Old 01-14-2008, 06:23 PM
Chuck Anderson
 
audit log for "setenforce" changes?

On Mon, Jan 14, 2008 at 01:46:17PM -0500, Stephen Smalley wrote:
> load_policy doesn't touch the enforcing status.
>
> > Anyway, you have some serious labeling issue there in /var...
> >
> > try restorecon -R /var

The labeling issues I would (perhaps incorrectly) expect from
running SELinux in permissive mode. I decided to relabel and reboot
into enforcing mode. What a disaster. The system couldn't boot
enough to run the "fixfiles restore" from /etc/rc.sysinit, not even in
single user mode. I had to eventually boot into single user mode with
the selinux=0 kernel parameter and run "fixfiles restore" manually.
Then I discovered that somehow a bunch of bogus "unconfined" entries
had appeared in
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:

#
#
# User-specific file contexts, generated via libsemanage
# use semanage command to manage system users to change the file_context
#
#


#
# Home Context for user unconfined_u
#

/etc/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/etc/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/etc/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/etc/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/etc/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/etc/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/etc/lost+found/.* <<none>>
/etc -d system_u:object_r:home_root_t:s0
/etc/.journal <<none>>
/etc/lost+found -d system_u:object_r:lost_found_t:s0


#
# Home Context for user unconfined_u
#

/home/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/home/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/home/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/home/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/home/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/home/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/home/lost+found/.* <<none>>
/home -d system_u:object_r:home_root_t:s0
/home/.journal <<none>>
/home/lost+found -d system_u:object_r:lost_found_t:s0


#
# Home Context for user unconfined_u
#

/opt/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/opt/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/opt/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/opt/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/opt/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/opt/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/opt/lost+found/.* <<none>>
/opt -d system_u:object_r:home_root_t:s0
/opt/.journal <<none>>
/opt/lost+found -d system_u:object_r:lost_found_t:s0


#
# Home Context for user unconfined_u
#

/usr/libexec/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/usr/libexec/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/usr/libexec/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/usr/libexec/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/usr/libexec/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/usr/libexec/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/usr/libexec/lost+found/.* <<none>>
/usr/libexec -d system_u:object_r:home_root_t:s0
/usr/libexec/.journal <<none>>
/usr/libexec/lost+found -d system_u:object_r:lost_found_t:s0


#
# Home Context for user unconfined_u
#

/var/log/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/var/log/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/var/log/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/var/log/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/var/log/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/var/log/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/var/log/lost+found/.* <<none>>
/var/log -d system_u:object_r:home_root_t:s0
/var/log/.journal <<none>>
/var/log/lost+found -d system_u:object_r:lost_found_t:s0
/tmp/gconfd-.* -d unconfined_u:object_r:unconfined_tmp_t:s0


#
# Home Context for user root
#

/root/.+ root:object_r:sysadm_home_t:s0
/root/.gnome2(/.*)? root:object_r:sysadm_gnome_home_t:s0
/root/.*/plugins/nprhapengine.so.* -- root:object_r:textrel_shlib_t:s0
/root/.*/plugins/libflashplayer.so.* -- root:object_r:textrel_shlib_t:s0
/root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_sysadm_content_t:s0
/root/.ssh(/.*)? root:object_r:sysadm_home_ssh_t:s0
/root/.uml(/.*)? root:object_r:sysadm_uml_rw_t:s0
/root/.java(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/.xauth.* -- root:object_r:sysadm_xauth_home_t:s0
/root/.fonts(/.*)? root:object_r:sysadm_fonts_t:s0
/root/.pyzor(/.*)? root:object_r:sysadm_pyzor_home_t:s0
/root/.razor(/.*)? root:object_r:sysadm_razor_home_t:s0
/root/vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
/root/.galeon(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/.vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
/root/.vmware[^/]*/.*.cfg -- root:object_r:sysadm_vmware_conf_t:s0
/root/.mozilla(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/.phoenix(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/.mplayer(/.*)? root:object_r:sysadm_mplayer_home_t:s0
/root/.mozilla(/.*)?/plugins/libflashplayer.so.* -- root:object_r:textrel_shlib_t:s0
/root/.ethereal(/.*)? root:object_r:sysadm_ethereal_home_t:s0
/root/.netscape(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/.Xauthority.* -- root:object_r:sysadm_xauth_home_t:s0
/root/.fonts/auto(/.*)? root:object_r:sysadm_fonts_cache_t:s0
/root/.gstreamer-.*/[^/]*.so.* -- root:object_r:textrel_shlib_t:s0
/root/.config/gtk-.* root:object_r:sysadm_gnome_home_t:s0
/root/.fonts.cache-.* -- root:object_r:sysadm_fonts_cache_t:s0
/root/.ICEauthority.* -- root:object_r:sysadm_iceauth_home_t:s0
/root/.spamassassin(/.*)? root:object_r:sysadm_spamassassin_home_t:s0
/root -d root:object_r:sysadm_home_dir_t:s0
/root -l root:object_r:sysadm_home_dir_t:s0
/root/.ircmotd -- root:object_r:sysadm_irc_home_t:s0
/root/.screenrc -- root:object_r:sysadm_screen_ro_home_t:s0
/root/.fonts.conf -- root:object_r:sysadm_fonts_config_t:s0
/tmp/gconfd-root -d root:object_r:sysadm_tmp_t:s0


I deleted all the sections headed up with "Home Context for user
unconfined_u" then re-ran "fixfiles restore".

The conclusion I draw is that running SELinux in permissive mode for
an extended period of time isn't well supported at all, and shouldn't
be recommended ever. Perhaps more testing should go into running a
system in permissive mode while yum updates apply selinux packages,
etc. to find these types of issues.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 01-14-2008, 06:36 PM
Daniel J Walsh
 
audit log for "setenforce" changes?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chuck Anderson wrote:
> On Mon, Jan 14, 2008 at 01:46:17PM -0500, Stephen Smalley wrote:
>> load_policy doesn't touch the enforcing status.
>>
>>> Anyway, you have some serious labeling issue there in /var...
>>>
>>> try restorecon -R /var
>
> The labeling issues I would (perhaps incorrectly) expect from
> running SELinux in permissive mode. I decided to relabel and reboot
> into enforcing mode. What a disaster. The system couldn't boot
> enough to run the "fixfiles restore" from /etc/rc.sysinit, not even in
> single user mode. I had to eventually boot into single user mode with
> the selinux=0 kernel parameter and run "fixfiles restore" manually.
> Then I discovered that somehow a bunch of bogus "unconfined" entries
> had appeared in
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs:
>
> #
> #
> # User-specific file contexts, generated via libsemanage
> # use semanage command to manage system users to change the file_context
> #
> #
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /etc/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /etc/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /etc/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /etc/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /etc/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /etc/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /etc/lost+found/.* <<none>>
> /etc -d system_u:object_r:home_root_t:s0
> /etc/.journal <<none>>
> /etc/lost+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /home/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /home/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /home/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /home/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /home/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/lost+found/.* <<none>>
> /home -d system_u:object_r:home_root_t:s0
> /home/.journal <<none>>
> /home/lost+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /opt/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /opt/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /opt/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /opt/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /opt/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /opt/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /opt/lost+found/.* <<none>>
> /opt -d system_u:object_r:home_root_t:s0
> /opt/.journal <<none>>
> /opt/lost+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /usr/libexec/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /usr/libexec/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /usr/libexec/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /usr/libexec/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /usr/libexec/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /usr/libexec/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /usr/libexec/lost+found/.* <<none>>
> /usr/libexec -d system_u:object_r:home_root_t:s0
> /usr/libexec/.journal <<none>>
> /usr/libexec/lost+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /var/log/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /var/log/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /var/log/[^/]*/.*/plugins/nprhapengine.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/.*/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /var/log/[^/]*/.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/.mozilla(/.*)?/plugins/libflashplayer.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/.gstreamer-.*/[^/]*.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /var/log/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /var/log/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /var/log/lost+found/.* <<none>>
> /var/log -d system_u:object_r:home_root_t:s0
> /var/log/.journal <<none>>
> /var/log/lost+found -d system_u:object_r:lost_found_t:s0
> /tmp/gconfd-.* -d unconfined_u:object_r:unconfined_tmp_t:s0
>
>
> #
> # Home Context for user root
> #
>
> /root/.+ root:object_r:sysadm_home_t:s0
> /root/.gnome2(/.*)? root:object_r:sysadm_gnome_home_t:s0
> /root/.*/plugins/nprhapengine.so.* -- root:object_r:textrel_shlib_t:s0
> /root/.*/plugins/libflashplayer.so.* -- root:object_r:textrel_shlib_t:s0
> /root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_sysadm_content_t:s0
> /root/.ssh(/.*)? root:object_r:sysadm_home_ssh_t:s0
> /root/.uml(/.*)? root:object_r:sysadm_uml_rw_t:s0
> /root/.java(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/.xauth.* -- root:object_r:sysadm_xauth_home_t:s0
> /root/.fonts(/.*)? root:object_r:sysadm_fonts_t:s0
> /root/.pyzor(/.*)? root:object_r:sysadm_pyzor_home_t:s0
> /root/.razor(/.*)? root:object_r:sysadm_razor_home_t:s0
> /root/vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
> /root/.galeon(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/.vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
> /root/.vmware[^/]*/.*.cfg -- root:object_r:sysadm_vmware_conf_t:s0
> /root/.mozilla(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/.phoenix(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/.mplayer(/.*)? root:object_r:sysadm_mplayer_home_t:s0
> /root/.mozilla(/.*)?/plugins/libflashplayer.so.* -- root:object_r:textrel_shlib_t:s0
> /root/.ethereal(/.*)? root:object_r:sysadm_ethereal_home_t:s0
> /root/.netscape(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/.Xauthority.* -- root:object_r:sysadm_xauth_home_t:s0
> /root/.fonts/auto(/.*)? root:object_r:sysadm_fonts_cache_t:s0
> /root/.gstreamer-.*/[^/]*.so.* -- root:object_r:textrel_shlib_t:s0
> /root/.config/gtk-.* root:object_r:sysadm_gnome_home_t:s0
> /root/.fonts.cache-.* -- root:object_r:sysadm_fonts_cache_t:s0
> /root/.ICEauthority.* -- root:object_r:sysadm_iceauth_home_t:s0
> /root/.spamassassin(/.*)? root:object_r:sysadm_spamassassin_home_t:s0
> /root -d root:object_r:sysadm_home_dir_t:s0
> /root -l root:object_r:sysadm_home_dir_t:s0
> /root/.ircmotd -- root:object_r:sysadm_irc_home_t:s0
> /root/.screenrc -- root:object_r:sysadm_screen_ro_home_t:s0
> /root/.fonts.conf -- root:object_r:sysadm_fonts_config_t:s0
> /tmp/gconfd-root -d root:object_r:sysadm_tmp_t:s0
>
>
> I deleted all the sections headed up with "Home Context for user
> unconfined_u" then re-ran "fixfiles restore".
>
> The conclusion I draw is that running SELinux in permissive mode for
> an extended period of time isn't well supported at all, and shouldn't
> be recommended ever. Perhaps more testing should go into running a
> system in permissive mode while yum updates apply selinux packages,
> etc. to find these types of issues.
>
Do you have user accounts set up in /var/log? /lib/libexec?

If you have system accounts with homedirs and real shells, you can
confuse SELinux. Any system account should have a UID < 500 or a shell
of /bin/false or /sbin/nologin.

You also look like you have the root account set up to log in as system_u.
You probably want to execute

semanage login -m -s unconfined_u root


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeLucwACgkQrlYvE4MpobMbWQCgjv+H0sqo1AwqbozQuXxQ6gfw
WpwAnj7rx4yavBgSPaAIEphpyUiZr/Ud
=QQOb
-----END PGP SIGNATURE-----

 
Old 01-14-2008, 07:10 PM
Chuck Anderson
 
audit log for "setenforce" changes?

On Mon, Jan 14, 2008 at 02:36:45PM -0500, Daniel J Walsh wrote:
> Do you have user accounts set up in /var/log? /lib/libexec?
> If you have system accounts with homedirs and real shells, you can
> confuse SELinux. Any system account should have a UID < 500 or a shell
> of /bin/false or /sbin/nologin.

I fixed all accounts to meet these expectations.

There were these which I changed to use shells of /sbin/nologin:

oracle:x:1003:1003:Oracle User:/opt/oracle:/bin/sh
netsaint:x:1005:1005:netsaint:/usr/libexec/netsaint:/bin/sh
autores:x:2000:2000:Autores:/opt/autores:
dhcpd:x:2001:2001:DHCP Daemon:/etc/dhcpd:/bin/bash
autostat:x:2003:2003:Autostatus:/etc/autostatus:/bin/false
nagios:x:2004:2004:nagios:/var/log/nagios:/bin/sh

> You also look like you have the root account set up to log in as system_u.
> You probably want to execute
>
> semanage login -m -s unconfined_u root

Done.

Thanks for all the help. It sounds like I should go through all my
systems to be sure they meet current SELinux standards.

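The two checks Dan Walsh describes above (system accounts with a UID of 500 or more that keep a real shell, and the extra "home roots" they cause libsemanage's genhomedircon step to write into file_contexts.homedirs) can be scripted so the audit is repeatable before the next relabel. The script below is an added example, not code from the thread or from the Fedora project. The passwd and file_contexts.homedirs samples are constructed inline from the entries Chuck posted (plus a made-up regular user "chuck" to show that an ordinary /home account is not flagged); on a real system you would pass /etc/passwd and /etc/selinux/targeted/contexts/files/file_contexts.homedirs instead. The UID threshold of 500 and the /home root are taken from the thread and are parameters, not policy facts.

```shell
#!/bin/sh
# Added example: audit for the genhomedircon confusion described in the thread.
set -e

# Accounts that meet none of Dan's exceptions: UID >= the threshold (500 here),
# a real shell (anything other than /bin/false or /sbin/nologin; an empty shell
# field means /bin/sh to login(1)), and a home directory outside the expected
# home root. Each such account makes its parent directory look like a home root.
# Usage: suspect_accounts PASSWD_FILE [HOME_ROOT] [MIN_UID]
suspect_accounts() {
    awk -F: -v root="${2:-/home}" -v minuid="${3:-500}" '
        $3 >= minuid && $7 != "/bin/false" && $7 != "/sbin/nologin" \
            && index($6, root "/") != 1 {
            shell = ($7 == "") ? "(empty, login defaults to /bin/sh)" : $7
            print $1 ":" $3 ":" $6 ":" shell
        }' "$1"
}

# Directories that file_contexts.homedirs treats as home roots: the path of
# every "-d ... home_root_t" rule. A healthy targeted system lists only /home.
# Usage: home_roots FILE_CONTEXTS_HOMEDIRS
home_roots() {
    awk '$2 == "-d" && $3 ~ /:home_root_t:/ { print $1 }' "$1" | sort -u
}

# Home roots other than the one you expect (default /home).
# Usage: unexpected_home_roots FILE_CONTEXTS_HOMEDIRS [HOME_ROOT]
unexpected_home_roots() {
    home_roots "$1" | grep -v "^${2:-/home}\$" || true
}

# --- constructed sample input (modelled on the entries in the thread) ---
SAMPLE_PASSWD=$(mktemp)
SAMPLE_FC=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_FC"' EXIT

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
oracle:x:1003:1003:Oracle User:/opt/oracle:/bin/sh
netsaint:x:1005:1005:netsaint:/usr/libexec/netsaint:/bin/sh
autores:x:2000:2000:Autores:/opt/autores:
dhcpd:x:2001:2001:DHCP Daemon:/etc/dhcpd:/bin/bash
autostat:x:2003:2003:Autostatus:/etc/autostatus:/bin/false
nagios:x:2004:2004:nagios:/var/log/nagios:/bin/sh
chuck:x:500:500:Chuck (constructed regular user):/home/chuck:/bin/bash
EOF

# Abbreviated file_contexts.homedirs with the bogus /etc and /opt sections.
cat > "$SAMPLE_FC" <<'EOF'
#
# Home Context for user unconfined_u
#
/etc/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/etc/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/etc -d system_u:object_r:home_root_t:s0
/home/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/home -d system_u:object_r:home_root_t:s0
/opt -d system_u:object_r:home_root_t:s0
#
# Home Context for user root
#
/root -d root:object_r:sysadm_home_dir_t:s0
EOF

echo "== accounts that will confuse genhomedircon (user:uid:home:shell) =="
suspect_accounts "$SAMPLE_PASSWD"
echo "== home roots recorded in file_contexts.homedirs =="
home_roots "$SAMPLE_FC"
echo "== home roots other than /home =="
unexpected_home_roots "$SAMPLE_FC"
```

Against the sample, the five accounts Chuck moved to /sbin/nologin are reported (autostat is not, because /bin/false already excludes it), and /etc and /opt show up as unexpected home roots. After changing the shells, re-run `semanage` (which regenerates file_contexts.homedirs) and confirm the second check returns nothing before relabeling and switching back to enforcing.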
 
