Re: List of avc for fedora 16

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/25/2011 10:38 PM, David Highley wrote:
> "Dominick Grift wrote:"
>> 
>> 
>> --=-QXDzVu1MWO4munhPKxie Content-Type: text/plain;
>> charset="UTF-8" Content-Transfer-Encoding: quoted-printable
>> 
>> On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
>>> On 09/25/2011 10:10 AM, Dominick Grift wrote:
>>>> On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
>>>>> "Dominick Grift wrote:"
>>>>>> 
>>>>>> --=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D4683794954818469668=3D=
>>
>>>>>> 
=3D
>>>>>> Content-Type: multipart/signed; micalg=3D"pgp-sha512"; 
>>>>>> protocol=3D"application/pgp-signature";
>>>>>> boundary=3D"=3D-W/U2hq2saAQV=
>> GsubU72y"
>>>>>> 
>>>>>> 
>>>>>> --=3D-W/U2hq2saAQVGsubU72y Content-Type: text/plain;
>>>>>> charset=3D"UTF-8" Content-Transfer-Encoding:
>>>>>> quoted-printable
>>>>>> 
>>>>>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
>>>>>>> I checked bugzilla but did not see anything about this
>>>>>>> list of avc alerts for fedora 16. Should they be
>>>>>>> reported or is something miss configured? =3D20 =3D20
>>>>>> setsebool-P allow_ypbind on
> 
> Submitted bug report 741141 on selinux bool getting turned off.
> 
>>>>> The bool gets turned off in the reboot process.
>>>> Thats strange, is systemd turning it back off?
>>>> 
>>>>> It solves almost all the avc issues but a few remained
>>>>> which were solved with this policy file: module mysystemd
>>>>> 1.0;
>>>>> 
>>>>> require { type systemd_logind_t; type var_yp_t; type
>>>>> node_t; type hi_reserved_port_t; class udp_socket {
>>>>> name_bind bind create setopt node_bind }; class file { read
>>>>> open }; }
>>>>> 
>>>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D systemd_logind_t
>>>>> =3D=3D=3D=3D=
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>>>>> allow systemd_logind_t hi_reserved_port_t:udp_socket
>>>>> name_bind; allow systemd_logind_t node_t:udp_socket
>>>>> node_bind; allow systemd_logind_t self:udp_socket { bind
>>>>> create setopt }; allow systemd_logind_t var_yp_t:file {
>>>>> read open };
>>>> This is likely a bug, Could you file a bugzilla for the
>>>> above?
>>> Yes, please, open a new bug. Thank you.
> 
> Submitted bug report 741143 for the above avc issue.
> 
>> 
>> proposed fix:
>> 
>> diff --git policy/modules/system/systemd.te 
>> policy/modules/system/systemd.te index e50a989..d5e32c2 100644 
>> --- policy/modules/system/systemd.te +++
>> policy/modules/system/systemd.te @@ -130,6 +130,10 @@ ') =20 
>> optional_policy(` +	nis_use_ypbind(systemd_logind_t) +') + 
>> +optional_policy(` # It links /run/user/$USER/X11/display to
>> /tmp/.X11-unix/X* sock_file 
>> xserver_search_xdm_tmp_dirs(systemd_logind_t) ')
>> 
>>> =20 Regards, Miroslav
>>>> 
>>>>> We also need to do a systemctl restart autofs.service after
>>>>> boot up. W=
>> e
>>>>> use NIS and auto mounted home directories.
>>>>> 
>>>>>> should fix it. if it does than this should not be
>>>>>> reported
>>>>>> 
>>>>>> There is a way to check whether a specified AVC denial
>>>>>> can be allowed=
>> ,
>>>>>> for example your first avc denial:
>>>>>> 
>>>>>>> #=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> a=
>> ccountsd_t =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D
>>>>>> =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> #!!!! This avc is allowed in the current policy =3D20 
>>>>>>> allow accountsd_t hi_reserved_port_t:tcp_socket
>>>>>>> name_bind; #!!!! This avc is allowed in the current
>>>>>>> policy
>>>>>> # sesearch -SCT --allow -s accountsd_t -t
>>>>>> hi_reserved_port_t -c tcp_socket -p name_bind
>>>>>> 
>>>>>> Found 1 semantic av rules: DT allow nsswitch_domain
>>>>>> rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
>>>>>> 
>>>>>> This tells me that this access can be allowed by toggling
>>>>>> the allow_ypbind boolean to enabled. The DT tells me that
>>>>>> this boolean is currently disabled.
