<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux">
    <title>gmane.linux.redhat.fedora.selinux</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14214"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14213"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14212"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14211"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14210"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14209"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14208"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14207"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14206"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14205"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14204"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14203"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14202"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14201"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14200"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14199"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14198"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14197"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14196"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14195"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14214">
    <title>Re: ImportError: No module named selinux</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14214</link>
    <description>&lt;pre&gt;checkpolicy and libsepol do not need python and build successfully. 
libselinux, libsemanage and policycoreutils *can* be built with an older version of python2 (I've got 2.6.4), provided a few tweaks are done to the .spec file. 
setools definitely needs python 2.7+, so I used python3 there instead, in addition to a quite extensive set of tweaks to the .spec file (I did the same trick with the previous version of the policy as well). 

After that, everything is fine, though during build of the minimum policy I get the following rpm packaging error:

File not found: /builddir/build/BUILDROOT/selinux-policy-3.10.0-86.fc13.x86_64/etc/selinux/minimum/contexts/users/staff_u/usr/share/selinux/minimum/modules.lst

Don't know whether this is a bug or not. It only happens with the minimum policy (mls and targeted build without problems). I don't use the minimum policy anyway so it is not that important in my case.
--
selinux mailing list
selinux&amp;lt; at &amp;gt;lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/se&lt;/pre&gt;</description>
    <dc:creator>Mr Dash Four</dc:creator>
    <dc:date>2012-05-26T01:46:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14213">
    <title>Re: ImportError: No module named selinux</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14213</link>
    <description>&lt;pre&gt;
I have it installed, though I think I found what is causing the above error.

When I compiled all core selinux-related dependencies, I based them on 
python 3 instead of python 2. I am still on the "old" version of python 
2 (the one which comes with FC13), because in order to upgrade it I have 
to also do that for another 100+ packages I have on my system and that 
is something I can't undertake at the moment.

I assumed, wrongly as it turned out, that python 3 would be 100% 
replacement for python 2 and since I remember the nightmare I had to go 
through when I did the same exercise when upgrading the core selinux 
tools in order to bring them to the FC15 level and trying to make this 
work with the "old" python 2 version I've had on my system, I thought I 
could get away with just using python 3 this time.

Well, that didn't work and it looks as though python 2 is also needed (a 
fact I confirmed a couple of hours after writing my original post as 
/usr/bin/sepolgen-ifgen uses python 2, not python 3),&lt;/pre&gt;</description>
    <dc:creator>Mr Dash Four</dc:creator>
    <dc:date>2012-05-25T12:43:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14212">
    <title>Re: ImportError: No module named selinux</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14212</link>
    <description>&lt;pre&gt;On 05/24/2012 09:48 PM, Mr Dash Four wrote:
yum install libselinux-python
&lt;/pre&gt;</description>
    <dc:creator>Daniel J Walsh</dc:creator>
    <dc:date>2012-05-25T10:10:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14211">
    <title>ImportError: No module named selinux</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14211</link>
    <description>&lt;pre&gt;I am trying to compile and build version 3.10.0-86 of the selinux policy, but during compilation I get the following:

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
/usr/bin/sepolgen-ifgen -p tmp/policy.bin -i policy -o tmp/output
Traceback (most recent call last):
  File "/usr/bin/sepolgen-ifgen", line 34, in &amp;lt;module&amp;gt;
    import selinux
ImportError: No module named selinux
make: *** [validate] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.bEqivE (%install)


What could be the cause for this?
&lt;/pre&gt;</description>
    <dc:creator>Mr Dash Four</dc:creator>
    <dc:date>2012-05-25T01:48:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14210">
    <title>Re: Policy version mismatch</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14210</link>
    <description>&lt;pre&gt;On 05/24/2012 12:24 PM, David Quigley wrote:

What policy file did it build?
&lt;/pre&gt;</description>
    <dc:creator>Daniel J Walsh</dc:creator>
    <dc:date>2012-05-24T19:01:07</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14209">
    <title>Re: Policy version mismatch</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14209</link>
    <description>&lt;pre&gt;
I don't think your post applies to his question. His email seems to 
indicate to me that he is building the policy binary on RHEL 6 for RHEL 
6 and then on install time it's trying to downgrade the policy. He is 
wondering why it didn't just build for the policy version being used by 
the system.

