Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora User (http://www.linux-archive.org/fedora-user/)
-   -   SELinux (http://www.linux-archive.org/fedora-user/49933-selinux.html)

James Mckenzie 01-01-1970 01:00 AM

SELINUX
 
Tim <ignored_mailbox@yahoo.com.au> wrote:
>Sent: Aug 31, 2010 5:30 AM
>To: Community support for Fedora users <users@lists.fedoraproject.org>
>Subject: Re: SELINUX
>
>On Tue, 2010-08-31 at 00:15 +0000, JB wrote:
>> Well, if selinux is the best that happened to security since sliced bread, then
>> why people make these comments ?
>
>Because people like to bitch, particularly the ignorant ones.
>
Maybe because SeLinux is harder than hell to configure, if your favorite application is not already configured. This is BY DESIGN to prevent 'ordinary' users from mucking around in it.

>> Why do security people think they have the ability to dictate to
>> application writers that they use specialized API's or write arcane
>> security policies?
>
>Gee, that's a tough one. Probably because security people know more
>about security than non-security-aware programmers...
>
Bingo. Maybe it is also so that they write more secure code as well.

If you are on the Internet, SeLinux is a great product which is designed to give you enhanced, but not perfect, security.

Now that's my dime on this. I don't run SeLinux, my system is not networked. That is MY decision. If it ever becomes networked, SeLinux, ip tables and a bunch of other stuff is going on it first.

James McKenzie
SSCP 367830
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

James Mckenzie 01-01-1970 01:00 AM

SELinux
 
Ralf Corsepius <rc040203@freenet.de> wrote:
>Sent: Aug 31, 2010 8:43 AM
>To: users@lists.fedoraproject.org
>Subject: Re: SELinux
>
>On 08/31/2010 05:32 PM, Bruno Wolff III wrote:
>> On Wed, Sep 01, 2010 at 00:14:09 +0900,
>> Takehiko Abe<keke@gol.com> wrote:
>>> ;;; sorry other one goes straight to you
>>>
>>> > Linus is not exactly famous for his ability to understand security
>>> > concepts. I find the fact your argument is produced by google and
>>> > cut/paste rather than technical material ... enlightening
>>>
>>> Well, please educate me. All I hear from advocates is "more security"
>>> without a concrete example. You mentioned the danger of emails get
>>> stolen without SELinux. Please give me the scenario. So we can gauge
>>> the risk.
>>
>> If you read email you need selinux. If you read email with a client that
>> fires up plugins to read special content (e.g. html, pdfs, flash) then you
>> really need selinux.
>>
>> If you use a web browser to view more than a short list of trusted sites,
>> you need selinux.
>>
>> If you run network services accessible from outside the machine then you
>> need selinux.
>>
>> If you run binaries from semitrusted groups (this includes most commercial
>> software) then you need selinux.
>
>You don't _need_ SELinux in any such cases.

I disagree, but that is just my nature. If you wander off onto a malware site, you really need SeLinux in that case.
>
>SELinux is aiming at catching malfunctioning/misbehaving programs and
>_may_ prevent damage in use-cases such as those you list.
>
>However, SELinux also causes mal-functions and prevents applications
>from operating properly. Semi-educated tweaking SELinux may even cause
>further damage up to rendering systems completely unusable.
>
>To me this means: If the defaults work, use it. If it doesn't, switch it
>off, otherwise you might easily shoot yourself into the foot.
>
If you don't know what you are doing with SeLinux it is very easy to misconfigure it and lock up a system. If you don't know what you are doing, now is the time to ask for help, not trapse off and try it on your own. SeLinux is VERY unforgiving and that is what most people fear about it. Remember, it is a Security system first.

That is why folks are so scared of it. Sort of like the 'big black cave reported to have a big black bear in it.' Bring a flashlight (knowledge) and you are ok. Walk in without one, and you are lunch (and so is your system.)

Yes, you should have SeLinux or some other security system installed on any system that is connected to the Internet. It is the 'big black cave' we all should respect, not fear.

James McKenzie


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

James Mckenzie 01-01-1970 01:00 AM

SELinux
 
Takehiko Abe <keke@gol.com> wrote:
>Sent: Aug 31, 2010 8:14 AM
>To: Community support for Fedora users <users@lists.fedoraproject.org>
>Subject: Re: SELinux
>
>;;; sorry other one goes straight to you
>
> > Linus is not exactly famous for his ability to understand security
> > concepts. I find the fact your argument is produced by google and
> > cut/paste rather than technical material ... enlightening
>
>Well, please educate me. All I hear from advocates is "more security"
>without a concrete example. You mentioned the danger of emails get
>stolen without SELinux. Please give me the scenario. So we can gauge
>the risk.
>
Simple, I sniff the net at the local Internet cafe. I capture your login/password. I login to your mail account and run a delete. Mail gone. Simple scenario. I can also break into your machine and do the same. SeLinux and other security software attempts to prevent this.

