FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 04-10-2008, 12:48 PM
David Timms
 
Default mrtg selinux denials in default configuration

I'm getting selinux denials with a default install of mrtg. I found a
bug opened/ and closed notabug:

https://bugzilla.redhat.com/show_bug.cgi?id=439953

However, that relates to a custom user config that calls a script, and
the response was that matching policy needs to be built.


In my case mrtg is running completely default {which may well be fully
useless - I haven't learnt enough about it yet}.


Should there be selinux denials on a default install of a package ?

DaveT.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-10-2008, 01:14 PM
David Timms
 
Default mrtg selinux denials in default configuration

David Timms wrote:

Should there be selinux denials on a default install of a package ?

audit item attached.

DT.

Summary:

SELinux is preventing mrtg (mrtg_t) "read" to ./root (user_home_dir_t).

Detailed Description:

SELinux denied access requested by mrtg. It is not expected that this access is
required by mrtg and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./root,

restorecon -v './root'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:mrtg_t:SystemLow-SystemHigh
Target Context system_ubject_r:user_home_dir_t
Target Objects ./root [ dir ]
Source mrtg
Source Path /usr/bin/perl
Port <Unknown>
Host poweredge
Source RPM Packages perl-5.10.0-20.fc9
Target RPM Packages filesystem-2.4.13-1.fc9
Policy RPM selinux-policy-3.3.1-31.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name poweredge
Platform Linux poweredge 2.6.25-0.195.rc8.git1.fc9.i686 #1
SMP Thu Apr 3 09:42:34 EDT 2008 i686 i686
Alert Count 332
First Seen Thu 10 Apr 2008 09:05:01 EST
Last Seen Thu 10 Apr 2008 22:50:01 EST
Local ID a045e8a5-d15b-43b2-8254-d957bc0f286d
Line Numbers

Raw Audit Messages

host=poweredge type=AVC msg=audit(1207831801.359:1488): avc: denied { read } for pid=17588 comm="mrtg" name="root" dev=sda3 ino=960961 scontext=system_u:system_r:mrtg_t:s0-s0:c0.c1023 tcontext=system_ubject_r:user_home_dir_t:s0 tclass=dir

host=poweredge type=SYSCALL msg=audit(1207831801.359:1488): arch=40000003 syscall=5 success=no exit=-13 a0=113427 a1=8000 a2=0 a3=8000 items=0 ppid=17586 pid=17588 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=185 comm="mrtg" exe="/usr/bin/perl" subj=system_u:system_r:mrtg_t:s0-s0:c0.c1023 key=(null)



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-10-2008, 07:57 PM
Daniel J Walsh
 
Default mrtg selinux denials in default configuration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Timms wrote:
> David Timms wrote:
>> Should there be selinux denials on a default install of a package ?
> audit item attached.
>
> DT.
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Your /root directory is labeled incorrectly.

restorecon -R -v /root

Should fix. That is what setroubleshoot suggested, did you try it.
Default installs should not be generating AVC's
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkf+cTwACgkQrlYvE4MpobMjDACfYngwMvtz5t Vgs0niXSEStBrR
gc0AoIAjcKC85DpETBumjap9YMsuQCu7
=gdb2
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-10-2008, 10:12 PM
David Timms
 
Default mrtg selinux denials in default configuration

Daniel J Walsh wrote:

David Timms wrote:

David Timms wrote:

Should there be selinux denials on a default install of a package ?

audit item attached.



Your /root directory is labeled incorrectly.
I did a touch /.autorelabel and reboot yesterday morning, and made the
setroubleshooter work. These have occurred since then. There is some old
.xauth files from last year in the folder, but none seem to have
incorrect context.



restorecon -R -v /root

Tried restorecon -R -v -n /root
- there were no replies.

restorecon -R -v /root
- there was also no replies.
My understanding is that any files that needed their secontext restored
woudl have been echoed.



Should fix. That is what setroubleshoot suggested, did you try it.

No.
Is {restorecon -v './root'} the same as the above ?
It does not echo any response either.


Default installs should not be generating AVC's

Does that include an upgrade F8-F9beta ?

In any case I'm doing a full relabel again, after I send this message,
and I'll see if that solves it...