Dave
&lt;/pre&gt;</description>
    <dc:creator>David Quigley</dc:creator>
    <dc:date>2012-05-24T16:24:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14208">
    <title>Re: Policy version mismatch</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14208</link>
    <description>&lt;pre&gt;On 05/24/2012 11:05 AM, Moray Henderson wrote:


Read

http://danwalsh.livejournal.com/49762.html
&lt;/pre&gt;</description>
    <dc:creator>Daniel J Walsh</dc:creator>
    <dc:date>2012-05-24T16:14:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14207">
    <title>Policy version mismatch</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14207</link>
    <description>&lt;pre&gt;I've got a policy module which works fine when I build and load it on CentOS
5.  When I build and try to load it on CentOS 6 it complains:

SELinux:  Could not downgrade policy file
/etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux:  Could not open policy file &amp;lt;=
/etc/selinux/targeted/policy/policy.24:  No such file or directory

There's nothing in the policy source specifying version so I would have
expected the module automatically to build for the correct policy version
when built on CentOS 6.  Any pointers where to look or what to do next?


Moray.
"To err is human; to purr, feline."





&lt;/pre&gt;</description>
    <dc:creator>Moray Henderson</dc:creator>
    <dc:date>2012-05-24T15:05:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14206">
    <title>Re: EL6: procmail vs. /home/*/bin/shellscript.sh</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14206</link>
    <description>&lt;pre&gt;
No go:

selinux-policy-targeted-3.7.19-153.el6.noarch
selinux-policy-3.7.19-153.el6.noarch


require {
        type sendmail_t;
        type spamc_t;
        type home_bin_t;
        type procmail_t;
        class process { siginh noatsecure rlimitinh };
        class dir search;
}

#============= procmail_t ==============
allow procmail_t home_bin_t:dir search;
allow procmail_t spamc_t:process { siginh rlimitinh noatsecure };

#============= sendmail_t ==============
allow sendmail_t procmail_t:process { siginh rlimitinh noatsecure };

I've attached the AVC and SYSCALL messages from audit.log from when I
upgraded to 3.7.19-153.  I believe the "semodule -DB" I did yesterday
should still be in effect, so this includes things that are normally
dontaudited.
type=AVC msg=audit(1337366173.791:7373): avc:  denied  { read } for  pid=23438 comm="load_policy" path="/tmp/tmpTA16yC" dev=dm-1 ino=1019 scontext=unconfined_u:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
typ&lt;/pre&gt;</description>
    <dc:creator>Chuck Anderson</dc:creator>
    <dc:date>2012-05-18T19:03:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14205">
    <title>Re: EL6: procmail vs. /home/*/bin/shellscript.sh</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14205</link>
    <description>&lt;pre&gt;On 05/17/2012 07:32 PM, Chuck Anderson wrote:

Hey chuck, could you check to see if this is fixed by installing the 6.3
policy.  Preview currently available at:

people.redhat.com/dwalsh/SELinux/RHEL6
&lt;/pre&gt;</description>
    <dc:creator>Daniel J Walsh</dc:creator>
    <dc:date>2012-05-18T14:34:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14204">
    <title>EL6: procmail vs. /home/*/bin/shellscript.sh</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14204</link>
    <description>&lt;pre&gt;I'm using EL 6.2 with sendmail &amp;amp; procmail.  I'm having trouble with
calling custom scripts in my home directory from .procmailrc such as
this recipe:

