FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 03-05-2010, 12:43 PM
Daniel J Walsh
 
Default SELinux Admin newbie question

On 03/04/2010 05:18 PM, Temlakos wrote:
> Daniel J Walsh wrote:
>
>> On 03/04/2010 01:33 PM, Temlakos wrote:
>>
>>> Dominick Grift wrote:
>>>
>>>
>>>> On 03/04/2010 07:14 PM, Temlakos wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> Anyway--in case I have to use that installer again, as I think I
>>>>> might,
>>>>> I'd like to have somebody go over those alerts--because they /have/ to
>>>>> be related, somehow. Here they are again:
>>>>>
>>>>>
>>>>>
>>>> Just a comment:
>>>>
>>>> ausearch -m avc -ts ... does not show all denials in
>>>> /var/log/audit/audit.log
>>>>
>>>> There could also be user space AVC denials present which can be
>>>> listed with:
>>>>
>>>> ausearch -m user_avc -ts ...
>>>>
>>>> In some rare cases sone AVC denials may end up in dmesg and/or
>>>> /var/log/messages.
>>>>
>>>> Unfortunately i do not see anything in your enclosed AVC denials that i
>>>> suspect may be related to your issue. Hopefully someone else does.
>>>>
>>>>
>>>>
>>>>
>>> Well, I just tried searching on user_avc, even after un-hiding the
>>> alerts. Result:
>>>
>>> <no matches>
>>>
>>> So what I submitted, has to be it.
>>>
>>> But: might this have anything to do with it? I'm using KDE now, and one
>>> of the things that the installer had to do was to get into KWallet, and
>>> for that the system asked for my KWallet password, which I gave.
>>>
>>> I'm new to KDE, and I'm surprised that I didn't use it earlier. KDE has
>>> an automatic package installer that has already made my life a lot
>>> simpler, and when I realized that I was using a lot of KDE-specific
>>> apps, KDE was the logical choice. But maybe KDE has some subtleties that
>>> occasionally create a security problem in a security-enhanced
>>> environment.
>>>
>>> Temlakos
>>> --
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>>
>>>
>> I have seen installations trip over execmod,execmem and execstack checks.
>>
>> Also if the tools use java, it can do some stuff that SELinux does not
>> like.
>>
>> getsebool allow_execstack allow_execmem allow_execmod
>>
>>
>>
> allow_execstack --> on
> allow_execmem --> on
> allow_execmod --> off
>
> OK, what next?
>
> Temlakos
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
Try installing with allow_execmod on.

setsebool allow_execmod 1

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-05-2010, 01:46 PM
Temlakos
 
Default SELinux Admin newbie question

On 03/05/2010 08:43 AM, Daniel J Walsh wrote:
> On 03/04/2010 05:18 PM, Temlakos wrote:
>> Daniel J Walsh wrote:
>>> On 03/04/2010 01:33 PM, Temlakos wrote:
>>>> Dominick Grift wrote:
>>>>
>>>>> On 03/04/2010 07:14 PM, Temlakos wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Anyway--in case I have to use that installer again, as I think I
>>>>>> might,
>>>>>> I'd like to have somebody go over those alerts--because they
>>>>>> /have/ to
>>>>>> be related, somehow. Here they are again:
>>>>>>
>>>>>>
>>>>> Just a comment:
>>>>>
>>>>> ausearch -m avc -ts ... does not show all denials in
>>>>> /var/log/audit/audit.log
>>>>>
>>>>> There could also be user space AVC denials present which can be
>>>>> listed with:
>>>>>
>>>>> ausearch -m user_avc -ts ...
>>>>>
>>>>> In some rare cases sone AVC denials may end up in dmesg and/or
>>>>> /var/log/messages.
>>>>>
>>>>> Unfortunately i do not see anything in your enclosed AVC denials
>>>>> that i
>>>>> suspect may be related to your issue. Hopefully someone else does.
>>>>>
>>>>>
>>>>>
>>>> Well, I just tried searching on user_avc, even after un-hiding the
>>>> alerts. Result:
>>>>
>>>> <no matches>
>>>>
>>>> So what I submitted, has to be it.
>>>>
>>>> But: might this have anything to do with it? I'm using KDE now, and
>>>> one
>>>> of the things that the installer had to do was to get into KWallet,
>>>> and
>>>> for that the system asked for my KWallet password, which I gave.
>>>>
>>>> I'm new to KDE, and I'm surprised that I didn't use it earlier. KDE
>>>> has
>>>> an automatic package installer that has already made my life a lot
>>>> simpler, and when I realized that I was using a lot of KDE-specific
>>>> apps, KDE was the logical choice. But maybe KDE has some subtleties
>>>> that
>>>> occasionally create a security problem in a security-enhanced
>>>> environment.
>>>>
>>>> Temlakos
>>>> --
>>>> selinux mailing list
>>>> selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>>>
>>> I have seen installations trip over execmod,execmem and execstack
>>> checks.
>>>
>>> Also if the tools use java, it can do some stuff that SELinux does not
>>> like.
>>>
>>> getsebool allow_execstack allow_execmem allow_execmod
>>>
>>>
>> allow_execstack --> on
>> allow_execmem --> on
>> allow_execmod --> off
>>
>> OK, what next?
>>
>> Temlakos
>> --
>> selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> Try installing with allow_execmod on.
>
> setsebool allow_execmod 1
>
>

Done and thanks. Maybe next time I have to use AIR Installer, it will
behave.

It's nice to be able to enforce the security policy full-time.

Temlakos

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 01:25 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org