Also, there are malware programs that do keylogging and password capturing. Do you want these running on your system? They run on Linux as well as Windows (Firefox has one notable example of this and was solved by applying a patch.)

> > But hey if Linus jumped down a volcano would you follow ?
>
>Sure I will. Did he?

No. But then again I have this thing about volcanos and jumping, it's just not me (Humor intended.)

I don't follow every word that Linus says and I don't follow every word from everyone else. However, SeLinux has a reputation that is justly deserved. It, like Linux, is very picky on which friends it chooses to take on. It is very easy to make a mistake and some are just plain not recoverable from. That is the way it was designed.

James McKenzie

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

James Mckenzie 01-01-1970 01:00 AM

SELinux
 
Marko Vojinovic <vvmarko@gmail.com> wrote:
>Sent: Aug 31, 2010 9:55 AM
>To: users@lists.fedoraproject.org
>Subject: Re: SELINUX
>
>On Tuesday, August 31, 2010 15:34:42 James Mckenzie wrote:
>> Tim <ignored_mailbox@yahoo.com.au> wrote:
>> >On Tue, 2010-08-31 at 00:15 +0000, JB wrote:
>> >> Well, if selinux is the best that happened to security since sliced
>> >> bread, then why people make these comments ?
>> >
>> >Because people like to bitch, particularly the ignorant ones.
>>
>> Maybe because SeLinux is harder than hell to configure, if your favorite
>> application is not already configured. This is BY DESIGN to prevent
>> 'ordinary' users from mucking around in it.
>
>Yea, sure, can you imagine, one needs to know how to use no less than *two*
>commands --- chcon and semanage --- this is waaay beyond the capabilities of
>any mortal sysadmin... And reading their dreaded man pages, oh my, I get
>scared just thinking about trying to read them...
>
Sysadmins should know how to read man pages, that's where they get a lot of information from. I'm speaking from the mortal view point of the person migrating from Windows to Linux and they find that they have hosed up SeLinux beyond repair.

>There is a saying from where I come from --- people are not divided into
>competent and incompetent, but into whiners and non-whiners.

I disagree. However, that is my opinion and you have yours. That's why life is so interesting.

I don't divide it that way: There are the knowing and unknowing. Those who know should be the one's making the changes and documenting them. The unknowing should seek out the knowing to 'show them the way'. It's called education. However, there are those that will charge ahead into the 'cave with the bear without the flashlight'. Those I would classify as what you call 'whiners'. It is no fun to rebuild a system after they've been around.

James McKenzie

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

James Mckenzie 01-01-1970 01:00 AM

SELinux
 
Takehiko Abe <keke@gol.com> wrote:
>Sent: Sep 1, 2010 5:25 AM
>To: Community support for Fedora users <users@lists.fedoraproject.org>
>Subject: Re: SELinux
>
> >> I assume you know the chances that an average linux user actually get
> >> exploited in that way is very low.
> >
> > I would love to see the academic paper reference for this and the
> > analysis as to why - maybe it's because most of them use SELinux ;)
>
>Just count the known incidents of such exploits. ZERO. No WMD.

Pure bullshit. There are PLENTY of UNIX/Linux systems that are 'powned'. SeLinux prevents but does not stop this, if running in permissive mode. In enforcing mode, all hell breaks loose. At least you will be aware that this has happened and in enforcing mode the attack maybe stopped. In enforcing mode, you can attempt to evaluate and eliminate the damage. You don't READ about this because most companies don't want to admit their security system don't work.
Remember the TV add about the fact that the firewall did not stop the 17 year old hacker from taking almost 200,000 credit card records and then building the robot of his dreams (this was an actual event folks, don't laugh)? This MIGHT have been prevented if the company used and enforced a high quality security system like SeLinux. SeLinux acts as a host based security system and is only as good as YOU make it. If you don't want it, you don't have to have it. But when the PCI folks (aka MasterCard/Visa/AMEX/Discover/JCB) shut off your ability to accept and process Credit/Debit transactions, you have no one to blame but yourself. When your competition 'mysteriously' shows up with your design, then you have to ask, "How did they get that?" Security systems are there for a reason. We all have information that others desire and it is up to us to ensure that it does not appear in the hands of the 'bad guys'. So, are you going to run around the Internet 'naked' or are you g
oing to use every tool at your hands (Bastille/iptables/SeLinux)? I prefer the latter scenario. Of course, a very determined cracker is going to get in, but the ordinary Joe is not.