######################################################
#
# BACKUP INCOMING MAIL
#
# Stores the last 16 messages in a backup folder.
# "Just in Case"
#
# Create a folder in your $MAILDIR called "backup"
# BEFORE you execute this procmail recipe.
#
:0 c
backup

:0 ic
| /home/cra/bin/procmail-prune-backup-msg

The script is labeled with home_bin_t:

-rwxr-xr-x. cra cra system_u:object_r:home_bin_t:s0  /home/cra/bin/procmail-prune-backup-msg

which is a Bourne Shell script similar to this:

#!/bin/sh
cd /home/cra/mail/backup
/bin/ls -t | /bin/grep ^msg\. | /bin/sed -e 1,256d | /usr/bin/xargs -n 256 /bin/rm -f

In my procmail log I get:

/bin/sh: /home/cra/bin/procmail-prune-backup-msg: Permission denied

It works if I "setenforce 0".

With Enforcing, here is the AVC I get (after enabling dontaudit rules
with semodule -DB):

# ausearch -i -m AVC
type=SYSCALL msg=au&lt;/pre&gt;</description>
    <dc:creator>Chuck Anderson</dc:creator>
    <dc:date>2012-05-17T23:32:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14203">
    <title>Re: No audit lines produced</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14203</link>
    <description>&lt;pre&gt;So execute

# semodule -DB
re-test it
# ausearch -m avc -ts recent
# semodule -B


Also we will need to add labeling for the check_dhcpd_pools plugin.

&lt;/pre&gt;</description>
    <dc:creator>Miroslav Grepl</dc:creator>
    <dc:date>2012-05-16T16:38:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14202">
    <title>Re: MySQL and ldconif avcs</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14202</link>
    <description>&lt;pre&gt;"Miroslav Grepl wrote:"

Did some rechecking after setting the sebool for mysql and getting
an application update. No longer see the issues here.

&lt;/pre&gt;</description>
    <dc:creator>David Highley</dc:creator>
    <dc:date>2012-05-15T12:56:52</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14201">
    <title>Re: No audit lines produced</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14201</link>
    <description>&lt;pre&gt;Run semodule -DB to build a policy database without the dontaudit rules.
Run semodule -B to build a policy database (with the dontaudit rules
included)

On Tue, 2012-05-15 at 11:37 +0100, Jonathan Gazeley wrote:


&lt;/pre&gt;</description>
    <dc:creator>Dominick Grift</dc:creator>
    <dc:date>2012-05-15T12:09:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14200">
    <title>No audit lines produced</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14200</link>
    <description>&lt;pre&gt;I'm trying to debug a Nagios plugin that isn't playing nicely with 
SELinux. It executes a system binary to get statistics about DHCP pool 
usage, and obviously SELinux stamps on that access and the plugin only 
returns partial data.

In Permissive mode the plugin works, in Enforcing it doesn't. But in 
neither mode are there any debug messages in audit.log

[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ sudo setenforce 0
[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c 
check_dhcpd_pools
OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90, 
rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90, 
rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90, 
rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90, 
rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90, 
rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90, 
rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90

[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ sudo setenforce 1
[jg4461&amp;lt; at &amp;gt;dhcp1 ~]$ /usr/lib64/&lt;/pre&gt;</description>
    <dc:creator>Jonathan Gazeley</dc:creator>
    <dc:date>2012-05-15T10:37:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14199">
    <title>Re: MySQL and ldconif avcs</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14199</link>
    <description>&lt;pre&gt;Open a new bug please. Thank you.

&lt;/pre&gt;</description>
    <dc:creator>Miroslav Grepl</dc:creator>
    <dc:date>2012-05-09T17:24:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14198">
    <title>Re: Creating multiple constrained admin roles</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14198</link>
    <description>&lt;pre&gt;On 05/09/2012 10:17 AM, Tim Sheppard wrote:

Yes this is theoretically possible.   The problem is certain domains when run
in as an Evil Admin would be able to break out.  For example if you only allow
the packagemaintainer to run rpm, then he will need to transition to rpm_t
which is basically unconfined.  He could then write a simple rpm to disable
SELinux and install it.  Game over.

