unsubscribe

-----Original Message-----
From: fedora-selinux-list-bounces@xxxxxxxxxx [mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of fedora-selinux-list-request@xxxxxxxxxx
Sent: Saturday, May 20, 2006 12:00 PM
To: fedora-selinux-list@xxxxxxxxxx
Subject: fedora-selinux-list Digest, Vol 27, Issue 19

Send fedora-selinux-list mailing list submissions to
	fedora-selinux-list@xxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.redhat.com/mailman/listinfo/fedora-selinux-list
or, via email, send a message with subject or body 'help' to
	fedora-selinux-list-request@xxxxxxxxxx

You can reach the person managing the list at
	fedora-selinux-list-owner@xxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of fedora-selinux-list digest..."

Today's Topics:

   1. printer AVCs.... (Tom London)
   2. Re: need help for local.te (Hongwei Li)
   3. Re: need help for local.te (Kayvan A. Sylvan)
   4. Re: need help for local.te (Hongwei Li)
   5. Re: selinux prelink avc's (dragoran)
   6. Trusted Solaris over SELinux (Justin Conover)
   7. Re: Trusted Solaris over SELinux (Andy Green)
   8. Re: Trusted Solaris over SELinux (Martin Ebourne)
   9. Re: Trusted Solaris over SELinux (Justin Conover)
  10. Re: Trusted Solaris over SELinux (Andy Green)

----------------------------------------------------------------------

Message: 1
Date: Fri, 19 May 2006 09:02:35 -0700
From: "Tom London" <selinux@xxxxxxxxx>
Subject: printer AVCs....
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list@xxxxxxxxxx>
Message-ID: <4c4ba1530605190902q5c981798m31d36366654f159@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Running latest Rawhide, targeted/enforcing.

I get the following when 'deactivating/activating' a USB printer (and printing fails):

type=AVC msg=audit(1148052935.119:30): avc: denied { create } for pid=1902 comm="python" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148052935.119:30): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bffa4878 a2=49ebaff4 a3=bffa4e69 items=0 pid=1902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0
type=SOCKETCALL msg=audit(1148052935.119:30): nargs=3 a0=10 a1=3 a2=0
type=USER_AVC msg=audit(1148053114.333:32): user pid=1735 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=com.redhat.PrinterSpooler member=JobQueuedLocal dest=org.freedesktop.DBus spid=1913 tpid=2748 scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'

The following messages were in /var/log/messages:

May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC avc: denied { send_msg } for msgtype=signal interface=com.redhat.PrinterSpooler member=JobQueuedLocal dest=org.freedesktop.DBus spid=1913 tpid=2748 scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC avc: denied { send_msg } for msgtype=signal interface=com.redhat.PrinterSpooler member=QueueChanged dest=org.freedesktop.DBus spid=1913 tpid=2748 scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:33 localhost dbus: Can't send to audit system: USER_AVC avc: denied { send_msg } for msgtype=signal interface=com.redhat.PrinterSpooler member=JobStartedLocal dest=org.freedesktop.DBus spid=1913 tpid=2748 scontext=system_u:system_r:cupsd_t:SystemLow-SystemHigh tcontext=user_u:system_r:unconfined_execmem_t tclass=dbus : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
May 19 08:35:35 localhost hpiod: invalid product id string: Broken pipe io/hpiod/device.cpp 623
May 19 08:35:35 localhost hpiod: unable to Device::Open hp:/usb/hp_LaserJet_1300?serial=00CNCB954325 io/hpiod/device.cpp 862
May 19 08:35:35 localhost hp_LaserJet_1300?serial=00CNCB954325: INFO: open device failed; will retry in 30 seconds...
May 19 08:36:05 localhost hpiod: invalid product id string: Broken pipe io/hpiod/device.cpp 623

tom
--
Tom London

------------------------------

Message: 2
Date: Fri, 19 May 2006 12:13:15 -0500 (CDT)
From: "Hongwei Li" <hongwei@xxxxxxxxx>
Subject: Re: need help for local.te
To: fedora-selinux-list@xxxxxxxxxx
Message-ID: <1866.128.252.85.103.1148058795.squirrel@xxxxxxxxxxxxxxxxxx>
Content-Type: text/plain;charset=iso-8859-1

> On Fri, 2006-05-19 at 09:58 -0500, Hongwei Li wrote:
>> Hi,
>>
>> I need help about local.te. My system:
>>
>> kernel: 2.6.16-1.2111_FC5smp
>> selinux-policy-targeted: 2.2.38-1.fc5
>> audit: 1.1.5-1
>> sendmail: 8.13.6-0.FC5.1
>> squirrelmail: 1.4.6-5.fc5
>>
>> When I try to create an email folder in squirrelmail, I got Error. So, I run
>> the following to create my local.te and add my module. Here are what I run
>> and get:
>>
>> # audit2allow -M local < /var/log/audit/audit.log
>> Generating type enforcment file: local.te
>> Compiling policy
>> checkmodule -M -m -o local.mod local.te
>> semodule_package -o local.pp -m local.mod
>>
>> ******************** IMPORTANT ***********************
>>
>> In order to load this newly created policy package into the kernel,
>> you are required to execute
>>
>> semodule -i local.pp
>>
>> # ls -l
>> total 40
>> -rw-r--r-- 1 root root 2448 May 19 09:46 local.mod
>> -rw-r--r-- 1 root root 2464 May 19 09:46 local.pp
>> -rw-r--r-- 1 root root  733 May 19 09:46 local.te
>>
>> # semodule -i local.pp
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow httpd_t shadow_t:file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> semodule: Failed!
>>
>> How to solve the problem?
>>
>> Thanks!
>
> This means that your local.te file includes a rule that allows httpd to
> read your /etc/shadow file, and this violates an assertion in the base
> policy. Review your local.te file, prune entries that are not
> legitimate, and rebuild the .mod and .pp files, e.g.
> # vi local.te # edit out bogus entries or replace them with dontaudit rules
> # checkmodule -m -M -o local.mod local.te
> # semodule_package -o local.pp -m local.mod
> # semodule -i local.pp
>
> --
> Stephen Smalley
> National Security Agency

The problem is I need to re-do for local.te from time to time, and whenever I run (after rebooting)

# audit2allow -M local < /var/log/audit/audit.log

the line

allow httpd_t shadow_t:file { getattr read write };

is automatically added to local.te -- this time, it added more, not just read. I believe that this is because I need to run change_password plugin in squirrelmail. It is not a problem in fc4 selinux -- I run audit2allow to add entry into local.te and run make load, then everything is working. But, in fc5, it is a problem.
If I remove that line, then whenever I run the above command, it is automatically added. How to fix the problem?

Thanks!

Hongwei

------------------------------

Message: 3
Date: Fri, 19 May 2006 18:30:37 -0700
From: "Kayvan A. Sylvan" <kayvan@xxxxxxxxxx>
Subject: Re: need help for local.te
To: Hongwei Li <hongwei@xxxxxxxxx>
Cc: fedora-selinux-list@xxxxxxxxxx
Message-ID: <20060520013037.GD2422@xxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
>
> The problem is I need to re-do for local.te from time to time, and whenever I
> run (after rebooting)
> # audit2allow -M local < /var/log/audit/audit.log
> the line
>
> allow httpd_t shadow_t:file { getattr read write };
>
> is automatically added to local.te -- [...]
> How to fix the problem?

How about something like this?

audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te

--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

------------------------------

Message: 4
Date: Fri, 19 May 2006 22:16:44 -0500 (CDT)
From: "Hongwei Li" <hongwei@xxxxxxxxx>
Subject: Re: need help for local.te
To: fedora-selinux-list@xxxxxxxxxx
Message-ID: <1808.70.230.152.93.1148095004.squirrel@xxxxxxxxxxxxxxxxxx>
Content-Type: text/plain;charset=iso-8859-1

> On Fri, May 19, 2006 at 12:13:15PM -0500, Hongwei Li wrote:
>>
>> The problem is I need to re-do for local.te from time to time, and whenever I
>> run (after rebooting)
>> # audit2allow -M local < /var/log/audit/audit.log
>> the line
>>
>> allow httpd_t shadow_t:file { getattr read write };
>>
>> is automatically added to local.te -- [...]
>> How to fix the problem?
>
> How about something like this?
>
> audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
>
> --
> Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
> Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)

I did and got:

# audit2allow -l -i /var/log/audit/audit.log | grep -v shadow >> local.te
# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
(unknown source)::ERROR 'unknown type dovecot_auth_t' at token ';' on line 33:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule: error(s) encountered while parsing configuration

I manually edit local.te to add a line

type dovecot_auth_t;

and run it again, then got

# checkmodule -M -m -o local.mod local.te
checkmodule: loading policy configuration from local.te
(unknown source)::ERROR 'unknown type initrc_var_run_t' at token ';' on line 34:
allow procmail_t tmp_t:dir { search write };
allow dovecot_auth_t initrc_var_run_t:file { read write };
checkmodule: error(s) encountered while parsing configuration

The line 34 is:

allow dovecot_auth_t initrc_var_run_t:file { read write };

What to do next?

Thanks!

Hongwei
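The local.te thread above runs into two distinct problems: audit2allow keeps regenerating an allow rule that the base policy forbids by assertion (httpd_t accessing shadow_t), and appending bare rules from audit2allow -l leaves out the require block that audit2allow -M would have written, so checkmodule reports every type it meets as unknown. The Python script below is an added illustration, not code from the list thread or from the audit2allow project. It parses AVC denials from a few constructed sample log lines (the real audit.log is not reproduced), groups them by source type, target type and class, writes a complete local.te with a module header and require block, and emits a dontaudit rule instead of an allow for the httpd_t/shadow_t pair so the module still loads without granting the web server access to password hashes. The NEVER_ALLOW set and the sample lines are assumptions for this example; extend the set for the assertions in your own base policy.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines (not taken from the thread's real audit.log).
# The first two mirror the httpd_t -> shadow_t denial discussed in the thread,
# the next two the procmail/dovecot rules that failed to compile.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1148058000.101:40): avc: denied { read } for pid=2001 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058000.102:41): avc: denied { getattr write } for pid=2001 comm="httpd" name="shadow" dev=sda2 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1148058001.500:42): avc: denied { search write } for pid=2100 comm="procmail" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1148058002.700:43): avc: denied { read write } for pid=2200 comm="dovecot-auth" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1148058002.700:43): arch=40000003 syscall=5 success=no exit=-13
"""

# Matches the permission set and the three fields that identify a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# (source type, target type) pairs the base policy forbids by assertion
# (neverallow). Allowing them makes semodule fail, so they become dontaudit.
# Only the pair seen in the thread is listed here; this is an assumption.
NEVER_ALLOW = {("httpd_t", "shadow_t")}


def type_of(context):
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Group denials as {(stype, ttype, tclass): set(permissions)}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, SOCKETCALL and other non-AVC records
            continue
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return denials


def build_te_module(denials, name="local", version="1.0"):
    """Render a complete .te module: header, require block, then the rules."""
    types = sorted({x for s, t, _ in denials for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, cls), perms in sorted(denials.items()):
        # Keep the denial quiet without granting it where the base policy forbids it.
        keyword = "dontaudit" if (stype, ttype) in NEVER_ALLOW else "allow"
        lines.append(f"{keyword} {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The output is what you would feed to checkmodule / semodule_package / semodule.
    print(build_te_module(parse_avc_denials(SAMPLE_AUDIT_LOG)), end="")
```

The same require block is what audit2allow -M generates for you; the point of writing it out is to see why the grep -v shadow pipeline broke (the types were never declared) and to keep the shadow_t access out of the allow set rather than silently dropping the line and having it come back on the next run.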
------------------------------

Message: 5
Date: Sat, 20 May 2006 13:18:35 +0200
From: dragoran <dragoran@xxxxxxxxxxxxxxx>
Subject: Re: selinux prelink avc's
To: dragoran <dragoran@xxxxxxxxxxxxxxx>
Cc: fedora-selinux-list@xxxxxxxxxx
Message-ID: <446EFB0B.8030508@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

dragoran wrote:
> audit(1147793154.831:353): avc: denied { execute_no_trans } for
> pid=5195 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793154.831:354): avc: denied { execute_no_trans } for
> pid=5196 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.019:355): avc: denied { execute_no_trans } for
> pid=5197 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793155.447:356): avc: denied { execute_no_trans } for
> pid=5198 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> audit(1147793156.255:357): avc: denied { execute_no_trans } for
> pid=5199 comm="prelink" name="ld-2.4.so" dev=md0 ino=8061163
> scontext=system_u:system_r:prelink_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> I am using FC5 with selinux-policy-targeted-2.2.36-2.fc5
> What's going on? Is a file mislabeled or is this a policy bug?
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>

hello? any solution for this problem?

------------------------------

Message: 6
Date: Sat, 20 May 2006 08:22:57 -0500
From: "Justin Conover" <justin.conover@xxxxxxxxx>
Subject: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers."
	<fedora-selinux-list@xxxxxxxxxx>
Message-ID: <a36b7e2a0605200622v54259deale2e30cb73f6f7ab6@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted

I thought this was interesting. Yeah, I use Solaris too, so I read some Sun blogs too. :)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://www.redhat.com/archives/fedora-selinux-list/attachments/20060520/947ff5bd/attachment.html

------------------------------

Message: 7
Date: Sat, 20 May 2006 15:04:33 +0100
From: Andy Green <andy@xxxxxxxxxxx>
Subject: Re: Trusted Solaris over SELinux
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list@xxxxxxxxxx>
Message-ID: <446F21F1.5020607@xxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Justin Conover wrote:
> http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
>
> I thought this was interesting. Yeah, I use Solaris too, so I read some
> Sun blogs too. :)

Get thee to somewhere far away from the NHS...

http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE

...with yer $995 - $27K trusted Solaris junk. Give me Linux+selinux at $0 per unit when I am flat on my back... or happy and healthy and paying my taxes.

-Andy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4492 bytes
Desc: S/MIME Cryptographic Signature
Url : https://www.redhat.com/archives/fedora-selinux-list/attachments/20060520/1efab05f/smime.bin

------------------------------

Message: 8
Date: Sat, 20 May 2006 15:15:12 +0100
From: Martin Ebourne <lists@xxxxxxxxxxxxx>
Subject: Re: Trusted Solaris over SELinux
To: fedora-selinux-list@xxxxxxxxxx
Message-ID: <1148134512.6512.14.camel@xxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain

On Sat, 2006-05-20 at 08:22 -0500, Justin Conover wrote:
> http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
>
> I thought this was interesting. Yeah, I use Solaris too, so I read some
> Sun blogs too. :)

High on opinion, low on fact. Just how was that interesting? As a measure of desperation?

Martin.

------------------------------

Message: 9
Date: Sat, 20 May 2006 09:46:35 -0500
From: "Justin Conover" <justin.conover@xxxxxxxxx>
Subject: Re: Trusted Solaris over SELinux
To: "Andy Green" <andy@xxxxxxxxxxx>
Cc: "Fedora SELinux support list for users & developers." <fedora-selinux-list@xxxxxxxxxx>
Message-ID: <a36b7e2a0605200746q123f5276sf7af83f00398c95e@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

On 5/20/06, Andy Green <andy@xxxxxxxxxxx> wrote:
>
> Justin Conover wrote:
> >
> > http://blogs.sun.com/roller/page/darren?entry=dear_ibm_please_consider_trusted
> >
> > I thought this was interesting. Yeah, I use Solaris too, so I read some
> > Sun blogs too. :)
>
> Get thee to somewhere far away from the NHS...
>
> http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE
>
> ...with yer $995 - $27K trusted Solaris junk. Give me Linux+selinux at
> $0 per unit when I am flat on my back... or happy and healthy and paying
> my taxes.
>
> -Andy

Actually Solaris 10 is integrating the bits of Trusted Solaris which will make it FREE. I'm not saying one is better than the other, simply wondering what the SELinux developers thought.

To say that Trusted Solaris is junk seems a bit silly; if you're only talking of price, ok, but if you're talking the OS, then you're just misinformed.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://www.redhat.com/archives/fedora-selinux-list/attachments/20060520/8407fb7b/attachment.html

------------------------------

Message: 10
Date: Sat, 20 May 2006 16:35:32 +0100
From: Andy Green <andy@xxxxxxxxxxx>
Subject: Re: Trusted Solaris over SELinux
To: Justin Conover <justin.conover@xxxxxxxxx>
Cc: "Fedora SELinux support list for users & developers." <fedora-selinux-list@xxxxxxxxxx>
Message-ID: <446F3744.3090509@xxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Justin Conover wrote:
> http://globalspecials.sun.com/servlet/ControllerServlet?Action=DisplayPage&Locale=en_US&id=ProductDetailsPage&SiteID=sunstor&productID=36446400&Env=BASE
>
> ...with yer $995 - $27K trusted Solaris junk. Give me Linux+selinux at
> $0 per unit when I am flat on my back... or happy and healthy and paying
> Actually Solaris 10 is integrating the bits of Trusted Solaris which
> will make it FREE. I'm not saying one is better than the other, simply
> wondering what the SELinux developers thought.
>
> To say that Trusted Solaris is junk seems a bit silly; if you're only
> talking of price, ok, but if you're talking the OS, then you're just
> misinformed.

I'm talking of the price. I'm sure IBM take their cut for managing it, but at $995+ /cpu, $0 linux+selinux has to win out here even if Trusted Solaris poops golden eggs. The benchmark is Windows level of security.

-Andy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4492 bytes
Desc: S/MIME Cryptographic Signature
Url : https://www.redhat.com/archives/fedora-selinux-list/attachments/20060520/0dfd33b5/smime.bin

------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

End of fedora-selinux-list Digest, Vol 27, Issue 19
***************************************************