On 03/25/2009 07:03 PM, Antonio Olivares wrote:
Dear all,
I have resolved one problem (not getting internet at startup by default), but have not fixed the crontab one and other(s):
This one does not go away :(
Summary:
SELinux is preventing crontab (admin_crontab_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by crontab. It is not expected that this access
is required by crontab and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects socket [ unix_stream_socket ]
Source crontab
Source Path /usr/bin/crontab
Port <Unknown>
Host riohigh
Source RPM Packages cronie-1.2-7.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.8-3.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
Alert Count 177
First Seen Mon 02 Mar 2009 07:11:37 PM CST
Last Seen Wed 25 Mar 2009 04:57:03 PM CST
Local ID 3883b140-4d39-40f5-9262-ce2c4c4e2e16
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 a0=9fcb5c8 a1=9fcbd10 a2=9fb5ae0 a3=9fcbd10 items=0 ppid=4295 pid=4331 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
I can't modify my crontab file:
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info
You (olivares) are not allowed to access to (crontab) because of pam configuration.
[olivares@riohigh ~]$
If I disable SELinux, I can modify it and view it, but not with SELinux enabled.
I got greeted with the following:
Summary:
SELinux is preventing access to files with the default label, default_t.
Detailed Description:
SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var, /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.
Allowing Access:
If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:default_t:s0
Target Objects /.kde [ dir ]
Source kde4-config
Source Path /usr/bin/kde4-config
Port <Unknown>
Host riohigh
Source RPM Packages kdelibs-4.2.1-4.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.8-3.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name default
Host Name riohigh
Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
Alert Count 7
First Seen Wed 25 Mar 2009 04:38:14 PM CST
Last Seen Wed 25 Mar 2009 04:38:14 PM CST
Local ID d3d42e40-6a28-48cf-8717-b85579c55bad
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 a0=bfc3730b a1=bfc37258 a2=a12ff4 a3=a036c59 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing access to files with the default label, default_t.
Detailed Description:
SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var, /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.
Allowing Access:
If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:default_t:s0
Target Objects .kde [ dir ]
Source kde4-config
Source Path /usr/bin/kde4-config
Port <Unknown>
Host riohigh
Source RPM Packages kdelibs-4.2.1-4.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.8-3.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name default
Host Name riohigh
Platform Linux riohigh 2.6.29-0.258.2.3.rc8.git2.fc11.i586 #1 SMP Tue Mar 24 18:37:23 EDT 2009 i686 athlon
Alert Count 23
First Seen Wed 25 Mar 2009 04:38:14 PM CST
Last Seen Wed 25 Mar 2009 04:38:14 PM CST
Local ID 711eec22-2695-4e57-91ad-622e9c5f3b53
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1238020694.489:42): avc: denied { search } for pid=2434 comm="kde4-config" name=".kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.489:42): arch=40000003 syscall=196 success=no exit=-13 a0=a036c58 a1=bfc37230 a2=a12ff4 a3=a031250 items=0 ppid=2433 pid=2434 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Startup did not take the 20 seconds, it took like 8 to 10 minutes with the relabeling and I still see the same things. Is there an update that will fix this, or do I have to disable SELinux or boot in permissive in order to have a working machine?
Please help, this is no longer fun as it once was.
Regards,
Antonio
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
The kde read/writing to /.kde is a kde bug: kdm should have a home
directory that we could give access to, not /. I have this setup and
although it generates AVCs I am able to login fine. Although gdm
works better.
If you want to get rid of these AVCs you could execute:
# semanage fcontext -a -t xdm_var_run_t '/\.kde(/.*)?'
# restorecon -R -v /.kde
Running crontab -e as root: the problem is also a kdebase/konsole problem of
leaked file descriptors. If you do an ls /proc/self/fd in the konsole
you will see a whole bunch of file descriptors that have been leaked to
the konsole. When you start a confined domain from the console SELinux
reports these leaked file descriptors and closes them.
ls -l /proc/self/fd
should show something like
# ls -l /proc/self/fd
total 0
lr-x------. 1 root root 64 2009-03-26 08:31 0 -> /dev/pts/4
lrwx------. 1 root root 64 2009-03-26 08:31 1 -> /dev/pts/4
lrwx------. 1 root root 64 2009-03-26 08:31 2 -> /dev/pts/4
lr-x------. 1 root root 64 2009-03-26 08:31 3 -> /proc/32759/fd
Which are three fd's to the terminal and one to the directory you are
listing.
I see no AVC that would break crontab -e?
[olivares@riohigh ~]$ crontab -l
Authentication service cannot retrieve authentication info
You (olivares) are not allowed to access to (crontab) because of pam
configuration.
Looks like you are running this as a normal user? Or are you running as
root?
I can not get this to happen on my machine, so I think it might be
something about the way you have pam setup? Do you have anything
special setup in pam?
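The reply above separates the two kinds of denial in the thread by reading the raw audit records by hand: an AVC raised while a confined domain is being entered (SELinux closing descriptors the parent leaked) versus an AVC against an object still carrying the default_t label. The following is an added example, not code from this list or from Fedora, that does the same triage over audit text. The sample records are trimmed copies of the ones quoted in the thread, embedded here as constructed input; the example assumes the records come from 32-bit x86 (arch=40000003), where syscall 11 is execve, and the field names are the standard ones that appear in the quoted messages.

```python
"""Triage SELinux AVC denials into 'leaked descriptor at exec' vs 'mislabelled object'.

Added example for this thread; not code from the mailing list or from Fedora.
"""
import os
import re
from collections import defaultdict

# Constructed sample input: records trimmed from the thread, grouped by audit serial.
SAMPLE_AUDIT = """\
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53148]" dev=sockfs ino=53148 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1238021823.376:68): avc: denied { read write } for pid=4331 comm="crontab" path="socket:[53528]" dev=sockfs ino=53528 scontext=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1238021823.376:68): arch=40000003 syscall=11 success=yes exit=0 pid=4331 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:admin_crontab_t:s0-s0:c0.c1023
node=riohigh type=AVC msg=audit(1238020694.487:40): avc: denied { getattr } for pid=2434 comm="kde4-config" path="/.kde" dev=sda5 ino=14897 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
node=riohigh type=SYSCALL msg=audit(1238020694.487:40): arch=40000003 syscall=196 success=no exit=-13 pid=2434 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value, value optionally quoted
PERMS_RE = re.compile(r'denied\s+\{([^}]*)\}')      # { read write }
SERIAL_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')  # audit(timestamp:serial)

# execve on 32-bit x86 (arch=40000003) is syscall 11; the number is arch-specific (assumption for the sample).
I386_EXECVE = ("40000003", "11")


def parse_record(line):
    """Turn one audit line into a dict of its key=value fields plus serial and perms."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if not m:
        raise ValueError("no audit(ts:serial) in record: " + line[:60])
    rec["serial"] = int(m.group(2))
    p = PERMS_RE.search(line)
    rec["perms"] = p.group(1).split() if p else []
    return rec


def type_of(context):
    """The third colon-separated field of an SELinux context is the type, e.g. default_t."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def group_by_event(text):
    """Records sharing a serial belong to one event: the AVCs plus the SYSCALL that raised them."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            r = parse_record(line)
            events[r["serial"]].append(r)
    return events


def triage_event(records):
    """Classify one event the way the reply in the thread reasons about it."""
    avcs = [r for r in records if r.get("type") == "AVC"]
    syscalls = [r for r in records if r.get("type") == "SYSCALL"]
    if not avcs:
        return "no_denial"
    sc = syscalls[0] if syscalls else {}
    # A denial logged during a successful execve means the new domain inherited
    # descriptors it may not use; SELinux closes them and the exec goes ahead.
    at_exec = (sc.get("arch"), sc.get("syscall")) == I386_EXECVE and sc.get("success") == "yes"
    if all(type_of(a.get("tcontext", "")) == "default_t" for a in avcs):
        return "mislabelled"   # object never received a proper label: relabel it
    if at_exec:
        return "leaked_fd"     # parent process leaked descriptors; harmless, fix the parent
    return "unclassified"


REMEDY = {
    "mislabelled": "relabel the object (restorecon -R -v PATH, or semanage fcontext then restorecon)",
    "leaked_fd": "no policy change needed; the launching program should close its extra descriptors",
    "unclassified": "inspect scontext/tcontext/tclass by hand",
    "no_denial": "nothing to do",
}


def triage_all(text):
    """Map each audit serial in the text to its classification."""
    return {serial: triage_event(recs) for serial, recs in group_by_event(text).items()}


def extra_descriptors():
    """Descriptors above stdin/stdout/stderr in this process, mirroring 'ls -l /proc/self/fd'.
    The listing itself opens one descriptor, so a clean shell shows exactly one entry here."""
    if not os.path.isdir("/proc/self/fd"):
        return []  # not Linux procfs; nothing to report
    return sorted(int(fd) for fd in os.listdir("/proc/self/fd") if int(fd) > 2)


if __name__ == "__main__":
    for serial, recs in group_by_event(SAMPLE_AUDIT).items():
        kind = triage_event(recs)
        comm = next((r.get("comm") for r in recs if r.get("comm")), "?")
        print(f"serial {serial} ({comm}): {kind}: {REMEDY[kind]}")
    print("descriptors above 2 in this process:", extra_descriptors())
```

On the thread's records the crontab event (serial 68) is reported as a leaked descriptor and the kde4-config events as mislabelled, which matches the reply's two remedies: a relabel for /.kde and no policy change for the crontab AVCs. Feeding it a live `ausearch -m avc` dump works the same way as long as the arch/syscall pair in `I386_EXECVE` is adjusted for the machine's architecture.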