BTW, the EASIEST system to 'pown' is a Mac. I'll leave it up to you to do the work (Google is definitely your friend with this.)

Please remember, it is up to YOU to protect YOUR data, no one else.

James McKenzie

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

James Mckenzie 01-01-1970 01:00 AM

SELinux
 
Takehiko Abe <keke@gol.com> wrote:
>Sent: Sep 1, 2010 8:43 AM
>To: Community support for Fedora users <users@lists.fedoraproject.org>
>Subject: Re: SELinux
>
>>> Just count the known incidents of such exploits. ZERO. No WMD.
>>
>> Pure bullshit. There are PLENTY of UNIX/Linux systems that are 'powned'.
>
>You misunderstood my sentence. out of context. this is the second time.
>you are knocking a strawman.

Forgive me then. I think that you read that browsers were more 'secure' under Linux than under Windows. This is definitely not true and has been proven time and time again. However, installing user interactable malware is possible, but definitely more difficult under Linux/UNIX.

As far as operating system security, yes Linux is more secure. This is because of the inherint closeed security of UNIX vice the open security of Windows. Using SeLinux is like having a 'belt and suspenders' system. It verifies that all is secure, and limits users to only what they should be doing.

Again, my apologies for misreading your original message. As far as systems security, inherint in the product, Linux wins hands down. However, one must be extremely cautious when browsing not to step on a 'land mine' site.

James McKenzie

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

Terry - Fedora Core 02-07-2008 09:51 PM

SELinux
 
As I reported on another thread, SELinux has caused me trouble and
blocked access to my hard disks.


To solve the problem, I set SELinux to "permissive" mode. Am I positive
that SELinux caused the problem of not being able access the hard disks.
No. But then when I set SELinux to permissive mode the problem
disappeared. Not proof, but very strong evidence.


My question:

Should I enable SELinux again?

What do I gain if I do?

Will the gain be greater than the loss of accessing my computer hard disks?

And if I do, how do I try to prevent it from locking me out of the hard
disks again?


How do I determine what caused SELinux to block access, how much trouble
is it to change SELinux to prevent it from doing that again?


Your insights are appreciated.

Terry

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Richard England 02-08-2008 02:24 AM

SELinux
 
Terry - Fedora Core wrote:
As I reported on another thread, SELinux has caused me trouble and
blocked access to my hard disks.


To solve the problem, I set SELinux to "permissive" mode. Am I
positive that SELinux caused the problem of not being able access the
hard disks. No. But then when I set SELinux to permissive mode the
problem disappeared. Not proof, but very strong evidence.


My question:

Should I enable SELinux again?

What do I gain if I do?

Will the gain be greater than the loss of accessing my computer hard
disks?


And if I do, how do I try to prevent it from locking me out of the
hard disks again?


How do I determine what caused SELinux to block access, how much
trouble is it to change SELinux to prevent it from doing that again?


Your insights are appreciated.

Terry

You need to provide more solid details around "...blocked access to my
hard disks." What error messages are you seeing? Some one on this list
might be able to assist you. Is SELinux involved? Probably, given your
experience but how is yet to be determine. It might be as simple as a
need to relabel your file system ("touch /.autorelabel" and reboot. ),
but provide more detail and someone can help tell you if that is your
problem


I've been running F7 and F8 with SElinux enabled for as long as they
have both been out and have had not difficulties. So it is possible.


~~R

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Daniel J Walsh 02-08-2008 12:41 PM

SELinux
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Terry - Fedora Core wrote:
> As I reported on another thread, SELinux has caused me trouble and
> blocked access to my hard disks.
>
> To solve the problem, I set SELinux to "permissive" mode. Am I positive
> that SELinux caused the problem of not being able access the hard disks.
> No. But then when I set SELinux to permissive mode the problem
> disappeared. Not proof, but very strong evidence.
>
> My question:
>
> Should I enable SELinux again?
>
> What do I gain if I do?
>
> Will the gain be greater than the loss of accessing my computer hard disks?
>
> And if I do, how do I try to prevent it from locking me out of the hard
> disks again?
>
> How do I determine what caused SELinux to block access, how much trouble
> is it to change SELinux to prevent it from doing that again?
>
> Your insights are appreciated.
>
> Terry
>
Look for error messages in /var/log/audit/audit.log. Install
setroubleshoot, it will tell you when SELinux is complaining about
something and attempt to give you a way to fix it.

