Re: Selinux is denying access to files with the default label, default_t and preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t.


 



Hi Antonio

When I first enabled selinux - I had problems getting the system to relabel properly. I had a discussion about it on this thread:

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=17914&start=0#forumpost65139

The solution which worked for me is towards the end of this thread. I think I had to update some policy modules before issuing the relabel request. From memory - the problem arose because I upgraded from Centos 5.0 to 5.2 before enabling selinux. I'm running 5.3 now - and selinux is working OK - but I still have some issues with some of my server applications (webmin in particular).

Richard.



Antonio Olivares wrote:
I'll copy/paste alerts one by one :


Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                .kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port                          <Unknown>
Host                          gray
Source RPM Packages           kdelibs-4.2.2-9.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-9.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   default
Host Name                     gray
Platform                      Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
                              20 15:33:38 EDT 2009 x86_64 x86_64
Alert Count                   92
First Seen                    Thu 23 Apr 2009 08:34:03 PM CDT
Last Seen                     Tue 28 Apr 2009 04:52:40 PM CDT
Local ID                      bfed3a21-1e6d-40ce-bd73-53aaabd164a7
Line Numbers

Raw Audit Messages
node=gray type=AVC msg=audit(1240955560.271:36): avc:  denied  { search } for  pid=1767 comm="kde4-config" name=".kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=gray type=SYSCALL msg=audit(1240955560.271:36): arch=c000003e syscall=6 success=no exit=-13 a0=6e5e58 a1=7fff38fa1be0 a2=7fff38fa1be0 a3=21 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                /.kde [ dir ]
Source                        kde4-config
Source Path                   /usr/bin/kde4-config
Port                          <Unknown>
Host                          gray
Source RPM Packages           kdelibs-4.2.2-9.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-9.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   default
Host Name                     gray
Platform                      Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
                              20 15:33:38 EDT 2009 x86_64 x86_64
Alert Count                   28
First Seen                    Thu 23 Apr 2009 08:34:03 PM CDT
Last Seen                     Tue 28 Apr 2009 04:52:40 PM CDT
Local ID                      6da3a105-c4c8-4352-bd0e-3f438b1634a8
Line Numbers

Raw Audit Messages
node=gray type=AVC msg=audit(1240955560.107:34): avc:  denied  { getattr } for  pid=1767 comm="kde4-config" path="/.kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

node=gray type=SYSCALL msg=audit(1240955560.107:34): arch=c000003e syscall=6 success=no exit=-13 a0=7fff38fa1c80 a1=7fff38fa1b80 a2=7fff38fa1b80 a3=6d3b20 items=0 ppid=1766 pid=1767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kde4-config" exe="/usr/bin/kde4-config" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Summary:

SELinux is preventing ck-get-x11-serv (consolekit_t) "search" xdm_var_run_t.

Detailed Description:

SELinux denied access requested by ck-get-x11-serv. It is not expected that this
access is required by ck-get-x11-serv and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_var_run_t:s0
Target Objects                gdm [ dir ]
Source                        ck-get-x11-serv
Source Path                   /usr/libexec/ck-get-x11-server-pid
Port                          <Unknown>
Host                          gray
Source RPM Packages           ConsoleKit-x11-0.3.0-8.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-9.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     gray
Platform                      Linux gray 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
                              20 15:33:38 EDT 2009 x86_64 x86_64
Alert Count                   9
First Seen                    Thu 23 Apr 2009 03:55:23 PM CDT
Last Seen                     Tue 28 Apr 2009 04:52:47 PM CDT
Local ID                      93d6261d-88da-4ca0-9328-743e29739a13
Line Numbers

Raw Audit Messages
node=gray type=AVC msg=audit(1240955567.631:44): avc:  denied  { search } for  pid=1938 comm="ck-get-x11-serv" name="gdm" dev=dm-0 ino=263869 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir

node=gray type=SYSCALL msg=audit(1240955567.631:44): arch=c000003e syscall=21 success=no exit=-13 a0=7fff62086fab a1=4 a2=0 a3=7fff62083710 items=0 ppid=1937 pid=1938 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)



I have tried the fixes.  I still see the same sealerts :(

touch, reboot autorelabel.

I have booted in permissive mode and still see the alerts :(

Should I file a bug here?

Thanks,

Antonio




--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
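
An added example, not part of either poster's message: a small Python triage of raw AVC records like those in the alerts above. It groups denials by source type, target type and object class, and separates `default_t` targets, which the alert text attributes to a labeling problem, from denials that need a policy review. The log lines are shortened copies constructed for the example; `triage`, `selinux_type` and the action tags are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: shortened AVC records shaped like the ones quoted above.
SAMPLE_LOG = '''\
type=AVC msg=audit(1240955560.107:34): avc:  denied  { getattr } for  pid=1767 comm="kde4-config" path="/.kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1240955560.271:36): avc:  denied  { search } for  pid=1767 comm="kde4-config" name=".kde" dev=dm-0 ino=262 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1240955560.271:36): arch=c000003e syscall=6 success=no exit=-13 comm="kde4-config"
type=AVC msg=audit(1240955567.631:44): avc:  denied  { search } for  pid=1938 comm="ck-get-x11-serv" name="gdm" dev=dm-0 ino=263869 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MISLABEL_TYPES = {"default_t"}  # the type the first two alerts complain about


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def triage(log_text):
    """Group AVC denials by (source type, target type, class) and tag each group."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no access vector
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]), fields["tclass"])
        g = groups[key]
        g["perms"].update(m.group(1).split())
        g["objects"].add(fields.get("path") or fields.get("name", "?"))
        g["count"] += 1
    for (_, ttype, _), g in groups.items():
        # default_t targets point at a labeling problem, not a policy gap
        g["action"] = "relabel" if ttype in MISLABEL_TYPES else "review-policy"
    return dict(groups)


if __name__ == "__main__":
    for key, g in sorted(triage(SAMPLE_LOG).items()):
        print(key, sorted(g["perms"]), sorted(g["objects"]), g["count"], g["action"])
```
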

