Nabble - Fedora SELinux List

Re: How can i call a function which is usually used by root?

2008-12-02T16:20:33Z

On Tue, Dec 02, 2008 at 05:21:24PM +0800, wk wrote:
>
> I want write a c program.And a common user(not in root group) will run
> this program.
> In this program,I call fread(/dev/sdc...) and fwrite(/dev/sdc),but this
> call will return "permission no allow".If I use the root user,will be
> ok.
> How to change to the authority to root's?
> I know the root's password.

Your best bet is "sudo" or better look at the pairs of tools like:

/usr/bin/system-config-bind
/usr/sbin/system-config-bind

They take advantage of "consolehelper" and the commone case that
/usr/sbin is not in the search path of commmon users but /usr/bin is.

Note well, From the man page:
consolehelper requires that a PAM configuration for every managed pro-
gram exist. So to make /sbin/foo or /usr/sbin/foo managed, you need to
create a link from /usr/bin/foo to /usr/bin/consolehelper and create
the file /etc/pam.d/foo, normally using the pam_console(8) PAM module.

--
T o m M i t c h e l l
Found me a new hat, now what?

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: spamc / spamd communication problem

2008-12-02T13:32:36Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bob Richmond wrote:

> I'm trying to make spamd listen on a unix domain socket, and let spamc
> connect to it. The question is, I can't figure out the intended
> destination for the spamd socket file (as specified via --socketpath
> passed to spamd and -U to spamc). I see that spamc_t has permission to
> connect to a socket with a type of spamd_tmp_t, but there doesn't appear
> to be an fc rule for where a new socket file would inherit that type.
>
> It makes sense to me that the socket file should exist in
> /var/run/spamassassin/spamd.sock to be consistent, but
> /var/run/spamassassin has a type of spamd_var_run_t, where spamc has no
> permission to connect to a sock_file under. Any help?
>
> I'm running F10, policy version selinux-policy-targeted-3.5.13-18.fc10.
>
> Thanks!
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Currently it is only allowed to connect to a sock file in /tmp,
Although it should be allowed to use /var/run/spamassassin.

I will update policy

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-29.fc10

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1qXQACgkQrlYvE4MpobOpNACeOVVplPU+IG9QALu6UdBLUaMw
0GUAoJ+d23rJPHb5LhSzrPTt/DNEZCnH
=HHE9
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: selinux denying a cups printer

2008-12-02T13:21:41Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gene Heskett wrote:

> Greetings;
>
> Uptodate F8, targeted setting
>
> host=coyote.coyote.den type=AVC msg=audit(1227891049.940:679): avc: denied {
> execute } for pid=6486 comm="cupsd" name="lp3" dev=sda3 ino=104400725
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
>
> host=coyote.coyote.den type=SYSCALL msg=audit(1227891049.940:679):
> arch=40000003 syscall=33 success=no exit=-13 a0=bff13656 a1=1 a2=b7f17ff4
> a3=b7f18a3c items=0 ppid=6485 pid=6486 auid=0 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd"
> exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> key=(null)
>
> The troubleshooters recommended fix is a restorecon -v './lp3'
>
> The only ./lp3 I could find was in /etc/cups.d/interfaces/lp3, and while it
> did change the context of the file, it does not fix the problem. This
> particular driver ppd is the lpr and cupswrapper of the HL2140 driver kit
> from Brother, and apparently is installed in a /usr/local/Brother subdir by
> their rpms.
>
> All this did work flawlessly before I had a drive failure, and it worked after
> an Fu8 install, but failed sometime in the nearly 2 weeks uptime, as did all
> my other printer profiles, which I have now deleted and rebuilt, and work
> except for this one.
>
> I am going to try touching /.autorelabel and reboot again see if that helps.
> However, nothing happened the last time I tried that 2 weeks ago...
>

grep interfaces /etc/selinux/targeted/contexts/files/file_contexts
/etc/cups/interfaces(/.*)? system_u:object_r:cupsd_interface_t:s0

chcon -t cupsd_interface_t /etc/cups.d/interfaces/lp3
Should fix it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1puUACgkQrlYvE4MpobP4agCeOu1UiTOQbStLoXYjuCZ8rVHq
QKgAn0nm7uucimNgultxxSjgtQdKqU1g
=CXYP
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699

2008-12-02T13:17:13Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:

> Dear fellow selinux experts,
>
> Net avc for npviewer :(
>
>
> Summary:
>
> SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699
> (tmpfs_t).
>
> Detailed Description:
>
> SELinux denied access requested by npviewer.bin. It is not expected that this
> access is required by npviewer.bin and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for ./pulse-shm-4180703699,
>
> restorecon -v './pulse-shm-4180703699'
>
> If this does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
> 3
> Target Context unconfined_u:object_r:tmpfs_t:s0
> Target Objects ./pulse-shm-4180703699 [ file ]
> Source npviewer.bin
> Source Path /usr/lib/nspluginwrapper/npviewer.bin
> Port <Unknown>
> Host riohigh
> Source RPM Packages nspluginwrapper-1.1.4-1.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.5.13-18.fc10
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name riohigh
> Platform Linux riohigh 2.6.27.5-117.fc10.i686 #1 SMP Tue
> Nov 18 12:19:59 EST 2008 i686 athlon
> Alert Count 1
> First Seen Tue 02 Dec 2008 06:57:09 AM CST
> Last Seen Tue 02 Dec 2008 06:57:09 AM CST
> Local ID c049e765-9d3b-4384-927a-19797fb78d8d
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1228222629.565:217): avc: denied { read } for pid=4625 comm="npviewer.bin" name="pulse-shm-4180703699" dev=tmpfs ino=36988 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file
>
> node=riohigh type=SYSCALL msg=audit(1228222629.565:217): arch=40000003 syscall=5 success=no exit=-13 a0=bfda08d0 a1=a0000 a2=0 a3=bfda08d0 items=0 ppid=4427 pid=4625 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=13 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
>
>
> I try the fix and i get:
>
> [olivares@riohigh ~]$ su -
> Password:
> [root@riohigh ~]# restorecon -v './pulse-shm-4180703699'
>
> restorecon: stat error on ./pulse-shm-4180703699: No such file or directory
> [root@riohigh ~]#
>
> Thanks,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This one has me baffled, on how you created this file. This file should
be labeled user_tmpfs_t in which case nsplugin would have been allowed
to use it, But for some reason it got created with the incorrect context.

