Daniel J Walsh 03-04-2010 03:12 PM

SELinux Admin newbie question
 
On 03/04/2010 10:24 AM, Temlakos wrote:
> Where do I find the logs to tell me what permissions a certain new
> application will need to operate?
>
> I'm using Fedora 12 on an HP Pavilion machine with a dual-core
> processor. Several times I have tried to install an application called
> TweetDeck. And each time I do, I am told that TweetDeck is having
> trouble accessing some secure passwords that are stored on the machine.
>
> I am convinced that SELinux is doing it. But I don't know how to get
> SELinux to play nice, because I can't see where the problem is.
>
> Temlakos
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
SELinux messages are in /var/log/audit/audit.log

ausearch -m avc -ts recent

Will show you recent messages.

Sebastian Pfaff 03-04-2010 03:17 PM

SELinux Admin newbie question
 
Hey Temlakos,

> Where do I find the logs to tell me what permissions a certain new
> application will need to operate?

You find these messages in /var/log/audit/audit.log. Open this file
with a pager of your choice (e.g. less or more). Then look for
messages with type AVC. As an alternative you can use ausearch to find
SELinux AVC (Access Vector Cache) denials/messages.

this command:

ausearch -m avc -ts today # shows you all auditd messages of type AVC
which are generated today. Consult manpage of ausearch for details.

How to read AVC denials is described here:

http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/

(Read topic "7.3. Fixing Problems")

> I'm using Fedora 12 on an HP Pavilion machine with a dual-core
> processor. Several times I have tried to install an application called
> TweetDeck. And each time I do, I am told that TweetDeck is having
> trouble accessing some secure passwords that are stored on the
> machine.

Redo your workflow and paste your AVC denials to this list.

> I am convinced that SELinux is doing it.

Probably yes.

> But I don't know how to get
> SELinux to play nice, because I can't see where the problem is.

You can use audit2allow to get SELinux to play nice. But be careful
when using this command. audit2allow simply generates SELinux rules
(aka Access Vector Rules) based on /var/log/audit/audit.log . It is
not uncommon that audit2allow allows more than you want. But for a
beginner this tool is a good choice.

--
Sebastian Pfaff



Dominick Grift 03-04-2010 04:11 PM

SELinux Admin newbie question
 
On 03/04/2010 04:24 PM, Temlakos wrote:
> Where do I find the logs to tell me what permissions a certain new
> application will need to operate?

/var/log/audit/audit.log

Some AVC denials may be hidden.

To expose hidden denials:

semodule -DB

To undo exposing hidden denials:

semodule -B

> I'm using Fedora 12 on an HP Pavilion machine with a dual-core
> processor. Several times I have tried to install an application called
> TweetDeck. And each time I do, I am told that TweetDeck is having
> trouble accessing some secure passwords that are stored on the machine.
>
> I am convinced that SELinux is doing it. But I don't know how to get
> SELinux to play nice, because I can't see where the problem is.
>
> Temlakos

Temlakos 03-04-2010 04:47 PM

SELinux Admin newbie question
 
Sebastian Pfaff wrote:
> Hey Temlakos,
>
>> Where do I find the logs to tell me what permissions a certain new
>> application will need to operate?
>
> You find these messages in /var/log/audit/audit.log. Open this file
> with a pager of your choice (e.g. less or more). Then look for
> messages with type AVC. As an alternative you can use ausearch to find
> SELinux AVC (Access Vector Cache) denials/messages.
>
> this command:
>
> ausearch -m avc -ts today # shows you all auditd messages of type AVC
> which are generated today. Consult manpage of ausearch for details.
>
> How to read AVC denials is described here:
>
> http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
>
> (Read topic "7.3. Fixing Problems")
>
>> I'm using Fedora 12 on an HP Pavilion machine with a dual-core
>> processor. Several times I have tried to install an application called
>> TweetDeck. And each time I do, I am told that TweetDeck is having
>> trouble accessing some secure passwords that are stored on the machine.
>
> Redo your workflow and paste your AVC denials to this list.
>
>> I am convinced that SELinux is doing it.
>
> Probably yes.
>
>> But I don't know how to get
>> SELinux to play nice, because I can't see where the problem is.
>
> You can use audit2allow to get SELinux to play nice. But be careful
> when using this command. audit2allow simply generates SELinux rules
> (aka Access Vector Rules) based on /var/log/audit/audit.log . It is
> not uncommon that audit2allow allows more than you want. But for a
> beginner this tool is a good choice.
>
> --
> Sebastian Pfaff
>
>

Well, before I use audit2allow, I'll first want to know how to turn that
off. Anyway, here's the output, after I un-hid the alerts:

-------------------------------------------

[root@temlakosbeta temlakos]# semodule -DB
[root@temlakosbeta temlakos]# ausearch -m avc -ts today
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.038:22518): arch=40000003 syscall=5
success=no exit=-13 a0=1387d20 a1=98800 a2=c93ff4 a3=1387d20 items=0
ppid=1 pid=1545 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon"
exe="/bin/dbus-daemon" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1267724351.038:22518): avc: denied { search } for
pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497
scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.050:22520): arch=40000003 syscall=11
success=yes exit=0 a0=12c2778 a1=746ae28 a2=0 a3=0 items=0 ppid=5873
pid=5879 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="setfiles" exe="/sbin/setfiles"
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.050:22520): avc: denied { noatsecure }
for pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc: denied { siginh } for
pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.050:22520): avc: denied { rlimitinh }
for pid=5879 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.052:22521): arch=40000003 syscall=11
success=yes exit=0 a0=9f05c30 a1=9f055a8 a2=9f05008 a3=9f081e8 items=0
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.052:22521): avc: denied { noatsecure }
for pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc: denied { siginh } for
pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc: denied { rlimitinh }
for pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.227:22522): arch=40000003 syscall=33
success=no exit=-13 a0=9868e90 a1=2 a2=60f900 a3=9809c00 items=0
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.227:22522): avc: denied { write } for
pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
----
time->Thu Mar 4 12:39:11 2010
type=SYSCALL msg=audit(1267724351.229:22523): arch=40000003 syscall=33
success=no exit=-13 a0=9898478 a1=2 a2=60f900 a3=9854390 items=0
ppid=5877 pid=5878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd"
exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267724351.229:22523): avc: denied { write } for
pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
[root@temlakosbeta temlakos]#

------------------------------------------


The workflow is this: using Adobe AIR Installer to install the TweetDeck
application. I only just performed this test, and that's what I got from
a single workflow.

Temlakos

Dominick Grift 03-04-2010 04:53 PM

SELinux Admin newbie question
 
On 03/04/2010 06:47 PM, Temlakos wrote:

>
> Well, before I use audit2allow, I'll first want to know how to turn that
> off. Anyway, here's the output, after I un-hid the alerts:
>

I do not see any AVC denials that I think are related.

Does the app work in permissive mode? If it does, then that confirms
that this is an issue of SELinux.

If the app does not work in permissive mode, then this suggests that
this issue is not related to SELinux.

If it is related to SELinux:

1. semodule -DB to unload hidden denials.
2. Run the app to reproduce the issue.
3. See /var/log/audit/audit.log for clues.

(The AVC denials that you have enclosed, to me, do not show anything that
I think is related)

>
> The workflow is this: using Adobe AIR Installer to install the TweetDeck
> application. I only just performed this test, and that's what I got from
> a single workflow.
>
> Temlakos

Temlakos 03-04-2010 05:14 PM

SELinux Admin newbie question
 
Dominick Grift wrote:
> On 03/04/2010 06:47 PM, Temlakos wrote:
>
>
>> Well, before I use audit2allow, I'll first want to know how to turn that
>> off. Anyway, here's the output, after I un-hid the alerts:
>>
>>
>
> I do not see any AVC denials that I think are related.
>
> Does the app work in permissive mode? If it does, then that confirms
> that this is an issue of SELinux.
>
> If the app does not work in permissive mode, then this suggests that
> this issue is not related to SELinux.
>
> If it is related to SELinux:
>
> 1. semodule -DB to unload hidden denials.
> 2. Run the app to reproduce the issue.
> 3. See /var/log/audit/audit.log for clues.
>
> (The AVC denials that you have enclosed, to me, do not show anything that
> I think is related)
>
>

Well, they must be related--because when I put SELinux into Permissive
mode for the current session, the installation went through. Now I have
it back on Enforcing mode, and TweetDeck still runs exactly as it
should. So the installation created an issue, but the application, once
installed, creates none.

Anyway--in case I have to use that installer again, as I think I might,
I'd like to have somebody go over those alerts--because they /have/ to
be related, somehow. Here they are again:


Temlakos


Dominick Grift 03-04-2010 05:20 PM

SELinux Admin newbie question
 
On 03/04/2010 07:14 PM, Temlakos wrote:

>
> Anyway--in case I have to use that installer again, as I think I might,
> I'd like to have somebody go over those alerts--because they /have/ to
> be related, somehow. Here they are again:

Just a comment:

ausearch -m avc -ts ... does not show all denials in
/var/log/audit/audit.log

There could also be user space AVC denials present which can be listed with:

ausearch -m user_avc -ts ...

In some rare cases some AVC denials may end up in dmesg and/or
/var/log/messages.

Unfortunately I do not see anything in your enclosed AVC denials that I
suspect may be related to your issue. Hopefully someone else does.

>
> Temlakos
>

Temlakos 03-04-2010 05:33 PM

SELinux Admin newbie question
 
Dominick Grift wrote:
> On 03/04/2010 07:14 PM, Temlakos wrote:
>
>
>> Anyway--in case I have to use that installer again, as I think I might,
>> I'd like to have somebody go over those alerts--because they /have/ to
>> be related, somehow. Here they are again:
>>
>
> Just a comment:
>
> ausearch -m avc -ts ... does not show all denials in
> /var/log/audit/audit.log
>
> There could also be user space AVC denials present which can be listed with:
>
> ausearch -m user_avc -ts ...
>
> In some rare cases some AVC denials may end up in dmesg and/or
> /var/log/messages.
>
> Unfortunately I do not see anything in your enclosed AVC denials that I
> suspect may be related to your issue. Hopefully someone else does.
>
>

Well, I just tried searching on user_avc, even after un-hiding the
alerts. Result:

<no matches>

So what I submitted, has to be it.

But: might this have anything to do with it? I'm using KDE now, and one
of the things that the installer had to do was to get into KWallet, and
for that the system asked for my KWallet password, which I gave.

I'm new to KDE, and I'm surprised that I didn't use it earlier. KDE has
an automatic package installer that has already made my life a lot
simpler, and when I realized that I was using a lot of KDE-specific
apps, KDE was the logical choice. But maybe KDE has some subtleties that
occasionally create a security problem in a security-enhanced environment.

Temlakos

Daniel J Walsh 03-04-2010 05:45 PM

SELinux Admin newbie question
 
On 03/04/2010 01:33 PM, Temlakos wrote:
> Dominick Grift wrote:
>
>> On 03/04/2010 07:14 PM, Temlakos wrote:
>>
>>
>>
>>> Anyway--in case I have to use that installer again, as I think I might,
>>> I'd like to have somebody go over those alerts--because they /have/ to
>>> be related, somehow. Here they are again:
>>>
>>>
>> Just a comment:
>>
>> ausearch -m avc -ts ... does not show all denials in
>> /var/log/audit/audit.log
>>
>> There could also be user space AVC denials present which can be listed with:
>>
>> ausearch -m user_avc -ts ...
>>
>> In some rare cases some AVC denials may end up in dmesg and/or
>> /var/log/messages.
>>
>> Unfortunately I do not see anything in your enclosed AVC denials that I
>> suspect may be related to your issue. Hopefully someone else does.
>>
>>
>>
> Well, I just tried searching on user_avc, even after un-hiding the
> alerts. Result:
>
> <no matches>
>
> So what I submitted, has to be it.
>
> But: might this have anything to do with it? I'm using KDE now, and one
> of the things that the installer had to do was to get into KWallet, and
> for that the system asked for my KWallet password, which I gave.
>
> I'm new to KDE, and I'm surprised that I didn't use it earlier. KDE has
> an automatic package installer that has already made my life a lot
> simpler, and when I realized that I was using a lot of KDE-specific
> apps, KDE was the logical choice. But maybe KDE has some subtleties that
> occasionally create a security problem in a security-enhanced environment.
>
> Temlakos
>
>
>
I have seen installations trip over execmod, execmem and execstack checks.

Also if the tools use Java, it can do some stuff that SELinux does not like.

getsebool allow_execstack allow_execmem allow_execmod
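
A triage helper for ausearch output like the dump posted earlier in this thread, added here as an example and not written by any of the posters: it rejoins the mail-wrapped lines, groups denials by source type, target type and class, lists which commands were denied, and flags the execmod/execmem/execstack permissions named above. THREAD_SAMPLE is copied from the thread's AVC lines; CONSTRUCTED_EXECMOD (including its path and the example-installer name) is made up, and treating USER_AVC records as carrying the same "avc: denied" text is an assumption.

```python
import re
from collections import defaultdict

# Permissions Daniel Walsh's reply names as ones installers trip over.
MEMORY_PERMS = {"execmod", "execmem", "execstack"}

RECORD_START = re.compile(r"(?=\btype=\w+ msg=audit\()")
HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\)")
DENIAL = re.compile(r"avc:\s*denied\s*\{([^}]*)\}\s*for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# AVC lines copied from the ausearch output posted in the thread (SYSCALL
# and time lines left out), still wrapped the way the mail wrapped them.
THREAD_SAMPLE = """\
type=AVC msg=audit(1267724351.038:22518): avc: denied { search } for
pid=1545 comm="dbus-daemon" name="root" dev=dm-0 ino=106497
scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1267724351.052:22521): avc: denied { noatsecure }
for pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1267724351.052:22521): avc: denied { siginh } for
pid=5878 comm="setroubleshootd"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
----
type=AVC msg=audit(1267724351.227:22522): avc: denied { write } for
pid=5878 comm="setroubleshootd" name="rpm" dev=dm-0 ino=32769
scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
"""

# Constructed record, not from the thread: what an execmod denial looks like.
CONSTRUCTED_EXECMOD = (
    'type=AVC msg=audit(1267724400.000:1): avc:  denied  { execmod } for '
    'pid=6000 comm="example-installer" path="/opt/example/libexample.so" '
    'dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:object_r:lib_t:s0 tclass=file'
)

def parse_denials(text):
    """Return one dict per AVC / USER_AVC denial in ausearch or audit.log text."""
    flat = " ".join(text.split())  # undo line wrapping
    denials = []
    for chunk in RECORD_START.split(flat):
        head, body = HEADER.match(chunk), DENIAL.search(chunk)
        if not (head and body):
            continue  # SYSCALL records, separators, shell prompts
        fields = {k: v.strip("\"'") for k, v in FIELD.findall(body.group(2))}
        denials.append({
            "record": head.group(1),
            "serial": int(head.group(3)),
            "perms": set(body.group(1).split()),
            "comm": fields.get("comm"),
            "source": fields.get("scontext", ":::").split(":")[2],
            "target": fields.get("tcontext", ":::").split(":")[2],
            "tclass": fields.get("tclass", ""),
        })
    return denials

def summarize(denials):
    """Merge permissions per (source type, target type, class), one line each."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(p))} }}"
            for (s, t, c), p in sorted(groups.items())]

def commands(denials):
    """Denied processes (comm=), to check whether your application is among them."""
    return sorted({d["comm"] for d in denials if d["comm"]})

def memory_denials(denials):
    """Denials involving execmod, execmem or execstack."""
    return [d for d in denials if d["perms"] & MEMORY_PERMS]
```

On a live system the same functions can be fed the text of `ausearch -m avc -ts today` captured to a file.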


Temlakos 03-04-2010 09:18 PM

SELinux Admin newbie question
 
Daniel J Walsh wrote:
> On 03/04/2010 01:33 PM, Temlakos wrote:
>> Dominick Grift wrote:
>>
>>> On 03/04/2010 07:14 PM, Temlakos wrote:
>>>
>>>
>>>
>>>> Anyway--in case I have to use that installer again, as I think I
>>>> might,
>>>> I'd like to have somebody go over those alerts--because they /have/ to
>>>> be related, somehow. Here they are again:
>>>>
>>>>
>>> Just a comment:
>>>
>>> ausearch -m avc -ts ... does not show all denials in
>>> /var/log/audit/audit.log
>>>
>>> There could also be user space AVC denials present which can be
>>> listed with:
>>>
>>> ausearch -m user_avc -ts ...
>>>
>>> In some rare cases some AVC denials may end up in dmesg and/or
>>> /var/log/messages.
>>>
>>> Unfortunately I do not see anything in your enclosed AVC denials that I
>>> suspect may be related to your issue. Hopefully someone else does.
>>>
>>>
>>>
>> Well, I just tried searching on user_avc, even after un-hiding the
>> alerts. Result:
>>
>> <no matches>
>>
>> So what I submitted, has to be it.
>>
>> But: might this have anything to do with it? I'm using KDE now, and one
>> of the things that the installer had to do was to get into KWallet, and
>> for that the system asked for my KWallet password, which I gave.
>>
>> I'm new to KDE, and I'm surprised that I didn't use it earlier. KDE has
>> an automatic package installer that has already made my life a lot
>> simpler, and when I realized that I was using a lot of KDE-specific
>> apps, KDE was the logical choice. But maybe KDE has some subtleties that
>> occasionally create a security problem in a security-enhanced
>> environment.
>>
>> Temlakos
>>
>>
>>
> I have seen installations trip over execmod, execmem and execstack checks.
>
> Also if the tools use Java, it can do some stuff that SELinux does not
> like.
>
> getsebool allow_execstack allow_execmem allow_execmod
>
>
allow_execstack --> on
allow_execmem --> on
allow_execmod --> off

OK, what next?

Temlakos

