, if I comment out:

from Mailman.Logging.Syslog import syslog

in the mailmanctl script, all is well:

# ./mailmanctl status
mailman (pid 17677) is running...

and no error messages. I would assume the same is true with the cgi-bin scripts, such as listinfo. Should I file a bugzilla report?

Regards,
Tim

------------------------------

Message: 2
Date: Wed, 19 Oct 2005 15:56:06 -0600
From: "W. Scott wilburn" <wilburn@xxxxxxxx>
Subject: Preserving Context with tar
To: fedora-selinux-list@xxxxxxxxxx
Message-ID: <20051019215606.GE4717@xxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Sorry to be asking such a simple question. Is it possible to preserve file contexts using tar? I would have thought -p would do this, but it appears no, at least on RHEL4 and FC4.

The reason to do this is I use tar to install modified config files on new machines. Having to relabel after doing this is somewhat slow. Perhaps there is a better solution?

Thanks,
Scott Wilburn

------------------------------

Message: 3
Date: Wed, 19 Oct 2005 22:31:36 -0400
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
Subject: Re: mailman cgi-bin denied search
To: Daniel J Walsh <dwalsh@xxxxxxxxxx>, fedora-selinux-list@xxxxxxxxxx
Message-ID: <43570188.5060201@xxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Tim Fenn wrote:
> On Wed, Oct 19, 2005 at 09:57:07AM -0400, Daniel J Walsh wrote:
>> Tim Fenn wrote:
>>> I recently installed mailman on my FC3 box (using the redhat based
>>> RPMs), and it seems to be working just fine, except for the numerous
>>> avc messages it cranks out whenever I run one of the cgi scripts
>>> associated with mailman (e.g. via the web interface):
>>>
>>> Oct 19 00:34:21 agora kernel: audit(1129707261.236:212): avc: denied { search } for pid=18761 comm="listinfo" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:var_run_t tclass=dir
>>
>> Why would mailman listinfo be searching /var/log directory?
>
> Well, I get the same errors with mailmanctl:
>
> ./mailmanctl status
>
> yields no output, and the following errors:
>
> Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied { read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
> Oct 19 13:22:39 agora kernel: audit(1129753359.694:318): avc: denied { search } for pid=20837 comm="mailmanctl" name="run" dev=sda1 ino=1294372 scontext=root:system_r:mailman_mail_t tcontext=system_u:object_r:var_run_t tclass=dir
> Oct 19 13:22:39 agora kernel: audit(1129753359.802:322): avc: denied { setgid } for pid=20837 comm="mailmanctl" capability=6 scontext=root:system_r:mailman_mail_t tcontext=root:system_r:mailman_mail_t tclass=capability
>
> However, if I comment out:
>
> from Mailman.Logging.Syslog import syslog
>
> in the mailmanctl script, all is well:
>
> # ./mailmanctl status
> mailman (pid 17677) is running...
>
> and no error messages. I would assume the same is true with the
> cgi-bin scripts, such as listinfo. Should I file a bugzilla report?
>
> Regards,
> Tim

Yes. Submit a bug. Although generating these in FC4 would be far more interesting. Also do these AVC messages cause problems or are they just being reported?

No output from the script is fixed in FC4.

--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren@xxxxxxxxxx
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
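
The squid denials quoted in the first message differ only in pid and timestamp. As an added example (not code from the thread or from any SELinux tool; the function names are hypothetical), this Python parser collapses denial lines of that format into unique source type, target type, class and permission tuples, and counts records damaged by mail line-wrapping such as a split "t context=".

```python
import re
from collections import Counter

# Sample input: records copied from the thread; the third keeps a line-wrapped
# "t context=" so the damaged-record path is exercised.
SAMPLE = """\
audit(1129788324.500:0): avc: denied { execute } for pid=3105 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.501:0): avc: denied { execute } for pid=3106 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=root:object_r:usr_t tclass=file
audit(1129788324.507:0): avc: denied { execute } for pid=3107 exe=/usr/sbin/squid name=squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t t context=root:object_r:usr_t tclass=file
Oct 19 13:22:39 agora kernel: audit(1129753359.647:314): avc: denied { read write } for pid=20837 comm="mailmanctl" name="3" dev=devpts ino=5 scontext=root:system_r:mailman_mail_t tcontext=root:object_r:devpts_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    parts = context.split(":")  # user:role:type[:range]
    if len(parts) < 3:
        raise ValueError(f"bad context: {context!r}")
    return parts[2]

def parse_avc(line):
    """Parse one denial; None if not an AVC line, ValueError if damaged."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    missing = {"scontext", "tcontext", "tclass"} - kv.keys()
    if missing:
        raise ValueError(f"missing {sorted(missing)}")
    return (se_type(kv["scontext"]), se_type(kv["tcontext"]),
            kv["tclass"], m.group(1).split())

def summarize(text):
    """Count unique (source type, target type, class, perm) tuples."""
    counts, damaged = Counter(), 0
    for line in text.splitlines():
        try:
            rec = parse_avc(line)
        except ValueError:
            damaged += 1
            continue
        if rec:
            counts.update((*rec[:3], perm) for perm in rec[3])
    return counts, damaged

if __name__ == "__main__":
    counts, damaged = summarize(SAMPLE)
    for (src, tgt, cls, perm), n in sorted(counts.items()):
        print(f"{n}x {src} -> {tgt}:{cls} {{ {perm} }} ({damaged} damaged skipped)")
```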