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-14-2008, 07:39 PM
Daniel J Walsh
 
Default mrtg selinux denials in default configuration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Timms wrote:
> Daniel J Walsh wrote:
>> David Timms wrote:
>>> David Timms wrote:
>>>> Should there be selinux denials on a default install of a package ?
>>> audit item attached.
>
>> Your /root directory is labeled incorrectly.
> I did a touch /.autorelabel and reboot yesterday morning, and made the
> setroubleshooter work. These have occurred since then. There is some old
> .xauth files from last year in the folder, but none seem to have
> incorrect context.
>
>> restorecon -R -v /root
> Tried restorecon -R -v -n /root
> - there were no replies.
>
> restorecon -R -v /root
> - there was also no replies.
> My understanding is that any files that needed their secontext restored
> woudl have been echoed.
>
>> Should fix. That is what setroubleshoot suggested, did you try it.
> No.
> Is {restorecon -v './root'} the same as the above ?
> It does not echo any response either.
>
>> Default installs should not be generating AVC's
> Does that include an upgrade F8-F9beta ?
>
> In any case I'm doing a full relabel again, after I send this message,
> and I'll see if that solves it...
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
No the upgrade from F8-F9 Beta will create avc's. :^(

I am working on fixing these.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgDswAACgkQrlYvE4MpobPAXwCfRkanAojdPE tLXTAL7hmzhYtZ
FQkAoMOe3UiHDYDbimJnUF0lQVV0/Qzh
=QETz
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-14-2008, 07:40 PM
Daniel J Walsh
 
Default mrtg selinux denials in default configuration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Timms wrote:
> Daniel J Walsh wrote:
>> David Timms wrote:
>>> David Timms wrote:
>>>> Should there be selinux denials on a default install of a package ?
>>> audit item attached.
>
>> Your /root directory is labeled incorrectly.
> I did a touch /.autorelabel and reboot yesterday morning, and made the
> setroubleshooter work. These have occurred since then. There is some old
> .xauth files from last year in the folder, but none seem to have
> incorrect context.
>
>> restorecon -R -v /root
> Tried restorecon -R -v -n /root
> - there were no replies.
>
> restorecon -R -v /root
> - there was also no replies.
> My understanding is that any files that needed their secontext restored
> woudl have been echoed.
>
>> Should fix. That is what setroubleshoot suggested, did you try it.
> No.
> Is {restorecon -v './root'} the same as the above ?
> It does not echo any response either.
>
>> Default installs should not be generating AVC's
> Does that include an upgrade F8-F9beta ?
>
> In any case I'm doing a full relabel again, after I send this message,
> and I'll see if that solves it...
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


# semanage user -l
# semanage login -l
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgDsxoACgkQrlYvE4MpobOR0gCfT8/PZqIkYNAfXgLdj48DW7XR
HPIAoI7odaO50NgrU7jmFB6LGZ7rXRum
=t+Ki
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-15-2008, 12:51 PM
David Timms
 
Default mrtg selinux denials in default configuration

Daniel J Walsh wrote:

# semanage user -l
# semanage login -l

#assume DJW_REQUESTING_RESULT:

# semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Lvl MCS Range
SELinux Roles

root user s0 SystemLow-SystemHigh
system_r staff_r unconfined_r sysadm_r
staff_u user s0 SystemLow-SystemHigh
system_r staff_r sysadm_r
sysadm_u user s0 SystemLow-SystemHigh
sysadm_r
system_u user s0 SystemLow-SystemHigh
system_r
unconfined_u unconfined s0 SystemLow-SystemHigh
system_r unconfined_r
user_u user s0 s0 user_r

# semanage login -l
Login Name SELinux User MLS/MCS Range


__default__ unconfined_u SystemLow-SystemHigh
root unconfined_u SystemLow-SystemHigh
system_u system_u SystemLow-SystemHigh

As an aside, I erased mrtg yesterday - mo more mrtg denials.
Reinstalled mrtg just now, mrtg denials every five minutes. It is also
possible that when originally installed under F8, that I attempted to
configure it, but I can't find any evidence of that in /etc ...etc. My
other machine doesn't popup the denials with a default install, so I
expect there must be some invalid or selinux not configured to match
service requirements.
===
Actually running same -l on another f9beta notebook:
# semanage user -l {has the ones above plus:}

Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range
SELinux Roles

guest_u guest s0 s0 guest_r
xguest_u xguest s0 s0
xguest_r

# semanage login -l {same 3 items, except the selinux user for root is
different}.
Login Name SELinux User MLS/MCS Range


root root SystemLow-SystemHigh

Given autorelabel doesn't seem to solve it, is it worth {possible} to
rpm -e the targeted policy, then reinstall it - or am I barking up the
wrong tree ?
=====

DaveT.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-15-2008, 01:57 PM
Daniel J Walsh
 
Default mrtg selinux denials in default configuration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Timms wrote:
> Daniel J Walsh wrote:
>> # semanage user -l
>> # semanage login -l
> #assume DJW_REQUESTING_RESULT:
>
> # semanage user -l
> Labeling MLS/ MLS/
> SELinux User Prefix MCS Lvl MCS Range
> SELinux Roles
>
> root user s0 SystemLow-SystemHigh
> system_r staff_r unconfined_r sysadm_r
> staff_u user s0 SystemLow-SystemHigh
> system_r staff_r sysadm_r
> sysadm_u user s0 SystemLow-SystemHigh
> sysadm_r
> system_u user s0 SystemLow-SystemHigh
> system_r
> unconfined_u unconfined s0 SystemLow-SystemHigh
> system_r unconfined_r
> user_u user s0 s0 user_r
>
> # semanage login -l
> Login Name SELinux User MLS/MCS Range
>
>
> __default__ unconfined_u SystemLow-SystemHigh
> root unconfined_u SystemLow-SystemHigh
> system_u system_u SystemLow-SystemHigh
>
> As an aside, I erased mrtg yesterday - mo more mrtg denials.
> Reinstalled mrtg just now, mrtg denials every five minutes. It is also
> possible that when originally installed under F8, that I attempted to
> configure it, but I can't find any evidence of that in /etc ...etc. My
> other machine doesn't popup the denials with a default install, so I
> expect there must be some invalid or selinux not configured to match
> service requirements.
> ===
> Actually running same -l on another f9beta notebook:
> # semanage user -l {has the ones above plus:}
>
> Labeling MLS/ MLS/
> SELinux User Prefix MCS Level MCS Range
> SELinux Roles
>
> guest_u guest s0 s0
> guest_r
> xguest_u xguest s0 s0
> xguest_r
>
> # semanage login -l {same 3 items, except the selinux user for root is
> different}.
> Login Name SELinux User MLS/MCS Range
>
>
> root root SystemLow-SystemHigh
>
> Given autorelabel doesn't seem to solve it, is it worth {possible} to
> rpm -e the targeted policy, then reinstall it - or am I barking up the
> wrong tree ?
> =====
>
> DaveT.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Ok I looked at the bugzilla, looks like mrtg is execing top which is
reading all process /proc information. Does it need to be able to read
all this, or can I dontaudit it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgEtEYACgkQrlYvE4MpobPnWgCfWlInfyvJgs kvev32mFqTWAos
Kq0AnROErPbG2Ycqk3MW3Bal0kJSG7r5
=wtxK
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-16-2008, 11:49 PM
David Timms
 
Default mrtg selinux denials in default configuration

Daniel J Walsh wrote:

...
Ok I looked at the bugzilla, looks like mrtg is execing top which is
reading all process /proc information. Does it need to be able to read
all this, or can I dontaudit it.


Dan, I really don't know the answer to that - I haven't got around to
understanding / configuring mrtg at all. I got the impression from that
bug that the poster had a specific configuration that was causing that -
and that he would have to create allow rules for it to work, whereas I
don't seem to have any configuration for mrtg {except what is provided
in the rpm - a crond */5 min run using it's default config
/etc/mrtg/mrtg.cfg


A can confirm that commenting the /etc/cron.d/mrtg command stops the
denials, but I don't understand why my other F9Beta++ machine doesn't
generate the same denials.


As an aside: is there a way to perform an rpm -V to verify the packages
v on-disk contexts ? I could do this for mrtg and all it's requirements.


DaveT.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-17-2008, 12:31 PM
Daniel J Walsh
 
Default mrtg selinux denials in default configuration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Timms wrote:
> Daniel J Walsh wrote:
>> ...
>> Ok I looked at the bugzilla, looks like mrtg is execing top which is
>> reading all process /proc information. Does it need to be able to read
>> all this, or can I dontaudit it.
>
> Dan, I really don't know the answer to that - I haven't got around to
> understanding / configuring mrtg at all. I got the impression from that
> bug that the poster had a specific configuration that was causing that -
> and that he would have to create allow rules for it to work, whereas I
> don't seem to have any configuration for mrtg {except what is provided
> in the rpm - a crond */5 min run using it's default config
> /etc/mrtg/mrtg.cfg
>
> A can confirm that commenting the /etc/cron.d/mrtg command stops the
> denials, but I don't understand why my other F9Beta++ machine doesn't
> generate the same denials.
>
> As an aside: is there a way to perform an rpm -V to verify the packages
> v on-disk contexts ? I could do this for mrtg and all it's requirements.
>
> DaveT.
Not really but you can do a fixfiles -R mrtg restore to read the rpm
database and fix the labels on disk.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgHQy8ACgkQrlYvE4MpobPPzgCfd81hsUnlz1 zSSQnYhXR2r6AY
GF8An3Bmnut5i0iZtNcpcCcS6hvmXgZC
=WwPm
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 08:35 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org