>>>>>> 
>>>>>>> allow accountsd_t portmap_port_t:tcp_socket
>>>>>>> name_connect; #!!!! This avc is allowed in the current
>>>>>>> policy =3D20 allow accountsd_t var_yp_t:dir search; 
>>>>>>> =3D20 
>>>>>>> #=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> a=
>> utomount_t =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D
>>>>>> =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> #!!!! This avc is allowed in the current policy =3D20 
>>>>>>> allow automount_t var_yp_t:file read; =3D20 
>>>>>>> #=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> p=
>> olicykit_t =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D
>>>>>> =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> #!!!! This avc is allowed in the current policy =3D20 
>>>>>>> allow policykit_t hi_reserved_port_t:tcp_socket
>>>>>>> name_bind; #!!!! This avc is allowed in the current
>>>>>>> policy =3D20 allow policykit_t
>>>>>>> kerberos_port_t:tcp_socket name_bind; #!!!! This avc is
>>>>>>> allowed in the current policy =3D20 allow policykit_t
>>>>>>> kprop_port_t:tcp_socket name_bind; #!!!! This avc is
>>>>>>> allowed in the current policy =3D20 allow policykit_t
>>>>>>> portmap_port_t:tcp_socket name_connect; #!!!! This avc
>>>>>>> is allowed in the current policy =3D20 allow
>>>>>>> policykit_t var_yp_t:dir search; =3D20 
>>>>>>> #=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> s=
>> shd_t =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D
>>>>>> =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> #!!!! This avc is allowed in the current policy =3D20 
>>>>>>> allow sshd_t ftp_port_t:tcp_socket name_bind; #!!!!
>>>>>>> This avc is allowed in the current policy =3D20 allow
>>>>>>> sshd_t hi_reserved_port_t:tcp_socket name_bind; #!!!!
>>>>>>> This avc is allowed in the current policy =3D20 allow
>>>>>>> sshd_t hi_reserved_port_t:udp_socket name_bind; #!!!!
>>>>>>> This avc is allowed in the current policy =3D20 allow
>>>>>>> sshd_t spamd_port_t:tcp_socket name_bind; #!!!! This
>>>>>>> avc is allowed in the current policy =3D20 allow sshd_t
>>>>>>> var_yp_t:dir search; =3D20 
>>>>>>> #=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> s=
>> ystem_dbusd_t =3D3D=3D3D=3D3D=3D3D=3D3D=3D
>>>>>> =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> #!!!! This avc is allowed in the current policy =3D20 
>>>>>>> allow system_dbusd_t hi_reserved_port_t:tcp_socket
>>>>>>> name_bind; #!!!! This avc is allowed in the current
>>>>>>> policy =3D20 allow system_dbusd_t
>>>>>>> portmap_port_t:tcp_socket name_connect; #!!!! This avc
>>>>>>> is allowed in the current policy =3D20 allow
>>>>>>> system_dbusd_t rndc_port_t:tcp_socket name_bind; =3D20 
>>>>>>> #=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> x=
>> dm_dbusd_t =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D
>>>>>> =3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D=3D3D
>>>>>>> #!!!! This avc is allowed in the current policy =3D20 
>>>>>>> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket
>>>>>>> name_bind; #!!!! This avc is allowed in the current
>>>>>>> policy =3D20 allow xdm_dbusd_t
>>>>>>> portmap_port_t:tcp_socket name_connect; -- selinux
>>>>>>> mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>
>>>>>>
>>>>>>> 