Google

"confined admin site:danwalsh.livejournal.com"

You will find lots of blog posts on how to do this.

We ship a webadm_r and logadm_r now.
&lt;/pre&gt;</description>
    <dc:creator>Daniel J Walsh</dc:creator>
    <dc:date>2012-05-09T14:36:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14197">
    <title>Creating multiple constrained admin roles</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14197</link>
    <description>&lt;pre&gt;Hi,

I was wondering if it is possible to create a number of admin roles, 
each with limited access to specified admin features, e.g. package 
management only, NIC / Firewall management only, policy management only 
etc and to effectively completely remove the root account as a system 
wide administrator using selinux?

I have seen mention of Kiosk Users and the SELinux play machine (sadly 
my corporate network does not allow global ssh access) so I believe this 
is entirely possible, but am not entirely sure of the best resources to 
delve into so any pointers would be very welcome.

Many Thanks,

Tim

&lt;/pre&gt;</description>
    <dc:creator>Tim Sheppard</dc:creator>
    <dc:date>2012-05-09T14:17:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14196">
    <title>Re: VirtualGL/TurboVNC and selinux</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14196</link>
    <description>&lt;pre&gt;On 05/07/2012 03:12 PM, Mark Dalton wrote:

Turn off the dontaudit rules and then send me the log compressed.

# semodule -DB
# reboot
# ausearch -m avc -i -ts recent | gzip -c &amp;gt; /tmp/audit.log.tgz
# semodule -B
&lt;/pre&gt;</description>
    <dc:creator>Daniel J Walsh</dc:creator>
    <dc:date>2012-05-07T19:45:15</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14195">
    <title>Re: VirtualGL/TurboVNC and selinux</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14195</link>
    <description>&lt;pre&gt;
I did not see anything obviously useful to me..   The attachment also 
had some information.
My goal is to find a way to keep selinux enabled and run VirtualGL.

Thank you for your quick response.

Mark

First boot:
[root&amp;lt; at &amp;gt;amelie log]# ausearch -m avc -ts recent
----
time-&amp;gt;Mon May  7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.225:118): arch=c000003e syscall=59 
success=yes exit=0 a0=1f0d870 a1=1f0d5a0 a2=1f0c5e0 a3=10 items=0 
ppid=1981 pid=1982 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="portreserve" 
exe="/sbin/portreserve" subj=system_u:system_r:portreserve_t:s0 key=(null)
type=AVC msg=audit(1336416897.225:118): avc:  denied  { read write } 
for  pid=1982 comm="portreserve" path="/dev/console" dev=devtmpfs 
ino=5164 scontext=system_u:system_r:portreserve_t:s0 
tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
----
time-&amp;gt;Mon May  7 14:54:57 2012
type=SYSCALL msg=audit(1336416897.230:120): arch=c000003e syscall=47 
success=yes ex&lt;/pre&gt;</description>
    <dc:creator>Mark Dalton</dc:creator>
    <dc:date>2012-05-07T19:12:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14194">
    <title>Re: VirtualGL/TurboVNC and selinux</title>
    <link>http://permalink.gmane.org/gmane.linux.redhat.fedora.selinux/14194</link>
    <description>&lt;pre&gt;On 05/07/2012 02:29 PM, Mark Dalton wrote:


Can you boot in permissive mode?  What avc messages are you seeing?

ausearch -m avc -ts recent

&lt;/pre&gt;</description>
    <dc:creator>Daniel J Walsh</dc:creator>
    <dc:date>2012-05-07T18:32:14</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.redhat.fedora.selinux">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.redhat.fedora.selinux</link>
  </textinput>
</rdf:RDF>

