04-27-2010, 03:45 PM
Daniel J Walsh
Help with messed up F11 SELinux

On 04/27/2010 11:41 AM, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 17:01:26 +0200
> Dominick Grift <domg472@gmail.com> wrote:
>
>> On Tue, Apr 27, 2010 at 10:57:17AM -0400, Steve Blackwell wrote:
>>> On Tue, 27 Apr 2010 08:45:25 -0400
>>> Daniel J Walsh <dwalsh@redhat.com> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>>> Daniel J Walsh <dwalsh@redhat.com> wrote:
>>>>>
>>>>>
>>>>>>> I do still have one (so far) problem though. When I tried to
>>>>>>> point my browser at my local BackupPC server page I get an
>>>>>>> "Unable to Connect" message and an AVC:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
>>>>>>> avc: denied { write } for pid=31707 comm="perl5.10.0"
>>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>>
>>>>>>> node=steve.blackwell type=SYSCALL
>>>>>>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
>>>>>>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
>>>>>>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
>>>>>>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>>>> key=(null)
>>>>>>>
>>>>>>> Now I know I could change the context of that socket file but
>>>>>>> I'm guessing that it gets created every time and so that is
>>>>>>> not a permanent solution. Is there a boolean I need to set;
>>>>>>> nothing looked obvious or perhaps a BackupPC policy I need to
>>>>>>> install?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Steve
>>>>>>> --
>>>>>>> selinux mailing list
>>>>>>> selinux@lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>>
>>>>>> What directory is the socket in?
>>>>>
>>>>> /var/log/BackupPC
>>>>>
>>>>> Steve
>>>>
>>>> The BackupPC package comes with labeling in F12/F13 of
>>>> httpd_sys_content_t.
>>>>
>>>> # matchpathcon /var/log/BackupPC/
>>>> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
>>>>
>>>> Execute the following, should fix the problem
>>>>
>>>> # semanage fcontext -a -t httpd_sys_content_t
>>>> '/var/log/BackupPC(/.*)?'
>>>> # restorecon -R -v /var/log/BackupPC
>>>
>>> No luck.
>>>
>>> This did relabel the files in /var/log/BackupPC
>>>
>>> [root@steve ~]# ls -lZ /var/log/BackupPC
>>> -r--r--r--. backuppc backuppc
>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>>> srwxr-x---. backuppc backuppc
>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>>
>> This pid and sock need to mv to /var/run, i asked backuppc packager
>> to do this long time ago but for some reason not fixed yet
>>
>
> I posted another message to the BackupPC list to try and find that
> status on your request but I didn't get an answer to my first question
> so I'm not holding my breath.
>
> In the meantime, would this work as a temporary workaround?
>
> # semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.sock
> # semanage fcontext -m -R system_r -t httpd_t /var/log/BackupPC.pid
> # restorecon -R -v /var/log/BackupPC
No that is wrong. httpd_sys_content_t is the correct label. httpd_t is
a process label not a file label.
>
> Thanks,
> Steve

 
04-27-2010, 04:18 PM
Steve Blackwell
Help with messed up F11 SELinux

On Tue, 27 Apr 2010 11:31:57 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:

> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
> > On Tue, 27 Apr 2010 08:45:25 -0400
> > Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> >> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> >>> On Mon, 26 Apr 2010 11:11:00 -0400
> >>> Daniel J Walsh <dwalsh@redhat.com> wrote:
> >>>
> >>>
> >>>>> I do still have one (so far) problem though. When I tried to
> >>>>> point my browser at my local BackupPC server page I get an
> >>>>> "Unable to Connect" message and an AVC:
> >>>>>
> >>>>> Raw Audit Messages :
> >>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
> >>>>> denied { write } for pid=31707 comm="perl5.10.0"
> >>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
> >>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> >>>>>
> >>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> >>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> >>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
> >>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48
> >>>>> fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0"
> >>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> >>>>> key=(null)
> >>>>>
> >>>>> Now I know I could change the context of that socket file but
> >>>>> I'm guessing that it gets created every time and so that is not
> >>>>> a permanent solution. Is there a boolean I need to set; nothing
> >>>>> looked obvious or perhaps a BackupPC policy I need to install?
> >>>>>
> >>>>> Thanks,
> >>>>> Steve
> >>>>>
> >>>>>
> >>>> What directory is the socket in?
> >>>
> >>> /var/log/BackupPC
> >>>
> >>> Steve
> >>
> >> The BackupPC package comes with labeling in F12/F13 of
> >> httpd_sys_content_t.
> >>
> >> # matchpathcon /var/log/BackupPC/
> >> /var/log/BackupPC system_u:object_r:httpd_sys_content_t:s0
> >>
> >> Execute the following, should fix the problem
> >>
> >> # semanage fcontext -a -t httpd_sys_content_t
> >> '/var/log/BackupPC(/.*)?'
> >> # restorecon -R -v /var/log/BackupPC
> >
> > No luck.
> >
> > This did relabel the files in /var/log/BackupPC
> >
> > [root@steve ~]# ls -lZ /var/log/BackupPC
> > -r--r--r--. backuppc backuppc
> > system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
> > srwxr-x---. backuppc backuppc
> > system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
> > ...
> >
> > but SELinux still won't let me access the server. I get a slightly
> > different but essentially the same AVC as before:
> >
> > Raw Audit Messages :
> >
> > node=steve.blackwell type=AVC
> > msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
> > comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
> >
> > node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
> > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
> > a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
> > uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> > tty=(none) ses=4294967295 comm="perl5.10.0"
> > exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> > key=(null)
> >
> > So it looks to my untrained eye that we have a process with context
> > system_u:system_r:httpd_t:s0
> > trying to write to a file that has a context
> > system_u:object_r:httpd_sys_content_t:s0
> >
> > and there is no rule to say that this is OK. Is that about right?
> >
> > Thanks,
> > Steve
>
> You can add the ok rule using audit2allow
>
> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M
> mybackuppc
> # semodule -i mybackuppc.pp

OK, a little progress. Now I am getting a socket connect denial.
Will repeating the audit2allow process correct this?

Thanks,
Steve
 
04-27-2010, 05:17 PM
Daniel J Walsh
Help with messed up F11 SELinux

On 04/27/2010 12:18 PM, Steve Blackwell wrote:
> OK, a little progress. Now I am getting a socket connect denial.
> Will repeating the audit2allow process correct this?
>
> Thanks,
> Steve
yes
 
04-27-2010, 06:16 PM
Steve Blackwell
Help with messed up F11 SELinux

On Tue, 27 Apr 2010 13:17:09 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:

> On 04/27/2010 12:18 PM, Steve Blackwell wrote:
> > OK, a little progress. Now I am getting a socket connect denial.
> > Will repeating the audit2allow process correct this?
> >
> > Thanks,
> > Steve
> yes

I wasn't sure if running audit2allow a second time would add to
mybackuppc.pp or replace it so I ran

# grep "BackupPC.sock" /var/log/audit/audit.log | audit2allow -M
mybackuppc.pp
# semodule -i mybackuppc.pp

I also noticed a boolean called httpd_can_network_connect. This would
have worked too, correct?

Now I can connect to the server but I get a different AVC:

Raw Audit Messages :
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied
{ read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file

node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349):
arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0
a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null)

disk is a link to an external USB drive where I keep the backups

[root@steve ~]# ls -lZ /media
drwxr-xr-x. root root system_u:object_r:mnt_t:s0
<the USB disk UUID>
lrwxrwxrwx. root root system_u:object_r:mnt_t:s0 disk ->
<the USB disk UUID>

So do I need to relabel the disk httpd_sys_content_t next?

Steve
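The `grep ... | audit2allow -M` step Dan recommends above, applied to the denials Steve pasted, as an added example that is not part of the thread or of the audit2allow tool: a small Python parser that reads raw AVC records, merges them into allow rules the way audit2allow does, and renders the .te source in audit2allow's layout. The sample records are the thread's own denials re-joined onto single lines (constructed input); function and variable names are my own.

```python
"""Derive the allow rules audit2allow would generate from raw AVC denial records."""
import re
from collections import OrderedDict

# Constructed sample: the AVC and SYSCALL records quoted in this thread, each
# re-joined onto a single line as they would appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390 a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied { read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of user:role:type[:level]; the MLS level may itself contain colons."""
    return ctx.split(":", 3)[2]


def parse_avc(line):
    """Parse one raw audit line. Returns a dict for AVC denials, None otherwise
    (SYSCALL records and granted AVCs are skipped, as audit2allow skips them)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "source": context_type(fields["scontext"]),   # process domain, e.g. httpd_t
        "target": context_type(fields["tcontext"]),   # object type, e.g. mnt_t
        "tclass": fields["tclass"],                   # object class, e.g. sock_file
        "name": fields.get("name"),
        "comm": fields.get("comm"),
    }


def _perm_set(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def derive_allow_rules(log_text, pattern=None):
    """Mirror `grep PATTERN audit.log | audit2allow`: keep lines containing
    PATTERN (all lines if None) and merge denials into one allow rule per
    (source type, target type, class), in first-seen order."""
    merged = OrderedDict()
    for line in log_text.splitlines():
        if pattern is not None and pattern not in line:
            continue
        rec = parse_avc(line)
        if rec is None:
            continue
        perms = merged.setdefault((rec["source"], rec["target"], rec["tclass"]), [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    return [f"allow {src} {tgt}:{cls} {_perm_set(perms)};"
            for (src, tgt, cls), perms in merged.items()]


def te_module(rules, name, version="1.0"):
    """Render allow rules as .te policy source in the layout audit2allow -M writes.
    Each rule is only as narrow as the denial it came from: a write denial on a
    content type (or a socket living under /var/log, as Dominick noted) usually
    points at a labeling or packaging gap, so read this before `semodule -i`."""
    types, classes = [], OrderedDict()
    for rule in rules:
        src, tgt, cls, perms = re.match(r"allow (\S+) (\S+):(\S+) (.+);$", rule).groups()
        for t in (src, tgt):
            if t not in types:
                types.append(t)
        cp = classes.setdefault(cls, [])
        for p in perms.strip("{} ").split():
            if p not in cp:
                cp.append(p)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_set(perms)};" for cls, perms in classes.items()]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same selection Steve made: only records mentioning the socket file.
    print(te_module(derive_allow_rules(SAMPLE_AUDIT_LOG, "BackupPC.sock"), "mybackuppc"))
    # All denials in the sample log, as the later audit2allow run would see them.
    print(te_module(derive_allow_rules(SAMPLE_AUDIT_LOG), "mybackuppc"))
```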
 
04-28-2010, 05:27 PM
Daniel J Walsh
Help with messed up F11 SELinux

On 04/27/2010 02:16 PM, Steve Blackwell wrote:
> I wasn't sure if running audit2allow a second time would add to
> mybackuppc.pp or replace it so I ran
>
> # grep "BackupPC.sock" /var/log/audit/audit.log | audit2allow -M
> mybackuppc.pp
> # semodule -i mybackuppc.pp
>
> I also noticed a boolean called httpd_can_network_connect. This would
> have worked too, correct?
>
> Now I can connect to the server but I get a different AVC:
>
> Raw Audit Messages :
> node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied
> { read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
>
> node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349):
> arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0
> a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295 uid=48
> gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
> ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> disk is a link to an external USB drive where I keep the backups
>
> [root@steve ~]# ls -lZ /media
> drwxr-xr-x. root root system_u:object_r:mnt_t:s0
> <the USB disk UUID>
> lrwxrwxrwx. root root system_u:object_r:mnt_t:s0 disk ->
> <the USB disk UUID>
>
> So do I need to relabel the disk httpd_sys_content_t next?
>
> Steve
>
>
You could use something like
mount -o context="system_u:object_r:httpd_sys_content_t:s0"

Which will tell mount to mount your disk with this label.
 
04-29-2010, 05:39 PM
Steve Blackwell
Help with messed up F11 SELinux

On Wed, 28 Apr 2010 13:27:58 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:

> > Now I can connect to the server but I get a different AVC:
> >
> > Raw Audit Messages :
> > node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc:
> > denied { read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0
> > ino=32931842 scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
> >
> > node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349):
> > arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0
> > a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295
> > uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> > tty=(none) ses=4294967295 comm="perl5.10.0"
> > exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> > key=(null)
> >
> > disk is a link to an external USB drive where I keep the backups
> >
> > [root@steve ~]# ls -lZ /media
> > drwxr-xr-x. root root system_u:object_r:mnt_t:s0
> > <the USB disk UUID>
> > lrwxrwxrwx. root root system_u:object_r:mnt_t:s0 disk ->
> > <the USB disk UUID>
> >
> > So do I need to relabel the disk httpd_sys_content_t next?

> You could use something like
> mount -o context="system_u:object_r:httpd_sys_content_t:s0"
>
> Which will tell mount to mount your disk with this label.

I'm sure that would work but the disk is mounted by the automounter and
I'd have to dig into that to figure out where to put those options.

I went ahead and relabeled and it seems to be working. Now I just have
to solve the issues I was having with BackupPC when I was running in
permissive mode.

Thanks,
Steve
 