Could you try to upgrade to the latest policy and see if this still happens.

I tried an experiment as the unconfined user

# mount -t tmpfs_t /dev/shm /mnt
# ls -ldZ /mnt/redhat/
drwxrwxrwt root root staff_u:object_r:tmpfs_t:s0 /mnt/redhat/
# touch /mnt/redhat/test
# ls -lZ /mnt/redhat/test
- -rw-r--r-- root root staff_u:object_r:user_tmpfs_t:s0 /mnt/redhat/test

Which is what pulseaudio should have done.

Could you check what context pulseaudio is running with

# ps -eZ | grep pulse

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1pdkACgkQrlYvE4MpobNjawCg6EmpLWaQNOK9ndoYgD8GN4TV
HG8AoNJIqutO0vFPPa1tjRW+gLk2V9WU
=L/DR
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: iptables denials on Centos

2008-12-02T12:56:05Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tony Molloy wrote:

> Hi,
>
> I'm running several fully updated CentOS 5.2 servers and am trying to get all
> the SELinux denials sorted out.
>
> Here are two of the ones that I've got left. I can generate local policy to
> allow these but is that the best way. The full sealert messages have been
> cut.
>
>
> 1. SELinux is preventing iptables (iptables_t) "read write" to socket
> (initrc_t). For complete SELinux messages. run sealert -l
> 80760bb0-da8f-4fe8-855a-1cfc5789a597
>

This is most likely a leaked file descriptor from the tool that is
launching iptables, you can safely add this

> [root@garryowen ~]# sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597
>
> Summary:
>
> SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this
> ...
>
> Allowing Access:
> You can generate a local policy module to allow this access - see FAQ
> ...
>
> Additional Information:
>
> Source Context system_u:system_r:iptables_t
> Target Context system_u:system_r:initrc_t
> Target Objects socket [ packet_socket ]
> Source iptables
> Source Path /sbin/iptables
> Port <Unknown>
> Host garryowen.xx.xx.xx
> Source RPM Packages iptables-1.3.5-4.el5
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name catchall
> Host Name garryowen.xx.xx.xx
> Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
>
> Raw Audit Messages
>
> host=garryowen.xx.xx.xx type=AVC msg=audit(1227684250.838:20268): avc: denied
> { read write } for pid=22829 comm="iptables" path="socket:[18015]"
> dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket
>
> host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1227684250.838:20268):
> arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610
> a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables"
> exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
>
>
> 2. SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t). For
> complete SELinux messages. run sealert -l
> 879c2152-44ee-4594-96c6-96716fda722b
>
> [root@garryowen ~]# sealert -l 879c2152-44ee-4594-96c6-96716fda722b
>
> Summary:
>
> SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t).
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this
> ...
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> ...
>
> Additional Information:
>
> Source Context root:system_r:iptables_t
> Target Context system_u:system_r:crond_t:SystemLow-SystemHigh
> Target Objects pipe [ fifo_file ]
> Source iptables
> Source Path /sbin/iptables
> Port <Unknown>
> Host garryowen.xx.xx.xx
> Source RPM Packages iptables-1.3.5-4.el5
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-137.1.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name catchall
> Host Name garryowen.xx.xx.xx
> Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5
>
> Raw Audit Messages
>
> host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
> { read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs
> ino=1462004 scontext=root:system_r:iptables_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>
> host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
> { write } for pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs
> ino=1462005 scontext=root:system_r:iptables_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>
> host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1228007101.709:31231):
> arch=40000003 syscall=11 success=yes exit=0 a0=9985ab8 a1=9985698 a2=996d5d0
> a3=0 items=0 ppid=14416 pid=14428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=5147 comm="iptables"
> exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)
>
>
> Thanks,
>
> Tony
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This is also a leaked file descriptor which can be added.

You should grab the latest preview selinux-policy
selinux-policy-2.4.6-197.el5
for RHEL5.3 and try it out, it has lots of fixes.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1oOUACgkQrlYvE4MpobM5+ACglHd6Oiag5uR7maY9CpDSNJMd
UCEAnRtRSwjGNA5cEkNK3sLavhSrWrZa
=zWKP
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: nspluginwrapper and .PDF files

2008-12-02T12:52:28Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul C. Rauser wrote:

> Over the past several days, I have begin to experiment with enabling the allow_unconfined_nsplugin_transition boolean in a F10 test environment.
>
> One of the most consistent demands from my test users/potential security threats is the ability to open .PDF files. Using mozplugger to do this launches evince, which throws AVCs all over and is probably undesirable anyway for the reasons listed in Dan Walsh's Nov 4 blog post on http://danwalsh.livejournal.com/
>
> On the other hand, removing mozplugger and using the Adobe Acrobat 8.1.3 Firefox plugin throws lots of AVCs of its own -- and even more when doing things like printing -- and thus may not be the way to go.
>
> If allow_unconfined_nsplugin_transition is to be useful in user land, it seems that the boolean should allow .PDF opening/saving/printing out of the box using either evince or Adobe's reader. I am happy to bugzilla the AVCs for one or the other and help with testing -- any preference in the community for which one?
>
>
>
> Paul C. Rauser
> ægis law group LLP
> 901 F Street, N.W.
> Suite 500
>
> Washington, D.C. 20004
> T: 202 737 3375
> F: 202 737 3330
> E: prauser@...
>
> NOTICE: This communication from Aegis Law Group LLP may contain information that is legally privileged, confidential, or exempt from disclosure. If you are not the intended recipient, please note that any disclosure, copying, distribution, or use of the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by return e-mail and delete all copies.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Make sure your home directory is properly labeled and install the latest
selinux policy. selinux-policy-3.5.13-26

# yum upgrade selinux-policy\* --enablerepo=updates-testing
# restorecon -R -v /home

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1oAwACgkQrlYvE4MpobOw3QCfbqFd/HMm3xMIRSoluXuAhexM
6v0AniFlrcR/+fOy1SkbvBoLjh8H4G94
=eCmI
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: interface file

2008-12-02T12:50:24Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konrad Azzopardi wrote:

> hi there,
>
> A simple question - if i want to create some interface like
> corenet_tcp_connect_yule_port(), would it be ok to put it in the
> interface file cause i saw a lot of similar macros depracated inside
> the interface files ?. If it is not the right place, would the
> corenetwork.if.in be the right place ? what is the best way to go
> about it ? tnx a lot
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Usually these rules go into the upstream package. So I would submit
your package for upstream acceptance, but you can put any interface into
the if file.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1n5AACgkQrlYvE4MpobOMaQCfVHHCuCt+ebQNO8kJSdOEkUJ1
bPEAn2L6q6vSSHe9kYnoi047ptqWYxL+
=Fh1Z
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Problem with restorecon

2008-12-02T12:49:19Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Konrad Azzopardi wrote:

> Hi people,
>
> i have the following policy version installed
> selinux-policy-3.3.1-107.fc9.noarch
> selinux-policy-devel-3.3.1-107.fc9.noarch
> selinux-policy-targeted-3.3.1-107.fc9.noarch
>
> I create an Selinux policy and generated the following filecontexts
>
> [root@MALTA konsu]# semanage fcontext -l | grep yule
> /etc/init.d/yule regular file
> system_u:object_r:yule_script_exec_t:s0
> /var/run/yule.pid regular file
> system_u:object_r:yule_var_run_t:s0
> /var/log/yule(/.*)? regular file
> system_u:object_r:yule_log_t:s0
> /var/lib/yule(/.*)? regular file
> system_u:object_r:yule_var_lib_t:s0
> /etc/yulerc regular file
> system_u:object_r:yule_config_t:s0
> /usr/local/sbin/yule regular file
> system_u:object_r:yule_exec_t:s0
>
> Allt he files seems to become labelled normally as expected except
> /etc/init.d/yule
>
> [root@MALTA konsu]# restorecon -R -v /etc/init.d/yule
> [root@MALTA konsu]# ls -lrtZ /etc/init.d/yule
> -rwx------ root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/yule
>
> I cannot get rid of initrc_exec_t. Although my script is still
> confined correctly, I would like to label this file normally, is there
> a reason why restorecon fails ?
>
> many thanks
> konrad
>
>
>
> fedora-selinux-list
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Make sure you escape the "."s The regular expression matching does not
always work as expected.

/etc/init\.d/yule regular file
system_u:object_r:yule_script_exec_t:s0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1n08ACgkQrlYvE4MpobM2wwCePyFIGH8o2ZstmxdYFJ5eXE2r
vFIAoKv7XAslgUGEs0Rc27TnLMFPBzs0
=Q+CX
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Setroubleshootd on FC8 has a major memory leak

2008-12-02T12:28:16Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

spo wrote:

> Hello,
>
> after 9 days of running it used over 2G (virt, rss ~1G).
>
> Greetings,
> Edek
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Try this.

# service setroubleshoot stop
>/var/lib/setroubleshoot/audit_listener_database.xml
# service setroubleshoot start

I think your problem is the xml database has grown too large. Newer
versions of setroubleshoot only allow 50 AVCs.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1mmAACgkQrlYvE4MpobOXPQCg0SN2R317vRM0hYOD5eb7RbCV
HGcAoJnDjUJgWY3xy7q6Pz3IASUiHNXD
=bfgP
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: preventing unconfined users exec in home and tmp

2008-12-02T12:25:38Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Murray McAllister wrote:

> Murray McAllister wrote:
>> Hi,
>>
>> I have turned "allow_unconfined_exec_content" off, but unconfined
>> users (unconfined_u) can still execute files in their home directories
>> and /tmp/.
>>
>> I tried adding a user with "useradd -Z unconfined_u". This user can
>> still execute. I could not find any dontaudit rules.
>>
>> Am I missing something?
> I am running Fedora release 10 (Cambridge):
>
> selinux-policy-targeted-3.5.13-18.fc10.noarch
> selinux-policy-3.5.13-18.fc10.noarch
> selinux-policy-doc-3.5.13-18.fc10.noarch
> libselinux-utils-2.0.73-1.fc10.i386
> libselinux-python-2.0.73-1.fc10.i386
> libselinux-2.0.73-1.fc10.i386
> policycoreutils-2.0.57-11.fc10.i386
>
> Cheers.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Yes this boolean really should not exist, it is caused by calling an
interface. that allows PARAM to execute user_home_t, but unconfiened_t
can already execute any file on the system so the boolean has no effect.
The boolean only works for confined users.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk1mcIACgkQrlYvE4MpobNI9gCglCtb/KiWAJGUW5Batvngsf3e
dQQAnRsPCndAvOw7o3ADhFL89qZq3fDI
=rUbd
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Problem with restorecon

2008-12-02T12:20:41Z

Believe it or not, a reboot fixed it, and this is not windows :)

On Tue, Dec 2, 2008 at 12:03 AM, Bruno Wolff III <bruno@...> wrote:

> On Mon, Dec 01, 2008 at 23:47:04 +0100,
> Konrad Azzopardi <konrad.azzopardi@...> wrote:
>>
>> I cannot get rid of initrc_exec_t. Although my script is still
>> confined correctly, I would like to label this file normally, is there
>> a reason why restorecon fails ?
>
> My guess would be that the last matching rule for /etc/init.d/yule is not
> the one you have shown.
> As far as I can tell the management of rules for restorecon is not complete
> as there isn't any easy way to order the rules.
> For add on rules you can delete existing ones and re-add them to put them
> at the end of the list. That is a pain.
>
> I don't think a list of re's matching complete paths that is order dependent
> is the best way to solve this problem. I think it would be better to have
> something that matched the tree structure of the file system.
>

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

spamc / spamd communication problem

2008-12-02T09:05:38Z

I'm trying to make spamd listen on a unix domain socket, and let spamc
connect to it. The question is, I can't figure out the intended
destination for the spamd socket file (as specified via --socketpath
passed to spamd and -U to spamc). I see that spamc_t has permission to
connect to a socket with a type of spamd_tmp_t, but there doesn't appear
to be an fc rule for where a new socket file would inherit that type.

It makes sense to me that the socket file should exist in
/var/run/spamassassin/spamd.sock to be consistent, but
/var/run/spamassassin has a type of spamd_var_run_t, where spamc has no
permission to connect to a sock_file under. Any help?

I'm running F10, policy version selinux-policy-targeted-3.5.13-18.fc10.

Thanks!

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: How can i call a function which is usually used by root?

2008-12-02T07:31:54Z

Quoting wk (304702903@...):
> I want write a c program.And a common user(not in root group) will run this program.
> In this program,I call fread(/dev/sdc...) and fwrite(/dev/sdc),but this call will return "permission no allow".If I use the root user,will be ok.
> How to change to the authority to root's?
>
> I know the root's password.

Offhand I suspect what you need is CAP_SYS_RAWIO (maybe CAP_SYS_ADMIN).
But I don't know how your program is designed so am not sure how to
best give your program that privilege:

1. Make program setuid root, have it immediately switch
to nonroot and keep root in your saved uid so you can move it
back to euid when you need to write /dev/sdc.
(man setresuid)
2. Put CAP_SYS_RAWIO in fP (or fI if you can put it in
the calling user's pI), then have your program
put the capability into pE just when it needs to
write to /dev/sdc.
(man 7 capabilities)
3. Write a separate minimal partially privileged helper
program which answers requests by your main program.
Then you could use selinux to enforce an assured
pipeline to prevent anyone else using the helper.
(google privilege separation)

-serge

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699

2008-12-02T04:59:16Z

Dear fellow selinux experts,

Net avc for npviewer :(

Summary:

SELinux is preventing npviewer.bin (nsplugin_t) "read" to ./pulse-shm-4180703699
(tmpfs_t).

Detailed Description:

SELinux denied access requested by npviewer.bin. It is not expected that this
access is required by npviewer.bin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./pulse-shm-4180703699,

restorecon -v './pulse-shm-4180703699'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102
3
Target Context unconfined_u:object_r:tmpfs_t:s0
Target Objects ./pulse-shm-4180703699 [ file ]
Source npviewer.bin
Source Path /usr/lib/nspluginwrapper/npviewer.bin
Port <Unknown>
Host riohigh
Source RPM Packages nspluginwrapper-1.1.4-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name riohigh
Platform Linux riohigh 2.6.27.5-117.fc10.i686 #1 SMP Tue
Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count 1
First Seen Tue 02 Dec 2008 06:57:09 AM CST
Last Seen Tue 02 Dec 2008 06:57:09 AM CST
Local ID c049e765-9d3b-4384-927a-19797fb78d8d
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1228222629.565:217): avc: denied { read } for pid=4625 comm="npviewer.bin" name="pulse-shm-4180703699" dev=tmpfs ino=36988 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file

node=riohigh type=SYSCALL msg=audit(1228222629.565:217): arch=40000003 syscall=5 success=no exit=-13 a0=bfda08d0 a1=a0000 a2=0 a3=bfda08d0 items=0 ppid=4427 pid=4625 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=13 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)

I try the fix and i get:

[olivares@riohigh ~]$ su -
Password:
[root@riohigh ~]# restorecon -v './pulse-shm-4180703699'

restorecon: stat error on ./pulse-shm-4180703699: No such file or directory
[root@riohigh ~]#

