unsubscribe

unsubscribe

-----Original Message-----
From: fedora-selinux-list-bounces@xxxxxxxxxx
[mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of
fedora-selinux-list-request@xxxxxxxxxx
Sent: Saturday, May 20, 2006 12:00 PM
To: fedora-selinux-list@xxxxxxxxxx
Subject: fedora-selinux-list Digest, Vol 27, Issue 19

Send fedora-selinux-list mailing list submissions to
	fedora-selinux-list@xxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
	fedora-selinux-list-request@xxxxxxxxxx

You can reach the person managing the list at
	fedora-selinux-list-owner@xxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."


Today's Topics:

   1. printer AVCs.... (Tom London)
   2. Re: need help for local.te (Hongwei Li)
   3. Re: need help for local.te (Kayvan A. Sylvan)
   4. Re: need help for local.te (Hongwei Li)
   5. Re: selinux prelink avc's (dragoran)
   6. Trusted Solaris over SELinux (Justin Conover)
   7. Re: Trusted Solaris over SELinux (Andy Green)
   8. Re: Trusted Solaris over SELinux (Martin Ebourne)
   9. Re: Trusted Solaris over SELinux (Justin Conover)
  10. Re: Trusted Solaris over SELinux (Andy Green)


----------------------------------------------------------------------

Message: 1
Date: Fri, 19 May 2006 09:02:35 -0700
From: "Tom London" <selinux@xxxxxxxxx>
Subject: printer AVCs....
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list@xxxxxxxxxx>
Message-ID:
	<4c4ba1530605190902q5c981798m31d36366654f159@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Running latest Rawhide, targeted/enforcing.

I get the following when 'deactivating/activating' a USB printer (and
printing fails):

type=AVC msg=audit(1148052935.119:30): avc:  denied  { create } for
pid=1902 comm="python" scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148052935.119:30): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bffa4878 a2=49ebaff4 a3=bffa4e69 items=0
pid=1902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0
type=SOCKETCALL msg=audit(1148052935.119:30): nargs=3 a0=10 a1=3 a2=0

type=USER_AVC msg=audit(1148053114.333:32): user pid=1735 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:
denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)'

The following messages were in /var/log/messages:

May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc:  denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobQueuedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc:  denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=QueueChanged
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC
avc:  denied  { send_msg } for msgtype=signal
interface=com.redhat.PrinterSpooler member=JobStartedLocal
dest=org.freedesktop.DBus spid=1913 tpid=2748
scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh
tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?"
(sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:35 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623
May 19 08:35:35 localhost hpiod: unable to Device::Open
hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 io/hpiod/device.cpp 862
May 19 08:35:35 localhost hp_LaserJet_1300?serial=00CNCB954325: INFO:
open device failed; will retry in 30 seconds...
May 19 08:36:05 localhost hpiod: invalid product id string: Broken
pipe io/hpiod/device.cpp 623

tom
-- 
Tom London



------------------------------

Message: 2
Date: Fri, 19 May 2006 12:13:15 -0500 (CDT)
From: "Hongwei Li" <hongwei@xxxxxxxxx>
Subject: Re: need help for local.te
To: fedora-selinux-list@xxxxxxxxxx
Message-ID:
	<1866.128.252.85.103.1148058795.squirrel@xxxxxxxxxxxxxxxxxx>
Content-Type: text/plain;charset=iso-8859-1

> On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
>> Hi,
>>
>> I need help about local.te.  My system:
>>
>> kernel:         2.6.16-1.2111_FC5smp
>> selinux-policy-targeted:     2.2.38-1.fc5
>> audit:          1.1.5-1
>> sendmail:       8.13.6-0.FC5.1
>> squirrelmail:   1.4.6-5.fc5
>>
>> When I try to create an email folder in squirrelmail, I got Error.  So, I
>> run the following to create my local.te and add my module.  Here are what I
>> run and get:
>>
>> # audit2allow -M local < /var/log/audit/audit.log
>> Generating type enforcment file: local.te
>> Compiling policy
>> checkmodule -M -m -o local.mod local.te
>> semodule_package -o local.pp -m local.mod
>>
>> ******************** IMPORTANT ***********************
>>
>> In order to load this newly created policy package into the kernel,
>> you are required to execute
>>
>> semodule -i local.pp
>>
>> # ls -l
>> total 40
>> -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
>> -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
>> -rw-r--r-- 1 root root  733 May 19 09:46 local.te
>>
>> # semodule -i local.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow
>> httpd_t
>> shadow_t:file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> semodule:  Failed!
>>
>> How to solve the problem?
>>
>> Thanks!
>
> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy.  Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency

The problem is I need to re-do for local.te from time to time, and whenever I
run (after rebooting)
# audit2allow -M local < /var/log/audit/audit.log
the line

allow httpd_t shadow_t:file { getattr read write };

is automatically added to local.te -- this time, it added more, not just
read.  I believe that this is because I need to run change_password plugin in
squirrelmail.  It is not a problem in fc4 selinux -- I run audit2allow to add
entry into local.te and run make load, then everything is working.  But, in
fc5, it is a problem.  If I remove that line, then whenever I run the above
command, it is automatically added.

How to fix the problem?

Thanks!

Hongwei




------------------------------

Message: 3
Date: Fri, 19 May 2006 18:30:37 -0700
From: "Kayvan A. Sylvan" <kayvan@xxxxxxxxxx>
Subject: Re: need help for local.te
To: Hongwei Li <hongwei@xxxxxxxxx>
Cc: fedora-selinux-list@xxxxxxxxxx
Message-ID: <20060520013037.GD2422@xxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
> 
> The problem is I need to re-do for local.te from time to time, and whenever I
> run (after rebooting)
> # audit2allow -M local < /var/log/audit/audit.log
> the line
> 
> allow httpd_t shadow_t:file { getattr read write };
> 
> is automatically added to local.te -- [...]
> How to fix the problem?

How about something like this?

audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te

-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)



------------------------------

Message: 4
Date: Fri, 19 May 2006 22:16:44 -0500 (CDT)
From: "Hongwei Li" <hongwei@xxxxxxxxx>
Subject: Re: need help for local.te
To: fedora-selinux-list@xxxxxxxxxx
Message-ID:
	<1808.70.230.152.93.1148095004.squirrel@xxxxxxxxxxxxxxxxxx>
Content-Type: text/plain;charset=iso-8859-1

> On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
>>
>> The problem is I need to re-do for local.te from time to time, and
>> whenever I run (after rebooting)
>> # audit2allow -M local < /var/log/audit/audit.log
>> the line
>>
>> allow httpd_t shadow_t:file { getattr read write };
>>
>> is automatically added to local.te -- [...]
>> How to fix the problem?
>
> How about something like this?
>
> audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
>
> --
> Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
> Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)

I did and got:

# audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
(unknown source)::ERROR 'unknown type dovecot_auth_t' at token ';' on line 33:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule:  error(s) encountered while parsing configuration

I manually edit local.te to add a line
        type dovecot_auth_t;
and run it again, then got

# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
(unknown source)::ERROR 'unknown type initrc_var_run_t' at token ';' on line 34:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule:  error(s) encountered while parsing configuration

The line 34 is:

allow dovecot_auth_t initrc_var_run_t:file { read write };

What to do next? Thanks!

Hongwei
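Editor's added example, tying the three replies above together; it is not part of this thread and is not Stephen Smalley's, Kayvan's or Hongwei's code. Stephen Smalley's point is that the `allow httpd_t shadow_t:file { read }` rule trips an assertion in the base policy and must be dropped or turned into a `dontaudit` rule. Kayvan's `grep -v shadow` drops it, but appends bare `audit2allow -l` output, which carries no `require { ... }` block, so `checkmodule` rejects `dovecot_auth_t` and `initrc_var_run_t` as unknown types; writing `type dovecot_auth_t;` by hand declares a new, duplicate type rather than referencing the existing one, which is why the error simply moved to the next line. The script below parses AVC denials straight from audit.log (including the `:s0` and `SystemLow-SystemHigh` context suffixes seen in the messages earlier in this digest), emits rules whose target is a forbidden type as `dontaudit` instead of `allow`, and produces a complete `local.te` with the `module` header and `require` block that `checkmodule -M -m` needs. The sample log lines are constructed, and `NEVER_ALLOW_TARGETS` is an assumed list maintained here, not something the base policy exports.

```python
"""Generate a loadable-module local.te from AVC denials.

Added example (not from the mailing-list thread). Assumptions: audit.log
lines in the 2006-era format quoted in this digest, and a hand-maintained
NEVER_ALLOW_TARGETS set standing in for the base policy's assertions.
"""
import re
from collections import defaultdict

# Constructed sample audit.log content; not captured from a real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1148058795.001:10): avc:  denied  { read } for  pid=2000 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058795.002:11): avc:  denied  { getattr write } for  pid=2000 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058796.003:12): avc:  denied  { search write } for  pid=2100 comm="procmail" name="tmp" dev=sda2 ino=2 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1148058796.003:12): arch=40000003 syscall=102 success=no exit=-13
"""

# Matches the denied permission set, source type, target type and class.
# The optional (?::\S+)? swallows an MLS suffix such as ":s0" or
# ":SystemLow-SystemHigh" so only the type component is captured.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+)(?::\S+)?\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+)(?::\S+)?\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Assumed list: target types that must never be granted, so the rule is
# written as dontaudit (silencing the denial) instead of allow.
NEVER_ALLOW_TARGETS = {"shadow_t"}


def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(perms)} over all AVC lines."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, SOCKETCALL and other records carry no denial
            continue
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return rules


def render_te(rules, module_name="local", version="1.0"):
    """Render a complete .te: module header, require block, then the rules."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    # Every type and class used below must be *required*, not declared:
    # "type foo_t;" would define a new type and clash with the base policy.
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        kind = "dontaudit" if ttype in NEVER_ALLOW_TARGETS else "allow"
        out.append(f"{kind} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Print the generated module for the constructed sample log.
    print(render_te(parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

Run it as `python3 gen_local_te.py > local.te` (feeding a real audit.log instead of the sample string), then continue with the `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod` and `semodule -i local.pp` steps Stephen Smalley listed. Because the shadow_t rule is emitted as `dontaudit`, the denial stops being logged, so the next `audit2allow` run no longer re-adds the `allow` rule; httpd still gets no access to /etc/shadow.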



------------------------------

Message: 5
Date: Sat, 20 May 2006 13:18:35 +0200
From: dragoran <dragoran@xxxxxxxxxxxxxxx>
Subject: Re: selinux prelink avc's
To: dragoran <dragoran@xxxxxxxxxxxxxxx>
Cc: fedora-selinux-list@xxxxxxxxxx
Message-ID: <446EFB0B.8030508@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

dragoran wrote:
> audit(1147793154.831:353): avc:  denied  { execute_no_trans } for  
> pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793154.831:354): avc:  denied  { execute_no_trans } for  
> pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.019:355): avc:  denied  { execute_no_trans } for  
> pid=5197 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.447:356): avc:  denied  { execute_no_trans } for  
> pid=5198 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793156.255:357): avc:  denied  { execute_no_trans } for  
> pid=5199 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163 
> scontext=system_u:system_r:prelink_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> I am using FC5 with selinux-policy-targeted-2.2.36-2.fc5
> what's going on? is a file mislabeled or is this a policy bug?
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
hello?
any solution for this problem?



------------------------------

Message: 6
Date: Sat, 20 May 2006 08:22:57 -0500
From: "Justin Conover" <justin.conover@xxxxxxxxx>
Subject: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list@xxxxxxxxxx>
Message-ID:
	<a36b7e2a0605200622v54259deale2e30cb73f6f7ab6@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted

I thought this was interesting.  Yeah, I use Solaris too so I read some Sun
blogs too.  :)

------------------------------

Message: 7
Date: Sat, 20 May 2006 15:04:33 +0100
From: Andy Green <andy@xxxxxxxxxxx>
Subject: Re: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list@xxxxxxxxxx>
Message-ID: <446F21F1.5020607@xxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Justin Conover wrote:

> http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> 
> I thought this was interesting.  Yeah, I use Solaris too so I read some 
> Sun blogs too.  :)

Get thee to somewhere far away from the NHS...

http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE

...with yer $995 - $27K trusted Solaris junk.  Give me Linux+selinux at 
$0 per unit when I am flat on my back... or happy and healthy and paying 
my taxes.

-Andy

------------------------------

Message: 8
Date: Sat, 20 May 2006 15:15:12 +0100
From: Martin Ebourne <lists@xxxxxxxxxxxxx>
Subject: Re: Trusted Solaris over SELinux
To: fedora-selinux-list@xxxxxxxxxx
Message-ID: <1148134512.6512.14.camel@xxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain

On Sat, 2006-05-20 at 08:22 -0500, Justin Conover wrote:
> http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> 
> I thought this was interesting.  Yeah, I use Solaris too so I read some
> Sun blogs too.  :)

High on opinion, low on fact.

Just how was that interesting? As a measure of desperation?

Martin.



------------------------------

Message: 9
Date: Sat, 20 May 2006 09:46:35 -0500
From: "Justin Conover" <justin.conover@xxxxxxxxx>
Subject: Re: Trusted Solaris over SELinux
To: "Andy Green" <andy@xxxxxxxxxxx>
Cc: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list@xxxxxxxxxx>
Message-ID:
	<a36b7e2a0605200746q123f5276sf7af83f00398c95e@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

On 5/20/06, Andy Green <andy@xxxxxxxxxxx> wrote:
>
> Justin Conover wrote:
>
> > http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> >
> > I thought this was interesting.  Yeah, I use Solaris too so I read some
> > Sun blogs too.  :)
>
> Get thee to somewhere far away from the NHS...
>
> http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE
>
> ...with yer $995 - $27K trusted Solaris junk.  Give me Linux+selinux at
> $0 per unit when I am flat on my back... or happy and healthy and paying
> my taxes.
>
> -Andy


Actually Solaris 10 is integrating the bits of Trusted Solaris which will
make it FREE.  I'm not saying one is better than the other, simply wondering
what the SELinux developers thought.

To say that Trusted Solaris is junk seems a bit silly, if you're only talking
of price, ok, but if you're talking the OS, then you're just misinformed.

------------------------------

Message: 10
Date: Sat, 20 May 2006 16:35:32 +0100
From: Andy Green <andy@xxxxxxxxxxx>
Subject: Re: Trusted Solaris over SELinux
To: Justin Conover <justin.conover@xxxxxxxxx>
Cc: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list@xxxxxxxxxx>
Message-ID: <446F3744.3090509@xxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Justin Conover wrote:

> http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE
> 
>     ...with yer $995 - $27K trusted Solaris junk.  Give me Linux+selinux at
>     $0 per unit when I am flat on my back... or happy and healthy and paying

> Actually Solaris 10 is integrating the bits of Trusted Solaris which 
> will make it FREE.  I'm not saying one is better than the other, simply 
> wondering what the SELinux developers thought.
> 
> To say that Trusted Solaris is junk seems a bit silly, if you're only 
> talking of price, ok, but if you're talking the OS, then you're just 
> misinformed.

I'm talking of the price.  I'm sure IBM take their cut for managing it, 
but at $995+ /cpu, $0 linux+selinux has to win out here even if Trusted 
Solaris poops golden eggs.  The benchmark is Windows level of security.

-Andy

------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

End of fedora-selinux-list Digest, Vol 27, Issue 19
***************************************************
