01-01-2008, 04:47 PM
Lance Spitzner

Beginner question deciphering SELinux logs

I'm very excited to learn more about SELinux as I jump in configuring
this amazing tool. So I hope you folks don't mind a beginner
question or two. Right now I'm attempting to better understand AVC
logs. I've got SAMBA set up to do standard file sharing on CentOS
5.1. Default targeted policy is set in enforcing mode. When set to
permissive, no problem. However, enforcing is giving me the following
error below. I've already set the following booleans to 1, which has
not helped.


samba_enable_home_dirs on
use_samba_home_dirs on

Could a kind soul share with me what the log below is telling me?

Thanks!

lance

PS: Is there any way to configure SELinux/auditd to use regular dates,
as syslogd does?



type=AVC msg=audit(1199209100.230:984): avc: denied { read } for
pid=26929 comm="smbd" name="home" dev=sdb1 ino=92504065
scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir


type=SYSCALL msg=audit(1199209100.230:984): arch=40000003 syscall=5
success=no exit=-13 a0=93f9288 a1=18800 a2=bf85dccc a3=93f9268 items=0
ppid=22310 pid=26929 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500
egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd"
subj=user_u:system_r:smbd_t:s0 key=(null)


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
01-01-2008, 06:45 PM
Lance Spitzner

Beginner question deciphering SELinux logs

Thanks for the tremendous feedback so far, I appreciate it! I hope
this is not bad form, but I would like to answer my own question, but
then I have more questions. The error below shows that Samba SMB
service could not access 'home' which turns out to be /home.


System #ls -ldZ /home
drwxr-xr-x root root system_u:object_r:home_root_t /home

For some reason smbd_t cannot access home_root_t. So I did a chcon
on /home which fixed the problem. My question is, by fixing the error
have I made Samba more insecure, was this a bug, is there something I
could do instead?


chcon system_u:object_r:user_home_dir_t /home

Thanks!

lance


type=AVC msg=audit(1199209100.230:984): avc: denied { read } for
pid=26929 comm="smbd" name="home" dev=sdb1 ino=92504065
scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir


type=SYSCALL msg=audit(1199209100.230:984): arch=40000003 syscall=5
success=no exit=-13 a0=93f9288 a1=18800 a2=bf85dccc a3=93f9268
items=0 ppid=22310 pid=26929 auid=500 uid=500 gid=0 euid=500 suid=0
fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) comm="smbd" exe="/usr/sbin/smbd"
subj=user_u:system_r:smbd_t:s0 key=(null)


 
01-02-2008, 01:34 AM
Eric Paris

Beginner question deciphering SELinux logs

On Tue, 2008-01-01 at 11:47 -0600, Lance Spitzner wrote:

> PS: Is there any way to configure SELinux/auditd to use regular dates,
> as syslogd does?

Stop looking at audit logs directly. (I'll leave the policy questions
to the policy people, sorry)

ausearch -m AVC -i

-Eric
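
What `ausearch -i` does for the timestamp, and how the fields of the AVC record quoted in this thread read, shown as an added Python example that is not part of the original thread. The sample record is reconstructed from the one posted above, and the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the AVC record from the thread, with the target context
# written out in full (system_u:object_r:...) and wrapped as it was in the mail.
SAMPLE = """type=AVC msg=audit(1199209100.230:984): avc: denied { read } for
pid=26929 comm="smbd" name="home" dev=sdb1 ino=92504065
scontext=user_u:system_r:smbd_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir"""

HEADER = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):\s*avc:\s*(\w+)\s*\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Parse one raw AVC record into a dict; returns None if it is not an AVC."""
    text = " ".join(record.split())          # undo mail/log line wrapping
    m = HEADER.search(text)
    if not m:
        return None
    secs, millis, serial, result, perms = m.groups()
    when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    fields = {k: v.strip('"') for k, v in FIELD.findall(text[m.end():])}
    out = {
        "time": when.strftime("%Y-%m-%d %H:%M:%S") + "." + millis + " UTC",
        "serial": int(serial),
        "result": result,
        "perms": perms.split(),
        "fields": fields,
    }
    # An SELinux context is user:role:type[:level]; the type is what policy rules match.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":", 3)
        out[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return out

def summarize(record):
    """One-line, human-readable form of an AVC record."""
    a = parse_avc(record)
    if a is None:
        return "not an AVC record"
    f = a["fields"]
    target = f.get("path") or f.get("name") or "?"
    return (f'{a["time"]} {a["result"]} {{ {" ".join(a["perms"])} }}: '
            f'{f.get("comm", "?")} ({a["scontext_type"]}) -> '
            f'{target} ({a["tcontext_type"]}, class {f.get("tclass", "?")})')

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The number before the colon in `audit(1199209100.230:984)` is seconds since the epoch and the number after it is the event serial, which is what ties the AVC record to the SYSCALL record sharing the same `msg=audit(...)` value.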

 
01-02-2008, 01:59 AM
Lance Spitzner

Beginner question deciphering SELinux logs

>> PS: Is there any way to configure SELinux/auditd to use regular dates,
>> as syslogd does?
>
> Stop looking at audit logs directly. (I'll leave the policy questions
> to the policy people, sorry)
>
> ausearch -m AVC -i

Very cool, thanks! One other outstanding suggestion I received was
the RPM pkg 'setroubleshoot'. It does a mind blowing / amazing job of
taking AVC error messages and explaining to you exactly what they mean
and suggested actions. Not only does it help troubleshooting, but it
helps to better understand SELinux in general. Now only if there was
such a utility for the rest of Linux logging (dmesg anyone?).


Thanks!

lance

Summary
SELinux is preventing /usr/sbin/named (named_t) "getattr" access to
/dev/random (tmpfs_t).

Detailed Description
SELinux denied access requested by /usr/sbin/named. It is not expected that
this access is required by /usr/sbin/named and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
package.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /dev/random, restorecon -v
/dev/random. There is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
disable SELinux protection entirely for the application. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Changing the "named_disable_trans" boolean to true will disable SELinux
protection this application: "setsebool -P named_disable_trans=1."

The following command will allow this access:
setsebool -P named_disable_trans=1

Additional Information

Source Context user_u:system_r:named_t
Target Context system_u:object_r:tmpfs_t
Target Objects /dev/random [ chr_file ]
Affected RPM Packages
Policy RPM
Selinux Enabled
Policy Type
MLS Enabled
Enforcing Mode
Plugin Name plugins.disable_trans
Host Name
Platform
Alert Count 1
Line Numbers 1689,1690

Raw Audit Messages

avc: denied { getattr } for comm="named" dev=sdb1 egid=25 euid=25
exe="/usr/sbin/named" exit=-13 fsgid=25 fsuid=25 gid=25 items=0
path="/dev/random" pid=10791 scontext=user_u:system_r:named_t:s0 sgid=25
subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file
tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25

 
01-02-2008, 03:02 PM
Eric Paris

Beginner question deciphering SELinux logs

On Tue, 2008-01-01 at 20:59 -0600, Lance Spitzner wrote:
> >
> >> PS: Is there any way to configure SELinux/auditd to use regular dates,
> >> as syslogd does?
> >
> > Stop looking at audit logs directly. (I'll leave the policy questions
> > to the policy people, sorry)
> >
> > ausearch -m AVC -i
>
> Very cool, thanks! One other outstanding suggestion I received was
> the RPM pkg 'setroubleshoot'. It does a mind blowing / amazing job of
> taking AVC error messages and explaining to you exactly what they mean
> and suggested actions. Not only does it help troubleshooting, but it
> helps to better understand SELinux in general. Now only if there was
> such a utility for the rest of Linux logging (dmesg anyone?).
>
> Thanks!
>
> lance
>
> Summary
> SELinux is preventing /usr/sbin/named (named_t) "getattr" access to
> /dev/random (tmpfs_t).

ummm, how did it get mislabeled? hmmm, anyway, if you followed the
restorecon suggestion I assume it started working....

-Eric