Thanks,

Antonio

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: installing xine from source yields lots of selinux denials

2008-12-02T04:50:34Z

--- On Tue, 12/2/08, Rahul Sundaram <sundaram@...> wrote:

> From: Rahul Sundaram <sundaram@...>
> Subject: Re: installing xine from source yields lots of selinux denials
> To: olivares14031@...
> Cc: fedora-selinux-list@...
> Date: Tuesday, December 2, 2008, 2:44 AM
> Antonio Olivares wrote:
> > Dear all,
> >
> > Trying to install xine-lib from source *to put in the
> missing pieces* gives selinux denials with chcon
>
> It would be much simpler to install xine-lib-extras from
> rpmfusion.
>
> Rahul

Done!!!

I got it from rpmfusion.

Regards,

Antonio

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: installing xine from source yields lots of selinux denials

2008-12-02T02:44:48Z

Antonio Olivares wrote:
> Dear all,
>
> Trying to install xine-lib from source *to put in the missing pieces* gives selinux denials with chcon

It would be much simpler to install xine-lib-extras from rpmfusion.

Rahul

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

iptables denials on Centos

2008-12-02T01:39:16Z

Hi,

I'm running several fully updated CentOS 5.2 servers and am trying to get all
the SELinux denials sorted out.

Here are two of the ones that I've got left. I can generate local policy to
allow these but is that the best way. The full sealert messages have been
cut.

1. SELinux is preventing iptables (iptables_t) "read write" to socket
(initrc_t). For complete SELinux messages. run sealert -l
80760bb0-da8f-4fe8-855a-1cfc5789a597

[root@garryowen ~]# sealert -l 80760bb0-da8f-4fe8-855a-1cfc5789a597

Summary:

SELinux is preventing iptables (iptables_t) "read write" to socket (initrc_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this
...

Allowing Access:
You can generate a local policy module to allow this access - see FAQ
...

Additional Information:

Source Context system_u:system_r:iptables_t
Target Context system_u:system_r:initrc_t
Target Objects socket [ packet_socket ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host garryowen.xx.xx.xx
Source RPM Packages iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name garryowen.xx.xx.xx
Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5

Raw Audit Messages

host=garryowen.xx.xx.xx type=AVC msg=audit(1227684250.838:20268): avc: denied
{ read write } for pid=22829 comm="iptables" path="socket:[18015]"
dev=sockfs ino=18015 scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=packet_socket

host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1227684250.838:20268):
arch=40000003 syscall=11 success=yes exit=0 a0=9c95470 a1=9c956f8 a2=9c95610
a3=40 items=0 ppid=5571 pid=22829 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables"
exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)

2. SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t). For
complete SELinux messages. run sealert -l
879c2152-44ee-4594-96c6-96716fda722b

[root@garryowen ~]# sealert -l 879c2152-44ee-4594-96c6-96716fda722b

Summary:

SELinux is preventing iptables (iptables_t) "read" to pipe (crond_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this
...

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
...

Additional Information:

Source Context root:system_r:iptables_t
Target Context system_u:system_r:crond_t:SystemLow-SystemHigh
Target Objects pipe [ fifo_file ]
Source iptables
Source Path /sbin/iptables
Port <Unknown>
Host garryowen.xx.xx.xx
Source RPM Packages iptables-1.3.5-4.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name garryowen.xx.xx.xx
Platform Linux garryowen.xx.xx.xx 2.6.18-92.1.18.el5

Raw Audit Messages

host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
{ read } for pid=14428 comm="iptables" path="pipe:[1462004]" dev=pipefs
ino=1462004 scontext=root:system_r:iptables_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=garryowen.xx.xx.xx type=AVC msg=audit(1228007101.709:31231): avc: denied
{ write } for pid=14428 comm="iptables" path="pipe:[1462005]" dev=pipefs
ino=1462005 scontext=root:system_r:iptables_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

host=garryowen.xx.xx.xx type=SYSCALL msg=audit(1228007101.709:31231):
arch=40000003 syscall=11 success=yes exit=0 a0=9985ab8 a1=9985698 a2=996d5d0
a3=0 items=0 ppid=14416 pid=14428 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=5147 comm="iptables"
exe="/sbin/iptables" subj=root:system_r:iptables_t:s0 key=(null)

Thanks,

Tony

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

How can i call a function which is usually used by root?

2008-12-02T01:21:24Z

I want write a c program.And a common user(not in root group) will run this program.
In this program,I call fread(/dev/sdc...) and fwrite(/dev/sdc),but this call will return "permission no allow".If I use the root user,will be ok.
How to change to the authority to root's?

I know the root's password.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Problem with restorecon

2008-12-01T15:03:03Z

On Mon, Dec 01, 2008 at 23:47:04 +0100,
Konrad Azzopardi <konrad.azzopardi@...> wrote:
>
> I cannot get rid of initrc_exec_t. Although my script is still
> confined correctly, I would like to label this file normally, is there
> a reason why restorecon fails ?

My guess would be that the last matching rule for /etc/init.d/yule is not
the one you have shown.
As far as I can tell the management of rules for restorecon is not complete
as there isn't any easy way to order the rules.
For add on rules you can delete existing ones and re-add them to put them
at the end of the list. That is a pain.

I don't think a list of re's matching complete paths that is order dependent
is the best way to solve this problem. I think it would be better to have
something that matched the tree structure of the file system.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

interface file

2008-12-01T14:48:49Z

hi there,

A simple question - if i want to create some interface like
corenet_tcp_connect_yule_port(), would it be ok to put it in the
interface file cause i saw a lot of similar macros depracated inside
the interface files ?. If it is not the right place, would the
corenetwork.if.in be the right place ? what is the best way to go
about it ? tnx a lot

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Problem with restorecon

2008-12-01T14:47:04Z

Hi people,

i have the following policy version installed
selinux-policy-3.3.1-107.fc9.noarch
selinux-policy-devel-3.3.1-107.fc9.noarch
selinux-policy-targeted-3.3.1-107.fc9.noarch

I create an Selinux policy and generated the following filecontexts

[root@MALTA konsu]# semanage fcontext -l | grep yule
/etc/init.d/yule regular file
system_u:object_r:yule_script_exec_t:s0
/var/run/yule.pid regular file
system_u:object_r:yule_var_run_t:s0
/var/log/yule(/.*)? regular file
system_u:object_r:yule_log_t:s0
/var/lib/yule(/.*)? regular file
system_u:object_r:yule_var_lib_t:s0
/etc/yulerc regular file
system_u:object_r:yule_config_t:s0
/usr/local/sbin/yule regular file
system_u:object_r:yule_exec_t:s0

Allt he files seems to become labelled normally as expected except
/etc/init.d/yule

[root@MALTA konsu]# restorecon -R -v /etc/init.d/yule
[root@MALTA konsu]# ls -lrtZ /etc/init.d/yule
-rwx------ root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/yule

I cannot get rid of initrc_exec_t. Although my script is still
confined correctly, I would like to label this file normally, is there
a reason why restorecon fails ?

many thanks
konrad

fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

nspluginwrapper and .PDF files

2008-12-01T14:32:09Z

Over the past several days, I have begin to experiment with enabling the allow_unconfined_nsplugin_transition boolean in a F10 test environment.

One of the most consistent demands from my test users/potential security threats is the ability to open .PDF files. Using mozplugger to do this launches evince, which throws AVCs all over and is probably undesirable anyway for the reasons listed in Dan Walsh's Nov 4 blog post on http://danwalsh.livejournal.com/

On the other hand, removing mozplugger and using the Adobe Acrobat 8.1.3 Firefox plugin throws lots of AVCs of its own -- and even more when doing things like printing -- and thus may not be the way to go.

If allow_unconfined_nsplugin_transition is to be useful in user land, it seems that the boolean should allow .PDF opening/saving/printing out of the box using either evince or Adobe's reader. I am happy to bugzilla the AVCs for one or the other and help with testing -- any preference in the community for which one?

Paul C. Rauser
ægis law group LLP
901 F Street, N.W.
Suite 500

Washington, D.C. 20004
T: 202 737 3375
F: 202 737 3330
E: prauser@...

NOTICE: This communication from Aegis Law Group LLP may contain information that is legally privileged, confidential, or exempt from disclosure. If you are not the intended recipient, please note that any disclosure, copying, distribution, or use of the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by return e-mail and delete all copies.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: browser_confine_xguest

2008-12-01T12:48:16Z

The name/ usage of browser_confine_xguest is a bit confusing and system-config-selinux does not give any enlightenment.

It may not even matter since I do not have xguest installed, but for academic purposes, does browser_confine_xguest confine the xguest to only browsing the localhost if it is on or off? Dan Walsh's journal seems to indicate that this should be on to allow browsing of the Internet by xguest which would seem to be the opposite of confine.

This indicates whether the xguest account will transition to xguest_mozilla_t or not. If you turn this boolean on, xguest will be able to browse the web using firefox/mozilla. If you turn it off the account will only be allowed to run mozilla/firefox locally. You will not have any access to the net. -- http://danwalsh.livejournal.com/13376.html

Am I just reading this wrong?

Regards,
John

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: selinux denying a cups printer [followup]

2008-11-28T09:33:53Z

On Friday 28 November 2008, Gene Heskett wrote:

>Greetings;
>
>Uptodate F8, targeted setting
>
>host=coyote.coyote.den type=AVC msg=audit(1227891049.940:679): avc: denied {
>execute } for pid=6486 comm="cupsd" name="lp3" dev=sda3 ino=104400725
>scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
>
>host=coyote.coyote.den type=SYSCALL msg=audit(1227891049.940:679):
>arch=40000003 syscall=33 success=no exit=-13 a0=bff13656 a1=1 a2=b7f17ff4
>a3=b7f18a3c items=0 ppid=6485 pid=6486 auid=0 uid=0 gid=0 euid=0 suid=0
>fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd"
>exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>key=(null)
>
>The troubleshooters recommended fix is a restorecon -v './lp3'
>
>The only ./lp3 I could find was in /etc/cups.d/interfaces/lp3, and while it
>did change the context of the file, it does not fix the problem. This
>particular driver ppd is the lpr and cupswrapper of the HL2140 driver kit
>from Brother, and apparently is installed in a /usr/local/Brother subdir by
>their rpms.
>
>All this did work flawlessly before I had a drive failure, and it worked
> after an Fu8 install, but failed sometime in the nearly 2 weeks uptime, as
> did all my other printer profiles, which I have now deleted and rebuilt,
> and work except for this one.
>
>I am going to try touching /.autorelabel and reboot again see if that helps.
>However, nothing happened the last time I tried that 2 weeks ago...