- --=3D-W/U2hq2saAQVGsubU72y
>>>>>> Content-Type: application/pgp-signature;
>>>>>> name=3D"signature.asc" Content-Description: This is a
>>>>>> digitally signed message part Content-Transfer-Encoding:
>>>>>> 7bit
>>>>>> 
>>>>>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11
>>>>>> (GNU/Linux)
>>>>>> 
>>>>>> iQIcBAABCgAGBQJOfabTAAoJEBqhFeh0z2SRaEwQAIuB5ZFYNJqlBCsaE7HYaYuP
>>>>>>
>>>>>> 
pugsjSpzeQheJQC/i2Qa6BCLIKNiLmlkc3J5jBf4msvw3JTfLzgyWJCgo5gQBkLv
>>>>>> y5JeRd81fgtEzhIIeS2Bg3J/HfXVcxmaAAvSXHvo4DQk7L+STT7ikCfsekPshOvP
>>>>>>
>>>>>> 
Y+8hOp/24IGm+wsteUMYGZy+JAHsDmSVGyGKMjo881cyCSclInwkoDTUDCv8vm+i
>>>>>> 3qUs04ahfkfiBlpAH9a0SoVA9Tbnw5N1kbbvY3Up1qqvwtSXIMz2yfAB2uLQ9uBw
>>>>>>
>>>>>> 
NB0xzpYoBl6b3WLLBx/1DiZG0tmZbJ9q7bLGf22/5V1FArH2FpQ0MAPYxLtby/9x
>>>>>> iOQiBdDKyAinz4EBMcGmB6B9M+YQROTtrMoTHm5J19J6e46vgt/vvfRcPJYna8DL
>>>>>>
>>>>>> 
gtHMQroB9Ky/yCHiG2nxsvoNDi7OUw5TX344px4hFDR2wESdrJ8wV9mIhjgwIsjB
>>>>>> uQWJ4IIbYxJzJ578Le5dEWs9cfNqdEAPm24j9BPWo4VNyUL/ck3LRF/VdiW6rzF9
>>>>>>
>>>>>> 
fA66bPW2pqe15wpOtR831rO6PQN6Zdne6s+qRQYTu5IiRKINDi4HYe+dAzJzAuel
>>>>>> avVkH84mznAy2wvoNYX5gvaeVBAE8ZqxMZOzF8cSnqCu+RZ+N/bj53XVN9Wsc9bU
>>>>>>
>>>>>> 
qFJjNtZOZfKswyZUYHSk
>>>>>> =3D+k0S -----END PGP SIGNATURE-----
>>>>>> 
>>>>>> --=3D-W/U2hq2saAQVGsubU72y--
>>>>>> 
>>>>>> 
>>>>>> --=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D4683794954818469668=3D=
>>
>>>>>> 
=3D
>>>>>> Content-Type: text/plain; charset=3D"us-ascii" 
>>>>>> MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
>>>>>> Content-Disposition: inline
>>>>>> 
>>>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux 
>>>>>> --=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D4683794954818469668=3D=
>>
>>>>>> 
=3D--
>>>>>> 
>>>>> 
>>>> 
>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> =20
>> 
>> 
>> --=-QXDzVu1MWO4munhPKxie Content-Type: application/pgp-signature;
>> name="signature.asc" Content-Description: This is a digitally
>> signed message part Content-Transfer-Encoding: 7bit
>> 
>> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
>> 
>> iQIcBAABCgAGBQJOf3SHAAoJEBqhFeh0z2SR9lAP/Az14jMxonOPezVm3fQu8orZ 
>> 6cs79nIhdS+xSvzWnYBG/X3uhHy56LNbGhZEbDzrFLxPOYTLYDROA0CAnYLJCZe1 
>> fMt0pBjYARqj8e/jBFVDmJgJe7CJWhjJ8+QAC/iNPVGyBRYZliRBV03qfeVNbQIR 
>> n8Va/5W2Bw56xMyQ2w3QQgteccxgl3wddPyWwTC4rVfva9cXIQhM3PJnIDVXeQrY 
>> DvxhymeHbukkl2Jnk2nzLv10St20Gu/zg3CPgzodVGjUenUuF3P8AxB7yJ0/phfU 
>> Z20Bi3sGChENQs0cdEkZoIhRy8tVPlEuUgyyyePh+UNxLIZUkOf4EXnHEQ/WFNsv 
>> ZRkiKQLzWd79sDVwXMXU2kGzonyUbmAdXvhwZtSIYNj1aToNXFqKpHXRS0cuhR1+ 
>> UVYp4/q/cSLqyrpPR85Ou6BDvE8gMIulglzSLYdjSxgvGVfd5XXBCojlRGGs2gbC 
>> mE6eWH5XfiJCYsTQeBaxV0vVo4li7kb4/TL2OM169X3dTeId43dcKEri0XMlLaEQ 
>> lzlPg5YN2FzKsZjfR4uggl8u3HjjBOXX/bAbuZkr8kAl4pn5JXLbK3TC6xs/q0Yd 
>> dTFIfSoLlip/b/gyjjpfqZKAQa0+QIMxuZg95urKH6ykxb3KqGCf4q3gMAP4uMwW 
>> T/EOLkcmEJLL552gPgma =yVbI -----END PGP SIGNATURE-----
>> 
>> --=-QXDzVu1MWO4munhPKxie--
>> 
> 
> 


We should use auth_use_nsswitch(systemd_logind_t)  I think.

Are you setting the allow_ypbind boolean permanently

setsebool -P allow_ypbind 1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6AfcwACgkQrlYvE4MpobOT1ACfVmiCMrnt1hxtUQCNDgB6CkfH
FyMAn1/Ui1rbdA5aGjYfbpA3S/xuOnmJ
=AOGA
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux