Old 05-23-2008, 12:24 AM
Antonio Olivares
 
Default selinux denials for new Fedora 9 install

Dear all,

I have installed Fedora 9 onto a new machine x86_64, it was working beautifully, I am at this time putting in updates. However I got some selinux denials from setroubleshoot daemon

Tomboy Notes shows this error in box
\begin{box}

"Tomboy Notes" has quit unexpectedly

If you reload a panel object, it will automatically be added back to the panel.

\end{box}

The selinux denials follow:

Advice/Suggestions/Comments are welcome

Regards,

Antonio


Summary:

SELinux is preventing tomboy (unlabeled_t) "read" to socket (unlabeled_t).

Detailed Description:

SELinux denied access requested by tomboy. It is not expected that this access
is required by tomboy and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:object_r:unlabeled_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects socket [ unix_stream_socket ]
Source tomboy
Source Path /usr/bin/mono
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-42.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25-14.fc9.x86_64
#1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count 1
First Seen Thu 22 May 2008 02:18:36 PM CDT
Last Seen Thu 22 May 2008 02:18:36 PM CDT
Local ID e22208e0-0d5a-43aa-a57d-ca251e71c7f0
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1211483916.963:40): avc: denied { read } for pid=2664 comm="tomboy" path="socket:[19661]" dev=sockfs ino=19661 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=SYSCALL msg=audit(1211483916.963:40): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=e69c24 a2=1000 a3=1 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)





Summary:

SELinux is preventing tomboy (unlabeled_t) "write" to socket (unlabeled_t).

Detailed Description:

SELinux denied access requested by tomboy. It is not expected that this access
is required by tomboy and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:object_r:unlabeled_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects socket [ unix_stream_socket ]
Source tomboy
Source Path /usr/bin/mono
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-42.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25-14.fc9.x86_64
#1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count 5
First Seen Thu 22 May 2008 02:18:37 PM CDT
Last Seen Thu 22 May 2008 02:18:37 PM CDT
Local ID 125d1844-fea9-4203-9bde-2f6582a25bec
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1211483917.148:46): avc: denied { write } for pid=2664 comm="tomboy" path="socket:[19778]" dev=sockfs ino=19778 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=SYSCALL msg=audit(1211483917.148:46): arch=c000003e syscall=20 success=no exit=-13 a0=14 a1=ef21e0 a2=1 a3=a0 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)




Summary:

SELinux is preventing tomboy (unlabeled_t) "search" to / (root_t).

Detailed Description:

SELinux denied access requested by tomboy. It is not expected that this access
is required by tomboy and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /,

restorecon -v '/'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:object_r:unlabeled_t:s0
Target Context system_u:object_r:root_t:s0
Target Objects / [ dir ]
Source tomboy
Source Path /usr/bin/mono
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages filesystem-2.4.13-1.fc9
Policy RPM selinux-policy-3.3.1-42.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25-14.fc9.x86_64
#1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count 1
First Seen Thu 22 May 2008 02:18:37 PM CDT
Last Seen Thu 22 May 2008 02:18:37 PM CDT
Local ID dc21e5d6-47fb-47f9-97de-31a1009d6922
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1211483917.148:47): avc: denied { search } for pid=2664 comm="tomboy" name="/" dev=dm-0 ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1211483917.148:47): arch=c000003e syscall=87 success=no exit=-13 a0=ef24a0 a1=ef1cd0 a2=ef24a0 a3=7ffff6f6ede0 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)



Summary:

SELinux is preventing tomboy (unlabeled_t) "unix_write" to <Unknown>
(unlabeled_t).

Detailed Description:

SELinux denied access requested by tomboy. It is not expected that this access
is required by tomboy and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:object_r:unlabeled_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects None [ sem ]
Source tomboy
Source Path /usr/bin/mono
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-42.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25-14.fc9.x86_64
#1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count 1
First Seen Thu 22 May 2008 02:18:37 PM CDT
Last Seen Thu 22 May 2008 02:18:37 PM CDT
Local ID be7c4e58-a211-4d65-b643-49e9315ba3a6
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1211483917.148:48): avc: denied { unix_write } for pid=2664 comm="tomboy" key=1291903136 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=sem

host=localhost.localdomain type=SYSCALL msg=audit(1211483917.148:48): arch=c000003e syscall=65 success=no exit=-13 a0=0 a1=7ffff6f6f0d0 a2=1 a3=700 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)




Summary:

SELinux is preventing tomboy (unlabeled_t) "signal" to <Unknown> (unlabeled_t).

Detailed Description:

SELinux denied access requested by tomboy. It is not expected that this access
is required by tomboy and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:object_r:unlabeled_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects None [ process ]
Source tomboy
Source Path /usr/bin/mono
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-42.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25-14.fc9.x86_64
#1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count 2
First Seen Thu 22 May 2008 02:18:37 PM CDT
Last Seen Thu 22 May 2008 02:18:37 PM CDT
Local ID 8a1b1271-3864-4af1-90f6-b050cca48dd5
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1211483917.266:51): avc: denied { signal } for pid=2664 comm="tomboy" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1211483917.266:51): arch=c000003e syscall=234 success=no exit=-13 a0=a68 a1=a68 a2=6 a3=8 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)



Summary:

SELinux is preventing tomboy (unlabeled_t) "fork" to <Unknown> (unlabeled_t).

Detailed Description:

SELinux denied access requested by tomboy. It is not expected that this access
is required by tomboy and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:object_r:unlabeled_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects None [ process ]
Source tomboy
Source Path /usr/bin/mono
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-42.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25-14.fc9.x86_64
#1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count 1
First Seen Thu 22 May 2008 02:18:37 PM CDT
Last Seen Thu 22 May 2008 02:18:37 PM CDT
Local ID 25c06d10-f06e-4883-a58b-65a70df67409
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1211483917.499:84): avc: denied { fork } for pid=2664 comm="tomboy" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1211483917.499:84): arch=c000003e syscall=56 success=no exit=-13 a0=1200011 a1=0 a2=0 a3=7f0aede2d840 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)



Summary:

SELinux is preventing tomboy (unlabeled_t) "use" to /dev/null (unconfined_t).

Detailed Description:

SELinux denied access requested by tomboy. It is not expected that this access
is required by tomboy and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:object_r:unlabeled_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects /dev/null [ fd ]
Source tomboy
Source Path /usr/bin/mono
Port <Unknown>
Host localhost.localdomain
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-42.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.25-14.fc9.x86_64
#1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count 35
First Seen Thu 22 May 2008 02:18:36 PM CDT
Last Seen Thu 22 May 2008 02:18:37 PM CDT
Local ID a83681c0-d977-4078-83ad-3ffe26691266
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1211483917.499:85): avc: denied { use } for pid=2664 comm="tomboy" path="/dev/null" dev=tmpfs ino=1898 scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd

host=localhost.localdomain type=SYSCALL msg=audit(1211483917.499:85): arch=c000003e syscall=1 success=no exit=-13 a0=2 a1=13d570 a2=124 a3=7f0aede2d7b0 items=0 ppid=1 pid=2664 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 05-23-2008, 12:23 PM
Stephen Smalley
 
Default selinux denials for new Fedora 9 install

On Thu, 2008-05-22 at 17:24 -0700, Antonio Olivares wrote:
> Dear all,
>
> I have installed Fedora 9 onto a new machine x86_64, it was working beautifully, I am at this time putting in updates. However I got some selinux denials from setroubleshoot daemon
>
> Tomboy Notes shows this error in box
> \begin{box}
>
> "Tomboy Notes" has quit unexpectedly
>
> If you reload a panel object, it will automatically be added back to the panel.
>
> \end{box}
>
> The selinux denials follow:
>
> Advice/Suggestions/Comments are welcome

The unlabeled_t indicates that whatever context tomboy was running in
was made invalid by a policy update. You should have seen messages
in /var/log/messages about invalidating contexts upon the policy load.

Re-starting the process should get it into a valid context again.

--
Stephen Smalley
National Security Agency

 
Old 05-23-2008, 01:30 PM
Antonio Olivares
 
Default selinux denials for new Fedora 9 install

--- Stephen Smalley <sds@tycho.nsa.gov> wrote:

>
> On Thu, 2008-05-22 at 17:24 -0700, Antonio Olivares wrote:
> > Dear all,
> >
> > I have installed Fedora 9 onto a new machine x86_64, it was working beautifully, I am at this time putting in updates. However I got some selinux denials from setroubleshoot daemon
> >
> > Tomboy Notes shows this error in box
> > \begin{box}
> >
> > "Tomboy Notes" has quit unexpectedly
> >
> > If you reload a panel object, it will automatically be added back to the panel.
> >
> > \end{box}
> >
> > The selinux denials follow:
> >
> > Advice/Suggestions/Comments are welcome
>
> The unlabeled_t indicates that whatever context tomboy was running in
> was made invalid by a policy update. You should have seen messages
> in /var/log/messages about invalidating contexts upon the policy load.
>
> Re-starting the process should get it into a valid context again.
>
> --
> Stephen Smalley
> National Security Agency
>
>

The updates fixed it

Thanks!

Antonio




 
Old 05-23-2008, 07:07 PM
Daniel J Walsh
 
Default selinux denials for new Fedora 9 install

Antonio Olivares wrote:
> --- Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>> On Thu, 2008-05-22 at 17:24 -0700, Antonio Olivares wrote:
>>> Dear all,
>>>
>>> I have installed Fedora 9 onto a new machine x86_64, it was working beautifully, I am at this time putting in updates. However I got some selinux denials from setroubleshoot daemon
>>>
>>> Tomboy Notes shows this error in box
>>> \begin{box}
>>>
>>> "Tomboy Notes" has quit unexpectedly
>>>
>>> If you reload a panel object, it will automatically be added back to the panel.
>>>
>>> \end{box}
>>>
>>> The selinux denials follow:
>>>
>>> Advice/Suggestions/Comments are welcome
>>
>> The unlabeled_t indicates that whatever context tomboy was running in
>> was made invalid by a policy update. You should have seen messages
>> in /var/log/messages about invalidating contexts upon the policy load.
>>
>> Re-starting the process should get it into a valid context again.
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>
> The updates fixed it
>
> Thanks!
>
> Antonio
>
>


There is a bug in policy where mono_t is changed to unconfined_mono_t,
so on upgrade mono_t becomes unlabeled_t.

Tough to fix at this point. Only will happen if you upgrade while
logged in. Starting tomboy again will work and run as unconfined_mono_t.
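
The two replies above make the same point: a denial whose source type is unlabeled_t comes from a process whose context a policy load invalidated, and the remedy is to restart that process rather than write a local policy module. An added example, not part of the thread: a Python sketch that separates such denials from ordinary ones in audit records. Function names are illustrative; the sample records are abbreviated from the first post, with one constructed httpd line for contrast.

```python
import re
from collections import defaultdict

# Records abbreviated from the audit messages in the first post, with contexts
# written in full; the final httpd AVC line is constructed for contrast.
SAMPLE_LOG = """\
type=AVC msg=audit(1211483916.963:40): avc: denied { read } for pid=2664 comm="tomboy" path="socket:[19661]" dev=sockfs ino=19661 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1211483916.963:40): arch=c000003e syscall=0 success=no exit=-13 pid=2664 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)
type=AVC msg=audit(1211483917.499:85): avc: denied { use } for pid=2664 comm="tomboy" path="/dev/null" dev=tmpfs ino=1898 scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd
type=SYSCALL msg=audit(1211483917.499:85): arch=c000003e syscall=1 success=no exit=-13 pid=2664 comm="tomboy" exe="/usr/bin/mono" subj=system_u:object_r:unlabeled_t:s0 key=(null)
type=AVC msg=audit(1211483920.100:90): avc: denied { getattr } for pid=3001 comm="httpd" path="/srv/www/index.html" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

EVENT_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]*)\} for\s+pid=(\d+) comm="([^"]*)"'
                    r'.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
EXE_RE = re.compile(r' exe="([^"]*)"')


def context_type(ctx):
    """Type field of user:role:type:level (the level may itself contain ':')."""
    return ctx.split(":")[2]


def triage(log):
    """Split AVC denials into stale-context processes and everything else."""
    exe_by_event, avcs = {}, []
    for line in log.splitlines():
        ev = EVENT_RE.search(line)
        if not ev:
            continue
        rec_type, event_id = ev.groups()
        if rec_type == "SYSCALL":  # shares the event id of its AVC; carries exe=
            m = EXE_RE.search(line)
            if m:
                exe_by_event[event_id] = m.group(1)
        elif rec_type == "AVC":
            m = AVC_RE.search(line)
            if m:
                avcs.append((event_id,) + m.groups())
    stale = defaultdict(lambda: {"exe": None, "denied": set()})
    other = []
    for event_id, perms, pid, comm, scon, tcon, tclass in avcs:
        if context_type(scon) == "unlabeled_t":
            # Source context was invalidated by a policy load: restart, don't allow.
            entry = stale[(int(pid), comm)]
            entry["exe"] = exe_by_event.get(event_id, entry["exe"])
            entry["denied"].update((tclass, p) for p in perms.split())
        else:
            other.append((comm, context_type(scon), context_type(tcon),
                          tclass, perms.split()))
    return dict(stale), other


if __name__ == "__main__":
    stale, other = triage(SAMPLE_LOG)
    for (pid, comm), info in stale.items():
        print(f"restart pid {pid} ({comm}, exe {info['exe']}): "
              f"{len(info['denied'])} denial kinds from an invalidated context")
    for item in other:
        print("triage normally:", item)
```

Grouping by pid keeps the many alerts in the first post down to a single action item: one process to restart.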
 