The autorelabel was done, but it didn't help.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Anyone can hold the helm when the sea is calm.
-- Publius Syrus

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

selinux denying a cups printer

2008-11-28T09:06:31Z

Greetings;

Uptodate F8, targeted setting

host=coyote.coyote.den type=AVC msg=audit(1227891049.940:679): avc: denied {
execute } for pid=6486 comm="cupsd" name="lp3" dev=sda3 ino=104400725
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

host=coyote.coyote.den type=SYSCALL msg=audit(1227891049.940:679):
arch=40000003 syscall=33 success=no exit=-13 a0=bff13656 a1=1 a2=b7f17ff4
a3=b7f18a3c items=0 ppid=6485 pid=6486 auid=0 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd"
exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
key=(null)

The troubleshooters recommended fix is a restorecon -v './lp3'

The only ./lp3 I could find was in /etc/cups.d/interfaces/lp3, and while it
did change the context of the file, it does not fix the problem. This
particular driver ppd is the lpr and cupswrapper of the HL2140 driver kit
from Brother, and apparently is installed in a /usr/local/Brother subdir by
their rpms.

All this did work flawlessly before I had a drive failure, and it worked after
an Fu8 install, but failed sometime in the nearly 2 weeks uptime, as did all
my other printer profiles, which I have now deleted and rebuilt, and work
except for this one.

I am going to try touching /.autorelabel and reboot again see if that helps.
However, nothing happened the last time I tried that 2 weeks ago...

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Q: How many IBM CPU's does it take to do a logical right shift?
A: 33. 1 to hold the bits and 32 to push the register.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Setroubleshootd on FC8 has a major memory leak

2008-11-28T00:24:18Z

Hello,

after 9 days of running it used over 2G (virt, rss ~1G).

Greetings,
Edek

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: How to HTTP Serve Fedora Distribution

2008-11-26T14:57:28Z

"Murray McAllister wrote:"

>
> David Highley wrote:
> > How can we set up HTTP serving of Fedora distribution since we can not
> > label the files in the ISO? What we have tried:
> > - copy ISO file into web tree
> > - loopback mount the ISO to /mnt
> > - symlink /mnt into the web tree
> > or
> > - create directory in web tree
> > - loopback mount the ISO to directory in web tree
> >
> > Selinux blocks access to the distribution. The only solution we are
> > aware of is to drop the pants on selinux by going to permissive mode.
> >
> > David Highley
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@...
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Hi,
>
> Paul seemed to have answered your question. There are some examples of
> overriding SELinux contexts with the mount command here:
>
> <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-Mounting_File_Systems.html>
>
> Hope that helps,
>
> Cheers.
>

Yes, Paul did answer my question. We were not aware that options had
been added to the mount command.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: How to HTTP Serve Fedora Distribution

2008-11-26T07:39:33Z

David Highley wrote:

> How can we set up HTTP serving of Fedora distribution since we can not
> label the files in the ISO? What we have tried:
> - copy ISO file into web tree
> - loopback mount the ISO to /mnt
> - symlink /mnt into the web tree
> or
> - create directory in web tree
> - loopback mount the ISO to directory in web tree
>
> Selinux blocks access to the distribution. The only solution we are
> aware of is to drop the pants on selinux by going to permissive mode.

I put the ISO file in my web tree and loopback mount it with a context
option, e.g. in fstab:

/srv/nb/distros/fc10/os/x86_64/iso/Fedora-10-x86_64-DVD.iso
/srv/nb/distros/fc10/os/x86_64/dvd iso9660
_netdev,ro,loop,fscontext=system_u:object_r:public_content_t:s0 0 0
/srv/nb/distros/fc10/os/i386/iso/Fedora-10-i386-DVD.iso
/srv/nb/distros/fc10/os/i386/dvd iso9660
_netdev,ro,loop,fscontext=system_u:object_r:public_content_t:s0 0 0

The resulting hierarchy can be exported using ftp, http, rsync, samba, etc.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

How to HTTP Serve Fedora Distribution

2008-11-26T07:33:31Z

How can we set up HTTP serving of Fedora distribution since we can not
label the files in the ISO? What we have tried:
- copy ISO file into web tree
- loopback mount the ISO to /mnt
- symlink /mnt into the web tree
or
- create directory in web tree
- loopback mount the ISO to directory in web tree

Selinux blocks access to the distribution. The only solution we are
aware of is to drop the pants on selinux by going to permissive mode.

David Highley

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: preventing unconfined users exec in home and tmp

2008-11-25T17:23:43Z

Murray McAllister wrote:
> Hi,
>
> I have turned "allow_unconfined_exec_content" off, but unconfined users
> (unconfined_u) can still execute files in their home directories and /tmp/.
>
> I tried adding a user with "useradd -Z unconfined_u". This user can
> still execute. I could not find any dontaudit rules.
>
> Am I missing something?
I am running Fedora release 10 (Cambridge):

selinux-policy-targeted-3.5.13-18.fc10.noarch
selinux-policy-3.5.13-18.fc10.noarch
selinux-policy-doc-3.5.13-18.fc10.noarch
libselinux-utils-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
libselinux-2.0.73-1.fc10.i386
policycoreutils-2.0.57-11.fc10.i386

Cheers.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

preventing unconfined users exec in home and tmp

2008-11-25T17:11:48Z

Hi,

I have turned "allow_unconfined_exec_content" off, but unconfined users
(unconfined_u) can still execute files in their home directories and /tmp/.