Most likely the disk you are having problems with is not labeled
correcty. SELinux relies on extended attributes containing labels for
every file on the system. If a file does not have a label, the kernel
says the label is file_t and no confined domains can use the file. You
can either label the disk, by executing a command like
restorecon -R -v PATHTODDISK
Or you can fully relabel the entire system using

touch /.autorelabel; reboot

Or if you do not want to label the disk you can use the mount
command/fstab entry to put a single label for the entire file system.

mount -o context="sytstem_u:object_r:default_t:s0" DISK MOUNTPOINT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkesW+4ACgkQrlYvE4MpobNpBACfW4/15U2VqZv1PxQcG0YAxa5T
j7oAnjpnnytDIRB7glrH4kfSnfrOxoY7
=6Dz3
-----END PGP SIGNATURE-----

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Terry - Fedora Core 02-08-2008 05:19 PM

SELinux
 
Richard England wrote:

Terry - Fedora Core wrote:
As I reported on another thread, SELinux has caused me trouble and
blocked access to my hard disks.


To solve the problem, I set SELinux to "permissive" mode. Am I
positive that SELinux caused the problem of not being able access the
hard disks. No. But then when I set SELinux to permissive mode the
problem disappeared. Not proof, but very strong evidence.


My question:

Should I enable SELinux again?

What do I gain if I do?

Will the gain be greater than the loss of accessing my computer hard
disks?


And if I do, how do I try to prevent it from locking me out of the
hard disks again?


How do I determine what caused SELinux to block access, how much
trouble is it to change SELinux to prevent it from doing that again?


Your insights are appreciated.

Terry

You need to provide more solid details around "...blocked access to my
hard disks." What error messages are you seeing? Some one on this
list might
The error messages were along the lines that an application could not
write to it's resource file in it's hidden directory in my home directory.


Also, Konqueror simply refused to open any directories whatsoever. It
displayed the directory structure in the navigation panel, but it would
not allow access to any directory, even directories under my home
directory. Nor would it allow access to other hard disks on the system -
hard disks other than the hard disk that FEdora Core 8 is installed on.
The computer was still working, but ALL directories and ALL files were
simply not accesable, either by Konqueror or any other application. Even
when I used File Manager (Konqueror) in super user mode or the super
user terminal. I simply got error messages that I did not have
sufficient permission to access the directory/file - even the super user
(root) got the same message. I attributed t6his to SELinux based on the
simple logic that SELinux was giving me the error messages relating to
blocking access to something or other. See SELinux error reports below.
be able to assist you. Is SELinux involved? Probably, given your
experience but how is yet to be determine. It might be as simple as
a need to relabel your file system ("touch /.autorelabel" and reboot.
), but provide more detail and someone can help tell you if that is
your problem


I've been running F7 and F8 with SElinux enabled for as long as they
have both been out and have had not difficulties. So it is possible.
I copied the SELinux Troubleshooter reports on another thread, but they
don't seem to have made it to the list so I'll copy them below. They
make no sense to me. It references something about labeling problems,
but I did not label anything. I would expect the installation program to
apply appropriate labels to everything that the user would need to do to
download and install and configure the system for normal use so that
SELinux would not need to complain about such things. (Note the octal
IDs below have been randomly changed by me - I get nervous when I see
such information being made public :-) )


Terry

SELinux Trouble Reports follow - 4 (converted to text from pdf by
pdftotext)



Summary SELinux is preventing gdm (xdm_t) "execute" to <Unknown>
(rpm_exec_t). Detailed Description SELinux denied access requested by
gdm. It is not expected that this access is required by gdm and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access. Allowing Access Sometimes labeling problems
can cause SELinux denials. You could try to restore the default system
file context for <Unknown>, restorecon -v <Unknown> If this does not
work, there is currently no automatic way to allow this access. Instead,
you can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information Source Context Target Context Target Objects
Affected RPM Packages Policy RPM Selinux Enabled Policy Type MLS Enabled
Enforcing Mode Plugin Name Host Name Platform Alert Count First Seen
Last Seen Local ID Line Numbers Raw Audit Messages avc: denied { execute
} for comm=gdm dev=sda7 name=rpm pid=3107
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0
system_u:system_r:xdm_t:s0-s0:c0.c1023 system_u:object_r:rpm_exec_t:s0
None [ file ] selinux-policy-3.0.8-44.fc8 True targeted True Enforcing
plugins.catchall_file Home-Net Linux Home-Net 2.6.23.1-42.fc8 #1 SMP Tue
Oct 30 13:55:12 EDT 2007 i686 i686 7 Wed 06 Feb 2008 01:50:35 PM EST Thu
07 Feb 2008 10:26:00 AM EST 41e3c4c1-b5da-4c6a-8917-01b4013c448f


Summary SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm
(rpm_exec_t). Detailed Description SELinux denied access requested by
gdm. It is not expected that this access is required by gdm and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access. Allowing Access Sometimes labeling problems
can cause SELinux denials. You could try to restore the default system
file context for /bin/rpm, restorecon -v /bin/rpm If this does not work,
there is currently no automatic way to allow this access. Instead, you
can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information Source Context Target Context Target Objects
Affected RPM Packages Policy RPM Selinux Enabled Policy Type MLS Enabled
Enforcing Mode Plugin Name Host Name Platform Alert Count First Seen
Last Seen Local ID Line Numbers Raw Audit Messages avc: denied { getattr
} for comm=gdm dev=sda7 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0
fsuid=0 gid=0 items=0 path=/bin/rpm pid=3107
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0
system_u:system_r:xdm_t:s0-s0:c0.c1023 system_u:object_r:rpm_exec_t:s0
/bin/rpm [ file ] rpm-4.4.2.2-3.fc8 [target] selinux-policy-3.0.8-44.fc8
True targeted True Enforcing plugins.catchall_file Home-Net Linux
Home-Net 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 i686
13 Wed 06 Feb 2008 01:50:35 PM EST Thu 07 Feb 2008 10:26:00 AM EST
845ddb2e-69a4-6f67-5508-83456c0bff19


Summary SELinux is preventing sh (loadkeys_t) "search" to <Unknown>
(home_root_t). Detailed Description SELinux denied access requested by
sh. It is not expected that this access is required by sh and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access. Allowing Access Sometimes labeling problems
can cause SELinux denials. You could try to restore the default system
file context for <Unknown>, restorecon -v <Unknown> If this does not
work, there is currently no automatic way to allow this access. Instead,
you can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information Source Context Target Context Target Objects
Affected RPM Packages Policy RPM Selinux Enabled Policy Type MLS Enabled
Enforcing Mode Plugin Name Host Name Platform Alert Count First Seen
Last Seen Local ID Line Numbers Raw Audit Messages avc: denied { search
} for comm=sh dev=sda7 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0
fsuid=0 gid=0 items=0 name=home pid=4986
scontext=system_u:system_r:loadkeys_t:s0 sgid=0
subj=system_u:system_r:loadkeys_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0
system_u:system_r:loadkeys_t:s0 system_u:object_r:home_root_t:s0 None [
dir ] selinux-policy-3.0.8-44.fc8 True targeted True Enforcing
plugins.catchall_file Home-Net Linux Home-Net 2.6.23.1-42.fc8 #1 SMP Tue
Oct 30 13:55:12 EDT 2007 i686 i686 2 Wed 06 Feb 2008 04:52:48 PM EST Wed
06 Feb 2008 04:52:48 PM EST 54a23c38-b925-4467-aa0e-5d3fdcc5d799


Summary SELinux is preventing sh (loadkeys_t) "search" to <Unknown>
(unconfined_home_dir_t). Detailed Description SELinux denied access
requested by sh. It is not expected that this access is required by sh
and this access may signal an intrusion attempt. It is also possible
that the specific version or configuration of the application is causing
it to require additional access. Allowing Access Sometimes labeling
problems can cause SELinux denials. You could try to restore the default
system file context for <Unknown>, restorecon -v <Unknown> If this does
not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access -
see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information Source Context Target Context Target Objects
Affected RPM Packages Policy RPM Selinux Enabled Policy Type MLS Enabled
Enforcing Mode Plugin Name Host Name Platform Alert Count First Seen
Last Seen Local ID Line Numbers Raw Audit Messages avc: denied { search
} for comm=sh dev=sda7 name=terry pid=4986
scontext=system_u:system_r:loadkeys_t:s0 tclass=dir
tcontext=unconfined_u:object_r:unconfined_home_dir _t:s0
system_u:system_r:loadkeys_t:s0
unconfined_u:object_r:unconfined_home_dir_t:s0 None [ dir ]
selinux-policy-3.0.8-44.fc8 True targeted True Enforcing
plugins.catchall_file Home-Net Linux Home-Net 2.6.23.1-42.fc8 #1 SMP Tue
Oct 30 13:55:12 EDT 2007 i686 i686 22 Wed 06 Feb 2008 04:52:48 PM EST
Wed 06 Feb 2008 04:52:48 PM EST 04bec695-038f-408d-bf7a-fa3c5f6e2812




~~R



--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


All times are GMT. The time now is 04:57 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.