I tried adding a user with "useradd -Z unconfined_u". This user can
still execute. I could not find any dontaudit rules.

Am I missing something?

Thanks.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Which permission to execute a script?

2008-11-24T08:43:10Z

On Mon, Nov 24, 2008 at 10:40:56 -0500,
Daniel J Walsh <dwalsh@...> wrote:
>
> A couple of things, people have asked for the ability to stop the
> execution of programs in the homedir. So the least priv app does not
> have the ability to execute content. Since xguest has the ability to
> execute perl, sh, python and other interpreters, the value of shutting
> down execution in the homedir is questionable. This means
> ~/bin/myscript.sh will fail, but sh ~/bin/myscript.sh will work. The
> blocking of execution does work for all compiled code.

OK, that explains what I was seeing.

> The policy is for the boolean allows the execution of user_home_t, but
> not other labeled file in the homedir, which is a bug.

And I think that explains why changing the booleans didn't fix my specific
situation.

Thanks for the explanation.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: GCL

2008-11-24T07:52:49Z

On Mon, Nov 24, 2008 at 8:43 AM, Daniel J Walsh <dwalsh@...> wrote:
> Yes, please open a bugzilla.
>
> We can make a duplicate policy for GCL to java, with execheap. But we
> need to track this via bugzilla.

Okay, here it is.

https://bugzilla.redhat.com/show_bug.cgi?id=472780

Thanks,
--
Jerry James
http://loganjerry.googlepages.com/

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: GCL

2008-11-24T07:43:10Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jerry James wrote:

> On Mon, Nov 24, 2008 at 8:14 AM, Daniel J Walsh <dwalsh@...> wrote:
>> Ok, is the GCL package available in Fedora? This probably should be
>> opened as a bugzilla. If gcl really needs execheap, we need to create a
>> new policy for it, since execmem_exec_t apps currently do not get this
>> and I really don't want to give them this. I guess I would like to hear
>> Ulrich Drepper chime in on this need.
>
> The GCL package has been in Fedora since 2005, but has not built
> successfully for months. I recently took over as maintainer and am
> trying to get it into a buildable state again. I've fixed the other
> problems; this seems to be the final blocker.
>
> If I make the saved images have type execmem_exec_t, then the build
> produces the "early" image successfully. When that image runs and
> tries to load up a bunch of Lisp files to produce the final image,
> SELinux kills it with an AVC denial that mentions execheap. I
> mentioned on fedora-devel-list that making the saved images have type
> java_exec_t produces a successful build. If you can tell me how to
> test with exactly execmem + execheap privileges, then I can make sure
> there is nothing else in the java_exec_t set that GCL needs.
> Otherwise, we may have to go through multiple iterations of "no wait,
> GCL needs one more permission".
>
> Do I need to audit the source code to discover the reason for the
> execheap need? I can guess; it's probably (eval form) that needs it,
> but I don't know that for sure.
>
> Say the word and I'll make a bugzilla entry for this. Thanks for your help.

Yes, please open a bugzilla.

We can make a duplicate policy for GCL to java, with execheap. But we
need to track this via bugzilla.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkqy44ACgkQrlYvE4MpobNJrQCfSR9kDnPc9i8mUy94mOZtJ+th
nTcAniypT1D+gpNMV3x8F8onG1wUKn66
=UnCw
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: Which permission to execute a script?

2008-11-24T07:40:56Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bruno Wolff III wrote:

> On Mon, Nov 17, 2008 at 19:07:40 -0600,
> Bruno Wolff III <bruno@...> wrote:
>> On Mon, Nov 17, 2008 at 17:07:42 -0600,
>> Bruno Wolff III <bruno@...> wrote:
>>> There doesn't seem to be a http_user_script_exec_t type. Probably it's a
>>> typo, but I didn't see a way to get a full list and didn't manage to
>>> guess the correct name.
>> Yep, typo. For the archive, 'seinfo -t' provides a list of types.
>>
>> The guest policy (at least my modified version) does not allow access to
>> files labelled httpd_user_script_exec_t.
>>
>> I'll keep putzing with this.
>
> I have it working now. In the end I needed to give both execute and
> execute_no_trans permission for tom_t running httpd_sys_script_exec_t.
>
> The allow_xguest_exec_content and allow_guest_exec_content booleans
> didn't seem to make a difference.
>
> Going forward I might want to spend the time to dial this policy back
> as I am executing the scripts with those types as an unconfined user
> (or perhaps I should use the user_u role) and I'd like to prevent tom_t
> from changing them (or replacing the files) with selinux.
>
> I was having trouble finding what the manage_files_pattern and
> manage_dirs_pattern macros expand to and exactly what functions some
> of the permissions allow. Is there any good documentation of these things
> online?

A couple of things, people have asked for the ability to stop the
execution of programs in the homedir. So the least priv app does not
have the ability to execute content. Since xguest has the ability to
execute perl, sh, python and other interpreters, the value of shutting
down execution in the homedir is questionable. This means
~/bin/myscript.sh will fail, but sh ~/bin/myscript.sh will work. The
blocking of execution does work for all compiled code.

The policy is for the boolean allows the execution of user_home_t, but
not other labeled file in the homedir, which is a bug.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkqywcACgkQrlYvE4MpobNYZQCfYVlEjsxEouyMpe2yJgxnZEOV
7QcAn0Ys5OU0YLQU75I4fFaRFmzK11Ec
=GyTO
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list